fix: use direct detour for dns_remote to unblock sing-box startup #415
myleshorton wants to merge 1 commit into main from
dns_remote previously used detour "auto" (the URL-test proxy group). At sing-box startup, that group has no known network interface yet, so any DNS lookup routed through dns_remote — including the synchronous rule-set fetch triggered by smart routing — fails with "no available network interface", preventing the VPN from starting.

Switch to detour "direct" so dns_remote can resolve hostnames before the proxy group is ready.

This is safe because:
- A/AAAA queries for user traffic are intercepted by the dns_fakeip rule; actual resolution happens on the proxy side via TUN routing.
- dns_remote is only used for non-A/AAAA queries and rule-set/ad-block downloads, neither of which needs to be proxied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR changes the sing-box DNS server configuration so dns_remote uses a direct detour during startup, preventing early DNS lookups (e.g., rule-set fetching) from failing before the URL-test proxy group has an available network interface.
Changes:
- Switch dns_remote dialer detour from "auto" to "direct".
- Expand inline comments explaining the startup dependency and rationale.
| // queries for user traffic are routed through dns_fakeip anyway, so | ||
| // dns_remote is only used for non-A/AAAA lookups and rule-set downloads — | ||
| // neither of which requires proxying. |
The added comment says dns_remote is only used for non-A/AAAA lookups and rule-set downloads, but with the current DNS rules (only A/AAAA -> dns_fakeip) and DNS.Final set to dns_local, non-A/AAAA queries appear to fall back to dns_local rather than dns_remote. Please either adjust this comment to match the actual server selection, or add a DNS rule / change Final if dns_remote is intended to handle those queries.
| // queries for user traffic are routed through dns_fakeip anyway, so | |
| // dns_remote is only used for non-A/AAAA lookups and rule-set downloads — | |
| // neither of which requires proxying. | |
| // queries for user traffic are routed through dns_fakeip; other query | |
| // types are selected by the configured DNS rules/final server rather than | |
| // by this server definition alone, so dns_remote is kept as a direct | |
| // remote resolver without assuming it handles all non-A/AAAA lookups. |
| }, | ||
| LocalDNSServerOptions: option.LocalDNSServerOptions{ | ||
| DialerOptions: option.DialerOptions{ | ||
| Detour: "auto", | ||
| Detour: "direct", | ||
| }, |
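Review bot: `Detour: "direct"` sends every query that reaches this server outside the proxy, and nothing in this hunk limits which queries those are. The safety argument depends on the DNS rules and final server defined elsewhere, so state that dependency in a comment beside this line. Also consider referencing shared constants for the "direct" and "auto" outbound tags instead of string literals, so a rename or a one-word revert cannot silently change the dial path.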
This config change is safety-critical for startup; please add/extend a unit test that asserts the generated DNS options set the dns_remote detour to direct (to prevent regressions back to auto).
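Both review points above (which server a non-A/AAAA query actually selects, and a regression check that dns_remote keeps detour "direct") can be checked against the rendered sing-box JSON. The following is an added example, not code from this PR or the project: the `audit` helper and the sample config are hypothetical, and it assumes `query_type` is written as a list of type names and that no other rule matchers are in play.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the sing-box DNS config that this check reads.
type config struct {
	DNS struct {
		Servers []struct{ Tag, Detour string } `json:"servers"`
		Rules   []struct {
			QueryType []string `json:"query_type"`
			Server    string   `json:"server"`
		} `json:"rules"`
		Final string `json:"final"`
	} `json:"dns"`
}

// Constructed sample that mirrors the rules described in the review thread.
const sample = `{"dns":{"final":"dns_local","servers":[{"tag":"dns_local"},
 {"tag":"dns_fakeip"},{"tag":"dns_remote","detour":"direct"}],
 "rules":[{"query_type":["A","AAAA"],"server":"dns_fakeip"}]}}`

// audit (hypothetical helper) returns the detour of server tag and the server a
// qtype query selects: the first rule listing qtype, otherwise dns.final.
func audit(raw, tag, qtype string) (detour, selected string, err error) {
	var c config
	if err = json.Unmarshal([]byte(raw), &c); err != nil {
		return "", "", err
	}
	err = fmt.Errorf("dns server %q is not defined", tag)
	for _, s := range c.DNS.Servers {
		if s.Tag == tag {
			detour, err = s.Detour, nil
		}
	}
	for _, r := range c.DNS.Rules {
		for _, q := range r.QueryType {
			if q == qtype {
				return detour, r.Server, err
			}
		}
	}
	return detour, c.DNS.Final, err
}

func main() {
	fmt.Println(audit(sample, "dns_remote", "MX"))
}
```

With the sample rules, an MX query selects dns_local through `final`, which is the mismatch the first review comment describes.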
Closing this, as we implemented a fix on the server side.
Summary
- dns_remote previously used detour: "auto" (the URL-test proxy group)
- dns_remote (including the synchronous initial rule-set fetch for smart routing) fails with "no available network interface", preventing the VPN from starting and snapping the toggle back to Off
- detour: "direct" so dns_remote resolves hostnames before the proxy group is ready

Why this is safe
- dns_fakeip rule; actual DNS resolution happens server-side via TUN routing — dns_remote is not involved
- dns_remote is only used for: (1) non-A/AAAA queries (PTR, MX, etc.), and (2) rule-set/ad-block downloads — neither of which needs to be routed through a proxy

Test plan
- dns_remote successfully resolves hostnames during sing-box startup (no "no available network interface" errors in logs)

Fixes the client-side root cause identified in Freshdesk ticket #172573 (v9.0.24 beta, Bulgaria).
See also: getlantern/lantern-cloud#2564 (server-side mitigation disabling smart routing until this ships)
🤖 Generated with Claude Code