~增加DNS防泄露开关(默认启用)

~增加了部分自定义内核的下载 ~优化一键加密DNS功能，现在Mihomo和Singbox内核不再依赖根证书文件 ~屏蔽Dnsmasq转发功能 ~调整Singbox内核DNS入站逻辑，尝试修复内存溢出问题 ~修复Singbox内核启动后无法正确还原面板节点选择的bug
2026-03-10 23:41:22 +00:00 · 2025-12-14 18:48:24 +08:00
parent a7c9a8b3f3
commit 0aaa5013bc
3 changed files with 61 additions and 48 deletions
--- a/scripts/menu.sh
+++ b/scripts/menu.sh
@@ -699,6 +699,7 @@ setdns() { #DNS详细设置
 	[ -z "$dns_fallback" ] && dns_fallback="1.1.1.1, 8.8.8.8"
 	[ -z "$dns_resolver" ] && dns_resolver="223.5.5.5, 2400:3200::1"
 	[ -z "$hosts_opt" ] && hosts_opt=已启用
+	[ -z "$dns_protect" ] && dns_protect=ON
 	[ -z "$dns_redir" ] && dns_redir=未开启
 	[ -z "$dns_no" ] && dns_no=未禁用
 	echo -----------------------------------------------
@@ -712,10 +713,11 @@ setdns() { #DNS详细设置
 	echo -e " 1 修改\033[32m基础DNS\033[0m"
 	echo -e " 2 修改\033[36mPROXY-DNS\033[0m(该DNS查询会经过节点)"
 	echo -e " 3 修改\033[33m解析DNS\033[0m(必须是IP,用于解析其他DNS)"
-	echo -e " 4 一键配置\033[32m加密DNS\033[0m"
-	echo -e " 5 hosts优化：  	\033[36m$hosts_opt\033[0m	————调用本机hosts并劫持NTP服务"
-	echo -e " 6 Dnsmasq转发：	\033[36m$dns_redir\033[0m	————不推荐使用"
-	echo -e " 7 禁用DNS劫持：	\033[36m$dns_no\033[0m	————搭配第三方DNS使用"
+	echo -e " 4 DNS防泄漏：  \033[36m$dns_protect\033[0m	———启用时少量网站可能连接卡顿"
+	echo -e " 5 hosts优化：  \033[36m$hosts_opt\033[0m	———调用本机hosts并劫持NTP服务"
+	#echo -e " 6 Dnsmasq转发：\033[36m$dns_redir\033[0m	———不推荐使用"
+	echo -e " 7 禁用DNS劫持：\033[36m$dns_no\033[0m	———搭配第三方DNS使用"
+	echo -e " 8 一键配置\033[32m加密DNS\033[0m"
 	echo -e " 9 \033[33m重置\033[0m默认DNS配置"
 	echo -e " 0 返回上级菜单"
 	echo -----------------------------------------------
@@ -756,21 +758,9 @@ setdns() { #DNS详细设置
 		setdns
 	;;
 	4)
-		echo -----------------------------------------------
-		openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
-		if [ -s "$openssldir/certs/ca-certificates.crt" -o -s "/etc/ssl/certs/ca-certificates.crt" ]; then
-			dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
-			dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
-			dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
-			setconfig dns_nameserver "'$dns_nameserver'"
-			setconfig dns_fallback "'$dns_fallback'"
-			setconfig dns_resolver "'$dns_resolver'"
-			echo -e "\033[32m已设置加密DNS，如出现DNS解析问题，请尝试重置DNS配置！\033[0m"
-		else
-			echo -e "\033[31m找不到根证书文件，无法启用加密DNS，Linux系统请自行搜索安装OpenSSL的方式！\033[0m"
-		fi
-		sleep 1
-		setdns
+		[ "$dns_protect" = "ON" ] && dns_protect=OFF || dns_protect=ON
+		setconfig dns_protect $dns_protect
+		setdns		
 	;;
 	5)
 		echo -----------------------------------------------
@@ -818,6 +808,24 @@ setdns() { #DNS详细设置
 		sleep 1
 		setdns
 	;;
+	8)
+		echo -----------------------------------------------
+		openssldir="$(openssl version -d 2>&1 | awk -F '"' '{print $2}')"
+		if [ -s "$openssldir/certs/ca-certificates.crt" ] || [ -s "/etc/ssl/certs/ca-certificates.crt" ] || \
+			echo "$crashcore" |grep -qE 'meta|singbox'; then
+			dns_nameserver='https://doh.360.cn/dns-query, https://dns.alidns.com/dns-query, https://doh.pub/dns-query'
