You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a public website (e.g., google.com) attempts to connect to an IP address classified as "Private", the browser triggers a "Local network access" permission prompt.
当公网网站尝试连接被归类为“私有”的 IP 地址时,浏览器会触发“本地网络访问”权限弹窗。
According to Chrome's PNA specification, the IPv6 range fc00::/7 (ULA) is strictly classified as Private.
根据 Chrome 文档,IPv6 的 fc00::/7 (ULA) 范围被严格归类为私有网络。
Xray-core's default FakeDNS IPv6 range is fc00::/18. This causes almost every proxied request to trigger an annoying permission popup, because the browser thinks a public website is probing the user's local LAN.
Xray-core 目前默认的 FakeDNS IPv6 段是 fc00::/18。这导致几乎所有经过代理的请求都会触发权限弹窗,因为浏览器认为公网网站正在探测用户的局域网设备。
Proposal / 建议
I suggest changing the default FakeDNS IPv6 range from fc00::/18 to 2001:db8::/32.
建议将默认的 FakeDNS IPv6 段从 fc00::/18 修改为 2001:db8::/32。
Why this range? / 为什么选择这个段?
Bypass PNA:2001:db8::/32 is classified as Global Unicast, so it will not trigger the PNA security prompt in Chrome. (绕过拦截:它被识别为全局单播地址,不会触发弹窗。)
RFC 3849 Compliance: This range is reserved for "Documentation and Examples". It is non-routable on the public internet, ensuring zero conflict with real-world websites. (合规且无冲突:根据 RFC 3849,此段仅用于文档示例,不会在公网路由,确保了安全性。)
Better UX: It provides a seamless browsing experience while maintaining the benefits of FakeDNS. (更好的用户体验:保持 FakeDNS 功能的同时消除频繁的弹窗干扰。)
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Background / 背景
Recently, Chromium-based browsers (Chrome v141+) have fully enforced Private Network Access (PNA) protections.
最近,基于 Chromium 的浏览器正式启用了“私有网络访问 (PNA)”保护机制。
The Problem / 问题描述
When a public website (e.g.,
google.com) attempts to connect to an IP address classified as "Private", the browser triggers a "Local network access" permission prompt.当公网网站尝试连接被归类为“私有”的 IP 地址时,浏览器会触发“本地网络访问”权限弹窗。
According to Chrome's PNA specification, the IPv6 range
fc00::/7(ULA) is strictly classified as Private.根据 Chrome 文档,IPv6 的
fc00::/7(ULA) 范围被严格归类为私有网络。Xray-core's default FakeDNS IPv6 range is
fc00::/18. This causes almost every proxied request to trigger an annoying permission popup, because the browser thinks a public website is probing the user's local LAN.Xray-core 目前默认的 FakeDNS IPv6 段是
fc00::/18。这导致几乎所有经过代理的请求都会触发权限弹窗,因为浏览器认为公网网站正在探测用户的局域网设备。Proposal / 建议
I suggest changing the default FakeDNS IPv6 range from
fc00::/18to2001:db8::/32.建议将默认的 FakeDNS IPv6 段从
fc00::/18修改为2001:db8::/32。Why this range? / 为什么选择这个段?
2001:db8::/32is classified as Global Unicast, so it will not trigger the PNA security prompt in Chrome. (绕过拦截:它被识别为全局单播地址,不会触发弹窗。)References / 参考资料
Beta Was this translation helpful? Give feedback.
All reactions