documentation: Bump version

Co-authored-by: anytls <anytls>

.github/workflows/build.yml

@@ -155,7 +155,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: 2.5.1
+          version: '~> v2'
           install-only: true
       - name: Extract signing key
         run: |-
@@ -551,7 +551,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: 2.5.1
+          version: '~> v2'
           install-only: true
       - name: Cache ghr
         uses: actions/cache@v4

.github/workflows/linux.yml

@@ -28,7 +28,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser-pro
-          version: latest
+          version: '~> v2'
           args: release -f .goreleaser.fury.yaml --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yaml

@@ -97,10 +97,12 @@ archives:
     builds:
       - main
       - android
-    format: tar.gz
+    formats:
+      - tar.gz
     format_overrides:
       - goos: windows
-        format: zip
+        formats:
+          - zip
     wrap_in_directory: true
     files:
       - LICENSE

adapter/inbound.go

@@ -53,10 +53,11 @@ type InboundContext struct {
 
 	// sniffer
 
-	Protocol     string
-	Domain       string
-	Client       string
-	SniffContext any
+	Protocol         string
+	Domain           string
+	Client           string
+	SniffContext     any
+	PacketSniffError error
 
 	// cache
 

adapter/outbound/manager.go

@@ -246,8 +246,6 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	if err != nil {
 		return err
 	}
-	m.access.Lock()
-	defer m.access.Unlock()
 	if m.started {
 		for _, stage := range adapter.ListStartStages {
 			err = adapter.LegacyStart(outbound, stage)
@@ -256,6 +254,8 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 			}
 		}
 	}
+	m.access.Lock()
+	defer m.access.Unlock()
 	if existsOutbound, loaded := m.outboundByTag[tag]; loaded {
 		if m.started {
 			err = common.Close(existsOutbound)

box.go

@@ -216,8 +216,15 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
+		endpointCtx := ctx
+		if tag != "" {
+			// TODO: remove this
+			endpointCtx = adapter.WithContext(endpointCtx, &adapter.InboundContext{
+				Outbound: tag,
+			})
+		}
 		err = endpointManager.Create(
-			ctx,
+			endpointCtx,
 			router,
 			logFactory.NewLogger(F.ToString("endpoint/", endpointOptions.Type, "[", tag, "]")),
 			tag,

common/certificate/store.go

@@ -34,10 +34,13 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 	switch options.Store {
 	case C.CertificateStoreSystem, "":
 		systemPool = x509.NewCertPool()
+		platformInterface := service.FromContext[platform.Interface](ctx)
 		var systemValid bool
-		for _, cert := range service.FromContext[platform.Interface](ctx).SystemCertificates() {
-			if systemPool.AppendCertsFromPEM([]byte(cert)) {
-				systemValid = true
+		if platformInterface != nil {
+			for _, cert := range platformInterface.SystemCertificates() {
+				if systemPool.AppendCertsFromPEM([]byte(cert)) {
+					systemValid = true
+				}
 			}
 		}
 		if !systemValid {

common/dialer/default.go

@@ -210,6 +210,8 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
+	} else if address.IsFqdn() {
+		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
 		switch N.NetworkName(network) {

common/dialer/default_parallel_interface.go

@@ -18,6 +18,7 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -31,7 +32,9 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
+			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -89,6 +92,7 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -103,7 +107,9 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
+			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -149,10 +155,13 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	var errors []error
 	for _, primaryInterface := range primaryInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
+		if defaultInterface == nil || primaryInterface.Index != defaultInterface.Index {
+			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
+		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil
@@ -161,7 +170,9 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
+		if defaultInterface == nil || fallbackInterface.Index != defaultInterface.Index {
+			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
+		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil

common/dialer/dialer.go

@@ -52,7 +52,7 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			return nil, err
 		}
 	}
-	if options.RemoteIsDomain && (dialOptions.Detour == "" || options.ResolverOnDetour) {
+	if options.RemoteIsDomain && (dialOptions.Detour == "" || options.ResolverOnDetour || dialOptions.DomainResolver != nil && dialOptions.DomainResolver.Server != "") {
 		networkManager := service.FromContext[adapter.NetworkManager](options.Context)
 		dnsTransport := service.FromContext[adapter.DNSTransportManager](options.Context)
 		var defaultOptions adapter.NetworkOptions
@@ -104,7 +104,12 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 		} else if options.NewDialer {
 			return nil, E.New("missing domain resolver for domain server address")
 		} else {
-			deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
+			transports := dnsTransport.Transports()
+			if len(transports) < 2 {
+				dnsQueryOptions.Transport = dnsTransport.Default()
+			} else {
+				deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
+			}
 		}
 		dialer = NewResolveDialer(
 			options.Context,

common/dialer/resolve.go

@@ -44,6 +44,20 @@ type resolveDialer struct {
 }
 
 func NewResolveDialer(ctx context.Context, dialer N.Dialer, parallel bool, server string, queryOptions adapter.DNSQueryOptions, fallbackDelay time.Duration) ResolveDialer {
+	if parallelDialer, isParallel := dialer.(ParallelInterfaceDialer); isParallel {
+		return &resolveParallelNetworkDialer{
+			resolveDialer{
+				transport:     service.FromContext[adapter.DNSTransportManager](ctx),
+				router:        service.FromContext[adapter.DNSRouter](ctx),
+				dialer:        dialer,
+				parallel:      parallel,
+				server:        server,
+				queryOptions:  queryOptions,
+				fallbackDelay: fallbackDelay,
+			},
+			parallelDialer,
+		}
+	}
 	return &resolveDialer{
 		transport:     service.FromContext[adapter.DNSTransportManager](ctx),
 		router:        service.FromContext[adapter.DNSRouter](ctx),
@@ -60,21 +74,6 @@ type resolveParallelNetworkDialer struct {
 	dialer ParallelInterfaceDialer
 }
 
-func NewResolveParallelInterfaceDialer(ctx context.Context, dialer ParallelInterfaceDialer, parallel bool, server string, queryOptions adapter.DNSQueryOptions, fallbackDelay time.Duration) ParallelInterfaceResolveDialer {
-	return &resolveParallelNetworkDialer{
-		resolveDialer{
-			transport:     service.FromContext[adapter.DNSTransportManager](ctx),
-			router:        service.FromContext[adapter.DNSRouter](ctx),
-			dialer:        dialer,
-			parallel:      parallel,
-			server:        server,
-			queryOptions:  queryOptions,
-			fallbackDelay: fallbackDelay,
-		},
-		dialer,
-	}
-}
-
 func (d *resolveDialer) initialize() error {
 	d.initOnce.Do(d.initServer)
 	return d.initErr

common/sniff/ntp.go

@@ -0,0 +1,58 @@
+package sniff
+
+import (
+	"context"
+	"encoding/binary"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+)
+
+func NTP(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+	// NTP packets must be at least 48 bytes long (standard NTP header size).
+	pLen := len(packet)
+	if pLen < 48 {
+		return os.ErrInvalid
+	}
+	// Check the LI (Leap Indicator) and Version Number (VN) in the first byte.
+	// We'll primarily focus on ensuring the version is valid for NTP.
+	// Many NTP versions are used, but let's check for generally accepted ones (3 & 4 for IPv4, plus potential extensions/customizations)
+	firstByte := packet[0]
+	li := (firstByte >> 6) & 0x03 // Extract LI
+	vn := (firstByte >> 3) & 0x07 // Extract VN
+	mode := firstByte & 0x07      // Extract Mode
+
+	// Leap Indicator should be a valid value (0-3).
+	if li > 3 {
+		return os.ErrInvalid
+	}
+
+	// Version Check (common NTP versions are 3 and 4)
+	if vn != 3 && vn != 4 {
+		return os.ErrInvalid
+	}
+
+	// Check the Mode field for a client request (Mode 3).  This validates it *is* a request.
+	if mode != 3 {
+		return os.ErrInvalid
+	}
+
+	// Check Root Delay and Root Dispersion. While not strictly *required* for a request,
+	// we can check if they appear to be reasonable values (not excessively large).
+	rootDelay := binary.BigEndian.Uint32(packet[4:8])
+	rootDispersion := binary.BigEndian.Uint32(packet[8:12])
+
+	// Check for unreasonably large root delay and dispersion.  NTP RFC specifies max values of approximately 16 seconds.
+	// Convert to milliseconds for easy comparison.  Each unit is 1/2^16 seconds.
+	if float64(rootDelay)/65536.0 > 16.0 {
+		return os.ErrInvalid
+	}
+	if float64(rootDispersion)/65536.0 > 16.0 {
+		return os.ErrInvalid
+	}
+
+	metadata.Protocol = C.ProtocolNTP
+
+	return nil
+}

common/sniff/ntp_test.go

@@ -0,0 +1,33 @@
+package sniff_test
+
+import (
+	"context"
+	"encoding/hex"
+	"os"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffNTP(t *testing.T) {
+	t.Parallel()
+	packet, err := hex.DecodeString("1b0006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+	require.NoError(t, err)
+	var metadata adapter.InboundContext
+	err = sniff.NTP(context.Background(), &metadata, packet)
+	require.NoError(t, err)
+	require.Equal(t, metadata.Protocol, C.ProtocolNTP)
+}
+
+func TestSniffNTPFailed(t *testing.T) {
+	t.Parallel()
+	packet, err := hex.DecodeString("400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+	require.NoError(t, err)
+	var metadata adapter.InboundContext
+	err = sniff.NTP(context.Background(), &metadata, packet)
+	require.ErrorIs(t, err, os.ErrInvalid)
+}

common/sniff/sniff.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -34,7 +35,7 @@ func Skip(metadata *adapter.InboundContext) bool {
 	return false
 }
 
-func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
+func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffers []*buf.Buffer, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
@@ -55,7 +56,10 @@ func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.
 		}
 		errors = nil
 		for _, sniffer := range sniffers {
-			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
+			reader := io.MultiReader(common.Map(append(buffers, buffer), func(it *buf.Buffer) io.Reader {
+				return bytes.NewReader(it.Bytes())
+			})...)
+			err = sniffer(ctx, metadata, reader)
 			if err == nil {
 				return nil
 			}

constant/dns.go

@@ -15,19 +15,19 @@ const (
 )
 
 const (
-	DNSTypeLegacy     = "legacy"
-	DNSTypeUDP        = "udp"
-	DNSTypeTCP        = "tcp"
-	DNSTypeTLS        = "tls"
-	DNSTypeHTTPS      = "https"
-	DNSTypeQUIC       = "quic"
-	DNSTypeHTTP3      = "h3"
-	DNSTypeHosts      = "hosts"
-	DNSTypeLocal      = "local"
-	DNSTypePreDefined = "predefined"
-	DNSTypeFakeIP     = "fakeip"
-	DNSTypeDHCP       = "dhcp"
-	DNSTypeTailscale  = "tailscale"
+	DNSTypeLegacy      = "legacy"
+	DNSTypeLegacyRcode = "legacy_rcode"
+	DNSTypeUDP         = "udp"
+	DNSTypeTCP         = "tcp"
+	DNSTypeTLS         = "tls"
+	DNSTypeHTTPS       = "https"
+	DNSTypeQUIC        = "quic"
+	DNSTypeHTTP3       = "h3"
+	DNSTypeLocal       = "local"
+	DNSTypeHosts       = "hosts"
+	DNSTypeFakeIP      = "fakeip"
+	DNSTypeDHCP        = "dhcp"
+	DNSTypeTailscale   = "tailscale"
 )
 
 const (

constant/proxy.go

@@ -78,6 +78,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "TUIC"
 	case TypeHysteria2:
 		return "Hysteria2"
+	case TypeAnyTLS:
+		return "AnyTLS"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

constant/rule.go

@@ -33,6 +33,7 @@ const (
 	RuleActionTypeHijackDNS    = "hijack-dns"
 	RuleActionTypeSniff        = "sniff"
 	RuleActionTypeResolve      = "resolve"
+	RuleActionTypePredefined   = "predefined"
 )
 
 const (

dns/client.go

@@ -537,7 +537,7 @@ func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, tim
 		Question: []dns.Question{question},
 	}
 	for _, address := range addresses {
-		if address.Is4() {
+		if address.Is4() && question.Qtype == dns.TypeA {
 			response.Answer = append(response.Answer, &dns.A{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
@@ -547,7 +547,7 @@ func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, tim
 				},
 				A: address.AsSlice(),
 			})
-		} else {
+		} else if address.Is6() && question.Qtype == dns.TypeAAAA {
 			response.Answer = append(response.Answer, &dns.AAAA{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,

