
Smart Fallback Proxy

Added in v4.0.0, the Smart Proxy automatically selects the best working encrypted DNS protocol and switches to another if it gets blocked. This is designed for environments where protocols are frequently disrupted.

Protocol Cascade

The proxy tries protocols in this order:
  1. DoH (DNS over HTTPS) — Hardest to block, looks like web traffic
  2. DoT (DNS over TLS) — Lower overhead, uses port 853
  3. DNSCrypt — Encrypted from first packet, no CA dependency
  4. Sing-box — VLESS/REALITY, VMess, Trojan, etc. (when configured)
  5. Plain DNS — Last resort fallback (unencrypted)
Sing-box protocols (VLESS/REALITY, etc.) can be added to the cascade by providing a sing-box configuration. These protocols offer the strongest anti-censorship protection for users in Iran and similar regions.

How It Works

  1. Startup probe — Tests all available protocols and selects the fastest working one
  2. Health monitoring — Checks the active protocol every 30 seconds
  3. Failure counting — After 3 consecutive failures, probes for a new protocol
  4. Auto-switch — Seamlessly switches to the next working protocol
  5. Notification — Logs protocol switches so you know what’s happening
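
The cascade and failure-counting steps above, modelled as a small state machine. This is an added example, not dns-mns source code: the class and function names are hypothetical, the probe results are constructed, and it assumes re-probing picks the first working protocol in cascade order (latency ranking is left out).

```python
# Added illustration, not dns-mns code. Names and probe data are hypothetical.
CASCADE = ["doh", "dot", "dnscrypt", "sing-box", "plain"]  # order from the page
ENCRYPTED = set(CASCADE) - {"plain"}
FAILURE_THRESHOLD = 3   # consecutive failed health checks before re-probing
CHECK_INTERVAL = 30     # seconds between health checks


class FallbackMonitor:
    def __init__(self, probe, configured=CASCADE):
        self.probe = probe                      # probe(protocol, now) -> bool
        self.configured = [p for p in CASCADE if p in configured]
        self.active = None
        self.failures = 0
        self.events = []                        # (time, old, new, downgraded)

    def select(self, now):
        """Probe in cascade order and switch to the first protocol that answers."""
        for proto in self.configured:
            if self.probe(proto, now):
                if proto != self.active:        # log every switch, flag plaintext
                    self.events.append((now, self.active, proto, proto not in ENCRYPTED))
                self.active, self.failures = proto, 0
                return proto
        return self.active                      # nothing works: keep the current one

    def health_check(self, now):
        """One periodic check of the active protocol; counts consecutive failures."""
        if self.active is not None and self.probe(self.active, now):
            self.failures = 0                   # any success resets the counter
        else:
            self.failures += 1
            if self.failures >= FAILURE_THRESHOLD:
                self.select(now)
        return self.active


def simulate(blocked_from, duration):
    """Constructed scenario: blocked_from maps protocol -> time it stops working."""
    probe = lambda proto, now: now < blocked_from.get(proto, float("inf"))
    mon = FallbackMonitor(probe, configured=["doh", "dot", "dnscrypt", "plain"])
    mon.select(0)                               # startup probe
    for now in range(CHECK_INTERVAL, duration + 1, CHECK_INTERVAL):
        mon.health_check(now)
    return mon.events


if __name__ == "__main__":
    for t, old, new, downgraded in simulate({"doh": 100, "dot": 100, "dnscrypt": 400}, 600):
        print(f"t={t:>3}s {old} -> {new}" + ("  [UNENCRYPTED]" if downgraded else ""))
```

In the constructed run, DoH stops working at t=100 s but the switch only happens at t=180 s, after the third failed check. The last switch lands on plain DNS, which is the logged event worth alerting on.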

Interactive Mode

From the main menu, select [10] Smart Proxy (Auto-Fallback):
  • Configure the listen address (default: 127.0.0.1:5354)
  • The proxy probes protocols and starts automatically
  • Return to the menu to view status or stop the proxy

CLI Mode

# Start with defaults (auto-select protocol, listen on 127.0.0.1:5354)
dns-mns proxy

# Prefer a specific protocol
dns-mns proxy --protocol doh
dns-mns proxy --protocol dot
dns-mns proxy --protocol dnscrypt

# Custom listen address
dns-mns proxy --listen 127.0.0.1:5353

# With TLS fragmentation for DPI evasion
dns-mns proxy --fragment sni

# JSON status output
dns-mns proxy --json

Press Ctrl+C to stop the proxy gracefully.

Configuration

| Flag | Default | Description |
| --- | --- | --- |
| --listen | 127.0.0.1:5354 | Local address:port to listen on |
| --protocol | auto | Preferred protocol: auto, doh, dot, dnscrypt |
| --fragment | none | TLS fragment mode: none, sni, half, chunked |
| --json | false | Output status as JSON |

Using with Sing-box

When sing-box is configured, it becomes part of the fallback cascade:

# Start fallback proxy with sing-box as a fallback option
# (sing-box configuration must be provided via the API)

The fallback proxy will:
  1. Try DoH/DoT/DNSCrypt first
  2. Fall back to sing-box (VLESS/REALITY, etc.) if configured
  3. Use plain DNS as last resort
This provides multiple layers of fallback for maximum resilience.

Using with System DNS

After starting the proxy, configure your system DNS to point to the proxy’s listen address:

# If proxy is on 127.0.0.1:5354, set system DNS to 127.0.0.1
# and configure your resolver to use port 5354

Or use a port 53 listen address (requires root):

sudo dns-mns proxy --listen 127.0.0.1:53