
Clash Meta GEOIP and GEOSITE Rules: Split Routing Setup Guide (2026)

You already paste DOMAIN-SUFFIX lines with confidence and maybe even PROCESS-NAME overrides, yet the next leap—routing “everything domestic direct, everything else through a proxy” without maintaining a planet-sized domain spreadsheet—lives in two specialized predicates: GEOIP for destination country and GEOSITE for bundled domain lists. In Clash Meta and Mihomo, those predicates are fast, expressive, and extremely easy to mis-order. This guide gives you a copy-ready skeleton for geodata, explains how GEOIP and GEOSITE interact with no-resolve, compares them with Sniffer-based hostname recovery and process rules, and lists the pitfalls that send traffic to the wrong outbound even when the YAML “looks right.”

Clash Editorial Team

Search intent: when GEOIP and GEOSITE earn their keep

The typical upgrade path looks like this: you start with a handful of explicit domains for work apps, then you borrow a community profile that already separates “ads” and “telemetry.” Eventually you want a policy that mirrors how humans think about geography—Chinese CDNs and government sites direct, overseas SaaS through a resilient proxy group—without hand-maintaining every hostname Akamai might front next Tuesday. That is where GEOIP shines: it classifies the destination IP using a MaxMind-style database shipped as geoip.dat (or an equivalent blob your build expects). GEOSITE complements it by answering a different question: “Is this domain a member of a curated tag like google or category-games?” using geosite.dat data maintained upstream.

Neither keyword replaces Sniffer magic for HTTPS flows that arrive as bare IPs in logs, and neither replaces PROCESS-NAME when the executable—not the site—should decide policy. They sit in the middle layer: after you have a hostname or a resolved IP the core can evaluate, but before you fall through to a blunt MATCH. If that layering sounds abstract, the fix is simple: keep reading, paste the baseline blocks, then reorder until three test URLs behave exactly as you expect.

Mental model: what each classifier actually sees

Think of the rule engine as a strict top-to-bottom ladder. Each rung asks a yes-or-no question. DOMAIN and DOMAIN-SUFFIX questions require a hostname string; if the connection metadata only contains an IP because TLS hid the name, those rungs may not fire unless Sniffer recovered SNI or QUIC hints. GEOSITE also wants a domain: it looks the name up in a trie backed by geosite.dat and checks membership in a tag such as netflix or telegram. GEOIP instead reads the destination address (or source, when using source forms) and asks which country code the database associates with that range.

Because IP databases lag real-world routing, GEOIP is excellent for coarse split tunnels—especially paired with GEOIP,CN,DIRECT versus GEOIP,!CN,Proxy—but terrible as the only tool for CDN-heavy sites that share IPs across regions. GEOSITE fixes many CDN puzzles by keying off names, yet it cannot help when no domain is available at classification time. That is why mature profiles stack layers: explicit domains, GEOSITE bundles, then GEOIP as a safety net, then MATCH.

First match wins: a broad GEOSITE line above a careful DOMAIN line can accidentally capture traffic you meant to carve out. Treat ordering like firewall ACLs.

Step 0: geodata files and auto-update

Before any GEOIP or GEOSITE line works, the core must load databases. Most Meta-class distributions download community-maintained blobs automatically when you enable the right flags; offline or locked-down environments may need you to place files beside the binary and point geodata-loader settings explicitly. A pragmatic 2026 pattern is to let Mihomo fetch fresh geoip.dat and geosite.dat on an interval so your China ranges and streaming lists do not go stale for months.

The exact YAML keys drift slightly between minor releases, so always cross-check your installed version’s documentation. The illustrative block below shows the shape most users expect: remote URLs, periodic refresh, and loader mode toggles. Adjust hostnames if your organization mirrors artifacts internally.

# Geodata baseline — verify keys against your Mihomo / Meta build
geodata-mode: true
geo-auto-update: true
geo-update-interval: 24  # hours; the value is an integer, not a duration string

geox-url:
  geoip: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat"
  geosite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"

If downloads fail—corporate TLS inspection, flaky DNS, or aggressive antivirus quarantine—the symptom is immediate: rules silently skip database lookups or log loader errors while everything falls to MATCH. Fix the transport first; do not compensate by duplicating thousands of IP-CIDR lines unless you truly operate air-gapped.

GEOIP rules: country classes, negation, and private space

A minimal country split for readers in mainland China often resembles two lines: send Chinese destination ranges direct, send the rest to a proxy group. Community templates phrase that as GEOIP,CN,DIRECT followed by GEOIP,!CN,YourProxy. The exclamation prefix means “not in this country code,” which is convenient when your default policy would otherwise be direct and you only want to elevate foreign destinations.

Private LAN and link-local space should not ride the foreign bucket. Experienced profiles prepend GEOIP,private,DIRECT,no-resolve or equivalent IP-CIDR private entries. The no-resolve option matters because an IP-based rule evaluated against a connection that carries only a domain can make the core resolve that domain just to test the rule; with no-resolve the core skips that extra lookup, which might otherwise steer policy in surprising ways during race conditions. If your release notes describe additional modifiers, prefer the vendor wording; this article focuses on portable intent, not every historical alias.

# Example tail of a China-direct / foreign-proxy ladder (illustrative)
rules:
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,CN,DIRECT
  - GEOIP,!CN,Proxy
  - MATCH,DIRECT

Some advanced setups add SRC-GEOIP variants to treat clients differently based on where packets originate on a router. That pattern shows up in gateway deployments more often than on laptops. If you run Mihomo on OpenWrt-style boxes, revisit interface binding and source address visibility before trusting source-country predicates; misidentified sources make GEOIP look “random.”

GEOSITE rules: tags, bundles, and community semantics

GEOSITE lines look like GEOSITE,tag,policy. The tag comes from the dataset authors: Loyalsoldier-style lists expose familiar names—google, telegram, category-ads-all—while other mirrors may slice categories differently. Treat tags as opaque identifiers: copy the spelling exactly, including hyphens, and verify behavior with a test domain you understand.

A frequent pattern pairs advertising and analytics blocks with REJECT or a sink policy, then routes geolocation-!cn (or similarly named bundles) to a proxy while keeping cn-oriented tags direct. Because naming varies by dataset, start from the README bundled with the geosite.dat you actually downloaded—forum snippets love to drift out of sync with upstream renames.

# GEOSITE illustrations — tags must exist in your geosite.dat
rules:
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,github,Proxy
  - GEOSITE,google@cn,DIRECT
  - GEOSITE,geolocation-!cn,Proxy

When you need vendor-scale lists but want them outside the main file, rule providers and compiled RULE-SET entries are the scalable path; our ACL4SSR versus Loyalsoldier walkthrough explains trade-offs between mega bundles and hand-curated slices. This page stays focused on first-party GEOSITE predicates so you understand the grammar before you outsource list maintenance.

Ordering strategy: where GEOIP and GEOSITE belong

A sane default ladder for desktop clients with TUN enabled looks like this skeleton: block or reject unwanted categories early; pin ultra-specific corporate domains next; apply GEOSITE bundles for major verticals; insert LAN and private IP matches; only then add GEOIP country classes; finish with MATCH. The guiding principle is resolving ambiguity before breadth—broad country buckets come late because they happily swallow CDN IPs that also serve domestic eyeballs.

If you invert that order, you will see maddening cases where GEOIP,CN,DIRECT grabs a connection that should have used a GEOSITE tag for a multinational SaaS fronted inside China. The fix is not “disable GEOIP”; the fix is moving the GEOSITE line above the country catch-all or narrowing the country rule with complementary tags. Document why each block sits where it does—future you will thank present you during a midnight merge conflict with a subscription generator.
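A small linter for the ordering rules above, added here as an example and not part of Mihomo or the original guide: it flags country GEOIP lines that sit above name-based rules, a private GEOIP line without no-resolve, and anything below MATCH. The rule lists and the corp.example domain are constructed samples.

```python
# Added example: static order check for a Clash Meta / Mihomo rules list.
NAME_RULES = {"DOMAIN", "DOMAIN-SUFFIX", "GEOSITE"}  # predicates that need a hostname

def lint_rules(rules):
    """Return [(index, message)] for ordering problems in an ordered rule list."""
    parsed = [[f.strip() for f in r.split(",")] for r in rules]
    match_at = next((i for i, p in enumerate(parsed) if p[0] == "MATCH"), None)
    findings = []
    if match_at is None:
        findings.append((len(rules), "no MATCH rule at the end of the ladder"))
    end = len(parsed) if match_at is None else match_at
    for i, p in enumerate(parsed):
        if i > end:
            findings.append((i, f"unreachable: below MATCH at index {match_at}"))
        elif p[0] == "GEOIP" and p[1] == "private":
            # The guide pairs the private class with no-resolve.
            if "no-resolve" not in p[3:]:
                findings.append((i, "GEOIP,private is missing no-resolve"))
        elif p[0] == "GEOIP":
            # A country bucket wins first, so name-based rules below it never
            # see flows whose destination IP falls in that bucket.
            below = [j for j in range(i + 1, end) if parsed[j][0] in NAME_RULES]
            if below:
                findings.append((i, f"{rules[i]} sits above name-based rules {below}"))
    return findings

# Constructed sample: a merged profile with the country bucket too high.
MERGED = [
    "GEOIP,private,DIRECT",
    "GEOIP,CN,DIRECT",
    "GEOSITE,category-ads-all,REJECT",
    "DOMAIN-SUFFIX,corp.example,DIRECT",
    "GEOIP,!CN,Proxy",
    "MATCH,DIRECT",
    "GEOSITE,github,Proxy",
]
# The same rules in the order the guide recommends.
FIXED = [MERGED[2], MERGED[3], MERGED[6],
         "GEOIP,private,DIRECT,no-resolve", MERGED[1], MERGED[4], MERGED[5]]

if __name__ == "__main__":
    for idx, msg in lint_rules(MERGED):
        print(idx, msg)
    print("fixed:", lint_rules(FIXED))
```
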

no-resolve, DNS modes, and FakeIP interactions

GEOIP and GEOSITE do not magically fix resolver behavior. When FakeIP is on, the core may see different combinations of domain and IP than you expect from a browser’s perspective; that is normal, not haunted. Misalignment usually means DNS and rules disagree about timing—consult Meta core DNS leak prevention for resolver stacks, then return here to revalidate ordering.

Use no-resolve on selected rules when you want to avoid resolution side effects explicitly called out in your release’s manual. Overusing it everywhere is as bad as omitting it: you can starve GEOIP of the IP evidence it needs. The practical approach is to apply no-resolve on private and RFC1918-style lines first, observe logs, then extend only when a documented edge case demands it.

How this differs from Sniffer and PROCESS-NAME

If connections still appear as raw IPs for HTTPS, your GEOSITE lines cannot evaluate because there is no domain string to consult—only GEOIP and IP-based rules remain. Turning on Sniffer is the correct next step so DOMAIN and GEOSITE predicates see hostnames again. Conversely, if the hostname is visible but the wrong application is steering policy—think two browsers with different compliance requirements—PROCESS-NAME remains the scalpel. GEOIP and GEOSITE answer “where” and “what category,” not “which binary.”

Step-by-step workflow you can repeat

1. Confirm TUN captures traffic

Before tuning databases, make sure packets actually traverse the core. If you still rely on per-app proxy settings only, follow the Clash Verge Rev TUN mode guide, then return. GEO-based policies are meaningless if half your apps bypass the tunnel.

2. Enable geodata downloads and reload once

Paste the geodata block, restart or hot-reload, and watch logs for successful database pulls. On metered links, schedule updates off-peak; on sealed networks, bake files into your image and disable auto-update intentionally.

3. Insert GEOSITE precision ahead of GEOIP breadth

Add tags you trust—ads rejection, streaming proxy, domestic Google paths direct—then place GEOIP,private, GEOIP,CN, and GEOIP,!CN (or your regional equivalents) beneath them. Keep a comment per tag explaining the business reason.

4. Pair with Sniffer if HTTPS logs show only IPs

Validate in the connections panel: if names are missing, enable Sniffer per the dedicated guide, then re-test GEOSITE lines with a known domain inside the tag.

5. Regression-test three canaries

Pick one domestic site that must stay direct, one foreign SaaS that must proxy, and one ad-heavy page that should strip trackers if you enabled reject tags. If any canary fails, adjust order before you touch node quality.
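The canary test from step 5 as an added example (not Mihomo's engine and not code from this guide): a simplified first-match evaluator run over two orderings of the same rules. The toy GEOSITE and GEOIP tables, the saas tag, the example domains and the documentation-range IPs are all constructed assumptions.

```python
import ipaddress

# Constructed toy geodata, standing in for geosite.dat / geoip.dat contents.
GEOSITE = {"category-ads-all": ["ads.example"], "saas": ["saas.example"]}
GEOIP = {"CN": ["198.51.100.0/24"], "private": ["10.0.0.0/8", "192.168.0.0/16"]}

def in_list(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def route(rules, host, ip):
    """First match wins. host is None for a flow where no hostname was recovered."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        kind, *rest = rule.split(",")
        if kind == "MATCH":
            return rest[0], rule
        arg, policy = rest[0], rest[1]
        if kind == "GEOSITE":      # needs a domain; skipped for IP-only flows
            hit = host is not None and in_list(host, GEOSITE.get(arg, []))
        elif kind == "GEOIP":      # needs only the destination IP; "!" negates
            nets = GEOIP.get(arg.lstrip("!"), [])
            inside = any(addr in ipaddress.ip_network(n) for n in nets)
            hit = inside != arg.startswith("!")
        else:
            hit = False
        if hit:
            return policy, rule
    return None, None

GOOD = ["GEOSITE,category-ads-all,REJECT", "GEOSITE,saas,Proxy",
        "GEOIP,private,DIRECT,no-resolve", "GEOIP,CN,DIRECT",
        "GEOIP,!CN,Proxy", "MATCH,DIRECT"]
INVERTED = GOOD[2:5] + GOOD[0:2] + GOOD[5:]   # country buckets moved to the top

# (name, host, destination IP, expected policy); all values constructed.
CANARIES = [("domestic", "shop.example", "198.51.100.10", "DIRECT"),
            ("saas-in-cn", "app.saas.example", "198.51.100.20", "Proxy"),
            ("ads", "t.ads.example", "203.0.113.5", "REJECT"),
            ("ip-only", None, "203.0.113.9", "Proxy")]

def failures(rules):
    """Names of canaries whose policy differs from the expected one."""
    return [n for n, h, ip, want in CANARIES if route(rules, h, ip)[0] != want]

if __name__ == "__main__":
    print("good:", failures(GOOD))
    print("inverted:", failures(INVERTED))
```

With the country buckets on top, the SaaS canary hosted on a domestic IP goes direct and the ad canary is proxied instead of rejected, while the domestic and IP-only canaries still pass, which is why a single passing canary proves little.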

Common pitfalls that waste evenings

  • Stale databases: CDN ranges move; if China direct feels “slow but domestic,” refresh geoip.dat before blaming your ISP.
  • Wrong tag spelling: a GEOSITE line whose tag does not match falls through to the next rule, so a typo means silent misses.
  • GEOIP before GEOSITE: country buckets steal traffic from nuanced bundles; reorder instead of duplicating exceptions randomly.
  • Assuming GEOSITE covers IPs: without a domain, rely on GEOIP, IP-CIDR, or fix Sniffer.
  • Subscription merges: generators may strip your geodata stanza; isolate personal fragments in includes that survive regeneration.

Troubleshooting checklist

  • Loader errors on boot: verify outbound access to the geodata URL or switch to local files.
  • Everything hits MATCH: confirm rules: is actually bound to the running profile, not an inactive overlay.
  • Inconsistent browser vs CLI: different apps may bypass TUN; compare with a curl through the mixed port.
  • Mixed corporate VPNs: nested tunnels reorder source and destination visibility—simplify before debugging predicates.

Verification habits

After each change, capture three pieces of evidence: the rule that matched, the resolved policy group, and whether metadata showed a domain or only an IP. Redact endpoints when sharing in forums, but keep the shape of the metadata—moderators can spot ordering mistakes instantly when they see a hostnameless flow sitting above a stubborn GEOSITE line.

Open source, downloads, and trust

Mihomo and the community datasets publish sources and changelogs so you can audit how tags are built. For client installers, use the official Clash download page; treat GitHub as transparency for code and issues, separate from day-to-day package downloads when site distribution exists.

Summary

GEOIP and GEOSITE in Clash Meta / Mihomo give you geography and curated domain bundles without hand-writing every hostname. Load geoip.dat and geosite.dat reliably, place GEOSITE precision above GEOIP breadth, use no-resolve thoughtfully on private ranges, and pair with Sniffer when HTTPS flows hide names. Keep PROCESS-NAME in your toolkit for executable-specific policy, and lean on DNS hardening when resolvers and rules disagree. Compared with flat IP-CIDR spreadsheets, this stack ages more gracefully—as long as you refresh data and respect rule order.

When databases stay current and the ladder is ordered like a firewall ACL, country and category routing finally feels boring—which is exactly what you want from infrastructure.
