documentation: Bump version

Add claude code multiplexer service
Fix compatibility with MPTCP
2026-04-14 04:38:28 +10:00 · 2025-10-21 18:23:11 +08:00 · 2025-10-21 18:23:11 +08:00 · 2025-10-18 16:01:43 +08:00 · 2025-10-16 23:25:42 +08:00 · 2025-10-16 22:33:23 +08:00
141 changed files with 4662 additions and 1146 deletions
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,25 +1,27 @@
 #!/usr/bin/env bash

-VERSION="1.23.12"
+VERSION="1.25.3"

 mkdir -p $HOME/go
 cd $HOME/go
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
-mv go go_legacy
-cd go_legacy
+mv go go_win7
+cd go_win7

 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.23.x
-# that means after golang1.24 release it must be changed
-# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
+# this patch file only works on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
 # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"

-curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
+alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
+
+curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
+curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -88,15 +88,11 @@ jobs:
          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }

          - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go123: true, legacy_name: "windows-7" }
+          - { os: windows, arch: amd64, legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: "386" }
-          - { os: windows, arch: "386", legacy_go123: true, legacy_name: "windows-7" }
+          - { os: windows, arch: "386", legacy_win7: true, legacy_name: "windows-7" }
          - { os: windows, arch: arm64 }

-          - { os: darwin, arch: amd64 }
-          - { os: darwin, arch: arm64 }
-          - { os: darwin, arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
-
          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
@@ -110,29 +106,29 @@ jobs:
        if: ${{ ! (matrix.legacy_go123 || matrix.legacy_go124) }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Setup Go 1.24
        if: matrix.legacy_go124
        uses: actions/setup-go@v5
        with:
          go-version: ~1.24.6
-      - name: Cache Go 1.23
-        if: matrix.legacy_go123
-        id: cache-legacy-go
+      - name: Cache Go for Windows 7
+        if: matrix.legacy_win7
+        id: cache-go-for-windows7
        uses: actions/cache@v4
        with:
          path: |
-            ~/go/go_legacy
-          key: go_legacy_12312
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123 && steps.cache-legacy-go.outputs.cache-hit != 'true'
+            ~/go/go_win7
+          key: go_win7_1253
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
        run: |-
-          .github/setup_legacy_go.sh
-      - name: Setup Go 1.23
-        if: matrix.legacy_go123
+          .github/setup_go_for_windows7.sh
+      - name: Setup Go for Windows 7
+        if: matrix.legacy_win7
        run: |-
-          echo "PATH=$HOME/go/go_legacy/bin:$PATH" >> $GITHUB_ENV
-          echo "GOROOT=$HOME/go/go_legacy" >> $GITHUB_ENV
+          echo "PATH=$HOME/go/go_win7/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_win7" >> $GITHUB_ENV
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
@@ -146,7 +142,7 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0'
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
        if: matrix.os != 'android'
@@ -285,6 +281,77 @@ jobs:
        with:
          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
          path: "dist"
+  build_darwin:
+    name: Build Darwin binaries
+    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Binary'
+    runs-on: macos-latest
+    needs:
+      - calculate_version
+    strategy:
+      matrix:
+        include:
+          - { arch: amd64 }
+          - { arch: arm64 }
+          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        if: ${{ ! matrix.legacy_go124 }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ^1.25.3
+      - name: Setup Go 1.24
+        if: matrix.legacy_go124
+        uses: actions/setup-go@v5
+        with:
+          go-version: ~1.24.6
+      - name: Set tag
+        run: |-
+          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
+          git tag v${{ needs.calculate_version.outputs.version }} -f
+      - name: Set build tags
+        run: |
+          set -xeuo pipefail
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0'
+          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
+      - name: Build
+        run: |
+          set -xeuo pipefail
+          mkdir -p dist
+          go build -v -trimpath -o dist/sing-box -tags "${BUILD_TAGS}" \
+          -ldflags '-s -buildid= -X github.com/sagernet/sing-box/constant.Version=${{ needs.calculate_version.outputs.version }} -checklinkname=0' \
+          ./cmd/sing-box
+        env:
+          CGO_ENABLED: "1"
+          GOOS: darwin
+          GOARCH: ${{ matrix.arch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set name
+        run: |-
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-darwin-${{ matrix.arch }}"
+          if [[ -n "${{ matrix.legacy_name }}" ]]; then
+            DIR_NAME="${DIR_NAME}-legacy-${{ matrix.legacy_name }}"
+          fi
+          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+      - name: Archive
+        run: |
+          set -xeuo pipefail
+          cd dist
+          mkdir -p "${DIR_NAME}"
+          cp ../LICENSE "${DIR_NAME}"
+          cp sing-box "${DIR_NAME}"
+          tar -czvf "${DIR_NAME}.tar.gz" "${DIR_NAME}"
+          rm -r "${DIR_NAME}"
+      - name: Cleanup
+        run: rm dist/sing-box
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-darwin_${{ matrix.arch }}${{ matrix.legacy_name && format('-legacy-{0}', matrix.legacy_name) }}
+          path: "dist"
  build_android:
    name: Build Android
    if: github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Android'
@@ -300,7 +367,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -380,7 +447,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -432,7 +499,8 @@ jobs:
          SERVICE_ACCOUNT_CREDENTIALS: ${{ secrets.SERVICE_ACCOUNT_CREDENTIALS }}
  build_apple:
    name: Build Apple clients
-    runs-on: macos-15
+    runs-on: macos-26
+    if: false
    needs:
      - calculate_version
    strategy:
@@ -478,15 +546,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
-      - name: Setup Xcode stable
-        if: matrix.if && github.ref == 'refs/heads/main-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
-      - name: Setup Xcode beta
-        if: matrix.if && github.ref == 'refs/heads/dev-next'
-        run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          go-version: ^1.25.3
      - name: Set tag
        if: matrix.if
        run: |-
@@ -626,6 +686,7 @@ jobs:
    needs:
      - calculate_version
      - build
+      - build_darwin
      - build_android
      - build_apple
    steps:
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -32,7 +32,7 @@ jobs:
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
-          version: latest
+          version: v2.4.0
          args: --timeout=30m
          install-mode: binary
          verify: false
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -30,7 +30,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -71,7 +71,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.25.1
+          go-version: ^1.25.3
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
@@ -85,7 +85,7 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0'
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,6 @@
 .DS_Store
 /config.d/
 /venv/
-
+CLAUDE.md
+AGENTS.md
+/.claude/
--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@@ -1,103 +0,0 @@
-project_name: sing-box
-builds:
-  - id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-    mod_timestamp: '{{ .CommitTimestamp }}'
-snapshot:
-  name_template: "{{ .Version }}.{{ .ShortCommit }}"
-nfpms:
-  - &template
-    id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    conflicts:
-      - sing-box-beta
-  - id: package_beta
-    <<: *template
-    package_name: sing-box-beta
-    file_name_template: '{{ .ProjectName }}-beta_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    formats:
-      - deb
-      - rpm
-    conflicts:
-      - sing-box
-release:
-  disable: true
-furies:
-  - account: sagernet
-    ids:
-      - package
-    disable: "{{ not (not .Prerelease) }}"
-  - account: sagernet
-    ids:
-      - package_beta
-    disable: "{{ not .Prerelease }}"
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,213 +0,0 @@
-version: 2
-project_name: sing-box
-builds:
-  - &template
-    id: main
-    main: ./cmd/sing-box
-    flags:
-      - -v
-      - -trimpath
-    ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }}
-      - -s
-      - -buildid=
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOTOOLCHAIN=local
-    targets:
-      - linux_386
-      - linux_amd64_v1
-      - linux_arm64
-      - linux_arm_6
-      - linux_arm_7
-      - linux_s390x
-      - linux_riscv64
-      - linux_mips64le
-      - windows_amd64_v1
-      - windows_386
-      - windows_arm64
-      - darwin_amd64_v1
-      - darwin_arm64
-    mod_timestamp: '{{ .CommitTimestamp }}'
-  - id: legacy
-    <<: *template
-    tags:
-      - with_gvisor
-      - with_quic
-      - with_dhcp
-      - with_wireguard
-      - with_utls
-      - with_acme
-      - with_clash_api
-      - with_tailscale
-    env:
-      - CGO_ENABLED=0
-      - GOROOT={{ .Env.GOPATH }}/go_legacy
-    tool: "{{ .Env.GOPATH }}/go_legacy/bin/go"
-    targets:
-      - windows_amd64_v1
-      - windows_386
-  - id: android
-    <<: *template
-    env:
-      - CGO_ENABLED=1
-      - GOTOOLCHAIN=local
-    overrides:
-      - goos: android
-        goarch: arm
-        goarm: 7
-        env:
-          - CC=armv7a-linux-androideabi21-clang
-          - CXX=armv7a-linux-androideabi21-clang++
-      - goos: android
-        goarch: arm64
-        env:
-          - CC=aarch64-linux-android21-clang
-          - CXX=aarch64-linux-android21-clang++
-      - goos: android
-        goarch: 386
-        env:
-          - CC=i686-linux-android21-clang
-          - CXX=i686-linux-android21-clang++
-      - goos: android
-        goarch: amd64
-        goamd64: v1
-        env:
-          - CC=x86_64-linux-android21-clang
-          - CXX=x86_64-linux-android21-clang++
-    targets:
-      - android_arm_7
-      - android_arm64
-      - android_386
-      - android_amd64
-archives:
-  - &template
-    id: archive
-    builds:
-      - main
-      - android
-    formats:
-      - tar.gz
-    format_overrides:
-      - goos: windows
-        formats:
-          - zip
-    wrap_in_directory: true
-    files:
-      - LICENSE
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-  - id: archive-legacy
-    <<: *template
-    builds:
-      - legacy
-    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
-nfpms:
-  - id: package
-    package_name: sing-box
-    file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ if and .Mips (not (eq .Mips "hardfloat")) }}_{{ .Mips }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    builds:
-      - main
-    homepage: https://sing-box.sagernet.org/
-    maintainer: nekohasekai <contact-git@sekai.icu>
-    description: The universal proxy platform.
-    license: GPLv3 or later
-    formats:
-      - deb
-      - rpm
-      - archlinux
-#      - apk
-#      - ipk
-    priority: extra
-    contents:
-      - src: release/config/config.json
-        dst: /etc/sing-box/config.json
-        type: "config|noreplace"
-
-      - src: release/config/sing-box.service
-        dst: /usr/lib/systemd/system/sing-box.service
-      - src: release/config/sing-box@.service
-        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf
-
-      - src: release/completions/sing-box.bash
-        dst: /usr/share/bash-completion/completions/sing-box.bash
-      - src: release/completions/sing-box.fish
-        dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-      - src: release/completions/sing-box.zsh
-        dst: /usr/share/zsh/site-functions/_sing-box
-
-      - src: LICENSE
-        dst: /usr/share/licenses/sing-box/LICENSE
-    deb:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-      fields:
-        Bugs: https://github.com/SagerNet/sing-box/issues
-    rpm:
-      signature:
-        key_file: "{{ .Env.NFPM_KEY_PATH }}"
-    overrides:
-      apk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/sing-box.initd
-            dst: /etc/init.d/sing-box
-
-          - src: release/completions/sing-box.bash
-            dst: /usr/share/bash-completion/completions/sing-box.bash
-          - src: release/completions/sing-box.fish
-            dst: /usr/share/fish/vendor_completions.d/sing-box.fish
-          - src: release/completions/sing-box.zsh
-            dst: /usr/share/zsh/site-functions/_sing-box
-
-          - src: LICENSE
-            dst: /usr/share/licenses/sing-box/LICENSE
-      ipk:
-        contents:
-          - src: release/config/config.json
-            dst: /etc/sing-box/config.json
-            type: config
-
-          - src: release/config/openwrt.init
-            dst: /etc/init.d/sing-box
-          - src: release/config/openwrt.conf
-            dst: /etc/config/sing-box
-source:
-  enabled: false
-  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
-  prefix_template: '{{ .ProjectName }}-{{ .Version }}/'
-checksum:
-  disable: true
-  name_template: '{{ .ProjectName }}-{{ .Version }}.checksum'
-signs:
-  - artifacts: checksum
-release:
-  github:
-    owner: SagerNet
-    name: sing-box
-  draft: true
-  prerelease: auto
-  mode: replace
-  ids:
-    - archive
-    - package
-  skip_upload: true
-partial:
-  by: target
--- a/2
+++ b/2
@@ -13,7 +13,7 @@ RUN set -ex \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0" \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid= -checklinkname=0" \
        ./cmd/sing-box
--- a/10
+++ b/10
@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
+TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale,with_ccm,badlinkname,tfogo_checklinkname0

 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
@@ -17,6 +17,10 @@ build:
 	export GOTOOLCHAIN=local && \
 	go build $(MAIN_PARAMS) $(MAIN)

+race:
+	export GOTOOLCHAIN=local && \
+	go build -race $(MAIN_PARAMS) $(MAIN)
+
 ci_build:
 	export GOTOOLCHAIN=local && \
 	go build $(PARAMS) $(MAIN) && \
@@ -34,7 +38,7 @@ fmt:
 	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .

 fmt_install:
-	go install -v mvdan.cc/gofumpt@latest
+	go install -v mvdan.cc/gofumpt@v0.8.0
 	go install -v github.com/daixiang0/gci@latest

 lint:
@@ -45,7 +49,7 @@ lint:
 	GOOS=freebsd golangci-lint run ./...

 lint_install:
-	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0

 proto:
 	@go run ./cmd/internal/protogen
--- a/README.md
+++ b/README.md
@@ -1,3 +1,11 @@
+> Sponsored by [Warp](https://go.warp.dev/sing-box), built for coding with multiple AI agents
+
+<a href="https://go.warp.dev/sing-box">
+<img alt="Warp sponsorship" width="400" src="https://github.com/warpdotdev/brand-assets/raw/refs/heads/main/Github/Sponsor/Warp-Github-LG-02.png">
+</a>
+
+---
+
 # sing-box

 The universal proxy platform.
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -62,7 +62,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=  -checklinkname=0")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -checklinkname=0")

