Pull request: 2471 defer

Merge in DNS/adguard-home from 2471-defer to master Updates #2471. * commit '1c754788f9139ed9741cf01c6d94bcced6909b8c': home: improve getCurrentUser home: improve checkSession Use a couple of defer in internal/home/auth.go
Pull request: all: support more $dnsrewrite rr types
2020-12-23 13:16:44 +03:00 · 2020-12-23 12:35:07 +03:00 · 2020-12-22 21:09:53 +03:00 · 2020-12-22 21:05:12 +03:00 · 2020-12-21 19:39:39 +01:00 · 2020-12-21 17:48:07 +03:00
48 changed files with 2129 additions and 652 deletions
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -1,18 +1,13 @@
-#!/bin/bash
-set -e;
+#!/bin/sh

-found=0
-git diff --cached --name-only | grep -q '.js$' && found=1
-if [ $found == 1 ]; then
-    npm --prefix client run lint || exit 1
-    npm run test --prefix client || exit 1
+set -e -f -u
+
+if [ "$(git diff --cached --name-only -- '*.js')" ]
+then
+	make js-lint js-test
 fi

-found=0
-git diff --cached --name-only | grep -q '.go$' && found=1
-if [ $found == 1 ]; then
-	make go-lint || exit 1
-	go test ./... || exit 1
+if [ "$(git diff --cached --name-only -- '*.go' 'go.mod')" ]
+then
+	make go-lint go-test
 fi
-
-exit 0;
--- a/AGHTechDoc.md
+++ b/AGHTechDoc.md
@@ -1833,16 +1833,22 @@ Response:
 	200 OK

 	{
-	"reason":"FilteredBlackList",
-	"filter_id":1,
-	"rule":"||doubleclick.net^",
-	"service_name": "...", // set if reason=FilteredBlockedService
-
-	// if reason=ReasonRewrite:
-	"cname": "...",
-	"ip_addrs": ["1.2.3.4", ...],
+		"reason":"FilteredBlackList",
+		"rules":{
+			"filter_list_id":42,
+			"text":"||doubleclick.net^",
+		},
+		// If we have "reason":"FilteredBlockedService".
+		"service_name": "...",
+		// If we have "reason":"Rewrite".
+		"cname": "...",
+		"ip_addrs": ["1.2.3.4", ...]
 	}

+There are also deprecated properties `filter_id` and `rule` on the top level of
+the response object.  Their usaga should be replaced with
+`rules[*].filter_list_id` and `rules[*].text` correspondingly.  See the
+_OpenAPI_ documentation and the `./openapi/CHANGELOG.md` file.

 ## Log-in page

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,15 +15,19 @@ and this project adheres to

 ### Added

- Detecting of network interface configurated to have static IP address via
+- `$dnsrewrite` modifier for filters ([#2102]).
+- The host checking API and the query logs API can now return multiple matched
+  rules ([#2102]).
+- Detecting of network interface configured to have static IP address via
  `/etc/network/interfaces` ([#2302]).
- DNSCrypt protocol support [#1361].
+- DNSCrypt protocol support ([#1361]).
 - A 5 second wait period until a DHCP server's network interface gets an IP
  address ([#2304]).
 - `$dnstype` modifier for filters ([#2337]).
 - HTTP API request body size limit ([#2305]).

 [#1361]: https://github.com/AdguardTeam/AdGuardHome/issues/1361
+[#2102]: https://github.com/AdguardTeam/AdGuardHome/issues/2102
 [#2302]: https://github.com/AdguardTeam/AdGuardHome/issues/2302
 [#2304]: https://github.com/AdguardTeam/AdGuardHome/issues/2304
 [#2305]: https://github.com/AdguardTeam/AdGuardHome/issues/2305
@@ -31,6 +35,9 @@ and this project adheres to

 ### Changed

+- When `dns.bogus_nxdomain` option is used, the server will now transform
+  responses if there is at least one bogus address instead of all of them
+  ([#2394]).  The new behavior is the same as in `dnsmasq`.
 - Post-updating relaunch possibility is now determined OS-dependently ([#2231],
  [#2391]).
 - Made the mobileconfig HTTP API more robust and predictable, add parameters and
@@ -47,20 +54,27 @@ and this project adheres to
 [#2343]: https://github.com/AdguardTeam/AdGuardHome/issues/2343
 [#2358]: https://github.com/AdguardTeam/AdGuardHome/issues/2358
 [#2391]: https://github.com/AdguardTeam/AdGuardHome/issues/2391
+[#2394]: https://github.com/AdguardTeam/AdGuardHome/issues/2394

 ### Fixed

+- Inability to set DNS cache TTL limits ([#2459]).
+- Possible freezes on slower machines ([#2225]).
 - A mitigation against records being shown in the wrong order on the query log
  page ([#2293]).
 - A JSON parsing error in query log ([#2345]).
 - Incorrect detection of the IPv6 address of an interface as well as another
  infinite loop in the `/dhcp/find_active_dhcp` HTTP API ([#2355]).

+[#2225]: https://github.com/AdguardTeam/AdGuardHome/issues/2225
 [#2293]: https://github.com/AdguardTeam/AdGuardHome/issues/2293
 [#2345]: https://github.com/AdguardTeam/AdGuardHome/issues/2345
 [#2355]: https://github.com/AdguardTeam/AdGuardHome/issues/2355
+[#2459]: https://github.com/AdguardTeam/AdGuardHome/issues/2459

+### Removed

+- Support for pre-v0.99.3 format of query logs ([#2102]).

 ## [v0.104.3] - 2020-11-19

--- a/HACKING.md
+++ b/HACKING.md
@@ -78,6 +78,14 @@ The rules are mostly sorted in the alphabetical order.
 *  Prefer constants to variables where possible.  Reduce global variables.  Use
    [constant errors] instead of `errors.New`.

+ *  Unused arguments in anonymous functions must be called `_`:
+
+    ```go
+    v.onSuccess = func(_ int, msg string) {
+            // …
+    }
+    ```
+
 *  Use linters.

 *  Use named returns to improve readability of function signatures.
@@ -106,7 +114,16 @@ The rules are mostly sorted in the alphabetical order.
    ```go
    // Foo implements the Fooer interface for *foo.
    func (f *foo) Foo() {
-        // …
+            // …
+    }
+    ```
+
+    When the implemented interface is unexported:
+
+    ```go
+    // Unwrap implements the hidden wrapper interface for *fooError.
+    func (err *fooError) Unwrap() (unwrapped error) {
+            // …
    }
    ```

@@ -146,12 +163,15 @@ The rules are mostly sorted in the alphabetical order.

 ##  Shell Scripting

- *  Avoid bashisms, prefer *POSIX* features only.
+ *  Avoid bashisms and GNUisms, prefer *POSIX* features only.

 *  Prefer `'raw strings'` to `"double quoted strings"` whenever possible.

 *  Put spaces within `$( cmd )`, `$(( expr ))`, and `{ cmd; }`.

+ *  Put utility flags in the ASCII order and **don't** group them together.  For
+    example, `ls -1 -A -q`.
+
 *  `snake_case`, not `camelCase`.

 *  Use `set -e -f -u` and also `set -x` in verbose mode.
@@ -159,6 +179,24 @@ The rules are mostly sorted in the alphabetical order.
 *  Use the `"$var"` form instead of the `$var` form, unless word splitting is
    required.

+ *  When concatenating, always use the form with curly braces to prevent
+    accidental bad variable names.  That is, `"${var}_tmp.txt"` and **not**
+    `"$var_tmp.txt"`.  The latter will try to lookup variable `var_tmp`.
+
+ *  When concatenating, surround the whole string with quotes.  That is, use
+    this:
+
+    ```sh
+    dir="${TOP_DIR}/sub"
+    ```
+
+    And **not** this:
+
+    ```sh
+    # Bad!
+    dir="${TOP_DIR}"/sub
+    ```
+
 ##  Text, Including Comments

 *  End sentences with appropriate punctuation.
--- a/4
+++ b/4
@@ -35,6 +35,7 @@ GPG_KEY := devteam@adguard.com
 GPG_KEY_PASSPHRASE :=
 GPG_CMD := gpg --detach-sig --default-key $(GPG_KEY) --pinentry-mode loopback --passphrase $(GPG_KEY_PASSPHRASE)
 VERBOSE := -v
+REBUILD_CLIENT = 1

 # See release target
 DIST_DIR=dist
@@ -124,7 +125,8 @@ all: build
 init:
 	git config core.hooksPath .githooks

-build: client_with_deps
+build:
+	test '$(REBUILD_CLIENT)' = '1' && $(MAKE) client_with_deps || exit 0
 	$(GO) mod download
 	PATH=$(GOPATH)/bin:$(PATH) $(GO) generate ./...
 	CGO_ENABLED=0 $(GO) build -ldflags="-s -w -X main.version=$(VERSION) -X main.channel=$(CHANNEL) -X main.goarm=$(GOARM)"
--- a/README.md
+++ b/README.md
@@ -255,7 +255,7 @@ curl -sSL https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scrip

 * Beta channel builds
    * Linux: [64-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_amd64.tar.gz), [32-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_386.tar.gz)
-    * Linux ARM: [32-bit ARMv6](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv6.tar.gz) (recommended for Rapsberry Pi), [64-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_arm64.tar.gz), [32-bit ARMv5](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv5.tar.gz), [32-bit ARMv7](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv7.tar.gz)
+    * Linux ARM: [32-bit ARMv6](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv6.tar.gz) (recommended for Raspberry Pi), [64-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_arm64.tar.gz), [32-bit ARMv5](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv5.tar.gz), [32-bit ARMv7](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_armv7.tar.gz)
    * Linux MIPS: [32-bit MIPS](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_mips_softfloat.tar.gz), [32-bit MIPSLE](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_mipsle_softfloat.tar.gz), [64-bit MIPS](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_mips64_softfloat.tar.gz), [64-bit MIPSLE](https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_mips64le_softfloat.tar.gz)
    * Windows: [64-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_windows_amd64.zip), [32-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_windows_386.zip)
    * MacOS: [64-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_darwin_amd64.zip), [32-bit](https://static.adguard.com/adguardhome/beta/AdGuardHome_darwin_386.zip)
@@ -264,7 +264,7 @@ curl -sSL https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scrip

 * Edge channel builds
    * Linux: [64-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_amd64.tar.gz), [32-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_386.tar.gz)
-    * Linux ARM: [32-bit ARMv6](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv6.tar.gz) (recommended for Rapsberry Pi), [64-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_arm64.tar.gz), [32-bit ARMv5](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv5.tar.gz), [32-bit ARMv7](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv7.tar.gz)
+    * Linux ARM: [32-bit ARMv6](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv6.tar.gz) (recommended for Raspberry Pi), [64-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_arm64.tar.gz), [32-bit ARMv5](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv5.tar.gz), [32-bit ARMv7](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv7.tar.gz)
    * Linux MIPS: [32-bit MIPS](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_mips_softfloat.tar.gz), [32-bit MIPSLE](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_mipsle_softfloat.tar.gz), [64-bit MIPS](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_mips64_softfloat.tar.gz), [64-bit MIPSLE](https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_mips64le_softfloat.tar.gz)
    * Windows: [64-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_windows_amd64.zip), [32-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_windows_386.zip)
    * MacOS: [64-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_darwin_amd64.zip), [32-bit](https://static.adguard.com/adguardhome/edge/AdGuardHome_darwin_386.zip)
--- a/client/src/helpers/validators.js
+++ b/client/src/helpers/validators.js
@@ -64,7 +64,7 @@ export const validateClientId = (value) => {
    if (!value) {
        return undefined;
    }
-    const formattedValue = value ? value.trim() : value;
+    const formattedValue = value.trim();
    if (formattedValue && !(
        R_IPV4.test(formattedValue)
            || R_IPV6.test(formattedValue)
--- a/go.mod
+++ b/go.mod
@@ -3,12 +3,11 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.14

 require (
-	github.com/AdguardTeam/dnsproxy v0.33.2
+	github.com/AdguardTeam/dnsproxy v0.33.7
 	github.com/AdguardTeam/golibs v0.4.4
-	github.com/AdguardTeam/urlfilter v0.13.0
+	github.com/AdguardTeam/urlfilter v0.14.1
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/ameshkov/dnscrypt/v2 v2.0.0
-	github.com/beefsack/go-rate v0.0.0-20200827232406-6cde80facd47 // indirect
+	github.com/ameshkov/dnscrypt/v2 v2.0.1
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/go-ping/ping v0.0.0-20201115131931-3300c582a663
 	github.com/gobuffalo/envy v1.9.0 // indirect
@@ -16,10 +15,8 @@ require (
 	github.com/gobuffalo/packr/v2 v2.8.1 // indirect
 	github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714
 	github.com/insomniacslk/dhcp v0.0.0-20201112113307-4de412bc85d8
-	github.com/joomcode/errorx v1.0.3 // indirect
 	github.com/kardianos/service v1.2.0
 	github.com/karrick/godirwalk v1.16.1 // indirect
-	github.com/lucas-clemente/quic-go v0.19.1 // indirect
 	github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7
 	github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065
 	github.com/miekg/dns v1.1.35
@@ -30,14 +27,12 @@ require (
 	github.com/stretchr/testify v1.6.1
 	github.com/u-root/u-root v7.0.0+incompatible
 	go.etcd.io/bbolt v1.3.5
-	golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
-	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
+	golang.org/x/crypto v0.0.0-20201217014255-9d1352758620
+	golang.org/x/net v0.0.0-20201216054612-986b41b23924
 	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
-	golang.org/x/sys v0.0.0-20201119102817-f84b799fce68
-	golang.org/x/text v0.3.4 // indirect
+	golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.3.0
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
 	howett.net/plist v0.0.0-20201026045517-117a925f2150
 )
--- a/go.sum
+++ b/go.sum
@@ -18,18 +18,16 @@ dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBr
 dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4=
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
-github.com/AdguardTeam/dnsproxy v0.33.2 h1:k5aMcsw3TA/G2DR8EjIkwutDPuuRkKh8xij4cFWC6Fk=
-github.com/AdguardTeam/dnsproxy v0.33.2/go.mod h1:kLi6lMpErnZThy5haiRSis4q0KTB8uPWO4JQsU1EDJA=
+github.com/AdguardTeam/dnsproxy v0.33.7 h1:DXsLTJoBSUejB2ZqVHyMG0/kXD8PzuVPbLCsGKBdaDc=
+github.com/AdguardTeam/dnsproxy v0.33.7/go.mod h1:dkI9VWh43XlOzF2XogDm1EmoVl7PANOR4isQV6X9LZs=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2 h1:7M28oTZFoFwNmp8eGPb3ImmYbxGaJLyQXeIFVHjME0o=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
-github.com/AdguardTeam/golibs v0.4.3 h1:nXTLLLlIyU4BSRF0An5azS0uimSK/YpIMOBAO0/v1RY=
-github.com/AdguardTeam/golibs v0.4.3/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.4 h1:cM9UySQiYFW79zo5XRwnaIWVzfW4eNXmZktMrWbthpw=
 github.com/AdguardTeam/golibs v0.4.4/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
-github.com/AdguardTeam/urlfilter v0.13.0 h1:MfO46K81JVTkhgP6gRu/buKl5wAOSfusjiDwjT1JN1c=
-github.com/AdguardTeam/urlfilter v0.13.0/go.mod h1:klx4JbOfc4EaNb5lWLqOwfg+pVcyRukmoJRvO55lL5U=
+github.com/AdguardTeam/urlfilter v0.14.1 h1:imYls0fit9ojA6pP1hWFUEIjyoXbDF85ZM+G67bI48c=
+github.com/AdguardTeam/urlfilter v0.14.1/go.mod h1:klx4JbOfc4EaNb5lWLqOwfg+pVcyRukmoJRvO55lL5U=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -44,8 +42,8 @@ github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyY
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/ameshkov/dnscrypt/v2 v2.0.0 h1:i83G8MeGLrAFgUL8GSu98TVhtFDEifF7SIS7Qi/RZ3U=
-github.com/ameshkov/dnscrypt/v2 v2.0.0/go.mod h1:nbZnxJt4edIPx2Haa8n2XtC2g5AWcsdQiSuXkNH8eDI=
+github.com/ameshkov/dnscrypt/v2 v2.0.1 h1:igNVNM6NLBOqYUzHXaDUxn8i+wJXOsosY0/xEBirixA=
+github.com/ameshkov/dnscrypt/v2 v2.0.1/go.mod h1:nbZnxJt4edIPx2Haa8n2XtC2g5AWcsdQiSuXkNH8eDI=
 github.com/ameshkov/dnsstamps v1.0.1 h1:LhGvgWDzhNJh+kBQd/AfUlq1vfVe109huiXw4JhnPug=
 github.com/ameshkov/dnsstamps v1.0.1/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
@@ -55,8 +53,6 @@ github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hC
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6 h1:KXlsf+qt/X5ttPGEjR0tPH1xaWWoKBEg9Q1THAj2h3I=
-github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6/go.mod h1:6YNgTHLutezwnBvyneBbwvB8C82y3dcoOj5EQJIdGXA=
 github.com/beefsack/go-rate v0.0.0-20200827232406-6cde80facd47 h1:M57m0xQqZIhx7CEJgeLSvRFKEK1RjzRuIXiA3HfYU7g=
 github.com/beefsack/go-rate v0.0.0-20200827232406-6cde80facd47/go.mod h1:6YNgTHLutezwnBvyneBbwvB8C82y3dcoOj5EQJIdGXA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -251,10 +247,8 @@ github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucas-clemente/quic-go v0.18.1 h1:DMR7guC0NtVS8zNZR3IO7NARZvZygkSC56GGtC6cyys=
-github.com/lucas-clemente/quic-go v0.18.1/go.mod h1:yXttHsSNxQi8AWijC/vLP+OJczXqzHSOcJrM5ITUlCg=
-github.com/lucas-clemente/quic-go v0.19.1 h1:J9TkQJGJVOR3UmGhd4zdVYwKSA0EoXbLRf15uQJ6gT4=
-github.com/lucas-clemente/quic-go v0.19.1/go.mod h1:ZUygOqIoai0ASXXLJ92LTnKdbqh9MHCLTX6Nr1jUrK0=
+github.com/lucas-clemente/quic-go v0.19.3 h1:eCDQqvGBB+kCTkA0XrAFtNe81FMa0/fn4QSoeAbmiF4=
+github.com/lucas-clemente/quic-go v0.19.3/go.mod h1:ADXpNbTQjq1hIzCpB+y/k5iz4n4z4IwqoLb94Kh5Hu8=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -265,12 +259,9 @@ github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY
 github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI=
 github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
-github.com/marten-seemann/qpack v0.2.0/go.mod h1:F7Gl5L1jIgN1D11ucXefiuJS9UMVP2opoCp2jDKb7wc=
 github.com/marten-seemann/qpack v0.2.1/go.mod h1:F7Gl5L1jIgN1D11ucXefiuJS9UMVP2opoCp2jDKb7wc=
 github.com/marten-seemann/qtls v0.10.0 h1:ECsuYUKalRL240rRD4Ri33ISb7kAQ3qGDlrrl55b2pc=
 github.com/marten-seemann/qtls v0.10.0/go.mod h1:UvMd1oaYDACI99/oZUYLzMCkBXQVT0aGm99sJhbT8hs=
-github.com/marten-seemann/qtls-go1-15 v0.1.0 h1:i/YPXVxz8q9umso/5y474CNcHmTpA+5DH+mFPjx6PZg=
-github.com/marten-seemann/qtls-go1-15 v0.1.0/go.mod h1:GyFwywLKkRt+6mfU99csTEY1joMZz5vmB1WNZH3P81I=
 github.com/marten-seemann/qtls-go1-15 v0.1.1 h1:LIH6K34bPVttyXnUWixk0bzH6/N07VxbSabxn5A5gZQ=
 github.com/marten-seemann/qtls-go1-15 v0.1.1/go.mod h1:GyFwywLKkRt+6mfU99csTEY1joMZz5vmB1WNZH3P81I=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -289,7 +280,6 @@ github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00v
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.29 h1:xHBEhR+t5RzcFJjBLJlax2daXOrTYtr9z4WdKEfWFzg=
 github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/miekg/dns v1.1.34/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.35 h1:oTfOaDH+mZkdcgdIjH6yBajRGtIwcwcaR+rt23ZSrJs=
 github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -457,10 +447,10 @@ golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 h1:pLI5jrR7OSLijeIDcmRxNmw2api+jEfxLoykJVice/E=
-golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9 h1:phUcVbl53swtrUN8kQEXFhUxPlIlWyBfKmidCu7P95o=
-golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9 h1:sYNJzB4J8toYPQTM6pAkcmBRgw9SnQKP9oXCHfgy604=
+golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 h1:3wPMTskHO3+O6jqTEXyFcsnuxMQOqYSaHsDxcbUXpqA=
+golang.org/x/crypto v0.0.0-20201217014255-9d1352758620/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -516,9 +506,12 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgN
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201016165138-7b1cca2348c0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 h1:lwlPPsmjDKK0J6eG6xDWd5XPehI0R024zxjDnw3esPA=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20201216054612-986b41b23924 h1:QsnDpLLOKwHBBDa8nDws4DYNc/ryVW2vCpxCs09d4PY=
+golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -574,14 +567,19 @@ golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201214095126-aec9a390925b h1:tv7/y4pd+sR8bcNb2D6o7BNU6zjWm0VjQLac+w7fNNM=
+golang.org/x/sys v0.0.0-20201214095126-aec9a390925b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e h1:AyodaIpKjppX+cBfTASF2E1US3H2JFBj920Ot3rtDjs=
+golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -696,8 +694,6 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c h1:grhR+C34yXImVGp7EzNk+DTIk+323eIUWOmEevy6bDo=
-gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
--- a/internal/dnsfilter/blocked.go
+++ b/internal/dnsfilter/blocked.go
@@ -188,7 +188,7 @@ func BlockedSvcKnown(s string) bool {
 }

