Merge branch 'master' into 4927-refactor-tls

home: refactor more
home: refactor tls
2022-11-22 17:10:40 +03:00 · 2022-11-21 19:45:18 +03:00 · 2022-11-21 19:05:49 +03:00
99 changed files with 1878 additions and 2790 deletions
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -7,9 +7,9 @@
    'name': 'AdGuard filters issues'
    'url': 'https://link.adtidy.org/forward.html?action=report&app=home&from=github'
  - 'about': >
-        Please send requests for new blocked services and vetted filtering lists
+        Please send requests for addition to the vetted filtering lists to the
-        to the Hostlists Registry repository
+        Hostlists Registry repository.
-    'name': 'Blocked services and vetted filtering rule lists: AdGuard Hostlists Registry'
+    'name': 'AdGuard Hostlists Registry'
    'url': 'https://github.com/AdguardTeam/HostlistsRegistry'
  - 'about': >
        Please use GitHub Discussions for questions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'
 'env':
-  'GO_VERSION': '1.18.9'
+  'GO_VERSION': '1.18.8'
  'NODE_VERSION': '14'
 'on':
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'
 'env':
-  'GO_VERSION': '1.18.9'
+  'GO_VERSION': '1.18.8'
 'on':
  'push':
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,117 +12,26 @@ and this project adheres to
 ## [Unreleased]
 <!--
-## [v0.108.0] - TBA
+## [v0.108.0] - TBA (APPROX.)
 -->
 <!--
-## [v0.107.22] - 2222-12-28 (APPROX.)
+## [v0.107.19] - 2022-11-23 (APPROX.)
 See also the [v0.107.22 GitHub milestone][ms-v0.107.22].
 [ms-v0.107.22]: https://github.com/AdguardTeam/AdGuardHome/milestone/58?closed=1
 -->
 ## [v0.107.21] - 2122-12-15
 See also the [v0.107.21 GitHub milestone][ms-v0.107.21].
 ### Changed
 - The URLs of the default filters for new installations are synchronized to
  those introduced in v0.107.20 ([#5238]).
  **NOTE:** Some users may need to re-add the lists from the vetted filter lists
  to update the URLs to the new ones.  Custom filters added by users themselves
  do not require re-adding.
 ### Fixed
 - `AdGuardHome --update` freezing when another instance of AdGuard Home is
  running ([#4223], [#5191]).
 - The `--update` flag performing an update even with the same version.
 - Failing HTTPS redirection on saving the encryption settings ([#4898]).
 - Zeroing rules counter of erroneusly edited filtering rule lists ([#5290]).
 - Filters updating strategy, which could sometimes lead to use of broken or
  incompletely downloaded lists ([#5258]).
 - Errors popping up during updates of settings, which could sometimes cause the
  server to stop responding ([#5251]).
 [#4898]: https://github.com/AdguardTeam/AdGuardHome/issues/4898
 [#5191]: https://github.com/AdguardTeam/AdGuardHome/issues/5191
 [#5238]: https://github.com/AdguardTeam/AdGuardHome/issues/5238
 [#5251]: https://github.com/AdguardTeam/AdGuardHome/issues/5251
 [#5258]: https://github.com/AdguardTeam/AdGuardHome/issues/5258
 [#5290]: https://github.com/AdguardTeam/AdGuardHome/issues/5290
 [ms-v0.107.21]: https://github.com/AdguardTeam/AdGuardHome/milestone/57?closed=1
 ## [v0.107.20] - 2022-12-07
 See also the [v0.107.20 GitHub milestone][ms-v0.107.20].
 ### Security
 - Go version has been updated to prevent the possibility of exploiting the
  CVE-2022-41717 and CVE-2022-41720 Go vulnerabilities fixed in [Go
  1.18.9][go-1.18.9].
 ### Added
 - The ability to clear the DNS cache ([#5190]).
 ### Changed
 - DHCP server initialization errors are now logged at debug level if the server
  itself disabled ([#4944]).
 ### Fixed
 - Wrong validation error messages on the DHCP configuration page ([#5208]).
 - Slow upstream checks making the API unresponsive ([#5193]).
 - The TLS initialization errors preventing AdGuard Home from starting ([#5189]).
  Instead, AdGuard Home disables encryption and shows an error message on the
  encryption settings page in the UI, which was the intended previous behavior.
 - URLs of some vetted blocklists.
 [#4944]: https://github.com/AdguardTeam/AdGuardHome/issues/4944
 [#5189]: https://github.com/AdguardTeam/AdGuardHome/issues/5189
 [#5190]: https://github.com/AdguardTeam/AdGuardHome/issues/5190
 [#5193]: https://github.com/AdguardTeam/AdGuardHome/issues/5193
 [#5208]: https://github.com/AdguardTeam/AdGuardHome/issues/5208
 [go-1.18.9]:    https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU
 [ms-v0.107.20]: https://github.com/AdguardTeam/AdGuardHome/milestone/56?closed=1
 ## [v0.107.19] - 2022-11-23
 See also the [v0.107.19 GitHub milestone][ms-v0.107.19].
 [ms-v0.107.19]: https://github.com/AdguardTeam/AdGuardHome/milestone/55?closed=1
 -->
 ### Added
 - The ability to block popular Mastodon instances
  ([AdguardTeam/HostlistsRegistry#100]).
 - The new `--update` command-line option, which allows updating AdGuard Home
  silently ([#4223]).
 ### Changed
 - Minor UI changes.
 [#4223]: https://github.com/AdguardTeam/AdGuardHome/issues/4223
 [ms-v0.107.19]: https://github.com/AdguardTeam/AdGuardHome/milestone/55?closed=1
 [AdguardTeam/HostlistsRegistry#100]: https://github.com/AdguardTeam/HostlistsRegistry/pull/100
 ## [v0.107.18] - 2022-11-08
@@ -1518,14 +1427,11 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.22...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.19...HEAD
-[v0.107.22]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.21...v0.107.22
+[v0.107.19]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.18...v0.107.19
 -->
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.21...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.18...HEAD
 [v0.107.21]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.20...v0.107.21
 [v0.107.20]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.19...v0.107.20
 [v0.107.19]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.18...v0.107.19
 [v0.107.18]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.17...v0.107.18
 [v0.107.17]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.16...v0.107.17
 [v0.107.16]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.15...v0.107.16
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
  'channel': 'edge'
-  'dockerGo': 'adguard/golang-ubuntu:5.4'
+  'dockerGo': 'adguard/golang-ubuntu:5.3'
 'stages':
 - 'Build frontend':
@@ -322,7 +322,7 @@
    # need to build a few of these.
    'variables':
      'channel': 'beta'
-      'dockerGo': 'adguard/golang-ubuntu:5.4'
+      'dockerGo': 'adguard/golang-ubuntu:5.3'
 # release-vX.Y.Z branches are the branches from which the actual final release
 # is built.
 - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -337,4 +337,4 @@
    # are the ones that actually get released.
    'variables':
      'channel': 'release'
-      'dockerGo': 'adguard/golang-ubuntu:5.4'
+      'dockerGo': 'adguard/golang-ubuntu:5.3'
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -5,7 +5,7 @@
  'key': 'AHBRTSPECS'
  'name': 'AdGuard Home - Build and run tests'
 'variables':
-  'dockerGo': 'adguard/golang-ubuntu:5.4'
+  'dockerGo': 'adguard/golang-ubuntu:5.3'
 'stages':
 - 'Tests':
--- a/client/src/__locales/ar.json
+++ b/client/src/__locales/ar.json
@@ -392,7 +392,6 @@
    "encryption_issuer": "المصدر",
    "encryption_hostnames": "اسم المستضيف",
    "encryption_reset": "هل أنت متأكد أنك تريد إعادة تعيين إعدادات التشفير؟",
    "encryption_warning": "تحذير",
    "topline_expiring_certificate": "شهادة SSL الخاصة بك على وشك الانتهاء. قم بتحديث <0>إعدادات التشفير</0>.",
    "topline_expired_certificate": "انتهت صلاحية شهادة SSL الخاصة بك. قم بتحديث <0>إعدادات التشفير</0>.",
    "form_error_port_range": "أدخل رقم المنفذ في النطاق 80-65535",
--- a/client/src/__locales/be.json
+++ b/client/src/__locales/be.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Налады DHCP IPv6",
    "form_error_required": "Абавязковае поле",
    "form_error_ip4_format": "Няслушны IPv4-адрас",
    "form_error_ip4_range_start_format": "Няслушны IPv4-адрас пачатку дыяпазону",
    "form_error_ip4_range_end_format": "Няслушны IPv4-адрас канца дыяпазону",
    "form_error_ip4_gateway_format": "Няслушны IPv4-адрас шлюза",
    "form_error_ip6_format": "Няслушны IPv6-адрас",
    "form_error_ip_format": "Няслушны IP-адрас",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Павінна быць па-за дыяпазонам «{{start}}»-«{{end}}»",
    "lower_range_start_error": "Павінна быць менш за пачатак дыяпазону",
    "greater_range_start_error": "Павінна быць больш за пачатак дыяпазону",
    "greater_range_end_error": "Павінна быць больш за канец дыяпазону",
    "subnet_error": "Адрасы павінны быць усярэдзіне адной падсеткі",
    "gateway_or_subnet_invalid": "Некарэктная маска падсеткі",
    "dhcp_form_gateway_input": "IP-адрас шлюза",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Выдавец",
    "encryption_hostnames": "Імёны хастоў",
    "encryption_reset": "Вы ўпэўнены, што хочаце скінуць налады шыфравання?",
    "encryption_warning": "Папярэджанне",
    "topline_expiring_certificate": "Ваш SSL-сертыфікат хутка мінае. Абновіце <0>Налады шыфравання</0>.",
    "topline_expired_certificate": "Ваш SSL-сертыфікат мінуў. Абновіце <0>Налады шыфравання</0>.",
    "form_error_port_range": "Увядзіце нумар порта з інтэрвалу 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Бяспечны інтэрнэт",
    "served_from_cache": "{{value}} <i>(атрымана з кэша)</i>",
    "form_error_password_length": "Пароль павінен быць не менш за {{value}} сімвалаў",
-    "anonymizer_notification": "<0>Заўвага:</0> Ананімізацыя IP уключана. Вы можаце адключыць яго ў <1>Агульных наладах</1> .",
+    "anonymizer_notification": "<0>Заўвага:</0> Ананімізацыя IP уключана. Вы можаце адключыць яго ў <1>Агульных наладах</1> ."
    "confirm_dns_cache_clear": "Вы ўпэўнены, што хочаце ачысціць кэш DNS?",
    "cache_cleared": "Кэш DNS паспяхова ачышчаны",
    "clear_cache": "Ачысціць кэш"
 }
--- a/client/src/__locales/bg.json
+++ b/client/src/__locales/bg.json
@@ -244,7 +244,6 @@
    "encryption_issuer": "Изпълнител",
    "encryption_hostnames": "Имена на хоста",
    "encryption_reset": "Сигурни ли сте че искате да изтриете настройките за криптиране?",
    "encryption_warning": "Внимание",
    "topline_expiring_certificate": "Вашият SSL сертификат изтича. Обнови <0>Настройки за криптиране</0>.",
    "topline_expired_certificate": "Вашият SSL сертификат е изтекъл. Обнови <0>Настройки за криптиране</0>.",
    "form_error_port_range": "Въведете порт в диапазона 80-65535",
--- a/client/src/__locales/cs.json
+++ b/client/src/__locales/cs.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Nastavení DHCP IPv6",
    "form_error_required": "Povinné pole",
    "form_error_ip4_format": "Neplatná adresa IPv4",
    "form_error_ip4_range_start_format": "Neplatná adresa IPv4 na začátku rozsahu",
    "form_error_ip4_range_end_format": "Neplatná adresa IPv4 na konci rozsahu",
    "form_error_ip4_gateway_format": "Neplatná adresa IPv4 brány",
    "form_error_ip6_format": "Neplatná adresa IPv6",
    "form_error_ip_format": "Neplatná IP adresa",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Musí být mimo rozsah \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Musí být menší než začátek rozsahu",
    "greater_range_start_error": "Musí být větší než začátek rozsahu",
    "greater_range_end_error": "Musí být větší než konec rozsahu",
    "subnet_error": "Adresy musí být v jedné podsíti",
    "gateway_or_subnet_invalid": "Neplatná maska podsítě",
    "dhcp_form_gateway_input": "IP brána",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Vydavatel",
    "encryption_hostnames": "Názvy hostitelů",
    "encryption_reset": "Opravdu chcete obnovit nastavení šifrování?",
    "encryption_warning": "Varování",
    "topline_expiring_certificate": "Váš SSL certifikát brzy vyprší. Aktualizujte <0>Nastavení šifrování</0>.",
    "topline_expired_certificate": "Váš SSL certifikát vypršel. Aktualizujte <0>Nastavení šifrování</0>.",
    "form_error_port_range": "Zadejte číslo portu v rozmezí 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Bezpečné prohlížení",
    "served_from_cache": "{{value}} <i>(převzato z mezipaměti)</i>",
    "form_error_password_length": "Heslo musí být alespoň {{value}} znaků dlouhé",
-    "anonymizer_notification": "<0>Poznámka:</0> Anonymizace IP je zapnuta. Můžete ji vypnout v <1>Obecných nastaveních</1>.",
+    "anonymizer_notification": "<0>Poznámka:</0> Anonymizace IP je zapnuta. Můžete ji vypnout v <1>Obecných nastaveních</1>."