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack", "badlinkname", "tfogo_checklinkname0")
 	macOSTags = append(macOSTags, "with_dhcp")
 	memcTags = append(memcTags, "with_tailscale")
 	notMemcTags = append(notMemcTags, "with_low_memory")
@@ -107,10 +107,8 @@ func buildAndroid() {
 	}

 	if !debugEnabled {
-		// sharedFlags[3] = sharedFlags[3] + " -checklinkname=0"
 		args = append(args, sharedFlags...)
 	} else {
-		// debugFlags[1] = debugFlags[1] + " -checklinkname=0"
 		args = append(args, debugFlags...)
 	}

--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@@ -22,7 +22,7 @@ func initializeHTTP3Client(instance *box.Box) error {
 	}
 	http3Client = &http.Client{
 		Transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 				destination := M.ParseSocksaddr(addr)
 				udpConn, dErr := dialer.DialContext(ctx, N.NetworkUDP, destination)
 				if dErr != nil {
--- a/common/badtls/raw_conn.go
+++ b/common/badtls/raw_conn.go
@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname

 package badtls

--- a/common/badtls/raw_half_conn.go
+++ b/common/badtls/raw_half_conn.go
@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname

 package badtls

--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname

 package badtls

--- a/common/badtls/read_wait_stub.go
+++ b/common/badtls/read_wait_stub.go
@@ -1,4 +1,4 @@
-//go:build !go1.25 || without_badtls
+//go:build !go1.25 || !badlinkname

 package badtls

--- a/common/badtls/registry.go
+++ b/common/badtls/registry.go
@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname

 package badtls

--- a/common/badtls/registry_utls.go
+++ b/common/badtls/registry_utls.go
@@ -1,4 +1,4 @@
-//go:build go1.25 && !without_badtls
+//go:build go1.25 && badlinkname

 package badtls

--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"

 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@@ -21,6 +22,7 @@ import (
 var _ adapter.CertificateStore = (*Store)(nil)

 type Store struct {
+	access                    sync.RWMutex
 	systemPool                *x509.CertPool
 	currentPool               *x509.CertPool
 	certificate               string
@@ -115,10 +117,14 @@ func (s *Store) Close() error {
 }

 func (s *Store) Pool() *x509.CertPool {
+	s.access.RLock()
+	defer s.access.RUnlock()
 	return s.currentPool
 }

 func (s *Store) update() error {
+	s.access.Lock()
+	defer s.access.Unlock()
 	var currentPool *x509.CertPool
 	if s.systemPool == nil {
 		currentPool = x509.NewCertPool()
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -20,6 +20,8 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"
+
+	"github.com/database64128/tfo-go/v2"
 )

 var (
@@ -28,8 +30,8 @@ var (
 )

 type DefaultDialer struct {
-	dialer4                tcpDialer
-	dialer6                tcpDialer
+	dialer4                tfo.Dialer
+	dialer6                tfo.Dialer
 	udpDialer4             net.Dialer
 	udpDialer6             net.Dialer
 	udpListener            net.ListenConfig
@@ -177,19 +179,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
 	if options.TCPMultiPath {
-		if !go121Available {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&dialer4)
-	}
-	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
-	if err != nil {
-		return nil, err
-	}
-	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
-	if err != nil {
-		return nil, err
+		dialer4.SetMultipathTCP(true)
 	}
+	tcpDialer4 := tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen}
+	tcpDialer6 := tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen}
 	return &DefaultDialer{
 		dialer4:                tcpDialer4,
 		dialer6:                tcpDialer6,
@@ -269,7 +262,7 @@ func (d *DefaultDialer) DialParallelInterface(ctx context.Context, network strin
 	}
 	var dialer net.Dialer
 	if N.NetworkName(network) == N.NetworkTCP {
-		dialer = dialerFromTCPDialer(d.dialer4)
+		dialer = d.dialer4.Dialer
 	} else {
 		dialer = d.udpDialer4
 	}
@@ -317,9 +310,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd

 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return dialerFromTCPDialer(d.dialer6)
+		return d.dialer6.Dialer
 	} else {
-		return dialerFromTCPDialer(d.dialer4)
+		return d.dialer4.Dialer
 	}
 }

@@ -356,18 +349,8 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 	return trackPacketConn(packetConn, nil)
 }

-func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	udpListener := d.udpListener
-	udpListener.Control = control.Append(udpListener.Control, func(network, address string, conn syscall.RawConn) error {
-		for _, wgControlFn := range WgControlFns {
-			err := wgControlFn(network, address, conn)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	return udpListener.ListenPacket(context.Background(), network, address)
+func (d *DefaultDialer) WireGuardControl() control.Func {
+	return d.udpListener.Control
 }

 func trackConn(conn net.Conn, err error) (net.Conn, error) {
--- a/common/dialer/default_go1.20.go
+++ b/common/dialer/default_go1.20.go
@@ -1,19 +0,0 @@
-//go:build go1.20
-
-package dialer
-
-import (
-	"net"
-
-	"github.com/metacubex/tfo-go"
-)
-
-type tcpDialer = tfo.Dialer
-
-func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
-	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
-}
-
-func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
-	return dialer.Dialer
-}
--- a/common/dialer/default_go1.21.go
+++ b/common/dialer/default_go1.21.go
@@ -1,11 +0,0 @@
-//go:build go1.21
-
-package dialer
-
-import "net"
-
-const go121Available = true
-
-func setMultiPathTCP(dialer *net.Dialer) {
-	dialer.SetMultipathTCP(true)
-}
--- a/common/dialer/default_nongo1.20.go
+++ b/common/dialer/default_nongo1.20.go
@@ -1,22 +0,0 @@
-//go:build !go1.20
-
-package dialer
-
-import (
-	"net"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type tcpDialer = net.Dialer
-
-func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
-	if tfoEnabled {
-		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
-	}
-	return dialer, nil
-}
-
-func dialerFromTCPDialer(dialer tcpDialer) net.Dialer {
-	return dialer
-}
--- a/common/dialer/default_nongo1.21.go
+++ b/common/dialer/default_nongo1.21.go
@@ -1,12 +0,0 @@
-//go:build !go1.21
-
-package dialer
-
-import (
-	"net"
-)
-
-const go121Available = false
-
-func setMultiPathTCP(dialer *net.Dialer) {
-}
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -1,5 +1,3 @@
-//go:build go1.20
-
 package dialer

 import (
@@ -16,7 +14,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

-	"github.com/metacubex/tfo-go"
+	"github.com/database64128/tfo-go/v2"
 )

 type slowOpenConn struct {
@@ -32,7 +30,7 @@ type slowOpenConn struct {
 	err         error
 }

-func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:
--- a/common/dialer/tfo_stub.go
+++ b/common/dialer/tfo_stub.go
@@ -1,20 +0,0 @@
-//go:build !go1.20
-
-package dialer
-
-import (
-	"context"
-	"net"
-
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP, N.NetworkUDP:
-		return dialer.DialContext(ctx, network, destination.String())
-	default:
-		return dialer.DialContext(ctx, network, destination.AddrString())
-	}
-}
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@@ -1,13 +1,9 @@
 package dialer

 import (
-	"net"
-
 	"github.com/sagernet/sing/common/control"
 )

 type WireGuardListener interface {
-	ListenPacketCompat(network, address string) (net.PacketConn, error)
+	WireGuardControl() control.Func
 }
-
-var WgControlFns []control.Func
--- a/common/ktls/ktls.go
+++ b/common/ktls/ktls.go
@@ -1,4 +1,4 @@
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_alert.go
+++ b/common/ktls/ktls_alert.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_cipher_suites_linux.go
+++ b/common/ktls/ktls_cipher_suites_linux.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_close.go
+++ b/common/ktls/ktls_close.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_const.go
+++ b/common/ktls/ktls_const.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_handshake_messages.go
+++ b/common/ktls/ktls_handshake_messages.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_key_update.go
+++ b/common/ktls/ktls_key_update.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_linux.go
+++ b/common/ktls/ktls_linux.go
@@ -1,4 +1,4 @@
-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_prf.go
+++ b/common/ktls/ktls_prf.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_read_wait.go
+++ b/common/ktls/ktls_read_wait.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/ktls/ktls_stub_nolinkname.go
+++ b/common/ktls/ktls_stub_nolinkname.go
@@ -0,0 +1,15 @@
+//go:build linux && go1.25 && !badlinkname
+
+package ktls
+
+import (
+	"context"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	return nil, E.New("kTLS requires build flags `badlinkname` and `-ldflags=-checklinkname=0`, please recompile your binary")
+}
--- a/common/ktls/ktls_stub_nonlinux.go
+++ b/common/ktls/ktls_stub_nonlinux.go
@@ -1,15 +1,15 @@
-//go:build !linux || !go1.25 || without_badtls
+//go:build !linux

 package ktls

 import (
 	"context"
-	"os"

+	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	aTLS "github.com/sagernet/sing/common/tls"
 )

 func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
-	return nil, os.ErrInvalid
+	return nil, E.New("kTLS is only supported on Linux")
 }
--- a/common/ktls/ktls_stub_oldgo.go
+++ b/common/ktls/ktls_stub_oldgo.go
@@ -0,0 +1,15 @@
+//go:build linux && !go1.25
+
+package ktls
+
+import (
+	"context"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+func NewConn(ctx context.Context, logger logger.ContextLogger, conn aTLS.Conn, txOffload, rxOffload bool) (aTLS.Conn, error) {
+	return nil, E.New("kTLS requires Go 1.25 or later, please recompile your binary")
+}
--- a/common/ktls/ktls_write.go
+++ b/common/ktls/ktls_write.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && go1.25 && !without_badtls
+//go:build linux && go1.25 && badlinkname

 package ktls

--- a/common/listener/listener_go121.go
+++ b/common/listener/listener_go121.go
@@ -1,11 +0,0 @@
-//go:build go1.21
-
-package listener
-
-import "net"
-
-const go121Available = true
-
-func setMultiPathTCP(listenConfig *net.ListenConfig) {
-	listenConfig.SetMultipathTCP(true)
-}
--- a/common/listener/listener_go123.go
+++ b/common/listener/listener_go123.go
@@ -1,16 +0,0 @@
-//go:build go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAliveConfig = net.KeepAliveConfig{
-		Enable:   true,
-		Idle:     idle,
-		Interval: interval,
-	}
-}
--- a/common/listener/listener_nongo121.go
+++ b/common/listener/listener_nongo121.go
@@ -1,10 +0,0 @@
-//go:build !go1.21
-
-package listener
-
-import "net"
-
-const go121Available = false
-
-func setMultiPathTCP(listenConfig *net.ListenConfig) {
-}
--- a/common/listener/listener_nongo123.go
+++ b/common/listener/listener_nongo123.go
@@ -1,15 +0,0 @@
-//go:build !go1.23
-
-package listener
-
-import (
-	"net"
-	"time"
-
-	"github.com/sagernet/sing/common/control"
-)
-
-func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
-	listener.KeepAlive = idle
-	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
-}
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@@ -17,7 +17,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"

-	"github.com/metacubex/tfo-go"
+	"github.com/database64128/tfo-go/v2"
 )

 func (l *Listener) ListenTCP() (net.Listener, error) {
@@ -46,13 +46,14 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		if keepInterval == 0 {
 			keepInterval = C.TCPKeepAliveInterval
 		}
-		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
+		listenConfig.KeepAliveConfig = net.KeepAliveConfig{
+			Enable:   true,
+			Idle:     keepIdle,
+			Interval: keepInterval,
+		}
 	}
 	if l.listenOptions.TCPMultiPath {
-		if !go121Available {
-			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
-		}
-		setMultiPathTCP(&listenConfig)
+		listenConfig.SetMultipathTCP(true)
 	}
 	if l.tproxy {
 		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -119,21 +119,19 @@ func (d *defaultDialer) dialContext(ctx context.Context, destination M.Socksaddr
 	if err != nil {
 		return nil, err
 	}
-	tlsConn, err := ClientHandshake(ctx, conn, d.config)
-	if err == nil {
-		return tlsConn, nil
-	}
-	conn.Close()
-	if echRetry {
+	tlsConn, err := aTLS.ClientHandshake(ctx, conn, d.config)
+	if err != nil {
+		conn.Close()
 		var echErr *tls.ECHRejectionError
-		if errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
+		if echRetry && errors.As(err, &echErr) && len(echErr.RetryConfigList) > 0 {
 			if echConfig, isECH := d.config.(ECHCapableConfig); isECH {
 				echConfig.SetECHConfigList(echErr.RetryConfigList)
+				return d.dialContext(ctx, destination, false)
 			}
 		}
-		return d.dialContext(ctx, destination, false)
+		return nil, err
 	}
-	return nil, err
+	return tlsConn, nil
 }

 func (d *defaultDialer) Upstream() any {
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -69,11 +69,7 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	} else {
 		return E.New("missing ECH keys")
 	}
-	block, rest := pem.Decode(echKey)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return E.New("invalid ECH keys pem")
-	}
-	echKeys, err := UnmarshalECHKeys(block.Bytes)
+	echKeys, err := parseECHKeys(echKey)
 	if err != nil {
 		return E.Cause(err, "parse ECH keys")
 	}
@@ -85,21 +81,29 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return nil
 }

