tools: Network Quality

tun: Fixes
oom-killer: Free memory on pressure notification and use gradual interval backoff
2026-04-13 20:28:32 +10:00 · 2026-04-08 14:44:14 +08:00 · 2026-04-07 23:39:49 +08:00 · 2026-04-07 23:38:44 +08:00 · 2026-04-07 23:37:48 +08:00 · 2026-04-07 23:37:48 +08:00
307 changed files with 21569 additions and 2542 deletions
--- a/.fpm_systemd
+++ b/.fpm_systemd
@@ -4,6 +4,7 @@
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
+--vendor SagerNet
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
 --no-deb-generate-changes
--- a/.github/CRONET_GO_VERSION
+++ b/.github/CRONET_GO_VERSION
@@ -1 +1 @@
-cba7b9ac0399055aa49fbdc57c03c374f58e1597
+ea7cd33752aed62603775af3df946c1b83f4b0b3
--- a/.github/build_alpine_apk.sh
+++ b/.github/build_alpine_apk.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm755 "$PROJECT/release/config/sing-box.initd" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/sing-box.confd" "$ROOT_DIR/etc/conf.d/sing-box"
+
+# Service files
+install -Dm644 "$PROJECT/release/config/sing-box.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box.service"
+install -Dm644 "$PROJECT/release/config/sing-box@.service" "$ROOT_DIR/usr/lib/systemd/system/sing-box@.service"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/conf.d/sing-box
+/etc/init.d/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later with name use or association addition" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"
--- a/.github/build_openwrt_apk.sh
+++ b/.github/build_openwrt_apk.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+ARCHITECTURE="$1"
+VERSION="$2"
+BINARY_PATH="$3"
+OUTPUT_PATH="$4"
+
+if [ -z "$ARCHITECTURE" ] || [ -z "$VERSION" ] || [ -z "$BINARY_PATH" ] || [ -z "$OUTPUT_PATH" ]; then
+  echo "Usage: $0 <architecture> <version> <binary_path> <output_path>"
+  exit 1
+fi
+
+PROJECT=$(cd "$(dirname "$0")/.."; pwd)
+
+# Convert version to APK format:
+#   1.13.0-beta.8  -> 1.13.0_beta8-r0
+#   1.13.0-rc.3    -> 1.13.0_rc3-r0
+#   1.13.0         -> 1.13.0-r0
+APK_VERSION=$(echo "$VERSION" | sed -E 's/-([a-z]+)\.([0-9]+)/_\1\2/')
+APK_VERSION="${APK_VERSION}-r0"
+
+ROOT_DIR=$(mktemp -d)
+trap 'rm -rf "$ROOT_DIR"' EXIT
+
+# Binary
+install -Dm755 "$BINARY_PATH" "$ROOT_DIR/usr/bin/sing-box"
+
+# Config files
+install -Dm644 "$PROJECT/release/config/config.json" "$ROOT_DIR/etc/sing-box/config.json"
+install -Dm644 "$PROJECT/release/config/openwrt.conf" "$ROOT_DIR/etc/config/sing-box"
+install -Dm755 "$PROJECT/release/config/openwrt.init" "$ROOT_DIR/etc/init.d/sing-box"
+install -Dm644 "$PROJECT/release/config/openwrt.keep" "$ROOT_DIR/lib/upgrade/keep.d/sing-box"
+
+# Completions
+install -Dm644 "$PROJECT/release/completions/sing-box.bash" "$ROOT_DIR/usr/share/bash-completion/completions/sing-box.bash"
+install -Dm644 "$PROJECT/release/completions/sing-box.fish" "$ROOT_DIR/usr/share/fish/vendor_completions.d/sing-box.fish"
+install -Dm644 "$PROJECT/release/completions/sing-box.zsh" "$ROOT_DIR/usr/share/zsh/site-functions/_sing-box"
+
+# License
+install -Dm644 "$PROJECT/LICENSE" "$ROOT_DIR/usr/share/licenses/sing-box/LICENSE"
+
+# APK metadata
+PACKAGES_DIR="$ROOT_DIR/lib/apk/packages"
+mkdir -p "$PACKAGES_DIR"
+
+# .conffiles
+cat > "$PACKAGES_DIR/.conffiles" <<'EOF'
+/etc/config/sing-box
+/etc/sing-box/config.json
+EOF
+
+# .conffiles_static (sha256 checksums)
+while IFS= read -r conffile; do
+  sha256=$(sha256sum "$ROOT_DIR$conffile" | cut -d' ' -f1)
+  echo "$conffile $sha256"
+done < "$PACKAGES_DIR/.conffiles" > "$PACKAGES_DIR/.conffiles_static"
+
+# .list (all files, excluding lib/apk/packages/ metadata)
+(cd "$ROOT_DIR" && find . -type f -o -type l) \
+  | sed 's|^\./|/|' \
+  | grep -v '^/lib/apk/packages/' \
+  | sort > "$PACKAGES_DIR/.list"
+
+# Build APK
+apk mkpkg \
+  --info "name:sing-box" \
+  --info "version:${APK_VERSION}" \
+  --info "description:The universal proxy platform." \
+  --info "arch:${ARCHITECTURE}" \
+  --info "license:GPL-3.0-or-later" \
+  --info "origin:sing-box" \
+  --info "url:https://sing-box.sagernet.org/" \
+  --info "maintainer:nekohasekai <contact-git@sekai.icu>" \
+  --info "depends:ca-bundle kmod-inet-diag kmod-tun firewall4 kmod-nft-queue" \
+  --info "provider-priority:100" \
+  --script "pre-deinstall:${PROJECT}/release/config/openwrt.prerm" \
+  --files "$ROOT_DIR" \
+  --output "$OUTPUT_PATH"
--- a/.github/detect_track.sh
+++ b/.github/detect_track.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+branches=$(git branch -r --contains HEAD)
+if echo "$branches" | grep -q 'origin/stable'; then
+  track=stable
+elif echo "$branches" | grep -q 'origin/testing'; then
+  track=testing
+elif echo "$branches" | grep -q 'origin/oldstable'; then
+  track=oldstable
+else
+  echo "ERROR: HEAD is not on any known release branch (stable/testing/oldstable)" >&2
+  exit 1
+fi
+
+if [[ "$track" == "stable" ]]; then
+  tag=$(git describe --tags --exact-match HEAD 2>/dev/null || true)
+  if [[ -n "$tag" && "$tag" == *"-"* ]]; then
+    track=beta
+  fi
+fi
+
+case "$track" in
+  stable)    name=sing-box;           docker_tag=latest ;;
+  beta)      name=sing-box-beta;      docker_tag=latest-beta ;;
+  testing)   name=sing-box-testing;   docker_tag=latest-testing ;;
+  oldstable) name=sing-box-oldstable; docker_tag=latest-oldstable ;;
+esac
+
+echo "track=${track} name=${name} docker_tag=${docker_tag}" >&2
+echo "TRACK=${track}" >> "$GITHUB_ENV"
+echo "NAME=${name}" >> "$GITHUB_ENV"
+echo "DOCKER_TAG=${docker_tag}" >> "$GITHUB_ENV"
--- a/.github/setup_go_for_macos1013.sh
+++ b/.github/setup_go_for_macos1013.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "afe69d3cec1c6dcf0f1797b20546795730850070"
+  "1ed289b0cf87dc5aae9c6fe1aa5f200a83412938"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
+wget "https://dl.google.com/go/go${VERSION}.darwin-arm64.tar.gz"
+tar -xzf "go${VERSION}.darwin-arm64.tar.gz"
+#cp -a go go_bootstrap
+mv go go_osx
+cd go_osx
+
+# these patch URLs only work on golang1.25.x
+# that means after golang1.26 release it must be changed
+# see: https://github.com/SagerNet/go/commits/release-branch.go1.25/
+# revert:
+# 33d3f603c1: "cmd/link/internal/ld: use 12.0.0 OS/SDK versions for macOS linking"
+# 937368f84e: "crypto/x509: change how we retrieve chains on darwin"
+
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/SagerNet/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
+
+# Rebuild is not needed: we build with CGO_ENABLED=1, so Apple's external
+# linker handles LC_BUILD_VERSION via MACOSX_DEPLOYMENT_TARGET, and the
+# stdlib (crypto/x509) is compiled from patched src automatically.
+#cd src
+#GOROOT_BOOTSTRAP="$HOME/go/go_bootstrap" ./make.bash
+#cd ../..
+#rm -rf go_bootstrap "go${VERSION}.darwin-arm64.tar.gz"
--- a/.github/setup_go_for_windows7.sh
+++ b/.github/setup_go_for_windows7.sh
@@ -1,16 +1,35 @@
 #!/usr/bin/env bash

-VERSION="1.25.7"
+set -euo pipefail

-mkdir -p $HOME/go
-cd $HOME/go
+VERSION="1.25.8"
+PATCH_COMMITS=(
+  "466f6c7a29bc098b0d4c987b803c779222894a11"
+  "1bdabae205052afe1dadb2ad6f1ba612cdbc532a"
+  "a90777dcf692dd2168577853ba743b4338721b06"
+  "f6bddda4e8ff58a957462a1a09562924d5f3d05c"
+  "bed309eff415bcb3c77dd4bc3277b682b89a388d"
+  "34b899c2fb39b092db4fa67c4417e41dc046be4b"
+)
+CURL_ARGS=(
+  -fL
+  --silent
+  --show-error
+)
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+fi
+
+mkdir -p "$HOME/go"
+cd "$HOME/go"
 wget "https://dl.google.com/go/go${VERSION}.linux-amd64.tar.gz"
 tar -xzf "go${VERSION}.linux-amd64.tar.gz"
 mv go go_win7
 cd go_win7

 # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
-# this patch file only works on golang1.25.x
+# these patch URLs only work on golang1.25.x
 # that means after golang1.26 release it must be changed
 # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.25/
 # revert:
@@ -18,10 +37,10 @@ cd go_win7
 # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
 # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
 # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
+# fixes:
+# bed309eff415bcb3c77dd4bc3277b682b89a388d: "Fix os.RemoveAll not working on Windows7"
+# 34b899c2fb39b092db4fa67c4417e41dc046be4b: "Revert \"os: remove 5ms sleep on Windows in (*Process).Wait\""

-alias curl='curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"'
-
-curl https://github.com/MetaCubeX/go/commit/8cb5472d94c34b88733a81091bd328e70ee565a4.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/6788c4c6f9fafb56729bad6b660f7ee2272d699f.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/a5b2168bb836ed9d6601c626f95e56c07923f906.diff | patch --verbose -p 1
-curl https://github.com/MetaCubeX/go/commit/f56f1e23507e646c85243a71bde7b9629b2f970c.diff | patch --verbose -p 1
+for patch_commit in "${PATCH_COMMITS[@]}"; do
+  curl "${CURL_ARGS[@]}" "https://github.com/MetaCubeX/go/commit/${patch_commit}.diff" | patch --verbose -p 1
+done
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -72,27 +72,27 @@ jobs:
        include:
          - { os: linux, arch: amd64, variant: purego, naive: true }
          - { os: linux, arch: amd64, variant: glibc, naive: true }
-          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
+          - { os: linux, arch: amd64, variant: musl, naive: true, debian: amd64, rpm: x86_64, pacman: x86_64, alpine: x86_64, openwrt: "x86_64" }

          - { os: linux, arch: arm64, variant: purego, naive: true }
          - { os: linux, arch: arm64, variant: glibc, naive: true }
-          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
+          - { os: linux, arch: arm64, variant: musl, naive: true, debian: arm64, rpm: aarch64, pacman: aarch64, alpine: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }

          - { os: linux, arch: "386", go386: sse2 }
          - { os: linux, arch: "386", variant: glibc, naive: true, go386: sse2 }
-          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
+          - { os: linux, arch: "386", variant: musl, naive: true, go386: sse2, debian: i386, rpm: i386, alpine: x86, openwrt: "i386_pentium4" }

          - { os: linux, arch: arm, goarm: "7" }
          - { os: linux, arch: arm, variant: glibc, naive: true, goarm: "7" }
-          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
+          - { os: linux, arch: arm, variant: musl, naive: true, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, alpine: armv7, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }

          - { os: linux, arch: mipsle, gomips: hardfloat, naive: true, variant: glibc }
          - { os: linux, arch: mipsle, gomips: softfloat, naive: true, variant: musl, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
          - { os: linux, arch: mips64le, gomips: hardfloat, naive: true, variant: glibc, debian: mips64el, rpm: mips64el }
          - { os: linux, arch: riscv64, naive: true, variant: glibc }
-          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
+          - { os: linux, arch: riscv64, naive: true, variant: musl, debian: riscv64, rpm: riscv64, alpine: riscv64, openwrt: "riscv64_generic" }
          - { os: linux, arch: loong64, naive: true, variant: glibc }
-          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: loong64, naive: true, variant: musl, debian: loongarch64, rpm: loongarch64, alpine: loongarch64, openwrt: "loongarch64_generic" }

          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
@@ -121,15 +121,10 @@ jobs:
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! (matrix.legacy_win7 || matrix.legacy_go124) }}
+        if: ${{ ! matrix.legacy_win7 }}
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.10
+          go-version: ~1.25.8
      - name: Cache Go for Windows 7
        if: matrix.legacy_win7
        id: cache-go-for-windows7
@@ -137,9 +132,11 @@ jobs:
        with:
          path: |
            ~/go/go_win7
-          key: go_win7_1255
+          key: go_win7_1258
      - name: Setup Go for Windows 7
        if: matrix.legacy_win7 && steps.cache-go-for-windows7.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
        run: |-
          .github/setup_go_for_windows7.sh
      - name: Setup Go for Windows 7
@@ -399,6 +396,30 @@ jobs:
            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
          done
          rm "dist/openwrt.deb"
+      - name: Install apk-tools
+        if: matrix.openwrt != '' || matrix.alpine != ''
+        run: |-
+          docker run --rm -v /usr/local/bin:/mnt alpine:edge sh -c "apk add --no-cache apk-tools-static && cp /sbin/apk.static /mnt/apk && chmod +x /mnt/apk"
+      - name: Package OpenWrt APK
+        if: matrix.openwrt != ''
+        run: |-
+          set -xeuo pipefail
+          for architecture in ${{ matrix.openwrt }}; do
+            .github/build_openwrt_apk.sh \
+              "$architecture" \
+              "${{ needs.calculate_version.outputs.version }}" \
+              "dist/sing-box" \
+              "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.apk"
+          done
+      - name: Package Alpine APK
+        if: matrix.alpine != ''
+        run: |-
+          set -xeuo pipefail
+          .github/build_alpine_apk.sh \
+            "${{ matrix.alpine }}" \
+            "${{ needs.calculate_version.outputs.version }}" \
+            "dist/sing-box" \
+            "dist/sing-box_${{ needs.calculate_version.outputs.version }}_linux_${{ matrix.alpine }}.apk"
      - name: Archive
        run: |
          set -xeuo pipefail
@@ -434,22 +455,36 @@ jobs:
        include:
          - { arch: amd64 }
          - { arch: arm64 }
-          - { arch: amd64, legacy_go124: true, legacy_name: "macos-11" }
+          - { arch: amd64, legacy_osx: true, legacy_name: "macos-10.13" }
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
      - name: Setup Go
-        if: ${{ ! matrix.legacy_go124 }}
+        if: ${{ ! matrix.legacy_osx }}
        uses: actions/setup-go@v5
        with:
          go-version: ^1.25.3
-      - name: Setup Go 1.24
-        if: matrix.legacy_go124
-        uses: actions/setup-go@v5
+      - name: Cache Go for macOS 10.13
+        if: matrix.legacy_osx
+        id: cache-go-for-macos1013
+        uses: actions/cache@v4
        with:
-          go-version: ~1.24.6
+          path: |
+            ~/go/go_osx
+          key: go_osx_1258
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx && steps.cache-go-for-macos1013.outputs.cache-hit != 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |-
+          .github/setup_go_for_macos1013.sh
+      - name: Setup Go for macOS 10.13
+        if: matrix.legacy_osx
+        run: |-
+          echo "PATH=$HOME/go/go_osx/bin:$PATH" >> $GITHUB_ENV
+          echo "GOROOT=$HOME/go/go_osx" >> $GITHUB_ENV
      - name: Set tag
        run: |-
          git ls-remote --exit-code --tags origin v${{ needs.calculate_version.outputs.version }} || echo "PUBLISHED=false" >> "$GITHUB_ENV"
@@ -457,7 +492,7 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          if [[ "${{ matrix.legacy_go124 }}" != "true" ]]; then
+          if [[ "${{ matrix.legacy_osx }}" != "true" ]]; then
            TAGS=$(cat release/DEFAULT_BUILD_TAGS)
          else
            TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)
@@ -477,6 +512,7 @@ jobs:
          CGO_ENABLED: "1"
          GOOS: darwin
          GOARCH: ${{ matrix.arch }}
+          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.legacy_osx && '10.13' || '' }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set name
        run: |-
@@ -605,7 +641,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -695,7 +731,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@@ -794,7 +830,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Set tag
        if: matrix.if
        run: |-
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,7 +19,6 @@ env:
 jobs:
  build_binary:
    name: Build binary
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
@@ -56,7 +55,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -260,13 +259,13 @@ jobs:
          fi
          echo "ref=$ref"
          echo "ref=$ref" >> $GITHUB_OUTPUT
-          if [[ $ref == *"-"* ]]; then
-            latest=latest-beta
-          else
-            latest=latest
-          fi
-          echo "latest=$latest"
-          echo "latest=$latest" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+          fetch-depth: 0
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Download digests
        uses: actions/download-artifact@v5
        with:
@@ -286,11 +285,11 @@ jobs:
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create \
-            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}" \
+            -t "${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}" \
            -t "${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}" \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        if: github.event_name != 'push'
        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.latest }}
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ env.DOCKER_TAG }}
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.ref.outputs.ref }}
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -11,11 +11,6 @@ on:
        description: "Version name"
        required: true
        type: string
-      forceBeta:
-        description: "Force beta"
-        required: false
-        type: boolean
-        default: false
  release:
    types:
      - published
@@ -23,7 +18,6 @@ on:
 jobs:
  calculate_version:
    name: Calculate version
-    if: github.event_name != 'release' || github.event.release.target_commitish != 'oldstable'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.outputs.outputs.version }}
@@ -35,7 +29,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@@ -78,7 +72,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ~1.25.7
+          go-version: ~1.25.8
      - name: Clone cronet-go
        if: matrix.naive
        run: |
@@ -168,14 +162,8 @@ jobs:
      - name: Set mtime
        run: |-
          TZ=UTC touch -t '197001010000' dist/sing-box
-      - name: Set name
-        if: (! contains(needs.calculate_version.outputs.version, '-')) && !inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box" >> "$GITHUB_ENV"
-      - name: Set beta name
-        if: contains(needs.calculate_version.outputs.version, '-') || inputs.forceBeta
-        run: |-
-          echo "NAME=sing-box-beta" >> "$GITHUB_ENV"
+      - name: Detect track
+        run: bash .github/detect_track.sh
      - name: Set version
        run: |-
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
--- a/adapter/certificate/adapter.go
+++ b/adapter/certificate/adapter.go
@@ -0,0 +1,21 @@
+package certificate
+
+type Adapter struct {
+	providerType string
+	providerTag  string
+}
+
+func NewAdapter(providerType string, providerTag string) Adapter {
+	return Adapter{
+		providerType: providerType,
+		providerTag:  providerTag,
+	}
+}
+
+func (a *Adapter) Type() string {
+	return a.providerType
+}
+
+func (a *Adapter) Tag() string {
+	return a.providerTag
+}
--- a/adapter/certificate/manager.go
+++ b/adapter/certificate/manager.go
@@ -0,0 +1,158 @@
+package certificate
+
+import (
+	"context"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ adapter.CertificateProviderManager = (*Manager)(nil)
+
+type Manager struct {
+	logger        log.ContextLogger
+	registry      adapter.CertificateProviderRegistry
+	access        sync.Mutex
+	started       bool
+	stage         adapter.StartStage
+	providers     []adapter.CertificateProviderService
+	providerByTag map[string]adapter.CertificateProviderService
+}
+
+func NewManager(logger log.ContextLogger, registry adapter.CertificateProviderRegistry) *Manager {
+	return &Manager{
+		logger:        logger,
+		registry:      registry,
+		providerByTag: make(map[string]adapter.CertificateProviderService),
+	}
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	providers := m.providers
+	m.access.Unlock()
+	for _, provider := range providers {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		m.logger.Trace(stage, " ", name)
+		startTime := time.Now()
+		err := adapter.LegacyStart(provider, stage)
+		if err != nil {
+			return E.Cause(err, stage, " ", name)
+		}
+		m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if !m.started {
+		return nil
+	}
+	m.started = false
+	providers := m.providers
+	m.providers = nil
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	var err error
+	for _, provider := range providers {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		m.logger.Trace("close ", name)
+		startTime := time.Now()
+		monitor.Start("close ", name)
+		err = E.Append(err, provider.Close(), func(err error) error {
+			return E.Cause(err, "close ", name)
+		})
+		monitor.Finish()
+		m.logger.Trace("close ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+	}
+	return err
+}
+
+func (m *Manager) CertificateProviders() []adapter.CertificateProviderService {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.providers
+}
+
+func (m *Manager) Get(tag string) (adapter.CertificateProviderService, bool) {
+	m.access.Lock()
+	provider, found := m.providerByTag[tag]
+	m.access.Unlock()
+	return provider, found
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	provider, found := m.providerByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.providerByTag, tag)
+	index := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
+		return it == provider
+	})
+	if index == -1 {
+		panic("invalid certificate provider index")
+	}
+	m.providers = append(m.providers[:index], m.providers[index+1:]...)
+	started := m.started
+	m.access.Unlock()
+	if started {
+		return provider.Close()
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error {
+	provider, err := m.registry.Create(ctx, logger, tag, providerType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		name := "certificate-provider/" + provider.Type() + "[" + provider.Tag() + "]"
+		for _, stage := range adapter.ListStartStages {
+			m.logger.Trace(stage, " ", name)
+			startTime := time.Now()
+			err = adapter.LegacyStart(provider, stage)
+			if err != nil {
+				return E.Cause(err, stage, " ", name)
+			}
+			m.logger.Trace(stage, " ", name, " completed (", F.Seconds(time.Since(startTime).Seconds()), "s)")
+		}
+	}
+	if existsProvider, loaded := m.providerByTag[tag]; loaded {
+		if m.started {
+			err = existsProvider.Close()
+			if err != nil {
+				return E.Cause(err, "close certificate-provider/", existsProvider.Type(), "[", existsProvider.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.providers, func(it adapter.CertificateProviderService) bool {
+			return it == existsProvider
+		})
+		if existsIndex == -1 {
+			panic("invalid certificate provider index")
+		}
+		m.providers = append(m.providers[:existsIndex], m.providers[existsIndex+1:]...)
+	}
+	m.providers = append(m.providers, provider)
+	m.providerByTag[tag] = provider
+	return nil
+}
--- a/adapter/certificate/registry.go
+++ b/adapter/certificate/registry.go
@@ -0,0 +1,72 @@
+package certificate
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.CertificateProviderService, error)
+
+func Register[Options any](registry *Registry, providerType string, constructor ConstructorFunc[Options]) {
+	registry.register(providerType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.CertificateProviderService, error) {
+		var options *Options
+		if rawOptions != nil {
+			options = rawOptions.(*Options)
+		}
+		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
+	})
+}
+
+var _ adapter.CertificateProviderRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.CertificateProviderService, error)
+)
+
+type Registry struct {
+	access      sync.Mutex
+	optionsType map[string]optionsConstructorFunc
+	constructor map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType: make(map[string]optionsConstructorFunc),
+		constructor: make(map[string]constructorFunc),
+	}
+}
+
+func (m *Registry) CreateOptions(providerType string) (any, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	optionsConstructor, loaded := m.optionsType[providerType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (adapter.CertificateProviderService, error) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	constructor, loaded := m.constructor[providerType]
+	if !loaded {
+		return nil, E.New("certificate provider type not found: " + providerType)
+	}
+	return constructor(ctx, logger, tag, options)
+}
+
+func (m *Registry) register(providerType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	m.optionsType[providerType] = optionsConstructor
+	m.constructor[providerType] = constructor
+}
--- a/adapter/certificate_provider.go
+++ b/adapter/certificate_provider.go
@@ -0,0 +1,38 @@
+package adapter
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+)
+
+type CertificateProvider interface {
+	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+}
+
+type ACMECertificateProvider interface {
+	CertificateProvider
+	GetACMENextProtos() []string
+}
+
+type CertificateProviderService interface {
+	Lifecycle
+	Type() string
+	Tag() string
+	CertificateProvider
+}
+
+type CertificateProviderRegistry interface {
+	option.CertificateProviderOptionsRegistry
+	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) (CertificateProviderService, error)
+}
+
+type CertificateProviderManager interface {
+	Lifecycle
+	CertificateProviders() []CertificateProviderService
+	Get(tag string) (CertificateProviderService, bool)
+	Remove(tag string) error
+	Create(ctx context.Context, logger log.ContextLogger, tag string, providerType string, options any) error
+}
--- a/adapter/dns.go
+++ b/adapter/dns.go
@@ -25,8 +25,8 @@ type DNSRouter interface {

 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error)
 	ClearCache()
 }

@@ -72,11 +72,6 @@ type DNSTransport interface {
 	Exchange(ctx context.Context, message *dns.Msg) (*dns.Msg, error)
 }

-type LegacyDNSTransport interface {
-	LegacyStrategy() C.DomainStrategy
-	LegacyClientSubnet() netip.Prefix
-}
-
 type DNSTransportRegistry interface {
 	option.DNSTransportOptionsRegistry
 	CreateDNSTransport(ctx context.Context, logger log.ContextLogger, tag string, transportType string, options any) (DNSTransport, error)
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -2,6 +2,7 @@ package adapter

 import (
 	"context"
+	"net"
 	"net/netip"
 	"time"

@@ -9,6 +10,8 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/miekg/dns"
 )

 type Inbound interface {
@@ -78,12 +81,16 @@ type InboundContext struct {
 	FallbackNetworkType []C.InterfaceType
 	FallbackDelay       time.Duration

-	DestinationAddresses []netip.Addr
-	SourceGeoIPCode      string
-	GeoIPCode            string
-	ProcessInfo          *ConnectionOwner
-	QueryType            uint16
-	FakeIP               bool
+	DestinationAddresses                []netip.Addr
+	DNSResponse                         *dns.Msg
+	DestinationAddressMatchFromResponse bool
+	SourceGeoIPCode                     string
+	GeoIPCode                           string
+	ProcessInfo                         *ConnectionOwner
+	SourceMACAddress                    net.HardwareAddr
+	SourceHostname                      string
+	QueryType                           uint16
+	FakeIP                              bool

 	// rule cache

@@ -101,6 +108,10 @@ type InboundContext struct {
 func (c *InboundContext) ResetRuleCache() {
 	c.IPCIDRMatchSource = false
 	c.IPCIDRAcceptEmpty = false
+	c.ResetRuleMatchCache()
+}
+
+func (c *InboundContext) ResetRuleMatchCache() {
 	c.SourceAddressMatch = false
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
@@ -108,6 +119,51 @@ func (c *InboundContext) ResetRuleCache() {
 	c.DidMatch = false
 }

+func (c *InboundContext) DNSResponseAddressesForMatch() []netip.Addr {
+	return DNSResponseAddresses(c.DNSResponse)
+}
+
+func DNSResponseAddresses(response *dns.Msg) []netip.Addr {
+	if response == nil || response.Rcode != dns.RcodeSuccess {
+		return nil
+	}
+	addresses := make([]netip.Addr, 0, len(response.Answer))
+	for _, rawRecord := range response.Answer {
+		switch record := rawRecord.(type) {
+		case *dns.A:
+			addr := M.AddrFromIP(record.A)
+			if addr.IsValid() {
+				addresses = append(addresses, addr)
+			}
+		case *dns.AAAA:
+			addr := M.AddrFromIP(record.AAAA)
+			if addr.IsValid() {
+				addresses = append(addresses, addr)
+			}
+		case *dns.HTTPS:
+			for _, value := range record.SVCB.Value {
+				switch hint := value.(type) {
+				case *dns.SVCBIPv4Hint:
+					for _, ip := range hint.Hint {
+						addr := M.AddrFromIP(ip).Unmap()
+						if addr.IsValid() {
+							addresses = append(addresses, addr)
+						}
+					}
+				case *dns.SVCBIPv6Hint:
+					for _, ip := range hint.Hint {
+						addr := M.AddrFromIP(ip)
+						if addr.IsValid() {
+							addresses = append(addresses, addr)
+						}
+					}
+				}
+			}
+		}
+	}
+	return addresses
+}
+
 type inboundContextKey struct{}

 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {
--- a/adapter/inbound_test.go
+++ b/adapter/inbound_test.go
@@ -0,0 +1,45 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDNSResponseAddressesUnmapsHTTPSIPv4Hints(t *testing.T) {
+	t.Parallel()
+
+	ipv4Hint := net.ParseIP("1.1.1.1")
+	require.NotNil(t, ipv4Hint)
+
+	response := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Response: true,
+			Rcode:    dns.RcodeSuccess,
+		},
+		Answer: []dns.RR{
+			&dns.HTTPS{
+				SVCB: dns.SVCB{
+					Hdr: dns.RR_Header{
+						Name:   dns.Fqdn("example.com"),
+						Rrtype: dns.TypeHTTPS,
+						Class:  dns.ClassINET,
+						Ttl:    60,
+					},
+					Priority: 1,
+					Target:   ".",
+					Value: []dns.SVCBKeyValue{
+						&dns.SVCBIPv4Hint{Hint: []net.IP{ipv4Hint}},
+					},
+				},
+			},
+		},
+	}
+
+	addresses := DNSResponseAddresses(response)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("1.1.1.1")}, addresses)
+	require.True(t, addresses[0].Is4())
+}
--- a/adapter/neighbor.go
+++ b/adapter/neighbor.go
@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    netip.Addr
+	MACAddress net.HardwareAddr
+	Hostname   string
+}
+
+type NeighborResolver interface {
+	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
+	LookupHostname(address netip.Addr) (string, bool)
+	Start() error
+	Close() error
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries []NeighborEntry)
+}
--- a/adapter/platform.go
+++ b/adapter/platform.go
@@ -36,6 +36,10 @@ type PlatformInterface interface {

 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
+
+	UsePlatformNeighborResolver() bool
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }

 type FindConnectionOwnerRequest struct {
@@ -47,11 +51,11 @@ type FindConnectionOwnerRequest struct {
 }

 type ConnectionOwner struct {
-	ProcessID          uint32
-	UserId             int32
-	UserName           string
-	ProcessPath        string
-	AndroidPackageName string
+	ProcessID           uint32
+	UserId              int32
+	UserName            string
+	ProcessPath         string
+	AndroidPackageNames []string
 }

 type Notification struct {
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -26,6 +26,8 @@ type Router interface {
 	RuleSet(tag string) (RuleSet, bool)
 	Rules() []Rule
 	NeedFindProcess() bool
+	NeedFindNeighbor() bool
+	NeighborResolver() NeighborResolver
 	AppendTracker(tracker ConnectionTracker)
 	ResetNetwork()
 }
@@ -64,10 +66,16 @@ type RuleSet interface {

 type RuleSetUpdateCallback func(it RuleSet)

+type DNSRuleSetUpdateValidator interface {
+	ValidateRuleSetMetadataUpdate(tag string, metadata RuleSetMetadata) error
+}
+
+// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
 type RuleSetMetadata struct {
-	ContainsProcessRule bool
-	ContainsWIFIRule    bool
-	ContainsIPCIDRRule  bool
+	ContainsProcessRule      bool
+	ContainsWIFIRule         bool
+	ContainsIPCIDRRule       bool
+	ContainsDNSQueryTypeRule bool
 }
 type HTTPStartContext struct {
 	ctx             context.Context
--- a/adapter/rule.go
+++ b/adapter/rule.go
@@ -2,6 +2,8 @@ package adapter

 import (
 	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/miekg/dns"
 )

 type HeadlessRule interface {
@@ -18,8 +20,9 @@ type Rule interface {

 type DNSRule interface {
 	Rule
+	LegacyPreMatch(metadata *InboundContext) bool
 	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
+	MatchAddressLimit(metadata *InboundContext, response *dns.Msg) bool
 }

 type RuleAction interface {
@@ -29,7 +32,7 @@ type RuleAction interface {

 func IsFinalAction(action RuleAction) bool {
 	switch action.Type() {
-	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve, C.RuleActionTypeEvaluate:
 		return false
 	default:
 		return true
--- a/box.go
+++ b/box.go
@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	boxCertificate "github.com/sagernet/sing-box/adapter/certificate"
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
@@ -37,20 +38,21 @@ import (
 var _ adapter.SimpleLifecycle = (*Box)(nil)

 type Box struct {
-	createdAt       time.Time
-	logFactory      log.Factory
-	logger          log.ContextLogger
-	network         *route.NetworkManager
-	endpoint        *endpoint.Manager
-	inbound         *inbound.Manager
-	outbound        *outbound.Manager
-	service         *boxService.Manager
-	dnsTransport    *dns.TransportManager
-	dnsRouter       *dns.Router
-	connection      *route.ConnectionManager
-	router          *route.Router
-	internalService []adapter.LifecycleService
-	done            chan struct{}
+	createdAt           time.Time
+	logFactory          log.Factory
+	logger              log.ContextLogger
+	network             *route.NetworkManager
+	endpoint            *endpoint.Manager
+	inbound             *inbound.Manager
+	outbound            *outbound.Manager
+	service             *boxService.Manager
+	certificateProvider *boxCertificate.Manager
+	dnsTransport        *dns.TransportManager
+	dnsRouter           *dns.Router
+	connection          *route.ConnectionManager
+	router              *route.Router
+	internalService     []adapter.LifecycleService
+	done                chan struct{}
 }

 type Options struct {
@@ -66,6 +68,7 @@ func Context(
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
 	serviceRegistry adapter.ServiceRegistry,
+	certificateProviderRegistry adapter.CertificateProviderRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@@ -90,6 +93,10 @@ func Context(
 		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
 		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
 	}
+	if service.FromContext[adapter.CertificateProviderRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.CertificateProviderOptionsRegistry](ctx, certificateProviderRegistry)
+		ctx = service.ContextWith[adapter.CertificateProviderRegistry](ctx, certificateProviderRegistry)
+	}
 	return ctx
 }

@@ -106,6 +113,7 @@ func New(options Options) (*Box, error) {
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
 	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)
+	certificateProviderRegistry := service.FromContext[adapter.CertificateProviderRegistry](ctx)

 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@@ -122,6 +130,9 @@ func New(options Options) (*Box, error) {
 	if serviceRegistry == nil {
 		return nil, E.New("missing service registry in context")
 	}
+	if certificateProviderRegistry == nil {
+		return nil, E.New("missing certificate provider registry in context")
+	}