    "confirm_dns_cache_clear": "Opravdu chcete vymazat mezipaměť DNS?",
    "cache_cleared": "Mezipaměť DNS úspěšně vymazána",
    "clear_cache": "Vymazat mezipaměť"
 }
--- a/client/src/__locales/da.json
+++ b/client/src/__locales/da.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6-indstillinger",
    "form_error_required": "Obligatorisk felt",
    "form_error_ip4_format": "Ugyldig IPv4-adresse",
    "form_error_ip4_range_start_format": "Ugyldig IPv4-startadresse for området",
    "form_error_ip4_range_end_format": "Ugyldig IPv4-slutadresse for området",
    "form_error_ip4_gateway_format": "Ugyldig IPv4 gateway-adresse",
    "form_error_ip6_format": "Ugyldig IPv6-adresse",
    "form_error_ip_format": "Ugyldig IP-adresse",
@@ -49,8 +51,9 @@
    "out_of_range_error": "Skal være uden for området \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Skal være mindre end starten på området",
    "greater_range_start_error": "Skal være større end starten på området",
    "greater_range_end_error": "Skal være større end områdeslutning",
    "subnet_error": "Adresser ska være i ét undernet",
-    "gateway_or_subnet_invalid": "Ugyldig undernetmaske",
+    "gateway_or_subnet_invalid": "Undernetmaske ugyldig",
    "dhcp_form_gateway_input": "Gateway IP",
    "dhcp_form_subnet_input": "Undernetmaske",
    "dhcp_form_range_title": "Interval af IP-adresser",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Udsteder",
    "encryption_hostnames": "Værtsnavne",
    "encryption_reset": "Sikker på, at du vil nulstille krypteringsindstillingerne?",
    "encryption_warning": "Advarsel",
    "topline_expiring_certificate": "Dit SSL-certifikat er ved at udløbe. Opdatér <0>Krypteringsindstillinger</0>.",
    "topline_expired_certificate": "Dit SSL-certifikat er udløbet. Opdatér <0>Krypteringsindstillinger</0>.",
    "form_error_port_range": "Angiv portnummer i intervallet 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Sikker Browsing",
    "served_from_cache": "{{value}} <i>(leveret fra cache)</i>",
    "form_error_password_length": "Adgangskoden skal udgøre mindst {{value}} tegn.",
-    "anonymizer_notification": "<0>Bemærk:</0> IP-anonymisering er aktiveret. Det kan deaktiveres via <1>Generelle indstillinger</1>.",
+    "anonymizer_notification": "<0>Bemærk:</0> IP-anonymisering er aktiveret. Det kan deaktiveres via <1>Generelle indstillinger</1>."
    "confirm_dns_cache_clear": "Sikker på, at DNS-cache skal ryddes?",
    "cache_cleared": "DNS-cache hermed ryddet",
    "clear_cache": "Ryd cache"
 }
--- a/client/src/__locales/de.json
+++ b/client/src/__locales/de.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP-IPv6-Einstellungen",
    "form_error_required": "Pflichtfeld",
    "form_error_ip4_format": "Ungültige IPv4-Adresse",
    "form_error_ip4_range_start_format": "Ungültiger Bereichsbeginn der IPv4-Adresse",
    "form_error_ip4_range_end_format": "Ungültiges Bereichsende der IPv4-Adresse",
    "form_error_ip4_gateway_format": "Ungültige IPv4-Adresse des Gateways",
    "form_error_ip6_format": "Ungültige IPv6-Adresse",
    "form_error_ip_format": "Ungültige IP-Adresse",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Muss außerhalb des Bereichs „{{start}}“-„{{end}}“ liegen",
    "lower_range_start_error": "Muss niedriger als der Bereichsbeginn sein",
    "greater_range_start_error": "Muss größer als der Bereichsbeginn sein",
    "greater_range_end_error": "Muss größer als das Bereichsende sein",
    "subnet_error": "Die Adressen müssen innerhalb eines Subnetzes liegen",
    "gateway_or_subnet_invalid": "Ungültige Subnetzmaske",
    "dhcp_form_gateway_input": "Gateway-IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Ausgestellt von",
    "encryption_hostnames": "Hostnamen",
    "encryption_reset": "Möchten Sie die Verschlüsselungseinstellungen wirklich zurücksetzen?",
    "encryption_warning": "Warnhinweis",
    "topline_expiring_certificate": "Ihr SSL-Zertifikat läuft demnächst ab. Aktualisieren Sie Ihre <0>Verschlüsselungseinstellungen</0>.",
    "topline_expired_certificate": "Ihr SSL-Zertifikat ist abgelaufen. Aktualisieren Sie Ihre <0>Verschlüsselungseinstellungen</0>.",
    "form_error_port_range": "Geben Sie die Portnummer zwischen 80 und 65535 ein",
@@ -635,8 +637,5 @@
    "safe_browsing": "Internetsicherheit",
    "served_from_cache": "{{value}} <i>(aus dem Cache abgerufen)</i>",
    "form_error_password_length": "Das Passwort muss mindestens {{value}} Zeichen enthalten",
-    "anonymizer_notification": "<0>Hinweis:</0> Die IP-Anonymisierung ist aktiviert. Sie können sie in den <1>Allgemeinen Einstellungen</1> deaktivieren.",
+    "anonymizer_notification": "<0>Hinweis:</0> Die IP-Anonymisierung ist aktiviert. Sie können sie in den <1>Allgemeinen Einstellungen</1> deaktivieren."
    "confirm_dns_cache_clear": "Möchten Sie den DNS-Cache wirklich leeren?",
    "cache_cleared": "DNS-Cache erfolgreich geleert",
    "clear_cache": "Cache leeren"
 }
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 Settings",
    "form_error_required": "Required field",
    "form_error_ip4_format": "Invalid IPv4 address",
    "form_error_ip4_range_start_format": "Invalid IPv4 address of the range start",
    "form_error_ip4_range_end_format": "Invalid IPv4 address of the range end",
    "form_error_ip4_gateway_format": "Invalid IPv4 address of the gateway",
    "form_error_ip6_format": "Invalid IPv6 address",
    "form_error_ip_format": "Invalid IP address",
@@ -49,8 +51,9 @@
    "out_of_range_error": "Must be out of range \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Must be lower than range start",
    "greater_range_start_error": "Must be greater than range start",
    "greater_range_end_error": "Must be greater than range end",
    "subnet_error": "Addresses must be in one subnet",
-    "gateway_or_subnet_invalid": "Invalid subnet mask",
+    "gateway_or_subnet_invalid": "Subnet mask invalid",
    "dhcp_form_gateway_input": "Gateway IP",
    "dhcp_form_subnet_input": "Subnet mask",
    "dhcp_form_range_title": "Range of IP addresses",
@@ -635,8 +638,5 @@
    "safe_browsing": "Safe Browsing",
    "served_from_cache": "{{value}} <i>(served from cache)</i>",
    "form_error_password_length": "Password must be at least {{value}} characters long",
-    "anonymizer_notification": "<0>Note:</0> IP anonymization is enabled. You can disable it in <1>General settings</1>.",
+    "anonymizer_notification": "<0>Note:</0> IP anonymization is enabled. You can disable it in <1>General settings</1>."
    "confirm_dns_cache_clear": "Are you sure you want to clear DNS cache?",
    "cache_cleared": "DNS cache successfully cleared",
    "clear_cache": "Clear cache"
 }
--- a/client/src/__locales/es.json
+++ b/client/src/__locales/es.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Configuración DHCP IPv6",
    "form_error_required": "Campo obligatorio",
    "form_error_ip4_format": "Dirección IPv4 no válida",
    "form_error_ip4_range_start_format": "Dirección IPv4 no válida del inicio de rango",
    "form_error_ip4_range_end_format": "Dirección IPv4 no válida del final de rango",
    "form_error_ip4_gateway_format": "Dirección IPv4 no válida de la puerta de enlace",
    "form_error_ip6_format": "Dirección IPv6 no válida",
    "form_error_ip_format": "Dirección IP no válida",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Debe estar fuera del rango \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Debe ser inferior que el inicio de rango",
    "greater_range_start_error": "Debe ser mayor que el inicio de rango",
    "greater_range_end_error": "Debe ser mayor que el final de rango",
    "subnet_error": "Las direcciones deben estar en una subred",
    "gateway_or_subnet_invalid": "Máscara de subred no válida",
    "dhcp_form_gateway_input": "IP de puerta de enlace",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Emisor",
    "encryption_hostnames": "Nombres de hosts",
    "encryption_reset": "¿Estás seguro de que deseas restablecer la configuración de cifrado?",
    "encryption_warning": "Advertencia",
    "topline_expiring_certificate": "Tu certificado SSL está a punto de expirar. Actualiza la <0>configuración de cifrado</0>.",
    "topline_expired_certificate": "Tu certificado SSL ha expirado. Actualiza la <0>configuración de cifrado</0>.",
    "form_error_port_range": "Ingresa el número del puerto en el rango de 80 a 65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navegación segura",
    "served_from_cache": "{{value}} <i>(servido desde la caché)</i>",
    "form_error_password_length": "La contraseña debe tener al menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Nota:</0> La anonimización de IP está habilitada. Puedes deshabilitarla en <1>Configuración general</1>.",
+    "anonymizer_notification": "<0>Nota:</0> La anonimización de IP está habilitada. Puedes deshabilitarla en <1>Configuración general</1>."
    "confirm_dns_cache_clear": "¿Estás seguro de que deseas borrar la caché de DNS?",
    "cache_cleared": "Caché DNS borrado con éxito",
    "clear_cache": "Borrar caché"
 }
--- a/client/src/__locales/fa.json
+++ b/client/src/__locales/fa.json
@@ -361,7 +361,6 @@
    "encryption_issuer": "صادر کننده",
    "encryption_hostnames": "نام میزبان",
    "encryption_reset": "آیا میخواهید تنظیمات رمزگُذاری به پیش فرض بازگردد؟",
    "encryption_warning": "هشدار",
    "topline_expiring_certificate": "گواهینامه اِس اِس اِل شما در صدد انقضاء است.  <0>تنظیمات رمزگُذاری</0> را بروز رسانی کنید.",
    "topline_expired_certificate": "گواهینامه اِس اِس اِل شما منقضی شده است. <0>تنظیمات رمزگُذاری</0> را بروز رسانی کنید.",
    "form_error_port_range": "مقدار پورت را در محدوده 80-65535 وارد کنید",
--- a/client/src/__locales/fi.json
+++ b/client/src/__locales/fi.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP:n IPv6-asetukset",
    "form_error_required": "Pakollinen kenttä",
    "form_error_ip4_format": "Virheellinen IPv4-osoite",
    "form_error_ip4_range_start_format": "Virheellinen IPv4-osoitealueen aloitusosoite",
    "form_error_ip4_range_end_format": "Virheellinen IPv4-osoitealueen päätösosoite",
    "form_error_ip4_gateway_format": "Virheellinen yhdyskäytävän IPv4-osoite",
    "form_error_ip6_format": "Virheellinen IPv6-osoite",
    "form_error_ip_format": "Virheellinen IP-osoite",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Oltava alueen \"{{start}}\" - \"{{end}}\" ulkopuolella",
    "lower_range_start_error": "Oltava alueen aloitusarvoa pienempi",
    "greater_range_start_error": "Oltava alueen aloitusarvoa suurempi",
    "greater_range_end_error": "Oltava alueen päätösarvoa pienempi",
    "subnet_error": "Osoitteiden tulee olla yhdessä aliverkossa",
    "gateway_or_subnet_invalid": "Virheellinen aliverkon peite",
    "dhcp_form_gateway_input": "Yhdyskäytävän IP-osoite",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Toimittaja",
    "encryption_hostnames": "Isäntänimet",
    "encryption_reset": "Haluatko varmasti palauttaa salausasetukset?",
    "encryption_warning": "Varoitus",
    "topline_expiring_certificate": "SSL-varmenteesi on erääntymässä. Päivitä <0>Salausasetukset</0>.",
    "topline_expired_certificate": "SSL-varmenteesi on erääntynyt. Päivitä <0>Salausasetukset</0>.",
    "form_error_port_range": "Syötä portti väliltä 80-65535",
@@ -540,8 +542,8 @@
    "descr": "Kuvaus",
    "whois": "WHOIS",
    "filtering_rules_learn_more": "<0>Lue lisää</0> omien hosts-listojesi luonnista.",
-    "blocked_by_response": "Estetty vastauksen CNAME:n tai IP:n perusteella",
+    "blocked_by_response": "Vastauksen sisältämän CNAME:n tai IP:n estämä",
-    "blocked_by_cname_or_ip": "Estetty CNAME:n tai IP:n perusteella",
+    "blocked_by_cname_or_ip": "CNAME:n tai IP:n estämä",
    "try_again": "Yritä uudelleen",
    "domain_desc": "Syötä korvattava verkkotunnus tai jokerimerkki.",
    "example_rewrite_domain": "korvaa vain tämän verkkotunnuksen vastaukset",
@@ -635,8 +637,5 @@
    "safe_browsing": "Turvallinen selaus",
    "served_from_cache": "{{value}} <i>(jaettu välimuistista)</i>",
    "form_error_password_length": "Salasanan on oltava ainakin {{value}} merkkiä",
-    "anonymizer_notification": "<0>Huomioi:</0> IP-osoitteen anonymisointi on käytössä. Voit poistaa sen käytöstä <1>Yleisistä asetuksista</1>.",
+    "anonymizer_notification": "<0>Huomioi:</0> IP-osoitteen anonymisointi on käytössä. Voit poistaa sen käytöstä <1>Yleisistä asetuksista</1>."
