diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua index bf2c38361..fbf848cea 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -533,6 +533,7 @@ o:depends({dns_mode = "xray"}) o = s:taboption("DNS", Flag, "remote_fakedns", "FakeDNS", translate("Use FakeDNS work in the shunt domain that proxy.")) o.default = "0" o:depends({dns_mode = "sing-box", dns_shunt = "dnsmasq"}) +o:depends({dns_mode = "sing-box", dns_shunt = "chinadns-ng"}) o.validate = function(self, value, t) if value and value == "1" then local _dns_mode = s.fields["dns_mode"]:formvalue(t) diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh index e66dae249..a005f6a8d 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh @@ -562,7 +562,7 @@ run_dns2socks() { } run_chinadns_ng() { - local _flag _listen_port _dns_local _dns_trust _no_ipv6_trust _use_direct_list _use_proxy_list _gfwlist _chnlist _default_mode _default_tag _no_logic_log _tcp_node + local _flag _listen_port _dns_local _dns_trust _no_ipv6_trust _use_direct_list _use_proxy_list _gfwlist _chnlist _default_mode _default_tag _no_logic_log _tcp_node _remote_fakedns local _extra_param="" eval_set_val $@ 
@@ -573,7 +573,7 @@ run_chinadns_ng() { _extra_param="-FLAG ${_flag} -TCP_NODE ${_tcp_node} -LISTEN_PORT ${_listen_port} -DNS_LOCAL ${_dns_local} -DNS_TRUST ${_dns_trust}" _extra_param="${_extra_param} -USE_DIRECT_LIST ${_use_direct_list} -USE_PROXY_LIST ${_use_proxy_list} -USE_BLOCK_LIST ${_use_block_list}" _extra_param="${_extra_param} -GFWLIST ${_gfwlist} -CHNLIST ${_chnlist} -NO_IPV6_TRUST ${_no_ipv6_trust} -DEFAULT_MODE ${_default_mode}" - _extra_param="${_extra_param} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag} -NO_LOGIC_LOG ${_no_logic_log}" + _extra_param="${_extra_param} -DEFAULT_TAG ${_default_tag} -NFTFLAG ${nftflag} -NO_LOGIC_LOG ${_no_logic_log} -REMOTE_FAKEDNS ${_remote_fakedns}" lua $APP_PATH/helper_chinadns_add.lua ${_extra_param} > ${_CONF_FILE} ln_run "$(first_type chinadns-ng)" chinadns-ng "${_LOG_FILE}" -C ${_CONF_FILE} @@ -1579,7 +1579,8 @@ start_dns() { _default_mode=${TCP_PROXY_MODE} \ _default_tag=$(config_t_get global chinadns_ng_default_tag smart) \ _no_logic_log=0 \ - _tcp_node=${TCP_NODE} + _tcp_node=${TCP_NODE} \ + _remote_fakedns=${fakedns:-0} USE_DEFAULT_DNS="chinadns_ng" } @@ -1830,7 +1831,8 @@ acl_app() { _default_mode=${tcp_proxy_mode} \ _default_tag=${chinadns_ng_default_tag:-smart} \ _no_logic_log=1 \ - _tcp_node=${tcp_node} + _tcp_node=${tcp_node} \ + _remote_fakedns=0 use_default_dns="chinadns_ng" } diff --git a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua index 704ffe83a..f4089a521 100644 --- a/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua +++ b/luci-app-passwall/root/usr/share/passwall/helper_chinadns_add.lua @@ -18,6 +18,7 @@ local DEFAULT_TAG = var["-DEFAULT_TAG"] local NO_LOGIC_LOG = var["-NO_LOGIC_LOG"] local TCP_NODE = var["-TCP_NODE"] local NFTFLAG = var["-NFTFLAG"] +local REMOTE_FAKEDNS = var["-REMOTE_FAKEDNS"] local uci = api.uci local sys = api.sys 
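Review bot: `-REMOTE_FAKEDNS ${_remote_fakedns}` is appended unquoted and without a default in the last `_extra_param` line of `run_chinadns_ng`, so a caller that does not pass `_remote_fakedns` hands the helper a flag with no value. Both call sites changed in this commit set it, but defaulting at the point of use is more robust than relying on that: `-REMOTE_FAKEDNS ${_remote_fakedns:-0}`. Separately, the `local` list extended in the previous hunk still omits `_use_block_list`, which this hunk's context reads as `${_use_block_list}`, so it is either unset or a global shared with other callers. The function body starts and ends outside this hunk.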
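Review bot: The `acl_app` call site hard-codes `_remote_fakedns=0` while the `start_dns` call site passes `${fakedns:-0}`, and nothing in the hunk says why per-ACL chinadns-ng instances never honour the FakeDNS option. If that is intentional, a one-line comment above the `run_chinadns_ng` call (which starts outside this hunk), such as `# FakeDNS is only handled by the global instance; ACL instances always fill their own sets`, would stop a later reader from "fixing" the asymmetry. If it is not intentional, the ACL path needs the per-rule value passed here instead of the literal.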
@@ -100,6 +101,8 @@ end local setflag = (NFTFLAG == "1") and "inet@passwall@" or "" +local only_global = (DEFAULT_MODE == "proxy" and CHNLIST == "0" and GFWLIST == "0") and 1 + config_lines = { --"verbose", "bind-addr 127.0.0.1", @@ -249,7 +252,7 @@ if USE_PROXY_LIST == "1" and is_file_nonzero(file_proxy_host) then "group proxylist", "group-dnl " .. file_proxy_host, "group-upstream " .. DNS_TRUST, - "group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6" + REMOTE_FAKEDNS ~= "1" and "group-ipset " .. setflag .. "passwall_blacklist," .. setflag .. "passwall_blacklist6" or nil } if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:proxylist") end insert_array_after(config_lines, tmp_lines, "#--3") @@ -261,7 +264,7 @@ end if GFWLIST == "1" and is_file_nonzero(RULES_PATH .. "/gfwlist") then tmp_lines = { "gfwlist-file " .. RULES_PATH .. "/gfwlist", - "add-taggfw-ip " .. setflag .. "passwall_gfwlist," .. setflag .. "passwall_gfwlist6" + REMOTE_FAKEDNS ~= "1" and "add-taggfw-ip " .. setflag .. "passwall_gfwlist," .. setflag .. "passwall_gfwlist6" or nil } if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:gfw") end merge_array(config_lines, tmp_lines) @@ -288,7 +291,7 @@ if CHNLIST ~= "0" and is_file_nonzero(RULES_PATH .. "/chnlist") then "group chn_proxy", "group-dnl " .. RULES_PATH .. "/chnlist", "group-upstream " .. DNS_TRUST, - "group-ipset " .. setflag .. "passwall_chnroute," .. setflag .. "passwall_chnroute6" + REMOTE_FAKEDNS ~= "1" and "group-ipset " .. setflag .. "passwall_chnroute," .. setflag .. "passwall_chnroute6" or nil } if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:chn_proxy") end insert_array_after(config_lines, tmp_lines, "#--1") 
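Review bot: `only_global` ends up as `1` or `false` because of the trailing `and 1`, which reads like a numeric flag although it is only tested for truthiness later. Dropping the suffix gives a plain boolean: `local only_global = DEFAULT_MODE == "proxy" and CHNLIST == "0" and GFWLIST == "0"`. The value is also captured near the top of the script now rather than where the original condition ran, so it is worth confirming that none of the three inputs is reassigned in between; that code is not visible in this hunk.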
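Review bot: The `REMOTE_FAKEDNS ~= "1" and "group-ipset …" or nil` entry in the proxylist `tmp_lines` constructor only works because it is the last element; a trailing `nil` just shortens the sequence, but any entry added after it later would leave a hole and make `#tmp_lines` and the following `table.insert` unreliable. The same pattern is repeated in the gfwlist (`add-taggfw-ip`) and chnlist (`group-ipset … passwall_chnroute`) hunks. Either mark it with a comment such as `-- must stay last: nil drops the entry`, or build the table first and append conditionally with `if REMOTE_FAKEDNS ~= "1" then table.insert(tmp_lines, …) end`. Skipping the set updates under FakeDNS is presumably meant to keep fake addresses out of the firewall sets, and that reason deserves a one-line comment as well.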
@@ -402,7 +405,7 @@ if uci:get(appname, TCP_NODE, "protocol") == "_shunt" then "group shuntlist", "group-dnl " .. file_shunt_host, "group-upstream " .. DNS_TRUST, - "group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6" + (not only_global and REMOTE_FAKEDNS == "1") and nil or ("group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6") } if NO_IPV6_TRUST == "1" then table.insert(tmp_lines, "no-ipv6 tag:shuntlist") end insert_array_after(config_lines, tmp_lines, "#--2") @@ -417,7 +420,7 @@ if GFWLIST == "1" and CHNLIST == "0" then DEFAULT_TAG = "chn" end if CHNLIST == "proxy" then DEFAULT_TAG = "chn" end --全局模式,默认使用远程DNS -if DEFAULT_MODE == "proxy" and CHNLIST == "0" and GFWLIST == "0" then +if only_global then DEFAULT_TAG = "gfw" if NO_IPV6_TRUST == "1" and uci:get(appname, TCP_NODE, "protocol") ~= "_shunt" then table.insert(config_lines, "no-ipv6") diff --git a/patch-luci-app-passwall.patch b/patch-luci-app-passwall.patch index a442d1018..ac6458cca 100644 --- a/patch-luci-app-passwall.patch +++ b/patch-luci-app-passwall.patch @@ -33,7 +33,7 @@ index e7fcbee..4143d44 100644 if code ~= 0 then local use_time = luci.sys.exec("echo -n '" .. result .. "' | awk -F ':' '{print $2}'") diff --git a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua -index 9b0cdb3..bf2c383 100644 +index 70925af..fbf848c 100644 --- a/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua +++ b/luci-app-passwall/luasrc/model/cbi/passwall/client/global.lua @@ -478,6 +478,12 @@ o:value("9.9.9.9", "9.9.9.9 (Quad9)") 
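Review bot: The new shuntlist entry `(not only_global and REMOTE_FAKEDNS == "1") and nil or ("group-ipset " .. …)` can never evaluate to `nil`: `cond and nil` is always falsy, so the `or` branch is taken and the `group-ipset` line is emitted in every case, with or without FakeDNS. This is the `a and b or c` idiom with a falsy `b`; the proxylist, gfwlist and chnlist hunks avoid it by putting the string in the middle position. Inverting the condition gives the intended result: `(only_global or REMOTE_FAKEDNS ~= "1") and ("group-ipset " .. setflag .. "passwall_shuntlist," .. setflag .. "passwall_shuntlist6") or nil`. As written, shunt-domain answers are presumably still added to `passwall_shuntlist` while FakeDNS is active, so the routing sets do not follow the option the UI now exposes for chinadns-ng.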
@@ -49,7 +49,7 @@ index 9b0cdb3..bf2c383 100644 o:depends({dns_mode = "dns2socks"}) o:depends({dns_mode = "tcp"}) o:depends({dns_mode = "udp"}) -@@ -569,7 +575,7 @@ if api.is_finded("smartdns") then +@@ -570,7 +576,7 @@ if api.is_finded("smartdns") then end o = s:taboption("DNS", Flag, "dns_redirect", translate("DNS Redirect"), translate("Force special DNS server to need proxy devices.")) @@ -175,10 +175,10 @@ index 551c824..2a6a814 100644 config global_forwarding option tcp_no_redir_ports 'disable' diff --git a/luci-app-passwall/root/usr/share/passwall/app.sh b/luci-app-passwall/root/usr/share/passwall/app.sh -index 7529308..e66dae2 100755 +index 64b063d..a005f6a 100755 --- a/luci-app-passwall/root/usr/share/passwall/app.sh +++ b/luci-app-passwall/root/usr/share/passwall/app.sh -@@ -1589,9 +1589,7 @@ start_dns() { +@@ -1590,9 +1590,7 @@ start_dns() { [ "$(expr $dnsmasq_version \>= 2.87)" == 0 ] && echolog "Dnsmasq版本低于2.87,有可能无法正常使用!!!" } @@ -188,7 +188,7 @@ index 7529308..e66dae2 100755 if [ "${RUN_NEW_DNSMASQ}" == "0" ]; then #The old logic will be removed in the future. #Run a copy dnsmasq instance, DNS hijack that don't need a proxy devices. -@@ -1609,7 +1607,7 @@ start_dns() { +@@ -1610,7 +1608,7 @@ start_dns() { #Modify the default dnsmasq service lua $APP_PATH/helper_dnsmasq.lua stretch lua $APP_PATH/helper_dnsmasq.lua add_rule -FLAG "default" -TMP_DNSMASQ_PATH ${GLOBAL_DNSMASQ_CONF_PATH} -DNSMASQ_CONF_FILE ${GLOBAL_DNSMASQ_CONF} \ 
@@ -197,7 +197,7 @@ index 7529308..e66dae2 100755 -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \ -USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \ -TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \ -@@ -1621,7 +1619,7 @@ start_dns() { +@@ -1622,7 +1620,7 @@ start_dns() { GLOBAL_DNSMASQ_CONF=${GLOBAL_ACL_PATH}/dnsmasq.conf GLOBAL_DNSMASQ_CONF_PATH=${GLOBAL_ACL_PATH}/dnsmasq.d lua $APP_PATH/helper_dnsmasq.lua add_rule -FLAG "default" -TMP_DNSMASQ_PATH ${GLOBAL_DNSMASQ_CONF_PATH} -DNSMASQ_CONF_FILE ${GLOBAL_DNSMASQ_CONF} \ @@ -206,7 +206,7 @@ index 7529308..e66dae2 100755 -REMOTE_FAKEDNS ${fakedns:-0} -USE_DEFAULT_DNS "${USE_DEFAULT_DNS:-direct}" -CHINADNS_DNS ${china_ng_listen:-0} \ -USE_DIRECT_LIST "${USE_DIRECT_LIST}" -USE_PROXY_LIST "${USE_PROXY_LIST}" -USE_BLOCK_LIST "${USE_BLOCK_LIST}" -USE_GFW_LIST "${USE_GFW_LIST}" -CHN_LIST "${CHN_LIST}" \ -TCP_NODE ${TCP_NODE} -DEFAULT_PROXY_MODE ${TCP_PROXY_MODE} -NO_PROXY_IPV6 ${DNSMASQ_FILTER_PROXY_IPV6:-0} -NFTFLAG ${nftflag:-0} \ -@@ -1688,7 +1686,8 @@ acl_app() { +@@ -1689,7 +1687,8 @@ acl_app() { socks_port=11100 redir_port=11200 dns_port=11300 @@ -216,7 +216,7 @@ index 7529308..e66dae2 100755 chinadns_port=11500 for item in $items; do sid=$(uci -q show "${CONFIG}.${item}" | grep "=acl_rule" | awk -F '=' '{print $1}' | awk -F '.' '{print $2}') -@@ -1752,6 +1751,7 @@ acl_app() { +@@ -1753,6 +1752,7 @@ acl_app() { [ -n "$tcp_node" ] && { local GLOBAL_TCP_NODE=$(get_cache_var "ACL_GLOBAL_TCP_node") 
@@ -224,7 +224,7 @@ index 7529308..e66dae2 100755 [ -n "${GLOBAL_TCP_NODE}" ] && GLOBAL_TCP_redir_port=$(get_cache_var "ACL_GLOBAL_TCP_redir_port") if [ "$tcp_node" = "default" ]; then if [ -n "${GLOBAL_TCP_NODE}" ]; then -@@ -2003,10 +2003,8 @@ start() { +@@ -2005,10 +2005,8 @@ start() { if [ "$ENABLED_DEFAULT_ACL" == 1 ] || [ "$ENABLED_ACLS" == 1 ]; then [ "$(uci -q get dhcp.@dnsmasq[0].dns_redirect)" == "1" ] && { @@ -237,7 +237,7 @@ index 7529308..e66dae2 100755 /etc/init.d/dnsmasq restart >/dev/null 2>&1 } fi -@@ -2048,23 +2046,11 @@ stop() { +@@ -2050,23 +2048,11 @@ stop() { source $APP_PATH/helper_smartdns.sh del rm -rf $GLOBAL_DNSMASQ_CONF rm -rf $GLOBAL_DNSMASQ_CONF_PATH @@ -266,7 +266,7 @@ index 7529308..e66dae2 100755 rm -rf $TMP_PATH rm -rf /tmp/lock/${CONFIG}_socks_auto_switch* echolog "清空并关闭相关程序和缓存完成。" -@@ -2123,7 +2109,6 @@ DNS_CACHE=0 +@@ -2125,7 +2111,6 @@ DNS_CACHE=0 REMOTE_DNS=$(config_t_get global remote_dns 1.1.1.1:53 | sed 's/#/:/g' | sed -E 's/\:([^:]+)$/#\1/g') USE_DEFAULT_DNS=$(config_t_get global use_default_dns direct) FILTER_PROXY_IPV6=$(config_t_get global filter_proxy_ipv6 0)