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -160,10 +171,7 @@ func New(options Options) (*Box, error) {

 	var internalServices []adapter.LifecycleService
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
-	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
-		len(certificateOptions.Certificate) > 0 ||
-		len(certificateOptions.CertificatePath) > 0 ||
-		len(certificateOptions.CertificateDirectoryPath) > 0 {
+	if C.IsAndroid || C.IsDarwin || certificateOptions.Store != "" {
 		certificateStore, err := certificate.NewStore(ctx, logFactory.NewLogger("certificate"), certificateOptions)
 		if err != nil {
 			return nil, err
@@ -179,13 +187,16 @@ func New(options Options) (*Box, error) {
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
 	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
+	certificateProviderManager := boxCertificate.NewManager(logFactory.NewLogger("certificate-provider"), certificateProviderRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
 	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
+	service.MustRegister[adapter.CertificateProviderManager](ctx, certificateProviderManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
+	service.MustRegister[adapter.DNSRuleSetUpdateValidator](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions, dnsOptions)
 	if err != nil {
 		return nil, E.Cause(err, "initialize network manager")
@@ -272,6 +283,24 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
 	}
+	for i, serviceOptions := range options.Services {
+		var tag string
+		if serviceOptions.Tag != "" {
+			tag = serviceOptions.Tag
+		} else {
+			tag = F.ToString(i)
+		}
+		err = serviceManager.Create(
+			ctx,
+			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
+			tag,
+			serviceOptions.Type,
+			serviceOptions.Options,
+		)
+		if err != nil {
+			return nil, E.Cause(err, "initialize service[", i, "]")
+		}
+	}
 	for i, outboundOptions := range options.Outbounds {
 		var tag string
 		if outboundOptions.Tag != "" {
@@ -298,22 +327,22 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
+	for i, certificateProviderOptions := range options.CertificateProviders {
 		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
+		if certificateProviderOptions.Tag != "" {
+			tag = certificateProviderOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		err = serviceManager.Create(
+		err = certificateProviderManager.Create(
 			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
+			logFactory.NewLogger(F.ToString("certificate-provider/", certificateProviderOptions.Type, "[", tag, "]")),
 			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
+			certificateProviderOptions.Type,
+			certificateProviderOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
+			return nil, E.Cause(err, "initialize certificate provider[", i, "]")
 		}
 	}
 	outboundManager.Initialize(func() (adapter.Outbound, error) {
@@ -383,20 +412,21 @@ func New(options Options) (*Box, error) {
 		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:         networkManager,
-		endpoint:        endpointManager,
-		inbound:         inboundManager,
-		outbound:        outboundManager,
-		dnsTransport:    dnsTransportManager,
-		service:         serviceManager,
-		dnsRouter:       dnsRouter,
-		connection:      connectionManager,
-		router:          router,
-		createdAt:       createdAt,
-		logFactory:      logFactory,
-		logger:          logFactory.Logger(),
-		internalService: internalServices,
-		done:            make(chan struct{}),
+		network:             networkManager,
+		endpoint:            endpointManager,
+		inbound:             inboundManager,
+		outbound:            outboundManager,
+		dnsTransport:        dnsTransportManager,
+		service:             serviceManager,
+		certificateProvider: certificateProviderManager,
+		dnsRouter:           dnsRouter,
+		connection:          connectionManager,
+		router:              router,
+		createdAt:           createdAt,
+		logFactory:          logFactory,
+		logger:              logFactory.Logger(),
+		internalService:     internalServices,
+		done:                make(chan struct{}),
 	}, nil
 }

@@ -450,11 +480,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service, s.certificateProvider)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.dnsRouter, s.network, s.connection, s.router)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.outbound, s.dnsTransport, s.network, s.connection, s.router, s.dnsRouter)
 	if err != nil {
 		return err
 	}
@@ -470,11 +500,19 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.certificateProvider)
+	if err != nil {
+		return err
+	}
+	err = adapter.Start(s.logger, adapter.StartStateStart, s.inbound, s.service)
+	if err != nil {
+		return err
+	}
+	err = adapter.Start(s.logger, adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.endpoint, s.certificateProvider, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
@@ -482,7 +520,7 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(s.logger, adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.endpoint, s.certificateProvider, s.inbound, s.service)
 	if err != nil {
 		return err
 	}
@@ -506,8 +544,9 @@ func (s *Box) Close() error {
 		service adapter.Lifecycle
 	}{
 		{"service", s.service},
-		{"endpoint", s.endpoint},
 		{"inbound", s.inbound},
+		{"certificate-provider", s.certificateProvider},
+		{"endpoint", s.endpoint},
 		{"outbound", s.outbound},
 		{"router", s.router},
 		{"connection", s.connection},
--- a/clients/android
+++ b/clients/android
--- a/clients/apple
+++ b/clients/apple
--- a/cmd/sing-box/cmd_tools_networkquality.go
+++ b/cmd/sing-box/cmd_tools_networkquality.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/common/networkquality"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	commandNetworkQualityFlagConfigURL  string
+	commandNetworkQualityFlagSerial     bool
+	commandNetworkQualityFlagMaxRuntime int
+)
+
+var commandNetworkQuality = &cobra.Command{
+	Use:   "networkquality",
+	Short: "Run a network quality test",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := runNetworkQuality()
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandNetworkQuality.Flags().StringVar(
+		&commandNetworkQualityFlagConfigURL,
+		"config-url", "",
+		"Network quality test config URL (default: Apple mensura)",
+	)
+	commandNetworkQuality.Flags().BoolVar(
+		&commandNetworkQualityFlagSerial,
+		"serial", false,
+		"Run download and upload tests sequentially instead of in parallel",
+	)
+	commandNetworkQuality.Flags().IntVar(
+		&commandNetworkQualityFlagMaxRuntime,
+		"max-runtime", int(networkquality.DefaultMaxRuntime/time.Second),
+		"Network quality maximum runtime in seconds",
+	)
+	commandTools.AddCommand(commandNetworkQuality)
+}
+
+func runNetworkQuality() error {
+	instance, err := createPreStartedClient()
+	if err != nil {
+		return err
+	}
+	defer instance.Close()
+
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
+	if err != nil {
+		return err
+	}
+
+	httpClient := networkquality.NewHTTPClient(dialer)
+	defer httpClient.CloseIdleConnections()
+
+	fmt.Fprintln(os.Stderr, "==== NETWORK QUALITY TEST ====")
+
+	result, err := networkquality.Run(networkquality.Options{
+		ConfigURL:  commandNetworkQualityFlagConfigURL,
+		HTTPClient: httpClient,
+		Serial:     commandNetworkQualityFlagSerial,
+		MaxRuntime: time.Duration(commandNetworkQualityFlagMaxRuntime) * time.Second,
+		Context:    globalCtx,
+		OnProgress: func(p networkquality.Progress) {
+			if !commandNetworkQualityFlagSerial && p.Phase != networkquality.PhaseIdle {
+				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d  Upload: %s  RPM: %d",
+					formatBitrate(p.DownloadCapacity), p.DownloadRPM,
+					formatBitrate(p.UploadCapacity), p.UploadRPM)
+				return
+			}
+			switch networkquality.Phase(p.Phase) {
+			case networkquality.PhaseIdle:
+				if p.IdleLatencyMs > 0 {
+					fmt.Fprintf(os.Stderr, "\rIdle Latency: %d ms", p.IdleLatencyMs)
+				} else {
+					fmt.Fprint(os.Stderr, "\rMeasuring idle latency...")
+				}
+			case networkquality.PhaseDownload:
+				fmt.Fprintf(os.Stderr, "\rDownload: %s  RPM: %d",
+					formatBitrate(p.DownloadCapacity), p.DownloadRPM)
+			case networkquality.PhaseUpload:
+				fmt.Fprintf(os.Stderr, "\rUpload: %s  RPM: %d",
+					formatBitrate(p.UploadCapacity), p.UploadRPM)
+			}
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(os.Stderr)
+	fmt.Fprintln(os.Stderr, strings.Repeat("-", 40))
+	fmt.Fprintf(os.Stderr, "Idle Latency:            %d ms\n", result.IdleLatencyMs)
+	fmt.Fprintf(os.Stderr, "Download Capacity:       %-20s Accuracy: %s\n", formatBitrate(result.DownloadCapacity), result.DownloadCapacityAccuracy)
+	fmt.Fprintf(os.Stderr, "Upload Capacity:         %-20s Accuracy: %s\n", formatBitrate(result.UploadCapacity), result.UploadCapacityAccuracy)
+	fmt.Fprintf(os.Stderr, "Download Responsiveness: %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.DownloadRPM), result.DownloadRPMAccuracy)
+	fmt.Fprintf(os.Stderr, "Upload Responsiveness:   %-20s Accuracy: %s\n", fmt.Sprintf("%d RPM", result.UploadRPM), result.UploadRPMAccuracy)
+	return nil
+}
+
+func formatBitrate(bps int64) string {
+	switch {
+	case bps >= 1_000_000_000:
+		return fmt.Sprintf("%.1f Gbps", float64(bps)/1_000_000_000)
+	case bps >= 1_000_000:
+		return fmt.Sprintf("%.1f Mbps", float64(bps)/1_000_000)
+	case bps >= 1_000:
+		return fmt.Sprintf("%.1f Kbps", float64(bps)/1_000)
+	default:
+		return fmt.Sprintf("%d bps", bps)
+	}
+}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -239,7 +239,7 @@ func setMarkWrapper(networkManager adapter.NetworkManager, mark uint32, isDefaul
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
 	if !address.IsValid() {
 		return nil, E.New("invalid address")
-	} else if address.IsFqdn() {
+	} else if address.IsDomain() {
 		return nil, E.New("domain not resolved")
 	}
 	if d.networkStrategy == nil {
@@ -329,9 +329,9 @@ func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksadd

 func (d *DefaultDialer) DialerForICMPDestination(destination netip.Addr) net.Dialer {
 	if !destination.Is6() {
-		return d.dialer6.Dialer
-	} else {
 		return d.dialer4.Dialer
+	} else {
+		return d.dialer6.Dialer
 	}
 }

--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -96,7 +96,7 @@ func (d *resolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -116,7 +116,7 @@ func (d *resolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -144,7 +144,7 @@ func (d *resolveParallelNetworkDialer) DialParallelInterface(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
@@ -167,7 +167,7 @@ func (d *resolveParallelNetworkDialer) ListenSerialInterfacePacket(ctx context.C
 	if err != nil {
 		return nil, err
 	}
-	if !destination.IsFqdn() {
+	if !destination.IsDomain() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
--- a/common/ktls/ktls_read.go
+++ b/common/ktls/ktls_read.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"unsafe"
 )

 func (c *Conn) Read(b []byte) (int, error) {
@@ -229,7 +230,7 @@ func (c *Conn) readRawRecord() (typ uint8, data []byte, err error) {
 	record := c.rawConn.RawInput.Next(recordHeaderLen + n)
 	data, typ, err = c.rawConn.In.Decrypt(record)
 	if err != nil {
-		err = c.rawConn.In.SetErrorLocked(c.sendAlert(uint8(err.(tls.AlertError))))
+		err = c.rawConn.In.SetErrorLocked(c.sendAlert(*(*uint8)((*[2]unsafe.Pointer)(unsafe.Pointer(&err))[1])))
 		return
 	}
 	return
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@@ -151,6 +151,7 @@ func ListenNetworkNamespace[T any](nameOrPath string, block func() (T, error)) (
 		if err != nil {
 			return common.DefaultValue[T](), E.Cause(err, "get current netns")
 		}
+		defer currentNs.Close()
 		defer netns.Set(currentNs)
 		var targetNs netns.NsHandle
 		if strings.HasPrefix(nameOrPath, "/") {
--- a/common/networkquality/http.go
+++ b/common/networkquality/http.go
@@ -0,0 +1,109 @@
+package networkquality
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+
+	C "github.com/sagernet/sing-box/constant"
+	sBufio "github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+// NewHTTPClient creates an http.Client that dials through the given dialer.
+// The dialer should already handle DNS resolution if needed.
+func NewHTTPClient(dialer N.Dialer) *http.Client {
+	transport := &http.Transport{
+		ForceAttemptHTTP2:   true,
+		TLSHandshakeTimeout: C.TCPTimeout,
+	}
+	if dialer != nil {
+		transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+		}
+	}
+	return &http.Client{Transport: transport}
+}
+
+func baseTransportFromClient(client *http.Client) (*http.Transport, error) {
+	if client == nil {
+		return nil, E.New("http client is nil")
+	}
+	if client.Transport == nil {
+		return http.DefaultTransport.(*http.Transport).Clone(), nil
+	}
+	transport, ok := client.Transport.(*http.Transport)
+	if !ok {
+		return nil, E.New("http client transport must be *http.Transport")
+	}
+	return transport.Clone(), nil
+}
+
+func newMeasurementClient(
+	baseClient *http.Client,
+	connectEndpoint string,
+	singleConnection bool,
+	disableKeepAlives bool,
+	readCounters []N.CountFunc,
+	writeCounters []N.CountFunc,
+) (*http.Client, error) {
+	transport, err := baseTransportFromClient(baseClient)
+	if err != nil {
+		return nil, err
+	}
+	transport.DisableCompression = true
+	transport.DisableKeepAlives = disableKeepAlives
+	if singleConnection {
+		transport.MaxConnsPerHost = 1
+		transport.MaxIdleConnsPerHost = 1
+		transport.MaxIdleConns = 1
+	}
+
+	baseDialContext := transport.DialContext
+	if baseDialContext == nil {
+		dialer := &net.Dialer{}
+		baseDialContext = dialer.DialContext
+	}
+	connectEndpoint = strings.TrimSpace(connectEndpoint)
+	transport.DialContext = func(ctx context.Context, network string, addr string) (net.Conn, error) {
+		dialAddr := addr
+		if connectEndpoint != "" {
+			dialAddr = rewriteDialAddress(addr, connectEndpoint)
+		}
+		conn, dialErr := baseDialContext(ctx, network, dialAddr)
+		if dialErr != nil {
+			return nil, dialErr
+		}
+		if len(readCounters) > 0 || len(writeCounters) > 0 {
+			return sBufio.NewCounterConn(conn, readCounters, writeCounters), nil
+		}
+		return conn, nil
+	}
+
+	return &http.Client{
+		Transport:     transport,
+		CheckRedirect: baseClient.CheckRedirect,
+		Jar:           baseClient.Jar,
+		Timeout:       baseClient.Timeout,
+	}, nil
+}
+
+func rewriteDialAddress(addr string, connectEndpoint string) string {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return addr
+	}
+	endpointHost, endpointPort, err := net.SplitHostPort(connectEndpoint)
+	if err == nil {
+		host = endpointHost
+		if endpointPort != "" {
+			port = endpointPort
+		}
+	} else if connectEndpoint != "" {
+		host = connectEndpoint
+	}
+	return net.JoinHostPort(host, port)
+}
--- a/common/networkquality/networkquality.go
+++ b/common/networkquality/networkquality.go
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -14,6 +14,7 @@ import (

 type Searcher interface {
 	FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error)
+	Close() error
 }

 var ErrNotFound = E.New("process not found")
@@ -28,7 +29,7 @@ func FindProcessInfo(searcher Searcher, ctx context.Context, network string, sou
 	if err != nil {
 		return nil, err
 	}
-	if info.UserId != -1 {
+	if info.UserId != -1 && info.UserName == "" {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.UserName = osUser.Username
--- a/common/process/searcher_android.go
+++ b/common/process/searcher_android.go
@@ -6,6 +6,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 )

 var _ Searcher = (*androidSearcher)(nil)
@@ -18,22 +19,30 @@ func NewSearcher(config Config) (Searcher, error) {
 	return &androidSearcher{config.PackageManager}, nil
 }

+func (s *androidSearcher) Close() error {
+	return nil
+}
+
 func (s *androidSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	_, uid, err := resolveSocketByNetlink(network, source, destination)
+	family, protocol, err := socketDiagSettings(network, source)
 	if err != nil {
 		return nil, err
 	}
-	if sharedPackage, loaded := s.packageManager.SharedPackageByID(uid % 100000); loaded {
-		return &adapter.ConnectionOwner{
-			UserId:             int32(uid),
-			AndroidPackageName: sharedPackage,
-		}, nil
+	_, uid, err := querySocketDiagOnce(family, protocol, source)
+	if err != nil {
+		return nil, err
 	}
-	if packageName, loaded := s.packageManager.PackageByID(uid % 100000); loaded {
-		return &adapter.ConnectionOwner{
-			UserId:             int32(uid),
-			AndroidPackageName: packageName,
-		}, nil
+	appID := uid % 100000
+	var packageNames []string
+	if sharedPackage, loaded := s.packageManager.SharedPackageByID(appID); loaded {
+		packageNames = append(packageNames, sharedPackage)
 	}
-	return &adapter.ConnectionOwner{UserId: int32(uid)}, nil
+	if packages, loaded := s.packageManager.PackagesByID(appID); loaded {
+		packageNames = append(packageNames, packages...)
+	}
+	packageNames = common.Uniq(packageNames)
+	return &adapter.ConnectionOwner{
+		UserId:              int32(uid),
+		AndroidPackageNames: packageNames,
+	}, nil
 }
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -1,19 +1,15 @@
+//go:build darwin
+
 package process

 import (
 	"context"
-	"encoding/binary"
 	"net/netip"
-	"os"
 	"strconv"
 	"strings"
 	"syscall"
-	"unsafe"

 	"github.com/sagernet/sing-box/adapter"
-	N "github.com/sagernet/sing/common/network"
-
-	"golang.org/x/sys/unix"
 )

 var _ Searcher = (*darwinSearcher)(nil)
@@ -24,12 +20,12 @@ func NewSearcher(_ Config) (Searcher, error) {
 	return &darwinSearcher{}, nil
 }

+func (d *darwinSearcher) Close() error {
+	return nil
+}
+
 func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	processName, err := findProcessName(network, source.Addr(), int(source.Port()))
-	if err != nil {
-		return nil, err
-	}
-	return &adapter.ConnectionOwner{ProcessPath: processName, UserId: -1}, nil
+	return FindDarwinConnectionOwner(network, source, destination)
 }

 var structSize = func() int {
@@ -47,107 +43,3 @@ var structSize = func() int {
 		return 384
 	}
 }()
-
-func findProcessName(network string, ip netip.Addr, port int) (string, error) {
-	var spath string
-	switch network {
-	case N.NetworkTCP:
-		spath = "net.inet.tcp.pcblist_n"
-	case N.NetworkUDP:
-		spath = "net.inet.udp.pcblist_n"
-	default:
-		return "", os.ErrInvalid
-	}
-
-	isIPv4 := ip.Is4()
-
-	value, err := unix.SysctlRaw(spath)
-	if err != nil {
-		return "", err
-	}
-
-	buf := value
-
-	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
-	// size/offset are round up (aligned) to 8 bytes in darwin
-	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
-	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
-	itemSize := structSize
-	if network == N.NetworkTCP {
-		// rup8(sizeof(xtcpcb_n))
-		itemSize += 208
-	}
-
-	var fallbackUDPProcess string
-	// skip the first xinpgen(24 bytes) block
-	for i := 24; i+itemSize <= len(buf); i += itemSize {
-		// offset of xinpcb_n and xsocket_n
-		inp, so := i, i+104
-
-		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
-		if uint16(port) != srcPort {
-			continue
-		}
-
-		// xinpcb_n.inp_vflag
-		flag := buf[inp+44]
-
-		var srcIP netip.Addr
-		srcIsIPv4 := false
-		switch {
-		case flag&0x1 > 0 && isIPv4:
-			// ipv4
-			srcIP = netip.AddrFrom4([4]byte(buf[inp+76 : inp+80]))
-			srcIsIPv4 = true
-		case flag&0x2 > 0 && !isIPv4:
-			// ipv6
-			srcIP = netip.AddrFrom16([16]byte(buf[inp+64 : inp+80]))
-		default:
-			continue
-		}
-
-		if ip == srcIP {
-			// xsocket_n.so_last_pid
-			pid := readNativeUint32(buf[so+68 : so+72])
-			return getExecPathFromPID(pid)
-		}
-
-		// udp packet connection may be not equal with srcIP
-		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
-			pid := readNativeUint32(buf[so+68 : so+72])
-			fallbackUDPProcess, _ = getExecPathFromPID(pid)
-		}
-	}
-
-	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
-		return fallbackUDPProcess, nil
-	}
-
-	return "", ErrNotFound
-}
-
-func getExecPathFromPID(pid uint32) (string, error) {
-	const (
-		procpidpathinfo     = 0xb
-		procpidpathinfosize = 1024
-		proccallnumpidinfo  = 0x2
-	)
-	buf := make([]byte, procpidpathinfosize)
-	_, _, errno := syscall.Syscall6(
-		syscall.SYS_PROC_INFO,
-		proccallnumpidinfo,
-		uintptr(pid),
-		procpidpathinfo,
-		0,
-		uintptr(unsafe.Pointer(&buf[0])),
-		procpidpathinfosize)
-	if errno != 0 {
-		return "", errno
-	}
-
-	return unix.ByteSliceToString(buf), nil
-}
-
-func readNativeUint32(b []byte) uint32 {
-	return *(*uint32)(unsafe.Pointer(&b[0]))
-}
--- a/common/process/searcher_darwin_shared.go
+++ b/common/process/searcher_darwin_shared.go
@@ -0,0 +1,269 @@
+//go:build darwin
+
+package process
+
+import (
+	"encoding/binary"
+	"net/netip"
+	"os"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	darwinSnapshotTTL = 200 * time.Millisecond
+
+	darwinXinpgenSize        = 24
+	darwinXsocketOffset      = 104
+	darwinXinpcbForeignPort  = 16
+	darwinXinpcbLocalPort    = 18
+	darwinXinpcbVFlag        = 44
+	darwinXinpcbForeignAddr  = 48
+	darwinXinpcbLocalAddr    = 64
+	darwinXinpcbIPv4Addr     = 12
+	darwinXsocketUID         = 64
+	darwinXsocketLastPID     = 68
+	darwinTCPExtraStructSize = 208
+)
+
+type darwinConnectionEntry struct {
+	localAddr  netip.Addr
+	remoteAddr netip.Addr
+	localPort  uint16
+	remotePort uint16
+	pid        uint32
+	uid        int32
+}
+
+type darwinConnectionMatchKind uint8
+
+const (
+	darwinConnectionMatchExact darwinConnectionMatchKind = iota
+	darwinConnectionMatchLocalFallback
+	darwinConnectionMatchWildcardFallback
+)
+
+type darwinSnapshot struct {
+	createdAt time.Time
+	entries   []darwinConnectionEntry
+}
+
+type darwinConnectionFinder struct {
+	access    sync.Mutex
+	ttl       time.Duration
+	snapshots map[string]darwinSnapshot
+	builder   func(string) (darwinSnapshot, error)
+}
+
+var sharedDarwinConnectionFinder = newDarwinConnectionFinder(darwinSnapshotTTL)
+
+func newDarwinConnectionFinder(ttl time.Duration) *darwinConnectionFinder {
+	return &darwinConnectionFinder{
+		ttl:       ttl,
+		snapshots: make(map[string]darwinSnapshot),
+		builder:   buildDarwinSnapshot,
+	}
+}
+
+func FindDarwinConnectionOwner(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
+	return sharedDarwinConnectionFinder.find(network, source, destination)
+}
+
+func (f *darwinConnectionFinder) find(network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
+	networkName := N.NetworkName(network)
+	source = normalizeDarwinAddrPort(source)
+	destination = normalizeDarwinAddrPort(destination)
+	var lastOwner *adapter.ConnectionOwner
+	for attempt := 0; attempt < 2; attempt++ {
+		snapshot, fromCache, err := f.loadSnapshot(networkName, attempt > 0)
+		if err != nil {
+			return nil, err
+		}
+		entry, matchKind, err := matchDarwinConnectionEntry(snapshot.entries, networkName, source, destination)
+		if err != nil {
+			if err == ErrNotFound && fromCache {
+				continue
+			}
+			return nil, err
+		}
+		if fromCache && matchKind != darwinConnectionMatchExact {
+			continue
+		}
+		owner := &adapter.ConnectionOwner{
+			UserId: entry.uid,
+		}
+		lastOwner = owner
+		if entry.pid == 0 {
+			return owner, nil
+		}
+		processPath, err := getExecPathFromPID(entry.pid)
+		if err == nil {
+			owner.ProcessPath = processPath
+			return owner, nil
+		}
+		if fromCache {
+			continue
+		}
+		return owner, nil
+	}
+	if lastOwner != nil {
+		return lastOwner, nil
+	}
+	return nil, ErrNotFound
+}
+
+func (f *darwinConnectionFinder) loadSnapshot(network string, forceRefresh bool) (darwinSnapshot, bool, error) {
+	f.access.Lock()
+	defer f.access.Unlock()
+	if !forceRefresh {
+		if snapshot, loaded := f.snapshots[network]; loaded && time.Since(snapshot.createdAt) < f.ttl {
+			return snapshot, true, nil
+		}
+	}
+	snapshot, err := f.builder(network)
+	if err != nil {
+		return darwinSnapshot{}, false, err
+	}
+	f.snapshots[network] = snapshot
+	return snapshot, false, nil
+}
+
+func buildDarwinSnapshot(network string) (darwinSnapshot, error) {
+	spath, itemSize, err := darwinSnapshotSettings(network)
+	if err != nil {
+		return darwinSnapshot{}, err
+	}
+	value, err := unix.SysctlRaw(spath)
+	if err != nil {
+		return darwinSnapshot{}, err
+	}
+	return darwinSnapshot{
+		createdAt: time.Now(),
+		entries:   parseDarwinSnapshot(value, itemSize),
+	}, nil
+}
+
+func darwinSnapshotSettings(network string) (string, int, error) {
+	itemSize := structSize
+	switch network {
+	case N.NetworkTCP:
+		return "net.inet.tcp.pcblist_n", itemSize + darwinTCPExtraStructSize, nil
+	case N.NetworkUDP:
+		return "net.inet.udp.pcblist_n", itemSize, nil
+	default:
+		return "", 0, os.ErrInvalid
+	}
+}
+
+func parseDarwinSnapshot(buf []byte, itemSize int) []darwinConnectionEntry {
+	entries := make([]darwinConnectionEntry, 0, (len(buf)-darwinXinpgenSize)/itemSize)
+	for i := darwinXinpgenSize; i+itemSize <= len(buf); i += itemSize {
+		inp := i
+		so := i + darwinXsocketOffset
+		entry, ok := parseDarwinConnectionEntry(buf[inp:so], buf[so:so+structSize-darwinXsocketOffset])
+		if ok {
+			entries = append(entries, entry)
+		}
+	}
+	return entries
+}
+
+func parseDarwinConnectionEntry(inp []byte, so []byte) (darwinConnectionEntry, bool) {
+	if len(inp) < darwinXsocketOffset || len(so) < structSize-darwinXsocketOffset {
+		return darwinConnectionEntry{}, false
+	}
+	entry := darwinConnectionEntry{
+		remotePort: binary.BigEndian.Uint16(inp[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2]),
+		localPort:  binary.BigEndian.Uint16(inp[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2]),
+		pid:        binary.NativeEndian.Uint32(so[darwinXsocketLastPID : darwinXsocketLastPID+4]),
+		uid:        int32(binary.NativeEndian.Uint32(so[darwinXsocketUID : darwinXsocketUID+4])),
+	}
+	flag := inp[darwinXinpcbVFlag]
+	switch {
+	case flag&0x1 != 0:
+		entry.remoteAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr : darwinXinpcbForeignAddr+darwinXinpcbIPv4Addr+4]))
+		entry.localAddr = netip.AddrFrom4([4]byte(inp[darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr : darwinXinpcbLocalAddr+darwinXinpcbIPv4Addr+4]))
+		return entry, true
+	case flag&0x2 != 0:
+		entry.remoteAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16]))
+		entry.localAddr = netip.AddrFrom16([16]byte(inp[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16]))
+		return entry, true
+	default:
+		return darwinConnectionEntry{}, false
+	}
+}
+
+func matchDarwinConnectionEntry(entries []darwinConnectionEntry, network string, source netip.AddrPort, destination netip.AddrPort) (darwinConnectionEntry, darwinConnectionMatchKind, error) {
+	sourceAddr := source.Addr()
+	if !sourceAddr.IsValid() {
+		return darwinConnectionEntry{}, darwinConnectionMatchExact, os.ErrInvalid
+	}
+	var localFallback darwinConnectionEntry
+	var hasLocalFallback bool
+	var wildcardFallback darwinConnectionEntry
+	var hasWildcardFallback bool
+	for _, entry := range entries {
+		if entry.localPort != source.Port() || sourceAddr.BitLen() != entry.localAddr.BitLen() {
+			continue
+		}
+		if entry.localAddr == sourceAddr && destination.IsValid() && entry.remotePort == destination.Port() && entry.remoteAddr == destination.Addr() {
+			return entry, darwinConnectionMatchExact, nil
+		}
+		if !destination.IsValid() && entry.localAddr == sourceAddr {
+			return entry, darwinConnectionMatchExact, nil
+		}
+		if network != N.NetworkUDP {
+			continue
+		}
+		if !hasLocalFallback && entry.localAddr == sourceAddr {
+			hasLocalFallback = true
+			localFallback = entry
+		}
+		if !hasWildcardFallback && entry.localAddr.IsUnspecified() {
+			hasWildcardFallback = true
+			wildcardFallback = entry
+		}
+	}
+	if hasLocalFallback {
+		return localFallback, darwinConnectionMatchLocalFallback, nil
+	}
+	if hasWildcardFallback {
+		return wildcardFallback, darwinConnectionMatchWildcardFallback, nil
+	}
+	return darwinConnectionEntry{}, darwinConnectionMatchExact, ErrNotFound
+}
+
+func normalizeDarwinAddrPort(addrPort netip.AddrPort) netip.AddrPort {
+	if !addrPort.IsValid() {
+		return addrPort
+	}
+	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	const (
+		procpidpathinfo     = 0xb
+		procpidpathinfosize = 1024
+		proccallnumpidinfo  = 0x2
+	)
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+	return unix.ByteSliceToString(buf), nil
+}
--- a/common/process/searcher_linux.go
+++ b/common/process/searcher_linux.go
@@ -4,33 +4,82 @@ package process

 import (
 	"context"
+	"errors"
 	"net/netip"
+	"syscall"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
 )

 var _ Searcher = (*linuxSearcher)(nil)

 type linuxSearcher struct {
-	logger log.ContextLogger
+	logger           log.ContextLogger
+	diagConns        [4]*socketDiagConn
+	processPathCache *uidProcessPathCache
 }

 func NewSearcher(config Config) (Searcher, error) {
-	return &linuxSearcher{config.Logger}, nil
+	searcher := &linuxSearcher{
+		logger:           config.Logger,
+		processPathCache: newUIDProcessPathCache(time.Second),
+	}
+	for _, family := range []uint8{syscall.AF_INET, syscall.AF_INET6} {
+		for _, protocol := range []uint8{syscall.IPPROTO_TCP, syscall.IPPROTO_UDP} {
+			searcher.diagConns[socketDiagConnIndex(family, protocol)] = newSocketDiagConn(family, protocol)
+		}
+	}
+	return searcher, nil
+}
+
+func (s *linuxSearcher) Close() error {
+	var errs []error
+	for _, conn := range s.diagConns {
+		if conn == nil {
+			continue
+		}
+		errs = append(errs, conn.Close())
+	}
+	return E.Errors(errs...)
 }

 func (s *linuxSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
-	inode, uid, err := resolveSocketByNetlink(network, source, destination)
+	inode, uid, err := s.resolveSocketByNetlink(network, source, destination)
 	if err != nil {
 		return nil, err
 	}
-	processPath, err := resolveProcessNameByProcSearch(inode, uid)
+	processInfo := &adapter.ConnectionOwner{
+		UserId: int32(uid),
+	}
+	processPath, err := s.processPathCache.findProcessPath(inode, uid)
 	if err != nil {
 		s.logger.DebugContext(ctx, "find process path: ", err)
+	} else {
+		processInfo.ProcessPath = processPath
 	}
-	return &adapter.ConnectionOwner{
-		UserId:      int32(uid),
-		ProcessPath: processPath,
-	}, nil
+	return processInfo, nil
+}
+
+func (s *linuxSearcher) resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	family, protocol, err := socketDiagSettings(network, source)
+	if err != nil {
+		return 0, 0, err
+	}
+	conn := s.diagConns[socketDiagConnIndex(family, protocol)]
+	if conn == nil {
+		return 0, 0, E.New("missing socket diag connection for family=", family, " protocol=", protocol)
+	}
+	if destination.IsValid() && source.Addr().BitLen() == destination.Addr().BitLen() {
+		inode, uid, err = conn.query(source, destination)
+		if err == nil {
+			return inode, uid, nil
+		}
+		if !errors.Is(err, ErrNotFound) {
+			return 0, 0, err
+		}
+	}
+	return querySocketDiagOnce(family, protocol, source)
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -3,43 +3,67 @@
 package process

 import (
-	"bytes"
 	"encoding/binary"
-	"fmt"
-	"net"
+	"errors"
 	"net/netip"
 	"os"
-	"path"
+	"path/filepath"
 	"strings"
+	"sync"
 	"syscall"
+	"time"
 	"unicode"
-	"unsafe"

-	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/contrab/freelru"
+	"github.com/sagernet/sing/contrab/maphash"
 )

-// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
-var nativeEndian = func() binary.ByteOrder {
-	var x uint32 = 0x01020304
-	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
-		return binary.BigEndian
-	}
-
-	return binary.LittleEndian
-}()
-
 const (
-	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
-	socketDiagByFamily      = 20
-	pathProc                = "/proc"
+	sizeOfSocketDiagRequestData = 56
+	sizeOfSocketDiagRequest     = syscall.SizeofNlMsghdr + sizeOfSocketDiagRequestData
+	socketDiagResponseMinSize   = 72
+	socketDiagByFamily          = 20
+	pathProc                    = "/proc"
 )

-func resolveSocketByNetlink(network string, source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
-	var family uint8
-	var protocol uint8
+type socketDiagConn struct {
+	access   sync.Mutex
+	family   uint8
+	protocol uint8
+	fd       int
+}

+type uidProcessPathCache struct {
+	cache freelru.Cache[uint32, *uidProcessPaths]
+}
+
+type uidProcessPaths struct {
+	entries map[uint32]string
+}
+
+func newSocketDiagConn(family, protocol uint8) *socketDiagConn {
+	return &socketDiagConn{
+		family:   family,
+		protocol: protocol,
+		fd:       -1,
+	}
+}
+
+func socketDiagConnIndex(family, protocol uint8) int {
+	index := 0
+	if protocol == syscall.IPPROTO_UDP {
+		index += 2
+	}
+	if family == syscall.AF_INET6 {
+		index++
+	}
+	return index
+}
+
+func socketDiagSettings(network string, source netip.AddrPort) (family, protocol uint8, err error) {
 	switch network {
 	case N.NetworkTCP:
 		protocol = syscall.IPPROTO_TCP
@@ -48,151 +72,308 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 	default:
 		return 0, 0, os.ErrInvalid
 	}
-
-	if source.Addr().Is4() {
+	switch {
+	case source.Addr().Is4():
 		family = syscall.AF_INET
-	} else {
+	case source.Addr().Is6():
 		family = syscall.AF_INET6
+	default:
+		return 0, 0, os.ErrInvalid
 	}
-
-	req := packSocketDiagRequest(family, protocol, source)
-
-	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
-	if err != nil {
-		return 0, 0, E.Cause(err, "dial netlink")
-	}
-	defer syscall.Close(socket)
-
-	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
-	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
-
-	err = syscall.Connect(socket, &syscall.SockaddrNetlink{
-		Family: syscall.AF_NETLINK,
-		Pad:    0,
-		Pid:    0,
-		Groups: 0,
-	})
-	if err != nil {
-		return
-	}
-
-	_, err = syscall.Write(socket, req)
-	if err != nil {
-		return 0, 0, E.Cause(err, "write netlink request")
-	}
-
-	buffer := buf.New()
-	defer buffer.Release()
-
-	n, err := syscall.Read(socket, buffer.FreeBytes())
-	if err != nil {
-		return 0, 0, E.Cause(err, "read netlink response")
-	}
-
-	buffer.Truncate(n)
-
-	messages, err := syscall.ParseNetlinkMessage(buffer.Bytes())
-	if err != nil {
-		return 0, 0, E.Cause(err, "parse netlink message")
-	} else if len(messages) == 0 {
-		return 0, 0, E.New("unexcepted netlink response")
-	}
-
-	message := messages[0]
-	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
-		return 0, 0, E.New("netlink message: NLMSG_ERROR")
-	}
-
-	inode, uid = unpackSocketDiagResponse(&messages[0])
-	return
+	return family, protocol, nil
 }

