NetShift 0.9.3
What's new
DNS-via-outbound routing modes — the dns_outbound_mode UCI option
(single | multi | paranoid, default single) now steers
resolver queries that reach sing-box via the dns-in inbound
(127.0.0.42:53) through the chosen proxy outbound in multi/paranoid mode.
This makes recursive-aware multi-resolver proxy work end-to-end: a query
lands on the internal DNS, gets routed through the same outbound as the
rest of the section, and resolves against the panel's recursive chain
instead of the upstream ISP resolver.
The single mode keeps behaviour byte-identical to 0.9.2
(no regression for users who don't touch the option).
Internals
- netshift/files/etc/config/netshift: new commented option
  dns_outbound_mode with a usage hint
- netshift/files/usr/bin/netshift: sing_box_configure_dns case
  arm — appends a dns.rules[] entry with action=route,
  inbound=[dns-in], outbound=<vpn-tag> for multi/paranoid; emits
  a fail-open warn when dns_detour_tag is empty; logs unknown-mode
  values and falls back to single
- netshift/files/usr/lib/constants.sh: SB_DNS_INBOUND_ROUTING_TAG
  ("dns-inbound-routing-rule-tag") — internal tag for the appended
  rule, stripped on save via the existing __service_tag mechanism
- tests/entrypoint.sh: +2 gates
  (dns-multi-fail-open-production-warn, dns-multi-unknown-mode-warn).
  Smoke suite 24/4 OK
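
A sketch of the mode handling listed under Internals, added here as an illustration and not taken from NetShift's own code. The function names, warning text, return codes, the quote/backslash check and the choice to skip the rule when the detour tag is empty are assumptions; the option values, the dns-in inbound and the rule fields come from the notes above.

```sh
#!/bin/sh
# Added example, not NetShift code. Hypothetical helper names throughout.

DNS_INBOUND_TAG="dns-in"   # inbound tag named in the release notes

# effective_dns_mode MODE
# Prints the mode that will be applied; unknown values fall back to single.
effective_dns_mode() {
    case "${1:-single}" in
        single|multi|paranoid) printf '%s\n' "${1:-single}" ;;
        *)
            echo "warn: unknown dns_outbound_mode '$1', using single" >&2
            printf 'single\n'
            ;;
    esac
}

# dns_inbound_rule MODE DETOUR_TAG
# Prints the dns.rules[] entry as JSON, or nothing when no rule applies.
# Returns 0 = rule printed, 1 = single mode (no rule),
#         2 = fail-open (empty detour tag), 3 = tag unsafe to embed in JSON.
dns_inbound_rule() {
    mode=$(effective_dns_mode "$1")
    detour_tag=$2
    [ "$mode" = "single" ] && return 1
    if [ -z "$detour_tag" ]; then
        # Assumption: with no outbound to point at, the rule is skipped.
        echo "warn: dns_outbound_mode=$mode but no detour tag; rule skipped (fail-open)" >&2
        return 2
    fi
    case "$detour_tag" in
        *'"'*|*'\'*)
            echo "warn: detour tag contains a quote or backslash; rule skipped" >&2
            return 3
            ;;
    esac
    printf '{"action":"route","inbound":["%s"],"outbound":"%s"}\n' \
        "$DNS_INBOUND_TAG" "$detour_tag"
}

# Constructed sample call; "vpn-out" is a made-up outbound tag.
dns_inbound_rule multi vpn-out
```

The non-zero return codes let a caller tell "no rule by design" (single) apart from "no rule because the configuration is incomplete", which is the case the two new test gates warn about.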
Compatibility
- single (default) is byte-identical to 0.9.2 — safe drop-in upgrade.
- No changes to runtime contract (ports, marks, nft, dnsmasq, UCI schema
  default).
- No changes to sing-box minimum version (1.12.0).