dns: serialize rebuilds and keep last good rules on failure

Remove SetIncludeAllowed(true) from the DNS record zone parser.
The $INCLUDE directive allows opening arbitrary files via os.Open,
which is unnecessary and dangerous when parsing a single record string
from configuration (especially remote profiles).

Fix displayRuleIndex arithmetic in dns/router.go that computed
2*index+1 instead of the correct 0-based index. This was a
reintroduction of a bug previously fixed in be8ee370a. Both
matchDNS and logRuleMatch now use the index directly, matching
the pattern in route/route.go.

.fpm_systemd

@@ -4,6 +4,7 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
+--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes

adapter/dns.go

@@ -25,8 +25,8 @@ type DNSRouter interface {
 
 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error)
 	ClearCache()
 }
 
@@ -72,11 +72,6 @@ type DNSTransport interface {
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }
 
-type LegacyDNSTransport interface {
-	LegacyStrategy() C.DomainStrategy
-	LegacyClientSubnet() netip.Prefix
-}
-
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)

adapter/inbound.go

@@ -10,6 +10,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/miekg/dns"
 )
 
 type Inbound interface {
@@ -79,14 +81,16 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration
 
-	DestinationAddresses []netip.Addr
-	SourceGeoIPCode      string
-	GeoIPCode            string
-	ProcessInfo          *ConnectionOwner
-	SourceMACAddress     net.HardwareAddr
-	SourceHostname       string
-	QueryType            uint16
-	FakeIP               bool
+	DestinationAddresses                []netip.Addr
+	DNSResponse                         *dns.Msg
+	DestinationAddressMatchFromResponse bool
+	SourceGeoIPCode                     string
+	GeoIPCode                           string
+	ProcessInfo                         *ConnectionOwner
+	SourceMACAddress                    net.HardwareAddr
+	SourceHostname                      string
+	QueryType                           uint16
+	FakeIP                              bool
 
 	// rule cache
 
@@ -115,6 +119,46 @@ func (c *InboundContext) ResetRuleMatchCache() {
 	c.DidMatch = false
 }
 
+func (c *InboundContext) DestinationAddressesForMatch() []netip.Addr {
+	if c.DestinationAddressMatchFromResponse {
+		return DNSResponseAddresses(c.DNSResponse)
+	}
+	return c.DestinationAddresses
+}
+
+func (c *InboundContext) DNSResponseAddressesForMatch() []netip.Addr {
+	return DNSResponseAddresses(c.DNSResponse)
+}
+
+func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
+	if response == nil || response.Rcode != dns.RcodeSuccess {
+		return nil
+	}
+	addresses := make([]netip.Addr, 0, len(response.Answer))
+	for _, rawRecord := range response.Answer {
+		switch record := rawRecord.(type) {
+		case *dns.A:
+			addresses = append(addresses, M.AddrFromIP(record.A))
+		case *dns.AAAA:
+			addresses = append(addresses, M.AddrFromIP(record.AAAA))
+		case *dns.HTTPS:
+			for _, value := range record.SVCB.Value {
+				switch hint := value.(type) {
+				case *dns.SVCBIPv4Hint:
+					for _, ip := range hint.Hint {
+						addresses = append(addresses, M.AddrFromIP(ip).Unmap())
+					}
+				case *dns.SVCBIPv6Hint:
+					for _, ip := range hint.Hint {
+						addresses = append(addresses, M.AddrFromIP(ip))
+					}
+				}
+			}
+		}
+	}
+	return addresses
+}
+
 type inboundContextKey struct{}
 
 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {

adapter/inbound_test.go

@@ -0,0 +1,45 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDNSResponseAddressesUnmapsHTTPSIPv4Hints(t *testing.T) {
+	t.Parallel()
+
+	ipv4Hint := net.ParseIP("1.1.1.1")
+	require.NotNil(t, ipv4Hint)
+
+	response := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Response: true,
+			Rcode:    dns.RcodeSuccess,
+		},
+		Answer: []dns.RR{
+			&dns.HTTPS{
+				SVCB: dns.SVCB{
+					Hdr: dns.RR_Header{
+						Name:   dns.Fqdn("example.com"),
+						Rrtype: dns.TypeHTTPS,
+						Class:  dns.ClassINET,
+						Ttl:    60,
+					},
+					Priority: 1,
+					Target:   ".",
+					Value: []dns.SVCBKeyValue{
+						&dns.SVCBIPv4Hint{Hint: []net.IP{ipv4Hint}},
+					},
+				},
+			},
+		},
+	}
+
+	addresses := DNSResponseAddresses(response)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("1.1.1.1")}, addresses)
+	require.True(t, addresses[0].Is4())
+}

adapter/router.go

@@ -66,10 +66,14 @@ type RuleSet interface {
 
 type RuleSetUpdateCallback func(it RuleSet)
 
+// Rule-set metadata only exposes headless-rule capabilities that outer routers
+// need before evaluating nested matches. Headless rules do not support
+// ip_version, so there is intentionally no ContainsIPVersionRule flag here.
 type RuleSetMetadata struct {
-	ContainsProcessRule bool
-	ContainsWIFIRule    bool
-	ContainsIPCIDRRule  bool
+	ContainsProcessRule      bool
+	ContainsWIFIRule         bool
+	ContainsIPCIDRRule       bool
+	ContainsDNSQueryTypeRule bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context

adapter/rule.go

@@ -2,6 +2,8 @@ package adapter
 
 import (
 	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/miekg/dns"
 )
 
 type HeadlessRule interface {
@@ -18,8 +20,9 @@ type Rule interface {
 
 type DNSRule interface {
 	Rule
+	LegacyPreMatch(metadata *InboundContext) bool
 	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
+	MatchAddressLimit(metadata *InboundContext, response *dns.Msg) bool
 }
 
 type RuleAction interface {

box.go

@@ -486,7 +486,7 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
 	if err != nil {
 		return err
 	}

constant/dns.go

@@ -15,19 +15,18 @@ const (
 )
 
 const (
-	DNSTypeLegacy      = "legacy"
-	DNSTypeLegacyRcode = "legacy_rcode"
-	DNSTypeUDP         = "udp"
-	DNSTypeTCP         = "tcp"
-	DNSTypeTLS         = "tls"
-	DNSTypeHTTPS       = "https"
-	DNSTypeQUIC        = "quic"
-	DNSTypeHTTP3       = "h3"
-	DNSTypeLocal       = "local"
-	DNSTypeHosts       = "hosts"
-	DNSTypeFakeIP      = "fakeip"
-	DNSTypeDHCP        = "dhcp"
-	DNSTypeTailscale   = "tailscale"
+	DNSTypeLegacy    = "legacy"
+	DNSTypeUDP       = "udp"
+	DNSTypeTCP       = "tcp"
+	DNSTypeTLS       = "tls"
+	DNSTypeHTTPS     = "https"
+	DNSTypeQUIC      = "quic"
+	DNSTypeHTTP3     = "h3"
+	DNSTypeLocal     = "local"
+	DNSTypeHosts     = "hosts"
+	DNSTypeFakeIP    = "fakeip"
+	DNSTypeDHCP      = "dhcp"
+	DNSTypeTailscale = "tailscale"
 )
 
 const (

constant/rule.go

@@ -29,6 +29,7 @@ const (
 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
+	RuleActionTypeEvaluate     = "evaluate"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"

dns/client.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"strings"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -14,7 +13,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
@@ -109,7 +107,7 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }
 
-func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -239,13 +237,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
-		// TODO: add accept_any rule and support to check response instead of addresses
 		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
-			rejected = !responseChecker(MessageToAddresses(response))
+			rejected = !responseChecker(response)
 		}
 		if rejected {
 			if !disableCache && c.rdrc != nil {
@@ -315,7 +310,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	return response, nil
 }
 
-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	var strategy C.DomainStrategy
@@ -400,7 +395,7 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	}
 }
 
-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
@@ -515,25 +510,7 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }
 
 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	if response == nil || response.Rcode != dns.RcodeSuccess {
-		return nil
-	}
-	addresses := make([]netip.Addr, 0, len(response.Answer))
-	for _, rawAnswer := range response.Answer {
-		switch answer := rawAnswer.(type) {
-		case *dns.A:
-			addresses = append(addresses, M.AddrFromIP(answer.A))
-		case *dns.AAAA:
-			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
-		case *dns.HTTPS:
-			for _, value := range answer.SVCB.Value {
-				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
-					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
-				}
-			}
-		}
-	}
-	return addresses
+	return adapter.DNSResponseAddresses(response)
 }
 
 func wrapError(err error) error {

dns/repro_test.go

@@ -0,0 +1,111 @@
+package dns
+
+import (
+	"context"
+	"errors"
+	"net/netip"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/json/badoption"
+
+	mDNS "github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReproLookupWithRulesUsesRequestStrategy(t *testing.T) {
+	t.Parallel()
+
+	defaultTransport := &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP}
+	var qTypes []uint16
+	router := newTestRouter(t, nil, &fakeDNSTransportManager{
+		defaultTransport: defaultTransport,
+		transports: map[string]adapter.DNSTransport{
+			"default": defaultTransport,
+		},
+	}, &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			qTypes = append(qTypes, message.Question[0].Qtype)
+			if message.Question[0].Qtype == mDNS.TypeA {
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2.2.2.2")}, 60), nil
+			}
+			return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2001:db8::1")}, 60), nil
+		},
+	})
+
+	addrs, err := router.Lookup(context.Background(), "example.com", adapter.DNSQueryOptions{
+		Strategy: C.DomainStrategyIPv4Only,
+	})
+	require.NoError(t, err)
+	require.Equal(t, []uint16{mDNS.TypeA}, qTypes)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("2.2.2.2")}, addrs)
+}
+
+func TestReproLogicalMatchResponseIPCIDR(t *testing.T) {
+	t.Parallel()
+
+	transportManager := &fakeDNSTransportManager{
+		defaultTransport: &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		transports: map[string]adapter.DNSTransport{
+			"upstream": &fakeDNSTransport{tag: "upstream", transportType: C.DNSTypeUDP},
+			"selected": &fakeDNSTransport{tag: "selected", transportType: C.DNSTypeUDP},
+			"default":  &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		},
+	}
+	client := &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			switch transport.Tag() {
+			case "upstream":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("1.1.1.1")}, 60), nil
+			case "selected":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("8.8.8.8")}, 60), nil
+			default:
+				return nil, errors.New("unexpected transport")
+			}
+		},
+	}
+	rules := []option.DNSRule{
+		{
+			Type: C.RuleTypeDefault,
+			DefaultOptions: option.DefaultDNSRule{
+				RawDefaultDNSRule: option.RawDefaultDNSRule{
+					Domain: badoption.Listable[string]{"example.com"},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeEvaluate,
+					RouteOptions: option.DNSRouteActionOptions{Server: "upstream"},
+				},
+			},
+		},
+		{
+			Type: C.RuleTypeLogical,
+			LogicalOptions: option.LogicalDNSRule{
+				RawLogicalDNSRule: option.RawLogicalDNSRule{
+					Mode: C.LogicalTypeOr,
+					Rules: []option.DNSRule{{
+						Type: C.RuleTypeDefault,
+						DefaultOptions: option.DefaultDNSRule{
+							RawDefaultDNSRule: option.RawDefaultDNSRule{
+								MatchResponse: true,
+								IPCIDR:        badoption.Listable[string]{"1.1.1.0/24"},
+							},
+						},
+					}},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeRoute,
+					RouteOptions: option.DNSRouteActionOptions{Server: "selected"},
+				},
+			},
+		},
+	}
+	router := newTestRouter(t, rules, transportManager, client)
+
+	response, err := router.Exchange(context.Background(), &mDNS.Msg{
+		Question: []mDNS.Question{fixedQuestion("example.com", mDNS.TypeA)},
+	}, adapter.DNSQueryOptions{})
+	require.NoError(t, err)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("8.8.8.8")}, MessageToAddresses(response))
+}

dns/router.go

@@ -5,11 +5,13 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
@@ -19,6 +21,8 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/task"
+	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
@@ -28,16 +32,29 @@ import (
 
 var _ adapter.DNSRouter = (*Router)(nil)
 
+type dnsRuleSetCallback struct {
+	ruleSet adapter.RuleSet
+	element *list.Element[adapter.RuleSetUpdateCallback]
+}
+
 type Router struct {
-	ctx                   context.Context
-	logger                logger.ContextLogger
-	transport             adapter.DNSTransportManager
-	outbound              adapter.OutboundManager
-	client                adapter.DNSClient
-	rules                 []adapter.DNSRule
-	defaultDomainStrategy C.DomainStrategy
-	dnsReverseMapping     freelru.Cache[netip.Addr, string]
-	platformInterface     adapter.PlatformInterface
+	ctx                             context.Context
+	logger                          logger.ContextLogger
+	transport                       adapter.DNSTransportManager
+	outbound                        adapter.OutboundManager
+	client                          adapter.DNSClient
+	rawRules                        []option.DNSRule
+	rules                           []adapter.DNSRule
+	defaultDomainStrategy           C.DomainStrategy
+	dnsReverseMapping               freelru.Cache[netip.Addr, string]
+	platformInterface               adapter.PlatformInterface
+	legacyDNSMode                   bool
+	rulesAccess                     sync.RWMutex
+	rebuildAccess                   sync.Mutex
+	closing                         bool
+	ruleSetCallbacks                []dnsRuleSetCallback
+	addressFilterDeprecatedReported bool
+	ruleStrategyDeprecatedReported  bool
 }
 
 func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
@@ -46,6 +63,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
+		rawRules:              make([]option.DNSRule, 0, len(options.Rules)),
 		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
@@ -74,13 +92,12 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 }
 
 func (r *Router) Initialize(rules []option.DNSRule) error {
-	for i, ruleOptions := range rules {
-		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
-		if err != nil {
-			return E.Cause(err, "parse dns rule[", i, "]")
-		}
-		r.rules = append(r.rules, dnsRule)
+	r.rawRules = append(r.rawRules[:0], rules...)
+	newRules, _, err := r.buildRules(false)
+	if err != nil {
+		return err
 	}
+	closeRules(newRules)
 	return nil
 }
 
@@ -92,12 +109,24 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		r.client.Start()
 		monitor.Finish()
 
-		for i, rule := range r.rules {
-			monitor.Start("initialize DNS rule[", i, "]")
-			err := rule.Start()
+		monitor.Start("initialize DNS rules")
+		err := r.rebuildRules(true)
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		monitor.Start("register DNS rule-set callbacks")
+		needsRulesRefresh, err := r.registerRuleSetCallbacks()
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		if needsRulesRefresh {
+			monitor.Start("refresh DNS rules after callback registration")
+			err = r.rebuildRules(true)
 			monitor.Finish()
 			if err != nil {
-				return E.Cause(err, "initialize DNS rule[", i, "]")
+				r.logger.Error(E.Cause(err, "refresh DNS rules after callback registration"))
 			}
 		}
 	}
@@ -106,8 +135,18 @@ func (r *Router) Start(stage adapter.StartStage) error {
 
 func (r *Router) Close() error {
 	monitor := taskmonitor.New(r.logger, C.StopTimeout)
+	r.rulesAccess.Lock()
+	r.closing = true
+	callbacks := r.ruleSetCallbacks
+	r.ruleSetCallbacks = nil
+	runtimeRules := r.rules
+	r.rules = nil
+	for _, callback := range callbacks {
+		callback.ruleSet.UnregisterCallback(callback.element)
+	}
+	r.rulesAccess.Unlock()
 	var err error
-	for i, rule := range r.rules {
+	for i, rule := range runtimeRules {
 		monitor.Start("close dns rule[", i, "]")
 		err = E.Append(err, rule.Close(), func(err error) error {
 			return E.Cause(err, "close dns rule[", i, "]")
@@ -117,6 +156,151 @@ func (r *Router) Close() error {
 	return err
 }
 
+func (r *Router) rebuildRules(startRules bool) error {
+	r.rebuildAccess.Lock()
+	defer r.rebuildAccess.Unlock()
+	if r.isClosing() {
+		return nil
+	}
+	newRules, legacyDNSMode, err := r.buildRules(startRules)
+	if err != nil {
+		if r.isClosing() {
+			return nil
+		}
+		return err
+	}
+	shouldReportAddressFilterDeprecated := startRules &&
+		legacyDNSMode &&
+		!r.addressFilterDeprecatedReported &&
+		common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() })
+	shouldReportRuleStrategyDeprecated := startRules &&
+		legacyDNSMode &&
+		!r.ruleStrategyDeprecatedReported &&
+		hasDNSRuleActionStrategy(r.rawRules)
+	r.rulesAccess.Lock()
+	if r.closing {
+		r.rulesAccess.Unlock()
+		closeRules(newRules)
+		return nil
+	}
+	oldRules := r.rules
+	r.rules = newRules
+	r.legacyDNSMode = legacyDNSMode
+	if shouldReportAddressFilterDeprecated {
+		r.addressFilterDeprecatedReported = true
+	}
+	if shouldReportRuleStrategyDeprecated {
+		r.ruleStrategyDeprecatedReported = true
+	}
+	r.rulesAccess.Unlock()
+	closeRules(oldRules)
+	if shouldReportAddressFilterDeprecated {
+		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
+	}
+	if shouldReportRuleStrategyDeprecated {
+		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
+	}
+	return nil
+}
+
+func (r *Router) isClosing() bool {
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
+	return r.closing
+}
+
+func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, error) {
+	for i, ruleOptions := range r.rawRules {
+		err := R.ValidateNoNestedDNSRuleActions(ruleOptions)
+		if err != nil {
+			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
+		}
+	}
+	router := service.FromContext[adapter.Router](r.ctx)
+	legacyDNSMode, err := resolveLegacyDNSMode(router, r.rawRules)
+	if err != nil {
+		return nil, false, err
+	}
+	if !legacyDNSMode {
+		err = validateLegacyDNSModeDisabledRules(r.rawRules)
+		if err != nil {
+			return nil, false, err
+		}
+	}
+	newRules := make([]adapter.DNSRule, 0, len(r.rawRules))
+	for i, ruleOptions := range r.rawRules {
+		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true, legacyDNSMode)
+		if err != nil {
+			closeRules(newRules)
+			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
+		}
+		newRules = append(newRules, dnsRule)
+	}
+	if startRules {
+		for i, rule := range newRules {
+			err := rule.Start()
+			if err != nil {
+				closeRules(newRules)
+				return nil, false, E.Cause(err, "initialize DNS rule[", i, "]")
+			}
+		}
+	}
+	return newRules, legacyDNSMode, nil
+}
+
+func closeRules(rules []adapter.DNSRule) {
+	for _, rule := range rules {
+		_ = rule.Close()
+	}
+}
+
+func (r *Router) registerRuleSetCallbacks() (bool, error) {
+	tags := referencedDNSRuleSetTags(r.rawRules)
+	if len(tags) == 0 {
+		return false, nil
+	}
+	r.rulesAccess.RLock()
+	if len(r.ruleSetCallbacks) > 0 {
+		r.rulesAccess.RUnlock()
+		return true, nil
+	}
+	r.rulesAccess.RUnlock()
+	router := service.FromContext[adapter.Router](r.ctx)
+	if router == nil {
+		return false, E.New("router service not found")
+	}
+	callbacks := make([]dnsRuleSetCallback, 0, len(tags))
+	for _, tag := range tags {
+		ruleSet, loaded := router.RuleSet(tag)
+		if !loaded {
+			for _, callback := range callbacks {
+				callback.ruleSet.UnregisterCallback(callback.element)
+			}
+			return false, E.New("rule-set not found: ", tag)
+		}
+		element := ruleSet.RegisterCallback(func(adapter.RuleSet) {
+			err := r.rebuildRules(true)
+			if err != nil {
+				r.logger.Error(E.Cause(err, "rebuild DNS rules after rule-set update"))
+			}
+		})
+		callbacks = append(callbacks, dnsRuleSetCallback{
+			ruleSet: ruleSet,
+			element: element,
+		})
+	}
+	r.rulesAccess.Lock()
+	if len(r.ruleSetCallbacks) == 0 {
+		r.ruleSetCallbacks = callbacks
+		callbacks = nil
+	}
+	r.rulesAccess.Unlock()
+	for _, callback := range callbacks {
+		callback.ruleSet.UnregisterCallback(callback.element)
+	}
+	return true, nil
+}
+
 func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
@@ -132,16 +316,12 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			continue
 		}
 		metadata.ResetRuleCache()
-		if currentRule.Match(metadata) {
-			displayRuleIndex := currentRuleIndex
-			if displayRuleIndex != -1 {
-				displayRuleIndex += displayRuleIndex + 1
-			}
-			ruleDescription := currentRule.String()
-			if ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+		metadata.DestinationAddressMatchFromResponse = false
+		if currentRule.LegacyPreMatch(metadata) {
+			if ruleDescription := currentRule.String(); ruleDescription != "" {
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 			} else {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] => ", currentRule.Action())
 			}
 			switch action := currentRule.Action().(type) {
 			case *R.RuleActionDNSRoute:
@@ -166,14 +346,6 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
-				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-					if options.Strategy == C.DomainStrategyAsIS {
-						options.Strategy = legacyTransport.LegacyStrategy()
-					}
-					if !options.ClientSubnet.IsValid() {
-						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-					}
-				}
 				return transport, currentRule, currentRuleIndex
 			case *R.RuleActionDNSRouteOptions:
 				if action.Strategy != C.DomainStrategyAsIS {
@@ -196,15 +368,279 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 		}
 	}
 	transport := r.transport.Default()
-	if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-		if options.Strategy == C.DomainStrategyAsIS {
-			options.Strategy = legacyTransport.LegacyStrategy()
+	return transport, nil, -1
+}
+
+func (r *Router) applyDNSRouteOptions(options *adapter.DNSQueryOptions, routeOptions R.RuleActionDNSRouteOptions) {
+	if routeOptions.DisableCache {
+		options.DisableCache = true
+	}
+	if routeOptions.RewriteTTL != nil {
+		options.RewriteTTL = routeOptions.RewriteTTL
+	}
+	if routeOptions.ClientSubnet.IsValid() {
+		options.ClientSubnet = routeOptions.ClientSubnet
+	}
+}
+
+type dnsRouteStatus uint8
+
+const (
+	dnsRouteStatusMissing dnsRouteStatus = iota
+	dnsRouteStatusSkipped
+	dnsRouteStatusResolved
+)
+
+func (r *Router) resolveDNSRoute(action *R.RuleActionDNSRoute, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
+	transport, loaded := r.transport.Transport(action.Server)
+	if !loaded {
+		return nil, dnsRouteStatusMissing
+	}
+	isFakeIP := transport.Type() == C.DNSTypeFakeIP
+	if isFakeIP && !allowFakeIP {
+		return transport, dnsRouteStatusSkipped
+	}
+	r.applyDNSRouteOptions(options, action.RuleActionDNSRouteOptions)
+	if isFakeIP {
+		options.DisableCache = true
+	}
+	return transport, dnsRouteStatusResolved
+}
+
+func (r *Router) logRuleMatch(ctx context.Context, ruleIndex int, currentRule adapter.DNSRule) {
+	if ruleDescription := currentRule.String(); ruleDescription != "" {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] ", currentRule, " => ", currentRule.Action())
+	} else {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] => ", currentRule.Action())
+	}
+}
+
+type exchangeWithRulesResult struct {
+	response     *mDNS.Msg
+	transport    adapter.DNSTransport
+	rejectAction *R.RuleActionReject
+	err          error
+}
+
+func (r *Router) exchangeWithRules(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions, allowFakeIP bool) exchangeWithRulesResult {
+	metadata := adapter.ContextFrom(ctx)
+	if metadata == nil {
+		panic("no context")
+	}
+	effectiveOptions := options
+	var savedResponse *mDNS.Msg
+	for currentRuleIndex, currentRule := range r.rules {
+		metadata.ResetRuleCache()
+		metadata.DNSResponse = savedResponse
+		metadata.DestinationAddressMatchFromResponse = false
+		if !currentRule.Match(metadata) {
+			continue
 		}
-		if !options.ClientSubnet.IsValid() {
-			options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+		r.logRuleMatch(ctx, currentRuleIndex, currentRule)
+		switch action := currentRule.Action().(type) {
+		case *R.RuleActionDNSRouteOptions:
+			r.applyDNSRouteOptions(&effectiveOptions, *action)
+		case *R.RuleActionEvaluate:
+			queryOptions := effectiveOptions
+			transport, status := r.resolveDNSRoute(&R.RuleActionDNSRoute{
+				Server:                    action.Server,
+				RuleActionDNSRouteOptions: action.RuleActionDNSRouteOptions,
+			}, allowFakeIP, &queryOptions)
+			switch status {
+			case dnsRouteStatusMissing:
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				savedResponse = nil
+				continue
+			case dnsRouteStatusSkipped:
+				continue
+			}
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			if err != nil {
+				r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+				savedResponse = nil
+				continue
+			}
+			savedResponse = response
+		case *R.RuleActionDNSRoute:
+			queryOptions := effectiveOptions
+			transport, status := r.resolveDNSRoute(action, allowFakeIP, &queryOptions)
+			switch status {
+			case dnsRouteStatusMissing:
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				continue
+			case dnsRouteStatusSkipped:
+				continue
+			}
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			return exchangeWithRulesResult{
+				response:  response,
+				transport: transport,
+				err:       err,
+			}
+		case *R.RuleActionReject:
+			switch action.Method {
+			case C.RuleActionRejectMethodDefault:
+				return exchangeWithRulesResult{
+					response: &mDNS.Msg{
+						MsgHdr: mDNS.MsgHdr{
+							Id:       message.Id,
+							Rcode:    mDNS.RcodeRefused,
+							Response: true,
+						},
+						Question: []mDNS.Question{message.Question[0]},
+					},
+					rejectAction: action,
+				}
+			case C.RuleActionRejectMethodDrop:
+				return exchangeWithRulesResult{
+					rejectAction: action,
+					err:          tun.ErrDrop,
+				}
+			}
+		case *R.RuleActionPredefined:
+			return exchangeWithRulesResult{
+				response: action.Response(message),
+			}
 		}
 	}
-	return transport, nil, -1
+	queryOptions := effectiveOptions
+	transport := r.transport.Default()
+	exchangeOptions := queryOptions
+	if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+		exchangeOptions.Strategy = r.defaultDomainStrategy
+	}
+	response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+	return exchangeWithRulesResult{
+		response:  response,
+		transport: transport,
+		err:       err,
+	}
+}
+
+type lookupWithRulesResponse struct {
+	addresses []netip.Addr
+}
+
+func (r *Router) resolveLookupStrategy(options adapter.DNSQueryOptions) C.DomainStrategy {
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		return options.LookupStrategy
+	}
+	if options.Strategy != C.DomainStrategyAsIS {
+		return options.Strategy
+	}
+	return r.defaultDomainStrategy
+}
+
+func lookupStrategyAllowsQueryType(strategy C.DomainStrategy, qType uint16) bool {
+	switch strategy {
+	case C.DomainStrategyIPv4Only:
+		return qType == mDNS.TypeA
+	case C.DomainStrategyIPv6Only:
+		return qType == mDNS.TypeAAAA
+	default:
+		return true
+	}
+}
+
+func withLookupQueryMetadata(ctx context.Context, qType uint16) context.Context {
+	ctx, metadata := adapter.ExtendContext(ctx)
+	metadata.QueryType = qType
+	metadata.IPVersion = 0
+	switch qType {
+	case mDNS.TypeA:
+		metadata.IPVersion = 4
+	case mDNS.TypeAAAA:
+		metadata.IPVersion = 6
+	}
+	return ctx
+}
+
+func filterAddressesByQueryType(addresses []netip.Addr, qType uint16) []netip.Addr {
+	switch qType {
+	case mDNS.TypeA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is4()
+		})
+	case mDNS.TypeAAAA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is6()
+		})
+	default:
+		return addresses
+	}
+}
+
+func (r *Router) lookupWithRules(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	strategy := r.resolveLookupStrategy(options)
+	lookupOptions := options
+	if strategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
+	if strategy == C.DomainStrategyIPv4Only {
+		response, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeA, lookupOptions)
+		return response.addresses, err
+	}
+	if strategy == C.DomainStrategyIPv6Only {
+		response, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeAAAA, lookupOptions)
+		return response.addresses, err
+	}
+	var (
+		response4 lookupWithRulesResponse
+		response6 lookupWithRulesResponse
+	)
+	var group task.Group
+	group.Append("exchange4", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeA, lookupOptions)
+		response4 = result
+		return err
+	})
+	group.Append("exchange6", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, domain, mDNS.TypeAAAA, lookupOptions)
+		response6 = result
+		return err
+	})
+	err := group.Run(ctx)
+	if len(response4.addresses) == 0 && len(response6.addresses) == 0 {
+		return nil, err
+	}
+	return sortAddresses(response4.addresses, response6.addresses, strategy), nil
+}
+
+func (r *Router) lookupWithRulesType(ctx context.Context, domain string, qType uint16, options adapter.DNSQueryOptions) (lookupWithRulesResponse, error) {
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			RecursionDesired: true,
+		},
+		Question: []mDNS.Question{{
+			Name:   mDNS.Fqdn(FqdnToDomain(domain)),
+			Qtype:  qType,
+			Qclass: mDNS.ClassINET,
+		}},
+	}
+	exchangeResult := r.exchangeWithRules(withLookupQueryMetadata(ctx, qType), request, options, false)
+	result := lookupWithRulesResponse{}
+	if exchangeResult.rejectAction != nil {
+		return result, exchangeResult.rejectAction.Error(ctx)
+	}
+	if exchangeResult.err != nil {
+		return result, exchangeResult.err
+	}
+	if exchangeResult.response.Rcode != mDNS.RcodeSuccess {
+		return result, RcodeError(exchangeResult.response.Rcode)
+	}
+	if !lookupStrategyAllowsQueryType(r.resolveLookupStrategy(options), qType) {
+		return result, nil
+	}
+	result.addresses = filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType)
+	return result, nil
 }
 
