1 When redir-host is the ergonomically sane default
Fake-IP is good at hiding recursive latency and at keeping the original hostname attached to each connection in split-routing setups, yet it accumulates troubleshooting debt the moment mixed-mode apps, legacy TLS stacks, or partially tunneled traffic still insist on seeing real RRsets. Selecting redir-host asks Mihomo (the renamed Clash Meta core, and forks that keep its configuration grammar) to keep ordinary resolver semantics intact: clients receive the real address, and rules are then matched against that address. GEOIP rules line up far more intuitively with live routing tables because the IP you see is the IP the CDN edge expects, which removes many phantom "MATCH-to-proxy" guesses when upstreams rotate anycast footprints.
Companies running Mihomo alongside a corporate VPN frequently disable Fake-IP on sensitive VLANs precisely because auditors want reproducible PCAP evidence with real addresses in it. Hobbyists tethering routers may proxy only selected SSIDs yet still funnel DNS queries through Mihomo listeners; once LAN clients stop trusting the synthesized 198.18.0.0/15 answers, Fake-IP quickly becomes incompatible. Acknowledging that scope up front anchors the YAML work: instead of cramming TUN-mode documentation into every paragraph (see the systemd stub guidance when OS-level stubs clash), we focus narrowly on assembling resolver chains that survive redir-host's transparency requirements.
The trade-offs are blunt. Redir-host surfaces DNS pollution immediately: if your ISP rewrites lookups, Mihomo hands the poisoned address to the client and matches its rules against it, so a polluted answer can steer a flow into the wrong policy. Conversely, diagnosing pollution becomes honest again because log lines reference real servers and real addresses instead of a synthesized pool. Respect that symmetry when choosing upstreams; you are no longer papering over anomalies with mapped IPs. This article embraces that realism and documents how nameserver and fallback cooperate to tame it.
2 Skeleton YAML showing dns:, listen, and enhanced-mode
Start every profile from a deterministic skeleton, even if GUIs regenerate fragments, so teammates can grep for inconsistencies. Mihomo merges dns with the other top-level dictionaries exactly as upstream Clash Meta examples show: enable the subsystem, set the listener address and port (listen takes a host:port pair; the dhcp:// and system pseudo-schemes belong to nameserver entries, not to listen), and pin enhanced-mode to redir-host so queries return routable addresses that GEOIP-aware rules can evaluate without translating through a Fake-IP pool.
```yaml
dns:
  enable: true
  listen: 0.0.0.0:1053          # client GUIs remap this; verify no collision with systemd-resolved
  ipv6: false                   # toggle true once your fallback paths handle AAAA cleanly
  enhanced-mode: redir-host
  fake-ip-range: 198.18.0.1/15  # unused in redir-host but keep template parity with upstream docs
  use-hosts: true
  respect-rules: false          # turn true ONLY after rules explicitly gate DNS egress
```
Placeholder comments matter because Mihomo dashboards often silently rewrite listen ports: the YAML you export after editing should still show the port your iptables or nftables redirection forwards to. Readers who render profiles through CI should lint for duplicate listeners before rolling out fleet-wide; a surprising number of "DNS stuck" incidents trace to two listeners, one on :53 and one on :1053, forwarding the same doh.pub upstream. Dashboards may also flip boolean keys (ipv6, respect-rules) or inject client-specific defaults. Diff before trusting screenshots: the literal keys in Mihomo-compatible cores must match upstream grammar, and an unrecognized key is typically ignored rather than rejected, so a misspelled key quietly leaves the default in force.
3 Bootstrap with default-nameserver
Next, supply default-nameserver, the small resolver roster Mihomo uses to resolve the hostnames of the other DNS servers, which matters as soon as your primary list mixes in DoT or DoH endpoints named by domain. Those bootstrap servers are consulted only for that purpose, which prevents the circular dependency where https://dns.quad9.net/dns-query cannot be reached until dns.quad9.net has been resolved. Entries must be IP literals, since a hostname here would itself need resolving. Prefer low-latency, ISP-neutral resolvers reachable without the proxy overlay; two geographically diverse addresses reduce single-path brownouts tied to flaky Wi-Fi offload.
```yaml
  default-nameserver:
    - 223.5.5.5            # Alibaba public DNS, bootstrap only
    - 119.29.29.29         # DNSPod, bootstrap only
    - tls://8.8.8.8:853    # DoT works here only as an IP literal; tls://dns.google would itself need resolving
```
Document why each bootstrap target exists directly in pull requests: auditors reading your YAML months later deserve context stating whether Alibaba DNS is tolerated for bootstrap only or mirrored into production policy. Operational hygiene also demands rotating default entries after upstream outages (for example, swapping to operator-provided SLA resolvers aboard a cruise ship satellite uplink), with comments noting temporary exceptions.
If you leave default-nameserver empty yet reference DoH or DoT URIs by hostname, Mihomo logs repeating "no available nameserver" errors that masquerade as broken rules. Troubleshooting should always run dig against the same upstreams from the host shell to confirm reachability before blaming the core. When both sides succeed yet Mihomo still loops, capture packets on the listener port; a listen bound to 127.0.0.1 while LAN clients target the gateway IP is a repeat offender.
4 Build the primary nameserver tier
Primary nameserver entries should reflect how you want typical domains resolved before any fallback logic fires. Most operators stack a fast domestic UDP pair for latency, then append DoH entries so the bulk of lookups at least travel encrypted to the resolver. Mixing schemes (udp://, tls://, https://) is encouraged because single-stack failures look different: UDP throttling shows up as silent drops, while TLS handshakes fail loudly with certificate errors you can trace to captive portals.
```yaml
  nameserver:
    - 223.5.5.5
    - 119.28.28.28
    - https://dns.alidns.com/dns-query
    - https://dns.google/dns-query
```
Order matters less than diversity (Mihomo queries the tier concurrently and takes the first usable answer), but hidden shared paths can surprise you: if every entry ultimately routes through the same anycast POP, you only think you have redundancy. When piloting cross-border campus networks, embed at least one resolver operated outside your domestic legal jurisdiction yet still acceptable to compliance, and document that tension clearly for security reviews referencing Clash Meta workloads.
Some templates wrap each entry inside policy-specific YAML anchors; anchors are expanded by the YAML parser before Mihomo sees the document, so collapsing them for readability costs nothing and avoids Git diff noise unless automation truly requires duplication. Watching metrics from Mihomo's external-controller API also helps determine whether your primary tier saturates concurrency limits; latency spikes occasionally trace to concurrency caps instead of WAN loss.
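As an added example (not Mihomo's own code), the following Python lint applies the rules from sections 3 and 4 to the three tier lists as a YAML loader would hand them back: bootstrap entries must be IP literals, hostname-based DoT/DoH entries need a bootstrap tier, and the tiers should not collapse onto a single host. The allowed scheme set, the handling of a #proxy suffix and the decision to flag dhcp:// inside default-nameserver are assumptions of this example.

```python
"""Lint the three DNS tiers of a Mihomo profile before deploying it.

Added example, not Mihomo's own code. Inputs are the Python lists a YAML
loader returns for dns.default-nameserver, dns.nameserver and dns.fallback.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"udp", "tcp", "tls", "https", "quic", "dhcp"}   # assumed allow-list
DEFAULT_PORTS = {"udp": 53, "tcp": 53, "tls": 853, "https": 443, "quic": 853}


def parse_server(entry):
    """Return (scheme, host, port) for one nameserver entry.

    A bare address such as '223.5.5.5' is treated as udp://223.5.5.5:53; the
    literal 'system' means the OS resolver and carries no host. A '#proxy'
    egress suffix is dropped before parsing (assumption about that syntax).
    """
    entry = entry.split("#", 1)[0]
    if entry == "system":
        return "system", "", None
    if "://" not in entry:
        entry = "udp://" + entry
    parts = urlsplit(entry)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme in {entry!r}")
    return parts.scheme, (parts.hostname or ""), parts.port or DEFAULT_PORTS.get(parts.scheme)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def lint_dns(default_nameserver, nameserver, fallback=()):
    """Return human-readable problems; an empty list means the tiers are consistent."""
    problems = []
    if not default_nameserver:
        problems.append("default-nameserver is empty; hostname-based upstreams cannot bootstrap")
    for entry in default_nameserver:
        try:
            scheme, host, _ = parse_server(entry)
        except ValueError as exc:
            problems.append(f"default-nameserver {entry!r}: {exc}")
            continue
        # Bootstrap servers resolve the other servers' names, so they cannot be names
        # themselves; 'system' has no host and is left alone (assumption), dhcp://x is flagged.
        if scheme != "system" and not is_ip_literal(host):
            problems.append(f"default-nameserver {entry!r}: must be an IP literal")
    if not nameserver:
        problems.append("nameserver is empty")
    hosts = set()
    for tier, entries in (("nameserver", nameserver), ("fallback", fallback)):
        for entry in entries:
            try:
                scheme, host, _ = parse_server(entry)
            except ValueError as exc:
                problems.append(f"{tier} {entry!r}: {exc}")
                continue
            hosts.add(host)
            if scheme in ("tls", "https", "quic") and not is_ip_literal(host) and not default_nameserver:
                problems.append(f"{tier} {entry!r}: hostname needs default-nameserver to bootstrap")
    # Distinct hosts are a weak proxy for path diversity; shared anycast POPs still hide behind them.
    if len(hosts) < 2:
        problems.append("nameserver and fallback collapse onto a single host; no redundancy")
    return problems


if __name__ == "__main__":
    for problem in lint_dns(["223.5.5.5", "tls://dns.google"],
                            ["223.5.5.5", "https://dns.google/dns-query"]):
        print(problem)
```

Run it from a pre-commit hook or CI step against the loaded profile; the host-count check is deliberately weak and only catches the obvious case of every tier pointing at one resolver.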
5 Compose fallback resolvers plus fallback-filter
fallback is where redir-host profiles regain the nuance Fake-IP often hides. Mihomo queries the fallback servers alongside the primaries and prefers the fallback answer whenever fallback-filter says the primary answer deserves distrust: a returned IP sits outside the geoip-code country, lands in a listed ipcidr block, or the queried domain matches a listed suffix (in which case the primary answer is skipped outright). Typical patterns pair domestic ISP resolvers inside nameserver with neutrality-focused DoT or DoH services inside fallback so sensitive overseas domains avoid poisoned answers without dragging domestic SaaS lookups through a Rotterdam anycast relay.
```yaml
  fallback:
    - https://dns.google/dns-query
    - tls://8.8.4.4:853
    - https://1.1.1.1/dns-query
  fallback-filter:
    geoip: true
    geoip-code: CN
    domain:
      - '+.google.com'
      - '+.youtube.com'
    ipcidr:
      - 240.0.0.0/4
      - 127.0.0.1/32
      - 169.254.0.0/16
```
Setting geoip-code anchors the definition of "domestic"; the default is CN, but writing it out removes ambiguity for teammates who maintain forked GEOIP bundles. Listing domain suffixes under fallback-filter sends well-known cross-border names straight to the fallback tier without waiting for a suspicious answer from primaries. Some Mihomo builds extend the block with a geosite list for the same purpose; if you adopt it, gate it behind the same geodata refresh cadence as your routing rules and document version-specific behavior in runbooks.
Never treat fallback as magically private: each extra hop lengthens observable metadata trails. Operational security teams evaluating Clash Meta footprints should quantify how often fallback triggers versus primaries via external-controller dashboards. If percentages skew above expectations, broaden primary trusted resolvers rather than starving fallback concurrency and triggering thundering herds.
6 Layer nameserver-policy once primaries stabilize
After the global tiers behave, selectively pin domains to resolver clusters using nameserver-policy. A company with an internal split-horizon AD zone might map "+.corp.local" to on-prem BIND while everything else inherits the WAN stack described earlier. Keys are domain patterns: a bare name matches exactly, "*.x" matches one label beneath x, and "+.x" matches x and everything beneath it, which is why the AD zone needs the "+." form (SRV records such as _ldap._tcp.dc._msdcs.corp.local are several labels deep). Duplicate keys in a YAML map are either a parse error or a silent overwrite depending on the parser, so deduplicate automation output before it reaches the core.
```yaml
  nameserver-policy:
    "ntp.org": [223.5.5.5, tls://dns.google]    # exact match only; use "+.ntp.org" to cover pool.ntp.org
    "*.cloudflare-dns.com":
      - https://1.1.1.1/dns-query               # one label under cloudflare-dns.com, not the apex
    "detectportal.firefox.com": [ dhcp://en0 ]  # resolvers handed out by DHCP on en0
```
Combining policy entries with GEOIP-heavy rules yields predictable outcomes: DNS answers come from whichever resolver should own the zone, reducing oddities where captive-portal checks bounce through unintended nodes. The dhcp:// scheme uses the DNS servers that DHCP handed out on the named interface; replace en0 with your active interface name (often eth0 or wlan0 on Linux, the adapter's display name on Windows builds that support the scheme). Maintain documentation listing each rationale; future refactors hinge on tribal knowledge unless commit messages articulate why captive-portal probes warrant DHCP-scoped lookups.
For readers orchestrating fleets, template engines can inject YAML fragments per region: APAC gateways might prepend policy blocks referencing local university DNS relays while LATAM gateways insert entirely different bilingual resolvers without touching the global nameserver arrays. Mihomo merges cleanly when those fragments obey consistent indentation; a tab in YAML indentation is a parse error that rejects the whole profile, and a key indented one level too shallow lands in the parent dictionary, where it is ignored.
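The following Python model, added here and not taken from Mihomo, walks one query through the tier selection that sections 5 and 6 describe: a nameserver-policy match wins outright, otherwise the primary answer is run through fallback-filter and the fallback tier is preferred when the filter fires. The pattern grammar, the "outside geoip-code and not private" rule and the tiny GEOIP table are this example's assumptions; the config dict mirrors the page's own YAML.

```python
"""Which resolver tier answers a given query in redir-host mode.

Added example, not Mihomo's own code; semantics are modelled as this page
reads them, and the GEOIP lookup is a constructed stand-in.
"""
import ipaddress

CONFIG = {  # the page's YAML as a YAML loader would return it
    "nameserver": ["223.5.5.5", "119.28.28.28", "https://dns.alidns.com/dns-query"],
    "fallback": ["https://dns.google/dns-query", "tls://8.8.4.4:853", "https://1.1.1.1/dns-query"],
    "fallback-filter": {
        "geoip": True,
        "geoip-code": "CN",
        "domain": ["+.google.com", "+.youtube.com"],
        "ipcidr": ["240.0.0.0/4", "127.0.0.1/32", "169.254.0.0/16"],
    },
    "nameserver-policy": {
        "ntp.org": ["223.5.5.5", "tls://dns.google"],
        "*.cloudflare-dns.com": ["https://1.1.1.1/dns-query"],
        "detectportal.firefox.com": ["dhcp://en0"],
    },
}

# Constructed stand-in for the GEOIP database: anything unlisted counts as non-CN.
GEOIP = {"110.242.68.66": "CN", "119.29.29.29": "CN", "142.250.72.14": "US"}


def country_of(ip):
    return GEOIP.get(ip, "US")


def match_pattern(pattern, domain):
    """Exact name, '*.x' = exactly one label under x, '+.x' = x or anything under it."""
    domain = domain.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("+."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    if pattern.startswith("*."):
        base = pattern[2:]
        if not domain.endswith("." + base):
            return False
        return "." not in domain[: -(len(base) + 1)]
    return domain == pattern


def policy_servers(policy, domain):
    """Servers pinned by nameserver-policy, or None; first matching key wins (insertion order)."""
    for pattern, servers in policy.items():
        if match_pattern(pattern, domain):
            return servers
    return None


def fallback_fires(domain, primary_ips, filt):
    """Apply fallback-filter to the primary tier's answer; returns (fires, reason)."""
    for pat in filt.get("domain", []):
        if match_pattern(pat, domain):
            return True, f"domain matches {pat}; primary answer skipped"
    nets = [ipaddress.ip_network(c) for c in filt.get("ipcidr", [])]
    code = filt.get("geoip-code", "CN").upper()
    for raw in primary_ips:
        ip = ipaddress.ip_address(raw)
        for net in nets:
            if ip in net:          # version mismatch simply yields False
                return True, f"{ip} inside ipcidr {net}"
        if filt.get("geoip", True) and not ip.is_private and country_of(raw) != code:
            return True, f"{ip} resolves outside {code}"
    return False, "primary answer accepted"


def resolve_tier(domain, primary_ips, config=CONFIG):
    """Return (tier, servers, reason) for one query, given what the primaries answered."""
    pinned = policy_servers(config.get("nameserver-policy", {}), domain)
    if pinned is not None:
        return "nameserver-policy", pinned, "pinned by policy"
    fires, why = fallback_fires(domain, primary_ips, config.get("fallback-filter", {}))
    if fires:
        return "fallback", config["fallback"], why
    return "nameserver", config["nameserver"], why


if __name__ == "__main__":
    for name, answer in [("www.baidu.com", ["110.242.68.66"]), ("www.youtube.com", ["142.250.72.14"]),
                         ("www.example.net", ["240.0.0.1"]), ("pool.ntp.org", ["110.242.68.66"]),
                         ("a.b.cloudflare-dns.com", ["1.1.1.1"])]:
        tier, _, why = resolve_tier(name, answer)
        print(f"{name:24} -> {tier:17} {why}")
```

Running it shows the exact-match pitfall from the policy block: pool.ntp.org never hits the "ntp.org" key, and a.b.cloudflare-dns.com slips past "*.cloudflare-dns.com" and ends up judged by geoip instead.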
7 Tie listeners back to hosts, DHCP, or TUN hybrids
Skeleton examples hard-code listen: 0.0.0.0:1053; production scenarios often prefer binding to the LAN interface address so the listener is not reachable on every interface. Roaming is handled on the upstream side rather than the listener side: the dhcp://<interface> nameserver scheme picks up whatever resolvers DHCP hands out, so laptops switching between WPA3 hotspots keep sane upstreams without hand-editing YAML at every airport gate.
If you coexist with systemd-resolved, decide single-writer semantics up front, either by disabling its stub listener on 127.0.0.53 or by DNAT-redirecting port 53 to Mihomo; half measures leave two caching layers with different TTL policies answering the same clients, which surfaces as intermittently inconsistent answers and flaky HTTP/3 upgrades in browsers. Transparent bridge deployments on routers need a parallel discussion of offload tables; hardware offload occasionally bypasses the userland DNS redirection you assumed was intact.
Document firewall zones explicitly: a WAN-facing listener without ACLs turns Mihomo into an open resolver for Internet scanners and an amplification source for attackers. Bind to RFC1918 addresses or wrap the listener in nftables jump rules referencing sets of trusted LAN subnets. Incident responders appreciate runbooks tying each opening to a ticket reference, because surprise exposure often traces to copy-pasted Mihomo gist files.
8 Pitfalls unique to transparent redir-host setups
Transparent modes amplify misconfiguration echoes. Oversized TTLs from WAN resolvers collide with Mihomo TTL overrides; when both fight, intermittently stale routes appear until you flush the systemd-resolved cache (resolvectl flush-caches) or restart browser profiles. Conversely, pinning TTL too low wastes battery on mobiles because radios wake aggressively per lookup; balance via measured metrics rather than folklore defaults plucked from old forum posts.
Double-NAT environments sometimes rewrite UDP source ports unpredictably; check the conntrack table and kernel logs to verify that no overlapping masquerading rules rewrite source ports midway, because an answer returning to the wrong port is silently dropped. GEOIP mismatches flare when Mihomo GEO databases lag CDN expansions into new countries; automate weekly geodata refreshes alongside Mihomo upgrades so fallback-filter triggers reference current boundaries.
Sniffer interplay remains relevant even under redir-host: HTTP hosts recovered by sniffers occasionally bypass DNS entirely, circumventing naive assumptions about parity between resolver outputs and CONNECT targets. If that nuance sparks confusion while debugging, revisit the HTTPS sniffer misroute notes after stabilizing YAML fundamentals.
Keep a regression script that runs dig @127.0.0.1 -p 1053 twitter.com (replace the port) with Mihomo enabled and disabled and diffs the RRsets against known-good answers. Persist such scripts in repos so regressions caught post-upgrade reproduce consistently.
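Here is an added Python harness, not from the page's tooling, for that regression check: it queries the listener and a reference resolver through dig (assumed installed) and classifies the answers using the page's own ipcidr blocks plus the 198.18.0.0/15 Fake-IP pool, so a profile that quietly re-enabled Fake-IP shows up as a finding. The listener and reference addresses are placeholders, and the parsing and classification are pure functions so they can be exercised on constructed output.

```python
"""Regression check: compare the Mihomo listener's answers with a reference resolver.

Added example, not part of the page's tooling. Shells out to dig (assumed
installed); classification runs on parsed text so it also works offline.
"""
import ipaddress
import subprocess

# Poison indicators (assumption): the page's ipcidr blocks, 0/8, and the Fake-IP pool.
BOGUS = [ipaddress.ip_network(c) for c in
         ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4", "198.18.0.0/15")]


def parse_short(output):
    """Turn `dig +short` output into the set of address records, skipping CNAME/text lines."""
    rrset = set()
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue            # CNAME target such as 'twitter.com.' or an empty line
        rrset.add(line)
    return rrset


def classify(mihomo, reference, ipv6_enabled=False):
    """Findings for one name: empty answer, bogus addresses, stray AAAA, or zero overlap."""
    findings = []
    if not mihomo:
        findings.append("empty answer from the Mihomo listener")
    for raw in sorted(mihomo):
        ip = ipaddress.ip_address(raw)
        if any(ip in net for net in BOGUS):
            findings.append(f"bogus or Fake-IP address {raw}")
        if ip.version == 6 and not ipv6_enabled:
            findings.append(f"AAAA {raw} returned although ipv6: false")
    if mihomo and reference and mihomo.isdisjoint(reference):
        findings.append("no overlap with the reference answer (CDN rotation or pollution; inspect)")
    return findings


def dig_short(server, port, name, rrtype):
    """Run dig and return the parsed RRset; a failed or timed-out query yields an empty set."""
    cmd = ["dig", f"@{server}", "-p", str(port), "+short", "+time=2", "+tries=1", name, rrtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_short(proc.stdout)


def compare(names, listener=("127.0.0.1", 1053), reference=("1.1.1.1", 53)):
    """Map each name to its findings; an empty list means the listener agreed with the reference."""
    report = {}
    for name in names:
        mine = dig_short(*listener, name, "A") | dig_short(*listener, name, "AAAA")
        ref = dig_short(*reference, name, "A") | dig_short(*reference, name, "AAAA")
        report[name] = classify(mine, ref)
    return report


if __name__ == "__main__":
    for name, findings in compare(["twitter.com", "www.baidu.com"]).items():
        print(name, findings or "ok")
```

The "no overlap" finding is deliberately a hint rather than a verdict: CDN-fronted names legitimately differ between resolvers, so treat it as a prompt to look at the TTLs and the returned ASNs by hand.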
9 Frequently asked Mihomo DNS questions
Does Mihomo DNS still obey fallback when respect-rules is enabled?
respect-rules changes the egress path of Mihomo's own upstream queries: with it enabled, the connection to each nameserver is itself matched against your rule set, so a rule that sends the fallback servers' addresses through a dead proxy starves the fallback tier entirely, and the symptom looks like stalled HTTPS even though pings succeed. Mihomo also lets an entry name its egress explicitly with a #proxy-name suffix (for example https://dns.google/dns-query#Proxy); prefer that over implicit rule matching for the fallback tier. Maintain staging profiles that toggle respect-rules one at a time to pinpoint surprises.
Can I omit fake-ip-range now that redir-host is active?
Keeping the range commented but present preserves schema compatibility across GUIs and automation templates that still lint for Fake-IP fields. Stripping unused keys altogether is fine syntactically—just ensure exporter scripts do not blindly re-insert defaults that re-enable Fake-IP accidentally after nightly merges.
How does this mesh with mixin overrides?
mixin layers append or replace dictionaries depending on nesting depth documented in Mihomo merges. Isolate DNS deltas inside mixin shards so teammates can cherry-pick environment-specific tweaks without risking subscription overwrite collisions—pattern mirrors recommendations in our mixin primer even though subscriptions differ from resolver lists structurally.
10 Operational wrap-up
Redir-host is not nostalgia—it is disciplined transparency. Once default-nameserver clears bootstrap paths, nameserver answers everyday domains, fallback plus fallback-filter gate cross-border mistrust responsibly, and nameserver-policy pins oddball zones, your Clash Meta/Mihomo stack stops masquerading DNS bugs as routing bugs. Operational logging becomes legible enough that incident retrospectives cite resolver tiers instead of hand-wavy “probably the airport node.”
Command-line-centric cores and brittle vendor GUIs alike tend to bury DNS ergonomics beneath glossy charts. Some forks hide fallback toggles altogether, silently flattening redundancy until you sniff TLS failure loops on hotel Wi-Fi. Others demand JSON patches incompatible with reproducible IaC snapshots. Conversely, workflows that prioritize honest YAML, external-controller telemetry, and first-class mixin layering keep resolver intent reviewable—even when fleets span mixed operating systems chasing BYOD chaos.
Readers who crave that blend—transparent Meta-class DNS knobs, approachable exports for redir-host baselines, and clients that coexist with tunneled overlays without rewriting history every release—typically land on the curated builds showcased on our download hub rather than juggling abandoned forks. Compared with patching five divergent gist files nightly, consolidating around a documented surface area leaves more evening hours for tinkering routing instead of parsing crash logs. Whenever you decide the same sanity matters for your desktops and routers, skim the installers on our download page and pick whichever channel matches your platform; pairing those builds with this resolver recipe keeps Mihomo behaving like infrastructure instead of improvisation.