-func packSocketDiagRequest(family, protocol byte, source netip.AddrPort) []byte {
-	s := make([]byte, 16)
-	copy(s, source.Addr().AsSlice())
-
-	buf := make([]byte, sizeOfSocketDiagRequest)
-
-	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
-	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
-	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
-	nativeEndian.PutUint32(buf[8:12], 0)
-	nativeEndian.PutUint32(buf[12:16], 0)
-
-	buf[16] = family
-	buf[17] = protocol
-	buf[18] = 0
-	buf[19] = 0
-	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
-
-	binary.BigEndian.PutUint16(buf[24:26], source.Port())
-	binary.BigEndian.PutUint16(buf[26:28], 0)
-
-	copy(buf[28:44], s)
-	copy(buf[44:60], net.IPv6zero)
-
-	nativeEndian.PutUint32(buf[60:64], 0)
-	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
-
-	return buf
+func newUIDProcessPathCache(ttl time.Duration) *uidProcessPathCache {
+	cache := common.Must1(freelru.NewSharded[uint32, *uidProcessPaths](64, maphash.NewHasher[uint32]().Hash32))
+	cache.SetLifetime(ttl)
+	return &uidProcessPathCache{cache: cache}
 }

-func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
-	if len(msg.Data) < 72 {
-		return 0, 0
+func (c *uidProcessPathCache) findProcessPath(targetInode, uid uint32) (string, error) {
+	if cached, ok := c.cache.Get(uid); ok {
+		if processPath, found := cached.entries[targetInode]; found {
+			return processPath, nil
+		}
 	}
-
-	data := msg.Data
-
-	uid = nativeEndian.Uint32(data[64:68])
-	inode = nativeEndian.Uint32(data[68:72])
-
-	return
-}
-
-func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
-	files, err := os.ReadDir(pathProc)
+	processPaths, err := buildProcessPathByUIDCache(uid)
 	if err != nil {
 		return "", err
 	}
+	c.cache.Add(uid, &uidProcessPaths{entries: processPaths})
+	processPath, found := processPaths[targetInode]
+	if !found {
+		return "", E.New("process of uid(", uid, "), inode(", targetInode, ") not found")
+	}
+	return processPath, nil
+}

+func (c *socketDiagConn) Close() error {
+	c.access.Lock()
+	defer c.access.Unlock()
+	return c.closeLocked()
+}
+
+func (c *socketDiagConn) query(source netip.AddrPort, destination netip.AddrPort) (inode, uid uint32, err error) {
+	c.access.Lock()
+	defer c.access.Unlock()
+	request := packSocketDiagRequest(c.family, c.protocol, source, destination, false)
+	for attempt := 0; attempt < 2; attempt++ {
+		err = c.ensureOpenLocked()
+		if err != nil {
+			return 0, 0, E.Cause(err, "dial netlink")
+		}
+		inode, uid, err = querySocketDiag(c.fd, request)
+		if err == nil || errors.Is(err, ErrNotFound) {
+			return inode, uid, err
+		}
+		if !shouldRetrySocketDiag(err) {
+			return 0, 0, err
+		}
+		_ = c.closeLocked()
+	}
+	return 0, 0, err
+}
+
+func querySocketDiagOnce(family, protocol uint8, source netip.AddrPort) (inode, uid uint32, err error) {
+	fd, err := openSocketDiag()
+	if err != nil {
+		return 0, 0, E.Cause(err, "dial netlink")
+	}
+	defer syscall.Close(fd)
+	return querySocketDiag(fd, packSocketDiagRequest(family, protocol, source, netip.AddrPort{}, true))
+}
+
+func (c *socketDiagConn) ensureOpenLocked() error {
+	if c.fd != -1 {
+		return nil
+	}
+	fd, err := openSocketDiag()
+	if err != nil {
+		return err
+	}
+	c.fd = fd
+	return nil
+}
+
+func openSocketDiag() (int, error) {
+	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM|syscall.SOCK_CLOEXEC, syscall.NETLINK_INET_DIAG)
+	if err != nil {
+		return -1, err
+	}
+	timeout := &syscall.Timeval{Usec: 100}
+	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, timeout); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	if err = syscall.SetsockoptTimeval(fd, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, timeout); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	if err = syscall.Connect(fd, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		syscall.Close(fd)
+		return -1, err
+	}
+	return fd, nil
+}
+
+func (c *socketDiagConn) closeLocked() error {
+	if c.fd == -1 {
+		return nil
+	}
+	err := syscall.Close(c.fd)
+	c.fd = -1
+	return err
+}
+
+func packSocketDiagRequest(family, protocol byte, source netip.AddrPort, destination netip.AddrPort, dump bool) []byte {
+	request := make([]byte, sizeOfSocketDiagRequest)
+
+	binary.NativeEndian.PutUint32(request[0:4], sizeOfSocketDiagRequest)
+	binary.NativeEndian.PutUint16(request[4:6], socketDiagByFamily)
+	flags := uint16(syscall.NLM_F_REQUEST)
+	if dump {
+		flags |= syscall.NLM_F_DUMP
+	}
+	binary.NativeEndian.PutUint16(request[6:8], flags)
+	binary.NativeEndian.PutUint32(request[8:12], 0)
+	binary.NativeEndian.PutUint32(request[12:16], 0)
+
+	request[16] = family
+	request[17] = protocol
+	request[18] = 0
+	request[19] = 0
+	if dump {
+		binary.NativeEndian.PutUint32(request[20:24], 0xFFFFFFFF)
+	}
+	requestSource := source
+	requestDestination := destination
+	if protocol == syscall.IPPROTO_UDP && !dump && destination.IsValid() {
+		// udp_dump_one expects the exact-match endpoints reversed for historical reasons.
+		requestSource, requestDestination = destination, source
+	}
+	binary.BigEndian.PutUint16(request[24:26], requestSource.Port())
+	binary.BigEndian.PutUint16(request[26:28], requestDestination.Port())
+	if family == syscall.AF_INET6 {
+		copy(request[28:44], requestSource.Addr().AsSlice())
+		if requestDestination.IsValid() {
+			copy(request[44:60], requestDestination.Addr().AsSlice())
+		}
+	} else {
+		copy(request[28:32], requestSource.Addr().AsSlice())
+		if requestDestination.IsValid() {
+			copy(request[44:48], requestDestination.Addr().AsSlice())
+		}
+	}
+	binary.NativeEndian.PutUint32(request[60:64], 0)
+	binary.NativeEndian.PutUint64(request[64:72], 0xFFFFFFFFFFFFFFFF)
+	return request
+}
+
+func querySocketDiag(fd int, request []byte) (inode, uid uint32, err error) {
+	_, err = syscall.Write(fd, request)
+	if err != nil {
+		return 0, 0, E.Cause(err, "write netlink request")
+	}
+	buffer := make([]byte, 64<<10)
+	n, err := syscall.Read(fd, buffer)
+	if err != nil {
+		return 0, 0, E.Cause(err, "read netlink response")
+	}
+	messages, err := syscall.ParseNetlinkMessage(buffer[:n])
+	if err != nil {
+		return 0, 0, E.Cause(err, "parse netlink message")
+	}
+	return unpackSocketDiagMessages(messages)
+}
+
+func unpackSocketDiagMessages(messages []syscall.NetlinkMessage) (inode, uid uint32, err error) {
+	for _, message := range messages {
+		switch message.Header.Type {
+		case syscall.NLMSG_DONE:
+			continue
+		case syscall.NLMSG_ERROR:
+			err = unpackSocketDiagError(&message)
+			if err != nil {
+				return 0, 0, err
+			}
+		case socketDiagByFamily:
+			inode, uid = unpackSocketDiagResponse(&message)
+			if inode != 0 || uid != 0 {
+				return inode, uid, nil
+			}
+		}
+	}
+	return 0, 0, ErrNotFound
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
+	if len(msg.Data) < socketDiagResponseMinSize {
+		return 0, 0
+	}
+	uid = binary.NativeEndian.Uint32(msg.Data[64:68])
+	inode = binary.NativeEndian.Uint32(msg.Data[68:72])
+	return inode, uid
+}
+
+func unpackSocketDiagError(msg *syscall.NetlinkMessage) error {
+	if len(msg.Data) < 4 {
+		return E.New("netlink message: NLMSG_ERROR")
+	}
+	errno := int32(binary.NativeEndian.Uint32(msg.Data[:4]))
+	if errno == 0 {
+		return nil
+	}
+	if errno < 0 {
+		errno = -errno
+	}
+	sysErr := syscall.Errno(errno)
+	switch sysErr {
+	case syscall.ENOENT, syscall.ESRCH:
+		return ErrNotFound
+	default:
+		return E.New("netlink message: ", sysErr)
+	}
+}
+
+func shouldRetrySocketDiag(err error) bool {
+	return err != nil && !errors.Is(err, ErrNotFound)
+}
+
+func buildProcessPathByUIDCache(uid uint32) (map[uint32]string, error) {
+	files, err := os.ReadDir(pathProc)
+	if err != nil {
+		return nil, err
+	}
 	buffer := make([]byte, syscall.PathMax)
-	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
-
-	for _, f := range files {
-		if !f.IsDir() || !isPid(f.Name()) {
+	processPaths := make(map[uint32]string)
+	for _, file := range files {
+		if !file.IsDir() || !isPid(file.Name()) {
 			continue
 		}
-
-		info, err := f.Info()
+		info, err := file.Info()
 		if err != nil {
-			return "", err
+			if isIgnorableProcError(err) {
+				continue
+			}
+			return nil, err
 		}
 		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}
-
-		processPath := path.Join(pathProc, f.Name())
-		fdPath := path.Join(processPath, "fd")
-
+		processPath := filepath.Join(pathProc, file.Name())
+		fdPath := filepath.Join(processPath, "fd")
+		exePath, err := os.Readlink(filepath.Join(processPath, "exe"))
+		if err != nil {
+			if isIgnorableProcError(err) {
+				continue
+			}
+			return nil, err
+		}
 		fds, err := os.ReadDir(fdPath)
 		if err != nil {
 			continue
 		}
-
 		for _, fd := range fds {
-			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			n, err := syscall.Readlink(filepath.Join(fdPath, fd.Name()), buffer)
 			if err != nil {
 				continue
 			}
-
-			if bytes.Equal(buffer[:n], socket) {
-				return os.Readlink(path.Join(processPath, "exe"))
+			inode, ok := parseSocketInode(buffer[:n])
+			if !ok {
+				continue
+			}
+			if _, loaded := processPaths[inode]; !loaded {
+				processPaths[inode] = exePath
 			}
 		}
 	}
+	return processPaths, nil
+}

-	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
+func isIgnorableProcError(err error) bool {
+	return os.IsNotExist(err) || os.IsPermission(err)
+}
+
+func parseSocketInode(link []byte) (uint32, bool) {
+	const socketPrefix = "socket:["
+	if len(link) <= len(socketPrefix) || string(link[:len(socketPrefix)]) != socketPrefix || link[len(link)-1] != ']' {
+		return 0, false
+	}
+	var inode uint64
+	for _, char := range link[len(socketPrefix) : len(link)-1] {
+		if char < '0' || char > '9' {
+			return 0, false
+		}
+		inode = inode*10 + uint64(char-'0')
+		if inode > uint64(^uint32(0)) {
+			return 0, false
+		}
+	}
+	return uint32(inode), true
 }

 func isPid(s string) bool {
--- a/common/process/searcher_linux_shared_test.go
+++ b/common/process/searcher_linux_shared_test.go
@@ -0,0 +1,60 @@
+//go:build linux
+
+package process
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestQuerySocketDiagUDPExact(t *testing.T) {
+	t.Parallel()
+	server, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
+	require.NoError(t, err)
+	defer server.Close()
+
+	client, err := net.DialUDP("udp4", nil, server.LocalAddr().(*net.UDPAddr))
+	require.NoError(t, err)
+	defer client.Close()
+
+	err = client.SetDeadline(time.Now().Add(time.Second))
+	require.NoError(t, err)
+	_, err = client.Write([]byte{0})
+	require.NoError(t, err)
+
+	err = server.SetReadDeadline(time.Now().Add(time.Second))
+	require.NoError(t, err)
+	buffer := make([]byte, 1)
+	_, _, err = server.ReadFromUDP(buffer)
+	require.NoError(t, err)
+
+	source := addrPortFromUDPAddr(t, client.LocalAddr())
+	destination := addrPortFromUDPAddr(t, client.RemoteAddr())
+
+	fd, err := openSocketDiag()
+	require.NoError(t, err)
+	defer syscall.Close(fd)
+
+	inode, uid, err := querySocketDiag(fd, packSocketDiagRequest(syscall.AF_INET, syscall.IPPROTO_UDP, source, destination, false))
+	require.NoError(t, err)
+	require.NotZero(t, inode)
+	require.EqualValues(t, os.Getuid(), uid)
+}
+
+func addrPortFromUDPAddr(t *testing.T, addr net.Addr) netip.AddrPort {
+	t.Helper()
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	require.True(t, ok)
+
+	ip, ok := netip.AddrFromSlice(udpAddr.IP)
+	require.True(t, ok)
+
+	return netip.AddrPortFrom(ip.Unmap(), uint16(udpAddr.Port))
+}
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -28,6 +28,10 @@ func initWin32API() error {
 	return winiphlpapi.LoadExtendedTable()
 }

+func (s *windowsSearcher) Close() error {
+	return nil
+}
+
 func (s *windowsSearcher) FindProcessInfo(ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*adapter.ConnectionOwner, error) {
 	pid, err := winiphlpapi.FindPid(network, source)
 	if err != nil {
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -38,37 +38,6 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }

-type acmeLogWriter struct {
-	logger logger.Logger
-}
-
-func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.logger.Debug(logLine[7:])
-	default:
-		w.logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *acmeLogWriter) Sync() error {
-	return nil
-}
-
-func encoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}
-
 func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
@@ -91,8 +60,8 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		storage = certmagic.Default.Storage
 	}
 	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(encoderConfig()),
-		&acmeLogWriter{logger: logger},
+		zapcore.NewConsoleEncoder(ACMEEncoderConfig()),
+		&ACMELogWriter{Logger: logger},
 		zap.DebugLevel,
 	))
 	config := &certmagic.Config{
@@ -158,7 +127,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{
 			GetCertificate: config.GetCertificate,
-			NextProtos:     []string{ACMETLS1Protocol},
+			NextProtos:     []string{C.ACMETLS1Protocol},
 		}
 	}
 	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
--- a/common/tls/acme_logger.go
+++ b/common/tls/acme_logger.go
@@ -0,0 +1,41 @@
+package tls
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing/common/logger"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+type ACMELogWriter struct {
+	Logger logger.Logger
+}
+
+func (w *ACMELogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.Logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.Logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.Logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.Logger.Debug(logLine[7:])
+	default:
+		w.Logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *ACMELogWriter) Sync() error {
+	return nil
+}
+
+func ACMEEncoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -32,6 +32,10 @@ type RealityServerConfig struct {
 func NewRealityServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	var tlsConfig utls.RealityConfig

+	if options.CertificateProvider != nil {
+		return nil, E.New("certificate_provider is unavailable in reality")
+	}
+	//nolint:staticcheck
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -13,19 +13,87 @@ import (
 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/service"
 )

 var errInsecureUnused = E.New("tls: insecure unused")

+type managedCertificateProvider interface {
+	adapter.CertificateProvider
+	adapter.SimpleLifecycle
+}
+
+type sharedCertificateProvider struct {
+	tag      string
+	manager  adapter.CertificateProviderManager
+	provider adapter.CertificateProviderService
+}
+
+func (p *sharedCertificateProvider) Start() error {
+	provider, found := p.manager.Get(p.tag)
+	if !found {
+		return E.New("certificate provider not found: ", p.tag)
+	}
+	p.provider = provider
+	return nil
+}
+
+func (p *sharedCertificateProvider) Close() error {
+	return nil
+}
+
+func (p *sharedCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return p.provider.GetCertificate(hello)
+}
+
+func (p *sharedCertificateProvider) GetACMENextProtos() []string {
+	return getACMENextProtos(p.provider)
+}
+
+type inlineCertificateProvider struct {
+	provider adapter.CertificateProviderService
+}
+
+func (p *inlineCertificateProvider) Start() error {
+	for _, stage := range adapter.ListStartStages {
+		err := adapter.LegacyStart(p.provider, stage)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *inlineCertificateProvider) Close() error {
+	return p.provider.Close()
+}
+
+func (p *inlineCertificateProvider) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return p.provider.GetCertificate(hello)
+}
+
+func (p *inlineCertificateProvider) GetACMENextProtos() []string {
+	return getACMENextProtos(p.provider)
+}
+
+func getACMENextProtos(provider adapter.CertificateProvider) []string {
+	if acmeProvider, isACME := provider.(adapter.ACMECertificateProvider); isACME {
+		return acmeProvider.GetACMENextProtos()
+	}
+	return nil
+}
+
 type STDServerConfig struct {
 	access                sync.RWMutex
 	config                *tls.Config
 	logger                log.Logger
+	certificateProvider   managedCertificateProvider
 	acmeService           adapter.SimpleLifecycle
 	certificate           []byte
 	key                   []byte
@@ -53,18 +121,17 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 func (c *STDServerConfig) NextProtos() []string {
 	c.access.RLock()
 	defer c.access.RUnlock()
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
 		return c.config.NextProtos[1:]
-	} else {
-		return c.config.NextProtos
 	}
+	return c.config.NextProtos
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	config := c.config.Clone()
-	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+	if c.hasACMEALPN() && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == C.ACMETLS1Protocol {
 		config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
 	} else {
 		config.NextProtos = nextProto
@@ -72,6 +139,18 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config = config
 }

+func (c *STDServerConfig) hasACMEALPN() bool {
+	if c.acmeService != nil {
+		return true
+	}
+	if c.certificateProvider != nil {
+		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
+			return len(acmeProvider.GetACMENextProtos()) > 0
+		}
+	}
+	return false
+}
+
 func (c *STDServerConfig) STDConfig() (*STDConfig, error) {
 	return c.config, nil
 }
@@ -91,15 +170,39 @@ func (c *STDServerConfig) Clone() Config {
 }

 func (c *STDServerConfig) Start() error {
-	if c.acmeService != nil {
-		return c.acmeService.Start()
-	} else {
-		err := c.startWatcher()
+	if c.certificateProvider != nil {
+		err := c.certificateProvider.Start()
 		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
+			return err
+		}
+		if acmeProvider, isACME := c.certificateProvider.(adapter.ACMECertificateProvider); isACME {
+			nextProtos := acmeProvider.GetACMENextProtos()
+			if len(nextProtos) > 0 {
+				c.access.Lock()
+				config := c.config.Clone()
+				mergedNextProtos := append([]string{}, nextProtos...)
+				for _, nextProto := range config.NextProtos {
+					if !common.Contains(mergedNextProtos, nextProto) {
+						mergedNextProtos = append(mergedNextProtos, nextProto)
+					}
+				}
+				config.NextProtos = mergedNextProtos
+				c.config = config
+				c.access.Unlock()
+			}
 		}
-		return nil
 	}
+	if c.acmeService != nil {
+		err := c.acmeService.Start()
+		if err != nil {
+			return err
+		}
+	}
+	err := c.startWatcher()
+	if err != nil {
+		c.logger.Warn("create fsnotify watcher: ", err)
+	}
+	return nil
 }

 func (c *STDServerConfig) startWatcher() error {
@@ -203,23 +306,34 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 }

 func (c *STDServerConfig) Close() error {
-	if c.acmeService != nil {
-		return c.acmeService.Close()
-	}
-	if c.watcher != nil {
-		return c.watcher.Close()
-	}
-	return nil
+	return common.Close(c.certificateProvider, c.acmeService, c.watcher)
 }

 func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
+	//nolint:staticcheck
+	if options.CertificateProvider != nil && options.ACME != nil {
+		return nil, E.New("certificate_provider and acme are mutually exclusive")
+	}
 	var tlsConfig *tls.Config
+	var certificateProvider managedCertificateProvider
 	var acmeService adapter.SimpleLifecycle
 	var err error
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+	if options.CertificateProvider != nil {
+		certificateProvider, err = newCertificateProvider(ctx, logger, options.CertificateProvider)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig = &tls.Config{
+			GetCertificate: certificateProvider.GetCertificate,
+		}
+		if options.Insecure {
+			return nil, errInsecureUnused
+		}
+	} else if options.ACME != nil && len(options.ACME.Domain) > 0 { //nolint:staticcheck
+		deprecated.Report(ctx, deprecated.OptionInlineACME)
 		//nolint:staticcheck
 		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
@@ -272,7 +386,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		certificate []byte
 		key         []byte
 	)
-	if acmeService == nil {
+	if certificateProvider == nil && acmeService == nil {
 		if len(options.Certificate) > 0 {
 			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
@@ -360,6 +474,7 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	serverConfig := &STDServerConfig{
 		config:                tlsConfig,
 		logger:                logger,
+		certificateProvider:   certificateProvider,
 		acmeService:           acmeService,
 		certificate:           certificate,
 		key:                   key,
@@ -369,8 +484,8 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 		echKeyPath:            echKeyPath,
 	}
 	serverConfig.config.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		serverConfig.access.Lock()
-		defer serverConfig.access.Unlock()
+		serverConfig.access.RLock()
+		defer serverConfig.access.RUnlock()
 		return serverConfig.config, nil
 	}
 	var config ServerConfig = serverConfig
@@ -387,3 +502,27 @@ func NewSTDServer(ctx context.Context, logger log.ContextLogger, options option.
 	}
 	return config, nil
 }
+
+func newCertificateProvider(ctx context.Context, logger log.ContextLogger, options *option.CertificateProviderOptions) (managedCertificateProvider, error) {
+	if options.IsShared() {
+		manager := service.FromContext[adapter.CertificateProviderManager](ctx)
+		if manager == nil {
+			return nil, E.New("missing certificate provider manager in context")
+		}
+		return &sharedCertificateProvider{
+			tag:     options.Tag,
+			manager: manager,
+		}, nil
+	}
+	registry := service.FromContext[adapter.CertificateProviderRegistry](ctx)
+	if registry == nil {
+		return nil, E.New("missing certificate provider registry in context")
+	}
+	provider, err := registry.Create(ctx, logger, "", options.Type, options.Options)
+	if err != nil {
+		return nil, E.Cause(err, "create inline certificate provider")
+	}
+	return &inlineCertificateProvider{
+		provider: provider,
+	}, nil
+}
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -15,19 +15,18 @@ const (
 )

 const (
-	DNSTypeLegacy      = "legacy"
-	DNSTypeLegacyRcode = "legacy_rcode"
-	DNSTypeUDP         = "udp"
-	DNSTypeTCP         = "tcp"
-	DNSTypeTLS         = "tls"
-	DNSTypeHTTPS       = "https"
-	DNSTypeQUIC        = "quic"
-	DNSTypeHTTP3       = "h3"
-	DNSTypeLocal       = "local"
-	DNSTypeHosts       = "hosts"
-	DNSTypeFakeIP      = "fakeip"
-	DNSTypeDHCP        = "dhcp"
-	DNSTypeTailscale   = "tailscale"
+	DNSTypeLegacy    = "legacy"
+	DNSTypeUDP       = "udp"
+	DNSTypeTCP       = "tcp"
+	DNSTypeTLS       = "tls"
+	DNSTypeHTTPS     = "https"
+	DNSTypeQUIC      = "quic"
+	DNSTypeHTTP3     = "h3"
+	DNSTypeLocal     = "local"
+	DNSTypeHosts     = "hosts"
+	DNSTypeFakeIP    = "fakeip"
+	DNSTypeDHCP      = "dhcp"
+	DNSTypeTailscale = "tailscale"
 )

 const (
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -1,36 +1,38 @@
 package constant

 const (
-	TypeTun          = "tun"
-	TypeRedirect     = "redirect"
-	TypeTProxy       = "tproxy"
-	TypeDirect       = "direct"
-	TypeBlock        = "block"
-	TypeDNS          = "dns"
-	TypeSOCKS        = "socks"
-	TypeHTTP         = "http"
-	TypeMixed        = "mixed"
-	TypeShadowsocks  = "shadowsocks"
-	TypeVMess        = "vmess"
-	TypeTrojan       = "trojan"
-	TypeNaive        = "naive"
-	TypeWireGuard    = "wireguard"
-	TypeHysteria     = "hysteria"
-	TypeTor          = "tor"
-	TypeSSH          = "ssh"
-	TypeShadowTLS    = "shadowtls"
-	TypeAnyTLS       = "anytls"
-	TypeShadowsocksR = "shadowsocksr"
-	TypeVLESS        = "vless"
-	TypeTUIC         = "tuic"
-	TypeHysteria2    = "hysteria2"
-	TypeTailscale    = "tailscale"
-	TypeDERP         = "derp"
-	TypeResolved     = "resolved"
-	TypeSSMAPI       = "ssm-api"
-	TypeCCM          = "ccm"
-	TypeOCM          = "ocm"
-	TypeOOMKiller    = "oom-killer"
+	TypeTun                = "tun"
+	TypeRedirect           = "redirect"
+	TypeTProxy             = "tproxy"
+	TypeDirect             = "direct"
+	TypeBlock              = "block"
+	TypeDNS                = "dns"
+	TypeSOCKS              = "socks"
+	TypeHTTP               = "http"
+	TypeMixed              = "mixed"
+	TypeShadowsocks        = "shadowsocks"
+	TypeVMess              = "vmess"
+	TypeTrojan             = "trojan"
+	TypeNaive              = "naive"
+	TypeWireGuard          = "wireguard"
+	TypeHysteria           = "hysteria"
+	TypeTor                = "tor"
+	TypeSSH                = "ssh"
+	TypeShadowTLS          = "shadowtls"
+	TypeAnyTLS             = "anytls"
+	TypeShadowsocksR       = "shadowsocksr"
+	TypeVLESS              = "vless"
+	TypeTUIC               = "tuic"
+	TypeHysteria2          = "hysteria2"
+	TypeTailscale          = "tailscale"
+	TypeDERP               = "derp"
+	TypeResolved           = "resolved"
+	TypeSSMAPI             = "ssm-api"
+	TypeCCM                = "ccm"
+	TypeOCM                = "ocm"
+	TypeOOMKiller          = "oom-killer"
+	TypeACME               = "acme"
+	TypeCloudflareOriginCA = "cloudflare-origin-ca"
 )

 const (
--- a/constant/rule.go
+++ b/constant/rule.go
@@ -29,6 +29,8 @@ const (
 const (
 	RuleActionTypeRoute        = "route"
 	RuleActionTypeRouteOptions = "route-options"
+	RuleActionTypeEvaluate     = "evaluate"
+	RuleActionTypeRespond      = "respond"
 	RuleActionTypeDirect       = "direct"
 	RuleActionTypeBypass       = "bypass"
 	RuleActionTypeReject       = "reject"
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -1,3 +1,3 @@
-package tls
+package constant

 const ACMETLS1Protocol = "acme-tls/1"
--- a/daemon/instance.go
+++ b/daemon/instance.go
@@ -87,12 +87,17 @@ func (s *StartedService) newInstance(profileContent string, overrideOptions *Ove
 			}
 		}
 	}
-	if s.oomKiller && C.IsIos {
+	if s.oomKillerEnabled {
 		if !common.Any(options.Services, func(it option.Service) bool {
 			return it.Type == C.TypeOOMKiller
 		}) {
+			oomOptions := &option.OOMKillerServiceOptions{
+				KillerDisabled:      s.oomKillerDisabled,
+				MemoryLimitOverride: s.oomMemoryLimit,
+			}
 			options.Services = append(options.Services, option.Service{
-				Type: C.TypeOOMKiller,
+				Type:    C.TypeOOMKiller,
+				Options: oomOptions,
 			})
 		}
 	}
--- a/daemon/platform.go
+++ b/daemon/platform.go
@@ -5,5 +5,6 @@ type PlatformHandler interface {
 	ServiceReload() error
 	SystemProxyStatus() (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(enabled bool) error
+	TriggerNativeCrash() error
 	WriteDebugMessage(message string)
 }
--- a/daemon/started_service.go
+++ b/daemon/started_service.go
@@ -8,12 +8,15 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/networkquality"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/protocol/group"
+	"github.com/sagernet/sing-box/service/oomkiller"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -24,6 +27,8 @@ import (

 	"github.com/gofrs/uuid/v5"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
 )

@@ -32,10 +37,12 @@ var _ StartedServiceServer = (*StartedService)(nil)
 type StartedService struct {
 	ctx context.Context
 	// platform adapter.PlatformInterface
-	handler     PlatformHandler
-	debug       bool
-	logMaxLines int
-	oomKiller   bool
+	handler           PlatformHandler
+	debug             bool
+	logMaxLines       int
+	oomKillerEnabled  bool
+	oomKillerDisabled bool
+	oomMemoryLimit    uint64
 	// workingDirectory string
 	// tempDirectory    string
 	// userID           int
@@ -64,10 +71,12 @@ type StartedService struct {
 type ServiceOptions struct {
 	Context context.Context
 	// Platform           adapter.PlatformInterface
-	Handler     PlatformHandler
-	Debug       bool
-	LogMaxLines int
-	OOMKiller   bool
+	Handler           PlatformHandler
+	Debug             bool
+	LogMaxLines       int
+	OOMKillerEnabled  bool
+	OOMKillerDisabled bool
+	OOMMemoryLimit    uint64
 	// WorkingDirectory   string
 	// TempDirectory      string
 	// UserID             int
@@ -79,10 +88,12 @@ func NewStartedService(options ServiceOptions) *StartedService {
 	s := &StartedService{
 		ctx: options.Context,
 		// platform:                options.Platform,
-		handler:     options.Handler,
-		debug:       options.Debug,
-		logMaxLines: options.LogMaxLines,
-		oomKiller:   options.OOMKiller,
+		handler:           options.Handler,
+		debug:             options.Debug,
+		logMaxLines:       options.LogMaxLines,
+		oomKillerEnabled:  options.OOMKillerEnabled,
+		oomKillerDisabled: options.OOMKillerDisabled,
+		oomMemoryLimit:    options.OOMMemoryLimit,
 		// workingDirectory: options.WorkingDirectory,
 		// tempDirectory:    options.TempDirectory,
 		// userID:           options.UserID,
@@ -168,7 +179,7 @@ func (s *StartedService) waitForStarted(ctx context.Context) error {
 func (s *StartedService) StartOrReloadService(profileContent string, options *OverrideOptions) error {
 	s.serviceAccess.Lock()
 	switch s.serviceStatus.Status {
-	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING:
+	case ServiceStatus_IDLE, ServiceStatus_STARTED, ServiceStatus_STARTING, ServiceStatus_FATAL:
 	default:
 		s.serviceAccess.Unlock()
 		return os.ErrInvalid
@@ -226,13 +237,14 @@ func (s *StartedService) CloseService() error {
 		return os.ErrInvalid
 	}
 	s.updateStatus(ServiceStatus_STOPPING)
-	if s.instance != nil {
-		err := s.instance.Close()
+	instance := s.instance
+	s.instance = nil
+	if instance != nil {
+		err := instance.Close()
 		if err != nil {
 			return s.updateStatusError(err)
 		}
 	}
-	s.instance = nil
 	s.startedAt = time.Time{}
 	s.updateStatus(ServiceStatus_IDLE)
 	s.serviceAccess.Unlock()
@@ -684,6 +696,41 @@ func (s *StartedService) SetSystemProxyEnabled(ctx context.Context, request *Set
 	return nil, err
 }

+func (s *StartedService) TriggerDebugCrash(ctx context.Context, request *DebugCrashRequest) (*emptypb.Empty, error) {
+	if !s.debug {
+		return nil, status.Error(codes.PermissionDenied, "debug crash trigger unavailable")
+	}
+	if request == nil {
+		return nil, status.Error(codes.InvalidArgument, "missing debug crash request")
+	}
+	switch request.Type {
+	case DebugCrashRequest_GO:
+		time.AfterFunc(200*time.Millisecond, func() {
+			panic("debug go crash")
+		})
+	case DebugCrashRequest_NATIVE:
+		err := s.handler.TriggerNativeCrash()
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, status.Error(codes.InvalidArgument, "unknown debug crash type")
+	}
+	return &emptypb.Empty{}, nil
+}
+
+func (s *StartedService) TriggerOOMReport(ctx context.Context, _ *emptypb.Empty) (*emptypb.Empty, error) {
+	instance := s.Instance()
+	if instance == nil {
+		return nil, status.Error(codes.FailedPrecondition, "service not started")
+	}
+	reporter := service.FromContext[oomkiller.OOMReporter](instance.ctx)
+	if reporter == nil {
+		return nil, status.Error(codes.Unavailable, "OOM reporter not available")
+	}
+	return &emptypb.Empty{}, reporter.WriteReport(memory.Total())
+}
+
 func (s *StartedService) SubscribeConnections(request *SubscribeConnectionsRequest, server grpc.ServerStreamingServer[ConnectionEvents]) error {
 	err := s.waitForStarted(server.Context())
 	if err != nil {
@@ -949,11 +996,11 @@ func buildConnectionProto(metadata *trafficontrol.TrackerMetadata) *Connection {
 	var processInfo *ProcessInfo
 	if metadata.Metadata.ProcessInfo != nil {
 		processInfo = &ProcessInfo{
-			ProcessId:   metadata.Metadata.ProcessInfo.ProcessID,
-			UserId:      metadata.Metadata.ProcessInfo.UserId,
-			UserName:    metadata.Metadata.ProcessInfo.UserName,
-			ProcessPath: metadata.Metadata.ProcessInfo.ProcessPath,
-			PackageName: metadata.Metadata.ProcessInfo.AndroidPackageName,
+			ProcessId:    metadata.Metadata.ProcessInfo.ProcessID,
+			UserId:       metadata.Metadata.ProcessInfo.UserId,
+			UserName:     metadata.Metadata.ProcessInfo.UserName,
+			ProcessPath:  metadata.Metadata.ProcessInfo.ProcessPath,
+			PackageNames: metadata.Metadata.ProcessInfo.AndroidPackageNames,
 		}
 	}
 	return &Connection{
@@ -1018,9 +1065,12 @@ func (s *StartedService) GetDeprecatedWarnings(ctx context.Context, empty *empty
 	return &DeprecatedWarnings{
 		Warnings: common.Map(notes, func(it deprecated.Note) *DeprecatedWarning {
 			return &DeprecatedWarning{
-				Message:       it.Message(),
-				Impending:     it.Impending(),
-				MigrationLink: it.MigrationLink,
+				Message:           it.Message(),
+				Impending:         it.Impending(),
+				MigrationLink:     it.MigrationLink,
+				Description:       it.Description,
+				DeprecatedVersion: it.DeprecatedVersion,
+				ScheduledVersion:  it.ScheduledVersion,
 			}
 		}),
 	}, nil
@@ -1032,6 +1082,149 @@ func (s *StartedService) GetStartedAt(ctx context.Context, empty *emptypb.Empty)
 	return &StartedAt{StartedAt: s.startedAt.UnixMilli()}, nil
 }

