Make DNS hijack optional

redirect_iptables.go

@@ -7,6 +7,7 @@ import (
 	"os/exec"
 	"strings"
 
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 
@@ -109,16 +110,21 @@ func (r *autoRedirect) setupIPTables(family int) error {
 			return err
 		}
 	}
-	var dnsServerAddress netip.Addr
+	if !r.tunOptions.EXP_DisableDNSHijack {
+		dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
+			return it.Is4() == (family == unix.AF_INET)
+		})
+		if !dnsServer.IsValid() {
 			if family == unix.AF_INET {
-		dnsServerAddress = r.tunOptions.Inet4Address[0].Addr().Next()
+				dnsServer = r.tunOptions.Inet4Address[0].Addr().Next()
 			} else {
-		dnsServerAddress = r.tunOptions.Inet6Address[0].Addr().Next()
+				dnsServer = r.tunOptions.Inet6Address[0].Addr().Next()
+			}
 		}
 		if len(routeAddress) > 0 {
 			for _, address := range routeAddress {
 				err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
-				"-d", address.String(), "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+					"-d", address.String(), "-p udp --dport 53 -j DNAT --to", dnsServer)
 				if err != nil {
 					return err
 				}
@@ -126,7 +132,7 @@ func (r *autoRedirect) setupIPTables(family int) error {
 		} else if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 {
 			for _, name := range r.tunOptions.IncludeInterface {
 				err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
-				"-i", name, "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+					"-i", name, "-p udp --dport 53 -j DNAT --to", dnsServer)
 				if err != nil {
 					return err
 				}
@@ -134,7 +140,7 @@ func (r *autoRedirect) setupIPTables(family int) error {
 			for _, uidRange := range r.tunOptions.IncludeUID {
 				for uid := uidRange.Start; uid <= uidRange.End; uid++ {
 					err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
-					"-m owner --uid-owner", uid, "-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+						"-m owner --uid-owner", uid, "-p udp --dport 53 -j DNAT --to", dnsServer)
 					if err != nil {
 						return err
 					}
@@ -142,11 +148,12 @@ func (r *autoRedirect) setupIPTables(family int) error {
 			}
 		} else {
 			err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing,
-			"-p udp --dport 53 -j DNAT --to", dnsServerAddress)
+				"-p udp --dport 53 -j DNAT --to", dnsServer)
 			if err != nil {
 				return err
 			}
 		}
+	}
 
 	err = r.runShell(iptablesPath, "-t nat -A", tableNamePreRouteing, "-m addrtype --dst-type LOCAL -j RETURN")
 	if err != nil {

redirect_linux.go

@@ -2,15 +2,16 @@ package tun
 
 import (
 	"context"
+	"net/netip"
+	"os"
+	"os/exec"
+	"runtime"
+
 	"github.com/sagernet/nftables"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
-	"net/netip"
-	"os"
-	"os/exec"
-	"runtime"
 
 	"golang.org/x/sys/unix"
 )
@@ -39,6 +40,7 @@ func NewAutoRedirect(options AutoRedirectOptions) (AutoRedirect, error) {
 		ctx:                    options.Context,
 		handler:                options.Handler,
 		logger:                 options.Logger,
+		tableName:              options.TableName,
 		useNFTables:            runtime.GOOS != "android" && !options.DisableNFTables,
 		customRedirectPortFunc: options.CustomRedirectPort,
 	}

redirect_nftables.go

@@ -8,6 +8,7 @@ import (
 	"github.com/sagernet/nftables"
 	"github.com/sagernet/nftables/binaryutil"
 	"github.com/sagernet/nftables/expr"
+	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 
 	"golang.org/x/sys/unix"
@@ -138,35 +139,40 @@ func (r *autoRedirect) setupNFTables(family int) error {
 		}
 	}
 
-	var dnsServerAddress netip.Addr
+	if !r.tunOptions.EXP_DisableDNSHijack {
-	if table.Family == nftables.TableFamilyIPv4 {
+		dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
-		dnsServerAddress = r.tunOptions.Inet4Address[0].Addr().Next()
+			return it.Is4() == (family == unix.AF_INET)
+		})
+		if !dnsServer.IsValid() {
+			if family == unix.AF_INET {
+				dnsServer = r.tunOptions.Inet4Address[0].Addr().Next()
 			} else {
-		dnsServerAddress = r.tunOptions.Inet6Address[0].Addr().Next()
+				dnsServer = r.tunOptions.Inet6Address[0].Addr().Next()
+			}
 		}
-
 		if len(r.tunOptions.IncludeInterface) > 0 || len(r.tunOptions.IncludeUID) > 0 {
 			for _, name := range r.tunOptions.IncludeInterface {
 				nft.AddRule(&nftables.Rule{
 					Table: table,
 					Chain: chainPreRouting,
-				Exprs: nftablesRuleIfName(expr.MetaKeyIIFNAME, name, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServerAddress)...)...),
+					Exprs: nftablesRuleIfName(expr.MetaKeyIIFNAME, name, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...)...),
 				})
 			}
 			for _, uidRange := range r.tunOptions.IncludeUID {
 				nft.AddRule(&nftables.Rule{
 					Table: table,
 					Chain: chainPreRouting,
-				Exprs: nftablesRuleMetaUInt32Range(expr.MetaKeySKUID, uidRange, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServerAddress)...)...),
+					Exprs: nftablesRuleMetaUInt32Range(expr.MetaKeySKUID, uidRange, append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...)...),
 				})
 			}
 		} else {
 			nft.AddRule(&nftables.Rule{
 				Table: table,
 				Chain: chainPreRouting,
-			Exprs: append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServerAddress)...),
+				Exprs: append(routeExprs, nftablesRuleHijackDNS(table.Family, dnsServer)...),
 			})
 		}
+	}
 
