Bump version

platform: Fix android start
Fix udp nat for fakeip
2026-04-12 01:57:18 +10:00 · 2025-03-11 20:18:34 +08:00 · 2025-03-11 20:18:34 +08:00 · 2025-03-11 19:09:27 +08:00 · 2025-03-11 13:29:08 +08:00 · 2025-03-11 12:02:25 +08:00
156 changed files with 2412 additions and 5581 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -134,7 +134,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Cache legacy Go
        if: matrix.require_legacy_go
        id: cache-legacy-go
@@ -144,7 +144,7 @@ jobs:
            ~/go/go1.20.14
          key: go120
      - name: Setup legacy Go
-        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
+        if: matrix.require_legacy_go && steps.cache-legacy-go.outputs.cache-hit != 'true'
        run: |-
          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
          tar -xzf go1.20.14.linux-amd64.tar.gz
@@ -153,13 +153,13 @@ jobs:
        if: matrix.goos == 'android'
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
          local-cache: true
      - name: Setup Goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
-          version: latest
+          version: nightly
          install-only: true
      - name: Extract signing key
        run: |-
@@ -219,12 +219,12 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -256,9 +256,16 @@ jobs:
        with:
          path: ~/.gradle
          key: gradle-${{ hashFiles('**/*.gradle') }}
-      - name: Build
+      - name: Update version
+        if: github.event_name == 'workflow_dispatch'
        run: |-
          go run -v ./cmd/internal/update_android_version --ci
+      - name: Update nightly version
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci --nightly
+      - name: Build
+        run: |-
          mkdir clients/android/app/libs
          cp libbox.aar clients/android/app/libs
          cd clients/android
@@ -294,12 +301,12 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
        with:
-          ndk-version: r28-beta2
+          ndk-version: r28
      - name: Setup OpenJDK
        run: |-
          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
@@ -392,7 +399,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Setup Xcode stable
        if: matrix.if && github.ref == 'refs/heads/main-next'
        run: |-
@@ -548,7 +555,7 @@ jobs:
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
-          version: latest
+          version: 2.5.1
          install-only: true
      - name: Cache ghr
        uses: actions/cache@v4
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -28,7 +28,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -16,7 +16,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.23
+          go-version: ^1.24
      - name: Extract signing key
        run: |-
          mkdir -p $HOME/.gnupg
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -32,7 +32,6 @@ run:
    - with_reality_server
    - with_acme
    - with_clash_api
-    - badlinkname

 issues:
  exclude-dirs:
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -6,10 +6,7 @@ builds:
      - -v
      - -trimpath
    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-      - -checklinkname=0
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -11,7 +11,6 @@ builds:
      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
      - -s
      - -buildid=
-      - -checklinkname=0
    tags:
      - with_gvisor
      - with_quic
@@ -53,7 +52,7 @@ builds:
    env:
      - CGO_ENABLED=0
      - GOROOT={{ .Env.GOPATH }}/go1.20.14
-    gobinary: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
+    tool: "{{ .Env.GOPATH }}/go1.20.14/bin/go"
    targets:
      - windows_amd64_v1
      - windows_386
@@ -96,10 +95,12 @@ archives:
    builds:
      - main
      - android
-    format: tar.gz
+    formats:
+      - tar.gz
    format_overrides:
      - goos: windows
-        format: zip
+        formats:
+          - zip
    wrap_in_directory: true
    files:
      - LICENSE
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
@@ -15,7 +15,7 @@ RUN set -ex \
    && go build -v -trimpath -tags \
        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
        -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
--- a/5
+++ b/5
@@ -2,15 +2,14 @@ NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
 TAGS_GO121 = with_ech
-TAGS_GO123 = with_tailscale,badlinkname
-TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121),$(TAGS_GO123)
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server

 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)

-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -1,73 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net/netip"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/logger"
-
-	"github.com/miekg/dns"
-)
-
-type DNSRouter interface {
-	Lifecycle
-	Exchange(ctx context.Context, message *dns.Msg, options DNSQueryOptions) (*dns.Msg, error)
-	Lookup(ctx context.Context, domain string, options DNSQueryOptions) ([]netip.Addr, error)
-	ClearCache()
-	LookupReverseMapping(ip netip.Addr) (string, bool)
-	ResetNetwork()
-}
-
-type DNSClient interface {
-	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
-	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
-	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
-	ClearCache()
-}
-
-type DNSQueryOptions struct {
-	Transport    DNSTransport
-	Strategy     C.DomainStrategy
-	DisableCache bool
-	RewriteTTL   *uint32
-	ClientSubnet netip.Prefix
-}
-
-type RDRCStore interface {
-	LoadRDRC(transportName string, qName string, qType uint16) (rejected bool)
-	SaveRDRC(transportName string, qName string, qType uint16) error
-	SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger)
-}
-
-type DNSTransport interface {
-	Type() string
-	Tag() string
-	Dependencies() []string
-	Reset()
-	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
-}
-
-type LegacyDNSTransport interface {
-	LegacyStrategy() C.DomainStrategy
-	LegacyClientSubnet() netip.Prefix
-}
-
-type DNSTransportRegistry interface {
-	option.DNSTransportOptionsRegistry
-	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
-}
-
-type DNSTransportManager interface {
-	Lifecycle
-	Transports() []DNSTransport
-	Transport(tag string) (DNSTransport, bool)
-	Default() DNSTransport
-	FakeIP() FakeIPTransport
-	Remove(tag string) error
-	Create(ctx context.Context, logger log.ContextLogger, tag string, outboundType string, options any) error
-}
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/common/urltest"
+	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/varbin"
 )

@@ -30,7 +31,7 @@ type CacheFile interface {
 	FakeIPStorage

 	StoreRDRC() bool
-	RDRCStore
+	dns.RDRCStore

 	LoadMode() string
 	StoreMode(mode string) error
@@ -38,17 +39,17 @@ type CacheFile interface {
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)
 	StoreGroupExpand(group string, expand bool) error
-	LoadRuleSet(tag string) *SavedRuleSet
-	SaveRuleSet(tag string, set *SavedRuleSet) error
+	LoadRuleSet(tag string) *SavedBinary
+	SaveRuleSet(tag string, set *SavedBinary) error
 }

-type SavedRuleSet struct {
+type SavedBinary struct {
 	Content     []byte
 	LastUpdated time.Time
 	LastEtag    string
 }

-func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
+func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	var buffer bytes.Buffer
 	err := binary.Write(&buffer, binary.BigEndian, uint8(1))
 	if err != nil {
@@ -69,7 +70,7 @@ func (s *SavedRuleSet) MarshalBinary() ([]byte, error) {
 	return buffer.Bytes(), nil
 }

-func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
+func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	reader := bytes.NewReader(data)
 	var version uint8
 	err := binary.Read(reader, binary.BigEndian, &version)
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -3,6 +3,7 @@ package adapter
 import (
 	"net/netip"

+	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 )

@@ -26,6 +27,6 @@ type FakeIPStorage interface {
 }

 type FakeIPTransport interface {
-	DNSTransport
+	dns.Transport
 	Store() FakeIPStore
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -77,6 +77,8 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

+	DNSServer string
+
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string
--- a/adapter/network.go
+++ b/adapter/network.go
@@ -25,6 +25,7 @@ type NetworkManager interface {
 	PackageManager() tun.PackageManager
 	WIFIState() WIFIState
 	ResetNetwork()
+	UpdateWIFIState()
 }

 type NetworkOptions struct {
--- a/adapter/outbound/manager.go
+++ b/adapter/outbound/manager.go
@@ -23,7 +23,7 @@ type Manager struct {
 	registry                adapter.OutboundRegistry
 	endpoint                adapter.EndpointManager
 	defaultTag              string
-	access                  sync.RWMutex
+	access                  sync.Mutex
 	started                 bool
 	stage                   adapter.StartStage
 	outbounds               []adapter.Outbound
@@ -169,15 +169,15 @@ func (m *Manager) Close() error {
 }

 func (m *Manager) Outbounds() []adapter.Outbound {
-	m.access.RLock()
-	defer m.access.RUnlock()
+	m.access.Lock()
+	defer m.access.Unlock()
 	return m.outbounds
 }

 func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
-	m.access.RLock()
+	m.access.Lock()
 	outbound, found := m.outboundByTag[tag]
-	m.access.RUnlock()
+	m.access.Unlock()
 	if found {
 		return outbound, true
 	}
@@ -185,8 +185,8 @@ func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
 }

 func (m *Manager) Default() adapter.Outbound {
-	m.access.RLock()
-	defer m.access.RUnlock()
+	m.access.Lock()
+	defer m.access.Unlock()
 	if m.defaultOutbound != nil {
 		return m.defaultOutbound
 	} else {
@@ -196,9 +196,9 @@ func (m *Manager) Default() adapter.Outbound {

 func (m *Manager) Remove(tag string) error {
 	m.access.Lock()
-	defer m.access.Unlock()
 	outbound, found := m.outboundByTag[tag]
 	if !found {
+		m.access.Unlock()
 		return os.ErrInvalid
 	}
 	delete(m.outboundByTag, tag)
@@ -232,6 +232,7 @@ func (m *Manager) Remove(tag string) error {
 			})
 		}
 	}
+	m.access.Unlock()
 	if started {
 		return common.Close(outbound)
 	}
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -4,25 +4,42 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"net/netip"
 	"sync"

+	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-dns"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"

+	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )

 type Router interface {
 	Lifecycle
+
+	FakeIPStore() FakeIPStore
+
 	ConnectionRouter
 	PreMatch(metadata InboundContext) error
 	ConnectionRouterEx
+
+	GeoIPReader() *geoip.Reader
+	LoadGeosite(code string) (Rule, error)
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool
+
+	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
+	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
+	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
+	ClearDNSCache()
 	Rules() []Rule
+
 	SetTracker(tracker ConnectionTracker)
+
 	ResetNetwork()
 }

--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -13,6 +13,7 @@ type Rule interface {
 	HeadlessRule
 	Service
 	Type() string
+	UpdateGeosite() error
 	Action() RuleAction
 }

--- a/box.go
+++ b/box.go
@@ -16,8 +16,6 @@ import (
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
@@ -36,19 +34,17 @@ import (
 var _ adapter.Service = (*Box)(nil)

 type Box struct {
-	createdAt    time.Time
-	logFactory   log.Factory
-	logger       log.ContextLogger
-	network      *route.NetworkManager
-	endpoint     *endpoint.Manager
-	inbound      *inbound.Manager
-	outbound     *outbound.Manager
-	dnsTransport *dns.TransportManager
-	dnsRouter    *dns.Router
-	connection   *route.ConnectionManager
-	router       *route.Router
-	services     []adapter.LifecycleService
-	done         chan struct{}
+	createdAt  time.Time
+	logFactory log.Factory
+	logger     log.ContextLogger
+	network    *route.NetworkManager
+	endpoint   *endpoint.Manager
+	inbound    *inbound.Manager
+	outbound   *outbound.Manager
+	connection *route.ConnectionManager
+	router     *route.Router
+	services   []adapter.LifecycleService
+	done       chan struct{}
 }

 type Options struct {
@@ -62,7 +58,6 @@ func Context(
 	inboundRegistry adapter.InboundRegistry,
 	outboundRegistry adapter.OutboundRegistry,
 	endpointRegistry adapter.EndpointRegistry,
-	dnsTransportRegistry adapter.DNSTransportRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -79,10 +74,6 @@ func Context(
 		ctx = service.ContextWith[option.EndpointOptionsRegistry](ctx, endpointRegistry)
 		ctx = service.ContextWith[adapter.EndpointRegistry](ctx, endpointRegistry)
 	}
-	if service.FromContext[adapter.DNSTransportRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.DNSTransportOptionsRegistry](ctx, dnsTransportRegistry)
-		ctx = service.ContextWith[adapter.DNSTransportRegistry](ctx, dnsTransportRegistry)
-	}
 	return ctx
 }

@@ -97,7 +88,6 @@ func New(options Options) (*Box, error) {
 	endpointRegistry := service.FromContext[adapter.EndpointRegistry](ctx)
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
-	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)

 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -142,17 +132,13 @@ func New(options Options) (*Box, error) {
 	}

 	routeOptions := common.PtrValueOrDefault(options.Route)
-	dnsOptions := common.PtrValueOrDefault(options.DNS)
 	endpointManager := endpoint.NewManager(logFactory.NewLogger("endpoint"), endpointRegistry)
 	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
-	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
-	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
-	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
-	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
+
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -160,40 +146,18 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
 	connectionManager := route.NewConnectionManager(logFactory.NewLogger("connection"))
 	service.MustRegister[adapter.ConnectionManager](ctx, connectionManager)
-	router := route.NewRouter(ctx, logFactory, routeOptions, dnsOptions)
-	service.MustRegister[adapter.Router](ctx, router)
-	err = router.Initialize(routeOptions.Rules, routeOptions.RuleSet)
+	router, err := route.NewRouter(ctx, logFactory, routeOptions, common.PtrValueOrDefault(options.DNS))
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
+
 	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	var timeService *tls.TimeServiceWrapper
 	if ntpOptions.Enabled {
 		timeService = new(tls.TimeServiceWrapper)
 		service.MustRegister[ntp.TimeService](ctx, timeService)
 	}
-	for i, transportOptions := range dnsOptions.Servers {
-		var tag string
-		if transportOptions.Tag != "" {
-			tag = transportOptions.Tag
-		} else {
-			tag = F.ToString(i)
-		}
-		err = dnsTransportManager.Create(
-			ctx,
-			logFactory.NewLogger(F.ToString("dns/", transportOptions.Type, "[", tag, "]")),
-			tag,
-			transportOptions.Type,
-			transportOptions.Options,
-		)
-		if err != nil {
-			return nil, E.Cause(err, "initialize inbound[", i, "]")
-		}
-	}
-	err = dnsRouter.Initialize(dnsOptions.Rules)
-	if err != nil {
-		return nil, E.Cause(err, "initialize dns router")
-	}
+
 	for i, endpointOptions := range options.Endpoints {
 		var tag string
 		if endpointOptions.Tag != "" {
@@ -201,8 +165,15 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
+		endpointCtx := ctx
+		if tag != "" {
+			// TODO: remove this
+			endpointCtx = adapter.WithContext(endpointCtx, &adapter.InboundContext{
+				Outbound: tag,
+			})
+		}
 		err = endpointManager.Create(
-			ctx,
+			endpointCtx,
 			router,
 			logFactory.NewLogger(F.ToString("endpoint/", endpointOptions.Type, "[", tag, "]")),
 			tag,
@@ -267,13 +238,6 @@ func New(options Options) (*Box, error) {
 			option.DirectOutboundOptions{},
 		),
 	))
-	dnsTransportManager.Initialize(common.Must1(
-		local.NewTransport(
-			ctx,
-			logFactory.NewLogger("dns/local"),
-			"local",
-			option.LocalDNSServerOptions{},
-		)))
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {
@@ -309,7 +273,7 @@ func New(options Options) (*Box, error) {
 		}
 	}
 	if ntpOptions.Enabled {
-		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions, ntpOptions.ServerIsDomain())
+		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
@@ -325,19 +289,17 @@ func New(options Options) (*Box, error) {
 		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:      networkManager,
-		endpoint:     endpointManager,
-		inbound:      inboundManager,
-		outbound:     outboundManager,
-		dnsTransport: dnsTransportManager,
-		dnsRouter:    dnsRouter,
-		connection:   connectionManager,
-		router:       router,
-		createdAt:    createdAt,
-		logFactory:   logFactory,
-		logger:       logFactory.Logger(),
-		services:     services,
-		done:         make(chan struct{}),
+		network:    networkManager,
+		endpoint:   endpointManager,
+		inbound:    inboundManager,
+		outbound:   outboundManager,
+		connection: connectionManager,
+		router:     router,
+		createdAt:  createdAt,
+		logFactory: logFactory,
+		logger:     logFactory.Logger(),
+		services:   services,
+		done:       make(chan struct{}),
 	}, nil
 }

@@ -391,11 +353,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(adapter.StartStateStart, s.outbound, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -419,7 +381,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.connection, s.router, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -427,7 +389,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -446,7 +408,7 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	err := common.Close(
-		s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
+		s.inbound, s.outbound, s.endpoint, s.router, s.connection, s.network,
 	)
 	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/app_store_connect/main.go
+++ b/cmd/internal/app_store_connect/main.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/sagernet/asc-go/asc"
@@ -194,6 +195,10 @@ func publishTestflight(ctx context.Context) error {
 				log.Info(string(platform), " ", tag, " create submission")
 				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
 				if err != nil {
+					if strings.Contains(err.Error(), "ANOTHER_BUILD_IN_REVIEW") {
+						log.Error(err)
+						break
+					}
 					return err
 				}
 			}
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -55,10 +55,10 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid= -checklinkname=0")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api", "with_tailscale")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
--- a/cmd/internal/build_shared/sdk.go
+++ b/cmd/internal/build_shared/sdk.go
@@ -48,7 +48,7 @@ func FindSDK() {
 }

 func findNDK() bool {
-	const fixedVersion = "28.0.12674087"
+	const fixedVersion = "28.0.13004108"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
--- a/cmd/internal/update_android_version/main.go
+++ b/cmd/internal/update_android_version/main.go
@@ -13,10 +13,14 @@ import (
 	"github.com/sagernet/sing/common"
 )

-var flagRunInCI bool
+var (
+	flagRunInCI    bool
+	flagRunNightly bool
+)

 func init() {
 	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+	flag.BoolVar(&flagRunNightly, "nightly", false, "Run nightly")
 }

 func main() {
@@ -46,21 +50,23 @@ func main() {
 		switch propPair[0] {
 		case "VERSION_NAME":
 			if propPair[1] != newVersion {
+				log.Info("updated version from ", propPair[1], " to ", newVersion)
 				versionUpdated = true
 				propPair[1] = newVersion
-				log.Info("updated version to ", newVersion)
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {
+				log.Info("updated Go version from ", propPair[1], " to ", runtime.Version())
 				goVersionUpdated = true
 				propPair[1] = runtime.Version()
-				log.Info("updated Go version to ", runtime.Version())
 			}
 		}
 	}
 	if !(versionUpdated || goVersionUpdated) {
 		log.Info("version not changed")
 		return
+	} else if flagRunInCI && !flagRunNightly {
+		log.Fatal("version changed, commit changes first.")
 	}
 	for _, propPair := range propsList {
 		switch propPair[0] {
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@@ -69,5 +69,5 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
-	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry())
 }
--- a/cmd/sing-box/cmd_generate_tls.go
+++ b/cmd/sing-box/cmd_generate_tls.go
@@ -30,7 +30,7 @@ func init() {
 }

 func generateTLSKeyPair(serverName string) error {
-	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
+	privateKeyPem, publicKeyPem, err := tls.GenerateCertificate(nil, nil, time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_rule_set_upgrade.go
+++ b/cmd/sing-box/cmd_rule_set_upgrade.go
@@ -61,14 +61,15 @@ func upgradeRuleSet(sourcePath string) error {
 		log.Info("already up-to-date")
 		return nil
 	}
-	plainRuleSet, err := plainRuleSetCompat.Upgrade()
+	plainRuleSetCompat.Options, err = plainRuleSetCompat.Upgrade()
 	if err != nil {
 		return err
 	}
+	plainRuleSetCompat.Version = C.RuleSetVersionCurrent
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
-	err = encoder.Encode(plainRuleSet)
+	err = encoder.Encode(plainRuleSetCompat)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
--- a/common/dialer/default_parallel_interface.go
+++ b/common/dialer/default_parallel_interface.go
@@ -18,6 +18,7 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -31,7 +32,9 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
+			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -89,6 +92,7 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, false, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -103,7 +107,9 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 	results := make(chan dialResult) // unbuffered
 	startRacer := func(ctx context.Context, primary bool, iif adapter.NetworkInterface) {
 		perNetDialer := dialer
-		perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		if defaultInterface == nil || iif.Index != defaultInterface.Index {
+			perNetDialer.Control = control.Append(perNetDialer.Control, control.BindToInterface(nil, iif.Name, iif.Index))
+		}
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
@@ -149,10 +155,13 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, E.New("no available network interface")
 	}
+	defaultInterface := d.networkManager.InterfaceMonitor().DefaultInterface()
 	var errors []error
 	for _, primaryInterface := range primaryInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
+		if defaultInterface == nil || primaryInterface.Index != defaultInterface.Index {
+			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, primaryInterface.Name, primaryInterface.Index))
+		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil
@@ -161,7 +170,9 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
-		perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
+		if defaultInterface == nil || fallbackInterface.Index != defaultInterface.Index {
+			perNetListener.Control = control.Append(perNetListener.Control, control.BindToInterface(nil, fallbackInterface.Name, fallbackInterface.Index))
+		}
 		conn, err := perNetListener.ListenPacket(ctx, network, addr)
 		if err == nil {
 			return conn, nil
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -8,15 +8,15 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )

-func New(ctx context.Context, options option.DialerOptions, remoteIsDomain bool) (N.Dialer, error) {
+func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
 	if options.IsWireGuardListener {
 		return NewDefault(ctx, options)
 	}
@@ -36,26 +36,14 @@ func New(ctx context.Context, options option.DialerOptions, remoteIsDomain bool)
 		}
 		dialer = NewDetour(outboundManager, options.Detour)
 	}
-	if remoteIsDomain && options.Detour == "" && options.DomainResolver == "" {
-		deprecated.Report(ctx, deprecated.OptionMissingDomainResolverInDialOptions)
-	}
-	if (options.Detour == "" && remoteIsDomain) || options.DomainResolver != "" {
-		router := service.FromContext[adapter.DNSRouter](ctx)
+	if options.Detour == "" {
+		router := service.FromContext[adapter.Router](ctx)
 		if router != nil {
-			var resolveTransport adapter.DNSTransport
-			if options.DomainResolver != "" {
-				transport, loaded := service.FromContext[adapter.DNSTransportManager](ctx).Transport(options.DomainResolver)
-				if !loaded {
-					return nil, E.New("DNS server not found: " + options.DomainResolver)
-				}
-				resolveTransport = transport
-			}
 			dialer = NewResolveDialer(
 				router,
 				dialer,
 				options.Detour == "" && !options.TCPFastOpen,
-				resolveTransport,
-				C.DomainStrategy(options.DomainStrategy),
+				dns.DomainStrategy(options.DomainStrategy),
 				time.Duration(options.FallbackDelay))
 		}
 	}
@@ -73,20 +61,11 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 	if err != nil {
 		return nil, err
 	}
-	var resolveTransport adapter.DNSTransport
-	if options.DomainResolver != "" {
-		transport, loaded := service.FromContext[adapter.DNSTransportManager](ctx).Transport(options.DomainResolver)
-		if !loaded {
-			return nil, E.New("DNS server not found: " + options.DomainResolver)
-		}
-		resolveTransport = transport
-	}
 	return NewResolveParallelInterfaceDialer(
-		service.FromContext[adapter.DNSRouter](ctx),
+		service.FromContext[adapter.Router](ctx),
 		dialer,
 		true,
-		resolveTransport,
-		C.DomainStrategy(options.DomainStrategy),
+		dns.DomainStrategy(options.DomainStrategy),
 		time.Duration(options.FallbackDelay),
 	), nil
 }
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -3,11 +3,13 @@ package dialer
 import (
 	"context"
 	"net"
+	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -21,18 +23,16 @@ var (
 type resolveDialer struct {
 	dialer        N.Dialer
 	parallel      bool
-	router        adapter.DNSRouter
-	transport     adapter.DNSTransport
-	strategy      C.DomainStrategy
+	router        adapter.Router
+	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }

-func NewResolveDialer(router adapter.DNSRouter, dialer N.Dialer, parallel bool, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) N.Dialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) N.Dialer {
 	return &resolveDialer{
 		dialer,
 		parallel,
 		router,
-		transport,
 		strategy,
 		fallbackDelay,
 	}
@@ -43,13 +43,12 @@ type resolveParallelNetworkDialer struct {
 	dialer ParallelInterfaceDialer
 }

