Download Latest Version
sing-box-1.12.1-linux-s390x.tar.gz (16.0 MB)
Get an email when there's a new version of Sing-box
:memo: Release Notes
Important changes since 1.11:
- Refactor DNS servers 1
- Add domain resolver options2
- Add TLS fragment/record fragment support to route options and outbound TLS options 3
- Add certificate options 4
- Add Tailscale endpoint and DNS server 5
- Drop support for go1.22 6
- Add AnyTLS protocol 7
- Migrate to stdlib ECH implementation 8
- Add NTP sniffer 9
- Add wildcard SNI support for ShadowTLS inbound 10
- Improve
auto_redirect11 - Add control options for listeners 12
- Add DERP service 13
- Add Resolved service and DNS server 14
- Add SSM API service 15
- Add loopback address support for tun 16
- Improve tun performance on Apple platforms 17
- Update quic-go to v0.52.0
- Update gVisor to 20250319.0
- Update the status of graphical clients in stores 18
1:
DNS servers are refactored for better performance and scalability.
See DNS server.
For migration, see Migrate to new DNS server formats.
Compatibility for old formats will be removed in sing-box 1.14.0.
2:
Legacy outbound DNS rules are deprecated and can be replaced by the new domain_resolver option.
See Dial Fields and Route.
For migration, see Migrate outbound DNS rule items to domain resolver.
3:
See Route Action and TLS.
4:
New certificate options allow you to manage the default list of trusted X509 CA certificates.
For the system certificate list, fixed Go not reading Android trusted certificates correctly.
You can also use the Mozilla Included List instead, or add trusted certificates yourself.
See Certificate.
5:
See Tailscale.
6:
Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from MetaCubeX/go.
7:
The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.
See AnyTLS Inbound and AnyTLS Outbound.
8:
See TLS.
The build tag with_ech is no longer needed and has been removed.
9:
See Protocol Sniff.
10:
See ShadowTLS.
11:
Now auto_redirect fixes compatibility issues between tun and Docker bridge networks, see Tun.
12:
You can now set bind_interface, routing_mark and reuse_addr in Listen Fields.
See Listen Fields.
13:
DERP service is a Tailscale DERP server, similar to derper.
See DERP Service.
14:
Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs (e.g. NetworkManager) and provide DNS resolution.
See Resolved Service and Resolved DNS Server.
15:
SSM API service is a RESTful API server for managing Shadowsocks servers.
See SSM API Service.
16:
TUN now implements SideStore's StosVPN.
See Tun.
17:
We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
The following data was tested using tun_bench on M4 MacBook pro.
| Version | Stack | MTU | Upload | Download |
|---|---|---|---|---|
| 1.11.15 | gvisor | 1500 | 852M | 2.57G |
| 1.12.0-rc.4 | gvisor | 1500 | 2.90G | 4.68G |
| 1.11.15 | gvisor | 4064 | 2.31G | 6.34G |
| 1.12.0-rc.4 | gvisor | 4064 | 7.54G | 12.2G |
| 1.11.15 | gvisor | 65535 | 27.6G | 18.1G |
| 1.12.0-rc.4 | gvisor | 65535 | 39.8G | 34.7G |
| 1.11.15 | system | 1500 | 664M | 706M |
| 1.12.0-rc.4 | system | 1500 | 2.44G | 2.51G |
| 1.11.15 | system | 4064 | 1.88G | 1.94G |
| 1.12.0-rc.4 | system | 4064 | 6.45G | 6.27G |
| 1.11.15 | system | 65535 | 26.2G | 17.4G |
| 1.12.0-rc.4 | system | 65535 | 17.6G | 21.0G |
18:
We continue to experience issues updating our sing-box apps on the App Store and Play Store. Until we rewrite and resubmit the apps, they are considered irrecoverable. Therefore, after this release, we will not be repeating this notice unless there is new information.