
Fix dns leakage by properly passing config of dns-hijack to TUN #151

Merged
likuai2010 merged 1 commit into xiaobaigroup:master from tljk:fix-dns-hijack-not-applied-to-tun
Jul 5, 2026

Conversation

@tljk tljk commented Jul 5, 2026


Summary

The TUN listener was always hijacking DNS to the internal DNS server on port 53, ignoring any dns-hijack list the user set in their tun: config. This PR threads the configured DNSHijack value through to the TUN Start call and only falls back to the hardcoded default when the user hasn't specified one.

Problem

In proxy_core/src/flclash/tun/tun.go, Start unconditionally built the hijack list from the internal DNS address:

var dnsHijack []string
dnsHijack = append(dnsHijack, net.JoinHostPort(state.GetDnsServerAddress(), "53"))

Because Start never received the config value, anything a user put under tun.dns-hijack (e.g. any:53, tcp://any:53, any:853) was silently discarded. Only UDP:53 to the internal resolver was ever hijacked, so TCP DNS and non-standard DNS ports fell through unintercepted — a common DNS-leak vector.

Fix

  • tun.Start now accepts a dnsHijack []string parameter.

  • The hardcoded default is applied only as a fallback when the passed list is empty:

    if len(dnsHijack) == 0 {
        dnsHijack = append(dnsHijack, net.JoinHostPort(state.GetDnsServerAddress(), "53"))
    }

  • StartTUN in lib_linux.go now passes currentConfig.General.Tun.DNSHijack into Start, so the parsed config value reaches the listener.

This preserves existing behavior for anyone who didn't set dns-hijack (they still get the internal-resolver default) while honoring the config for everyone who did.

Files changed

  • proxy_core/src/flclash/lib_linux.go — pass Tun.DNSHijack into Start; also tidies the import block (moves net into the stdlib group and metacubex/mihomo/component/iface into the mihomo group).
  • proxy_core/src/flclash/tun/tun.go — add dnsHijack []string param; fallback-only default; plus gofmt cleanup on the prefix4/prefix6 blocks (tabs and brace style).

Testing

  • Rebuild the mihomo core.
  • With any:53 set (the default config), confirm no port-53 traffic is observed passing through the TUN interface — indicating the UDP DNS queries are being intercepted/hijacked rather than forwarded out.
  • With no dns-hijack set, confirm the default (internal resolver :53) still applies.

@likuai2010 likuai2010 merged commit 1fdc47e into xiaobaigroup:master Jul 5, 2026
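The fallback logic this PR introduces, and why the old behaviour leaked, as an added stand-alone example (not code from the PR or from the mihomo/xiaobaigroup code base). It assumes a dns-hijack entry without a scheme means UDP and that "any" matches every destination host; the internal resolver address 198.18.0.2 is a constructed sample value, not taken from the project.

```go
package main

import (
	"net"
	"strings"
)

// HijackRule is one parsed dns-hijack entry: network, host ("any" or an address), port.
type HijackRule struct{ Network, Host, Port string }

// EffectiveDNSHijack mirrors the PR's fallback: keep the configured list, or
// fall back to the internal resolver on UDP/53 when nothing was configured.
func EffectiveDNSHijack(configured []string, internalDNS string) []string {
	if len(configured) == 0 {
		return []string{net.JoinHostPort(internalDNS, "53")}
	}
	return configured
}

// ParseHijackList parses entries such as "any:53", "tcp://any:53", "any:853".
// Assumption (not stated in the PR): an entry without a scheme means UDP.
func ParseHijackList(entries []string) ([]HijackRule, error) {
	rules := make([]HijackRule, 0, len(entries))
	for _, e := range entries {
		network := "udp"
		if i := strings.Index(e, "://"); i >= 0 {
			network, e = strings.ToLower(e[:i]), e[i+3:]
		}
		host, port, err := net.SplitHostPort(e)
		if err != nil {
			return nil, err
		}
		rules = append(rules, HijackRule{network, host, port})
	}
	return rules, nil
}

// ShouldHijack reports whether a flow over network to dstHost:dstPort matches
// any rule, i.e. whether it would be redirected to the internal resolver
// instead of being forwarded out of the TUN unintercepted.
func ShouldHijack(rules []HijackRule, network, dstHost, dstPort string) bool {
	for _, r := range rules {
		if r.Network == network && r.Port == dstPort && (r.Host == "any" || r.Host == dstHost) {
			return true
		}
	}
	return false
}
```

With an empty configured list the only matching flow is UDP to the internal resolver on 53, which is exactly the pre-fix behaviour; once the configured entries reach the listener, TCP DNS and port 853 are intercepted as well.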