Add Tailscale

.github/workflows/build.yml

@@ -0,0 +1,599 @@
+name: Build
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version name"
+        required: true
+        type: string
+      build:
+        description: "Build type"
+        required: true
+        type: choice
+        default: "All"
+        options:
+          - All
+          - Binary
+          - Android
+          - Apple
+          - app-store
+          - iOS
+          - macOS
+          - tvOS
+          - macOS-standalone
+          - publish-android
+  push:
+    branches:
+      - main-next
+      - dev-next
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
+  cancel-in-progress: true
+
+jobs:
+  calculate_version:
+    name: Calculate version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.outputs.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Check input version
+        if: github.event_name == 'workflow_dispatch'
+        run: |-
+          echo "version=${{ inputs.version }}" 
+          echo "version=${{ inputs.version }}" >> "$GITHUB_ENV"
+      - name: Calculate version
+        if: github.event_name != 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/read_tag --nightly
+      - name: Set outputs
+        id: outputs
+        run: |-
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+  build:
+    name: Build binary
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - name: linux_386
+            goos: linux
+            goarch: 386
+          - name: linux_amd64
+            goos: linux
+            goarch: amd64
+          - name: linux_arm64
+            goos: linux
+            goarch: arm64
+          - name: linux_arm
+            goos: linux
+            goarch: arm
+            goarm: 6
+          - name: linux_arm_v7
+            goos: linux
+            goarch: arm
+            goarm: 7
+          - name: linux_s390x
+            goos: linux
+            goarch: s390x
+          - name: linux_riscv64
+            goos: linux
+            goarch: riscv64
+          - name: linux_mips64le
+            goos: linux
+            goarch: mips64le
+          - name: windows_amd64
+            goos: windows
+            goarch: amd64
+            require_legacy_go: true
+          - name: windows_386
+            goos: windows
+            goarch: 386
+            require_legacy_go: true
+          - name: windows_arm64
+            goos: windows
+            goarch: arm64
+          - name: darwin_arm64
+            goos: darwin
+            goarch: arm64
+          - name: darwin_amd64
+            goos: darwin
+            goarch: amd64
+            require_legacy_go: true
+          - name: android_arm64
+            goos: android
+            goarch: arm64
+          - name: android_arm
+            goos: android
+            goarch: arm
+            goarm: 7
+          - name: android_amd64
+            goos: android
+            goarch: amd64
+          - name: android_386
+            goos: android
+            goarch: 386
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Cache legacy Go
+        if: matrix.require_legacy_go
+        id: cache-legacy-go
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/go1.20.14
+          key: go120
+      - name: Setup legacy Go
+        if: matrix.require_legacy_go == 'true' && steps.cache-legacy-go.outputs.cache-hit != 'true'
+        run: |-
+          wget https://dl.google.com/go/go1.20.14.linux-amd64.tar.gz
+          tar -xzf go1.20.14.linux-amd64.tar.gz
+          mv go $HOME/go/go1.20.14
+      - name: Setup Android NDK
+        if: matrix.goos == 'android'
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+          local-cache: true
+      - name: Setup Goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          install-only: true
+      - name: Extract signing key
+        run: |-
+          mkdir -p $HOME/.gnupg
+          cat > $HOME/.gnupg/sagernet.key <<EOF
+          ${{ secrets.GPG_KEY }}
+          EOF
+          echo "HOME=$HOME" >> "$GITHUB_ENV"
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build
+        if: matrix.goos != 'android'
+        run: |-
+          goreleaser release --clean --split
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          GOPATH: ${{ env.HOME }}/go
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Build Android
+        if: matrix.goos == 'android'
+        run: |-
+          go install -v ./cmd/internal/build
+          GOOS=$BUILD_GOOS GOARCH=$BUILD_GOARCH build goreleaser release --clean --split
+        env:
+          BUILD_GOOS: ${{ matrix.goos }}
+          BUILD_GOARCH: ${{ matrix.goarch }}
+          GOARM: ${{ matrix.goarm }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          NFPM_KEY_PATH: ${{ env.HOME }}/.gnupg/sagernet.key
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Upload artifact
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ matrix.name }}
+          path: 'dist'
+  build_android:
+    name: Build Android
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Android NDK
+        id: setup-ndk
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+      - name: Setup OpenJDK
+        run: |-
+          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
+          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build library
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          make lib_android
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+      - name: Checkout main branch
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/android
+          git checkout main
+      - name: Checkout dev branch
+        if: github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/android
+          git checkout dev
+      - name: Gradle cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.gradle
+          key: gradle-${{ hashFiles('**/*.gradle') }}
+      - name: Build
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci
+          mkdir clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
+          cd clients/android
+          ./gradlew :app:assemblePlayRelease :app:assembleOtherRelease
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
+      - name: Prepare upload
+        if: github.event_name == 'workflow_dispatch'
+        run: |-
+          mkdir -p dist/release
+          cp clients/android/app/build/outputs/apk/play/release/*.apk dist/release
+          cp clients/android/app/build/outputs/apk/other/release/*-universal.apk dist/release
+      - name: Upload artifact
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-android-apks
+          path: 'dist'
+  publish_android:
+    name: Publish Android
+    if: github.event_name == 'workflow_dispatch' && inputs.build == 'publish-android'
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Android NDK
+        id: setup-ndk
+        uses: nttld/setup-ndk@v1
+        with:
+          ndk-version: r28-beta2
+      - name: Setup OpenJDK
+        run: |-
+          sudo apt update && sudo apt install -y openjdk-17-jdk-headless
+          /usr/lib/jvm/java-17-openjdk-amd64/bin/java --version
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Build library
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          make lib_android
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+      - name: Checkout main branch
+        if: github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/android
+          git checkout main
+      - name: Checkout dev branch
+        if: github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/android
+          git checkout dev
+      - name: Gradle cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.gradle
+          key: gradle-${{ hashFiles('**/*.gradle') }}
+      - name: Build
+        run: |-
+          go run -v ./cmd/internal/update_android_version --ci
+          mkdir clients/android/app/libs
+          cp libbox.aar clients/android/app/libs
+          cd clients/android
+          echo -n "$SERVICE_ACCOUNT_CREDENTIALS" | base64 --decode > service-account-credentials.json
+          ./gradlew :app:publishPlayReleaseBundle
+        env:
+          JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
+          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
+  build_apple:
+    name: Build Apple clients
+    runs-on: macos-15
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - name: iOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'iOS' }}
+            platform: ios
+            scheme: SFI
+            destination: 'generic/platform=iOS'
+            archive: build/SFI.xcarchive
+            upload: SFI/Upload.plist
+          - name: macOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
+            platform: macos
+            scheme: SFM
+            destination: 'generic/platform=macOS'
+            archive: build/SFM.xcarchive
+            upload: SFI/Upload.plist
+          - name: tvOS
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
+            platform: tvos
+            scheme: SFT
+            destination: 'generic/platform=tvOS'
+            archive: build/SFT.xcarchive
+            upload: SFI/Upload.plist
+          - name: macOS-standalone
+            if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
+            platform: macos
+            scheme: SFM.System
+            destination: 'generic/platform=macOS'
+            archive: build/SFM.System.xcarchive
+            export: SFM.System/Export.plist
+            export_path: build/SFM.System
+    steps:
+      - name: Checkout
+        if: matrix.if
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+      - name: Setup Go
+        if: matrix.if
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.23
+      - name: Setup Xcode stable
+        if: matrix.if && github.ref == 'refs/heads/main-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.2.app
+      - name: Setup Xcode beta
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          sudo xcode-select -s /Applications/Xcode_16.2.app
+      - name: Set tag
+        if: matrix.if
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
+      - name: Checkout main branch
+        if: matrix.if && github.ref == 'refs/heads/main-next' && github.event_name != 'workflow_dispatch'
+        run: |-
+          cd clients/apple
+          git checkout main
+      - name: Checkout dev branch
+        if: matrix.if && github.ref == 'refs/heads/dev-next'
+        run: |-
+          cd clients/apple
+          git checkout dev
+      - name: Setup certificates
+        if: matrix.if
+        run: |-
+          CERTIFICATE_PATH=$RUNNER_TEMP/Certificates.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/certificates.keychain-db
+          echo -n "$CERTIFICATES_P12" | base64 --decode -o $CERTIFICATE_PATH
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          PROFILES_ZIP_PATH=$RUNNER_TEMP/Profiles.zip
+          echo -n "$PROVISIONING_PROFILES" | base64 --decode -o $PROFILES_ZIP_PATH
+          
+          PROFILES_PATH="$HOME/Library/MobileDevice/Provisioning Profiles"
+          mkdir -p "$PROFILES_PATH"
+          unzip $PROFILES_ZIP_PATH -d "$PROFILES_PATH"
+          
+          ASC_KEY_PATH=$RUNNER_TEMP/Key.p12
+          echo -n "$ASC_KEY" | base64 --decode -o $ASC_KEY_PATH
+          
+          xcrun notarytool store-credentials "notarytool-password" \
+            --key $ASC_KEY_PATH \
+            --key-id $ASC_KEY_ID \
+            --issuer $ASC_KEY_ISSUER_ID
+          
+          echo "ASC_KEY_PATH=$ASC_KEY_PATH" >> "$GITHUB_ENV"
+          echo "ASC_KEY_ID=$ASC_KEY_ID" >> "$GITHUB_ENV"
+          echo "ASC_KEY_ISSUER_ID=$ASC_KEY_ISSUER_ID" >> "$GITHUB_ENV"
+        env:
+          CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          PROVISIONING_PROFILES: ${{ secrets.PROVISIONING_PROFILES }}
+          ASC_KEY: ${{ secrets.ASC_KEY }}
+          ASC_KEY_ID: ${{ secrets.ASC_KEY_ID }}
+          ASC_KEY_ISSUER_ID: ${{ secrets.ASC_KEY_ISSUER_ID }}
+      - name: Build library
+        if: matrix.if
+        run: |-
+          make lib_install
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
+          mv Libbox.xcframework clients/apple
+      - name: Update macOS version
+        if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
+        run: |-
+          MACOS_PROJECT_VERSION=$(go run -v ./cmd/internal/app_store_connect next_macos_project_version)
+          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION"
+          echo "MACOS_PROJECT_VERSION=$MACOS_PROJECT_VERSION" >> "$GITHUB_ENV"
+      - name: Build
+        if: matrix.if
+        run: |-
+          go run -v ./cmd/internal/update_apple_version --ci
+          cd clients/apple
+          xcodebuild archive \
+            -scheme "${{ matrix.scheme }}" \
+            -configuration Release \
+            -destination "${{ matrix.destination }}" \
+            -archivePath "${{ matrix.archive }}" \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Upload to App Store Connect
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        run: |-
+          go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
+          cd clients/apple
+          xcodebuild -exportArchive \
+            -archivePath "${{ matrix.archive }}" \
+            -exportOptionsPlist ${{ matrix.upload }} \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Publish to TestFlight
+        if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch' && github.ref =='refs/heads/dev-next'
+        run: |-
+          go run -v ./cmd/internal/app_store_connect publish_testflight ${{ matrix.platform }}
+      - name: Build image
+        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        run: |-
+          pushd clients/apple
+          xcodebuild -exportArchive \
+          	-archivePath "${{ matrix.archive }}" \
+          	-exportOptionsPlist ${{ matrix.export }} \
+          	-exportPath "${{ matrix.export_path }}"
+          brew install create-dmg
+          create-dmg \
+          	--volname "sing-box" \
+          	--volicon "${{ matrix.export_path }}/SFM.app/Contents/Resources/AppIcon.icns" \
+          	--icon "SFM.app" 0 0 \
+          		--hide-extension "SFM.app" \
+          		--app-drop-link 0 0 \
+          		--skip-jenkins \
+          	SFM.dmg "${{ matrix.export_path }}/SFM.app"
+          xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
+          cd "${{ matrix.archive }}"
+          zip -r SFM.dSYMs.zip dSYMs
+          popd
+          
+          mkdir -p dist/release
+          cp clients/apple/SFM.dmg "dist/release/SFM-${VERSION}-universal.dmg"
+          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/release/SFM-${VERSION}-universal.dSYMs.zip"
+      - name: Upload image
+        if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-macos-dmg
+          path: 'dist'
+  upload:
+    name: Upload builds
+    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
+    runs-on: ubuntu-latest
+    needs:
+      - calculate_version
+      - build
+      - build_android
+      - build_apple
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+        with:
+          fetch-depth: 0
+      - name: Setup Goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          install-only: true
+      - name: Cache ghr
+        uses: actions/cache@v4
+        id: cache-ghr
+        with:
+          path: |
+            ~/go/bin/ghr
+          key: ghr
+      - name: Setup ghr
+        if: steps.cache-ghr.outputs.cache-hit != 'true'
+        run: |-
+          cd $HOME
+          git clone https://github.com/nekohasekai/ghr ghr
+          cd ghr
+          go install -v .
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+          echo "VERSION=${{ needs.calculate_version.outputs.version }}" >> "$GITHUB_ENV"
+      - name: Download builds
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+          merge-multiple: true
+      - name: Merge builds
+        if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+        run: |-
+          goreleaser continue --merge --skip publish
+          mkdir -p dist/release
+          mv dist/*/sing-box*{tar.gz,zip,deb,rpm,_amd64.pkg.tar.zst,_arm64.pkg.tar.zst} dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - name: Upload builds
+        if: ${{ env.PUBLISHED == 'false' }}
+        run: |-
+          export PATH="$PATH:$HOME/go/bin"
+          ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Replace builds
+        if: ${{ env.PUBLISHED != 'false' }}
+        run: |-
+          export PATH="$PATH:$HOME/go/bin"
+          ghr --replace -p 5 "v${VERSION}" dist/release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/debug.yml

@@ -1,219 +0,0 @@
-name: Debug build
-
-on:
-  push:
-    branches:
-      - stable-next
-      - main-next
-      - dev-next
-    paths-ignore:
-      - '**.md'
-      - '.github/**'
-      - '!.github/workflows/debug.yml'
-  pull_request:
-    branches:
-      - stable-next
-      - main-next
-      - dev-next
-
-jobs:
-  build:
-    name: Debug build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.23
-      - name: Run Test
-        run: |
-          go test -v ./...
-  build_go120:
-    name: Debug build (Go 1.20)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.20
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go120-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build_go120
-  build_go121:
-    name: Debug build (Go 1.21)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.21
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go121-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
-  build_go122:
-    name: Debug build (Go 1.22)
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.22
-      - name: Cache go module
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go122-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make ci_build
-  cross:
-    strategy:
-      matrix:
-        include:
-          # windows
-          - name: windows-amd64
-            goos: windows
-            goarch: amd64
-            goamd64: v1
-          - name: windows-amd64-v3
-            goos: windows
-            goarch: amd64
-            goamd64: v3
-          - name: windows-386
-            goos: windows
-            goarch: 386
-          - name: windows-arm64
-            goos: windows
-            goarch: arm64
-          - name: windows-arm32v7
-            goos: windows
-            goarch: arm
-            goarm: 7
-          
-          # linux
-          - name: linux-amd64
-            goos: linux
-            goarch: amd64
-            goamd64: v1
-          - name: linux-amd64-v3
-            goos: linux
-            goarch: amd64
-            goamd64: v3
-          - name: linux-386
-            goos: linux
-            goarch: 386
-          - name: linux-arm64
-            goos: linux
-            goarch: arm64
-          - name: linux-armv5
-            goos: linux
-            goarch: arm
-            goarm: 5
-          - name: linux-armv6
-            goos: linux
-            goarch: arm
-            goarm: 6
-          - name: linux-armv7
-            goos: linux
-            goarch: arm
-            goarm: 7
-          - name: linux-mips-softfloat
-            goos: linux
-            goarch: mips
-            gomips: softfloat
-          - name: linux-mips-hardfloat
-            goos: linux
-            goarch: mips
-            gomips: hardfloat
-          - name: linux-mipsel-softfloat
-            goos: linux
-            goarch: mipsle
-            gomips: softfloat
-          - name: linux-mipsel-hardfloat
-            goos: linux
-            goarch: mipsle
-            gomips: hardfloat
-          - name: linux-mips64
-            goos: linux
-            goarch: mips64
-          - name: linux-mips64el
-            goos: linux
-            goarch: mips64le
-          - name: linux-s390x
-            goos: linux
-            goarch: s390x
-          # darwin
-          - name: darwin-amd64
-            goos: darwin
-            goarch: amd64
-            goamd64: v1
-          - name: darwin-amd64-v3
-            goos: darwin
-            goarch: amd64
-            goamd64: v3
-          - name: darwin-arm64
-            goos: darwin
-            goarch: arm64
-          # freebsd
-          - name: freebsd-amd64
-            goos: freebsd
-            goarch: amd64
-            goamd64: v1
-          - name: freebsd-amd64-v3
-            goos: freebsd
-            goarch: amd64
-            goamd64: v3
-          - name: freebsd-386
-            goos: freebsd
-            goarch: 386
-          - name: freebsd-arm64
-            goos: freebsd
-            goarch: arm64
-      fail-fast: true
-    runs-on: ubuntu-latest
-    env:
-      GOOS: ${{ matrix.goos }}
-      GOARCH: ${{ matrix.goarch }}
-      GOAMD64: ${{ matrix.goamd64 }}
-      GOARM: ${{ matrix.goarm }}
-      GOMIPS: ${{ matrix.gomips }}
-      CGO_ENABLED: 0
-      TAGS: with_clash_api,with_quic
-    steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-        with:
-          fetch-depth: 0
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: ^1.21
-      - name: Build
-        id: build
-        run: make

.github/workflows/linux.yml

@@ -22,7 +22,6 @@ jobs:
           mkdir -p $HOME/.gnupg
           cat > $HOME/.gnupg/sagernet.key <<EOF
           ${{ secrets.GPG_KEY }}
-          echo "HOME=$HOME" >> "$GITHUB_ENV"
           EOF
           echo "HOME=$HOME" >> "$GITHUB_ENV"
       - name: Publish release

.golangci.yml

@@ -22,6 +22,17 @@ linters-settings:
 
 run:
   go: "1.23"
+  build-tags:
+    - with_gvisor
+    - with_quic
+    - with_dhcp
+    - with_wireguard
+    - with_ech
+    - with_utls
+    - with_reality_server
+    - with_acme
+    - with_clash_api
+    - badlinkname
 
 issues:
   exclude-dirs:

.goreleaser.fury.yaml

@@ -6,7 +6,10 @@ builds:
       - -v
       - -trimpath
     ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
+      - -s
+      - -buildid=
+      - -checklinkname=0
     tags:
       - with_gvisor
       - with_quic

.goreleaser.yaml

@@ -11,6 +11,7 @@ builds:
       - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
       - -s
       - -buildid=
+      - -checklinkname=0
     tags:
       - with_gvisor
       - with_quic
@@ -200,4 +201,6 @@ release:
   ids:
     - archive
     - package
-  skip_upload: true
+  skip_upload: true
+partial:
+  by: target

Dockerfile

@@ -15,7 +15,7 @@ RUN set -ex \
     && go build -v -trimpath -tags \
         "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
+        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
         ./cmd/sing-box
 FROM --platform=$TARGETPLATFORM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Makefile

@@ -2,14 +2,15 @@ NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
 TAGS_GO121 = with_ech
-TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
+TAGS_GO123 = with_tailscale,badlinkname
+TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121),$(TAGS_GO123)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
 
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid= -checklinkname=0"
 MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
@@ -28,7 +29,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)
 
 generate_completions:
-	go run -v --tags generate,generate_completions $(MAIN)
+	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)
 
 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@@ -71,7 +72,7 @@ release:
 		dist/*_amd64.pkg.tar.zst \
 		dist/*_arm64.pkg.tar.zst \
 		dist/release
-	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
+	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release
 	rm -r dist/release
 
 release_repo:
@@ -90,7 +91,7 @@ upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/other/release/*-universal.apk dist/release_android
-	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	ghr --replace --draft --prerelease -p 5 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 
 release_android: lib_android update_android_version build_android upload_android
@@ -99,9 +100,11 @@ publish_android:
 	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle && ./gradlew --stop
 
 # TODO: find why and remove `-destination 'generic/platform=iOS'`
+# TODO: remove xcode clean when fix control widget fixed
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
+	xcodebuild clean -scheme SFI && \
 	xcodebuild archive -scheme SFI -configuration Release -destination 'generic/platform=iOS' -archivePath build/SFI.xcarchive -allowProvisioningUpdates
 
 upload_ios_app_store:
@@ -180,10 +183,22 @@ release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 
+update_macos_version:
+	MACOS_PROJECT_VERSION=$(shell go run -v ./cmd/internal/app_store_connect next_macos_project_version) go run ./cmd/internal/update_apple_version
+
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_standalone
 
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 
+publish_testflight:
+	go run -v ./cmd/internal/app_store_connect publish_testflight
+
+prepare_app_store:
+	go run -v ./cmd/internal/app_store_connect prepare_app_store
+
+publish_app_store:
+	go run -v ./cmd/internal/app_store_connect publish_app_store
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -199,8 +214,14 @@ test_stdio:
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
+lib_android_debug:
+	go run ./cmd/internal/build_libbox -target android -debug
+
+lib_apple:
+	go run ./cmd/internal/build_libbox -target apple
+
 lib_ios:
-	go run ./cmd/internal/build_libbox -target ios
+	go run ./cmd/internal/build_libbox -target apple -platform ios -debug
 
 lib:
 	go run ./cmd/internal/build_libbox -target android

adapter/connections.go

@@ -0,0 +1,14 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	N "github.com/sagernet/sing/common/network"
+)
+
+type ConnectionManager interface {
+	Lifecycle
+	NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
+	NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
+}

adapter/dns.go

@@ -0,0 +1,73 @@
+package adapter
+
+import (
+	"context"
+	"net/netip"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/logger"
+
+	"github.com/miekg/dns"
+)
+
+type DNSRouter interface {
+	Lifecycle
+	Exchange(ctx context.Context, message *dns.Msg, options DNSQueryOptions) (*dns.Msg, error)
+	Lookup(ctx context.Context, domain string, options DNSQueryOptions) ([]netip.Addr, error)
+	ClearCache()
+	LookupReverseMapping(ip netip.Addr) (string, bool)
+	ResetNetwork()
+}
+
+type DNSClient interface {
+	Start()
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool)
+	ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool)
+	ClearCache()
+}
+
+type DNSQueryOptions struct {
+	Transport    DNSTransport
+	Strategy     C.DomainStrategy
+	DisableCache bool
+	RewriteTTL   *uint32
+	ClientSubnet netip.Prefix
+}
+
+type RDRCStore interface {
+	LoadRDRC(transportName string, qName string, qType uint16) (rejected bool)
+	SaveRDRC(transportName string, qName string, qType uint16) error
+	SaveRDRCAsync(transportName string, qName string, qType uint16, logger logger.Logger)
+}
+
+type DNSTransport interface {
+	Type() string
+	Tag() string
+	Dependencies() []string
+	Reset()
+	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
+}
+
+type LegacyDNSTransport interface {
+	LegacyStrategy() C.DomainStrategy
+	LegacyClientSubnet() netip.Prefix
+}
+
+type DNSTransportRegistry interface {
+	option.DNSTransportOptionsRegistry
+	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
+}
+
+type DNSTransportManager interface {
+	Lifecycle
+	Transports() []DNSTransport
+	Transport(tag string) (DNSTransport, bool)
+	Default() DNSTransport
+	FakeIP() FakeIPTransport
+	Remove(tag string) error
+	Create(ctx context.Context, logger log.ContextLogger, tag string, outboundType string, options any) error
+}

adapter/endpoint.go

@@ -0,0 +1,28 @@
+package adapter
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+)
+
+type Endpoint interface {
+	Lifecycle
+	Type() string
+	Tag() string
+	Outbound
+}
+
+type EndpointRegistry interface {
+	option.EndpointOptionsRegistry
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, endpointType string, options any) (Endpoint, error)
+}
+
+type EndpointManager interface {
+	Lifecycle
+	Endpoints() []Endpoint
+	Get(tag string) (Endpoint, bool)
+	Remove(tag string) error
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, endpointType string, options any) error
+}

adapter/endpoint/adapter.go

@@ -0,0 +1,43 @@
+package endpoint
+
+import "github.com/sagernet/sing-box/option"
+
+type Adapter struct {
+	endpointType string
+	endpointTag  string
+	network      []string
+	dependencies []string
+}
+
+func NewAdapter(endpointType string, endpointTag string, network []string, dependencies []string) Adapter {
+	return Adapter{
+		endpointType: endpointType,
+		endpointTag:  endpointTag,
+		network:      network,
+		dependencies: dependencies,
+	}
+}
+
+func NewAdapterWithDialerOptions(endpointType string, endpointTag string, network []string, dialOptions option.DialerOptions) Adapter {
+	var dependencies []string
+	if dialOptions.Detour != "" {
+		dependencies = []string{dialOptions.Detour}
+	}
+	return NewAdapter(endpointType, endpointTag, network, dependencies)
+}
+
+func (a *Adapter) Type() string {
+	return a.endpointType
+}
+
+func (a *Adapter) Tag() string {
+	return a.endpointTag
+}
+
+func (a *Adapter) Network() []string {
+	return a.network
+}
+
+func (a *Adapter) Dependencies() []string {
+	return a.dependencies
+}

adapter/endpoint/manager.go

@@ -0,0 +1,147 @@
+package endpoint
+
+import (
+	"context"
+	"os"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var _ adapter.EndpointManager = (*Manager)(nil)
+
+type Manager struct {
+	logger        log.ContextLogger
+	registry      adapter.EndpointRegistry
+	access        sync.Mutex
+	started       bool
+	stage         adapter.StartStage
+	endpoints     []adapter.Endpoint
+	endpointByTag map[string]adapter.Endpoint
+}
+
+func NewManager(logger log.ContextLogger, registry adapter.EndpointRegistry) *Manager {
+	return &Manager{
+		logger:        logger,
+		registry:      registry,
+		endpointByTag: make(map[string]adapter.Endpoint),
+	}
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	if stage == adapter.StartStateStart {
+		// started with outbound manager
+		return nil
+	}
+	for _, endpoint := range m.endpoints {
+		err := adapter.LegacyStart(endpoint, stage)
+		if err != nil {
+			return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+		}
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if !m.started {
+		return nil
+	}
+	m.started = false
+	endpoints := m.endpoints
+	m.endpoints = nil
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	var err error
+	for _, endpoint := range endpoints {
+		monitor.Start("close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+		err = E.Append(err, endpoint.Close(), func(err error) error {
+			return E.Cause(err, "close endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+		})
+		monitor.Finish()
+	}
+	return nil
+}
+
+func (m *Manager) Endpoints() []adapter.Endpoint {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.endpoints
+}
+
+func (m *Manager) Get(tag string) (adapter.Endpoint, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	endpoint, found := m.endpointByTag[tag]
+	return endpoint, found
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	endpoint, found := m.endpointByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.endpointByTag, tag)
+	index := common.Index(m.endpoints, func(it adapter.Endpoint) bool {
+		return it == endpoint
+	})
+	if index == -1 {
+		panic("invalid endpoint index")
+	}
+	m.endpoints = append(m.endpoints[:index], m.endpoints[index+1:]...)
+	started := m.started
+	m.access.Unlock()
+	if started {
+		return endpoint.Close()
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) error {
+	endpoint, err := m.registry.Create(ctx, router, logger, tag, outboundType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(endpoint, stage)
+			if err != nil {
+				return E.Cause(err, stage, " endpoint/", endpoint.Type(), "[", endpoint.Tag(), "]")
+			}
+		}
+	}
+	if existsEndpoint, loaded := m.endpointByTag[tag]; loaded {
+		if m.started {
+			err = existsEndpoint.Close()
+			if err != nil {
+				return E.Cause(err, "close endpoint/", existsEndpoint.Type(), "[", existsEndpoint.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.endpoints, func(it adapter.Endpoint) bool {
+			return it == existsEndpoint
+		})
+		if existsIndex == -1 {
+			panic("invalid endpoint index")
+		}
+		m.endpoints = append(m.endpoints[:existsIndex], m.endpoints[existsIndex+1:]...)
+	}
+	m.endpoints = append(m.endpoints, endpoint)
+	m.endpointByTag[tag] = endpoint
+	return nil
+}

adapter/endpoint/registry.go

@@ -0,0 +1,72 @@
+package endpoint
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Endpoint, error)
+
+func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
+	registry.register(outboundType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, rawOptions any) (adapter.Endpoint, error) {
+		var options *Options
+		if rawOptions != nil {
+			options = rawOptions.(*Options)
+		}
+		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options))
+	})
+}
+
+var _ adapter.EndpointRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Endpoint, error)
+)
+
+type Registry struct {
+	access      sync.Mutex
+	optionsType map[string]optionsConstructorFunc
+	constructor map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType: make(map[string]optionsConstructorFunc),
+		constructor: make(map[string]constructorFunc),
+	}
+}
+
+func (m *Registry) CreateOptions(outboundType string) (any, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	optionsConstructor, loaded := m.optionsType[outboundType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (m *Registry) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Endpoint, error) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	constructor, loaded := m.constructor[outboundType]
+	if !loaded {
+		return nil, E.New("outbound type not found: " + outboundType)
+	}
+	return constructor(ctx, router, logger, tag, options)
+}
+
+func (m *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	m.optionsType[outboundType] = optionsConstructor
+	m.constructor[outboundType] = constructor
+}

adapter/experimental.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/varbin"
 )
 
