`!ir` about iran-clash-rules HOT 5 CLOSED

chocolate4u commented on May 28, 2024
`!ir`

from iran-clash-rules.

Comments (5)

demarcush commented on May 28, 2024

I must note that Clash Meta supports logical rules in its config and one can easily do something like this (with your GeoIP.dat, GeoSite.dat files) to achieve the same result:

```yaml
rules:
  - GEOSITE,category-ads-all,REJECT

  - DOMAIN,d.metacubex.one,DIRECT

  - GEOSITE,ir,DIRECT
  - GEOIP,IR,DIRECT

  - NOT,((GEOSITE,ir)),PROXY
  - GEOIP,private,DIRECT,no-resolve
  - MATCH,PROXY
```

But still, vanilla Clash Premium needs a handcrafted rule to do so.

Chocolate4U commented on May 28, 2024

Adding such a category would require a lot of data and maintenance, and will increase the file size significantly.
It's better to bypass the small list of local domains than to proxy the large list of foreign domains.
As for vanilla Clash, it also has some DNS leak issues; maybe using tunnels to proxy all DNS traffic mitigates this issue.

demarcush commented on May 28, 2024

> has some DNS leak issues

Care to elaborate?

Chocolate4U commented on May 28, 2024

> > has some DNS leak issues
>
> Care to elaborate?

Clash resolves domain addresses locally in order to route traffic, then sends the resolved IP address to the remote proxy server. This will cause a DNS leak, and since Clash has no DNS hijack feature, as a workaround you can use the Clash Tunnel feature and map local port 53 to the proxy server address, and Clash will resolve all domains through the proxy server. Note that you need your default outbound to use an IP address for the `server:` parameter, otherwise you will be stuck in a loop and won't be able to connect.

demarcush commented on May 28, 2024

> > > has some DNS leak issues
>
> > Care to elaborate?
>
> Clash resolves domain addresses locally in order to route traffic, then sends the resolved IP address to the remote proxy server. This will cause a DNS leak, and since Clash has no DNS hijack feature, as a workaround you can use the Clash Tunnel feature and map local port 53 to the proxy server address, and Clash will resolve all domains through the proxy server. Note that you need your default outbound to use an IP address for the `server:` parameter, otherwise you will be stuck in a loop and won't be able to connect.

As I understood the source code and documentation:

  1. For better connectivity to CDNs, if a request has a domain name, Clash only sends the domain to the proxy server and lets the server resolve the domain before connecting.
  2. The only DNS leak I see here is when the kernel queries a plaintext DNS server locally (to determine what path to choose) and leaks the destination to adversaries on your home network.
  3. This can be mitigated by using `no-resolve` and/or encrypted DNS servers in `dns.nameserver`.
  4. Mapping a port like 53 requires elevated access (sudo or CAP). Clash DOES have a DNS hijack feature when utilizing the TUN; someone could just use that, and no `tunnels:` configuration is needed (yet I'm not sure).

So I think I'm stuck with geolocation-!cn and encrypted DNS in my config for now. Thank you for your awesome rules!

from iran-clash-rules.
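
Added example, not part of the thread and not code from the iran-clash-rules project: a small Python check for the three conditions raised in the comments above (a `dns.nameserver` entry that is not DoH/DoT, a top-level IP rule without `no-resolve`, and a hostname in a proxy's `server:` while `tunnels:` is configured). It assumes the config has already been parsed into a dict; the rules in the sample come from the thread, while the `dns`, `proxies` and `tunnels` values are constructed for illustration.

```python
import ipaddress

ENCRYPTED_SCHEMES = ("https://", "tls://")        # DoH and DoT nameserver URLs
IP_RULE_TYPES = {"GEOIP", "IP-CIDR", "IP-CIDR6"}  # matching these needs an IP address


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(cfg):
    """Return findings for a Clash config that is already parsed into a dict."""
    findings = []
    for ns in cfg.get("dns", {}).get("nameserver", []):
        if not ns.startswith(ENCRYPTED_SCHEMES):
            findings.append(f"nameserver not DoH/DoT: {ns}")
    for rule in cfg.get("rules", []):
        fields = [f.strip() for f in rule.split(",")]
        # Top-level IP rules only; IP rules nested inside AND/OR/NOT are not inspected.
        if fields[0] in IP_RULE_TYPES and fields[-1] != "no-resolve":
            findings.append(f"rule may trigger a local lookup: {rule}")
    if cfg.get("tunnels"):
        # Condition described in the thread: with DNS tunnelled through the proxy,
        # a hostname in server: has to be resolved before the tunnel exists.
        for proxy in cfg.get("proxies", []):
            if not is_ip_literal(str(proxy.get("server", ""))):
                findings.append(f"proxy uses a hostname with tunnels set: {proxy.get('name')}")
    return findings


# Constructed sample. The tunnels entry shape is an assumption; audit() only
# checks that the key is present and non-empty.
SAMPLE = {
    "dns": {"enable": True, "nameserver": ["192.0.2.53", "https://dns.example/dns-query"]},
    "proxies": [{"name": "out", "type": "ss", "server": "proxy.example", "port": 8388}],
    "tunnels": ["tcp/udp,127.0.0.1:53,192.0.2.53:53,out"],
    "rules": [
        "GEOSITE,category-ads-all,REJECT", "DOMAIN,d.metacubex.one,DIRECT",
        "GEOSITE,ir,DIRECT", "GEOIP,IR,DIRECT", "NOT,((GEOSITE,ir)),PROXY",
        "GEOIP,private,DIRECT,no-resolve", "MATCH,PROXY",
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```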
