When using fakeip on version 1.11.0 and 1.11.1 a loop occurs. #2545

Open
2 of 5 tasks
Dr4tez opened this issue Feb 5, 2025 · 6 comments
Labels
bug Something isn't working

Comments


Dr4tez commented Feb 5, 2025

Operating system

Linux

System version

AsusWRT-Merlin 3004.388.8_4

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

/opt/root/sing-box/sing-box version
sing-box version 1.11.1

Environment: go1.23.5 linux/arm64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 92d245ad040cbda2f84b21c2a847a470e532c179
CGO: disabled

Description

When using fakeip on version 1.11.0 and 1.11.1 a loop occurs. This happens if some domains are resolved via fakeip and all others via dns-direct. As a result, the number of active connections exceeds 1000.
On versions 1.10.* the loop does not occur.

Reproduction

Tested with the following configuration file.

{
  "log": {
    "level": "debug",
    "output": "/opt/root/sing-box/box.log",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "dns-direct",
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-resolver"
      },
      {
        "tag": "dns-resolver",
        "address": "8.8.8.8"
      },
      {
        "tag": "dns-fakeip",
        "address": "fakeip"
      }
    ],
    "rules": [
      {
        "query_type": "A",
        "rule_set": "rule-set",
        "server": "dns-fakeip"
      }
    ],
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15"
    },
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tunin",
      "interface_name": "sbtun",
      "mtu": 1500,
      "address": "172.19.0.1/28"
    },
    {
      "type": "direct",
      "tag": "dns4tunin",
      "listen": "0.0.0.0",
      "listen_port": 55553,
      "override_port": 53
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "vless",
      "tag": "Proxy",
      "server": "my_domain",
      "server_port": 443,
      "uuid": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "XXXXXX",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
          "short_id": "XXXXX"
        }
      }
    }
  ],
  "route": {
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "inbound": "dns4tunin",
        "action": "hijack-dns"
      },
      {
        "rule_set": "rule-set",
        "outbound": "Proxy"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "rule-set",
        "format": "binary",
        "url": "https://github.com/Dr4tez/my_domains/raw/main/my_domains.srs"
      }
    ]
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "/opt/root/sing-box/cache.db"
    },
    "clash_api": {
      "external_controller": "0.0.0.0:9090",
      "external_ui": "/opt/root/sing-box/ui",
      "secret": "2097"
    }
  }
}

The routes and rules in the system for sing-box to work are created using my script. It has about 1500 lines, so I will not provide it here; here is a link to it: https://github.com/Dr4tez/sing-box4asus/blob/main/sbs
If I add the rule

{
  "ip_cidr": "198.18.0.0/15",
  "action": "reject"
}

to the configuration file, then the loop will not be formed.

Logs

+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [3798384768 0ms] inbound/tun[tunin]: inbound packet connection from 172.19.0.1:51053
+0300 2025-02-05 16:35:48 INFO [3798384768 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 DEBUG [3798384768 0ms] router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 DEBUG [3798384768 0ms] router: match[0] => sniff
+0300 2025-02-05 16:35:48 DEBUG [3798384768 0ms] router: sniffed packet protocol: quic, client: chromium
+0300 2025-02-05 16:35:48 INFO [3798384768 0ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [3807009148 0ms] inbound/tun[tunin]: inbound packet connection from 172.19.0.1:53685
+0300 2025-02-05 16:35:48 INFO [3807009148 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 DEBUG [3807009148 0ms] router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 DEBUG [3807009148 0ms] router: match[0] => sniff
+0300 2025-02-05 16:35:48 DEBUG [3807009148 0ms] router: sniffed packet protocol: quic, client: chromium
+0300 2025-02-05 16:35:48 INFO [3807009148 0ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [2543939737 0ms] inbound/tun[tunin]: inbound packet connection from 172.19.0.1:52867
+0300 2025-02-05 16:35:48 INFO [2543939737 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 DEBUG [2543939737 0ms] router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 DEBUG [2543939737 0ms] router: match[0] => sniff
+0300 2025-02-05 16:35:48 DEBUG [2543939737 4ms] router: sniffed packet protocol: quic, client: chromium
+0300 2025-02-05 16:35:48 INFO [2543939737 4ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [2265786462 0ms] inbound/tun[tunin]: inbound packet connection from 172.19.0.1:56158
+0300 2025-02-05 16:35:48 INFO [2265786462 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 DEBUG [2265786462 0ms] router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 DEBUG [2265786462 0ms] router: match[0] => sniff
+0300 2025-02-05 16:35:48 DEBUG [2265786462 0ms] router: sniffed packet protocol: quic, client: chromium
+0300 2025-02-05 16:35:48 INFO [2265786462 0ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [1573951028 0ms] inbound/tun[tunin]: inbound packet connection from 172.19.0.1:55231
+0300 2025-02-05 16:35:48 INFO [1573951028 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
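
A log check for the pattern in the excerpt above, as an added example that is not part of the original issue or of the sing-box project: it flags connections whose destination lies inside the fakeip range from the posted config but which are handed to a direct outbound, and counts them per second. The sample log is constructed (shortened connection IDs, invented vless and 8.8.8.8 lines), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# inet4_range from the configuration posted in the issue.
FAKEIP_RANGE = ipaddress.ip_network("198.18.0.0/15")

# Constructed sample in the format of the excerpt above; connection IDs are shortened
# and the vless and 8.8.8.8 lines are invented for contrast.
SAMPLE_LOG = """\
+0300 2025-02-05 16:35:48 DEBUG router: found fakeip domain: safebrowsing.googleapis.com
+0300 2025-02-05 16:35:48 INFO [1001 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 DEBUG [1001 0ms] router: match[0] => sniff
+0300 2025-02-05 16:35:48 INFO [1001 0ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:48 INFO [1002 0ms] inbound/tun[tunin]: inbound packet connection to 198.18.0.6:443
+0300 2025-02-05 16:35:48 INFO [1002 4ms] outbound/direct[direct]: outbound packet connection
+0300 2025-02-05 16:35:49 INFO [1003 0ms] inbound/tun[tunin]: inbound connection to 198.18.0.7:443
+0300 2025-02-05 16:35:49 INFO [1003 1ms] outbound/vless[Proxy]: outbound connection to 198.18.0.7:443
+0300 2025-02-05 16:35:49 INFO [1004 0ms] inbound/tun[tunin]: inbound packet connection to 8.8.8.8:53
+0300 2025-02-05 16:35:49 INFO [1004 0ms] outbound/direct[direct]: outbound packet connection
"""

LINE = re.compile(r"^\S+ (?P<ts>\S+ \S+) \w+ \[(?P<id>\d+) \d+ms\] (?P<src>[^:]+): (?P<msg>.*)$")
DEST = re.compile(r"inbound (?:packet )?connection to (?P<ip>\d+(?:\.\d+){3}):\d+$")

def find_fakeip_direct(log_text, fakeip=FAKEIP_RANGE):
    """Return (timestamp, connection id, destination) for each connection that
    targets a fakeip address but is handed to a direct outbound."""
    dest_by_id = {}
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a connection id carry no routing decision
        d = DEST.match(m["msg"])
        if d:
            dest_by_id[m["id"]] = ipaddress.ip_address(d["ip"])
        elif m["src"].startswith("outbound/direct["):
            ip = dest_by_id.pop(m["id"], None)
            if ip is not None and ip in fakeip:
                hits.append((m["ts"], m["id"], str(ip)))
    return hits

def hits_per_second(hits):
    """Count flagged connections per timestamp to make a burst visible."""
    return Counter(ts for ts, _, _ in hits)
```
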
@nekohasekai nekohasekai added the bug Something isn't working label Feb 6, 2025
@nekohasekai
Member

Try a2d40eb

@Dr4tez
Author

Dr4tez commented Feb 6, 2025

> Try a2d40eb

Thank you very much for your quick help. But unfortunately I don't know what to do with the patch you provided. I don't know how to build packages from sources.

P.S. I learned how to do it). I compiled 1.11.1 with the patch you suggested and it works and the loop does not occur!