+func (s *StartedService) ListOutbounds(ctx context.Context, _ *emptypb.Empty) (*OutboundList, error) {
+	s.serviceAccess.RLock()
+	if s.serviceStatus.Status != ServiceStatus_STARTED {
+		s.serviceAccess.RUnlock()
+		return nil, os.ErrInvalid
+	}
+	boxService := s.instance
+	s.serviceAccess.RUnlock()
+	historyStorage := boxService.urlTestHistoryStorage
+	outbounds := boxService.instance.Outbound().Outbounds()
+	var list OutboundList
+	for _, ob := range outbounds {
+		item := &GroupItem{
+			Tag:  ob.Tag(),
+			Type: ob.Type(),
+		}
+		if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
+			item.UrlTestTime = history.Time.Unix()
+			item.UrlTestDelay = int32(history.Delay)
+		}
+		list.Outbounds = append(list.Outbounds, item)
+	}
+	return &list, nil
+}
+
+func (s *StartedService) SubscribeOutbounds(_ *emptypb.Empty, server grpc.ServerStreamingServer[OutboundList]) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
+	subscription, done, err := s.urlTestObserver.Subscribe()
+	if err != nil {
+		return err
+	}
+	defer s.urlTestObserver.UnSubscribe(subscription)
+	for {
+		s.serviceAccess.RLock()
+		if s.serviceStatus.Status != ServiceStatus_STARTED {
+			s.serviceAccess.RUnlock()
+			return os.ErrInvalid
+		}
+		boxService := s.instance
+		s.serviceAccess.RUnlock()
+		historyStorage := boxService.urlTestHistoryStorage
+		outbounds := boxService.instance.Outbound().Outbounds()
+		var list OutboundList
+		for _, ob := range outbounds {
+			item := &GroupItem{
+				Tag:  ob.Tag(),
+				Type: ob.Type(),
+			}
+			if history := historyStorage.LoadURLTestHistory(adapter.OutboundTag(ob)); history != nil {
+				item.UrlTestTime = history.Time.Unix()
+				item.UrlTestDelay = int32(history.Delay)
+			}
+			list.Outbounds = append(list.Outbounds, item)
+		}
+		err = server.Send(&list)
+		if err != nil {
+			return err
+		}
+		select {
+		case <-subscription:
+		case <-s.ctx.Done():
+			return s.ctx.Err()
+		case <-server.Context().Done():
+			return server.Context().Err()
+		case <-done:
+			return nil
+		}
+	}
+}
+
+func (s *StartedService) StartNetworkQualityTest(
+	request *NetworkQualityTestRequest,
+	server grpc.ServerStreamingServer[NetworkQualityTestProgress],
+) error {
+	err := s.waitForStarted(server.Context())
+	if err != nil {
+		return err
+	}
+	s.serviceAccess.RLock()
+	boxService := s.instance
+	s.serviceAccess.RUnlock()
+
+	var outbound adapter.Outbound
+	if request.OutboundTag == "" {
+		outbound = boxService.instance.Outbound().Default()
+	} else {
+		var loaded bool
+		outbound, loaded = boxService.instance.Outbound().Outbound(request.OutboundTag)
+		if !loaded {
+			return E.New("outbound not found: ", request.OutboundTag)
+		}
+	}
+
+	resolvedDialer := dialer.NewResolveDialer(boxService.ctx, outbound, true, "", adapter.DNSQueryOptions{}, 0)
+	httpClient := networkquality.NewHTTPClient(resolvedDialer)
+	defer httpClient.CloseIdleConnections()
+
+	result, nqErr := networkquality.Run(networkquality.Options{
+		ConfigURL:  request.ConfigURL,
+		HTTPClient: httpClient,
+		Serial:     request.Serial,
+		MaxRuntime: time.Duration(request.MaxRuntimeSeconds) * time.Second,
+		Context:    server.Context(),
+		OnProgress: func(p networkquality.Progress) {
+			_ = server.Send(&NetworkQualityTestProgress{
+				Phase:                    int32(p.Phase),
+				DownloadCapacity:         p.DownloadCapacity,
+				UploadCapacity:           p.UploadCapacity,
+				DownloadRPM:              p.DownloadRPM,
+				UploadRPM:                p.UploadRPM,
+				IdleLatencyMs:            p.IdleLatencyMs,
+				ElapsedMs:                p.ElapsedMs,
+				DownloadCapacityAccuracy: int32(p.DownloadCapacityAccuracy),
+				UploadCapacityAccuracy:   int32(p.UploadCapacityAccuracy),
+				DownloadRPMAccuracy:      int32(p.DownloadRPMAccuracy),
+				UploadRPMAccuracy:        int32(p.UploadRPMAccuracy),
+			})
+		},
+	})
+	if nqErr != nil {
+		return server.Send(&NetworkQualityTestProgress{
+			IsFinal: true,
+			Error:   nqErr.Error(),
+		})
+	}
+	return server.Send(&NetworkQualityTestProgress{
+		Phase:                    int32(networkquality.PhaseDone),
+		DownloadCapacity:         result.DownloadCapacity,
+		UploadCapacity:           result.UploadCapacity,
+		DownloadRPM:              result.DownloadRPM,
+		UploadRPM:                result.UploadRPM,
+		IdleLatencyMs:            result.IdleLatencyMs,
+		IsFinal:                  true,
+		DownloadCapacityAccuracy: int32(result.DownloadCapacityAccuracy),
+		UploadCapacityAccuracy:   int32(result.UploadCapacityAccuracy),
+		DownloadRPMAccuracy:      int32(result.DownloadRPMAccuracy),
+		UploadRPMAccuracy:        int32(result.UploadRPMAccuracy),
+	})
+}
+
 func (s *StartedService) mustEmbedUnimplementedStartedServiceServer() {
 }

--- a/daemon/started_service.pb.go
+++ b/daemon/started_service.pb.go
@@ -182,6 +182,52 @@ func (ServiceStatus_Type) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_started_service_proto_rawDescGZIP(), []int{0, 0}
 }

+type DebugCrashRequest_Type int32
+
+const (
+	DebugCrashRequest_GO     DebugCrashRequest_Type = 0
+	DebugCrashRequest_NATIVE DebugCrashRequest_Type = 1
+)
+
+// Enum value maps for DebugCrashRequest_Type.
+var (
+	DebugCrashRequest_Type_name = map[int32]string{
+		0: "GO",
+		1: "NATIVE",
+	}
+	DebugCrashRequest_Type_value = map[string]int32{
+		"GO":     0,
+		"NATIVE": 1,
+	}
+)
+
+func (x DebugCrashRequest_Type) Enum() *DebugCrashRequest_Type {
+	p := new(DebugCrashRequest_Type)
+	*p = x
+	return p
+}
+
+func (x DebugCrashRequest_Type) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (DebugCrashRequest_Type) Descriptor() protoreflect.EnumDescriptor {
+	return file_daemon_started_service_proto_enumTypes[3].Descriptor()
+}
+
+func (DebugCrashRequest_Type) Type() protoreflect.EnumType {
+	return &file_daemon_started_service_proto_enumTypes[3]
+}
+
+func (x DebugCrashRequest_Type) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use DebugCrashRequest_Type.Descriptor instead.
+func (DebugCrashRequest_Type) EnumDescriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{16, 0}
+}
+
 type ServiceStatus struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Status        ServiceStatus_Type     `protobuf:"varint,1,opt,name=status,proto3,enum=daemon.ServiceStatus_Type" json:"status,omitempty"`
@@ -1062,6 +1108,50 @@ func (x *SetSystemProxyEnabledRequest) GetEnabled() bool {
 	return false
 }

+type DebugCrashRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Type          DebugCrashRequest_Type `protobuf:"varint,1,opt,name=type,proto3,enum=daemon.DebugCrashRequest_Type" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *DebugCrashRequest) Reset() {
+	*x = DebugCrashRequest{}
+	mi := &file_daemon_started_service_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DebugCrashRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DebugCrashRequest) ProtoMessage() {}
+
+func (x *DebugCrashRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[16]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DebugCrashRequest.ProtoReflect.Descriptor instead.
+func (*DebugCrashRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
+}
+
+func (x *DebugCrashRequest) GetType() DebugCrashRequest_Type {
+	if x != nil {
+		return x.Type
+	}
+	return DebugCrashRequest_GO
+}
+
 type SubscribeConnectionsRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Interval      int64                  `protobuf:"varint,1,opt,name=interval,proto3" json:"interval,omitempty"`
@@ -1071,7 +1161,7 @@ type SubscribeConnectionsRequest struct {

 func (x *SubscribeConnectionsRequest) Reset() {
 	*x = SubscribeConnectionsRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[16]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1083,7 +1173,7 @@ func (x *SubscribeConnectionsRequest) String() string {
 func (*SubscribeConnectionsRequest) ProtoMessage() {}

 func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[16]
+	mi := &file_daemon_started_service_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1096,7 +1186,7 @@ func (x *SubscribeConnectionsRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SubscribeConnectionsRequest.ProtoReflect.Descriptor instead.
 func (*SubscribeConnectionsRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{16}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
 }

 func (x *SubscribeConnectionsRequest) GetInterval() int64 {
@@ -1120,7 +1210,7 @@ type ConnectionEvent struct {

 func (x *ConnectionEvent) Reset() {
 	*x = ConnectionEvent{}
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1132,7 +1222,7 @@ func (x *ConnectionEvent) String() string {
 func (*ConnectionEvent) ProtoMessage() {}

 func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[17]
+	mi := &file_daemon_started_service_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1145,7 +1235,7 @@ func (x *ConnectionEvent) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvent.ProtoReflect.Descriptor instead.
 func (*ConnectionEvent) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{17}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
 }

 func (x *ConnectionEvent) GetType() ConnectionEventType {
@@ -1200,7 +1290,7 @@ type ConnectionEvents struct {

 func (x *ConnectionEvents) Reset() {
 	*x = ConnectionEvents{}
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1212,7 +1302,7 @@ func (x *ConnectionEvents) String() string {
 func (*ConnectionEvents) ProtoMessage() {}

 func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[18]
+	mi := &file_daemon_started_service_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1225,7 +1315,7 @@ func (x *ConnectionEvents) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ConnectionEvents.ProtoReflect.Descriptor instead.
 func (*ConnectionEvents) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{18}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
 }

 func (x *ConnectionEvents) GetEvents() []*ConnectionEvent {
@@ -1272,7 +1362,7 @@ type Connection struct {

 func (x *Connection) Reset() {
 	*x = Connection{}
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1284,7 +1374,7 @@ func (x *Connection) String() string {
 func (*Connection) ProtoMessage() {}

 func (x *Connection) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[19]
+	mi := &file_daemon_started_service_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1297,7 +1387,7 @@ func (x *Connection) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Connection.ProtoReflect.Descriptor instead.
 func (*Connection) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{19}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
 }

 func (x *Connection) GetId() string {
@@ -1460,14 +1550,14 @@ type ProcessInfo struct {
 	UserId        int32                  `protobuf:"varint,2,opt,name=userId,proto3" json:"userId,omitempty"`
 	UserName      string                 `protobuf:"bytes,3,opt,name=userName,proto3" json:"userName,omitempty"`
 	ProcessPath   string                 `protobuf:"bytes,4,opt,name=processPath,proto3" json:"processPath,omitempty"`
-	PackageName   string                 `protobuf:"bytes,5,opt,name=packageName,proto3" json:"packageName,omitempty"`
+	PackageNames  []string               `protobuf:"bytes,5,rep,name=packageNames,proto3" json:"packageNames,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }

 func (x *ProcessInfo) Reset() {
 	*x = ProcessInfo{}
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1479,7 +1569,7 @@ func (x *ProcessInfo) String() string {
 func (*ProcessInfo) ProtoMessage() {}

 func (x *ProcessInfo) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[20]
+	mi := &file_daemon_started_service_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1492,7 +1582,7 @@ func (x *ProcessInfo) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ProcessInfo.ProtoReflect.Descriptor instead.
 func (*ProcessInfo) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{20}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
 }

 func (x *ProcessInfo) GetProcessId() uint32 {
@@ -1523,11 +1613,11 @@ func (x *ProcessInfo) GetProcessPath() string {
 	return ""
 }

-func (x *ProcessInfo) GetPackageName() string {
+func (x *ProcessInfo) GetPackageNames() []string {
 	if x != nil {
-		return x.PackageName
+		return x.PackageNames
 	}
-	return ""
+	return nil
 }

 type CloseConnectionRequest struct {
@@ -1539,7 +1629,7 @@ type CloseConnectionRequest struct {

 func (x *CloseConnectionRequest) Reset() {
 	*x = CloseConnectionRequest{}
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1551,7 +1641,7 @@ func (x *CloseConnectionRequest) String() string {
 func (*CloseConnectionRequest) ProtoMessage() {}

 func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[21]
+	mi := &file_daemon_started_service_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1564,7 +1654,7 @@ func (x *CloseConnectionRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CloseConnectionRequest.ProtoReflect.Descriptor instead.
 func (*CloseConnectionRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{21}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
 }

 func (x *CloseConnectionRequest) GetId() string {
@@ -1583,7 +1673,7 @@ type DeprecatedWarnings struct {

 func (x *DeprecatedWarnings) Reset() {
 	*x = DeprecatedWarnings{}
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1595,7 +1685,7 @@ func (x *DeprecatedWarnings) String() string {
 func (*DeprecatedWarnings) ProtoMessage() {}

 func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[22]
+	mi := &file_daemon_started_service_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1608,7 +1698,7 @@ func (x *DeprecatedWarnings) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarnings.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarnings) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{22}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
 }

 func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
@@ -1619,17 +1709,20 @@ func (x *DeprecatedWarnings) GetWarnings() []*DeprecatedWarning {
 }

 type DeprecatedWarning struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Message       string                 `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
-	Impending     bool                   `protobuf:"varint,2,opt,name=impending,proto3" json:"impending,omitempty"`
-	MigrationLink string                 `protobuf:"bytes,3,opt,name=migrationLink,proto3" json:"migrationLink,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
+	state             protoimpl.MessageState `protogen:"open.v1"`
+	Message           string                 `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
+	Impending         bool                   `protobuf:"varint,2,opt,name=impending,proto3" json:"impending,omitempty"`
+	MigrationLink     string                 `protobuf:"bytes,3,opt,name=migrationLink,proto3" json:"migrationLink,omitempty"`
+	Description       string                 `protobuf:"bytes,4,opt,name=description,proto3" json:"description,omitempty"`
+	DeprecatedVersion string                 `protobuf:"bytes,5,opt,name=deprecatedVersion,proto3" json:"deprecatedVersion,omitempty"`
+	ScheduledVersion  string                 `protobuf:"bytes,6,opt,name=scheduledVersion,proto3" json:"scheduledVersion,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
 }

 func (x *DeprecatedWarning) Reset() {
 	*x = DeprecatedWarning{}
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1641,7 +1734,7 @@ func (x *DeprecatedWarning) String() string {
 func (*DeprecatedWarning) ProtoMessage() {}

 func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[23]
+	mi := &file_daemon_started_service_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1654,7 +1747,7 @@ func (x *DeprecatedWarning) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeprecatedWarning.ProtoReflect.Descriptor instead.
 func (*DeprecatedWarning) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{23}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
 }

 func (x *DeprecatedWarning) GetMessage() string {
@@ -1678,6 +1771,27 @@ func (x *DeprecatedWarning) GetMigrationLink() string {
 	return ""
 }

+func (x *DeprecatedWarning) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
+func (x *DeprecatedWarning) GetDeprecatedVersion() string {
+	if x != nil {
+		return x.DeprecatedVersion
+	}
+	return ""
+}
+
+func (x *DeprecatedWarning) GetScheduledVersion() string {
+	if x != nil {
+		return x.ScheduledVersion
+	}
+	return ""
+}
+
 type StartedAt struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	StartedAt     int64                  `protobuf:"varint,1,opt,name=startedAt,proto3" json:"startedAt,omitempty"`
@@ -1687,7 +1801,7 @@ type StartedAt struct {

 func (x *StartedAt) Reset() {
 	*x = StartedAt{}
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1699,7 +1813,7 @@ func (x *StartedAt) String() string {
 func (*StartedAt) ProtoMessage() {}

 func (x *StartedAt) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[24]
+	mi := &file_daemon_started_service_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1712,7 +1826,7 @@ func (x *StartedAt) ProtoReflect() protoreflect.Message {

 // Deprecated: Use StartedAt.ProtoReflect.Descriptor instead.
 func (*StartedAt) Descriptor() ([]byte, []int) {
-	return file_daemon_started_service_proto_rawDescGZIP(), []int{24}
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{25}
 }

 func (x *StartedAt) GetStartedAt() int64 {
@@ -1722,6 +1836,258 @@ func (x *StartedAt) GetStartedAt() int64 {
 	return 0
 }

+type OutboundList struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Outbounds     []*GroupItem           `protobuf:"bytes,1,rep,name=outbounds,proto3" json:"outbounds,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OutboundList) Reset() {
+	*x = OutboundList{}
+	mi := &file_daemon_started_service_proto_msgTypes[26]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OutboundList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OutboundList) ProtoMessage() {}
+
+func (x *OutboundList) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[26]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OutboundList.ProtoReflect.Descriptor instead.
+func (*OutboundList) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{26}
+}
+
+func (x *OutboundList) GetOutbounds() []*GroupItem {
+	if x != nil {
+		return x.Outbounds
+	}
+	return nil
+}
+
+type NetworkQualityTestRequest struct {
+	state             protoimpl.MessageState `protogen:"open.v1"`
+	ConfigURL         string                 `protobuf:"bytes,1,opt,name=configURL,proto3" json:"configURL,omitempty"`
+	OutboundTag       string                 `protobuf:"bytes,2,opt,name=outboundTag,proto3" json:"outboundTag,omitempty"`
+	Serial            bool                   `protobuf:"varint,3,opt,name=serial,proto3" json:"serial,omitempty"`
+	MaxRuntimeSeconds int32                  `protobuf:"varint,4,opt,name=maxRuntimeSeconds,proto3" json:"maxRuntimeSeconds,omitempty"`
+	unknownFields     protoimpl.UnknownFields
+	sizeCache         protoimpl.SizeCache
+}
+
+func (x *NetworkQualityTestRequest) Reset() {
+	*x = NetworkQualityTestRequest{}
+	mi := &file_daemon_started_service_proto_msgTypes[27]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *NetworkQualityTestRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NetworkQualityTestRequest) ProtoMessage() {}
+
+func (x *NetworkQualityTestRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[27]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NetworkQualityTestRequest.ProtoReflect.Descriptor instead.
+func (*NetworkQualityTestRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{27}
+}
+
+func (x *NetworkQualityTestRequest) GetConfigURL() string {
+	if x != nil {
+		return x.ConfigURL
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestRequest) GetOutboundTag() string {
+	if x != nil {
+		return x.OutboundTag
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestRequest) GetSerial() bool {
+	if x != nil {
+		return x.Serial
+	}
+	return false
+}
+
+func (x *NetworkQualityTestRequest) GetMaxRuntimeSeconds() int32 {
+	if x != nil {
+		return x.MaxRuntimeSeconds
+	}
+	return 0
+}
+
+type NetworkQualityTestProgress struct {
+	state                    protoimpl.MessageState `protogen:"open.v1"`
+	Phase                    int32                  `protobuf:"varint,1,opt,name=phase,proto3" json:"phase,omitempty"`
+	DownloadCapacity         int64                  `protobuf:"varint,2,opt,name=downloadCapacity,proto3" json:"downloadCapacity,omitempty"`
+	UploadCapacity           int64                  `protobuf:"varint,3,opt,name=uploadCapacity,proto3" json:"uploadCapacity,omitempty"`
+	DownloadRPM              int32                  `protobuf:"varint,4,opt,name=downloadRPM,proto3" json:"downloadRPM,omitempty"`
+	UploadRPM                int32                  `protobuf:"varint,5,opt,name=uploadRPM,proto3" json:"uploadRPM,omitempty"`
+	IdleLatencyMs            int32                  `protobuf:"varint,6,opt,name=idleLatencyMs,proto3" json:"idleLatencyMs,omitempty"`
+	ElapsedMs                int64                  `protobuf:"varint,7,opt,name=elapsedMs,proto3" json:"elapsedMs,omitempty"`
+	IsFinal                  bool                   `protobuf:"varint,8,opt,name=isFinal,proto3" json:"isFinal,omitempty"`
+	Error                    string                 `protobuf:"bytes,9,opt,name=error,proto3" json:"error,omitempty"`
+	DownloadCapacityAccuracy int32                  `protobuf:"varint,10,opt,name=downloadCapacityAccuracy,proto3" json:"downloadCapacityAccuracy,omitempty"`
+	UploadCapacityAccuracy   int32                  `protobuf:"varint,11,opt,name=uploadCapacityAccuracy,proto3" json:"uploadCapacityAccuracy,omitempty"`
+	DownloadRPMAccuracy      int32                  `protobuf:"varint,12,opt,name=downloadRPMAccuracy,proto3" json:"downloadRPMAccuracy,omitempty"`
+	UploadRPMAccuracy        int32                  `protobuf:"varint,13,opt,name=uploadRPMAccuracy,proto3" json:"uploadRPMAccuracy,omitempty"`
+	unknownFields            protoimpl.UnknownFields
+	sizeCache                protoimpl.SizeCache
+}
+
+func (x *NetworkQualityTestProgress) Reset() {
+	*x = NetworkQualityTestProgress{}
+	mi := &file_daemon_started_service_proto_msgTypes[28]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *NetworkQualityTestProgress) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NetworkQualityTestProgress) ProtoMessage() {}
+
+func (x *NetworkQualityTestProgress) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_started_service_proto_msgTypes[28]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NetworkQualityTestProgress.ProtoReflect.Descriptor instead.
+func (*NetworkQualityTestProgress) Descriptor() ([]byte, []int) {
+	return file_daemon_started_service_proto_rawDescGZIP(), []int{28}
+}
+
+func (x *NetworkQualityTestProgress) GetPhase() int32 {
+	if x != nil {
+		return x.Phase
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadCapacity() int64 {
+	if x != nil {
+		return x.DownloadCapacity
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadCapacity() int64 {
+	if x != nil {
+		return x.UploadCapacity
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadRPM() int32 {
+	if x != nil {
+		return x.DownloadRPM
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadRPM() int32 {
+	if x != nil {
+		return x.UploadRPM
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetIdleLatencyMs() int32 {
+	if x != nil {
+		return x.IdleLatencyMs
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetElapsedMs() int64 {
+	if x != nil {
+		return x.ElapsedMs
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetIsFinal() bool {
+	if x != nil {
+		return x.IsFinal
+	}
+	return false
+}
+
+func (x *NetworkQualityTestProgress) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadCapacityAccuracy() int32 {
+	if x != nil {
+		return x.DownloadCapacityAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadCapacityAccuracy() int32 {
+	if x != nil {
+		return x.UploadCapacityAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetDownloadRPMAccuracy() int32 {
+	if x != nil {
+		return x.DownloadRPMAccuracy
+	}
+	return 0
+}
+
+func (x *NetworkQualityTestProgress) GetUploadRPMAccuracy() int32 {
+	if x != nil {
+		return x.UploadRPMAccuracy
+	}
+	return 0
+}
+
 type Log_Message struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Level         LogLevel               `protobuf:"varint,1,opt,name=level,proto3,enum=daemon.LogLevel" json:"level,omitempty"`
@@ -1732,7 +2098,7 @@ type Log_Message struct {

 func (x *Log_Message) Reset() {
 	*x = Log_Message{}
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[29]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1744,7 +2110,7 @@ func (x *Log_Message) String() string {
 func (*Log_Message) ProtoMessage() {}

 func (x *Log_Message) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_started_service_proto_msgTypes[25]
+	mi := &file_daemon_started_service_proto_msgTypes[29]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1845,7 +2211,13 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\tavailable\x18\x01 \x01(\bR\tavailable\x12\x18\n" +
 	"\aenabled\x18\x02 \x01(\bR\aenabled\"8\n" +
 	"\x1cSetSystemProxyEnabledRequest\x12\x18\n" +
-	"\aenabled\x18\x01 \x01(\bR\aenabled\"9\n" +
+	"\aenabled\x18\x01 \x01(\bR\aenabled\"c\n" +
+	"\x11DebugCrashRequest\x122\n" +
+	"\x04type\x18\x01 \x01(\x0e2\x1e.daemon.DebugCrashRequest.TypeR\x04type\"\x1a\n" +
+	"\x04Type\x12\x06\n" +
+	"\x02GO\x10\x00\x12\n" +
+	"\n" +
+	"\x06NATIVE\x10\x01\"9\n" +
 	"\x1bSubscribeConnectionsRequest\x12\x1a\n" +
 	"\binterval\x18\x01 \x01(\x03R\binterval\"\xea\x01\n" +
 	"\x0fConnectionEvent\x12/\n" +
@@ -1884,23 +2256,48 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\boutbound\x18\x13 \x01(\tR\boutbound\x12\"\n" +
 	"\foutboundType\x18\x14 \x01(\tR\foutboundType\x12\x1c\n" +
 	"\tchainList\x18\x15 \x03(\tR\tchainList\x125\n" +
-	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa3\x01\n" +
+	"\vprocessInfo\x18\x16 \x01(\v2\x13.daemon.ProcessInfoR\vprocessInfo\"\xa5\x01\n" +
 	"\vProcessInfo\x12\x1c\n" +
 	"\tprocessId\x18\x01 \x01(\rR\tprocessId\x12\x16\n" +
 	"\x06userId\x18\x02 \x01(\x05R\x06userId\x12\x1a\n" +
 	"\buserName\x18\x03 \x01(\tR\buserName\x12 \n" +
-	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12 \n" +
-	"\vpackageName\x18\x05 \x01(\tR\vpackageName\"(\n" +
+	"\vprocessPath\x18\x04 \x01(\tR\vprocessPath\x12\"\n" +
+	"\fpackageNames\x18\x05 \x03(\tR\fpackageNames\"(\n" +
 	"\x16CloseConnectionRequest\x12\x0e\n" +
 	"\x02id\x18\x01 \x01(\tR\x02id\"K\n" +
 	"\x12DeprecatedWarnings\x125\n" +
-	"\bwarnings\x18\x01 \x03(\v2\x19.daemon.DeprecatedWarningR\bwarnings\"q\n" +
+	"\bwarnings\x18\x01 \x03(\v2\x19.daemon.DeprecatedWarningR\bwarnings\"\xed\x01\n" +
 	"\x11DeprecatedWarning\x12\x18\n" +
 	"\amessage\x18\x01 \x01(\tR\amessage\x12\x1c\n" +
 	"\timpending\x18\x02 \x01(\bR\timpending\x12$\n" +
-	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\")\n" +
+	"\rmigrationLink\x18\x03 \x01(\tR\rmigrationLink\x12 \n" +
+	"\vdescription\x18\x04 \x01(\tR\vdescription\x12,\n" +
+	"\x11deprecatedVersion\x18\x05 \x01(\tR\x11deprecatedVersion\x12*\n" +
+	"\x10scheduledVersion\x18\x06 \x01(\tR\x10scheduledVersion\")\n" +
 	"\tStartedAt\x12\x1c\n" +
-	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt*U\n" +
+	"\tstartedAt\x18\x01 \x01(\x03R\tstartedAt\"?\n" +
+	"\fOutboundList\x12/\n" +
+	"\toutbounds\x18\x01 \x03(\v2\x11.daemon.GroupItemR\toutbounds\"\xa1\x01\n" +
+	"\x19NetworkQualityTestRequest\x12\x1c\n" +
+	"\tconfigURL\x18\x01 \x01(\tR\tconfigURL\x12 \n" +
+	"\voutboundTag\x18\x02 \x01(\tR\voutboundTag\x12\x16\n" +
+	"\x06serial\x18\x03 \x01(\bR\x06serial\x12,\n" +
+	"\x11maxRuntimeSeconds\x18\x04 \x01(\x05R\x11maxRuntimeSeconds\"\x8e\x04\n" +
+	"\x1aNetworkQualityTestProgress\x12\x14\n" +
+	"\x05phase\x18\x01 \x01(\x05R\x05phase\x12*\n" +
+	"\x10downloadCapacity\x18\x02 \x01(\x03R\x10downloadCapacity\x12&\n" +
+	"\x0euploadCapacity\x18\x03 \x01(\x03R\x0euploadCapacity\x12 \n" +
+	"\vdownloadRPM\x18\x04 \x01(\x05R\vdownloadRPM\x12\x1c\n" +
+	"\tuploadRPM\x18\x05 \x01(\x05R\tuploadRPM\x12$\n" +
+	"\ridleLatencyMs\x18\x06 \x01(\x05R\ridleLatencyMs\x12\x1c\n" +
+	"\telapsedMs\x18\a \x01(\x03R\telapsedMs\x12\x18\n" +
+	"\aisFinal\x18\b \x01(\bR\aisFinal\x12\x14\n" +
+	"\x05error\x18\t \x01(\tR\x05error\x12:\n" +
+	"\x18downloadCapacityAccuracy\x18\n" +
+	" \x01(\x05R\x18downloadCapacityAccuracy\x126\n" +
+	"\x16uploadCapacityAccuracy\x18\v \x01(\x05R\x16uploadCapacityAccuracy\x120\n" +
+	"\x13downloadRPMAccuracy\x18\f \x01(\x05R\x13downloadRPMAccuracy\x12,\n" +
+	"\x11uploadRPMAccuracy\x18\r \x01(\x05R\x11uploadRPMAccuracy*U\n" +
 	"\bLogLevel\x12\t\n" +
 	"\x05PANIC\x10\x00\x12\t\n" +
 	"\x05FATAL\x10\x01\x12\t\n" +
@@ -1912,7 +2309,7 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x13ConnectionEventType\x12\x18\n" +
 	"\x14CONNECTION_EVENT_NEW\x10\x00\x12\x1b\n" +
 	"\x17CONNECTION_EVENT_UPDATE\x10\x01\x12\x1b\n" +
-	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe5\v\n" +
+	"\x17CONNECTION_EVENT_CLOSED\x10\x022\xe4\x0e\n" +
 	"\x0eStartedService\x12=\n" +
 	"\vStopService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12?\n" +
 	"\rReloadService\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\x12K\n" +
@@ -1929,12 +2326,17 @@ const file_daemon_started_service_proto_rawDesc = "" +
 	"\x0eSelectOutbound\x12\x1d.daemon.SelectOutboundRequest\x1a\x16.google.protobuf.Empty\"\x00\x12I\n" +
 	"\x0eSetGroupExpand\x12\x1d.daemon.SetGroupExpandRequest\x1a\x16.google.protobuf.Empty\"\x00\x12K\n" +
 	"\x14GetSystemProxyStatus\x12\x16.google.protobuf.Empty\x1a\x19.daemon.SystemProxyStatus\"\x00\x12W\n" +
-	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
+	"\x15SetSystemProxyEnabled\x12$.daemon.SetSystemProxyEnabledRequest\x1a\x16.google.protobuf.Empty\"\x00\x12H\n" +
+	"\x11TriggerDebugCrash\x12\x19.daemon.DebugCrashRequest\x1a\x16.google.protobuf.Empty\"\x00\x12D\n" +
+	"\x10TriggerOOMReport\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12Y\n" +
 	"\x14SubscribeConnections\x12#.daemon.SubscribeConnectionsRequest\x1a\x18.daemon.ConnectionEvents\"\x000\x01\x12K\n" +
 	"\x0fCloseConnection\x12\x1e.daemon.CloseConnectionRequest\x1a\x16.google.protobuf.Empty\"\x00\x12G\n" +
 	"\x13CloseAllConnections\x12\x16.google.protobuf.Empty\x1a\x16.google.protobuf.Empty\"\x00\x12M\n" +
 	"\x15GetDeprecatedWarnings\x12\x16.google.protobuf.Empty\x1a\x1a.daemon.DeprecatedWarnings\"\x00\x12;\n" +
-	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"
+	"\fGetStartedAt\x12\x16.google.protobuf.Empty\x1a\x11.daemon.StartedAt\"\x00\x12?\n" +
+	"\rListOutbounds\x12\x16.google.protobuf.Empty\x1a\x14.daemon.OutboundList\"\x00\x12F\n" +
+	"\x12SubscribeOutbounds\x12\x16.google.protobuf.Empty\x1a\x14.daemon.OutboundList\"\x000\x01\x12d\n" +
+	"\x17StartNetworkQualityTest\x12!.daemon.NetworkQualityTestRequest\x1a\".daemon.NetworkQualityTestProgress\"\x000\x01B%Z#github.com/sagernet/sing-box/daemonb\x06proto3"

 var (
 	file_daemon_started_service_proto_rawDescOnce sync.Once
@@ -1949,101 +2351,118 @@ func file_daemon_started_service_proto_rawDescGZIP() []byte {
 }

 var (
-	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 26)
+	file_daemon_started_service_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+	file_daemon_started_service_proto_msgTypes  = make([]protoimpl.MessageInfo, 30)
 	file_daemon_started_service_proto_goTypes   = []any{
 		(LogLevel)(0),                        // 0: daemon.LogLevel
 		(ConnectionEventType)(0),             // 1: daemon.ConnectionEventType
 		(ServiceStatus_Type)(0),              // 2: daemon.ServiceStatus.Type
-		(*ServiceStatus)(nil),                // 3: daemon.ServiceStatus
-		(*ReloadServiceRequest)(nil),         // 4: daemon.ReloadServiceRequest
-		(*SubscribeStatusRequest)(nil),       // 5: daemon.SubscribeStatusRequest
-		(*Log)(nil),                          // 6: daemon.Log
-		(*DefaultLogLevel)(nil),              // 7: daemon.DefaultLogLevel
-		(*Status)(nil),                       // 8: daemon.Status
-		(*Groups)(nil),                       // 9: daemon.Groups
-		(*Group)(nil),                        // 10: daemon.Group
-		(*GroupItem)(nil),                    // 11: daemon.GroupItem
-		(*URLTestRequest)(nil),               // 12: daemon.URLTestRequest
-		(*SelectOutboundRequest)(nil),        // 13: daemon.SelectOutboundRequest
-		(*SetGroupExpandRequest)(nil),        // 14: daemon.SetGroupExpandRequest
-		(*ClashMode)(nil),                    // 15: daemon.ClashMode
-		(*ClashModeStatus)(nil),              // 16: daemon.ClashModeStatus
-		(*SystemProxyStatus)(nil),            // 17: daemon.SystemProxyStatus
-		(*SetSystemProxyEnabledRequest)(nil), // 18: daemon.SetSystemProxyEnabledRequest
-		(*SubscribeConnectionsRequest)(nil),  // 19: daemon.SubscribeConnectionsRequest
-		(*ConnectionEvent)(nil),              // 20: daemon.ConnectionEvent
-		(*ConnectionEvents)(nil),             // 21: daemon.ConnectionEvents
-		(*Connection)(nil),                   // 22: daemon.Connection
-		(*ProcessInfo)(nil),                  // 23: daemon.ProcessInfo
-		(*CloseConnectionRequest)(nil),       // 24: daemon.CloseConnectionRequest
-		(*DeprecatedWarnings)(nil),           // 25: daemon.DeprecatedWarnings
-		(*DeprecatedWarning)(nil),            // 26: daemon.DeprecatedWarning
-		(*StartedAt)(nil),                    // 27: daemon.StartedAt
-		(*Log_Message)(nil),                  // 28: daemon.Log.Message
-		(*emptypb.Empty)(nil),                // 29: google.protobuf.Empty
+		(DebugCrashRequest_Type)(0),          // 3: daemon.DebugCrashRequest.Type
+		(*ServiceStatus)(nil),                // 4: daemon.ServiceStatus
+		(*ReloadServiceRequest)(nil),         // 5: daemon.ReloadServiceRequest
+		(*SubscribeStatusRequest)(nil),       // 6: daemon.SubscribeStatusRequest
+		(*Log)(nil),                          // 7: daemon.Log
+		(*DefaultLogLevel)(nil),              // 8: daemon.DefaultLogLevel
+		(*Status)(nil),                       // 9: daemon.Status
+		(*Groups)(nil),                       // 10: daemon.Groups
+		(*Group)(nil),                        // 11: daemon.Group
+		(*GroupItem)(nil),                    // 12: daemon.GroupItem
+		(*URLTestRequest)(nil),               // 13: daemon.URLTestRequest
+		(*SelectOutboundRequest)(nil),        // 14: daemon.SelectOutboundRequest
+		(*SetGroupExpandRequest)(nil),        // 15: daemon.SetGroupExpandRequest
+		(*ClashMode)(nil),                    // 16: daemon.ClashMode
+		(*ClashModeStatus)(nil),              // 17: daemon.ClashModeStatus
+		(*SystemProxyStatus)(nil),            // 18: daemon.SystemProxyStatus
+		(*SetSystemProxyEnabledRequest)(nil), // 19: daemon.SetSystemProxyEnabledRequest
+		(*DebugCrashRequest)(nil),            // 20: daemon.DebugCrashRequest
+		(*SubscribeConnectionsRequest)(nil),  // 21: daemon.SubscribeConnectionsRequest
+		(*ConnectionEvent)(nil),              // 22: daemon.ConnectionEvent
+		(*ConnectionEvents)(nil),             // 23: daemon.ConnectionEvents
+		(*Connection)(nil),                   // 24: daemon.Connection
+		(*ProcessInfo)(nil),                  // 25: daemon.ProcessInfo
+		(*CloseConnectionRequest)(nil),       // 26: daemon.CloseConnectionRequest
+		(*DeprecatedWarnings)(nil),           // 27: daemon.DeprecatedWarnings
+		(*DeprecatedWarning)(nil),            // 28: daemon.DeprecatedWarning
+		(*StartedAt)(nil),                    // 29: daemon.StartedAt
+		(*OutboundList)(nil),                 // 30: daemon.OutboundList
+		(*NetworkQualityTestRequest)(nil),    // 31: daemon.NetworkQualityTestRequest
+		(*NetworkQualityTestProgress)(nil),   // 32: daemon.NetworkQualityTestProgress
+		(*Log_Message)(nil),                  // 33: daemon.Log.Message
+		(*emptypb.Empty)(nil),                // 34: google.protobuf.Empty
 	}
 )

