1. What DNS Mode Changes in Clash Meta
Clash Meta does not magically “apply VPN DNS.” It runs a resolver pipeline—listeners, upstreams, fake-IP pools, caching, and optional sniffing—that feeds the same rule engine your rules: section declares. When people say DNS mode in this ecosystem, they usually mean how the core maps hostnames to addresses under dns: with enhanced-mode set to fake-ip or redir-host, plus the companion toggles around IPv6, fallback DNS, and whether applications actually communicate with the listener you trust.
The practical distinction is ownership of the name-to-number transition. Under fake-ip, the core can answer clients immediately with synthetic addresses while it finishes resolution in the background, which keeps domain rules tightly coupled to the original query string. Under redir-host, clients tend to see “real” upstream answers sooner, which restores expectations for software that probes resolvers on its own—but also means GEOIP, IP-CIDR, and domestic-direct lists now execute against the literal numbers your resolver returned, for better or worse.
Neither mode replaces disciplined rule order. Both modes still lose if your browser uses secure DNS beside the core, if Android private DNS skips the tunnel, or if a corporate VPN split tunnel answers first. Treat DNS mode as one dial in a connected system, not a single switch labeled “make split tunneling work.”
2. Fake-IP: Fast Answers and Domain-Centric Routing
Choose fake-ip when you want the core to prioritize hostname fidelity: the first-hop decision for many flows still carries the original domain label inside mihomo, which tends to make DOMAIN, DOMAIN-SUFFIX, and explicit service bundles feel crisp. Latency-sensitive applications benefit because clients receive prompt answers from the local listener instead of waiting for every upstream RTT chain to finish before opening sockets.
The trade-off is cognitive: you must keep resolver bypass out of the picture. Operating systems, browsers, containers, and mobile stacks that resolve outside the core can still learn “real” answers, then open connections that arrive at the tunnel as bare IPs. Those flows force you into IP-CIDR lists, GEOIP buckets, or sniffed hostnames—precisely the situation our sniffer-focused walkthrough documents. If you adopt fake-ip, commit to a single resolver authority for the apps you care about, then validate with logs rather than assuming the GUI icon is sufficient proof.
Another subtle advantage is consistency when multiple upstreams disagree. A client that flips between DoH providers can yield different CDN edges and different routing semantics under redir-host; fake-ip keeps the rule layer anchored to the hostname you typed unless you intentionally bypass it. That stability matters for automation stacks—CI runners, IDEs, and language package managers—because those tools rarely tolerate “works on Wi-Fi, dies on Ethernet” resolver roulette.
3. Redir-Host: Real Addresses and Classic Resolver Semantics
Pick redir-host when you prefer transparent addressing: applications receive plausible public or private responses from the configured upstream chain, which mirrors how most users expect DNS to behave on a normal laptop. That transparency helps debugging—packet captures show familiar destinations—and it can reduce surprises with software that performs secondary lookups or validates resolver identities aggressively.
The downside is that your GEOIP and IP-CIDR rules now ride the exact mapping the resolver returned. If an anycast node lands in an unexpected country bucket, a broad domestic-direct rule can steal traffic before your boutique DOMAIN row ever runs. The failure is not “Clash is lazy”; it is geography-of-IP versus geography-of-brand. Readers juggling domestic CDNs and overseas SaaS edges should expect to invest more time curating IP rules or explicit domain exceptions when staying on redir-host.
Mixed-mode networks amplify the effect. Inside TUN, split stacks, or dual-stack IPv4/IPv6 paths, a hostname may resolve twice with different outcomes—once on the tunnel listener and once on a bypassed interface—producing the classic symptom: one tab loads from a domestic CDN at full speed while another pulls the same overseas asset at modem speed. If that sounds familiar, revisit TUN IPv6 calibration after you settle DNS mode, because address-family leaks masquerade as “bad rule lists.”
4. Symptom Matrix: When Pages Work but Policy Feels Wrong
Most support threads begin with an honest half-truth: “Everything opens, so Clash must be fine.” Opening a page only proves something resolved and something carried TLS. It does not prove the flow used the proxy group stamped in your mental model. Under both fake-ip and redir-host, you can observe partial splits where HTML arrives direct while API calls proxy—or the inverse—because subdomains glided through different policy matches.
Inventory the environment before blaming YAML. Desktop Chrome with secure DNS, Edge with DoH, Android private DNS set to “Automatic” versus a provider hostname, and Windows “encrypted DNS” each introduce parallel resolvers. Our Windows-focused note on browser secure DNS versus system proxy remains the fastest way to eliminate whole classes of “rule ignored” bugs without touching subscription URLs.
Once bypass is ruled out, classify the symptom. If domain rules never appear in logs but GEOIP lines fire constantly, suspect address-first classification—either true redir-host semantics or bypassed lookups under fake-ip. If domain rows appear yet outcomes disagree with policy labels, suspect rule order: a shorter GEOIP shortcut, MATCH, or imported RULE-SET may still be winning. For maintenance habits around providers, see rule-providers and GEOIP updates.
5. Typical Fake-IP Failures: Bypass, Stale Pools, IP Rules
The classic fake-ip footgun is silent resolver bypass: an application asks a public DoH endpoint, caches a real A/AAAA record, then connects to the numeric address. The tunnel sees an IP-first flow, your immaculate DOMAIN row never executes, and the user experiences “overseas services think I am domestic” or the opposite. The repair is structural—disable competing DNS or route those resolver hosts intentionally—not “toggle UDP.”
Long-lived HTTP/2 or QUIC pools exaggerate the story. A tab might reuse connections established before you fixed YAML, so policy changes appear inconsistent until you fully restart the client or clear idle sockets. Pair fake-ip with conservative testing hygiene: after DNS edits, close browsers entirely, reopen with logging, and compare fresh traces rather than refreshing once.
Advanced stacks that require literal address fidelity—certain game launchers, legacy enterprise VPNs, or tooling that pins certificates to IPs—may fight synthetic responses. If you must coexist with them, segment profiles: keep fake-ip for general browsing while experimenting with redir-host on a narrow test profile that excludes hostile software, rather than blending contradictory resolver philosophies inside one mega-file.
6. Typical Redir-Host Failures: GEOIP Surprises and Rule Order
Under redir-host, expect GEOIP to behave like a blunt hammer: the database sees where the resolver said the IP lives, not where the brand registers its marketing entity. A SaaS edge in your home country may still satisfy an overseas user’s traffic, and CDNs routinely relocate answers between metros. That is not a “broken node”; it is geography encoded numerically.
Imported “domestic direct” lists compound the issue because they are optimized for general web surfing, not your AI, payment, or developer SaaS bundles. A broad CN direct rule that fires early can strand api.example.com on the wrong path even when the UI domain already had an explicit row—if ordering places IP logic first. The fix is triage: lift narrow DOMAIN / DOMAIN-SUFFIX rows above continent-scale shortcuts, document why they deserve priority, and keep a diff-friendly merge file instead of sprinkling one-off hacks at file bottoms.
When IPv6 is enabled, confirm both families classify consistently. A happy IPv4 path plus a leaking IPv6 path reproduces “half my tabs obey split routing” in a single session. Calibrate dual stack before you purchase new subscriptions; otherwise you will chase upstream latency ghosts.
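To make the first-match semantics, the bypass case and the ordering trap from sections 5 and 6 concrete, here is an added Python model. It is not mihomo's own code: it hands out synthetic addresses from a fake-ip pool, recovers the hostname when a client connects to one, walks a rule list top-down, and lints DOMAIN rows that sit below a GEOIP, IP-CIDR or MATCH shortcut. The hostnames, the upstream answers, the GEOIP entries and the rule lists are constructed; the real core also handles pool expiry, `no-resolve` and many more rule types, which the model omits.

```python
"""Constructed model of how a Clash Meta (mihomo) profile classifies one flow
under fake-ip versus an IP-first flow, and why rule order decides the outcome.
Added example, not mihomo code; upstream answers and GEOIP entries are stand-ins."""
import ipaddress

# Constructed upstream resolver: the "real" A record for each hostname.
UPSTREAM = {"app.example.com": "203.0.113.10"}
# Constructed GEOIP lookup: country bucket per real address.
GEOIP_DB = {"203.0.113.10": "CN", "198.51.100.20": "US"}


class FakeIpPool:
    """Hands out synthetic addresses from fake-ip-range and remembers which
    hostname each one stands for (simplified: no expiry, no address reuse)."""

    def __init__(self, cidr="198.18.0.1/16"):
        self._free = ipaddress.ip_network(cidr, strict=False).hosts()
        self._by_host, self._by_ip = {}, {}

    def answer(self, hostname):
        """What the listener returns to the client for an A query."""
        if hostname not in self._by_host:
            fake = str(next(self._free))
            self._by_host[hostname] = fake
            self._by_ip[fake] = hostname
        return self._by_host[hostname]

    def hostname_for(self, dst_ip):
        """Reverse the mapping when the client connects to the fake address."""
        return self._by_ip.get(dst_ip)


def _matches(kind, arg, hostname, real_ip):
    if kind == "MATCH":
        return True
    if kind == "DOMAIN":
        return hostname == arg
    if kind == "DOMAIN-SUFFIX":
        return hostname is not None and (hostname == arg or hostname.endswith("." + arg))
    if kind == "GEOIP":
        return real_ip is not None and GEOIP_DB.get(real_ip) == arg
    if kind == "IP-CIDR":
        return real_ip is not None and ipaddress.ip_address(real_ip) in ipaddress.ip_network(arg)
    raise ValueError(f"rule type not covered by this model: {kind}")


def first_match(rules, hostname, real_ip):
    """Walk the rules top-down and return (rule, outbound) for the first hit.
    GEOIP/IP-CIDR are checked against the real address, which the core resolves
    for a fake-ip flow (the no-resolve modifier is not modelled)."""
    for rule in rules:
        parts = rule.split(",")
        kind = parts[0]
        arg, outbound = (parts[1], parts[2]) if len(parts) >= 3 else (None, parts[1])
        if _matches(kind, arg, hostname, real_ip):
            return rule, outbound
    return None, None


def classify(rules, pool, dst_ip):
    """A flow reaches the tunnel carrying only a destination IP. If it is a fake
    address the hostname is recovered and domain rows can fire; otherwise it is
    an IP-first flow (resolver bypass or redir-host) and only IP rows can."""
    hostname = pool.hostname_for(dst_ip)
    real_ip = UPSTREAM.get(hostname) if hostname else dst_ip
    return first_match(rules, hostname, real_ip)


def domain_rows_below_ip_shortcuts(rules):
    """Lint: DOMAIN* rows placed under a GEOIP/IP-CIDR/MATCH row can be stolen
    by that shortcut whenever the resolved address lands in its bucket."""
    first_ip_row, flagged = None, []
    for rule in rules:
        kind = rule.split(",")[0]
        if first_ip_row is None and kind in ("GEOIP", "IP-CIDR", "MATCH"):
            first_ip_row = rule
        elif first_ip_row and kind.startswith("DOMAIN"):
            flagged.append((rule, first_ip_row))
    return flagged


# Broad domestic shortcut placed above the narrow SaaS row: the ordering bug.
RULES_IP_FIRST = ["GEOIP,CN,DIRECT", "DOMAIN,app.example.com,Proxy", "MATCH,Proxy"]
# Same rows with the explicit domain lifted above the continent-scale shortcut.
RULES_DOMAIN_FIRST = ["DOMAIN,app.example.com,Proxy", "GEOIP,CN,DIRECT", "MATCH,Proxy"]


def demo():
    pool = FakeIpPool()
    fake = pool.answer("app.example.com")      # the client asked the listener
    via_listener_bad = classify(RULES_IP_FIRST, pool, fake)
    via_listener_good = classify(RULES_DOMAIN_FIRST, pool, fake)
    # The client resolved elsewhere and connected straight to the real address.
    bypassed = classify(RULES_DOMAIN_FIRST, pool, UPSTREAM["app.example.com"])
    return via_listener_bad, via_listener_good, bypassed


if __name__ == "__main__":
    for label, result in zip(("ip-first order", "domain-first order", "bypassed resolver"), demo()):
        print(f"{label:20} -> {result}")
    print("lint:", domain_rows_below_ip_shortcuts(RULES_IP_FIRST))
```

The three results show the whole story: with GEOIP,CN above the DOMAIN row, even a flow that came through the fake-ip listener ends up DIRECT because the real address sits in the CN bucket; lifting the DOMAIN row fixes that flow; but a client that bypassed the listener still lands on GEOIP, because no hostname ever reached the rule engine. Only the first problem is a rule-order fix; the second is a resolver-authority fix.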
7. Read the Logs: Resolver Line vs Rule Line
Treat verbose logging as the source of truth. A disciplined incident pass asks three questions in order: Which hostname did the application try to use? Which resolver path answered it? Which rule matched first and which outbound won? If you cannot answer all three from text, you are still guessing.
Under fake-ip, verify that queries hit your Clash Meta DNS listener rather than a stray upstream. Under redir-host, verify that the IP shown in policy traces matches the resolver output you expect, then correlate with GEOIP results. When IP-first flows persist despite fixes, escalate to sniffer settings cautiously—sniffing is powerful and should stay bounded to protocols you understand, as detailed in the SNI guide.
Subscription refresh days deserve a mini audit. Providers sometimes reshuffle defaults or prepend provider rule-sets that shadow your local overrides. After each update, skim the diff, confirm your personal merge still prepends or appends where you think it does, and rerun the same trio of hostname tests you used last month. Consistency beats heroic midnight YAML surgery.
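The three questions of the triage pass above can be answered mechanically. The following added Python script (not part of mihomo or this page's original material) parses a verbose log and reports, per destination, the hostname, the resolver path that answered it, the first-match rule and the outbound, then attaches a verdict: IP-first flow, hostname known but an IP-level rule won, or domain rule won as expected. The log lines are constructed in a mihomo-like shape and the two regular expressions match only that constructed shape; adapt them to the exact lines your build prints.

```python
"""Added example (not mihomo code): turn a verbose log into the three answers the
triage pass asks for per destination: which hostname, which resolver path, which
rule and outbound. Log lines below are constructed; adjust the regexes to your build."""
import ipaddress
import re

# Constructed sample log: one clean fake-ip flow, one IP-first flow and one
# hostname flow that an IP-level rule stole.
SAMPLE_LOG = """\
[DNS] app.example.com A --> 198.18.0.5 via fake-ip listener
[TCP] 192.0.2.10:51000 --> app.example.com:443 match Domain(app.example.com) using Proxy
[TCP] 192.0.2.10:51001 --> 203.0.113.10:443 match GeoIP(CN) using DIRECT
[DNS] cdn.example.net A --> 198.18.0.6 via fake-ip listener
[TCP] 192.0.2.10:51002 --> cdn.example.net:443 match GeoIP(CN) using DIRECT
"""

# Both patterns describe the constructed format above, not mihomo's exact one.
DNS_RE = re.compile(r"\[DNS\] (?P<name>\S+) \S+ --> \S+ via (?P<path>.+)")
CONN_RE = re.compile(
    r"\[(?:TCP|UDP)\] \S+ --> (?P<dst>[^:\s]+):\d+ match (?P<rule>\S+) using (?P<out>\S+)"
)

# Rule kinds that classify by address rather than by hostname.
IP_LEVEL_RULES = ("GeoIP", "IPCIDR", "Match")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def verdict(dst, resolver_path, rule):
    """Turn the three answers into the diagnosis a support thread needs."""
    if _is_ip(dst):
        return "ip-first flow: no hostname reached the rule engine; suspect resolver bypass"
    if resolver_path is None:
        return "hostname known but no listener answer logged: cache, sniffer or another resolver"
    if rule.startswith(IP_LEVEL_RULES):
        return "hostname known but an IP-level rule won first: check rule order"
    return "domain rule won via the listener as expected"


def triage(log_text):
    """Return {destination: {hostname, resolver, rule, outbound, verdict}}."""
    resolver_by_name = {}   # hostname -> which resolver path answered it
    report = {}
    for line in log_text.splitlines():
        dns = DNS_RE.match(line)
        if dns:
            resolver_by_name[dns["name"]] = dns["path"]
            continue
        conn = CONN_RE.match(line)
        if not conn:
            continue   # unrelated line (startup, provider refresh, ...)
        dst = conn["dst"]
        path = resolver_by_name.get(dst)
        report[dst] = {
            "hostname": None if _is_ip(dst) else dst,
            "resolver": path,
            "rule": conn["rule"],
            "outbound": conn["out"],
            "verdict": verdict(dst, path, conn["rule"]),
        }
    return report


if __name__ == "__main__":
    for dst, row in triage(SAMPLE_LOG).items():
        print(f"{dst:18} {row['rule']:26} {row['outbound']:7} {row['verdict']}")
```

Run it after each subscription refresh against the same trio of hostname tests; if a destination that used to report "domain rule won" starts reporting "IP-level rule won first", a provider rule-set has moved above your merge file, and if it starts reporting "ip-first flow", something on the host is resolving around the listener again.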
8. Minimal YAML Patterns and Safe Experiments
The fragments below are illustrations, not copy-paste law. Adapt listeners, upstream names, and cache settings to your GUI export; the point is to show where DNS mode lives relative to the rest of the profile.
① Fake-IP baseline (conceptual)
dns:
  enable: true
  listen: 0.0.0.0:53              # example; align with your stack
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16    # illustrative pool; follow your template
  nameserver:
    - tls://one.trusted.resolver
    - https://another.trusted.resolver
② Redir-Host baseline (conceptual)
dns:
  enable: true
  listen: 0.0.0.0:53
  enhanced-mode: redir-host
  nameserver:
    - tls://one.trusted.resolver
Note: Always pair these snippets with OS-level DNS attachment—TUN, per-interface DHCP, or documented mixed-port workflows—so applications actually query the listener. YAML alone does not rewire every resolver path on a modern desktop.
9. Migration Checklist Between Modes
Switching DNS mode is not a cosmetic toggle. Treat it like a mini migration: snapshot your working profile, change one variable, restart clients completely, and rerun baseline tests. Expect to revisit rule order because GEOIP weight shifts when addresses become “real” sooner.
Keep legal and vendor terms in view. This guide explains resolver and routing mechanics for setups you are authorized to operate; it does not counsel bypassing workplace policies or regional regulations.
10. Closing Thoughts
Choosing between fake-ip and redir-host in Clash Meta is less about tribal identity and more about which failure mode you can afford to debug. Prefer fake-ip when hostname fidelity and fast local answers buy you cleaner DOMAIN semantics, provided you starve competing resolvers. Prefer redir-host when transparent addressing or legacy applications demand conventional DNS behavior, knowing you must police GEOIP and IP rules with equal rigor.
In both cases, the antidote to “rules stopped working” is structured evidence: resolver path, first-match rule, actual outbound. Pair that discipline with service-specific playbooks—DeepSeek or Netflix streaming maps are different suffix lists, but the logging workflow is identical once DNS mode stops fighting you.
When you are ready for a maintained client and installer track that follows the Meta ecosystem, start from our download center instead of chasing random binaries—then re-run the checklist above with verbose logs until hostname, resolver, and policy lines tell the same story. Compared with opaque all-in-one VPN apps, transparent mihomo cores reward readers who treat split routing as engineering, not superstition.