    "confirm_dns_cache_clear": "Haluatko varmasti tyhjentää DNS-välimuistin?",
    "cache_cleared": "DNS-välimuistin tyhjennys onnistui",
    "clear_cache": "Tyhjennä välimuisti"
 }
--- a/client/src/__locales/fr.json
+++ b/client/src/__locales/fr.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Paramètres IPv6 du DHCP",
    "form_error_required": "Champ requis",
    "form_error_ip4_format": "Adresse IPv4 invalide",
    "form_error_ip4_range_start_format": "Adresse de début de plage IPv4 incorrecte",
    "form_error_ip4_range_end_format": "Adresse de fin de plage IPv4 incorrecte",
    "form_error_ip4_gateway_format": "Adresse de passerelle IPv4 invalide",
    "form_error_ip6_format": "Adresse IPv6 invalide",
    "form_error_ip_format": "Adresse IP invalide",
@@ -49,8 +51,9 @@
    "out_of_range_error": "Doit être hors plage « {{start}} » - « {{end}} »",
    "lower_range_start_error": "Doit être inférieur au début de plage",
    "greater_range_start_error": "Doit être supérieur au début de plage",
    "greater_range_end_error": "Doit être supérieur à la fin de plage",
    "subnet_error": "Les adresses doivent être dans le même sous-réseau",
-    "gateway_or_subnet_invalid": "Masque de sous-réseau invalide.",
+    "gateway_or_subnet_invalid": "Masque de sous-réseau invalide",
    "dhcp_form_gateway_input": "IP de la passerelle",
    "dhcp_form_subnet_input": "Masque de sous-réseau",
    "dhcp_form_range_title": "Rangée des adresses IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Émetteur",
    "encryption_hostnames": "Noms d'hôte",
    "encryption_reset": "Voulez-vous vraiment réinitialiser les paramètres de chiffrement ?",
    "encryption_warning": "Attention",
    "topline_expiring_certificate": "Votre certificat SSL est sur le point d'expirer. Mettez à jour vos <0>Paramètres de chiffrement</0>.",
    "topline_expired_certificate": "Votre certificat SSL a expiré. Mettez à jour vos <0>Paramètres de chiffrement</0>.",
    "form_error_port_range": "Saisissez une valeur de port entre 80 et 65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navigation sécurisée",
    "served_from_cache": "{{value}} <i>(depuis le cache)</i>",
    "form_error_password_length": "Le mot de passe doit comporter au moins {{value}} caractères",
-    "anonymizer_notification": "<0>Note :</0> L'anonymisation IP est activée. Vous pouvez la désactiver dans les <1>paramètres généraux</1>.",
+    "anonymizer_notification": "<0>Note :</0> L'anonymisation IP est activée. Vous pouvez la désactiver dans les <1>paramètres généraux</1>."
    "confirm_dns_cache_clear": "Voulez-vous vraiment vider le cache DNS ?",
    "cache_cleared": "Le cache DNS a été vidé",
    "clear_cache": "Vider le cache"
 }
--- a/client/src/__locales/hr.json
+++ b/client/src/__locales/hr.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 postavke",
    "form_error_required": "Obavezno polje",
    "form_error_ip4_format": "Nevažeća IPv4 adresa",
    "form_error_ip4_range_start_format": "Nepravilan početak ranga IPv4 adresa",
    "form_error_ip4_range_end_format": "Nepravilan kraj ranga IPv4 adresa",
    "form_error_ip4_gateway_format": "Nepravilna IPV4 adresa čvora",
    "form_error_ip6_format": "Nevažeći IPv6 adresa",
    "form_error_ip_format": "Nepravilna IP adresa",
@@ -49,8 +51,9 @@
    "out_of_range_error": "Mora biti izvan ranga \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Mora biti niže od početnog ranga",
    "greater_range_start_error": "Mora biti veće od krajnjeg ranga",
    "greater_range_end_error": "Mora biti veće od krajnjeg ranga",
    "subnet_error": "Adrese moraju biti iz iste podmreže",
-    "gateway_or_subnet_invalid": "Nevažeća podmrežna maska",
+    "gateway_or_subnet_invalid": "Maska podmreže je neprvilna",
    "dhcp_form_gateway_input": "Gateway IP",
    "dhcp_form_subnet_input": "Subnet maskiranje",
    "dhcp_form_range_title": "Raspon IP adresa",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Izdavač",
    "encryption_hostnames": "Nazivi računala",
    "encryption_reset": "Jeste li sigurni da želite poništiti postavke šifriranja?",
    "encryption_warning": "Upozorenje",
    "topline_expiring_certificate": "Vaš SSL certifikat uskoro ističe. Ažurirajte <0>Postavke šifriranja</0>.",
    "topline_expired_certificate": "Vaš SSL certifikat je istekao. Ažurirajte <0>Postavke šifriranja</0>.",
    "form_error_port_range": "Unesite broj porta od 80 do 65536",
@@ -635,8 +637,5 @@
    "safe_browsing": "Sigurno surfanje",
    "served_from_cache": "{{value}} <i>(dohvaćeno iz predmemorije)</i>",
    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova",
-    "anonymizer_notification": "<0>Napomena:</0>IP anonimizacija je omogućena. Možete ju onemogućiti u <1>općim postavkama</1>.",
+    "anonymizer_notification": "<0>Napomena:</0>IP anonimizacija je omogućena. Možete ju onemogućiti u <1>općim postavkama</1>."
    "confirm_dns_cache_clear": "Jeste li sigurni da želite očistiti DNS predmemoriju?",
    "cache_cleared": "DNS predmemorija je uspješno izbrisana",
    "clear_cache": "Očisti predmemoriju"
 }
--- a/client/src/__locales/hu.json
+++ b/client/src/__locales/hu.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 Beállítások",
    "form_error_required": "Kötelező mező",
    "form_error_ip4_format": "Érvénytelen IPv4 cím",
    "form_error_ip4_range_start_format": "Érvénytelen IPv4-cím a tartomány kezdetéhez",
    "form_error_ip4_range_end_format": "Érvénytelen IPv4-cím a tartomány végén",
    "form_error_ip4_gateway_format": "Az átjáróhoz (gateway) érvénytelen IPv4 cím lett megadva",
    "form_error_ip6_format": "Érvénytelen IPv6 cím",
    "form_error_ip_format": "Érvénytelen IP-cím",
@@ -49,6 +51,7 @@
    "out_of_range_error": "A következő tartományon kívül legyen: \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Kisebb legyen, mint a tartomány kezdete",
    "greater_range_start_error": "Nagyobbnak kell lennie, mint a tartomány kezdete",
    "greater_range_end_error": "Nagyobb legyen, mint a tartomány vége",
    "subnet_error": "A címeknek egy alhálózatban kell lenniük",
    "gateway_or_subnet_invalid": "Az alhálózati maszk érvénytelen",
    "dhcp_form_gateway_input": "Átjáró IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Kibocsátó",
    "encryption_hostnames": "Hosztnevek",
    "encryption_reset": "Biztosan visszaállítja a titkosítási beállításokat?",
    "encryption_warning": "Figyelmeztetés",
    "topline_expiring_certificate": "Az SSL-tanúsítványa hamarosan lejár. Frissítse a <0>Titkosítási beállításokat</0>.",
    "topline_expired_certificate": "Az SSL-tanúsítványa lejárt. Frissítse a <0>Titkosítási beállításokat</0>.",
    "form_error_port_range": "Adjon meg egy portszámot a 80-65535 tartományon belül",
@@ -635,8 +637,5 @@
    "safe_browsing": "Biztonságos böngészés",
    "served_from_cache": "{{value}} <i>(gyorsítótárból kiszolgálva)</i>",
    "form_error_password_length": "A jelszó legalább {{value}} karakter hosszú kell, hogy legyen",
-    "anonymizer_notification": "<0>Megjegyzés:</0> Az IP anonimizálás engedélyezve van. Az <1>Általános beállításoknál letilthatja</1> .",
+    "anonymizer_notification": "<0>Megjegyzés:</0> Az IP anonimizálás engedélyezve van. Az <1>Általános beállításoknál letilthatja</1> ."
    "confirm_dns_cache_clear": "Biztos benne, hogy törölni szeretné a DNS-gyorsítótárat?",
    "cache_cleared": "A DNS gyorsítótár sikeresen törlődött",
    "clear_cache": "Gyorsítótár törlése"
 }
--- a/client/src/__locales/id.json
+++ b/client/src/__locales/id.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Pengaturan DHCP IPv6",
    "form_error_required": "Kolom yang harus diisi",
    "form_error_ip4_format": "Alamat IPv4 tidak valid",
    "form_error_ip4_range_start_format": "Alamat IPv4 tidak valid dari rentang awal",
    "form_error_ip4_range_end_format": "Alamat IPv4 tidak valid dari rentang akhir",
    "form_error_ip4_gateway_format": "Alamat IPv4 gateway tidak valid",
    "form_error_ip6_format": "Alamat IPv6 tidak valid",
    "form_error_ip_format": "Alamat IP tidak valid",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Harus di luar rentang \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Harus lebih rendah dari rentang awal",
    "greater_range_start_error": "Harus lebih besar dari rentang awal",
    "greater_range_end_error": "Harus lebih besar dari rentang akhir",
    "subnet_error": "Alamat harus dalam satu subnet",
    "gateway_or_subnet_invalid": "Subnet mask tidak valid",
    "dhcp_form_gateway_input": "IP gateway",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Penerbit",
    "encryption_hostnames": "Nama host",
    "encryption_reset": "Anda yakin ingin mengatur ulang pengaturan enkripsi?",
    "encryption_warning": "Perhatian",
    "topline_expiring_certificate": "Sertifikat SSL Anda hampir kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
    "topline_expired_certificate": "Sertifikat SSL Anda kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
    "form_error_port_range": "Masukkan nomor port di kisaran 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Penjelajahan Aman",
    "served_from_cache": "{{value}} <i>(disajikan dari cache)</i>",
    "form_error_password_length": "Kata sandi harus minimal {{value}} karakter",
-    "anonymizer_notification": "<0>Catatan:</0> Anonimisasi IP diaktifkan. Anda dapat menonaktifkannya di <1>Pengaturan umum</1> .",
+    "anonymizer_notification": "<0>Catatan:</0> Anonimisasi IP diaktifkan. Anda dapat menonaktifkannya di <1>Pengaturan umum</1> ."
