documentation: Bump version

documentation: Update DNS manual
dialer: Allow nil router
2024-05-03 17:41:59 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:27 +08:00 · 2024-05-03 17:41:20 +08:00
97 changed files with 1841 additions and 859 deletions
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@ -9,6 +9,7 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 )
@ -30,6 +31,9 @@ type CacheFile interface {
 	StoreFakeIP() bool
 	FakeIPStorage
 	StoreRDRC() bool
 	dns.RDRCStore
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@ -51,11 +51,13 @@ type InboundContext struct {
 	// rule cache
-	IPCIDRMatchSource       bool
+	IPCIDRMatchSource            bool
-	SourceAddressMatch      bool
+	SourceAddressMatch           bool
-	SourcePortMatch         bool
+	SourcePortMatch              bool
-	DestinationAddressMatch bool
+	DestinationAddressMatch      bool
-	DestinationPortMatch    bool
+	DestinationPortMatch         bool
 	DidMatch                     bool
 	IgnoreDestinationIPCIDRMatch bool
 }
 func (c *InboundContext) ResetRuleCache() {
@ -64,6 +66,7 @@ func (c *InboundContext) ResetRuleCache() {
 	c.SourcePortMatch = false
 	c.DestinationAddressMatch = false
 	c.DestinationPortMatch = false
 	c.DidMatch = false
 }
 type inboundContextKey struct{}
--- a/adapter/router.go
+++ b/adapter/router.go
@ -71,6 +71,7 @@ func RouterFromContext(ctx context.Context) Router {
 type HeadlessRule interface {
 	Match(metadata *InboundContext) bool
 	String() string
 }
 type Rule interface {
@ -79,13 +80,15 @@ type Rule interface {
 	Type() string
 	UpdateGeosite() error
 	Outbound() string
 	String() string
 }
 type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
 	ClientSubnet() *netip.Addr
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }
 type RuleSet interface {
@ -99,6 +102,7 @@ type RuleSet interface {
 type RuleSetMetadata struct {
 	ContainsProcessRule bool
 	ContainsWIFIRule    bool
 	ContainsIPCIDRRule  bool
 }
 type RuleSetStartContext interface {
--- a/clients/android
+++ b/clients/android
@ -1 +1 @@
-Subproject commit 288a6f34db62f65399c7546373d9c1aab2072745
+Subproject commit c0ce4cc97d71ae9c02df93316d72feaf028df459
--- a/clients/apple
+++ b/clients/apple
@ -1 +1 @@
-Subproject commit 1c5bc23a25d71fd436e318c44d8fb855f56b91ed
+Subproject commit 17eec0861543489ad4519eef974c65d2a159244d
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@ -0,0 +1,86 @@
 package main
 import (
 	"bytes"
 	"io"
 	"os"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/route"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/spf13/cobra"
 )
 var flagRuleSetMatchFormat string
 var commandRuleSetMatch = &cobra.Command{
 	Use:   "match <rule-set path> <domain>",
 	Short: "Check if a domain matches the rule set",
 	Args:  cobra.ExactArgs(2),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := ruleSetMatch(args[0], args[1])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandRuleSetMatch.Flags().StringVarP(&flagRuleSetMatchFormat, "format", "f", "source", "rule-set format")
 	commandRuleSet.AddCommand(commandRuleSetMatch)
 }
 func ruleSetMatch(sourcePath string, domain string) error {
 	var (
 		reader io.Reader
 		err    error
 	)
 	if sourcePath == "stdin" {
 		reader = os.Stdin
 	} else {
 		reader, err = os.Open(sourcePath)
 		if err != nil {
 			return E.Cause(err, "read rule-set")
 		}
 	}
 	content, err := io.ReadAll(reader)
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
 	var plainRuleSet option.PlainRuleSet
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:
 		var compat option.PlainRuleSetCompat
 		compat, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
 		if err != nil {
 			return err
 		}
 		plainRuleSet = compat.Upgrade()
 	case C.RuleSetFormatBinary:
 		plainRuleSet, err = srs.Read(bytes.NewReader(content), false)
 		if err != nil {
 			return err
 		}
 	default:
 		return E.New("unknown rule set format: ", flagRuleSetMatchFormat)
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
 		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}
 		if currentRule.Match(&adapter.InboundContext{
 			Domain: domain,
 		}) {
 			println("match rules.[", i, "]: "+currentRule.String())
 		}
 	}
 	return nil
 }
--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@ -4,6 +4,8 @@ package badtls
 import (
 	"bytes"
 	"context"
 	"net"
 	"os"
 	"reflect"
 	"sync"
@ -18,20 +20,32 @@ import (
 var _ N.ReadWaiter = (*ReadWaitConn)(nil)
 type ReadWaitConn struct {
-	*tls.STDConn
+	tls.Conn
-	halfAccess      *sync.Mutex
+	halfAccess                    *sync.Mutex
-	rawInput        *bytes.Buffer
+	rawInput                      *bytes.Buffer
-	input           *bytes.Reader
+	input                         *bytes.Reader
-	hand            *bytes.Buffer
+	hand                          *bytes.Buffer
-	readWaitOptions N.ReadWaitOptions
+	readWaitOptions               N.ReadWaitOptions
 	tlsReadRecord                 func() error
 	tlsHandlePostHandshakeMessage func() error
 }
 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	stdConn, isSTDConn := conn.(*tls.STDConn)
+	var (
-	if !isSTDConn {
+		loaded                        bool
 		tlsReadRecord                 func() error
 		tlsHandlePostHandshakeMessage func() error
 	)
 	for _, tlsCreator := range tlsRegistry {
 		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
 		if loaded {
 			break
 		}
 	}
 	if !loaded {
 		return nil, os.ErrInvalid
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawHalfConn := rawConn.FieldByName("in")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@ -57,11 +71,13 @@ func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
 	}
 	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		STDConn:    stdConn,
+		Conn:                          conn,
-		halfAccess: halfAccess,
+		halfAccess:                    halfAccess,
-		rawInput:   rawInput,
+		rawInput:                      rawInput,
-		input:      input,
+		input:                         input,
-		hand:       hand,
+		hand:                          hand,
 		tlsReadRecord:                 tlsReadRecord,
 		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
 	}, nil
 }
@ -71,19 +87,19 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }
 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.Handshake()
+	err = c.HandshakeContext(context.Background())
 	if err != nil {
 		return
 	}
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	for c.input.Len() == 0 {
-		err = tlsReadRecord(c.STDConn)
+		err = c.tlsReadRecord()
 		if err != nil {
 			return
 		}
 		for c.hand.Len() > 0 {
-			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			err = c.tlsHandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
@ -100,7 +116,7 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
 		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
 		c.rawInput.Bytes()[0] == 21 {
-		_ = tlsReadRecord(c.STDConn)
+		_ = c.tlsReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}
@ -109,11 +125,27 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 }
 func (c *ReadWaitConn) Upstream() any {
-	return c.STDConn
+	return c.Conn
 }
-//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
+var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
 func tlsReadRecord(c *tls.STDConn) error
-//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func init() {
-func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
 		tlsConn, loaded := conn.(*tls.STDConn)
 		if !loaded {
 			return
 		}
 		return true, func() error {
 				return stdTLSReadRecord(tlsConn)
 			}, func() error {
 				return stdTLSHandlePostHandshakeMessage(tlsConn)
 			}
 	})
 }
 //go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
 func stdTLSReadRecord(c *tls.STDConn) error
 //go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
 func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error
--- a/common/badtls/read_wait_ech.go
+++ b/common/badtls/read_wait_ech.go
@ -0,0 +1,31 @@
 //go:build go1.21 && !without_badtls && with_ech
 package badtls
 import (
 	"net"
 	_ "unsafe"
 	"github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing/common"
 )
 func init() {
 	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
 		tlsConn, loaded := common.Cast[*tls.Conn](conn)
 		if !loaded {
 			return
 		}
 		return true, func() error {
 				return echReadRecord(tlsConn)
 			}, func() error {
 				return echHandlePostHandshakeMessage(tlsConn)
 			}
 	})
 }
 //go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
 func echReadRecord(c *tls.Conn) error
 //go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
 func echHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/badtls/read_wait_utls.go
+++ b/common/badtls/read_wait_utls.go
@ -0,0 +1,31 @@
 //go:build go1.21 && !without_badtls && with_utls
 package badtls
 import (
 	"net"
 	_ "unsafe"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/utls"
 )
 func init() {
 	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
 		tlsConn, loaded := common.Cast[*tls.UConn](conn)
 		if !loaded {
 			return
 		}
 		return true, func() error {
 				return utlsReadRecord(tlsConn.Conn)
 			}, func() error {
 				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
 			}
 	})
 }
 //go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
 func utlsReadRecord(c *tls.Conn) error
 //go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
 func utlsHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@ -32,14 +32,20 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
-		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
+		var interfaceFinder control.InterfaceFinder
 		if router != nil {
 			interfaceFinder = router.InterfaceFinder()
 		} else {
 			interfaceFinder = control.NewDefaultInterfaceFinder()
 		}
 		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.AutoDetectInterface() {
+	} else if router != nil && router.AutoDetectInterface() {
 		bindFunc := router.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router.DefaultInterface() != "" {
+	} else if router != nil && router.DefaultInterface() != "" {
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@ -47,7 +53,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	if options.RoutingMark != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
-	} else if router.DefaultMark() != 0 {
+	} else if router != nil && router.DefaultMark() != 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
@ -63,6 +69,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
 	// TODO: Add an option to customize the keep alive period
 	dialer.KeepAlive = C.TCPKeepAliveInitial
 	dialer.Control = control.Append(dialer.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@ -13,6 +13,9 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 	if options.IsWireGuardListener {
 		return NewDefault(router, options)
 	}
 	if router == nil {
 		return NewDefault(nil, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@ -223,7 +223,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 	r1, _, err := syscall.SyscallN(
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
-		uintptr(1),
+		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)
--- a/common/tls/ech_quic.go
+++ b/common/tls/ech_quic.go
@ -27,11 +27,10 @@ func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, ad
 	return quic.DialEarly(ctx, conn, addr, c.config, config)
 }
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
 	return &http3.RoundTripper{
 		TLSClientConfig: c.config,
-		QuicConfig:      quicConfig,
+		QUICConfig:      quicConfig,
 		EnableDatagrams: enableDatagrams,
 		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
 			if err != nil {
--- a/constant/quic.go
+++ b/constant/quic.go
@ -0,0 +1,5 @@
 //go:build with_quic
 package constant
 const WithQUIC = true
--- a/constant/quic_stub.go
+++ b/constant/quic_stub.go
@ -0,0 +1,5 @@
 //go:build !with_quic
 package constant
 const WithQUIC = false
--- a/constant/timeout.go
+++ b/constant/timeout.go
@ -3,6 +3,8 @@ package constant
 import "time"
 const (
 	TCPKeepAliveInitial        = 10 * time.Minute
 	TCPKeepAliveInterval       = 75 * time.Second
 	TCPTimeout                 = 5 * time.Second
 	ReadPayloadTimeout         = 300 * time.Millisecond
 	DNSTimeout                 = 10 * time.Second
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -2,6 +2,26 @@
 icon: material/alert-decagram
 ---
 #### 1.9.0-rc.15
 * Fixes and improvements
 #### 1.8.13
 * Fix fake-ip mapping
 * Fixes and improvements
 #### 1.9.0-rc.14
 * Fixes and improvements
 #### 1.9.0-rc.13
 * Update Hysteria protocol
 * Update quic-go to v0.43.0
 * Update gVisor to 20240422.0
 * Fixes and improvements
 #### 1.8.12
 * Now we have official APT and DNF repositories **1**
@ -12,6 +32,10 @@ icon: material/alert-decagram
 Including stable and beta versions, see https://sing-box.sagernet.org/installation/package-manager/
 #### 1.9.0-rc.11
 * Fixes and improvements
 #### 1.8.11
 * Fixes and improvements
@ -20,6 +44,24 @@ Including stable and beta versions, see https://sing-box.sagernet.org/installati
 * Fixes and improvements
 #### 1.9.0-beta.17
 * Update `quic-go` to v0.42.0
 * Fixes and improvements
 #### 1.9.0-beta.16
 * Fixes and improvements
 _Our Testflight distribution has been temporarily blocked by Apple (possibly due to too many beta versions)
 and you cannot join the test, install or update the sing-box beta app right now.
 Please wait patiently for processing._
 #### 1.9.0-beta.14
 * Update gVisor to 20240212.0-65-g71212d503
 * Fixes and improvements
 #### 1.8.9
 * Fixes and improvements
@ -28,14 +70,125 @@ Including stable and beta versions, see https://sing-box.sagernet.org/installati
 * Fixes and improvements
 #### 1.9.0-beta.7
 * Fixes and improvements
 #### 1.9.0-beta.6
 * Fix address filter DNS rule items **1**
 * Fix DNS outbound responding with wrong data
 * Fixes and improvements
 **1**:
 Fixed an issue where address filter DNS rule was incorrectly rejected under certain circumstances.
 If you have enabled `store_rdrc` to save results, consider clearing the cache file.
 #### 1.8.7
 * Fixes and improvements
 #### 1.9.0-alpha.15
 * Fixes and improvements
 #### 1.9.0-alpha.14
 * Improve DNS truncate behavior
 * Fixes and improvements
 #### 1.9.0-alpha.13
 * Fixes and improvements
 #### 1.8.6
 * Fixes and improvements
 #### 1.9.0-alpha.12
 * Handle Windows power events
 * Always disable cache for fake-ip DNS transport if `dns.independent_cache` disabled
 * Fixes and improvements
 #### 1.9.0-alpha.11
 * Fix missing `rule_set_ipcidr_match_source` item in DNS rules **1**
 * Fixes and improvements
 **1**:
 See [DNS Rule](/configuration/dns/rule/).
 #### 1.9.0-alpha.10
 * Add `bypass_domain` and `search_domain` platform HTTP proxy options **1**
 * Fixes and improvements
 **1**:
 See [TUN](/configuration/inbound/tun) inbound.
 #### 1.9.0-alpha.8
 * Add rejected DNS response cache support **1**
 * Fixes and improvements
 **1**:
 The new feature allows you to cache the check results of
 [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields) until expiration.
 #### 1.9.0-alpha.7
 * Update gVisor to 20240206.0
 * Fixes and improvements
 #### 1.9.0-alpha.6
 * Fixes and improvements
 #### 1.9.0-alpha.3
 * Update `quic-go` to v0.41.0
 * Fixes and improvements
 #### 1.9.0-alpha.2
 * Add support for `client-subnet` DNS options **1**
 * Fixes and improvements
 **1**:
 See [DNS](/configuration/dns), [DNS Server](/configuration/dns/server) and [DNS Rules](/configuration/dns/rule).
 Since this feature makes the scenario mentioned in `alpha.1` no longer leak DNS requests,
 the [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) has been updated.
 #### 1.9.0-alpha.1
 * `domain_suffix` behavior update **1**
 * `process_path` format update on Windows **2**
 * Add address filter DNS rule items **3**
 **1**:
 See [Migration](/migration/#domain_suffix-behavior-update).
 **2**:
 See [Migration](/migration/#process_path-format-update-on-windows).
 **3**:
 The new DNS feature allows you to more precisely bypass Chinese websites via **DNS leaks**. Do not use plain local DNS
 if using this method.
 See [Address Filter Fields](/configuration/dns/rule#address-filter-fields).
 [Client example](/manual/proxy/client#traffic-bypass-usage-for-chinese-users) updated.
 #### 1.8.5
 * Fixes and improvements
@ -385,7 +538,7 @@ see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
 **5**:
-Only supported in graphical clients on Android and iOS.
+Only supported in graphical clients on Android and Apple platforms.
 #### 1.7.0-rc.3
@ -422,7 +575,7 @@ Only supported in graphical clients on Android and iOS.
 **1**:
-Only supported in graphical clients on Android and iOS.
+Only supported in graphical clients on Android and Apple platforms.
 #### 1.7.0-beta.3
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@ -1,3 +1,11 @@
 ---
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [client_subnet](#client_subnet)
 # DNS
 ### Structure
@ -13,6 +21,7 @@
    "disable_expire": false,
    "independent_cache": false,
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
  }
 }
@ -21,8 +30,8 @@
 ### Fields
-| Key      | Format                         |
+| Key      | Format                          |
-|----------|--------------------------------|
+|----------|---------------------------------|
 | `server` | List of [DNS Server](./server/) |
 | `rules`  | List of [DNS Rule](./rule/)     |
 | `fakeip` | [FakeIP](./fakeip/)             |
@ -60,6 +69,10 @@ Stores a reverse mapping of IP addresses after responding to a DNS query in orde
 Since this process relies on the act of resolving domain names by an application before making a request, it can be
 problematic in environments such as macOS, where DNS is proxied and cached by the system.
-#### fakeip
+#### client_subnet
-[FakeIP](./fakeip/) settings.