 var file_daemon_started_service_proto_depIdxs = []int32{
 	2,  // 0: daemon.ServiceStatus.status:type_name -> daemon.ServiceStatus.Type
-	28, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
+	33, // 1: daemon.Log.messages:type_name -> daemon.Log.Message
 	0,  // 2: daemon.DefaultLogLevel.level:type_name -> daemon.LogLevel
-	10, // 3: daemon.Groups.group:type_name -> daemon.Group
-	11, // 4: daemon.Group.items:type_name -> daemon.GroupItem
-	1,  // 5: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
-	22, // 6: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
-	20, // 7: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
-	23, // 8: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
-	26, // 9: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
-	0,  // 10: daemon.Log.Message.level:type_name -> daemon.LogLevel
-	29, // 11: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
-	29, // 12: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
-	29, // 13: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
-	29, // 14: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
-	29, // 15: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
-	29, // 16: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
-	5,  // 17: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
-	29, // 18: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
-	29, // 19: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
-	29, // 20: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
-	15, // 21: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
-	12, // 22: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
-	13, // 23: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
-	14, // 24: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
-	29, // 25: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
-	18, // 26: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
-	19, // 27: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
-	24, // 28: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
-	29, // 29: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
-	29, // 30: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
-	29, // 31: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
-	29, // 32: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
-	29, // 33: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
-	3,  // 34: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
-	6,  // 35: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
-	7,  // 36: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
-	29, // 37: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
-	8,  // 38: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
-	9,  // 39: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
-	16, // 40: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
-	15, // 41: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
-	29, // 42: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
-	29, // 43: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
-	29, // 44: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
-	29, // 45: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
-	17, // 46: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
-	29, // 47: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
-	21, // 48: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
-	29, // 49: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
-	29, // 50: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
-	25, // 51: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
-	27, // 52: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
-	32, // [32:53] is the sub-list for method output_type
-	11, // [11:32] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	11, // 3: daemon.Groups.group:type_name -> daemon.Group
+	12, // 4: daemon.Group.items:type_name -> daemon.GroupItem
+	3,  // 5: daemon.DebugCrashRequest.type:type_name -> daemon.DebugCrashRequest.Type
+	1,  // 6: daemon.ConnectionEvent.type:type_name -> daemon.ConnectionEventType
+	24, // 7: daemon.ConnectionEvent.connection:type_name -> daemon.Connection
+	22, // 8: daemon.ConnectionEvents.events:type_name -> daemon.ConnectionEvent
+	25, // 9: daemon.Connection.processInfo:type_name -> daemon.ProcessInfo
+	28, // 10: daemon.DeprecatedWarnings.warnings:type_name -> daemon.DeprecatedWarning
+	12, // 11: daemon.OutboundList.outbounds:type_name -> daemon.GroupItem
+	0,  // 12: daemon.Log.Message.level:type_name -> daemon.LogLevel
+	34, // 13: daemon.StartedService.StopService:input_type -> google.protobuf.Empty
+	34, // 14: daemon.StartedService.ReloadService:input_type -> google.protobuf.Empty
+	34, // 15: daemon.StartedService.SubscribeServiceStatus:input_type -> google.protobuf.Empty
+	34, // 16: daemon.StartedService.SubscribeLog:input_type -> google.protobuf.Empty
+	34, // 17: daemon.StartedService.GetDefaultLogLevel:input_type -> google.protobuf.Empty
+	34, // 18: daemon.StartedService.ClearLogs:input_type -> google.protobuf.Empty
+	6,  // 19: daemon.StartedService.SubscribeStatus:input_type -> daemon.SubscribeStatusRequest
+	34, // 20: daemon.StartedService.SubscribeGroups:input_type -> google.protobuf.Empty
+	34, // 21: daemon.StartedService.GetClashModeStatus:input_type -> google.protobuf.Empty
+	34, // 22: daemon.StartedService.SubscribeClashMode:input_type -> google.protobuf.Empty
+	16, // 23: daemon.StartedService.SetClashMode:input_type -> daemon.ClashMode
+	13, // 24: daemon.StartedService.URLTest:input_type -> daemon.URLTestRequest
+	14, // 25: daemon.StartedService.SelectOutbound:input_type -> daemon.SelectOutboundRequest
+	15, // 26: daemon.StartedService.SetGroupExpand:input_type -> daemon.SetGroupExpandRequest
+	34, // 27: daemon.StartedService.GetSystemProxyStatus:input_type -> google.protobuf.Empty
+	19, // 28: daemon.StartedService.SetSystemProxyEnabled:input_type -> daemon.SetSystemProxyEnabledRequest
+	20, // 29: daemon.StartedService.TriggerDebugCrash:input_type -> daemon.DebugCrashRequest
+	34, // 30: daemon.StartedService.TriggerOOMReport:input_type -> google.protobuf.Empty
+	21, // 31: daemon.StartedService.SubscribeConnections:input_type -> daemon.SubscribeConnectionsRequest
+	26, // 32: daemon.StartedService.CloseConnection:input_type -> daemon.CloseConnectionRequest
+	34, // 33: daemon.StartedService.CloseAllConnections:input_type -> google.protobuf.Empty
+	34, // 34: daemon.StartedService.GetDeprecatedWarnings:input_type -> google.protobuf.Empty
+	34, // 35: daemon.StartedService.GetStartedAt:input_type -> google.protobuf.Empty
+	34, // 36: daemon.StartedService.ListOutbounds:input_type -> google.protobuf.Empty
+	34, // 37: daemon.StartedService.SubscribeOutbounds:input_type -> google.protobuf.Empty
+	31, // 38: daemon.StartedService.StartNetworkQualityTest:input_type -> daemon.NetworkQualityTestRequest
+	34, // 39: daemon.StartedService.StopService:output_type -> google.protobuf.Empty
+	34, // 40: daemon.StartedService.ReloadService:output_type -> google.protobuf.Empty
+	4,  // 41: daemon.StartedService.SubscribeServiceStatus:output_type -> daemon.ServiceStatus
+	7,  // 42: daemon.StartedService.SubscribeLog:output_type -> daemon.Log
+	8,  // 43: daemon.StartedService.GetDefaultLogLevel:output_type -> daemon.DefaultLogLevel
+	34, // 44: daemon.StartedService.ClearLogs:output_type -> google.protobuf.Empty
+	9,  // 45: daemon.StartedService.SubscribeStatus:output_type -> daemon.Status
+	10, // 46: daemon.StartedService.SubscribeGroups:output_type -> daemon.Groups
+	17, // 47: daemon.StartedService.GetClashModeStatus:output_type -> daemon.ClashModeStatus
+	16, // 48: daemon.StartedService.SubscribeClashMode:output_type -> daemon.ClashMode
+	34, // 49: daemon.StartedService.SetClashMode:output_type -> google.protobuf.Empty
+	34, // 50: daemon.StartedService.URLTest:output_type -> google.protobuf.Empty
+	34, // 51: daemon.StartedService.SelectOutbound:output_type -> google.protobuf.Empty
+	34, // 52: daemon.StartedService.SetGroupExpand:output_type -> google.protobuf.Empty
+	18, // 53: daemon.StartedService.GetSystemProxyStatus:output_type -> daemon.SystemProxyStatus
+	34, // 54: daemon.StartedService.SetSystemProxyEnabled:output_type -> google.protobuf.Empty
+	34, // 55: daemon.StartedService.TriggerDebugCrash:output_type -> google.protobuf.Empty
+	34, // 56: daemon.StartedService.TriggerOOMReport:output_type -> google.protobuf.Empty
+	23, // 57: daemon.StartedService.SubscribeConnections:output_type -> daemon.ConnectionEvents
+	34, // 58: daemon.StartedService.CloseConnection:output_type -> google.protobuf.Empty
+	34, // 59: daemon.StartedService.CloseAllConnections:output_type -> google.protobuf.Empty
+	27, // 60: daemon.StartedService.GetDeprecatedWarnings:output_type -> daemon.DeprecatedWarnings
+	29, // 61: daemon.StartedService.GetStartedAt:output_type -> daemon.StartedAt
+	30, // 62: daemon.StartedService.ListOutbounds:output_type -> daemon.OutboundList
+	30, // 63: daemon.StartedService.SubscribeOutbounds:output_type -> daemon.OutboundList
+	32, // 64: daemon.StartedService.StartNetworkQualityTest:output_type -> daemon.NetworkQualityTestProgress
+	39, // [39:65] is the sub-list for method output_type
+	13, // [13:39] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }

 func init() { file_daemon_started_service_proto_init() }
@@ -2056,8 +2475,8 @@ func file_daemon_started_service_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_started_service_proto_rawDesc), len(file_daemon_started_service_proto_rawDesc)),
-			NumEnums:      3,
-			NumMessages:   26,
+			NumEnums:      4,
+			NumMessages:   30,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/daemon/started_service.proto
+++ b/daemon/started_service.proto
@@ -26,12 +26,18 @@ service StartedService {

  rpc GetSystemProxyStatus(google.protobuf.Empty) returns(SystemProxyStatus) {}
  rpc SetSystemProxyEnabled(SetSystemProxyEnabledRequest) returns(google.protobuf.Empty) {}
+  rpc TriggerDebugCrash(DebugCrashRequest) returns(google.protobuf.Empty) {}
+  rpc TriggerOOMReport(google.protobuf.Empty) returns(google.protobuf.Empty) {}

  rpc SubscribeConnections(SubscribeConnectionsRequest) returns(stream ConnectionEvents) {}
  rpc CloseConnection(CloseConnectionRequest) returns(google.protobuf.Empty) {}
  rpc CloseAllConnections(google.protobuf.Empty) returns(google.protobuf.Empty) {}
  rpc GetDeprecatedWarnings(google.protobuf.Empty) returns(DeprecatedWarnings) {}
  rpc GetStartedAt(google.protobuf.Empty) returns(StartedAt) {}
+
+  rpc ListOutbounds(google.protobuf.Empty) returns (OutboundList) {}
+  rpc SubscribeOutbounds(google.protobuf.Empty) returns (stream OutboundList) {}
+  rpc StartNetworkQualityTest(NetworkQualityTestRequest) returns (stream NetworkQualityTestProgress) {}
 }

 message ServiceStatus {
@@ -141,6 +147,15 @@ message SetSystemProxyEnabledRequest {
  bool enabled = 1;
 }

+message DebugCrashRequest {
+  enum Type {
+    GO = 0;
+    NATIVE = 1;
+  }
+
+  Type type = 1;
+}
+
 message SubscribeConnectionsRequest {
  int64 interval = 1;
 }
@@ -195,7 +210,7 @@ message ProcessInfo {
  int32 userId = 2;
  string userName = 3;
  string processPath = 4;
-  string packageName = 5;
+  repeated string packageNames = 5;
 }

 message CloseConnectionRequest {
@@ -210,8 +225,38 @@ message DeprecatedWarning {
  string message = 1;
  bool impending = 2;
  string migrationLink = 3;
+  string description = 4;
+  string deprecatedVersion = 5;
+  string scheduledVersion = 6;
 }

 message StartedAt {
  int64 startedAt = 1;
-}
+}
+
+message OutboundList {
+  repeated GroupItem outbounds = 1;
+}
+
+message NetworkQualityTestRequest {
+  string configURL = 1;
+  string outboundTag = 2;
+  bool serial = 3;
+  int32 maxRuntimeSeconds = 4;
+}
+
+message NetworkQualityTestProgress {
+  int32 phase = 1;
+  int64 downloadCapacity = 2;
+  int64 uploadCapacity = 3;
+  int32 downloadRPM = 4;
+  int32 uploadRPM = 5;
+  int32 idleLatencyMs = 6;
+  int64 elapsedMs = 7;
+  bool isFinal = 8;
+  string error = 9;
+  int32 downloadCapacityAccuracy = 10;
+  int32 uploadCapacityAccuracy = 11;
+  int32 downloadRPMAccuracy = 12;
+  int32 uploadRPMAccuracy = 13;
+}
--- a/daemon/started_service_grpc.pb.go
+++ b/daemon/started_service_grpc.pb.go
@@ -15,27 +15,32 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	StartedService_StopService_FullMethodName            = "/daemon.StartedService/StopService"
-	StartedService_ReloadService_FullMethodName          = "/daemon.StartedService/ReloadService"
-	StartedService_SubscribeServiceStatus_FullMethodName = "/daemon.StartedService/SubscribeServiceStatus"
-	StartedService_SubscribeLog_FullMethodName           = "/daemon.StartedService/SubscribeLog"
-	StartedService_GetDefaultLogLevel_FullMethodName     = "/daemon.StartedService/GetDefaultLogLevel"
-	StartedService_ClearLogs_FullMethodName              = "/daemon.StartedService/ClearLogs"
-	StartedService_SubscribeStatus_FullMethodName        = "/daemon.StartedService/SubscribeStatus"
-	StartedService_SubscribeGroups_FullMethodName        = "/daemon.StartedService/SubscribeGroups"
-	StartedService_GetClashModeStatus_FullMethodName     = "/daemon.StartedService/GetClashModeStatus"
-	StartedService_SubscribeClashMode_FullMethodName     = "/daemon.StartedService/SubscribeClashMode"
-	StartedService_SetClashMode_FullMethodName           = "/daemon.StartedService/SetClashMode"
-	StartedService_URLTest_FullMethodName                = "/daemon.StartedService/URLTest"
-	StartedService_SelectOutbound_FullMethodName         = "/daemon.StartedService/SelectOutbound"
-	StartedService_SetGroupExpand_FullMethodName         = "/daemon.StartedService/SetGroupExpand"
-	StartedService_GetSystemProxyStatus_FullMethodName   = "/daemon.StartedService/GetSystemProxyStatus"
-	StartedService_SetSystemProxyEnabled_FullMethodName  = "/daemon.StartedService/SetSystemProxyEnabled"
-	StartedService_SubscribeConnections_FullMethodName   = "/daemon.StartedService/SubscribeConnections"
-	StartedService_CloseConnection_FullMethodName        = "/daemon.StartedService/CloseConnection"
-	StartedService_CloseAllConnections_FullMethodName    = "/daemon.StartedService/CloseAllConnections"
-	StartedService_GetDeprecatedWarnings_FullMethodName  = "/daemon.StartedService/GetDeprecatedWarnings"
-	StartedService_GetStartedAt_FullMethodName           = "/daemon.StartedService/GetStartedAt"
+	StartedService_StopService_FullMethodName             = "/daemon.StartedService/StopService"
+	StartedService_ReloadService_FullMethodName           = "/daemon.StartedService/ReloadService"
+	StartedService_SubscribeServiceStatus_FullMethodName  = "/daemon.StartedService/SubscribeServiceStatus"
+	StartedService_SubscribeLog_FullMethodName            = "/daemon.StartedService/SubscribeLog"
+	StartedService_GetDefaultLogLevel_FullMethodName      = "/daemon.StartedService/GetDefaultLogLevel"
+	StartedService_ClearLogs_FullMethodName               = "/daemon.StartedService/ClearLogs"
+	StartedService_SubscribeStatus_FullMethodName         = "/daemon.StartedService/SubscribeStatus"
+	StartedService_SubscribeGroups_FullMethodName         = "/daemon.StartedService/SubscribeGroups"
+	StartedService_GetClashModeStatus_FullMethodName      = "/daemon.StartedService/GetClashModeStatus"
+	StartedService_SubscribeClashMode_FullMethodName      = "/daemon.StartedService/SubscribeClashMode"
+	StartedService_SetClashMode_FullMethodName            = "/daemon.StartedService/SetClashMode"
+	StartedService_URLTest_FullMethodName                 = "/daemon.StartedService/URLTest"
+	StartedService_SelectOutbound_FullMethodName          = "/daemon.StartedService/SelectOutbound"
+	StartedService_SetGroupExpand_FullMethodName          = "/daemon.StartedService/SetGroupExpand"
+	StartedService_GetSystemProxyStatus_FullMethodName    = "/daemon.StartedService/GetSystemProxyStatus"
+	StartedService_SetSystemProxyEnabled_FullMethodName   = "/daemon.StartedService/SetSystemProxyEnabled"
+	StartedService_TriggerDebugCrash_FullMethodName       = "/daemon.StartedService/TriggerDebugCrash"
+	StartedService_TriggerOOMReport_FullMethodName        = "/daemon.StartedService/TriggerOOMReport"
+	StartedService_SubscribeConnections_FullMethodName    = "/daemon.StartedService/SubscribeConnections"
+	StartedService_CloseConnection_FullMethodName         = "/daemon.StartedService/CloseConnection"
+	StartedService_CloseAllConnections_FullMethodName     = "/daemon.StartedService/CloseAllConnections"
+	StartedService_GetDeprecatedWarnings_FullMethodName   = "/daemon.StartedService/GetDeprecatedWarnings"
+	StartedService_GetStartedAt_FullMethodName            = "/daemon.StartedService/GetStartedAt"
+	StartedService_ListOutbounds_FullMethodName           = "/daemon.StartedService/ListOutbounds"
+	StartedService_SubscribeOutbounds_FullMethodName      = "/daemon.StartedService/SubscribeOutbounds"
+	StartedService_StartNetworkQualityTest_FullMethodName = "/daemon.StartedService/StartNetworkQualityTest"
 )

 // StartedServiceClient is the client API for StartedService service.
@@ -58,11 +63,16 @@ type StartedServiceClient interface {
 	SetGroupExpand(ctx context.Context, in *SetGroupExpandRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetSystemProxyStatus(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(ctx context.Context, in *SetSystemProxyEnabledRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error)
 	CloseConnection(ctx context.Context, in *CloseConnectionRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	CloseAllConnections(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*DeprecatedWarnings, error)
 	GetStartedAt(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*StartedAt, error)
+	ListOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*OutboundList, error)
+	SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error)
+	StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error)
 }

 type startedServiceClient struct {
@@ -278,6 +288,26 @@ func (c *startedServiceClient) SetSystemProxyEnabled(ctx context.Context, in *Se
 	return out, nil
 }

+func (c *startedServiceClient) TriggerDebugCrash(ctx context.Context, in *DebugCrashRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_TriggerDebugCrash_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *startedServiceClient) TriggerOOMReport(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, StartedService_TriggerOOMReport_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *startedServiceClient) SubscribeConnections(ctx context.Context, in *SubscribeConnectionsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[ConnectionEvents], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[5], StartedService_SubscribeConnections_FullMethodName, cOpts...)
@@ -337,6 +367,54 @@ func (c *startedServiceClient) GetStartedAt(ctx context.Context, in *emptypb.Emp
 	return out, nil
 }

+func (c *startedServiceClient) ListOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*OutboundList, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(OutboundList)
+	err := c.cc.Invoke(ctx, StartedService_ListOutbounds_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *startedServiceClient) SubscribeOutbounds(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (grpc.ServerStreamingClient[OutboundList], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[6], StartedService_SubscribeOutbounds_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[emptypb.Empty, OutboundList]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeOutboundsClient = grpc.ServerStreamingClient[OutboundList]
+
+func (c *startedServiceClient) StartNetworkQualityTest(ctx context.Context, in *NetworkQualityTestRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[NetworkQualityTestProgress], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &StartedService_ServiceDesc.Streams[7], StartedService_StartNetworkQualityTest_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_StartNetworkQualityTestClient = grpc.ServerStreamingClient[NetworkQualityTestProgress]
+
 // StartedServiceServer is the server API for StartedService service.
 // All implementations must embed UnimplementedStartedServiceServer
 // for forward compatibility.
@@ -357,11 +435,16 @@ type StartedServiceServer interface {
 	SetGroupExpand(context.Context, *SetGroupExpandRequest) (*emptypb.Empty, error)
 	GetSystemProxyStatus(context.Context, *emptypb.Empty) (*SystemProxyStatus, error)
 	SetSystemProxyEnabled(context.Context, *SetSystemProxyEnabledRequest) (*emptypb.Empty, error)
+	TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error)
+	TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error
 	CloseConnection(context.Context, *CloseConnectionRequest) (*emptypb.Empty, error)
 	CloseAllConnections(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	GetDeprecatedWarnings(context.Context, *emptypb.Empty) (*DeprecatedWarnings, error)
 	GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error)
+	ListOutbounds(context.Context, *emptypb.Empty) (*OutboundList, error)
+	SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error
+	StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error
 	mustEmbedUnimplementedStartedServiceServer()
 }

@@ -436,6 +519,14 @@ func (UnimplementedStartedServiceServer) SetSystemProxyEnabled(context.Context,
 	return nil, status.Error(codes.Unimplemented, "method SetSystemProxyEnabled not implemented")
 }

+func (UnimplementedStartedServiceServer) TriggerDebugCrash(context.Context, *DebugCrashRequest) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method TriggerDebugCrash not implemented")
+}
+
+func (UnimplementedStartedServiceServer) TriggerOOMReport(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
+	return nil, status.Error(codes.Unimplemented, "method TriggerOOMReport not implemented")
+}
+
 func (UnimplementedStartedServiceServer) SubscribeConnections(*SubscribeConnectionsRequest, grpc.ServerStreamingServer[ConnectionEvents]) error {
 	return status.Error(codes.Unimplemented, "method SubscribeConnections not implemented")
 }
@@ -455,6 +546,18 @@ func (UnimplementedStartedServiceServer) GetDeprecatedWarnings(context.Context,
 func (UnimplementedStartedServiceServer) GetStartedAt(context.Context, *emptypb.Empty) (*StartedAt, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetStartedAt not implemented")
 }
+
+func (UnimplementedStartedServiceServer) ListOutbounds(context.Context, *emptypb.Empty) (*OutboundList, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListOutbounds not implemented")
+}
+
+func (UnimplementedStartedServiceServer) SubscribeOutbounds(*emptypb.Empty, grpc.ServerStreamingServer[OutboundList]) error {
+	return status.Error(codes.Unimplemented, "method SubscribeOutbounds not implemented")
+}
+
+func (UnimplementedStartedServiceServer) StartNetworkQualityTest(*NetworkQualityTestRequest, grpc.ServerStreamingServer[NetworkQualityTestProgress]) error {
+	return status.Error(codes.Unimplemented, "method StartNetworkQualityTest not implemented")
+}
 func (UnimplementedStartedServiceServer) mustEmbedUnimplementedStartedServiceServer() {}
 func (UnimplementedStartedServiceServer) testEmbeddedByValue()                        {}

@@ -729,6 +832,42 @@ func _StartedService_SetSystemProxyEnabled_Handler(srv interface{}, ctx context.
 	return interceptor(ctx, in, info, handler)
 }

+func _StartedService_TriggerDebugCrash_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DebugCrashRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_TriggerDebugCrash_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).TriggerDebugCrash(ctx, req.(*DebugCrashRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _StartedService_TriggerOOMReport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).TriggerOOMReport(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_TriggerOOMReport_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).TriggerOOMReport(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _StartedService_SubscribeConnections_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeConnectionsRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -812,6 +951,46 @@ func _StartedService_GetStartedAt_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

+func _StartedService_ListOutbounds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StartedServiceServer).ListOutbounds(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StartedService_ListOutbounds_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StartedServiceServer).ListOutbounds(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _StartedService_SubscribeOutbounds_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(emptypb.Empty)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(StartedServiceServer).SubscribeOutbounds(m, &grpc.GenericServerStream[emptypb.Empty, OutboundList]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_SubscribeOutboundsServer = grpc.ServerStreamingServer[OutboundList]
+
+func _StartedService_StartNetworkQualityTest_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(NetworkQualityTestRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(StartedServiceServer).StartNetworkQualityTest(m, &grpc.GenericServerStream[NetworkQualityTestRequest, NetworkQualityTestProgress]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type StartedService_StartNetworkQualityTestServer = grpc.ServerStreamingServer[NetworkQualityTestProgress]
+
 // StartedService_ServiceDesc is the grpc.ServiceDesc for StartedService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -863,6 +1042,14 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetSystemProxyEnabled",
 			Handler:    _StartedService_SetSystemProxyEnabled_Handler,
 		},
+		{
+			MethodName: "TriggerDebugCrash",
+			Handler:    _StartedService_TriggerDebugCrash_Handler,
+		},
+		{
+			MethodName: "TriggerOOMReport",
+			Handler:    _StartedService_TriggerOOMReport_Handler,
+		},
 		{
 			MethodName: "CloseConnection",
 			Handler:    _StartedService_CloseConnection_Handler,
@@ -879,6 +1066,10 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetStartedAt",
 			Handler:    _StartedService_GetStartedAt_Handler,
 		},
+		{
+			MethodName: "ListOutbounds",
+			Handler:    _StartedService_ListOutbounds_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
@@ -911,6 +1102,16 @@ var StartedService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _StartedService_SubscribeConnections_Handler,
 			ServerStreams: true,
 		},
+		{
+			StreamName:    "SubscribeOutbounds",
+			Handler:       _StartedService_SubscribeOutbounds_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "StartNetworkQualityTest",
+			Handler:       _StartedService_StartNetworkQualityTest_Handler,
+			ServerStreams: true,
+		},
 	},
 	Metadata: "daemon/started_service.proto",
 }
--- a/dns/client.go
+++ b/dns/client.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"net"
 	"net/netip"
-	"strings"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -14,7 +13,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
@@ -109,7 +107,7 @@ func extractNegativeTTL(response *dns.Msg) (uint32, bool) {
 	return 0, false
 }

-func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error) {
+func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, message *dns.Msg, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) (*dns.Msg, error) {
 	if len(message.Question) == 0 {
 		if c.logger != nil {
 			c.logger.WarnContext(ctx, "bad question size: ", len(message.Question))
@@ -239,13 +237,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	disableCache = disableCache || (response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError)
 	if responseChecker != nil {
 		var rejected bool
-		// TODO: add accept_any rule and support to check response instead of addresses
 		if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 			rejected = true
-		} else if len(response.Answer) == 0 {
-			rejected = !responseChecker(nil)
 		} else {
-			rejected = !responseChecker(MessageToAddresses(response))
+			rejected = !responseChecker(response)
 		}
 		if rejected {
 			if !disableCache && c.rdrc != nil {
@@ -315,7 +310,7 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 	return response, nil
 }

-func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
 	var strategy C.DomainStrategy
@@ -324,16 +319,20 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	} else {
 		strategy = options.Strategy
 	}
+	lookupOptions := options
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
 	if strategy == C.DomainStrategyIPv4Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 	} else if strategy == C.DomainStrategyIPv6Only {
-		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 	}
 	var response4 []netip.Addr
 	var response6 []netip.Addr
 	var group task.Group
 	group.Append("exchange4", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -341,7 +340,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 		return nil
 	})
 	group.Append("exchange6", func(ctx context.Context) error {
-		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
+		response, err := c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, lookupOptions, responseChecker)
 		if err != nil {
 			return err
 		}
@@ -396,7 +395,7 @@ func (c *Client) storeCache(transport adapter.DNSTransport, question dns.Questio
 	}
 }

-func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
+func (c *Client) lookupToExchange(ctx context.Context, transport adapter.DNSTransport, name string, qType uint16, options adapter.DNSQueryOptions, responseChecker func(response *dns.Msg) bool) ([]netip.Addr, error) {
 	question := dns.Question{
 		Name:   name,
 		Qtype:  qType,
@@ -511,25 +510,7 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }

 func MessageToAddresses(response *dns.Msg) []netip.Addr {
-	if response == nil || response.Rcode != dns.RcodeSuccess {
-		return nil
-	}
-	addresses := make([]netip.Addr, 0, len(response.Answer))
-	for _, rawAnswer := range response.Answer {
-		switch answer := rawAnswer.(type) {
-		case *dns.A:
-			addresses = append(addresses, M.AddrFromIP(answer.A))
-		case *dns.AAAA:
-			addresses = append(addresses, M.AddrFromIP(answer.AAAA))
-		case *dns.HTTPS:
-			for _, value := range answer.SVCB.Value {
-				if value.Key() == dns.SVCB_IPV4HINT || value.Key() == dns.SVCB_IPV6HINT {
-					addresses = append(addresses, common.Map(strings.Split(value.String(), ","), M.ParseAddr)...)
-				}
-			}
-		}
-	}
-	return addresses
+	return adapter.DNSResponseAddresses(response)
 }

 func wrapError(err error) error {
--- a/dns/repro_test.go
+++ b/dns/repro_test.go
@@ -0,0 +1,111 @@
+package dns
+
+import (
+	"context"
+	"net/netip"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json/badoption"
+
+	mDNS "github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReproLookupWithRulesUsesRequestStrategy(t *testing.T) {
+	t.Parallel()
+
+	defaultTransport := &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP}
+	var qTypes []uint16
+	router := newTestRouter(t, nil, &fakeDNSTransportManager{
+		defaultTransport: defaultTransport,
+		transports: map[string]adapter.DNSTransport{
+			"default": defaultTransport,
+		},
+	}, &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			qTypes = append(qTypes, message.Question[0].Qtype)
+			if message.Question[0].Qtype == mDNS.TypeA {
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2.2.2.2")}, 60), nil
+			}
+			return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("2001:db8::1")}, 60), nil
+		},
+	})
+
+	addresses, err := router.Lookup(context.Background(), "example.com", adapter.DNSQueryOptions{
+		Strategy: C.DomainStrategyIPv4Only,
+	})
+	require.NoError(t, err)
+	require.Equal(t, []uint16{mDNS.TypeA}, qTypes)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("2.2.2.2")}, addresses)
+}
+
+func TestReproLogicalMatchResponseIPCIDR(t *testing.T) {
+	t.Parallel()
+
+	transportManager := &fakeDNSTransportManager{
+		defaultTransport: &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		transports: map[string]adapter.DNSTransport{
+			"upstream": &fakeDNSTransport{tag: "upstream", transportType: C.DNSTypeUDP},
+			"selected": &fakeDNSTransport{tag: "selected", transportType: C.DNSTypeUDP},
+			"default":  &fakeDNSTransport{tag: "default", transportType: C.DNSTypeUDP},
+		},
+	}
+	client := &fakeDNSClient{
+		exchange: func(transport adapter.DNSTransport, message *mDNS.Msg) (*mDNS.Msg, error) {
+			switch transport.Tag() {
+			case "upstream":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("1.1.1.1")}, 60), nil
+			case "selected":
+				return FixedResponse(0, message.Question[0], []netip.Addr{netip.MustParseAddr("8.8.8.8")}, 60), nil
+			default:
+				return nil, E.New("unexpected transport")
+			}
+		},
+	}
+	rules := []option.DNSRule{
+		{
+			Type: C.RuleTypeDefault,
+			DefaultOptions: option.DefaultDNSRule{
+				RawDefaultDNSRule: option.RawDefaultDNSRule{
+					Domain: badoption.Listable[string]{"example.com"},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeEvaluate,
+					RouteOptions: option.DNSRouteActionOptions{Server: "upstream"},
+				},
+			},
+		},
+		{
+			Type: C.RuleTypeLogical,
+			LogicalOptions: option.LogicalDNSRule{
+				RawLogicalDNSRule: option.RawLogicalDNSRule{
+					Mode: C.LogicalTypeOr,
+					Rules: []option.DNSRule{{
+						Type: C.RuleTypeDefault,
+						DefaultOptions: option.DefaultDNSRule{
+							RawDefaultDNSRule: option.RawDefaultDNSRule{
+								MatchResponse: true,
+								IPCIDR:        badoption.Listable[string]{"1.1.1.0/24"},
+							},
+						},
+					}},
+				},
+				DNSRuleAction: option.DNSRuleAction{
+					Action:       C.RuleActionTypeRoute,
+					RouteOptions: option.DNSRouteActionOptions{Server: "selected"},
+				},
+			},
+		},
+	}
+	router := newTestRouter(t, rules, transportManager, client)
+
+	response, err := router.Exchange(context.Background(), &mDNS.Msg{
+		Question: []mDNS.Question{fixedQuestion("example.com", mDNS.TypeA)},
+	}, adapter.DNSQueryOptions{})
+	require.NoError(t, err)
+	require.Equal(t, []netip.Addr{netip.MustParseAddr("8.8.8.8")}, MessageToAddresses(response))
+}
--- a/dns/router.go
+++ b/dns/router.go
@@ -5,11 +5,13 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
+	"sync"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	R "github.com/sagernet/sing-box/route/rule"
@@ -19,6 +21,7 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/contrab/freelru"
 	"github.com/sagernet/sing/contrab/maphash"
 	"github.com/sagernet/sing/service"
@@ -26,7 +29,10 @@ import (
 	mDNS "github.com/miekg/dns"
 )

-var _ adapter.DNSRouter = (*Router)(nil)
+var (
+	_ adapter.DNSRouter                 = (*Router)(nil)
+	_ adapter.DNSRuleSetUpdateValidator = (*Router)(nil)
+)

 type Router struct {
 	ctx                   context.Context
@@ -34,10 +40,15 @@ type Router struct {
 	transport             adapter.DNSTransportManager
 	outbound              adapter.OutboundManager
 	client                adapter.DNSClient
+	rawRules              []option.DNSRule
 	rules                 []adapter.DNSRule
 	defaultDomainStrategy C.DomainStrategy
 	dnsReverseMapping     freelru.Cache[netip.Addr, string]
 	platformInterface     adapter.PlatformInterface
+	legacyDNSMode         bool
+	rulesAccess           sync.RWMutex
+	started               bool
+	closing               bool
 }

 func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOptions) *Router {
@@ -46,6 +57,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		logger:                logFactory.NewLogger("dns"),
 		transport:             service.FromContext[adapter.DNSTransportManager](ctx),
 		outbound:              service.FromContext[adapter.OutboundManager](ctx),
+		rawRules:              make([]option.DNSRule, 0, len(options.Rules)),
 		rules:                 make([]adapter.DNSRule, 0, len(options.Rules)),
 		defaultDomainStrategy: C.DomainStrategy(options.Strategy),
 	}
@@ -74,13 +86,12 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 }

 func (r *Router) Initialize(rules []option.DNSRule) error {
-	for i, ruleOptions := range rules {
-		dnsRule, err := R.NewDNSRule(r.ctx, r.logger, ruleOptions, true)
-		if err != nil {
-			return E.Cause(err, "parse dns rule[", i, "]")
-		}
-		r.rules = append(r.rules, dnsRule)
+	r.rawRules = append(r.rawRules[:0], rules...)
+	newRules, _, _, err := r.buildRules(false)
+	if err != nil {
+		return err
 	}
+	closeRules(newRules)
 	return nil
 }

