From 10d26bd6e7c994b1657f0bc9e3c8dfaa506048d5 Mon Sep 17 00:00:00 2001
From: ClashFX Team
Date: Thu, 7 May 2026 15:53:28 +0800
Subject: [PATCH] fix: drop 8.8.8.8 from default-nameserver to survive enterprise SSL VPN UDP/53 interception
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default-nameserver list (used to bootstrap-resolve DNS server domains like doh.pub before DoH/DoT can be used) included 8.8.8.8 in two code paths: - applyTunConfig (Enhanced Mode/TUN bring-up) - clashWriteEnhancedConfig (writing enhanced config to disk) When users run an enterprise SSL VPN that intercepts UDP/53 (e.g. SangFor Easy Connect, which DNATs all dport 53 UDP to its internal DNS proxy), the bootstrap query to 8.8.8.8:53 times out, blocking DoH/DoT from coming online. nameserver/fallback lists already preferred DoH (https://) + DoT (tls://...:853) so the in-flight queries themselves are safe — but bootstrap is still UDP. Replace 8.8.8.8 with 119.29.29.29 (Tencent DNSPod, domestic) for parity with nameserverPolicyForConvertedProxies (lines 491-495, already domestic-only). Domestic DNS UDP/53 is generally allowed by enterprise VPN policies because corporate DNS itself usually forwards to upstream domestic resolvers. No new dependencies, no API change, no template-version bump required. Companion to ClashX-Pro/ClashX#20 (which aligned that project's share-link Go DNS defaults with our DoH/DoT design).
---
 ClashFX/goClash/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ClashFX/goClash/main.go b/ClashFX/goClash/main.go
index 53ac941..68db0e1 100644
--- a/ClashFX/goClash/main.go
+++ b/ClashFX/goClash/main.go
@@ -405,7 +405,7 @@ func applyTunConfig(rawCfg *config.RawConfig) {
 rawCfg.DNS.DefaultNameserver = []string{
 "114.114.114.114",
 "223.5.5.5",
- "8.8.8.8",
+ "119.29.29.29",
 }
 }
 }
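Review bot: The bootstrap list is still spelled out as the same three-address literal in two places, here in applyTunConfig and again in the clashWriteEnhancedConfig hunk, which is why this fix had to touch both; one package-level value such as `var bootstrapNameservers = []string{"114.114.114.114", "223.5.5.5", "119.29.29.29"}`, cloned at each use, would keep the two paths from drifting apart. The list also carries no comment explaining why it holds plain IPs only, so I would add `// Bootstrap resolvers, plain UDP/53: used only to look up DoH/DoT hostnames. Replies are unauthenticated, so certificate verification on the DoH/DoT connection is what rejects a spoofed address.` All three entries are now resolvers the commit message describes as domestic, so a network where those are unreachable has no bootstrap fallback; that trade-off looks intended but belongs in the same comment so nobody re-adds 8.8.8.8 without knowing why it was dropped. The enclosing `if` and the rest of applyTunConfig lie outside the hunk.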
@@ -896,7 +896,7 @@ func clashWriteEnhancedConfig(configPath *C.char, outputPath *C.char, tunRouteEx
 dns["nameserver"] = []string{"https://doh.pub/dns-query", "tls://223.5.5.5:853"}
 }
 if dns["default-nameserver"] == nil {
- dns["default-nameserver"] = []string{"114.114.114.114", "223.5.5.5", "8.8.8.8"}
+ dns["default-nameserver"] = []string{"114.114.114.114", "223.5.5.5", "119.29.29.29"}
 }
 // Use a free port for DNS listen to avoid conflict with in-process clash core
 if dnsPort, err := freeport.GetFreePort(); err == nil {
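Review bot: The new default is applied only under `if dns["default-nameserver"] == nil`, so a profile that already sets the key keeps its own list, including one that still names 8.8.8.8, and would presumably still stall behind the VPN described in the commit message. A key that is present but holds an empty list also looks like it would pass the nil test and leave no bootstrap resolver at all, though the type of `dns` is not visible here. I would document the intent above the check with `// Fills in a missing key only; a user-supplied default-nameserver is kept as-is, even if it lists resolvers that are blocked on this network.` The function body begins and continues outside the hunk.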