+!!! question "Since sing-box 1.9.0"
 Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@ -1,3 +1,11 @@
 ---
 icon: material/new-box
 ---
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [client_subnet](#client_subnet)
 # DNS
 ### 结构
@ -13,6 +21,7 @@
    "disable_expire": false,
    "independent_cache": false,
    "reverse_mapping": false,
    "client_subnet": "",
    "fakeip": {}
  }
 }
@ -58,6 +67,14 @@
 由于此过程依赖于应用程序在发出请求之前解析域名的行为，因此在 macOS 等 DNS 由系统代理和缓存的环境中可能会出现问题。
 #### client_subnet
 !!! question "自 sing-box 1.9.0 起"
 默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 #### fakeip
 [FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@ -1,7 +1,15 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)  
    :material-plus: [client_subnet](#client_subnet)
    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [rule_set](#rule_set)  
@ -53,11 +61,19 @@ icon: material/alert-decagram
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "source_port": [
          12345
        ],
@ -101,13 +117,15 @@ icon: material/alert-decagram
          "geoip-cn",
          "geosite-cn"
        ],
        "rule_set_ipcidr_match_source": false,
        "invert": false,
        "outbound": [
          "direct"
        ],
        "server": "local",
        "disable_cache": false,
-        "rewrite_ttl": 100
+        "rewrite_ttl": 100,
        "client_subnet": "127.0.0.1"
      },
      {
        "type": "logical",
@ -115,7 +133,8 @@ icon: material/alert-decagram
        "rules": [],
        "server": "local",
        "disable_cache": false,
-        "rewrite_ttl": 100
+        "rewrite_ttl": 100,
        "client_subnet": "127.0.0.1"
      }
    ]
  }
@ -266,11 +285,9 @@ Match Clash mode.
 #### wifi_ssid
 <!-- md:version 1.7.0-beta.4 -->
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi SSID.
@ -278,7 +295,7 @@ Match WiFi SSID.
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi BSSID.
@ -288,6 +305,12 @@ Match WiFi BSSID.
 Match [Rule Set](/configuration/route/#rule_set).
 #### rule_set_ipcidr_match_source
 !!! question "Since sing-box 1.9.0"
 Make `ipcidr` in rule sets match the source IP.
 #### invert
 Invert match result.
@ -312,6 +335,44 @@ Disable cache and save cache in this query.
 Rewrite TTL in DNS responses.
 #### client_subnet
 !!! question "Since sing-box 1.9.0"
 Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 ### Address Filter Fields
 Only takes effect for IP address requests. When the query results do not match the address filtering rule items, the current rule will be skipped.
 !!! info ""
    `ip_cidr` items in included rule sets also takes effect as an address filtering field.
 !!! note ""
    Enable `experimental.cache_file.store_rdrc` to cache results.
 #### geoip
 !!! question "Since sing-box 1.9.0"
 Match GeoIP with query response.
 #### ip_cidr
 !!! question "Since sing-box 1.9.0"
 Match IP CIDR with query response.
 #### ip_is_private
 !!! question "Since sing-box 1.9.0"
 Match private IP with query response.
 ### Logical Fields
 #### type
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@ -1,7 +1,15 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)  
    :material-plus: [client_subnet](#client_subnet)
    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [rule_set](#rule_set)  
@ -53,10 +61,19 @@ icon: material/alert-decagram
        "source_geoip": [
          "private"
        ],
        "geoip": [
          "cn"
        ],
        "source_ip_cidr": [
-          "10.0.0.0/24"
+          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "source_ip_is_private": false,
        "ip_cidr": [
          "10.0.0.0/24",
          "192.168.0.1"
        ],
        "ip_is_private": false,
        "source_port": [
          12345
        ],
@ -100,19 +117,22 @@ icon: material/alert-decagram
          "geoip-cn",
          "geosite-cn"
        ],
        "rule_set_ipcidr_match_source": false,
        "invert": false,
        "outbound": [
          "direct"
        ],
        "server": "local",
-        "disable_cache": false
+        "disable_cache": false,
        "client_subnet": "127.0.0.1"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
        "server": "local",
-        "disable_cache": false
+        "disable_cache": false,
        "client_subnet": "127.0.0.1"
      }
    ]
  }
@ -265,7 +285,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 !!! quote ""
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 匹配 WiFi SSID。
@ -273,7 +293,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 !!! quote ""
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 匹配 WiFi BSSID。
@ -283,6 +303,12 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 匹配[规则集](/zh/configuration/route/#rule_set)。
 #### rule_set_ipcidr_match_source
 !!! question "自 sing-box 1.9.0 起"
 使规则集中的 `ipcidr` 规则匹配源 IP。
 #### invert
 反选匹配结果。
@ -307,6 +333,44 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 重写 DNS 回应中的 TTL。
 #### client_subnet
 !!! question "自 sing-box 1.9.0 起"
 默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
 将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
 ### 地址筛选字段
 仅对IP地址请求生效。 当查询结果与地址筛选规则项不匹配时，将跳过当前规则。
 !!! info ""
    引用的规则集中的 `ip_cidr` 项也作为地址筛选字段生效。
 !!! note ""
    启用 `experimental.cache_file.store_rdrc` 以缓存结果。
 #### geoip
 !!! question "自 sing-box 1.9.0 起"
 与查询响应匹配 GeoIP。
 #### ip_cidr
 !!! question "自 sing-box 1.9.0 起"
 与查询相应匹配 IP CIDR。
 #### ip_is_private
 !!! question "自 sing-box 1.9.0 起"
 与查询响应匹配非公开 IP。
 ### 逻辑字段
 #### type
@ -319,4 +383,4 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 #### rules
-包括的规则。
+包括的规则。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@ -1,3 +1,11 @@
 ---
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [client_subnet](#client_subnet)
 ### Structure
 ```json
@ -5,17 +13,17 @@
  "dns": {
    "servers": [
      {
-        "tag": "google",
+        "tag": "",
-        "address": "tls://dns.google",
+        "address": "",
-        "address_resolver": "local",
+        "address_resolver": "",
-        "address_strategy": "prefer_ipv4",
+        "address_strategy": "",
-        "strategy": "ipv4_only",
+        "strategy": "",
-        "detour": "direct"
+        "detour": "",
        "client_subnet": ""
      }
    ]
  }
 }
 ```
 ### Fields
@ -80,10 +88,20 @@ Default domain strategy for resolving the domain names.
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
-Take no effect if override by other settings.
+Take no effect if overridden by other settings.
 #### detour
 Tag of an outbound for connecting to the dns server.
 Default outbound will be used if empty.
 #### client_subnet
 !!! question "Since sing-box 1.9.0"
 Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
 Can be overrides by `rules.[].client_subnet`.
 Will overrides `dns.client_subnet`.
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@ -1,3 +1,11 @@
 ---
 icon: material/new-box
 ---
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [client_subnet](#client_subnet)
 ### 结构
 ```json
@ -5,17 +13,17 @@
  "dns": {
    "servers": [
      {
-        "tag": "google",
+        "tag": "",
-        "address": "tls://dns.google",
+        "address": "",
-        "address_resolver": "local",
+        "address_resolver": "",
-        "address_strategy": "prefer_ipv4",
+        "address_strategy": "",
-        "strategy": "ipv4_only",
+        "strategy": "",
-        "detour": "direct"
+        "detour": "",
        "client_subnet": ""
      }
    ]
  }
 }
 ```
 ### 字段
@ -87,3 +95,13 @@ DNS 服务器的地址。
 用于连接到 DNS 服务器的出站的标签。
 如果为空，将使用默认出站。
 #### client_subnet
 !!! question "自 sing-box 1.9.0 起"
 默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
 可以被 `rules.[].client_subnet` 覆盖。
 将覆盖 `dns.client_subnet`。
--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@ -4,6 +4,11 @@ icon: material/new-box
 !!! question "Since sing-box 1.8.0"
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [store_rdrc](#store_rdrc)  
    :material-plus: [rdrc_timeout](#rdrc_timeout)  
 ### Structure
 ```json
@ -11,7 +16,9 @@ icon: material/new-box
  "enabled": true,
  "path": "",
  "cache_id": "",
-  "store_fakeip": false
+  "store_fakeip": false,
  "store_rdrc": false,
  "rdrc_timeout": ""
 }
 ```
@ -29,6 +36,23 @@ Path to the cache file.
 #### cache_id
-Identifier in cache file.
+Identifier in the cache file
 If not empty, configuration specified data will use a separate store keyed by it.
 #### store_fakeip
 Store fakeip in the cache file
 #### store_rdrc
 Store rejected DNS response cache in the cache file
 The check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)
 will be cached until expiration.
 #### rdrc_timeout
 Timeout of rejected DNS response cache.
 `7d` is used by default.
--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@ -4,6 +4,11 @@ icon: material/new-box
 !!! question "自 sing-box 1.8.0 起"
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [store_rdrc](#store_rdrc)  
    :material-plus: [rdrc_timeout](#rdrc_timeout)  
 ### 结构
 ```json
@ -11,7 +16,9 @@ icon: material/new-box
  "enabled": true,
  "path": "",
  "cache_id": "",
-  "store_fakeip": false
+  "store_fakeip": false,
  "store_rdrc": false,
  "rdrc_timeout": ""
 }
 ```
@ -30,3 +37,19 @@ icon: material/new-box
 缓存文件中的标识符。
 如果不为空，配置特定的数据将使用由其键控的单独存储。
 #### store_fakeip
 将 fakeip 存储在缓存文件中。
 #### store_rdrc
 将拒绝的 DNS 响应缓存存储在缓存文件中。
 [地址筛选 DNS 规则项](/zh/configuration/dns/rule/#_3) 的检查结果将被缓存至过期。
 #### rdrc_timeout
 拒绝的 DNS 响应缓存超时。
 默认使用 `7d`。
--- a/docs/configuration/experimental/clash-api.md
+++ b/docs/configuration/experimental/clash-api.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-delete-alert: [store_mode](#store_mode)  
--- a/docs/configuration/experimental/clash-api.zh.md
+++ b/docs/configuration/experimental/clash-api.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-delete-alert: [store_mode](#store_mode)  
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # Experimental
 !!! quote "Changes in sing-box 1.8.0"
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # 实验性
 !!! quote "sing-box 1.8.0 中的更改"
--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@ -42,6 +42,6 @@ No authentication required if empty.
 !!! warning ""
-    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
 Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@ -39,6 +39,6 @@ No authentication required if empty.
 !!! warning ""
-    To work on Android and iOS without privileges, use tun.platform.http_proxy instead.
+    To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
 Automatically set system proxy configuration when start and clean up when stop.
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.9.0"
    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [gso](#gso)  
@ -73,7 +78,9 @@ icon: material/alert-decagram
    "http_proxy": {
      "enabled": false,
      "server": "127.0.0.1",
-      "server_port": 8080
+      "server_port": 8080,
      "bypass_domain": [],
      "match_domain": []
    }
  },
@ -260,6 +267,38 @@ Platform-specific settings, provided by client applications.
 System HTTP proxy settings.
 #### platform.http_proxy.enabled
 Enable system HTTP proxy.
 #### platform.http_proxy.server
 ==Required==
 HTTP proxy server address.
 #### platform.http_proxy.server_port
 ==Required==
 HTTP proxy server port.
 #### platform.http_proxy.bypass_domain
 !!! note ""
    On Apple platforms, `bypass_domain` items matches hostname **suffixes**.
 Hostnames that bypass the HTTP proxy.
 #### platform.http_proxy.match_domain
 !!! quote ""
    Only supported in graphical clients on Apple platforms.
 Hostnames that use the HTTP proxy.
 ### Listen Fields
 See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 !!! quote "sing-box 1.9.0 中的更改"
    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [gso](#gso)  
@ -73,7 +78,9 @@ icon: material/alert-decagram
    "http_proxy": {
      "enabled": false,
      "server": "127.0.0.1",
-      "server_port": 8080
+      "server_port": 8080,
      "bypass_domain": [],
      "match_domain": []
    }
  },
@ -257,6 +264,38 @@ TCP/IP 栈。
 系统 HTTP 代理设置。
 ##### platform.http_proxy.enabled
 启用系统 HTTP 代理。
 ##### platform.http_proxy.server
 ==必填==
 系统 HTTP 代理服务器地址。
 ##### platform.http_proxy.server_port
 ==必填==
 系统 HTTP 代理服务器端口。
 ##### platform.http_proxy.bypass_domain
 !!! note ""
  在 Apple 平台，`bypass_domain` 项匹配主机名 **后缀**.
 绕过代理的主机名列表。
 ##### platform.http_proxy.match_domain
 !!! quote ""
    仅在 Apple 平台图形客户端中支持。
 代理的主机名列表。
 ### 监听字段
 参阅 [监听字段](/zh/configuration/shared/listen/)。
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [gso](#gso)  
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # Route
 !!! quote "Changes in sing-box 1.8.0"
--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 # 路由
 !!! quote "sing-box 1.8.0 中的更改"
--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-plus: [rule_set](#rule_set)  
@ -109,6 +105,7 @@ icon: material/alert-decagram
          "geoip-cn",
          "geosite-cn"
        ],
        "rule_set_ipcidr_match_source": false,
        "invert": false,
        "outbound": "direct"
      },
@ -284,7 +281,7 @@ Match Clash mode.
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi SSID.
@ -292,7 +289,7 @@ Match WiFi SSID.
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi BSSID.
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-plus: [rule_set](#rule_set)  
@ -107,6 +103,7 @@ icon: material/alert-decagram
          "geoip-cn",
          "geosite-cn"
        ],
        "rule_set_ipcidr_match_source": false,
        "invert": false,
        "outbound": "direct"
      },
@ -282,7 +279,7 @@ icon: material/alert-decagram
 !!! quote ""
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 匹配 WiFi SSID。
@ -290,7 +287,7 @@ icon: material/alert-decagram
 !!! quote ""
-    仅在 Android 与 iOS 的图形客户端中支持。
+    仅在 Android 与 Apple 平台图形客户端中支持。
 匹配 WiFi BSSID。
--- a/docs/configuration/rule-set/headless-rule.md
+++ b/docs/configuration/rule-set/headless-rule.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 ### Structure
 !!! question "Since sing-box 1.8.0"
@ -128,7 +124,7 @@ Match source IP CIDR.
 !!! info ""
-    `ip_cidr` is an alias for `source_ip_cidr` when the Rule Set is used in DNS rules or `rule_set_ipcidr_match_source` enabled in route rules.
+    `ip_cidr` is an alias for `source_ip_cidr` when `rule_set_ipcidr_match_source` enabled in route/DNS rules.
 Match IP CIDR.
@ -172,7 +168,7 @@ Match android package name.
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi SSID.
@ -180,7 +176,7 @@ Match WiFi SSID.
 !!! quote ""
-    Only supported in graphical clients on Android and iOS.
+    Only supported in graphical clients on Android and Apple platforms.
 Match WiFi BSSID.
--- a/docs/configuration/rule-set/index.md
+++ b/docs/configuration/rule-set/index.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 # Rule Set
 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/rule-set/source-format.md
+++ b/docs/configuration/rule-set/source-format.md
@ -1,7 +1,3 @@
 ---
 icon: material/new-box
 ---
 # Source Format
 !!! question "Since sing-box 1.8.0"
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@ -1,8 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "Changes in sing-box 1.8.0"
    :material-alert-decagram: [utls](#utls)  
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@ -1,7 +1,3 @@
 ---
 icon: material/alert-decagram
 ---
 !!! quote "sing-box 1.8.0 中的更改"
    :material-alert-decagram: [utls](#utls)  
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@ -57,16 +57,16 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 | Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                    |
 |------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:   | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_grpc`                        | :material-close:️  | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
 | `with_dhcp`                        | :material-check:   | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
 | `with_wireguard`                   | :material-check:   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_ech`                         | :material-check:                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_ech`                         | :material-check:   | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | :material-check:                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_utls`                        | :material-check:   | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_reality_server`              | :material-check:   | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
 | `with_acme`                        | :material-check:   | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_clash_api`                   | :material-check:   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | :material-close:️  | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_gvisor`                      | :material-check:   | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
 | `with_embedded_tor` (CGO required) | :material-close:️  | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 It is not recommended to change the default build tag list unless you really know what you are adding.
