6. DNS and hosts#


DNS is central to transparent proxying and TUN. Many cases where "rules do not take effect" come down to Link1 never having seen the domain name: it only saw a destination IP, so domain rules had nothing to match.

Minimal DNS Configuration#

dns:
  enable: true
  listen: 127.0.0.1:1053
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  nameserver:
    - https://223.5.5.5/dns-query
    - tls://223.5.5.5:853

Practical impact:

DNS Server Syntax#

Link1 supports the following DNS upstream formats:

| Format | Protocol | Example | Description |
|---|---|---|---|
| 1.1.1.1 | UDP | 1.1.1.1 | Treated as UDP DNS when no scheme is specified |
| udp://host:53 | UDP | udp://8.8.8.8:53 | Explicit UDP |
| tcp://host:53 | TCP | tcp://8.8.8.8:53 | TCP DNS |
| tls://host:853 | DoT | tls://1.1.1.1:853 | DNS over TLS |
| quic://host:853 | DoQ | quic://dns.adguard-dns.com:853 | DNS over QUIC |
| https://host/dns-query | DoH | https://dns.google/dns-query | DNS over HTTPS |
| http://host/dns-query | HTTP DNS | http://127.0.0.1:8053/dns-query | Plaintext HTTP DNS |
| system:// | System DNS | system:// | Use the system resolver |
| dhcp://iface | DHCP DNS | dhcp://eth0 | Obtain DNS from DHCP on the specified interface |
| rcode://name | Fixed RCode | rcode://refused | Used for testing or blocking |
| openvpn://name | OpenVPN Dynamic DNS | openvpn://ovpn-node | Use DNS provided by the OpenVPN egress |
| tailscale://name / ts://name | Tailscale MagicDNS | ts://tailnet | Use MagicDNS / tailnet DNS from the Tailscale egress |

DoH can specify HTTP/3 through a URL fragment:

nameserver:
  - https://dns.google/dns-query#h3=true

You can also use a fragment to select a routing egress:

nameserver:
  - https://dns.google/dns-query#PROXY
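The upstream syntax above is small enough to parse by hand. The following Python is an added example, not Link1's own code: it turns each nameserver entry into its scheme, host, port, path and fragment options (scheme-less entries become UDP on 53, `#h3=true` requests HTTP/3, any other fragment is read as an egress name), and flags the entries that send queries in the clear, which is the check a reviewer of such a config usually wants first. The default ports and the fragment interpretation are taken from the table and examples above; the `Upstream` class, `parse_upstream` and `plaintext_upstreams` names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Default ports per scheme, as listed in the syntax table above.
DEFAULT_PORTS = {"udp": 53, "tcp": 53, "tls": 853, "quic": 853, "https": 443, "http": 80}

# Schemes whose "host" part is a name (interface, rcode, egress), not a network address.
NAMED_SCHEMES = {"system", "dhcp", "rcode", "openvpn", "tailscale", "ts"}

# Transports that carry queries in the clear (scheme-less entries become udp).
PLAINTEXT_SCHEMES = {"udp", "tcp", "http"}


@dataclass
class Upstream:
    scheme: str
    host: str = ""                 # hostname/IP, or the name after :// for NAMED_SCHEMES
    port: Optional[int] = None
    path: str = ""
    h3: bool = False               # DoH over HTTP/3 requested via '#h3=true'
    egress: Optional[str] = None   # routing egress selected via a fragment such as '#PROXY'


def parse_upstream(spec: str) -> Upstream:
    """Parse one nameserver entry into its parts.

    Follows the syntax table and fragment examples above: no scheme means UDP
    on port 53, '#h3=true' switches DoH to HTTP/3, and any other fragment names
    the egress the query is routed through.
    """
    if "://" not in spec:
        spec = "udp://" + spec
    parts = urlsplit(spec)
    scheme = parts.scheme.lower()
    up = Upstream(scheme=scheme)
    if scheme in NAMED_SCHEMES:
        up.host = parts.netloc
    else:
        up.host = parts.hostname or ""
        up.port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
        up.path = parts.path
    if parts.fragment:
        key, _, value = parts.fragment.partition("=")
        if key.lower() == "h3":
            up.h3 = value.lower() in ("1", "true", "yes")
        else:
            up.egress = parts.fragment
    return up


def plaintext_upstreams(specs: List[str]) -> List[str]:
    """Return the entries whose transport is unencrypted, for a config review."""
    return [s for s in specs if parse_upstream(s).scheme in PLAINTEXT_SCHEMES]


if __name__ == "__main__":
    # Constructed sample: the nameserver list from the minimal configuration plus two plaintext entries.
    sample = ["https://223.5.5.5/dns-query", "tls://223.5.5.5:853", "8.8.8.8", "http://127.0.0.1:8053/dns-query"]
    for s in sample:
        print(s, "->", parse_upstream(s))
    print("plaintext:", plaintext_upstreams(sample))
```

Running it on a real configuration's nameserver, fallback and default-nameserver lists gives a quick inventory of which upstreams are encrypted and which egress each one is pinned to.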

DNS Field Reference#

| Field | Meaning | Practical impact |
|---|---|---|
| enable | Enables the DNS module | DNS/Fake-IP does not work when disabled |
| prefer-h3 | Prefer HTTP/3 for DoH | Affects transport for https:// DNS upstreams |
| listen | DNS service listen address | Used by the system, router, or TUN hijack for queries |
| ipv6 | Whether DNS returns IPv6 records | Also limited by the top-level ipv6 setting |
| ipv6-timeout | IPv6 query wait time, in milliseconds | Affects wait time during dual-stack resolution |
| enhanced-mode | normal or fake-ip | Fake-IP mode improves domain-rule hits |
| fake-ip-range | IPv4 Fake-IP pool | Default: 198.18.0.1/16 |
| fake-ip-range6 | IPv6 Fake-IP pool | Used for IPv6 Fake-IP |
| fake-ip-filter | Domains that do not receive Fake-IP addresses | Commonly used for LAN and connectivity-check domains |
| fake-ip-filter-mode | Filter mode | Usually blacklist |
| fake-ip-ttl | Fake-IP DNS TTL | Affects client cache duration |
| cache-algorithm | DNS cache algorithm | Affects cache eviction strategy |
| cache-max-size | DNS cache limit | Too small increases queries; too large uses more memory |
| default-nameserver | DNS used to resolve upstream DNS domain names | Solves bootstrap for DoH/DoT upstream domains |
| nameserver | Default DNS upstream | Used for normal domain resolution |
| fallback | Backup DNS upstream | Used with fallback-filter |
| fallback-filter | Conditions for using fallback | Evaluated by GeoIP/GeoSite/domain/ipcidr |
| proxy-server-nameserver | DNS used to resolve proxy server domain names | Prevents proxy server domains from being affected by normal routing |
| proxy-server-nameserver-policy | DNS routing policy for proxy servers | Specifies DNS separately for proxy server domains |
| direct-nameserver | DNS for direct connections | Used for resolution on the direct path |
| direct-nameserver-follow-policy | Whether direct DNS follows policy | Affects whether directly connected domains still use policy-based DNS routing |
| respect-rules | Whether DNS respects routing rules | Lets DNS queries choose an egress closer to the final route |
| use-hosts | Use hosts from the configuration | Enables static domain overrides |
| use-system-hosts | Use the system hosts file | Enables /etc/hosts or platform hosts |
| nameserver-policy | Specify DNS by domain/ruleset | Implements DNS routing |

Fake-IP#

How Fake-IP works:

The client queries api.example.com
  -> Link1 answers with 198.18.0.10 from the Fake-IP pool
The client connects to 198.18.0.10:443
  -> Link1 reverse-maps 198.18.0.10 to api.example.com
  -> Domain rules can now match the connection

Suitable for:

Not suitable for, or should be filtered for:

Example:

dns:
  enhanced-mode: fake-ip
  fake-ip-filter:
    - '*.lan'
    - '+.local'
    - 'dns.msftncsi.com'

nameserver-policy#

Specify different DNS upstreams by domain:

dns:
  nameserver:
    - https://dns.google/dns-query
  nameserver-policy:
    '+.corp.example.com':
      - openvpn://corp-vpn
    '+.tailnet.ts.net':
      - ts://tailnet
    'geosite:cn':
      - https://223.5.5.5/dns-query
    'rule-set:private':
      - system://
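The Fake-IP flow above and the nameserver-policy lookup share one ingredient: matching a domain against patterns such as '+.local' and '*.lan'. The Python below is an added example, not Link1's code, that models both: a `FakeIPPool` that hands out addresses from fake-ip-range, skips domains on fake-ip-filter, and reverse-maps a destination IP back to its domain, and a `select_nameserver` function that picks the upstream list for a domain from nameserver-policy. The pattern semantics ('+.' covers the domain and all subdomains, '*.' exactly one label, bare names match exactly), the first-match-in-declaration-order policy and the allocation order inside the pool are assumptions; 'geosite:' and 'rule-set:' keys are decided by a caller-supplied callback because the data sets are not part of the example.

```python
import ipaddress
from typing import Callable, Dict, List, Optional


def match_domain(pattern: str, domain: str) -> bool:
    """Domain-pattern semantics assumed here (the Clash-family convention):
    '+.example.com' matches example.com and every subdomain,
    '*.example.com' matches exactly one extra label (a.example.com, not b.a.example.com),
    a bare name matches exactly.
    """
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern.startswith("+."):
        suffix = pattern[2:]
        return domain == suffix or domain.endswith("." + suffix)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return domain.endswith("." + suffix) and "." not in domain[: -len(suffix) - 1]
    return domain == pattern


class FakeIPPool:
    """Hands out addresses from fake-ip-range and remembers both directions of the mapping."""

    def __init__(self, fake_ip_range: str, fake_ip_filter: List[str]):
        self.network = ipaddress.ip_network(fake_ip_range, strict=False)
        self.filters = fake_ip_filter
        self.domain_to_ip: Dict[str, str] = {}
        self.ip_to_domain: Dict[str, str] = {}
        # Constructed choice: skip the first two addresses, hand out the rest in order.
        self._next = int(self.network.network_address) + 2

    def is_filtered(self, domain: str) -> bool:
        """True for domains that must get a real answer (LAN names, connectivity checks)."""
        return any(match_domain(p, domain) for p in self.filters)

    def answer(self, domain: str) -> Optional[str]:
        """Fake-IP for domain; None means 'filtered, resolve it for real'."""
        domain = domain.lower().rstrip(".")
        if self.is_filtered(domain):
            return None
        if domain in self.domain_to_ip:          # stable mapping while the entry lives
            return self.domain_to_ip[domain]
        addr = ipaddress.ip_address(self._next)
        if addr not in self.network:
            raise RuntimeError("fake-ip-range exhausted")
        self._next += 1
        self.domain_to_ip[domain] = str(addr)
        self.ip_to_domain[str(addr)] = domain
        return str(addr)

    def reverse(self, ip: str) -> Optional[str]:
        """The domain behind a Fake-IP destination, so domain rules can match the connection."""
        return self.ip_to_domain.get(ip)


def select_nameserver(domain: str, nameserver_policy: Dict[str, List[str]], nameserver: List[str],
                      in_category: Callable[[str, str], bool] = lambda key, d: False) -> List[str]:
    """Pick the upstream list for domain: the first matching nameserver-policy key wins
    (declaration order, an assumption), otherwise the default nameserver list.
    'geosite:' / 'rule-set:' keys are answered by in_category(key, domain)."""
    for key, servers in nameserver_policy.items():
        if key.startswith(("geosite:", "rule-set:")):
            if in_category(key, domain):
                return servers
        elif match_domain(key, domain):
            return servers
    return nameserver


if __name__ == "__main__":
    # Constructed walk-through of the Fake-IP flow and the policy from the examples above.
    pool = FakeIPPool("198.18.0.1/16", ["*.lan", "+.local", "dns.msftncsi.com"])
    fake = pool.answer("api.example.com")
    print("api.example.com ->", fake, "-> reverse:", pool.reverse(fake))
    print("router.lan ->", pool.answer("router.lan"))   # None: filtered, real resolution
    policy = {"+.corp.example.com": ["openvpn://corp-vpn"], "+.tailnet.ts.net": ["ts://tailnet"],
              "geosite:cn": ["https://223.5.5.5/dns-query"], "rule-set:private": ["system://"]}
    print("git.corp.example.com ->", select_nameserver("git.corp.example.com", policy, ["https://dns.google/dns-query"]))
```

The filter check runs before allocation, which is why a domain such as router.lan never appears in the reverse map: a connection to its real address carries no domain context and must be matched by IP rules instead.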

Practical impact:

fallback-filter#

dns:
  fallback:
    - https://1.1.1.1/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    geosite:
      - geolocation-!cn
    domain:
      - '+.google.com'
    ipcidr:
      - 240.0.0.0/4

Meaning: when the default DNS returns an unexpected result, use the fallback result. A common use case is reducing the impact of DNS pollution.

Field impact:

| Field | Meaning |
|---|---|
| geoip | Determines whether to use fallback based on GeoIP |
| geoip-code | Expected country/region code |
| geosite | Triggers fallback based on GeoSite category |
| domain | Triggers fallback based on domain pattern |
| ipcidr | Triggers fallback based on returned IP CIDR |
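The fallback-filter fields split into two kinds of decision: some are known before the query is sent (domain, geosite), the others can only be made once the default upstream has answered (ipcidr, geoip). The Python below is an added example, not Link1's code, that applies the configuration above to sample answers. Its reading of the fields is an assumption: listed domains and geosite categories go straight to fallback; an answer is discarded in favour of fallback when any returned IP falls in an ipcidr range or, with geoip on, when its country is not geoip-code. The GeoIP lookup is a constructed stand-in built on TEST-NET prefixes, and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class FallbackFilter:
    geoip: bool = False
    geoip_code: str = "CN"
    geosite: List[str] = field(default_factory=list)
    domain: List[str] = field(default_factory=list)
    ipcidr: List[str] = field(default_factory=list)


def suffix_match(pattern: str, domain: str) -> bool:
    """'+.suffix' matches suffix and every subdomain; a bare name matches exactly (assumed semantics)."""
    if pattern.startswith("+."):
        return domain == pattern[2:] or domain.endswith("." + pattern[2:])
    return domain == pattern


def query_goes_to_fallback(domain: str, f: FallbackFilter,
                           in_geosite: Callable[[str, str], bool] = lambda cat, d: False) -> bool:
    """Decided before any query is sent: domains listed under `domain` or matched by a
    `geosite` category are resolved by the fallback upstream directly."""
    domain = domain.lower().rstrip(".")
    return (any(suffix_match(p, domain) for p in f.domain)
            or any(in_geosite(cat, domain) for cat in f.geosite))


def answer_goes_to_fallback(ips: List[str], f: FallbackFilter,
                            country_of: Callable[[str], Optional[str]]) -> bool:
    """Decided after the default upstream answered: an IP inside any `ipcidr` range, or
    (with `geoip` on) an IP whose country is not `geoip_code`, discards the default answer."""
    nets = [ipaddress.ip_network(c, strict=False) for c in f.ipcidr]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            return True
        if f.geoip and country_of(ip) != f.geoip_code:
            return True
    return False


def resolve(domain: str, default_answer: List[str], fallback_answer: List[str], f: FallbackFilter,
            country_of: Callable[[str], Optional[str]],
            in_geosite: Callable[[str, str], bool] = lambda cat, d: False) -> Tuple[str, List[str]]:
    """Return ("default" | "fallback", ips): which upstream's answer the client receives."""
    if query_goes_to_fallback(domain, f, in_geosite):
        return "fallback", fallback_answer
    if answer_goes_to_fallback(default_answer, f, country_of):
        return "fallback", fallback_answer
    return "default", default_answer


# Constructed stand-in for a GeoIP database: TEST-NET prefixes with made-up country codes.
_SAMPLE_GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "CN",
                 ipaddress.ip_network("198.51.100.0/24"): "US"}


def sample_country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, code in _SAMPLE_GEOIP.items():
        if addr in net:
            return code
    return None  # unknown address: not geoip_code, so the fallback answer wins


if __name__ == "__main__":
    # The fallback-filter block from the example above, applied to constructed answers.
    f = FallbackFilter(geoip=True, geoip_code="CN", geosite=["geolocation-!cn"],
                       domain=["+.google.com"], ipcidr=["240.0.0.0/4"])
    print(resolve("www.example.cn", ["203.0.113.9"], ["198.51.100.7"], f, sample_country_of))
    print(resolve("www.example.cn", ["240.1.2.3"], ["198.51.100.7"], f, sample_country_of))
    print(resolve("www.google.com", ["203.0.113.9"], ["198.51.100.7"], f, sample_country_of))
```

The ipcidr entry 240.0.0.0/4 covers the reserved class E space, which is one of the shapes a polluted answer takes; an answer landing there is the clearest signal that the default upstream's result should not be trusted.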

hosts#

Static hosts:

hosts:
  router.lan: 192.168.9.1
  api.local:
    - 10.0.0.10
    - 10.0.0.11

Practical impact:

hosts-providers#

Load hosts from an external file or URL:

hosts-providers:
  intranet:
    type: file
    path: ./hosts/intranet.hosts

  remote-hosts:
    type: http
    url: https://example.com/hosts.txt
    path: ./hosts/remote.hosts
    interval: 3600
    proxy: DIRECT

Field impact:

| Field | Meaning |
|---|---|
| type | file or http |
| path | Local file or cache path |
| url | HTTP download URL |
| interval | Refresh interval, in seconds |
| dialer-proxy / proxy | Egress used for download |
| header | HTTP request headers |
| size-limit | Download size limit |

Relationship Between DNS and Rules#

Domain rules depend on domain context, and IP rules depend on IP context. For TUN/transparent proxying, the following is recommended:

dns:
  enable: true
  enhanced-mode: fake-ip

tun:
  enable: true
  dns-hijack:
    - any:53

sniffer:
  enable: true

This gives the rule engine both domain and IP context wherever possible: Fake-IP preserves the domain for connections that went through DNS, dns-hijack makes sure those queries actually reach Link1, and the sniffer recovers the domain for connections that did not.