add doc for lookup built-in func

apernet · Apr 8, 2024 · 091f316 · 091f316
1 parent f5c9caa
commit 091f316
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 0 deletions.
diff --git a/docs/docs/functions.md b/docs/docs/functions.md
@@ -49,3 +49,20 @@ Example:
   action: block
   expr: geosite(string(tls?.req?.sni), "bilibili")
 ```
+
+### `lookup`
+
+```
+lookup(domain: string) -> list<string>
+lookup(domain: string, server: string) -> list<string>
+```
+
+Perform a DNS lookup for a domain, returns the list of IP addresses (both A and AAAA records) returned by the DNS server. If the server address is not specified, it uses the system default. Note that this uses the standard DNS protocol (not DNS over TLS, DNS over HTTPS, for example), and you must specify both IP and port for the server address (e.g. `8.8.8.8:53`).
+
+Example:
+
+```yaml
+- name: SNI mismatch
+  log: true
+  expr: tls?.req?.sni != nil && ip.dst not in lookup(tls.req.sni)
+```
diff --git a/docs/docs/functions.zh.md b/docs/docs/functions.zh.md
@@ -49,3 +49,20 @@ geosite(domain: string, category: string) -> bool
   action: block
   expr: geosite(string(tls?.req?.sni), "bilibili")
 ```
+
+### `lookup`
+
+```
+lookup(domain: string) -> list<string>
+lookup(domain: string, server: string) -> list<string>
+```
+
+对指定的域名进行 DNS 查询，返回 IP 地址列表（同时包括 A 和 AAAA 记录）。如果未指定服务器地址，则使用系统默认的 DNS。此操作使用标准 DNS 协议（不是 DNS over TLS、DNS over HTTPS 等），且服务器地址必须同时包括 IP 地址和端口（如 `8.8.8.8:53`）。
+
+示例：
+
+```yaml
+- name: SNI mismatch
+  log: true
+  expr: tls?.req?.sni != nil && ip.dst not in lookup(tls.req.sni)
+```
diff --git a/docs/docs/rules.md b/docs/docs/rules.md
@@ -118,3 +118,17 @@ The data available for matching comes from analyzers, please refer to the [analy
   action: block
   expr: cidr(string(ip.dst), "192.168.0.0/16")
 ```
+
+#### Block Xray Reality/ShadowTLS connections
+
+How it works: The TLS handshake of protocols like Xray Reality/ShadowTLS "steals" that of real websites, but the destination IP is the proxy server rather than a real IP that belongs to those websites. Therefore, you can check the connection by performing DNS lookups on the SNI domain name; if the destination IP isn't among what's in the DNS records, then the connection can be considered suspicious.
+
+!!! warning
+
+    To minimize false positives, the rule below queries two additional servers besides the system's default DNS. The connection is allowed as long as the destination IP is in one of the results. Be sure to adjust the rule to your actual network environment. If the domain name cannot be resolved, the `lookup` function will fail, causing this rule to fail as well, and the connection won't be blocked.
+
+```yaml
+- name: SNI mismatch
+  action: block
+  expr: tls?.req?.sni != nil && ip.dst not in concat(lookup(tls.req.sni), lookup(tls.req.sni, "1.1.1.1:53"), lookup(tls.req.sni, "8.8.8.8:53"))
+```
diff --git a/docs/docs/rules.zh.md b/docs/docs/rules.zh.md
@@ -118,3 +118,17 @@ title: 规则文件
   action: block
   expr: cidr(string(ip.dst), "192.168.0.0/16")
 ```
+
+#### 阻断 Xray Reality/ShadowTLS 连接
+
+原理：Xray Reality/ShadowTLS 等协议的 TLS 握手是 "盗用" 其他正常网站的，但连接的目标 IP 是代理服务器而并非这些网站的真正 IP。因此可以通过 DNS 查询 SNI 域名解析到的地址，如果连接的目标 IP 不在这些地址中，则阻断连接。
+
+!!! warning
+
+    为了尽量降低误伤，下面提供的规则中除了使用系统默认 DNS 外还通过另外两个服务器进行查询，只要目标 IP 在任何结果中出现则放行。请根据实际网络环境对规则进行调整。如果域名无法解析，则 `lookup` 函数会出错导致此条规则出错，也不会阻断连接。
+
+```yaml
+- name: SNI mismatch
+  action: block
+  expr: tls?.req?.sni != nil && ip.dst not in concat(lookup(tls.req.sni), lookup(tls.req.sni, "1.1.1.1:53"), lookup(tls.req.sni, "8.8.8.8:53"))
+```