fix(network): reject non-stub DNS traffic #6

Merged
ZaneL1u merged 1 commit into main from codex/fix-public-dns-reject-428 on Jun 18, 2026

Conversation

ZaneL1u (Owner) commented Jun 18, 2026

Background

v4.2.7 fixed the container startup failure caused by sing-box not supporting a type: "dns" inbound, but in production the rollout continued to the network validation step and then failed at net.dns_leak: dig @8.8.8.8 was taken over by the unconditional hijack-dns rule and returned successfully.

Changes

  • Restrict hijack-dns to match only the local DNS stub inbound: inbound: "dns-direct"
  • Add a fallback DNS reject rule so that non-stub DNS traffic (for example dig @8.8.8.8) fails.
  • Add a regression test that locks in the rule order and scope.
  • Update the CHANGELOG.md v4.2.8 entry and the GSD quick record.

Verification

  • Red: go test ./internal/network -run TestBuildContainerSingBoxConfig_DNSHijackScopedToStubAndRejectsOtherDNS -count=1 fails before the fix.
  • Green: go test ./internal/network -run TestBuildContainerSingBoxConfig_DNSHijackScopedToStubAndRejectsOtherDNS -count=1
  • Green: go test ./internal/network -count=1
  • Green: go test ./internal/network ./internal/runtime/tasks ./internal/controlplane/http -count=1
  • Green: go test ./... -count=1
  • Remote hot verification: after temporarily applying equivalent routing rules, dig @8.8.8.8 example.com inside a managed container returns a non-zero exit code, while a normal getent ahostsv4 example.com works.
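An added illustration, not code from this PR or from sing-box: a first-match evaluator over constructed sing-box-style route rules that shows why an unconditional hijack-dns rule let dig @8.8.8.8 succeed, and how scoping it to the stub inbound plus a fallback reject closes that leak. The rule field names follow the sing-box route-rule schema as I know it; the inbound tag "tun-in" and the "route" default action are assumptions.

```python
# Constructed rule sets (not the project's real generated config).
# Before the fix: any DNS traffic, from any inbound, was hijacked,
# so a direct query to 8.8.8.8 was answered instead of failing.
RULES_BEFORE = [
    {"protocol": "dns", "action": "hijack-dns"},
]
# After the fix: hijack only the local stub inbound, then reject
# every other DNS flow. Order matters: first match wins.
RULES_AFTER = [
    {"inbound": "dns-direct", "action": "hijack-dns"},
    {"protocol": "dns", "action": "reject"},
]

def first_matching_action(rules, conn, default="route"):
    """Return the action of the first rule whose fields all match conn.

    Mirrors first-match semantics of a route rule list; 'default' stands
    in for whatever the final/default route would do (an assumption).
    """
    for rule in rules:
        wanted = {k: v for k, v in rule.items() if k != "action"}
        if all(conn.get(k) == v for k, v in wanted.items()):
            return rule["action"]
    return default

# Constructed sample connections as seen by the router.
STUB_LOOKUP = {"inbound": "dns-direct", "protocol": "dns"}  # getent via resolver stub
DIRECT_DIG = {"inbound": "tun-in", "protocol": "dns"}       # dig @8.8.8.8 from the container
WEB_TRAFFIC = {"inbound": "tun-in", "protocol": "tls"}      # unrelated, must be untouched

def dns_hijack_is_scoped(rules):
    """True when only stub DNS is hijacked, other DNS is rejected, non-DNS is routed."""
    return (first_matching_action(rules, STUB_LOOKUP) == "hijack-dns"
            and first_matching_action(rules, DIRECT_DIG) == "reject"
            and first_matching_action(rules, WEB_TRAFFIC) == "route")

if __name__ == "__main__":
    print("before:", first_matching_action(RULES_BEFORE, DIRECT_DIG))  # hijack-dns (leak)
    print("after: ", first_matching_action(RULES_AFTER, DIRECT_DIG))   # reject
```

Swapping the two rules in RULES_AFTER makes dns_hijack_is_scoped return False, which is the ordering the regression test in this PR is meant to lock in.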

@ZaneL1u ZaneL1u merged commit 8af6b36 into main Jun 18, 2026
9 checks passed
@ZaneL1u ZaneL1u deleted the codex/fix-public-dns-reject-428 branch June 18, 2026 07:41