What Goes Wrong When DNS Is Misconfigured
If a client only intercepts outbound traffic but leaves DNS lookups untouched, domain resolution requests can still go straight to whatever resolver your network hands out by default. That causes two separate problems. First, the returned IP can be tampered with or simply wrong, so a site that should have gone through the proxy fails to connect at all. Second, even when the actual traffic is proxied correctly, the DNS query itself still reveals which domain you're visiting to anyone watching the network — the classic "DNS leak."
fake-ip: the Dominant Solution Today
The idea behind enhanced-mode: fake-ip is simple: instead of letting a DNS query return the real IP address, the client intercepts it and hands the application a placeholder address drawn from a dedicated virtual range (fake-ip-range). When the application later opens a connection to that placeholder, the client resolves the real destination domain at the network layer and applies the routing rules from there. The whole trick is invisible to the application, and it currently offers the best combination of compatibility and speed among the available approaches.
dns:
enable: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
fake-ip-filter:
- "*.lan"
- "+.local"
fake-ip-filter excludes domains that shouldn't go through the fake-IP mechanism — typically LAN device discovery or other local-network services that need a real IP to function correctly. Any domain matching the filter gets its genuine resolution result instead of a placeholder.
Splitting Resolution by Domain: nameserver-policy
Resolving every domain through a single set of DNS servers is rarely the best setup — local or regional domains are usually resolved faster by a nearby resolver, while everything else benefits from a resolver that's harder to tamper with. nameserver-policy lets you route resolution differently depending on domain ownership, typically paired with GeoSite categories:
dns:
nameserver:
- https://dns.google/dns-query
- https://1.1.1.1/dns-query
fallback:
- https://1.0.0.1/dns-query
- https://dns.quad9.net/dns-query
nameserver-policy:
"geosite:private": [192.168.1.1]
"geosite:category-ads-all": [https://1.1.1.1/dns-query]
Any domain that doesn't match a nameserver-policy entry falls back to the default nameserver list. Swap in whichever GeoSite category actually matches the domains you want to split out for your own region — the entries above are just illustrative. If you need an extra layer of trust-checking on top of that, pair it with fallback and the fallback-filter logic described below.
fallback-filter: Judging Whether a Result Is Trustworthy
fallback-filter decides when the client should discard the result from the default DNS servers and re-query using the fallback list instead. The most common check is based on geoip:
dns:
fallback-filter:
geoip: true
geoip-code: US
With this enabled, if the IP returned by the default resolver doesn't belong to the region specified by geoip-code (replace US with your own country code), the client treats the result as suspect — a common symptom of DNS spoofing, where a bogus foreign IP gets returned instead of the correct one — and re-resolves the domain using the more trustworthy servers in fallback.
A Quick Troubleshooting Checklist
- Confirm
dns.enableis set totrue— otherwise none of the DNS block takes effect; - Confirm
enhanced-modeis set tofake-ip(or that you have a clear reason for using something else); - If LAN device discovery breaks, check whether the relevant domains need to be added to
fake-ip-filter; - If you suspect DNS spoofing, check that
fallbackandfallback-filterare configured correctly.
For a deeper look at where DNS settings fit into a complete config.yaml, check out the Advanced Configuration Docs. If you're new to Clash, the default DNS settings shipped by most clients are already solid enough that you don't need to touch anything.
DNS Sorted Out — Time to Put It to Work
Download the Clash client, paste in your subscription link, and you'll go from install to online in just a few minutes.