--- a/docs/installation/build-from-source.zh.md
+++ b/docs/installation/build-from-source.zh.md
@ -54,19 +54,19 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
 ## :material-folder-settings: 构建标记
-| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                         |
+| 构建标记                               | 默认启动              | 说明                                                                                                                                                                                                                                                                                                                             |
-|------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|------------------------------------|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `with_quic`                        | :material-check:  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
+| `with_grpc`                        | :material-close:️ | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
-| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                              |
+| `with_dhcp`                        | :material-check:  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
-| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                 |
+| `with_wireguard`                   | :material-check:  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
-| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
+| `with_ech`                         | :material-check:  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
-| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
+| `with_utls`                        | :material-check:  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
-| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                              |
+| `with_reality_server`              | :material-check:  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
-| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                      |
+| `with_acme`                        | :material-check:  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
-| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
+| `with_clash_api`                   | :material-check:  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
-| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
+| `with_v2ray_api`                   | :material-close:️ | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
-| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
+| `with_gvisor`                      | :material-check:  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
-| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                          |
+| `with_embedded_tor` (CGO required) | :material-close:️ | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
 除非您确实知道您正在启用什么，否则不建议更改默认构建标签列表。
--- a/docs/installation/package-manager.md
+++ b/docs/installation/package-manager.md
@ -57,38 +57,38 @@ icon: material/package
 === ":material-linux: Linux"
-    | Type     | Platform      | Link                    | Command                      | Actively maintained |
+    | Type     | Platform      | Command                      | Link                                                                                                          |
-    |----------|---------------|-------------------------|------------------------------|---------------------|
+    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
-    | APK      | Alpine        | [sing-box][alpine]      | `apk add sing-box`           | :material-check:    |
+    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
-    | AUR      | Arch Linux    | [sing-box][aur] ᴬᵁᴿ     | `? -S sing-box`              | :material-check:    |
+    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
-    | nixpkgs  | NixOS         | [sing-box][nixpkgs]     | `nix-env -iA nixos.sing-box` | :material-check:    |
+    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
-    | Homebrew | macOS / Linux | [sing-box][brew]        | `brew install sing-box`      | :material-check:    |
+    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
 === ":material-apple: macOS"
-    | Type     | Platform | Link             | Command                 | Actively maintained |
+    | Type     | Platform | Command                 | Link                                                                                           |
-    |----------|----------|------------------|-------------------------|---------------------|
+    |----------|----------|-------------------------|------------------------------------------------------------------------------------------------|
-    | Homebrew | macOS    | [sing-box][brew] | `brew install sing-box` | :material-check:    |
+    | Homebrew | macOS    | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
 === ":material-microsoft-windows: Windows"
-    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    | Type       | Platform | Command                   | Link                                                                                                |
-    |------------|--------------------|---------------------|------------------------------|---------------------|
+    |------------|----------|---------------------------|-----------------------------------------------------------------------------------------------------|
-    | Scoop      | Windows            | [sing-box][scoop]   | `scoop install sing-box`     | :material-check:    |
+    | Scoop      | Windows  | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
-    | Chocolatey | Windows            | [sing-box][choco]   | `choco install sing-box`     | :material-check:    |
+    | Chocolatey | Windows  | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
-    | winget     | Windows            | [sing-box][winget]  | `winget install sing-box`    | :material-alert:    |
+    | winget     | Windows  | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
 === ":material-android: Android"
-    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    | Type   | Platform | Command            | Link                                                                                         |
-    |------------|--------------------|---------------------|------------------------------|---------------------|
+    |--------|----------|--------------------|----------------------------------------------------------------------------------------------|
-    | Termux     | Android            | [sing-box][termux]  | `pkg add sing-box`           | :material-check:    |
+    | Termux | Android  | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
 === ":material-freebsd: FreeBSD"
-    | Type       | Platform | Link              | Command                | Actively maintained |
+    | Type       | Platform | Command                | Link                                                                                       |
-    |------------|----------|-------------------|------------------------|---------------------|
+    |------------|----------|------------------------|--------------------------------------------------------------------------------------------|
-    | FreshPorts | FreeBSD  | [sing-box][ports] | `pkg install sing-box` | :material-alert:    |
+    | FreshPorts | FreeBSD  | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 ## :material-book-multiple: Service Management
--- a/docs/installation/package-manager.zh.md
+++ b/docs/installation/package-manager.zh.md
@ -57,38 +57,38 @@ icon: material/package
 === ":material-linux: Linux"
-    | 类型       | 平台         | 链接                  | 命令                           | 活跃维护             |
+    | 类型       | 平台            | 链接                           | 命令                                                                                                            |
-    |----------|------------|---------------------|------------------------------|------------------|
+    |----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
-    | Alpine   | Alpine     | [sing-box][alpine]  | `apk add sing-box`           | :material-check: |
+    | AUR      | Arch Linux    | `? -S sing-box`              | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur]                           |
-    | AUR      | Arch Linux | [sing-box][aur] ᴬᵁᴿ | `? -S sing-box`              | :material-check: |
+    | nixpkgs  | NixOS         | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
-    | nixpkgs  | NixOS      | [sing-box][nixpkgs] | `nix-env -iA nixos.sing-box` | :material-check: |
+    | Homebrew | macOS / Linux | `brew install sing-box`      | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew]                |
-    | Homebrew | Linux      | [sing-box][brew]    | `brew install sing-box`      | :material-check: |
+    | APK      | Alpine        | `apk add sing-box`           | [![Alpine Linux Edge package](https://repology.org/badge/version-for-repo/alpine_edge/sing-box.svg)][alpine]  |
 === ":material-apple: macOS"
-    | 类型       | 平台    | 链接               | 命令                      | 活跃维护             |
+    | 类型       | 平台    | 链接                      | 命令                                                                                             |
-    |----------|-------|------------------|-------------------------|------------------|
+    |----------|-------|-------------------------|------------------------------------------------------------------------------------------------|
-    | Homebrew | macOS | [sing-box][brew] | `brew install sing-box` | :material-check: |
+    | Homebrew | macOS | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
 === ":material-microsoft-windows: Windows"
-    | 类型         | 平台      | 链接                 | 命令                        | 活跃维护             |
+    | 类型         | 平台      | 链接                        | 命令                                                                                                  |
-    |------------|---------|--------------------|---------------------------|------------------|
+    |------------|---------|---------------------------|-----------------------------------------------------------------------------------------------------|
-    | Scoop      | Windows | [sing-box][scoop]  | `scoop install sing-box`  | :material-check: |
+    | Scoop      | Windows | `scoop install sing-box`  | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop]           |
-    | Chocolatey | Windows | [sing-box][choco]  | `choco install sing-box`  | :material-check: |
+    | Chocolatey | Windows | `choco install sing-box`  | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
-    | winget     | Windows | [sing-box][winget] | `winget install sing-box` | :material-alert: |
+    | winget     | Windows | `winget install sing-box` | [![winget package](https://repology.org/badge/version-for-repo/winget/sing-box.svg)][winget]        |
 === ":material-android: Android"
-    | 类型     | 平台      | 链接                 | 命令                 | 活跃维护             |
+    | 类型     | 平台      | 链接                 | 命令                                                                                           |
-    |--------|---------|--------------------|--------------------|------------------|
+    |--------|---------|--------------------|----------------------------------------------------------------------------------------------|
-    | Termux | Android | [sing-box][termux] | `pkg add sing-box` | :material-check: |
+    | Termux | Android | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
 === ":material-freebsd: FreeBSD"
-    | 类型         | 平台      | 链接                | 命令                     | 活跃维护             |
+    | 类型         | 平台      | 链接                     | 命令                                                                                         |
-    |------------|---------|-------------------|------------------------|------------------|
+    |------------|---------|------------------------|--------------------------------------------------------------------------------------------|
-    | FreshPorts | FreeBSD | [sing-box][ports] | `pkg install sing-box` | :material-alert: |
+    | FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |
 ## :material-book-multiple: 服务管理
--- a/docs/installation/tools/sing-box.repo
+++ b/docs/installation/tools/sing-box.repo
@ -1,7 +1,6 @@
 [sing-box]
 name=sing-box
 baseurl=https://rpm.sagernet.org/
 metalink=https://sing-box.app/sing-box.repo
 enabled=1
 repo_gpgcheck=1
 gpgcheck=1
--- a/docs/manual/proxy/client.md
+++ b/docs/manual/proxy/client.md
@ -290,52 +290,6 @@ flowchart TB
 === ":material-dns: DNS rules"
    !!! info
        DNS rules are optional if FakeIP is used.
    ```json
    {
      "dns": {
        "servers": [
          {
            "tag": "google",
            "address": "tls://8.8.8.8"
          },
          {
            "tag": "local",
            "address": "223.5.5.5",
            "detour": "direct"
          }
        ],
        "rules": [
          {
            "outbound": "any",
            "server": "local"
          },
          {
            "clash_mode": "Direct",
            "server": "local"
          },
          {
            "clash_mode": "Global",
            "server": "google"
          },
          {
            "geosite": "geolocation-cn",
            "server": "local"
          }
        ]
      }
    }
    ```
 === ":material-dns: DNS rules (1.8.0+)"
    !!! info
        DNS rules are optional if FakeIP is used.
    ```json
    {
      "dns": {
@ -382,74 +336,180 @@ flowchart TB
    }
    ```
-=== ":material-router-network: Route rules"
+=== ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
-    ```json
+    === ":material-shield-off: With DNS leaks"
-    {
+
-      "outbounds": [
+        ```json
        {
-          "type": "direct",
+          "dns": {
-          "tag": "direct"
+            "servers": [
        },
        {
          "type": "block",
          "tag": "block"
        }
      ],
      "route": {
        "rules": [
          {
            "type": "logical",
            "mode": "or",
            "rules": [
              {
-                "protocol": "dns"
+                "tag": "google",
                "address": "tls://8.8.8.8"
              },
              {
-                "port": 53
+                "tag": "local",
                "address": "https://223.5.5.5/dns-query",
                "detour": "direct"
              }
            ],
            "outbound": "dns"
          },
          {
            "geoip": "private",
            "outbound": "direct"
          },
          {
            "clash_mode": "Direct",
            "outbound": "direct"
          },
          {
            "clash_mode": "Global",
            "outbound": "default"
          },
          {
            "type": "logical",
            "mode": "or",
            "rules": [
              {
-                "port": 853
+                "outbound": "any",
                "server": "local"
              },
              {
-                "network": "udp",
+                "clash_mode": "Direct",
-                "port": 443
+                "server": "local"
              },
              {
-                "protocol": "stun"
+                "clash_mode": "Global",
                "server": "google"
              },
              {
                "rule_set": "geosite-geolocation-cn",
                "server": "local"
              },
              {
                "clash_mode": "Default",
                "server": "google"
              },
              {
                "type": "logical",
                "mode": "and",
                "rules": [
                  {
                    "rule_set": "geosite-geolocation-!cn",
                    "invert": true
                  },
                  {
                    "rule_set": "geoip-cn"
                  }
                ],
                "server": "local"
              }
-            ],
+            ]
            "outbound": "block"
          },
-          {
+          "route": {
-            "geosite": "geolocation-cn",
+            "rule_set": [
-            "outbound": "direct"
+              {
                "type": "remote",
                "tag": "geosite-geolocation-cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
              },
              {
                "type": "remote",
                "tag": "geosite-geolocation-!cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs"
              },
              {
                "type": "remote",
                "tag": "geoip-cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
              }
            ]
          },
          "experimental": {
            "cache_file": {
              "enabled": true,
              "store_rdrc": true
            },
            "clash_api": {
              "default_mode": "Enhanced"
            }
          }
-        ]
+        }
-      }
+        ```
    }
    ```
-=== ":material-router-network: Route rules (1.8.0+)"
+    === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
        ```json
        {
          "dns": {
            "servers": [
              {
                "tag": "google",
                "address": "tls://8.8.8.8"
              },
              {
                "tag": "local",
                "address": "https://223.5.5.5/dns-query",
                "detour": "direct"
              }
            ],
            "rules": [
              {
                "outbound": "any",
                "server": "local"
              },
              {
                "clash_mode": "Direct",
                "server": "local"
              },
              {
                "clash_mode": "Global",
                "server": "google"
              },
              {
                "rule_set": "geosite-geolocation-cn",
                "server": "local"
              },
              {
                "type": "logical",
                "mode": "and",
                "rules": [
                  {
                    "rule_set": "geosite-geolocation-!cn",
                    "invert": true
                  },
                  {
                    "rule_set": "geoip-cn"
                  }
                ],
                "server": "google",
                "client_subnet": "114.114.114.114" // Any China client IP address
              }
            ]
          },
          "route": {
            "rule_set": [
              {
                "type": "remote",
                "tag": "geosite-geolocation-cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
              },
              {
                "type": "remote",
                "tag": "geosite-geolocation-!cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs"
              },
              {
                "type": "remote",
                "tag": "geoip-cn",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
              }
            ]
          },
          "experimental": {
            "cache_file": {
              "enabled": true,
              "store_rdrc": true
            },
            "clash_api": {
              "default_mode": "Enhanced"
            }
          }
        }
        ```
 === ":material-router-network: Route rules"
    ```json
    {
--- a/docs/migration.md
+++ b/docs/migration.md
@ -2,6 +2,28 @@
 icon: material/arrange-bring-forward
 ---
 ## 1.9.0
 !!! warning "Unstable"
    This version is still under development, and the following migration guide may be changed in the future.
 ### `domain_suffix` behavior update
 For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
 sing-box 1.9.0 modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`,
 the behavior is unchanged, otherwise it matches `(domain|.+\.domain)` instead.
 ### `process_path` format update on Windows
 The `process_path` rule of sing-box is inherited from Clash,
 the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`),
 but when the device has multiple disks, the HarddiskVolume serial number is not stable.
 sing-box 1.9.0 make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`),
 which will disrupt the existing `process_path` use cases in Windows.
 ## 1.8.0
 ### :material-close-box: Migrate cache file from Clash API to independent options
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@ -2,6 +2,27 @@
 icon: material/arrange-bring-forward
 ---
 ## 1.9.0
 !!! warning "不稳定的"
    该版本仍在开发中，迁移指南可能将在未来更改。
 ### `domain_suffix` 行为更新
 由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
 sing-box 1.9.0 修改了 `domain_suffix` 的行为：如果规则值以 `.` 为前缀则行为不变，否则改为匹配 `(domain|.+\.domain)`。
 ### 对 Windows 上 `process_path` 格式的更新
 sing-box 的 `process_path` 规则继承自Clash，
 原始代码使用本地系统的路径格式（例如 `\Device\HarddiskVolume1\folder\program.exe`），
 但是当设备有多个硬盘时，该 HarddiskVolume 系列号并不稳定。
 sing-box 1.9.0 使 QueryFullProcessImageNameW 输出 Win32 路径（如 `C:\folder\program.exe`），
 这将会破坏现有的 Windows `process_path` 用例。
 ## 1.8.0
 ### :material-close-box: 将缓存文件从 Clash API 迁移到独立选项
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@ -29,6 +29,7 @@ var (
 		string(bucketExpand),
 		string(bucketMode),
 		string(bucketRuleSet),
 		string(bucketRDRC),
 	}
 	cacheIDDefault = []byte("default")
@ -37,17 +38,25 @@ var (
 var _ adapter.CacheFile = (*CacheFile)(nil)
 type CacheFile struct {
-	ctx         context.Context
+	ctx               context.Context
-	path        string
+	path              string
-	cacheID     []byte
+	cacheID           []byte
-	storeFakeIP bool
+	storeFakeIP       bool
-
+	storeRDRC         bool
 	rdrcTimeout       time.Duration
 	DB                *bbolt.DB
-	saveAccess        sync.RWMutex
+	saveMetadataTimer *time.Timer
 	saveFakeIPAccess  sync.RWMutex
 	saveDomain        map[netip.Addr]string
 	saveAddress4      map[string]netip.Addr
 	saveAddress6      map[string]netip.Addr
-	saveMetadataTimer *time.Timer
+	saveRDRCAccess    sync.RWMutex
 	saveRDRC          map[saveRDRCCacheKey]bool
 }
 type saveRDRCCacheKey struct {
 	TransportName string
 	QuestionName  string
 }
 func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
@ -61,14 +70,25 @@ func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
 	if options.CacheID != "" {
 		cacheIDBytes = append([]byte{0}, []byte(options.CacheID)...)
