Domain Sniffing
Under transparent proxying (TUN/Redir/TProxy), the core sometimes only sees the destination IP and not the domain, causing DOMAIN-based rules to fail. Sniffer recovers the domain by reading the TLS SNI / HTTP Host field early in the connection.
Example Config
sniffer: enable: true force-dns-mapping: true parse-pure-ip: true override-destination: false sniff: HTTP: ports: [80, 8080-8880] override-destination: true TLS: ports: [443, 8443] QUIC: ports: [443, 8443] force-domain: - +.v2ex.com skip-domain: - Mijia Cloud skip-src-address: - 192.168.0.3/32 skip-dst-address: - 192.168.0.3/32
Field Reference
enableRequiredThe master switch for enabling sniffer.
sniffRequiredConfigures which ports to sniff, per protocol โ supports HTTP/TLS/QUIC. Each protocol object's ports specifies the port range, and override-destination is optional, used to override the global setting.
override-destinationDefault: trueWhether to use the sniffed result as the actual connection destination. When enabled, domain-based rules like DOMAIN/DOMAIN-SUFFIX can match against the sniffed domain; otherwise rules can still only see the original IP.
force-dns-mappingOptionalForces sniffing on traffic identified as redir-host type.
parse-pure-ipOptionalForces sniffing on all traffic where no domain was obtained (e.g. when the client has already resolved the domain itself and connects directly with an IP).
force-domainOptionalA list of domains to force sniffing on, supporting wildcards. By default, sniffing only happens for pure-IP connections โ configuring this forces re-sniffing even for already-known domains.
skip-domainOptionalA list of domains to skip sniffing for, supporting wildcards. Mainly used to fix sites whose SNI field isn't a standard domain, causing abnormal sniffing results โ e.g. Xiaomi's Mijia Cloud devices, or Apple's push service +.push.apple.com, are good candidates to add here.
skip-src-address / skip-dst-addressOptionalA list of source/destination IP ranges to skip sniffing for.