    "confirm_dns_cache_clear": "Apakah Anda yakin ingin menghapus cache DNS?",
    "cache_cleared": "Cache DNS berhasil dibersihkan",
    "clear_cache": "Hapus cache"
 }
--- a/client/src/__locales/it.json
+++ b/client/src/__locales/it.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Impostazioni DHCP IPv6",
    "form_error_required": "Campo richiesto",
    "form_error_ip4_format": "Indirizzo IPv4 non valido",
    "form_error_ip4_range_start_format": "Indirizzo IPV4 non valido dell'intervallo iniziale",
    "form_error_ip4_range_end_format": "Indirizzo IPV4 non valido dell'intervallo finale",
    "form_error_ip4_gateway_format": "Indirizzo gateway IPv4 non valido",
    "form_error_ip6_format": "Indirizzo IPv6 non valido",
    "form_error_ip_format": "Indirizzo IP non valido",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Deve essere fuori intervallo \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Deve essere inferiore dell'intervallo di inizio",
    "greater_range_start_error": "Deve essere maggiore dell'intervallo di inizio",
    "greater_range_end_error": "Deve essere maggiore dell'intervallo di fine",
    "subnet_error": "Gli indirizzi devono trovarsi in una sottorete",
    "gateway_or_subnet_invalid": "Maschera di sottorete non valida",
    "dhcp_form_gateway_input": "IP Gateway",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Emittente",
    "encryption_hostnames": "Nomi host",
    "encryption_reset": "Sei sicuro di voler ripristinare le impostazioni di crittografia?",
    "encryption_warning": "Attenzione",
    "topline_expiring_certificate": "Il tuo certificato SSL sta per scadere. Aggiorna le<0> Impostazioni di crittografia </ 0>.",
    "topline_expired_certificate": "Il tuo certificato SSL è scaduto. Aggiorna le <0> Impostazioni di crittografia </ 0>.",
    "form_error_port_range": "Immettere il valore della porta nell'intervallo 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navigazione Sicura",
    "served_from_cache": "{{value}} <i>(fornito dalla cache)</i>",
    "form_error_password_length": "La password deve contenere almeno {{value}} caratteri",
-    "anonymizer_notification": "<0>Attenzione:</0> L'anonimizzazione dell'IP è abilitata. Puoi disabilitarla in <1>Impostazioni generali</1>.",
+    "anonymizer_notification": "<0>Attenzione:</0> L'anonimizzazione dell'IP è abilitata. Puoi disabilitarla in <1>Impostazioni generali</1>."
    "confirm_dns_cache_clear": "Sei sicuro di voler cancellare la cache DNS?",
    "cache_cleared": "Cache DNS è stata cancellata correttamente",
    "clear_cache": "Cancella cache"
 }
--- a/client/src/__locales/ja.json
+++ b/client/src/__locales/ja.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 設定",
    "form_error_required": "必須項目です",
    "form_error_ip4_format": "IPv4アドレスが無効です",
    "form_error_ip4_range_start_format": "範囲開始のIPv4アドレスが無効です",
    "form_error_ip4_range_end_format": "範囲終了のIPv4アドレスが無効です",
    "form_error_ip4_gateway_format": "ゲートウェイのIPv4アドレスが無効です",
    "form_error_ip6_format": "IPv6アドレスが無効です",
    "form_error_ip_format": "IPアドレスが無効です",
@@ -49,6 +51,7 @@
    "out_of_range_error": "\"{{start}}\"〜\"{{end}}\" の範囲外である必要があります",
    "lower_range_start_error": "範囲開始よりも低い値である必要があります",
    "greater_range_start_error": "範囲開始値より大きい値でなければなりません",
    "greater_range_end_error": "範囲終了値より大きい値でなければなりません",
    "subnet_error": "両アドレスが同じサブネット内にある必要があります",
    "gateway_or_subnet_invalid": "サブネットマスクが無効です",
    "dhcp_form_gateway_input": "ゲートウェイIP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "発行者",
    "encryption_hostnames": "ホスト名",
    "encryption_reset": "暗号化設定をリセットして良いですか？",
    "encryption_warning": "警告",
    "topline_expiring_certificate": "SSL証明書は期限切れになります。<0>暗号化設定</0>を更新します。",
    "topline_expired_certificate": "SSL証明書は期限切れです。<0>暗号化設定</0>を更新します。",
    "form_error_port_range": "80〜65535 の範囲内でポート番号を入力してください",
@@ -635,8 +637,5 @@
    "safe_browsing": "セーフブラウジング",
    "served_from_cache": "{{value}} <i>(キャッシュから応答)</i>",
    "form_error_password_length": "パスワードは{{value}}文字以上にしてください",
-    "anonymizer_notification": "【<0>注意</0>】IPの匿名化が有効になっています。 <1>一般設定</1>で無効にできます。",
+    "anonymizer_notification": "【<0>注意</0>】IPの匿名化が有効になっています。 <1>一般設定</1>で無効にできます。"
    "confirm_dns_cache_clear": "DNS キャッシュをクリアしてもよろしいですか？",
    "cache_cleared": "DNSキャッシュのクリア完了です。",
    "clear_cache": "キャッシュをクリアする"
 }
--- a/client/src/__locales/ko.json
+++ b/client/src/__locales/ko.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 설정",
    "form_error_required": "필수 영역",
    "form_error_ip4_format": "잘못된 IPv4 형식",
    "form_error_ip4_range_start_format": "잘못된 범위 시작 IPv4 형식",
    "form_error_ip4_range_end_format": "잘못된 범위 종료 IPv4 형식",
    "form_error_ip4_gateway_format": "잘못된 게이트웨이 IPv4 형식",
    "form_error_ip6_format": "잘못된 IPv6 주소",
    "form_error_ip_format": "잘못된 IP 주소",
@@ -49,6 +51,7 @@
    "out_of_range_error": "'{{start}}'-'{{end}}' 범위 밖이어야 합니다",
    "lower_range_start_error": "범위 시작보다 작은 값이어야 합니다",
    "greater_range_start_error": "범위 시작보다 큰 값이어야 합니다",
    "greater_range_end_error": "범위 종료보다 큰 값이어야 합니다",
    "subnet_error": "주소는 하나의 서브넷에 있어야 합니다",
    "gateway_or_subnet_invalid": "잘못된 서브넷 마스크",
    "dhcp_form_gateway_input": "게이트웨이 IP",
@@ -220,7 +223,7 @@
    "example_upstream_tcp_hostname": "일반 DNS (TCP를 통한, 호스트명);",
    "all_lists_up_to_date_toast": "모든 리스트가 이미 최신입니다",
    "updated_upstream_dns_toast": "업스트림 서버가 성공적으로 저장되었습니다",
-    "dns_test_ok_toast": "지정된 DNS 서버가 올바르게 작동하고 있습니다.",
+    "dns_test_ok_toast": "특정 DNS 서버들은 정상적으로 동작 중입니다",
    "dns_test_not_ok_toast": "서버 '{{key}}': 사용할 수 없습니다, 제대로 작성했는지 확인하세요",
    "dns_test_warning_toast": "업스트림 '{{key}}'이(가) 테스트 요청에 응답하지 않으며 제대로 작동하지 않을 수 있습니다",
    "unblock": "차단 해제",
@@ -390,7 +393,6 @@
    "encryption_issuer": "발행자",
    "encryption_hostnames": "호스트 이름",
    "encryption_reset": "암호화 설정을 재설정하시겠습니까?",
    "encryption_warning": "경고",
    "topline_expiring_certificate": "SSL 인증서가 곧 만료됩니다. 업데이트<0> 암호화 설정</0>.",
    "topline_expired_certificate": "SSL 인증서가 만료되었습니다. 업데이트<0> 암호화 설정</0>.",
    "form_error_port_range": "80-65535 범위의 포트 번호를 입력하세요",
@@ -635,8 +637,5 @@
    "safe_browsing": "세이프 브라우징",
    "served_from_cache": "{{value}} <i>(캐시에서 제공)</i>",
    "form_error_password_length": "비밀번호는 {{value}}자 이상이어야 합니다",
-    "anonymizer_notification": "<0>참고:</0> IP 익명화가 활성화되었습니다. <1>일반 설정</1>에서 비활성화할 수 있습니다.",
+    "anonymizer_notification": "<0>참고:</0> IP 익명화가 활성화되었습니다. <1>일반 설정</1>에서 비활성화할 수 있습니다."
    "confirm_dns_cache_clear": "정말로 DNS 캐시를 지우시겠습니까?",
    "cache_cleared": "DNS 캐시를 성공적으로 지웠습니다",
    "clear_cache": "캐시 지우기"
 }
--- a/client/src/__locales/nl.json
+++ b/client/src/__locales/nl.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 instellingen",
    "form_error_required": "Vereist veld",
    "form_error_ip4_format": "Ongeldig IPv4-adres",
    "form_error_ip4_range_start_format": "Ongeldig IPv4-adres start bereik",
    "form_error_ip4_range_end_format": "Ongeldig IPv4-adres einde bereik",
    "form_error_ip4_gateway_format": "Ongeldig IPv4-adres van de gateway",
    "form_error_ip6_format": "Ongeldig IPv6-adres",
    "form_error_ip_format": "Ongeldig IP-adres",
@@ -49,8 +51,9 @@
    "out_of_range_error": "Moet buiten bereik zijn \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Moet lager zijn dan begin reeks",
    "greater_range_start_error": "Moet groter zijn dan begin reeks",
    "greater_range_end_error": "Moet groter zijn dan einde reeks",
    "subnet_error": "Adressen moeten in één subnet vallen",
-    "gateway_or_subnet_invalid": "Ongeldig subnetmasker",
+    "gateway_or_subnet_invalid": "Subnetmasker ongeldig",
    "dhcp_form_gateway_input": "Gateway IP",
    "dhcp_form_subnet_input": "Subnet mask",
    "dhcp_form_range_title": "Bereik van IP adressen",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Uitgever",
    "encryption_hostnames": "Hostnamen",
    "encryption_reset": "Ben je zeker dat je de encryptie instellingen wil resetten?",
    "encryption_warning": "Waarschuwing",
    "topline_expiring_certificate": "Jouw SSL-certificaat vervalt binnenkort. Werk de <0>encryptie-instellingen</0> bij.",
    "topline_expired_certificate": "Jouw SSL-certificaat is vervallen. Werk de <0>encryptie-instellingen</0> bij.",
    "form_error_port_range": "Poortnummer invoeren tussen 80 en 65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Veilig browsen",
    "served_from_cache": "{{value}} <i>(geleverd vanuit cache)</i>",
    "form_error_password_length": "Wachtwoord moet minimaal {{value}} tekens lang zijn",
-    "anonymizer_notification": "<0>Opmerking:</0> IP-anonimisering is ingeschakeld. Je kunt het uitschakelen in <1>Algemene instellingen</1>.",
+    "anonymizer_notification": "<0>Opmerking:</0> IP-anonimisering is ingeschakeld. Je kunt het uitschakelen in <1>Algemene instellingen</1>."
    "confirm_dns_cache_clear": "Weet je zeker dat je de DNS-cache wilt wissen?",
    "cache_cleared": "DNS-cache succesvol gewist",
    "clear_cache": "Cache wissen"
 }
--- a/client/src/__locales/no.json
+++ b/client/src/__locales/no.json
@@ -373,7 +373,6 @@
    "encryption_issuer": "Utsteder",
    "encryption_hostnames": "Vertsnavn",
    "encryption_reset": "Er du sikker på at du vil tilbakestille krypteringsinnstillingene?",
    "encryption_warning": "Advarsel",
    "topline_expiring_certificate": "Ditt SSL-sertifikat er i ferd med å utløpe. Oppdater <0>Krypteringsinnstillinger</0>.",
    "topline_expired_certificate": "SSL-sertifikatet har utløpt. Oppdater <0>Krypteringsinnstillinger</0>.",
    "form_error_port_range": "Skriv inn et portnummer i området 80-65535",
--- a/client/src/__locales/pl.json
+++ b/client/src/__locales/pl.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Ustawienia serwera DHCP IPv6",
    "form_error_required": "Pole wymagane",
    "form_error_ip4_format": "Nieprawidłowy adres IPv4",
    "form_error_ip4_range_start_format": "Nieprawidłowy adres IPv4 początku zakresu",
    "form_error_ip4_range_end_format": "Nieprawidłowy adres IPv4 końca zakresu",
    "form_error_ip4_gateway_format": "Nieprawidłowy adres IPv4 bramy",
    "form_error_ip6_format": "Nieprawidłowy adres IPv6",
    "form_error_ip_format": "Nieprawidłowy adres IP",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Musi być spoza zakresu \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Musi być niższy niż początek zakresu",
    "greater_range_start_error": "Musi być większy niż początek zakresu",
    "greater_range_end_error": "Musi być większy niż koniec zakresu",
    "subnet_error": "Adresy muszą należeć do jednej podsieci",
    "gateway_or_subnet_invalid": "Nieprawidłowa maska podsieci",
    "dhcp_form_gateway_input": "Adres IP bramy",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Zgłaszający",
    "encryption_hostnames": "Nazwy hostów",
    "encryption_reset": "Czy na pewno chcesz zresetować ustawienia szyfrowania?",
    "encryption_warning": "Uwaga!",
    "topline_expiring_certificate": "Twój certyfikat SSL wkrótce wygaśnie. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
    "topline_expired_certificate": "Twój certyfikat SSL wygasł. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
    "form_error_port_range": "Wpisz numer portu z zakresu 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Bezpieczne przeglądanie",
    "served_from_cache": "{{value}} <i>(podawane z pamięci podręcznej)</i>",
    "form_error_password_length": "Hasło musi mieć co najmniej {{value}} znaków",
-    "anonymizer_notification": "<0>Uwaga:</0> Anonimizacja IP jest włączona. Możesz ją wyłączyć w <1>Ustawieniach ogólnych</1>.",
+    "anonymizer_notification": "<0>Uwaga:</0> Anonimizacja IP jest włączona. Możesz ją wyłączyć w <1>Ustawieniach ogólnych</1>."
