Description
Operating system
iOS
System version
iOS 26.2 (23C55)
Installation type
sing-box for iOS Graphical Client
If you are using a graphical client, please provide the version of the client.
SFI 1.13.0 Build 85
Version
sing-box 1.13.0-beta.5
Description
I am encountering a connectivity issue where the naiveproxy outbound fails to establish connections on SFI, resulting in widespread DNS resolution failures.
The client attempts to initiate an outbound connection, but it appears to hang or drop, causing subsequent DNS exchanges to fail.
The exact same configuration works perfectly on SFM within the same network environment.
No connection logs are received or generated on the server side when attempting to connect from SFI, indicating the packets likely never established a valid handshake or did not leave the client device successfully.
All platforms are running sing-box 1.13.0-beta.5.
Reproduction
Server configuration:
{
  "log": {
    "level": "info"
  },
  "dns": {
    "servers": [
      {
        "type": "https",
        "tag": "google",
        "server": "8.8.8.8"
      }
    ]
  },
  "inbounds": [
    {
      "type": "naive",
      "tag": "naive-in",
      "listen": "::",
      "listen_port": 443,
      "users": [
        {
          "username": "username",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "servername.com",
        "certificate_path": "/etc/letsencrypt/live/servername.com/fullchain.pem",
        "key_path": "/etc/letsencrypt/live/servername.com/privkey.pem"
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
Client configuration:
{
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "address": [
        "172.19.0.1/30",
        "fdfe:dcba:9876::1/126"
      ],
      "auto_route": true,
      "strict_route": true
    }
  ],
  "experimental": {
    "cache_file": {
      "enabled": true,
      "store_fakeip": true
    },
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
      "external_ui": "ui",
      "default_mode": "Enhanced"
    }
  },
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "dns_proxy",
        "type": "https",
        "server": "8.8.8.8",
        "detour": "proxy"
      },
      {
        "tag": "dns_direct",
        "type": "udp",
        "server": "223.5.5.5"
      }
    ],
    "rules": [
      {
        "rule_set": "geosite-geolocation-cn",
        "server": "dns_direct"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "rule_set": "geosite-geolocation-!cn",
            "invert": true
          },
          {
            "rule_set": "geoip-cn"
          }
        ],
        "server": "dns_proxy",
        "client_subnet": "114.114.114.114/24"
      }
    ],
    "final": "dns_proxy",
    "strategy": "prefer_ipv4"
  },
  "route": {
    "rule_set": [
      {
        "tag": "geoip-cn",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/cn.srs"
      },
      {
        "tag": "geosite-geolocation-cn",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/geolocation-cn.srs"
      },
      {
        "tag": "geosite-geolocation-!cn",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/geolocation-!cn.srs"
      }
    ],
    "rules": [
      {
        "action": "sniff"
      },
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "protocol": "dns"
          },
          {
            "port": 53
          }
        ],
        "action": "hijack-dns"
      },
      {
        "type": "logical",
        "mode": "or",
        "rules": [
          {
            "port": 853
          },
          {
            "network": "udp",
            "port": 443
          }
        ],
        "action": "reject"
      },
      {
        "rule_set": "geosite-geolocation-cn",
        "outbound": "direct"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "rule_set": "geoip-cn"
          },
          {
            "rule_set": "geosite-geolocation-!cn",
            "invert": true
          }
        ],
        "outbound": "direct"
      }
    ],
    "default_domain_resolver": "dns_direct",
    "auto_detect_interface": true,
    "final": "proxy"
  },
  "outbounds": [
    {
      "tag": "proxy",
      "type": "naive",
      "server": "server_ip",
      "server_port": 443,
      "username": "username",
      "password": "password",
      "insecure_concurrency": 0,
      "udp_over_tcp": {
        "enabled": true,
        "version": 2
      },
      "tls": {
        "enabled": true,
        "server_name": "servername.com",
        "insecure": false
      }
    },
    {
      "tag": "direct",
      "type": "direct"
    }
  ]
}
Logs
SFI log:
DEBUG[0001] [2738969218 1.3s] dns: exchange gateway.icloud.com. IN AAAA
DEBUG[0001] [2262995103 1.3s] dns: exchange gateway.icloud.com. IN A
INFO[0001] [2262995103 1.3s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
DEBUG[0001] [334894256 1.1s] dns: exchange edge-012.hkhkg2.icloud-content.com. IN A
DEBUG[0001] [3898792744 1.1s] dns: exchange gateway.icloud.com. IN HTTPS
DEBUG[0001] [2301708078 1.2s] dns: exchange 40-courier.push.apple.com. IN AAAA
DEBUG[0001] [3892646158 1.2s] dns: exchange 40-courier.push.apple.com. IN A
DEBUG[0001] [3422292735 1.2s] dns: exchange edge-012.hkhkg2.icloud-content.com. IN HTTPS
DEBUG[0001] [1934473037 1.2s] dns: exchange edge-012.hkhkg2.icloud-content.com. IN AAAA
DEBUG[0001] [3359066610 1.3s] dns: exchange _dns.resolver.arpa. IN SVCB
ERROR[0001] [2262995103 1.3s] dns: exchange failed for gateway.icloud.com. IN A: name not resolved
ERROR[0001] [3892646158 1.3s] dns: exchange failed for 40-courier.push.apple.com. IN A: name not resolved
ERROR[0001] [3898792744 1.2s] dns: exchange failed for gateway.icloud.com. IN HTTPS: name not resolved
ERROR[0001] [2262995103 1.3s] router: process DNS packet: name not resolved
ERROR[0001] [3892646158 1.3s] router: process DNS packet: name not resolved
ERROR[0001] [3898792744 1.2s] router: process DNS packet: name not resolved
ERROR[0001] [3359066610 1.3s] dns: exchange failed for _dns.resolver.arpa. IN SVCB: name not resolved
ERROR[0001] [2301708078 1.3s] dns: exchange failed for 40-courier.push.apple.com. IN AAAA: name not resolved
ERROR[0001] [3359066610 1.3s] router: process DNS packet: name not resolved
ERROR[0001] [2301708078 1.3s] router: process DNS packet: name not resolved
ERROR[0001] [334894256 1.2s] dns: exchange failed for edge-012.hkhkg2.icloud-content.com. IN A: name not resolved
ERROR[0001] [2738969218 1.4s] dns: exchange failed for gateway.icloud.com. IN AAAA: name not resolved
ERROR[0001] [334894256 1.2s] router: process DNS packet: name not resolved
ERROR[0001] [1934473037 1.2s] dns: exchange failed for edge-012.hkhkg2.icloud-content.com. IN AAAA: name not resolved
ERROR[0001] [1934473037 1.2s] router: process DNS packet: name not resolved
ERROR[0001] [2738969218 1.4s] router: process DNS packet: name not resolved
ERROR[0001] [3422292735 1.2s] dns: exchange failed for edge-012.hkhkg2.icloud-content.com. IN HTTPS: name not resolved
ERROR[0001] [3422292735 1.2s] router: process DNS packet: name not resolved
INFO[0005] [2203147812 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:60430
INFO[0005] [2203147812 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
DEBUG[0005] [2203147812 0ms] router: match[0] => sniff
DEBUG[0005] [2203147812 0ms] router: sniffed packet protocol: dns
DEBUG[0005] [2203147812 0ms] router: match[1] protocol=dns || port=53 => hijack-dns
DEBUG[0005] [2203147812 0ms] dns: exchange gspe1-ssl.ls.apple.com. IN HTTPS
INFO[0005] [3982886159 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:57858
INFO[0005] [3982886159 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
INFO[0005] [2203147812 0ms] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
DEBUG[0005] [3982886159 0ms] router: match[0] => sniff
DEBUG[0005] [3982886159 0ms] router: sniffed packet protocol: dns
DEBUG[0005] [3982886159 0ms] router: match[1] protocol=dns || port=53 => hijack-dns
DEBUG[0005] [3982886159 0ms] dns: exchange gspe1-ssl.ls.apple.com. IN AAAA
INFO[0005] [601266555 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:55805
INFO[0005] [601266555 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
DEBUG[0005] [601266555 0ms] router: match[0] => sniff
DEBUG[0005] [601266555 0ms] router: sniffed packet protocol: dns
DEBUG[0005] [601266555 0ms] router: match[1] protocol=dns || port=53 => hijack-dns
DEBUG[0005] [601266555 0ms] dns: exchange gspe1-ssl.ls.apple.com. IN A
ERROR[0005] [3982886159 6ms] dns: exchange failed for gspe1-ssl.ls.apple.com. IN AAAA: name not resolved
ERROR[0005] [601266555 5ms] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
ERROR[0005] [3982886159 6ms] router: process DNS packet: name not resolved
ERROR[0005] [601266555 5ms] router: process DNS packet: name not resolved
ERROR[0005] [2203147812 6ms] dns: exchange failed for gspe1-ssl.ls.apple.com. IN HTTPS: name not resolved
ERROR[0005] [2203147812 6ms] router: process DNS packet: name not resolved
DEBUG[0006] [2203147812 1.2s] dns: exchange gspe1-ssl.ls.apple.com. IN HTTPS
DEBUG[0006] [3982886159 1.2s] dns: exchange gspe1-ssl.ls.apple.com. IN AAAA
DEBUG[0006] [601266555 1.2s] dns: exchange gspe1-ssl.ls.apple.com. IN A
INFO[0006] [601266555 1.2s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
ERROR[0006] [601266555 1.3s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
ERROR[0006] [3982886159 1.3s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN AAAA: name not resolved
ERROR[0006] [2203147812 1.3s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN HTTPS: name not resolved
ERROR[0006] [601266555 1.3s] router: process DNS packet: name not resolved
ERROR[0006] [2203147812 1.3s] router: process DNS packet: name not resolved
ERROR[0006] [3982886159 1.3s] router: process DNS packet: name not resolved
DEBUG[0007] [2738969218 7.27s] dns: exchange gateway.icloud.com. IN AAAA
DEBUG[0007] [2262995103 7.27s] dns: exchange gateway.icloud.com. IN A
DEBUG[0007] [3359066610 7.27s] dns: exchange _dns.resolver.arpa. IN SVCB
DEBUG[0007] [2301708078 7.26s] dns: exchange 40-courier.push.apple.com. IN AAAA
DEBUG[0007] [3892646158 7.26s] dns: exchange 40-courier.push.apple.com. IN A
INFO[0007] [2262995103 7.27s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
ERROR[0007] [2301708078 7.26s] dns: exchange failed for 40-courier.push.apple.com. IN AAAA: name not resolved
ERROR[0007] [2262995103 7.27s] dns: exchange failed for gateway.icloud.com. IN A: name not resolved
ERROR[0007] [3359066610 7.27s] dns: exchange failed for _dns.resolver.arpa. IN SVCB: name not resolved
ERROR[0007] [2301708078 7.26s] router: process DNS packet: name not resolved
ERROR[0007] [2262995103 7.27s] router: process DNS packet: name not resolved
ERROR[0007] [3892646158 7.26s] dns: exchange failed for 40-courier.push.apple.com. IN A: name not resolved
ERROR[0007] [3359066610 7.27s] router: process DNS packet: name not resolved
ERROR[0007] [3892646158 7.26s] router: process DNS packet: name not resolved
ERROR[0007] [2738969218 7.27s] dns: exchange failed for gateway.icloud.com. IN AAAA: name not resolved
ERROR[0007] [2738969218 7.27s] router: process DNS packet: name not resolved
DEBUG[0008] [2203147812 3.6s] dns: exchange gspe1-ssl.ls.apple.com. IN HTTPS
INFO[0008] [2203147812 3.6s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
DEBUG[0008] [601266555 3.6s] dns: exchange gspe1-ssl.ls.apple.com. IN A
DEBUG[0008] [3982886159 3.6s] dns: exchange gspe1-ssl.ls.apple.com. IN AAAA
ERROR[0008] [3982886159 3.7s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN AAAA: name not resolved
ERROR[0008] [2203147812 3.7s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN HTTPS: name not resolved
ERROR[0008] [3982886159 3.7s] router: process DNS packet: name not resolved
ERROR[0008] [2203147812 3.7s] router: process DNS packet: name not resolved
ERROR[0008] [601266555 3.6s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
ERROR[0008] [601266555 3.6s] router: process DNS packet: name not resolved
DEBUG[0012] [2203147812 7.17s] dns: exchange gspe1-ssl.ls.apple.com. IN HTTPS
DEBUG[0012] [3982886159 7.17s] dns: exchange gspe1-ssl.ls.apple.com. IN AAAA
DEBUG[0012] [601266555 7.17s] dns: exchange gspe1-ssl.ls.apple.com. IN A
INFO[0012] [601266555 7.17s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
ERROR[0012] [601266555 7.18s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
ERROR[0012] [2203147812 7.18s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN HTTPS: name not resolved
ERROR[0012] [601266555 7.18s] router: process DNS packet: name not resolved
ERROR[0012] [2203147812 7.18s] router: process DNS packet: name not resolved
ERROR[0012] [3982886159 7.18s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN AAAA: name not resolved
ERROR[0012] [3982886159 7.18s] router: process DNS packet: name not resolved
(packet-tunnel) stopping, reason: NEProviderStopReason(rawValue: 1)
(packet-tunnel) stop service: invalid argument
Supporter
- I am a sponsor
Integrity requirements
- I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
- I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
- I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
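
Added example for triaging the SFI log in this report (not part of the original issue and not sing-box code): it pairs each `outbound connection to` line with the next `exchange failed` line on the same connection id and reports the elapsed gap between them. The function names and the line regex are assumptions derived from the log lines shown above; the sample lines are copied from that log.

```python
import re
from collections import defaultdict

# Lines copied from the SFI log in the report above (abridged selection).
SAMPLE_LOG = """\
DEBUG[0005] [2203147812 0ms] dns: exchange gspe1-ssl.ls.apple.com. IN HTTPS
INFO[0005] [2203147812 0ms] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
DEBUG[0005] [601266555 0ms] dns: exchange gspe1-ssl.ls.apple.com. IN A
ERROR[0005] [601266555 5ms] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
ERROR[0005] [2203147812 6ms] dns: exchange failed for gspe1-ssl.ls.apple.com. IN HTTPS: name not resolved
INFO[0006] [601266555 1.2s] outbound/naive[proxy]: outbound connection to 8.8.8.8:443
ERROR[0006] [601266555 1.3s] dns: exchange failed for gspe1-ssl.ls.apple.com. IN A: name not resolved
(packet-tunnel) stopping, reason: NEProviderStopReason(rawValue: 1)
"""

# Assumed layout: LEVEL[seconds] [connection-id elapsed] module: message
LINE = re.compile(r"^(\w+)\[(\d+)\] \[(\d+) ([\d.]+)(ms|s)\] ([^:]+): (.*)$")
DIAL = re.compile(r"^outbound connection to (\S+)$")
FAIL = re.compile(r"^exchange failed for (\S+) IN (\w+): (.*)$")

def parse(text):
    """Yield (conn_id, elapsed_ms, module, message); skip lines in other formats."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            _, _, conn, val, unit, module, msg = m.groups()
            yield conn, round(float(val) * (1000 if unit == "s" else 1)), module, msg

def triage(text):
    """Pair each outbound dial with the next DNS failure on the same connection id."""
    pending = {}                     # conn_id -> (outbound module, target, elapsed at dial)
    dials = defaultdict(int)         # outbound module -> number of dial attempts
    fast_fail, orphan = [], []       # failures after a dial / failures with no dial logged
    for conn, ms, module, msg in parse(text):
        d, f = DIAL.match(msg), FAIL.match(msg)
        if d and module.startswith("outbound/"):
            pending[conn] = (module, d.group(1), ms)
            dials[module] += 1
        elif f and module == "dns":
            if conn in pending:
                out, target, t0 = pending.pop(conn)
                fast_fail.append((conn, out, target, ms - t0, f.group(3)))
            else:
                orphan.append((conn, f.group(1), f.group(2)))
    return dict(dials), fast_fail, orphan

if __name__ == "__main__":
    dials, fast_fail, orphan = triage(SAMPLE_LOG)
    print(dials, fast_fail, orphan, sep="\n")
```

On the sample lines the gaps are 6 ms and 100 ms, so each exchange fails shortly after the dial is logged instead of waiting on a timeout; the `orphan` list holds failures on connection ids that never logged a dial of their own.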