@@ -31,7 +30,7 @@ type CacheFile interface {
 	FakeIPStorage
 
 	StoreRDRC() bool
-	dns.RDRCStore
+	RDRCStore
 
 	LoadMode() string
 	StoreMode(mode string) error

adapter/fakeip.go

@@ -3,7 +3,6 @@ package adapter
 import (
 	"net/netip"
 
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 )
 
@@ -27,6 +26,6 @@ type FakeIPStorage interface {
 }
 
 type FakeIPTransport interface {
-	dns.Transport
+	DNSTransport
 	Store() FakeIPStore
 }

adapter/handler.go

@@ -46,6 +46,9 @@ type PacketConnectionHandlerEx interface {
 	NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }
 
+// Deprecated: use TCPConnectionHandlerEx instead
+//
+//nolint:staticcheck
 type UpstreamHandlerAdapter interface {
 	N.TCPConnectionHandler
 	N.UDPConnectionHandler

adapter/inbound.go

@@ -13,7 +13,7 @@ import (
 )
 
 type Inbound interface {
-	Service
+	Lifecycle
 	Type() string
 	Tag() string
 }
@@ -65,16 +65,17 @@ type InboundContext struct {
 	LastInbound              string
 	OriginDestination        M.Socksaddr
 	RouteOriginalDestination M.Socksaddr
-	// Deprecated
+	// Deprecated: to be removed
+	//nolint:staticcheck
 	InboundOptions            option.InboundOptions
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
-	NetworkStrategy           C.NetworkStrategy
+	UDPTimeout                time.Duration
-	NetworkType               []C.InterfaceType
-	FallbackNetworkType       []C.InterfaceType
-	FallbackDelay             time.Duration
 
-	DNSServer string
+	NetworkStrategy     *C.NetworkStrategy
+	NetworkType         []C.InterfaceType
+	FallbackNetworkType []C.InterfaceType
+	FallbackDelay       time.Duration
 
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string

adapter/inbound/manager.go

@@ -18,6 +18,7 @@ var _ adapter.InboundManager = (*Manager)(nil)
 type Manager struct {
 	logger       log.ContextLogger
 	registry     adapter.InboundRegistry
+	endpoint     adapter.EndpointManager
 	access       sync.Mutex
 	started      bool
 	stage        adapter.StartStage
@@ -25,10 +26,11 @@ type Manager struct {
 	inboundByTag map[string]adapter.Inbound
 }
 
-func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry) *Manager {
+func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry, endpoint adapter.EndpointManager) *Manager {
 	return &Manager{
 		logger:       logger,
 		registry:     registry,
+		endpoint:     endpoint,
 		inboundByTag: make(map[string]adapter.Inbound),
 	}
 }
@@ -79,9 +81,12 @@ func (m *Manager) Inbounds() []adapter.Inbound {
 
 func (m *Manager) Get(tag string) (adapter.Inbound, bool) {
 	m.access.Lock()
-	defer m.access.Unlock()
 	inbound, found := m.inboundByTag[tag]
-	return inbound, found
+	m.access.Unlock()
+	if found {
+		return inbound, true
+	}
+	return m.endpoint.Get(tag)
 }
 
 func (m *Manager) Remove(tag string) error {

adapter/lifecycle_legacy.go

@@ -1,6 +1,9 @@
 package adapter
 
 func LegacyStart(starter any, stage StartStage) error {
+	if lifecycle, isLifecycle := starter.(Lifecycle); isLifecycle {
+		return lifecycle.Start(stage)
+	}
 	switch stage {
 	case StartStateInitialize:
 		if preStarter, isPreStarter := starter.(interface {

adapter/network.go

@@ -28,7 +28,7 @@ type NetworkManager interface {
 }
 
 type NetworkOptions struct {
-	NetworkStrategy     C.NetworkStrategy
+	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

adapter/outbound/adapter.go

@@ -5,35 +5,35 @@ import (
 )
 
 type Adapter struct {
-	protocol     string
+	outboundType string
+	outboundTag  string
 	network      []string
-	tag          string
 	dependencies []string
 }
 
-func NewAdapter(protocol string, network []string, tag string, dependencies []string) Adapter {
+func NewAdapter(outboundType string, outboundTag string, network []string, dependencies []string) Adapter {
 	return Adapter{
-		protocol:     protocol,
+		outboundType: outboundType,
+		outboundTag:  outboundTag,
 		network:      network,
-		tag:          tag,
 		dependencies: dependencies,
 	}
 }
 
-func NewAdapterWithDialerOptions(protocol string, network []string, tag string, dialOptions option.DialerOptions) Adapter {
+func NewAdapterWithDialerOptions(outboundType string, outboundTag string, network []string, dialOptions option.DialerOptions) Adapter {
 	var dependencies []string
 	if dialOptions.Detour != "" {
 		dependencies = []string{dialOptions.Detour}
 	}
-	return NewAdapter(protocol, network, tag, dependencies)
+	return NewAdapter(outboundType, outboundTag, network, dependencies)
 }
 
 func (a *Adapter) Type() string {
-	return a.protocol
+	return a.outboundType
 }
 
 func (a *Adapter) Tag() string {
-	return a.tag
+	return a.outboundTag
 }
 
 func (a *Adapter) Network() []string {

adapter/outbound/default.go

@@ -1,157 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"os"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
-	"github.com/sagernet/sing/common/canceler"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
-	defer conn.Close()
-	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.Conn
-	var err error
-	if len(metadata.DestinationAddresses) > 0 {
-		outConn, err = dialer.DialSerialNetwork(ctx, this, N.NetworkTCP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
-	} else {
-		outConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
-	}
-	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportConnHandshakeSuccess(conn, outConn)
-	if err != nil {
-		outConn.Close()
-		return err
-	}
-	return CopyEarlyConn(ctx, conn, outConn)
-}
-
-func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
-	defer conn.Close()
-	ctx = adapter.WithContext(ctx, &metadata)
-	var (
-		outPacketConn      net.PacketConn
-		outConn            net.Conn
-		destinationAddress netip.Addr
-		err                error
-	)
-	if metadata.UDPConnect {
-		if len(metadata.DestinationAddresses) > 0 {
-			if parallelDialer, isParallelDialer := this.(dialer.ParallelInterfaceDialer); isParallelDialer {
-				outConn, err = dialer.DialSerialNetwork(ctx, parallelDialer, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
-			} else {
-				outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
-			}
-		} else {
-			outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
-		}
-		if err != nil {
-			return N.ReportHandshakeFailure(conn, err)
-		}
-		outPacketConn = bufio.NewUnbindPacketConn(outConn)
-		connRemoteAddr := M.AddrFromNet(outConn.RemoteAddr())
-		if connRemoteAddr != metadata.Destination.Addr {
-			destinationAddress = connRemoteAddr
-		}
-	} else {
-		if len(metadata.DestinationAddresses) > 0 {
-			outPacketConn, destinationAddress, err = dialer.ListenSerialNetworkPacket(ctx, this, metadata.Destination, metadata.DestinationAddresses, metadata.NetworkStrategy, metadata.NetworkType, metadata.FallbackNetworkType, metadata.FallbackDelay)
-		} else {
-			outPacketConn, err = this.ListenPacket(ctx, metadata.Destination)
-		}
-		if err != nil {
-			return N.ReportHandshakeFailure(conn, err)
-		}
-	}
-	err = N.ReportPacketConnHandshakeSuccess(conn, outPacketConn)
-	if err != nil {
-		outPacketConn.Close()
-		return err
-	}
-	if destinationAddress.IsValid() {
-		var originDestination M.Socksaddr
-		if metadata.RouteOriginalDestination.IsValid() {
-			originDestination = metadata.RouteOriginalDestination
-		} else {
-			originDestination = metadata.Destination
-		}
-		if metadata.Destination != M.SocksaddrFrom(destinationAddress, metadata.Destination.Port) {
-			if metadata.UDPDisableDomainUnmapping {
-				outPacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
-			} else {
-				outPacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), originDestination)
-			}
-		}
-		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
-			natConn.UpdateDestination(destinationAddress)
-		}
-	}
-	switch metadata.Protocol {
-	case C.ProtocolSTUN:
-		ctx, conn = canceler.NewPacketConn(ctx, conn, C.STUNTimeout)
-	case C.ProtocolQUIC:
-		ctx, conn = canceler.NewPacketConn(ctx, conn, C.QUICTimeout)
-	case C.ProtocolDNS:
-		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
-	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outPacketConn))
-}
-
-func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
-	if cachedReader, isCached := conn.(N.CachedReader); isCached {
-		payload := cachedReader.ReadCached()
-		if payload != nil && !payload.IsEmpty() {
-			_, err := serverConn.Write(payload.Bytes())
-			payload.Release()
-			if err != nil {
-				serverConn.Close()
-				return err
-			}
-			return bufio.CopyConn(ctx, conn, serverConn)
-		}
-	}
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](serverConn); isEarlyConn && earlyConn.NeedHandshake() {
-		payload := buf.NewPacket()
-		err := conn.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
-		if err != os.ErrInvalid {
-			if err != nil {
-				payload.Release()
-				serverConn.Close()
-				return err
-			}
-			_, err = payload.ReadOnceFrom(conn)
-			if err != nil && !E.IsTimeout(err) {
-				payload.Release()
-				serverConn.Close()
-				return E.Cause(err, "read payload")
-			}
-			err = conn.SetReadDeadline(time.Time{})
-			if err != nil {
-				payload.Release()
-				serverConn.Close()
-				return err
-			}
-		}
-		_, err = serverConn.Write(payload.Bytes())
-		payload.Release()
-		if err != nil {
-			serverConn.Close()
-			return N.ReportHandshakeFailure(conn, err)
-		}
-	}
-	return bufio.CopyConn(ctx, conn, serverConn)
-}

adapter/outbound/manager.go

@@ -21,8 +21,9 @@ var _ adapter.OutboundManager = (*Manager)(nil)
 type Manager struct {
 	logger                  log.ContextLogger
 	registry                adapter.OutboundRegistry
+	endpoint                adapter.EndpointManager
 	defaultTag              string
-	access                  sync.Mutex
+	access                  sync.RWMutex
 	started                 bool
 	stage                   adapter.StartStage
 	outbounds               []adapter.Outbound
@@ -32,10 +33,11 @@ type Manager struct {
 	defaultOutboundFallback adapter.Outbound
 }
 
-func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, defaultTag string) *Manager {
+func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, endpoint adapter.EndpointManager, defaultTag string) *Manager {
 	return &Manager{
 		logger:        logger,
 		registry:      registry,
+		endpoint:      endpoint,
 		defaultTag:    defaultTag,
 		outboundByTag: make(map[string]adapter.Outbound),
 		dependByTag:   make(map[string][]string),
@@ -56,7 +58,14 @@ func (m *Manager) Start(stage adapter.StartStage) error {
 	outbounds := m.outbounds
 	m.access.Unlock()
 	if stage == adapter.StartStateStart {
-		return m.startOutbounds(outbounds)
+		if m.defaultTag != "" && m.defaultOutbound == nil {
+			defaultEndpoint, loaded := m.endpoint.Get(m.defaultTag)
+			if !loaded {
+				return E.New("default outbound not found: ", m.defaultTag)
+			}
+			m.defaultOutbound = defaultEndpoint
+		}
+		return m.startOutbounds(append(outbounds, common.Map(m.endpoint.Endpoints(), func(it adapter.Endpoint) adapter.Outbound { return it })...))
 	} else {
 		for _, outbound := range outbounds {
 			err := adapter.LegacyStart(outbound, stage)
@@ -87,7 +96,14 @@ func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
 			}
 			started[outboundTag] = true
 			canContinue = true
-			if starter, isStarter := outboundToStart.(interface {
+			if starter, isStarter := outboundToStart.(adapter.Lifecycle); isStarter {
+				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				err := starter.Start(adapter.StartStateStart)
+				monitor.Finish()
+				if err != nil {
+					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				}
+			} else if starter, isStarter := outboundToStart.(interface {
 				Start() error
 			}); isStarter {
 				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
@@ -153,21 +169,24 @@ func (m *Manager) Close() error {
 }
 
 func (m *Manager) Outbounds() []adapter.Outbound {
-	m.access.Lock()
+	m.access.RLock()
-	defer m.access.Unlock()
+	defer m.access.RUnlock()
 	return m.outbounds
 }
 
 func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
-	m.access.Lock()
+	m.access.RLock()
-	defer m.access.Unlock()
 	outbound, found := m.outboundByTag[tag]
-	return outbound, found
+	m.access.RUnlock()
+	if found {
+		return outbound, true
+	}
+	return m.endpoint.Get(tag)
 }
 
 func (m *Manager) Default() adapter.Outbound {
-	m.access.Lock()
+	m.access.RLock()
-	defer m.access.Unlock()
+	defer m.access.RUnlock()
 	if m.defaultOutbound != nil {
 		return m.defaultOutbound
 	} else {
@@ -177,9 +196,9 @@ func (m *Manager) Default() adapter.Outbound {
 
 func (m *Manager) Remove(tag string) error {
 	m.access.Lock()
+	defer m.access.Unlock()
 	outbound, found := m.outboundByTag[tag]
 	if !found {
-		m.access.Unlock()
 		return os.ErrInvalid
 	}
 	delete(m.outboundByTag, tag)
@@ -213,7 +232,6 @@ func (m *Manager) Remove(tag string) error {
 			})
 		}
 	}
-	m.access.Unlock()
 	if started {
 		return common.Close(outbound)
 	}

adapter/router.go

@@ -4,42 +4,25 @@ import (
 	"context"
 	"net"
 	"net/http"
-	"net/netip"
 	"sync"
 
-	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-dns"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 
-	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )
 
 type Router interface {
 	Lifecycle
-
-	FakeIPStore() FakeIPStore
-
 	ConnectionRouter
 	PreMatch(metadata InboundContext) error
 	ConnectionRouterEx
-
-	GeoIPReader() *geoip.Reader
-	LoadGeosite(code string) (Rule, error)
 	RuleSet(tag string) (RuleSet, bool)
 	NeedWIFIState() bool
-
-	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
-	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
-	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
-	ClearDNSCache()
 	Rules() []Rule
-
 	SetTracker(tracker ConnectionTracker)
-
 	ResetNetwork()
 }
 

adapter/rule.go

@@ -13,7 +13,6 @@ type Rule interface {
 	HeadlessRule
 	Service
 	Type() string
-	UpdateGeosite() error
 	Action() RuleAction
 }
 

adapter/upstream_legacy.go

@@ -18,6 +18,8 @@ type (
 )
 
 // Deprecated
+//
+//nolint:staticcheck
 func NewUpstreamHandler(
 	metadata InboundContext,
 	connectionHandler ConnectionHandlerFunc,
@@ -34,7 +36,9 @@ func NewUpstreamHandler(
 
 var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
 
-// Deprecated
+// Deprecated: use myUpstreamHandlerWrapperEx instead.
+//
+//nolint:staticcheck
 type myUpstreamHandlerWrapper struct {
 	metadata          InboundContext
 	connectionHandler ConnectionHandlerFunc
@@ -42,6 +46,7 @@ type myUpstreamHandlerWrapper struct {
 	errorHandler      E.Handler
 }
 
+// Deprecated: use myUpstreamHandlerWrapperEx instead.
 func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
@@ -53,6 +58,7 @@ func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.C
 	return w.connectionHandler(ctx, conn, myMetadata)
 }
 
+// Deprecated: use myUpstreamHandlerWrapperEx instead.
 func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
@@ -64,11 +70,12 @@ func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn
 	return w.packetHandler(ctx, conn, myMetadata)
 }
 
+// Deprecated: use myUpstreamHandlerWrapperEx instead.
 func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.errorHandler.NewError(ctx, err)
 }
 
-// Deprecated
+// Deprecated: removed
 func UpstreamMetadata(metadata InboundContext) M.Metadata {
 	return M.Metadata{
 		Source:      metadata.Source,
@@ -76,14 +83,14 @@ func UpstreamMetadata(metadata InboundContext) M.Metadata {
 	}
 }
 
-// Deprecated
+// Deprecated: Use NewUpstreamContextHandlerEx instead.
 type myUpstreamContextHandlerWrapper struct {
 	connectionHandler ConnectionHandlerFunc
 	packetHandler     PacketConnectionHandlerFunc
 	errorHandler      E.Handler
 }
 
-// Deprecated
+// Deprecated: Use NewUpstreamContextHandlerEx instead.
 func NewUpstreamContextHandler(
 	connectionHandler ConnectionHandlerFunc,
 	packetHandler PacketConnectionHandlerFunc,
@@ -96,6 +103,7 @@ func NewUpstreamContextHandler(
 	}
 }
 
+// Deprecated: Use NewUpstreamContextHandlerEx instead.
 func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
@@ -107,6 +115,7 @@ func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, con
 	return w.connectionHandler(ctx, conn, *myMetadata)
 }
 
+// Deprecated: Use NewUpstreamContextHandlerEx instead.
 func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
@@ -118,6 +127,7 @@ func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Contex
 	return w.packetHandler(ctx, conn, *myMetadata)
 }
 
+// Deprecated: Use NewUpstreamContextHandlerEx instead.
 func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.errorHandler.NewError(ctx, err)
 }
@@ -149,12 +159,15 @@ func NewRouteContextHandler(
 var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
 
 // Deprecated: Use ConnectionRouterEx instead.
+//
+//nolint:staticcheck
 type routeHandlerWrapper struct {
 	metadata InboundContext
 	router   ConnectionRouter
 	logger   logger.ContextLogger
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
@@ -166,6 +179,7 @@ func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn,
 	return w.router.RouteConnection(ctx, conn, myMetadata)
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
@@ -177,6 +191,7 @@ func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.Pa
 	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
@@ -189,6 +204,7 @@ type routeContextHandlerWrapper struct {
 	logger logger.ContextLogger
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
@@ -200,6 +216,7 @@ func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net
 	return w.router.RouteConnection(ctx, conn, *myMetadata)
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
@@ -211,6 +228,7 @@ func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, co
 	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
 }
 
+// Deprecated: Use ConnectionRouterEx instead.
 func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }

box.go

@@ -9,11 +9,15 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport/local"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
@@ -32,15 +36,19 @@ import (
 var _ adapter.Service = (*Box)(nil)
 
 type Box struct {
-	createdAt  time.Time
+	createdAt    time.Time
-	logFactory log.Factory
+	logFactory   log.Factory
-	logger     log.ContextLogger
+	logger       log.ContextLogger
-	network    *route.NetworkManager
+	network      *route.NetworkManager
-	router     *route.Router
+	endpoint     *endpoint.Manager
-	inbound    *inbound.Manager
+	inbound      *inbound.Manager
-	outbound   *outbound.Manager
+	outbound     *outbound.Manager
-	services   []adapter.LifecycleService
+	dnsTransport *dns.TransportManager
-	done       chan struct{}
+	dnsRouter    *dns.Router
+	connection   *route.ConnectionManager
+	router       *route.Router
+	services     []adapter.LifecycleService
+	done         chan struct{}
 }
 
 type Options struct {
@@ -53,6 +61,8 @@ func Context(
 	ctx context.Context,
 	inboundRegistry adapter.InboundRegistry,
 	outboundRegistry adapter.OutboundRegistry,
+	endpointRegistry adapter.EndpointRegistry,
+	dnsTransportRegistry adapter.DNSTransportRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -64,6 +74,15 @@ func Context(
 		ctx = service.ContextWith[option.OutboundOptionsRegistry](ctx, outboundRegistry)
 		ctx = service.ContextWith[adapter.OutboundRegistry](ctx, outboundRegistry)
 	}
+	if service.FromContext[option.EndpointOptionsRegistry](ctx) == nil ||
+		service.FromContext[adapter.EndpointRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.EndpointOptionsRegistry](ctx, endpointRegistry)
+		ctx = service.ContextWith[adapter.EndpointRegistry](ctx, endpointRegistry)
+	}
+	if service.FromContext[adapter.DNSTransportRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.DNSTransportOptionsRegistry](ctx, dnsTransportRegistry)
+		ctx = service.ContextWith[adapter.DNSTransportRegistry](ctx, dnsTransportRegistry)
+	}
 	return ctx
 }
 
@@ -75,12 +94,17 @@ func New(options Options) (*Box, error) {
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
 
+	endpointRegistry := service.FromContext[adapter.EndpointRegistry](ctx)
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
+	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
+	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
+
+	if endpointRegistry == nil {
+		return nil, E.New("missing endpoint registry in context")
+	}
 	if inboundRegistry == nil {
 		return nil, E.New("missing inbound registry in context")
 	}
-
-	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	if outboundRegistry == nil {
 		return nil, E.New("missing outbound registry in context")
 	}
@@ -118,20 +142,77 @@ func New(options Options) (*Box, error) {
 	}
 
 	routeOptions := common.PtrValueOrDefault(options.Route)
-	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry)
+	dnsOptions := common.PtrValueOrDefault(options.DNS)
-	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, routeOptions.Final)
+	endpointManager := endpoint.NewManager(logFactory.NewLogger("endpoint"), endpointRegistry)
+	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
+	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
+	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
+	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
-
+	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
+	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
+	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
 	}
 	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
-	router, err := route.NewRouter(ctx, logFactory, routeOptions, common.PtrValueOrDefault(options.DNS))
+	connectionManager := route.NewConnectionManager(logFactory.NewLogger("connection"))
+	service.MustRegister[adapter.ConnectionManager](ctx, connectionManager)
+	router := route.NewRouter(ctx, logFactory, routeOptions, dnsOptions)
+	service.MustRegister[adapter.Router](ctx, router)
+	err = router.Initialize(routeOptions.Rules, routeOptions.RuleSet)
 	if err != nil {
 		return nil, E.Cause(err, "initialize router")
 	}
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
+	var timeService *tls.TimeServiceWrapper
+	if ntpOptions.Enabled {
+		timeService = new(tls.TimeServiceWrapper)
+		service.MustRegister[ntp.TimeService](ctx, timeService)
+	}
+	for i, transportOptions := range dnsOptions.Servers {
+		var tag string
+		if transportOptions.Tag != "" {
+			tag = transportOptions.Tag
+		} else {
+			tag = F.ToString(i)
+		}
+		err = dnsTransportManager.Create(
+			ctx,
+			logFactory.NewLogger(F.ToString("dns/", transportOptions.Type, "[", tag, "]")),
+			tag,
+			transportOptions.Type,
+			transportOptions.Options,
+		)
+		if err != nil {
+			return nil, E.Cause(err, "initialize inbound[", i, "]")
+		}
+	}
+	err = dnsRouter.Initialize(dnsOptions.Rules)
+	if err != nil {
+		return nil, E.Cause(err, "initialize dns router")
+	}
+	for i, endpointOptions := range options.Endpoints {
+		var tag string
+		if endpointOptions.Tag != "" {
+			tag = endpointOptions.Tag
+		} else {
+			tag = F.ToString(i)
+		}
+		err = endpointManager.Create(
+			ctx,
+			router,
+			logFactory.NewLogger(F.ToString("endpoint/", endpointOptions.Type, "[", tag, "]")),
+			tag,
+			endpointOptions.Type,
+			endpointOptions.Options,
+		)
+		if err != nil {
+			return nil, E.Cause(err, "initialize inbound[", i, "]")
+		}
+	}
 	for i, inboundOptions := range options.Inbounds {
 		var tag string
 		if inboundOptions.Tag != "" {
@@ -139,7 +220,8 @@ func New(options Options) (*Box, error) {
 		} else {
 			tag = F.ToString(i)
 		}
-		err = inboundManager.Create(ctx,
+		err = inboundManager.Create(
+			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
@@ -185,6 +267,13 @@ func New(options Options) (*Box, error) {
 			option.DirectOutboundOptions{},
 		),
 	))
+	dnsTransportManager.Initialize(common.Must1(
+		local.NewTransport(
+			ctx,
+			logFactory.NewLogger("dns/local"),
+			"local",
+			option.LocalDNSServerOptions{},
+		)))
 	if platformInterface != nil {
 		err = platformInterface.Initialize(networkManager)
 		if err != nil {
@@ -219,13 +308,12 @@ func New(options Options) (*Box, error) {
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
-	ntpOptions := common.PtrValueOrDefault(options.NTP)
 	if ntpOptions.Enabled {
-		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
+		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions, ntpOptions.ServerIsDomain())
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
-		timeService := ntp.NewService(ntp.Options{
+		ntpService := ntp.NewService(ntp.Options{
 			Context:       ctx,
 			Dialer:        ntpDialer,
 			Logger:        logFactory.NewLogger("ntp"),
@@ -233,19 +321,23 @@ func New(options Options) (*Box, error) {
 			Interval:      time.Duration(ntpOptions.Interval),
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
-		service.MustRegister[ntp.TimeService](ctx, timeService)
+		timeService.TimeService = ntpService
-		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
+		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:    networkManager,
+		network:      networkManager,
-		router:     router,
+		endpoint:     endpointManager,
-		inbound:    inboundManager,
+		inbound:      inboundManager,
-		outbound:   outboundManager,
+		outbound:     outboundManager,
-		createdAt:  createdAt,
+		dnsTransport: dnsTransportManager,
-		logFactory: logFactory,
+		dnsRouter:    dnsRouter,
-		logger:     logFactory.Logger(),
+		connection:   connectionManager,
-		services:   services,
+		router:       router,
-		done:       make(chan struct{}),
+		createdAt:    createdAt,
+		logFactory:   logFactory,
+		logger:       logFactory.Logger(),
+		services:     services,
+		done:         make(chan struct{}),
 	}, nil
 }
 
