Compare commits


64 Commits

Author SHA1 Message Date
世界
bf9c0ea0d5
documentation: Bump version 2025-04-02 16:54:50 +08:00
世界
63d7444512
Allow direct outbounds without domain_resolver 2025-04-02 16:54:49 +08:00
世界
3533a86e53
Fix Tailscale dialer 2025-04-02 16:54:49 +08:00
dyhkwong
80d55f3d55
Fix DNS over QUIC stream close 2025-04-02 16:54:49 +08:00
anytls
cd506f1e50
Update anytls
Co-authored-by: anytls <anytls>
2025-04-02 16:54:48 +08:00
Rambling2076
5990cc18ff
Fix missing with_tailscale in Dockerfile
Signed-off-by: Rambling2076 <Rambling2076@proton.me>
2025-04-02 16:54:48 +08:00
世界
a44c7ffb91
Fail when default DNS server not found 2025-04-02 16:54:48 +08:00
世界
8292ac1043
Update gVisor to 20250319.0 2025-04-02 16:54:48 +08:00
世界
30c1c364b3
release: Do not build tailscale on iOS and tvOS 2025-04-02 16:54:47 +08:00
世界
a64c520de2
Explicitly reject detour to empty direct outbounds 2025-04-02 16:54:47 +08:00
世界
74bfea713d
Add netns support 2025-04-02 16:54:47 +08:00
世界
63f10d37ff
Add wildcard name support for predefined records 2025-04-02 16:54:46 +08:00
世界
8c231fbc38
Remove map usage in options 2025-04-02 16:54:46 +08:00
世界
1cfbee8293
Fix unhandled DNS loop 2025-04-02 16:54:46 +08:00
世界
529d41ed6a
Add wildcard-sni support for shadow-tls inbound 2025-04-02 16:54:46 +08:00
世界
8af464eb7e
Fix Tailscale DNS 2025-04-02 16:51:29 +08:00
k9982874
3766bbbf9d
Add ntp protocol sniffing 2025-04-02 16:51:28 +08:00
世界
0d65af5d0a
option: Fix marshal legacy DNS options 2025-04-02 16:51:28 +08:00
世界
439f3c05ec
Make domain_resolver optional when only one DNS server is configured 2025-04-02 16:51:28 +08:00
世界
e3a1e71e4d
Fix DNS lookup context pollution 2025-04-02 16:51:27 +08:00
世界
83c284749e
Fix http3 DNS server connecting to wrong address 2025-04-02 16:51:26 +08:00
Restia-Ashbell
d95fc51be4
documentation: Fix typo 2025-04-02 16:51:26 +08:00
anytls
6cccfafc10
Update sing-anytls
Co-authored-by: anytls <anytls>
2025-04-02 16:51:25 +08:00
k9982874
650e85e684
Fix hosts DNS server 2025-04-02 16:51:25 +08:00
世界
edfd6fb29d
Fix UDP DNS server crash 2025-04-02 16:51:25 +08:00
世界
452ca3f5e6
documentation: Fix missing ip_accept_any DNS rule option 2025-04-02 16:51:24 +08:00
世界
693da37d62
Fix anytls dialer usage 2025-04-02 16:51:24 +08:00
世界
4f902b8507
Move predefined DNS server to rule action 2025-04-02 16:51:23 +08:00
世界
de9ceb82bb
Fix domain resolver on direct outbound 2025-04-02 16:51:23 +08:00
Zephyruso
112508ccbb
Fix missing AnyTLS display name 2025-04-02 16:51:23 +08:00
anytls
6fb224dd05
Update sing-anytls
Co-authored-by: anytls <anytls>
2025-04-02 16:51:23 +08:00
Estel
683c5b71ed
documentation: Fix typo
Signed-off-by: Estel <callmebedrockdigger@gmail.com>
2025-04-02 16:51:23 +08:00
TargetLocked
174b857658
Fix parsing legacy DNS options 2025-04-02 16:51:22 +08:00
世界
5d63c7a0da
Fix DNS fallback 2025-04-02 16:51:21 +08:00
世界
09f89b4181
documentation: Fix missing hosts DNS server 2025-04-02 16:51:21 +08:00
anytls
c9522fd6d6
Add MinIdleSession option to AnyTLS outbound
Co-authored-by: anytls <anytls>
2025-04-02 16:51:21 +08:00
ReleTor
9e9886b140
documentation: Minor fixes 2025-04-02 16:51:21 +08:00
libtry486
f5dc2ec1dc
documentation: Fix typo
fix typo

Signed-off-by: libtry486 <89328481+libtry486@users.noreply.github.com>
2025-04-02 16:51:21 +08:00
Alireza Ahmadi
e0202da833
Fix Outbound deadlock 2025-04-02 16:51:20 +08:00
世界
db01fe90e4
documentation: Fix AnyTLS doc 2025-04-02 16:51:20 +08:00
anytls
104ea172c0
Add AnyTLS protocol 2025-04-02 16:51:20 +08:00
世界
341958d7c1
Migrate to stdlib ECH support 2025-04-02 16:51:19 +08:00
世界
05fea2a199
Add fallback local DNS server for iOS 2025-04-02 16:51:18 +08:00
世界
cc294c4616
Get darwin local DNS server from libresolv 2025-04-02 16:51:18 +08:00
世界
b99c6a0025
Improve resolve action 2025-04-02 16:51:18 +08:00
世界
845138a1d8
Fix toolchain version 2025-04-02 16:51:17 +08:00
世界
0645ebe73f
Add back port hopping to hysteria 1 2025-04-02 16:51:17 +08:00
世界
1847cb6dfb
Update dependencies 2025-04-02 16:51:17 +08:00
xchacha20-poly1305
1dd716453d
Remove single quotes of raw Moziila certs 2025-04-02 16:51:16 +08:00
世界
456eb3dcdc
Add Tailscale endpoint 2025-04-02 16:51:16 +08:00
世界
8f9454ce72
Build legacy binaries with latest Go 2025-04-02 16:51:15 +08:00
世界
3bae0c96bc
documentation: Remove outdated icons 2025-04-02 16:51:15 +08:00
世界
0153fc7e08
documentation: Certificate store 2025-04-02 16:51:15 +08:00
世界
a52ee299e6
documentation: TLS fragment 2025-04-02 16:51:15 +08:00
世界
bf0e71f32a
documentation: Outbound domain resolver 2025-04-02 16:51:15 +08:00
世界
b2dcb4dc03
documentation: Refactor DNS 2025-04-02 16:51:13 +08:00
世界
221c003ce0
Add certificate store 2025-04-02 16:51:13 +08:00
世界
8b7c8dcdb4
Add TLS fragment support 2025-04-02 16:51:13 +08:00
世界
360b25e53c
refactor: Outbound domain resolver 2025-04-02 16:51:12 +08:00
世界
6c9e61a0a0
refactor: DNS 2025-04-02 16:51:12 +08:00
世界
572ee775b1
Bump version 2025-04-02 16:50:36 +08:00
世界
4f98009a15
Improve auto redirect 2025-04-02 16:50:36 +08:00
世界
0d54aee584
test: Force auto-redirect mark mode 2025-04-02 13:44:39 +08:00
世界
f4c29840c3
Fix DNS sniffer 2025-03-31 20:45:04 +08:00
10 changed files with 65 additions and 20 deletions


@ -24,6 +24,7 @@ type Options struct {
ResolverOnDetour bool
NewDialer bool
LegacyDNSDialer bool
DirectOutbound bool
}
// TODO: merge with NewWithOptions
@ -108,7 +109,7 @@ func NewWithOptions(options Options) (N.Dialer, error) {
dnsQueryOptions.Transport = dnsTransport.Default()
} else if options.NewDialer {
return nil, E.New("missing domain resolver for domain server address")
} else {
} else if !options.DirectOutbound {
deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
}
}
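Review bot: The new `DirectOutbound` field in `Options` carries no comment, and its only visible effect is the `else if !options.DirectOutbound` branch in `NewWithOptions`, where it silences `deprecated.OptionMissingDomainResolver`. I would document it on the field, e.g. `// DirectOutbound marks a dialer built for a direct outbound, which may run without a domain resolver; the missing-resolver deprecation report is skipped for it.` The `options.NewDialer` branch is tested first, so a caller setting both flags still gets the "missing domain resolver" error; if that ordering is intended, it deserves a one-line why-comment. `NewWithOptions` starts and ends outside this hunk, so which resolver a direct outbound falls back to when none is configured cannot be confirmed from here.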


@ -11,7 +11,6 @@ import (
C "github.com/sagernet/sing-box/constant"
"github.com/sagernet/sing/common"
"github.com/sagernet/sing/common/buf"
M "github.com/sagernet/sing/common/metadata"
"github.com/sagernet/sing/common/task"
mDNS "github.com/miekg/dns"
@ -47,9 +46,6 @@ func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, pack
if err != nil {
return err
}
if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
return os.ErrInvalid
}
metadata.Protocol = C.ProtocolDNS
return nil
}
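Review bot: `DomainNameQuery` now appears to set `metadata.Protocol = C.ProtocolDNS` for anything that unpacks as a DNS message. The second hunk shrinks from 9 to 6 lines and the `M` import is dropped, which matches the whole `len(msg.Question) == 0 || ... || !M.IsDomainName(...)` guard being removed. The accompanying test queries `*.google.com`, so only the `M.IsDomainName` clause had to go. Without the other two clauses, a message with no question or a non-IN class is labelled DNS and could be matched by rules keyed on the sniffed protocol. I would keep `if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET { return os.ErrInvalid }`. The function begins outside the hunk, so any earlier length or unpack checks are not visible here.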

23
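--- a/common/sniff/dns_test.go
+++ b/common/sniff/dns_test.go
@@ -0,0 +1,23 @@
+package sniff_test
+import (
+"context"
+"encoding/hex"
+"testing"
+"github.com/sagernet/sing-box/adapter"
+"github.com/sagernet/sing-box/common/sniff"
+C "github.com/sagernet/sing-box/constant"
+"github.com/stretchr/testify/require"
+)
+func TestSniffDNS(t *testing.T) {
+t.Parallel()
+query, err := hex.DecodeString("740701000001000000000000012a06676f6f676c6503636f6d0000010001")
+require.NoError(t, err)
+var metadata adapter.InboundContext
+err = sniff.DomainNameQuery(context.TODO(), &metadata, query)
+require.NoError(t, err)
+require.Equal(t, C.ProtocolDNS, metadata.Protocol)
+}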
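Review bot: `TestSniffDNS` asserts only the accepted case, a single A query for `*.google.com`, so nothing pins what `sniff.DomainNameQuery` must still reject. Because this sniffer decides whether a packet is labelled `C.ProtocolDNS`, I would add a negative case with a fresh `adapter.InboundContext` and a truncated payload, asserting `require.Error(t, err)` and `require.Empty(t, metadata.Protocol)`. A short comment next to the hex string naming the decoded query (`// A IN *.google.com`) would also save the next reader from decoding it by hand.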


@ -2,10 +2,16 @@
icon: material/alert-decagram
---
#### 1.12.0-alpha.23
#### 1.12.0-beta.1
* Improve `auto_redirect` **1**
* Fixes and improvements
**1**:
Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
see [Tun](/configuration/inbound/tun/#auto_redirect).
### 1.11.6
* Fixes and improvements


@ -211,6 +211,10 @@ Set the default route to the Tun.
By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
!!! note "Also enable `auto_redirect`"
`auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts with Docker bridge networks.
#### iproute2_table_index
!!! question "Since sing-box 1.10.0"
@ -237,6 +241,10 @@ Linux iproute2 rule start index generated by `auto_route`.
Automatically configure iptables/nftables to redirect connections.
Auto redirect is always recommended on Linux, it provides better routing,
higher performance (better than tproxy),
and avoids conflicts with Docker bridge networks.
*In Android*
Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater,
@ -246,11 +254,13 @@ use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
`auto_route` with `auto_redirect` works as expected on routers **without intervention**.
Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
#### auto_redirect_input_mark
!!! question "Since sing-box 1.10.0"
Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
Connection input mark used by `auto_redirect`.
`0x2023` is used by default.
@ -258,7 +268,7 @@ Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`
!!! question "Since sing-box 1.10.0"
Connection input mark used by `route[_exclude]_address_set` with `auto_redirect`.
Connection output mark used by `auto_redirect`.
`0x2024` is used by default.
@ -368,8 +378,6 @@ Exclude custom routes when `auto_route` is enabled.
Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Matched traffic will bypass the sing-box routes.
Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
=== "Without `auto_redirect` enabled"
!!! question "Since sing-box 1.11.0"


@ -215,6 +215,10 @@ tun 接口的 IPv6 前缀。
VPN 默认优先于 tun。要使 tun 经过 VPN启用 `route.override_android_vpn`
!!! note "也启用 `auto_redirect`"
在 Linux 上始终推荐使用 `auto_redirect`,它提供更好的路由, 更高的性能(优于 tproxy 并避免与 Docker 桥接网络冲突。
#### iproute2_table_index
!!! question "自 sing-box 1.10.0 起"
@ -241,19 +245,23 @@ tun 接口的 IPv6 前缀。
自动配置 iptables/nftables 以重定向连接。
在 Linux 上始终推荐使用 auto redirect它提供更好的路由 更高的性能(优于 tproxy 并避免与 Docker 桥接网络冲突。
*在 Android 中*
仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接,请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
*在 Linux 中*:
带有 `auto_redirect ``auto_route` 可以在路由器上按预期工作,**无需干预**。
带有 `auto_redirect``auto_route` 在路由器上**无需干预**即可按预期工作。
`route.default_mark``[dialOptions].routing_mark` 冲突。
#### auto_redirect_input_mark
!!! question "自 sing-box 1.10.0 起"
`route_address_set` 和 `route_exclude_address_set` 使用的连接输入标记。
`auto_redriect` 使用的连接输入标记。
默认使用 `0x2023`
@ -261,7 +269,7 @@ tun 接口的 IPv6 前缀。
!!! question "自 sing-box 1.10.0 起"
`route_address_set` 和 `route_exclude_address_set` 使用的连接输出标记。
`auto_redriect` 使用的连接输出标记。
默认使用 `0x2024`
@ -342,8 +350,6 @@ tun 接口的 IPv6 前缀。
将指定规则集中的目标 IP CIDR 规则添加到防火墙。
不匹配的流量将绕过 sing-box 路由。
`route.default_mark``[dialOptions].routing_mark` 冲突。
=== "`auto_redirect` 未启用"
!!! question "自 sing-box 1.11.0 起"

2
go.mod

@ -32,7 +32,7 @@ require (
github.com/sagernet/sing-shadowsocks v0.2.7
github.com/sagernet/sing-shadowsocks2 v0.2.0
github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056
github.com/sagernet/sing-tun v0.6.2-0.20250319123703-35b5747b44ec
github.com/sagernet/sing-tun v0.6.2
github.com/sagernet/sing-vmess v0.2.0
github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
github.com/sagernet/tailscale v1.80.3-mod.2

4
go.sum

@ -190,8 +190,8 @@ github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wK
github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056 h1:GFNJQAHhSXqAfxAw1wDG/QWbdpGH5Na3k8qUynqWnEA=
github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056/go.mod h1:HyacBPIFiKihJQR8LQp56FM4hBtd/7MZXnRxxQIOPsc=
github.com/sagernet/sing-tun v0.6.2-0.20250319123703-35b5747b44ec h1:9/OYGb9qDmUFIhqd3S+3eni62EKRQR1rSmRH18baA/M=
github.com/sagernet/sing-tun v0.6.2-0.20250319123703-35b5747b44ec/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
github.com/sagernet/sing-tun v0.6.2 h1:SoylB/8dA6bRWoUhi4GbFb4WkKL0SMCpmYcvumPndo0=
github.com/sagernet/sing-tun v0.6.2/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=


@ -48,7 +48,12 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
if options.Detour != "" {
return nil, E.New("`detour` is not supported in direct context")
}
outboundDialer, err := dialer.New(ctx, options.DialerOptions, true)
outboundDialer, err := dialer.NewWithOptions(dialer.Options{
Context: ctx,
Options: options.DialerOptions,
RemoteIsDomain: true,
DirectOutbound: true,
})
if err != nil {
return nil, err
}
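Review bot: Swapping `dialer.New(ctx, options.DialerOptions, true)` for a hand-built `dialer.Options` in `NewOutbound` is only equivalent if `dialer.New` sets nothing beyond `Context`, `Options` and `RemoteIsDomain`. Its body is not part of this diff, so any other defaults it applies would be silently dropped here and should be checked against the helper marked `// TODO: merge with NewWithOptions`. A why-comment on the new field would make the intent reviewable, e.g. `// DirectOutbound: a direct outbound may omit domain_resolver, so no deprecation report is raised.` `NewOutbound` continues outside the hunk.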


@ -245,7 +245,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
if err != nil {
return nil, E.Cause(err, "initialize auto-redirect")
}
if !C.IsAndroid && (len(inbound.routeRuleSet) > 0 || len(inbound.routeExcludeRuleSet) > 0) {
if !C.IsAndroid {
inbound.tunOptions.AutoRedirectMarkMode = true
err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
if err != nil {