-func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
-	echKey, err := os.ReadFile(echKeyPath)
+func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
+	echKeys, err := parseECHKeys(echKey)
 	if err != nil {
-		return E.Cause(err, "reload ECH keys from ", echKeyPath)
+		return err
 	}
+	c.access.Lock()
+	config := c.config.Clone()
+	config.EncryptedClientHelloKeys = echKeys
+	c.config = config
+	c.access.Unlock()
+	return nil
+}
+
+func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {
-		return E.New("invalid ECH keys pem")
+		return nil, E.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
-		return E.Cause(err, "parse ECH keys")
+		return nil, E.Cause(err, "parse ECH keys")
 	}
-	tlsConfig.EncryptedClientHelloKeys = echKeys
-	return nil
+	return echKeys, nil
 }

 type ECHClientConfig struct {
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -1,23 +0,0 @@
-//go:build !go1.24
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New("ECH requires go1.24, please recompile your binary.")
-}
-
-func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
-	return E.New("ECH requires go1.24, please recompile your binary.")
-}
-
-func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
-	return E.New("ECH requires go1.24, please recompile your binary.")
-}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -68,7 +68,10 @@ func NewRealityServer(ctx context.Context, logger log.ContextLogger, options opt
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if len(options.Certificate) > 0 || options.CertificatePath != "" {
+	if len(options.CurvePreferences) > 0 {
+		return nil, E.New("curve preferences is unavailable in reality")
+	}
+	if len(options.Certificate) > 0 || options.CertificatePath != "" || len(options.ClientCertificatePublicKeySHA256) > 0 {
 		return nil, E.New("certificate is unavailable in reality")
 	}
 	if len(options.Key) > 0 || options.KeyPath != "" {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -1,9 +1,12 @@
 package tls

 import (
+	"bytes"
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"net"
 	"os"
 	"strings"
@@ -108,6 +111,15 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 			return err
 		}
 	}
+	if len(options.CertificatePublicKeySHA256) > 0 {
+		if len(options.Certificate) > 0 || options.CertificatePath != "" {
+			return nil, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
+		}
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
+		}
+	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN
 	}
@@ -137,6 +149,9 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
+	for _, curve := range options.CurvePreferences {
+		tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveID(curve))
+	}
 	var certificate []byte
 	if len(options.Certificate) > 0 {
 		certificate = []byte(strings.Join(options.Certificate, "\n"))
@@ -154,6 +169,35 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	var clientCertificate []byte
+	if len(options.ClientCertificate) > 0 {
+		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
+	} else if options.ClientCertificatePath != "" {
+		content, err := os.ReadFile(options.ClientCertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read client certificate")
+		}
+		clientCertificate = content
+	}
+	var clientKey []byte
+	if len(options.ClientKey) > 0 {
+		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
+	} else if options.ClientKeyPath != "" {
+		content, err := os.ReadFile(options.ClientKeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read client key")
+		}
+		clientKey = content
+	}
+	if len(clientCertificate) > 0 && len(clientKey) > 0 {
+		keyPair, err := tls.X509KeyPair(clientCertificate, clientKey)
+		if err != nil {
+			return nil, E.Cause(err, "parse client x509 key pair")
+		}
+		tlsConfig.Certificates = []tls.Certificate{keyPair}
+	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
+		return nil, E.New("client certificate and client key must be provided together")
+	}
 	var config Config = &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
 		var err error
@@ -175,3 +219,22 @@ func NewSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 	}
 	return config, nil
 }
+
+func verifyPublicKeySHA256(knownHashValues [][]byte, rawCerts [][]byte, timeFunc func() time.Time) error {
+	leafCertificate, err := x509.ParseCertificate(rawCerts[0])
+	if err != nil {
+		return E.Cause(err, "failed to parse leaf certificate")
+	}
+
+	pubKeyBytes, err := x509.MarshalPKIXPublicKey(leafCertificate.PublicKey)
+	if err != nil {
+		return E.Cause(err, "failed to marshal public key")
+	}
+	hashValue := sha256.Sum256(pubKeyBytes)
+	for _, value := range knownHashValues {
+		if bytes.Equal(value, hashValue[:]) {
+			return nil
+		}
+	}
+	return E.New("unrecognized remote public key: ", base64.StdEncoding.EncodeToString(hashValue[:]))
+}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -3,9 +3,11 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"net"
 	"os"
 	"strings"
+	"sync"
 	"time"

 	"github.com/sagernet/fswatch"
@@ -21,26 +23,36 @@ import (
 var errInsecureUnused = E.New("tls: insecure unused")

 type STDServerConfig struct {
-	config          *tls.Config
-	logger          log.Logger
-	acmeService     adapter.SimpleLifecycle
-	certificate     []byte
-	key             []byte
-	certificatePath string
-	keyPath         string
-	echKeyPath      string
-	watcher         *fswatch.Watcher
+	access                sync.RWMutex
+	config                *tls.Config
+	logger                log.Logger
+	acmeService           adapter.SimpleLifecycle
+	certificate           []byte
+	key                   []byte
+	certificatePath       string
+	keyPath               string
+	clientCertificatePath []string
+	echKeyPath            string
+	watcher               *fswatch.Watcher
 }

 func (c *STDServerConfig) ServerName() string {
+	c.access.RLock()
+	defer c.access.RUnlock()
 	return c.config.ServerName
 }

 func (c *STDServerConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+	c.access.Lock()
+	defer c.access.Unlock()
+	config := c.config.Clone()
+	config.ServerName = serverName
+	c.config = config
 }

 func (c *STDServerConfig) NextProtos() []string {
+	c.access.RLock()
+	defer c.access.RUnlock()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
 	} else {
@@ -49,11 +61,15 @@ func (c *STDServerConfig) NextProtos() []string {
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
+	c.access.Lock()
+	defer c.access.Unlock()
+	config := c.config.Clone()
 	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
-		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
-		c.config.NextProtos = nextProto
+		config.NextProtos = nextProto
 	}
+	c.config = config
 }

 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
@@ -78,9 +94,6 @@ func (c *STDServerConfig) Start() error {
 	if c.acmeService != nil {
 		return c.acmeService.Start()
 	} else {
-		if c.certificatePath == "" && c.keyPath == "" {
-			return nil
-		}
 		err := c.startWatcher()
 		if err != nil {
 			c.logger.Warn("create fsnotify watcher: ", err)
@@ -100,6 +113,12 @@ func (c *STDServerConfig) startWatcher() error {
 	if c.echKeyPath != "" {
 		watchPath = append(watchPath, c.echKeyPath)
 	}
+	if len(c.clientCertificatePath) > 0 {
+		watchPath = append(watchPath, c.clientCertificatePath...)
+	}
+	if len(watchPath) == 0 {
+		return nil
+	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
@@ -139,10 +158,42 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 		if err != nil {
 			return E.Cause(err, "reload key pair")
 		}
-		c.config.Certificates = []tls.Certificate{keyPair}
+		c.access.Lock()
+		config := c.config.Clone()
+		config.Certificates = []tls.Certificate{keyPair}
+		c.config = config
+		c.access.Unlock()
 		c.logger.Info("reloaded TLS certificate")
+	} else if common.Contains(c.clientCertificatePath, path) {
+		clientCertificateCA := x509.NewCertPool()
+		var reloaded bool
+		for _, certPath := range c.clientCertificatePath {
+			content, err := os.ReadFile(certPath)
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload certificate from ", c.clientCertificatePath))
+				continue
+			}
+			if !clientCertificateCA.AppendCertsFromPEM(content) {
+				c.logger.Error(E.New("invalid client certificate file: ", certPath))
+				continue
+			}
+			reloaded = true
+		}
+		if !reloaded {
+			return E.New("client certificates is empty")
+		}
+		c.access.Lock()
+		config := c.config.Clone()
+		config.ClientCAs = clientCertificateCA
+		c.config = config
+		c.access.Unlock()
+		c.logger.Info("reloaded client certificates")
 	} else if path == c.echKeyPath {
-		err := reloadECHKeys(c.echKeyPath, c.config)
+		echKey, err := os.ReadFile(c.echKeyPath)
+		if err != nil {
+			return E.Cause(err, "reload ECH keys from ", c.echKeyPath)
+		}
+		err = c.setECHServerConfig(echKey)
 		if err != nil {
 			return err
 		}
@@ -213,8 +264,14 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	var certificate []byte
-	var key []byte
+	for _, curveID := range options.CurvePreferences {
+		tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveID(curveID))
+	}
+	tlsConfig.ClientAuth = tls.ClientAuthType(options.ClientAuthentication)
+	var (
+		certificate []byte
+		key         []byte
+	)
 	if acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
@@ -256,6 +313,43 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 	}
+	if len(options.ClientCertificate) > 0 || len(options.ClientCertificatePath) > 0 {
+		if tlsConfig.ClientAuth == tls.NoClientCert {
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		}
+	}
+	if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
+		if len(options.ClientCertificate) > 0 {
+			clientCertificateCA := x509.NewCertPool()
+			if !clientCertificateCA.AppendCertsFromPEM([]byte(strings.Join(options.ClientCertificate, "\n"))) {
+				return nil, E.New("invalid client certificate strings")
+			}
+			tlsConfig.ClientCAs = clientCertificateCA
+		} else if len(options.ClientCertificatePath) > 0 {
+			clientCertificateCA := x509.NewCertPool()
+			for _, path := range options.ClientCertificatePath {
+				content, err := os.ReadFile(path)
+				if err != nil {
+					return nil, E.Cause(err, "read client certificate from ", path)
+				}
+				if !clientCertificateCA.AppendCertsFromPEM(content) {
+					return nil, E.New("invalid client certificate file: ", path)
+				}
+			}
+			tlsConfig.ClientCAs = clientCertificateCA
+		} else if len(options.ClientCertificatePublicKeySHA256) > 0 {
+			if tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert {
+				tlsConfig.ClientAuth = tls.RequireAnyClientCert
+			} else if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven {
+				tlsConfig.ClientAuth = tls.RequestClientCert
+			}
+			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+				return verifyPublicKeySHA256(options.ClientCertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
+			}
+		} else {
+			return nil, E.New("missing client_certificate, client_certificate_path or client_certificate_public_key_sha256 for client authentication")
+		}
+	}
 	var echKeyPath string
 	if options.ECH != nil && options.ECH.Enabled {
 		err = parseECHServerConfig(ctx, options, tlsConfig, &echKeyPath)
@@ -263,16 +357,23 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 			return nil, err
 		}
 	}
-	var config ServerConfig = &STDServerConfig{
-		config:          tlsConfig,
-		logger:          logger,
-		acmeService:     acmeService,
-		certificate:     certificate,
-		key:             key,
-		certificatePath: options.CertificatePath,
-		keyPath:         options.KeyPath,
-		echKeyPath:      echKeyPath,
+	serverConfig := &STDServerConfig{
+		config:                tlsConfig,
+		logger:                logger,
+		acmeService:           acmeService,
+		certificate:           certificate,
+		key:                   key,
+		certificatePath:       options.CertificatePath,
+		clientCertificatePath: options.ClientCertificatePath,
+		keyPath:               options.KeyPath,
+		echKeyPath:            echKeyPath,
 	}
+	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
+		serverConfig.access.Lock()
+		defer serverConfig.access.Unlock()
+		return serverConfig.config, nil
+	}
+	var config ServerConfig = serverConfig
 	if options.KernelTx || options.KernelRx {
 		if !C.IsLinux {
 			return nil, E.New("kTLS is only supported on Linux")
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -167,6 +167,15 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.InsecureServerNameToVerify = serverName
 	}
+	if len(options.CertificatePublicKeySHA256) > 0 {
+		if len(options.Certificate) > 0 || options.CertificatePath != "" {
+			return nil, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
+		}
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return verifyPublicKeySHA256(options.CertificatePublicKeySHA256, rawCerts, tlsConfig.Time)
+		}
+	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN
 	}
@@ -213,6 +222,35 @@ func NewUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	var clientCertificate []byte
+	if len(options.ClientCertificate) > 0 {
+		clientCertificate = []byte(strings.Join(options.ClientCertificate, "\n"))
+	} else if options.ClientCertificatePath != "" {
+		content, err := os.ReadFile(options.ClientCertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read client certificate")
+		}
+		clientCertificate = content
+	}
+	var clientKey []byte
+	if len(options.ClientKey) > 0 {
+		clientKey = []byte(strings.Join(options.ClientKey, "\n"))
+	} else if options.ClientKeyPath != "" {
+		content, err := os.ReadFile(options.ClientKeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read client key")
+		}
+		clientKey = content
+	}
+	if len(clientCertificate) > 0 && len(clientKey) > 0 {
+		keyPair, err := utls.X509KeyPair(clientCertificate, clientKey)
+		if err != nil {
+			return nil, E.Cause(err, "parse client x509 key pair")
+		}
+		tlsConfig.Certificates = []utls.Certificate{keyPair}
+	} else if len(clientCertificate) > 0 || len(clientKey) > 0 {
+		return nil, E.New("client certificate and client key must be provided together")
+	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -46,15 +46,15 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *adapter.URLTestHistory
 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
 	delete(s.delayHistory, tag)
-	s.access.Unlock()
 	s.notifyUpdated()
+	s.access.Unlock()
 }

 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *adapter.URLTestHistory) {
 	s.access.Lock()
 	s.delayHistory[tag] = history
-	s.access.Unlock()
 	s.notifyUpdated()
+	s.access.Unlock()
 }

 func (s *HistoryStorage) notifyUpdated() {
@@ -68,6 +68,8 @@ func (s *HistoryStorage) notifyUpdated() {
 }

 func (s *HistoryStorage) Close() error {
+	s.access.Lock()
+	defer s.access.Unlock()
 	s.updateHook = nil
 	return nil
 }
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -28,6 +28,7 @@ const (
 	TypeDERP         = "derp"
 	TypeResolved     = "resolved"
 	TypeSSMAPI       = "ssm-api"
+	TypeCCM          = "ccm"
 )

 const (
--- a/dns/client.go
+++ b/dns/client.go
@@ -95,6 +95,20 @@ func (c *Client) Start() {
 	}
 }

+func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
+	for _, record := range response.Ns {
+		if soa, isSOA := record.(*dns.SOA); isSOA {
+			soaTTL := soa.Header().Ttl
+			soaMinimum := soa.Minttl
+			if soaTTL < soaMinimum {
+				return soaTTL, true
+			}
+			return soaMinimum, true
+		}
+	}
+	return 0, false
+}
+
 func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
@@ -214,6 +228,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			response.Answer = append(response.Answer, validResponse.Answer...)
 		}
 	}*/
+	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
 		// TODO: add accept_any rule and support to check response instead of addresses
@@ -250,10 +265,17 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	var timeToLive uint32
-	for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
-		for _, record := range recordList {
-			if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
-				timeToLive = record.Header().Ttl
+	if len(response.Answer) == 0 {
+		if soaTTL, hasSOA := extractNegativeTTL(response); hasSOA {
+			timeToLive = soaTTL
+		}
+	}
+	if timeToLive == 0 {
+		for _, recordList := range [][]dns.RR{response.Answer, response.Ns, response.Extra} {
+			for _, record := range recordList {
+				if timeToLive == 0 || record.Header().Ttl > 0 && record.Header().Ttl < timeToLive {
+					timeToLive = record.Header().Ttl
+				}
 			}
 		}
 	}
@@ -280,7 +302,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		}
 	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
-	return response, err
+	return response, nil
 }

