22icon : material/alert-decagram
33---
44
5+ #### 1.14.0-alpha.15
6+
7+ * Add search domain support for Tailscale DNS ** 1**
8+ * Fixes and improvements
9+
10+ ** 1** :
11+
12+ See [ Tailscale DNS Server] ( /configuration/dns/server/tailscale/#accept_search_domain ) .
13+
514#### 1.13.9
615
716* Fixes and improvements
817
18+ #### 1.14.0-alpha.13
19+
20+ * Unify HTTP client ** 1**
21+ * Add Apple HTTP and TLS engines ** 2**
22+ * Unify HTTP/2 and QUIC parameters ** 3**
23+ * Add TLS spoof ** 4**
24+ * Fixes and improvements
25+
26+ ** 1** :
27+
28+ The new top-level [ ` http_clients ` ] ( /configuration/shared/http-client/ )
29+ option defines reusable HTTP clients (engine, version, dialer, TLS,
30+ HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
31+ — remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
32+ DERP ` verify_client_url ` , and the Tailscale ` control_http_client ` — now
33+ accept an inline HTTP client object or the tag of an ` http_clients `
34+ entry, replacing the dial and TLS fields previously inlined in each
35+ component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
36+ and Tailscale dial direct (their existing default).
37+
38+ Remote rule-sets are the only HTTP-using component whose default for an
39+ omitted ` http_client ` has historically resolved to the default outbound,
40+ not to direct, and a typical configuration contains many of them. To
41+ avoid repeating the same ` http_client ` block in every rule-set,
42+ [ ` route.default_http_client ` ] ( /configuration/route/#default_http_client )
43+ selects a default rule-set client by tag and is the only field that
44+ consults it. If ` default_http_client ` is empty and ` http_clients ` is
45+ non-empty, the first entry is used automatically. The legacy fallback
46+ (use the default outbound when ` http_clients ` is empty altogether) is
47+ preserved with a deprecation warning and will be removed in sing-box
48+ 1.16.0, together with the legacy ` download_detour ` remote rule-set
49+ option and the legacy dialer fields on Tailscale endpoints.
50+
51+ ** 2** :
52+
53+ A new ` apple ` engine is available on Apple platforms in two independent
54+ places:
55+
56+ * [ HTTP client ` engine ` ] ( /configuration/shared/http-client/#engine ) —
57+ routes HTTP requests through ` NSURLSession ` .
58+ * Outbound TLS [ ` engine ` ] ( /configuration/shared/tls/#engine ) — routes
59+ the TLS handshake through ` Network.framework ` for direct TCP TLS
60+ client connections.
61+
62+ The default remains ` go ` . Both engines come with additional CGO and
63+ framework memory overhead and platform restrictions documented on each
64+ field.
65+
66+ ** 3** :
67+
68+ [ HTTP/2] ( /configuration/shared/http2/ ) and
69+ [ QUIC] ( /configuration/shared/quic/ ) parameters
70+ (` idle_timeout ` , ` keep_alive_period ` , ` stream_receive_window ` ,
71+ ` connection_receive_window ` , ` max_concurrent_streams ` ,
72+ ` initial_packet_size ` , ` disable_path_mtu_discovery ` ) are now shared
73+ across QUIC-based outbounds
74+ ([ Hysteria] ( /configuration/outbound/hysteria/ ) ,
75+ [ Hysteria2] ( /configuration/outbound/hysteria2/ ) ,
76+ [ TUIC] ( /configuration/outbound/tuic/ ) ) and HTTP clients running HTTP/2
77+ or HTTP/3.
78+
79+ This deprecates the Hysteria v1 tuning fields ` recv_window_conn ` ,
80+ ` recv_window ` , ` recv_window_client ` , ` max_conn_client ` and
81+ ` disable_mtu_discovery ` ; they will be removed in sing-box 1.16.0.
82+
83+ ** 4** :
84+
85+ Added outbound TLS [ ` spoof ` ] ( /configuration/shared/tls/#spoof ) and
86+ [ ` spoof_method ` ] ( /configuration/shared/tls/#spoof_method ) fields. When
87+ enabled, a forged ClientHello carrying a whitelisted SNI is sent before
88+ the real handshake to fool SNI-filtering middleboxes. Requires
89+ ` CAP_NET_RAW ` + ` CAP_NET_ADMIN ` or root on Linux and macOS, and
90+ Administrator privileges on Windows (ARM64 is not supported). IP-literal
91+ server names are rejected.