    "confirm_dns_cache_clear": "Czy na pewno chcesz wyczyścić pamięć podręczną DNS?",
    "cache_cleared": "Pamięć podręczna DNS została pomyślnie wyczyszczona",
    "clear_cache": "Wyczyść pamięć podręczną"
 }
--- a/client/src/__locales/pt-br.json
+++ b/client/src/__locales/pt-br.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Configurações DHCP IPv6",
    "form_error_required": "Campo obrigatório",
    "form_error_ip4_format": "Endereço de IPv4 inválido",
    "form_error_ip4_range_start_format": "Endereço IPv4 de início de intervalo inválido",
    "form_error_ip4_range_end_format": "Endereço IPv4 de fim de intervalo inválido.",
    "form_error_ip4_gateway_format": "Endereço IPv4 de gateway inválido",
    "form_error_ip6_format": "Endereço de IPv6 inválido",
    "form_error_ip_format": "Endereço de IP inválido",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Deve estar fora do intervalo \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Deve ser inferior ao início do intervalo",
    "greater_range_start_error": "Deve ser maior que o início do intervalo",
    "greater_range_end_error": "Deve ser maior que o fim do intervalo",
    "subnet_error": "Endereços devem estar em uma sub-rede",
    "gateway_or_subnet_invalid": "Máscara de sub-rede inválida",
    "dhcp_form_gateway_input": "IP do gateway",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Emissor",
    "encryption_hostnames": "Nomes dos servidores",
    "encryption_reset": "Você tem certeza de que deseja redefinir a configuração de criptografia?",
    "encryption_warning": "Aviso",
    "topline_expiring_certificate": "Seu certificado SSL está prestes a expirar. Atualize suas <0>configurações de criptografia</]0>",
    "topline_expired_certificate": "Seu certificado SSL está expirado. Atualize suas <0>configurações de criptografia</0>",
    "form_error_port_range": "Digite um número de porta entre 80 e 65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navegação segura",
    "served_from_cache": "{{value}} <i>(servido do cache)</i>",
    "form_error_password_length": "A senha deve ter pelo menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-lo em <1>Configurações gerais</1>.",
+    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-lo em <1>Configurações gerais</1>."
    "confirm_dns_cache_clear": "Tem certeza de que deseja limpar o cache DNS?",
    "cache_cleared": "Cache DNS limpo com sucesso",
    "clear_cache": "Limpar cache"
 }
--- a/client/src/__locales/pt-pt.json
+++ b/client/src/__locales/pt-pt.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Definições DHCP IPv6",
    "form_error_required": "Campo obrigatório",
    "form_error_ip4_format": "Endereço de IPv4 inválido",
    "form_error_ip4_range_start_format": "Endereço IPv4 de início de intervalo inválido",
    "form_error_ip4_range_end_format": "Endereço IPv4 de fim de intervalo inválido",
    "form_error_ip4_gateway_format": "Endereço IPv4 de gateway inválido",
    "form_error_ip6_format": "Endereço de IPv6 inválido",
    "form_error_ip_format": "Endereço de email inválido",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Deve estar fora do intervalo \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Deve ser inferior ao início do intervalo",
    "greater_range_start_error": "Deve ser maior que o início do intervalo",
    "greater_range_end_error": "Deve ser maior que o fim do intervalo",
    "subnet_error": "Os endereços devem estar em uma sub-rede",
    "gateway_or_subnet_invalid": "Máscara de sub-rede inválida",
    "dhcp_form_gateway_input": "IP do gateway",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Emissor",
    "encryption_hostnames": "Nomes dos servidores",
    "encryption_reset": "Tem a certeza de que deseja repor a definição de criptografia?",
    "encryption_warning": "Aviso",
    "topline_expiring_certificate": "O seu certificado SSL está prestes a expirar. Atualize as suas <0>definições de criptografia</0>.",
    "topline_expired_certificate": "O seu certificado SSL está expirado. Atualize as suas <0>definições de criptografia</0>.",
    "form_error_port_range": "Digite um numero de porta entre 80 e 65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navegação segura",
    "served_from_cache": "{{value}} <i>(servido do cache)</i>",
    "form_error_password_length": "A palavra-passe deve ter pelo menos {{value}} caracteres",
-    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-la em <1>Definições gerais</1>.",
+    "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-la em <1>Definições gerais</1>."
    "confirm_dns_cache_clear": "Tem certeza de que quer limpar a cache DNS?",
    "cache_cleared": "O cache DNS foi apagado com sucesso",
    "clear_cache": "Limpar cache"
 }
--- a/client/src/__locales/ro.json
+++ b/client/src/__locales/ro.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Setări DHCP IPv6",
    "form_error_required": "Câmp obligatoriu",
    "form_error_ip4_format": "Adresă IPv4 nevalidă",
    "form_error_ip4_range_start_format": "Adresă IPv4 nevalidă pentru începutul intervalului",
    "form_error_ip4_range_end_format": "Adresă IPv4 nevalidă a sfârșitului intervalului",
    "form_error_ip4_gateway_format": "Adresă IPv4 nevalidă a gateway-ului",
    "form_error_ip6_format": "Adresa IPv6 nevalidă",
    "form_error_ip_format": "Adresă IP nevalidă",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Trebuie să fie în afara intervalului „{{start}}”-„{{end}}”",
    "lower_range_start_error": "Trebuie să fie mai mică decât începutul intervalului",
    "greater_range_start_error": "Trebuie să fie mai mare decât începutul intervalului",
    "greater_range_end_error": "Trebuie să fie mai mare decât sfârșitul intervalului",
    "subnet_error": "Adresele trebuie să fie în aceeași subrețea",
    "gateway_or_subnet_invalid": "Mască de subrețea nevalidă",
    "dhcp_form_gateway_input": "IP Gateway",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Emitent",
    "encryption_hostnames": "Nume de host",
    "encryption_reset": "Sunteți sigur că doriți să resetați setările de criptare?",
    "encryption_warning": "Avertisment",
    "topline_expiring_certificate": "Certificatul dvs. SSL este pe cale să expire. Actualizați <0>Setările de criptare</0>.",
    "topline_expired_certificate": "Certificatul dvs. SSL a expirat. Actualizați <0>Setările de criptare</0>.",
    "form_error_port_range": "Introduceți valoarea portului între 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Navigare în siguranță",
    "served_from_cache": "{{value}} <i>(furnizat din cache)</i>",
    "form_error_password_length": "Parola trebuie să aibă cel puțin {{value}} caractere",
-    "anonymizer_notification": "<0>Nota:</0> Anonimizarea IP este activată. Puteți să o dezactivați în <1>Setări generale</1>.",
+    "anonymizer_notification": "<0>Nota:</0> Anonimizarea IP este activată. Puteți să o dezactivați în <1>Setări generale</1>."
    "confirm_dns_cache_clear": "Sunteți sigur că doriți să ștergeți memoria cache DNS?",
    "cache_cleared": "Cache-ul DNS a fost golit cu succes",
    "clear_cache": "Goliți memoria cache"
 }
--- a/client/src/__locales/ru.json
+++ b/client/src/__locales/ru.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Настройки DHCP IPv6",
    "form_error_required": "Обязательное поле",
    "form_error_ip4_format": "Некорректный IPv4-адрес",
    "form_error_ip4_range_start_format": "Некорректный IPv4-адрес начала диапазона",
    "form_error_ip4_range_end_format": "Некорректный IPv4-адрес конца диапазона",
    "form_error_ip4_gateway_format": "Некорректный IPv4-адрес шлюза",
    "form_error_ip6_format": "Некорректный IPv6-адрес",
    "form_error_ip_format": "Некорректный IP-адрес",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Должно быть вне диапазона «{{start}}»-«{{end}}»",
    "lower_range_start_error": "Должно быть меньше начала диапазона",
    "greater_range_start_error": "Должно быть больше начала диапазона",
    "greater_range_end_error": "Должно быть больше конца диапазона",
    "subnet_error": "Адреса должны быть внутри одной подсети",
    "gateway_or_subnet_invalid": "Некорректная маска подсети",
    "dhcp_form_gateway_input": "IP-адрес шлюза",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Издатель",
    "encryption_hostnames": "Имена хостов",
    "encryption_reset": "Вы уверены, что хотите сбросить настройки шифрования?",
    "encryption_warning": "Предупреждение",
    "topline_expiring_certificate": "Ваш SSL-сертификат скоро истекает. Обновите <0>Настройки шифрования</0>.",
    "topline_expired_certificate": "Ваш SSL-сертификат истёк. Обновите <0>Настройки шифрования</0>.",
    "form_error_port_range": "Введите номер порта из интервала 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Безопасный интернет",
    "served_from_cache": "{{value}} <i>(получено из кеша)</i>",
    "form_error_password_length": "Пароль должен быть длиной не меньше {{value}} символов",
-    "anonymizer_notification": "<0>Внимание:</0> включена анонимизация IP-адресов. Вы можете отключить её в разделе <1>Основные настройки</1>.",
+    "anonymizer_notification": "<0>Внимание:</0> включена анонимизация IP-адресов. Вы можете отключить её в разделе <1>Основные настройки</1>."
    "confirm_dns_cache_clear": "Вы уверены, что хотите очистить кеш DNS?",
    "cache_cleared": "Кеш DNS успешно очищен",
    "clear_cache": "Очистить кеш"
 }
--- a/client/src/__locales/sk.json
+++ b/client/src/__locales/sk.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Nastavenia DHCP IPv6",
    "form_error_required": "Povinná položka.",
    "form_error_ip4_format": "Neplatná IPv4 adresa",
    "form_error_ip4_range_start_format": "Neplatný začiatok rozsahu IPv4 formátu",
    "form_error_ip4_range_end_format": "Neplatný koniec rozsahu IPv4 formátu",
    "form_error_ip4_gateway_format": "Neplatná IPv4 adresa brány",
    "form_error_ip6_format": "Neplatná IPv6 adresa",
    "form_error_ip_format": "Neplatná IP adresa",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Musí byť mimo rozsahu \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Musí byť nižšie ako začiatok rozsahu",
    "greater_range_start_error": "Musí byť väčšie ako začiatok rozsahu",
    "greater_range_end_error": "Musí byť väčšie ako koniec rozsahu",
    "subnet_error": "Adresy musia byť v spoločnej podsieti",
    "gateway_or_subnet_invalid": "Maska podsiete je neplatná",
    "dhcp_form_gateway_input": "IP brána",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Vydavateľ",
    "encryption_hostnames": "Názvy hostiteľov",
    "encryption_reset": "Naozaj chcete obnoviť nastavenia šifrovania?",
    "encryption_warning": "Varovanie",
    "topline_expiring_certificate": "Váš SSL certifikát čoskoro vyprší. Aktualizujte <0>Nastavenia šifrovania</0>.",
    "topline_expired_certificate": "Váš SSL certifikát vypršal. Aktualizujte <0>Nastavenia šifrovania</0>.",
    "form_error_port_range": "Zadajte číslo portu v rozsahu 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Bezpečné prehliadanie",
    "served_from_cache": "{{value}} <i>(prevzatá z cache pamäte)</i>",
    "form_error_password_length": "Heslo musí mať dĺžku aspoň {{value}} znakov",
-    "anonymizer_notification": "<0>Poznámka:</0> Anonymizácia IP je zapnutá. Môžete ju vypnúť vo <1>Všeobecných nastaveniach</1>.",
+    "anonymizer_notification": "<0>Poznámka:</0> Anonymizácia IP je zapnutá. Môžete ju vypnúť vo <1>Všeobecných nastaveniach</1>."
