option: add round-trip test for DNSRuleAction with evaluate action

dns: add evaluate integration tests for response_rcode, response_ns, response_extra
dns: remove redundant DNSResponse assignment in addressLimitResponseCheck
2026-04-14 04:38:28 +10:00 · 2026-03-31 17:52:54 +08:00 · 2026-03-31 17:45:35 +08:00 · 2026-03-31 17:39:51 +08:00 · 2026-03-31 17:31:09 +08:00 · 2026-03-31 17:28:52 +08:00
268 changed files with 12727 additions and 25511 deletions
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-335e5bef5d88fc4474c9a70b865561f45a67de83
+ea7cd33752aed62603775af3df946c1b83f4b0b3
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -3,7 +3,6 @@ package adapter
 import (
 	"context"
 	"net/netip"
-	"time"

 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -32,13 +31,12 @@ type DNSClient interface {
 }

 type DNSQueryOptions struct {
-	Transport              DNSTransport
-	Strategy               C.DomainStrategy
-	LookupStrategy         C.DomainStrategy
-	DisableCache           bool
-	DisableOptimisticCache bool
-	RewriteTTL             *uint32
-	ClientSubnet           netip.Prefix
+	Transport      DNSTransport
+	Strategy       C.DomainStrategy
+	LookupStrategy C.DomainStrategy
+	DisableCache   bool
+	RewriteTTL     *uint32
+	ClientSubnet   netip.Prefix
 }

 func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptions) (*DNSQueryOptions, error) {
@@ -51,12 +49,11 @@ func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptio
 		return nil, E.New("domain resolver not found: " + options.Server)
 	}
 	return &DNSQueryOptions{
-		Transport:              transport,
-		Strategy:               C.DomainStrategy(options.Strategy),
-		DisableCache:           options.DisableCache,
-		DisableOptimisticCache: options.DisableOptimisticCache,
-		RewriteTTL:             options.RewriteTTL,
-		ClientSubnet:           options.ClientSubnet.Build(netip.Prefix{}),
+		Transport:    transport,
+		Strategy:     C.DomainStrategy(options.Strategy),
+		DisableCache: options.DisableCache,
+		RewriteTTL:   options.RewriteTTL,
+		ClientSubnet: options.ClientSubnet.Build(netip.Prefix{}),
 	}, nil
 }

@@ -66,13 +63,6 @@ type RDRCStore interface {
 	SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger)
 }

-type DNSCacheStore interface {
-	LoadDNSCache(transportName string, qName string, qType uint16) (rawMessage []byte, expireAt time.Time, loaded bool)
-	SaveDNSCache(transportName string, qName string, qType uint16, rawMessage []byte, expireAt time.Time) error
-	SaveDNSCacheAsync(transportName string, qName string, qType uint16, rawMessage []byte, expireAt time.Time, logger logger.Logger)
-	ClearDNSCache() error
-}
-
 type DNSTransport interface {
 	Lifecycle
 	Type() string
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -47,12 +47,6 @@ type CacheFile interface {
 	StoreRDRC() bool
 	RDRCStore

-	StoreDNS() bool
-	DNSCacheStore
-
-	SetDisableExpire(disableExpire bool)
-	SetOptimisticTimeout(timeout time.Duration)
-
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
--- a/adapter/http.go
+++ b/adapter/http.go
@@ -1,22 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/logger"
-)
-
-type HTTPTransport interface {
-	http.RoundTripper
-	CloseIdleConnections()
-	Clone() HTTPTransport
-	Close() error
-}
-
-type HTTPClientManager interface {
-	ResolveTransport(ctx context.Context, logger logger.ContextLogger, options option.HTTPClientOptions) (HTTPTransport, error)
-	DefaultTransport() HTTPTransport
-	ResetNetwork()
-}
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -99,10 +99,9 @@ type InboundContext struct {

 	SourceAddressMatch           bool
 	SourcePortMatch              bool
-	DestinationAddressMatch      bool
-	DestinationPortMatch         bool
-	DidMatch                     bool
-	IgnoreDestinationIPCIDRMatch bool
+	DestinationAddressMatch bool
+	DestinationPortMatch    bool
+	DidMatch                bool
 }

 func (c *InboundContext) ResetRuleCache() {
@@ -131,31 +130,19 @@ func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
 	for _, rawRecord := range response.Answer {
 		switch record := rawRecord.(type) {
 		case *dns.A:
-			addr := M.AddrFromIP(record.A)
-			if addr.IsValid() {
-				addresses = append(addresses, addr)
-			}
+			addresses = append(addresses, M.AddrFromIP(record.A))
 		case *dns.AAAA:
-			addr := M.AddrFromIP(record.AAAA)
-			if addr.IsValid() {
-				addresses = append(addresses, addr)
-			}
+			addresses = append(addresses, M.AddrFromIP(record.AAAA))
 		case *dns.HTTPS:
 			for _, value := range record.SVCB.Value {
 				switch hint := value.(type) {
 				case *dns.SVCBIPv4Hint:
 					for _, ip := range hint.Hint {
-						addr := M.AddrFromIP(ip).Unmap()
-						if addr.IsValid() {
-							addresses = append(addresses, addr)
-						}
+						addresses = append(addresses, M.AddrFromIP(ip).Unmap())
 					}
 				case *dns.SVCBIPv6Hint:
 					for _, ip := range hint.Hint {
-						addr := M.AddrFromIP(ip)
-						if addr.IsValid() {
-							addresses = append(addresses, addr)
-						}
+						addresses = append(addresses, M.AddrFromIP(ip))
 					}
 				}
 			}
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,11 +2,17 @@ package adapter

 import (
 	"context"
+	"crypto/tls"
 	"net"
+	"net/http"
+	"sync"
 	"time"

+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-tun"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/x/list"

 	"go4.org/netipx"
@@ -45,7 +51,7 @@ type ConnectionRouterEx interface {

 type RuleSet interface {
 	Name() string
-	StartContext(ctx context.Context) error
+	StartContext(ctx context.Context, startContext *HTTPStartContext) error
 	PostStart() error
 	Metadata() RuleSetMetadata
 	ExtractIPSet() []*netipx.IPSet
@@ -60,14 +66,55 @@ type RuleSet interface {

 type RuleSetUpdateCallback func(it RuleSet)

-type DNSRuleSetUpdateValidator interface {
-	ValidateRuleSetMetadataUpdate(tag string, metadata RuleSetMetadata) error
-}
-
-// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
+// Rule-set metadata only exposes headless-rule capabilities that outer routers
+// need before evaluating nested matches. Headless rules do not support
+// ip_version, so there is intentionally no ContainsIPVersionRule flag here.
 type RuleSetMetadata struct {
 	ContainsProcessRule      bool
 	ContainsWIFIRule         bool
 	ContainsIPCIDRRule       bool
 	ContainsDNSQueryTypeRule bool
 }
+type HTTPStartContext struct {
+	ctx             context.Context
+	access          sync.Mutex
+	httpClientCache map[string]*http.Client
+}
+
+func NewHTTPStartContext(ctx context.Context) *HTTPStartContext {
+	return &HTTPStartContext{
+		ctx:             ctx,
+		httpClientCache: make(map[string]*http.Client),
+	}
+}
+
+func (c *HTTPStartContext) HTTPClient(detour string, dialer N.Dialer) *http.Client {
+	c.access.Lock()
+	defer c.access.Unlock()
+	if httpClient, loaded := c.httpClientCache[detour]; loaded {
+		return httpClient
+	}
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			ForceAttemptHTTP2:   true,
+			TLSHandshakeTimeout: C.TCPTimeout,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+			},
+			TLSClientConfig: &tls.Config{
+				Time:    ntp.TimeFuncFromContext(c.ctx),
+				RootCAs: RootPoolFromContext(c.ctx),
+			},
+		},
+	}
+	c.httpClientCache[detour] = httpClient
+	return httpClient
+}
+
+func (c *HTTPStartContext) Close() {
+	c.access.Lock()
+	defer c.access.Unlock()
+	for _, client := range c.httpClientCache {
+		client.CloseIdleConnections()
+	}
+}
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -32,7 +32,7 @@ type RuleAction interface {

 func IsFinalAction(action RuleAction) bool {
 	switch action.Type() {
-	case C.RuleActionTypeSniff, C.RuleActionTypeResolve, C.RuleActionTypeEvaluate:
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
 		return false
 	default:
 		return true
--- a/adapter/tailscale.go
+++ b/adapter/tailscale.go
@@ -1,49 +0,0 @@
-package adapter
-
-import "context"
-
-type TailscaleEndpoint interface {
-	SubscribeTailscaleStatus(ctx context.Context, fn func(*TailscaleEndpointStatus)) error
-	StartTailscalePing(ctx context.Context, peerIP string, fn func(*TailscalePingResult)) error
-}
-
-type TailscalePingResult struct {
-	LatencyMs      float64
-	IsDirect       bool
-	Endpoint       string
-	DERPRegionID   int32
-	DERPRegionCode string
-	Error          string
-}
-
-type TailscaleEndpointStatus struct {
-	BackendState   string
-	AuthURL        string
-	NetworkName    string
-	MagicDNSSuffix string
-	Self           *TailscalePeer
-	UserGroups     []*TailscaleUserGroup
-}
-
-type TailscaleUserGroup struct {
-	UserID        int64
-	LoginName     string
-	DisplayName   string
-	ProfilePicURL string
-	Peers         []*TailscalePeer
-}
-
-type TailscalePeer struct {
-	HostName       string
-	DNSName        string
-	OS             string
-	TailscaleIPs   []string
-	Online         bool
-	ExitNode       bool
-	ExitNodeOption bool
-	Active         bool
-	RxBytes        int64
-	TxBytes        int64
-	UserID         int64
-	KeyExpiry      int64
-}
--- a/box.go
+++ b/box.go
@@ -16,14 +16,13 @@ import (
 	boxService "github.com/sagernet/sing-box/adapter/service"
 	"github.com/sagernet/sing-box/common/certificate"
 	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/httpclient"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
-	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/protocol/direct"
@@ -52,7 +51,6 @@ type Box struct {
 	dnsRouter           *dns.Router
 	connection          *route.ConnectionManager
 	router              *route.Router
-	httpClientService   adapter.LifecycleService
 	internalService     []adapter.LifecycleService
 	done                chan struct{}
 }
@@ -172,7 +170,6 @@ func New(options Options) (*Box, error) {
 	}

 	var internalServices []adapter.LifecycleService
-	routeOptions := common.PtrValueOrDefault(options.Route)
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
 	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
 		len(certificateOptions.Certificate) > 0 ||
@@ -185,6 +182,8 @@ func New(options Options) (*Box, error) {
 		service.MustRegister[adapter.CertificateStore](ctx, certificateStore)
 		internalServices = append(internalServices, certificateStore)
 	}
+
+	routeOptions := common.PtrValueOrDefault(options.Route)
 	dnsOptions := common.PtrValueOrDefault(options.DNS)
 	endpointManager := endpoint.NewManager(logFactory.NewLogger("endpoint"), endpointRegistry)
 	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
@@ -198,12 +197,8 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
 	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
-	dnsRouter, err := dns.NewRouter(ctx, logFactory, dnsOptions)
-	if err != nil {
-		return nil, E.Cause(err, "initialize DNS router")
-	}
+	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
-	service.MustRegister[adapter.DNSRuleSetUpdateValidator](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -211,10 +206,6 @@ func New(options Options) (*Box, error) {
 	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
 	connectionManager := route.NewConnectionManager(logFactory.NewLogger("connection"))
 	service.MustRegister[adapter.ConnectionManager](ctx, connectionManager)
-	// Must register after ConnectionManager: the Apple HTTP engine's proxy bridge reads it from the context when Manager.Start resolves the default client.
-	httpClientManager := httpclient.NewManager(ctx, logFactory.NewLogger("httpclient"), options.HTTPClients, routeOptions.DefaultHTTPClient)
-	service.MustRegister[adapter.HTTPClientManager](ctx, httpClientManager)
-	httpClientService := adapter.LifecycleService(httpClientManager)
 	router := route.NewRouter(ctx, logFactory, routeOptions, dnsOptions)
 	service.MustRegister[adapter.Router](ctx, router)
 	err = router.Initialize(routeOptions.Rules, routeOptions.RuleSet)
@@ -366,20 +357,13 @@ func New(options Options) (*Box, error) {
 		)
 	})
 	dnsTransportManager.Initialize(func() (adapter.DNSTransport, error) {
-		return dnsTransportRegistry.CreateDNSTransport(
+		return local.NewTransport(
 			ctx,
 			logFactory.NewLogger("dns/local"),
 			"local",
-			C.DNSTypeLocal,
-			&option.LocalDNSServerOptions{},
+			option.LocalDNSServerOptions{},
 		)
 	})
-	httpClientManager.Initialize(func() (*httpclient.Transport, error) {
-		deprecated.Report(ctx, deprecated.OptionImplicitDefaultHTTPClient)
-		var httpClientOptions option.HTTPClientOptions
-		httpClientOptions.DefaultOutbound = true
-		return httpclient.NewTransport(ctx, logFactory.NewLogger("httpclient"), "", httpClientOptions)
-	})
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {
@@ -387,7 +371,7 @@ func New(options Options) (*Box, error) {
 		}
 	}
 	if needCacheFile {
-		cacheFile := cachefile.New(ctx, logFactory.NewLogger("cache-file"), common.PtrValueOrDefault(experimentalOptions.CacheFile))
+		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
 		internalServices = append(internalServices, cacheFile)
 	}
@@ -440,7 +424,6 @@ func New(options Options) (*Box, error) {
 		dnsRouter:           dnsRouter,
 		connection:          connectionManager,
 		router:              router,
-		httpClientService:   httpClientService,
 		createdAt:           createdAt,
 		logFactory:          logFactory,
 		logger:              logFactory.Logger(),
@@ -503,15 +486,7 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection)
-	if err != nil {
-		return err
-	}
-	err = adapter.StartNamed(s.logger, adapter.StartStateStart, []adapter.LifecycleService{s.httpClientService})
-	if err != nil {
-		return err
-	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.router, s.dnsRouter)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
 	if err != nil {
 		return err
 	}
@@ -588,14 +563,6 @@ func (s *Box) Close() error {
 		})
 		s.logger.Trace("close ", closeItem.name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
 	}
-	if s.httpClientService != nil {
-		s.logger.Trace("close ", s.httpClientService.Name())
-		startTime := time.Now()
-		err = E.Append(err, s.httpClientService.Close(), func(err error) error {
-			return E.Cause(err, "close ", s.httpClientService.Name())
-		})
-		s.logger.Trace("close ", s.httpClientService.Name(), " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
-	}
 	for _, lifecycleService := range s.internalService {
 		s.logger.Trace("close ", lifecycleService.Name())
 		startTime := time.Now()
@@ -629,10 +596,6 @@ func (s *Box) Outbound() adapter.OutboundManager {
 	return s.outbound
 }

-func (s *Box) Endpoint() adapter.EndpointManager {
-	return s.endpoint
-}
-
 func (s *Box) LogFactory() log.Factory {
 	return s.logFactory
 }
--- a/clients/android
+++ b/clients/android
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -204,9 +204,6 @@ func buildApple() {
 		"-target", bindTarget,
 		"-libname=box",
 		"-tags-not-macos=with_low_memory",
-		"-iosversion=15.0",
-		"-macosversion=13.0",
-		"-tvosversion=17.0",
 	}
 	//if !withTailscale {
 	//	args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
--- a/cmd/internal/update_certificates/main.go
+++ b/cmd/internal/update_certificates/main.go
@@ -5,7 +5,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"path/filepath"
 	"strings"

 	"github.com/sagernet/sing-box/log"
@@ -36,9 +35,21 @@ func updateMozillaIncludedRootCAs() error {
 		return err
 	}
 	geoIndex := slices.Index(header, "Geographic Focus")
+	nameIndex := slices.Index(header, "Common Name or Certificate Name")
 	certIndex := slices.Index(header, "PEM Info")

-	pemBundle := strings.Builder{}
+	generated := strings.Builder{}
+	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
+
+package certificate
+
+import "crypto/x509"
+
+var mozillaIncluded *x509.CertPool
+
+func init() {
+	mozillaIncluded = x509.NewCertPool()
+`)
 	for {
 		record, err := reader.Read()
 		if err == io.EOF {
@@ -49,12 +60,18 @@ func updateMozillaIncludedRootCAs() error {
 		if record[geoIndex] == "China" {
 			continue
 		}
+		generated.WriteString("\n	// ")
+		generated.WriteString(record[nameIndex])
+		generated.WriteString("\n")
+		generated.WriteString("	mozillaIncluded.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
+		// Remove single quotes
 		cert = cert[1 : len(cert)-1]
-		pemBundle.WriteString(cert)
-		pemBundle.WriteString("\n")
+		generated.WriteString(cert)
+		generated.WriteString("`))\n")
 	}
-	return writeGeneratedCertificateBundle("mozilla", "mozillaIncluded", pemBundle.String())
+	generated.WriteString("}\n")
+	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }

 func fetchChinaFingerprints() (map[string]bool, error) {
@@ -102,11 +119,23 @@ func updateChromeIncludedRootCAs() error {
 	if err != nil {
 		return err
 	}
+	subjectIndex := slices.Index(header, "Subject")
 	statusIndex := slices.Index(header, "Google Chrome Status")
 	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
 	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")

-	pemBundle := strings.Builder{}
+	generated := strings.Builder{}
+	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
+
+package certificate
+
+import "crypto/x509"
+
+var chromeIncluded *x509.CertPool
+
+func init() {
+	chromeIncluded = x509.NewCertPool()
+`)
 	for {
 		record, err := reader.Read()
 		if err == io.EOF {
@@ -120,39 +149,18 @@ func updateChromeIncludedRootCAs() error {
 		if chinaFingerprints[record[fingerprintIndex]] {
 			continue
 		}
+		generated.WriteString("\n	// ")
+		generated.WriteString(record[subjectIndex])
+		generated.WriteString("\n")
+		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
+		// Remove single quotes if present
 		if len(cert) > 0 && cert[0] == '\'' {
 			cert = cert[1 : len(cert)-1]
 		}
-		pemBundle.WriteString(cert)
-		pemBundle.WriteString("\n")
+		generated.WriteString(cert)
+		generated.WriteString("`))\n")
 	}
-	return writeGeneratedCertificateBundle("chrome", "chromeIncluded", pemBundle.String())
-}
-
-func writeGeneratedCertificateBundle(name string, variableName string, pemBundle string) error {
-	goSource := `// Code generated by 'make update_certificates'. DO NOT EDIT.
-
-package certificate
-
-import (
-	"crypto/x509"
-	_ "embed"
-)
-
-//go:embed ` + name + `.pem
-var ` + variableName + `PEM string
-
-var ` + variableName + ` *x509.CertPool
-
-func init() {
-	` + variableName + ` = x509.NewCertPool()
-	` + variableName + `.AppendCertsFromPEM([]byte(` + variableName + `PEM))
-}
-`
-	err := os.WriteFile(filepath.Join("common/certificate", name+".pem"), []byte(pemBundle), 0o644)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(filepath.Join("common/certificate", name+".go"), []byte(goSource), 0o644)
+	generated.WriteString("}\n")
+	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
 }
--- a/cmd/sing-box/cmd_rule_set_compile.go
+++ b/cmd/sing-box/cmd_rule_set_compile.go
@@ -82,11 +82,6 @@ func compileRuleSet(sourcePath string) error {
 }

 func downgradeRuleSetVersion(version uint8, options option.PlainRuleSet) uint8 {
-	if version == C.RuleSetVersion5 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
-		return len(rule.PackageNameRegex) > 0
-	}) {
-		version = C.RuleSetVersion4
-	}
 	if version == C.RuleSetVersion4 && !rule.HasHeadlessRule(options.Rules, func(rule option.DefaultHeadlessRule) bool {
 		return rule.NetworkInterfaceAddress != nil && rule.NetworkInterfaceAddress.Size() > 0 ||
 			len(rule.DefaultInterfaceAddress) > 0
--- a/cmd/sing-box/cmd_tools_networkquality.go
+++ b/cmd/sing-box/cmd_tools_networkquality.go
@@ -1,121 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/common/networkquality"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	commandNetworkQualityFlagConfigURL  string
-	commandNetworkQualityFlagSerial     bool
-	commandNetworkQualityFlagMaxRuntime int
-	commandNetworkQualityFlagHTTP3      bool
-)
-
-var commandNetworkQuality = &cobra.Command{
-	Use:   "networkquality",
-	Short: "Run a network quality test",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := runNetworkQuality()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandNetworkQuality.Flags().StringVar(
-		&commandNetworkQualityFlagConfigURL,
-		"config-url", "",
-		"Network quality test config URL (default: Apple mensura)",
-	)
-	commandNetworkQuality.Flags().BoolVar(
-		&commandNetworkQualityFlagSerial,
-		"serial", false,
-		"Run download and upload tests sequentially instead of in parallel",
-	)
-	commandNetworkQuality.Flags().IntVar(
-		&commandNetworkQualityFlagMaxRuntime,
-		"max-runtime", int(networkquality.DefaultMaxRuntime/time.Second),
-		"Network quality maximum runtime in seconds",
-	)
-	commandNetworkQuality.Flags().BoolVar(
-		&commandNetworkQualityFlagHTTP3,
-		"http3", false,
-		"Use HTTP/3 (QUIC) for measurement traffic",
-	)
-	commandTools.AddCommand(commandNetworkQuality)
-}
-
-func runNetworkQuality() error {
-	instance, err := createPreStartedClient()
-	if err != nil {
-		return err
-	}
-	defer instance.Close()
-
-	dialer, err := createDialer(instance, commandToolsFlagOutbound)
-	if err != nil {
-		return err
-	}
-
-	httpClient := networkquality.NewHTTPClient(dialer)
-	defer httpClient.CloseIdleConnections()
-
-	measurementClientFactory, err := networkquality.NewOptionalHTTP3Factory(dialer, commandNetworkQualityFlagHTTP3)
-	if err != nil {
-		return err
-	}
-
-	fmt.Fprintln(os.Stderr, "==== NETWORK QUALITY TEST ====")
-
-	result, err := networkquality.Run(networkquality.Options{
-		ConfigURL:            commandNetworkQualityFlagConfigURL,
-		HTTPClient:           httpClient,
-		NewMeasurementClient: measurementClientFactory,
-		Serial:               commandNetworkQualityFlagSerial,
-		MaxRuntime:           time.Duration(commandNetworkQualityFlagMaxRuntime) * time.Second,
-		Context:              globalCtx,
-		OnProgress: func(p networkquality.Progress) {
-			if !commandNetworkQualityFlagSerial && p.Phase != networkquality.PhaseIdle {
-				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d  Upload: %s  RPM: %d",
-					networkquality.FormatBitrate(p.DownloadCapacity), p.DownloadRPM,
-					networkquality.FormatBitrate(p.UploadCapacity), p.UploadRPM)
-				return
-			}
-			switch networkquality.Phase(p.Phase) {
-			case networkquality.PhaseIdle:
-				if p.IdleLatencyMs > 0 {
-					fmt.Fprintf(os.Stderr, "\rIdle Latency: %d ms", p.IdleLatencyMs)
-				} else {
-					fmt.Fprint(os.Stderr, "\rMeasuring idle latency...")
-				}
-			case networkquality.PhaseDownload:
-				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d",
-					networkquality.FormatBitrate(p.DownloadCapacity), p.DownloadRPM)
-			case networkquality.PhaseUpload:
-				fmt.Fprintf(os.Stderr, "\rUpload: %s  RPM: %d",
-					networkquality.FormatBitrate(p.UploadCapacity), p.UploadRPM)
-			}
-		},
-	})
-	if err != nil {
-		return err
-	}
-
-	fmt.Fprintln(os.Stderr)
-	fmt.Fprintln(os.Stderr, strings.Repeat("-", 40))
-	fmt.Fprintf(os.Stderr, "Idle Latency:            %d ms\n", result.IdleLatencyMs)
-	fmt.Fprintf(os.Stderr, "Download Capacity:       %-20s Accuracy: %s\n", networkquality.FormatBitrate(result.DownloadCapacity), result.DownloadCapacityAccuracy)
-	fmt.Fprintf(os.Stderr, "Upload Capacity:         %-20s Accuracy: %s\n", networkquality.FormatBitrate(result.UploadCapacity), result.UploadCapacityAccuracy)
-	fmt.Fprintf(os.Stderr, "Download Responsiveness: %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.DownloadRPM), result.DownloadRPMAccuracy)
-	fmt.Fprintf(os.Stderr, "Upload Responsiveness:   %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.UploadRPM), result.UploadRPMAccuracy)
-	return nil
-}
--- a/cmd/sing-box/cmd_tools_stun.go
+++ b/cmd/sing-box/cmd_tools_stun.go
@@ -1,79 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/sagernet/sing-box/common/stun"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var commandSTUNFlagServer string
-
-var commandSTUN = &cobra.Command{
-	Use:   "stun",
-	Short: "Run a STUN test",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := runSTUN()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandSTUN.Flags().StringVarP(&commandSTUNFlagServer, "server", "s", stun.DefaultServer, "STUN server address")
-	commandTools.AddCommand(commandSTUN)
-}
-
-func runSTUN() error {
-	instance, err := createPreStartedClient()
-	if err != nil {
-		return err
-	}
-	defer instance.Close()
-
-	dialer, err := createDialer(instance, commandToolsFlagOutbound)
-	if err != nil {
-		return err
-	}
-
-	fmt.Fprintln(os.Stderr, "==== STUN TEST ====")
-
-	result, err := stun.Run(stun.Options{
-		Server:  commandSTUNFlagServer,
-		Dialer:  dialer,
-		Context: globalCtx,
-		OnProgress: func(p stun.Progress) {
-			switch p.Phase {
-			case stun.PhaseBinding:
-				if p.ExternalAddr != "" {
-					fmt.Fprintf(os.Stderr, "\rExternal Address: %s (%d ms)", p.ExternalAddr, p.LatencyMs)
-				} else {
-					fmt.Fprint(os.Stderr, "\rSending binding request...")
-				}
-			case stun.PhaseNATMapping:
-				fmt.Fprint(os.Stderr, "\rDetecting NAT mapping behavior...")
-			case stun.PhaseNATFiltering:
-				fmt.Fprint(os.Stderr, "\rDetecting NAT filtering behavior...")
-			}
-		},
-	})
-	if err != nil {
-		return err
-	}
-
-	fmt.Fprintln(os.Stderr)
-	fmt.Fprintf(os.Stderr, "External Address: %s\n", result.ExternalAddr)
-	fmt.Fprintf(os.Stderr, "Latency:          %d ms\n", result.LatencyMs)
-	if result.NATTypeSupported {
-		fmt.Fprintf(os.Stderr, "NAT Mapping:      %s\n", result.NATMapping)
-		fmt.Fprintf(os.Stderr, "NAT Filtering:    %s\n", result.NATFiltering)
-	} else {
-		fmt.Fprintln(os.Stderr, "NAT Type Detection: not supported by server")
-	}
-	return nil
-}
--- a/common/certificate/chrome.go
+++ b/common/certificate/chrome.go
--- a/common/certificate/chrome.pem
+++ b/common/certificate/chrome.pem
--- a/common/certificate/mozilla.go
+++ b/common/certificate/mozilla.go
--- a/common/certificate/mozilla.pem
+++ b/common/certificate/mozilla.pem
--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -22,10 +22,8 @@ var _ adapter.CertificateStore = (*Store)(nil)

 type Store struct {
 	access                    sync.RWMutex
-	store                     string
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
-	currentPEM                []string
 	certificate               string
 	certificatePaths          []string
 	certificateDirectoryPaths []string
@@ -63,7 +61,6 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		return nil, E.New("unknown certificate store: ", options.Store)
 	}
 	store := &Store{
-		store:                     options.Store,
 		systemPool:                systemPool,
 		certificate:               strings.Join(options.Certificate, "\n"),
 		certificatePaths:          options.CertificatePath,
@@ -126,37 +123,19 @@ func (s *Store) Pool() *x509.CertPool {
 	return s.currentPool
 }

-func (s *Store) StoreKind() string {
-	return s.store
-}
-
-func (s *Store) CurrentPEM() []string {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	return append([]string(nil), s.currentPEM...)
-}
-
 func (s *Store) update() error {
 	s.access.Lock()
 	defer s.access.Unlock()
 	var currentPool *x509.CertPool
-	var currentPEM []string
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()
 	} else {
 		currentPool = s.systemPool.Clone()
 	}
-	switch s.store {
-	case C.CertificateStoreMozilla:
-		currentPEM = append(currentPEM, mozillaIncludedPEM)
-	case C.CertificateStoreChrome:
-		currentPEM = append(currentPEM, chromeIncludedPEM)
-	}
 	if s.certificate != "" {
 		if !currentPool.AppendCertsFromPEM([]byte(s.certificate)) {
 			return E.New("invalid certificate PEM strings")
 		}
-		currentPEM = append(currentPEM, s.certificate)
 	}
 	for _, path := range s.certificatePaths {
 		pemContent, err := os.ReadFile(path)
@@ -166,7 +145,6 @@ func (s *Store) update() error {
 		if !currentPool.AppendCertsFromPEM(pemContent) {
 			return E.New("invalid certificate PEM file: ", path)
 		}
-		currentPEM = append(currentPEM, string(pemContent))
 	}
 	var firstErr error
 	for _, directoryPath := range s.certificateDirectoryPaths {
@@ -179,8 +157,8 @@ func (s *Store) update() error {
 		}
 		for _, directoryEntry := range directoryEntries {
 			pemContent, err := os.ReadFile(filepath.Join(directoryPath, directoryEntry.Name()))
-			if err == nil && currentPool.AppendCertsFromPEM(pemContent) {
-				currentPEM = append(currentPEM, string(pemContent))
+			if err == nil {
+				currentPool.AppendCertsFromPEM(pemContent)
 			}
 		}
 	}
@@ -188,7 +166,6 @@ func (s *Store) update() error {
 		return firstErr
 	}
 	s.currentPool = currentPool
-	s.currentPEM = currentPEM
 	return nil
 }

--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -149,10 +149,7 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 	} else {
 		dialer.Timeout = C.TCPConnectTimeout
 	}
-	if options.DisableTCPKeepAlive {
-		dialer.KeepAlive = -1
-		dialer.KeepAliveConfig.Enable = false
-	} else {
+	if !options.DisableTCPKeepAlive {
 		keepIdle := time.Duration(options.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
--- a/common/dialer/detour.go
+++ b/common/dialer/detour.go
@@ -19,7 +19,6 @@ type DirectDialer interface {
 type DetourDialer struct {
 	outboundManager adapter.OutboundManager
 	detour          string
-	defaultOutbound bool
 	legacyDNSDialer bool
 	dialer          N.Dialer
 	initOnce        sync.Once
@@ -34,13 +33,6 @@ func NewDetour(outboundManager adapter.OutboundManager, detour string, legacyDNS
 	}
 }

-func NewDefaultOutboundDetour(outboundManager adapter.OutboundManager) N.Dialer {
-	return &DetourDialer{
-		outboundManager: outboundManager,
-		defaultOutbound: true,
-	}
-}
-
 func InitializeDetour(dialer N.Dialer) error {
 	detourDialer, isDetour := common.Cast[*DetourDialer](dialer)
 	if !isDetour {
@@ -55,18 +47,12 @@ func (d *DetourDialer) Dialer() (N.Dialer, error) {
 }

 func (d *DetourDialer) init() {
-	var dialer adapter.Outbound
-	if d.detour != "" {
-		var loaded bool
-		dialer, loaded = d.outboundManager.Outbound(d.detour)
-		if !loaded {
-			d.initErr = E.New("outbound detour not found: ", d.detour)
-			return
-		}
-	} else {
-		dialer = d.outboundManager.Default()
+	dialer, loaded := d.outboundManager.Outbound(d.detour)
+	if !loaded {
+		d.initErr = E.New("outbound detour not found: ", d.detour)
+		return
 	}
-	if !d.defaultOutbound && !d.legacyDNSDialer {
+	if !d.legacyDNSDialer {
 		if directDialer, isDirect := dialer.(DirectDialer); isDirect {
 			if directDialer.IsEmpty() {
 				d.initErr = E.New("detour to an empty direct outbound makes no sense")
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -25,7 +25,6 @@ type Options struct {
 	NewDialer        bool
 	LegacyDNSDialer  bool
 	DirectOutbound   bool
-	DefaultOutbound  bool
 }