-func NewResolveParallelInterfaceDialer(router adapter.DNSRouter, dialer ParallelInterfaceDialer, parallel bool, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) ParallelInterfaceDialer {
+func NewResolveParallelInterfaceDialer(router adapter.Router, dialer ParallelInterfaceDialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) ParallelInterfaceDialer {
 	return &resolveParallelNetworkDialer{
 		resolveDialer{
 			dialer,
 			parallel,
 			router,
-			transport,
 			strategy,
 			fallbackDelay,
 		},
@@ -61,13 +60,22 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
+	metadata.Destination = destination
+	metadata.Domain = ""
+	var addresses []netip.Addr
+	var err error
+	if d.strategy == dns.DomainStrategyAsIS {
+		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
+	} else {
+		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
+	}
 	if err != nil {
 		return nil, err
 	}
 	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 	} else {
 		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
 	}
@@ -77,8 +85,17 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
+	metadata.Destination = destination
+	metadata.Domain = ""
+	var addresses []netip.Addr
+	var err error
+	if d.strategy == dns.DomainStrategyAsIS {
+		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
+	} else {
+		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -93,8 +110,17 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
+	metadata.Destination = destination
+	metadata.Domain = ""
+	var addresses []netip.Addr
+	var err error
+	if d.strategy == dns.DomainStrategyAsIS {
+		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
+	} else {
+		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -102,7 +128,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 		fallbackDelay = d.fallbackDelay
 	}
 	if d.parallel {
-		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
 		return DialSerialNetwork(ctx, d.dialer, network, destination, addresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
@@ -112,8 +138,17 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
+	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
+	metadata.Destination = destination
+	metadata.Domain = ""
+	var addresses []netip.Addr
+	var err error
+	if d.strategy == dns.DomainStrategyAsIS {
+		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
+	} else {
+		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
+	}
 	if err != nil {
 		return nil, err
 	}
--- a/common/dialer/router.go
+++ b/common/dialer/router.go
@@ -7,27 +7,24 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )

 type DefaultOutboundDialer struct {
-	outbound adapter.OutboundManager
+	outboundManager adapter.OutboundManager
 }

-func NewDefaultOutbound(ctx context.Context) N.Dialer {
-	return &DefaultOutboundDialer{
-		outbound: service.FromContext[adapter.OutboundManager](ctx),
-	}
+func NewDefaultOutbound(outboundManager adapter.OutboundManager) N.Dialer {
+	return &DefaultOutboundDialer{outboundManager: outboundManager}
 }

 func (d *DefaultOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.outbound.Default().DialContext(ctx, network, destination)
+	return d.outboundManager.Default().DialContext(ctx, network, destination)
 }

 func (d *DefaultOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.outbound.Default().ListenPacket(ctx, destination)
+	return d.outboundManager.Default().ListenPacket(ctx, destination)
 }

 func (d *DefaultOutboundDialer) Upstream() any {
-	return d.outbound.Default()
+	return d.outboundManager.Default()
 }
--- a/common/sniff/quic_test.go
+++ b/common/sniff/quic_test.go
@@ -12,6 +12,26 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func TestSniffQUICChromeNew(t *testing.T) {
+	t.Parallel()
+	pkt, err := hex.DecodeString("ca0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea4489ad89c322f75f9a383c90d126a0b21104cb519c2bb32e6a134e86896452e942b26c519b8c7ac9e4c99fae5e1f65cf08fb98443b30e4567932e8fb0789820d8f33037b59ac8113530258c9467dfb52489396dae01f099d28b234efa107fa411f2a1ffa2abe74988e03d662d4296024e95ce0fe1671724937157f77b84990478a2d4060676cf0827b4e8c600654111750414dafa0cccb332f3020c2922a015f445df5edc9c7d2d1ceea9fddcc9ff821c9183aa39a70da20fcc057579e1051c1c899148d6cf9d08b4919822082d040d1ce03ca4f216be6cb7ef03db6df0993ef1ccce5c8c648980554f41704526e1809d2545739f5872e75ec797db1c99f5682e2eda9363cb32aa367b7b363c782ddbacf874183cc15c8a2db068dd4093eebdd096ad33832a7939deb0a872279744f5a56dc001ba62fac973bf680f3b362bdd336add4dd102f462b773bf70bfce1921070a802a92025273a177186d1a643081b42175eb789ccddadb71033ef4feacbf6fd282ab622cf61669d73cda559e411c6ccdd8f003443b6933b7729b7a357aa4aa2fba0f365f829a4d497afb5dc2648a53bc9f3e786d955069d0a4781088a5463747dfe9958ea19ea444eae947ec6a67640955f710f93640084f3fbb8ad259b68dbc0ee0b7fab2d81bffd83ed8a6d33522dbfef43bec0a0fb4bdf1cb712dc4ced0680c0687fa240fd157baa232b1c84e14adce6421cf9270f9b3972f98fc67b344b8a4f1fb551e26f7f76d484ed9f8197f231dc5d9a44cc0ddce73d7f810a620851f4e97eb5037ab5135d7c3be5b80cc32d19910b8387aca64c93c02dc3e35238b78e6aff470722078982e58802844932b6041446bfdcc97ba640cbb86721bcd0f40f27b77aa6287ce5674ec1720134b9302875482c3269787e004b9edb483d44f326eef38c0e83cb46af96488c2e696bc2524567fb29c1e8edcd5a73615496d172d46a9d29e0505c0018b7bbb00165eca0389e09c4b1d73b6cc4a2f735a720650134a2e98e8105e20695cf231b92586237dfe0f99c897414e51c21627496276535f07abb53fb2b554376fe520fa45a3e944fd91dfe7a72aead08842b6b63d8edf861fb911954c83bd9a896eb9da4af5eff646455069d747facd4e77c254096843bff7c3e9031dbdf8dc37ea45f1122922fcbc322ec1378f3c7c1af0da62e1052e6210f1b23073f93a82d90e14cb20bc4501d487a1c848674d57a7c269b13590b3a99d8b8b4f6d0dfbd1d2cbbe7a32c0d5c84ae7ec438b0b19f3862d8fabaa828d06c7e3c6967405cd56a1ae90f38633e2ee0e3ecfca3df399fe12f029e0860a1a30da010300d0c94f0bf56091d00011488c1429928b21c739ebf50ba8be91116315d3173f6d2c56735722478c4d74392ba84d1727036b3d64e8c2263b0f33cb8086be587ca6b3940259c06afa2683868856529303ae12e91d7ca874568be7f2bfaa0656dfab0ed31ed90eaea10fb7f3433ec59a334abe6211d547fa0c825ac45d3691e749d15432008de83e9f6d98f368359137ae803d9189b3386f800c7c0cf4b615d1983cf82d9981a8105b60a80fe66c9b0d439b5ba153dd19e9e7483a01cf3b02b4597540b38e658d4eb8455e030b2bf2690bdd78c23f16fe5")
+	require.NoError(t, err)
+	var metadata adapter.InboundContext
+	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+	require.Equal(t, metadata.Protocol, C.ProtocolQUIC)
+	require.Equal(t, metadata.Client, C.ClientChromium)
+	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
+	pkt, err = hex.DecodeString("cc0000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea44894b626c685cd5d5c965f7e97b3a1bdc520b75813e747f37a3ae83ad38b9ca2acb0de4fc9424839a50c8fb815a62b498609fbbc59145698860e0509cc08a04d1b119daef844ba2f09c16e2665e5cc0b47624b71f7b950c54fd56b4a1fbb826cba44eeeee3949ced8f5de60d4c81b19ee59f75aa1abb33f22c6b13c27095eb1e99cff01fdc93e6e88da2622ee18c08a79f508befd7e33e99bca60e64bef9a47b764384bd93823daeeb6fcb4d7cfbc4ab53eff59b3636f6dcaaf229b5a94941b5712807166b9bd5e82cb4a9708a71451c4cd6f6e33fb2fe40c8c70dd51a30b37ff9c5e35783debde0093fde19ce074b4887b3c90980b107b9c0f32cf61a66f37c251b789abc4d27fc421207966846c8cc7faa42d9af6ad355a6bc94cb78223b612be8b3e2a4df61fee83a674a0ceb8b7c3a29b97102cda22fecdf6a4628e5b612bc17eab64d6f75feedd0b106c0419e484e66725759964cb5935ac5125e5ae920cd280bd40df57c1d7ae1845700bd4eb7b7ab12bc0850950bfe6e69edd6ac1daa5db2c2b07484327196e561c513462d72872dc6771c39f6b60d46a1f2c92343b7338450a0ef8e39f97fa70652b3a12cd04043698951627aaaa82cc95e76df92021d30e8014c984f12eea0143de8b17e5e4a36ec07bf4814251b391f168a59ef75afcd2319249aaba930f06bb7a11b9491e6f71b3d5774a6503a965e94edd0a67737282fc9cb0271779ff14151b7aa9267bb8f7d643185512515aeea513c0c98bfae782381a3317064195d8825cf8b25c17cdab5fced02612a3f2870e40df57e6ca3f08228a2b04e8de1425eb4b970118f9bbdc212223ff86a5d6b648cdf2366722f21de4b14a1014879eadb69215cdb1aa2a9f4f310ecfe3116214fe3ab0a23f4775a0a54b48d7dfd8f7283ed687b3ac7e1a7e42a0bdc3478aba8651c03e1e9cc9df17d106b8130afe854269b0103b7a696f452721887b19d8181830073c9f10684c65f96d3a6c6efbae044eec03d6399e001fa44d54635dc72f9b8ea6b87d0f452cad1e1e32273e2b47c40f2730235adcae8523b8282f86b8cf1ab63ae54aaa06130df3bbf6ecac7d7d1d43d2a87aea837267ff8ccfaa4b7e47b7ded909e6603d0b928a304f8915c839153598adc4178eb48bc0e98ad7793d7980275e1e491ba4847a4a04ae30fe7f5cc7d4b6f4f63a525e9964d72245860ca76a668a4654adb6619f16e9db79131e5675b93cafb96c92f1da8464d4fef2a22e7f9db695965fe2cc27ea30974629c8fe17cfa2f860179e1eb9faaa88a91ec9ce6da28c1a2894c3b932b5e1c807146718cc77ca13c61eaae00c7c99e019f599772064b198c5c2c5e863336367673630b417ac845ddb7c93b0856317e5d64bab208c5730abc2c63536784fbeaaec139dffc917e775715f1e42164ddef5138d4d163609ab3fbdcab968f8738385c0e7e34ff3cf7771a1dc5ba25a8850fdf96dabafa21f9065f307457ce9af4b7a73450c9d20a3b46fa8d3a1163d22bd01a7d17f0ec274181bf9640fa941427694bfeb1346089f7a851efe0fbb7a2041fa6bb6541ccbad77dd3e1a97999fc05f1fef070e7b5c4b385b8b2a8cc32483fdeba6a373970de2fa4139ba18e5916f949aab0aab2894")
+	require.NoError(t, err)
+	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+	require.ErrorIs(t, err, sniff.ErrClientHelloFragmented)
+	pkt, err = hex.DecodeString("c20000000108e241a0c601413b4f004046006d8f15dae9999edf39d58df6762822b9a2ab996d7f6a10044338af3b51b1814bc4ac0fa5a87c34c6ae604af8cabc5957c5240174deefc8e378719ffdab2ae4e15bf4514bea4489e2ff30c43a5f63beb2e4501ce7754085bcbe838003a0b4bccb53863c0766df7eac073c2bdc170772b157997945acdc2ab2e84750cc9aa0ffa0fdc023da7fc565a14f87f7c563dbc9183dd226aab79957d263f66e64b85a1b15a24516bd2c7c04eea4fa0a34ef9849c21585db2e4adb7c05e265c4f38d8ffe4cbed0f3b0e68f3693bf1f726c3fb135b8e32a5d22931d7c55fc2ff4b9a354933ab14544df3cdaf3e3217dfb8d7feb3465dc34df6320ea486f12e5b2d609aaa5f4515c20c86fc440f8087be0ee3d339835746ae2573c2afdee6bb6ef7e9eb541feae9209391b2902cfb0bdaccd9da8d290714638b7da588d4a656ca6eabba78b7363922d6037cf060b161a42019d4feb4156459103cffdeefd0e63114af2b0e0c39e70ebc7fecb8dd1ebb8d60b2137f509bb7dcef5f1d3e06ab1d391466652d57440a410fb4f58a6ce1fb62feb453241f64e110709f59a3d9ebdac94f811337d0e4a80fd6b56b2a70cd6eebbf98e1661291da6bf5beb8b8afc376dfd20eb76afe709e8e8f28e0ef82105954e346546ad25973df43f4acddbec0ffd9b215f62abebebf71305b5ea993560316f69430bf5afe50420340622f802b5830f3bcebffff04980c75a59d28902879e5d51a4fb21062a4ae13c42297075b21d54ee04303879c1157e7470c1451673c98a2f3921f2f3e8f6acfe85b01caaca66b59e5ebffbfe68e5e9ab17e9a1b857eb409df91cb76767fc1814fd3c522a9b117edd0b02526e469cb4afb291a4dcc74c79b47ec6e7ce558c597129366f83ec306b11d2598c705fd4ee9ee99df6b7039bef13b08fc6f26853ad213829d24f895747d45a47414f931c583fb6c3e4f6c27d0c2b81a5f3cee390ec6314e1fec637e8d28b675e97caafdfbf8c25d34a635083a7553d219dd80dbb39087d74c6ad6192ca6f48a3ff8d47db41b2a492c63fcd780012780931dae0a325f9dcbd772d09a700f132c4bc1d9809b25b9751b694eb72a8ba4db7208d2b1bab63e1845208e4f841ea30218a559db98751589716b6d059ca673378f5fe7c7d8a1c82e14a561c47313bbcc278412ba86ffb2b87ec308eab9df696f5b4b54f8e361731bf232820a02a35fda7e5d4bf01b8f005ad299a055116e7b23c181f15a66442cf6032ca477bccc55b79d424eb4f245847bd81a581dc369dd20b1a4892733bde3c38e492c0039f69f2b947a4dc251a49ee7ccc0f36b3b75a555fa1d126db75f94dab60f52f6b15a877a0c380b59f82d35c570bc5f8051e9ef87db51f52383d47b50829b7f9e947ccc67aa280566aa48b4a85c1c7eca6f542789d8abcc050f1aa3cc221b6859656a21454aa21c7bfb9d12115f61c3ed46263ade68a8d3679fa62a659a5da7817406bd16618fccf33ed208ada1b03584e8b485d3cb6ed80a0774e60b6cd55aff64169ea998cf8235997049515abac58e0169ca07fb1c8c4c8b2803ba9d27b44c045d0a1cac86e5e188195c68001f53eb44851b6d821fc01ccbb41e27f38e6ddd66540c2d62ed6e0d551e22c0f26b60078c74a6302a1ed3d9e8fc0861257a63f6ac4e759fd54bff088becd28e30944a6c15db4fc8ae6244346869add946d9d92c430d737e042fa18b28a8ed64d1e8987ad9061cdc1335f")
+	require.NoError(t, err)
+	err = sniff.QUICClientHello(context.Background(), &metadata, pkt)
+	require.NoError(t, err)
+	require.Equal(t, "www.google.com", metadata.Domain)
+}
+
 func TestSniffQUICChromium(t *testing.T) {
 	t.Parallel()
 	pkt, err := hex.DecodeString("c30000000108f40d654cc09b27f5000044d08a94548e57e43cc5483f129986187c432d58d46674830442988f869566a6e31e2ae37c9f7acbf61cc81621594fab0b3dfdc1635460b32389563dc8e74006315661cd22694114612973c1c45910621713a48b375854f095e8a77ccf3afa64e972f0f7f7002f50e0b014b1b146ea47c07fb20b73ad5587872b51a0b3fafdf1c4cf4fe6f8b112142392efa25d993abe2f42582be145148bdfe12edcd96c3655b65a4781b093e5594ba8e3ae5320f12e8314fc3ca374128cc43381046c322b964681ed4395c813b28534505118201459665a44b8f0abead877de322e9040631d20b05f15b81fa7ff785d4041aecc37c7e2ccdc5d1532787ce566517e8985fd5c200dbfd1e67bc255efaba94cfc07bb52fea4a90887413b134f2715b5643542aa897c6116486f428d82da64d2a2c1e1bdd40bd592558901a554b003d6966ac5a7b8b9413eddbf6ef21f28386c74981e3ce1d724c341e95494907626659692720c81114ca4acea35a14c402cfa3dc2228446e78dc1b81fa4325cf7e314a9cad6a6bdff33b3351dcba74eb15fae67f1227283aa4cdd64bcadf8f19358333f8549b596f4350297b5c65274565869d497398339947b9d3d064e5b06d39d34b436d8a41c1a3880de10bd26c3b1c5b4e2a49b0d4d07b8d90cd9e92bc611564d19ea8ec33099e92033caf21f5307dbeaa4708b99eb313bff99e2081ac25fd12d6a72e8335e0724f6718fe023cd0ad0d6e6a6309f09c9c391eec2bc08e9c3210a043c08e1759f354c121f6517fff4d6e20711a871e41285d48d930352fddffb92c96ba57df045ce99f8bfdfa8edc0969ce68a51e9fbb4f54b956d9df74a9e4af27ed2b27839bce1cffeca8333c0aaee81a570217442f9029ba8fedb84a2cf4be4d910982d891ea00e816c7fb98e8020e896a9c6fdd9106611da0a99dde18df1b7a8f6327acb1eed9ad93314451e48cb0dfb9571728521ca3db2ac0968159d5622556a55d51a422d11995b650949aaefc5d24c16080446dfc4fbc10353f9f93ce161ab513367bb89ab83988e0630b689e174e27bcfcc31996ee7b0bca909e251b82d69a28fee5a5d662e127508cd19dbbe5097b7d5b62a49203d66764197a527e472e2627e44a93d44177dace9d60e7d0e03305ddf4cfe47cdf2362e14de79ef46a6763ce696cd7854a48d9419a0817507a4713ffd4977b906d4f2b5fb6dbe1bd15bc505d5fea582190bf531a45d5ee026da8918547fd5105f15e5d061c7b0cf80a34990366ed8e91e13c2f0d85e5dad537298808d193cf54b7eaac33f10051f74cb6b75e52f81618c36f03d86aef613ba237a1a793ba1539938a38f62ccaf7bd5f6c5e0ce53cde4012fcf2b758214a0422d2faaa798e86e19d7481b42df2b36a73d287ff28c20cce01ce598771fec16a8f1f00305c06010126013a6c1de9f589b4e79d693717cd88ad1c42a2d99fa96617ba0bc6365b68e21a70ebc447904aa27979e1514433cfd83bfec09f137c747d47582cb63eb28f873fb94cf7a59ff764ddfbb687d79a58bb10f85949269f7f72c611a5e0fbb52adfa298ff060ec2eb7216fd7302ea8fb07798cbb3be25cb53ac8161aac2b5bbcfbcfb01c113d28bd1cb0333fb89ac82a95930f7abded0a2f5a623cc6a1f62bf3f38ef1b81c1e50a634f657dbb6770e4af45879e2fb1e00c742e7b52205c8015b5c0f5b1e40186ff9aa7288ab3e01a51fb87761f9bc6837082af109b39cc9f620")
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -15,8 +15,8 @@ import (

 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
@@ -215,7 +215,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := service.FromContext[adapter.DNSRouter](ctx).Exchange(ctx, message, adapter.DNSQueryOptions{})
+		response, err := service.FromContext[adapter.Router](ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}
--- a/common/tls/mkcert.go
+++ b/common/tls/mkcert.go
@@ -11,8 +11,8 @@ import (
 	"time"
 )

-func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	privateKeyPem, publicKeyPem, err := GenerateKeyPair(timeFunc, serverName, timeFunc().Add(time.Hour))
+func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+	privateKeyPem, publicKeyPem, err := GenerateCertificate(parent, parentKey, timeFunc, serverName, timeFunc().Add(time.Hour))
 	if err != nil {
 		return nil, err
 	}
@@ -23,7 +23,7 @@ func GenerateCertificate(timeFunc func() time.Time, serverName string) (*tls.Cer
 	return &certificate, err
 }

-func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
+func GenerateCertificate(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
 	if timeFunc == nil {
 		timeFunc = time.Now
 	}
@@ -47,7 +47,11 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string, expire time.T
 		},
 		DNSNames: []string{serverName},
 	}
-	publicDer, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
+	if parent == nil {
+		parent = template
+		parentKey = key
+	}
+	publicDer, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), parentKey)
 	if err != nil {
 		return
 	}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -101,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}

-	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions, options.Reality.Handshake.ServerIsDomain())
+	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"net"
+	"net/netip"
 	"os"
 	"strings"

@@ -50,7 +51,9 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		serverName = serverAddress
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -222,7 +222,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateCertificate(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(nil, nil, ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -1,34 +1,5 @@
 package constant

-const (
-	DefaultDNSTTL = 600
-)
-
-type DomainStrategy = uint8
-
-const (
-	DomainStrategyAsIS DomainStrategy = iota
-	DomainStrategyPreferIPv4
-	DomainStrategyPreferIPv6
-	DomainStrategyIPv4Only
-	DomainStrategyIPv6Only
-)
-
-const (
-	DNSTypeLegacy     = "legacy"
-	DNSTypeUDP        = "udp"
-	DNSTypeTCP        = "tcp"
-	DNSTypeTLS        = "tls"
-	DNSTypeHTTPS      = "https"
-	DNSTypeQUIC       = "quic"
-	DNSTypeHTTP3      = "h3"
-	DNSTypeLocal      = "local"
-	DNSTypePreDefined = "predefined"
-	DNSTypeFakeIP     = "fakeip"
-	DNSTypeDHCP       = "dhcp"
-	DNSTypeTailscale  = "tailscale"
-)
-
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -23,7 +23,6 @@ const (
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
-	TypeTailscale    = "tailscale"
 )