 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
@@ -363,14 +385,18 @@ func (c *Client) LookupCache(domain string, strategy C.DomainStrategy) ([]netip.
 			Qtype:  dns.TypeA,
 			Qclass: dns.ClassINET,
 		}, nil)
+		if response4 == nil {
+			return nil, false
+		}
 		response6, _ := c.loadResponse(dns.Question{
 			Name:   dnsName,
 			Qtype:  dns.TypeAAAA,
 			Qclass: dns.ClassINET,
 		}, nil)
-		if response4 != nil || response6 != nil {
-			return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
+		if response6 == nil {
+			return nil, false
 		}
+		return sortAddresses(MessageToAddresses(response4), MessageToAddresses(response6), strategy), true
 	}
 	return nil, false
 }
--- a/dns/client_truncate.go
+++ b/dns/client_truncate.go
@@ -15,8 +15,7 @@ func TruncateDNSMessage(request *dns.Msg, response *dns.Msg, headroom int) (*buf
 	}
 	responseLen := response.Len()
 	if responseLen > maxLen {
-		copyResponse := *response
-		response = &copyResponse
+		response = response.Copy()
 		response.Truncate(maxLen)
 	}
 	buffer := buf.NewSize(headroom*2 + 1 + responseLen)
--- a/dns/rcode.go
+++ b/dns/rcode.go
@@ -5,6 +5,7 @@ import (
 )

 const (
+	RcodeSuccess     RcodeError = mDNS.RcodeSuccess
 	RcodeFormatError RcodeError = mDNS.RcodeFormatError
 	RcodeNameError   RcodeError = mDNS.RcodeNameError
 	RcodeRefused     RcodeError = mDNS.RcodeRefused
--- a/dns/router.go
+++ b/dns/router.go
@@ -386,12 +386,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
-					switch action.Method {
-					case C.RuleActionRejectMethodDefault:
-						return nil, nil
-					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
-					}
+					return nil, &R.RejectedError{Cause: action.Error(ctx)}
 				case *R.RuleActionPredefined:
 					if action.Rcode != mDNS.RcodeSuccess {
 						err = RcodeError(action.Rcode)
--- a/dns/transport/dhcp/dhcp.go
+++ b/dns/transport/dhcp/dhcp.go
@@ -2,10 +2,13 @@ package dhcp

 import (
 	"context"
+	"errors"
+	"io"
 	"net"
 	"runtime"
 	"strings"
 	"sync"
+	"syscall"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -195,7 +198,17 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *control.Interface)
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
+	var (
+		packetConn net.PacketConn
+		err        error
+	)
+	for i := 0; i < 5; i++ {
+		packetConn, err = listener.ListenPacket(t.ctx, "udp4", listenAddr)
+		if err == nil || !errors.Is(err, syscall.EADDRINUSE) {
+			break
+		}
+		time.Sleep(time.Second)
+	}
 	if err != nil {
 		return err
 	}
@@ -232,6 +245,9 @@ func (t *Transport) fetchServersResponse(iface *control.Interface, packetConn ne
 	for {
 		_, _, err := buffer.ReadPacketFrom(packetConn)
 		if err != nil {
+			if errors.Is(err, io.ErrShortBuffer) {
+				continue
+			}
 			return err
 		}

--- a/dns/transport/dhcp/dhcp_shared.go
+++ b/dns/transport/dhcp/dhcp_shared.go
@@ -2,12 +2,13 @@ package dhcp

 import (
 	"context"
+	"errors"
 	"math/rand"
 	"strings"
-	"time"
+	"syscall"

-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -43,7 +44,7 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 			if response.Rcode != mDNS.RcodeSuccess {
 				err = dns.RcodeError(response.Rcode)
 			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = E.New(fqdn, ": empty result")
+				err = dns.RcodeSuccess
 			}
 		}
 		select {
@@ -83,7 +84,7 @@ func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn
 			server := servers[j]
 			question := message.Question[0]
 			question.Name = fqdn
-			response, err := t.exchangeOne(ctx, server, question, C.DNSTimeout, false, true)
+			response, err := t.exchangeOne(ctx, server, question)
 			if err != nil {
 				lastErr = err
 				continue
@@ -94,62 +95,77 @@ func (t *Transport) tryOneName(ctx context.Context, servers []M.Socksaddr, fqdn
 	return nil, E.Cause(lastErr, fqdn)
 }

-func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question, timeout time.Duration, useTCP, ad bool) (*mDNS.Msg, error) {
+func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, question mDNS.Question) (*mDNS.Msg, error) {
 	if server.Port == 0 {
 		server.Port = 53
 	}
-	var networks []string
-	if useTCP {
-		networks = []string{N.NetworkTCP}
-	} else {
-		networks = []string{N.NetworkUDP, N.NetworkTCP}
-	}
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			Id:                uint16(rand.Uint32()),
 			RecursionDesired:  true,
-			AuthenticatedData: ad,
+			AuthenticatedData: true,
 		},
 		Question: []mDNS.Question{question},
 		Compress: true,
 	}
 	request.SetEdns0(buf.UDPBufferSize, false)
+	return t.exchangeUDP(ctx, server, request)
+}
+
+func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		conn.SetDeadline(deadline)
+	}
 	buffer := buf.Get(buf.UDPBufferSize)
 	defer buf.Put(buffer)
-	for _, network := range networks {
-		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
-		defer cancel()
-		conn, err := t.dialer.DialContext(ctx, network, server)
-		if err != nil {
-			return nil, err
-		}
-		defer conn.Close()
-		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-			conn.SetDeadline(deadline)
-		}
-		rawMessage, err := request.PackBuffer(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "pack request")
-		}
-		_, err = conn.Write(rawMessage)
-		if err != nil {
-			return nil, E.Cause(err, "write request")
-		}
-		n, err := conn.Read(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "read response")
-		}
-		var response mDNS.Msg
-		err = response.Unpack(buffer[:n])
-		if err != nil {
-			return nil, E.Cause(err, "unpack response")
-		}
-		if response.Truncated && network == N.NetworkUDP {
-			continue
-		}
-		return &response, nil
+	rawMessage, err := request.PackBuffer(buffer)
+	if err != nil {
+		return nil, E.Cause(err, "pack request")
 	}
-	panic("unexpected")
+	_, err = conn.Write(rawMessage)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request)
+		}
+		return nil, E.Cause(err, "write request")
+	}
+	n, err := conn.Read(buffer)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request)
+		}
+		return nil, E.Cause(err, "read response")
+	}
+	var response mDNS.Msg
+	err = response.Unpack(buffer[:n])
+	if err != nil {
+		return nil, E.Cause(err, "unpack response")
+	}
+	if response.Truncated {
+		return t.exchangeTCP(ctx, server, request)
+	}
+	return &response, nil
+}
+
+func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		conn.SetDeadline(deadline)
+	}
+	err = transport.WriteMessage(conn, 0, request)
+	if err != nil {
+		return nil, err
+	}
+	return transport.ReadMessage(conn)
 }

 func (t *Transport) nameList(name string) []string {
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -25,7 +25,6 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
 	sHTTP "github.com/sagernet/sing/protocol/http"

 	mDNS "github.com/miekg/dns"
@@ -47,7 +46,7 @@ type HTTPSTransport struct {
 	destination      *url.URL
 	headers          http.Header
 	transportAccess  sync.Mutex
-	transport        *http.Transport
+	transport        *HTTPSTransportWrapper
 	transportResetAt time.Time
 }

@@ -62,11 +61,8 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if err != nil {
 		return nil, err
 	}
-	if common.Error(tlsConfig.STDConfig()) == nil && !common.Contains(tlsConfig.NextProtos(), http2.NextProtoTLS) {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), http2.NextProtoTLS))
-	}
-	if !common.Contains(tlsConfig.NextProtos(), "http/1.1") {
-		tlsConfig.SetNextProtos(append(tlsConfig.NextProtos(), "http/1.1"))
+	if len(tlsConfig.NextProtos()) == 0 {
+		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS, "http/1.1"})
 	}
 	headers := options.Headers.Build()
 	host := headers.Get("Host")
@@ -124,37 +120,13 @@ func NewHTTPSRaw(
 	serverAddr M.Socksaddr,
 	tlsConfig tls.Config,
 ) *HTTPSTransport {
-	var transport *http.Transport
-	if tlsConfig != nil {
-		transport = &http.Transport{
-			ForceAttemptHTTP2: true,
-			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
-				if hErr != nil {
-					return nil, hErr
-				}
-				tlsConn, hErr := aTLS.ClientHandshake(ctx, tcpConn, tlsConfig)
-				if hErr != nil {
-					tcpConn.Close()
-					return nil, hErr
-				}
-				return tlsConn, nil
-			},
-		}
-	} else {
-		transport = &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return dialer.DialContext(ctx, network, serverAddr)
-			},
-		}
-	}
 	return &HTTPSTransport{
 		TransportAdapter: adapter,
 		logger:           logger,
 		dialer:           dialer,
 		destination:      destination,
 		headers:          headers,
-		transport:        transport,
+		transport:        NewHTTPSTransportWrapper(tls.NewDialer(dialer, tlsConfig), serverAddr),
 	}
 }

--- a/dns/transport/https_transport.go
+++ b/dns/transport/https_transport.go
@@ -0,0 +1,80 @@
+package transport
+
+import (
+	"context"
+	"errors"
+	"net"
+	"net/http"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/common/tls"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"golang.org/x/net/http2"
+)
+
+var errFallback = E.New("fallback to HTTP/1.1")
+
+type HTTPSTransportWrapper struct {
+	http2Transport *http2.Transport
+	httpTransport  *http.Transport
+	fallback       *atomic.Bool
+}
+
+func NewHTTPSTransportWrapper(dialer tls.Dialer, serverAddr M.Socksaddr) *HTTPSTransportWrapper {
+	var fallback atomic.Bool
+	return &HTTPSTransportWrapper{
+		http2Transport: &http2.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string, _ *tls.STDConfig) (net.Conn, error) {
+				tlsConn, err := dialer.DialTLSContext(ctx, serverAddr)
+				if err != nil {
+					return nil, err
+				}
+				state := tlsConn.ConnectionState()
+				if state.NegotiatedProtocol == http2.NextProtoTLS {
+					return tlsConn, nil
+				}
+				tlsConn.Close()
+				fallback.Store(true)
+				return nil, errFallback
+			},
+		},
+		httpTransport: &http.Transport{
+			DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+				return dialer.DialTLSContext(ctx, serverAddr)
+			},
+		},
+		fallback: &fallback,
+	}
+}
+
+func (h *HTTPSTransportWrapper) RoundTrip(request *http.Request) (*http.Response, error) {
+	if h.fallback.Load() {
+		return h.httpTransport.RoundTrip(request)
+	} else {
+		response, err := h.http2Transport.RoundTrip(request)
+		if err != nil {
+			if errors.Is(err, errFallback) {
+				return h.httpTransport.RoundTrip(request)
+			}
+			return nil, err
+		}
+		return response, nil
+	}
+}
+
+func (h *HTTPSTransportWrapper) CloseIdleConnections() {
+	h.http2Transport.CloseIdleConnections()
+	h.httpTransport.CloseIdleConnections()
+}
+
+func (h *HTTPSTransportWrapper) Clone() *HTTPSTransportWrapper {
+	return &HTTPSTransportWrapper{
+		httpTransport: h.httpTransport,
+		http2Transport: &http2.Transport{
+			DialTLSContext: h.http2Transport.DialTLSContext,
+		},
+		fallback: h.fallback,
+	}
+}
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -53,13 +53,15 @@ func (t *Transport) Start(stage adapter.StartStage) error {
 	switch stage {
 	case adapter.StartStateInitialize:
 		if !t.preferGo {
-			resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
-			if err == nil {
-				err = resolvedResolver.Start()
+			if isSystemdResolvedManaged() {
+				resolvedResolver, err := NewResolvedResolver(t.ctx, t.logger)
 				if err == nil {
-					t.resolved = resolvedResolver
-				} else {
-					t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
+					err = resolvedResolver.Start()
+					if err == nil {
+						t.resolved = resolvedResolver
+					} else {
+						t.logger.Warn(E.Cause(err, "initialize resolved resolver"))
+					}
 				}
 			}
 		}
@@ -82,12 +84,11 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		}
 	}
 	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(domain)
+		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	return t.exchange(ctx, message, domain)
+	return t.exchange(ctx, message, question.Name)
 }
--- a/dns/transport/local/local_darwin.go
+++ b/dns/transport/local/local_darwin.go
@@ -96,15 +96,14 @@ func (t *Transport) Close() error {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	question := message.Question[0]
-	domain := dns.FqdnToDomain(question.Name)
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
-		addresses := t.hosts.Lookup(domain)
+		addresses := t.hosts.Lookup(dns.FqdnToDomain(question.Name))
 		if len(addresses) > 0 {
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
 	if !t.fallback {
-		return t.exchange(ctx, message, domain)
+		return t.exchange(ctx, message, question.Name)
 	}
 	if !C.IsIos {
 		if t.dhcpTransport != nil {
@@ -116,7 +115,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 	}
 	if t.preferGo {
 		// Assuming the user knows what they are doing, we still execute the query which will fail.
-		return t.exchange(ctx, message, domain)
+		return t.exchange(ctx, message, question.Name)
 	}
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 		var network string
@@ -125,7 +124,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 		} else {
 			network = "ip6"
 		}
-		addresses, err := t.resolver.LookupNetIP(ctx, network, domain)
+		addresses, err := t.resolver.LookupNetIP(ctx, network, question.Name)
 		if err != nil {
 			var dnsError *net.DNSError
 			if errors.As(err, &dnsError) && dnsError.IsNotFound {
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -1,9 +1,11 @@
 package local

 import (
+	"bufio"
 	"context"
 	"errors"
 	"os"
+	"strings"
 	"sync"
 	"sync/atomic"

