Reading tip
Identify the scenario first, then follow the checks in order. Jump to the linked download, subscription or configuration page when the issue becomes specific.
Three Terms First
- nameserver: the default resolver list.
- fallback: alternate resolvers used for selected domains or abnormal results.
- enhanced-mode: the DNS handling mode, commonly fake-ip or redir-host; it affects how domains are restored from IP addresses and how rules match.
Check Order
- Disable complex overrides and keep only the DNS config generated by the current profile.
- Confirm whether enhanced-mode is fake-ip or redir-host.
- Read logs for the resolved domain and the final matched rule.
- If only some sites fail, add fake-ip-filter entries or adjust nameserver-policy.
- If everything fails, restore system DNS or disable TUN, then enable settings one at a time.
fake-ip or redir-host?
| Mode | Strength | Watch For |
|---|---|---|
| fake-ip | Often stronger for transparent proxy and rule matching | Some LAN, banking, gaming, casting and time services need filters |
| redir-host | Easier to reason about because real records remain visible | Complex routing can lose domain context more easily |
Common Filter Example
```yaml
dns:
  enable: true
  enhanced-mode: fake-ip
  fake-ip-filter:
    - '*.lan'
    - '*.local'
    - time.*.com
    - '+.ntp.org'
```
The example shows placement only. Adjust domains based on logs and device behavior.
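To see which logged domains a filter list actually exempts from fake-ip, the following added example (not code from the client or this page's project) checks domains against the four patterns above. The wildcard semantics are an assumption based on Clash's documented domain matching (`*` is exactly one label, `+.` is the domain plus any subdomain, a leading `.` is subdomains only); the function names and sample domains are constructed.

```python
# Added example: decide which domains a fake-ip-filter list would exempt.
# Assumed wildcard semantics (verify against your client's documentation):
#   '*'  matches exactly one label
#   '+.' matches the domain itself and any subdomain
#   '.'  (leading) matches any subdomain but not the domain itself

FILTERS = ["*.lan", "*.local", "time.*.com", "+.ntp.org"]  # from the example above


def _labels(name):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def matches(pattern, domain):
    """Return True if domain is covered by one fake-ip-filter pattern."""
    d = _labels(domain)
    if pattern.startswith("+."):
        suffix = _labels(pattern[2:])
        return len(d) >= len(suffix) and d[-len(suffix):] == suffix
    if pattern.startswith("."):
        suffix = _labels(pattern[1:])
        return len(d) > len(suffix) and d[-len(suffix):] == suffix
    p = _labels(pattern)
    if len(p) != len(d):  # '*' never spans more than one label
        return False
    return all(pl == "*" or pl == dl for pl, dl in zip(p, d))


def classify(domains, filters=FILTERS):
    """Map each domain to the first matching pattern, or None (gets a fake IP)."""
    return {dom: next((f for f in filters if matches(f, dom)), None)
            for dom in domains}


# Constructed sample of domains, as might be collected from client logs.
SAMPLE = ["printer.lan", "nas.home.lan", "time.apple.com", "pool.ntp.org",
          "0.pool.ntp.org", "ntp.org", "bank.example.com"]

if __name__ == "__main__":
    for domain, rule in classify(SAMPLE).items():
        state = f"real IP (filter {rule})" if rule else "fake IP"
        print(f"{domain:20} {state}")
```

Under these semantics `nas.home.lan` is not covered by `'*.lan'` and still receives a fake IP; a `'+.lan'` entry would be needed to cover multi-level LAN names.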
Reducing DNS Leaks
- Avoid letting the system, browser and client use conflicting DNS policies.
- In TUN mode, confirm DNS hijack and routing are both active.
- Do not publish internal domain names or log screenshots that reveal private network details.