 	}
 	var rdrcTimeout time.Duration
 	if options.StoreRDRC {
 		if options.RDRCTimeout > 0 {
 			rdrcTimeout = time.Duration(options.RDRCTimeout)
 		} else {
 			rdrcTimeout = 7 * 24 * time.Hour
 		}
 	}
 	return &CacheFile{
 		ctx:          ctx,
 		path:         filemanager.BasePath(ctx, path),
 		cacheID:      cacheIDBytes,
 		storeFakeIP:  options.StoreFakeIP,
 		storeRDRC:    options.StoreRDRC,
 		rdrcTimeout:  rdrcTimeout,
 		saveDomain:   make(map[netip.Addr]string),
 		saveAddress4: make(map[string]netip.Addr),
 		saveAddress6: make(map[string]netip.Addr),
 		saveRDRC:     make(map[saveRDRCCacheKey]bool),
 	}
 }
--- a/experimental/cachefile/fakeip.go
+++ b/experimental/cachefile/fakeip.go
@ -97,7 +97,7 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 }
 func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
-	c.saveAccess.Lock()
+	c.saveFakeIPAccess.Lock()
 	if oldDomain, loaded := c.saveDomain[address]; loaded {
 		if address.Is4() {
 			delete(c.saveAddress4, oldDomain)
@ -111,27 +111,27 @@ func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger l
 	} else {
 		c.saveAddress6[domain] = address
 	}
-	c.saveAccess.Unlock()
+	c.saveFakeIPAccess.Unlock()
 	go func() {
 		err := c.FakeIPStore(address, domain)
 		if err != nil {
-			logger.Warn("save FakeIP address pair: ", err)
+			logger.Warn("save FakeIP cache: ", err)
 		}
-		c.saveAccess.Lock()
+		c.saveFakeIPAccess.Lock()
 		delete(c.saveDomain, address)
 		if address.Is4() {
 			delete(c.saveAddress4, domain)
 		} else {
 			delete(c.saveAddress6, domain)
 		}
-		c.saveAccess.Unlock()
+		c.saveFakeIPAccess.Unlock()
 	}()
 }
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
-	c.saveAccess.RLock()
+	c.saveFakeIPAccess.RLock()
 	cachedDomain, cached := c.saveDomain[address]
-	c.saveAccess.RUnlock()
+	c.saveFakeIPAccess.RUnlock()
 	if cached {
 		return cachedDomain, true
 	}
@ -152,13 +152,13 @@ func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bo
 		cachedAddress netip.Addr
 		cached        bool
 	)
-	c.saveAccess.RLock()
+	c.saveFakeIPAccess.RLock()
 	if !isIPv6 {
 		cachedAddress, cached = c.saveAddress4[domain]
 	} else {
 		cachedAddress, cached = c.saveAddress6[domain]
 	}
-	c.saveAccess.RUnlock()
+	c.saveFakeIPAccess.RUnlock()
 	if cached {
 		return cachedAddress, true
 	}
--- a/experimental/cachefile/rdrc.go
+++ b/experimental/cachefile/rdrc.go
@ -0,0 +1,101 @@
 package cachefile
 import (
 	"encoding/binary"
 	"time"
 	"github.com/sagernet/bbolt"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/logger"
 )
 var bucketRDRC = []byte("rdrc")
 func (c *CacheFile) StoreRDRC() bool {
 	return c.storeRDRC
 }
 func (c *CacheFile) RDRCTimeout() time.Duration {
 	return c.rdrcTimeout
 }
 func (c *CacheFile) LoadRDRC(transportName string, qName string) (rejected bool) {
 	c.saveRDRCAccess.RLock()
 	rejected, cached := c.saveRDRC[saveRDRCCacheKey{transportName, qName}]
 	c.saveRDRCAccess.RUnlock()
 	if cached {
 		return
 	}
 	var deleteCache bool
 	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := c.bucket(tx, bucketRDRC)
 		if bucket == nil {
 			return nil
 		}
 		bucket = bucket.Bucket([]byte(transportName))
 		if bucket == nil {
 			return nil
 		}
 		content := bucket.Get([]byte(qName))
 		if content == nil {
 			return nil
 		}
 		expiresAt := time.Unix(int64(binary.BigEndian.Uint64(content)), 0)
 		if time.Now().After(expiresAt) {
 			deleteCache = true
 			return nil
 		}
 		rejected = true
 		return nil
 	})
 	if err != nil {
 		return
 	}
 	if deleteCache {
 		c.DB.Update(func(tx *bbolt.Tx) error {
 			bucket := c.bucket(tx, bucketRDRC)
 			if bucket == nil {
 				return nil
 			}
 			bucket = bucket.Bucket([]byte(transportName))
 			if bucket == nil {
 				return nil
 			}
 			return bucket.Delete([]byte(qName))
 		})
 	}
 	return
 }
 func (c *CacheFile) SaveRDRC(transportName string, qName string) error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
 		bucket, err := c.createBucket(tx, bucketRDRC)
 		if err != nil {
 			return err
 		}
 		bucket, err = bucket.CreateBucketIfNotExists([]byte(transportName))
 		if err != nil {
 			return err
 		}
 		expiresAt := buf.Get(8)
 		defer buf.Put(expiresAt)
 		binary.BigEndian.PutUint64(expiresAt, uint64(time.Now().Add(c.rdrcTimeout).Unix()))
 		return bucket.Put([]byte(qName), expiresAt)
 	})
 }
 func (c *CacheFile) SaveRDRCAsync(transportName string, qName string, logger logger.Logger) {
 	saveKey := saveRDRCCacheKey{transportName, qName}
 	c.saveRDRCAccess.Lock()
 	c.saveRDRC[saveKey] = true
 	c.saveRDRCAccess.Unlock()
 	go func() {
 		err := c.SaveRDRC(transportName, qName)
 		if err != nil {
 			logger.Warn("save RDRC: ", err)
 		}
 		c.saveRDRCAccess.Lock()
 		delete(c.saveRDRC, saveKey)
 		c.saveRDRCAccess.Unlock()
 	}()
 }
--- a/experimental/clashapi.go
+++ b/experimental/clashapi.go
@ -3,6 +3,7 @@ package experimental
 import (
 	"context"
 	"os"
 	"sort"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@ -27,11 +28,26 @@ func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.O
 }
 func CalculateClashModeList(options option.Options) []string {
-	var clashMode []string
+	var clashModes []string
-	clashMode = append(clashMode, extraClashModeFromRule(common.PtrValueOrDefault(options.Route).Rules)...)
+	clashModes = append(clashModes, extraClashModeFromRule(common.PtrValueOrDefault(options.Route).Rules)...)
-	clashMode = append(clashMode, extraClashModeFromDNSRule(common.PtrValueOrDefault(options.DNS).Rules)...)
+	clashModes = append(clashModes, extraClashModeFromDNSRule(common.PtrValueOrDefault(options.DNS).Rules)...)
-	clashMode = common.FilterNotDefault(common.Uniq(clashMode))
+	clashModes = common.FilterNotDefault(common.Uniq(clashModes))
-	return clashMode
+	predefinedOrder := []string{
 		"Rule", "Global", "Direct",
 	}
 	var newClashModes []string
 	for _, mode := range clashModes {
 		if !common.Contains(predefinedOrder, mode) {
 			newClashModes = append(newClashModes, mode)
 		}
 	}
 	sort.Strings(newClashModes)
 	for _, mode := range predefinedOrder {
 		if common.Contains(clashModes, mode) {
 			newClashModes = append(newClashModes, mode)
 		}
 	}
 	return newClashModes
 }
 func extraClashModeFromRule(rules []option.Rule) []string {
--- a/experimental/libbox/config.go
+++ b/experimental/libbox/config.go
@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
@ -75,7 +74,7 @@ func (s *platformInterfaceStub) UsePlatformInterfaceGetter() bool {
 	return true
 }
-func (s *platformInterfaceStub) Interfaces() ([]platform.NetworkInterface, error) {
+func (s *platformInterfaceStub) Interfaces() ([]control.Interface, error) {
 	return nil, os.ErrInvalid
 }
--- a/experimental/libbox/dns.go
+++ b/experimental/libbox/dns.go
@ -9,9 +9,7 @@ import (
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 	mDNS "github.com/miekg/dns"
@ -25,9 +23,11 @@ type LocalDNSTransport interface {
 func RegisterLocalDNSTransport(transport LocalDNSTransport) {
 	if transport == nil {
-		dns.RegisterTransport([]string{"local"}, dns.CreateLocalTransport)
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
 			return dns.NewLocalTransport(options), nil
 		})
 	} else {
-		dns.RegisterTransport([]string{"local"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+		dns.RegisterTransport([]string{"local"}, func(options dns.TransportOptions) (dns.Transport, error) {
 			return &platformLocalDNSTransport{
 				iif: transport,
 			}, nil
--- a/experimental/libbox/platform/interface.go
+++ b/experimental/libbox/platform/interface.go
@ -2,7 +2,6 @@ package platform
 import (
 	"context"
 	"net/netip"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/process"
@ -20,16 +19,9 @@ type Interface interface {
 	UsePlatformDefaultInterfaceMonitor() bool
 	CreateDefaultInterfaceMonitor(logger logger.Logger) tun.DefaultInterfaceMonitor
 	UsePlatformInterfaceGetter() bool
-	Interfaces() ([]NetworkInterface, error)
+	Interfaces() ([]control.Interface, error)
 	UnderNetworkExtension() bool
 	ClearDNSCache()
 	ReadWIFIState() adapter.WIFIState
 	process.Searcher
 }
 type NetworkInterface struct {
 	Index     int
 	MTU       int
 	Name      string
 	Addresses []netip.Prefix
 }
--- a/experimental/libbox/service.go
+++ b/experimental/libbox/service.go
@ -192,14 +192,14 @@ func (w *platformInterfaceWrapper) UsePlatformInterfaceGetter() bool {
 	return w.iif.UsePlatformInterfaceGetter()
 }
-func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, error) {
+func (w *platformInterfaceWrapper) Interfaces() ([]control.Interface, error) {
 	interfaceIterator, err := w.iif.GetInterfaces()
 	if err != nil {
 		return nil, err
 	}
-	var interfaces []platform.NetworkInterface
+	var interfaces []control.Interface
 	for _, netInterface := range iteratorToArray[*NetworkInterface](interfaceIterator) {
-		interfaces = append(interfaces, platform.NetworkInterface{
+		interfaces = append(interfaces, control.Interface{
 			Index:     int(netInterface.Index),
 			MTU:       int(netInterface.MTU),
 			Name:      netInterface.Name,
--- a/experimental/libbox/setup.go
+++ b/experimental/libbox/setup.go
@ -7,6 +7,7 @@ import (
 	"github.com/sagernet/sing-box/common/humanize"
 	C "github.com/sagernet/sing-box/constant"
 	_ "github.com/sagernet/sing-box/include"
 )
 var (
--- a/experimental/libbox/tun.go
+++ b/experimental/libbox/tun.go
@ -28,6 +28,8 @@ type TunOptions interface {
 	IsHTTPProxyEnabled() bool
 	GetHTTPProxyServer() string
 	GetHTTPProxyServerPort() int32
 	GetHTTPProxyBypassDomain() StringIterator
 	GetHTTPProxyMatchDomain() StringIterator
 }
 type RoutePrefix struct {
@ -156,3 +158,11 @@ func (o *tunOptions) GetHTTPProxyServer() string {
 func (o *tunOptions) GetHTTPProxyServerPort() int32 {
 	return int32(o.TunPlatformOptions.HTTPProxy.ServerPort)
 }
 func (o *tunOptions) GetHTTPProxyBypassDomain() StringIterator {
 	return newIterator(o.TunPlatformOptions.HTTPProxy.BypassDomain)
 }
 func (o *tunOptions) GetHTTPProxyMatchDomain() StringIterator {
 	return newIterator(o.TunPlatformOptions.HTTPProxy.MatchDomain)
 }
--- a/go.mod
+++ b/go.mod
@ -23,17 +23,17 @@ require (
 	github.com/sagernet/bbolt v0.0.0-20231014093535-ea5cb2fe9f0a
 	github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1
 	github.com/sagernet/gomobile v0.1.3
-	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e
+	github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f
-	github.com/sagernet/quic-go v0.40.1
+	github.com/sagernet/quic-go v0.43.0-beta.3
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.3.8
+	github.com/sagernet/sing v0.4.0-beta.18
-	github.com/sagernet/sing-dns v0.1.14
+	github.com/sagernet/sing-dns v0.2.0-beta.16
 	github.com/sagernet/sing-mux v0.2.0
-	github.com/sagernet/sing-quic v0.1.12
+	github.com/sagernet/sing-quic v0.2.0-beta.1
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.2.0
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.2.6
+	github.com/sagernet/sing-tun v0.2.8-beta.1
 	github.com/sagernet/sing-vmess v0.1.8
 	github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7
 	github.com/sagernet/tfo-go v0.0.0-20231209031829-7b5343ac1dc6
--- a/go.sum
+++ b/go.sum
@ -97,31 +97,31 @@ github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1 h1:YbmpqPQ
 github.com/sagernet/cloudflare-tls v0.0.0-20231208171750-a4483c1b7cd1/go.mod h1:J2yAxTFPDjrDPhuAi9aWFz2L3ox9it4qAluBBbN0H5k=
 github.com/sagernet/gomobile v0.1.3 h1:ohjIb1Ou2+1558PnZour3od69suSuvkdSVOlO1tC4B8=
 github.com/sagernet/gomobile v0.1.3/go.mod h1:Pqq2+ZVvs10U7xK+UwJgwYWUykewi8H6vlslAO73n9E=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e h1:DOkjByVeAR56dkszjnMZke4wr7yM/1xHaJF3G9olkEE=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f h1:NkhuupzH5ch7b/Y/6ZHJWrnNLoiNnSJaow6DPb8VW2I=
-github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e/go.mod h1:fLxq/gtp0qzkaEwywlRRiGmjOK5ES/xUzyIKIFP2Asw=
+github.com/sagernet/gvisor v0.0.0-20240428053021-e691de28565f/go.mod h1:KXmw+ouSJNOsuRpg4wgwwCQuunrGz4yoAqQjsLjc6N0=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.40.1 h1:qLeTIJR0d0JWRmDWo346nLsVN6EWihd1kalJYPEd0TM=
+github.com/sagernet/quic-go v0.43.0-beta.3 h1:qclJbbpgZe76EH62Bdu3LfDSC2zmuxj7zXCpdQBbe7c=
-github.com/sagernet/quic-go v0.40.1/go.mod h1:CcKTpzTAISxrM4PA5M20/wYuz9Tj6Tx4DwGbNl9UQrU=
+github.com/sagernet/quic-go v0.43.0-beta.3/go.mod h1:3EtxR1Yaa1FZu6jFPiBHpOAdhOxL4A3EPxmiVgjJvVM=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.3.8 h1:gm4JKalPhydMYX2zFOTnnd4TXtM/16WFRqSjMepYQQk=
+github.com/sagernet/sing v0.4.0-beta.18 h1:oK+pvyXnFwxwvQkeUqgxIeATiMHcrH5doLKKDGNmQkU=
-github.com/sagernet/sing v0.3.8/go.mod h1:+60H3Cm91RnL9dpVGWDPHt0zTQImO9Vfqt9a4rSambI=
+github.com/sagernet/sing v0.4.0-beta.18/go.mod h1:PFQKbElc2Pke7faBLv8oEba5ehtKO21Ho+TkYemTI3Y=
-github.com/sagernet/sing-dns v0.1.14 h1:kxE/Ik3jMXmD3sXsdt9MgrNzLFWt64mghV+MQqzyf40=
+github.com/sagernet/sing-dns v0.2.0-beta.16 h1:bzd4B8eHD7/WO3HrYknvgE8A56/R3n5oXBjNF97iPzQ=
-github.com/sagernet/sing-dns v0.1.14/go.mod h1:AA+vZMNovuPN5i/sPnfF6756Nq94nzb5nXodMWbta5w=
+github.com/sagernet/sing-dns v0.2.0-beta.16/go.mod h1:XU6Vqr6aHcMz/34Fcv8jmXpRCEuShzW+B7Qg1Xe1nxY=
 github.com/sagernet/sing-mux v0.2.0 h1:4C+vd8HztJCWNYfufvgL49xaOoOHXty2+EAjnzN3IYo=
 github.com/sagernet/sing-mux v0.2.0/go.mod h1:khzr9AOPocLa+g53dBplwNDz4gdsyx/YM3swtAhlkHQ=
-github.com/sagernet/sing-quic v0.1.12 h1:4KjG7LASZck0svGDfzf3aVNidRRQRC/w2HUMk/PHiNE=
+github.com/sagernet/sing-quic v0.2.0-beta.1 h1:XR8KPYs50MNcFMR2/lh4eOonYeV15eJolAAWCQZpStI=
-github.com/sagernet/sing-quic v0.1.12/go.mod h1:L+VtzvuPbf8VW8F4R7KiygqpXY4lO7t2wwcQuHjh8Ew=
+github.com/sagernet/sing-quic v0.2.0-beta.1/go.mod h1:tVUFk5lcW22Bl0ChWlt4Lo93jw0qir3X1fk2ZSypaA4=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.2.0 h1:wpZNs6wKnR7mh1wV9OHwOyUr21VkS3wKFHi+8XwgADg=
 github.com/sagernet/sing-shadowsocks2 v0.2.0/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.2.6 h1:FKXzh34uuO5RStBgf3Zi+Txan5eS9YTVOQrJRAbJBHk=
+github.com/sagernet/sing-tun v0.2.8-beta.1 h1:9loO5/Jqa+54NDi5mKh/CS6LlKsROCSnNQ+jgMcnI+I=
-github.com/sagernet/sing-tun v0.2.6/go.mod h1:MKAAHUzVfj7d9zos4lsz6wjXu86/mJyd/gejiAnWj/w=
+github.com/sagernet/sing-tun v0.2.8-beta.1/go.mod h1:xPaOkQhngPMILx+/9DMLCFl4vSxUU2tMnCPSlf05HLo=
 github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
 github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ=
--- a/inbound/default_tcp.go
+++ b/inbound/default_tcp.go
@ -5,7 +5,9 @@ import (
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@ -16,6 +18,9 @@ func (a *myInboundAdapter) ListenTCP() (net.Listener, error) {
 	bindAddr := M.SocksaddrFrom(a.listenOptions.Listen.Build(), a.listenOptions.ListenPort)
 	var tcpListener net.Listener
 	var listenConfig net.ListenConfig
 	// TODO: Add an option to customize the keep alive period
 	listenConfig.KeepAlive = C.TCPKeepAliveInitial
 	listenConfig.Control = control.Append(listenConfig.Control, control.SetKeepAlivePeriod(C.TCPKeepAliveInitial, C.TCPKeepAliveInterval))
 	if a.listenOptions.TCPMultiPath {
 		if !go121Available {
 			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
--- a/inbound/naive.go
+++ b/inbound/naive.go
@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/common/uot"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@ -109,8 +108,8 @@ func (n *Naive) Start() error {
 	if common.Contains(n.network, N.NetworkUDP) {
 		err := n.configureHTTP3Listener()
-		if !include.WithQUIC && len(n.network) > 1 {
+		if !C.WithQUIC && len(n.network) > 1 {
-			log.Warn(E.Cause(err, "naive http3 disabled"))
+			n.logger.Warn(E.Cause(err, "naive http3 disabled"))
 		} else if err != nil {
 			return err
 		}
--- a/include/dhcp_stub.go
+++ b/include/dhcp_stub.go
@ -3,16 +3,12 @@
 package include
 import (
 	"context"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 func init() {