 // TODO: merge with NewWithOptions
@@ -43,26 +42,19 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 		dialer N.Dialer
 		err    error
 	)
-	hasDetour := dialOptions.Detour != "" || options.DefaultOutbound
 	if dialOptions.Detour != "" {
 		outboundManager := service.FromContext[adapter.OutboundManager](options.Context)
 		if outboundManager == nil {
 			return nil, E.New("missing outbound manager")
 		}
 		dialer = NewDetour(outboundManager, dialOptions.Detour, options.LegacyDNSDialer)
-	} else if options.DefaultOutbound {
-		outboundManager := service.FromContext[adapter.OutboundManager](options.Context)
-		if outboundManager == nil {
-			return nil, E.New("missing outbound manager")
-		}
-		dialer = NewDefaultOutboundDetour(outboundManager)
 	} else {
 		dialer, err = NewDefault(options.Context, dialOptions)
 		if err != nil {
 			return nil, err
 		}
 	}
-	if options.RemoteIsDomain && (!hasDetour || options.ResolverOnDetour || dialOptions.DomainResolver != nil && dialOptions.DomainResolver.Server != "") {
+	if options.RemoteIsDomain && (dialOptions.Detour == "" || options.ResolverOnDetour || dialOptions.DomainResolver != nil && dialOptions.DomainResolver.Server != "") {
 		networkManager := service.FromContext[adapter.NetworkManager](options.Context)
 		dnsTransport := service.FromContext[adapter.DNSTransportManager](options.Context)
 		var defaultOptions adapter.NetworkOptions
@@ -95,12 +87,11 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			}
 			server = dialOptions.DomainResolver.Server
 			dnsQueryOptions = adapter.DNSQueryOptions{
-				Transport:              transport,
-				Strategy:               strategy,
-				DisableCache:           dialOptions.DomainResolver.DisableCache,
-				DisableOptimisticCache: dialOptions.DomainResolver.DisableOptimisticCache,
-				RewriteTTL:             dialOptions.DomainResolver.RewriteTTL,
-				ClientSubnet:           dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
+				Transport:    transport,
+				Strategy:     strategy,
+				DisableCache: dialOptions.DomainResolver.DisableCache,
+				RewriteTTL:   dialOptions.DomainResolver.RewriteTTL,
+				ClientSubnet: dialOptions.DomainResolver.ClientSubnet.Build(netip.Prefix{}),
 			}
 			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
 		} else if options.DirectResolver {
--- a/common/httpclient/apple_transport_darwin.go
+++ b/common/httpclient/apple_transport_darwin.go
@@ -1,442 +0,0 @@
-//go:build darwin && cgo
-
-package httpclient
-
-/*
-#cgo CFLAGS: -x objective-c -fobjc-arc
-#cgo LDFLAGS: -framework Foundation -framework Security
-
-#include <stdlib.h>
-#include "apple_transport_darwin.h"
-*/
-import "C"
-
-import (
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/proxybridge"
-	boxTLS "github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-const applePinnedHashSize = sha256.Size
-
-func verifyApplePinnedPublicKeySHA256(flatHashes []byte, leafCertificate []byte) error {
-	if len(flatHashes)%applePinnedHashSize != 0 {
-		return E.New("invalid pinned public key list")
-	}
-	knownHashes := make([][]byte, 0, len(flatHashes)/applePinnedHashSize)
-	for offset := 0; offset < len(flatHashes); offset += applePinnedHashSize {
-		knownHashes = append(knownHashes, append([]byte(nil), flatHashes[offset:offset+applePinnedHashSize]...))
-	}
-	return boxTLS.VerifyPublicKeySHA256(knownHashes, [][]byte{leafCertificate})
-}
-
-//export box_apple_http_verify_public_key_sha256
-func box_apple_http_verify_public_key_sha256(knownHashValues *C.uint8_t, knownHashValuesLen C.size_t, leafCert *C.uint8_t, leafCertLen C.size_t) *C.char {
-	flatHashes := C.GoBytes(unsafe.Pointer(knownHashValues), C.int(knownHashValuesLen))
-	leafCertificate := C.GoBytes(unsafe.Pointer(leafCert), C.int(leafCertLen))
-	err := verifyApplePinnedPublicKeySHA256(flatHashes, leafCertificate)
-	if err == nil {
-		return nil
-	}
-	return C.CString(err.Error())
-}
-
-type appleSessionConfig struct {
-	serverName             string
-	minVersion             uint16
-	maxVersion             uint16
-	insecure               bool
-	anchorPEM              string
-	anchorOnly             bool
-	pinnedPublicKeySHA256s []byte
-}
-
-type appleTransportShared struct {
-	logger logger.ContextLogger
-	bridge *proxybridge.Bridge
-	config appleSessionConfig
-	refs   atomic.Int32
-}
-
-type appleTransport struct {
-	shared  *appleTransportShared
-	access  sync.Mutex
-	session *C.box_apple_http_session_t
-	closed  bool
-}
-
-type errorTransport struct {
-	err error
-}
-
-func newAppleTransport(ctx context.Context, logger logger.ContextLogger, rawDialer N.Dialer, options option.HTTPClientOptions) (adapter.HTTPTransport, error) {
-	sessionConfig, err := newAppleSessionConfig(ctx, options)
-	if err != nil {
-		return nil, err
-	}
-	bridge, err := proxybridge.New(ctx, logger, "apple http proxy", rawDialer)
-	if err != nil {
-		return nil, err
-	}
-	shared := &appleTransportShared{
-		logger: logger,
-		bridge: bridge,
-		config: sessionConfig,
-	}
-	shared.refs.Store(1)
-	session, err := shared.newSession()
-	if err != nil {
-		bridge.Close()
-		return nil, err
-	}
-	return &appleTransport{
-		shared:  shared,
-		session: session,
-	}, nil
-}
-
-func newAppleSessionConfig(ctx context.Context, options option.HTTPClientOptions) (appleSessionConfig, error) {
-	version := options.Version
-	if version == 0 {
-		version = 2
-	}
-	switch version {
-	case 2:
-	case 1:
-		return appleSessionConfig{}, E.New("HTTP/1.1 is unsupported in Apple HTTP engine")
-	case 3:
-		return appleSessionConfig{}, E.New("HTTP/3 is unsupported in Apple HTTP engine")
-	default:
-		return appleSessionConfig{}, E.New("unknown HTTP version: ", version)
-	}
-	if options.DisableVersionFallback {
-		return appleSessionConfig{}, E.New("disable_version_fallback is unsupported in Apple HTTP engine")
-	}
-	if options.HTTP2Options != (option.HTTP2Options{}) {
-		return appleSessionConfig{}, E.New("HTTP/2 options are unsupported in Apple HTTP engine")
-	}
-	if options.HTTP3Options != (option.QUICOptions{}) {
-		return appleSessionConfig{}, E.New("QUIC options are unsupported in Apple HTTP engine")
-	}
-
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	if tlsOptions.Engine != "" {
-		return appleSessionConfig{}, E.New("tls.engine is unsupported in Apple HTTP engine")
-	}
-	if len(tlsOptions.ALPN) > 0 {
-		return appleSessionConfig{}, E.New("tls.alpn is unsupported in Apple HTTP engine")
-	}
-	validated, err := boxTLS.ValidateAppleTLSOptions(ctx, tlsOptions, "Apple HTTP engine")
-	if err != nil {
-		return appleSessionConfig{}, err
-	}
-
-	config := appleSessionConfig{
-		serverName: tlsOptions.ServerName,
-		minVersion: validated.MinVersion,
-		maxVersion: validated.MaxVersion,
-		insecure:   tlsOptions.Insecure || len(tlsOptions.CertificatePublicKeySHA256) > 0,
-		anchorPEM:  validated.AnchorPEM,
-		anchorOnly: validated.AnchorOnly,
-	}
-	if len(tlsOptions.CertificatePublicKeySHA256) > 0 {
-		config.pinnedPublicKeySHA256s = make([]byte, 0, len(tlsOptions.CertificatePublicKeySHA256)*applePinnedHashSize)
-		for _, hashValue := range tlsOptions.CertificatePublicKeySHA256 {
-			if len(hashValue) != applePinnedHashSize {
-				return appleSessionConfig{}, E.New("invalid certificate_public_key_sha256 length: ", len(hashValue))
-			}
-			config.pinnedPublicKeySHA256s = append(config.pinnedPublicKeySHA256s, hashValue...)
-		}
-	}
-	return config, nil
-}
-
-func (s *appleTransportShared) retain() {
-	s.refs.Add(1)
-}
-
-func (s *appleTransportShared) release() error {
-	if s.refs.Add(-1) == 0 {
-		return s.bridge.Close()
-	}
-	return nil
-}
-
-func (s *appleTransportShared) newSession() (*C.box_apple_http_session_t, error) {
-	cProxyHost := C.CString("127.0.0.1")
-	defer C.free(unsafe.Pointer(cProxyHost))
-	cProxyUsername := C.CString(s.bridge.Username())
-	defer C.free(unsafe.Pointer(cProxyUsername))
-	cProxyPassword := C.CString(s.bridge.Password())
-	defer C.free(unsafe.Pointer(cProxyPassword))
-	var cAnchorPEM *C.char
-	if s.config.anchorPEM != "" {
-		cAnchorPEM = C.CString(s.config.anchorPEM)
-		defer C.free(unsafe.Pointer(cAnchorPEM))
-	}
-	var pinnedPointer *C.uint8_t
-	if len(s.config.pinnedPublicKeySHA256s) > 0 {
-		pinnedPointer = (*C.uint8_t)(C.CBytes(s.config.pinnedPublicKeySHA256s))
-		defer C.free(unsafe.Pointer(pinnedPointer))
-	}
-	cConfig := C.box_apple_http_session_config_t{
-		proxy_host:                   cProxyHost,
-		proxy_port:                   C.int(s.bridge.Port()),
-		proxy_username:               cProxyUsername,
-		proxy_password:               cProxyPassword,
-		min_tls_version:              C.uint16_t(s.config.minVersion),
-		max_tls_version:              C.uint16_t(s.config.maxVersion),
-		insecure:                     C.bool(s.config.insecure),
-		anchor_pem:                   cAnchorPEM,
-		anchor_pem_len:               C.size_t(len(s.config.anchorPEM)),
-		anchor_only:                  C.bool(s.config.anchorOnly),
-		pinned_public_key_sha256:     pinnedPointer,
-		pinned_public_key_sha256_len: C.size_t(len(s.config.pinnedPublicKeySHA256s)),
-	}
-	var cErr *C.char
-	session := C.box_apple_http_session_create(&cConfig, &cErr)
-	if session != nil {
-		return session, nil
-	}
-	return nil, appleCStringError(cErr, "create Apple HTTP session")
-}
-
-func (t *appleTransport) RoundTrip(request *http.Request) (*http.Response, error) {
-	if requestRequiresHTTP1(request) {
-		return nil, E.New("HTTP upgrade requests are unsupported in Apple HTTP engine")
-	}
-	if request.URL == nil {
-		return nil, E.New("missing request URL")
-	}
-	switch request.URL.Scheme {
-	case "http", "https":
-	default:
-		return nil, E.New("unsupported URL scheme: ", request.URL.Scheme)
-	}
-	if request.URL.Scheme == "https" && t.shared.config.serverName != "" && !strings.EqualFold(t.shared.config.serverName, request.URL.Hostname()) {
-		return nil, E.New("tls.server_name is unsupported in Apple HTTP engine unless it matches request host")
-	}
-	var body []byte
-	if request.Body != nil && request.Body != http.NoBody {
-		defer request.Body.Close()
-		var err error
-		body, err = io.ReadAll(request.Body)
-		if err != nil {
-			return nil, err
-		}
-	}
-	headerKeys, headerValues := flattenRequestHeaders(request)
-	cMethod := C.CString(request.Method)
-	defer C.free(unsafe.Pointer(cMethod))
-	cURL := C.CString(request.URL.String())
-	defer C.free(unsafe.Pointer(cURL))
-	cHeaderKeys := make([]*C.char, len(headerKeys))
-	cHeaderValues := make([]*C.char, len(headerValues))
-	defer func() {
-		for _, ptr := range cHeaderKeys {
-			C.free(unsafe.Pointer(ptr))
-		}
-		for _, ptr := range cHeaderValues {
-			C.free(unsafe.Pointer(ptr))
-		}
-	}()
-	for index, value := range headerKeys {
-		cHeaderKeys[index] = C.CString(value)
-	}
-	for index, value := range headerValues {
-		cHeaderValues[index] = C.CString(value)
-	}
-	var headerKeysPointer **C.char
-	var headerValuesPointer **C.char
-	if len(cHeaderKeys) > 0 {
-		pointerArraySize := C.size_t(len(cHeaderKeys)) * C.size_t(unsafe.Sizeof((*C.char)(nil)))
-		headerKeysPointer = (**C.char)(C.malloc(pointerArraySize))
-		defer C.free(unsafe.Pointer(headerKeysPointer))
-		headerValuesPointer = (**C.char)(C.malloc(pointerArraySize))
-		defer C.free(unsafe.Pointer(headerValuesPointer))
-		copy(unsafe.Slice(headerKeysPointer, len(cHeaderKeys)), cHeaderKeys)
-		copy(unsafe.Slice(headerValuesPointer, len(cHeaderValues)), cHeaderValues)
-	}
-	var bodyPointer *C.uint8_t
-	if len(body) > 0 {
-		bodyPointer = (*C.uint8_t)(C.CBytes(body))
-		defer C.free(unsafe.Pointer(bodyPointer))
-	}
-	cRequest := C.box_apple_http_request_t{
-		method:        cMethod,
-		url:           cURL,
-		header_keys:   (**C.char)(headerKeysPointer),
-		header_values: (**C.char)(headerValuesPointer),
-		header_count:  C.size_t(len(cHeaderKeys)),
-		body:          bodyPointer,
-		body_len:      C.size_t(len(body)),
-	}
-	var cErr *C.char
-	var task *C.box_apple_http_task_t
-	t.access.Lock()
-	if t.session == nil {
-		t.access.Unlock()
-		return nil, net.ErrClosed
-	}
-	// Keep the session attached until NSURLSession has created the task.
-	task = C.box_apple_http_session_send_async(t.session, &cRequest, &cErr)
-	t.access.Unlock()
-	if task == nil {
-		return nil, appleCStringError(cErr, "create Apple HTTP request")
-	}
-	cancelDone := make(chan struct{})
-	cancelExit := make(chan struct{})
-	go func() {
-		defer close(cancelExit)
-		select {
-		case <-request.Context().Done():
-			C.box_apple_http_task_cancel(task)
-		case <-cancelDone:
-		}
-	}()
-	cResponse := C.box_apple_http_task_wait(task, &cErr)
-	close(cancelDone)
-	<-cancelExit
-	C.box_apple_http_task_close(task)
-	if cResponse == nil {
-		err := appleCStringError(cErr, "Apple HTTP request failed")
-		if request.Context().Err() != nil {
-			return nil, request.Context().Err()
-		}
-		return nil, err
-	}
-	defer C.box_apple_http_response_free(cResponse)
-	return parseAppleHTTPResponse(request, cResponse), nil
-}
-
-func (t *appleTransport) CloseIdleConnections() {
-	t.access.Lock()
-	if t.closed {
-		t.access.Unlock()
-		return
-	}
-	t.access.Unlock()
-	newSession, err := t.shared.newSession()
-	if err != nil {
-		t.shared.logger.Error(E.Cause(err, "reset Apple HTTP session"))
-		return
-	}
-	t.access.Lock()
-	if t.closed {
-		t.access.Unlock()
-		C.box_apple_http_session_close(newSession)
-		return
-	}
-	oldSession := t.session
-	t.session = newSession
-	t.access.Unlock()
-	C.box_apple_http_session_retire(oldSession)
-}
-
-func (t *appleTransport) Clone() adapter.HTTPTransport {
-	t.shared.retain()
-	session, err := t.shared.newSession()
-	if err != nil {
-		_ = t.shared.release()
-		return &errorTransport{err: err}
-	}
-	return &appleTransport{
-		shared:  t.shared,
-		session: session,
-	}
-}
-
-func (t *appleTransport) Close() error {
-	t.access.Lock()
-	if t.closed {
-		t.access.Unlock()
-		return nil
-	}
-	t.closed = true
-	session := t.session
-	t.session = nil
-	t.access.Unlock()
-	C.box_apple_http_session_close(session)
-	return t.shared.release()
-}
-
-func (t *errorTransport) RoundTrip(request *http.Request) (*http.Response, error) {
-	return nil, t.err
-}
-
-func (t *errorTransport) CloseIdleConnections() {
-}
-
-func (t *errorTransport) Clone() adapter.HTTPTransport {
-	return &errorTransport{err: t.err}
-}
-
-func (t *errorTransport) Close() error {
-	return nil
-}
-
-func flattenRequestHeaders(request *http.Request) ([]string, []string) {
-	var (
-		keys   []string
-		values []string
-	)
-	for key, headerValues := range request.Header {
-		for _, value := range headerValues {
-			keys = append(keys, key)
-			values = append(values, value)
-		}
-	}
-	if request.Host != "" {
-		keys = append(keys, "Host")
-		values = append(values, request.Host)
-	}
-	return keys, values
-}
-
-func parseAppleHTTPResponse(request *http.Request, response *C.box_apple_http_response_t) *http.Response {
-	headers := make(http.Header)
-	headerKeys := unsafe.Slice(response.header_keys, int(response.header_count))
-	headerValues := unsafe.Slice(response.header_values, int(response.header_count))
-	for index := range headerKeys {
-		headers.Add(C.GoString(headerKeys[index]), C.GoString(headerValues[index]))
-	}
-	body := bytes.NewReader(C.GoBytes(unsafe.Pointer(response.body), C.int(response.body_len)))
-	// NSURLSession's completion-handler API does not expose the negotiated protocol;
-	// callers that read Response.Proto will see HTTP/1.1 even when the wire was HTTP/2.
-	return &http.Response{
-		StatusCode:    int(response.status_code),
-		Status:        fmt.Sprintf("%d %s", int(response.status_code), http.StatusText(int(response.status_code))),
-		Proto:         "HTTP/1.1",
-		ProtoMajor:    1,
-		ProtoMinor:    1,
-		Header:        headers,
-		Body:          io.NopCloser(body),
-		ContentLength: int64(body.Len()),
-		Request:       request,
-	}
-}
-
-func appleCStringError(cErr *C.char, message string) error {
-	if cErr == nil {
-		return E.New(message)
-	}
-	defer C.free(unsafe.Pointer(cErr))
-	return E.New(message, ": ", C.GoString(cErr))
-}
--- a/common/httpclient/apple_transport_darwin.h
+++ b/common/httpclient/apple_transport_darwin.h
@@ -1,69 +0,0 @@
-#include <stdbool.h>
-#include <stddef.h>
-#include <stdint.h>
-
-typedef struct box_apple_http_session box_apple_http_session_t;
-typedef struct box_apple_http_task box_apple_http_task_t;
-
-typedef struct box_apple_http_session_config {
-	const char *proxy_host;
-	int proxy_port;
-	const char *proxy_username;
-	const char *proxy_password;
-	uint16_t min_tls_version;
-	uint16_t max_tls_version;
-	bool insecure;
-	const char *anchor_pem;
-	size_t anchor_pem_len;
-	bool anchor_only;
-	const uint8_t *pinned_public_key_sha256;
-	size_t pinned_public_key_sha256_len;
-} box_apple_http_session_config_t;
-
-typedef struct box_apple_http_request {
-	const char *method;
-	const char *url;
-	const char **header_keys;
-	const char **header_values;
-	size_t header_count;
-	const uint8_t *body;
-	size_t body_len;
-} box_apple_http_request_t;
-
-typedef struct box_apple_http_response {
-	int status_code;
-	char **header_keys;
-	char **header_values;
-	size_t header_count;
-	uint8_t *body;
-	size_t body_len;
-	char *error;
-} box_apple_http_response_t;
-
-box_apple_http_session_t *box_apple_http_session_create(
-	const box_apple_http_session_config_t *config,
-	char **error_out
-);
-void box_apple_http_session_retire(box_apple_http_session_t *session);
-void box_apple_http_session_close(box_apple_http_session_t *session);
-
-box_apple_http_task_t *box_apple_http_session_send_async(
-	box_apple_http_session_t *session,
-	const box_apple_http_request_t *request,
-	char **error_out
-);
-box_apple_http_response_t *box_apple_http_task_wait(
-	box_apple_http_task_t *task,
-	char **error_out
-);
-void box_apple_http_task_cancel(box_apple_http_task_t *task);
-void box_apple_http_task_close(box_apple_http_task_t *task);
-
-void box_apple_http_response_free(box_apple_http_response_t *response);
-
-char *box_apple_http_verify_public_key_sha256(
-	uint8_t *known_hash_values,
-	size_t known_hash_values_len,
-	uint8_t *leaf_cert,
-	size_t leaf_cert_len
-);
--- a/common/httpclient/apple_transport_darwin.m
+++ b/common/httpclient/apple_transport_darwin.m
@@ -1,386 +0,0 @@
-#import "apple_transport_darwin.h"
-
-#import <CoreFoundation/CFStream.h>
-#import <Foundation/Foundation.h>
-#import <Security/Security.h>
-#import <dispatch/dispatch.h>
-#import <stdlib.h>
-#import <string.h>
-
-typedef struct box_apple_http_session {
-	void *handle;
-} box_apple_http_session_t;
-
-typedef struct box_apple_http_task {
-	void *task;
-	void *done_semaphore;
-	box_apple_http_response_t *response;
-	char *error;
-} box_apple_http_task_t;
-
-static void box_set_error_string(char **error_out, NSString *message) {
-	if (error_out == NULL || *error_out != NULL) {
-		return;
-	}
-	const char *utf8 = [message UTF8String];
-	*error_out = strdup(utf8 != NULL ? utf8 : "unknown error");
-}
-
-static void box_set_error_from_nserror(char **error_out, NSError *error) {
-	if (error == nil) {
-		box_set_error_string(error_out, @"unknown error");
-		return;
-	}
-	box_set_error_string(error_out, error.localizedDescription ?: error.description);
-}
-
-static NSArray *box_parse_certificates_from_pem(const char *pem, size_t pem_len) {
-	if (pem == NULL || pem_len == 0) {
-		return @[];
-	}
-	NSString *content = [[NSString alloc] initWithBytes:pem length:pem_len encoding:NSUTF8StringEncoding];
-	if (content == nil) {
-		return @[];
-	}
-	NSString *beginMarker = @"-----BEGIN CERTIFICATE-----";
-	NSString *endMarker = @"-----END CERTIFICATE-----";
-	NSMutableArray *certificates = [NSMutableArray array];
-	NSUInteger searchFrom = 0;
-	while (searchFrom < content.length) {
-		NSRange beginRange = [content rangeOfString:beginMarker options:0 range:NSMakeRange(searchFrom, content.length - searchFrom)];
-		if (beginRange.location == NSNotFound) {
-			break;
-		}
-		NSUInteger bodyStart = beginRange.location + beginRange.length;
-		NSRange endRange = [content rangeOfString:endMarker options:0 range:NSMakeRange(bodyStart, content.length - bodyStart)];
-		if (endRange.location == NSNotFound) {
-			break;
-		}
-		NSString *base64Section = [content substringWithRange:NSMakeRange(bodyStart, endRange.location - bodyStart)];
-		NSArray<NSString *> *components = [base64Section componentsSeparatedByCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
-		NSString *base64Content = [components componentsJoinedByString:@""];
-		NSData *der = [[NSData alloc] initWithBase64EncodedString:base64Content options:0];
-		if (der != nil) {
-			SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
-			if (certificate != NULL) {
-				[certificates addObject:(__bridge id)certificate];
-				CFRelease(certificate);
-			}
-		}
-		searchFrom = endRange.location + endRange.length;
-	}
-	return certificates;
-}
-
-static bool box_evaluate_trust(SecTrustRef trustRef, NSArray *anchors, bool anchor_only) {
-	if (trustRef == NULL) {
-		return false;
-	}
-	if (anchors.count > 0 || anchor_only) {
-		CFMutableArrayRef anchorArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
-		for (id certificate in anchors) {
-			CFArrayAppendValue(anchorArray, (__bridge const void *)certificate);
-		}
-		SecTrustSetAnchorCertificates(trustRef, anchorArray);
-		SecTrustSetAnchorCertificatesOnly(trustRef, anchor_only);
-		CFRelease(anchorArray);
-	}
-	CFErrorRef error = NULL;
-	bool result = SecTrustEvaluateWithError(trustRef, &error);
-	if (error != NULL) {
-		CFRelease(error);
-	}
-	return result;
-}
-
-static box_apple_http_response_t *box_create_response(NSHTTPURLResponse *httpResponse, NSData *data) {
-	box_apple_http_response_t *response = calloc(1, sizeof(box_apple_http_response_t));
-	response->status_code = (int)httpResponse.statusCode;
-	NSDictionary *headers = httpResponse.allHeaderFields;
-	response->header_count = headers.count;
-	if (response->header_count > 0) {
-		response->header_keys = calloc(response->header_count, sizeof(char *));
-		response->header_values = calloc(response->header_count, sizeof(char *));
-		NSUInteger index = 0;
-		for (id key in headers) {
-			NSString *keyString = [[key description] copy];
-			NSString *valueString = [[headers[key] description] copy];
-			response->header_keys[index] = strdup(keyString.UTF8String ?: "");
-			response->header_values[index] = strdup(valueString.UTF8String ?: "");
-			index++;
-		}
-	}
-	if (data.length > 0) {
-		response->body_len = data.length;
-		response->body = malloc(data.length);
-		memcpy(response->body, data.bytes, data.length);
-	}
-	return response;
-}
-
-@interface BoxAppleHTTPSessionDelegate : NSObject <NSURLSessionTaskDelegate, NSURLSessionDataDelegate>
-@property(nonatomic, assign) BOOL insecure;
-@property(nonatomic, assign) BOOL anchorOnly;
-@property(nonatomic, strong) NSArray *anchors;
-@property(nonatomic, strong) NSData *pinnedPublicKeyHashes;
-@end
-
-@implementation BoxAppleHTTPSessionDelegate
-
- (void)URLSession:(NSURLSession *)session
-              task:(NSURLSessionTask *)task
-willPerformHTTPRedirection:(NSHTTPURLResponse *)response
-        newRequest:(NSURLRequest *)request
- completionHandler:(void (^)(NSURLRequest * _Nullable))completionHandler {
-	completionHandler(nil);
-}
-
- (void)URLSession:(NSURLSession *)session
-              task:(NSURLSessionTask *)task
-didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
- completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler {
-	if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
-		completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
-		return;
-	}
-	SecTrustRef trustRef = challenge.protectionSpace.serverTrust;
-	if (trustRef == NULL) {
-		completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-		return;
-	}
-	BOOL needsCustomHandling = self.insecure || self.anchorOnly || self.anchors.count > 0 || self.pinnedPublicKeyHashes.length > 0;
-	if (!needsCustomHandling) {
-		completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
-		return;
-	}
-	BOOL ok = YES;
-	if (!self.insecure) {
-		if (self.anchorOnly || self.anchors.count > 0) {
-			ok = box_evaluate_trust(trustRef, self.anchors, self.anchorOnly);
-		} else {
-			CFErrorRef error = NULL;
-			ok = SecTrustEvaluateWithError(trustRef, &error);
-			if (error != NULL) {
-				CFRelease(error);
-			}
-		}
-	}
-	if (ok && self.pinnedPublicKeyHashes.length > 0) {
-		CFArrayRef certificateChain = SecTrustCopyCertificateChain(trustRef);
-		SecCertificateRef leafCertificate = NULL;
-		if (certificateChain != NULL && CFArrayGetCount(certificateChain) > 0) {
-			leafCertificate = (SecCertificateRef)CFArrayGetValueAtIndex(certificateChain, 0);
-		}
-		if (leafCertificate == NULL) {
-			ok = NO;
-		} else {
-			NSData *leafData = CFBridgingRelease(SecCertificateCopyData(leafCertificate));
-			char *pinError = box_apple_http_verify_public_key_sha256(
-				(uint8_t *)self.pinnedPublicKeyHashes.bytes,
-				self.pinnedPublicKeyHashes.length,
-				(uint8_t *)leafData.bytes,
-				leafData.length
-			);
-			if (pinError != NULL) {
-				free(pinError);
-				ok = NO;
-			}
-		}
-		if (certificateChain != NULL) {
-			CFRelease(certificateChain);
-		}
-	}
-	if (!ok) {
-		completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
-		return;
-	}
-	completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trustRef]);
-}
-
-@end
-
-@interface BoxAppleHTTPSessionHandle : NSObject
-@property(nonatomic, strong) NSURLSession *session;
-@property(nonatomic, strong) BoxAppleHTTPSessionDelegate *delegate;
-@end
-
-@implementation BoxAppleHTTPSessionHandle
-@end
-
-box_apple_http_session_t *box_apple_http_session_create(
-	const box_apple_http_session_config_t *config,
-	char **error_out
-) {
-	@autoreleasepool {
-		NSURLSessionConfiguration *sessionConfig = [NSURLSessionConfiguration ephemeralSessionConfiguration];
-		sessionConfig.URLCache = nil;
-		sessionConfig.HTTPCookieStorage = nil;
-		sessionConfig.URLCredentialStorage = nil;
-		sessionConfig.HTTPShouldSetCookies = NO;
-		if (config != NULL && config->proxy_host != NULL && config->proxy_port > 0) {
-			NSMutableDictionary *proxyDictionary = [NSMutableDictionary dictionary];
-			proxyDictionary[(__bridge NSString *)kCFStreamPropertySOCKSProxyHost] = [NSString stringWithUTF8String:config->proxy_host];
-			proxyDictionary[(__bridge NSString *)kCFStreamPropertySOCKSProxyPort] = @(config->proxy_port);
-			proxyDictionary[(__bridge NSString *)kCFStreamPropertySOCKSVersion] = (__bridge NSString *)kCFStreamSocketSOCKSVersion5;
-			if (config->proxy_username != NULL) {
-				proxyDictionary[(__bridge NSString *)kCFStreamPropertySOCKSUser] = [NSString stringWithUTF8String:config->proxy_username];
-			}
-			if (config->proxy_password != NULL) {
-				proxyDictionary[(__bridge NSString *)kCFStreamPropertySOCKSPassword] = [NSString stringWithUTF8String:config->proxy_password];
-			}
-			sessionConfig.connectionProxyDictionary = proxyDictionary;
-		}
-		if (config != NULL && config->min_tls_version != 0) {
-			sessionConfig.TLSMinimumSupportedProtocolVersion = (tls_protocol_version_t)config->min_tls_version;
-		}
-		if (config != NULL && config->max_tls_version != 0) {
-			sessionConfig.TLSMaximumSupportedProtocolVersion = (tls_protocol_version_t)config->max_tls_version;
-		}
-		BoxAppleHTTPSessionDelegate *delegate = [[BoxAppleHTTPSessionDelegate alloc] init];
-		if (config != NULL) {
-			delegate.insecure = config->insecure;
-			delegate.anchorOnly = config->anchor_only;
-			delegate.anchors = box_parse_certificates_from_pem(config->anchor_pem, config->anchor_pem_len);
-			if (config->pinned_public_key_sha256 != NULL && config->pinned_public_key_sha256_len > 0) {
-				delegate.pinnedPublicKeyHashes = [NSData dataWithBytes:config->pinned_public_key_sha256 length:config->pinned_public_key_sha256_len];
-			}
-		}
-		NSURLSession *session = [NSURLSession sessionWithConfiguration:sessionConfig delegate:delegate delegateQueue:nil];
-		if (session == nil) {
-			box_set_error_string(error_out, @"create URLSession");
-			return NULL;
-		}
-		BoxAppleHTTPSessionHandle *handle = [[BoxAppleHTTPSessionHandle alloc] init];
-		handle.session = session;
-		handle.delegate = delegate;
-		box_apple_http_session_t *sessionHandle = calloc(1, sizeof(box_apple_http_session_t));
-		sessionHandle->handle = (__bridge_retained void *)handle;
-		return sessionHandle;
-	}
-}
-
-void box_apple_http_session_retire(box_apple_http_session_t *session) {
-	if (session == NULL || session->handle == NULL) {
-		return;
-	}
-	BoxAppleHTTPSessionHandle *handle = (__bridge_transfer BoxAppleHTTPSessionHandle *)session->handle;
-	[handle.session finishTasksAndInvalidate];
-	free(session);
-}
-
-void box_apple_http_session_close(box_apple_http_session_t *session) {
-	if (session == NULL || session->handle == NULL) {
-		return;
-	}
-	BoxAppleHTTPSessionHandle *handle = (__bridge_transfer BoxAppleHTTPSessionHandle *)session->handle;
-	[handle.session invalidateAndCancel];
-	free(session);
-}
-
-box_apple_http_task_t *box_apple_http_session_send_async(
-	box_apple_http_session_t *session,
-	const box_apple_http_request_t *request,
-	char **error_out
-) {
-	@autoreleasepool {
-		if (session == NULL || session->handle == NULL || request == NULL || request->method == NULL || request->url == NULL) {
-			box_set_error_string(error_out, @"invalid apple HTTP request");
-			return NULL;
-		}
-		BoxAppleHTTPSessionHandle *handle = (__bridge BoxAppleHTTPSessionHandle *)session->handle;
-		NSURL *requestURL = [NSURL URLWithString:[NSString stringWithUTF8String:request->url]];
-		if (requestURL == nil) {
-			box_set_error_string(error_out, @"invalid request URL");
-			return NULL;
-		}
-		NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:requestURL];
-		urlRequest.HTTPMethod = [NSString stringWithUTF8String:request->method];
-		for (size_t index = 0; index < request->header_count; index++) {
-			const char *key = request->header_keys[index];
-			const char *value = request->header_values[index];
-			if (key == NULL || value == NULL) {
-				continue;
-			}
-			[urlRequest addValue:[NSString stringWithUTF8String:value] forHTTPHeaderField:[NSString stringWithUTF8String:key]];
-		}
-		if (request->body != NULL && request->body_len > 0) {
-			urlRequest.HTTPBody = [NSData dataWithBytes:request->body length:request->body_len];
-		}
-		box_apple_http_task_t *task = calloc(1, sizeof(box_apple_http_task_t));
-		dispatch_semaphore_t doneSemaphore = dispatch_semaphore_create(0);
-		task->done_semaphore = (__bridge_retained void *)doneSemaphore;
-		NSURLSessionDataTask *dataTask = [handle.session dataTaskWithRequest:urlRequest completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
-			if (error != nil) {
-				box_set_error_from_nserror(&task->error, error);
-			} else if (![response isKindOfClass:[NSHTTPURLResponse class]]) {
-				box_set_error_string(&task->error, @"unexpected HTTP response type");
-			} else {
-				task->response = box_create_response((NSHTTPURLResponse *)response, data ?: [NSData data]);
-			}
-			dispatch_semaphore_signal((__bridge dispatch_semaphore_t)task->done_semaphore);
-		}];
-		if (dataTask == nil) {
-			box_set_error_string(error_out, @"create data task");
-			box_apple_http_task_close(task);
-			return NULL;
-		}
-		task->task = (__bridge_retained void *)dataTask;
-		[dataTask resume];
-		return task;
-	}
-}
-
-box_apple_http_response_t *box_apple_http_task_wait(
-	box_apple_http_task_t *task,
-	char **error_out
-) {
-	if (task == NULL || task->done_semaphore == NULL) {
-		box_set_error_string(error_out, @"invalid apple HTTP task");
-		return NULL;
-	}
-	dispatch_semaphore_wait((__bridge dispatch_semaphore_t)task->done_semaphore, DISPATCH_TIME_FOREVER);
-	if (task->error != NULL) {
-		box_set_error_string(error_out, [NSString stringWithUTF8String:task->error]);
-		return NULL;
-	}
-	return task->response;
-}
-
-void box_apple_http_task_cancel(box_apple_http_task_t *task) {
-	if (task == NULL || task->task == NULL) {
-		return;
-	}
-	NSURLSessionTask *nsTask = (__bridge NSURLSessionTask *)task->task;
-	[nsTask cancel];
-}
-
-void box_apple_http_task_close(box_apple_http_task_t *task) {
-	if (task == NULL) {
-		return;
-	}
-	if (task->task != NULL) {
-		__unused NSURLSessionTask *nsTask = (__bridge_transfer NSURLSessionTask *)task->task;
-		task->task = NULL;
-	}
-	if (task->done_semaphore != NULL) {
-		__unused dispatch_semaphore_t doneSemaphore = (__bridge_transfer dispatch_semaphore_t)task->done_semaphore;
-		task->done_semaphore = NULL;
-	}
-	free(task->error);
-	free(task);
-}
-
-void box_apple_http_response_free(box_apple_http_response_t *response) {
-	if (response == NULL) {
-		return;
-	}
-	for (size_t index = 0; index < response->header_count; index++) {
-		free(response->header_keys[index]);
-		free(response->header_values[index]);
-	}
-	free(response->header_keys);
-	free(response->header_values);
-	free(response->body);
-	free(response->error);
-	free(response);
-}
--- a/common/httpclient/apple_transport_darwin_test.go
+++ b/common/httpclient/apple_transport_darwin_test.go
@@ -1,876 +0,0 @@
-//go:build darwin && cgo
-
-package httpclient
-
-import (
-	"bytes"
-	"context"
-	"crypto/sha256"
-	stdtls "crypto/tls"
-	"crypto/x509"
-	"errors"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"slices"
-	"strconv"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	boxTLS "github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route"
-	"github.com/sagernet/sing/common/json/badoption"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-)
-
-const appleHTTPTestTimeout = 5 * time.Second
-
-const appleHTTPRecoveryLoops = 5
-
-type appleHTTPTestDialer struct {
-	dialer   net.Dialer
-	listener net.ListenConfig
-	hostMap  map[string]string
-}
-
-type appleHTTPObservedRequest struct {
-	method     string
-	body       string
-	host       string
-	values     []string
-	protoMajor int
-}
-
-type appleHTTPTestServer struct {
-	server         *httptest.Server
-	baseURL        string
-	dialHost       string
-	certificate    stdtls.Certificate
-	certificatePEM string
-	publicKeyHash  []byte
-}
-
-func TestNewAppleSessionConfig(t *testing.T) {
-	serverCertificate, serverCertificatePEM := newAppleHTTPTestCertificate(t, "localhost")
-	serverHash := certificatePublicKeySHA256(t, serverCertificate.Certificate[0])
-	otherHash := bytes.Repeat([]byte{0x7f}, applePinnedHashSize)
-
-	testCases := []struct {
-		name    string
-		options option.HTTPClientOptions
-		check   func(t *testing.T, config appleSessionConfig)
-		wantErr string
-	}{
-		{
-			name: "success with certificate anchors",
-			options: option.HTTPClientOptions{
-				Version: 2,
-				DialerOptions: option.DialerOptions{
-					ConnectTimeout: badoption.Duration(2 * time.Second),
-				},
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						Enabled:     true,
-						ServerName:  "localhost",
-						MinVersion:  "1.2",
-						MaxVersion:  "1.3",
-						Certificate: badoption.Listable[string]{serverCertificatePEM},
-					},
-				},
-			},
-			check: func(t *testing.T, config appleSessionConfig) {
-				t.Helper()
-				if config.serverName != "localhost" {
-					t.Fatalf("unexpected server name: %q", config.serverName)
-				}
-				if config.minVersion != stdtls.VersionTLS12 {
-					t.Fatalf("unexpected min version: %x", config.minVersion)
-				}
-				if config.maxVersion != stdtls.VersionTLS13 {
-					t.Fatalf("unexpected max version: %x", config.maxVersion)
-				}
-				if config.insecure {
-					t.Fatal("unexpected insecure flag")
-				}
-				if !config.anchorOnly {
-					t.Fatal("expected anchor_only")
-				}
-				if !strings.Contains(config.anchorPEM, "BEGIN CERTIFICATE") {
-					t.Fatalf("unexpected anchor pem: %q", config.anchorPEM)
-				}
-				if len(config.pinnedPublicKeySHA256s) != 0 {
-					t.Fatalf("unexpected pinned hashes: %d", len(config.pinnedPublicKeySHA256s))
-				}
-			},
-		},
-		{
-			name: "success with flattened pins",
-			options: option.HTTPClientOptions{
-				Version: 2,
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						Enabled:                    true,
-						Insecure:                   true,
-						CertificatePublicKeySHA256: badoption.Listable[[]byte]{serverHash, otherHash},
-					},
-				},
-			},
-			check: func(t *testing.T, config appleSessionConfig) {
-				t.Helper()
-				if !config.insecure {
-					t.Fatal("expected insecure flag")
-				}
-				if len(config.pinnedPublicKeySHA256s) != 2*applePinnedHashSize {
-					t.Fatalf("unexpected flattened pin length: %d", len(config.pinnedPublicKeySHA256s))
-				}
-				if !bytes.Equal(config.pinnedPublicKeySHA256s[:applePinnedHashSize], serverHash) {
-					t.Fatal("unexpected first pin")
-				}
-				if !bytes.Equal(config.pinnedPublicKeySHA256s[applePinnedHashSize:], otherHash) {
-					t.Fatal("unexpected second pin")
-				}
-				if config.anchorPEM != "" {
-					t.Fatalf("unexpected anchor pem: %q", config.anchorPEM)
-				}
-				if config.anchorOnly {
-					t.Fatal("unexpected anchor_only")
-				}
-			},
-		},
-		{
-			name:    "http11 unsupported",
-			options: option.HTTPClientOptions{Version: 1},
-			wantErr: "HTTP/1.1 is unsupported in Apple HTTP engine",
-		},
-		{
-			name:    "http3 unsupported",
-			options: option.HTTPClientOptions{Version: 3},
-			wantErr: "HTTP/3 is unsupported in Apple HTTP engine",
-		},
-		{
-			name:    "unknown version",
-			options: option.HTTPClientOptions{Version: 9},
-			wantErr: "unknown HTTP version: 9",
-		},
-		{
-			name: "disable version fallback unsupported",
-			options: option.HTTPClientOptions{
-				DisableVersionFallback: true,
-			},
-			wantErr: "disable_version_fallback is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "http2 options unsupported",
-			options: option.HTTPClientOptions{
-				HTTP2Options: option.HTTP2Options{
-					IdleTimeout: badoption.Duration(time.Second),
-				},
-			},
-			wantErr: "HTTP/2 options are unsupported in Apple HTTP engine",
-		},
-		{
-			name: "quic options unsupported",
-			options: option.HTTPClientOptions{
-				HTTP3Options: option.QUICOptions{
-					InitialPacketSize: 1200,
-				},
-			},
-			wantErr: "QUIC options are unsupported in Apple HTTP engine",
-		},
-		{
-			name: "tls engine unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{Engine: "go"},
-				},
-			},
-			wantErr: "tls.engine is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "disable sni unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{DisableSNI: true},
-				},
-			},
-			wantErr: "disable_sni is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "alpn unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						ALPN: badoption.Listable[string]{"h2"},
-					},
-				},
-			},
-			wantErr: "tls.alpn is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "cipher suites unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						CipherSuites: badoption.Listable[string]{"TLS_AES_128_GCM_SHA256"},
-					},
-				},
-			},
-			wantErr: "cipher_suites is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "curve preferences unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						CurvePreferences: badoption.Listable[option.CurvePreference]{option.CurvePreference(option.X25519)},
-					},
-				},
-			},
-			wantErr: "curve_preferences is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "client certificate unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						ClientCertificate: badoption.Listable[string]{"client-certificate"},
-						ClientKey:         badoption.Listable[string]{"client-key"},
-					},
-				},
-			},
-			wantErr: "client certificate is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "tls fragment unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{Fragment: true},
-				},
-			},
-			wantErr: "tls fragment is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "ktls unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{KernelTx: true},
-				},
-			},
-			wantErr: "ktls is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "ech unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						ECH: &option.OutboundECHOptions{Enabled: true},
-					},
-				},
-			},
-			wantErr: "ech is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "utls unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						UTLS: &option.OutboundUTLSOptions{Enabled: true},
-					},
-				},
-			},
-			wantErr: "utls is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "reality unsupported",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						Reality: &option.OutboundRealityOptions{Enabled: true},
-					},
-				},
-			},
-			wantErr: "reality is unsupported in Apple HTTP engine",
-		},
-		{
-			name: "pin and certificate conflict",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						Certificate:                badoption.Listable[string]{serverCertificatePEM},
-						CertificatePublicKeySHA256: badoption.Listable[[]byte]{serverHash},
-					},
-				},
-			},
-			wantErr: "certificate_public_key_sha256 is conflict with certificate or certificate_path",
-		},
-		{
-			name: "invalid min version",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{MinVersion: "bogus"},
-				},
-			},
-			wantErr: "parse min_version",
-		},
-		{
-			name: "invalid max version",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{MaxVersion: "bogus"},
-				},
-			},
-			wantErr: "parse max_version",
-		},
-		{
-			name: "invalid pin length",
-			options: option.HTTPClientOptions{
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						CertificatePublicKeySHA256: badoption.Listable[[]byte]{{0x01, 0x02}},
-					},
-				},
-			},
-			wantErr: "invalid certificate_public_key_sha256 length: 2",
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			config, err := newAppleSessionConfig(context.Background(), testCase.options)
-			if testCase.wantErr != "" {
-				if err == nil {
-					t.Fatal("expected error")
-				}
-				if !strings.Contains(err.Error(), testCase.wantErr) {
-					t.Fatalf("unexpected error: %v", err)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatal(err)
-			}
-			if testCase.check != nil {
-				testCase.check(t, config)
-			}
-		})
-	}
-}
-
-func TestAppleTransportVerifyPublicKeySHA256(t *testing.T) {
-	serverCertificate, _ := newAppleHTTPTestCertificate(t, "localhost")
-	goodHash := certificatePublicKeySHA256(t, serverCertificate.Certificate[0])
-	badHash := append([]byte(nil), goodHash...)
-	badHash[0] ^= 0xff
-
-	err := verifyApplePinnedPublicKeySHA256(goodHash, serverCertificate.Certificate[0])
-	if err != nil {
-		t.Fatalf("expected correct pin to succeed: %v", err)
-	}
-
-	err = verifyApplePinnedPublicKeySHA256(badHash, serverCertificate.Certificate[0])
-	if err == nil {
-		t.Fatal("expected incorrect pin to fail")
-	}
-	if !strings.Contains(err.Error(), "unrecognized remote public key") {
-		t.Fatalf("unexpected pin mismatch error: %v", err)
-	}
-
-	err = verifyApplePinnedPublicKeySHA256(goodHash[:applePinnedHashSize-1], serverCertificate.Certificate[0])
-	if err == nil {
-		t.Fatal("expected malformed pin list to fail")
-	}
-	if !strings.Contains(err.Error(), "invalid pinned public key list") {
-		t.Fatalf("unexpected malformed pin error: %v", err)
-	}
-}
-
-func TestAppleTransportRoundTripHTTPS(t *testing.T) {
-	requests := make(chan appleHTTPObservedRequest, 1)
-	server := startAppleHTTPTestServer(t, func(w http.ResponseWriter, r *http.Request) {
-		body, err := io.ReadAll(r.Body)
-		if err != nil {
-			t.Error(err)
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-		requests <- appleHTTPObservedRequest{
-			method:     r.Method,
-			body:       string(body),
-			host:       r.Host,
-			values:     append([]string(nil), r.Header.Values("X-Test")...),
-			protoMajor: r.ProtoMajor,
-		}
-		w.Header().Set("X-Reply", "apple")
-		w.WriteHeader(http.StatusCreated)
-		_, _ = w.Write([]byte("response body"))
-	})
-
-	transport := newAppleHTTPTestTransport(t, server, option.HTTPClientOptions{
-		Version: 2,
-		OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-			TLS: appleHTTPServerTLSOptions(server),
-		},
-	})
-
-	request, err := http.NewRequest(http.MethodPost, server.URL("/roundtrip"), bytes.NewReader([]byte("request body")))
-	if err != nil {
-		t.Fatal(err)
-	}
-	request.Header.Add("X-Test", "one")
-	request.Header.Add("X-Test", "two")
-	request.Host = "custom.example"
-
-	response, err := transport.RoundTrip(request)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer response.Body.Close()
-
-	responseBody := readResponseBody(t, response)
-	if response.StatusCode != http.StatusCreated {
-		t.Fatalf("unexpected status code: %d", response.StatusCode)
-	}
-	if response.Status != "201 Created" {
-		t.Fatalf("unexpected status: %q", response.Status)
-	}
-	if response.Header.Get("X-Reply") != "apple" {
-		t.Fatalf("unexpected response header: %q", response.Header.Get("X-Reply"))
-	}
-	if responseBody != "response body" {
-		t.Fatalf("unexpected response body: %q", responseBody)
-	}
-	if response.ContentLength != int64(len(responseBody)) {
-		t.Fatalf("unexpected content length: %d", response.ContentLength)
-	}
-
-	observed := waitObservedRequest(t, requests)
-	if observed.method != http.MethodPost {
-		t.Fatalf("unexpected method: %q", observed.method)
-	}
-	if observed.body != "request body" {
-		t.Fatalf("unexpected request body: %q", observed.body)
-	}
-	if observed.host != "custom.example" {
-		t.Fatalf("unexpected host: %q", observed.host)
-	}
-	if observed.protoMajor != 2 {
-		t.Fatalf("expected HTTP/2 request, got HTTP/%d", observed.protoMajor)
-	}
-	var normalizedValues []string
-	for _, value := range observed.values {
-		for _, part := range strings.Split(value, ",") {
-			normalizedValues = append(normalizedValues, strings.TrimSpace(part))
-		}
-	}
-	slices.Sort(normalizedValues)
-	if !slices.Equal(normalizedValues, []string{"one", "two"}) {
-		t.Fatalf("unexpected header values: %#v", observed.values)
-	}
-}
-
-func TestAppleTransportPinnedPublicKey(t *testing.T) {
-	server := startAppleHTTPTestServer(t, func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte("pinned"))
-	})
-
-	goodTransport := newAppleHTTPTestTransport(t, server, option.HTTPClientOptions{
-		Version: 2,
-		OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-			TLS: &option.OutboundTLSOptions{
-				Enabled:                    true,
-				ServerName:                 "localhost",
-				Insecure:                   true,
-				CertificatePublicKeySHA256: badoption.Listable[[]byte]{server.publicKeyHash},
-			},
-		},
-	})
-
-	response, err := goodTransport.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, server.URL("/good"), nil))
-	if err != nil {
-		t.Fatalf("expected pinned request to succeed: %v", err)
-	}
-	response.Body.Close()
-
-	badHash := append([]byte(nil), server.publicKeyHash...)
-	badHash[0] ^= 0xff
-	badTransport := newAppleHTTPTestTransport(t, server, option.HTTPClientOptions{
-		Version: 2,
-		OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-			TLS: &option.OutboundTLSOptions{
-				Enabled:                    true,
-				ServerName:                 "localhost",
-				Insecure:                   true,
-				CertificatePublicKeySHA256: badoption.Listable[[]byte]{badHash},
-			},
-		},
-	})
-
-	response, err = badTransport.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, server.URL("/bad"), nil))
-	if err == nil {
-		response.Body.Close()
-		t.Fatal("expected incorrect pinned public key to fail")
-	}
-}
-
-func TestAppleTransportGuardrails(t *testing.T) {
-	testCases := []struct {
-		name          string
-		options       option.HTTPClientOptions
-		buildRequest  func(t *testing.T) *http.Request
-		wantErrSubstr string
-	}{
-		{
-			name: "websocket upgrade rejected",
-			options: option.HTTPClientOptions{
-				Version: 2,
-			},
-			buildRequest: func(t *testing.T) *http.Request {
-				t.Helper()
-				request := newAppleHTTPRequest(t, http.MethodGet, "https://localhost/socket", nil)
-				request.Header.Set("Connection", "Upgrade")
-				request.Header.Set("Upgrade", "websocket")
-				return request
-			},
-			wantErrSubstr: "HTTP upgrade requests are unsupported in Apple HTTP engine",
-		},
-		{
-			name: "missing url rejected",
-			options: option.HTTPClientOptions{
-				Version: 2,
-			},
-			buildRequest: func(t *testing.T) *http.Request {
-				t.Helper()
-				return &http.Request{Method: http.MethodGet}
-			},
-			wantErrSubstr: "missing request URL",
-		},
-		{
-			name: "unsupported scheme rejected",
-			options: option.HTTPClientOptions{
-				Version: 2,
