A Brief Configuration Guide for Clash (Meta) DNS

Posted on Edited on In Views: Disqus: Word count in article: 4.9k Reading time ≈ 4 mins.

This guide provides a brief overview of DNS configuration in the Clash Meta kernel. It covers the basics of DNS, the issues of DNS hijacking, pollution, and leaks, and how Clash’s DNS configuration can resolve them. The article also includes detailed steps for setting up DNS in Clash Meta, helping users enhance their browsing experience by securing DNS queries. Ideal for readers familiar with Clash configuration files, this guide aims to simplify DNS setup and improve internet security.

Preface

Due to the Clash kernel being discontinued for a long timedeleted, and encountering persistent “strange” DNS resolution issues during my usage, I was troubled until I resolved my problem by using the Clash Meta kernel. Therefore, in the following, “Clash” will refer to the “Clash Meta kernel” [1].

Regarding the DNS configuration of Clash, I have “tinkered” with it multiple times. After reading some blogs and documentation [3-5], I felt it necessary to write an article to briefly summarize Clash’s DNS configuration, hoping to be of help. This article is suitable for readers who already have some understanding of Clash configuration files (for example, those who can customize Clash configuration files). If you are only using Clash, it is recommended to first read the official Clash documentation and other tutorials to gain a deep understanding of Clash’s configuration files [7] before reading this article.

What are DNS, DNS Hijacking, Pollution, and Leaks?

For these topics, you can study the fundamentals of networking and read some related articles/videos here. They will not be elaborated on here.

How to Solve?

Clash’s DNS configuration can help us solve these problems. Clash supports multiple DNS configuration methods [2], including traditional UDP and TCP-based DNS, as well as more secure options like DoH, DoT, DoQ, etc. This article will not introduce these DNS configuration methods. You can refer to the official Clash documentation [1-2].

Clash DNS Configuration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
dns:
  enable: true
  ipv6: false
  respect-rules: true
  enhanced-mode: fake-ip
  listen: 0.0.0.0:53
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter: ['*', '+.lan', '+.local', '+.direct', '+.msftconnecttest.com', '+.msftncsi.com']
  default-nameserver:
    - 223.5.5.5
    - 119.29.29.29
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
  nameserver:
    - https://120.53.53.53/dns-query
    - https://223.5.5.5/dns-query
  proxy-server-nameserver:
    - https://120.53.53.53/dns-query
    - https://223.5.5.5/dns-query
  nameserver-policy:
    'geosite:cn,private':
      - https://120.53.53.53/dns-query
      - https://1.12.12.12/dns-query
      - https://223.5.5.5/dns-quer
    'geosite:gfw,geolocation-!cn':
      - https://1.0.0.2/dns-query
      - https://doh.dns.sb/dns-query
      - https://dns.cloudflare.com/dns-query
      - https://dns.google/dns-query

When Does Clash Perform DNS Requests?

To answer this question, let’s first understand the workflow of Clash DNS:

Clash DNS’s workflow is as shown in the above diagram. When Clash receives a request, it first performs rule matching. If the accessed website, for example, www.example.com, matches a rule, Clash will perform the corresponding action based on the rule, such as direct connection, proxy, interception, etc.

  1. Proxy Match: If it matches “proxy”, Clash will forward the request to the proxy server, which will perform DNS resolution. In this case, Clash does not perform DNS requests.
  2. Direct Match: If it matches “direct”, Clash will perform DNS requests.
  3. Reject Match: If it matches “reject”, Clash will intercept directly, and Clash does not perform DNS requests.

If none of the rules match the domain, and it encounters IP-based rules (e.g., IP-CIDR,192.168.0.0/16,DIRECT), then Clash will also perform DNS requests.

The Process of Domain Name Resolution in ClashDNS

When Clash performs a DNS request to resolve a domain name, it first checks the cache. If the cache contains the resolution result for the domain name, Clash will directly return the cached result. Otherwise, Clash will perform a DNS request based on the configured DNS servers.

  1. FakeIP-Direct Domains that are not hit will attempt to match the nameserver-policy. If the domain matches a nameserver-policy, Clash will use the DNS servers defined in that nameserver-policy to perform the DNS request.
  2. If it does not match the nameserver-policy, Clash will use the DNS servers in nameserver to perform the DNS request.
  3. default-nameserver is the default DNS, used to resolve the domains of “DNS servers” (for example, when nameserver: https://doh.pub/dns-query is used, to resolve doh.pub).

How to Prevent DNS Hijacking, Pollution, and Leaks?

We can use secure DNS servers, such as DoH, DoT, etc. Some domestic providers may have DNS pollution issues, so we can use public DNS servers, especially with a fallback strategy (or nameserver-policy), to let foreign websites use foreign DNS servers.

Conclusion

DNS is an important infrastructure of the internet. Currently, there is also some research in academia on DNS security. For example, Professor Duan Haixin’s team at Tsinghua University has many outstanding research results in this area.

The security of DNS is crucial for our online experience. Clash’s DNS configuration can help users solve problems like DNS hijacking, pollution, and leaks in daily browsing. I hope this article is helpful to everyone.

References

[1] Clash Meta Document

[2] Clash Meta DNS Configuration

[3] Sukka - I Have Unique DNS Configuration and Usage Tips

[4] What is Fake-IP

[5] An In-Depth Introduction to Clash DNS’s Working Principles

[6] Comprehensive List of Free Public DNS Servers

[7] Clash Meta Reference Configuration File