-	dns.RegisterTransport([]string{"dhcp"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return nil, E.New(`DHCP is not included in this build, rebuild with -tags with_dhcp`)
 	})
 }
--- a/include/quic.go
+++ b/include/quic.go
@ -6,5 +6,3 @@ import (
 	_ "github.com/sagernet/sing-box/transport/v2rayquic"
 	_ "github.com/sagernet/sing-dns/quic"
 )
 const WithQUIC = true
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@ -11,15 +11,12 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 const WithQUIC = false
 func init() {
-	dns.RegisterTransport([]string{"quic", "h3"}, func(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"quic", "h3"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return nil, C.ErrQUICNotIncluded
 	})
 	v2ray.RegisterQUICConstructor(
--- a/include/tz_android.go
+++ b/include/tz_android.go
@ -0,0 +1,21 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // kanged from https://github.com/golang/mobile/blob/c713f31d574bb632a93f169b2cc99c9e753fef0e/app/android.go#L89
 package include
 // #include <time.h>
 import "C"
 import "time"
 func init() {
 	var currentT C.time_t
 	var currentTM C.struct_tm
 	C.time(&currentT)
 	C.localtime_r(&currentT, &currentTM)
 	tzOffset := int(currentTM.tm_gmtoff)
 	tz := C.GoString(currentTM.tm_zone)
 	time.Local = time.FixedZone(tz, tzOffset)
 }
--- a/include/tz_ios.go
+++ b/include/tz_ios.go
@ -0,0 +1,30 @@
 package include
 /*
 #cgo CFLAGS: -x objective-c
 #cgo LDFLAGS: -framework Foundation
 #import <Foundation/Foundation.h>
 const char* getSystemTimeZone() {
    NSTimeZone *timeZone = [NSTimeZone systemTimeZone];
    NSString *timeZoneName = [timeZone description];
    return [timeZoneName UTF8String];
 }
 */
 import "C"
 import (
 	"strings"
 	"time"
 )
 func init() {
 	tzDescription := C.GoString(C.getSystemTimeZone())
 	if len(tzDescription) == 0 {
 		return
 	}
 	location, err := time.LoadLocation(strings.Split(tzDescription, " ")[0])
 	if err != nil {
 		return
 	}
 	time.Local = location
 }
--- a/log/observable.go
+++ b/log/observable.go
@ -53,7 +53,9 @@ func NewDefaultFactory(
 	if platformWriter != nil {
 		factory.platformFormatter.DisableColors = platformWriter.DisableColors()
 	}
-	factory.observer = observable.NewObserver[Entry](factory.subscriber, 64)
+	if needObservable {
 		factory.observer = observable.NewObserver[Entry](factory.subscriber, 64)
 	}
 	return factory
 }
@ -72,7 +74,7 @@ func (f *defaultFactory) Start() error {
 func (f *defaultFactory) Close() error {
 	return common.Close(
 		common.PtrOrNil(f.file),
-		f.observer,
+		f.subscriber,
 	)
 }
--- a/ntp/service.go
+++ b/ntp/service.go
@ -1,112 +0,0 @@
 package ntp
 import (
 	"context"
 	"os"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/settings"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
 )
 var _ ntp.TimeService = (*Service)(nil)
 type Service struct {
 	ctx           context.Context
 	cancel        common.ContextCancelCauseFunc
 	server        M.Socksaddr
 	writeToSystem bool
 	dialer        N.Dialer
 	logger        logger.Logger
 	ticker        *time.Ticker
 	clockOffset   time.Duration
 }
 func NewService(ctx context.Context, router adapter.Router, logger logger.Logger, options option.NTPOptions) (*Service, error) {
 	ctx, cancel := common.ContextWithCancelCause(ctx)
 	server := M.ParseSocksaddrHostPort(options.Server, options.ServerPort)
 	if server.Port == 0 {
 		server.Port = 123
 	}
 	var interval time.Duration
 	if options.Interval > 0 {
 		interval = time.Duration(options.Interval)
 	} else {
 		interval = 30 * time.Minute
 	}
 	outboundDialer, err := dialer.New(router, options.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
 	return &Service{
 		ctx:           ctx,
 		cancel:        cancel,
 		server:        server,
 		writeToSystem: options.WriteToSystem,
 		dialer:        outboundDialer,
 		logger:        logger,
 		ticker:        time.NewTicker(interval),
 	}, nil
 }
 func (s *Service) Start() error {
 	err := s.update()
 	if err != nil {
 		return E.Cause(err, "initialize time")
 	}
 	s.logger.Info("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
 	go s.loopUpdate()
 	return nil
 }
 func (s *Service) Close() error {
 	s.ticker.Stop()
 	s.cancel(os.ErrClosed)
 	return nil
 }
 func (s *Service) TimeFunc() func() time.Time {
 	return func() time.Time {
 		return time.Now().Add(s.clockOffset)
 	}
 }
 func (s *Service) loopUpdate() {
 	for {
 		select {
 		case <-s.ctx.Done():
 			return
 		case <-s.ticker.C:
 		}
 		err := s.update()
 		if err == nil {
 			s.logger.Debug("updated time: ", s.TimeFunc()().Local().Format(C.TimeLayout))
 		} else {
 			s.logger.Warn("update time: ", err)
 		}
 	}
 }
 func (s *Service) update() error {
 	response, err := ntp.Exchange(s.ctx, s.dialer, s.server)
 	if err != nil {
 		return err
 	}
 	s.clockOffset = response.ClockOffset
 	if s.writeToSystem {
 		writeErr := settings.SetSystemTime(s.TimeFunc()())
 		if writeErr != nil {
 			s.logger.Warn("write time to system: ", writeErr)
 		}
 	}
 	return nil
 }
--- a/option/dns.go
+++ b/option/dns.go
@ -19,6 +19,7 @@ type DNSServerOptions struct {
 	AddressFallbackDelay Duration       `json:"address_fallback_delay,omitempty"`
 	Strategy             DomainStrategy `json:"strategy,omitempty"`
 	Detour               string         `json:"detour,omitempty"`
 	ClientSubnet         *ListenAddress `json:"client_subnet,omitempty"`
 }
 type DNSClientOptions struct {
@ -26,6 +27,7 @@ type DNSClientOptions struct {
 	DisableCache     bool           `json:"disable_cache,omitempty"`
 	DisableExpire    bool           `json:"disable_expire,omitempty"`
 	IndependentCache bool           `json:"independent_cache,omitempty"`
 	ClientSubnet     *ListenAddress `json:"client_subnet,omitempty"`
 }
 type DNSFakeIPOptions struct {
--- a/option/experimental.go
+++ b/option/experimental.go
@ -8,10 +8,12 @@ type ExperimentalOptions struct {
 }
 type CacheFileOptions struct {
-	Enabled     bool   `json:"enabled,omitempty"`
+	Enabled     bool     `json:"enabled,omitempty"`
-	Path        string `json:"path,omitempty"`
+	Path        string   `json:"path,omitempty"`
-	CacheID     string `json:"cache_id,omitempty"`
+	CacheID     string   `json:"cache_id,omitempty"`
-	StoreFakeIP bool   `json:"store_fakeip,omitempty"`
+	StoreFakeIP bool     `json:"store_fakeip,omitempty"`
 	StoreRDRC   bool     `json:"store_rdrc,omitempty"`
 	RDRCTimeout Duration `json:"rdrc_timeout,omitempty"`
 }
 type ClashAPIOptions struct {
--- a/option/ntp.go
+++ b/option/ntp.go
@ -2,9 +2,8 @@ package option
 type NTPOptions struct {
 	Enabled       bool     `json:"enabled,omitempty"`
 	Server        string   `json:"server,omitempty"`
 	ServerPort    uint16   `json:"server_port,omitempty"`
 	Interval      Duration `json:"interval,omitempty"`
 	WriteToSystem bool     `json:"write_to_system,omitempty"`
 	ServerOptions
 	DialerOptions
 }
--- a/option/rule_dns.go
+++ b/option/rule_dns.go
@ -65,38 +65,43 @@ func (r DNSRule) IsValid() bool {
 }
 type DefaultDNSRule struct {
-	Inbound           Listable[string]       `json:"inbound,omitempty"`
+	Inbound                  Listable[string]       `json:"inbound,omitempty"`
-	IPVersion         int                    `json:"ip_version,omitempty"`
+	IPVersion                int                    `json:"ip_version,omitempty"`
-	QueryType         Listable[DNSQueryType] `json:"query_type,omitempty"`
+	QueryType                Listable[DNSQueryType] `json:"query_type,omitempty"`
-	Network           Listable[string]       `json:"network,omitempty"`
+	Network                  Listable[string]       `json:"network,omitempty"`
-	AuthUser          Listable[string]       `json:"auth_user,omitempty"`
+	AuthUser                 Listable[string]       `json:"auth_user,omitempty"`
-	Protocol          Listable[string]       `json:"protocol,omitempty"`
+	Protocol                 Listable[string]       `json:"protocol,omitempty"`
-	Domain            Listable[string]       `json:"domain,omitempty"`
+	Domain                   Listable[string]       `json:"domain,omitempty"`
-	DomainSuffix      Listable[string]       `json:"domain_suffix,omitempty"`
+	DomainSuffix             Listable[string]       `json:"domain_suffix,omitempty"`
-	DomainKeyword     Listable[string]       `json:"domain_keyword,omitempty"`
+	DomainKeyword            Listable[string]       `json:"domain_keyword,omitempty"`
-	DomainRegex       Listable[string]       `json:"domain_regex,omitempty"`
+	DomainRegex              Listable[string]       `json:"domain_regex,omitempty"`
-	Geosite           Listable[string]       `json:"geosite,omitempty"`
+	Geosite                  Listable[string]       `json:"geosite,omitempty"`
-	SourceGeoIP       Listable[string]       `json:"source_geoip,omitempty"`
+	SourceGeoIP              Listable[string]       `json:"source_geoip,omitempty"`
-	SourceIPCIDR      Listable[string]       `json:"source_ip_cidr,omitempty"`
+	GeoIP                    Listable[string]       `json:"geoip,omitempty"`
-	SourceIPIsPrivate bool                   `json:"source_ip_is_private,omitempty"`
+	IPCIDR                   Listable[string]       `json:"ip_cidr,omitempty"`
-	SourcePort        Listable[uint16]       `json:"source_port,omitempty"`
+	IPIsPrivate              bool                   `json:"ip_is_private,omitempty"`
-	SourcePortRange   Listable[string]       `json:"source_port_range,omitempty"`
+	SourceIPCIDR             Listable[string]       `json:"source_ip_cidr,omitempty"`
-	Port              Listable[uint16]       `json:"port,omitempty"`
+	SourceIPIsPrivate        bool                   `json:"source_ip_is_private,omitempty"`
-	PortRange         Listable[string]       `json:"port_range,omitempty"`
+	SourcePort               Listable[uint16]       `json:"source_port,omitempty"`
-	ProcessName       Listable[string]       `json:"process_name,omitempty"`
+	SourcePortRange          Listable[string]       `json:"source_port_range,omitempty"`
-	ProcessPath       Listable[string]       `json:"process_path,omitempty"`
+	Port                     Listable[uint16]       `json:"port,omitempty"`
-	PackageName       Listable[string]       `json:"package_name,omitempty"`
+	PortRange                Listable[string]       `json:"port_range,omitempty"`
-	User              Listable[string]       `json:"user,omitempty"`
+	ProcessName              Listable[string]       `json:"process_name,omitempty"`
-	UserID            Listable[int32]        `json:"user_id,omitempty"`
+	ProcessPath              Listable[string]       `json:"process_path,omitempty"`
-	Outbound          Listable[string]       `json:"outbound,omitempty"`
+	PackageName              Listable[string]       `json:"package_name,omitempty"`
-	ClashMode         string                 `json:"clash_mode,omitempty"`
+	User                     Listable[string]       `json:"user,omitempty"`
-	WIFISSID          Listable[string]       `json:"wifi_ssid,omitempty"`
+	UserID                   Listable[int32]        `json:"user_id,omitempty"`
-	WIFIBSSID         Listable[string]       `json:"wifi_bssid,omitempty"`
+	Outbound                 Listable[string]       `json:"outbound,omitempty"`
-	RuleSet           Listable[string]       `json:"rule_set,omitempty"`
+	ClashMode                string                 `json:"clash_mode,omitempty"`
-	Invert            bool                   `json:"invert,omitempty"`
+	WIFISSID                 Listable[string]       `json:"wifi_ssid,omitempty"`
-	Server            string                 `json:"server,omitempty"`
+	WIFIBSSID                Listable[string]       `json:"wifi_bssid,omitempty"`
-	DisableCache      bool                   `json:"disable_cache,omitempty"`
+	RuleSet                  Listable[string]       `json:"rule_set,omitempty"`
-	RewriteTTL        *uint32                `json:"rewrite_ttl,omitempty"`
+	RuleSetIPCIDRMatchSource bool                   `json:"rule_set_ipcidr_match_source,omitempty"`
 	Invert                   bool                   `json:"invert,omitempty"`
 	Server                   string                 `json:"server,omitempty"`
 	DisableCache             bool                   `json:"disable_cache,omitempty"`
 	RewriteTTL               *uint32                `json:"rewrite_ttl,omitempty"`
 	ClientSubnet             *ListenAddress         `json:"client_subnet,omitempty"`
 }
 func (r DefaultDNSRule) IsValid() bool {
@ -105,16 +110,18 @@ func (r DefaultDNSRule) IsValid() bool {
 	defaultValue.Server = r.Server
 	defaultValue.DisableCache = r.DisableCache
 	defaultValue.RewriteTTL = r.RewriteTTL
 	defaultValue.ClientSubnet = r.ClientSubnet
 	return !reflect.DeepEqual(r, defaultValue)
 }
 type LogicalDNSRule struct {
-	Mode         string    `json:"mode"`
+	Mode         string         `json:"mode"`
-	Rules        []DNSRule `json:"rules,omitempty"`
+	Rules        []DNSRule      `json:"rules,omitempty"`
-	Invert       bool      `json:"invert,omitempty"`
+	Invert       bool           `json:"invert,omitempty"`
-	Server       string    `json:"server,omitempty"`
+	Server       string         `json:"server,omitempty"`
-	DisableCache bool      `json:"disable_cache,omitempty"`
+	DisableCache bool           `json:"disable_cache,omitempty"`
-	RewriteTTL   *uint32   `json:"rewrite_ttl,omitempty"`
+	RewriteTTL   *uint32        `json:"rewrite_ttl,omitempty"`
 	ClientSubnet *ListenAddress `json:"client_subnet,omitempty"`
 }
 func (r LogicalDNSRule) IsValid() bool {
--- a/option/tun_platform.go
+++ b/option/tun_platform.go
@ -7,4 +7,6 @@ type TunPlatformOptions struct {
 type HTTPProxyOptions struct {
 	Enabled bool `json:"enabled,omitempty"`
 	ServerOptions
 	BypassDomain Listable[string] `json:"bypass_domain,omitempty"`
 	MatchDomain  Listable[string] `json:"match_domain,omitempty"`
 }
--- a/outbound/direct.go
+++ b/outbound/direct.go
@ -51,7 +51,7 @@ func NewDirect(router adapter.Router, logger log.ContextLogger, tag string, opti
 		domainStrategy: dns.DomainStrategy(options.DomainStrategy),
 		fallbackDelay:  time.Duration(options.FallbackDelay),
 		dialer:         outboundDialer,
-		loopBack:       newLoopBackDetector(),
+		loopBack:       newLoopBackDetector(router),
 	}
 	if options.ProxyProtocol != 0 {
 		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
--- a/outbound/direct_loopback_detect.go
+++ b/outbound/direct_loopback_detect.go
@ -5,21 +5,22 @@ import (
 	"net/netip"
 	"sync"
 	"github.com/sagernet/sing-box/adapter"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type loopBackDetector struct {
-	// router           adapter.Router
+	router           adapter.Router
 	connAccess       sync.RWMutex
 	packetConnAccess sync.RWMutex
 	connMap          map[netip.AddrPort]netip.AddrPort
 	packetConnMap    map[uint16]uint16
 }
-func newLoopBackDetector( /*router adapter.Router*/ ) *loopBackDetector {
+func newLoopBackDetector(router adapter.Router) *loopBackDetector {
 	return &loopBackDetector{
-		// router:        router,
+		router:        router,
 		connMap:       make(map[netip.AddrPort]netip.AddrPort),
 		packetConnMap: make(map[uint16]uint16),
 	}
@ -31,12 +32,12 @@ func (l *loopBackDetector) NewConn(conn net.Conn) net.Conn {
 		return conn
 	}
 	if udpConn, isUDPConn := conn.(abstractUDPConn); isUDPConn {
-		/*if !source.Addr().IsLoopback() {
+		if !source.Addr().IsLoopback() {
 			_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
 			if err != nil {
 				return conn
 			}
-		}*/
+		}
 		if !N.IsPublicAddr(source.Addr()) {
 			return conn
 		}
@ -57,6 +58,12 @@ func (l *loopBackDetector) NewPacketConn(conn N.NetPacketConn, destination M.Soc
 	if !source.IsValid() {
 		return conn
 	}
 	if !source.Addr().IsLoopback() {
 		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
 		if err != nil {
 			return conn
 		}
 	}
