关于 clash dns 的问题

policy 未命中就先丢给 nameserver
可以试试 respect-rules=true ，然后连接改成（ tls://8.8.4.4#代理组名称）
如果 nameserver-policy 不让用#指定代理组，就换个思路，policy 设置 geosite:cn 为 223.5.5.5 ，然后 nameserver 写 tls://8.8.4.4#代理组名称

@wangritian policy 未命中时，好像并未丢给 Nameserver: 223.5.5.5,因为我用 dns 检测网站检测时未发现境内 dns

难道 8.8.4.4 这种不应该走代理吗。

配置脱敏贴全，带上版本号

会解析失败，但如果你有在规则里配置域名类的，也不影响分流，这一步解析只是为了拿到 ip ，匹配 ip 类的规则

建议看 mihomo 的 dns 解析流程说明
或者直接看我发的 clash 配置 都贴上了 dns 解析流程

nameserver 具有兜底作用，其余 DNS 配置组失败的情况下会走到 nameserver 。

proxy-groups:
- name: 🚀 节点选择
proxies:
- openclash
- 直连
- hysteria
type: select
- name: 🏠 国内流量
proxies:
- 直连
- 🚀 节点选择
type: select
- name: 🌐 国外流量
proxies:
- 🚀 节点选择
- 直连
type: select
- name: 🛑 广告拦截
proxies:
- 阻断
- 直连
type: select
- name: 📺 YouTube
proxies:
- 🚀 节点选择
- 直连
type: select
- name: 🎬 Netflix
proxies:
- 🚀 节点选择
- 直连
type: select
- name: 🪟 Microsoft
proxies:
- 直连
- 🚀 节点选择
type: select
- name: 🧠 AI 服务
proxies:
- 🚀 节点选择
- 直连
- openclash
type: select
- name: 🖥 LAN 设备
proxies:
- 直连
- 🚀 节点选择
type: select
dns:
enable: true
ipv6: false
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
listen: 0.0.0.0:7874
fake-ip-filter-mode: blacklist
fake-ip-filter:
- "*.lan"
- "*.localdomain"
- "*.example"
- "*.invalid"
- "*.localhost"
- "*.test"
- "*.local"
- "*.home.arpa"
- "*.direct"
- cable.auth.com
- network-test.debian.org
- detectportal.firefox.com
- resolver1.opendns.com
- global.turn.twilio.com
- global.stun.twilio.com
- app.yinxiang.com
- injections.adguard.org
- "*.weixin.qq.com"
- "*.blzstatic.cn"
- "*.cmpassport.com"
- id6.me
- open.e.189.cn
- opencloud.wostore.cn
- id.mail.wo.cn
- mdn.open.wo.cn
- hmrz.wo.cn
- nishub1.10010.com
- enrichgw.10010.com
- "*.wosms.cn"
- "*.jegotrip.com.cn"
- "*.icitymobile.mobi"
- "*.pingan.com.cn"
- "*.cmbchina.com"
- "*.10099.com.cn"
- "*.microdone.cn"
- PDC._msDCS.*.*
- DC._msDCS.*.*
- GC._msDCS.*.*
- time.*.com
- time.*.gov
- time.*.edu.cn
- time.*.apple.com
- time-ios.apple.com
- time1.*.com
- time2.*.com
- time3.*.com
- time4.*.com
- time5.*.com
- time6.*.com
- time7.*.com
- ntp.*.com
- ntp1.*.com
- ntp2.*.com
- ntp3.*.com
- ntp4.*.com
- ntp5.*.com
- ntp6.*.com
- ntp7.*.com
- "*.time.edu.cn"
- "*.ntp.org.cn"
- "+.pool.ntp.org"
- time1.cloud.tencent.com
- music.163.com
- "*.music.163.com"
- "*.126.net"
- musicapi.taihe.com
- music.taihe.com
- songsearch.kugou.com
- trackercdn.kugou.com
- "*.kuwo.cn"
- api-jooxtt.sanook.com
- api.joox.com
- joox.com
- y.qq.com
- "*.y.qq.com"
- streamoc.music.tc.qq.com
- mobileoc.music.tc.qq.com
- isure.stream.qqmusic.qq.com
- dl.stream.qqmusic.qq.com
- aqqmusic.tc.qq.com
- amobile.music.tc.qq.com
- "*.xiami.com"
- "*.music.migu.cn"
- music.migu.cn
- "+.msftconnecttest.com"
- "+.msftncsi.com"
- ptlogin2.qq.com
- sec.qq.com
- "+.qq.com"
- "+.tencent.com"
- "+.srv.nintendo.net"
- "*.n.n.srv.nintendo.net"
- "+.cdn.nintendo.net"
- "+.stun.playstation.net"
- xbox.*.*.microsoft.com
- "*.*.xboxlive.com"
- xbox.*.microsoft.com
- xnotify.xboxlive.com
- "+.battle.net"
- "+.battlenet.com.cn"
- "+.wotgame.cn"
- "+.wggames.cn"
- "+.wowsgame.cn"
- "+.wargaming.net"
- proxy.golang.org
- stun.*.*
- stun.*.*.*
- "+.stun.*.*"
- "+.stun.*.*.*"
- "+.stun.*.*.*.*"
- "+.stun.*.*.*.*.*"
- heartbeat.belkin.com
- "*.linksys.com"
- "*.linksyssmartwifi.com"
- "*.router.asus.com"
- mesu.apple.com
- swscan.apple.com
- swquery.apple.com
- swdownload.apple.com
- swcdn.apple.com
- swdist.apple.com