@@ -92,32 +103,146 @@ func (r *Router) Start(stage adapter.StartStage) error {
 		r.client.Start()
 		monitor.Finish()

-		for i, rule := range r.rules {
-			monitor.Start("initialize DNS rule[", i, "]")
-			err := rule.Start()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "initialize DNS rule[", i, "]")
-			}
+		monitor.Start("initialize DNS rules")
+		newRules, legacyDNSMode, modeFlags, err := r.buildRules(true)
+		monitor.Finish()
+		if err != nil {
+			return err
+		}
+		r.rulesAccess.Lock()
+		if r.closing {
+			r.rulesAccess.Unlock()
+			closeRules(newRules)
+			return nil
+		}
+		r.rules = newRules
+		r.legacyDNSMode = legacyDNSMode
+		r.started = true
+		r.rulesAccess.Unlock()
+		if legacyDNSMode && common.Any(newRules, func(rule adapter.DNSRule) bool { return rule.WithAddressLimit() }) {
+			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSAddressFilter)
+		}
+		if legacyDNSMode && modeFlags.neededFromStrategy {
+			deprecated.Report(r.ctx, deprecated.OptionLegacyDNSRuleStrategy)
 		}
 	}
 	return nil
 }

 func (r *Router) Close() error {
-	monitor := taskmonitor.New(r.logger, C.StopTimeout)
-	var err error
-	for i, rule := range r.rules {
-		monitor.Start("close dns rule[", i, "]")
-		err = E.Append(err, rule.Close(), func(err error) error {
-			return E.Cause(err, "close dns rule[", i, "]")
-		})
-		monitor.Finish()
+	r.rulesAccess.Lock()
+	if r.closing {
+		r.rulesAccess.Unlock()
+		return nil
 	}
-	return err
+	r.closing = true
+	runtimeRules := r.rules
+	r.rules = nil
+	r.rulesAccess.Unlock()
+	closeRules(runtimeRules)
+	return nil
 }

-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
+func (r *Router) buildRules(startRules bool) ([]adapter.DNSRule, bool, dnsRuleModeFlags, error) {
+	for i, ruleOptions := range r.rawRules {
+		err := R.ValidateNoNestedDNSRuleActions(ruleOptions)
+		if err != nil {
+			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+		}
+	}
+	router := service.FromContext[adapter.Router](r.ctx)
+	legacyDNSMode, modeFlags, err := resolveLegacyDNSMode(router, r.rawRules, nil)
+	if err != nil {
+		return nil, false, dnsRuleModeFlags{}, err
+	}
+	if !legacyDNSMode {
+		err = validateLegacyDNSModeDisabledRules(r.rawRules)
+		if err != nil {
+			return nil, false, dnsRuleModeFlags{}, err
+		}
+	}
+	err = validateEvaluateFakeIPRules(r.rawRules, r.transport)
+	if err != nil {
+		return nil, false, dnsRuleModeFlags{}, err
+	}
+	newRules := make([]adapter.DNSRule, 0, len(r.rawRules))
+	for i, ruleOptions := range r.rawRules {
+		var dnsRule adapter.DNSRule
+		dnsRule, err = R.NewDNSRule(r.ctx, r.logger, ruleOptions, true, legacyDNSMode)
+		if err != nil {
+			closeRules(newRules)
+			return nil, false, dnsRuleModeFlags{}, E.Cause(err, "parse dns rule[", i, "]")
+		}
+		newRules = append(newRules, dnsRule)
+	}
+	if startRules {
+		for i, rule := range newRules {
+			err = rule.Start()
+			if err != nil {
+				closeRules(newRules)
+				return nil, false, dnsRuleModeFlags{}, E.Cause(err, "initialize DNS rule[", i, "]")
+			}
+		}
+	}
+	return newRules, legacyDNSMode, modeFlags, nil
+}
+
+func closeRules(rules []adapter.DNSRule) {
+	for _, rule := range rules {
+		_ = rule.Close()
+	}
+}
+
+func (r *Router) ValidateRuleSetMetadataUpdate(tag string, metadata adapter.RuleSetMetadata) error {
+	if len(r.rawRules) == 0 {
+		return nil
+	}
+	router := service.FromContext[adapter.Router](r.ctx)
+	if router == nil {
+		return E.New("router service not found")
+	}
+	overrides := map[string]adapter.RuleSetMetadata{
+		tag: metadata,
+	}
+	r.rulesAccess.RLock()
+	started := r.started
+	legacyDNSMode := r.legacyDNSMode
+	closing := r.closing
+	r.rulesAccess.RUnlock()
+	if closing {
+		return nil
+	}
+	if !started {
+		candidateLegacyDNSMode, _, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
+		if err != nil {
+			return err
+		}
+		if !candidateLegacyDNSMode {
+			return validateLegacyDNSModeDisabledRules(r.rawRules)
+		}
+		return nil
+	}
+	candidateLegacyDNSMode, flags, err := resolveLegacyDNSMode(router, r.rawRules, overrides)
+	if err != nil {
+		return err
+	}
+	if legacyDNSMode {
+		if !candidateLegacyDNSMode && flags.disabled {
+			err := validateLegacyDNSModeDisabledRules(r.rawRules)
+			if err != nil {
+				return err
+			}
+			return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+		}
+		return nil
+	}
+	if candidateLegacyDNSMode {
+		return E.New(deprecated.OptionLegacyDNSAddressFilter.MessageWithLink())
+	}
+	return nil
+}
+
+func (r *Router) matchDNS(ctx context.Context, rules []adapter.DNSRule, allowFakeIP bool, ruleIndex int, isAddressQuery bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
@@ -126,22 +251,18 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 	if ruleIndex != -1 {
 		currentRuleIndex = ruleIndex + 1
 	}
-	for ; currentRuleIndex < len(r.rules); currentRuleIndex++ {
-		currentRule := r.rules[currentRuleIndex]
+	for ; currentRuleIndex < len(rules); currentRuleIndex++ {
+		currentRule := rules[currentRuleIndex]
 		if currentRule.WithAddressLimit() && !isAddressQuery {
 			continue
 		}
 		metadata.ResetRuleCache()
-		if currentRule.Match(metadata) {
-			displayRuleIndex := currentRuleIndex
-			if displayRuleIndex != -1 {
-				displayRuleIndex += displayRuleIndex + 1
-			}
-			ruleDescription := currentRule.String()
-			if ruleDescription != "" {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] ", currentRule, " => ", currentRule.Action())
+		metadata.DestinationAddressMatchFromResponse = false
+		if currentRule.LegacyPreMatch(metadata) {
+			if ruleDescription := currentRule.String(); ruleDescription != "" {
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] ", currentRule, " => ", currentRule.Action())
 			} else {
-				r.logger.DebugContext(ctx, "match[", displayRuleIndex, "] => ", currentRule.Action())
+				r.logger.DebugContext(ctx, "match[", currentRuleIndex, "] => ", currentRule.Action())
 			}
 			switch action := currentRule.Action().(type) {
 			case *R.RuleActionDNSRoute:
@@ -166,14 +287,6 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 				if action.ClientSubnet.IsValid() {
 					options.ClientSubnet = action.ClientSubnet
 				}
-				if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-					if options.Strategy == C.DomainStrategyAsIS {
-						options.Strategy = legacyTransport.LegacyStrategy()
-					}
-					if !options.ClientSubnet.IsValid() {
-						options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-					}
-				}
 				return transport, currentRule, currentRuleIndex
 			case *R.RuleActionDNSRouteOptions:
 				if action.Strategy != C.DomainStrategyAsIS {
@@ -195,7 +308,271 @@ func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, ruleIndex int,
 			}
 		}
 	}
-	return r.transport.Default(), nil, -1
+	transport := r.transport.Default()
+	return transport, nil, -1
+}
+
+func (r *Router) applyDNSRouteOptions(options *adapter.DNSQueryOptions, routeOptions R.RuleActionDNSRouteOptions) {
+	// Strategy is intentionally skipped here. A non-default DNS rule action strategy
+	// forces legacy mode via resolveLegacyDNSMode, so this path is only reachable
+	// when strategy remains at its default value.
+	if routeOptions.DisableCache {
+		options.DisableCache = true
+	}
+	if routeOptions.RewriteTTL != nil {
+		options.RewriteTTL = routeOptions.RewriteTTL
+	}
+	if routeOptions.ClientSubnet.IsValid() {
+		options.ClientSubnet = routeOptions.ClientSubnet
+	}
+}
+
+type dnsRouteStatus uint8
+
+const (
+	dnsRouteStatusMissing dnsRouteStatus = iota
+	dnsRouteStatusSkipped
+	dnsRouteStatusResolved
+)
+
+func (r *Router) resolveDNSRoute(server string, routeOptions R.RuleActionDNSRouteOptions, allowFakeIP bool, options *adapter.DNSQueryOptions) (adapter.DNSTransport, dnsRouteStatus) {
+	transport, loaded := r.transport.Transport(server)
+	if !loaded {
+		return nil, dnsRouteStatusMissing
+	}
+	isFakeIP := transport.Type() == C.DNSTypeFakeIP
+	if isFakeIP && !allowFakeIP {
+		return transport, dnsRouteStatusSkipped
+	}
+	r.applyDNSRouteOptions(options, routeOptions)
+	if isFakeIP {
+		options.DisableCache = true
+	}
+	return transport, dnsRouteStatusResolved
+}
+
+func (r *Router) logRuleMatch(ctx context.Context, ruleIndex int, currentRule adapter.DNSRule) {
+	if ruleDescription := currentRule.String(); ruleDescription != "" {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] ", currentRule, " => ", currentRule.Action())
+	} else {
+		r.logger.DebugContext(ctx, "match[", ruleIndex, "] => ", currentRule.Action())
+	}
+}
+
+type exchangeWithRulesResult struct {
+	response     *mDNS.Msg
+	transport    adapter.DNSTransport
+	rejectAction *R.RuleActionReject
+	err          error
+}
+
+const dnsRespondMissingResponseMessage = "respond action requires an evaluated response from a preceding evaluate action"
+
+func (r *Router) exchangeWithRules(ctx context.Context, rules []adapter.DNSRule, message *mDNS.Msg, options adapter.DNSQueryOptions, allowFakeIP bool) exchangeWithRulesResult {
+	metadata := adapter.ContextFrom(ctx)
+	if metadata == nil {
+		panic("no context")
+	}
+	effectiveOptions := options
+	var evaluatedResponse *mDNS.Msg
+	var evaluatedTransport adapter.DNSTransport
+	for currentRuleIndex, currentRule := range rules {
+		metadata.ResetRuleCache()
+		metadata.DNSResponse = evaluatedResponse
+		metadata.DestinationAddressMatchFromResponse = false
+		if !currentRule.Match(metadata) {
+			continue
+		}
+		r.logRuleMatch(ctx, currentRuleIndex, currentRule)
+		switch action := currentRule.Action().(type) {
+		case *R.RuleActionDNSRouteOptions:
+			r.applyDNSRouteOptions(&effectiveOptions, *action)
+		case *R.RuleActionEvaluate:
+			queryOptions := effectiveOptions
+			transport, loaded := r.transport.Transport(action.Server)
+			if !loaded {
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				evaluatedResponse = nil
+				evaluatedTransport = nil
+				continue
+			}
+			r.applyDNSRouteOptions(&queryOptions, action.RuleActionDNSRouteOptions)
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			if err != nil {
+				r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
+				evaluatedResponse = nil
+				evaluatedTransport = nil
+				continue
+			}
+			evaluatedResponse = response
+			evaluatedTransport = transport
+		case *R.RuleActionRespond:
+			if evaluatedResponse == nil {
+				return exchangeWithRulesResult{
+					err: E.New(dnsRespondMissingResponseMessage),
+				}
+			}
+			return exchangeWithRulesResult{
+				response:  evaluatedResponse,
+				transport: evaluatedTransport,
+			}
+		case *R.RuleActionDNSRoute:
+			queryOptions := effectiveOptions
+			transport, status := r.resolveDNSRoute(action.Server, action.RuleActionDNSRouteOptions, allowFakeIP, &queryOptions)
+			switch status {
+			case dnsRouteStatusMissing:
+				r.logger.ErrorContext(ctx, "transport not found: ", action.Server)
+				continue
+			case dnsRouteStatusSkipped:
+				continue
+			}
+			exchangeOptions := queryOptions
+			if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+				exchangeOptions.Strategy = r.defaultDomainStrategy
+			}
+			response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+			return exchangeWithRulesResult{
+				response:  response,
+				transport: transport,
+				err:       err,
+			}
+		case *R.RuleActionReject:
+			switch action.Method {
+			case C.RuleActionRejectMethodDefault:
+				return exchangeWithRulesResult{
+					response: &mDNS.Msg{
+						MsgHdr: mDNS.MsgHdr{
+							Id:       message.Id,
+							Rcode:    mDNS.RcodeRefused,
+							Response: true,
+						},
+						Question: []mDNS.Question{message.Question[0]},
+					},
+					rejectAction: action,
+				}
+			case C.RuleActionRejectMethodDrop:
+				return exchangeWithRulesResult{
+					rejectAction: action,
+					err:          tun.ErrDrop,
+				}
+			}
+		case *R.RuleActionPredefined:
+			return exchangeWithRulesResult{
+				response: action.Response(message),
+			}
+		}
+	}
+	transport := r.transport.Default()
+	exchangeOptions := effectiveOptions
+	if exchangeOptions.Strategy == C.DomainStrategyAsIS {
+		exchangeOptions.Strategy = r.defaultDomainStrategy
+	}
+	response, err := r.client.Exchange(adapter.OverrideContext(ctx), transport, message, exchangeOptions, nil)
+	return exchangeWithRulesResult{
+		response:  response,
+		transport: transport,
+		err:       err,
+	}
+}
+
+func (r *Router) resolveLookupStrategy(options adapter.DNSQueryOptions) C.DomainStrategy {
+	if options.LookupStrategy != C.DomainStrategyAsIS {
+		return options.LookupStrategy
+	}
+	if options.Strategy != C.DomainStrategyAsIS {
+		return options.Strategy
+	}
+	return r.defaultDomainStrategy
+}
+
+func withLookupQueryMetadata(ctx context.Context, qType uint16) context.Context {
+	ctx, metadata := adapter.ExtendContext(ctx)
+	metadata.QueryType = qType
+	metadata.IPVersion = 0
+	switch qType {
+	case mDNS.TypeA:
+		metadata.IPVersion = 4
+	case mDNS.TypeAAAA:
+		metadata.IPVersion = 6
+	}
+	return ctx
+}
+
+func filterAddressesByQueryType(addresses []netip.Addr, qType uint16) []netip.Addr {
+	switch qType {
+	case mDNS.TypeA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is4()
+		})
+	case mDNS.TypeAAAA:
+		return common.Filter(addresses, func(address netip.Addr) bool {
+			return address.Is6()
+		})
+	default:
+		return addresses
+	}
+}
+
+func (r *Router) lookupWithRules(ctx context.Context, rules []adapter.DNSRule, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	strategy := r.resolveLookupStrategy(options)
+	lookupOptions := options
+	if strategy != C.DomainStrategyAsIS {
+		lookupOptions.Strategy = strategy
+	}
+	if strategy == C.DomainStrategyIPv4Only {
+		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+	}
+	if strategy == C.DomainStrategyIPv6Only {
+		return r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+	}
+	var (
+		response4 []netip.Addr
+		response6 []netip.Addr
+	)
+	var group task.Group
+	group.Append("exchange4", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeA, lookupOptions)
+		response4 = result
+		return err
+	})
+	group.Append("exchange6", func(ctx context.Context) error {
+		result, err := r.lookupWithRulesType(ctx, rules, domain, mDNS.TypeAAAA, lookupOptions)
+		response6 = result
+		return err
+	})
+	err := group.Run(ctx)
+	if len(response4) == 0 && len(response6) == 0 {
+		return nil, err
+	}
+	return sortAddresses(response4, response6, strategy), nil
+}
+
+func (r *Router) lookupWithRulesType(ctx context.Context, rules []adapter.DNSRule, domain string, qType uint16, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	request := &mDNS.Msg{
+		MsgHdr: mDNS.MsgHdr{
+			RecursionDesired: true,
+		},
+		Question: []mDNS.Question{{
+			Name:   mDNS.Fqdn(domain),
+			Qtype:  qType,
+			Qclass: mDNS.ClassINET,
+		}},
+	}
+	exchangeResult := r.exchangeWithRules(withLookupQueryMetadata(ctx, qType), rules, request, options, false)
+	if exchangeResult.rejectAction != nil {
+		return nil, exchangeResult.rejectAction.Error(ctx)
+	}
+	if exchangeResult.err != nil {
+		return nil, exchangeResult.err
+	}
+	if exchangeResult.response.Rcode != mDNS.RcodeSuccess {
+		return nil, RcodeError(exchangeResult.response.Rcode)
+	}
+	return filterAddressesByQueryType(MessageToAddresses(exchangeResult.response), qType), nil
 }

 func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapter.DNSQueryOptions) (*mDNS.Msg, error) {
@@ -211,6 +588,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		}
 		return &responseMessage, nil
 	}
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
+	if r.closing {
+		return nil, E.New("dns router closed")
+	}
+	rules := r.rules
+	legacyDNSMode := r.legacyDNSMode
 	r.logger.DebugContext(ctx, "exchange ", FormatQuestion(message.Question[0].String()))
 	var (
 		response  *mDNS.Msg
@@ -221,6 +605,8 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	ctx, metadata = adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.QueryType = message.Question[0].Qtype
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	switch metadata.QueryType {
 	case mDNS.TypeA:
 		metadata.IPVersion = 4
@@ -230,18 +616,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 	metadata.Domain = FqdnToDomain(message.Question[0].Name)
 	if options.Transport != nil {
 		transport = options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = legacyTransport.LegacyStrategy()
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		response, err = r.client.Exchange(ctx, transport, message, options, nil)
+	} else if !legacyDNSMode {
+		exchangeResult := r.exchangeWithRules(ctx, rules, message, options, true)
+		response, transport, err = exchangeResult.response, exchangeResult.transport, exchangeResult.err
 	} else {
 		var (
 			rule      adapter.DNSRule
@@ -251,7 +632,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
 			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex, isAddressQuery(message), &dnsOptions)
+			transport, rule, ruleIndex = r.matchDNS(ctx, rules, true, ruleIndex, isAddressQuery(message), &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
@@ -269,7 +650,9 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 						return nil, tun.ErrDrop
 					}
 				case *R.RuleActionPredefined:
-					return action.Response(message), nil
+					err = nil
+					response = action.Response(message)
+					goto done
 				}
 			}
 			responseCheck := addressLimitResponseCheck(rule, metadata)
@@ -297,6 +680,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 			break
 		}
 	}
+done:
 	if err != nil {
 		return nil, err
 	}
@@ -316,6 +700,13 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 }

 func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQueryOptions) ([]netip.Addr, error) {
+	r.rulesAccess.RLock()
+	defer r.rulesAccess.RUnlock()
+	if r.closing {
+		return nil, E.New("dns router closed")
+	}
+	rules := r.rules
+	legacyDNSMode := r.legacyDNSMode
 	var (
 		responseAddrs []netip.Addr
 		err           error
@@ -329,6 +720,8 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, ErrResponseRejected) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain)
+			} else if R.IsRejected(err) {
+				r.logger.DebugContext(ctx, "lookup rejected for ", domain)
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
@@ -341,20 +734,16 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 	ctx, metadata := adapter.ExtendContext(ctx)
 	metadata.Destination = M.Socksaddr{}
 	metadata.Domain = FqdnToDomain(domain)
+	metadata.DNSResponse = nil
+	metadata.DestinationAddressMatchFromResponse = false
 	if options.Transport != nil {
 		transport := options.Transport
-		if legacyTransport, isLegacy := transport.(adapter.LegacyDNSTransport); isLegacy {
-			if options.Strategy == C.DomainStrategyAsIS {
-				options.Strategy = r.defaultDomainStrategy
-			}
-			if !options.ClientSubnet.IsValid() {
-				options.ClientSubnet = legacyTransport.LegacyClientSubnet()
-			}
-		}
 		if options.Strategy == C.DomainStrategyAsIS {
 			options.Strategy = r.defaultDomainStrategy
 		}
 		responseAddrs, err = r.client.Lookup(ctx, transport, domain, options, nil)
+	} else if !legacyDNSMode {
+		responseAddrs, err = r.lookupWithRules(ctx, rules, domain, options)
 	} else {
 		var (
 			transport adapter.DNSTransport
@@ -365,7 +754,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		for {
 			dnsCtx := adapter.OverrideContext(ctx)
 			dnsOptions := options
-			transport, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex, true, &dnsOptions)
+			transport, rule, ruleIndex = r.matchDNS(ctx, rules, false, ruleIndex, true, &dnsOptions)
 			if rule != nil {
 				switch action := rule.Action().(type) {
 				case *R.RuleActionReject:
@@ -416,15 +805,14 @@ func isAddressQuery(message *mDNS.Msg) bool {
 	return false
 }

-func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(responseAddrs []netip.Addr) bool {
+func addressLimitResponseCheck(rule adapter.DNSRule, metadata *adapter.InboundContext) func(response *mDNS.Msg) bool {
 	if rule == nil || !rule.WithAddressLimit() {
 		return nil
 	}
 	responseMetadata := *metadata
-	return func(responseAddrs []netip.Addr) bool {
+	return func(response *mDNS.Msg) bool {
 		checkMetadata := responseMetadata
-		checkMetadata.DestinationAddresses = responseAddrs
-		return rule.MatchAddressLimit(&checkMetadata)
+		return rule.MatchAddressLimit(&checkMetadata, response)
 	}
 }

@@ -449,3 +837,268 @@ func (r *Router) ResetNetwork() {
 		transport.Reset()
 	}
 }
+
+func defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule option.DefaultDNSRule) bool {
+	if rule.IPAcceptAny || rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return true
+	}
+	return !rule.MatchResponse && (len(rule.IPCIDR) > 0 || rule.IPIsPrivate)
+}
+
+func hasResponseMatchFields(rule option.DefaultDNSRule) bool {
+	return rule.ResponseRcode != nil ||
+		len(rule.ResponseAnswer) > 0 ||
+		len(rule.ResponseNs) > 0 ||
+		len(rule.ResponseExtra) > 0
+}
+
+func defaultRuleDisablesLegacyDNSMode(rule option.DefaultDNSRule) bool {
+	return rule.MatchResponse ||
+		hasResponseMatchFields(rule) ||
+		rule.Action == C.RuleActionTypeEvaluate ||
+		rule.Action == C.RuleActionTypeRespond ||
+		rule.IPVersion > 0 ||
+		len(rule.QueryType) > 0
+}
+
+type dnsRuleModeFlags struct {
+	disabled           bool
+	needed             bool
+	neededFromStrategy bool
+}
+
+func (f *dnsRuleModeFlags) merge(other dnsRuleModeFlags) {
+	f.disabled = f.disabled || other.disabled
+	f.needed = f.needed || other.needed
+	f.neededFromStrategy = f.neededFromStrategy || other.neededFromStrategy
+}
+
+func resolveLegacyDNSMode(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (bool, dnsRuleModeFlags, error) {
+	flags, err := dnsRuleModeRequirements(router, rules, metadataOverrides)
+	if err != nil {
+		return false, flags, err
+	}
+	if flags.disabled && flags.neededFromStrategy {
+		return false, flags, E.New(deprecated.OptionLegacyDNSRuleStrategy.MessageWithLink())
+	}
+	if flags.disabled {
+		return false, flags, nil
+	}
+	return flags.needed, flags, nil
+}
+
+func dnsRuleModeRequirements(router adapter.Router, rules []option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	var flags dnsRuleModeFlags
+	for i, rule := range rules {
+		ruleFlags, err := dnsRuleModeRequirementsInRule(router, rule, metadataOverrides)
+		if err != nil {
+			return dnsRuleModeFlags{}, E.Cause(err, "dns rule[", i, "]")
+		}
+		flags.merge(ruleFlags)
+	}
+	return flags, nil
+}
+
+func dnsRuleModeRequirementsInRule(router adapter.Router, rule option.DNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return dnsRuleModeRequirementsInDefaultRule(router, rule.DefaultOptions, metadataOverrides)
+	case C.RuleTypeLogical:
+		flags := dnsRuleModeFlags{
+			disabled:           dnsRuleActionType(rule) == C.RuleActionTypeEvaluate || dnsRuleActionType(rule) == C.RuleActionTypeRespond,
+			neededFromStrategy: dnsRuleActionHasStrategy(rule.LogicalOptions.DNSRuleAction),
+		}
+		flags.needed = flags.neededFromStrategy
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subFlags, err := dnsRuleModeRequirementsInRule(router, subRule, metadataOverrides)
+			if err != nil {
+				return dnsRuleModeFlags{}, E.Cause(err, "sub rule[", i, "]")
+			}
+			flags.merge(subFlags)
+		}
+		return flags, nil
+	default:
+		return dnsRuleModeFlags{}, nil
+	}
+}
+
+func dnsRuleModeRequirementsInDefaultRule(router adapter.Router, rule option.DefaultDNSRule, metadataOverrides map[string]adapter.RuleSetMetadata) (dnsRuleModeFlags, error) {
+	flags := dnsRuleModeFlags{
+		disabled:           defaultRuleDisablesLegacyDNSMode(rule),
+		neededFromStrategy: dnsRuleActionHasStrategy(rule.DNSRuleAction),
+	}
+	flags.needed = defaultRuleNeedsLegacyDNSModeFromAddressFilter(rule) || flags.neededFromStrategy
+	if len(rule.RuleSet) == 0 {
+		return flags, nil
+	}
+	if router == nil {
+		return dnsRuleModeFlags{}, E.New("router service not found")
+	}
+	for _, tag := range rule.RuleSet {
+		metadata, err := lookupDNSRuleSetMetadata(router, tag, metadataOverrides)
+		if err != nil {
+			return dnsRuleModeFlags{}, err
+		}
+		// ip_version is not a headless-rule item, so ContainsIPVersionRule is intentionally absent.
+		flags.disabled = flags.disabled || metadata.ContainsDNSQueryTypeRule
+		if !rule.RuleSetIPCIDRMatchSource && metadata.ContainsIPCIDRRule {
+			flags.needed = true
+		}
+	}
+	return flags, nil
+}
+
+func lookupDNSRuleSetMetadata(router adapter.Router, tag string, metadataOverrides map[string]adapter.RuleSetMetadata) (adapter.RuleSetMetadata, error) {
+	if metadataOverrides != nil {
+		if metadata, loaded := metadataOverrides[tag]; loaded {
+			return metadata, nil
+		}
+	}
+	ruleSet, loaded := router.RuleSet(tag)
+	if !loaded {
+		return adapter.RuleSetMetadata{}, E.New("rule-set not found: ", tag)
+	}
+	return ruleSet.Metadata(), nil
+}
+
+func referencedDNSRuleSetTags(rules []option.DNSRule) []string {
+	tagMap := make(map[string]bool)
+	var walkRule func(rule option.DNSRule)
+	walkRule = func(rule option.DNSRule) {
+		switch rule.Type {
+		case "", C.RuleTypeDefault:
+			for _, tag := range rule.DefaultOptions.RuleSet {
+				tagMap[tag] = true
+			}
+		case C.RuleTypeLogical:
+			for _, subRule := range rule.LogicalOptions.Rules {
+				walkRule(subRule)
+			}
+		}
+	}
+	for _, rule := range rules {
+		walkRule(rule)
+	}
+	tags := make([]string, 0, len(tagMap))
+	for tag := range tagMap {
+		if tag != "" {
+			tags = append(tags, tag)
+		}
+	}
+	return tags
+}
+
+func validateLegacyDNSModeDisabledRules(rules []option.DNSRule) error {
+	var seenEvaluate bool
+	for i, rule := range rules {
+		requiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(rule)
+		if err != nil {
+			return E.Cause(err, "validate dns rule[", i, "]")
+		}
+		if requiresPriorEvaluate && !seenEvaluate {
+			return E.New("dns rule[", i, "]: response-based matching requires a preceding evaluate action")
+		}
+		if dnsRuleActionType(rule) == C.RuleActionTypeEvaluate {
+			seenEvaluate = true
+		}
+	}
+	return nil
+}
+
+func validateEvaluateFakeIPRules(rules []option.DNSRule, transportManager adapter.DNSTransportManager) error {
+	if transportManager == nil {
+		return nil
+	}
+	for i, rule := range rules {
+		if dnsRuleActionType(rule) != C.RuleActionTypeEvaluate {
+			continue
+		}
+		server := dnsRuleActionServer(rule)
+		if server == "" {
+			continue
+		}
+		transport, loaded := transportManager.Transport(server)
+		if !loaded || transport.Type() != C.DNSTypeFakeIP {
+			continue
+		}
+		return E.New("dns rule[", i, "]: evaluate action cannot use fakeip server: ", server)
+	}
+	return nil
+}
+
+func validateLegacyDNSModeDisabledRuleTree(rule option.DNSRule) (bool, error) {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return validateLegacyDNSModeDisabledDefaultRule(rule.DefaultOptions)
+	case C.RuleTypeLogical:
+		requiresPriorEvaluate := dnsRuleActionType(rule) == C.RuleActionTypeRespond
+		for i, subRule := range rule.LogicalOptions.Rules {
+			subRequiresPriorEvaluate, err := validateLegacyDNSModeDisabledRuleTree(subRule)
+			if err != nil {
+				return false, E.Cause(err, "sub rule[", i, "]")
+			}
+			requiresPriorEvaluate = requiresPriorEvaluate || subRequiresPriorEvaluate
+		}
+		return requiresPriorEvaluate, nil
+	default:
+		return false, nil
+	}
+}
+
+func validateLegacyDNSModeDisabledDefaultRule(rule option.DefaultDNSRule) (bool, error) {
+	hasResponseRecords := hasResponseMatchFields(rule)
+	if (hasResponseRecords || len(rule.IPCIDR) > 0 || rule.IPIsPrivate) && !rule.MatchResponse {
+		return false, E.New("Response Match Fields (ip_cidr, ip_is_private, response_rcode, response_answer, response_ns, response_extra) require match_response to be enabled")
+	}
+	// Intentionally do not reject rule_set here. A referenced rule set may mix
+	// destination-IP predicates with pre-response predicates such as domain items.
+	// When match_response is false, those destination-IP branches fail closed during
+	// pre-response evaluation instead of consuming DNS response state, while sibling
+	// non-response branches remain matchable.
+	if rule.IPAcceptAny { //nolint:staticcheck
+		return false, E.New(deprecated.OptionIPAcceptAny.MessageWithLink())
+	}
+	if rule.RuleSetIPCIDRAcceptEmpty { //nolint:staticcheck
+		return false, E.New(deprecated.OptionRuleSetIPCIDRAcceptEmpty.MessageWithLink())
+	}
+	return rule.MatchResponse || rule.Action == C.RuleActionTypeRespond, nil
+}
+
+func dnsRuleActionHasStrategy(action option.DNSRuleAction) bool {
+	switch action.Action {
+	case "", C.RuleActionTypeRoute, C.RuleActionTypeEvaluate:
+		return C.DomainStrategy(action.RouteOptions.Strategy) != C.DomainStrategyAsIS
+	case C.RuleActionTypeRouteOptions:
+		return C.DomainStrategy(action.RouteOptionsOptions.Strategy) != C.DomainStrategyAsIS
+	default:
+		return false
+	}
+}
+
+func dnsRuleActionType(rule option.DNSRule) string {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		if rule.DefaultOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.DefaultOptions.Action
+	case C.RuleTypeLogical:
+		if rule.LogicalOptions.Action == "" {
+			return C.RuleActionTypeRoute
+		}
+		return rule.LogicalOptions.Action
+	default:
+		return ""
+	}
+}
+
+func dnsRuleActionServer(rule option.DNSRule) string {
+	switch rule.Type {
+	case "", C.RuleTypeDefault:
+		return rule.DefaultOptions.RouteOptions.Server
+	case C.RuleTypeLogical:
+		return rule.LogicalOptions.RouteOptions.Server
+	default:
+		return ""
+	}
+}
--- a/dns/router_test.go
+++ b/dns/router_test.go
--- a/dns/transport/connector.go
+++ b/dns/transport/connector.go
@@ -4,6 +4,9 @@ import (
 	"context"
 	"net"
 	"sync"
+	"time"
+
+	E "github.com/sagernet/sing/common/exceptions"
 )

 type ConnectorCallbacks[T any] struct {
@@ -16,10 +19,11 @@ type Connector[T any] struct {
 	dial      func(ctx context.Context) (T, error)
 	callbacks ConnectorCallbacks[T]

-	access        sync.Mutex
-	connection    T
-	hasConnection bool
-	connecting    chan struct{}
+	access           sync.Mutex
+	connection       T
+	hasConnection    bool
+	connectionCancel context.CancelFunc
+	connecting       chan struct{}

 	closeCtx context.Context
 	closed   bool
@@ -47,6 +51,16 @@ func NewSingleflightConnector(closeCtx context.Context, dial func(context.Contex
 	})
 }

+type contextKeyConnecting struct{}
+
+var errRecursiveConnectorDial = E.New("recursive connector dial")
+
+type connectorDialResult[T any] struct {
+	connection T
+	cancel     context.CancelFunc
+	err        error
+}
+
 func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 	var zero T
 	for {
@@ -64,6 +78,14 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 		}

 		c.hasConnection = false
+		if c.connectionCancel != nil {
+			c.connectionCancel()
+			c.connectionCancel = nil
+		}
+		if isRecursiveConnectorDial(ctx, c) {
+			c.access.Unlock()
+			return zero, errRecursiveConnectorDial
+		}

 		if c.connecting != nil {
 			connecting := c.connecting
@@ -79,48 +101,134 @@ func (c *Connector[T]) Get(ctx context.Context) (T, error) {
 			}
 		}

-		c.connecting = make(chan struct{})
-		c.access.Unlock()
-
-		connection, err := c.dialWithCancellation(ctx)
-
-		c.access.Lock()
-		close(c.connecting)
-		c.connecting = nil
-
-		if err != nil {
+		if err := ctx.Err(); err != nil {
 			c.access.Unlock()
 			return zero, err
 		}

-		if c.closed {
-			c.callbacks.Close(connection)
-			c.access.Unlock()
-			return zero, ErrTransportClosed
-		}
-
-		c.connection = connection
-		c.hasConnection = true
-		result := c.connection
+		connecting := make(chan struct{})
+		c.connecting = connecting
+		dialContext := context.WithValue(ctx, contextKeyConnecting{}, c)
+		dialResult := make(chan connectorDialResult[T], 1)
 		c.access.Unlock()

-		return result, nil
+		go func() {
+			connection, cancel, err := c.dialWithCancellation(dialContext)
+			dialResult <- connectorDialResult[T]{
+				connection: connection,
+				cancel:     cancel,
+				err:        err,
+			}
+		}()
+
+		select {
+		case result := <-dialResult:
+			return c.completeDial(ctx, connecting, result)
+		case <-ctx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
+			return zero, ctx.Err()
+		case <-c.closeCtx.Done():
+			go func() {
+				result := <-dialResult
+				_, _ = c.completeDial(ctx, connecting, result)
+			}()
+			return zero, ErrTransportClosed
+		}
 	}
 }