 	l.packetConnAccess.Lock()
 	l.packetConnMap[source.Port()] = destination.AddrPort().Port()
 	l.packetConnAccess.Unlock()
@ -74,12 +81,12 @@ func (l *loopBackDetector) CheckPacketConn(source netip.AddrPort, local netip.Ad
 	if !source.IsValid() {
 		return false
 	}
-	/*if !source.Addr().IsLoopback() {
+	if !source.Addr().IsLoopback() {
 		_, err := l.router.InterfaceFinder().InterfaceByAddr(source.Addr())
 		if err != nil {
 			return false
 		}
-	}*/
+	}
 	if N.IsPublicAddr(source.Addr()) {
 		return false
 	}
--- a/outbound/dns.go
+++ b/outbound/dns.go
@ -46,8 +46,8 @@ func (d *DNS) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.Pa
 }
 func (d *DNS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	metadata.Destination = M.Socksaddr{}
 	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
 	for {
 		err := d.handleConnection(ctx, conn, metadata)
 		if err != nil {
@ -98,6 +98,7 @@ func (d *DNS) handleConnection(ctx context.Context, conn net.Conn, metadata adap
 }
 func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	metadata.Destination = M.Socksaddr{}
 	var reader N.PacketReader = conn
 	var counters []N.CountFunc
 	var cachedPackets []*N.PacketBuffer
@ -111,14 +112,11 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 			}
 		}
 		if readWaiter, created := bufio.CreatePacketReadWaiter(reader); created {
-			readWaiter.InitializeReadWaiter(N.ReadWaitOptions{
+			readWaiter.InitializeReadWaiter(N.ReadWaitOptions{})
 				MTU: dns.FixedPacketSize,
 			})
 			return d.newPacketConnection(ctx, conn, readWaiter, counters, cachedPackets, metadata)
 		}
 		break
 	}
 	ctx = adapter.WithContext(ctx, &metadata)
 	fastClose, cancel := common.ContextWithCancelCause(ctx)
 	timeout := canceler.New(fastClose, cancel, C.DNSTimeout)
 	var group task.Group
@ -167,15 +165,11 @@ func (d *DNS) NewPacketConnection(ctx context.Context, conn N.PacketConn, metada
 					return err
 				}
 				timeout.Update()
-				responseBuffer := buf.NewPacket()
+				responseBuffer, err := dns.TruncateDNSMessage(&message, response, 1024)
 				responseBuffer.Resize(1024, 0)
 				n, err := response.PackBuffer(responseBuffer.FreeBytes())
 				if err != nil {
 					cancel(err)
 					responseBuffer.Release()
 					return err
 				}
 				responseBuffer.Truncate(len(n))
 				err = conn.WritePacket(responseBuffer, destination)
 				if err != nil {
 					cancel(err)
@ -241,16 +235,11 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 					return err
 				}
 				timeout.Update()
-				response = truncateDNSMessage(response, 512) // TODO: add an option to custom UDP buffer size
+				responseBuffer, err := dns.TruncateDNSMessage(&message, response, 1024)
 				responseBuffer := buf.NewSize(dns.FixedPacketSize)
 				responseBuffer.Resize(1024, 0)
 				n, err := response.PackBuffer(responseBuffer.FreeBytes())
 				if err != nil {
 					cancel(err)
 					responseBuffer.Release()
 					return err
 				}
 				responseBuffer.Truncate(len(n))
 				err = conn.WritePacket(responseBuffer, destination)
 				if err != nil {
 					cancel(err)
@ -264,22 +253,3 @@ func (d *DNS) newPacketConnection(ctx context.Context, conn N.PacketConn, readWa
 	})
 	return group.Run(fastClose)
 }
 func truncateDNSMessage(response *mDNS.Msg, maxLen int) *mDNS.Msg {
 	responseLen := response.Len()
 	if responseLen <= maxLen {
 		return response
 	}
 	newResponse := *response
 	response = &newResponse
 	for len(response.Answer) > 0 && responseLen > maxLen {
 		response.Answer = response.Answer[:len(response.Answer)-1]
 		response.Truncated = true
 		responseLen = response.Len()
 	}
 	if responseLen > maxLen {
 		response.Ns = nil
 		response.Extra = nil
 	}
 	return response
 }
--- a/route/interface_finder.go
+++ b/route/interface_finder.go
@ -1,54 +0,0 @@
 package route
 import (
 	"net"
 	"github.com/sagernet/sing/common/control"
 )
 var _ control.InterfaceFinder = (*myInterfaceFinder)(nil)
 type myInterfaceFinder struct {
 	interfaces []net.Interface
 }
 func (f *myInterfaceFinder) update() error {
 	ifs, err := net.Interfaces()
 	if err != nil {
 		return err
 	}
 	f.interfaces = ifs
 	return nil
 }
 func (f *myInterfaceFinder) updateInterfaces(interfaces []net.Interface) {
 	f.interfaces = interfaces
 }
 func (f *myInterfaceFinder) InterfaceIndexByName(name string) (interfaceIndex int, err error) {
 	for _, netInterface := range f.interfaces {
 		if netInterface.Name == name {
 			return netInterface.Index, nil
 		}
 	}
 	netInterface, err := net.InterfaceByName(name)
 	if err != nil {
 		return
 	}
 	f.update()
 	return netInterface.Index, nil
 }
 func (f *myInterfaceFinder) InterfaceNameByIndex(index int) (interfaceName string, err error) {
 	for _, netInterface := range f.interfaces {
 		if netInterface.Index == index {
 			return netInterface.Name, nil
 		}
 	}
 	netInterface, err := net.InterfaceByIndex(index)
 	if err != nil {
 		return
 	}
 	f.update()
 	return netInterface.Name, nil
 }
--- a/route/router.go
+++ b/route/router.go
@ -8,6 +8,7 @@ import (
 	"net/url"
 	"os"
 	"os/user"
 	"runtime"
 	"strings"
 	"time"
@ -22,7 +23,6 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/ntp"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/outbound"
 	"github.com/sagernet/sing-box/transport/fakeip"
@ -39,9 +39,10 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	serviceNTP "github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/uot"
 	"github.com/sagernet/sing/common/winpowrprof"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
@ -78,13 +79,14 @@ type Router struct {
 	transportDomainStrategy            map[dns.Transport]dns.DomainStrategy
 	dnsReverseMapping                  *DNSReverseMapping
 	fakeIPStore                        adapter.FakeIPStore
-	interfaceFinder                    myInterfaceFinder
+	interfaceFinder                    *control.DefaultInterfaceFinder
 	autoDetectInterface                bool
 	defaultInterface                   string
 	defaultMark                        int
 	networkMonitor                     tun.NetworkUpdateMonitor
 	interfaceMonitor                   tun.DefaultInterfaceMonitor
 	packageManager                     tun.PackageManager
 	powerListener                      winpowrprof.EventListener
 	processSearcher                    process.Searcher
 	timeService                        *ntp.Service
 	pauseManager                       pause.Manager
@ -122,6 +124,7 @@ func NewRouter(
 		needFindProcess:       hasRule(options.Rules, isProcessRule) || hasDNSRule(dnsOptions.Rules, isProcessDNSRule) || options.FindProcess,
 		defaultDetour:         options.Final,
 		defaultDomainStrategy: dns.DomainStrategy(dnsOptions.Strategy),
 		interfaceFinder:       control.NewDefaultInterfaceFinder(),
 		autoDetectInterface:   options.AutoDetectInterface,
 		defaultInterface:      options.DefaultInterface,
 		defaultMark:           options.DefaultMark,
@ -136,7 +139,17 @@ func NewRouter(
 		DisableCache:     dnsOptions.DNSClientOptions.DisableCache,
 		DisableExpire:    dnsOptions.DNSClientOptions.DisableExpire,
 		IndependentCache: dnsOptions.DNSClientOptions.IndependentCache,
-		Logger:           router.dnsLogger,
+		RDRC: func() dns.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {
 				return nil
 			}
 			if !cacheFile.StoreRDRC() {
 				return nil
 			}
 			return cacheFile
 		},
 		Logger: router.dnsLogger,
 	})
 	for i, ruleOptions := range options.Rules {
 		routeRule, err := NewRule(router, router.logger, ruleOptions, true)
@ -222,7 +235,20 @@ func NewRouter(
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			transport, err := dns.CreateTransport(tag, ctx, logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")), detour, server.Address)
+			var clientSubnet netip.Addr
 			if server.ClientSubnet != nil {
 				clientSubnet = server.ClientSubnet.Build()
 			} else if dnsOptions.ClientSubnet != nil {
 				clientSubnet = dnsOptions.ClientSubnet.Build()
 			}
 			transport, err := dns.CreateTransport(dns.TransportOptions{
 				Context:      ctx,
 				Logger:       logFactory.NewLogger(F.ToString("dns/transport[", tag, "]")),
 				Name:         tag,
 				Dialer:       detour,
 				Address:      server.Address,
 				ClientSubnet: clientSubnet,
 			})
 			if err != nil {
 				return nil, E.Cause(err, "parse dns server[", tag, "]")
 			}
@ -262,7 +288,12 @@ func NewRouter(
 	}
 	if defaultTransport == nil {
 		if len(transports) == 0 {
-			transports = append(transports, dns.NewLocalTransport("local", N.SystemDialer))
+			transports = append(transports, common.Must1(dns.CreateTransport(dns.TransportOptions{
 				Context: ctx,
 				Name:    "local",
 				Address: "local",
 				Dialer:  common.Must1(dialer.NewDefault(router, option.DialerOptions{})),
 			})))
 		}
 		defaultTransport = transports[0]
 	}
@ -303,7 +334,7 @@ func NewRouter(
 			}
 			router.networkMonitor = networkMonitor
 			networkMonitor.RegisterCallback(func() {
-				_ = router.interfaceFinder.update()
+				_ = router.interfaceFinder.Update()
 			})
 			interfaceMonitor, err := tun.NewDefaultInterfaceMonitor(router.networkMonitor, router.logger, tun.DefaultInterfaceMonitorOptions{
 				OverrideAndroidVPN:    options.OverrideAndroidVPN,
@ -321,12 +352,28 @@ func NewRouter(
 		router.interfaceMonitor = interfaceMonitor
 	}
-	if ntpOptions.Enabled {
+	if runtime.GOOS == "windows" {
-		timeService, err := ntp.NewService(ctx, router, logFactory.NewLogger("ntp"), ntpOptions)
+		powerListener, err := winpowrprof.NewEventListener(router.notifyWindowsPowerEvent)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "initialize power listener")
 		}
-		service.ContextWith[serviceNTP.TimeService](ctx, timeService)
+		router.powerListener = powerListener
 	}
 	if ntpOptions.Enabled {
 		ntpDialer, err := dialer.New(router, ntpOptions.DialerOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create NTP service")
 		}
 		timeService := ntp.NewService(ntp.Options{
 			Context:       ctx,
 			Dialer:        ntpDialer,
 			Logger:        logFactory.NewLogger("ntp"),
 			Server:        ntpOptions.ServerOptions.Build(),
 			Interval:      time.Duration(ntpOptions.Interval),
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
 		service.MustRegister[ntp.TimeService](ctx, timeService)
 		router.timeService = timeService
 	}
 	return router, nil
@ -560,6 +607,16 @@ func (r *Router) Start() error {
 			}
 		}
 	}
 	if r.powerListener != nil {
 		monitor.Start("start power listener")
 		err := r.powerListener.Start()
 		monitor.Finish()
 		if err != nil {
 			return E.Cause(err, "start power listener")
 		}
 	}
 	if (needWIFIStateFromRuleSet || r.needWIFIState) && r.platformInterface != nil {
 		monitor.Start("initialize WIFI state")
 		r.needWIFIState = true
@ -578,6 +635,11 @@ func (r *Router) Start() error {
 			return E.Cause(err, "initialize rule[", i, "]")
 		}
 	}
 	monitor.Start("initialize DNS client")
 	r.dnsClient.Start()
 	monitor.Finish()
 	for i, rule := range r.dnsRules {
 		monitor.Start("initialize DNS rule[", i, "]")
 		err := rule.Start()
@ -657,6 +719,13 @@ func (r *Router) Close() error {
 		})
 		monitor.Finish()
 	}
 	if r.powerListener != nil {
 		monitor.Start("close power listener")
 		err = E.Append(err, r.powerListener.Close(), func(err error) error {
 			return E.Cause(err, "close power listener")
 		})
 		monitor.Finish()
 	}
 	if r.timeService != nil {
 		monitor.Start("close time service")
 		err = E.Append(err, r.timeService.Close(), func(err error) error {
@ -1028,24 +1097,18 @@ func (r *Router) match0(ctx context.Context, metadata *adapter.InboundContext, d
 }
 func (r *Router) InterfaceFinder() control.InterfaceFinder {
-	return &r.interfaceFinder
+	return r.interfaceFinder
 }
 func (r *Router) UpdateInterfaces() error {
 	if r.platformInterface == nil || !r.platformInterface.UsePlatformInterfaceGetter() {
-		return r.interfaceFinder.update()
+		return r.interfaceFinder.Update()
 	} else {
 		interfaces, err := r.platformInterface.Interfaces()
 		if err != nil {
 			return err
 		}
-		r.interfaceFinder.updateInterfaces(common.Map(interfaces, func(it platform.NetworkInterface) net.Interface {
+		r.interfaceFinder.UpdateInterfaces(interfaces)
 			return net.Interface{
 				Name:  it.Name,
 				Index: it.Index,
 				MTU:   it.MTU,
 			}
 		}))
 		return nil
 	}
 }
@ -1189,3 +1252,19 @@ func (r *Router) updateWIFIState() {
 		}
 	}
 }
 func (r *Router) notifyWindowsPowerEvent(event int) {
 	switch event {
 	case winpowrprof.EVENT_SUSPEND:
 		r.pauseManager.DevicePause()
 		_ = r.ResetNetwork()
 	case winpowrprof.EVENT_RESUME:
 		if !r.pauseManager.IsDevicePaused() {
 			return
 		}
 		fallthrough
 	case winpowrprof.EVENT_RESUME_AUTOMATIC:
 		r.pauseManager.DeviceWake()
 		_ = r.ResetNetwork()
 	}
 }
--- a/route/router_dns.go
+++ b/route/router_dns.go
@ -2,13 +2,13 @@ package route
 import (
 	"context"
 	"errors"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/cache"
 	E "github.com/sagernet/sing/common/exceptions"
@ -37,41 +37,55 @@ func (m *DNSReverseMapping) Query(address netip.Addr) (string, bool) {
 	return domain, loaded
 }
-func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool) (context.Context, dns.Transport, dns.DomainStrategy) {
+func (r *Router) matchDNS(ctx context.Context, allowFakeIP bool, index int) (context.Context, dns.Transport, dns.DomainStrategy, adapter.DNSRule, int) {
 	metadata := adapter.ContextFrom(ctx)
 	if metadata == nil {
 		panic("no context")
 	}
-	for i, rule := range r.dnsRules {
+	if index < len(r.dnsRules) {
-		metadata.ResetRuleCache()
+		dnsRules := r.dnsRules
-		if rule.Match(metadata) {
+		if index != -1 {
-			detour := rule.Outbound()
+			dnsRules = dnsRules[index+1:]
-			transport, loaded := r.transportMap[detour]
+		}
-			if !loaded {
+		for currentRuleIndex, rule := range dnsRules {
-				r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
+			metadata.ResetRuleCache()
-				continue
+			if rule.Match(metadata) {
-			}
+				detour := rule.Outbound()
-			if _, isFakeIP := transport.(adapter.FakeIPTransport); isFakeIP && !allowFakeIP {
+				transport, loaded := r.transportMap[detour]
-				continue
+				if !loaded {
-			}
+					r.dnsLogger.ErrorContext(ctx, "transport not found: ", detour)
-			r.dnsLogger.DebugContext(ctx, "match[", i, "] ", rule.String(), " => ", detour)
+					continue
-			if rule.DisableCache() {
+				}
-				ctx = dns.ContextWithDisableCache(ctx, true)
+				_, isFakeIP := transport.(adapter.FakeIPTransport)
-			}
+				if isFakeIP && !allowFakeIP {
-			if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {
+					continue
-				ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
+				}
-			}
+				ruleIndex := currentRuleIndex
-			if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
+				if index != -1 {
-				return ctx, transport, domainStrategy
+					ruleIndex += index + 1
-			} else {
+				}
-				return ctx, transport, r.defaultDomainStrategy
+				r.dnsLogger.DebugContext(ctx, "match[", ruleIndex, "] ", rule.String(), " => ", detour)
 				if isFakeIP || rule.DisableCache() {
 					ctx = dns.ContextWithDisableCache(ctx, true)
 				}
 				if rewriteTTL := rule.RewriteTTL(); rewriteTTL != nil {
 					ctx = dns.ContextWithRewriteTTL(ctx, *rewriteTTL)
 				}
 				if clientSubnet := rule.ClientSubnet(); clientSubnet != nil {
 					ctx = dns.ContextWithClientSubnet(ctx, *clientSubnet)
 				}
 				if domainStrategy, dsLoaded := r.transportDomainStrategy[transport]; dsLoaded {
 					return ctx, transport, domainStrategy, rule, ruleIndex
 				} else {
 					return ctx, transport, r.defaultDomainStrategy, rule, ruleIndex
 				}
 			}
 		}
 	}
 	if domainStrategy, dsLoaded := r.transportDomainStrategy[r.defaultTransport]; dsLoaded {
-		return ctx, r.defaultTransport, domainStrategy