 const (
--- a/dns/client.go
+++ b/dns/client.go
@@ -1,563 +0,0 @@
-package dns
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/task"
-	"github.com/sagernet/sing/contrab/freelru"
-	"github.com/sagernet/sing/contrab/maphash"
-
-	"github.com/miekg/dns"
-)
-
-var (
-	ErrNoRawSupport           = E.New("no raw query support by current transport")
-	ErrNotCached              = E.New("not cached")
-	ErrResponseRejected       = E.New("response rejected")
-	ErrResponseRejectedCached = E.Extend(ErrResponseRejected, "cached")
-)
-
-var _ adapter.DNSClient = (*Client)(nil)
-
-type Client struct {
-	timeout          time.Duration
-	disableCache     bool
-	disableExpire    bool
-	independentCache bool
-	rdrc             adapter.RDRCStore
-	initRDRCFunc     func() adapter.RDRCStore
-	logger           logger.ContextLogger
-	cache            freelru.Cache[dns.Question, *dns.Msg]
-	transportCache   freelru.Cache[transportCacheKey, *dns.Msg]
-}
-
-type ClientOptions struct {
-	Timeout          time.Duration
-	DisableCache     bool
-	DisableExpire    bool
-	IndependentCache bool
-	CacheCapacity    uint32
-	RDRC             func() adapter.RDRCStore
-	Logger           logger.ContextLogger
-}
-
-func NewClient(options ClientOptions) *Client {
-	client := &Client{
-		timeout:          options.Timeout,
-		disableCache:     options.DisableCache,
-		disableExpire:    options.DisableExpire,
-		independentCache: options.IndependentCache,
-		initRDRCFunc:     options.RDRC,
-		logger:           options.Logger,
-	}
-	if client.timeout == 0 {
-		client.timeout = C.DNSTimeout
-	}
-	cacheCapacity := options.CacheCapacity
-	if cacheCapacity < 1024 {
-		cacheCapacity = 1024
-	}
-	if !client.disableCache {
-		if !client.independentCache {
-			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
-		} else {
-			client.transportCache = common.Must1(freelru.NewSharded[transportCacheKey, *dns.Msg](cacheCapacity, maphash.NewHasher[transportCacheKey]().Hash32))
-		}
-	}
-	return client
-}
-
-type transportCacheKey struct {
-	dns.Question
-	transportTag string
-}
-
-func (c *Client) Start() {
-	if c.initRDRCFunc != nil {
-		c.rdrc = c.initRDRCFunc()
-	}
-}
-
-func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
-	if len(message.Question) == 0 {
-		if c.logger != nil {
-			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
-		}
-		responseMessage := dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:       message.Id,
-				Response: true,
-				Rcode:    dns.RcodeFormatError,
-			},
-			Question: message.Question,
-		}
-		return &responseMessage, nil
-	}
-	question := message.Question[0]
-	if options.ClientSubnet.IsValid() {
-		message = SetClientSubnet(message, options.ClientSubnet, true)
-	}
-	isSimpleRequest := len(message.Question) == 1 &&
-		len(message.Ns) == 0 &&
-		len(message.Extra) == 0 &&
-		!options.ClientSubnet.IsValid()
-	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
-	if !disableCache {
-		response, ttl := c.loadResponse(question, transport)
-		if response != nil {
-			logCachedResponse(c.logger, ctx, response, ttl)
-			response.Id = message.Id
-			return response, nil
-		}
-	}
-	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
-		responseMessage := dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:       message.Id,
-				Response: true,
-				Rcode:    dns.RcodeSuccess,
-			},
-			Question: []dns.Question{question},
-		}
-		if c.logger != nil {
-			c.logger.DebugContext(ctx, "strategy rejected")
-		}
-		return &responseMessage, nil
-	}
-	messageId := message.Id
-	contextTransport, clientSubnetLoaded := transportTagFromContext(ctx)
-	if clientSubnetLoaded && transport.Tag() == contextTransport {
-		return nil, E.New("DNS query loopback in transport[", contextTransport, "]")
-	}
-	ctx = contextWithTransportTag(ctx, transport.Tag())
-	if responseChecker != nil && c.rdrc != nil {
-		rejected := c.rdrc.LoadRDRC(transport.Tag(), question.Name, question.Qtype)
-		if rejected {
-			return nil, ErrResponseRejectedCached
-		}
-	}
-	ctx, cancel := context.WithTimeout(ctx, c.timeout)
-	response, err := transport.Exchange(ctx, message)
-	cancel()
-	if err != nil {
-		return nil, err
-	}
-	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
-		validResponse := response
-	loop:
-		for {
-			var (
-				addresses  int
-				queryCNAME string
-			)
-			for _, rawRR := range validResponse.Answer {
-				switch rr := rawRR.(type) {
-				case *dns.A:
-					break loop
-				case *dns.AAAA:
-					break loop
-				case *dns.CNAME:
-					queryCNAME = rr.Target
-				}
-			}
-			if queryCNAME == "" {
-				break
-			}
-			exMessage := *message
-			exMessage.Question = []dns.Question{{
-				Name:  queryCNAME,
-				Qtype: question.Qtype,
-			}}
-			validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
-			if err != nil {
-				return nil, err
-			}
-		}
-		if validResponse != response {
-			response.Answer = append(response.Answer, validResponse.Answer...)
-		}
-	}*/
-	if responseChecker != nil {
-		addr, addrErr := MessageToAddresses(response)
-		if addrErr != nil || !responseChecker(addr) {
-			if c.rdrc != nil {
-				c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
-			}
-			logRejectedResponse(c.logger, ctx, response)
-			return response, ErrResponseRejected
-		}
-	}
-	if question.Qtype == dns.TypeHTTPS {
-		if options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only {
-			for _, rr := range response.Answer {
-				https, isHTTPS := rr.(*dns.HTTPS)
-				if !isHTTPS {
-					continue
-				}
-				content := https.SVCB
-				content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
-					if options.Strategy == C.DomainStrategyIPv4Only {
-						return it.Key() != dns.SVCB_IPV6HINT
-					} else {
-						return it.Key() != dns.SVCB_IPV4HINT
-					}
-				})
-				https.SVCB = content
-			}
-		}
-	}
-	var timeToLive uint32
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-				timeToLive = record.Header().Ttl
-			}
-		}
-	}
-	if options.RewriteTTL != nil {
-		timeToLive = *options.RewriteTTL
-	}
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			record.Header().Ttl = timeToLive
-		}
-	}
-	response.Id = messageId
-	if !disableCache {
-		c.storeCache(transport, question, response, timeToLive)
-	}
-	logExchangedResponse(c.logger, ctx, response, timeToLive)
-	return response, err
-}
-
-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
-	domain = FqdnToDomain(domain)
-	dnsName := dns.Fqdn(domain)
-	if options.Strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
-	} else if options.Strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
-	}
-	var response4 []netip.Addr
-	var response6 []netip.Addr
-	var group task.Group
-	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
-		if err != nil {
-			return err
-		}
-		response4 = response
-		return nil
-	})
-	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
-		if err != nil {
-			return err
-		}
-		response6 = response
-		return nil
-	})
-	err := group.Run(ctx)
-	if len(response4) == 0 && len(response6) == 0 {
-		return nil, err
-	}
-	return sortAddresses(response4, response6, options.Strategy), nil
-}
-
-func (c *Client) ClearCache() {
-	if c.cache != nil {
-		c.cache.Purge()
-	}
-	if c.transportCache != nil {
-		c.transportCache.Purge()
-	}
-}
-
-func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
-	if c.disableCache || c.independentCache {
-		return nil, false
-	}
-	if dns.IsFqdn(domain) {
-		domain = domain[:len(domain)-1]
-	}
-	dnsName := dns.Fqdn(domain)
-	if strategy == C.DomainStrategyIPv4Only {
-		response, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return response, true
-		}
-	} else if strategy == C.DomainStrategyIPv6Only {
-		response, err := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if err != ErrNotCached {
-			return response, true
-		}
-	} else {
-		response4, _ := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		response6, _ := c.questionCache(dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}, nil)
-		if len(response4) > 0 || len(response6) > 0 {
-			return sortAddresses(response4, response6, strategy), true
-		}
-	}
-	return nil, false
-}
-
-func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
-	if c.disableCache || c.independentCache || len(message.Question) != 1 {
-		return nil, false
-	}
-	question := message.Question[0]
-	response, ttl := c.loadResponse(question, nil)
-	if response == nil {
-		return nil, false
-	}
-	logCachedResponse(c.logger, ctx, response, ttl)
-	response.Id = message.Id
-	return response, true
-}
-
-func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
-	if strategy == C.DomainStrategyPreferIPv6 {
-		return append(response6, response4...)
-	} else {
-		return append(response4, response6...)
-	}
-}
-
-func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Question, message *dns.Msg, timeToLive uint32) {
-	if timeToLive == 0 {
-		return
-	}
-	if c.disableExpire {
-		if !c.independentCache {
-			c.cache.Add(question, message)
-		} else {
-			c.transportCache.Add(transportCacheKey{
-				Question:     question,
-				transportTag: transport.Tag(),
-			}, message)
-		}
-		return
-	}
-	if !c.independentCache {
-		c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
-	} else {
-		c.transportCache.AddWithLifetime(transportCacheKey{
-			Question:     question,
-			transportTag: transport.Tag(),
-		}, message, time.Second*time.Duration(timeToLive))
-	}
-}
-
-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
-	question := dns.Question{
-		Name:   name,
-		Qtype:  qType,
-		Qclass: dns.ClassINET,
-	}
-	disableCache := c.disableCache || options.DisableCache
-	if !disableCache {
-		cachedAddresses, err := c.questionCache(question, transport)
-		if err != ErrNotCached {
-			return cachedAddresses, err
-		}
-	}
-	message := dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			RecursionDesired: true,
-		},
-		Question: []dns.Question{question},
-	}
-	response, err := c.Exchange(ctx, transport, &message, options, responseChecker)
-	if err != nil {
-		return nil, err
-	}
-	return MessageToAddresses(response)
-}
-
-func (c *Client) questionCache(question dns.Question, transport adapter.DNSTransport) ([]netip.Addr, error) {
-	response, _ := c.loadResponse(question, transport)
-	if response == nil {
-		return nil, ErrNotCached
-	}
-	return MessageToAddresses(response)
-}
-
-func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int) {
-	var (
-		response *dns.Msg
-		loaded   bool
-	)
-	if c.disableExpire {
-		if !c.independentCache {
-			response, loaded = c.cache.Get(question)
-		} else {
-			response, loaded = c.transportCache.Get(transportCacheKey{
-				Question:     question,
-				transportTag: transport.Tag(),
-			})
-		}
-		if !loaded {
-			return nil, 0
-		}
-		return response.Copy(), 0
-	} else {
-		var expireAt time.Time
-		if !c.independentCache {
-			response, expireAt, loaded = c.cache.GetWithLifetime(question)
-		} else {
-			response, expireAt, loaded = c.transportCache.GetWithLifetime(transportCacheKey{
-				Question:     question,
-				transportTag: transport.Tag(),
-			})
-		}
-		if !loaded {
-			return nil, 0
-		}
-		timeNow := time.Now()
-		if timeNow.After(expireAt) {
-			if !c.independentCache {
-				c.cache.Remove(question)
-			} else {
-				c.transportCache.Remove(transportCacheKey{
-					Question:     question,
-					transportTag: transport.Tag(),
-				})
-			}
-			return nil, 0
-		}
-		var originTTL int
-		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-			for _, record := range recordList {
-				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
-					originTTL = int(record.Header().Ttl)
-				}
-			}
-		}
-		nowTTL := int(expireAt.Sub(timeNow).Seconds())
-		if nowTTL < 0 {
-			nowTTL = 0
-		}
-		response = response.Copy()
-		if originTTL > 0 {
-			duration := uint32(originTTL - nowTTL)
-			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-				for _, record := range recordList {
-					record.Header().Ttl = record.Header().Ttl - duration
-				}
-			}
-		} else {
-			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-				for _, record := range recordList {
-					record.Header().Ttl = uint32(nowTTL)
-				}
-			}
-		}
-		return response, nowTTL
-	}
-}
-
-func MessageToAddresses(response *dns.Msg) ([]netip.Addr, error) {
-	if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
-		return nil, RCodeError(response.Rcode)
-	}
-	addresses := make([]netip.Addr, 0, len(response.Answer))
-	for _, rawAnswer := range response.Answer {
-		switch answer := rawAnswer.(type) {
-		case *dns.A:
-			addresses = append(addresses, M.AddrFromIP(answer.A))
-		case *dns.AAAA:
-			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
-		case *dns.HTTPS:
-			for _, value := range answer.SVCB.Value {
-				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
-					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
-				}
-			}
-		}
-	}
-	return addresses, nil
-}
-
-func wrapError(err error) error {
-	switch dnsErr := err.(type) {
-	case *net.DNSError:
-		if dnsErr.IsNotFound {
-			return RCodeNameError
-		}
-	case *net.AddrError:
-		return RCodeNameError
-	}
-	return err
-}
-
-type transportKey struct{}
-
-func contextWithTransportTag(ctx context.Context, transportTag string) context.Context {
-	return context.WithValue(ctx, transportKey{}, transportTag)
-}
-
-func transportTagFromContext(ctx context.Context) (string, bool) {
-	value, loaded := ctx.Value(transportKey{}).(string)
-	return value, loaded
-}
-
-func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, timeToLive uint32) *dns.Msg {
-	response := dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:       id,
-			Rcode:    dns.RcodeSuccess,
-			Response: true,
-		},
-		Question: []dns.Question{question},
-	}
-	for _, address := range addresses {
-		if address.Is4() {
-			response.Answer = append(response.Answer, &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-					Ttl:    timeToLive,
-				},
-				A: address.AsSlice(),
-			})
-		} else {
-			response.Answer = append(response.Answer, &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypeAAAA,
-					Class:  dns.ClassINET,
-					Ttl:    timeToLive,
-				},
-				AAAA: address.AsSlice(),
-			})
-		}
-	}
-	return &response
-}
--- a/dns/client_log.go
+++ b/dns/client_log.go
@@ -1,69 +0,0 @@
-package dns
-
-import (
-	"context"
-	"strings"
-
-	"github.com/sagernet/sing/common/logger"
-
-	"github.com/miekg/dns"
-)
-
-func logCachedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl int) {
-	if logger == nil || len(response.Question) == 0 {
-		return
-	}
-	domain := FqdnToDomain(response.Question[0].Name)
-	logger.DebugContext(ctx, "cached ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			logger.InfoContext(ctx, "cached ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
-		}
-	}
-}
-
-func logExchangedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl uint32) {
-	if logger == nil || len(response.Question) == 0 {
-		return
-	}
-	domain := FqdnToDomain(response.Question[0].Name)
-	logger.DebugContext(ctx, "exchanged ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			logger.InfoContext(ctx, "exchanged ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
-		}
-	}
-}
-
-func logRejectedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg) {
-	if logger == nil || len(response.Question) == 0 {
-		return
-	}
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			logger.InfoContext(ctx, "rejected ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
-		}
-	}
-}
-
-func FqdnToDomain(fqdn string) string {
-	if dns.IsFqdn(fqdn) {
-		return fqdn[:len(fqdn)-1]
-	}
-	return fqdn
-}
-
-func FormatQuestion(string string) string {
-	for strings.HasPrefix(string, ";") {
-		string = string[1:]
-	}
-	string = strings.ReplaceAll(string, "\t", " ")
-	string = strings.ReplaceAll(string, "\n", " ")
-	string = strings.ReplaceAll(string, ";; ", " ")
-	string = strings.ReplaceAll(string, "; ", " ")
-
-	for strings.Contains(string, "  ") {
-		string = strings.ReplaceAll(string, "  ", " ")
-	}
-	return strings.TrimSpace(string)
-}
--- a/dns/client_truncate.go
+++ b/dns/client_truncate.go
@@ -1,29 +0,0 @@
-package dns
-
-import (
-	"github.com/sagernet/sing/common/buf"
-
-	"github.com/miekg/dns"
-)
-
-func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf.Buffer, error) {
-	maxLen := 512
-	if edns0Option := request.IsEdns0(); edns0Option != nil {
-		if udpSize := int(edns0Option.UDPSize()); udpSize > 512 {
-			maxLen = udpSize
-		}
-	}
-	responseLen := response.Len()
-	if responseLen > maxLen {
-		response.Truncate(maxLen)
-	}
-	buffer := buf.NewSize(headroom*2 + 1 + responseLen)
-	buffer.Resize(headroom, 0)
-	rawMessage, err := response.PackBuffer(buffer.FreeBytes())
-	if err != nil {
-		buffer.Release()
-		return nil, err
-	}
-	buffer.Truncate(len(rawMessage))
-	return buffer, nil
-}
--- a/dns/extension_edns0_subnet.go
+++ b/dns/extension_edns0_subnet.go
@@ -1,56 +0,0 @@
-package dns
-
-import (
-	"net/netip"
-
-	"github.com/miekg/dns"
-)
-
-func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) *dns.Msg {
-	var (
-		optRecord    *dns.OPT
-		subnetOption *dns.EDNS0_SUBNET
-	)
-findExists:
-	for _, record := range message.Extra {
-		var isOPTRecord bool
-		if optRecord, isOPTRecord = record.(*dns.OPT); isOPTRecord {
-			for _, option := range optRecord.Option {
-				var isEDNS0Subnet bool
-				subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET)
-				if isEDNS0Subnet {
-					if !override {
-						return message
-					}
-					break findExists
-				}
-			}
-		}
-	}
-	if optRecord == nil {
-		exMessage := *message
-		message = &exMessage
-		optRecord = &dns.OPT{
-			Hdr: dns.RR_Header{
-				Name:   ".",
-				Rrtype: dns.TypeOPT,
-			},
-		}
-		message.Extra = append(message.Extra, optRecord)
-	} else {
-		message = message.Copy()
-	}
-	if subnetOption == nil {
-		subnetOption = new(dns.EDNS0_SUBNET)
-		optRecord.Option = append(optRecord.Option, subnetOption)
-	}
-	subnetOption.Code = dns.EDNS0SUBNET
-	if clientSubnet.Addr().Is4() {
-		subnetOption.Family = 1
-	} else {
-		subnetOption.Family = 2
-	}
-	subnetOption.SourceNetmask = uint8(clientSubnet.Bits())
-	subnetOption.Address = clientSubnet.Addr().AsSlice()
-	return message
-}
--- a/dns/rcode.go
+++ b/dns/rcode.go
@@ -1,33 +0,0 @@
-package dns
-
-import F "github.com/sagernet/sing/common/format"
-
-const (
-	RCodeSuccess        RCodeError = 0 // NoError
-	RCodeFormatError    RCodeError = 1 // FormErr
-	RCodeServerFailure  RCodeError = 2 // ServFail
-	RCodeNameError      RCodeError = 3 // NXDomain
-	RCodeNotImplemented RCodeError = 4 // NotImp
-	RCodeRefused        RCodeError = 5 // Refused
-)
-
-type RCodeError uint16
-
-func (e RCodeError) Error() string {
-	switch e {
-	case RCodeSuccess:
-		return "success"
-	case RCodeFormatError:
-		return "format error"
-	case RCodeServerFailure:
-		return "server failure"
-	case RCodeNameError:
-		return "name error"
-	case RCodeNotImplemented:
-		return "not implemented"
-	case RCodeRefused:
-		return "refused"
-	default:
-		return F.ToString("unknown error: ", uint16(e))
-	}
-}
--- a/dns/router.go
+++ b/dns/router.go
@@ -1,430 +0,0 @@
-package dns
-
-import (
-	"context"
-	"errors"
-	"net/netip"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	R "github.com/sagernet/sing-box/route/rule"
-	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/contrab/freelru"
-	"github.com/sagernet/sing/contrab/maphash"
-	"github.com/sagernet/sing/service"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSRouter = (*Router)(nil)
-
-type Router struct {
-	ctx                   context.Context
-	logger                logger.ContextLogger
-	transport             adapter.DNSTransportManager
-	outbound              adapter.OutboundManager
-	client                adapter.DNSClient
-	rules                 []adapter.DNSRule
-	defaultDomainStrategy C.DomainStrategy
-	dnsReverseMapping     freelru.Cache[netip.Addr, string]
-	platformInterface     platform.Interface
-}
-
-func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
-	router := &Router{
-		ctx:                   ctx,
-		logger:                logFactory.NewLogger("dns"),
-		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
-		outbound:              service.FromContext[adapter.OutboundManager](ctx),
-		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
-		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
-	}
-	router.client = NewClient(ClientOptions{
-		DisableCache:     options.DNSClientOptions.DisableCache,
-		DisableExpire:    options.DNSClientOptions.DisableExpire,
-		IndependentCache: options.DNSClientOptions.IndependentCache,
-		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
-		RDRC: func() adapter.RDRCStore {
-			cacheFile := service.FromContext[adapter.CacheFile](ctx)
-			if cacheFile == nil {
-				return nil
-			}
-			if !cacheFile.StoreRDRC() {
-				return nil
-			}
-			return cacheFile
-		},
-		Logger: router.logger,
-	})
-	if options.ReverseMapping {
-		router.dnsReverseMapping = common.Must1(freelru.NewSharded[netip.Addr, string](1024, maphash.NewHasher[netip.Addr]().Hash32))
-	}
-	return router
-}
-
-func (r *Router) Initialize(rules []option.DNSRule) error {
-	for i, ruleOptions := range rules {
-		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
-		if err != nil {
-			return E.Cause(err, "parse dns rule[", i, "]")
-		}
-		r.rules = append(r.rules, dnsRule)
-	}
-	return nil
-}
-
-func (r *Router) Start(stage adapter.StartStage) error {
-	monitor := taskmonitor.New(r.logger, C.StartTimeout)
-	switch stage {
-	case adapter.StartStateStart:
-		monitor.Start("initialize DNS client")
-		r.client.Start()
-		monitor.Finish()
-
-		for i, rule := range r.rules {
-			monitor.Start("initialize DNS rule[", i, "]")
-			err := rule.Start()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "initialize DNS rule[", i, "]")
-			}
-		}
-	}
-	return nil
-}
-
-func (r *Router) Close() error {
-	monitor := taskmonitor.New(r.logger, C.StopTimeout)
-	var err error
-	for i, rule := range r.rules {
-		monitor.Start("close dns rule[", i, "]")
-		err = E.Append(err, rule.Close(), func(err error) error {
-			return E.Cause(err, "close dns rule[", i, "]")
-		})
-		monitor.Finish()
-	}
-	return err
-}
-
-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
-	metadata := adapter.ContextFrom(ctx)
-	if metadata == nil {
-		panic("no context")
-	}
-	var currentRuleIndex int
-	if ruleIndex != -1 {
-		currentRuleIndex = ruleIndex + 1
-	}
-	for ; currentRuleIndex < len(r.rules); currentRuleIndex++ {
-		currentRule := r.rules[currentRuleIndex]
-		if currentRule.WithAddressLimit() && !isAddressQuery {
-			continue
-		}
-		metadata.ResetRuleCache()
-		if currentRule.Match(metadata) {
-			displayRuleIndex := currentRuleIndex
-			if displayRuleIndex != -1 {
-				displayRuleIndex += displayRuleIndex + 1
-			}
-			ruleDescription := currentRule.String()
-			if ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
-			} else {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-			}
-			switch action := currentRule.Action().(type) {
-			case *R.RuleActionDNSRoute:
-				transport, loaded := r.transport.Transport(action.Server)
-				if !loaded {
-					r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
-					continue
-				}
-				isFakeIP := transport.Type() == C.DNSTypeFakeIP
-				if isFakeIP && !allowFakeIP {
-					continue
-				}
-				if isFakeIP || action.DisableCache {
-					options.DisableCache = true
-				}
-				if action.RewriteTTL != nil {
-					options.RewriteTTL = action.RewriteTTL
-				}
-				if action.ClientSubnet.IsValid() {
-					options.ClientSubnet = action.ClientSubnet
-				}
-				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-					if options.Strategy == C.DomainStrategyAsIS {
-						options.Strategy = legacyTransport.LegacyStrategy()
-					}
-					if !options.ClientSubnet.IsValid() {
-						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-					}
-				}
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				return transport, currentRule, currentRuleIndex
-			case *R.RuleActionDNSRouteOptions:
-				if action.DisableCache {
-					options.DisableCache = true
-				}
-				if action.RewriteTTL != nil {
-					options.RewriteTTL = action.RewriteTTL
-				}
-				if action.ClientSubnet.IsValid() {
-					options.ClientSubnet = action.ClientSubnet
-				}
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-			case *R.RuleActionReject:
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
-				return nil, currentRule, currentRuleIndex
-			}
-		}
-	}
-	return r.transport.Default(), nil, -1
-}
-
-func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
-	if len(message.Question) != 1 {
-		r.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
-		responseMessage := mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				Id:       message.Id,
-				Response: true,
-				Rcode:    mDNS.RcodeFormatError,
-			},
-			Question: message.Question,
-		}
-		return &responseMessage, nil
-	}
-	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
-	var (
-		transport adapter.DNSTransport
-		err       error
-	)
-	response, cached := r.client.ExchangeCache(ctx, message)
-	if !cached {
-		var metadata *adapter.InboundContext
-		ctx, metadata = adapter.ExtendContext(ctx)
-		metadata.Destination = M.Socksaddr{}
-		metadata.QueryType = message.Question[0].Qtype
-		switch metadata.QueryType {
-		case mDNS.TypeA:
-			metadata.IPVersion = 4
-		case mDNS.TypeAAAA:
-			metadata.IPVersion = 6
-		}
-		metadata.Domain = FqdnToDomain(message.Question[0].Name)
-		if options.Transport != nil {
-			transport = options.Transport
-			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-				if options.Strategy == C.DomainStrategyAsIS {
-					options.Strategy = legacyTransport.LegacyStrategy()
-				}
-				if !options.ClientSubnet.IsValid() {
-					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-				}
-			}
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
-			}
-			response, err = r.client.Exchange(ctx, transport, message, options, nil)
-		} else {
-			var (
-				rule      adapter.DNSRule
-				ruleIndex int
-			)
-			ruleIndex = -1
-			for {
-				dnsCtx := adapter.OverrideContext(ctx)
-				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &options)
-				if rule != nil {
-					switch action := rule.Action().(type) {
-					case *R.RuleActionReject:
-						switch action.Method {
-						case C.RuleActionRejectMethodDefault:
-							return FixedResponse(message.Id, message.Question[0], nil, 0), nil
-						case C.RuleActionRejectMethodDrop:
-							return nil, tun.ErrDrop
-						}
-					}
-				}
-				var responseCheck func(responseAddrs []netip.Addr) bool
-				if rule != nil && rule.WithAddressLimit() {
-					responseCheck = func(responseAddrs []netip.Addr) bool {
-						metadata.DestinationAddresses = responseAddrs
-						return rule.MatchAddressLimit(metadata)
-					}
-				}
-				if options.Strategy == C.DomainStrategyAsIS {
-					options.Strategy = r.defaultDomainStrategy
-				}
-				response, err = r.client.Exchange(dnsCtx, transport, message, options, responseCheck)
-				var rejected bool
-				if err != nil {
-					if errors.Is(err, ErrResponseRejectedCached) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
-					} else if errors.Is(err, ErrResponseRejected) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-					} else if len(message.Question) > 0 {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-					} else {
-						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
-					}
-				}
-				if responseCheck != nil && rejected {
-					continue
-				}
-				break
-			}
-		}
-	}
-	if err != nil {
-		return nil, err
-	}
-	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
-		if transport.Type() != C.DNSTypeFakeIP {
-			for _, answer := range response.Answer {
-				switch record := answer.(type) {
-				case *mDNS.A:
-					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.A), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
-				case *mDNS.AAAA:
-					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.AAAA), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
-				}
-			}
-		}
-	}
-	return response, nil
-}
-
-func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
-	var (
-		responseAddrs []netip.Addr
-		cached        bool
-		err           error
-	)
-	printResult := func() {
-		if err != nil {
-			if errors.Is(err, ErrResponseRejectedCached) {
-				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
-			} else if errors.Is(err, ErrResponseRejected) {
-				r.logger.DebugContext(ctx, "response rejected for ", domain)
-			} else {
-				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
-			}
-		} else if len(responseAddrs) == 0 {
-			r.logger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
-			err = RCodeNameError
-		}
-	}
-	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
-	if cached {
-		if len(responseAddrs) == 0 {
-			return nil, RCodeNameError
-		}
-		return responseAddrs, nil
-	}
-	r.logger.DebugContext(ctx, "lookup domain ", domain)
-	ctx, metadata := adapter.ExtendContext(ctx)
-	metadata.Destination = M.Socksaddr{}
-	metadata.Domain = domain
-	if options.Transport != nil {
-		transport := options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = r.defaultDomainStrategy
-		}
-		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
-	} else {
-		var (
-			transport adapter.DNSTransport
-			rule      adapter.DNSRule
-			ruleIndex int
-		)
-		ruleIndex = -1
-		for {
-			dnsCtx := adapter.OverrideContext(ctx)
-			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &options)
-			if rule != nil {
-				switch action := rule.Action().(type) {
-				case *R.RuleActionReject:
-					switch action.Method {
-					case C.RuleActionRejectMethodDefault:
-						return nil, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
-					}
-				}
-			}
-			var responseCheck func(responseAddrs []netip.Addr) bool
-			if rule != nil && rule.WithAddressLimit() {
-				responseCheck = func(responseAddrs []netip.Addr) bool {
-					metadata.DestinationAddresses = responseAddrs
-					return rule.MatchAddressLimit(metadata)
-				}
-			}
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
-			}
-			responseAddrs, err = r.client.Lookup(dnsCtx, transport, domain, options, responseCheck)
-			if responseCheck == nil || err == nil {
-				break
-			}
-			printResult()
-		}
-	}
-	printResult()
-	if len(responseAddrs) > 0 {
-		r.logger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))
-	}
-	return responseAddrs, err
-}
-
-func isAddressQuery(message *mDNS.Msg) bool {
-	for _, question := range message.Question {
-		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA || question.Qtype == mDNS.TypeHTTPS {
-			return true
-		}
-	}
-	return false
-}
-
-func (r *Router) ClearCache() {
-	r.client.ClearCache()
-	if r.platformInterface != nil {
-		r.platformInterface.ClearDNSCache()
-	}
-}
-
-func (r *Router) LookupReverseMapping(ip netip.Addr) (string, bool) {
-	if r.dnsReverseMapping == nil {
-		return "", false
-	}
-	domain, loaded := r.dnsReverseMapping.Get(ip)
-	return domain, loaded
-}
-
-func (r *Router) ResetNetwork() {
-	r.ClearCache()
-	for _, transport := range r.transport.Transports() {
-		transport.Reset()
-	}
-}
--- a/dns/transport/fakeip/fakeip.go
+++ b/dns/transport/fakeip/fakeip.go
@@ -1,56 +0,0 @@
-package fakeip
-
-import (
-	"context"
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.FakeIPDNSServerOptions](registry, C.DNSTypeFakeIP, NewTransport)
-}
-
-var _ adapter.FakeIPTransport = (*Transport)(nil)
-
-type Transport struct {
-	dns.TransportAdapter
-	logger logger.ContextLogger
-	store  adapter.FakeIPStore
-}
-
-func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.FakeIPDNSServerOptions) (adapter.DNSTransport, error) {
-	store := NewStore(ctx, logger, options.Inet4Range.Build(netip.Prefix{}), options.Inet6Range.Build(netip.Prefix{}))
-	return &Transport{
-		TransportAdapter: dns.NewTransportAdapter(C.DNSTypeFakeIP, tag, nil),
-		logger:           logger,
-		store:            store,
-	}, nil
-}
-
-func (t *Transport) Reset() {
-}
-
-func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	if question.Qtype != mDNS.TypeA && question.Qtype != mDNS.TypeAAAA {
-		return nil, E.New("only IP queries are supported by fakeip")
-	}
-	address, err := t.store.Create(question.Name, question.Qtype == mDNS.TypeAAAA)
-	if err != nil {
-		return nil, err
-	}
-	return dns.FixedResponse(message.Id, question, []netip.Addr{address}, C.DefaultDNSTTL), nil
-}
-
-func (t *Transport) Store() adapter.FakeIPStore {
-	return t.store
-}
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -1,193 +0,0 @@
-package transport
-
-import (
-	"bytes"
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"strconv"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
-	sHTTP "github.com/sagernet/sing/protocol/http"
-
-	mDNS "github.com/miekg/dns"
-	"golang.org/x/net/http2"
-)
-
-const MimeType = "application/dns-message"
-
-var _ adapter.DNSTransport = (*HTTPSTransport)(nil)
-
-func RegisterHTTPS(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteHTTPSDNSServerOptions](registry, C.DNSTypeHTTPS, NewHTTPS)
-}
-
-type HTTPSTransport struct {
-	dns.TransportAdapter
-	logger      logger.ContextLogger
-	dialer      N.Dialer
-	destination *url.URL
-	headers     http.Header
-	transport   *http.Transport
-}
-
-func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
-	if err != nil {
-		return nil, err
-	}
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
-	if err != nil {
-		return nil, err
-	}
-	if common.Error(tlsConfig.Config()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
-	}
-	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
-	}
-	destinationURL := url.URL{
-		Scheme: "https",
-		Host:   options.Host,
-	}
-	if destinationURL.Host == "" {
-		destinationURL.Host = options.Server
-	}
-	if options.ServerPort != 0 && options.ServerPort != 443 {
-		destinationURL.Host = net.JoinHostPort(destinationURL.Host, strconv.Itoa(int(options.ServerPort)))
-	}
-	path := options.Path
-	if path == "" {
-		path = "/dns-query"
-	}
-	err = sHTTP.URLSetPath(&destinationURL, path)
-	if err != nil {
-		return nil, err
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 443
-	}
-	return NewHTTPSRaw(
-		dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, options.RemoteDNSServerOptions),
-		logger,
-		transportDialer,
-		&destinationURL,
-		options.Headers.Build(),
-		serverAddr,
-		tlsConfig,
-	), nil
-}
-
-func NewHTTPSRaw(
-	adapter dns.TransportAdapter,
-	logger log.ContextLogger,
-	dialer N.Dialer,
-	destination *url.URL,
-	headers http.Header,
-	serverAddr M.Socksaddr,
-	tlsConfig tls.Config,
-) *HTTPSTransport {
-	var transport *http.Transport
-	if tlsConfig != nil {
-		transport = &http.Transport{
-			ForceAttemptHTTP2: true,
-			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
-				if hErr != nil {
-					return nil, hErr
-				}
-				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
-				if hErr != nil {
-					tcpConn.Close()
-					return nil, hErr
-				}
-				return tlsConn, nil
-			},
-		}
-	} else {
-		transport = &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return dialer.DialContext(ctx, network, serverAddr)
-			},
-		}
-	}
-	return &HTTPSTransport{
-		TransportAdapter: adapter,
-		logger:           logger,
-		dialer:           dialer,
-		destination:      destination,
-		headers:          headers,
-		transport:        transport,
-	}
-}
-
-func (t *HTTPSTransport) Reset() {
-	t.transport.CloseIdleConnections()
-	t.transport = t.transport.Clone()
-}
-
-func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	exMessage := *message
-	exMessage.Id = 0
-	exMessage.Compress = true
-	requestBuffer := buf.NewSize(1 + message.Len())
-	rawMessage, err := exMessage.PackBuffer(requestBuffer.FreeBytes())
-	if err != nil {
-		requestBuffer.Release()
-		return nil, err
-	}
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
-	if err != nil {
-		requestBuffer.Release()
-		return nil, err
-	}
-	request.Header = t.headers.Clone()
-	request.Header.Set("Content-Type", MimeType)
-	request.Header.Set("Accept", MimeType)
-	response, err := t.transport.RoundTrip(request)
-	requestBuffer.Release()
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("unexpected status: ", response.Status)
-	}
-	var responseMessage mDNS.Msg
-	if response.ContentLength > 0 {
-		responseBuffer := buf.NewSize(int(response.ContentLength))
-		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
-		if err != nil {
-			return nil, err
-		}
-		err = responseMessage.Unpack(responseBuffer.Bytes())
-		responseBuffer.Release()
-	} else {
-		rawMessage, err = io.ReadAll(response.Body)
-		if err != nil {
-			return nil, err
-		}
-		err = responseMessage.Unpack(rawMessage)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return &responseMessage, nil
-}
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -1,177 +0,0 @@
-package local
-
-import (
-	"context"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
-}
-
-var _ adapter.DNSTransport = (*Transport)(nil)
-
-type Transport struct {
-	dns.TransportAdapter
-	dialer N.Dialer
-}
-
-func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewLocalDialer(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-	return &Transport{
-		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeTCP, tag, options),
-		dialer:           transportDialer,
-	}, nil
-}
-
-func (t *Transport) Reset() {
-}
-
-func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
-	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addressStrings, _ := lookupStaticHost(domain)
-		if len(addressStrings) > 0 {
-			return dns.FixedResponse(message.Id, question, common.Map(addressStrings, M.ParseAddr), C.DefaultDNSTTL), nil
-		}
-	}
-	systemConfig := getSystemDNSConfig()
-	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
-		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
-	} else {
-		return t.exchangeParallel(ctx, systemConfig, message, domain)
-	}
-}
-
-func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	var lastErr error
-	for _, fqdn := range nameList(systemConfig, domain) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-		return response, nil
-	}
-	return nil, lastErr
-}
-
-func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
-	returned := make(chan struct{})
-	defer close(returned)
-	type queryResult struct {
-		response *mDNS.Msg
-		err      error
-	}