 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -220,6 +656,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		}
 		return &responseMessage, nil
 	}
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		response  *mDNS.Msg
@@ -230,6 +668,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	ctx, metadata = adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.QueryType = message.Question[0].Qtype
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	switch metadata.QueryType {
 	case mDNS.TypeA:
 		metadata.IPVersion = 4
@@ -239,18 +679,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	metadata.Domain = FqdnToDomain(message.Question[0].Name)
 	if options.Transport != nil {
 		transport = options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		response, err = r.client.Exchange(ctx, transport, message, options, nil)
+	} else if !r.legacyDNSMode {
+		exchangeResult := r.exchangeWithRules(ctx, message, options, true)
+		response, transport, err = exchangeResult.response, exchangeResult.transport, exchangeResult.err
 	} else {
 		var (
 			rule      adapter.DNSRule
@@ -325,6 +760,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 }
 
 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
 	var (
 		responseAddrs []netip.Addr
 		err           error
@@ -338,6 +775,8 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, ErrResponseRejected) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain)
+			} else if R.IsRejected(err) {
+				r.logger.DebugContext(ctx, "lookup rejected for ", domain)
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
@@ -350,20 +789,16 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.Domain = FqdnToDomain(domain)
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	if options.Transport != nil {
 		transport := options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
+	} else if !r.legacyDNSMode {
+		responseAddrs, err = r.lookupWithRules(ctx, domain, options)
 	} else {
 		var (
 			transport adapter.DNSTransport
@@ -425,15 +860,15 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }
 
-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(response *mDNS.Msg) bool {
 	if rule == nil || !rule.WithAddressLimit() {
 		return nil
 	}
 	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
+	return func(response *mDNS.Msg) bool {
 		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
+		checkMetadata.DNSResponse = response
+		return rule.MatchAddressLimit(&checkMetadata, response)
 	}
 }
 
@@ -458,3 +893,238 @@ func (r *Router) ResetNetwork() {
 		transport.Reset()
 	}
 }
+
+func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
+	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return true
+	}
+	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
+}
+
+func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
+	return rule.ResponseRcode != nil ||
+		len(rule.ResponseAnswer) > 0 ||
+		len(rule.ResponseNs) > 0 ||
+		len(rule.ResponseExtra) > 0
+}
+
+func defaultRuleDisablesLegacyDNSMode(rule option.DefaultDNSRule) bool {
+	return rule.MatchResponse ||
+		hasResponseMatchFields(rule) ||
+		rule.Action == C.RuleActionTypeEvaluate ||
+		rule.IPVersion > 0 ||
+		len(rule.QueryType) > 0
+}
+
+func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule) (bool, error) {
+	legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirements(router, rules)
+	if err != nil {
+		return false, err
+	}
+	if legacyDNSModeDisabled && needsLegacyDNSModeFromStrategy {
+		return false, E.New("DNS rule action strategy is only supported in legacyDNSMode")
+	}
+	if legacyDNSModeDisabled {
+		return false, nil
+	}
+	return needsLegacyDNSMode, nil
+}
+
+func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule) (bool, bool, bool, error) {
+	var legacyDNSModeDisabled bool
+	var needsLegacyDNSMode bool
+	var needsLegacyDNSModeFromStrategy bool
+	for i, rule := range rules {
+		ruleLegacyDNSModeDisabled, ruleNeedsLegacyDNSMode, ruleNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, rule)
+		if err != nil {
+			return false, false, false, E.Cause(err, "dns rule[", i, "]")
+		}
+		legacyDNSModeDisabled = legacyDNSModeDisabled || ruleLegacyDNSModeDisabled
+		needsLegacyDNSMode = needsLegacyDNSMode || ruleNeedsLegacyDNSMode
+		needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || ruleNeedsLegacyDNSModeFromStrategy
+	}
+	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
+}
+
+func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule) (bool, bool, bool, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions)
+	case C.RuleTypeLogical:
+		legacyDNSModeDisabled := dnsRuleActionType(rule) == C.RuleActionTypeEvaluate
+		needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction)
+		needsLegacyDNSMode := needsLegacyDNSModeFromStrategy
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subLegacyDNSModeDisabled, subNeedsLegacyDNSMode, subNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, subRule)
+			if err != nil {
+				return false, false, false, E.Cause(err, "sub rule[", i, "]")
+			}
+			legacyDNSModeDisabled = legacyDNSModeDisabled || subLegacyDNSModeDisabled
+			needsLegacyDNSMode = needsLegacyDNSMode || subNeedsLegacyDNSMode
+			needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || subNeedsLegacyDNSModeFromStrategy
+		}
+		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
+	default:
+		return false, false, false, nil
+	}
+}
+
+func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule) (bool, bool, bool, error) {
+	legacyDNSModeDisabled := defaultRuleDisablesLegacyDNSMode(rule)
+	needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.DNSRuleAction)
+	needsLegacyDNSMode := defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || needsLegacyDNSModeFromStrategy
+	if len(rule.RuleSet) == 0 {
+		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
+	}
+	if router == nil {
+		return false, false, false, E.New("router service not found")
+	}
+	for _, tag := range rule.RuleSet {
+		ruleSet, loaded := router.RuleSet(tag)
+		if !loaded {
+			return false, false, false, E.New("rule-set not found: ", tag)
+		}
+		metadata := ruleSet.Metadata()
+		// Rule sets are built from headless rules, so query_type is the only
+		// per-query DNS predicate they can contribute here. ip_version is not a
+		// headless-rule item and is therefore intentionally absent from metadata.
+		legacyDNSModeDisabled = legacyDNSModeDisabled || metadata.ContainsDNSQueryTypeRule
+		if !rule.RuleSetIPCIDRMatchSource && metadata.ContainsIPCIDRRule {
+			needsLegacyDNSMode = true
+		}
+	}
+	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
+}
+
+func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
+	tagMap := make(map[string]bool)
+	var walkRule func(rule option.DNSRule)
+	walkRule = func(rule option.DNSRule) {
+		switch rule.Type {
+		case "", C.RuleTypeDefault:
+			for _, tag := range rule.DefaultOptions.RuleSet {
+				tagMap[tag] = true
+			}
+		case C.RuleTypeLogical:
+			for _, subRule := range rule.LogicalOptions.Rules {
+				walkRule(subRule)
+			}
+		}
+	}
+	for _, rule := range rules {
+		walkRule(rule)
+	}
+	tags := make([]string, 0, len(tagMap))
+	for tag := range tagMap {
+		if tag != "" {
+			tags = append(tags, tag)
+		}
+	}
+	return tags
+}
+
+func validateLegacyDNSModeDisabledRules(rules []option.DNSRule) error {
+	for i, rule := range rules {
+		consumesResponse, err := validateLegacyDNSModeDisabledRuleTree(rule)
+		if err != nil {
+			return E.Cause(err, "validate dns rule[", i, "]")
+		}
+		action := dnsRuleActionType(rule)
+		if action == C.RuleActionTypeEvaluate && consumesResponse {
+			return E.New("dns rule[", i, "]: evaluate rule cannot consume response state")
+		}
+	}
+	return nil
+}
+
+func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return validateLegacyDNSModeDisabledDefaultRule(rule.DefaultOptions)
+	case C.RuleTypeLogical:
+		var consumesResponse bool
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subConsumesResponse, err := validateLegacyDNSModeDisabledRuleTree(subRule)
+			if err != nil {
+				return false, E.Cause(err, "sub rule[", i, "]")
+			}
+			consumesResponse = consumesResponse || subConsumesResponse
+		}
+		return consumesResponse, nil
+	default:
+		return false, nil
+	}
+}
+
+func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
+	hasResponseRecords := hasResponseMatchFields(rule)
+	if hasResponseRecords && !rule.MatchResponse {
+		return false, E.New("response_* items require match_response")
+	}
+	if (len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+		return false, E.New("ip_cidr and ip_is_private require match_response when legacyDNSMode is disabled")
+	}
+	// Intentionally do not reject rule_set here. A referenced rule set may mix
+	// destination-IP predicates with pre-response predicates such as domain items.
+	// When match_response is false, those destination-IP branches fail closed during
+	// pre-response evaluation instead of consuming DNS response state, while sibling
+	// non-response branches remain matchable.
+	if rule.IPAcceptAny { //nolint:staticcheck
+		return false, E.New("ip_accept_any is removed when legacyDNSMode is disabled, use ip_cidr with match_response")
+	}
+	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return false, E.New("rule_set_ip_cidr_accept_empty is removed when legacyDNSMode is disabled")
+	}
+	return rule.MatchResponse, nil
+}
+
+func hasDNSRuleActionStrategy(rules []option.DNSRule) bool {
+	for _, rule := range rules {
+		if dnsRuleHasActionStrategy(rule) {
+			return true
+		}
+	}
+	return false
+}
+
+func dnsRuleHasActionStrategy(rule option.DNSRule) bool {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return dnsRuleActionHasStrategy(rule.DefaultOptions.DNSRuleAction)
+	case C.RuleTypeLogical:
+		if dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction) {
+			return true
+		}
+		return hasDNSRuleActionStrategy(rule.LogicalOptions.Rules)
+	default:
+		return false
+	}
+}
+
+func dnsRuleActionHasStrategy(action option.DNSRuleAction) bool {
+	switch action.Action {
+	case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
+		return C.DomainStrategy(action.RouteOptions.Strategy) != C.DomainStrategyAsIS
+	case C.RuleActionTypeRouteOptions:
+		return C.DomainStrategy(action.RouteOptionsOptions.Strategy) != C.DomainStrategyAsIS
+	default:
+		return false
+	}
+}
+
+func dnsRuleActionType(rule option.DNSRule) string {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		if rule.DefaultOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.DefaultOptions.Action
+	case C.RuleTypeLogical:
+		if rule.LogicalOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.LogicalOptions.Action
+	default:
+		return ""
+	}
+}

dns/transport_adapter.go

@@ -1,21 +1,13 @@
 package dns
 
 import (
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )
 
-var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
-
 type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
-	strategy      C.DomainStrategy
-	clientSubnet  netip.Prefix
 }
 
 func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
@@ -35,8 +27,6 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
-		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
 }
 
@@ -45,15 +35,10 @@ func NewTransportAdapterWithRemoteOptions(transportType string, transportTag str
 	if remoteOptions.DomainResolver != nil && remoteOptions.DomainResolver.Server != "" {
 		dependencies = append(dependencies, remoteOptions.DomainResolver.Server)
 	}
-	if remoteOptions.LegacyAddressResolver != "" {
-		dependencies = append(dependencies, remoteOptions.LegacyAddressResolver)
-	}
 	return TransportAdapter{
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
-		clientSubnet:  remoteOptions.LegacyClientSubnet,
 	}
 }
 
@@ -68,11 +53,3 @@ func (a *TransportAdapter) Tag() string {
 func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
-
-func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
-	return a.strategy
-}
-
-func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
-	return a.clientSubnet
-}

dns/transport_dialer.go

@@ -2,104 +2,25 @@ package dns
 
 import (
 	"context"
-	"net"
-	"time"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )
 
 func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		return dialer.NewDefaultOutbound(ctx), nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		DirectResolver: true,
+	})
 }
 
 func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		transportDialer := dialer.NewDefaultOutbound(ctx)
-		if options.LegacyAddressResolver != "" {
-			transport := service.FromContext[adapter.DNSTransportManager](ctx)
-			resolverTransport, loaded := transport.Transport(options.LegacyAddressResolver)
-			if !loaded {
-				return nil, E.New("address resolver not found: ", options.LegacyAddressResolver)
-			}
-			transportDialer = newTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.LegacyAddressStrategy), time.Duration(options.LegacyAddressFallbackDelay))
-		} else if options.ServerIsDomain() {
-			return nil, E.New("missing address resolver for server: ", options.Server)
-		}
-		return transportDialer, nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			RemoteIsDomain:  options.ServerIsDomain(),
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
-}
-
-type legacyTransportDialer struct {
-	dialer        N.Dialer
-	dnsRouter     adapter.DNSRouter
-	transport     adapter.DNSTransport
-	strategy      C.DomainStrategy
-	fallbackDelay time.Duration
-}
-
-func newTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *legacyTransportDialer {
-	return &legacyTransportDialer{
-		dialer,
-		dnsRouter,
-		transport,
-		strategy,
-		fallbackDelay,
-	}
-}
-
-func (d *legacyTransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if destination.IsIP() {
-		return d.dialer.DialContext(ctx, network, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		RemoteIsDomain: options.ServerIsDomain(),
+		DirectResolver: true,
 	})
-	if err != nil {
-		return nil, err
-	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
-}
-
-func (d *legacyTransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIP() {
-		return d.dialer.ListenPacket(ctx, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
-	})
-	if err != nil {
-		return nil, err
-	}
-	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
-	return conn, err
-}
-
-func (d *legacyTransportDialer) Upstream() any {
-	return d.dialer
 }

docs/changelog.md

@@ -2,6 +2,23 @@
 icon: material/alert-decagram
 ---
 
+#### 1.14.0-alpha.8
+
+* Add BBR profile and hop interval randomization for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
+
+#### 1.14.0-alpha.8
+
+* Fixes and improvements
+
+#### 1.13.5
+
+* Fixes and improvements
+
 #### 1.14.0-alpha.7
 
 * Fixes and improvements

docs/configuration/dns/fakeip.md

@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---
 
-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"
 
-    Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 
 ### Structure
 

docs/configuration/dns/fakeip.zh.md

@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---
 
-!!! failure "已在 sing-box 1.12.0 废弃"
+!!! failure "已在 sing-box 1.14.0 移除"
 
-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
 
 ### 结构
 

docs/configuration/dns/index.md

@@ -39,7 +39,7 @@ icon: material/alert-decagram
 |----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
-| `fakeip` | [FakeIP](./fakeip/)             |
+| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |
 
 #### final
 
@@ -88,4 +88,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
+Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -88,6 +88,6 @@ LRU 缓存容量。
 
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 
-#### fakeip
+#### fakeip :material-note-remove:
 
 [FakeIP](./fakeip/) 设置。

docs/configuration/dns/rule.md

@@ -4,8 +4,15 @@ icon: material/alert-decagram
 
 !!! quote "Changes in sing-box 1.14.0"
 
+    :material-plus: [match_response](#match_response)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)  
     :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
 
 !!! quote "Changes in sing-box 1.13.0"
 
@@ -94,12 +101,6 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -171,7 +172,16 @@ icon: material/alert-decagram
           "geosite-cn"
         ],
         "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
         "invert": false,
         "outbound": [
           "direct"
@@ -180,7 +190,9 @@ icon: material/alert-decagram
         "server": "local",
 
         // Deprecated
-        
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
         "rule_set_ipcidr_match_source": false,
         "geosite": [
           "cn"
@@ -477,6 +489,17 @@ Make `ip_cidr` rule items in rule-sets match the source IP.
 
 Make `ip_cidr` rule items in rule-sets match the source IP.
 
+#### match_response
+
+!!! question "Since sing-box 1.14.0"
+
+Enable response-based matching. When enabled, this rule matches against DNS response data
+(set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
+instead of only matching the original query.
+
+Required for `response_rcode`, `response_answer`, `response_ns`, `response_extra` fields.
+Also required for `ip_cidr` and `ip_is_private` when `legacyDNSMode` is disabled.
+
 #### invert
 
 Invert match result.
@@ -547,24 +570,69 @@ Match GeoIP with query response.
 
 Match IP CIDR with query response.
 
+When `legacyDNSMode` is disabled, `match_response` must be set to `true`.
+
 #### ip_is_private
 
 !!! question "Since sing-box 1.9.0"
 
 Match private IP with query response.
 
+When `legacyDNSMode` is disabled, `match_response` must be set to `true`.
+
 #### rule_set_ip_cidr_accept_empty
 
 !!! question "Since sing-box 1.10.0"
 
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0.
+    Only supported in `legacyDNSMode`.
+
 Make `ip_cidr` rules in rule-sets accept empty query response.
 
 #### ip_accept_any
 
 !!! question "Since sing-box 1.12.0"
 
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0.
+    Only supported in `legacyDNSMode`. Use `match_response` with response items instead.
+
 Match any IP with query response.
 
+### Response Fields
+
+!!! question "Since sing-box 1.14.0"
+
+Match fields for DNS response data. Require `match_response` to be set to `true`
+and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
+
+#### response_rcode
+
+Match DNS response code.
+
+Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
+
+#### response_answer
+
+Match DNS answer records.
+
+Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
+
+#### response_ns
+
+Match DNS name server records.
+
+Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
+
+#### response_extra
+
+Match DNS extra records.
+
+Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
+
 ### Logical Fields
 
 #### type

docs/configuration/dns/rule.zh.md

@@ -4,8 +4,15 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.14.0 中的更改"
 
+    :material-plus: [match_response](#match_response)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)  
     :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
 
 !!! quote "sing-box 1.13.0 中的更改"
 
@@ -94,12 +101,6 @@ icon: material/alert-decagram
           "192.168.0.1"
         ],
         "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
         "source_port": [
           12345
         ],
@@ -171,7 +172,16 @@ icon: material/alert-decagram
           "geosite-cn"
         ],
         "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
         "invert": false,
         "outbound": [
           "direct"
@@ -180,6 +190,9 @@ icon: material/alert-decagram
         "server": "local",
 
         // 已弃用
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
         "rule_set_ipcidr_match_source": false,
         "geosite": [
           "cn"
@@ -476,6 +489,15 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 使规则集中的 `ip_cidr` 规则匹配源 IP。
 
+#### match_response
+
+!!! question "自 sing-box 1.14.0 起"
+
+启用响应匹配。启用后，此规则将匹配 DNS 响应数据（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
+
+`response_rcode`、`response_answer`、`response_ns`、`response_extra` 字段需要此选项。
+当 `legacyDNSMode` 未启用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。
+
 #### invert
 
 反选匹配结果。
@@ -547,24 +569,69 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 与查询响应匹配 IP CIDR。
 
+当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。
+
 #### ip_is_private
 
 !!! question "自 sing-box 1.9.0 起"
 
 与查询响应匹配非公开 IP。
 
+当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。
+
 #### ip_accept_any
 
 !!! question "自 sing-box 1.12.0 起"
 
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除。
+    仅在 `legacyDNSMode` 中可用。请使用 `match_response` 和响应项替代。
+
 匹配任意 IP。
 
 #### rule_set_ip_cidr_accept_empty
 
 !!! question "自 sing-box 1.10.0 起"
 
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除。
+    仅在 `legacyDNSMode` 中可用。
+
 使规则集中的 `ip_cidr` 规则接受空查询响应。
 
+### 响应字段
+
+!!! question "自 sing-box 1.14.0 起"
+
+DNS 响应数据的匹配字段。需要将 `match_response` 设为 `true`，
+且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
+
+#### response_rcode
+
+匹配 DNS 响应码。
+
+接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
+
+#### response_answer
+
+匹配 DNS 应答记录。
+
+记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
+
+#### response_ns
+
+匹配 DNS 名称服务器记录。
+
+记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
+
+#### response_extra
+
+匹配 DNS 额外记录。
+
+记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
+
 ### 逻辑字段
 
 #### type

docs/configuration/dns/rule_action.md

@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [evaluate](#evaluate)  
+    :material-delete-clock: [strategy](#strategy)
+
 !!! quote "Changes in sing-box 1.12.0"
 
     :material-plus: [strategy](#strategy)  
@@ -34,7 +39,11 @@ Tag of target server.
 