@@ -299,11 +391,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.router, s.outbound, s.inbound)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.outbound, s.network, s.router)
+	err = adapter.Start(adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
 	if err != nil {
 		return err
 	}
@@ -323,7 +415,11 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.router, s.inbound)
+	err = adapter.Start(adapter.StartStateStart, s.endpoint)
+	if err != nil {
+		return err
+	}
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -331,7 +427,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.router, s.outbound, s.inbound)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@@ -350,7 +446,7 @@ func (s *Box) Close() error {
 		close(s.done)
 	}
 	err := common.Close(
-		s.inbound, s.outbound, s.router, s.network,
+		s.inbound, s.outbound, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
 	)
 	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {

cmd/internal/app_store_connect/main.go

@@ -0,0 +1,445 @@
+package main
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/sagernet/asc-go/asc"
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+func main() {
+	ctx := context.Background()
+	switch os.Args[1] {
+	case "next_macos_project_version":
+		err := fetchMacOSVersion(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "publish_testflight":
+		err := publishTestflight(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "cancel_app_store":
+		err := cancelAppStore(ctx, os.Args[2])
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "prepare_app_store":
+		err := prepareAppStore(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	case "publish_app_store":
+		err := publishAppStore(ctx)
+		if err != nil {
+			log.Fatal(err)
+		}
+	default:
+		log.Fatal("unknown action: ", os.Args[1])
+	}
+}
+
+const (
+	appID   = "6673731168"
+	groupID = "5c5f3b78-b7a0-40c0-bcad-e6ef87bbefda"
+)
+
+func createClient(expireDuration time.Duration) *asc.Client {
+	privateKey, err := os.ReadFile(os.Getenv("ASC_KEY_PATH"))
+	if err != nil {
+		log.Fatal(err)
+	}
+	tokenConfig, err := asc.NewTokenConfig(os.Getenv("ASC_KEY_ID"), os.Getenv("ASC_KEY_ISSUER_ID"), expireDuration, privateKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return asc.NewClient(tokenConfig.Client())
+}
+
+func fetchMacOSVersion(ctx context.Context) error {
+	client := createClient(time.Minute)
+	versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+		FilterPlatform: []string{"MAC_OS"},
+	})
+	if err != nil {
+		return err
+	}
+	var versionID string
+findVersion:
+	for _, version := range versions.Data {
+		switch *version.Attributes.AppStoreState {
+		case asc.AppStoreVersionStateReadyForSale,
+			asc.AppStoreVersionStatePendingDeveloperRelease:
+			versionID = version.ID
+			break findVersion
+		}
+	}
+	if versionID == "" {
+		return E.New("no version found")
+	}
+	latestBuild, _, err := client.Builds.GetBuildForAppStoreVersion(ctx, versionID, &asc.GetBuildForAppStoreVersionQuery{})
+	if err != nil {
+		return err
+	}
+	versionInt, err := strconv.Atoi(*latestBuild.Data.Attributes.Version)
+	if err != nil {
+		return E.Cause(err, "parse version code")
+	}
+	os.Stdout.WriteString(F.ToString(versionInt+1, "\n"))
+	return nil
+}
+
+func publishTestflight(ctx context.Context) error {
+	tagVersion, err := build_shared.ReadTagVersion()
+	if err != nil {
+		return err
+	}
+	tag := tagVersion.VersionString()
+	client := createClient(10 * time.Minute)
+
+	log.Info(tag, " list build IDs")
+	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
+	if err != nil {
+		return err
+	}
+	buildIDs := common.Map(buildIDsResponse.Data, func(it asc.RelationshipData) string {
+		return it.ID
+	})
+	var platforms []asc.Platform
+	if len(os.Args) == 3 {
+		switch os.Args[2] {
+		case "ios":
+			platforms = []asc.Platform{asc.PlatformIOS}
+		case "macos":
+			platforms = []asc.Platform{asc.PlatformMACOS}
+		case "tvos":
+			platforms = []asc.Platform{asc.PlatformTVOS}
+		default:
+			return E.New("unknown platform: ", os.Args[2])
+		}
+	} else {
+		platforms = []asc.Platform{
+			asc.PlatformIOS,
+			asc.PlatformMACOS,
+			asc.PlatformTVOS,
+		}
+	}
+	for _, platform := range platforms {
+		log.Info(string(platform), " list builds")
+		for {
+			builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+				FilterApp:                       []string{appID},
+				FilterPreReleaseVersionPlatform: []string{string(platform)},
+			})
+			if err != nil {
+				return err
+			}
+			build := builds.Data[0]
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
+				log.Info(string(platform), " ", tag, " waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			if *build.Attributes.ProcessingState != "VALID" {
+				log.Info(string(platform), " ", tag, " waiting for process: ", *build.Attributes.ProcessingState)
+				time.Sleep(15 * time.Second)
+				continue
+			}
+			log.Info(string(platform), " ", tag, " list localizations")
+			localizations, _, err := client.TestFlight.ListBetaBuildLocalizationsForBuild(ctx, build.ID, nil)
+			if err != nil {
+				return err
+			}
+			localization := common.Find(localizations.Data, func(it asc.BetaBuildLocalization) bool {
+				return *it.Attributes.Locale == "en-US"
+			})
+			if localization.ID == "" {
+				log.Fatal(string(platform), " ", tag, " no en-US localization found")
+			}
+			if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+				log.Info(string(platform), " ", tag, " update localization")
+				_, _, err = client.TestFlight.UpdateBetaBuildLocalization(ctx, localization.ID, common.Ptr(
+					F.ToString("sing-box ", tagVersion.String()),
+				))
+				if err != nil {
+					return err
+				}
+			}
+			log.Info(string(platform), " ", tag, " publish")
+			response, err := client.TestFlight.AddBuildsToBetaGroup(ctx, groupID, []string{build.ID})
+			if response != nil && response.StatusCode == http.StatusUnprocessableEntity {
+				log.Info("waiting for process")
+				time.Sleep(15 * time.Second)
+				continue
+			} else if err != nil {
+				return err
+			}
+			log.Info(string(platform), " ", tag, " list submissions")
+			betaSubmissions, _, err := client.TestFlight.ListBetaAppReviewSubmissions(ctx, &asc.ListBetaAppReviewSubmissionsQuery{
+				FilterBuild: []string{build.ID},
+			})
+			if err != nil {
+				return err
+			}
+			if len(betaSubmissions.Data) == 0 {
+				log.Info(string(platform), " ", tag, " create submission")
+				_, _, err = client.TestFlight.CreateBetaAppReviewSubmission(ctx, build.ID)
+				if err != nil {
+					return err
+				}
+			}
+			break
+		}
+	}
+	return nil
+}
+
+func cancelAppStore(ctx context.Context, platform string) error {
+	switch platform {
+	case "ios":
+		platform = string(asc.PlatformIOS)
+	case "macos":
+		platform = string(asc.PlatformMACOS)
+	case "tvos":
+		platform = string(asc.PlatformTVOS)
+	}
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for {
+		log.Info(platform, " list versions")
+		versions, response, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if isRetryable(response) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		if version.ID == "" {
+			return nil
+		}
+		log.Info(platform, " ", tag, " get submission")
+		submission, response, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
+		if response != nil && response.StatusCode == http.StatusNotFound {
+			return nil
+		}
+		if isRetryable(response) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		log.Info(platform, " ", tag, " delete submission")
+		_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+func prepareAppStore(ctx context.Context) error {
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for _, platform := range []asc.Platform{
+		asc.PlatformIOS,
+		asc.PlatformMACOS,
+		asc.PlatformTVOS,
+	} {
+		log.Info(string(platform), " list versions")
+		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		log.Info(string(platform), " ", tag, " list builds")
+		builds, _, err := client.Builds.ListBuilds(ctx, &asc.ListBuildsQuery{
+			FilterApp:                       []string{appID},
+			FilterPreReleaseVersionPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		if len(builds.Data) == 0 {
+			log.Fatal(platform, " ", tag, " no build found")
+		}
+		buildID := common.Ptr(builds.Data[0].ID)
+		if version.ID == "" {
+			log.Info(string(platform), " ", tag, " create version")
+			newVersion, _, err := client.Apps.CreateAppStoreVersion(ctx, asc.AppStoreVersionCreateRequestAttributes{
+				Platform:      platform,
+				VersionString: tag,
+			}, appID, buildID)
+			if err != nil {
+				return err
+			}
+			version = newVersion.Data
+
+		} else {
+			log.Info(string(platform), " ", tag, " check build")
+			currentBuild, response, err := client.Apps.GetBuildIDForAppStoreVersion(ctx, version.ID)
+			if err != nil {
+				return err
+			}
+			if response.StatusCode != http.StatusOK || currentBuild.Data.ID != *buildID {
+				switch *version.Attributes.AppStoreState {
+				case asc.AppStoreVersionStatePrepareForSubmission,
+					asc.AppStoreVersionStateRejected,
+					asc.AppStoreVersionStateDeveloperRejected:
+				case asc.AppStoreVersionStateWaitingForReview,
+					asc.AppStoreVersionStateInReview,
+					asc.AppStoreVersionStatePendingDeveloperRelease:
+					submission, _, err := client.Submission.GetAppStoreVersionSubmissionForAppStoreVersion(ctx, version.ID, nil)
+					if err != nil {
+						return err
+					}
+					if submission != nil {
+						log.Info(string(platform), " ", tag, " delete submission")
+						_, err = client.Submission.DeleteSubmission(ctx, submission.Data.ID)
+						if err != nil {
+							return err
+						}
+						time.Sleep(5 * time.Second)
+					}
+				default:
+					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+				}
+				log.Info(string(platform), " ", tag, " update build")
+				response, err = client.Apps.UpdateBuildForAppStoreVersion(ctx, version.ID, buildID)
+				if err != nil {
+					return err
+				}
+				if response.StatusCode != http.StatusNoContent {
+					response.Write(os.Stderr)
+					log.Fatal(string(platform), " ", tag, " unexpected response: ", response.Status)
+				}
+			} else {
+				switch *version.Attributes.AppStoreState {
+				case asc.AppStoreVersionStatePrepareForSubmission,
+					asc.AppStoreVersionStateRejected,
+					asc.AppStoreVersionStateDeveloperRejected:
+				case asc.AppStoreVersionStateWaitingForReview,
+					asc.AppStoreVersionStateInReview,
+					asc.AppStoreVersionStatePendingDeveloperRelease:
+					continue
+				default:
+					log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+				}
+			}
+		}
+		log.Info(string(platform), " ", tag, " list localization")
+		localizations, _, err := client.Apps.ListLocalizationsForAppStoreVersion(ctx, version.ID, nil)
+		if err != nil {
+			return err
+		}
+		localization := common.Find(localizations.Data, func(it asc.AppStoreVersionLocalization) bool {
+			return *it.Attributes.Locale == "en-US"
+		})
+		if localization.ID == "" {
+			log.Info(string(platform), " ", tag, " no en-US localization found")
+		}
+		if localization.Attributes == nil || localization.Attributes.WhatsNew == nil || *localization.Attributes.WhatsNew == "" {
+			log.Info(string(platform), " ", tag, " update localization")
+			_, _, err = client.Apps.UpdateAppStoreVersionLocalization(ctx, localization.ID, &asc.AppStoreVersionLocalizationUpdateRequestAttributes{
+				PromotionalText: common.Ptr("Yet another distribution for sing-box, the universal proxy platform."),
+				WhatsNew:        common.Ptr(F.ToString("sing-box ", tag, ": Fixes and improvements.")),
+			})
+			if err != nil {
+				return err
+			}
+		}
+		log.Info(string(platform), " ", tag, " create submission")
+	fixSubmit:
+		for {
+			_, response, err := client.Submission.CreateSubmission(ctx, version.ID)
+			if err != nil {
+				switch response.StatusCode {
+				case http.StatusInternalServerError:
+					continue
+				default:
+					return err
+				}
+			}
+			switch response.StatusCode {
+			case http.StatusCreated:
+				break fixSubmit
+			default:
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func publishAppStore(ctx context.Context) error {
+	tag, err := build_shared.ReadTag()
+	if err != nil {
+		return err
+	}
+	client := createClient(time.Minute)
+	for _, platform := range []asc.Platform{
+		asc.PlatformIOS,
+		asc.PlatformMACOS,
+		asc.PlatformTVOS,
+	} {
+		log.Info(string(platform), " list versions")
+		versions, _, err := client.Apps.ListAppStoreVersionsForApp(ctx, appID, &asc.ListAppStoreVersionsQuery{
+			FilterPlatform: []string{string(platform)},
+		})
+		if err != nil {
+			return err
+		}
+		version := common.Find(versions.Data, func(it asc.AppStoreVersion) bool {
+			return *it.Attributes.VersionString == tag
+		})
+		switch *version.Attributes.AppStoreState {
+		case asc.AppStoreVersionStatePrepareForSubmission, asc.AppStoreVersionStateDeveloperRejected:
+			log.Fatal(string(platform), " ", tag, " not submitted")
+		case asc.AppStoreVersionStateWaitingForReview,
+			asc.AppStoreVersionStateInReview:
+			log.Warn(string(platform), " ", tag, " waiting for review")
+			continue
+		case asc.AppStoreVersionStatePendingDeveloperRelease:
+		default:
+			log.Fatal(string(platform), " ", tag, " unknown state ", string(*version.Attributes.AppStoreState))
+		}
+		_, _, err = client.Publishing.CreatePhasedRelease(ctx, common.Ptr(asc.PhasedReleaseStateComplete), version.ID)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func isRetryable(response *asc.Response) bool {
+	if response == nil {
+		return false
+	}
+	switch response.StatusCode {
+	case http.StatusInternalServerError, http.StatusUnprocessableEntity:
+		return true
+	default:
+		return false
+	}
+}

cmd/internal/build_libbox/main.go

@@ -10,17 +10,21 @@ import (
 	_ "github.com/sagernet/gomobile"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/shell"
 )
 
 var (
 	debugEnabled bool
 	target       string
+	platform     string
 )
 
 func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
+	flag.StringVar(&platform, "platform", "", "specify platform")
 }
 
 func main() {
@@ -31,8 +35,8 @@ func main() {
 	switch target {
 	case "android":
 		buildAndroid()
-	case "ios":
+	case "apple":
-		buildiOS()
+		buildApple()
 	}
 }
 
@@ -51,10 +55,10 @@ func init() {
 	if err != nil {
 		currentTag = "unknown"
 	}
-	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
+	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid= -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api", "with_tailscale")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
@@ -62,9 +66,35 @@ func init() {
 func buildAndroid() {
 	build_shared.FindSDK()
 
+	var javaPath string
+	javaHome := os.Getenv("JAVA_HOME")
+	if javaHome == "" {
+		javaPath = "java"
+	} else {
+		javaPath = filepath.Join(javaHome, "bin", "java")
+	}
+
+	javaVersion, err := shell.Exec(javaPath, "--version").ReadOutput()
+	if err != nil {
+		log.Fatal(E.Cause(err, "check java version"))
+	}
+	if !strings.Contains(javaVersion, "openjdk 17") {
+		log.Fatal("java version should be openjdk 17")
+	}
+
+	var bindTarget string
+	if platform != "" {
+		bindTarget = platform
+	} else if debugEnabled {
+		bindTarget = "android/arm64"
+	} else {
+		bindTarget = "android"
+	}
+
 	args := []string{
 		"bind",
 		"-v",
+		"-target", bindTarget,
 		"-androidapi", "21",
 		"-javapkg=io.nekohasekai",
 		"-libname=box",
@@ -86,7 +116,7 @@ func buildAndroid() {
 	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
-	err := command.Run()
+	err = command.Run()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -103,11 +133,20 @@ func buildAndroid() {
 	}
 }
 
-func buildiOS() {
+func buildApple() {
+	var bindTarget string
+	if platform != "" {
+		bindTarget = platform
+	} else if debugEnabled {
+		bindTarget = "ios"
+	} else {
+		bindTarget = "ios,tvos,macos"
+	}
+
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
+		"-target", bindTarget,
 		"-libname=box",
 	}
 	if !debugEnabled {

cmd/internal/build_shared/sdk.go

@@ -11,9 +11,7 @@ import (
 
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -42,14 +40,6 @@ func FindSDK() {
 		log.Fatal("android NDK not found")
 	}
 
-	javaVersion, err := shell.Exec("java", "--version").ReadOutput()
-	if err != nil {
-		log.Fatal(E.Cause(err, "check java version"))
-	}
-	if !strings.Contains(javaVersion, "openjdk 17") {
-		log.Fatal("java version should be openjdk 17")
-	}
-
 	os.Setenv("ANDROID_HOME", androidSDKPath)
 	os.Setenv("ANDROID_SDK_HOME", androidSDKPath)
 	os.Setenv("ANDROID_NDK_HOME", androidNDKPath)
@@ -58,12 +48,16 @@ func FindSDK() {
 }
 
 func findNDK() bool {
-	const fixedVersion = "26.2.11394342"
+	const fixedVersion = "28.0.12674087"
 	const versionFile = "source.properties"
 	if fixedPath := filepath.Join(androidSDKPath, "ndk", fixedVersion); rw.IsFile(filepath.Join(fixedPath, versionFile)) {
 		androidNDKPath = fixedPath
 		return true
 	}
+	if ndkHomeEnv := os.Getenv("ANDROID_NDK_HOME"); rw.IsFile(filepath.Join(ndkHomeEnv, versionFile)) {
+		androidNDKPath = ndkHomeEnv
+		return true
+	}
 	ndkVersions, err := os.ReadDir(filepath.Join(androidSDKPath, "ndk"))
 	if err != nil {
 		return false

cmd/internal/build_shared/tag.go

@@ -20,6 +20,11 @@ func ReadTag() (string, error) {
 	return version.String() + "-" + shortCommit, nil
 }
 
+func ReadTagVersionRev() (badversion.Version, error) {
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	return badversion.Parse(currentTagRev[1:]), nil
+}
+
 func ReadTagVersion() (badversion.Version, error) {
 	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())

cmd/internal/read_tag/main.go

@@ -1,21 +1,62 @@
 package main
 
 import (
+	"flag"
 	"os"
 
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 )
 
+var nightly bool
+
+func init() {
+	flag.BoolVar(&nightly, "nightly", false, "Print nightly tag")
+}
+
 func main() {
-	currentTag, err := build_shared.ReadTag()
+	flag.Parse()
-	if err != nil {
+	if nightly {
-		log.Error(err)
+		version, err := build_shared.ReadTagVersionRev()
-		_, err = os.Stdout.WriteString("unknown\n")
+		if err != nil {
+			log.Fatal(err)
+		}
+		var versionStr string
+		if version.PreReleaseIdentifier != "" {
+			versionStr = version.VersionString() + "-nightly"
+		} else {
+			version.Patch++
+			versionStr = version.VersionString() + "-nightly"
+		}
+		err = setGitHubEnv("version", versionStr)
+		if err != nil {
+			log.Fatal(err)
+		}
 	} else {
-		_, err = os.Stdout.WriteString(currentTag + "\n")
+		tag, err := build_shared.ReadTag()
-	}
+		if err != nil {
-	if err != nil {
+			log.Error(err)
-		log.Error(err)
+			os.Stdout.WriteString("unknown\n")
+		} else {
+			os.Stdout.WriteString(tag + "\n")
+		}
 	}
 }
+
+func setGitHubEnv(name string, value string) error {
+	outputFile, err := os.OpenFile(os.Getenv("GITHUB_ENV"), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
+	if err != nil {
+		return err
+	}
+	_, err = outputFile.WriteString(name + "=" + value + "\n")
+	if err != nil {
+		outputFile.Close()
+		return err
+	}
+	err = outputFile.Close()
+	if err != nil {
+		return err
+	}
+	os.Stderr.WriteString(name + "=" + value + "\n")
+	return nil
+}

cmd/internal/update_android_version/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -12,9 +13,22 @@ import (
 	"github.com/sagernet/sing/common"
 )
 
+var flagRunInCI bool
+
+func init() {
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+}
+
 func main() {
-	newVersion := common.Must1(build_shared.ReadTagVersion())
+	flag.Parse()
-	androidPath, err := filepath.Abs("../sing-box-for-android")
+	newVersion := common.Must1(build_shared.ReadTag())
+	var androidPath string
+	if flagRunInCI {
+		androidPath = "clients/android"
+	} else {
+		androidPath = "../sing-box-for-android"
+	}
+	androidPath, err := filepath.Abs(androidPath)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -31,10 +45,10 @@ func main() {
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_NAME":
-			if propPair[1] != newVersion.String() {
+			if propPair[1] != newVersion {
 				versionUpdated = true
-				propPair[1] = newVersion.String()
+				propPair[1] = newVersion
-				log.Info("updated version to ", newVersion.String())
+				log.Info("updated version to ", newVersion)
 			}
 		case "GO_VERSION":
 			if propPair[1] != runtime.Version() {

cmd/internal/update_apple_version/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -13,9 +14,22 @@ import (
 	"howett.net/plist"
 )
 
+var flagRunInCI bool
+
+func init() {
+	flag.BoolVar(&flagRunInCI, "ci", false, "Run in CI")
+}
+
 func main() {
+	flag.Parse()
 	newVersion := common.Must1(build_shared.ReadTagVersion())
-	applePath, err := filepath.Abs("../sing-box-for-apple")
+	var applePath string
+	if flagRunInCI {
+		applePath = "clients/apple"
+	} else {
+		applePath = "../sing-box-for-apple"
+	}
+	applePath, err := filepath.Abs(applePath)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/sing-box/cmd.go

@@ -69,5 +69,5 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
-	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry())
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
 }

cmd/sing-box/cmd_merge.go

@@ -18,7 +18,7 @@ import (
 )
 
 var commandMerge = &cobra.Command{
-	Use:   "merge <output>",
+	Use:   "merge <output-path>",
 	Short: "Merge configurations",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := merge(args[0])

cmd/sing-box/cmd_rule_set_merge.go

@@ -0,0 +1,162 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/json/badjson"
+	"github.com/sagernet/sing/common/rw"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	ruleSetPaths       []string
+	ruleSetDirectories []string
+)
+
+var commandRuleSetMerge = &cobra.Command{
+	Use:   "merge <output-path>",
+	Short: "Merge rule-set source files",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := mergeRuleSet(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+	Args: cobra.ExactArgs(1),
+}
+
+func init() {
+	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetPaths, "config", "c", nil, "set input rule-set file path")
+	commandRuleSetMerge.Flags().StringArrayVarP(&ruleSetDirectories, "config-directory", "C", nil, "set input rule-set directory path")
+	commandRuleSet.AddCommand(commandRuleSetMerge)
+}
+
+type RuleSetEntry struct {
+	content []byte
+	path    string
+	options option.PlainRuleSetCompat
+}
+
+func readRuleSetAt(path string) (*RuleSetEntry, error) {
+	var (
+		configContent []byte
+		err           error
+	)
+	if path == "stdin" {
+		configContent, err = io.ReadAll(os.Stdin)
+	} else {
+		configContent, err = os.ReadFile(path)
+	}
+	if err != nil {
+		return nil, E.Cause(err, "read config at ", path)
+	}
+	options, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, configContent)
+	if err != nil {
+		return nil, E.Cause(err, "decode config at ", path)
+	}
+	return &RuleSetEntry{
+		content: configContent,
+		path:    path,
+		options: options,
+	}, nil
+}
+
+func readRuleSet() ([]*RuleSetEntry, error) {
+	var optionsList []*RuleSetEntry
+	for _, path := range ruleSetPaths {
+		optionsEntry, err := readRuleSetAt(path)
+		if err != nil {
+			return nil, err
+		}
+		optionsList = append(optionsList, optionsEntry)
+	}
+	for _, directory := range ruleSetDirectories {
+		entries, err := os.ReadDir(directory)
+		if err != nil {
+			return nil, E.Cause(err, "read rule-set directory at ", directory)
+		}
+		for _, entry := range entries {
+			if !strings.HasSuffix(entry.Name(), ".json") || entry.IsDir() {
+				continue
+			}
+			optionsEntry, err := readRuleSetAt(filepath.Join(directory, entry.Name()))
+			if err != nil {
+				return nil, err
+			}
+			optionsList = append(optionsList, optionsEntry)
+		}
+	}
+	sort.Slice(optionsList, func(i, j int) bool {
+		return optionsList[i].path < optionsList[j].path
+	})
+	return optionsList, nil
+}
+
+func readRuleSetAndMerge() (option.PlainRuleSetCompat, error) {
+	optionsList, err := readRuleSet()
+	if err != nil {
+		return option.PlainRuleSetCompat{}, err
+	}
+	if len(optionsList) == 1 {
+		return optionsList[0].options, nil
+	}
+	var optionVersion uint8
+	for _, options := range optionsList {
+		if optionVersion < options.options.Version {
+			optionVersion = options.options.Version
+		}
+	}
+	var mergedMessage json.RawMessage
+	for _, options := range optionsList {
+		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
+		if err != nil {
+			return option.PlainRuleSetCompat{}, E.Cause(err, "merge config at ", options.path)
+		}
+	}
+	mergedOptions, err := json.UnmarshalExtendedContext[option.PlainRuleSetCompat](globalCtx, mergedMessage)
+	if err != nil {
+		return option.PlainRuleSetCompat{}, E.Cause(err, "unmarshal merged config")
+	}
+	mergedOptions.Version = optionVersion
+	return mergedOptions, nil
+}
+
+func mergeRuleSet(outputPath string) error {
+	mergedOptions, err := readRuleSetAndMerge()
+	if err != nil {
+		return err
+	}
+	buffer := new(bytes.Buffer)
+	encoder := json.NewEncoder(buffer)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(mergedOptions)
+	if err != nil {
+		return E.Cause(err, "encode config")
+	}
+	if existsContent, err := os.ReadFile(outputPath); err != nil {
+		if string(existsContent) == buffer.String() {
+			return nil
+		}
+	}
+	err = rw.MkdirParent(outputPath)
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(outputPath, buffer.Bytes(), 0o644)
+	if err != nil {
+		return err
+	}
+	outputPath, _ = filepath.Abs(outputPath)
+	os.Stderr.WriteString(outputPath + "\n")
+	return nil
+}

cmd/sing-box/cmd_tools.go

@@ -30,7 +30,7 @@ func createPreStartedClient() (*box.Box, error) {
 			return nil, err
 		}
 	}
-	instance, err := box.New(box.Options{Options: options})
+	instance, err := box.New(box.Options{Context: globalCtx, Options: options})
 	if err != nil {
 		return nil, E.Cause(err, "create service")
 	}