-	results := make(chan queryResult)
-	startRacer := func(ctx context.Context, fqdn string) {
-		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		select {
-		case results <- queryResult{response, err}:
-		case <-returned:
-		}
-	}
-	queryCtx, queryCancel := context.WithCancel(ctx)
-	defer queryCancel()
-	for _, fqdn := range nameList(systemConfig, domain) {
-		go startRacer(queryCtx, fqdn)
-	}
-	select {
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case result := <-results:
-		return result.response, result.err
-	}
-}
-
-func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
-	serverOffset := config.serverOffset()
-	sLen := uint32(len(config.servers))
-	var lastErr error
-	for i := 0; i < config.attempts; i++ {
-		for j := uint32(0); j < sLen; j++ {
-			server := config.servers[(serverOffset+j)%sLen]
-			question := message.Question[0]
-			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
-			if err != nil {
-				lastErr = err
-				continue
-			}
-			return response, nil
-		}
-	}
-	return nil, lastErr
-}
-
-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
-	var networks []string
-	if useTCP {
-		networks = []string{N.NetworkTCP}
-	} else {
-		networks = []string{N.NetworkUDP, N.NetworkTCP}
-	}
-	request := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                uint16(randInt()),
-			RecursionDesired:  true,
-			AuthenticatedData: ad,
-		},
-		Question: []mDNS.Question{question},
-		Compress: true,
-	}
-	request.SetEdns0(maxDNSPacketSize, false)
-	buffer := buf.Get(buf.UDPBufferSize)
-	defer buf.Put(buffer)
-	for _, network := range networks {
-		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
-		defer cancel()
-		conn, err := t.dialer.DialContext(ctx, network, server)
-		if err != nil {
-			return nil, err
-		}
-		defer conn.Close()
-		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-			conn.SetDeadline(deadline)
-		}
-		rawMessage, err := request.PackBuffer(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "pack request")
-		}
-		_, err = conn.Write(rawMessage)
-		if err != nil {
-			return nil, E.Cause(err, "write request")
-		}
-		n, err := conn.Read(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "read response")
-		}
-		var response mDNS.Msg
-		err = response.Unpack(buffer[:n])
-		if err != nil {
-			return nil, E.Cause(err, "unpack response")
-		}
-		if response.Truncated && network == N.NetworkUDP {
-			continue
-		}
-		return &response, nil
-	}
-	panic("unexpected")
-}
--- a/dns/transport/local/local_badlinkname.go
+++ b/dns/transport/local/local_badlinkname.go
@@ -1,19 +0,0 @@
-//go:build badlinkname
-
-package local
-
-import (
-	_ "unsafe"
-)
-
-//go:linkname getSystemDNSConfig net.getSystemDNSConfig
-func getSystemDNSConfig() *dnsConfig
-
-//go:linkname nameList net.(*dnsConfig).nameList
-func nameList(c *dnsConfig, name string) []string
-
-//go:linkname lookupStaticHost net.lookupStaticHost
-func lookupStaticHost(host string) ([]string, string)
-
-//go:linkname splitHostZone net.splitHostZone
-func splitHostZone(s string) (host, zone string)
--- a/dns/transport/local/local_linkname.go
+++ b/dns/transport/local/local_linkname.go
@@ -1,44 +0,0 @@
-package local
-
-import (
-	"sync/atomic"
-	"time"
-	_ "unsafe"
-)
-
-const (
-	// net.maxDNSPacketSize
-	maxDNSPacketSize = 1232
-)
-
-type dnsConfig struct {
-	servers       []string      // server addresses (in host:port form) to use
-	search        []string      // rooted suffixes to append to local name
-	ndots         int           // number of dots in name to trigger absolute lookup
-	timeout       time.Duration // wait before giving up on a query, including retries
-	attempts      int           // lost packets before giving up on server
-	rotate        bool          // round robin among servers
-	unknownOpt    bool          // anything unknown was encountered
-	lookup        []string      // OpenBSD top-level database "lookup" order
-	err           error         // any error that occurs during open of resolv.conf
-	mtime         time.Time     // time of resolv.conf modification
-	soffset       uint32        // used by serverOffset
-	singleRequest bool          // use sequential A and AAAA queries instead of parallel queries
-	useTCP        bool          // force usage of TCP for DNS resolutions
-	trustAD       bool          // add AD flag to queries
-	noReload      bool          // do not check for config file updates
-}
-
-func (c *dnsConfig) serverOffset() uint32 {
-	if c.rotate {
-		return atomic.AddUint32(&c.soffset, 1) - 1 // return 0 to start
-	}
-	return 0
-}
-
-//go:linkname runtime_rand runtime.rand
-func runtime_rand() uint64
-
-func randInt() int {
-	return int(uint(runtime_rand()) >> 1) // clear sign bit
-}
--- a/dns/transport/local/local_notbadlinkname.go
+++ b/dns/transport/local/local_notbadlinkname.go
@@ -1,19 +0,0 @@
-//go:build !badlinkname
-
-package local
-
-func getSystemDNSConfig() *dnsConfig {
-	panic("stub")
-}
-
-func nameList(c *dnsConfig, name string) []string {
-	panic("stub")
-}
-
-func lookupStaticHost(host string) ([]string, string) {
-	panic("stub")
-}
-
-func splitHostZone(s string) (host, zone string) {
-	panic("stub")
-}
--- a/dns/transport/predefined.go
+++ b/dns/transport/predefined.go
@@ -1,82 +0,0 @@
-package transport
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*PredefinedTransport)(nil)
-
-func RegisterPredefined(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.PredefinedDNSServerOptions](registry, C.DNSTypePreDefined, NewPredefined)
-}
-
-type PredefinedTransport struct {
-	dns.TransportAdapter
-	responses []*predefinedResponse
-}
-
-type predefinedResponse struct {
-	questions []mDNS.Question
-	answer    *mDNS.Msg
-}
-
-func NewPredefined(ctx context.Context, logger log.ContextLogger, tag string, options option.PredefinedDNSServerOptions) (adapter.DNSTransport, error) {
-	var responses []*predefinedResponse
-	for _, response := range options.Responses {
-		questions, msg, err := response.Build()
-		if err != nil {
-			return nil, err
-		}
-		responses = append(responses, &predefinedResponse{
-			questions: questions,
-			answer:    msg,
-		})
-	}
-	if len(responses) == 0 {
-		return nil, E.New("empty predefined responses")
-	}
-	return &PredefinedTransport{
-		TransportAdapter: dns.NewTransportAdapter(C.DNSTypePreDefined, tag, nil),
-		responses:        responses,
-	}, nil
-}
-
-func (t *PredefinedTransport) Reset() {
-}
-
-func (t *PredefinedTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	for _, response := range t.responses {
-		for _, question := range response.questions {
-			if func() bool {
-				if question.Name == "" && question.Qtype == mDNS.TypeNone {
-					return true
-				} else if question.Name == "" {
-					return common.Any(message.Question, func(it mDNS.Question) bool {
-						return it.Qtype == question.Qtype
-					})
-				} else if question.Qtype == mDNS.TypeNone {
-					return common.Any(message.Question, func(it mDNS.Question) bool {
-						return it.Name == question.Name
-					})
-				} else {
-					return common.Contains(message.Question, question)
-				}
-			}() {
-				copyAnswer := *response.answer
-				copyAnswer.Id = message.Id
-				return &copyAnswer, nil
-			}
-		}
-	}
-	return nil, dns.RCodeNameError
-}
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -1,156 +0,0 @@
-package quic
-
-import (
-	"bytes"
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"strconv"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/quic-go/http3"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	sHTTP "github.com/sagernet/sing/protocol/http"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*HTTP3Transport)(nil)
-
-func RegisterHTTP3Transport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteHTTPSDNSServerOptions](registry, C.DNSTypeHTTP3, NewHTTP3)
-}
-
-type HTTP3Transport struct {
-	dns.TransportAdapter
-	logger      logger.ContextLogger
-	dialer      N.Dialer
-	destination *url.URL
-	headers     http.Header
-	transport   *http3.Transport
-}
-
-func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
-	if err != nil {
-		return nil, err
-	}
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
-	if err != nil {
-		return nil, err
-	}
-	stdConfig, err := tlsConfig.Config()
-	if err != nil {
-		return nil, err
-	}
-	destinationURL := url.URL{
-		Scheme: "HTTP3",
-		Host:   options.Host,
-	}
-	if destinationURL.Host == "" {
-		destinationURL.Host = options.Server
-	}
-	if options.ServerPort != 0 && options.ServerPort != 443 {
-		destinationURL.Host = net.JoinHostPort(destinationURL.Host, strconv.Itoa(int(options.ServerPort)))
-	}
-	path := options.Path
-	if path == "" {
-		path = "/dns-query"
-	}
-	err = sHTTP.URLSetPath(&destinationURL, path)
-	if err != nil {
-		return nil, err
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 443
-	}
-	return &HTTP3Transport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),
-		logger:           logger,
-		dialer:           transportDialer,
-		destination:      &destinationURL,
-		headers:          options.Headers.Build(),
-		transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
-				destinationAddr := M.ParseSocksaddr(addr)
-				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, destinationAddr)
-				if dialErr != nil {
-					return nil, dialErr
-				}
-				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(conn), conn.RemoteAddr(), tlsCfg, cfg)
-			},
-			TLSClientConfig: stdConfig,
-		},
-	}, nil
-}
-
-func (t *HTTP3Transport) Reset() {
-	t.transport.Close()
-}
-
-func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	exMessage := *message
-	exMessage.Id = 0
-	exMessage.Compress = true
-	requestBuffer := buf.NewSize(1 + message.Len())
-	rawMessage, err := exMessage.PackBuffer(requestBuffer.FreeBytes())
-	if err != nil {
-		requestBuffer.Release()
-		return nil, err
-	}
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
-	if err != nil {
-		requestBuffer.Release()
-		return nil, err
-	}
-	request.Header = t.headers.Clone()
-	request.Header.Set("Content-Type", transport.MimeType)
-	request.Header.Set("Accept", transport.MimeType)
-	response, err := t.transport.RoundTrip(request)
-	requestBuffer.Release()
-	if err != nil {
-		return nil, err
-	}
-	defer response.Body.Close()
-	if response.StatusCode != http.StatusOK {
-		return nil, E.New("unexpected status: ", response.Status)
-	}
-	var responseMessage mDNS.Msg
-	if response.ContentLength > 0 {
-		responseBuffer := buf.NewSize(int(response.ContentLength))
-		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
-		if err != nil {
-			return nil, err
-		}
-		err = responseMessage.Unpack(responseBuffer.Bytes())
-		responseBuffer.Release()
-	} else {
-		rawMessage, err = io.ReadAll(response.Body)
-		if err != nil {
-			return nil, err
-		}
-		err = responseMessage.Unpack(rawMessage)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return &responseMessage, nil
-}
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@@ -1,174 +0,0 @@
-package quic
-
-import (
-	"context"
-	"errors"
-	"sync"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	sQUIC "github.com/sagernet/sing-quic"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*Transport)(nil)
-
-func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeQUIC, NewQUIC)
-}
-
-type Transport struct {
-	dns.TransportAdapter
-	ctx        context.Context
-	logger     logger.ContextLogger
-	dialer     N.Dialer
-	serverAddr M.Socksaddr
-	tlsConfig  tls.Config
-	access     sync.Mutex
-	connection quic.EarlyConnection
-}
-
-func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
-	if err != nil {
-		return nil, err
-	}
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
-	if err != nil {
-		return nil, err
-	}
-	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{"doq"})
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 853
-	}
-	return &Transport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),
-		ctx:              ctx,
-		logger:           logger,
-		dialer:           transportDialer,
-		serverAddr:       serverAddr,
-		tlsConfig:        tlsConfig,
-	}, nil
-}
-
-func (t *Transport) Reset() {
-	t.access.Lock()
-	defer t.access.Unlock()
-	connection := t.connection
-	if connection != nil {
-		connection.CloseWithError(0, "")
-	}
-}
-
-func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	var (
-		conn     quic.Connection
-		err      error
-		response *mDNS.Msg
-	)
-	for i := 0; i < 2; i++ {
-		conn, err = t.openConnection()
-		if err != nil {
-			return nil, err
-		}
-		response, err = t.exchange(ctx, message, conn)
-		if err == nil {
-			return response, nil
-		} else if !isQUICRetryError(err) {
-			return nil, err
-		} else {
-			conn.CloseWithError(quic.ApplicationErrorCode(0), "")
-			continue
-		}
-	}
-	return nil, err
-}
-
-func (t *Transport) openConnection() (quic.EarlyConnection, error) {
-	connection := t.connection
-	if connection != nil && !common.Done(connection.Context()) {
-		return connection, nil
-	}
-	t.access.Lock()
-	defer t.access.Unlock()
-	connection = t.connection
-	if connection != nil && !common.Done(connection.Context()) {
-		return connection, nil
-	}
-	conn, err := t.dialer.DialContext(t.ctx, N.NetworkUDP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	earlyConnection, err := sQUIC.DialEarly(
-		t.ctx,
-		bufio.NewUnbindPacketConn(conn),
-		t.serverAddr.UDPAddr(),
-		t.tlsConfig,
-		nil,
-	)
-	if err != nil {
-		return nil, err
-	}
-	t.connection = earlyConnection
-	return earlyConnection, nil
-}
-
-func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn quic.Connection) (*mDNS.Msg, error) {
-	stream, err := conn.OpenStreamSync(ctx)
-	if err != nil {
-		return nil, err
-	}
-	defer stream.Close()
-	defer stream.CancelRead(0)
-	err = transport.WriteMessage(stream, 0, message)
-	if err != nil {
-		return nil, err
-	}
-	return transport.ReadMessage(stream)
-}
-
-// https://github.com/AdguardTeam/dnsproxy/blob/fd1868577652c639cce3da00e12ca548f421baf1/upstream/upstream_quic.go#L394
-func isQUICRetryError(err error) (ok bool) {
-	var qAppErr *quic.ApplicationError
-	if errors.As(err, &qAppErr) && qAppErr.ErrorCode == 0 {
-		return true
-	}
-
-	var qIdleErr *quic.IdleTimeoutError
-	if errors.As(err, &qIdleErr) {
-		return true
-	}
-
-	var resetErr *quic.StatelessResetError
-	if errors.As(err, &resetErr) {
-		return true
-	}
-
-	var qTransportError *quic.TransportError
-	if errors.As(err, &qTransportError) && qTransportError.ErrorCode == quic.NoError {
-		return true
-	}
-
-	if errors.Is(err, quic.Err0RTTRejected) {
-		return true
-	}
-
-	return false
-}
--- a/dns/transport/tcp.go
+++ b/dns/transport/tcp.go
@@ -1,99 +0,0 @@
-package transport
-
-import (
-	"context"
-	"encoding/binary"
-	"io"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*TCPTransport)(nil)
-
-func RegisterTCP(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteDNSServerOptions](registry, C.DNSTypeTCP, NewTCP)
-}
-
-type TCPTransport struct {
-	dns.TransportAdapter
-	dialer     N.Dialer
-	serverAddr M.Socksaddr
-}
-
-func NewTCP(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 53
-	}
-	return &TCPTransport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTCP, tag, options),
-		dialer:           transportDialer,
-		serverAddr:       serverAddr,
-	}, nil
-}
-
-func (t *TCPTransport) Reset() {
-}
-
-func (t *TCPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-	err = WriteMessage(conn, 0, message)
-	if err != nil {
-		return nil, err
-	}
-	return ReadMessage(conn)
-}
-
-func ReadMessage(reader io.Reader) (*mDNS.Msg, error) {
-	var responseLen uint16
-	err := binary.Read(reader, binary.BigEndian, &responseLen)
-	if err != nil {
-		return nil, err
-	}
-	if responseLen < 10 {
-		return nil, mDNS.ErrShortRead
-	}
-	buffer := buf.NewSize(int(responseLen))
-	defer buffer.Release()
-	_, err = buffer.ReadFullFrom(reader, int(responseLen))
-	if err != nil {
-		return nil, err
-	}
-	var message mDNS.Msg
-	err = message.Unpack(buffer.Bytes())
-	return &message, err
-}
-
-func WriteMessage(writer io.Writer, messageId uint16, message *mDNS.Msg) error {
-	requestLen := message.Len()
-	buffer := buf.NewSize(3 + requestLen)
-	defer buffer.Release()
-	common.Must(binary.Write(buffer, binary.BigEndian, uint16(requestLen)))
-	exMessage := *message
-	exMessage.Id = messageId
-	exMessage.Compress = true
-	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
-	if err != nil {
-		return err
-	}
-	buffer.Truncate(2 + len(rawMessage))
-	return common.Error(writer.Write(buffer.Bytes()))
-}
--- a/dns/transport/tls.go
+++ b/dns/transport/tls.go
@@ -1,115 +0,0 @@
-package transport
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*TLSTransport)(nil)
-
-func RegisterTLS(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeTLS, NewTLS)
-}
-
-type TLSTransport struct {
-	dns.TransportAdapter
-	logger      logger.ContextLogger
-	dialer      N.Dialer
-	serverAddr  M.Socksaddr
-	tlsConfig   tls.Config
-	access      sync.Mutex
-	connections list.List[*tlsDNSConn]
-}
-
-type tlsDNSConn struct {
-	tls.Conn
-	queryId uint16
-}
-
-func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
-	if err != nil {
-		return nil, err
-	}
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	tlsOptions.Enabled = true
-	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
-	if err != nil {
-		return nil, err
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 853
-	}
-	return &TLSTransport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions),
-		logger:           logger,
-		dialer:           transportDialer,
-		serverAddr:       serverAddr,
-		tlsConfig:        tlsConfig,
-	}, nil
-}
-
-func (t *TLSTransport) Reset() {
-	t.access.Lock()
-	defer t.access.Unlock()
-	for connection := t.connections.Front(); connection != nil; connection = connection.Next() {
-		connection.Value.Close()
-	}
-	t.connections.Init()
-}
-
-func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	t.access.Lock()
-	conn := t.connections.PopFront()
-	t.access.Unlock()
-	if conn != nil {
-		response, err := t.exchange(message, conn)
-		if err == nil {
-			return response, nil
-		}
-	}
-	tcpConn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	tlsConn, err := tls.ClientHandshake(ctx, tcpConn, t.tlsConfig)
-	if err != nil {
-		tcpConn.Close()
-		return nil, err
-	}
-	return t.exchange(message, &tlsDNSConn{Conn: tlsConn})
-}
-
-func (t *TLSTransport) exchange(message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg, error) {
-	conn.queryId++
-	err := WriteMessage(conn, conn.queryId, message)
-	if err != nil {
-		conn.Close()
-		return nil, E.Cause(err, "write request")
-	}
-	response, err := ReadMessage(conn)
-	if err != nil {
-		conn.Close()
-		return nil, E.Cause(err, "read response")
-	}
-	t.access.Lock()
-	t.connections.PushBack(conn)
-	t.access.Unlock()
-	return response, nil
-}
--- a/dns/transport/udp.go
+++ b/dns/transport/udp.go
@@ -1,217 +0,0 @@
-package transport
-
-import (
-	"context"
-	"net"
-	"os"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	mDNS "github.com/miekg/dns"
-)
-
-var _ adapter.DNSTransport = (*UDPTransport)(nil)
-
-func RegisterUDP(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteDNSServerOptions](registry, C.DNSTypeUDP, NewUDP)
-}
-
-type UDPTransport struct {
-	dns.TransportAdapter
-	logger       logger.ContextLogger
-	dialer       N.Dialer
-	serverAddr   M.Socksaddr
-	udpSize      int
-	tcpTransport *TCPTransport
-	access       sync.Mutex
-	conn         *dnsConnection
-	done         chan struct{}
-}
-
-func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteDNSServerOptions) (adapter.DNSTransport, error) {
-	transportDialer, err := dns.NewRemoteDialer(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-	serverAddr := options.ServerOptions.Build()
-	if serverAddr.Port == 0 {
-		serverAddr.Port = 53
-	}
-	return NewUDPRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeUDP, tag, options), transportDialer, serverAddr), nil
-}
-
-func NewUDPRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr) *UDPTransport {
-	return &UDPTransport{
-		TransportAdapter: adapter,
-		logger:           logger,
-		dialer:           dialer,
-		serverAddr:       serverAddr,
-		udpSize:          512,
-		tcpTransport: &TCPTransport{
-			dialer:     dialer,
-			serverAddr: serverAddr,
-		},
-		done: make(chan struct{}),
-	}
-}
-
-func (t *UDPTransport) Reset() {
-	t.access.Lock()
-	defer t.access.Unlock()
-	close(t.done)
-	t.done = make(chan struct{})
-}
-
-func (t *UDPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	response, err := t.exchange(ctx, message)
-	if err != nil {
-		return nil, err
-	}
-	if response.Truncated {
-		t.logger.InfoContext(ctx, "response truncated, retrying with TCP")
-		return t.tcpTransport.Exchange(ctx, message)
-	}
-	return response, nil
-}
-
-func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	conn, err := t.open(ctx)
-	if err != nil {
-		return nil, err
-	}
-	if edns0Opt := message.IsEdns0(); edns0Opt != nil {
-		if udpSize := int(edns0Opt.UDPSize()); udpSize > t.udpSize {
-			t.udpSize = udpSize
-		}
-	}
-	buffer := buf.NewSize(1 + message.Len())
-	defer buffer.Release()
-	exMessage := *message
-	exMessage.Compress = true
-	messageId := message.Id
-	callback := &dnsCallback{
-		done: make(chan struct{}),
-	}
-	conn.access.Lock()
-	conn.queryId++
-	exMessage.Id = conn.queryId
-	conn.callbacks[exMessage.Id] = callback
-	conn.access.Unlock()
-	defer func() {
-		conn.access.Lock()
-		delete(conn.callbacks, messageId)
-		conn.access.Unlock()
-		callback.access.Lock()
-		select {
-		case <-callback.done:
-		default:
-			close(callback.done)
-		}
-		callback.access.Unlock()
-	}()
-	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
-	if err != nil {
-		return nil, err
-	}
-	_, err = conn.Write(rawMessage)
-	if err != nil {
-		conn.Close(err)
-		return nil, err
-	}
-	select {
-	case <-callback.done:
-		callback.message.Id = messageId
-		return callback.message, nil
-	case <-conn.done:
-		return nil, conn.err
-	case <-t.done:
-		return nil, os.ErrClosed
-	case <-ctx.Done():
-		conn.Close(ctx.Err())
-		return nil, ctx.Err()
-	}
-}
-
-func (t *UDPTransport) open(ctx context.Context) (*dnsConnection, error) {
-	t.access.Lock()
-	defer t.access.Unlock()
-	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-	dnsConn := &dnsConnection{
-		Conn:      conn,
-		done:      make(chan struct{}),
-		callbacks: make(map[uint16]*dnsCallback),
-	}
-	go t.recvLoop(dnsConn)
-	return dnsConn, nil
-}
-
-func (t *UDPTransport) recvLoop(conn *dnsConnection) {
-	for {
-		buffer := buf.NewSize(t.udpSize)
-		_, err := buffer.ReadOnceFrom(conn)
-		if err != nil {
-			buffer.Release()
-			conn.Close(err)
-			return
-		}
-		var message mDNS.Msg
-		err = message.Unpack(buffer.Bytes())
-		buffer.Release()
-		if err != nil {
-			conn.Close(err)
-			return
-		}
-		conn.access.RLock()
-		callback, loaded := conn.callbacks[message.Id]
-		conn.access.RUnlock()
-		if !loaded {
-			continue
-		}
-		callback.access.Lock()
-		select {
-		case <-callback.done:
-		default:
-			callback.message = &message
-			close(callback.done)
-		}
-		callback.access.Unlock()
-	}
-}
-
-type dnsConnection struct {
-	net.Conn
-	access    sync.RWMutex
-	done      chan struct{}
-	closeOnce sync.Once
-	err       error
-	queryId   uint16
-	callbacks map[uint16]*dnsCallback
-}
-
-func (c *dnsConnection) Close(err error) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	c.closeOnce.Do(func() {
-		close(c.done)
-		c.err = err
-	})
-	c.Conn.Close()
-}
-
-type dnsCallback struct {
-	access  sync.Mutex
-	message *mDNS.Msg
-	done    chan struct{}
-}
--- a/dns/transport_adapter.go
+++ b/dns/transport_adapter.go
@@ -1,70 +0,0 @@
-package dns
-
-import (
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-)
-
-var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
-
-type TransportAdapter struct {
-	transportType string
-	transportTag  string
-	dependencies  []string
-	strategy      C.DomainStrategy
-	clientSubnet  netip.Prefix
-}
-
-func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
-	return TransportAdapter{
-		transportType: transportType,
-		transportTag:  transportTag,
-		dependencies:  dependencies,
-	}
-}
-
-func NewTransportAdapterWithLocalOptions(transportType string, transportTag string, localOptions option.LocalDNSServerOptions) TransportAdapter {
-	return TransportAdapter{
-		transportType: transportType,
-		transportTag:  transportTag,
-		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
-		clientSubnet:  localOptions.LegacyClientSubnet,
-	}
-}
-
-func NewTransportAdapterWithRemoteOptions(transportType string, transportTag string, remoteOptions option.RemoteDNSServerOptions) TransportAdapter {
-	var dependencies []string
-	if remoteOptions.AddressResolver != "" {
-		dependencies = []string{remoteOptions.AddressResolver}
-	}
-	return TransportAdapter{
-		transportType: transportType,
-		transportTag:  transportTag,
-		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
-		clientSubnet:  remoteOptions.LegacyClientSubnet,
-	}
-}
-
-func (a *TransportAdapter) Type() string {
-	return a.transportType
-}
-
-func (a *TransportAdapter) Tag() string {
-	return a.transportTag
-}
-
-func (a *TransportAdapter) Dependencies() []string {
-	return a.dependencies
-}
-
-func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
-	return a.strategy
-}
-
-func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
-	return a.clientSubnet
-}
--- a/dns/transport_dialer.go
+++ b/dns/transport_dialer.go
@@ -1,101 +0,0 @@
-package dns
-
-import (
-	"context"
-	"net"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-)
-
-func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		return dialer.NewDefaultOutbound(ctx), nil
-	} else {
-		return dialer.New(ctx, options.DialerOptions, false)
-	}
-}
-
-func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	var (
-		transportDialer N.Dialer
-		err             error
-	)
-	if options.LegacyDefaultDialer {
-		transportDialer = dialer.NewDefaultOutbound(ctx)
-	} else {
-		transportDialer, err = dialer.New(ctx, options.DialerOptions, options.ServerIsDomain())
-	}
-	if err != nil {
-		return nil, err
-	}
-	if options.AddressResolver != "" {
-		transport := service.FromContext[adapter.DNSTransportManager](ctx)
-		resolverTransport, loaded := transport.Transport(options.AddressResolver)
-		if !loaded {
-			return nil, E.New("address resolver not found: ", options.AddressResolver)
-		}
-		transportDialer = NewTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.AddressStrategy), time.Duration(options.AddressFallbackDelay))
-	} else if options.ServerIsDomain() {
-		return nil, E.New("missing address resolver for server: ", options.Server)
-	}
-	return transportDialer, nil
-}
-
-type TransportDialer struct {
-	dialer        N.Dialer
-	dnsRouter     adapter.DNSRouter
-	transport     adapter.DNSTransport
-	strategy      C.DomainStrategy
-	fallbackDelay time.Duration
-}
-
-func NewTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *TransportDialer {
-	return &TransportDialer{
-		dialer,
-		dnsRouter,
-		transport,
-		strategy,
-		fallbackDelay,
-	}
-}
-
-func (d *TransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if destination.IsIP() {
-		return d.dialer.DialContext(ctx, network, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
-}
-
-func (d *TransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIP() {
-		return d.dialer.ListenPacket(ctx, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
-	})
-	if err != nil {
-		return nil, err
-	}
-	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
-	return conn, err
-}
-
-func (d *TransportDialer) Upstream() any {
-	return d.dialer
-}
--- a/dns/transport_manager.go
+++ b/dns/transport_manager.go
@@ -1,288 +0,0 @@
-package dns
-
-import (
-	"context"
-	"io"
-	"os"
-	"strings"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-)
-
-var _ adapter.DNSTransportManager = (*TransportManager)(nil)
-
-type TransportManager struct {
-	logger                   log.ContextLogger
-	registry                 adapter.DNSTransportRegistry
-	outbound                 adapter.OutboundManager
-	defaultTag               string
-	access                   sync.RWMutex
-	started                  bool
-	stage                    adapter.StartStage
-	transports               []adapter.DNSTransport
-	transportByTag           map[string]adapter.DNSTransport
-	dependByTag              map[string][]string
-	defaultTransport         adapter.DNSTransport
-	defaultTransportFallback adapter.DNSTransport
-	fakeIPTransport          adapter.FakeIPTransport
-}
-
-func NewTransportManager(logger logger.ContextLogger, registry adapter.DNSTransportRegistry, outbound adapter.OutboundManager, defaultTag string) *TransportManager {
-	return &TransportManager{
-		logger:         logger,
-		registry:       registry,
-		outbound:       outbound,
-		defaultTag:     defaultTag,
-		transportByTag: make(map[string]adapter.DNSTransport),
-		dependByTag:    make(map[string][]string),
-	}
-}
-
-func (m *TransportManager) Initialize(defaultTransportFallback adapter.DNSTransport) {
-	m.defaultTransportFallback = defaultTransportFallback
-}
-
-func (m *TransportManager) Start(stage adapter.StartStage) error {
-	m.access.Lock()
-	if m.started && m.stage >= stage {
-		panic("already started")
-	}
-	m.started = true
-	m.stage = stage
-	outbounds := m.transports
-	m.access.Unlock()
-	if stage == adapter.StartStateStart {
-		return m.startTransports(m.transports)
-	} else {
-		for _, outbound := range outbounds {
-			err := adapter.LegacyStart(outbound, stage)
-			if err != nil {
-				return E.Cause(err, stage, " dns/", outbound.Type(), "[", outbound.Tag(), "]")
-			}
-		}
-	}
-	return nil
-}
-
-func (m *TransportManager) startTransports(transports []adapter.DNSTransport) error {
-	monitor := taskmonitor.New(m.logger, C.StartTimeout)
-	started := make(map[string]bool)
-	for {
-		canContinue := false
-	startOne:
-		for _, transportToStart := range transports {
-			transportTag := transportToStart.Tag()
-			if started[transportTag] {
-				continue
-			}
-			dependencies := transportToStart.Dependencies()
-			for _, dependency := range dependencies {
-				if !started[dependency] {
-					continue startOne
-				}
-			}
-			started[transportTag] = true
-			canContinue = true
-			if starter, isStarter := transportToStart.(adapter.Lifecycle); isStarter {
-				monitor.Start("start dns/", transportToStart.Type(), "[", transportTag, "]")
-				err := starter.Start(adapter.StartStateStart)
-				monitor.Finish()
-				if err != nil {
-					return E.Cause(err, "start dns/", transportToStart.Type(), "[", transportTag, "]")
-				}
-			}
-		}
-		if len(started) == len(transports) {
-			break
-		}
-		if canContinue {
-			continue
-		}
-		currentTransport := common.Find(transports, func(it adapter.DNSTransport) bool {
-			return !started[it.Tag()]
-		})
-		var lintTransport func(oTree []string, oCurrent adapter.DNSTransport) error
-		lintTransport = func(oTree []string, oCurrent adapter.DNSTransport) error {
-			problemTransportTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
-				return !started[it]
-			})
-			if common.Contains(oTree, problemTransportTag) {
-				return E.New("circular server dependency: ", strings.Join(oTree, " -> "), " -> ", problemTransportTag)
-			}
-			m.access.Lock()
-			problemTransport := m.transportByTag[problemTransportTag]
-			m.access.Unlock()
-			if problemTransport == nil {
-				return E.New("dependency[", problemTransportTag, "] not found for server[", oCurrent.Tag(), "]")
-			}
-			return lintTransport(append(oTree, problemTransportTag), problemTransport)
-		}
-		return lintTransport([]string{currentTransport.Tag()}, currentTransport)
-	}
-	return nil
-}
-
-func (m *TransportManager) Close() error {
-	monitor := taskmonitor.New(m.logger, C.StopTimeout)
-	m.access.Lock()
-	if !m.started {
-		m.access.Unlock()
-		return nil
-	}
-	m.started = false
-	transports := m.transports
-	m.transports = nil
-	m.access.Unlock()
-	var err error
-	for _, transport := range transports {
-		if closer, isCloser := transport.(io.Closer); isCloser {
-			monitor.Start("close server/", transport.Type(), "[", transport.Tag(), "]")
-			err = E.Append(err, closer.Close(), func(err error) error {
-				return E.Cause(err, "close server/", transport.Type(), "[", transport.Tag(), "]")
-			})
-			monitor.Finish()
-		}
-	}
-	return nil
-}
-
-func (m *TransportManager) Transports() []adapter.DNSTransport {
-	m.access.RLock()
-	defer m.access.RUnlock()
-	return m.transports
-}
-
-func (m *TransportManager) Transport(tag string) (adapter.DNSTransport, bool) {
-	m.access.RLock()
-	outbound, found := m.transportByTag[tag]
-	m.access.RUnlock()
-	return outbound, found
-}
-
-func (m *TransportManager) Default() adapter.DNSTransport {
-	m.access.RLock()
-	defer m.access.RUnlock()
-	if m.defaultTransport != nil {
-		return m.defaultTransport
-	} else {
-		return m.defaultTransportFallback
-	}
-}
-
-func (m *TransportManager) FakeIP() adapter.FakeIPTransport {
-	m.access.RLock()
-	defer m.access.RUnlock()
-	return m.fakeIPTransport
-}
-
-func (m *TransportManager) Remove(tag string) error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	transport, found := m.transportByTag[tag]
-	if !found {
-		return os.ErrInvalid
-	}
-	delete(m.transportByTag, tag)
-	index := common.Index(m.transports, func(it adapter.DNSTransport) bool {
-		return it == transport
-	})
-	if index == -1 {
-		panic("invalid inbound index")
-	}
-	m.transports = append(m.transports[:index], m.transports[index+1:]...)
-	started := m.started
-	if m.defaultTransport == transport {
-		if len(m.transports) > 0 {
-			nextTransport := m.transports[0]
-			if nextTransport.Type() != C.DNSTypeFakeIP {
-				return E.New("default server cannot be fakeip")
-			}
-			m.defaultTransport = nextTransport
-			m.logger.Info("updated default server to ", m.defaultTransport.Tag())
-		} else {
-			m.defaultTransport = nil
-		}
-	}
-	dependBy := m.dependByTag[tag]
-	if len(dependBy) > 0 {
-		return E.New("server[", tag, "] is depended by ", strings.Join(dependBy, ", "))
-	}
-	dependencies := transport.Dependencies()
-	for _, dependency := range dependencies {
-		if len(m.dependByTag[dependency]) == 1 {
-			delete(m.dependByTag, dependency)
-		} else {
-			m.dependByTag[dependency] = common.Filter(m.dependByTag[dependency], func(it string) bool {
-				return it != tag
-			})
-		}
-	}
-	if started {
-		transport.Reset()
-	}
-	return nil
-}
-
-func (m *TransportManager) Create(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) error {
-	if tag == "" {
-		return os.ErrInvalid
-	}
-	transport, err := m.registry.CreateDNSTransport(ctx, logger, tag, transportType, options)
-	if err != nil {
-		return err
-	}
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.started {
-		for _, stage := range adapter.ListStartStages {
-			err = adapter.LegacyStart(transport, stage)
-			if err != nil {
-				return E.Cause(err, stage, " dns/", transport.Type(), "[", transport.Tag(), "]")
-			}
-		}
-	}
-	if existsTransport, loaded := m.transportByTag[tag]; loaded {
-		if m.started {
-			err = common.Close(existsTransport)
-			if err != nil {
-				return E.Cause(err, "close dns/", existsTransport.Type(), "[", existsTransport.Tag(), "]")
-			}
-		}
-		existsIndex := common.Index(m.transports, func(it adapter.DNSTransport) bool {
-			return it == existsTransport
-		})
-		if existsIndex == -1 {
-			panic("invalid inbound index")
-		}
-		m.transports = append(m.transports[:existsIndex], m.transports[existsIndex+1:]...)
-	}
-	m.transports = append(m.transports, transport)
-	m.transportByTag[tag] = transport
-	dependencies := transport.Dependencies()
-	for _, dependency := range dependencies {
-		m.dependByTag[dependency] = append(m.dependByTag[dependency], tag)
-	}
-	if tag == m.defaultTag || (m.defaultTag == "" && m.defaultTransport == nil) {
-		if transport.Type() == C.DNSTypeFakeIP {
-			return E.New("default server cannot be fakeip")
-		}
-		m.defaultTransport = transport
-		if m.started {
-			m.logger.Info("updated default server to ", transport.Tag())
-		}
-	}
-	if transport.Type() == C.DNSTypeFakeIP {
-		if m.fakeIPTransport != nil {
-			return E.New("multiple fakeip server are not supported")
-		}
-		m.fakeIPTransport = transport.(adapter.FakeIPTransport)
-	}
-	return nil
-}
--- a/dns/transport_registry.go
+++ b/dns/transport_registry.go
@@ -1,72 +0,0 @@
-package dns
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type TransportConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.DNSTransport, error)
-
-func RegisterTransport[Options any](registry *TransportRegistry, transportType string, constructor TransportConstructorFunc[Options]) {
-	registry.register(transportType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.DNSTransport, error) {
-		var options *Options
-		if rawOptions != nil {
-			options = rawOptions.(*Options)
-		}
-		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
-	})
-}
-
-var _ adapter.DNSTransportRegistry = (*TransportRegistry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.DNSTransport, error)
-)
-
-type TransportRegistry struct {
-	access       sync.Mutex
-	optionsType  map[string]optionsConstructorFunc
-	constructors map[string]constructorFunc
-}
-
-func NewTransportRegistry() *TransportRegistry {
-	return &TransportRegistry{
-		optionsType:  make(map[string]optionsConstructorFunc),
-		constructors: make(map[string]constructorFunc),
-	}
-}
-
-func (r *TransportRegistry) CreateOptions(transportType string) (any, bool) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	optionsConstructor, loaded := r.optionsType[transportType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (r *TransportRegistry) CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (adapter.DNSTransport, error) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	constructor, loaded := r.constructors[transportType]
-	if !loaded {
-		return nil, E.New("transport type not found: " + transportType)
-	}
-	return constructor(ctx, logger, tag, options)
-}
-
-func (r *TransportRegistry) register(transportType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	r.access.Lock()
-	defer r.access.Unlock()
-	r.optionsType[transportType] = optionsConstructor
-	r.constructors[transportType] = constructor
-}
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,10 +2,146 @@
 icon: material/alert-decagram
 ---

