Resources
Feature overview
Using Shadowrocket, Quantumult X, or Clash? To avoid DNS leaks, check these options
Charles
2026-03-16 03:43
If you’re using Shadowrocket, Quantumult X, or Clash, pay attention! Many people think that once they connect to a node and their IP changes, everything is safe — but that’s not necessarily true.
If the settings are not configured correctly, DNS leaks can easily occur. Even though your traffic goes through the proxy IP, the DNS resolution requests may still go through your local network. When that happens, websites may still be able to identify your real network environment.
So today we’re going to talk about something important: if you’re using Shadowrocket, Quantumult X, or Clash, there are several key settings you should enable to effectively prevent DNS leaks.
1. First, understand what a DNS leak is
DNS can be understood as the “phone book” of the internet. When you visit a website, the system first uses DNS to resolve the domain name into an IP address before connecting to the server.
If your proxy tool only proxies traffic but does not proxy DNS requests, the following situation can occur:
• Website traffic goes through the proxy IP
• But DNS queries still come from your local network
• This is the common DNS leak problem.
Many websites actually don’t just check your IP directly. Instead, they use DNS leak detection to determine your real network environment. If the DNS still shows your local ISP, your location is essentially exposed.
2. DNS Leak Test is essential
Many people actually don’t know whether their DNS is leaking or not, so the first step should always be running a DNS leak test. The testing method is very simple:
• Open a DNS leak testing website
• Click start test
• Check the DNS server location
If you see any of the following results, there may be an issue:
• DNS shows your local ISP
• The DNS region does not match the proxy IP
• Multiple DNS sources appear
It’s recommended to run two types of checks: DNS leak detection and browser fingerprint detection. These tests can quickly reveal whether your environment is properly configured.
3. DNS settings you must enable in Shadowrocket / Quantumult X / Clash
| Tool | Platform Support | DNS Control Capability | Ease of Use | Recommended For |
|---|---|---|---|---|
| Shadowrocket | iOS | Flexible DNS settings with support for remote DNS | Easy | Everyday users |
| Quantumult X | iOS | Very detailed DNS control with customizable rules | Medium | Advanced users |
| Clash | Windows / Mac / Android | Strong DNS management with Fake-IP support | More complex | Technical users |
Although the interfaces of these tools are slightly different, the underlying principle is the same. If you want to avoid DNS leaks, these settings must be enabled.
1. Enable Remote DNS Resolution
Many tools have options such as:
• Remote DNS
• DNS over Proxy
• Use Remote DNS
Be sure to enable this option. It ensures that DNS queries also go through the proxy instead of the local network. This is the most critical step in preventing DNS leaks.
2. Disable Local DNS Fallback
Some tools include a backup DNS mechanism, such as:
• Fallback DNS
• System DNS
• If fallback is enabled, the system may automatically use local DNS when remote DNS becomes slow.
This may cause DNS leak detection to show local resolution. If you require a cleaner environment, it’s recommended to disable or carefully configure this setting.
3. Enable Fake-IP Mode (Important for Clash Users)
Many Clash users enable Fake-IP mode. The advantages include:
• DNS is handled entirely by the proxy
• Fewer local DNS requests
• More consistent network environment
For users who require a stable and consistent network setup, this setting is extremely useful.
4. Disable WebRTC Leaks
• Although this is not related to DNS, it often appears together with DNS issues. Many browser fingerprint detection websites also check WebRTC.
• If WebRTC is not handled properly, it may expose your real IP.
• The solution is to disable WebRTC in your browser or use privacy extensions.
4. Checking DNS + Fingerprint Together Is More Reliable
Many people only run a DNS leak test, but that’s not enough. A full environment check typically includes:
• IP address
• DNS servers
• WebRTC
• Browser fingerprint
• Time zone and language
You can use tools like ToDetect fingerprint checking websites. If the results show:
• DNS and IP locations match
• No WebRTC leak
• Normal browser fingerprint
Then your proxy environment is generally considered clean.
5. A Detail Many People Ignore in DNS Leak Detection
One detail many people overlook is the system DNS cache. Even if you modify your proxy settings, the system may still store old DNS records. It is recommended to:
• Reconnect the proxy
• Clear the DNS cache
• Run the DNS leak test again
This will give more accurate results.
Summary
If you are using Shadowrocket, Quantumult X, or Clash, make sure to enable remote DNS resolution so that DNS queries also go through the proxy, and disable local DNS fallback to prevent leaks.
Combine this with a full check using the ToDetect fingerprint tool. As long as the DNS, IP, and fingerprint environment are consistent, your network setup will be much cleaner and more stable.
Once these details are properly configured, your proxy environment will be cleaner, safer, and more reliable.
AD
