taamarin / box_for_magisk

Transparent Proxy for Android(root)
GNU General Public License v3.0
1.2k stars 124 forks

Blacklisted apps steal DNS from proxy to resolve IPv6 #117

Open Anderhar opened 3 months ago

Anderhar commented 3 months ago

I'm already seeing a lot of IPv6-related issues here, so mine will just be a few more cents in this piggy bank.

The problem is as follows. I am using BFM with the sing-box core in whitelist mode for only one app (successfully tunneling a paid VPN client), so all other apps are considered blacklisted. My cellular carrier doesn't provide IPv6, so under normal circumstances the DNS leak test only shows IPv4 DNS servers belonging to my carrier. But when BFM is enabled, within a blacklisted web browser I can see a set of leaking IPv6 DNS servers coming from the Cloudflare DNS defined in my sing-box config. So, the blacklisted apps may still access BFM's DNS and use it to resolve IPv6 requests.

For now, I've managed to soften the problem by adding the "detour": "direct" parameter, just to not expose the location of my VPS. But that doesn't fix the leak itself, and it still looks rather suspicious. A similar leak, but of both IPv6 and IPv4, occurs when I share my VPN connection via Wi-Fi tethering (but I'm not sure if it's the same thing).

The final tests were performed on the latest v1.5.0_9395bf1_20240525_debug with IPv6 DNS fix.

My settings.ini tweaks are:

ipv6="true" #changing to "false" does not make any difference
bin_name="sing-box"
network_mode="tun"
proxy_mode="whitelist"
packages_list=("targeted_application")

My sing-box config is also here: config.json
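The workaround described above, written out as a sing-box DNS fragment. This is an added example, not the reporter's config.json and not part of the box_for_magisk project: the server tags, the Cloudflare DoH address and the "local" bootstrap resolver are assumptions. The one line that matters for the reported symptom is "detour": "direct" on the Cloudflare server: without it (or with "detour" pointing at the VPS outbound), the resolver's own queries to 1.1.1.1 leave through the VPS, so a blacklisted app that reaches this resolver reveals the VPS location to the leak test. With it, the upstream query goes out over the carrier link, which is why the reporter sees the location hidden while the IPv6 answers from Cloudflare still leak.

```json
{
  "dns": {
    "servers": [
      {
        "tag": "cloudflare",
        "address": "https://1.1.1.1/dns-query",
        "address_resolver": "local",
        "detour": "direct"
      },
      {
        "tag": "local",
        "address": "local",
        "detour": "direct"
      }
    ],
    "final": "cloudflare"
  }
}
```

Two caveats for anyone copying this: it only changes which interface the resolver's upstream traffic uses, not which apps are allowed to reach the resolver, so it is a mitigation and not a fix for the leak itself, exactly as the reporter says; and it assumes the sing-box "dns.servers[].detour" field and the "local" pseudo-address, which are part of the sing-box DNS configuration but whose exact behaviour under BFM's whitelist routing is not something this issue establishes.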

Anderhar commented 2 months ago

Still present in v1.6.0 with updated TUN inbound.