 // ApplyBlockedServices - set blocked services settings for this DNS request
-func (d *Dnsfilter) ApplyBlockedServices(setts *RequestFilteringSettings, list []string, global bool) {
+func (d *DNSFilter) ApplyBlockedServices(setts *RequestFilteringSettings, list []string, global bool) {
 	setts.ServicesRules = []ServiceEntry{}
 	if global {
 		d.confLock.RLock()
@@ -210,7 +210,7 @@ func (d *Dnsfilter) ApplyBlockedServices(setts *RequestFilteringSettings, list [
 	}
 }

-func (d *Dnsfilter) handleBlockedServicesList(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleBlockedServicesList(w http.ResponseWriter, r *http.Request) {
 	d.confLock.RLock()
 	list := d.Config.BlockedServices
 	d.confLock.RUnlock()
@@ -223,7 +223,7 @@ func (d *Dnsfilter) handleBlockedServicesList(w http.ResponseWriter, r *http.Req
 	}
 }

-func (d *Dnsfilter) handleBlockedServicesSet(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleBlockedServicesSet(w http.ResponseWriter, r *http.Request) {
 	list := []string{}
 	err := json.NewDecoder(r.Body).Decode(&list)
 	if err != nil {
@@ -241,7 +241,7 @@ func (d *Dnsfilter) handleBlockedServicesSet(w http.ResponseWriter, r *http.Requ
 }

 // registerBlockedServicesHandlers - register HTTP handlers
-func (d *Dnsfilter) registerBlockedServicesHandlers() {
+func (d *DNSFilter) registerBlockedServicesHandlers() {
 	d.Config.HTTPRegister("GET", "/control/blocked_services/list", d.handleBlockedServicesList)
 	d.Config.HTTPRegister("POST", "/control/blocked_services/set", d.handleBlockedServicesSet)
 }
--- a/internal/dnsfilter/dnsfilter.go
+++ b/internal/dnsfilter/dnsfilter.go
@@ -1,4 +1,4 @@
-// Package dnsfilter implements a DNS filter.
+// Package dnsfilter implements a DNS request and response filter.
 package dnsfilter

 import (
@@ -91,12 +91,12 @@ type filtersInitializerParams struct {
 	blockFilters []Filter
 }

-// Dnsfilter holds added rules and performs hostname matches against the rules
-type Dnsfilter struct {
+// DNSFilter matches hostnames and DNS requests against filtering rules.
+type DNSFilter struct {
 	rulesStorage         *filterlist.RuleStorage
 	filteringEngine      *urlfilter.DNSEngine
-	rulesStorageWhite    *filterlist.RuleStorage
-	filteringEngineWhite *urlfilter.DNSEngine
+	rulesStorageAllow    *filterlist.RuleStorage
+	filteringEngineAllow *urlfilter.DNSEngine
 	engineLock           sync.RWMutex

 	parentalServer       string // access via methods
@@ -127,13 +127,16 @@ const (

 	// NotFilteredNotFound - host was not find in any checks, default value for result
 	NotFilteredNotFound Reason = iota
-	// NotFilteredWhiteList - the host is explicitly whitelisted
-	NotFilteredWhiteList
+	// NotFilteredAllowList - the host is explicitly allowed
+	NotFilteredAllowList
+	// NotFilteredError is returned when there was an error during
+	// checking.  Reserved, currently unused.
+	NotFilteredError

 	// reasons for filtering

-	// FilteredBlackList - the host was matched to be advertising host
-	FilteredBlackList
+	// FilteredBlockList - the host was matched to be advertising host
+	FilteredBlockList
 	// FilteredSafeBrowsing - the host was matched to be malicious/phishing
 	FilteredSafeBrowsing
 	// FilteredParental - the host was matched to be outside of parental control settings
@@ -145,33 +148,45 @@ const (
 	// FilteredBlockedService - the host is blocked by "blocked services" settings
 	FilteredBlockedService

-	// ReasonRewrite - rewrite rule was applied
+	// ReasonRewrite is returned when there was a rewrite by
+	// a legacy DNS Rewrite rule.
 	ReasonRewrite

-	// RewriteEtcHosts - rewrite by /etc/hosts rule
-	RewriteEtcHosts
+	// RewriteAutoHosts is returned when there was a rewrite by
+	// autohosts rules (/etc/hosts and so on).
+	RewriteAutoHosts
+
+	// DNSRewriteRule is returned when a $dnsrewrite filter rule was
+	// applied.
+	DNSRewriteRule
 )

+// TODO(a.garipov): Resync with actual code names or replace completely
+// in HTTP API v1.
 var reasonNames = []string{
-	"NotFilteredNotFound",
-	"NotFilteredWhiteList",
-	"NotFilteredError",
+	NotFilteredNotFound:  "NotFilteredNotFound",
+	NotFilteredAllowList: "NotFilteredWhiteList",
+	NotFilteredError:     "NotFilteredError",

-	"FilteredBlackList",
-	"FilteredSafeBrowsing",
-	"FilteredParental",
-	"FilteredInvalid",
-	"FilteredSafeSearch",
-	"FilteredBlockedService",
+	FilteredBlockList:      "FilteredBlackList",
+	FilteredSafeBrowsing:   "FilteredSafeBrowsing",
+	FilteredParental:       "FilteredParental",
+	FilteredInvalid:        "FilteredInvalid",
+	FilteredSafeSearch:     "FilteredSafeSearch",
+	FilteredBlockedService: "FilteredBlockedService",

-	"Rewrite",
-	"RewriteEtcHosts",
+	ReasonRewrite: "Rewrite",
+
+	RewriteAutoHosts: "RewriteEtcHosts",
+
+	DNSRewriteRule: "DNSRewriteRule",
 }

 func (r Reason) String() string {
-	if uint(r) >= uint(len(reasonNames)) {
+	if r < 0 || int(r) >= len(reasonNames) {
 		return ""
 	}
+
 	return reasonNames[r]
 }

@@ -186,7 +201,7 @@ func (r Reason) In(reasons ...Reason) bool {
 }

 // GetConfig - get configuration
-func (d *Dnsfilter) GetConfig() RequestFilteringSettings {
+func (d *DNSFilter) GetConfig() RequestFilteringSettings {
 	c := RequestFilteringSettings{}
 	// d.confLock.RLock()
 	c.SafeSearchEnabled = d.Config.SafeSearchEnabled
@@ -197,7 +212,7 @@ func (d *Dnsfilter) GetConfig() RequestFilteringSettings {
 }

 // WriteDiskConfig - write configuration
-func (d *Dnsfilter) WriteDiskConfig(c *Config) {
+func (d *DNSFilter) WriteDiskConfig(c *Config) {
 	d.confLock.Lock()
 	*c = d.Config
 	c.Rewrites = rewriteArrayDup(d.Config.Rewrites)
@@ -208,7 +223,7 @@ func (d *Dnsfilter) WriteDiskConfig(c *Config) {
 // SetFilters - set new filters (synchronously or asynchronously)
 // When filters are set asynchronously, the old filters continue working until the new filters are ready.
 //  In this case the caller must ensure that the old filter files are intact.
-func (d *Dnsfilter) SetFilters(blockFilters, allowFilters []Filter, async bool) error {
+func (d *DNSFilter) SetFilters(blockFilters, allowFilters []Filter, async bool) error {
 	if async {
 		params := filtersInitializerParams{
 			allowFilters: allowFilters,
@@ -242,7 +257,7 @@ func (d *Dnsfilter) SetFilters(blockFilters, allowFilters []Filter, async bool)
 }

 // Starts initializing new filters by signal from channel
-func (d *Dnsfilter) filtersInitializer() {
+func (d *DNSFilter) filtersInitializer() {
 	for {
 		params := <-d.filtersInitializerChan
 		err := d.initFiltering(params.allowFilters, params.blockFilters)
@@ -254,13 +269,13 @@ func (d *Dnsfilter) filtersInitializer() {
 }

 // Close - close the object
-func (d *Dnsfilter) Close() {
+func (d *DNSFilter) Close() {
 	d.engineLock.Lock()
 	defer d.engineLock.Unlock()
 	d.reset()
 }

-func (d *Dnsfilter) reset() {
+func (d *DNSFilter) reset() {
 	var err error

 	if d.rulesStorage != nil {
@@ -270,16 +285,15 @@ func (d *Dnsfilter) reset() {
 		}
 	}

-	if d.rulesStorageWhite != nil {
-		err = d.rulesStorageWhite.Close()
+	if d.rulesStorageAllow != nil {
+		err = d.rulesStorageAllow.Close()
 		if err != nil {
-			log.Error("dnsfilter: rulesStorageWhite.Close: %s", err)
+			log.Error("dnsfilter: rulesStorageAllow.Close: %s", err)
 		}
 	}
 }

 type dnsFilterContext struct {
-	stats             Stats
 	safebrowsingCache cache.Cache
 	parentalCache     cache.Cache
 	safeSearchCache   cache.Cache
@@ -287,34 +301,63 @@ type dnsFilterContext struct {

 var gctx dnsFilterContext // global dnsfilter context

-// Result holds state of hostname check
-type Result struct {
-	IsFiltered bool   `json:",omitempty"` // True if the host name is filtered
-	Reason     Reason `json:",omitempty"` // Reason for blocking / unblocking
-	Rule       string `json:",omitempty"` // Original rule text
-	IP         net.IP `json:",omitempty"` // Not nil only in the case of a hosts file syntax
-	FilterID   int64  `json:",omitempty"` // Filter ID the rule belongs to
-
-	// for ReasonRewrite:
-	CanonName string `json:",omitempty"` // CNAME value
-
-	// for RewriteEtcHosts:
-	ReverseHosts []string `json:",omitempty"`
-
-	// for ReasonRewrite & RewriteEtcHosts:
-	IPList []net.IP `json:",omitempty"` // list of IP addresses
-
-	// for FilteredBlockedService:
-	ServiceName string `json:",omitempty"` // Name of the blocked service
+// ResultRule contains information about applied rules.
+type ResultRule struct {
+	// FilterListID is the ID of the rule's filter list.
+	FilterListID int64 `json:",omitempty"`
+	// Text is the text of the rule.
+	Text string `json:",omitempty"`
+	// IP is the host IP.  It is nil unless the rule uses the
+	// /etc/hosts syntax or the reason is FilteredSafeSearch.
+	IP net.IP `json:",omitempty"`
 }

-// Matched can be used to see if any match at all was found, no matter filtered or not
+// Result contains the result of a request check.
+//
+// All fields transitively have omitempty tags so that the query log
+// doesn't become too large.
+//
+// TODO(a.garipov): Clarify relationships between fields.  Perhaps
+// replace with a sum type or an interface?
+type Result struct {
+	// IsFiltered is true if the request is filtered.
+	IsFiltered bool `json:",omitempty"`
+
+	// Reason is the reason for blocking or unblocking the request.
+	Reason Reason `json:",omitempty"`
+
+	// Rules are applied rules.  If Rules are not empty, each rule
+	// is not nil.
+	Rules []*ResultRule `json:",omitempty"`
+
+	// ReverseHosts is the reverse lookup rewrite result.  It is
+	// empty unless Reason is set to RewriteAutoHosts.
+	ReverseHosts []string `json:",omitempty"`
+
+	// IPList is the lookup rewrite result.  It is empty unless
+	// Reason is set to RewriteAutoHosts or ReasonRewrite.
+	IPList []net.IP `json:",omitempty"`
+
+	// CanonName is the CNAME value from the lookup rewrite result.
+	// It is empty unless Reason is set to ReasonRewrite.
+	CanonName string `json:",omitempty"`
+
+	// ServiceName is the name of the blocked service.  It is empty
+	// unless Reason is set to FilteredBlockedService.
+	ServiceName string `json:",omitempty"`
+
+	// DNSRewriteResult is the $dnsrewrite filter rule result.
+	DNSRewriteResult *DNSRewriteResult `json:",omitempty"`
+}
+
+// Matched returns true if any match at all was found regardless of
+// whether it was filtered or not.
 func (r Reason) Matched() bool {
 	return r != NotFilteredNotFound
 }

-// CheckHostRules tries to match the host against filtering rules only
-func (d *Dnsfilter) CheckHostRules(host string, qtype uint16, setts *RequestFilteringSettings) (Result, error) {
+// CheckHostRules tries to match the host against filtering rules only.
+func (d *DNSFilter) CheckHostRules(host string, qtype uint16, setts *RequestFilteringSettings) (Result, error) {
 	if !setts.FilteringEnabled {
 		return Result{}, nil
 	}
@@ -322,9 +365,9 @@ func (d *Dnsfilter) CheckHostRules(host string, qtype uint16, setts *RequestFilt
 	return d.matchHost(host, qtype, *setts)
 }

-// CheckHost tries to match the host against filtering rules,
-// then safebrowsing and parental if they are enabled
-func (d *Dnsfilter) CheckHost(host string, qtype uint16, setts *RequestFilteringSettings) (Result, error) {
+// CheckHost tries to match the host against filtering rules, then
+// safebrowsing and parental control rules, if they are enabled.
+func (d *DNSFilter) CheckHost(host string, qtype uint16, setts *RequestFilteringSettings) (Result, error) {
 	// sometimes DNS clients will try to resolve ".", which is a request to get root servers
 	if host == "" {
 		return Result{Reason: NotFilteredNotFound}, nil
@@ -349,9 +392,6 @@ func (d *Dnsfilter) CheckHost(host string, qtype uint16, setts *RequestFiltering
 		}
 	}

-	// Then check the filter lists.
-	// if request is blocked -- it should be blocked.
-	// if it is whitelisted -- we should do nothing with it anymore.
 	if setts.FilteringEnabled {
 		result, err = d.matchHost(host, qtype, *setts)
 		if err != nil {
@@ -410,10 +450,10 @@ func (d *Dnsfilter) CheckHost(host string, qtype uint16, setts *RequestFiltering
 	return Result{}, nil
 }

-func (d *Dnsfilter) checkAutoHosts(host string, qtype uint16, result *Result) (matched bool) {
+func (d *DNSFilter) checkAutoHosts(host string, qtype uint16, result *Result) (matched bool) {
 	ips := d.Config.AutoHosts.Process(host, qtype)
 	if ips != nil {
-		result.Reason = RewriteEtcHosts
+		result.Reason = RewriteAutoHosts
 		result.IPList = ips

 		return true
@@ -421,7 +461,7 @@ func (d *Dnsfilter) checkAutoHosts(host string, qtype uint16, result *Result) (m

 	revHosts := d.Config.AutoHosts.ProcessReverse(host, qtype)
 	if len(revHosts) != 0 {
-		result.Reason = RewriteEtcHosts
+		result.Reason = RewriteAutoHosts

 		// TODO(a.garipov): Optimize this with a buffer.
 		result.ReverseHosts = make([]string, len(revHosts))
@@ -442,9 +482,7 @@ func (d *Dnsfilter) checkAutoHosts(host string, qtype uint16, result *Result) (m
 //  . repeat for the new domain name (Note: we return only the last CNAME)
 // . Find A or AAAA record for a domain name (exact match or by wildcard)
 //  . if found, set IP addresses (IPv4 or IPv6 depending on qtype) in Result.IPList array
-func (d *Dnsfilter) processRewrites(host string, qtype uint16) Result {
-	var res Result
-
+func (d *DNSFilter) processRewrites(host string, qtype uint16) (res Result) {
 	d.confLock.RLock()
 	defer d.confLock.RUnlock()

@@ -459,7 +497,8 @@ func (d *Dnsfilter) processRewrites(host string, qtype uint16) Result {
 		log.Debug("Rewrite: CNAME for %s is %s", host, rr[0].Answer)

 		if host == rr[0].Answer { // "host == CNAME" is an exception
-			res.Reason = 0
+			res.Reason = NotFilteredNotFound
+
 			return res
 		}

@@ -501,9 +540,16 @@ func matchBlockedServicesRules(host string, svcs []ServiceEntry) Result {
 				res.Reason = FilteredBlockedService
 				res.IsFiltered = true
 				res.ServiceName = s.Name
-				res.Rule = rule.Text()
-				log.Debug("Blocked Services: matched rule: %s  host: %s  service: %s",
-					res.Rule, host, s.Name)
+
+				ruleText := rule.Text()
+				res.Rules = []*ResultRule{{
+					FilterListID: int64(rule.GetFilterListID()),
+					Text:         ruleText,
+				}}
+
+				log.Debug("blocked services: matched rule: %s  host: %s  service: %s",
+					ruleText, host, s.Name)
+
 				return res
 			}
 		}
@@ -570,12 +616,12 @@ func createFilteringEngine(filters []Filter) (*filterlist.RuleStorage, *urlfilte
 }

 // Initialize urlfilter objects.
-func (d *Dnsfilter) initFiltering(allowFilters, blockFilters []Filter) error {
+func (d *DNSFilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	rulesStorage, filteringEngine, err := createFilteringEngine(blockFilters)
 	if err != nil {
 		return err
 	}
-	rulesStorageWhite, filteringEngineWhite, err := createFilteringEngine(allowFilters)
+	rulesStorageAllow, filteringEngineAllow, err := createFilteringEngine(allowFilters)
 	if err != nil {
 		return err
 	}
@@ -584,8 +630,8 @@ func (d *Dnsfilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	d.reset()
 	d.rulesStorage = rulesStorage
 	d.filteringEngine = filteringEngine
-	d.rulesStorageWhite = rulesStorageWhite
-	d.filteringEngineWhite = filteringEngineWhite
+	d.rulesStorageAllow = rulesStorageAllow
+	d.filteringEngineAllow = filteringEngineAllow
 	d.engineLock.Unlock()

 	// Make sure that the OS reclaims memory as soon as possible
@@ -595,9 +641,31 @@ func (d *Dnsfilter) initFiltering(allowFilters, blockFilters []Filter) error {
 	return nil
 }

+// matchHostProcessAllowList processes the allowlist logic of host
+// matching.
+func (d *DNSFilter) matchHostProcessAllowList(host string, dnsres urlfilter.DNSResult) (res Result, err error) {
+	var rule rules.Rule
+	if dnsres.NetworkRule != nil {
+		rule = dnsres.NetworkRule
+	} else if len(dnsres.HostRulesV4) > 0 {
+		rule = dnsres.HostRulesV4[0]
+	} else if len(dnsres.HostRulesV6) > 0 {
+		rule = dnsres.HostRulesV6[0]
+	}
+
+	if rule == nil {
+		return Result{}, fmt.Errorf("invalid dns result: rules are empty")
+	}
+
+	log.Debug("Filtering: found allowlist rule for host %q: %q  list_id: %d",
+		host, rule.Text(), rule.GetFilterListID())
+
+	return makeResult(rule, NotFilteredAllowList), nil
+}
+
 // matchHost is a low-level way to check only if hostname is filtered by rules,
 // skipping expensive safebrowsing and parental lookups.
-func (d *Dnsfilter) matchHost(host string, qtype uint16, setts RequestFilteringSettings) (Result, error) {
+func (d *DNSFilter) matchHost(host string, qtype uint16, setts RequestFilteringSettings) (res Result, err error) {
 	d.engineLock.RLock()
 	// Keep in mind that this lock must be held no just when calling Match()
 	//  but also while using the rules returned by it.
@@ -611,22 +679,10 @@ func (d *Dnsfilter) matchHost(host string, qtype uint16, setts RequestFilteringS
 		DNSType:          qtype,
 	}

-	if d.filteringEngineWhite != nil {
-		rr, ok := d.filteringEngineWhite.MatchRequest(ureq)
+	if d.filteringEngineAllow != nil {
+		dnsres, ok := d.filteringEngineAllow.MatchRequest(ureq)
 		if ok {
-			var rule rules.Rule
-			if rr.NetworkRule != nil {
-				rule = rr.NetworkRule
-			} else if rr.HostRulesV4 != nil {
-				rule = rr.HostRulesV4[0]
-			} else if rr.HostRulesV6 != nil {
-				rule = rr.HostRulesV6[0]
-			}
-
-			log.Debug("Filtering: found whitelist rule for host %q: %q  list_id: %d",
-				host, rule.Text(), rule.GetFilterListID())
-			res := makeResult(rule, NotFilteredWhiteList)
-			return res, nil
+			return d.matchHostProcessAllowList(host, dnsres)
 		}
 	}

@@ -634,68 +690,87 @@ func (d *Dnsfilter) matchHost(host string, qtype uint16, setts RequestFilteringS
 		return Result{}, nil
 	}

-	rr, ok := d.filteringEngine.MatchRequest(ureq)
-	if !ok {
+	dnsres, ok := d.filteringEngine.MatchRequest(ureq)
+
+	// Check DNS rewrites first, because the API there is a bit
+	// awkward.
+	if dnsr := dnsres.DNSRewrites(); len(dnsr) > 0 {
+		res = d.processDNSRewrites(dnsr)
+		if res.Reason == DNSRewriteRule && res.CanonName == host {
+			// A rewrite of a host to itself.  Go on and
+			// try matching other things.
+		} else {
+			return res, nil
+		}
+	} else if !ok {
 		return Result{}, nil
 	}

-	if rr.NetworkRule != nil {
+	if dnsres.NetworkRule != nil {
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
-			host, rr.NetworkRule.Text(), rr.NetworkRule.GetFilterListID())
-		reason := FilteredBlackList
-		if rr.NetworkRule.Whitelist {
-			reason = NotFilteredWhiteList
+			host, dnsres.NetworkRule.Text(), dnsres.NetworkRule.GetFilterListID())
+		reason := FilteredBlockList
+		if dnsres.NetworkRule.Whitelist {
+			reason = NotFilteredAllowList
 		}
-		res := makeResult(rr.NetworkRule, reason)
-		return res, nil
+
+		return makeResult(dnsres.NetworkRule, reason), nil
 	}