-			},
-			buildRequest: func(t *testing.T) *http.Request {
-				t.Helper()
-				return newAppleHTTPRequest(t, http.MethodGet, "ftp://localhost/file", nil)
-			},
-			wantErrSubstr: "unsupported URL scheme: ftp",
-		},
-		{
-			name: "server name mismatch rejected",
-			options: option.HTTPClientOptions{
-				Version: 2,
-				OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-					TLS: &option.OutboundTLSOptions{
-						Enabled:    true,
-						ServerName: "example.com",
-					},
-				},
-			},
-			buildRequest: func(t *testing.T) *http.Request {
-				t.Helper()
-				return newAppleHTTPRequest(t, http.MethodGet, "https://localhost/path", nil)
-			},
-			wantErrSubstr: "tls.server_name is unsupported in Apple HTTP engine unless it matches request host",
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			transport := newAppleHTTPTestTransport(t, nil, testCase.options)
-			response, err := transport.RoundTrip(testCase.buildRequest(t))
-			if err == nil {
-				response.Body.Close()
-				t.Fatal("expected error")
-			}
-			if !strings.Contains(err.Error(), testCase.wantErrSubstr) {
-				t.Fatalf("unexpected error: %v", err)
-			}
-		})
-	}
-}
-
-func TestAppleTransportCancellationRecovery(t *testing.T) {
-	server := startAppleHTTPTestServer(t, func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case "/block":
-			select {
-			case <-r.Context().Done():
-				return
-			case <-time.After(appleHTTPTestTimeout):
-				http.Error(w, "request was not canceled", http.StatusGatewayTimeout)
-			}
-		default:
-			w.WriteHeader(http.StatusOK)
-			_, _ = w.Write([]byte("ok"))
-		}
-	})
-
-	transport := newAppleHTTPTestTransport(t, server, option.HTTPClientOptions{
-		Version: 2,
-		OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-			TLS: appleHTTPServerTLSOptions(server),
-		},
-	})
-
-	for index := 0; index < appleHTTPRecoveryLoops; index++ {
-		ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-		request := newAppleHTTPRequestWithContext(t, ctx, http.MethodGet, server.URL("/block"), nil)
-		response, err := transport.RoundTrip(request)
-		cancel()
-		if err == nil {
-			response.Body.Close()
-			t.Fatalf("iteration %d: expected cancellation error", index)
-		}
-		if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
-			t.Fatalf("iteration %d: unexpected cancellation error: %v", index, err)
-		}
-
-		response, err = transport.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, server.URL("/ok"), nil))
-		if err != nil {
-			t.Fatalf("iteration %d: follow-up request failed: %v", index, err)
-		}
-		if body := readResponseBody(t, response); body != "ok" {
-			response.Body.Close()
-			t.Fatalf("iteration %d: unexpected follow-up body: %q", index, body)
-		}
-		response.Body.Close()
-	}
-}
-
-func TestAppleTransportLifecycle(t *testing.T) {
-	server := startAppleHTTPTestServer(t, func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte("ok"))
-	})
-
-	transport := newAppleHTTPTestTransport(t, server, option.HTTPClientOptions{
-		Version: 2,
-		OutboundTLSOptionsContainer: option.OutboundTLSOptionsContainer{
-			TLS: appleHTTPServerTLSOptions(server),
-		},
-	})
-	clone := transport.Clone()
-	t.Cleanup(func() {
-		_ = clone.Close()
-	})
-
-	assertAppleHTTPSucceeds(t, transport, server.URL("/original"))
-	assertAppleHTTPSucceeds(t, clone, server.URL("/clone"))
-
-	transport.CloseIdleConnections()
-	assertAppleHTTPSucceeds(t, transport, server.URL("/reset"))
-
-	if err := transport.Close(); err != nil {
-		t.Fatal(err)
-	}
-
-	response, err := transport.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, server.URL("/closed"), nil))
-	if err == nil {
-		response.Body.Close()
-		t.Fatal("expected closed transport to fail")
-	}
-	if !errors.Is(err, net.ErrClosed) {
-		t.Fatalf("unexpected closed transport error: %v", err)
-	}
-
-	assertAppleHTTPSucceeds(t, clone, server.URL("/clone-after-original-close"))
-
-	clone.CloseIdleConnections()
-	assertAppleHTTPSucceeds(t, clone, server.URL("/clone-reset"))
-
-	if err := clone.Close(); err != nil {
-		t.Fatal(err)
-	}
-	response, err = clone.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, server.URL("/clone-closed"), nil))
-	if err == nil {
-		response.Body.Close()
-		t.Fatal("expected closed clone to fail")
-	}
-	if !errors.Is(err, net.ErrClosed) {
-		t.Fatalf("unexpected closed clone error: %v", err)
-	}
-}
-
-func startAppleHTTPTestServer(t *testing.T, handler http.HandlerFunc) *appleHTTPTestServer {
-	t.Helper()
-
-	serverCertificate, serverCertificatePEM := newAppleHTTPTestCertificate(t, "localhost")
-	server := httptest.NewUnstartedServer(handler)
-	server.EnableHTTP2 = true
-	server.TLS = &stdtls.Config{
-		Certificates: []stdtls.Certificate{serverCertificate},
-		MinVersion:   stdtls.VersionTLS12,
-	}
-	server.StartTLS()
-	t.Cleanup(server.Close)
-
-	parsedURL, err := url.Parse(server.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	baseURL := *parsedURL
-	baseURL.Host = net.JoinHostPort("localhost", parsedURL.Port())
-
-	return &appleHTTPTestServer{
-		server:         server,
-		baseURL:        baseURL.String(),
-		dialHost:       parsedURL.Hostname(),
-		certificate:    serverCertificate,
-		certificatePEM: serverCertificatePEM,
-		publicKeyHash:  certificatePublicKeySHA256(t, serverCertificate.Certificate[0]),
-	}
-}
-
-func (s *appleHTTPTestServer) URL(path string) string {
-	if path == "" {
-		return s.baseURL
-	}
-	if strings.HasPrefix(path, "/") {
-		return s.baseURL + path
-	}
-	return s.baseURL + "/" + path
-}
-
-func newAppleHTTPTestTransport(t *testing.T, server *appleHTTPTestServer, options option.HTTPClientOptions) adapter.HTTPTransport {
-	t.Helper()
-
-	ctx := service.ContextWith[adapter.ConnectionManager](
-		context.Background(),
-		route.NewConnectionManager(log.NewNOPFactory().NewLogger("connection")),
-	)
-	dialer := &appleHTTPTestDialer{
-		hostMap: make(map[string]string),
-	}
-	if server != nil {
-		dialer.hostMap["localhost"] = server.dialHost
-	}
-
-	transport, err := newAppleTransport(ctx, log.NewNOPFactory().NewLogger("httpclient"), dialer, options)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		_ = transport.Close()
-	})
-	return transport
-}
-
-func (d *appleHTTPTestDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	host := destination.AddrString()
-	if destination.IsDomain() {
-		host = destination.Fqdn
-		if mappedHost, loaded := d.hostMap[host]; loaded {
-			host = mappedHost
-		}
-	}
-	return d.dialer.DialContext(ctx, network, net.JoinHostPort(host, strconv.Itoa(int(destination.Port))))
-}
-
-func (d *appleHTTPTestDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	host := destination.AddrString()
-	if destination.IsDomain() {
-		host = destination.Fqdn
-		if mappedHost, loaded := d.hostMap[host]; loaded {
-			host = mappedHost
-		}
-	}
-	if host == "" {
-		host = "127.0.0.1"
-	}
-	return d.listener.ListenPacket(ctx, N.NetworkUDP, net.JoinHostPort(host, strconv.Itoa(int(destination.Port))))
-}
-
-func newAppleHTTPTestCertificate(t *testing.T, serverName string) (stdtls.Certificate, string) {
-	t.Helper()
-
-	privateKeyPEM, certificatePEM, err := boxTLS.GenerateCertificate(nil, nil, time.Now, serverName, time.Now().Add(time.Hour))
-	if err != nil {
-		t.Fatal(err)
-	}
-	certificate, err := stdtls.X509KeyPair(certificatePEM, privateKeyPEM)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return certificate, string(certificatePEM)
-}
-
-func certificatePublicKeySHA256(t *testing.T, certificateDER []byte) []byte {
-	t.Helper()
-
-	certificate, err := x509.ParseCertificate(certificateDER)
-	if err != nil {
-		t.Fatal(err)
-	}
-	publicKeyDER, err := x509.MarshalPKIXPublicKey(certificate.PublicKey)
-	if err != nil {
-		t.Fatal(err)
-	}
-	hashValue := sha256.Sum256(publicKeyDER)
-	return append([]byte(nil), hashValue[:]...)
-}
-
-func appleHTTPServerTLSOptions(server *appleHTTPTestServer) *option.OutboundTLSOptions {
-	return &option.OutboundTLSOptions{
-		Enabled:     true,
-		ServerName:  "localhost",
-		Certificate: badoption.Listable[string]{server.certificatePEM},
-	}
-}
-
-func newAppleHTTPRequest(t *testing.T, method string, rawURL string, body []byte) *http.Request {
-	t.Helper()
-	return newAppleHTTPRequestWithContext(t, context.Background(), method, rawURL, body)
-}
-
-func newAppleHTTPRequestWithContext(t *testing.T, ctx context.Context, method string, rawURL string, body []byte) *http.Request {
-	t.Helper()
-	request, err := http.NewRequestWithContext(ctx, method, rawURL, bytes.NewReader(body))
-	if err != nil {
-		t.Fatal(err)
-	}
-	return request
-}
-
-func waitObservedRequest(t *testing.T, requests <-chan appleHTTPObservedRequest) appleHTTPObservedRequest {
-	t.Helper()
-
-	select {
-	case request := <-requests:
-		return request
-	case <-time.After(appleHTTPTestTimeout):
-		t.Fatal("timed out waiting for observed request")
-		return appleHTTPObservedRequest{}
-	}
-}
-
-func readResponseBody(t *testing.T, response *http.Response) string {
-	t.Helper()
-
-	body, err := io.ReadAll(response.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return string(body)
-}
-
-func assertAppleHTTPSucceeds(t *testing.T, transport adapter.HTTPTransport, rawURL string) {
-	t.Helper()
-
-	response, err := transport.RoundTrip(newAppleHTTPRequest(t, http.MethodGet, rawURL, nil))
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer response.Body.Close()
-	if body := readResponseBody(t, response); body != "ok" {
-		t.Fatalf("unexpected response body: %q", body)
-	}
-}
--- a/common/httpclient/apple_transport_stub.go
+++ b/common/httpclient/apple_transport_stub.go
@@ -1,17 +0,0 @@
-//go:build !darwin || !cgo
-
-package httpclient
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func newAppleTransport(ctx context.Context, logger logger.ContextLogger, rawDialer N.Dialer, options option.HTTPClientOptions) (adapter.HTTPTransport, error) {
-	return nil, E.New("Apple HTTP engine is not available on non-Apple platforms")
-}
--- a/common/httpclient/client.go
+++ b/common/httpclient/client.go
@@ -1,182 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	"net/http"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type Transport struct {
-	transport adapter.HTTPTransport
-	dialer    N.Dialer
-	headers   http.Header
-	host      string
-	tag       string
-}
-
-func NewTransport(ctx context.Context, logger logger.ContextLogger, tag string, options option.HTTPClientOptions) (*Transport, error) {
-	rawDialer, err := dialer.NewWithOptions(dialer.Options{
-		Context:          ctx,
-		Options:          options.DialerOptions,
-		RemoteIsDomain:   true,
-		DirectResolver:   options.DirectResolver,
-		ResolverOnDetour: options.ResolveOnDetour,
-		NewDialer:        options.ResolveOnDetour,
-		DefaultOutbound:  options.DefaultOutbound,
-	})
-	if err != nil {
-		return nil, err
-	}
-	switch options.Engine {
-	case C.TLSEngineApple:
-		transport, transportErr := newAppleTransport(ctx, logger, rawDialer, options)
-		if transportErr != nil {
-			return nil, transportErr
-		}
-		headers := options.Headers.Build()
-		host := headers.Get("Host")
-		headers.Del("Host")
-		return &Transport{
-			transport: transport,
-			dialer:    rawDialer,
-			headers:   headers,
-			host:      host,
-			tag:       tag,
-		}, nil
-	case C.TLSEngineDefault, "go":
-	default:
-		return nil, E.New("unknown HTTP engine: ", options.Engine)
-	}
-	tlsOptions := common.PtrValueOrDefault(options.TLS)
-	tlsOptions.Enabled = true
-	baseTLSConfig, err := tls.NewClientWithOptions(tls.ClientOptions{
-		Context:              ctx,
-		Logger:               logger,
-		Options:              tlsOptions,
-		AllowEmptyServerName: true,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return NewTransportWithDialer(rawDialer, baseTLSConfig, tag, options)
-}
-
-func NewTransportWithDialer(rawDialer N.Dialer, baseTLSConfig tls.Config, tag string, options option.HTTPClientOptions) (*Transport, error) {
-	transport, err := newTransport(rawDialer, baseTLSConfig, options)
-	if err != nil {
-		return nil, err
-	}
-	headers := options.Headers.Build()
-	host := headers.Get("Host")
-	headers.Del("Host")
-	return &Transport{
-		transport: transport,
-		dialer:    rawDialer,
-		headers:   headers,
-		host:      host,
-		tag:       tag,
-	}, nil
-}
-
-func newTransport(rawDialer N.Dialer, baseTLSConfig tls.Config, options option.HTTPClientOptions) (adapter.HTTPTransport, error) {
-	version := options.Version
-	if version == 0 {
-		version = 2
-	}
-	fallbackDelay := time.Duration(options.DialerOptions.FallbackDelay)
-	if fallbackDelay == 0 {
-		fallbackDelay = 300 * time.Millisecond
-	}
-	var transport adapter.HTTPTransport
-	var err error
-	switch version {
-	case 1:
-		transport = newHTTP1Transport(rawDialer, baseTLSConfig)
-	case 2:
-		if options.DisableVersionFallback {
-			transport, err = newHTTP2Transport(rawDialer, baseTLSConfig, options.HTTP2Options)
-		} else {
-			transport, err = newHTTP2FallbackTransport(rawDialer, baseTLSConfig, options.HTTP2Options)
-		}
-	case 3:
-		if baseTLSConfig != nil {
-			_, err = baseTLSConfig.STDConfig()
-			if err != nil {
-				return nil, err
-			}
-		}
-		if options.DisableVersionFallback {
-			transport, err = newHTTP3Transport(rawDialer, baseTLSConfig, options.HTTP3Options)
-		} else {
-			var h2Fallback adapter.HTTPTransport
-			h2Fallback, err = newHTTP2FallbackTransport(rawDialer, baseTLSConfig, options.HTTP2Options)
-			if err != nil {
-				return nil, err
-			}
-			transport, err = newHTTP3FallbackTransport(rawDialer, baseTLSConfig, h2Fallback, options.HTTP3Options, fallbackDelay)
-		}
-	default:
-		return nil, E.New("unknown HTTP version: ", version)
-	}
-	if err != nil {
-		return nil, err
-	}
-	return transport, nil
-}
-
-func (c *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	if c.tag == "" && len(c.headers) == 0 && c.host == "" {
-		return c.transport.RoundTrip(request)
-	}
-	if c.tag != "" {
-		if transportTag, loaded := transportTagFromContext(request.Context()); loaded && transportTag == c.tag {
-			return nil, E.New("HTTP request loopback in transport[", c.tag, "]")
-		}
-		request = request.Clone(contextWithTransportTag(request.Context(), c.tag))
-	} else {
-		request = request.Clone(request.Context())
-	}
-	applyHeaders(request, c.headers, c.host)
-	return c.transport.RoundTrip(request)
-}
-
-func (c *Transport) CloseIdleConnections() {
-	c.transport.CloseIdleConnections()
-}
-
-func (c *Transport) Clone() adapter.HTTPTransport {
-	return &Transport{
-		transport: c.transport.Clone(),
-		dialer:    c.dialer,
-		headers:   c.headers.Clone(),
-		host:      c.host,
-		tag:       c.tag,
-	}
-}
-
-func (c *Transport) Close() error {
-	return c.transport.Close()
-}
-
-// InitializeDetour eagerly resolves the detour dialer backing transport so that
-// detour misconfigurations surface at startup instead of on the first request.
-func InitializeDetour(transport adapter.HTTPTransport) error {
-	if shared, isShared := transport.(*sharedTransport); isShared {
-		transport = shared.HTTPTransport
-	}
-	inner, isInner := transport.(*Transport)
-	if !isInner {
-		return nil
-	}
-	return dialer.InitializeDetour(inner.dialer)
-}
--- a/common/httpclient/context.go
+++ b/common/httpclient/context.go
@@ -1,14 +0,0 @@
-package httpclient
-
-import "context"
-
-type transportKey struct{}
-
-func contextWithTransportTag(ctx context.Context, transportTag string) context.Context {
-	return context.WithValue(ctx, transportKey{}, transportTag)
-}
-
-func transportTagFromContext(ctx context.Context) (string, bool) {
-	value, loaded := ctx.Value(transportKey{}).(string)
-	return value, loaded
-}
--- a/common/httpclient/helpers.go
+++ b/common/httpclient/helpers.go
@@ -1,86 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	stdTLS "crypto/tls"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/tls"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func dialTLS(ctx context.Context, rawDialer N.Dialer, baseTLSConfig tls.Config, destination M.Socksaddr, nextProtos []string, expectProto string) (net.Conn, error) {
-	if baseTLSConfig == nil {
-		return nil, E.New("TLS transport unavailable")
-	}
-	tlsConfig := baseTLSConfig.Clone()
-	if tlsConfig.ServerName() == "" && destination.IsValid() {
-		tlsConfig.SetServerName(destination.AddrString())
-	}
-	tlsConfig.SetNextProtos(nextProtos)
-	conn, err := rawDialer.DialContext(ctx, N.NetworkTCP, destination)
-	if err != nil {
-		return nil, err
-	}
-	tlsConn, err := tls.ClientHandshake(ctx, conn, tlsConfig)
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	if expectProto != "" && tlsConn.ConnectionState().NegotiatedProtocol != expectProto {
-		tlsConn.Close()
-		return nil, errHTTP2Fallback
-	}
-	return tlsConn, nil
-}
-
-func applyHeaders(request *http.Request, headers http.Header, host string) {
-	for header, values := range headers {
-		request.Header[header] = append([]string(nil), values...)
-	}
-	if host != "" {
-		request.Host = host
-	}
-}
-
-func requestRequiresHTTP1(request *http.Request) bool {
-	return strings.Contains(strings.ToLower(request.Header.Get("Connection")), "upgrade") &&
-		strings.EqualFold(request.Header.Get("Upgrade"), "websocket")
-}
-
-func requestReplayable(request *http.Request) bool {
-	return request.Body == nil || request.Body == http.NoBody || request.GetBody != nil
-}
-
-func cloneRequestForRetry(request *http.Request) *http.Request {
-	cloned := request.Clone(request.Context())
-	if request.Body != nil && request.Body != http.NoBody && request.GetBody != nil {
-		cloned.Body = mustGetBody(request)
-	}
-	return cloned
-}
-
-func mustGetBody(request *http.Request) io.ReadCloser {
-	body, err := request.GetBody()
-	if err != nil {
-		panic(err)
-	}
-	return body
-}
-
-func buildSTDTLSConfig(baseTLSConfig tls.Config, destination M.Socksaddr, nextProtos []string) (*stdTLS.Config, error) {
-	if baseTLSConfig == nil {
-		return nil, nil
-	}
-	tlsConfig := baseTLSConfig.Clone()
-	if tlsConfig.ServerName() == "" && destination.IsValid() {
-		tlsConfig.SetServerName(destination.AddrString())
-	}
-	tlsConfig.SetNextProtos(nextProtos)
-	return tlsConfig.STDConfig()
-}
--- a/common/httpclient/http1_transport.go
+++ b/common/httpclient/http1_transport.go
@@ -1,47 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type http1Transport struct {
-	transport *http.Transport
-}
-
-func newHTTP1Transport(rawDialer N.Dialer, baseTLSConfig tls.Config) *http1Transport {
-	transport := &http.Transport{
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			return rawDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-		},
-	}
-	if baseTLSConfig != nil {
-		transport.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-			return dialTLS(ctx, rawDialer, baseTLSConfig, M.ParseSocksaddr(addr), []string{"http/1.1"}, "")
-		}
-	}
-	return &http1Transport{transport: transport}
-}
-
-func (t *http1Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	return t.transport.RoundTrip(request)
-}
-
-func (t *http1Transport) CloseIdleConnections() {
-	t.transport.CloseIdleConnections()
-}
-
-func (t *http1Transport) Clone() adapter.HTTPTransport {
-	return &http1Transport{transport: t.transport.Clone()}
-}
-
-func (t *http1Transport) Close() error {
-	t.CloseIdleConnections()
-	return nil
-}
--- a/common/httpclient/http2_config.go
+++ b/common/httpclient/http2_config.go
@@ -1,42 +0,0 @@
-package httpclient
-
-import (
-	stdTLS "crypto/tls"
-	"net/http"
-	"time"
-
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"golang.org/x/net/http2"
-)
-
-func CloneHTTP2Transport(transport *http2.Transport) *http2.Transport {
-	return &http2.Transport{
-		ReadIdleTimeout: transport.ReadIdleTimeout,
-		PingTimeout:     transport.PingTimeout,
-		DialTLSContext:  transport.DialTLSContext,
-	}
-}
-
-func ConfigureHTTP2Transport(options option.HTTP2Options) (*http2.Transport, error) {
-	stdTransport := &http.Transport{
-		TLSClientConfig: &stdTLS.Config{},
-		HTTP2: &http.HTTP2Config{
-			MaxReceiveBufferPerStream:     int(options.StreamReceiveWindow.Value()),
-			MaxReceiveBufferPerConnection: int(options.ConnectionReceiveWindow.Value()),
-			MaxConcurrentStreams:          options.MaxConcurrentStreams,
-			SendPingTimeout:               time.Duration(options.KeepAlivePeriod),
-			PingTimeout:                   time.Duration(options.IdleTimeout),
-		},
-	}
-	h2Transport, err := http2.ConfigureTransports(stdTransport)
-	if err != nil {
-		return nil, E.Cause(err, "configure HTTP/2 transport")
-	}
-	// ConfigureTransports binds ConnPool to the throwaway http.Transport; sever it so DialTLSContext is used directly.
-	h2Transport.ConnPool = nil
-	h2Transport.ReadIdleTimeout = time.Duration(options.KeepAlivePeriod)
-	h2Transport.PingTimeout = time.Duration(options.IdleTimeout)
-	return h2Transport, nil
-}
--- a/common/httpclient/http2_fallback_transport.go
+++ b/common/httpclient/http2_fallback_transport.go
@@ -1,93 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	stdTLS "crypto/tls"
-	"errors"
-	"net"
-	"net/http"
-	"sync/atomic"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/net/http2"
-)
-
-var errHTTP2Fallback = E.New("fallback to HTTP/1.1")
-
-type http2FallbackTransport struct {
-	h2Transport *http2.Transport
-	h1Transport *http1Transport
-	h2Fallback  *atomic.Bool
-}
-
-func newHTTP2FallbackTransport(rawDialer N.Dialer, baseTLSConfig tls.Config, options option.HTTP2Options) (*http2FallbackTransport, error) {
-	h1 := newHTTP1Transport(rawDialer, baseTLSConfig)
-	var fallback atomic.Bool
-	h2Transport, err := ConfigureHTTP2Transport(options)
-	if err != nil {
-		return nil, err
-	}
-	h2Transport.DialTLSContext = func(ctx context.Context, network, addr string, _ *stdTLS.Config) (net.Conn, error) {
-		conn, dialErr := dialTLS(ctx, rawDialer, baseTLSConfig, M.ParseSocksaddr(addr), []string{http2.NextProtoTLS, "http/1.1"}, http2.NextProtoTLS)
-		if dialErr != nil {
-			if errors.Is(dialErr, errHTTP2Fallback) {
-				fallback.Store(true)
-			}
-			return nil, dialErr
-		}
-		return conn, nil
-	}
-	return &http2FallbackTransport{
-		h2Transport: h2Transport,
-		h1Transport: h1,
-		h2Fallback:  &fallback,
-	}, nil
-}
-
-func (t *http2FallbackTransport) RoundTrip(request *http.Request) (*http.Response, error) {
-	return t.roundTrip(request, true)
-}
-
-func (t *http2FallbackTransport) roundTrip(request *http.Request, allowHTTP1Fallback bool) (*http.Response, error) {
-	if request.URL.Scheme != "https" || requestRequiresHTTP1(request) {
-		return t.h1Transport.RoundTrip(request)
-	}
-	if t.h2Fallback.Load() {
-		if !allowHTTP1Fallback {
-			return nil, errHTTP2Fallback
-		}
-		return t.h1Transport.RoundTrip(request)
-	}
-	response, err := t.h2Transport.RoundTrip(request)
-	if err == nil {
-		return response, nil
-	}
-	if !errors.Is(err, errHTTP2Fallback) || !allowHTTP1Fallback {
-		return nil, err
-	}
-	return t.h1Transport.RoundTrip(cloneRequestForRetry(request))
-}
-
-func (t *http2FallbackTransport) CloseIdleConnections() {
-	t.h1Transport.CloseIdleConnections()
-	t.h2Transport.CloseIdleConnections()
-}
-
-func (t *http2FallbackTransport) Clone() adapter.HTTPTransport {
-	return &http2FallbackTransport{
-		h2Transport: CloneHTTP2Transport(t.h2Transport),
-		h1Transport: t.h1Transport.Clone().(*http1Transport),
-		h2Fallback:  t.h2Fallback,
-	}
-}
-
-func (t *http2FallbackTransport) Close() error {
-	t.CloseIdleConnections()
-	return nil
-}
--- a/common/httpclient/http2_transport.go
+++ b/common/httpclient/http2_transport.go
@@ -1,60 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	stdTLS "crypto/tls"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/option"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/net/http2"
-)
-
-type http2Transport struct {
-	h2Transport *http2.Transport
-	h1Transport *http1Transport
-}
-
-func newHTTP2Transport(rawDialer N.Dialer, baseTLSConfig tls.Config, options option.HTTP2Options) (*http2Transport, error) {
-	h1 := newHTTP1Transport(rawDialer, baseTLSConfig)
-	h2Transport, err := ConfigureHTTP2Transport(options)
-	if err != nil {
-		return nil, err
-	}
-	h2Transport.DialTLSContext = func(ctx context.Context, network, addr string, _ *stdTLS.Config) (net.Conn, error) {
-		return dialTLS(ctx, rawDialer, baseTLSConfig, M.ParseSocksaddr(addr), []string{http2.NextProtoTLS}, http2.NextProtoTLS)
-	}
-	return &http2Transport{
-		h2Transport: h2Transport,
-		h1Transport: h1,
-	}, nil
-}
-
-func (t *http2Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	if request.URL.Scheme != "https" || requestRequiresHTTP1(request) {
-		return t.h1Transport.RoundTrip(request)
-	}
-	return t.h2Transport.RoundTrip(request)
-}
-
-func (t *http2Transport) CloseIdleConnections() {
-	t.h1Transport.CloseIdleConnections()
-	t.h2Transport.CloseIdleConnections()
-}
-
-func (t *http2Transport) Clone() adapter.HTTPTransport {
-	return &http2Transport{
-		h2Transport: CloneHTTP2Transport(t.h2Transport),
-		h1Transport: t.h1Transport.Clone().(*http1Transport),
-	}
-}
-
-func (t *http2Transport) Close() error {
-	t.CloseIdleConnections()
-	return nil
-}
--- a/common/httpclient/http3_transport.go
+++ b/common/httpclient/http3_transport.go
@@ -1,312 +0,0 @@
-//go:build with_quic
-
-package httpclient
-
-import (
-	"context"
-	stdTLS "crypto/tls"
-	"errors"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/quic-go/http3"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type http3Transport struct {
-	h3Transport *http3.Transport
-}
-
-type http3FallbackTransport struct {
-	h3Transport   *http3.Transport
-	h2Fallback    adapter.HTTPTransport
-	fallbackDelay time.Duration
-	brokenAccess  sync.Mutex
-	brokenUntil   time.Time
-	brokenBackoff time.Duration
-}
-
-func newHTTP3RoundTripper(
-	rawDialer N.Dialer,
-	baseTLSConfig tls.Config,
-	options option.QUICOptions,
-) *http3.Transport {
-	var handshakeTimeout time.Duration
-	if baseTLSConfig != nil {
-		handshakeTimeout = baseTLSConfig.HandshakeTimeout()
-	}
-	quicConfig := &quic.Config{
-		InitialStreamReceiveWindow:     options.StreamReceiveWindow.Value(),
-		MaxStreamReceiveWindow:         options.StreamReceiveWindow.Value(),
-		InitialConnectionReceiveWindow: options.ConnectionReceiveWindow.Value(),
-		MaxConnectionReceiveWindow:     options.ConnectionReceiveWindow.Value(),
-		KeepAlivePeriod:                time.Duration(options.KeepAlivePeriod),
-		MaxIdleTimeout:                 time.Duration(options.IdleTimeout),
-		DisablePathMTUDiscovery:        options.DisablePathMTUDiscovery,
-	}
-	if options.InitialPacketSize > 0 {
-		quicConfig.InitialPacketSize = uint16(options.InitialPacketSize)
-	}
-	if options.MaxConcurrentStreams > 0 {
-		quicConfig.MaxIncomingStreams = int64(options.MaxConcurrentStreams)
-	}
-	if handshakeTimeout > 0 {
-		quicConfig.HandshakeIdleTimeout = handshakeTimeout
-	}
-	h3Transport := &http3.Transport{
-		TLSClientConfig: &stdTLS.Config{},
-		QUICConfig:      quicConfig,
-		Dial: func(ctx context.Context, addr string, tlsConfig *stdTLS.Config, quicConfig *quic.Config) (*quic.Conn, error) {
-			if handshakeTimeout > 0 && quicConfig.HandshakeIdleTimeout == 0 {
-				quicConfig = quicConfig.Clone()
-				quicConfig.HandshakeIdleTimeout = handshakeTimeout
-			}
-			if baseTLSConfig != nil {
-				var err error
-				tlsConfig, err = buildSTDTLSConfig(baseTLSConfig, M.ParseSocksaddr(addr), []string{http3.NextProtoH3})
-				if err != nil {
-					return nil, err
-				}
-			} else {
-				tlsConfig = tlsConfig.Clone()
-				tlsConfig.NextProtos = []string{http3.NextProtoH3}
-			}
-			conn, err := rawDialer.DialContext(ctx, N.NetworkUDP, M.ParseSocksaddr(addr))
-			if err != nil {
-				return nil, err
-			}
-			quicConn, err := quic.DialEarly(ctx, bufio.NewUnbindPacketConn(conn), conn.RemoteAddr(), tlsConfig, quicConfig)
-			if err != nil {
-				conn.Close()
-				return nil, err
-			}
-			return quicConn, nil
-		},
-	}
-	return h3Transport
-}
-
-func newHTTP3Transport(
-	rawDialer N.Dialer,
-	baseTLSConfig tls.Config,
-	options option.QUICOptions,
-) (adapter.HTTPTransport, error) {
-	return &http3Transport{
-		h3Transport: newHTTP3RoundTripper(rawDialer, baseTLSConfig, options),
-	}, nil
-}
-
-func newHTTP3FallbackTransport(
-	rawDialer N.Dialer,
-	baseTLSConfig tls.Config,
-	h2Fallback adapter.HTTPTransport,
-	options option.QUICOptions,
-	fallbackDelay time.Duration,
-) (adapter.HTTPTransport, error) {
-	return &http3FallbackTransport{
-		h3Transport:   newHTTP3RoundTripper(rawDialer, baseTLSConfig, options),
-		h2Fallback:    h2Fallback,
-		fallbackDelay: fallbackDelay,
-	}, nil
-}
-
-func (t *http3Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	return t.h3Transport.RoundTrip(request)
-}
-
-func (t *http3Transport) CloseIdleConnections() {
-	t.h3Transport.CloseIdleConnections()
-}
-
-func (t *http3Transport) Close() error {
-	t.CloseIdleConnections()
-	return t.h3Transport.Close()
-}
-
-func (t *http3Transport) Clone() adapter.HTTPTransport {
-	return &http3Transport{
-		h3Transport: t.h3Transport,
-	}
-}
-
-func (t *http3FallbackTransport) RoundTrip(request *http.Request) (*http.Response, error) {
-	if request.URL.Scheme != "https" || requestRequiresHTTP1(request) {
-		return t.h2Fallback.RoundTrip(request)
-	}
-	return t.roundTripHTTP3(request)
-}
-
-func (t *http3FallbackTransport) roundTripHTTP3(request *http.Request) (*http.Response, error) {
-	if t.h3Broken() {
-		return t.h2FallbackRoundTrip(request)
-	}
-	response, err := t.h3Transport.RoundTripOpt(request, http3.RoundTripOpt{OnlyCachedConn: true})
-	if err == nil {
-		t.clearH3Broken()
-		return response, nil
-	}
-	if !errors.Is(err, http3.ErrNoCachedConn) {
-		t.markH3Broken()
-		return t.h2FallbackRoundTrip(cloneRequestForRetry(request))
-	}
-	if !requestReplayable(request) {
-		response, err = t.h3Transport.RoundTrip(request)
-		if err == nil {
-			t.clearH3Broken()
-			return response, nil
-		}
-		t.markH3Broken()
-		return nil, err
-	}
-	return t.roundTripHTTP3Race(request)
-}
-
-func (t *http3FallbackTransport) roundTripHTTP3Race(request *http.Request) (*http.Response, error) {
-	ctx, cancel := context.WithCancel(request.Context())
-	defer cancel()
-	type result struct {
-		response *http.Response
-		err      error
-		h3       bool
-	}
-	results := make(chan result, 2)
-	startRoundTrip := func(request *http.Request, useH3 bool) {
-		request = request.WithContext(ctx)
-		var (
-			response *http.Response
-			err      error
-		)
-		if useH3 {
-			response, err = t.h3Transport.RoundTrip(request)
-		} else {
-			response, err = t.h2FallbackRoundTrip(request)
-		}
-		results <- result{response: response, err: err, h3: useH3}
-	}
-	goroutines := 1
-	received := 0
-	drainRemaining := func() {
-		cancel()
-		for range goroutines - received {
-			go func() {
-				loser := <-results
-				if loser.response != nil && loser.response.Body != nil {
-					loser.response.Body.Close()
-				}
-			}()
-		}
-	}
-	go startRoundTrip(cloneRequestForRetry(request), true)
-	timer := time.NewTimer(t.fallbackDelay)
-	defer timer.Stop()
-	var (
-		h3Err       error
-		fallbackErr error
-	)
-	for {
-		select {
-		case <-timer.C:
-			if goroutines == 1 {
-				goroutines++
-				go startRoundTrip(cloneRequestForRetry(request), false)
-			}
-		case raceResult := <-results:
-			received++
-			if raceResult.err == nil {
-				if raceResult.h3 {
-					t.clearH3Broken()
-				}
-				drainRemaining()
-				return raceResult.response, nil
-			}
-			if raceResult.h3 {
-				t.markH3Broken()
-				h3Err = raceResult.err
-				if goroutines == 1 {
-					goroutines++
-					if !timer.Stop() {
-						select {
-						case <-timer.C:
-						default:
-						}
-					}
-					go startRoundTrip(cloneRequestForRetry(request), false)
-				}
-			} else {
-				fallbackErr = raceResult.err
-			}
-			if received < goroutines {
-				continue
-			}
-			drainRemaining()
-			switch {
-			case h3Err != nil && fallbackErr != nil:
-				return nil, E.Errors(h3Err, fallbackErr)
-			case fallbackErr != nil:
-				return nil, fallbackErr
-			default:
-				return nil, h3Err
-			}
-		}
-	}
-}
-
-func (t *http3FallbackTransport) h2FallbackRoundTrip(request *http.Request) (*http.Response, error) {
-	if fallback, isFallback := t.h2Fallback.(*http2FallbackTransport); isFallback {
-		return fallback.roundTrip(request, true)
-	}
-	return t.h2Fallback.RoundTrip(request)
-}
-
-func (t *http3FallbackTransport) CloseIdleConnections() {
-	t.h3Transport.CloseIdleConnections()
-	t.h2Fallback.CloseIdleConnections()
-}
-
-func (t *http3FallbackTransport) Close() error {
-	t.CloseIdleConnections()
-	return t.h3Transport.Close()
-}
-
-func (t *http3FallbackTransport) Clone() adapter.HTTPTransport {
-	return &http3FallbackTransport{
-		h3Transport:   t.h3Transport,
-		h2Fallback:    t.h2Fallback.Clone(),
-		fallbackDelay: t.fallbackDelay,
-	}
-}
-
-func (t *http3FallbackTransport) h3Broken() bool {
-	t.brokenAccess.Lock()
-	defer t.brokenAccess.Unlock()
-	return !t.brokenUntil.IsZero() && time.Now().Before(t.brokenUntil)
-}
-
-func (t *http3FallbackTransport) clearH3Broken() {
-	t.brokenAccess.Lock()
-	t.brokenUntil = time.Time{}
-	t.brokenBackoff = 0
-	t.brokenAccess.Unlock()
-}
-
-func (t *http3FallbackTransport) markH3Broken() {
-	t.brokenAccess.Lock()
-	defer t.brokenAccess.Unlock()
-	if t.brokenBackoff == 0 {
-		t.brokenBackoff = 5 * time.Minute
-	} else {
-		t.brokenBackoff *= 2
-		if t.brokenBackoff > 48*time.Hour {
-			t.brokenBackoff = 48 * time.Hour
-		}
-	}
-	t.brokenUntil = time.Now().Add(t.brokenBackoff)
-}
--- a/common/httpclient/http3_transport_stub.go
+++ b/common/httpclient/http3_transport_stub.go
@@ -1,31 +0,0 @@
-//go:build !with_quic
-
-package httpclient
-
-import (
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func newHTTP3FallbackTransport(
-	rawDialer N.Dialer,
-	baseTLSConfig tls.Config,
-	h2Fallback adapter.HTTPTransport,
-	options option.QUICOptions,
-	fallbackDelay time.Duration,
-) (adapter.HTTPTransport, error) {
-	return nil, E.New("HTTP/3 requires building with the with_quic tag")
-}
-
-func newHTTP3Transport(
-	rawDialer N.Dialer,
-	baseTLSConfig tls.Config,
-	options option.QUICOptions,
-) (adapter.HTTPTransport, error) {
-	return nil, E.New("HTTP/3 requires building with the with_quic tag")
-}
--- a/common/httpclient/manager.go
+++ b/common/httpclient/manager.go
@@ -1,164 +0,0 @@
-package httpclient
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-)
-
-var (
-	_ adapter.HTTPClientManager = (*Manager)(nil)
-	_ adapter.LifecycleService  = (*Manager)(nil)
-)
-
-type Manager struct {
-	ctx                      context.Context
-	logger                   log.ContextLogger
-	access                   sync.Mutex
-	defines                  map[string]option.HTTPClient
-	transports               map[string]*Transport
-	defaultTag               string
-	defaultTransport         adapter.HTTPTransport
-	defaultTransportFallback func() (*Transport, error)
-	fallbackTransport        *Transport
-}
-
-func NewManager(ctx context.Context, logger log.ContextLogger, clients []option.HTTPClient, defaultHTTPClient string) *Manager {
-	defines := make(map[string]option.HTTPClient, len(clients))
-	for _, client := range clients {
-		defines[client.Tag] = client
-	}
-	defaultTag := defaultHTTPClient
-	if defaultTag == "" && len(clients) > 0 {
-		defaultTag = clients[0].Tag
-	}
-	return &Manager{
-		ctx:        ctx,
-		logger:     logger,
-		defines:    defines,
-		transports: make(map[string]*Transport),
-		defaultTag: defaultTag,
-	}
-}
-
-func (m *Manager) Initialize(defaultTransportFallback func() (*Transport, error)) {
-	m.defaultTransportFallback = defaultTransportFallback
-}
-
-func (m *Manager) Name() string {
-	return "http-client"
-}
-
-func (m *Manager) Start(stage adapter.StartStage) error {
-	if stage != adapter.StartStateStart {
-		return nil
-	}
-	if m.defaultTag != "" {
-		transport, err := m.resolveShared(m.defaultTag)
-		if err != nil {
-			return E.Cause(err, "resolve default http client")
-		}
-		m.defaultTransport = transport
-	} else if m.defaultTransportFallback != nil {
-		transport, err := m.defaultTransportFallback()
-		if err != nil {
-			return E.Cause(err, "create default http client")
-		}
-		m.defaultTransport = transport
-		m.fallbackTransport = transport
-	}
-	return nil
-}
-
-func (m *Manager) DefaultTransport() adapter.HTTPTransport {
-	if m.defaultTransport == nil {
-		return nil
-	}
-	return &sharedTransport{m.defaultTransport}
-}
-
-func (m *Manager) ResolveTransport(ctx context.Context, logger logger.ContextLogger, options option.HTTPClientOptions) (adapter.HTTPTransport, error) {
-	if options.Tag != "" {
-		if options.ResolveOnDetour {
-			define, loaded := m.defines[options.Tag]
-			if !loaded {
-				return nil, E.New("http_client not found: ", options.Tag)
-			}
-			resolvedOptions := define.Options()
-			resolvedOptions.ResolveOnDetour = true
-			return NewTransport(ctx, logger, options.Tag, resolvedOptions)
-		}
-		transport, err := m.resolveShared(options.Tag)
-		if err != nil {
-			return nil, err
-		}
-		return &sharedTransport{transport}, nil
-	}
-	return NewTransport(ctx, logger, "", options)
-}
-
-func (m *Manager) resolveShared(tag string) (adapter.HTTPTransport, error) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if transport, loaded := m.transports[tag]; loaded {
-		return transport, nil
-	}
-	define, loaded := m.defines[tag]
-	if !loaded {
-		return nil, E.New("http_client not found: ", tag)
-	}
-	transport, err := NewTransport(m.ctx, m.logger, tag, define.Options())
-	if err != nil {
-		return nil, E.Cause(err, "create shared http_client[", tag, "]")
-	}
-	m.transports[tag] = transport
-	return transport, nil
-}
-
-type sharedTransport struct {
-	adapter.HTTPTransport
-}
-
-func (t *sharedTransport) CloseIdleConnections() {
-}
-
-func (t *sharedTransport) Close() error {
-	return nil
-}
-
-func (m *Manager) ResetNetwork() {
-	m.access.Lock()
-	defer m.access.Unlock()
-	for _, transport := range m.transports {
-		transport.CloseIdleConnections()
-	}
-	if m.fallbackTransport != nil {
-		m.fallbackTransport.CloseIdleConnections()
-	}
-}
-
-func (m *Manager) Close() error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.transports == nil {
-		return nil
-	}
-	var err error
-	for _, transport := range m.transports {
-		err = E.Append(err, transport.Close(), func(err error) error {
-			return E.Cause(err, "close http client")
-		})
-	}
-	if m.fallbackTransport != nil {
-		err = E.Append(err, m.fallbackTransport.Close(), func(err error) error {
-			return E.Cause(err, "close default http client")
-		})
-	}
-	m.transports = nil
-	return err
-}
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -37,10 +37,7 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	if l.listenOptions.ReuseAddr {
 		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
 	}
-	if l.listenOptions.DisableTCPKeepAlive {
-		listenConfig.KeepAlive = -1
-		listenConfig.KeepAliveConfig.Enable = false
-	} else {
+	if !l.listenOptions.DisableTCPKeepAlive {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
 			keepIdle = C.TCPKeepAliveInitial
--- a/common/networkquality/http.go
+++ b/common/networkquality/http.go
@@ -1,142 +0,0 @@
-package networkquality
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/http"
-	"strings"
-
-	C "github.com/sagernet/sing-box/constant"
-	sBufio "github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func FormatBitrate(bps int64) string {
-	switch {
-	case bps >= 1_000_000_000:
-		return fmt.Sprintf("%.1f Gbps", float64(bps)/1_000_000_000)
-	case bps >= 1_000_000:
-		return fmt.Sprintf("%.1f Mbps", float64(bps)/1_000_000)
-	case bps >= 1_000:
-		return fmt.Sprintf("%.1f Kbps", float64(bps)/1_000)
-	default:
-		return fmt.Sprintf("%d bps", bps)
-	}
-}
-
-func NewHTTPClient(dialer N.Dialer) *http.Client {
-	transport := &http.Transport{
-		ForceAttemptHTTP2:   true,
-		TLSHandshakeTimeout: C.TCPTimeout,
-	}
-	if dialer != nil {
-		transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
-			return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-		}
-	}
-	return &http.Client{Transport: transport}
-}
-
-func baseTransportFromClient(client *http.Client) (*http.Transport, error) {
-	if client == nil {
-		return nil, E.New("http client is nil")
-	}
-	if client.Transport == nil {
-		return http.DefaultTransport.(*http.Transport).Clone(), nil
-	}
-	transport, ok := client.Transport.(*http.Transport)
-	if !ok {
-		return nil, E.New("http client transport must be *http.Transport")
-	}
-	return transport.Clone(), nil
-}
-
-func newMeasurementClient(
-	baseClient *http.Client,
-	connectEndpoint string,
-	singleConnection bool,
-	disableKeepAlives bool,
-	readCounters []N.CountFunc,
-	writeCounters []N.CountFunc,
-) (*http.Client, error) {
-	transport, err := baseTransportFromClient(baseClient)
-	if err != nil {
-		return nil, err
-	}
-	transport.DisableCompression = true
-	transport.DisableKeepAlives = disableKeepAlives
-	if singleConnection {
-		transport.MaxConnsPerHost = 1
-		transport.MaxIdleConnsPerHost = 1
-		transport.MaxIdleConns = 1
-	}
-
-	baseDialContext := transport.DialContext
-	if baseDialContext == nil {
-		dialer := &net.Dialer{}
-		baseDialContext = dialer.DialContext
-	}
-	transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
-		dialAddr := addr
-		if connectEndpoint != "" {
-			dialAddr = rewriteDialAddress(addr, connectEndpoint)
-		}
-		conn, dialErr := baseDialContext(ctx, network, dialAddr)
-		if dialErr != nil {
-			return nil, dialErr
-		}
-		if len(readCounters) > 0 || len(writeCounters) > 0 {
-			return sBufio.NewCounterConn(conn, readCounters, writeCounters), nil
-		}
-		return conn, nil
-	}
-
-	return &http.Client{
-		Transport:     transport,
-		CheckRedirect: baseClient.CheckRedirect,
-		Jar:           baseClient.Jar,
-		Timeout:       baseClient.Timeout,
-	}, nil
-}
-
-type MeasurementClientFactory func(
-	connectEndpoint string,
-	singleConnection bool,
-	disableKeepAlives bool,
-	readCounters []N.CountFunc,
-	writeCounters []N.CountFunc,
-) (*http.Client, error)
-
-func defaultMeasurementClientFactory(baseClient *http.Client) MeasurementClientFactory {
-	return func(connectEndpoint string, singleConnection, disableKeepAlives bool, readCounters, writeCounters []N.CountFunc) (*http.Client, error) {
-		return newMeasurementClient(baseClient, connectEndpoint, singleConnection, disableKeepAlives, readCounters, writeCounters)
-	}
-}
-
-func NewOptionalHTTP3Factory(dialer N.Dialer, useHTTP3 bool) (MeasurementClientFactory, error) {
-	if !useHTTP3 {
-		return nil, nil
-	}
-	return NewHTTP3MeasurementClientFactory(dialer)
-}
-
-func rewriteDialAddress(addr string, connectEndpoint string) string {
-	connectEndpoint = strings.TrimSpace(connectEndpoint)
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return addr
-	}
-	endpointHost, endpointPort, err := net.SplitHostPort(connectEndpoint)
-	if err == nil {
-		host = endpointHost
-		if endpointPort != "" {
-			port = endpointPort
-		}
-	} else if connectEndpoint != "" {
-		host = connectEndpoint
-	}
-	return net.JoinHostPort(host, port)
-}
--- a/common/networkquality/http3.go
+++ b/common/networkquality/http3.go
@@ -1,55 +0,0 @@
-//go:build with_quic
-
-package networkquality
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/quic-go"
-	"github.com/sagernet/quic-go/http3"
-	sBufio "github.com/sagernet/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func NewHTTP3MeasurementClientFactory(dialer N.Dialer) (MeasurementClientFactory, error) {
-	// singleConnection and disableKeepAlives are not applied:
-	// HTTP/3 multiplexes streams over a single QUIC connection by default.
-	return func(connectEndpoint string, _, _ bool, readCounters, writeCounters []N.CountFunc) (*http.Client, error) {
-		transport := &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
-				dialAddr := addr
-				if connectEndpoint != "" {
-					dialAddr = rewriteDialAddress(addr, connectEndpoint)
-				}
-				destination := M.ParseSocksaddr(dialAddr)
-				var udpConn net.Conn
-				var dialErr error
-				if dialer != nil {
-					udpConn, dialErr = dialer.DialContext(ctx, N.NetworkUDP, destination)
-				} else {
-					var netDialer net.Dialer
-					udpConn, dialErr = netDialer.DialContext(ctx, N.NetworkUDP, destination.String())
-				}
-				if dialErr != nil {
-					return nil, dialErr
-				}
-				wrappedConn := udpConn
-				if len(readCounters) > 0 || len(writeCounters) > 0 {
-					wrappedConn = sBufio.NewCounterConn(udpConn, readCounters, writeCounters)
-				}
-				packetConn := sBufio.NewUnbindPacketConn(wrappedConn)
-				quicConn, dialErr := quic.DialEarly(ctx, packetConn, udpConn.RemoteAddr(), tlsCfg, cfg)
-				if dialErr != nil {
-					udpConn.Close()
-					return nil, dialErr
-				}
-				return quicConn, nil
-			},
-		}
-		return &http.Client{Transport: transport}, nil
-	}, nil
-}
--- a/common/networkquality/http3_stub.go
+++ b/common/networkquality/http3_stub.go
@@ -1,12 +0,0 @@
-//go:build !with_quic
-
-package networkquality
-
-import (
-	C "github.com/sagernet/sing-box/constant"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func NewHTTP3MeasurementClientFactory(dialer N.Dialer) (MeasurementClientFactory, error) {
-	return nil, C.ErrQUICNotIncluded
-}
--- a/common/networkquality/networkquality.go
+++ b/common/networkquality/networkquality.go
--- a/common/proxybridge/bridge.go
+++ b/common/proxybridge/bridge.go
@@ -1,115 +0,0 @@
-package proxybridge
-
-import (
-	std_bufio "bufio"
-	"context"
-	"crypto/rand"
-	"encoding/hex"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/auth"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/protocol/socks"
-	"github.com/sagernet/sing/service"
-)
-
-type Bridge struct {
-	ctx           context.Context
-	logger        logger.ContextLogger
-	tag           string
-	dialer        N.Dialer
-	connection    adapter.ConnectionManager
-	tcpListener   *net.TCPListener
-	username      string
-	password      string
-	authenticator *auth.Authenticator
-}
-
-func New(ctx context.Context, logger logger.ContextLogger, tag string, dialer N.Dialer) (*Bridge, error) {
-	username := randomHex(16)
-	password := randomHex(16)
-	tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)})
-	if err != nil {
-		return nil, err
-	}
-	bridge := &Bridge{
-		ctx:           ctx,
-		logger:        logger,
-		tag:           tag,
-		dialer:        dialer,
-		connection:    service.FromContext[adapter.ConnectionManager](ctx),
-		tcpListener:   tcpListener,
-		username:      username,
-		password:      password,
-		authenticator: auth.NewAuthenticator([]auth.User{{Username: username, Password: password}}),
-	}
-	go bridge.acceptLoop()
-	return bridge, nil
-}
-
-func randomHex(size int) string {
-	raw := make([]byte, size)
-	rand.Read(raw)
-	return hex.EncodeToString(raw)
-}
-
-func (b *Bridge) Port() uint16 {
-	return M.SocksaddrFromNet(b.tcpListener.Addr()).Port
-}
-
-func (b *Bridge) Username() string {
-	return b.username
-}
-
-func (b *Bridge) Password() string {
-	return b.password
-}
-
-func (b *Bridge) Close() error {
-	return common.Close(b.tcpListener)
-}
-
-func (b *Bridge) acceptLoop() {
-	for {
-		tcpConn, err := b.tcpListener.AcceptTCP()
-		if err != nil {
-			return
-		}
-		ctx := log.ContextWithNewID(b.ctx)
-		go func() {
-			hErr := socks.HandleConnectionEx(ctx, tcpConn, std_bufio.NewReader(tcpConn), b.authenticator, b, nil, 0, M.SocksaddrFromNet(tcpConn.RemoteAddr()), nil)
-			if hErr == nil {
-				return
-			}
-			if E.IsClosedOrCanceled(hErr) {
-				b.logger.DebugContext(ctx, E.Cause(hErr, b.tag, " connection closed"))
-				return
-			}
-			b.logger.ErrorContext(ctx, E.Cause(hErr, b.tag))
-		}()
-	}
-}
-
-func (b *Bridge) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	var metadata adapter.InboundContext
-	metadata.Source = source
-	metadata.Destination = destination
-	metadata.Network = N.NetworkTCP
-	b.logger.InfoContext(ctx, b.tag, " connection to ", metadata.Destination)
-	b.connection.NewConnection(ctx, b.dialer, conn, metadata, onClose)
-}
-
-func (b *Bridge) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
-	var metadata adapter.InboundContext
-	metadata.Source = source
-	metadata.Destination = destination
-	metadata.Network = N.NetworkUDP
-	b.logger.InfoContext(ctx, b.tag, " packet connection to ", metadata.Destination)
-	b.connection.NewPacketConnection(ctx, b.dialer, conn, metadata, onClose)
-}
--- a/common/srs/binary.go
+++ b/common/srs/binary.go
@@ -46,7 +46,6 @@ const (
 	ruleItemNetworkIsConstrained
 	ruleItemNetworkInterfaceAddress
 	ruleItemDefaultInterfaceAddress
-	ruleItemPackageNameRegex
 	ruleItemFinal uint8 = 0xFF
 )

