documentation: Bump version

Allow direct outbounds without domain_resolver
Fix Tailscale dialer
2026-04-13 20:28:32 +10:00 · 2025-04-02 16:54:50 +08:00 · 2025-04-02 16:54:49 +08:00 · 2025-04-02 16:54:49 +08:00 · 2025-04-02 16:54:49 +08:00 · 2025-04-02 16:54:48 +08:00
342 changed files with 18526 additions and 5482 deletions
--- a/.fpm
+++ b/.fpm
@@ -0,0 +1,19 @@
 -s dir
 --name sing-box
 --category net
 --license GPLv3-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 release/config/config.json=/etc/sing-box/config.json
 release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
 release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
 release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
 release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
 release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
 LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/setup_legacy_go.sh
+++ b/.github/setup_legacy_go.sh
@@ -0,0 +1,25 @@
 #!/usr/bin/env bash
 VERSION="1.23.6"
 mkdir -p $HOME/go
 cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_legacy
 cd go_legacy
 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
 # this patch file only works on golang1.23.x
 # that means after golang1.24 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
 curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
 curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
 curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
 curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,16 +46,16 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
-          echo "version=${{ inputs.version }}" 
+          echo "version=${{ inputs.version }}"
          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
      - name: Calculate version
        if: github.event_name != 'workflow_dispatch'
        run: |-
-          go run -v ./cmd/internal/read_tag --nightly
+          go run -v ./cmd/internal/read_tag --ci --nightly
      - name: Set outputs
        id: outputs
        run: |-
@@ -68,142 +68,185 @@ jobs:
      - calculate_version
    strategy:
      matrix:
        os: [ linux, windows, darwin, android ]
        arch: [ "386", amd64, arm64 ]
        legacy_go: [ false ]
        include:
-          - name: linux_386
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
-            goos: linux
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
-            goarch: 386
+          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
-          - name: linux_amd64
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
-            goos: linux
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
-            goarch: amd64
+          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
-          - name: linux_arm64
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
-            goos: linux
+          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
-            goarch: arm64
+          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - name: linux_arm
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
-            goos: linux
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
-            goarch: arm
+
-            goarm: 6
+          - { os: windows, arch: "386", legacy_go: true }
-          - name: linux_arm_v7
+          - { os: windows, arch: amd64, legacy_go: true }
-            goos: linux
+
-            goarch: arm
+          - { os: android, arch: "386", ndk: "i686-linux-android21" }
-            goarm: 7
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-          - name: linux_s390x
+          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
-            goos: linux
+          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-            goarch: s390x
+        exclude:
-          - name: linux_riscv64
+          - { os: darwin, arch: "386" }
            goos: linux
            goarch: riscv64
          - name: linux_mips64le
            goos: linux
            goarch: mips64le
          - name: windows_amd64
            goos: windows
            goarch: amd64
            require_legacy_go: true
          - name: windows_386
            goos: windows
            goarch: 386
            require_legacy_go: true
          - name: windows_arm64
            goos: windows
            goarch: arm64
          - name: darwin_arm64
            goos: darwin
            goarch: arm64
          - name: darwin_amd64
            goos: darwin
            goarch: amd64
            require_legacy_go: true
          - name: android_arm64
            goos: android
            goarch: arm64
          - name: android_arm
            goos: android
            goarch: arm
            goarm: 7
          - name: android_amd64
            goos: android
            goarch: amd64
          - name: android_386
            goos: android
            goarch: 386
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        if: ${{ ! matrix.legacy_go }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
-      - name: Cache legacy Go
+      - name: Cache Legacy Go
        if: matrix.require_legacy_go
        id: cache-legacy-go
        uses: actions/cache@v4
        with:
          path: |
-            ~/go/go1.20.14
+            ~/go/go_legacy
-          key: go120
+          key: go_legacy_1236
-      - name: Setup legacy Go
+      - name: Setup Legacy Go
-        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
+        if: matrix.legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
        run: |-
-          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
+          .github/setup_legacy_go.sh
-          tar -xzf go1.20.14.linux-amd64.tar.gz
+      - name: Setup Legacy Go 2
-          mv go $HOME/go/go1.20.14
+        if: matrix.legacy_go
        run: |-
          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
      - name: Setup Android NDK
-        if: matrix.goos == 'android'
+        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
          local-cache: true
      - name: Setup Goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: latest
          install-only: true
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
          cat > $HOME/.gnupg/sagernet.key <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          echo "HOME=$HOME" >> "$GITHUB_ENV"
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
            TAGS="${TAGS},with_ech"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
-        if: matrix.goos != 'android'
+        if: matrix.os != 'android'
-        run: |-
+        run: |
-          goreleaser release --clean --split
+          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
-          GOOS: ${{ matrix.goos }}
+          CGO_ENABLED: "0"
-          GOARCH: ${{ matrix.goarch }}
+          GOOS: ${{ matrix.os }}
-          GOPATH: ${{ env.HOME }}/go
+          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      - name: Build Android
-        if: matrix.goos == 'android'
+        if: matrix.os == 'android'
-        run: |-
+        run: |
          set -xeuo pipefail
          go install -v ./cmd/internal/build
-          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
+          export CC='${{ matrix.ndk }}-clang'
          export CXX="${CC}++"
          mkdir -p dist
          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
-          BUILD_GOOS: ${{ matrix.goos }}
+          CGO_ENABLED: "1"
-          BUILD_GOARCH: ${{ matrix.goarch }}
+          BUILD_GOOS: ${{ matrix.os }}
-          GOARM: ${{ matrix.goarm }}
+          BUILD_GOARCH: ${{ matrix.arch }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - name: Set name
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+        run: |-
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          ARM_VERSION=$([ -n '${{ matrix.goarm}}' ] && echo 'v${{ matrix.goarm}}' || true)
          LEGACY=$([ '${{ matrix.legacy_go }}' = 'true' ] && echo "-legacy" || true)
          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}${ARM_VERSION}${LEGACY}"
          PKG_NAME="sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.arch }}${ARM_VERSION}"
          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
          echo "PKG_NAME=${PKG_NAME}" >> "${GITHUB_ENV}"
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
          PKG_VERSION="${PKG_VERSION//-/\~}"
          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
      - name: Package DEB
        if: matrix.debian != ''
        run: |
          set -xeuo pipefail
          sudo gem install fpm
          sudo apt-get install -y debsigs
          fpm -t deb \
            -v "$PKG_VERSION" \
            -p "dist/${PKG_NAME}.deb" \
            --architecture ${{ matrix.debian }} \
            dist/sing-box=/usr/bin/sing-box
          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
          sudo patch /usr/bin/debsigs < '/tmp/debsigs.diff'
          rm -rf $HOME/.gnupg
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          debsigs --sign=origin -k ${{ secrets.GPG_KEY_ID }} --gpgopts '--pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}"' dist/*.deb
      - name: Package RPM
        if: matrix.rpm != ''
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
          fpm -t rpm \
            -v "$PKG_VERSION" \
            -p "dist/${PKG_NAME}.rpm" \
            --architecture ${{ matrix.rpm }} \
            dist/sing-box=/usr/bin/sing-box
          cat > $HOME/.rpmmacros <<EOF
          %_gpg_name ${{ secrets.GPG_KEY_ID }}
          %_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${{ secrets.GPG_PASSPHRASE }}
          EOF
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          rpmsign --addsign dist/*.rpm
      - name: Package Pacman
        if: matrix.pacman != ''
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
          sudo apt-get install -y libarchive-tools
          fpm -t pacman \
            -v "$PKG_VERSION" \
            -p "dist/${PKG_NAME}.pkg.tar.zst" \
            --architecture ${{ matrix.pacman }} \
            dist/sing-box=/usr/bin/sing-box
      - name: Archive
        run: |
          set -xeuo pipefail
          cd dist
          mkdir -p "${DIR_NAME}"
          cp ../LICENSE "${DIR_NAME}"
          if [ '${{ matrix.os }}' = 'windows' ]; then
            cp sing-box "${DIR_NAME}/sing-box.exe"
            zip -r "${DIR_NAME}.zip" "${DIR_NAME}"
          else
            cp sing-box "${DIR_NAME}"
            tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
          fi
          rm -r "${DIR_NAME}"
      - name: Cleanup
        run: rm dist/sing-box
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
-          name: binary-${{ matrix.name }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
-          path: 'dist'
+          path: "dist"
  build_android:
    name: Build Android
    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
@@ -219,12 +262,12 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -256,10 +299,16 @@ jobs:
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build release
+      - name: Update version
        if: github.event_name == 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/update_android_version --ci
      - name: Update nightly version
        if: github.event_name != 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/update_android_version --ci --nightly
      - name: Build
        run: |-
          mkdir clients/android/app/libs
          cp libbox.aar clients/android/app/libs
          cd clients/android
@@ -268,47 +317,16 @@ jobs:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
-      - name: Build debug
+      - name: Prepare upload
        if: github.event_name != 'workflow_dispatch'
        run: |-
-          go run -v ./cmd/internal/update_android_version --ci
+          mkdir -p dist
-          mkdir clients/android/app/libs
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist
-          cp libbox.aar clients/android/app/libs
+          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist
          cd clients/android
          ./gradlew :app:assemblePlayRelease
        env:
          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
      - name: Prepare release upload
        if: github.event_name == 'workflow_dispatch'
        run: |-
          mkdir -p dist/release
          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
      - name: Prepare debug upload
        if: github.event_name != 'workflow_dispatch'
        run: |-
          mkdir -p dist/release
          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
      - name: Upload artifact
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: binary-android-apks
          path: 'dist'
      - name: Upload debug apk (arm64-v8a)
        if: github.event_name != 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: "SFA-${{ needs.calculate_version.outputs.version }}-arm64-v8a.apk"
          path: 'dist/release/*-arm64-v8a.apk'
      - name: Upload debug apk (universal)
        if: github.event_name != 'workflow_dispatch'
        uses: actions/upload-artifact@v4
        with:
          name: "SFA-${{ needs.calculate_version.outputs.version }}-universal.apk"
          path: 'dist/release/*-universal.apk'
  publish_android:
    name: Publish Android
    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
@@ -324,12 +342,12 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -422,7 +440,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Xcode stable
        if: matrix.if && github.ref == 'refs/heads/main-next'
        run: |-
@@ -462,19 +480,19 @@ jobs:
          PROFILES_ZIP_PATH=$RUNNER_TEMP/Profiles.zip
          echo -n "$PROVISIONING_PROFILES" | base64 --decode -o $PROFILES_ZIP_PATH
-          
+
          PROFILES_PATH="$HOME/Library/MobileDevice/Provisioning Profiles"
          mkdir -p "$PROFILES_PATH"
          unzip $PROFILES_ZIP_PATH -d "$PROFILES_PATH"
-          
+
          ASC_KEY_PATH=$RUNNER_TEMP/Key.p12
          echo -n "$ASC_KEY" | base64 --decode -o $ASC_KEY_PATH
-          
+
          xcrun notarytool store-credentials "notarytool-password" \
            --key $ASC_KEY_PATH \
            --key-id $ASC_KEY_ID \
            --issuer $ASC_KEY_ISSUER_ID
-          
+
          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
@@ -550,10 +568,10 @@ jobs:
          cd "${{ matrix.archive }}"
          zip -r SFM.dSYMs.zip dSYMs
          popd
-          
+
-          mkdir -p dist/release
+          mkdir -p dist
-          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
+          cp clients/apple/SFM.dmg "dist/SFM-${VERSION}-universal.dmg"
-          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
+          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
      - name: Upload image
        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v4
@@ -574,12 +592,6 @@ jobs:
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          version: latest
          install-only: true
      - name: Cache ghr
        uses: actions/cache@v4
        id: cache-ghr
@@ -604,26 +616,17 @@ jobs:
        with:
          path: dist
          merge-multiple: true
      - name: Merge builds
        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
        run: |-
          goreleaser continue --merge --skip publish
          mkdir -p dist/release
          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - name: Upload builds
        if: ${{ env.PUBLISHED == 'false' }}
        run: |-
          export PATH="$PATH:$HOME/go/bin"
-          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Replace builds
        if: ${{ env.PUBLISHED != 'false' }}
        run: |-
          export PATH="$PATH:$HOME/go/bin"
-          ghr --replace -p 5 "v${VERSION}" dist/release
+          ghr --replace -p 5 "v${VERSION}" dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -28,10 +28,11 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout=30m
-          install-mode: binary
+          install-mode: binary
          verify: false
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -1,13 +1,22 @@
-name: Release to Linux repository
+name: Build Linux Packages
 on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version name"
        required: true
        type: string
  release:
    types:
      - published
 jobs:
-  build:
+  calculate_version:
    name: Calculate version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -16,23 +25,161 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
-      - name: Extract signing key
+      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
-          mkdir -p $HOME/.gnupg
+          echo "version=${{ inputs.version }}"
-          cat > $HOME/.gnupg/sagernet.key <<EOF
+          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
      - name: Calculate version
        if: github.event_name != 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/read_tag --ci --nightly
      - name: Set outputs
        id: outputs
        run: |-
          echo "version=$version" >> "$GITHUB_OUTPUT"
  build:
    name: Build binary
    runs-on: ubuntu-latest
    needs:
      - calculate_version
    strategy:
      matrix:
        include:
          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
          - { os: linux, arch: "386", debian: i386, rpm: i386 }
          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ^1.24
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
        with:
          ndk-version: r28
          local-cache: true
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
      - name: Set build tags
        run: |
          set -xeuo pipefail
          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
            TAGS="${TAGS},with_ech"
          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
        run: |
          set -xeuo pipefail
          mkdir -p dist
          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }}' \
          ./cmd/sing-box
        env:
          CGO_ENABLED: "0"
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
          GOARM: ${{ matrix.goarm }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
      - name: Set name
        if: ${{ ! contains(needs.calculate_version.outputs.version, '-') }}
        run: |-
          echo "NAME=sing-box" >> "$GITHUB_ENV"
      - name: Set beta name
        if: contains(needs.calculate_version.outputs.version, '-')
        run: |-
          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
          PKG_VERSION="${PKG_VERSION//-/\~}"
          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
      - name: Package DEB
        if: matrix.debian != ''
        run: |
          set -xeuo pipefail
          sudo gem install fpm
          sudo apt-get install -y debsigs
          fpm -t deb \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.debian }}.deb" \
            --architecture ${{ matrix.debian }} \
            dist/sing-box=/usr/bin/sing-box
          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
          sudo patch /usr/bin/debsigs < '/tmp/debsigs.diff'
          rm -rf $HOME/.gnupg
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
+          debsigs --sign=origin -k ${{ secrets.GPG_KEY_ID }} --gpgopts '--pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}"' dist/*.deb
-      - name: Publish release
+      - name: Package RPM
-        uses: goreleaser/goreleaser-action@v6
+        if: matrix.rpm != ''
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
          fpm -t rpm \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
            -p "dist/${NAME}_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.rpm }}.rpm" \
            --architecture ${{ matrix.rpm }} \
            dist/sing-box=/usr/bin/sing-box
          cat > $HOME/.rpmmacros <<EOF
          %_gpg_name ${{ secrets.GPG_KEY_ID }}
          %_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase ${{ secrets.GPG_PASSPHRASE }}
          EOF
          gpg --pinentry-mode loopback --passphrase "${{ secrets.GPG_PASSPHRASE }}" --import <<EOF
          ${{ secrets.GPG_KEY }}
          EOF
          rpmsign --addsign dist/*.rpm
      - name: Cleanup
        run: rm dist/sing-box
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
-          distribution: goreleaser-pro
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
-          version: latest
+          path: "dist"
-          args: release -f .goreleaser.fury.yaml --clean
+  upload:
-        env:
+    name: Upload builds
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    runs-on: ubuntu-latest
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+    needs:
-          FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+      - calculate_version
-          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+      - build
-          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          fetch-depth: 0
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
          git tag v${{ needs.calculate_version.outputs.version }} -f
          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
      - name: Download builds
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true
      - name: Publish packages
        run: |-
          ls dist | xargs -I {} curl -F "package=@dist/{}" https://${{ secrets.FURY_TOKEN }}@push.fury.io/sagernet/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -21,13 +21,12 @@ linters-settings:
      - -SA1003
 run:
-  go: "1.23"
+  go: "1.24"
  build-tags:
    - with_gvisor
    - with_quic
    - with_dhcp
    - with_wireguard
    - with_ech
    - with_utls
    - with_reality_server
    - with_acme
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -6,17 +6,19 @@ builds:
      - -v
      - -trimpath
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
      - -s
      - -buildid=
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_ech
      - with_utls
      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
    env:
      - CGO_ENABLED=0
    targets:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,13 +16,14 @@ builds:
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_ech
      - with_utls
      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
    env:
      - CGO_ENABLED=0
      - GOTOOLCHAIN=local
    targets:
      - linux_386
      - linux_amd64_v1
@@ -49,18 +50,19 @@ builds:
      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
    env:
      - CGO_ENABLED=0
-      - GOROOT={{ .Env.GOPATH }}/go1.20.14
+      - GOROOT={{ .Env.GOPATH }}/go_legacy
-    gobinary: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
+    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
    targets:
      - windows_amd64_v1
      - windows_386
      - darwin_amd64_v1
  - id: android
    <<: *template
    env:
      - CGO_ENABLED=1
      - GOTOOLCHAIN=local
    overrides:
      - goos: android
        goarch: arm
@@ -95,10 +97,12 @@ archives:
    builds:
      - main
      - android
-    format: tar.gz
+    formats:
      - tar.gz
    format_overrides:
      - goos: windows
-        format: zip
+        formats:
          - zip
    wrap_in_directory: true
    files:
      - LICENSE
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -13,7 +13,7 @@ RUN set -ex \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api,with_tailscale" \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/21
+++ b/21
@@ -1,9 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
+TAGS ?= with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_tailscale
-TAGS_GO121 = with_ech
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_utls,with_reality_server
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -17,14 +15,12 @@ PREFIX ?= $(shell go env GOPATH)
 .PHONY: test release docs build
 build:
 	export GOTOOLCHAIN=local && \
 	go build $(MAIN_PARAMS) $(MAIN)
 ci_build_go120:
 	go build $(PARAMS) $(MAIN)
 	go build $(PARAMS) -tags "$(TAGS_GO120)" $(MAIN)
 ci_build:
-	go build $(PARAMS) $(MAIN)
+	export GOTOOLCHAIN=local && \
 	go build $(PARAMS) $(MAIN) && \
 	go build $(MAIN_PARAMS) $(MAIN)
 generate_completions:
@@ -61,6 +57,9 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 update_certificates:
 	go run ./cmd/internal/update_certificates
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip publish
 	mkdir dist/release
@@ -227,8 +226,8 @@ lib:
 	go run ./cmd/internal/build_libbox -target ios
 lib_install:
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.1.5
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.4
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.1.5
 docs:
 	venv/bin/mkdocs serve
--- a/adapter/certificate.go
+++ b/adapter/certificate.go
@@ -0,0 +1,21 @@
 package adapter
 import (
 	"context"
 	"crypto/x509"
 	"github.com/sagernet/sing/service"
 )
 type CertificateStore interface {
 	LifecycleService
 	Pool() *x509.CertPool
 }
 func RootPoolFromContext(ctx context.Context) *x509.CertPool {
 	store := service.FromContext[CertificateStore](ctx)
 	if store == nil {
 		return nil
 	}
 	return store.Pool()
 }
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -0,0 +1,73 @@
 package adapter
 import (
 	"context"
 	"net/netip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/miekg/dns"
 )
 type DNSRouter interface {
 	Lifecycle
 	Exchange(ctx context.Context, message *dns.Msg, options DNSQueryOptions) (*dns.Msg, error)
 	Lookup(ctx context.Context, domain string, options DNSQueryOptions) ([]netip.Addr, error)
 	ClearCache()
 	LookupReverseMapping(ip netip.Addr) (string, bool)
 	ResetNetwork()
 }
 type DNSClient interface {
 	Start()
 	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
 	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
 	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
 	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
 	ClearCache()
 }
 type DNSQueryOptions struct {
 	Transport    DNSTransport
 	Strategy     C.DomainStrategy
 	DisableCache bool
 	RewriteTTL   *uint32
 	ClientSubnet netip.Prefix
 }
 type RDRCStore interface {
 	LoadRDRC(transportName string, qName string, qType uint16) (rejected bool)
 	SaveRDRC(transportName string, qName string, qType uint16) error
 	SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger)
 }
 type DNSTransport interface {
 	Lifecycle
 	Type() string
 	Tag() string
 	Dependencies() []string
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 type LegacyDNSTransport interface {
 	LegacyStrategy() C.DomainStrategy
 	LegacyClientSubnet() netip.Prefix
 }
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
 }
 type DNSTransportManager interface {
 	Lifecycle
 	Transports() []DNSTransport
 	Transport(tag string) (DNSTransport, bool)
 	Default() DNSTransport
 	FakeIP() FakeIPTransport
 	Remove(tag string) error
 	Create(ctx context.Context, logger log.ContextLogger, tag string, outboundType string, options any) error
 }
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -6,8 +6,6 @@ import (
 	"encoding/binary"
 	"time"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/varbin"
 )
@@ -16,7 +14,20 @@ type ClashServer interface {
 	ConnectionTracker
 	Mode() string
 	ModeList() []string
-	HistoryStorage() *urltest.HistoryStorage
+	HistoryStorage() URLTestHistoryStorage
 }
 type URLTestHistory struct {
 	Time  time.Time `json:"time"`
 	Delay uint16    `json:"delay"`
 }
 type URLTestHistoryStorage interface {
 	SetHook(hook chan<- struct{})
 	LoadURLTestHistory(tag string) *URLTestHistory
 	DeleteURLTestHistory(tag string)
 	StoreURLTestHistory(tag string, history *URLTestHistory)
 	Close() error
 }
 type V2RayServer interface {
@@ -31,7 +42,7 @@ type CacheFile interface {
 	FakeIPStorage
 	StoreRDRC() bool
-	dns.RDRCStore
+	RDRCStore
 	LoadMode() string
 	StoreMode(mode string) error
@@ -39,17 +50,17 @@ type CacheFile interface {
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)
 	StoreGroupExpand(group string, expand bool) error
-	LoadRuleSet(tag string) *SavedRuleSet
+	LoadRuleSet(tag string) *SavedBinary
-	SaveRuleSet(tag string, set *SavedRuleSet) error
+	SaveRuleSet(tag string, set *SavedBinary) error
 }
-type SavedRuleSet struct {
+type SavedBinary struct {
 	Content     []byte
 	LastUpdated time.Time
 	LastEtag    string
 }
-func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
+func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	var buffer bytes.Buffer
 	err := binary.Write(&buffer, binary.BigEndian, uint8(1))
 	if err != nil {
@@ -70,7 +81,7 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	return buffer.Bytes(), nil
 }
-func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
+func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	reader := bytes.NewReader(data)
 	var version uint8
 	err := binary.Read(reader, binary.BigEndian, &version)
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -3,7 +3,6 @@ package adapter
 import (
 	"net/netip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 )
@@ -27,6 +26,6 @@ type FakeIPStorage interface {
 }
 type FakeIPTransport interface {
-	dns.Transport
+	DNSTransport
 	Store() FakeIPStore
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -53,10 +53,11 @@ type InboundContext struct {
 	// sniffer
-	Protocol     string
+	Protocol         string
-	Domain       string
+	Domain           string
-	Client       string
+	Client           string
-	SniffContext any
+	SniffContext     any
 	PacketSniffError error
 	// cache
@@ -71,14 +72,14 @@ type InboundContext struct {
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
 	TLSFragment               bool
 	TLSFragmentFallbackDelay  time.Duration
 	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
 	DNSServer string
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string
--- a/adapter/network.go
+++ b/adapter/network.go
@@ -25,15 +25,18 @@ type NetworkManager interface {
 	PackageManager() tun.PackageManager
 	WIFIState() WIFIState
 	ResetNetwork()
 	UpdateWIFIState()
 }
 type NetworkOptions struct {
-	NetworkStrategy     *C.NetworkStrategy
+	BindInterface        string
-	NetworkType         []C.InterfaceType
+	RoutingMark          uint32
-	FallbackNetworkType []C.InterfaceType
+	DomainResolver       string
-	FallbackDelay       time.Duration
+	DomainResolveOptions DNSQueryOptions
-	BindInterface       string
+	NetworkStrategy      *C.NetworkStrategy
-	RoutingMark         uint32
+	NetworkType          []C.InterfaceType
 	FallbackNetworkType  []C.InterfaceType
 	FallbackDelay        time.Duration
 }
 type InterfaceUpdateListener interface {
--- a/adapter/outbound/manager.go
+++ b/adapter/outbound/manager.go
@@ -23,7 +23,7 @@ type Manager struct {
 	registry                adapter.OutboundRegistry
 	endpoint                adapter.EndpointManager
 	defaultTag              string
-	access                  sync.Mutex
+	access                  sync.RWMutex
 	started                 bool
 	stage                   adapter.StartStage
 	outbounds               []adapter.Outbound
@@ -169,15 +169,15 @@ func (m *Manager) Close() error {
 }
 func (m *Manager) Outbounds() []adapter.Outbound {
-	m.access.Lock()
+	m.access.RLock()
-	defer m.access.Unlock()
+	defer m.access.RUnlock()
 	return m.outbounds
 }
 func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
-	m.access.Lock()
+	m.access.RLock()
 	outbound, found := m.outboundByTag[tag]
-	m.access.Unlock()
+	m.access.RUnlock()
 	if found {
 		return outbound, true
 	}
@@ -185,8 +185,8 @@ func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
 }
 func (m *Manager) Default() adapter.Outbound {
-	m.access.Lock()
+	m.access.RLock()
-	defer m.access.Unlock()
+	defer m.access.RUnlock()
 	if m.defaultOutbound != nil {
 		return m.defaultOutbound
 	} else {
@@ -196,9 +196,9 @@ func (m *Manager) Default() adapter.Outbound {
 func (m *Manager) Remove(tag string) error {
 	m.access.Lock()
 	defer m.access.Unlock()
 	outbound, found := m.outboundByTag[tag]
 	if !found {
 		m.access.Unlock()
 		return os.ErrInvalid
 	}
 	delete(m.outboundByTag, tag)
@@ -232,7 +232,6 @@ func (m *Manager) Remove(tag string) error {
 			})
 		}
 	}
 	m.access.Unlock()
 	if started {
 		return common.Close(outbound)
 	}
@@ -247,8 +246,6 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 	if err != nil {
 		return err
 	}
 	m.access.Lock()
 	defer m.access.Unlock()
 	if m.started {
 		for _, stage := range adapter.ListStartStages {
 			err = adapter.LegacyStart(outbound, stage)
@@ -257,6 +254,8 @@ func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.
