How to allow-insecure to my DoH server?

[hamedsbt]

Hi, I have my own DoH server on the server's IP and I want to use it as "default-nameserver"
Because I can't afford to buy valid ssl cert for it I would like to skip error:
re-creating the http client due to requesting https://185.101.51.22:443/dns-query: Get "https://185.101.51.22:443/dns-query?dns=AAABAAABAAAAAAAAA2RvcQhjYXB0bmVtbwJpbgAAHAAB": tls: failed to verify certificate: x509: cannot validate certificate for 185.101.51.22 because it doesn't contain any IP SANs

Could you help me please?!

[qixing-jk]

Maybe you should read the documentation first, even though it's in Chinese which is not so friendly to you!

Actually the documentation has the answer https://wiki.metacubex.one/en/config/dns/#doh

[hamedsbt]

Thank you for your reply.
I had read the doc before I asked and I couldn't find the solution or perhaps I didn't understand the existing solution.

Well, in my reign all DNS requests are redirected to blocking systems, and most DoH/DoH are blocked by their domain addresses at the DNS query level.
So I need provide the IP manually to the ClashMeta core.
Assuming the dns.cloudflare.com domain is NOT blocked but the DNS request for it is blocked and returns a fake result for it (e.g, the IP 40.30.20.10) how I can provide the correct IP to the ClashMeta core?!

I tried this DNS config:

dns:
  enable: true
  use-system-hosts: false
  respect-rules: true
  use-hosts: true
  hosts:
    'dns.cloudflare.com': '104,16,139,229'
  nameserver-policy:
    'dns.cloudflare.com': '104,16,139,229'
  nameserver:
    - https://dns.cloudflare.com/dns-query
  proxy-server-nameserver:
    - https://dns.cloudflare.com/dns-query

However, ClashMeta sends a DNS request for the dns.cloudflare.com domain and receives an incorrect result, as I mentioned earlier.

[qixing-jk]

I think the easiest way is to use the proxy DNS feature https://wiki.metacubex.one/config/dns/#dns_1.

If you still insist on direct DNS lookups

• if the DOTs are available, consider switching to IP DOTs
• use hosts https://wiki.metacubex.one/config/dns/hosts/#hosts , which is the wrong way to write hosts, "hosts:" node should be the root node. The "hosts:" node should be the root node, which is the same level as the "dns:" node.

Other suggestions, you can do a certain degree of DNS by policy diversion query, some sites may perform better when using your local DNS.

[hamedsbt]

The DNS documents are disappointing. I couldn't understand the role of the 'proxy-server-nameserver.'

It appears that ClashMeta has a limitation in situations where UDP DNS requests are forwarded to a blocking system by the ISP, as the 'default-nameserver' doesn't support domain names that can be resolved by the 'hosts' configuration. Consequently, all initial UDP DNS requests will be forwarded by the blocking system, and the responses are polluted by the ISP from the outset.

[qixing-jk]

proxy-server-nameserver is the DNS server that is used to resolve your proxy domain name, this can be left unconfigured and nameserver will be used by default.

So one possible solution is that if your local DNS can resolve your proxy server domain name correctly, you can set the proxy-server-nameserver to your local DNS, and then specify the nameserver as Cloudflare's DNS to perform proxy DNS resolution through the proxy server.

Why doesn't DOH just use the IP format of DOH? Like DOT, for example https://1.1.1.1/dns-query, this method is the simplest.

And in fact, if you understand correctly what you need proxy and what you don't, the DNS process is not so important, DNS is just to assist clash to make IP rule judgment, if you specify proxy is not need DNS resolution, see https://wiki.metacubex.one/en/config/dns/diagram/

[hamedsbt]

Unfortunately, almost all famous DoH/DoT servers are blocked in my region (such as https://1.1.1.1/dns-query). Some other DoH/DoT servers are blocked at the UDP DNS layer. So, how can I resolve their IPs? It's impossible to resolve them with the "default-nameserver" since they are blocked at the UDP DNS layer, right? Therefore, I need to tell ClashMeta what their IPs are manually (not through the default name servers). But how can I do that? This is the limitation I mentioned before.

[qixing-jk]

I think I have explained clearly how to solve the problem. Maybe the problem I understand is different from yours. Can you leave your contact information so that we can communicate in detail in real time?

[hamedsbt]

All UDP DNS requests are forwarded by the ISP to a DNS filtering system, and since dns.cloudflare.com is blocked by the ISP at the DNS level, it returns a fake IP address: 10.20.30.40. However, the HTTP request (DoH) to the correct IP is not blocked.

How can I specify the correct IP to ClashMeta and prevent it from making a UDP DNS query?

Here is my configuration:

hosts:
   dns.cloudflare.com: [104.16.132.229]
 
dns:
  enable: true
  ipv6: false
  use-hosts: true
  use-system-hosts: false
  default-nameserver:
    - 8.8.8.8 # ISP will skip it since it forwards all UDP DNS requests to DNS blocking system.

  nameserver:
    - https://dns.cloudflare.com/dns-query

[qixing-jk]

Please try the following commands in turn in cmd or shell and let me know the results
curl -H "accept: application/dns-json" "https://dns.cloudflare.com/dns-query?name=google.com&type=A"
curl -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=google.com&type=A"
curl -H "accept: application/dns-json" "https://1.0.0.1/dns-query?name=google.com&type=A"

I don't think you're listening to what I'm saying, or you're not understanding what I'm saying correctly, or may be you've got more than a simple case of DNS not getting the right IP, but DOH/DOT blocking.

If you really are just Simply DNS not getting the correct IP, just try:

dns:
  enable: true
  ipv6: false
  default-nameserver:
    - your local DNS（Must be IP, can be encrypted DNS, but you have to make sure you can access it.）
  nameserver:
    - https://1.1.1.1/dns-query
    - https://1.0.0.1/dns-query

If the above is still unavailable and it's DOH/DOT blocked

dns:
  enable: true
  ipv6: false
  default-nameserver:
    - your local DNS（Anything, but you have to make sure you can access it.）
  nameserver:
    - https://1.1.1.1/dns-query#proxy_name
    - https://1.0.0.1/dns-query#proxy_name

proxy_name is the name of one of your proxy groups, such as

proxy-groups:
- name: "proxy_name"
  type: select
  proxies:
  - DIRECT
  - ss

[qixing-jk]

I've already given an answer to the question about your own certificates for encrypted DNS, but I'll give you a specific configuration anyway, I think it's because you don't quite know how to configure them

dns:
enable: true
ipv6: false
default-nameserver:
- your local DNS（Must be IP, can be encrypted DNS, but you have to make sure you can access it.）
nameserver:
- https://185.101.51.22:443/dns-query#skip-cert-verify=true