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -21,7 +21,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 		return err
 	}
 	http3Client = &http.Client{
-		Transport: &http3.RoundTripper{
+		Transport: &http3.Transport{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)

cmd/sing-box/cmd_tools_synctime.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"os"
 
-	"github.com/sagernet/sing-box/common/settings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -58,7 +57,7 @@ func syncTime() error {
 		return err
 	}
 	if commandSyncTimeWrite {
-		err = settings.SetSystemTime(response.Time)
+		err = ntp.SetSystemTime(response.Time)
 		if err != nil {
 			return E.Cause(err, "write time to system")
 		}

common/dialer/default.go

@@ -2,13 +2,16 @@ package dialer
 
 import (
 	"context"
+	"errors"
 	"net"
 	"net/netip"
+	"syscall"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/conntrack"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/atomic"
@@ -16,6 +19,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )
 
 var (
@@ -24,31 +28,36 @@ var (
 )
 
 type DefaultDialer struct {
-	dialer4              tcpDialer
+	dialer4                tcpDialer
-	dialer6              tcpDialer
+	dialer6                tcpDialer
-	udpDialer4           net.Dialer
+	udpDialer4             net.Dialer
-	udpDialer6           net.Dialer
+	udpDialer6             net.Dialer
-	udpListener          net.ListenConfig
+	udpListener            net.ListenConfig
-	udpAddr4             string
+	udpAddr4               string
-	udpAddr6             string
+	udpAddr6               string
-	isWireGuardListener  bool
+	isWireGuardListener    bool
-	networkManager       adapter.NetworkManager
+	networkManager         adapter.NetworkManager
-	networkStrategy      C.NetworkStrategy
+	networkStrategy        *C.NetworkStrategy
-	networkType          []C.InterfaceType
+	defaultNetworkStrategy bool
-	fallbackNetworkType  []C.InterfaceType
+	networkType            []C.InterfaceType
-	networkFallbackDelay time.Duration
+	fallbackNetworkType    []C.InterfaceType
-	networkLastFallback  atomic.TypedValue[time.Time]
+	networkFallbackDelay   time.Duration
+	networkLastFallback    atomic.TypedValue[time.Time]
 }
 
-func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDialer, error) {
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
+	platformInterface := service.FromContext[platform.Interface](ctx)
+
 	var (
-		dialer               net.Dialer
+		dialer                 net.Dialer
-		listener             net.ListenConfig
+		listener               net.ListenConfig
-		interfaceFinder      control.InterfaceFinder
+		interfaceFinder        control.InterfaceFinder
-		networkStrategy      C.NetworkStrategy
+		networkStrategy        *C.NetworkStrategy
-		networkType          []C.InterfaceType
+		defaultNetworkStrategy bool
-		fallbackNetworkType  []C.InterfaceType
+		networkType            []C.InterfaceType
-		networkFallbackDelay time.Duration
+		fallbackNetworkType    []C.InterfaceType
+		networkFallbackDelay   time.Duration
 	)
 	if networkManager != nil {
 		interfaceFinder = networkManager.InterfaceFinder()
@@ -74,39 +83,52 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 			listener.Control = control.Append(listener.Control, control.RoutingMark(autoRedirectOutputMark))
 		}
 	}
-	if C.NetworkStrategy(options.NetworkStrategy) != C.NetworkStrategyDefault {
+	disableDefaultBind := options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil
-		if options.BindInterface != "" || options.Inet4BindAddress != nil || options.Inet6BindAddress != nil {
+	if disableDefaultBind || options.TCPFastOpen {
-			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`")
+		if options.NetworkStrategy != nil || len(options.NetworkType) > 0 && options.FallbackNetworkType == nil && options.FallbackDelay == 0 {
-		}
+			return nil, E.New("`network_strategy` is conflict with `bind_interface`, `inet4_bind_address`, `inet6_bind_address` and `tcp_fast_open`")
-		networkStrategy = C.NetworkStrategy(options.NetworkStrategy)
-		networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
-		fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
-		networkFallbackDelay = time.Duration(options.NetworkFallbackDelay)
-		if networkManager == nil || !networkManager.AutoDetectInterface() {
-			return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
 		}
 	}
-	if networkManager != nil && options.BindInterface == "" && options.Inet4BindAddress == nil && options.Inet6BindAddress == nil {
+
+	if networkManager != nil {
 		defaultOptions := networkManager.DefaultOptions()
-		if defaultOptions.BindInterface != "" {
+		if !disableDefaultBind {
-			bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
+			if defaultOptions.BindInterface != "" {
-			dialer.Control = control.Append(dialer.Control, bindFunc)
+				bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), defaultOptions.BindInterface, -1)
-			listener.Control = control.Append(listener.Control, bindFunc)
-		} else if networkManager.AutoDetectInterface() {
-			if defaultOptions.NetworkStrategy != C.NetworkStrategyDefault && C.NetworkStrategy(options.NetworkStrategy) == C.NetworkStrategyDefault {
-				networkStrategy = defaultOptions.NetworkStrategy
-				networkType = defaultOptions.NetworkType
-				fallbackNetworkType = defaultOptions.FallbackNetworkType
-				networkFallbackDelay = defaultOptions.FallbackDelay
-				bindFunc := networkManager.ProtectFunc()
-				dialer.Control = control.Append(dialer.Control, bindFunc)
-				listener.Control = control.Append(listener.Control, bindFunc)
-			} else {
-				bindFunc := networkManager.AutoDetectInterfaceFunc()
 				dialer.Control = control.Append(dialer.Control, bindFunc)
 				listener.Control = control.Append(listener.Control, bindFunc)
+			} else if networkManager.AutoDetectInterface() {
+				if platformInterface != nil {
+					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
+					if networkStrategy == nil {
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+						defaultNetworkStrategy = true
+					}
+					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
+					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
+					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
+						networkStrategy = defaultOptions.NetworkStrategy
+						networkType = defaultOptions.NetworkType
+						fallbackNetworkType = defaultOptions.FallbackNetworkType
+					}
+					networkFallbackDelay = time.Duration(options.FallbackDelay)
+					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
+						networkFallbackDelay = defaultOptions.FallbackDelay
+					}
+					bindFunc := networkManager.ProtectFunc()
+					dialer.Control = control.Append(dialer.Control, bindFunc)
+					listener.Control = control.Append(listener.Control, bindFunc)
+				} else {
+					bindFunc := networkManager.AutoDetectInterfaceFunc()
+					dialer.Control = control.Append(dialer.Control, bindFunc)
+					listener.Control = control.Append(listener.Control, bindFunc)
+				}
 			}
 		}
+		if options.RoutingMark == 0 && defaultOptions.RoutingMark != 0 {
+			dialer.Control = control.Append(dialer.Control, control.RoutingMark(defaultOptions.RoutingMark))
+			listener.Control = control.Append(listener.Control, control.RoutingMark(defaultOptions.RoutingMark))
+		}
 	}
 	if options.ReuseAddr {
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
@@ -166,9 +188,6 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
-	if networkStrategy != C.NetworkStrategyDefault && options.TCPFastOpen {
-		return nil, E.New("`tcp_fast_open` is conflict with `network_strategy` or `route.default_network_strategy`")
-	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
@@ -178,19 +197,20 @@ func NewDefault(networkManager adapter.NetworkManager, options option.DialerOpti
 		return nil, err
 	}
 	return &DefaultDialer{
-		dialer4:              tcpDialer4,
+		dialer4:                tcpDialer4,
-		dialer6:              tcpDialer6,
+		dialer6:                tcpDialer6,
-		udpDialer4:           udpDialer4,
+		udpDialer4:             udpDialer4,
-		udpDialer6:           udpDialer6,
+		udpDialer6:             udpDialer6,
-		udpListener:          listener,
+		udpListener:            listener,
-		udpAddr4:             udpAddr4,
+		udpAddr4:               udpAddr4,
-		udpAddr6:             udpAddr6,
+		udpAddr6:               udpAddr6,
-		isWireGuardListener:  options.IsWireGuardListener,
+		isWireGuardListener:    options.IsWireGuardListener,
-		networkManager:       networkManager,
+		networkManager:         networkManager,
-		networkStrategy:      networkStrategy,
+		networkStrategy:        networkStrategy,
-		networkType:          networkType,
+		defaultNetworkStrategy: defaultNetworkStrategy,
-		fallbackNetworkType:  fallbackNetworkType,
+		networkType:            networkType,
-		networkFallbackDelay: networkFallbackDelay,
+		fallbackNetworkType:    fallbackNetworkType,
+		networkFallbackDelay:   networkFallbackDelay,
 	}, nil
 }
 
@@ -198,7 +218,7 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
 	}
-	if d.networkStrategy == C.NetworkStrategyDefault {
+	if d.networkStrategy == nil {
 		switch N.NetworkName(network) {
 		case N.NetworkUDP:
 			if !address.IsIPv6() {
@@ -217,12 +237,21 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	}
 }
 
-func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network string, address M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
-	if strategy == C.NetworkStrategyDefault {
+	if strategy == nil {
+		strategy = d.networkStrategy
+	}
+	if strategy == nil {
 		return d.DialContext(ctx, network, address)
 	}
-	if !d.networkManager.AutoDetectInterface() {
+	if len(interfaceType) == 0 {
-		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
+		interfaceType = d.networkType
+	}
+	if len(fallbackInterfaceType) == 0 {
+		fallbackInterfaceType = d.fallbackNetworkType
+	}
+	if fallbackDelay == 0 {
+		fallbackDelay = d.networkFallbackDelay
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
@@ -237,12 +266,18 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 		err       error
 	)
 	if !fastFallback {
-		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		conn, isPrimary, err = d.dialParallelInterface(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
-		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
+		conn, isPrimary, err = d.dialParallelInterfaceFastFallback(ctx, dialer, network, address.String(), *strategy, interfaceType, fallbackInterfaceType, fallbackDelay, d.networkLastFallback.Store)
 	}
 	if err != nil {
-		return nil, err
+		// bind interface failed on legacy xiaomi systems
+		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
+			d.networkStrategy = nil
+			return d.DialContext(ctx, network, address)
+		} else {
+			return nil, err
+		}
 	}
 	if !fastFallback && !isPrimary {
 		d.networkLastFallback.Store(time.Now())
@@ -251,7 +286,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if d.networkStrategy == C.NetworkStrategyDefault {
+	if d.networkStrategy == nil {
 		if destination.IsIPv6() {
 			return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 		} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
@@ -264,22 +299,41 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	}
 }
 
-func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
-	if strategy == C.NetworkStrategyDefault {
+	if strategy == nil {
+		strategy = d.networkStrategy
+	}
+	if strategy == nil {
 		return d.ListenPacket(ctx, destination)
 	}
-	if !d.networkManager.AutoDetectInterface() {
+	if len(interfaceType) == 0 {
-		return nil, E.New("`route.auto_detect_interface` is require by `network_strategy`")
+		interfaceType = d.networkType
+	}
+	if len(fallbackInterfaceType) == 0 {
+		fallbackInterfaceType = d.fallbackNetworkType
+	}
+	if fallbackDelay == 0 {
+		fallbackDelay = d.networkFallbackDelay
 	}
 	network := N.NetworkUDP
 	if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
 		network += "4"
 	}
-	return trackPacketConn(d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", strategy, interfaceType, fallbackInterfaceType, fallbackDelay))
+	packetConn, err := d.listenSerialInterfacePacket(ctx, d.udpListener, network, "", *strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+	if err != nil {
+		// bind interface failed on legacy xiaomi systems
+		if d.defaultNetworkStrategy && errors.Is(err, syscall.EPERM) {
+			d.networkStrategy = nil
+			return d.ListenPacket(ctx, destination)
+		} else {
+			return nil, err
+		}
+	}
+	return trackPacketConn(packetConn, nil)
 }
 
 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	return trackPacketConn(d.listenSerialInterfacePacket(context.Background(), d.udpListener, network, address, d.networkStrategy, d.networkType, d.fallbackNetworkType, d.networkFallbackDelay))
+	return d.udpListener.ListenPacket(context.Background(), network, address)
 }
 
 func trackConn(conn net.Conn, err error) (net.Conn, error) {

common/dialer/default_parallel_interface.go

@@ -35,12 +35,12 @@ func (d *DefaultDialer) dialParallelInterface(ctx context.Context, dialer net.Di
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn}:
+			case results <- dialResult{Conn: conn, primary: primary}:
 			case <-returned:
 				conn.Close()
 			}
@@ -107,12 +107,12 @@ func (d *DefaultDialer) dialParallelInterfaceFastFallback(ctx context.Context, d
 		conn, err := perNetDialer.DialContext(ctx, network, addr)
 		if err != nil {
 			select {
-			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Name, ")"), primary: primary}:
+			case results <- dialResult{error: E.Cause(err, "dial ", iif.Name, " (", iif.Index, ")"), primary: primary}:
 			case <-returned:
 			}
 		} else {
 			select {
-			case results <- dialResult{Conn: conn}:
+			case results <- dialResult{Conn: conn, primary: primary}:
 			case <-returned:
 				if primary && time.Since(startAt) <= fallbackDelay {
 					resetFastFallback(time.Time{})
@@ -149,9 +149,6 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 	if len(primaryInterfaces)+len(fallbackInterfaces) == 0 {
 		return nil, E.New("no available network interface")
 	}
-	if fallbackDelay == 0 {
-		fallbackDelay = N.DefaultFallbackDelay
-	}
 	var errors []error
 	for _, primaryInterface := range primaryInterfaces {
 		perNetListener := listener
@@ -160,7 +157,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Name, ")"))
+		errors = append(errors, E.Cause(err, "listen ", primaryInterface.Name, " (", primaryInterface.Index, ")"))
 	}
 	for _, fallbackInterface := range fallbackInterfaces {
 		perNetListener := listener
@@ -169,7 +166,7 @@ func (d *DefaultDialer) listenSerialInterfacePacket(ctx context.Context, listene
 		if err == nil {
 			return conn, nil
 		}
-		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Name, ")"))
+		errors = append(errors, E.Cause(err, "listen ", fallbackInterface.Name, " (", fallbackInterface.Index, ")"))
 	}
 	return nil, E.Errors(errors...)
 }
@@ -180,44 +177,57 @@ func selectInterfaces(networkManager adapter.NetworkManager, strategy C.NetworkS
 	case C.NetworkStrategyDefault:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			for _, iif := range interfaces {
+			if defaultIf != nil {
-				if iif.Index == defaultIf.Index {
+				for _, iif := range interfaces {
-					primaryInterfaces = append(primaryInterfaces, iif)
+					if iif.Index == defaultIf.Index {
-				} else {
+						primaryInterfaces = append(primaryInterfaces, iif)
-					fallbackInterfaces = append(fallbackInterfaces, iif)
+					}
 				}
+			} else {
+				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
 			})
 		}
 	case C.NetworkStrategyHybrid:
 		if len(interfaceType) == 0 {
 			primaryInterfaces = interfaces
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
 			})
 		}
 	case C.NetworkStrategyFallback:
 		if len(interfaceType) == 0 {
 			defaultIf := networkManager.InterfaceMonitor().DefaultInterface()
-			for _, iif := range interfaces {
+			if defaultIf != nil {
-				if iif.Index == defaultIf.Index {
+				for _, iif := range interfaces {
-					primaryInterfaces = append(primaryInterfaces, iif)
+					if iif.Index == defaultIf.Index {
-				} else {
+						primaryInterfaces = append(primaryInterfaces, iif)
-					fallbackInterfaces = append(fallbackInterfaces, iif)
+						break
+					}
 				}
+			} else {
+				primaryInterfaces = interfaces
 			}
 		} else {
-			primaryInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+			primaryInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
-				return common.Contains(interfaceType, iif.Type)
+				return common.Contains(interfaceType, it.Type)
+			})
+		}
+		if len(fallbackInterfaceType) == 0 {
+			fallbackInterfaces = common.Filter(interfaces, func(it adapter.NetworkInterface) bool {
+				return !common.Any(primaryInterfaces, func(iif adapter.NetworkInterface) bool {
+					return it.Index == iif.Index
+				})
+			})
+		} else {
+			fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
+				return common.Contains(fallbackInterfaceType, iif.Type)
 			})
 		}
-		fallbackInterfaces = common.Filter(interfaces, func(iif adapter.NetworkInterface) bool {
-			return common.Contains(fallbackInterfaceType, iif.Type)
-		})
 	}
 	return primaryInterfaces, fallbackInterfaces
 }

common/dialer/default_parallel_network.go

@@ -13,7 +13,13 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.DialParallelNetwork(ctx, network, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
@@ -38,7 +44,14 @@ func DialSerialNetwork(ctx context.Context, dialer N.Dialer, network string, des
 	return nil, E.Errors(errors...)
 }
 
-func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, preferIPv6 bool, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
+
 	if fallbackDelay == 0 {
 		fallbackDelay = N.DefaultFallbackDelay
 	}
@@ -116,7 +129,13 @@ func DialParallelNetwork(ctx context.Context, dialer ParallelInterfaceDialer, ne
 	}
 }
 
-func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+func ListenSerialNetworkPacket(ctx context.Context, dialer N.Dialer, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error) {
+	if len(destinationAddresses) == 0 {
+		if !destination.IsIP() {
+			panic("invalid usage")
+		}
+		destinationAddresses = []netip.Addr{destination.Addr}
+	}
 	if parallelDialer, isParallel := dialer.(ParallelNetworkDialer); isParallel {
 		return parallelDialer.ListenSerialNetworkPacket(ctx, destination, destinationAddresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}

common/dialer/dialer.go

@@ -8,25 +8,24 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
 )
 
-func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+func New(ctx context.Context, options option.DialerOptions, remoteIsDomain bool) (N.Dialer, error) {
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(networkManager, options)
+		return NewDefault(ctx, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(networkManager, options)
+		dialer, err = NewDefault(ctx, options)
 		if err != nil {
 			return nil, err
 		}
@@ -37,17 +36,26 @@ func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
 		}
 		dialer = NewDetour(outboundManager, options.Detour)
 	}
-	if networkManager == nil {
+	if remoteIsDomain && options.Detour == "" && options.DomainResolver == "" {
-		return NewDefault(networkManager, options)
+		deprecated.Report(ctx, deprecated.OptionMissingDomainResolverInDialOptions)
 	}
-	if options.Detour == "" {
+	if (options.Detour == "" && remoteIsDomain) || options.DomainResolver != "" {
-		router := service.FromContext[adapter.Router](ctx)
+		router := service.FromContext[adapter.DNSRouter](ctx)
 		if router != nil {
+			var resolveTransport adapter.DNSTransport
+			if options.DomainResolver != "" {
+				transport, loaded := service.FromContext[adapter.DNSTransportManager](ctx).Transport(options.DomainResolver)
+				if !loaded {
+					return nil, E.New("DNS server not found: " + options.DomainResolver)
+				}
+				resolveTransport = transport
+			}
 			dialer = NewResolveDialer(
 				router,
 				dialer,
 				options.Detour == "" && !options.TCPFastOpen,
-				dns.DomainStrategy(options.DomainStrategy),
+				resolveTransport,
+				C.DomainStrategy(options.DomainStrategy),
 				time.Duration(options.FallbackDelay))
 		}
 	}
@@ -58,30 +66,38 @@ func NewDirect(ctx context.Context, options option.DialerOptions) (ParallelInter
 	if options.Detour != "" {
 		return nil, E.New("`detour` is not supported in direct context")
 	}
-	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(networkManager, options)
+		return NewDefault(ctx, options)
 	}
-	dialer, err := NewDefault(networkManager, options)
+	dialer, err := NewDefault(ctx, options)
 	if err != nil {
 		return nil, err
 	}
+	var resolveTransport adapter.DNSTransport
+	if options.DomainResolver != "" {
+		transport, loaded := service.FromContext[adapter.DNSTransportManager](ctx).Transport(options.DomainResolver)
+		if !loaded {
+			return nil, E.New("DNS server not found: " + options.DomainResolver)
+		}
+		resolveTransport = transport
+	}
 	return NewResolveParallelInterfaceDialer(
-		service.FromContext[adapter.Router](ctx),
+		service.FromContext[adapter.DNSRouter](ctx),
 		dialer,
 		true,
-		dns.DomainStrategy(options.DomainStrategy),
+		resolveTransport,
+		C.DomainStrategy(options.DomainStrategy),
 		time.Duration(options.FallbackDelay),
 	), nil
 }
 
 type ParallelInterfaceDialer interface {
 	N.Dialer
-	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
+	ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error)
 }
 
 type ParallelNetworkDialer interface {
-	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
+	DialParallelNetwork(ctx context.Context, network string, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error)
-	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
+	ListenSerialNetworkPacket(ctx context.Context, destination M.Socksaddr, destinationAddresses []netip.Addr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, netip.Addr, error)
 }

common/dialer/resolve.go

@@ -3,13 +3,11 @@ package dialer
 import (
 	"context"
 	"net"
-	"net/netip"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -23,16 +21,18 @@ var (
 type resolveDialer struct {
 	dialer        N.Dialer
 	parallel      bool
-	router        adapter.Router
+	router        adapter.DNSRouter
-	strategy      dns.DomainStrategy
+	transport     adapter.DNSTransport
+	strategy      C.DomainStrategy
 	fallbackDelay time.Duration
 }
 
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) N.Dialer {
+func NewResolveDialer(router adapter.DNSRouter, dialer N.Dialer, parallel bool, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) N.Dialer {
 	return &resolveDialer{
 		dialer,
 		parallel,
 		router,
+		transport,
 		strategy,
 		fallbackDelay,
 	}
@@ -43,12 +43,13 @@ type resolveParallelNetworkDialer struct {
 	dialer ParallelInterfaceDialer
 }
 
-func NewResolveParallelInterfaceDialer(router adapter.Router, dialer ParallelInterfaceDialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) ParallelInterfaceDialer {
+func NewResolveParallelInterfaceDialer(router adapter.DNSRouter, dialer ParallelInterfaceDialer, parallel bool, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) ParallelInterfaceDialer {
 	return &resolveParallelNetworkDialer{
 		resolveDialer{
 			dialer,
 			parallel,
 			router,
+			transport,
 			strategy,
 			fallbackDelay,
 		},
@@ -60,22 +61,13 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
-	metadata.Domain = ""
-	var addresses []netip.Addr
-	var err error
-	if d.strategy == dns.DomainStrategyAsIS {
-		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
-	} else {
-		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
-	}
 	if err != nil {
 		return nil, err
 	}
 	if d.parallel {
-		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
+		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
 	} else {
 		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
 	}
@@ -85,17 +77,8 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
-	metadata.Domain = ""
-	var addresses []netip.Addr
-	var err error
-	if d.strategy == dns.DomainStrategyAsIS {
-		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
-	} else {
-		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
-	}
 	if err != nil {
 		return nil, err
 	}
@@ -106,21 +89,12 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
 }
 
-func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
+func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context, network string, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.Conn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
-	metadata.Domain = ""
-	var addresses []netip.Addr
-	var err error
-	if d.strategy == dns.DomainStrategyAsIS {
-		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
-	} else {
-		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
-	}
 	if err != nil {
 		return nil, err
 	}
@@ -128,27 +102,18 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 		fallbackDelay = d.fallbackDelay
 	}
 	if d.parallel {
-		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
+		return DialParallelNetwork(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	} else {
 		return DialSerialNetwork(ctx, d.dialer, network, destination, addresses, strategy, interfaceType, fallbackInterfaceType, fallbackDelay)
 	}
 }
 
-func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
+func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.Context, destination M.Socksaddr, strategy *C.NetworkStrategy, interfaceType []C.InterfaceType, fallbackInterfaceType []C.InterfaceType, fallbackDelay time.Duration) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
-	metadata.Destination = destination
+	addresses, err := d.router.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{Transport: d.transport, Strategy: d.strategy})
-	metadata.Domain = ""
-	var addresses []netip.Addr
-	var err error
-	if d.strategy == dns.DomainStrategyAsIS {
-		addresses, err = d.router.LookupDefault(ctx, destination.Fqdn)
-	} else {
-		addresses, err = d.router.Lookup(ctx, destination.Fqdn, d.strategy)
-	}
 	if err != nil {
 		return nil, err
 	}

common/dialer/router.go

@@ -7,24 +7,27 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )
 
 type DefaultOutboundDialer struct {
-	outboundManager adapter.OutboundManager
+	outbound adapter.OutboundManager
 }
 