 !!! question "Since sing-box 1.12.0"
 
-Set domain strategy for this query.
+!!! warning
+
+    `strategy` is deprecated and only supported in `legacyDNSMode`.
+
+Set domain strategy for this query in `legacyDNSMode`.
 
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
@@ -52,7 +61,49 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
+
+### evaluate
+
+!!! question "Since sing-box 1.14.0"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` sends a DNS query to the specified server and saves the response for subsequent rules
+to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
+Unlike `route`, it does **not** terminate rule evaluation.
+
+Only allowed on top-level DNS rules (not inside logical sub-rules).
+
+#### server
+
+==Required==
+
+Tag of target server.
+
+#### disable_cache
+
+Disable cache and save cache in this query.
+
+#### rewrite_ttl
+
+Rewrite TTL in DNS responses.
+
+#### client_subnet
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will override `dns.client_subnet`.
 
 ### route-options
 

docs/configuration/dns/rule_action.zh.md

@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [evaluate](#evaluate)  
+    :material-delete-clock: [strategy](#strategy)
+
 !!! quote "sing-box 1.12.0 中的更改"
 
     :material-plus: [strategy](#strategy)  
@@ -34,7 +39,11 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.12.0 起"
 
-为此查询设置域名策略。
+!!! warning
+
+    `strategy` 已废弃，且仅在 `legacyDNSMode` 中可用。
+
+在 `legacyDNSMode` 中为此查询设置域名策略。
 
 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 
@@ -54,6 +63,46 @@ icon: material/new-box
 
 将覆盖 `dns.client_subnet`.
 
+### evaluate
+
+!!! question "自 sing-box 1.14.0 起"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` 向指定服务器发送 DNS 查询并保存响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
+
+仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+#### rewrite_ttl
+
+重写 DNS 回应中的 TTL。
+
+#### client_subnet
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet`.
+
 ### route-options
 
 ```json
@@ -84,7 +133,7 @@ icon: material/new-box
 - `default`: 返回 REFUSED。
 - `drop`: 丢弃请求。
 
-默认使用 `defualt`。
+默认使用 `default`。
 
 #### no_drop
 

docs/configuration/dns/server/index.md

@@ -29,7 +29,7 @@ The type of the DNS server.
 
 | Type            | Format                    |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |

docs/configuration/dns/server/index.zh.md

@@ -29,7 +29,7 @@ DNS 服务器的类型。
 
 | 类型              | 格式                        |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |

docs/configuration/dns/server/legacy.md

@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---
 
-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"
 
-    Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
 
 !!! quote "Changes in sing-box 1.9.0"
 
@@ -108,6 +108,6 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Can be overrides by `rules.[].client_subnet`.
+Can be overridden by `rules.[].client_subnet`.
 
-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.

docs/configuration/dns/server/legacy.zh.md

@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---
 
-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "已在 sing-box 1.14.0 移除"
 
-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
+    旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
 
 !!! quote "sing-box 1.9.0 中的更改"
 

docs/configuration/inbound/hysteria2.md

@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
   "ignore_client_bandwidth": false,
   "tls": {},
   "masquerade": "", // or {}
+  "bbr_profile": "",
   "brutal_debug": false
 }
 ```
@@ -141,6 +146,14 @@ Fixed response headers.
 
 Fixed response content.
 
+#### bbr_profile
+
+!!! question "Since sing-box 1.14.0"
+
+BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
+
+`standard` is used by default.
+
 #### brutal_debug
 
 Enable debug information logging for Hysteria Brutal CC.

docs/configuration/inbound/hysteria2.zh.md

@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---
 
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
   "ignore_client_bandwidth": false,
   "tls": {},
   "masquerade": "", // 或 {}
+  "bbr_profile": "",
   "brutal_debug": false
 }
 ```
@@ -138,6 +143,14 @@ HTTP3 服务器认证失败时的行为 （对象配置）。
 
 固定响应内容。
 
+#### bbr_profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
+
+默认使用 `standard`。
+
 #### brutal_debug
 
 启用 Hysteria Brutal CC 的调试信息日志记录。

docs/configuration/outbound/hysteria2.md

@@ -1,3 +1,8 @@
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [hop_interval_max](#hop_interval_max)  
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [server_ports](#server_ports)  
@@ -9,13 +14,14 @@
 {
   "type": "hysteria2",
   "tag": "hy2-out",
-  
+
   "server": "127.0.0.1",
   "server_port": 1080,
   "server_ports": [
     "2080:3000"
   ],
   "hop_interval": "",
+  "hop_interval_max": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -25,8 +31,9 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
+  "bbr_profile": "",
   "brutal_debug": false,
-  
+
   ... // Dial Fields
 }
 ```
@@ -75,6 +82,14 @@ Port hopping interval.
 
 `30s` is used by default.
 
+#### hop_interval_max
+
+!!! question "Since sing-box 1.14.0"
+
+Maximum port hopping interval, used for randomization.
+
+If set, the actual hop interval will be randomly chosen between `hop_interval` and `hop_interval_max`.
+
 #### up_mbps, down_mbps
 
 Max bandwidth, in Mbps.
@@ -109,6 +124,14 @@ Both is enabled by default.
 
 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
+#### bbr_profile
+
+!!! question "Since sing-box 1.14.0"
+
+BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
+
+`standard` is used by default.
+
 #### brutal_debug
 
 Enable debug information logging for Hysteria Brutal CC.