-	if qtype == dns.TypeA && rr.HostRulesV4 != nil {
-		rule := rr.HostRulesV4[0] // note that we process only 1 matched rule
+	if qtype == dns.TypeA && dnsres.HostRulesV4 != nil {
+		rule := dnsres.HostRulesV4[0] // note that we process only 1 matched rule
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
-		res.IP = rule.IP.To4()
+		res = makeResult(rule, FilteredBlockList)
+		res.Rules[0].IP = rule.IP.To4()
+
 		return res, nil
 	}

-	if qtype == dns.TypeAAAA && rr.HostRulesV6 != nil {
-		rule := rr.HostRulesV6[0] // note that we process only 1 matched rule
+	if qtype == dns.TypeAAAA && dnsres.HostRulesV6 != nil {
+		rule := dnsres.HostRulesV6[0] // note that we process only 1 matched rule
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
-		res.IP = rule.IP
+		res = makeResult(rule, FilteredBlockList)
+		res.Rules[0].IP = rule.IP
+
 		return res, nil
 	}

-	if rr.HostRulesV4 != nil || rr.HostRulesV6 != nil {
+	if dnsres.HostRulesV4 != nil || dnsres.HostRulesV6 != nil {
 		// Question Type doesn't match the host rules
 		// Return the first matched host rule, but without an IP address
 		var rule rules.Rule
-		if rr.HostRulesV4 != nil {
-			rule = rr.HostRulesV4[0]
-		} else if rr.HostRulesV6 != nil {
-			rule = rr.HostRulesV6[0]
+		if dnsres.HostRulesV4 != nil {
+			rule = dnsres.HostRulesV4[0]
+		} else if dnsres.HostRulesV6 != nil {
+			rule = dnsres.HostRulesV6[0]
 		}
 		log.Debug("Filtering: found rule for host %q: %q  list_id: %d",
 			host, rule.Text(), rule.GetFilterListID())
-		res := makeResult(rule, FilteredBlackList)
-		res.IP = net.IP{}
+		res = makeResult(rule, FilteredBlockList)
+		res.Rules[0].IP = net.IP{}
+
 		return res, nil
 	}

 	return Result{}, nil
 }

-// Construct Result object
+// makeResult returns a properly constructed Result.
 func makeResult(rule rules.Rule, reason Reason) Result {
-	res := Result{}
-	res.FilterID = int64(rule.GetFilterListID())
-	res.Rule = rule.Text()
-	res.Reason = reason
-	if reason == FilteredBlackList {
+	res := Result{
+		Reason: reason,
+		Rules: []*ResultRule{{
+			FilterListID: int64(rule.GetFilterListID()),
+			Text:         rule.Text(),
+		}},
+	}
+
+	if reason == FilteredBlockList {
 		res.IsFiltered = true
 	}
+
 	return res
 }

@@ -705,7 +780,7 @@ func InitModule() {
 }

 // New creates properly initialized DNS Filter that is ready to be used.
-func New(c *Config, blockFilters []Filter) *Dnsfilter {
+func New(c *Config, blockFilters []Filter) *DNSFilter {
 	if c != nil {
 		cacheConf := cache.Config{
 			EnableLRU: true,
@@ -727,7 +802,7 @@ func New(c *Config, blockFilters []Filter) *Dnsfilter {
 		}
 	}

-	d := new(Dnsfilter)
+	d := new(DNSFilter)

 	err := d.initSecurityServices()
 	if err != nil {
@@ -765,7 +840,7 @@ func New(c *Config, blockFilters []Filter) *Dnsfilter {
 // Start - start the module:
 // . start async filtering initializer goroutine
 // . register web handlers
-func (d *Dnsfilter) Start() {
+func (d *DNSFilter) Start() {
 	d.filtersInitializerChan = make(chan filtersInitializerParams, 1)
 	go d.filtersInitializer()

--- a/internal/dnsfilter/dnsfilter_test.go
+++ b/internal/dnsfilter/dnsfilter_test.go
@@ -41,7 +41,7 @@ func purgeCaches() {
 	}
 }

-func NewForTest(c *Config, filters []Filter) *Dnsfilter {
+func NewForTest(c *Config, filters []Filter) *DNSFilter {
 	setts = RequestFilteringSettings{}
 	setts.FilteringEnabled = true
 	if c != nil {
@@ -58,38 +58,48 @@ func NewForTest(c *Config, filters []Filter) *Dnsfilter {
 	return d
 }

-func (d *Dnsfilter) checkMatch(t *testing.T, hostname string) {
+func (d *DNSFilter) checkMatch(t *testing.T, hostname string) {
 	t.Helper()
-	ret, err := d.CheckHost(hostname, dns.TypeA, &setts)
+	res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 	if err != nil {
 		t.Errorf("Error while matching host %s: %s", hostname, err)
 	}
-	if !ret.IsFiltered {
+	if !res.IsFiltered {
 		t.Errorf("Expected hostname %s to match", hostname)
 	}
 }

-func (d *Dnsfilter) checkMatchIP(t *testing.T, hostname, ip string, qtype uint16) {
+func (d *DNSFilter) checkMatchIP(t *testing.T, hostname, ip string, qtype uint16) {
 	t.Helper()
-	ret, err := d.CheckHost(hostname, qtype, &setts)
+
+	res, err := d.CheckHost(hostname, qtype, &setts)
 	if err != nil {
 		t.Errorf("Error while matching host %s: %s", hostname, err)
 	}
-	if !ret.IsFiltered {
+
+	if !res.IsFiltered {
 		t.Errorf("Expected hostname %s to match", hostname)
 	}
-	if ret.IP == nil || ret.IP.String() != ip {
-		t.Errorf("Expected ip %s to match, actual: %v", ip, ret.IP)
+
+	if len(res.Rules) == 0 {
+		t.Errorf("Expected result to have rules")
+
+		return
+	}
+
+	r := res.Rules[0]
+	if r.IP == nil || r.IP.String() != ip {
+		t.Errorf("Expected ip %s to match, actual: %v", ip, r.IP)
 	}
 }

-func (d *Dnsfilter) checkMatchEmpty(t *testing.T, hostname string) {
+func (d *DNSFilter) checkMatchEmpty(t *testing.T, hostname string) {
 	t.Helper()
-	ret, err := d.CheckHost(hostname, dns.TypeA, &setts)
+	res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 	if err != nil {
 		t.Errorf("Error while matching host %s: %s", hostname, err)
 	}
-	if ret.IsFiltered {
+	if res.IsFiltered {
 		t.Errorf("Expected hostname %s to not match", hostname)
 	}
 }
@@ -120,26 +130,43 @@ func TestEtcHostsMatching(t *testing.T) {
 	d.checkMatchIP(t, "block.com", "0.0.0.0", dns.TypeA)

 	// ...but empty IPv6
-	ret, err := d.CheckHost("block.com", dns.TypeAAAA, &setts)
-	assert.True(t, err == nil && ret.IsFiltered && ret.IP != nil && len(ret.IP) == 0)
-	assert.True(t, ret.Rule == "0.0.0.0 block.com")
+	res, err := d.CheckHost("block.com", dns.TypeAAAA, &setts)
+	assert.Nil(t, err)
+	assert.True(t, res.IsFiltered)
+	if assert.Len(t, res.Rules, 1) {
+		assert.Equal(t, "0.0.0.0 block.com", res.Rules[0].Text)
+		assert.Len(t, res.Rules[0].IP, 0)
+	}

 	// IPv6
 	d.checkMatchIP(t, "ipv6.com", addr6, dns.TypeAAAA)

 	// ...but empty IPv4
-	ret, err = d.CheckHost("ipv6.com", dns.TypeA, &setts)
-	assert.True(t, err == nil && ret.IsFiltered && ret.IP != nil && len(ret.IP) == 0)
+	res, err = d.CheckHost("ipv6.com", dns.TypeA, &setts)
+	assert.Nil(t, err)
+	assert.True(t, res.IsFiltered)
+	if assert.Len(t, res.Rules, 1) {
+		assert.Equal(t, "::1  ipv6.com", res.Rules[0].Text)
+		assert.Len(t, res.Rules[0].IP, 0)
+	}

 	// 2 IPv4 (return only the first one)
-	ret, err = d.CheckHost("host2", dns.TypeA, &setts)
-	assert.True(t, err == nil && ret.IsFiltered)
-	assert.True(t, ret.IP != nil && ret.IP.Equal(net.ParseIP("0.0.0.1")))
+	res, err = d.CheckHost("host2", dns.TypeA, &setts)
+	assert.Nil(t, err)
+	assert.True(t, res.IsFiltered)
+	if assert.Len(t, res.Rules, 1) {
+		loopback4 := net.IP{0, 0, 0, 1}
+		assert.Equal(t, res.Rules[0].IP, loopback4)
+	}

 	// ...and 1 IPv6 address
-	ret, err = d.CheckHost("host2", dns.TypeAAAA, &setts)
-	assert.True(t, err == nil && ret.IsFiltered)
-	assert.True(t, ret.IP != nil && ret.IP.Equal(net.ParseIP("::1")))
+	res, err = d.CheckHost("host2", dns.TypeAAAA, &setts)
+	assert.Nil(t, err)
+	assert.True(t, res.IsFiltered)
+	if assert.Len(t, res.Rules, 1) {
+		loopback6 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+		assert.Equal(t, res.Rules[0].IP, loopback6)
+	}
 }

 // SAFE BROWSING
@@ -151,7 +178,6 @@ func TestSafeBrowsing(t *testing.T) {

 	d := NewForTest(&Config{SafeBrowsingEnabled: true}, nil)
 	defer d.Close()
-	gctx.stats.Safebrowsing.Requests = 0
 	d.checkMatch(t, "wmconvirus.narod.ru")

 	assert.True(t, strings.Contains(logOutput.String(), "SafeBrowsing lookup for wmconvirus.narod.ru"))
@@ -206,13 +232,11 @@ func TestCheckHostSafeSearchYandex(t *testing.T) {

 	// Check host for each domain
 	for _, host := range yandex {
-		result, err := d.CheckHost(host, dns.TypeA, &setts)
-		if err != nil {
-			t.Errorf("SafeSearch doesn't work for yandex domain `%s` cause %s", host, err)
-		}
-
-		if result.IP.String() != "213.180.193.56" {
-			t.Errorf("SafeSearch doesn't work for yandex domain `%s`", host)
+		res, err := d.CheckHost(host, dns.TypeA, &setts)
+		assert.Nil(t, err)
+		assert.True(t, res.IsFiltered)
+		if assert.Len(t, res.Rules, 1) {
+			assert.Equal(t, res.Rules[0].IP.String(), "213.180.193.56")
 		}
 	}
 }
@@ -226,13 +250,11 @@ func TestCheckHostSafeSearchGoogle(t *testing.T) {

 	// Check host for each domain
 	for _, host := range googleDomains {
-		result, err := d.CheckHost(host, dns.TypeA, &setts)
-		if err != nil {
-			t.Errorf("SafeSearch doesn't work for %s cause %s", host, err)
-		}
-
-		if result.IP == nil {
-			t.Errorf("SafeSearch doesn't work for %s", host)
+		res, err := d.CheckHost(host, dns.TypeA, &setts)
+		assert.Nil(t, err)
+		assert.True(t, res.IsFiltered)
+		if assert.Len(t, res.Rules, 1) {
+			assert.NotEqual(t, res.Rules[0].IP.String(), "0.0.0.0")
 		}
 	}
 }
@@ -242,40 +264,30 @@ func TestSafeSearchCacheYandex(t *testing.T) {
 	defer d.Close()
 	domain := "yandex.ru"

-	var result Result
-	var err error
-
-	// Check host with disabled safesearch
-	result, err = d.CheckHost(domain, dns.TypeA, &setts)
-	if err != nil {
-		t.Fatalf("Cannot check host due to %s", err)
-	}
-	if result.IP != nil {
-		t.Fatalf("SafeSearch is not enabled but there is an answer for `%s` !", domain)
-	}
+	// Check host with disabled safesearch.
+	res, err := d.CheckHost(domain, dns.TypeA, &setts)
+	assert.Nil(t, err)
+	assert.False(t, res.IsFiltered)
+	assert.Len(t, res.Rules, 0)

 	d = NewForTest(&Config{SafeSearchEnabled: true}, nil)
 	defer d.Close()

-	result, err = d.CheckHost(domain, dns.TypeA, &setts)
+	res, err = d.CheckHost(domain, dns.TypeA, &setts)
 	if err != nil {
 		t.Fatalf("CheckHost for safesearh domain %s failed cause %s", domain, err)
 	}

-	// Fir yandex we already know valid ip
-	if result.IP.String() != "213.180.193.56" {
-		t.Fatalf("Wrong IP for %s safesearch: %s", domain, result.IP.String())
+	// For yandex we already know valid ip.
+	if assert.Len(t, res.Rules, 1) {
+		assert.Equal(t, res.Rules[0].IP.String(), "213.180.193.56")
 	}

-	// Check cache
+	// Check cache.
 	cachedValue, isFound := getCachedResult(gctx.safeSearchCache, domain)
-
-	if !isFound {
-		t.Fatalf("Safesearch cache doesn't work for %s!", domain)
-	}
-
-	if cachedValue.IP.String() != "213.180.193.56" {
-		t.Fatalf("Wrong IP in cache for %s safesearch: %s", domain, cachedValue.IP.String())
+	assert.True(t, isFound)
+	if assert.Len(t, cachedValue.Rules, 1) {
+		assert.Equal(t, cachedValue.Rules[0].IP.String(), "213.180.193.56")
 	}
 }

@@ -283,13 +295,10 @@ func TestSafeSearchCacheGoogle(t *testing.T) {
 	d := NewForTest(nil, nil)
 	defer d.Close()
 	domain := "www.google.ru"
-	result, err := d.CheckHost(domain, dns.TypeA, &setts)
-	if err != nil {
-		t.Fatalf("Cannot check host due to %s", err)
-	}
-	if result.IP != nil {
-		t.Fatalf("SafeSearch is not enabled but there is an answer!")
-	}
+	res, err := d.CheckHost(domain, dns.TypeA, &setts)
+	assert.Nil(t, err)
+	assert.False(t, res.IsFiltered)
+	assert.Len(t, res.Rules, 0)

 	d = NewForTest(&Config{SafeSearchEnabled: true}, nil)
 	defer d.Close()
@@ -313,25 +322,17 @@ func TestSafeSearchCacheGoogle(t *testing.T) {
 		}
 	}

-	result, err = d.CheckHost(domain, dns.TypeA, &setts)
-	if err != nil {
-		t.Fatalf("CheckHost for safesearh domain %s failed cause %s", domain, err)
+	res, err = d.CheckHost(domain, dns.TypeA, &setts)
+	assert.Nil(t, err)
+	if assert.Len(t, res.Rules, 1) {
+		assert.True(t, res.Rules[0].IP.Equal(ip))
 	}

-	if result.IP.String() != ip.String() {
-		t.Fatalf("Wrong IP for %s safesearch: %s.  Should be: %s",
-			domain, result.IP.String(), ip)
-	}
-
-	// Check cache
+	// Check cache.
 	cachedValue, isFound := getCachedResult(gctx.safeSearchCache, domain)
-
-	if !isFound {
-		t.Fatalf("Safesearch cache doesn't work for %s!", domain)
-	}
-
-	if cachedValue.IP.String() != ip.String() {
-		t.Fatalf("Wrong IP in cache for %s safesearch: %s", domain, cachedValue.IP.String())
+	assert.True(t, isFound)
+	if assert.Len(t, cachedValue.Rules, 1) {
+		assert.True(t, cachedValue.Rules[0].IP.Equal(ip))
 	}
 }

@@ -364,7 +365,7 @@ const nl = "\n"

 const (
 	blockingRules  = `||example.org^` + nl
-	whitelistRules = `||example.org^` + nl + `@@||test.example.org` + nl
+	allowlistRules = `||example.org^` + nl + `@@||test.example.org` + nl
 	importantRules = `@@||example.org^` + nl + `||test.example.org^$important` + nl
 	regexRules     = `/example\.org/` + nl + `@@||test.example.org^` + nl
 	maskRules      = `test*.example.org^` + nl + `exam*.com` + nl
@@ -379,49 +380,49 @@ var tests = []struct {
 	reason     Reason
 	dnsType    uint16
 }{
-	{"sanity", "||doubleclick.net^", "www.doubleclick.net", true, FilteredBlackList, dns.TypeA},
+	{"sanity", "||doubleclick.net^", "www.doubleclick.net", true, FilteredBlockList, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "nodoubleclick.net", false, NotFilteredNotFound, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "doubleclick.net.ru", false, NotFilteredNotFound, dns.TypeA},
 	{"sanity", "||doubleclick.net^", "wmconvirus.narod.ru", false, NotFilteredNotFound, dns.TypeA},

-	{"blocking", blockingRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"blocking", blockingRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"blocking", blockingRules, "test.test.example.org", true, FilteredBlackList, dns.TypeA},
+	{"blocking", blockingRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"blocking", blockingRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"blocking", blockingRules, "test.test.example.org", true, FilteredBlockList, dns.TypeA},
 	{"blocking", blockingRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"blocking", blockingRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},

-	{"whitelist", whitelistRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"whitelist", whitelistRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"whitelist", whitelistRules, "test.test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"whitelist", whitelistRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
-	{"whitelist", whitelistRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
+	{"allowlist", allowlistRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"allowlist", allowlistRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"allowlist", allowlistRules, "test.test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"allowlist", allowlistRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
+	{"allowlist", allowlistRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},

-	{"important", importantRules, "example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"important", importantRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"important", importantRules, "test.test.example.org", true, FilteredBlackList, dns.TypeA},
+	{"important", importantRules, "example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"important", importantRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"important", importantRules, "test.test.example.org", true, FilteredBlockList, dns.TypeA},
 	{"important", importantRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"important", importantRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},

-	{"regex", regexRules, "example.org", true, FilteredBlackList, dns.TypeA},
-	{"regex", regexRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"regex", regexRules, "test.test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"regex", regexRules, "testexample.org", true, FilteredBlackList, dns.TypeA},
-	{"regex", regexRules, "onemoreexample.org", true, FilteredBlackList, dns.TypeA},
+	{"regex", regexRules, "example.org", true, FilteredBlockList, dns.TypeA},
+	{"regex", regexRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"regex", regexRules, "test.test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"regex", regexRules, "testexample.org", true, FilteredBlockList, dns.TypeA},
+	{"regex", regexRules, "onemoreexample.org", true, FilteredBlockList, dns.TypeA},

-	{"mask", maskRules, "test.example.org", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "test2.example.org", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "example.com", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "exampleeee.com", true, FilteredBlackList, dns.TypeA},
-	{"mask", maskRules, "onemoreexamsite.com", true, FilteredBlackList, dns.TypeA},
+	{"mask", maskRules, "test.example.org", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "test2.example.org", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "example.com", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "exampleeee.com", true, FilteredBlockList, dns.TypeA},
+	{"mask", maskRules, "onemoreexamsite.com", true, FilteredBlockList, dns.TypeA},
 	{"mask", maskRules, "example.org", false, NotFilteredNotFound, dns.TypeA},
 	{"mask", maskRules, "testexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"mask", maskRules, "example.co.uk", false, NotFilteredNotFound, dns.TypeA},

 	{"dnstype", dnstypeRules, "onemoreexample.org", false, NotFilteredNotFound, dns.TypeA},
 	{"dnstype", dnstypeRules, "example.org", false, NotFilteredNotFound, dns.TypeA},
-	{"dnstype", dnstypeRules, "example.org", true, FilteredBlackList, dns.TypeAAAA},
-	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeA},
-	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredWhiteList, dns.TypeAAAA},
+	{"dnstype", dnstypeRules, "example.org", true, FilteredBlockList, dns.TypeAAAA},
+	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredAllowList, dns.TypeA},
+	{"dnstype", dnstypeRules, "test.example.org", false, NotFilteredAllowList, dns.TypeAAAA},
 }

 func TestMatching(t *testing.T) {
@@ -433,15 +434,15 @@ func TestMatching(t *testing.T) {
 			d := NewForTest(nil, filters)
 			defer d.Close()

-			ret, err := d.CheckHost(test.hostname, test.dnsType, &setts)
+			res, err := d.CheckHost(test.hostname, test.dnsType, &setts)
 			if err != nil {
 				t.Errorf("Error while matching host %s: %s", test.hostname, err)
 			}
-			if ret.IsFiltered != test.isFiltered {
-				t.Errorf("Hostname %s has wrong result (%v must be %v)", test.hostname, ret.IsFiltered, test.isFiltered)
+			if res.IsFiltered != test.isFiltered {
+				t.Errorf("Hostname %s has wrong result (%v must be %v)", test.hostname, res.IsFiltered, test.isFiltered)
 			}
-			if ret.Reason != test.reason {
-				t.Errorf("Hostname %s has wrong reason (%v must be %v)", test.hostname, ret.Reason.String(), test.reason.String())
+			if res.Reason != test.reason {
+				t.Errorf("Hostname %s has wrong reason (%v must be %v)", test.hostname, res.Reason.String(), test.reason.String())
 			}
 		})
 	}
@@ -466,16 +467,20 @@ func TestWhitelist(t *testing.T) {
 	defer d.Close()

 	// matched by white filter
-	ret, err := d.CheckHost("host1", dns.TypeA, &setts)
+	res, err := d.CheckHost("host1", dns.TypeA, &setts)
 	assert.True(t, err == nil)
-	assert.True(t, !ret.IsFiltered && ret.Reason == NotFilteredWhiteList)
-	assert.True(t, ret.Rule == "||host1^")
+	assert.True(t, !res.IsFiltered && res.Reason == NotFilteredAllowList)
+	if assert.Len(t, res.Rules, 1) {
+		assert.True(t, res.Rules[0].Text == "||host1^")
+	}

