Clash: DNS upstream timeout is too short

Created on 6 Mar 2019  ·  16 Comments  ·  Source: Dreamacro/clash

When using a fallback DNS server, 1 second is too short for an upstream DNS query, especially when the DNS server is reached via a proxy. This behavior may cause many ServFail DNS responses from clash.

https://github.com/Dreamacro/clash/blob/e7997a035bfcbc943c0b71de2b0367a8183e8676/dns/client.go#L94

When using a 1-second timeout, some domains may fail the first time but succeed on subsequent attempts, which causes many kinds of DNS errors in Chrome. I tried increasing the timeout to 4 seconds. Then all these errors disappeared.

I suggest adding an option like upstream-timeout, or something retry-like as in #103.

Any ideas?

Most helpful comment

How about adding a config option so that when DNS resolution fails we don't close the connection directly but instead skip IP-type rules? @Fndroid @comzyh, a timeout that is too long will hurt the actual experience.

All 16 comments

I have no idea why DNS requests time out. I think 1 second is enough for a DNS request. Even with dig against 8.8.8.8, the response always returns in 60ms.

I can't use 8.8.8.8 or 1.1.1.1 directly under my network conditions; they are blocked. I must use 8.8.8.8 through a proxy. Then the DNS query latency depends on the proxy's latency, which is unstable.

I prefer it not to be a question of the request timeout. Let's discuss your expectations first: you want to get the "real IP". However, in clash, the "real IP" may not be required. The response IP passes through the rules, and the original domain is sent to the outbound proxy.

On the other side, the experience of "DNS over SOCKS5" is terrible. When your DNS request times out (1s), you should think about whether something is wrong with what you are using.

Reply to the first question.

If you have a few more users, you must use fallback-dns (I mean you cannot leave fallback-dns empty). Let me explain.

I know what you want to say: though the user gets an incorrect IP, clash can get the correct domain name, and the TCP connection may be established correctly.

But if you have a few more users, the number of domains becomes larger. And you know the set of poisoned IPs is limited (around 70-80) nowadays. Collisions are very, very likely (multiple domains resolving to the same incorrect IP address); this can cause many problems that are hard to reproduce.

If you can't omit dns-fallback, then latency becomes a problem. When the upstream times out, the clash DNS server will reply ServFail to the client rather than an incorrect IP, which means the client doesn't get any IP address at all. Then the client will not try to establish any TCP connection. Then enhanced-mode will not work at all.

Reply to the second question.

I'm using a reliable proxy now. It's not perfect, but it's good enough. Under usual conditions, latency is 70-100ms (targeting Google HK), but sometimes the latency of all the proxy backends (including backends not selected) increases to 4000ms+ (tested with the clash web front-end).

I'm still analyzing this issue and I can't figure it out now. So I'm sorry I can't tell the true reason.

But I can confirm it's related to DNS. If I change fallback-dns to some other DNS server (like USTC) which does not need the proxy, though I still get some DNS problems, the backend latency is restored to 70-100ms.

This is why I created this issue. I think this is an avalanche effect. If a client cannot get the correct IP, the client will retry, which increases the load on the proxy backend, leading to higher latency. Higher latency leads to more DNS timeouts and more ServFail. Then the malfunction is not recoverable.

I don't think #105 is elegant enough. I am trying to find an elegant way to switch requests to the fallback mode while minimizing request time. Do polluted DNS responses have any characteristic?

Are you talking about #95?

Yep, #105 is a solution, but not elegant enough.

It seems that the "connection reset" that ClashX and Clash for Windows show in some situations is caused by this timeout:

I think a dns-failed option could be added.

How about adding a config option so that when DNS resolution fails we don't close the connection directly but instead skip IP-type rules? @Fndroid @comzyh, a timeout that is too long will hurt the actual experience.

@Dreamacro I'm currently working around this by configuring multiple DNS servers. Adding a config option to solve it should be more reliable.

That works too; that way it would eventually reach MATCH, which is also quite reasonable.

If both the inbound and the outbound support Host, then doing it this way is fine; I have no other ideas.

However, the problem I ran into is when Clash is used as a DNS server; in that case raising the timeout somewhat wouldn't have any adverse effect.

Could separate timeouts be set for "rule resolution" and "DNS service"?

Why is Reset related to DNS? I don't quite understand.

https://github.com/Dreamacro/clash/blob/master/tunnel/tunnel.go#L173

Understood, thanks.
https://github.com/Dreamacro/clash/blob/744728cb842080063d3ac9e744d11ce2c50d34e7/tunnel/tunnel.go#L171-L174
