[Bug] MacOS Tun does not correctly override DNS in the latest version #439

Closed
6 tasks done
kmahyyg opened this issue Jan 4, 2025 · 15 comments
Labels
bug Something isn't working

Comments

@kmahyyg

kmahyyg commented Jan 4, 2025

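Verify steps

  • I have briefly described the problem I encountered in the title
  • I have searched the Issue Tracker for the problem I want to raise and did not find the same problem
  • I have looked for my problem in the FAQ and did not find an answer
  • This is a problem with the GUI program, not with the core program
  • I have tested with all antivirus/proxy software closed, and the problem still exists
  • I have tested with the latest beta version, and the problem still exists

Operating system

MacOS

System version

15.2 (24C101) ARM64

mihomo-party version where the problem occurs

v1.5.12

Description

In versions 1.5.10/1.5.11, enabling tun mode automatically changed the DNS of the current network interface to 198.18.0.2. In 1.5.12 this feature no longer works, and the DNS remains the one issued by DHCP on the original network.

In the GUI settings, Take over DNS=True and Take over Sniff=True are configured.
In the DNS configuration, Override DNS policy=False, Use system Hosts=True, IPv6=False.
Sniff configuration is enabled, Override connection address=False.

The historical Issue #80 mentions that it is configured automatically, but in practice it is not.

Steps to reproduce

Enable Tun mode, with DNS configured as Fake-IP.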

@mihomo-party-bot mihomo-party-bot bot added the bug Something isn't working label Jan 4, 2025
@xishang0128
Member

party has never set the DNS to "198.18.0.2"; it sets it to "223.5.5.5"

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

That doesn't match what you said either: it still stays on the DNS issued by DHCP rather than the 223.5.5.5 you mentioned

@xishang0128
Member

@kmahyyg Screenshot your DNS settings

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

Image

@xishang0128
Member

@kmahyyg Virtual network interface settings

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

Image
Image

@xishang0128
Member

@kmahyyg Send the log

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

Image
2025-1-4_REDACTED.log.zip

Username and server domain name redacted. Logging level changed to debug.
Reproduction steps:

  • Change log level and fully exit the app
  • Clean all logs, start the app
  • Enable TUN mode and ping baidu.com (should return IP 198.18.0.x)
  • Disable TUN mode and exit the app
  • Collect the log

May I kindly request that this issue be reopened for progress tracking purposes?

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

Just FYI, affected code should be located

```typescript
async function getOriginDNS(): Promise<void> {
  const execPromise = promisify(exec)
  const service = await getDefaultService()
  const { stdout: dns } = await execPromise(`networksetup -getdnsservers "${service}"`)
  if (dns.startsWith("There aren't any DNS Servers set on")) {
    await patchAppConfig({ originDNS: 'Empty' })
  } else {
    await patchAppConfig({ originDNS: dns.trim().replace(/\n/g, ' ') })
  }
}

async function setDNS(dns: string): Promise<void> {
  const service = await getDefaultService()
  const execPromise = promisify(exec)
  await execPromise(`networksetup -setdnsservers "${service}" ${dns}`)
}

async function setPublicDNS(): Promise<void> {
  if (process.platform !== 'darwin') return
  if (net.isOnline()) {
    const { originDNS } = await getAppConfig()
    if (!originDNS) {
      await getOriginDNS()
      await setDNS('223.5.5.5')
    }
  } else {
    if (setPublicDNSTimer) clearTimeout(setPublicDNSTimer)
    setPublicDNSTimer = setTimeout(() => setPublicDNS(), 5000)
  }
}

async function recoverDNS(): Promise<void> {
  if (process.platform !== 'darwin') return
  if (net.isOnline()) {
    const { originDNS } = await getAppConfig()
    if (originDNS) {
      await setDNS(originDNS)
      await patchAppConfig({ originDNS: undefined })
    }
  } else {
    if (recoverDNSTimer) clearTimeout(recoverDNSTimer)
    recoverDNSTimer = setTimeout(() => recoverDNS(), 5000)
  }
}
```

```
❯ networksetup -listnetworkserviceorder
An asterisk (*) denotes that a network service is disabled.
(1) USB 10/100/1000 LAN
(Hardware Port: USB 10/100/1000 LAN, Device: en9)

(2) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)

(3) iPhone USB
(Hardware Port: iPhone USB, Device: en8)

❯ networksetup -setdnsservers "Wi-Fi" "198.18.0.2"
** Error: Command requires admin privileges.
❯ networksetup -getdnsservers "Wi-Fi"
There aren't any DNS Servers set on Wi-Fi.
❯ sudo networksetup -setdnsservers "Wi-Fi" "198.18.0.2"
❯ networksetup -getdnsservers "Wi-Fi"
198.18.0.2
```

The output above may be helpful for troubleshooting. Thanks for assistance in advance.

@xishang0128 xishang0128 reopened this Jan 4, 2025
@ghost

ghost commented Jan 4, 2025

Image

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

Image

Thanks for the guidance. After turning it off, the DNS has been successfully set to 223.5.5.5. However, I would consider this a temporary workaround because it might lower the security posture of the system. Is it possible to have a privileged helper program without turning this option off?

@xishang0128
Member

@kmahyyg That would require party to store the password, and some people consider that even less secure

@kmahyyg
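Author

kmahyyg commented Jan 4, 2025

> @kmahyyg That would require party to store the password, and some people consider that even less secure

I think that may not be necessary, because:

```
> ps axuw | grep -i mihomo
root              5034   0.5  0.2 411570448  34560   ??  S     5:11PM   0:00.45 /Applications/Mihomo Party.app/Contents/Resources/sidecar/mihomo -d /Users/USERNAME/Library/Application Support/mihomo-party/work -ext-ctl-unix /tmp/mihomo-party.sock
```

Because it looks like, in fact, you already have a sidecar process with root privileges; all that is needed is a wrapper, for example passing a cmd+dns into this process through the unix socket to implement a privileged IPC that changes the DNS.

Then, when the user has Fake-IP + Tun enabled, automatically changing the DNS to 198.18.0.2 may be a better choice than 223.5.5.5.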
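
Added example (not part of the thread and not mihomo-party code): a root helper that accepted DNS changes over a Unix socket, as proposed in the comment above, would have to validate every request before running `networksetup`. The JSON request shape, the function names and the IPv4-only rule are assumptions made for this example.

```typescript
// Added example: request validation for a hypothetical root DNS helper.
// The request shape, names and IPv4-only rule are assumptions, not project code.
type DnsRequest = { cmd: 'set-dns'; service: string; servers: string[] }
type Argv = { file: string; args: string[] }

// Service names as listed by `networksetup -listnetworkserviceorder` in the thread.
const KNOWN_SERVICES = ['USB 10/100/1000 LAN', 'Wi-Fi', 'iPhone USB']

// Strict dotted quad: four decimal octets 0-255, no leading zeros, nothing else.
function isIPv4(s: string): boolean {
  const parts = s.split('.')
  return parts.length === 4 && parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255)
}

// Turn one untrusted JSON line read from the socket into an argv, or throw.
function buildDnsArgv(line: string, knownServices: string[] = KNOWN_SERVICES): Argv {
  let req: unknown
  try {
    req = JSON.parse(line)
  } catch {
    throw new Error('malformed JSON')
  }
  if (typeof req !== 'object' || req === null) throw new Error('request is not an object')
  const { cmd, service, servers } = req as Partial<DnsRequest>
  if (cmd !== 'set-dns') throw new Error('unsupported command')
  // Accept only a service name the helper enumerated itself.
  if (typeof service !== 'string' || !knownServices.includes(service)) {
    throw new Error('unknown network service')
  }
  if (!Array.isArray(servers) || servers.length > 4) throw new Error('bad server list')
  if (!servers.every((s) => typeof s === 'string' && isIPv4(s))) {
    throw new Error('server is not an IPv4 address')
  }
  // An empty list maps to the "Empty" keyword, which clears the manual DNS setting.
  const dns = servers.length === 0 ? ['Empty'] : servers
  // Every value is a separate argv element for execFile, so no shell parses it.
  return { file: '/usr/sbin/networksetup', args: ['-setdnsservers', service, ...dns] }
}
```

The returned `file` and `args` are meant for `child_process.execFile`, which runs the binary directly without a shell.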

@xishang0128
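Member

@kmahyyg If it is set to 198.18.0.2, an abnormal exit would leave the machine unable to get online, while a public DNS does not have this problem; the core only needs a DNS address that can be routed to the tun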

@kmahyyg
Author

kmahyyg commented Jan 4, 2025

I agree with @xishang0128, and as for the suggested wrapper implementation, please consider it. If you choose to ask users to turn off "require an administrator password to access system-wide settings", please add it to the manual and FAQ page on your website to help poor basxxxd like me.

I really appreciate your help regarding this issue and thank you so much for your excellent work.

@kmahyyg kmahyyg closed this as not planned Jan 4, 2025