-#### 1.11.0-beta.23
+### 1.11.5

 * Fixes and improvements

+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._
+
+### 1.11.4
+
+* Fixes and improvements
+
+### 1.11.3
+
+* Fixes and improvements
+
+_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration process._
+
+### 1.11.1
+
+* Fixes and improvements
+
+### 1.11.0
+
+Important changes since 1.10:
+
+* Introducing rule actions **1**
+* Improve tun compatibility **3**
+* Merge route options to route actions **4**
+* Add `network_type`, `network_is_expensive` and `network_is_constrainted` rule items **5**
+* Add multi network dialing **6**
+* Add `cache_capacity` DNS option **7**
+* Add `override_address` and `override_port` route options **8**
+* Upgrade WireGuard outbound to endpoint **9**
+* Add UDP GSO support for WireGuard
+* Make GSO adaptive **10**
+* Add UDP timeout route option **11**
+* Add more masquerade options for hysteria2 **12**
+* Add `rule-set merge` command
+* Add port hopping support for Hysteria2 **13**
+* Hysteria2 `ignore_client_bandwidth` behavior update **14**
+
+**1**:
+
+New rule actions replace legacy inbound fields and special outbound fields,
+and can be used for pre-matching **2**.
+
+See [Rule](/configuration/route/rule/),
+[Rule Action](/configuration/route/rule_action/),
+[DNS Rule](/configuration/dns/rule/) and
+[DNS Rule Action](/configuration/dns/rule_action/).
+
+For migration, see
+[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions),
+[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
+and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+**2**:
+
+Similar to Surge's pre-matching.
+
+Specifically, new rule actions allow you to reject connections with
+TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
+before connection established to improve tun's compatibility.
+
+See [Rule Action](/configuration/route/rule_action/).
+
+**3**:
+
+When `gvisor` tun stack is enabled, even if the request passes routing,
+if the outbound connection establishment fails,
+the connection still does not need to be established and a TCP RST is replied.
+
+**4**:
+
+Route options in DNS route actions will no longer be considered deprecated,
+see [DNS Route Action](/configuration/dns/rule_action/).
+
+Also, now `udp_disable_domain_unmapping` and `udp_connect` can also be configured in route action,
+see [Route Action](/configuration/route/rule_action/).
+
+**5**:
+
+When using in graphical clients, new routing rule items allow you to match on
+network type (WIFI, cellular, etc.), whether the network is expensive, and whether Low Data Mode is enabled.
+
+See [Route Rule](/configuration/route/rule/), [DNS Route Rule](/configuration/dns/rule/)
+and [Headless Rule](/configuration/rule-set/headless-rule/).
+
+**6**:
+
+Similar to Surge's strategy.
+
+New options allow you to connect using multiple network interfaces,
+prefer or only use one type of interface,
+and configure a timeout to fallback to other interfaces.
+
+See [Dial Fields](/configuration/shared/dial/#network_strategy),
+[Rule Action](/configuration/route/rule_action/#network_strategy)
+and [Route](/configuration/route/#default_network_strategy).
+
+**7**:
+
+See [DNS](/configuration/dns/#cache_capacity).
+
+**8**:
+
+See [Rule Action](/configuration/route/#override_address) and
+[Migrate destination override fields to route options](/migration/#migrate-destination-override-fields-to-route-options).
+
+**9**:
+
+The new WireGuard endpoint combines inbound and outbound capabilities,
+and the old outbound will be removed in sing-box 1.13.0.
+
+See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
+and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
+
+**10**:
+
+For WireGuard outbound and endpoint, GSO will be automatically enabled when available,
+see [WireGuard Outbound](/configuration/outbound/wireguard/#gso).
+
+For TUN, GSO has been removed,
+see [Deprecated](/deprecated/#gso-option-in-tun).
+
+**11**:
+
+See [Rule Action](/configuration/route/rule_action/#udp_timeout).
+
+**12**:
+
+See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).
+
+**13**:
+
+See [Hysteria2](/configuration/outbound/hysteria2/).
+
+**14**:
+
+When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
+
 ### 1.10.7

 * Fixes and improvements
--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@@ -7,6 +7,10 @@ icon: material/apple
 SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
 platform-specific function implementation, such as TUN transparent proxy implementation.

