User Guide / Troubleshooting

DNS leaks: detection and repair

Troubleshooting · Updated 2026-06-22 · ~2 min read

A DNS leak means: your traffic rides the proxy, but the domain lookups still go in plaintext to your local ISP's resolver — they cannot read your traffic, yet they log every domain you visit.

Detecting

With the proxy on, open any DNS leak test site (search "dns leak test") and run the extended test:

The repair combo

  1. fake-ip mode: browser-level lookups get answered locally with fake IPs, and real resolution happens at the proxy's far end — most of the leak disappears at the source ("fake-ip vs redir-host");
  2. Encrypted upstream DNS: what Clash itself must resolve goes over DoH/DoT — config in "Custom DNS";
  3. TUN as the system-wide net: with dns-hijack, every port-53 query on the machine is forcibly captured by Clash — covering even programs that bypass the system proxy.

Re-run the test afterwards. Bonus tip: IPv6 opens extra leak paths — if tests stay dirty and you do not rely on IPv6, disable it on the General page and test again.