 			}
 		}
 	}
 	m.access.Lock()
 	defer m.access.Unlock()
 	if existsOutbound, loaded := m.outboundByTag[tag]; loaded {
 		if m.started {
 			err = common.Close(existsOutbound)
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,44 +2,29 @@ package adapter
 import (
 	"context"
 	"crypto/tls"
 	"net"
 	"net/http"
 	"net/netip"
 	"sync"
 	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/x/list"
 	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )
 type Router interface {
 	Lifecycle
 	FakeIPStore() FakeIPStore
 	ConnectionRouter
 	PreMatch(metadata InboundContext) error
 	ConnectionRouterEx
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 	ClearDNSCache()
 	Rules() []Rule
 	SetTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
@@ -83,12 +68,14 @@ type RuleSetMetadata struct {
 	ContainsIPCIDRRule  bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context
 	access          sync.Mutex
 	httpClientCache map[string]*http.Client
 }
-func NewHTTPStartContext() *HTTPStartContext {
+func NewHTTPStartContext(ctx context.Context) *HTTPStartContext {
 	return &HTTPStartContext{
 		ctx:             ctx,
 		httpClientCache: make(map[string]*http.Client),
 	}
 }
@@ -106,6 +93,10 @@ func (c *HTTPStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Clie
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 			},
 			TLSClientConfig: &tls.Config{
 				Time:    ntp.TimeFuncFromContext(c.ctx),
 				RootCAs: RootPoolFromContext(c.ctx),
 			},
 		},
 	}
 	c.httpClientCache[detour] = httpClient
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -13,7 +13,6 @@ type Rule interface {
 	HeadlessRule
 	Service
 	Type() string
 	UpdateGeosite() error
 	Action() RuleAction
 }
--- a/box.go
+++ b/box.go
@@ -12,11 +12,13 @@ import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/certificate"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
@@ -35,17 +37,19 @@ import (
 var _ adapter.Service = (*Box)(nil)
 type Box struct {
-	createdAt  time.Time
+	createdAt    time.Time
-	logFactory log.Factory
+	logFactory   log.Factory
-	logger     log.ContextLogger
+	logger       log.ContextLogger
-	network    *route.NetworkManager
+	network      *route.NetworkManager
-	endpoint   *endpoint.Manager
+	endpoint     *endpoint.Manager
-	inbound    *inbound.Manager
+	inbound      *inbound.Manager
-	outbound   *outbound.Manager
+	outbound     *outbound.Manager
-	connection *route.ConnectionManager
+	dnsTransport *dns.TransportManager
-	router     *route.Router
+	dnsRouter    *dns.Router
-	services   []adapter.LifecycleService
+	connection   *route.ConnectionManager
-	done       chan struct{}
+	router       *route.Router
 	services     []adapter.LifecycleService
 	done         chan struct{}
 }
 type Options struct {
@@ -59,6 +63,7 @@ func Context(
 	inboundRegistry adapter.InboundRegistry,
 	outboundRegistry adapter.OutboundRegistry,
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -75,6 +80,10 @@ func Context(
 		ctx = service.ContextWith[option.EndpointOptionsRegistry](ctx, endpointRegistry)
 		ctx = service.ContextWith[adapter.EndpointRegistry](ctx, endpointRegistry)
 	}
 	if service.FromContext[adapter.DNSTransportRegistry](ctx) == nil {
 		ctx = service.ContextWith[option.DNSTransportOptionsRegistry](ctx, dnsTransportRegistry)
 		ctx = service.ContextWith[adapter.DNSTransportRegistry](ctx, dnsTransportRegistry)
 	}
 	return ctx
 }
@@ -85,9 +94,11 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
 	endpointRegistry := service.FromContext[adapter.EndpointRegistry](ctx)
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -101,10 +112,7 @@ func New(options Options) (*Box, error) {
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
-	debugOptions := common.PtrValueOrDefault(experimentalOptions.Debug)
+	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	applyDebugOptions(debugOptions)
 	ctx = conntrack.ContextWithDefaultTracker(ctx, debugOptions.OOMKiller, uint64(debugOptions.MemoryLimit))
 	var needCacheFile bool
 	var needClashAPI bool
 	var needV2RayAPI bool
@@ -134,14 +142,32 @@ func New(options Options) (*Box, error) {
 		return nil, E.Cause(err, "create log factory")
 	}
 	var services []adapter.LifecycleService
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
 	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
 		len(certificateOptions.Certificate) > 0 ||
 		len(certificateOptions.CertificatePath) > 0 ||
 		len(certificateOptions.CertificateDirectoryPath) > 0 {
 		certificateStore, err := certificate.NewStore(ctx, logFactory.NewLogger("certificate"), certificateOptions)
 		if err != nil {
 			return nil, err
 		}
 		service.MustRegister[adapter.CertificateStore](ctx, certificateStore)
 		services = append(services, certificateStore)
 	}
 	routeOptions := common.PtrValueOrDefault(options.Route)
 	dnsOptions := common.PtrValueOrDefault(options.DNS)
 	endpointManager := endpoint.NewManager(logFactory.NewLogger("endpoint"), endpointRegistry)
 	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
-
+	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -149,18 +175,40 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
 	connectionManager := route.NewConnectionManager(logFactory.NewLogger("connection"))
 	service.MustRegister[adapter.ConnectionManager](ctx, connectionManager)
-	router, err := route.NewRouter(ctx, logFactory, routeOptions, common.PtrValueOrDefault(options.DNS))
+	router := route.NewRouter(ctx, logFactory, routeOptions, dnsOptions)
 	service.MustRegister[adapter.Router](ctx, router)
 	err = router.Initialize(routeOptions.Rules, routeOptions.RuleSet)
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
 	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	var timeService *tls.TimeServiceWrapper
 	if ntpOptions.Enabled {
 		timeService = new(tls.TimeServiceWrapper)
 		service.MustRegister[ntp.TimeService](ctx, timeService)
 	}
-
+	for i, transportOptions := range dnsOptions.Servers {
 		var tag string
 		if transportOptions.Tag != "" {
 			tag = transportOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
 		err = dnsTransportManager.Create(
 			ctx,
 			logFactory.NewLogger(F.ToString("dns/", transportOptions.Type, "[", tag, "]")),
 			tag,
 			transportOptions.Type,
 			transportOptions.Options,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "initialize DNS server[", i, "]")
 		}
 	}
 	err = dnsRouter.Initialize(dnsOptions.Rules)
 	if err != nil {
 		return nil, E.Cause(err, "initialize dns router")
 	}
 	for i, endpointOptions := range options.Endpoints {
 		var tag string
 		if endpointOptions.Tag != "" {
@@ -168,7 +216,15 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
-		err = endpointManager.Create(ctx,
+		endpointCtx := ctx
 		if tag != "" {
 			// TODO: remove this
 			endpointCtx = adapter.WithContext(endpointCtx, &adapter.InboundContext{
 				Outbound: tag,
 			})
 		}
 		err = endpointManager.Create(
 			endpointCtx,
 			router,
 			logFactory.NewLogger(F.ToString("endpoint/", endpointOptions.Type, "[", tag, "]")),
 			tag,
@@ -176,7 +232,7 @@ func New(options Options) (*Box, error) {
 			endpointOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "initialize inbound[", i, "]")
+			return nil, E.Cause(err, "initialize endpoint[", i, "]")
 		}
 	}
 	for i, inboundOptions := range options.Inbounds {
@@ -186,7 +242,8 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
-		err = inboundManager.Create(ctx,
+		err = inboundManager.Create(
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
@@ -232,13 +289,19 @@ func New(options Options) (*Box, error) {
 			option.DirectOutboundOptions{},
 		),
 	))
 	dnsTransportManager.Initialize(common.Must1(
 		local.NewTransport(
 			ctx,
 			logFactory.NewLogger("dns/local"),
 			"local",
 			option.LocalDNSServerOptions{},
 		)))
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
 	var services []adapter.LifecycleService
 	if needCacheFile {
 		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
@@ -267,7 +330,7 @@ func New(options Options) (*Box, error) {
 		}
 	}
 	if ntpOptions.Enabled {
-		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
+		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions, ntpOptions.ServerIsDomain())
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
@@ -283,17 +346,19 @@ func New(options Options) (*Box, error) {
 		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:    networkManager,
+		network:      networkManager,
-		endpoint:   endpointManager,
+		endpoint:     endpointManager,
-		inbound:    inboundManager,
+		inbound:      inboundManager,
-		outbound:   outboundManager,
+		outbound:     outboundManager,
-		connection: connectionManager,
+		dnsTransport: dnsTransportManager,
-		router:     router,
+		dnsRouter:    dnsRouter,
-		createdAt:  createdAt,
+		connection:   connectionManager,
-		logFactory: logFactory,
+		router:       router,
-		logger:     logFactory.Logger(),
+		createdAt:    createdAt,
-		services:   services,
+		logFactory:   logFactory,
-		done:       make(chan struct{}),
+		logger:       logFactory.Logger(),
 		services:     services,
 		done:         make(chan struct{}),
 	}, nil
 }
@@ -347,11 +412,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.outbound, s.network, s.connection, s.router)
+	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -375,7 +440,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.connection, s.router, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -383,7 +448,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -402,7 +467,7 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	err := common.Close(
-		s.inbound, s.outbound, s.router, s.connection, s.network,
+		s.inbound, s.outbound, s.endpoint, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
 	)
 	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/app_store_connect/main.go
+++ b/cmd/internal/app_store_connect/main.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/sagernet/asc-go/asc"
@@ -194,6 +195,10 @@ func publishTestflight(ctx context.Context) error {
 				log.Info(string(platform), " ", tag, " create submission")
 				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
 				if err != nil {
 					if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
 						log.Error(err)
 						break
 					}
 					return err
 				}
 			}
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -45,6 +45,7 @@ var (
 	debugFlags  []string
 	sharedTags  []string
 	iosTags     []string
 	memcTags    []string
 	debugTags   []string
 )
@@ -58,8 +59,9 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	memcTags = append(memcTags, "with_tailscale")
 	debugTags = append(debugTags, "debug")
 }
@@ -99,18 +101,19 @@ func buildAndroid() {
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
 	}
 	if !debugEnabled {
 		args = append(args, sharedFlags...)
 	} else {
 		args = append(args, debugFlags...)
 	}
-	args = append(args, "-tags")
+	tags := append(sharedTags, memcTags...)
-	if !debugEnabled {
+	if debugEnabled {
-		args = append(args, strings.Join(sharedTags, ","))
+		tags = append(tags, debugTags...)
 	} else {
 		args = append(args, strings.Join(append(sharedTags, debugTags...), ","))
 	}
 	args = append(args, "-tags", strings.Join(tags, ","))
 	args = append(args, "./experimental/libbox")
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
@@ -148,7 +151,9 @@ func buildApple() {
 		"-v",
 		"-target", bindTarget,
 		"-libname=box",
 		"-tags-macos=" + strings.Join(memcTags, ","),
 	}
 	if !debugEnabled {
 		args = append(args, sharedFlags...)
 	} else {
@@ -156,12 +161,11 @@ func buildApple() {
 	}
 	tags := append(sharedTags, iosTags...)
-	args = append(args, "-tags")
+	if debugEnabled {
-	if !debugEnabled {
+		tags = append(tags, debugTags...)
 		args = append(args, strings.Join(tags, ","))
 	} else {
 		args = append(args, strings.Join(append(tags, debugTags...), ","))
 	}
 	args = append(args, "-tags", strings.Join(tags, ","))
 	args = append(args, "./experimental/libbox")
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -48,7 +48,7 @@ func FindSDK() {
 }
 func findNDK() bool {
-	const fixedVersion = "28.0.12674087"
+	const fixedVersion = "28.0.13004108"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
--- a/cmd/internal/read_tag/main.go
+++ b/cmd/internal/read_tag/main.go
@@ -5,40 +5,49 @@ import (
 	"os"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/common/badversion"
 	"github.com/sagernet/sing-box/log"
 )
-var nightly bool
+var (
 	flagRunInCI    bool
 	flagRunNightly bool
 )
 func init() {
-	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
 	flag.BoolVar(&flagRunNightly, "nightly", false, "Run nightly")
 }
 func main() {
 	flag.Parse()
-	if nightly {
+	var (
-		version, err := build_shared.ReadTagVersionRev()
+		versionStr string
 		err        error
 	)
 	if flagRunNightly {
 		var version badversion.Version
 		version, err = build_shared.ReadTagVersion()
 		if err == nil {
 			versionStr = version.String()
 		}
 	} else {
 		versionStr, err = build_shared.ReadTag()
 	}
 	if flagRunInCI {
 		if err != nil {
 			log.Fatal(err)
 		}
 		var versionStr string
 		if version.PreReleaseIdentifier != "" {
 			versionStr = version.VersionString() + "-nightly"
 		} else {
 			version.Patch++
 			versionStr = version.VersionString() + "-nightly"
 		}
 		err = setGitHubEnv("version", versionStr)
 		if err != nil {
 			log.Fatal(err)
 		}
 	} else {
 		tag, err := build_shared.ReadTag()
 		if err != nil {
 			log.Error(err)
 			os.Stdout.WriteString("unknown\n")
 		} else {
-			os.Stdout.WriteString(tag + "\n")
+			os.Stdout.WriteString(versionStr + "\n")
 		}
 	}
 }
--- a/cmd/internal/update_android_version/main.go
+++ b/cmd/internal/update_android_version/main.go
@@ -13,10 +13,14 @@ import (
 	"github.com/sagernet/sing/common"
 )
-var flagRunInCI bool
+var (
 	flagRunInCI    bool
 	flagRunNightly bool
 )
 func init() {
 	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
 	flag.BoolVar(&flagRunNightly, "nightly", false, "Run nightly")
 }
 func main() {
@@ -46,21 +50,23 @@ func main() {
 		switch propPair[0] {
 		case "VERSION_NAME":
 			if propPair[1] != newVersion {
 				log.Info("updated version from ", propPair[1], " to ", newVersion)
 				versionUpdated = true
 				propPair[1] = newVersion
 				log.Info("updated version to ", newVersion)
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {
 				log.Info("updated Go version from ", propPair[1], " to ", runtime.Version())
 				goVersionUpdated = true
 				propPair[1] = runtime.Version()
 				log.Info("updated Go version to ", runtime.Version())
 			}
 		}
 	}
 	if !(versionUpdated || goVersionUpdated) {
 		log.Info("version not changed")
 		return
 	} else if flagRunInCI && !flagRunNightly {
 		log.Fatal("version changed, commit changes first.")
 	}
 	for _, propPair := range propsList {
 		switch propPair[0] {
--- a/cmd/internal/update_certificates/main.go
+++ b/cmd/internal/update_certificates/main.go
@@ -0,0 +1,71 @@
 package main
 import (
 	"encoding/csv"
 	"io"
 	"net/http"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/log"
 	"golang.org/x/exp/slices"
 )
 func main() {
 	err := updateMozillaIncludedRootCAs()
 	if err != nil {
 		log.Error(err)
 	}
 }
 func updateMozillaIncludedRootCAs() error {
 	response, err := http.Get("https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACertificateReportPEMCSV")
 	if err != nil {
 		return err
 	}
 	defer response.Body.Close()
 	reader := csv.NewReader(response.Body)
 	header, err := reader.Read()
 	if err != nil {
 		return err
 	}
 	geoIndex := slices.Index(header, "Geographic Focus")
 	nameIndex := slices.Index(header, "Common Name or Certificate Name")
 	certIndex := slices.Index(header, "PEM Info")
 	generated := strings.Builder{}
 	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
 package certificate
 import "crypto/x509"
 var mozillaIncluded *x509.CertPool
 func init() {
 	mozillaIncluded = x509.NewCertPool()
 `)
 	for {
 		record, err := reader.Read()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return err
 		}
 		if record[geoIndex] == "China" {
 			continue
 		}
 		generated.WriteString("\n	// ")
 		generated.WriteString(record[nameIndex])
 		generated.WriteString("\n")
 		generated.WriteString("	mozillaIncluded.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
 		// Remove single quotes
 		cert = cert[1 : len(cert)-1]
 		generated.WriteString(cert)
 		generated.WriteString("`))\n")
 	}
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -69,5 +69,5 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
-	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry())
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
 }
--- a/cmd/sing-box/cmd_generate_ech.go
+++ b/cmd/sing-box/cmd_generate_ech.go
@@ -9,8 +9,6 @@ import (
 	"github.com/spf13/cobra"
 )
 var pqSignatureSchemesEnabled bool
 var commandGenerateECHKeyPair = &cobra.Command{
 	Use:   "ech-keypair <plain_server_name>",
 	Short: "Generate TLS ECH key pair",
@@ -24,12 +22,11 @@ var commandGenerateECHKeyPair = &cobra.Command{
 }
 func init() {
 	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
 	commandGenerate.AddCommand(commandGenerateECHKeyPair)
 }
 func generateECHKeyPair(serverName string) error {
-	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
+	configPem, keyPem, err := tls.ECHKeygenDefault(serverName)
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_generate_tls.go
+++ b/cmd/sing-box/cmd_generate_tls.go
@@ -30,7 +30,7 @@ func init() {
 }
 func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
+	privateKeyPem, publicKeyPem, err := tls.GenerateCertificate(nil, nil, time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_rule_set_upgrade.go
+++ b/cmd/sing-box/cmd_rule_set_upgrade.go
@@ -61,14 +61,15 @@ func upgradeRuleSet(sourcePath string) error {
 		log.Info("already up-to-date")
 		return nil
 	}
-	plainRuleSet, err := plainRuleSetCompat.Upgrade()
+	plainRuleSetCompat.Options, err = plainRuleSetCompat.Upgrade()
 	if err != nil {
 		return err
 	}
 	plainRuleSetCompat.Version = C.RuleSetVersionCurrent
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
-	err = encoder.Encode(plainRuleSet)
+	err = encoder.Encode(plainRuleSetCompat)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
--- a/cmd/sing-box/cmd_tools_synctime.go
+++ b/cmd/sing-box/cmd_tools_synctime.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"os"
 	"github.com/sagernet/sing-box/common/settings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -58,7 +57,7 @@ func syncTime() error {
 		return err
 	}
 	if commandSyncTimeWrite {
-		err = settings.SetSystemTime(response.Time)
+		err = ntp.SetSystemTime(response.Time)
 		if err != nil {
 			return E.Cause(err, "write time to system")
 		}
--- a/common/badtls/read_wait_ech.go
+++ b/common/badtls/read_wait_ech.go
@@ -1,31 +0,0 @@
 //go:build go1.21 && !without_badtls && with_ech
 package badtls
 import (
 	"net"
 	_ "unsafe"
 	"github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing/common"
 )
 func init() {
 	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
 		tlsConn, loaded := common.Cast[*tls.Conn](conn)
 		if !loaded {
 			return
 		}
 		return true, func() error {
 				return echReadRecord(tlsConn)
 			}, func() error {
 				return echHandlePostHandshakeMessage(tlsConn)
 			}
 	})
 }
 //go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
 func echReadRecord(c *tls.Conn) error
 //go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
 func echHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/certificate/mozilla.go
+++ b/common/certificate/mozilla.go
--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -0,0 +1,185 @@
 package certificate
 import (
 	"context"
 	"crypto/x509"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/service"
 )
 var _ adapter.CertificateStore = (*Store)(nil)
 type Store struct {
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
 	certificatePaths          []string
 	certificateDirectoryPaths []string
 	watcher                   *fswatch.Watcher
 }
 func NewStore(ctx context.Context, logger logger.Logger, options option.CertificateOptions) (*Store, error) {
 	var systemPool *x509.CertPool
 	switch options.Store {
 	case C.CertificateStoreSystem, "":
 		systemPool = x509.NewCertPool()
 		platformInterface := service.FromContext[platform.Interface](ctx)
 		var systemValid bool
 		if platformInterface != nil {
 			for _, cert := range platformInterface.SystemCertificates() {
 				if systemPool.AppendCertsFromPEM([]byte(cert)) {
 					systemValid = true
 				}
 			}
 		}
 		if !systemValid {
 			certPool, err := x509.SystemCertPool()
 			if err != nil {
 				return nil, err
 			}
 			systemPool = certPool
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:
 		return nil, E.New("unknown certificate store: ", options.Store)
 	}
 	store := &Store{
 		systemPool:                systemPool,
 		certificate:               strings.Join(options.Certificate, "\n"),
 		certificatePaths:          options.CertificatePath,
 		certificateDirectoryPaths: options.CertificateDirectoryPath,
 	}
 	var watchPaths []string
 	for _, target := range options.CertificatePath {
 		watchPaths = append(watchPaths, target)
 	}
 	for _, target := range options.CertificateDirectoryPath {
 		watchPaths = append(watchPaths, target)
 	}
 	if len(watchPaths) > 0 {
 		watcher, err := fswatch.NewWatcher(fswatch.Options{
 			Path:   watchPaths,
 			Logger: logger,
 			Callback: func(_ string) {
 				err := store.update()
 				if err != nil {
 					logger.Error(E.Cause(err, "reload certificates"))
 				}
 			},
 		})
 		if err != nil {
 			return nil, E.Cause(err, "fswatch: create fsnotify watcher")
 		}
 		store.watcher = watcher
 	}
 	err := store.update()
 	if err != nil {
 		return nil, E.Cause(err, "initializing certificate store")
 	}
 	return store, nil
 }
 func (s *Store) Name() string {
 	return "certificate"
 }
 func (s *Store) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
 	if s.watcher != nil {
 		return s.watcher.Start()
 	}
 	return nil
 }
 func (s *Store) Close() error {
 	if s.watcher != nil {
 		return s.watcher.Close()
 	}
 	return nil
 }
 func (s *Store) Pool() *x509.CertPool {
 	return s.currentPool
 }
 func (s *Store) update() error {
 	var currentPool *x509.CertPool
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()
 	} else {
 		currentPool = s.systemPool.Clone()
 	}
 	if s.certificate != "" {
 		if !currentPool.AppendCertsFromPEM([]byte(s.certificate)) {
 			return E.New("invalid certificate PEM strings")
 		}
 	}
 	for _, path := range s.certificatePaths {
 		pemContent, err := os.ReadFile(path)
 		if err != nil {
 			return err
 		}
 		if !currentPool.AppendCertsFromPEM(pemContent) {
 			return E.New("invalid certificate PEM file: ", path)
 		}
 	}
 	var firstErr error
 	for _, directoryPath := range s.certificateDirectoryPaths {
 		directoryEntries, err := readUniqueDirectoryEntries(directoryPath)
 		if err != nil {
 			if firstErr == nil && !os.IsNotExist(err) {
 				firstErr = E.Cause(err, "invalid certificate directory: ", directoryPath)
 			}
 			continue
 		}
 		for _, directoryEntry := range directoryEntries {
 			pemContent, err := os.ReadFile(filepath.Join(directoryPath, directoryEntry.Name()))
 			if err == nil {
 				currentPool.AppendCertsFromPEM(pemContent)
 			}
 		}
 	}
 	if firstErr != nil {
 		return firstErr
 	}
 	s.currentPool = currentPool
 	return nil
 }
 func readUniqueDirectoryEntries(dir string) ([]fs.DirEntry, error) {
 	files, err := os.ReadDir(dir)
 	if err != nil {
 		return nil, err
 	}
 	uniq := files[:0]
 	for _, f := range files {
 		if !isSameDirSymlink(f, dir) {
 			uniq = append(uniq, f)
 		}
 	}
 	return uniq, nil
 }
 func isSameDirSymlink(f fs.DirEntry, dir string) bool {
 	if f.Type()&fs.ModeSymlink == 0 {
 		return false
 	}
 	target, err := os.Readlink(filepath.Join(dir, f.Name()))
 	return err == nil && !strings.Contains(target, "/")
 }
--- a/common/conntrack/conn.go
+++ b/common/conntrack/conn.go
@@ -0,0 +1,54 @@
 package conntrack
 import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/x/list"
 )
 type Conn struct {
 	net.Conn
 	element *list.Element[io.Closer]
 }
 func NewConn(conn net.Conn) (net.Conn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
 		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
 		}
 	}
 	return &Conn{
 		Conn:    conn,
 		element: element,
 	}, nil
 }
 func (c *Conn) Close() error {
 	if c.element.Value != nil {
 		connAccess.Lock()
 		if c.element.Value != nil {
 			openConnection.Remove(c.element)
 			c.element.Value = nil
 		}
 		connAccess.Unlock()
 	}
 	return c.Conn.Close()
 }
 func (c *Conn) Upstream() any {
 	return c.Conn
 }
 func (c *Conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *Conn) WriterReplaceable() bool {
 	return true
 }
--- a/common/conntrack/context.go
+++ b/common/conntrack/context.go
@@ -1,14 +0,0 @@
 package conntrack
 import (
 	"context"
 	"github.com/sagernet/sing/service"
 )
 func ContextWithDefaultTracker(ctx context.Context, killerEnabled bool, memoryLimit uint64) context.Context {
 	if service.FromContext[Tracker](ctx) != nil {
 		return ctx
 	}
 	return service.ContextWith[Tracker](ctx, NewDefaultTracker(killerEnabled, memoryLimit))
 }
--- a/common/conntrack/default.go
+++ b/common/conntrack/default.go
@@ -1,245 +0,0 @@
 package conntrack
 import (
 	"net"
 	"net/netip"
 	runtimeDebug "runtime/debug"
 	"sync"
 	"time"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 )
 var _ Tracker = (*DefaultTracker)(nil)
 type DefaultTracker struct {
 	connAccess  sync.RWMutex
 	connList    list.List[net.Conn]
 	connAddress map[netip.AddrPort]netip.AddrPort
 	packetConnAccess  sync.RWMutex
 	packetConnList    list.List[AbstractPacketConn]