 	nft.AddRule(&nftables.Rule{
 		Table: table,

stack_gvisor_udp.go

@@ -138,7 +138,6 @@ func (w *UDPBackWriter) WritePacket(packetBuffer *buf.Buffer, destination M.Sock
 		TTL:      route.DefaultTTL(),
 		TOS:      0,
 	}, packet)
-
 	if err != nil {
 		route.Stats().UDP.PacketSendErrors.Increment()
 		return wrapStackError(err)

tun.go

@@ -48,6 +48,8 @@ type Options struct {
 	MTU                      uint32
 	GSO                      bool
 	AutoRoute                bool
+	DNSServers               []netip.Addr
+	IPRoute2RuleIndex        int
 	StrictRoute              bool
 	Inet4RouteAddress        []netip.Prefix
 	Inet6RouteAddress        []netip.Prefix
@@ -67,6 +69,9 @@ type Options struct {
 
 	// No work for TCP, do not use.
 	_TXChecksumOffload bool
+
+	// For library usages.
+	EXP_DisableDNSHijack bool
 }
 
 func CalculateInterfaceName(name string) (tunName string) {

tun_linux.go

@@ -359,11 +359,6 @@ func (t *NativeTun) routes(tunLink netlink.Link) ([]netlink.Route, error) {
 	}), nil
 }
 
-const (
-	ruleStart = 9000
-	ruleEnd   = ruleStart + 10
-)
-
 func (t *NativeTun) nextIndex6() int {
 	ruleList, err := netlink.RuleList(netlink.FAMILY_V6)
 	if err != nil {
@@ -411,9 +406,14 @@ func (t *NativeTun) rules() []*netlink.Rule {
 	var it *netlink.Rule
 
 	excludeRanges := t.options.ExcludedRanges()
+
+	ruleStart := t.options.IPRoute2RuleIndex
+	if ruleStart == 0 {
+		ruleStart = 9000
+	}
 	priority := ruleStart
 	priority6 := priority
-	nopPriority := ruleEnd
+	nopPriority := ruleStart + 10
 
 	for _, excludeRange := range excludeRanges {
 		if p4 {
@@ -788,6 +788,11 @@ func (t *NativeTun) unsetRules() error {
 			return err
 		}
 		for _, rule := range ruleList {
+			ruleStart := t.options.IPRoute2RuleIndex
+			if ruleStart == 0 {
+				ruleStart = 9000
+			}
+			ruleEnd := ruleStart + 10
 			if rule.Priority >= ruleStart && rule.Priority <= ruleEnd {
 				ruleToDel := netlink.NewRule()
 				ruleToDel.Family = rule.Family
@@ -820,20 +825,28 @@ func (t *NativeTun) routeUpdate(event int) {
 }
 
 func (t *NativeTun) setSearchDomainForSystemdResolved() {
+	if t.options.EXP_DisableDNSHijack {
+		return
+	}
 	ctlPath, err := exec.LookPath("resolvectl")
 	if err != nil {
 		return
 	}
-	var dnsServer []netip.Addr
+	dnsServer := t.options.DNSServers
+	if len(dnsServer) == 0 {
 		if len(t.options.Inet4Address) > 0 {
 			dnsServer = append(dnsServer, t.options.Inet4Address[0].Addr().Next())
 		}
 		if len(t.options.Inet6Address) > 0 {
 			dnsServer = append(dnsServer, t.options.Inet6Address[0].Addr().Next())
 		}
-	go shell.Exec(ctlPath, "domain", t.options.Name, "~.").Run()
-	if t.options.AutoRoute {
-		go shell.Exec(ctlPath, "default-route", t.options.Name, "true").Run()
-		go shell.Exec(ctlPath, append([]string{"dns", t.options.Name}, common.Map(dnsServer, netip.Addr.String)...)...).Run()
 	}
+	if len(dnsServer) == 0 {
+		return
+	}
+	go func() {
+		_ = shell.Exec(ctlPath, "domain", t.options.Name, "~.").Run()
+		_ = shell.Exec(ctlPath, "default-route", t.options.Name, "true").Run()
+		_ = shell.Exec(ctlPath, append([]string{"dns", t.options.Name}, common.Map(dnsServer, netip.Addr.String)...)...).Run()
+	}()
 }