dns/router.go

@@ -190,6 +190,8 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				}
 			case *R.RuleActionReject:
 				return nil, currentRule, currentRuleIndex
+			case *R.RuleActionPredefined:
+				return nil, currentRule, currentRuleIndex
 			}
 		}
 	}
@@ -260,6 +262,21 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 						case C.RuleActionRejectMethodDrop:
 							return nil, tun.ErrDrop
 						}
+					case *R.RuleActionPredefined:
+						return &mDNS.Msg{
+							MsgHdr: mDNS.MsgHdr{
+								Id:                 message.Id,
+								Response:           true,
+								Authoritative:      true,
+								RecursionDesired:   true,
+								RecursionAvailable: true,
+								Rcode:              action.Rcode,
+							},
+							Question: message.Question,
+							Answer:   action.Answer,
+							Ns:       action.Ns,
+							Extra:    action.Extra,
+						}, nil
 					}
 				}
 				var responseCheck func(responseAddrs []netip.Addr) bool
@@ -366,7 +383,8 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		ruleIndex = -1
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
-			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &options)
+			dnsOptions := options
+			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
@@ -376,6 +394,20 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					case C.RuleActionRejectMethodDrop:
 						return nil, tun.ErrDrop
 					}
+				case *R.RuleActionPredefined:
+					if action.Rcode != mDNS.RcodeSuccess {
+						err = RcodeError(action.Rcode)
+					} else {
+						for _, answer := range action.Answer {
+							switch record := answer.(type) {
+							case *mDNS.A:
+								responseAddrs = append(responseAddrs, M.AddrFromIP(record.A))
+							case *mDNS.AAAA:
+								responseAddrs = append(responseAddrs, M.AddrFromIP(record.AAAA))
+							}
+						}
+					}
+					goto response
 				}
 			}
 			var responseCheck func(responseAddrs []netip.Addr) bool
@@ -385,16 +417,17 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 					return rule.MatchAddressLimit(metadata)
 				}
 			}
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
+			if dnsOptions.Strategy == C.DomainStrategyAsIS {
+				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
-			responseAddrs, err = r.client.Lookup(dnsCtx, transport, domain, options, responseCheck)
+			responseAddrs, err = r.client.Lookup(dnsCtx, transport, domain, dnsOptions, responseCheck)
 			if responseCheck == nil || err == nil {
 				break
 			}
 			printResult()
 		}
 	}
+response:
 	printResult()
 	if len(responseAddrs) > 0 {
 		r.logger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))

dns/transport/hosts/hosts.go

@@ -2,12 +2,15 @@ package hosts
 
 import (
 	"context"
+	"net/netip"
+	"os"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/service/filemanager"
 
 	mDNS "github.com/miekg/dns"
 )
@@ -20,21 +23,31 @@ var _ adapter.DNSTransport = (*Transport)(nil)
 
 type Transport struct {
 	dns.TransportAdapter
-	files []*File
+	files      []*File
+	predefined map[string][]netip.Addr
 }
 
 func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.HostsDNSServerOptions) (adapter.DNSTransport, error) {
-	var files []*File
+	var (
+		files      []*File
+		predefined = make(map[string][]netip.Addr)
+	)
 	if len(options.Path) == 0 {
 		files = append(files, NewFile(DefaultPath))
 	} else {
 		for _, path := range options.Path {
-			files = append(files, NewFile(path))
+			files = append(files, NewFile(filemanager.BasePath(ctx, os.ExpandEnv(path))))
+		}
+	}
+	if options.Predefined != nil {
+		for _, entry := range options.Predefined.Entries() {
+			predefined[mDNS.CanonicalName(entry.Key)] = entry.Value
 		}
 	}
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapter(C.DNSTypeHosts, tag, nil),
 		files:            files,
+		predefined:       predefined,
 	}, nil
 }
 
@@ -43,8 +56,11 @@ func (t *Transport) Reset() {
 
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
+	domain := mDNS.CanonicalName(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		if addresses, ok := t.predefined[domain]; ok {
+			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+		}
 		for _, file := range t.files {
 			addresses := file.Lookup(domain)
 			if len(addresses) > 0 {

dns/transport/hosts/hosts_file.go

@@ -34,7 +34,7 @@ func (f *File) Lookup(name string) []netip.Addr {
 	f.access.Lock()
 	defer f.access.Unlock()
 	f.update()
-	return f.byName[name]
+	return f.byName[dns.CanonicalName(name)]
 }
 
 func (f *File) update() {

dns/transport/hosts/hosts_test.go

@@ -11,6 +11,6 @@ import (
 
 func TestHosts(t *testing.T) {
 	t.Parallel()
-	require.Equal(t, []netip.Addr{netip.AddrFrom4([4]byte{127, 0, 0, 1}), netip.IPv6Loopback()}, hosts.NewFile("testdata/hosts").Lookup("localhost."))
-	require.NotEmpty(t, hosts.NewFile(hosts.DefaultPath).Lookup("localhost."))
+	require.Equal(t, []netip.Addr{netip.AddrFrom4([4]byte{127, 0, 0, 1}), netip.IPv6Loopback()}, hosts.NewFile("testdata/hosts").Lookup("localhost"))
+	require.NotEmpty(t, hosts.NewFile(hosts.DefaultPath).Lookup("localhost"))
 }

dns/transport/https.go

@@ -91,7 +91,7 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 443
 	}

dns/transport/local/local.go

@@ -139,6 +139,9 @@ func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn stri
 }
 
 func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+	if server.Port == 0 {
+		server.Port = 53
+	}
 	var networks []string
 	if useTCP {
 		networks = []string{N.NetworkTCP}

dns/transport/local/local_fallback.go

@@ -58,8 +58,12 @@ func (f *FallbackTransport) Start(stage adapter.StartStage) error {
 	return nil
 }
 
+func (f *FallbackTransport) Close() error {
+	return nil
+}
+
 func (f *FallbackTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	if f.fallback {
+	if !f.fallback {
 		return f.DNSTransport.Exchange(ctx, message)
 	}
 	question := message.Question[0]

dns/transport/predefined.go

@@ -1,83 +0,0 @@
-package transport
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*PredefinedTransport)(nil)
-
-func RegisterPredefined(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.PredefinedDNSServerOptions](registry, C.DNSTypePreDefined, NewPredefined)
-}
-
-type PredefinedTransport struct {
-	dns.TransportAdapter
-	responses []*predefinedResponse
-}
-
-type predefinedResponse struct {
-	questions []mDNS.Question
-	answer    *mDNS.Msg
-}
-
-func NewPredefined(ctx context.Context, logger log.ContextLogger, tag string, options option.PredefinedDNSServerOptions) (adapter.DNSTransport, error) {
-	var responses []*predefinedResponse
-	for _, response := range options.Responses {
-		questions, msg, err := response.Build()
-		if err != nil {
-			return nil, err
-		}
-		responses = append(responses, &predefinedResponse{
-			questions: questions,
-			answer:    msg,
-		})
-	}
-	if len(responses) == 0 {
-		return nil, E.New("empty predefined responses")
-	}
-	return &PredefinedTransport{
-		TransportAdapter: dns.NewTransportAdapter(C.DNSTypePreDefined, tag, nil),
-		responses:        responses,
-	}, nil
-}
-
-func (t *PredefinedTransport) Reset() {
-}
-
-func (t *PredefinedTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	for _, response := range t.responses {
-		for _, question := range response.questions {
-			if func() bool {
-				if question.Name == "" && question.Qtype == mDNS.TypeNone {
-					return true
-				} else if question.Name == "" {
-					return common.Any(message.Question, func(it mDNS.Question) bool {
-						return it.Qtype == question.Qtype
-					})
-				} else if question.Qtype == mDNS.TypeNone {
-					return common.Any(message.Question, func(it mDNS.Question) bool {
-						return it.Name == question.Name
-					})
-				} else {
-					return common.Contains(message.Question, question)
-				}
-			}() {
-				copyAnswer := *response.answer
-				copyAnswer.Id = message.Id
-				copyAnswer.Question = message.Question
-				return &copyAnswer, nil
-			}
-		}
-	}
-	return nil, dns.RcodeNameError
-}

dns/transport/quic/http3.go

@@ -23,7 +23,6 @@ import (
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	sHTTP "github.com/sagernet/sing/protocol/http"
 
@@ -89,7 +88,7 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 443
 	}
@@ -101,8 +100,7 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 		headers:          headers,
 		transport: &http3.Transport{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
-				destinationAddr := M.ParseSocksaddr(addr)
-				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, destinationAddr)
+				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, serverAddr)
 				if dialErr != nil {
 					return nil, dialErr
 				}

dns/transport/quic/quic.go

@@ -54,7 +54,7 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 	if len(tlsConfig.NextProtos()) == 0 {
 		tlsConfig.SetNextProtos([]string{"doq"})
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 853
 	}

dns/transport/tcp.go

@@ -35,7 +35,7 @@ func NewTCP(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if err != nil {
 		return nil, err
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 53
 	}

dns/transport/tls.go

@@ -52,7 +52,7 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if err != nil {
 		return nil, err
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 853
 	}

dns/transport/udp.go

@@ -42,7 +42,7 @@ func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if err != nil {
 		return nil, err
 	}
-	serverAddr := options.ServerOptions.Build()
+	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 53
 	}
@@ -110,13 +110,6 @@ func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 		conn.access.Lock()
 		delete(conn.callbacks, messageId)
 		conn.access.Unlock()
-		callback.access.Lock()
-		select {
-		case <-callback.done:
-		default:
-			close(callback.done)
-		}
-		callback.access.Unlock()
 	}()
 	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
 	if err != nil {

docs/changelog.md

@@ -2,6 +2,54 @@
 icon: material/alert-decagram
 ---
 
+#### 1.12.0-alpha.18
+
+* Add wildcard SNI support for ShadowTLS inbound **1**
+* Fixes and improvements
+
+**1**:
+
+See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni).
+
+#### 1.12.0-alpha.17
+
+* Add NTP sniffer **1**
+* Fixes and improvements
+
+**1**:
+
+See [Protocol Sniff](/configuration/route/sniff/).
+
+#### 1.12.0-alpha.16
+
+* Update `domain_resolver` behavior **1**
+* Fixes and improvements
+
+**1**:
+
+`route.default_domain_resolver` or `outbound.domain_resolver` is now optional when only one DNS server is configured.
+
+See [Dial Fields](/configuration/shared/dial/#domain_resolver).
+
+### 1.11.5
+
+* Fixes and improvements
+
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
+
+#### 1.12.0-alpha.13
+
+* Move `predefined` DNS server to DNS rule action **1**
+* Fixes and improvements
+
+**1**:
+
+See [DNS Rule Action](/configuration/dns/rule_action/#predefined).
+
+### 1.11.4
+
+* Fixes and improvements
+
 #### 1.12.0-alpha.11
 
 * Fixes and improvements

docs/clients/apple/index.md

@@ -7,6 +7,10 @@ icon: material/apple
 SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
 platform-specific function implementation, such as TUN transparent proxy implementation.
 
+!!! failure ""
+
+    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
+
 ## :material-graph: Requirements
 
 * iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+

docs/configuration/dns/rule.md

@@ -4,6 +4,7 @@ icon: material/alert-decagram
 
 !!! quote "Changes in sing-box 1.12.0"
 
+    :material-plus: [ip_accept_any](#ip_accept_any)  
     :material-delete-clock: [outbound](#outbound)
 
 !!! quote "Changes in sing-box 1.11.0"
@@ -77,15 +78,6 @@ icon: material/alert-decagram
         "domain_regex": [
           "^stun\\..+"
         ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
         "source_ip_cidr": [
           "10.0.0.0/24",
           "192.168.0.1"
@@ -96,6 +88,7 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "ip_is_private": false,
+        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -147,8 +140,6 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
-        // deprecated
-        "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
@@ -156,7 +147,20 @@ icon: material/alert-decagram
           "direct"
         ],
         "action": "route",
-        "server": "local"
+        "server": "local",
+
+        // Deprecated
+        
+        "rule_set_ipcidr_match_source": false,
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ]
       },
       {
         "type": "logical",
@@ -451,7 +455,9 @@ Only takes effect for address requests (A/AAAA/HTTPS). When the query results do
 
 #### geoip
 
-!!! question "Since sing-box 1.9.0"
+!!! failure "Removed in sing-box 1.12.0"
+
+    GeoIP is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match GeoIP with query response.
 
@@ -473,6 +479,12 @@ Match private IP with query response.
 
 Make `ip_cidr` rules in rule-sets accept empty query response.
 
+#### ip_accept_any
+
+!!! question "Since sing-box 1.12.0"
+
+Match any IP with query response.
+
 ### Logical Fields
 
 #### type

docs/configuration/dns/rule.zh.md

@@ -4,6 +4,7 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.12.0 中的更改"
 
+    :material-plus: [ip_accept_any](#ip_accept_any)  
     :material-delete-clock: [outbound](#outbound)
 
 !!! quote "sing-box 1.11.0 中的更改"
@@ -77,15 +78,6 @@ icon: material/alert-decagram
         "domain_regex": [
           "^stun\\..+"
         ],
-        "geosite": [
-          "cn"
-        ],
-        "source_geoip": [
-          "private"
-        ],
-        "geoip": [
-          "cn"
-        ],
         "source_ip_cidr": [
           "10.0.0.0/24",
           "192.168.0.1"
@@ -96,6 +88,7 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "ip_is_private": false,
+        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -147,8 +140,6 @@ icon: material/alert-decagram
           "geoip-cn",
           "geosite-cn"
         ],
-        // 已弃用
-        "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "rule_set_ip_cidr_accept_empty": false,
         "invert": false,
@@ -156,7 +147,19 @@ icon: material/alert-decagram
           "direct"
         ],
         "action": "route",
-        "server": "local"
+        "server": "local",
+
+        // 已弃用
+        "rule_set_ipcidr_match_source": false,
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ]
       },
       {
         "type": "logical",
@@ -232,17 +235,17 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### geosite
 
-!!! failure "已在 sing-box 1.8.0 废弃"
+!!! failure "已在 sing-box 1.12.0 中被移除"
 
-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 匹配 Geosite。
 
 #### source_geoip
 
-!!! failure "已在 sing-box 1.8.0 废弃"
+!!! failure "已在 sing-box 1.12.0 中被移除"
 
-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 匹配源 GeoIP。
 
@@ -451,7 +454,10 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 #### geoip
 
-!!! question "自 sing-box 1.9.0 起"
+!!! failure "已在 sing-box 1.12.0 中被移除"
+
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+
 
 与查询响应匹配 GeoIP。
 
@@ -467,6 +473,12 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 与查询响应匹配非公开 IP。
 
+#### ip_accept_any
+
+!!! question "自 sing-box 1.12.0 起"
+
+匹配任意 IP。
+
 #### rule_set_ip_cidr_accept_empty
 
 !!! question "自 sing-box 1.10.0 起"

docs/configuration/dns/rule_action.md

@@ -4,7 +4,8 @@ icon: material/new-box
 
 !!! quote "Changes in sing-box 1.12.0"
 
-    :material-plus: [strategy](#strategy)
+    :material-plus: [strategy](#strategy)  
+    :material-plus: [predefined](#predefined)
 
 !!! question "Since sing-box 1.11.0"
 
@@ -31,6 +32,8 @@ Tag of target server.
 