+		return ctx, r.defaultTransport, domainStrategy, nil, -1
 	} else {
-		return ctx, r.defaultTransport, r.defaultDomainStrategy
+		return ctx, r.defaultTransport, r.defaultDomainStrategy, nil, -1
 	}
 }
@ -80,13 +94,15 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 		r.dnsLogger.DebugContext(ctx, "exchange ", formatQuestion(message.Question[0].String()))
 	}
 	var (
-		response *mDNS.Msg
+		response  *mDNS.Msg
-		cached   bool
+		cached    bool
-		err      error
+		transport dns.Transport
 		err       error
 	)
 	response, cached = r.dnsClient.ExchangeCache(ctx, message)
 	if !cached {
-		ctx, metadata := adapter.AppendContext(ctx)
+		var metadata *adapter.InboundContext
 		ctx, metadata = adapter.AppendContext(ctx)
 		if len(message.Question) > 0 {
 			metadata.QueryType = message.Question[0].Qtype
 			switch metadata.QueryType {
@ -97,50 +113,134 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 			}
 			metadata.Domain = fqdnToDomain(message.Question[0].Name)
 		}
-		ctx, transport, strategy := r.matchDNS(ctx, true)
+		var (
-		ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
+			strategy  dns.DomainStrategy
-		defer cancel()
+			rule      adapter.DNSRule
-		response, err = r.dnsClient.Exchange(ctx, transport, message, strategy)
+			ruleIndex int
-		if err != nil && len(message.Question) > 0 {
+		)
-			r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", formatQuestion(message.Question[0].String())))
+		ruleIndex = -1
 		for {
 			var (
 				dnsCtx       context.Context
 				cancel       context.CancelFunc
 				addressLimit bool
 			)
 			dnsCtx, transport, strategy, rule, ruleIndex = r.matchDNS(ctx, true, ruleIndex)
 			dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
 			if rule != nil && rule.WithAddressLimit() && isAddressQuery(message) {
 				addressLimit = true
 				response, err = r.dnsClient.ExchangeWithResponseCheck(dnsCtx, transport, message, strategy, func(response *mDNS.Msg) bool {
 					metadata.DestinationAddresses, _ = dns.MessageToAddresses(response)
 					return rule.MatchAddressLimit(metadata)
 				})
 			} else {
 				addressLimit = false
 				response, err = r.dnsClient.Exchange(dnsCtx, transport, message, strategy)
 			}
 			cancel()
 			var rejected bool
 			if err != nil {
 				if errors.Is(err, dns.ErrResponseRejectedCached) {
 					rejected = true
 					r.dnsLogger.DebugContext(ctx, E.Cause(err, "response rejected for ", formatQuestion(message.Question[0].String())), " (cached)")
 				} else if errors.Is(err, dns.ErrResponseRejected) {
 					rejected = true
 					r.dnsLogger.DebugContext(ctx, E.Cause(err, "response rejected for ", formatQuestion(message.Question[0].String())))
 				} else if len(message.Question) > 0 {
 					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", formatQuestion(message.Question[0].String())))
 				} else {
 					r.dnsLogger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
 				}
 			}
 			if addressLimit && rejected {
 				continue
 			}
 			break
 		}
 	}
-	if len(message.Question) > 0 && response != nil {
+	if err != nil {
-		LogDNSAnswers(r.dnsLogger, ctx, message.Question[0].Name, response.Answer)
+		return nil, err
 	}
 	if r.dnsReverseMapping != nil && len(message.Question) > 0 && response != nil && len(response.Answer) > 0 {
-		for _, answer := range response.Answer {
+		if _, isFakeIP := transport.(adapter.FakeIPTransport); !isFakeIP {
-			switch record := answer.(type) {
+			for _, answer := range response.Answer {
-			case *mDNS.A:
+				switch record := answer.(type) {
-				r.dnsReverseMapping.Save(M.AddrFromIP(record.A), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
+				case *mDNS.A:
-			case *mDNS.AAAA:
+					r.dnsReverseMapping.Save(M.AddrFromIP(record.A), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
-				r.dnsReverseMapping.Save(M.AddrFromIP(record.AAAA), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
+				case *mDNS.AAAA:
 					r.dnsReverseMapping.Save(M.AddrFromIP(record.AAAA), fqdnToDomain(record.Hdr.Name), int(record.Hdr.Ttl))
 				}
 			}
 		}
 	}
-	return response, err
+	return response, nil
 }
 func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error) {
 	var (
 		responseAddrs []netip.Addr
 		cached        bool
 		err           error
 	)
 	responseAddrs, cached = r.dnsClient.LookupCache(ctx, domain, strategy)
 	if cached {
 		return responseAddrs, nil
 	}
 	r.dnsLogger.DebugContext(ctx, "lookup domain ", domain)
 	ctx, metadata := adapter.AppendContext(ctx)
 	metadata.Domain = domain
-	ctx, transport, transportStrategy := r.matchDNS(ctx, false)
+	var (
-	if strategy == dns.DomainStrategyAsIS {
+		transport         dns.Transport
-		strategy = transportStrategy
+		transportStrategy dns.DomainStrategy
 		rule              adapter.DNSRule
 		ruleIndex         int
 	)
 	ruleIndex = -1
 	for {
 		var (
 			dnsCtx       context.Context
 			cancel       context.CancelFunc
 			addressLimit bool
 		)
 		metadata.ResetRuleCache()
 		metadata.DestinationAddresses = nil
 		dnsCtx, transport, transportStrategy, rule, ruleIndex = r.matchDNS(ctx, false, ruleIndex)
 		if strategy == dns.DomainStrategyAsIS {
 			strategy = transportStrategy
 		}
 		dnsCtx, cancel = context.WithTimeout(dnsCtx, C.DNSTimeout)
 		if rule != nil && rule.WithAddressLimit() {
 			addressLimit = true
 			responseAddrs, err = r.dnsClient.LookupWithResponseCheck(dnsCtx, transport, domain, strategy, func(responseAddrs []netip.Addr) bool {
 				metadata.DestinationAddresses = responseAddrs
 				return rule.MatchAddressLimit(metadata)
 			})
 		} else {
 			addressLimit = false
 			responseAddrs, err = r.dnsClient.Lookup(dnsCtx, transport, domain, strategy)
 		}
 		cancel()
 		if err != nil {
 			if errors.Is(err, dns.ErrResponseRejectedCached) {
 				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
 			} else if errors.Is(err, dns.ErrResponseRejected) {
 				r.dnsLogger.DebugContext(ctx, "response rejected for ", domain)
 			} else {
 				r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
 		} else if len(responseAddrs) == 0 {
 			r.dnsLogger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
 			err = dns.RCodeNameError
 		}
 		if !addressLimit || err == nil {
 			break
 		}
 	}
-	ctx, cancel := context.WithTimeout(ctx, C.DNSTimeout)
+	if len(responseAddrs) > 0 {
-	defer cancel()
+		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(responseAddrs), " "))
 	addrs, err := r.dnsClient.Lookup(ctx, transport, domain, strategy)
 	if len(addrs) > 0 {
 		r.dnsLogger.InfoContext(ctx, "lookup succeed for ", domain, ": ", strings.Join(F.MapToString(addrs), " "))
 	} else if err != nil {
 		r.dnsLogger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 	} else {
 		r.dnsLogger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
 		err = dns.RCodeNameError
 	}
-	return addrs, err
+	return responseAddrs, err
 }
 func (r *Router) LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error) {
@ -154,10 +254,13 @@ func (r *Router) ClearDNSCache() {
 	}
 }
-func LogDNSAnswers(logger log.ContextLogger, ctx context.Context, domain string, answers []mDNS.RR) {
+func isAddressQuery(message *mDNS.Msg) bool {
-	for _, answer := range answers {
+	for _, question := range message.Question {
-		logger.InfoContext(ctx, "exchanged ", domain, " ", mDNS.Type(answer.Header().Rrtype).String(), " ", formatQuestion(answer.String()))
+		if question.Qtype == mDNS.TypeA || question.Qtype == mDNS.TypeAAAA {
 			return true
 		}
 	}
 	return false
 }
 func fqdnToDomain(fqdn string) string {
--- a/route/router_rule.go
+++ b/route/router_rule.go
@ -59,7 +59,7 @@ func isGeoIPRule(rule option.DefaultRule) bool {
 }
 func isGeoIPDNSRule(rule option.DefaultDNSRule) bool {
-	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode)
+	return len(rule.SourceGeoIP) > 0 && common.Any(rule.SourceGeoIP, notPrivateNode) || len(rule.GeoIP) > 0 && common.Any(rule.GeoIP, notPrivateNode)
 }
 func isGeositeRule(rule option.DefaultRule) bool {
@ -97,3 +97,7 @@ func isWIFIDNSRule(rule option.DefaultDNSRule) bool {
 func isWIFIHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.WIFISSID) > 0 || len(rule.WIFIBSSID) > 0
 }
 func isIPCIDRHeadlessRule(rule option.DefaultHeadlessRule) bool {
 	return len(rule.IPCIDR) > 0 || rule.IPSet != nil
 }
--- a/route/rule_abstract.go
+++ b/route/rule_abstract.go
@ -15,6 +15,7 @@ type abstractDefaultRule struct {
 	sourceAddressItems      []RuleItem
 	sourcePortItems         []RuleItem
 	destinationAddressItems []RuleItem
 	destinationIPCIDRItems  []RuleItem
 	destinationPortItems    []RuleItem
 	allItems                []RuleItem
 	ruleSetItem             RuleItem
@ -64,6 +65,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.sourceAddressItems) > 0 && !metadata.SourceAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.sourceAddressItems {
 			if item.Match(metadata) {
 				metadata.SourceAddressMatch = true
@ -73,6 +75,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.sourcePortItems) > 0 && !metadata.SourcePortMatch {
 		metadata.DidMatch = true
 		for _, item := range r.sourcePortItems {
 			if item.Match(metadata) {
 				metadata.SourcePortMatch = true
@ -82,6 +85,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	if len(r.destinationAddressItems) > 0 && !metadata.DestinationAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationAddressItems {
 			if item.Match(metadata) {
 				metadata.DestinationAddressMatch = true
@ -90,7 +94,18 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		}
 	}
 	if !metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0 && !metadata.DestinationAddressMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationIPCIDRItems {
 			if item.Match(metadata) {
 				metadata.DestinationAddressMatch = true
 				break
 			}
 		}
 	}
 	if len(r.destinationPortItems) > 0 && !metadata.DestinationPortMatch {
 		metadata.DidMatch = true
 		for _, item := range r.destinationPortItems {
 			if item.Match(metadata) {
 				metadata.DestinationPortMatch = true
@ -100,6 +115,9 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	}
 	for _, item := range r.items {
 		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
 			metadata.DidMatch = true
 		}
 		if !item.Match(metadata) {
 			return r.invert
 		}
@ -113,7 +131,7 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		return r.invert
 	}
-	if len(r.destinationAddressItems) > 0 && !metadata.DestinationAddressMatch {
+	if ((!metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0) || len(r.destinationAddressItems) > 0) && !metadata.DestinationAddressMatch {
 		return r.invert
 	}
@ -121,6 +139,10 @@ func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 		return r.invert
 	}
 	if !metadata.DidMatch {
 		return true
 	}
 	return !r.invert
 }
--- a/route/rule_default.go
+++ b/route/rule_default.go
@ -109,7 +109,7 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 	}
 	if len(options.GeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, false, options.GeoIP)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceIPCIDR) > 0 {
@ -130,12 +130,12 @@ func NewDefaultRule(router adapter.Router, logger log.ContextLogger, options opt
 		if err != nil {
 			return nil, E.Cause(err, "ipcidr")
 		}
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.IPIsPrivate {
 		item := NewIPIsPrivateItem(false)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
--- a/route/rule_dns.go
+++ b/route/rule_dns.go
@ -1,10 +1,13 @@
 package route
 import (
 	"net/netip"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@ -37,6 +40,7 @@ type DefaultDNSRule struct {
 	abstractDefaultRule
 	disableCache bool
 	rewriteTTL   *uint32
 	clientSubnet *netip.Addr
 }
 func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
@ -47,6 +51,7 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		},
 		disableCache: options.DisableCache,
 		rewriteTTL:   options.RewriteTTL,
 		clientSubnet: (*netip.Addr)(options.ClientSubnet),
 	}
 	if len(options.Inbound) > 0 {
 		item := NewInboundRule(options.Inbound)
@ -111,6 +116,11 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.GeoIP) > 0 {
 		item := NewGeoIPItem(router, logger, false, options.GeoIP)
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourceIPCIDR) > 0 {
 		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
 		if err != nil {
@ -119,11 +129,24 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.IPCIDR) > 0 {
 		item, err := NewIPCIDRItem(false, options.IPCIDR)
 		if err != nil {
 			return nil, E.Cause(err, "ip_cidr")
 		}
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.SourceIPIsPrivate {
 		item := NewIPIsPrivateItem(true)
 		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if options.IPIsPrivate {
 		item := NewIPIsPrivateItem(false)
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
@ -196,7 +219,7 @@ func NewDefaultDNSRule(router adapter.Router, logger log.ContextLogger, options
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.RuleSet) > 0 {
-		item := NewRuleSetItem(router, options.RuleSet, false)
+		item := NewRuleSetItem(router, options.RuleSet, options.RuleSetIPCIDRMatchSource)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
@ -211,12 +234,45 @@ func (r *DefaultDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 func (r *DefaultDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }
 func (r *DefaultDNSRule) WithAddressLimit() bool {
 	if len(r.destinationIPCIDRItems) > 0 {
 		return true
 	}
 	for _, rawRule := range r.items {
 		ruleSet, isRuleSet := rawRule.(*RuleSetItem)
 		if !isRuleSet {
 			continue
 		}
 		if ruleSet.ContainsDestinationIPCIDRRule() {
 			return true
 		}
 	}
 	return false
 }
 func (r *DefaultDNSRule) Match(metadata *adapter.InboundContext) bool {
 	metadata.IgnoreDestinationIPCIDRMatch = true
 	defer func() {
 		metadata.IgnoreDestinationIPCIDRMatch = false
 	}()
 	return r.abstractDefaultRule.Match(metadata)
 }
 func (r *DefaultDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
 	return r.abstractDefaultRule.Match(metadata)
 }
 var _ adapter.DNSRule = (*LogicalDNSRule)(nil)
 type LogicalDNSRule struct {
 	abstractLogicalRule
 	disableCache bool
 	rewriteTTL   *uint32
 	clientSubnet *netip.Addr
 }
 func NewLogicalDNSRule(router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
@ -254,3 +310,51 @@ func (r *LogicalDNSRule) DisableCache() bool {
 func (r *LogicalDNSRule) RewriteTTL() *uint32 {
 	return r.rewriteTTL
 }
 func (r *LogicalDNSRule) ClientSubnet() *netip.Addr {
 	return r.clientSubnet
 }
 func (r *LogicalDNSRule) WithAddressLimit() bool {
 	for _, rawRule := range r.rules {
 		switch rule := rawRule.(type) {
 		case *DefaultDNSRule:
 			if rule.WithAddressLimit() {
 				return true
 			}
 		case *LogicalDNSRule:
 			if rule.WithAddressLimit() {
 				return true
 			}
 		}
 	}
 	return false
 }
 func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).Match(metadata)
 		}) != r.invert
 	}
 }
 func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
 	if r.mode == C.LogicalTypeAnd {
 		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	} else {
 		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
 			metadata.ResetRuleCache()
 			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
 		}) != r.invert
 	}
 }
--- a/route/rule_headless.go
+++ b/route/rule_headless.go
@ -80,11 +80,11 @@ func NewDefaultHeadlessRule(router adapter.Router, options option.DefaultHeadles
 		if err != nil {
 			return nil, E.Cause(err, "ipcidr")
 		}
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	} else if options.IPSet != nil {
 		item := NewRawIPCIDRItem(false, options.IPSet)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.SourcePort) > 0 {
@ -129,14 +129,18 @@ func NewDefaultHeadlessRule(router adapter.Router, options option.DefaultHeadles
