Handle EDNS version downgrade

cmd/sing-box/cmd_rule_set_match.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"io"
 	"os"
+	"path/filepath"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
@@ -56,6 +57,14 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
+	if flagRuleSetMatchFormat == "" {
+		switch filepath.Ext(sourcePath) {
+		case ".json":
+			flagRuleSetMatchFormat = C.RuleSetFormatSource
+		case ".srs":
+			flagRuleSetMatchFormat = C.RuleSetFormatBinary
+		}
+	}
 	var ruleSet option.PlainRuleSetCompat
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:

dns/client.go

@@ -232,10 +232,20 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			record.Header().Ttl = timeToLive
 		}
 	}
-	response.Id = messageId
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
+	response.Id = messageId
+	requestEDNSOpt := message.IsEdns0()
+	responseEDNSOpt := response.IsEdns0()
+	if responseEDNSOpt != nil && (requestEDNSOpt == nil || requestEDNSOpt.Version() < responseEDNSOpt.Version()) {
+		response.Extra = common.Filter(response.Extra, func(it dns.RR) bool {
+			return it.Header().Rrtype != dns.TypeOPT
+		})
+		if requestEDNSOpt != nil {
+			response.SetEdns0(responseEDNSOpt.UDPSize(), responseEDNSOpt.Do())
+		}
+	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
 	return response, err
 }

docs/changelog.md

@@ -2,12 +2,20 @@
 icon: material/alert-decagram
 ---
 
+#### 1.12.0-beta.8
+
+* Fixes and improvements
+
 ### 1.11.9
 
 * Fixes and improvements
 
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
+#### 1.12.0-beta.5
+
+* Fixes and improvements
+
 ### 1.11.8
 
 * Improve `auto_redirect` **1**
@@ -20,38 +28,205 @@ see [Tun](/configuration/inbound/tun/#auto_redirect).
 
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
+#### 1.12.0-beta.3
+
+* Fixes and improvements
+
 ### 1.11.7
 
 * Fixes and improvements
 
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
+#### 1.12.0-beta.1
+
+* Fixes and improvements
+
+**1**:
+
+Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
+see [Tun](/configuration/inbound/tun/#auto_redirect).
+
 ### 1.11.6
 
 * Fixes and improvements
 
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
+#### 1.12.0-alpha.19
+
+* Update gVisor to 20250319.0
+* Fixes and improvements
+
+#### 1.12.0-alpha.18
+
+* Add wildcard SNI support for ShadowTLS inbound **1**
+* Fixes and improvements
+
+**1**:
+
+See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni).
+
+#### 1.12.0-alpha.17
+
+* Add NTP sniffer **1**
+* Fixes and improvements
+
+**1**:
+
+See [Protocol Sniff](/configuration/route/sniff/).
+
+#### 1.12.0-alpha.16
+
+* Update `domain_resolver` behavior **1**
+* Fixes and improvements
+
+**1**:
+
+`route.default_domain_resolver` or `outbound.domain_resolver` is now optional when only one DNS server is configured.
+
+See [Dial Fields](/configuration/shared/dial/#domain_resolver).
+
 ### 1.11.5
 
 * Fixes and improvements
 
 _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
 
+#### 1.12.0-alpha.13
+
+* Move `predefined` DNS server to DNS rule action **1**
+* Fixes and improvements
+
+**1**:
+
+See [DNS Rule Action](/configuration/dns/rule_action/#predefined).
+
 ### 1.11.4
 
 * Fixes and improvements
 
+#### 1.12.0-alpha.11
+
+* Fixes and improvements
+
+#### 1.12.0-alpha.10
+
+* Add AnyTLS protocol **1**
+* Improve `resolve` route action **2**
+* Migrate to stdlib ECH implementation **3**
+* Fixes and improvements
+
+**1**:
+
+The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.
+
+See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/configuration/outbound/anytls/).
+
+**2**:
+
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
+
+**3**:
+
+See [TLS](/configuration/shared/tls).
+
+The build tag `with_ech` is no longer needed and has been removed.
+
+#### 1.12.0-alpha.7
+
+* Add Tailscale DNS server **1**
+* Fixes and improvements
+
+**1**:
+
+See [Tailscale](/configuration/dns/server/tailscale/).
+
+#### 1.12.0-alpha.6
+
+* Add Tailscale endpoint **1**
+* Drop support for go1.22 **2**
+* Fixes and improvements
+
+**1**:
+
+See [Tailscale](/configuration/endpoint/tailscale/).
+
+**2**:
+
+Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
+
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+
 ### 1.11.3
 