    "confirm_dns_cache_clear": "Naozaj chcete vymazať vyrovnávaciu pamäť DNS?",
    "cache_cleared": "Vyrovnávacia pamäť DNS bola úspešne vymazaná",
    "clear_cache": "Vymazať vyrovnávaciu pamäť"
 }
--- a/client/src/__locales/sl.json
+++ b/client/src/__locales/sl.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Nastavitve DHCP IPv6",
    "form_error_required": "Zahtevano polje.",
    "form_error_ip4_format": "Neveljaven naslov IPv4.",
    "form_error_ip4_range_start_format": "Neveljaven začetek razpona naslova IPv4",
    "form_error_ip4_range_end_format": "Neveljaven konec razpona naslova IPv4",
    "form_error_ip4_gateway_format": "Neveljaven naslov IPv4 prehoda",
    "form_error_ip6_format": "Neveljaven naslov IPv6",
    "form_error_ip_format": "Neveljaven naslov IP",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Mora biti izven razpona \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Mora biti manjši od začetka razpona",
    "greater_range_start_error": "Mora biti večji od začetka razpona",
    "greater_range_end_error": "Mora biti večji od konca razpona",
    "subnet_error": "Naslovi morajo biti v enem podomrežju",
    "gateway_or_subnet_invalid": "Maska podomrežja ni veljavna",
    "dhcp_form_gateway_input": "IP prehoda",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Izdajatelj",
    "encryption_hostnames": "Imena gostiteljev",
    "encryption_reset": "Ali ste prepričani, da želite ponastaviti nastavitve šifriranja?",
    "encryption_warning": "Opozorilo",
    "topline_expiring_certificate": "Vaš e digitalno potrdilo SSL bo kmalu poteklol. Posodobite <0>Nastavitve šifriranja</0>.",
    "topline_expired_certificate": "Vaše digitalno potrdilo SSL je poteklo. Posodobi <0>Nastavitve šifriranja</0>.",
    "form_error_port_range": "Vnesite številko vrat v razponu med 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Varno brskanje",
    "served_from_cache": "{{value}} <i>(postreženo iz predpomnilnika)</i>",
    "form_error_password_length": "Geslo mora vsebovati najmanj {{value}} znakov",
-    "anonymizer_notification": "<0>Opomba:</0> Anonimizacija IP je omogočena. Onemogočite ga lahko v <1>Splošnih nastavitvah</1>.",
+    "anonymizer_notification": "<0>Opomba:</0> Anonimizacija IP je omogočena. Onemogočite ga lahko v <1>Splošnih nastavitvah</1>."
    "confirm_dns_cache_clear": "Ali ste prepričani, da želite počistiti predpomnilnik DNS?",
    "cache_cleared": "Predpomnilnik DNS je bil uspešno počiščen",
    "clear_cache": "Počisti predpomnilnik"
 }
--- a/client/src/__locales/sr-cs.json
+++ b/client/src/__locales/sr-cs.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 postavke",
    "form_error_required": "Obavezno polje",
    "form_error_ip4_format": "Nevažeća IPv4 adresa",
    "form_error_ip4_range_start_format": "Nevažeća IPv4 addresa početnog opsega",
    "form_error_ip4_range_end_format": "Nevažeća IPv4 addresa završnog opsega",
    "form_error_ip4_gateway_format": "Nevažeća IPv4 addresa prozala",
    "form_error_ip6_format": "Nevažeća IPv6 adresa",
    "form_error_ip_format": "Nevažeća IP adresa",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Mora biti izvan opsega \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Mora biti manje od početnog opsega",
    "greater_range_start_error": "Mora biti veće od početnog opsega",
    "greater_range_end_error": "Mora biti veće od završnog opsega",
    "subnet_error": "Asrese moraju biti u jednoj subnet",
    "gateway_or_subnet_invalid": "Subnet mask nevažeća",
    "dhcp_form_gateway_input": "IP mrežnog prolaza",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Izdavač",
    "encryption_hostnames": "Imena hostova",
    "encryption_reset": "Jeste li sigurni da želite dda resetujete postavke šifrovanja?",
    "encryption_warning": "Upozorenje",
    "topline_expiring_certificate": "Vaš SSL sertifikat uskoro ističe. Ažurirajte <0>postavke šifrovanja</0>.",
    "topline_expired_certificate": "Vaš SSL sertifikat je istekao. Ažurirajte <0>postavke šifrovanja</0>.",
    "form_error_port_range": "Unesite vrednost porta u opsegu od 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Sigurno pregledanje",
    "served_from_cache": "{{value}} <i>(posluženo iz predmemorije)</i>",
    "form_error_password_length": "Lozinka mora imati najmanje {{value}} znakova",
-    "anonymizer_notification": "<0>Nota:</0> IP prepoznavanje je omogućeno. Možete ga onemogućiti u opštim <1>postavkama</1>.",
+    "anonymizer_notification": "<0>Nota:</0> IP prepoznavanje je omogućeno. Možete ga onemogućiti u opštim <1>postavkama</1>."
    "confirm_dns_cache_clear": "Želite li zaista da obrišite DNS keš?",
    "cache_cleared": "DNS keš je uspešno očišćen",
    "clear_cache": "Obriši keš memoriju"
 }
--- a/client/src/__locales/sv.json
+++ b/client/src/__locales/sv.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 inställningar",
    "form_error_required": "Obligatoriskt fält",
    "form_error_ip4_format": "Ogiltig IPv4-adress",
    "form_error_ip4_range_start_format": "Ogiltig IPv4-adress för starten av intervallet",
    "form_error_ip4_range_end_format": "Ogiltig IPv4-adress för slutet av intervallet",
    "form_error_ip4_gateway_format": "Ogiltig IPv4 adress för gatewayen",
    "form_error_ip6_format": "Ogiltig IPv6-adress",
    "form_error_ip_format": "Ogiltig IP-adress",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Måste vara utanför intervallet \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Måste vara lägre än starten på intervallet",
    "greater_range_start_error": "Måste vara högre än starten på intervallet",
    "greater_range_end_error": "Måste vara större än intervallets slut",
    "subnet_error": "Adresser måste finnas i ett subnät",
    "gateway_or_subnet_invalid": "Subnätmask ogiltig",
    "dhcp_form_gateway_input": "Gateway-IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Utgivare",
    "encryption_hostnames": "Värdnamn",
    "encryption_reset": "Är du säker på att du vill återställa krypteringsinställningarna?",
    "encryption_warning": "Varning",
    "topline_expiring_certificate": "Ditt SSL-certifikat håller på att gå ut. <0>Krypteringsinställningar</0>.",
    "topline_expired_certificate": "Ditt SSL-certifikat har gått ut. Uppdatera <0>Krypteringsinställningar</0>-",
    "form_error_port_range": "Ange ett portnummer inom värdena 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Säker surfning",
    "served_from_cache": "{{value}} <i>(levereras från cache)</i>",
    "form_error_password_length": "Lösenordet måste vara minst {{value}} tecken långt",
-    "anonymizer_notification": "<0>Observera:</0> IP-anonymisering är aktiverad. Du kan inaktivera den i <1>Allmänna inställningar</1>.",
+    "anonymizer_notification": "<0>Observera:</0> IP-anonymisering är aktiverad. Du kan inaktivera den i <1>Allmänna inställningar</1>."
    "confirm_dns_cache_clear": "Är du säker på att du vill rensa DNS-cache?",
    "cache_cleared": "DNS-cacheminnet har rensats",
    "clear_cache": "Rensa cache"
 }
--- a/client/src/__locales/th.json
+++ b/client/src/__locales/th.json
@@ -262,7 +262,6 @@
    "encryption_issuer": "ผู้ออกใบรับรอง:",
    "encryption_hostnames": "ชื่อโฮส",
    "encryption_reset": "คุณแน่ใจนะว่าจะล้างค่าการเข้ารหัส?",
    "encryption_warning": "คำเตือน",
    "topline_expiring_certificate": "ใบรับรอง SSL ของคุณกำลังจะหมดอายุ กรุณาอัปเดท <0>การตั้งค่าเข้ารหัส</0>.",
    "topline_expired_certificate": "ใบรับรอง SSL ของคุณหมดอายุแล้ว กรุณาอัปเดท <0>การตั้งค่าเข้ารหัส</0>.",
    "form_error_port_unsafe": "เป็นพอร์ทที่ไม่ปลอดภัย",
--- a/client/src/__locales/tr.json
+++ b/client/src/__locales/tr.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 Ayarları",
    "form_error_required": "Gerekli alan",
    "form_error_ip4_format": "Geçersiz IPv4 adresi",
    "form_error_ip4_range_start_format": "Geçersiz başlangıç aralığı IPv4 biçimi",
    "form_error_ip4_range_end_format": "Geçersiz bitiş aralığı IPv4 adresi",
    "form_error_ip4_gateway_format": "Geçersiz ağ geçidi IPv4 adresi",
    "form_error_ip6_format": "Geçersiz IPv6 adresi",
    "form_error_ip_format": "Geçersiz IP adresi",
@@ -49,8 +51,9 @@
    "out_of_range_error": "\"{{start}}\"-\"{{end}}\" aralığının dışında olmalıdır",
    "lower_range_start_error": "Başlangıç aralığından daha düşük olmalıdır",
    "greater_range_start_error": "Başlangıç aralığından daha büyük olmalıdır",
    "greater_range_end_error": "Bitiş aralığından daha büyük olmalıdır",
    "subnet_error": "Adresler bir alt ağda olmalıdır",
-    "gateway_or_subnet_invalid": "Geçersiz alt ağ maskesi",
+    "gateway_or_subnet_invalid": "Alt ağ maskesi geçersiz",
    "dhcp_form_gateway_input": "Ağ geçidi IP",
    "dhcp_form_subnet_input": "Alt ağ maskesi",
    "dhcp_form_range_title": "IP adresi aralığı",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Sağlayan",
    "encryption_hostnames": "Ana makine adları",
    "encryption_reset": "Şifreleme ayarlarını sıfırlamak istediğinizden emin misiniz?",
    "encryption_warning": "Uyarı",
    "topline_expiring_certificate": "SSL sertifikanızın süresi sona üzere. <0>Şifreleme ayarlarını</0> güncelleyin.",
    "topline_expired_certificate": "SSL sertifikanızın süresi sona erdi. <0>Şifreleme ayarlarını</0> güncelleyin.",
    "form_error_port_range": "80-65535 aralığında geçerli bir bağlantı noktası değeri girin",
@@ -635,8 +637,5 @@
    "safe_browsing": "Güvenli Gezinti",
    "served_from_cache": "{{value}} <i>(önbellekten kullanıldı)</i>",
    "form_error_password_length": "Parola en az {{value}} karakter uzunluğunda olmalıdır",
-    "anonymizer_notification": "<0>Not:</0> IP anonimleştirme etkinleştirildi. Bunu <1>Genel ayarlardan</1> devre dışı bırakabilirsiniz.",
+    "anonymizer_notification": "<0>Not:</0> IP anonimleştirme etkinleştirildi. Bunu <1>Genel ayarlardan</1> devre dışı bırakabilirsiniz."
    "confirm_dns_cache_clear": "DNS önbelleğini temizlemek istediğinizden emin misiniz?",
    "cache_cleared": "DNS önbelleği başarıyla temizlendi",
    "clear_cache": "Önbelleği temizle"
 }
--- a/client/src/__locales/uk.json
+++ b/client/src/__locales/uk.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Налаштування DHCP IPv6",
    "form_error_required": "Обов'язкове поле",
    "form_error_ip4_format": "Неправильна IPv4-адреса",
    "form_error_ip4_range_start_format": "Неправильна IPv4-адреса початку діапазону",
    "form_error_ip4_range_end_format": "Неправильна IPv4-адреса кінця діапазону",
    "form_error_ip4_gateway_format": "Неправильна IPv4-адреса шлюзу",
    "form_error_ip6_format": "Неправильна IPv6-адреса",
    "form_error_ip_format": "Неправильна IP-адреса",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Не повинна бути в діапазоні «{{start}}»−«{{end}}»",
    "lower_range_start_error": "Має бути меншим за початкову адресу",
    "greater_range_start_error": "Має бути більшим за початкову адресу",
    "greater_range_end_error": "Має бути більшим за кінцеву адресу",
    "subnet_error": "Адреси повинні бути в одній підмережі",
    "gateway_or_subnet_invalid": "Неправильна маска підмережі",
    "dhcp_form_gateway_input": "IP-адреса шлюзу",
@@ -368,7 +371,7 @@
    "encryption_redirect": "Автоматично перенаправляти на HTTPS",
    "encryption_redirect_desc": "Якщо встановлено, AdGuard Home автоматично перенаправить вас з HTTP на адреси HTTPS.",
    "encryption_https": "Порт HTTPS",
-    "encryption_https_desc": "Якщо HTTPS-порт налаштовано, інтерфейс адміністратора AdGuard Home буде доступний через HTTPS, а також сервер DNS-over-HTTPS буде доступний за адресою '/dns-query'.",
+    "encryption_https_desc": "Якщо HTTPS-порт налаштовано, інтерфейс адміністратора AdGuard Home буде доступний через HTTPS, а також DNS-over-HTTPS-сервер буде доступний за адресою /dns-query.",
    "encryption_dot": "Порт DNS-over-TLS",
    "encryption_dot_desc": "Якщо цей порт налаштовано, AdGuard Home запустить на цьому порту сервер DNS-over-TLS.",
    "encryption_doq": "Порт DNS-over-QUIC",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Видавець",
    "encryption_hostnames": "Назви вузлів",
    "encryption_reset": "Ви впевнені, що хочете скинути налаштування шифрування?",
    "encryption_warning": "Попередження",
    "topline_expiring_certificate": "Ваш сертифікат SSL скоро закінчиться. Оновіть <0>Налаштування шифрування</0>.",
    "topline_expired_certificate": "Термін дії вашого сертифіката SSL закінчився. Оновіть <0>Налаштування шифрування</0>.",
    "form_error_port_range": "Введіть значення порту в діапазоні 80−65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Безпечний перегляд",
    "served_from_cache": "{{value}} <i>(отримано з кешу)</i>",
    "form_error_password_length": "Пароль мусить мати принаймні {{value}} символів",
-    "anonymizer_notification": "<0>Примітка:</0> IP-анонімізацію ввімкнено. Ви можете вимкнути його в <1>Загальні налаштування</1> .",
+    "anonymizer_notification": "<0>Примітка:</0> IP-анонімізацію ввімкнено. Ви можете вимкнути його в <1>Загальні налаштування</1> ."