@@ -22,6 +24,25 @@ import (
 	mDNS "github.com/miekg/dns"
 )

+func isSystemdResolvedManaged() bool {
+	resolvContent, err := os.Open("/etc/resolv.conf")
+	if err != nil {
+		return false
+	}
+	defer resolvContent.Close()
+	scanner := bufio.NewScanner(resolvContent)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || line[0] != '#' {
+			return false
+		}
+		if strings.Contains(line, "systemd-resolved") {
+			return true
+		}
+	}
+	return false
+}
+
 type DBusResolvedResolver struct {
 	ctx               context.Context
 	logger            logger.ContextLogger
@@ -188,7 +209,7 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		int32(defaultInterface.Index),
 	)
 	if call.Err != nil {
-		return nil, err
+		return nil, call.Err
 	}
 	var linkPath dbus.ObjectPath
 	err = call.Store(&linkPath)
@@ -214,15 +235,12 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 				return nil, E.New("No appropriate name servers or networks for name found")
 			}
 		}
-		return &ResolvedObject{
-			BusObject: dbusObject,
-		}, nil
-	} else {
-		return &ResolvedObject{
-			BusObject:      dbusObject,
-			InterfaceIndex: int32(defaultInterface.Index),
-		}, nil
+		return nil, E.New("link has no DNS servers configured")
 	}
+	return &ResolvedObject{
+		BusObject:      dbusObject,
+		InterfaceIndex: int32(defaultInterface.Index),
+	}, nil
 }

 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
--- a/dns/transport/local/local_resolved_stub.go
+++ b/dns/transport/local/local_resolved_stub.go
@@ -9,6 +9,10 @@ import (
 	"github.com/sagernet/sing/common/logger"
 )

+func isSystemdResolvedManaged() bool {
+	return false
+}
+
 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
 	return nil, os.ErrInvalid
 }
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -2,11 +2,13 @@ package local

 import (
 	"context"
-	"fmt"
+	"errors"
 	"math/rand"
+	"syscall"
 	"time"

 	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -17,7 +19,6 @@ import (

 func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, domain string) (*mDNS.Msg, error) {
 	systemConfig := getSystemDNSConfig(t.ctx)
-	fmt.Println(systemConfig.servers)
 	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
 		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
 	} else {
@@ -108,12 +109,6 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 	if server.Port == 0 {
 		server.Port = 53
 	}
-	var networks []string
-	if useTCP {
-		networks = []string{N.NetworkTCP}
-	} else {
-		networks = []string{N.NetworkUDP, N.NetworkTCP}
-	}
 	request := &mDNS.Msg{
 		MsgHdr: mDNS.MsgHdr{
 			Id:                uint16(rand.Uint32()),
@@ -124,40 +119,73 @@ func (t *Transport) exchangeOne(ctx context.Context, server M.Socksaddr, questio
 		Compress: true,
 	}
 	request.SetEdns0(buf.UDPBufferSize, false)
+	if !useTCP {
+		return t.exchangeUDP(ctx, server, request, timeout)
+	} else {
+		return t.exchangeTCP(ctx, server, request, timeout)
+	}
+}
+
+func (t *Transport) exchangeUDP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkUDP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		newDeadline := time.Now().Add(timeout)
+		if deadline.After(newDeadline) {
+			deadline = newDeadline
+		}
+		conn.SetDeadline(deadline)
+	}
 	buffer := buf.Get(buf.UDPBufferSize)
 	defer buf.Put(buffer)
-	for _, network := range networks {
-		ctx, cancel := context.WithDeadline(ctx, time.Now().Add(timeout))
-		defer cancel()
-		conn, err := t.dialer.DialContext(ctx, network, server)
-		if err != nil {
-			return nil, err
-		}
-		defer conn.Close()
-		if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
-			conn.SetDeadline(deadline)
-		}
-		rawMessage, err := request.PackBuffer(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "pack request")
-		}
-		_, err = conn.Write(rawMessage)
-		if err != nil {
-			return nil, E.Cause(err, "write request")
-		}
-		n, err := conn.Read(buffer)
-		if err != nil {
-			return nil, E.Cause(err, "read response")
-		}
-		var response mDNS.Msg
-		err = response.Unpack(buffer[:n])
-		if err != nil {
-			return nil, E.Cause(err, "unpack response")
-		}
-		if response.Truncated && network == N.NetworkUDP {
-			continue
-		}
-		return &response, nil
+	rawMessage, err := request.PackBuffer(buffer)
+	if err != nil {
+		return nil, E.Cause(err, "pack request")
 	}
-	panic("unexpected")
+	_, err = conn.Write(rawMessage)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request, timeout)
+		}
+		return nil, E.Cause(err, "write request")
+	}
+	n, err := conn.Read(buffer)
+	if err != nil {
+		if errors.Is(err, syscall.EMSGSIZE) {
+			return t.exchangeTCP(ctx, server, request, timeout)
+		}
+		return nil, E.Cause(err, "read response")
+	}
+	var response mDNS.Msg
+	err = response.Unpack(buffer[:n])
+	if err != nil {
+		return nil, E.Cause(err, "unpack response")
+	}
+	if response.Truncated {
+		return t.exchangeTCP(ctx, server, request, timeout)
+	}
+	return &response, nil
+}
+
+func (t *Transport) exchangeTCP(ctx context.Context, server M.Socksaddr, request *mDNS.Msg, timeout time.Duration) (*mDNS.Msg, error) {
+	conn, err := t.dialer.DialContext(ctx, N.NetworkTCP, server)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	if deadline, loaded := ctx.Deadline(); loaded && !deadline.IsZero() {
+		newDeadline := time.Now().Add(timeout)
+		if deadline.After(newDeadline) {
+			deadline = newDeadline
+		}
+		conn.SetDeadline(deadline)
+	}
+	err = transport.WriteMessage(conn, 0, request)
+	if err != nil {
+		return nil, err
+	}
+	return transport.ReadMessage(conn)
 }
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -102,7 +102,7 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 		destination:      &destinationURL,
 		headers:          headers,
 		transport: &http3.Transport{
-			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
+			Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (*quic.Conn, error) {
 				conn, dialErr := transportDialer.DialContext(ctx, N.NetworkUDP, serverAddr)
 				if dialErr != nil {
 					return nil, dialErr
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@@ -38,7 +38,7 @@ type Transport struct {
 	serverAddr M.Socksaddr
 	tlsConfig  tls.Config
 	access     sync.Mutex
-	connection quic.EarlyConnection
+	connection *quic.Conn
 }

 func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options option.RemoteTLSDNSServerOptions) (adapter.DNSTransport, error) {
@@ -88,7 +88,7 @@ func (t *Transport) Close() error {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	var (
-		conn     quic.Connection
+		conn     *quic.Conn
 		err      error
 		response *mDNS.Msg
 	)
@@ -110,7 +110,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 	return nil, err
 }

-func (t *Transport) openConnection() (quic.EarlyConnection, error) {
+func (t *Transport) openConnection() (*quic.Conn, error) {
 	connection := t.connection
 	if connection != nil && !common.Done(connection.Context()) {
 		return connection, nil
@@ -139,7 +139,7 @@ func (t *Transport) openConnection() (quic.EarlyConnection, error) {
 	return earlyConnection, nil
 }

-func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn quic.Connection) (*mDNS.Msg, error) {
+func (t *Transport) exchange(ctx context.Context, message *mDNS.Msg, conn *quic.Conn) (*mDNS.Msg, error) {
 	stream, err := conn.OpenStreamSync(ctx)
 	if err != nil {
 		return nil, err
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,78 @@
 icon: material/alert-decagram
 ---

+#### 1.13.0-alpha.24
+
+* Add Claude Code Multiplexer service **1**
+* Fixes and improvements
+
+**1**:
+
+CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
+
+See [CCM](/configuration/service/ccm).
+
+#### 1.13.0-alpha.23
+
+* Fix compatibility with MPTCP **1**
+* Fixes and improvements
+
+**1**:
+
+`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues,
+but you can change it to bypass the sing-box via the new `exclude_mptcp` option.
+
+See [TUN](/configuration/inbound/tun/#exclude_mptcp).
+
+#### 1.13.0-alpha.22
+
+* Update uTLS to v1.8.1 **1**
+* Fixes and improvements
+
+**1**:
+
+This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
+see https://github.com/refraction-networking/utls/pull/375.
+
+#### 1.12.10
+
+* Update uTLS to v1.8.1 **1**
+* Fixes and improvements
+
+**1**:
+
+This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
+see https://github.com/refraction-networking/utls/pull/375.
+
+#### 1.13.0-alpha.21
+
+* Fix missing mTLS support in client options **1**
+* Fixes and improvements
+
+See [TLS](/configuration/shared/tls/).
+
+#### 1.12.9
+
+* Fixes and improvements
+
+#### 1.13.0-alpha.16
+
+* Add curve preferences, pinned public key SHA256 and mTLS for TLS options **1**
+* Fixes and improvements
+
+See [TLS](/configuration/shared/tls/).
+
+#### 1.13.0-alpha.15
+
+* Update quic-go to v0.54.0
+* Update gVisor to v20250811
+* Update Tailscale to v1.86.5
+* Fixes and improvements
+
+#### 1.12.8
+
+* Fixes and improvements
+
 #### 1.13.0-alpha.11

 * Fixes and improvements
@@ -101,7 +173,8 @@ See [Tailscale](/configuration/endpoint/tailscale/).

 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
+from [MetaCubeX/go](https://github.com/MetaCubeX/go).

 **7**:

@@ -163,7 +236,8 @@ See [Tun](/configuration/inbound/tun/#loopback_address).

 We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.

-The following data was tested using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
+The following data was tested
+using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.

 | Version     | Stack  | MTU   | Upload | Download |
 |-------------|--------|-------|--------|----------|
@@ -182,8 +256,8 @@ The following data was tested using [tun_bench](https://github.com/SagerNet/sing

 **18**:

-We continue to experience issues updating our sing-box apps on the App Store and Play Store. 
-Until we rewrite and resubmit the apps, they are considered irrecoverable. 
+We continue to experience issues updating our sing-box apps on the App Store and Play Store.
+Until we rewrite and resubmit the apps, they are considered irrecoverable.
 Therefore, after this release, we will not be repeating this notice unless there is new information.

 ### 1.11.15
@@ -464,7 +538,8 @@ See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/conf

 **2**:

-`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
+`resolve` route action now accepts `disable_cache` and other options like in DNS route actions,
+see [Route Action](/configuration/route/rule_action).

 **3**:

@@ -495,7 +570,8 @@ See [Tailscale](/configuration/endpoint/tailscale/).

 Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

-For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
+For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches
+from [MetaCubeX/go](https://github.com/MetaCubeX/go).