 #### strategy
 
+!!! question "Since sing-box 1.12.0"
+
 Set domain strategy for this query.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
@@ -69,7 +72,7 @@ Will overrides `dns.client_subnet`.
 ```json
 {
   "action": "reject",
-  "method": "default", // default
+  "method": "",
   "no_drop": false
 }
 ```
@@ -81,8 +84,61 @@ Will overrides `dns.client_subnet`.
 - `default`: Reply with NXDOMAIN.
 - `drop`: Drop the request.
 
+`default` will be used by default.
+
 #### no_drop
 
 If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
 
 Not available when `method` is set to drop.
+
+### predefined
+
+!!! question "Since sing-box 1.12.0"
+
+```json
+{
+  "action": "predefined",
+  "rcode": "",
+  "answer": [],
+  "ns": [],
+  "extra": []
+}
+```
+
+`predefined` responds with predefined DNS records.
+
+#### rcode
+
+The response code.
+
+| Value      | Value in the legacy rcode server | Description     |
+|------------|----------------------------------|-----------------|
+| `NOERROR`  | `success`                        | Ok              |
+| `FORMERR`  | `format_error`                   | Bad request     |
+| `SERVFAIL` | `server_failure`                 | Server failure  |
+| `NXDOMAIN` | `name_error`                     | Not found       |
+| `NOTIMP`   | `not_implemented`                | Not implemented |
+| `REFUSED`  | `refused`                        | Refused         |
+
+`NOERROR` will be used by default.
+
+#### answer
+
+List of text DNS record to respond as answers.
+
+Examples:
+
+| Record Type | Example                       |
+|-------------|-------------------------------|
+| `A`         | `localhost. IN A 127.0.0.1`   |
+| `AAAA`      | `localhost. IN AAAA ::1`      |
+| `TXT`       | `localhost. IN TXT \"Hello\"` |
+
+#### ns
+
+List of text DNS record to respond as name servers.
+
+#### extra
+
+List of text DNS record to respond as extra records.

docs/configuration/dns/rule_action.zh.md

@@ -4,7 +4,8 @@ icon: material/new-box
 
 !!! quote "sing-box 1.12.0 中的更改"
 
-    :material-plus: [strategy](#strategy)
+    :material-plus: [strategy](#strategy)  
+    :material-plus: [predefined](#predefined)
 
 !!! question "自 sing-box 1.11.0 起"
 
@@ -12,9 +13,8 @@ icon: material/new-box
 
 ```json
 {
-  "action": "route",  // 默认
+  "action": "route", // 默认
   "server": "",
-
   "strategy": "",
   "disable_cache": false,
   "rewrite_ttl": null,
@@ -32,6 +32,8 @@ icon: material/new-box
 
 #### strategy
 
+!!! question "自 sing-box 1.12.0 起"
+
 为此查询设置域名策略。
 
 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
@@ -70,7 +72,7 @@ icon: material/new-box
 ```json
 {
   "action": "reject",
-  "method": "default", // default
+  "method": "",
   "no_drop": false
 }
 ```
@@ -82,8 +84,61 @@ icon: material/new-box
 - `default`: 返回 NXDOMAIN。
 - `drop`: 丢弃请求。
 
+默认使用 `defualt`。
+
 #### no_drop
 
 如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
 
 当 `method` 设为 `drop` 时不可用。
+
+### predefined
+
+!!! question "自 sing-box 1.12.0 起"
+
+```json
+{
+  "action": "predefined",
+  "rcode": "",
+  "answer": [],
+  "ns": [],
+  "extra": []
+}
+```
+
+`predefined` 以预定义的 DNS 记录响应。
+
+#### rcode
+
+响应码。
+
+| 值          | 旧 rcode DNS 服务器中的值 | 描述              |
+|------------|--------------------|-----------------|
+| `NOERROR`  | `success`          | Ok              |
+| `FORMERR`  | `format_error`     | Bad request     |
+| `SERVFAIL` | `server_failure`   | Server failure  |
+| `NXDOMAIN` | `name_error`       | Not found       |
+| `NOTIMP`   | `not_implemented`  | Not implemented |
+| `REFUSED`  | `refused`          | Refused         |
+
+默认使用 `NOERROR`。
+
+#### answer
+
+用于作为回答响应的文本 DNS 记录列表。
+
+例子:
+
+| 记录类型   | 例子                            |
+|--------|-------------------------------|
+| `A`    | `localhost. IN A 127.0.0.1`   |
+| `AAAA` | `localhost. IN AAAA ::1`      |
+| `TXT`  | `localhost. IN TXT \"Hello\"` |
+
+#### ns
+
+用于作为名称服务器响应的文本 DNS 记录列表。
+
+#### extra
+
+用于作为额外记录响应的文本 DNS 记录列表。

docs/configuration/dns/server/hosts.md

@@ -0,0 +1,96 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.12.0"
+
+# Hosts
+
+### Structure
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "hosts",
+        "tag": "",
+
+        "path": [],
+        "predefined": {}
+      }
+    ]
+  }
+}
+```
+
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
+### Fields
+
+#### path
+
+List of paths to hosts files.
+
+`/etc/hosts` is used by default.
+
+`C:\Windows\System32\Drivers\etc\hosts` is used by default on Windows.
+
+Example:
+
+```json
+{
+  // "path": "/etc/hosts"
+  
+  "path": [
+    "/etc/hosts",
+    "$HOME/.hosts"
+  ]
+}
+```
+
+#### predefined
+
+Predefined hosts.
+
+Example:
+
+```json
+{
+  "predefined": {
+    "www.google.com": "127.0.0.1",
+    "localhost": [
+      "127.0.0.1",
+      "::1"
+    ]
+  }
+}
+```
+
+### Examples
+
+=== "Use hosts if available"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            ...
+          },
+          {
+            "type": "hosts",
+            "tag": "hosts"
+          }
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "hosts"
+          }
+        ]
+      }
+    }
+    ```

docs/configuration/dns/server/predefined.md

@@ -1,93 +0,0 @@
----
-icon: material/new-box
----
-
-!!! question "Since sing-box 1.12.0"
-
-# Predefined
-
-### Structure
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "type": "predefined",
-        "tag": "",
-        "responses": []
-      }
-    ]
-  }
-}
-```
-
-### Fields
-
-#### responses
-
-==Required==
-
-List of [Response](#response-structure).
-
-### Response Structure
-
-```json
-{
-  "query": [],
-  "query_type": [],
-  "rcode": "",
-  "answer": [],
-  "ns": [],
-  "extra": []
-}
-```
-
-!!! note ""
-
-    You can ignore the JSON Array [] tag when the content is only one item
-
-### Response Fields
-
-#### query
-
-List of domain name to match.
-
-#### query_type
-
-List of query type to match.
-
-#### rcode
-
-The response code.
-
-| Value      | Value in the legacy rcode server | Description     |
-|------------|----------------------------------|-----------------|
-| `NOERROR`  | `success`                        | Ok              |
-| `FORMERR`  | `format_error`                   | Bad request     |
-| `SERVFAIL` | `server_failure`                 | Server failure  |
-| `NXDOMAIN` | `name_error`                     | Not found       |
-| `NOTIMP`   | `not_implemented`                | Not implemented |
-| `REFUSED`  | `refused`                        | Refused         |
-
-`NOERROR` will be used by default.
-
-#### answer
-
-List of text DNS record to respond as answers.
-
-Examples:
-
-| Record Type | Example                       |
-|-------------|-------------------------------|
-| `A`         | `localhost. IN A 127.0.0.1`   |
-| `AAAA`      | `localhost. IN AAAA ::1`      |
-| `TXT`       | `localhost. IN TXT \"Hello\"` |
-
-#### ns
-
-List of text DNS record to respond as name servers.
-
-#### extra
-
-List of text DNS record to respond as extra records.

docs/configuration/dns/server/udp.md

@@ -4,7 +4,7 @@ icon: material/new-box
 
 !!! question "Since sing-box 1.12.0"
 
-# TCP
+# UDP
 
 ### Structure
 

docs/configuration/inbound/shadowtls.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.12.0"
+
+    :material-plus: [wildcard_sni](#wildcard_sni)
+
 ### Structure
 
 ```json
@@ -29,7 +37,8 @@
       ... // Dial Fields
     }
   },
-  "strict_mode": false
+  "strict_mode": false,
+  "wildcard_sni": ""
 }
 ```
 
@@ -55,7 +64,6 @@ ShadowTLS password.
 
 Only available in the ShadowTLS protocol 2.
 
-
 #### users
 
 ShadowTLS users.
@@ -66,6 +74,8 @@ Only available in the ShadowTLS protocol 3.
 
 ==Required==
 
+When `wildcard_sni` is configured to `all`, the server address is optional.
+
 Handshake server address and [Dial Fields](/configuration/shared/dial/).
 
 #### handshake_for_server_name
@@ -79,3 +89,19 @@ Only available in the ShadowTLS protocol 2/3.
 ShadowTLS strict mode.
 
 Only available in the ShadowTLS protocol 3.
+
+#### wildcard_sni
+
+!!! question "Since sing-box 1.12.0"
+
+ShadowTLS wildcard SNI mode.
+
+Available values are:
+
+* `off`: (default) Disabled.
+* `authed`: Authenticated connections will have their destination overwritten to `(servername):443`
+* `all`: All connections will have their destination overwritten to `(servername):443`
+
+Additionally, connections matching `handshake_for_server_name` are not affected.
+
+Only available in the ShadowTLS protocol 3.

docs/configuration/inbound/shadowtls.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.12.0 中的更改"
+
+    :material-plus: [wildcard_sni](#wildcard_sni)
+
 ### 结构
 
 ```json
@@ -29,7 +37,8 @@
       ... // 拨号字段
     }
   },
-  "strict_mode": false
+  "strict_mode": false,
+  "wildcard_sni": ""
 }
 ```
 
@@ -80,3 +89,19 @@ ShadowTLS 用户。
 ShadowTLS 严格模式。
 
 仅在 ShadowTLS 协议版本 3 中可用。
+
+#### wildcard_sni
+
+!!! question "自 sing-box 1.12.0 起"
+
+ShadowTLS 通配符 SNI 模式。
+
+可用值：
+
+* `off`：（默认）禁用。
+* `authed`：已认证的连接的目标将被重写为 `(servername):443`。
+* `all`：所有连接的目标将被重写为 `(servername):443`。
+
+此外，匹配 `handshake_for_server_name` 的连接不受影响。
+
+仅在 ShadowTLS 协议 3 中可用。

docs/configuration/outbound/anytls.md

@@ -16,6 +16,7 @@ icon: material/new-box
   "password": "8JCsPssfgS8tiRwiMlhARg==",
   "idle_session_check_interval": "30s",
   "idle_session_timeout": "30s",
+  "min_idle_session": 5,
   "tls": {},
 
   ... // Dial Fields
@@ -50,6 +51,10 @@ Interval checking for idle sessions. Default: 30s.
 
 In the check, close sessions that have been idle for longer than this. Default: 30s.
 
+#### min_idle_session
+
+In the check, at least the first `n` idle sessions are kept open. Default value: `n`=0
+
 #### tls
 
 ==Required==

docs/configuration/outbound/anytls.zh.md

@@ -16,6 +16,7 @@ icon: material/new-box
   "password": "8JCsPssfgS8tiRwiMlhARg==",
   "idle_session_check_interval": "30s",
   "idle_session_timeout": "30s",
+  "min_idle_session": 5,
   "tls": {},
 
   ... // 拨号字段
@@ -50,6 +51,10 @@ AnyTLS 密码。
 
 在检查中，关闭闲置时间超过此值的会话。默认值：30秒。
 
+#### min_idle_session
+
+在检查中，至少前 `n` 个空闲会话保持打开状态。默认值：`n`=0
+
 #### tls
 
 ==必填==

docs/configuration/route/sniff.md

@@ -22,6 +22,7 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 |   UDP   |    `dtls`    |      /      |        /         |
 |   TCP   |    `ssh`     |      /      | SSH Client Name  |
 |   TCP   |    `rdp`     |      /      |        /         |
+|   UDP   |    `ntp`     |      /      |        /         |
 
 |       QUIC Client        |    Type    |
 |:------------------------:|:----------:|

docs/configuration/route/sniff.zh.md

@@ -22,6 +22,7 @@
 |   UDP   |    `dtls`    |      /      |     /      |
 |   TCP   |    `ssh`     |      /      | SSH 客户端名称  |
 |   TCP   |    `rdp`     |      /      |     /      |
+|   UDP   |    `ntp`     |      /      |     /      |
 
 |         QUIC 客户端         |     类型     |
 |:------------------------:|:----------:|

docs/configuration/shared/dial.md

@@ -106,6 +106,10 @@ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 
     `outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.
 