 	// not matched by white filter, but matched by block filter
-	ret, err = d.CheckHost("host2", dns.TypeA, &setts)
+	res, err = d.CheckHost("host2", dns.TypeA, &setts)
 	assert.True(t, err == nil)
-	assert.True(t, ret.IsFiltered && ret.Reason == FilteredBlackList)
-	assert.True(t, ret.Rule == "||host2^")
+	assert.True(t, res.IsFiltered && res.Reason == FilteredBlockList)
+	if assert.Len(t, res.Rules, 1) {
+		assert.True(t, res.Rules[0].Text == "||host2^")
+	}
 }

 // CLIENT SETTINGS
@@ -506,8 +511,8 @@ func TestClientSettings(t *testing.T) {

 	// blocked by filters
 	r, _ = d.CheckHost("example.org", dns.TypeA, &setts)
-	if !r.IsFiltered || r.Reason != FilteredBlackList {
-		t.Fatalf("CheckHost FilteredBlackList")
+	if !r.IsFiltered || r.Reason != FilteredBlockList {
+		t.Fatalf("CheckHost FilteredBlockList")
 	}

 	// blocked by parental
@@ -559,11 +564,11 @@ func BenchmarkSafeBrowsing(b *testing.B) {
 	defer d.Close()
 	for n := 0; n < b.N; n++ {
 		hostname := "wmconvirus.narod.ru"
-		ret, err := d.CheckHost(hostname, dns.TypeA, &setts)
+		res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 		if err != nil {
 			b.Errorf("Error while matching host %s: %s", hostname, err)
 		}
-		if !ret.IsFiltered {
+		if !res.IsFiltered {
 			b.Errorf("Expected hostname %s to match", hostname)
 		}
 	}
@@ -575,11 +580,11 @@ func BenchmarkSafeBrowsingParallel(b *testing.B) {
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {
 			hostname := "wmconvirus.narod.ru"
-			ret, err := d.CheckHost(hostname, dns.TypeA, &setts)
+			res, err := d.CheckHost(hostname, dns.TypeA, &setts)
 			if err != nil {
 				b.Errorf("Error while matching host %s: %s", hostname, err)
 			}
-			if !ret.IsFiltered {
+			if !res.IsFiltered {
 				b.Errorf("Expected hostname %s to match", hostname)
 			}
 		}
--- a/internal/dnsfilter/dnsrewrite.go
+++ b/internal/dnsfilter/dnsrewrite.go
@@ -0,0 +1,80 @@
+package dnsfilter
+
+import (
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+)
+
+// DNSRewriteResult is the result of application of $dnsrewrite rules.
+type DNSRewriteResult struct {
+	Response DNSRewriteResultResponse `json:",omitempty"`
+	RCode    rules.RCode              `json:",omitempty"`
+}
+
+// DNSRewriteResultResponse is the collection of DNS response records
+// the server returns.
+type DNSRewriteResultResponse map[rules.RRType][]rules.RRValue
+
+// processDNSRewrites processes DNS rewrite rules in dnsr.  It returns
+// an empty result if dnsr is empty.  Otherwise, the result will have
+// either CanonName or DNSRewriteResult set.
+func (d *DNSFilter) processDNSRewrites(dnsr []*rules.NetworkRule) (res Result) {
+	if len(dnsr) == 0 {
+		return Result{}
+	}
+
+	var rules []*ResultRule
+	dnsrr := &DNSRewriteResult{
+		Response: DNSRewriteResultResponse{},
+	}
+
+	for _, nr := range dnsr {
+		dr := nr.DNSRewrite
+		if dr.NewCNAME != "" {
+			// NewCNAME rules have a higher priority than
+			// the other rules.
+			rules := []*ResultRule{{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			}}
+
+			return Result{
+				Reason:    DNSRewriteRule,
+				Rules:     rules,
+				CanonName: dr.NewCNAME,
+			}
+		}
+
+		switch dr.RCode {
+		case dns.RcodeSuccess:
+			dnsrr.RCode = dr.RCode
+			dnsrr.Response[dr.RRType] = append(dnsrr.Response[dr.RRType], dr.Value)
+			rules = append(rules, &ResultRule{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			})
+		default:
+			// RcodeRefused and other such codes have higher
+			// priority.  Return immediately.
+			rules := []*ResultRule{{
+				FilterListID: int64(nr.GetFilterListID()),
+				Text:         nr.RuleText,
+			}}
+			dnsrr = &DNSRewriteResult{
+				RCode: dr.RCode,
+			}
+
+			return Result{
+				Reason:           DNSRewriteRule,
+				Rules:            rules,
+				DNSRewriteResult: dnsrr,
+			}
+		}
+	}
+
+	return Result{
+		Reason:           DNSRewriteRule,
+		Rules:            rules,
+		DNSRewriteResult: dnsrr,
+	}
+}
--- a/internal/dnsfilter/dnsrewrite_test.go
+++ b/internal/dnsfilter/dnsrewrite_test.go
@@ -0,0 +1,202 @@
+package dnsfilter
+
+import (
+	"net"
+	"path"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
+	const text = `
+|cname^$dnsrewrite=new_cname
+
+|a_record^$dnsrewrite=127.0.0.1
+
+|aaaa_record^$dnsrewrite=::1
+
+|txt_record^$dnsrewrite=NOERROR;TXT;hello_world
+
+|refused^$dnsrewrite=REFUSED
+
+|a_records^$dnsrewrite=127.0.0.1
+|a_records^$dnsrewrite=127.0.0.2
+
+|aaaa_records^$dnsrewrite=::1
+|aaaa_records^$dnsrewrite=::2
+
+|disable_one^$dnsrewrite=127.0.0.1
+|disable_one^$dnsrewrite=127.0.0.2
+@@||disable_one^$dnsrewrite=127.0.0.1
+
+|disable_cname^$dnsrewrite=127.0.0.1
+|disable_cname^$dnsrewrite=new_cname
+@@||disable_cname^$dnsrewrite=new_cname
+
+|disable_cname_many^$dnsrewrite=127.0.0.1
+|disable_cname_many^$dnsrewrite=new_cname_1
+|disable_cname_many^$dnsrewrite=new_cname_2
+@@||disable_cname_many^$dnsrewrite=new_cname_1
+
+|disable_all^$dnsrewrite=127.0.0.1
+|disable_all^$dnsrewrite=127.0.0.2
+@@||disable_all^$dnsrewrite
+`
+	f := NewForTest(nil, []Filter{{ID: 0, Data: []byte(text)}})
+	setts := &RequestFilteringSettings{
+		FilteringEnabled: true,
+	}
+
+	ipv4p1 := net.IPv4(127, 0, 0, 1)
+	ipv4p2 := net.IPv4(127, 0, 0, 2)
+	ipv6p1 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+	ipv6p2 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
+
+	t.Run("cname", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "new_cname", res.CanonName)
+	})
+
+	t.Run("a_record", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("aaaa_record", func(t *testing.T) {
+		dtyp := dns.TypeAAAA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv6p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("txt_record", func(t *testing.T) {
+		dtyp := dns.TypeTXT
+		host := path.Base(t.Name())
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if strVals := dnsrr.Response[dtyp]; assert.Len(t, strVals, 1) {
+				assert.Equal(t, "hello_world", strVals[0])
+			}
+		}
+	})
+
+	t.Run("refused", func(t *testing.T) {
+		host := path.Base(t.Name())
+		res, err := f.CheckHostRules(host, dns.TypeA, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeRefused, dnsrr.RCode)
+		}
+	})
+
+	t.Run("a_records", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 2) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+				assert.Equal(t, ipv4p2, ipVals[1])
+			}
+		}
+	})
+
+	t.Run("aaaa_records", func(t *testing.T) {
+		dtyp := dns.TypeAAAA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 2) {
+				assert.Equal(t, ipv6p1, ipVals[0])
+				assert.Equal(t, ipv6p2, ipVals[1])
+			}
+		}
+	})
+
+	t.Run("disable_one", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p2, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("disable_cname", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "", res.CanonName)
+
+		if dnsrr := res.DNSRewriteResult; assert.NotNil(t, dnsrr) {
+			assert.Equal(t, dns.RcodeSuccess, dnsrr.RCode)
+			if ipVals := dnsrr.Response[dtyp]; assert.Len(t, ipVals, 1) {
+				assert.Equal(t, ipv4p1, ipVals[0])
+			}
+		}
+	})
+
+	t.Run("disable_cname_many", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "new_cname_2", res.CanonName)
+		assert.Nil(t, res.DNSRewriteResult)
+	})
+
+	t.Run("disable_all", func(t *testing.T) {
+		dtyp := dns.TypeA
+		host := path.Base(t.Name())
+
+		res, err := f.CheckHostRules(host, dtyp, setts)
+		assert.Nil(t, err)
+		assert.Equal(t, "", res.CanonName)
+		assert.Len(t, res.Rules, 0)
+	})
+}
--- a/internal/dnsfilter/rewrites.go
+++ b/internal/dnsfilter/rewrites.go
@@ -95,7 +95,7 @@ func (r *RewriteEntry) prepare() {
 	}
 }

-func (d *Dnsfilter) prepareRewrites() {
+func (d *DNSFilter) prepareRewrites() {
 	for i := range d.Rewrites {
 		d.Rewrites[i].prepare()
 	}
@@ -148,7 +148,7 @@ type rewriteEntryJSON struct {
 	Answer string `json:"answer"`
 }

-func (d *Dnsfilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
 	arr := []*rewriteEntryJSON{}

 	d.confLock.Lock()
@@ -169,7 +169,7 @@ func (d *Dnsfilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func (d *Dnsfilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
 	jsent := rewriteEntryJSON{}
 	err := json.NewDecoder(r.Body).Decode(&jsent)
 	if err != nil {
@@ -191,7 +191,7 @@ func (d *Dnsfilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
 	jsent := rewriteEntryJSON{}
 	err := json.NewDecoder(r.Body).Decode(&jsent)
 	if err != nil {
@@ -218,7 +218,7 @@ func (d *Dnsfilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request)
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) registerRewritesHandlers() {
+func (d *DNSFilter) registerRewritesHandlers() {
 	d.Config.HTTPRegister("GET", "/control/rewrite/list", d.handleRewriteList)
 	d.Config.HTTPRegister("POST", "/control/rewrite/add", d.handleRewriteAdd)
 	d.Config.HTTPRegister("POST", "/control/rewrite/delete", d.handleRewriteDelete)
--- a/internal/dnsfilter/rewrites_test.go
+++ b/internal/dnsfilter/rewrites_test.go
@@ -9,7 +9,7 @@ import (
 )

 func TestRewrites(t *testing.T) {
-	d := Dnsfilter{}
+	d := DNSFilter{}
 	// CNAME, A, AAAA
 	d.Rewrites = []RewriteEntry{
 		{"somecname", "somehost.com", 0, nil},
@@ -104,7 +104,7 @@ func TestRewrites(t *testing.T) {
 }

 func TestRewritesLevels(t *testing.T) {
-	d := Dnsfilter{}
+	d := DNSFilter{}
 	// exact host, wildcard L2, wildcard L3
 	d.Rewrites = []RewriteEntry{
 		{"host.com", "1.1.1.1", 0, nil},
@@ -133,7 +133,7 @@ func TestRewritesLevels(t *testing.T) {
 }

 func TestRewritesExceptionCNAME(t *testing.T) {
-	d := Dnsfilter{}
+	d := DNSFilter{}
 	// wildcard; exception for a sub-domain
 	d.Rewrites = []RewriteEntry{
 		{"*.host.com", "2.2.2.2", 0, nil},
@@ -153,7 +153,7 @@ func TestRewritesExceptionCNAME(t *testing.T) {
 }

 func TestRewritesExceptionWC(t *testing.T) {
-	d := Dnsfilter{}
+	d := DNSFilter{}
 	// wildcard; exception for a sub-wildcard
 	d.Rewrites = []RewriteEntry{
 		{"*.host.com", "2.2.2.2", 0, nil},
@@ -173,7 +173,7 @@ func TestRewritesExceptionWC(t *testing.T) {
 }

 func TestRewritesExceptionIP(t *testing.T) {
-	d := Dnsfilter{}
+	d := DNSFilter{}
 	// exception for AAAA record
 	d.Rewrites = []RewriteEntry{
 		{"host.com", "1.2.3.4", 0, nil},
--- a/internal/dnsfilter/safebrowsing.go
+++ b/internal/dnsfilter/safebrowsing.go
@@ -1,5 +1,3 @@
-// Safe Browsing, Parental Control
-
 package dnsfilter

 import (
@@ -22,6 +20,8 @@ import (
 	"golang.org/x/net/publicsuffix"
 )

+// Safe browsing and parental control methods.
+
 const (
 	dnsTimeout                = 3 * time.Second
 	defaultSafebrowsingServer = `https://dns-family.adguard.com/dns-query`
@@ -30,7 +30,7 @@ const (
 	pcTXTSuffix               = `pc.dns.adguard.com.`
 )

-func (d *Dnsfilter) initSecurityServices() error {
+func (d *DNSFilter) initSecurityServices() error {
 	var err error
 	d.safeBrowsingServer = defaultSafebrowsingServer
 	d.parentalServer = defaultParentalServer
@@ -287,7 +287,7 @@ func check(c *sbCtx, r Result, u upstream.Upstream) (Result, error) {
 	return Result{}, nil
 }

-func (d *Dnsfilter) checkSafeBrowsing(host string) (Result, error) {
+func (d *DNSFilter) checkSafeBrowsing(host string) (Result, error) {
 	if log.GetLevel() >= log.DEBUG {
 		timer := log.StartTimer()
 		defer timer.LogElapsed("SafeBrowsing lookup for %s", host)
@@ -301,12 +301,14 @@ func (d *Dnsfilter) checkSafeBrowsing(host string) (Result, error) {
 	res := Result{
 		IsFiltered: true,
 		Reason:     FilteredSafeBrowsing,
-		Rule:       "adguard-malware-shavar",
+		Rules: []*ResultRule{{
+			Text: "adguard-malware-shavar",
+		}},
 	}
 	return check(ctx, res, d.safeBrowsingUpstream)
 }

-func (d *Dnsfilter) checkParental(host string) (Result, error) {
+func (d *DNSFilter) checkParental(host string) (Result, error) {
 	if log.GetLevel() >= log.DEBUG {
 		timer := log.StartTimer()
 		defer timer.LogElapsed("Parental lookup for %s", host)
@@ -320,7 +322,9 @@ func (d *Dnsfilter) checkParental(host string) (Result, error) {
 	res := Result{
 		IsFiltered: true,
 		Reason:     FilteredParental,
-		Rule:       "parental CATEGORY_BLACKLISTED",
+		Rules: []*ResultRule{{
+			Text: "parental CATEGORY_BLACKLISTED",
+		}},
 	}
 	return check(ctx, res, d.parentalUpstream)
 }
@@ -331,17 +335,17 @@ func httpError(r *http.Request, w http.ResponseWriter, code int, format string,
 	http.Error(w, text, code)
 }

-func (d *Dnsfilter) handleSafeBrowsingEnable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeBrowsingEnable(w http.ResponseWriter, r *http.Request) {
 	d.Config.SafeBrowsingEnabled = true
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleSafeBrowsingDisable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeBrowsingDisable(w http.ResponseWriter, r *http.Request) {
 	d.Config.SafeBrowsingEnabled = false
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleSafeBrowsingStatus(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeBrowsingStatus(w http.ResponseWriter, r *http.Request) {
 	data := map[string]interface{}{
 		"enabled": d.Config.SafeBrowsingEnabled,
 	}
@@ -358,17 +362,17 @@ func (d *Dnsfilter) handleSafeBrowsingStatus(w http.ResponseWriter, r *http.Requ
 	}
 }

-func (d *Dnsfilter) handleParentalEnable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleParentalEnable(w http.ResponseWriter, r *http.Request) {
 	d.Config.ParentalEnabled = true
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleParentalDisable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleParentalDisable(w http.ResponseWriter, r *http.Request) {
 	d.Config.ParentalEnabled = false
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleParentalStatus(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleParentalStatus(w http.ResponseWriter, r *http.Request) {
 	data := map[string]interface{}{
 		"enabled": d.Config.ParentalEnabled,
 	}
@@ -386,7 +390,7 @@ func (d *Dnsfilter) handleParentalStatus(w http.ResponseWriter, r *http.Request)
 	}
 }

-func (d *Dnsfilter) registerSecurityHandlers() {
+func (d *DNSFilter) registerSecurityHandlers() {
 	d.Config.HTTPRegister("POST", "/control/safebrowsing/enable", d.handleSafeBrowsingEnable)
 	d.Config.HTTPRegister("POST", "/control/safebrowsing/disable", d.handleSafeBrowsingDisable)
 	d.Config.HTTPRegister("GET", "/control/safebrowsing/status", d.handleSafeBrowsingStatus)
--- a/internal/dnsfilter/safebrowsing_test.go
+++ b/internal/dnsfilter/safebrowsing_test.go
--- a/internal/dnsfilter/safesearch.go
+++ b/internal/dnsfilter/safesearch.go
@@ -18,7 +18,7 @@ import (
 expire byte[4]
 res Result
 */
-func (d *Dnsfilter) setCacheResult(cache cache.Cache, host string, res Result) int {
+func (d *DNSFilter) setCacheResult(cache cache.Cache, host string, res Result) int {
 	var buf bytes.Buffer

 	expire := uint(time.Now().Unix()) + d.Config.CacheTime*60
@@ -63,12 +63,12 @@ func getCachedResult(cache cache.Cache, host string) (Result, bool) {
 }

 // SafeSearchDomain returns replacement address for search engine
-func (d *Dnsfilter) SafeSearchDomain(host string) (string, bool) {
+func (d *DNSFilter) SafeSearchDomain(host string) (string, bool) {
 	val, ok := safeSearchDomains[host]
 	return val, ok
 }

-func (d *Dnsfilter) checkSafeSearch(host string) (Result, error) {
+func (d *DNSFilter) checkSafeSearch(host string) (Result, error) {
 	if log.GetLevel() >= log.DEBUG {
 		timer := log.StartTimer()
 		defer timer.LogElapsed("SafeSearch: lookup for %s", host)
@@ -87,49 +87,52 @@ func (d *Dnsfilter) checkSafeSearch(host string) (Result, error) {
 		return Result{}, nil
 	}

-	res := Result{IsFiltered: true, Reason: FilteredSafeSearch}
+	res := Result{
+		IsFiltered: true,
+		Reason:     FilteredSafeSearch,
+		Rules:      []*ResultRule{{}},
+	}
+
 	if ip := net.ParseIP(safeHost); ip != nil {
-		res.IP = ip
+		res.Rules[0].IP = ip
 		valLen := d.setCacheResult(gctx.safeSearchCache, host, res)
 		log.Debug("SafeSearch: stored in cache: %s (%d bytes)", host, valLen)
+
 		return res, nil
 	}

 	// TODO this address should be resolved with upstream that was configured in dnsforward
-	addrs, err := net.LookupIP(safeHost)
+	ips, err := net.LookupIP(safeHost)
 	if err != nil {
 		log.Tracef("SafeSearchDomain for %s was found but failed to lookup for %s cause %s", host, safeHost, err)
 		return Result{}, err
 	}

-	for _, i := range addrs {
-		if ipv4 := i.To4(); ipv4 != nil {
-			res.IP = ipv4
-			break
+	for _, ip := range ips {
+		if ipv4 := ip.To4(); ipv4 != nil {
+			res.Rules[0].IP = ipv4
+
+			l := d.setCacheResult(gctx.safeSearchCache, host, res)
+			log.Debug("SafeSearch: stored in cache: %s (%d bytes)", host, l)
+
+			return res, nil
 		}
 	}

-	if len(res.IP) == 0 {
-		return Result{}, fmt.Errorf("no ipv4 addresses in safe search response for %s", safeHost)
-	}
-
-	// Cache result
-	valLen := d.setCacheResult(gctx.safeSearchCache, host, res)
-	log.Debug("SafeSearch: stored in cache: %s (%d bytes)", host, valLen)
-	return res, nil
+	return Result{}, fmt.Errorf("no ipv4 addresses in safe search response for %s", safeHost)
 }

-func (d *Dnsfilter) handleSafeSearchEnable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeSearchEnable(w http.ResponseWriter, r *http.Request) {
 	d.Config.SafeSearchEnabled = true
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleSafeSearchDisable(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeSearchDisable(w http.ResponseWriter, r *http.Request) {
 	d.Config.SafeSearchEnabled = false
 	d.Config.ConfigModified()
 }

-func (d *Dnsfilter) handleSafeSearchStatus(w http.ResponseWriter, r *http.Request) {
+func (d *DNSFilter) handleSafeSearchStatus(w http.ResponseWriter, r *http.Request) {
 	data := map[string]interface{}{
 		"enabled": d.Config.SafeSearchEnabled,
 	}
--- a/internal/dnsforward/dns.go
+++ b/internal/dnsforward/dns.go
@@ -366,7 +366,9 @@ func processFilteringAfterResponse(ctx *dnsContext) int {
 	var err error

 	switch res.Reason {
-	case dnsfilter.ReasonRewrite:
+	case dnsfilter.ReasonRewrite,
+		dnsfilter.DNSRewriteRule:
+
 		if len(ctx.origQuestion.Name) == 0 {
 			// origQuestion is set in case we get only CNAME without IP from rewrites table
 			break
@@ -377,12 +379,12 @@ func processFilteringAfterResponse(ctx *dnsContext) int {

 		if len(d.Res.Answer) != 0 {
 			answer := []dns.RR{}
-			answer = append(answer, s.genCNAMEAnswer(d.Req, res.CanonName))
-			answer = append(answer, d.Res.Answer...) // host -> IP
+			answer = append(answer, s.genAnswerCNAME(d.Req, res.CanonName))
+			answer = append(answer, d.Res.Answer...)
 			d.Res.Answer = answer
 		}

