From 0aaa5013bcc28237e83e4d9170a310293d596f46 Mon Sep 17 00:00:00 2001
From: juewuy <juewuy@gmail.com>
Date: Sun, 14 Dec 2025 18:48:24 +0800
Subject: [PATCH] =?UTF-8?q?~=E5=A2=9E=E5=8A=A0DNS=E9=98=B2=E6=B3=84?=
 =?UTF-8?q?=E9=9C=B2=E5=BC=80=E5=85=B3(=E9=BB=98=E8=AE=A4=E5=90=AF?=
 =?UTF-8?q?=E7=94=A8)=20~=E5=A2=9E=E5=8A=A0=E4=BA=86=E9=83=A8=E5=88=86?=
 =?UTF-8?q?=E8=87=AA=E5=AE=9A=E4=B9=89=E5=86=85=E6=A0=B8=E7=9A=84=E4=B8=8B?=
 =?UTF-8?q?=E8=BD=BD=20~=E4=BC=98=E5=8C=96=E4=B8=80=E9=94=AE=E5=8A=A0?=
 =?UTF-8?q?=E5=AF=86DNS=E5=8A=9F=E8=83=BD=EF=BC=8C=E7=8E=B0=E5=9C=A8Mihomo?=
 =?UTF-8?q?=E5=92=8CSingbox=E5=86=85=E6=A0=B8=E4=B8=8D=E5=86=8D=E4=BE=9D?=
 =?UTF-8?q?=E8=B5=96=E6=A0=B9=E8=AF=81=E4=B9=A6=E6=96=87=E4=BB=B6=20~?=
 =?UTF-8?q?=E5=B1=8F=E8=94=BDDnsmasq=E8=BD=AC=E5=8F=91=E5=8A=9F=E8=83=BD?=
 =?UTF-8?q?=20~=E8=B0=83=E6=95=B4Singbox=E5=86=85=E6=A0=B8DNS=E5=85=A5?=
 =?UTF-8?q?=E7=AB=99=E9=80=BB=E8=BE=91=EF=BC=8C=E5=B0=9D=E8=AF=95=E4=BF=AE?=
 =?UTF-8?q?=E5=A4=8D=E5=86=85=E5=AD=98=E6=BA=A2=E5=87=BA=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=20~=E4=BF=AE=E5=A4=8DSingbox=E5=86=85=E6=A0=B8=E5=90=AF?=
 =?UTF-8?q?=E5=8A=A8=E5=90=8E=E6=97=A0=E6=B3=95=E6=AD=A3=E7=A1=AE=E8=BF=98?=
 =?UTF-8?q?=E5=8E=9F=E9=9D=A2=E6=9D=BF=E8=8A=82=E7=82=B9=E9=80=89=E6=8B=A9?=
 =?UTF-8?q?=E7=9A=84bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/menu.sh   | 46 +++++++++++++++++++++++++++-------------------
 scripts/start.sh  | 43 +++++++++++++++++--------------------------
 scripts/webget.sh | 20 +++++++++++++++++---
 3 files changed, 61 insertions(+), 48 deletions(-)

diff --git a/scripts/menu.sh b/scripts/menu.sh
index cf9cdc2f..219b310a 100644
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -699,6 +699,7 @@ setdns() { #DNS详细设置
 	[ -z "$dns_fallback" ] && dns_fallback="1.1.1.1, 8.8.8.8"
 	[ -z "$dns_resolver" ] && dns_resolver="223.5.5.5, 2400:3200::1"
 	[ -z "$hosts_opt" ] && hosts_opt=已启用
+	[ -z "$dns_protect" ] && dns_protect=ON
 	[ -z "$dns_redir" ] && dns_redir=未开启
 	[ -z "$dns_no" ] && dns_no=未禁用
 	echo -----------------------------------------------
@@ -712,10 +713,11 @@ setdns() { #DNS详细设置
 	echo -e " 1 修改\033[32m基础DNS\033[0m"
 	echo -e " 2 修改\033[36mPROXY-DNS\033[0m(该DNS查询会经过节点)"
 	echo -e " 3 修改\033[33m解析DNS\033[0m(必须是IP,用于解析其他DNS)"
-	echo -e " 4 一键配置\033[32m加密DNS\033[0m"
-	echo -e " 5 hosts优化：  	\033[36m$hosts_opt\033[0m	————调用本机hosts并劫持NTP服务"
-	echo -e " 6 Dnsmasq转发：	\033[36m$dns_redir\033[0m	————不推荐使用"
-	echo -e " 7 禁用DNS劫持：	\033[36m$dns_no\033[0m	————搭配第三方DNS使用"
+	echo -e " 4 DNS防泄漏：  \033[36m$dns_protect\033[0m	———启用时少量网站可能连接卡顿"