docs/configuration/outbound/hysteria2.zh.md

@@ -1,3 +1,8 @@
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [hop_interval_max](#hop_interval_max)  
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [server_ports](#server_ports)  
@@ -16,6 +21,7 @@
     "2080:3000"
   ],
   "hop_interval": "",
+  "hop_interval_max": "",
   "up_mbps": 100,
   "down_mbps": 100,
   "obfs": {
@@ -25,8 +31,9 @@
   "password": "goofy_ahh_password",
   "network": "tcp",
   "tls": {},
+  "bbr_profile": "",
   "brutal_debug": false,
-  
+
   ... // 拨号字段
 }
 ```
@@ -73,6 +80,14 @@
 
 默认使用 `30s`。
 
+#### hop_interval_max
+
+!!! question "自 sing-box 1.14.0 起"
+
+最大端口跳跃间隔，用于随机化。
+
+如果设置，实际跳跃间隔将在 `hop_interval` 和 `hop_interval_max` 之间随机选择。
+
 #### up_mbps, down_mbps
 
 最大带宽。
@@ -107,6 +122,14 @@ QUIC 流量混淆器密码.
 
 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
 
+#### bbr_profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
+
+默认使用 `standard`。
+
 #### brutal_debug
 
 启用 Hysteria Brutal CC 的调试信息日志记录。

docs/configuration/route/index.md

@@ -153,7 +153,7 @@ Automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea
 
 See [Dial Fields](/configuration/shared/dial/#domain_resolver) for details.
 
-Can be overrides by `outbound.domain_resolver`.
+Can be overridden by `outbound.domain_resolver`.
 
 #### default_network_strategy
 
@@ -163,7 +163,7 @@ See [Dial Fields](/configuration/shared/dial/#network_strategy) for details.
 
 Takes no effect if `outbound.bind_interface`, `outbound.inet4_bind_address` or `outbound.inet6_bind_address` is set.
 
-Can be overrides by `outbound.network_strategy`.
+Can be overridden by `outbound.network_strategy`.
 
 Conflicts with `default_interface`.
 

docs/configuration/route/rule_action.md

@@ -316,4 +316,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
 
 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.

docs/deprecated.md

@@ -14,6 +14,36 @@ check [Migration](../migration/#migrate-inline-acme-to-certificate-provider).
 
 Old fields will be removed in sing-box 1.16.0.
 
+#### `strategy` in DNS rule actions
+
+`strategy` in DNS rule actions is deprecated
+and only supported in `legacyDNSMode`.
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### `ip_accept_any` in DNS rules
+
+`ip_accept_any` in DNS rules is deprecated
+and only supported in `legacyDNSMode`.
+Use `match_response` with response items instead.
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### `rule_set_ip_cidr_accept_empty` in DNS rules
+
+`rule_set_ip_cidr_accept_empty` in DNS rules is deprecated
+and only supported in `legacyDNSMode`.
+
+Old fields will be removed in sing-box 1.16.0.
+
+#### Legacy address filter DNS rule items
+
+Legacy address filter DNS rule items (`ip_cidr`, `ip_is_private` without `match_response`)
+are deprecated and only supported in `legacyDNSMode`.
+Use `match_response` with the `evaluate` action instead.
+
+Old behavior will be removed in sing-box 1.16.0.
+
 ## 1.12.0
 
 #### Legacy DNS server formats
@@ -21,7 +51,7 @@ Old fields will be removed in sing-box 1.16.0.
 DNS servers are refactored,
 check [Migration](../migration/#migrate-to-new-dns-servers).
 
-Compatibility for old formats will be removed in sing-box 1.14.0.
+Old formats were removed in sing-box 1.14.0.
 
 #### `outbound` DNS rule item
 

docs/deprecated.zh.md

@@ -14,6 +14,36 @@ TLS 中的内联 ACME 选项（`tls.acme`）已废弃，
 
 旧字段将在 sing-box 1.16.0 中被移除。
 
+#### DNS 规则动作中的 `strategy`
+
+DNS 规则动作中的 `strategy` 已废弃，
+且仅在 `legacyDNSMode` 中可用。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### DNS 规则中的 `ip_accept_any`
+
+DNS 规则中的 `ip_accept_any` 已废弃，
+且仅在 `legacyDNSMode` 中可用。
+请使用 `match_response` 和响应项替代。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### DNS 规则中的 `rule_set_ip_cidr_accept_empty`
+
+DNS 规则中的 `rule_set_ip_cidr_accept_empty` 已废弃，
+且仅在 `legacyDNSMode` 中可用。
+
+旧字段将在 sing-box 1.16.0 中被移除。
+
+#### 旧的地址筛选 DNS 规则项
+
+旧的地址筛选 DNS 规则项（不使用 `match_response` 的 `ip_cidr`、`ip_is_private`）已废弃，
+且仅在 `legacyDNSMode` 中可用。
+请使用 `match_response` 和 `evaluate` 动作替代。
+
+旧行为将在 sing-box 1.16.0 中被移除。
+
 ## 1.12.0
 
 #### 旧的 DNS 服务器格式
@@ -21,7 +51,7 @@ TLS 中的内联 ACME 选项（`tls.acme`）已废弃，
 DNS 服务器已重构，
 参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式).
 
-对旧格式的兼容性将在 sing-box 1.14.0 中被移除。
+旧格式已在 sing-box 1.14.0 中被移除。
 
 #### `outbound` DNS 规则项
 

experimental/deprecated/constants.go

@@ -57,24 +57,6 @@ func (n Note) MessageWithLink() string {
 	}
 }
 
-var OptionLegacyDNSTransport = Note{
-	Name:              "legacy-dns-transport",
-	Description:       "legacy DNS servers",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-	EnvName:           "LEGACY_DNS_SERVERS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats",
-}
-
-var OptionLegacyDNSFakeIPOptions = Note{
-	Name:              "legacy-dns-fakeip-options",
-	Description:       "legacy DNS fakeip options",
-	DeprecatedVersion: "1.12.0",
-	ScheduledVersion:  "1.14.0",
-	EnvName:           "LEGACY_DNS_FAKEIP_OPTIONS",
-	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats",
-}
-
 var OptionOutboundDNSRuleItem = Note{
 	Name:              "outbound-dns-rule-item",
 	Description:       "outbound DNS rule item",
@@ -111,11 +93,45 @@ var OptionInlineACME = Note{
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-inline-acme-to-certificate-provider",
 }
 
+var OptionIPAcceptAny = Note{
+	Name:              "dns-rule-ip-accept-any",
+	Description:       "`ip_accept_any` in DNS rules",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	MigrationLink:     "https://sing-box.sagernet.org/configuration/dns/rule/",
+}
+
+var OptionRuleSetIPCIDRAcceptEmpty = Note{
+	Name:              "dns-rule-rule-set-ip-cidr-accept-empty",
+	Description:       "`rule_set_ip_cidr_accept_empty` in DNS rules",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	MigrationLink:     "https://sing-box.sagernet.org/configuration/dns/rule/",
+}
+
+var OptionLegacyDNSAddressFilter = Note{
+	Name:              "legacy-dns-address-filter",
+	Description:       "legacy address filter DNS rule items",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	MigrationLink:     "https://sing-box.sagernet.org/configuration/dns/rule/",
+}
+
+var OptionLegacyDNSRuleStrategy = Note{
+	Name:              "legacy-dns-rule-strategy",
+	Description:       "`strategy` in DNS rule actions",
+	DeprecatedVersion: "1.14.0",
+	ScheduledVersion:  "1.16.0",
+	MigrationLink:     "https://sing-box.sagernet.org/configuration/dns/rule_action/",
+}
+
 var Options = []Note{
-	OptionLegacyDNSTransport,
-	OptionLegacyDNSFakeIPOptions,
 	OptionOutboundDNSRuleItem,
 	OptionMissingDomainResolver,
 	OptionLegacyDomainStrategyOptions,
 	OptionInlineACME,
+	OptionIPAcceptAny,
+	OptionRuleSetIPCIDRAcceptEmpty,
+	OptionLegacyDNSAddressFilter,
+	OptionLegacyDNSRuleStrategy,
 }

go.mod

@@ -37,13 +37,13 @@ require (
 	github.com/sagernet/gomobile v0.1.12
 	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.59.0-sing-box-mod.4
-	github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde
+	github.com/sagernet/sing v0.8.3
 	github.com/sagernet/sing-mux v0.3.4
-	github.com/sagernet/sing-quic v0.6.0
+	github.com/sagernet/sing-quic v0.6.2-0.20260330152607-bf674c163212
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11
-	github.com/sagernet/sing-tun v0.8.7-0.20260327130747-85dc2d52a0b8
+	github.com/sagernet/sing-tun v0.8.7-0.20260323120017-8eb4e8acfc2d
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
 	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.7

go.sum

@@ -236,20 +236,20 @@ github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNen
 github.com/sagernet/nftables v0.3.0-beta.4/go.mod h1:OQXAjvjNGGFxaTgVCSTRIhYB5/llyVDeapVoENYBDS8=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4 h1:6qvrUW79S+CrPwWz6cMePXohgjHoKxLo3c+MDhNwc3o=
 github.com/sagernet/quic-go v0.59.0-sing-box-mod.4/go.mod h1:OqILvS182CyOol5zNNo6bguvOGgXzV459+chpRaUC+4=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde h1:RNQzlpnsXIuu1HGts/fIzJ1PR7RhrzaNlU52MDyiX1c=
-github.com/sagernet/sing v0.8.3-0.20260315153529-ed51f65fbfde/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
+github.com/sagernet/sing v0.8.3 h1:zGMy9M1deBPEew9pCYIUHKeE+/lDQ5A2CBqjBjjzqkA=
+github.com/sagernet/sing v0.8.3/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.4 h1:ZQplKl8MNXutjzbMVtWvWG31fohhgOfCuUZR4dVQ8+s=
 github.com/sagernet/sing-mux v0.3.4/go.mod h1:QvlKMyNBNrQoyX4x+gq028uPbLM2XeRpWtDsWBJbFSk=
-github.com/sagernet/sing-quic v0.6.0 h1:dhrFnP45wgVKEOT1EvtsToxdzRnHIDIAgj6WHV9pLyM=
-github.com/sagernet/sing-quic v0.6.0/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
+github.com/sagernet/sing-quic v0.6.2-0.20260330152607-bf674c163212 h1:7mFOUqy+DyOj7qKGd1X54UMXbnbJiiMileK/tn17xYc=
+github.com/sagernet/sing-quic v0.6.2-0.20260330152607-bf674c163212/go.mod h1:K5bWvITOm4vE10fwLfrWpw27bCoVJ+tfQ79tOWg+Ko8=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11 h1:tK+75l64tm9WvEFrYRE1t0YxoFdWQqw/h7Uhzj0vJ+w=
 github.com/sagernet/sing-shadowtls v0.2.1-0.20250503051639-fcd445d33c11/go.mod h1:sWqKnGlMipCHaGsw1sTTlimyUpgzP4WP3pjhCsYt9oA=
-github.com/sagernet/sing-tun v0.8.7-0.20260327130747-85dc2d52a0b8 h1:YxCs60xDya7R4NT+89v4Il+LjsSfCT/ceHegpe0xuls=
-github.com/sagernet/sing-tun v0.8.7-0.20260327130747-85dc2d52a0b8/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
+github.com/sagernet/sing-tun v0.8.7-0.20260323120017-8eb4e8acfc2d h1:vi0j6301f6H8t2GYgAC2PA2AdnGdMwkP34B4+N03Qt4=
+github.com/sagernet/sing-tun v0.8.7-0.20260323120017-8eb4e8acfc2d/go.mod h1:pLCo4o+LacXEzz0bhwhJkKBjLlKOGPBNOAZ97ZVZWzs=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkVyVvdmBSufR8/nRFonwJeKSIROxHcm5br9o=
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=

option/dns.go

@@ -3,19 +3,14 @@ package option
 import (
 	"context"
 	"net/netip"
-	"net/url"
 
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/deprecated"
-	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
 	"github.com/sagernet/sing/common/json/badoption"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/service"
-
-	"github.com/miekg/dns"
 )
 
 type RawDNSOptions struct {
@@ -26,80 +21,29 @@ type RawDNSOptions struct {
 	DNSClientOptions
 }
 
-type LegacyDNSOptions struct {
-	FakeIP *LegacyDNSFakeIPOptions `json:"fakeip,omitempty"`
-}
-
 type DNSOptions struct {
 	RawDNSOptions
-	LegacyDNSOptions
 }
 
-type contextKeyDontUpgrade struct{}
+const (
+	legacyDNSFakeIPRemovedMessage = "legacy DNS fakeip options are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, checkout migration: https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats"
+	legacyDNSServerRemovedMessage = "legacy DNS server formats are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, checkout migration: https://sing-box.sagernet.org/migration/#migrate-to-new-dns-server-formats"
+)
 
-func ContextWithDontUpgrade(ctx context.Context) context.Context {
-	return context.WithValue(ctx, (*contextKeyDontUpgrade)(nil), true)
-}
-
-func dontUpgradeFromContext(ctx context.Context) bool {
-	return ctx.Value((*contextKeyDontUpgrade)(nil)) == true
+type removedLegacyDNSOptions struct {
+	FakeIP json.RawMessage `json:"fakeip,omitempty"`
 }
 
 func (o *DNSOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
-	err := json.UnmarshalContext(ctx, content, &o.LegacyDNSOptions)
+	var legacyOptions removedLegacyDNSOptions
+	err := json.UnmarshalContext(ctx, content, &legacyOptions)
 	if err != nil {
 		return err
 	}
-	dontUpgrade := dontUpgradeFromContext(ctx)
-	legacyOptions := o.LegacyDNSOptions
-	if !dontUpgrade {
-		if o.FakeIP != nil && o.FakeIP.Enabled {
-			deprecated.Report(ctx, deprecated.OptionLegacyDNSFakeIPOptions)
-			ctx = context.WithValue(ctx, (*LegacyDNSFakeIPOptions)(nil), o.FakeIP)
-		}
-		o.LegacyDNSOptions = LegacyDNSOptions{}
+	if len(legacyOptions.FakeIP) != 0 {
+		return E.New(legacyDNSFakeIPRemovedMessage)
 	}
-	err = badjson.UnmarshallExcludedContext(ctx, content, legacyOptions, &o.RawDNSOptions)
-	if err != nil {
-		return err
-	}
-	if !dontUpgrade {
-		rcodeMap := make(map[string]int)
-		o.Servers = common.Filter(o.Servers, func(it DNSServerOptions) bool {
-			if it.Type == C.DNSTypeLegacyRcode {
-				rcodeMap[it.Tag] = it.Options.(int)
-				return false
-			}
-			return true
-		})
-		if len(rcodeMap) > 0 {
-			for i := 0; i < len(o.Rules); i++ {
-				rewriteRcode(rcodeMap, &o.Rules[i])
-			}
-		}
-	}
-	return nil
-}
-
-func rewriteRcode(rcodeMap map[string]int, rule *DNSRule) {
-	switch rule.Type {
-	case C.RuleTypeDefault:
-		rewriteRcodeAction(rcodeMap, &rule.DefaultOptions.DNSRuleAction)
-	case C.RuleTypeLogical:
-		rewriteRcodeAction(rcodeMap, &rule.LogicalOptions.DNSRuleAction)
-	}
-}
-
-func rewriteRcodeAction(rcodeMap map[string]int, ruleAction *DNSRuleAction) {
-	if ruleAction.Action != C.RuleActionTypeRoute {
-		return
-	}
-	rcode, loaded := rcodeMap[ruleAction.RouteOptions.Server]
-	if !loaded {
-		return
-	}
-	ruleAction.Action = C.RuleActionTypePredefined
-	ruleAction.PredefinedOptions.Rcode = common.Ptr(DNSRCode(rcode))
+	return badjson.UnmarshallExcludedContext(ctx, content, legacyOptions, &o.RawDNSOptions)
 }
 
 type DNSClientOptions struct {
@@ -111,12 +55,6 @@ type DNSClientOptions struct {
 	ClientSubnet     *badoption.Prefixable `json:"client_subnet,omitempty"`
 }
 
-type LegacyDNSFakeIPOptions struct {
-	Enabled    bool              `json:"enabled,omitempty"`
-	Inet4Range *badoption.Prefix `json:"inet4_range,omitempty"`
-	Inet6Range *badoption.Prefix `json:"inet6_range,omitempty"`
-}
-
 type DNSTransportOptionsRegistry interface {
 	CreateOptions(transportType string) (any, bool)
 }
@@ -129,10 +67,6 @@ type _DNSServerOptions struct {
 type DNSServerOptions _DNSServerOptions
 
 func (o *DNSServerOptions) MarshalJSONContext(ctx context.Context) ([]byte, error) {
-	switch o.Type {
-	case C.DNSTypeLegacy:
-		o.Type = ""
-	}
 	return badjson.MarshallObjectsContext(ctx, (*_DNSServerOptions)(o), o.Options)
 }
 
@@ -148,9 +82,7 @@ func (o *DNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []b
 	var options any
 	switch o.Type {
 	case "", C.DNSTypeLegacy:
-		o.Type = C.DNSTypeLegacy
-		options = new(LegacyDNSServerOptions)
-		deprecated.Report(ctx, deprecated.OptionLegacyDNSTransport)
+		return E.New(legacyDNSServerRemovedMessage)
 	default:
 		var loaded bool
 		options, loaded = registry.CreateOptions(o.Type)
@@ -163,169 +95,6 @@ func (o *DNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []b
 		return err
 	}
 	o.Options = options
-	if o.Type == C.DNSTypeLegacy && !dontUpgradeFromContext(ctx) {
-		err = o.Upgrade(ctx)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (o *DNSServerOptions) Upgrade(ctx context.Context) error {
-	if o.Type != C.DNSTypeLegacy {
-		return nil
-	}
-	options := o.Options.(*LegacyDNSServerOptions)
-	serverURL, _ := url.Parse(options.Address)
-	var serverType string
-	if serverURL != nil && serverURL.Scheme != "" {
-		serverType = serverURL.Scheme
-	} else {
-		switch options.Address {
-		case "local", "fakeip":
-			serverType = options.Address
-		default:
-			serverType = C.DNSTypeUDP
-		}
-	}
-	remoteOptions := RemoteDNSServerOptions{
-		RawLocalDNSServerOptions: RawLocalDNSServerOptions{
-			DialerOptions: DialerOptions{
-				Detour: options.Detour,
-				DomainResolver: &DomainResolveOptions{
-					Server:   options.AddressResolver,
-					Strategy: options.AddressStrategy,
-				},
-				FallbackDelay: options.AddressFallbackDelay,
-			},
-			Legacy:              true,
-			LegacyStrategy:      options.Strategy,
-			LegacyDefaultDialer: options.Detour == "",
-			LegacyClientSubnet:  options.ClientSubnet.Build(netip.Prefix{}),
-		},
-		LegacyAddressResolver:      options.AddressResolver,
-		LegacyAddressStrategy:      options.AddressStrategy,
-		LegacyAddressFallbackDelay: options.AddressFallbackDelay,
-	}
-	switch serverType {
-	case C.DNSTypeLocal:
-		o.Type = C.DNSTypeLocal
-		o.Options = &LocalDNSServerOptions{
-			RawLocalDNSServerOptions: remoteOptions.RawLocalDNSServerOptions,
-		}
-	case C.DNSTypeUDP:
-		o.Type = C.DNSTypeUDP
-		o.Options = &remoteOptions
-		var serverAddr M.Socksaddr
-		if serverURL == nil || serverURL.Scheme == "" {
-			serverAddr = M.ParseSocksaddr(options.Address)
-		} else {
-			serverAddr = M.ParseSocksaddr(serverURL.Host)
-		}
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		remoteOptions.Server = serverAddr.AddrString()
-		if serverAddr.Port != 0 && serverAddr.Port != 53 {
-			remoteOptions.ServerPort = serverAddr.Port
-		}
-	case C.DNSTypeTCP:
-		o.Type = C.DNSTypeTCP
-		o.Options = &remoteOptions
-		if serverURL == nil {
-			return E.New("invalid server address")
-		}
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		remoteOptions.Server = serverAddr.AddrString()
-		if serverAddr.Port != 0 && serverAddr.Port != 53 {
-			remoteOptions.ServerPort = serverAddr.Port
-		}
-	case C.DNSTypeTLS, C.DNSTypeQUIC:
-		o.Type = serverType
-		if serverURL == nil {
-			return E.New("invalid server address")
-		}
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		remoteOptions.Server = serverAddr.AddrString()
-		if serverAddr.Port != 0 && serverAddr.Port != 853 {
-			remoteOptions.ServerPort = serverAddr.Port
-		}
-		o.Options = &RemoteTLSDNSServerOptions{
-			RemoteDNSServerOptions: remoteOptions,
-		}
-	case C.DNSTypeHTTPS, C.DNSTypeHTTP3:
-		o.Type = serverType
-		httpsOptions := RemoteHTTPSDNSServerOptions{
-			RemoteTLSDNSServerOptions: RemoteTLSDNSServerOptions{
-				RemoteDNSServerOptions: remoteOptions,
-			},
-		}
-		o.Options = &httpsOptions
-		if serverURL == nil {
-			return E.New("invalid server address")
-		}
-		serverAddr := M.ParseSocksaddr(serverURL.Host)
-		if !serverAddr.IsValid() {
-			return E.New("invalid server address")
-		}
-		httpsOptions.Server = serverAddr.AddrString()
-		if serverAddr.Port != 0 && serverAddr.Port != 443 {
-			httpsOptions.ServerPort = serverAddr.Port
-		}
-		if serverURL.Path != "/dns-query" {
-			httpsOptions.Path = serverURL.Path
-		}
-	case "rcode":
-		var rcode int
-		if serverURL == nil {
-			return E.New("invalid server address")
-		}
-		switch serverURL.Host {
-		case "success":
-			rcode = dns.RcodeSuccess
-		case "format_error":
-			rcode = dns.RcodeFormatError
-		case "server_failure":
-			rcode = dns.RcodeServerFailure
-		case "name_error":
-			rcode = dns.RcodeNameError
-		case "not_implemented":
-			rcode = dns.RcodeNotImplemented
-		case "refused":
-			rcode = dns.RcodeRefused
-		default:
-			return E.New("unknown rcode: ", serverURL.Host)
-		}
-		o.Type = C.DNSTypeLegacyRcode
-		o.Options = rcode
-	case C.DNSTypeDHCP:
-		o.Type = C.DNSTypeDHCP
-		dhcpOptions := DHCPDNSServerOptions{}
-		if serverURL == nil {
-			return E.New("invalid server address")
-		}
-		if serverURL.Host != "" && serverURL.Host != "auto" {
-			dhcpOptions.Interface = serverURL.Host
-		}
-		o.Options = &dhcpOptions
-	case C.DNSTypeFakeIP:
-		o.Type = C.DNSTypeFakeIP
-		fakeipOptions := FakeIPDNSServerOptions{}
-		if legacyOptions, loaded := ctx.Value((*LegacyDNSFakeIPOptions)(nil)).(*LegacyDNSFakeIPOptions); loaded {
-			fakeipOptions.Inet4Range = legacyOptions.Inet4Range
-			fakeipOptions.Inet6Range = legacyOptions.Inet6Range
-		}
-		o.Options = &fakeipOptions
-	default:
-		return E.New("unsupported DNS server scheme: ", serverType)
-	}
 	return nil
 }
 
@@ -350,16 +119,6 @@ func (o *DNSServerAddressOptions) ReplaceServerOptions(options ServerOptions) {
 	*o = DNSServerAddressOptions(options)
 }
 
-type LegacyDNSServerOptions struct {
-	Address              string                `json:"address"`
-	AddressResolver      string                `json:"address_resolver,omitempty"`
-	AddressStrategy      DomainStrategy        `json:"address_strategy,omitempty"`
-	AddressFallbackDelay badoption.Duration    `json:"address_fallback_delay,omitempty"`
-	Strategy             DomainStrategy        `json:"strategy,omitempty"`
-	Detour               string                `json:"detour,omitempty"`
-	ClientSubnet         *badoption.Prefixable `json:"client_subnet,omitempty"`
-}
-
 type HostsDNSServerOptions struct {
 	Path       badoption.Listable[string]                                `json:"path,omitempty"`
 	Predefined *badjson.TypedMap[string, badoption.Listable[netip.Addr]] `json:"predefined,omitempty"`
@@ -367,10 +126,6 @@ type HostsDNSServerOptions struct {
 
 type RawLocalDNSServerOptions struct {
 	DialerOptions
-	Legacy              bool           `json:"-"`
-	LegacyStrategy      DomainStrategy `json:"-"`
-	LegacyDefaultDialer bool           `json:"-"`
-	LegacyClientSubnet  netip.Prefix   `json:"-"`
 }
 
 type LocalDNSServerOptions struct {
@@ -381,9 +136,6 @@ type LocalDNSServerOptions struct {
 type RemoteDNSServerOptions struct {
 	RawLocalDNSServerOptions
 	DNSServerAddressOptions
-	LegacyAddressResolver      string             `json:"-"`
-	LegacyAddressStrategy      DomainStrategy     `json:"-"`
-	LegacyAddressFallbackDelay badoption.Duration `json:"-"`
 }
 
 type RemoteTLSDNSServerOptions struct {

option/dns_record.go

@@ -2,6 +2,7 @@ package option
 
 import (
 	"encoding/base64"
+	"strings"
 
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -11,6 +12,8 @@ import (
 	"github.com/miekg/dns"
 )
 
+const defaultDNSRecordTTL uint32 = 3600
+
 type DNSRCode int
 
 func (r DNSRCode) MarshalJSON() ([]byte, error) {
@@ -76,10 +79,13 @@ func (o *DNSRecordOptions) UnmarshalJSON(data []byte) error {
 	if err == nil {
 		return o.unmarshalBase64(binary)
 	}
-	record, err := dns.NewRR(stringValue)
+	record, err := parseDNSRecord(stringValue)
 	if err != nil {
 		return err
 	}
+	if record == nil {
+		return E.New("empty DNS record")
+	}
 	if a, isA := record.(*dns.A); isA {
 		a.A = M.AddrFromIP(a.A).Unmap().AsSlice()
 	}
@@ -87,6 +93,16 @@ func (o *DNSRecordOptions) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+func parseDNSRecord(stringValue string) (dns.RR, error) {
+	if len(stringValue) > 0 && stringValue[len(stringValue)-1] != '\n' {
+		stringValue += "\n"
+	}
+	parser := dns.NewZoneParser(strings.NewReader(stringValue), "", "")
+	parser.SetDefaultTTL(defaultDNSRecordTTL)
+	record, _ := parser.Next()
+	return record, parser.Err()
+}
+
 func (o *DNSRecordOptions) unmarshalBase64(binary []byte) error {
 	record, _, err := dns.UnpackRR(binary, 0)
 	if err != nil {
@@ -100,3 +116,10 @@ func (o *DNSRecordOptions) unmarshalBase64(binary []byte) error {
 func (o DNSRecordOptions) Build() dns.RR {
 	return o.RR
 }
+
+func (o DNSRecordOptions) Match(record dns.RR) bool {
+	if o.RR == nil || record == nil {
+		return false
+	}
+	return dns.IsDuplicate(o.RR, record)
+}

option/dns_record_test.go

@@ -0,0 +1,52 @@
+package option
+
+import (
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func mustRecordOptions(t *testing.T, record string) DNSRecordOptions {
+	t.Helper()
+	var value DNSRecordOptions
+	require.NoError(t, value.UnmarshalJSON([]byte(`"`+record+`"`)))
+	return value
+}
+
+func TestDNSRecordOptionsUnmarshalJSONAcceptsFullyQualifiedNames(t *testing.T) {
+	t.Parallel()
+
+	for _, record := range []string{
+		"example.com. A 1.1.1.1",
+		"www.example.com. IN CNAME example.com.",
+	} {
+		value := mustRecordOptions(t, record)
+		require.NotNil(t, value.RR)
+	}
+}
+
+func TestDNSRecordOptionsUnmarshalJSONRejectsRelativeNames(t *testing.T) {
+	t.Parallel()
+
+	for _, record := range []string{
+		"@ IN A 1.1.1.1",
+		"www IN CNAME example.com.",
+		"example.com. IN CNAME @",
+		"example.com. IN CNAME www",
+	} {
+		var value DNSRecordOptions
+		err := value.UnmarshalJSON([]byte(`"` + record + `"`))
+		require.Error(t, err)
+	}
+}
+
+func TestDNSRecordOptionsMatchIgnoresTTL(t *testing.T) {
+	t.Parallel()
+
+	expected := mustRecordOptions(t, "example.com. 600 IN A 1.1.1.1")
+	record, err := dns.NewRR("example.com. 60 IN A 1.1.1.1")
+	require.NoError(t, err)
+
+	require.True(t, expected.Match(record))
+}

option/dns_test.go

@@ -0,0 +1,72 @@
+package option
+
+import (
+	"context"
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/service"
+
+	"github.com/stretchr/testify/require"
+)
+
+type stubDNSTransportOptionsRegistry struct{}
+
+func (stubDNSTransportOptionsRegistry) CreateOptions(transportType string) (any, bool) {
+	switch transportType {
+	case C.DNSTypeUDP:
+		return new(RemoteDNSServerOptions), true
+	case C.DNSTypeFakeIP:
+		return new(FakeIPDNSServerOptions), true
+	default:
+		return nil, false
+	}
+}
+
+func TestDNSOptionsRejectsLegacyFakeIPOptions(t *testing.T) {
+	t.Parallel()
+
+	ctx := service.ContextWith[DNSTransportOptionsRegistry](context.Background(), stubDNSTransportOptionsRegistry{})
+	var options DNSOptions
+	err := json.UnmarshalContext(ctx, []byte(`{
+		"fakeip": {
+			"enabled": true,
+			"inet4_range": "198.18.0.0/15"
+		}
+	}`), &options)
+	require.EqualError(t, err, legacyDNSFakeIPRemovedMessage)
+}
+
+func TestDNSServerOptionsRejectsLegacyFormats(t *testing.T) {
+	t.Parallel()
+
+	ctx := service.ContextWith[DNSTransportOptionsRegistry](context.Background(), stubDNSTransportOptionsRegistry{})
+	testCases := []string{
+		`{"address":"1.1.1.1"}`,
+		`{"type":"legacy","address":"1.1.1.1"}`,
+	}
+	for _, content := range testCases {
+		var options DNSServerOptions
+		err := json.UnmarshalContext(ctx, []byte(content), &options)
+		require.EqualError(t, err, legacyDNSServerRemovedMessage)
+	}
+}
+
+func TestDNSOptionsAcceptsTypedServers(t *testing.T) {
+	t.Parallel()
+
+	ctx := service.ContextWith[DNSTransportOptionsRegistry](context.Background(), stubDNSTransportOptionsRegistry{})
+	var options DNSOptions
+	err := json.UnmarshalContext(ctx, []byte(`{
+		"servers": [
+			{"type": "udp", "tag": "default", "server": "1.1.1.1"},