 	packetConnAddress map[netip.AddrPort]bool
 	pendingAccess sync.RWMutex
 	pendingList   list.List[netip.AddrPort]
 	killerEnabled   bool
 	memoryLimit     uint64
 	killerLastCheck time.Time
 }
 func NewDefaultTracker(killerEnabled bool, memoryLimit uint64) *DefaultTracker {
 	return &DefaultTracker{
 		connAddress:       make(map[netip.AddrPort]netip.AddrPort),
 		packetConnAddress: make(map[netip.AddrPort]bool),
 		killerEnabled:     killerEnabled,
 		memoryLimit:       memoryLimit,
 	}
 }
 func (t *DefaultTracker) NewConn(conn net.Conn) (net.Conn, error) {
 	err := t.KillerCheck()
 	if err != nil {
 		conn.Close()
 		return nil, err
 	}
 	t.connAccess.Lock()
 	element := t.connList.PushBack(conn)
 	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
 	t.connAccess.Unlock()
 	return &Conn{
 		Conn: conn,
 		closeFunc: common.OnceFunc(func() {
 			t.removeConn(element)
 		}),
 	}, nil
 }
 func (t *DefaultTracker) NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error) {
 	err := t.KillerCheck()
 	if err != nil {
 		conn.Close()
 		return nil, err
 	}
 	t.connAccess.Lock()
 	element := t.connList.PushBack(conn)
 	t.connAddress[M.AddrPortFromNet(conn.LocalAddr())] = M.AddrPortFromNet(conn.RemoteAddr())
 	t.connAccess.Unlock()
 	return N.OnceClose(func(it error) {
 		t.removeConn(element)
 	}), nil
 }
 func (t *DefaultTracker) NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	err := t.KillerCheck()
 	if err != nil {
 		conn.Close()
 		return nil, err
 	}
 	t.packetConnAccess.Lock()
 	element := t.packetConnList.PushBack(conn)
 	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
 	t.packetConnAccess.Unlock()
 	return &PacketConn{
 		PacketConn: conn,
 		closeFunc: common.OnceFunc(func() {
 			t.removePacketConn(element)
 		}),
 	}, nil
 }
 func (t *DefaultTracker) NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error) {
 	err := t.KillerCheck()
 	if err != nil {
 		conn.Close()
 		return nil, err
 	}
 	t.packetConnAccess.Lock()
 	element := t.packetConnList.PushBack(conn)
 	t.packetConnAddress[M.AddrPortFromNet(conn.LocalAddr())] = true
 	t.packetConnAccess.Unlock()
 	return N.OnceClose(func(it error) {
 		t.removePacketConn(element)
 	}), nil
 }
 func (t *DefaultTracker) CheckConn(source netip.AddrPort, destination netip.AddrPort) bool {
 	t.connAccess.RLock()
 	defer t.connAccess.RUnlock()
 	return t.connAddress[source] == destination
 }
 func (t *DefaultTracker) CheckPacketConn(source netip.AddrPort) bool {
 	t.packetConnAccess.RLock()
 	defer t.packetConnAccess.RUnlock()
 	return t.packetConnAddress[source]
 }
 func (t *DefaultTracker) AddPendingDestination(destination netip.AddrPort) func() {
 	t.pendingAccess.Lock()
 	defer t.pendingAccess.Unlock()
 	element := t.pendingList.PushBack(destination)
 	return func() {
 		t.pendingAccess.Lock()
 		defer t.pendingAccess.Unlock()
 		t.pendingList.Remove(element)
 	}
 }
 func (t *DefaultTracker) CheckDestination(destination netip.AddrPort) bool {
 	t.pendingAccess.RLock()
 	defer t.pendingAccess.RUnlock()
 	for element := t.pendingList.Front(); element != nil; element = element.Next() {
 		if element.Value == destination {
 			return true
 		}
 	}
 	return false
 }
 func (t *DefaultTracker) KillerCheck() error {
 	if !t.killerEnabled {
 		return nil
 	}
 	nowTime := time.Now()
 	if nowTime.Sub(t.killerLastCheck) < 3*time.Second {
 		return nil
 	}
 	t.killerLastCheck = nowTime
 	if memory.Total() > t.memoryLimit {
 		t.Close()
 		go func() {
 			time.Sleep(time.Second)
 			runtimeDebug.FreeOSMemory()
 		}()
 		return E.New("out of memory")
 	}
 	return nil
 }
 func (t *DefaultTracker) Count() int {
 	t.connAccess.RLock()
 	defer t.connAccess.RUnlock()
 	t.packetConnAccess.RLock()
 	defer t.packetConnAccess.RUnlock()
 	return t.connList.Len() + t.packetConnList.Len()
 }
 func (t *DefaultTracker) Close() {
 	t.connAccess.Lock()
 	for element := t.connList.Front(); element != nil; element = element.Next() {
 		element.Value.Close()
 	}
 	t.connList.Init()
 	t.connAccess.Unlock()
 	t.packetConnAccess.Lock()
 	for element := t.packetConnList.Front(); element != nil; element = element.Next() {
 		element.Value.Close()
 	}
 	t.packetConnList.Init()
 	t.packetConnAccess.Unlock()
 }
 func (t *DefaultTracker) removeConn(element *list.Element[net.Conn]) {
 	t.connAccess.Lock()
 	defer t.connAccess.Unlock()
 	delete(t.connAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
 	t.connList.Remove(element)
 }
 func (t *DefaultTracker) removePacketConn(element *list.Element[AbstractPacketConn]) {
 	t.packetConnAccess.Lock()
 	defer t.packetConnAccess.Unlock()
 	delete(t.packetConnAddress, M.AddrPortFromNet(element.Value.LocalAddr()))
 	t.packetConnList.Remove(element)
 }
 type Conn struct {
 	net.Conn
 	closeFunc func()
 }
 func (c *Conn) Close() error {
 	c.closeFunc()
 	return c.Conn.Close()
 }
 func (c *Conn) Upstream() any {
 	return c.Conn
 }
 func (c *Conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *Conn) WriterReplaceable() bool {
 	return true
 }
 type PacketConn struct {
 	net.PacketConn
 	closeFunc func()
 }
 func (c *PacketConn) Close() error {
 	c.closeFunc()
 	return c.PacketConn.Close()
 }
 func (c *PacketConn) Upstream() any {
 	return c.PacketConn
 }
 func (c *PacketConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *PacketConn) WriterReplaceable() bool {
 	return true
 }
--- a/common/conntrack/killer.go
+++ b/common/conntrack/killer.go
@@ -0,0 +1,35 @@
 package conntrack
 import (
 	runtimeDebug "runtime/debug"
 	"time"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
 )
 var (
 	KillerEnabled   bool
 	MemoryLimit     uint64
 	killerLastCheck time.Time
 )
 func KillerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
 	nowTime := time.Now()
 	if nowTime.Sub(killerLastCheck) < 3*time.Second {
 		return nil
 	}
 	killerLastCheck = nowTime
 	if memory.Total() > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)
 			runtimeDebug.FreeOSMemory()
 		}()
 		return E.New("out of memory")
 	}
 	return nil
 }
--- a/common/conntrack/packet_conn.go
+++ b/common/conntrack/packet_conn.go
@@ -0,0 +1,55 @@
 package conntrack
 import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/x/list"
 )
 type PacketConn struct {
 	net.PacketConn
 	element *list.Element[io.Closer]
 }
 func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
 		err := KillerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
 		}
 	}
 	return &PacketConn{
 		PacketConn: conn,
 		element:    element,
 	}, nil
 }
 func (c *PacketConn) Close() error {
 	if c.element.Value != nil {
 		connAccess.Lock()
 		if c.element.Value != nil {
 			openConnection.Remove(c.element)
 			c.element.Value = nil
 		}
 		connAccess.Unlock()
 	}
 	return c.PacketConn.Close()
 }
 func (c *PacketConn) Upstream() any {
 	return bufio.NewPacketConn(c.PacketConn)
 }
 func (c *PacketConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *PacketConn) WriterReplaceable() bool {
 	return true
 }
--- a/common/conntrack/track.go
+++ b/common/conntrack/track.go
@@ -0,0 +1,47 @@
 package conntrack
 import (
 	"io"
 	"sync"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/x/list"
 )
 var (
 	connAccess     sync.RWMutex
 	openConnection list.List[io.Closer]
 )
 func Count() int {
 	if !Enabled {
 		return 0
 	}
 	return openConnection.Len()
 }
 func List() []io.Closer {
 	if !Enabled {
 		return nil
 	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
 	connList := make([]io.Closer, 0, openConnection.Len())
 	for element := openConnection.Front(); element != nil; element = element.Next() {
 		connList = append(connList, element.Value)
 	}
 	return connList
 }
 func Close() {
 	if !Enabled {
 		return
 	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
 		common.Close(element.Value)
 		element.Value = nil
 	}
 	openConnection.Init()
 }
--- a/common/conntrack/track_disable.go
+++ b/common/conntrack/track_disable.go
@@ -0,0 +1,5 @@
 //go:build !with_conntrack
 package conntrack
 const Enabled = false
--- a/common/conntrack/track_enable.go
+++ b/common/conntrack/track_enable.go
@@ -0,0 +1,5 @@
 //go:build with_conntrack
 package conntrack
 const Enabled = true
--- a/common/conntrack/tracker.go
+++ b/common/conntrack/tracker.go
@@ -1,32 +0,0 @@
 package conntrack
 import (
 	"net"
 	"net/netip"
 	"time"
 	N "github.com/sagernet/sing/common/network"
 )
 // TODO: add to N
 type AbstractPacketConn interface {
 	Close() error
 	LocalAddr() net.Addr
 	SetDeadline(t time.Time) error
 	SetReadDeadline(t time.Time) error
 	SetWriteDeadline(t time.Time) error
 }
 type Tracker interface {
 	NewConn(conn net.Conn) (net.Conn, error)
 	NewPacketConn(conn net.PacketConn) (net.PacketConn, error)
 	NewConnEx(conn net.Conn) (N.CloseHandlerFunc, error)
 	NewPacketConnEx(conn AbstractPacketConn) (N.CloseHandlerFunc, error)
 	CheckConn(source netip.AddrPort, destination netip.AddrPort) bool
 	CheckPacketConn(source netip.AddrPort) bool
 	AddPendingDestination(destination netip.AddrPort) func()
 	CheckDestination(destination netip.AddrPort) bool
 	KillerCheck() error
 	Count() int
 	Close()
 }
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -10,6 +10,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/common/listener"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
@@ -28,7 +29,6 @@ var (
 )
 type DefaultDialer struct {
 	tracker                conntrack.Tracker
 	dialer4                tcpDialer
 	dialer6                tcpDialer
 	udpDialer4             net.Dialer
@@ -36,7 +36,7 @@ type DefaultDialer struct {
 	udpListener            net.ListenConfig
 	udpAddr4               string
 	udpAddr6               string
-	isWireGuardListener    bool
+	netns                  string
 	networkManager         adapter.NetworkManager
 	networkStrategy        *C.NetworkStrategy
 	defaultNetworkStrategy bool
@@ -47,7 +47,6 @@ type DefaultDialer struct {
 }
 func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
 	tracker := service.FromContext[conntrack.Tracker](ctx)
 	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	platformInterface := service.FromContext[platform.Interface](ctx)
@@ -185,11 +184,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		}
 		setMultiPathTCP(&dialer4)
 	}
 	if options.IsWireGuardListener {
 		for _, controlFn := range WgControlFns {
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -199,7 +193,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		return nil, err
 	}
 	return &DefaultDialer{
 		tracker:                tracker,
 		dialer4:                tcpDialer4,
 		dialer6:                tcpDialer6,
 		udpDialer4:             udpDialer4,
@@ -207,7 +200,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpListener:            listener,
 		udpAddr4:               udpAddr4,
 		udpAddr6:               udpAddr6,
-		isWireGuardListener:    options.IsWireGuardListener,
+		netns:                  options.NetNs,
 		networkManager:         networkManager,
 		networkStrategy:        networkStrategy,
 		defaultNetworkStrategy: defaultNetworkStrategy,
@@ -220,29 +213,25 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
 	} else if address.IsFqdn() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
-		if address.IsFqdn() {
+		return trackConn(listener.ListenNetworkNamespace[net.Conn](d.netns, func() (net.Conn, error) {
-			return nil, E.New("unexpected domain destination")
+			switch N.NetworkName(network) {
-		}
+			case N.NetworkUDP:
-		// Since pending check is only used by ndis, it is not performed for non-windows connections which are only supported on platform clients
+				if !address.IsIPv6() {
-		if d.tracker != nil {
+					return d.udpDialer4.DialContext(ctx, network, address.String())
-			done := d.tracker.AddPendingDestination(address.AddrPort())
+				} else {
-			defer done()
+					return d.udpDialer6.DialContext(ctx, network, address.String())
-		}
+				}
 		switch N.NetworkName(network) {
 		case N.NetworkUDP:
 			if !address.IsIPv6() {
 				return d.trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
 			} else {
 				return d.trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
 			}
-		}
+			if !address.IsIPv6() {
-		if !address.IsIPv6() {
+				return DialSlowContext(&d.dialer4, ctx, network, address)
-			return d.trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
+			} else {
-		} else {
+				return DialSlowContext(&d.dialer6, ctx, network, address)
-			return d.trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
+			}
-		}
+		}))
 	} else {
 		return d.DialParallelInterface(ctx, network, address, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
@@ -293,18 +282,20 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
 	}
-	return d.trackConn(conn, nil)
+	return trackConn(conn, nil)
 }
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if d.networkStrategy == nil {
-		if destination.IsIPv6() {
+		return trackPacketConn(listener.ListenNetworkNamespace[net.PacketConn](d.netns, func() (net.PacketConn, error) {
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+			if destination.IsIPv6() {
-		} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
+				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
+			} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
-		} else {
+				return d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4)
-			return d.trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+			} else {
-		}
+				return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4)
 			}
 		}))
 	} else {
 		return d.ListenSerialInterfacePacket(ctx, destination, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay)
 	}
@@ -340,23 +331,23 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 			return nil, err
 		}
 	}
-	return d.trackPacketConn(packetConn, nil)
+	return trackPacketConn(packetConn, nil)
 }
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
 	return d.udpListener.ListenPacket(context.Background(), network, address)
 }
-func (d *DefaultDialer) trackConn(conn net.Conn, err error) (net.Conn, error) {
+func trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if d.tracker == nil || err != nil {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.tracker.NewConn(conn)
+	return conntrack.NewConn(conn)
 }
-func (d *DefaultDialer) trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
+func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if err != nil {
+	if !conntrack.Enabled || err != nil {
 		return conn, err
 	}
-	return d.tracker.NewPacketConn(conn)
+	return conntrack.NewPacketConn(conn)
 }
--- a/common/dialer/default_parallel_interface.go
+++ b/common/dialer/default_parallel_interface.go
@@ -18,6 +18,7 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
 	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -31,7 +32,9 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
 			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
 		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -89,6 +92,7 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
 	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -103,7 +107,9 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
 			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
 		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -149,10 +155,13 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, E.New("no available network interface")
 	}
 	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	var errors []error
 	for _, primaryInterface := range primaryInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
+		if defaultInterface == nil || primaryInterface.Index != defaultInterface.Index {
 			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
 		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil
@@ -161,7 +170,9 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
+		if defaultInterface == nil || fallbackInterface.Index != defaultInterface.Index {
 			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
 		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil
--- a/common/dialer/detour.go
+++ b/common/dialer/detour.go
@@ -6,39 +6,63 @@ import (
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type DirectDialer interface {
 	IsEmpty() bool
 }
 type DetourDialer struct {
 	outboundManager adapter.OutboundManager
 	detour          string
 	legacyDNSDialer bool
 	dialer          N.Dialer
 	initOnce        sync.Once
 	initErr         error
 }
-func NewDetour(outboundManager adapter.OutboundManager, detour string) N.Dialer {
+func NewDetour(outboundManager adapter.OutboundManager, detour string, legacyDNSDialer bool) N.Dialer {
-	return &DetourDialer{outboundManager: outboundManager, detour: detour}
+	return &DetourDialer{
 		outboundManager: outboundManager,
 		detour:          detour,
 		legacyDNSDialer: legacyDNSDialer,
 	}
 }
-func (d *DetourDialer) Start() error {
+func InitializeDetour(dialer N.Dialer) error {
-	_, err := d.Dialer()
+	detourDialer, isDetour := common.Cast[*DetourDialer](dialer)
-	return err
+	if !isDetour {
 		return nil
 	}
 	return common.Error(detourDialer.Dialer())
 }
 func (d *DetourDialer) Dialer() (N.Dialer, error) {
-	d.initOnce.Do(func() {
+	d.initOnce.Do(d.init)
 		var loaded bool
 		d.dialer, loaded = d.outboundManager.Outbound(d.detour)
 		if !loaded {
 			d.initErr = E.New("outbound detour not found: ", d.detour)
 		}
 	})
 	return d.dialer, d.initErr
 }
 func (d *DetourDialer) init() {
 	dialer, loaded := d.outboundManager.Outbound(d.detour)
 	if !loaded {
 		d.initErr = E.New("outbound detour not found: ", d.detour)
 		return
 	}
 	if !d.legacyDNSDialer {
 		if directDialer, isDirect := dialer.(DirectDialer); isDirect {
 			if directDialer.IsEmpty() {
 				d.initErr = E.New("detour to an empty direct outbound makes no sense")
 				return
 			}
 		}
 	}
 	d.dialer = dialer
 }
 func (d *DetourDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	dialer, err := d.Dialer()
 	if err != nil {
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -8,68 +8,123 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
-func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+type Options struct {
-	if options.IsWireGuardListener {
+	Context          context.Context
-		return NewDefault(ctx, options)
+	Options          option.DialerOptions
-	}
+	RemoteIsDomain   bool
 	DirectResolver   bool
 	ResolverOnDetour bool
 	NewDialer        bool
 	LegacyDNSDialer  bool
 	DirectOutbound   bool
 }
 // TODO: merge with NewWithOptions
 func New(ctx context.Context, options option.DialerOptions, remoteIsDomain bool) (N.Dialer, error) {
 	return NewWithOptions(Options{
 		Context:        ctx,
 		Options:        options,
 		RemoteIsDomain: remoteIsDomain,
 	})
 }
 func NewWithOptions(options Options) (N.Dialer, error) {
 	dialOptions := options.Options
 	var (
 		dialer N.Dialer
 		err    error
 	)
-	if options.Detour == "" {
+	if dialOptions.Detour != "" {
-		dialer, err = NewDefault(ctx, options)
+		outboundManager := service.FromContext[adapter.OutboundManager](options.Context)
 		if err != nil {
 			return nil, err
 		}
 	} else {
 		outboundManager := service.FromContext[adapter.OutboundManager](ctx)
 		if outboundManager == nil {
 			return nil, E.New("missing outbound manager")
 		}
-		dialer = NewDetour(outboundManager, options.Detour)
+		dialer = NewDetour(outboundManager, dialOptions.Detour, options.LegacyDNSDialer)
-	}
+	} else {
-	if options.Detour == "" {
+		dialer, err = NewDefault(options.Context, dialOptions)
-		router := service.FromContext[adapter.Router](ctx)
+		if err != nil {
-		if router != nil {
+			return nil, err
 			dialer = NewResolveDialer(
 				router,
 				dialer,
 				options.Detour == "" && !options.TCPFastOpen,
 				dns.DomainStrategy(options.DomainStrategy),
 				time.Duration(options.FallbackDelay))
 		}
 	}
 	if options.RemoteIsDomain && (dialOptions.Detour == "" || options.ResolverOnDetour || dialOptions.DomainResolver != nil && dialOptions.DomainResolver.Server != "") {
 		networkManager := service.FromContext[adapter.NetworkManager](options.Context)
 		dnsTransport := service.FromContext[adapter.DNSTransportManager](options.Context)
 		var defaultOptions adapter.NetworkOptions
 		if networkManager != nil {
 			defaultOptions = networkManager.DefaultOptions()
 		}
 		var (
 			server               string
 			dnsQueryOptions      adapter.DNSQueryOptions
 			resolveFallbackDelay time.Duration
 		)
 		if dialOptions.DomainResolver != nil && dialOptions.DomainResolver.Server != "" {
 			var transport adapter.DNSTransport
 			if !options.DirectResolver {
 				var loaded bool
 				transport, loaded = dnsTransport.Transport(dialOptions.DomainResolver.Server)
 				if !loaded {
 					return nil, E.New("domain resolver not found: " + dialOptions.DomainResolver.Server)
 				}
 			}
 			var strategy C.DomainStrategy
 			if dialOptions.DomainResolver.Strategy != option.DomainStrategy(C.DomainStrategyAsIS) {
 				strategy = C.DomainStrategy(dialOptions.DomainResolver.Strategy)
 			} else if
 			//nolint:staticcheck
 			dialOptions.DomainStrategy != option.DomainStrategy(C.DomainStrategyAsIS) {
 				//nolint:staticcheck
 				strategy = C.DomainStrategy(dialOptions.DomainStrategy)
 			}
 			server = dialOptions.DomainResolver.Server
 			dnsQueryOptions = adapter.DNSQueryOptions{
 				Transport:    transport,
 				Strategy:     strategy,
 				DisableCache: dialOptions.DomainResolver.DisableCache,
 				RewriteTTL:   dialOptions.DomainResolver.RewriteTTL,
 				ClientSubnet: dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
 			}
 			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
 		} else if options.DirectResolver {
 			return nil, E.New("missing domain resolver for domain server address")
 		} else if defaultOptions.DomainResolver != "" {
 			dnsQueryOptions = defaultOptions.DomainResolveOptions
 			transport, loaded := dnsTransport.Transport(defaultOptions.DomainResolver)
 			if !loaded {
 				return nil, E.New("default domain resolver not found: " + defaultOptions.DomainResolver)
 			}
 			dnsQueryOptions.Transport = transport
 			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
 		} else {
 			transports := dnsTransport.Transports()
 			if len(transports) < 2 {
 				dnsQueryOptions.Transport = dnsTransport.Default()
 			} else if options.NewDialer {
 				return nil, E.New("missing domain resolver for domain server address")
 			} else if !options.DirectOutbound {
 				deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
 			}
 		}
 		dialer = NewResolveDialer(
 			options.Context,
 			dialer,
 			dialOptions.Detour == "" && !dialOptions.TCPFastOpen,
 			server,
 			dnsQueryOptions,
 			resolveFallbackDelay,
 		)
 	}
 	return dialer, nil
 }
 func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInterfaceDialer, error) {
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
 	if options.IsWireGuardListener {
 		return NewDefault(ctx, options)
 	}
 	dialer, err := NewDefault(ctx, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewResolveParallelInterfaceDialer(
 		service.FromContext[adapter.Router](ctx),
 		dialer,
 		true,
 		dns.DomainStrategy(options.DomainStrategy),
 		time.Duration(options.FallbackDelay),
 	), nil
 }
 type ParallelInterfaceDialer interface {
 	N.Dialer
 	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -3,16 +3,17 @@ package dialer
 import (
 	"context"
 	"net"
-	"net/netip"
+	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 var (
@@ -20,21 +21,51 @@ var (
 	_ ParallelInterfaceDialer = (*resolveParallelNetworkDialer)(nil)
 )
 type ResolveDialer interface {
 	N.Dialer
 	QueryOptions() adapter.DNSQueryOptions
 }
 type ParallelInterfaceResolveDialer interface {
 	ParallelInterfaceDialer
 	QueryOptions() adapter.DNSQueryOptions
 }
 type resolveDialer struct {
 	transport     adapter.DNSTransportManager
 	router        adapter.DNSRouter
 	dialer        N.Dialer
 	parallel      bool
-	router        adapter.Router
+	server        string
-	strategy      dns.DomainStrategy
+	initOnce      sync.Once
 	initErr       error
 	queryOptions  adapter.DNSQueryOptions
 	fallbackDelay time.Duration
 }
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) N.Dialer {
+func NewResolveDialer(ctx context.Context, dialer N.Dialer, parallel bool, server string, queryOptions adapter.DNSQueryOptions, fallbackDelay time.Duration) ResolveDialer {
 	if parallelDialer, isParallel := dialer.(ParallelInterfaceDialer); isParallel {
 		return &resolveParallelNetworkDialer{
 			resolveDialer{
 				transport:     service.FromContext[adapter.DNSTransportManager](ctx),
 				router:        service.FromContext[adapter.DNSRouter](ctx),
 				dialer:        dialer,
 				parallel:      parallel,
 				server:        server,
 				queryOptions:  queryOptions,
 				fallbackDelay: fallbackDelay,
 			},
 			parallelDialer,
 		}
 	}
 	return &resolveDialer{
-		dialer,
+		transport:     service.FromContext[adapter.DNSTransportManager](ctx),
-		parallel,
+		router:        service.FromContext[adapter.DNSRouter](ctx),
-		router,
+		dialer:        dialer,
-		strategy,
+		parallel:      parallel,
-		fallbackDelay,
+		server:        server,
 		queryOptions:  queryOptions,
 		fallbackDelay: fallbackDelay,
 	}
 }
@@ -43,59 +74,53 @@ type resolveParallelNetworkDialer struct {
 	dialer ParallelInterfaceDialer
 }
-func NewResolveParallelInterfaceDialer(router adapter.Router, dialer ParallelInterfaceDialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) ParallelInterfaceDialer {
+func (d *resolveDialer) initialize() error {
-	return &resolveParallelNetworkDialer{
+	d.initOnce.Do(d.initServer)
-		resolveDialer{
+	return d.initErr
-			dialer,
+}
-			parallel,
+
-			router,
+func (d *resolveDialer) initServer() {
-			strategy,
+	if d.server == "" {
-			fallbackDelay,
+		return
 		},
 		dialer,
 	}
