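Fixing DNS leaks in the Clash core (updated version)
I've been tinkering with Clash again; this time I updated the fix for the DNS leak problem in the Clash core.
Without further ado, here is the configuration.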
port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
#external-controller: 127.0.0.1:9090
geoip: true
geodata-mode: true
geox-url:
  geoip: https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat
dns:
  enable: true
  ipv6: false
  listen: :53 # no IP is given here; leaving it empty is fine
  nameserver:
    - tls://1.1.1.1
    - tls://1.0.0.1#
    - tls://208.67.222.123
    - tls://208.67.220.123
    - tls://101.101.101.101
    - tls://101.102.103.104
    - tls://185.222.222.222
    - tls://45.11.45.11
    - tls://1.1.1.1
  default-nameserver:
    - 223.5.5.5
    - 119.29.29.29
  #####backup
  ##nameserver-policy:
  ## geosite:cn: tls://1.12.12.12##
  #######
  nameserver-policy:
    "geosite:cn,private":
      - tls://1.12.12.12#
      - tls://120.53.53.53
proxies:
########################
# paste your node information here
########################
proxy-groups:
  - name: 🚀 节点选择
    type: select
    proxies:
      - ♻️ 自动选择
      - 🔯 故障转移
      - 🔮 负载均衡
      - DIRECT
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: ♻️ 自动选择
    type: url-test
    url: http://www.gstatic.com/generate_204
    interval: 300
    tolerance: 50
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🔯 故障转移
    type: fallback
    url: http://www.gstatic.com/generate_204
    interval: 180
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🔮 负载均衡
    type: load-balance
    strategy: consistent-hashing
    url: http://www.gstatic.com/generate_204
    interval: 180
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🎯 全球直连
    type: select
    proxies:
      - DIRECT
  - name: 🛑 全球拦截
    type: select
    proxies:
      - REJECT
  - name: 🐟 漏网之鱼
    type: select
    proxies:
      - ♻️ 自动选择
      - 🔯 故障转移
      - 🔮 负载均衡
rule-providers:
  ads:
    type: http
    behavior: domain
    format: text
    path: ./rules/ads.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/ads.list
    interval: 86400
  private:
    type: http
    behavior: domain
    format: text
    path: ./rules/private.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/private.list
    interval: 86400
  privateip:
    type: http
    behavior: ipcidr
    format: text
    path: ./rules/privateip.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/privateip.list
    interval: 86400
  cnip:
    type: http
    behavior: ipcidr
    format: text
    path: ./rules/cnip.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/cnip.list
    interval: 86400
rules:
  - RULE-SET,ads,🛑 全球拦截
  - RULE-SET,privateip,🎯 全球直连
  - RULE-SET,cnip,🎯 全球直连,no-resolve
  #- RULE-SET,cn,🎯 全球直连
  #- RULE-SET,microsoft-cn,🎯 全球直连
  #- RULE-SET,google-cn,🎯 全球直连
  #- RULE-SET,games-cn,🎯 全球直连
  #- RULE-SET,networktest,🎯 全球直连
  #- RULE-SET,proxy,🔯 故障转移,🔮 负载均衡
  - MATCH,🐟 漏网之鱼,🔯 故障转移,🔮 负载均衡
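Key point: for the overseas DNS entries, choose encrypted DNS servers that are addressed by IP. That way no domain name has to be resolved to reach the DNS server itself, and network access is faster.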
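An added example, not part of the original post, that turns the key point above into a check: it audits a Clash `dns` block and reports every `nameserver` or `nameserver-policy` entry that is plaintext or that names its resolver by hostname. `PAGE_DNS` copies values from the configuration above; `WEAK_DNS` (the `192.0.2.x` addresses and `dns.example`) is constructed, and the audit assumes `default-nameserver` is used only to resolve DNS-server hostnames, so it is not flagged.

```python
import ipaddress
from urllib.parse import urlsplit

ENCRYPTED = {"tls", "https", "quic"}  # DoT, DoH, DoQ URL schemes

def classify(entry):
    """Return (scheme, host_is_ip) for one nameserver entry."""
    entry = entry.strip()
    if "://" not in entry:           # bare "223.5.5.5" means plaintext UDP
        entry = "udp://" + entry
    parts = urlsplit(entry)          # a trailing "#..." lands in .fragment
    try:
        ipaddress.ip_address(parts.hostname or "")
        return parts.scheme, True
    except ValueError:
        return parts.scheme, False

def audit(dns):
    """List (key, entry, problem) for resolvers that can expose lookups."""
    servers = [("nameserver", e) for e in dns.get("nameserver", [])]
    for rule, entries in dns.get("nameserver-policy", {}).items():
        entries = [entries] if isinstance(entries, str) else entries
        servers += [("nameserver-policy[%s]" % rule, e) for e in entries]
    findings = []
    for key, entry in servers:
        scheme, is_ip = classify(entry)
        if scheme not in ENCRYPTED:
            findings.append((key, entry, "plaintext"))
        elif not is_ip:
            findings.append((key, entry, "hostname needs bootstrap lookup"))
    return findings

# dns values copied from the configuration above
PAGE_DNS = {
    "nameserver": ["tls://1.1.1.1", "tls://1.0.0.1#", "tls://208.67.222.123"],
    "default-nameserver": ["223.5.5.5", "119.29.29.29"],
    "nameserver-policy": {
        "geosite:cn,private": ["tls://1.12.12.12#", "tls://120.53.53.53"]},
}
# constructed counter-example; dns.example is a placeholder hostname
WEAK_DNS = {
    "nameserver": ["192.0.2.53", "tls://dns.example:853", "udp://192.0.2.54"],
    "nameserver-policy": {"geosite:cn": "223.5.5.5"},
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_DNS), ("weak", WEAK_DNS)):
        for finding in audit(cfg) or [("-", "-", "no findings")]:
            print(name, *finding)
```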
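How do you check whether a DNS server addressed by IP supports TLS encryption?
Test it with the command below; if it returns a certificate, that DNS server supports encryption.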
openssl s_client -connect 208.67.222.123:853
// the certificate information is returned
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 18 00:13:01 2024 GMT; NotAfter: Feb 16 00:12:01 2025 GMT
1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
issuer=C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6066 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
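An added example, not part of the original post, for reading the output above: `openssl s_client` prints a certificate even when the chain fails to validate, so this helper treats a resolver as usable for DoT only if the handshake negotiated a protocol and `Verify return code` is 0. `PAGE_OUTPUT` copies lines from the output above; `UNTRUSTED_OUTPUT` and the name `resolver.invalid` are constructed.

```python
import re

def summarize_s_client(output):
    """Pull the fields that decide DoT support out of `openssl s_client` text."""
    def first(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    code = first(r"^\s*Verify return code:\s*(\d+)")
    summary = {
        "connected": "CONNECTED(" in output,
        # a failed handshake prints "New, (NONE), ..." and yields None here
        "protocol": first(r"^New,\s*(TLSv[\d.]+|SSLv\d)"),
        "leaf_cn": first(r"^subject=.*?CN\s*=\s*([^,\n]+)"),
        "verify_code": int(code) if code is not None else None,
    }
    # a returned certificate is not enough: the chain must also validate
    summary["dot_usable"] = bool(
        summary["connected"]
        and summary["protocol"]
        and summary["verify_code"] == 0
    )
    return summary

# lines copied from the output above
PAGE_OUTPUT = """CONNECTED(00000003)
subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""

# constructed: a certificate comes back but the chain does not validate
UNTRUSTED_OUTPUT = """CONNECTED(00000003)
subject=CN = resolver.invalid
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("untrusted", UNTRUSTED_OUTPUT)):
        print(label, summarize_s_client(text))
```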