+			{"type": "fakeip", "tag": "fake", "inet4_range": "198.18.0.0/15"}
+		]
+	}`), &options)
+	require.NoError(t, err)
+	require.Len(t, options.Servers, 2)
+	require.Equal(t, C.DNSTypeUDP, options.Servers[0].Type)
+	require.Equal(t, "1.1.1.1", options.Servers[0].Options.(*RemoteDNSServerOptions).Server)
+	require.Equal(t, C.DNSTypeFakeIP, options.Servers[1].Type)
+}

option/hysteria2.go

@@ -19,6 +19,7 @@ type Hysteria2InboundOptions struct {
 	IgnoreClientBandwidth bool            `json:"ignore_client_bandwidth,omitempty"`
 	InboundTLSOptionsContainer
 	Masquerade  *Hysteria2Masquerade `json:"masquerade,omitempty"`
+	BBRProfile  string               `json:"bbr_profile,omitempty"`
 	BrutalDebug bool                 `json:"brutal_debug,omitempty"`
 }
 
@@ -112,13 +113,15 @@ type Hysteria2MasqueradeString struct {
 type Hysteria2OutboundOptions struct {
 	DialerOptions
 	ServerOptions
-	ServerPorts badoption.Listable[string] `json:"server_ports,omitempty"`
-	HopInterval badoption.Duration         `json:"hop_interval,omitempty"`
-	UpMbps      int                        `json:"up_mbps,omitempty"`
-	DownMbps    int                        `json:"down_mbps,omitempty"`
-	Obfs        *Hysteria2Obfs             `json:"obfs,omitempty"`
-	Password    string                     `json:"password,omitempty"`
-	Network     NetworkList                `json:"network,omitempty"`
+	ServerPorts    badoption.Listable[string] `json:"server_ports,omitempty"`
+	HopInterval    badoption.Duration         `json:"hop_interval,omitempty"`
+	HopIntervalMax badoption.Duration         `json:"hop_interval_max,omitempty"`
+	UpMbps         int                        `json:"up_mbps,omitempty"`
+	DownMbps       int                        `json:"down_mbps,omitempty"`
+	Obfs           *Hysteria2Obfs             `json:"obfs,omitempty"`
+	Password       string                     `json:"password,omitempty"`
+	Network        NetworkList                `json:"network,omitempty"`
 	OutboundTLSOptionsContainer
-	BrutalDebug bool `json:"brutal_debug,omitempty"`
+	BBRProfile  string `json:"bbr_profile,omitempty"`
+	BrutalDebug bool   `json:"brutal_debug,omitempty"`
 }

option/rule.go

@@ -1,6 +1,7 @@
 package option
 
 import (
+	"context"
 	"reflect"
 
 	C "github.com/sagernet/sing-box/constant"
@@ -33,26 +34,24 @@ func (r Rule) MarshalJSON() ([]byte, error) {
 	return badjson.MarshallObjects((_Rule)(r), v)
 }
 
-func (r *Rule) UnmarshalJSON(bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_Rule)(r))
+func (r *Rule) UnmarshalJSONContext(ctx context.Context, bytes []byte) error {
+	err := json.UnmarshalContext(ctx, bytes, (*_Rule)(r))
+	if err != nil {
+		return err
+	}
+	payload, err := rulePayloadWithoutType(ctx, bytes)
 	if err != nil {
 		return err
 	}
-	var v any
 	switch r.Type {
 	case "", C.RuleTypeDefault:
 		r.Type = C.RuleTypeDefault
-		v = &r.DefaultOptions
+		return unmarshalDefaultRuleContext(ctx, payload, &r.DefaultOptions)
 	case C.RuleTypeLogical:
-		v = &r.LogicalOptions
+		return unmarshalLogicalRuleContext(ctx, payload, &r.LogicalOptions)
 	default:
 		return E.New("unknown rule type: " + r.Type)
 	}
-	err = badjson.UnmarshallExcluded(bytes, (*_Rule)(r), v)
-	if err != nil {
-		return err
-	}
-	return nil
 }
 
 func (r Rule) IsValid() bool {
@@ -160,6 +159,64 @@ func (r *LogicalRule) UnmarshalJSON(data []byte) error {
 	return badjson.UnmarshallExcluded(data, &r.RawLogicalRule, &r.RuleAction)
 }
 
+func rulePayloadWithoutType(ctx context.Context, data []byte) ([]byte, error) {
+	var content badjson.JSONObject
+	err := content.UnmarshalJSONContext(ctx, data)
+	if err != nil {
+		return nil, err
+	}
+	content.Remove("type")
+	return content.MarshalJSONContext(ctx)
+}
+
+func unmarshalDefaultRuleContext(ctx context.Context, data []byte, rule *DefaultRule) error {
+	rawAction, routeOptions, err := inspectRouteRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	err = rejectNestedRouteRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	depth := nestedRuleDepth(ctx)
+	err = json.UnmarshalContext(ctx, data, &rule.RawDefaultRule)
+	if err != nil {
+		return err
+	}
+	err = badjson.UnmarshallExcludedContext(ctx, data, &rule.RawDefaultRule, &rule.RuleAction)
+	if err != nil {
+		return err
+	}
+	if depth > 0 && rawAction == "" && routeOptions == (RouteActionOptions{}) {
+		rule.RuleAction = RuleAction{}
+	}
+	return nil
+}
+
+func unmarshalLogicalRuleContext(ctx context.Context, data []byte, rule *LogicalRule) error {
+	rawAction, routeOptions, err := inspectRouteRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	err = rejectNestedRouteRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	depth := nestedRuleDepth(ctx)
+	err = json.UnmarshalContext(nestedRuleChildContext(ctx), data, &rule.RawLogicalRule)
+	if err != nil {
+		return err
+	}
+	err = badjson.UnmarshallExcludedContext(ctx, data, &rule.RawLogicalRule, &rule.RuleAction)
+	if err != nil {
+		return err
+	}
+	if depth > 0 && rawAction == "" && routeOptions == (RouteActionOptions{}) {
+		rule.RuleAction = RuleAction{}
+	}
+	return nil
+}
+
 func (r *LogicalRule) IsValid() bool {
 	return len(r.Rules) > 0 && common.All(r.Rules, Rule.IsValid)
 }

option/rule_action.go

@@ -115,6 +115,8 @@ func (r DNSRuleAction) MarshalJSON() ([]byte, error) {
 	case C.RuleActionTypeRoute:
 		r.Action = ""
 		v = r.RouteOptions
+	case C.RuleActionTypeEvaluate:
+		v = r.RouteOptions
 	case C.RuleActionTypeRouteOptions:
 		v = r.RouteOptionsOptions
 	case C.RuleActionTypeReject:
@@ -137,6 +139,8 @@ func (r *DNSRuleAction) UnmarshalJSONContext(ctx context.Context, data []byte) e
 	case "", C.RuleActionTypeRoute:
 		r.Action = C.RuleActionTypeRoute
 		v = &r.RouteOptions
+	case C.RuleActionTypeEvaluate:
+		v = &r.RouteOptions
 	case C.RuleActionTypeRouteOptions:
 		v = &r.RouteOptionsOptions
 	case C.RuleActionTypeReject:

option/rule_dns.go

@@ -35,7 +35,7 @@ func (r DNSRule) MarshalJSON() ([]byte, error) {
 }
 
 func (r *DNSRule) UnmarshalJSONContext(ctx context.Context, bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_DNSRule)(r))
+	err := json.UnmarshalContext(ctx, bytes, (*_DNSRule)(r))
 	if err != nil {
 		return err
 	}
@@ -78,12 +78,6 @@ type RawDefaultDNSRule struct {
 	DomainSuffix             badoption.Listable[string]                                                  `json:"domain_suffix,omitempty"`
 	DomainKeyword            badoption.Listable[string]                                                  `json:"domain_keyword,omitempty"`
 	DomainRegex              badoption.Listable[string]                                                  `json:"domain_regex,omitempty"`
-	Geosite                  badoption.Listable[string]                                                  `json:"geosite,omitempty"`
-	SourceGeoIP              badoption.Listable[string]                                                  `json:"source_geoip,omitempty"`
-	GeoIP                    badoption.Listable[string]                                                  `json:"geoip,omitempty"`
-	IPCIDR                   badoption.Listable[string]                                                  `json:"ip_cidr,omitempty"`
-	IPIsPrivate              bool                                                                        `json:"ip_is_private,omitempty"`
-	IPAcceptAny              bool                                                                        `json:"ip_accept_any,omitempty"`
 	SourceIPCIDR             badoption.Listable[string]                                                  `json:"source_ip_cidr,omitempty"`
 	SourceIPIsPrivate        bool                                                                        `json:"source_ip_is_private,omitempty"`
 	SourcePort               badoption.Listable[uint16]                                                  `json:"source_port,omitempty"`
@@ -110,9 +104,23 @@ type RawDefaultDNSRule struct {
 	SourceHostname           badoption.Listable[string]                                                  `json:"source_hostname,omitempty"`
 	RuleSet                  badoption.Listable[string]                                                  `json:"rule_set,omitempty"`
 	RuleSetIPCIDRMatchSource bool                                                                        `json:"rule_set_ip_cidr_match_source,omitempty"`
-	RuleSetIPCIDRAcceptEmpty bool                                                                        `json:"rule_set_ip_cidr_accept_empty,omitempty"`
+	MatchResponse            bool                                                                        `json:"match_response,omitempty"`
+	IPCIDR                   badoption.Listable[string]                                                  `json:"ip_cidr,omitempty"`
+	IPIsPrivate              bool                                                                        `json:"ip_is_private,omitempty"`
+	ResponseRcode            *DNSRCode                                                                   `json:"response_rcode,omitempty"`
+	ResponseAnswer           badoption.Listable[DNSRecordOptions]                                        `json:"response_answer,omitempty"`
+	ResponseNs               badoption.Listable[DNSRecordOptions]                                        `json:"response_ns,omitempty"`
+	ResponseExtra            badoption.Listable[DNSRecordOptions]                                        `json:"response_extra,omitempty"`
 	Invert                   bool                                                                        `json:"invert,omitempty"`
 
+	// Deprecated: removed in sing-box 1.12.0
+	Geosite     badoption.Listable[string] `json:"geosite,omitempty"`
+	SourceGeoIP badoption.Listable[string] `json:"source_geoip,omitempty"`
+	GeoIP       badoption.Listable[string] `json:"geoip,omitempty"`
+	// Deprecated: use match_response with response items
+	IPAcceptAny bool `json:"ip_accept_any,omitempty"`
+	// Deprecated: removed in sing-box 1.11.0
+	RuleSetIPCIDRAcceptEmpty bool `json:"rule_set_ip_cidr_accept_empty,omitempty"`
 	// Deprecated: renamed to rule_set_ip_cidr_match_source
 	Deprecated_RulesetIPCIDRMatchSource bool `json:"rule_set_ipcidr_match_source,omitempty"`
 }
@@ -127,11 +135,27 @@ func (r DefaultDNSRule) MarshalJSON() ([]byte, error) {
 }
 
 func (r *DefaultDNSRule) UnmarshalJSONContext(ctx context.Context, data []byte) error {
-	err := json.UnmarshalContext(ctx, data, &r.RawDefaultDNSRule)
+	rawAction, routeOptions, err := inspectDNSRuleAction(ctx, data)
 	if err != nil {
 		return err
 	}
-	return badjson.UnmarshallExcludedContext(ctx, data, &r.RawDefaultDNSRule, &r.DNSRuleAction)
+	err = rejectNestedDNSRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	depth := nestedRuleDepth(ctx)
+	err = json.UnmarshalContext(ctx, data, &r.RawDefaultDNSRule)
+	if err != nil {
+		return err
+	}
+	err = badjson.UnmarshallExcludedContext(ctx, data, &r.RawDefaultDNSRule, &r.DNSRuleAction)
+	if err != nil {
+		return err
+	}
+	if depth > 0 && rawAction == "" && routeOptions == (DNSRouteActionOptions{}) {
+		r.DNSRuleAction = DNSRuleAction{}
+	}
+	return nil
 }
 
 func (r DefaultDNSRule) IsValid() bool {
@@ -156,11 +180,27 @@ func (r LogicalDNSRule) MarshalJSON() ([]byte, error) {
 }
 
 func (r *LogicalDNSRule) UnmarshalJSONContext(ctx context.Context, data []byte) error {
-	err := json.Unmarshal(data, &r.RawLogicalDNSRule)
+	rawAction, routeOptions, err := inspectDNSRuleAction(ctx, data)
 	if err != nil {
 		return err
 	}
-	return badjson.UnmarshallExcludedContext(ctx, data, &r.RawLogicalDNSRule, &r.DNSRuleAction)
+	err = rejectNestedDNSRuleAction(ctx, data)
+	if err != nil {
+		return err
+	}
+	depth := nestedRuleDepth(ctx)
+	err = json.UnmarshalContext(nestedRuleChildContext(ctx), data, &r.RawLogicalDNSRule)
+	if err != nil {
+		return err
+	}
+	err = badjson.UnmarshallExcludedContext(ctx, data, &r.RawLogicalDNSRule, &r.DNSRuleAction)
+	if err != nil {
+		return err
+	}
+	if depth > 0 && rawAction == "" && routeOptions == (DNSRouteActionOptions{}) {
+		r.DNSRuleAction = DNSRuleAction{}
+	}
+	return nil
 }
 
 func (r *LogicalDNSRule) IsValid() bool {

option/rule_nested.go

@@ -0,0 +1,133 @@
+package option
+
+import (
+	"context"
+	"reflect"
+	"strings"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
+)
+
+type nestedRuleDepthContextKey struct{}
+
+const (
+	routeRuleActionNestedUnsupportedMessage = "rule action is not supported in nested rules"
+	dnsRuleActionNestedUnsupportedMessage   = "DNS rule action is not supported in nested rules"
+)
+
+var (
+	routeRuleActionKeys = jsonFieldNames(reflect.TypeFor[_RuleAction](), reflect.TypeFor[RouteActionOptions]())
+	dnsRuleActionKeys   = jsonFieldNames(reflect.TypeFor[_DNSRuleAction](), reflect.TypeFor[DNSRouteActionOptions]())
+)
+
+func nestedRuleChildContext(ctx context.Context) context.Context {
+	return context.WithValue(ctx, nestedRuleDepthContextKey{}, nestedRuleDepth(ctx)+1)
+}
+
+func rejectNestedRouteRuleAction(ctx context.Context, content []byte) error {
+	return rejectNestedRuleAction(ctx, content, routeRuleActionKeys, routeRuleActionNestedUnsupportedMessage)
+}
+
+func rejectNestedDNSRuleAction(ctx context.Context, content []byte) error {
+	return rejectNestedRuleAction(ctx, content, dnsRuleActionKeys, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func nestedRuleDepth(ctx context.Context) int {
+	depth, _ := ctx.Value(nestedRuleDepthContextKey{}).(int)
+	return depth
+}
+
+func rejectNestedRuleAction(ctx context.Context, content []byte, keys []string, message string) error {
+	if nestedRuleDepth(ctx) == 0 {
+		return nil
+	}
+	hasActionKey, err := hasAnyJSONKey(ctx, content, keys...)
+	if err != nil {
+		return err
+	}
+	if hasActionKey {
+		return E.New(message)
+	}
+	return nil
+}
+
+func hasAnyJSONKey(ctx context.Context, content []byte, keys ...string) (bool, error) {
+	var object badjson.JSONObject
+	err := object.UnmarshalJSONContext(ctx, content)
+	if err != nil {
+		return false, err
+	}
+	for _, key := range keys {
+		if object.ContainsKey(key) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func inspectRouteRuleAction(ctx context.Context, content []byte) (string, RouteActionOptions, error) {
+	var rawAction _RuleAction
+	err := json.UnmarshalContext(ctx, content, &rawAction)
+	if err != nil {
+		return "", RouteActionOptions{}, err
+	}
+	var routeOptions RouteActionOptions
+	err = json.UnmarshalContext(ctx, content, &routeOptions)
+	if err != nil {
+		return "", RouteActionOptions{}, err
+	}
+	return rawAction.Action, routeOptions, nil
+}
+
+func inspectDNSRuleAction(ctx context.Context, content []byte) (string, DNSRouteActionOptions, error) {
+	var rawAction _DNSRuleAction
+	err := json.UnmarshalContext(ctx, content, &rawAction)
+	if err != nil {
+		return "", DNSRouteActionOptions{}, err
+	}
+	var routeOptions DNSRouteActionOptions
+	err = json.UnmarshalContext(ctx, content, &routeOptions)
+	if err != nil {
+		return "", DNSRouteActionOptions{}, err
+	}
+	return rawAction.Action, routeOptions, nil
+}
+
+func jsonFieldNames(types ...reflect.Type) []string {
+	fieldMap := make(map[string]struct{})
+	for _, fieldType := range types {
+		appendJSONFieldNames(fieldMap, fieldType)
+	}
+	fieldNames := make([]string, 0, len(fieldMap))
+	for fieldName := range fieldMap {
+		fieldNames = append(fieldNames, fieldName)
+	}
+	return fieldNames
+}
+
+func appendJSONFieldNames(fieldMap map[string]struct{}, fieldType reflect.Type) {
+	for fieldType.Kind() == reflect.Pointer {
+		fieldType = fieldType.Elem()
+	}
+	if fieldType.Kind() != reflect.Struct {
+		return
+	}
+	for i := range fieldType.NumField() {
+		field := fieldType.Field(i)
+		tagValue := field.Tag.Get("json")
+		tagName, _, _ := strings.Cut(tagValue, ",")
+		if tagName == "-" {
+			continue
+		}
+		if field.Anonymous && tagName == "" {
+			appendJSONFieldNames(fieldMap, field.Type)
+			continue
+		}
+		if tagName == "" {
+			tagName = field.Name
+		}
+		fieldMap[tagName] = struct{}{}
+	}
+}

option/rule_nested_test.go

@@ -0,0 +1,271 @@
+package option
+
+import (
+	"context"
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common/json"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestRuleRejectsNestedDefaultRuleAction(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "outbound": "direct"}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleRejectsNestedLogicalRuleAction(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"action": "route",
+				"outbound": "direct",
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleRejectsNestedDefaultRuleZeroValueOutbound(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "outbound": ""}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleRejectsNestedDefaultRuleZeroValueRouteOption(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "udp_connect": false}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleRejectsNestedLogicalRuleZeroValueAction(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"action": "",
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleRejectsNestedLogicalRuleZeroValueRouteOption(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"override_port": 0,
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestRuleAllowsTopLevelLogicalAction(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"outbound": "direct",
+		"rules": [{"domain": "example.com"}]
+	}`), &rule)
+	require.NoError(t, err)
+	require.Equal(t, C.RuleActionTypeRoute, rule.LogicalOptions.Action)
+	require.Equal(t, "direct", rule.LogicalOptions.RouteOptions.Outbound)
+}
+
+func TestRuleLeavesUnknownNestedKeysToNormalValidation(t *testing.T) {
+	t.Parallel()
+
+	var rule Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "foo": "bar"}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, "unknown field")
+	require.NotContains(t, err.Error(), routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedDefaultRuleAction(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "server": "default"}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedLogicalRuleAction(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"action": "route",
+				"server": "default",
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedDefaultRuleZeroValueServer(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "server": ""}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedDefaultRuleZeroValueRouteOption(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "disable_cache": false}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedLogicalRuleZeroValueAction(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"action": "",
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleRejectsNestedLogicalRuleZeroValueRouteOption(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{
+				"type": "logical",
+				"mode": "or",
+				"disable_cache": false,
+				"rules": [{"domain": "example.com"}]
+			}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}
+
+func TestDNSRuleAllowsTopLevelLogicalAction(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"server": "default",
+		"rules": [{"domain": "example.com"}]
+	}`), &rule)
+	require.NoError(t, err)
+	require.Equal(t, C.RuleActionTypeRoute, rule.LogicalOptions.Action)
+	require.Equal(t, "default", rule.LogicalOptions.RouteOptions.Server)
+}
+
+func TestDNSRuleLeavesUnknownNestedKeysToNormalValidation(t *testing.T) {
+	t.Parallel()
+
+	var rule DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com", "foo": "bar"}
+		]
+	}`), &rule)
+	require.ErrorContains(t, err, "unknown field")
+	require.NotContains(t, err.Error(), dnsRuleActionNestedUnsupportedMessage)
+}

protocol/hysteria2/inbound.go

@@ -125,6 +125,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		UDPTimeout:            udpTimeout,
 		Handler:               inbound,
 		MasqueradeHandler:     masqueradeHandler,
+		BBRProfile:            options.BBRProfile,
 	})
 	if err != nil {
 		return nil, err

protocol/hysteria2/outbound.go

@@ -73,12 +73,14 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		ServerAddress:      options.ServerOptions.Build(),
 		ServerPorts:        options.ServerPorts,
 		HopInterval:        time.Duration(options.HopInterval),
+		HopIntervalMax:     time.Duration(options.HopIntervalMax),
 		SendBPS:            uint64(options.UpMbps * hysteria.MbpsToBps),
 		ReceiveBPS:         uint64(options.DownMbps * hysteria.MbpsToBps),
 		SalamanderPassword: salamanderPassword,
 		Password:           options.Password,
 		TLSConfig:          tlsConfig,
 		UDPDisabled:        !common.Contains(networkList, N.NetworkUDP),
+		BBRProfile:         options.BBRProfile,
 	})
 	if err != nil {
 		return nil, err

protocol/naive/inbound.go

@@ -29,7 +29,10 @@ import (
 	"golang.org/x/net/http2/h2c"
 )
 
-var ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
+var (
+	ConfigureHTTP3ListenerFunc func(ctx context.Context, logger logger.Logger, listener *listener.Listener, handler http.Handler, tlsConfig tls.ServerConfig, options option.NaiveInboundOptions) (io.Closer, error)
+	WrapError                  func(error) error
+)
 
 func RegisterInbound(registry *inbound.Registry) {
 	inbound.Register[option.NaiveInboundOptions](registry, C.TypeNaive, NewInbound)

protocol/naive/inbound_conn.go

@@ -179,18 +179,18 @@ type naiveConn struct {
 
 func (c *naiveConn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.Conn, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveConn) Write(p []byte) (n int, err error) {
 	n, err = c.writeChunked(c.Conn, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveConn) WriteBuffer(buffer *buf.Buffer) error {
 	defer buffer.Release()
 	err := c.writeBufferWithPadding(c.Conn, buffer)
-	return baderror.WrapH2(err)
+	return wrapError(err)
 }
 
 func (c *naiveConn) FrontHeadroom() int      { return c.frontHeadroom() }
@@ -210,7 +210,7 @@ type naiveH2Conn struct {
 
 func (c *naiveH2Conn) Read(p []byte) (n int, err error) {
 	n, err = c.readWithPadding(c.reader, p)
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
@@ -218,7 +218,7 @@ func (c *naiveH2Conn) Write(p []byte) (n int, err error) {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return n, baderror.WrapH2(err)
+	return n, wrapError(err)
 }
 
 func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
@@ -227,7 +227,15 @@ func (c *naiveH2Conn) WriteBuffer(buffer *buf.Buffer) error {
 	if err == nil {
 		c.flusher.Flush()
 	}
-	return baderror.WrapH2(err)
+	return wrapError(err)
+}
+
+func wrapError(err error) error {
+	err = baderror.WrapH2(err)
+	if WrapError != nil {
+		err = WrapError(err)
+	}
+	return err
 }
 
 func (c *naiveH2Conn) Close() error {

protocol/naive/quic/inbound_init.go

@@ -124,4 +124,5 @@ func init() {
 
 		return quicListener, nil
 	}
+	naive.WrapError = qtls.WrapError
 }

protocol/tailscale/endpoint.go

@@ -614,7 +614,7 @@ func (t *Endpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (n
 	return packetConn, nil
 }
 
-func (t *Endpoint) PrepareConnection(ctx context.Context, network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+func (t *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	tsFilter := t.filter.Load()
 	if tsFilter != nil {
 		var ipProto ipproto.Proto

protocol/tun/inbound.go

@@ -245,7 +245,6 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		inbound.autoRedirect, err = tun.NewAutoRedirect(tun.AutoRedirectOptions{
 			TunOptions:             &inbound.tunOptions,
 			Context:                ctx,
-			ConnContext:            log.ContextWithNewID,
 			Handler:                (*autoRedirectHandler)(inbound),
 			Logger:                 logger,
 			NetworkMonitor:         networkManager.NetworkMonitor(),
@@ -258,7 +257,7 @@ func NewInbound(ctx context.Context, router adapter.Router, logger log.ContextLo
 		if err != nil {
 			return nil, E.Cause(err, "initialize auto-redirect")
 		}
-		if C.IsLinux {
+		if !C.IsAndroid {
 			inbound.tunOptions.AutoRedirectMarkMode = true
 			err = networkManager.RegisterAutoRedirectOutputMark(inbound.tunOptions.AutoRedirectOutputMark)
 			if err != nil {
@@ -454,7 +453,7 @@ func (t *Inbound) Close() error {
 	)
 }
 
-func (t *Inbound) PrepareConnection(ctx context.Context, network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+func (t *Inbound) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	var ipVersion uint8
 	if !destination.IsIPv6() {
 		ipVersion = 4
@@ -512,35 +511,21 @@ func (t *Inbound) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn,
 
 type autoRedirectHandler Inbound
 
-func autoRedirectProcessInfoFromContext(ctx context.Context) *adapter.ConnectionOwner {
-	metadata := tun.AutoRedirectMetadataFromContext(ctx)
-	if metadata == nil {
-		return nil
-	}
-	return &adapter.ConnectionOwner{
-		ProcessID:   metadata.ProcessID,
-		ProcessPath: metadata.ProcessPath,
-		UserId:      metadata.UserId,
-	}
-}
-
-func (t *autoRedirectHandler) PrepareConnection(ctx context.Context, network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+func (t *autoRedirectHandler) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	var ipVersion uint8
 	if !destination.IsIPv6() {
 		ipVersion = 4
 	} else {
 		ipVersion = 6
 	}
-	metadata := adapter.InboundContext{
+	routeDestination, err := t.router.PreMatch(adapter.InboundContext{
 		Inbound:     t.tag,
 		InboundType: C.TypeTun,
 		IPVersion:   ipVersion,
 		Network:     network,
 		Source:      source,
 		Destination: destination,
-		ProcessInfo: autoRedirectProcessInfoFromContext(ctx),
-	}
-	routeDestination, err := t.router.PreMatch(metadata, routeContext, timeout, true)
+	}, routeContext, timeout, true)
 	if err != nil {