 ### 1.11.3

--- a/docs/configuration/certificate/index.zh.md
+++ b/docs/configuration/certificate/index.zh.md
@@ -0,0 +1,54 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# 证书
+
+### 结构
+
+```json
+{
+  "store": "",
+  "certificate": [],
+  "certificate_path": [],
+  "certificate_directory_path": []
+}
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+
+### 字段
+
+#### store
+
+默认的 X509 受信任 CA 证书列表。
+
+| 类型                | 描述                                                                                       |
+|--------------------|--------------------------------------------------------------------------------------------|
+| `system`（默认）    | 系统受信任的 CA 证书                                                                        |
+| `mozilla`          | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
+| `none`             | 空列表                                                                                     |
+
+#### certificate
+
+要信任的证书行数组，PEM 格式。
+
+#### certificate_path
+
+!!! note ""
+
+    文件修改时将自动重新加载。
+
+要信任的证书路径，PEM 格式。
+
+#### certificate_directory_path
+
+!!! note ""
+
+    文件修改时将自动重新加载。
+
+搜索要信任的证书的目录路径，PEM 格式。
--- a/docs/configuration/dns/server/dhcp.zh.md
+++ b/docs/configuration/dns/server/dhcp.zh.md
@@ -0,0 +1,38 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DHCP
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "dhcp",
+        "tag": "",
+
+        "interface": "",
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+### 字段
+
+#### interface
+
+要监听的网络接口名称。
+
+默认使用默认接口。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/fakeip.zh.md
+++ b/docs/configuration/dns/server/fakeip.zh.md
@@ -0,0 +1,35 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Fake IP
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "fakeip",
+        "tag": "",
+
+        "inet4_range": "198.18.0.0/15",
+        "inet6_range": "fc00::/18"
+      }
+    ]
+  }
+}
+```
+
+### 字段
+
+#### inet4_range
+
+FakeIP 的 IPv4 地址范围。
+
+#### inet6_range
+
+FakeIP 的 IPv6 地址范围。
--- a/docs/configuration/dns/server/hosts.zh.md
+++ b/docs/configuration/dns/server/hosts.zh.md
@@ -0,0 +1,96 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Hosts
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "hosts",
+        "tag": "",
+
+        "path": [],
+        "predefined": {}
+      }
+    ]
+  }
+}
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签
+
+### 字段
+
+#### path
+
+hosts 文件路径列表。
+
+默认使用 `/etc/hosts`。
+
+在 Windows 上默认使用 `C:\Windows\System32\Drivers\etc\hosts`。
+
+示例：
+
+```json
+{
+  // "path": "/etc/hosts"
+
+  "path": [
+    "/etc/hosts",
+    "$HOME/.hosts"
+  ]
+}
+```
+
+#### predefined
+
+预定义的 hosts。
+
+示例：
+
+```json
+{
+  "predefined": {
+    "www.google.com": "127.0.0.1",
+    "localhost": [
+      "127.0.0.1",
+      "::1"
+    ]
+  }
+}
+```
+
+### 示例
+
+=== "如果可用则使用 hosts"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            ...
+          },
+          {
+            "type": "hosts",
+            "tag": "hosts"
+          }
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "hosts"
+          }
+        ]
+      }
+    }
+    ```
--- a/docs/configuration/dns/server/http3.zh.md
+++ b/docs/configuration/dns/server/http3.zh.md
@@ -0,0 +1,71 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DNS over HTTP3 (DoH3)
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "h3",
+        "tag": "",
+
+        "server": "",
+        "server_port": 443,
+
+        "path": "",
+        "headers": {},
+
+        "tls": {},
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 H3 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `443`。
+
+#### path
+
+DNS 服务器的路径。
+
+默认使用 `/dns-query`。
+
+#### headers
+
+发送到 DNS 服务器的额外标头。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/https.zh.md
+++ b/docs/configuration/dns/server/https.zh.md
@@ -0,0 +1,71 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DNS over HTTPS (DoH)
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "https",
+        "tag": "",
+
+        "server": "",
+        "server_port": 443,
+
+        "path": "",
+        "headers": {},
+
+        "tls": {},
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 HTTPS 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `443`。
+
+#### path
+
+DNS 服务器的路径。
+
+默认使用 `/dns-query`。
+
+#### headers
+
+发送到 DNS 服务器的额外标头。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/local.zh.md
+++ b/docs/configuration/dns/server/local.zh.md
@@ -0,0 +1,61 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [prefer_go](#prefer_go)
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Local
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "local",
+        "tag": "",
+        "prefer_go": false,
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版本地服务器的区别"
+
+    * 旧的传统本地服务器只处理 IP 请求；新的服务器处理所有类型的请求，并支持 IP 请求的并发处理。
+    * 旧的本地服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+
+### 字段
+
+#### prefer_go
+
+!!! question "自 sing-box 1.13.0 起"
+
+启用后，`local` DNS 服务器将尽可能通过拨号自身来解析 DNS。
+
+具体来说，它禁用了在 sing-box 1.13.0 中作为功能添加的以下行为：
+
+1. 在 Apple 平台上：尝试在 NetworkExtension 中使用 `getaddrinfo` 解析 A/AAAA 请求。
+2. 在 Linux 上：当可用时通过 `systemd-resolvd` 的 DBus 接口进行解析。
+
+作为唯一的例外，它无法禁用以下行为：
+
+1. 在 Android 图形客户端中，
+`local` 将始终通过平台接口解析 DNS，
+因为没有其他方法来获取上游 DNS 服务器；
+在运行 Android 10 以下版本的设备上，此接口只能解析 A/AAAA 请求。
+
+2. 在 macOS 上，`local` 会在 Network Extension 中首先尝试 DHCP，由于 DHCP 遵循拨号字段，
+它不会被 `prefer_go` 禁用。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/quic.zh.md
+++ b/docs/configuration/dns/server/quic.zh.md
@@ -0,0 +1,58 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DNS over QUIC (DoQ)
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "quic",
+        "tag": "",
+
+        "server": "",
+        "server_port": 853,
+
+        "tls": {},
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 QUIC 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `853`。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/resolved.zh.md
+++ b/docs/configuration/dns/server/resolved.zh.md
@@ -0,0 +1,83 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Resolved
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "resolved",
+        "tag": "",
+
+        "service": "resolved",
+        "accept_default_resolvers": false
+      }
+    ]
+  }
+}
+```
+
+### 字段
+
+#### service
+
+==必填==
+
+[Resolved 服务](/zh/configuration/service/resolved) 的标签。
+
+#### accept_default_resolvers
+
+指示是否除了匹配域名外，还应接受默认 DNS 解析器以进行回退查询。
+
+具体来说，默认 DNS 解析器是设置了 `SetLinkDefaultRoute` 或 `SetLinkDomains ~.` 的 DNS 服务器。
+
+如果未启用，对于不匹配搜索域或匹配域的请求，将返回 `NXDOMAIN`。
+
+### 示例
+
+=== "仅分割 DNS"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "local",
+            "tag": "local"
+          },
+          {
+            "type": "resolved",
+            "tag": "resolved",
+            "service": "resolved"
+          }
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "resolved"
+          }
+        ]
+      }
+    }
+    ```
+
+=== "用作全局 DNS"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "resolved",
+            "service": "resolved",
+            "accept_default_resolvers": true
+          }
+        ]
+      }
+    }
+    ```
--- a/docs/configuration/dns/server/tailscale.zh.md
+++ b/docs/configuration/dns/server/tailscale.zh.md
@@ -0,0 +1,83 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Tailscale
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "tailscale",
+        "tag": "",
+
+        "endpoint": "ts-ep",
+        "accept_default_resolvers": false
+      }
+    ]
+  }
+}
+```
+
+### 字段
+
+#### endpoint
+
+==必填==
+
+[Tailscale 端点](/zh/configuration/endpoint/tailscale) 的标签。
+
+#### accept_default_resolvers
+
+指示是否除了 MagicDNS 外，还应接受默认 DNS 解析器以进行回退查询。
+
+如果未启用，对于非 Tailscale 域名查询将返回 `NXDOMAIN`。
+
+### 示例
+
+=== "仅 MagicDNS"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "local",
+            "tag": "local"
+          },
+          {
+            "type": "tailscale",
+            "tag": "ts",
+            "endpoint": "ts-ep"
+          }
+        ],
+        "rules": [
+          {
+            "ip_accept_any": true,
+            "server": "ts"
+          }
+        ]
+      }
+    }
+    ```
+
+=== "用作全局 DNS"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "type": "tailscale",
+            "endpoint": "ts-ep",
+            "accept_default_resolvers": true
+          }
+        ]
+      }
+    }
+    ```
--- a/docs/configuration/dns/server/tcp.zh.md
+++ b/docs/configuration/dns/server/tcp.zh.md
@@ -0,0 +1,52 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# TCP
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "tcp",
+        "tag": "",
+
+        "server": "",
+        "server_port": 53,
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 TCP 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `53`。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/tls.zh.md
+++ b/docs/configuration/dns/server/tls.zh.md
@@ -0,0 +1,58 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DNS over TLS (DoT)
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "tls",
+        "tag": "",
+
+        "server": "",
+        "server_port": 853,
+
+        "tls": {},
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 TLS 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `853`。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/dns/server/udp.zh.md
+++ b/docs/configuration/dns/server/udp.zh.md
@@ -0,0 +1,52 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# UDP
+
+### 结构
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "udp",
+        "tag": "",
+
+        "server": "",
+        "server_port": 53,
+
+        // 拨号字段
+      }
+    ]
+  }
+}
+```
+
+!!! info "与旧版 UDP 服务器的区别"
+
+    * 旧服务器默认使用默认出站，除非指定了绕行；新服务器像出站一样使用拨号器，相当于默认使用空的直连出站。
+    * 旧服务器使用 `address_resolver` 和 `address_strategy` 来解析服务器中的域名；新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver` 和 `domain_strategy`。
+
+### 字段
+
+#### server
+
+==必填==
+
+DNS 服务器的地址。
+
+如果使用域名，还必须设置 `domain_resolver` 来解析 IP 地址。
+
+#### server_port
+
+DNS 服务器的端口。
+
+默认使用 `53`。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -0,0 +1,103 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+### 结构
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-ep",
+  "state_directory": "",
+  "auth_key": "",
+  "control_url": "",
+  "ephemeral": false,
+  "hostname": "",
+  "accept_routes": false,
+  "exit_node": "",
+  "exit_node_allow_lan_access": false,
+  "advertise_routes": [],
+  "advertise_exit_node": false,
+  "udp_timeout": "5m",
+
+  ... // 拨号字段
+}
+```
+
+### 字段
+
+#### state_directory
+
+存储 Tailscale 状态的目录。
+
+默认使用 `tailscale`。
+
+示例：`$HOME/.tailscale`
+
+#### auth_key
+
+!!! note
+
+    认证密钥不是必需的。默认情况下，sing-box 将记录登录 URL（或在图形客户端上弹出通知）。
+
+用于创建节点的认证密钥。如果节点已经创建（从之前存储的状态），则不使用此字段。
+
+#### control_url
+
+协调服务器 URL。
+
+默认使用 `https://controlplane.tailscale.com`。
+
+#### ephemeral
+
+指示实例是否应注册为临时节点 (https://tailscale.com/s/ephemeral-nodes)。
+
+#### hostname
+
+节点的主机名。
+
+默认使用系统主机名。
+
+示例：`localhost`
+
+#### accept_routes
+
+指示节点是否应接受其他节点通告的路由。
+
+#### exit_node
+
+要使用的出口节点名称或 IP 地址。
+
+#### exit_node_allow_lan_access
+
+!!! note
+
+    当出口节点没有相应的通告路由时，即使设置了 `exit_node_allow_lan_access`，私有流量也无法路由到出口节点。
+
+指示本地可访问的子网应该直接路由还是通过出口节点路由。
+
+#### advertise_routes
+
+通告到 Tailscale 网络的 CIDR 前缀，作为可通过当前节点访问的路由。
+
+示例：`["192.168.1.1/24"]`
+
+#### advertise_exit_node
+
+指示节点是否应将自己通告为出口节点。
+
+#### udp_timeout
+
+UDP NAT 过期时间。
+
+默认使用 `5m`。
+
+### 拨号字段
+
+!!! note
+
+    Tailscale 端点中的拨号字段仅控制它如何连接到控制平面，与实际连接无关。
+
+参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -43,13 +43,11 @@ Trojan 用户。

 #### tls

-==如果启用 HTTP3 则必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### fallback

-!!! quote ""
+!!! failure ""

    没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,6 +2,10 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [exclude_mptcp](#exclude_mptcp)
+
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [loopback_address](#loopback_address)
@@ -63,6 +67,7 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
  ],
@@ -278,6 +283,20 @@ Connection output mark used by `auto_redirect`.

 `0x2024` is used by default.

+#### exclude_mptcp
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
+
+MPTCP cannot be transparently proxied due to protocol limitations.
+
+Such traffic is usually created by Apple systems.
+
+When enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default.
+
 #### loopback_address

 !!! question "Since sing-box 1.12.0"
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,6 +2,10 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [exclude_mptcp](#exclude_mptcp)
+
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [loopback_address](#loopback_address)
@@ -63,6 +67,7 @@ icon: material/new-box
  "auto_redirect": true,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
+  "exclude_mptcp": false,
  "loopback_address": [
    "10.7.0.1"
  ],
@@ -277,6 +282,20 @@ tun 接口的 IPv6 前缀。

 默认使用 `0x2024`。

+#### exclude_mptcp
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 nftables，`auto_route` 和 `auto_redirect` 已启用。 
+
+由于协议限制，MPTCP 无法被透明代理。
+
+此类流量通常由 Apple 系统创建。
+
+启用时，MPTCP 连接将绕过 sing-box 直接连接，否则，将被拒绝以避免错误。
+
 #### loopback_address

 !!! question "自 sing-box 1.12.0 起"
--- a/docs/configuration/service/ccm.md
+++ b/docs/configuration/service/ccm.md
@@ -0,0 +1,104 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.13.0"
+
+# CCM
+
+CCM (Claude Code Multiplexer) service is a multiplexing service that allows you to access your local Claude Code subscription remotely through custom tokens.
+
+It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.
+