+	echo -e " 5 hosts优化：  \033[36m$hosts_opt\033[0m	———调用本机hosts并劫持NTP服务"
+	#echo -e " 6 Dnsmasq转发：\033[36m$dns_redir\033[0m	———不推荐使用"
+	echo -e " 7 禁用DNS劫持：\033[36m$dns_no\033[0m	———搭配第三方DNS使用"
+	echo -e " 8 一键配置\033[32m加密DNS\033[0m"
 	echo -e " 9 \033[33m重置\033[0m默认DNS配置"
 	echo -e " 0 返回上级菜单"
 	echo -----------------------------------------------
@@ -756,21 +758,9 @@ setdns() { #DNS详细设置
 		setdns
 	;;
 	4)
-		echo -----------------------------------------------
-		openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
-		if [ -s "$openssldir/certs/ca-certificates.crt" -o -s "/etc/ssl/certs/ca-certificates.crt" ]; then
-			dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
-			dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
-			dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
-			setconfig dns_nameserver "'$dns_nameserver'"
-			setconfig dns_fallback "'$dns_fallback'"
-			setconfig dns_resolver "'$dns_resolver'"
-			echo -e "\033[32m已设置加密DNS，如出现DNS解析问题，请尝试重置DNS配置！\033[0m"
-		else
-			echo -e "\033[31m找不到根证书文件，无法启用加密DNS，Linux系统请自行搜索安装OpenSSL的方式！\033[0m"
-		fi
-		sleep 1
-		setdns
+		[ "$dns_protect" = "ON" ] && dns_protect=OFF || dns_protect=ON
+		setconfig dns_protect $dns_protect
+		setdns		
 	;;
 	5)
 		echo -----------------------------------------------
@@ -818,6 +808,24 @@ setdns() { #DNS详细设置
 		sleep 1
 		setdns
 	;;
+	8)
+		echo -----------------------------------------------
+		openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
+		if [ -s "$openssldir/certs/ca-certificates.crt" ] || [ -s "/etc/ssl/certs/ca-certificates.crt" ] || \
+			echo "$crashcore" |grep -qE 'meta|singbox'; then
+			dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
+			dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
+			dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
+			setconfig dns_nameserver "'$dns_nameserver'"
+			setconfig dns_fallback "'$dns_fallback'"
+			setconfig dns_resolver "'$dns_resolver'"
+			echo -e "\033[32m已设置加密DNS，如出现DNS解析问题，请尝试重置DNS配置！\033[0m"
+		else
+			echo -e "\033[31m找不到根证书文件，无法启用加密DNS，Linux系统请自行搜索安装OpenSSL的方式！\033[0m"
+		fi
+		sleep 1
+		setdns
+	;;
 	9)
 		dns_nameserver=
 		dns_fallback=
diff --git a/scripts/start.sh b/scripts/start.sh
index 44eae3ad..a24da069 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -438,11 +438,12 @@ EOF
 		[ "$dns_mod" = "mix" ] && echo '    - "rule-set:cn"' >>"$TMPDIR"/dns.yaml
 		#mix模式和route模式插入分流设置
 		if [ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ];then
+			[ "$dns_protect" = "OFF" ] && dns_final="$dns_fallback" || dns_final="$dns_nameserver"