+			dns_fallback='https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://doh.opendns.com/dns-query'
+			dns_resolver='https://223.5.5.5/dns-query, 2400:3200::1'
+			setconfig dns_nameserver "'$dns_nameserver'"
+			setconfig dns_fallback "'$dns_fallback'"
+			setconfig dns_resolver "'$dns_resolver'"
+			echo -e "\033[32m已设置加密DNS，如出现DNS解析问题，请尝试重置DNS配置！\033[0m"
+		else
+			echo -e "\033[31m找不到根证书文件，无法启用加密DNS，Linux系统请自行搜索安装OpenSSL的方式！\033[0m"
+		fi
+		sleep 1
+		setdns
+	;;
 	9)
 		dns_nameserver=
 		dns_fallback=
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -438,11 +438,12 @@ EOF
 		[ "$dns_mod" = "mix" ] && echo '    - "rule-set:cn"' >>"$TMPDIR"/dns.yaml
 		#mix模式和route模式插入分流设置
 		if [ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ];then
+			[ "$dns_protect" = "OFF" ] && dns_final="$dns_fallback" || dns_final="$dns_nameserver"
 			cat >>"$TMPDIR"/dns.yaml <<EOF
  respect-rules: true
  nameserver-policy: {'rule-set:cn': [ $dns_nameserver ]}
  proxy-server-nameserver : [ $dns_resolver ]
-  nameserver: [ $dns_fallback ]
+  nameserver: [ $dns_final ]
 EOF
 		else
 			cat >>"$TMPDIR"/dns.yaml <<EOF
@@ -573,7 +574,7 @@ EOF
 		mv -f "$TMPDIR"/rules.add "$TMPDIR"/rules.yaml
 	}
 	#mix模式生成rule-providers
-	[ "$dns_mod" = "mix" ] && ! grep -q 'cn:' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && {
+	[ "$dns_mod" = "mix" ] && ! grep -q ' cn: ' "$TMPDIR"/rule-providers.yaml && ! grep -q '^rule-providers' "$CRASHDIR"/yamls/others.yaml 2>/dev/null && {
 		space=$(sed -n "1p" "$TMPDIR"/rule-providers.yaml | grep -oE '^ *')                               #获取空格数
 		[ -z "$space" ] && space='  '
 		echo "${space}cn: {type: http, behavior: domain, format: mrs, path: ./ruleset/cn.mrs, url: https://testingcf.jsdelivr.net/gh/juewuy/ShellCrash@update/bin/geodata/mrs_geosite_cn.mrs}" >> "$TMPDIR"/rule-providers.yaml 
@@ -692,7 +693,7 @@ EOF
 	#根据dns模式生成
 	[ "$dns_mod" = "redir_host" ] && {
 		global_dns=dns_proxy
-		direct_dns="{ \"inbound\": [ \"dns-in\" ], \"server\": \"dns_direct\" }"
+		direct_dns='{ "inbound": [ "dns-in" ], "server": "dns_direct" }'
 	}
 	[ "$dns_mod" = "fake-ip" ] || [ "$dns_mod" = "mix" ] && {
 		global_dns=dns_fakeip
@@ -704,16 +705,18 @@ EOF
 		[ -n "$fake_ip_filter_regex" ] && fake_ip_filter_regex="{ \"domain_regex\": [$fake_ip_filter_regex], \"server\": \"dns_direct\" },"
 		proxy_dns='{ "query_type": ["A", "AAAA"], "server": "dns_fakeip", "strategy": "'"$strategy"'", "rewrite_ttl": 1 }'
 		#mix模式插入fakeip过滤规则
-		[ "$dns_mod" = "mix" ] && direct_dns="{ \"rule_set\": [\"cn\"], \"server\": \"dns_direct\" },"
+		[ "$dns_mod" = "mix" ] && direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }'
 	}
 	[ "$dns_mod" = "route" ] && {
 		global_dns=dns_proxy
-		direct_dns="{ \"rule_set\": [\"cn\"], \"server\": \"dns_direct\" }"
+		direct_dns='{ "rule_set": ["cn"], "server": "dns_direct" }'
 	}
-		#生成add_rule_set.json
-		[ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ] && \