+!!! info ""
+
+    `domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.
+
 Set domain resolver to use for resolving domain names.
 
 This option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.

docs/configuration/shared/dial.zh.md

@@ -105,6 +105,10 @@ icon: material/new-box
 
     `outbound` DNS 规则项已弃用，且将在 sing-box 1.14.0 中被移除。因此，从 sing-box 1.14.0 版本开始，所有在服务器地址中使用域名的出站/端点均需配置此项。
 
+!!! info ""
+
+    当只有一个 DNS 服务器已配置时，`domain_resolver` 或 `route.default_domain_resolver` 是可选的。 
+
 用于设置解析域名的域名解析器。
 
 此选项的格式与 [路由 DNS 规则动作](/configuration/dns/rule_action/#route) 相同，但不包含 `action` 字段。  

docs/configuration/shared/udp-over-tcp.md

@@ -31,12 +31,11 @@ The protocol version, `1` or `2`.
 
 ### Application support
 
-| Project      | UoT v1               | UoT v2                                                                                                            |
-|--------------|----------------------|-------------------------------------------------------------------------------------------------------------------|
-| sing-box     | v0 (2022/08/11)      | v1.2-beta9                                                                                                        |
-| Xray-core    | v1.5.7 (2022/06/05)  | [f57ec13](https://github.com/XTLS/Xray-core/commit/f57ec1388084df041a2289bacab14e446bf1b357) (Not released)       |
-| Clash.Meta   | v1.12.0 (2022/07/02) | [8cb67b6](https://github.com/MetaCubeX/Clash.Meta/commit/8cb67b6480649edfa45dcc9ac89ce0789651e8b3) (Not released) |
-| Shadowrocket | v2.2.12 (2022/08/13) | /                                                                                                                 |
+| Project      | UoT v1               | UoT v2               |
+|--------------|----------------------|----------------------|
+| sing-box     | v0 (2022/08/11)      | v1.2-beta9           |
+| Clash.Meta   | v1.12.0 (2022/07/02) | v1.14.3 (2023/03/31) |
+| Shadowrocket | v2.2.12 (2022/08/13) | /                    |
 
 ### Protocol details
 
@@ -50,7 +49,13 @@ The client requests the magic address to the upper layer proxy protocol to indic
 |------|----------|-------|--------|----------|
 | u8   | variable | u16be | u16be  | variable |
 
-**ATYP / address / port**: Uses the SOCKS address format.
+**ATYP / address / port**: Uses the SOCKS address format, but with different address types:
+
+| ATYP   | Address type |
+|--------|--------------|
+| `0x00` | IPv4 Address |
+| `0x01` | IPv6 Address |
+| `0x02` | Domain Name  |
 
 #### Protocol version 2
 

docs/installation/build-from-source.md

@@ -58,6 +58,6 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | `with_v2ray_api`                   | :material-close:️    | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
 | `with_gvisor`                      | :material-check:     | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️    | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
-| `with_tailscale`                   | :material-check:     | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
+| `with_tailscale`                   | :material-check:   | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale)                                                                                                                                                                                                                                      |
 
 It is not recommended to change the default build tag list unless you really know what you are adding.

docs/installation/package-manager.zh.md

@@ -51,7 +51,7 @@ icon: material/package
 
 === ":material-linux: Linux"
 
-    | 类型       | 平台            | 链接                           | 命令                                                                                                            |
+    | 类型       | 平台            | 命令                           | 链接                                                                                                            |
     |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
     | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
     | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
@@ -61,13 +61,13 @@ icon: material/package
 
 === ":material-apple: macOS"
 
-    | 类型       | 平台    | 链接                      | 命令                                                                                             |
+    | 类型       | 平台    | 命令                      | 链接                                                                                             |
     |----------|-------|-------------------------|------------------------------------------------------------------------------------------------|
     | Homebrew | macOS | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
 
 === ":material-microsoft-windows: Windows"
 
-    | 类型         | 平台      | 链接                        | 命令                                                                                                  |
+    | 类型         | 平台      | 命令                        | 链接                                                                                                  |
     |------------|---------|---------------------------|-----------------------------------------------------------------------------------------------------|
     | Scoop      | Windows | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
     | Chocolatey | Windows | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
@@ -75,13 +75,13 @@ icon: material/package
 
 === ":material-android: Android"
 
-    | 类型     | 平台      | 链接                 | 命令                                                                                           |
+    | 类型     | 平台      | 命令                 | 链接                                                                                           |
     |--------|---------|--------------------|----------------------------------------------------------------------------------------------|
     | Termux | Android | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
 
 === ":material-freebsd: FreeBSD"
 
-    | 类型         | 平台      | 链接                     | 命令                                                                                         |
+    | 类型         | 平台      | 命令                     | 链接                                                                                         |
     |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
     | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 

docs/migration.md

@@ -567,7 +567,7 @@ The legacy outbound DNS rules are deprecated and can be replaced by new domain r
           "server_port": 2080,
           "domain_resolver": {
             "server": "local",
-            "rewrite_tll": 60,
+            "rewrite_ttl": 60,
             "client_subnet": "1.1.1.1"
           },
           // or "domain_resolver": "local",
@@ -579,7 +579,7 @@ The legacy outbound DNS rules are deprecated and can be replaced by new domain r
       "route": {
         "default_domain_resolver": {
           "server": "local",
-          "rewrite_tll": 60,
+          "rewrite_ttl": 60,
           "client_subnet": "1.1.1.1"
         }
       }

docs/migration.zh.md

@@ -565,13 +565,21 @@ DNS 服务器已经重构。
           "type": "socks",
           "server": "example.org",
           "server_port": 2080,
-          "domain_resolver": "local",
+          "domain_resolver": {
+            "server": "local",
+            "rewrite_ttl": 60,
+            "client_subnet": "1.1.1.1"
+          },
+          // 或 "domain_resolver": "local",
         }
       ],
+
+      // 或
+
       "route": {
         "default_domain_resolver": {
           "server": "local",
-          "rewrite_tll": 60,
+          "rewrite_ttl": 60,
           "client_subnet": "1.1.1.1"
         }
       }

experimental/clashapi/server_resources.go

@@ -77,15 +77,15 @@ func (s *Server) downloadExternalUI() error {
 	if response.StatusCode != http.StatusOK {
 		return E.New("download external ui failed: ", response.Status)
 	}
-	err = s.downloadZIP(filepath.Base(downloadURL), response.Body, s.externalUI)
+	err = s.downloadZIP(response.Body, s.externalUI)
 	if err != nil {
 		removeAllInDirectory(s.externalUI)
 	}
 	return err
 }
 
-func (s *Server) downloadZIP(name string, body io.Reader, output string) error {
-	tempFile, err := filemanager.CreateTemp(s.ctx, name)
+func (s *Server) downloadZIP(body io.Reader, output string) error {
+	tempFile, err := filemanager.CreateTemp(s.ctx, "external-ui.zip")
 	if err != nil {
 		return err
 	}

experimental/libbox/monitor.go

@@ -56,7 +56,12 @@ func (m *platformDefaultInterfaceMonitor) UnregisterCallback(element *list.Eleme
 
 func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
 	if sFixAndroidStack {
-		go m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
+		done := make(chan struct{})
+		go func() {
+			m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
+			close(done)
+		}()
+		<-done
 	} else {
 		m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
 	}

go.mod

@@ -3,7 +3,7 @@ module github.com/sagernet/sing-box
 go 1.23.1
 
 require (
-	github.com/anytls/sing-anytls v0.0.2
+	github.com/anytls/sing-anytls v0.0.6
 	github.com/caddyserver/certmagic v0.21.7
 	github.com/cloudflare/circl v1.6.0
 	github.com/cretz/bine v0.2.0
@@ -26,16 +26,16 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
 	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff
+	github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109
 	github.com/sagernet/sing-mux v0.3.1
 	github.com/sagernet/sing-quic v0.4.1-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
-	github.com/sagernet/sing-shadowtls v0.2.0
+	github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056
 	github.com/sagernet/sing-tun v0.6.1
 	github.com/sagernet/sing-vmess v0.2.0
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
-	github.com/sagernet/tailscale v1.79.0-mod.1
+	github.com/sagernet/tailscale v1.80.3-mod.0
 	github.com/sagernet/utls v1.6.7
 	github.com/sagernet/wireguard-go v0.0.1-beta.5
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
@@ -44,7 +44,7 @@ require (
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 	golang.org/x/crypto v0.33.0
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
 	golang.org/x/mod v0.23.0
 	golang.org/x/net v0.35.0
 	golang.org/x/sys v0.30.0
@@ -72,9 +72,9 @@ require (
 	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.11.1 // indirect
-	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
@@ -87,20 +87,19 @@ require (
 	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
 	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/csrf v1.7.2 // indirect
+	github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/illarion/gonotify/v2 v2.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/sdnotify v1.0.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -120,21 +119,20 @@ require (
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
-	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
-	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tcnksm/go-httpstat v0.2.0 // indirect
-	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
+	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
-	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect

go.sum

@@ -8,10 +8,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anytls/sing-anytls v0.0.1 h1:Hex6GFUcgATWMWL2E9YgH/7oPgwdokiIF09UQi5BEC0=
-github.com/anytls/sing-anytls v0.0.1/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
-github.com/anytls/sing-anytls v0.0.2 h1:25azSh0o/LMcIkhS4ZutgRTIGwh8O3wuOhsThVM9K9o=
-github.com/anytls/sing-anytls v0.0.2/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
+github.com/anytls/sing-anytls v0.0.6 h1:UatIjl/OvzWQGXQ1I2bAIkabL9WtihW0fA7G+DXGBUg=
+github.com/anytls/sing-anytls v0.0.6/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/caddyserver/certmagic v0.21.7 h1:66KJioPFJwttL43KYSWk7ErSmE6LfaJgCQuhm8Sg6fg=
@@ -42,8 +40,8 @@ github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yez
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
@@ -52,8 +50,8 @@ github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -89,8 +87,8 @@ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQN
 github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
@@ -104,9 +102,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 h1:q3OEI9RaN/wwcx+qgGo6ZaoJkCiDYe/gjDLfq7lQQF4=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
@@ -126,8 +121,8 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
@@ -148,7 +143,6 @@ github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE=
 github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY=
 github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
 github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -184,8 +178,8 @@ github.com/sagernet/quic-go v0.49.0-beta.1/go.mod h1:uesWD1Ihrldq1M3XtjuEvIUqi8W
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff h1:5UGghwx8cI14qFa0ienrLekAYfhdKAiWvJUkY7rHmsI=
-github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109 h1:clwEzQu0oiapGllEDtbGQjcmQaIAt8DH3EeOHAWyiKs=
+github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=
 github.com/sagernet/sing-mux v0.3.1/go.mod h1:Mkdz8LnDstthz0HWuA/5foncnDIdcNN5KZ6AdJX+x78=
 github.com/sagernet/sing-quic v0.4.1-beta.1 h1:V2VfMckT3EQR3ZdfSzJgZZDsvfZZH42QAZpnOnHKa0s=
@@ -194,16 +188,16 @@ github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegE
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
-github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
-github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
+github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056 h1:GFNJQAHhSXqAfxAw1wDG/QWbdpGH5Na3k8qUynqWnEA=
+github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056/go.mod h1:HyacBPIFiKihJQR8LQp56FM4hBtd/7MZXnRxxQIOPsc=
 github.com/sagernet/sing-tun v0.6.1 h1:4l0+gnEKcGjlWfUVTD+W0BRApqIny/lU2ZliurE+VMo=
 github.com/sagernet/sing-tun v0.6.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
 github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tailscale v1.79.0-mod.1 h1:wIuAH7VqBYJNk0h2+bTyk4F0OlSqHvyLDCBrD3i+XNI=
-github.com/sagernet/tailscale v1.79.0-mod.1/go.mod h1:RKY5WjYLj3JJ7VO/8ZCw8eAFa4+kWU6A1Ftdk84uB14=
+github.com/sagernet/tailscale v1.80.3-mod.0 h1:oHIdivbR/yxoiA9d3a2rRlhYn2shY9XVF35Rr8jW508=
+github.com/sagernet/tailscale v1.80.3-mod.0/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
 github.com/sagernet/utls v1.6.7/go.mod h1:Uua1TKO/FFuAhLr9rkaVnnrTmmiItzDjv1BUb2+ERwM=
 github.com/sagernet/wireguard-go v0.0.1-beta.5 h1:aBEsxJUMEONwOZqKPIkuAcv4zJV5p6XlzEN04CF0FXc=
@@ -230,16 +224,14 @@ github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29X
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
-github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
-github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -269,17 +261,17 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.23.0 h1:HseQ7c2OpPKTPVzNjG5fwJsOTCiiwS4QdsYi5XU6H68=
+golang.org/x/image v0.23.0/go.mod h1:wJJBTdLfCCf3tiHa1fNxpZmUI4mmoZvwMCPP0ddoNKY=
 golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
 golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -293,10 +285,8 @@ golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
@@ -308,11 +298,11 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
+golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

include/registry.go

@@ -107,7 +107,6 @@ func DNSTransportRegistry() *dns.TransportRegistry {
 	transport.RegisterUDP(registry)
 	transport.RegisterTLS(registry)
 	transport.RegisterHTTPS(registry)
-	transport.RegisterPredefined(registry)
 	hosts.RegisterTransport(registry)
 	local.RegisterTransport(registry)
 	fakeip.RegisterTransport(registry)

log/id.go

@@ -20,12 +20,16 @@ type ID struct {
 }
 
 func ContextWithNewID(ctx context.Context) context.Context {
-	return context.WithValue(ctx, (*idKey)(nil), ID{
+	return ContextWithID(ctx, ID{
 		ID:        rand.Uint32(),
 		CreatedAt: time.Now(),
 	})
 }
 
