GitHub Copilot and Models Keep Dropping? Split Microsoft and GitHub CDN in Clash

1. Why Copilot and GitHub Models feel “randomly” broken

Symptoms rarely arrive as a clean “403 everywhere” banner. You might sign in to GitHub in a browser, open Visual Studio Code or JetBrains, and watch inline suggestions stall while the rest of the editor works. GitHub Models in the browser at models.github.ai might load the shell yet fail mid-chat with timeouts that do not reproduce on a different network. Sometimes Microsoft account prompts succeed once, then subsequent token refreshes crawl until the IDE declares Copilot unreachable. Those patterns usually mean different hostnames are taking different paths: one request rides your chosen proxy group, another falls to DIRECT because of rule order, DNS mismatch, or an application subprocess that ignores system proxy settings.

Before you rewrite rules, confirm your profile loads and your subscription is current. If YAML structure or provider blocks are unfamiliar, start with our subscription import tutorial so you edit the active profile rather than a stale copy the GUI never selected. Otherwise you can spend hours tuning a file the runtime never reads.

2. The Microsoft-plus-GitHub chain is not one hostname

Think in stages instead of “GitHub is down.” First, identity: Microsoft and GitHub interoperate across account flows that may touch login.microsoftonline.com, login.live.com, and related Microsoft domains alongside github.com and OAuth callbacks. Second, control-plane APIs: Copilot eligibility, billing signals, and feature flags often traverse api.github.com and other GitHub API hosts rather than the marketing homepage. Third, Copilot-specific infrastructure may include dedicated proxy or telemetry endpoints that do not share the same CDN footprint as raw Git repository traffic. Fourth, when you use GitHub Models, traffic to models.github.ai and its dependencies may differ again from classic REST calls you already route for git push.

Fifth, static assets and model payloads frequently come from high-throughput CDNs—think github.githubassets.com, objects.githubusercontent.com, and Microsoft or Azure edge domains—whose DNS names and geographic routing can diverge sharply from the API hostname you mentally associate with “GitHub.” If your rules only match github.com, you have left entire classes of requests outside the policy you believed you configured. Clash split routing works best when you mirror that real topology in explicit suffix rules and optional separate proxy groups for interactive APIs versus bulk downloads.

3. Recommended order of operations

Follow a reproducible sequence so your connection log stays interpretable when something regresses after an IDE or Copilot extension update.

1. Decide whether you rely on system proxy or TUN, then verify the IDE and its helper processes actually use that path.
2. Open the live connection view, reproduce the failure, and filter for processes and HTTPS hostnames involved in the broken action.
3. Audit DNS mode—especially fake-ip—and consider nameserver-policy for Microsoft and GitHub-related suffixes if resolution looks unstable or split across public and corporate resolvers.
4. Add or reorder DOMAIN-SUFFIX and DOMAIN rules so Microsoft login, GitHub API, Copilot-specific hosts, and CDN families cannot be swallowed by an unintended earlier exception.
5. After routing is correct, pick stable nodes for API and chat traffic; avoid aggressive auto-switching that flaps during long TLS sessions.

For port conflicts, invalid YAML, and core startup errors, keep the general Clash troubleshooting guide open. This article assumes Clash runs and focuses on hostname nuance for Copilot and GitHub Models.

4. System proxy versus TUN for IDEs and Copilot

System proxy is convenient when macOS or Windows propagates settings to most GUI programs. Many developers run day-to-day browsing this way. Visual Studio Code and JetBrains IDEs, however, spawn language servers, extension hosts, and helper binaries that do not always inherit the same proxy visibility as the main window. If the editor UI loads while Copilot’s language server cannot reach its endpoints, suspect inconsistent proxy application rather than a mythical “GitHub outage.”

TUN mode pushes routing closer to the network stack so fewer processes can accidentally bypass Clash. It demands more care—permissions, route tables, conflicts with other VPN clients—but often yields the most predictable outcome for mixed workloads that include terminals, Git, and IDE extensions. After you enable TUN using our TUN mode guide, revisit the connection log and confirm Copilot-related rows no longer appear as surprise DIRECT entries. Either mode can be correct; the failure is assuming coverage you do not actually have.