@@ -216,8 +215,6 @@ func readDefaultRule(reader varbin.Reader, recover bool) (rule option.DefaultHea
 			rule.ProcessPathRegex, err = readRuleItemString(reader)
 		case ruleItemPackageName:
 			rule.PackageName, err = readRuleItemString(reader)
-		case ruleItemPackageNameRegex:
-			rule.PackageNameRegex, err = readRuleItemString(reader)
 		case ruleItemWIFISSID:
 			rule.WIFISSID, err = readRuleItemString(reader)
 		case ruleItemWIFIBSSID:
@@ -397,15 +394,6 @@ func writeDefaultRule(writer varbin.Writer, rule option.DefaultHeadlessRule, gen
 			return err
 		}
 	}
-	if len(rule.PackageNameRegex) > 0 {
-		if generateVersion < C.RuleSetVersion5 {
-			return E.New("`package_name_regex` rule item is only supported in version 5 or later")
-		}
-		err = writeRuleItemString(writer, ruleItemPackageNameRegex, rule.PackageNameRegex)
-		if err != nil {
-			return err
-		}
-	}
 	if len(rule.NetworkType) > 0 {
 		if generateVersion < C.RuleSetVersion3 {
 			return E.New("`network_type` rule item is only supported in version 3 or later")
--- a/common/stun/stun.go
+++ b/common/stun/stun.go
@@ -1,612 +0,0 @@
-package stun
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/bufio/deadline"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-const (
-	DefaultServer = "stun.voipgate.com:3478"
-
-	magicCookie = 0x2112A442
-	headerSize  = 20
-
-	bindingRequest         = 0x0001
-	bindingSuccessResponse = 0x0101
-	bindingErrorResponse   = 0x0111
-
-	attrMappedAddress    = 0x0001
-	attrChangeRequest    = 0x0003
-	attrErrorCode        = 0x0009
-	attrXORMappedAddress = 0x0020
-	attrOtherAddress     = 0x802c
-
-	familyIPv4 = 0x01
-	familyIPv6 = 0x02
-
-	changeIP   = 0x04
-	changePort = 0x02
-
-	defaultRTO    = 500 * time.Millisecond
-	minRTO        = 250 * time.Millisecond
-	maxRetransmit = 2
-)
-
-type Phase int32
-
-const (
-	PhaseBinding Phase = iota
-	PhaseNATMapping
-	PhaseNATFiltering
-	PhaseDone
-)
-
-type NATMapping int32
-
-const (
-	NATMappingUnknown NATMapping = iota
-	_                            // reserved
-	NATMappingEndpointIndependent
-	NATMappingAddressDependent
-	NATMappingAddressAndPortDependent
-)
-
-func (m NATMapping) String() string {
-	switch m {
-	case NATMappingEndpointIndependent:
-		return "Endpoint Independent"
-	case NATMappingAddressDependent:
-		return "Address Dependent"
-	case NATMappingAddressAndPortDependent:
-		return "Address and Port Dependent"
-	default:
-		return "Unknown"
-	}
-}
-
-type NATFiltering int32
-
-const (
-	NATFilteringUnknown NATFiltering = iota
-	NATFilteringEndpointIndependent
-	NATFilteringAddressDependent
-	NATFilteringAddressAndPortDependent
-)
-
-func (f NATFiltering) String() string {
-	switch f {
-	case NATFilteringEndpointIndependent:
-		return "Endpoint Independent"
-	case NATFilteringAddressDependent:
-		return "Address Dependent"
-	case NATFilteringAddressAndPortDependent:
-		return "Address and Port Dependent"
-	default:
-		return "Unknown"
-	}
-}
-
-type TransactionID [12]byte
-
-type Options struct {
-	Server     string
-	Dialer     N.Dialer
-	Context    context.Context
-	OnProgress func(Progress)
-}
-
-type Progress struct {
-	Phase        Phase
-	ExternalAddr string
-	LatencyMs    int32
-	NATMapping   NATMapping
-	NATFiltering NATFiltering
-}
-
-type Result struct {
-	ExternalAddr     string
-	LatencyMs        int32
-	NATMapping       NATMapping
-	NATFiltering     NATFiltering
-	NATTypeSupported bool
-}
-
-type parsedResponse struct {
-	xorMappedAddr netip.AddrPort
-	mappedAddr    netip.AddrPort
-	otherAddr     netip.AddrPort
-}
-
-func (r *parsedResponse) externalAddr() (netip.AddrPort, bool) {
-	if r.xorMappedAddr.IsValid() {
-		return r.xorMappedAddr, true
-	}
-	if r.mappedAddr.IsValid() {
-		return r.mappedAddr, true
-	}
-	return netip.AddrPort{}, false
-}
-
-type stunAttribute struct {
-	typ   uint16
-	value []byte
-}
-
-func newTransactionID() TransactionID {
-	var id TransactionID
-	_, _ = rand.Read(id[:])
-	return id
-}
-
-func buildBindingRequest(txID TransactionID, attrs ...stunAttribute) []byte {
-	attrLen := 0
-	for _, attr := range attrs {
-		attrLen += 4 + len(attr.value) + paddingLen(len(attr.value))
-	}
-
-	buf := make([]byte, headerSize+attrLen)
-	binary.BigEndian.PutUint16(buf[0:2], bindingRequest)
-	binary.BigEndian.PutUint16(buf[2:4], uint16(attrLen))
-	binary.BigEndian.PutUint32(buf[4:8], magicCookie)
-	copy(buf[8:20], txID[:])
-
-	offset := headerSize
-	for _, attr := range attrs {
-		binary.BigEndian.PutUint16(buf[offset:offset+2], attr.typ)
-		binary.BigEndian.PutUint16(buf[offset+2:offset+4], uint16(len(attr.value)))
-		copy(buf[offset+4:offset+4+len(attr.value)], attr.value)
-		offset += 4 + len(attr.value) + paddingLen(len(attr.value))
-	}
-
-	return buf
-}
-
-func changeRequestAttr(flags byte) stunAttribute {
-	return stunAttribute{
-		typ:   attrChangeRequest,
-		value: []byte{0, 0, 0, flags},
-	}
-}
-
-func parseResponse(data []byte, expectedTxID TransactionID) (*parsedResponse, error) {
-	if len(data) < headerSize {
-		return nil, E.New("response too short")
-	}
-
-	msgType := binary.BigEndian.Uint16(data[0:2])
-	if msgType&0xC000 != 0 {
-		return nil, E.New("invalid STUN message: top 2 bits not zero")
-	}
-
-	cookie := binary.BigEndian.Uint32(data[4:8])
-	if cookie != magicCookie {
-		return nil, E.New("invalid magic cookie")
-	}
-
-	var txID TransactionID
-	copy(txID[:], data[8:20])
-	if txID != expectedTxID {
-		return nil, E.New("transaction ID mismatch")
-	}
-
-	msgLen := int(binary.BigEndian.Uint16(data[2:4]))
-	if msgLen > len(data)-headerSize {
-		return nil, E.New("message length exceeds data")
-	}
-
-	attrData := data[headerSize : headerSize+msgLen]
-
-	if msgType == bindingErrorResponse {
-		return nil, parseErrorResponse(attrData)
-	}
-	if msgType != bindingSuccessResponse {
-		return nil, E.New("unexpected message type: ", fmt.Sprintf("0x%04x", msgType))
-	}
-
-	resp := &parsedResponse{}
-	offset := 0
-	for offset+4 <= len(attrData) {
-		attrType := binary.BigEndian.Uint16(attrData[offset : offset+2])
-		attrLen := int(binary.BigEndian.Uint16(attrData[offset+2 : offset+4]))
-		if offset+4+attrLen > len(attrData) {
-			break
-		}
-		attrValue := attrData[offset+4 : offset+4+attrLen]
-
-		switch attrType {
-		case attrXORMappedAddress:
-			addr, err := parseXORMappedAddress(attrValue, txID)
-			if err == nil {
-				resp.xorMappedAddr = addr
-			}
-		case attrMappedAddress:
-			addr, err := parseMappedAddress(attrValue)
-			if err == nil {
-				resp.mappedAddr = addr
-			}
-		case attrOtherAddress:
-			addr, err := parseMappedAddress(attrValue)
-			if err == nil {
-				resp.otherAddr = addr
-			}
-		}
-
-		offset += 4 + attrLen + paddingLen(attrLen)
-	}
-
-	return resp, nil
-}
-
-func parseErrorResponse(data []byte) error {
-	offset := 0
-	for offset+4 <= len(data) {
-		attrType := binary.BigEndian.Uint16(data[offset : offset+2])
-		attrLen := int(binary.BigEndian.Uint16(data[offset+2 : offset+4]))
-		if offset+4+attrLen > len(data) {
-			break
-		}
-		if attrType == attrErrorCode && attrLen >= 4 {
-			attrValue := data[offset+4 : offset+4+attrLen]
-			class := int(attrValue[2] & 0x07)
-			number := int(attrValue[3])
-			code := class*100 + number
-			if attrLen > 4 {
-				return E.New("STUN error ", code, ": ", string(attrValue[4:]))
-			}
-			return E.New("STUN error ", code)
-		}
-		offset += 4 + attrLen + paddingLen(attrLen)
-	}
-	return E.New("STUN error response")
-}
-
-func parseXORMappedAddress(data []byte, txID TransactionID) (netip.AddrPort, error) {
-	if len(data) < 4 {
-		return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS too short")
-	}
-
-	family := data[1]
-	xPort := binary.BigEndian.Uint16(data[2:4])
-	port := xPort ^ uint16(magicCookie>>16)
-
-	switch family {
-	case familyIPv4:
-		if len(data) < 8 {
-			return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS IPv4 too short")
-		}
-		var ip [4]byte
-		binary.BigEndian.PutUint32(ip[:], binary.BigEndian.Uint32(data[4:8])^magicCookie)
-		return netip.AddrPortFrom(netip.AddrFrom4(ip), port), nil
-	case familyIPv6:
-		if len(data) < 20 {
-			return netip.AddrPort{}, E.New("XOR-MAPPED-ADDRESS IPv6 too short")
-		}
-		var ip [16]byte
-		var xorKey [16]byte
-		binary.BigEndian.PutUint32(xorKey[0:4], magicCookie)
-		copy(xorKey[4:16], txID[:])
-		for i := range 16 {
-			ip[i] = data[4+i] ^ xorKey[i]
-		}
-		return netip.AddrPortFrom(netip.AddrFrom16(ip), port), nil
-	default:
-		return netip.AddrPort{}, E.New("unknown address family: ", family)
-	}
-}
-
-func parseMappedAddress(data []byte) (netip.AddrPort, error) {
-	if len(data) < 4 {
-		return netip.AddrPort{}, E.New("MAPPED-ADDRESS too short")
-	}
-
-	family := data[1]
-	port := binary.BigEndian.Uint16(data[2:4])
-
-	switch family {
-	case familyIPv4:
-		if len(data) < 8 {
-			return netip.AddrPort{}, E.New("MAPPED-ADDRESS IPv4 too short")
-		}
-		return netip.AddrPortFrom(
-			netip.AddrFrom4([4]byte{data[4], data[5], data[6], data[7]}), port,
-		), nil
-	case familyIPv6:
-		if len(data) < 20 {
-			return netip.AddrPort{}, E.New("MAPPED-ADDRESS IPv6 too short")
-		}
-		var ip [16]byte
-		copy(ip[:], data[4:20])
-		return netip.AddrPortFrom(netip.AddrFrom16(ip), port), nil
-	default:
-		return netip.AddrPort{}, E.New("unknown address family: ", family)
-	}
-}
-
-func roundTrip(conn net.PacketConn, addr net.Addr, txID TransactionID, attrs []stunAttribute, rto time.Duration) (*parsedResponse, time.Duration, error) {
-	request := buildBindingRequest(txID, attrs...)
-	currentRTO := rto
-	retransmitCount := 0
-
-	sendTime := time.Now()
-	_, err := conn.WriteTo(request, addr)
-	if err != nil {
-		return nil, 0, E.Cause(err, "send STUN request")
-	}
-
-	buf := make([]byte, 1024)
-	for {
-		err = conn.SetReadDeadline(sendTime.Add(currentRTO))
-		if err != nil {
-			return nil, 0, E.Cause(err, "set read deadline")
-		}
-
-		n, _, readErr := conn.ReadFrom(buf)
-		if readErr != nil {
-			if E.IsTimeout(readErr) && retransmitCount < maxRetransmit {
-				retransmitCount++
-				currentRTO *= 2
-				sendTime = time.Now()
-				_, err = conn.WriteTo(request, addr)
-				if err != nil {
-					return nil, 0, E.Cause(err, "retransmit STUN request")
-				}
-				continue
-			}
-			return nil, 0, E.Cause(readErr, "read STUN response")
-		}
-
-		if n < headerSize || buf[0]&0xC0 != 0 ||
-			binary.BigEndian.Uint32(buf[4:8]) != magicCookie {
-			continue
-		}
-		var receivedTxID TransactionID
-		copy(receivedTxID[:], buf[8:20])
-		if receivedTxID != txID {
-			continue
-		}
-
-		latency := time.Since(sendTime)
-
-		resp, parseErr := parseResponse(buf[:n], txID)
-		if parseErr != nil {
-			return nil, 0, parseErr
-		}
-
-		return resp, latency, nil
-	}
-}
-
-func Run(options Options) (*Result, error) {
-	ctx := options.Context
-	if ctx == nil {
-		ctx = context.Background()
-	}
-
-	server := options.Server
-	if server == "" {
-		server = DefaultServer
-	}
-	serverSocksaddr := M.ParseSocksaddr(server)
-	if serverSocksaddr.Port == 0 {
-		serverSocksaddr.Port = 3478
-	}
-
-	reportProgress := options.OnProgress
-	if reportProgress == nil {
-		reportProgress = func(Progress) {}
-	}
-
-	var (
-		packetConn net.PacketConn
-		serverAddr net.Addr
-		err        error
-	)
-
-	if options.Dialer != nil {
-		packetConn, err = options.Dialer.ListenPacket(ctx, serverSocksaddr)
-		if err != nil {
-			return nil, E.Cause(err, "create UDP socket")
-		}
-		serverAddr = serverSocksaddr
-	} else {
-		serverUDPAddr, resolveErr := net.ResolveUDPAddr("udp", serverSocksaddr.String())
-		if resolveErr != nil {
-			return nil, E.Cause(resolveErr, "resolve STUN server")
-		}
-		packetConn, err = net.ListenPacket("udp", "")
-		if err != nil {
-			return nil, E.Cause(err, "create UDP socket")
-		}
-		serverAddr = serverUDPAddr
-	}
-	defer func() {
-		_ = packetConn.Close()
-	}()
-	if deadline.NeedAdditionalReadDeadline(packetConn) {
-		packetConn = deadline.NewPacketConn(bufio.NewPacketConn(packetConn))
-	}
-
-	select {
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	default:
-	}
-
-	rto := defaultRTO
-
-	// Phase 1: Binding
-	reportProgress(Progress{Phase: PhaseBinding})
-
-	txID := newTransactionID()
-	resp, latency, err := roundTrip(packetConn, serverAddr, txID, nil, rto)
-	if err != nil {
-		return nil, E.Cause(err, "binding request")
-	}
-
-	rto = max(minRTO, 3*latency)
-
-	externalAddr, ok := resp.externalAddr()
-	if !ok {
-		return nil, E.New("no mapped address in response")
-	}
-
-	result := &Result{
-		ExternalAddr: externalAddr.String(),
-		LatencyMs:    int32(latency.Milliseconds()),
-	}
-
-	reportProgress(Progress{
-		Phase:        PhaseBinding,
-		ExternalAddr: result.ExternalAddr,
-		LatencyMs:    result.LatencyMs,
-	})
-
-	otherAddr := resp.otherAddr
-	if !otherAddr.IsValid() {
-		result.NATTypeSupported = false
-		reportProgress(Progress{
-			Phase:        PhaseDone,
-			ExternalAddr: result.ExternalAddr,
-			LatencyMs:    result.LatencyMs,
-		})
-		return result, nil
-	}
-	result.NATTypeSupported = true
-
-	select {
-	case <-ctx.Done():
-		return result, nil
-	default:
-	}
-
-	// Phase 2: NAT Mapping Detection (RFC 5780 Section 4.3)
-	reportProgress(Progress{
-		Phase:        PhaseNATMapping,
-		ExternalAddr: result.ExternalAddr,
-		LatencyMs:    result.LatencyMs,
-	})
-
-	result.NATMapping = detectNATMapping(
-		packetConn, serverSocksaddr.Port, externalAddr, otherAddr, rto,
-	)
-
-	reportProgress(Progress{
-		Phase:        PhaseNATMapping,
-		ExternalAddr: result.ExternalAddr,
-		LatencyMs:    result.LatencyMs,
-		NATMapping:   result.NATMapping,
-	})
-
-	select {
-	case <-ctx.Done():
-		return result, nil
-	default:
-	}
-
-	// Phase 3: NAT Filtering Detection (RFC 5780 Section 4.4)
-	reportProgress(Progress{
-		Phase:        PhaseNATFiltering,
-		ExternalAddr: result.ExternalAddr,
-		LatencyMs:    result.LatencyMs,
-		NATMapping:   result.NATMapping,
-	})
-
-	result.NATFiltering = detectNATFiltering(packetConn, serverAddr, rto)
-
-	reportProgress(Progress{
-		Phase:        PhaseDone,
-		ExternalAddr: result.ExternalAddr,
-		LatencyMs:    result.LatencyMs,
-		NATMapping:   result.NATMapping,
-		NATFiltering: result.NATFiltering,
-	})
-
-	return result, nil
-}
-
-func detectNATMapping(
-	conn net.PacketConn,
-	serverPort uint16,
-	externalAddr netip.AddrPort,
-	otherAddr netip.AddrPort,
-	rto time.Duration,
-) NATMapping {
-	// Mapping Test II: Send to other_ip:server_port
-	testIIAddr := net.UDPAddrFromAddrPort(
-		netip.AddrPortFrom(otherAddr.Addr(), serverPort),
-	)
-	txID2 := newTransactionID()
-	resp2, _, err := roundTrip(conn, testIIAddr, txID2, nil, rto)
-	if err != nil {
-		return NATMappingUnknown
-	}
-
-	externalAddr2, ok := resp2.externalAddr()
-	if !ok {
-		return NATMappingUnknown
-	}
-
-	if externalAddr == externalAddr2 {
-		return NATMappingEndpointIndependent
-	}
-
-	// Mapping Test III: Send to other_ip:other_port
-	testIIIAddr := net.UDPAddrFromAddrPort(otherAddr)
-	txID3 := newTransactionID()
-	resp3, _, err := roundTrip(conn, testIIIAddr, txID3, nil, rto)
-	if err != nil {
-		return NATMappingUnknown
-	}
-
-	externalAddr3, ok := resp3.externalAddr()
-	if !ok {
-		return NATMappingUnknown
-	}
-
-	if externalAddr2 == externalAddr3 {
-		return NATMappingAddressDependent
-	}
-	return NATMappingAddressAndPortDependent
-}
-
-func detectNATFiltering(
-	conn net.PacketConn,
-	serverAddr net.Addr,
-	rto time.Duration,
-) NATFiltering {
-	// Filtering Test II: Request response from different IP and port
-	txID := newTransactionID()
-	_, _, err := roundTrip(conn, serverAddr, txID,
-		[]stunAttribute{changeRequestAttr(changeIP | changePort)}, rto)
-	if err == nil {
-		return NATFilteringEndpointIndependent
-	}
-
-	// Filtering Test III: Request response from different port only
-	txID = newTransactionID()
-	_, _, err = roundTrip(conn, serverAddr, txID,
-		[]stunAttribute{changeRequestAttr(changePort)}, rto)
-	if err == nil {
-		return NATFilteringAddressDependent
-	}
-
-	return NATFilteringAddressAndPortDependent
-}
-
-func paddingLen(n int) int {
-	if n%4 == 0 {
-		return 0
-	}
-	return 4 - n%4
-}
--- a/common/tls/apple_client.go
+++ b/common/tls/apple_client.go
@@ -1,214 +0,0 @@
-//go:build darwin && cgo
-
-package tls
-
-import (
-	"context"
-	"net"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	boxConstant "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-	"github.com/sagernet/sing/service"
-)
-
-type appleCertificateStore interface {
-	StoreKind() string
-	CurrentPEM() []string
-}
-
-type appleClientConfig struct {
-	serverName                 string
-	nextProtos                 []string
-	handshakeTimeout           time.Duration
-	minVersion                 uint16
-	maxVersion                 uint16
-	insecure                   bool
-	anchorPEM                  string
-	anchorOnly                 bool
-	certificatePublicKeySHA256 [][]byte
-}
-
-func (c *appleClientConfig) ServerName() string {
-	return c.serverName
-}
-
-func (c *appleClientConfig) SetServerName(serverName string) {
-	c.serverName = serverName
-}
-
-func (c *appleClientConfig) NextProtos() []string {
-	return c.nextProtos
-}
-
-func (c *appleClientConfig) SetNextProtos(nextProto []string) {
-	c.nextProtos = append(c.nextProtos[:0], nextProto...)
-}
-
-func (c *appleClientConfig) HandshakeTimeout() time.Duration {
-	return c.handshakeTimeout
-}
-
-func (c *appleClientConfig) SetHandshakeTimeout(timeout time.Duration) {
-	c.handshakeTimeout = timeout
-}
-
-func (c *appleClientConfig) STDConfig() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for Apple TLS engine")
-}
-
-func (c *appleClientConfig) Client(conn net.Conn) (Conn, error) {
-	return nil, os.ErrInvalid
-}
-
-func (c *appleClientConfig) Clone() Config {
-	return &appleClientConfig{
-		serverName:                 c.serverName,
-		nextProtos:                 append([]string(nil), c.nextProtos...),
-		handshakeTimeout:           c.handshakeTimeout,
-		minVersion:                 c.minVersion,
-		maxVersion:                 c.maxVersion,
-		insecure:                   c.insecure,
-		anchorPEM:                  c.anchorPEM,
-		anchorOnly:                 c.anchorOnly,
-		certificatePublicKeySHA256: append([][]byte(nil), c.certificatePublicKeySHA256...),
-	}
-}
-
-func newAppleClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
-	validated, err := ValidateAppleTLSOptions(ctx, options, "Apple TLS engine")
-	if err != nil {
-		return nil, err
-	}
-
-	var serverName string
-	if options.ServerName != "" {
-		serverName = options.ServerName
-	} else if serverAddress != "" {
-		serverName = serverAddress
-	}
-	if serverName == "" && !options.Insecure && !allowEmptyServerName {
-		return nil, errMissingServerName
-	}
-
-	var handshakeTimeout time.Duration
-	if options.HandshakeTimeout > 0 {
-		handshakeTimeout = options.HandshakeTimeout.Build()
-	} else {
-		handshakeTimeout = boxConstant.TCPTimeout
-	}
-
-	return &appleClientConfig{
-		serverName:                 serverName,
-		nextProtos:                 append([]string(nil), options.ALPN...),
-		handshakeTimeout:           handshakeTimeout,
-		minVersion:                 validated.MinVersion,
-		maxVersion:                 validated.MaxVersion,
-		insecure:                   options.Insecure || len(options.CertificatePublicKeySHA256) > 0,
-		anchorPEM:                  validated.AnchorPEM,
-		anchorOnly:                 validated.AnchorOnly,
-		certificatePublicKeySHA256: append([][]byte(nil), options.CertificatePublicKeySHA256...),
-	}, nil
-}
-
-type AppleTLSValidated struct {
-	MinVersion uint16
-	MaxVersion uint16
-	AnchorPEM  string
-	AnchorOnly bool
-}
-
-func ValidateAppleTLSOptions(ctx context.Context, options option.OutboundTLSOptions, engineName string) (AppleTLSValidated, error) {
-	if options.Reality != nil && options.Reality.Enabled {
-		return AppleTLSValidated{}, E.New("reality is unsupported in ", engineName)
-	}
-	if options.UTLS != nil && options.UTLS.Enabled {
-		return AppleTLSValidated{}, E.New("utls is unsupported in ", engineName)
-	}
-	if options.ECH != nil && options.ECH.Enabled {
-		return AppleTLSValidated{}, E.New("ech is unsupported in ", engineName)
-	}
-	if options.DisableSNI {
-		return AppleTLSValidated{}, E.New("disable_sni is unsupported in ", engineName)
-	}
-	if len(options.CipherSuites) > 0 {
-		return AppleTLSValidated{}, E.New("cipher_suites is unsupported in ", engineName)
-	}
-	if len(options.CurvePreferences) > 0 {
-		return AppleTLSValidated{}, E.New("curve_preferences is unsupported in ", engineName)
-	}
-	if len(options.ClientCertificate) > 0 || options.ClientCertificatePath != "" || len(options.ClientKey) > 0 || options.ClientKeyPath != "" {
-		return AppleTLSValidated{}, E.New("client certificate is unsupported in ", engineName)
-	}
-	if options.Fragment || options.RecordFragment {
-		return AppleTLSValidated{}, E.New("tls fragment is unsupported in ", engineName)
-	}
-	if options.KernelTx || options.KernelRx {
-		return AppleTLSValidated{}, E.New("ktls is unsupported in ", engineName)
-	}
-	if len(options.CertificatePublicKeySHA256) > 0 && (len(options.Certificate) > 0 || options.CertificatePath != "") {
-		return AppleTLSValidated{}, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
-	}
-	var minVersion uint16
-	if options.MinVersion != "" {
-		var err error
-		minVersion, err = ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return AppleTLSValidated{}, E.Cause(err, "parse min_version")
-		}
-	}
-	var maxVersion uint16
-	if options.MaxVersion != "" {
-		var err error
-		maxVersion, err = ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return AppleTLSValidated{}, E.Cause(err, "parse max_version")
-		}
-	}
-	anchorPEM, anchorOnly, err := AppleAnchorPEM(ctx, options)
-	if err != nil {
-		return AppleTLSValidated{}, err
-	}
-	return AppleTLSValidated{
-		MinVersion: minVersion,
-		MaxVersion: maxVersion,
-		AnchorPEM:  anchorPEM,
-		AnchorOnly: anchorOnly,
-	}, nil
-}
-
-func AppleAnchorPEM(ctx context.Context, options option.OutboundTLSOptions) (string, bool, error) {
-	if len(options.Certificate) > 0 {
-		return strings.Join(options.Certificate, "\n"), true, nil
-	}
-	if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return "", false, E.Cause(err, "read certificate")
-		}
-		return string(content), true, nil
-	}
-
-	certificateStore := service.FromContext[adapter.CertificateStore](ctx)
-	if certificateStore == nil {
-		return "", false, nil
-	}
-	store, ok := certificateStore.(appleCertificateStore)
-	if !ok {
-		return "", false, nil
-	}
-
-	switch store.StoreKind() {
-	case boxConstant.CertificateStoreSystem, "":
-		return strings.Join(store.CurrentPEM(), "\n"), false, nil
-	case boxConstant.CertificateStoreMozilla, boxConstant.CertificateStoreChrome, boxConstant.CertificateStoreNone:
-		return strings.Join(store.CurrentPEM(), "\n"), true, nil
-	default:
-		return "", false, E.New("unsupported certificate store for Apple TLS engine: ", store.StoreKind())
-	}
-}
--- a/common/tls/apple_client_platform.go
+++ b/common/tls/apple_client_platform.go
@@ -1,414 +0,0 @@
-//go:build darwin && cgo
-
-package tls
-
-/*
-#cgo CFLAGS: -x objective-c -fobjc-arc
-#cgo LDFLAGS: -framework Foundation -framework Network -framework Security
-
-#include <stdlib.h>
-#include "apple_client_platform.h"
-*/
-import "C"
-
-import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/binary"
-	"io"
-	"math"
-	"net"
-	"os"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-	"unsafe"
-
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"golang.org/x/sys/unix"
-)
-
-func (c *appleClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (Conn, error) {
-	rawSyscallConn, ok := common.Cast[syscall.Conn](conn)
-	if !ok {
-		return nil, E.New("apple TLS: requires fd-backed TCP connection")
-	}
-	syscallConn, err := rawSyscallConn.SyscallConn()
-	if err != nil {
-		return nil, E.Cause(err, "access raw connection")
-	}
-
-	var dupFD int
-	controlErr := syscallConn.Control(func(fd uintptr) {
-		dupFD, err = unix.Dup(int(fd))
-	})
-	if controlErr != nil {
-		return nil, E.Cause(controlErr, "access raw connection")
-	}
-	if err != nil {
-		return nil, E.Cause(err, "duplicate raw connection")
-	}
-
-	serverName := c.serverName
-	serverNamePtr := cStringOrNil(serverName)
-	defer cFree(serverNamePtr)
-
-	alpn := strings.Join(c.nextProtos, "\n")
-	alpnPtr := cStringOrNil(alpn)
-	defer cFree(alpnPtr)
-
-	anchorPEMPtr := cStringOrNil(c.anchorPEM)
-	defer cFree(anchorPEMPtr)
-
-	var errorPtr *C.char
-	client := C.box_apple_tls_client_create(
-		C.int(dupFD),
-		serverNamePtr,
-		alpnPtr,
-		C.size_t(len(alpn)),
-		C.uint16_t(c.minVersion),
-		C.uint16_t(c.maxVersion),
-		C.bool(c.insecure),
-		anchorPEMPtr,
-		C.size_t(len(c.anchorPEM)),
-		C.bool(c.anchorOnly),
-		&errorPtr,
-	)
-	if client == nil {
-		if errorPtr != nil {
-			defer C.free(unsafe.Pointer(errorPtr))
-			return nil, E.New(C.GoString(errorPtr))
-		}
-		return nil, E.New("apple TLS: create connection")
-	}
-	if err = waitAppleTLSClientReady(ctx, client); err != nil {
-		C.box_apple_tls_client_cancel(client)
-		C.box_apple_tls_client_free(client)
-		return nil, err
-	}
-
-	var state C.box_apple_tls_state_t
-	stateOK := C.box_apple_tls_client_copy_state(client, &state, &errorPtr)
-	if !bool(stateOK) {
-		C.box_apple_tls_client_cancel(client)
-		C.box_apple_tls_client_free(client)
-		if errorPtr != nil {
-			defer C.free(unsafe.Pointer(errorPtr))
-			return nil, E.New(C.GoString(errorPtr))
-		}
-		return nil, E.New("apple TLS: read metadata")
-	}
-	defer C.box_apple_tls_state_free(&state)
-
-	connectionState, rawCerts, err := parseAppleTLSState(&state)
-	if err != nil {
-		C.box_apple_tls_client_cancel(client)
-		C.box_apple_tls_client_free(client)
-		return nil, err
-	}
-	if len(c.certificatePublicKeySHA256) > 0 {
-		err = VerifyPublicKeySHA256(c.certificatePublicKeySHA256, rawCerts)
-		if err != nil {
-			C.box_apple_tls_client_cancel(client)
-			C.box_apple_tls_client_free(client)
-			return nil, err
-		}
-	}
-
-	return &appleTLSConn{
-		rawConn: conn,
-		client:  client,
-		state:   connectionState,
-		closed:  make(chan struct{}),
-	}, nil
-}
-
-const appleTLSHandshakePollInterval = 100 * time.Millisecond
-
-func waitAppleTLSClientReady(ctx context.Context, client *C.box_apple_tls_client_t) error {
-	for {
-		if err := ctx.Err(); err != nil {
-			C.box_apple_tls_client_cancel(client)
-			return err
-		}
-
-		waitTimeout := appleTLSHandshakePollInterval
-		if deadline, loaded := ctx.Deadline(); loaded {
-			remaining := time.Until(deadline)
-			if remaining <= 0 {
-				C.box_apple_tls_client_cancel(client)
-				if err := ctx.Err(); err != nil {
-					return err
-				}
-				return context.DeadlineExceeded
-			}
-			if remaining < waitTimeout {
-				waitTimeout = remaining
-			}
-		}
-
-		var errorPtr *C.char
-		waitResult := C.box_apple_tls_client_wait_ready(client, C.int(timeoutFromDuration(waitTimeout)), &errorPtr)
-		switch waitResult {
-		case 1:
-			return nil
-		case -2:
-			continue
-		case 0:
-			if errorPtr != nil {
-				defer C.free(unsafe.Pointer(errorPtr))
-				return E.New(C.GoString(errorPtr))
-			}
-			return E.New("apple TLS: handshake failed")
-		default:
-			return E.New("apple TLS: invalid handshake state")
-		}
-	}
-}
-
-type appleTLSConn struct {
-	rawConn net.Conn
-	client  *C.box_apple_tls_client_t
-	state   tls.ConnectionState
-
-	readAccess  sync.Mutex
-	writeAccess sync.Mutex
-	stateAccess sync.RWMutex
-	closeOnce   sync.Once
-	ioAccess    sync.Mutex
-	ioGroup     sync.WaitGroup
-	closed      chan struct{}
-	readEOF     bool
-}
-
-func (c *appleTLSConn) Read(p []byte) (int, error) {
-	c.readAccess.Lock()
-	defer c.readAccess.Unlock()
-	if c.readEOF {
-		return 0, io.EOF
-	}
-	if len(p) == 0 {
-		return 0, nil
-	}
-
-	client, err := c.acquireClient()
-	if err != nil {
-		return 0, err
-	}
-	defer c.releaseClient()
-
-	var eof C.bool
-	var errorPtr *C.char
-	n := C.box_apple_tls_client_read(client, unsafe.Pointer(&p[0]), C.size_t(len(p)), &eof, &errorPtr)
-	switch {
-	case n >= 0:
-		if bool(eof) {
-			c.readEOF = true
-			if n == 0 {
-				return 0, io.EOF
-			}
-		}
-		return int(n), nil
-	default:
-		if errorPtr != nil {
-			defer C.free(unsafe.Pointer(errorPtr))
-			if c.isClosed() {
-				return 0, net.ErrClosed
-			}
-			return 0, E.New(C.GoString(errorPtr))
-		}
-		return 0, net.ErrClosed
-	}
-}
-
-func (c *appleTLSConn) Write(p []byte) (int, error) {
-	c.writeAccess.Lock()
-	defer c.writeAccess.Unlock()
-	if len(p) == 0 {
-		return 0, nil
-	}
-
-	client, err := c.acquireClient()
-	if err != nil {
-		return 0, err
-	}
-	defer c.releaseClient()
-
-	var errorPtr *C.char
-	n := C.box_apple_tls_client_write(client, unsafe.Pointer(&p[0]), C.size_t(len(p)), &errorPtr)
-	if n >= 0 {
-		return int(n), nil
-	}
-	if errorPtr != nil {
-		defer C.free(unsafe.Pointer(errorPtr))
-		if c.isClosed() {
-			return 0, net.ErrClosed
-		}
-		return 0, E.New(C.GoString(errorPtr))
-	}
-	return 0, net.ErrClosed
-}
-
-func (c *appleTLSConn) Close() error {
-	var closeErr error
-	c.closeOnce.Do(func() {
-		close(c.closed)
-		C.box_apple_tls_client_cancel(c.client)
-		closeErr = c.rawConn.Close()
-		c.ioAccess.Lock()
-		c.ioGroup.Wait()
-		C.box_apple_tls_client_free(c.client)
-		c.client = nil
-		c.ioAccess.Unlock()
-	})
-	return closeErr
-}
-
-func (c *appleTLSConn) LocalAddr() net.Addr {
-	return c.rawConn.LocalAddr()
-}
-
-func (c *appleTLSConn) RemoteAddr() net.Addr {
-	return c.rawConn.RemoteAddr()
-}
-
-func (c *appleTLSConn) SetDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *appleTLSConn) SetReadDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *appleTLSConn) SetWriteDeadline(t time.Time) error {
-	return os.ErrInvalid
-}
-
-func (c *appleTLSConn) NeedAdditionalReadDeadline() bool {
-	return true
-}
-
-func (c *appleTLSConn) isClosed() bool {
-	select {
-	case <-c.closed:
-		return true
-	default:
-		return false
-	}
-}
-
-func (c *appleTLSConn) acquireClient() (*C.box_apple_tls_client_t, error) {
-	c.ioAccess.Lock()
-	defer c.ioAccess.Unlock()
-	if c.isClosed() {
-		return nil, net.ErrClosed
-	}
-	client := c.client
-	if client == nil {
-		return nil, net.ErrClosed
-	}
-	c.ioGroup.Add(1)
-	return client, nil
-}
-
-func (c *appleTLSConn) releaseClient() {
-	c.ioGroup.Done()
-}
-
-func (c *appleTLSConn) NetConn() net.Conn {
-	return c.rawConn
-}
-
-func (c *appleTLSConn) HandshakeContext(ctx context.Context) error {
-	return nil
-}
-
-func (c *appleTLSConn) ConnectionState() ConnectionState {
-	c.stateAccess.RLock()
-	defer c.stateAccess.RUnlock()
-	return c.state
-}
-
-func parseAppleTLSState(state *C.box_apple_tls_state_t) (tls.ConnectionState, [][]byte, error) {
-	rawCerts, peerCertificates, err := parseAppleCertChain(state.peer_cert_chain, state.peer_cert_chain_len)
-	if err != nil {
-		return tls.ConnectionState{}, nil, err
-	}
-	var negotiatedProtocol string
-	if state.alpn != nil {
-		negotiatedProtocol = C.GoString(state.alpn)
-	}
-	var serverName string
-	if state.server_name != nil {
-		serverName = C.GoString(state.server_name)
-	}
-	return tls.ConnectionState{
-		Version:            uint16(state.version),
-		HandshakeComplete:  true,
-		CipherSuite:        uint16(state.cipher_suite),
-		NegotiatedProtocol: negotiatedProtocol,
-		ServerName:         serverName,
-		PeerCertificates:   peerCertificates,
-	}, rawCerts, nil
-}
-
-func parseAppleCertChain(chain *C.uint8_t, chainLen C.size_t) ([][]byte, []*x509.Certificate, error) {
-	if chain == nil || chainLen == 0 {
-		return nil, nil, nil
-	}
-	chainBytes := C.GoBytes(unsafe.Pointer(chain), C.int(chainLen))
-	var (
-		rawCerts         [][]byte
-		peerCertificates []*x509.Certificate
-	)
-	for len(chainBytes) >= 4 {
-		certificateLen := binary.BigEndian.Uint32(chainBytes[:4])
-		chainBytes = chainBytes[4:]
-		if len(chainBytes) < int(certificateLen) {
-			return nil, nil, E.New("apple TLS: invalid certificate chain")
-		}
-		certificateData := append([]byte(nil), chainBytes[:certificateLen]...)
-		certificate, err := x509.ParseCertificate(certificateData)
-		if err != nil {
-			return nil, nil, E.Cause(err, "parse peer certificate")
-		}
-		rawCerts = append(rawCerts, certificateData)
-		peerCertificates = append(peerCertificates, certificate)
-		chainBytes = chainBytes[certificateLen:]
-	}
-	if len(chainBytes) != 0 {
-		return nil, nil, E.New("apple TLS: invalid certificate chain")
-	}
-	return rawCerts, peerCertificates, nil
-}
-
-func timeoutFromDuration(timeout time.Duration) int {
-	if timeout <= 0 {
-		return 0
-	}
-	timeoutMilliseconds := int64(timeout / time.Millisecond)
-	if timeout%time.Millisecond != 0 {
-		timeoutMilliseconds++
-	}
-	if timeoutMilliseconds > math.MaxInt32 {
-		return math.MaxInt32
-	}
-	return int(timeoutMilliseconds)
-}
-
-func cStringOrNil(value string) *C.char {
-	if value == "" {
-		return nil
-	}
-	return C.CString(value)
-}
-
-func cFree(pointer *C.char) {
-	if pointer != nil {
-		C.free(unsafe.Pointer(pointer))
-	}
-}
--- a/common/tls/apple_client_platform.h
+++ b/common/tls/apple_client_platform.h
@@ -1,37 +0,0 @@
-#include <stdbool.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <unistd.h>
-
-typedef struct box_apple_tls_client box_apple_tls_client_t;
-
-typedef struct box_apple_tls_state {
-	uint16_t version;
-	uint16_t cipher_suite;
-	char *alpn;
-	char *server_name;
-	uint8_t *peer_cert_chain;
-	size_t peer_cert_chain_len;
-} box_apple_tls_state_t;
-
-box_apple_tls_client_t *box_apple_tls_client_create(
-	int connected_socket,
-	const char *server_name,
-	const char *alpn,
-	size_t alpn_len,
-	uint16_t min_version,
-	uint16_t max_version,
-	bool insecure,
-	const char *anchor_pem,
-	size_t anchor_pem_len,
-	bool anchor_only,
-	char **error_out
-);
-
-int box_apple_tls_client_wait_ready(box_apple_tls_client_t *client, int timeout_msec, char **error_out);
-void box_apple_tls_client_cancel(box_apple_tls_client_t *client);
-void box_apple_tls_client_free(box_apple_tls_client_t *client);
-ssize_t box_apple_tls_client_read(box_apple_tls_client_t *client, void *buffer, size_t buffer_len, bool *eof_out, char **error_out);
-ssize_t box_apple_tls_client_write(box_apple_tls_client_t *client, const void *buffer, size_t buffer_len, char **error_out);
-bool box_apple_tls_client_copy_state(box_apple_tls_client_t *client, box_apple_tls_state_t *state, char **error_out);
-void box_apple_tls_state_free(box_apple_tls_state_t *state);
--- a/common/tls/apple_client_platform.m
+++ b/common/tls/apple_client_platform.m
@@ -1,631 +0,0 @@
-#import "apple_client_platform.h"
-
-#import <Foundation/Foundation.h>
-#import <Network/Network.h>
-#import <Security/Security.h>
-#import <Security/SecProtocolMetadata.h>
-#import <Security/SecProtocolOptions.h>
-#import <Security/SecProtocolTypes.h>
-#import <arpa/inet.h>
-#import <dlfcn.h>
-#import <dispatch/dispatch.h>
-#import <stdatomic.h>
-#import <stdlib.h>
-#import <string.h>
-#import <unistd.h>
-
-typedef nw_connection_t _Nullable (*box_nw_connection_create_with_connected_socket_and_parameters_f)(int connected_socket, nw_parameters_t parameters);
-typedef const char * _Nullable (*box_sec_protocol_metadata_string_accessor_f)(sec_protocol_metadata_t metadata);
-
-typedef struct box_apple_tls_client {
-	void *connection;
-	void *queue;
-	void *ready_semaphore;
-	atomic_int ref_count;
-	atomic_bool ready;
-	atomic_bool ready_done;
-	char *ready_error;
-	box_apple_tls_state_t state;
-} box_apple_tls_client_t;
-
-static nw_connection_t box_apple_tls_connection(box_apple_tls_client_t *client) {
-	if (client == NULL || client->connection == NULL) {
-		return nil;
-	}
-	return (__bridge nw_connection_t)client->connection;
-}
-
-static dispatch_queue_t box_apple_tls_client_queue(box_apple_tls_client_t *client) {
-	if (client == NULL || client->queue == NULL) {
-		return nil;
-	}
-	return (__bridge dispatch_queue_t)client->queue;
-}
-
-static dispatch_semaphore_t box_apple_tls_ready_semaphore(box_apple_tls_client_t *client) {
-	if (client == NULL || client->ready_semaphore == NULL) {
-		return nil;
-	}
-	return (__bridge dispatch_semaphore_t)client->ready_semaphore;
-}
-
-static void box_apple_tls_state_reset(box_apple_tls_state_t *state) {
-	if (state == NULL) {
-		return;
-	}
-	free(state->alpn);
-	free(state->server_name);
-	free(state->peer_cert_chain);
-	memset(state, 0, sizeof(box_apple_tls_state_t));
-}
-
-static void box_apple_tls_client_destroy(box_apple_tls_client_t *client) {
-	free(client->ready_error);
-	box_apple_tls_state_reset(&client->state);
-	if (client->ready_semaphore != NULL) {
-		CFBridgingRelease(client->ready_semaphore);
-	}
-	if (client->connection != NULL) {
-		CFBridgingRelease(client->connection);
-	}
-	if (client->queue != NULL) {
-		CFBridgingRelease(client->queue);
-	}
-	free(client);
-}
-
-static void box_apple_tls_client_release(box_apple_tls_client_t *client) {
-	if (client == NULL) {
-		return;
-	}
-	if (atomic_fetch_sub(&client->ref_count, 1) == 1) {
-		box_apple_tls_client_destroy(client);
-	}
-}
-
-static void box_set_error_string(char **error_out, NSString *message) {
-	if (error_out == NULL || *error_out != NULL) {
-		return;
-	}
-	const char *utf8 = [message UTF8String];
-	*error_out = strdup(utf8 != NULL ? utf8 : "unknown error");
-}
-
-static void box_set_error_message(char **error_out, const char *message) {
-	if (error_out == NULL || *error_out != NULL) {
-		return;
-	}
-	*error_out = strdup(message != NULL ? message : "unknown error");
-}
-
-static void box_set_error_from_nw_error(char **error_out, nw_error_t error) {
-	if (error == NULL) {
-		box_set_error_message(error_out, "unknown network error");
-		return;
-	}
-	CFErrorRef cfError = nw_error_copy_cf_error(error);
-	if (cfError == NULL) {
-		box_set_error_message(error_out, "unknown network error");
-		return;
-	}
-	NSString *description = [(__bridge NSError *)cfError description];
-	box_set_error_string(error_out, description);
-	CFRelease(cfError);
-}
-
-static char *box_apple_tls_metadata_copy_negotiated_protocol(sec_protocol_metadata_t metadata) {
-	static box_sec_protocol_metadata_string_accessor_f copy_fn;
-	static box_sec_protocol_metadata_string_accessor_f get_fn;
-	static dispatch_once_t onceToken;
-	dispatch_once(&onceToken, ^{
-		copy_fn = (box_sec_protocol_metadata_string_accessor_f)dlsym(RTLD_DEFAULT, "sec_protocol_metadata_copy_negotiated_protocol");
-		get_fn = (box_sec_protocol_metadata_string_accessor_f)dlsym(RTLD_DEFAULT, "sec_protocol_metadata_get_negotiated_protocol");
-	});
-	if (copy_fn != NULL) {
-		return (char *)copy_fn(metadata);
-	}
-	if (get_fn != NULL) {
-		const char *protocol = get_fn(metadata);
-		if (protocol != NULL) {
-			return strdup(protocol);
-		}
-	}
-	return NULL;
-}
-
-static char *box_apple_tls_metadata_copy_server_name(sec_protocol_metadata_t metadata) {
-	static box_sec_protocol_metadata_string_accessor_f copy_fn;
-	static box_sec_protocol_metadata_string_accessor_f get_fn;
-	static dispatch_once_t onceToken;
-	dispatch_once(&onceToken, ^{
-		copy_fn = (box_sec_protocol_metadata_string_accessor_f)dlsym(RTLD_DEFAULT, "sec_protocol_metadata_copy_server_name");
-		get_fn = (box_sec_protocol_metadata_string_accessor_f)dlsym(RTLD_DEFAULT, "sec_protocol_metadata_get_server_name");
-	});
-	if (copy_fn != NULL) {
-		return (char *)copy_fn(metadata);
-	}
-	if (get_fn != NULL) {
-		const char *server_name = get_fn(metadata);
-		if (server_name != NULL) {
-			return strdup(server_name);
-		}
-	}
-	return NULL;
-}
-
-static NSArray<NSString *> *box_split_lines(const char *content, size_t content_len) {
-	if (content == NULL || content_len == 0) {
-		return @[];
-	}
-	NSString *string = [[NSString alloc] initWithBytes:content length:content_len encoding:NSUTF8StringEncoding];
-	if (string == nil) {
-		return @[];
-	}
-	NSMutableArray<NSString *> *lines = [NSMutableArray array];
-	[string enumerateLinesUsingBlock:^(NSString *line, BOOL *stop) {
-		if (line.length > 0) {
-			[lines addObject:line];
-		}
-	}];
-	return lines;
-}
-
-static NSArray *box_parse_certificates_from_pem(const char *pem, size_t pem_len) {
-	if (pem == NULL || pem_len == 0) {
-		return @[];
-	}
-	NSString *content = [[NSString alloc] initWithBytes:pem length:pem_len encoding:NSUTF8StringEncoding];
-	if (content == nil) {
-		return @[];
-	}
-	NSString *beginMarker = @"-----BEGIN CERTIFICATE-----";
-	NSString *endMarker = @"-----END CERTIFICATE-----";
-	NSMutableArray *certificates = [NSMutableArray array];
-	NSUInteger searchFrom = 0;
-	while (searchFrom < content.length) {
-		NSRange beginRange = [content rangeOfString:beginMarker options:0 range:NSMakeRange(searchFrom, content.length - searchFrom)];
-		if (beginRange.location == NSNotFound) {
-			break;
-		}
-		NSUInteger bodyStart = beginRange.location + beginRange.length;
-		NSRange endRange = [content rangeOfString:endMarker options:0 range:NSMakeRange(bodyStart, content.length - bodyStart)];
-		if (endRange.location == NSNotFound) {
-			break;
-		}
-		NSString *base64Section = [content substringWithRange:NSMakeRange(bodyStart, endRange.location - bodyStart)];
-		NSArray<NSString *> *components = [base64Section componentsSeparatedByCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
-		NSString *base64Content = [components componentsJoinedByString:@""];
-		NSData *der = [[NSData alloc] initWithBase64EncodedString:base64Content options:0];
-		if (der != nil) {
-			SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
-			if (certificate != NULL) {
-				[certificates addObject:(__bridge id)certificate];
-				CFRelease(certificate);
-			}
-		}
-		searchFrom = endRange.location + endRange.length;
-	}
-	return certificates;
-}
-
-static bool box_evaluate_trust(sec_trust_t trust, NSArray *anchors, bool anchor_only) {
-	bool result = false;
-	SecTrustRef trustRef = sec_trust_copy_ref(trust);
-	if (trustRef == NULL) {
-		return false;
-	}
-	if (anchors.count > 0 || anchor_only) {
-		CFMutableArrayRef anchorArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
-		for (id certificate in anchors) {
-			CFArrayAppendValue(anchorArray, (__bridge const void *)certificate);
-		}
-		SecTrustSetAnchorCertificates(trustRef, anchorArray);
-		SecTrustSetAnchorCertificatesOnly(trustRef, anchor_only);
-		CFRelease(anchorArray);
-	}
-	CFErrorRef error = NULL;
-	result = SecTrustEvaluateWithError(trustRef, &error);
-	if (error != NULL) {
-		CFRelease(error);
-	}
-	CFRelease(trustRef);
-	return result;
-}
-
-static nw_connection_t box_apple_tls_create_connection(int connected_socket, nw_parameters_t parameters) {
-	static box_nw_connection_create_with_connected_socket_and_parameters_f create_fn;
-	static dispatch_once_t onceToken;
-	dispatch_once(&onceToken, ^{
-		char name[] = "sretemarap_dna_tekcos_detcennoc_htiw_etaerc_noitcennoc_wn";
-		for (size_t i = 0, j = sizeof(name) - 2; i < j; i++, j--) {
-			char t = name[i];
-			name[i] = name[j];
-			name[j] = t;
-		}
-		create_fn = (box_nw_connection_create_with_connected_socket_and_parameters_f)dlsym(RTLD_DEFAULT, name);
-	});
-	if (create_fn == NULL) {
-		return nil;
-	}
-	return create_fn(connected_socket, parameters);
-}
-
-static bool box_apple_tls_state_copy(const box_apple_tls_state_t *source, box_apple_tls_state_t *destination) {
-	memset(destination, 0, sizeof(box_apple_tls_state_t));
-	destination->version = source->version;
-	destination->cipher_suite = source->cipher_suite;
-	if (source->alpn != NULL) {
-		destination->alpn = strdup(source->alpn);
-		if (destination->alpn == NULL) {
-			goto oom;
-		}
-	}
-	if (source->server_name != NULL) {
-		destination->server_name = strdup(source->server_name);
-		if (destination->server_name == NULL) {
-			goto oom;
-		}
-	}
-	if (source->peer_cert_chain_len > 0) {
-		destination->peer_cert_chain = malloc(source->peer_cert_chain_len);
-		if (destination->peer_cert_chain == NULL) {
-			goto oom;
-		}
-		memcpy(destination->peer_cert_chain, source->peer_cert_chain, source->peer_cert_chain_len);
-		destination->peer_cert_chain_len = source->peer_cert_chain_len;
-	}
-	return true;
-
-oom:
-	box_apple_tls_state_reset(destination);
-	return false;
-}
-
-static bool box_apple_tls_state_load(nw_connection_t connection, box_apple_tls_state_t *state, char **error_out) {
-	box_apple_tls_state_reset(state);
-	if (connection == nil) {
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return false;
-	}
-
-	nw_protocol_definition_t tls_definition = nw_protocol_copy_tls_definition();
-	nw_protocol_metadata_t metadata = nw_connection_copy_protocol_metadata(connection, tls_definition);
-	if (metadata == NULL || !nw_protocol_metadata_is_tls(metadata)) {
-		box_set_error_message(error_out, "apple TLS: metadata unavailable");
-		return false;
-	}
-
-	sec_protocol_metadata_t sec_metadata = nw_tls_copy_sec_protocol_metadata(metadata);
-	if (sec_metadata == NULL) {
-		box_set_error_message(error_out, "apple TLS: metadata unavailable");
-		return false;
-	}
-
-	state->version = (uint16_t)sec_protocol_metadata_get_negotiated_tls_protocol_version(sec_metadata);
-	state->cipher_suite = (uint16_t)sec_protocol_metadata_get_negotiated_tls_ciphersuite(sec_metadata);
-	state->alpn = box_apple_tls_metadata_copy_negotiated_protocol(sec_metadata);
-	state->server_name = box_apple_tls_metadata_copy_server_name(sec_metadata);
-
-	NSMutableData *chain_data = [NSMutableData data];
-	sec_protocol_metadata_access_peer_certificate_chain(sec_metadata, ^(sec_certificate_t certificate) {
-		SecCertificateRef certificate_ref = sec_certificate_copy_ref(certificate);
-		if (certificate_ref == NULL) {
-			return;
-		}
-		CFDataRef certificate_data = SecCertificateCopyData(certificate_ref);
-		CFRelease(certificate_ref);
-		if (certificate_data == NULL) {
-			return;
-		}
-		uint32_t certificate_len = (uint32_t)CFDataGetLength(certificate_data);
-		uint32_t network_len = htonl(certificate_len);
-		[chain_data appendBytes:&network_len length:sizeof(network_len)];
-		[chain_data appendBytes:CFDataGetBytePtr(certificate_data) length:certificate_len];
-		CFRelease(certificate_data);
-	});
-	if (chain_data.length > 0) {
-		state->peer_cert_chain = malloc(chain_data.length);
-		if (state->peer_cert_chain == NULL) {
-			box_set_error_message(error_out, "apple TLS: out of memory");
-			box_apple_tls_state_reset(state);
-			return false;
-		}
-		memcpy(state->peer_cert_chain, chain_data.bytes, chain_data.length);
-		state->peer_cert_chain_len = chain_data.length;
-	}
-	return true;
-}
-
-box_apple_tls_client_t *box_apple_tls_client_create(
-	int connected_socket,
-	const char *server_name,
-	const char *alpn,
-	size_t alpn_len,
-	uint16_t min_version,
-	uint16_t max_version,
-	bool insecure,
-	const char *anchor_pem,
-	size_t anchor_pem_len,
-	bool anchor_only,
-	char **error_out
-) {
-	box_apple_tls_client_t *client = calloc(1, sizeof(box_apple_tls_client_t));
-	if (client == NULL) {
-		close(connected_socket);
-		box_set_error_message(error_out, "apple TLS: out of memory");
-		return NULL;
-	}
-	client->queue = (__bridge_retained void *)dispatch_queue_create("sing-box.apple-private-tls", DISPATCH_QUEUE_SERIAL);
-	client->ready_semaphore = (__bridge_retained void *)dispatch_semaphore_create(0);
-	atomic_init(&client->ref_count, 1);
-	atomic_init(&client->ready, false);
-	atomic_init(&client->ready_done, false);
-
-	NSArray<NSString *> *alpnList = box_split_lines(alpn, alpn_len);
-	NSArray *anchors = box_parse_certificates_from_pem(anchor_pem, anchor_pem_len);
-	nw_parameters_t parameters = nw_parameters_create_secure_tcp(^(nw_protocol_options_t tls_options) {
-		sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
-		if (min_version != 0) {
-			sec_protocol_options_set_min_tls_protocol_version(sec_options, (tls_protocol_version_t)min_version);
-		}
-		if (max_version != 0) {
-			sec_protocol_options_set_max_tls_protocol_version(sec_options, (tls_protocol_version_t)max_version);
-		}
-		if (server_name != NULL && server_name[0] != '\0') {
-			sec_protocol_options_set_tls_server_name(sec_options, server_name);
-		}
-		for (NSString *protocol in alpnList) {
-			sec_protocol_options_add_tls_application_protocol(sec_options, protocol.UTF8String);
-		}
-		sec_protocol_options_set_peer_authentication_required(sec_options, !insecure);
-		if (insecure) {
-			sec_protocol_options_set_verify_block(sec_options, ^(sec_protocol_metadata_t metadata, sec_trust_t trust, sec_protocol_verify_complete_t complete) {
-				complete(true);
-			}, box_apple_tls_client_queue(client));
-		} else if (anchors.count > 0 || anchor_only) {
-			sec_protocol_options_set_verify_block(sec_options, ^(sec_protocol_metadata_t metadata, sec_trust_t trust, sec_protocol_verify_complete_t complete) {
-				complete(box_evaluate_trust(trust, anchors, anchor_only));
-			}, box_apple_tls_client_queue(client));
-		}
-	}, NW_PARAMETERS_DEFAULT_CONFIGURATION);
-
-	nw_connection_t connection = box_apple_tls_create_connection(connected_socket, parameters);
-	if (connection == NULL) {
-		close(connected_socket);
-		if (client->ready_semaphore != NULL) {
-			CFBridgingRelease(client->ready_semaphore);
-		}
-		if (client->queue != NULL) {
-			CFBridgingRelease(client->queue);
-		}
-		free(client);
-		box_set_error_message(error_out, "apple TLS: failed to create connection");
-		return NULL;
-	}
-
-	client->connection = (__bridge_retained void *)connection;
-	atomic_fetch_add(&client->ref_count, 1);
-
-	nw_connection_set_state_changed_handler(connection, ^(nw_connection_state_t state, nw_error_t error) {
-		switch (state) {
-		case nw_connection_state_ready:
-			if (!atomic_load(&client->ready_done)) {
-				atomic_store(&client->ready, box_apple_tls_state_load(connection, &client->state, &client->ready_error));
-				atomic_store(&client->ready_done, true);
-				dispatch_semaphore_signal(box_apple_tls_ready_semaphore(client));
-			}
-			break;
-		case nw_connection_state_failed:
-			if (!atomic_load(&client->ready_done)) {
-				box_set_error_from_nw_error(&client->ready_error, error);
-				atomic_store(&client->ready_done, true);
-				dispatch_semaphore_signal(box_apple_tls_ready_semaphore(client));
-			}
-			break;
-		case nw_connection_state_cancelled:
-			if (!atomic_load(&client->ready_done)) {
-				box_set_error_from_nw_error(&client->ready_error, error);
-				atomic_store(&client->ready_done, true);
-				dispatch_semaphore_signal(box_apple_tls_ready_semaphore(client));
-			}
-			box_apple_tls_client_release(client);
-			break;
-		default:
-			break;
-		}
-	});
-	nw_connection_set_queue(connection, box_apple_tls_client_queue(client));
-	nw_connection_start(connection);
-	return client;
-}
-
-int box_apple_tls_client_wait_ready(box_apple_tls_client_t *client, int timeout_msec, char **error_out) {
-	dispatch_semaphore_t ready_semaphore = box_apple_tls_ready_semaphore(client);
-	if (ready_semaphore == nil) {
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return 0;
-	}
-	if (!atomic_load(&client->ready_done)) {
-		dispatch_time_t timeout = DISPATCH_TIME_FOREVER;
-		if (timeout_msec >= 0) {
-			timeout = dispatch_time(DISPATCH_TIME_NOW, (int64_t)timeout_msec * NSEC_PER_MSEC);
-		}
-		long wait_result = dispatch_semaphore_wait(ready_semaphore, timeout);
-		if (wait_result != 0) {
-			return -2;
-		}
-	}
-	if (atomic_load(&client->ready)) {
-		return 1;
-	}
-	if (client->ready_error != NULL) {
-		if (error_out != NULL) {
-			*error_out = client->ready_error;
-			client->ready_error = NULL;
-		} else {
-			free(client->ready_error);
-			client->ready_error = NULL;
-		}
-	} else {
-		box_set_error_message(error_out, "apple TLS: handshake failed");
-	}
-	return 0;
-}
-
-void box_apple_tls_client_cancel(box_apple_tls_client_t *client) {
-	if (client == NULL) {
-		return;
-	}
-	nw_connection_t connection = box_apple_tls_connection(client);
-	if (connection != nil) {
-		nw_connection_cancel(connection);
-	}
-}
-
-void box_apple_tls_client_free(box_apple_tls_client_t *client) {
-	if (client == NULL) {
-		return;
-	}
-	nw_connection_t connection = box_apple_tls_connection(client);
-	if (connection != nil) {
-		nw_connection_cancel(connection);
-	}
-	box_apple_tls_client_release(client);
-}
-
-ssize_t box_apple_tls_client_read(box_apple_tls_client_t *client, void *buffer, size_t buffer_len, bool *eof_out, char **error_out) {
-	nw_connection_t connection = box_apple_tls_connection(client);
-	if (connection == nil) {
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return -1;
-	}
-
-	dispatch_semaphore_t read_semaphore = dispatch_semaphore_create(0);
-	__block NSData *content_data = nil;
-	__block bool read_eof = false;
-	__block char *local_error = NULL;
-
-	nw_connection_receive(connection, 1, (uint32_t)buffer_len, ^(dispatch_data_t content, nw_content_context_t context, bool is_complete, nw_error_t error) {
-		if (content != NULL) {
-			const void *mapped = NULL;
-			size_t mapped_len = 0;
-			dispatch_data_t mapped_data = dispatch_data_create_map(content, &mapped, &mapped_len);
-			if (mapped != NULL && mapped_len > 0) {
-				content_data = [NSData dataWithBytes:mapped length:mapped_len];
-			}
-			(void)mapped_data;
-		}
-		if (error != NULL && content_data.length == 0) {
-			box_set_error_from_nw_error(&local_error, error);
-		}
-		if (is_complete && (context == NULL || nw_content_context_get_is_final(context))) {
-			read_eof = true;
-		}
-		dispatch_semaphore_signal(read_semaphore);
-	});
-
-	dispatch_semaphore_wait(read_semaphore, DISPATCH_TIME_FOREVER);
-	if (local_error != NULL) {
-		if (error_out != NULL) {
-			*error_out = local_error;
-		} else {
-			free(local_error);
-		}
-		return -1;
-	}
-	if (eof_out != NULL) {
-		*eof_out = read_eof;
-	}
-	if (content_data == nil || content_data.length == 0) {
-		return 0;
-	}
-	memcpy(buffer, content_data.bytes, content_data.length);
-	return (ssize_t)content_data.length;
-}
-
-ssize_t box_apple_tls_client_write(box_apple_tls_client_t *client, const void *buffer, size_t buffer_len, char **error_out) {
-	nw_connection_t connection = box_apple_tls_connection(client);
-	if (connection == nil) {
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return -1;
-	}
-	if (buffer_len == 0) {
-		return 0;
-	}
-
-	void *content_copy = malloc(buffer_len);
-	dispatch_queue_t queue = box_apple_tls_client_queue(client);
-	if (content_copy == NULL) {
-		free(content_copy);
-		box_set_error_message(error_out, "apple TLS: out of memory");
-		return -1;
-	}
-	if (queue == nil) {
-		free(content_copy);
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return -1;
-	}
-	memcpy(content_copy, buffer, buffer_len);
-	dispatch_data_t content = dispatch_data_create(content_copy, buffer_len, queue, ^{
-		free(content_copy);
-	});
-
-	dispatch_semaphore_t write_semaphore = dispatch_semaphore_create(0);
-	__block char *local_error = NULL;
-
-	nw_connection_send(connection, content, NW_CONNECTION_DEFAULT_STREAM_CONTEXT, false, ^(nw_error_t error) {
-		if (error != NULL) {
-			box_set_error_from_nw_error(&local_error, error);
-		}
-		dispatch_semaphore_signal(write_semaphore);
-	});
-
-	dispatch_semaphore_wait(write_semaphore, DISPATCH_TIME_FOREVER);
-	if (local_error != NULL) {
-		if (error_out != NULL) {
-			*error_out = local_error;
-		} else {
-			free(local_error);
-		}
-		return -1;
-	}
-	return (ssize_t)buffer_len;
-}
-
-bool box_apple_tls_client_copy_state(box_apple_tls_client_t *client, box_apple_tls_state_t *state, char **error_out) {
-	dispatch_queue_t queue = box_apple_tls_client_queue(client);
-	if (queue == nil || state == NULL) {
-		box_set_error_message(error_out, "apple TLS: invalid client");
-		return false;
-	}
-	memset(state, 0, sizeof(box_apple_tls_state_t));
-	__block bool copied = false;
-	__block char *local_error = NULL;
-	dispatch_sync(queue, ^{
-		if (!atomic_load(&client->ready)) {
-			box_set_error_message(&local_error, "apple TLS: metadata unavailable");
-			return;
-		}
-		if (!box_apple_tls_state_copy(&client->state, state)) {
-			box_set_error_message(&local_error, "apple TLS: out of memory");
-			return;
-		}
-		copied = true;
-	});
-	if (copied) {
-		return true;
-	}
-	if (local_error != NULL) {
-		if (error_out != NULL) {
-			*error_out = local_error;
-		} else {
-			free(local_error);
-		}
-	}
-	box_apple_tls_state_reset(state);
-	return false;
-}
-
-void box_apple_tls_state_free(box_apple_tls_state_t *state) {
-	box_apple_tls_state_reset(state);
-}
--- a/common/tls/apple_client_platform_test.go
+++ b/common/tls/apple_client_platform_test.go
@@ -1,301 +0,0 @@
-//go:build darwin && cgo
-
-package tls
-
-import (
-	"context"
-	stdtls "crypto/tls"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/json/badoption"
-	"github.com/sagernet/sing/common/logger"
-)
-
-const appleTLSTestTimeout = 5 * time.Second
-
-const (
-	appleTLSSuccessHandshakeLoops = 20
-	appleTLSFailureRecoveryLoops  = 10
-)
-
-type appleTLSServerResult struct {
-	state stdtls.ConnectionState
-	err   error
-}
-
-func TestAppleClientHandshakeAppliesALPNAndVersion(t *testing.T) {
-	serverCertificate, serverCertificatePEM := newAppleTestCertificate(t, "localhost")
-	for index := 0; index < appleTLSSuccessHandshakeLoops; index++ {
-		serverResult, serverAddress := startAppleTLSTestServer(t, &stdtls.Config{
-			Certificates: []stdtls.Certificate{serverCertificate},
-			MinVersion:   stdtls.VersionTLS12,
-			MaxVersion:   stdtls.VersionTLS12,
-			NextProtos:   []string{"h2"},
-		})
-
-		clientConn, err := newAppleTestClientConn(t, serverAddress, option.OutboundTLSOptions{
-			Enabled:     true,
-			Engine:      "apple",
-			ServerName:  "localhost",
-			MinVersion:  "1.2",
-			MaxVersion:  "1.2",
-			ALPN:        badoption.Listable[string]{"h2"},
-			Certificate: badoption.Listable[string]{serverCertificatePEM},
-		})
-		if err != nil {
-			t.Fatalf("iteration %d: %v", index, err)
-		}
-
-		clientState := clientConn.ConnectionState()
-		if clientState.Version != stdtls.VersionTLS12 {
-			_ = clientConn.Close()
-			t.Fatalf("iteration %d: unexpected negotiated version: %x", index, clientState.Version)
-		}
-		if clientState.NegotiatedProtocol != "h2" {
-			_ = clientConn.Close()
-			t.Fatalf("iteration %d: unexpected negotiated protocol: %q", index, clientState.NegotiatedProtocol)
-		}
-		_ = clientConn.Close()
-
-		result := <-serverResult
-		if result.err != nil {
-			t.Fatalf("iteration %d: %v", index, result.err)
-		}
-		if result.state.Version != stdtls.VersionTLS12 {
-			t.Fatalf("iteration %d: server negotiated unexpected version: %x", index, result.state.Version)
-		}
-		if result.state.NegotiatedProtocol != "h2" {
-			t.Fatalf("iteration %d: server negotiated unexpected protocol: %q", index, result.state.NegotiatedProtocol)
-		}
-	}
-}
-
-func TestAppleClientHandshakeRejectsVersionMismatch(t *testing.T) {
-	serverCertificate, serverCertificatePEM := newAppleTestCertificate(t, "localhost")
-	serverResult, serverAddress := startAppleTLSTestServer(t, &stdtls.Config{
-		Certificates: []stdtls.Certificate{serverCertificate},
-		MinVersion:   stdtls.VersionTLS13,
-		MaxVersion:   stdtls.VersionTLS13,
-	})
-
-	clientConn, err := newAppleTestClientConn(t, serverAddress, option.OutboundTLSOptions{
-		Enabled:     true,
-		Engine:      "apple",
-		ServerName:  "localhost",
-		MaxVersion:  "1.2",
-		Certificate: badoption.Listable[string]{serverCertificatePEM},
-	})
-	if err == nil {
-		clientConn.Close()
-		t.Fatal("expected version mismatch handshake to fail")
-	}
-
-	if result := <-serverResult; result.err == nil {
-		t.Fatal("expected server handshake to fail on version mismatch")
-	}
-}
-
-func TestAppleClientHandshakeRejectsServerNameMismatch(t *testing.T) {
-	serverCertificate, serverCertificatePEM := newAppleTestCertificate(t, "localhost")
-	serverResult, serverAddress := startAppleTLSTestServer(t, &stdtls.Config{
-		Certificates: []stdtls.Certificate{serverCertificate},
-	})
-
-	clientConn, err := newAppleTestClientConn(t, serverAddress, option.OutboundTLSOptions{
-		Enabled:     true,
-		Engine:      "apple",
-		ServerName:  "example.com",
-		Certificate: badoption.Listable[string]{serverCertificatePEM},
-	})
-	if err == nil {
-		clientConn.Close()
-		t.Fatal("expected server name mismatch handshake to fail")
-	}
-
-	if result := <-serverResult; result.err == nil {
-		t.Fatal("expected server handshake to fail on server name mismatch")
-	}
-}
-
-func TestAppleClientHandshakeRecoversAfterFailure(t *testing.T) {
-	serverCertificate, serverCertificatePEM := newAppleTestCertificate(t, "localhost")
-	testCases := []struct {
-		name          string
-		serverConfig  *stdtls.Config
-		clientOptions option.OutboundTLSOptions
-	}{
-		{
-			name: "version mismatch",
-			serverConfig: &stdtls.Config{
-				Certificates: []stdtls.Certificate{serverCertificate},
-				MinVersion:   stdtls.VersionTLS13,
-				MaxVersion:   stdtls.VersionTLS13,
-			},
-			clientOptions: option.OutboundTLSOptions{
-				Enabled:     true,
-				Engine:      "apple",
-				ServerName:  "localhost",
-				MaxVersion:  "1.2",
-				Certificate: badoption.Listable[string]{serverCertificatePEM},
-			},
-		},
-		{
-			name: "server name mismatch",
-			serverConfig: &stdtls.Config{
-				Certificates: []stdtls.Certificate{serverCertificate},
-			},
-			clientOptions: option.OutboundTLSOptions{
-				Enabled:     true,
-				Engine:      "apple",
-				ServerName:  "example.com",
-				Certificate: badoption.Listable[string]{serverCertificatePEM},
-			},
-		},
-	}
-	successClientOptions := option.OutboundTLSOptions{
-		Enabled:     true,
-		Engine:      "apple",
-		ServerName:  "localhost",
-		MinVersion:  "1.2",
-		MaxVersion:  "1.2",
-		ALPN:        badoption.Listable[string]{"h2"},
-		Certificate: badoption.Listable[string]{serverCertificatePEM},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			for index := 0; index < appleTLSFailureRecoveryLoops; index++ {
-				failedResult, failedAddress := startAppleTLSTestServer(t, testCase.serverConfig)
-				failedConn, err := newAppleTestClientConn(t, failedAddress, testCase.clientOptions)
-				if err == nil {
-					_ = failedConn.Close()
-					t.Fatalf("iteration %d: expected handshake failure", index)
-				}
-				if result := <-failedResult; result.err == nil {
-					t.Fatalf("iteration %d: expected server handshake failure", index)
-				}
-
-				successResult, successAddress := startAppleTLSTestServer(t, &stdtls.Config{
-					Certificates: []stdtls.Certificate{serverCertificate},
-					MinVersion:   stdtls.VersionTLS12,
-					MaxVersion:   stdtls.VersionTLS12,
-					NextProtos:   []string{"h2"},
-				})
-				successConn, err := newAppleTestClientConn(t, successAddress, successClientOptions)
-				if err != nil {
-					t.Fatalf("iteration %d: follow-up handshake failed: %v", index, err)
-				}
-				clientState := successConn.ConnectionState()
-				if clientState.NegotiatedProtocol != "h2" {
-					_ = successConn.Close()
-					t.Fatalf("iteration %d: unexpected negotiated protocol after failure: %q", index, clientState.NegotiatedProtocol)
-				}
-				_ = successConn.Close()
-
-				result := <-successResult
-				if result.err != nil {
-					t.Fatalf("iteration %d: follow-up server handshake failed: %v", index, result.err)
-				}
-				if result.state.NegotiatedProtocol != "h2" {
-					t.Fatalf("iteration %d: follow-up server negotiated unexpected protocol: %q", index, result.state.NegotiatedProtocol)
-				}
-			}
-		})
-	}
-}
-
-func newAppleTestCertificate(t *testing.T, serverName string) (stdtls.Certificate, string) {
-	t.Helper()
-
-	privateKeyPEM, certificatePEM, err := GenerateCertificate(nil, nil, time.Now, serverName, time.Now().Add(time.Hour))
-	if err != nil {
-		t.Fatal(err)
-	}
-	certificate, err := stdtls.X509KeyPair(certificatePEM, privateKeyPEM)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return certificate, string(certificatePEM)
-}
-
-func startAppleTLSTestServer(t *testing.T, tlsConfig *stdtls.Config) (<-chan appleTLSServerResult, string) {
-	t.Helper()
-
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		listener.Close()
-	})
-
-	if tcpListener, isTCP := listener.(*net.TCPListener); isTCP {
-		err = tcpListener.SetDeadline(time.Now().Add(appleTLSTestTimeout))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	result := make(chan appleTLSServerResult, 1)
-	go func() {
-		defer close(result)
-
-		conn, err := listener.Accept()
-		if err != nil {
-			result <- appleTLSServerResult{err: err}
-			return
-		}
-		defer conn.Close()
-
-		err = conn.SetDeadline(time.Now().Add(appleTLSTestTimeout))
-		if err != nil {
-			result <- appleTLSServerResult{err: err}
-			return
-		}
-
-		tlsConn := stdtls.Server(conn, tlsConfig)
-		defer tlsConn.Close()
-
-		err = tlsConn.Handshake()
-		if err != nil {
-			result <- appleTLSServerResult{err: err}
-			return
-		}
-
-		result <- appleTLSServerResult{state: tlsConn.ConnectionState()}
-	}()
-
-	return result, listener.Addr().String()
-}
-
-func newAppleTestClientConn(t *testing.T, serverAddress string, options option.OutboundTLSOptions) (Conn, error) {
-	t.Helper()
-
-	ctx, cancel := context.WithTimeout(context.Background(), appleTLSTestTimeout)
-	t.Cleanup(cancel)
-
-	clientConfig, err := NewClientWithOptions(ClientOptions{
-		Context:       ctx,
-		Logger:        logger.NOP(),
-		ServerAddress: "",
-		Options:       options,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	conn, err := net.DialTimeout("tcp", serverAddress, appleTLSTestTimeout)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConn, err := ClientHandshake(ctx, conn, clientConfig)
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-	return tlsConn, nil
-}
--- a/common/tls/apple_client_stub.go
+++ b/common/tls/apple_client_stub.go
@@ -1,15 +0,0 @@
-//go:build !darwin || !cgo
-
-package tls
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
-)
-
-func newAppleClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
-	return nil, E.New("Apple TLS engine is not available on non-Apple platforms")
-}
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -10,15 +10,12 @@ import (
 	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
 )