-func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, error) {
-	dialCtx, cancel := context.WithCancel(ctx)
-	defer cancel()
+func isRecursiveConnectorDial[T any](ctx context.Context, connector *Connector[T]) bool {
+	dialConnector, loaded := ctx.Value(contextKeyConnecting{}).(*Connector[T])
+	return loaded && dialConnector == connector
+}

-	go func() {
-		select {
-		case <-c.closeCtx.Done():
-			cancel()
-		case <-dialCtx.Done():
+func (c *Connector[T]) completeDial(ctx context.Context, connecting chan struct{}, result connectorDialResult[T]) (T, error) {
+	var zero T
+
+	c.access.Lock()
+	defer c.access.Unlock()
+	defer func() {
+		if c.connecting == connecting {
+			c.connecting = nil
 		}
+		close(connecting)
 	}()

-	return c.dial(dialCtx)
+	if result.err != nil {
+		return zero, result.err
+	}
+	if c.closed || c.closeCtx.Err() != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, ErrTransportClosed
+	}
+	if err := ctx.Err(); err != nil {
+		result.cancel()
+		c.callbacks.Close(result.connection)
+		return zero, err
+	}
+
+	c.connection = result.connection
+	c.hasConnection = true
+	c.connectionCancel = result.cancel
+	return c.connection, nil
+}
+
+func (c *Connector[T]) dialWithCancellation(ctx context.Context) (T, context.CancelFunc, error) {
+	var zero T
+	if err := ctx.Err(); err != nil {
+		return zero, nil, err
+	}
+	connCtx, cancel := context.WithCancel(c.closeCtx)
+
+	var (
+		stateAccess  sync.Mutex
+		dialComplete bool
+	)
+	stopCancel := context.AfterFunc(ctx, func() {
+		stateAccess.Lock()
+		if !dialComplete {
+			cancel()
+		}
+		stateAccess.Unlock()
+	})
+	select {
+	case <-ctx.Done():
+		stateAccess.Lock()
+		dialComplete = true
+		stateAccess.Unlock()
+		stopCancel()
+		cancel()
+		return zero, nil, ctx.Err()
+	default:
+	}
+
+	connection, err := c.dial(valueContext{connCtx, ctx})
+	stateAccess.Lock()
+	dialComplete = true
+	stateAccess.Unlock()
+	stopCancel()
+	if err != nil {
+		cancel()
+		return zero, nil, err
+	}
+	return connection, cancel, nil
+}
+
+type valueContext struct {
+	context.Context
+	parent context.Context
+}
+
+func (v valueContext) Value(key any) any {
+	return v.parent.Value(key)
+}
+
+func (v valueContext) Deadline() (time.Time, bool) {
+	return v.parent.Deadline()
 }

 func (c *Connector[T]) Close() error {
@@ -132,6 +240,10 @@ func (c *Connector[T]) Close() error {
 	}
 	c.closed = true

+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
 	if c.hasConnection {
 		c.callbacks.Close(c.connection)
 		c.hasConnection = false
@@ -144,6 +256,10 @@ func (c *Connector[T]) Reset() {
 	c.access.Lock()
 	defer c.access.Unlock()

+	if c.connectionCancel != nil {
+		c.connectionCancel()
+		c.connectionCancel = nil
+	}
 	if c.hasConnection {
 		c.callbacks.Reset(c.connection)
 		c.hasConnection = false
--- a/dns/transport/connector_test.go
+++ b/dns/transport/connector_test.go
@@ -0,0 +1,407 @@
+package transport
+
+import (
+	"context"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testConnectorConnection struct{}
+
+func TestConnectorRecursiveGetFailsFast(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+		connector  *Connector[*testConnectorConnection]
+	)
+
+	dial := func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		_, err := connector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}
+
+	connector = NewConnector(context.Background(), dial, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.ErrorIs(t, err, errRecursiveConnectorDial)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+}
+
+func TestConnectorRecursiveGetAcrossConnectorsAllowed(t *testing.T) {
+	t.Parallel()
+
+	var (
+		outerDialCount atomic.Int32
+		innerDialCount atomic.Int32
+		outerConnector *Connector[*testConnectorConnection]
+		innerConnector *Connector[*testConnectorConnection]
+	)
+
+	innerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		innerDialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	outerConnector = NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		outerDialCount.Add(1)
+		_, err := innerConnector.Get(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := outerConnector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 1, outerDialCount.Load())
+	require.EqualValues(t, 1, innerDialCount.Load())
+}
+
+func TestConnectorDialContextPreservesValueAndDeadline(t *testing.T) {
+	t.Parallel()
+
+	type contextKey struct{}
+
+	var (
+		dialValue       any
+		dialDeadline    time.Time
+		dialHasDeadline bool
+	)
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialValue = ctx.Value(contextKey{})
+		dialDeadline, dialHasDeadline = ctx.Deadline()
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	deadline := time.Now().Add(time.Minute)
+	requestContext, cancel := context.WithDeadline(context.WithValue(context.Background(), contextKey{}, "test-value"), deadline)
+	defer cancel()
+
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.Equal(t, "test-value", dialValue)
+	require.True(t, dialHasDeadline)
+	require.WithinDuration(t, deadline, dialDeadline, time.Second)
+}
+
+func TestConnectorDialSkipsCanceledRequest(t *testing.T) {
+	t.Parallel()
+
+	var dialCount atomic.Int32
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := connector.Get(requestContext)
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 0, dialCount.Load())
+}
+
+func TestConnectorCanceledRequestDoesNotCacheConnection(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+	close(releaseDial)
+
+	err := <-result
+	require.ErrorIs(t, err, context.Canceled)
+	require.EqualValues(t, 1, dialCount.Load())
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	_, err = connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorCanceledRequestReturnsBeforeIgnoredDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	dialStarted := make(chan struct{}, 1)
+	releaseDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialCount.Add(1)
+		select {
+		case dialStarted <- struct{}{}:
+		default:
+		}
+		<-releaseDial
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	result := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		result <- err
+	}()
+
+	<-dialStarted
+	cancel()
+
+	select {
+	case err := <-result:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("Get did not return after request cancel")
+	}
+
+	require.EqualValues(t, 1, dialCount.Load())
+	require.EqualValues(t, 0, closeCount.Load())
+
+	close(releaseDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorWaiterDoesNotStartNewDialBeforeCanceledDialCompletes(t *testing.T) {
+	t.Parallel()
+
+	var (
+		dialCount  atomic.Int32
+		closeCount atomic.Int32
+	)
+	firstDialStarted := make(chan struct{}, 1)
+	secondDialStarted := make(chan struct{}, 1)
+	releaseFirstDial := make(chan struct{})
+
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		attempt := dialCount.Add(1)
+		switch attempt {
+		case 1:
+			select {
+			case firstDialStarted <- struct{}{}:
+			default:
+			}
+			<-releaseFirstDial
+		case 2:
+			select {
+			case secondDialStarted <- struct{}{}:
+			default:
+			}
+		}
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {
+			closeCount.Add(1)
+		},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	firstResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(requestContext)
+		firstResult <- err
+	}()
+
+	<-firstDialStarted
+	cancel()
+
+	secondResult := make(chan error, 1)
+	go func() {
+		_, err := connector.Get(context.Background())
+		secondResult <- err
+	}()
+
+	select {
+	case <-secondDialStarted:
+		t.Fatal("second dial started before first dial completed")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	select {
+	case err := <-firstResult:
+		require.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("first Get did not return after request cancel")
+	}
+
+	close(releaseFirstDial)
+
+	require.Eventually(t, func() bool {
+		return closeCount.Load() == 1
+	}, time.Second, 10*time.Millisecond)
+
+	select {
+	case <-secondDialStarted:
+	case <-time.After(time.Second):
+		t.Fatal("second dial did not start after first dial completed")
+	}
+
+	err := <-secondResult
+	require.NoError(t, err)
+	require.EqualValues(t, 2, dialCount.Load())
+}
+
+func TestConnectorDialContextNotCanceledByRequestContextAfterDial(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	requestContext, cancel := context.WithCancel(context.Background())
+	_, err := connector.Get(requestContext)
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	cancel()
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled by request context after successful dial")
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+}
+
+func TestConnectorDialContextCanceledOnClose(t *testing.T) {
+	t.Parallel()
+
+	var dialContext context.Context
+	connector := NewConnector(context.Background(), func(ctx context.Context) (*testConnectorConnection, error) {
+		dialContext = ctx
+		return &testConnectorConnection{}, nil
+	}, ConnectorCallbacks[*testConnectorConnection]{
+		IsClosed: func(connection *testConnectorConnection) bool {
+			return false
+		},
+		Close: func(connection *testConnectorConnection) {},
+		Reset: func(connection *testConnectorConnection) {},
+	})
+
+	_, err := connector.Get(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, dialContext)
+
+	select {
+	case <-dialContext.Done():
+		t.Fatal("dial context canceled before connector close")
+	default:
+	}
+
+	err = connector.Close()
+	require.NoError(t, err)
+
+	select {
+	case <-dialContext.Done():
+	case <-time.After(time.Second):
+		t.Fatal("dial context not canceled after connector close")
+	}
+}
--- a/dns/transport/dhcp/dhcp_shared.go
+++ b/dns/transport/dhcp/dhcp_shared.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 	"syscall"

-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -40,13 +39,6 @@ func (t *Transport) exchangeParallel(ctx context.Context, servers []M.Socksaddr,
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, servers, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = dns.RcodeSuccess
-			}
-		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@@ -81,10 +81,7 @@ func (t *Transport) Reset() {

 func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
 	if t.resolved != nil {
-		resolverObject := t.resolved.Object()
-		if resolverObject != nil {
-			return t.resolved.Exchange(resolverObject, ctx, message)
-		}
+		return t.resolved.Exchange(ctx, message)
 	}
 	question := message.Question[0]
 	if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
--- a/dns/transport/local/local_resolved.go
+++ b/dns/transport/local/local_resolved.go
@@ -9,6 +9,5 @@ import (
 type ResolvedResolver interface {
 	Start() error
 	Close() error
-	Object() any
-	Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
+	Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error)
 }
--- a/dns/transport/local/local_resolved_linux.go
+++ b/dns/transport/local/local_resolved_linux.go
@@ -4,19 +4,26 @@ import (
 	"bufio"
 	"context"
 	"errors"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/dns"
+	dnsTransport "github.com/sagernet/sing-box/dns/transport"
+	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/service/resolved"
 	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"

@@ -49,13 +56,23 @@ type DBusResolvedResolver struct {
 	interfaceMonitor  tun.DefaultInterfaceMonitor
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
 	systemBus         *dbus.Conn
-	resoledObject     atomic.Pointer[ResolvedObject]
+	savedServerSet    atomic.Pointer[resolvedServerSet]
 	closeOnce         sync.Once
 }

-type ResolvedObject struct {
-	dbus.BusObject
-	InterfaceIndex int32
+type resolvedServerSet struct {
+	servers []resolvedServer
+}
+
+type resolvedServer struct {
+	primaryTransport  adapter.DNSTransport
+	fallbackTransport adapter.DNSTransport
+}
+
+type resolvedServerSpecification struct {
+	address    netip.Addr
+	port       uint16
+	serverName string
 }

 func NewResolvedResolver(ctx context.Context, logger logger.ContextLogger) (ResolvedResolver, error) {
@@ -82,17 +99,31 @@ func (t *DBusResolvedResolver) Start() error {
 		"org.freedesktop.DBus",
 		"NameOwnerChanged",
 		dbus.WithMatchSender("org.freedesktop.DBus"),
-		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1"),
 	).Err
 	if err != nil {
 		return E.Cause(err, "configure resolved restart listener")
 	}
+	err = t.systemBus.BusObject().AddMatchSignal(
+		"org.freedesktop.DBus.Properties",
+		"PropertiesChanged",
+		dbus.WithMatchSender("org.freedesktop.resolve1"),
+		dbus.WithMatchArg(0, "org.freedesktop.resolve1.Manager"),
+	).Err
+	if err != nil {
+		return E.Cause(err, "configure resolved properties listener")
+	}
 	go t.loopUpdateStatus()
 	return nil
 }

 func (t *DBusResolvedResolver) Close() error {
+	var closeErr error
 	t.closeOnce.Do(func() {
+		serverSet := t.savedServerSet.Swap(nil)
+		if serverSet != nil {
+			closeErr = serverSet.Close()
+		}
 		if t.interfaceCallback != nil {
 			t.interfaceMonitor.UnregisterCallback(t.interfaceCallback)
 		}
@@ -100,99 +131,97 @@ func (t *DBusResolvedResolver) Close() error {
 			_ = t.systemBus.Close()
 		}
 	})
-	return nil
+	return closeErr
 }

-func (t *DBusResolvedResolver) Object() any {
-	return common.PtrOrNil(t.resoledObject.Load())
-}
-
-func (t *DBusResolvedResolver) Exchange(object any, ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
-	question := message.Question[0]
-	resolvedObject := object.(*ResolvedObject)
-	call := resolvedObject.CallWithContext(
-		ctx,
-		"org.freedesktop.resolve1.Manager.ResolveRecord",
-		0,
-		resolvedObject.InterfaceIndex,
-		question.Name,
-		question.Qclass,
-		question.Qtype,
-		uint64(0),
-	)
-	if call.Err != nil {
-		var dbusError dbus.Error
-		if errors.As(call.Err, &dbusError) && dbusError.Name == "org.freedesktop.resolve1.NoNameServers" {
-			t.updateStatus()
+func (t *DBusResolvedResolver) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, error) {
+	serverSet := t.savedServerSet.Load()
+	if serverSet == nil {
+		var err error
+		serverSet, err = t.checkResolved(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		previousServerSet := t.savedServerSet.Swap(serverSet)
+		if previousServerSet != nil {
+			_ = previousServerSet.Close()
 		}
-		return nil, E.Cause(call.Err, " resolve record via resolved")
 	}
-	var (
-		records  []resolved.ResourceRecord
-		outflags uint64
-	)
-	err := call.Store(&records, &outflags)
-	if err != nil {
+	response, err := t.exchangeServerSet(ctx, message, serverSet)
+	if err == nil {
+		return response, nil
+	}
+	t.updateStatus()
+	refreshedServerSet := t.savedServerSet.Load()
+	if refreshedServerSet == nil || refreshedServerSet == serverSet {
 		return nil, err
 	}
-	response := &mDNS.Msg{
-		MsgHdr: mDNS.MsgHdr{
-			Id:                 message.Id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              mDNS.RcodeSuccess,
-		},
-		Question: []mDNS.Question{question},
-	}
-	for _, record := range records {
-		var rr mDNS.RR
-		rr, _, err = mDNS.UnpackRR(record.Data, 0)
-		if err != nil {
-			return nil, E.Cause(err, "unpack resource record")
-		}
-		response.Answer = append(response.Answer, rr)
-	}
-	return response, nil
+	return t.exchangeServerSet(ctx, message, refreshedServerSet)
 }

 func (t *DBusResolvedResolver) loopUpdateStatus() {
 	signalChan := make(chan *dbus.Signal, 1)
 	t.systemBus.Signal(signalChan)
 	for signal := range signalChan {
-		var restarted bool
-		if signal.Name == "org.freedesktop.DBus.NameOwnerChanged" {
-			if len(signal.Body) != 3 || signal.Body[2].(string) == "" {
+		switch signal.Name {
+		case "org.freedesktop.DBus.NameOwnerChanged":
+			if len(signal.Body) != 3 {
+				continue
+			}
+			newOwner, loaded := signal.Body[2].(string)
+			if !loaded || newOwner == "" {
+				continue
+			}
+			t.updateStatus()
+		case "org.freedesktop.DBus.Properties.PropertiesChanged":
+			if !shouldUpdateResolvedServerSet(signal) {
 				continue
-			} else {
-				restarted = true
 			}
-		}
-		if restarted {
 			t.updateStatus()
 		}
 	}
 }

 func (t *DBusResolvedResolver) updateStatus() {
-	dbusObject, err := t.checkResolved(context.Background())
-	oldValue := t.resoledObject.Swap(dbusObject)
+	serverSet, err := t.checkResolved(context.Background())
+	oldServerSet := t.savedServerSet.Swap(serverSet)
+	if oldServerSet != nil {
+		_ = oldServerSet.Close()
+	}
 	if err != nil {
 		var dbusErr dbus.Error
-		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwnerCould" {
+		if !errors.As(err, &dbusErr) || dbusErr.Name != "org.freedesktop.DBus.Error.NameHasNoOwner" {
 			t.logger.Debug(E.Cause(err, "systemd-resolved service unavailable"))
 		}
-		if oldValue != nil {
+		if oldServerSet != nil {
 			t.logger.Debug("systemd-resolved service is gone")
 		}
 		return
-	} else if oldValue == nil {
+	} else if oldServerSet == nil {
 		t.logger.Debug("using systemd-resolved service as resolver")
 	}
 }

-func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObject, error) {
+func (t *DBusResolvedResolver) exchangeServerSet(ctx context.Context, message *mDNS.Msg, serverSet *resolvedServerSet) (*mDNS.Msg, error) {
+	if serverSet == nil || len(serverSet.servers) == 0 {
+		return nil, E.New("link has no DNS servers configured")
+	}
+	var lastError error
+	for _, server := range serverSet.servers {
+		response, err := server.primaryTransport.Exchange(ctx, message)
+		if err != nil && server.fallbackTransport != nil {
+			response, err = server.fallbackTransport.Exchange(ctx, message)
+		}
+		if err != nil {
+			lastError = err
+			continue
+		}
+		return response, nil
+	}
+	return nil, lastError
+}
+
+func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*resolvedServerSet, error) {
 	dbusObject := t.systemBus.Object("org.freedesktop.resolve1", "/org/freedesktop/resolve1")
 	err := dbusObject.Call("org.freedesktop.DBus.Peer.Ping", 0).Err
 	if err != nil {
@@ -220,16 +249,19 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 	if linkObject == nil {
 		return nil, E.New("missing link object for default interface")
 	}
-	dnsProp, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	dnsOverTLSMode, err := loadResolvedLinkDNSOverTLS(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	var linkDNS []resolved.LinkDNS
-	err = dnsProp.Store(&linkDNS)
+	linkDNSEx, err := loadResolvedLinkDNSEx(linkObject)
 	if err != nil {
 		return nil, err
 	}
-	if len(linkDNS) == 0 {
+	linkDNS, err := loadResolvedLinkDNS(linkObject)
+	if err != nil {
+		return nil, err
+	}
+	if len(linkDNSEx) == 0 && len(linkDNS) == 0 {
 		for _, inbound := range service.FromContext[adapter.InboundManager](t.ctx).Inbounds() {
 			if inbound.Type() == C.TypeTun {
 				return nil, E.New("No appropriate name servers or networks for name found")
@@ -237,12 +269,233 @@ func (t *DBusResolvedResolver) checkResolved(ctx context.Context) (*ResolvedObje
 		}
 		return nil, E.New("link has no DNS servers configured")
 	}
-	return &ResolvedObject{
-		BusObject:      dbusObject,
-		InterfaceIndex: int32(defaultInterface.Index),
+	serverDialer, err := dialer.NewDefault(t.ctx, option.DialerOptions{
+		BindInterface:      defaultInterface.Name,
+		UDPFragmentDefault: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	var serverSpecifications []resolvedServerSpecification
+	if len(linkDNSEx) > 0 {
+		for _, entry := range linkDNSEx {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, entry.Port, entry.Name)
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	} else {
+		for _, entry := range linkDNS {
+			serverSpecification, loaded := buildResolvedServerSpecification(defaultInterface.Name, entry.Address, 0, "")
+			if !loaded {
+				continue
+			}
+			serverSpecifications = append(serverSpecifications, serverSpecification)
+		}
+	}
+	if len(serverSpecifications) == 0 {
+		return nil, E.New("no valid DNS servers on link")
+	}
+	serverSet := &resolvedServerSet{
+		servers: make([]resolvedServer, 0, len(serverSpecifications)),
+	}
+	for _, serverSpecification := range serverSpecifications {
+		server, createErr := t.createResolvedServer(serverDialer, dnsOverTLSMode, serverSpecification)
+		if createErr != nil {
+			_ = serverSet.Close()
+			return nil, createErr
+		}
+		serverSet.servers = append(serverSet.servers, server)
+	}
+	return serverSet, nil
+}
+
+func (t *DBusResolvedResolver) createResolvedServer(serverDialer N.Dialer, dnsOverTLSMode string, serverSpecification resolvedServerSpecification) (resolvedServer, error) {
+	if dnsOverTLSMode == "yes" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport: primaryTransport,
+		}, nil
+	}
+	if dnsOverTLSMode == "opportunistic" {
+		primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, true)
+		if err != nil {
+			return resolvedServer{}, err
+		}
+		fallbackTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+		if err != nil {
+			_ = primaryTransport.Close()
+			return resolvedServer{}, err
+		}
+		return resolvedServer{
+			primaryTransport:  primaryTransport,
+			fallbackTransport: fallbackTransport,
+		}, nil
+	}
+	primaryTransport, err := t.createResolvedTransport(serverDialer, serverSpecification, false)
+	if err != nil {
+		return resolvedServer{}, err
+	}
+	return resolvedServer{
+		primaryTransport: primaryTransport,
 	}, nil
 }

+func (t *DBusResolvedResolver) createResolvedTransport(serverDialer N.Dialer, serverSpecification resolvedServerSpecification, useTLS bool) (adapter.DNSTransport, error) {
+	serverAddress := M.SocksaddrFrom(serverSpecification.address, resolvedServerPort(serverSpecification.port, useTLS))
+	if useTLS {
+		tlsAddress := serverSpecification.address
+		if tlsAddress.Zone() != "" {
+			tlsAddress = tlsAddress.WithZone("")
+		}
+		serverName := serverSpecification.serverName
+		if serverName == "" {
+			serverName = tlsAddress.String()
+		}
+		tlsConfig, err := tls.NewClient(t.ctx, t.logger, tlsAddress.String(), option.OutboundTLSOptions{
+			Enabled:    true,
+			ServerName: serverName,
+		})
+		if err != nil {
+			return nil, err
+		}
+		serverTransport := dnsTransport.NewTLSRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeTLS, "", nil), serverDialer, serverAddress, tlsConfig)
+		err = serverTransport.Start(adapter.StartStateStart)
+		if err != nil {
+			_ = serverTransport.Close()
+			return nil, err
+		}
+		return serverTransport, nil
+	}
+	serverTransport := dnsTransport.NewUDPRaw(t.logger, dns.NewTransportAdapter(C.DNSTypeUDP, "", nil), serverDialer, serverAddress)
+	err := serverTransport.Start(adapter.StartStateStart)
+	if err != nil {
+		_ = serverTransport.Close()
+		return nil, err
+	}
+	return serverTransport, nil
+}
+
+func (s *resolvedServerSet) Close() error {
+	var errors []error
+	for _, server := range s.servers {
+		errors = append(errors, server.primaryTransport.Close())
+		if server.fallbackTransport != nil {
+			errors = append(errors, server.fallbackTransport.Close())
+		}
+	}
+	return E.Errors(errors...)
+}
+
+func buildResolvedServerSpecification(interfaceName string, rawAddress []byte, port uint16, serverName string) (resolvedServerSpecification, bool) {
+	address, loaded := netip.AddrFromSlice(rawAddress)
+	if !loaded {
+		return resolvedServerSpecification{}, false
+	}
+	if address.Is6() && address.IsLinkLocalUnicast() && address.Zone() == "" {
+		address = address.WithZone(interfaceName)
+	}
+	return resolvedServerSpecification{
+		address:    address,
+		port:       port,
+		serverName: serverName,
+	}, true
+}
+
+func resolvedServerPort(port uint16, useTLS bool) uint16 {
+	if port > 0 {
+		return port
+	}
+	if useTLS {
+		return 853
+	}
+	return 53
+}
+
+func loadResolvedLinkDNS(linkObject dbus.BusObject) ([]resolved.LinkDNS, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNS []resolved.LinkDNS
+	err = dnsProperty.Store(&linkDNS)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNS, nil
+}
+
+func loadResolvedLinkDNSEx(linkObject dbus.BusObject) ([]resolved.LinkDNSEx, error) {
+	dnsProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSEx")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	var linkDNSEx []resolved.LinkDNSEx
+	err = dnsProperty.Store(&linkDNSEx)
+	if err != nil {
+		return nil, err
+	}
+	return linkDNSEx, nil
+}
+
+func loadResolvedLinkDNSOverTLS(linkObject dbus.BusObject) (string, error) {
+	dnsOverTLSProperty, err := linkObject.GetProperty("org.freedesktop.resolve1.Link.DNSOverTLS")
+	if err != nil {
+		if isResolvedUnknownPropertyError(err) {
+			return "", nil
+		}
+		return "", err
+	}
+	var dnsOverTLSMode string
+	err = dnsOverTLSProperty.Store(&dnsOverTLSMode)
+	if err != nil {
+		return "", err
+	}
+	return dnsOverTLSMode, nil
+}
+
+func isResolvedUnknownPropertyError(err error) bool {
+	var dbusError dbus.Error
+	return errors.As(err, &dbusError) && dbusError.Name == "org.freedesktop.DBus.Error.UnknownProperty"
+}
+
+func shouldUpdateResolvedServerSet(signal *dbus.Signal) bool {
+	if len(signal.Body) != 3 {
+		return true
+	}
+	changedProperties, loaded := signal.Body[1].(map[string]dbus.Variant)
+	if !loaded {
+		return true
+	}
+	for propertyName := range changedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	invalidatedProperties, loaded := signal.Body[2].([]string)
+	if !loaded {
+		return true
+	}
+	for _, propertyName := range invalidatedProperties {
+		switch propertyName {
+		case "DNS", "DNSEx", "DNSOverTLS":
+			return true
+		}
+	}
+	return false
+}
+
 func (t *DBusResolvedResolver) updateDefaultInterface(defaultInterface *control.Interface, flags int) {
 	t.updateStatus()
 }
--- a/dns/transport/local/local_shared.go
+++ b/dns/transport/local/local_shared.go
@@ -7,7 +7,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/sagernet/sing-box/dns"
 	"github.com/sagernet/sing-box/dns/transport"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -49,13 +48,6 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 	results := make(chan queryResult)
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
-		if err == nil {
-			if response.Rcode != mDNS.RcodeSuccess {
-				err = dns.RcodeError(response.Rcode)
-			} else if len(dns.MessageToAddresses(response)) == 0 {
-				err = E.New(fqdn, ": empty result")
-			}
-		}
 		select {
 		case results <- queryResult{response, err}:
 		case <-returned:
--- a/dns/transport_adapter.go
+++ b/dns/transport_adapter.go
@@ -1,21 +1,13 @@
 package dns

 import (
-	"net/netip"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 )

-var _ adapter.LegacyDNSTransport = (*TransportAdapter)(nil)
-
 type TransportAdapter struct {
 	transportType string
 	transportTag  string
 	dependencies  []string
-	strategy      C.DomainStrategy
-	clientSubnet  netip.Prefix
 }

 func NewTransportAdapter(transportType string, transportTag string, dependencies []string) TransportAdapter {
@@ -35,8 +27,6 @@ func NewTransportAdapterWithLocalOptions(transportType string, transportTag stri
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(localOptions.LegacyStrategy),
-		clientSubnet:  localOptions.LegacyClientSubnet,
 	}
 }

@@ -45,15 +35,10 @@ func NewTransportAdapterWithRemoteOptions(transportType string, transportTag str
 	if remoteOptions.DomainResolver != nil && remoteOptions.DomainResolver.Server != "" {
 		dependencies = append(dependencies, remoteOptions.DomainResolver.Server)
 	}
-	if remoteOptions.LegacyAddressResolver != "" {
-		dependencies = append(dependencies, remoteOptions.LegacyAddressResolver)
-	}
 	return TransportAdapter{
 		transportType: transportType,
 		transportTag:  transportTag,
 		dependencies:  dependencies,
-		strategy:      C.DomainStrategy(remoteOptions.LegacyStrategy),
-		clientSubnet:  remoteOptions.LegacyClientSubnet,
 	}
 }

@@ -68,11 +53,3 @@ func (a *TransportAdapter) Tag() string {
 func (a *TransportAdapter) Dependencies() []string {
 	return a.dependencies
 }
-
-func (a *TransportAdapter) LegacyStrategy() C.DomainStrategy {
-	return a.strategy
-}
-
-func (a *TransportAdapter) LegacyClientSubnet() netip.Prefix {
-	return a.clientSubnet
-}
--- a/dns/transport_dialer.go
+++ b/dns/transport_dialer.go
@@ -2,104 +2,25 @@ package dns

 import (
 	"context"
-	"net"
-	"time"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )

 func NewLocalDialer(ctx context.Context, options option.LocalDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		return dialer.NewDefaultOutbound(ctx), nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		DirectResolver: true,
+	})
 }

 func NewRemoteDialer(ctx context.Context, options option.RemoteDNSServerOptions) (N.Dialer, error) {
-	if options.LegacyDefaultDialer {
-		transportDialer := dialer.NewDefaultOutbound(ctx)
-		if options.LegacyAddressResolver != "" {
-			transport := service.FromContext[adapter.DNSTransportManager](ctx)
-			resolverTransport, loaded := transport.Transport(options.LegacyAddressResolver)
-			if !loaded {
-				return nil, E.New("address resolver not found: ", options.LegacyAddressResolver)
-			}
-			transportDialer = newTransportDialer(transportDialer, service.FromContext[adapter.DNSRouter](ctx), resolverTransport, C.DomainStrategy(options.LegacyAddressStrategy), time.Duration(options.LegacyAddressFallbackDelay))
-		} else if options.ServerIsDomain() {
-			return nil, E.New("missing address resolver for server: ", options.Server)
-		}
-		return transportDialer, nil
-	} else {
-		return dialer.NewWithOptions(dialer.Options{
-			Context:         ctx,
-			Options:         options.DialerOptions,
-			RemoteIsDomain:  options.ServerIsDomain(),
-			DirectResolver:  true,
-			LegacyDNSDialer: options.Legacy,
-		})
-	}
-}
-
-type legacyTransportDialer struct {
-	dialer        N.Dialer
-	dnsRouter     adapter.DNSRouter
-	transport     adapter.DNSTransport
-	strategy      C.DomainStrategy
-	fallbackDelay time.Duration
-}
-
-func newTransportDialer(dialer N.Dialer, dnsRouter adapter.DNSRouter, transport adapter.DNSTransport, strategy C.DomainStrategy, fallbackDelay time.Duration) *legacyTransportDialer {
-	return &legacyTransportDialer{
-		dialer,
-		dnsRouter,
-		transport,
-		strategy,
-		fallbackDelay,
-	}
-}
-
-func (d *legacyTransportDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	if destination.IsIP() {
-		return d.dialer.DialContext(ctx, network, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
+	return dialer.NewWithOptions(dialer.Options{
+		Context:        ctx,
+		Options:        options.DialerOptions,
+		RemoteIsDomain: options.ServerIsDomain(),
+		DirectResolver: true,
 	})
-	if err != nil {
-		return nil, err
-	}
-	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == C.DomainStrategyPreferIPv6, d.fallbackDelay)
-}
-
-func (d *legacyTransportDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIP() {
-		return d.dialer.ListenPacket(ctx, destination)
-	}
-	addresses, err := d.dnsRouter.Lookup(ctx, destination.Fqdn, adapter.DNSQueryOptions{
-		Transport: d.transport,
-		Strategy:  d.strategy,
-	})
-	if err != nil {
-		return nil, err
-	}
-	conn, _, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
-	return conn, err
-}
-
-func (d *legacyTransportDialer) Upstream() any {
-	return d.dialer
 }
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -2,6 +2,139 @@
 icon: material/alert-decagram
 ---

+#### 1.14.0-alpha.9
+
+* Fixes and improvements
+
+#### 1.13.6
+
+* Fixes and improvements
+
+#### 1.14.0-alpha.8
+
+* Add BBR profile and hop interval randomization for Hysteria2 **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
+
+#### 1.14.0-alpha.8
+
+* Fixes and improvements
+
+#### 1.13.5
+
+* Fixes and improvements
+
+#### 1.14.0-alpha.7
+
+* Fixes and improvements
+
+#### 1.13.4
+
+* Fixes and improvements
+
+#### 1.14.0-alpha.4
+
+* Refactor ACME support to certificate provider system **1**
+* Add Cloudflare Origin CA certificate provider **2**
+* Add Tailscale certificate provider **3**
+* Fixes and improvements
+
+**1**:
+
+See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
+
+**2**:
+
+See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
+
+**3**:
+
+See [Tailscale](/configuration/shared/certificate-provider/tailscale).
+
+#### 1.13.3
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.12.24
+
+* Fixes and improvements
+
+#### 1.14.0-alpha.2
+
+* Add OpenWrt and Alpine APK packages to release **1**
+* Backport to macOS 10.13 High Sierra **2**
+* OCM service: Add WebSocket support for Responses API **3**
+* Fixes and improvements
+
+**1**:
+
+Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
+
+- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
+- Alpine: `sing-box_{version}_linux_{architecture}.apk`
+
+**2**:
+
+Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
+macOS 10.13 High Sierra, built using Go 1.25 with patches
+from [SagerNet/go](https://github.com/SagerNet/go).
+
+**3**:
+
+See [OCM](/configuration/service/ocm).
+
+#### 1.14.0-alpha.1
+
+* Add `source_mac_address` and `source_hostname` rule items **1**
+* Add `include_mac_address` and `exclude_mac_address` TUN options **2**
+* Update NaiveProxy to 145.0.7632.159 **3**
+* Fixes and improvements
+
+**1**:
+
+New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
+Supported on Linux, macOS, or in graphical clients on Android and macOS.
+
+See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
+
+**2**:
+
+Limit or exclude devices from TUN routing by MAC address.
+Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+See [TUN](/configuration/inbound/tun/#include_mac_address).
+
+**3**:
+
+This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
+
+#### 1.13.2
+
+* Fixes and improvements
+
 #### 1.13.1

 * Fixes and improvements
@@ -619,7 +752,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -1089,7 +1222,7 @@ DNS servers are refactored for better performance and scalability.

 See [DNS server](/configuration/dns/server/).

-For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
+For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-server-formats).

 Compatibility for old formats will be removed in sing-box 1.14.0.

@@ -1925,7 +2058,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

@@ -1939,7 +2072,7 @@ the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users
 **5**:

 The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.

 **6**:

@@ -2120,7 +2253,7 @@ See [TUN](/configuration/inbound/tun) inbound.
 **1**:

 The new feature allows you to cache the check results of
-[Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
+[Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields) until expiration.

 #### 1.9.0-alpha.7

@@ -2167,7 +2300,7 @@ See [Migration](/migration/#process_path-format-update-on-windows).
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.

-See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
+See [Legacy Address Filter Fields](/configuration/dns/rule#legacy-address-filter-fields).

 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.

--- a/docs/configuration/dns/fakeip.md
+++ b/docs/configuration/dns/fakeip.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"

-    Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).

 ### Structure

@@ -26,6 +26,6 @@ Enable FakeIP service.

 IPv4 address range for FakeIP.

-#### inet6_address
+#### inet6_range

 IPv6 address range for FakeIP.
--- a/docs/configuration/dns/fakeip.zh.md
+++ b/docs/configuration/dns/fakeip.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "已在 sing-box 1.12.0 废弃"
+!!! failure "已在 sing-box 1.14.0 移除"

-    旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
+    旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 ### 结构

--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -39,7 +39,7 @@ icon: material/alert-decagram
 |----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
-| `fakeip` | [FakeIP](./fakeip/)             |
+| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |

 #### final

@@ -88,4 +88,4 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
+Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -88,6 +88,6 @@ LRU 缓存容量。

 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。

-#### fakeip
+#### fakeip :material-note-remove:

 [FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -2,6 +2,18 @@
 icon: material/alert-decagram
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-plus: [match_response](#match_response)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [interface_address](#interface_address)  
@@ -89,12 +101,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -149,6 +155,12 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -160,7 +172,16 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -169,7 +190,9 @@ icon: material/alert-decagram
        "server": "local",

        // Deprecated
-        
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -209,7 +232,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    Additionally, included rule-sets can be considered merged rather than as a single rule sub-item.
+    Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.

