Docs Config Domain Sniffing

Domain Sniffing

Under transparent proxying (TUN/Redir/TProxy), the core sometimes only sees the destination IP and not the domain, causing DOMAIN-based rules to fail. Sniffer recovers the domain by reading the TLS SNI / HTTP Host field early in the connection.

Example Config

config.yaml YAML
sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  override-destination: false
  sniff:
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]
  force-domain:
    - +.v2ex.com
  skip-domain:
    - Mijia Cloud
  skip-src-address:
    - 192.168.0.3/32
  skip-dst-address:
    - 192.168.0.3/32

Field Reference

enableRequired

The master switch for enabling sniffer.

sniffRequired

Configures which ports to sniff, per protocol โ€” supports HTTP/TLS/QUIC. Each protocol object's ports specifies the port range, and override-destination is optional, used to override the global setting.

override-destinationDefault: true

Whether to use the sniffed result as the actual connection destination. When enabled, domain-based rules like DOMAIN/DOMAIN-SUFFIX can match against the sniffed domain; otherwise rules can still only see the original IP.

force-dns-mappingOptional

Forces sniffing on traffic identified as redir-host type.

parse-pure-ipOptional

Forces sniffing on all traffic where no domain was obtained (e.g. when the client has already resolved the domain itself and connects directly with an IP).

force-domainOptional

A list of domains to force sniffing on, supporting wildcards. By default, sniffing only happens for pure-IP connections โ€” configuring this forces re-sniffing even for already-known domains.

skip-domainOptional

A list of domains to skip sniffing for, supporting wildcards. Mainly used to fix sites whose SNI field isn't a standard domain, causing abnormal sniffing results โ€” e.g. Xiaomi's Mijia Cloud devices, or Apple's push service +.push.apple.com, are good candidates to add here.

skip-src-address / skip-dst-addressOptional

A list of source/destination IP ranges to skip sniffing for.