92+
93+ #### 1.14.0-alpha.12
94+
95+ * Fix fake-ip DNS server should return SUCCESS when address type is not configured
96+ * Fixes and improvements
97+
998#### 1.13.8
1099
11100* Update naiveproxy to v147.0.7727.49-1
12101* Fix fake-ip DNS server should return SUCCESS when address type is not configured
13102* Fixes and improvements
14103
15- #### 1.13.7
104+ #### 1.14.0-alpha.11
16105
106+ * Add optimistic DNS cache ** 1**
107+ * Update NaiveProxy to 147.0.7727.49
17108* Fixes and improvements
18109
110+ ** 1** :
111+
112+ Optimistic DNS cache returns an expired cached response immediately while
113+ refreshing it in the background, reducing tail latency for repeated
114+ queries. Enabled via [ ` optimistic ` ] ( /configuration/dns/#optimistic )
115+ in DNS options, and can be persisted across restarts with the new
116+ [ ` store_dns ` ] ( /configuration/experimental/cache-file/#store_dns ) cache
117+ file option. A per-query
118+ [ ` disable_optimistic_cache ` ] ( /configuration/dns/rule_action/#disable_optimistic_cache )
119+ field is also available on DNS rule actions and the ` resolve ` route rule
120+ action.
121+
122+ This deprecates the ` independent_cache ` DNS option (the DNS cache now
123+ always keys by transport) and the ` store_rdrc ` cache file option
124+ (replaced by ` store_dns ` ); both will be removed in sing-box 1.16.0.
125+ See [ Migration] ( /migration/#migrate-independent-dns-cache ) .
126+
127+ #### 1.14.0-alpha.10
128+
129+ * Add ` evaluate ` DNS rule action and Response Match Fields ** 1**
130+ * ` ip_version ` and ` query_type ` now also take effect on internal DNS lookups ** 2**
131+ * Add ` package_name_regex ` route, DNS and headless rule item ** 3**
132+ * Add cloudflared inbound ** 4**
133+ * Fixes and improvements
134+
135+ ** 1** :
136+
137+ Response Match Fields
138+ ([ ` response_rcode ` ] ( /configuration/dns/rule/#response_rcode ) ,
139+ [ ` response_answer ` ] ( /configuration/dns/rule/#response_answer ) ,
140+ [ ` response_ns ` ] ( /configuration/dns/rule/#response_ns ) ,
141+ and [ ` response_extra ` ] ( /configuration/dns/rule/#response_extra ) )
142+ match the evaluated DNS response. They are gated by the new
143+ [ ` match_response ` ] ( /configuration/dns/rule/#match_response ) field and
144+ populated by a preceding
145+ [ ` evaluate ` ] ( /configuration/dns/rule_action/#evaluate ) DNS rule action;
146+ the evaluated response can also be returned directly by a
147+ [ ` respond ` ] ( /configuration/dns/rule_action/#respond ) action.
148+
149+ This deprecates the Legacy Address Filter Fields (` ip_cidr ` ,
150+ ` ip_is_private ` without ` match_response ` ) in DNS rules, the Legacy
151+ ` strategy ` DNS rule action option, and the Legacy
152+ ` rule_set_ip_cidr_accept_empty ` DNS rule item; all three will be removed
153+ in sing-box 1.16.0.
154+ See [ Migration] ( /migration/#migrate-address-filter-fields-to-response-matching ) .
155+
156+ ** 2** :
157+
158+ ` ip_version ` and ` query_type ` in DNS rules, together with ` query_type ` in
159+ referenced rule-sets, now take effect on every DNS rule evaluation,
160+ including matches from internal domain resolutions that do not target a
161+ specific DNS server (for example a ` resolve ` route rule action without
162+ ` server ` set). In earlier versions they were silently ignored in that
163+ path. Combining these fields with any of the legacy DNS fields deprecated
164+ in ** 1** in the same DNS configuration is no longer supported and is
165+ rejected at startup.
166+ See [ Migration] ( /migration/#ip_version-and-query_type-behavior-changes-in-dns-rules ) .
167+
168+ ** 3** :
169+
170+ See [ Route Rule] ( /configuration/route/rule/#package_name_regex ) ,
171+ [ DNS Rule] ( /configuration/dns/rule/#package_name_regex ) and
172+ [ Headless Rule] ( /configuration/rule-set/headless-rule/#package_name_regex ) .
