Clash DNS
由于 Clash 的某些部分运行在第 3 层 (网络层) , 因此其数据包的域名是无法获取的, 也就无法进行基于规则的路由.
Enter fake-ip: 它支持基于规则的路由, 最大程度地减少了 DNS 污染攻击的影响, 并且提高了网络性能, 有时甚至是显著的.
fake-ip
- "fake IP" 的概念源自 RFC 3089: 一个 "fake IP" 地址被用于查询相应的 "FQDN" 信息的关键字.
- fake-ip 池的默认 CIDR 是
198.18.0.1/16(一个保留的 IPv4 地址空间, 可以在dns.fake-ip-range中进行更改). - 当 DNS 请求被发送到 Clash DNS 时, Clash 内核会通过管理内部的域名和其 fake-ip 地址的映射, 从池中分配一个 空闲 的 fake-ip 地址.
工作流程
以使用浏览器访问 http://google.com 为例:
- 浏览器向 Clash DNS 请求
google.com的 IP 地址 - Clash 检查内部映射并返回
198.18.1.5 - 浏览器向
198.18.1.5的80/tcp端口发送 HTTP 请求 - 当收到
198.18.1.5的入站数据包时, Clash 查询内部映射, 发现客户端实际上是在向google.com发送数据包 - 根据规则的不同:
- Clash 可能仅将域名发送到 SOCKS5 或 shadowsocks 等出站代理, 并与代理服务器建立连接
- 或者 Clash 可能会基于 SCRIPT、GEOIP、IP-CIDR 规则或者使用 DIRECT 直连出口查询
google.com的真实 IP 地址
示例
由于这是一个令人困惑的概念, 我将以使用 cURL 程序访问 http://google.com 为例:
$ curl -v http://google.com
<---- cURL 向您的系统 DNS (Clash) 询问 google.com 的 IP 地址
----> Clash 决定使用 198.18.1.70 作为 google.com 的 IP 地址, 并记住它
* Trying 198.18.1.70:80...
<---- cURL 连接到 198.18.1.70 tcp/80
----> Clash 将立即接受连接, 并且..
* Connected to google.com (198.18.1.70) port 80 (#0)
----> Clash 在其内存中查找到 198.18.1.70 对应于 google.com
----> Clash 查询对应的规则, 并通过匹配的出口发送数据包
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 11 May 2023 06:52:19 GMT
< Content-Length: 219
< Server: gws
<
< HTML>
< HEAD>
< TITLE>301 Moved
< /HEAD>
< BODY>
< H1>301 Moved
< /H1>
< A HREF="http://www.google.com/">here
< /A>
< /BODY>
< /HTML>
* Connection #0 to host google.com left intactClash DNS
Since some parts of Clash operate at Layer 3 (the network layer), the domain name of its packets cannot be obtained, making rule-based routing impossible.
Enter fake-ip: It supports rule-based routing, minimizes the impact of DNS pollution attacks, and improves network performance, sometimes significantly.
fake-ip
- The concept of "fake IP" originates from RFC 3089: A "fake IP" address is used as a keyword to query corresponding "FQDN" information.
- The default CIDR for the fake-ip pool is
198.18.0.1/16(a reserved IPv4 address space, which can be changed indns.fake-ip-range). - When a DNS request is sent to Clash DNS, the Clash kernel assigns an available fake-ip address from the pool by managing an internal mapping between domain names and their fake-ip addresses.
How It Works
Example: using a browser to access http://google.com:
- Browser requests the IP address of
google.comfrom Clash DNS - Clash checks the internal mapping and returns
198.18.1.5 - Browser sends an HTTP request to
198.18.1.5port80/tcp - When receiving the inbound packet to
198.18.1.5, Clash queries the internal mapping and discovers the client is actually sending a packet togoogle.com - Depending on the rules:
- Clash may only send the domain name to outbound proxies like SOCKS5 or shadowsocks, establishing a connection with the proxy server
- Or Clash may query the real IP address of
google.combased on SCRIPT, GEOIP, IP-CIDR rules, or using DIRECT for direct connection
Example
Since this is a confusing concept, I will use the cURL program to access http://google.com as an example:
$ curl -v http://google.com
<---- cURL asks your system DNS (Clash) for google.com's IP address
----> Clash decides to use 198.18.1.70 as google.com's IP address, and remembers it
* Trying 198.18.1.70:80...
<---- cURL connects to 198.18.1.70 tcp/80
----> Clash immediately accepts the connection, and..
* Connected to google.com (198.18.1.70) port 80 (#0)
----> Clash finds in its memory that 198.18.1.70 corresponds to google.com
----> Clash queries the corresponding rules and sends the packet through the matching exit
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 11 May 2023 06:52:19 GMT
< Content-Length: 219
< Server: gws
<
< HTML>
< HEAD>
< TITLE>301 Moved
< /HEAD>
< BODY>
< H1>301 Moved
< /H1>
< A HREF="http://www.google.com/">here
< /A>
< /BODY>
< /HTML>
* Connection #0 to host google.com left intact