Fix dns leakage by properly passing config of dns-hijack to TUN#151
Merged: likuai2010 merged 1 commit into Jul 5, 2026
Summary
The TUN listener was always hijacking DNS to the internal DNS server on port 53, ignoring any `dns-hijack` list the user set in their `tun:` config. This PR threads the configured `DNSHijack` value through to the TUN `Start` call and only falls back to the hardcoded default when the user hasn't specified one.

Problem

In `proxy_core/src/flclash/tun/tun.go`, `Start` unconditionally built the hijack list from the internal DNS address:

Because `Start` never received the config value, anything a user put under `tun.dns-hijack` (e.g. `any:53`, `tcp://any:53`, `any:853`) was silently discarded. Only UDP :53 to the internal resolver was ever hijacked, so TCP DNS and non-standard DNS ports fell through unintercepted — a common DNS-leak vector.

Fix

`tun.Start` now accepts a `dnsHijack []string` parameter. The hardcoded default is applied only as a fallback when the passed list is empty:

`StartTUN` in `lib_linux.go` now passes `currentConfig.General.Tun.DNSHijack` into `Start`, so the parsed config value reaches the listener. This preserves existing behavior for anyone who didn't set `dns-hijack` (they still get the internal-resolver default) while honoring the config for everyone who did.

Files changed

- `proxy_core/src/flclash/lib_linux.go` — pass `Tun.DNSHijack` into `Start`; also tidies the import block (moves `net` into the stdlib group and `metacubex/mihomo/component/iface` into the mihomo group).
- `proxy_core/src/flclash/tun/tun.go` — add `dnsHijack []string` param; fallback-only default; plus gofmt cleanup on the `prefix4`/`prefix6` blocks (tabs and brace style).

Testing

`any:53` set (the default config), confirm no port-53 traffic is observed passing through the TUN interface — indicating the UDP DNS queries are being intercepted/hijacked rather than forwarded out.
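An added Go example, not code from this PR or the flclash/mihomo code base, that models the fallback rule described above and then checks which DNS flows a given hijack list would actually intercept, so the leak (TCP :53, DoT :853 uncovered by the old default) can be shown side by side with the honoured config. The entry grammar (`udp://`/`tcp://` prefix, `any` host), the internal resolver address and all function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
	"strings"
)

// resolveHijackList applies the PR's fallback rule: honour the configured
// dns-hijack list; only when it is empty use UDP 53 on the internal resolver.
func resolveHijackList(configured []string, internalDNS string) []string {
	if len(configured) == 0 {
		return []string{"udp://" + internalDNS + ":53"}
	}
	return configured
}

// matchRule parses one "[udp://|tcp://]host:port" entry (host may be "any";
// no scheme covers both protocols) and reports whether the flow matches it.
func matchRule(rule, network string, dst netip.AddrPort) (bool, error) {
	scheme, rest, ok := strings.Cut(rule, "://")
	if !ok {
		scheme, rest = "", rule
	} else if scheme != "udp" && scheme != "tcp" {
		return false, fmt.Errorf("dns-hijack %q: unsupported scheme", rule)
	}
	host, portStr, err := net.SplitHostPort(rest)
	port, perr := strconv.ParseUint(portStr, 10, 16)
	if err != nil || perr != nil {
		return false, fmt.Errorf("dns-hijack %q: expected host:port", rule)
	}
	ip, err := netip.ParseAddr(host)
	if host != "any" && err != nil {
		return false, fmt.Errorf("dns-hijack %q: host must be an IP or \"any\"", rule)
	}
	return (scheme == "" || scheme == network) && uint16(port) == dst.Port() &&
		(host == "any" || ip.Unmap() == dst.Addr().Unmap()), nil
}

// hijacked is true when some rule intercepts the flow; an uncovered flow leaks.
func hijacked(rules []string, network string, dst netip.AddrPort) (bool, error) {
	for _, r := range rules {
		if ok, err := matchRule(r, network, dst); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}
```

Malformed entries are reported as errors rather than silently matching nothing, since a silently ignored rule is the same failure mode this PR fixes.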