Closed adiprasetya closed 8 months ago
Thank you for the feedback. I need to conduct some tests to determine where the problem lies and how to modify it.
@adiprasetya
Based on my understanding of your question, it seems you're experiencing an issue where, despite having set your local DNS to Cloudflare DNS, a DNS Leak Test identifies the DNS server as the AdGuard DNS server set on your service side. Please correct me if my understanding is inaccurate.
Regarding this issue, consider the insights from these two articles:
浅谈在代理环境中的 DNS 解析行为 漫谈各种黑科技式 DNS 技术在代理环境中的应用
Concerning your configuration file:
Copy code
dns:
enable: true
ipv6: false
enhanced-mode: redir-host # or fake-ip
default-nameserver:
- 8.8.8.8#DIRECT
nameserver:
- tls://1.1.1.1#PROXY
- https://1.1.1.1/dns-query#PROXY
proxy-server-nameserver:
- 8.8.8.8#DIRECT
When accessing dnsleaktest.com
, consider the following scenarios:
Regarding the difference between redir-host
and fake-ip
modes, redir-host
always initiates local DNS resolution, potentially showing both Cloudflare DNS and AdGuard. In contrast, fake-ip
, when directly matching domain rules, bypasses local DNS resolution.
For a simple test, add the rule - DOMAIN-KEYWORD,dnsleaktest.com,DIRECT
at the top of your configuration file. After reloading the configuration, you should find that the detected DNS server is now your locally set Cloudflare DNS server.
Here are my test results: After adding - DOMAIN-KEYWORD,dnsleaktest.com,DIRECT
and setting my local DNS to Cloudflare, the results were as follows, only my client DNS:
Removing this rule and allowing dnsleaktest.com to go through the proxy, the result showed the remote server's DNS service:
as i know, dns client side configuration it should be using the client configuration (like sing-box). no matter if go through proxy or direct. for an example, if i using cloudflare and it's will be resolving on the client and then request to the server as an ip, that because it's already resolved on the client. if it's still request to the proxy server as a hostname, that will be resolve on the server, not in the client. dns resolver should be client only. it's matter for privacy. kinda not understanding what you mean.
sorry for the bad english.
I understand that what you want is for the client to complete the DNS resolution and then for the server to use the IP resolved by the client directly, without performing its own DNS resolution. However, to avoid DNS pollution, it is necessary to use a pure DNS server. Generally, we choose DOH or DOT services. In most cases, it's also necessary to add #PROXY
to query through a proxy. In this way, the DNS resolution is already done via a remote proxy server. From this perspective, there is no difference in terms of privacy issues compared to the current method.
This topic warrants further discussion, so I'll be moving it to the Discussions section rather than addressing it as an issue.
Prerequisites
Version
Clash Rev Version: v1.0.2 OS: android Architecture: arm64 Go Version: go1.21.4 Build Time: Thu Nov 16 10:14:11 CST 2023 Use tags: with_gvisor
Operating System
Linux, Android
Architecture
amd64, arm64
Configuration File
Log
Description
it seems clash still using dns on the server even the logs say that resolved from client conf. actually it using server configuration. before meta archive they repo, i already make this issue and no response. it is bug from clash founder. i hope it can be fixed. i just ordinary person so what can i do is just bug reporting.
Reproduction Steps
server configuration using sing-box set to adguard
dnsleaktest redir-host
dnsleaktest fake-ip
server log return hostname instead of ip, so it basically using dns server. unlike sing-box, sing-box return ip on the server log.