Introduction: The Vulnerability of Domain Resolution
The Domain Name System (DNS) is the phonebook of the internet, translating human-readable domain names (e.g., google.com) into computer-readable IP addresses. However, this critical service is a primary target for censorship, often resulting in DNS Pollution or DNS Spoofing.
DNS Pollution is a technique where a censor intercepts a DNS query for a blocked domain and returns a fake, incorrect IP address (often an IP belonging to a blocking page or a honeypot). The client then attempts to connect to the fake IP, resulting in a connection failure or a block.
The combination of Traffic Sniffing (Article 35) and Fake DNS is V2Ray’s ultimate defense against this threat. Sniffing tells V2Ray the true destination domain, and Fake DNS ensures that when V2Ray asks for the IP, it receives a controlled, harmless local IP instead of the poisoned address, effectively neutralizing the external DNS threat.
Section 1: The Core Mechanism: Internal IP Management
Fake DNS operates by making V2Ray act as its own local DNS server, but with a critical difference: instead of resolving the blocked domain to its correct public IP, it resolves it to a private, non-routable IP address within the V2Ray server itself.
1. The Fake IP Pool
The Fake DNS mechanism relies on an internally managed pool of private IP addresses (e.g., in the range 198.18.0.0/15). These addresses are globally reserved for benchmarking and testing and are not routed on the public internet.
- Function: When a user queries a blocked domain (e.g., facebook.com), V2Ray’s internal DNS system assigns a Fake IP from this pool to that domain (e.g., facebook.com maps to 198.18.1.1).
- The Deception: The client device receives this Fake IP and attempts to connect to it. Since the IP is private and local, the request never leaves the server’s control and cannot be intercepted or logged by external censors.
2. Pairing with Traffic Sniffing (The Key)
The Fake DNS mechanism would be useless without Traffic Sniffing.
- Client Queries: The client sends a request to V2Ray’s DNS server for facebook.com.
- V2Ray Resolves: V2Ray returns the Fake IP (198.18.1.1).
- Client Connects: The client attempts to connect to the Fake IP via the V2Ray tunnel.
- V2Ray Sniffs: V2Ray receives the connection, sniffs the TLS SNI header (Article 35), and sees the true intended domain is facebook.com.
- V2Ray Reroutes: V2Ray ignores the Fake IP and uses the sniffed domain (facebook.com) to perform a clean, secure DNS lookup (using its own secure DNS resolver, Article 6) and routes the traffic to the correct, unpolluted public IP address via the proxy Outbound.
This entire process occurs transparently to the client, which believes it connected to the Fake IP, while V2Ray ensures the data reaches the real destination.
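The five steps above, worked through as a small Python model. This is an added example written for this article, not V2Ray's own code: the pool, the routing decision and the resolver answers are all constructed here, the Fake IPs are handed out sequentially from 198.18.0.0/15, the "trusted resolver" is a dictionary of TEST-NET addresses standing in for 1.1.1.1, and falling back to the pool's reverse mapping when no SNI is present is an assumption of the model. The last branch also reproduces the Section 4 failure mode in which sniffing is disabled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# The reserved benchmarking range (RFC 2544) that the article uses as the Fake IP pool.
FAKE_POOL = ipaddress.ip_network("198.18.0.0/15")


@dataclass
class FakeDnsPool:
    """Hands out one Fake IP per domain and remembers the mapping both ways.

    A model of the internal pool described in Section 1, not V2Ray's implementation.
    """
    network: ipaddress.IPv4Network = FAKE_POOL
    domain_to_ip: dict = field(default_factory=dict)
    ip_to_domain: dict = field(default_factory=dict)
    next_index: int = 1  # index 0 is the network address and is never handed out

    def resolve(self, domain: str) -> str:
        """Answer a client's DNS query for `domain` with a stable Fake IP."""
        domain = domain.lower().rstrip(".")
        if domain not in self.domain_to_ip:
            # The pool is finite: refuse rather than silently reuse an address.
            if self.next_index >= self.network.num_addresses - 1:
                raise RuntimeError("Fake IP pool exhausted")
            ip = str(self.network[self.next_index])
            self.next_index += 1
            self.domain_to_ip[domain] = ip
            self.ip_to_domain[ip] = domain
        return self.domain_to_ip[domain]

    def is_fake(self, ip: str) -> bool:
        """True if `ip` lies inside the Fake IP range (what the routing rule matches)."""
        return ipaddress.ip_address(ip) in self.network


def route_connection(
    pool: FakeDnsPool,
    dst_ip: str,
    sniffed_sni: Optional[str],
    trusted_resolve: Callable[[str], Optional[str]],
    sniffing_enabled: bool = True,
) -> Tuple[str, str]:
    """Model V2Ray's decision for one inbound connection.

    Returns (outbound, destination): the outbound tag that takes the connection
    and the address it will actually connect to.
    """
    if not pool.is_fake(dst_ip):
        # Not a Fake IP: the ordinary routing rules (direct, block, ...) apply.
        return ("direct", dst_ip)
    if not sniffing_enabled:
        # Section 4 failure mode: a Fake IP with no way to learn the domain.
        return ("blackhole", dst_ip)
    # Prefer the sniffed SNI; fall back to the pool's reverse mapping (an
    # assumption of this model, useful for traffic that carries no SNI).
    domain = sniffed_sni or pool.ip_to_domain.get(dst_ip)
    if domain is None:
        return ("blackhole", dst_ip)
    real_ip = trusted_resolve(domain)  # clean lookup via the secure resolver
    if real_ip is None:
        return ("blackhole", dst_ip)
    return ("proxy", real_ip)


# Constructed stand-in for the secure external resolver (1.1.1.1 in the article).
# The answers are TEST-NET addresses, not real records.
TRUSTED_ANSWERS = {"facebook.com": "203.0.113.10", "google.com": "203.0.113.20"}


def demo() -> list:
    """Walk the five steps from Section 1 for one client and return the decisions."""
    pool = FakeDnsPool()
    fake_ip = pool.resolve("facebook.com")  # steps 1-2: query answered with a Fake IP
    return [
        route_connection(pool, fake_ip, "facebook.com", TRUSTED_ANSWERS.get),  # steps 3-5
        route_connection(pool, fake_ip, None, TRUSTED_ANSWERS.get, sniffing_enabled=False),
        route_connection(pool, "198.51.100.7", None, TRUSTED_ANSWERS.get),  # ordinary IP
    ]


if __name__ == "__main__":
    for outbound, dest in demo():
        print(f"{outbound:9s} -> {dest}")
```

The client only ever sees 198.18.0.1; the proxy outbound connects to whatever the trusted resolver returns for the sniffed domain, so a poisoned answer from the local network never influences the destination.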
Section 2: Configuration: The dns and routing Integration
Implementing Fake DNS requires two main configuration steps: setting up the DNS section and defining the routing rules that utilize the Fake IP range.
1. DNS Configuration (dns object)
The DNS section must define the Fake IP pool and specify which domains should be resolved to Fake IPs.
| Setting | Type | Description | Rationale |
|---|---|---|---|
| hosts | object | Static mapping of blocked domains to the Fake IP pool. | Ensures known blocked domains get an instant Fake IP. |
| fakeip | object | Defines the IP range V2Ray can use for its internal pool. | The defined range should not interfere with any internal network ranges. |
DNS Configuration Example:

```json
"dns": {
  "servers": [
    // 1. Define the pool of non-routable IPs (reserved for benchmarking)
    {
      "address": "fakeip",
      "ipPool": "198.18.0.0/15", // The reserved Fake IP range
      "domains": [
        "geosite:geolocation-!cn", // Map all non-Chinese domains to Fake IPs
        "geosite:google",
        "geosite:facebook"
      ]
    },
    // 2. Define the secure external DNS resolver for actual lookups
    "1.1.1.1" // Cloudflare secure DNS
  ],
  "tag": "dns-internal"
}
```
2. Routing Configuration (routing object)
The routing rules must ensure that traffic destined for the Fake IP range is correctly intercepted and subjected to Traffic Sniffing.

```json
"routing": {
  "rules": [
    {
      "type": "field",
      "ip": ["198.18.0.0/15"], // CRITICAL: Intercept all traffic going to the Fake IP range
      "inboundTag": ["all"],
      "outboundTag": "proxy" // Forward this traffic to the main proxy outbound
    }
    // ... all other routing rules (direct, block, etc.) ...
  ]
}
```
Section 3: Benefits and Advanced Applications
Fake DNS provides significant operational advantages beyond simple DNS pollution defense.
1. Defeating Client-Side Resolution
Many V2Ray clients are configured to use the tunnel for DNS resolution. If a client’s DNS query is hijacked, Fake DNS ensures that V2Ray sends back a controlled IP, guaranteeing that the connection attempt will come back through the V2Ray server, where the true identity (via SNI) can be verified.
2. Reducing DNS Traffic Volume
By forcing the client to connect using a Fake IP, V2Ray centralizes the actual public DNS lookups to its own secure, internal resolvers (like 1.1.1.1). This prevents thousands of individual DNS queries from being sent from the client’s original location, reducing local network footprint and simplifying audit logs (Article 21).
3. Combining with Geo-IP/Geo-Domain
Fake DNS perfectly complements Geo-Domain routing (Article 34).
- Workflow: The Geo-Domain list (e.g., geosite:cn) is used to define which traffic should bypass the proxy. Everything not in that list is mapped to a Fake IP pool. This creates a powerful, negative filtering mechanism: “Bypass only traffic I explicitly trust; proxy and sniff everything else.”
Section 4: Trade-offs and Troubleshooting
1. Resource Consumption
Fake DNS requires V2Ray to maintain the internal IP-to-Domain mapping pool, which consumes a small amount of memory. However, the performance benefits derived from accurate routing and reduced external DNS queries far outweigh this minimal overhead.
2. Troubleshooting Failures
If Fake DNS is enabled and connections fail, the problem is almost always one of the following:
- Sniffing Disabled: If Traffic Sniffing (Article 35) is disabled, V2Ray will receive the connection to the Fake IP but will have no way to extract the true destination domain, resulting in a black hole. Fake DNS requires Sniffing.
- Routing Mismatch: The routing rule for the Fake IP range (198.18.0.0/15) must point to the proxy Outbound, not the direct Outbound. If routed directly, the traffic will attempt to use a private IP address on the public internet, which will fail.
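Both failure modes can be caught before deployment by checking the configuration rather than waiting for connections to black-hole. The checker below is an added example for this article, not a V2Ray tool: it reads the field names exactly as the Section 2 snippets use them (`dns.servers[].address == "fakeip"` with `ipPool`, `routing.rules[].ip` / `outboundTag`, and `inbounds[].sniffing.enabled`), and the two configurations at the bottom are constructed for the demonstration. It ignores `geoip:` and `geosite:` entries, which it cannot expand offline, and only considers rules that match on IP.

```python
import ipaddress
from typing import List, Optional

# Range the article reserves for Fake IPs (benchmarking space, not routed publicly).
RESERVED_FAKE_RANGE = ipaddress.ip_network("198.18.0.0/15")


def _as_network(value: str) -> Optional[ipaddress.IPv4Network]:
    """Parse a routing 'ip' entry; geoip:xx and other non-CIDR entries give None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _rule_covers(rule: dict, pool: ipaddress.IPv4Network) -> bool:
    """True if one of the rule's CIDR entries contains the whole Fake IP pool."""
    for cidr in rule.get("ip", []):
        net = _as_network(cidr)
        if net is not None and net.version == pool.version and pool.subnet_of(net):
            return True
    return False


def check_fakedns_config(config: dict) -> List[str]:
    """Return the misconfigurations that would make Fake DNS fail (empty list = OK)."""
    problems: List[str] = []

    # 1. Locate the Fake IP pool in the dns section.
    pool = None
    for server in config.get("dns", {}).get("servers", []):
        if isinstance(server, dict) and server.get("address") == "fakeip":
            pool = _as_network(str(server.get("ipPool", "")))
            if pool is None:
                problems.append("fakeip server has no valid ipPool")
    if pool is None:
        if not problems:
            problems.append("no dns server with address 'fakeip' is defined")
        return problems
    if not pool.subnet_of(RESERVED_FAKE_RANGE):
        problems.append(f"ipPool {pool} lies outside the reserved range {RESERVED_FAKE_RANGE}")

    # 2. Routing: V2Ray evaluates rules in order, so the first IP rule covering
    #    the pool decides where Fake IP traffic goes. It must be the proxy outbound.
    rules = config.get("routing", {}).get("rules", [])
    match = next((r for r in rules if _rule_covers(r, pool)), None)
    if match is None:
        problems.append(f"no routing rule intercepts the Fake IP range {pool}")
    elif match.get("outboundTag") != "proxy":
        problems.append(
            f"Fake IP range is routed to '{match.get('outboundTag')}' instead of the proxy outbound"
        )

    # 3. Every inbound must sniff, or Fake IP connections become a black hole.
    for inbound in config.get("inbounds", []):
        if not inbound.get("sniffing", {}).get("enabled", False):
            problems.append(f"inbound '{inbound.get('tag', '?')}' has sniffing disabled")
    return problems


# Constructed configurations (not from a real deployment). GOOD_CONFIG follows
# Section 2; BAD_CONFIG contains both Section 4 mistakes.
GOOD_CONFIG = {
    "inbounds": [{"tag": "socks-in", "protocol": "socks",
                  "sniffing": {"enabled": True, "destOverride": ["http", "tls"]}}],
    "dns": {"servers": [{"address": "fakeip", "ipPool": "198.18.0.0/15",
                         "domains": ["geosite:facebook"]}, "1.1.1.1"]},
    "routing": {"rules": [{"type": "field", "ip": ["198.18.0.0/15"], "outboundTag": "proxy"},
                          {"type": "field", "ip": ["geoip:cn"], "outboundTag": "direct"}]},
}
BAD_CONFIG = {
    "inbounds": [{"tag": "socks-in", "protocol": "socks", "sniffing": {"enabled": False}}],
    "dns": {"servers": [{"address": "fakeip", "ipPool": "198.18.0.0/15",
                         "domains": ["geosite:facebook"]}, "1.1.1.1"]},
    "routing": {"rules": [{"type": "field", "ip": ["198.18.0.0/15"], "outboundTag": "direct"}]},
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_fakedns_config(cfg) or "OK")
```

Running it reports nothing for the first configuration and two findings for the second: the pool is routed to the direct outbound, and the inbound has sniffing switched off. Rule order matters in the routing check: any earlier IP rule that also covers 198.18.0.0/15 (a catch-all, for example) would be the one reported.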
Conclusion: Neutralizing DNS Censorship
The Fake DNS feature, when correctly integrated with Traffic Sniffing, is an essential tool for neutralizing one of the oldest and most effective censorship techniques: DNS pollution. By transforming external DNS threats into harmless, local connections that V2Ray can internally manage and verify, administrators ensure that routing decisions are based on the true intended destination domain, maintaining tunnel resilience, accuracy, and security against local network interference. Mastery of this feature is mandatory for deployment in environments with aggressive filtering.