-func NewDefaultOutbound(outboundManager adapter.OutboundManager) N.Dialer {
+func NewDefaultOutbound(ctx context.Context) N.Dialer {
-	return &DefaultOutboundDialer{outboundManager: outboundManager}
+	return &DefaultOutboundDialer{
+		outbound: service.FromContext[adapter.OutboundManager](ctx),
+	}
 }
 
 func (d *DefaultOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return d.outboundManager.Default().DialContext(ctx, network, destination)
+	return d.outbound.Default().DialContext(ctx, network, destination)
 }
 
 func (d *DefaultOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.outboundManager.Default().ListenPacket(ctx, destination)
+	return d.outbound.Default().ListenPacket(ctx, destination)
 }
 
 func (d *DefaultOutboundDialer) Upstream() any {
-	return d.outboundManager.Default()
+	return d.outbound.Default()
 }

common/mux/router.go

@@ -41,10 +41,10 @@ func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.Conte
 		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
 			return log.ContextWithNewID(ctx)
 		},
-		Logger:  logger,
+		Logger:    logger,
-		Handler: adapter.NewRouteContextHandler(router, logger),
+		HandlerEx: adapter.NewRouteContextHandlerEx(router),
-		Padding: options.Padding,
+		Padding:   options.Padding,
-		Brutal:  brutalOptions,
+		Brutal:    brutalOptions,
 	})
 	if err != nil {
 		return nil, err
@@ -52,6 +52,7 @@ func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.Conte
 	return &Router{router, service}, nil
 }
 
+// Deprecated: Use RouteConnectionEx instead.
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
 		// TODO: check if WithContext is necessary
@@ -61,6 +62,7 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 	}
 }
 
+// Deprecated: Use RoutePacketConnectionEx instead.
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }

common/settings/time_stub.go

@@ -1,12 +0,0 @@
-//go:build !(windows || linux || darwin)
-
-package settings
-
-import (
-	"os"
-	"time"
-)
-
-func SetSystemTime(nowTime time.Time) error {
-	return os.ErrInvalid
-}

common/settings/time_unix.go

@@ -1,14 +0,0 @@
-//go:build linux || darwin
-
-package settings
-
-import (
-	"time"
-
-	"golang.org/x/sys/unix"
-)
-
-func SetSystemTime(nowTime time.Time) error {
-	timeVal := unix.NsecToTimeval(nowTime.UnixNano())
-	return unix.Settimeofday(&timeVal)
-}

common/settings/time_windows.go

@@ -1,32 +0,0 @@
-package settings
-
-import (
-	"time"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-func SetSystemTime(nowTime time.Time) error {
-	var systemTime windows.Systemtime
-	systemTime.Year = uint16(nowTime.Year())
-	systemTime.Month = uint16(nowTime.Month())
-	systemTime.Day = uint16(nowTime.Day())
-	systemTime.Hour = uint16(nowTime.Hour())
-	systemTime.Minute = uint16(nowTime.Minute())
-	systemTime.Second = uint16(nowTime.Second())
-	systemTime.Milliseconds = uint16(nowTime.UnixMilli() - nowTime.Unix()*1000)
-
-	dllKernel32 := windows.NewLazySystemDLL("kernel32.dll")
-	proc := dllKernel32.NewProc("SetSystemTime")
-
-	_, _, err := proc.Call(
-		uintptr(unsafe.Pointer(&systemTime)),
-	)
-
-	if err != nil && err.Error() != "The operation completed successfully." {
-		return err
-	}
-
-	return nil
-}

common/tls/ech_client.go

@@ -15,8 +15,8 @@ import (
 
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
@@ -64,6 +64,7 @@ type echConnWrapper struct {
 
 func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
@@ -214,7 +215,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := service.FromContext[adapter.Router](ctx).Exchange(ctx, message)
+		response, err := service.FromContext[adapter.DNSRouter](ctx).Exchange(ctx, message, adapter.DNSQueryOptions{})
 		if err != nil {
 			return nil, err
 		}

common/tls/ech_keygen.go

@@ -147,6 +147,9 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		pair.rawConf = b
 
 		secBuf, err := sec.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH private key")
+		}
 		sk := []byte{}
 		sk = be.AppendUint16(sk, uint16(len(secBuf)))
 		sk = append(sk, secBuf...)

common/tls/ech_quic.go

@@ -28,7 +28,7 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 }
 
 func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
-	return &http3.RoundTripper{
+	return &http3.Transport{
 		TLSClientConfig: c.config,
 		QUICConfig:      quicConfig,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {

common/tls/ech_server.go

@@ -97,6 +97,10 @@ func (c *echServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
+	err = watcher.Start()
+	if err != nil {
+		return err
+	}
 	c.watcher = watcher
 	return nil
 }
@@ -232,7 +236,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var echKey []byte
 	if len(options.ECH.Key) > 0 {
 		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.KeyPath != "" {
+	} else if options.ECH.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
 			return nil, E.Cause(err, "read ECH key")

common/tls/reality_client.go

@@ -184,7 +184,7 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 		return nil, E.New("reality verification failed")
 	}
 
-	return &utlsConnWrapper{uConn}, nil
+	return &realityClientConnWrapper{uConn}, nil
 }
 
 func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
@@ -249,3 +249,36 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 	}
 	return nil
 }
+
+type realityClientConnWrapper struct {
+	*utls.UConn
+}
+
+func (c *realityClientConnWrapper) ConnectionState() tls.ConnectionState {
+	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
+	return tls.ConnectionState{
+		Version:                     state.Version,
+		HandshakeComplete:           state.HandshakeComplete,
+		DidResume:                   state.DidResume,
+		CipherSuite:                 state.CipherSuite,
+		NegotiatedProtocol:          state.NegotiatedProtocol,
+		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
+		ServerName:                  state.ServerName,
+		PeerCertificates:            state.PeerCertificates,
+		VerifiedChains:              state.VerifiedChains,
+		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
+		OCSPResponse:                state.OCSPResponse,
+		TLSUnique:                   state.TLSUnique,
+	}
+}
+
+func (c *realityClientConnWrapper) Upstream() any {
+	return c.UConn
+}
+
+// Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
+// We fixed it by calling Close() directly.
+func (c *realityClientConnWrapper) CloseWrite() error {
+	return c.Close()
+}

common/tls/reality_server.go

@@ -101,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions, options.Reality.Handshake.ServerIsDomain())
 	if err != nil {
 		return nil, err
 	}
@@ -174,6 +174,7 @@ type realityConnWrapper struct {
 
 func (c *realityConnWrapper) ConnectionState() ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,
@@ -193,3 +194,9 @@ func (c *realityConnWrapper) ConnectionState() ConnectionState {
 func (c *realityConnWrapper) Upstream() any {
 	return c.Conn
 }
+
+// Due to low implementation quality, the reality server intercepted half close and caused memory leaks.
+// We fixed it by calling Close() directly.
+func (c *realityConnWrapper) CloseWrite() error {
+	return c.Close()
+}

common/tls/std_client.go

@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"net"
-	"net/netip"
 	"os"
 	"strings"
 
@@ -51,9 +50,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		if _, err := netip.ParseAddr(serverName); err != nil {
+		serverName = serverAddress
-			serverName = serverAddress
-		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")

common/tls/std_server.go

@@ -106,6 +106,10 @@ func (c *STDServerConfig) startWatcher() error {
 	if err != nil {
 		return err
 	}
+	err = watcher.Start()
+	if err != nil {
+		return err
+	}
 	c.watcher = watcher
 	return nil
 }

common/tls/time_wrapper.go

@@ -0,0 +1,22 @@
+package tls
+
+import (
+	"time"
+
+	"github.com/sagernet/sing/common/ntp"
+)
+
+type TimeServiceWrapper struct {
+	ntp.TimeService
+}
+
+func (w *TimeServiceWrapper) TimeFunc() func() time.Time {
+	if w.TimeService == nil {
+		return nil
+	}
+	return w.TimeService.TimeFunc()
+}
+
+func (w *TimeServiceWrapper) Upstream() any {
+	return w.TimeService
+}

common/tls/utls_client.go

@@ -69,6 +69,7 @@ type utlsConnWrapper struct {
 
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
+	//nolint:staticcheck
 	return tls.ConnectionState{
 		Version:                     state.Version,
 		HandshakeComplete:           state.HandshakeComplete,

constant/dns.go

@@ -1,5 +1,34 @@
 package constant
 
+const (
+	DefaultDNSTTL = 600
+)
+
+type DomainStrategy = uint8
+
+const (
+	DomainStrategyAsIS DomainStrategy = iota
+	DomainStrategyPreferIPv4
+	DomainStrategyPreferIPv6
+	DomainStrategyIPv4Only
+	DomainStrategyIPv6Only
+)
+
+const (
+	DNSTypeLegacy     = "legacy"
+	DNSTypeUDP        = "udp"
+	DNSTypeTCP        = "tcp"
+	DNSTypeTLS        = "tls"
+	DNSTypeHTTPS      = "https"
+	DNSTypeQUIC       = "quic"
+	DNSTypeHTTP3      = "h3"
+	DNSTypeLocal      = "local"
+	DNSTypePreDefined = "predefined"
+	DNSTypeFakeIP     = "fakeip"
+	DNSTypeDHCP       = "dhcp"
+	DNSTypeTailscale  = "tailscale"
+)
+
 const (
 	DNSProviderAliDNS     = "alidns"
 	DNSProviderCloudflare = "cloudflare"

constant/hysteria2.go

@@ -0,0 +1,7 @@
+package constant
+
+const (
+	Hysterai2MasqueradeTypeFile   = "file"
+	Hysterai2MasqueradeTypeProxy  = "proxy"
+	Hysterai2MasqueradeTypeString = "string"
+)

constant/protocol.go

@@ -10,6 +10,7 @@ const (
 	ProtocolDTLS       = "dtls"
 	ProtocolSSH        = "ssh"
 	ProtocolRDP        = "rdp"
+	ProtocolNTP        = "ntp"
 )
 
 const (

constant/proxy.go

@@ -23,6 +23,7 @@ const (
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
+	TypeTailscale    = "tailscale"
 )
 
 const (

constant/timeout.go

@@ -9,8 +9,6 @@ const (
 	TCPTimeout                 = 15 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
-	QUICTimeout                = 30 * time.Second
-	STUNTimeout                = 15 * time.Second
 	UDPTimeout                 = 5 * time.Minute
 	DefaultURLTestInterval     = 3 * time.Minute
 	DefaultURLTestIdleTimeout  = 30 * time.Minute
@@ -19,3 +17,18 @@ const (
 	FatalStopTimeout           = 10 * time.Second
 	FakeIPMetadataSaveInterval = 10 * time.Second
 )
+
+var PortProtocols = map[uint16]string{
+	53:   ProtocolDNS,
+	123:  ProtocolNTP,
+	3478: ProtocolSTUN,
+	443:  ProtocolQUIC,
+}
+
+var ProtocolTimeouts = map[string]time.Duration{
+	ProtocolDNS:  10 * time.Second,
+	ProtocolNTP:  10 * time.Second,
+	ProtocolSTUN: 10 * time.Second,
+	ProtocolQUIC: 30 * time.Second,
+	ProtocolDTLS: 30 * time.Second,
+}

debug_http.go

@@ -46,7 +46,7 @@ func applyDebugListenOption(options option.DebugOptions) {
 
 			encoder := json.NewEncoder(writer)
 			encoder.SetIndent("", "  ")
-			encoder.Encode(memObject)
+			encoder.Encode(&memObject)
 		})
 		r.Route("/pprof", func(r chi.Router) {
 			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {

dns/client.go

@@ -0,0 +1,563 @@
+package dns
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/task"
+	"github.com/sagernet/sing/contrab/freelru"
+	"github.com/sagernet/sing/contrab/maphash"
+
+	"github.com/miekg/dns"
+)
+
+var (
+	ErrNoRawSupport           = E.New("no raw query support by current transport")
+	ErrNotCached              = E.New("not cached")
+	ErrResponseRejected       = E.New("response rejected")
+	ErrResponseRejectedCached = E.Extend(ErrResponseRejected, "cached")
+)
+
+var _ adapter.DNSClient = (*Client)(nil)
+
+type Client struct {
+	timeout          time.Duration
+	disableCache     bool
+	disableExpire    bool
+	independentCache bool
+	rdrc             adapter.RDRCStore
+	initRDRCFunc     func() adapter.RDRCStore
+	logger           logger.ContextLogger
+	cache            freelru.Cache[dns.Question, *dns.Msg]
+	transportCache   freelru.Cache[transportCacheKey, *dns.Msg]
+}
+
+type ClientOptions struct {
+	Timeout          time.Duration
+	DisableCache     bool
+	DisableExpire    bool
+	IndependentCache bool
+	CacheCapacity    uint32
+	RDRC             func() adapter.RDRCStore
+	Logger           logger.ContextLogger
+}
+
+func NewClient(options ClientOptions) *Client {
+	client := &Client{
+		timeout:          options.Timeout,
+		disableCache:     options.DisableCache,
+		disableExpire:    options.DisableExpire,
+		independentCache: options.IndependentCache,
+		initRDRCFunc:     options.RDRC,
+		logger:           options.Logger,
+	}
+	if client.timeout == 0 {
+		client.timeout = C.DNSTimeout
+	}
+	cacheCapacity := options.CacheCapacity
+	if cacheCapacity < 1024 {
+		cacheCapacity = 1024
+	}
+	if !client.disableCache {
+		if !client.independentCache {
+			client.cache = common.Must1(freelru.NewSharded[dns.Question, *dns.Msg](cacheCapacity, maphash.NewHasher[dns.Question]().Hash32))
+		} else {
+			client.transportCache = common.Must1(freelru.NewSharded[transportCacheKey, *dns.Msg](cacheCapacity, maphash.NewHasher[transportCacheKey]().Hash32))
+		}
+	}
+	return client
+}
+
+type transportCacheKey struct {
+	dns.Question
+	transportTag string
+}
+
+func (c *Client) Start() {
+	if c.initRDRCFunc != nil {
+		c.rdrc = c.initRDRCFunc()
+	}
+}
+
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
+	if len(message.Question) == 0 {
+		if c.logger != nil {
+			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
+		}
+		responseMessage := dns.Msg{
+			MsgHdr: dns.MsgHdr{
+				Id:       message.Id,
+				Response: true,
+				Rcode:    dns.RcodeFormatError,
+			},
+			Question: message.Question,
+		}
+		return &responseMessage, nil
+	}
+	question := message.Question[0]
+	if options.ClientSubnet.IsValid() {
+		message = SetClientSubnet(message, options.ClientSubnet, true)
+	}
+	isSimpleRequest := len(message.Question) == 1 &&
+		len(message.Ns) == 0 &&
+		len(message.Extra) == 0 &&
+		!options.ClientSubnet.IsValid()
+	disableCache := !isSimpleRequest || c.disableCache || options.DisableCache
+	if !disableCache {
+		response, ttl := c.loadResponse(question, transport)
+		if response != nil {
+			logCachedResponse(c.logger, ctx, response, ttl)
+			response.Id = message.Id
+			return response, nil
+		}
+	}
+	if question.Qtype == dns.TypeA && options.Strategy == C.DomainStrategyIPv6Only || question.Qtype == dns.TypeAAAA && options.Strategy == C.DomainStrategyIPv4Only {
+		responseMessage := dns.Msg{
+			MsgHdr: dns.MsgHdr{
+				Id:       message.Id,
+				Response: true,
+				Rcode:    dns.RcodeSuccess,
+			},
+			Question: []dns.Question{question},
+		}
+		if c.logger != nil {
+			c.logger.DebugContext(ctx, "strategy rejected")
+		}
+		return &responseMessage, nil
+	}
+	messageId := message.Id
+	contextTransport, clientSubnetLoaded := transportTagFromContext(ctx)
+	if clientSubnetLoaded && transport.Tag() == contextTransport {
+		return nil, E.New("DNS query loopback in transport[", contextTransport, "]")
+	}
+	ctx = contextWithTransportTag(ctx, transport.Tag())
+	if responseChecker != nil && c.rdrc != nil {
+		rejected := c.rdrc.LoadRDRC(transport.Tag(), question.Name, question.Qtype)
+		if rejected {
+			return nil, ErrResponseRejectedCached
+		}
+	}
+	ctx, cancel := context.WithTimeout(ctx, c.timeout)
+	response, err := transport.Exchange(ctx, message)
+	cancel()
+	if err != nil {
+		return nil, err
+	}
+	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
+		validResponse := response
+	loop:
+		for {
+			var (
+				addresses  int
+				queryCNAME string
+			)
+			for _, rawRR := range validResponse.Answer {
+				switch rr := rawRR.(type) {
+				case *dns.A:
+					break loop
+				case *dns.AAAA:
+					break loop
+				case *dns.CNAME:
+					queryCNAME = rr.Target
+				}
+			}
+			if queryCNAME == "" {
+				break
+			}
+			exMessage := *message
+			exMessage.Question = []dns.Question{{
+				Name:  queryCNAME,
+				Qtype: question.Qtype,
+			}}
+			validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
+			if err != nil {
+				return nil, err
+			}
+		}
+		if validResponse != response {
+			response.Answer = append(response.Answer, validResponse.Answer...)
+		}
+	}*/
+	if responseChecker != nil {
+		addr, addrErr := MessageToAddresses(response)
+		if addrErr != nil || !responseChecker(addr) {
+			if c.rdrc != nil {
+				c.rdrc.SaveRDRCAsync(transport.Tag(), question.Name, question.Qtype, c.logger)
+			}
+			logRejectedResponse(c.logger, ctx, response)
+			return response, ErrResponseRejected
+		}
+	}
+	if question.Qtype == dns.TypeHTTPS {
+		if options.Strategy == C.DomainStrategyIPv4Only || options.Strategy == C.DomainStrategyIPv6Only {
+			for _, rr := range response.Answer {
+				https, isHTTPS := rr.(*dns.HTTPS)
+				if !isHTTPS {
+					continue
+				}
+				content := https.SVCB
+				content.Value = common.Filter(content.Value, func(it dns.SVCBKeyValue) bool {
+					if options.Strategy == C.DomainStrategyIPv4Only {
+						return it.Key() != dns.SVCB_IPV6HINT
+					} else {
+						return it.Key() != dns.SVCB_IPV4HINT
+					}
+				})
+				https.SVCB = content
+			}
+		}
+	}
+	var timeToLive uint32
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+				timeToLive = record.Header().Ttl
+			}
+		}
+	}
+	if options.RewriteTTL != nil {
+		timeToLive = *options.RewriteTTL
+	}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			record.Header().Ttl = timeToLive
+		}
+	}
+	response.Id = messageId
+	if !disableCache {
+		c.storeCache(transport, question, response, timeToLive)
+	}
+	logExchangedResponse(c.logger, ctx, response, timeToLive)
+	return response, err
+}
+
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+	domain = FqdnToDomain(domain)
+	dnsName := dns.Fqdn(domain)
+	if options.Strategy == C.DomainStrategyIPv4Only {
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+	} else if options.Strategy == C.DomainStrategyIPv6Only {
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+	}
+	var response4 []netip.Addr
+	var response6 []netip.Addr
+	var group task.Group
+	group.Append("exchange4", func(ctx context.Context) error {
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		if err != nil {
+			return err
+		}
+		response4 = response
+		return nil
+	})
+	group.Append("exchange6", func(ctx context.Context) error {
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		if err != nil {
+			return err
+		}
+		response6 = response
+		return nil
+	})
+	err := group.Run(ctx)
+	if len(response4) == 0 && len(response6) == 0 {
+		return nil, err
+	}
+	return sortAddresses(response4, response6, options.Strategy), nil
+}
+
+func (c *Client) ClearCache() {
+	if c.cache != nil {
+		c.cache.Purge()
+	}
+	if c.transportCache != nil {
+		c.transportCache.Purge()
+	}
+}
+
+func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.Addr, bool) {
+	if c.disableCache || c.independentCache {
+		return nil, false
+	}
+	if dns.IsFqdn(domain) {
+		domain = domain[:len(domain)-1]
+	}
+	dnsName := dns.Fqdn(domain)
+	if strategy == C.DomainStrategyIPv4Only {
+		response, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return response, true
+		}
+	} else if strategy == C.DomainStrategyIPv6Only {
+		response, err := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if err != ErrNotCached {
+			return response, true
+		}
+	} else {
+		response4, _ := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		response6, _ := c.questionCache(dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}, nil)
+		if len(response4) > 0 || len(response6) > 0 {
+			return sortAddresses(response4, response6, strategy), true
+		}
+	}
+	return nil, false
+}
+
+func (c *Client) ExchangeCache(ctx context.Context, message *dns.Msg) (*dns.Msg, bool) {
+	if c.disableCache || c.independentCache || len(message.Question) != 1 {
+		return nil, false
+	}
+	question := message.Question[0]
+	response, ttl := c.loadResponse(question, nil)
+	if response == nil {
+		return nil, false
+	}
+	logCachedResponse(c.logger, ctx, response, ttl)
+	response.Id = message.Id
+	return response, true
+}
+
+func sortAddresses(response4 []netip.Addr, response6 []netip.Addr, strategy C.DomainStrategy) []netip.Addr {
+	if strategy == C.DomainStrategyPreferIPv6 {
+		return append(response6, response4...)
+	} else {
+		return append(response4, response6...)
+	}
+}
+
+func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Question, message *dns.Msg, timeToLive uint32) {
+	if timeToLive == 0 {
+		return
+	}
+	if c.disableExpire {
+		if !c.independentCache {
+			c.cache.Add(question, message)
+		} else {
+			c.transportCache.Add(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			}, message)
+		}
+		return
+	}
+	if !c.independentCache {
+		c.cache.AddWithLifetime(question, message, time.Second*time.Duration(timeToLive))
+	} else {
+		c.transportCache.AddWithLifetime(transportCacheKey{
+			Question:     question,
+			transportTag: transport.Tag(),
+		}, message, time.Second*time.Duration(timeToLive))
+	}
+}
+
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+	question := dns.Question{
+		Name:   name,
+		Qtype:  qType,
+		Qclass: dns.ClassINET,
+	}
+	disableCache := c.disableCache || options.DisableCache
+	if !disableCache {
+		cachedAddresses, err := c.questionCache(question, transport)
+		if err != ErrNotCached {
+			return cachedAddresses, err
+		}
+	}
+	message := dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{question},
+	}
+	response, err := c.Exchange(ctx, transport, &message, options, responseChecker)
+	if err != nil {
+		return nil, err
+	}
+	return MessageToAddresses(response)
+}
+
+func (c *Client) questionCache(question dns.Question, transport adapter.DNSTransport) ([]netip.Addr, error) {
+	response, _ := c.loadResponse(question, transport)
+	if response == nil {
+		return nil, ErrNotCached
+	}
+	return MessageToAddresses(response)
+}
+
+func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransport) (*dns.Msg, int) {
+	var (
+		response *dns.Msg
+		loaded   bool
+	)
+	if c.disableExpire {
+		if !c.independentCache {
+			response, loaded = c.cache.Get(question)
+		} else {
+			response, loaded = c.transportCache.Get(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			})
+		}
+		if !loaded {
+			return nil, 0
+		}
+		return response.Copy(), 0
+	} else {
+		var expireAt time.Time
+		if !c.independentCache {
+			response, expireAt, loaded = c.cache.GetWithLifetime(question)
+		} else {
+			response, expireAt, loaded = c.transportCache.GetWithLifetime(transportCacheKey{
+				Question:     question,
+				transportTag: transport.Tag(),
+			})
+		}
+		if !loaded {
+			return nil, 0
+		}
+		timeNow := time.Now()
+		if timeNow.After(expireAt) {
+			if !c.independentCache {
+				c.cache.Remove(question)
+			} else {
+				c.transportCache.Remove(transportCacheKey{
+					Question:     question,
+					transportTag: transport.Tag(),
+				})
+			}
+			return nil, 0
+		}
+		var originTTL int
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+			for _, record := range recordList {
+				if originTTL == 0 || record.Header().Ttl > 0 && int(record.Header().Ttl) < originTTL {
+					originTTL = int(record.Header().Ttl)
+				}
+			}
+		}
+		nowTTL := int(expireAt.Sub(timeNow).Seconds())
+		if nowTTL < 0 {
+			nowTTL = 0
+		}
+		response = response.Copy()
+		if originTTL > 0 {
+			duration := uint32(originTTL - nowTTL)
+			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+				for _, record := range recordList {
+					record.Header().Ttl = record.Header().Ttl - duration
+				}
+			}
+		} else {
+			for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+				for _, record := range recordList {
+					record.Header().Ttl = uint32(nowTTL)
+				}
+			}
+		}
+		return response, nowTTL
+	}
+}
+
+func MessageToAddresses(response *dns.Msg) ([]netip.Addr, error) {
+	if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
+		return nil, RCodeError(response.Rcode)
+	}
+	addresses := make([]netip.Addr, 0, len(response.Answer))
+	for _, rawAnswer := range response.Answer {
+		switch answer := rawAnswer.(type) {
+		case *dns.A:
+			addresses = append(addresses, M.AddrFromIP(answer.A))
+		case *dns.AAAA:
+			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
+		case *dns.HTTPS:
+			for _, value := range answer.SVCB.Value {
+				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
+					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
+				}
+			}
+		}
+	}
+	return addresses, nil
+}
+
+func wrapError(err error) error {
+	switch dnsErr := err.(type) {
+	case *net.DNSError:
+		if dnsErr.IsNotFound {
+			return RCodeNameError
+		}
+	case *net.AddrError:
+		return RCodeNameError
+	}
+	return err
+}
+
+type transportKey struct{}
+
+func contextWithTransportTag(ctx context.Context, transportTag string) context.Context {
+	return context.WithValue(ctx, transportKey{}, transportTag)
+}
+
+func transportTagFromContext(ctx context.Context) (string, bool) {
+	value, loaded := ctx.Value(transportKey{}).(string)
+	return value, loaded
+}
+
+func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, timeToLive uint32) *dns.Msg {
+	response := dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
+		},
+		Question: []dns.Question{question},
+	}
+	for _, address := range addresses {
+		if address.Is4() {
+			response.Answer = append(response.Answer, &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    timeToLive,
+				},
+				A: address.AsSlice(),
+			})
+		} else {
+			response.Answer = append(response.Answer, &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    timeToLive,
+				},
+				AAAA: address.AsSlice(),
+			})
+		}
+	}
+	return &response
+}

