DNS Server

Built-in DNS Service

Custom Upstream DNS Servers

Stash supports the configuration of multiple DNS servers at the same time. When making a query, Stash will concurrently request all servers and adopt the fastest response. Stash supports the following DNS protocols:

default-nameserver is used to resolve the domain names of the DNS services themselves, so only DNS server IP addresses can be entered here.

dns:
  # The following DNS servers are used to resolve the domain names of the DNS services below
  # Only fill in the IP address of the DNS server
  default-nameserver:
    - 192.0.2.53 # placeholder, replace with the IP address of a DNS server
  # DNS services using the UDP / TCP / DoT / DoH / DoQ protocols are supported, and a specific connection port can be given.
  # All DNS requests are sent directly to the server, without going through any proxy.
  # Stash uses the first resolution record it obtains to reply to the DNS request
  nameserver:
    # Configuring more than 2 DNS servers is not recommended, as it increases system power consumption
    - https://doh.pub/dns-query
    - https://dns.alidns.com/dns-query
    - quic://dns.adguard.com:853
    - doq://test.dns.nextdns.io:853
    - system # Use iOS system DNS
  # Skip certificate verification to work around some compatibility issues: https://help.nextdns.io/t/g9hdkjz
  # With verification skipped, DoT / DoH / DoQ servers are not authenticated
  skip-cert-verify: true
  # DNS queries follow the proxy rules
  follow-rule: false

Stash caches DNS query results locally using the LRU algorithm. When a cached record expires, Stash keeps serving the cached result and silently updates the record in the background, which effectively reduces the request delay caused by DNS cache expiration.

Domain-based Custom DNS Service

nameserver-policy assigns a specific DNS server to a specified domain name.

dns:
  # Use separate DNS servers for some domain names
  nameserver-policy:
    '+.internal.crop.com': system

Custom Hosts

hosts:
  # Wildcard domain names are supported (for example: *.clash.dev, *.foo.*.example.com)
  # Domain names without wildcards have higher priority than those with wildcards (for example: foo.example.com > *.example.com > .example.com)
  # Note: +.foo.com is equivalent to .foo.com and foo.com
  'alpha.clash.dev': '::1'

DNS Query Follows Rules

By default, all DNS queries sent by Stash go directly outbound and are not forwarded by any proxy rule. After the follow-rule option is enabled, Stash forwards DNS queries according to the proxy rules.


In most scenarios, this option does not need to be enabled. Once DNS queries are forwarded through a proxy, the result may disrupt the global optimization strategy of a cloud service provider's CDN and cause static resources to load slowly. Passing DNS queries through the Stash network engine also adds a slight delay.

Please only enable this configuration when necessary.


Connecting to the proxy server may itself require DNS resolution, so forwarding DNS queries through the proxy can create a recursive query: the DNS query needs the proxy, and the proxy needs a DNS query. Before enabling this option, please ensure that one of the following conditions is met:

  • The proxy address forwarding the DNS request is an IP address, not a domain name
  • The DNS server address is an IP address, not a domain name
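
The checks described on this page, written as a small configuration linter. This is an added example, not Stash's own code. It assumes the YAML has already been parsed into a dict, that proxies are listed Clash-style under `proxies` with a `server` field, and that DoT servers use a `tls://` scheme.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes shown on the page (https, quic, doq) plus tls:// for DoT (assumed).
ENCRYPTED = {"https", "tls", "quic", "doq"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def server_host(entry):
    """Return (scheme, host) for a nameserver entry; bare entries count as udp."""
    if is_ip(entry):                      # bare IPv4 / IPv6 literal
        return "udp", entry
    url = urlsplit(entry if "://" in entry else "udp://" + entry)
    return url.scheme, url.hostname or ""

def lint(config):
    """Return findings for the DNS conditions described on this page."""
    dns, findings = config.get("dns", {}), []
    for entry in dns.get("default-nameserver", []):
        if not is_ip(server_host(entry)[1]):
            findings.append(f"default-nameserver must be an IP address: {entry}")
    upstream = [server_host(e) for e in dns.get("nameserver", []) if e != "system"]
    if dns.get("skip-cert-verify") and any(s in ENCRYPTED for s, _ in upstream):
        findings.append("skip-cert-verify: encrypted DNS servers are not authenticated")
    named_dns = [h for _, h in upstream if not is_ip(h)]
    named_proxies = [p["server"] for p in config.get("proxies", [])
                     if not is_ip(p["server"])]
    # Page's condition: with follow-rule, the proxy or the DNS server must be an IP.
    if dns.get("follow-rule") and named_dns and named_proxies:
        findings.append("follow-rule: proxy and DNS server are both hostnames, "
                        "so resolving one requires the other (recursive query)")
    return findings

# Constructed sample, already parsed from YAML; hostnames and IPs are illustrative.
SAMPLE = {
    "dns": {
        "default-nameserver": ["192.0.2.53", "resolver.example"],
        "nameserver": ["https://doh.pub/dns-query", "quic://dns.adguard.com:853", "system"],
        "skip-cert-verify": True,
        "follow-rule": True,
    },
    "proxies": [{"name": "p1", "server": "proxy.example.net"}],
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN", finding)
```

The recursion check is conservative: it does not evaluate the proxy rules, so it reports whenever any proxy and any DNS server are both given as hostnames.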