[Bug] dns配置了 use-hosts: false, 但是仍然参考了系统hosts

HydrangeaPurple commented 11 months ago

Verify steps

[X] 确保你使用的是本仓库最新的的 clash 或 clash Alpha 版本 Ensure you are using the latest version of Clash or Clash Premium from this repository.
[ ] 如果你可以自己 debug 并解决的话，提交 PR 吧 Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
[X] 我已经在 Issue Tracker 中找过我要提出的问题 I have searched on the issue tracker for a related issue.
[X] 我已经使用 Alpha 分支版本测试过，问题依旧存在 I have tested using the dev branch, and the issue still exists.
[X] 我已经仔细看过 Documentation 并无法自行解决问题 I have read the documentation and was unable to solve the issue.
[X] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题 This is an issue of the Clash core per se, not to the derivatives of Clash, like OpenClash or KoolClash.

Clash version

Clash Meta alpha-39289d9 windows amd64 with go1.21.3 Mon Oct 16 16:18:25 UTC 2023

What OS are you seeing the problem on?

Windows

Clash config

mixed-port: 7890
redir-port: 7891
tproxy-port: 1536

enable-process: true

unified-delay: false
geodata-mode: true
tcp-concurrent: false
find-process-mode: strict
global-client-fingerprint: chrome

allow-lan: true
mode: rule
log-level: warning
ipv6: false

external-controller: 0.0.0.0:9090
external-ui: Dashboard

geox-url:
  geoip: "https://github.com/xishang0128/meta-rules-dat/releases/download/latest/geoip-lite.dat"
  geosite: "https://github.com/xishang0128/meta-rules-dat/releases/download/latest/geosite.dat"
  mmdb: "https://github.com/xishang0128/meta-rules-dat/releases/download/latest/country.mmdb"

profile:
  store-selected: true
  store-fake-ip: true

sniffer:
  enable: false
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true

tun:
  enable: false
  stack: system
  dns-hijack:
    - 'any:53'
  auto-route: true
  auto-detect-interface: true

dns:
  enable: true
  prefer-h3: true
  ipv6: false
  listen: 0.0.0.0:1053
  enhanced-mode: fake-ip
  use-hosts: false
  fake-ip-filter: ['+.lan', '+.local', '+.mshome', 'dns.pub', 'dns.alidns.com', 'resolver1.opendns.com', 'detectportal.firefox.com', 'dmd.metaservices.microsoft.com', '+.stun.*.*', '+.stun.*.*.*', '+.stun.*.*.*.*', '+.stun.*.*.*.*.*', '*.n.n.srv.nintendo.net', '+.stun.playstation.net', 'xbox.*.*.microsoft.com', '*.*.xboxlive.com', '*.msftncsi.com', '*.msftconnecttest.com', 'connect.rom.miui.com', '+.gstatic.com', 'lens.l.google.com', '*.mcdn.bilivideo.cn', 'WORKGROUP', '*']
  fake-ip-range: 28.0.0.1/8
  default-nameserver:
    - 'https://223.5.5.5/dns-query'
    # - 'https://1.12.12.12/dns-query'
  nameserver:
    - 'https://8.8.8.8/dns-query#dns'
    - 'https://1.1.1.1/dns-query#dns'
  proxy-server-nameserver:
    - https://223.5.5.5/dns-query
    # - https://1.12.12.12/dns-query
  nameserver-policy:
    "geosite:cn,private":
      - https://223.5.5.5/dns-query   # alidns
      - https://1.12.12.12/dns-query   # dns.pub

Clash log

No response

Description

而我换内核到 1.15.1 是没这个问题的刚才又换了 1.16.0, 和alpha的问题一样, 以下问题都只在大于等于 1.16.0 版本复现了测试的网站包含 google.com 和 www.google.com, 都走上了 geosite:google 规则但是谷歌首页会显示隐私错误, 查看证书, 结果是被污染到 *.coolhub.top

iKira commented 10 months ago

1、fake-ip-filter里最后有一个'*'，你仔细品一下。 2、你设的全是带IP的DNS服务器，没有增加proxy-server-nameserver的必要。 3、geosite的cn分类里其实也有少部分google域名，这部分域名被认为可以直连（但是不是真的需要直连，因地而异，最安全的做法是所有google系域名全走代理，并将google的cn域名重定向到com）。

wzfdgh commented 10 months ago

纯IP ns下只能扔defaultns ns不过代理才能扔proxyns

MetaCubeX / mihomo