dns/client_log.go

@@ -0,0 +1,69 @@
+package dns
+
+import (
+	"context"
+	"strings"
+
+	"github.com/sagernet/sing/common/logger"
+
+	"github.com/miekg/dns"
+)
+
+func logCachedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl int) {
+	if logger == nil || len(response.Question) == 0 {
+		return
+	}
+	domain := FqdnToDomain(response.Question[0].Name)
+	logger.DebugContext(ctx, "cached ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			logger.InfoContext(ctx, "cached ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
+		}
+	}
+}
+
+func logExchangedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg, ttl uint32) {
+	if logger == nil || len(response.Question) == 0 {
+		return
+	}
+	domain := FqdnToDomain(response.Question[0].Name)
+	logger.DebugContext(ctx, "exchanged ", domain, " ", dns.RcodeToString[response.Rcode], " ", ttl)
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			logger.InfoContext(ctx, "exchanged ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
+		}
+	}
+}
+
+func logRejectedResponse(logger logger.ContextLogger, ctx context.Context, response *dns.Msg) {
+	if logger == nil || len(response.Question) == 0 {
+		return
+	}
+	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+		for _, record := range recordList {
+			logger.InfoContext(ctx, "rejected ", dns.Type(record.Header().Rrtype).String(), " ", FormatQuestion(record.String()))
+		}
+	}
+}
+
+func FqdnToDomain(fqdn string) string {
+	if dns.IsFqdn(fqdn) {
+		return fqdn[:len(fqdn)-1]
+	}
+	return fqdn
+}
+
+func FormatQuestion(string string) string {
+	for strings.HasPrefix(string, ";") {
+		string = string[1:]
+	}
+	string = strings.ReplaceAll(string, "\t", " ")
+	string = strings.ReplaceAll(string, "\n", " ")
+	string = strings.ReplaceAll(string, ";; ", " ")
+	string = strings.ReplaceAll(string, "; ", " ")
+
+	for strings.Contains(string, "  ") {
+		string = strings.ReplaceAll(string, "  ", " ")
+	}
+	return strings.TrimSpace(string)
+}

dns/client_truncate.go

@@ -0,0 +1,29 @@
+package dns
+
+import (
+	"github.com/sagernet/sing/common/buf"
+
+	"github.com/miekg/dns"
+)
+
+func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf.Buffer, error) {
+	maxLen := 512
+	if edns0Option := request.IsEdns0(); edns0Option != nil {
+		if udpSize := int(edns0Option.UDPSize()); udpSize > 512 {
+			maxLen = udpSize
+		}
+	}
+	responseLen := response.Len()
+	if responseLen > maxLen {
+		response.Truncate(maxLen)
+	}
+	buffer := buf.NewSize(headroom*2 + 1 + responseLen)
+	buffer.Resize(headroom, 0)
+	rawMessage, err := response.PackBuffer(buffer.FreeBytes())
+	if err != nil {
+		buffer.Release()
+		return nil, err
+	}
+	buffer.Truncate(len(rawMessage))
+	return buffer, nil
+}

dns/extension_edns0_subnet.go

@@ -0,0 +1,56 @@
+package dns
+
+import (
+	"net/netip"
+
+	"github.com/miekg/dns"
+)
+
+func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) *dns.Msg {
+	var (
+		optRecord    *dns.OPT
+		subnetOption *dns.EDNS0_SUBNET
+	)
+findExists:
+	for _, record := range message.Extra {
+		var isOPTRecord bool
+		if optRecord, isOPTRecord = record.(*dns.OPT); isOPTRecord {
+			for _, option := range optRecord.Option {
+				var isEDNS0Subnet bool
+				subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET)
+				if isEDNS0Subnet {
+					if !override {
+						return message
+					}
+					break findExists
+				}
+			}
+		}
+	}
+	if optRecord == nil {
+		exMessage := *message
+		message = &exMessage
+		optRecord = &dns.OPT{
+			Hdr: dns.RR_Header{
+				Name:   ".",
+				Rrtype: dns.TypeOPT,
+			},
+		}
+		message.Extra = append(message.Extra, optRecord)
+	} else {
+		message = message.Copy()
+	}
+	if subnetOption == nil {
+		subnetOption = new(dns.EDNS0_SUBNET)
+		optRecord.Option = append(optRecord.Option, subnetOption)
+	}
+	subnetOption.Code = dns.EDNS0SUBNET
+	if clientSubnet.Addr().Is4() {
+		subnetOption.Family = 1
+	} else {
+		subnetOption.Family = 2
+	}
+	subnetOption.SourceNetmask = uint8(clientSubnet.Bits())
+	subnetOption.Address = clientSubnet.Addr().AsSlice()
+	return message
+}

dns/rcode.go

@@ -0,0 +1,33 @@
+package dns
+
+import F "github.com/sagernet/sing/common/format"
+
+const (
+	RCodeSuccess        RCodeError = 0 // NoError
+	RCodeFormatError    RCodeError = 1 // FormErr
+	RCodeServerFailure  RCodeError = 2 // ServFail
+	RCodeNameError      RCodeError = 3 // NXDomain
+	RCodeNotImplemented RCodeError = 4 // NotImp
+	RCodeRefused        RCodeError = 5 // Refused
+)
+
+type RCodeError uint16
+
+func (e RCodeError) Error() string {
+	switch e {
+	case RCodeSuccess:
+		return "success"
+	case RCodeFormatError:
+		return "format error"
+	case RCodeServerFailure:
+		return "server failure"
+	case RCodeNameError:
+		return "name error"
+	case RCodeNotImplemented:
+		return "not implemented"
+	case RCodeRefused:
+		return "refused"
+	default:
+		return F.ToString("unknown error: ", uint16(e))
+	}
+}

dns/router.go

@@ -0,0 +1,430 @@
+package dns
+
+import (
+	"context"
+	"errors"
+	"net/netip"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/libbox/platform"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	R "github.com/sagernet/sing-box/route/rule"
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/contrab/freelru"
+	"github.com/sagernet/sing/contrab/maphash"
+	"github.com/sagernet/sing/service"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSRouter = (*Router)(nil)
+
+type Router struct {
+	ctx                   context.Context
+	logger                logger.ContextLogger
+	transport             adapter.DNSTransportManager
+	outbound              adapter.OutboundManager
+	client                adapter.DNSClient
+	rules                 []adapter.DNSRule
+	defaultDomainStrategy C.DomainStrategy
+	dnsReverseMapping     freelru.Cache[netip.Addr, string]
+	platformInterface     platform.Interface
+}
+
+func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
+	router := &Router{
+		ctx:                   ctx,
+		logger:                logFactory.NewLogger("dns"),
+		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
+		outbound:              service.FromContext[adapter.OutboundManager](ctx),
+		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
+		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
+	}
+	router.client = NewClient(ClientOptions{
+		DisableCache:     options.DNSClientOptions.DisableCache,
+		DisableExpire:    options.DNSClientOptions.DisableExpire,
+		IndependentCache: options.DNSClientOptions.IndependentCache,
+		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
+		RDRC: func() adapter.RDRCStore {
+			cacheFile := service.FromContext[adapter.CacheFile](ctx)
+			if cacheFile == nil {
+				return nil
+			}
+			if !cacheFile.StoreRDRC() {
+				return nil
+			}
+			return cacheFile
+		},
+		Logger: router.logger,
+	})
+	if options.ReverseMapping {
+		router.dnsReverseMapping = common.Must1(freelru.NewSharded[netip.Addr, string](1024, maphash.NewHasher[netip.Addr]().Hash32))
+	}
+	return router
+}
+
+func (r *Router) Initialize(rules []option.DNSRule) error {
+	for i, ruleOptions := range rules {
+		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
+		if err != nil {
+			return E.Cause(err, "parse dns rule[", i, "]")
+		}
+		r.rules = append(r.rules, dnsRule)
+	}
+	return nil
+}
+
+func (r *Router) Start(stage adapter.StartStage) error {
+	monitor := taskmonitor.New(r.logger, C.StartTimeout)
+	switch stage {
+	case adapter.StartStateStart:
+		monitor.Start("initialize DNS client")
+		r.client.Start()
+		monitor.Finish()
+
+		for i, rule := range r.rules {
+			monitor.Start("initialize DNS rule[", i, "]")
+			err := rule.Start()
+			monitor.Finish()
+			if err != nil {
+				return E.Cause(err, "initialize DNS rule[", i, "]")
+			}
+		}
+	}
+	return nil
+}
+
+func (r *Router) Close() error {
+	monitor := taskmonitor.New(r.logger, C.StopTimeout)
+	var err error
+	for i, rule := range r.rules {
+		monitor.Start("close dns rule[", i, "]")
+		err = E.Append(err, rule.Close(), func(err error) error {
+			return E.Cause(err, "close dns rule[", i, "]")
+		})
+		monitor.Finish()
+	}
+	return err
+}
+
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
+	metadata := adapter.ContextFrom(ctx)
+	if metadata == nil {
+		panic("no context")
+	}
+	var currentRuleIndex int
+	if ruleIndex != -1 {
+		currentRuleIndex = ruleIndex + 1
+	}
+	for ; currentRuleIndex < len(r.rules); currentRuleIndex++ {
+		currentRule := r.rules[currentRuleIndex]
+		if currentRule.WithAddressLimit() && !isAddressQuery {
+			continue
+		}
+		metadata.ResetRuleCache()
+		if currentRule.Match(metadata) {
+			displayRuleIndex := currentRuleIndex
+			if displayRuleIndex != -1 {
+				displayRuleIndex += displayRuleIndex + 1
+			}
+			ruleDescription := currentRule.String()
+			if ruleDescription != "" {
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+			} else {
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+			}
+			switch action := currentRule.Action().(type) {
+			case *R.RuleActionDNSRoute:
+				transport, loaded := r.transport.Transport(action.Server)
+				if !loaded {
+					r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+					continue
+				}
+				isFakeIP := transport.Type() == C.DNSTypeFakeIP
+				if isFakeIP && !allowFakeIP {
+					continue
+				}
+				if isFakeIP || action.DisableCache {
+					options.DisableCache = true
+				}
+				if action.RewriteTTL != nil {
+					options.RewriteTTL = action.RewriteTTL
+				}
+				if action.ClientSubnet.IsValid() {
+					options.ClientSubnet = action.ClientSubnet
+				}
+				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+					if options.Strategy == C.DomainStrategyAsIS {
+						options.Strategy = legacyTransport.LegacyStrategy()
+					}
+					if !options.ClientSubnet.IsValid() {
+						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+					}
+				}
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				return transport, currentRule, currentRuleIndex
+			case *R.RuleActionDNSRouteOptions:
+				if action.DisableCache {
+					options.DisableCache = true
+				}
+				if action.RewriteTTL != nil {
+					options.RewriteTTL = action.RewriteTTL
+				}
+				if action.ClientSubnet.IsValid() {
+					options.ClientSubnet = action.ClientSubnet
+				}
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+			case *R.RuleActionReject:
+				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				return nil, currentRule, currentRuleIndex
+			}
+		}
+	}
+	return r.transport.Default(), nil, -1
+}
+
+func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
+	if len(message.Question) != 1 {
+		r.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
+		responseMessage := mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				Id:       message.Id,
+				Response: true,
+				Rcode:    mDNS.RcodeFormatError,
+			},
+			Question: message.Question,
+		}
+		return &responseMessage, nil
+	}
+	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
+	var (
+		transport adapter.DNSTransport
+		err       error
+	)
+	response, cached := r.client.ExchangeCache(ctx, message)
+	if !cached {
+		var metadata *adapter.InboundContext
+		ctx, metadata = adapter.ExtendContext(ctx)
+		metadata.Destination = M.Socksaddr{}
+		metadata.QueryType = message.Question[0].Qtype
+		switch metadata.QueryType {
+		case mDNS.TypeA:
+			metadata.IPVersion = 4
+		case mDNS.TypeAAAA:
+			metadata.IPVersion = 6
+		}
+		metadata.Domain = FqdnToDomain(message.Question[0].Name)
+		if options.Transport != nil {
+			transport = options.Transport
+			if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+				if options.Strategy == C.DomainStrategyAsIS {
+					options.Strategy = legacyTransport.LegacyStrategy()
+				}
+				if !options.ClientSubnet.IsValid() {
+					options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+				}
+			}
+			if options.Strategy == C.DomainStrategyAsIS {
+				options.Strategy = r.defaultDomainStrategy
+			}
+			response, err = r.client.Exchange(ctx, transport, message, options, nil)
+		} else {
+			var (
+				rule      adapter.DNSRule
+				ruleIndex int
+			)
+			ruleIndex = -1
+			for {
+				dnsCtx := adapter.OverrideContext(ctx)
+				transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &options)
+				if rule != nil {
+					switch action := rule.Action().(type) {
+					case *R.RuleActionReject:
+						switch action.Method {
+						case C.RuleActionRejectMethodDefault:
+							return FixedResponse(message.Id, message.Question[0], nil, 0), nil
+						case C.RuleActionRejectMethodDrop:
+							return nil, tun.ErrDrop
+						}
+					}
+				}
+				var responseCheck func(responseAddrs []netip.Addr) bool
+				if rule != nil && rule.WithAddressLimit() {
+					responseCheck = func(responseAddrs []netip.Addr) bool {
+						metadata.DestinationAddresses = responseAddrs
+						return rule.MatchAddressLimit(metadata)
+					}
+				}
+				if options.Strategy == C.DomainStrategyAsIS {
+					options.Strategy = r.defaultDomainStrategy
+				}
+				response, err = r.client.Exchange(dnsCtx, transport, message, options, responseCheck)
+				var rejected bool
+				if err != nil {
+					if errors.Is(err, ErrResponseRejectedCached) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())), " (cached)")
+					} else if errors.Is(err, ErrResponseRejected) {
+						rejected = true
+						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
+					} else if len(message.Question) > 0 {
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+					} else {
+						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
+					}
+				}
+				if responseCheck != nil && rejected {
+					continue
+				}
+				break
+			}
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
+		if transport.Type() != C.DNSTypeFakeIP {
+			for _, answer := range response.Answer {
+				switch record := answer.(type) {
+				case *mDNS.A:
+					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.A), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
+				case *mDNS.AAAA:
+					r.dnsReverseMapping.AddWithLifetime(M.AddrFromIP(record.AAAA), FqdnToDomain(record.Hdr.Name), time.Duration(record.Hdr.Ttl)*time.Second)
+				}
+			}
+		}
+	}
+	return response, nil
+}
+
+func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	var (
+		responseAddrs []netip.Addr
+		cached        bool
+		err           error
+	)
+	printResult := func() {
+		if err != nil {
+			if errors.Is(err, ErrResponseRejectedCached) {
+				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
+			} else if errors.Is(err, ErrResponseRejected) {
+				r.logger.DebugContext(ctx, "response rejected for ", domain)
+			} else {
+				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
+			}
+		} else if len(responseAddrs) == 0 {
+			r.logger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
+			err = RCodeNameError
+		}
+	}
+	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
+	if cached {
+		if len(responseAddrs) == 0 {
+			return nil, RCodeNameError
+		}
+		return responseAddrs, nil
+	}
+	r.logger.DebugContext(ctx, "lookup domain ", domain)
+	ctx, metadata := adapter.ExtendContext(ctx)
+	metadata.Destination = M.Socksaddr{}
+	metadata.Domain = domain
+	if options.Transport != nil {
+		transport := options.Transport
+		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
+			if options.Strategy == C.DomainStrategyAsIS {
+				options.Strategy = r.defaultDomainStrategy
+			}
+			if !options.ClientSubnet.IsValid() {
+				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
+			}
+		}
+		if options.Strategy == C.DomainStrategyAsIS {
+			options.Strategy = r.defaultDomainStrategy
+		}
+		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
+	} else {
+		var (
+			transport adapter.DNSTransport
+			rule      adapter.DNSRule
+			ruleIndex int
+		)
+		ruleIndex = -1
+		for {
+			dnsCtx := adapter.OverrideContext(ctx)
+			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &options)
+			if rule != nil {
+				switch action := rule.Action().(type) {
+				case *R.RuleActionReject:
+					switch action.Method {
+					case C.RuleActionRejectMethodDefault:
+						return nil, nil
+					case C.RuleActionRejectMethodDrop:
+						return nil, tun.ErrDrop
+					}
+				}
+			}
+			var responseCheck func(responseAddrs []netip.Addr) bool
+			if rule != nil && rule.WithAddressLimit() {
+				responseCheck = func(responseAddrs []netip.Addr) bool {
+					metadata.DestinationAddresses = responseAddrs
+					return rule.MatchAddressLimit(metadata)
+				}
+			}
+			if options.Strategy == C.DomainStrategyAsIS {
+				options.Strategy = r.defaultDomainStrategy
+			}
+			responseAddrs, err = r.client.Lookup(dnsCtx, transport, domain, options, responseCheck)
+			if responseCheck == nil || err == nil {
+				break
+			}
+			printResult()
+		}
+	}
+	printResult()
+	if len(responseAddrs) > 0 {
+		r.logger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))
+	}
+	return responseAddrs, err
+}
+
+func isAddressQuery(message *mDNS.Msg) bool {
+	for _, question := range message.Question {
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA || question.Qtype == mDNS.TypeHTTPS {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *Router) ClearCache() {
+	r.client.ClearCache()
+	if r.platformInterface != nil {
+		r.platformInterface.ClearDNSCache()
+	}
+}
+
+func (r *Router) LookupReverseMapping(ip netip.Addr) (string, bool) {
+	if r.dnsReverseMapping == nil {
+		return "", false
+	}
+	domain, loaded := r.dnsReverseMapping.Get(ip)
+	return domain, loaded
+}
+
+func (r *Router) ResetNetwork() {
+	r.ClearCache()
+	for _, transport := range r.transport.Transports() {
+		transport.Reset()
+	}
+}

dns/transport/dhcp/dhcp.go

@@ -3,9 +3,6 @@ package dhcp
 import (
 	"context"
 	"net"
-	"net/netip"
-	"net/url"
-	"os"
 	"runtime"
 	"strings"
 	"sync"
@@ -14,13 +11,18 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
@@ -29,76 +31,70 @@ import (
 	mDNS "github.com/miekg/dns"
 )
 
-func init() {
+func RegisterTransport(registry *dns.TransportRegistry) {
-	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
+	dns.RegisterTransport[option.DHCPDNSServerOptions](registry, C.DNSTypeDHCP, NewTransport)
-		return NewTransport(options)
-	})
 }
 
+var _ adapter.DNSTransport = (*Transport)(nil)
+
 type Transport struct {
-	options           dns.TransportOptions
+	dns.TransportAdapter
-	router            adapter.Router
+	ctx               context.Context
+	dialer            N.Dialer
+	logger            logger.ContextLogger
 	networkManager    adapter.NetworkManager
 	interfaceName     string
-	autoInterface     bool
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
-	transports        []dns.Transport
+	transports        []adapter.DNSTransport
 	updateAccess      sync.Mutex
 	updatedAt         time.Time
 }
 
-func NewTransport(options dns.TransportOptions) (*Transport, error) {
+func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.DHCPDNSServerOptions) (adapter.DNSTransport, error) {
-	linkURL, err := url.Parse(options.Address)
+	transportDialer, err := dns.NewLocalDialer(ctx, options.LocalDNSServerOptions)
 	if err != nil {
 		return nil, err
 	}
-	if linkURL.Host == "" {
+	return &Transport{
-		return nil, E.New("missing interface name for DHCP")
+		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeDHCP, tag, options.LocalDNSServerOptions),
-	}
+		ctx:              ctx,
-	transport := &Transport{
+		dialer:           transportDialer,
-		options:        options,
+		logger:           logger,
-		networkManager: service.FromContext[adapter.NetworkManager](options.Context),
+		networkManager:   service.FromContext[adapter.NetworkManager](ctx),
-		interfaceName:  linkURL.Host,
+		interfaceName:    options.Interface,
-		autoInterface:  linkURL.Host == "auto",
+	}, nil
-	}
-	return transport, nil
 }
 
-func (t *Transport) Name() string {
+func (t *Transport) Start(stage adapter.StartStage) error {
-	return t.options.Name
+	if stage != adapter.StartStateStart {
-}
+		return nil
-
+	}
-func (t *Transport) Start() error {
 	err := t.fetchServers()
 	if err != nil {
 		return err
 	}
-	if t.autoInterface {
+	if t.interfaceName == "" {
 		t.interfaceCallback = t.networkManager.InterfaceMonitor().RegisterCallback(t.interfaceUpdated)
 	}
 	return nil
 }
 
+func (t *Transport) Close() error {
+	for _, transport := range t.transports {
+		transport.Reset()
+	}
+	if t.interfaceCallback != nil {
+		t.networkManager.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)
+	}
+	return nil
+}
+
 func (t *Transport) Reset() {
 	for _, transport := range t.transports {
 		transport.Reset()
 	}
 }
 
-func (t *Transport) Close() error {
-	for _, transport := range t.transports {
-		transport.Close()
-	}
-	if t.interfaceCallback != nil {
-		t.networkManager.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)
-	}
-	return nil
-}
-
-func (t *Transport) Raw() bool {
-	return true
-}
-
 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	err := t.fetchServers()
 	if err != nil {
@@ -120,7 +116,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 }
 
 func (t *Transport) fetchInterface() (*control.Interface, error) {
-	if t.autoInterface {
+	if t.interfaceName == "" {
 		if t.networkManager.InterfaceMonitor() == nil {
 			return nil, E.New("missing monitor for auto DHCP, set route.auto_detect_interface")
 		}
@@ -152,8 +148,8 @@ func (t *Transport) updateServers() error {
 		return E.Cause(err, "dhcp: prepare interface")
 	}
 
-	t.options.Logger.Info("dhcp: query DNS servers on ", iface.Name)
+	t.logger.Info("dhcp: query DNS servers on ", iface.Name)
-	fetchCtx, cancel := context.WithTimeout(t.options.Context, C.DHCPTimeout)
+	fetchCtx, cancel := context.WithTimeout(t.ctx, C.DHCPTimeout)
 	err = t.fetchServers0(fetchCtx, iface)
 	cancel()
 	if err != nil {
@@ -169,7 +165,7 @@ func (t *Transport) updateServers() error {
 func (t *Transport) interfaceUpdated(defaultInterface *control.Interface, flags int) {
 	err := t.updateServers()
 	if err != nil {
-		t.options.Logger.Error("update servers: ", err)
+		t.logger.Error("update servers: ", err)
 	}
 }
 
@@ -181,7 +177,7 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	packetConn, err := listener.ListenPacket(t.options.Context, "udp4", listenAddr)
+	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
 	if err != nil {
 		return err
 	}
@@ -219,17 +215,17 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 
 		dhcpPacket, err := dhcpv4.FromBytes(buffer.Bytes())
 		if err != nil {
-			t.options.Logger.Trace("dhcp: parse DHCP response: ", err)
+			t.logger.Trace("dhcp: parse DHCP response: ", err)
 			return err
 		}
 
 		if dhcpPacket.MessageType() != dhcpv4.MessageTypeOffer {
-			t.options.Logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
+			t.logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
 			continue
 		}
 
 		if dhcpPacket.TransactionID != transactionID {
-			t.options.Logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
+			t.logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
 			continue
 		}
 
@@ -237,44 +233,27 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 		if len(dns) == 0 {
 			return nil
 		}
-
+		return t.recreateServers(iface, common.Map(dns, func(it net.IP) M.Socksaddr {
-		var addrs []netip.Addr
+			return M.SocksaddrFrom(M.AddrFromIP(it), 53)
-		for _, ip := range dns {
+		}))
-			addr, _ := netip.AddrFromSlice(ip)
-			addrs = append(addrs, addr.Unmap())
-		}
-		return t.recreateServers(iface, addrs)
 	}
 }
 