 	transport, loaded := d.transport.Transport(d.server)
 	if !loaded {
 		d.initErr = E.New("domain resolver not found: " + d.server)
 		return
 	}
 	d.queryOptions.Transport = transport
 }
 func (d *resolveDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	err := d.initialize()
 	if err != nil {
 		return nil, err
 	}
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, d.queryOptions)
 	metadata.Domain = ""
 	var addresses []netip.Addr
 	var err error
 	if d.strategy == dns.DomainStrategyAsIS {
 		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
 	} else {
 		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
 	}
 	if err != nil {
 		return nil, err
 	}
 	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.queryOptions.Strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
 	} else {
 		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
 	}
 }
 func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	err := d.initialize()
 	if err != nil {
 		return nil, err
 	}
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, d.queryOptions)
 	metadata.Domain = ""
 	var addresses []netip.Addr
 	var err error
 	if d.strategy == dns.DomainStrategyAsIS {
 		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
 	} else {
 		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
 	}
 	if err != nil {
 		return nil, err
 	}
@@ -106,21 +131,24 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
 func (d *resolveDialer) QueryOptions() adapter.DNSQueryOptions {
 	return d.queryOptions
 }
 func (d *resolveDialer) Upstream() any {
 	return d.dialer
 }
 func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	err := d.initialize()
 	if err != nil {
 		return nil, err
 	}
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, d.queryOptions)
 	metadata.Domain = ""
 	var addresses []netip.Addr
 	var err error
 	if d.strategy == dns.DomainStrategyAsIS {
 		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
 	} else {
 		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
 	}
 	if err != nil {
 		return nil, err
 	}
@@ -128,30 +156,28 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 		fallbackDelay = d.fallbackDelay
 	}
 	if d.parallel {
-		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.queryOptions.Strategy == C.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
 		return DialSerialNetwork(ctx, d.dialer, network, destination, addresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
 }
 func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	err := d.initialize()
 	if err != nil {
 		return nil, err
 	}
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, d.queryOptions)
 	metadata.Domain = ""
 	var addresses []netip.Addr
 	var err error
 	if d.strategy == dns.DomainStrategyAsIS {
 		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
 	} else {
 		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
 	}
 	if err != nil {
 		return nil, err
 	}
 	if fallbackDelay == 0 {
 		fallbackDelay = d.fallbackDelay
 	}
 	conn, destinationAddress, err := ListenSerialNetworkPacket(ctx, d.dialer, destination, addresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	if err != nil {
 		return nil, err
@@ -159,6 +185,10 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
-func (d *resolveDialer) Upstream() any {
+func (d *resolveParallelNetworkDialer) QueryOptions() adapter.DNSQueryOptions {
 	return d.queryOptions
 }
 func (d *resolveParallelNetworkDialer) Upstream() any {
 	return d.dialer
 }
--- a/common/dialer/router.go
+++ b/common/dialer/router.go
@@ -7,24 +7,27 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 type DefaultOutboundDialer struct {
-	outboundManager adapter.OutboundManager
+	outbound adapter.OutboundManager
 }
-func NewDefaultOutbound(outboundManager adapter.OutboundManager) N.Dialer {
+func NewDefaultOutbound(ctx context.Context) N.Dialer {
-	return &DefaultOutboundDialer{outboundManager: outboundManager}
+	return &DefaultOutboundDialer{
 		outbound: service.FromContext[adapter.OutboundManager](ctx),
 	}
 }
 func (d *DefaultOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.outboundManager.Default().DialContext(ctx, network, destination)
+	return d.outbound.Default().DialContext(ctx, network, destination)
 }
 func (d *DefaultOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.outboundManager.Default().ListenPacket(ctx, destination)
+	return d.outbound.Default().ListenPacket(ctx, destination)
 }
 func (d *DefaultOutboundDialer) Upstream() any {
-	return d.outboundManager.Default()
+	return d.outbound.Default()
 }
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"net"
 	"net/netip"
 	"runtime"
 	"strings"
 	"sync/atomic"
 	"github.com/sagernet/sing-box/adapter"
@@ -14,6 +16,8 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/vishvananda/netns"
 )
 type Listener struct {
@@ -135,3 +139,30 @@ func (l *Listener) UDPConn() *net.UDPConn {
 func (l *Listener) ListenOptions() option.ListenOptions {
 	return l.listenOptions
 }
 func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (T, error) {
 	if nameOrPath != "" {
 		runtime.LockOSThread()
 		defer runtime.UnlockOSThread()
 		currentNs, err := netns.Get()
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
 			targetNs, err = netns.GetFromPath(nameOrPath)
 		} else {
 			targetNs, err = netns.GetFromName(nameOrPath)
 		}
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get netns ", nameOrPath)
 		}
 		defer targetNs.Close()
 		err = netns.Set(targetNs)
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "set netns to ", nameOrPath)
 		}
 	}
 	return block()
 }
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -16,9 +16,12 @@ import (
 )
 func (l *Listener) ListenTCP() (net.Listener, error) {
 	//nolint:staticcheck
 	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
 	var err error
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
 	var tcpListener net.Listener
 	var listenConfig net.ListenConfig
 	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
@@ -37,20 +40,19 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		}
 		setMultiPathTCP(&listenConfig)
 	}
-	if l.listenOptions.TCPFastOpen {
+	tcpListener, err := ListenNetworkNamespace[net.Listener](l.listenOptions.NetNs, func() (net.Listener, error) {
-		var tfoConfig tfo.ListenConfig
+		if l.listenOptions.TCPFastOpen {
-		tfoConfig.ListenConfig = listenConfig
+			var tfoConfig tfo.ListenConfig
-		tcpListener, err = tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+			tfoConfig.ListenConfig = listenConfig
-	} else {
+			return tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
-		tcpListener, err = listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+		} else {
-	}
+			return listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
-	if err == nil {
+		}
-		l.logger.Info("tcp server started at ", tcpListener.Addr())
+	})
-	}
+	if err != nil {
-	//nolint:staticcheck
+		return nil, err
 	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
 	}
 	l.logger.Info("tcp server started at ", tcpListener.Addr())
 	l.tcpListener = tcpListener
 	return tcpListener, err
 }
--- a/common/listener/listener_udp.go
+++ b/common/listener/listener_udp.go
@@ -1,6 +1,7 @@
 package listener
 import (
 	"context"
 	"net"
 	"net/netip"
 	"os"
@@ -24,7 +25,9 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	if !udpFragment {
 		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
 	}
-	udpConn, err := lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
+	udpConn, err := ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
 		return lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
 	})
 	if err != nil {
 		return nil, err
 	}
@@ -34,6 +37,12 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	return udpConn, err
 }
 func (l *Listener) ListenPacket(listenConfig net.ListenConfig, ctx context.Context, network string, address string) (net.PacketConn, error) {
 	return ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
 		return listenConfig.ListenPacket(ctx, network, address)
 	})
 }
 func (l *Listener) UDPAddr() M.Socksaddr {
 	return l.udpAddr
 }
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -23,6 +23,7 @@ type Config struct {
 }
 type Info struct {
 	ProcessID   uint32
 	ProcessPath string
 	PackageName string
 	User        string
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -2,14 +2,11 @@ package process
 import (
 	"context"
 	"fmt"
 	"net/netip"
 	"os"
 	"syscall"
 	"unsafe"
 	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/winiphlpapi"
 	"golang.org/x/sys/windows"
 )
@@ -26,209 +23,39 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &windowsSearcher{}, nil
 }
 var (
 	modiphlpapi                    = windows.NewLazySystemDLL("iphlpapi.dll")
 	procGetExtendedTcpTable        = modiphlpapi.NewProc("GetExtendedTcpTable")
 	procGetExtendedUdpTable        = modiphlpapi.NewProc("GetExtendedUdpTable")
 	modkernel32                    = windows.NewLazySystemDLL("kernel32.dll")
 	procQueryFullProcessImageNameW = modkernel32.NewProc("QueryFullProcessImageNameW")
 )
 func initWin32API() error {
-	err := modiphlpapi.Load()
+	return winiphlpapi.LoadExtendedTable()
 	if err != nil {
 		return E.Cause(err, "load iphlpapi.dll")
 	}
 	err = procGetExtendedTcpTable.Find()
 	if err != nil {
 		return E.Cause(err, "load iphlpapi::GetExtendedTcpTable")
 	}
 	err = procGetExtendedUdpTable.Find()
 	if err != nil {
 		return E.Cause(err, "load iphlpapi::GetExtendedUdpTable")
 	}
 	err = modkernel32.Load()
 	if err != nil {
 		return E.Cause(err, "load kernel32.dll")
 	}
 	err = procQueryFullProcessImageNameW.Find()
 	if err != nil {
 		return E.Cause(err, "load kernel32::QueryFullProcessImageNameW")
 	}
 	return nil
 }
 func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
+	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {
 		return nil, err
 	}
-	return &Info{ProcessPath: processName, UserId: -1}, nil
+	path, err := getProcessPath(pid)
 }
 func findProcessName(network string, ip netip.Addr, srcPort int) (string, error) {
 	family := windows.AF_INET
 	if ip.Is6() {
 		family = windows.AF_INET6
 	}
 	const (
 		tcpTablePidConn = 4
 		udpTablePid     = 1
 	)
 	var class int
 	var fn uintptr
 	switch network {
 	case N.NetworkTCP:
 		fn = procGetExtendedTcpTable.Addr()
 		class = tcpTablePidConn
 	case N.NetworkUDP:
 		fn = procGetExtendedUdpTable.Addr()
 		class = udpTablePid
 	default:
 		return "", os.ErrInvalid
 	}
 	buf, err := getTransportTable(fn, family, class)
 	if err != nil {
-		return "", err
+		return &Info{ProcessID: pid, UserId: -1}, err
 	}
-
+	return &Info{ProcessID: pid, ProcessPath: path, UserId: -1}, nil
 	s := newSearcher(family == windows.AF_INET, network == N.NetworkTCP)
 	pid, err := s.Search(buf, ip, uint16(srcPort))
 	if err != nil {
 		return "", err
 	}
 	return getExecPathFromPID(pid)
 }
-type searcher struct {
+func getProcessPath(pid uint32) (string, error) {
 	itemSize int
 	port     int
 	ip       int
 	ipSize   int
 	pid      int
 	tcpState int
 }
 func (s *searcher) Search(b []byte, ip netip.Addr, port uint16) (uint32, error) {
 	n := int(readNativeUint32(b[:4]))
 	itemSize := s.itemSize
 	for i := 0; i < n; i++ {
 		row := b[4+itemSize*i : 4+itemSize*(i+1)]
 		if s.tcpState >= 0 {
 			tcpState := readNativeUint32(row[s.tcpState : s.tcpState+4])
 			// MIB_TCP_STATE_ESTAB, only check established connections for TCP
 			if tcpState != 5 {
 				continue
 			}
 		}
 		// according to MSDN, only the lower 16 bits of dwLocalPort are used and the port number is in network endian.
 		// this field can be illustrated as follows depends on different machine endianess:
 		//     little endian: [ MSB LSB  0   0  ]   interpret as native uint32 is ((LSB<<8)|MSB)
 		//       big  endian: [  0   0  MSB LSB ]   interpret as native uint32 is ((MSB<<8)|LSB)
 		// so we need an syscall.Ntohs on the lower 16 bits after read the port as native uint32
 		srcPort := syscall.Ntohs(uint16(readNativeUint32(row[s.port : s.port+4])))
 		if srcPort != port {
 			continue
 		}
 		srcIP, _ := netip.AddrFromSlice(row[s.ip : s.ip+s.ipSize])
 		// windows binds an unbound udp socket to 0.0.0.0/[::] while first sendto
 		if ip != srcIP && (!srcIP.IsUnspecified() || s.tcpState != -1) {
 			continue
 		}
 		pid := readNativeUint32(row[s.pid : s.pid+4])
 		return pid, nil
 	}
 	return 0, ErrNotFound
 }
 func newSearcher(isV4, isTCP bool) *searcher {
 	var itemSize, port, ip, ipSize, pid int
 	tcpState := -1
 	switch {
 	case isV4 && isTCP:
 		// struct MIB_TCPROW_OWNER_PID
 		itemSize, port, ip, ipSize, pid, tcpState = 24, 8, 4, 4, 20, 0
 	case isV4 && !isTCP:
 		// struct MIB_UDPROW_OWNER_PID
 		itemSize, port, ip, ipSize, pid = 12, 4, 0, 4, 8
 	case !isV4 && isTCP:
 		// struct MIB_TCP6ROW_OWNER_PID
 		itemSize, port, ip, ipSize, pid, tcpState = 56, 20, 0, 16, 52, 48
 	case !isV4 && !isTCP:
 		// struct MIB_UDP6ROW_OWNER_PID
 		itemSize, port, ip, ipSize, pid = 28, 20, 0, 16, 24
 	}
 	return &searcher{
 		itemSize: itemSize,
 		port:     port,
 		ip:       ip,
 		ipSize:   ipSize,
 		pid:      pid,
 		tcpState: tcpState,
 	}
 }
 func getTransportTable(fn uintptr, family int, class int) ([]byte, error) {
 	for size, buf := uint32(8), make([]byte, 8); ; {
 		ptr := unsafe.Pointer(&buf[0])
 		err, _, _ := syscall.SyscallN(fn, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)
 		switch err {
 		case 0:
 			return buf, nil
 		case uintptr(syscall.ERROR_INSUFFICIENT_BUFFER):
 			buf = make([]byte, size)
 		default:
 			return nil, fmt.Errorf("syscall error: %d", err)
 		}
 	}
 }
 func readNativeUint32(b []byte) uint32 {
 	return *(*uint32)(unsafe.Pointer(&b[0]))
 }
 func getExecPathFromPID(pid uint32) (string, error) {
 	// kernel process starts with a colon in order to distinguish with normal processes
 	switch pid {
 	case 0:
 		// reserved pid for system idle process
 		return ":System Idle Process", nil
 	case 4:
 		// reserved pid for windows kernel image
 		return ":System", nil
 	}
-	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
+	handle, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
 	if err != nil {
 		return "", err
 	}
-	defer windows.CloseHandle(h)
+	defer windows.CloseHandle(handle)
-
+	size := uint32(syscall.MAX_LONG_PATH)
 	buf := make([]uint16, syscall.MAX_LONG_PATH)
-	size := uint32(len(buf))
+	err = windows.QueryFullProcessImageName(handle, 0, &buf[0], &size)
-	r1, _, err := syscall.SyscallN(
+	if err != nil {
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
 		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)
 	if r1 == 0 {
 		return "", err
 	}
-	return syscall.UTF16ToString(buf[:size]), nil
+	return windows.UTF16ToString(buf[:size]), nil
 }
--- a/common/settings/time_stub.go
+++ b/common/settings/time_stub.go
@@ -1,12 +0,0 @@
 //go:build !(windows || linux || darwin)
 package settings
 import (
 	"os"
 	"time"
 )
 func SetSystemTime(nowTime time.Time) error {
 	return os.ErrInvalid
 }
--- a/common/settings/time_unix.go
+++ b/common/settings/time_unix.go
@@ -1,14 +0,0 @@
 //go:build linux || darwin
 package settings
 import (
 	"time"
 	"golang.org/x/sys/unix"
 )
 func SetSystemTime(nowTime time.Time) error {
 	timeVal := unix.NsecToTimeval(nowTime.UnixNano())
 	return unix.Settimeofday(&timeVal)
 }
--- a/common/settings/time_windows.go
+++ b/common/settings/time_windows.go
@@ -1,32 +0,0 @@
 package settings
 import (
 	"time"
 	"unsafe"
 	"golang.org/x/sys/windows"
 )
 func SetSystemTime(nowTime time.Time) error {
 	var systemTime windows.Systemtime
 	systemTime.Year = uint16(nowTime.Year())
 	systemTime.Month = uint16(nowTime.Month())
 	systemTime.Day = uint16(nowTime.Day())
 	systemTime.Hour = uint16(nowTime.Hour())
 	systemTime.Minute = uint16(nowTime.Minute())
 	systemTime.Second = uint16(nowTime.Second())
 	systemTime.Milliseconds = uint16(nowTime.UnixMilli() - nowTime.Unix()*1000)
 	dllKernel32 := windows.NewLazySystemDLL("kernel32.dll")
 	proc := dllKernel32.NewProc("SetSystemTime")
 	_, _, err := proc.Call(
 		uintptr(unsafe.Pointer(&systemTime)),
 	)
 	if err != nil && err.Error() != "The operation completed successfully." {
 		return err
 	}
 	return nil
 }
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -11,7 +11,6 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	mDNS "github.com/miekg/dns"
@@ -47,9 +46,6 @@ func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, pack
 	if err != nil {
 		return err
 	}
 	if len(msg.Question) == 0 || msg.Question[0].Qclass != mDNS.ClassINET || !M.IsDomainName(msg.Question[0].Name) {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolDNS
 	return nil
 }
--- a/common/sniff/dns_test.go
+++ b/common/sniff/dns_test.go
@@ -0,0 +1,23 @@
 package sniff_test
 import (
 	"context"
 	"encoding/hex"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffDNS(t *testing.T) {
 	t.Parallel()
 	query, err := hex.DecodeString("740701000001000000000000012a06676f6f676c6503636f6d0000010001")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.DomainNameQuery(context.TODO(), &metadata, query)
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolDNS, metadata.Protocol)
 }
--- a/common/sniff/ntp.go
+++ b/common/sniff/ntp.go
@@ -0,0 +1,58 @@
 package sniff
 import (
 	"context"
 	"encoding/binary"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 )
 func NTP(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	// NTP packets must be at least 48 bytes long (standard NTP header size).
 	pLen := len(packet)
 	if pLen < 48 {
 		return os.ErrInvalid
 	}
 	// Check the LI (Leap Indicator) and Version Number (VN) in the first byte.
 	// We'll primarily focus on ensuring the version is valid for NTP.
 	// Many NTP versions are used, but let's check for generally accepted ones (3 & 4 for IPv4, plus potential extensions/customizations)
 	firstByte := packet[0]
 	li := (firstByte >> 6) & 0x03 // Extract LI
 	vn := (firstByte >> 3) & 0x07 // Extract VN
 	mode := firstByte & 0x07      // Extract Mode
 	// Leap Indicator should be a valid value (0-3).
 	if li > 3 {
 		return os.ErrInvalid
 	}
 	// Version Check (common NTP versions are 3 and 4)
 	if vn != 3 && vn != 4 {
 		return os.ErrInvalid
 	}
 	// Check the Mode field for a client request (Mode 3).  This validates it *is* a request.
 	if mode != 3 {
 		return os.ErrInvalid
 	}
 	// Check Root Delay and Root Dispersion. While not strictly *required* for a request,
 	// we can check if they appear to be reasonable values (not excessively large).
 	rootDelay := binary.BigEndian.Uint32(packet[4:8])
 	rootDispersion := binary.BigEndian.Uint32(packet[8:12])
 	// Check for unreasonably large root delay and dispersion.  NTP RFC specifies max values of approximately 16 seconds.
 	// Convert to milliseconds for easy comparison.  Each unit is 1/2^16 seconds.
 	if float64(rootDelay)/65536.0 > 16.0 {
 		return os.ErrInvalid
 	}
 	if float64(rootDispersion)/65536.0 > 16.0 {
 		return os.ErrInvalid
 	}
 	metadata.Protocol = C.ProtocolNTP
 	return nil
 }
--- a/common/sniff/ntp_test.go
+++ b/common/sniff/ntp_test.go
@@ -0,0 +1,33 @@
 package sniff_test
 import (
 	"context"
 	"encoding/hex"
 	"os"
 	"testing"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffNTP(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("1b0006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.NTP(context.Background(), &metadata, packet)
 	require.NoError(t, err)
 	require.Equal(t, metadata.Protocol, C.ProtocolNTP)
 }
 func TestSniffNTPFailed(t *testing.T) {
 	t.Parallel()
 	packet, err := hex.DecodeString("400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.NTP(context.Background(), &metadata, packet)
 	require.ErrorIs(t, err, os.ErrInvalid)
 }
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -12,6 +12,26 @@ import (
 	"github.com/stretchr/testify/require"
 )
 func TestSniffQUICChromeNew(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("ca0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea4489ad89c322f75f9a383c90d126a0b21104cb519c2bb32e6a134e86896452e942b26c519b8c7ac9e4c99fae5e1f65cf08fb98443b30e4567932e8fb0789820d8f33037b59ac8113530258c9467dfb52489396dae01f099d28b234efa107fa411f2a1ffa2abe74988e03d662d4296024e95ce0fe1671724937157f77b84990478a2d4060676cf0827b4e8c600654111750414dafa0cccb332f3020c2922a015f445df5edc9c7d2d1ceea9fddcc9ff821c9183aa39a70da20fcc057579e1051c1c899148d6cf9d08b4919822082d040d1ce03ca4f216be6cb7ef03db6df0993ef1ccce5c8c648980554f41704526e1809d2545739f5872e75ec797db1c99f5682e2eda9363cb32aa367b7b363c782ddbacf874183cc15c8a2db068dd4093eebdd096ad33832a7939deb0a872279744f5a56dc001ba62fac973bf680f3b362bdd336add4dd102f462b773bf70bfce1921070a802a92025273a177186d1a643081b42175eb789ccddadb71033ef4feacbf6fd282ab622cf61669d73cda559e411c6ccdd8f003443b6933b7729b7a357aa4aa2fba0f365f829a4d497afb5dc2648a53bc9f3e786d955069d0a4781088a5463747dfe9958ea19ea444eae947ec6a67640955f710f93640084f3fbb8ad259b68dbc0ee0b7fab2d81bffd83ed8a6d33522dbfef43bec0a0fb4bdf1cb712dc4ced0680c0687fa240fd157baa232b1c84e14adce6421cf9270f9b3972f98fc67b344b8a4f1fb551e26f7f76d484ed9f8197f231dc5d9a44cc0ddce73d7f810a620851f4e97eb5037ab5135d7c3be5b80cc32d19910b8387aca64c93c02dc3e35238b78e6aff470722078982e58802844932b6041446bfdcc97ba640cbb86721bcd0f40f27b77aa6287ce5674ec1720134b9302875482c3269787e004b9edb483d44f326eef38c0e83cb46af96488c2e696bc2524567fb29c1e8edcd5a73615496d172d46a9d29e0505c0018b7bbb00165eca0389e09c4b1d73b6cc4a2f735a720650134a2e98e8105e20695cf231b92586237dfe0f99c897414e51c21627496276535f07abb53fb2b554376fe520fa45a3e944fd91dfe7a72aead08842b6b63d8edf861fb911954c83bd9a896eb9da4af5eff646455069d747facd4e77c254096843bff7c3e9031dbdf8dc37ea45f1122922fcbc322ec1378f3c7c1af0da62e1052e6210f1b23073f93a82d90e14cb20bc4501d487a1c848674d57a7c269b13590b3a99d8b8b4f6d0dfbd1d2cbbe7a32c0d5c84ae7ec438b0b19f3862d8fabaa828d06c7e3c6967405cd56a1ae90f38633e2ee0e3ecfca3df399fe12f029e0860a1a30da010300d0c94f0bf56091d00011488c1429928b21c739ebf50ba8be91116315d3173f6d2c56735722478c4d74392ba84d1727036b3d64e8c2263b0f33cb8086be587ca6b3940259c06afa2683868856529303ae12e91d7ca874568be7f2bfaa0656dfab0ed31ed90eaea10fb7f3433ec59a334abe6211d547fa0c825ac45d3691e749d15432008de83e9f6d98f368359137ae803d9189b3386f800c7c0cf4b615d1983cf82d9981a8105b60a80fe66c9b0d439b5ba153dd19e9e7483a01cf3b02b4597540b38e658d4eb8455e030b2bf2690bdd78c23f16fe5")
 	require.NoError(t, err)
 	var metadata adapter.InboundContext
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
 	require.Equal(t, metadata.Client, C.ClientChromium)
 	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
 	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
 	require.NoError(t, err)
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
 	pkt, err = hex.DecodeString("c20000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea4489e2ff30c43a5f63beb2e4501ce7754085bcbe838003a0b4bccb53863c0766df7eac073c2bdc170772b157997945acdc2ab2e84750cc9aa0ffa0fdc023da7fc565a14f87f7c563dbc9183dd226aab79957d263f66e64b85a1b15a24516bd2c7c04eea4fa0a34ef9849c21585db2e4adb7c05e265c4f38d8ffe4cbed0f3b0e68f3693bf1f726c3fb135b8e32a5d22931d7c55fc2ff4b9a354933ab14544df3cdaf3e3217dfb8d7feb3465dc34df6320ea486f12e5b2d609aaa5f4515c20c86fc440f8087be0ee3d339835746ae2573c2afdee6bb6ef7e9eb541feae9209391b2902cfb0bdaccd9da8d290714638b7da588d4a656ca6eabba78b7363922d6037cf060b161a42019d4feb4156459103cffdeefd0e63114af2b0e0c39e70ebc7fecb8dd1ebb8d60b2137f509bb7dcef5f1d3e06ab1d391466652d57440a410fb4f58a6ce1fb62feb453241f64e110709f59a3d9ebdac94f811337d0e4a80fd6b56b2a70cd6eebbf98e1661291da6bf5beb8b8afc376dfd20eb76afe709e8e8f28e0ef82105954e346546ad25973df43f4acddbec0ffd9b215f62abebebf71305b5ea993560316f69430bf5afe50420340622f802b5830f3bcebffff04980c75a59d28902879e5d51a4fb21062a4ae13c42297075b21d54ee04303879c1157e7470c1451673c98a2f3921f2f3e8f6acfe85b01caaca66b59e5ebffbfe68e5e9ab17e9a1b857eb409df91cb76767fc1814fd3c522a9b117edd0b02526e469cb4afb291a4dcc74c79b47ec6e7ce558c597129366f83ec306b11d2598c705fd4ee9ee99df6b7039bef13b08fc6f26853ad213829d24f895747d45a47414f931c583fb6c3e4f6c27d0c2b81a5f3cee390ec6314e1fec637e8d28b675e97caafdfbf8c25d34a635083a7553d219dd80dbb39087d74c6ad6192ca6f48a3ff8d47db41b2a492c63fcd780012780931dae0a325f9dcbd772d09a700f132c4bc1d9809b25b9751b694eb72a8ba4db7208d2b1bab63e1845208e4f841ea30218a559db98751589716b6d059ca673378f5fe7c7d8a1c82e14a561c47313bbcc278412ba86ffb2b87ec308eab9df696f5b4b54f8e361731bf232820a02a35fda7e5d4bf01b8f005ad299a055116e7b23c181f15a66442cf6032ca477bccc55b79d424eb4f245847bd81a581dc369dd20b1a4892733bde3c38e492c0039f69f2b947a4dc251a49ee7ccc0f36b3b75a555fa1d126db75f94dab60f52f6b15a877a0c380b59f82d35c570bc5f8051e9ef87db51f52383d47b50829b7f9e947ccc67aa280566aa48b4a85c1c7eca6f542789d8abcc050f1aa3cc221b6859656a21454aa21c7bfb9d12115f61c3ed46263ade68a8d3679fa62a659a5da7817406bd16618fccf33ed208ada1b03584e8b485d3cb6ed80a0774e60b6cd55aff64169ea998cf8235997049515abac58e0169ca07fb1c8c4c8b2803ba9d27b44c045d0a1cac86e5e188195c68001f53eb44851b6d821fc01ccbb41e27f38e6ddd66540c2d62ed6e0d551e22c0f26b60078c74a6302a1ed3d9e8fc0861257a63f6ac4e759fd54bff088becd28e30944a6c15db4fc8ae6244346869add946d9d92c430d737e042fa18b28a8ed64d1e8987ad9061cdc1335f")
 	require.NoError(t, err)
 	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
 	require.NoError(t, err)
 	require.Equal(t, "www.google.com", metadata.Domain)
 }
 func TestSniffQUICChromium(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -9,6 +9,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -34,7 +35,7 @@ func Skip(metadata *adapter.InboundContext) bool {
 	return false
 }
-func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
+func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.Conn, buffers []*buf.Buffer, buffer *buf.Buffer, timeout time.Duration, sniffers ...StreamSniffer) error {
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
@@ -55,7 +56,10 @@ func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.