-	case dnsfilter.NotFilteredWhiteList:
+	case dnsfilter.NotFilteredAllowList:
 		// nothing

 	default:
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -48,7 +48,7 @@ var webRegistered bool
 // The zero Server is empty and ready for use.
 type Server struct {
 	dnsProxy   *proxy.Proxy          // DNS proxy instance
-	dnsFilter  *dnsfilter.Dnsfilter  // DNS filter instance
+	dnsFilter  *dnsfilter.DNSFilter  // DNS filter instance
 	dhcpServer dhcpd.ServerInterface // DHCP server instance (optional)
 	queryLog   querylog.QueryLog     // Query log instance
 	stats      stats.Stats
@@ -74,7 +74,7 @@ type Server struct {

 // DNSCreateParams - parameters for NewServer()
 type DNSCreateParams struct {
-	DNSFilter  *dnsfilter.Dnsfilter
+	DNSFilter  *dnsfilter.DNSFilter
 	Stats      stats.Stats
 	QueryLog   querylog.QueryLog
 	DHCPServer dhcpd.ServerInterface
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -296,7 +296,7 @@ func TestBlockedRequest(t *testing.T) {

 func TestServerCustomClientUpstream(t *testing.T) {
 	s := createTestServer(t)
-	s.conf.GetCustomUpstreamByClient = func(clientAddr string) *proxy.UpstreamConfig {
+	s.conf.GetCustomUpstreamByClient = func(_ string) *proxy.UpstreamConfig {
 		uc := &proxy.UpstreamConfig{}
 		u := &testUpstream{}
 		u.ipv4 = map[string][]net.IP{}
@@ -473,7 +473,7 @@ func TestBlockCNAME(t *testing.T) {
 func TestClientRulesForCNAMEMatching(t *testing.T) {
 	s := createTestServer(t)
 	testUpstm := &testUpstream{testCNAMEs, testIPv4, nil}
-	s.conf.FilterHandler = func(clientAddr string, settings *dnsfilter.RequestFilteringSettings) {
+	s.conf.FilterHandler = func(_ string, settings *dnsfilter.RequestFilteringSettings) {
 		settings.FilteringEnabled = false
 	}
 	err := s.startWithUpstream(testUpstm)
@@ -863,6 +863,8 @@ func sendTestMessages(t *testing.T, conn *dns.Conn) {
 }

 func exchangeAndAssertResponse(t *testing.T, client *dns.Client, addr net.Addr, host, ip string) {
+	t.Helper()
+
 	req := createTestMessage(host)
 	reply, _, err := client.Exchange(req, addr.String())
 	if err != nil {
@@ -900,6 +902,8 @@ func assertGoogleAResponse(t *testing.T, reply *dns.Msg) {
 }

 func assertResponse(t *testing.T, reply *dns.Msg, ip string) {
+	t.Helper()
+
 	if len(reply.Answer) != 1 {
 		t.Fatalf("DNS server returned reply with wrong number of answers - %d", len(reply.Answer))
 	}
--- a/internal/dnsforward/dnsrewrite.go
+++ b/internal/dnsforward/dnsrewrite.go
@@ -0,0 +1,107 @@
+package dnsforward
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/agherr"
+	"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+)
+
+// filterDNSRewriteResponse handles a single DNS rewrite response entry.
+// It returns the properly constructed answer resource record.
+func (s *Server) filterDNSRewriteResponse(req *dns.Msg, rr rules.RRType, v rules.RRValue) (ans dns.RR, err error) {
+	// TODO(a.garipov): As more types are added, we will probably want to
+	// use a handler-oriented approach here.  So, think of a way to decouple
+	// the answer generation logic from the Server.
+
+	switch rr {
+	case dns.TypeA, dns.TypeAAAA:
+		ip, ok := v.(net.IP)
+		if !ok {
+			return nil, fmt.Errorf("value for rr type %d has type %T, not net.IP", rr, v)
+		}
+
+		if rr == dns.TypeA {
+			return s.genAnswerA(req, ip.To4()), nil
+		}
+
+		return s.genAnswerAAAA(req, ip), nil
+	case dns.TypePTR,
+		dns.TypeTXT:
+		str, ok := v.(string)
+		if !ok {
+			return nil, fmt.Errorf("value for rr type %d has type %T, not string", rr, v)
+		}
+
+		if rr == dns.TypeTXT {
+			return s.genAnswerTXT(req, []string{str}), nil
+		}
+
+		return s.genAnswerPTR(req, str), nil
+	case dns.TypeMX:
+		mx, ok := v.(*rules.DNSMX)
+		if !ok {
+			return nil, fmt.Errorf("value for rr type %d has type %T, not *rules.DNSMX", rr, v)
+		}
+
+		return s.genAnswerMX(req, mx), nil
+	case dns.TypeHTTPS,
+		dns.TypeSVCB:
+		svcb, ok := v.(*rules.DNSSVCB)
+		if !ok {
+			return nil, fmt.Errorf("value for rr type %d has type %T, not *rules.DNSSVCB", rr, v)
+		}
+
+		if rr == dns.TypeHTTPS {
+			return s.genAnswerHTTPS(req, svcb), nil
+		}
+
+		return s.genAnswerSVCB(req, svcb), nil
+	default:
+		log.Debug("don't know how to handle dns rr type %d, skipping", rr)
+
+		return nil, nil
+	}
+}
+
+// filterDNSRewrite handles dnsrewrite filters.  It constructs a DNS
+// response and sets it into d.Res.
+func (s *Server) filterDNSRewrite(req *dns.Msg, res dnsfilter.Result, d *proxy.DNSContext) (err error) {
+	resp := s.makeResponse(req)
+	dnsrr := res.DNSRewriteResult
+	if dnsrr == nil {
+		return agherr.Error("no dns rewrite rule content")
+	}
+
+	resp.Rcode = dnsrr.RCode
+	if resp.Rcode != dns.RcodeSuccess {
+		d.Res = resp
+
+		return nil
+	}
+
+	if dnsrr.Response == nil {
+		return agherr.Error("no dns rewrite rule responses")
+	}
+
+	rr := req.Question[0].Qtype
+	values := dnsrr.Response[rr]
+	for i, v := range values {
+		var ans dns.RR
+		ans, err = s.filterDNSRewriteResponse(req, rr, v)
+		if err != nil {
+			return fmt.Errorf("dns rewrite response for %d[%d]: %w", rr, i, err)
+		}
+
+		resp.Answer = append(resp.Answer, ans)
+	}
+
+	d.Res = resp
+
+	return nil
+}
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -42,7 +42,8 @@ func (s *Server) getClientRequestFilteringSettings(d *proxy.DNSContext) *dnsfilt
 	return &setts
 }

-// filterDNSRequest applies the dnsFilter and sets d.Res if the request was filtered
+// filterDNSRequest applies the dnsFilter and sets d.Res if the request
+// was filtered.
 func (s *Server) filterDNSRequest(ctx *dnsContext) (*dnsfilter.Result, error) {
 	d := ctx.proxyCtx
 	req := d.Req
@@ -52,13 +53,17 @@ func (s *Server) filterDNSRequest(ctx *dnsContext) (*dnsfilter.Result, error) {
 		// Return immediately if there's an error
 		return nil, fmt.Errorf("dnsfilter failed to check host %q: %w", host, err)
 	} else if res.IsFiltered {
-		log.Tracef("Host %s is filtered, reason - %q, matched rule: %q", host, res.Reason, res.Rule)
+		log.Tracef("Host %s is filtered, reason - %q, matched rule: %q", host, res.Reason, res.Rules[0].Text)
 		d.Res = s.genDNSFilterMessage(d, &res)
-	} else if res.Reason == dnsfilter.ReasonRewrite && len(res.CanonName) != 0 && len(res.IPList) == 0 {
+	} else if res.Reason.In(dnsfilter.ReasonRewrite, dnsfilter.DNSRewriteRule) &&
+		res.CanonName != "" &&
+		len(res.IPList) == 0 {
+		// Resolve the new canonical name, not the original host
+		// name.  The original question is readded in
+		// processFilteringAfterResponse.
 		ctx.origQuestion = d.Req.Question[0]
-		// resolve canonical name, not the original host name
 		d.Req.Question[0].Name = dns.Fqdn(res.CanonName)
-	} else if res.Reason == dnsfilter.RewriteEtcHosts && len(res.ReverseHosts) != 0 {
+	} else if res.Reason == dnsfilter.RewriteAutoHosts && len(res.ReverseHosts) != 0 {
 		resp := s.makeResponse(req)
 		for _, h := range res.ReverseHosts {
 			hdr := dns.RR_Header{
@@ -77,28 +82,33 @@ func (s *Server) filterDNSRequest(ctx *dnsContext) (*dnsfilter.Result, error) {
 		}

 		d.Res = resp
-	} else if res.Reason == dnsfilter.ReasonRewrite || res.Reason == dnsfilter.RewriteEtcHosts {
+	} else if res.Reason == dnsfilter.ReasonRewrite || res.Reason == dnsfilter.RewriteAutoHosts {
 		resp := s.makeResponse(req)

 		name := host
 		if len(res.CanonName) != 0 {
-			resp.Answer = append(resp.Answer, s.genCNAMEAnswer(req, res.CanonName))
+			resp.Answer = append(resp.Answer, s.genAnswerCNAME(req, res.CanonName))
 			name = res.CanonName
 		}

 		for _, ip := range res.IPList {
 			if req.Question[0].Qtype == dns.TypeA {
-				a := s.genAAnswer(req, ip.To4())
+				a := s.genAnswerA(req, ip.To4())
 				a.Hdr.Name = dns.Fqdn(name)
 				resp.Answer = append(resp.Answer, a)
 			} else if req.Question[0].Qtype == dns.TypeAAAA {
-				a := s.genAAAAAnswer(req, ip)
+				a := s.genAnswerAAAA(req, ip)
 				a.Hdr.Name = dns.Fqdn(name)
 				resp.Answer = append(resp.Answer, a)
 			}
 		}

 		d.Res = resp
+	} else if res.Reason == dnsfilter.DNSRewriteRule {
+		err = s.filterDNSRewrite(req, res, d)
+		if err != nil {
+			return nil, err
+		}
 	}

 	return &res, err
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -167,11 +167,12 @@ func (req *dnsConfig) checkCacheTTL() bool {
 	if req.CacheMinTTL == nil && req.CacheMaxTTL == nil {
 		return true
 	}
+
 	var min, max uint32
 	if req.CacheMinTTL != nil {
 		min = *req.CacheMinTTL
 	}
-	if req.CacheMaxTTL == nil {
+	if req.CacheMaxTTL != nil {
 		max = *req.CacheMaxTTL
 	}

--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -7,16 +7,22 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 )

 // Create a DNS response by DNS request and set necessary flags
-func (s *Server) makeResponse(req *dns.Msg) *dns.Msg {
-	resp := dns.Msg{}
+func (s *Server) makeResponse(req *dns.Msg) (resp *dns.Msg) {
+	resp = &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			RecursionAvailable: true,
+		},
+		Compress: true,
+	}
+
 	resp.SetReply(req)
-	resp.RecursionAvailable = true
-	resp.Compress = true
-	return &resp
+
+	return resp
 }

 // genDNSFilterMessage generates a DNS message corresponding to the filtering result
@@ -39,8 +45,10 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
 		// If the query was filtered by "Safe search", dnsfilter also must return
 		// the IP address that must be used in response.
 		// In this case regardless of the filtering method, we should return it
-		if result.Reason == dnsfilter.FilteredSafeSearch && result.IP != nil {
-			return s.genResponseWithIP(m, result.IP)
+		if result.Reason == dnsfilter.FilteredSafeSearch &&
+			len(result.Rules) > 0 &&
+			result.Rules[0].IP != nil {
+			return s.genResponseWithIP(m, result.Rules[0].IP)
 		}

 		if s.conf.BlockingMode == "null_ip" {
@@ -68,8 +76,8 @@ func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Resu
 		// Default blocking mode
 		// If there's an IP specified in the rule, return it
 		// For host-type rules, return null IP
-		if result.IP != nil {
-			return s.genResponseWithIP(m, result.IP)
+		if len(result.Rules) > 0 && result.Rules[0].IP != nil {
+			return s.genResponseWithIP(m, result.Rules[0].IP)
 		}

 		return s.makeResponseNullIP(m)
@@ -85,38 +93,66 @@ func (s *Server) genServerFailure(request *dns.Msg) *dns.Msg {

 func (s *Server) genARecord(request *dns.Msg, ip net.IP) *dns.Msg {
 	resp := s.makeResponse(request)
-	resp.Answer = append(resp.Answer, s.genAAnswer(request, ip))
+	resp.Answer = append(resp.Answer, s.genAnswerA(request, ip))
 	return resp
 }

 func (s *Server) genAAAARecord(request *dns.Msg, ip net.IP) *dns.Msg {
 	resp := s.makeResponse(request)
-	resp.Answer = append(resp.Answer, s.genAAAAAnswer(request, ip))
+	resp.Answer = append(resp.Answer, s.genAnswerAAAA(request, ip))
 	return resp
 }

-func (s *Server) genAAnswer(req *dns.Msg, ip net.IP) *dns.A {
-	answer := new(dns.A)
-	answer.Hdr = dns.RR_Header{
+func (s *Server) hdr(req *dns.Msg, rrType rules.RRType) (h dns.RR_Header) {
+	return dns.RR_Header{
 		Name:   req.Question[0].Name,
-		Rrtype: dns.TypeA,
+		Rrtype: rrType,
 		Ttl:    s.conf.BlockedResponseTTL,
 		Class:  dns.ClassINET,
 	}
-	answer.A = ip
-	return answer
 }

-func (s *Server) genAAAAAnswer(req *dns.Msg, ip net.IP) *dns.AAAA {
-	answer := new(dns.AAAA)
-	answer.Hdr = dns.RR_Header{
-		Name:   req.Question[0].Name,
-		Rrtype: dns.TypeAAAA,
-		Ttl:    s.conf.BlockedResponseTTL,
-		Class:  dns.ClassINET,
+func (s *Server) genAnswerA(req *dns.Msg, ip net.IP) (ans *dns.A) {
+	return &dns.A{
+		Hdr: s.hdr(req, dns.TypeA),
+		A:   ip,
+	}
+}
+
+func (s *Server) genAnswerAAAA(req *dns.Msg, ip net.IP) (ans *dns.AAAA) {
+	return &dns.AAAA{
+		Hdr:  s.hdr(req, dns.TypeAAAA),
+		AAAA: ip,
+	}
+}
+
+func (s *Server) genAnswerCNAME(req *dns.Msg, cname string) (ans *dns.CNAME) {
+	return &dns.CNAME{
+		Hdr:    s.hdr(req, dns.TypeCNAME),
+		Target: dns.Fqdn(cname),
+	}
+}
+
+func (s *Server) genAnswerMX(req *dns.Msg, mx *rules.DNSMX) (ans *dns.MX) {
+	return &dns.MX{
+		Hdr:        s.hdr(req, dns.TypePTR),
+		Preference: mx.Preference,
+		Mx:         mx.Exchange,
+	}
+}
+
+func (s *Server) genAnswerPTR(req *dns.Msg, ptr string) (ans *dns.PTR) {
+	return &dns.PTR{
+		Hdr: s.hdr(req, dns.TypePTR),
+		Ptr: ptr,
+	}
+}
+
+func (s *Server) genAnswerTXT(req *dns.Msg, strs []string) (ans *dns.TXT) {
+	return &dns.TXT{
+		Hdr: s.hdr(req, dns.TypeTXT),
+		Txt: strs,
 	}
-	answer.AAAA = ip
-	return answer
 }

 // generate DNS response message with an IP address
@@ -179,19 +215,6 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 	return resp
 }

-// Make a CNAME response
-func (s *Server) genCNAMEAnswer(req *dns.Msg, cname string) *dns.CNAME {
-	answer := new(dns.CNAME)
-	answer.Hdr = dns.RR_Header{
-		Name:   req.Question[0].Name,
-		Rrtype: dns.TypeCNAME,
-		Ttl:    s.conf.BlockedResponseTTL,
-		Class:  dns.ClassINET,
-	}
-	answer.Target = dns.Fqdn(cname)
-	return answer
-}
-
 // Create REFUSED DNS response
 func (s *Server) makeResponseREFUSED(request *dns.Msg) *dns.Msg {
 	resp := dns.Msg{}
--- a/internal/dnsforward/stats.go
+++ b/internal/dnsforward/stats.go
@@ -91,7 +91,7 @@ func (s *Server) updateStats(d *proxy.DNSContext, elapsed time.Duration, res dns
 	case dnsfilter.FilteredSafeSearch:
 		e.Result = stats.RSafeSearch