+!!! failure ""
+
+    We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).
+
 ## :material-graph: Requirements

 * iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -8,6 +8,7 @@ sing-box 使用 JSON 作为配置文件格式。
 {
  "log": {},
  "dns": {},
+  "ntp": {},
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -22,6 +23,7 @@ sing-box 使用 JSON 作为配置文件格式。
 |----------------|------------------------|
 | `log`          | [日志](./log/)           |
 | `dns`          | [DNS](./dns/)          |
+| `ntp`          | [NTP](./ntp/)          |
 | `endpoints`    | [端点](./endpoint/)      |
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@@ -8,7 +8,7 @@ icon: material/delete-clock

 ### Structure

-```json F
+```json
 {
  "type": "block",
  "tag": "block"
--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.11.0 废弃"

-    WireGuard 出站已被启用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。
+    WireGuard 出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-wireguard-outbound-to-endpoint)。

 !!! quote "sing-box 1.11.0 中的更改"

--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@@ -31,6 +31,45 @@ Tag of target outbound.

 See `route-options` fields below.

+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject connections
+
+The specified method is used for reject tun connections if `sniff` action has not been performed yet.
+
+For non-tun connections and already established connections, will just be closed.
+
+#### method
+
+- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
+- `drop`: Drop packets.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` hijack DNS requests to the sing-box DNS module.
+
+## Non-final actions
+
 ### route-options

 ```json
@@ -109,45 +148,6 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
 | 443  | `quic`   |
 | 3478 | `stun`   |

-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default", // default
-  "no_drop": false
-}
-```
-
-`reject` reject connections
-
-The specified method is used for reject tun connections if `sniff` action has not been performed yet.
-
-For non-tun connections and already established connections, will just be closed.
-
-#### method
-
- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
- `drop`: Drop packets.
-
-#### no_drop
-
-If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
-
-Not available when `method` is set to drop.
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` hijack DNS requests to the sing-box DNS module.
-
-## Non-final actions
-
 ### sniff

 ```json
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@@ -27,6 +27,45 @@ icon: material/new-box

 参阅下方的 `route-options` 字段。

+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default",  // 默认
+  "no_drop": false
+}
+```
+
+`reject` 拒绝连接。
+
+如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
+
+对于非 tun 连接和已建立的连接，将直接关闭。
+
+#### method
+
+- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
+- `drop`: 丢弃数据包。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
+
+## 非最终动作
+
 ### route-options

 ```json
@@ -107,45 +146,6 @@ UDP 连接超时时间。
 | 443  | `quic` |
 | 3478 | `stun` |

-### reject
-
-```json
-{
-  "action": "reject",
-  "method": "default",  // 默认
-  "no_drop": false
-}
-```
-
-`reject` 拒绝连接。
-
-如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
-
-对于非 tun 连接和已建立的连接，将直接关闭。
-
-#### method
-
- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
- `drop`: 丢弃数据包。
-
-#### no_drop
-
-如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
-
-当 `method` 设为 `drop` 时不可用。
-
-### hijack-dns
-
-```json
-{
-  "action": "hijack-dns"
-}
-```
-
-`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
-
-## 非最终动作
-
 ### sniff

 ```json
--- a/docs/configuration/rule-set/index.md
+++ b/docs/configuration/rule-set/index.md
@@ -74,7 +74,7 @@ Tag of rule-set.

 ==Required==

-List of [Headless Rule](../headless-rule/).
+List of [Headless Rule](./headless-rule/).

 ### Local or Remote Fields

--- a/docs/configuration/rule-set/index.zh.md
+++ b/docs/configuration/rule-set/index.zh.md
@@ -74,7 +74,7 @@ icon: material/new-box

 ==必填==

-一组 [无头规则](../headless-rule/).
+一组 [无头规则](./headless-rule/).

 ### 本地或远程字段

--- a/docs/configuration/shared/udp-over-tcp.md
+++ b/docs/configuration/shared/udp-over-tcp.md
@@ -31,12 +31,11 @@ The protocol version, `1` or `2`.

 ### Application support

-| Project      | UoT v1               | UoT v2                                                                                                            |
-|--------------|----------------------|-------------------------------------------------------------------------------------------------------------------|
-| sing-box     | v0 (2022/08/11)      | v1.2-beta9                                                                                                        |
-| Xray-core    | v1.5.7 (2022/06/05)  | [f57ec13](https://github.com/XTLS/Xray-core/commit/f57ec1388084df041a2289bacab14e446bf1b357) (Not released)       |
-| Clash.Meta   | v1.12.0 (2022/07/02) | [8cb67b6](https://github.com/MetaCubeX/Clash.Meta/commit/8cb67b6480649edfa45dcc9ac89ce0789651e8b3) (Not released) |
-| Shadowrocket | v2.2.12 (2022/08/13) | /                                                                                                                 |
+| Project      | UoT v1               | UoT v2               |
+|--------------|----------------------|----------------------|
+| sing-box     | v0 (2022/08/11)      | v1.2-beta9           |
+| Clash.Meta   | v1.12.0 (2022/07/02) | v1.14.3 (2023/03/31) |
+| Shadowrocket | v2.2.12 (2022/08/13) | /                    |

 ### Protocol details

@@ -50,7 +49,13 @@ The client requests the magic address to the upper layer proxy protocol to indic
 |------|----------|-------|--------|----------|
 | u8   | variable | u16be | u16be  | variable |

-**ATYP / address / port**: Uses the SOCKS address format.
+**ATYP / address / port**: Uses the SOCKS address format, but with different address types:
+
+| ATYP   | Address type |
+|--------|--------------|
+| `0x00` | IPv4 Address |
+| `0x01` | IPv6 Address |
+| `0x02` | Domain Name  |

 #### Protocol version 2

--- a/docs/migration.md
+++ b/docs/migration.md
@@ -108,7 +108,7 @@ Inbound fields are deprecated and can be replaced by rule actions.

 !!! info "References"

-    [Listen Fields](/configuration/inbound/listen/) /
+    [Listen Fields](/configuration/shared/listen/) /
    [Rule](/configuration/route/rule/) / 
    [Rule Action](/configuration/route/rule_action/) / 
    [DNS Rule](/configuration/dns/rule/) / 
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@@ -284,8 +284,8 @@ func (c *CacheFile) StoreGroupExpand(group string, isExpand bool) error {
 	})
 }

-func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedRuleSet {
-	var savedSet adapter.SavedRuleSet
+func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedBinary {
+	var savedSet adapter.SavedBinary
 	err := c.DB.View(func(t *bbolt.Tx) error {
 		bucket := c.bucket(t, bucketRuleSet)
 		if bucket == nil {
@@ -303,7 +303,7 @@ func (c *CacheFile) LoadRuleSet(tag string) *adapter.SavedRuleSet {
 	return &savedSet
 }

-func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedRuleSet) error {
+func (c *CacheFile) SaveRuleSet(tag string, set *adapter.SavedBinary) error {
 	return c.DB.Batch(func(t *bbolt.Tx) error {
 		bucket, err := c.createBucket(t, bucketRuleSet)
 		if err != nil {
--- a/experimental/clashapi/dns.go
+++ b/experimental/clashapi/dns.go
@@ -13,13 +13,13 @@ import (
 	"github.com/miekg/dns"
 )

-func dnsRouter(router adapter.DNSRouter) http.Handler {
+func dnsRouter(router adapter.Router) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/query", queryDNS(router))
 	return r
 }

-func queryDNS(router adapter.DNSRouter) func(w http.ResponseWriter, r *http.Request) {
+func queryDNS(router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		name := r.URL.Query().Get("name")
 		qTypeStr := r.URL.Query().Get("type")
@@ -39,7 +39,7 @@ func queryDNS(router adapter.DNSRouter) func(w http.ResponseWriter, r *http.Requ

 		msg := dns.Msg{}
 		msg.SetQuestion(dns.Fqdn(name), qType)
-		resp, err := router.Exchange(ctx, &msg, adapter.DNSQueryOptions{})
+		resp, err := router.Exchange(ctx, &msg)
 		if err != nil {
 			render.Status(r, http.StatusInternalServerError)
 			render.JSON(w, r, newError(err.Error()))
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -42,7 +42,6 @@ var _ adapter.ClashServer = (*Server)(nil)
 type Server struct {
 	ctx            context.Context
 	router         adapter.Router
-	dnsRouter      adapter.DNSRouter
 	outbound       adapter.OutboundManager
 	endpoint       adapter.EndpointManager
 	logger         log.Logger
@@ -63,12 +62,11 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 	trafficManager := trafficontrol.NewManager()
 	chiRouter := chi.NewRouter()
 	s := &Server{
-		ctx:       ctx,
-		router:    service.FromContext[adapter.Router](ctx),
-		dnsRouter: service.FromContext[adapter.DNSRouter](ctx),
-		outbound:  service.FromContext[adapter.OutboundManager](ctx),
-		endpoint:  service.FromContext[adapter.EndpointManager](ctx),
-		logger:    logFactory.NewLogger("clash-api"),
+		ctx:      ctx,
+		router:   service.FromContext[adapter.Router](ctx),
+		outbound: service.FromContext[adapter.OutboundManager](ctx),
+		endpoint: service.FromContext[adapter.EndpointManager](ctx),
+		logger:   logFactory.NewLogger("clash-api"),
 		httpServer: &http.Server{
 			Addr:    options.ExternalController,
 			Handler: chiRouter,
@@ -123,7 +121,7 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter(ctx))
-		r.Mount("/dns", dnsRouter(s.dnsRouter))
+		r.Mount("/dns", dnsRouter(s.router))

 		s.setupMetaAPI(r)
 	})
@@ -131,7 +129,7 @@ func NewServer(ctx context.Context, logFactory log.ObservableFactory, options op
 		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
 			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusMovedPermanently).ServeHTTP)
-			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(http.Dir(s.externalUI))))
+			r.Handle("/ui/*", http.StripPrefix("/ui/", http.FileServer(Dir(s.externalUI))))
 		})
 	}
 	return s, nil
@@ -223,7 +221,7 @@ func (s *Server) SetMode(newMode string) {
 		default:
 		}
 	}
-	s.dnsRouter.ClearCache()
+	s.router.ClearDNSCache()
 	cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
 	if cacheFile != nil {
 		err := cacheFile.StoreMode(newMode)
--- a/experimental/clashapi/server_fs.go
+++ b/experimental/clashapi/server_fs.go
@@ -0,0 +1,18 @@
+package clashapi
+
+import "net/http"
+
+type Dir http.Dir
+
+func (d Dir) Open(name string) (http.File, error) {
+	file, err := http.Dir(d).Open(name)
+	if err != nil {
+		return nil, err
+	}
+	return &fileWrapper{file}, nil
+}
+
+// workaround for #2345 #2596
+type fileWrapper struct {
+	http.File
+}
--- a/experimental/clashapi/server_resources.go
+++ b/experimental/clashapi/server_resources.go
@@ -41,7 +41,6 @@ func (s *Server) downloadExternalUI() error {
 	} else {
 		downloadURL = "https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip"
 	}
-	s.logger.Info("downloading external ui")
 	var detour adapter.Outbound
 	if s.externalUIDownloadDetour != "" {
 		outbound, loaded := s.outbound.Outbound(s.externalUIDownloadDetour)
@@ -53,6 +52,7 @@ func (s *Server) downloadExternalUI() error {
 		outbound := s.outbound.Default()
 		detour = outbound
 	}
+	s.logger.Info("downloading external ui using outbound/", detour.Type(), "[", detour.Tag(), "]")
 	httpClient := &http.Client{
 		Transport: &http.Transport{
 			ForceAttemptHTTP2:   true,
@@ -71,15 +71,15 @@ func (s *Server) downloadExternalUI() error {
 	if response.StatusCode != http.StatusOK {
 		return E.New("download external ui failed: ", response.Status)
 	}
-	err = s.downloadZIP(filepath.Base(downloadURL), response.Body, s.externalUI)
+	err = s.downloadZIP(response.Body, s.externalUI)
 	if err != nil {
 		removeAllInDirectory(s.externalUI)
 	}
 	return err
 }

-func (s *Server) downloadZIP(name string, body io.Reader, output string) error {
-	tempFile, err := filemanager.CreateTemp(s.ctx, name)
+func (s *Server) downloadZIP(body io.Reader, output string) error {
+	tempFile, err := filemanager.CreateTemp(s.ctx, "external-ui.zip")
 	if err != nil {
 		return err
 	}
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@@ -146,35 +146,6 @@ var OptionTUNGSO = Note{
 	EnvName:           "TUN_GSO",
 }

-var OptionLegacyDNSTransport = Note{
-	Name:              "legacy-dns-transport",
-	Description:       "legacy DNS transport",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-	EnvName:           "LEGACY_DNS_TRANSPORT",
-}
-
-var OptionLegacyDNSFakeIPOptions = Note{
-	Name:              "legacy-dns-fakeip-options",
-	Description:       "legacy DNS fakeip options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-}
-
-var OptionOutboundDNSRuleItem = Note{
-	Name:              "outbound-dns-rule-item",
-	Description:       "outbound DNS rule item",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-}
-
-var OptionMissingDomainResolverInDialOptions = Note{
-	Name:              "missing-domain-resolver-in-dial-options",
-	Description:       "missing domain resolver in dial options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-}
-
 var Options = []Note{
 	OptionBadMatchSource,
 	OptionGEOIP,
@@ -186,8 +157,4 @@ var Options = []Note{
 	OptionWireGuardOutbound,
 	OptionWireGuardGSO,
 	OptionTUNGSO,
-	OptionLegacyDNSTransport,
-	OptionLegacyDNSFakeIPOptions,
-	OptionOutboundDNSRuleItem,
-	OptionMissingDomainResolverInDialOptions,
 }
--- a/experimental/libbox/command_power.go
+++ b/experimental/libbox/command_power.go
@@ -4,7 +4,6 @@ import (
 	"encoding/binary"
 	"net"

-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 )

@@ -18,19 +17,7 @@ func (c *CommandClient) ServiceReload() error {
 	if err != nil {
 		return err
 	}
-	var hasError bool
-	err = binary.Read(conn, binary.BigEndian, &hasError)
-	if err != nil {
-		return err
-	}
-	if hasError {
-		errorMessage, err := varbin.ReadValue[string](conn, binary.BigEndian)
-		if err != nil {
-			return err
-		}
-		return E.New(errorMessage)
-	}
-	return nil
+	return readError(conn)
 }

 func (s *CommandServer) handleServiceReload(conn net.Conn) error {
@@ -55,19 +42,7 @@ func (c *CommandClient) ServiceClose() error {
 	if err != nil {
 		return err
 	}
-	var hasError bool
-	err = binary.Read(conn, binary.BigEndian, &hasError)
-	if err != nil {
-		return nil
-	}
-	if hasError {
-		errorMessage, err := varbin.ReadValue[string](conn, binary.BigEndian)
-		if err != nil {
-			return nil
-		}
-		return E.New(errorMessage)
-	}
-	return nil
+	return readError(conn)
 }

 func (s *CommandServer) handleServiceClose(conn net.Conn) error {
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@@ -9,11 +9,8 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/include"
-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
@@ -24,18 +21,6 @@ import (
 	"github.com/sagernet/sing/service"
 )

-func BaseContext(platformInterface PlatformInterface) context.Context {
-	dnsRegistry := include.DNSTransportRegistry()
-	if platformInterface != nil {
-		if localTransport := platformInterface.LocalDNSTransport(); localTransport != nil {
-			dns.RegisterTransport[option.LocalDNSServerOptions](dnsRegistry, C.DNSTypeLocal, func(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
-				return newPlatformTransport(localTransport, tag, options), nil
-			})
-		}
-	}
-	return box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), dnsRegistry)
-}
-
 func parseConfig(ctx context.Context, configContent string) (option.Options, error) {
 	options, err := json.UnmarshalExtendedContext[option.Options](ctx, []byte(configContent))
 	if err != nil {
@@ -45,7 +30,7 @@ func parseConfig(ctx context.Context, configContent string) (option.Options, err
 }

 func CheckConfig(configContent string) error {
-	ctx := BaseContext(nil)
+	ctx := box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry())
 	options, err := parseConfig(ctx, configContent)
 	if err != nil {
 		return err
@@ -81,10 +66,6 @@ func (s *platformInterfaceStub) OpenTun(options *tun.Options, platformOptions op
 	return nil, os.ErrInvalid
 }

-func (s *platformInterfaceStub) UpdateRouteOptions(options *tun.Options, platformInterface option.TunPlatformOptions) error {
-	return os.ErrInvalid
-}
-
 func (s *platformInterfaceStub) UsePlatformDefaultInterfaceMonitor() bool {
 	return true
 }
@@ -150,7 +131,7 @@ func (s *platformInterfaceStub) SendNotification(notification *platform.Notifica
 }

 func FormatConfig(configContent string) (*StringBox, error) {
-	options, err := parseConfig(BaseContext(nil), configContent)
+	options, err := parseConfig(box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry()), configContent)
 	if err != nil {
 		return nil, err
 	}
--- a/experimental/libbox/dns.go
+++ b/experimental/libbox/dns.go
@@ -6,10 +6,7 @@ import (
 	"strings"
 	"syscall"

-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -24,80 +21,118 @@ type LocalDNSTransport interface {
 	Exchange(ctx *ExchangeContext, message []byte) error
 }

-var _ adapter.DNSTransport = (*platformTransport)(nil)
+func RegisterLocalDNSTransport(transport LocalDNSTransport) {
+	if transport == nil {
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
+			return dns.NewLocalTransport(options), nil
+		})
+	} else {
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
+			return &platformLocalDNSTransport{
+				iif: transport,
+			}, nil
+		})
+	}
+}

-type platformTransport struct {
-	dns.TransportAdapter
+var _ dns.Transport = (*platformLocalDNSTransport)(nil)
+
+type platformLocalDNSTransport struct {
 	iif LocalDNSTransport
 }

-func newPlatformTransport(iif LocalDNSTransport, tag string, options option.LocalDNSServerOptions) *platformTransport {
-	return &platformTransport{
-		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
-		iif:              iif,
+func (p *platformLocalDNSTransport) Name() string {
+	return "local"
+}
+
+func (p *platformLocalDNSTransport) Start() error {
+	return nil
+}
+
+func (p *platformLocalDNSTransport) Reset() {
+}
+
+func (p *platformLocalDNSTransport) Close() error {
+	return nil
+}
+
+func (p *platformLocalDNSTransport) Raw() bool {
+	return p.iif.Raw()
+}
+
+func (p *platformLocalDNSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	messageBytes, err := message.Pack()
+	if err != nil {
+		return nil, err
 	}
-}
-
-func (p *platformTransport) Reset() {
-}
-
-func (p *platformTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	response := &ExchangeContext{
 		context: ctx,
 	}
-	if p.iif.Raw() {
-		messageBytes, err := message.Pack()
+	var responseMessage *mDNS.Msg
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
+		err = p.iif.Exchange(response, messageBytes)
 		if err != nil {
-			return nil, err
+			return err
 		}
-		var responseMessage *mDNS.Msg
-		var group task.Group
-		group.Append0(func(ctx context.Context) error {
-			err = p.iif.Exchange(response, messageBytes)
-			if err != nil {
-				return err
-			}
-			if response.error != nil {
-				return response.error
-			}
-			responseMessage = &response.message
-			return nil
-		})
-		err = group.Run(ctx)
-		if err != nil {
-			return nil, err
+		if response.error != nil {
+			return response.error
 		}
-		return responseMessage, nil
-	} else {
-		question := message.Question[0]
-		var network string
-		switch question.Qtype {
-		case mDNS.TypeA:
-			network = "ip4"
-		case mDNS.TypeAAAA:
-			network = "ip6"
-		default:
-			return nil, E.New("only IP queries are supported by current version of Android")
-		}
-		var responseAddrs []netip.Addr
-		var group task.Group
-		group.Append0(func(ctx context.Context) error {
-			err := p.iif.Lookup(response, network, question.Name)
-			if err != nil {
-				return err
-			}
-			if response.error != nil {
-				return response.error
-			}
-			responseAddrs = response.addresses
-			return nil
-		})
-		err := group.Run(ctx)
-		if err != nil {
-			return nil, err
-		}
-		return dns.FixedResponse(message.Id, question, responseAddrs, C.DefaultDNSTTL), nil
+		responseMessage = &response.message
+		return nil
+	})
+	err = group.Run(ctx)
+	if err != nil {
+		return nil, err
 	}
+	return responseMessage, nil
+}
+
+func (p *platformLocalDNSTransport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
+	var network string
+	switch strategy {
+	case dns.DomainStrategyUseIPv4:
+		network = "ip4"
+	case dns.DomainStrategyPreferIPv6:
+		network = "ip6"
+	default:
+		network = "ip"
+	}
+	response := &ExchangeContext{
+		context: ctx,
+	}
+	var responseAddr []netip.Addr
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
+		err := p.iif.Lookup(response, network, domain)
+		if err != nil {
+			return err
+		}
+		if response.error != nil {
+			return response.error
+		}
+		switch strategy {
+		case dns.DomainStrategyUseIPv4:
+			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
+				return it.Is4()
+			})
+		case dns.DomainStrategyPreferIPv6:
+			responseAddr = common.Filter(response.addresses, func(it netip.Addr) bool {
+				return it.Is6()
+			})
+		default:
+			responseAddr = response.addresses
+		}
+		/*if len(responseAddr) == 0 {
+			response.error = dns.RCodeSuccess
+		}*/
+		return nil
+	})
+	err := group.Run(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return responseAddr, nil
 }

 type Func interface {
--- a/experimental/libbox/monitor.go
+++ b/experimental/libbox/monitor.go
@@ -56,7 +56,12 @@ func (m *platformDefaultInterfaceMonitor) UnregisterCallback(element *list.Eleme

 func (m *platformDefaultInterfaceMonitor) UpdateDefaultInterface(interfaceName string, interfaceIndex32 int32, isExpensive bool, isConstrained bool) {
 	if sFixAndroidStack {
-		go m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
+		done := make(chan struct{})
+		go func() {
+			m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
+			close(done)
+		}()
+		<-done
 	} else {
 		m.updateDefaultInterface(interfaceName, interfaceIndex32, isExpensive, isConstrained)
 	}
--- a/experimental/libbox/platform.go
+++ b/experimental/libbox/platform.go
@@ -6,11 +6,9 @@ import (
 )

 type PlatformInterface interface {
-	LocalDNSTransport() LocalDNSTransport
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int32) error
 	OpenTun(options TunOptions) (int32, error)
-	UpdateRouteOptions(options TunOptions) error
 	WriteLog(message string)
 	UseProcFS() bool
 	FindConnectionOwner(ipProtocol int32, sourceAddress string, sourcePort int32, destinationAddress string, destinationPort int32) (int32, error)
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@@ -13,7 +13,6 @@ type Interface interface {
 	UsePlatformAutoDetectInterfaceControl() bool
 	AutoDetectInterfaceControl(fd int) error
 	OpenTun(options *tun.Options, platformOptions option.TunPlatformOptions) (tun.Tun, error)
-	UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	Interfaces() ([]adapter.NetworkInterface, error)
 	UnderNetworkExtension() bool
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@@ -18,6 +18,7 @@ import (
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/experimental/libbox/internal/procfs"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
+	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
@@ -43,7 +44,7 @@ type BoxService struct {
 }

 func NewService(configContent string, platformInterface PlatformInterface) (*BoxService, error) {
-	ctx := BaseContext(platformInterface)
+	ctx := box.Context(context.Background(), include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry())
 	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
 	service.MustRegister[deprecated.Manager](ctx, new(deprecatedManager))
 	options, err := parseConfig(ctx, configContent)
@@ -173,20 +174,6 @@ func (w *platformInterfaceWrapper) OpenTun(options *tun.Options, platformOptions
 	return tun.New(*options)
 }