 		switch {
 		case rule.IsBypassed(err):
@@ -557,12 +542,12 @@ func (t *autoRedirectHandler) PrepareConnection(ctx context.Context, network str
 }
 
 func (t *autoRedirectHandler) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	ctx = log.ContextWithNewID(ctx)
 	var metadata adapter.InboundContext
 	metadata.Inbound = t.tag
 	metadata.InboundType = C.TypeTun
 	metadata.Source = source
 	metadata.Destination = destination
-	metadata.ProcessInfo = autoRedirectProcessInfoFromContext(ctx)
 
 	t.logger.InfoContext(ctx, "inbound redirect connection from ", metadata.Source)
 	t.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)

protocol/wireguard/endpoint.go

@@ -129,7 +129,7 @@ func (w *Endpoint) Close() error {
 	return w.endpoint.Close()
 }
 
-func (w *Endpoint) PrepareConnection(ctx context.Context, network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
+func (w *Endpoint) PrepareConnection(network string, source M.Socksaddr, destination M.Socksaddr, routeContext tun.DirectRouteContext, timeout time.Duration) (tun.DirectRouteDestination, error) {
 	var ipVersion uint8
 	if !destination.IsIPv6() {
 		ipVersion = 4

route/network.go

@@ -393,9 +393,6 @@ func (r *NetworkManager) AutoRedirectOutputMark() uint32 {
 }
 
 func (r *NetworkManager) AutoRedirectOutputMarkFunc() control.Func {
-	if !C.IsLinux || C.IsAndroid {
-		return nil
-	}
 	return func(network, address string, conn syscall.RawConn) error {
 		if r.autoRedirectOutputMark == 0 {
 			return nil

route/router.go

@@ -70,6 +70,10 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.Route
 
 func (r *Router) Initialize(rules []option.Rule, ruleSets []option.RuleSet) error {
 	for i, options := range rules {
+		err := R.ValidateNoNestedRuleActions(options)
+		if err != nil {
+			return E.Cause(err, "parse rule[", i, "]")
+		}
 		rule, err := R.NewRule(r.ctx, r.logger, options, false)
 		if err != nil {
 			return E.Cause(err, "parse rule[", i, "]")

route/rule/nested_action.go

@@ -0,0 +1,76 @@
+package rule
+
+import (
+	"reflect"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const (
+	routeRuleActionNestedUnsupportedMessage = "rule action is not supported in nested rules"
+	dnsRuleActionNestedUnsupportedMessage   = "DNS rule action is not supported in nested rules"
+)
+
+func ValidateNoNestedRuleActions(rule option.Rule) error {
+	return validateNoNestedRuleActions(rule, false)
+}
+
+func ValidateNoNestedDNSRuleActions(rule option.DNSRule) error {
+	return validateNoNestedDNSRuleActions(rule, false)
+}
+
+func validateNoNestedRuleActions(rule option.Rule, nested bool) error {
+	if nested && ruleHasConfiguredAction(rule) {
+		return E.New(routeRuleActionNestedUnsupportedMessage)
+	}
+	if rule.Type != C.RuleTypeLogical {
+		return nil
+	}
+	for i, subRule := range rule.LogicalOptions.Rules {
+		err := validateNoNestedRuleActions(subRule, true)
+		if err != nil {
+			return E.Cause(err, "sub rule[", i, "]")
+		}
+	}
+	return nil
+}
+
+func validateNoNestedDNSRuleActions(rule option.DNSRule, nested bool) error {
+	if nested && dnsRuleHasConfiguredAction(rule) {
+		return E.New(dnsRuleActionNestedUnsupportedMessage)
+	}
+	if rule.Type != C.RuleTypeLogical {
+		return nil
+	}
+	for i, subRule := range rule.LogicalOptions.Rules {
+		err := validateNoNestedDNSRuleActions(subRule, true)
+		if err != nil {
+			return E.Cause(err, "sub rule[", i, "]")
+		}
+	}
+	return nil
+}
+
+func ruleHasConfiguredAction(rule option.Rule) bool {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return !reflect.DeepEqual(rule.DefaultOptions.RuleAction, option.RuleAction{})
+	case C.RuleTypeLogical:
+		return !reflect.DeepEqual(rule.LogicalOptions.RuleAction, option.RuleAction{})
+	default:
+		return false
+	}
+}
+
+func dnsRuleHasConfiguredAction(rule option.DNSRule) bool {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return !reflect.DeepEqual(rule.DefaultOptions.DNSRuleAction, option.DNSRuleAction{})
+	case C.RuleTypeLogical:
+		return !reflect.DeepEqual(rule.LogicalOptions.DNSRuleAction, option.DNSRuleAction{})
+	default:
+		return false
+	}
+}

route/rule/nested_action_test.go

@@ -0,0 +1,137 @@
+package rule
+
+import (
+	"context"
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/json"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewRulePreservesImplicitTopLevelDefaultAction(t *testing.T) {
+	t.Parallel()
+
+	var options option.Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"domain": "example.com"
+	}`), &options)
+	require.NoError(t, err)
+
+	rule, err := NewRule(context.Background(), log.NewNOPFactory().NewLogger("router"), options, false)
+	require.NoError(t, err)
+	require.NotNil(t, rule.Action())
+	require.Equal(t, C.RuleActionTypeRoute, rule.Action().Type())
+}
+
+func TestNewRuleAllowsNestedRuleWithoutAction(t *testing.T) {
+	t.Parallel()
+
+	var options option.Rule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com"}
+		]
+	}`), &options)
+	require.NoError(t, err)
+
+	rule, err := NewRule(context.Background(), log.NewNOPFactory().NewLogger("router"), options, false)
+	require.NoError(t, err)
+	require.NotNil(t, rule.Action())
+	require.Equal(t, C.RuleActionTypeRoute, rule.Action().Type())
+}
+
+func TestNewRuleRejectsNestedRuleAction(t *testing.T) {
+	t.Parallel()
+
+	_, err := NewRule(context.Background(), log.NewNOPFactory().NewLogger("router"), option.Rule{
+		Type: C.RuleTypeLogical,
+		LogicalOptions: option.LogicalRule{
+			RawLogicalRule: option.RawLogicalRule{
+				Mode: C.LogicalTypeAnd,
+				Rules: []option.Rule{{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						RuleAction: option.RuleAction{
+							Action: C.RuleActionTypeRoute,
+							RouteOptions: option.RouteActionOptions{
+								Outbound: "direct",
+							},
+						},
+					},
+				}},
+			},
+		},
+	}, false)
+	require.ErrorContains(t, err, routeRuleActionNestedUnsupportedMessage)
+}
+
+func TestNewDNSRulePreservesImplicitTopLevelDefaultAction(t *testing.T) {
+	t.Parallel()
+
+	var options option.DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"domain": "example.com"
+	}`), &options)
+	require.NoError(t, err)
+
+	rule, err := NewDNSRule(context.Background(), log.NewNOPFactory().NewLogger("dns"), options, false, false)
+	require.NoError(t, err)
+	require.NotNil(t, rule.Action())
+	require.Equal(t, C.RuleActionTypeRoute, rule.Action().Type())
+}
+
+func TestNewDNSRuleAllowsNestedRuleWithoutAction(t *testing.T) {
+	t.Parallel()
+
+	var options option.DNSRule
+	err := json.UnmarshalContext(context.Background(), []byte(`{
+		"type": "logical",
+		"mode": "and",
+		"rules": [
+			{"domain": "example.com"}
+		]
+	}`), &options)
+	require.NoError(t, err)
+
+	rule, err := NewDNSRule(context.Background(), log.NewNOPFactory().NewLogger("dns"), options, false, false)
+	require.NoError(t, err)
+	require.NotNil(t, rule.Action())
+	require.Equal(t, C.RuleActionTypeRoute, rule.Action().Type())
+}
+
+func TestNewDNSRuleRejectsNestedRuleAction(t *testing.T) {
+	t.Parallel()
+
+	_, err := NewDNSRule(context.Background(), log.NewNOPFactory().NewLogger("dns"), option.DNSRule{
+		Type: C.RuleTypeLogical,
+		LogicalOptions: option.LogicalDNSRule{
+			RawLogicalDNSRule: option.RawLogicalDNSRule{
+				Mode: C.LogicalTypeAnd,
+				Rules: []option.DNSRule{{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultDNSRule{
+						DNSRuleAction: option.DNSRuleAction{
+							Action: C.RuleActionTypeRoute,
+							RouteOptions: option.DNSRouteActionOptions{
+								Server: "default",
+							},
+						},
+					},
+				}},
+			},
+			DNSRuleAction: option.DNSRuleAction{
+				Action: C.RuleActionTypeRoute,
+				RouteOptions: option.DNSRouteActionOptions{
+					Server: "default",
+				},
+			},
+		},
+	}, true, false)
+	require.ErrorContains(t, err, dnsRuleActionNestedUnsupportedMessage)
+}

route/rule/rule_abstract.go

@@ -56,7 +56,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 }
 
 func (r *abstractDefaultRule) destinationIPCIDRMatchesSource(metadata *adapter.InboundContext) bool {
-	return !metadata.IgnoreDestinationIPCIDRMatch && metadata.IPCIDRMatchSource && len(r.destinationIPCIDRItems) > 0
+	return metadata.IPCIDRMatchSource && len(r.destinationIPCIDRItems) > 0
 }
 
 func (r *abstractDefaultRule) destinationIPCIDRMatchesDestination(metadata *adapter.InboundContext) bool {
@@ -156,10 +156,6 @@ func (r *abstractDefaultRule) matchStatesWithBase(metadata *adapter.InboundConte
 		return r.invertedFailure(inheritedBase)
 	}
 	if r.invert {
-		// DNS pre-lookup defers destination address-limit checks until the response phase.
-		if metadata.IgnoreDestinationIPCIDRMatch && stateSet == emptyRuleMatchState() && !metadata.DidMatch && len(r.destinationIPCIDRItems) > 0 {
-			return emptyRuleMatchState().withBase(inheritedBase)
-		}
 		return 0
 	}
 	return stateSet

route/rule/rule_action.go

@@ -132,6 +132,16 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 				ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptions.ClientSubnet)),
 			},
 		}
+	case C.RuleActionTypeEvaluate:
+		return &RuleActionEvaluate{
+			Server: action.RouteOptions.Server,
+			RuleActionDNSRouteOptions: RuleActionDNSRouteOptions{
+				Strategy:     C.DomainStrategy(action.RouteOptions.Strategy),
+				DisableCache: action.RouteOptions.DisableCache,
+				RewriteTTL:   action.RouteOptions.RewriteTTL,
+				ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptions.ClientSubnet)),
+			},
+		}
 	case C.RuleActionTypeRouteOptions:
 		return &RuleActionDNSRouteOptions{
 			Strategy:     C.DomainStrategy(action.RouteOptionsOptions.Strategy),
@@ -266,18 +276,35 @@ func (r *RuleActionDNSRoute) Type() string {
 }
 
 func (r *RuleActionDNSRoute) String() string {
+	return formatDNSRouteAction("route", r.Server, r.RuleActionDNSRouteOptions)
+}
+
+type RuleActionEvaluate struct {
+	Server string
+	RuleActionDNSRouteOptions
+}
+
+func (r *RuleActionEvaluate) Type() string {
+	return C.RuleActionTypeEvaluate
+}
+
+func (r *RuleActionEvaluate) String() string {
+	return formatDNSRouteAction("evaluate", r.Server, r.RuleActionDNSRouteOptions)
+}
+
+func formatDNSRouteAction(action string, server string, options RuleActionDNSRouteOptions) string {
 	var descriptions []string
-	descriptions = append(descriptions, r.Server)
-	if r.DisableCache {
+	descriptions = append(descriptions, server)
+	if options.DisableCache {
 		descriptions = append(descriptions, "disable-cache")
 	}
-	if r.RewriteTTL != nil {
-		descriptions = append(descriptions, F.ToString("rewrite-ttl=", *r.RewriteTTL))
+	if options.RewriteTTL != nil {
+		descriptions = append(descriptions, F.ToString("rewrite-ttl=", *options.RewriteTTL))
 	}
-	if r.ClientSubnet.IsValid() {
-		descriptions = append(descriptions, F.ToString("client-subnet=", r.ClientSubnet))
+	if options.ClientSubnet.IsValid() {
+		descriptions = append(descriptions, F.ToString("client-subnet=", options.ClientSubnet))
 	}
-	return F.ToString("route(", strings.Join(descriptions, ","), ")")
+	return F.ToString(action, "(", strings.Join(descriptions, ","), ")")
 }
 
 type RuleActionDNSRouteOptions struct {

route/rule/rule_default.go

@@ -326,6 +326,10 @@ func NewLogicalRule(ctx context.Context, logger log.ContextLogger, options optio
 		return nil, E.New("unknown logical mode: ", options.Mode)
 	}
 	for i, subOptions := range options.Rules {
+		err = validateNoNestedRuleActions(subOptions, true)
+		if err != nil {
+			return nil, E.Cause(err, "sub rule[", i, "]")
+		}
 		subRule, err := NewRule(ctx, logger, subOptions, false)
 		if err != nil {
 			return nil, E.Cause(err, "sub rule[", i, "]")

route/rule/rule_dns.go

@@ -5,37 +5,46 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/service"
+
+	"github.com/miekg/dns"
 )
 
-func NewDNSRule(ctx context.Context, logger log.ContextLogger, options option.DNSRule, checkServer bool) (adapter.DNSRule, error) {
+func NewDNSRule(ctx context.Context, logger log.ContextLogger, options option.DNSRule, checkServer bool, legacyDNSMode bool) (adapter.DNSRule, error) {
 	switch options.Type {
 	case "", C.RuleTypeDefault:
 		if !options.DefaultOptions.IsValid() {
 			return nil, E.New("missing conditions")
 		}
+		if !checkServer && options.DefaultOptions.Action == C.RuleActionTypeEvaluate {
+			return nil, E.New(options.DefaultOptions.Action, " is only allowed on top-level DNS rules")
+		}
 		switch options.DefaultOptions.Action {
-		case "", C.RuleActionTypeRoute:
+		case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
 			if options.DefaultOptions.RouteOptions.Server == "" && checkServer {
 				return nil, E.New("missing server field")
 			}
 		}
-		return NewDefaultDNSRule(ctx, logger, options.DefaultOptions)
+		return NewDefaultDNSRule(ctx, logger, options.DefaultOptions, legacyDNSMode)
 	case C.RuleTypeLogical:
 		if !options.LogicalOptions.IsValid() {
 			return nil, E.New("missing conditions")
 		}
+		if !checkServer && options.LogicalOptions.Action == C.RuleActionTypeEvaluate {
+			return nil, E.New(options.LogicalOptions.Action, " is only allowed on top-level DNS rules")
+		}
 		switch options.LogicalOptions.Action {
-		case "", C.RuleActionTypeRoute:
+		case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
 			if options.LogicalOptions.RouteOptions.Server == "" && checkServer {
 				return nil, E.New("missing server field")
 			}
 		}
-		return NewLogicalDNSRule(ctx, logger, options.LogicalOptions)
+		return NewLogicalDNSRule(ctx, logger, options.LogicalOptions, legacyDNSMode)
 	default:
 		return nil, E.New("unknown rule type: ", options.Type)
 	}
@@ -45,18 +54,20 @@ var _ adapter.DNSRule = (*DefaultDNSRule)(nil)
 
 type DefaultDNSRule struct {
 	abstractDefaultRule
+	matchResponse bool
 }
 
 func (r *DefaultDNSRule) matchStates(metadata *adapter.InboundContext) ruleMatchStateSet {
 	return r.abstractDefaultRule.matchStates(metadata)
 }
 
-func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
+func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options option.DefaultDNSRule, legacyDNSMode bool) (*DefaultDNSRule, error) {
 	rule := &DefaultDNSRule{
 		abstractDefaultRule: abstractDefaultRule{
 			invert: options.Invert,
 			action: NewDNSRuleAction(logger, options.DNSRuleAction),
 		},
+		matchResponse: options.MatchResponse,
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@@ -116,7 +127,7 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
-	if len(options.Geosite) > 0 {
+	if len(options.Geosite) > 0 { //nolint:staticcheck
 		return nil, E.New("geosite database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.SourceGeoIP) > 0 {
@@ -151,11 +162,36 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
-	if options.IPAcceptAny {
+	if options.IPAcceptAny { //nolint:staticcheck
+		if legacyDNSMode {
+			deprecated.Report(ctx, deprecated.OptionIPAcceptAny)
+		} else {
+			return nil, E.New("ip_accept_any is removed when legacyDNSMode is disabled, use ip_cidr with match_response")
+		}
 		item := NewIPAcceptAnyItem()
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if options.ResponseRcode != nil {
+		item := NewDNSResponseRCodeItem(int(*options.ResponseRcode))
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ResponseAnswer) > 0 {
+		item := NewDNSResponseRecordItem("response_answer", options.ResponseAnswer, dnsResponseAnswers)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ResponseNs) > 0 {
+		item := NewDNSResponseRecordItem("response_ns", options.ResponseNs, dnsResponseNS)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ResponseExtra) > 0 {
+		item := NewDNSResponseRecordItem("response_extra", options.ResponseExtra, dnsResponseExtra)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
@@ -284,7 +320,14 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		if options.RuleSetIPCIDRMatchSource {
 			matchSource = true
 		}
-		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
+		if options.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+			if legacyDNSMode {
+				deprecated.Report(ctx, deprecated.OptionRuleSetIPCIDRAcceptEmpty)
+			} else {
+				return nil, E.New("rule_set_ip_cidr_accept_empty is removed when legacyDNSMode is disabled")
+			}
+		}
+		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty) //nolint:staticcheck
 		rule.ruleSetItem = item
 		rule.allItems = append(rule.allItems, item)
 	}
@@ -309,15 +352,46 @@ func (r *DefaultDNSRule) WithAddressLimit() bool {
 }
 
 func (r *DefaultDNSRule) Match(metadata *adapter.InboundContext) bool {
-	metadata.IgnoreDestinationIPCIDRMatch = true
-	defer func() {
-		metadata.IgnoreDestinationIPCIDRMatch = false
-	}()
-	return !r.matchStates(metadata).isEmpty()
+	return !r.matchStatesForMatch(metadata).isEmpty()
 }
 
-func (r *DefaultDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
-	return !r.matchStates(metadata).isEmpty()
+func (r *DefaultDNSRule) LegacyPreMatch(metadata *adapter.InboundContext) bool {
+	if r.matchResponse {
+		return !r.legacyMatchStatesForMatch(metadata).isEmpty()
+	}
+	return !r.abstractDefaultRule.legacyMatchStates(metadata).isEmpty()
+}
+
+func (r *DefaultDNSRule) matchStatesForMatch(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return r.matchStatesForMatchWithMissingResponse(metadata, true)
+}
+
+func (r *DefaultDNSRule) legacyMatchStatesForMatch(metadata *adapter.InboundContext) ruleMatchStateSet {
+	return r.matchStatesForMatchWithMissingResponse(metadata, false)
+}
+
+func (r *DefaultDNSRule) matchStatesForMatchWithMissingResponse(metadata *adapter.InboundContext, ordinaryFailure bool) ruleMatchStateSet {
+	if r.matchResponse {
+		if metadata.DNSResponse == nil {
+			if ordinaryFailure {
+				return r.abstractDefaultRule.invertedFailure(0)
+			}
+			return 0
+		}
+		matchMetadata := *metadata
+		matchMetadata.IgnoreDestinationIPCIDRMatch = false
+		matchMetadata.DestinationAddressMatchFromResponse = true
+		return r.abstractDefaultRule.matchStates(&matchMetadata)
+	}
+	return r.abstractDefaultRule.matchStates(metadata)
+}
+
+func (r *DefaultDNSRule) MatchAddressLimit(metadata *adapter.InboundContext, response *dns.Msg) bool {
+	matchMetadata := *metadata
+	matchMetadata.DNSResponse = response
+	matchMetadata.IgnoreDestinationIPCIDRMatch = false
+	matchMetadata.DestinationAddressMatchFromResponse = true
+	return !r.abstractDefaultRule.matchStates(&matchMetadata).isEmpty()
 }
 
 var _ adapter.DNSRule = (*LogicalDNSRule)(nil)
@@ -330,7 +404,53 @@ func (r *LogicalDNSRule) matchStates(metadata *adapter.InboundContext) ruleMatch
 	return r.abstractLogicalRule.matchStates(metadata)
 }
 
-func NewLogicalDNSRule(ctx context.Context, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
+func matchDNSHeadlessRuleStatesForMatch(rule adapter.HeadlessRule, metadata *adapter.InboundContext) ruleMatchStateSet {
+	switch rule := rule.(type) {
+	case *DefaultDNSRule:
+		return rule.matchStatesForMatch(metadata)
+	case *LogicalDNSRule:
+		return rule.matchStatesForMatch(metadata)
+	default:
+		return matchHeadlessRuleStates(rule, metadata)
+	}
+}
+
+func (r *LogicalDNSRule) matchStatesForMatch(metadata *adapter.InboundContext) ruleMatchStateSet {
+	var stateSet ruleMatchStateSet
+	if r.mode == C.LogicalTypeAnd {
+		stateSet = emptyRuleMatchState()
+		for _, rule := range r.rules {
+			nestedMetadata := *metadata
+			nestedMetadata.ResetRuleCache()
+			nestedStateSet := matchDNSHeadlessRuleStatesForMatch(rule, &nestedMetadata)
+			if nestedStateSet.isEmpty() {
+				if r.invert {
+					return emptyRuleMatchState()
+				}
+				return 0
+			}
+			stateSet = stateSet.combine(nestedStateSet)
+		}
+	} else {
+		for _, rule := range r.rules {
+			nestedMetadata := *metadata
+			nestedMetadata.ResetRuleCache()
+			stateSet = stateSet.merge(matchDNSHeadlessRuleStatesForMatch(rule, &nestedMetadata))
+		}
+		if stateSet.isEmpty() {
+			if r.invert {
+				return emptyRuleMatchState()
+			}
+			return 0
+		}
+	}
+	if r.invert {
+		return 0
+	}
+	return stateSet
+}
+
+func NewLogicalDNSRule(ctx context.Context, logger log.ContextLogger, options option.LogicalDNSRule, legacyDNSMode bool) (*LogicalDNSRule, error) {
 	r := &LogicalDNSRule{
 		abstractLogicalRule: abstractLogicalRule{
 			rules:  make([]adapter.HeadlessRule, len(options.Rules)),
@@ -347,7 +467,11 @@ func NewLogicalDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		return nil, E.New("unknown logical mode: ", options.Mode)
 	}
 	for i, subRule := range options.Rules {
-		rule, err := NewDNSRule(ctx, logger, subRule, false)
+		err := validateNoNestedDNSRuleActions(subRule, true)
+		if err != nil {
+			return nil, E.Cause(err, "sub rule[", i, "]")
+		}
+		rule, err := NewDNSRule(ctx, logger, subRule, false, legacyDNSMode)
 		if err != nil {
 			return nil, E.Cause(err, "sub rule[", i, "]")
 		}
@@ -377,13 +501,17 @@ func (r *LogicalDNSRule) WithAddressLimit() bool {
 }
 
 func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
-	metadata.IgnoreDestinationIPCIDRMatch = true
-	defer func() {
-		metadata.IgnoreDestinationIPCIDRMatch = false
-	}()
-	return !r.matchStates(metadata).isEmpty()
+	return !r.matchStatesForMatch(metadata).isEmpty()
 }
 
-func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
-	return !r.matchStates(metadata).isEmpty()
+func (r *LogicalDNSRule) LegacyPreMatch(metadata *adapter.InboundContext) bool {
+	return !r.abstractLogicalRule.legacyMatchStates(metadata).isEmpty()
+}
+
+func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext, response *dns.Msg) bool {
+	matchMetadata := *metadata
+	matchMetadata.DNSResponse = response
+	matchMetadata.IgnoreDestinationIPCIDRMatch = false
+	matchMetadata.DestinationAddressMatchFromResponse = true
+	return !r.abstractLogicalRule.matchStates(&matchMetadata).isEmpty()
 }

route/rule/rule_dns_legacy.go

@@ -0,0 +1,754 @@
+package rule
+
+import (
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+
+	"go4.org/netipx"
+)
+
+type legacyResponseLiteralKind uint8
+
+const (
+	legacyLiteralRequireEmpty legacyResponseLiteralKind = iota
+	legacyLiteralRequireNonEmpty
+	legacyLiteralRequireSet
+	legacyLiteralForbidSet
+)
+
+type legacyResponseLiteral struct {
+	kind  legacyResponseLiteralKind
+	ipSet *netipx.IPSet
+}
+
+type legacyResponseFormulaKind uint8
+
+const (
+	legacyFormulaFalse legacyResponseFormulaKind = iota
+	legacyFormulaTrue
+	legacyFormulaLiteral
+	legacyFormulaAnd
+	legacyFormulaOr
+)
+
+type legacyResponseFormula struct {
+	kind     legacyResponseFormulaKind
+	literal  legacyResponseLiteral
+	children []legacyResponseFormula
+}
+
+type legacyResponseConstraint struct {
+	requireEmpty    bool
+	requireNonEmpty bool
+	requiredSets    []*netipx.IPSet
+	forbiddenSet    *netipx.IPSet
+}
+
+const (
+	legacyRuleMatchDeferredDestinationAddress ruleMatchState = 1 << 4
+	legacyRuleMatchStateCount                                = 32
+)
+
+type legacyRuleMatchStateSet [legacyRuleMatchStateCount]legacyResponseFormula
+
+var (
+	legacyAllIPSet = func() *netipx.IPSet {
+		var builder netipx.IPSetBuilder
+		builder.Complement()
+		return common.Must1(builder.IPSet())
+	}()
+	legacyNonPublicIPSet = func() *netipx.IPSet {
+		var builder netipx.IPSetBuilder
+		for _, prefix := range []string{
+			"0.0.0.0/32",
+			"10.0.0.0/8",
+			"127.0.0.0/8",
+			"169.254.0.0/16",
+			"172.16.0.0/12",
+			"192.168.0.0/16",
+			"224.0.0.0/4",
+			"::/128",
+			"::1/128",
+			"fc00::/7",
+			"fe80::/10",
+			"ff00::/8",
+		} {
+			builder.AddPrefix(netip.MustParsePrefix(prefix))
+		}
+		return common.Must1(builder.IPSet())
+	}()
+)
+
+func legacyFalseFormula() legacyResponseFormula {
+	return legacyResponseFormula{}
+}
+
+func legacyTrueFormula() legacyResponseFormula {
+	return legacyResponseFormula{kind: legacyFormulaTrue}
+}
+
+func legacyLiteralFormula(literal legacyResponseLiteral) legacyResponseFormula {
+	return legacyResponseFormula{
+		kind:    legacyFormulaLiteral,
+		literal: literal,
+	}
+}
+
+func (f legacyResponseFormula) isFalse() bool {
+	return f.kind == legacyFormulaFalse
+}
+
+func (f legacyResponseFormula) isTrue() bool {
+	return f.kind == legacyFormulaTrue
+}
+
+func (f legacyResponseFormula) or(other legacyResponseFormula) legacyResponseFormula {
+	return legacyOrFormulas(f, other)
+}
+
+func (f legacyResponseFormula) and(other legacyResponseFormula) legacyResponseFormula {
+	return legacyAndFormulas(f, other)
+}
+
+func (f legacyResponseFormula) not() legacyResponseFormula {
+	switch f.kind {
+	case legacyFormulaFalse:
+		return legacyTrueFormula()
+	case legacyFormulaTrue:
+		return legacyFalseFormula()
+	case legacyFormulaLiteral:
+		return legacyLiteralFormula(legacyNegateResponseLiteral(f.literal))
+	case legacyFormulaAnd:
+		negated := make([]legacyResponseFormula, 0, len(f.children))
+		for _, child := range f.children {
+			negated = append(negated, child.not())
+		}
+		return legacyOrFormulas(negated...)
+	case legacyFormulaOr:
+		negated := make([]legacyResponseFormula, 0, len(f.children))
+		for _, child := range f.children {
+			negated = append(negated, child.not())
+		}
+		return legacyAndFormulas(negated...)
+	default:
+		panic("unknown legacy response formula kind")
+	}
+}
+
+func legacyNegateResponseLiteral(literal legacyResponseLiteral) legacyResponseLiteral {
+	switch literal.kind {
+	case legacyLiteralRequireEmpty:
+		return legacyResponseLiteral{kind: legacyLiteralRequireNonEmpty}
+	case legacyLiteralRequireNonEmpty:
+		return legacyResponseLiteral{kind: legacyLiteralRequireEmpty}
+	case legacyLiteralRequireSet:
+		return legacyResponseLiteral{kind: legacyLiteralForbidSet, ipSet: literal.ipSet}
+	case legacyLiteralForbidSet:
+		return legacyResponseLiteral{kind: legacyLiteralRequireSet, ipSet: literal.ipSet}