    "confirm_dns_cache_clear": "Ви впевнені, що бажаєте очистити кеш DNS?",
    "cache_cleared": "Кеш DNS успішно очищено",
    "clear_cache": "Очистити кеш"
 }
--- a/client/src/__locales/vi.json
+++ b/client/src/__locales/vi.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "Cài đặt DHCP IPv6",
    "form_error_required": "Trường bắt buộc",
    "form_error_ip4_format": "Địa chỉ IPv4 không hợp lệ",
    "form_error_ip4_range_start_format": "Địa chỉ IPv4 không hợp lệ của phạm vi bắt đầu",
    "form_error_ip4_range_end_format": "Địa chỉ IPv4 không hợp lệ của cuối phạm vi",
    "form_error_ip4_gateway_format": "Địa chỉ IPv4 không hợp lệ của cổng kết nối",
    "form_error_ip6_format": "Địa chỉ IPv6 không hợp lệ",
    "form_error_ip_format": "Địa chỉ IP không hợp lệ",
@@ -49,6 +51,7 @@
    "out_of_range_error": "Phải nằm ngoài phạm vi \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "Phải thấp hơn khởi động phạm vi",
    "greater_range_start_error": "Phải lớn hơn khoảng bắt đầu",
    "greater_range_end_error": "Phải lớn hơn phạm vi kết thúc",
    "subnet_error": "Địa chỉ phải nằm trong một mạng con",
    "gateway_or_subnet_invalid": "Mặt nạ mạng con không hợp lệ",
    "dhcp_form_gateway_input": "Cổng IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "Phát hành",
    "encryption_hostnames": "Tên máy chủ",
    "encryption_reset": "Bạn có chắc chắn muốn đặt lại cài đặt mã hóa?",
    "encryption_warning": "Cảnh báo",
    "topline_expiring_certificate": "Chứng chỉ SSL của bạn sắp hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
    "topline_expired_certificate": "Chứng chỉ SSL của bạn đã hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
    "form_error_port_range": "Nhập giá trị cổng trong phạm vi 80-65535",
@@ -635,8 +637,5 @@
    "safe_browsing": "Duyệt web an toàn",
    "served_from_cache": "{{value}} <i>(được phục vụ từ bộ nhớ cache)</i>",
    "form_error_password_length": "Mật khẩu phải có ít nhất {{value}} ký tự",
-    "anonymizer_notification": "<0> Lưu ý:</0> Tính năng ẩn danh IP được bật. Bạn có thể tắt nó trong <1> Cài đặt chung</1>.",
+    "anonymizer_notification": "<0> Lưu ý:</0> Tính năng ẩn danh IP được bật. Bạn có thể tắt nó trong <1> Cài đặt chung</1>."
    "confirm_dns_cache_clear": "Bạn có chắc chắn muốn xóa bộ đệm ẩn DNS không?",
    "cache_cleared": "Đã xóa thành công bộ đệm DNS",
    "clear_cache": "Xóa bộ nhớ cache"
 }
--- a/client/src/__locales/zh-cn.json
+++ b/client/src/__locales/zh-cn.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6设置",
    "form_error_required": "必填字段",
    "form_error_ip4_format": "无效的 IPv4 地址",
    "form_error_ip4_range_start_format": "范围起始值的 IPv4 地址无效",
    "form_error_ip4_range_end_format": "范围终值的 IPv4 地址无效",
    "form_error_ip4_gateway_format": "网关 IPv4 地址无效",
    "form_error_ip6_format": "无效的 IPv6 地址",
    "form_error_ip_format": "无效的 IP 地址",
@@ -49,6 +51,7 @@
    "out_of_range_error": "必定超出了范围 \"{{start}}\"-\"{{end}}\"",
    "lower_range_start_error": "必须小于范围起始值",
    "greater_range_start_error": "必须大于范围起始值",
    "greater_range_end_error": "必须大于范围终值",
    "subnet_error": "地址必须在一个子网内",
    "gateway_or_subnet_invalid": "子网掩码无效",
    "dhcp_form_gateway_input": "网关 IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "颁发者",
    "encryption_hostnames": "主机名",
    "encryption_reset": "您确定想要重置加密设置？",
    "encryption_warning": "警告",
    "topline_expiring_certificate": "您的 SSL 证书即将过期。请更新 <0>加密设置</0> 。",
    "topline_expired_certificate": "您的 SSL 证书已过期。请更新 <0>加密设置</0> 。",
    "form_error_port_range": "输入 80 - 65535 范围内的端口值",
@@ -635,8 +637,5 @@
    "safe_browsing": "安全浏览",
    "served_from_cache": "{{value}}<i>(由缓存提供)</i>",
    "form_error_password_length": "密码必须至少有 {{value}} 个字符",
-    "anonymizer_notification": "<0>注意：</0> IP 匿名化已启用。您可以在<1>常规设置</1>中禁用它。",
+    "anonymizer_notification": "<0>注意：</0> IP 匿名化已启用。您可以在<1>常规设置</1>中禁用它。"
    "confirm_dns_cache_clear": "您确定要清除 DNS 缓存吗？",
    "cache_cleared": "已成功清除 DNS 缓存",
    "clear_cache": "清除缓存"
 }
--- a/client/src/__locales/zh-hk.json
+++ b/client/src/__locales/zh-hk.json
@@ -381,7 +381,6 @@
    "encryption_issuer": "簽發者",
    "encryption_hostnames": "主機名稱",
    "encryption_reset": "您確定要重設加密設定嗎？",
    "encryption_warning": "警告",
    "topline_expiring_certificate": "您的 SSL 憑證即將到期。請前往<0>加密設定</0>更新。",
    "topline_expired_certificate": "您的 SSL 憑證已到期。請前往<0>加密設定</0>更新。",
    "form_error_port_range": "輸入範圍 80-65535 中的值",
--- a/client/src/__locales/zh-tw.json
+++ b/client/src/__locales/zh-tw.json
@@ -37,6 +37,8 @@
    "dhcp_ipv6_settings": "DHCP IPv6 設定",
    "form_error_required": "必填的欄位",
    "form_error_ip4_format": "無效的 IPv4 位址",
    "form_error_ip4_range_start_format": "無效起始範圍的 IPv4 位址",
    "form_error_ip4_range_end_format": "無效結束範圍的 IPv4 位址",
    "form_error_ip4_gateway_format": "無效閘道的 IPv4 位址",
    "form_error_ip6_format": "無效的 IPv6 位址",
    "form_error_ip_format": "無效的 IP 位址",
@@ -49,6 +51,7 @@
    "out_of_range_error": "必須在\"{{start}}\"-\"{{end}}\"範圍之外",
    "lower_range_start_error": "必須低於起始範圍",
    "greater_range_start_error": "必須大於起始範圍",
    "greater_range_end_error": "必須大於結束範圍",
    "subnet_error": "位址必須在子網路中",
    "gateway_or_subnet_invalid": "無效的子網路遮罩",
    "dhcp_form_gateway_input": "閘道 IP",
@@ -390,7 +393,6 @@
    "encryption_issuer": "簽發者",
    "encryption_hostnames": "主機名稱",
    "encryption_reset": "您確定您想要重置加密設定嗎？",
    "encryption_warning": "警告",
    "topline_expiring_certificate": "您的安全通訊端層（SSL）憑證即將到期。更新<0>加密設定</0>。",
    "topline_expired_certificate": "您的安全通訊端層（SSL）憑證為已到期的。更新<0>加密設定</0>。",
    "form_error_port_range": "輸入在 80-65535 之範圍內的連接埠號碼",
@@ -635,8 +637,5 @@
    "safe_browsing": "安全瀏覽",
    "served_from_cache": "{{value}} <i>(由快取提供)</i>",
    "form_error_password_length": "密碼必須為至少長 {{value}} 個字元",
-    "anonymizer_notification": "<0>注意：</0>IP 匿名化被啟用。您可在<1>一般設定</1>中禁用它。",
+    "anonymizer_notification": "<0>注意：</0>IP 匿名化被啟用。您可在<1>一般設定</1>中禁用它。"
    "confirm_dns_cache_clear": "您確定您想要清除 DNS 快取嗎？",
    "cache_cleared": "DNS 快取被成功地清除",
    "clear_cache": "清除快取"
 }
--- a/client/src/actions/dnsConfig.js
+++ b/client/src/actions/dnsConfig.js
@@ -1,5 +1,4 @@
 import { createAction } from 'redux-actions';
 import i18next from 'i18next';
 import apiClient from '../api/Api';
 import { splitByNewLine } from '../helpers/helpers';
@@ -20,22 +19,6 @@ export const getDnsConfig = () => async (dispatch) => {
    }
 };
 export const clearDnsCacheRequest = createAction('CLEAR_DNS_CACHE_REQUEST');
 export const clearDnsCacheFailure = createAction('CLEAR_DNS_CACHE_FAILURE');
 export const clearDnsCacheSuccess = createAction('CLEAR_DNS_CACHE_SUCCESS');
 export const clearDnsCache = () => async (dispatch) => {
    dispatch(clearDnsCacheRequest());
    try {
        const data = await apiClient.clearCache();
        dispatch(clearDnsCacheSuccess(data));
        dispatch(addSuccessToast(i18next.t('cache_cleared')));
    } catch (error) {
        dispatch(addErrorToast({ error }));
        dispatch(clearDnsCacheFailure());
    }
 };
 export const setDnsConfigRequest = createAction('SET_DNS_CONFIG_REQUEST');
 export const setDnsConfigFailure = createAction('SET_DNS_CONFIG_FAILURE');
 export const setDnsConfigSuccess = createAction('SET_DNS_CONFIG_SUCCESS');
--- a/client/src/actions/encryption.js
+++ b/client/src/actions/encryption.js
@@ -41,12 +41,6 @@ export const setTlsConfig = (config) => async (dispatch, getState) => {
        response.certificate_chain = atob(response.certificate_chain);
        response.private_key = atob(response.private_key);
        if (values.enabled && values.force_https && window.location.protocol === 'http:') {
            window.location.reload();
            return;
        }
        redirectToCurrentProtocol(response, httpPort);
        const dnsStatus = await apiClient.getGlobalStatus();
        if (dnsStatus) {
            dispatch(dnsStatusSuccess(dnsStatus));
@@ -54,6 +48,7 @@ export const setTlsConfig = (config) => async (dispatch, getState) => {
        dispatch(setTlsConfigSuccess(response));
        dispatch(addSuccessToast('encryption_config_saved'));
        redirectToCurrentProtocol(response, httpPort);
    } catch (error) {
        dispatch(addErrorToast({ error }));
        dispatch(setTlsConfigFailure());
--- a/client/src/api/Api.js
+++ b/client/src/api/Api.js
@@ -593,14 +593,6 @@ class Api {
        };
        return this.makeRequest(path, method, config);
    }
    // Cache
    CLEAR_CACHE = { path: 'cache_clear', method: 'POST' };
    clearCache() {
        const { path, method } = this.CLEAR_CACHE;
        return this.makeRequest(path, method);
    }
 }
 const apiClient = new Api();
--- a/client/src/components/Logs/Filters/Form.js
+++ b/client/src/components/Logs/Filters/Form.js
@@ -155,7 +155,7 @@ const Form = (props) => {
                    name={FORM_NAMES.search}
                    component={renderFilterField}
                    type="text"
-                    className={classNames('form-control form-control--search form-control--transparent', className)}
+                    className={classNames('form-control--search form-control--transparent', className)}
                    placeholder={t('domain_or_client')}
                    tooltip={t('query_log_strict_search')}
                    onClearInputClick={onInputClear}
--- a/client/src/components/Logs/Logs.css
+++ b/client/src/components/Logs/Logs.css
@@ -103,12 +103,14 @@
 }
 .form-control--search {
    box-shadow: 0 1px 0 #ddd;
    padding: 0 2.5rem;
    height: 2.25rem;
    flex-grow: 1;
 }
 .form-control--transparent {
    border: 0 solid transparent !important;
    background-color: transparent !important;
 }
@@ -172,8 +174,10 @@
    display: inline-flex;
    align-items: center;
    justify-content: center;
-    width: 2.5rem;
+
-    height: 2.5rem;
+    --size: 2.5rem;
    width: var(--size);
    height: var(--size);
    padding: 0;
    margin-left: 0.9375rem;
    background-color: transparent;
@@ -470,7 +474,7 @@
 .filteringRules__filter {
    font-style: italic;
-    font-weight: 400;
+    font-weight: normal;
    margin-bottom: 1rem;
 }
--- a/client/src/components/Settings/Clients/Form.js
+++ b/client/src/components/Settings/Clients/Form.js
@@ -11,13 +11,12 @@ import Select from 'react-select';
 import i18n from '../../../i18n';
 import Tabs from '../../ui/Tabs';
 import Examples from '../Dns/Upstream/Examples';
-import { toggleAllServices, trimLinesAndRemoveEmpty } from '../../../helpers/helpers';
+import { toggleAllServices } from '../../../helpers/helpers';
 import {
    renderInputField,
    renderGroupField,
    CheckboxField,
    renderServiceField,
    renderTextareaField,
 } from '../../../helpers/form';
 import { validateClientId, validateRequiredValue } from '../../../helpers/validators';
 import { CLIENT_ID_LINK, FORM_NAME } from '../../../helpers/constants';
@@ -231,11 +230,10 @@ let Form = (props) => {
                <Field
                    id="upstreams"
                    name="upstreams"
-                    component={renderTextareaField}
+                    component="textarea"
                    type="text"
                    className="form-control form-control--textarea mb-5"
                    placeholder={t('upstream_dns')}
                    normalizeOnBlur={trimLinesAndRemoveEmpty}
                />
                <Examples />
            </div>,
--- a/client/src/components/Settings/Dhcp/FormDHCPv4.js
+++ b/client/src/components/Settings/Dhcp/FormDHCPv4.js
@@ -74,6 +74,7 @@ const FormDHCPv4 = ({
                        className="form-control"