-	case dnsfilter.FilteredBlackList:
+	case dnsfilter.FilteredBlockList:
 		fallthrough
 	case dnsfilter.FilteredInvalid:
 		fallthrough
--- a/internal/dnsforward/svcbmsg.go
+++ b/internal/dnsforward/svcbmsg.go
@@ -0,0 +1,168 @@
+package dnsforward
+
+import (
+	"encoding/base64"
+	"net"
+	"strconv"
+
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+)
+
+// genAnswerHTTPS returns a properly initialized HTTPS resource record.
+//
+// See the comment on genAnswerSVCB for a list of current restrictions on
+// parameter values.
+func (s *Server) genAnswerHTTPS(req *dns.Msg, svcb *rules.DNSSVCB) (ans *dns.HTTPS) {
+	ans = &dns.HTTPS{
+		SVCB: *s.genAnswerSVCB(req, svcb),
+	}
+
+	ans.Hdr.Rrtype = dns.TypeHTTPS
+
+	return ans
+}
+
+// strToSVCBKey is the string-to-svcb-key mapping.
+//
+// See https://github.com/miekg/dns/blob/23c4faca9d32b0abbb6e179aa1aadc45ac53a916/svcb.go#L27.
+//
+// TODO(a.garipov): Propose exporting this API or something similar in the
+// github.com/miekg/dns module.
+var strToSVCBKey = map[string]dns.SVCBKey{
+	"alpn":            dns.SVCB_ALPN,
+	"echconfig":       dns.SVCB_ECHCONFIG,
+	"ipv4hint":        dns.SVCB_IPV4HINT,
+	"ipv6hint":        dns.SVCB_IPV6HINT,
+	"mandatory":       dns.SVCB_MANDATORY,
+	"no-default-alpn": dns.SVCB_NO_DEFAULT_ALPN,
+	"port":            dns.SVCB_PORT,
+}
+
+// svcbKeyHandler is a handler for one SVCB parameter key.
+type svcbKeyHandler func(valStr string) (val dns.SVCBKeyValue)
+
+// svcbKeyHandlers are the supported SVCB parameters handlers.
+var svcbKeyHandlers = map[string]svcbKeyHandler{
+	"alpn": func(valStr string) (val dns.SVCBKeyValue) {
+		return &dns.SVCBAlpn{
+			Alpn: []string{valStr},
+		}
+	},
+
+	"echconfig": func(valStr string) (val dns.SVCBKeyValue) {
+		ech, err := base64.StdEncoding.DecodeString(valStr)
+		if err != nil {
+			log.Debug("can't parse svcb/https echconfig: %s; ignoring", err)
+
+			return nil
+		}
+
+		return &dns.SVCBECHConfig{
+			ECH: ech,
+		}
+	},
+
+	"ipv4hint": func(valStr string) (val dns.SVCBKeyValue) {
+		ip := net.ParseIP(valStr)
+		if ip4 := ip.To4(); ip == nil || ip4 == nil {
+			log.Debug("can't parse svcb/https ipv4 hint %q; ignoring", valStr)
+
+			return nil
+		}
+
+		return &dns.SVCBIPv4Hint{
+			Hint: []net.IP{ip},
+		}
+	},
+
+	"ipv6hint": func(valStr string) (val dns.SVCBKeyValue) {
+		ip := net.ParseIP(valStr)
+		if ip == nil {
+			log.Debug("can't parse svcb/https ipv6 hint %q; ignoring", valStr)
+
+			return nil
+		}
+
+		return &dns.SVCBIPv6Hint{
+			Hint: []net.IP{ip},
+		}
+	},
+
+	"mandatory": func(valStr string) (val dns.SVCBKeyValue) {
+		code, ok := strToSVCBKey[valStr]
+		if !ok {
+			log.Debug("unknown svcb/https mandatory key %q, ignoring", valStr)
+
+			return nil
+		}
+
+		return &dns.SVCBMandatory{
+			Code: []dns.SVCBKey{code},
+		}
+	},
+
+	"no-default-alpn": func(_ string) (val dns.SVCBKeyValue) {
+		return &dns.SVCBNoDefaultAlpn{}
+	},
+
+	"port": func(valStr string) (val dns.SVCBKeyValue) {
+		port64, err := strconv.ParseUint(valStr, 10, 16)
+		if err != nil {
+			log.Debug("can't parse svcb/https port: %s; ignoring", err)
+
+			return nil
+		}
+
+		return &dns.SVCBPort{
+			Port: uint16(port64),
+		}
+	},
+}
+
+// genAnswerSVCB returns a properly initialized SVCB resource record.
+//
+// Currently, there are several restrictions on how the parameters are parsed.
+// Firstly, the parsing of non-contiguous values isn't supported.  Secondly, the
+// parsing of value-lists is not supported either.
+//
+//   ipv4hint=127.0.0.1             // Supported.
+//   ipv4hint="127.0.0.1"           // Unsupported.
+//   ipv4hint=127.0.0.1,127.0.0.2   // Unsupported.
+//   ipv4hint="127.0.0.1,127.0.0.2" // Unsupported.
+//
+// TODO(a.garipov): Support all of these.
+func (s *Server) genAnswerSVCB(req *dns.Msg, svcb *rules.DNSSVCB) (ans *dns.SVCB) {
+	ans = &dns.SVCB{
+		Hdr:      s.hdr(req, dns.TypeSVCB),
+		Priority: svcb.Priority,
+		Target:   svcb.Target,
+	}
+	if len(svcb.Params) == 0 {
+		return ans
+	}
+
+	values := make([]dns.SVCBKeyValue, 0, len(svcb.Params))
+	for k, valStr := range svcb.Params {
+		handler, ok := svcbKeyHandlers[k]
+		if !ok {
+			log.Debug("unknown svcb/https key %q, ignoring", k)
+
+			continue
+		}
+
+		val := handler(valStr)
+		if val == nil {
+			continue
+		}
+
+		values = append(values, val)
+	}
+
+	if len(values) > 0 {
+		ans.Value = values
+	}
+
+	return ans
+}
--- a/internal/dnsforward/svcbmsg_test.go
+++ b/internal/dnsforward/svcbmsg_test.go
@@ -0,0 +1,154 @@
+package dnsforward
+
+import (
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGenAnswerHTTPS_andSVCB(t *testing.T) {
+	// Preconditions.
+
+	s := &Server{
+		conf: ServerConfig{
+			FilteringConfig: FilteringConfig{
+				BlockedResponseTTL: 3600,
+			},
+		},
+	}
+
+	req := &dns.Msg{
+		Question: []dns.Question{{
+			Name: "abcd",
+		}},
+	}
+
+	// Constants and helper values.
+
+	const host = "example.com"
+	const prio = 32
+
+	ip4 := net.IPv4(127, 0, 0, 1)
+	ip6 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+
+	// Helper functions.
+
+	dnssvcb := func(key, value string) (svcb *rules.DNSSVCB) {
+		svcb = &rules.DNSSVCB{
+			Target:   host,
+			Priority: prio,
+		}
+
+		if key == "" {
+			return svcb
+		}
+
+		svcb.Params = map[string]string{
+			key: value,
+		}
+
+		return svcb
+	}
+
+	wantsvcb := func(kv dns.SVCBKeyValue) (want *dns.SVCB) {
+		want = &dns.SVCB{
+			Hdr:      s.hdr(req, dns.TypeSVCB),
+			Priority: prio,
+			Target:   host,
+		}
+
+		if kv == nil {
+			return want
+		}
+
+		want.Value = []dns.SVCBKeyValue{kv}
+
+		return want
+	}
+
+	// Tests.
+
+	testCases := []struct {
+		svcb *rules.DNSSVCB
+		want *dns.SVCB
+		name string
+	}{{
+		svcb: dnssvcb("", ""),
+		want: wantsvcb(nil),
+		name: "no_params",
+	}, {
+		svcb: dnssvcb("foo", "bar"),
+		want: wantsvcb(nil),
+		name: "invalid",
+	}, {
+		svcb: dnssvcb("alpn", "h3"),
+		want: wantsvcb(&dns.SVCBAlpn{Alpn: []string{"h3"}}),
+		name: "alpn",
+	}, {
+		svcb: dnssvcb("echconfig", "AAAA"),
+		want: wantsvcb(&dns.SVCBECHConfig{ECH: []byte{0, 0, 0}}),
+		name: "echconfig",
+	}, {
+		svcb: dnssvcb("echconfig", "%BAD%"),
+		want: wantsvcb(nil),
+		name: "echconfig_invalid",
+	}, {
+		svcb: dnssvcb("ipv4hint", "127.0.0.1"),
+		want: wantsvcb(&dns.SVCBIPv4Hint{Hint: []net.IP{ip4}}),
+		name: "ipv4hint",
+	}, {
+		svcb: dnssvcb("ipv4hint", "127.0.01"),
+		want: wantsvcb(nil),
+		name: "ipv4hint_invalid",
+	}, {
+		svcb: dnssvcb("ipv6hint", "::1"),
+		want: wantsvcb(&dns.SVCBIPv6Hint{Hint: []net.IP{ip6}}),
+		name: "ipv6hint",
+	}, {
+		svcb: dnssvcb("ipv6hint", ":::1"),
+		want: wantsvcb(nil),
+		name: "ipv6hint_invalid",
+	}, {
+		svcb: dnssvcb("mandatory", "alpn"),
+		want: wantsvcb(&dns.SVCBMandatory{Code: []dns.SVCBKey{dns.SVCB_ALPN}}),
+		name: "mandatory",
+	}, {
+		svcb: dnssvcb("mandatory", "alpnn"),
+		want: wantsvcb(nil),
+		name: "mandatory_invalid",
+	}, {
+		svcb: dnssvcb("no-default-alpn", ""),
+		want: wantsvcb(&dns.SVCBNoDefaultAlpn{}),
+		name: "no-default-alpn",
+	}, {
+		svcb: dnssvcb("port", "8080"),
+		want: wantsvcb(&dns.SVCBPort{Port: 8080}),
+		name: "port",
+	}, {
+		svcb: dnssvcb("port", "1005008080"),
+		want: wantsvcb(nil),
+		name: "port",
+	}}
+
+	for _, tc := range testCases {
+		t.Run("https", func(t *testing.T) {
+			t.Run(tc.name, func(t *testing.T) {
+				want := &dns.HTTPS{SVCB: *tc.want}
+				want.Hdr.Rrtype = dns.TypeHTTPS
+
+				got := s.genAnswerHTTPS(req, tc.svcb)
+				assert.Equal(t, want, got)
+			})
+		})
+
+		t.Run("svcb", func(t *testing.T) {
+			t.Run(tc.name, func(t *testing.T) {
+				got := s.genAnswerSVCB(req, tc.svcb)
+				assert.Equal(t, tc.want, got)
+			})
+		})
+	}
+}
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@@ -59,10 +59,10 @@ func (s *session) deserialize(data []byte) bool {
 // Auth - global object
 type Auth struct {
 	db         *bbolt.DB
-	sessions   map[string]*session // session name -> session data
-	lock       sync.Mutex
+	sessions   map[string]*session
 	users      []User
-	sessionTTL uint32 // in seconds
+	lock       sync.Mutex
+	sessionTTL uint32
 }

 // User object
@@ -223,24 +223,35 @@ func (a *Auth) removeSession(sess []byte) {
 	log.Debug("Auth: removed session from DB")
 }

-// CheckSession - check if session is valid
-// Return 0 if OK;  -1 if session doesn't exist;  1 if session has expired
-func (a *Auth) CheckSession(sess string) int {
+// checkSessionResult is the result of checking a session.
+type checkSessionResult int
+
+// checkSessionResult constants.
+const (
+	checkSessionOK       checkSessionResult = 0
+	checkSessionNotFound checkSessionResult = -1
+	checkSessionExpired  checkSessionResult = 1
+)
+
+// checkSession checks if the session is valid.
+func (a *Auth) checkSession(sess string) (res checkSessionResult) {
 	now := uint32(time.Now().UTC().Unix())
 	update := false

 	a.lock.Lock()
+	defer a.lock.Unlock()
+
 	s, ok := a.sessions[sess]
 	if !ok {
-		a.lock.Unlock()
-		return -1
+		return checkSessionNotFound
 	}
+
 	if s.expire <= now {
 		delete(a.sessions, sess)
 		key, _ := hex.DecodeString(sess)
 		a.removeSession(key)
-		a.lock.Unlock()
-		return 1
+
+		return checkSessionExpired
 	}

 	newExpire := now + a.sessionTTL
@@ -250,8 +261,6 @@ func (a *Auth) CheckSession(sess string) int {
 		s.expire = newExpire
 	}

-	a.lock.Unlock()
-
 	if update {
 		key, _ := hex.DecodeString(sess)
 		if a.storeSession(key, s) {
@@ -259,7 +268,7 @@ func (a *Auth) CheckSession(sess string) int {
 		}
 	}

-	return 0
+	return checkSessionOK
 }

 // RemoveSession - remove session
@@ -392,8 +401,8 @@ func optionalAuthThird(w http.ResponseWriter, r *http.Request) (authFirst bool)
 		ok = true

 	} else if err == nil {
-		r := Context.auth.CheckSession(cookie.Value)
-		if r == 0 {
+		r := Context.auth.checkSession(cookie.Value)
+		if r == checkSessionOK {
 			ok = true
 		} else if r < 0 {
 			log.Debug("Auth: invalid cookie value: %s", cookie)
@@ -434,12 +443,13 @@ func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.Re
 			authRequired := Context.auth != nil && Context.auth.AuthRequired()
 			cookie, err := r.Cookie(sessionCookieName)
 			if authRequired && err == nil {
-				r := Context.auth.CheckSession(cookie.Value)
-				if r == 0 {
+				r := Context.auth.checkSession(cookie.Value)
+				if r == checkSessionOK {
 					w.Header().Set("Location", "/")
 					w.WriteHeader(http.StatusFound)
+
 					return
-				} else if r < 0 {
+				} else if r == checkSessionNotFound {
 					log.Debug("Auth: invalid cookie value: %s", cookie)
 				}
 			}
@@ -503,32 +513,34 @@ func (a *Auth) UserFind(login, password string) User {
 	return User{}
 }

-// GetCurrentUser - get the current user
-func (a *Auth) GetCurrentUser(r *http.Request) User {
+// getCurrentUser returns the current user.  It returns an empty User if the
+// user is not found.
+func (a *Auth) getCurrentUser(r *http.Request) User {
 	cookie, err := r.Cookie(sessionCookieName)
 	if err != nil {
-		// there's no Cookie, check Basic authentication
+		// There's no Cookie, check Basic authentication.
 		user, pass, ok := r.BasicAuth()
 		if ok {
-			u := Context.auth.UserFind(user, pass)
-			return u
+			return Context.auth.UserFind(user, pass)
 		}
+
 		return User{}
 	}

 	a.lock.Lock()
+	defer a.lock.Unlock()
+
 	s, ok := a.sessions[cookie.Value]
 	if !ok {
-		a.lock.Unlock()
 		return User{}
 	}
+
 	for _, u := range a.users {
 		if u.Name == s.userName {
-			a.lock.Unlock()
 			return u
 		}
 	}
-	a.lock.Unlock()
+
 	return User{}
 }

--- a/internal/home/auth_test.go
+++ b/internal/home/auth_test.go
@@ -38,7 +38,7 @@ func TestAuth(t *testing.T) {
 	user := User{Name: "name"}
 	a.UserAdd(&user, "password")

-	assert.True(t, a.CheckSession("notfound") == -1)
+	assert.Equal(t, checkSessionNotFound, a.checkSession("notfound"))
 	a.RemoveSession("notfound")

 	sess, err := getSession(&users[0])
@@ -49,13 +49,13 @@ func TestAuth(t *testing.T) {
 	// check expiration
 	s.expire = uint32(now)
 	a.addSession(sess, &s)
-	assert.True(t, a.CheckSession(sessStr) == 1)
+	assert.Equal(t, checkSessionExpired, a.checkSession(sessStr))

 	// add session with TTL = 2 sec
 	s = session{}
 	s.expire = uint32(time.Now().UTC().Unix() + 2)
 	a.addSession(sess, &s)
-	assert.True(t, a.CheckSession(sessStr) == 0)
+	assert.Equal(t, checkSessionOK, a.checkSession(sessStr))

 	a.Close()

@@ -63,8 +63,8 @@ func TestAuth(t *testing.T) {
 	a = InitAuth(fn, users, 60)

 	// the session is still alive
-	assert.True(t, a.CheckSession(sessStr) == 0)
-	// reset our expiration time because CheckSession() has just updated it
+	assert.Equal(t, checkSessionOK, a.checkSession(sessStr))
+	// reset our expiration time because checkSession() has just updated it
 	s.expire = uint32(time.Now().UTC().Unix() + 2)
 	a.storeSession(sess, &s)
 	a.Close()
@@ -76,7 +76,7 @@ func TestAuth(t *testing.T) {

 	// load and remove expired sessions
 	a = InitAuth(fn, users, 60)
-	assert.True(t, a.CheckSession(sessStr) == -1)
+	assert.Equal(t, checkSessionNotFound, a.checkSession(sessStr))

 	a.Close()
 	os.Remove(fn)
@@ -111,7 +111,7 @@ func TestAuthHTTP(t *testing.T) {
 	Context.auth = InitAuth(fn, users, 60)

 	handlerCalled := false
-	handler := func(w http.ResponseWriter, r *http.Request) {
+	handler := func(_ http.ResponseWriter, _ *http.Request) {
 		handlerCalled = true
 	}
 	handler2 := optionalAuth(handler)
--- a/internal/home/control.go
+++ b/internal/home/control.go
@@ -89,7 +89,7 @@ type profileJSON struct {

 func handleGetProfile(w http.ResponseWriter, r *http.Request) {
 	pj := profileJSON{}
-	u := Context.auth.GetCurrentUser(r)
+	u := Context.auth.getCurrentUser(r)
 	pj.Name = u.Name

 	data, err := json.Marshal(pj)
--- a/internal/home/controlfiltering.go
+++ b/internal/home/controlfiltering.go
@@ -346,10 +346,25 @@ func (f *Filtering) handleFilteringConfig(w http.ResponseWriter, r *http.Request
 	enableFilters(true)
 }

+type checkHostRespRule struct {
+	FilterListID int64  `json:"filter_list_id"`
+	Text         string `json:"text"`
+}
+
 type checkHostResp struct {
-	Reason   string `json:"reason"`
-	FilterID int64  `json:"filter_id"`
-	Rule     string `json:"rule"`
+	Reason string `json:"reason"`
+
+	// FilterID is the ID of the rule's filter list.
+	//
+	// Deprecated: Use Rules[*].FilterListID.
+	FilterID int64 `json:"filter_id"`
+
+	// Rule is the text of the matched rule.
+	//
+	// Deprecated: Use Rules[*].Text.
+	Rule string `json:"rule"`
+
+	Rules []*checkHostRespRule `json:"rules"`

 	// for FilteredBlockedService:
 	SvcName string `json:"service_name"`
@@ -374,11 +389,23 @@ func (f *Filtering) handleCheckHost(w http.ResponseWriter, r *http.Request) {

 	resp := checkHostResp{}
 	resp.Reason = result.Reason.String()
-	resp.FilterID = result.FilterID
-	resp.Rule = result.Rule
 	resp.SvcName = result.ServiceName
 	resp.CanonName = result.CanonName
 	resp.IPList = result.IPList
+
+	if len(result.Rules) > 0 {
+		resp.FilterID = result.Rules[0].FilterListID
+		resp.Rule = result.Rules[0].Text
+	}
+
+	resp.Rules = make([]*checkHostRespRule, len(result.Rules))
+	for i, r := range result.Rules {
+		resp.Rules[i] = &checkHostRespRule{
+			FilterListID: r.FilterListID,
+			Text:         r.Text,
+		}
+	}
+
 	js, err := json.Marshal(resp)
 	if err != nil {
 		httpError(w, http.StatusInternalServerError, "json encode: %s", err)
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -58,7 +58,7 @@ type homeContext struct {
 	dnsServer  *dnsforward.Server   // DNS module
 	rdns       *RDNS                // rDNS module
 	whois      *Whois               // WHOIS module
-	dnsFilter  *dnsfilter.Dnsfilter // DNS filtering module
+	dnsFilter  *dnsfilter.DNSFilter // DNS filtering module
 	dhcpServer *dhcpd.Server        // DHCP module
 	auth       *Auth                // HTTP authentication module
 	filters    Filtering            // DNS filtering module
--- a/internal/querylog/decode.go
+++ b/internal/querylog/decode.go
@@ -4,11 +4,13 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"io"
+	"net"
 	"strings"
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 )

@@ -85,54 +87,6 @@ var logEntryHandlers = map[string]logEntryHandler{
 		ent.OrigAnswer, err = base64.StdEncoding.DecodeString(v)
 		return err
 	},
-	"IsFiltered": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(bool)
-		if !ok {
-			return nil
-		}
-		ent.Result.IsFiltered = v
-		return nil
-	},
-	"Rule": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(string)
-		if !ok {
-			return nil
-		}
-		ent.Result.Rule = v
-		return nil
-	},
-	"FilterID": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(json.Number)
-		if !ok {
-			return nil
-		}
-		i, err := v.Int64()
-		if err != nil {
-			return err
-		}
-		ent.Result.FilterID = i
-		return nil
-	},
-	"Reason": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(json.Number)
-		if !ok {
-			return nil
-		}
-		i, err := v.Int64()
-		if err != nil {
-			return err
-		}
-		ent.Result.Reason = dnsfilter.Reason(i)
-		return nil
-	},
-	"ServiceName": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(string)
-		if !ok {
-			return nil
-		}
-		ent.Result.ServiceName = v
-		return nil
-	},
 	"Upstream": func(t json.Token, ent *logEntry) error {
 		v, ok := t.(string)
 		if !ok {
@@ -153,42 +107,411 @@ var logEntryHandlers = map[string]logEntryHandler{
 		ent.Elapsed = time.Duration(i)
 		return nil
 	},
-	"Result": func(json.Token, *logEntry) error {
-		return nil
-	},
-	"Question": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(string)
+}
+
+var resultHandlers = map[string]logEntryHandler{
+	"IsFiltered": func(t json.Token, ent *logEntry) error {
+		v, ok := t.(bool)
 		if !ok {
 			return nil
 		}
-		var qstr []byte
-		qstr, err := base64.StdEncoding.DecodeString(v)
-		if err != nil {
-			return err
-		}
-		q := new(dns.Msg)
-		err = q.Unpack(qstr)
-		if err != nil {
-			return err
-		}
-		ent.QHost = q.Question[0].Name
-		if len(ent.QHost) == 0 {
-			return nil // nil???
-		}
-		ent.QHost = ent.QHost[:len(ent.QHost)-1]
-		ent.QType = dns.TypeToString[q.Question[0].Qtype]
-		ent.QClass = dns.ClassToString[q.Question[0].Qclass]
+		ent.Result.IsFiltered = v
 		return nil
 	},
-	"Time": func(t json.Token, ent *logEntry) error {
-		v, ok := t.(string)
+	"Rule": func(t json.Token, ent *logEntry) error {
+		s, ok := t.(string)
 		if !ok {
 			return nil
 		}
-		var err error
-		ent.Time, err = time.Parse(time.RFC3339, v)
-		return err
+
+		l := len(ent.Result.Rules)
+		if l == 0 {
+			ent.Result.Rules = []*dnsfilter.ResultRule{{}}
+			l++
+		}
+
+		ent.Result.Rules[l-1].Text = s
+
+		return nil
 	},
+	"FilterID": func(t json.Token, ent *logEntry) error {
+		n, ok := t.(json.Number)
+		if !ok {
+			return nil
+		}
+
+		i, err := n.Int64()
+		if err != nil {
+			return err
+		}
+
+		l := len(ent.Result.Rules)
+		if l == 0 {
+			ent.Result.Rules = []*dnsfilter.ResultRule{{}}
+			l++
+		}
+
+		ent.Result.Rules[l-1].FilterListID = i
+
+		return nil
+	},
+	"Reason": func(t json.Token, ent *logEntry) error {
+		v, ok := t.(json.Number)
+		if !ok {
+			return nil
+		}
+		i, err := v.Int64()
+		if err != nil {
+			return err
+		}
+		ent.Result.Reason = dnsfilter.Reason(i)
+		return nil
+	},
+	"ServiceName": func(t json.Token, ent *logEntry) error {
+		s, ok := t.(string)
+		if !ok {
+			return nil
+		}
+
+		ent.Result.ServiceName = s
+
+		return nil
+	},
+	"CanonName": func(t json.Token, ent *logEntry) error {
+		s, ok := t.(string)
+		if !ok {
+			return nil
+		}
+
+		ent.Result.CanonName = s
+
+		return nil
+	},
+}
+
+func decodeResultRuleKey(key string, i int, dec *json.Decoder, ent *logEntry) {
+	switch key {
+	case "FilterListID":
+		vToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultRuleKey %s err: %s", key, err)
+			}
+
+			return
+		}
+
+		if len(ent.Result.Rules) < i+1 {
+			ent.Result.Rules = append(ent.Result.Rules, &dnsfilter.ResultRule{})
+		}
+
+		if n, ok := vToken.(json.Number); ok {
+			ent.Result.Rules[i].FilterListID, _ = n.Int64()
+		}
+	case "IP":
+		vToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultRuleKey %s err: %s", key, err)
+			}
+
+			return
+		}
+
+		if len(ent.Result.Rules) < i+1 {
+			ent.Result.Rules = append(ent.Result.Rules, &dnsfilter.ResultRule{})
+		}
+
+		if ipStr, ok := vToken.(string); ok {
+			ent.Result.Rules[i].IP = net.ParseIP(ipStr)
+		}
+	case "Text":
+		vToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultRuleKey %s err: %s", key, err)
+			}
+
+			return
+		}
+
+		if len(ent.Result.Rules) < i+1 {
+			ent.Result.Rules = append(ent.Result.Rules, &dnsfilter.ResultRule{})
+		}
+
+		if s, ok := vToken.(string); ok {
+			ent.Result.Rules[i].Text = s
+		}
+	default:
+		// Go on.
+	}
+}
+
+func decodeResultRules(dec *json.Decoder, ent *logEntry) {
+	for {
+		delimToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultRules err: %s", err)
+			}
+
+			return
+		}
+
+		if d, ok := delimToken.(json.Delim); ok {
+			if d != '[' {
+				log.Debug("decodeResultRules: unexpected delim %q", d)
+			}
+		} else {
+			return
+		}
+
+		i := 0
+		for {
+			keyToken, err := dec.Token()
+			if err != nil {
+				if err != io.EOF {
+					log.Debug("decodeResultRules err: %s", err)
+				}
+
+				return
+			}
+
+			if d, ok := keyToken.(json.Delim); ok {
+				if d == '}' {
+					i++
+				} else if d == ']' {
+					return
+				}
+
+				continue
+			}
+
+			key, ok := keyToken.(string)
+			if !ok {
+				log.Debug("decodeResultRules: keyToken is %T (%[1]v) and not string", keyToken)
+
+				return
+			}
+
+			decodeResultRuleKey(key, i, dec, ent)
+		}
+	}
+}
+
+func decodeResultReverseHosts(dec *json.Decoder, ent *logEntry) {
+	for {
+		itemToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultReverseHosts err: %s", err)
+			}
+
+			return
+		}
+
+		switch v := itemToken.(type) {
+		case json.Delim:
+			if v == '[' {
+				continue
+			} else if v == ']' {
+				return
+			}
+
+			log.Debug("decodeResultReverseHosts: unexpected delim %q", v)
+
+			return
+		case string:
+			ent.Result.ReverseHosts = append(ent.Result.ReverseHosts, v)
+		default:
+			continue
+		}
+	}
+}
+
+func decodeResultIPList(dec *json.Decoder, ent *logEntry) {
+	for {
+		itemToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultIPList err: %s", err)
+			}
+
+			return
+		}
+
+		switch v := itemToken.(type) {
+		case json.Delim:
+			if v == '[' {
+				continue
+			} else if v == ']' {
+				return
+			}
+
+			log.Debug("decodeResultIPList: unexpected delim %q", v)
+
+			return
+		case string:
+			ip := net.ParseIP(v)
+			if ip != nil {
+				ent.Result.IPList = append(ent.Result.IPList, ip)
+			}
+		default:
+			continue
+		}
+	}
+}
+
+func decodeResultDNSRewriteResult(dec *json.Decoder, ent *logEntry) {
+	for {
+		keyToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResultDNSRewriteResult err: %s", err)
+			}
+
+			return
+		}
+
+		if d, ok := keyToken.(json.Delim); ok {
+			if d == '}' {
+				return
+			}
+
+			continue
+		}
+
+		key, ok := keyToken.(string)
+		if !ok {
+			log.Debug("decodeResultDNSRewriteResult: keyToken is %T (%[1]v) and not string", keyToken)
+
+			return
+		}
+
+		// TODO(a.garipov): Refactor this into a separate
+		// function à la decodeResultRuleKey if we keep this
+		// code for a longer time than planned.
+		switch key {
+		case "RCode":
+			vToken, err := dec.Token()
+			if err != nil {
+				if err != io.EOF {
+					log.Debug("decodeResultDNSRewriteResult err: %s", err)
+				}
+
+				return
+			}
+
+			if ent.Result.DNSRewriteResult == nil {
+				ent.Result.DNSRewriteResult = &dnsfilter.DNSRewriteResult{}
+			}
+
+			if n, ok := vToken.(json.Number); ok {
+				rcode64, _ := n.Int64()
+				ent.Result.DNSRewriteResult.RCode = rules.RCode(rcode64)
+			}
+
+			continue
+		case "Response":
+			if ent.Result.DNSRewriteResult == nil {
+				ent.Result.DNSRewriteResult = &dnsfilter.DNSRewriteResult{}
+			}
+
+			if ent.Result.DNSRewriteResult.Response == nil {
+				ent.Result.DNSRewriteResult.Response = dnsfilter.DNSRewriteResultResponse{}
+			}
+
+			// TODO(a.garipov): I give up.  This whole file
+			// is a mess.  Luckily, we can assume that this
+			// field is relatively rare and just use the
+			// normal decoding and correct the values.
+			err = dec.Decode(&ent.Result.DNSRewriteResult.Response)
+			if err != nil {
+				log.Debug("decodeResultDNSRewriteResult response err: %s", err)
+			}
+
+			for rrType, rrValues := range ent.Result.DNSRewriteResult.Response {
+				switch rrType {
+				case dns.TypeA, dns.TypeAAAA:
+					for i, v := range rrValues {
+						s, _ := v.(string)
+						rrValues[i] = net.ParseIP(s)
+					}
+				default:
+					// Go on.
+				}
+			}
+
+			continue
+		default:
+			// Go on.
+		}
+	}
+}
+
+func decodeResult(dec *json.Decoder, ent *logEntry) {
+	for {
+		keyToken, err := dec.Token()
+		if err != nil {
+			if err != io.EOF {
+				log.Debug("decodeResult err: %s", err)
+			}
+
+			return
+		}
+
+		if d, ok := keyToken.(json.Delim); ok {
+			if d == '}' {
+				return
+			}
+
+			continue
+		}
+
+		key, ok := keyToken.(string)
+		if !ok {
+			log.Debug("decodeResult: keyToken is %T (%[1]v) and not string", keyToken)
+
+			return
+		}
+
+		switch key {
+		case "ReverseHosts":
+			decodeResultReverseHosts(dec, ent)
+
+			continue
+		case "IPList":
+			decodeResultIPList(dec, ent)
+
+			continue
+		case "Rules":
+			decodeResultRules(dec, ent)
+
+			continue
+		case "DNSRewriteResult":
+			decodeResultDNSRewriteResult(dec, ent)
+
+			continue
+		default:
+			// Go on.
+		}
+
+		handler, ok := resultHandlers[key]
+		if !ok {
+			continue
+		}
+
+		val, err := dec.Token()
+		if err != nil {
+			return
+		}
+
+		if err = handler(val, ent); err != nil {
+			log.Debug("decodeResult handler err: %s", err)
+
+			return
+		}
+	}
 }

