Add DNS mode

nekohasekai · nekohasekai · commit 2d297555be66 · 2026-05-02T15:28:40.000+08:00
diff --git a/redirect_nftables_rules.go b/redirect_nftables_rules.go
@@ -675,7 +675,7 @@ func (r *autoRedirect) nftablesCreateExcludeRules(nft *nftables.Conn, table *nft
 		nftablesCreateExcludeDestinationIPSet(nft, table, chain, inet6RouteExcludeAddress.ID, inet6RouteExcludeAddress.Name, nftables.TableFamilyIPv6, false)
 	}
 
-	if !r.tunOptions.EXP_DisableDNSHijack && ((chain.Hooknum == nftables.ChainHookPrerouting && chain.Type == nftables.ChainTypeNAT) ||
+	if r.tunOptions.DNSMode == DNSModeHijack && ((chain.Hooknum == nftables.ChainHookPrerouting && chain.Type == nftables.ChainTypeNAT) ||
 		(r.tunOptions.AutoRedirectMarkMode && chain.Hooknum == nftables.ChainHookOutput && chain.Type == nftables.ChainTypeNAT)) {
 		if r.enableIPv4 {
 			err := r.nftablesCreateDNSHijackRulesForFamily(nft, table, chain, nftables.TableFamilyIPv4, 5, "inet4_local_address_set")
@@ -997,23 +997,19 @@ func (r *autoRedirect) nftablesCreateDNSHijackRulesForFamily(
 	if err != nil {
 		return E.Cause(err, "add dns protocol set")
 	}
-	dnsServer := common.Find(r.tunOptions.DNSServers, func(it netip.Addr) bool {
-		return it.Is4() == (family == nftables.TableFamilyIPv4)
-	})
-	if !dnsServer.IsValid() {
-		if family == nftables.TableFamilyIPv4 {
-			if HasNextAddress(r.tunOptions.Inet4Address[0], 1) {
-				dnsServer = r.tunOptions.Inet4Address[0].Addr().Next()
-			}
-		} else {
-			if HasNextAddress(r.tunOptions.Inet6Address[0], 1) {
-				dnsServer = r.tunOptions.Inet6Address[0].Addr().Next()
-			}
-		}
+	var dnsServers []netip.Addr
+	if family == nftables.TableFamilyIPv4 {
+		dnsServers, err = r.tunOptions.Inet4DNSAddress()
+	} else {
+		dnsServers, err = r.tunOptions.Inet6DNSAddress()
+	}
+	if err != nil {
+		return err
 	}
-	if !dnsServer.IsValid() {
+	if len(dnsServers) == 0 {
 		return nil
 	}
+	dnsServer := dnsServers[0]
 	exprs := []expr.Any{
 		&expr.Meta{
 			Key:      expr.MetaKeyNFPROTO,
diff --git a/tun.go b/tun.go
@@ -9,8 +9,10 @@ import (
 	"strings"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@@ -68,6 +70,12 @@ const (
 	DefaultIPRoute2AutoRedirectFallbackRuleIndex = 32768
 )
 
+const (
+	DNSModeDisabled = "disabled"
+	DNSModeNative   = "native"
+	DNSModeHijack   = "hijack"
+)
+
 type Options struct {
 	Name                                  string
 	Inet4Address                          []netip.Prefix
@@ -78,7 +86,8 @@ type Options struct {
 	InterfaceScope                        bool
 	Inet4Gateway                          netip.Addr
 	Inet6Gateway                          netip.Addr
-	DNSServers                            []netip.Addr
+	DNSMode                               string
+	DNSAddress                            []netip.Addr
 	IPRoute2TableIndex                    int
 	IPRoute2RuleIndex                     int
 	IPRoute2AutoRedirectFallbackRuleIndex int
@@ -124,6 +133,65 @@ type Options struct {
 	EXP_SendMsgX bool
 }
 
