feat(dns): support proxy-server-nameserver #1002

Open
Itsusinn wants to merge 4 commits into master from feat/proxy-nameserver

@Itsusinn
Member

🤔 This is a ...

  • New feature
  • Bug fix
  • Performance optimization
  • Enhancement feature
  • Refactoring
  • Code style optimization
  • Test Case
  • Branch merge
  • Workflow
  • Other (about what?)

🔗 Related issue link

N/A

💡 Background and solution

Problem:
When proxy servers use domain names (e.g., proxy.example.com), they need to be resolved through DNS. Using regular nameservers may result in:

  • DNS poisoning/pollution for proxy domains
  • Connection failures due to incorrect IP resolution
  • Privacy leaks by exposing proxy server queries to local DNS

Solution:
Implement proxy-nameserver configuration following clash-meta's approach. This feature provides dedicated DNS servers specifically for resolving proxy server domain names, ensuring reliable and secure proxy connections.

Implementation:

  1. Add proxy-nameserver field to DNS configuration
  2. Extract all proxy server domains during initialization from all proxy protocols (shadowsocks, vmess, vless, trojan, tuic, hysteria2, wireguard, ssh, shadowquic)
  3. Create dedicated resolver for proxy domains when proxy-nameserver is configured
  4. During DNS resolution, check if queried domain is a proxy server domain
  5. Route proxy domain queries to proxy-nameserver, regular queries to normal nameservers

Sample Configuration:

dns:
  enable: true
  listen: 127.0.0.1:53
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  proxy-nameserver:  # New field
    - 8.8.8.8
    - 1.1.1.1
  nameserver:
    - 223.5.5.5
    - 119.29.29.29

proxies:
  - name: my-proxy
    type: vmess
    server: proxy.example.com  # This domain will be resolved using proxy-nameserver
    port: 443
    # ... other options

📝 Changelog

Features:

  • Add proxy-nameserver DNS configuration option for resolving proxy server domains
  • Automatically extract and track all proxy server domains from proxy configurations
  • Support all proxy protocols: shadowsocks, socks5, vmess, vless, trojan, tuic, hysteria2, wireguard, ssh, shadowquic

Changes:

  • DNS config now supports proxy-nameserver field (optional)
  • If not configured, proxy domains fall back to default-nameserver
  • No breaking changes, fully backward compatible

Files Changed:

  • clash-lib/src/config/def.rs - Add proxy_nameserver field
  • clash-lib/src/app/dns/config.rs - Parse proxy-nameserver config
  • clash-lib/src/app/dns/resolver/enhanced.rs - Implement proxy domain resolution logic
  • clash-lib/src/app/dns/resolver/mod.rs - Update resolver initialization
  • clash-lib/src/app/outbound/manager.rs - Add proxy domain extraction
  • clash-lib/src/lib.rs - Integrate proxy domains into DNS resolver
  • clash-lib/src/proxy/utils/test_utils/docker_utils/config_helper.rs - Update test helper

☑️ Self-Check before Merge

⚠️ Please check all items below before requesting a review. ⚠️

  • Doc is updated/provided or not needed
  • Changelog is provided or not needed
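
The routing in implementation steps 2 to 5 above, sketched as an added Rust example; it is not code from this pull request. `DnsRouter`, `Upstream` and `normalize` are hypothetical names, the sample hosts are constructed, and skipping IP literals and matching names case-insensitively are assumptions.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

/// Nameserver group that should answer a query (names mirror the config keys).
#[derive(Debug, PartialEq, Clone, Copy)]
enum Upstream {
    ProxyNameserver,
    DefaultNameserver,
    Nameserver,
}

/// Hypothetical stand-in for the resolver's routing state.
struct DnsRouter {
    proxy_domains: HashSet<String>,
    has_proxy_nameserver: bool,
}

/// Lowercase and drop the trailing root dot so "Proxy.Example.com." still matches.
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

impl DnsRouter {
    /// `servers` holds every proxy's `server:` value; IP literals need no lookup.
    fn new(servers: &[&str], proxy_nameservers: &[&str]) -> Self {
        let proxy_domains = servers
            .iter()
            .filter(|s| s.parse::<IpAddr>().is_err())
            .map(|s| normalize(s))
            .collect();
        DnsRouter { proxy_domains, has_proxy_nameserver: !proxy_nameservers.is_empty() }
    }

    fn route(&self, qname: &str) -> Upstream {
        if !self.proxy_domains.contains(&normalize(qname)) {
            Upstream::Nameserver
        } else if self.has_proxy_nameserver {
            Upstream::ProxyNameserver
        } else {
            Upstream::DefaultNameserver // documented fallback when the field is unset
        }
    }
}

fn main() {
    let r = DnsRouter::new(&["proxy.example.com", "203.0.113.7"], &["8.8.8.8", "1.1.1.1"]);
    for q in &["Proxy.Example.com.", "www.example.org"] {
        println!("{} -> {:?}", q, r.route(q)); // constructed sample queries
    }
}
```

Normalizing before the set lookup matters for the privacy goal: a query for the proxy host that differs only in case or a trailing dot would otherwise be sent to the regular nameservers.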

@codecov

codecov bot commented Jan 24, 2026

Codecov Report

❌ Patch coverage is 91.72932% with 22 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
clash-lib/src/app/outbound/manager.rs 89.28% 12 Missing ⚠️
clash-lib/src/app/dns/config.rs 27.27% 8 Missing ⚠️
clash-lib/src/app/dns/resolver/enhanced.rs 99.16% 0 Missing and 1 partial ⚠️
clash-lib/src/lib.rs 91.66% 1 Missing ⚠️

- cargo fmt
- change shadowquic to fixed version
@Itsusinn Itsusinn requested review from Copilot and ibigbug January 24, 2026 06:46

This comment was marked as resolved.

@Itsusinn Itsusinn enabled auto-merge (squash) January 24, 2026 06:52
@ibigbug
Member

ibigbug commented Jan 24, 2026

Like I said, if you want to do this you need to handle DDNS updates properly.

@Itsusinn
Member Author

Itsusinn commented Jan 24, 2026

My opinion: anyway, we didn't handle DDNS before. What I did doesn't affect DDNS.

@ibigbug
Member

ibigbug commented Jan 24, 2026

No, it does. You are caching the pre-resolved result forever. When the proxy DNS changes, they'll fail.

@Itsusinn Itsusinn changed the title feat(dns): support proxy-nameserver feat(dns): support proxy-server-nameserver Jan 24, 2026
@Itsusinn
Member Author

> No, it does. You are caching the pre-resolved result forever. When the proxy DNS changes, they'll fail.

I didn't cache more than baseline.
It's still

EnhancedResolver::batch_exchange(&proxy_resolver.main, message)

The DNS cache obeys the DNS TTL.
