Many people think that as long as Clash or V2Ray connects to a node and web pages can be opened, the configuration is considered “successful.” But in many cases, your DNS requests may have already quietly “taken another route.”
When this happens, the problem is often not with the node or speed, but with the DNS settings in the Clash/V2Ray configuration file.
Next, let’s walk through how to prevent DNS leaks in Clash/V2Ray configuration files, along with detailed tutorials and testing methods to help you fix everything in one go.

DNS is like a “phone book” that translates domain names into IP addresses. When you visit a website, if the DNS request does not go through the proxy but is sent directly through the local network, a DNS leak occurs.
Common risks: exposing your real IP location, your ISP logging visited domains, reduced privacy and anonymity, and some platforms determining your region via DNS, causing proxy failure.
Especially when using Clash/V2Ray, if the DNS rules are not properly configured, leaks can still occur even if the proxy itself works fine.
Before adjusting configurations, it is recommended to run a DNS leak test. Common methods:
• Use online DNS leak testing websites
• Combine with browser fingerprint testing
• Use professional tools such as ToDetect fingerprint checker
The criteria are simple:
• If the DNS server shows a domestic IP → leak exists
• If DNS resolution matches the proxy exit → normal
It’s recommended to test before and after changes for comparison.
Clash users mainly fix this by editing config.yaml. Below is a practical and secure DNS configuration example:
```yaml
dns:
  enable: true
  listen: 0.0.0.0:53          # binds the DNS listener on every interface
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:                 # regular DNS
    - 1.1.1.1
    - 8.8.8.8
  fallback:                   # DoH (DNS over HTTPS)
    - https://1.1.1.1/dns-query
    - https://8.8.8.8/dns-query
  fallback-filter:
    geoip: true
    ipcidr:
      - 240.0.0.0/4
```
• enhanced-mode: fake-ip is recommended to effectively avoid DNS direct connections
• Use nameserver + fallback to combine regular DNS and DoH (DNS over HTTPS)
• ipv6: false prevents IPv6 from bypassing the proxy
• fallback-filter filters domestic resolution results
If you are using a subscription configuration, it is recommended to override the DNS section manually, outside the rules, so that it is not overwritten.
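
The four points above can be checked mechanically each time the configuration changes. The following is an added example, not part of the original article or of Clash itself: the function name `audit_clash_dns` is hypothetical, and it assumes the `dns:` section has already been parsed into a Python dict by a YAML loader.

```python
# Added example: audit the `dns:` section of a Clash config (already parsed
# into a dict) against the settings listed in the article.

def audit_clash_dns(config):
    """Return a list of findings; an empty list means every check passed."""
    dns = config.get("dns")
    if not isinstance(dns, dict) or dns.get("enable") is not True:
        return ["dns.enable is not true, so none of the dns settings apply"]
    findings = []
    if dns.get("enhanced-mode") != "fake-ip":
        findings.append("enhanced-mode is not fake-ip")
    if dns.get("ipv6") is True:
        findings.append("ipv6is true".replace("ipv6is", "ipv6 is"))
    fallback = dns.get("fallback") or []
    if not any(str(s).startswith("https://") for s in fallback):
        findings.append("fallback has no DoH (https://) upstream")
    if (dns.get("fallback-filter") or {}).get("geoip") is not True:
        findings.append("fallback-filter.geoip is not true")
    return findings

# The article's example config, as a YAML loader would return it.
ARTICLE_CONFIG = {"dns": {
    "enable": True, "listen": "0.0.0.0:53", "ipv6": False,
    "enhanced-mode": "fake-ip", "fake-ip-range": "198.18.0.1/16",
    "nameserver": ["1.1.1.1", "8.8.8.8"],
    "fallback": ["https://1.1.1.1/dns-query", "https://8.8.8.8/dns-query"],
    "fallback-filter": {"geoip": True, "ipcidr": ["240.0.0.0/4"]},
}}

# Constructed counter-example (192.0.2.53 is a documentation address).
WEAK_CONFIG = {"dns": {
    "enable": True, "enhanced-mode": "redir-host", "ipv6": True,
    "nameserver": ["192.0.2.53"],
}}

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_clash_dns(cfg) or "OK")
```
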
V2Ray users need to configure the DNS module in config.json:
```json
{
  "dns": {
    "servers": [
      "1.1.1.1",
      "8.8.8.8",
      {
        "address": "https://1.1.1.1/dns-query",
        "domains": ["geosite:geolocation-!cn"]
      }
    ]
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch"
  }
}
```
• Use DoH servers (such as Cloudflare) and domainStrategy to avoid direct DNS connections, prioritizing foreign domains through the proxy
• If using V2RayN or V2RayNG clients, ensure “bypass mainland China” rules are enabled and DNS is not set to system default
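
A matching check for the V2Ray side, as an added example that is not part of the original article or of V2Ray: the function name `audit_v2ray_dns` is hypothetical, the input is assumed to be strict JSON without comments, and the weak sample is constructed. It flags `localhost` (V2Ray's keyword for the system resolver) and `https+local://` (DoH that is sent directly instead of through routing).

```python
# Added example: audit the dns and routing sections of a V2Ray config.json.
import json

def audit_v2ray_dns(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = json.loads(config_text)
    servers = (cfg.get("dns") or {}).get("servers") or []
    if not servers:
        return ["dns.servers is empty or missing"]
    findings, has_doh = [], False
    for entry in servers:
        # A server is either a plain string or an object with "address".
        addr = entry.get("address", "") if isinstance(entry, dict) else str(entry)
        if addr == "localhost":
            findings.append("'localhost' server uses the system resolver")
        elif addr.startswith("https+local://"):
            findings.append(addr + " is DoH sent directly, not via routing")
        elif addr.startswith("https://"):
            has_doh = True
    if not has_doh:
        findings.append("no https:// (DoH) server configured")
    strategy = (cfg.get("routing") or {}).get("domainStrategy")
    if strategy != "IPIfNonMatch":
        findings.append("routing.domainStrategy is %r, the article's example "
                        "uses 'IPIfNonMatch'" % (strategy,))
    return findings

# The article's example config.
ARTICLE_CONFIG = """{
  "dns": {"servers": ["1.1.1.1", "8.8.8.8",
    {"address": "https://1.1.1.1/dns-query",
     "domains": ["geosite:geolocation-!cn"]}]},
  "routing": {"domainStrategy": "IPIfNonMatch"}
}"""

# Constructed counter-example.
WEAK_CONFIG = """{
  "dns": {"servers": ["localhost", "https+local://1.1.1.1/dns-query"]},
  "routing": {"domainStrategy": "AsIs"}
}"""

if __name__ == "__main__":
    for name, text in (("article", ARTICLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_v2ray_dns(text) or "OK")
```
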
| Configuration Type | Applicable Tools | Security | Difficulty | Recommended | Description |
|---|---|---|---|---|---|
| System default DNS | Clash / V2Ray | ⭐ | ⭐ | ❌ Not recommended | Fully relies on local network, highly prone to DNS leaks |
| Standard DNS (8.8.8.8 etc.) | Clash / V2Ray | ⭐⭐ | ⭐⭐ | ⚠️ Average | Foreign DNS but still may be hijacked or polluted |
| fake-ip mode | Clash | ⭐⭐⭐⭐ | ⭐⭐⭐ | ✅ Recommended | Uses virtual IP mapping to reduce DNS leak risks |
| redir-host mode | Clash | ⭐⭐⭐ | ⭐⭐ | ⚠️ Alternative | Better compatibility but some leak risk remains |
| DoH (DNS over HTTPS) | Clash / V2Ray | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ✅ Highly recommended | Encrypts DNS requests to prevent monitoring and pollution |
| DoT (DNS over TLS) | V2Ray | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ✅ Recommended | Encrypted transmission but slightly less compatible than DoH |
| Local DNS forwarding (e.g., AdGuard) | Clash / V2Ray | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ✅ Advanced | Custom rules available but more complex configuration |
| Global proxy + remote DNS | Clash / V2Ray | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ✅ Recommended | All traffic routed through proxy, most stable setup |
Chrome/Edge may enable secure DNS, which can bypass the proxy. Solution: disable “secure DNS” in the browser or manually set a DoH provider.
The system may cache old DNS results. Suggestions:
• Windows: run ipconfig /flushdns
• macOS: run sudo killall -HUP mDNSResponder
A WebRTC leak is a type of IP leak and often appears together with DNS issues. You can block it with browser extensions or disable WebRTC in settings.
The most common reason for a DNS leak is incorrect DNS configuration in Clash/V2Ray. For example, not enabling fake-ip mode or still using system default DNS, causing requests to bypass the proxy.
👉 Solution: force the use of proxy DNS (e.g., DoH) and disable direct system DNS resolution.
Some basic DNS leak tests only check surface results and cannot verify browser environment consistency.
👉 Suggestion: combine browser fingerprint detection or use ToDetect for a more comprehensive check.
This is a common compatibility issue. Some sites (especially banking or streaming) do not support fake-ip well.
👉 Solution: route specific domains via redir-host mode or allow direct connection in rules.
Even if DoH is set in Clash/V2Ray, browsers or systems may have independent DNS (such as Chrome secure DNS) that bypasses the proxy.
👉 Solution: disable browser secure DNS, clear system DNS cache, and ensure all traffic follows proxy rules.
In many cases, the issue is not with the proxy node but with configuration details. Proper DNS setup can eliminate most leak risks.
The key to solving DNS leaks in Clash/V2Ray is correct DNS configuration (fake-ip + DoH) and regular testing using tools like ToDetect.
Once you understand this, you won’t be stuck with the problem of “appearing normal but actually leaking.”