dns.client_subnet is not working #3032

Open · 4 of 5 tasks
zzzz-cloud opened this issue May 27, 2025 · 0 comments
Labels: bug Something isn't working

@zzzz-cloud
Operating system

macOS

System version

Sequoia 15.4

Installation type

sing-box for macOS Graphical Client

If you are using a graphical client, please provide the version of the client.

1.12.0-beta.18 (1)

Version

Description

When DNS queries go through the final resolver, they are not using client_subnet.

Reproduction

For www.dji.com, I expect it to return a China IP, but it actually returns a Japan IP.

xxxdeMacBook-Pro ~ % dig +short www.mi.com
www.mi.com.mgslb.com.
www.mi.com.bsgslb.cn.
xiaomiipv6.v.bsgslb.cn.
xiaomiipv6.v.smogfly.cn.
116.162.225.153 //China IP
116.162.225.157
116.162.225.152
116.162.225.156
xxxdeMacBook-Pro ~ % dig +short www.dji.com
d125tdjigxzobs.cloudfront.net.
3.164.110.49 //Japan IP
3.164.110.66
3.164.110.60
3.164.110.90

Here is my config:

{
  "log": {
    "disabled": false,
    "level": "debug",
    "output": "",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "default-dns",
        "type": "local",
        "detour": "DIRECT"
      },
      {
        "tag": "google",
        "type": "https",
        "server": "dns.google",
        "domain_resolver": "default-dns",
        "path": "/dns-query",
        "detour": "PROXY"
      }
    ],
    "rules": [
      {
        "domain_suffix": "mi.com",
        "server": "google",
        "strategy": "ipv4_only",
        "client_subnet": "58.250.0.0/16"
      }
    ],
    "strategy": "ipv4_only",
    "disable_cache": false,
    "disable_expire": false,
    "independent_cache": false,
    "final": "google",
    "client_subnet": "58.250.0.0/16"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "address": [
        "172.19.0.1/30",
        "fdfe:dcba:9876::1/126"
      ],
      "mtu": 9000,
      "auto_route": true,
      "stack": "mixed",
      "sniff": true,
      "sniff_override_destination": false
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "DIRECT"
    },
    {
      "type": "vless",
      "tag": "jp",
      "server": "",
      "server_port": 443,
      "uuid": "",
      "flow": "xtls-rprx-vision",
      "network": "tcp",
      "tls": {
        "enabled": true,
        "server_name": "",
        "utls": {
          "enabled": true,
          "fingerprint": ""
        },
        "reality": {
          "enabled": true,
          "public_key": "",
          "short_id": ""
        }
      }
    },
    {
      "type": "selector",
      "tag": "PROXY",
      "outbounds": [
        "jp",
        "DIRECT"
      ]
    }
  ],
  "route": {
    "rules": [
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "network": "udp",
            "port": 53
          },
          {
            "protocol": "dns"
          }
        ],
        "action": "hijack-dns"
      },
      {
        "rule_set": [
          "geoip-cn"
        ],
        "action": "route",
        "outbound": "DIRECT"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "geoip-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",
        "download_detour": "PROXY"
      }
    ],
    "auto_detect_interface": true,
    "final": "PROXY"
  }
}

Logs

+0800 2025-05-27 19:50:36 DEBUG [820280476 0ms] router: sniffed packet protocol: dns
+0800 2025-05-27 19:50:36 DEBUG [820280476 0ms] router: match[0] network=udp port=53 || protocol=dns => hijack-dns
+0800 2025-05-27 19:50:36 DEBUG [820280476 0ms] dns: exchange ins-8y4ghcjp.ias.tencent-cloud.net. IN AAAA
+0800 2025-05-27 19:50:36 DEBUG [820280476 0ms] dns: strategy rejected
+0800 2025-05-27 19:50:36 INFO [269533721 275ms] outbound/vless[jp]: outbound connection to 8.8.4.4:853
+0800 2025-05-27 19:50:36 INFO [245476134 281ms] outbound/vless[jp]: outbound connection to 8.8.4.4:853
+0800 2025-05-27 19:50:36 INFO [131519415 231ms] outbound/vless[jp]: outbound connection to 8.8.4.4:443
+0800 2025-05-27 19:50:36 INFO [2954101592 230ms] outbound/vless[jp]: outbound connection to 8.8.4.4:443
+0800 2025-05-27 19:50:36 INFO [1165421802 228ms] outbound/vless[jp]: outbound connection to 17.57.145.150:5223
+0800 2025-05-27 19:50:36 DEBUG [131519415 425ms] connection: connection upload finished
+0800 2025-05-27 19:50:36 DEBUG [269533721 479ms] connection: connection upload finished
+0800 2025-05-27 19:50:36 DEBUG [245476134 483ms] connection: connection upload finished
+0800 2025-05-27 19:50:36 DEBUG [2954101592 472ms] connection: connection upload finished
+0800 2025-05-27 19:50:43 INFO [3323297749 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:49992
+0800 2025-05-27 19:50:43 INFO [3323297749 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2025-05-27 19:50:43 DEBUG [3323297749 0ms] router: sniffed packet protocol: dns
+0800 2025-05-27 19:50:43 DEBUG [3323297749 0ms] router: match[0] network=udp port=53 || protocol=dns => hijack-dns
+0800 2025-05-27 19:50:43 DEBUG [3323297749 0ms] dns: exchange www.mi.com. IN A
+0800 2025-05-27 19:50:43 DEBUG [3323297749 0ms] dns: match[1] domain_suffix=mi.com => route(google,client-subnet=58.250.0.0/16)
+0800 2025-05-27 19:50:44 DEBUG [3323297749 1.25s] dns: exchanged www.mi.com NOERROR 60
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged CNAME www.mi.com. 60 IN CNAME www.mi.com.mgslb.com.
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged CNAME www.mi.com.mgslb.com. 60 IN CNAME www.mi.com.bsgslb.cn.
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged CNAME www.mi.com.bsgslb.cn. 60 IN CNAME xiaomiipv6.v.bsgslb.cn.
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged CNAME xiaomiipv6.v.bsgslb.cn. 60 IN CNAME xiaomiipv6.v.smogfly.cn.
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged A xiaomiipv6.v.smogfly.cn. 60 IN A 116.162.225.153
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged A xiaomiipv6.v.smogfly.cn. 60 IN A 116.162.225.157
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged A xiaomiipv6.v.smogfly.cn. 60 IN A 116.162.225.152
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged A xiaomiipv6.v.smogfly.cn. 60 IN A 116.162.225.156
+0800 2025-05-27 19:50:44 INFO [3323297749 1.25s] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x003c, udp: 512 SUBNET: 58.250.0.0/16/18
+0800 2025-05-27 19:50:50 INFO [2403063383 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:55886
+0800 2025-05-27 19:50:50 INFO [2403063383 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2025-05-27 19:50:50 DEBUG [2403063383 0ms] router: sniffed packet protocol: dns
+0800 2025-05-27 19:50:50 DEBUG [2403063383 0ms] router: match[0] network=udp port=53 || protocol=dns => hijack-dns
+0800 2025-05-27 19:50:50 DEBUG [2403063383 0ms] dns: exchange www.dji.com. IN A
+0800 2025-05-27 19:50:50 DEBUG [2403063383 154ms] dns: exchanged www.dji.com NOERROR 60
+0800 2025-05-27 19:50:50 INFO [2403063383 154ms] dns: exchanged CNAME www.dji.com. 60 IN CNAME d125tdjigxzobs.cloudfront.net.
+0800 2025-05-27 19:50:50 INFO [2403063383 154ms] dns: exchanged A d125tdjigxzobs.cloudfront.net. 60 IN A 3.164.110.49
+0800 2025-05-27 19:50:50 INFO [2403063383 154ms] dns: exchanged A d125tdjigxzobs.cloudfront.net. 60 IN A 3.164.110.66
+0800 2025-05-27 19:50:50 INFO [2403063383 155ms] dns: exchanged A d125tdjigxzobs.cloudfront.net. 60 IN A 3.164.110.60
+0800 2025-05-27 19:50:50 INFO [2403063383 155ms] dns: exchanged A d125tdjigxzobs.cloudfront.net. 60 IN A 3.164.110.90
+0800 2025-05-27 19:50:50 INFO [2403063383 155ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x003c, udp: 512

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
@nekohasekai nekohasekai added the bug Something isn't working label May 28, 2025
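The two OPT lines at the end of the log are the evidence in this report: the www.mi.com answer carries `SUBNET: 58.250.0.0/16/18` (the resolver echoed the configured /16 and answered for a /18 scope), while the www.dji.com answer carries no SUBNET at all. The following is an added example, not code from sing-box or from the reporter, showing what that looks like on the wire: it builds a DNS query carrying an EDNS Client Subnet option (RFC 7871), and parses the ECS option back out of a message so you can check whether an upstream echoed it and with what scope. It uses only the Python standard library; the "responses" it parses are constructed by hand to mirror the two cases in the log, not real resolver traffic.

```python
"""EDNS Client Subnet (ECS, RFC 7871) on the wire. Added example for this
issue, not sing-box code; all messages below are constructed locally."""
import ipaddress
import struct
from typing import List, Optional, Tuple

OPT_TYPE = 41   # EDNS(0) OPT pseudo-RR
ECS_CODE = 8    # edns-client-subnet option code


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_ecs_option(subnet: str, scope: int = 0) -> bytes:
    """ECS option body: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated
    address. A query sends scope 0; a response sets the scope it actually used."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_CODE, len(data)) + data


def build_query(name: str, subnet: Optional[str], txid: int = 0x1234) -> bytes:
    """Type-A query for NAME; with SUBNET set, an OPT RR carrying ECS is appended."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if subnet else 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    if subnet:
        rdata = build_ecs_option(subnet)
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return pkt


def build_response(query: bytes, addresses: List[str], ecs: Optional[Tuple[str, int]]) -> bytes:
    """Constructed resolver reply: echo the question, add A records and, if ECS is
    given as (subnet, scope), an OPT RR echoing that subnet with that scope."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 1 if ecs else 0) + question
    for a in addresses:   # 0xC00C points back at the question name
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
    if ecs:
        rdata = build_ecs_option(*ecs)
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, 0, len(rdata)) + rdata
    return pkt


def parse_ecs(msg: bytes) -> Optional[dict]:
    """Walk every section of MSG; return the ECS option from its OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                # OPT RDATA is a list of {code, len, data}
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != ECS_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            addr = ipaddress.ip_address(body[4:].ljust(4 if family == 1 else 16, b"\x00"))
            net = ipaddress.ip_network(f"{addr}/{source}", strict=False)
            # sing-box prints this as SUBNET: <net>/<source>/<scope>, e.g. 58.250.0.0/16/18
            return {"family": family, "source": source, "scope": scope,
                    "subnet": str(net), "text": f"{net}/{scope}"}
    return None


def ecs_honored(response: bytes) -> bool:
    """True only if the resolver echoed ECS with a non-zero scope, i.e. tailored the answer."""
    ecs = parse_ecs(response)
    return ecs is not None and ecs["scope"] > 0


if __name__ == "__main__":
    q = build_query("www.mi.com", "58.250.0.0/16")
    print("mi.com ->", parse_ecs(build_response(q, ["116.162.225.153"], ("58.250.0.0/16", 18))))
    print("dji.com ->", parse_ecs(build_response(build_query("www.dji.com", None), ["3.164.110.49"], None)))
```

`ecs_honored` is the check to run when comparing the two cases: an answer whose OPT carries no ECS at all, or echoes it with scope 0, was not tailored to the configured subnet, which is what a geographically wrong CDN answer looks like. To test a live path, send `build_query(...)` over UDP to the resolver under test and feed the reply to `parse_ecs`; with an encrypted upstream such as the DoH server in this config, capture the decoded message at the client instead.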