-func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []netip.Addr) error {
+func (t *Transport) recreateServers(iface *control.Interface, serverAddrs []M.Socksaddr) error {
 	if len(serverAddrs) > 0 {
-		t.options.Logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, func(it netip.Addr) string {
+		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, M.Socksaddr.String), ","), "]")
-			return it.String()
-		}), ","), "]")
 	}
-	serverDialer := common.Must1(dialer.NewDefault(t.networkManager, option.DialerOptions{
+	serverDialer := common.Must1(dialer.NewDefault(t.ctx, option.DialerOptions{
 		BindInterface:      iface.Name,
 		UDPFragmentDefault: true,
 	}))
-	var transports []dns.Transport
+	var transports []adapter.DNSTransport
 	for _, serverAddr := range serverAddrs {
-		newOptions := t.options
+		transports = append(transports, transport.NewUDPRaw(t.logger, t.TransportAdapter, serverDialer, serverAddr))
-		newOptions.Address = serverAddr.String()
-		newOptions.Dialer = serverDialer
-		serverTransport, err := dns.NewUDPTransport(newOptions)
-		if err != nil {
-			return E.Cause(err, "create UDP transport from DHCP result: ", serverAddr)
-		}
-		transports = append(transports, serverTransport)
 	}
 	for _, transport := range t.transports {
-		transport.Close()
+		transport.Reset()
 	}
 	t.transports = transports
 	return nil
 }
-
-func (t *Transport) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
-	return nil, os.ErrInvalid
-}

dns/transport/fakeip/fakeip.go

@@ -0,0 +1,56 @@
+package fakeip
+
+import (
+	"context"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.FakeIPDNSServerOptions](registry, C.DNSTypeFakeIP, NewTransport)
+}
+
+var _ adapter.FakeIPTransport = (*Transport)(nil)
+
+type Transport struct {
+	dns.TransportAdapter
+	logger logger.ContextLogger
+	store  adapter.FakeIPStore
+}
+
+func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.FakeIPDNSServerOptions) (adapter.DNSTransport, error) {
+	store := NewStore(ctx, logger, options.Inet4Range.Build(netip.Prefix{}), options.Inet6Range.Build(netip.Prefix{}))
+	return &Transport{
+		TransportAdapter: dns.NewTransportAdapter(C.DNSTypeFakeIP, tag, nil),
+		logger:           logger,
+		store:            store,
+	}, nil
+}
+
+func (t *Transport) Reset() {
+}
+
+func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	if question.Qtype != mDNS.TypeA && question.Qtype != mDNS.TypeAAAA {
+		return nil, E.New("only IP queries are supported by fakeip")
+	}
+	address, err := t.store.Create(question.Name, question.Qtype == mDNS.TypeAAAA)
+	if err != nil {
+		return nil, err
+	}
+	return dns.FixedResponse(message.Id, question, []netip.Addr{address}, C.DefaultDNSTTL), nil
+}
+
+func (t *Transport) Store() adapter.FakeIPStore {
+	return t.store
+}

dns/transport/https.go

@@ -0,0 +1,193 @@
+package transport
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	aTLS "github.com/sagernet/sing/common/tls"
+	sHTTP "github.com/sagernet/sing/protocol/http"
+
+	mDNS "github.com/miekg/dns"
+	"golang.org/x/net/http2"
+)
+
+const MimeType = "application/dns-message"
+
+var _ adapter.DNSTransport = (*HTTPSTransport)(nil)
+
+func RegisterHTTPS(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteHTTPSDNSServerOptions](registry, C.DNSTypeHTTPS, NewHTTPS)
+}
+
+type HTTPSTransport struct {
+	dns.TransportAdapter
+	logger      logger.ContextLogger
+	dialer      N.Dialer
+	destination *url.URL
+	headers     http.Header
+	transport   *http.Transport
+}
+
+func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
+	if err != nil {
+		return nil, err
+	}
+	tlsOptions := common.PtrValueOrDefault(options.TLS)
+	tlsOptions.Enabled = true
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	if err != nil {
+		return nil, err
+	}
+	if common.Error(tlsConfig.Config()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
+	}
+	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
+		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
+	}
+	destinationURL := url.URL{
+		Scheme: "https",
+		Host:   options.Host,
+	}
+	if destinationURL.Host == "" {
+		destinationURL.Host = options.Server
+	}
+	if options.ServerPort != 0 && options.ServerPort != 443 {
+		destinationURL.Host = net.JoinHostPort(destinationURL.Host, strconv.Itoa(int(options.ServerPort)))
+	}
+	path := options.Path
+	if path == "" {
+		path = "/dns-query"
+	}
+	err = sHTTP.URLSetPath(&destinationURL, path)
+	if err != nil {
+		return nil, err
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 443
+	}
+	return NewHTTPSRaw(
+		dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, options.RemoteDNSServerOptions),
+		logger,
+		transportDialer,
+		&destinationURL,
+		options.Headers.Build(),
+		serverAddr,
+		tlsConfig,
+	), nil
+}
+
+func NewHTTPSRaw(
+	adapter dns.TransportAdapter,
+	logger log.ContextLogger,
+	dialer N.Dialer,
+	destination *url.URL,
+	headers http.Header,
+	serverAddr M.Socksaddr,
+	tlsConfig tls.Config,
+) *HTTPSTransport {
+	var transport *http.Transport
+	if tlsConfig != nil {
+		transport = &http.Transport{
+			ForceAttemptHTTP2: true,
+			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
+				if hErr != nil {
+					return nil, hErr
+				}
+				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
+				if hErr != nil {
+					tcpConn.Close()
+					return nil, hErr
+				}
+				return tlsConn, nil
+			},
+		}
+	} else {
+		transport = &http.Transport{
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				return dialer.DialContext(ctx, network, serverAddr)
+			},
+		}
+	}
+	return &HTTPSTransport{
+		TransportAdapter: adapter,
+		logger:           logger,
+		dialer:           dialer,
+		destination:      destination,
+		headers:          headers,
+		transport:        transport,
+	}
+}
+
+func (t *HTTPSTransport) Reset() {
+	t.transport.CloseIdleConnections()
+	t.transport = t.transport.Clone()
+}
+
+func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	exMessage := *message
+	exMessage.Id = 0
+	exMessage.Compress = true
+	requestBuffer := buf.NewSize(1 + message.Len())
+	rawMessage, err := exMessage.PackBuffer(requestBuffer.FreeBytes())
+	if err != nil {
+		requestBuffer.Release()
+		return nil, err
+	}
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
+	if err != nil {
+		requestBuffer.Release()
+		return nil, err
+	}
+	request.Header = t.headers.Clone()
+	request.Header.Set("Content-Type", MimeType)
+	request.Header.Set("Accept", MimeType)
+	response, err := t.transport.RoundTrip(request)
+	requestBuffer.Release()
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("unexpected status: ", response.Status)
+	}
+	var responseMessage mDNS.Msg
+	if response.ContentLength > 0 {
+		responseBuffer := buf.NewSize(int(response.ContentLength))
+		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
+		if err != nil {
+			return nil, err
+		}
+		err = responseMessage.Unpack(responseBuffer.Bytes())
+		responseBuffer.Release()
+	} else {
+		rawMessage, err = io.ReadAll(response.Body)
+		if err != nil {
+			return nil, err
+		}
+		err = responseMessage.Unpack(rawMessage)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &responseMessage, nil
+}

dns/transport/local/local.go

@@ -0,0 +1,177 @@
+package local
+
+import (
+	"context"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.LocalDNSServerOptions](registry, C.DNSTypeLocal, NewTransport)
+}
+
+var _ adapter.DNSTransport = (*Transport)(nil)
+
+type Transport struct {
+	dns.TransportAdapter
+	dialer N.Dialer
+}
+
+func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, options option.LocalDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewLocalDialer(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+	return &Transport{
+		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeTCP, tag, options),
+		dialer:           transportDialer,
+	}, nil
+}
+
+func (t *Transport) Reset() {
+}
+
+func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	question := message.Question[0]
+	domain := dns.FqdnToDomain(question.Name)
+	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
+		addressStrings, _ := lookupStaticHost(domain)
+		if len(addressStrings) > 0 {
+			return dns.FixedResponse(message.Id, question, common.Map(addressStrings, M.ParseAddr), C.DefaultDNSTTL), nil
+		}
+	}
+	systemConfig := getSystemDNSConfig()
+	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
+		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
+	} else {
+		return t.exchangeParallel(ctx, systemConfig, message, domain)
+	}
+}
+
+func (t *Transport) exchangeSingleRequest(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	var lastErr error
+	for _, fqdn := range nameList(systemConfig, domain) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastErr
+}
+
+func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfig, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
+	returned := make(chan struct{})
+	defer close(returned)
+	type queryResult struct {
+		response *mDNS.Msg
+		err      error
+	}
+	results := make(chan queryResult)
+	startRacer := func(ctx context.Context, fqdn string) {
+		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
+		select {
+		case results <- queryResult{response, err}:
+		case <-returned:
+		}
+	}
+	queryCtx, queryCancel := context.WithCancel(ctx)
+	defer queryCancel()
+	for _, fqdn := range nameList(systemConfig, domain) {
+		go startRacer(queryCtx, fqdn)
+	}
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case result := <-results:
+		return result.response, result.err
+	}
+}
+
+func (t *Transport) tryOneName(ctx context.Context, config *dnsConfig, fqdn string, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverOffset := config.serverOffset()
+	sLen := uint32(len(config.servers))
+	var lastErr error
+	for i := 0; i < config.attempts; i++ {
+		for j := uint32(0); j < sLen; j++ {
+			server := config.servers[(serverOffset+j)%sLen]
+			question := message.Question[0]
+			question.Name = fqdn
+			response, err := t.exchangeOne(ctx, M.ParseSocksaddr(server), question, config.timeout, config.useTCP, config.trustAD)
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			return response, nil
+		}
+	}
+	return nil, lastErr
+}
+
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+	var networks []string
+	if useTCP {
+		networks = []string{N.NetworkTCP}
+	} else {
+		networks = []string{N.NetworkUDP, N.NetworkTCP}
+	}
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			Id:                uint16(randInt()),
+			RecursionDesired:  true,
+			AuthenticatedData: ad,
+		},
+		Question: []mDNS.Question{question},
+		Compress: true,
+	}
+	request.SetEdns0(maxDNSPacketSize, false)
+	buffer := buf.Get(buf.UDPBufferSize)
+	defer buf.Put(buffer)
+	for _, network := range networks {
+		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
+		defer cancel()
+		conn, err := t.dialer.DialContext(ctx, network, server)
+		if err != nil {
+			return nil, err
+		}
+		defer conn.Close()
+		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+			conn.SetDeadline(deadline)
+		}
+		rawMessage, err := request.PackBuffer(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "pack request")
+		}
+		_, err = conn.Write(rawMessage)
+		if err != nil {
+			return nil, E.Cause(err, "write request")
+		}
+		n, err := conn.Read(buffer)
+		if err != nil {
+			return nil, E.Cause(err, "read response")
+		}
+		var response mDNS.Msg
+		err = response.Unpack(buffer[:n])
+		if err != nil {
+			return nil, E.Cause(err, "unpack response")
+		}
+		if response.Truncated && network == N.NetworkUDP {
+			continue
+		}
+		return &response, nil
+	}
+	panic("unexpected")
+}

dns/transport/local/local_badlinkname.go

@@ -0,0 +1,19 @@
+//go:build badlinkname
+
+package local
+
+import (
+	_ "unsafe"
+)
+
+//go:linkname getSystemDNSConfig net.getSystemDNSConfig
+func getSystemDNSConfig() *dnsConfig
+
+//go:linkname nameList net.(*dnsConfig).nameList
+func nameList(c *dnsConfig, name string) []string
+
+//go:linkname lookupStaticHost net.lookupStaticHost
+func lookupStaticHost(host string) ([]string, string)
+
+//go:linkname splitHostZone net.splitHostZone
+func splitHostZone(s string) (host, zone string)

dns/transport/local/local_linkname.go

@@ -0,0 +1,44 @@
+package local
+
+import (
+	"sync/atomic"
+	"time"
+	_ "unsafe"
+)
+
+const (
+	// net.maxDNSPacketSize
+	maxDNSPacketSize = 1232
+)
+
+type dnsConfig struct {
+	servers       []string      // server addresses (in host:port form) to use
+	search        []string      // rooted suffixes to append to local name
+	ndots         int           // number of dots in name to trigger absolute lookup
+	timeout       time.Duration // wait before giving up on a query, including retries
+	attempts      int           // lost packets before giving up on server
+	rotate        bool          // round robin among servers
+	unknownOpt    bool          // anything unknown was encountered
+	lookup        []string      // OpenBSD top-level database "lookup" order
+	err           error         // any error that occurs during open of resolv.conf
+	mtime         time.Time     // time of resolv.conf modification
+	soffset       uint32        // used by serverOffset
+	singleRequest bool          // use sequential A and AAAA queries instead of parallel queries
+	useTCP        bool          // force usage of TCP for DNS resolutions
+	trustAD       bool          // add AD flag to queries
+	noReload      bool          // do not check for config file updates
+}
+
+func (c *dnsConfig) serverOffset() uint32 {
+	if c.rotate {
+		return atomic.AddUint32(&c.soffset, 1) - 1 // return 0 to start
+	}
+	return 0
+}
+
+//go:linkname runtime_rand runtime.rand
+func runtime_rand() uint64
+
+func randInt() int {
+	return int(uint(runtime_rand()) >> 1) // clear sign bit
+}

dns/transport/local/local_notbadlinkname.go

@@ -0,0 +1,19 @@
+//go:build !badlinkname
+
+package local
+
+func getSystemDNSConfig() *dnsConfig {
+	panic("stub")
+}
+
+func nameList(c *dnsConfig, name string) []string {
+	panic("stub")
+}
+
+func lookupStaticHost(host string) ([]string, string) {
+	panic("stub")
+}
+
+func splitHostZone(s string) (host, zone string) {
+	panic("stub")
+}

dns/transport/predefined.go

@@ -0,0 +1,82 @@
+package transport
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*PredefinedTransport)(nil)
+
+func RegisterPredefined(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.PredefinedDNSServerOptions](registry, C.DNSTypePreDefined, NewPredefined)
+}
+
+type PredefinedTransport struct {
+	dns.TransportAdapter
+	responses []*predefinedResponse
+}
+
+type predefinedResponse struct {
+	questions []mDNS.Question
+	answer    *mDNS.Msg
+}
+
+func NewPredefined(ctx context.Context, logger log.ContextLogger, tag string, options option.PredefinedDNSServerOptions) (adapter.DNSTransport, error) {
+	var responses []*predefinedResponse
+	for _, response := range options.Responses {
+		questions, msg, err := response.Build()
+		if err != nil {
+			return nil, err
+		}
+		responses = append(responses, &predefinedResponse{
+			questions: questions,
+			answer:    msg,
+		})
+	}
+	if len(responses) == 0 {
+		return nil, E.New("empty predefined responses")
+	}
+	return &PredefinedTransport{
+		TransportAdapter: dns.NewTransportAdapter(C.DNSTypePreDefined, tag, nil),
+		responses:        responses,
+	}, nil
+}
+
+func (t *PredefinedTransport) Reset() {
+}
+
+func (t *PredefinedTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	for _, response := range t.responses {
+		for _, question := range response.questions {
+			if func() bool {
+				if question.Name == "" && question.Qtype == mDNS.TypeNone {
+					return true
+				} else if question.Name == "" {
+					return common.Any(message.Question, func(it mDNS.Question) bool {
+						return it.Qtype == question.Qtype
+					})
+				} else if question.Qtype == mDNS.TypeNone {
+					return common.Any(message.Question, func(it mDNS.Question) bool {
+						return it.Name == question.Name
+					})
+				} else {
+					return common.Contains(message.Question, question)
+				}
+			}() {
+				copyAnswer := *response.answer
+				copyAnswer.Id = message.Id
+				return &copyAnswer, nil
+			}
+		}
+	}
+	return nil, dns.RCodeNameError
+}

dns/transport/quic/http3.go

@@ -0,0 +1,156 @@
+package quic
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	sHTTP "github.com/sagernet/sing/protocol/http"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*HTTP3Transport)(nil)
+
+func RegisterHTTP3Transport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteHTTPSDNSServerOptions](registry, C.DNSTypeHTTP3, NewHTTP3)
+}
+
+type HTTP3Transport struct {
+	dns.TransportAdapter
+	logger      logger.ContextLogger
+	dialer      N.Dialer
+	destination *url.URL
+	headers     http.Header
+	transport   *http3.Transport
+}
+
+func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteHTTPSDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
+	if err != nil {
+		return nil, err
+	}
+	tlsOptions := common.PtrValueOrDefault(options.TLS)
+	tlsOptions.Enabled = true
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	if err != nil {
+		return nil, err
+	}
+	stdConfig, err := tlsConfig.Config()
+	if err != nil {
+		return nil, err
+	}
+	destinationURL := url.URL{
+		Scheme: "HTTP3",
+		Host:   options.Host,
+	}
+	if destinationURL.Host == "" {
+		destinationURL.Host = options.Server
+	}
+	if options.ServerPort != 0 && options.ServerPort != 443 {
+		destinationURL.Host = net.JoinHostPort(destinationURL.Host, strconv.Itoa(int(options.ServerPort)))
+	}
+	path := options.Path
+	if path == "" {
+		path = "/dns-query"
+	}
+	err = sHTTP.URLSetPath(&destinationURL, path)
+	if err != nil {
+		return nil, err
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 443
+	}
+	return &HTTP3Transport{
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),
+		logger:           logger,
+		dialer:           transportDialer,
+		destination:      &destinationURL,
+		headers:          options.Headers.Build(),
+		transport: &http3.Transport{
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
+				destinationAddr := M.ParseSocksaddr(addr)
+				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, destinationAddr)
+				if dialErr != nil {
+					return nil, dialErr
+				}
+				return quic.DialEarly(ctx, bufio.NewUnbindPacketConn(conn), conn.RemoteAddr(), tlsCfg, cfg)
+			},
+			TLSClientConfig: stdConfig,
+		},
+	}, nil
+}
+
+func (t *HTTP3Transport) Reset() {
+	t.transport.Close()
+}
+
+func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	exMessage := *message
+	exMessage.Id = 0
+	exMessage.Compress = true
+	requestBuffer := buf.NewSize(1 + message.Len())
+	rawMessage, err := exMessage.PackBuffer(requestBuffer.FreeBytes())
+	if err != nil {
+		requestBuffer.Release()
+		return nil, err
+	}
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
+	if err != nil {
+		requestBuffer.Release()
+		return nil, err
+	}
+	request.Header = t.headers.Clone()
+	request.Header.Set("Content-Type", transport.MimeType)
+	request.Header.Set("Accept", transport.MimeType)
+	response, err := t.transport.RoundTrip(request)
+	requestBuffer.Release()
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+	if response.StatusCode != http.StatusOK {
+		return nil, E.New("unexpected status: ", response.Status)
+	}
+	var responseMessage mDNS.Msg
+	if response.ContentLength > 0 {
+		responseBuffer := buf.NewSize(int(response.ContentLength))
+		_, err = responseBuffer.ReadFullFrom(response.Body, int(response.ContentLength))
+		if err != nil {
+			return nil, err
+		}
+		err = responseMessage.Unpack(responseBuffer.Bytes())
+		responseBuffer.Release()
+	} else {
+		rawMessage, err = io.ReadAll(response.Body)
+		if err != nil {
+			return nil, err
+		}
+		err = responseMessage.Unpack(rawMessage)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &responseMessage, nil
+}

dns/transport/quic/quic.go

@@ -0,0 +1,174 @@
+package quic
+
+import (
+	"context"
+	"errors"
+	"sync"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	sQUIC "github.com/sagernet/sing-quic"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*Transport)(nil)
+
+func RegisterTransport(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeQUIC, NewQUIC)
+}
+
+type Transport struct {
+	dns.TransportAdapter
+	ctx        context.Context
+	logger     logger.ContextLogger
+	dialer     N.Dialer
+	serverAddr M.Socksaddr
+	tlsConfig  tls.Config
+	access     sync.Mutex
+	connection quic.EarlyConnection
+}
+
+func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
+	if err != nil {
+		return nil, err
+	}
+	tlsOptions := common.PtrValueOrDefault(options.TLS)
+	tlsOptions.Enabled = true
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	if err != nil {
+		return nil, err
+	}
+	if len(tlsConfig.NextProtos()) == 0 {
+		tlsConfig.SetNextProtos([]string{"doq"})
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 853
+	}
+	return &Transport{
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),
+		ctx:              ctx,
+		logger:           logger,
+		dialer:           transportDialer,
+		serverAddr:       serverAddr,
+		tlsConfig:        tlsConfig,
+	}, nil
+}
+
+func (t *Transport) Reset() {
+	t.access.Lock()
+	defer t.access.Unlock()
+	connection := t.connection
+	if connection != nil {
+		connection.CloseWithError(0, "")
+	}
+}
+
+func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	var (
+		conn     quic.Connection
+		err      error
+		response *mDNS.Msg
+	)
+	for i := 0; i < 2; i++ {
+		conn, err = t.openConnection()
+		if err != nil {
+			return nil, err
+		}
+		response, err = t.exchange(ctx, message, conn)
+		if err == nil {
+			return response, nil
+		} else if !isQUICRetryError(err) {
+			return nil, err
+		} else {
+			conn.CloseWithError(quic.ApplicationErrorCode(0), "")
+			continue
+		}
+	}
+	return nil, err
+}
+
+func (t *Transport) openConnection() (quic.EarlyConnection, error) {
+	connection := t.connection
+	if connection != nil && !common.Done(connection.Context()) {
+		return connection, nil
+	}
+	t.access.Lock()
+	defer t.access.Unlock()
+	connection = t.connection
+	if connection != nil && !common.Done(connection.Context()) {
+		return connection, nil
+	}
+	conn, err := t.dialer.DialContext(t.ctx, N.NetworkUDP, t.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	earlyConnection, err := sQUIC.DialEarly(
+		t.ctx,
+		bufio.NewUnbindPacketConn(conn),
+		t.serverAddr.UDPAddr(),
+		t.tlsConfig,
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+	t.connection = earlyConnection
+	return earlyConnection, nil
+}
+
+func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn quic.Connection) (*mDNS.Msg, error) {
+	stream, err := conn.OpenStreamSync(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer stream.Close()
+	defer stream.CancelRead(0)
+	err = transport.WriteMessage(stream, 0, message)
+	if err != nil {
+		return nil, err
+	}
+	return transport.ReadMessage(stream)
+}
+
+// https://github.com/AdguardTeam/dnsproxy/blob/fd1868577652c639cce3da00e12ca548f421baf1/upstream/upstream_quic.go#L394
+func isQUICRetryError(err error) (ok bool) {
+	var qAppErr *quic.ApplicationError
+	if errors.As(err, &qAppErr) && qAppErr.ErrorCode == 0 {
+		return true
+	}
+
+	var qIdleErr *quic.IdleTimeoutError
+	if errors.As(err, &qIdleErr) {
+		return true
+	}
+
+	var resetErr *quic.StatelessResetError
+	if errors.As(err, &resetErr) {
+		return true
+	}
+
+	var qTransportError *quic.TransportError
+	if errors.As(err, &qTransportError) && qTransportError.ErrorCode == quic.NoError {
+		return true
+	}
+
+	if errors.Is(err, quic.Err0RTTRejected) {
+		return true
+	}
+
+	return false
+}

dns/transport/tcp.go

@@ -0,0 +1,99 @@
+package transport
+
+import (
+	"context"
+	"encoding/binary"
+	"io"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*TCPTransport)(nil)
+
+func RegisterTCP(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteDNSServerOptions](registry, C.DNSTypeTCP, NewTCP)
+}
+
+type TCPTransport struct {
+	dns.TransportAdapter
+	dialer     N.Dialer
+	serverAddr M.Socksaddr
+}
+
+func NewTCP(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 53
+	}
+	return &TCPTransport{
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTCP, tag, options),
+		dialer:           transportDialer,
+		serverAddr:       serverAddr,
+	}, nil
+}
+
+func (t *TCPTransport) Reset() {
+}
+
+func (t *TCPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	err = WriteMessage(conn, 0, message)
+	if err != nil {
+		return nil, err
+	}
+	return ReadMessage(conn)
+}
+
+func ReadMessage(reader io.Reader) (*mDNS.Msg, error) {
+	var responseLen uint16
+	err := binary.Read(reader, binary.BigEndian, &responseLen)
+	if err != nil {
+		return nil, err
+	}
+	if responseLen < 10 {
+		return nil, mDNS.ErrShortRead
+	}
+	buffer := buf.NewSize(int(responseLen))
+	defer buffer.Release()
+	_, err = buffer.ReadFullFrom(reader, int(responseLen))
+	if err != nil {
+		return nil, err
+	}
+	var message mDNS.Msg
+	err = message.Unpack(buffer.Bytes())
+	return &message, err
+}
+
+func WriteMessage(writer io.Writer, messageId uint16, message *mDNS.Msg) error {
+	requestLen := message.Len()
+	buffer := buf.NewSize(3 + requestLen)
+	defer buffer.Release()
+	common.Must(binary.Write(buffer, binary.BigEndian, uint16(requestLen)))
+	exMessage := *message
+	exMessage.Id = messageId
+	exMessage.Compress = true
+	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
+	if err != nil {
+		return err
+	}
+	buffer.Truncate(2 + len(rawMessage))
+	return common.Error(writer.Write(buffer.Bytes()))
+}

dns/transport/tls.go

@@ -0,0 +1,115 @@
+package transport
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*TLSTransport)(nil)
+
+func RegisterTLS(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteTLSDNSServerOptions](registry, C.DNSTypeTLS, NewTLS)
+}
+
+type TLSTransport struct {
+	dns.TransportAdapter
+	logger      logger.ContextLogger
+	dialer      N.Dialer
+	serverAddr  M.Socksaddr
+	tlsConfig   tls.Config
+	access      sync.Mutex
+	connections list.List[*tlsDNSConn]
+}
+
+type tlsDNSConn struct {
+	tls.Conn
+	queryId uint16
+}
+
+func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options.RemoteDNSServerOptions)
+	if err != nil {
+		return nil, err
+	}
+	tlsOptions := common.PtrValueOrDefault(options.TLS)
+	tlsOptions.Enabled = true
+	tlsConfig, err := tls.NewClient(ctx, options.Server, tlsOptions)
+	if err != nil {
+		return nil, err
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 853
+	}
+	return &TLSTransport{
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions),
+		logger:           logger,
+		dialer:           transportDialer,
+		serverAddr:       serverAddr,
+		tlsConfig:        tlsConfig,
+	}, nil
+}
+
+func (t *TLSTransport) Reset() {
+	t.access.Lock()
+	defer t.access.Unlock()
+	for connection := t.connections.Front(); connection != nil; connection = connection.Next() {
+		connection.Value.Close()
+	}
+	t.connections.Init()
+}
+
+func (t *TLSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	t.access.Lock()
+	conn := t.connections.PopFront()
+	t.access.Unlock()
+	if conn != nil {
+		response, err := t.exchange(message, conn)
+		if err == nil {
+			return response, nil
+		}
+	}
+	tcpConn, err := t.dialer.DialContext(ctx, N.NetworkTCP, t.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	tlsConn, err := tls.ClientHandshake(ctx, tcpConn, t.tlsConfig)
+	if err != nil {
+		tcpConn.Close()
+		return nil, err
+	}
+	return t.exchange(message, &tlsDNSConn{Conn: tlsConn})
+}
+
+func (t *TLSTransport) exchange(message *mDNS.Msg, conn *tlsDNSConn) (*mDNS.Msg, error) {
+	conn.queryId++
+	err := WriteMessage(conn, conn.queryId, message)
+	if err != nil {
+		conn.Close()
+		return nil, E.Cause(err, "write request")
+	}
+	response, err := ReadMessage(conn)
+	if err != nil {
+		conn.Close()
+		return nil, E.Cause(err, "read response")
+	}
+	t.access.Lock()
+	t.connections.PushBack(conn)
+	t.access.Unlock()
+	return response, nil
+}