-		[ -z "$(cat "$CRASHDIR"/jsons/*.json | grep -Ei '"tag" *: *"cn"')" ] && \
-		cat >"$TMPDIR"/jsons/add_rule_set.json <<EOF
+	#防泄露设置
+	[ "$dns_protect" = "OFF" ] && sed -i 's/"server": "dns_proxy"/"server": "dns_direct"/g' "$TMPDIR"/jsons/route.json
+	#生成add_rule_set.json
+	[ "$dns_mod" = "mix" ] || [ "$dns_mod" = "route" ] && \
+	[ -z "$(cat "$CRASHDIR"/jsons/*.json | grep -Ei '"tag" *: *"cn"')" ] && \
+	cat >"$TMPDIR"/jsons/add_rule_set.json <<EOF
 {
  "route": {
    "rule_set": [
@@ -784,27 +787,16 @@ EOF
 	"default_domain_resolver": "dns_resolver",
    "default_mark": $routing_mark,
 	"rules": [
-	  { "inbound": [ "dns-in" ], "action": "hijack-dns" },
+	  { "inbound": [ "dns-in" ], "action": "sniff", "timeout": "500ms" },
 	  $sniffer_set
      { "protocol": "dns", "action": "hijack-dns" },
+	  { "inbound": [ "dns-in" ], "action": "reject" },
      { "clash_mode": "Direct" , "outbound": "DIRECT" },
      { "clash_mode": "Global" , "outbound": "GLOBAL" }
 	]
  }
 }
 EOF
-	#生成ntp.json
-	# cat > "$TMPDIR"/jsons/ntp.json <<EOF
-	# {
-	# "ntp": {
-	# "enabled": true,
-	# "server": "203.107.6.88",
-	# "server_port": 123,
-	# "interval": "30m0s",
-	# "detour": "DIRECT"
-	# }
-	# }
-	# EOF
 	#生成certificate.json
 	cat >"$TMPDIR"/jsons/certificate.json <<EOF
 {
@@ -1696,12 +1688,11 @@ web_restore() { #还原面板选择
 	#设置循环检测面板端口以判定服务启动是否成功
 	test=""
 	i=1
-	while [ -z "$test" -a "$i" -lt 20 ]; do
-		sleep 2
-		test=$(get_save http://127.0.0.1:${db_port}/configs | grep -o port)
+	while [ -z "$test" -a "$i" -lt 30 ]; do
+		test=$(get_save http://127.0.0.1:${db_port}/proxies | grep -o proxies)
 		i=$((i + 1))
+		sleep 2
 	done
-	sleep 1
 	[ -n "$test" ] && {
 		#发送节点选择数据
 		[ -s "$CRASHDIR"/configs/web_save ] && {
--- a/scripts/webget.sh
+++ b/scripts/webget.sh
@@ -1438,8 +1438,10 @@ setcustcore(){ #自定义内核
 	echo -e "1 \033[36mMetaCubeX/mihomo\033[32m@release\033[0m版本官方内核"
 	echo -e "2 \033[36mMetaCubeX/mihomo\033[32m@alpha\033[0m版本官方内核"
 	echo -e "3 \033[36mvernesong/mihomo\033[32m@alpha\033[0m版本内核(支持Smart策略)"
-	echo -e "4 \033[36mreF1nd/sing-box\033[32m@dev\033[0m版本内核(完整编译)"
-	echo -e "5 Premium-2023.08.17内核(已停止维护)"
+	echo -e "4 \033[36mSagerNet/sing-box\033[32m@release\033[0m版本官方内核"
+	echo -e "5 \033[36mreF1nd/sing-box\033[32m@release\033[0m版本内核(完整编译)"
+	echo -e "6 \033[36mreF1nd/sing-box\033[32m@dev\033[0m版本内核(完整编译)"
+	echo -e "7 Premium-2023.08.17内核(已停止维护)"
 	echo -e "a \033[33m自定义内核链接 \033[0m"
 	echo -----------------------------------------------
 	read -p "请输入对应数字 > " num
@@ -1463,12 +1465,24 @@ setcustcore(){ #自定义内核
 		checkcustcore
 	;;
 	4)
+		project=SagerNet/sing-box
+		api_tag=latest
+		crashcore=singbox
+		checkcustcore
+	;;
+	5)
 		project=juewuy/ShellCrash
 		api_tag=singbox_core_reF1nd
 		crashcore=singboxr
 		checkcustcore
 	;;
-	5)
+	6)
+		project=juewuy/ShellCrash
+		api_tag=singbox_core_dev_reF1nd
+		crashcore=singboxr
+		checkcustcore
+	;;
+	7)
 		project=juewuy/ShellCrash
 		api_tag=clash.premium.latest
 		crashcore=clashpre