+func ContextWithID(ctx context.Context, id ID) context.Context {
+	return context.WithValue(ctx, (*idKey)(nil), id)
+}
+
 func IDFromContext(ctx context.Context) (ID, bool) {
 	id, loaded := ctx.Value((*idKey)(nil)).(ID)
 	return id, loaded

mkdocs.yml

@@ -84,13 +84,13 @@ nav:
               - configuration/dns/server/index.md
               - Legacy: configuration/dns/server/legacy.md
               - Local: configuration/dns/server/local.md
+              - Hosts: configuration/dns/server/hosts.md
               - TCP: configuration/dns/server/tcp.md
               - UDP: configuration/dns/server/udp.md
               - TLS: configuration/dns/server/tls.md
               - QUIC: configuration/dns/server/quic.md
               - HTTPS: configuration/dns/server/https.md
               - HTTP3: configuration/dns/server/http3.md
-              - Predefined: configuration/dns/server/predefined.md
               - DHCP: configuration/dns/server/dhcp.md
               - FakeIP: configuration/dns/server/fakeip.md
               - Tailscale: configuration/dns/server/tailscale.md

option/anytls.go

@@ -21,4 +21,5 @@ type AnyTLSOutboundOptions struct {
 	Password                 string             `json:"password,omitempty"`
 	IdleSessionCheckInterval badoption.Duration `json:"idle_session_check_interval,omitempty"`
 	IdleSessionTimeout       badoption.Duration `json:"idle_session_timeout,omitempty"`
+	MinIdleSession           int                `json:"min_idle_session,omitempty"`
 }

option/dns.go

@@ -19,10 +19,10 @@ import (
 )
 
 type RawDNSOptions struct {
-	Servers        []NewDNSServerOptions `json:"servers,omitempty"`
-	Rules          []DNSRule             `json:"rules,omitempty"`
-	Final          string                `json:"final,omitempty"`
-	ReverseMapping bool                  `json:"reverse_mapping,omitempty"`
+	Servers        []DNSServerOptions `json:"servers,omitempty"`
+	Rules          []DNSRule          `json:"rules,omitempty"`
+	Final          string             `json:"final,omitempty"`
+	ReverseMapping bool               `json:"reverse_mapping,omitempty"`
 	DNSClientOptions
 }
 
@@ -35,18 +35,72 @@ type DNSOptions struct {
 	LegacyDNSOptions
 }
 
+type contextKeyDontUpgrade struct{}
+
+func ContextWithDontUpgrade(ctx context.Context) context.Context {
+	return context.WithValue(ctx, (*contextKeyDontUpgrade)(nil), true)
+}
+
+func dontUpgradeFromContext(ctx context.Context) bool {
+	return ctx.Value((*contextKeyDontUpgrade)(nil)) == true
+}
+
 func (o *DNSOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
 	err := json.UnmarshalContext(ctx, content, &o.LegacyDNSOptions)
 	if err != nil {
 		return err
 	}
-	if o.FakeIP != nil && o.FakeIP.Enabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyDNSFakeIPOptions)
-		ctx = context.WithValue(ctx, (*LegacyDNSFakeIPOptions)(nil), o.FakeIP)
-	}
+	dontUpgrade := dontUpgradeFromContext(ctx)
 	legacyOptions := o.LegacyDNSOptions
-	o.LegacyDNSOptions = LegacyDNSOptions{}
-	return badjson.UnmarshallExcludedContext(ctx, content, legacyOptions, &o.RawDNSOptions)
+	if !dontUpgrade {
+		if o.FakeIP != nil && o.FakeIP.Enabled {
+			deprecated.Report(ctx, deprecated.OptionLegacyDNSFakeIPOptions)
+			ctx = context.WithValue(ctx, (*LegacyDNSFakeIPOptions)(nil), o.FakeIP)
+		}
+		o.LegacyDNSOptions = LegacyDNSOptions{}
+	}
+	err = badjson.UnmarshallExcludedContext(ctx, content, legacyOptions, &o.RawDNSOptions)
+	if err != nil {
+		return err
+	}
+	if !dontUpgrade {
+		rcodeMap := make(map[string]int)
+		o.Servers = common.Filter(o.Servers, func(it DNSServerOptions) bool {
+			if it.Type == C.DNSTypeLegacyRcode {
+				rcodeMap[it.Tag] = it.Options.(int)
+				return false
+			}
+			return true
+		})
+		if len(rcodeMap) > 0 {
+			for i := 0; i < len(o.Rules); i++ {
+				rewriteRcode(rcodeMap, &o.Rules[i])
+			}
+		}
+	}
+	return nil
+}
+
+func rewriteRcode(rcodeMap map[string]int, rule *DNSRule) {
+	switch rule.Type {
+	case C.RuleTypeDefault:
+		rewriteRcodeAction(rcodeMap, &rule.DefaultOptions.DNSRuleAction)
+	case C.RuleTypeLogical:
+		rewriteRcodeAction(rcodeMap, &rule.LogicalOptions.DNSRuleAction)
+	}
+}
+
+func rewriteRcodeAction(rcodeMap map[string]int, ruleAction *DNSRuleAction) {
+	if ruleAction.Action != C.RuleActionTypeRoute {
+		return
+	}
+	rcode, loaded := rcodeMap[ruleAction.RouteOptions.Server]
+	if !loaded {
+		return
+	}
+	ruleAction.Action = C.RuleActionTypePredefined
+	ruleAction.PredefinedOptions.Rcode = common.Ptr(DNSRCode(rcode))
+	return
 }
 
 type DNSClientOptions struct {
@@ -68,26 +122,30 @@ type DNSTransportOptionsRegistry interface {
 	CreateOptions(transportType string) (any, bool)
 }
 
-type _NewDNSServerOptions struct {
+type _DNSServerOptions struct {
 	Type    string `json:"type,omitempty"`
 	Tag     string `json:"tag,omitempty"`
 	Options any    `json:"-"`
 }
 
-type NewDNSServerOptions _NewDNSServerOptions
+type DNSServerOptions _DNSServerOptions
 
-func (o *NewDNSServerOptions) MarshalJSONContext(ctx context.Context) ([]byte, error) {
-	return badjson.MarshallObjectsContext(ctx, (*_NewDNSServerOptions)(o), o.Options)
+func (o *DNSServerOptions) MarshalJSONContext(ctx context.Context) ([]byte, error) {
+	switch o.Type {
+	case C.DNSTypeLegacy:
+		o.Type = ""
+	}
+	return badjson.MarshallObjectsContext(ctx, (*_DNSServerOptions)(o), o.Options)
 }
 
-func (o *NewDNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
-	err := json.UnmarshalContext(ctx, content, (*_NewDNSServerOptions)(o))
+func (o *DNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
+	err := json.UnmarshalContext(ctx, content, (*_DNSServerOptions)(o))
 	if err != nil {
 		return err
 	}
 	registry := service.FromContext[DNSTransportOptionsRegistry](ctx)
 	if registry == nil {
-		return E.New("missing outbound options registry in context")
+		return E.New("missing DNS transport options registry in context")
 	}
 	var options any
 	switch o.Type {
@@ -102,12 +160,12 @@ func (o *NewDNSServerOptions) UnmarshalJSONContext(ctx context.Context, content
 			return E.New("unknown transport type: ", o.Type)
 		}
 	}
-	err = badjson.UnmarshallExcludedContext(ctx, content, (*_Outbound)(o), options)
+	err = badjson.UnmarshallExcludedContext(ctx, content, (*_DNSServerOptions)(o), options)
 	if err != nil {
 		return err
 	}
 	o.Options = options
-	if o.Type == C.DNSTypeLegacy {
+	if o.Type == C.DNSTypeLegacy && !dontUpgradeFromContext(ctx) {
 		err = o.Upgrade(ctx)
 		if err != nil {
 			return err
@@ -116,7 +174,7 @@ func (o *NewDNSServerOptions) UnmarshalJSONContext(ctx context.Context, content
 	return nil
 }
 
-func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
+func (o *DNSServerOptions) Upgrade(ctx context.Context) error {
 	if o.Type != C.DNSTypeLegacy {
 		return nil
 	}
@@ -178,12 +236,10 @@ func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
 		if !serverAddr.IsValid() {
 			return E.New("invalid server address")
 		}
-		remoteOptions.Server = serverAddr.Addr.String()
+		remoteOptions.Server = serverAddr.AddrString()
 		if serverAddr.Port != 0 && serverAddr.Port != 53 {
 			remoteOptions.ServerPort = serverAddr.Port
 		}
-		remoteOptions.Server = serverAddr.AddrString()
-		remoteOptions.ServerPort = serverAddr.Port
 	case C.DNSTypeTCP:
 		o.Type = C.DNSTypeTCP
 		o.Options = &remoteOptions
@@ -191,19 +247,17 @@ func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
 		if !serverAddr.IsValid() {
 			return E.New("invalid server address")
 		}
-		remoteOptions.Server = serverAddr.Addr.String()
+		remoteOptions.Server = serverAddr.AddrString()
 		if serverAddr.Port != 0 && serverAddr.Port != 53 {
 			remoteOptions.ServerPort = serverAddr.Port
 		}
-		remoteOptions.Server = serverAddr.AddrString()
-		remoteOptions.ServerPort = serverAddr.Port
 	case C.DNSTypeTLS, C.DNSTypeQUIC:
 		o.Type = serverType
 		serverAddr := M.ParseSocksaddr(serverURL.Host)
 		if !serverAddr.IsValid() {
 			return E.New("invalid server address")
 		}
-		remoteOptions.Server = serverAddr.Addr.String()
+		remoteOptions.Server = serverAddr.AddrString()
 		if serverAddr.Port != 0 && serverAddr.Port != 853 {
 			remoteOptions.ServerPort = serverAddr.Port
 		}
@@ -222,7 +276,7 @@ func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
 		if !serverAddr.IsValid() {
 			return E.New("invalid server address")
 		}
-		httpsOptions.Server = serverAddr.Addr.String()
+		httpsOptions.Server = serverAddr.AddrString()
 		if serverAddr.Port != 0 && serverAddr.Port != 443 {
 			httpsOptions.ServerPort = serverAddr.Port
 		}
@@ -247,14 +301,8 @@ func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
 		default:
 			return E.New("unknown rcode: ", serverURL.Host)
 		}
-		o.Type = C.DNSTypePreDefined
-		o.Options = &PredefinedDNSServerOptions{
-			Responses: []DNSResponseOptions{
-				{
-					RCode: common.Ptr(DNSRCode(rcode)),
-				},
-			},
-		}
+		o.Type = C.DNSTypeLegacyRcode
+		o.Options = rcode
 	case C.DNSTypeDHCP:
 		o.Type = C.DNSTypeDHCP
 		dhcpOptions := DHCPDNSServerOptions{}
@@ -276,6 +324,27 @@ func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
 	return nil
 }
 
+type DNSServerAddressOptions struct {
+	Server     string `json:"server"`
+	ServerPort uint16 `json:"server_port,omitempty"`
+}
+
+func (o DNSServerAddressOptions) Build() M.Socksaddr {
+	return M.ParseSocksaddrHostPort(o.Server, o.ServerPort)
+}
+
+func (o DNSServerAddressOptions) ServerIsDomain() bool {
+	return M.IsDomainName(o.Server)
+}
+
+func (o *DNSServerAddressOptions) TakeServerOptions() ServerOptions {
+	return ServerOptions(*o)
+}
+
+func (o *DNSServerAddressOptions) ReplaceServerOptions(options ServerOptions) {
+	*o = DNSServerAddressOptions(options)
+}
+
 type LegacyDNSServerOptions struct {
 	Address              string                `json:"address"`
 	AddressResolver      string                `json:"address_resolver,omitempty"`
@@ -287,8 +356,8 @@ type LegacyDNSServerOptions struct {
 }
 
 type HostsDNSServerOptions struct {
-	Path       badoption.Listable[string]                               `json:"path,omitempty"`
-	Predefined badjson.TypedMap[string, badoption.Listable[netip.Addr]] `json:"predefined,omitempty"`
+	Path       badoption.Listable[string]                                `json:"path,omitempty"`
+	Predefined *badjson.TypedMap[string, badoption.Listable[netip.Addr]] `json:"predefined,omitempty"`
 }
 
 type LocalDNSServerOptions struct {
@@ -300,7 +369,7 @@ type LocalDNSServerOptions struct {
 
 type RemoteDNSServerOptions struct {
 	LocalDNSServerOptions
-	ServerOptions
+	DNSServerAddressOptions
 	LegacyAddressResolver      string             `json:"-"`
 	LegacyAddressStrategy      DomainStrategy     `json:"-"`
 	LegacyAddressFallbackDelay badoption.Duration `json:"-"`

option/dns_record.go

@@ -3,30 +3,14 @@ package option
 import (
 	"encoding/base64"
 
