1 Why connection logs beat “try another proxy”
Mihomo resolves hostnames (with optional FakeIP), evaluates rules, selects proxy-groups, then dials whichever chain you configured. Misalignment at any tier reproduces strangely similar symptoms from the cockpit: stalled tabs, intermittent TLS errors, or streaming clients that swear the network vanished even though pings succeed. Cycling through exits randomizes whichever healthy hop you land on—not the underlying contradiction between DNS testimony, sniffed hostname, and rule ordering.
Connection logs document that pipeline with timestamps: which process opened the socket, whether the resolver returned an IP or handed back NXDOMAIN/SERVFAIL semantics, whether the classifier picked DIRECT, a nested url-test leaf, or the catch-all MATCH line, and often which rule label short-circuited the traversal. Dedicated guides already explain browser Secure DNS, Android Private DNS overlays, or sharing a laptop with Tailscale; this tutorial assumes you skimmed those when relevant. Here the goal is pure interpretive skill, not another generic feature overview.
2 Log levels on Mihomo-compatible cores
Verbose logging is deliberate signal, not brute-force spam. Mihomo inherits Clash family conventions—think of verbosity as layering: quieter modes confirm only anomalies; broader modes annotate resolver round-trips so you stop inferring phantom packet loss. Typical scales include silent (minimal operational confirmation), error (fatal or policy-hard failures such as malformed subscriptions), warning (degraded retries, stalled providers), info (steady-state connections and policy summaries), and debug or trace tiers that expand DNS internals, sniffed metadata, handshake fragments, or repeated matcher passes.
For day-to-day triage keep info as your cruising altitude: enough to correlate destinations with outbound names without drowning in TTL chatter. Bump to debug only during active investigations; the extra lines justify themselves when NXDOMAIN bursts or repeated fallback DNS attempts align with flaky Wi-Fi resets. Retreat to quieter levels afterward; unattended debug sessions on routers fill flash partitions and blur security reviews when partners shoulder-surf screenshots.
log-level:. If UI labels diverge (“Trace” versus “Dump”), peek at exported profiles to confirm translation.
3 Where logs live on desktop and headless rigs
On graphical clients you usually watch a rolling pane, often with search and export, bound to STDERR from the bundled core daemon. Containers or gateways may instead log to stdout for Docker, or write append-only files when log-level is paired with external rotation scripts run from systemd timers. Decide early whether your diagnosis requires historical buffers; tailing ephemeral buffers loses context when outages last minutes but symptoms trace back to hour-old DNS drift.
If you operate multiple Mihomo profiles, label terminal sessions plainly: mixing logging tabs between “lab” YAML and household production wastes hours blaming the wrong tun.enable toggle. Duplicate the offending profile fragment into a disposable test harness with identical DNS blocks when possible so log statements stay comparable sentence by sentence—as boring as versioning sounds, reproducibility matters more than charisma once families depend on uptime.
4 Reading connection-centric log lines
Connection entries echo the decisive evaluation order: inbound listener (system proxy versus TUN), destination tuple (possibly rewritten after sniffing), matched policy group, chained outbounds, handshake notes, throughput hints. When diagnosing misroutes, skim for these anchors: Was the hostname visible before HTTPS completed? Did the log note a rewritten destination after sniffing? Which rule label or provider stopped the walk—an explicit domain line, GEOIP verdict, RULE-SET entry, or the trailing MATCH funnel?
If your mental model insists on pristine hostnames yet logs show only synthesized addresses, pair this reading with our Sniffer primer on TLS Server Name sniffing; without sniffed context, GEOIP matchers may preempt domain rows you believe should win outright. Conversely, sniffing succeeds but rules still cascade incorrectly when earlier lines accidentally subsume CDN ranges—GEOIP upkeep matters, as described in GEOIP geodata maintenance.
5 DNS failure signatures versus slow proxies
DNS failures surface early in the pipeline: repeated resolver attempts alternating between primary and fallback nameservers; explicit negative responses that make destinations unreachable even before SOCKS handshakes; timeout strings referencing upstream DoH hosts that your LAN cannot reach from behind captive-portal routers. Symptoms overlap with flaky nodes, but log cadence differs: DNS noise clusters around query bursts when tabs reopen dozens of trackers simultaneously, whereas degraded exits usually show stalled TCP establishes after satisfactory resolution timings.
When Android’s Private DNS insists on oblivious transports that bypass Mihomo’s enhanced stack, logs may appear contradictory: the OS insists “network OK” yet application proxies never see lookups. Readers hitting that intersection should reconcile OS toggles alongside this article using Android Private DNS and FakeIP; similar caution applies where Chrome Secure DNS overshadows resolver policy on desktops.
To confirm DNS cleanly, correlate logged query outcomes with controlled experiments such as temporarily switching enhanced-mode or a controlled tun.dns-hijack setup. Never leave experimental DNS toggles unlogged in shared environments; annotate YAML commits so future-you recognizes why fallback lists expanded during hotel weeks overseas.
Another frequent pitfall mixes IPv6 Happy Eyeballs with partial tunnel coverage: Logs may show alternating AAAA and A successes where only one branch exits through Mihomo-friendly routes. When both families appear reachable yet sites spin, confirm whether ICMP or ancillary UDP paths failed silently—routing tables matter as much as stub resolvers once you escalate beyond simplistic “IPv6 OFF” folklore.
Finally, captive portals and captive DNS hijinks masquerade as proxy bugs: Resolver responses may point browsers to authentication pages unrelated to Mihomo YAML. Cross-check timestamps with OS connectivity notifications before refactoring entire rule hierarchies purely because coffee-shop Wi-Fi spoofed lookups for five-minute sessions.
Keep in mind authoritative answers may differ geographically; logging “correct” DNS locally while GEOIP still mis-tags remote egress is possible when CDNs multiplex aggressively. Tie DNS confirmations with GEOIP freshness rather than swapping nodes alone—logs become your narrative glue between resolver truth and geopolitical tagging.
When subscription providers intermittently throttle API domains, Mihomo retries may surface warnings distinct from outright NXDOMAIN—they suggest policy-level blocks or HTTP 451 semantics rather than OS-level breakage. Parsing those distinctions prevents conflating operator-side quirks with defective exit hardware.
6 Interpreting “rule did not behave” without guesswork
Rule misses rarely announce themselves politely; logs instead note whichever matcher fired first—even if intuitively wrong. Suppose you penned an elaborate DOMAIN-SUFFIX,example.dev,Special entry yet traffic still rides PROXY_GLOBAL because a broader GEOIP,AU line appears earlier courtesy of borrowed subscription snippets—you will see the GEOIP attribution even while mentally screaming about suffix intent. Fixing that requires reshuffling authoritative YAML—not expanding log verbosity endlessly.
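The shadowing described above can be reproduced offline with a first-match evaluator. This is an added example, not Mihomo's own matcher or code from the original page; the rule list, hostnames, and the COUNTRY_OF table (a constructed stand-in for a real GEOIP lookup) are assumptions.

```python
# Constructed rule list reproducing the ordering problem described above.
RULES = [
    "GEOIP,AU,PROXY_GLOBAL",
    "DOMAIN-SUFFIX,example.dev,Special",
    "MATCH,PROXY_GLOBAL",
]
# Stand-in for geodata: which country each test host resolves into (constructed).
COUNTRY_OF = {"app.example.dev": "AU", "other.example.org": "US"}


def rule_matches(rule, host):
    """Evaluate one rule line against a hostname."""
    kind, *rest = rule.split(",")
    if kind == "MATCH":
        return True
    payload = rest[0]
    if kind == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    if kind == "DOMAIN":
        return host == payload
    if kind == "GEOIP":
        return COUNTRY_OF.get(host) == payload
    return False  # rule types outside this sketch never match


def first_match(rules, host):
    """Return (index, rule) for the first rule that fires, as the log would report."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, host):
            return index, rule
    return None


def shadowing_rule(rules, intended, host):
    """Return the earlier rule that wins before `intended`, or None."""
    hit = first_match(rules, host)
    if hit is None or hit[0] >= rules.index(intended):
        return None
    return hit[1]


if __name__ == "__main__":
    print(shadowing_rule(RULES, "DOMAIN-SUFFIX,example.dev,Special", "app.example.dev"))
```

Moving the DOMAIN-SUFFIX line above the GEOIP line makes `shadowing_rule` return None for the same host, which is the reordering the paragraph calls for.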
MATCH leftovers deserve explicit skepticism whenever they recur for destinations you consciously intended to categorize. Patterns include mis-sorted merges that alphabetized provider fragments incorrectly, nightly automation overwriting manual inserts, or case sensitivity mismatched between imported lists and handwritten entries. Maintain git diffs of your local patches so regressions correlate with upstream merges instead of spontaneously blaming Mihomo releases.
For nested policy groups—particularly fallback or url-test composites—logging often prints both the parent group slug and whichever child survived health checks. When children rotate faster than dashboards update, watchers mis-attribute blame to sniffing pipelines; slow the refresh interval temporarily and watch whether consistent children eliminate perceived flapping. Our URL-test and Fallback primer walks those tunables with more arithmetic detail than duplicated here—use it alongside log breadcrumbs.
Specialized REJECT sinks from ad lists sometimes masquerade as connectivity failures (“site broken”) even though HTTPS technically completed with reset semantics; cross-check BLOCK or DROP tags when logs abruptly stop describing upstream bytes yet policy names reference blocklists—not every silent page equals DNS collapse.
Enterprise VPN coexistence overlays may prepend corporate routes that overshadow personal YAML unless you unify ordering; logs reveal whether corporate matchers hijacked flows before Mihomo glimpsed hosts. Coordinating adapters rather than blindly toggling off tun.auto-route saves weeks of iterative pain when split-tunnel desktops mix employer profiles with personal stacks.
Finally, scripted automation such as MCP agents or IDE extensions may instantiate thousands of ephemeral connections referencing odd hostnames—the resulting log flood looks catastrophic yet indicates tooling behavior rather than WAN impairment. Isolate dev environments when profiling homeowner-friendly defaults so analytics stay representative.
7 FakeIP quirks as seen through log lenses
FakeIP reduces latency by returning synthetic addresses referencing internal mappings. Logs may therefore show IPs that never publicly existed—which is intentional—while rule evaluation still depends on reconstructed hostnames downstream. Misreading those tuples as spoofing attacks wastes energy; reconcile by enabling sniffing overlays or inspecting mapping tables from your GUI diagnostics page when suspicion peaks.
If certain always-on protocols must skip the fictitious pool altogether, tighten fake-ip-filter entries after observing offending hosts from connection logs—not by copying decade-old gist fragments wholesale. Conversely, excessively wide filters degrade benefits; iterate from measured packet captures balanced with bedtime-friendly logging volume.
When hybrid stacks merge DNS forwarding with OS-level stubs, contradictory answers appear if one side bypasses Mihomo—even though rule logs swear policy matched cleanly. Harmonize transports before layering more experimental toggles atop already fragile tethering hotspots.
redir-host for a narrow test window, and diff logs. Revert quickly—redir-host trades privacy and performance characteristics you may not want long term.
8 A compact triage workflow
- Reproduce once with info logging; capture timestamp boundaries.
- Search for resolver errors or negative DNS codes before outbound attempts fail.
- Identify which rule label or provider entry attached to the flow; if MATCH triggers unexpectedly, diff YAML ordering against intent.
- If hostnames look absent or wrong, revisit Sniffer settings and TLS visibility before touching nodes.
- Escalate to debug only while actively testing; export truncated excerpts post-run.
- Document fixes in version control so subscription churn does not silently revert your ordering discipline.
This loop scales from single-user laptops to homelab gateways because it privileges evidence over superstition—exactly the mindset that keeps long-form guides like Meta DNS leak prevention relevant after upstream releases ship monthly.
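The first three steps of the workflow can be scripted over an exported excerpt. This is an added example, not code from the original page or the Mihomo project; the log layout and the sample lines are constructed assumptions modelled on Clash-family output, so adapt the patterns to what your core actually prints.

```python
import re

# Constructed sample lines. The layout is an assumption modelled on
# Clash-family output; adapt the patterns to what your core prints.
SAMPLE_LOG = """\
time="2025-01-10T09:00:01Z" level=debug msg="[DNS] api.example.dev --> NXDOMAIN from 192.0.2.53"
time="2025-01-10T09:00:02Z" level=warning msg="[TCP] dial DIRECT 192.168.1.20:50001 --> api.example.dev:443 error: no such host"
time="2025-01-10T09:00:03Z" level=debug msg="[DNS] cdn.example.net --> [203.0.113.9] from 192.0.2.53"
time="2025-01-10T09:00:04Z" level=info msg="[TCP] 192.168.1.20:50002 --> cdn.example.net:443 match GeoIP(AU) using PROXY_GLOBAL[node-a]"
time="2025-01-10T09:00:05Z" level=debug msg="[DNS] app.example.dev --> [203.0.113.20] from 192.0.2.53"
time="2025-01-10T09:00:06Z" level=info msg="[TCP] 192.168.1.20:50003 --> app.example.dev:443 match Match using PROXY_GLOBAL[node-a]"
time="2025-01-10T09:00:07Z" level=debug msg="[DNS] slow.example.org --> [203.0.113.30] from 192.0.2.53"
time="2025-01-10T09:00:08Z" level=warning msg="[TCP] dial PROXY_GLOBAL 192.168.1.20:50004 --> slow.example.org:443 error: i/o timeout"
"""

LINE = re.compile(r'time="[^"]+" level=(?P<level>\w+) msg="(?P<msg>.*)"$')
DNS = re.compile(r"\[DNS\] (?P<host>\S+) --> (?P<answer>\S+)")
CONN = re.compile(r"--> (?P<host>[^:\s]+):\d+ match (?P<rule>\S+) using (?P<chain>\S+)")
DIAL = re.compile(r"dial (?P<group>\S+) \S+ --> (?P<host>[^:\s]+):\d+ error: (?P<err>.+)")
NEGATIVE = {"NXDOMAIN", "SERVFAIL"}


def triage(log_text):
    """Map each destination host to a verdict: DNS first, then rule, then dial."""
    dns_failed, verdicts = set(), {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # ignore anything that is not a structured log line
        msg = line["msg"]
        if dns := DNS.match(msg):
            if dns["answer"] in NEGATIVE:
                dns_failed.add(dns["host"])
        elif dial := DIAL.search(msg):
            # A dial error after a negative answer is a resolver problem, not a bad node.
            host = dial["host"]
            verdicts[host] = "dns-failure" if host in dns_failed else f"dial-failure via {dial['group']}"
        elif conn := CONN.search(msg):
            verdicts[conn["host"]] = "match-fallthrough" if conn["rule"] == "Match" else f"rule {conn['rule']}"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```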
9 Privacy, disk space, and responsible sharing
Verbose logs embed domains customers visited, SaaS tenancy hints, occasional API keys from misconfigured dashboards, maybe internal corporate hostnames—not material suitable for indefinite retention on shared rigs. Rotate files, tighten permissions on exported archives, strip tokens before uploads, prefer textual snippets over entire multi-megabyte blobs when collaborating asynchronously.
Conversely, sanitized timelines help maintainers enormously; include Mihomo semantic version, OS locale, succinct YAML excerpts absent secrets, correlation IDs from provider dashboards whenever discussing subscription oddities—all without forcing volunteers to sift through unstructured noise.
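One way to sanitize an excerpt before sharing it, as an added example that is not part of the original page or any Mihomo tooling: credentials are stripped, and client addresses and hostnames are replaced with stable pseudonyms so maintainers can still correlate flows. The log layout, the token parameter names, and the sample lines are constructed assumptions.

```python
import hashlib
import re

# Constructed sample lines in an assumed Clash-family layout; the token
# and hostnames are made up for this example.
SAMPLE = """\
time="2025-01-10T09:00:04Z" level=info msg="[TCP] 192.168.1.20:50002 --> api.example.dev:443 match DomainSuffix(example.dev) using Special[node-a]"
time="2025-01-10T09:00:05Z" level=warning msg="[Provider] pull https://sub.example.net/link?token=s3cr3t-constructed failed"
time="2025-01-10T09:00:06Z" level=info msg="[TCP] 192.168.1.20:50003 --> api.example.dev:443 match DomainSuffix(example.dev) using Special[node-a]"
"""

TOKEN = re.compile(r'(?i)\b(token|key|secret|password)=[^&\s"]+')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def pseudonym(prefix, value, salt):
    """Stable per-export label: same input, same label, so flows stay correlatable."""
    digest = hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:8]
    return f"{prefix}-{digest}"


def redact(text, salt):
    """Strip credentials first, then replace addresses and hostnames with pseudonyms."""
    text = TOKEN.sub(lambda m: f"{m.group(1)}=REDACTED", text)
    text = IPV4.sub(lambda m: pseudonym("ip", m.group(0), salt), text)
    # Rule types, policy names and timestamps contain no dotted names and survive intact.
    return HOST.sub(lambda m: pseudonym("host", m.group(0).lower(), salt), text)


if __name__ == "__main__":
    print(redact(SAMPLE, salt="constructed-salt"))
```

Use a fresh random salt for each export and keep it private; the short pseudonyms preserve correlation within one excerpt and are not a strong anonymization scheme.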
On battery-powered gateways, prolonged debug logging heats silicon and trims flash longevity; schedule investigations during tethered benches when practical. Respect household bandwidth contracts too—streaming debug verbosity while tethering exaggerates metering anxiety without necessarily clarifying WAN-level drops.
Legal contexts vary internationally; archiving raw logs may oblige disclosures under workplace policies even on personal laptops running corporate MDM coexistence stacks—confirm compliance comfort before indefinite retention creep becomes accidental policy violation.
Encrypted disk backups propagate log archives unless you exclude directories explicitly; factor that into rotation scripts so misplaced diligence does not negate encryption benefits by stuffing plaintext secrets into dormant backup vaults presumed offline forever.
Community forums thrive when contributors annotate reproduction steps crisply—“works after toggling sniff override” beats thousand-line dumps duplicating intangible emotional frustration without numeric anchors.
Finally, multilingual households should remember translation layers sometimes reinterpret error strings oddly; capture original English fragments when escalating upstream issues to Mihomo maintainers—even when conversational fluency dominates daily life—because deterministic grep patterns rely on canonical wording.
10 Wrap-up
Mihomo connection logs close the ambiguity gap between intuition and evidence: Resolver failures betray themselves before SOCKS chains stall; rule ordering mistakes linger in unmistakable policy attributions once verbosity fits the situation; FakeIP interplay explains synthetic addresses skeptics mistakenly treat as spoofing artifacts. Compared with randomly rotating nodes, iterative log-guided tuning respects your YAML investment and amortizes troubleshooting across future regressions—even when subscriptions mutate weekly—because you internalized repeatable observability habits instead of brute-force luck.
Complementary tooling such as GEOIP upkeep, sniffed TLS names, resilient proxy groups, and OS-level DNS coexistence deepens the same toolchain without replacing log literacy; treat each guide as an orthogonal chapter rather than a substitute tutorial. Stability wins when desktops and routers share reproducible narratives captured in succinct excerpts rather than campfire folklore about mythical “best nodes overseas.” Compared with heavier commercial suites, Mihomo-compatible stacks reward operators who annotate configurations like professional infrastructure engineers: verbosity becomes signal, and entropy shrinks proportionally whenever households adopt disciplined logging hygiene.
When builds match your posture, consolidate installs from distributors you trust, fetch clients from consolidated download hubs with reproducible changelogs, then reload profiles calmly while tails stream cleanly rather than drifting across nightly fork binaries.