
Fixing DNS leaks in the Clash core (updated version)

🕛 by admin

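I've been tinkering with Clash again; this time I've updated the fix for the DNS leak problem in the Clash core.

Without further ado, here is the config.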

port: 7890
socks-port: 7891
allow-lan: true
mode: Rule
log-level: info
#external-controller: 127.0.0.1:9090
geoip: true
geodata-mode: true
geox-url:
  geoip: https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat
dns:
  enable: true
  ipv6: false
  listen: :53 # no IP is specified here; leaving it empty is fine
  nameserver:
    - tls://1.1.1.1
    - tls://1.0.0.1#
    - tls://208.67.222.123
    - tls://208.67.220.123
    - tls://101.101.101.101
    - tls://101.102.103.104
    - tls://185.222.222.222
    - tls://45.11.45.11
    - tls://1.1.1.1
  default-nameserver:
    - 223.5.5.5
    - 119.29.29.29
  #####backup
  ##nameserver-policy:
  ## geosite:cn: tls://1.12.12.12##
  #######
  nameserver-policy:
    "geosite:cn,private":
      - tls://1.12.12.12#
      - tls://120.53.53.53
proxies:
########################
# paste your node information here
########################
proxy-groups:
  - name: 🚀 节点选择
    type: select
    proxies:
      - ♻️ 自动选择
      - 🔯 故障转移
      - 🔮 负载均衡
      - DIRECT
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: ♻️ 自动选择
    type: url-test
    url: http://www.gstatic.com/generate_204
    interval: 300
    tolerance: 50
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🔯 故障转移
    type: fallback
    url: http://www.gstatic.com/generate_204
    interval: 180
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🔮 负载均衡
    type: load-balance
    strategy: consistent-hashing
    url: http://www.gstatic.com/generate_204
    interval: 180
    proxies:
      - 🇭🇰 香港节点
      - 🇯🇵 日本节点
      - 🇸🇬 新加坡节点
      - 🇺🇸 美国节点
      - 🇹🇼 台湾节点
      - 🇰🇷 韩国节点
      - usdemo2 xtls-reality
      - usdemo1 xtls-reality
      - usdemo3 xtls-reality
      - usdemo2 trojan
      - usdemo1 trojan
      - usdemo3 trojan
      - usdemo2 grpc-reality
      - usdemo1 grpc-reality
      - usdemo3 grpc-reality
      - usdemo3-ssv4
      - usdemo2-ssv4
      - usdemo1-ssv4
  - name: 🎯 全球直连
    type: select
    proxies:
      - DIRECT
  - name: 🛑 全球拦截
    type: select
    proxies:
      - REJECT
  - name: 🐟 漏网之鱼
    type: select
    proxies:
      - ♻️ 自动选择
      - 🔯 故障转移
      - 🔮 负载均衡
rule-providers:
  ads:
    type: http
    behavior: domain
    format: text
    path: ./rules/ads.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/ads.list
    interval: 86400
  private:
    type: http
    behavior: domain
    format: text
    path: ./rules/private.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/private.list
    interval: 86400
  privateip:
    type: http
    behavior: ipcidr
    format: text
    path: ./rules/privateip.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/privateip.list
    interval: 86400
  cnip:
    type: http
    behavior: ipcidr
    format: text
    path: ./rules/cnip.list
    url: https://raw.githubusercontent.com/DustinWin/ruleset_geodata/clash-ruleset/cnip.list
    interval: 86400
rules:
  - RULE-SET,ads,🛑 全球拦截
  - RULE-SET,privateip,🎯 全球直连
  - RULE-SET,cnip,🎯 全球直连,no-resolve
  #- RULE-SET,cn,🎯 全球直连
  #- RULE-SET,microsoft-cn,🎯 全球直连
  #- RULE-SET,google-cn,🎯 全球直连
  #- RULE-SET,games-cn,🎯 全球直连
  #- RULE-SET,networktest,🎯 全球直连
  #- RULE-SET,proxy,🔯 故障转移,🔮 负载均衡
  - MATCH,🐟 漏网之鱼,🔯 故障转移,🔮 负载均衡

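Key point: for the overseas DNS servers, choose encrypted DNS servers that are addressed by IP. That way the resolver's own domain name never has to be resolved, and network access is faster.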
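The rule above can be checked mechanically. This is an added example, not part of the original post: it audits an already-parsed `dns` section and flags resolvers that are plaintext or that are named by hostname and therefore need a lookup through `default-nameserver` first. The function names and the entries `8.8.8.8` and `tls://dns.example.net` are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ENCRYPTED = {"tls", "https", "quic"}  # DoT, DoH, DoQ
PLAINTEXT = {"udp", "tcp"}

# Constructed sample: part of the dns section above, plus two weak entries
# added here (marked) to show what gets flagged.
SAMPLE_DNS = {
    "nameserver": [
        "tls://1.1.1.1", "tls://1.0.0.1#", "tls://208.67.222.123",
        "8.8.8.8",                # constructed: bare IP, plain UDP
        "tls://dns.example.net",  # constructed: DoT by hostname
    ],
    "default-nameserver": ["223.5.5.5", "119.29.29.29"],
    "nameserver-policy": {
        "geosite:cn,private": ["tls://1.12.12.12#", "tls://120.53.53.53"],
    },
}

def classify(entry):
    """Return (scheme, host, is_ip) for one nameserver entry."""
    url = entry if "://" in entry else "udp://" + entry  # bare IP = plain UDP
    parts = urlsplit(url)  # a trailing '#' parses as an empty fragment
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return parts.scheme.lower(), host, True
    except ValueError:
        return parts.scheme.lower(), host, False

def audit_dns(dns):
    """Return (section, entry, problem) for resolvers that can expose queries.
    default-nameserver is skipped: it only bootstraps resolver hostnames."""
    groups = {"nameserver": dns.get("nameserver", [])}
    for rule, servers in dns.get("nameserver-policy", {}).items():
        key = "nameserver-policy[%s]" % rule
        groups[key] = [servers] if isinstance(servers, str) else servers
    findings = []
    for section, servers in groups.items():
        for entry in servers:
            scheme, host, is_ip = classify(entry)
            if scheme in PLAINTEXT:
                findings.append((section, entry, "plaintext"))
            elif scheme not in ENCRYPTED:
                findings.append((section, entry, "unknown-scheme"))
            elif not is_ip:
                findings.append((section, entry, "needs-bootstrap"))
    return findings
```

With only the entries from the config above, `audit_dns` returns an empty list, since every resolver there is DoT addressed by IP.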

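How do you check whether a DNS server IP supports TLS encryption?

Test it with the command below. If a TLS certificate is returned, that DNS server IP supports encryption.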

openssl s_client -connect 208.67.222.123:853

// the TLS certificate information is returned

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 18 00:13:01 2024 GMT; NotAfter: Feb 16 00:12:01 2025 GMT
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
subject=C = US, ST = California, L = San Jose, O = Cisco Systems Inc., CN = doh.opendns.com
issuer=C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6066 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 39100A0B9E4F9A48B909EE49749F6EBA33AA75428CE8E23E4D943C37B36A1673
    Session-ID-ctx: 
    Resumption PSK: 3CA7BD955AF2D3A65FB2CC9AD14A018311E1493FAB50AD504DFB8AF735AF6500DE11D5B6055451240F15392CFE54F8F9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3a d9 53 b5 57 c3 2b 29-49 ee 77 f3 46 83 0e 11   :.S.W.+)I.w.F...
    0010 - 0d 6e ca d3 2c 83 a3 c5-bb 95 1b 62 73 a7 12 2d   .n..,......bs..-
    0020 - ad 90 2b 30 27 01 51 dc-0b fd 0b d0 ef dd 05 1d   ..+0'.Q.........
    0030 - c8 c9 a3 ec 30 3d af 7e-28 0d 0d 4d d6 eb 4e cf   ....0=.~(..M..N.
    0040 - c4 5d a3 0f 85 b0 da 61-78 d8 c9 a6 0c 21 b5 99   .].....ax....!..
    0050 - 3c 78 83 68 16 fc 0e 0e-46 fd 69 8b d8 56 19 3f   <x.h....F.i..V.?
    0060 - 9e ec bf c7 1b 17 34 db-cc 70 04 a6 0e 83 77 2f   ......4..p....w/
    0070 - 55 21 c6 56 88 74 d7 27-da 0f b6 35 84 a2 15 ca   U!.V.t.'...5....
    0080 - 8c 30 e8 5e 82 b7 b4 5b-ec 6c 92 5e f9 68 3e 83   .0.^...[.l.^.h>.
    0090 - 26 40 dd 5f 30 5a 24 42-7f 42 e6 65 3f 8b b2 e0   &@._0Z$B.B.e?...
    00a0 - 69 63 24 5b c0 61 06 f8-2e e2 38 56 33 18 9b 12   ic$[.a....8V3...
    00b0 - 6e 63 6d 6a 48 7f b4 41-b1 86 51 9f 1c 39 85 a7   ncmjH..A..Q..9..

    Start Time: 1726326129
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 867C8F11A24A1FBD046D00835607D67F07882D3A0B3C3D34C3B5B9EE4F64DB53
    Session-ID-ctx: 
    Resumption PSK: ABD6409713B4B041B6C0609D20428B430064EC0ACE2E4A2BF42023E189691FEB9E8002F41EE2A5357F55E1B6E6BAEAE6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3a d9 53 b5 57 c3 2b 29-49 ee 77 f3 46 83 0e 11   :.S.W.+)I.w.F...
    0010 - ad e8 a9 2e 05 69 f4 3f-c6 6e e4 cc 8d 4d 84 c6   .....i.?.n...M..
    0020 - ad 7c 99 b9 b6 5e 3f 72-ed da 9a 99 34 c5 74 5c   .|...^?r....4.t\
    0030 - 7d 86 77 96 f1 8c 11 da-44 12 4b a0 bd 81 e3 e0   }.w.....D.K.....
    0040 - d8 f8 b1 38 fd 0d 13 37-a7 5b ef 34 ea d8 06 42   ...8...7.[.4...B
    0050 - 07 f8 94 8d a3 b6 22 20-8c 69 69 da 56 40 8a e5   ......" .ii.V@..
    0060 - b7 93 e7 06 56 75 3e 44-b4 11 c3 9b 13 45 ce 75   ....Vu>D.....E.u
    0070 - 34 08 ac b8 97 59 b4 3e-20 dd 79 38 41 a0 7e 03   4....Y.> .y8A.~.
    0080 - ea d6 51 a9 46 e2 2d 51-75 54 a4 66 21 a0 1e b7   ..Q.F.-QuT.f!...
    0090 - 9f b6 da 3b b1 38 43 3d-0c 16 16 ca ac 29 d1 0c   ...;.8C=.....)..
    00a0 - 62 c6 34 47 38 27 32 9b-31 74 e4 d3 55 c6 ce 88   b.4G8'2.1t..U...
    00b0 - 3a a2 33 be 9b 19 a3 c5-0b d3 96 c2 d4 d9 8e 1d   :.3.............

    Start Time: 1726326129
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
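The same check as the `openssl s_client` run above, scripted so it can be applied to every IP in the `nameserver` list. This is an added example, not from the original post; `probe_dot` and its result keys are names chosen here. Besides confirming that the handshake completes with a chain the system CA store accepts, it reports whether the certificate lists the IP itself as a subject alternative name, which the bare `s_client` call does not check.

```python
import socket
import ssl

def probe_dot(ip, port=853, timeout=5.0):
    """Attempt a TLS handshake with a DNS server IP on the DoT port."""
    ctx = ssl.create_default_context()  # validates the chain against system CAs
    ctx.check_hostname = False          # name match is reported separately below
    result = {"ip": ip, "dot": False, "error": None}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                cert = tls.getpeercert()
                sans = cert.get("subjectAltName", ())
                result.update(
                    dot=True,
                    version=tls.version(),
                    subject=dict(rdn[0] for rdn in cert.get("subject", ())),
                    # string comparison, reliable for IPv4 literals
                    ip_in_san=("IP Address", ip) in sans,
                )
    except OSError as exc:  # refused, timed out, or TLS/chain failure
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result

if __name__ == "__main__":
    # IPs taken from the nameserver list in the config above
    for server in ("1.1.1.1", "208.67.222.123", "101.101.101.101"):
        print(probe_dot(server))
```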