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badoption"
 	M "github.com/sagernet/sing/common/metadata"
 
 	"github.com/miekg/dns"
 )
 
-type PredefinedDNSServerOptions struct {
-	Responses []DNSResponseOptions `json:"responses,omitempty"`
-}
-
-type DNSResponseOptions struct {
-	Query     badoption.Listable[string]       `json:"query,omitempty"`
-	QueryType badoption.Listable[DNSQueryType] `json:"query_type,omitempty"`
-
-	RCode  *DNSRCode                            `json:"rcode,omitempty"`
-	Answer badoption.Listable[DNSRecordOptions] `json:"answer,omitempty"`
-	Ns     badoption.Listable[DNSRecordOptions] `json:"ns,omitempty"`
-	Extra  badoption.Listable[DNSRecordOptions] `json:"extra,omitempty"`
-}
-
 type DNSRCode int
 
 func (r DNSRCode) MarshalJSON() ([]byte, error) {
@@ -64,49 +48,6 @@ func (r *DNSRCode) Build() int {
 	return int(*r)
 }
 
-func (o DNSResponseOptions) Build() ([]dns.Question, *dns.Msg, error) {
-	var questions []dns.Question
-	if len(o.Query) == 0 && len(o.QueryType) == 0 {
-		questions = []dns.Question{{Qclass: dns.ClassINET}}
-	} else if len(o.Query) == 0 {
-		for _, queryType := range o.QueryType {
-			questions = append(questions, dns.Question{
-				Qtype:  uint16(queryType),
-				Qclass: dns.ClassINET,
-			})
-		}
-	} else if len(o.QueryType) == 0 {
-		for _, domain := range o.Query {
-			questions = append(questions, dns.Question{
-				Name:   dns.Fqdn(domain),
-				Qclass: dns.ClassINET,
-			})
-		}
-	} else {
-		for _, queryType := range o.QueryType {
-			for _, domain := range o.Query {
-				questions = append(questions, dns.Question{
-					Name:   dns.Fqdn(domain),
-					Qtype:  uint16(queryType),
-					Qclass: dns.ClassINET,
-				})
-			}
-		}
-	}
-	return questions, &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Response:           true,
-			Rcode:              o.RCode.Build(),
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-		},
-		Answer: common.Map(o.Answer, DNSRecordOptions.build),
-		Ns:     common.Map(o.Ns, DNSRecordOptions.build),
-		Extra:  common.Map(o.Extra, DNSRecordOptions.build),
-	}, nil
-}
-
 type DNSRecordOptions struct {
 	dns.RR
 	fromBase64 bool
@@ -156,6 +97,6 @@ func (o *DNSRecordOptions) unmarshalBase64(binary []byte) error {
 	return nil
 }
 
-func (o DNSRecordOptions) build() dns.RR {
+func (o DNSRecordOptions) Build() dns.RR {
 	return o.RR
 }

option/outbound.go

@@ -99,7 +99,9 @@ type _DomainResolveOptions struct {
 type DomainResolveOptions _DomainResolveOptions
 
 func (o DomainResolveOptions) MarshalJSON() ([]byte, error) {
-	if o.Strategy == DomainStrategy(C.DomainStrategyAsIS) &&
+	if o.Server == "" {
+		return []byte("{}"), nil
+	} else if o.Strategy == DomainStrategy(C.DomainStrategyAsIS) &&
 		!o.DisableCache &&
 		o.RewriteTTL == nil &&
 		o.ClientSubnet == nil {
@@ -116,7 +118,14 @@ func (o *DomainResolveOptions) UnmarshalJSON(bytes []byte) error {
 		o.Server = stringValue
 		return nil
 	}
-	return json.Unmarshal(bytes, (*_DomainResolveOptions)(o))
+	err = json.Unmarshal(bytes, (*_DomainResolveOptions)(o))
+	if err != nil {
+		return err
+	}
+	if o.Server == "" {
+		return E.New("empty domain_resolver.server")
+	}
+	return nil
 }
 
 func (o *DialerOptions) TakeDialerOptions() DialerOptions {

option/rule_action.go

@@ -92,6 +92,7 @@ type _DNSRuleAction struct {
 	RouteOptions        DNSRouteActionOptions        `json:"-"`
 	RouteOptionsOptions DNSRouteOptionsActionOptions `json:"-"`
 	RejectOptions       RejectActionOptions          `json:"-"`
+	PredefinedOptions   DNSRouteActionPredefined     `json:"-"`
 }
 
 type DNSRuleAction _DNSRuleAction
@@ -109,6 +110,8 @@ func (r DNSRuleAction) MarshalJSON() ([]byte, error) {
 		v = r.RouteOptionsOptions
 	case C.RuleActionTypeReject:
 		v = r.RejectOptions
+	case C.RuleActionTypePredefined:
+		v = r.PredefinedOptions
 	default:
 		return nil, E.New("unknown DNS rule action: " + r.Action)
 	}
@@ -129,6 +132,8 @@ func (r *DNSRuleAction) UnmarshalJSONContext(ctx context.Context, data []byte) e
 		v = &r.RouteOptionsOptions
 	case C.RuleActionTypeReject:
 		v = &r.RejectOptions
+	case C.RuleActionTypePredefined:
+		v = &r.PredefinedOptions
 	default:
 		return E.New("unknown DNS rule action: " + r.Action)
 	}
@@ -294,3 +299,10 @@ type RouteActionResolve struct {
 	RewriteTTL   *uint32               `json:"rewrite_ttl,omitempty"`
 	ClientSubnet *badoption.Prefixable `json:"client_subnet,omitempty"`
 }
+
+type DNSRouteActionPredefined struct {
+	Rcode  *DNSRCode                            `json:"rcode,omitempty"`
+	Answer badoption.Listable[DNSRecordOptions] `json:"answer,omitempty"`
+	Ns     badoption.Listable[DNSRecordOptions] `json:"ns,omitempty"`
+	Extra  badoption.Listable[DNSRecordOptions] `json:"extra,omitempty"`
+}

option/shadowtls.go

@@ -1,5 +1,11 @@
 package option
 
+import (
+	"encoding/json"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
 type ShadowTLSInboundOptions struct {
 	ListenOptions
 	Version                int                                  `json:"version,omitempty"`
@@ -8,6 +14,51 @@ type ShadowTLSInboundOptions struct {
 	Handshake              ShadowTLSHandshakeOptions            `json:"handshake,omitempty"`
 	HandshakeForServerName map[string]ShadowTLSHandshakeOptions `json:"handshake_for_server_name,omitempty"`
 	StrictMode             bool                                 `json:"strict_mode,omitempty"`
+	WildcardSNI            WildcardSNI                          `json:"wildcard_sni,omitempty"`
+}
+
+type WildcardSNI int
+
+const (
+	ShadowTLSWildcardSNIOff WildcardSNI = iota
+	ShadowTLSWildcardSNIAuthed
+	ShadowTLSWildcardSNIAll
+)
+
+func (w WildcardSNI) MarshalJSON() ([]byte, error) {
+	return json.Marshal(w.String())
+}
+
+func (w WildcardSNI) String() string {
+	switch w {
+	case ShadowTLSWildcardSNIOff:
+		return "off"
+	case ShadowTLSWildcardSNIAuthed:
+		return "authed"
+	case ShadowTLSWildcardSNIAll:
+		return "all"
+	default:
+		panic("unknown wildcard SNI value")
+	}
+}
+
+func (w *WildcardSNI) UnmarshalJSON(bytes []byte) error {
+	var valueString string
+	err := json.Unmarshal(bytes, &valueString)
+	if err != nil {
+		return err
+	}
+	switch valueString {
+	case "off", "":
+		*w = ShadowTLSWildcardSNIOff
+	case "authed":
+		*w = ShadowTLSWildcardSNIAuthed
+	case "all":
+		*w = ShadowTLSWildcardSNIAll
+	default:
+		return E.New("unknown wildcard SNI value: ", valueString)
+	}
+	return nil
 }
 
 type ShadowTLSUser struct {

protocol/anytls/outbound.go

@@ -51,8 +51,9 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 	outbound.tlsConfig = tlsConfig
 
 	outboundDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context: ctx,
-		Options: options.DialerOptions,
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		RemoteIsDomain: options.ServerIsDomain(),
 	})
 	if err != nil {
 		return nil, err
@@ -63,6 +64,7 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		Password:                 options.Password,
 		IdleSessionCheckInterval: options.IdleSessionCheckInterval.Build(),
 		IdleSessionTimeout:       options.IdleSessionTimeout.Build(),
+		MinIdleSession:           options.MinIdleSession,
 		DialOut:                  outbound.dialOut,
 		Logger:                   logger,
 	})

protocol/direct/inbound.go

@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/udpnat2"
@@ -80,7 +81,7 @@ func (i *Inbound) Close() error {
 }
 
 func (i *Inbound) NewPacketEx(buffer *buf.Buffer, source M.Socksaddr) {
-	i.udpNat.NewPacket([][]byte{buffer.Bytes()}, source, M.Socksaddr{}, nil)
+	i.udpNat.NewPacket([][]byte{buffer.Bytes()}, source, i.listener.UDPAddr(), nil)
 }
 
 func (i *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
@@ -104,7 +105,6 @@ func (i *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata a
 
 func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	i.logger.InfoContext(ctx, "inbound packet connection from ", source)
-	i.logger.InfoContext(ctx, "inbound packet connection to ", destination)
 	var metadata adapter.InboundContext
 	metadata.Inbound = i.Tag()
 	metadata.InboundType = i.Type()
@@ -123,8 +123,11 @@ func (i *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 		destination.Port = i.overrideDestination.Port
 	default:
 	}
+	i.logger.InfoContext(ctx, "inbound packet connection to ", destination)
 	metadata.Destination = destination
-	metadata.OriginDestination = i.listener.UDPAddr()
+	if i.overrideOption != 0 {
+		conn = bufio.NewDestinationNATPacketConn(bufio.NewNetPacketConn(conn), i.listener.UDPAddr(), destination)
+	}
 	i.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
 }
 

protocol/direct/outbound.go

@@ -45,7 +45,7 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
-	outboundDialer, err := dialer.New(ctx, options.DialerOptions, false)
+	outboundDialer, err := dialer.New(ctx, options.DialerOptions, true)
 	if err != nil {
 		return nil, err
 	}

protocol/shadowsocks/inbound.go

@@ -61,7 +61,7 @@ func newInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		logger:  logger,
 	}
 	var err error
-	inbound.router, err = mux.NewRouterWithOptions(router, logger, common.PtrValueOrDefault(options.Multiplex))
+	inbound.router, err = mux.NewRouterWithOptions(inbound.router, logger, common.PtrValueOrDefault(options.Multiplex))
 	if err != nil {
 		return nil, err
 	}

protocol/shadowtls/inbound.go

@@ -57,7 +57,11 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 			}
 		}
 	}
-	handshakeDialer, err := dialer.New(ctx, options.Handshake.DialerOptions, options.Handshake.ServerIsDomain())
+	serverIsDomain := options.Handshake.ServerIsDomain()
+	if options.WildcardSNI != option.ShadowTLSWildcardSNIOff {
+		serverIsDomain = true
+	}
+	handshakeDialer, err := dialer.New(ctx, options.Handshake.DialerOptions, serverIsDomain)
 	if err != nil {
 		return nil, err
 	}
@@ -73,6 +77,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		},
 		HandshakeForServerName: handshakeForServerName,
 		StrictMode:             options.StrictMode,
+		WildcardSNI:            shadowtls.WildcardSNI(options.WildcardSNI),
 		Handler:                (*inboundHandler)(inbound),
 		Logger:                 logger,
 	})

protocol/tailscale/endpoint.go

@@ -39,6 +39,7 @@ import (
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/tailscale/ipn"
+	tsDNS "github.com/sagernet/tailscale/net/dns"
 	"github.com/sagernet/tailscale/net/netmon"
 	"github.com/sagernet/tailscale/net/tsaddr"
 	"github.com/sagernet/tailscale/tsnet"
@@ -145,6 +146,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		LookupHook: func(ctx context.Context, host string) ([]netip.Addr, error) {
 			return dnsRouter.Lookup(ctx, host, outboundDialer.(dialer.ResolveDialer).QueryOptions())
 		},
+		DNS: &dnsConfigurtor{},
 	}
 	return &Endpoint{
 		Adapter:                endpoint.NewAdapter(C.TypeTailscale, tag, []string{N.NetworkTCP, N.NetworkUDP}, nil),
@@ -471,3 +473,24 @@ func (d *endpointDialer) ListenPacket(ctx context.Context, destination M.Socksad
 	d.logger.InfoContext(ctx, "output packet connection")
 	return d.Dialer.ListenPacket(ctx, destination)
 }
+
+type dnsConfigurtor struct {
+	baseConfig tsDNS.OSConfig
+}
+
+func (c *dnsConfigurtor) SetDNS(cfg tsDNS.OSConfig) error {
+	c.baseConfig = cfg
+	return nil
+}
+
+func (c *dnsConfigurtor) SupportsSplitDNS() bool {
+	return true
+}
+
+func (c *dnsConfigurtor) GetBaseConfig() (tsDNS.OSConfig, error) {
+	return c.baseConfig, nil
+}
+
+func (c *dnsConfigurtor) Close() error {
+	return nil
+}

route/conn.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"net"
 	"net/netip"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -14,6 +15,7 @@ import (
 	"github.com/sagernet/sing-box/common/tlsfragment"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/canceler"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -165,22 +167,17 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 		} else {
 			originDestination = metadata.Destination
 		}
-		if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
+		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
+			natConn.UpdateDestination(destinationAddress)
+		} else if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
 			if metadata.UDPDisableDomainUnmapping {
 				remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
 			} else {
 				remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
 			}
 		}
-		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
-			natConn.UpdateDestination(destinationAddress)
-		}
 	} else if metadata.RouteOriginalDestination.IsValid() && metadata.RouteOriginalDestination != metadata.Destination {
-		if metadata.UDPDisableDomainUnmapping {
-			remotePacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
-		} else {
-			remotePacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
-		}
+		remotePacketConn = bufio.NewDestinationNATPacketConn(bufio.NewPacketConn(remotePacketConn), metadata.Destination, metadata.RouteOriginalDestination)
 	}
 	var udpTimeout time.Duration
 	if metadata.UDPTimeout > 0 {
@@ -211,14 +208,16 @@ func (m *ConnectionManager) NewPacketConnection(ctx context.Context, this N.Dial
 	go m.packetConnectionCopy(ctx, destination, conn, true, &done, onClose)
 }
 