 		}
 		errors = nil
 		for _, sniffer := range sniffers {
-			err = sniffer(ctx, metadata, bytes.NewReader(buffer.Bytes()))
+			reader := io.MultiReader(common.Map(append(buffers, buffer), func(it *buf.Buffer) io.Reader {
 				return bytes.NewReader(it.Bytes())
 			})...)
 			err = sniffer(ctx, metadata, reader)
 			if err == nil {
 				return nil
 			}
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -16,7 +16,7 @@ import (
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
-	"github.com/mholt/acmez/acme"
+	"github.com/mholt/acmez/v3/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -29,15 +29,12 @@ func NewClient(ctx context.Context, serverAddress string, options option.Outboun
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
+	if options.Reality != nil && options.Reality.Enabled {
 		return NewECHClient(ctx, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
 		return NewUTLSClient(ctx, serverAddress, options)
 	} else {
 		return NewSTDClient(ctx, serverAddress, options)
 	}
 	return NewSTDClient(ctx, serverAddress, options)
 }
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -0,0 +1,174 @@
 //go:build go1.24
 package tls
 import (
 	"context"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/pem"
 	"net"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	aTLS "github.com/sagernet/sing/common/tls"
 	"github.com/sagernet/sing/service"
 	mDNS "github.com/miekg/dns"
 	"golang.org/x/crypto/cryptobyte"
 )
 func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
 	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
 	} else if options.ECH.ConfigPath != "" {
 		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH config")
 		}
 		echConfig = content
 	}
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
 		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
 		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
 		return &STDClientConfig{tlsConfig}, nil
 	} else {
 		return &STDECHClientConfig{STDClientConfig{tlsConfig}, service.FromContext[adapter.DNSRouter](ctx)}, nil
 	}
 }
 func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
 	} else if options.ECH.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return E.Cause(err, "read ECH keys")
 		}
 		echKey = content
 		*echKeyPath = options.ECH.KeyPath
 	} else {
 		return E.New("missing ECH keys")
 	}
 	block, rest := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	//nolint:staticcheck
 	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
 		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
 	}
 	return nil
 }
 func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
 	echKey, err := os.ReadFile(echKeyPath)
 	if err != nil {
 		return E.Cause(err, "reload ECH keys from ", echKeyPath)
 	}
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {
 		return E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	return nil
 }
 type STDECHClientConfig struct {
 	STDClientConfig
 	dnsRouter adapter.DNSRouter
 }
 func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	if len(s.config.EncryptedClientHelloConfigList) == 0 {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
 					Name:   mDNS.Fqdn(s.config.ServerName),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
 			},
 		}
 		response, err := s.dnsRouter.Exchange(ctx, message, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, E.Cause(err, "fetch ECH config list")
 		}
 		if response.Rcode != mDNS.RcodeSuccess {
 			return nil, E.Cause(dns.RcodeError(response.Rcode), "fetch ECH config list")
 		}
 		for _, rr := range response.Answer {
 			switch resource := rr.(type) {
 			case *mDNS.HTTPS:
 				for _, value := range resource.Value {
 					if value.Key().String() == "ech" {
 						echConfigList, err := base64.StdEncoding.DecodeString(value.String())
 						if err != nil {
 							return nil, E.Cause(err, "decode ECH config")
 						}
 						s.config.EncryptedClientHelloConfigList = echConfigList
 					}
 				}
 			}
 		}
 		return nil, E.New("no ECH config found in DNS records")
 	}
 	tlsConn, err := s.Client(conn)
 	if err != nil {
 		return nil, err
 	}
 	err = tlsConn.HandshakeContext(ctx)
 	if err != nil {
 		return nil, err
 	}
 	return tlsConn, nil
 }
 func (s *STDECHClientConfig) Clone() Config {
 	return &STDECHClientConfig{STDClientConfig{s.config.Clone()}, s.dnsRouter}
 }
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {
 	var keys []tls.EncryptedClientHelloKey
 	rawString := cryptobyte.String(raw)
 	for !rawString.Empty() {
 		var key tls.EncryptedClientHelloKey
 		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
 			return nil, E.New("error parsing private key")
 		}
 		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
 			return nil, E.New("error parsing config")
 		}
 		keys = append(keys, key)
 	}
 	if len(keys) == 0 {
 		return nil, E.New("empty ECH keys")
 	}
 	return keys, nil
 }
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -1,243 +0,0 @@
 //go:build with_ech
 package tls
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
 	"strings"
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 	mDNS "github.com/miekg/dns"
 )
 type echClientConfig struct {
 	config *cftls.Config
 }
 func (c *echClientConfig) ServerName() string {
 	return c.config.ServerName
 }
 func (c *echClientConfig) SetServerName(serverName string) {
 	c.config.ServerName = serverName
 }
 func (c *echClientConfig) NextProtos() []string {
 	return c.config.NextProtos
 }
 func (c *echClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 func (c *echClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
 	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
 }
 func (c *echClientConfig) Clone() Config {
 	return &echClientConfig{
 		config: c.config.Clone(),
 	}
 }
 type echConnWrapper struct {
 	*cftls.Conn
 }
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
 	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
 		DidResume:                   state.DidResume,
 		CipherSuite:                 state.CipherSuite,
 		NegotiatedProtocol:          state.NegotiatedProtocol,
 		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
 		ServerName:                  state.ServerName,
 		PeerCertificates:            state.PeerCertificates,
 		VerifiedChains:              state.VerifiedChains,
 		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
 		OCSPResponse:                state.OCSPResponse,
 		TLSUnique:                   state.TLSUnique,
 	}
 }
 func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
 func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
 		if _, err := netip.ParseAddr(serverName); err != nil {
 			serverName = serverAddress
 		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
 	}
 	var tlsConfig cftls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
 		tlsConfig.ServerName = serverName
 	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyConnection = func(state cftls.ConnectionState) error {
 			verifyOptions := x509.VerifyOptions{
 				DNSName:       serverName,
 				Intermediates: x509.NewCertPool(),
 			}
 			for _, cert := range state.PeerCertificates[1:] {
 				verifyOptions.Intermediates.AddCert(cert)
 			}
 			_, err := state.PeerCertificates[0].Verify(verifyOptions)
 			return err
 		}
 	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN
 	}
 	if options.MinVersion != "" {
 		minVersion, err := ParseTLSVersion(options.MinVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse min_version")
 		}
 		tlsConfig.MinVersion = minVersion
 	}
 	if options.MaxVersion != "" {
 		maxVersion, err := ParseTLSVersion(options.MaxVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse max_version")
 		}
 		tlsConfig.MaxVersion = maxVersion
 	}
 	if options.CipherSuites != nil {
 	find:
 		for _, cipherSuite := range options.CipherSuites {
 			for _, tlsCipherSuite := range cftls.CipherSuites() {
 				if cipherSuite == tlsCipherSuite.Name {
 					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
 					continue find
 				}
 			}
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
 	var certificate []byte
 	if len(options.Certificate) > 0 {
 		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
 			return nil, E.Cause(err, "read certificate")
 		}
 		certificate = content
 	}
 	if len(certificate) > 0 {
 		certPool := x509.NewCertPool()
 		if !certPool.AppendCertsFromPEM(certificate) {
 			return nil, E.New("failed to parse certificate:\n\n", certificate)
 		}
 		tlsConfig.RootCAs = certPool
 	}
 	// ECH Config
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
 	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
 	} else if options.ECH.ConfigPath != "" {
 		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH config")
 		}
 		echConfig = content
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
 		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
 		if err != nil {
 			return nil, E.Cause(err, "parse ECH configs")
 		}
 		tlsConfig.ClientECHConfigs = echConfigs
 	} else {
 		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
 	}
 	return &echClientConfig{&tlsConfig}, nil
 }
 func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
 	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
 					Name:   serverName + ".",
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
 			},
 		}
 		response, err := service.FromContext[adapter.Router](ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}
 		if response.Rcode != mDNS.RcodeSuccess {
 			return nil, dns.RCodeError(response.Rcode)
 		}
 		for _, rr := range response.Answer {
 			switch resource := rr.(type) {
 			case *mDNS.HTTPS:
 				for _, value := range resource.Value {
 					if value.Key().String() == "ech" {
 						echConfig, err := base64.StdEncoding.DecodeString(value.String())
 						if err != nil {
 							return nil, E.Cause(err, "decode ECH config")
 						}
 						return cftls.UnmarshalECHConfigs(echConfig)
 					}
 				}
 			default:
 				return nil, E.New("unknown resource record type: ", resource.Header().Rrtype)
 			}
 		}
 		return nil, E.New("no ECH config found")
 	}
 }
--- a/common/tls/ech_keygen.go
+++ b/common/tls/ech_keygen.go
@@ -1,5 +1,3 @@
 //go:build with_ech
 package tls
 import (
@@ -7,14 +5,13 @@ import (
 	"encoding/binary"
 	"encoding/pem"
 	cftls "github.com/sagernet/cloudflare-tls"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/cloudflare/circl/hpke"
 	"github.com/cloudflare/circl/kem"
 )
-func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
 	cipherSuites := []echCipherSuite{
 		{
 			kdf:  hpke.KDF_HKDF_SHA256,
@@ -24,13 +21,9 @@ func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (config
 			aead: hpke.AEAD_ChaCha20Poly1305,
 		},
 	}
 	keyConfig := []myECHKeyConfig{
 		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
 	}
 	if pqSignatureSchemesEnabled {
 		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
 	}
 	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
 	if err != nil {
@@ -59,7 +52,6 @@ func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (config
 type echKeyConfigPair struct {
 	id      uint8
 	key     cftls.EXP_ECHKey
 	rawKey  []byte
 	conf    myECHKeyConfig
 	rawConf []byte
@@ -155,15 +147,6 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		sk = append(sk, secBuf...)
 		sk = be.AppendUint16(sk, uint16(len(b)))
 		sk = append(sk, b...)
 		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
 		if err != nil {
 			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
 		}
 		if len(cfECHKeys) != 1 {
 			return nil, E.New("bug: unexpected server key count")
 		}
 		pair.key = cfECHKeys[0]
 		pair.rawKey = sk
 		pairs = append(pairs, pair)
--- a/common/tls/ech_quic.go
+++ b/common/tls/ech_quic.go
@@ -1,55 +0,0 @@
 //go:build with_quic && with_ech
 package tls
 import (
 	"context"
 	"net"
 	"net/http"
 	"github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/quic-go/ech"
 	"github.com/sagernet/quic-go/http3_ech"
 	"github.com/sagernet/sing-quic"
 	M "github.com/sagernet/sing/common/metadata"
 )
 var (
 	_ qtls.Config       = (*echClientConfig)(nil)
 	_ qtls.ServerConfig = (*echServerConfig)(nil)
 )
 func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
 	return quic.Dial(ctx, conn, addr, c.config, config)
 }
 func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
 	return quic.DialEarly(ctx, conn, addr, c.config, config)
 }
 func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
 	return &http3.Transport{
 		TLSClientConfig: c.config,
 		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
 			if err != nil {
 				return nil, err
 			}
 			*quicConnPtr = quicConn
 			return quicConn, nil
 		},
 	}
 }
 func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
 	return quic.Listen(conn, c.config, config)
 }
 func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
 	return quic.ListenEarly(conn, c.config, config)
 }
 func (c *echServerConfig) ConfigureHTTP3() {
 	http3.ConfigureTLSConfig(c.config)
 }
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -1,278 +0,0 @@
 //go:build with_ech
 package tls
 import (
 	"context"
 	"crypto/tls"
 	"encoding/pem"
 	"net"
 	"os"
 	"strings"
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 )
 type echServerConfig struct {
 	config          *cftls.Config
 	logger          log.Logger
 	certificate     []byte
 	key             []byte
 	certificatePath string
 	keyPath         string
 	echKeyPath      string
 	watcher         *fswatch.Watcher
 }
 func (c *echServerConfig) ServerName() string {
 	return c.config.ServerName
 }
 func (c *echServerConfig) SetServerName(serverName string) {
 	c.config.ServerName = serverName
 }
 func (c *echServerConfig) NextProtos() []string {
 	return c.config.NextProtos
 }
 func (c *echServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }
 func (c *echServerConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
 	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
 }
 func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
 	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
 }
 func (c *echServerConfig) Clone() Config {
 	return &echServerConfig{
 		config: c.config.Clone(),
 	}
 }
 func (c *echServerConfig) Start() error {
 	err := c.startWatcher()
 	if err != nil {
 		c.logger.Warn("create credentials watcher: ", err)
 	}
 	return nil
 }
 func (c *echServerConfig) startWatcher() error {
 	var watchPath []string
 	if c.certificatePath != "" {
 		watchPath = append(watchPath, c.certificatePath)
 	}
 	if c.keyPath != "" {
 		watchPath = append(watchPath, c.keyPath)
 	}
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
 	if len(watchPath) == 0 {
 		return nil
 	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
 			err := c.credentialsUpdated(path)
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload credentials from ", path))
 			}
 		},
 	})
 	if err != nil {
 		return err
 	}
 	err = watcher.Start()
 	if err != nil {
 		return err
 	}
 	c.watcher = watcher
 	return nil
 }
 func (c *echServerConfig) credentialsUpdated(path string) error {
 	if path == c.certificatePath || path == c.keyPath {
 		if path == c.certificatePath {
 			certificate, err := os.ReadFile(c.certificatePath)
 			if err != nil {
 				return err
 			}
 			c.certificate = certificate
 		} else {
 			key, err := os.ReadFile(c.keyPath)
 			if err != nil {
 				return err
 			}
 			c.key = key
 		}
 		keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
 		if err != nil {
 			return E.Cause(err, "parse key pair")
 		}
 		c.config.Certificates = []cftls.Certificate{keyPair}
 		c.logger.Info("reloaded TLS certificate")
 	} else {
 		echKeyContent, err := os.ReadFile(c.echKeyPath)
 		if err != nil {
 			return err
 		}
 		block, rest := pem.Decode(echKeyContent)
 		if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 			return E.New("invalid ECH keys pem")
 		}
 		echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
 		if err != nil {
 			return E.Cause(err, "parse ECH keys")
 		}
 		echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
 		if err != nil {
 			return E.Cause(err, "create ECH key set")
 		}
 		c.config.ServerECHProvider = echKeySet
 		c.logger.Info("reloaded ECH keys")
 	}
 	return nil
 }
 func (c *echServerConfig) Close() error {
 	var err error
 	if c.watcher != nil {
 		err = E.Append(err, c.watcher.Close(), func(err error) error {
 			return E.Cause(err, "close credentials watcher")
 		})
 	}
 	return err
 }
 func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	var tlsConfig cftls.Config
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in ech")
 	}
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
 	}
 	if options.MinVersion != "" {
 		minVersion, err := ParseTLSVersion(options.MinVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse min_version")
 		}
 		tlsConfig.MinVersion = minVersion
 	}
 	if options.MaxVersion != "" {
 		maxVersion, err := ParseTLSVersion(options.MaxVersion)
 		if err != nil {
 			return nil, E.Cause(err, "parse max_version")
 		}
 		tlsConfig.MaxVersion = maxVersion
 	}
 	if options.CipherSuites != nil {
 	find:
 		for _, cipherSuite := range options.CipherSuites {
 			for _, tlsCipherSuite := range tls.CipherSuites() {
 				if cipherSuite == tlsCipherSuite.Name {
 					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
 					continue find
 				}
 			}
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
 	var certificate []byte
 	var key []byte
 	if len(options.Certificate) > 0 {
 		certificate = []byte(strings.Join(options.Certificate, "\n"))
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
 			return nil, E.Cause(err, "read certificate")
 		}
 		certificate = content
 	}
 	if len(options.Key) > 0 {
 		key = []byte(strings.Join(options.Key, "\n"))
 	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read key")
 		}
 		key = content
 	}
 	if certificate == nil {
 		return nil, E.New("missing certificate")
 	} else if key == nil {
 		return nil, E.New("missing key")
 	}
 	keyPair, err := cftls.X509KeyPair(certificate, key)
 	if err != nil {
 		return nil, E.Cause(err, "parse x509 key pair")
 	}
 	tlsConfig.Certificates = []cftls.Certificate{keyPair}
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
 	} else if options.ECH.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH key")
 		}
 		echKey = content
 	} else {
 		return nil, E.New("missing ECH key")
 	}
 	block, rest := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return nil, E.New("invalid ECH keys pem")
 	}
 	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return nil, E.Cause(err, "parse ECH keys")
 	}
 	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
 	if err != nil {
 		return nil, E.Cause(err, "create ECH key set")
 	}
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
 	tlsConfig.ServerECHProvider = echKeySet
 	return &echServerConfig{
 		config:          &tlsConfig,
 		logger:          logger,
 		certificate:     certificate,
 		key:             key,
 		certificatePath: options.CertificatePath,
 		keyPath:         options.KeyPath,
 		echKeyPath:      options.ECH.KeyPath,
 	}, nil
 }
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -1,25 +1,23 @@
-//go:build !with_ech
+//go:build !go1.24
 package tls
 import (
 	"context"
 	"crypto/tls"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
-var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
-
+	return nil, E.New("ECH requires go1.24, please recompile your binary.")
 func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, errECHNotIncluded
 }
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
-	return nil, errECHNotIncluded
+	return E.New("ECH requires go1.24, please recompile your binary.")
 }
-func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
-	return "", "", errECHNotIncluded
+	return E.New("ECH requires go1.24, please recompile your binary.")
 }
--- a/common/tls/mkcert.go
+++ b/common/tls/mkcert.go
@@ -11,8 +11,11 @@ import (
 	"time"
 )
-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
+	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	privateKeyPem, publicKeyPem, err := GenerateCertificate(parent, parentKey, timeFunc, serverName, timeFunc().Add(time.Hour))
 	if err != nil {
 		return nil, err
 	}
@@ -23,10 +26,7 @@ func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Cer
 	return &certificate, err
 }
-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateCertificate(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return
@@ -47,7 +47,11 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 		},
 		DNSNames: []string{serverName},
 	}
-	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
+	if parent == nil {
 		parent = template
 		parentKey = key
 	}
 	publicDer, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), parentKey)
 	if err != nil {
 		return
 	}
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -27,9 +27,11 @@ import (
 	"time"
 	"unsafe"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
 	utls "github.com/sagernet/utls"
@@ -40,6 +42,7 @@ import (
 var _ ConfigCompat = (*RealityClientConfig)(nil)
 type RealityClientConfig struct {
 	ctx       context.Context
 	uClient   *UTLSClientConfig
 	publicKey []byte
 	shortID   [8]byte
@@ -70,7 +73,7 @@ func NewRealityClient(ctx context.Context, serverAddress string, options option.