+	default:
+		panic("unknown legacy response literal kind")
+	}
+}
+
+func legacyOrFormulas(formulas ...legacyResponseFormula) legacyResponseFormula {
+	children := make([]legacyResponseFormula, 0, len(formulas))
+	for _, formula := range formulas {
+		if formula.isFalse() {
+			continue
+		}
+		if formula.isTrue() {
+			return legacyTrueFormula()
+		}
+		if formula.kind == legacyFormulaOr {
+			children = append(children, formula.children...)
+			continue
+		}
+		children = append(children, formula)
+	}
+	switch len(children) {
+	case 0:
+		return legacyFalseFormula()
+	case 1:
+		return children[0]
+	default:
+		return legacyResponseFormula{
+			kind:     legacyFormulaOr,
+			children: children,
+		}
+	}
+}
+
+func legacyAndFormulas(formulas ...legacyResponseFormula) legacyResponseFormula {
+	children := make([]legacyResponseFormula, 0, len(formulas))
+	for _, formula := range formulas {
+		if formula.isFalse() {
+			return legacyFalseFormula()
+		}
+		if formula.isTrue() {
+			continue
+		}
+		if formula.kind == legacyFormulaAnd {
+			children = append(children, formula.children...)
+			continue
+		}
+		children = append(children, formula)
+	}
+	switch len(children) {
+	case 0:
+		return legacyTrueFormula()
+	case 1:
+		return children[0]
+	}
+	result := legacyResponseFormula{
+		kind:     legacyFormulaAnd,
+		children: children,
+	}
+	if !result.satisfiable() {
+		return legacyFalseFormula()
+	}
+	return result
+}
+
+func (f legacyResponseFormula) satisfiable() bool {
+	return legacyResponseFormulasSatisfiable(legacyResponseConstraint{}, []legacyResponseFormula{f})
+}
+
+func legacyResponseFormulasSatisfiable(constraint legacyResponseConstraint, formulas []legacyResponseFormula) bool {
+	stack := append(make([]legacyResponseFormula, 0, len(formulas)), formulas...)
+	var disjunctions []legacyResponseFormula
+	for len(stack) > 0 {
+		formula := stack[len(stack)-1]
+		stack = stack[:len(stack)-1]
+		switch formula.kind {
+		case legacyFormulaFalse:
+			return false
+		case legacyFormulaTrue:
+			continue
+		case legacyFormulaLiteral:
+			var ok bool
+			constraint, ok = constraint.withLiteral(formula.literal)
+			if !ok {
+				return false
+			}
+		case legacyFormulaAnd:
+			stack = append(stack, formula.children...)
+		case legacyFormulaOr:
+			if len(formula.children) == 0 {
+				return false
+			}
+			disjunctions = append(disjunctions, formula)
+		default:
+			panic("unknown legacy response formula kind")
+		}
+	}
+	if len(disjunctions) == 0 {
+		return true
+	}
+	bestIndex := 0
+	for i := 1; i < len(disjunctions); i++ {
+		if len(disjunctions[i].children) < len(disjunctions[bestIndex].children) {
+			bestIndex = i
+		}
+	}
+	selected := disjunctions[bestIndex]
+	remaining := make([]legacyResponseFormula, 0, len(disjunctions)-1)
+	remaining = append(remaining, disjunctions[:bestIndex]...)
+	remaining = append(remaining, disjunctions[bestIndex+1:]...)
+	for _, child := range selected.children {
+		nextFormulas := make([]legacyResponseFormula, 0, len(remaining)+1)
+		nextFormulas = append(nextFormulas, remaining...)
+		nextFormulas = append(nextFormulas, child)
+		if legacyResponseFormulasSatisfiable(constraint, nextFormulas) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c legacyResponseConstraint) withLiteral(literal legacyResponseLiteral) (legacyResponseConstraint, bool) {
+	switch literal.kind {
+	case legacyLiteralRequireEmpty:
+		c.requireEmpty = true
+	case legacyLiteralRequireNonEmpty:
+		c.requireNonEmpty = true
+	case legacyLiteralRequireSet:
+		requiredSets := make([]*netipx.IPSet, len(c.requiredSets)+1)
+		copy(requiredSets, c.requiredSets)
+		requiredSets[len(c.requiredSets)] = literal.ipSet
+		c.requiredSets = requiredSets
+	case legacyLiteralForbidSet:
+		c.forbiddenSet = legacyUnionIPSets(c.forbiddenSet, literal.ipSet)
+	default:
+		panic("unknown legacy response literal kind")
+	}
+	return c, c.satisfiable()
+}
+
+func (c legacyResponseConstraint) satisfiable() bool {
+	if c.requireEmpty && (c.requireNonEmpty || len(c.requiredSets) > 0) {
+		return false
+	}
+	if c.requireEmpty {
+		return true
+	}
+	for _, required := range c.requiredSets {
+		if !legacyIPSetHasAllowedIP(required, c.forbiddenSet) {
+			return false
+		}
+	}
+	if c.requireNonEmpty && len(c.requiredSets) == 0 {
+		return legacyIPSetHasAllowedIP(legacyAllIPSet, c.forbiddenSet)
+	}
+	return true
+}
+
+func legacyUnionIPSets(left *netipx.IPSet, right *netipx.IPSet) *netipx.IPSet {
+	if left == nil {
+		return right
+	}
+	if right == nil {
+		return left
+	}
+	var builder netipx.IPSetBuilder
+	builder.AddSet(left)
+	builder.AddSet(right)
+	return common.Must1(builder.IPSet())
+}
+
+func legacyIPSetHasAllowedIP(required *netipx.IPSet, forbidden *netipx.IPSet) bool {
+	if required == nil {
+		required = legacyAllIPSet
+	}
+	if forbidden == nil {
+		return len(required.Ranges()) > 0
+	}
+	builder := netipx.IPSetBuilder{}
+	builder.AddSet(required)
+	builder.RemoveSet(forbidden)
+	remaining := common.Must1(builder.IPSet())
+	return len(remaining.Ranges()) > 0
+}
+
+func legacySingleRuleMatchState(state ruleMatchState) legacyRuleMatchStateSet {
+	return legacySingleRuleMatchStateWithFormula(state, legacyTrueFormula())
+}
+
+func legacySingleRuleMatchStateWithFormula(state ruleMatchState, formula legacyResponseFormula) legacyRuleMatchStateSet {
+	var stateSet legacyRuleMatchStateSet
+	if !formula.isFalse() {
+		stateSet[state] = formula
+	}
+	return stateSet
+}
+
+func (s legacyRuleMatchStateSet) isEmpty() bool {
+	for _, formula := range s {
+		if !formula.isFalse() {
+			return false
+		}
+	}
+	return true
+}
+
+func (s legacyRuleMatchStateSet) merge(other legacyRuleMatchStateSet) legacyRuleMatchStateSet {
+	var merged legacyRuleMatchStateSet
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		merged[state] = s[state].or(other[state])
+	}
+	return merged
+}
+
+func (s legacyRuleMatchStateSet) combine(other legacyRuleMatchStateSet) legacyRuleMatchStateSet {
+	if s.isEmpty() || other.isEmpty() {
+		return legacyRuleMatchStateSet{}
+	}
+	var combined legacyRuleMatchStateSet
+	for left := ruleMatchState(0); left < legacyRuleMatchStateCount; left++ {
+		if s[left].isFalse() {
+			continue
+		}
+		for right := ruleMatchState(0); right < legacyRuleMatchStateCount; right++ {
+			if other[right].isFalse() {
+				continue
+			}
+			combined[left|right] = combined[left|right].or(s[left].and(other[right]))
+		}
+	}
+	return combined
+}
+
+func (s legacyRuleMatchStateSet) withBase(base ruleMatchState) legacyRuleMatchStateSet {
+	if s.isEmpty() {
+		return legacyRuleMatchStateSet{}
+	}
+	var withBase legacyRuleMatchStateSet
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		if s[state].isFalse() {
+			continue
+		}
+		withBase[state|base] = withBase[state|base].or(s[state])
+	}
+	return withBase
+}
+
+func (s legacyRuleMatchStateSet) filter(allowed func(ruleMatchState) bool) legacyRuleMatchStateSet {
+	var filtered legacyRuleMatchStateSet
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		if s[state].isFalse() {
+			continue
+		}
+		if allowed(state) {
+			filtered[state] = s[state]
+		}
+	}
+	return filtered
+}
+
+func (s legacyRuleMatchStateSet) addBit(bit ruleMatchState) legacyRuleMatchStateSet {
+	var withBit legacyRuleMatchStateSet
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		if s[state].isFalse() {
+			continue
+		}
+		withBit[state|bit] = withBit[state|bit].or(s[state])
+	}
+	return withBit
+}
+
+func (s legacyRuleMatchStateSet) branchOnBit(bit ruleMatchState, condition legacyResponseFormula) legacyRuleMatchStateSet {
+	if condition.isFalse() {
+		return s
+	}
+	if condition.isTrue() {
+		return s.addBit(bit)
+	}
+	var branched legacyRuleMatchStateSet
+	conditionFalse := condition.not()
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		if s[state].isFalse() {
+			continue
+		}
+		if state.has(bit) {
+			branched[state] = branched[state].or(s[state])
+			continue
+		}
+		branched[state] = branched[state].or(s[state].and(conditionFalse))
+		branched[state|bit] = branched[state|bit].or(s[state].and(condition))
+	}
+	return branched
+}
+
+func (s legacyRuleMatchStateSet) andFormula(formula legacyResponseFormula) legacyRuleMatchStateSet {
+	if formula.isFalse() || s.isEmpty() {
+		return legacyRuleMatchStateSet{}
+	}
+	if formula.isTrue() {
+		return s
+	}
+	var result legacyRuleMatchStateSet
+	for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+		if s[state].isFalse() {
+			continue
+		}
+		result[state] = s[state].and(formula)
+	}
+	return result
+}
+
+func (s legacyRuleMatchStateSet) anyFormula() legacyResponseFormula {
+	var formula legacyResponseFormula
+	for _, stateFormula := range s {
+		formula = formula.or(stateFormula)
+	}
+	return formula
+}
+
+type legacyRuleStateMatcher interface {
+	legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet
+}
+
+type legacyRuleStateMatcherWithBase interface {
+	legacyMatchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet
+}
+
+func legacyMatchHeadlessRuleStates(rule adapter.HeadlessRule, metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return legacyMatchHeadlessRuleStatesWithBase(rule, metadata, 0)
+}
+
+func legacyMatchHeadlessRuleStatesWithBase(rule adapter.HeadlessRule, metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	if matcher, loaded := rule.(legacyRuleStateMatcherWithBase); loaded {
+		return matcher.legacyMatchStatesWithBase(metadata, base)
+	}
+	if matcher, loaded := rule.(legacyRuleStateMatcher); loaded {
+		return matcher.legacyMatchStates(metadata).withBase(base)
+	}
+	if rule.Match(metadata) {
+		return legacySingleRuleMatchState(base)
+	}
+	return legacyRuleMatchStateSet{}
+}
+
+func legacyMatchRuleItemStatesWithBase(item RuleItem, metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	if matcher, loaded := item.(legacyRuleStateMatcherWithBase); loaded {
+		return matcher.legacyMatchStatesWithBase(metadata, base)
+	}
+	if matcher, loaded := item.(legacyRuleStateMatcher); loaded {
+		return matcher.legacyMatchStates(metadata).withBase(base)
+	}
+	if item.Match(metadata) {
+		return legacySingleRuleMatchState(base)
+	}
+	return legacyRuleMatchStateSet{}
+}
+
+func (r *DefaultHeadlessRule) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return r.abstractDefaultRule.legacyMatchStates(metadata)
+}
+
+func (r *LogicalHeadlessRule) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return r.abstractLogicalRule.legacyMatchStates(metadata)
+}
+
+func (r *RuleSetItem) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return r.legacyMatchStatesWithBase(metadata, 0)
+}
+
+func (r *RuleSetItem) legacyMatchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	var stateSet legacyRuleMatchStateSet
+	for _, ruleSet := range r.setList {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		nestedMetadata.IPCIDRMatchSource = r.ipCidrMatchSource
+		nestedMetadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
+		stateSet = stateSet.merge(legacyMatchHeadlessRuleStatesWithBase(ruleSet, &nestedMetadata, base))
+	}
+	return stateSet
+}
+
+func (s *LocalRuleSet) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return s.legacyMatchStatesWithBase(metadata, 0)
+}
+
+func (s *LocalRuleSet) legacyMatchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	var stateSet legacyRuleMatchStateSet
+	for _, rule := range s.rules {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		stateSet = stateSet.merge(legacyMatchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
+	}
+	return stateSet
+}
+
+func (s *RemoteRuleSet) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return s.legacyMatchStatesWithBase(metadata, 0)
+}
+
+func (s *RemoteRuleSet) legacyMatchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	var stateSet legacyRuleMatchStateSet
+	for _, rule := range s.rules {
+		nestedMetadata := *metadata
+		nestedMetadata.ResetRuleMatchCache()
+		stateSet = stateSet.merge(legacyMatchHeadlessRuleStatesWithBase(rule, &nestedMetadata, base))
+	}
+	return stateSet
+}
+
+func (r *abstractDefaultRule) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return r.legacyMatchStatesWithBase(metadata, 0)
+}
+
+func (r *abstractDefaultRule) legacyMatchStatesWithBase(metadata *adapter.InboundContext, inheritedBase ruleMatchState) legacyRuleMatchStateSet {
+	if len(r.allItems) == 0 {
+		return legacySingleRuleMatchState(inheritedBase)
+	}
+	evaluationBase := inheritedBase
+	if r.invert {
+		evaluationBase = 0
+	}
+	stateSet := legacySingleRuleMatchState(evaluationBase)
+	if len(r.sourceAddressItems) > 0 {
+		metadata.DidMatch = true
+		if matchAnyItem(r.sourceAddressItems, metadata) {
+			stateSet = stateSet.addBit(ruleMatchSourceAddress)
+		}
+	}
+	if r.destinationIPCIDRMatchesSource(metadata) {
+		metadata.DidMatch = true
+		stateSet = stateSet.branchOnBit(ruleMatchSourceAddress, legacyDestinationIPFormula(r.destinationIPCIDRItems, metadata))
+	}
+	if len(r.sourcePortItems) > 0 {
+		metadata.DidMatch = true
+		if matchAnyItem(r.sourcePortItems, metadata) {
+			stateSet = stateSet.addBit(ruleMatchSourcePort)
+		}
+	}
+	if len(r.destinationAddressItems) > 0 {
+		metadata.DidMatch = true
+		if matchAnyItem(r.destinationAddressItems, metadata) {
+			stateSet = stateSet.addBit(ruleMatchDestinationAddress)
+		}
+	}
+	if r.legacyDestinationIPCIDRMatchesDestination(metadata) {
+		metadata.DidMatch = true
+		stateSet = stateSet.branchOnBit(legacyRuleMatchDeferredDestinationAddress, legacyDestinationIPFormula(r.destinationIPCIDRItems, metadata))
+	}
+	if len(r.destinationPortItems) > 0 {
+		metadata.DidMatch = true
+		if matchAnyItem(r.destinationPortItems, metadata) {
+			stateSet = stateSet.addBit(ruleMatchDestinationPort)
+		}
+	}
+	for _, item := range r.items {
+		metadata.DidMatch = true
+		if !item.Match(metadata) {
+			if r.invert {
+				return legacySingleRuleMatchState(inheritedBase)
+			}
+			return legacyRuleMatchStateSet{}
+		}
+	}
+	if r.ruleSetItem != nil {
+		metadata.DidMatch = true
+		var merged legacyRuleMatchStateSet
+		for state := ruleMatchState(0); state < legacyRuleMatchStateCount; state++ {
+			if stateSet[state].isFalse() {
+				continue
+			}
+			nestedStateSet := legacyMatchRuleItemStatesWithBase(r.ruleSetItem, metadata, state)
+			merged = merged.merge(nestedStateSet.andFormula(stateSet[state]))
+		}
+		stateSet = merged
+	}
+	stateSet = stateSet.filter(func(state ruleMatchState) bool {
+		if r.legacyRequiresSourceAddressMatch(metadata) && !state.has(ruleMatchSourceAddress) {
+			return false
+		}
+		if len(r.sourcePortItems) > 0 && !state.has(ruleMatchSourcePort) {
+			return false
+		}
+		if r.legacyRequiresDestinationAddressMatch(metadata) && !state.has(ruleMatchDestinationAddress) {
+			return false
+		}
+		if r.legacyRequiresDeferredDestinationAddressMatch(metadata) && !state.has(legacyRuleMatchDeferredDestinationAddress) {
+			return false
+		}
+		if len(r.destinationPortItems) > 0 && !state.has(ruleMatchDestinationPort) {
+			return false
+		}
+		return true
+	})
+	if r.invert {
+		return legacySingleRuleMatchStateWithFormula(inheritedBase, stateSet.anyFormula().not())
+	}
+	return stateSet
+}
+
+func (r *abstractDefaultRule) legacyRequiresSourceAddressMatch(metadata *adapter.InboundContext) bool {
+	return len(r.sourceAddressItems) > 0 || r.destinationIPCIDRMatchesSource(metadata)
+}
+
+func (r *abstractDefaultRule) legacyDestinationIPCIDRMatchesDestination(metadata *adapter.InboundContext) bool {
+	return !metadata.IPCIDRMatchSource && len(r.destinationIPCIDRItems) > 0
+}
+
+func (r *abstractDefaultRule) legacyRequiresDestinationAddressMatch(metadata *adapter.InboundContext) bool {
+	return len(r.destinationAddressItems) > 0
+}
+
+func (r *abstractDefaultRule) legacyRequiresDeferredDestinationAddressMatch(metadata *adapter.InboundContext) bool {
+	return r.legacyDestinationIPCIDRMatchesDestination(metadata)
+}
+
+func (r *abstractLogicalRule) legacyMatchStates(metadata *adapter.InboundContext) legacyRuleMatchStateSet {
+	return r.legacyMatchStatesWithBase(metadata, 0)
+}
+
+func (r *abstractLogicalRule) legacyMatchStatesWithBase(metadata *adapter.InboundContext, base ruleMatchState) legacyRuleMatchStateSet {
+	evaluationBase := base
+	if r.invert {
+		evaluationBase = 0
+	}
+	var stateSet legacyRuleMatchStateSet
+	if r.mode == C.LogicalTypeAnd {
+		stateSet = legacySingleRuleMatchState(evaluationBase)
+		for _, rule := range r.rules {
+			nestedMetadata := *metadata
+			nestedMetadata.ResetRuleCache()
+			stateSet = stateSet.combine(legacyMatchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase))
+			if stateSet.isEmpty() && !r.invert {
+				return legacyRuleMatchStateSet{}
+			}
+		}
+	} else {
+		for _, rule := range r.rules {
+			nestedMetadata := *metadata
+			nestedMetadata.ResetRuleCache()
+			stateSet = stateSet.merge(legacyMatchHeadlessRuleStatesWithBase(rule, &nestedMetadata, evaluationBase))
+		}
+	}
+	if r.invert {
+		return legacySingleRuleMatchStateWithFormula(base, stateSet.anyFormula().not())
+	}
+	return stateSet
+}
+
+func legacyDestinationIPFormula(items []RuleItem, metadata *adapter.InboundContext) legacyResponseFormula {
+	if legacyDestinationIPResolved(metadata) {
+		if matchAnyItem(items, metadata) {
+			return legacyTrueFormula()
+		}
+		return legacyFalseFormula()
+	}
+	var formula legacyResponseFormula
+	for _, rawItem := range items {
+		switch item := rawItem.(type) {
+		case *IPCIDRItem:
+			if item.isSource || metadata.IPCIDRMatchSource {
+				if item.Match(metadata) {
+					return legacyTrueFormula()
+				}
+				continue
+			}
+			formula = formula.or(legacyLiteralFormula(legacyResponseLiteral{
+				kind:  legacyLiteralRequireSet,
+				ipSet: item.ipSet,
+			}))
+			if metadata.IPCIDRAcceptEmpty {
+				formula = formula.or(legacyLiteralFormula(legacyResponseLiteral{
+					kind: legacyLiteralRequireEmpty,
+				}))
+			}
+		case *IPIsPrivateItem:
+			if item.isSource {
+				if item.Match(metadata) {
+					return legacyTrueFormula()
+				}
+				continue
+			}
+			formula = formula.or(legacyLiteralFormula(legacyResponseLiteral{
+				kind:  legacyLiteralRequireSet,
+				ipSet: legacyNonPublicIPSet,
+			}))
+		case *IPAcceptAnyItem:
+			formula = formula.or(legacyLiteralFormula(legacyResponseLiteral{
+				kind: legacyLiteralRequireNonEmpty,
+			}))
+		default:
+			if rawItem.Match(metadata) {
+				return legacyTrueFormula()
+			}
+		}
+	}
+	return formula
+}
+
+func legacyDestinationIPResolved(metadata *adapter.InboundContext) bool {
+	return metadata.IPCIDRMatchSource ||
+		metadata.DestinationAddressMatchFromResponse ||
+		metadata.DNSResponse != nil ||
+		metadata.Destination.IsIP() ||
+		len(metadata.DestinationAddresses) > 0
+}

route/rule/rule_item_cidr.go

@@ -76,11 +76,26 @@ func (r *IPCIDRItem) Match(metadata *adapter.InboundContext) bool {
 	if r.isSource || metadata.IPCIDRMatchSource {
 		return r.ipSet.Contains(metadata.Source.Addr)
 	}
+	if metadata.DestinationAddressMatchFromResponse {
+		addresses := metadata.DNSResponseAddressesForMatch()
+		if len(addresses) == 0 {
+			// Legacy rule_set_ip_cidr_accept_empty only applies when the DNS response
+			// does not expose any address answers for matching.
+			return metadata.IPCIDRAcceptEmpty
+		}
+		for _, address := range addresses {
+			if r.ipSet.Contains(address) {
+				return true
+			}
+		}
+		return false
+	}
 	if metadata.Destination.IsIP() {
 		return r.ipSet.Contains(metadata.Destination.Addr)
 	}
-	if len(metadata.DestinationAddresses) > 0 {
-		for _, address := range metadata.DestinationAddresses {
+	addresses := metadata.DestinationAddresses
+	if len(addresses) > 0 {
+		for _, address := range addresses {
 			if r.ipSet.Contains(address) {
 				return true
 			}

route/rule/rule_item_ip_accept_any.go

@@ -13,6 +13,9 @@ func NewIPAcceptAnyItem() *IPAcceptAnyItem {
 }
 
 func (r *IPAcceptAnyItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.DestinationAddressMatchFromResponse {
+		return len(metadata.DNSResponseAddressesForMatch()) > 0
+	}
 	return len(metadata.DestinationAddresses) > 0
 }
 

route/rule/rule_item_ip_is_private.go

@@ -1,8 +1,6 @@
 package rule
 
 import (
-	"net/netip"
-
 	"github.com/sagernet/sing-box/adapter"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -18,21 +16,24 @@ func NewIPIsPrivateItem(isSource bool) *IPIsPrivateItem {
 }
 
 func (r *IPIsPrivateItem) Match(metadata *adapter.InboundContext) bool {
-	var destination netip.Addr
 	if r.isSource {
-		destination = metadata.Source.Addr
-	} else {
-		destination = metadata.Destination.Addr
+		return !N.IsPublicAddr(metadata.Source.Addr)
 	}
-	if destination.IsValid() {
-		return !N.IsPublicAddr(destination)
-	}
-	if !r.isSource {
-		for _, destinationAddress := range metadata.DestinationAddresses {
+	if metadata.DestinationAddressMatchFromResponse {
+		for _, destinationAddress := range metadata.DNSResponseAddressesForMatch() {
 			if !N.IsPublicAddr(destinationAddress) {
 				return true
 			}
 		}
+		return false
+	}
+	if metadata.Destination.Addr.IsValid() {
+		return !N.IsPublicAddr(metadata.Destination.Addr)
+	}
+	for _, destinationAddress := range metadata.DestinationAddresses {
+		if !N.IsPublicAddr(destinationAddress) {
+			return true
+		}
 	}
 	return false
 }

route/rule/rule_item_response_rcode.go

@@ -0,0 +1,24 @@
+package rule
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*DNSResponseRCodeItem)(nil)
+
+type DNSResponseRCodeItem struct {
+	rcode int
+}
+
+func NewDNSResponseRCodeItem(rcode int) *DNSResponseRCodeItem {
+	return &DNSResponseRCodeItem{rcode: rcode}
+}
+
+func (r *DNSResponseRCodeItem) Match(metadata *adapter.InboundContext) bool {
+	return metadata.DNSResponse != nil && metadata.DNSResponse.Rcode == r.rcode
+}
+
+func (r *DNSResponseRCodeItem) String() string {
+	return F.ToString("response_rcode=", r.rcode)
+}

route/rule/rule_item_response_record.go

@@ -0,0 +1,63 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+
+	"github.com/miekg/dns"
+)
+
+var _ RuleItem = (*DNSResponseRecordItem)(nil)
+
+type DNSResponseRecordItem struct {
+	field    string
+	records  []option.DNSRecordOptions
+	selector func(*dns.Msg) []dns.RR
+}
+
+func NewDNSResponseRecordItem(field string, records []option.DNSRecordOptions, selector func(*dns.Msg) []dns.RR) *DNSResponseRecordItem {
+	return &DNSResponseRecordItem{
+		field:    field,
+		records:  records,
+		selector: selector,
+	}
+}
+
+func (r *DNSResponseRecordItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.DNSResponse == nil {
+		return false
+	}
+	records := r.selector(metadata.DNSResponse)
+	for _, expected := range r.records {
+		for _, record := range records {
+			if expected.Match(record) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (r *DNSResponseRecordItem) String() string {
+	descriptions := make([]string, 0, len(r.records))
+	for _, record := range r.records {
+		if record.RR != nil {
+			descriptions = append(descriptions, record.RR.String())
+		}
+	}
+	return r.field + "=[" + strings.Join(descriptions, " ") + "]"
+}
+
+func dnsResponseAnswers(message *dns.Msg) []dns.RR {
+	return message.Answer
+}
+
+func dnsResponseNS(message *dns.Msg) []dns.RR {
+	return message.Ns
+}
+
+func dnsResponseExtra(message *dns.Msg) []dns.RR {
+	return message.Extra
+}

route/rule/rule_item_rule_set.go

@@ -29,9 +29,11 @@ func NewRuleSetItem(router adapter.Router, tagList []string, ipCIDRMatchSource b
 }
 
 func (r *RuleSetItem) Start() error {
+	_ = r.Close()
 	for _, tag := range r.tagList {
 		ruleSet, loaded := r.router.RuleSet(tag)
 		if !loaded {
+			_ = r.Close()
 			return E.New("rule-set not found: ", tag)
 		}
 		ruleSet.IncRef()
@@ -40,6 +42,15 @@ func (r *RuleSetItem) Start() error {
 	return nil
 }
 
+func (r *RuleSetItem) Close() error {
+	for _, ruleSet := range r.setList {
+		ruleSet.DecRef()
+	}
+	clear(r.setList)
+	r.setList = nil
+	return nil
+}
+
 func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
 	return !r.matchStates(metadata).isEmpty()
 }

route/rule/rule_item_rule_set_test.go

@@ -0,0 +1,139 @@
+package rule
+
+import (
+	"context"
+	"net"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-tun"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
+
+	"github.com/stretchr/testify/require"
+	"go4.org/netipx"
+)
+
+type ruleSetItemTestRouter struct {
+	ruleSets map[string]adapter.RuleSet
+}
+
+func (r *ruleSetItemTestRouter) Start(adapter.StartStage) error { return nil }
+func (r *ruleSetItemTestRouter) Close() error                   { return nil }
+func (r *ruleSetItemTestRouter) PreMatch(adapter.InboundContext, tun.DirectRouteContext, time.Duration, bool) (tun.DirectRouteDestination, error) {
+	return nil, nil
+}
+
+func (r *ruleSetItemTestRouter) RouteConnection(context.Context, net.Conn, adapter.InboundContext) error {
+	return nil
+}
+
+func (r *ruleSetItemTestRouter) RoutePacketConnection(context.Context, N.PacketConn, adapter.InboundContext) error {
+	return nil
+}
+
+func (r *ruleSetItemTestRouter) RouteConnectionEx(context.Context, net.Conn, adapter.InboundContext, N.CloseHandlerFunc) {
+}
+
+func (r *ruleSetItemTestRouter) RoutePacketConnectionEx(context.Context, N.PacketConn, adapter.InboundContext, N.CloseHandlerFunc) {
+}
+
+func (r *ruleSetItemTestRouter) RuleSet(tag string) (adapter.RuleSet, bool) {
+	ruleSet, loaded := r.ruleSets[tag]
+	return ruleSet, loaded
+}
+func (r *ruleSetItemTestRouter) Rules() []adapter.Rule                      { return nil }
+func (r *ruleSetItemTestRouter) NeedFindProcess() bool                      { return false }
+func (r *ruleSetItemTestRouter) NeedFindNeighbor() bool                     { return false }