- lens.l.google.com
- stun.l.google.com
- na.b.g-tun.com
- "+.nflxvideo.net"
- "*.square-enix.com"
- "*.finalfantasyxiv.com"
- "*.ffxiv.com"
- "*.ff14.sdo.com"
- ff.dorado.sdo.com
- "*.mcdn.bilivideo.cn"
- "+.media.dssott.com"
- shark007.net
- "+.cmbchina.com"
- "+.cmbimg.com"
- local.adguard.org
- "+.sandai.net"
- "+.n0808.com"
- "+.uu.163.com"
- ps.res.netease.com
- "+.pub.3gppnetwork.org"
- "*.jsdelivr.net"
- testingcf.jsdelivr.net
- vps.779886.xyz
nameserver:
- 114.114.114.114
default-nameserver:
- 114.114.114.114
nameserver-policy:
"+.cn":
- 114.114.114.114
"geosite:cn":
- 114.114.114.114
"geosite:private":
- 114.114.114.114
"geosite:microsoft":
- 114.114.114.114
proxy-server-nameserver:
- https://1.1.1.1/dns-query
- https://8.8.8.8/dns-query
fallback:
- https://1.1.1.1/dns-query
- https://8.8.8.8/dns-query
fallback-filter:
geoip: true
geoip-code: CN
redir-port: 7892
tproxy-port: 7895
port: 7890
socks-port: 7891
mixed-port: 7893
mode: rule
allow-lan: true
external-controller: 0.0.0.0:9090
secret: 999999
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
external-ui-name: metacubexd
keep-alive-interval: 15
keep-alive-idle: 600
ipv6: false
tcp-concurrent: true
sniffer:
enable: true
override-destination: true
parse-pure-ip: false
sniff:
QUIC:
ports:
- 443
TLS:
ports:
- 443
force-domain:
- "+.netflix.com"
- "+.nflxvideo.net"
- "+.amazonaws.com"
- "+.media.dssott.com"
skip-domain:
- "+.apple.com"
- dlg.io.mi.com
- "+.oray.com"
- "+.sunlogin.net"
- "+.push.apple.com"
tun:
enable: true
stack: system
device: utun
dns-hijack:
- 127.0.0.1:53
endpoint-independent-nat: true
auto-route: true
auto-detect-interface: true
auto-redirect: true
strict-route: false
mtu: 1400
profile:
store-selected: true
store-fake-ip: true
authentication:
- Clash:999999999
rule-providers:
LAN:
type: http
behavior: classical
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/LAN.yaml
path: ./rule_provider/LAN
interval: 86400
AI:
behavior: classical
interval: 86400
path: ./rule_provider/AI
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/AI%20Suite.yaml
Advertising:
behavior: classical
interval: 86400
path: ./rule_provider/Advertising
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/AdBlock.yaml
Domestic:
behavior: classical
interval: 86400
path: ./rule_provider/Domestic
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Domestic.yaml
Microsoft:
behavior: classical
interval: 86400
path: ./rule_provider/Microsoft
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Microsoft.yaml
Netflix:
behavior: classical
interval: 86400
path: ./rule_provider/Netflix
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/Netflix.yaml
YouTube:
behavior: classical
interval: 86400
path: ./rule_provider/YouTube
type: http
url: https://testingcf.jsdelivr.net/gh/dler-io/Rules@main/Clash/Provider/Media/YouTube.yaml
rules:
- IP-CIDR,23.94.66.29/32,🏠 国内流量
- IP-CIDR,8.133.125.0/24,🏠 国内流量
- DOMAIN,vps.779886.xyz,🏠 国内流量
- RULE-SET,LAN,🖥 LAN 设备
- RULE-SET,Advertising,🛑 广告拦截
- RULE-SET,YouTube,📺 YouTube
- RULE-SET,Netflix,🎬 Netflix
- RULE-SET,Microsoft,🪟 Microsoft
- RULE-SET,AI,🧠 AI 服务
- RULE-SET,Domestic,🏠 国内流量
- GEOIP,cn,🏠 国内流量
- MATCH,🌐 国外流量


请各位大佬指点，这个配置要怎么优化，线路不好是不是不要用 fakeip 模式会好点

@mezi04 能走到 dns 这一步，自然是域名规则未命中的小众网站

@MCC12138 问题是 policy 的目的就是提前排除掉不需要 nameserver 兜底的域名，我这里是排除掉!cn

@yyysuo 域名规则未命中的小众网站，就会走到 dns 这一步，所以我问 policy 再次未命中时会怎地走