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-	return &RealityClientConfig{uClient, publicKey, shortID}, nil
+	return &RealityClientConfig{ctx, uClient, publicKey, shortID}, nil
 }
 func (e *RealityClientConfig) ServerName() string {
@@ -180,20 +183,24 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	}
 	if !verifier.verified {
-		go realityClientFallback(uConn, e.uClient.ServerName(), e.uClient.id)
+		go realityClientFallback(e.ctx, uConn, e.uClient.ServerName(), e.uClient.id)
 		return nil, E.New("reality verification failed")
 	}
-	return &utlsConnWrapper{uConn}, nil
+	return &realityClientConnWrapper{uConn}, nil
 }
-func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
+func realityClientFallback(ctx context.Context, uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
 	defer uConn.Close()
 	client := &http.Client{
 		Transport: &http2.Transport{
 			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
 				return uConn, nil
 			},
 			TLSClientConfig: &tls.Config{
 				Time:    ntp.TimeFuncFromContext(ctx),
 				RootCAs: adapter.RootPoolFromContext(ctx),
 			},
 		},
 	}
 	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
@@ -213,6 +220,7 @@ func (e *RealityClientConfig) SetSessionIDGenerator(generator func(clientHello [
 func (e *RealityClientConfig) Clone() Config {
 	return &RealityClientConfig{
 		e.ctx,
 		e.uClient.Clone().(*UTLSClientConfig),
 		e.publicKey,
 		e.shortID,
@@ -249,3 +257,36 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 	}
 	return nil
 }
 type realityClientConnWrapper struct {
 	*utls.UConn
 }
 func (c *realityClientConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
 	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
 		DidResume:                   state.DidResume,
 		CipherSuite:                 state.CipherSuite,
 		NegotiatedProtocol:          state.NegotiatedProtocol,
 		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
 		ServerName:                  state.ServerName,
 		PeerCertificates:            state.PeerCertificates,
 		VerifiedChains:              state.VerifiedChains,
 		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
 		OCSPResponse:                state.OCSPResponse,
 		TLSUnique:                   state.TLSUnique,
 	}
 }
 func (c *realityClientConnWrapper) Upstream() any {
 	return c.UConn
 }
 // Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
 // We fixed it by calling Close() directly.
 func (c *realityClientConnWrapper) CloseWrite() error {
 	return c.Close()
 }
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -101,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}
-	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions, options.Reality.Handshake.ServerIsDomain())
 	if err != nil {
 		return nil, err
 	}
@@ -194,3 +194,9 @@ func (c *realityConnWrapper) ConnectionState() ConnectionState {
 func (c *realityConnWrapper) Upstream() any {
 	return c.Conn
 }
 // Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
 // We fixed it by calling Close() directly.
 func (c *realityConnWrapper) CloseWrite() error {
 	return c.Close()
 }
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -16,13 +16,10 @@ func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLS
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
+	if options.Reality != nil && options.Reality.Enabled {
 		return NewECHServer(ctx, logger, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityServer(ctx, logger, options)
 	} else {
 		return NewSTDServer(ctx, logger, options)
 	}
 	return NewSTDServer(ctx, logger, options)
 }
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -5,10 +5,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
@@ -51,9 +51,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		if _, err := netip.ParseAddr(serverName); err != nil {
+		serverName = serverAddress
 			serverName = serverAddress
 		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
@@ -61,6 +59,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	var tlsConfig tls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -128,5 +127,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
 	if options.ECH != nil && options.ECH.Enabled {
 		return parseECHClientConfig(ctx, options, &tlsConfig)
 	}
 	return &STDClientConfig{&tlsConfig}, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -26,6 +26,7 @@ type STDServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
 	echKeyPath      string
 	watcher         *fswatch.Watcher
 }
@@ -94,12 +95,15 @@ func (c *STDServerConfig) startWatcher() error {
 	if c.keyPath != "" {
 		watchPath = append(watchPath, c.keyPath)
 	}
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
 			err := c.certificateUpdated(path)
 			if err != nil {
-				c.logger.Error(err)
+				c.logger.Error(E.Cause(err, "reload certificate"))
 			}
 		},
 	})
@@ -115,25 +119,33 @@ func (c *STDServerConfig) startWatcher() error {
 }
 func (c *STDServerConfig) certificateUpdated(path string) error {
-	if path == c.certificatePath {
+	if path == c.certificatePath || path == c.keyPath {
-		certificate, err := os.ReadFile(c.certificatePath)
+		if path == c.certificatePath {
-		if err != nil {
+			certificate, err := os.ReadFile(c.certificatePath)
-			return E.Cause(err, "reload certificate from ", c.certificatePath)
+			if err != nil {
 				return E.Cause(err, "reload certificate from ", c.certificatePath)
 			}
 			c.certificate = certificate
 		} else if path == c.keyPath {
 			key, err := os.ReadFile(c.keyPath)
 			if err != nil {
 				return E.Cause(err, "reload key from ", c.keyPath)
 			}
 			c.key = key
 		}
-		c.certificate = certificate
+		keyPair, err := tls.X509KeyPair(c.certificate, c.key)
 	} else if path == c.keyPath {
 		key, err := os.ReadFile(c.keyPath)
 		if err != nil {
-			return E.Cause(err, "reload key from ", c.keyPath)
+			return E.Cause(err, "reload key pair")
 		}
-		c.key = key
+		c.config.Certificates = []tls.Certificate{keyPair}
 		c.logger.Info("reloaded TLS certificate")
 	} else if path == c.echKeyPath {
 		err := reloadECHKeys(c.echKeyPath, c.config)
 		if err != nil {
 			return err
 		}
 		c.logger.Info("reloaded ECH keys")
 	}
 	keyPair, err := tls.X509KeyPair(c.certificate, c.key)
 	if err != nil {
 		return E.Cause(err, "reload key pair")
 	}
 	c.config.Certificates = []tls.Certificate{keyPair}
 	c.logger.Info("reloaded TLS certificate")
 	return nil
 }
@@ -222,7 +234,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(nil, nil, ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {
@@ -238,6 +250,13 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 	}
 	var echKeyPath string
 	if options.ECH != nil && options.ECH.Enabled {
 		err = parseECHServerConfig(ctx, options, tlsConfig, &echKeyPath)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return &STDServerConfig{
 		config:          tlsConfig,
 		logger:          logger,
@@ -246,5 +265,6 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		key:             key,
 		certificatePath: options.CertificatePath,
 		keyPath:         options.KeyPath,
 		echKeyPath:      echKeyPath,
 	}, nil
 }
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
@@ -130,6 +131,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
--- a/common/tlsfragment/conn.go
+++ b/common/tlsfragment/conn.go
@@ -0,0 +1,107 @@
 package tf
 import (
 	"context"
 	"math/rand"
 	"net"
 	"strings"
 	"time"
 	N "github.com/sagernet/sing/common/network"
 	"golang.org/x/net/publicsuffix"
 )
 type Conn struct {
 	net.Conn
 	tcpConn            *net.TCPConn
 	ctx                context.Context
 	firstPacketWritten bool
 	fallbackDelay      time.Duration
 }
 func NewConn(conn net.Conn, ctx context.Context, fallbackDelay time.Duration) (*Conn, error) {
 	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
 	return &Conn{
 		Conn:          conn,
 		tcpConn:       tcpConn,
 		ctx:           ctx,
 		fallbackDelay: fallbackDelay,
 	}, nil
 }
 func (c *Conn) Write(b []byte) (n int, err error) {
 	if !c.firstPacketWritten {
 		defer func() {
 			c.firstPacketWritten = true
 		}()
 		serverName := indexTLSServerName(b)
 		if serverName != nil {
 			if c.tcpConn != nil {
 				err = c.tcpConn.SetNoDelay(true)
 				if err != nil {
 					return
 				}
 			}
 			splits := strings.Split(serverName.ServerName, ".")
 			currentIndex := serverName.Index
 			if publicSuffix := publicsuffix.List.PublicSuffix(serverName.ServerName); publicSuffix != "" {
 				splits = splits[:len(splits)-strings.Count(serverName.ServerName, ".")]
 			}
 			if len(splits) > 1 && splits[0] == "..." {
 				currentIndex += len(splits[0]) + 1
 				splits = splits[1:]
 			}
 			var splitIndexes []int
 			for i, split := range splits {
 				splitAt := rand.Intn(len(split))
 				splitIndexes = append(splitIndexes, currentIndex+splitAt)
 				currentIndex += len(split)
 				if i != len(splits)-1 {
 					currentIndex++
 				}
 			}
 			for i := 0; i <= len(splitIndexes); i++ {
 				var payload []byte
 				if i == 0 {
 					payload = b[:splitIndexes[i]]
 				} else if i == len(splitIndexes) {
 					payload = b[splitIndexes[i-1]:]
 				} else {
 					payload = b[splitIndexes[i-1]:splitIndexes[i]]
 				}
 				if c.tcpConn != nil && i != len(splitIndexes) {
 					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
 					if err != nil {
 						return
 					}
 				} else {
 					_, err = c.Conn.Write(payload)
 					if err != nil {
 						return
 					}
 				}
 			}
 			if c.tcpConn != nil {
 				err = c.tcpConn.SetNoDelay(false)
 				if err != nil {
 					return
 				}
 			}
 			return len(b), nil
 		}
 	}
 	return c.Conn.Write(b)
 }
 func (c *Conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *Conn) WriterReplaceable() bool {
 	return c.firstPacketWritten
 }
 func (c *Conn) Upstream() any {
 	return c.Conn
 }
--- a/common/tlsfragment/index.go
+++ b/common/tlsfragment/index.go
@@ -0,0 +1,131 @@
 package tf
 import (
 	"encoding/binary"
 )
 const (
 	recordLayerHeaderLen    int    = 5
 	handshakeHeaderLen      int    = 6
 	randomDataLen           int    = 32
 	sessionIDHeaderLen      int    = 1
 	cipherSuiteHeaderLen    int    = 2
 	compressMethodHeaderLen int    = 1
 	extensionsHeaderLen     int    = 2
 	extensionHeaderLen      int    = 4
 	sniExtensionHeaderLen   int    = 5
 	contentType             uint8  = 22
 	handshakeType           uint8  = 1
 	sniExtensionType        uint16 = 0
 	sniNameDNSHostnameType  uint8  = 0
 	tlsVersionBitmask       uint16 = 0xFFFC
 	tls13                   uint16 = 0x0304
 )
 type myServerName struct {
 	Index      int
 	Length     int
 	ServerName string
 }
 func indexTLSServerName(payload []byte) *myServerName {
 	if len(payload) < recordLayerHeaderLen || payload[0] != contentType {
 		return nil
 	}
 	segmentLen := binary.BigEndian.Uint16(payload[3:5])
 	if len(payload) < recordLayerHeaderLen+int(segmentLen) {
 		return nil
 	}
 	serverName := indexTLSServerNameFromHandshake(payload[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)])
 	if serverName == nil {
 		return nil
 	}
 	serverName.Length += recordLayerHeaderLen
 	return serverName
 }
 func indexTLSServerNameFromHandshake(hs []byte) *myServerName {
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
 		return nil
 	}
 	if hs[0] != handshakeType {
 		return nil
 	}
 	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
 	if len(hs[4:]) != int(handshakeLen) {
 		return nil
 	}
 	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
 	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
 		return nil
 	}
 	sessionIDLen := hs[38]
 	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
 		return nil
 	}
 	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
 	if len(cs) < cipherSuiteHeaderLen {
 		return nil
 	}
 	csLen := uint16(cs[0])<<8 | uint16(cs[1])
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
 		return nil
 	}
 	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
 	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
 		return nil
 	}
 	currentIndex := cipherSuiteHeaderLen + int(csLen) + compressMethodHeaderLen + int(compressMethodLen)
 	serverName := indexTLSServerNameFromExtensions(cs[currentIndex:])
 	if serverName == nil {
 		return nil
 	}
 	serverName.Index += currentIndex
 	return serverName
 }
 func indexTLSServerNameFromExtensions(exs []byte) *myServerName {
 	if len(exs) == 0 {
 		return nil
 	}
 	if len(exs) < extensionsHeaderLen {
 		return nil
 	}
 	exsLen := uint16(exs[0])<<8 | uint16(exs[1])
 	exs = exs[extensionsHeaderLen:]
 	if len(exs) < int(exsLen) {
 		return nil
 	}
 	for currentIndex := extensionsHeaderLen; len(exs) > 0; {
 		if len(exs) < extensionHeaderLen {
 			return nil
 		}
 		exType := uint16(exs[0])<<8 | uint16(exs[1])
 		exLen := uint16(exs[2])<<8 | uint16(exs[3])
 		if len(exs) < extensionHeaderLen+int(exLen) {
 			return nil
 		}
 		sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
 		switch exType {
 		case sniExtensionType:
 			if len(sex) < sniExtensionHeaderLen {
 				return nil
 			}
 			sniType := sex[2]
 			if sniType != sniNameDNSHostnameType {
 				return nil
 			}
 			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
 			sex = sex[sniExtensionHeaderLen:]
 			return &myServerName{
 				Index:      currentIndex + extensionHeaderLen + sniExtensionHeaderLen,
 				Length:     int(sniLen),
 				ServerName: string(sex),
 			}
 		}
 		exs = exs[4+exLen:]
 		currentIndex += 4 + int(exLen)
 	}
 	return nil
 }
--- a/common/tlsfragment/wait_darwin.go
+++ b/common/tlsfragment/wait_darwin.go
@@ -0,0 +1,93 @@
 package tf
 import (
 	"context"
 	"net"
 	"time"
 	"github.com/sagernet/sing/common/control"
 	"golang.org/x/sys/unix"
 )
 /*
 const tcpMaxNotifyAck = 10
 type tcpNotifyAckID uint32
 	type tcpNotifyAckComplete struct {
 		NotifyPending       uint32
 		NotifyCompleteCount uint32
 		NotifyCompleteID    [tcpMaxNotifyAck]tcpNotifyAckID
 	}
 var sizeOfTCPNotifyAckComplete = int(unsafe.Sizeof(tcpNotifyAckComplete{}))
 	func getsockoptTCPNotifyAckComplete(fd, level, opt int) (*tcpNotifyAckComplete, error) {
 		var value tcpNotifyAckComplete
 		vallen := uint32(sizeOfTCPNotifyAckComplete)
 		err := getsockopt(fd, level, opt, unsafe.Pointer(&value), &vallen)
 		return &value, err
 	}
 //go:linkname getsockopt golang.org/x/sys/unix.getsockopt
 func getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *uint32) error
 	func waitAck(ctx context.Context, conn *net.TCPConn, _ time.Duration) error {
 		const TCP_NOTIFY_ACKNOWLEDGEMENT = 0x212
 		return control.Conn(conn, func(fd uintptr) error {
 			err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, TCP_NOTIFY_ACKNOWLEDGEMENT, 1)
 			if err != nil {
 				if errors.Is(err, unix.EINVAL) {
 					return waitAckFallback(ctx, conn, 0)
 				}
 				return err
 			}
 			for {
 				select {
 				case <-ctx.Done():
 					return ctx.Err()
 				default:
 				}
 				var ackComplete *tcpNotifyAckComplete
 				ackComplete, err = getsockoptTCPNotifyAckComplete(int(fd), unix.IPPROTO_TCP, TCP_NOTIFY_ACKNOWLEDGEMENT)
 				if err != nil {
 					return err
 				}
 				if ackComplete.NotifyPending == 0 {
 					return nil
 				}
 				time.Sleep(10 * time.Millisecond)
 			}
 		})
 	}
 */
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
 	_, err := conn.Write(payload)
 	if err != nil {
 		return err
 	}
 	return control.Conn(conn, func(fd uintptr) error {
 		start := time.Now()
 		for {
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
 			default:
 			}
 			unacked, err := unix.GetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_NWRITE)
 			if err != nil {
 				return err
 			}
 			if unacked == 0 {
 				if time.Since(start) <= 20*time.Millisecond {
 					// under transparent proxy
 					time.Sleep(fallbackDelay)
 				}
 				return nil
 			}
 			time.Sleep(10 * time.Millisecond)
 		}
 	})
 }
--- a/common/tlsfragment/wait_linux.go
+++ b/common/tlsfragment/wait_linux.go
@@ -0,0 +1,40 @@
 package tf
 import (
 	"context"
 	"net"
 	"time"
 	"github.com/sagernet/sing/common/control"
 	"golang.org/x/sys/unix"
 )
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
 	_, err := conn.Write(payload)
 	if err != nil {
 		return err
 	}
 	return control.Conn(conn, func(fd uintptr) error {
 		start := time.Now()
 		for {
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
 			default:
 			}
 			tcpInfo, err := unix.GetsockoptTCPInfo(int(fd), unix.IPPROTO_TCP, unix.TCP_INFO)
 			if err != nil {
 				return err
 			}
 			if tcpInfo.Unacked == 0 {
 				if time.Since(start) <= 20*time.Millisecond {
 					// under transparent proxy
 					time.Sleep(fallbackDelay)
 				}
 				return nil
 			}
 			time.Sleep(10 * time.Millisecond)
 		}
 	})
 }
--- a/common/tlsfragment/wait_stub.go
+++ b/common/tlsfragment/wait_stub.go
@@ -0,0 +1,14 @@
 //go:build !(linux || darwin || windows)
 package tf
 import (
 	"context"
 	"net"
 	"time"
 )
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
 	time.Sleep(fallbackDelay)
 	return nil
 }
--- a/common/tlsfragment/wait_windows.go
+++ b/common/tlsfragment/wait_windows.go
@@ -0,0 +1,28 @@
 package tf
 import (
 	"context"
 	"errors"
 	"net"
 	"time"
 	"github.com/sagernet/sing/common/winiphlpapi"
 	"golang.org/x/sys/windows"
 )
 func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
 	start := time.Now()
 	err := winiphlpapi.WriteAndWaitAck(ctx, conn, payload)
 	if err != nil {
 		if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
 			time.Sleep(fallbackDelay)
 			return nil
 		}
 		return err
 	}
 	if time.Since(start) <= 20*time.Millisecond {
 		time.Sleep(fallbackDelay)
 	}
 	return nil
 }
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -2,32 +2,32 @@ package urltest
 import (
 	"context"
 	"crypto/tls"
 	"net"
 	"net/http"
 	"net/url"
 	"sync"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
 )
-type History struct {
+var _ adapter.URLTestHistoryStorage = (*HistoryStorage)(nil)
 	Time  time.Time `json:"time"`
 	Delay uint16    `json:"delay"`
 }
 type HistoryStorage struct {
 	access       sync.RWMutex
-	delayHistory map[string]*History
+	delayHistory map[string]*adapter.URLTestHistory
 	updateHook   chan<- struct{}
 }
 func NewHistoryStorage() *HistoryStorage {
 	return &HistoryStorage{
-		delayHistory: make(map[string]*History),
+		delayHistory: make(map[string]*adapter.URLTestHistory),
 	}
 }
@@ -35,7 +35,7 @@ func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
 	s.updateHook = hook
 }
-func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
+func (s *HistoryStorage) LoadURLTestHistory(tag string) *adapter.URLTestHistory {
 	if s == nil {
 		return nil
 	}
@@ -51,7 +51,7 @@ func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.notifyUpdated()
 }
-func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
+func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTestHistory) {
 	s.access.Lock()
 	s.delayHistory[tag] = history
 	s.access.Unlock()
@@ -110,6 +110,10 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return instance, nil
 			},
 			TLSClientConfig: &tls.Config{
 				Time:    ntp.TimeFuncFromContext(ctx),
 				RootCAs: adapter.RootPoolFromContext(ctx),
 			},
 		},
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
--- a/constant/certificate.go
+++ b/constant/certificate.go
@@ -0,0 +1,7 @@
 package constant
 const (
 	CertificateStoreSystem  = "system"
 	CertificateStoreMozilla = "mozilla"
 	CertificateStoreNone    = "none"
 )
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -1,5 +1,35 @@
 package constant
 const (
 	DefaultDNSTTL = 600
 )
 type DomainStrategy = uint8
 const (
 	DomainStrategyAsIS DomainStrategy = iota
 	DomainStrategyPreferIPv4
 	DomainStrategyPreferIPv6
 	DomainStrategyIPv4Only
 	DomainStrategyIPv6Only
 )
 const (
 	DNSTypeLegacy      = "legacy"
 	DNSTypeLegacyRcode = "legacy_rcode"
 	DNSTypeUDP         = "udp"
 	DNSTypeTCP         = "tcp"
 	DNSTypeTLS         = "tls"
 	DNSTypeHTTPS       = "https"
 	DNSTypeQUIC        = "quic"
 	DNSTypeHTTP3       = "h3"
 	DNSTypeLocal       = "local"
 	DNSTypeHosts       = "hosts"
 	DNSTypeFakeIP      = "fakeip"
 	DNSTypeDHCP        = "dhcp"
 	DNSTypeTailscale   = "tailscale"
 )
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -19,11 +19,12 @@ const (
 	TypeTor          = "tor"
 	TypeSSH          = "ssh"
 	TypeShadowTLS    = "shadowtls"
 	TypeAnyTLS       = "anytls"
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
-	TypeNDIS         = "ndis"
+	TypeTailscale    = "tailscale"
 )
 const (
@@ -77,12 +78,12 @@ func ProxyDisplayName(proxyType string) string {
 		return "TUIC"
 	case TypeHysteria2:
 		return "Hysteria2"
 	case TypeAnyTLS:
 		return "AnyTLS"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
 		return "URLTest"
 	case TypeNDIS:
 		return "NDIS"
 	default:
 		return "Unknown"
 	}
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -33,6 +33,7 @@ const (
 	RuleActionTypeHijackDNS    = "hijack-dns"
 	RuleActionTypeSniff        = "sniff"
 	RuleActionTypeResolve      = "resolve"
 	RuleActionTypePredefined   = "predefined"
 )
 const (
--- a/constant/timeout.go
+++ b/constant/timeout.go
@@ -16,6 +16,7 @@ const (
 	StopTimeout                = 5 * time.Second
 	FatalStopTimeout           = 10 * time.Second
 	FakeIPMetadataSaveInterval = 10 * time.Second
 	TLSFragmentFallbackDelay   = 500 * time.Millisecond
 )
 var PortProtocols = map[uint16]string{
--- a/debug.go
+++ b/debug.go
@@ -3,6 +3,7 @@ package box
 import (
 	"runtime/debug"
 	"github.com/sagernet/sing-box/common/conntrack"
 	"github.com/sagernet/sing-box/option"
 )
@@ -25,5 +26,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	}
 	if options.MemoryLimit != 0 {
 		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
 		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller
 	}
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -0,0 +1,633 @@
 package dns
 import (
 	"context"
 	"net"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	dns "github.com/miekg/dns"
 )
 var (
 	ErrNoRawSupport           = E.New("no raw query support by current transport")
 	ErrNotCached              = E.New("not cached")
 	ErrResponseRejected       = E.New("response rejected")
 	ErrResponseRejectedCached = E.Extend(ErrResponseRejected, "cached")
 )
 var _ adapter.DNSClient = (*Client)(nil)
 type Client struct {
 	timeout          time.Duration
 	disableCache     bool
 	disableExpire    bool
 	independentCache bool
 	rdrc             adapter.RDRCStore
 	initRDRCFunc     func() adapter.RDRCStore
 	logger           logger.ContextLogger
 	cache            freelru.Cache[dns.Question, *dns.Msg]
 	transportCache   freelru.Cache[transportCacheKey, *dns.Msg]
 }
 type ClientOptions struct {
 	Timeout          time.Duration
 	DisableCache     bool
 	DisableExpire    bool
 	IndependentCache bool
 	CacheCapacity    uint32
 	RDRC             func() adapter.RDRCStore
 	Logger           logger.ContextLogger
 }
 func NewClient(options ClientOptions) *Client {
 	client := &Client{
 		timeout:          options.Timeout,
 		disableCache:     options.DisableCache,
 		disableExpire:    options.DisableExpire,
 		independentCache: options.IndependentCache,
 		initRDRCFunc:     options.RDRC,
 		logger:           options.Logger,
 	}
 	if client.timeout == 0 {
 		client.timeout = C.DNSTimeout
 	}
 	cacheCapacity := options.CacheCapacity
 	if cacheCapacity < 1024 {
 		cacheCapacity = 1024
 	}
 	if !client.disableCache {
 		if !client.independentCache {
 			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
 		} else {
 			client.transportCache = common.Must1(freelru.NewSharded[transportCacheKey, *dns.Msg](cacheCapacity, maphash.NewHasher[transportCacheKey]().Hash32))
 		}
 	}
 	return client
 }
 type transportCacheKey struct {
 	dns.Question
 	transportTag string
 }
 func (c *Client) Start() {
 	if c.initRDRCFunc != nil {
 		c.rdrc = c.initRDRCFunc()
 	}
 }
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
 		}
 		responseMessage := dns.Msg{
 			MsgHdr: dns.MsgHdr{
 				Id:       message.Id,
 				Response: true,
 				Rcode:    dns.RcodeFormatError,
 			},
 			Question: message.Question,
 		}
 		return &responseMessage, nil
 	}
 	question := message.Question[0]
 	if options.ClientSubnet.IsValid() {
 		message = SetClientSubnet(message, options.ClientSubnet, true)
 	}
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
 		len(message.Extra) == 0 &&
 		!options.ClientSubnet.IsValid()
 	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
 	if !disableCache {
 		response, ttl := c.loadResponse(question, transport)
 		if response != nil {
 			logCachedResponse(c.logger, ctx, response, ttl)
 			response.Id = message.Id
 			return response, nil
 		}
 	}
 	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
 		responseMessage := dns.Msg{
 			MsgHdr: dns.MsgHdr{
 				Id:       message.Id,
 				Response: true,
 				Rcode:    dns.RcodeSuccess,
 			},
 			Question: []dns.Question{question},
 		}
 		if c.logger != nil {
 			c.logger.DebugContext(ctx, "strategy rejected")
 		}
 		return &responseMessage, nil
 	}
 	messageId := message.Id
 	contextTransport, clientSubnetLoaded := transportTagFromContext(ctx)
 	if clientSubnetLoaded && transport.Tag() == contextTransport {
 		return nil, E.New("DNS query loopback in transport[", contextTransport, "]")
 	}
 	ctx = contextWithTransportTag(ctx, transport.Tag())
 	if responseChecker != nil && c.rdrc != nil {
 		rejected := c.rdrc.LoadRDRC(transport.Tag(), question.Name, question.Qtype)
 		if rejected {
 			return nil, ErrResponseRejectedCached
 		}
 	}
 	ctx, cancel := context.WithTimeout(ctx, c.timeout)
 	response, err := transport.Exchange(ctx, message)
 	cancel()
 	if err != nil {
 		return nil, err
 	}
 	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
 		validResponse := response
 	loop:
 		for {
 			var (
 				addresses  int
 				queryCNAME string
 			)
 			for _, rawRR := range validResponse.Answer {
 				switch rr := rawRR.(type) {
 				case *dns.A:
 					break loop
 				case *dns.AAAA:
 					break loop
 				case *dns.CNAME:
 					queryCNAME = rr.Target
 				}
 			}
 			if queryCNAME == "" {
 				break
 			}
 			exMessage := *message
 			exMessage.Question = []dns.Question{{
 				Name:  queryCNAME,
 				Qtype: question.Qtype,
 			}}
 			validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
 			if err != nil {
 				return nil, err
 			}
 		}
 		if validResponse != response {
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
 	if responseChecker != nil {
 		addr, addrErr := MessageToAddresses(response)
 		if addrErr != nil || !responseChecker(addr) {
 			if c.rdrc != nil {
 				c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
 			}
 			logRejectedResponse(c.logger, ctx, response)
 			return response, ErrResponseRejected
 		}
 	}
 	if question.Qtype == dns.TypeHTTPS {
 		if options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only {
 			for _, rr := range response.Answer {
 				https, isHTTPS := rr.(*dns.HTTPS)
 				if !isHTTPS {
 					continue
 				}
 				content := https.SVCB
 				content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
 					if options.Strategy == C.DomainStrategyIPv4Only {
 						return it.Key() != dns.SVCB_IPV6HINT
 					} else {
 						return it.Key() != dns.SVCB_IPV4HINT
 					}
 				})
 				https.SVCB = content
 			}
 		}
 	}
 	var timeToLive uint32
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
 				timeToLive = record.Header().Ttl
 			}
 		}
 	}
 	if options.RewriteTTL != nil {
 		timeToLive = *options.RewriteTTL
 	}
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			record.Header().Ttl = timeToLive
 		}
 	}
 	response.Id = messageId
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
 	return response, err
 }
 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	if options.Strategy == C.DomainStrategyIPv4Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 	} else if options.Strategy == C.DomainStrategyIPv6Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
 		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
 		if err != nil {
 			return err
 		}
 		response4 = response
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
 		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 		if err != nil {
 			return err
 		}
 		response6 = response
 		return nil
 	})
 	err := group.Run(ctx)
 	if len(response4) == 0 && len(response6) == 0 {
 		return nil, err
 	}
 	return sortAddresses(response4, response6, options.Strategy), nil
 }
 func (c *Client) ClearCache() {
 	if c.cache != nil {
 		c.cache.Purge()
 	}
 	if c.transportCache != nil {
 		c.transportCache.Purge()
 	}
 }
 func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
 	if c.disableCache || c.independentCache {
 		return nil, false
 	}
 	if dns.IsFqdn(domain) {
 		domain = domain[:len(domain)-1]
 	}
 	dnsName := dns.Fqdn(domain)
 	if strategy == C.DomainStrategyIPv4Only {
 		response, err := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		if err != ErrNotCached {
 			return response, true
 		}
 	} else if strategy == C.DomainStrategyIPv6Only {
 		response, err := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		if err != ErrNotCached {
 			return response, true
 		}
 	} else {
 		response4, _ := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		response6, _ := c.questionCache(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
 		if len(response4) > 0 || len(response6) > 0 {
 			return sortAddresses(response4, response6, strategy), true
 		}
 	}
 	return nil, false
 }
 func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
 	if c.disableCache || c.independentCache || len(message.Question) != 1 {
 		return nil, false
 	}
 	question := message.Question[0]
 	response, ttl := c.loadResponse(question, nil)
 	if response == nil {
 		return nil, false
 	}
 	logCachedResponse(c.logger, ctx, response, ttl)
 	response.Id = message.Id
 	return response, true
 }
 func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
 	if strategy == C.DomainStrategyPreferIPv6 {
 		return append(response6, response4...)