+func (r *ruleSetItemTestRouter) NeighborResolver() adapter.NeighborResolver { return nil }
+func (r *ruleSetItemTestRouter) AppendTracker(adapter.ConnectionTracker)    {}
+func (r *ruleSetItemTestRouter) ResetNetwork()                              {}
+
+type countingRuleSet struct {
+	name string
+	refs atomic.Int32
+}
+
+func (s *countingRuleSet) Name() string                                                  { return s.name }
+func (s *countingRuleSet) StartContext(context.Context, *adapter.HTTPStartContext) error { return nil }
+func (s *countingRuleSet) PostStart() error                                              { return nil }
+func (s *countingRuleSet) Metadata() adapter.RuleSetMetadata                             { return adapter.RuleSetMetadata{} }
+func (s *countingRuleSet) ExtractIPSet() []*netipx.IPSet                                 { return nil }
+func (s *countingRuleSet) IncRef()                                                       { s.refs.Add(1) }
+func (s *countingRuleSet) DecRef() {
+	if s.refs.Add(-1) < 0 {
+		panic("rule-set: negative refs")
+	}
+}
+func (s *countingRuleSet) Cleanup() {}
+func (s *countingRuleSet) RegisterCallback(adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	return nil
+}
+func (s *countingRuleSet) UnregisterCallback(*list.Element[adapter.RuleSetUpdateCallback]) {}
+func (s *countingRuleSet) Close() error                                                    { return nil }
+func (s *countingRuleSet) Match(*adapter.InboundContext) bool                              { return true }
+func (s *countingRuleSet) String() string                                                  { return s.name }
+func (s *countingRuleSet) RefCount() int32                                                 { return s.refs.Load() }
+
+func TestRuleSetItemCloseReleasesRefs(t *testing.T) {
+	t.Parallel()
+
+	firstSet := &countingRuleSet{name: "first"}
+	secondSet := &countingRuleSet{name: "second"}
+	item := NewRuleSetItem(&ruleSetItemTestRouter{
+		ruleSets: map[string]adapter.RuleSet{
+			"first":  firstSet,
+			"second": secondSet,
+		},
+	}, []string{"first", "second"}, false, false)
+
+	require.NoError(t, item.Start())
+	require.EqualValues(t, 1, firstSet.RefCount())
+	require.EqualValues(t, 1, secondSet.RefCount())
+
+	require.NoError(t, item.Close())
+	require.Zero(t, firstSet.RefCount())
+	require.Zero(t, secondSet.RefCount())
+
+	require.NoError(t, item.Close())
+	require.Zero(t, firstSet.RefCount())
+	require.Zero(t, secondSet.RefCount())
+}
+
+func TestRuleSetItemStartRollbackOnFailure(t *testing.T) {
+	t.Parallel()
+
+	firstSet := &countingRuleSet{name: "first"}
+	item := NewRuleSetItem(&ruleSetItemTestRouter{
+		ruleSets: map[string]adapter.RuleSet{
+			"first": firstSet,
+		},
+	}, []string{"first", "missing"}, false, false)
+
+	err := item.Start()
+	require.ErrorContains(t, err, "rule-set not found: missing")
+	require.Zero(t, firstSet.RefCount())
+	require.Empty(t, item.setList)
+}
+
+func TestRuleSetItemRestartKeepsBalancedRefs(t *testing.T) {
+	t.Parallel()
+
+	firstSet := &countingRuleSet{name: "first"}
+	item := NewRuleSetItem(&ruleSetItemTestRouter{
+		ruleSets: map[string]adapter.RuleSet{
+			"first": firstSet,
+		},
+	}, []string{"first"}, false, false)
+
+	require.NoError(t, item.Start())
+	require.EqualValues(t, 1, firstSet.RefCount())
+
+	require.NoError(t, item.Start())
+	require.EqualValues(t, 1, firstSet.RefCount())
+
+	require.NoError(t, item.Close())
+	require.Zero(t, firstSet.RefCount())
+}

route/rule/rule_set.go

@@ -69,3 +69,7 @@ func isWIFIHeadlessRule(rule option.DefaultHeadlessRule) bool {
 func isIPCIDRHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.IPCIDR) > 0 || rule.IPSet != nil
 }
+
+func isDNSQueryTypeHeadlessRule(rule option.DefaultHeadlessRule) bool {
+	return len(rule.QueryType) > 0
+}

route/rule/rule_set_local.go

@@ -141,6 +141,7 @@ func (s *LocalRuleSet) reloadRules(headlessRules []option.HeadlessRule) error {
 	metadata.ContainsProcessRule = HasHeadlessRule(headlessRules, isProcessHeadlessRule)
 	metadata.ContainsWIFIRule = HasHeadlessRule(headlessRules, isWIFIHeadlessRule)
 	metadata.ContainsIPCIDRRule = HasHeadlessRule(headlessRules, isIPCIDRHeadlessRule)
+	metadata.ContainsDNSQueryTypeRule = HasHeadlessRule(headlessRules, isDNSQueryTypeHeadlessRule)
 	s.access.Lock()
 	s.rules = rules
 	s.metadata = metadata

route/rule/rule_set_remote.go

@@ -193,6 +193,7 @@ func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	s.metadata.ContainsProcessRule = HasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	s.metadata.ContainsWIFIRule = HasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	s.metadata.ContainsIPCIDRRule = HasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
+	s.metadata.ContainsDNSQueryTypeRule = HasHeadlessRule(plainRuleSet.Rules, isDNSQueryTypeHeadlessRule)
 	s.rules = rules
 	callbacks := s.callbacks.Array()
 	s.access.Unlock()

route/rule/rule_set_semantics_test.go

@@ -2,6 +2,7 @@ package rule
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"strings"
 	"testing"
@@ -14,6 +15,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
+	mDNS "github.com/miekg/dns"
 	"github.com/stretchr/testify/require"
 )
 
@@ -581,7 +583,7 @@ func TestDNSRuleSetSemantics(t *testing.T) {
 			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
 			addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
 		})
-		require.True(t, rule.MatchAddressLimit(&metadata))
+		require.True(t, rule.MatchAddressLimit(&metadata, dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))))
 	})
 	t.Run("dns keeps ruleset or semantics", func(t *testing.T) {
 		t.Parallel()
@@ -596,7 +598,7 @@ func TestDNSRuleSetSemantics(t *testing.T) {
 			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{emptyStateSet, destinationStateSet}})
 			addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
 		})
-		require.True(t, rule.MatchAddressLimit(&metadata))
+		require.True(t, rule.MatchAddressLimit(&metadata, dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))))
 	})
 	t.Run("ruleset ip cidr flags stay scoped", func(t *testing.T) {
 		t.Parallel()
@@ -610,10 +612,508 @@ func TestDNSRuleSetSemantics(t *testing.T) {
 				ipCidrAcceptEmpty: true,
 			})
 		})
-		require.True(t, rule.MatchAddressLimit(&metadata))
+		require.True(t, rule.MatchAddressLimit(&metadata, dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))))
+		require.False(t, rule.MatchAddressLimit(&metadata, dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))))
+		require.True(t, rule.MatchAddressLimit(&metadata, dnsResponseForTest()))
 		require.False(t, metadata.IPCIDRMatchSource)
 		require.False(t, metadata.IPCIDRAcceptEmpty)
 	})
+	t.Run("pre lookup ruleset only deferred fields fail closed", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("lookup.example")
+		ruleSet := newLocalRuleSetForTest("dns-prelookup-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+		}))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		// This is accepted without match_response so mixed rule_set deployments keep
+		// working; the destination-IP-only branch simply cannot match before a DNS
+		// response is available.
+		require.False(t, rule.Match(&metadata))
+	})
+	t.Run("pre lookup ruleset destination cidr does not fall back to other predicates", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("lookup.example")
+		ruleSet := newLocalRuleSetForTest("dns-prelookup-network-and-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+			addOtherItem(rule, NewNetworkItem([]string{N.NetworkTCP}))
+			addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+		}))
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		require.False(t, rule.Match(&metadata))
+	})
+	t.Run("pre lookup mixed ruleset still matches non response branch", func(t *testing.T) {
+		t.Parallel()
+		metadata := testMetadata("www.example.com")
+		ruleSet := newLocalRuleSetForTest(
+			"dns-prelookup-mixed",
+			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				addOtherItem(rule, NewNetworkItem([]string{N.NetworkTCP}))
+				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+			}),
+			headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+				addDestinationAddressItem(t, rule, nil, []string{"example.com"})
+			}),
+		)
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+		// Destination-IP predicates inside rule_set fail closed before the DNS response,
+		// but they must not force validation errors or suppress sibling non-response
+		// branches.
+		require.True(t, rule.Match(&metadata))
+	})
+}
+
+func TestDNSMatchResponseRuleSetDestinationCIDRUsesDNSResponse(t *testing.T) {
+	t.Parallel()
+
+	ruleSet := newLocalRuleSetForTest("dns-response-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+		addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+	}))
+	rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+		addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+	})
+	rule.matchResponse = true
+
+	matchedMetadata := testMetadata("lookup.example")
+	matchedMetadata.DNSResponse = dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))
+	require.True(t, rule.Match(&matchedMetadata))
+	require.Empty(t, matchedMetadata.DestinationAddresses)
+
+	unmatchedMetadata := testMetadata("lookup.example")
+	unmatchedMetadata.DNSResponse = dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))
+	require.False(t, rule.Match(&unmatchedMetadata))
+}
+
+func TestDNSMatchResponseMissingResponseUsesBooleanSemantics(t *testing.T) {
+	t.Parallel()
+
+	t.Run("plain rule remains false", func(t *testing.T) {
+		t.Parallel()
+
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {})
+		rule.matchResponse = true
+
+		metadata := testMetadata("lookup.example")
+		require.False(t, rule.Match(&metadata))
+	})
+
+	t.Run("invert rule becomes true", func(t *testing.T) {
+		t.Parallel()
+
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			rule.invert = true
+		})
+		rule.matchResponse = true
+
+		metadata := testMetadata("lookup.example")
+		require.True(t, rule.Match(&metadata))
+	})
+
+	t.Run("logical wrapper respects inverted child", func(t *testing.T) {
+		t.Parallel()
+
+		nestedRule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			rule.invert = true
+		})
+		nestedRule.matchResponse = true
+
+		logicalRule := &LogicalDNSRule{
+			abstractLogicalRule: abstractLogicalRule{
+				rules: []adapter.HeadlessRule{nestedRule},
+				mode:  C.LogicalTypeAnd,
+			},
+		}
+
+		metadata := testMetadata("lookup.example")
+		require.True(t, logicalRule.Match(&metadata))
+	})
+}
+
+func TestDNSLegacyMatchResponseMissingResponseStillFailsClosed(t *testing.T) {
+	t.Parallel()
+
+	rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+		rule.invert = true
+	})
+	rule.matchResponse = true
+
+	metadata := testMetadata("lookup.example")
+	require.False(t, rule.LegacyPreMatch(&metadata))
+}
+
+func TestDNSAddressLimitIgnoresDestinationAddresses(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name              string
+		build             func(*testing.T, *abstractDefaultRule)
+		matchedResponse   *mDNS.Msg
+		unmatchedResponse *mDNS.Msg
+	}{
+		{
+			name: "ip_cidr",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("203.0.113.1")),
+			unmatchedResponse: dnsResponseForTest(netip.MustParseAddr("8.8.8.8")),
+		},
+		{
+			name: "ip_is_private",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPIsPrivateItem(rule)
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("10.0.0.1")),
+			unmatchedResponse: dnsResponseForTest(netip.MustParseAddr("8.8.8.8")),
+		},
+		{
+			name: "ip_accept_any",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPAcceptAnyItem(rule)
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("203.0.113.1")),
+			unmatchedResponse: dnsResponseForTest(),
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+				testCase.build(t, rule)
+			})
+
+			mismatchMetadata := testMetadata("lookup.example")
+			mismatchMetadata.DestinationAddresses = []netip.Addr{netip.MustParseAddr("203.0.113.1")}
+			require.False(t, rule.MatchAddressLimit(&mismatchMetadata, testCase.unmatchedResponse))
+
+			matchMetadata := testMetadata("lookup.example")
+			matchMetadata.DestinationAddresses = []netip.Addr{netip.MustParseAddr("8.8.8.8")}
+			require.True(t, rule.MatchAddressLimit(&matchMetadata, testCase.matchedResponse))
+		})
+	}
+}
+
+func TestDNSLegacyAddressLimitPreLookupDefersDirectRules(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name              string
+		build             func(*testing.T, *abstractDefaultRule)
+		matchedResponse   *mDNS.Msg
+		unmatchedResponse *mDNS.Msg
+	}{
+		{
+			name: "ip_cidr",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("203.0.113.1")),
+			unmatchedResponse: dnsResponseForTest(netip.MustParseAddr("8.8.8.8")),
+		},
+		{
+			name: "ip_is_private",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPIsPrivateItem(rule)
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("10.0.0.1")),
+			unmatchedResponse: dnsResponseForTest(netip.MustParseAddr("8.8.8.8")),
+		},
+		{
+			name: "ip_accept_any",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPAcceptAnyItem(rule)
+			},
+			matchedResponse:   dnsResponseForTest(netip.MustParseAddr("203.0.113.1")),
+			unmatchedResponse: dnsResponseForTest(),
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+				testCase.build(t, rule)
+			})
+
+			preLookupMetadata := testMetadata("lookup.example")
+			require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+			matchedMetadata := testMetadata("lookup.example")
+			require.True(t, rule.MatchAddressLimit(&matchedMetadata, testCase.matchedResponse))
+
+			unmatchedMetadata := testMetadata("lookup.example")
+			require.False(t, rule.MatchAddressLimit(&unmatchedMetadata, testCase.unmatchedResponse))
+		})
+	}
+}
+
+func TestDNSLegacyAddressLimitPreLookupDefersRuleSetDestinationCIDR(t *testing.T) {
+	t.Parallel()
+
+	ruleSet := newLocalRuleSetForTest("dns-legacy-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+		addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+	}))
+	rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+		addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+	})
+
+	preLookupMetadata := testMetadata("lookup.example")
+	require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+	matchedMetadata := testMetadata("lookup.example")
+	require.True(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))))
+
+	unmatchedMetadata := testMetadata("lookup.example")
+	require.False(t, rule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))))
+}
+
+func TestDNSLegacyLogicalAddressLimitPreLookupDefersNestedRules(t *testing.T) {
+	t.Parallel()
+
+	nestedRule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+		addDestinationIPIsPrivateItem(rule)
+	})
+	logicalRule := &LogicalDNSRule{
+		abstractLogicalRule: abstractLogicalRule{
+			rules: []adapter.HeadlessRule{nestedRule},
+			mode:  C.LogicalTypeAnd,
+		},
+	}
+
+	preLookupMetadata := testMetadata("lookup.example")
+	require.True(t, logicalRule.LegacyPreMatch(&preLookupMetadata))
+
+	matchedMetadata := testMetadata("lookup.example")
+	require.True(t, logicalRule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(netip.MustParseAddr("10.0.0.1"))))
+
+	unmatchedMetadata := testMetadata("lookup.example")
+	require.False(t, logicalRule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))))
+}
+
+func TestDNSLegacyInvertAddressLimitPreLookupRegression(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name           string
+		build          func(*testing.T, *abstractDefaultRule)
+		matchedAddrs   []netip.Addr
+		unmatchedAddrs []netip.Addr
+	}{
+		{
+			name: "ip_cidr",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+			},
+			matchedAddrs:   []netip.Addr{netip.MustParseAddr("203.0.113.1")},
+			unmatchedAddrs: []netip.Addr{netip.MustParseAddr("8.8.8.8")},
+		},
+		{
+			name: "ip_is_private",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPIsPrivateItem(rule)
+			},
+			matchedAddrs:   []netip.Addr{netip.MustParseAddr("10.0.0.1")},
+			unmatchedAddrs: []netip.Addr{netip.MustParseAddr("8.8.8.8")},
+		},
+		{
+			name: "ip_accept_any",
+			build: func(t *testing.T, rule *abstractDefaultRule) {
+				t.Helper()
+				addDestinationIPAcceptAnyItem(rule)
+			},
+			matchedAddrs: []netip.Addr{netip.MustParseAddr("203.0.113.1")},
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+				rule.invert = true
+				testCase.build(t, rule)
+			})
+
+			preLookupMetadata := testMetadata("lookup.example")
+			require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+			matchedMetadata := testMetadata("lookup.example")
+			require.False(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(testCase.matchedAddrs...)))
+
+			unmatchedMetadata := testMetadata("lookup.example")
+			require.True(t, rule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(testCase.unmatchedAddrs...)))
+		})
+	}
+}
+
+func TestDNSLegacyInvertLogicalAddressLimitPreLookupRegression(t *testing.T) {
+	t.Parallel()
+
+	t.Run("wrapper invert keeps nested deferred rule matchable", func(t *testing.T) {
+		t.Parallel()
+
+		nestedRule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			addDestinationIPIsPrivateItem(rule)
+		})
+		logicalRule := &LogicalDNSRule{
+			abstractLogicalRule: abstractLogicalRule{
+				rules:  []adapter.HeadlessRule{nestedRule},
+				mode:   C.LogicalTypeAnd,
+				invert: true,
+			},
+		}
+
+		preLookupMetadata := testMetadata("lookup.example")
+		require.True(t, logicalRule.LegacyPreMatch(&preLookupMetadata))
+
+		matchedMetadata := testMetadata("lookup.example")
+		require.False(t, logicalRule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(netip.MustParseAddr("10.0.0.1"))))
+
+		unmatchedMetadata := testMetadata("lookup.example")
+		require.True(t, logicalRule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))))
+	})
+
+	t.Run("inverted deferred child does not suppress branch", func(t *testing.T) {
+		t.Parallel()
+
+		logicalRule := &LogicalDNSRule{
+			abstractLogicalRule: abstractLogicalRule{
+				rules: []adapter.HeadlessRule{
+					dnsRuleForTest(func(rule *abstractDefaultRule) {
+						rule.invert = true
+						addDestinationIPIsPrivateItem(rule)
+					}),
+				},
+				mode: C.LogicalTypeAnd,
+			},
+		}
+
+		preLookupMetadata := testMetadata("lookup.example")
+		require.True(t, logicalRule.LegacyPreMatch(&preLookupMetadata))
+	})
+}
+
+func TestDNSLegacyInvertRuleSetAddressLimitPreLookupRegression(t *testing.T) {
+	t.Parallel()
+
+	ruleSet := newLocalRuleSetForTest("dns-legacy-invert-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+		rule.invert = true
+		addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
+	}))
+	rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+		addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+	})
+
+	preLookupMetadata := testMetadata("lookup.example")
+	require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+	matchedMetadata := testMetadata("lookup.example")
+	require.False(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(netip.MustParseAddr("203.0.113.1"))))
+
+	unmatchedMetadata := testMetadata("lookup.example")
+	require.True(t, rule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(netip.MustParseAddr("8.8.8.8"))))
+}
+
+func TestDNSLegacyInvertNegationStressRegression(t *testing.T) {
+	t.Parallel()
+
+	const branchCount = 20
+	unmatchedResponse := dnsResponseForTest(netip.MustParseAddr("203.0.113.250"))
+
+	t.Run("logical wrapper", func(t *testing.T) {
+		t.Parallel()
+
+		branches := make([]adapter.HeadlessRule, 0, branchCount)
+		var matchedAddrs []netip.Addr
+		for i := 0; i < branchCount; i++ {
+			firstCIDR, secondCIDR, branchAddrs := legacyNegationBranchCIDRs(i)
+			if matchedAddrs == nil {
+				matchedAddrs = branchAddrs
+			}
+			branches = append(branches, &LogicalDNSRule{
+				abstractLogicalRule: abstractLogicalRule{
+					mode: C.LogicalTypeAnd,
+					rules: []adapter.HeadlessRule{
+						dnsRuleForTest(func(rule *abstractDefaultRule) {
+							addDestinationIPCIDRItem(t, rule, []string{firstCIDR})
+						}),
+						dnsRuleForTest(func(rule *abstractDefaultRule) {
+							addDestinationIPCIDRItem(t, rule, []string{secondCIDR})
+						}),
+					},
+				},
+			})
+		}
+
+		rule := &LogicalDNSRule{
+			abstractLogicalRule: abstractLogicalRule{
+				rules:  branches,
+				mode:   C.LogicalTypeOr,
+				invert: true,
+			},
+		}
+
+		preLookupMetadata := testMetadata("lookup.example")
+		require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+		matchedMetadata := testMetadata("lookup.example")
+		require.False(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(matchedAddrs...)))
+
+		unmatchedMetadata := testMetadata("lookup.example")
+		require.True(t, rule.MatchAddressLimit(&unmatchedMetadata, unmatchedResponse))
+	})
+
+	t.Run("ruleset wrapper", func(t *testing.T) {
+		t.Parallel()
+
+		branches := make([]adapter.HeadlessRule, 0, branchCount)
+		var matchedAddrs []netip.Addr
+		for i := 0; i < branchCount; i++ {
+			firstCIDR, secondCIDR, branchAddrs := legacyNegationBranchCIDRs(i)
+			if matchedAddrs == nil {
+				matchedAddrs = branchAddrs
+			}
+			branches = append(branches, headlessLogicalRule(
+				C.LogicalTypeAnd,
+				false,
+				headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+					addDestinationIPCIDRItem(t, rule, []string{firstCIDR})
+				}),
+				headlessDefaultRule(t, func(rule *abstractDefaultRule) {
+					addDestinationIPCIDRItem(t, rule, []string{secondCIDR})
+				}),
+			))
+		}
+
+		ruleSet := newLocalRuleSetForTest("dns-legacy-negation-stress", branches...)
+		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
+			rule.invert = true
+			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
+		})
+
+		preLookupMetadata := testMetadata("lookup.example")
+		require.True(t, rule.LegacyPreMatch(&preLookupMetadata))
+
+		matchedMetadata := testMetadata("lookup.example")
+		require.False(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(matchedAddrs...)))
+
+		unmatchedMetadata := testMetadata("lookup.example")
+		require.True(t, rule.MatchAddressLimit(&unmatchedMetadata, unmatchedResponse))
+	})
 }
 
 func TestDNSInvertAddressLimitPreLookupRegression(t *testing.T) {
@@ -665,14 +1165,14 @@ func TestDNSInvertAddressLimitPreLookupRegression(t *testing.T) {
 
 			matchedMetadata := testMetadata("lookup.example")
 			matchedMetadata.DestinationAddresses = testCase.matchedAddrs
-			require.False(t, rule.MatchAddressLimit(&matchedMetadata))
+			require.False(t, rule.MatchAddressLimit(&matchedMetadata, dnsResponseForTest(testCase.matchedAddrs...)))
 
 			unmatchedMetadata := testMetadata("lookup.example")
 			unmatchedMetadata.DestinationAddresses = testCase.unmatchedAddrs
-			require.True(t, rule.MatchAddressLimit(&unmatchedMetadata))
+			require.True(t, rule.MatchAddressLimit(&unmatchedMetadata, dnsResponseForTest(testCase.unmatchedAddrs...)))
 		})
 	}
-	t.Run("mixed resolved and deferred fields keep old pre lookup false", func(t *testing.T) {
+	t.Run("mixed resolved and deferred fields invert matches pre lookup", func(t *testing.T) {
 		t.Parallel()
 		metadata := testMetadata("lookup.example")
 		rule := dnsRuleForTest(func(rule *abstractDefaultRule) {
@@ -680,9 +1180,9 @@ func TestDNSInvertAddressLimitPreLookupRegression(t *testing.T) {
 			addOtherItem(rule, NewNetworkItem([]string{N.NetworkTCP}))
 			addDestinationIPCIDRItem(t, rule, []string{"203.0.113.0/24"})
 		})
-		require.False(t, rule.Match(&metadata))
+		require.True(t, rule.Match(&metadata))
 	})
-	t.Run("ruleset only deferred fields keep old pre lookup false", func(t *testing.T) {
+	t.Run("ruleset only deferred fields invert matches pre lookup", func(t *testing.T) {
 		t.Parallel()
 		metadata := testMetadata("lookup.example")
 		ruleSet := newLocalRuleSetForTest("dns-ruleset-ipcidr", headlessDefaultRule(t, func(rule *abstractDefaultRule) {
@@ -692,7 +1192,7 @@ func TestDNSInvertAddressLimitPreLookupRegression(t *testing.T) {
 			rule.invert = true
 			addRuleSetItem(rule, &RuleSetItem{setList: []adapter.RuleSet{ruleSet}})
 		})
-		require.False(t, rule.Match(&metadata))
+		require.True(t, rule.Match(&metadata))
 	})
 }
 
@@ -763,6 +1263,45 @@ func testMetadata(domain string) adapter.InboundContext {
 	}
 }
 
+func dnsResponseForTest(addresses ...netip.Addr) *mDNS.Msg {
+	response := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Response: true,
+			Rcode:    mDNS.RcodeSuccess,
+		},
+	}
+	for _, address := range addresses {
+		if address.Is4() {
+			response.Answer = append(response.Answer, &mDNS.A{
+				Hdr: mDNS.RR_Header{
+					Name:   mDNS.Fqdn("lookup.example"),
+					Rrtype: mDNS.TypeA,
+					Class:  mDNS.ClassINET,
+					Ttl:    60,
+				},
+				A: net.IP(append([]byte(nil), address.AsSlice()...)),
+			})
+		} else {
+			response.Answer = append(response.Answer, &mDNS.AAAA{
+				Hdr: mDNS.RR_Header{
+					Name:   mDNS.Fqdn("lookup.example"),
+					Rrtype: mDNS.TypeAAAA,
+					Class:  mDNS.ClassINET,
+					Ttl:    60,
+				},
+				AAAA: net.IP(append([]byte(nil), address.AsSlice()...)),
+			})
+		}
+	}
+	return response
+}
+
+func legacyNegationBranchCIDRs(index int) (string, string, []netip.Addr) {
+	first := netip.AddrFrom4([4]byte{198, 18, 0, byte(index*2 + 1)})
+	second := netip.AddrFrom4([4]byte{198, 18, 0, byte(index*2 + 2)})
+	return first.String() + "/32", second.String() + "/32", []netip.Addr{first, second}
+}
+
 func addRuleSetItem(rule *abstractDefaultRule, item *RuleSetItem) {
 	rule.ruleSetItem = item
 	rule.allItems = append(rule.allItems, item)