Clash DNS

Overview

DNS is central to Clash routing because many rules start from a domain name. In normal HTTP or SOCKS scenarios the domain is visible to Clash, but traffic intercepted at the network layer may only expose an IP address. Clash DNS bridges that gap.

fake-ip mode

In fake-ip mode, Clash answers a DNS query with an address from a reserved fake-IP pool, then keeps an internal mapping from that fake IP back to the original domain. When traffic later reaches Clash, it can recover the domain name and apply domain-based rules.

1. The application asks DNS for example.com.
2. Clash returns a fake IP such as 198.18.1.10.
3. The application connects to that fake IP.
4. Clash maps the fake IP back to example.com and evaluates the rules.

Practical notes

Use fake-IP carefully with applications that cache DNS aggressively or compare certificates with literal IP addresses. If a local service, game launcher or captive portal breaks, add it to a fake-IP filter or test with a different DNS mode.

Support Checks

When sites open inconsistently, compare DNS logs, rule matches and whether the profile uses enhanced-mode: fake-ip. DNS symptoms often look like connection symptoms even when the selected node is healthy.

Related pages

• Reference Configuration
• Premium Introduction
• TUN Device

Reference examples

These examples mirror the corresponding Chinese documentation page so the English page carries the same configuration material.

$ curl -v http://google.com
# reference note
# reference note
*   Trying 198.18.1.70:80...
# reference note
# reference note
* Connected to google.com (198.18.1.70) port 80 (#0)
# reference note
# reference note
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ahELFt78xOoxhySY2lQ34A' 'strict-dynamic' 'report-sample' 'unverified-eval' 'unverified-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< Date: Thu, 11 May 2023 06:52:19 GMT
< Expires: Sat, 10 Jun 2023 06:52:19 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact

Reference links

• RFC 3089