Currently, dokodemo-door acts as a passive TCP/UDP forwarder.
With sniffing, it could be possible to:
- Apply routing.rules with `domain:` match
- Allow/block specific domains (e.g., *.baidu.com, *.google.com)
- Log or redirect based on the requested domain

Real-world scenario: I'm running a public DNS/DoT entry point, so I want to enforce access rules. Certainly:
- Allow public DNS queries only to the base domain `ultibot.ru` to use it as a bootstrap point for Xray client config;
- Block everything else for public, but still run the Xray built-in resolver for all domains for private access (DNS over VLESS).

Adding this to Xray would make it even more powerful as a full-featured edge resolver.
Maybe the idea will be useful for Chinese people who host servers as well. This would be especially helpful for server operators in China who expose DNS or DoT endpoints and need to restrict access to specific domains while complying with local policies and avoiding DNS pollution or hijacking. Having sniffing in dokodemo-door would allow them to run Xray as a filtered edge DNS without needing to rely on external tools like dnsdist.
I believe no rewriting of destination address is needed to allow access control.
Thanks for delivering the great software, by the way. It is already very flexible; it allowed me to use DNS over TLS by simply adding `streamSettings` for the outbound, and much more.
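
What a DNS sniffer would have to do for the access rule requested above, as an added example that is not part of the original issue and is not Xray code: read the question name from a raw DNS query and pass only the exact base domain. The function names and sample packets are constructed for illustration; `framed` assumes the payload is seen with the 2-byte DNS-over-TCP length prefix (for DoT, after TLS termination).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sniffQName returns the lower-cased first question name of a raw DNS query.
// framed=true: payload starts with the 2-byte length prefix of DNS over TCP/DoT.
func sniffQName(msg []byte, framed bool) (string, error) {
	if framed {
		if len(msg) < 2 || int(binary.BigEndian.Uint16(msg)) > len(msg)-2 {
			return "", errors.New("truncated TCP frame")
		}
		msg = msg[2 : 2+int(binary.BigEndian.Uint16(msg))]
	}
	// 12-byte header; QR bit must be 0 (query) and QDCOUNT must be 1.
	if len(msg) < 12 || msg[2]&0x80 != 0 || binary.BigEndian.Uint16(msg[4:]) != 1 {
		return "", errors.New("not a single-question query")
	}
	var labels []string
	for i := 12; i < len(msg); {
		n := int(msg[i])
		if n == 0 { // root label terminates the name
			return strings.ToLower(strings.Join(labels, ".")), nil
		}
		if n > 63 || i+1+n > len(msg) { // also rejects compression pointers (0xC0..)
			return "", errors.New("malformed label")
		}
		labels = append(labels, string(msg[i+1:i+1+n]))
		i += 1 + n
	}
	return "", errors.New("unterminated name")
}
// allowPublic fails closed: only the exact base domain passes, no subdomains,
// and anything that cannot be parsed is blocked.
func allowPublic(msg []byte, framed bool, base string) bool {
	name, err := sniffQName(msg, framed)
	return err == nil && name == base
}
// Constructed sample queries (ID 0x1234, RD set, type A, class IN).
var sampleBase = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07ultibot\x02ru\x00\x00\x01\x00\x01")
var sampleSub = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07ultibot\x02ru\x00\x00\x01\x00\x01")

func main() {
	fmt.Println(allowPublic(sampleBase, false, "ultibot.ru"), allowPublic(sampleSub, false, "ultibot.ru"))
}
```

The name is lower-cased before comparison, so mixed-case queries for the base domain still match, while truncated packets and responses are rejected rather than forwarded.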