 func decodeLogEntry(ent *logEntry, str string) {
@@ -200,18 +523,27 @@ func decodeLogEntry(ent *logEntry, str string) {
 			if err != io.EOF {
 				log.Debug("decodeLogEntry err: %s", err)
 			}
+
 			return
 		}
+
 		if _, ok := keyToken.(json.Delim); ok {
 			continue
 		}

 		key, ok := keyToken.(string)
 		if !ok {
-			log.Debug("decodeLogEntry: keyToken is %T and not string", keyToken)
+			log.Debug("decodeLogEntry: keyToken is %T (%[1]v) and not string", keyToken)
+
 			return
 		}

+		if key == "Result" {
+			decodeResult(dec, ent)
+
+			continue
+		}
+
 		handler, ok := logEntryHandlers[key]
 		if !ok {
 			continue
@@ -223,7 +555,8 @@ func decodeLogEntry(ent *logEntry, str string) {
 		}

 		if err = handler(val, ent); err != nil {
-			log.Debug("decodeLogEntry err: %s", err)
+			log.Debug("decodeLogEntry handler err: %s", err)
+
 			return
 		}
 	}
--- a/internal/querylog/decode_test.go
+++ b/internal/querylog/decode_test.go
@@ -2,107 +2,181 @@ package querylog

 import (
 	"bytes"
+	"encoding/base64"
+	"net"
 	"strings"
 	"testing"
+	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
 	"github.com/AdguardTeam/AdGuardHome/internal/testutil"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/urlfilter/rules"
+	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 )

-func TestDecode_decodeQueryLog(t *testing.T) {
+func TestDecodeLogEntry(t *testing.T) {
 	logOutput := &bytes.Buffer{}

 	testutil.ReplaceLogWriter(t, logOutput)
 	testutil.ReplaceLogLevel(t, log.DEBUG)

+	t.Run("success", func(t *testing.T) {
+		const ansStr = `Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==`
+		const data = `{"IP":"127.0.0.1",` +
+			`"T":"2020-11-25T18:55:56.519796+03:00",` +
+			`"QH":"an.yandex.ru",` +
+			`"QT":"A",` +
+			`"QC":"IN",` +
+			`"CP":"",` +
+			`"Answer":"` + ansStr + `",` +
+			`"Result":{` +
+			`"IsFiltered":true,` +
+			`"Reason":3,` +
+			`"ReverseHosts":["example.net"],` +
+			`"IPList":["127.0.0.2"],` +
+			`"Rules":[{"FilterListID":42,"Text":"||an.yandex.ru","IP":"127.0.0.2"},` +
+			`{"FilterListID":43,"Text":"||an2.yandex.ru","IP":"127.0.0.3"}],` +
+			`"CanonName":"example.com",` +
+			`"ServiceName":"example.org",` +
+			`"DNSRewriteResult":{"RCode":0,"Response":{"1":["127.0.0.2"]}}},` +
+			`"Elapsed":837429}`
+
+		ans, err := base64.StdEncoding.DecodeString(ansStr)
+		assert.Nil(t, err)
+
+		want := &logEntry{
+			IP:          "127.0.0.1",
+			Time:        time.Date(2020, 11, 25, 15, 55, 56, 519796000, time.UTC),
+			QHost:       "an.yandex.ru",
+			QType:       "A",
+			QClass:      "IN",
+			ClientProto: "",
+			Answer:      ans,
+			Result: dnsfilter.Result{
+				IsFiltered:   true,
+				Reason:       dnsfilter.FilteredBlockList,
+				ReverseHosts: []string{"example.net"},
+				IPList:       []net.IP{net.IPv4(127, 0, 0, 2)},
+				Rules: []*dnsfilter.ResultRule{{
+					FilterListID: 42,
+					Text:         "||an.yandex.ru",
+					IP:           net.IPv4(127, 0, 0, 2),
+				}, {
+					FilterListID: 43,
+					Text:         "||an2.yandex.ru",
+					IP:           net.IPv4(127, 0, 0, 3),
+				}},
+				CanonName:   "example.com",
+				ServiceName: "example.org",
+				DNSRewriteResult: &dnsfilter.DNSRewriteResult{
+					RCode: dns.RcodeSuccess,
+					Response: dnsfilter.DNSRewriteResultResponse{
+						dns.TypeA: []rules.RRValue{net.IPv4(127, 0, 0, 2)},
+					},
+				},
+			},
+			Elapsed: 837429,
+		}
+
+		got := &logEntry{}
+		decodeLogEntry(got, data)
+
+		s := logOutput.String()
+		assert.Equal(t, "", s)
+
+		// Correct for time zones.
+		got.Time = got.Time.UTC()
+		assert.Equal(t, want, got)
+	})
+
 	testCases := []struct {
 		name string
 		log  string
 		want string
 	}{{
-		name: "back_compatibility_all_right",
-		log:  `{"Question":"ULgBAAABAAAAAAAAC2FkZ3VhcmR0ZWFtBmdpdGh1YgJpbwAAHAAB","Answer":"ULiBgAABAAAAAQAAC2FkZ3VhcmR0ZWFtBmdpdGh1YgJpbwAAHAABwBgABgABAAADQgBLB25zLTE2MjIJYXdzZG5zLTEwAmNvAnVrABFhd3NkbnMtaG9zdG1hc3RlcgZhbWF6b24DY29tAAAAAAEAABwgAAADhAASdQAAAVGA","Result":{},"Time":"2020-11-13T12:41:25.970861+03:00","Elapsed":244066501,"IP":"127.0.0.1","Upstream":"https://1.1.1.1:443/dns-query"}`,
-		want: "default",
+		name: "all_right_old_rule",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1,"ReverseHosts":["example.com"],"IPList":["127.0.0.1"]},"Elapsed":837429}`,
+		want: "",
 	}, {
-		name: "back_compatibility_bad_msg",
-		log:  `{"Question":"","Answer":"ULiBgAABAAAAAQAAC2FkZ3VhcmR0ZWFtBmdpdGh1YgJpbwAAHAABwBgABgABAAADQgBLB25zLTE2MjIJYXdzZG5zLTEwAmNvAnVrABFhd3NkbnMtaG9zdG1hc3RlcgZhbWF6b24DY29tAAAAAAEAABwgAAADhAASdQAAAVGA","Result":{},"Time":"2020-11-13T12:41:25.970861+03:00","Elapsed":244066501,"IP":"127.0.0.1","Upstream":"https://1.1.1.1:443/dns-query"}`,
-		want: "decodeLogEntry err: dns: overflow unpacking uint16\n",
-	}, {
-		name: "back_compatibility_bad_decoding",
-		log:  `{"Question":"LgBAAABAAAAAAAAC2FkZ3VhcmR0ZWFtBmdpdGh1YgJpbwAAHAAB","Answer":"ULiBgAABAAAAAQAAC2FkZ3VhcmR0ZWFtBmdpdGh1YgJpbwAAHAABwBgABgABAAADQgBLB25zLTE2MjIJYXdzZG5zLTEwAmNvAnVrABFhd3NkbnMtaG9zdG1hc3RlcgZhbWF6b24DY29tAAAAAAEAABwgAAADhAASdQAAAVGA","Result":{},"Time":"2020-11-13T12:41:25.970861+03:00","Elapsed":244066501,"IP":"127.0.0.1","Upstream":"https://1.1.1.1:443/dns-query"}`,
-		want: "decodeLogEntry err: illegal base64 data at input byte 48\n",
-	}, {
-		name: "modern_all_right",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
-	}, {
-		name: "bad_filter_id",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1.5},"Elapsed":837429}`,
-		want: "decodeLogEntry err: strconv.ParseInt: parsing \"1.5\": invalid syntax\n",
+		name: "bad_filter_id_old_rule",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"FilterID":1.5},"Elapsed":837429}`,
+		want: "decodeResult handler err: strconv.ParseInt: parsing \"1.5\": invalid syntax\n",
 	}, {
 		name: "bad_is_filtered",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":trooe,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":trooe,"Reason":3},"Elapsed":837429}`,
+		want: "decodeLogEntry err: invalid character 'o' in literal true (expecting 'u')\n",
 	}, {
 		name: "bad_elapsed",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":-1}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":-1}`,
+		want: "",
 	}, {
 		name: "bad_ip",
-		log:  `{"IP":127001,"T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":127001,"T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "bad_time",
-		log:  `{"IP":"127.0.0.1","T":"12/09/1998T15:00:00.000000+05:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "decodeLogEntry err: parsing time \"12/09/1998T15:00:00.000000+05:00\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"9/1998T15:00:00.000000+05:00\" as \"2006\"\n",
+		log:  `{"IP":"127.0.0.1","T":"12/09/1998T15:00:00.000000+05:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "decodeLogEntry handler err: parsing time \"12/09/1998T15:00:00.000000+05:00\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"9/1998T15:00:00.000000+05:00\" as \"2006\"\n",
 	}, {
 		name: "bad_host",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":6,"QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":6,"QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "bad_type",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":true,"QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":true,"QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "bad_class",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":false,"CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":false,"CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "bad_client_proto",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":8,"Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":8,"Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "very_bad_client_proto",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"dog","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "decodeLogEntry err: invalid client proto: \"dog\"\n",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"dog","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "decodeLogEntry handler err: invalid client proto: \"dog\"\n",
 	}, {
 		name: "bad_answer",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":0.9,"Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":0.9,"Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "very_bad_answer",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "decodeLogEntry err: illegal base64 data at input byte 61\n",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
+		want: "decodeLogEntry handler err: illegal base64 data at input byte 61\n",
 	}, {
 		name: "bad_rule",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":false,"FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"Rule":false},"Elapsed":837429}`,
+		want: "",
 	}, {
 		name: "bad_reason",
-		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":true,"Rule":"||an.yandex.","FilterID":1},"Elapsed":837429}`,
-		want: "default",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":true},"Elapsed":837429}`,
+		want: "",
+	}, {
+		name: "bad_reverse_hosts",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"ReverseHosts":[{}]},"Elapsed":837429}`,
+		want: "decodeResultReverseHosts: unexpected delim \"{\"\n",
+	}, {
+		name: "bad_ip_list",
+		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3,"ReverseHosts":["example.net"],"IPList":[{}]},"Elapsed":837429}`,
+		want: "decodeResultIPList: unexpected delim \"{\"\n",
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			_, err := logOutput.Write([]byte("default"))
-			assert.Nil(t, err)
-
 			l := &logEntry{}
 			decodeLogEntry(l, tc.log)

-			assert.True(t, strings.HasSuffix(logOutput.String(), tc.want), logOutput.String())
+			s := logOutput.String()
+			if tc.want == "" {
+				assert.Equal(t, "", s)
+			} else {
+				assert.True(t, strings.HasSuffix(s, tc.want),
+					"got %q", s)
+			}

 			logOutput.Reset()
 		})
--- a/internal/querylog/json.go
+++ b/internal/querylog/json.go
@@ -6,10 +6,13 @@ import (
 	"strconv"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/dnsfilter"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
 )

+// TODO(a.garipov): Use a proper structured approach here.
+
 // Get Client IP address
 func (l *queryLog) getClientIP(clientIP string) string {
 	if l.conf.AnonymizeClientIP {
@@ -29,10 +32,12 @@ func (l *queryLog) getClientIP(clientIP string) string {
 	return clientIP
 }

-// entriesToJSON - converts log entries to JSON
-func (l *queryLog) entriesToJSON(entries []*logEntry, oldest time.Time) map[string]interface{} {
-	// init the response object
-	data := []map[string]interface{}{}
+// jobject is a JSON object alias.
+type jobject = map[string]interface{}
+
+// entriesToJSON converts query log entries to JSON.
+func (l *queryLog) entriesToJSON(entries []*logEntry, oldest time.Time) (res jobject) {
+	data := []jobject{}

 	// the elements order is already reversed (from newer to older)
 	for i := 0; i < len(entries); i++ {
@@ -41,17 +46,18 @@ func (l *queryLog) entriesToJSON(entries []*logEntry, oldest time.Time) map[stri
 		data = append(data, jsonEntry)
 	}

-	result := map[string]interface{}{}
-	result["oldest"] = ""
-	if !oldest.IsZero() {
-		result["oldest"] = oldest.Format(time.RFC3339Nano)
+	res = jobject{
+		"data":   data,
+		"oldest": "",
+	}
+	if !oldest.IsZero() {
+		res["oldest"] = oldest.Format(time.RFC3339Nano)
 	}
-	result["data"] = data

-	return result
+	return res
 }

-func (l *queryLog) logEntryToJSONEntry(entry *logEntry) map[string]interface{} {
+func (l *queryLog) logEntryToJSONEntry(entry *logEntry) (jsonEntry jobject) {
 	var msg *dns.Msg

 	if len(entry.Answer) > 0 {
@@ -62,17 +68,18 @@ func (l *queryLog) logEntryToJSONEntry(entry *logEntry) map[string]interface{} {
 		}
 	}

-	jsonEntry := map[string]interface{}{
+	jsonEntry = jobject{
 		"reason":       entry.Result.Reason.String(),
 		"elapsedMs":    strconv.FormatFloat(entry.Elapsed.Seconds()*1000, 'f', -1, 64),
 		"time":         entry.Time.Format(time.RFC3339Nano),
 		"client":       l.getClientIP(entry.IP),
 		"client_proto": entry.ClientProto,
-	}
-	jsonEntry["question"] = map[string]interface{}{
-		"host":  entry.QHost,
-		"type":  entry.QType,
-		"class": entry.QClass,
+		"upstream":     entry.Upstream,
+		"question": jobject{
+			"host":  entry.QHost,
+			"type":  entry.QType,
+			"class": entry.QClass,
+		},
 	}

 	if msg != nil {
@@ -83,12 +90,15 @@ func (l *queryLog) logEntryToJSONEntry(entry *logEntry) map[string]interface{} {
 		if opt != nil {
 			dnssecOk = opt.Do()
 		}
+
 		jsonEntry["answer_dnssec"] = dnssecOk
 	}

-	if len(entry.Result.Rule) > 0 {
-		jsonEntry["rule"] = entry.Result.Rule
-		jsonEntry["filterId"] = entry.Result.FilterID
+	jsonEntry["rules"] = resultRulesToJSONRules(entry.Result.Rules)
+
+	if len(entry.Result.Rules) > 0 && len(entry.Result.Rules[0].Text) > 0 {
+		jsonEntry["rule"] = entry.Result.Rules[0].Text
+		jsonEntry["filterId"] = entry.Result.Rules[0].FilterListID
 	}

 	if len(entry.Result.ServiceName) != 0 {
@@ -113,20 +123,30 @@ func (l *queryLog) logEntryToJSONEntry(entry *logEntry) map[string]interface{} {
 		}
 	}

-	jsonEntry["upstream"] = entry.Upstream
-
 	return jsonEntry
 }

-func answerToMap(a *dns.Msg) []map[string]interface{} {
+func resultRulesToJSONRules(rules []*dnsfilter.ResultRule) (jsonRules []jobject) {
+	jsonRules = make([]jobject, len(rules))
+	for i, r := range rules {
+		jsonRules[i] = jobject{
+			"filter_list_id": r.FilterListID,
+			"text":           r.Text,
+		}
+	}
+
+	return jsonRules
+}
+
+func answerToMap(a *dns.Msg) (answers []jobject) {
 	if a == nil || len(a.Answer) == 0 {
 		return nil
 	}