dns/transport/udp.go

@@ -0,0 +1,217 @@
+package transport
+
+import (
+	"context"
+	"net"
+	"os"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	mDNS "github.com/miekg/dns"
+)
+
+var _ adapter.DNSTransport = (*UDPTransport)(nil)
+
+func RegisterUDP(registry *dns.TransportRegistry) {
+	dns.RegisterTransport[option.RemoteDNSServerOptions](registry, C.DNSTypeUDP, NewUDP)
+}
+
+type UDPTransport struct {
+	dns.TransportAdapter
+	logger       logger.ContextLogger
+	dialer       N.Dialer
+	serverAddr   M.Socksaddr
+	udpSize      int
+	tcpTransport *TCPTransport
+	access       sync.Mutex
+	conn         *dnsConnection
+	done         chan struct{}
+}
+
+func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteDNSServerOptions) (adapter.DNSTransport, error) {
+	transportDialer, err := dns.NewRemoteDialer(ctx, options)
+	if err != nil {
+		return nil, err
+	}
+	serverAddr := options.ServerOptions.Build()
+	if serverAddr.Port == 0 {
+		serverAddr.Port = 53
+	}
+	return NewUDPRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeUDP, tag, options), transportDialer, serverAddr), nil
+}
+
+func NewUDPRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr) *UDPTransport {
+	return &UDPTransport{
+		TransportAdapter: adapter,
+		logger:           logger,
+		dialer:           dialer,
+		serverAddr:       serverAddr,
+		udpSize:          512,
+		tcpTransport: &TCPTransport{
+			dialer:     dialer,
+			serverAddr: serverAddr,
+		},
+		done: make(chan struct{}),
+	}
+}
+
+func (t *UDPTransport) Reset() {
+	t.access.Lock()
+	defer t.access.Unlock()
+	close(t.done)
+	t.done = make(chan struct{})
+}
+
+func (t *UDPTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	response, err := t.exchange(ctx, message)
+	if err != nil {
+		return nil, err
+	}
+	if response.Truncated {
+		t.logger.InfoContext(ctx, "response truncated, retrying with TCP")
+		return t.tcpTransport.Exchange(ctx, message)
+	}
+	return response, nil
+}
+
+func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	conn, err := t.open(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if edns0Opt := message.IsEdns0(); edns0Opt != nil {
+		if udpSize := int(edns0Opt.UDPSize()); udpSize > t.udpSize {
+			t.udpSize = udpSize
+		}
+	}
+	buffer := buf.NewSize(1 + message.Len())
+	defer buffer.Release()
+	exMessage := *message
+	exMessage.Compress = true
+	messageId := message.Id
+	callback := &dnsCallback{
+		done: make(chan struct{}),
+	}
+	conn.access.Lock()
+	conn.queryId++
+	exMessage.Id = conn.queryId
+	conn.callbacks[exMessage.Id] = callback
+	conn.access.Unlock()
+	defer func() {
+		conn.access.Lock()
+		delete(conn.callbacks, messageId)
+		conn.access.Unlock()
+		callback.access.Lock()
+		select {
+		case <-callback.done:
+		default:
+			close(callback.done)
+		}
+		callback.access.Unlock()
+	}()
+	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
+	if err != nil {
+		return nil, err
+	}
+	_, err = conn.Write(rawMessage)
+	if err != nil {
+		conn.Close(err)
+		return nil, err
+	}
+	select {
+	case <-callback.done:
+		callback.message.Id = messageId
+		return callback.message, nil
+	case <-conn.done:
+		return nil, conn.err
+	case <-t.done:
+		return nil, os.ErrClosed
+	case <-ctx.Done():
+		conn.Close(ctx.Err())
+		return nil, ctx.Err()
+	}
+}
+
+func (t *UDPTransport) open(ctx context.Context) (*dnsConnection, error) {
+	t.access.Lock()
+	defer t.access.Unlock()
+	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, t.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	dnsConn := &dnsConnection{
+		Conn:      conn,
+		done:      make(chan struct{}),
+		callbacks: make(map[uint16]*dnsCallback),
+	}
+	go t.recvLoop(dnsConn)
+	return dnsConn, nil
+}
+
+func (t *UDPTransport) recvLoop(conn *dnsConnection) {
+	for {
+		buffer := buf.NewSize(t.udpSize)
+		_, err := buffer.ReadOnceFrom(conn)
+		if err != nil {
+			buffer.Release()
+			conn.Close(err)
+			return
+		}
+		var message mDNS.Msg
+		err = message.Unpack(buffer.Bytes())
+		buffer.Release()
+		if err != nil {
+			conn.Close(err)
+			return
+		}
+		conn.access.RLock()
+		callback, loaded := conn.callbacks[message.Id]
+		conn.access.RUnlock()
+		if !loaded {
+			continue
+		}
+		callback.access.Lock()
+		select {
+		case <-callback.done:
+		default:
+			callback.message = &message
+			close(callback.done)
+		}
+		callback.access.Unlock()
+	}
+}
+
+type dnsConnection struct {
+	net.Conn
+	access    sync.RWMutex
+	done      chan struct{}
+	closeOnce sync.Once
+	err       error
+	queryId   uint16
+	callbacks map[uint16]*dnsCallback
+}
+
+func (c *dnsConnection) Close(err error) {
+	c.access.Lock()
+	defer c.access.Unlock()
+	c.closeOnce.Do(func() {
+		close(c.done)
+		c.err = err
+	})
+	c.Conn.Close()
+}
+
+type dnsCallback struct {
+	access  sync.Mutex
+	message *mDNS.Msg
+	done    chan struct{}
+}

dns/transport_adapter.go

@@ -0,0 +1,70 @@
+package dns
+
+import (
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+)
+
+var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
+
+type TransportAdapter struct {
+	transportType string
+	transportTag  string
+	dependencies  []string
+	strategy      C.DomainStrategy
+	clientSubnet  netip.Prefix
+}
+
+func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
+	return TransportAdapter{
+		transportType: transportType,
+		transportTag:  transportTag,
+		dependencies:  dependencies,
+	}
+}
+
+func NewTransportAdapterWithLocalOptions(transportType string, transportTag string, localOptions option.LocalDNSServerOptions) TransportAdapter {
+	return TransportAdapter{
+		transportType: transportType,
+		transportTag:  transportTag,
+		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
+		clientSubnet:  localOptions.LegacyClientSubnet,
+	}
+}
+
+func NewTransportAdapterWithRemoteOptions(transportType string, transportTag string, remoteOptions option.RemoteDNSServerOptions) TransportAdapter {
+	var dependencies []string
+	if remoteOptions.AddressResolver != "" {
+		dependencies = []string{remoteOptions.AddressResolver}
+	}
+	return TransportAdapter{
+		transportType: transportType,
+		transportTag:  transportTag,
+		dependencies:  dependencies,
+		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
+		clientSubnet:  remoteOptions.LegacyClientSubnet,
+	}
+}
+
+func (a *TransportAdapter) Type() string {
+	return a.transportType
+}
+
+func (a *TransportAdapter) Tag() string {
+	return a.transportTag
+}
+
+func (a *TransportAdapter) Dependencies() []string {
+	return a.dependencies
+}
+
+func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
+	return a.strategy
+}
+
+func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
+	return a.clientSubnet
+}

dns/transport_dialer.go

@@ -0,0 +1,101 @@
+package dns
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+)
+
+func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
+	if options.LegacyDefaultDialer {
+		return dialer.NewDefaultOutbound(ctx), nil
+	} else {
+		return dialer.New(ctx, options.DialerOptions, false)
+	}
+}
+
+func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
+	var (
+		transportDialer N.Dialer
+		err             error
+	)
+	if options.LegacyDefaultDialer {
+		transportDialer = dialer.NewDefaultOutbound(ctx)
+	} else {
+		transportDialer, err = dialer.New(ctx, options.DialerOptions, options.ServerIsDomain())
+	}
+	if err != nil {
+		return nil, err
+	}
+	if options.AddressResolver != "" {
+		transport := service.FromContext[adapter.DNSTransportManager](ctx)
+		resolverTransport, loaded := transport.Transport(options.AddressResolver)
+		if !loaded {
+			return nil, E.New("address resolver not found: ", options.AddressResolver)
+		}
+		transportDialer = NewTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.AddressStrategy), time.Duration(options.AddressFallbackDelay))
+	} else if options.ServerIsDomain() {
+		return nil, E.New("missing address resolver for server: ", options.Server)
+	}
+	return transportDialer, nil
+}
+
+type TransportDialer struct {
+	dialer        N.Dialer
+	dnsRouter     adapter.DNSRouter
+	transport     adapter.DNSTransport
+	strategy      C.DomainStrategy
+	fallbackDelay time.Duration
+}
+
+func NewTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *TransportDialer {
+	return &TransportDialer{
+		dialer,
+		dnsRouter,
+		transport,
+		strategy,
+		fallbackDelay,
+	}
+}
+
+func (d *TransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if destination.IsIP() {
+		return d.dialer.DialContext(ctx, network, destination)
+	}
+	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
+		Transport: d.transport,
+		Strategy:  d.strategy,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
+}
+
+func (d *TransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	if destination.IsIP() {
+		return d.dialer.ListenPacket(ctx, destination)
+	}
+	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
+		Transport: d.transport,
+		Strategy:  d.strategy,
+	})
+	if err != nil {
+		return nil, err
+	}
+	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	return conn, err
+}
+
+func (d *TransportDialer) Upstream() any {
+	return d.dialer
+}

dns/transport_manager.go

@@ -0,0 +1,288 @@
+package dns
+
+import (
+	"context"
+	"io"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+)
+
+var _ adapter.DNSTransportManager = (*TransportManager)(nil)
+
+type TransportManager struct {
+	logger                   log.ContextLogger
+	registry                 adapter.DNSTransportRegistry
+	outbound                 adapter.OutboundManager
+	defaultTag               string
+	access                   sync.RWMutex
+	started                  bool
+	stage                    adapter.StartStage
+	transports               []adapter.DNSTransport
+	transportByTag           map[string]adapter.DNSTransport
+	dependByTag              map[string][]string
+	defaultTransport         adapter.DNSTransport
+	defaultTransportFallback adapter.DNSTransport
+	fakeIPTransport          adapter.FakeIPTransport
+}
+
+func NewTransportManager(logger logger.ContextLogger, registry adapter.DNSTransportRegistry, outbound adapter.OutboundManager, defaultTag string) *TransportManager {
+	return &TransportManager{
+		logger:         logger,
+		registry:       registry,
+		outbound:       outbound,
+		defaultTag:     defaultTag,
+		transportByTag: make(map[string]adapter.DNSTransport),
+		dependByTag:    make(map[string][]string),
+	}
+}
+
+func (m *TransportManager) Initialize(defaultTransportFallback adapter.DNSTransport) {
+	m.defaultTransportFallback = defaultTransportFallback
+}
+
+func (m *TransportManager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	outbounds := m.transports
+	m.access.Unlock()
+	if stage == adapter.StartStateStart {
+		return m.startTransports(m.transports)
+	} else {
+		for _, outbound := range outbounds {
+			err := adapter.LegacyStart(outbound, stage)
+			if err != nil {
+				return E.Cause(err, stage, " dns/", outbound.Type(), "[", outbound.Tag(), "]")
+			}
+		}
+	}
+	return nil
+}
+
+func (m *TransportManager) startTransports(transports []adapter.DNSTransport) error {
+	monitor := taskmonitor.New(m.logger, C.StartTimeout)
+	started := make(map[string]bool)
+	for {
+		canContinue := false
+	startOne:
+		for _, transportToStart := range transports {
+			transportTag := transportToStart.Tag()
+			if started[transportTag] {
+				continue
+			}
+			dependencies := transportToStart.Dependencies()
+			for _, dependency := range dependencies {
+				if !started[dependency] {
+					continue startOne
+				}
+			}
+			started[transportTag] = true
+			canContinue = true
+			if starter, isStarter := transportToStart.(adapter.Lifecycle); isStarter {
+				monitor.Start("start dns/", transportToStart.Type(), "[", transportTag, "]")
+				err := starter.Start(adapter.StartStateStart)
+				monitor.Finish()
+				if err != nil {
+					return E.Cause(err, "start dns/", transportToStart.Type(), "[", transportTag, "]")
+				}
+			}
+		}
+		if len(started) == len(transports) {
+			break
+		}
+		if canContinue {
+			continue
+		}
+		currentTransport := common.Find(transports, func(it adapter.DNSTransport) bool {
+			return !started[it.Tag()]
+		})
+		var lintTransport func(oTree []string, oCurrent adapter.DNSTransport) error
+		lintTransport = func(oTree []string, oCurrent adapter.DNSTransport) error {
+			problemTransportTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
+				return !started[it]
+			})
+			if common.Contains(oTree, problemTransportTag) {
+				return E.New("circular server dependency: ", strings.Join(oTree, " -> "), " -> ", problemTransportTag)
+			}
+			m.access.Lock()
+			problemTransport := m.transportByTag[problemTransportTag]
+			m.access.Unlock()
+			if problemTransport == nil {
+				return E.New("dependency[", problemTransportTag, "] not found for server[", oCurrent.Tag(), "]")
+			}
+			return lintTransport(append(oTree, problemTransportTag), problemTransport)
+		}
+		return lintTransport([]string{currentTransport.Tag()}, currentTransport)
+	}
+	return nil
+}
+
+func (m *TransportManager) Close() error {
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	m.access.Lock()
+	if !m.started {
+		m.access.Unlock()
+		return nil
+	}
+	m.started = false
+	transports := m.transports
+	m.transports = nil
+	m.access.Unlock()
+	var err error
+	for _, transport := range transports {
+		if closer, isCloser := transport.(io.Closer); isCloser {
+			monitor.Start("close server/", transport.Type(), "[", transport.Tag(), "]")
+			err = E.Append(err, closer.Close(), func(err error) error {
+				return E.Cause(err, "close server/", transport.Type(), "[", transport.Tag(), "]")
+			})
+			monitor.Finish()
+		}
+	}
+	return nil
+}
+
+func (m *TransportManager) Transports() []adapter.DNSTransport {
+	m.access.RLock()
+	defer m.access.RUnlock()
+	return m.transports
+}
+
+func (m *TransportManager) Transport(tag string) (adapter.DNSTransport, bool) {
+	m.access.RLock()
+	outbound, found := m.transportByTag[tag]
+	m.access.RUnlock()
+	return outbound, found
+}
+
+func (m *TransportManager) Default() adapter.DNSTransport {
+	m.access.RLock()
+	defer m.access.RUnlock()
+	if m.defaultTransport != nil {
+		return m.defaultTransport
+	} else {
+		return m.defaultTransportFallback
+	}
+}
+
+func (m *TransportManager) FakeIP() adapter.FakeIPTransport {
+	m.access.RLock()
+	defer m.access.RUnlock()
+	return m.fakeIPTransport
+}
+
+func (m *TransportManager) Remove(tag string) error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	transport, found := m.transportByTag[tag]
+	if !found {
+		return os.ErrInvalid
+	}
+	delete(m.transportByTag, tag)
+	index := common.Index(m.transports, func(it adapter.DNSTransport) bool {
+		return it == transport
+	})
+	if index == -1 {
+		panic("invalid inbound index")
+	}
+	m.transports = append(m.transports[:index], m.transports[index+1:]...)
+	started := m.started
+	if m.defaultTransport == transport {
+		if len(m.transports) > 0 {
+			nextTransport := m.transports[0]
+			if nextTransport.Type() != C.DNSTypeFakeIP {
+				return E.New("default server cannot be fakeip")
+			}
+			m.defaultTransport = nextTransport
+			m.logger.Info("updated default server to ", m.defaultTransport.Tag())
+		} else {
+			m.defaultTransport = nil
+		}
+	}
+	dependBy := m.dependByTag[tag]
+	if len(dependBy) > 0 {
+		return E.New("server[", tag, "] is depended by ", strings.Join(dependBy, ", "))
+	}
+	dependencies := transport.Dependencies()
+	for _, dependency := range dependencies {
+		if len(m.dependByTag[dependency]) == 1 {
+			delete(m.dependByTag, dependency)
+		} else {
+			m.dependByTag[dependency] = common.Filter(m.dependByTag[dependency], func(it string) bool {
+				return it != tag
+			})
+		}
+	}
+	if started {
+		transport.Reset()
+	}
+	return nil
+}
+
+func (m *TransportManager) Create(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) error {
+	if tag == "" {
+		return os.ErrInvalid
+	}
+	transport, err := m.registry.CreateDNSTransport(ctx, logger, tag, transportType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(transport, stage)
+			if err != nil {
+				return E.Cause(err, stage, " dns/", transport.Type(), "[", transport.Tag(), "]")
+			}
+		}
+	}
+	if existsTransport, loaded := m.transportByTag[tag]; loaded {
+		if m.started {
+			err = common.Close(existsTransport)
+			if err != nil {
+				return E.Cause(err, "close dns/", existsTransport.Type(), "[", existsTransport.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.transports, func(it adapter.DNSTransport) bool {
+			return it == existsTransport
+		})
+		if existsIndex == -1 {
+			panic("invalid inbound index")
+		}
+		m.transports = append(m.transports[:existsIndex], m.transports[existsIndex+1:]...)
+	}
+	m.transports = append(m.transports, transport)
+	m.transportByTag[tag] = transport
+	dependencies := transport.Dependencies()
+	for _, dependency := range dependencies {
+		m.dependByTag[dependency] = append(m.dependByTag[dependency], tag)
+	}
+	if tag == m.defaultTag || (m.defaultTag == "" && m.defaultTransport == nil) {
+		if transport.Type() == C.DNSTypeFakeIP {
+			return E.New("default server cannot be fakeip")
+		}
+		m.defaultTransport = transport
+		if m.started {
+			m.logger.Info("updated default server to ", transport.Tag())
+		}
+	}
+	if transport.Type() == C.DNSTypeFakeIP {
+		if m.fakeIPTransport != nil {
+			return E.New("multiple fakeip server are not supported")
+		}
+		m.fakeIPTransport = transport.(adapter.FakeIPTransport)
+	}
+	return nil
+}

dns/transport_registry.go

@@ -0,0 +1,72 @@
+package dns
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type TransportConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.DNSTransport, error)
+
+func RegisterTransport[Options any](registry *TransportRegistry, transportType string, constructor TransportConstructorFunc[Options]) {
+	registry.register(transportType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.DNSTransport, error) {
+		var options *Options
+		if rawOptions != nil {
+			options = rawOptions.(*Options)
+		}
+		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
+	})
+}
+
+var _ adapter.DNSTransportRegistry = (*TransportRegistry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.DNSTransport, error)
+)
+
+type TransportRegistry struct {
+	access       sync.Mutex
+	optionsType  map[string]optionsConstructorFunc
+	constructors map[string]constructorFunc
+}
+
+func NewTransportRegistry() *TransportRegistry {
+	return &TransportRegistry{
+		optionsType:  make(map[string]optionsConstructorFunc),
+		constructors: make(map[string]constructorFunc),
+	}
+}
+
+func (r *TransportRegistry) CreateOptions(transportType string) (any, bool) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	optionsConstructor, loaded := r.optionsType[transportType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (r *TransportRegistry) CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (adapter.DNSTransport, error) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	constructor, loaded := r.constructors[transportType]
+	if !loaded {
+		return nil, E.New("transport type not found: " + transportType)
+	}
+	return constructor(ctx, logger, tag, options)
+}
+
+func (r *TransportRegistry) register(transportType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	r.optionsType[transportType] = optionsConstructor
+	r.constructors[transportType] = constructor
+}

docs/changelog.md

@@ -2,6 +2,111 @@
 icon: material/alert-decagram
 ---
 
+#### 1.11.0-beta.23
+
+* Fixes and improvements
+
+### 1.10.7
+
+* Fixes and improvements
+
+#### 1.11.0-beta.20
+
+* Hysteria2 `ignore_client_bandwidth` behavior update **1**
+* Fixes and improvements
+
+**1**:
+
+When `up_mbps` and `down_mbps` are set, `ignore_client_bandwidth` instead denies clients from using BBR CC.
+
+See [Hysteria2](/configuration/inbound/hysteria2/#ignore_client_bandwidth).
+
+#### 1.11.0-beta.17
+
+* Add port hopping support for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2](/configuration/outbound/hysteria2/).
+
+#### 1.11.0-beta.14
+
+* Allow adding route (exclude) address sets to routes **1**
+* Fixes and improvements
+
+**1**:
+
+When `auto_redirect` is not enabled, directly add `route[_exclude]_address_set`
+to tun routes (equivalent to `route[_exclude]_address`).
+
+Note that it **doesn't work on the Android graphical client** due to
+the Android VpnService not being able to handle a large number of routes (DeadSystemException),
+but otherwise it works fine on all command line clients and Apple platforms.
+
+See [route_address_set](/configuration/inbound/tun/#route_address_set) and
+[route_exclude_address_set](/configuration/inbound/tun/#route_exclude_address_set).
+
+#### 1.11.0-beta.12
+
+* Add `rule-set merge` command
+* Fixes and improvements
+
+#### 1.11.0-beta.3
+
+* Add more masquerade options for hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2](/configuration/inbound/hysteria2/#masquerade).
+
+#### 1.11.0-alpha.25
+
+* Update quic-go to v0.48.2
+* Fixes and improvements
+
+#### 1.11.0-alpha.22
+
+* Add UDP timeout route option **1**
+* Fixes and improvements
+
+**1**:
+
+See [Rule Action](/configuration/route/rule_action/#udp_timeout).
+
+#### 1.11.0-alpha.20
+
+* Add UDP GSO support for WireGuard
+* Make GSO adaptive **1**
+
+**1**:
+
+For WireGuard outbound and endpoint, GSO will be automatically enabled when available,
+see [WireGuard Outbound](/configuration/outbound/wireguard/#gso).
+
+For TUN, GSO has been removed,
+see [Deprecated](/deprecated/#gso-option-in-tun).
+
+#### 1.11.0-alpha.19
+
+* Upgrade WireGuard outbound to endpoint **1**
+* Fixes and improvements
+
+**1**:
+
+The new WireGuard endpoint combines inbound and outbound capabilities,
+and the old outbound will be removed in sing-box 1.13.0.
+
+See [Endpoint](/configuration/endpoint/), [WireGuard Endpoint](/configuration/endpoint/wireguard/)
+and [Migrate WireGuard outbound fields to route options](/migration/#migrate-wireguard-outbound-to-endpoint).
+
+### 1.10.2
+
+* Add deprecated warnings
+* Fix proxying websocket connections in HTTP/mixed inbounds
+* Fixes and improvements
+
 #### 1.11.0-alpha.18
 
 * Fixes and improvements

docs/configuration/dns/rule.zh.md

@@ -379,7 +379,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
 
 !!! failure "已在 sing-box 1.10.0 废弃"
 
-    `rule_set_ipcidr_match_source` 已重命名为 `rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 移除。
+    `rule_set_ipcidr_match_source` 已重命名为 `rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 中被移除。
 
 使规则集中的 `ip_cidr` 规则匹配源 IP。
 

docs/configuration/endpoint/index.md

@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.11.0"
+
+# Endpoint
+
+Endpoint is protocols that has both inbound and outbound behavior.
+
+### Structure
+
+```json
+{
+  "endpoints": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### Fields
+
+| Type        | Format                    |
+|-------------|---------------------------|
+| `wireguard` | [WireGuard](./wireguard/) |
+
+#### tag
+
+The tag of the endpoint.

docs/configuration/endpoint/index.zh.md

@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.11.0 起"
+
+# 端点
+
+端点是具有入站和出站行为的协议。
+
+### 结构
+
+```json
+{
+  "endpoints": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型          | 格式                        | 
+|-------------|---------------------------|
+| `wireguard` | [WireGuard](./wiregaurd/) | 
+
+#### tag
+
+端点的标签。

docs/configuration/endpoint/wireguard.md

@@ -0,0 +1,133 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.11.0"
+
+### Structure
+
+```json
+{
+  "type": "wireguard",
+  "tag": "wg-ep",
+  
+  "system": false,
+  "name": "",
+  "mtu": 1408,
+  "address": [],
+  "private_key": "",
+  "listen_port": 10000,
+  "peers": [
+    {
+      "address": "127.0.0.1",
+      "port": 10001,
+      "public_key": "",
+      "pre_shared_key": "",
+      "allowed_ips": [],
+      "persistent_keepalive_interval": 0,
+      "reserved": [0, 0, 0]
+    }
+  ],
+  "udp_timeout": "",
+  "workers": 0,
+ 
+  ... // Dial Fields
+}
+```
+
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
+### Fields
+
+#### system
+
+Use system interface.
+
+Requires privilege and cannot conflict with exists system interfaces.
+
+#### name
+
+Custom interface name for system interface.
+
+#### mtu
+
+WireGuard MTU.
+
+`1408` will be used by default.
+
+#### address
+
+==Required==
+
+List of IP (v4 or v6) address prefixes to be assigned to the interface.
+
+#### private_key
+
+==Required==
+
+WireGuard requires base64-encoded public and private keys. These can be generated using the wg(8) utility:
+
+```shell
+wg genkey
+echo "private key" || wg pubkey
+```
+
+or `sing-box generate wg-keypair`.
+
+#### peers
+
+==Required==
+
+List of WireGuard peers.
+
+#### peers.address
+
+WireGuard peer address.
+
+#### peers.port
+
+WireGuard peer port.
+
+#### peers.public_key
+
+==Required==
+
+WireGuard peer public key.
+
+#### peers.pre_shared_key
+
+WireGuard peer pre-shared key.
+
+#### peers.allowed_ips
+
+==Required==
+
+WireGuard allowed IPs.
+
+#### peers.persistent_keepalive_interval
+
+WireGuard persistent keepalive interval, in seconds.
+
+Disabled by default.
+
+#### peers.reserved
+
+WireGuard reserved field bytes.
+
+#### udp_timeout
+
+UDP NAT expiration time.
+
+`5m` will be used by default.
+
+#### workers
+
+WireGuard worker count.
+
+CPU count is used by default.
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial/) for details.

docs/configuration/endpoint/wireguard.zh.md

@@ -0,0 +1,135 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.11.0 起"
+
+### 结构
+
+```json
+{
+  "type": "wireguard",
+  "tag": "wg-ep",
+
+  "system": false,
+  "name": "",
+  "mtu": 1408,
+  "address": [],
+  "private_key": "",
+  "listen_port": 10000,
+  "peers": [
+    {
+      "address": "127.0.0.1",
+      "port": 10001,
+      "public_key": "",
+      "pre_shared_key": "",
+      "allowed_ips": [],
+      "persistent_keepalive_interval": 0,
+      "reserved": [0, 0, 0]
+    }
+  ],
+  "udp_timeout": "",
+  "workers": 0,
+
+  ... // 拨号字段
+}
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+
+### 字段
+
+#### system_interface
+
+使用系统设备。
+
+需要特权且不能与已有系统接口冲突。
+
+#### name
+
+为系统接口自定义设备名称。
+
+#### mtu
+
+WireGuard MTU。
+
+默认使用 1408。
+
+#### address
+
+==必填==
+
+接口的 IPv4/IPv6 地址或地址段的列表您。
+
+要分配给接口的 IP（v4 或 v6）地址段列表。
+
+#### private_key
+
+==必填==
+
+WireGuard 需要 base64 编码的公钥和私钥。 这些可以使用 wg(8) 实用程序生成：
+
+```shell
+wg genkey
+echo "private key" || wg pubkey
+```
+
+或 `sing-box generate wg-keypair`.
+
+#### peers
+
+==必填==
+
+WireGuard 对等方的列表。
+
+#### peers.address
+
+对等方的 IP 地址。
+
+#### peers.port
+
+对等方的 WireGuard 端口。
+
+#### peers.public_key
+
+==必填==
+
+对等方的 WireGuard 公钥。
+
+#### peers.pre_shared_key
+
+对等方的预共享密钥。
+
+#### peers.allowed_ips
+
+==必填==
+
+对等方的允许 IP 地址。
+
+#### peers.persistent_keepalive_interval
+
+对等方的持久性保持活动间隔，以秒为单位。
+
+默认禁用。
+
+#### peers.reserved
+
+对等方的保留字段字节。
+
+#### udp_timeout
+
+UDP NAT 过期时间。
+
+默认使用 `5m`。
+
+#### workers
+
+WireGuard worker 数量。
+
+默认使用 CPU 数量。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。