Skip to content
On this page

ClashT DNS

Since some parts of ClashT run on the Layer 3 (Network Layer), they would've been impossible to obtain domain names of the packets for rule-based routing.

Enter fake-ip. It enables rule-based routing, minimises the impact of DNS pollution attack and improves network performance, sometimes drastically.


The concept of "fake IP" addresses is originated from RFC 3089:

A "fake IP" address is used as a key to look up the corresponding "FQDN" information.

The default CIDR for the fake-ip pool is, a reserved IPv4 address space, which can be changed in dns.fake-ip-range.

When a DNS request is sent to the ClashT DNS, the core allocates a free fake-ip address from the pool, by managing an internal mapping of domain names and their fake-ip addresses.

Take an example of accessing with your browser.

  1. The browser asks ClashT DNS for the IP address of

  2. ClashT checks the internal mapping and returned

  3. The browser sends an HTTP request to on 80/tcp

  4. When receiving the inbound packet for, ClashT looks up the internal mapping and realises the client is actually sending a packet to

  5. Depending on the rules:

    1. ClashT may just send the domain name to an outbound proxy like SOCKS5 or shadowsocks and establish the connection with the proxy server

    2. or ClashT might look for the real IP address of, in the case of encountering a SCRIPT, GEOIP, IP-CIDR rule, or the case of DIRECT outbound

Being a confusing concept, I'll take another example of accessing with the cURL utility:

$ curl -v
<---- cURL asks your system DNS (ClashT) about the IP address of
----> ClashT decided should be used as and remembers it
*   Trying
<---- cURL connects to tcp/80
----> ClashT will accept the connection immediately, and..
* Connected to ( port 80 (#0)
----> ClashT looks up in its memory and found being
----> ClashT looks up in the rules and sends the packet via the matching outbound
> GET / HTTP/1.1
> Host:
> User-Agent: curl/8.0.1
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Location:
< Content-Type: text/html; charset=UTF-8
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ahELFt78xOoxhySY2lQ34A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri
< Date: Thu, 11 May 2023 06:52:19 GMT
< Expires: Sat, 10 Jun 2023 06:52:19 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<H1>301 Moved</H1>
The document has moved
<A HREF="">here</A>.
* Connection #0 to host left intact