-var errMissingServerName = E.New("missing server_name or insecure=true")
-
 func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
@@ -45,12 +42,11 @@ func NewClient(ctx context.Context, logger logger.ContextLogger, serverAddress s
 }

 type ClientOptions struct {
-	Context              context.Context
-	Logger               logger.ContextLogger
-	ServerAddress        string
-	Options              option.OutboundTLSOptions
-	AllowEmptyServerName bool
-	KTLSCompatible       bool
+	Context        context.Context
+	Logger         logger.ContextLogger
+	ServerAddress  string
+	Options        option.OutboundTLSOptions
+	KTLSCompatible bool
 }

 func NewClientWithOptions(options ClientOptions) (Config, error) {
@@ -65,22 +61,17 @@ func NewClientWithOptions(options ClientOptions) (Config, error) {
 	if options.Options.KernelRx {
 		options.Logger.Warn("enabling kTLS RX will definitely reduce performance, please checkout https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx")
 	}
-	switch options.Options.Engine {
-	case C.TLSEngineDefault, "go":
-	case C.TLSEngineApple:
-		return newAppleClient(options.Context, options.Logger, options.ServerAddress, options.Options, options.AllowEmptyServerName)
-	default:
-		return nil, E.New("unknown tls engine: ", options.Options.Engine)
-	}
 	if options.Options.Reality != nil && options.Options.Reality.Enabled {
-		return newRealityClient(options.Context, options.Logger, options.ServerAddress, options.Options, options.AllowEmptyServerName)
+		return NewRealityClient(options.Context, options.Logger, options.ServerAddress, options.Options)
 	} else if options.Options.UTLS != nil && options.Options.UTLS.Enabled {
-		return newUTLSClient(options.Context, options.Logger, options.ServerAddress, options.Options, options.AllowEmptyServerName)
+		return NewUTLSClient(options.Context, options.Logger, options.ServerAddress, options.Options)
 	}
-	return newSTDClient(options.Context, options.Logger, options.ServerAddress, options.Options, options.AllowEmptyServerName)
+	return NewSTDClient(options.Context, options.Logger, options.ServerAddress, options.Options)
 }

 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
+	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
+	defer cancel()
 	tlsConn, err := aTLS.ClientHandshake(ctx, conn, config)
 	if err != nil {
 		return nil, err
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -52,15 +52,11 @@ type RealityClientConfig struct {
 }

 func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return newRealityClient(ctx, logger, serverAddress, options, false)
-}
-
-func newRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}

-	uClient, err := newUTLSClient(ctx, logger, serverAddress, options, allowEmptyServerName)
+	uClient, err := NewUTLSClient(ctx, logger, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
@@ -112,14 +108,6 @@ func (e *RealityClientConfig) SetNextProtos(nextProto []string) {
 	e.uClient.SetNextProtos(nextProto)
 }

-func (e *RealityClientConfig) HandshakeTimeout() time.Duration {
-	return e.uClient.HandshakeTimeout()
-}
-
-func (e *RealityClientConfig) SetHandshakeTimeout(timeout time.Duration) {
-	e.uClient.SetHandshakeTimeout(timeout)
-}
-
 func (e *RealityClientConfig) STDConfig() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for reality")
 }
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -26,8 +26,7 @@ import (
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)

 type RealityServerConfig struct {
-	config           *utls.RealityConfig
-	handshakeTimeout time.Duration
+	config *utls.RealityConfig
 }

 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
@@ -131,16 +130,7 @@ func NewRealityServer(ctx context.Context, logger log.ContextLogger, options opt
 	if options.ECH != nil && options.ECH.Enabled {
 		return nil, E.New("Reality is conflict with ECH")
 	}
-	var handshakeTimeout time.Duration
-	if options.HandshakeTimeout > 0 {
-		handshakeTimeout = options.HandshakeTimeout.Build()
-	} else {
-		handshakeTimeout = C.TCPTimeout
-	}
-	var config ServerConfig = &RealityServerConfig{
-		config:           &tlsConfig,
-		handshakeTimeout: handshakeTimeout,
-	}
+	var config ServerConfig = &RealityServerConfig{&tlsConfig}
 	if options.KernelTx || options.KernelRx {
 		if !C.IsLinux {
 			return nil, E.New("kTLS is only supported on Linux")
@@ -171,14 +161,6 @@ func (c *RealityServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *RealityServerConfig) HandshakeTimeout() time.Duration {
-	return c.handshakeTimeout
-}
-
-func (c *RealityServerConfig) SetHandshakeTimeout(timeout time.Duration) {
-	c.handshakeTimeout = timeout
-}
-
 func (c *RealityServerConfig) STDConfig() (*tls.Config, error) {
 	return nil, E.New("unsupported usage for reality")
 }
@@ -209,8 +191,7 @@ func (c *RealityServerConfig) ServerHandshake(ctx context.Context, conn net.Conn

 func (c *RealityServerConfig) Clone() Config {
 	return &RealityServerConfig{
-		config:           c.config.Clone(),
-		handshakeTimeout: c.handshakeTimeout,
+		config: c.config.Clone(),
 	}
 }

--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -46,11 +46,8 @@ func NewServerWithOptions(options ServerOptions) (ServerConfig, error) {
 }

 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
-	if config.HandshakeTimeout() == 0 {
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, C.TCPTimeout)
-		defer cancel()
-	}
+	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
+	defer cancel()
 	tlsConn, err := aTLS.ServerHandshake(ctx, conn, config)
 	if err != nil {
 		return nil, err
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -24,30 +24,16 @@ import (
 type STDClientConfig struct {
 	ctx                   context.Context
 	config                *tls.Config
-	serverName            string
-	disableSNI            bool
-	verifyServerName      bool
-	handshakeTimeout      time.Duration
 	fragment              bool
 	fragmentFallbackDelay time.Duration
 	recordFragment        bool
 }

 func (c *STDClientConfig) ServerName() string {
-	return c.serverName
+	return c.config.ServerName
 }

 func (c *STDClientConfig) SetServerName(serverName string) {
-	c.serverName = serverName
-	if c.disableSNI {
-		c.config.ServerName = ""
-		if c.verifyServerName {
-			c.config.VerifyConnection = verifyConnection(c.config.RootCAs, c.config.Time, serverName)
-		} else {
-			c.config.VerifyConnection = nil
-		}
-		return
-	}
 	c.config.ServerName = serverName
 }

@@ -59,14 +45,6 @@ func (c *STDClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *STDClientConfig) HandshakeTimeout() time.Duration {
-	return c.handshakeTimeout
-}
-
-func (c *STDClientConfig) SetHandshakeTimeout(timeout time.Duration) {
-	c.handshakeTimeout = timeout
-}
-
 func (c *STDClientConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -79,19 +57,13 @@ func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
 }

 func (c *STDClientConfig) Clone() Config {
-	cloned := &STDClientConfig{
+	return &STDClientConfig{
 		ctx:                   c.ctx,
 		config:                c.config.Clone(),
-		serverName:            c.serverName,
-		disableSNI:            c.disableSNI,
-		verifyServerName:      c.verifyServerName,
-		handshakeTimeout:      c.handshakeTimeout,
 		fragment:              c.fragment,
 		fragmentFallbackDelay: c.fragmentFallbackDelay,
 		recordFragment:        c.recordFragment,
 	}
-	cloned.SetServerName(cloned.serverName)
-	return cloned
 }

 func (c *STDClientConfig) ECHConfigList() []byte {
@@ -103,27 +75,41 @@ func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte
 }

 func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return newSTDClient(ctx, logger, serverAddress, options, false)
-}
-
-func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
 		serverName = serverAddress
 	}
-	if serverName == "" && !options.Insecure && !allowEmptyServerName {
-		return nil, errMissingServerName
+	if serverName == "" && !options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
 	}

 	var tlsConfig tls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
+	if !options.DisableSNI {
+		tlsConfig.ServerName = serverName
+	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
 		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
+			verifyOptions := x509.VerifyOptions{
+				Roots:         tlsConfig.RootCAs,
+				DNSName:       serverName,
+				Intermediates: x509.NewCertPool(),
+			}
+			for _, cert := range state.PeerCertificates[1:] {
+				verifyOptions.Intermediates.AddCert(cert)
+			}
+			if tlsConfig.Time != nil {
+				verifyOptions.CurrentTime = tlsConfig.Time()
+			}
+			_, err := state.PeerCertificates[0].Verify(verifyOptions)
+			return err
+		}
 	}
 	if len(options.CertificatePublicKeySHA256) > 0 {
 		if len(options.Certificate) > 0 || options.CertificatePath != "" {
@@ -131,7 +117,7 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-			return VerifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts)
+			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
 		}
 	}
 	if len(options.ALPN) > 0 {
@@ -212,24 +198,7 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
 		return nil, E.New("client certificate and client key must be provided together")
 	}
-	var handshakeTimeout time.Duration
-	if options.HandshakeTimeout > 0 {
-		handshakeTimeout = options.HandshakeTimeout.Build()
-	} else {
-		handshakeTimeout = C.TCPTimeout
-	}
-	var config Config = &STDClientConfig{
-		ctx:                   ctx,
-		config:                &tlsConfig,
-		serverName:            serverName,
-		disableSNI:            options.DisableSNI,
-		verifyServerName:      options.DisableSNI && !options.Insecure,
-		handshakeTimeout:      handshakeTimeout,
-		fragment:              options.Fragment,
-		fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay),
-		recordFragment:        options.RecordFragment,
-	}
-	config.SetServerName(serverName)
+	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		var err error
 		config, err = parseECHClientConfig(ctx, config.(ECHCapableConfig), options)
@@ -251,28 +220,7 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 	return config, nil
 }

-func verifyConnection(rootCAs *x509.CertPool, timeFunc func() time.Time, serverName string) func(state tls.ConnectionState) error {
-	return func(state tls.ConnectionState) error {
-		if serverName == "" {
-			return errMissingServerName
-		}
-		verifyOptions := x509.VerifyOptions{
-			Roots:         rootCAs,
-			DNSName:       serverName,
-			Intermediates: x509.NewCertPool(),
-		}
-		for _, cert := range state.PeerCertificates[1:] {
-			verifyOptions.Intermediates.AddCert(cert)
-		}
-		if timeFunc != nil {
-			verifyOptions.CurrentTime = timeFunc()
-		}
-		_, err := state.PeerCertificates[0].Verify(verifyOptions)
-		return err
-	}
-}
-
-func VerifyPublicKeySHA256(knownHashValues [][]byte, rawCerts [][]byte) error {
+func verifyPublicKeySHA256(knownHashValues [][]byte, rawCerts [][]byte, timeFunc func() time.Time) error {
 	leafCertificate, err := x509.ParseCertificate(rawCerts[0])
 	if err != nil {
 		return E.Cause(err, "failed to parse leaf certificate")
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -92,7 +92,6 @@ func getACMENextProtos(provider adapter.CertificateProvider) []string {
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
-	handshakeTimeout      time.Duration
 	logger                log.Logger
 	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
@@ -140,18 +139,6 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }

-func (c *STDServerConfig) HandshakeTimeout() time.Duration {
-	c.access.RLock()
-	defer c.access.RUnlock()
-	return c.handshakeTimeout
-}
-
-func (c *STDServerConfig) SetHandshakeTimeout(timeout time.Duration) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	c.handshakeTimeout = timeout
-}
-
 func (c *STDServerConfig) hasACMEALPN() bool {
 	if c.acmeService != nil {
 		return true
@@ -178,8 +165,7 @@ func (c *STDServerConfig) Server(conn net.Conn) (Conn, error) {

 func (c *STDServerConfig) Clone() Config {
 	return &STDServerConfig{
-		config:           c.config.Clone(),
-		handshakeTimeout: c.handshakeTimeout,
+		config: c.config.Clone(),
 	}
 }

@@ -472,7 +458,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 				tlsConfig.ClientAuth = tls.RequestClientCert
 			}
 			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-				return VerifyPublicKeySHA256(options.ClientCertificatePublicKeySHA256, rawCerts)
+				return verifyPublicKeySHA256(options.ClientCertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
 			}
 		} else {
 			return nil, E.New("missing client_certificate, client_certificate_path or client_certificate_public_key_sha256 for client authentication")
@@ -485,15 +471,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			return nil, err
 		}
 	}
-	var handshakeTimeout time.Duration
-	if options.HandshakeTimeout > 0 {
-		handshakeTimeout = options.HandshakeTimeout.Build()
-	} else {
-		handshakeTimeout = C.TCPTimeout
-	}
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
-		handshakeTimeout:      handshakeTimeout,
 		logger:                logger,
 		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -28,10 +28,6 @@ import (
 type UTLSClientConfig struct {
 	ctx                   context.Context
 	config                *utls.Config
-	serverName            string
-	disableSNI            bool
-	verifyServerName      bool
-	handshakeTimeout      time.Duration
 	id                    utls.ClientHelloID
 	fragment              bool
 	fragmentFallbackDelay time.Duration
@@ -39,20 +35,10 @@ type UTLSClientConfig struct {
 }

 func (c *UTLSClientConfig) ServerName() string {
-	return c.serverName
+	return c.config.ServerName
 }

 func (c *UTLSClientConfig) SetServerName(serverName string) {
-	c.serverName = serverName
-	if c.disableSNI {
-		c.config.ServerName = ""
-		if c.verifyServerName {
-			c.config.InsecureServerNameToVerify = serverName
-		} else {
-			c.config.InsecureServerNameToVerify = ""
-		}
-		return
-	}
 	c.config.ServerName = serverName
 }

@@ -67,14 +53,6 @@ func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-func (c *UTLSClientConfig) HandshakeTimeout() time.Duration {
-	return c.handshakeTimeout
-}
-
-func (c *UTLSClientConfig) SetHandshakeTimeout(timeout time.Duration) {
-	c.handshakeTimeout = timeout
-}
-
 func (c *UTLSClientConfig) STDConfig() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
@@ -91,20 +69,9 @@ func (c *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []by
 }

 func (c *UTLSClientConfig) Clone() Config {
-	cloned := &UTLSClientConfig{
-		ctx:                   c.ctx,
-		config:                c.config.Clone(),
-		serverName:            c.serverName,
-		disableSNI:            c.disableSNI,
-		verifyServerName:      c.verifyServerName,
-		handshakeTimeout:      c.handshakeTimeout,
-		id:                    c.id,
-		fragment:              c.fragment,
-		fragmentFallbackDelay: c.fragmentFallbackDelay,
-		recordFragment:        c.recordFragment,
+	return &UTLSClientConfig{
+		c.ctx, c.config.Clone(), c.id, c.fragment, c.fragmentFallbackDelay, c.recordFragment,
 	}
-	cloned.SetServerName(cloned.serverName)
-	return cloned
 }

 func (c *UTLSClientConfig) ECHConfigList() []byte {
@@ -176,29 +143,29 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 }

 func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return newUTLSClient(ctx, logger, serverAddress, options, false)
-}
-
-func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
 		serverName = serverAddress
 	}
-	if serverName == "" && !options.Insecure && !allowEmptyServerName {
-		return nil, errMissingServerName
+	if serverName == "" && !options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
 	}

 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
+	if !options.DisableSNI {
+		tlsConfig.ServerName = serverName
+	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
 		if options.Reality != nil && options.Reality.Enabled {
 			return nil, E.New("disable_sni is unsupported in reality")
 		}
+		tlsConfig.InsecureServerNameToVerify = serverName
 	}
 	if len(options.CertificatePublicKeySHA256) > 0 {
 		if len(options.Certificate) > 0 || options.CertificatePath != "" {
@@ -206,7 +173,7 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-			return VerifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts)
+			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
 		}
 	}
 	if len(options.ALPN) > 0 {
@@ -284,29 +251,11 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
 		return nil, E.New("client certificate and client key must be provided together")
 	}
-	var handshakeTimeout time.Duration
-	if options.HandshakeTimeout > 0 {
-		handshakeTimeout = options.HandshakeTimeout.Build()
-	} else {
-		handshakeTimeout = C.TCPTimeout
-	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err
 	}
-	var config Config = &UTLSClientConfig{
-		ctx:                   ctx,
-		config:                &tlsConfig,
-		serverName:            serverName,
-		disableSNI:            options.DisableSNI,
-		verifyServerName:      options.DisableSNI && !options.Insecure,
-		handshakeTimeout:      handshakeTimeout,
-		id:                    id,
-		fragment:              options.Fragment,
-		fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay),
-		recordFragment:        options.RecordFragment,
-	}
-	config.SetServerName(serverName)
+	var config Config = &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		if options.Reality != nil && options.Reality.Enabled {
 			return nil, E.New("Reality is conflict with ECH")
--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@@ -12,18 +12,10 @@ import (
 )

 func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return newUTLSClient(ctx, logger, serverAddress, options, false)
-}
-
-func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }

 func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return newRealityClient(ctx, logger, serverAddress, options, false)
-}
-
-func newRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions, allowEmptyServerName bool) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
 }

--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -25,7 +25,6 @@ const (
 	TypeTUIC               = "tuic"
 	TypeHysteria2          = "hysteria2"
 	TypeTailscale          = "tailscale"
-	TypeCloudflared        = "cloudflared"
 	TypeDERP               = "derp"
 	TypeResolved           = "resolved"
 	TypeSSMAPI             = "ssm-api"
@@ -91,8 +90,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "AnyTLS"
 	case TypeTailscale:
 		return "Tailscale"
-	case TypeCloudflared:
-		return "Cloudflared"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -23,15 +23,13 @@ const (
 	RuleSetVersion2
 	RuleSetVersion3
 	RuleSetVersion4
-	RuleSetVersion5
-	RuleSetVersionCurrent = RuleSetVersion5
+	RuleSetVersionCurrent = RuleSetVersion4
 )

 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
 	RuleActionTypeEvaluate     = "evaluate"
-	RuleActionTypeRespond      = "respond"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
--- a/constant/tls.go
+++ b/constant/tls.go
@@ -1,8 +1,3 @@
 package constant

 const ACMETLS1Protocol = "acme-tls/1"
-
-const (
-	TLSEngineDefault = ""
-	TLSEngineApple   = "apple"
-)
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -87,17 +87,12 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKillerEnabled {
+	if s.oomKiller && C.IsIos {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
-			oomOptions := &option.OOMKillerServiceOptions{
-				KillerDisabled:      s.oomKillerDisabled,
-				MemoryLimitOverride: s.oomMemoryLimit,
-			}
 			options.Services = append(options.Services, option.Service{
-				Type:    C.TypeOOMKiller,
-				Options: oomOptions,
+				Type: C.TypeOOMKiller,
 			})
 		}
 	}
--- a/daemon/platform.go
+++ b/daemon/platform.go
@@ -5,6 +5,5 @@ type PlatformHandler interface {
 	ServiceReload() error
 	SystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
-	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -6,20 +6,14 @@ import (
 	"runtime"
 	"sync"
 	"time"
-	"unsafe"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/networkquality"
-	"github.com/sagernet/sing-box/common/stun"
 	"github.com/sagernet/sing-box/common/urltest"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/protocol/group"
-	"github.com/sagernet/sing-box/service/oomkiller"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -30,8 +24,6 @@ import (

 	"github.com/gofrs/uuid/v5"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 )

@@ -40,12 +32,10 @@ var _ StartedServiceServer = (*StartedService)(nil)
 type StartedService struct {
 	ctx context.Context
 	// platform adapter.PlatformInterface
-	handler           PlatformHandler
-	debug             bool
-	logMaxLines       int
-	oomKillerEnabled  bool
-	oomKillerDisabled bool
-	oomMemoryLimit    uint64
+	handler     PlatformHandler
+	debug       bool
+	logMaxLines int
+	oomKiller   bool
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -74,12 +64,10 @@ type StartedService struct {
 type ServiceOptions struct {
 	Context context.Context
 	// Platform           adapter.PlatformInterface
-	Handler           PlatformHandler
-	Debug             bool
-	LogMaxLines       int
-	OOMKillerEnabled  bool
-	OOMKillerDisabled bool
-	OOMMemoryLimit    uint64
+	Handler     PlatformHandler
+	Debug       bool
+	LogMaxLines int
+	OOMKiller   bool
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -91,12 +79,10 @@ func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
 		// platform:                options.Platform,
-		handler:           options.Handler,
-		debug:             options.Debug,
-		logMaxLines:       options.LogMaxLines,
-		oomKillerEnabled:  options.OOMKillerEnabled,
-		oomKillerDisabled: options.OOMKillerDisabled,
-		oomMemoryLimit:    options.OOMMemoryLimit,
+		handler:     options.Handler,
+		debug:       options.Debug,
+		logMaxLines: options.LogMaxLines,
+		oomKiller:   options.OOMKiller,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -696,42 +682,7 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	if err != nil {
 		return nil, err
 	}
-	return &emptypb.Empty{}, nil
-}
-
-func (s *StartedService) TriggerDebugCrash(ctx context.Context, request *DebugCrashRequest) (*emptypb.Empty, error) {
-	if !s.debug {
-		return nil, status.Error(codes.PermissionDenied, "debug crash trigger unavailable")
-	}
-	if request == nil {
-		return nil, status.Error(codes.InvalidArgument, "missing debug crash request")
-	}
-	switch request.Type {
-	case DebugCrashRequest_GO:
-		time.AfterFunc(200*time.Millisecond, func() {
-			*(*int)(unsafe.Pointer(uintptr(0))) = 0
-		})
-	case DebugCrashRequest_NATIVE:
-		err := s.handler.TriggerNativeCrash()
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, status.Error(codes.InvalidArgument, "unknown debug crash type")
-	}
-	return &emptypb.Empty{}, nil
-}
-
-func (s *StartedService) TriggerOOMReport(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error) {
-	instance := s.Instance()
-	if instance == nil {
-		return nil, status.Error(codes.FailedPrecondition, "service not started")
-	}
-	reporter := service.FromContext[oomkiller.OOMReporter](instance.ctx)
-	if reporter == nil {
-		return nil, status.Error(codes.Unavailable, "OOM reporter not available")
-	}
-	return &emptypb.Empty{}, reporter.WriteReport(memory.Total())
+	return nil, err
 }

 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
@@ -1068,12 +1019,9 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	return &DeprecatedWarnings{
 		Warnings: common.Map(notes, func(it deprecated.Note) *DeprecatedWarning {
 			return &DeprecatedWarning{
-				Message:           it.Message(),
-				Impending:         it.Impending(),
-				MigrationLink:     it.MigrationLink,
-				Description:       it.Description,
-				DeprecatedVersion: it.DeprecatedVersion,
-				ScheduledVersion:  it.ScheduledVersion,
+				Message:       it.Message(),
+				Impending:     it.Impending(),
+				MigrationLink: it.MigrationLink,
 			}
 		}),
 	}, nil
@@ -1085,386 +1033,6 @@ func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty)
 	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
 }

-func (s *StartedService) SubscribeOutbounds(_ *emptypb.Empty, server grpc.ServerStreamingServer[OutboundList]) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
-	subscription, done, err := s.urlTestObserver.Subscribe()
-	if err != nil {
-		return err
-	}
-	defer s.urlTestObserver.UnSubscribe(subscription)
-	for {
-		s.serviceAccess.RLock()
-		if s.serviceStatus.Status != ServiceStatus_STARTED {
-			s.serviceAccess.RUnlock()
-			return os.ErrInvalid
-		}
-		boxService := s.instance
-		s.serviceAccess.RUnlock()
-		historyStorage := boxService.urlTestHistoryStorage
-		var list OutboundList
-		for _, ob := range boxService.instance.Outbound().Outbounds() {
-			item := &GroupItem{
-				Tag:  ob.Tag(),
-				Type: ob.Type(),
-			}
-			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
-				item.UrlTestTime = history.Time.Unix()
-				item.UrlTestDelay = int32(history.Delay)
-			}
-			list.Outbounds = append(list.Outbounds, item)
-		}
-		for _, ep := range boxService.instance.Endpoint().Endpoints() {
-			item := &GroupItem{
-				Tag:  ep.Tag(),
-				Type: ep.Type(),
-			}
-			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ep)); history != nil {
-				item.UrlTestTime = history.Time.Unix()
-				item.UrlTestDelay = int32(history.Delay)
-			}
-			list.Outbounds = append(list.Outbounds, item)
-		}
-		err = server.Send(&list)
-		if err != nil {
-			return err
-		}
-		select {
-		case <-subscription:
-		case <-s.ctx.Done():
-			return s.ctx.Err()
-		case <-server.Context().Done():
-			return server.Context().Err()
-		case <-done:
-			return nil
-		}
-	}
-}
-
-func resolveOutbound(instance *Instance, tag string) (adapter.Outbound, error) {
-	if tag == "" {
-		return instance.instance.Outbound().Default(), nil
-	}
-	outbound, loaded := instance.instance.Outbound().Outbound(tag)
-	if !loaded {
-		return nil, E.New("outbound not found: ", tag)
-	}
-	return outbound, nil
-}
-
-func (s *StartedService) StartNetworkQualityTest(
-	request *NetworkQualityTestRequest,
-	server grpc.ServerStreamingServer[NetworkQualityTestProgress],
-) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
-	s.serviceAccess.RLock()
-	boxService := s.instance
-	s.serviceAccess.RUnlock()
-
-	outbound, err := resolveOutbound(boxService, request.OutboundTag)
-	if err != nil {
-		return err
-	}
-
-	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
-	httpClient := networkquality.NewHTTPClient(resolvedDialer)
-	defer httpClient.CloseIdleConnections()
-
-	measurementClientFactory, err := networkquality.NewOptionalHTTP3Factory(resolvedDialer, request.Http3)
-	if err != nil {
-		return err
-	}
-
-	result, nqErr := networkquality.Run(networkquality.Options{
-		ConfigURL:            request.ConfigURL,
-		HTTPClient:           httpClient,
-		NewMeasurementClient: measurementClientFactory,
-		Serial:               request.Serial,
-		MaxRuntime:           time.Duration(request.MaxRuntimeSeconds) * time.Second,
-		Context:              server.Context(),
-		OnProgress: func(p networkquality.Progress) {
-			_ = server.Send(&NetworkQualityTestProgress{
-				Phase:                    int32(p.Phase),
-				DownloadCapacity:         p.DownloadCapacity,
-				UploadCapacity:           p.UploadCapacity,
-				DownloadRPM:              p.DownloadRPM,
-				UploadRPM:                p.UploadRPM,
-				IdleLatencyMs:            p.IdleLatencyMs,
-				ElapsedMs:                p.ElapsedMs,
-				DownloadCapacityAccuracy: int32(p.DownloadCapacityAccuracy),
-				UploadCapacityAccuracy:   int32(p.UploadCapacityAccuracy),
-				DownloadRPMAccuracy:      int32(p.DownloadRPMAccuracy),
-				UploadRPMAccuracy:        int32(p.UploadRPMAccuracy),
-			})
-		},
-	})
-	if nqErr != nil {
-		return server.Send(&NetworkQualityTestProgress{
-			IsFinal: true,
-			Error:   nqErr.Error(),
-		})
-	}
-	return server.Send(&NetworkQualityTestProgress{
-		Phase:                    int32(networkquality.PhaseDone),
-		DownloadCapacity:         result.DownloadCapacity,
-		UploadCapacity:           result.UploadCapacity,
-		DownloadRPM:              result.DownloadRPM,
-		UploadRPM:                result.UploadRPM,
-		IdleLatencyMs:            result.IdleLatencyMs,
-		IsFinal:                  true,
-		DownloadCapacityAccuracy: int32(result.DownloadCapacityAccuracy),
-		UploadCapacityAccuracy:   int32(result.UploadCapacityAccuracy),
-		DownloadRPMAccuracy:      int32(result.DownloadRPMAccuracy),
-		UploadRPMAccuracy:        int32(result.UploadRPMAccuracy),
-	})
-}
-
-func (s *StartedService) StartSTUNTest(
-	request *STUNTestRequest,
-	server grpc.ServerStreamingServer[STUNTestProgress],
-) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
-	s.serviceAccess.RLock()
-	boxService := s.instance
-	s.serviceAccess.RUnlock()
-
-	outbound, err := resolveOutbound(boxService, request.OutboundTag)
-	if err != nil {
-		return err
-	}
-
-	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
-
-	result, stunErr := stun.Run(stun.Options{
-		Server:  request.Server,
-		Dialer:  resolvedDialer,
-		Context: server.Context(),
-		OnProgress: func(p stun.Progress) {
-			_ = server.Send(&STUNTestProgress{
-				Phase:        int32(p.Phase),
-				ExternalAddr: p.ExternalAddr,
-				LatencyMs:    p.LatencyMs,
-				NatMapping:   int32(p.NATMapping),
-				NatFiltering: int32(p.NATFiltering),
-			})
-		},
-	})
-	if stunErr != nil {
-		return server.Send(&STUNTestProgress{
-			IsFinal: true,
-			Error:   stunErr.Error(),
-		})
-	}
-	return server.Send(&STUNTestProgress{
-		Phase:            int32(stun.PhaseDone),
-		ExternalAddr:     result.ExternalAddr,
-		LatencyMs:        result.LatencyMs,
-		NatMapping:       int32(result.NATMapping),
-		NatFiltering:     int32(result.NATFiltering),
-		IsFinal:          true,
-		NatTypeSupported: result.NATTypeSupported,
-	})
-}
-
-func (s *StartedService) SubscribeTailscaleStatus(
-	_ *emptypb.Empty,
-	server grpc.ServerStreamingServer[TailscaleStatusUpdate],
-) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
-	s.serviceAccess.RLock()
-	boxService := s.instance
-	s.serviceAccess.RUnlock()
-
-	endpointManager := service.FromContext[adapter.EndpointManager](boxService.ctx)
-	if endpointManager == nil {
-		return status.Error(codes.FailedPrecondition, "endpoint manager not available")
-	}
-
-	type tailscaleEndpoint struct {
-		tag      string
-		provider adapter.TailscaleEndpoint
-	}
-	var endpoints []tailscaleEndpoint
-	for _, endpoint := range endpointManager.Endpoints() {
-		if endpoint.Type() != C.TypeTailscale {
-			continue
-		}
-		provider, loaded := endpoint.(adapter.TailscaleEndpoint)
-		if !loaded {
-			continue
-		}
-		endpoints = append(endpoints, tailscaleEndpoint{
-			tag:      endpoint.Tag(),
-			provider: provider,
-		})
-	}
-	if len(endpoints) == 0 {
-		return status.Error(codes.NotFound, "no Tailscale endpoint found")
-	}
-
-	type taggedStatus struct {
-		tag    string
-		status *adapter.TailscaleEndpointStatus
-	}
-	updates := make(chan taggedStatus, len(endpoints))
-	ctx, cancel := context.WithCancel(server.Context())
-	defer cancel()
-
-	var waitGroup sync.WaitGroup
-	for _, endpoint := range endpoints {
-		waitGroup.Add(1)
-		go func(tag string, provider adapter.TailscaleEndpoint) {
-			defer waitGroup.Done()
-			_ = provider.SubscribeTailscaleStatus(ctx, func(endpointStatus *adapter.TailscaleEndpointStatus) {
-				select {
-				case updates <- taggedStatus{tag: tag, status: endpointStatus}:
-				case <-ctx.Done():
-				}
-			})
-		}(endpoint.tag, endpoint.provider)
-	}
-
-	go func() {
-		waitGroup.Wait()
-		close(updates)
-	}()
-
-	var tags []string
-	statuses := make(map[string]*adapter.TailscaleEndpointStatus, len(endpoints))
-	for update := range updates {
-		if _, exists := statuses[update.tag]; !exists {
-			tags = append(tags, update.tag)
-		}
-		statuses[update.tag] = update.status
-		protoEndpoints := make([]*TailscaleEndpointStatus, 0, len(statuses))
-		for _, tag := range tags {
-			protoEndpoints = append(protoEndpoints, tailscaleEndpointStatusToProto(tag, statuses[tag]))
-		}
-		sendErr := server.Send(&TailscaleStatusUpdate{
-			Endpoints: protoEndpoints,
-		})
-		if sendErr != nil {
-			return sendErr
-		}
-	}
-	return nil
-}
-
-func tailscaleEndpointStatusToProto(tag string, s *adapter.TailscaleEndpointStatus) *TailscaleEndpointStatus {
-	userGroups := make([]*TailscaleUserGroup, len(s.UserGroups))
-	for i, group := range s.UserGroups {
-		peers := make([]*TailscalePeer, len(group.Peers))
-		for j, peer := range group.Peers {
-			peers[j] = tailscalePeerToProto(peer)
-		}
-		userGroups[i] = &TailscaleUserGroup{
-			UserID:        group.UserID,
-			LoginName:     group.LoginName,
-			DisplayName:   group.DisplayName,
-			ProfilePicURL: group.ProfilePicURL,
-			Peers:         peers,
-		}
-	}
-	result := &TailscaleEndpointStatus{
-		EndpointTag:    tag,
-		BackendState:   s.BackendState,
-		AuthURL:        s.AuthURL,
-		NetworkName:    s.NetworkName,
-		MagicDNSSuffix: s.MagicDNSSuffix,
-		UserGroups:     userGroups,
-	}
-	if s.Self != nil {
-		result.Self = tailscalePeerToProto(s.Self)
-	}
-	return result
-}
-
-func tailscalePeerToProto(peer *adapter.TailscalePeer) *TailscalePeer {
-	return &TailscalePeer{
-		HostName:       peer.HostName,
-		DnsName:        peer.DNSName,
-		Os:             peer.OS,
-		TailscaleIPs:   peer.TailscaleIPs,
-		Online:         peer.Online,
-		ExitNode:       peer.ExitNode,
-		ExitNodeOption: peer.ExitNodeOption,
-		Active:         peer.Active,
-		RxBytes:        peer.RxBytes,
-		TxBytes:        peer.TxBytes,
-		KeyExpiry:      peer.KeyExpiry,
-	}
-}
-
-func (s *StartedService) StartTailscalePing(
-	request *TailscalePingRequest,
-	server grpc.ServerStreamingServer[TailscalePingResponse],
-) error {
-	err := s.waitForStarted(server.Context())
-	if err != nil {
-		return err
-	}
-	s.serviceAccess.RLock()
-	boxService := s.instance
-	s.serviceAccess.RUnlock()
-
-	endpointManager := service.FromContext[adapter.EndpointManager](boxService.ctx)
-	if endpointManager == nil {
-		return status.Error(codes.FailedPrecondition, "endpoint manager not available")
-	}
-
-	var provider adapter.TailscaleEndpoint
-	if request.EndpointTag != "" {
-		endpoint, loaded := endpointManager.Get(request.EndpointTag)
-		if !loaded {
-			return status.Error(codes.NotFound, "endpoint not found: "+request.EndpointTag)
-		}
-		if endpoint.Type() != C.TypeTailscale {
-			return status.Error(codes.InvalidArgument, "endpoint is not Tailscale: "+request.EndpointTag)
-		}
-		pingProvider, loaded := endpoint.(adapter.TailscaleEndpoint)
-		if !loaded {
-			return status.Error(codes.FailedPrecondition, "endpoint does not support ping")
-		}
-		provider = pingProvider
-	} else {
-		for _, endpoint := range endpointManager.Endpoints() {
-			if endpoint.Type() != C.TypeTailscale {
-				continue
-			}
-			pingProvider, loaded := endpoint.(adapter.TailscaleEndpoint)
-			if loaded {
-				provider = pingProvider
-				break
-			}
-		}
-		if provider == nil {
-			return status.Error(codes.NotFound, "no Tailscale endpoint found")
-		}
-	}
-
-	return provider.StartTailscalePing(server.Context(), request.PeerIP, func(result *adapter.TailscalePingResult) {
-		_ = server.Send(&TailscalePingResponse{
-			LatencyMs:      result.LatencyMs,
-			IsDirect:       result.IsDirect,
-			Endpoint:       result.Endpoint,
-			DerpRegionID:   result.DERPRegionID,
-			DerpRegionCode: result.DERPRegionCode,
-			Error:          result.Error,
-		})
-	})
-}
-
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 }

