I think there are a lot of solutions out there for your needs.
For example, hosts/DNS with expectIPs+domain/IP-based routing rules.
The key to solving the problem is to limit the IPs returned by DNS query.

I think there are a lot of solutions out there for your needs. For example, hosts/DNS with expectIPs+domain/IP-based routing rules. The key to solving the problem is to limit the IPs returned by DNS query.

No, if returned Ips is only in cloudflare range, i forcibly use another proxy instead of worker/domain-fronting.

I just want to use worker/domain-fronting as much as possible.

Your solution completely disconnects the connection.

I think there are a lot of solutions out there for your needs. For example, hosts/DNS with expectIPs+domain/IP-based routing rules. The key to solving the problem is to limit the IPs returned by DNS query.

No, if returned Ips is only in cloudflare range, i forcibly use another proxy instead of worker/domain-fronting.

I just want to use worker/domain-fronting as much as possible.

Your solution completely disconnects the connection.

Just specify two DNS, one with Fastly IPs as expectIPs and a normal one. If the DNS query result contains both Fastly and Cloudflare IPs, only Fastly ones are retained, and you can route the connections with an IP-based rule. Otherwise, the normal DNS is used as fallback and all IPs are returned.

one with Fastly IPs as expectIPs

So, we have a redundant dns-query for all cloudflare domains!

one with Fastly IPs as expectIPs

So, we have a redundant dns-query for all cloudflare domains!

You can configure to use this DNS to resolve only certain domains. And the results are cached, so there will not be too many duplicate queries.
For example:

      "8.8.8.8",
      {
        "address": "8.8.8.8",
        "domains": ["domain:twimg.com"],
        "expectIPs": ["geoip:fastly"],
        "skipFallback": true
      }

Certain domains???
We have no information about which domains are behaving this way.
twimg.com is only one domain that i found by chance.

Any domain can behave like this.

Certain domains??? We have no information about which domains are behaving this way. twimg.com is only one domain that i found by chance.

Any domain can behave like this.

Second, with this, we have a redundant query for all cloudflare domains!

Well, in this case, most domains require 2 queries.
Xray-core is not going to be able to fully meet your needs. If this is important to you, I would recommend implementing an external proxy that forwards DNS queries and filters the returned IPs.

Yes, this feature should be added.
ctx is the key.
Do you read and understand the suggested solution?

(I don't want any of this for myself, I want it for all Iranian users.)

ctx is the key. Do you read and understand the suggested solution?

I think I understand what you are talking about. I don't care about ctx, I just care about solving the problem in the easiest way possible.
In my opinion, limiting the IPs returned by DNS queries is the simplest solution.
For the above solution I proposed, would this solve your problem except that it would send duplicate queries? If this is the case, you can fix the problem of sending duplicate queries by changing just one line of the code.
Change this line

I've submitted a similar issue #4146 before, but it doesn't seem to be a priority for developers. And it's hard to consider the current implementation "a bug" since Xray/v2ray has worked this way since a few years ago. No user has reported any practical issue related to this since then.

geoip:fastly is just an example, other ips could be of any range, so we need "notExpectIPs".

@RPRX @Fangliding

@HeXis-YS solution with some changes completely solve this problem.

Suppose this solution:

{
        "address": "8.8.8.8",
        "expectIPs": ["geoip:!cloudflare"]
},
{
        "address": "8.8.8.8"
{

the problem is that the second dns-query-result may not be the same as the first one.(suppose the first one only contains cloudflare-ips and the second one contains both cloudflare and non-cloudflare ips)
also, another problem is that we have a redundant dns-query for all cloudflare domains(domains that only return cloudflare ips)

so we also need to add "ignoreExpectIPsWhenNoMatch" bool option for each DnsServerObject, and change the:

to:

if len(newIps) == 0 {
		if ignoreExpectIPsWhenNoMatch{
                	return ips, nil
                }
		return nil, errExpectedIPNonMatch
	}

///

so with:

{
        "address": "8.8.8.8",
        "expectIPs": ["geoip:!cloudflare"],
        "ignoreExpectIPsWhenNoMatch": true
}

and using "dialerProxy" + "forceIP" in outbound, the problem is completely solved, and we can achieve our goal.

Thank you very much @HeXis-YS.

#4423 (comment)

是否是 expected IP 是另一个问题，这个确实可以加个选项

@RPRX

I just realized that Xray-core already had "notExpectIPs".

my "notExpectIPs": ["geoip:cloudflare"] feature is exactly the same as "expectIPs": ["geoip:!cloudflare"].

so only "ignoreExpectIPsWhenNoMatch" option should be implemented.