tun_windows.go

@@ -72,21 +72,33 @@ func (t *NativeTun) configure() error {
 		if err != nil {
 			return E.Cause(err, "set ipv4 address")
 		}
-		err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), []netip.Addr{t.options.Inet4Address[0].Addr().Next()}, nil)
+		if !t.options.EXP_DisableDNSHijack {
+			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is4)
+			if len(dnsServers) == 0 {
+				dnsServers = []netip.Addr{t.options.Inet4Address[0].Addr().Next()}
+			}
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), dnsServers, nil)
 			if err != nil {
 				return E.Cause(err, "set ipv4 dns")
 			}
 		}
+	}
 	if len(t.options.Inet6Address) > 0 {
 		err := luid.SetIPAddressesForFamily(winipcfg.AddressFamily(windows.AF_INET6), t.options.Inet6Address)
 		if err != nil {
 			return E.Cause(err, "set ipv6 address")
 		}
-		err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), []netip.Addr{t.options.Inet6Address[0].Addr().Next()}, nil)
+		if !t.options.EXP_DisableDNSHijack {
+			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is6)
+			if len(dnsServers) == 0 {
+				dnsServers = []netip.Addr{t.options.Inet6Address[0].Addr().Next()}
+			}
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), dnsServers, nil)
 			if err != nil {
 				return E.Cause(err, "set ipv6 dns")
 			}
 		}
+	}
 	if len(t.options.Inet4Address) > 0 || len(t.options.Inet6Address) > 0 {
 		_ = luid.DisableDNSRegistration()
 	}
@@ -284,19 +296,16 @@ func (t *NativeTun) configure() error {
 			}
 		}
 
-		blockDNSCondition := make([]winsys.FWPM_FILTER_CONDITION0, 2)
+		if !t.options.EXP_DisableDNSHijack {
-		blockDNSCondition[0].FieldKey = winsys.FWPM_CONDITION_IP_PROTOCOL
+			blockDNSCondition := make([]winsys.FWPM_FILTER_CONDITION0, 1)
+			blockDNSCondition[0].FieldKey = winsys.FWPM_CONDITION_IP_REMOTE_PORT
 			blockDNSCondition[0].MatchType = winsys.FWP_MATCH_EQUAL
-		blockDNSCondition[0].ConditionValue.Type = winsys.FWP_UINT8
+			blockDNSCondition[0].ConditionValue.Type = winsys.FWP_UINT16
-		blockDNSCondition[0].ConditionValue.Value = uintptr(uint8(winsys.IPPROTO_UDP))
+			blockDNSCondition[0].ConditionValue.Value = uintptr(uint16(53))
-		blockDNSCondition[1].FieldKey = winsys.FWPM_CONDITION_IP_REMOTE_PORT
-		blockDNSCondition[1].MatchType = winsys.FWP_MATCH_EQUAL
-		blockDNSCondition[1].ConditionValue.Type = winsys.FWP_UINT16
-		blockDNSCondition[1].ConditionValue.Value = uintptr(uint16(53))
 
 			blockDNSFilter4 := winsys.FWPM_FILTER0{}
 			blockDNSFilter4.FilterCondition = &blockDNSCondition[0]
-		blockDNSFilter4.NumFilterConditions = 2
+			blockDNSFilter4.NumFilterConditions = 1
 			blockDNSFilter4.DisplayData = winsys.CreateDisplayData(TunnelType, "block ipv4 dns")
 			blockDNSFilter4.SubLayerKey = subLayerKey
 			blockDNSFilter4.LayerKey = winsys.FWPM_LAYER_ALE_AUTH_CONNECT_V4
@@ -310,7 +319,7 @@ func (t *NativeTun) configure() error {
 
 			blockDNSFilter6 := winsys.FWPM_FILTER0{}
 			blockDNSFilter6.FilterCondition = &blockDNSCondition[0]
-		blockDNSFilter6.NumFilterConditions = 2
+			blockDNSFilter6.NumFilterConditions = 1
 			blockDNSFilter6.DisplayData = winsys.CreateDisplayData(TunnelType, "block ipv6 dns")
 			blockDNSFilter6.SubLayerKey = subLayerKey
 			blockDNSFilter6.LayerKey = winsys.FWPM_LAYER_ALE_AUTH_CONNECT_V6
@@ -322,6 +331,7 @@ func (t *NativeTun) configure() error {
 				return os.NewSyscallError("FwpmFilterAdd0", err)
 			}
 		}
+	}
 
 	return nil
 }