--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -26,20 +26,12 @@ service StartedService {

  rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
  rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
-  rpc TriggerDebugCrash(DebugCrashRequest) returns(google.protobuf.Empty) {}
-  rpc TriggerOOMReport(google.protobuf.Empty) returns(google.protobuf.Empty) {}

  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
  rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
-
-  rpc SubscribeOutbounds(google.protobuf.Empty) returns (stream OutboundList) {}
-  rpc StartNetworkQualityTest(NetworkQualityTestRequest) returns (stream NetworkQualityTestProgress) {}
-  rpc StartSTUNTest(STUNTestRequest) returns (stream STUNTestProgress) {}
-  rpc SubscribeTailscaleStatus(google.protobuf.Empty) returns (stream TailscaleStatusUpdate) {}
-  rpc StartTailscalePing(TailscalePingRequest) returns (stream TailscalePingResponse) {}
 }

 message ServiceStatus {
@@ -149,15 +141,6 @@ message SetSystemProxyEnabledRequest {
  bool enabled = 1;
 }

-message DebugCrashRequest {
-  enum Type {
-    GO = 0;
-    NATIVE = 1;
-  }
-
-  Type type = 1;
-}
-
 message SubscribeConnectionsRequest {
  int64 interval = 1;
 }
@@ -227,105 +210,8 @@ message DeprecatedWarning {
  string message = 1;
  bool impending = 2;
  string migrationLink = 3;
-  string description = 4;
-  string deprecatedVersion = 5;
-  string scheduledVersion = 6;
 }

 message StartedAt {
  int64 startedAt = 1;
-}
-
-message OutboundList {
-  repeated GroupItem outbounds = 1;
-}
-
-message NetworkQualityTestRequest {
-  string configURL = 1;
-  string outboundTag = 2;
-  bool serial = 3;
-  int32 maxRuntimeSeconds = 4;
-  bool http3 = 5;
-}
-
-message NetworkQualityTestProgress {
-  int32 phase = 1;
-  int64 downloadCapacity = 2;
-  int64 uploadCapacity = 3;
-  int32 downloadRPM = 4;
-  int32 uploadRPM = 5;
-  int32 idleLatencyMs = 6;
-  int64 elapsedMs = 7;
-  bool isFinal = 8;
-  string error = 9;
-  int32 downloadCapacityAccuracy = 10;
-  int32 uploadCapacityAccuracy = 11;
-  int32 downloadRPMAccuracy = 12;
-  int32 uploadRPMAccuracy = 13;
-}
-
-message STUNTestRequest {
-  string server = 1;
-  string outboundTag = 2;
-}
-
-message STUNTestProgress {
-  int32 phase = 1;
-  string externalAddr = 2;
-  int32 latencyMs = 3;
-  int32 natMapping = 4;
-  int32 natFiltering = 5;
-  bool isFinal = 6;
-  string error = 7;
-  bool natTypeSupported = 8;
-}
-
-message TailscaleStatusUpdate {
-  repeated TailscaleEndpointStatus endpoints = 1;
-}
-
-message TailscaleEndpointStatus {
-  string endpointTag = 1;
-  string backendState = 2;
-  string authURL = 3;
-  string networkName = 4;
-  string magicDNSSuffix = 5;
-  TailscalePeer self = 6;
-  repeated TailscaleUserGroup userGroups = 7;
-}
-
-message TailscaleUserGroup {
-  int64 userID = 1;
-  string loginName = 2;
-  string displayName = 3;
-  string profilePicURL = 4;
-  repeated TailscalePeer peers = 5;
-}
-
-message TailscalePeer {
-  string hostName = 1;
-  string dnsName = 2;
-  string os = 3;
-  repeated string tailscaleIPs = 4;
-  bool online = 5;
-  bool exitNode = 6;
-  bool exitNodeOption = 7;
-  bool active = 8;
-  int64 rxBytes = 9;
-  int64 txBytes = 10;
-  int64 keyExpiry = 11;
-}
-
-message TailscalePingRequest {
-  string endpointTag = 1;
-  string peerIP = 2;
-}
-
-message TailscalePingResponse {
-  double latencyMs = 1;
-  bool isDirect = 2;
-  string endpoint = 3;
-  int32 derpRegionID = 4;
-  string derpRegionCode = 5;
-  string error = 6;
-}
+}
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -15,34 +15,27 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	StartedService_StopService_FullMethodName              = "/daemon.StartedService/StopService"
-	StartedService_ReloadService_FullMethodName            = "/daemon.StartedService/ReloadService"
-	StartedService_SubscribeServiceStatus_FullMethodName   = "/daemon.StartedService/SubscribeServiceStatus"
-	StartedService_SubscribeLog_FullMethodName             = "/daemon.StartedService/SubscribeLog"
-	StartedService_GetDefaultLogLevel_FullMethodName       = "/daemon.StartedService/GetDefaultLogLevel"
-	StartedService_ClearLogs_FullMethodName                = "/daemon.StartedService/ClearLogs"
-	StartedService_SubscribeStatus_FullMethodName          = "/daemon.StartedService/SubscribeStatus"
-	StartedService_SubscribeGroups_FullMethodName          = "/daemon.StartedService/SubscribeGroups"
-	StartedService_GetClashModeStatus_FullMethodName       = "/daemon.StartedService/GetClashModeStatus"
-	StartedService_SubscribeClashMode_FullMethodName       = "/daemon.StartedService/SubscribeClashMode"
-	StartedService_SetClashMode_FullMethodName             = "/daemon.StartedService/SetClashMode"
-	StartedService_URLTest_FullMethodName                  = "/daemon.StartedService/URLTest"
-	StartedService_SelectOutbound_FullMethodName           = "/daemon.StartedService/SelectOutbound"
-	StartedService_SetGroupExpand_FullMethodName           = "/daemon.StartedService/SetGroupExpand"
-	StartedService_GetSystemProxyStatus_FullMethodName     = "/daemon.StartedService/GetSystemProxyStatus"
-	StartedService_SetSystemProxyEnabled_FullMethodName    = "/daemon.StartedService/SetSystemProxyEnabled"
-	StartedService_TriggerDebugCrash_FullMethodName        = "/daemon.StartedService/TriggerDebugCrash"
-	StartedService_TriggerOOMReport_FullMethodName         = "/daemon.StartedService/TriggerOOMReport"
-	StartedService_SubscribeConnections_FullMethodName     = "/daemon.StartedService/SubscribeConnections"
-	StartedService_CloseConnection_FullMethodName          = "/daemon.StartedService/CloseConnection"
-	StartedService_CloseAllConnections_FullMethodName      = "/daemon.StartedService/CloseAllConnections"
-	StartedService_GetDeprecatedWarnings_FullMethodName    = "/daemon.StartedService/GetDeprecatedWarnings"
-	StartedService_GetStartedAt_FullMethodName             = "/daemon.StartedService/GetStartedAt"
-	StartedService_SubscribeOutbounds_FullMethodName       = "/daemon.StartedService/SubscribeOutbounds"
-	StartedService_StartNetworkQualityTest_FullMethodName  = "/daemon.StartedService/StartNetworkQualityTest"
-	StartedService_StartSTUNTest_FullMethodName            = "/daemon.StartedService/StartSTUNTest"
-	StartedService_SubscribeTailscaleStatus_FullMethodName = "/daemon.StartedService/SubscribeTailscaleStatus"
-	StartedService_StartTailscalePing_FullMethodName       = "/daemon.StartedService/StartTailscalePing"
+	StartedService_StopService_FullMethodName            = "/daemon.StartedService/StopService"
+	StartedService_ReloadService_FullMethodName          = "/daemon.StartedService/ReloadService"
+	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
+	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
+	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
+	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
+	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
+	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
+	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
+	StartedService_SubscribeClashMode_FullMethodName     = "/daemon.StartedService/SubscribeClashMode"
+	StartedService_SetClashMode_FullMethodName           = "/daemon.StartedService/SetClashMode"
+	StartedService_URLTest_FullMethodName                = "/daemon.StartedService/URLTest"
+	StartedService_SelectOutbound_FullMethodName         = "/daemon.StartedService/SelectOutbound"
+	StartedService_SetGroupExpand_FullMethodName         = "/daemon.StartedService/SetGroupExpand"
+	StartedService_GetSystemProxyStatus_FullMethodName   = "/daemon.StartedService/GetSystemProxyStatus"
+	StartedService_SetSystemProxyEnabled_FullMethodName  = "/daemon.StartedService/SetSystemProxyEnabled"
+	StartedService_SubscribeConnections_FullMethodName   = "/daemon.StartedService/SubscribeConnections"
+	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
+	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
+	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
+	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
 )

 // StartedServiceClient is the client API for StartedService service.
@@ -65,18 +58,11 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
 	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
-	SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error)
-	StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error)
-	StartSTUNTest(ctx context.Context, in *STUNTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[STUNTestProgress], error)
-	SubscribeTailscaleStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscaleStatusUpdate], error)
-	StartTailscalePing(ctx context.Context, in *TailscalePingRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscalePingResponse], error)
 }

 type startedServiceClient struct {
@@ -292,26 +278,6 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }

-func (c *startedServiceClient) TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_TriggerDebugCrash_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *startedServiceClient) TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, StartedService_TriggerOOMReport_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
@@ -371,101 +337,6 @@ func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Emp
 	return out, nil
 }

-func (c *startedServiceClient) SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeOutbounds_FullMethodName, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[emptypb.Empty, OutboundList]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeOutboundsClient = grpc.ServerStreamingClient[OutboundList]
-
-func (c *startedServiceClient) StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[7], StartedService_StartNetworkQualityTest_FullMethodName, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartNetworkQualityTestClient = grpc.ServerStreamingClient[NetworkQualityTestProgress]
-
-func (c *startedServiceClient) StartSTUNTest(ctx context.Context, in *STUNTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[STUNTestProgress], error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[8], StartedService_StartSTUNTest_FullMethodName, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[STUNTestRequest, STUNTestProgress]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartSTUNTestClient = grpc.ServerStreamingClient[STUNTestProgress]
-
-func (c *startedServiceClient) SubscribeTailscaleStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscaleStatusUpdate], error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[9], StartedService_SubscribeTailscaleStatus_FullMethodName, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[emptypb.Empty, TailscaleStatusUpdate]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeTailscaleStatusClient = grpc.ServerStreamingClient[TailscaleStatusUpdate]
-
-func (c *startedServiceClient) StartTailscalePing(ctx context.Context, in *TailscalePingRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[TailscalePingResponse], error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[10], StartedService_StartTailscalePing_FullMethodName, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &grpc.GenericClientStream[TailscalePingRequest, TailscalePingResponse]{ClientStream: stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartTailscalePingClient = grpc.ServerStreamingClient[TailscalePingResponse]
-
 // StartedServiceServer is the server API for StartedService service.
 // All implementations must embed UnimplementedStartedServiceServer
 // for forward compatibility.
@@ -486,18 +357,11 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
-	TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error)
-	TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
 	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
-	SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error
-	StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error
-	StartSTUNTest(*STUNTestRequest, grpc.ServerStreamingServer[STUNTestProgress]) error
-	SubscribeTailscaleStatus(*emptypb.Empty, grpc.ServerStreamingServer[TailscaleStatusUpdate]) error
-	StartTailscalePing(*TailscalePingRequest, grpc.ServerStreamingServer[TailscalePingResponse]) error
 	mustEmbedUnimplementedStartedServiceServer()
 }

@@ -572,14 +436,6 @@ func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context,
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }

-func (UnimplementedStartedServiceServer) TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method TriggerDebugCrash not implemented")
-}
-
-func (UnimplementedStartedServiceServer) TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
-	return nil, status.Error(codes.Unimplemented, "method TriggerOOMReport not implemented")
-}
-
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
@@ -599,26 +455,6 @@ func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context,
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
 }
-
-func (UnimplementedStartedServiceServer) SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeOutbounds not implemented")
-}
-
-func (UnimplementedStartedServiceServer) StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error {
-	return status.Error(codes.Unimplemented, "method StartNetworkQualityTest not implemented")
-}
-
-func (UnimplementedStartedServiceServer) StartSTUNTest(*STUNTestRequest, grpc.ServerStreamingServer[STUNTestProgress]) error {
-	return status.Error(codes.Unimplemented, "method StartSTUNTest not implemented")
-}
-
-func (UnimplementedStartedServiceServer) SubscribeTailscaleStatus(*emptypb.Empty, grpc.ServerStreamingServer[TailscaleStatusUpdate]) error {
-	return status.Error(codes.Unimplemented, "method SubscribeTailscaleStatus not implemented")
-}
-
-func (UnimplementedStartedServiceServer) StartTailscalePing(*TailscalePingRequest, grpc.ServerStreamingServer[TailscalePingResponse]) error {
-	return status.Error(codes.Unimplemented, "method StartTailscalePing not implemented")
-}
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}

@@ -893,42 +729,6 @@ func _StartedService_SetSystemProxyEnabled_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }

-func _StartedService_TriggerDebugCrash_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(DebugCrashRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: StartedService_TriggerDebugCrash_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, req.(*DebugCrashRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _StartedService_TriggerOOMReport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(emptypb.Empty)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(StartedServiceServer).TriggerOOMReport(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: StartedService_TriggerOOMReport_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(StartedServiceServer).TriggerOOMReport(ctx, req.(*emptypb.Empty))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeConnectionsRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -1012,61 +812,6 @@ func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

-func _StartedService_SubscribeOutbounds_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(emptypb.Empty)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).SubscribeOutbounds(m, &grpc.GenericServerStream[emptypb.Empty, OutboundList]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeOutboundsServer = grpc.ServerStreamingServer[OutboundList]
-
-func _StartedService_StartNetworkQualityTest_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(NetworkQualityTestRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).StartNetworkQualityTest(m, &grpc.GenericServerStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartNetworkQualityTestServer = grpc.ServerStreamingServer[NetworkQualityTestProgress]
-
-func _StartedService_StartSTUNTest_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(STUNTestRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).StartSTUNTest(m, &grpc.GenericServerStream[STUNTestRequest, STUNTestProgress]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartSTUNTestServer = grpc.ServerStreamingServer[STUNTestProgress]
-
-func _StartedService_SubscribeTailscaleStatus_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(emptypb.Empty)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).SubscribeTailscaleStatus(m, &grpc.GenericServerStream[emptypb.Empty, TailscaleStatusUpdate]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_SubscribeTailscaleStatusServer = grpc.ServerStreamingServer[TailscaleStatusUpdate]
-
-func _StartedService_StartTailscalePing_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(TailscalePingRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(StartedServiceServer).StartTailscalePing(m, &grpc.GenericServerStream[TailscalePingRequest, TailscalePingResponse]{ServerStream: stream})
-}
-
-// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
-type StartedService_StartTailscalePingServer = grpc.ServerStreamingServer[TailscalePingResponse]
-
 // StartedService_ServiceDesc is the grpc.ServiceDesc for StartedService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1118,14 +863,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetSystemProxyEnabled",
 			Handler:    _StartedService_SetSystemProxyEnabled_Handler,
 		},
-		{
-			MethodName: "TriggerDebugCrash",
-			Handler:    _StartedService_TriggerDebugCrash_Handler,
-		},
-		{
-			MethodName: "TriggerOOMReport",
-			Handler:    _StartedService_TriggerOOMReport_Handler,
-		},
 		{
 			MethodName: "CloseConnection",
 			Handler:    _StartedService_CloseConnection_Handler,
@@ -1174,31 +911,6 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "SubscribeOutbounds",
-			Handler:       _StartedService_SubscribeOutbounds_Handler,
-			ServerStreams: true,
-		},
-		{
-			StreamName:    "StartNetworkQualityTest",
-			Handler:       _StartedService_StartNetworkQualityTest_Handler,
-			ServerStreams: true,
-		},
-		{
-			StreamName:    "StartSTUNTest",
-			Handler:       _StartedService_StartSTUNTest_Handler,
-			ServerStreams: true,
-		},
-		{
-			StreamName:    "SubscribeTailscaleStatus",
-			Handler:       _StartedService_SubscribeTailscaleStatus_Handler,
-			ServerStreams: true,
-		},
-		{
-			StreamName:    "StartTailscalePing",
-			Handler:       _StartedService_StartTailscalePing_Handler,
-			ServerStreams: true,
-		},
 	},
 	Metadata: "daemon/started_service.proto",
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -30,63 +30,59 @@ var (
 var _ adapter.DNSClient = (*Client)(nil)

 type Client struct {
-	ctx               context.Context
-	timeout           time.Duration
-	disableCache      bool
-	disableExpire     bool
-	optimisticTimeout time.Duration
-	cacheCapacity     uint32
-	clientSubnet      netip.Prefix
-	rdrc              adapter.RDRCStore
-	initRDRCFunc      func() adapter.RDRCStore
-	dnsCache          adapter.DNSCacheStore
-	initDNSCacheFunc  func() adapter.DNSCacheStore
-	logger            logger.ContextLogger
-	cache             freelru.Cache[dnsCacheKey, *dns.Msg]
-	cacheLock         compatible.Map[dnsCacheKey, chan struct{}]
-	backgroundRefresh compatible.Map[dnsCacheKey, struct{}]
+	timeout            time.Duration
+	disableCache       bool
+	disableExpire      bool
+	independentCache   bool
+	clientSubnet       netip.Prefix
+	rdrc               adapter.RDRCStore
+	initRDRCFunc       func() adapter.RDRCStore
+	logger             logger.ContextLogger
+	cache              freelru.Cache[dns.Question, *dns.Msg]
+	cacheLock          compatible.Map[dns.Question, chan struct{}]
+	transportCache     freelru.Cache[transportCacheKey, *dns.Msg]
+	transportCacheLock compatible.Map[dns.Question, chan struct{}]
 }

 type ClientOptions struct {
-	Context           context.Context
-	Timeout           time.Duration
-	DisableCache      bool
-	DisableExpire     bool
-	OptimisticTimeout time.Duration
-	CacheCapacity     uint32
-	ClientSubnet      netip.Prefix
-	RDRC              func() adapter.RDRCStore
-	DNSCache          func() adapter.DNSCacheStore
-	Logger            logger.ContextLogger
+	Timeout          time.Duration
+	DisableCache     bool
+	DisableExpire    bool
+	IndependentCache bool
+	CacheCapacity    uint32
+	ClientSubnet     netip.Prefix
+	RDRC             func() adapter.RDRCStore
+	Logger           logger.ContextLogger
 }

 func NewClient(options ClientOptions) *Client {
-	cacheCapacity := options.CacheCapacity
-	if cacheCapacity < 1024 {
-		cacheCapacity = 1024
-	}
 	client := &Client{
-		ctx:               options.Context,
-		timeout:           options.Timeout,
-		disableCache:      options.DisableCache,
-		disableExpire:     options.DisableExpire,
-		optimisticTimeout: options.OptimisticTimeout,
-		cacheCapacity:     cacheCapacity,
-		clientSubnet:      options.ClientSubnet,
-		initRDRCFunc:      options.RDRC,
-		initDNSCacheFunc:  options.DNSCache,
-		logger:            options.Logger,
+		timeout:          options.Timeout,
+		disableCache:     options.DisableCache,
+		disableExpire:    options.DisableExpire,
+		independentCache: options.IndependentCache,
+		clientSubnet:     options.ClientSubnet,
+		initRDRCFunc:     options.RDRC,
+		logger:           options.Logger,
 	}
 	if client.timeout == 0 {
 		client.timeout = C.DNSTimeout
 	}
-	if !client.disableCache && client.initDNSCacheFunc == nil {
-		client.initializeMemoryCache()
+	cacheCapacity := options.CacheCapacity
+	if cacheCapacity < 1024 {
+		cacheCapacity = 1024
+	}
+	if !client.disableCache {
+		if !client.independentCache {
+			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
+		} else {
+			client.transportCache = common.Must1(freelru.NewSharded[transportCacheKey, *dns.Msg](cacheCapacity, maphash.NewHasher[transportCacheKey]().Hash32))
+		}
 	}
 	return client
 }

-type dnsCacheKey struct {
+type transportCacheKey struct {
 	dns.Question
 	transportTag string
 }
@@ -95,19 +91,6 @@ func (c *Client) Start() {
 	if c.initRDRCFunc != nil {
 		c.rdrc = c.initRDRCFunc()
 	}
-	if c.initDNSCacheFunc != nil {
-		c.dnsCache = c.initDNSCacheFunc()
-	}
-	if c.dnsCache == nil {
-		c.initializeMemoryCache()
-	}
-}
-
-func (c *Client) initializeMemoryCache() {
-	if c.disableCache || c.cache != nil {
-		return
-	}
-	c.cache = common.Must1(freelru.NewSharded[dnsCacheKey, *dns.Msg](c.cacheCapacity, maphash.NewHasher[dnsCacheKey]().Hash32))
 }

 func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
@@ -124,37 +107,6 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }

-func computeTimeToLive(response *dns.Msg) uint32 {
-	var timeToLive uint32
-	if len(response.Answer) == 0 {
-		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
-			return soaTTL
-		}
-	}
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			if record.Header().Rrtype == dns.TypeOPT {
-				continue
-			}
-			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-				timeToLive = record.Header().Ttl
-			}
-		}
-	}
-	return timeToLive
-}
-
-func normalizeTTL(response *dns.Msg, timeToLive uint32) {
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			if record.Header().Rrtype == dns.TypeOPT {
-				continue
-			}
-			record.Header().Ttl = timeToLive
-		}
-	}
-}
-
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -169,7 +121,13 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 		return FixedResponseStatus(message, dns.RcodeSuccess), nil
 	}
-	message = c.prepareExchangeMessage(message, options)
+	clientSubnet := options.ClientSubnet
+	if !clientSubnet.IsValid() {
+		clientSubnet = c.clientSubnet
+	}
+	if clientSubnet.IsValid() {
+		message = SetClientSubnet(message, clientSubnet)
+	}

 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
@@ -181,32 +139,40 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		!options.ClientSubnet.IsValid()
 	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
 	if !disableCache {
-		cacheKey := dnsCacheKey{Question: question, transportTag: transport.Tag()}
-		cond, loaded := c.cacheLock.LoadOrStore(cacheKey, make(chan struct{}))
-		if loaded {
-			select {
-			case <-cond:
-			case <-ctx.Done():
-				return nil, ctx.Err()
+		if c.cache != nil {
+			cond, loaded := c.cacheLock.LoadOrStore(question, make(chan struct{}))
+			if loaded {
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
+			} else {
+				defer func() {
+					c.cacheLock.Delete(question)
+					close(cond)
+				}()
+			}
+		} else if c.transportCache != nil {
+			cond, loaded := c.transportCacheLock.LoadOrStore(question, make(chan struct{}))
+			if loaded {
+				select {
+				case <-cond:
+				case <-ctx.Done():
+					return nil, ctx.Err()
+				}
+			} else {
+				defer func() {
+					c.transportCacheLock.Delete(question)
+					close(cond)
+				}()
 			}
-		} else {
-			defer func() {
-				c.cacheLock.Delete(cacheKey)
-				close(cond)
-			}()
 		}
-		response, ttl, isStale := c.loadResponse(question, transport)
+		response, ttl := c.loadResponse(question, transport)
 		if response != nil {
-			if isStale && !options.DisableOptimisticCache {
-				c.backgroundRefreshDNS(transport, question, message.Copy(), options, responseChecker)
-				logOptimisticResponse(c.logger, ctx, response)
-				response.Id = message.Id
-				return response, nil
-			} else if !isStale {
-				logCachedResponse(c.logger, ctx, response, ttl)
-				response.Id = message.Id
-				return response, nil
-			}
+			logCachedResponse(c.logger, ctx, response, ttl)
+			response.Id = message.Id
+			return response, nil
 		}
 	}

@@ -222,10 +188,52 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return nil, ErrResponseRejectedCached
 		}
 	}
-	response, err := c.exchangeToTransport(ctx, transport, message)
+	ctx, cancel := context.WithTimeout(ctx, c.timeout)
+	response, err := transport.Exchange(ctx, message)
+	cancel()
 	if err != nil {
-		return nil, err
+		var rcodeError RcodeError
+		if errors.As(err, &rcodeError) {
+			response = FixedResponseStatus(message, int(rcodeError))
+		} else {
+			return nil, err
+		}
 	}
+	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
+		validResponse := response
+	loop:
+		for {
+			var (
+				addresses  int
+				queryCNAME string
+			)
+			for _, rawRR := range validResponse.Answer {
+				switch rr := rawRR.(type) {
+				case *dns.A:
+					break loop
+				case *dns.AAAA:
+					break loop
+				case *dns.CNAME:
+					queryCNAME = rr.Target
+				}
+			}
+			if queryCNAME == "" {
+				break
+			}
+			exMessage := *message
+			exMessage.Question = []dns.Question{{
+				Name:  queryCNAME,
+				Qtype: question.Qtype,
+			}}
+			validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
+			if err != nil {
+				return nil, err
+			}
+		}
+		if validResponse != response {
+			response.Answer = append(response.Answer, validResponse.Answer...)
+		}
+	}*/
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
@@ -242,7 +250,48 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			return response, ErrResponseRejected
 		}
 	}
-	timeToLive := applyResponseOptions(question, response, options)
+	if question.Qtype == dns.TypeHTTPS {
+		if options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only {
+			for _, rr := range response.Answer {
+				https, isHTTPS := rr.(*dns.HTTPS)
+				if !isHTTPS {
+					continue
+				}
+				content := https.SVCB
+				content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
+					if options.Strategy == C.DomainStrategyIPv4Only {
+						return it.Key() != dns.SVCB_IPV6HINT
+					} else {
+						return it.Key() != dns.SVCB_IPV4HINT
+					}
+				})
+				https.SVCB = content
+			}
+		}
+	}
+	var timeToLive uint32
+	if len(response.Answer) == 0 {
+		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
+			timeToLive = soaTTL
+		}
+	}
+	if timeToLive == 0 {
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+			for _, record := range recordList {
+				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+					timeToLive = record.Header().Ttl
+				}
+			}
+		}
+	}
+	if options.RewriteTTL != nil {
+		timeToLive = *options.RewriteTTL
+	}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			record.Header().Ttl = timeToLive
+		}
+	}
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
@@ -308,12 +357,8 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 func (c *Client) ClearCache() {
 	if c.cache != nil {
 		c.cache.Purge()
-	}
-	if c.dnsCache != nil {
-		err := c.dnsCache.ClearDNSCache()
-		if err != nil && c.logger != nil {
-			c.logger.Warn("clear DNS cache: ", err)
-		}
+	} else if c.transportCache != nil {
+		c.transportCache.Purge()
 	}
 }

@@ -329,22 +374,24 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	if timeToLive == 0 {
 		return
 	}
-	if c.dnsCache != nil {
-		packed, err := message.Pack()
-		if err == nil {
-			expireAt := time.Now().Add(time.Second * time.Duration(timeToLive))
-			c.dnsCache.SaveDNSCacheAsync(transport.Tag(), question.Name, question.Qtype, packed, expireAt, c.logger)
-		}
-		return
-	}
-	if c.cache == nil {
-		return
-	}
-	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
 	if c.disableExpire {
-		c.cache.Add(key, message.Copy())
+		if !c.independentCache {
+			c.cache.Add(question, message)
+		} else {
+			c.transportCache.Add(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			}, message)
+		}
 	} else {
-		c.cache.AddWithLifetime(key, message.Copy(), time.Second*time.Duration(timeToLive))
+		if !c.independentCache {
+			c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
+		} else {
+			c.transportCache.AddWithLifetime(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			}, message, time.Second*time.Duration(timeToLive))
+		}
 	}
 }

@@ -354,19 +401,19 @@ func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTran
 		Qtype:  qType,
 		Qclass: dns.ClassINET,
 	}
+	disableCache := c.disableCache || options.DisableCache
+	if !disableCache {
+		cachedAddresses, err := c.questionCache(question, transport)
+		if err != ErrNotCached {
+			return cachedAddresses, err
+		}
+	}
 	message := dns.Msg{
 		MsgHdr: dns.MsgHdr{
 			RecursionDesired: true,
 		},
 		Question: []dns.Question{question},
 	}
-	disableCache := c.disableCache || options.DisableCache
-	if !disableCache {
-		cachedAddresses, err := c.questionCache(ctx, transport, &message, options, responseChecker)
-		if err != ErrNotCached {
-			return cachedAddresses, err
-		}
-	}
 	response, err := c.Exchange(ctx, transport, &message, options, responseChecker)
 	if err != nil {
 		return nil, err
@@ -377,177 +424,89 @@ func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTran
 	return MessageToAddresses(response), nil
 }

-func (c *Client) questionCache(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
-	question := message.Question[0]
-	response, _, isStale := c.loadResponse(question, transport)
+func (c *Client) questionCache(question dns.Question, transport adapter.DNSTransport) ([]netip.Addr, error) {
+	response, _ := c.loadResponse(question, transport)
 	if response == nil {
 		return nil, ErrNotCached
 	}
-	if isStale {
-		if options.DisableOptimisticCache {
-			return nil, ErrNotCached
-		}
-		c.backgroundRefreshDNS(transport, question, c.prepareExchangeMessage(message.Copy(), options), options, responseChecker)
-		logOptimisticResponse(c.logger, ctx, response)
-	}
 	if response.Rcode != dns.RcodeSuccess {
 		return nil, RcodeError(response.Rcode)
 	}
 	return MessageToAddresses(response), nil
 }

-func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int, bool) {
-	if c.dnsCache != nil {
-		return c.loadPersistentResponse(question, transport)
-	}
-	if c.cache == nil {
-		return nil, 0, false
-	}
-	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
+func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int) {
+	var (
+		response *dns.Msg
+		loaded   bool
+	)
 	if c.disableExpire {
-		response, loaded := c.cache.Get(key)
-		if !loaded {
-			return nil, 0, false
-		}
-		return response.Copy(), 0, false
-	}
-	response, expireAt, loaded := c.cache.GetWithLifetimeNoExpire(key)
-	if !loaded {
-		return nil, 0, false
-	}
-	timeNow := time.Now()
-	if timeNow.After(expireAt) {
-		if c.optimisticTimeout > 0 && timeNow.Before(expireAt.Add(c.optimisticTimeout)) {
-			response = response.Copy()
-			normalizeTTL(response, 1)
-			return response, 0, true
-		}
-		c.cache.Remove(key)
-		return nil, 0, false
-	}
-	nowTTL := int(expireAt.Sub(timeNow).Seconds())
-	if nowTTL < 0 {
-		nowTTL = 0
-	}
-	response = response.Copy()
-	normalizeTTL(response, uint32(nowTTL))
-	return response, nowTTL, false
-}
-
-func (c *Client) loadPersistentResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int, bool) {
-	rawMessage, expireAt, loaded := c.dnsCache.LoadDNSCache(transport.Tag(), question.Name, question.Qtype)
-	if !loaded {
-		return nil, 0, false
-	}
-	response := new(dns.Msg)
-	err := response.Unpack(rawMessage)
-	if err != nil {
-		return nil, 0, false
-	}
-	if c.disableExpire {
-		return response, 0, false
-	}
-	timeNow := time.Now()
-	if timeNow.After(expireAt) {
-		if c.optimisticTimeout > 0 && timeNow.Before(expireAt.Add(c.optimisticTimeout)) {
-			normalizeTTL(response, 1)
-			return response, 0, true
-		}
-		return nil, 0, false
-	}
-	nowTTL := int(expireAt.Sub(timeNow).Seconds())
-	if nowTTL < 0 {
-		nowTTL = 0
-	}
-	normalizeTTL(response, uint32(nowTTL))
-	return response, nowTTL, false
-}
-
-func applyResponseOptions(question dns.Question, response *dns.Msg, options adapter.DNSQueryOptions) uint32 {
-	if question.Qtype == dns.TypeHTTPS && (options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only) {
-		for _, rr := range response.Answer {
-			https, isHTTPS := rr.(*dns.HTTPS)
-			if !isHTTPS {
-				continue
-			}
-			content := https.SVCB
-			content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
-				if options.Strategy == C.DomainStrategyIPv4Only {
-					return it.Key() != dns.SVCB_IPV6HINT
-				}
-				return it.Key() != dns.SVCB_IPV4HINT
+		if !c.independentCache {
+			response, loaded = c.cache.Get(question)
+		} else {
+			response, loaded = c.transportCache.Get(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
 			})
-			https.SVCB = content
 		}
-	}
-	timeToLive := computeTimeToLive(response)
-	if options.RewriteTTL != nil {
-		timeToLive = *options.RewriteTTL
-	}
-	normalizeTTL(response, timeToLive)
-	return timeToLive
-}
-
-func (c *Client) backgroundRefreshDNS(transport adapter.DNSTransport, question dns.Question, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) {
-	key := dnsCacheKey{Question: question, transportTag: transport.Tag()}
-	_, loaded := c.backgroundRefresh.LoadOrStore(key, struct{}{})
-	if loaded {
-		return
-	}
-	go func() {
-		defer c.backgroundRefresh.Delete(key)
-		ctx := contextWithTransportTag(c.ctx, transport.Tag())
-		response, err := c.exchangeToTransport(ctx, transport, message)
-		if err != nil {
-			if c.logger != nil {
-				c.logger.Debug("optimistic refresh failed for ", FqdnToDomain(question.Name), ": ", err)
-			}
-			return
+		if !loaded {
+			return nil, 0
 		}
-		if responseChecker != nil {
-			var rejected bool
-			if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
-				rejected = true
+		return response.Copy(), 0
+	} else {
+		var expireAt time.Time
+		if !c.independentCache {
+			response, expireAt, loaded = c.cache.GetWithLifetime(question)
+		} else {
+			response, expireAt, loaded = c.transportCache.GetWithLifetime(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			})
+		}
+		if !loaded {
+			return nil, 0
+		}
+		timeNow := time.Now()
+		if timeNow.After(expireAt) {
+			if !c.independentCache {
+				c.cache.Remove(question)
 			} else {
-				rejected = !responseChecker(response)
+				c.transportCache.Remove(transportCacheKey{
+					Question:     question,
+					transportTag: transport.Tag(),
+				})
 			}
-			if rejected {
-				if c.rdrc != nil {
-					c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
-				}
-				return
-			}
-		} else if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
-			return
+			return nil, 0
 		}
-		timeToLive := applyResponseOptions(question, response, options)
-		c.storeCache(transport, question, response, timeToLive)
-	}()
-}
-
-func (c *Client) prepareExchangeMessage(message *dns.Msg, options adapter.DNSQueryOptions) *dns.Msg {
-	clientSubnet := options.ClientSubnet
-	if !clientSubnet.IsValid() {
-		clientSubnet = c.clientSubnet
+		var originTTL int
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+			for _, record := range recordList {
+				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
+					originTTL = int(record.Header().Ttl)
+				}
+			}
+		}
+		nowTTL := int(expireAt.Sub(timeNow).Seconds())
+		if nowTTL < 0 {
+			nowTTL = 0
+		}
+		response = response.Copy()
+		if originTTL > 0 {
+			duration := uint32(originTTL - nowTTL)
+			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+				for _, record := range recordList {
+					record.Header().Ttl = record.Header().Ttl - duration
+				}
+			}
+		} else {
+			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+				for _, record := range recordList {
+					record.Header().Ttl = uint32(nowTTL)
+				}
+			}
+		}
+		return response, nowTTL
 	}
-	if clientSubnet.IsValid() {
-		message = SetClientSubnet(message, clientSubnet)
-	}
-	return message
-}
-
-func (c *Client) exchangeToTransport(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg) (*dns.Msg, error) {
-	ctx, cancel := context.WithTimeout(ctx, c.timeout)
-	defer cancel()
-	response, err := transport.Exchange(ctx, message)
-	if err == nil {
-		return response, nil
-	}
-	var rcodeError RcodeError
-	if errors.As(err, &rcodeError) {
-		return FixedResponseStatus(message, int(rcodeError)), nil
-	}
-	return nil, err
 }

 func MessageToAddresses(response *dns.Msg) []netip.Addr {
--- a/dns/client_log.go
+++ b/dns/client_log.go
@@ -22,19 +22,6 @@ func logCachedResponse(logger logger.ContextLogger, ctx context.Context, respons
 	}
 }

-func logOptimisticResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg) {
-	if logger == nil || len(response.Question) == 0 {
-		return
-	}
-	domain := FqdnToDomain(response.Question[0].Name)
-	logger.DebugContext(ctx, "optimistic ", domain, " ", dns.RcodeToString[response.Rcode])
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			logger.InfoContext(ctx, "optimistic ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
-		}
-	}
-}
-
 func logExchangedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl uint32) {
 	if logger == nil || len(response.Question) == 0 {
 		return
--- a/dns/rcode.go
+++ b/dns/rcode.go
@@ -5,11 +5,10 @@ import (
 )

 const (
-	RcodeSuccess       RcodeError = mDNS.RcodeSuccess
-	RcodeServerFailure RcodeError = mDNS.RcodeServerFailure
-	RcodeFormatError   RcodeError = mDNS.RcodeFormatError
-	RcodeNameError     RcodeError = mDNS.RcodeNameError
-	RcodeRefused       RcodeError = mDNS.RcodeRefused
+	RcodeSuccess     RcodeError = mDNS.RcodeSuccess
+	RcodeFormatError RcodeError = mDNS.RcodeFormatError
+	RcodeNameError   RcodeError = mDNS.RcodeNameError
+	RcodeRefused     RcodeError = mDNS.RcodeRefused
 )

 type RcodeError int
--- a/dns/router.go
+++ b/dns/router.go
@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -22,6 +23,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
+	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
@@ -29,62 +31,84 @@ import (
 	mDNS "github.com/miekg/dns"
 )

-var (
-	_ adapter.DNSRouter                 = (*Router)(nil)
-	_ adapter.DNSRuleSetUpdateValidator = (*Router)(nil)
-)
+var _ adapter.DNSRouter = (*Router)(nil)

-type Router struct {
-	ctx                   context.Context
-	logger                logger.ContextLogger
-	transport             adapter.DNSTransportManager
-	outbound              adapter.OutboundManager
-	client                adapter.DNSClient
-	rawRules              []option.DNSRule
-	rules                 []adapter.DNSRule
-	defaultDomainStrategy C.DomainStrategy
-	dnsReverseMapping     freelru.Cache[netip.Addr, string]
-	platformInterface     adapter.PlatformInterface
-	legacyDNSMode         bool
-	rulesAccess           sync.RWMutex
-	started               bool
-	closing               bool
+type dnsRuleSetCallback struct {
+	ruleSet adapter.RuleSet
+	element *list.Element[adapter.RuleSetUpdateCallback]
 }

-func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) (*Router, error) {
+type rulesSnapshot struct {
+	rules         []adapter.DNSRule
+	legacyDNSMode bool
+	references    atomic.Int64
+}
+
+func newRulesSnapshot(rules []adapter.DNSRule, legacyDNSMode bool) *rulesSnapshot {
+	snapshot := &rulesSnapshot{
+		rules:         rules,
+		legacyDNSMode: legacyDNSMode,
+	}
+	snapshot.references.Store(1)
+	return snapshot
+}
+
+func (s *rulesSnapshot) retain() {
+	if s == nil {
+		return
+	}
+	s.references.Add(1)
+}
+
+func (s *rulesSnapshot) release() {
+	if s == nil {
+		return
+	}
+	references := s.references.Add(-1)
+	switch {
+	case references > 0:
+	case references == 0:
+		closeRules(s.rules)
+	default:
+		panic("dns: negative rules snapshot references")
+	}
+}
+
+type Router struct {
+	ctx                             context.Context
+	logger                          logger.ContextLogger
+	transport                       adapter.DNSTransportManager
+	outbound                        adapter.OutboundManager
+	client                          adapter.DNSClient
+	rawRules                        []option.DNSRule
+	currentRules                    atomic.Pointer[rulesSnapshot]
+	defaultDomainStrategy           C.DomainStrategy
+	dnsReverseMapping               freelru.Cache[netip.Addr, string]
+	platformInterface               adapter.PlatformInterface
+	rebuildAccess                   sync.Mutex
+	stateAccess                     sync.Mutex
+	closing                         bool
+	ruleSetCallbacks                []dnsRuleSetCallback
+	addressFilterDeprecatedReported bool
+	ruleStrategyDeprecatedReported  bool
+}
+
+func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
 	router := &Router{
 		ctx:                   ctx,
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
 		rawRules:              make([]option.DNSRule, 0, len(options.Rules)),
-		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
-	if options.DNSClientOptions.IndependentCache {
-		deprecated.Report(ctx, deprecated.OptionIndependentDNSCache)
-	}
-	var optimisticTimeout time.Duration
-	optimisticOptions := common.PtrValueOrDefault(options.DNSClientOptions.Optimistic)
-	if optimisticOptions.Enabled {
-		if options.DNSClientOptions.DisableCache {
-			return nil, E.New("`optimistic` is conflict with `disable_cache`")
-		}
-		if options.DNSClientOptions.DisableExpire {
-			return nil, E.New("`optimistic` is conflict with `disable_expire`")
-		}
-		optimisticTimeout = time.Duration(optimisticOptions.Timeout)
-		if optimisticTimeout == 0 {
-			optimisticTimeout = 3 * 24 * time.Hour
-		}
-	}
+	router.currentRules.Store(newRulesSnapshot(make([]adapter.DNSRule, 0, len(options.Rules)), false))
 	router.client = NewClient(ClientOptions{
-		Context:           ctx,
-		DisableCache:      options.DNSClientOptions.DisableCache,
-		DisableExpire:     options.DNSClientOptions.DisableExpire,
-		OptimisticTimeout: optimisticTimeout,
-		CacheCapacity:     options.DNSClientOptions.CacheCapacity,
-		ClientSubnet:      options.DNSClientOptions.ClientSubnet.Build(netip.Prefix{}),
+		DisableCache:     options.DNSClientOptions.DisableCache,
+		DisableExpire:    options.DNSClientOptions.DisableExpire,
+		IndependentCache: options.DNSClientOptions.IndependentCache,
+		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
+		ClientSubnet:     options.DNSClientOptions.ClientSubnet.Build(netip.Prefix{}),
 		RDRC: func() adapter.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {
@@ -95,29 +119,17 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 			}
 			return cacheFile
 		},
-		DNSCache: func() adapter.DNSCacheStore {
-			cacheFile := service.FromContext[adapter.CacheFile](ctx)
-			if cacheFile == nil {
-				return nil
-			}
-			if !cacheFile.StoreDNS() {
-				return nil
-			}
-			cacheFile.SetDisableExpire(options.DNSClientOptions.DisableExpire)
-			cacheFile.SetOptimisticTimeout(optimisticTimeout)
-			return cacheFile
-		},
 		Logger: router.logger,
 	})
 	if options.ReverseMapping {
 		router.dnsReverseMapping = common.Must1(freelru.NewSharded[netip.Addr, string](1024, maphash.NewHasher[netip.Addr]().Hash32))
 	}
-	return router, nil
+	return router
 }

 func (r *Router) Initialize(rules []option.DNSRule) error {
 	r.rawRules = append(r.rawRules[:0], rules...)
-	newRules, _, _, err := r.buildRules(false)
+	newRules, _, err := r.buildRules(false)
 	if err != nil {
 		return err
 	}
@@ -134,74 +146,132 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		monitor.Finish()

 		monitor.Start("initialize DNS rules")
-		newRules, legacyDNSMode, modeFlags, err := r.buildRules(true)
+		err := r.rebuildRules(true)
 		monitor.Finish()
 		if err != nil {
 			return err
 		}
-		r.rulesAccess.Lock()
-		if r.closing {
-			r.rulesAccess.Unlock()
-			closeRules(newRules)
-			return nil
+		monitor.Start("register DNS rule-set callbacks")
+		needsRulesRefresh, err := r.registerRuleSetCallbacks()
+		monitor.Finish()
+		if err != nil {
+			return err
 		}
-		r.rules = newRules
-		r.legacyDNSMode = legacyDNSMode
-		r.started = true
-		r.rulesAccess.Unlock()
-		if legacyDNSMode && common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() }) {
-			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
-		}
-		if legacyDNSMode && modeFlags.neededFromStrategy {
-			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
+		if needsRulesRefresh {
+			monitor.Start("refresh DNS rules after callback registration")
+			err = r.rebuildRules(true)
+			monitor.Finish()
+			if err != nil {
+				r.logger.Error(E.Cause(err, "refresh DNS rules after callback registration"))
+			}
 		}
 	}
 	return nil
 }

 func (r *Router) Close() error {
-	r.rulesAccess.Lock()
+	r.stateAccess.Lock()
 	if r.closing {
-		r.rulesAccess.Unlock()
+		r.stateAccess.Unlock()
 		return nil
 	}
 	r.closing = true
-	runtimeRules := r.rules
-	r.rules = nil
-	r.rulesAccess.Unlock()
-	closeRules(runtimeRules)
+	callbacks := r.ruleSetCallbacks
+	r.ruleSetCallbacks = nil
+	oldSnapshot := r.currentRules.Swap(nil)
+	for _, callback := range callbacks {
+		callback.ruleSet.UnregisterCallback(callback.element)
+	}
+	r.stateAccess.Unlock()
+	oldSnapshot.release()
 	return nil
 }