 			cat >>"$TMPDIR"/dns.yaml <<EOF
   respect-rules: true
   nameserver-policy: {'rule-set:cn': [ $dns_nameserver ]}
   proxy-server-nameserver : [ $dns_resolver ]
-  nameserver: [ $dns_fallback ]
+  nameserver: [ $dns_final ]
 EOF
 		else
 			cat >>"$TMPDIR"/dns.yaml <<EOF
@@ -573,7 +574,7 @@ EOF
 		mv -f "$TMPDIR"/rules.add "$TMPDIR"/rules.yaml
 	}
 	#mix模式生成rule-providers
-	[ "$dns_mod" = "mix" ] && ! grep -q 'cn:' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && {
+	[ "$dns_mod" = "mix" ] && ! grep -q ' cn: ' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && {
 		space=$(sed -n "1p" "$TMPDIR"/rule-providers.yaml | grep -oE '^ *')                               #获取空格数
 		[ -z "$space" ] && space='  '
 		echo "${space}cn: {type: http, behavior: domain, format: mrs, path: ./ruleset/cn.mrs, url: https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@update/bin/geodata/mrs_geosite_cn.mrs}" >> "$TMPDIR"/rule-providers.yaml 
@@ -692,7 +693,7 @@ EOF
 	#根据dns模式生成
 	[ "$dns_mod" = "redir_host" ] && {
 		global_dns=dns_proxy
-		direct_dns="{ \"inbound\": [ \"dns-in\" ], \"server\": \"dns_direct\" }"
+		direct_dns='{ "inbound": [ "dns-in" ], "server": "dns_direct" }'
 	}
 	[ "$dns_mod" = "fake-ip" ] || [ "$dns_mod" = "mix" ] && {
 		global_dns=dns_fakeip
@@ -704,16 +705,18 @@ EOF
 		[ -n "$fake_ip_filter_regex" ] && fake_ip_filter_regex="{ \"domain_regex\": [$fake_ip_filter_regex], \"server\": \"dns_direct\" },"
 		proxy_dns='{ "query_type": ["A", "AAAA"], "server": "dns_fakeip", "strategy": "'"$strategy"'", "rewrite_ttl": 1 }'
 		#mix模式插入fakeip过滤规则
-		[ "$dns_mod" = "mix" ] && direct_dns="{ \"rule_set\": [\"cn\"], \"server\": \"dns_direct\" },"
+		[ "$dns_mod" = "mix" ] && direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }'
 	}
 	[ "$dns_mod" = "route" ] && {
 		global_dns=dns_proxy
-		direct_dns="{ \"rule_set\": [\"cn\"], \"server\": \"dns_direct\" }"
+		direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }'
 	}
-		#生成add_rule_set.json
-		[ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ] && \
-		[ -z "$(cat "$CRASHDIR"/jsons/*.json | grep -Ei '"tag" *: *"cn"')" ] && \
-		cat >"$TMPDIR"/jsons/add_rule_set.json <<EOF
+	#防泄露设置
+	[ "$dns_protect" = "OFF" ] && sed -i 's/"server": "dns_proxy"/"server": "dns_direct"/g' "$TMPDIR"/jsons/route.json
+	#生成add_rule_set.json
+	[ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ] && \
+	[ -z "$(cat "$CRASHDIR"/jsons/*.json | grep -Ei '"tag" *: *"cn"')" ] && \
+	cat >"$TMPDIR"/jsons/add_rule_set.json <<EOF
 {
   "route": {
     "rule_set": [