-func (w *platformInterfaceWrapper) UpdateRouteOptions(options *tun.Options, platformOptions option.TunPlatformOptions) error {
-	if len(options.IncludeUID) > 0 || len(options.ExcludeUID) > 0 {
-		return E.New("android: unsupported uid options")
-	}
-	if len(options.IncludeAndroidUser) > 0 {
-		return E.New("android: unsupported android_user option")
-	}
-	routeRanges, err := options.BuildAutoRouteRanges(true)
-	if err != nil {
-		return err
-	}
-	return w.iif.UpdateRouteOptions(&tunOptions{options, routeRanges, platformOptions})
-}
-
 func (w *platformInterfaceWrapper) CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor {
 	return &platformDefaultInterfaceMonitor{
 		platformInterfaceWrapper: w,
@@ -205,9 +192,6 @@ func (w *platformInterfaceWrapper) Interfaces() ([]adapter.NetworkInterface, err
 			continue
 		}
 		w.defaultInterfaceAccess.Lock()
-		// (GOOS=windows) SA4006: this value of `isDefault` is never used
-		// Why not used?
-		//nolint:staticcheck
 		isDefault := w.defaultInterface != nil && int(netInterface.Index) == w.defaultInterface.Index
 		w.defaultInterfaceAccess.Unlock()
 		interfaces = append(interfaces, adapter.NetworkInterface{
--- a/experimental/libbox/service_pause.go
+++ b/experimental/libbox/service_pause.go
@@ -31,3 +31,7 @@ func (s *BoxService) Wake() {
 func (s *BoxService) ResetNetwork() {
 	s.instance.Router().ResetNetwork()
 }
+
+func (s *BoxService) UpdateWIFIState() {
+	s.instance.Network().UpdateWIFIState()
+}
--- a/experimental/locale/locale.go
+++ b/experimental/locale/locale.go
@@ -7,11 +7,13 @@ var (

 type Locale struct {
 	// deprecated messages for graphical clients
+	Locale                  string
 	DeprecatedMessage       string
 	DeprecatedMessageNoLink string
 }

 var defaultLocal = &Locale{
+	Locale:                  "en_US",
 	DeprecatedMessage:       "%s is deprecated in sing-box %s and will be removed in sing-box %s please checkout documentation for migration.",
 	DeprecatedMessageNoLink: "%s is deprecated in sing-box %s and will be removed in sing-box %s.",
 }
--- a/experimental/locale/locale_zh_CN.go
+++ b/experimental/locale/locale_zh_CN.go
@@ -4,6 +4,7 @@ var warningMessageForEndUsers = "\n\n如果您不明白此消息意味着什么

 func init() {
 	localeRegistry["zh_CN"] = &Locale{
+		Locale:                  "zh_CN",
 		DeprecatedMessage:       "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除，请参阅迁移指南。" + warningMessageForEndUsers,
 		DeprecatedMessageNoLink: "%s 已在 sing-box %s 中被弃用，且将在 sing-box %s 中被移除。" + warningMessageForEndUsers,
 	}
--- a/go.mod
+++ b/go.mod
@@ -1,23 +1,21 @@
 module github.com/sagernet/sing-box

-go 1.23.1
-
-toolchain go1.23.2
+go 1.20

 require (
 	github.com/caddyserver/certmagic v0.20.0
 	github.com/cloudflare/circl v1.3.7
 	github.com/cretz/bine v0.2.0
-	github.com/go-chi/chi/v5 v5.1.0
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.3.0
-	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
+	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
 	github.com/libdns/alidns v1.0.3
 	github.com/libdns/cloudflare v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa
+	github.com/metacubex/tfo-go v0.0.0-20241231083714-66613d49c422
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.62
+	github.com/miekg/dns v1.1.63
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
@@ -26,116 +24,81 @@ require (
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.4
 	github.com/sagernet/gvisor v0.0.0-20241123041152-536d05261cff
-	github.com/sagernet/quic-go v0.48.2-beta.1
+	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.6.0-beta.12
-	github.com/sagernet/sing-mux v0.3.0-alpha.1
-	github.com/sagernet/sing-quic v0.4.0-beta.4
+	github.com/sagernet/sing v0.6.3
+	github.com/sagernet/sing-dns v0.4.0
+	github.com/sagernet/sing-mux v0.3.1
+	github.com/sagernet/sing-quic v0.4.0
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
-	github.com/sagernet/sing-shadowtls v0.2.0-alpha.2
-	github.com/sagernet/sing-tun v0.6.0-beta.8
-	github.com/sagernet/sing-vmess v0.2.0-beta.2
+	github.com/sagernet/sing-shadowtls v0.2.0
+	github.com/sagernet/sing-tun v0.6.1
+	github.com/sagernet/sing-vmess v0.2.0
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
-	github.com/sagernet/tailscale v0.0.0-20241203114627-8b68177dbcc1
 	github.com/sagernet/utls v1.6.7
 	github.com/sagernet/wireguard-go v0.0.1-beta.5
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.8.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	go.uber.org/zap v1.27.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.31.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/mod v0.20.0
-	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.28.0
+	golang.org/x/net v0.34.0
+	golang.org/x/sys v0.30.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
 	howett.net/plist v1.0.1
 )

+//replace github.com/sagernet/sing => ../sing
+
 require (
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/ajg/form v1.5.1 // indirect
-	github.com/akutz/memconn v0.1.0 // indirect
-	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
-	github.com/andybalholm/brotli v1.1.0 // indirect
-	github.com/bits-and-blooms/bitset v1.13.0 // indirect
+	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/coder/websocket v1.8.12 // indirect
-	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
-	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
-	github.com/gaissmai/bart v0.11.1 // indirect
-	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
-	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
-	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/csrf v1.7.2 // indirect
-	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
-	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
-	github.com/illarion/gonotify/v2 v2.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
-	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/josharian/native v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
-	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
-	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/sdnotify v1.0.0 // indirect
-	github.com/mdlayher/socket v0.5.0 // indirect
-	github.com/mitchellh/go-ps v1.0.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.17.2 // indirect
-	github.com/pierrec/lz4/v4 v4.1.21 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus-community/pro-bing v0.4.0 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
+	github.com/pierrec/lz4/v4 v4.1.14 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a // indirect
 	github.com/sagernet/nftables v0.3.0-beta.4 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
-	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 // indirect
-	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
-	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
-	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
-	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tcnksm/go-httpstat v0.2.0 // indirect
-	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,69 +1,39 @@
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
-github.com/akutz/memconn v0.1.0 h1:NawI0TORU4hcOMsMr11g7vwlCdkYeLKXBcxWu2W/P8A=
-github.com/akutz/memconn v0.1.0/go.mod h1:Jo8rI7m0NieZyLI5e2CDlRdRqRRB4S7Xp77ukDjH+Fw=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
-github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
-github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
+github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
-github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
-github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
-github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
-github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
-github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
-github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
-github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
 github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -71,41 +41,26 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
-github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
-github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
+github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
-github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
-github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
-github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
-github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905 h1:q3OEI9RaN/wwcx+qgGo6ZaoJkCiDYe/gjDLfq7lQQF4=
+github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
-github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
+github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
 github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
 github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
 github.com/libdns/cloudflare v0.1.1 h1:FVPfWwP8zZCqj268LZjmkDleXlHPlFU9KC4OJ3yn054=
@@ -115,45 +70,32 @@ github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
 github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
-github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
-github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
-github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
-github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa h1:9mcjV+RGZVC3reJBNDjjNPyS8PmFG97zq56X7WNaFO4=
-github.com/metacubex/tfo-go v0.0.0-20241006021335-daedaf0ca7aa/go.mod h1:4tLB5c8U0CxpkFM+AJJB77jEaVDbLH5XQvy42vAGsWw=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/metacubex/tfo-go v0.0.0-20241231083714-66613d49c422 h1:zGeQt3UyNydIVrMRB97AA5WsYEau/TyCnRtTf1yUmJY=
+github.com/metacubex/tfo-go v0.0.0-20241231083714-66613d49c422/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
-github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
-github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
-github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
-github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
-github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
-github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g=
-github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
-github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
-github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
+github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss=
+github.com/onsi/ginkgo/v2 v2.9.7/go.mod h1:cxrmXWykAwTwhQsJOPfdIDiJ+l2RYq7U8hFU+M/1uw0=
+github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
+github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
-github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
-github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
 github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
 github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
-github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1 h1:qi+ijeREa0yfAaO+NOcZ81gv4uzOfALUIdhkiIFvmG4=
 github.com/sagernet/asc-go v0.0.0-20241217030726-d563060fe4e1/go.mod h1:JULDuzTMn2gyZFcjpTVZP4/UuwAdbHJ0bum2RdjXojU=
 github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a h1:+NkI2670SQpQWvkkD2QgdTuzQG263YZ+2emfpeyGqW0=
@@ -172,31 +114,31 @@ github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZN
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
-github.com/sagernet/quic-go v0.48.2-beta.1 h1:W0plrLWa1XtOWDTdX3CJwxmQuxkya12nN5BRGZ87kEg=
-github.com/sagernet/quic-go v0.48.2-beta.1/go.mod h1:1WgdDIVD1Gybp40JTWketeSfKA/+or9YMLaG5VeTk4k=
+github.com/sagernet/quic-go v0.49.0-beta.1 h1:3LdoCzVVfYRibZns1tYWSIoB65fpTmrwy+yfK8DQ8Jk=
+github.com/sagernet/quic-go v0.49.0-beta.1/go.mod h1:uesWD1Ihrldq1M3XtjuEvIUqi8WHNsRs71b3Lt1+p/U=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.6.0-beta.12 h1:2DnTJcvypK3/PM/8JjmgG8wVK48gdcpRwU98c4J/a7s=
-github.com/sagernet/sing v0.6.0-beta.12/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
-github.com/sagernet/sing-mux v0.3.0-alpha.1 h1:IgNX5bJBpL41gGbp05pdDOvh/b5eUQ6cv9240+Ngipg=
-github.com/sagernet/sing-mux v0.3.0-alpha.1/go.mod h1:FTcImmdfW38Lz7b+HQ+mxxOth1lz4ao8uEnz+MwIJQE=
-github.com/sagernet/sing-quic v0.4.0-beta.4 h1:kKiMLGaxvVLDCSvCMYo4PtWd1xU6FTL7xvUAQfXO09g=
-github.com/sagernet/sing-quic v0.4.0-beta.4/go.mod h1:1UNObFodd8CnS3aCT53x9cigjPSCl3P//8dfBMCwBDM=
+github.com/sagernet/sing v0.6.3 h1:J1spMc6LMlqUvRjWjvNMAcbvACDneqxB9zxfLuS0UTE=
+github.com/sagernet/sing v0.6.3/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing-dns v0.4.0 h1:+mNoOuR3nljjouCH+qMg4zHI1+R9T2ReblGFkZPEndc=
+github.com/sagernet/sing-dns v0.4.0/go.mod h1:dweQs54ng2YGzoJfz+F9dGuDNdP5pJ3PLeggnK5VWc8=
+github.com/sagernet/sing-mux v0.3.1 h1:kvCc8HyGAskDHDQ0yQvoTi/7J4cZPB/VJMsAM3MmdQI=
+github.com/sagernet/sing-mux v0.3.1/go.mod h1:Mkdz8LnDstthz0HWuA/5foncnDIdcNN5KZ6AdJX+x78=
+github.com/sagernet/sing-quic v0.4.0 h1:E4geazHk/UrJTXMlT+CBCKmn8V86RhtNeczWtfeoEFc=
+github.com/sagernet/sing-quic v0.4.0/go.mod h1:c+CytOEyeN20KCTFIP8YQUkNDVFLSzjrEPqP7Hlnxys=
 github.com/sagernet/sing-shadowsocks v0.2.7 h1:zaopR1tbHEw5Nk6FAkM05wCslV6ahVegEZaKMv9ipx8=
 github.com/sagernet/sing-shadowsocks v0.2.7/go.mod h1:0rIKJZBR65Qi0zwdKezt4s57y/Tl1ofkaq6NlkzVuyE=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
-github.com/sagernet/sing-shadowtls v0.2.0-alpha.2 h1:RPrpgAdkP5td0vLfS5ldvYosFjSsZtRPxiyLV6jyKg0=
-github.com/sagernet/sing-shadowtls v0.2.0-alpha.2/go.mod h1:0j5XlzKxaWRIEjc1uiSKmVoWb0k+L9QgZVb876+thZA=
-github.com/sagernet/sing-tun v0.6.0-beta.8 h1:GFNt/w8r1v30zC/hfCytk8C9+N/f1DfvosFXJkyJlrw=
-github.com/sagernet/sing-tun v0.6.0-beta.8/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
-github.com/sagernet/sing-vmess v0.2.0-beta.2 h1:obAkAL35X7ql4RnGzDg4dBYIRpGXRKqcN4LyLZpZGSs=
-github.com/sagernet/sing-vmess v0.2.0-beta.2/go.mod h1:HGhf9XUdeE2iOWrX0hQNFgXPbKyGlzpeYFyX0c/pykk=
+github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
+github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
+github.com/sagernet/sing-tun v0.6.1 h1:4l0+gnEKcGjlWfUVTD+W0BRApqIny/lU2ZliurE+VMo=
+github.com/sagernet/sing-tun v0.6.1/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-vmess v0.2.0 h1:pCMGUXN2k7RpikQV65/rtXtDHzb190foTfF9IGTMZrI=
+github.com/sagernet/sing-vmess v0.2.0/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo=
-github.com/sagernet/tailscale v0.0.0-20241203114627-8b68177dbcc1 h1:7KzocP8ewushqpf/zsgt3LnSevK5IPNPorb/lfT6RYY=
-github.com/sagernet/tailscale v0.0.0-20241203114627-8b68177dbcc1/go.mod h1:xIn0nkXVWp45voGMMzAXvgzwsQ+2CGCiTt9LkHONbSE=
 github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8=
 github.com/sagernet/utls v1.6.7/go.mod h1:Uua1TKO/FFuAhLr9rkaVnnrTmmiItzDjv1BUb2+ERwM=
 github.com/sagernet/wireguard-go v0.0.1-beta.5 h1:aBEsxJUMEONwOZqKPIkuAcv4zJV5p6XlzEN04CF0FXc=
@@ -208,36 +150,14 @@ github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3k
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
-github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 h1:rXZGgEa+k2vJM8xT0PoSKfVXwFGPQ3z3CJfmnHJkZZw=
-github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
-github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
-github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
-github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
-github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
-github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
+github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -245,47 +165,36 @@ github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvv
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
 golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
 golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
@@ -295,23 +204,21 @@ golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
-golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
 google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
 google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -320,5 +227,3 @@ howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
 howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
-software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
-software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
--- a/include/dhcp.go
+++ b/include/dhcp.go
@@ -2,11 +2,4 @@

 package include

-import (
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/dhcp"
-)
-
-func registerDHCPTransport(registry *dns.TransportRegistry) {
-	dhcp.RegisterTransport(registry)
-}
+import _ "github.com/sagernet/sing-box/transport/dhcp"
--- a/include/dhcp_stub.go
+++ b/include/dhcp_stub.go
@@ -3,18 +3,12 @@
 package include

 import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func registerDHCPTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.DHCPDNSServerOptions](registry, C.DNSTypeDHCP, func(ctx context.Context, logger log.ContextLogger, tag string, options option.DHCPDNSServerOptions) (adapter.DNSTransport, error) {
+func init() {
+	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return nil, E.New(`DHCP is not included in this build, rebuild with -tags with_dhcp`)
 	})
 }
--- a/include/quic.go
+++ b/include/quic.go
@@ -5,13 +5,12 @@ package include
 import (
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport/quic"
 	"github.com/sagernet/sing-box/protocol/hysteria"
 	"github.com/sagernet/sing-box/protocol/hysteria2"
 	_ "github.com/sagernet/sing-box/protocol/naive/quic"
 	"github.com/sagernet/sing-box/protocol/tuic"
 	_ "github.com/sagernet/sing-box/transport/v2rayquic"
+	_ "github.com/sagernet/sing-dns/quic"
 )

 func registerQUICInbounds(registry *inbound.Registry) {
@@ -25,8 +24,3 @@ func registerQUICOutbounds(registry *outbound.Registry) {
 	tuic.RegisterOutbound(registry)
 	hysteria2.RegisterOutbound(registry)
 }
-
-func registerQUICTransports(registry *dns.TransportRegistry) {
-	quic.RegisterTransport(registry)
-	quic.RegisterHTTP3Transport(registry)
-}
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@@ -13,17 +13,20 @@ import (
 	"github.com/sagernet/sing-box/common/listener"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/protocol/naive"
 	"github.com/sagernet/sing-box/transport/v2ray"
+	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )

 func init() {
+	dns.RegisterTransport([]string{"quic", "h3"}, func(options dns.TransportOptions) (dns.Transport, error) {
+		return nil, C.ErrQUICNotIncluded
+	})
 	v2ray.RegisterQUICConstructor(
 		func(ctx context.Context, logger logger.ContextLogger, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler adapter.V2RayServerTransportHandler) (adapter.V2RayServerTransport, error) {
 			return nil, C.ErrQUICNotIncluded
@@ -60,12 +63,3 @@ func registerQUICOutbounds(registry *outbound.Registry) {
 		return nil, C.ErrQUICNotIncluded
 	})
 }
-
-func registerQUICTransports(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeQUIC, func(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
-		return nil, C.ErrQUICNotIncluded
-	})
-	dns.RegisterTransport[option.RemoteHTTPSDNSServerOptions](registry, C.DNSTypeHTTP3, func(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
-		return nil, C.ErrQUICNotIncluded
-	})
-}
--- a/include/registry.go
+++ b/include/registry.go
@@ -8,15 +8,11 @@ import (
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/dns/transport"
-	"github.com/sagernet/sing-box/dns/transport/fakeip"
-	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/protocol/block"
 	"github.com/sagernet/sing-box/protocol/direct"
-	protocolDNS "github.com/sagernet/sing-box/protocol/dns"
+	"github.com/sagernet/sing-box/protocol/dns"
 	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing-box/protocol/http"
 	"github.com/sagernet/sing-box/protocol/mixed"
@@ -65,7 +61,7 @@ func OutboundRegistry() *outbound.Registry {
 	direct.RegisterOutbound(registry)

 	block.RegisterOutbound(registry)
-	protocolDNS.RegisterOutbound(registry)
+	dns.RegisterOutbound(registry)

 	group.RegisterSelector(registry)
 	group.RegisterURLTest(registry)
@@ -91,25 +87,6 @@ func EndpointRegistry() *endpoint.Registry {
 	registry := endpoint.NewRegistry()

 	registerWireGuardEndpoint(registry)
-	registerTailscaleEndpoint(registry)
-
-	return registry
-}
-
-func DNSTransportRegistry() *dns.TransportRegistry {
-	registry := dns.NewTransportRegistry()
-
-	transport.RegisterTCP(registry)
-	transport.RegisterUDP(registry)
-	transport.RegisterTLS(registry)
-	transport.RegisterHTTPS(registry)
-	transport.RegisterPredefined(registry)
-	local.RegisterTransport(registry)
-	fakeip.RegisterTransport(registry)
-
-	registerQUICTransports(registry)
-	registerDHCPTransport(registry)
-	registerTailscaleTransport(registry)

 	return registry
 }
--- a/include/tailscale.go
+++ b/include/tailscale.go
@@ -1,17 +0,0 @@
-//go:build with_tailscale
-
-package include
-
-import (
-	"github.com/sagernet/sing-box/adapter/endpoint"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/protocol/tailscale"
-)
-
-func registerTailscaleEndpoint(registry *endpoint.Registry) {
-	tailscale.RegisterEndpoint(registry)
-}
-
-func registerTailscaleTransport(registry *dns.TransportRegistry) {
-	tailscale.RegistryTransport(registry)
-}
--- a/include/tailscale_stub.go
+++ b/include/tailscale_stub.go
@@ -1,27 +0,0 @@
-//go:build !with_tailscale
-
-package include
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/adapter/endpoint"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func registerTailscaleEndpoint(registry *endpoint.Registry) {
-	endpoint.Register[option.TailscaleEndpointOptions](registry, C.TypeTailscale, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TailscaleEndpointOptions) (adapter.Endpoint, error) {
-		return nil, E.New(`Tailscale is not included in this build, rebuild with -tags with_tailscale`)
-	})
-}
-
-func registerTailscaleTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport[option.TailscaleDNSServerOptions](registry, C.DNSTypeTailscale, func(ctx context.Context, logger log.ContextLogger, tag string, options option.TailscaleDNSServerOptions) (adapter.DNSTransport, error) {
-		return nil, E.New(`Tailscale is not included in this build, rebuild with -tags with_tailscale`)
-	})
-}
--- a/option/dns.go
+++ b/option/dns.go
@@ -1,52 +1,29 @@
 package option

 import (
-	"context"
 	"net/netip"
-	"net/url"

-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/service"
-
-	"github.com/miekg/dns"
 )

-type RawDNSOptions struct {
-	Servers        []NewDNSServerOptions `json:"servers,omitempty"`
-	Rules          []DNSRule             `json:"rules,omitempty"`
-	Final          string                `json:"final,omitempty"`
-	ReverseMapping bool                  `json:"reverse_mapping,omitempty"`
+type DNSOptions struct {
+	Servers        []DNSServerOptions `json:"servers,omitempty"`
+	Rules          []DNSRule          `json:"rules,omitempty"`
+	Final          string             `json:"final,omitempty"`
+	ReverseMapping bool               `json:"reverse_mapping,omitempty"`
+	FakeIP         *DNSFakeIPOptions  `json:"fakeip,omitempty"`
 	DNSClientOptions
 }

-type LegacyDNSOptions struct {
-	FakeIP *LegacyDNSFakeIPOptions `json:"fakeip,omitempty"`
-}
-
-type DNSOptions struct {
-	RawDNSOptions
-	LegacyDNSOptions
-}
-
-func (o *DNSOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
-	err := json.UnmarshalContext(ctx, content, &o.LegacyDNSOptions)
-	if err != nil {
-		return err
-	}
-	if o.FakeIP != nil && o.FakeIP.Enabled {
-		deprecated.Report(ctx, deprecated.OptionLegacyDNSFakeIPOptions)
-		ctx = context.WithValue(ctx, (*LegacyDNSFakeIPOptions)(nil), o.FakeIP)
-	}
-	legacyOptions := o.LegacyDNSOptions
-	o.LegacyDNSOptions = LegacyDNSOptions{}
-	return badjson.UnmarshallExcludedContext(ctx, content, legacyOptions, &o.RawDNSOptions)
+type DNSServerOptions struct {
+	Tag                  string                `json:"tag,omitempty"`
+	Address              string                `json:"address"`
+	AddressResolver      string                `json:"address_resolver,omitempty"`
+	AddressStrategy      DomainStrategy        `json:"address_strategy,omitempty"`
+	AddressFallbackDelay badoption.Duration    `json:"address_fallback_delay,omitempty"`
+	Strategy             DomainStrategy        `json:"strategy,omitempty"`
+	Detour               string                `json:"detour,omitempty"`
+	ClientSubnet         *badoption.Prefixable `json:"client_subnet,omitempty"`
 }

 type DNSClientOptions struct {
@@ -58,241 +35,8 @@ type DNSClientOptions struct {
 	ClientSubnet     *badoption.Prefixable `json:"client_subnet,omitempty"`
 }