 	} else {
 		return append(response4, response6...)
 	}
 }
 func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Question, message *dns.Msg, timeToLive uint32) {
 	if timeToLive == 0 {
 		return
 	}
 	if c.disableExpire {
 		if !c.independentCache {
 			c.cache.Add(question, message)
 		} else {
 			c.transportCache.Add(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			}, message)
 		}
 		return
 	}
 	if !c.independentCache {
 		c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
 	} else {
 		c.transportCache.AddWithLifetime(transportCacheKey{
 			Question:     question,
 			transportTag: transport.Tag(),
 		}, message, time.Second*time.Duration(timeToLive))
 	}
 }
 func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
 		Qclass: dns.ClassINET,
 	}
 	disableCache := c.disableCache || options.DisableCache
 	if !disableCache {
 		cachedAddresses, err := c.questionCache(question, transport)
 		if err != ErrNotCached {
 			return cachedAddresses, err
 		}
 	}
 	message := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			RecursionDesired: true,
 		},
 		Question: []dns.Question{question},
 	}
 	response, err := c.Exchange(ctx, transport, &message, options, responseChecker)
 	if err != nil {
 		return nil, err
 	}
 	return MessageToAddresses(response)
 }
 func (c *Client) questionCache(question dns.Question, transport adapter.DNSTransport) ([]netip.Addr, error) {
 	response, _ := c.loadResponse(question, transport)
 	if response == nil {
 		return nil, ErrNotCached
 	}
 	return MessageToAddresses(response)
 }
 func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int) {
 	var (
 		response *dns.Msg
 		loaded   bool
 	)
 	if c.disableExpire {
 		if !c.independentCache {
 			response, loaded = c.cache.Get(question)
 		} else {
 			response, loaded = c.transportCache.Get(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			})
 		}
 		if !loaded {
 			return nil, 0
 		}
 		return response.Copy(), 0
 	} else {
 		var expireAt time.Time
 		if !c.independentCache {
 			response, expireAt, loaded = c.cache.GetWithLifetime(question)
 		} else {
 			response, expireAt, loaded = c.transportCache.GetWithLifetime(transportCacheKey{
 				Question:     question,
 				transportTag: transport.Tag(),
 			})
 		}
 		if !loaded {
 			return nil, 0
 		}
 		timeNow := time.Now()
 		if timeNow.After(expireAt) {
 			if !c.independentCache {
 				c.cache.Remove(question)
 			} else {
 				c.transportCache.Remove(transportCacheKey{
 					Question:     question,
 					transportTag: transport.Tag(),
 				})
 			}
 			return nil, 0
 		}
 		var originTTL int
 		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 			for _, record := range recordList {
 				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
 					originTTL = int(record.Header().Ttl)
 				}
 			}
 		}
 		nowTTL := int(expireAt.Sub(timeNow).Seconds())
 		if nowTTL < 0 {
 			nowTTL = 0
 		}
 		response = response.Copy()
 		if originTTL > 0 {
 			duration := uint32(originTTL - nowTTL)
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
 					record.Header().Ttl = record.Header().Ttl - duration
 				}
 			}
 		} else {
 			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 				for _, record := range recordList {
 					record.Header().Ttl = uint32(nowTTL)
 				}
 			}
 		}
 		return response, nowTTL
 	}
 }
 func MessageToAddresses(response *dns.Msg) ([]netip.Addr, error) {
 	if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 		return nil, RcodeError(response.Rcode)
 	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
 	for _, rawAnswer := range response.Answer {
 		switch answer := rawAnswer.(type) {
 		case *dns.A:
 			addresses = append(addresses, M.AddrFromIP(answer.A))
 		case *dns.AAAA:
 			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
 		case *dns.HTTPS:
 			for _, value := range answer.SVCB.Value {
 				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
 					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
 				}
 			}
 		}
 	}
 	return addresses, nil
 }
 func wrapError(err error) error {
 	switch dnsErr := err.(type) {
 	case *net.DNSError:
 		if dnsErr.IsNotFound {
 			return RcodeNameError
 		}
 	case *net.AddrError:
 		return RcodeNameError
 	}
 	return err
 }
 type transportKey struct{}
 func contextWithTransportTag(ctx context.Context, transportTag string) context.Context {
 	return context.WithValue(ctx, transportKey{}, transportTag)
 }
 func transportTagFromContext(ctx context.Context) (string, bool) {
 	value, loaded := ctx.Value(transportKey{}).(string)
 	return value, loaded
 }
 func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			Id:       id,
 			Rcode:    dns.RcodeSuccess,
 			Response: true,
 		},
 		Question: []dns.Question{question},
 	}
 	for _, address := range addresses {
 		if address.Is4() && question.Qtype == dns.TypeA {
 			response.Answer = append(response.Answer, &dns.A{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
 					Rrtype: dns.TypeA,
 					Class:  dns.ClassINET,
 					Ttl:    timeToLive,
 				},
 				A: address.AsSlice(),
 			})
 		} else if address.Is6() && question.Qtype == dns.TypeAAAA {
 			response.Answer = append(response.Answer, &dns.AAAA{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
 					Rrtype: dns.TypeAAAA,
 					Class:  dns.ClassINET,
 					Ttl:    timeToLive,
 				},
 				AAAA: address.AsSlice(),
 			})
 		}
 	}
 	return &response
 }
 func FixedResponseCNAME(id uint16, question dns.Question, record string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			Id:       id,
 			Rcode:    dns.RcodeSuccess,
 			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
 			&dns.CNAME{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
 					Rrtype: dns.TypeCNAME,
 					Class:  dns.ClassINET,
 					Ttl:    timeToLive,
 				},
 				Target: record,
 			},
 		},
 	}
 	return &response
 }
 func FixedResponseTXT(id uint16, question dns.Question, records []string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			Id:       id,
 			Rcode:    dns.RcodeSuccess,
 			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
 			&dns.TXT{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
 					Rrtype: dns.TypeA,
 					Class:  dns.ClassINET,
 					Ttl:    timeToLive,
 				},
 				Txt: records,
 			},
 		},
 	}
 	return &response
 }
 func FixedResponseMX(id uint16, question dns.Question, records []*net.MX, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			Id:       id,
 			Rcode:    dns.RcodeSuccess,
 			Response: true,
 		},
 		Question: []dns.Question{question},
 	}
 	for _, record := range records {
 		response.Answer = append(response.Answer, &dns.MX{
 			Hdr: dns.RR_Header{
 				Name:   question.Name,
 				Rrtype: dns.TypeA,
 				Class:  dns.ClassINET,
 				Ttl:    timeToLive,
 			},
 			Preference: record.Pref,
 			Mx:         record.Host,
 		})
 	}
 	return &response
 }
--- a/dns/client_log.go
+++ b/dns/client_log.go
@@ -0,0 +1,69 @@
 package dns
 import (
 	"context"
 	"strings"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/miekg/dns"
 )
 func logCachedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl int) {
 	if logger == nil || len(response.Question) == 0 {
 		return
 	}
 	domain := FqdnToDomain(response.Question[0].Name)
 	logger.DebugContext(ctx, "cached ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			logger.InfoContext(ctx, "cached ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
 		}
 	}
 }
 func logExchangedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl uint32) {
 	if logger == nil || len(response.Question) == 0 {
 		return
 	}
 	domain := FqdnToDomain(response.Question[0].Name)
 	logger.DebugContext(ctx, "exchanged ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			logger.InfoContext(ctx, "exchanged ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
 		}
 	}
 }
 func logRejectedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg) {
 	if logger == nil || len(response.Question) == 0 {
 		return
 	}
 	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
 		for _, record := range recordList {
 			logger.InfoContext(ctx, "rejected ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
 		}
 	}
 }
 func FqdnToDomain(fqdn string) string {
 	if dns.IsFqdn(fqdn) {
 		return fqdn[:len(fqdn)-1]
 	}
 	return fqdn
 }
 func FormatQuestion(string string) string {
 	for strings.HasPrefix(string, ";") {
 		string = string[1:]
 	}
 	string = strings.ReplaceAll(string, "\t", " ")
 	string = strings.ReplaceAll(string, "\n", " ")
 	string = strings.ReplaceAll(string, ";; ", " ")
 	string = strings.ReplaceAll(string, "; ", " ")
 	for strings.Contains(string, "  ") {
 		string = strings.ReplaceAll(string, "  ", " ")
 	}
 	return strings.TrimSpace(string)
 }
--- a/dns/client_truncate.go
+++ b/dns/client_truncate.go
@@ -0,0 +1,31 @@
 package dns
 import (
 	"github.com/sagernet/sing/common/buf"
 	"github.com/miekg/dns"
 )
 func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf.Buffer, error) {
 	maxLen := 512
 	if edns0Option := request.IsEdns0(); edns0Option != nil {
 		if udpSize := int(edns0Option.UDPSize()); udpSize > 512 {
 			maxLen = udpSize
 		}
 	}
 	responseLen := response.Len()
 	if responseLen > maxLen {
 		copyResponse := *response
 		response = &copyResponse
 		response.Truncate(maxLen)
 	}
 	buffer := buf.NewSize(headroom*2 + 1 + responseLen)
 	buffer.Resize(headroom, 0)
 	rawMessage, err := response.PackBuffer(buffer.FreeBytes())
 	if err != nil {
 		buffer.Release()
 		return nil, err
 	}
 	buffer.Truncate(len(rawMessage))
 	return buffer, nil
 }
--- a/dns/extension_edns0_subnet.go
+++ b/dns/extension_edns0_subnet.go
@@ -0,0 +1,56 @@
 package dns
 import (
 	"net/netip"
 	"github.com/miekg/dns"
 )
 func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) *dns.Msg {
 	var (
 		optRecord    *dns.OPT
 		subnetOption *dns.EDNS0_SUBNET
 	)
 findExists:
 	for _, record := range message.Extra {
 		var isOPTRecord bool
 		if optRecord, isOPTRecord = record.(*dns.OPT); isOPTRecord {
 			for _, option := range optRecord.Option {
 				var isEDNS0Subnet bool
 				subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET)
 				if isEDNS0Subnet {
 					if !override {
 						return message
 					}
 					break findExists
 				}
 			}
 		}
 	}
 	if optRecord == nil {
 		exMessage := *message
 		message = &exMessage
 		optRecord = &dns.OPT{
 			Hdr: dns.RR_Header{
 				Name:   ".",
 				Rrtype: dns.TypeOPT,
 			},
 		}
 		message.Extra = append(message.Extra, optRecord)
 	} else {
 		message = message.Copy()
 	}
 	if subnetOption == nil {
 		subnetOption = new(dns.EDNS0_SUBNET)
 		optRecord.Option = append(optRecord.Option, subnetOption)
 	}
 	subnetOption.Code = dns.EDNS0SUBNET
 	if clientSubnet.Addr().Is4() {
 		subnetOption.Family = 1
 	} else {
 		subnetOption.Family = 2
 	}
 	subnetOption.SourceNetmask = uint8(clientSubnet.Bits())
 	subnetOption.Address = clientSubnet.Addr().AsSlice()
 	return message
 }
--- a/dns/rcode.go
+++ b/dns/rcode.go
@@ -0,0 +1,17 @@
 package dns
 import (
 	mDNS "github.com/miekg/dns"
 )
 const (
 	RcodeFormatError RcodeError = mDNS.RcodeFormatError
 	RcodeNameError   RcodeError = mDNS.RcodeNameError
 	RcodeRefused     RcodeError = mDNS.RcodeRefused
 )
 type RcodeError int
 func (e RcodeError) Error() string {
 	return mDNS.RcodeToString[int(e)]
 }
--- a/dns/router.go
+++ b/dns/router.go
@@ -0,0 +1,454 @@
 package dns
 import (
 	"context"
 	"errors"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
 	mDNS "github.com/miekg/dns"
 )
 var _ adapter.DNSRouter = (*Router)(nil)
 type Router struct {
 	ctx                   context.Context
 	logger                logger.ContextLogger
 	transport             adapter.DNSTransportManager
 	outbound              adapter.OutboundManager
 	client                adapter.DNSClient
 	rules                 []adapter.DNSRule
 	defaultDomainStrategy C.DomainStrategy
 	dnsReverseMapping     freelru.Cache[netip.Addr, string]
 	platformInterface     platform.Interface
 }
 func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
 	router := &Router{
 		ctx:                   ctx,
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
 		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
 	router.client = NewClient(ClientOptions{
 		DisableCache:     options.DNSClientOptions.DisableCache,
 		DisableExpire:    options.DNSClientOptions.DisableExpire,
 		IndependentCache: options.DNSClientOptions.IndependentCache,
 		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
 		RDRC: func() adapter.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {
 				return nil
 			}
 			if !cacheFile.StoreRDRC() {
 				return nil
 			}
 			return cacheFile
 		},
 		Logger: router.logger,
 	})
 	if options.ReverseMapping {
 		router.dnsReverseMapping = common.Must1(freelru.NewSharded[netip.Addr, string](1024, maphash.NewHasher[netip.Addr]().Hash32))
 	}
 	return router
 }
 func (r *Router) Initialize(rules []option.DNSRule) error {
 	for i, ruleOptions := range rules {
 		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
 		if err != nil {
 			return E.Cause(err, "parse dns rule[", i, "]")
 		}
 		r.rules = append(r.rules, dnsRule)
 	}
 	return nil
 }
 func (r *Router) Start(stage adapter.StartStage) error {
 	monitor := taskmonitor.New(r.logger, C.StartTimeout)
 	switch stage {
 	case adapter.StartStateStart:
 		monitor.Start("initialize DNS client")
 		r.client.Start()
 		monitor.Finish()
 		for i, rule := range r.rules {
 			monitor.Start("initialize DNS rule[", i, "]")
 			err := rule.Start()
 			monitor.Finish()
 			if err != nil {
 				return E.Cause(err, "initialize DNS rule[", i, "]")
 			}
 		}
 	}
 	return nil
 }
 func (r *Router) Close() error {
 	monitor := taskmonitor.New(r.logger, C.StopTimeout)
 	var err error
 	for i, rule := range r.rules {
 		monitor.Start("close dns rule[", i, "]")
 		err = E.Append(err, rule.Close(), func(err error) error {
 			return E.Cause(err, "close dns rule[", i, "]")
 		})
 		monitor.Finish()
 	}
 	return err
 }
 func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
 	}
 	var currentRuleIndex int
 	if ruleIndex != -1 {
 		currentRuleIndex = ruleIndex + 1
 	}
 	for ; currentRuleIndex < len(r.rules); currentRuleIndex++ {
 		currentRule := r.rules[currentRuleIndex]
 		if currentRule.WithAddressLimit() && !isAddressQuery {
 			continue
 		}
 		metadata.ResetRuleCache()
 		if currentRule.Match(metadata) {
 			displayRuleIndex := currentRuleIndex
 			if displayRuleIndex != -1 {
 				displayRuleIndex += displayRuleIndex + 1
 			}
 			ruleDescription := currentRule.String()
 			if ruleDescription != "" {
 				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 			} else {
 				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
 			}
 			switch action := currentRule.Action().(type) {
 			case *R.RuleActionDNSRoute:
 				transport, loaded := r.transport.Transport(action.Server)
 				if !loaded {
 					r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
 					continue
 				}
 				isFakeIP := transport.Type() == C.DNSTypeFakeIP
 				if isFakeIP && !allowFakeIP {
 					continue
 				}
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
 				if isFakeIP || action.DisableCache {
 					options.DisableCache = true
 				}
 				if action.RewriteTTL != nil {
 					options.RewriteTTL = action.RewriteTTL
 				}
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
 				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 					if options.Strategy == C.DomainStrategyAsIS {
 						options.Strategy = legacyTransport.LegacyStrategy()
 					}
 					if !options.ClientSubnet.IsValid() {
 						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
 					}
 				}
 				return transport, currentRule, currentRuleIndex
 			case *R.RuleActionDNSRouteOptions:
 				if action.Strategy != C.DomainStrategyAsIS {
 					options.Strategy = action.Strategy
 				}
 				if action.DisableCache {
 					options.DisableCache = true
 				}
 				if action.RewriteTTL != nil {
 					options.RewriteTTL = action.RewriteTTL
 				}
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
 			case *R.RuleActionReject:
 				return nil, currentRule, currentRuleIndex
 			case *R.RuleActionPredefined:
 				return nil, currentRule, currentRuleIndex
 			}
 		}
 	}
 	return r.transport.Default(), nil, -1
 }
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
 	if len(message.Question) != 1 {
 		r.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
 		responseMessage := mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				Id:       message.Id,
 				Response: true,
 				Rcode:    mDNS.RcodeFormatError,
 			},
 			Question: message.Question,
 		}
 		return &responseMessage, nil
 	}
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		transport adapter.DNSTransport
 		err       error
 	)
 	response, cached := r.client.ExchangeCache(ctx, message)
 	if !cached {
 		var metadata *adapter.InboundContext
 		ctx, metadata = adapter.ExtendContext(ctx)
 		metadata.Destination = M.Socksaddr{}
 		metadata.QueryType = message.Question[0].Qtype
 		switch metadata.QueryType {
 		case mDNS.TypeA:
 			metadata.IPVersion = 4
 		case mDNS.TypeAAAA:
 			metadata.IPVersion = 6
 		}
 		metadata.Domain = FqdnToDomain(message.Question[0].Name)
 		if options.Transport != nil {
 			transport = options.Transport
 			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 				if options.Strategy == C.DomainStrategyAsIS {
 					options.Strategy = legacyTransport.LegacyStrategy()
 				}
 				if !options.ClientSubnet.IsValid() {
 					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
 				}
 			}
 			if options.Strategy == C.DomainStrategyAsIS {
 				options.Strategy = r.defaultDomainStrategy
 			}
 			response, err = r.client.Exchange(ctx, transport, message, options, nil)
 		} else {
 			var (
 				rule      adapter.DNSRule
 				ruleIndex int
 			)
 			ruleIndex = -1
 			for {
 				dnsCtx := adapter.OverrideContext(ctx)
 				dnsOptions := options
 				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
 				if rule != nil {
 					switch action := rule.Action().(type) {
 					case *R.RuleActionReject:
 						switch action.Method {
 						case C.RuleActionRejectMethodDefault:
 							return FixedResponse(message.Id, message.Question[0], nil, 0), nil
 						case C.RuleActionRejectMethodDrop:
 							return nil, tun.ErrDrop
 						}
 					case *R.RuleActionPredefined:
 						return action.Response(message), nil
 					}
 				}
 				var responseCheck func(responseAddrs []netip.Addr) bool
 				if rule != nil && rule.WithAddressLimit() {
 					responseCheck = func(responseAddrs []netip.Addr) bool {
 						metadata.DestinationAddresses = responseAddrs
 						return rule.MatchAddressLimit(metadata)
 					}
 				}
 				if dnsOptions.Strategy == C.DomainStrategyAsIS {
 					dnsOptions.Strategy = r.defaultDomainStrategy
 				}
 				response, err = r.client.Exchange(dnsCtx, transport, message, dnsOptions, responseCheck)
 				var rejected bool
 				if err != nil {
 					if errors.Is(err, ErrResponseRejectedCached) {
 						rejected = true
 						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
 					} else if errors.Is(err, ErrResponseRejected) {
 						rejected = true
 						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
 					} else if len(message.Question) > 0 {
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
 					} else {
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
 					}
 				}
 				if responseCheck != nil && rejected {
 					continue
 				}
 				break
 			}
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
 		if transport == nil || transport.Type() != C.DNSTypeFakeIP {
 			for _, answer := range response.Answer {
 				switch record := answer.(type) {
 				case *mDNS.A:
 					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.A), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
 				case *mDNS.AAAA:
 					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.AAAA), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
 				}
 			}
 		}
 	}
 	return response, nil
 }
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
 		cached        bool
 		err           error
 	)
 	printResult := func() {
 		if err != nil {
 			if errors.Is(err, ErrResponseRejectedCached) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, ErrResponseRejected) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain)
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
 		} else if len(responseAddrs) == 0 {
 			r.logger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
 			err = RcodeNameError
 		}
 	}
 	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
 	if cached {
 		if len(responseAddrs) == 0 {
 			return nil, RcodeNameError
 		}
 		return responseAddrs, nil
 	}
 	r.logger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.Domain = FqdnToDomain(domain)
 	if options.Transport != nil {
 		transport := options.Transport
 		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
 			if options.Strategy == C.DomainStrategyAsIS {
 				options.Strategy = r.defaultDomainStrategy
 			}
 			if !options.ClientSubnet.IsValid() {
 				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
 			}
 		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
 	} else {
 		var (
 			transport adapter.DNSTransport
 			rule      adapter.DNSRule
 			ruleIndex int
 		)
 		ruleIndex = -1
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
 			dnsOptions := options
 			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
 					switch action.Method {
 					case C.RuleActionRejectMethodDefault:
 						return nil, nil
 					case C.RuleActionRejectMethodDrop:
 						return nil, tun.ErrDrop
 					}
 				case *R.RuleActionPredefined:
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
 					} else {
 						for _, answer := range action.Answer {
 							switch record := answer.(type) {
 							case *mDNS.A:
 								responseAddrs = append(responseAddrs, M.AddrFromIP(record.A))