-func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader, destination io.Writer, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
-	originSource := source
-	originDestination := destination
+func (m *ConnectionManager) connectionCopy(ctx context.Context, source net.Conn, destination net.Conn, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
+	var (
+		sourceReader      io.Reader = source
+		destinationWriter io.Writer = destination
+	)
 	var readCounters, writeCounters []N.CountFunc
 	for {
-		source, readCounters = N.UnwrapCountReader(source, readCounters)
-		destination, writeCounters = N.UnwrapCountWriter(destination, writeCounters)
-		if cachedSrc, isCached := source.(N.CachedReader); isCached {
+		sourceReader, readCounters = N.UnwrapCountReader(sourceReader, readCounters)
+		destinationWriter, writeCounters = N.UnwrapCountWriter(destinationWriter, writeCounters)
+		if cachedSrc, isCached := sourceReader.(N.CachedReader); isCached {
 			cachedBuffer := cachedSrc.ReadCached()
 			if cachedBuffer != nil {
 				dataLen := cachedBuffer.Len()
@@ -228,7 +227,7 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 					if done.Swap(true) {
 						onClose(err)
 					}
-					common.Close(originSource, originDestination)
+					common.Close(source, destination)
 					if !direction {
 						m.logger.ErrorContext(ctx, "connection upload payload: ", err)
 					} else {
@@ -247,9 +246,13 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 		}
 		break
 	}
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](destination); isEarlyConn && earlyConn.NeedHandshake() {
-		_, err := destination.Write(nil)
+	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](destinationWriter); isEarlyConn && earlyConn.NeedHandshake() {
+		err := m.connectionCopyEarly(source, destination)
 		if err != nil {
+			if done.Swap(true) {
+				onClose(err)
+			}
+			common.Close(source, destination)
 			if !direction {
 				m.logger.ErrorContext(ctx, "connection upload handshake: ", err)
 			} else {
@@ -258,20 +261,20 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 			return
 		}
 	}
-	_, err := bufio.CopyWithCounters(destination, source, originSource, readCounters, writeCounters)
+	_, err := bufio.CopyWithCounters(destination, sourceReader, source, readCounters, writeCounters)
 	if err != nil {
-		common.Close(originDestination)
+		common.Close(source, destination)
 	} else if duplexDst, isDuplex := destination.(N.WriteCloser); isDuplex {
 		err = duplexDst.CloseWrite()
 		if err != nil {
-			common.Close(originSource, originDestination)
+			common.Close(source, destination)
 		}
 	} else {
-		common.Close(originDestination)
+		destination.Close()
 	}
 	if done.Swap(true) {
 		onClose(err)
-		common.Close(originSource, originDestination)
+		common.Close(source, destination)
 	}
 	if !direction {
 		if err == nil {
@@ -292,16 +295,42 @@ func (m *ConnectionManager) connectionCopy(ctx context.Context, source io.Reader
 	}
 }
 
+func (m *ConnectionManager) connectionCopyEarly(source net.Conn, destination io.Writer) error {
+	payload := buf.NewPacket()
+	defer payload.Release()
+	err := source.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
+	if err != nil {
+		if err == os.ErrInvalid {
+			return common.Error(destination.Write(nil))
+		}
+		return err
+	}
+	_, err = payload.ReadOnceFrom(source)
+	if err != nil && !E.IsTimeout(err) {
+		return E.Cause(err, "read payload")
+	}
+	_ = source.SetReadDeadline(time.Time{})
+	_, err = destination.Write(payload.Bytes())
+	if err != nil {
+		return E.Cause(err, "write payload")
+	}
+	return nil
+}
+
 func (m *ConnectionManager) packetConnectionCopy(ctx context.Context, source N.PacketReader, destination N.PacketWriter, direction bool, done *atomic.Bool, onClose N.CloseHandlerFunc) {
 	_, err := bufio.CopyPacket(destination, source)
 	if !direction {
-		if E.IsClosedOrCanceled(err) {
+		if err == nil {
+			m.logger.DebugContext(ctx, "packet upload finished")
+		} else if E.IsClosedOrCanceled(err) {
 			m.logger.TraceContext(ctx, "packet upload closed")
 		} else {
 			m.logger.DebugContext(ctx, "packet upload closed: ", err)
 		}
 	} else {
-		if E.IsClosedOrCanceled(err) {
+		if err == nil {
+			m.logger.DebugContext(ctx, "packet download finished")
+		} else if E.IsClosedOrCanceled(err) {
 			m.logger.TraceContext(ctx, "packet download closed")
 		} else {
 			m.logger.DebugContext(ctx, "packet download closed: ", err)

route/route.go

@@ -358,7 +358,7 @@ func (r *Router) matchRule(
 			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{
 				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
 				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
-			}, inputConn, inputPacketConn)
+			}, inputConn, inputPacketConn, nil)
 			if newErr != nil {
 				fatalErr = newErr
 				return
@@ -462,7 +462,7 @@ match:
 		switch action := currentRule.Action().(type) {
 		case *rule.RuleActionSniff:
 			if !preMatch {
-				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn)
+				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn, buffers)
 				if newErr != nil {
 					fatalErr = newErr
 					return
@@ -493,28 +493,21 @@ match:
 			break match
 		}
 	}
-	if !preMatch && inputPacketConn != nil && (metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed) && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() {
-		newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{Timeout: C.TCPTimeout}, inputConn, inputPacketConn)
-		if newErr != nil {
-			fatalErr = newErr
-			return
-		}
-		if newBuffer != nil {
-			buffers = append(buffers, newBuffer)
-		} else if len(newPacketBuffers) > 0 {
-			packetBuffers = append(packetBuffers, newPacketBuffers...)
-		}
-	}
 	return
 }
 
 func (r *Router) actionSniff(
 	ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionSniff,
-	inputConn net.Conn, inputPacketConn N.PacketConn,
+	inputConn net.Conn, inputPacketConn N.PacketConn, inputBuffers []*buf.Buffer,
 ) (buffer *buf.Buffer, packetBuffers []*N.PacketBuffer, fatalErr error) {
 	if sniff.Skip(metadata) {
+		r.logger.DebugContext(ctx, "sniff skipped due to port considered as server-first")
 		return
-	} else if inputConn != nil {
+	} else if metadata.Protocol != "" {
+		r.logger.DebugContext(ctx, "duplicate sniff skipped")
+		return
+	}
+	if inputConn != nil {
 		sniffBuffer := buf.NewPacket()
 		var streamSniffers []sniff.StreamSniffer
 		if len(action.StreamSniffers) > 0 {
@@ -533,6 +526,7 @@ func (r *Router) actionSniff(
 			ctx,
 			metadata,
 			inputConn,
+			inputBuffers,
 			sniffBuffer,
 			action.Timeout,
 			streamSniffers...,
@@ -559,6 +553,10 @@ func (r *Router) actionSniff(
 			sniffBuffer.Release()
 		}
 	} else if inputPacketConn != nil {
+		if metadata.PacketSniffError != nil && !errors.Is(metadata.PacketSniffError, sniff.ErrClientHelloFragmented) {
+			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.PacketSniffError)
+			return
+		}
 		for {
 			var (
 				sniffBuffer = buf.NewPacket()
@@ -590,10 +588,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if (metadata.InboundType == C.TypeSOCKS || metadata.InboundType == C.TypeMixed) && !metadata.Destination.IsFqdn() && !metadata.Destination.Addr.IsGlobalUnicast() && !metadata.RouteOriginalDestination.IsValid() {
-					metadata.Destination = destination
-				}
-				if len(packetBuffers) > 0 {
+				if len(packetBuffers) > 0 || metadata.PacketSniffError != nil {
 					err = sniff.PeekPacket(
 						ctx,
 						metadata,
@@ -612,6 +607,7 @@ func (r *Router) actionSniff(
 							sniff.UTP,
 							sniff.UDPTracker,
 							sniff.DTLSRecord,
+							sniff.NTP,
 						}
 					}
 					err = sniff.PeekPacket(
@@ -626,7 +622,8 @@ func (r *Router) actionSniff(
 					Destination: destination,
 				}
 				packetBuffers = append(packetBuffers, packetBuffer)
-				if E.IsMulti(err, sniff.ErrClientHelloFragmented) {
+				metadata.PacketSniffError = err
+				if errors.Is(err, sniff.ErrClientHelloFragmented) {
 					r.logger.DebugContext(ctx, "attempt to sniff fragmented QUIC client hello")
 					continue
 				}

route/rule/rule_action.go

@@ -20,6 +20,8 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+
+	"github.com/miekg/dns"
 )
 
 func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action option.RuleAction) (adapter.RuleAction, error) {
@@ -126,6 +128,13 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 			NoDrop: action.RejectOptions.NoDrop,
 			logger: logger,
 		}
+	case C.RuleActionTypePredefined:
+		return &RuleActionPredefined{
+			Rcode:  action.PredefinedOptions.Rcode.Build(),
+			Answer: common.Map(action.PredefinedOptions.Answer, option.DNSRecordOptions.Build),
+			Ns:     common.Map(action.PredefinedOptions.Ns, option.DNSRecordOptions.Build),
+			Extra:  common.Map(action.PredefinedOptions.Extra, option.DNSRecordOptions.Build),
+		}
 	default:
 		panic(F.ToString("unknown rule action: ", action.Action))
 	}
@@ -359,6 +368,8 @@ func (r *RuleActionSniff) build() error {
 			r.StreamSniffers = append(r.StreamSniffers, sniff.SSH)
 		case C.ProtocolRDP:
 			r.StreamSniffers = append(r.StreamSniffers, sniff.RDP)
+		case C.ProtocolNTP:
+			r.PacketSniffers = append(r.PacketSniffers, sniff.NTP)
 		default:
 			return E.New("unknown sniffer: ", name)
 		}
@@ -413,3 +424,23 @@ func (r *RuleActionResolve) String() string {
 		return F.ToString("resolve(", strings.Join(options, ","), ")")
 	}
 }
+
+type RuleActionPredefined struct {
+	Rcode  int
+	Answer []dns.RR
+	Ns     []dns.RR
+	Extra  []dns.RR
+}
+
+func (r *RuleActionPredefined) Type() string {
+	return C.RuleActionTypePredefined
+}
+
+func (r *RuleActionPredefined) String() string {
+	var options []string
+	options = append(options, dns.RcodeToString[r.Rcode])
+	options = append(options, common.Map(r.Answer, dns.RR.String)...)
+	options = append(options, common.Map(r.Ns, dns.RR.String)...)
+	options = append(options, common.Map(r.Extra, dns.RR.String)...)
+	return F.ToString("predefined(", strings.Join(options, ","), ")")
+}