+func (o *Options) NormalizeDNSMode() error {
+	switch o.DNSMode {
+	case "":
+		if o.EXP_DisableDNSHijack {
+			o.DNSMode = DNSModeDisabled
+		} else {
+			o.DNSMode = DNSModeHijack
+		}
+	case DNSModeDisabled, DNSModeNative, DNSModeHijack:
+	default:
+		return E.New("unknown DNS mode: ", o.DNSMode)
+	}
+	return nil
+}
+
+func (o *Options) DNSServerAddress() ([]netip.Addr, error) {
+	inet4DNS, err := o.Inet4DNSAddress()
+	if err != nil {
+		return nil, err
+	}
+	inet6DNS, err := o.Inet6DNSAddress()
+	if err != nil {
+		return nil, err
+	}
+	return append(inet4DNS, inet6DNS...), nil
+}
+
+func (o *Options) Inet4DNSAddress() ([]netip.Addr, error) {
+	if len(o.Inet4Address) == 0 {
+		return nil, nil
+	}
+	if len(o.DNSAddress) > 0 {
+		return common.Filter(o.DNSAddress, netip.Addr.Is4), nil
+	}
+	if HasNextAddress(o.Inet4Address[0], 1) {
+		return []netip.Addr{o.Inet4Address[0].Addr().Next()}, nil
+	}
+	if o.DNSMode == DNSModeNative {
+		return nil, E.New("no IPv4 server configured and no usable next address in ", o.Inet4Address[0], " for native DNS")
+	}
+	return nil, nil
+}
+
+func (o *Options) Inet6DNSAddress() ([]netip.Addr, error) {
+	if len(o.Inet6Address) == 0 {
+		return nil, nil
+	}
+	if len(o.DNSAddress) > 0 {
+		return common.Filter(o.DNSAddress, netip.Addr.Is6), nil
+	}
+	if HasNextAddress(o.Inet6Address[0], 1) {
+		return []netip.Addr{o.Inet6Address[0].Addr().Next()}, nil
+	}
+	if o.DNSMode == DNSModeNative {
+		return nil, E.New("no IPv6 server configured and no usable next address in ", o.Inet6Address[0], " for native DNS")
+	}
+	return nil, nil
+}
+
 func (o *Options) Inet4GatewayAddr() netip.Addr {
 	if o.Inet4Gateway.IsValid() {
 		return o.Inet4Gateway
diff --git a/tun_darwin.go b/tun_darwin.go
@@ -89,6 +89,9 @@ func (t *NativeTun) Name() (string, error) {
 }
 
 func New(options Options) (Tun, error) {
+	if err := options.NormalizeDNSMode(); err != nil {
+		return nil, err
+	}
 	var tunFd int
 	batchSize := ((512 * 1024) / int(options.MTU)) + 1
 	if options.FileDescriptor == 0 {
diff --git a/tun_linux.go b/tun_linux.go
@@ -49,6 +49,9 @@ type NativeTun struct {
 }
 
 func New(options Options) (Tun, error) {
+	if err := options.NormalizeDNSMode(); err != nil {
+		return nil, err
+	}
 	var nativeTun *NativeTun
 	if options.FileDescriptor == 0 {
 		tunFd, err := open(options.Name, options.GSO)
@@ -317,7 +320,12 @@ func (t *NativeTun) Start() error {
 		return E.Cause(err, "set rules")
 	}
 
-	t.setSearchDomainForSystemdResolved()
+	if t.options.DNSMode != DNSModeDisabled {
+		err = t.setSearchDomainForSystemdResolved()
+		if err != nil {
+			return E.Cause(err, "set search domain")
+		}
+	}
 
 	if t.options.AutoRoute && runtime.GOOS == "android" {
 		t.interfaceCallback = t.options.InterfaceMonitor.RegisterCallback(t.routeUpdate)
@@ -332,7 +340,9 @@ func (t *NativeTun) Close() error {
 	if t.options.EXP_ExternalConfiguration {
 		return common.Close(common.PtrOrNil(t.tunFile))
 	}
-	t.unsetSearchDomainForSystemdResolved()
+	if t.options.DNSMode != DNSModeDisabled {
+		t.unsetSearchDomainForSystemdResolved()
+	}
 	t.unsetAddresses()
 	return E.Errors(t.unsetRoute(), t.unsetRules(), common.Close(common.PtrOrNil(t.tunFile)))
 }
@@ -1073,37 +1083,24 @@ func (t *NativeTun) routeUpdate(_ *control.Interface, flags int) {
 	}
 }
 
-func (t *NativeTun) setSearchDomainForSystemdResolved() {
-	if t.options.EXP_DisableDNSHijack {
-		return
-	}
+func (t *NativeTun) setSearchDomainForSystemdResolved() error {
 	ctlPath, err := exec.LookPath("resolvectl")
 	if err != nil {
-		return
-	}
-	dnsServer := t.options.DNSServers
-	if len(dnsServer) == 0 {
-		if len(t.options.Inet4Address) > 0 && HasNextAddress(t.options.Inet4Address[0], 1) {
-			dnsServer = append(dnsServer, t.options.Inet4Address[0].Addr().Next())
-		}
-		if len(t.options.Inet6Address) > 0 && HasNextAddress(t.options.Inet6Address[0], 1) {
-			dnsServer = append(dnsServer, t.options.Inet6Address[0].Addr().Next())
-		}
+		return nil
 	}
-	if len(dnsServer) == 0 {
-		return
+	dnsAddress, err := t.options.DNSServerAddress()
+	if err != nil {
+		return err
 	}
 	go func() {
 		_ = shell.Exec(ctlPath, "domain", t.options.Name, "~.").Run()
 		_ = shell.Exec(ctlPath, "default-route", t.options.Name, "true").Run()
-		_ = shell.Exec(ctlPath, append([]string{"dns", t.options.Name}, common.Map(dnsServer, netip.Addr.String)...)...).Run()
+		_ = shell.Exec(ctlPath, append([]string{"dns", t.options.Name}, common.Map(dnsAddress, netip.Addr.String)...)...).Run()
 	}()
+	return nil
 }
 