-	answers := []map[string]interface{}{}
+	answers = []jobject{}
 	for _, k := range a.Answer {
 		header := k.Header()
-		answer := map[string]interface{}{
+		answer := jobject{
 			"type": dns.TypeToString[header.Rrtype],
 			"ttl":  header.Ttl,
 		}
--- a/internal/querylog/qlog_test.go
+++ b/internal/querylog/qlog_test.go
@@ -236,10 +236,12 @@ func addEntry(l *queryLog, host, answerStr, client string) {
 	a.Answer = append(a.Answer, answer)
 	res := dnsfilter.Result{
 		IsFiltered:  true,
-		Rule:        "SomeRule",
 		Reason:      dnsfilter.ReasonRewrite,
 		ServiceName: "SomeService",
-		FilterID:    1,
+		Rules: []*dnsfilter.ResultRule{{
+			FilterListID: 1,
+			Text:         "SomeRule",
+		}},
 	}
 	params := AddParams{
 		Question:   &q,
--- a/internal/querylog/searchcriteria.go
+++ b/internal/querylog/searchcriteria.go
@@ -115,14 +115,14 @@ func (c *searchCriteria) ctFilteringStatusCase(res dnsfilter.Result) bool {
 	case filteringStatusFiltered:
 		return res.IsFiltered ||
 			res.Reason.In(
-				dnsfilter.NotFilteredWhiteList,
+				dnsfilter.NotFilteredAllowList,
 				dnsfilter.ReasonRewrite,
-				dnsfilter.RewriteEtcHosts,
+				dnsfilter.RewriteAutoHosts,
 			)

 	case filteringStatusBlocked:
 		return res.IsFiltered &&
-			res.Reason.In(dnsfilter.FilteredBlackList, dnsfilter.FilteredBlockedService)
+			res.Reason.In(dnsfilter.FilteredBlockList, dnsfilter.FilteredBlockedService)

 	case filteringStatusBlockedService:
 		return res.IsFiltered && res.Reason == dnsfilter.FilteredBlockedService
@@ -134,19 +134,19 @@ func (c *searchCriteria) ctFilteringStatusCase(res dnsfilter.Result) bool {
 		return res.IsFiltered && res.Reason == dnsfilter.FilteredSafeBrowsing

 	case filteringStatusWhitelisted:
-		return res.Reason == dnsfilter.NotFilteredWhiteList
+		return res.Reason == dnsfilter.NotFilteredAllowList

 	case filteringStatusRewritten:
-		return res.Reason.In(dnsfilter.ReasonRewrite, dnsfilter.RewriteEtcHosts)
+		return res.Reason.In(dnsfilter.ReasonRewrite, dnsfilter.RewriteAutoHosts)

 	case filteringStatusSafeSearch:
 		return res.IsFiltered && res.Reason == dnsfilter.FilteredSafeSearch

 	case filteringStatusProcessed:
 		return !res.Reason.In(
-			dnsfilter.FilteredBlackList,
+			dnsfilter.FilteredBlockList,
 			dnsfilter.FilteredBlockedService,
-			dnsfilter.NotFilteredWhiteList,
+			dnsfilter.NotFilteredAllowList,
 		)

 	default:
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -18,7 +18,7 @@ require (
 	golang.org/x/mod v0.4.0 // indirect
 	golang.org/x/tools v0.0.0-20201208062317-e652b2f42cc7
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	honnef.co/go/tools v0.0.1-2020.1.6
+	honnef.co/go/tools v0.1.0
 	mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475
 	mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7
 )
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -123,6 +123,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200410194907-79a7a3126eef/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200609164405-eb789aa7ce50/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200710042808-f1c4188a97a1/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
@@ -158,6 +159,8 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 honnef.co/go/tools v0.0.1-2020.1.6 h1:W18jzjh8mfPez+AwGLxmOImucz/IFjpNlrKVnaj2YVc=
 honnef.co/go/tools v0.0.1-2020.1.6/go.mod h1:pyyisuGw24ruLjrr1ddx39WE0y9OooInRzEYLhQB2YY=
+honnef.co/go/tools v0.1.0 h1:AWNL1W1i7f0wNZ8VwOKNJ0sliKvOF/adn0EHenfUh+c=
+honnef.co/go/tools v0.1.0/go.mod h1:XtegFAyX/PfluP4921rXU5IkjkqBCDnUq4W8VCIoKvM=
 mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475 h1:5ZmJGYyuTlhdlIpRxSFhdJqkXQweXETFCEaLhRAX3e8=
 mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475/go.mod h1:E4LOcu9JQEtnYXtB1Y51drqh2Qr2Ngk9J3YrRCwcbd0=
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 h1:kAREL6MPwpsk1/PQPFD3Eg7WAQR5mPTWZJaBiG5LDbY=
--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@@ -1,5 +1,67 @@
 # AdGuard Home API Change Log

+<!-- TODO(a.garipov): Reformat in accordance with the KeepAChangelog spec. -->
+
+## v0.105: API changes
+
+### New `"reason"` in `GET /filtering/check_host` and `GET /querylog`
+
+* The new `DNSRewriteRule` reason is added to `GET /filtering/check_host` and
+  `GET /querylog`.
+
+* Also, the reason which was incorrectly documented as `"ReasonRewrite"` is now
+  correctly documented as `"Rewrite"`, and the previously undocumented
+  `"RewriteEtcHosts"` is now documented as well.
+
+### Multiple matched rules in `GET /filtering/check_host` and `GET /querylog`
+
+* The properties `rule` and `filter_id` are now deprecated.  API users should
+  inspect the newly-added `rules` object array instead.  For most rules, it's
+  either empty or contains one object, which contains the same things as the old
+  two properties did, but under more correct names:
+
+  ```js
+  {
+    // …
+
+    // Deprecated.
+    "rule": "||example.com^",
+    // Deprecated.
+    "filter_id": 42,
+    // Newly-added.
+    "rules": [{
+      "text": "||example.com^",
+      "filter_list_id": 42
+    }]
+  }
+  ```
+
+  For `$dnsrewrite` rules, they contain all rules that contributed to the
+  result.  For example, if you have the following filtering rules:
+
+  ```
+  ||example.com^$dnsrewrite=127.0.0.1
+  ||example.com^$dnsrewrite=127.0.0.2
+  ```
+
+  The `"rules"` will be something like:
+
+  ```js
+  {
+    // …
+
+    "rules": [{
+      "text": "||example.com^$dnsrewrite=127.0.0.1",
+      "filter_list_id": 0
+    }, {
+      "text": "||example.com^$dnsrewrite=127.0.0.2",
+      "filter_list_id": 0
+    }]
+  }
+  ```
+
+  The old fields will be removed in v0.106.0.
+
 ## v0.103: API changes

 ### API: replace settings in GET /control/dns_info & POST /control/dns_config
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -2,9 +2,9 @@
 'info':
  'title': 'AdGuard Home'
  'description': >
-    AdGuard Home REST API.  Our admin web interface is built on top of this REST
-    API.
-  'version': '0.104'
+    AdGuard Home REST-ish API.  Our admin web interface is built on top of this
+    REST-ish API.
+  'version': '0.105'
  'contact':
    'name': 'AdGuard Home'
    'url': 'https://github.com/AdguardTeam/AdGuardHome'
@@ -523,7 +523,7 @@
        Reload filtering rules from URLs.  This might be needed if new URL was
        just added and you dont want to wait for automatic refresh to kick in.
        This API request is ratelimited, so you can call it freely as often as
-        you like, it wont create unneccessary burden on servers that host the
+        you like, it wont create unnecessary burden on servers that host the
        URL.  This should work as intended, a `force` parameter is offered as
        last-resort attempt to make filter lists fresh.  If you ever find
        yourself using `force` to make something work that otherwise wont, this
@@ -1246,7 +1246,7 @@
      'properties':
        'reason':
          'type': 'string'
-          'description': 'DNS filter status'
+          'description': 'Request filtering status.'
          'enum':
          - 'NotFilteredNotFound'
          - 'NotFilteredWhiteList'
@@ -1257,24 +1257,41 @@
          - 'FilteredInvalid'
          - 'FilteredSafeSearch'
          - 'FilteredBlockedService'
-          - 'ReasonRewrite'
+          - 'Rewrite'
+          - 'RewriteEtcHosts'
+          - 'DNSRewriteRule'
        'filter_id':
+          'deprecated': true
+          'description': >
+            In case if there's a rule applied to this DNS request, this is ID of
+            the filter list that the rule belongs to.
+
+            Deprecated: use `rules[*].filter_list_id` instead.
          'type': 'integer'
        'rule':
+          'deprecated': true
          'type': 'string'
          'example': '||example.org^'
-          'description': 'Filtering rule applied to the request (if any)'
+          'description': >
+            Filtering rule applied to the request (if any).
+
+            Deprecated: use `rules[*].text` instead.
+        'rules':
+          'description': 'Applied rules.'
+          'type': 'array'
+          'items':
+            '$ref': '#/components/schemas/ResultRule'
        'service_name':
          'type': 'string'
          'description': 'Set if reason=FilteredBlockedService'
        'cname':
          'type': 'string'
-          'description': 'Set if reason=ReasonRewrite'
+          'description': 'Set if reason=Rewrite'
        'ip_addrs':
          'type': 'array'
          'items':
            'type': 'string'
-          'description': 'Set if reason=ReasonRewrite'
+          'description': 'Set if reason=Rewrite'
    'FilterRefreshResponse':
      'type': 'object'
      'description': '/filtering/refresh response data'
@@ -1610,18 +1627,30 @@
        'question':
          '$ref': '#/components/schemas/DnsQuestion'
        'filterId':
+          'deprecated': true
          'type': 'integer'
          'example': 123123
          'description': >
            In case if there's a rule applied to this DNS request, this is ID of
-            the filter that rule belongs to.
+            the filter list that the rule belongs to.
+
+            Deprecated: use `rules[*].filter_list_id` instead.
        'rule':
+          'deprecated': true
          'type': 'string'
          'example': '||example.org^'
-          'description': 'Filtering rule applied to the request (if any)'
+          'description': >
+            Filtering rule applied to the request (if any).
+
+            Deprecated: use `rules[*].text` instead.
+        'rules':
+          'description': 'Applied rules.'
+          'type': 'array'
+          'items':
+            '$ref': '#/components/schemas/ResultRule'
        'reason':
          'type': 'string'
-          'description': 'DNS filter status'
+          'description': 'Request filtering status.'
          'enum':
          - 'NotFilteredNotFound'
          - 'NotFilteredWhiteList'
@@ -1632,7 +1661,9 @@
          - 'FilteredInvalid'
          - 'FilteredSafeSearch'
          - 'FilteredBlockedService'
-          - 'ReasonRewrite'
+          - 'Rewrite'
+          - 'RewriteEtcHosts'
+          - 'DNSRewriteRule'
        'service_name':
          'type': 'string'
          'description': 'Set if reason=FilteredBlockedService'
@@ -1668,6 +1699,22 @@
        'anonymize_client_ip':
          'type': 'boolean'
          'description': "Anonymize clients' IP addresses"
+    'ResultRule':
+      'description': 'Applied rule.'
+      'properties':
+        'filter_list_id':
+          'description': >
+            In case if there's a rule applied to this DNS request, this is ID of
+            the filter list that the rule belongs to.
+          'example': 123123
+          'format': 'int64'
+          'type': 'integer'
+        'text':
+          'description': >
+            The text of the filtering rule applied to the request (if any).
+          'example': '||example.org^'
+          'type': 'string'
+      'type': 'object'
    'TlsConfig':
      'type': 'object'
      'description': 'TLS configuration settings and status'
--- a/scripts/go-lint.sh
+++ b/scripts/go-lint.sh
@@ -95,7 +95,7 @@ ineffassign .

 unparam ./...

-misspell --error ./...
+git ls-files -- '*.go' '*.md' '*.yaml' '*.yml' | xargs misspell --error

 looppointer ./...

@@ -112,4 +112,4 @@ exit_on_output sh -c '
 		{ grep -e "defer" -e "_test\.go:" -v || exit 0; }
 '

-staticcheck --checks='all' ./...
+staticcheck ./...
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -190,6 +190,7 @@ main() {
    SCRIPT_URL="https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh"
    URL="https://static.adguard.com/adguardhome/${CHANNEL}/${PKG_NAME}"
    OUT_DIR=/opt
+    AGH_DIR="${OUT_DIR}/AdGuardHome"

    # Root check
    if [ "$(id -u)" -eq 0 ]; then
@@ -208,22 +209,22 @@ main() {
        fi
    fi

-    log_info "AdGuard Home will be installed to ${OUT_DIR}/AdGuardHome"
+    log_info "AdGuard Home will be installed to ${AGH_DIR}"

-    [ -d "${OUT_DIR}/AdGuardHome" ] && error_exit "Directory ${OUT_DIR}/AdGuardHome already exists, abort installation"
+    [ -d "${AGH_DIR}" ] && [ -n "$(ls -1 -A -q ${AGH_DIR})" ] && error_exit "Directory ${AGH_DIR} is not empty, abort installation"

    download "${URL}" "${PKG_NAME}" || error_exit "Cannot download the package"

    unpack "${PKG_NAME}" "${OUT_DIR}" "${PKG_EXT}" || error_exit "Cannot unpack the package"

    # Install AdGuard Home service and run it
-    ${OUT_DIR}/AdGuardHome/AdGuardHome -s install || error_exit "Cannot install AdGuardHome as a service"
+    ${AGH_DIR}/AdGuardHome -s install || error_exit "Cannot install AdGuardHome as a service"

    rm "${PKG_NAME}"

    log_info "AdGuard Home is now installed and running."
    log_info "You can control the service status with the following commands:"
-    log_info "  sudo ${OUT_DIR}/AdGuardHome/AdGuardHome -s start|stop|restart|status|install|uninstall"
+    log_info "  sudo ${AGH_DIR}/AdGuardHome -s start|stop|restart|status|install|uninstall"
 }

 main "$@"
--- a/scripts/querylog/anonymize.js
+++ b/scripts/querylog/anonymize.js
@@ -2,11 +2,6 @@ const fs = require('fs');
 const readline = require('readline');
 const dnsPacket = require('dns-packet')

-const decodeBase64 = (data) => {
-    let buff = new Buffer(data, 'base64');
-    return buff.toString('ascii');
-}
-
 const processLineByLine = async (source, callback) => {
    const fileStream = fs.createReadStream(source);

--- a/scripts/translations/README.md
+++ b/scripts/translations/README.md
@@ -1,4 +1,4 @@
-## Twosky intergration script
+## Twosky integration script

 ### Usage

--- a/staticcheck.conf
+++ b/staticcheck.conf
@@ -0,0 +1,17 @@
+checks = ["all"]
+initialisms = [
+  # See https://github.com/dominikh/go-tools/blob/master/config/config.go.
+  "inherit"
+, "DHCP"
+, "DOH"
+, "DOQ"
+, "DOT"
+, "EDNS"
+, "MX"
+, "PTR"
+, "QUIC"
+, "SDNS"
+, "SVCB"
+]
+dot_import_whitelist = []
+http_status_code_whitelist = []
Author	SHA1	Message	Date
Ainar Garipov	e829e7a064	Pull request: 2471 defer Merge in DNS/adguard-home from 2471-defer to master Updates #2471. * commit '1c754788f9139ed9741cf01c6d94bcced6909b8c': home: improve getCurrentUser home: improve checkSession Use a couple of defer in internal/home/auth.go	2020-12-23 13:16:44 +03:00
Ainar Garipov	fc79e2e8f8	Pull request: all: support more $dnsrewrite rr types Merge in DNS/adguard-home from 2102-dnsrewrite-2 to master Updates #2102. Updates #2452. Squashed commit of the following: commit b41e57731b4f276e97202e172fa400067174653d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Dec 22 20:40:56 2020 +0300 dnsforward: improve naming commit 70b832ce969d8cdcf4224d221e5e1e2057fba6ee Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Dec 22 19:36:21 2020 +0300 all: support more $dnsrewrite rr types	2020-12-23 12:35:07 +03:00
Ainar Garipov	1c754788f9	home: improve getCurrentUser	2020-12-22 21:09:53 +03:00
Ainar Garipov	925c5df801	home: improve checkSession	2020-12-22 21:05:12 +03:00
jvoisin	7eb3e00b35	Use a couple of defer in internal/home/auth.go	2020-12-21 19:39:39 +01:00
Ainar Garipov	bdff46ec1d	Pull request: all: add $dnsrewrite handling Merge in DNS/adguard-home from 2102-dnsrewrite to master Updates #2102. Squashed commit of the following: commit 8490fc18179d38c4b162ff9b257fea1f8535afbd Merge: d9448ddca `e7f7799b3` Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Dec 21 16:44:00 2020 +0300 Merge branch 'master' into 2102-dnsrewrite commit d9448ddca6d4ef3635d767e3e496e44c35d3fc6e Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Dec 21 15:44:54 2020 +0300 querylog: support dnsrewrite rules commit 40aa5d30acddf29fb90d249d8806941c6e1915a4 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Dec 18 19:27:40 2020 +0300 all: improve documentation commit f776a0cd63b1640ba1e5210d9301e2a2801fd824 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Dec 18 19:09:08 2020 +0300 dnsfilter: prevent panics, improve docs commit e14073b7500d9ed827a151c5b8fb863c980c10e8 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Dec 4 15:51:02 2020 +0300 all: add $dnsrewrite handling	2020-12-21 17:48:07 +03:00
Artem Baskal	e7f7799b3e	client: Remove a superfluous condition * commit '61691fdedbe1002699f773892fff687ed7b31204': Remove a superfluous condition	2020-12-21 16:25:37 +03:00
Artem Baskal	da9e92ad6d	client: Remove an unused function * commit '2f265f249e5bc4d20a7a35ab10274c84baa9eba3': Remove an unused function	2020-12-21 16:25:14 +03:00
jvoisin	61691fdedb	Remove a superfluous condition `value` is always evaluated to true, due to the check on the previous line	2020-12-21 13:53:19 +01:00
jvoisin	2f265f249e	Remove an unused function	2020-12-21 13:51:08 +01:00
Eugene Burkov	f165fd91c0	Pull request: fix dns cache ttl check Merge in DNS/adguard-home from 2459-dns-ttl to master Updates #2459. Squashed commit of the following: commit 27e74e30b202ab5163ebdbc2c00622099b11a1ff Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Dec 21 15:00:46 2020 +0300 all: log changes commit e476fa5c4b8fd3896fa401f4dc546a5d937746eb Author: Eugene Burkov <e.burkov@adguard.com> Date: Mon Dec 21 14:55:30 2020 +0300 dnsforward: fix dns cache ttl check	2020-12-21 15:43:27 +03:00
Eugene Burkov	49c55e356f	Pull request: install check Merge in DNS/adguard-home from 2453-install-check to master Closes #2453. Squashed commit of the following: commit b3123d7171ff5d1e00d8bcbb5cbe7fcf7a142a3c Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Dec 18 14:00:26 2020 +0300 all: fix quotes commit 27e17f9543250d912dd559c9ba2e01e35636551f Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Dec 18 13:34:00 2020 +0300 all: improve install script commit e9a927ffabc04dcd223bfc0b3b2541c7d5b96b61 Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Dec 18 13:22:05 2020 +0300 all: add directory emptiness check	2020-12-18 14:19:42 +03:00
Ainar Garipov	5f84cb1afe	Pull request: all: update dnsproxy Merge in DNS/adguard-home from update-dnsproxy to master Squashed commit of the following: commit 2d6e80975eeef9e3851b705df592f651a9127c22 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Dec 17 18:09:20 2020 +0300 all: update dnsproxy	2020-12-17 18:20:34 +03:00
Eugene Burkov	66d593bb0c	Pull request: fix docs Merge in DNS/adguard-home from fix-docs to master Squashed commit of the following: commit 81d3ada1917816752ee55f93d478d324a7c7e2f4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Dec 17 17:35:23 2020 +0300 all: correct the wording commit a69a63be6218ef8d9211f753e13cb5e469d7a704 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Dec 17 17:30:49 2020 +0300 all: log changes	2020-12-17 17:47:14 +03:00
Eugene Burkov	fd7b061dd6	Pull request: 2225 daily freeze fix Merge in DNS/adguard-home from 2225-fix-freezes to master Updates #2225. Squashed commit of the following: commit 02a472120e9b4a0bc13129adb85eed5d9fd810a2 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Dec 17 14:10:20 2020 +0300 all: go mod tidy commit 6cfc23b780cf5da58719620ea5cd1fd3980c631e Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Dec 17 14:06:28 2020 +0300 all: upd dnsproxy dependency	2020-12-17 14:18:29 +03:00
Ainar Garipov	2e8352d31c	Pull request #886 : all: allow multiple rules in dns filter results Merge in DNS/adguard-home from 2102-rules-result to master Updates #2102. Squashed commit of the following: commit 47b2aa94c56b37be492c3c01e8111054612d9722 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Dec 17 13:12:27 2020 +0300 querylog: remove pre-v0.99.3 compatibility code commit 2af0ee43c2444a7d842fcff057f2ba02f300244b Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Dec 17 13:00:27 2020 +0300 all: improve documentation commit 3add300a42f0aa67bb315a448e294636c85d0b3b Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Dec 16 18:30:01 2020 +0300 all: improve changelog commit e04ef701fc2de7f4453729e617641c47e0883679 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Dec 16 17:56:53 2020 +0300 all: improve code and documentation commit 4f04845ae275ae4291869e00c62e4ff81b01eaa3 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Dec 16 17:01:08 2020 +0300 all: document changes, improve api commit bc59b7656a402d0c65f13bd74a71d8dda6a8a65d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Dec 15 18:22:01 2020 +0300 all: allow multiple rules in dns filter results	2020-12-17 13:32:46 +03:00
Ainar Garipov	2c56a68597	Pull request: all: update dnsproxy Merge in DNS/adguard-home from 2394-update-dnsproxy to master Updates #2394. Squashed commit of the following: commit 57526d188055af7d63b8d2fa0cc339612ff4c098 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Dec 16 14:43:29 2020 +0300 all: document changes commit acdfd6c219b0570770faf291fadc69ec1855baf4 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Dec 16 14:28:23 2020 +0300 all: update dnsproxy	2020-12-16 16:35:57 +03:00
Ainar Garipov	a2d39c810a	Pull request: dnsfilter: restore enum value Merge in DNS/adguard-home from fix-filter-names to master Squashed commit of the following: commit 620d80df12878a1b236abb26cd2a331df998a3d5 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Dec 14 20:02:41 2020 +0300 dnsfilter: restore enum value	2020-12-14 20:12:57 +03:00
Ainar Garipov	0cddf4c11d	Pull request: Update quic-go to v0.19.3 Merge in DNS/adguard-home from 2417-update-quic-go to master * commit '2c2a359d0ad26748b672c1b99aac92c5a4823039': Update quic-go to v0.19.3	2020-12-14 16:38:21 +03:00
Aaron Bieber	2c2a359d0a	Update quic-go to v0.19.3 quic-go at version 0.19.1 has a bug that prevents it from building on systems that don't have IP_RECVTOS. Version 0.19.3 contains a fix: https://github.com/lucas-clemente/quic-go/pull/2886	2020-12-11 08:20:45 -07:00