173+
174+ ** 4** :
175+
176+ See [ Cloudflared] ( /configuration/inbound/cloudflared/ ) .
177+
178+ #### 1.13.7
179+
180+ * Fixes and improvement
181+
19182#### 1.13.6
20183
21184* Fixes and improvements
22185
186+ #### 1.14.0-alpha.8
187+
188+ * Add BBR profile and hop interval randomization for Hysteria2 ** 1**
189+ * Fixes and improvements
190+
191+ ** 1** :
192+
193+ See [ Hysteria2 Inbound] ( /configuration/inbound/hysteria2/#bbr_profile ) and [ Hysteria2 Outbound] ( /configuration/outbound/hysteria2/#bbr_profile ) .
194+
195+ #### 1.14.0-alpha.8
196+
197+ * Fixes and improvements
198+
23199#### 1.13.5
24200
25201* Fixes and improvements
26202
203+ #### 1.14.0-alpha.7
204+
205+ * Fixes and improvements
206+
27207#### 1.13.4
28208
29209* Fixes and improvements
30210
211+ #### 1.14.0-alpha.4
212+
213+ * Refactor ACME support to certificate provider system ** 1**
214+ * Add Cloudflare Origin CA certificate provider ** 2**
215+ * Add Tailscale certificate provider ** 3**
216+ * Fixes and improvements
217+
218+ ** 1** :
219+
220+ See [ Certificate Provider] ( /configuration/shared/certificate-provider/ ) and [ Migration] ( /migration/#migrate-inline-acme-to-certificate-provider ) .
221+
222+ ** 2** :
223+
224+ See [ Cloudflare Origin CA] ( /configuration/shared/certificate-provider/cloudflare-origin-ca ) .
225+
226+ ** 3** :
227+
228+ See [ Tailscale] ( /configuration/shared/certificate-provider/tailscale ) .
229+
31230#### 1.13.3
32231
33232* Add OpenWrt and Alpine APK packages to release ** 1**
@@ -52,6 +251,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
52251
53252See [ OCM] ( /configuration/service/ocm ) .
54253
254+ #### 1.12.24
255+
256+ * Fixes and improvements
257+
258+ #### 1.14.0-alpha.2
259+
260+ * Add OpenWrt and Alpine APK packages to release ** 1**
261+ * Backport to macOS 10.13 High Sierra ** 2**
262+ * OCM service: Add WebSocket support for Responses API ** 3**
263+ * Fixes and improvements
264+
265+ ** 1** :
266+
267+ Alpine APK files use ` linux ` in the filename to distinguish from OpenWrt APKs which use the ` openwrt ` prefix:
268+
269+ - OpenWrt: ` sing-box_{version}_openwrt_{architecture}.apk `
270+ - Alpine: ` sing-box_{version}_linux_{architecture}.apk `
271+
272+ ** 2** :
273+
274+ Legacy macOS binaries (with ` -legacy-macos-10.13 ` suffix) now support
275+ macOS 10.13 High Sierra, built using Go 1.25 with patches
276+ from [ SagerNet/go] ( https://github.com/SagerNet/go ) .
277+
278+ ** 3** :
279+
280+ See [ OCM] ( /configuration/service/ocm ) .
281+
282+ #### 1.14.0-alpha.1
283+
284+ * Add ` source_mac_address ` and ` source_hostname ` rule items ** 1**
285+ * Add ` include_mac_address ` and ` exclude_mac_address ` TUN options ** 2**
286+ * Update NaiveProxy to 145.0.7632.159 ** 3**
287+ * Fixes and improvements
288+
289+ ** 1** :
290+
291+ New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
292+ Supported on Linux, macOS, or in graphical clients on Android and macOS.
293+
294+ See [ Route Rule] ( /configuration/route/rule/#source_mac_address ) , [ DNS Rule] ( /configuration/dns/rule/#source_mac_address ) and [ Neighbor Resolution] ( /configuration/shared/neighbor/ ) .
295+
296+ ** 2** :
297+
298+ Limit or exclude devices from TUN routing by MAC address.
299+ Only supported on Linux with ` auto_route ` and ` auto_redirect ` enabled.
300+
301+ See [ TUN] ( /configuration/inbound/tun/#include_mac_address ) .
302+
303+ ** 3** :
304+
305+ This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
306+
55307#### 1.13.2
56308
57309* Fixes and improvements
0 commit comments