Also confirm loopback tooling stays local. Debug adapters, local language servers, and container endpoints on 127.0.0.1 should not be dragged through remote proxies by over-broad rules. When in doubt, log first, then edit.

5. DNS, fake-ip, and why Microsoft login CDN issues masquerade as Copilot bugs

Clash’s fake-ip mode can accelerate certain browsing flows, yet when DNS answers disagree with how rules evaluate destinations, you see brittle symptoms: TLS retries, half-rendered account pages, and OAuth loops that succeed in one browser profile but not inside the IDE’s embedded webview. Microsoft’s identity stack fans out across many subdomains; a single mis-resolved name can break token refresh even while static GitHub pages still load.

A practical approach combines two ideas. First, ensure upstream resolvers you use for international Microsoft and GitHub names are reachable and consistent with your compliance posture. Second, apply targeted resolver policies—commonly nameserver-policy in Mihomo-class cores—for suffixes tied to Microsoft login, GitHub APIs, and major CDN providers you observe in DevTools or connection tables. Exact keys evolve with core versions, so align snippets with the documentation for the binary you ship. When DNS fixes remove most symptoms without swapping exit nodes, you have evidence the bottleneck was resolution, not raw bandwidth.

Inside enterprises with split DNS, internal resolvers may return different answers than public ones. Clash cannot invent reachability; it routes what your stack resolves. Coordinate with network policy or capture the real hostnames from logs before you argue with account security teams about “Copilot being blocked.”

6. Hostname buckets: Microsoft login, GitHub API, Copilot, Models, CDN

Use your client’s developer tools, IDE logs, or Clash’s live connection table to collect evidence. The table below lists representative buckets and example suffixes you might see. Vendor infrastructure changes; treat each row as a checklist to validate locally, not a permanent guarantee.

Because Copilot and GitHub Models evolve on independent release trains, mirroring someone else’s “one file fixes everything” rule dump often fails silently when a new subdomain appears. Treat community snippets as starting points and always reconcile them against your own traces.

7. Rule snippets: split Microsoft login, GitHub API, and CDN suffixes

The YAML fragment below illustrates steering representative suffixes to a proxy group. Replace PROXY with your real policy name and keep order in mind: specific lines must appear before broad provider rules that prefer DIRECT or a catch-all you did not intend.

# Example only — replace PROXY; verify hostnames in your logs
rules:
  - DOMAIN-SUFFIX,login.microsoftonline.com,PROXY
  - DOMAIN-SUFFIX,login.live.com,PROXY
  - DOMAIN-SUFFIX,account.microsoft.com,PROXY
  - DOMAIN-SUFFIX,microsoft.com,PROXY
  - DOMAIN-SUFFIX,live.com,PROXY
  - DOMAIN-SUFFIX,github.com,PROXY
  - DOMAIN-SUFFIX,githubusercontent.com,PROXY
  - DOMAIN-SUFFIX,githubassets.com,PROXY
  - DOMAIN-SUFFIX,github.ai,PROXY
  - DOMAIN-SUFFIX,azureedge.net,PROXY

Why include CDN-style suffixes? Copilot extensions and web assets often pull from domains that do not match the API hostname you picture when you think of “GitHub.” If only api.github.com is proxied while object storage traffic is not, you will see authenticated actions succeed sporadically while downloads or model shards time out mid-stream. Adjust the list based on what your connection log shows in the real world.

When you want finer control, define separate groups such as PROXY_API and PROXY_BULK. Route api.github.com and models.github.ai toward the API-oriented group while steering large CDN patterns toward the bulk group. Declare both under proxy-groups before referencing them in rules; otherwise the core will refuse to start with a validation error that wastes debugging time.

8. GitHub Models at models.github.ai versus in-IDE Copilot

GitHub Models in the browser is not byte-for-byte identical to the Copilot stack inside your editor. The web experience may call models.github.ai and companion endpoints that never appeared in your older Copilot-only captures. Conversely, IDE integrations might hit Copilot proxy infrastructure that your browser session never touches. That is why “Copilot works but Models does not” is a routing clue, not a contradiction: you are observing different hostname families.