-type LegacyDNSFakeIPOptions struct {
-	Enabled    bool              `json:"enabled,omitempty"`
-	Inet4Range *badoption.Prefix `json:"inet4_range,omitempty"`
-	Inet6Range *badoption.Prefix `json:"inet6_range,omitempty"`
-}
-
-type DNSTransportOptionsRegistry interface {
-	CreateOptions(transportType string) (any, bool)
-}
-
-type _NewDNSServerOptions struct {
-	Type    string `json:"type,omitempty"`
-	Tag     string `json:"tag,omitempty"`
-	Options any    `json:"-"`
-}
-
-type NewDNSServerOptions _NewDNSServerOptions
-
-func (o *NewDNSServerOptions) MarshalJSONContext(ctx context.Context) ([]byte, error) {
-	return badjson.MarshallObjectsContext(ctx, (*_NewDNSServerOptions)(o), o.Options)
-}
-
-func (o *NewDNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
-	err := json.UnmarshalContext(ctx, content, (*_NewDNSServerOptions)(o))
-	if err != nil {
-		return err
-	}
-	registry := service.FromContext[DNSTransportOptionsRegistry](ctx)
-	if registry == nil {
-		return E.New("missing outbound options registry in context")
-	}
-	var options any
-	switch o.Type {
-	case "", C.DNSTypeLegacy:
-		o.Type = C.DNSTypeLegacy
-		options = new(LegacyDNSServerOptions)
-		deprecated.Report(ctx, deprecated.OptionLegacyDNSTransport)
-	default:
-		var loaded bool
-		options, loaded = registry.CreateOptions(o.Type)
-		if !loaded {
-			return E.New("unknown transport type: ", o.Type)
-		}
-	}
-	err = badjson.UnmarshallExcludedContext(ctx, content, (*_Outbound)(o), options)
-	if err != nil {
-		return err
-	}
-	o.Options = options
-	if o.Type == C.DNSTypeLegacy {
-		err = o.Upgrade(ctx)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (o *NewDNSServerOptions) Upgrade(ctx context.Context) error {
-	if o.Type != C.DNSTypeLegacy {
-		return nil
-	}
-	options := o.Options.(*LegacyDNSServerOptions)
-	serverURL, _ := url.Parse(options.Address)
-	var serverType string
-	if serverURL.Scheme != "" {
-		serverType = serverURL.Scheme
-	} else {
-		serverType = C.DNSTypeUDP
-	}
-	remoteOptions := RemoteDNSServerOptions{
-		LocalDNSServerOptions: LocalDNSServerOptions{
-			DialerOptions: DialerOptions{
-				Detour: options.Detour,
-			},
-			LegacyStrategy:      options.Strategy,
-			LegacyDefaultDialer: options.Detour == "",
-			LegacyClientSubnet:  options.ClientSubnet.Build(netip.Prefix{}),
-		},
-		AddressResolver:      options.AddressResolver,
-		AddressStrategy:      options.AddressStrategy,
-		AddressFallbackDelay: options.AddressFallbackDelay,
-	}
-	switch serverType {
-	case C.DNSTypeUDP:
-		o.Type = C.DNSTypeUDP
-		o.Options = &remoteOptions
-		var serverAddr M.Socksaddr
-		if serverURL.Scheme == "" {
-			serverAddr = M.ParseSocksaddr(options.Address)
-		} else {
-			serverAddr = M.ParseSocksaddr(serverURL.Host)
-		}
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		remoteOptions.Server = serverAddr.Addr.String()
-		if serverAddr.Port != 0 && serverAddr.Port != 53 {
-			remoteOptions.ServerPort = serverAddr.Port
-		}
-	case C.DNSTypeTCP:
-		o.Type = C.DNSTypeTCP
-		o.Options = &remoteOptions
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		remoteOptions.Server = serverAddr.Addr.String()
-		if serverAddr.Port != 0 && serverAddr.Port != 53 {
-			remoteOptions.ServerPort = serverAddr.Port
-		}
-	case C.DNSTypeTLS, C.DNSTypeQUIC:
-		o.Type = serverType
-		tlsOptions := RemoteTLSDNSServerOptions{
-			RemoteDNSServerOptions: remoteOptions,
-		}
-		o.Options = &tlsOptions
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		tlsOptions.Server = serverAddr.Addr.String()
-		if serverAddr.Port != 0 && serverAddr.Port != 853 {
-			tlsOptions.ServerPort = serverAddr.Port
-		}
-	case C.DNSTypeHTTPS, C.DNSTypeHTTP3:
-		o.Type = serverType
-		httpsOptions := RemoteHTTPSDNSServerOptions{
-			RemoteTLSDNSServerOptions: RemoteTLSDNSServerOptions{
-				RemoteDNSServerOptions: remoteOptions,
-			},
-		}
-		o.Options = &httpsOptions
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		httpsOptions.Server = serverAddr.Addr.String()
-		if serverAddr.Port != 0 && serverAddr.Port != 443 {
-			httpsOptions.ServerPort = serverAddr.Port
-		}
-		if serverURL.Path != "/dns-query" {
-			httpsOptions.Path = serverURL.Path
-		}
-	case "rcode":
-		var rcode int
-		switch serverURL.Host {
-		case "success":
-			rcode = dns.RcodeSuccess
-		case "format_error":
-			rcode = dns.RcodeFormatError
-		case "server_failure":
-			rcode = dns.RcodeServerFailure
-		case "name_error":
-			rcode = dns.RcodeNameError
-		case "not_implemented":
-			rcode = dns.RcodeNotImplemented
-		case "refused":
-			rcode = dns.RcodeRefused
-		default:
-			return E.New("unknown rcode: ", serverURL.Host)
-		}
-		o.Type = C.DNSTypePreDefined
-		o.Options = &PredefinedDNSServerOptions{
-			Responses: []DNSResponseOptions{
-				{
-					RCode: common.Ptr(DNSRCode(rcode)),
-				},
-			},
-		}
-	case "dhcp":
-		o.Type = C.DNSTypeDHCP
-		dhcpOptions := DHCPDNSServerOptions{}
-		if serverURL.Host != "" && serverURL.Host != "auto" {
-			dhcpOptions.Interface = serverURL.Host
-		}
-		o.Options = &dhcpOptions
-	case "fakeip":
-		o.Type = C.DNSTypeFakeIP
-		fakeipOptions := FakeIPDNSServerOptions{}
-		if legacyOptions, loaded := ctx.Value((*LegacyDNSFakeIPOptions)(nil)).(*LegacyDNSFakeIPOptions); loaded {
-			fakeipOptions.Inet4Range = legacyOptions.Inet4Range
-			fakeipOptions.Inet6Range = legacyOptions.Inet6Range
-		}
-		o.Options = &fakeipOptions
-	default:
-		return E.New("unsupported DNS server scheme: ", serverType)
-	}
-	return nil
-}
-
-type LegacyDNSServerOptions struct {
-	Address              string                `json:"address"`
-	AddressResolver      string                `json:"address_resolver,omitempty"`
-	AddressStrategy      DomainStrategy        `json:"address_strategy,omitempty"`
-	AddressFallbackDelay badoption.Duration    `json:"address_fallback_delay,omitempty"`
-	Strategy             DomainStrategy        `json:"strategy,omitempty"`
-	Detour               string                `json:"detour,omitempty"`
-	ClientSubnet         *badoption.Prefixable `json:"client_subnet,omitempty"`
-}
-
-type LocalDNSServerOptions struct {
-	DialerOptions
-	LegacyStrategy      DomainStrategy `json:"-"`
-	LegacyDefaultDialer bool           `json:"-"`
-	LegacyClientSubnet  netip.Prefix   `json:"-"`
-}
-
-type RemoteDNSServerOptions struct {
-	LocalDNSServerOptions
-	ServerOptions
-	AddressResolver      string             `json:"address_resolver,omitempty"`
-	AddressStrategy      DomainStrategy     `json:"address_strategy,omitempty"`
-	AddressFallbackDelay badoption.Duration `json:"address_fallback_delay,omitempty"`
-}
-
-type RemoteTLSDNSServerOptions struct {
-	RemoteDNSServerOptions
-	OutboundTLSOptionsContainer
-}
-
-type RemoteHTTPSDNSServerOptions struct {
-	RemoteTLSDNSServerOptions
-	Host    string               `json:"host,omitempty"`
-	Path    string               `json:"path,omitempty"`
-	Method  string               `json:"method,omitempty"`
-	Headers badoption.HTTPHeader `json:"headers,omitempty"`
-}
-
-type FakeIPDNSServerOptions struct {
-	Inet4Range *badoption.Prefix `json:"inet4_range,omitempty"`
-	Inet6Range *badoption.Prefix `json:"inet6_range,omitempty"`
-}
-
-type DHCPDNSServerOptions struct {
-	LocalDNSServerOptions
-	Interface string `json:"interface,omitempty"`
+type DNSFakeIPOptions struct {
+	Enabled    bool          `json:"enabled,omitempty"`
+	Inet4Range *netip.Prefix `json:"inet4_range,omitempty"`
+	Inet6Range *netip.Prefix `json:"inet6_range,omitempty"`
 }
--- a/option/dns_record.go
+++ b/option/dns_record.go
@@ -1,154 +0,0 @@
-package option
-
-import (
-	"encoding/base64"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/json"
-	"github.com/sagernet/sing/common/json/badoption"
-
-	"github.com/miekg/dns"
-)
-
-type PredefinedDNSServerOptions struct {
-	Responses []DNSResponseOptions `json:"responses,omitempty"`
-}
-
-type DNSResponseOptions struct {
-	Query     badoption.Listable[string]       `json:"query,omitempty"`
-	QueryType badoption.Listable[DNSQueryType] `json:"query_type,omitempty"`
-
-	RCode  *DNSRCode                            `json:"rcode,omitempty"`
-	Answer badoption.Listable[DNSRecordOptions] `json:"answer,omitempty"`
-	Ns     badoption.Listable[DNSRecordOptions] `json:"ns,omitempty"`
-	Extra  badoption.Listable[DNSRecordOptions] `json:"extra,omitempty"`
-}
-
-type DNSRCode int
-
-func (r DNSRCode) MarshalJSON() ([]byte, error) {
-	rCodeValue, loaded := dns.RcodeToString[int(r)]
-	if loaded {
-		return json.Marshal(rCodeValue)
-	}
-	return json.Marshal(int(r))
-}
-
-func (r *DNSRCode) UnmarshalJSON(bytes []byte) error {
-	var intValue int
-	err := json.Unmarshal(bytes, &intValue)
-	if err == nil {
-		*r = DNSRCode(intValue)
-		return nil
-	}
-	var stringValue string
-	err = json.Unmarshal(bytes, &stringValue)
-	if err != nil {
-		return err
-	}
-	rCodeValue, loaded := dns.StringToRcode[stringValue]
-	if !loaded {
-		return E.New("unknown rcode: " + stringValue)
-	}
-	*r = DNSRCode(rCodeValue)
-	return nil
-}
-
-func (r *DNSRCode) Build() int {
-	if r == nil {
-		return dns.RcodeSuccess
-	}
-	return int(*r)
-}
-
-func (o DNSResponseOptions) Build() ([]dns.Question, *dns.Msg, error) {
-	var questions []dns.Question
-	if len(o.Query) == 0 && len(o.QueryType) == 0 {
-		questions = []dns.Question{{Qclass: dns.ClassINET}}
-	} else if len(o.Query) == 0 {
-		for _, queryType := range o.QueryType {
-			questions = append(questions, dns.Question{
-				Qtype:  uint16(queryType),
-				Qclass: dns.ClassINET,
-			})
-		}
-	} else if len(o.QueryType) == 0 {
-		for _, domain := range o.Query {
-			questions = append(questions, dns.Question{
-				Name:   dns.Fqdn(domain),
-				Qclass: dns.ClassINET,
-			})
-		}
-	} else {
-		for _, queryType := range o.QueryType {
-			for _, domain := range o.Query {
-				questions = append(questions, dns.Question{
-					Name:   dns.Fqdn(domain),
-					Qtype:  uint16(queryType),
-					Qclass: dns.ClassINET,
-				})
-			}
-		}
-	}
-	return questions, &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Response: true,
-			Rcode:    o.RCode.Build(),
-		},
-		Answer: common.Map(o.Answer, DNSRecordOptions.build),
-		Ns:     common.Map(o.Ns, DNSRecordOptions.build),
-		Extra:  common.Map(o.Extra, DNSRecordOptions.build),
-	}, nil
-}
-
-type DNSRecordOptions struct {
-	dns.RR
-	fromBase64 bool
-}
-
-func (o DNSRecordOptions) MarshalJSON() ([]byte, error) {
-	if o.fromBase64 {
-		buffer := buf.Get(dns.Len(o.RR))
-		defer buf.Put(buffer)
-		offset, err := dns.PackRR(o.RR, buffer, 0, nil, false)
-		if err != nil {
-			return nil, err
-		}
-		return json.Marshal(base64.StdEncoding.EncodeToString(buffer[:offset]))
-	}
-	return json.Marshal(o.RR.String())
-}
-
-func (o *DNSRecordOptions) UnmarshalJSON(data []byte) error {
-	var stringValue string
-	err := json.Unmarshal(data, &stringValue)
-	if err != nil {
-		return err
-	}
-	binary, err := base64.StdEncoding.DecodeString(stringValue)
-	if err == nil {
-		return o.unmarshalBase64(binary)
-	}
-	record, err := dns.NewRR(stringValue)
-	if err != nil {
-		return err
-	}
-	o.RR = record
-	return nil
-}
-
-func (o *DNSRecordOptions) unmarshalBase64(binary []byte) error {
-	record, _, err := dns.UnpackRR(binary, 0)
-	if err != nil {
-		return E.New("parse binary DNS record")
-	}
-	o.RR = record
-	o.fromBase64 = true
-	return nil
-}
-
-func (o DNSRecordOptions) build() dns.RR {
-	return o.RR
-}
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -77,7 +77,6 @@ type DialerOptions struct {
 	TCPMultiPath        bool                              `json:"tcp_multi_path,omitempty"`
 	UDPFragment         *bool                             `json:"udp_fragment,omitempty"`
 	UDPFragmentDefault  bool                              `json:"-"`
-	DomainResolver      string                            `json:"domain_resolver,omitempty"`
 	DomainStrategy      DomainStrategy                    `json:"domain_strategy,omitempty"`
 	NetworkStrategy     *NetworkStrategy                  `json:"network_strategy,omitempty"`
 	NetworkType         badoption.Listable[InterfaceType] `json:"network_type,omitempty"`
@@ -108,10 +107,6 @@ func (o ServerOptions) Build() M.Socksaddr {
 	return M.ParseSocksaddrHostPort(o.Server, o.ServerPort)
 }

-func (o ServerOptions) ServerIsDomain() bool {
-	return M.IsDomainName(o.Server)
-}
-
 func (o *ServerOptions) TakeServerOptions() ServerOptions {
 	return *o
 }
--- a/option/rule_action.go
+++ b/option/rule_action.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -224,7 +225,7 @@ func (d DirectActionOptions) Descriptions() []string {
 	if d.UDPFragment != nil {
 		descriptions = append(descriptions, "udp_fragment="+fmt.Sprint(*d.UDPFragment))
 	}
-	if d.DomainStrategy != DomainStrategy(C.DomainStrategyAsIS) {
+	if d.DomainStrategy != DomainStrategy(dns.DomainStrategyAsIS) {
 		descriptions = append(descriptions, "domain_strategy="+d.DomainStrategy.String())
 	}
 	if d.FallbackDelay != 0 {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	8e2baf40f1	Bump version	2025-03-11 20:18:34 +08:00
世界	c24c40dfee	platform: Fix android start	2025-03-11 20:18:34 +08:00
世界	32e52ce1ed	Fix udp nat for fakeip	2025-03-11 19:09:27 +08:00
世界	ed46438359	release: Use nightly goreleaser to fix rpm bug	2025-03-11 13:29:08 +08:00
世界	0b5490d5a3	Fix resolve domain for WireGuard	2025-03-11 12:02:25 +08:00
Tal Rasha	2d73ef511d	Fix grpclite memory leak Co-authored-by: talrasha007 <talrasha007@gmail.om>	2025-03-10 14:48:02 +08:00
Mahdi	63e6c85f6f	Fix shadowsocks UoT	2025-03-10 14:47:59 +08:00
世界	8946a6d2d0	release: Use latest goreleaser	2025-03-09 15:27:04 +08:00
世界	d3132645fb	documentation: Fix description of the UoT protocol	2025-03-09 15:26:42 +08:00
世界	373f158fe0	Fix download external ui with query params	2025-03-09 15:26:36 +08:00
世界	ce36835fab	Fix override destination	2025-03-09 15:25:06 +08:00
世界	619fa671d7	Skip binding to the default interface as it will fail on some Android devices	2025-02-26 07:25:35 +08:00
世界	eb07c7a79e	Bump version	2025-02-24 07:27:55 +08:00
Gavin Luo	7eb3535094	release: Fix systemd permissions	2025-02-24 07:27:55 +08:00
世界	93b68312cf	platform: Add update WIFI state func	2025-02-23 08:35:30 +08:00
世界	97ce666e43	Fix http.FileServer short write	2025-02-23 08:35:30 +08:00
世界	4000e1e66d	release: Fix update android version	2025-02-23 08:35:30 +08:00
世界	270740e859	Fix crash on route address set update	2025-02-23 08:35:30 +08:00
世界	6cad142cfe	Bump Go to go1.24	2025-02-23 08:35:30 +08:00
世界	093013687c	Fix sniff QUIC hidden in three or more packets	2025-02-18 18:14:59 +08:00
世界	ff31c469a0	Override version	2025-02-11 15:55:15 +08:00
世界	fbe390268c	Bump version	2025-02-11 01:32:14 +08:00
世界	07ac01dcb7	platform: Update NDK to r28	2025-02-11 01:32:14 +08:00
ReleTor	badfdb62cd	documentation: Fixes	2025-02-11 01:32:14 +08:00
printfer	986a410b30	documentation: Fix migration links	2025-02-11 01:32:14 +08:00
世界	9db2d58545	Fix override address	2025-02-11 01:32:14 +08:00
世界	4eed46ac59	Fix respond ICMP echo	2025-02-10 15:12:10 +08:00
世界	abc38d1dab	Fix udpnat2 crash	2025-02-10 15:11:26 +08:00
世界	8d6c4f1289	release: Skip testflight when another build in review	2025-02-06 12:02:47 +08:00
世界	a2d40eb8b8	Fix override UDP destination	2025-02-06 11:20:35 +08:00
世界	17b502bb4b	Update dependencies	2025-02-06 09:08:52 +08:00
世界	a0d4421085	Update quic-go to v0.49.0	2025-02-06 08:50:21 +08:00
世界	0d443072d1	Fix panic in auto-redirect initialize	2025-02-06 08:49:25 +08:00
世界	c9fb99b799	Fix missing ENOTCONN in IsClosed check	2025-02-06 08:48:49 +08:00
世界	92d245ad04	Bump version	2025-02-05 09:59:52 +08:00
世界	0908627297	Fix crash on remote rule-set stop	2025-02-05 08:58:10 +08:00
世界	7f79458b4f	Minor updates	2025-02-01 19:49:33 +08:00
世界	9b4c11ba95	Fix rule-set not closed	2025-02-01 19:49:33 +08:00
世界	27c31eac5d	Fix local rule-set not updated	2025-02-01 19:42:21 +08:00
世界	bab8dc0b82	Fix missing handshake for early conn	2025-01-31 12:57:35 +08:00
世界	d09d2fb665	Bump version	2025-01-30 15:09:54 +08:00
世界	e64cf3b7df	Do not set address sets to routes on Apple platforms Network Extension was observed to stop for unknown reasons	2025-01-27 13:40:39 +08:00
世界	9b73222314	documentation: Bump version	2025-01-27 10:53:14 +08:00
世界	3923b57abf	release: Update NDK to r28-beta3	2025-01-27 10:53:14 +08:00
世界	4807e64609	documentation: Fix typo	2025-01-27 10:04:07 +08:00
世界	eeb37d89f1	Fix rule-set upgrade command	2025-01-27 09:50:27 +08:00
世界	08c1ec4b7e	Fix legacy routes	2025-01-27 09:50:27 +08:00
HystericalDragon	6b4cf67add	Fix endpoints not close	2025-01-27 09:50:27 +08:00
世界	e65926fd08	Fix tests	2025-01-13 15:14:30 +08:00
世界	f2ec319fe1	Fix system time	2025-01-13 15:14:30 +08:00
世界	32377a61b7	Add port hopping for hysteria2	2025-01-13 15:14:30 +08:00
世界	7aac801ccd	tun: Set address sets to routes	2025-01-13 15:14:30 +08:00
世界	96fdf59ee4	Fix default dialer on legacy xiaomi systems	2025-01-13 15:14:30 +08:00
世界	50b8f3ab94	Add `rule-set merge` command	2025-01-13 15:14:30 +08:00
世界	ff7aaf977b	Fix DNS match	2025-01-13 15:14:30 +08:00
世界	9a1efbe54d	Fix domain strategy	2025-01-13 15:14:30 +08:00
世界	906c21f458	Fix time service	2025-01-13 15:14:30 +08:00
世界	d5e7af7a7e	Fix socks5 UDP implementation	2025-01-13 15:14:30 +08:00
世界	4d41f03bd5	clash-api: Fix missing endpoints	2025-01-13 15:14:30 +08:00
世界	30704a15a7	hysteria2: Add more masquerade options	2025-01-13 15:14:30 +08:00
世界	83889178ed	Improve timeouts	2025-01-13 15:14:30 +08:00
世界	1d2720bf5e	Add UDP timeout route option	2025-01-13 15:14:30 +08:00
世界	c4b6d0eadb	Make GSO adaptive	2025-01-13 15:14:30 +08:00
世界	0c66888691	Fix lint	2025-01-13 15:14:30 +08:00
世界	68781387fe	refactor: WireGuard endpoint	2025-01-13 15:14:30 +08:00
世界	fd299a0961	refactor: connection manager	2025-01-13 15:14:30 +08:00
世界	285a82050c	documentation: Fix typo	2025-01-13 15:14:30 +08:00
世界	2dbb8c55c9	Add override destination to route options	2025-01-13 15:14:30 +08:00
世界	effcf39469	Add `dns.cache_capacity`	2025-01-13 15:14:30 +08:00
世界	9db9484863	Refactor multi networks strategy	2025-01-13 15:14:30 +08:00
世界	ca813f461b	documentation: Remove unused titles	2025-01-13 15:14:30 +08:00
世界	bb46cdb2b3	Add multi network dialing	2025-01-13 15:14:30 +08:00
世界	dcb10c21a1	documentation: Merge route options to route actions	2025-01-13 15:14:29 +08:00
世界	05ea0ca00e	Add `network_[type/is_expensive/is_constrained]` rule items	2025-01-13 15:14:29 +08:00
世界	c098f282b1	Merge route options to route actions	2025-01-13 15:14:29 +08:00
世界	ecf82d197c	refactor: Platform Interfaces	2025-01-13 15:14:29 +08:00
世界	9afe75586a	refactor: Extract services form router	2025-01-13 15:14:29 +08:00
世界	a1be455202	refactor: Modular network manager	2025-01-13 15:14:29 +08:00
世界	19fb214226	refactor: Modular inbound/outbound manager	2025-01-13 15:14:29 +08:00
世界	28ec898a8c	documentation: Add rule action	2025-01-13 15:14:29 +08:00
世界	467b1bbeeb	documentation: Update the scheduled removal time of deprecated features	2025-01-13 15:14:29 +08:00
世界	02ab8ce806	documentation: Remove outdated icons	2025-01-13 15:14:29 +08:00
世界	ce69e620e9	Migrate bad options to library	2025-01-13 15:14:29 +08:00
世界	1133cf3ef5	Implement udp connect	2025-01-13 15:14:29 +08:00
世界	59a607e303	Implement new deprecated warnings	2025-01-13 15:14:29 +08:00
世界	313be3d7a4	Improve rule actions	2025-01-13 15:14:29 +08:00
世界	4fe40fcee0	Remove unused reject methods	2025-01-13 15:14:29 +08:00
世界	e233fd4fe5	refactor: Modular inbounds/outbounds	2025-01-13 15:14:29 +08:00
世界	9f7683818f	Implement dns-hijack	2025-01-13 15:14:29 +08:00
世界	179e3cb2f5	Implement resolve(server)	2025-01-13 15:14:29 +08:00
世界	41b960552d	Implement TCP and ICMP rejects	2025-01-13 15:14:29 +08:00
世界	8304295c48	Crazy sekai overturns the small pond	2025-01-13 15:14:29 +08:00