-func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, dnsRuleModeFlags, error) {
+func (r *Router) rebuildRules(startRules bool) error {
+	r.rebuildAccess.Lock()
+	defer r.rebuildAccess.Unlock()
+	if r.isClosing() {
+		return nil
+	}
+	newRules, legacyDNSMode, err := r.buildRules(startRules)
+	if err != nil {
+		if r.isClosing() {
+			return nil
+		}
+		return err
+	}
+	shouldReportAddressFilterDeprecated := startRules &&
+		legacyDNSMode &&
+		!r.addressFilterDeprecatedReported &&
+		common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() })
+	shouldReportRuleStrategyDeprecated := startRules &&
+		legacyDNSMode &&
+		!r.ruleStrategyDeprecatedReported &&
+		hasDNSRuleActionStrategy(r.rawRules)
+	newSnapshot := newRulesSnapshot(newRules, legacyDNSMode)
+	r.stateAccess.Lock()
+	if r.closing {
+		r.stateAccess.Unlock()
+		newSnapshot.release()
+		return nil
+	}
+	if shouldReportAddressFilterDeprecated {
+		r.addressFilterDeprecatedReported = true
+	}
+	if shouldReportRuleStrategyDeprecated {
+		r.ruleStrategyDeprecatedReported = true
+	}
+	oldSnapshot := r.currentRules.Swap(newSnapshot)
+	r.stateAccess.Unlock()
+	oldSnapshot.release()
+	if shouldReportAddressFilterDeprecated {
+		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
+	}
+	if shouldReportRuleStrategyDeprecated {
+		deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
+	}
+	return nil
+}
+
+func (r *Router) isClosing() bool {
+	r.stateAccess.Lock()
+	defer r.stateAccess.Unlock()
+	return r.closing
+}
+
+func (r *Router) acquireRulesSnapshot() *rulesSnapshot {
+	r.stateAccess.Lock()
+	defer r.stateAccess.Unlock()
+	snapshot := r.currentRules.Load()
+	snapshot.retain()
+	return snapshot
+}
+
+func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, error) {
 	for i, ruleOptions := range r.rawRules {
 		err := R.ValidateNoNestedDNSRuleActions(ruleOptions)
 		if err != nil {
-			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
 		}
 	}
 	router := service.FromContext[adapter.Router](r.ctx)
-	legacyDNSMode, modeFlags, err := resolveLegacyDNSMode(router, r.rawRules, nil)
+	legacyDNSMode, err := resolveLegacyDNSMode(router, r.rawRules)
 	if err != nil {
-		return nil, false, dnsRuleModeFlags{}, err
+		return nil, false, err
 	}
 	if !legacyDNSMode {
 		err = validateLegacyDNSModeDisabledRules(r.rawRules)
 		if err != nil {
-			return nil, false, dnsRuleModeFlags{}, err
+			return nil, false, err
 		}
 	}
-	err = validateEvaluateFakeIPRules(r.rawRules, r.transport)
-	if err != nil {
-		return nil, false, dnsRuleModeFlags{}, err
-	}
 	newRules := make([]adapter.DNSRule, 0, len(r.rawRules))
 	for i, ruleOptions := range r.rawRules {
 		var dnsRule adapter.DNSRule
 		dnsRule, err = R.NewDNSRule(r.ctx, r.logger, ruleOptions, true, legacyDNSMode)
 		if err != nil {
 			closeRules(newRules)
-			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+			return nil, false, E.Cause(err, "parse dns rule[", i, "]")
 		}
 		newRules = append(newRules, dnsRule)
 	}
@@ -210,11 +280,11 @@ func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, dnsRuleMo
 			err = rule.Start()
 			if err != nil {
 				closeRules(newRules)
-				return nil, false, dnsRuleModeFlags{}, E.Cause(err, "initialize DNS rule[", i, "]")
+				return nil, false, E.Cause(err, "initialize DNS rule[", i, "]")
 			}
 		}
 	}
-	return newRules, legacyDNSMode, modeFlags, nil
+	return newRules, legacyDNSMode, nil
 }

 func closeRules(rules []adapter.DNSRule) {
@@ -223,53 +293,51 @@ func closeRules(rules []adapter.DNSRule) {
 	}
 }

-func (r *Router) ValidateRuleSetMetadataUpdate(tag string, metadata adapter.RuleSetMetadata) error {
-	if len(r.rawRules) == 0 {
-		return nil
+func (r *Router) registerRuleSetCallbacks() (bool, error) {
+	tags := referencedDNSRuleSetTags(r.rawRules)
+	if len(tags) == 0 {
+		return false, nil
 	}
+	r.stateAccess.Lock()
+	if len(r.ruleSetCallbacks) > 0 {
+		r.stateAccess.Unlock()
+		return true, nil
+	}
+	r.stateAccess.Unlock()
 	router := service.FromContext[adapter.Router](r.ctx)
 	if router == nil {
-		return E.New("router service not found")
+		return false, E.New("router service not found")
 	}
-	overrides := map[string]adapter.RuleSetMetadata{
-		tag: metadata,
-	}
-	r.rulesAccess.RLock()
-	started := r.started
-	legacyDNSMode := r.legacyDNSMode
-	closing := r.closing
-	r.rulesAccess.RUnlock()
-	if closing {
-		return nil
-	}
-	if !started {
-		candidateLegacyDNSMode, _, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
-		if err != nil {
-			return err
-		}
-		if !candidateLegacyDNSMode {
-			return validateLegacyDNSModeDisabledRules(r.rawRules)
-		}
-		return nil
-	}
-	candidateLegacyDNSMode, flags, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
-	if err != nil {
-		return err
-	}
-	if legacyDNSMode {
-		if !candidateLegacyDNSMode && flags.disabled {
-			err := validateLegacyDNSModeDisabledRules(r.rawRules)
-			if err != nil {
-				return err
+	callbacks := make([]dnsRuleSetCallback, 0, len(tags))
+	for _, tag := range tags {
+		ruleSet, loaded := router.RuleSet(tag)
+		if !loaded {
+			for _, callback := range callbacks {
+				callback.ruleSet.UnregisterCallback(callback.element)
 			}
-			return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+			return false, E.New("rule-set not found: ", tag)
 		}
-		return nil
+		element := ruleSet.RegisterCallback(func(adapter.RuleSet) {
+			err := r.rebuildRules(true)
+			if err != nil {
+				r.logger.Error(E.Cause(err, "rebuild DNS rules after rule-set update"))
+			}
+		})
+		callbacks = append(callbacks, dnsRuleSetCallback{
+			ruleSet: ruleSet,
+			element: element,
+		})
 	}
-	if candidateLegacyDNSMode {
-		return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+	r.stateAccess.Lock()
+	if len(r.ruleSetCallbacks) == 0 {
+		r.ruleSetCallbacks = callbacks
+		callbacks = nil
 	}
-	return nil
+	r.stateAccess.Unlock()
+	for _, callback := range callbacks {
+		callback.ruleSet.UnregisterCallback(callback.element)
+	}
+	return true, nil
 }

 func (r *Router) matchDNS(ctx context.Context, rules []adapter.DNSRule, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
@@ -349,9 +417,6 @@ func (r *Router) applyDNSRouteOptions(options *adapter.DNSQueryOptions, routeOpt
 	if routeOptions.DisableCache {
 		options.DisableCache = true
 	}
-	if routeOptions.DisableOptimisticCache {
-		options.DisableOptimisticCache = true
-	}
 	if routeOptions.RewriteTTL != nil {
 		options.RewriteTTL = routeOptions.RewriteTTL
 	}
@@ -368,8 +433,8 @@ const (
 	dnsRouteStatusResolved
 )

-func (r *Router) resolveDNSRoute(server string, routeOptions R.RuleActionDNSRouteOptions, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
-	transport, loaded := r.transport.Transport(server)
+func (r *Router) resolveDNSRoute(action *R.RuleActionDNSRoute, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
+	transport, loaded := r.transport.Transport(action.Server)
 	if !loaded {
 		return nil, dnsRouteStatusMissing
 	}
@@ -377,7 +442,7 @@ func (r *Router) resolveDNSRoute(server string, routeOptions R.RuleActionDNSRout
 	if isFakeIP && !allowFakeIP {
 		return transport, dnsRouteStatusSkipped
 	}
-	r.applyDNSRouteOptions(options, routeOptions)
+	r.applyDNSRouteOptions(options, action.RuleActionDNSRouteOptions)
 	if isFakeIP {
 		options.DisableCache = true
 	}
@@ -399,19 +464,16 @@ type exchangeWithRulesResult struct {
 	err          error
 }

-const dnsRespondMissingResponseMessage = "respond action requires an evaluated response from a preceding evaluate action"
-
 func (r *Router) exchangeWithRules(ctx context.Context, rules []adapter.DNSRule, message *mDNS.Msg, options adapter.DNSQueryOptions, allowFakeIP bool) exchangeWithRulesResult {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
 	}
 	effectiveOptions := options
-	var evaluatedResponse *mDNS.Msg
-	var evaluatedTransport adapter.DNSTransport
+	var savedResponse *mDNS.Msg
 	for currentRuleIndex, currentRule := range rules {
 		metadata.ResetRuleCache()
-		metadata.DNSResponse = evaluatedResponse
+		metadata.DNSResponse = savedResponse
 		metadata.DestinationAddressMatchFromResponse = false
 		if !currentRule.Match(metadata) {
 			continue
@@ -422,40 +484,35 @@ func (r *Router) exchangeWithRules(ctx context.Context, rules []adapter.DNSRule,
 			r.applyDNSRouteOptions(&effectiveOptions, *action)
 		case *R.RuleActionEvaluate:
 			queryOptions := effectiveOptions
-			transport, loaded := r.transport.Transport(action.Server)
-			if !loaded {
+			transport, status := r.resolveDNSRoute(&R.RuleActionDNSRoute{
+				Server:                    action.Server,
+				RuleActionDNSRouteOptions: action.RuleActionDNSRouteOptions,
+			}, allowFakeIP, &queryOptions)
+			switch status {
+			case dnsRouteStatusMissing:
 				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
-				evaluatedResponse = nil
-				evaluatedTransport = nil
+				savedResponse = nil
+				continue
+			case dnsRouteStatusSkipped:
 				continue
 			}
-			r.applyDNSRouteOptions(&queryOptions, action.RuleActionDNSRouteOptions)
 			exchangeOptions := queryOptions
 			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
 				exchangeOptions.Strategy = r.defaultDomainStrategy
 			}
 			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
 			if err != nil {
+				if E.IsClosedOrCanceled(err) {
+					return exchangeWithRulesResult{err: err}
+				}
 				r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
-				evaluatedResponse = nil
-				evaluatedTransport = nil
+				savedResponse = nil
 				continue
 			}
-			evaluatedResponse = response
-			evaluatedTransport = transport
-		case *R.RuleActionRespond:
-			if evaluatedResponse == nil {
-				return exchangeWithRulesResult{
-					err: E.New(dnsRespondMissingResponseMessage),
-				}
-			}
-			return exchangeWithRulesResult{
-				response:  evaluatedResponse,
-				transport: evaluatedTransport,
-			}
+			savedResponse = response
 		case *R.RuleActionDNSRoute:
 			queryOptions := effectiveOptions
-			transport, status := r.resolveDNSRoute(action.Server, action.RuleActionDNSRouteOptions, allowFakeIP, &queryOptions)
+			transport, status := r.resolveDNSRoute(action, allowFakeIP, &queryOptions)
 			switch status {
 			case dnsRouteStatusMissing:
 				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
@@ -512,6 +569,10 @@ func (r *Router) exchangeWithRules(ctx context.Context, rules []adapter.DNSRule,
 	}
 }

+type lookupWithRulesResponse struct {
+	addresses []netip.Addr
+}
+
 func (r *Router) resolveLookupStrategy(options adapter.DNSQueryOptions) C.DomainStrategy {
 	if options.LookupStrategy != C.DomainStrategyAsIS {
 		return options.LookupStrategy
@@ -557,14 +618,16 @@ func (r *Router) lookupWithRules(ctx context.Context, rules []adapter.DNSRule, d
 		lookupOptions.Strategy = strategy
 	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+		response, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+		return response.addresses, err
 	}
 	if strategy == C.DomainStrategyIPv6Only {
-		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+		response, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+		return response.addresses, err
 	}
 	var (
-		response4 []netip.Addr
-		response6 []netip.Addr
+		response4 lookupWithRulesResponse
+		response6 lookupWithRulesResponse
 	)
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
@@ -578,13 +641,13 @@ func (r *Router) lookupWithRules(ctx context.Context, rules []adapter.DNSRule, d
 		return err
 	})
 	err := group.Run(ctx)
-	if len(response4) == 0 && len(response6) == 0 {
+	if len(response4.addresses) == 0 && len(response6.addresses) == 0 {
 		return nil, err
 	}
-	return sortAddresses(response4, response6, strategy), nil
+	return sortAddresses(response4.addresses, response6.addresses, strategy), nil
 }

-func (r *Router) lookupWithRulesType(ctx context.Context, rules []adapter.DNSRule, domain string, qType uint16, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+func (r *Router) lookupWithRulesType(ctx context.Context, rules []adapter.DNSRule, domain string, qType uint16, options adapter.DNSQueryOptions) (lookupWithRulesResponse, error) {
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			RecursionDesired: true,
@@ -596,16 +659,18 @@ func (r *Router) lookupWithRulesType(ctx context.Context, rules []adapter.DNSRul
 		}},
 	}
 	exchangeResult := r.exchangeWithRules(withLookupQueryMetadata(ctx, qType), rules, request, options, false)
+	result := lookupWithRulesResponse{}
 	if exchangeResult.rejectAction != nil {
-		return nil, exchangeResult.rejectAction.Error(ctx)
+		return result, exchangeResult.rejectAction.Error(ctx)
 	}
 	if exchangeResult.err != nil {
-		return nil, exchangeResult.err
+		return result, exchangeResult.err
 	}
 	if exchangeResult.response.Rcode != mDNS.RcodeSuccess {
-		return nil, RcodeError(exchangeResult.response.Rcode)
+		return result, RcodeError(exchangeResult.response.Rcode)
 	}
-	return filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType), nil
+	result.addresses = filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType)
+	return result, nil
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -621,14 +686,16 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		}
 		return &responseMessage, nil
 	}
-	r.rulesAccess.RLock()
-	if r.closing {
-		r.rulesAccess.RUnlock()
-		return nil, E.New("dns router closed")
+	snapshot := r.acquireRulesSnapshot()
+	defer snapshot.release()
+	var (
+		rules         []adapter.DNSRule
+		legacyDNSMode bool
+	)
+	if snapshot != nil {
+		rules = snapshot.rules
+		legacyDNSMode = snapshot.legacyDNSMode
 	}
-	rules := r.rules
-	legacyDNSMode := r.legacyDNSMode
-	r.rulesAccess.RUnlock()
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		response  *mDNS.Msg
@@ -734,14 +801,16 @@ done:
 }

 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
-	r.rulesAccess.RLock()
-	if r.closing {
-		r.rulesAccess.RUnlock()
-		return nil, E.New("dns router closed")
+	snapshot := r.acquireRulesSnapshot()
+	defer snapshot.release()
+	var (
+		rules         []adapter.DNSRule
+		legacyDNSMode bool
+	)
+	if snapshot != nil {
+		rules = snapshot.rules
+		legacyDNSMode = snapshot.legacyDNSMode
 	}
-	rules := r.rules
-	legacyDNSMode := r.legacyDNSMode
-	r.rulesAccess.RUnlock()
 	var (
 		responseAddrs []netip.Addr
 		err           error
@@ -874,10 +943,10 @@ func (r *Router) ResetNetwork() {
 }

 func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
-	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
 		return true
 	}
-	return !rule.MatchResponse && (rule.IPAcceptAny || len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
+	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
 }

 func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
@@ -891,111 +960,88 @@ func defaultRuleDisablesLegacyDNSMode(rule option.DefaultDNSRule) bool {
 	return rule.MatchResponse ||
 		hasResponseMatchFields(rule) ||
 		rule.Action == C.RuleActionTypeEvaluate ||
-		rule.Action == C.RuleActionTypeRespond ||
 		rule.IPVersion > 0 ||
 		len(rule.QueryType) > 0
 }

-type dnsRuleModeFlags struct {
-	disabled           bool
-	needed             bool
-	neededFromStrategy bool
-}
-
-func (f *dnsRuleModeFlags) merge(other dnsRuleModeFlags) {
-	f.disabled = f.disabled || other.disabled
-	f.needed = f.needed || other.needed
-	f.neededFromStrategy = f.neededFromStrategy || other.neededFromStrategy
-}
-
-func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (bool, dnsRuleModeFlags, error) {
-	flags, err := dnsRuleModeRequirements(router, rules, metadataOverrides)
+func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule) (bool, error) {
+	legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirements(router, rules)
 	if err != nil {
-		return false, flags, err
+		return false, err
 	}
-	if flags.disabled && flags.neededFromStrategy {
-		return false, flags, E.New(deprecated.OptionLegacyDNSRuleStrategy.MessageWithLink())
+	if legacyDNSModeDisabled && needsLegacyDNSModeFromStrategy {
+		return false, E.New("DNS rule action strategy is only supported in legacyDNSMode")
 	}
-	if flags.disabled {
-		return false, flags, nil
+	if legacyDNSModeDisabled {
+		return false, nil
 	}
-	return flags.needed, flags, nil
+	return needsLegacyDNSMode, nil
 }

-func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
-	var flags dnsRuleModeFlags
+func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule) (bool, bool, bool, error) {
+	var legacyDNSModeDisabled bool
+	var needsLegacyDNSMode bool
+	var needsLegacyDNSModeFromStrategy bool
 	for i, rule := range rules {
-		ruleFlags, err := dnsRuleModeRequirementsInRule(router, rule, metadataOverrides)
+		ruleLegacyDNSModeDisabled, ruleNeedsLegacyDNSMode, ruleNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, rule)
 		if err != nil {
-			return dnsRuleModeFlags{}, E.Cause(err, "dns rule[", i, "]")
+			return false, false, false, E.Cause(err, "dns rule[", i, "]")
 		}
-		flags.merge(ruleFlags)
+		legacyDNSModeDisabled = legacyDNSModeDisabled || ruleLegacyDNSModeDisabled
+		needsLegacyDNSMode = needsLegacyDNSMode || ruleNeedsLegacyDNSMode
+		needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || ruleNeedsLegacyDNSModeFromStrategy
 	}
-	return flags, nil
+	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
 }

-func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule) (bool, bool, bool, error) {
 	switch rule.Type {
 	case "", C.RuleTypeDefault:
-		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions, metadataOverrides)
+		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions)
 	case C.RuleTypeLogical:
-		flags := dnsRuleModeFlags{
-			disabled: dnsRuleActionType(rule) == C.RuleActionTypeEvaluate ||
-				dnsRuleActionType(rule) == C.RuleActionTypeRespond ||
-				dnsRuleActionDisablesLegacyDNSMode(rule.LogicalOptions.DNSRuleAction),
-			neededFromStrategy: dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction),
-		}
-		flags.needed = flags.neededFromStrategy
+		legacyDNSModeDisabled := dnsRuleActionType(rule) == C.RuleActionTypeEvaluate
+		needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction)
+		needsLegacyDNSMode := needsLegacyDNSModeFromStrategy
 		for i, subRule := range rule.LogicalOptions.Rules {
-			subFlags, err := dnsRuleModeRequirementsInRule(router, subRule, metadataOverrides)
+			subLegacyDNSModeDisabled, subNeedsLegacyDNSMode, subNeedsLegacyDNSModeFromStrategy, err := dnsRuleModeRequirementsInRule(router, subRule)
 			if err != nil {
-				return dnsRuleModeFlags{}, E.Cause(err, "sub rule[", i, "]")
+				return false, false, false, E.Cause(err, "sub rule[", i, "]")
 			}
-			flags.merge(subFlags)
+			legacyDNSModeDisabled = legacyDNSModeDisabled || subLegacyDNSModeDisabled
+			needsLegacyDNSMode = needsLegacyDNSMode || subNeedsLegacyDNSMode
+			needsLegacyDNSModeFromStrategy = needsLegacyDNSModeFromStrategy || subNeedsLegacyDNSModeFromStrategy
 		}
-		return flags, nil
+		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
 	default:
-		return dnsRuleModeFlags{}, nil
+		return false, false, false, nil
 	}
 }

-func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
-	flags := dnsRuleModeFlags{
-		disabled:           defaultRuleDisablesLegacyDNSMode(rule) || dnsRuleActionDisablesLegacyDNSMode(rule.DNSRuleAction),
-		neededFromStrategy: dnsRuleActionHasStrategy(rule.DNSRuleAction),
-	}
-	flags.needed = defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || flags.neededFromStrategy
+func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule) (bool, bool, bool, error) {
+	legacyDNSModeDisabled := defaultRuleDisablesLegacyDNSMode(rule)
+	needsLegacyDNSModeFromStrategy := dnsRuleActionHasStrategy(rule.DNSRuleAction)
+	needsLegacyDNSMode := defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || needsLegacyDNSModeFromStrategy
 	if len(rule.RuleSet) == 0 {
-		return flags, nil
+		return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
 	}
 	if router == nil {
-		return dnsRuleModeFlags{}, E.New("router service not found")
+		return false, false, false, E.New("router service not found")
 	}
 	for _, tag := range rule.RuleSet {
-		metadata, err := lookupDNSRuleSetMetadata(router, tag, metadataOverrides)
-		if err != nil {
-			return dnsRuleModeFlags{}, err
+		ruleSet, loaded := router.RuleSet(tag)
+		if !loaded {
+			return false, false, false, E.New("rule-set not found: ", tag)
 		}
-		// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
-		flags.disabled = flags.disabled || metadata.ContainsDNSQueryTypeRule
+		metadata := ruleSet.Metadata()
+		// Rule sets are built from headless rules, so query_type is the only
+		// per-query DNS predicate they can contribute here. ip_version is not a
+		// headless-rule item and is therefore intentionally absent from metadata.
+		legacyDNSModeDisabled = legacyDNSModeDisabled || metadata.ContainsDNSQueryTypeRule
 		if !rule.RuleSetIPCIDRMatchSource && metadata.ContainsIPCIDRRule {
-			flags.needed = true
+			needsLegacyDNSMode = true
 		}
 	}
-	return flags, nil
-}
-
-func lookupDNSRuleSetMetadata(router adapter.Router, tag string, metadataOverrides map[string]adapter.RuleSetMetadata) (adapter.RuleSetMetadata, error) {
-	if metadataOverrides != nil {
-		if metadata, loaded := metadataOverrides[tag]; loaded {
-			return metadata, nil
-		}
-	}
-	ruleSet, loaded := router.RuleSet(tag)
-	if !loaded {
-		return adapter.RuleSetMetadata{}, E.New("rule-set not found: ", tag)
-	}
-	return ruleSet.Metadata(), nil
+	return legacyDNSModeDisabled, needsLegacyDNSMode, needsLegacyDNSModeFromStrategy, nil
 }

 func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
@@ -1026,39 +1072,15 @@ func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
 }

 func validateLegacyDNSModeDisabledRules(rules []option.DNSRule) error {
-	var seenEvaluate bool
 	for i, rule := range rules {
-		requiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(rule)
+		consumesResponse, err := validateLegacyDNSModeDisabledRuleTree(rule)
 		if err != nil {
 			return E.Cause(err, "validate dns rule[", i, "]")
 		}
-		if requiresPriorEvaluate && !seenEvaluate {
-			return E.New("dns rule[", i, "]: response-based matching requires a preceding evaluate action")
+		action := dnsRuleActionType(rule)
+		if action == C.RuleActionTypeEvaluate && consumesResponse {
+			return E.New("dns rule[", i, "]: evaluate rule cannot consume response state")
 		}
-		if dnsRuleActionType(rule) == C.RuleActionTypeEvaluate {
-			seenEvaluate = true
-		}
-	}
-	return nil
-}
-
-func validateEvaluateFakeIPRules(rules []option.DNSRule, transportManager adapter.DNSTransportManager) error {
-	if transportManager == nil {
-		return nil
-	}
-	for i, rule := range rules {
-		if dnsRuleActionType(rule) != C.RuleActionTypeEvaluate {
-			continue
-		}
-		server := dnsRuleActionServer(rule)
-		if server == "" {
-			continue
-		}
-		transport, loaded := transportManager.Transport(server)
-		if !loaded || transport.Type() != C.DNSTypeFakeIP {
-			continue
-		}
-		return E.New("dns rule[", i, "]: evaluate action cannot use fakeip server: ", server)
 	}
 	return nil
 }
@@ -1068,15 +1090,15 @@ func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
 	case "", C.RuleTypeDefault:
 		return validateLegacyDNSModeDisabledDefaultRule(rule.DefaultOptions)
 	case C.RuleTypeLogical:
-		requiresPriorEvaluate := dnsRuleActionType(rule) == C.RuleActionTypeRespond
+		var consumesResponse bool
 		for i, subRule := range rule.LogicalOptions.Rules {
-			subRequiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(subRule)
+			subConsumesResponse, err := validateLegacyDNSModeDisabledRuleTree(subRule)
 			if err != nil {
 				return false, E.Cause(err, "sub rule[", i, "]")
 			}
-			requiresPriorEvaluate = requiresPriorEvaluate || subRequiresPriorEvaluate
+			consumesResponse = consumesResponse || subConsumesResponse
 		}
-		return requiresPriorEvaluate, nil
+		return consumesResponse, nil
 	default:
 		return false, nil
 	}
@@ -1084,26 +1106,44 @@ func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {

 func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
 	hasResponseRecords := hasResponseMatchFields(rule)
-	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate || rule.IPAcceptAny) && !rule.MatchResponse {
-		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, ip_accept_any, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
+	if hasResponseRecords && !rule.MatchResponse {
+		return false, E.New("response_* items require match_response")
+	}
+	if (len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+		return false, E.New("ip_cidr and ip_is_private require match_response when legacyDNSMode is disabled")
 	}
 	// Intentionally do not reject rule_set here. A referenced rule set may mix
 	// destination-IP predicates with pre-response predicates such as domain items.
 	// When match_response is false, those destination-IP branches fail closed during
 	// pre-response evaluation instead of consuming DNS response state, while sibling
 	// non-response branches remain matchable.
-	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
-		return false, E.New(deprecated.OptionRuleSetIPCIDRAcceptEmpty.MessageWithLink())
+	if rule.IPAcceptAny { //nolint:staticcheck
+		return false, E.New("ip_accept_any is removed when legacyDNSMode is disabled, use ip_cidr with match_response")
 	}
-	return rule.MatchResponse || rule.Action == C.RuleActionTypeRespond, nil
+	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return false, E.New("rule_set_ip_cidr_accept_empty is removed when legacyDNSMode is disabled")
+	}
+	return rule.MatchResponse, nil
 }

-func dnsRuleActionDisablesLegacyDNSMode(action option.DNSRuleAction) bool {
-	switch action.Action {
-	case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
-		return action.RouteOptions.DisableOptimisticCache
-	case C.RuleActionTypeRouteOptions:
-		return action.RouteOptionsOptions.DisableOptimisticCache
+func hasDNSRuleActionStrategy(rules []option.DNSRule) bool {
+	for _, rule := range rules {
+		if dnsRuleHasActionStrategy(rule) {
+			return true
+		}
+	}
+	return false
+}
+
+func dnsRuleHasActionStrategy(rule option.DNSRule) bool {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return dnsRuleActionHasStrategy(rule.DefaultOptions.DNSRuleAction)
+	case C.RuleTypeLogical:
+		if dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction) {
+			return true
+		}
+		return hasDNSRuleActionStrategy(rule.LogicalOptions.Rules)
 	default:
 		return false
 	}
@@ -1136,14 +1176,3 @@ func dnsRuleActionType(rule option.DNSRule) string {
 		return ""
 	}
 }
-
-func dnsRuleActionServer(rule option.DNSRule) string {
-	switch rule.Type {
-	case "", C.RuleTypeDefault:
-		return rule.DefaultOptions.RouteOptions.Server
-	case C.RuleTypeLogical:
-		return rule.LogicalOptions.RouteOptions.Server
-	default:
-		return ""
-	}
-}
--- a/dns/router_test.go
+++ b/dns/router_test.go
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -3,18 +3,17 @@ package transport
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
 	"errors"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
-	"strings"
+	"strconv"
 	"sync"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/httpclient"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
@@ -27,9 +26,9 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	sHTTP "github.com/sagernet/sing/protocol/http"
-	"github.com/sagernet/sing/service"

 	mDNS "github.com/miekg/dns"
+	"golang.org/x/net/http2"
 )

 const MimeType = "application/dns-message"
@@ -43,20 +42,57 @@ func RegisterHTTPS(registry *dns.TransportRegistry) {
 type HTTPSTransport struct {
 	dns.TransportAdapter
 	logger           logger.ContextLogger
+	dialer           N.Dialer
 	destination      *url.URL
-	method           string
-	host             string
-	queryHeaders     http.Header
+	headers          http.Header
 	transportAccess  sync.Mutex
-	transport        adapter.HTTPTransport
+	transport        *HTTPSTransportWrapper
 	transportResetAt time.Time
 }

 func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
+	if err != nil {
+		return nil, err
+	}
+	tlsOptions := common.PtrValueOrDefault(options.TLS)
+	tlsOptions.Enabled = true
+	tlsConfig, err := tls.NewClient(ctx, logger, options.Server, tlsOptions)
+	if err != nil {
+		return nil, err
+	}
+	if len(tlsConfig.NextProtos()) == 0 {
+		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
+	}
 	headers := options.Headers.Build()
 	host := headers.Get("Host")
-	headers.Del("Host")
-	headers.Set("Accept", MimeType)
+	if host != "" {
+		headers.Del("Host")
+	} else {
+		if tlsConfig.ServerName() != "" {
+			host = tlsConfig.ServerName()
+		} else {
+			host = options.Server
+		}
+	}
+	destinationURL := url.URL{
+		Scheme: "https",
+		Host:   host,
+	}
+	if destinationURL.Host == "" {
+		destinationURL.Host = options.Server
+	}
+	if options.ServerPort != 0 && options.ServerPort != 443 {
+		destinationURL.Host = net.JoinHostPort(destinationURL.Host, strconv.Itoa(int(options.ServerPort)))
+	}
+	path := options.Path
+	if path == "" {
+		path = "/dns-query"
+	}
+	err = sHTTP.URLSetPath(&destinationURL, path)
+	if err != nil {
+		return nil, err
+	}
 	serverAddr := options.DNSServerAddressOptions.Build()
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 443
@@ -64,123 +100,56 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if !serverAddr.IsValid() {
 		return nil, E.New("invalid server address: ", serverAddr)
 	}
-	destinationURL := url.URL{
-		Scheme: "https",
-		Host:   doHURLHost(serverAddr, 443),
-	}
-	path := options.Path
-	if path == "" {
-		path = "/dns-query"
-	}
-	err := sHTTP.URLSetPath(&destinationURL, path)
-	if err != nil {
-		return nil, err
-	}
-	method := strings.ToUpper(options.Method)
-	if method == "" {
-		method = http.MethodPost
-	}
-	switch method {
-	case http.MethodGet, http.MethodPost:
-	default:
-		return nil, E.New("unsupported HTTPS DNS method: ", options.Method)
-	}
-	if method == http.MethodPost {
-		headers.Set("Content-Type", MimeType)
-	}
-	httpClientOptions := options.HTTPClientOptions
-	tlsOptions := common.PtrValueOrDefault(httpClientOptions.TLS)
-	tlsOptions.Enabled = true
-	httpClientOptions.TLS = &tlsOptions
-	httpClientOptions.Tag = ""
-	httpClientOptions.Headers = nil
-	if options.ServerIsDomain() {
-		httpClientOptions.DirectResolver = true
-	}
-	httpClientManager := service.FromContext[adapter.HTTPClientManager](ctx)
-	transport, err := httpClientManager.ResolveTransport(ctx, logger, httpClientOptions)
-	if err != nil {
-		return nil, err
-	}
-	remoteOptions := option.RemoteDNSServerOptions{
-		RawLocalDNSServerOptions: option.RawLocalDNSServerOptions{
-			DialerOptions: options.DialerOptions,
-		},
-		DNSServerAddressOptions: options.DNSServerAddressOptions,
-	}
-	return &HTTPSTransport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, remoteOptions),
-		logger:           logger,
-		destination:      &destinationURL,
-		method:           method,
-		host:             host,
-		queryHeaders:     headers,
-		transport:        transport,
-	}, nil
+	return NewHTTPSRaw(
+		dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, options.RemoteDNSServerOptions),
+		logger,
+		transportDialer,
+		&destinationURL,
+		headers,
+		serverAddr,
+		tlsConfig,
+	), nil
 }

-func NewHTTPRaw(
+func NewHTTPSRaw(
 	adapter dns.TransportAdapter,
-	logger logger.ContextLogger,
+	logger log.ContextLogger,
 	dialer N.Dialer,
 	destination *url.URL,
 	headers http.Header,
+	serverAddr M.Socksaddr,
 	tlsConfig tls.Config,
-	method string,
-) (*HTTPSTransport, error) {
-	if destination.Scheme == "https" && tlsConfig == nil {
-		return nil, E.New("TLS transport unavailable")
-	}
-	queryHeaders := headers.Clone()
-	host := queryHeaders.Get("Host")
-	queryHeaders.Del("Host")
-	queryHeaders.Set("Accept", MimeType)
-	if method == http.MethodPost {
-		queryHeaders.Set("Content-Type", MimeType)
-	}
-	currentTransport, err := httpclient.NewTransportWithDialer(dialer, tlsConfig, "", option.HTTPClientOptions{})
-	if err != nil {
-		return nil, err
-	}
+) *HTTPSTransport {
 	return &HTTPSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
+		dialer:           dialer,
 		destination:      destination,
-		method:           method,
-		host:             host,
-		queryHeaders:     queryHeaders,
-		transport:        currentTransport,
-	}, nil
+		headers:          headers,
+		transport:        NewHTTPSTransportWrapper(tls.NewDialer(dialer, tlsConfig), serverAddr),
+	}
 }

 func (t *HTTPSTransport) Start(stage adapter.StartStage) error {
 	if stage != adapter.StartStateStart {
 		return nil
 	}
-	return httpclient.InitializeDetour(t.transport)
+	return dialer.InitializeDetour(t.dialer)
 }

 func (t *HTTPSTransport) Close() error {
 	t.transportAccess.Lock()
 	defer t.transportAccess.Unlock()
-	if t.transport == nil {
-		return nil
-	}
-	err := t.transport.Close()
-	t.transport = nil
-	return err
+	t.transport.CloseIdleConnections()
+	t.transport = t.transport.Clone()
+	return nil
 }

 func (t *HTTPSTransport) Reset() {
 	t.transportAccess.Lock()
 	defer t.transportAccess.Unlock()
-	if t.transport == nil {
-		return
-	}
-	oldTransport := t.transport
-	oldTransport.CloseIdleConnections()
-	// Close is intentionally avoided here because some Clone implementations share transport state.
-	t.transport = oldTransport.Clone()
+	t.transport.CloseIdleConnections()
+	t.transport = t.transport.Clone()
 }

 func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
@@ -190,12 +159,11 @@ func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 		if errors.Is(err, context.DeadlineExceeded) {
 			t.transportAccess.Lock()
 			defer t.transportAccess.Unlock()
-			if t.transport == nil || t.transportResetAt.After(startAt) {
+			if t.transportResetAt.After(startAt) {
 				return nil, err
 			}
-			oldTransport := t.transport
-			oldTransport.CloseIdleConnections()
-			t.transport = oldTransport.Clone()
+			t.transport.CloseIdleConnections()
+			t.transport = t.transport.Clone()
 			t.transportResetAt = time.Now()
 		}
 		return nil, err
@@ -213,32 +181,17 @@ func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 		requestBuffer.Release()
 		return nil, err
 	}
-	requestURL := *t.destination
-	var request *http.Request
-	switch t.method {
-	case http.MethodGet:
-		query := requestURL.Query()
-		query.Set("dns", base64.RawURLEncoding.EncodeToString(rawMessage))
-		requestURL.RawQuery = query.Encode()
-		request, err = http.NewRequestWithContext(ctx, http.MethodGet, requestURL.String(), nil)
-	default:
-		request, err = http.NewRequestWithContext(ctx, http.MethodPost, requestURL.String(), bytes.NewReader(rawMessage))
-	}
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
 	if err != nil {
 		requestBuffer.Release()
 		return nil, err
 	}
-	request.Header = t.queryHeaders.Clone()
-	if t.host != "" {
-		request.Host = t.host
-	}
+	request.Header = t.headers.Clone()
+	request.Header.Set("Content-Type", MimeType)
+	request.Header.Set("Accept", MimeType)
 	t.transportAccess.Lock()
 	currentTransport := t.transport
 	t.transportAccess.Unlock()
-	if currentTransport == nil {
-		requestBuffer.Release()
-		return nil, net.ErrClosed
-	}
 	response, err := currentTransport.RoundTrip(request)
 	requestBuffer.Release()
 	if err != nil {
@@ -269,13 +222,3 @@ func (t *HTTPSTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 	}
 	return &responseMessage, nil
 }
-
-func doHURLHost(serverAddr M.Socksaddr, defaultPort uint16) string {
-	if serverAddr.Port != defaultPort {
-		return serverAddr.String()
-	}
-	if serverAddr.IsIPv6() {
-		return "[" + serverAddr.AddrString() + "]"
-	}
-	return serverAddr.AddrString()
-}
--- a/dns/transport/https_transport.go
+++ b/dns/transport/https_transport.go
@@ -0,0 +1,80 @@
+package transport
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/common/tls"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"golang.org/x/net/http2"
+)
+
+var errFallback = E.New("fallback to HTTP/1.1")
+
+type HTTPSTransportWrapper struct {
+	http2Transport *http2.Transport
+	httpTransport  *http.Transport
+	fallback       *atomic.Bool
+}
+
+func NewHTTPSTransportWrapper(dialer tls.Dialer, serverAddr M.Socksaddr) *HTTPSTransportWrapper {
+	var fallback atomic.Bool
+	return &HTTPSTransportWrapper{
+		http2Transport: &http2.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string, _ *tls.STDConfig) (net.Conn, error) {
+				tlsConn, err := dialer.DialTLSContext(ctx, serverAddr)
+				if err != nil {
+					return nil, err
+				}
+				state := tlsConn.ConnectionState()
+				if state.NegotiatedProtocol == http2.NextProtoTLS {
+					return tlsConn, nil
+				}
+				tlsConn.Close()
+				fallback.Store(true)
+				return nil, errFallback
+			},
+		},
+		httpTransport: &http.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+				return dialer.DialTLSContext(ctx, serverAddr)
+			},
+		},
+		fallback: &fallback,
+	}
+}
+
+func (h *HTTPSTransportWrapper) RoundTrip(request *http.Request) (*http.Response, error) {
+	if h.fallback.Load() {
+		return h.httpTransport.RoundTrip(request)
+	} else {
+		response, err := h.http2Transport.RoundTrip(request)
+		if err != nil {
+			if errors.Is(err, errFallback) {
+				return h.httpTransport.RoundTrip(request)
+			}
+			return nil, err
+		}
+		return response, nil
+	}
+}
+
+func (h *HTTPSTransportWrapper) CloseIdleConnections() {
+	h.http2Transport.CloseIdleConnections()
+	h.httpTransport.CloseIdleConnections()
+}
+
+func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
+	return &HTTPSTransportWrapper{
+		httpTransport: h.httpTransport,
+		http2Transport: &http2.Transport{
+			DialTLSContext: h.http2Transport.DialTLSContext,
+		},
+		fallback: h.fallback,
+	}
+}
--- a/dns/transport/local/local_darwin.go
+++ b/dns/transport/local/local_darwin.go
@@ -4,6 +4,8 @@ package local

 import (
 	"context"
+	"errors"
+	"net"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -12,6 +14,7 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -32,8 +35,10 @@ type Transport struct {
 	logger        logger.ContextLogger
 	hosts         *hosts.File
 	dialer        N.Dialer
+	preferGo      bool
 	fallback      bool
 	dhcpTransport dhcpTransport
+	resolver      net.Resolver
 }

 type dhcpTransport interface {
@@ -47,12 +52,14 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 	if err != nil {
 		return nil, err
 	}
+	transportAdapter := dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options)
 	return &Transport{
-		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
+		TransportAdapter: transportAdapter,
 		ctx:              ctx,
 		logger:           logger,
 		hosts:            hosts.NewFile(hosts.DefaultPath),
 		dialer:           transportDialer,
+		preferGo:         options.PreferGo,
 	}, nil
 }

@@ -90,3 +97,44 @@ func (t *Transport) Reset() {
 		t.dhcpTransport.Reset()
 	}
 }
+
+func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
+		if len(addresses) > 0 {
+			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+		}
+	}
+	if !t.fallback {
+		return t.exchange(ctx, message, question.Name)
+	}
+	if t.dhcpTransport != nil {
+		dhcpTransports := t.dhcpTransport.Fetch()
+		if len(dhcpTransports) > 0 {
+			return t.dhcpTransport.Exchange0(ctx, message, dhcpTransports)
+		}
+	}
+	if t.preferGo {
+		// Assuming the user knows what they are doing, we still execute the query which will fail.
+		return t.exchange(ctx, message, question.Name)
+	}
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		var network string
+		if question.Qtype == mDNS.TypeA {
+			network = "ip4"
+		} else {
+			network = "ip6"
+		}
+		addresses, err := t.resolver.LookupNetIP(ctx, network, question.Name)
+		if err != nil {
+			var dnsError *net.DNSError
+			if errors.As(err, &dnsError) && dnsError.IsNotFound {
+				return nil, dns.RcodeRefused
+			}
+			return nil, err
+		}
+		return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
+	}
+	return nil, E.New("only A and AAAA queries are supported on Apple platforms when using TUN and DHCP unavailable.")
+}
--- a/dns/transport/local/local_darwin_cgo.go
+++ b/dns/transport/local/local_darwin_cgo.go
@@ -1,249 +0,0 @@
-//go:build darwin
-
-package local
-
-/*
-#include <stdlib.h>
-#include <dns.h>
-#include <resolv.h>
-
-static void *cgo_dns_open_super() {
-	return (void *)dns_open(NULL);
-}
-
-static void cgo_dns_close(void *opaque) {
-	if (opaque != NULL) dns_free((dns_handle_t)opaque);
-}
-
-static int cgo_dns_search(void *opaque, const char *name, int class, int type,
-	unsigned char *answer, int anslen) {
-	dns_handle_t handle = (dns_handle_t)opaque;
-	struct sockaddr_storage from;
-	uint32_t fromlen = sizeof(from);
-	return dns_search(handle, name, class, type, (char *)answer, anslen, (struct sockaddr *)&from, &fromlen);
-}
-
-static void *cgo_res_init() {
-	res_state state = calloc(1, sizeof(struct __res_state));
-	if (state == NULL) return NULL;
-	if (res_ninit(state) != 0) {
-		free(state);
-		return NULL;
-	}
-	return state;
-}
-
-static void cgo_res_destroy(void *opaque) {
-	res_state state = (res_state)opaque;
-	res_ndestroy(state);
-	free(state);
-}
-
-static int cgo_res_nsearch(void *opaque, const char *dname, int class, int type,
-	unsigned char *answer, int anslen,
-	int timeout_seconds,
-	int *out_h_errno) {
-	res_state state = (res_state)opaque;
-	state->retrans = timeout_seconds;
-	state->retry = 1;
-	int n = res_nsearch(state, dname, class, type, answer, anslen);
-	if (n < 0) {
-		*out_h_errno = state->res_h_errno;
-	}
-	return n;
-}
-*/
-import "C"
-
-import (
-	"context"
-	"errors"
-	"time"
-	"unsafe"
-
-	boxC "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/dns"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	mDNS "github.com/miekg/dns"
-)
-
-const (
-	darwinResolverHostNotFound = 1
-	darwinResolverTryAgain     = 2
-	darwinResolverNoRecovery   = 3
-	darwinResolverNoData       = 4
-
-	darwinResolverMaxPacketSize = 65535
-)
-
-var errDarwinNeedLargerBuffer = errors.New("darwin resolver response truncated")
-
-func darwinLookupSystemDNS(name string, class, qtype, timeoutSeconds int) (*mDNS.Msg, error) {
-	response, err := darwinSearchWithSystemRouting(name, class, qtype)
-	if err == nil {
-		return response, nil
-	}
-	fallbackResponse, fallbackErr := darwinSearchWithResolv(name, class, qtype, timeoutSeconds)
-	if fallbackErr == nil || fallbackResponse != nil {
-		return fallbackResponse, fallbackErr
-	}
-	return nil, E.Errors(
-		E.Cause(err, "dns_search"),
-		E.Cause(fallbackErr, "res_nsearch"),
-	)
-}
-
-func darwinSearchWithSystemRouting(name string, class, qtype int) (*mDNS.Msg, error) {
-	handle := C.cgo_dns_open_super()
-	if handle == nil {
-		return nil, E.New("dns_open failed")
-	}
-	defer C.cgo_dns_close(handle)
-
-	cName := C.CString(name)
-	defer C.free(unsafe.Pointer(cName))
-
-	bufSize := 1232
-	for {
-		answer := make([]byte, bufSize)
-		n := C.cgo_dns_search(handle, cName, C.int(class), C.int(qtype),
-			(*C.uchar)(unsafe.Pointer(&answer[0])), C.int(len(answer)))
-		if n <= 0 {
-			return nil, E.New("dns_search failed for ", name)
-		}
-		if int(n) > bufSize {
-			bufSize = int(n)
-			continue
-		}
-		return unpackDarwinResolverMessage(answer[:int(n)], "dns_search")
-	}
-}
-
-func darwinSearchWithResolv(name string, class, qtype int, timeoutSeconds int) (*mDNS.Msg, error) {
-	state := C.cgo_res_init()
-	if state == nil {
-		return nil, E.New("res_ninit failed")
-	}
-	defer C.cgo_res_destroy(state)
-
-	cName := C.CString(name)
-	defer C.free(unsafe.Pointer(cName))
-
-	bufSize := 1232
-	for {
-		answer := make([]byte, bufSize)
-		var hErrno C.int
-		n := C.cgo_res_nsearch(state, cName, C.int(class), C.int(qtype),
-			(*C.uchar)(unsafe.Pointer(&answer[0])), C.int(len(answer)),
-			C.int(timeoutSeconds),
-			&hErrno)
-		if n >= 0 {
-			if int(n) > bufSize {
-				bufSize = int(n)
-				continue
-			}
-			return unpackDarwinResolverMessage(answer[:int(n)], "res_nsearch")
-		}
-		response, err := handleDarwinResolvFailure(name, answer, int(hErrno))
-		if err == nil {
-			return response, nil
-		}
-		if errors.Is(err, errDarwinNeedLargerBuffer) && bufSize < darwinResolverMaxPacketSize {
-			bufSize *= 2
-			if bufSize > darwinResolverMaxPacketSize {
-				bufSize = darwinResolverMaxPacketSize
-			}
-			continue
-		}
-		return nil, err
-	}
-}
-
-func unpackDarwinResolverMessage(packet []byte, source string) (*mDNS.Msg, error) {
-	var response mDNS.Msg
-	err := response.Unpack(packet)
-	if err != nil {
-		return nil, E.Cause(err, "unpack ", source, " response")
-	}
-	return &response, nil
-}
-
-func handleDarwinResolvFailure(name string, answer []byte, hErrno int) (*mDNS.Msg, error) {
-	response, err := unpackDarwinResolverMessage(answer, "res_nsearch failure")
-	if err == nil && response.Response {
-		if response.Truncated && len(answer) < darwinResolverMaxPacketSize {
-			return nil, errDarwinNeedLargerBuffer
-		}
-		return response, nil
-	}
-	return nil, darwinResolverHErrno(name, hErrno)
-}
-
-func darwinResolverHErrno(name string, hErrno int) error {
-	switch hErrno {
-	case darwinResolverHostNotFound:
-		return dns.RcodeNameError
-	case darwinResolverTryAgain:
-		return dns.RcodeServerFailure
-	case darwinResolverNoRecovery:
-		return dns.RcodeServerFailure
-	case darwinResolverNoData:
-		return dns.RcodeSuccess
-	default:
-		return E.New("res_nsearch: unknown error ", hErrno, " for ", name)
-	}
-}
-
-func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
-		if len(addresses) > 0 {
-			return dns.FixedResponse(message.Id, question, addresses, boxC.DefaultDNSTTL), nil
-		}
-	}
-	if t.fallback && t.dhcpTransport != nil {
-		dhcpServers := t.dhcpTransport.Fetch()
-		if len(dhcpServers) > 0 {
-			return t.dhcpTransport.Exchange0(ctx, message, dhcpServers)
-		}
-	}
-	name := question.Name
-	timeoutSeconds := int(boxC.DNSTimeout / time.Second)
-	if deadline, hasDeadline := ctx.Deadline(); hasDeadline {
-		remaining := time.Until(deadline)
-		if remaining <= 0 {
-			return nil, context.DeadlineExceeded
-		}
-		seconds := int(remaining.Seconds())
-		if seconds < 1 {
-			seconds = 1
-		}
-		timeoutSeconds = seconds
-	}
-	type resolvResult struct {
-		response *mDNS.Msg
-		err      error
-	}
-	resultCh := make(chan resolvResult, 1)
-	go func() {
-		response, err := darwinLookupSystemDNS(name, int(question.Qclass), int(question.Qtype), timeoutSeconds)
-		resultCh <- resolvResult{response, err}
-	}()
-	var result resolvResult
-	select {
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case result = <-resultCh:
-	}
-	if result.err != nil {
-		var rcodeError dns.RcodeError
-		if errors.As(result.err, &rcodeError) {
-			return dns.FixedResponseStatus(message, int(rcodeError)), nil
-		}
-		return nil, result.err
-	}
-	result.response.Id = message.Id
-	return result.response, nil
-}
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -1,5 +1,3 @@
-//go:build !darwin
-
 package local

 import (
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -9,7 +9,6 @@ import (
 	"net/url"
 	"strconv"
 	"sync"
-	"time"

