What Is DNS Pollution
DNS pollution (DNS Spoofing / DNS Poisoning) refers to ISPs or the Great Firewall returning fake IP addresses for DNS queries on specific domains, preventing users from accessing target websites. For example, when querying www.google.com through a carrier DNS server, the returned IP may be an invalid address or the request may be outright rejected.
DNS leak is another related issue: even with a proxy enabled, DNS queries may still bypass the proxy and be sent directly to the carrier's DNS server. This not only causes some domains to fail to resolve, but also exposes your browsing activity to the ISP.
| Problem | Symptom | Consequence |
|---|---|---|
| DNS Pollution | Domain resolves to wrong IP | Cannot access target website |
| DNS Leak | DNS queries bypass proxy | Browsing activity logged by ISP; some sites still inaccessible |
Two Resolution Modes: fake-ip vs redir-host
fake-ip Mode (Recommended)
fake-ip is Clash's own high-performance DNS resolution mode:
- When an application makes a DNS query, Clash immediately returns a fake IP (in the 198.18.x.x range)
- The application uses this fake IP to initiate a connection request
- Clash intercepts the connection request and decides whether to go direct or through a proxy based on rules
- If routed through a proxy, Clash sends the original domain name to the proxy server, which performs the real DNS resolution overseas
Advantages: Connections can be established without waiting for DNS resolution to complete, resulting in extremely low latency; DNS queries for overseas domains never pass through domestic DNS, completely preventing pollution.
Disadvantages: A few applications (e.g., certain games, P2P software) may not handle fake IPs correctly and need to be excluded in fake-ip-filter.
redir-host Mode
Traditional DNS resolution mode: Clash resolves domains to real IPs normally, then decides whether to use a proxy based on IP-CIDR rules.
Advantages: Better compatibility; all applications work normally.
Disadvantages: Requires DNS resolution to complete before establishing a connection, resulting in higher latency; for polluted domains, relies on fallback DNS for a second resolution, making configuration more complex.
DoH / DoT Encrypted DNS Configuration
Regular DNS queries use plaintext UDP/TCP protocols, which ISPs can easily intercept and tamper with. DoH (DNS over HTTPS) and DoT (DNS over TLS) protect DNS queries through encryption:
- DoH: DNS queries are encapsulated in HTTPS requests, using port 443, blending with regular HTTPS traffic and making them hard to identify and filter
- DoT: DNS queries are encrypted via TLS, using dedicated port 853; encryption is reliable but the traffic signature is obvious and easily filtered
In Clash, DoH uses the https:// prefix and DoT uses the tls:// prefix:
```yaml
dns:
  nameserver:
    - https://dns.alidns.com/dns-query   # Alibaba DoH (domestic)
    - https://doh.pub/dns-query          # Tencent DoH (domestic)
  fallback:
    - tls://8.8.8.8:853                  # Google DoT (overseas)
    - tls://1.1.1.1:853                  # Cloudflare DoT (overseas)
    - https://dns.google/dns-query       # Google DoH (overseas)
```
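To make the three transports concrete, here is an added Python example (not Clash's code and not part of the original page) that builds one DNS question in RFC 1035 wire format and shows how the same bytes travel as plaintext UDP, as a length-prefixed DoT frame, and as the base64url `dns=` parameter of a DoH GET request. The endpoint URL defaults to the Alibaba DoH server from the configuration above; the query names are constructed, and nothing is sent on the network.

```python
import base64
import struct

# Added illustration of DNS transports; builds bytes only, sends nothing.


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query with the RD flag set (flags 0x0100).
    txid 0 follows the RFC 8484 advice for DoH GET so identical requests cache."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_qname(packet: bytes) -> str:
    """Read the question name back out of a query we built (no compression pointers)."""
    pos, labels = 12, []
    while True:
        n = packet[pos]
        if n == 0:
            break
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858): the TCP framing of RFC 1035, a 2-byte big-endian length
    prefix, with the whole stream then carried inside TLS to port 853."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes, endpoint: str = "https://dns.alidns.com/dns-query") -> str:
    """DoH (RFC 8484) GET form: base64url without '=' padding in the dns= parameter,
    sent as an ordinary HTTPS request to port 443."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore the padding base64 requires, then decode."""
    encoded = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def doh_post_headers(query: bytes) -> dict:
    """DoH POST form: the raw message is the body, with the DNS media type."""
    return {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }


if __name__ == "__main__":
    q = build_query("www.google.com")
    print("udp/53 payload :", q.hex())
    print("dot/853 frame  :", dot_frame(q).hex())
    print("doh/443 GET    :", doh_get_url(q))
```

The plaintext payload on port 53 is exactly `build_query()`'s output, which is why an on-path resolver can read and rewrite it; the DoT frame is the same bytes behind a length prefix, distinguishable only by the port 853 TLS session; the DoH form is indistinguishable from any other HTTPS GET to port 443 unless the endpoint itself is blocked. The `www.example.com` query reproduces the example URL parameter given in RFC 8484.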
Complete Anti-Pollution DNS Configuration
The following is a verified best-practice configuration:
```yaml
dns:
  enable: true
  # DNS listen address (taken over by dns-hijack in TUN mode). 0.0.0.0 binds every
  # interface; use 127.0.0.1:1053 unless other LAN hosts are meant to use this resolver.
  listen: 0.0.0.0:1053
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  # fake-ip exclusion list: these domains bypass fake-ip and return real IPs directly
  fake-ip-filter:
    - "*.lan"
    - "*.local"
    - "localhost.ptlogin2.qq.com"
    - "+.stun.*.*"
    - "+.stun.*.*.*"
    - "time.*.com"
    - "time.*.gov"
    - "*.ntp.org.cn"
    - "ntp.*.com"
  # Domestic DNS: for resolving domestic domains
  nameserver:
    - 223.5.5.5                          # Alibaba DNS (plaintext, fast)
    - 119.29.29.29                       # Tencent DNS
    - https://dns.alidns.com/dns-query   # Alibaba DoH
  # Overseas DNS: for resolving polluted overseas domains (accessed via proxy)
  fallback:
    - tls://8.8.8.8:853
    - tls://1.1.1.1:853
    - https://dns.google/dns-query
    - https://cloudflare-dns.com/dns-query
  # Fallback trigger condition: use the fallback answer when the IP is not in CN
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 240.0.0.0/4                      # Reserved addresses (usually pollution results)
    domain:
      - "+.google.com"
      - "+.facebook.com"
      - "+.youtube.com"
      - "+.twitter.com"
      - "+.github.com"
  # Assign specific DNS servers to specific domains
  nameserver-policy:
    "geosite:cn": [223.5.5.5, 119.29.29.29]
    "geosite:geolocation-!cn": [tls://8.8.8.8:853, tls://1.1.1.1:853]
```
Key Configuration Options Explained
| Option | Description |
|---|---|
| `enhanced-mode: fake-ip` | Enables fake-ip mode, greatly reducing DNS resolution latency |
| `fake-ip-filter` | These domains bypass fake-ip and return real IPs (for protocols like mDNS and NTP that require real IPs) |
| `nameserver` | Primary DNS, used for fast resolution of domestic domains |
| `fallback` | Backup DNS, triggered when nameserver returns a polluted IP |
| `fallback-filter.geoip: true` | Triggers a fallback re-query if the IP returned by nameserver is not in CN |
| `nameserver-policy` | Assigns dedicated DNS servers to specific domains; takes priority over nameserver/fallback |
Using with TUN Mode
When TUN mode is enabled, configure dns-hijack to route all DNS requests into Clash for processing:
```yaml
tun:
  enable: true
  stack: mixed
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - any:53          # Hijack UDP requests to port 53
    - tcp://any:53    # Hijack TCP requests to port 53
dns:
  enable: true
  enhanced-mode: fake-ip
  # ... rest of config as above
```
With `dns-hijack: any:53` enabled, even if the system DNS is set to another server (e.g., 8.8.8.8), every DNS request sent to port 53 is handled by Clash's DNS module, eliminating the DNS leak at its source.
DNS Leak Testing
After configuration, use the following tools to verify that DNS anti-pollution is working:
- Visit dnsleaktest.com and click "Standard Test"
- After the test completes, review the DNS server list:
  - If it shows overseas servers such as Google or Cloudflare (no domestic carrier IPs) → anti-pollution configuration is correct
  - If it shows domestic DNS from China Unicom, China Telecom, etc. → DNS leak present, check your configuration
- You can also visit ipleak.net for a comprehensive check of IP, DNS, and WebRTC leaks
Common DNS Troubleshooting
DNS Resolution Completely Fails
All websites are inaccessible with "DNS_PROBE_FINISHED_NXDOMAIN" errors:
- Check that `dns.enable: true` is set
- Confirm that at least one accessible DNS server is listed in `nameserver`
- Temporarily change `nameserver` to `223.5.5.5` (plaintext UDP, the most basic option) to test connectivity
- Check Clash logs and search for DNS-related error messages
Slow DNS Resolution
- Confirm `enhanced-mode: fake-ip` is enabled (greatly reduces first-connection latency)
- Replace DoH servers in `nameserver` with plaintext UDP (e.g., `223.5.5.5`); DoH has significant TLS handshake overhead
- Check that fallback DNS servers are reachable; unreachable fallback servers cause timeout delays
Some Sites Inaccessible Despite Normal IP
This may be a compatibility issue caused by fake-ip. Add the domain to the fake-ip-filter exclusion list:
```yaml
dns:
  fake-ip-filter:
    - "problem-domain.com"   # Add the problematic domain
```
View the Advanced Configuration Guide for more TUN mode and DNS setup details
Summary
- DNS pollution causes domains to resolve to wrong IPs; DNS leaks expose browsing activity to the ISP
- fake-ip mode is the optimal solution: instantly returns a fake IP, overseas domains are resolved by the proxy server overseas, with low latency and complete pollution prevention
- Use fast plaintext UDP (223.5.5.5) for domestic DNS (nameserver); use encrypted DoT/DoH (tls://8.8.8.8:853) for overseas DNS (fallback)
- `fallback-filter.geoip: true` is the key to triggering fallback, ensuring polluted domains are re-resolved via overseas DNS
- In TUN mode, use `dns-hijack: any:53` to completely eliminate DNS leaks
- After configuration, verify with dnsleaktest.com and confirm the DNS servers shown are overseas nodes
Further Reading
- TUN Mode Guide: Global proxy solution to use alongside DNS anti-pollution
- Rule-Based Routing Configuration: Precisely control which traffic goes through the proxy using rules
- Subscription Auto-Update Settings: Keep node lists and rule sets automatically updated