Comments (5)
I must note that Clash Meta supports logical rules in its config and one can easily do something like this (with your GeoIP.dat, GeoSite.dat files) to achieve the same result:
rules:
- GEOSITE,category-ads-all,REJECT
- DOMAIN,d.metacubex.one,DIRECT
- GEOSITE,ir,DIRECT
- GEOIP,IR,DIRECT
- NOT,((GEOSITE,ir)),PROXY
- GEOIP,private,DIRECT,no-resolve
- MATCH,PROXY
But still, vanilla Clash Premium needs a handcrafted rule to do so.
from iran-clash-rules.
Adding such a category would require a lot of data and maintenance, and will increase the file size significantly.
It's better to bypass the small list of local domains than to proxy the large list of foreign domains.
As for vanilla Clash, it also has some DNS leak issues; maybe using tunnels to proxy all DNS traffic mitigates this issue.
from iran-clash-rules.
has some DNS leak issues
Care to elaborate?
from iran-clash-rules.
has some DNS leak issues
Care to elaborate?
Clash resolves domain addresses locally in order to route traffic, then sends the resolved IP address to the remote proxy server. This will cause a DNS leak, and since Clash has no DNS hijack feature, as a workaround you can use the Clash Tunnel feature and map local port 53 to the proxy server address, and Clash will resolve all domains through the proxy server. Note that you need your default outbound to use an IP address for the server: parameter, otherwise you will be stuck in a loop and won't be able to connect.
from iran-clash-rules.
has some DNS leak issues
Care to elaborate?
Clash resolves domain addresses locally in order to route traffic, then sends the resolved IP address to the remote proxy server. This will cause a DNS leak, and since Clash has no DNS hijack feature, as a workaround you can use the Clash Tunnel feature and map local port 53 to the proxy server address, and Clash will resolve all domains through the proxy server. Note that you need your default outbound to use an IP address for the server: parameter, otherwise you will be stuck in a loop and won't be able to connect.
As I understood the source code and documentation:
- For better connectivity to CDNs, if a request has a domain name, clash only sends the domain to proxy server and lets the server resolve the domain before connecting.
- Only DNS leak I see here is when kernel queries a plaintext DNS locally (to determine what path to choose) and leaks the destination to adversaries on your home network.
- This can be mitigated by using no-resolve and/or encrypted DNS servers in dns.nameserver
- Mapping a port like 53 requires elevated access (sudo or CAP). When clash DOES have DNS hijack feature when utilizing the TUN, someone could just use that and no tunnels: configuration is needed (yet I'm not sure).
So I think I'm stuck with geolocation-!cn and encrypted DNS in my config for now. Thank you for your awesome rules!
from iran-clash-rules.
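The two mitigations named in the last comment (no-resolve on IP-based rules and encrypted dns.nameserver entries) can be checked mechanically; the following is an added example, not code from the thread or from Clash, run over the rule list posted in the first comment. It assumes GEOIP, IP-CIDR and IP-CIDR6 are the rule types that trigger a local lookup, does not unpack logical rules such as NOT, and uses constructed nameserver values; the function names are hypothetical.

```python
# Added example (not from the thread): lint Clash rules and dns.nameserver.
# Assumption: GEOIP, IP-CIDR and IP-CIDR6 rules without no-resolve make Clash
# resolve a domain-only request locally when rule matching reaches them.
IP_RULES = {"GEOIP", "IP-CIDR", "IP-CIDR6"}
ENCRYPTED = {"https", "tls"}  # DoH / DoT nameserver URL schemes

# Rule list as posted in the first comment on this page.
RULES = [
    "GEOSITE,category-ads-all,REJECT",
    "DOMAIN,d.metacubex.one,DIRECT",
    "GEOSITE,ir,DIRECT",
    "GEOIP,IR,DIRECT",
    "NOT,((GEOSITE,ir)),PROXY",
    "GEOIP,private,DIRECT,no-resolve",
    "MATCH,PROXY",
]
# Constructed sample values for dns.nameserver.
NAMESERVERS = ["8.8.8.8", "https://1.1.1.1/dns-query", "tls://1.1.1.1:853"]


def resolving_rules(rules):
    """Return (index, rule) for IP-based rules that lack no-resolve."""
    hits = []
    for i, rule in enumerate(rules):
        fields = [f.strip() for f in rule.split(",")]
        if fields[0].upper() in IP_RULES and "no-resolve" not in fields[3:]:
            hits.append((i, rule))
    return hits


def plaintext_nameservers(servers):
    """Return nameservers whose URL scheme is not DoH (https) or DoT (tls)."""
    return [s for s in servers
            if "://" not in s or s.split("://")[0].lower() not in ENCRYPTED]


def audit(rules, servers):
    """Summarise where a domain-only request can cause a plaintext lookup."""
    hits = resolving_rules(rules)
    return {
        "resolving_rules": hits,
        # Only rules before the first hit can match without a local lookup.
        "matched_before_lookup": rules[:hits[0][0]] if hits else list(rules),
        "plaintext_nameservers": plaintext_nameservers(servers),
    }


if __name__ == "__main__":
    print(audit(RULES, NAMESERVERS))
```

A non-empty resolving_rules result combined with a non-empty plaintext_nameservers result is the case the last comment describes: a local plaintext query made only to pick a route.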