 #### inbound

@@ -408,6 +431,26 @@ Matches network interface (same values as `network_type`) address.

 Match default interface address.

+#### source_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device MAC address.
+
+#### source_hostname
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
+
+Match source device hostname from DHCP leases.
+
 #### wifi_ssid

 !!! quote ""
@@ -446,6 +489,19 @@ Make `ip_cidr` rule items in rule-sets match the source IP.

 Make `ip_cidr` rule items in rule-sets match the source IP.

+#### match_response
+
+!!! question "Since sing-box 1.14.0"
+
+Enable response-based matching. When enabled, this rule matches against the evaluated response
+(set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
+instead of only matching the original query.
+
+The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
+
+Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
+Also required for `ip_cidr` and `ip_is_private` when used with `evaluate` or Response Match Fields.
+
 #### invert

 Invert match result.
@@ -490,7 +546,12 @@ See [DNS Rule Actions](../rule_action/) for details.

    Moved to [DNS Rule Action](../rule_action#route).

-### Address Filter Fields
+### Legacy Address Filter Fields
+
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    Legacy Address Filter Fields are deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).

 Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.

@@ -516,24 +577,73 @@ Match GeoIP with query response.

 Match IP CIDR with query response.

+As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
+check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 #### ip_is_private

 !!! question "Since sing-box 1.9.0"

 Match private IP with query response.

+As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
+check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 #### rule_set_ip_cidr_accept_empty

 !!! question "Since sing-box 1.10.0"

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 Make `ip_cidr` rules in rule-sets accept empty query response.

 #### ip_accept_any

 !!! question "Since sing-box 1.12.0"

+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `ip_accept_any` is deprecated and will be removed in sing-box 1.16.0,
+    check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
+
 Match any IP with query response.

+### Response Match Fields
+
+!!! question "Since sing-box 1.14.0"
+
+Match fields for the evaluated response. Require `match_response` to be set to `true`
+and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
+
+That evaluated response may also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
+
+#### response_rcode
+
+Match DNS response code.
+
+Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
+
+#### response_answer
+
+Match DNS answer records.
+
+Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
+
+#### response_ns
+
+Match DNS name server records.
+
+Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
+
+#### response_extra
+
+Match DNS extra records.
+
+Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
+
 ### Logical Fields

 #### type
@@ -546,4 +656,4 @@ Match any IP with query response.

 #### rules

-Included rules.
+Included rules.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -2,6 +2,18 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [source_mac_address](#source_mac_address)  
+    :material-plus: [source_hostname](#source_hostname)  
+    :material-plus: [match_response](#match_response)  
+    :material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)  
+    :material-delete-clock: [ip_accept_any](#ip_accept_any)  
+    :material-plus: [response_rcode](#response_rcode)  
+    :material-plus: [response_answer](#response_answer)  
+    :material-plus: [response_ns](#response_ns)  
+    :material-plus: [response_extra](#response_extra)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [interface_address](#interface_address)  
@@ -89,12 +101,6 @@ icon: material/alert-decagram
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
-        "ip_cidr": [
-          "10.0.0.0/24",
-          "192.168.0.1"
-        ],
-        "ip_is_private": false,
-        "ip_accept_any": false,
        "source_port": [
          12345
        ],
@@ -149,6 +155,12 @@ icon: material/alert-decagram
        "default_interface_address": [
          "2000::/3"
        ],
+        "source_mac_address": [
+          "00:11:22:33:44:55"
+        ],
+        "source_hostname": [
+          "my-device"
+        ],
        "wifi_ssid": [
          "My WIFI"
        ],
@@ -160,7 +172,16 @@ icon: material/alert-decagram
          "geosite-cn"
        ],
        "rule_set_ip_cidr_match_source": false,
-        "rule_set_ip_cidr_accept_empty": false,
+        "match_response": false,
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_is_private": false,
+        "response_rcode": "",
+        "response_answer": [],
+        "response_ns": [],
+        "response_extra": [],
        "invert": false,
        "outbound": [
          "direct"
@@ -169,6 +190,9 @@ icon: material/alert-decagram
        "server": "local",

        // 已弃用
+
+        "ip_accept_any": false,
+        "rule_set_ip_cidr_accept_empty": false,
        "rule_set_ipcidr_match_source": false,
        "geosite": [
          "cn"
@@ -208,7 +232,7 @@ icon: material/alert-decagram
    (`source_port` || `source_port_range`) &&  
    `other fields`

-    另外，引用的规则集可视为被合并，而不是作为一个单独的规则子项。
+    另外，引用规则集中的每个分支都可视为与外层规则合并，不同分支之间仍保持 OR 语义。

 #### inbound

@@ -256,7 +280,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。

 匹配 Geosite。

@@ -264,7 +288,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。

 匹配源 GeoIP。

@@ -407,6 +431,26 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 匹配默认接口地址。

+#### source_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备 MAC 地址。
+
+#### source_hostname
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux、macOS，或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
+
+匹配源设备从 DHCP 租约获取的主机名。
+
 #### wifi_ssid

 !!! quote ""
@@ -445,6 +489,17 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 使规则集中的 `ip_cidr` 规则匹配源 IP。

+#### match_response
+
+!!! question "自 sing-box 1.14.0 起"
+
+启用响应匹配。启用后，此规则将匹配已评估的响应（由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置），而不仅是匹配原始查询。
+
+该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
+
+响应匹配字段（`response_rcode`、`response_answer`、`response_ns`、`response_extra`）需要此选项。
+当与 `evaluate` 或响应匹配字段一起使用时，`ip_cidr` 和 `ip_is_private` 也需要此选项。
+
 #### invert

 反选匹配结果。
@@ -453,7 +508,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 废弃"

-    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。
+    `outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。

 匹配出站。

@@ -489,7 +544,12 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

    已移动到 [DNS 规则动作](../rule_action#route).

-### 地址筛选字段
+### 旧版地址筛选字段
+
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    旧版地址筛选字段已废弃，且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。

 仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。

@@ -505,7 +565,7 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 !!! failure "已在 sing-box 1.12.0 中被移除"

-    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。


 与查询响应匹配 GeoIP。
@@ -516,24 +576,73 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 与查询响应匹配 IP CIDR。

+作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
 #### ip_is_private

 !!! question "自 sing-box 1.9.0 起"

 与查询响应匹配非公开 IP。

-#### ip_accept_any
-
-!!! question "自 sing-box 1.12.0 起"
-
-匹配任意 IP。
+作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用，
+参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。

 #### rule_set_ip_cidr_accept_empty

 !!! question "自 sing-box 1.10.0 起"

+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
 使规则集中的 `ip_cidr` 规则接受空查询响应。

+#### ip_accept_any
+
+!!! question "自 sing-box 1.12.0 起"
+
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `ip_accept_any` 已废弃且将在 sing-box 1.16.0 中被移除，
+    参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
+
+匹配任意 IP。
+
+### 响应匹配字段
+
+!!! question "自 sing-box 1.14.0 起"
+
+已评估的响应的匹配字段。需要将 `match_response` 设为 `true`，
+且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
+
+该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
+
+#### response_rcode
+
+匹配 DNS 响应码。
+
+接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
+
+#### response_answer
+
+匹配 DNS 应答记录。
+
+记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
+
+#### response_ns
+
+匹配 DNS 名称服务器记录。
+
+记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
+
+#### response_extra
+
+匹配 DNS 额外记录。
+
+记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
+
 ### 逻辑字段

 #### type
@@ -550,4 +659,4 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.

 ==必填==

-包括的规则。
+包括的规则。
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@@ -2,6 +2,12 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-delete-clock: [strategy](#strategy)  
+    :material-plus: [evaluate](#evaluate)  
+    :material-plus: [respond](#respond)
+
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [strategy](#strategy)  
@@ -34,7 +40,11 @@ Tag of target server.

 !!! question "Since sing-box 1.12.0"

-Set domain strategy for this query.
+!!! failure "Deprecated in sing-box 1.14.0"
+
+    `strategy` is deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0.
+
+Set domain strategy for this query. Deprecated, check [Migration](/migration/#migrate-dns-rule-action-strategy-to-rule-items).

 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

@@ -52,7 +62,68 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
+
+### evaluate
+
+!!! question "Since sing-box 1.14.0"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` sends a DNS query to the specified server and saves the evaluated response for subsequent rules
+to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
+Unlike `route`, it does **not** terminate rule evaluation.
+
+Only allowed on top-level DNS rules (not inside logical sub-rules).
+Rules that use [`match_response`](/configuration/dns/rule/#match_response) or Response Match Fields
+require a preceding top-level rule with `evaluate` action. A rule's own `evaluate` action
+does not satisfy this requirement, because matching happens before the action runs.
+
+#### server
+
+==Required==
+
+Tag of target server.
+
+#### disable_cache
+
+Disable cache and save cache in this query.
+
+#### rewrite_ttl
+
+Rewrite TTL in DNS responses.
+
+#### client_subnet
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will override `dns.client_subnet`.
+
+### respond
+
+!!! question "Since sing-box 1.14.0"
+
+```json
+{
+  "action": "respond"
+}
+```
+
+`respond` terminates rule evaluation and returns the evaluated response from a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action.
+
+This action does not send a new DNS query and has no extra options.
+
+Only allowed after a preceding top-level `evaluate` rule. If the action is reached without an evaluated response at runtime, the request fails with an error instead of falling through to later rules.

 ### route-options

--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@@ -2,6 +2,12 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-delete-clock: [strategy](#strategy)  
+    :material-plus: [evaluate](#evaluate)  
+    :material-plus: [respond](#respond)
+
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [strategy](#strategy)  
@@ -34,7 +40,11 @@ icon: material/new-box

 !!! question "自 sing-box 1.12.0 起"

-为此查询设置域名策略。
+!!! failure "已在 sing-box 1.14.0 废弃"
+
+    `strategy` 已在 sing-box 1.14.0 废弃，且将在 sing-box 1.16.0 中被移除。
+
+为此查询设置域名策略。已废弃，参阅[迁移指南](/zh/migration/#迁移-dns-规则动作-strategy-到规则项)。

 可选项：`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

@@ -54,6 +64,65 @@ icon: material/new-box

 将覆盖 `dns.client_subnet`.

+### evaluate
+
+!!! question "自 sing-box 1.14.0 起"
+
+```json
+{
+  "action": "evaluate",
+  "server": "",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+`evaluate` 向指定服务器发送 DNS 查询并保存已评估的响应，供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同，它**不会**终止规则评估。
+
+仅允许在顶层 DNS 规则中使用（不可在逻辑子规则内部使用）。
+使用 [`match_response`](/zh/configuration/dns/rule/#match_response) 或响应匹配字段的规则，
+需要位于更早的顶层 `evaluate` 规则之后。规则自身的 `evaluate` 动作不能满足这个条件，
+因为匹配发生在动作执行之前。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+#### rewrite_ttl
+
+重写 DNS 回应中的 TTL。
+
+#### client_subnet
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet`.
+
+### respond
+
+!!! question "自 sing-box 1.14.0 起"
+
+```json
+{
+  "action": "respond"
+}
+```
+
+`respond` 会终止规则评估，并直接返回前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作保存的已评估的响应。
+
+此动作不会发起新的 DNS 查询，也没有额外选项。
+
+只能用于前面已有顶层 `evaluate` 规则的场景。如果运行时命中该动作时没有已评估的响应，则请求会直接返回错误，而不是继续匹配后续规则。
+
 ### route-options

 ```json
@@ -84,7 +153,7 @@ icon: material/new-box
 - `default`: 返回 REFUSED。
 - `drop`: 丢弃请求。

-默认使用 `defualt`。
+默认使用 `default`。

 #### no_drop

--- a/docs/configuration/dns/server/http3.zh.md
+++ b/docs/configuration/dns/server/http3.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/https.zh.md
+++ b/docs/configuration/dns/server/https.zh.md
@@ -64,7 +64,7 @@ DNS 服务器的路径。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/index.md
+++ b/docs/configuration/dns/server/index.md
@@ -29,7 +29,7 @@ The type of the DNS server.

 | Type            | Format                    |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/index.zh.md
+++ b/docs/configuration/dns/server/index.zh.md
@@ -29,7 +29,7 @@ DNS 服务器的类型。

 | 类型              | 格式                        |
 |-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
+| empty (default) | :material-note-remove: [Legacy](./legacy/) |
 | `local`         | [Local](./local/)         |
 | `hosts`         | [Hosts](./hosts/)         |
 | `tcp`           | [TCP](./tcp/)             |
--- a/docs/configuration/dns/server/legacy.md
+++ b/docs/configuration/dns/server/legacy.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "Removed in sing-box 1.14.0"

-    Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
+    Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).

 !!! quote "Changes in sing-box 1.9.0"

@@ -108,6 +108,6 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q

 If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.

-Can be overrides by `rules.[].client_subnet`.
+Can be overridden by `rules.[].client_subnet`.

-Will overrides `dns.client_subnet`.
+Will override `dns.client_subnet`.
--- a/docs/configuration/dns/server/legacy.zh.md
+++ b/docs/configuration/dns/server/legacy.zh.md
@@ -1,10 +1,10 @@
 ---
-icon: material/delete-clock
+icon: material/note-remove
 ---

-!!! failure "Deprecated in sing-box 1.12.0"
+!!! failure "已在 sing-box 1.14.0 移除"

-    旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
+    旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除，参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。

 !!! quote "sing-box 1.9.0 中的更改"

--- a/docs/configuration/dns/server/quic.zh.md
+++ b/docs/configuration/dns/server/quic.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/dns/server/tls.zh.md
+++ b/docs/configuration/dns/server/tls.zh.md
@@ -51,7 +51,7 @@ DNS 服务器的端口。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#出站)。

 ### 拨号字段

--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@@ -44,7 +44,7 @@ Store fakeip in the cache file

 Store rejected DNS response cache in the cache file

-The check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)
+The check results of [Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields)
 will be cached until expiration.

 #### rdrc_timeout
--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@@ -42,7 +42,7 @@

 将拒绝的 DNS 响应缓存存储在缓存文件中。

-[地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
+[旧版地址筛选字段](/zh/configuration/dns/rule/#旧版地址筛选字段) 的检查结果将被缓存至过期。

 #### rdrc_timeout

--- a/docs/configuration/experimental/v2ray-api.zh.md
+++ b/docs/configuration/experimental/v2ray-api.zh.md
@@ -1,6 +1,6 @@
 !!! quote ""

-    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#_5)。
+    默认安装不包含 V2Ray API，参阅 [安装](/zh/installation/build-from-source/#构建标记)。

 ### 结构

--- a/docs/configuration/inbound/anytls.zh.md
+++ b/docs/configuration/inbound/anytls.zh.md
@@ -58,4 +58,4 @@ AnyTLS 填充方案行数组。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@@ -26,7 +26,7 @@

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### users

--- a/docs/configuration/inbound/hysteria.zh.md
+++ b/docs/configuration/inbound/hysteria.zh.md
@@ -104,4 +104,4 @@ base64 编码的认证密码。

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "Changes in sing-box 1.11.0"

    :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // or {}
+  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -141,6 +146,14 @@ Fixed response headers.

 Fixed response content.

+#### bbr_profile
+
+!!! question "Since sing-box 1.14.0"
+
+BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
+
+`standard` is used by default.
+
 #### brutal_debug

 Enable debug information logging for Hysteria Brutal CC.
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -2,6 +2,10 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [bbr_profile](#bbr_profile)
+
 !!! quote "sing-box 1.11.0 中的更改"

    :material-alert: [masquerade](#masquerade)  
@@ -31,6 +35,7 @@ icon: material/alert-decagram
  "ignore_client_bandwidth": false,
  "tls": {},
  "masquerade": "", // 或 {}
+  "bbr_profile": "",
  "brutal_debug": false
 }
 ```
@@ -38,7 +43,7 @@ icon: material/alert-decagram
 !!! warning "与官方 Hysteria2 的区别"

    官方程序支持一种名为 **userpass** 的验证方式，
-    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。

 ### 监听字段
@@ -85,7 +90,7 @@ Hysteria 用户

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### masquerade

@@ -138,6 +143,14 @@ HTTP3 服务器认证失败时的行为 （对象配置）。

 固定响应内容。

+#### bbr_profile
+
+!!! question "自 sing-box 1.14.0 起"
+
+BBR 拥塞控制算法配置，可选 `conservative` `standard` `aggressive`。
+
+默认使用 `standard`。
+
 #### brutal_debug

 启用 Hysteria Brutal CC 的调试信息日志记录。
--- a/docs/configuration/inbound/naive.zh.md
+++ b/docs/configuration/inbound/naive.zh.md
@@ -60,4 +60,4 @@ QUIC 拥塞控制算法。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -93,4 +93,4 @@

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -43,7 +43,7 @@ Trojan 用户。

 #### tls

-TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### fallback

@@ -61,7 +61,7 @@ TLS 配置，参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/inbound/tuic.zh.md
+++ b/docs/configuration/inbound/tuic.zh.md
@@ -75,4 +75,4 @@ QUIC 拥塞控制算法

 ==必填==

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -2,6 +2,15 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [exclude_mac_address](#exclude_mac_address)
+
+!!! quote "Changes in sing-box 1.13.3"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "Changes in sing-box 1.13.0"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -125,6 +134,12 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -348,6 +363,9 @@ Enforce strict routing rules when `auto_route` is enabled:

 * Let unsupported network unreachable
 * For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
+    * Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
+    * Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.

 *In Windows*:

@@ -548,6 +566,30 @@ Limit android packages in route.

 Exclude android packages in route.

+#### include_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Limit MAC addresses in route. Not limited by default.
+
+Conflict with `exclude_mac_address`.
+
+#### exclude_mac_address
+
+!!! question "Since sing-box 1.14.0"
+
+!!! quote ""
+
+    Only supported on Linux with `auto_route` and `auto_redirect` enabled.
+
+Exclude MAC addresses in route.
+
+Conflict with `include_mac_address`.
+
 #### platform

 Platform-specific settings, provided by client applications.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -2,6 +2,15 @@
 icon: material/new-box
 ---

+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [include_mac_address](#include_mac_address)  
+    :material-plus: [exclude_mac_address](#exclude_mac_address)
+
+!!! quote "sing-box 1.13.3 中的更改"
+
+    :material-alert: [strict_route](#strict_route)
+
 !!! quote "sing-box 1.13.0 中的更改"

    :material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)  
@@ -126,6 +135,12 @@ icon: material/new-box
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
+  "include_mac_address": [
+    "00:11:22:33:44:55"
+  ],
+  "exclude_mac_address": [
+    "66:77:88:99:aa:bb"
+  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
@@ -347,6 +362,9 @@ tun 接口的 IPv6 前缀。

 * 使不支持的网络不可达。
 * 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 当启用 `auto_redirect` 时，`strict_route` 也影响 `SO_BINDTODEVICE` 流量：
+    * 启用：`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
+    * 禁用：`SO_BINDTODEVICE` 流量绕过 sing-box。

 *在 Windows 中*：

@@ -536,6 +554,30 @@ TCP/IP 栈。

 排除路由的 Android 应用包名。

+#### include_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+限制被路由的 MAC 地址。默认不限制。
+
+与 `exclude_mac_address` 冲突。
+
+#### exclude_mac_address
+
+!!! question "自 sing-box 1.14.0 起"
+
+!!! quote ""
+
+    仅支持 Linux，且需要 `auto_route` 和 `auto_redirect` 已启用。
+
+排除路由的 MAC 地址。
+
+与 `include_mac_address` 冲突。
+
 #### platform

 平台特定的设置，由客户端应用提供。
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -48,11 +48,11 @@ VLESS 子协议。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -43,11 +43,11 @@ VMess 用户。

 #### tls

-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

 #### multiplex

-参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

 #### transport

--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -1,7 +1,6 @@
 # Introduction

 sing-box uses JSON for configuration files.
-
 ### Structure

 ```json
@@ -10,6 +9,7 @@ sing-box uses JSON for configuration files.
  "dns": {},
  "ntp": {},
  "certificate": {},
+  "certificate_providers": [],
  "endpoints": [],
  "inbounds": [],
  "outbounds": [],
@@ -27,6 +27,7 @@ sing-box uses JSON for configuration files.
 | `dns`          | [DNS](./dns/)                   |
 | `ntp`          | [NTP](./ntp/)                   |
 | `certificate`  | [Certificate](./certificate/)   |
+| `certificate_providers` | [Certificate Provider](./shared/certificate-provider/) |
 | `endpoints`    | [Endpoint](./endpoint/)         |
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
@@ -50,4 +51,4 @@ sing-box format -w -c config.json -D config_directory

 ```bash
 sing-box merge output.json -c config.json -D config_directory
-```
+```
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	f4de7d622a	tools: Network Quality	2026-04-08 14:44:14 +08:00
世界	fcd2b90852	tun: Fixes	2026-04-07 23:39:49 +08:00
世界	0d772e6893	oom-killer: Free memory on pressure notification and use gradual interval backoff	2026-04-07 23:38:44 +08:00
世界	4806d5e588	Fix deprecated warning double-formatting on localized clients	2026-04-07 23:37:48 +08:00
世界	2df43e4d1b	platform: Fix set local	2026-04-07 23:37:48 +08:00
世界	5cbd7974df	Reformat code	2026-04-07 23:37:41 +08:00
nekohasekai	63b79b3087	Add evaluate DNS rule action and related rule items	2026-04-07 20:02:32 +08:00
世界	a8feb5aa21	tun: Reduce iOS TCP buffers	2026-04-07 14:17:18 +08:00
世界	62cb06c02f	Also enable certificate store by default on Apple platforms `SecTrustEvaluateWithError` is serial	2026-04-07 13:43:10 +08:00
世界	00ec31142f	Bump version	2026-04-06 23:39:52 +08:00
世界	83a0b44659	platform: Add OOM Report & Crash Rerport	2026-04-06 23:36:06 +08:00
世界	95fd74a9f9	Add BBR profile and hop interval randomization for Hysteria2	2026-04-06 23:36:06 +08:00
nekohasekai	d98ab6f1b8	Refactor ACME support to certificate provider	2026-04-06 23:36:05 +08:00
世界	b1379a23a5	cronet-go: Update chromium to 145.0.7632.159	2026-04-06 23:36:05 +08:00
世界	c79a3a81e7	documentation: Update descriptions for neighbor rules	2026-04-06 23:36:05 +08:00
世界	18e64323ef	Add macOS support for MAC and hostname rule items	2026-04-06 23:36:05 +08:00
世界	594932a226	Add Android support for MAC and hostname rule items	2026-04-06 23:36:05 +08:00
世界	793ad6ffc5	Add MAC and hostname rule items	2026-04-06 23:36:05 +08:00
世界	813b634d08	Bump version	2026-04-06 23:09:11 +08:00
hdrover	d9b435fb62	Fix naive inbound padding bytes	2026-04-06 22:33:11 +08:00
世界	354b4b040e	sing: Fix vectorised readv iovec length calculation This does not seem to affect any actual paths in the sing-box.	2026-04-01 16:16:58 +08:00
世界	7ffdc48b49	Bump version	2026-03-30 23:03:43 +08:00
世界	e15bdf11eb	sing: Minor fixes	2026-03-30 22:58:11 +08:00
世界	e3bcb06c3e	platform: Add HTTPResponse.WriteToWithProgress	2026-03-30 22:42:36 +08:00
世界	84d2280960	quic: Fix protocol client close & Sync hysteria bbr fix	2026-03-30 22:42:36 +08:00
世界	4fd2532b0a	Fix naive quic error message	2026-03-30 22:42:36 +08:00
Zhengchao Ding	02ccde6c71	fix(rpm): add vendor field to fpm config to avoid (none) vendor Co-authored-by: Hyper <hypar@disroot.org>	2026-03-30 22:09:54 +08:00
世界	e98b4ad449	Fix WireGuard shutdown race crashing Stop peer goroutines before closing the TUN device to prevent RoutineSequentialReceiver from calling Write on a nil dispatcher.	2026-03-26 16:33:21 +08:00
世界	d09182614c	Bump version	2026-03-26 13:28:33 +08:00
世界	6381de7bab	route: Fix query_type never matching in rule_set headless rules	2026-03-26 13:26:18 +08:00
世界	b0c6762bc1	route: merge rule_set branches into outer rules Treat rule_set items as merged branches instead of standalone boolean sub-items. Evaluate each branch inside a referenced rule-set as if it were merged into the outer rule and keep OR semantics between branches. This lets outer grouped fields satisfy matching groups inside a branch without introducing a standalone outer fallback or cross-branch state union. Keep inherited grouped state outside inverted default and logical branches. Negated rule-set branches now evaluate !(...) against their own conditions and only reapply the outer grouped match after negation succeeds, so configs like outer-group && !inner-condition continue to work. Add regression tests for same-group merged matches, cross-group and extra-AND failures, DNS merged-branch behaviour, and inverted merged branches. Update the route and DNS rule docs to clarify that rule-set branches merge into the outer rule while keeping OR semantics between branches.	2026-03-25 14:00:29 +08:00
世界	7425100bac	release: Refactor release tracks for Linux packages and Docker Support 4 release tracks instead of 2: - sing-box / latest (stable release) - sing-box-beta / latest-beta (stable pre-release) - sing-box-testing / latest-testing (testing branch) - sing-box-oldstable / latest-oldstable (oldstable branch) Track is detected via git branch --contains and git tag, replacing the old version-string hyphen check.	2026-03-24 15:03:43 +08:00
世界	d454aa0fdf	route: formalize nested rule_set group-state semantics Before `795d1c289`, nested rule-set evaluation reused the parent rule match cache. In practice, this meant these fields leaked across nested evaluation: - SourceAddressMatch - SourcePortMatch - DestinationAddressMatch - DestinationPortMatch - DidMatch That leak had two opposite effects. First, it made included rule-sets partially behave like the docs' "merged" semantics. For example, if an outer route rule had: rule_set = ["geosite-additional-!cn"] ip_cidr = 104.26.10.0/24 and the inline rule-set matched `domain_suffix = speedtest.net`, the inner match could set `DestinationAddressMatch = true` and the outer rule would then pass its destination-address group check. This is why some `rule_set + ip_cidr` combinations used to work. But the same leak also polluted sibling rules and sibling rule-sets. A branch could partially match one group, then fail later, and still leave that group cache set for the next branch. This broke cases such as gh-3485: with `rule_set = [test1, test2]`, `test1` could touch destination-address cache before an AdGuard `@@` exclusion made the whole branch fail, and `test2` would then run against dirty state. `795d1c289` fixed that by cloning metadata for nested rule-set/rule evaluation and resetting the rule match cache for each branch. That stopped sibling pollution, but it also removed the only mechanism by which a successful nested branch could affect the parent rule's grouped matching state. As a result, nested rule-sets became pure boolean sub-items against the outer rule. The previous example stopped working: the inner `domain_suffix = speedtest.net` still matched, but the outer rule no longer observed any destination-address-group success, so it fell through to `final`. This change makes the semantics explicit instead of relying on cache side effects: - `rule_set: ["a", "b"]` is OR - rules inside one rule-set are OR - each nested branch is evaluated in isolation - failed branches contribute no grouped match state - a successful branch contributes its grouped match state back to the parent rule - grouped state from different rule-sets must not be combined together to satisfy one outer rule In other words, rule-sets now behave as "OR branches whose successful group matches merge into the outer rule", which matches the documented intent without reintroducing cross-branch cache leakage.	2026-03-24 15:03:43 +08:00
世界	a3623eb41a	tun: Fix system stack rewriting TUN subnet destinations to loopback	2026-03-23 19:38:55 +08:00
世界	72bc4c1f87	Fix DNS transport returning error for empty AAAA response Closes #3925	2026-03-23 19:21:55 +08:00
世界	9ac1e2ff32	Match `package_name` in `process_path` rule on Android	2026-03-23 18:57:35 +08:00
世界	0045103d14	Fix `package_name` shared uid matching	2026-03-23 18:57:35 +08:00
世界	d2a933784c	Optimize Darwin process finder	2026-03-23 18:57:35 +08:00
世界	3f05a37f65	Optimize Linux process finder	2026-03-23 18:57:35 +08:00
世界	b8e5a71450	Add process information cache to avoid duplicate lookups PreMatch and full match phases each created a fresh InboundContext, causing process search (expensive OS syscalls) to run twice per connection. Use a freelru ShardedLRU cache with 200ms TTL to serve the second lookup from cache.	2026-03-23 14:26:45 +08:00
世界	c13faa8e3c	tailscale: Only set ProcessLocalIPs/ProcessSubnets for fake TUN	2026-03-23 14:16:40 +08:00
世界	7623bcd19e	Fix DialerForICMPDestination	2026-03-23 13:58:55 +08:00
世界	795d1c2892	Fix nested rule-set match cache isolation	2026-03-23 12:26:19 +08:00
世界	6913b11e0a	Reject removed legacy inbound fields instead of silently ignoring	2026-03-21 17:16:10 +08:00
世界	1e57c06295	daemon: Allow StartOrReloadService to recover from FATAL state	2026-03-21 13:37:14 +08:00
世界	ea464cef8d	daemon: Fix CloseService leaving instance non-nil on close error	2026-03-21 13:23:57 +08:00
Andrew Novikov	a8e3cd3256	tun: Fix nfqueue not working in prerouting	2026-03-17 11:05:40 +08:00
世界	686cf1f304	documentation: Fix Chinese link anchors	2026-03-16 12:24:10 +08:00
世界	9fbfb87723	documentation: Fix unicode heading anchors	2026-03-16 12:10:32 +08:00
世界	d2fa21d07b	Deprecate Socksaddr.IsFqdn: do not reject potentially valid domain names	2026-03-16 09:37:59 +08:00
世界	d3768cca36	Bump version	2026-03-15 17:56:37 +08:00
世界	0889ddd001	Fix connector canceled dial cleanup	2026-03-15 17:56:37 +08:00
深鸣	f46fbf188a	documentation: Minor fixes	2026-03-15 17:56:37 +08:00
世界	f2d15139f5	tun: Fix nftables single include_uid not working	2026-03-15 16:58:34 +08:00
世界	041646b728	Fix kTLS crash	2026-03-14 21:38:38 +08:00
世界	b990de2e12	tun: Fix "Fix auto_redirect dropping SO_BINDTODEVICE traffic"	2026-03-14 21:38:38 +08:00
世界	fe585157d2	Bump version	2026-03-14 21:38:38 +08:00
世界	eed6a36e5d	tun：Fix auto_redirect dropping SO_BINDTODEVICE traffic	2026-03-14 21:38:38 +08:00
世界	eb0f38544c	tailscale: Fix system interface rules	2026-03-14 21:38:38 +08:00
世界	54468a1a2a	platform: Add f-droid update helpers	2026-03-11 20:41:29 +08:00
世界	8289bbd846	Add Alpine APK packaging to CI build Add fpm-based Alpine APK packaging alongside existing DEB/RPM/Pacman packages. Alpine APKs use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix.	2026-03-11 20:41:29 +08:00
世界	49c450d942	ccm/ocm: Fix missing metering for 1M context and /fast mode CCM: Fix 1M context detection - use prefix match for versioned beta strings (e.g. "context-1m-2025-08-07") and include cache tokens in the 200K threshold check per Anthropic billing docs. OCM: Add GPT-5.4 family pricing (standard/priority/flex) with extended context (>272K) premium pricing support. Add context window tracking to usage combinations, mirroring CCM's pattern. Update normalizeGPT5Model defaults to latest known models.	2026-03-11 20:41:29 +08:00
世界	a7ee943216	Fix tailscale connections	2026-03-11 00:27:15 +08:00
世界	8bb4c4dd32	documentation: Update ocm/ccm examples	2026-03-10 22:04:12 +08:00
世界	67621ee6ba	Fix OCM websocket proxy lifecycle and headers	2026-03-10 22:04:11 +08:00
世界	a09ffe6a0f	ccm/ocm: Add `by_user_and_week` cost summary	2026-03-10 22:04:11 +08:00
世界	e0be8743f6	ocm: Add Responses WebSocket API proxy and fix client config docs Support the OpenAI Responses WebSocket API (`wss://.../v1/responses`) for bidirectional frame proxying with usage tracking. Fix Codex CLI client config examples to use profiles and correct flags. Update openai-go v3.24.0 → v3.26.0.	2026-03-10 22:04:11 +08:00
世界	0b04528803	tailscaile: Fix using TUN auto redirect with tailscale system interface	2026-03-10 22:04:11 +08:00
世界	65875e6dac	tailscale: Use system dialer for system interface * Revert "Fix netstack TCP connections with system interface	2026-03-10 19:50:16 +08:00
世界	4d6fb1d38d	Fix legacy DNS `client_subnet` options not working	2026-03-09 20:18:47 +08:00
世界	305b930d90	release: Fix default config	2026-03-09 20:18:43 +08:00
世界	bc3884ca91	release: Add openwrt apk build	2026-03-09 20:18:40 +08:00
世界	df0bf927e4	Fix missing `with_gvisor` build tag for tailscale	2026-03-09 20:18:28 +08:00
世界	efe20ea51c	release: Backport Go 1.25 to macOS 10.13	2026-03-09 20:13:36 +08:00
世界	e21a72fcd1	Fix websocket connection and goroutine leaks in Clash API Co-authored-by: traitman <112139837+traitman@users.noreply.github.com>	2026-03-09 20:06:34 +08:00
世界	e1477bd065	documentation: Update cronet-go descriptions	2026-03-09 20:06:34 +08:00
世界	aa495fce38	Fix local DNS transport CNAME chain broken with systemd-resolved Replace D-Bus ResolveRecord API with direct raw DNS queries to upstream servers obtained from systemd-resolved's per-interface link properties.	2026-03-09 20:06:34 +08:00
世界	9cd60c28c0	tailscale: Fix inbound UDP packet connection	2026-03-09 20:06:34 +08:00
Heng lu	2ba896c5ac	Fix netns fd leak in ListenNetworkNamespace	2026-03-09 20:06:34 +08:00
Oleg Artyomov	1d388547ee	service/ccm: strip Accept-Encoding before forwarding to avoid untracked usage When clients (e.g. Node.js Anthropic SDK) explicitly set Accept-Encoding: gzip, Go's http.Transport does not transparently decompress the response body, because it only does so when it added the header itself. This causes CCM's json.Unmarshal to receive raw gzip bytes, silently failing to parse usage data and leaving the usage counter unchanged. Fix: remove Accept-Encoding from the outgoing proxy request. Transport adds it automatically and transparently decompresses response.Body before CCM reads it. Wire compression (CCM→Anthropic) is preserved — Transport still negotiates gzip. Only CCM→localhost path is affected; compression on loopback has no practical benefit.	2026-03-09 20:06:34 +08:00
世界	e343cec4d5	Fix legacy DNS defaults on final transport	2026-03-09 20:06:34 +08:00
世界	d58efc5d01	cronet-go: Fix library search path	2026-03-09 20:06:34 +08:00
世界	4b26ab16fb	Bump version	2026-03-07 16:13:23 +08:00
世界	0e27312eda	Update Go to 1.25.8	2026-03-07 16:13:23 +08:00
世界	4e0a953b98	sing: Revert "Relax domain name validation to support non-standard characters"	2026-03-07 15:44:40 +08:00
世界	27c5b0b1af	Fix DNS exchange failure and recursion deadlock in connector Co-authored-by: everyx <lunt.luo@gmail.com>	2026-03-06 15:31:22 +08:00
dyhkwong	84019b06d9	Fix v2ray HTTP transport server	2026-03-06 10:13:39 +08:00