When debugging web Models, open browser DevTools, reproduce the failure, and export the failing hostnames carefully—avoid posting sensitive tokens. Add explicit DOMAIN-SUFFIX entries for the suffixes you see, placed ahead of generic rules. If TLS fails only on specific CDNs while HTML shells load, suspect partial proxy coverage or corporate inspection on that CDN class rather than a total GitHub outage.

If you compare this workflow with browser-centric AI, our ChatGPT and OpenAI routing article explains similar split ideas for another vendor’s console and API hostnames. Use both guides together when your day spans browser Models, IDE Copilot, and general ChatGPT tabs; do not assume one rule block covers every AI surface you rely on.

9. Node strategy for interactive AI versus Microsoft login CDN bursts

Leaderboard-topping latency is less important than stability for OAuth refreshes and chat-style APIs. Brief spikes force TLS session rebuilds, which surface as intermittent HTTP 5xx responses or client-side retry storms that feel like “Copilot keeps disconnecting.” A steadier middle-tier node often outperforms a jittery “fastest” pick that changes every few dozen seconds.

If you compare transports, our Shadowsocks vs Trojan vs Hysteria2 overview explains how different protocols behave under packet loss. You might route bulky CDN pulls through a high-throughput profile while keeping Microsoft login CDN and API calls pinned to a conservative group—another form of split routing that improves perceived reliability without pretending one node is optimal for every workload.

10. GUI workflow: logs as the source of truth

Desktop clients such as Clash Verge Rev expose live connections next to rule editors. Filter for substrings like github, microsoft, live.com, azureedge, or models while reproducing an issue. If anything unexpected shows DIRECT, revisit bypass lists, per-app overrides, and rule precedence before swapping servers. Newcomers should complete the Clash Verge Rev setup guide so subscriptions, ports, and core selection are baseline-stable before debugging IDE traffic.

Document your final policy names and DNS mode in a short internal note. Teammates who onboard later will thank you when they do not repeat the same proxy mystery during their first Copilot trial.

11. How this differs from our Cursor Marketplace article

Our Cursor Marketplace split-routing guide centers on extension catalogs, Open VSX mirrors, and IDE distribution pipelines that resemble Visual Studio Code’s extension ecosystem. GitHub Copilot and GitHub Models instead emphasize Microsoft account coupling, GitHub API control planes, Copilot-specific infrastructure, and the models.github.ai surface. The troubleshooting mindset overlaps—DNS truth, rule order, stable nodes—but the hostname checklist diverges. Use both articles side by side if you run Cursor with Copilot features enabled or hop between multiple AI IDEs; do not assume one YAML snippet covers every developer AI product you touch in a week.

12. Enterprise and TLS inspection caveats

Some corporate networks intercept TLS or inject captive portals on specific CDN classes. Clash cannot repair certificate pinning broken by inspection, but split routing still localizes which hop fails. If only Microsoft login flows break while raw Git clones succeed, your evidence points at identity infrastructure rather than “all of GitHub.” Similarly, simultaneous VPN tools can create routing loops that masquerade as Copilot outages. Pause competing tunnel software, standardize on a single exit path, and only then continue tuning Clash.

Automation users should confirm CI runners, remote dev containers, and cloud shells each inherit the proxy environment you expect. A script that works on a laptop may still call GitHub APIs from a host that never reads desktop proxy settings, which is why many teams standardize on TUN for developer machines while keeping lighter modes for casual browsing. Capture those decisions in your internal README so future you does not chase imaginary product failures.

13. Summary: evidence over anecdotes

When GitHub Copilot or GitHub Models flakes, resist narrating it as a single “blocked service.” Split the problem into proxy visibility for IDE subprocesses, DNS consistency across Microsoft and GitHub suffixes, explicit coverage for APIs versus CDNs—including traffic to models.github.ai when you use web Models—and node stability for long-lived sessions. Clash gives you the vocabulary to express that split in rules and groups, which is far more precise than vague advice to “turn on global VPN.” After routing is evidence-backed, daily development returns to being about code, not packet divination.

A maintained desktop client with Mihomo integration keeps connection diagnostics adjacent to rule editing, which matters when your toolchain spans browsers, IDEs, and large CDN downloads. → Download Clash for free and experience the difference