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.WIFISSID) > 0 {
-		item := NewWIFISSIDItem(router, options.WIFISSID)
+		if router != nil {
-		rule.items = append(rule.items, item)
+			item := NewWIFISSIDItem(router, options.WIFISSID)
-		rule.allItems = append(rule.allItems, item)
+			rule.items = append(rule.items, item)
 			rule.allItems = append(rule.allItems, item)
 		}
 	}
 	if len(options.WIFIBSSID) > 0 {
-		item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
+		if router != nil {
-		rule.items = append(rule.items, item)
+			item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
-		rule.allItems = append(rule.allItems, item)
+			rule.items = append(rule.items, item)
 			rule.allItems = append(rule.allItems, item)
 		}
 	}
 	return rule, nil
 }
--- a/route/rule_item_rule_set.go
+++ b/route/rule_item_rule_set.go
@ -4,6 +4,7 @@ import (
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
@ -13,7 +14,7 @@ var _ RuleItem = (*RuleSetItem)(nil)
 type RuleSetItem struct {
 	router            adapter.Router
 	tagList           []string
-	setList           []adapter.HeadlessRule
+	setList           []adapter.RuleSet
 	ipcidrMatchSource bool
 }
@ -46,6 +47,15 @@ func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (r *RuleSetItem) ContainsDestinationIPCIDRRule() bool {
 	if r.ipcidrMatchSource {
 		return false
 	}
 	return common.Any(r.setList, func(ruleSet adapter.RuleSet) bool {
 		return ruleSet.Metadata().ContainsIPCIDRRule
 	})
 }
 func (r *RuleSetItem) String() string {
 	if len(r.tagList) == 1 {
 		return F.ToString("rule_set=", r.tagList[0])
--- a/route/rule_set_local.go
+++ b/route/rule_set_local.go
@ -3,12 +3,14 @@ package route
 import (
 	"context"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 )
@ -55,6 +57,7 @@ func NewLocalRuleSet(router adapter.Router, options option.RuleSet) (*LocalRuleS
 	var metadata adapter.RuleSetMetadata
 	metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
 	return &LocalRuleSet{rules, metadata}, nil
 }
@ -67,6 +70,10 @@ func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (s *LocalRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }
 func (s *LocalRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	return nil
 }
--- a/route/rule_set_remote.go
+++ b/route/rule_set_remote.go
@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"runtime"
 	"strings"
 	"time"
 	"github.com/sagernet/sing-box/adapter"
@ -14,6 +15,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
@ -68,6 +70,10 @@ func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
 	return false
 }
 func (s *RemoteRuleSet) String() string {
 	return strings.Join(F.MapToString(s.rules), " ")
 }
 func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext adapter.RuleSetStartContext) error {
 	var dialer N.Dialer
 	if s.options.RemoteOptions.DownloadDetour != "" {
@ -150,6 +156,7 @@ func (s *RemoteRuleSet) loadBytes(content []byte) error {
 	}
 	s.metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
 	s.metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
 	s.metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
 	s.rules = rules
 	return nil
 }
--- a/transport/dhcp/server.go
+++ b/transport/dhcp/server.go
@ -21,9 +21,6 @@ import (
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/task"
 	"github.com/sagernet/sing/common/x/list"
@ -32,14 +29,14 @@ import (
 )
 func init() {
-	dns.RegisterTransport([]string{"dhcp"}, NewTransport)
+	dns.RegisterTransport([]string{"dhcp"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return NewTransport(options)
 	})
 }
 type Transport struct {
-	name              string
+	options           dns.TransportOptions
 	ctx               context.Context
 	router            adapter.Router
 	logger            logger.Logger
 	interfaceName     string
 	autoInterface     bool
 	interfaceCallback *list.Element[tun.DefaultInterfaceUpdateCallback]
@ -48,23 +45,21 @@ type Transport struct {
 	updatedAt         time.Time
 }
-func NewTransport(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+func NewTransport(options dns.TransportOptions) (*Transport, error) {
-	linkURL, err := url.Parse(link)
+	linkURL, err := url.Parse(options.Address)
 	if err != nil {
 		return nil, err
 	}
 	if linkURL.Host == "" {
 		return nil, E.New("missing interface name for DHCP")
 	}
-	router := adapter.RouterFromContext(ctx)
+	router := adapter.RouterFromContext(options.Context)
 	if router == nil {
 		return nil, E.New("missing router in context")
 	}
 	transport := &Transport{
-		name:          name,
+		options:       options,
 		ctx:           ctx,
 		router:        router,
 		logger:        logger,
 		interfaceName: linkURL.Host,
 		autoInterface: linkURL.Host == "auto",
 	}
@ -72,7 +67,7 @@ func NewTransport(name string, ctx context.Context, logger logger.ContextLogger,
 }
 func (t *Transport) Name() string {
-	return t.name
+	return t.options.Name
 }
 func (t *Transport) Start() error {
@ -158,8 +153,8 @@ func (t *Transport) updateServers() error {
 		return E.Cause(err, "dhcp: prepare interface")
 	}
-	t.logger.Info("dhcp: query DNS servers on ", iface.Name)
+	t.options.Logger.Info("dhcp: query DNS servers on ", iface.Name)
-	fetchCtx, cancel := context.WithTimeout(t.ctx, C.DHCPTimeout)
+	fetchCtx, cancel := context.WithTimeout(t.options.Context, C.DHCPTimeout)
 	err = t.fetchServers0(fetchCtx, iface)
 	cancel()
 	if err != nil {
@ -175,7 +170,7 @@ func (t *Transport) updateServers() error {
 func (t *Transport) interfaceUpdated(int) {
 	err := t.updateServers()
 	if err != nil {
-		t.logger.Error("update servers: ", err)
+		t.options.Logger.Error("update servers: ", err)
 	}
 }
@ -187,7 +182,7 @@ func (t *Transport) fetchServers0(ctx context.Context, iface *net.Interface) err
 	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		listenAddr = "255.255.255.255:68"
 	}
-	packetConn, err := listener.ListenPacket(t.ctx, "udp4", listenAddr)
+	packetConn, err := listener.ListenPacket(t.options.Context, "udp4", listenAddr)
 	if err != nil {
 		return err
 	}
@ -225,17 +220,17 @@ func (t *Transport) fetchServersResponse(iface *net.Interface, packetConn net.Pa
 		dhcpPacket, err := dhcpv4.FromBytes(buffer.Bytes())
 		if err != nil {
-			t.logger.Trace("dhcp: parse DHCP response: ", err)
+			t.options.Logger.Trace("dhcp: parse DHCP response: ", err)
 			return err
 		}
 		if dhcpPacket.MessageType() != dhcpv4.MessageTypeOffer {
-			t.logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
+			t.options.Logger.Trace("dhcp: expected OFFER response, but got ", dhcpPacket.MessageType())
 			continue
 		}
 		if dhcpPacket.TransactionID != transactionID {
-			t.logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
+			t.options.Logger.Trace("dhcp: expected transaction ID ", transactionID, ", but got ", dhcpPacket.TransactionID)
 			continue
 		}
@ -255,20 +250,22 @@ func (t *Transport) fetchServersResponse(iface *net.Interface, packetConn net.Pa
 func (t *Transport) recreateServers(iface *net.Interface, serverAddrs []netip.Addr) error {
 	if len(serverAddrs) > 0 {
-		t.logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, func(it netip.Addr) string {
+		t.options.Logger.Info("dhcp: updated DNS servers from ", iface.Name, ": [", strings.Join(common.Map(serverAddrs, func(it netip.Addr) string {
 			return it.String()
 		}), ","), "]")
 	}
 	serverDialer := common.Must1(dialer.NewDefault(t.router, option.DialerOptions{
 		BindInterface:      iface.Name,
 		UDPFragmentDefault: true,
 	}))
 	var transports []dns.Transport
 	for _, serverAddr := range serverAddrs {
-		serverTransport, err := dns.NewUDPTransport(t.name, t.ctx, serverDialer, M.Socksaddr{Addr: serverAddr, Port: 53})
+		newOptions := t.options
 		newOptions.Address = serverAddr.String()
 		newOptions.Dialer = serverDialer
 		serverTransport, err := dns.NewUDPTransport(newOptions)
 		if err != nil {
-			return err
+			return E.Cause(err, "create UDP transport from DHCP result: ", serverAddr)
 		}
 		transports = append(transports, serverTransport)
 	}
--- a/transport/fakeip/packet.go
+++ b/transport/fakeip/packet.go
@ -1,55 +0,0 @@
 package fakeip
 import (
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 var _ N.PacketConn = (*NATPacketConn)(nil)
 type NATPacketConn struct {
 	N.PacketConn
 	origin      M.Socksaddr
 	destination M.Socksaddr
 }
 func NewNATPacketConn(conn N.PacketConn, origin M.Socksaddr, destination M.Socksaddr) *NATPacketConn {
 	return &NATPacketConn{
 		PacketConn:  conn,
 		origin:      socksaddrWithoutPort(origin),
 		destination: socksaddrWithoutPort(destination),
 	}
 }
 func (c *NATPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = c.PacketConn.ReadPacket(buffer)
 	if socksaddrWithoutPort(destination) == c.origin {
 		destination = M.Socksaddr{
 			Addr: c.destination.Addr,
 			Fqdn: c.destination.Fqdn,
 			Port: destination.Port,
 		}
 	}
 	return
 }
 func (c *NATPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	if socksaddrWithoutPort(destination) == c.destination {
 		destination = M.Socksaddr{
 			Addr: c.origin.Addr,
 			Fqdn: c.origin.Fqdn,
 			Port: destination.Port,
 		}
 	}
 	return c.PacketConn.WritePacket(buffer, destination)
 }
 func (c *NATPacketConn) Upstream() any {
 	return c.PacketConn
 }
 func socksaddrWithoutPort(destination M.Socksaddr) M.Socksaddr {
 	destination.Port = 0
 	return destination
 }
--- a/transport/fakeip/packet_wait.go
+++ b/transport/fakeip/packet_wait.go
@ -1,37 +0,0 @@
 package fakeip
 import (
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func (c *NATPacketConn) CreatePacketReadWaiter() (N.PacketReadWaiter, bool) {
 	waiter, created := bufio.CreatePacketReadWaiter(c.PacketConn)
 	if !created {
 		return nil, false
 	}
 	return &waitNATPacketConn{c, waiter}, true
 }
 type waitNATPacketConn struct {
 	*NATPacketConn
 	readWaiter N.PacketReadWaiter
 }
 func (c *waitNATPacketConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy bool) {
 	return c.readWaiter.InitializeReadWaiter(options)
 }
 func (c *waitNATPacketConn) WaitReadPacket() (buffer *buf.Buffer, destination M.Socksaddr, err error) {
 	buffer, destination, err = c.readWaiter.WaitReadPacket()
 	if err == nil && socksaddrWithoutPort(destination) == c.origin {
 		destination = M.Socksaddr{
 			Addr: c.destination.Addr,
 			Fqdn: c.destination.Fqdn,
 			Port: destination.Port,
 		}
 	}
 	return
 }
--- a/transport/fakeip/server.go
+++ b/transport/fakeip/server.go
@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 	mDNS "github.com/miekg/dns"
 )
@ -20,7 +19,9 @@ var (
 )
 func init() {
-	dns.RegisterTransport([]string{"fakeip"}, NewTransport)
+	dns.RegisterTransport([]string{"fakeip"}, func(options dns.TransportOptions) (dns.Transport, error) {
 		return NewTransport(options)
 	})
 }
 type Transport struct {
@ -30,15 +31,15 @@ type Transport struct {
 	logger logger.ContextLogger
 }
-func NewTransport(name string, ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
+func NewTransport(options dns.TransportOptions) (*Transport, error) {
-	router := adapter.RouterFromContext(ctx)
+	router := adapter.RouterFromContext(options.Context)
 	if router == nil {
 		return nil, E.New("missing router in context")
 	}
 	return &Transport{
-		name:   name,
+		name:   options.Name,
 		router: router,
-		logger: logger,
+		logger: options.Logger,
 	}, nil
 }
--- a/transport/wireguard/device_stack.go
+++ b/transport/wireguard/device_stack.go
@ -34,7 +34,7 @@ type StackDevice struct {
 	stack          *stack.Stack
 	mtu            uint32
 	events         chan wgTun.Event
-	outbound       chan stack.PacketBufferPtr
+	outbound       chan *stack.PacketBuffer
 	packetOutbound chan *buf.Buffer
 	done           chan struct{}
 	dispatcher     stack.NetworkDispatcher
@ -52,7 +52,7 @@ func NewStackDevice(localAddresses []netip.Prefix, mtu uint32) (*StackDevice, er
 		stack:          ipStack,
 		mtu:            mtu,
 		events:         make(chan wgTun.Event, 1),
-		outbound:       make(chan stack.PacketBufferPtr, 256),
+		outbound:       make(chan *stack.PacketBuffer, 256),
 		packetOutbound: make(chan *buf.Buffer, 256),
 		done:           make(chan struct{}),
 	}
@ -283,10 +283,10 @@ func (ep *wireEndpoint) ARPHardwareType() header.ARPHardwareType {
 	return header.ARPHardwareNone
 }
-func (ep *wireEndpoint) AddHeader(buffer stack.PacketBufferPtr) {
+func (ep *wireEndpoint) AddHeader(buffer *stack.PacketBuffer) {
 }
-func (ep *wireEndpoint) ParseHeader(ptr stack.PacketBufferPtr) bool {
+func (ep *wireEndpoint) ParseHeader(ptr *stack.PacketBuffer) bool {
 	return true
 }
Author	SHA1	Message	Date
世界	3fb98f6549	documentation: Bump version	2024-05-03 17:41:59 +08:00
世界	3f48b1bcb2	documentation: Update DNS manual	2024-05-03 17:41:27 +08:00
世界	3e055fae5d	dialer: Allow nil router	2024-05-03 17:41:27 +08:00
世界	79e3e7de7f	Add `rule-set match` command	2024-05-03 17:41:27 +08:00
世界	db85b4b4dc	Add `bypass_domain` and `search_domain` platform HTTP proxy options	2024-05-03 17:41:27 +08:00
世界	014e7fa657	Update gVisor to 20240422.0	2024-05-03 17:41:20 +08:00
世界	12fab046f0	Update quic-go to v0.43.0	2024-05-03 17:38:51 +08:00
世界	d432552614	Fixed order for Clash modes	2024-05-03 17:38:51 +08:00
气息	6a17c756ba	Fix DNS exchange index Signed-off-by: 气息 <qdshizh@gmail.com>	2024-05-03 17:38:50 +08:00
dyhkwong	1ef68d9ec6	Always disable cache for fake-ip servers	2024-05-03 17:38:50 +08:00
PuerNya	e823a2f202	Always disable cache for fake-ip DNS transport if `independent_cache` disabled	2024-05-03 17:38:50 +08:00
世界	229b30aa3d	Fix missing `rule_set_ipcidr_match_source` item in DNS rules	2024-05-03 17:38:50 +08:00
世界	fbdac078dc	Improve DNS truncate behavior	2024-05-03 17:38:50 +08:00
世界	d5713fd44e	Fix DNS fallthrough incorrectly	2024-05-03 17:38:50 +08:00
世界	8c7b71f582	Add rejected DNS response cache support	2024-05-03 17:38:50 +08:00
世界	2e731f9011	Add support for `client-subnet` DNS options	2024-05-03 17:38:49 +08:00
世界	4d43dc38fb	Add address filter support for DNS rules	2024-05-03 17:38:49 +08:00
世界	ac7cf6fb72	Fix timezone for Android and iOS	2024-05-03 17:38:49 +08:00
世界	0f54e7525f	Improve loopback detector	2024-05-03 17:38:49 +08:00
世界	1e1b41d45a	Remove unused fakeip packet conn	2024-05-03 17:38:49 +08:00
世界	e916b38237	Set the default TCP keep alive period	2024-05-03 17:38:48 +08:00
世界	3fe486b40b	Migrate ntp service to library	2024-05-03 17:38:48 +08:00
世界	d703e843e5	Handle Windows power events	2024-05-03 17:38:48 +08:00
世界	cfe9ef4caf	Improve domain suffix match behavior For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects. This change modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`, the behavior is unchanged, otherwise it matches `(domain\|.+\.domain)` instead.	2024-05-03 17:38:48 +08:00
世界	a889c2cae7	Remove `PROCESS_NAME_NATIVE` dwFlag in process query output The `process_path` rule of sing-box is inherited from Clash, the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`), but when the device has multiple disks, the HarddiskVolume serial number is not stable. This change make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`), which will disrupt the existing `process_path` use cases in Windows.	2024-05-03 17:38:48 +08:00
世界	205106167d	badtls: Support uTLS and TLS ECH for read waiter	2024-05-03 17:38:48 +08:00
世界	742adacce7	Bump version	2024-05-03 17:38:26 +08:00
世界	32e1d5a5e2	documentation: Update package status	2024-05-03 17:38:26 +08:00
世界	cb9f4ce597	Minor fixes	2024-05-03 15:34:47 +08:00
世界	4b1a6185ba	Fix DNF repo	2024-04-29 23:13:04 +08:00
		`@ -1 +1 @@`
			`Subproject commit 288a6f34db62f65399c7546373d9c1aab2072745`				`Subproject commit c0ce4cc97d71ae9c02df93316d72feaf028df459`
		`@ -1 +1 @@`
			`Subproject commit 1c5bc23a25d71fd436e318c44d8fb855f56b91ed`				`Subproject commit 17eec0861543489ad4519eef974c65d2a159244d`