test/go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/docker/go-connections v0.5.0
 	github.com/gofrs/uuid/v5 v5.3.1
 	github.com/sagernet/quic-go v0.49.0-beta.1
-	github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff
+	github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109
 	github.com/sagernet/sing-quic v0.4.1-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
@@ -30,7 +30,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/anytls/sing-anytls v0.0.2 // indirect
+	github.com/anytls/sing-anytls v0.0.6 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/caddyserver/certmagic v0.21.7 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
@@ -46,11 +46,11 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/go-chi/chi/v5 v5.2.1 // indirect
 	github.com/go-chi/render v1.0.3 // indirect
-	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -65,13 +65,12 @@ require (
 	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
 	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/csrf v1.7.2 // indirect
+	github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/illarion/gonotify/v2 v2.0.3 // indirect
 	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 // indirect
-	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
@@ -81,7 +80,7 @@ require (
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/sdnotify v1.0.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/metacubex/tfo-go v0.0.0-20241231083714-66613d49c422 // indirect
@@ -109,11 +108,11 @@ require (
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
 	github.com/sagernet/sing-mux v0.3.1 // indirect
-	github.com/sagernet/sing-shadowtls v0.2.0 // indirect
+	github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056 // indirect
 	github.com/sagernet/sing-tun v0.6.1 // indirect
 	github.com/sagernet/sing-vmess v0.2.0 // indirect
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 // indirect
-	github.com/sagernet/tailscale v1.79.0-mod.1 // indirect
+	github.com/sagernet/tailscale v1.80.3-mod.0 // indirect
 	github.com/sagernet/utls v1.6.7 // indirect
 	github.com/sagernet/wireguard-go v0.0.1-beta.5 // indirect
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 // indirect
@@ -123,10 +122,9 @@ require (
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
-	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
-	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tcnksm/go-httpstat v0.2.0 // indirect
-	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
+	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
@@ -138,17 +136,17 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
-	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/crypto v0.33.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
 	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/term v0.29.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect

test/go.sum

@@ -12,8 +12,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/anytls/sing-anytls v0.0.2 h1:25azSh0o/LMcIkhS4ZutgRTIGwh8O3wuOhsThVM9K9o=
-github.com/anytls/sing-anytls v0.0.2/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
+github.com/anytls/sing-anytls v0.0.6 h1:UatIjl/OvzWQGXQ1I2bAIkabL9WtihW0fA7G+DXGBUg=
+github.com/anytls/sing-anytls v0.0.6/go.mod h1:7rjN6IukwysmdusYsrV51Fgu1uW6vsrdd6ctjnEAln8=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/caddyserver/certmagic v0.21.7 h1:66KJioPFJwttL43KYSWk7ErSmE6LfaJgCQuhm8Sg6fg=
@@ -53,8 +53,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
@@ -63,8 +63,8 @@ github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -100,8 +100,8 @@ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQN
 github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
@@ -114,9 +114,6 @@ github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vy
 github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 h1:q3OEI9RaN/wwcx+qgGo6ZaoJkCiDYe/gjDLfq7lQQF4=
 github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
 github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -142,8 +139,8 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
@@ -172,7 +169,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -205,8 +201,8 @@ github.com/sagernet/quic-go v0.49.0-beta.1/go.mod h1:uesWD1Ihrldq1M3XtjuEvIUqi8W
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff h1:5UGghwx8cI14qFa0ienrLekAYfhdKAiWvJUkY7rHmsI=
-github.com/sagernet/sing v0.6.2-0.20250210072154-8dff604468ff/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109 h1:clwEzQu0oiapGllEDtbGQjcmQaIAt8DH3EeOHAWyiKs=
+github.com/sagernet/sing v0.6.4-0.20250316065121-38f666955109/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=
 github.com/sagernet/sing-mux v0.3.1/go.mod h1:Mkdz8LnDstthz0HWuA/5foncnDIdcNN5KZ6AdJX+x78=
 github.com/sagernet/sing-quic v0.4.1-beta.1 h1:V2VfMckT3EQR3ZdfSzJgZZDsvfZZH42QAZpnOnHKa0s=
@@ -215,16 +211,16 @@ github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegE
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
-github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
-github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
+github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056 h1:GFNJQAHhSXqAfxAw1wDG/QWbdpGH5Na3k8qUynqWnEA=
+github.com/sagernet/sing-shadowtls v0.2.1-0.20250316154757-6f9e732e5056/go.mod h1:HyacBPIFiKihJQR8LQp56FM4hBtd/7MZXnRxxQIOPsc=
 github.com/sagernet/sing-tun v0.6.1 h1:4l0+gnEKcGjlWfUVTD+W0BRApqIny/lU2ZliurE+VMo=
 github.com/sagernet/sing-tun v0.6.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
 github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tailscale v1.79.0-mod.1 h1:wIuAH7VqBYJNk0h2+bTyk4F0OlSqHvyLDCBrD3i+XNI=
-github.com/sagernet/tailscale v1.79.0-mod.1/go.mod h1:RKY5WjYLj3JJ7VO/8ZCw8eAFa4+kWU6A1Ftdk84uB14=
+github.com/sagernet/tailscale v1.80.3-mod.0 h1:oHIdivbR/yxoiA9d3a2rRlhYn2shY9XVF35Rr8jW508=
+github.com/sagernet/tailscale v1.80.3-mod.0/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
 github.com/sagernet/utls v1.6.7/go.mod h1:Uua1TKO/FFuAhLr9rkaVnnrTmmiItzDjv1BUb2+ERwM=
 github.com/sagernet/wireguard-go v0.0.1-beta.5 h1:aBEsxJUMEONwOZqKPIkuAcv4zJV5p6XlzEN04CF0FXc=
@@ -251,16 +247,14 @@ github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29X
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
-github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
-github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -300,8 +294,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -310,10 +304,10 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.23.0 h1:HseQ7c2OpPKTPVzNjG5fwJsOTCiiwS4QdsYi5XU6H68=
+golang.org/x/image v0.23.0/go.mod h1:wJJBTdLfCCf3tiHa1fNxpZmUI4mmoZvwMCPP0ddoNKY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
@@ -339,10 +333,8 @@ golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
@@ -355,14 +347,14 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
+golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

test/shadowtls_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"net/http"
 	"net/netip"
@@ -157,7 +158,7 @@ func TestShadowTLSFallback(t *testing.T) {
 					},
 					Handshake: option.ShadowTLSHandshakeOptions{
 						ServerOptions: option.ServerOptions{
-							Server:     "google.com",
+							Server:     "bing.com",
 							ServerPort: 443,
 						},
 					},
@@ -177,13 +178,125 @@ func TestShadowTLSFallback(t *testing.T) {
 			},
 		},
 	}
-	response, err := client.Get("https://google.com")
+	response, err := client.Get("https://bing.com")
 	require.NoError(t, err)
 	require.Equal(t, response.StatusCode, 200)
 	response.Body.Close()
 	client.CloseIdleConnections()
 }
 
+func TestShadowTLSFallbackWildcardAll(t *testing.T) {
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeShadowTLS,
+				Options: &option.ShadowTLSInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
+						ListenPort: serverPort,
+					},
+					Version: 3,
+					Users: []option.ShadowTLSUser{
+						{Password: "hello"},
+					},
+					WildcardSNI: option.ShadowTLSWildcardSNIAll,
+				},
+			},
+		},
+	})
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				var d net.Dialer
+				return d.DialContext(ctx, network, "127.0.0.1:"+F.ToString(serverPort))
+			},
+		},
+	}
+	response, err := client.Get("https://www.bing.com")
+	require.NoError(t, err)
+	require.Equal(t, response.StatusCode, 200)
+	response.Body.Close()
+	client.CloseIdleConnections()
+}
+
+func TestShadowTLSFallbackWildcardAuthedFail(t *testing.T) {
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeShadowTLS,
+				Options: &option.ShadowTLSInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
+						ListenPort: serverPort,
+					},
+					Handshake: option.ShadowTLSHandshakeOptions{
+						ServerOptions: option.ServerOptions{
+							Server:     "bing.com",
+							ServerPort: 443,
+						},
+					},
+					Version: 3,
+					Users: []option.ShadowTLSUser{
+						{Password: "hello"},
+					},
+					WildcardSNI: option.ShadowTLSWildcardSNIAuthed,
+				},
+			},
+		},
+	})
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				var d net.Dialer
+				return d.DialContext(ctx, network, "127.0.0.1:"+F.ToString(serverPort))
+			},
+		},
+	}
+	_, err := client.Get("https://baidu.com")
+	expected := &tls.CertificateVerificationError{}
+	require.ErrorAs(t, err, &expected)
+	client.CloseIdleConnections()
+}
+
+func TestShadowTLSFallbackWildcardOffFail(t *testing.T) {
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeShadowTLS,
+				Options: &option.ShadowTLSInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     common.Ptr(badoption.Addr(netip.IPv4Unspecified())),
+						ListenPort: serverPort,
+					},
+					Handshake: option.ShadowTLSHandshakeOptions{
+						ServerOptions: option.ServerOptions{
+							Server:     "bing.com",
+							ServerPort: 443,
+						},
+					},
+					Version: 3,
+					Users: []option.ShadowTLSUser{
+						{Password: "hello"},
+					},
+					WildcardSNI: option.ShadowTLSWildcardSNIOff,
+				},
+			},
+		},
+	})
+	client := &http.Client{
+		Transport: &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				var d net.Dialer
+				return d.DialContext(ctx, network, "127.0.0.1:"+F.ToString(serverPort))
+			},
+		},
+	}
+	_, err := client.Get("https://baidu.com")
+	expected := &tls.CertificateVerificationError{}
+	require.ErrorAs(t, err, &expected)
+	client.CloseIdleConnections()
+}
+
 func TestShadowTLSInbound(t *testing.T) {
 	method := shadowaead_2022.List[0]
 	password := mkBase64(t, 16)

transport/v2raygrpclite/conn.go

@@ -21,6 +21,7 @@ import (
 var _ net.Conn = (*GunConn)(nil)
 
 type GunConn struct {
+	rawReader     io.Reader
 	reader        *std_bufio.Reader
 	writer        io.Writer
 	flusher       http.Flusher
@@ -31,9 +32,10 @@ type GunConn struct {
 
 func newGunConn(reader io.Reader, writer io.Writer, flusher http.Flusher) *GunConn {
 	return &GunConn{
-		reader:  std_bufio.NewReader(reader),
-		writer:  writer,
-		flusher: flusher,
+		rawReader: reader,
+		reader:    std_bufio.NewReader(reader),
+		writer:    writer,
+		flusher:   flusher,
 	}
 }
 
@@ -46,6 +48,7 @@ func newLateGunConn(writer io.Writer) *GunConn {
 
 func (c *GunConn) setup(reader io.Reader, err error) {
 	if reader != nil {
+		c.rawReader = reader
 		c.reader = std_bufio.NewReader(reader)
 	}
 	c.err = err
@@ -138,7 +141,7 @@ func (c *GunConn) FrontHeadroom() int {
 }
 
 func (c *GunConn) Close() error {
-	return common.Close(c.reader, c.writer)
+	return common.Close(c.rawReader, c.writer)
 }
 
 func (c *GunConn) LocalAddr() net.Addr {

transport/v2rayhttp/conn.go

@@ -2,6 +2,7 @@ package v2rayhttp
 
 import (
 	std_bufio "bufio"
+	"context"
 	"io"
 	"net"
 	"net/http"
@@ -10,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/baderror"
 	"github.com/sagernet/sing/common/buf"
@@ -255,3 +257,11 @@ func (w *HTTP2ConnWrapper) Close() error {
 func (w *HTTP2ConnWrapper) Upstream() any {
 	return w.ExtendedConn
 }
+
+func DupContext(ctx context.Context) context.Context {
+	id, loaded := log.IDFromContext(ctx)
+	if !loaded {
+		return context.Background()
+	}
+	return log.ContextWithID(context.Background(), id)
+}

transport/v2rayhttp/server.go

@@ -132,7 +132,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		if requestBody != nil {
 			conn = bufio.NewCachedConn(conn, requestBody)
 		}
-		s.handler.NewConnectionEx(request.Context(), conn, source, M.Socksaddr{}, nil)
+		s.handler.NewConnectionEx(DupContext(request.Context()), conn, source, M.Socksaddr{}, nil)
 	} else {
 		writer.WriteHeader(http.StatusOK)
 		done := make(chan struct{})

transport/v2rayhttpupgrade/server.go

@@ -12,6 +12,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/v2rayhttp"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
@@ -37,6 +38,7 @@ type Server struct {
 func NewServer(ctx context.Context, logger logger.ContextLogger, options option.V2RayHTTPUpgradeOptions, tlsConfig tls.ServerConfig, handler adapter.V2RayServerTransportHandler) (*Server, error) {
 	server := &Server{
 		ctx:       ctx,
+		logger:    logger,
 		tlsConfig: tlsConfig,
 		handler:   handler,
 		host:      options.Host,
@@ -110,7 +112,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		s.invalidRequest(writer, request, http.StatusInternalServerError, E.Cause(err, "hijack failed"))
 		return
 	}
-	s.handler.NewConnectionEx(request.Context(), conn, sHttp.SourceAddress(request), M.Socksaddr{}, nil)
+	s.handler.NewConnectionEx(v2rayhttp.DupContext(request.Context()), conn, sHttp.SourceAddress(request), M.Socksaddr{}, nil)
 }
 
 func (s *Server) invalidRequest(writer http.ResponseWriter, request *http.Request, statusCode int, err error) {

transport/v2raywebsocket/server.go

@@ -13,6 +13,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/v2rayhttp"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
@@ -114,7 +115,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	if len(earlyData) > 0 {
 		conn = bufio.NewCachedConn(conn, buf.As(earlyData))
 	}
-	s.handler.NewConnectionEx(request.Context(), conn, source, M.Socksaddr{}, nil)
+	s.handler.NewConnectionEx(v2rayhttp.DupContext(request.Context()), conn, source, M.Socksaddr{}, nil)
 }
 
 func (s *Server) invalidRequest(writer http.ResponseWriter, request *http.Request, statusCode int, err error) {