At the heart of every Clash configuration lies the Rules section. While simple configurations might suffice for basic browsing, a truly optimized network environment in 2026 requires a deep understanding of how traffic is categorized and routed. Whether you are using the original Clash, the powerful Clash Meta (Mihomo), or a modern graphical client, the quality of your experience is directly determined by your rules. In this comprehensive guide, we will explore the nuances of DOMAIN-SUFFIX, IP-CIDR, and the game-changing RULE-SET syntax, providing you with the tools to build a precise, high-speed split-tunneling setup.

1. The First Commandment: Order of Execution

Before writing a single line of syntax, you must grasp the fundamental logic of the Clash rule engine: Top-to-Bottom, First-Match-Wins.

Clash processes rules in the exact order they appear in your YAML file. When a connection request arrives (e.g., from your browser), Clash checks it against the first rule. If it matches, the traffic is routed according to that rule's policy, and no further rules are checked. If it doesn't match, it proceeds to the second rule, and so on.

A common mistake is placing a broad rule, like MATCH,DIRECT, at the top. This would cause all traffic to bypass the proxy entirely, rendering subsequent specific rules useless. The professional standard for 2026 is a layered approach:

  • Filtering Layer: Blocking ads and trackers (REJECT).
  • Specific Services Layer: Routing specific domains like Netflix, Google, or GitHub.
  • Regional Layer: Splitting domestic and international traffic (GEOIP).
  • Catch-all Layer: The final instruction for unknown traffic (MATCH).

2. Domain-Based Matching: Precision at Scale

Most of your daily traffic is domain-based. Clash provides three primary ways to match these strings, each with its own performance and scope characteristics.

2.1 DOMAIN: The Scalpel

The DOMAIN rule is for exact, case-insensitive matches. For example:

- DOMAIN,www.google.com,Proxy

This rule matches only www.google.com. It will not match images.google.com or google.com. Use this only when you need surgical precision for a specific subdomain, such as bypassing a single endpoint of a large CDN.

2.2 DOMAIN-SUFFIX: The Workhorse

This is arguably the most important rule type in the Clash ecosystem. It matches a domain and all of its subdomains. For example:

- DOMAIN-SUFFIX,google.com,Proxy

This rule acts as an umbrella, catching google.com, www.google.com, mail.google.com, and any deeper subdomain. In 2026, over 80% of manual rules should utilize DOMAIN-SUFFIX for its balance of simplicity and broad coverage.

2.3 DOMAIN-KEYWORD: The Wide Net

If you want to route anything containing a specific string, use DOMAIN-KEYWORD:

- DOMAIN-KEYWORD,google,Proxy

This will match google.hk, googleblog.com, and even notgoogle.com. Use this with extreme caution, as it can easily lead to "over-proxying," where domestic sites containing the keyword are unintentionally routed through international nodes, causing slow load times.

3. IP-Based Routing and the 'no-resolve' Paradox

When a domain match fails, or when an application uses raw IP addresses (common in gaming and IoT), IP-based rules take over. Understanding these is vital for preventing DNS leakage.

3.1 IP-CIDR: Network Range Routing

IP-CIDR allows you to route specific IP ranges. For instance:

- IP-CIDR,1.1.1.1/32,Proxy

The /32 indicates a single IP, while /24 would indicate an entire subnet (256 addresses). This is essential for routing services that don't rely on DNS, such as internal company servers or specific gaming relay nodes.

3.2 The Critical Importance of 'no-resolve'

In modern Clash configurations, you will often see no-resolve at the end of an IP rule. This is one of the most misunderstood parameters.

Tip: Why use no-resolve? By default, when Clash encounters an IP rule, it tries to resolve the domain of the connection to an IP address to see whether it matches the rule. If your DNS environment is not perfectly configured, this can cause a "DNS leak," where the domain is leaked to your local ISP before the proxy is engaged. Adding no-resolve tells Clash: "Only apply this rule if the connection request is already an IP address. Do not trigger a DNS lookup for domain connections." This is crucial for privacy and performance.

3.3 GEOIP: Location-Aware Routing

Using GEOIP,CN,DIRECT is the standard way to ensure that domestic traffic stays local. It leverages a MaxMind or proprietary database to identify the geographical origin of an IP. Combined with no-resolve, it evaluates only connections that already carry an IP address, so domain-based connections that no earlier rule caught fall through to the catch-all without triggering a lookup.

4. RULE-SET: The Modern Configuration Standard

Manually maintaining thousands of DOMAIN-SUFFIX rules is impossible. Modern Clash implementations use RULE-SET (powered by rule-providers) to outsource the heavy lifting.

4.1 Why move to RULE-SET?

Rule-sets allow your Clash client to pull optimized lists (e.g., ad filters, Apple services, Telegram IPs) from remote URLs. These lists are maintained by the community and updated automatically. Your configuration remains slim (less than 100 lines), while your routing logic handles millions of endpoints.

4.2 Practical Implementation

First, define your provider in the rule-providers section:

rule-providers:
  streaming:
    type: http
    behavior: domain
    url: "https://example.com/streaming.txt"
    path: ./ruleset/streaming.yaml
    interval: 86400

Then, call it in your rules section:

rules:
  - RULE-SET,streaming,StreamingGroup

5. Advanced Syntax: DST-PORT and PROCESS-NAME

For power users in 2026, domain and IP matching might not be enough. Clash allows you to route traffic based on the destination port or the application itself.

5.1 DST-PORT: Routing by Protocol

Want all SSH traffic (port 22) to go through a specific low-latency node? Use DST-PORT:

- DST-PORT,22,WorkProxy

This is extremely useful for developers and system administrators who need consistent routing for specific services regardless of the domain.

5.2 PROCESS-NAME: Application-Level Logic

On desktop platforms (Windows/macOS), Clash can identify which application is sending the request. This allows you to route an entire app (like Telegram or Steam) through a specific proxy without knowing every domain it uses:

- PROCESS-NAME,Telegram.exe,Proxy

Note that this requires elevated permissions and is not supported on most mobile platforms due to OS sandboxing.

6. Best Practices for 2026: The "Gold Standard" Configuration

How should a professional-grade rule section look today? We recommend a "White-list + Fallback" structure:

rules:
  # 1. Local Bypass
  - DOMAIN-SUFFIX,local,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT,no-resolve
  
  # 2. Blockers (Ads/Tracking)
  - RULE-SET,reject,REJECT
  
  # 3. High-Priority Services
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,Proxy
  - RULE-SET,telegram,Proxy
  
  # 4. Regional Fallback
  - GEOIP,US,DIRECT,no-resolve
  
  # 5. Catch-all
  - MATCH,FinalProxy

This structure ensures that local resources are fast, ads are gone, critical services are routed correctly, and unknown traffic has a safe default path. It is the most robust and performant way to use Clash in 2026.
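The rule engine described in sections 1 through 6, modelled as a small Python script. This is an added example, not code from the article or from Clash/Mihomo: it is a toy evaluator that applies the page's rule types top to bottom, first match wins, and counts how many DNS lookups an IP rule would have triggered so that the effect of no-resolve becomes visible. Everything in it is constructed: the GeoIP table stands in for the MaxMind database, the rule-set payloads are plain suffix sets (real providers support other behaviors), and the Request object carries a pretend DNS answer instead of querying a resolver. LAYERED_RULES follows the "gold standard" structure above with the DST-PORT and PROCESS-NAME rules from section 5 slotted in as high-priority service rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed GeoIP table standing in for the MaxMind database (assumption;
# uses documentation-only address blocks).
FAKE_GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
}

# Constructed rule-provider payloads. Simplification (assumption): each
# rule-set is just a set of domain suffixes; real providers support more.
RULE_SETS = {
    "reject": {"ads.example", "tracker.example"},
    "google": {"google.com", "googleapis.com"},
}

@dataclass
class Request:
    host: str                          # domain or IP literal the client asked for
    port: int = 443
    process: str = ""                  # process name, as a desktop client sees it
    resolves_to: Optional[str] = None  # constructed DNS answer for the host
    dns_lookups: int = 0               # how many resolutions the engine triggered

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def _ip_for_rule(req, no_resolve):
    """IP to test against an IP rule, or None; models the no-resolve flag."""
    if _is_ip(req.host):
        return ipaddress.ip_address(req.host)
    if no_resolve or req.resolves_to is None:
        return None
    req.dns_lookups += 1  # a real client would query the resolver here
    return ipaddress.ip_address(req.resolves_to)

def _suffix_match(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def _matches(rule, req):
    parts = rule.split(",")
    kind, arg = parts[0], (parts[1] if len(parts) > 1 else "")
    no_resolve = parts[-1] == "no-resolve"
    host = req.host.lower()
    if kind == "MATCH":
        return True
    if kind == "DOMAIN":
        return host == arg.lower()
    if kind == "DOMAIN-SUFFIX":
        return _suffix_match(host, arg.lower())
    if kind == "DOMAIN-KEYWORD":
        return arg.lower() in host
    if kind == "DST-PORT":
        return req.port == int(arg)
    if kind == "PROCESS-NAME":
        return req.process == arg
    if kind == "RULE-SET":
        return any(_suffix_match(host, s) for s in RULE_SETS.get(arg, ()))
    if kind in ("IP-CIDR", "GEOIP"):
        ip = _ip_for_rule(req, no_resolve)
        if ip is None:
            return False
        if kind == "IP-CIDR":
            return ip in ipaddress.ip_network(arg, strict=False)
        return any(ip in net and cc == arg for net, cc in FAKE_GEOIP.items())
    raise ValueError(f"unsupported rule type: {kind}")

def _policy(rule):
    parts = rule.split(",")
    return parts[1] if parts[0] == "MATCH" else parts[2]

def route(rules, req):
    """Top-to-bottom, first-match-wins: the policy of the first rule that hits."""
    for rule in rules:
        if _matches(rule, req):
            return _policy(rule)
    return None  # only reachable when the list lacks a final MATCH rule

# The article's layered structure, with the section 5 rules added.
LAYERED_RULES = [
    "DOMAIN-SUFFIX,local,DIRECT",
    "IP-CIDR,192.168.0.0/16,DIRECT,no-resolve",
    "RULE-SET,reject,REJECT",
    "RULE-SET,google,Proxy",
    "DST-PORT,22,WorkProxy",
    "PROCESS-NAME,Telegram.exe,Proxy",
    "GEOIP,US,DIRECT,no-resolve",
    "MATCH,FinalProxy",
]

if __name__ == "__main__":
    for req in (Request("mail.google.com"), Request("cdn.ads.example"),
                Request("203.0.113.7", port=22), Request("198.51.100.9")):
        print(f"{req.host}:{req.port} -> {route(LAYERED_RULES, req)}")
```

Run it directly to see how a few constructed requests are routed. The leak check is the instructive part: against a list containing IP-CIDR,192.168.0.0/16,DIRECT without the flag, a domain request increments dns_lookups before the rule can decide; with no-resolve the counter stays at zero and the request falls through to MATCH.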

7. Conclusion: Optimization Never Ends

Understanding the difference between DOMAIN and DOMAIN-SUFFIX, or knowing when to apply no-resolve, separates a casual user from a master of their network. As internet architectures become more complex, the ability to control your traffic at the packet level becomes a vital skill for privacy, speed, and security.

If managing complex YAML files feels overwhelming, or if you're struggling with rule-set update failures, our Clash Client is the perfect solution. It comes pre-configured with the most advanced 2026 rule sets, optimized for global performance. We've built a user-friendly interface on top of the powerful Mihomo core, giving you all the precision of manual rules with the simplicity of a single click. Elevate your internet experience today.

Download Clash Client now and unlock the full potential of automated routing