 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
@@ -41,23 +40,18 @@ func RegisterHTTP3Transport(registry *dns.TransportRegistry) {

 type HTTP3Transport struct {
 	dns.TransportAdapter
-	logger           logger.ContextLogger
-	dialer           N.Dialer
-	destination      *url.URL
-	headers          http.Header
-	handshakeTimeout time.Duration
-	serverAddr       M.Socksaddr
-	tlsConfig        *tls.STDConfig
-	transportAccess  sync.Mutex
-	transport        *http3.Transport
+	logger          logger.ContextLogger
+	dialer          N.Dialer
+	destination     *url.URL
+	headers         http.Header
+	serverAddr      M.Socksaddr
+	tlsConfig       *tls.STDConfig
+	transportAccess sync.Mutex
+	transport       *http3.Transport
 }

 func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
-	remoteOptions := option.RemoteDNSServerOptions{
-		DNSServerAddressOptions: options.DNSServerAddressOptions,
-	}
-	remoteOptions.DialerOptions = options.DialerOptions
-	transportDialer, err := dns.NewRemoteDialer(ctx, remoteOptions)
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +61,6 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	handshakeTimeout := tlsConfig.HandshakeTimeout()
 	stdConfig, err := tlsConfig.STDConfig()
 	if err != nil {
 		return nil, err
@@ -109,12 +102,11 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 		return nil, E.New("invalid server address: ", serverAddr)
 	}
 	t := &HTTP3Transport{
-		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, remoteOptions),
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),
 		logger:           logger,
 		dialer:           transportDialer,
 		destination:      &destinationURL,
 		headers:          headers,
-		handshakeTimeout: handshakeTimeout,
 		serverAddr:       serverAddr,
 		tlsConfig:        stdConfig,
 	}
@@ -123,17 +115,8 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 }

 func (t *HTTP3Transport) newTransport() *http3.Transport {
-	quicConfig := &quic.Config{}
-	if t.handshakeTimeout > 0 {
-		quicConfig.HandshakeIdleTimeout = t.handshakeTimeout
-	}
 	return &http3.Transport{
-		QUICConfig: quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (*quic.Conn, error) {
-			if t.handshakeTimeout > 0 && cfg.HandshakeIdleTimeout == 0 {
-				cfg = cfg.Clone()
-				cfg.HandshakeIdleTimeout = t.handshakeTimeout
-			}
 			conn, dialErr := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
 			if dialErr != nil {
 				return nil, dialErr
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,88 +2,6 @@
 icon: material/alert-decagram
 ---

-#### 1.14.0-alpha.11
-
-* Add optimistic DNS cache **1**
-* Update NaiveProxy to 147.0.7727.49
-* Fixes and improvements
-
-**1**:
-
-Optimistic DNS cache returns an expired cached response immediately while
-refreshing it in the background, reducing tail latency for repeated
-queries. Enabled via [`optimistic`](/configuration/dns/#optimistic)
-in DNS options, and can be persisted across restarts with the new
-[`store_dns`](/configuration/experimental/cache-file/#store_dns) cache
-file option. A per-query
-[`disable_optimistic_cache`](/configuration/dns/rule_action/#disable_optimistic_cache)
-field is also available on DNS rule actions and the `resolve` route rule
-action.
-
-This deprecates the `independent_cache` DNS option (the DNS cache now
-always keys by transport) and the `store_rdrc` cache file option
-(replaced by `store_dns`); both will be removed in sing-box 1.16.0.
-See [Migration](/migration/#migrate-independent-dns-cache).
-
-#### 1.14.0-alpha.10
-
-* Add `evaluate` DNS rule action and Response Match Fields **1**
-* `ip_version` and `query_type` now also take effect on internal DNS lookups **2**
-* Add `package_name_regex` route, DNS and headless rule item **3**
-* Add cloudflared inbound **4**
-* Fixes and improvements
-
-**1**:
-
-Response Match Fields
-([`response_rcode`](/configuration/dns/rule/#response_rcode),
-[`response_answer`](/configuration/dns/rule/#response_answer),
-[`response_ns`](/configuration/dns/rule/#response_ns),
-and [`response_extra`](/configuration/dns/rule/#response_extra))
-match the evaluated DNS response. They are gated by the new
-[`match_response`](/configuration/dns/rule/#match_response) field and
-populated by a preceding
-[`evaluate`](/configuration/dns/rule_action/#evaluate) DNS rule action;
-the evaluated response can also be returned directly by a
-[`respond`](/configuration/dns/rule_action/#respond) action.
-
-This deprecates the Legacy Address Filter Fields (`ip_cidr`,
-`ip_is_private` without `match_response`) in DNS rules, the Legacy
-`strategy` DNS rule action option, and the Legacy
-`rule_set_ip_cidr_accept_empty` DNS rule item; all three will be removed
-in sing-box 1.16.0.
-See [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
-
-**2**:
-
-`ip_version` and `query_type` in DNS rules, together with `query_type` in
-referenced rule-sets, now take effect on every DNS rule evaluation,
-including matches from internal domain resolutions that do not target a
-specific DNS server (for example a `resolve` route rule action without
-`server` set). In earlier versions they were silently ignored in that
-path. Combining these fields with any of the legacy DNS fields deprecated
-in **1** in the same DNS configuration is no longer supported and is
-rejected at startup.
-See [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules).
-
-**3**:
-
-See [Route Rule](/configuration/route/rule/#package_name_regex),
-[DNS Rule](/configuration/dns/rule/#package_name_regex) and
-[Headless Rule](/configuration/rule-set/headless-rule/#package_name_regex).
-
-**4**:
-
-See [Cloudflared](/configuration/inbound/cloudflared/).
-
-#### 1.13.7
-
-* Fixes and improvement
-
-#### 1.13.6
-
-* Fixes and improvements
-
 #### 1.14.0-alpha.8

 * Add BBR profile and hop interval randomization for Hysteria2 **1**
@@ -826,7 +744,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -1296,7 +1214,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -2132,7 +2050,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

@@ -2146,7 +2064,7 @@ the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users
 **5**:

 The new feature allows you to cache the check results of
-[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.

 **6**:

@@ -2327,7 +2245,7 @@ See [TUN](/configuration/inbound/tun) inbound.
 **1**:

 The new feature allows you to cache the check results of
-[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.
+[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.

 #### 1.9.0-alpha.7

@@ -2374,7 +2292,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).
+See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@@ -42,7 +42,6 @@ SFA provides an unprivileged TUN implementation through Android VpnService.
 | `process_path`        | :material-close: | No permission                     |
 | `process_path_regex`  | :material-close: | No permission                     |
 | `package_name`        | :material-check: | /                                 |
-| `package_name_regex`  | :material-check: | /                                 |
 | `user`                | :material-close: | Use `package_name` instead        |
 | `user_id`             | :material-close: | Use `package_name` instead        |
 | `wifi_ssid`           | :material-check: | Fine location permission required |
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@@ -44,7 +44,6 @@ SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension
 | `process_path`        | :material-close: | No permission         |
 | `process_path_regex`  | :material-close: | No permission         |
 | `package_name`        | :material-close: | /                     |
-| `package_name_regex`  | :material-close: | /                     |
 | `user`                | :material-close: | No permission         |
 | `user_id`             | :material-close: | No permission         |
 | `wifi_ssid`           | :material-alert: | Only supported on iOS |
--- a/docs/configuration/dns/fakeip.md
+++ b/docs/configuration/dns/fakeip.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "Removed in sing-box 1.14.0"

-    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
+    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).

 ### Structure

@@ -26,6 +26,6 @@ Enable FakeIP service.

 IPv4 address range for FakeIP.

-#### inet6_range
+#### inet6_address

 IPv6 address range for FakeIP.
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-delete-clock: [independent_cache](#independent_cache)  
-    :material-plus: [optimistic](#optimistic)
-
 !!! quote "Changes in sing-box 1.12.0"

    :material-decagram: [servers](#servers)
@@ -30,7 +25,6 @@ icon: material/alert-decagram
    "disable_expire": false,
    "independent_cache": false,
    "cache_capacity": 0,
-    "optimistic": false, // or {}
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
@@ -63,20 +57,12 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

 Disable dns cache.

-Conflict with `optimistic`.
-
 #### disable_expire

 Disable dns cache expire.

-Conflict with `optimistic`.
-
 #### independent_cache

-!!! failure "Deprecated in sing-box 1.14.0"
-
-    `independent_cache` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-independent-dns-cache).
-
 Make each DNS server's cache independent for special purposes. If enabled, will slightly degrade performance.

 #### cache_capacity
@@ -87,34 +73,6 @@ LRU cache capacity.

 Value less than 1024 will be ignored.

-#### optimistic
-
-!!! question "Since sing-box 1.14.0"
-
-Enable optimistic DNS caching. When a cached DNS entry has expired but is still within the timeout window,
-the stale response is returned immediately while a background refresh is triggered.
-
-Conflict with `disable_cache` and `disable_expire`.
-
-Accepts a boolean or an object. When set to `true`, the default timeout of `3d` is used.
-
-```json
-{
-  "enabled": true,
-  "timeout": "3d"
-}
-```
-
-##### enabled
-
-Enable optimistic DNS caching.
-
-##### timeout
-
-The maximum time an expired cache entry can be served optimistically.
-
-`3d` is used by default.
-
 #### reverse_mapping

 Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -2,11 +2,6 @@
 icon: material/alert-decagram
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-delete-clock: [independent_cache](#independent_cache)  
-    :material-plus: [optimistic](#optimistic)
-
 !!! quote "sing-box 1.12.0 中的更改"

    :material-decagram: [servers](#servers)
@@ -30,7 +25,6 @@ icon: material/alert-decagram
    "disable_expire": false,
    "independent_cache": false,
    "cache_capacity": 0,
-    "optimistic": false, // or {}
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
@@ -62,20 +56,12 @@ icon: material/alert-decagram

 禁用 DNS 缓存。

-与 `optimistic` 冲突。
-
 #### disable_expire

 禁用 DNS 缓存过期。

-与 `optimistic` 冲突。
-
 #### independent_cache

-!!! failure "已在 sing-box 1.14.0 废弃"
-
-    `independent_cache` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除，参阅[迁移指南](/zh/migration/#迁移-independent-dns-cache)。
-
 使每个 DNS 服务器的缓存独立，以满足特殊目的。如果启用，将轻微降低性能。

 #### cache_capacity
@@ -86,34 +72,6 @@ LRU 缓存容量。

 小于 1024 的值将被忽略。

-#### optimistic
-
-!!! question "自 sing-box 1.14.0 起"
-
-启用乐观 DNS 缓存。当缓存的 DNS 条目已过期但仍在超时窗口内时，
-立即返回过期的响应，同时在后台触发刷新。
-
-与 `disable_cache` 和 `disable_expire` 冲突。
-
-接受布尔值或对象。当设置为 `true` 时，使用默认超时 `3d`。
-
-```json
-{
-  "enabled": true,
-  "timeout": "3d"
-}
-```
-
-##### enabled
-
-启用乐观 DNS 缓存。
-
-##### timeout
-
-过期缓存条目可被乐观提供的最长时间。
-
-默认使用 `3d`。
-
 #### reverse_mapping

 在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -4,17 +4,15 @@ icon: material/alert-decagram

 !!! quote "Changes in sing-box 1.14.0"

-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
-    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
    :material-plus: [response_extra](#response_extra)  
-    :material-plus: [package_name_regex](#package_name_regex)  
-    :material-alert: [ip_version](#ip_version)  
-    :material-alert: [query_type](#query_type)
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)

 !!! quote "Changes in sing-box 1.13.0"

@@ -132,9 +130,6 @@ icon: material/alert-decagram
        "package_name": [
          "com.termux"
        ],
-        "package_name_regex": [
-          "^com\\.termux.*"
-        ],
        "user": [
          "sekai"
        ],
@@ -183,7 +178,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "ip_is_private": false,
-        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
@@ -197,6 +191,7 @@ icon: material/alert-decagram

        // Deprecated

+        "ip_accept_any": false,
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
@@ -245,46 +240,12 @@ Tags of [Inbound](/configuration/inbound/).

 #### ip_version

-!!! quote "Changes in sing-box 1.14.0"
-
-    This field now also applies when a DNS rule is matched from an internal
-    domain resolution that does not target a specific DNS server, such as a
-    [`resolve`](../../route/rule_action/#resolve) route rule action without a
-    `server` set. In earlier versions, only DNS queries received from a
-    client evaluated this field. See
-    [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
-    for the full list.
-
-    Setting this field makes the DNS rule incompatible in the same DNS
-    configuration with Legacy Address Filter Fields in DNS rules, the Legacy
-    `strategy` DNS rule action option, and the Legacy
-    `rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
-    address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
-    action and [`match_response`](#match_response).
-
 4 (A DNS query) or 6 (AAAA DNS query).

 Not limited if empty.

 #### query_type

-!!! quote "Changes in sing-box 1.14.0"
-
-    This field now also applies when a DNS rule is matched from an internal
-    domain resolution that does not target a specific DNS server, such as a
-    [`resolve`](../../route/rule_action/#resolve) route rule action without a
-    `server` set. In earlier versions, only DNS queries received from a
-    client evaluated this field. See
-    [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
-    for the full list.
-
-    Setting this field makes the DNS rule incompatible in the same DNS
-    configuration with Legacy Address Filter Fields in DNS rules, the Legacy
-    `strategy` DNS rule action option, and the Legacy
-    `rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
-    address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
-    action and [`match_response`](#match_response).
-
 DNS query type. Values can be integers or type name strings.

 #### network
@@ -387,12 +348,6 @@ Match process path using regular expression.

 Match android package name.

-#### package_name_regex
-
-!!! question "Since sing-box 1.14.0"
-
-Match android package name using regular expression.
-
 #### user

 !!! quote ""
@@ -538,20 +493,12 @@ Make `ip_cidr` rule items in rule-sets match the source IP.

 !!! question "Since sing-box 1.14.0"

-Enable response-based matching. When enabled, this rule matches against the evaluated response
+Enable response-based matching. When enabled, this rule matches against DNS response data
 (set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
 instead of only matching the original query.

-The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
-
-Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
-Also required for `ip_cidr`, `ip_is_private`, and `ip_accept_any` when used with `evaluate` or Response Match Fields.
-
-#### ip_accept_any
-
-!!! question "Since sing-box 1.12.0"
-
-Match when the DNS query response contains at least one address.
+Required for `response_rcode`, `response_answer`, `response_ns`, `response_extra` fields.
+Also required for `ip_cidr` and `ip_is_private` when `legacyDNSMode` is disabled.

 #### invert

@@ -597,12 +544,16 @@ See [DNS Rule Actions](../rule_action/) for details.

    Moved to [DNS Rule Action](../rule_action#route).

-### Legacy Address Filter Fields
+### Legacy DNS Mode

-!!! failure "Deprecated in sing-box 1.14.0"
+`legacyDNSMode` is an internal compatibility mode that is automatically detected from your DNS rule
+configuration. It is disabled when any rule uses features introduced in sing-box 1.14.0 such as
+`evaluate`, `match_response`, response fields (`response_rcode`, `response_answer`, etc.),
+`query_type`, or `ip_version`. When disabled, `ip_cidr` and `ip_is_private` require `match_response`
+to be set, and deprecated fields like `strategy`, `ip_accept_any`, and `rule_set_ip_cidr_accept_empty`
+are no longer accepted.

-    Legacy Address Filter Fields are deprecated and will be removed in sing-box 1.16.0,
-    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+### Address Filter Fields

 Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.

@@ -628,8 +579,7 @@ Match GeoIP with query response.

 Match IP CIDR with query response.

-As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
-check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+When `legacyDNSMode` is disabled, `match_response` must be set to `true`.

 #### ip_is_private

@@ -637,8 +587,7 @@ check [Migration](/migration/#migrate-address-filter-fields-to-response-matching

 Match private IP with query response.

-As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
-check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+When `legacyDNSMode` is disabled, `match_response` must be set to `true`.

 #### rule_set_ip_cidr_accept_empty

@@ -646,20 +595,29 @@ check [Migration](/migration/#migrate-address-filter-fields-to-response-matching

 !!! failure "Deprecated in sing-box 1.14.0"

-    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0,
-    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0.
+    Only supported in `legacyDNSMode`.

 Make `ip_cidr` rules in rule-sets accept empty query response.

-### Response Match Fields
+#### ip_accept_any
+
+!!! question "Since sing-box 1.12.0"
+
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0.
+    Only supported in `legacyDNSMode`. Use `match_response` with response items instead.
+
+Match any IP with query response.
+
+### Response Fields

 !!! question "Since sing-box 1.14.0"

-Match fields for the evaluated response. Require `match_response` to be set to `true`
+Match fields for DNS response data. Require `match_response` to be set to `true`
 and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.

-That evaluated response may also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
-
 #### response_rcode

 Match DNS response code.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -4,17 +4,15 @@ icon: material/alert-decagram

 !!! quote "sing-box 1.14.0 中的更改"

-    :material-plus: [source_mac_address](#source_mac_address)  
-    :material-plus: [source_hostname](#source_hostname)  
    :material-plus: [match_response](#match_response)  
-    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
    :material-plus: [response_rcode](#response_rcode)  
    :material-plus: [response_answer](#response_answer)  
    :material-plus: [response_ns](#response_ns)  
    :material-plus: [response_extra](#response_extra)  
-    :material-plus: [package_name_regex](#package_name_regex)  
-    :material-alert: [ip_version](#ip_version)  
-    :material-alert: [query_type](#query_type)
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)

 !!! quote "sing-box 1.13.0 中的更改"

@@ -132,9 +130,6 @@ icon: material/alert-decagram
        "package_name": [
          "com.termux"
        ],
-        "package_name_regex": [
-          "^com\\.termux.*"
-        ],
        "user": [
          "sekai"
        ],
@@ -183,7 +178,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "ip_is_private": false,
-        "ip_accept_any": false,
        "response_rcode": "",
        "response_answer": [],
        "response_ns": [],
@@ -197,6 +191,7 @@ icon: material/alert-decagram

        // 已弃用

+        "ip_accept_any": false,
        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
@@ -245,38 +240,12 @@ icon: material/alert-decagram

 #### ip_version

-!!! quote "sing-box 1.14.0 中的更改"
-
-    此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效，
-    例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
-    此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
-    [迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
-
-    在 DNS 规则中设置此字段后，该 DNS 规则在同一 DNS 配置中不能与
-    旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项，
-    或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
-    基于地址的筛选组合，请使用 [`evaluate`](../rule_action/#evaluate) 动作和
-    [`match_response`](#match_response)。
-
 4 (A DNS 查询) 或 6 (AAAA DNS 查询)。

 默认不限制。

 #### query_type

-!!! quote "sing-box 1.14.0 中的更改"
-
-    此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效，
-    例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
-    此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
-    [迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
-
-    在 DNS 规则中设置此字段后，该 DNS 规则在同一 DNS 配置中不能与
-    旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项，
-    或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
-    基于地址的筛选组合，请使用 [`evaluate`](../rule_action/#evaluate) 动作和
-    [`match_response`](#match_response)。
-
 DNS 查询类型。值可以为整数或者类型名称字符串。

 #### network
@@ -379,12 +348,6 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 匹配 Android 应用包名。

-#### package_name_regex
-
-!!! question "自 sing-box 1.14.0 起"
-
-使用正则表达式匹配 Android 应用包名。
-
 #### user

 !!! quote ""
@@ -530,18 +493,10 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! question "自 sing-box 1.14.0 起"

-启用响应匹配。启用后，此规则将匹配已评估的响应（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
+启用响应匹配。启用后，此规则将匹配 DNS 响应数据（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。

-该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
-
-响应匹配字段（`response_rcode`、`response_answer`、`response_ns`、`response_extra`）需要此选项。
-当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr`、`ip_is_private` 和 `ip_accept_any` 也需要此选项。
-
-#### ip_accept_any
-
-!!! question "自 sing-box 1.12.0 起"
-
-当 DNS 查询响应包含至少一个地址时匹配。
+`response_rcode`、`response_answer`、`response_ns`、`response_extra` 字段需要此选项。
+当 `legacyDNSMode` 未启用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。

 #### invert

@@ -587,12 +542,15 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

    已移动到 [DNS 规则动作](../rule_action#route).

-### 旧版地址筛选字段
+### Legacy DNS Mode

-!!! failure "已在 sing-box 1.14.0 废弃"
+`legacyDNSMode` 是一种内部兼容模式，会根据 DNS 规则配置自动检测。
+当任何规则使用了 sing-box 1.14.0 引入的特性（如 `evaluate`、`match_response`、
+响应字段（`response_rcode`、`response_answer` 等）、`query_type` 或 `ip_version`）时，
+该模式将被自动禁用。禁用后，`ip_cidr` 和 `ip_is_private` 需要设置 `match_response`，
+且已废弃的字段（如 `strategy`、`ip_accept_any`、`rule_set_ip_cidr_accept_empty`）将不再被接受。

-    旧版地址筛选字段已废弃，且将在 sing-box 1.16.0 中被移除，
-    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+### 地址筛选字段

 仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。

@@ -619,8 +577,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 与查询响应匹配 IP CIDR。

-作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
-参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。

 #### ip_is_private

@@ -628,8 +585,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 与查询响应匹配非公开 IP。

-作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
-参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+当 `legacyDNSMode` 未启用时，`match_response` 必须设为 `true`。

 #### rule_set_ip_cidr_accept_empty

@@ -637,20 +593,29 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.14.0 废弃"

-    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除，
-    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除。
+    仅在 `legacyDNSMode` 中可用。

 使规则集中的 `ip_cidr` 规则接受空查询响应。

-### 响应匹配字段
+#### ip_accept_any
+
+!!! question "自 sing-box 1.12.0 起"
+
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除。
+    仅在 `legacyDNSMode` 中可用。请使用 `match_response` 和响应项替代。
+
+匹配任意 IP。
+
+### 响应字段

 !!! question "自 sing-box 1.14.0 起"

-已评估的响应的匹配字段。需要将 `match_response` 设为 `true`，
+DNS 响应数据的匹配字段。需要将 `match_response` 设为 `true`，
 且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。

-该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
-
 #### response_rcode

 匹配 DNS 响应码。
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@@ -4,10 +4,8 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.14.0"

-    :material-delete-clock: [strategy](#strategy)  
    :material-plus: [evaluate](#evaluate)  
-    :material-plus: [respond](#respond)  
-    :material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
+    :material-delete-clock: [strategy](#strategy)

 !!! quote "Changes in sing-box 1.12.0"

@@ -24,7 +22,6 @@ icon: material/new-box
  "server": "",
  "strategy": "",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
@@ -46,7 +43,7 @@ Tag of target server.

    `strategy` is deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0.

-Set domain strategy for this query.
+Set domain strategy for this query. Only supported when `legacyDNSMode` is active.

 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

@@ -54,12 +51,6 @@ One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

 Disable cache and save cache in this query.

-#### disable_optimistic_cache
-
-!!! question "Since sing-box 1.14.0"
-
-Disable optimistic DNS caching in this query.
-
 #### rewrite_ttl

 Rewrite TTL in DNS responses.
@@ -81,20 +72,16 @@ Will override `dns.client_subnet`.
  "action": "evaluate",
  "server": "",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
 ```

-`evaluate` sends a DNS query to the specified server and saves the evaluated response for subsequent rules
+`evaluate` sends a DNS query to the specified server and saves the response for subsequent rules
 to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
 Unlike `route`, it does **not** terminate rule evaluation.

 Only allowed on top-level DNS rules (not inside logical sub-rules).
-Rules that use [`match_response`](/configuration/dns/rule/#match_response) or Response Match Fields
-require a preceding top-level rule with `evaluate` action. A rule's own `evaluate` action
-does not satisfy this requirement, because matching happens before the action runs.

 #### server

@@ -106,12 +93,6 @@ Tag of target server.

 Disable cache and save cache in this query.

-#### disable_optimistic_cache
-
-!!! question "Since sing-box 1.14.0"
-
-Disable optimistic DNS caching in this query.
-
 #### rewrite_ttl

 Rewrite TTL in DNS responses.
@@ -124,29 +105,12 @@ If value is an IP address instead of prefix, `/32` or `/128` will be appended au

 Will override `dns.client_subnet`.

-### respond
-
-!!! question "Since sing-box 1.14.0"
-
-```json
-{
-  "action": "respond"
-}
-```
-
-`respond` terminates rule evaluation and returns the evaluated response from a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action.
-
-This action does not send a new DNS query and has no extra options.
-
-Only allowed after a preceding top-level `evaluate` rule. If the action is reached without an evaluated response at runtime, the request fails with an error instead of falling through to later rules.
-
 ### route-options

 ```json
 {
  "action": "route-options",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@@ -4,10 +4,8 @@ icon: material/new-box

 !!! quote "sing-box 1.14.0 中的更改"

-    :material-delete-clock: [strategy](#strategy)  
    :material-plus: [evaluate](#evaluate)  
-    :material-plus: [respond](#respond)  
-    :material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
+    :material-delete-clock: [strategy](#strategy)

 !!! quote "sing-box 1.12.0 中的更改"

@@ -24,7 +22,6 @@ icon: material/new-box
  "server": "",
  "strategy": "",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
@@ -46,7 +43,7 @@ icon: material/new-box

    `strategy` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除。

-为此查询设置域名策略。
+为此查询设置域名策略。仅在 `legacyDNSMode` 启用时可用。

 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

@@ -54,12 +51,6 @@ icon: material/new-box

 在此查询中禁用缓存。

-#### disable_optimistic_cache
-
-!!! question "自 sing-box 1.14.0 起"
-
-在此查询中禁用乐观 DNS 缓存。
-
 #### rewrite_ttl

 重写 DNS 回应中的 TTL。
@@ -81,18 +72,14 @@ icon: material/new-box
  "action": "evaluate",
  "server": "",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
 ```

-`evaluate` 向指定服务器发送 DNS 查询并保存已评估的响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
+`evaluate` 向指定服务器发送 DNS 查询并保存响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。

 仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
-使用 [`match_response`](/zh/configuration/dns/rule/#match_response) 或响应匹配字段的规则，
-需要位于更早的顶层 `evaluate` 规则之后。规则自身的 `evaluate` 动作不能满足这个条件，
-因为匹配发生在动作执行之前。

 #### server

@@ -104,12 +91,6 @@ icon: material/new-box

 在此查询中禁用缓存。

-#### disable_optimistic_cache
-
-!!! question "自 sing-box 1.14.0 起"
-
-在此查询中禁用乐观 DNS 缓存。
-
 #### rewrite_ttl

 重写 DNS 回应中的 TTL。
@@ -122,29 +103,12 @@ icon: material/new-box

 将覆盖 `dns.client_subnet`.

-### respond
-
-!!! question "自 sing-box 1.14.0 起"
-
-```json
-{
-  "action": "respond"
-}
-```
-
-`respond` 会终止规则评估，并直接返回前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作保存的已评估的响应。
-
-此动作不会发起新的 DNS 查询，也没有额外选项。
-
-只能用于前面已有顶层 `evaluate` 规则的场景。如果运行时命中该动作时没有已评估的响应，则请求会直接返回错误，而不是继续匹配后续规则。
-
 ### route-options

 ```json
 {
  "action": "route-options",
  "disable_cache": false,
-  "disable_optimistic_cache": false,
  "rewrite_ttl": null,
  "client_subnet": null
 }
--- a/docs/configuration/dns/server/hosts.md
+++ b/docs/configuration/dns/server/hosts.md
@@ -73,55 +73,24 @@ Example:

 === "Use hosts if available"

-    === ":material-card-multiple: sing-box 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                ...
-              },
-              {
-                "type": "hosts",
-                "tag": "hosts"
-              }
-            ],
-            "rules": [
-              {
-                "action": "evaluate",
-                "server": "hosts"
-              },
-              {
-                "match_response": true,
-                "ip_accept_any": true,
-                "action": "respond"
-              }
-            ]
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            ...
+          },
+          {
+            "type": "hosts",
+            "tag": "hosts"
          }
-        }
-        ```
-
-    === ":material-card-remove: sing-box < 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                ...
-              },
-              {
-                "type": "hosts",
-                "tag": "hosts"
-              }
-            ],
-            "rules": [
-              {
-                "ip_accept_any": true,
-                "server": "hosts"
-              }
-            ]
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "hosts"
          }
-        }
-        ```
+        ]
+      }
+    }
+    ```
--- a/docs/configuration/dns/server/hosts.zh.md
+++ b/docs/configuration/dns/server/hosts.zh.md
@@ -73,55 +73,24 @@ hosts 文件路径列表。

 === "如果可用则使用 hosts"

-    === ":material-card-multiple: sing-box 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                ...
-              },
-              {
-                "type": "hosts",
-                "tag": "hosts"
-              }
-            ],
-            "rules": [
-              {
-                "action": "evaluate",
-                "server": "hosts"
-              },
-              {
-                "match_response": true,
-                "ip_accept_any": true,
-                "action": "respond"
-              }
-            ]
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            ...
+          },
+          {
+            "type": "hosts",
+            "tag": "hosts"
          }
-        }
-        ```
-
-    === ":material-card-remove: sing-box < 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                ...
-              },
-              {
-                "type": "hosts",
-                "tag": "hosts"
-              }
-            ],
-            "rules": [
-              {
-                "ip_accept_any": true,
-                "server": "hosts"
-              }
-            ]
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "hosts"
          }
-        }
-        ```
+        ]
+      }
+    }
+    ```
--- a/docs/configuration/dns/server/http3.md
+++ b/docs/configuration/dns/server/http3.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-alert: `headers`, `tls`, Dial Fields moved to [HTTP Client Fields](#http-client-fields)
-
 !!! question "Since sing-box 1.12.0"

 # DNS over HTTP3 (DoH3)
@@ -19,20 +15,27 @@ icon: material/new-box
      {
        "type": "h3",
        "tag": "",
-
+        
        "server": "",
-        "server_port": 0,
-
+        "server_port": 443,
+        
        "path": "",
-        "method": "",
-
-        ... // HTTP Client Fields
+        "headers": {},
+        
+        "tls": {},
+        
+        // Dial Fields
      }
    ]
  }
 }
 ```

+!!! info "Difference from legacy H3 server"
+
+    * The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
+    * The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
+
 ### Fields

 #### server
@@ -55,14 +58,14 @@ The path of the DNS server.

 `/dns-query` will be used by default.

-#### method
+#### headers

-HTTP request method.
+Additional headers to be sent to the DNS server.

-Available values: `GET`, `POST`.
+#### tls

-`POST` will be used by default.
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

-### HTTP Client Fields
+### Dial Fields

-See [HTTP Client Fields](/configuration/shared/http-client/) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/dns/server/http3.zh.md
+++ b/docs/configuration/dns/server/http3.zh.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-alert: `headers`、`tls`、拨号字段已移至 [HTTP 客户端字段](#http-客户端字段)
-
 !!! question "自 sing-box 1.12.0 起"

 # DNS over HTTP3 (DoH3)
@@ -21,18 +17,25 @@ icon: material/new-box
        "tag": "",

        "server": "",
-        "server_port": 0,
+        "server_port": 443,

        "path": "",
-        "method": "",
+        "headers": {},

-        ... // HTTP 客户端字段
+        "tls": {},
+
+        // 拨号字段
      }
    ]
  }
 }
 ```

+!!! info "与旧版 H3 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
 ### 字段

 #### server
@@ -55,14 +58,14 @@ DNS 服务器的路径。

 默认使用 `/dns-query`。

-#### method
+#### headers

-HTTP 请求方法。
+发送到 DNS 服务器的额外标头。

-可用值：`GET`、`POST`。
+#### tls

-默认使用 `POST`。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

-### HTTP 客户端字段
+### 拨号字段

-参阅 [HTTP 客户端字段](/zh/configuration/shared/http-client/) 了解详情。
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/https.md
+++ b/docs/configuration/dns/server/https.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.14.0"
-
-    :material-alert: `headers`, `tls`, Dial Fields moved to [HTTP Client Fields](#http-client-fields)
-
 !!! question "Since sing-box 1.12.0"

 # DNS over HTTPS (DoH)
@@ -19,20 +15,27 @@ icon: material/new-box
      {
        "type": "https",
        "tag": "",
-
+        
        "server": "",
-        "server_port": 0,
-
+        "server_port": 443,
+        
        "path": "",
-        "method": "",
-
-        ... // HTTP Client Fields
+        "headers": {},
+        
+        "tls": {},
+        
+        // Dial Fields
      }
    ]
  }
 }
 ```

+!!! info "Difference from legacy HTTPS server"
+
+    * The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
+    * The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
+
 ### Fields

 #### server
@@ -55,14 +58,14 @@ The path of the DNS server.

 `/dns-query` will be used by default.

-#### method
+#### headers

-HTTP request method.
+Additional headers to be sent to the DNS server.

-Available values: `GET`, `POST`.
+#### tls

-`POST` will be used by default.
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

-### HTTP Client Fields
+### Dial Fields

-See [HTTP Client Fields](/configuration/shared/http-client/) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/dns/server/https.zh.md
+++ b/docs/configuration/dns/server/https.zh.md
@@ -2,10 +2,6 @@
 icon: material/new-box
 ---

-!!! quote "sing-box 1.14.0 中的更改"
-
-    :material-alert: `headers`、`tls`、拨号字段已移至 [HTTP 客户端字段](#http-客户端字段)
-
 !!! question "自 sing-box 1.12.0 起"

 # DNS over HTTPS (DoH)
@@ -21,18 +17,25 @@ icon: material/new-box
        "tag": "",

        "server": "",
-        "server_port": 0,
+        "server_port": 443,

        "path": "",
-        "method": "",
+        "headers": {},

-        ... // HTTP 客户端字段
+        "tls": {},
+
+        // 拨号字段
      }
    ]
  }
 }
 ```

+!!! info "与旧版 HTTPS 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
 ### 字段

 #### server
@@ -55,14 +58,14 @@ DNS 服务器的路径。

 默认使用 `/dns-query`。

-#### method
+#### headers

-HTTP 请求方法。
+发送到 DNS 服务器的额外标头。

-可用值：`GET`、`POST`。
+#### tls

-默认使用 `POST`。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

-### HTTP 客户端字段
+### 拨号字段

-参阅 [HTTP 客户端字段](/zh/configuration/shared/http-client/) 了解详情。
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/legacy.md
+++ b/docs/configuration/dns/server/legacy.md
@@ -4,7 +4,7 @@ icon: material/note-remove

 !!! failure "Removed in sing-box 1.14.0"

-    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
+    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).

 !!! quote "Changes in sing-box 1.9.0"

--- a/docs/configuration/dns/server/resolved.md
+++ b/docs/configuration/dns/server/resolved.md
@@ -43,62 +43,29 @@ If not enabled, `NXDOMAIN` will be returned for requests that do not match searc

 === "Split DNS only"

-    === ":material-card-multiple: sing-box 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "resolved",
-                "tag": "resolved",
-                "service": "resolved"
-              }
-            ],
-            "rules": [
-              {
-                "action": "evaluate",
-                "server": "resolved"
-              },
-              {
-                "match_response": true,
-                "ip_accept_any": true,
-                "action": "respond"
-              }
-            ]
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "local",
+            "tag": "local"
+          },
+          {
+            "type": "resolved",
+            "tag": "resolved",
+            "service": "resolved"
          }
-        }
-        ```
-
-    === ":material-card-remove: sing-box < 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "resolved",
-                "tag": "resolved",
-                "service": "resolved"
-              }
-            ],
-            "rules": [
-              {
-                "ip_accept_any": true,
-                "server": "resolved"
-              }
-            ]
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "resolved"
          }
-        }
-        ```
+        ]
+      }
+    }
+    ```

 === "Use as global DNS"

--- a/docs/configuration/dns/server/resolved.zh.md
+++ b/docs/configuration/dns/server/resolved.zh.md
@@ -42,62 +42,29 @@ icon: material/new-box

 === "仅分割 DNS"

-    === ":material-card-multiple: sing-box 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "resolved",
-                "tag": "resolved",
-                "service": "resolved"
-              }
-            ],
-            "rules": [
-              {
-                "action": "evaluate",
-                "server": "resolved"
-              },
-              {
-                "match_response": true,
-                "ip_accept_any": true,
-                "action": "respond"
-              }
-            ]
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "local",
+            "tag": "local"
+          },
+          {
+            "type": "resolved",
+            "tag": "resolved",
+            "service": "resolved"
          }
-        }
-        ```
-
-    === ":material-card-remove: sing-box < 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "resolved",
-                "tag": "resolved",
-                "service": "resolved"
-              }
-            ],
-            "rules": [
-              {
-                "ip_accept_any": true,
-                "server": "resolved"
-              }
-            ]
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "resolved"
          }
-        }
-        ```
+        ]
+      }
+    }
+    ```

 === "用作全局 DNS"

--- a/docs/configuration/dns/server/tailscale.md
+++ b/docs/configuration/dns/server/tailscale.md
@@ -42,62 +42,29 @@ if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.

 === "MagicDNS only"

-    === ":material-card-multiple: sing-box 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "tailscale",
-                "tag": "ts",
-                "endpoint": "ts-ep"
-              }
-            ],
-            "rules": [
-              {
-                "action": "evaluate",
-                "server": "ts"
-              },
-              {
-                "match_response": true,
-                "ip_accept_any": true,
-                "action": "respond"
-              }
-            ]
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "local",
+            "tag": "local"
+          },
+          {
+            "type": "tailscale",
+            "tag": "ts",
+            "endpoint": "ts-ep"
          }
-        }
-        ```
-
-    === ":material-card-remove: sing-box < 1.14.0"
-
-        ```json
-        {
-          "dns": {
-            "servers": [
-              {
-                "type": "local",
-                "tag": "local"
-              },
-              {
-                "type": "tailscale",
-                "tag": "ts",
-                "endpoint": "ts-ep"
-              }
-            ],
-            "rules": [
-              {
-                "ip_accept_any": true,
-                "server": "ts"
-              }
-            ]
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "ts"
          }
-        }
-        ```
+        ]
+      }
+    }
+    ```

 === "Use as global DNS"

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	470c605118	option: add round-trip test for DNSRuleAction with evaluate action	2026-03-31 17:52:54 +08:00
世界	3795ac1503	dns: add evaluate integration tests for response_rcode, response_ns, response_extra	2026-03-31 17:45:35 +08:00
世界	8be4f38eaf	dns: remove redundant DNSResponse assignment in addressLimitResponseCheck MatchAddressLimit internally copies metadata and sets DNSResponse, making the prior assignment in the closure unnecessary.	2026-03-31 17:39:51 +08:00
世界	4152022b89	dns: remove redundant queryOptions variable	2026-03-31 17:31:09 +08:00
世界	5b01eaa149	dns: remove dead lookupStrategyAllowsQueryType helper	2026-03-31 17:28:52 +08:00
世界	3d32ad79cd	dns: remove dead lookup strategy guard in lookupWithRulesType	2026-03-31 17:24:03 +08:00
世界	e49a7bcc86	adapter: remove unused DestinationAddressesForMatch	2026-03-31 17:21:06 +08:00
世界	c94696df9e	dns: fix variable shadowing in matchDNSHeadlessRuleStatesForMatch	2026-03-31 17:17:26 +08:00
世界	a7c4096a07	dns: fix err shadowing in buildRules Reuse the outer err variable in the rule-construction and rule-startup loops instead of redeclaring it with :=, and declare dnsRule separately.	2026-03-31 17:13:18 +08:00
世界	0e87476ee5	dns: return immediately on context cancellation in evaluate exchange	2026-03-31 17:08:52 +08:00
世界	21f3acef81	dns: reject method `reply` is not supported for DNS rules Add config-time validation in NewDNSRule that rejects RejectMethodReply for both default and logical DNS rules, matching the existing TCP/UDP validation in route/route.go.	2026-03-31 16:53:57 +08:00
世界	861fa897e0	dns: improve test coverage and cleanup - Add t.Cleanup(router.Close) in newTestRouter for automatic cleanup - Remove unnecessary testCase loop variable capture (Go 1.22+) - Add tests for reject drop action, route_options effect, and chained evaluate response overwrite	2026-03-31 15:53:38 +08:00
世界	c471d7fee7	dns: fix test style issues in repro_test.go - Rename addrs to addresses per naming conventions - Replace errors.New with E.New per error-handling rules	2026-03-31 15:53:30 +08:00
世界	7de00c7cd1	fix: add missing EnvName, document Strategy invariant, improve rcode display - Add EnvName to four new deprecation constants so users can suppress warnings via ENABLE_DEPRECATED_* environment variables - Add comment explaining why applyDNSRouteOptions skips Strategy - Use dns.RcodeToString in DNSResponseRCodeItem.String() for readability - Remove redundant Fqdn(FqdnToDomain(domain)) round-trip	2026-03-31 15:47:29 +08:00
世界	29024191ee	docs: fix strategy deprecation format, explain legacyDNSMode, unify CN/EN order - Use standard !!! failure block for strategy deprecation notice - Add Legacy DNS Mode section explaining automatic mode detection - Reorder ip_accept_any/rule_set_ip_cidr_accept_empty in Chinese docs to match English	2026-03-31 15:43:04 +08:00
世界	16480095f7	dns: populate reverse mapping for legacy predefined responses The legacy path returned predefined responses early, bypassing the reverse mapping cache. Use goto to reach the shared post-exchange block so both legacy and new paths record predefined A/AAAA answers.	2026-03-31 15:37:10 +08:00
世界	cf33f1f375	route/rule: remove dead IgnoreDestinationIPCIDRMatch field The field was never set to true after the legacy pre-match refactor in `3549c02b8`. Remove the declaration, guard check, and redundant false assignments.	2026-03-31 15:29:50 +08:00
世界	1d872a6835	dns: use refcounted snapshot to narrow rule lock scope Exchange and Lookup held rulesAccess.RLock across all DNS network I/O, blocking rebuildRules from swapping in new rules until every in-flight query finished. Replace the RWMutex with an atomic pointer to a refcounted rulesSnapshot so queries only hold a snapshot reference during execution, allowing concurrent rule rebuilds.	2026-03-31 15:29:16 +08:00
世界	fb19bf6111	dns: serialize rebuilds and keep last good rules on failure	2026-03-31 13:15:25 +08:00
世界	da210af48d	docs: fix grammar errors and typos	2026-03-31 10:24:40 +08:00
世界	6a351be73a	Suppress SA1019 lint warnings for intentional deprecated field usage	2026-03-31 07:56:13 +08:00
世界	1913376113	docs: add evaluate action, response matching fields, and deprecation notices	2026-03-31 07:56:13 +08:00
世界	b05f58b469	Use typed SVCB hint structs instead of string parsing	2026-03-31 07:56:13 +08:00
世界	baf1da892b	option: reject nested rule actions	2026-03-31 07:56:13 +08:00
世界	f3c8fe59ac	dns: make rule strategy legacy-only	2026-03-31 07:56:13 +08:00
世界	117422db68	Make DNS match_response fail as a normal condition	2026-03-31 07:56:13 +08:00
世界	5b32dbf57f	Fix DNS rule-set ref handling	2026-03-31 07:56:12 +08:00
世界	d103fc2aea	Fix legacy DNS rule_set accept_empty matching	2026-03-31 07:56:12 +08:00
世界	532f350637	dns: restore lookup reject semantics	2026-03-31 07:56:12 +08:00
世界	d82e7cd4b6	Fix DNS record parser file inclusion and rule match log index Remove SetIncludeAllowed(true) from the DNS record zone parser. The $INCLUDE directive allows opening arbitrary files via os.Open, which is unnecessary and dangerous when parsing a single record string from configuration (especially remote profiles). Fix displayRuleIndex arithmetic in dns/router.go that computed 2*index+1 instead of the correct 0-based index. This was a reintroduction of a bug previously fixed in `be8ee370a`. Both matchDNS and logRuleMatch now use the index directly, matching the pattern in route/route.go.	2026-03-31 07:56:12 +08:00
世界	f628519333	Fix DNS record parsing and shutdown race	2026-03-31 07:56:12 +08:00
世界	7def08b5a1	dns: restore init validation and fix rule-set query type	2026-03-31 07:56:12 +08:00
世界	8ba8ad5f0c	dns: make rule path selection rule-set aware	2026-03-31 07:56:12 +08:00
世界	07f2fd65b2	dns: complete lookup rule execution in new mode	2026-03-31 07:56:11 +08:00
世界	31c707f8e8	Fix legacy DNS negation expansion	2026-03-31 07:56:11 +08:00
世界	3549c02b8c	dns: isolate legacy pre-match semantics	2026-03-31 07:56:11 +08:00
世界	e5aaf782c6	dns: preserve legacy address-filter pre-match semantics Legacy DNS address-filter mode still accepts destination-side IP predicates with a deprecation warning, but the recent evaluate/ match_response refactor started evaluating those predicates during pre-response Match(). That broke rules whose transport selection must be deferred until MatchAddressLimit() can inspect the upstream reply. Restore the old defer behavior by reintroducing an internal IgnoreDestinationIPCIDRMatch flag on InboundContext and using it only for legacy pre-response DNS matching. Default and logical DNS rules now carry the legacy mode bit, set the ignore flag on metadata copies while performing pre-response Match(), and explicitly clear it again for match_response and MatchAddressLimit() so response-phase matching still checks the returned addresses. Add regression coverage for direct legacy destination-IP rules, rule_set-backed CIDR rules, logical wrappers, and the legacy Lookup router path, including fallback after a rejected response. This keeps legacy configs working without changing new-mode evaluate semantics. Tests: go test ./route/rule ./dns Tests: make	2026-03-31 07:56:11 +08:00
世界	5b08ae150f	Remove legacy DNS server formats	2026-03-31 07:56:11 +08:00
世界	704482bb4a	dns: document non-response rule_set address-filter semantics	2026-03-31 07:56:11 +08:00
世界	5436192ada	Fix DNS pre-match CIDR fail-closed semantics	2026-03-31 07:56:10 +08:00
世界	d2f005aea3	Fix DNS evaluate regressions	2026-03-31 07:56:10 +08:00
世界	dc9b2089ea	dns: use response-only address matching	2026-03-31 07:56:10 +08:00
世界	b16b6f8b18	Fix DNS match_response response address handling	2026-03-31 07:56:10 +08:00
世界	ab414f20f5	Fix DNS record parsing and matching regressions	2026-03-31 07:56:10 +08:00
世界	f8cbe27b39	Fix DNS evaluate routing regressions	2026-03-31 07:56:10 +08:00
世界	2544d26664	Reorder DNS rule item fields: match_response above address filter and response items, deprecated fields at bottom	2026-03-31 07:56:09 +08:00
世界	bcaba94c61	Add evaluate DNS rule action and related rule items	2026-03-31 07:56:09 +08:00
世界	ebf8a213b6	Bump version	2026-03-31 00:38:42 +08:00
世界	ab323e0eb9	Add BBR profile and hop interval randomization for Hysteria2	2026-03-31 00:38:42 +08:00
nekohasekai	2132e68d3a	Refactor ACME support to certificate provider	2026-03-30 23:21:50 +08:00
世界	47742abe93	cronet-go: Update chromium to 145.0.7632.159	2026-03-30 23:21:50 +08:00
世界	77e51035bd	documentation: Update descriptions for neighbor rules	2026-03-30 23:21:50 +08:00
世界	eeb5dead2a	Add macOS support for MAC and hostname rule items	2026-03-30 23:21:50 +08:00
世界	45339d101b	Add Android support for MAC and hostname rule items	2026-03-30 23:21:50 +08:00
世界	04c0490992	Add MAC and hostname rule items	2026-03-30 23:21:50 +08:00