+### Structure
+
+```json
+{
+  "type": "ccm",
+
+  ... // Listen Fields
+
+  "credential_path": "",
+  "usages_path": "",
+  "users": [],
+  "headers": {},
+  "detour": "",
+  "tls": {}
+}
+```
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen/) for details.
+
+### Fields
+
+#### credential_path
+
+Path to the Claude Code OAuth credentials file.
+
+Defaults to `~/.claude/.credentials.json` if not specified.
+
+On macOS, credentials are read from the system keychain first, then fall back to the file if unavailable.
+
+Refreshed tokens are automatically written back to the same location.
+
+#### usages_path
+
+Path to the file for storing aggregated API usage statistics.
+
+Usage tracking is disabled if not specified.
+
+When enabled, the service tracks and saves comprehensive statistics including:
+- Request counts
+- Token usage (input, output, cache read, cache creation)
+- Calculated costs in USD based on Claude API pricing
+
+Statistics are organized by model, context window (200k standard vs 1M premium), and optionally by user when authentication is enabled.
+
+The statistics file is automatically saved every minute and upon service shutdown.
+
+#### users
+
+List of authorized users for token authentication.
+
+If empty, no authentication is required.
+
+Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
+
+#### headers
+
+Custom HTTP headers to send to the Claude API.
+
+These headers will override any existing headers with the same name.
+
+#### detour
+
+Outbound tag for connecting to the Claude API.
+
+#### tls
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
+
+### Example
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "127.0.0.1",
+      "listen_port": 8080
+    }
+  ]
+}
+```
+
+Connect to the CCM service:
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+
+claude
+```
--- a/docs/configuration/service/ccm.zh.md
+++ b/docs/configuration/service/ccm.zh.md
@@ -0,0 +1,104 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.13.0 起"
+
+# CCM
+
+CCM（Claude Code 多路复用器）服务是一个多路复用服务，允许您通过自定义令牌远程访问本地的 Claude Code 订阅。
+
+它在本地机器上处理与 Claude API 的 OAuth 身份验证，同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。
+
+### 结构
+
+```json
+{
+  "type": "ccm",
+
+  ... // 监听字段
+
+  "credential_path": "",
+  "usages_path": "",
+  "users": [],
+  "headers": {},
+  "detour": "",
+  "tls": {}
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
+
+### 字段
+
+#### credential_path
+
+Claude Code OAuth 凭据文件的路径。
+
+如果未指定，默认使用 `~/.claude/.credentials.json`。
+
+在 macOS 上，首先从系统钥匙串读取凭据，如果不可用则回退到文件。
+
+刷新的令牌会自动写回相同位置。
+
+#### usages_path
+
+用于存储聚合 API 使用统计信息的文件路径。
+
+如果未指定，使用跟踪将被禁用。
+
+启用后，服务会跟踪并保存全面的统计信息，包括：
+- 请求计数
+- 令牌使用量（输入、输出、缓存读取、缓存创建）
+- 基于 Claude API 定价计算的美元成本
+
+统计信息按模型、上下文窗口（200k 标准版 vs 1M 高级版）以及可选的用户（启用身份验证时）进行组织。
+
+统计文件每分钟自动保存一次，并在服务关闭时保存。
+
+#### users
+
+用于令牌身份验证的授权用户列表。
+
+如果为空，则不需要身份验证。
+
+Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
+
+#### headers
+
+发送到 Claude API 的自定义 HTTP 头。
+
+这些头会覆盖同名的现有头。
+
+#### detour
+
+用于连接 Claude API 的出站标签。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+
+### 示例
+
+```json
+{
+  "services": [
+    {
+      "type": "ccm",
+      "listen": "127.0.0.1",
+      "listen_port": 8080
+    }
+  ]
+}
+```
+
+连接到 CCM 服务：
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
+export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
+
+claude
+```
--- a/docs/configuration/service/derp.zh.md
+++ b/docs/configuration/service/derp.zh.md
@@ -0,0 +1,135 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# DERP
+
+DERP 服务是一个 Tailscale DERP 服务器，类似于 [derper](https://pkg.go.dev/tailscale.com/cmd/derper)。
+
+### 结构
+
+```json
+{
+  "type": "derp",
+
+  ... // 监听字段
+
+  "tls": {},
+  "config_path": "",
+  "verify_client_endpoint": [],
+  "verify_client_url": [],
+  "home": "",
+  "mesh_with": [],
+  "mesh_psk": "",
+  "mesh_psk_file": "",
+  "stun": {}
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
+
+### 字段
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+
+#### config_path
+
+==必填==
+
+Derper 配置文件路径。
+
+示例：`derper.key`
+
+#### verify_client_endpoint
+
+用于验证客户端的 Tailscale 端点标签。
+
+#### verify_client_url
+
+用于验证客户端的 URL。
+
+对象格式：
+
+```json
+{
+  "url": "https://my-headscale.com/verify",
+
+  ... // 拨号字段
+}
+```
+
+将数组值设置为字符串 `__URL__` 等同于配置：
+
+```json
+{ "url": __URL__ }
+```
+
+#### home
+
+在根路径提供的内容。可以留空（默认值，显示默认主页）、`blank` 显示空白页面，或一个重定向的 URL。
+
+#### mesh_with
+
+与其他 DERP 服务器组网。
+
+对象格式：
+
+```json
+{
+  "server": "",
+  "server_port": "",
+  "host": "",
+  "tls": {},
+
+  ... // 拨号字段
+}
+```
+
+对象字段：
+
+- `server`：**必填** DERP 服务器地址。
+- `server_port`：**必填** DERP 服务器端口。
+- `host`：自定义 DERP 主机名。
+- `tls`：[TLS](/zh/configuration/shared/tls/#outbound)
+- `拨号字段`：[拨号字段](/zh/configuration/shared/dial/)
+
+#### mesh_psk
+
+DERP 组网的预共享密钥。
+
+#### mesh_psk_file
+
+DERP 组网的预共享密钥文件。
+
+#### stun
+
+STUN 服务器监听选项。
+
+对象格式：
+
+```json
+{
+  "enabled": true,
+
+  ... // 监听字段
+}
+```
+
+对象字段：
+
+- `enabled`：**必填** 启用 STUN 服务器。
+- `listen`：**必填** STUN 服务器监听地址，默认为 `::`。
+- `listen_port`：**必填** STUN 服务器监听端口，默认为 `3478`。
+- `其他监听字段`：[监听字段](/zh/configuration/shared/listen/)
+
+将 `stun` 值设置为数字 `__PORT__` 等同于配置：
+
+```json
+{ "enabled": true, "listen_port": __PORT__ }
+```
--- a/docs/configuration/service/index.md
+++ b/docs/configuration/service/index.md
@@ -23,6 +23,7 @@ icon: material/new-box

 | Type       | Format                 |
 |------------|------------------------|
+| `ccm`      | [CCM](./ccm)           |
 | `derp`     | [DERP](./derp)         |
 | `resolved` | [Resolved](./resolved) |
 | `ssm-api`  | [SSM API](./ssm-api)   |
--- a/docs/configuration/service/index.zh.md
+++ b/docs/configuration/service/index.zh.md
@@ -0,0 +1,33 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# 服务
+
+### 结构
+
+```json
+{
+  "services": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型       | 格式                   |
+|-----------|------------------------|
+| `ccm`     | [CCM](./ccm)           |
+| `derp`    | [DERP](./derp)         |
+| `resolved`| [Resolved](./resolved) |
+| `ssm-api` | [SSM API](./ssm-api)   |
+
+#### tag
+
+端点的标签。
--- a/docs/configuration/service/resolved.zh.md
+++ b/docs/configuration/service/resolved.zh.md
@@ -0,0 +1,44 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# Resolved
+
+Resolved 服务是一个伪造的 systemd-resolved DBUS 服务，用于从其他程序
+（如 NetworkManager）接收 DNS 设置并提供 DNS 解析。
+
+另请参阅：[Resolved DNS 服务器](/zh/configuration/dns/server/resolved/)
+
+### 结构
+
+```json
+{
+  "type": "resolved",
+
+  ... // 监听字段
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
+
+### 字段
+
+#### listen
+
+==必填==
+
+监听地址。
+
+默认使用 `127.0.0.53`。
+
+#### listen_port
+
+==必填==
+
+监听端口。
+
+默认使用 `53`。
--- a/docs/configuration/service/ssm-api.zh.md
+++ b/docs/configuration/service/ssm-api.zh.md
@@ -0,0 +1,58 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.12.0 起"
+
+# SSM API
+
+SSM API 服务是一个用于管理 Shadowsocks 服务器的 RESTful API 服务器。
+
+参阅 https://github.com/Shadowsocks-NET/shadowsocks-specs/blob/main/2023-1-shadowsocks-server-management-api-v1.md
+
+### 结构
+
+```json
+{
+  "type": "ssm-api",
+
+  ... // 监听字段
+
+  "servers": {},
+  "cache_path": "",
+  "tls": {}
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
+
+### 字段
+
+#### servers
+
+==必填==
+
+从 HTTP 端点到 [Shadowsocks 入站](/zh/configuration/inbound/shadowsocks) 标签的映射对象。
+
+选定的 Shadowsocks 入站必须配置启用 [managed](/zh/configuration/inbound/shadowsocks#managed)。
+
+示例：
+
+```json
+{
+  "servers": {
+    "/": "ss-in"
+  }
+}
+```
+
+#### cache_path
+
+如果设置，当服务器即将停止时，流量和用户状态将保存到指定的 JSON 文件中，
+以便在下次启动时恢复。
+
+#### tls
+
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -4,8 +4,16 @@ icon: material/new-box

 !!! quote "Changes in sing-box 1.13.0"

-    :material-plus: [kernel_tx](#kernel_tx)  
+    :material-plus: [kernel_tx](#kernel_tx)
    :material-plus: [kernel_rx](#kernel_rx)
+    :material-plus: [curve_preferences](#curve_preferences)
+    :material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
+    :material-plus: [client_certificate](#client_certificate)
+    :material-plus: [client_certificate_path](#client_certificate_path)
+    :material-plus: [client_key](#client_key)
+    :material-plus: [client_key_path](#client_key_path)
+    :material-plus: [client_authentication](#client_authentication)
+    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)

 !!! quote "Changes in sing-box 1.12.0"

@@ -29,8 +37,13 @@ icon: material/new-box
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
+  "curve_preferences": [],
  "certificate": [],
  "certificate_path": "",
+  "client_authentication": "",
+  "client_certificate": [],
+  "client_certificate_path": [],
+  "client_certificate_public_key_sha256": [],
  "key": [],
  "key_path": "",
  "kernel_tx": false,
@@ -90,8 +103,14 @@ icon: material/new-box
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
+  "curve_preferences": [],
  "certificate": "",
  "certificate_path": "",
+  "certificate_public_key_sha256": [],
+  "client_certificate": [],
+  "client_certificate_path": "",
+  "client_key": [],
+  "client_key_path": "",
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
@@ -195,14 +214,29 @@ By default, the maximum version is currently TLS 1.3.

 #### cipher_suites

-A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.
+List of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.
 Note that TLS 1.3 cipher suites are not configurable.

 If empty, a safe default list is used. The default cipher suites might change over time.

+#### curve_preferences
+
+!!! question "Since sing-box 1.13.0"
+
+Set of supported key exchange mechanisms. The order of the list is ignored, and key exchange mechanisms are chosen
+from this list using an internal preference order by Golang.
+
+Available values, also the default list:
+
+* `P256`
+* `P384`
+* `P521`
+* `X25519`
+* `X25519MLKEM768`
+
 #### certificate

-The server certificate line array, in PEM format.
+Server certificates chain line array, in PEM format.

 #### certificate_path

@@ -210,7 +244,58 @@ The server certificate line array, in PEM format.

    Will be automatically reloaded if file modified.

-The path to the server certificate, in PEM format.
+The path to server certificate chain, in PEM format.
+
+
+#### certificate_public_key_sha256
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+List of SHA-256 hashes of server certificate public keys, in base64 format.
+
+To generate the SHA-256 hash for a certificate's public key, use the following commands:
+
+```bash
+# For a certificate file
+openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+
+# For a certificate from a remote server
+echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+```
+
+#### client_certificate
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+Client certificate chain line array, in PEM format.
+
+#### client_certificate_path
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+The path to client certificate chain, in PEM format.
+
+#### client_key
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+Client private key line array, in PEM format.
+
+#### client_key_path
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+The path to client private key, in PEM format.

 #### key

@@ -228,6 +313,63 @@ The server private key line array, in PEM format.

 The path to the server private key, in PEM format.

+#### client_authentication
+
+!!! question "Since sing-box 1.13.0"
+
+==Server only==
+
+The type of client authentication to use.
+
+Available values:
+
+* `no` (default)
+* `request`
+* `require-any`
+* `verify-if-given`
+* `require-and-verify`
+
+One of `client_certificate`, `client_certificate_path`, or `client_certificate_public_key_sha256` is required
+if this option is set to `verify-if-given`, or `require-and-verify`.
+
+#### client_certificate
+
+!!! question "Since sing-box 1.13.0"
+
+==Server only==
+
+Client certificate chain line array, in PEM format.
+
+#### client_certificate_path
+
+!!! question "Since sing-box 1.13.0"
+
+==Server only==
+
+!!! note ""
+
+    Will be automatically reloaded if file modified.
+
+List of path to client certificate chain, in PEM format.
+
+#### client_certificate_public_key_sha256
+
+!!! question "Since sing-box 1.13.0"
+
+==Server only==
+
+List of SHA-256 hashes of client certificate public keys, in base64 format.
+
+To generate the SHA-256 hash for a certificate's public key, use the following commands:
+
+```bash
+# For a certificate file
+openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+
+# For a certificate from a remote server
+echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+```
+
 #### kernel_tx

 !!! question "Since sing-box 1.13.0"
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -1,18 +1,26 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

 !!! quote "sing-box 1.13.0 中的更改"

-    :material-plus: [kernel_tx](#kernel_tx)  
+    :material-plus: [kernel_tx](#kernel_tx)
    :material-plus: [kernel_rx](#kernel_rx)
+    :material-plus: [curve_preferences](#curve_preferences)
+    :material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
+    :material-plus: [client_certificate](#client_certificate)
+    :material-plus: [client_certificate_path](#client_certificate_path)
+    :material-plus: [client_key](#client_key)
+    :material-plus: [client_key_path](#client_key_path)
+    :material-plus: [client_authentication](#client_authentication)
+    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)

 !!! quote "sing-box 1.12.0 中的更改"

-    :material-plus: [tls_fragment](#tls_fragment)  
-    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