 func (t *NativeTun) unsetSearchDomainForSystemdResolved() {
-	if t.options.EXP_DisableDNSHijack {
-		return
-	}
 	ctlPath, err := exec.LookPath("resolvectl")
 	if err != nil {
 		return
diff --git a/tun_windows.go b/tun_windows.go
@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing-tun/internal/winipcfg"
 	"github.com/sagernet/sing-tun/internal/winsys"
 	"github.com/sagernet/sing-tun/internal/wintun"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/windnsapi"
 
@@ -38,6 +37,9 @@ type NativeTun struct {
 }
 
 func New(options Options) (WinTun, error) {
+	if err := options.NormalizeDNSMode(); err != nil {
+		return nil, err
+	}
 	if options.FileDescriptor != 0 {
 		return nil, os.ErrInvalid
 	}
@@ -74,16 +76,14 @@ func (t *NativeTun) configure() error {
 		if err != nil {
 			return E.Cause(err, "set ipv4 address")
 		}
-		if t.options.AutoRoute && !t.options.EXP_DisableDNSHijack {
-			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is4)
-			if len(dnsServers) == 0 && HasNextAddress(t.options.Inet4Address[0], 1) {
-				dnsServers = []netip.Addr{t.options.Inet4Address[0].Addr().Next()}
+		if t.options.AutoRoute && t.options.DNSMode != DNSModeDisabled {
+			dnsServers, err := t.options.Inet4DNSAddress()
+			if err != nil {
+				return err
 			}
-			if len(dnsServers) > 0 {
-				err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), dnsServers, nil)
-				if err != nil {
-					return E.Cause(err, "set ipv4 dns")
-				}
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), dnsServers, nil)
+			if err != nil {
+				return E.Cause(err, "set ipv4 dns")
 			}
 		} else {
 			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET), nil, nil)
@@ -97,16 +97,14 @@ func (t *NativeTun) configure() error {
 		if err != nil {
 			return E.Cause(err, "set ipv6 address")
 		}
-		if t.options.AutoRoute && !t.options.EXP_DisableDNSHijack {
-			dnsServers := common.Filter(t.options.DNSServers, netip.Addr.Is6)
-			if len(dnsServers) == 0 && HasNextAddress(t.options.Inet6Address[0], 1) {
-				dnsServers = []netip.Addr{t.options.Inet6Address[0].Addr().Next()}
+		if t.options.AutoRoute && t.options.DNSMode != DNSModeDisabled {
+			dnsServers, err := t.options.Inet6DNSAddress()
+			if err != nil {
+				return err
 			}
-			if len(dnsServers) > 0 {
-				err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), dnsServers, nil)
-				if err != nil {
-					return E.Cause(err, "set ipv6 dns")
-				}
+			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), dnsServers, nil)
+			if err != nil {
+				return E.Cause(err, "set ipv6 dns")
 			}
 		} else {
 			err = luid.SetDNS(winipcfg.AddressFamily(windows.AF_INET6), nil, nil)
@@ -327,7 +325,7 @@ func (t *NativeTun) Start() error {
 			}
 		}
 
-		if !t.options.EXP_DisableDNSHijack {
+		if t.options.DNSMode == DNSModeHijack {
 			blockDNSCondition := make([]winsys.FWPM_FILTER_CONDITION0, 1)
 			blockDNSCondition[0].FieldKey = winsys.FWPM_CONDITION_IP_REMOTE_PORT
 			blockDNSCondition[0].MatchType = winsys.FWP_MATCH_EQUAL

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,9 @@ func (t *NativeTun) Name() (string, error) {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`func New(options Options) (Tun, error) {`
	`92`	`+ if err := options.NormalizeDNSMode(); err != nil {`
	`93`	`+ return nil, err`
	`94`	`+ }`
`92`	`95`	`var tunFd int`
`93`	`96`	`batchSize := ((512 * 1024) / int(options.MTU)) + 1`
`94`	`97`	`if options.FileDescriptor == 0 {`