sing-box 运行时 DNS 请求被直接发往 tun 的 ip 导致网络访问全都失败, 怎么解决？

站内找到一个极有可能遇到同样问题的朋友 /t/1184470

最好贴下配置

{
"log": {
"disabled": false,
"level": "info",
"timestamp": true
},
"dns": {
"rules": [
{
"rule_set": ["geosite-cn"],
"server": "ali"
}
],
"servers": [
{
"type": "https",
"tag": "ali",
"domain_resolver": {
"server": "local",
"strategy": "ipv4_only",
"client_subnet": "59.70.63.44"
},
"server": "dns.alidns.com",
"server_port": 443
},
{
"type": "dhcp",
"tag": "local"
},
{
"type": "https",
"tag": "cfg-google-dns",
"detour": "ss",
"domain_resolver": {
"server": "local",
"strategy": "ipv4_only",
"client_subnet": "59.70.63.44"
},
"server": "dns.google",
"server_port": 443
}
],
"final": "cfg-google-dns",
"strategy": "ipv4_only",
"client_subnet": "59.70.63.44"
},
"inbounds": [
{
"type": "tun",
"tag": "tun-in",
"mtu": 9000,
"address": ["172.18.0.1/30"],
"route_address": ["0.0.0.0/1", "128.0.0.0/1", "::/1", "8000::/1"],
"route_exclude_address": [
"192.168.0.0/16",
"10.0.0.0/8",
"172.16.0.0/12",
"fc00::/7"
],
"auto_route": true,
"strict_route": false
},
{
"type": "mixed",
"tag": "mixed-in",
"listen": "127.0.0.1",
"listen_port": 7890
}
],
"outbounds": [
{
"type": "shadowsocks",
"tag": "ss",
"server": "<server_ip>",
"server_port": 49628,
"method": "2022-blake3-aes-128-gcm",
"password": "<password>",
"multiplex": {
"enabled": false
}
},
{
"type": "direct",
"tag": "direct"
}
],
"route": {
"auto_detect_interface": true,
"default_domain_resolver": {
"server": "local",
"strategy": "ipv4_only",
"client_subnet": "59.70.63.44"
},
"rules": [
{
"ip_is_private": true,
"outbound": "direct"
},
{
"action": "sniff"
},
{
"protocol": "dns",
"action": "hijack-dns"
},
{
"protocol": [
"bittorrent",
"quic"
],
"action": "reject",
"method": "default"
},
{
"clash_mode": "Direct",
"outbound": "direct"
},
{
"clash_mode": "Proxy",
"outbound": "ss"
},
{
"rule_set": [
"geosite-openai",
"geosite-anthropic"
],
"outbound": "ss"
},
{
"rule_set": ["geosite-category-ads-all"],
"action": "reject"
},
{
"rule_set": ["geosite-cn"],
"outbound": "direct"
},
{
"rule_set": ["geoip-cn"],
"outbound": "direct"
}
],
"rule_set": [
{
"tag": "geosite-openai",
"type": "remote",
"format": "binary",
"url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-openai.srs",
"download_detour": "direct"
},
{
"tag": "geosite-anthropic",
"type": "remote",
"format": "binary",
"url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-anthropic.srs",
"download_detour": "direct"
},
{
"tag": "geosite-cn",
"type": "remote",
"format": "binary",
"url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-cn.srs",
"download_detour": "direct"
},
{
"tag": "geoip-cn",
"type": "remote",
"format": "binary",
"url": "https://github.com/SagerNet/sing-geoip/raw/rule-set/geoip-cn.srs",
"download_detour": "direct"
},
{
"tag": "geosite-category-ads-all",
"type": "remote",
"format": "binary",
"url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-category-ads-all.srs",
"download_detour": "direct"
}
],
"final": "ss"
},
"experimental": {
"cache_file": {
"enabled": true
},
"clash_api": {
"external_controller": "127.0.0.1:9090",
"access_control_allow_origin": [
"http://127.0.0.1",
"http://yacd.haishan.me"
],
"access_control_allow_private_network": true
}
}
}

@poxiaogg 补上了 网上抄了一部分，自己写了一部分

inbounds 加上这个试试

```json
{
"tag": "dns-in",
"type": "direct",
"listen": "0.0.0.0",
"listen_port": 53
}
```

@poxiaogg 大佬太牛逼了，加上就一切正常了，救我于水火了，感谢感谢

@poxiaogg 对了大佬，还有一个小问题，其实不影响使用，但是强迫症很不爽，就是在服务端配置开启 ss 的 multiplex ，之后，如果在客户端配置文件中也开启的话，就会出现各种访问错误，AI 说和 http2 有关，这个有办法解决吗？

@cairnechen 大佬不用麻烦了，检查了一下发现服务端配置文件 multiplex 多启用了一个 padding ，官网查了发现 1.13 才支持，去掉就行了

和用 sing-tun 的 clash meta 一样的问题，内网其他设备除了运行 tun 的本机之外的 dns 请求做不到通过自动设置 ip rule 或者路由表什么的直接 hijack ，所以只能走软件自己的监听 53 端口的 dns

singbox 自劫持 dns 请求不太好，我没搞懂原理，也没想去弄，大概看了一下你的配置，加一个 dnsin 。然后 dns 写到 singbox 的机器就行了。或者你自己写一个防火墙劫持下。

@poxiaogg 好奇一下，加了这个 inbound 之后，能解决问题的原理是啥？

btw ，我见官方的教程有一个 outbound 是这样的，是不是起到类似的效果？

{
"type": "logical",
"mode": "or",
"rules": [
{
"protocol": "dns"
},
{
"port": 53
}
],
"action": "hijack-dns"
},

@choicky 这个应该是劫持，但是不监听 53 端口