 * Fixes and improvements
 
 _This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration process._
 
+#### 1.12.0-alpha.5
+
+* Fixes and improvements
+
 ### 1.11.1
 
 * Fixes and improvements
 
+#### 1.12.0-alpha.2
+
+* Update quic-go to v0.49.0
+* Fixes and improvements
+
+#### 1.12.0-alpha.1
+
+* Refactor DNS servers **1**
+* Add domain resolver options**2**
+* Add TLS fragment route options **3**
+* Add certificate options **4**
+
+**1**:
+
+DNS servers are refactored for better performance and scalability.
+
+See [DNS server](/configuration/dns/server/).
+
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
+
+Compatibility for old formats will be removed in sing-box 1.14.0.
+
+**2**:
+
+Legacy `outbound` DNS rules are deprecated
+and can be replaced by the new `domain_resolver` option.
+
+See [Dial Fields](/configuration/shared/dial/#domain_resolver) and
+[Route](/configuration/route/#default_domain_resolver).
+
+For migration,
+see [Migrate outbound DNS rule items to domain resolver](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
+
+**3**:
+
+The new TLS fragment route options allow you to fragment TLS handshakes to bypass firewalls.
+
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used
+to circumvent real censorship.
+
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are
+known to be blocked.
+
+See [Route Action](/configuration/route/rule_action/#tls_fragment).
+
+**4**:
+
+New certificate options allow you to manage the default list of trusted X509 CA certificates.
+
+For the system certificate list, fixed Go not reading Android trusted certificates correctly.
+
+You can also use the Mozilla Included List instead, or add trusted certificates yourself.
+
+See [Certificate](/configuration/certificate/).
+
 ### 1.11.0
 
 Important changes since 1.10:

docs/configuration/rule-set/index.md

@@ -80,6 +80,8 @@ List of [Headless Rule](./headless-rule/).
 
 Format of rule-set file, `source` or `binary`.
 
+Optional when `path` or `url` uses `json` or `srs` as extension.
+
 ### Local Fields
 
 #### path

docs/configuration/rule-set/index.zh.md

@@ -80,6 +80,8 @@
 
 规则集格式， `source` 或 `binary`。
 
+当 `path` 或 `url` 使用 `json` 或 `srs` 作为扩展名时可选。
+
 ### 本地字段
 
 #### path

option/rule_set.go

@@ -1,6 +1,8 @@
 package option
 
 import (
+	"net/url"
+	"path/filepath"
 	"reflect"
 
 	C "github.com/sagernet/sing-box/constant"
@@ -27,6 +29,18 @@ type _RuleSet struct {
 type RuleSet _RuleSet
 
 func (r RuleSet) MarshalJSON() ([]byte, error) {
+	if r.Type != C.RuleSetTypeInline {
+		var defaultFormat string
+		switch r.Type {
+		case C.RuleSetTypeLocal:
+			defaultFormat = ruleSetDefaultFormat(r.LocalOptions.Path)
+		case C.RuleSetTypeRemote:
+			defaultFormat = ruleSetDefaultFormat(r.RemoteOptions.URL)
+		}
+		if r.Format == defaultFormat {
+			r.Format = ""
+		}
+	}
 	var v any
 	switch r.Type {
 	case "", C.RuleSetTypeInline:
@@ -62,7 +76,19 @@ func (r *RuleSet) UnmarshalJSON(bytes []byte) error {
 	default:
 		return E.New("unknown rule-set type: " + r.Type)
 	}
+	err = badjson.UnmarshallExcluded(bytes, (*_RuleSet)(r), v)
+	if err != nil {
+		return err
+	}
 	if r.Type != C.RuleSetTypeInline {
+		if r.Format == "" {
+			switch r.Type {
+			case C.RuleSetTypeLocal:
+				r.Format = ruleSetDefaultFormat(r.LocalOptions.Path)
+			case C.RuleSetTypeRemote:
+				r.Format = ruleSetDefaultFormat(r.RemoteOptions.URL)
+			}
+		}
 		switch r.Format {
 		case "":
 			return E.New("missing format")
@@ -73,13 +99,23 @@ func (r *RuleSet) UnmarshalJSON(bytes []byte) error {
 	} else {
 		r.Format = ""
 	}
-	err = badjson.UnmarshallExcluded(bytes, (*_RuleSet)(r), v)
-	if err != nil {
-		return err
-	}
 	return nil
 }
 
+func ruleSetDefaultFormat(path string) string {
+	if pathURL, err := url.Parse(path); err == nil {
+		path = pathURL.Path
+	}
+	switch filepath.Ext(path) {
+	case ".json":
+		return C.RuleSetFormatSource
+	case ".srs":
+		return C.RuleSetFormatBinary
+	default:
+		return ""
+	}
+}
+
 type LocalRuleSet struct {
 	Path string `json:"path,omitempty"`
 }