DNS leaks: detection and repair
A DNS leak means: your traffic rides the proxy, but the domain lookups still go in plaintext to your local ISP's resolver — they cannot read your traffic, yet they log every domain you visit.
Detecting
With the proxy on, open any DNS leak test site (search "dns leak test") and run the extended test:
- only resolvers in your exit node's region appear → no leak;
- your local ISP's resolvers appear → you are leaking.
The repair combo
- fake-ip mode: browser-level lookups get answered locally with fake IPs, and real resolution happens at the proxy's far end — most of the leak disappears at the source ("fake-ip vs redir-host");
- Encrypted upstream DNS: what Clash itself must resolve goes over DoH/DoT — config in "Custom DNS";
- TUN as the system-wide net: with
dns-hijack, every port-53 query on the machine is forcibly captured by Clash — covering even programs that bypass the system proxy.
Re-run the test afterwards. Bonus tip: IPv6 opens extra leak paths — if tests stay dirty and you do not rely on IPv6, disable it on the General page and test again.