 							case *mDNS.AAAA:
 								responseAddrs = append(responseAddrs, M.AddrFromIP(record.AAAA))
 							}
 						}
 					}
 					goto response
 				}
 			}
 			var responseCheck func(responseAddrs []netip.Addr) bool
 			if rule != nil && rule.WithAddressLimit() {
 				responseCheck = func(responseAddrs []netip.Addr) bool {
 					metadata.DestinationAddresses = responseAddrs
 					return rule.MatchAddressLimit(metadata)
 				}
 			}
 			if dnsOptions.Strategy == C.DomainStrategyAsIS {
 				dnsOptions.Strategy = r.defaultDomainStrategy
 			}
 			responseAddrs, err = r.client.Lookup(dnsCtx, transport, domain, dnsOptions, responseCheck)
 			if responseCheck == nil || err == nil {
 				break
 			}
 			printResult()
 		}
 	}
 response:
 	printResult()
 	if len(responseAddrs) > 0 {
 		r.logger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))
 	}
 	return responseAddrs, err
 }
 func isAddressQuery(message *mDNS.Msg) bool {
 	for _, question := range message.Question {
 		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA || question.Qtype == mDNS.TypeHTTPS {
 			return true
 		}
 	}
 	return false
 }
 func (r *Router) ClearCache() {
 	r.client.ClearCache()
 	if r.platformInterface != nil {
 		r.platformInterface.ClearDNSCache()
 	}
 }
 func (r *Router) LookupReverseMapping(ip netip.Addr) (string, bool) {
 	if r.dnsReverseMapping == nil {
 		return "", false
 	}
 	domain, loaded := r.dnsReverseMapping.Get(ip)
 	return domain, loaded
 }
 func (r *Router) ResetNetwork() {
 	r.ClearCache()
 	for _, transport := range r.transport.Transports() {
 		transport.Close()
 	}
 }
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -3,9 +3,6 @@ package dhcp
 import (
 	"context"
 	"net"
 	"net/netip"
 	"net/url"
 	"os"
 	"runtime"
 	"strings"
 	"sync"
@@ -14,13 +11,18 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
@@ -29,62 +31,54 @@ import (
 	mDNS "github.com/miekg/dns"
 )
-func init() {
+func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
+	dns.RegisterTransport[option.DHCPDNSServerOptions](registry, C.DNSTypeDHCP, NewTransport)
 		return NewTransport(options)
 	})
 }
 var _ adapter.DNSTransport = (*Transport)(nil)
 type Transport struct {
-	options           dns.TransportOptions
+	dns.TransportAdapter
-	router            adapter.Router
+	ctx               context.Context
 	dialer            N.Dialer
 	logger            logger.ContextLogger
 	networkManager    adapter.NetworkManager
 	interfaceName     string
 	autoInterface     bool
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
-	transports        []dns.Transport
+	transports        []adapter.DNSTransport
 	updateAccess      sync.Mutex
 	updatedAt         time.Time
 }
-func NewTransport(options dns.TransportOptions) (*Transport, error) {
+func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.DHCPDNSServerOptions) (adapter.DNSTransport, error) {
-	linkURL, err := url.Parse(options.Address)
+	transportDialer, err := dns.NewLocalDialer(ctx, options.LocalDNSServerOptions)
 	if err != nil {
 		return nil, err
 	}
-	if linkURL.Host == "" {
+	return &Transport{
-		return nil, E.New("missing interface name for DHCP")
+		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeDHCP, tag, options.LocalDNSServerOptions),
-	}
+		ctx:              ctx,
-	transport := &Transport{
+		dialer:           transportDialer,
-		options:        options,
+		logger:           logger,
-		networkManager: service.FromContext[adapter.NetworkManager](options.Context),
+		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
-		interfaceName:  linkURL.Host,
+		interfaceName:    options.Interface,
-		autoInterface:  linkURL.Host == "auto",
+	}, nil
 	}
 	return transport, nil
 }
-func (t *Transport) Name() string {
+func (t *Transport) Start(stage adapter.StartStage) error {
-	return t.options.Name
+	if stage != adapter.StartStateStart {
-}
+		return nil
-
+	}
 func (t *Transport) Start() error {
 	err := t.fetchServers()
 	if err != nil {
 		return err
 	}
-	if t.autoInterface {
+	if t.interfaceName == "" {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
 	return nil
 }
 func (t *Transport) Reset() {
 	for _, transport := range t.transports {
 		transport.Reset()
 	}
 }
 func (t *Transport) Close() error {
 	for _, transport := range t.transports {
 		transport.Close()
@@ -95,10 +89,6 @@ func (t *Transport) Close() error {
 	return nil
 }
 func (t *Transport) Raw() bool {
 	return true
 }
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	err := t.fetchServers()
 	if err != nil {
@@ -120,7 +110,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 }
 func (t *Transport) fetchInterface() (*control.Interface, error) {
-	if t.autoInterface {
+	if t.interfaceName == "" {
 		if t.networkManager.InterfaceMonitor() == nil {
 			return nil, E.New("missing monitor for auto DHCP, set route.auto_detect_interface")
 		}
@@ -152,8 +142,8 @@ func (t *Transport) updateServers() error {
 		return E.Cause(err, "dhcp: prepare interface")
 	}
-	t.options.Logger.Info("dhcp: query DNS servers on ", iface.Name)
+	t.logger.Info("dhcp: query DNS servers on ", iface.Name)
-	fetchCtx, cancel := context.WithTimeout(t.options.Context, C.DHCPTimeout)
+	fetchCtx, cancel := context.WithTimeout(t.ctx, C.DHCPTimeout)
 	err = t.fetchServers0(fetchCtx, iface)
 	cancel()
 	if err != nil {
@@ -169,7 +159,7 @@ func (t *Transport) updateServers() error {
 func (t *Transport) interfaceUpdated(defaultInterface *control.Interface, flags int) {
 	err := t.updateServers()
 	if err != nil {
-		t.options.Logger.Error("update servers: ", err)
+		t.logger.Error("update servers: ", err)
 	}
 }
@@ -181,7 +171,7 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	packetConn, err := listener.ListenPacket(t.options.Context, "udp4", listenAddr)
+	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
 	if err != nil {
 		return err
 	}
@@ -219,17 +209,17 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 		dhcpPacket, err := dhcpv4.FromBytes(buffer.Bytes())
 		if err != nil {
-			t.options.Logger.Trace("dhcp: parse DHCP response: ", err)
+			t.logger.Trace("dhcp: parse DHCP response: ", err)
 			return err
 		}
 		if dhcpPacket.MessageType() != dhcpv4.MessageTypeOffer {
-			t.options.Logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
+			t.logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
 			continue
 		}
 		if dhcpPacket.TransactionID != transactionID {
-			t.options.Logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
+			t.logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
 			continue
 		}
@@ -237,36 +227,23 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 		if len(dns) == 0 {
 			return nil
 		}
-
+		return t.recreateServers(iface, common.Map(dns, func(it net.IP) M.Socksaddr {
-		var addrs []netip.Addr
+			return M.SocksaddrFrom(M.AddrFromIP(it), 53)
-		for _, ip := range dns {
+		}))
 			addr, _ := netip.AddrFromSlice(ip)
 			addrs = append(addrs, addr.Unmap())
 		}
 		return t.recreateServers(iface, addrs)
 	}
 }
-func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []netip.Addr) error {
+func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []M.Socksaddr) error {
 	if len(serverAddrs) > 0 {
-		t.options.Logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, func(it netip.Addr) string {
+		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "]")
 			return it.String()
 		}), ","), "]")
 	}
-	serverDialer := common.Must1(dialer.NewDefault(t.options.Context, option.DialerOptions{
+	serverDialer := common.Must1(dialer.NewDefault(t.ctx, option.DialerOptions{
 		BindInterface:      iface.Name,
 		UDPFragmentDefault: true,
 	}))
-	var transports []dns.Transport
+	var transports []adapter.DNSTransport
 	for _, serverAddr := range serverAddrs {
-		newOptions := t.options
+		transports = append(transports, transport.NewUDPRaw(t.logger, t.TransportAdapter, serverDialer, serverAddr))
 		newOptions.Address = serverAddr.String()
 		newOptions.Dialer = serverDialer
 		serverTransport, err := dns.NewUDPTransport(newOptions)
 		if err != nil {
 			return E.Cause(err, "create UDP transport from DHCP result: ", serverAddr)
 		}
 		transports = append(transports, serverTransport)
 	}
 	for _, transport := range t.transports {
 		transport.Close()
@@ -274,7 +251,3 @@ func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []neti
 	t.transports = transports
 	return nil
 }
 func (t *Transport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
 	return nil, os.ErrInvalid
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	bf9c0ea0d5	documentation: Bump version	2025-04-02 16:54:50 +08:00
世界	63d7444512	Allow direct outbounds without `domain_resolver`	2025-04-02 16:54:49 +08:00
世界	3533a86e53	Fix Tailscale dialer	2025-04-02 16:54:49 +08:00
dyhkwong	80d55f3d55	Fix DNS over QUIC stream close	2025-04-02 16:54:49 +08:00
anytls	cd506f1e50	Update anytls Co-authored-by: anytls <anytls>	2025-04-02 16:54:48 +08:00
Rambling2076	5990cc18ff	Fix missing `with_tailscale` in Dockerfile Signed-off-by: Rambling2076 <Rambling2076@proton.me>	2025-04-02 16:54:48 +08:00
世界	a44c7ffb91	Fail when default DNS server not found	2025-04-02 16:54:48 +08:00
世界	8292ac1043	Update gVisor to 20250319.0	2025-04-02 16:54:48 +08:00
世界	30c1c364b3	release: Do not build tailscale on iOS and tvOS	2025-04-02 16:54:47 +08:00
世界	a64c520de2	Explicitly reject detour to empty direct outbounds	2025-04-02 16:54:47 +08:00
世界	74bfea713d	Add netns support	2025-04-02 16:54:47 +08:00
世界	63f10d37ff	Add wildcard name support for predefined records	2025-04-02 16:54:46 +08:00
世界	8c231fbc38	Remove map usage in options	2025-04-02 16:54:46 +08:00
世界	1cfbee8293	Fix unhandled DNS loop	2025-04-02 16:54:46 +08:00
世界	529d41ed6a	Add wildcard-sni support for shadow-tls inbound	2025-04-02 16:54:46 +08:00
世界	8af464eb7e	Fix Tailscale DNS	2025-04-02 16:51:29 +08:00
k9982874	3766bbbf9d	Add ntp protocol sniffing	2025-04-02 16:51:28 +08:00
世界	0d65af5d0a	option: Fix marshal legacy DNS options	2025-04-02 16:51:28 +08:00
世界	439f3c05ec	Make `domain_resolver` optional when only one DNS server is configured	2025-04-02 16:51:28 +08:00
世界	e3a1e71e4d	Fix DNS lookup context pollution	2025-04-02 16:51:27 +08:00
世界	83c284749e	Fix http3 DNS server connecting to wrong address	2025-04-02 16:51:26 +08:00
Restia-Ashbell	d95fc51be4	documentation: Fix typo	2025-04-02 16:51:26 +08:00
anytls	6cccfafc10	Update sing-anytls Co-authored-by: anytls <anytls>	2025-04-02 16:51:25 +08:00
k9982874	650e85e684	Fix hosts DNS server	2025-04-02 16:51:25 +08:00
世界	edfd6fb29d	Fix UDP DNS server crash	2025-04-02 16:51:25 +08:00
世界	452ca3f5e6	documentation: Fix missing `ip_accept_any` DNS rule option	2025-04-02 16:51:24 +08:00
世界	693da37d62	Fix anytls dialer usage	2025-04-02 16:51:24 +08:00
世界	4f902b8507	Move predefined DNS server to rule action	2025-04-02 16:51:23 +08:00
世界	de9ceb82bb	Fix domain resolver on direct outbound	2025-04-02 16:51:23 +08:00
Zephyruso	112508ccbb	Fix missing AnyTLS display name	2025-04-02 16:51:23 +08:00
anytls	6fb224dd05	Update sing-anytls Co-authored-by: anytls <anytls>	2025-04-02 16:51:23 +08:00
Estel	683c5b71ed	documentation: Fix typo Signed-off-by: Estel <callmebedrockdigger@gmail.com>	2025-04-02 16:51:23 +08:00
TargetLocked	174b857658	Fix parsing legacy DNS options	2025-04-02 16:51:22 +08:00
世界	5d63c7a0da	Fix DNS fallback	2025-04-02 16:51:21 +08:00
世界	09f89b4181	documentation: Fix missing hosts DNS server	2025-04-02 16:51:21 +08:00
anytls	c9522fd6d6	Add MinIdleSession option to AnyTLS outbound Co-authored-by: anytls <anytls>	2025-04-02 16:51:21 +08:00
ReleTor	9e9886b140	documentation: Minor fixes	2025-04-02 16:51:21 +08:00
libtry486	f5dc2ec1dc	documentation: Fix typo fix typo Signed-off-by: libtry486 <89328481+libtry486@users.noreply.github.com>	2025-04-02 16:51:21 +08:00
Alireza Ahmadi	e0202da833	Fix Outbound deadlock	2025-04-02 16:51:20 +08:00
世界	db01fe90e4	documentation: Fix AnyTLS doc	2025-04-02 16:51:20 +08:00
anytls	104ea172c0	Add AnyTLS protocol	2025-04-02 16:51:20 +08:00
世界	341958d7c1	Migrate to stdlib ECH support	2025-04-02 16:51:19 +08:00
世界	05fea2a199	Add fallback local DNS server for iOS	2025-04-02 16:51:18 +08:00
世界	cc294c4616	Get darwin local DNS server from libresolv	2025-04-02 16:51:18 +08:00
世界	b99c6a0025	Improve resolve action	2025-04-02 16:51:18 +08:00
世界	845138a1d8	Fix toolchain version	2025-04-02 16:51:17 +08:00
世界	0645ebe73f	Add back port hopping to hysteria 1	2025-04-02 16:51:17 +08:00
世界	1847cb6dfb	Update dependencies	2025-04-02 16:51:17 +08:00
xchacha20-poly1305	1dd716453d	Remove single quotes of raw Moziila certs	2025-04-02 16:51:16 +08:00
世界	456eb3dcdc	Add Tailscale endpoint	2025-04-02 16:51:16 +08:00
世界	8f9454ce72	Build legacy binaries with latest Go	2025-04-02 16:51:15 +08:00
世界	3bae0c96bc	documentation: Remove outdated icons	2025-04-02 16:51:15 +08:00
世界	0153fc7e08	documentation: Certificate store	2025-04-02 16:51:15 +08:00
世界	a52ee299e6	documentation: TLS fragment	2025-04-02 16:51:15 +08:00
世界	bf0e71f32a	documentation: Outbound domain resolver	2025-04-02 16:51:15 +08:00
世界	b2dcb4dc03	documentation: Refactor DNS	2025-04-02 16:51:13 +08:00
世界	221c003ce0	Add certificate store	2025-04-02 16:51:13 +08:00
世界	8b7c8dcdb4	Add TLS fragment support	2025-04-02 16:51:13 +08:00
世界	360b25e53c	refactor: Outbound domain resolver	2025-04-02 16:51:12 +08:00
世界	6c9e61a0a0	refactor: DNS	2025-04-02 16:51:12 +08:00
世界	572ee775b1	Bump version	2025-04-02 16:50:36 +08:00
世界	4f98009a15	Improve auto redirect	2025-04-02 16:50:36 +08:00
世界	0d54aee584	test: Force auto-redirect mark mode	2025-04-02 13:44:39 +08:00
世界	f4c29840c3	Fix DNS sniffer	2025-03-31 20:45:04 +08:00
世界	47fc3ebda4	Add duplicate tag check	2025-03-29 23:10:22 +08:00
世界	9774a659b0	Fix DoQ / truncate DNS message	2025-03-29 17:41:22 +08:00
世界	2e4a6de4e7	release: Fix read tag	2025-03-27 20:30:57 +08:00
世界	a530e424e9	Bump version	2025-03-27 18:17:39 +08:00
世界	0bfd487ee9	Fix udpnat2 handler again	2025-03-27 18:17:39 +08:00
世界	6aae834493	release: Fix workflow	2025-03-27 18:17:39 +08:00
世界	f56131f38e	Make linter happy	2025-03-24 20:38:42 +08:00
世界	273a11d550	Fix crash on udpnat2 handler	2025-03-24 18:14:32 +08:00
世界	ae8ce75e41	Fix websocket crash	2025-03-24 17:44:14 +08:00
世界	d6d94b689f	release: Replace goreleaser build with scripts	2025-03-24 13:48:37 +08:00
世界	30d785f1ee	release: Use fake goreleaser key	2025-03-21 22:25:51 +08:00
世界	db5ec3cdfc	Fix connectionCopyEarly	2025-03-21 10:51:16 +08:00
世界	9aca54d039	Fix socks5 UDP	2025-03-16 14:46:44 +08:00
世界	d55d5009c2	Fix processing multiple sniffs	2025-03-16 09:21:54 +08:00
世界	4f3ee61104	Fix copy early conn	2025-03-15 08:09:04 +08:00
世界	96eb98c00a	Fix httpupgrade crash	2025-03-14 17:17:28 +08:00
世界	68ce9577c6	Fix context in v2ray http transports	2025-03-14 17:07:17 +08:00
世界	3ae036e997	Downgrade goreleaser to stable since nfpm fixed	2025-03-13 18:53:19 +08:00
世界	5da2d1d470	release: Fix goreleaser version	2025-03-12 16:15:50 +08:00
世界	8e2baf40f1	Bump version	2025-03-11 20:18:34 +08:00
世界	c24c40dfee	platform: Fix android start	2025-03-11 20:18:34 +08:00
世界	32e52ce1ed	Fix udp nat for fakeip	2025-03-11 19:09:27 +08:00
世界	ed46438359	release: Use nightly goreleaser to fix rpm bug	2025-03-11 13:29:08 +08:00
世界	0b5490d5a3	Fix resolve domain for WireGuard	2025-03-11 12:02:25 +08:00
Tal Rasha	2d73ef511d	Fix grpclite memory leak Co-authored-by: talrasha007 <talrasha007@gmail.om>	2025-03-10 14:48:02 +08:00
Mahdi	63e6c85f6f	Fix shadowsocks UoT	2025-03-10 14:47:59 +08:00
世界	8946a6d2d0	release: Use latest goreleaser	2025-03-09 15:27:04 +08:00
世界	d3132645fb	documentation: Fix description of the UoT protocol	2025-03-09 15:26:42 +08:00
世界	373f158fe0	Fix download external ui with query params	2025-03-09 15:26:36 +08:00
世界	ce36835fab	Fix override destination	2025-03-09 15:25:06 +08:00
世界	619fa671d7	Skip binding to the default interface as it will fail on some Android devices	2025-02-26 07:25:35 +08:00
世界	eb07c7a79e	Bump version	2025-02-24 07:27:55 +08:00
Gavin Luo	7eb3535094	release: Fix systemd permissions	2025-02-24 07:27:55 +08:00
世界	93b68312cf	platform: Add update WIFI state func	2025-02-23 08:35:30 +08:00
世界	97ce666e43	Fix http.FileServer short write	2025-02-23 08:35:30 +08:00
世界	4000e1e66d	release: Fix update android version	2025-02-23 08:35:30 +08:00
世界	270740e859	Fix crash on route address set update	2025-02-23 08:35:30 +08:00
世界	6cad142cfe	Bump Go to go1.24	2025-02-23 08:35:30 +08:00
世界	093013687c	Fix sniff QUIC hidden in three or more packets	2025-02-18 18:14:59 +08:00
世界	ff31c469a0	Override version	2025-02-11 15:55:15 +08:00
世界	fbe390268c	Bump version	2025-02-11 01:32:14 +08:00
世界	07ac01dcb7	platform: Update NDK to r28	2025-02-11 01:32:14 +08:00
ReleTor	badfdb62cd	documentation: Fixes	2025-02-11 01:32:14 +08:00
printfer	986a410b30	documentation: Fix migration links	2025-02-11 01:32:14 +08:00
世界	9db2d58545	Fix override address	2025-02-11 01:32:14 +08:00
世界	4eed46ac59	Fix respond ICMP echo	2025-02-10 15:12:10 +08:00
世界	abc38d1dab	Fix udpnat2 crash	2025-02-10 15:11:26 +08:00
世界	8d6c4f1289	release: Skip testflight when another build in review	2025-02-06 12:02:47 +08:00
世界	a2d40eb8b8	Fix override UDP destination	2025-02-06 11:20:35 +08:00
世界	17b502bb4b	Update dependencies	2025-02-06 09:08:52 +08:00
世界	a0d4421085	Update quic-go to v0.49.0	2025-02-06 08:50:21 +08:00
世界	0d443072d1	Fix panic in auto-redirect initialize	2025-02-06 08:49:25 +08:00
世界	c9fb99b799	Fix missing ENOTCONN in IsClosed check	2025-02-06 08:48:49 +08:00
世界	92d245ad04	Bump version	2025-02-05 09:59:52 +08:00
世界	0908627297	Fix crash on remote rule-set stop	2025-02-05 08:58:10 +08:00
世界	7f79458b4f	Minor updates	2025-02-01 19:49:33 +08:00
世界	9b4c11ba95	Fix rule-set not closed	2025-02-01 19:49:33 +08:00
世界	27c31eac5d	Fix local rule-set not updated	2025-02-01 19:42:21 +08:00
世界	bab8dc0b82	Fix missing handshake for early conn	2025-01-31 12:57:35 +08:00
世界	d09d2fb665	Bump version	2025-01-30 15:09:54 +08:00
世界	e64cf3b7df	Do not set address sets to routes on Apple platforms Network Extension was observed to stop for unknown reasons	2025-01-27 13:40:39 +08:00
世界	9b73222314	documentation: Bump version	2025-01-27 10:53:14 +08:00
世界	3923b57abf	release: Update NDK to r28-beta3	2025-01-27 10:53:14 +08:00
世界	4807e64609	documentation: Fix typo	2025-01-27 10:04:07 +08:00
世界	eeb37d89f1	Fix rule-set upgrade command	2025-01-27 09:50:27 +08:00
世界	08c1ec4b7e	Fix legacy routes	2025-01-27 09:50:27 +08:00
HystericalDragon	6b4cf67add	Fix endpoints not close	2025-01-27 09:50:27 +08:00
世界	e65926fd08	Fix tests	2025-01-13 15:14:30 +08:00
世界	f2ec319fe1	Fix system time	2025-01-13 15:14:30 +08:00
世界	32377a61b7	Add port hopping for hysteria2	2025-01-13 15:14:30 +08:00
世界	7aac801ccd	tun: Set address sets to routes	2025-01-13 15:14:30 +08:00
世界	96fdf59ee4	Fix default dialer on legacy xiaomi systems	2025-01-13 15:14:30 +08:00
世界	50b8f3ab94	Add `rule-set merge` command	2025-01-13 15:14:30 +08:00
世界	ff7aaf977b	Fix DNS match	2025-01-13 15:14:30 +08:00
世界	9a1efbe54d	Fix domain strategy	2025-01-13 15:14:30 +08:00
世界	906c21f458	Fix time service	2025-01-13 15:14:30 +08:00
世界	d5e7af7a7e	Fix socks5 UDP implementation	2025-01-13 15:14:30 +08:00
世界	4d41f03bd5	clash-api: Fix missing endpoints	2025-01-13 15:14:30 +08:00
世界	30704a15a7	hysteria2: Add more masquerade options	2025-01-13 15:14:30 +08:00
世界	83889178ed	Improve timeouts	2025-01-13 15:14:30 +08:00
世界	1d2720bf5e	Add UDP timeout route option	2025-01-13 15:14:30 +08:00
世界	c4b6d0eadb	Make GSO adaptive	2025-01-13 15:14:30 +08:00
世界	0c66888691	Fix lint	2025-01-13 15:14:30 +08:00
世界	68781387fe	refactor: WireGuard endpoint	2025-01-13 15:14:30 +08:00
世界	fd299a0961	refactor: connection manager	2025-01-13 15:14:30 +08:00
世界	285a82050c	documentation: Fix typo	2025-01-13 15:14:30 +08:00
世界	2dbb8c55c9	Add override destination to route options	2025-01-13 15:14:30 +08:00
世界	effcf39469	Add `dns.cache_capacity`	2025-01-13 15:14:30 +08:00
世界	9db9484863	Refactor multi networks strategy	2025-01-13 15:14:30 +08:00
世界	ca813f461b	documentation: Remove unused titles	2025-01-13 15:14:30 +08:00
世界	bb46cdb2b3	Add multi network dialing	2025-01-13 15:14:30 +08:00
世界	dcb10c21a1	documentation: Merge route options to route actions	2025-01-13 15:14:29 +08:00
世界	05ea0ca00e	Add `network_[type/is_expensive/is_constrained]` rule items	2025-01-13 15:14:29 +08:00
世界	c098f282b1	Merge route options to route actions	2025-01-13 15:14:29 +08:00
世界	ecf82d197c	refactor: Platform Interfaces	2025-01-13 15:14:29 +08:00
世界	9afe75586a	refactor: Extract services form router	2025-01-13 15:14:29 +08:00
世界	a1be455202	refactor: Modular network manager	2025-01-13 15:14:29 +08:00
世界	19fb214226	refactor: Modular inbound/outbound manager	2025-01-13 15:14:29 +08:00
世界	28ec898a8c	documentation: Add rule action	2025-01-13 15:14:29 +08:00
世界	467b1bbeeb	documentation: Update the scheduled removal time of deprecated features	2025-01-13 15:14:29 +08:00
世界	02ab8ce806	documentation: Remove outdated icons	2025-01-13 15:14:29 +08:00
世界	ce69e620e9	Migrate bad options to library	2025-01-13 15:14:29 +08:00
世界	1133cf3ef5	Implement udp connect	2025-01-13 15:14:29 +08:00
世界	59a607e303	Implement new deprecated warnings	2025-01-13 15:14:29 +08:00
世界	313be3d7a4	Improve rule actions	2025-01-13 15:14:29 +08:00
世界	4fe40fcee0	Remove unused reject methods	2025-01-13 15:14:29 +08:00
世界	e233fd4fe5	refactor: Modular inbounds/outbounds	2025-01-13 15:14:29 +08:00
世界	9f7683818f	Implement dns-hijack	2025-01-13 15:14:29 +08:00
世界	179e3cb2f5	Implement resolve(server)	2025-01-13 15:14:29 +08:00
世界	41b960552d	Implement TCP and ICMP rejects	2025-01-13 15:14:29 +08:00
世界	8304295c48	Crazy sekai overturns the small pond	2025-01-13 15:14:29 +08:00
世界	253b41936e	Bump version	2025-01-11 20:58:00 +08:00
世界	ce5b4b06b5	auto-redirect: Fix fetch interfaces	2025-01-07 21:24:52 +08:00
世界	50f5006c43	Fix leak in reality server	2025-01-07 17:27:10 +08:00
世界	e42ff22c2e	quic: Fix source not unwrapped	2025-01-07 17:27:10 +08:00