-    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
+    :material-plus: [fragment](#fragment)
+    :material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
+    :material-plus: [record_fragment](#record_fragment)
+    :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
    :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)

 !!! quote "sing-box 1.10.0 中的更改"
@@ -29,8 +37,13 @@ icon: material/alert-decagram
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
+  "curve_preferences": [],
  "certificate": [],
  "certificate_path": "",
+  "client_authentication": "",
+  "client_certificate": [],
+  "client_certificate_path": [],
+  "client_certificate_public_key_sha256": [],
  "key": [],
  "key_path": "",
  "kernel_tx": false,
@@ -90,17 +103,25 @@ icon: material/alert-decagram
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
-  "certificate": [],
+  "curve_preferences": [],
+  "certificate": "",
  "certificate_path": "",
+  "certificate_public_key_sha256": [],
+  "client_certificate": [],
+  "client_certificate_path": "",
+  "client_key": [],
+  "client_key_path": "",
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
  "ech": {
    "enabled": false,
-    "pq_signature_schemes_enabled": false,
-    "dynamic_record_sizing_disabled": false,
    "config": [],
-    "config_path": ""
+    "config_path": "",
+
+    // 废弃的
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false
  },
  "utls": {
    "enabled": false,
@@ -191,13 +212,27 @@ TLS 版本值：

 #### cipher_suites

-启用的 TLS 1.0-1.2密码套件的列表。列表的顺序被忽略。请注意，TLS 1.3 的密码套件是不可配置的。
+启用的 TLS 1.0–1.2 密码套件列表。列表的顺序被忽略。请注意，TLS 1.3 的密码套件是不可配置的。

 如果为空，则使用安全的默认列表。默认密码套件可能会随着时间的推移而改变。

+#### curve_preferences
+
+!!! question "自 sing-box 1.13.0 起"
+
+支持的密钥交换机制集合。列表的顺序被忽略，密钥交换机制通过 Golang 的内部偏好顺序从此列表中选择。
+
+可用值，同时也是默认列表：
+
+* `P256`
+* `P384`
+* `P521`
+* `X25519`
+* `X25519MLKEM768`
+
 #### certificate

-服务器 PEM 证书行数组。
+服务器证书链行数组，PEM 格式。

 #### certificate_path

@@ -205,7 +240,57 @@ TLS 版本值：

    文件更改时将自动重新加载。

-服务器 PEM 证书路径。
+服务器证书链路径，PEM 格式。
+
+#### certificate_public_key_sha256
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+服务器证书公钥的 SHA-256 哈希列表，base64 格式。
+
+要生成证书公钥的 SHA-256 哈希，请使用以下命令：
+
+```bash
+# 对于证书文件
+openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+
+# 对于远程服务器的证书
+echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+```
+
+#### client_certificate
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+客户端证书链行数组，PEM 格式。
+
+#### client_certificate_path
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+客户端证书链路径，PEM 格式。
+
+#### client_key
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+客户端私钥行数组，PEM 格式。
+
+#### client_key_path
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+客户端私钥路径，PEM 格式。

 #### key

@@ -221,7 +306,68 @@ TLS 版本值：

 ==仅服务器==

-服务器 PEM 私钥路径。
+!!! note ""
+
+    文件更改时将自动重新加载。
+
+服务器私钥路径，PEM 格式。
+
+#### client_authentication
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅服务器==
+
+要使用的客户端身份验证类型。
+
+可用值：
+
+* `no`（默认）
+* `request`
+* `require-any`
+* `verify-if-given`
+* `require-and-verify`
+
+如果此选项设置为 `verify-if-given` 或 `require-and-verify`，
+则需要 `client_certificate`、`client_certificate_path` 或 `client_certificate_public_key_sha256` 中的一个。
+
+#### client_certificate
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅服务器==
+
+客户端证书链行数组，PEM 格式。
+
+#### client_certificate_path
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅服务器==
+
+!!! note ""
+
+    文件更改时将自动重新加载。
+
+客户端证书链路径列表，PEM 格式。
+
+#### client_certificate_public_key_sha256
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅服务器==
+
+客户端证书公钥的 SHA-256 哈希列表，base64 格式。
+
+要生成证书公钥的 SHA-256 哈希，请使用以下命令：
+
+```bash
+# 对于证书文件
+openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+
+# 对于远程服务器的证书
+echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+```

 #### kernel_tx

@@ -300,44 +446,11 @@ uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻

 默认使用 chrome 指纹。

-## ECH 字段
+### ECH 字段

-ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
-信息。
+ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分信息。

-ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
-
-#### key
-
-==仅服务器==
-
-ECH PEM 密钥行数组
-
-#### key_path
-
-==仅服务器==
-
-!!! note ""
-
-    文件更改时将自动重新加载。
-
-ECH PEM 密钥路径
-
-#### config
-
-==仅客户端==
-
-ECH PEM 配置行数组
-
-如果为空，将尝试从 DNS 加载。
-
-#### config_path
-
-==仅客户端==
-
-ECH PEM 配置路径
-
-如果为空，将尝试从 DNS 加载。
+ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。

 #### pq_signature_schemes_enabled

@@ -347,8 +460,6 @@ ECH PEM 配置路径

 启用对后量子对等证书签名方案的支持。

-建议匹配 `sing-box generate ech-keypair` 的参数。
-
 #### dynamic_record_sizing_disabled

 !!! failure "已在 sing-box 1.12.0 废弃"
@@ -357,57 +468,91 @@ ECH PEM 配置路径

 禁用 TLS 记录的自适应大小调整。

-如果为 true，则始终使用最大可能的 TLS 记录大小。
-如果为 false，则可能会调整 TLS 记录的大小以尝试改善延迟。
+当为 true 时，总是使用最大可能的 TLS 记录大小。
+当为 false 时，可能会调整 TLS 记录的大小以尝试改善延迟。

-#### tls_fragment
+#### key
+
+==仅服务器==
+
+ECH 密钥行数组，PEM 格式。
+
+#### key_path
+
+==仅服务器==
+
+!!! note ""
+
+    文件更改时将自动重新加载。
+
+ECH 密钥路径，PEM 格式。
+
+#### config
+
+==仅客户端==
+
+ECH 配置行数组，PEM 格式。
+
+如果为空，将尝试从 DNS 加载。
+
+#### config_path
+
+==仅客户端==
+
+ECH 配置路径，PEM 格式。
+
+如果为空，将尝试从 DNS 加载。
+
+#### fragment

 !!! question "自 sing-box 1.12.0 起"

 ==仅客户端==

-通过分段 TLS 握手数据包来绕过防火墙检测。
+通过分段 TLS 握手数据包来绕过防火墙。

-此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
+此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真正的审查。

-由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
+由于性能不佳，请首先尝试 `record_fragment`，且仅应用于已知被阻止的服务器名称。

-在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
-若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
+在 Linux、Apple 平台和（需要管理员权限的）Windows 系统上，
+可以自动检测等待时间。否则，将回退到
+等待 `fragment_fallback_delay` 指定的固定时间。

-此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
+此外，如果实际等待时间少于 20ms，也会回退到等待固定时间，
+因为目标被认为是本地的或在透明代理后面。

-#### tls_fragment_fallback_delay
+#### fragment_fallback_delay

 !!! question "自 sing-box 1.12.0 起"

 ==仅客户端==

-当 TLS 分片功能无法自动判定等待时间时使用的回退值。
+当 TLS 分段无法自动确定等待时间时使用的回退值。

 默认使用 `500ms`。

-#### tls_record_fragment
-
-==仅客户端==
+#### record_fragment

 !!! question "自 sing-box 1.12.0 起"

-通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
+==仅客户端==
+
+将 TLS 握手分段为多个 TLS 记录以绕过防火墙。

 ### ACME 字段

 #### domain

-一组域名。
+域名列表。

-默认禁用 ACME。
+如果为空则禁用 ACME。

 #### data_directory

-ACME 数据目录。
+ACME 数据存储目录。

-默认使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。
+如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。

 #### default_server_name

@@ -445,12 +590,11 @@ ACME 数据目录。

 #### external_account

-EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知帐户所需的信息由 CA。
+EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。

-外部帐户绑定“用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。
+外部帐户绑定"用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。

-为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要向 ACME 客户端提供 MAC 密钥和密钥标识符，使用 ACME 之外的一些机制。
-§7.3.4
+为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4

 #### external_account.key_id

@@ -500,6 +644,8 @@ ACME DNS01 验证字段。如果配置，将禁用其他验证方法。

 #### max_time_difference

-服务器与和客户端之间允许的最大时间差。
+==仅服务器==

-默认禁用检查。
+服务器和客户端之间的最大时间差。
+
+如果为空则禁用检查。
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	00bde8c682	documentation: Bump version	2025-10-21 18:23:11 +08:00
世界	d5d0f79a29	Add claude code multiplexer service	2025-10-21 18:23:11 +08:00
世界	a514ff8f8e	Fix compatibility with MPTCP	2025-10-18 16:01:43 +08:00
世界	cf5d767010	Use a more conservative strategy for resolving with systemd-resolved for local DNS server	2025-10-16 23:25:42 +08:00
世界	d35ce5961f	Fix missing mTLS support in client options	2025-10-16 22:33:23 +08:00
世界	7c295acb68	Add curve preferences, pinned public key SHA256 and mTLS for TLS options	2025-10-16 22:33:23 +08:00
世界	22a0c4ff7e	Fix WireGuard input packet	2025-10-16 22:33:23 +08:00
世界	eb0d90fac9	Update tfo-go to latest	2025-10-16 22:33:16 +08:00
世界	be0d5c88c0	Remove compatibility codes	2025-10-16 22:32:45 +08:00
世界	99ff60dbf9	Do not use linkname by default to simplify debugging	2025-10-16 22:32:44 +08:00
世界	440bc52adc	documentation: Update chinese translations	2025-10-16 22:32:44 +08:00
世界	a120003f4e	Update quic-go to v0.54.0	2025-10-16 22:32:44 +08:00
世界	13dc72c21b	Update WireGuard and Tailscale	2025-10-16 22:32:37 +08:00
世界	5453800a53	Fix preConnectionCopy	2025-10-16 22:31:08 +08:00
世界	0546d8c1b2	Fix ping domain	2025-10-16 22:31:07 +08:00
世界	1073ceb741	release: Fix linux build	2025-10-16 22:31:07 +08:00
世界	c8efe05647	Improve ktls rx error handling	2025-10-16 22:31:07 +08:00
世界	8486748f3f	Improve compatibility for kTLS	2025-10-16 22:31:06 +08:00
世界	281f4d17ab	ktls: Add warning for inappropriate scenarios	2025-10-16 22:31:06 +08:00
世界	f18bcdafd7	Add support for kTLS Reference: https://gitlab.com/go-extension/tls	2025-10-16 22:31:06 +08:00
世界	955e3f35e9	Add proxy support for ICMP echo request	2025-10-16 22:31:05 +08:00
世界	2d78675919	Fix resolve using resolved	2025-10-16 22:30:48 +08:00
世界	e6e1f79762	documentation: Update behavior of `local` DNS server on darwin	2025-10-16 22:30:48 +08:00
世界	a6879c43f8	Remove use of ldflags `-checklinkname=0` on darwin	2025-10-16 22:30:47 +08:00
世界	384e993cf8	Fix legacy DNS config	2025-10-16 22:30:47 +08:00
世界	2364be4996	Fix rule-set format	2025-10-16 22:30:46 +08:00
世界	bbe5063fad	documentation: Remove outdated icons	2025-10-16 22:30:46 +08:00
世界	51aca02b24	documentation: Improve `local` DNS server	2025-10-16 22:30:46 +08:00
世界	384f5211d8	Stop using DHCP on iOS and tvOS We do not have the `com.apple.developer.networking.multicast` entitlement and are unable to obtain it for non-technical reasons.	2025-10-16 22:30:46 +08:00
世界	f61b5b6c8f	Improve `local` DNS server on darwin We mistakenly believed that `libresolv`'s `search` function worked correctly in NetworkExtension, but it seems only `getaddrinfo` does. This commit changes the behavior of the `local` DNS server in NetworkExtension to prefer DHCP, falling back to `getaddrinfo` if DHCP servers are unavailable. It's worth noting that `prefer_go` does not disable DHCP since it respects Dial Fields, but `getaddrinfo` does the opposite. The new behavior only applies to NetworkExtension, not to all scenarios (primarily command-line binaries) as it did previously. In addition, this commit also improves the DHCP DNS server to use the same robust query logic as `local`.	2025-10-16 22:30:45 +08:00
世界	38828d829b	Use resolved in local DNS server if available	2025-10-16 22:30:44 +08:00
xchacha20-poly1305	1bba3e73f1	Fix rule set version	2025-10-16 22:30:44 +08:00
世界	5483695f8a	documentation: Add `preferred_by` route rule item	2025-10-16 22:30:44 +08:00
世界	3ff6df244c	Add `preferred_by` route rule item	2025-10-16 22:30:43 +08:00
世界	740da4467e	documentation: Add interface address rule items	2025-10-16 22:30:43 +08:00
世界	41db8b8647	Add interface address rule items	2025-10-16 22:30:43 +08:00
世界	32bf1db663	Fix ECH retry support	2025-10-16 22:30:43 +08:00
neletor	30f7ceec79	Add support for ech retry configs	2025-10-16 22:30:43 +08:00
Zephyruso	3eb3ad6522	Add `/dns/flush-clash` meta api	2025-10-16 22:30:43 +08:00
世界	5de6f4a14f	Fix tailscale not enforcing NoLogsNoSupport	2025-10-16 22:30:08 +08:00
世界	5658830077	Fix trailing dot handling in local DNS transport	2025-10-16 21:43:12 +08:00
世界	0e50edc009	documentation: Add appreciate for Warp	2025-10-16 21:43:12 +08:00
世界	444f454810	Bump version	2025-10-14 23:43:36 +08:00
世界	d0e1fd6c7e	Update Go to 1.25.3	2025-10-14 23:43:36 +08:00
世界	17b4d1e010	Update uTLS to v1.8.1	2025-10-14 23:40:19 +08:00
世界	06791470c9	Fix DNS reject panic	2025-10-14 23:40:19 +08:00
世界	ef14c8ca0e	Disable TCP slow open for anytls Fixes #3459	2025-10-14 23:40:19 +08:00
世界	36dc883c7c	Fix DNS negative caching to comply with RFC 2308	2025-10-09 23:45:23 +08:00
Mahdi	6557bd7029	Fix dns cache in lookup	2025-10-09 23:45:23 +08:00
世界	41b30c91d9	Improve HTTPS DNS transport	2025-10-09 23:45:23 +08:00
世界	0f767d5ce1	Update .gitignore	2025-10-07 13:37:11 +08:00
世界	328a6de797	Bump version	2025-10-05 17:58:21 +08:00
Mahdi	886be6414d	Fix dns truncate	2025-10-05 17:58:21 +08:00
世界	9362d3cab3	Attempt to fix leak in quic-go	2025-10-01 11:59:17 +08:00
世界	ced2e39dbf	Update dependencies	2025-10-01 11:55:33 +08:00
anytls	2159d8877b	Update anytls v0.0.11 Co-authored-by: anytls <anytls>	2025-10-01 10:23:15 +08:00
世界	cb7dba3eff	release: Improve publish testflight	2025-10-01 10:22:44 +08:00
世界	d9d7f7880d	Pin gofumpt and golangci-lint versions As we don't want to remove naked returns	2025-09-23 16:33:42 +08:00
世界	a031aaf2c0	Do not reset network on sleep or wake	2025-09-23 16:17:44 +08:00
世界	4bca951773	Fix adguard matcher	2025-09-23 16:12:29 +08:00
世界	140735dbde	Fix websocket log handling	2025-09-23 16:12:29 +08:00
世界	714a68bba1	Update .gitignore	2025-09-23 16:12:29 +08:00
世界	573c6179ab	Bump version	2025-09-13 13:16:13 +08:00
世界	510bf05e36	Fix UDP exchange for local/dhcp DNS servers	2025-09-13 12:26:48 +08:00
世界	ae852e0be4	Bump version	2025-09-13 03:09:10 +08:00
世界	1955002ed8	Do not cache DNS responses with empty answers	2025-09-13 03:04:08 +08:00
世界	44559fb7b9	Bump version	2025-09-13 00:07:57 +08:00
世界	0977c5cf73	release: Disable Apple platform CI builds, since ``-allowProvisioningUpdates` is broken by Apple	2025-09-13 00:07:57 +08:00
世界	07697bf931	release: Fix xcode build	2025-09-12 22:57:44 +08:00
世界	5d1d1a1456	Fix TCP exchange for local/dhcp DNS servers	2025-09-12 21:58:48 +08:00
世界	146383499e	Fix race codes	2025-09-12 21:58:48 +08:00
世界	e81a76fdf9	Fix DNS exchange	2025-09-12 18:05:02 +08:00
世界	de13137418	Fix auto redirect	2025-09-12 11:04:12 +08:00
世界	e42b818c2a	Fix dhcp fetch	2025-09-12 11:03:13 +08:00