Clash.Meta and IPv6

I ran into a problem where some connections in my Clash log had been bypassing my DNS interception setup for a long time. Even though I was intercepting all traffic on port 53, they managed to resolve DNS queries without being intercepted. Some websites were slower when accessed via IPv6 than via IPv4, but I rely mainly on two IPv6 servers, so I cannot simply disable all IPv6 connections.

OpenWRT

On my OpenWRT router I run SmartDNS with two sets of DNS servers: port 6553 for sites in China and port 7553 for everything else. SmartDNS can be set to avoid returning AAAA records, which seems to work well. The dns section of my Clash.Meta configuration:

```yaml
dns:
  enable: true # disabling this falls back to the system DNS
  prefer-h3: false # when enabled, DoH also tries HTTP/3 concurrently
  listen: 0.0.0.0:53 # enable the DNS server listener
  ipv6: false # false returns an empty result for AAAA queries
  # ipv6-timeout: 300 # in ms; with internal dual-stack concurrency, how long to wait for the upstream AAAA answer, default 100ms
  # DNS servers used to resolve the hostnames in nameserver, fallback and the other DNS server settings
  # plain IP addresses only; encrypted DNS is allowed
  default-nameserver:
    # - tls://1.12.12.12:853
    # - tls://223.5.5.5:853
    # - tls://120.53.53.53
    - 127.0.0.1:6553
  enhanced-mode: fake-ip # or redir-host
  use-hosts: true

  fake-ip-range: 198.18.0.1/16 # fake-ip pool

  # use-hosts: true # look up the hosts file

  # domains that are never given a fake-ip
  fake-ip-filter:
    - "*.lan"
    - localhost.ptlogin2.qq.com
    - +.stun.*.*
    - +.stun.*.*.*
    - +.stun.*.*.*.*
    - +.stun.*.*.*.*.*
    - "*.n.n.srv.nintendo.net"
    - +.stun.playstation.net
    - "xbox.*.*.microsoft.com"
    - "*.*.xboxlive.com"
    - WORKGROUP
  nameserver:
    - 127.0.0.1:7553
    # - "https://8.8.8.8/dns-query#DNS&h3=false"
    # - "https://1.1.1.1/dns-query#DNS&h3=false" # send the query through a proxy: ProxyGroupName is a proxy group or node name; a proxy setting takes precedence over the configured outbound interface, and if no group or node matches, the outbound interface is used
    # # - "https://dns.twnic.tw/dns-query#DNS&h3=false"
    # - "https://94.140.14.140/dns-query#DNS&h3=false"

  # DNS servers to use for specific query domains
  nameserver-policy:
    #   'www.baidu.com': '114.114.114.114'
    #   '+.internal.crop.com': '10.0.0.1'
    "*.msftncsi.com,*.msftconnecttest.com": [127.0.0.1:7553]
    # "geosite:private,microsoft@cn,apple-cn,google-cn,cn,category-games@cn":
    "geosite:private,apple-cn,google-cn,cn,category-games@cn":
      # - "tls://1.12.12.12:853#h3=false"
      # - "https://223.5.5.5/dns-query#h3=false"
      # - "tls://120.53.53.53#h3=false"
      - 127.0.0.1:6553
```

Running on the device itself

The OpenWRT device provides a transparent proxy by acting as both the gateway and the DNS server. In my case, it is the DNS server configured in my OS.

But on my PC, connections kept showing up that bypassed my DNS interception. I used the netstat command on Windows to identify the connection, for example [fdfe:dcba:9876::1]:8964, and found that it was initiated by Chrome. This was confirmed by cross-referencing the process ID (PID) in Task Manager.

I discovered that Chrome uses DNS over HTTPS (DoH) to perform DNS queries over an encrypted HTTPS connection, bypassing traditional DNS interception on port 53. I confirmed this by checking chrome://settings/security and found the “Use secure DNS” option enabled. Although the setting was on “OS default”, Chrome still manages to use DoH or DoT if the OS default servers support it.

To solve the issue, either turn off the “Use secure DNS” option or change the OS default DNS server to the address your tool listens on, i.e. 127.0.0.1:{port} or [::1]:{port}.
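The netstat check described above, as an added example that is not part of the original post: it parses Windows `netstat -ano` rows and flags connections that look like encrypted DNS escaping a port-53 interceptor, either DoT on TCP/853 or HTTPS to one of the resolver IPs that appear in the config above. The resolver list, the sample rows and the PIDs are my assumptions; DoH to a resolver reached by hostname rather than IP will not be caught by an IP match alone.

```python
import re
from ipaddress import ip_address

# Resolver IPs taken from the DoH/DoT entries in the Clash config above (extend to taste).
KNOWN_RESOLVERS = {"1.1.1.1", "8.8.8.8", "223.5.5.5", "94.140.14.140", "1.12.12.12", "120.53.53.53"}

# One `netstat -ano` row on Windows: proto, local, remote, optional state, pid.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (ip or None, port); '*:*' gives (None, -1)."""
    host, _, port = endpoint.rpartition(":")
    try:
        return ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None, (int(port) if port.isdigit() else -1)

def find_dns_bypass(netstat_output, resolvers=KNOWN_RESOLVERS):
    """Return (pid, remote, reason) for connections that look like encrypted DNS
    escaping a port-53 interceptor: DoT on TCP/853, or HTTPS to a known resolver IP."""
    hits = []
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines and anything that is not a connection row
        proto, _local, remote, _state, pid = m.groups()
        ip, port = split_endpoint(remote)
        if ip is None or proto != "TCP":
            continue  # plain UDP/53 is already caught by the port-53 interception
        if port == 853:
            hits.append((int(pid), remote, "DoT (port 853)"))
        elif port == 443 and str(ip) in resolvers:
            hits.append((int(pid), remote, "DoH to known resolver"))
    return hits

# Constructed sample of `netstat -ano` output; the rows and PIDs are made up.
SAMPLE = """\
  Proto  Local Address               Foreign Address             State           PID
  TCP    192.168.1.20:51000          1.1.1.1:443                 ESTABLISHED     4321
  TCP    192.168.1.20:51001          203.0.113.10:443            ESTABLISHED     4321
  TCP    [2001:db8::20]:51002        [2001:db8::53]:853          ESTABLISHED     4321
  UDP    0.0.0.0:53                  *:*                                         1100
  UDP    192.168.1.20:60000          8.8.8.8:53                                  4321
"""

if __name__ == "__main__":
    for pid, remote, reason in find_dns_bypass(SAMPLE):
        print(f"PID {pid} -> {remote}: {reason}")
```

Feed it the real output of `netstat -ano` and cross-reference the reported PIDs in Task Manager, as the post does, to see which process is resolving around the interceptor.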