@@ -784,27 +787,16 @@ EOF
 	"default_domain_resolver": "dns_resolver",
     "default_mark": $routing_mark,
 	"rules": [
-	  { "inbound": [ "dns-in" ], "action": "hijack-dns" },
+	  { "inbound": [ "dns-in" ], "action": "sniff", "timeout": "500ms" },
 	  $sniffer_set
       { "protocol": "dns", "action": "hijack-dns" },
+	  { "inbound": [ "dns-in" ], "action": "reject" },
       { "clash_mode": "Direct" , "outbound": "DIRECT" },
       { "clash_mode": "Global" , "outbound": "GLOBAL" }
 	]
   }
 }
 EOF
-	#生成ntp.json
-	# cat > "$TMPDIR"/jsons/ntp.json <<EOF
-	# {
-	# "ntp": {
-	# "enabled": true,
-	# "server": "203.107.6.88",
-	# "server_port": 123,
-	# "interval": "30m0s",
-	# "detour": "DIRECT"
-	# }
-	# }
-	# EOF
 	#生成certificate.json
 	cat >"$TMPDIR"/jsons/certificate.json <<EOF
 {
@@ -1696,12 +1688,11 @@ web_restore() { #还原面板选择
 	#设置循环检测面板端口以判定服务启动是否成功
 	test=""
 	i=1
-	while [ -z "$test" -a "$i" -lt 20 ]; do
-		sleep 2
-		test=$(get_save http://127.0.0.1:${db_port}/configs | grep -o port)
+	while [ -z "$test" -a "$i" -lt 30 ]; do
+		test=$(get_save http://127.0.0.1:${db_port}/proxies | grep -o proxies)
 		i=$((i + 1))
+		sleep 2
 	done
-	sleep 1
 	[ -n "$test" ] && {
 		#发送节点选择数据
 		[ -s "$CRASHDIR"/configs/web_save ] && {
diff --git a/scripts/webget.sh b/scripts/webget.sh
index ce8d3073..e6c2a015 100644
--- a/scripts/webget.sh
+++ b/scripts/webget.sh
@@ -1438,8 +1438,10 @@ setcustcore(){ #自定义内核
 	echo -e "1 \033[36mMetaCubeX/mihomo\033[32m@release\033[0m版本官方内核"
 	echo -e "2 \033[36mMetaCubeX/mihomo\033[32m@alpha\033[0m版本官方内核"
 	echo -e "3 \033[36mvernesong/mihomo\033[32m@alpha\033[0m版本内核(支持Smart策略)"
-	echo -e "4 \033[36mreF1nd/sing-box\033[32m@dev\033[0m版本内核(完整编译)"
-	echo -e "5 Premium-2023.08.17内核(已停止维护)"
+	echo -e "4 \033[36mSagerNet/sing-box\033[32m@release\033[0m版本官方内核"
+	echo -e "5 \033[36mreF1nd/sing-box\033[32m@release\033[0m版本内核(完整编译)"
+	echo -e "6 \033[36mreF1nd/sing-box\033[32m@dev\033[0m版本内核(完整编译)"
+	echo -e "7 Premium-2023.08.17内核(已停止维护)"
 	echo -e "a \033[33m自定义内核链接 \033[0m"
 	echo -----------------------------------------------
 	read -p "请输入对应数字 > " num
@@ -1463,12 +1465,24 @@ setcustcore(){ #自定义内核
 		checkcustcore
 	;;
 	4)
+		project=SagerNet/sing-box
+		api_tag=latest
+		crashcore=singbox
+		checkcustcore
+	;;
+	5)
 		project=juewuy/ShellCrash
 		api_tag=singbox_core_reF1nd
 		crashcore=singboxr
 		checkcustcore
 	;;
-	5)
+	6)
+		project=juewuy/ShellCrash
+		api_tag=singbox_core_dev_reF1nd
+		crashcore=singboxr
+		checkcustcore
+	;;
+	7)
 		project=juewuy/ShellCrash
 		api_tag=clash.premium.latest
 		crashcore=clashpre