                        placeholder={t(ipv4placeholders.subnet_mask)}
                        validate={[
                            validateIpv4,
                            validateRequired,
                            validateGatewaySubnetMask,
                        ]}
@@ -96,6 +97,7 @@ const FormDHCPv4 = ({
                                placeholder={t(ipv4placeholders.range_start)}
                                validate={[
                                    validateIpv4,
                                    validateGatewaySubnetMask,
                                    validateIpForGatewaySubnetMask,
                                ]}
                                disabled={!isInterfaceIncludesIpv4}
@@ -111,6 +113,7 @@ const FormDHCPv4 = ({
                                validate={[
                                    validateIpv4,
                                    validateIpv4RangeEnd,
                                    validateGatewaySubnetMask,
                                    validateIpForGatewaySubnetMask,
                                ]}
                                disabled={!isInterfaceIncludesIpv4}
--- a/client/src/components/Settings/Dns/Cache/Form.js
+++ b/client/src/components/Settings/Dns/Cache/Form.js
@@ -2,12 +2,10 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Field, reduxForm } from 'redux-form';
 import { Trans, useTranslation } from 'react-i18next';
-import { shallowEqual, useDispatch, useSelector } from 'react-redux';
+import { shallowEqual, useSelector } from 'react-redux';
 import { renderInputField, toNumber, CheckboxField } from '../../../../helpers/form';
 import { CACHE_CONFIG_FIELDS, FORM_NAME, UINT32_RANGE } from '../../../../helpers/constants';
 import { replaceZeroWithEmptyString } from '../../../../helpers/helpers';
 import { clearDnsCache } from '../../../../actions/dnsConfig';
 const INPUTS_FIELDS = [
    {
@@ -34,7 +32,6 @@ const Form = ({
    handleSubmit, submitting, invalid,
 }) => {
    const { t } = useTranslation();
    const dispatch = useDispatch();
    const { processingSetConfig } = useSelector((state) => state.dnsConfig, shallowEqual);
    const {
@@ -43,12 +40,6 @@ const Form = ({
    const minExceedsMax = cache_ttl_min > cache_ttl_max;
    const handleClearCache = () => {
        if (window.confirm(t('confirm_dns_cache_clear'))) {
            dispatch(clearDnsCache());
        }
    };
    return <form onSubmit={handleSubmit}>
        <div className="row">
            {INPUTS_FIELDS.map(({
@@ -106,13 +97,6 @@ const Form = ({
        >
            <Trans>save_btn</Trans>
        </button>
        <button
            type="button"
            className="btn btn-outline-secondary btn-standard form__button"
            onClick={handleClearCache}
        >
            <Trans>clear_cache</Trans>
        </button>
    </form>;
 };
--- a/client/src/helpers/constants.js
+++ b/client/src/helpers/constants.js
@@ -390,7 +390,6 @@ export const SPECIAL_FILTER_ID = {
    PARENTAL: -3,
    SAFE_BROWSING: -4,
    SAFE_SEARCH: -5,
    REWRITES: -6,
 };
 export const BLOCK_ACTIONS = {
--- a/client/src/helpers/filters/filters.js
+++ b/client/src/helpers/filters/filters.js
@@ -26,229 +26,199 @@ export default {
            "name": "1Hosts (Lite)",
            "categoryId": "general",
            "homepage": "https://badmojr.github.io/1Hosts/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
+            "source": "https://badmojr.gitlab.io/1hosts/Lite/adblock.txt"
        },
        "1hosts_mini": {
            "name": "1Hosts (mini)",
            "categoryId": "general",
            "homepage": "https://badmojr.github.io/1Hosts/",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_38.txt"
        },
        "CHN_adrules": {
            "name": "CHN: AdRules DNS List",
            "categoryId": "regional",
            "homepage": "https://github.com/Cats-Team/AdRules",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_29.txt"
+            "source": "https://raw.githubusercontent.com/Cats-Team/AdRules/main/dns.txt"
        },
        "CHN_anti_ad": {
            "name": "CHN: anti-AD",
            "categoryId": "regional",
            "homepage": "https://anti-ad.net/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt"
+            "source": "https://anti-ad.net/easylist.txt"
        },
        "HUN_hufilter": {
            "name": "HUN: Hufilter",
            "categoryId": "regional",
            "homepage": "https://github.com/hufilter/hufilter",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_35.txt"
        },
        "IDN_abpindo": {
            "name": "IDN: ABPindo",
            "categoryId": "regional",
            "homepage": "https://github.com/ABPindo/indonesianadblockrules",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_22.txt"
+            "source": "https://raw.githubusercontent.com/ABPindo/indonesianadblockrules/master/subscriptions/aghome.txt"
        },
        "IRN_unwanted_iranian_domains": {
            "name": "IRN: PersianBlocker list",
            "categoryId": "regional",
            "homepage": "https://github.com/MasterKia/PersianBlocker",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_19.txt"
+            "source": "https://raw.githubusercontent.com/MasterKia/PersianBlocker/main/PersianBlockerHosts.txt"
        },
        "ITA_filtri_dns": {
            "name": "ITA: Filtri-DNS",
            "categoryId": "regional",
            "homepage": "https://filtri-dns.ga/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt"
+            "source": "https://filtri-dns.ga/filtri.txt"
        },
        "KOR_list_kr": {
            "name": "KOR: List-KR DNS",
            "categoryId": "regional",
            "homepage": "https://github.com/List-KR/List-KR",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_25.txt"
+            "source": "https://github.com/List-KR/List-KR"
        },
        "KOR_youslist": {
            "name": "KOR: YousList",
            "categoryId": "regional",
            "homepage": "https://github.com/yous/YousList",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_15.txt"
+            "source": "https://raw.githubusercontent.com/yous/YousList/master/hosts.txt"
        },
        "LIT_easylist_lithuania": {
            "name": "LIT: EasyList Lithuania",
            "categoryId": "regional",
            "homepage": "https://github.com/EasyList-Lithuania/easylist_lithuania",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_36.txt"
        },
        "MKD_macedonian_pi_hole_blocklist": {
            "name": "MKD: Macedonian Pi-hole Blocklist",
            "categoryId": "regional",
            "homepage": "https://github.com/cchevy/macedonian-pi-hole-blocklist",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_20.txt"
+            "source": "https://raw.githubusercontent.com/cchevy/macedonian-pi-hole-blocklist/master/hosts.txt"
        },
        "NOR_dandelion_sprouts_anti_malware_list": {
            "name": "NOR: Dandelion Sprouts nordiske filtre",
            "categoryId": "regional",
            "homepage": "https://github.com/DandelionSprout/adfilt",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_13.txt"
+            "source": "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/NorwegianExperimentalList%20alternate%20versions/NordicFiltersAdGuardHome.txt"
        },
        "POL_polish_filters_for_pi_hole": {
            "name": "POL: Polish filters for Pi hole",
            "categoryId": "regional",
            "homepage": "https://www.certyficate.it/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_14.txt"
+            "source": "https://raw.githubusercontent.com/MajkiIT/polish-ads-filter/master/polish-pihole-filters/hostfile.txt"
        },
        "SWE_frellwit_swedish_hosts_file": {
            "name": "SWE: Frellwit's Swedish Hosts File",
            "categoryId": "regional",
            "homepage": "https://github.com/lassekongo83/Frellwits-filter-lists/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_17.txt"
+            "source": "https://raw.githubusercontent.com/lassekongo83/Frellwits-filter-lists/master/Frellwits-Swedish-Hosts-File.txt"
        },
        "TUR_turk_adlist": {
            "name": "TUR: turk-adlist",
            "categoryId": "regional",
            "homepage": "https://github.com/bkrucarci/turk-adlist",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_26.txt"
+            "source": "https://raw.githubusercontent.com/bkrucarci/turk-adlist/master/hosts"
        },
        "VNM_abpvn": {
            "name": "VNM: ABPVN List",
            "categoryId": "regional",
            "homepage": "http://abpvn.com/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_16.txt"
+            "source": "https://abpvn.com/android/abpvn.txt"
        },
        "adguard_dns_filter": {
            "name": "AdGuard DNS filter",
            "categoryId": "general",
            "homepage": "https://github.com/AdguardTeam/AdGuardSDNSFilter",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
+            "source": "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"
        },
        "adway_default_blocklist": {
            "name": "AdAway Default Blocklist",
            "categoryId": "general",
            "homepage": "https://github.com/AdAway/adaway.github.io/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt"
+            "source": "https://adaway.org/hosts.txt"
        },
        "curben_phishing_filter": {
            "name": "Phishing URL Blocklist (PhishTank and OpenPhish)",
            "categoryId": "security",
            "homepage": "https://gitlab.com/malware-filter/phishing-filter",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt"
+            "source": "https://malware-filter.gitlab.io/malware-filter/phishing-filter-agh.txt"
        },
        "dan_pollocks_list": {
            "name": "Dan Pollock's List",
            "categoryId": "general",
            "homepage": "https://someonewhocares.org/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt"
+            "source": "https://someonewhocares.org/hosts/zero/hosts"
        },
        "dandelion_sprouts_anti_malware_list": {
            "name": "Dandelion Sprout's Anti-Malware List",
            "categoryId": "security",
            "homepage": "https://github.com/DandelionSprout/adfilt",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt"
+            "source": "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareAdGuardHome.txt"
        },
        "dandelion_sprouts_game_console_adblock_list": {
            "name": "Dandelion Sprout's Game Console Adblock List",
            "categoryId": "other",
            "homepage": "https://github.com/DandelionSprout/adfilt",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt"
+            "source": "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt"
        },
        "energized_spark": {
            "name": "Energized Spark",
            "categoryId": "general",
            "homepage": "https://energized.pro/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_28.txt"
+            "source": "https://block.energized.pro/spark/formats/filter"
        },
        "hagezi_personal": {
            "name": "HaGeZi Personal Black \u0026 White",
            "categoryId": "general",
            "homepage": "https://github.com/hagezi/dns-blocklists",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt"
        },
        "no_google": {
            "name": "No Google",
            "categoryId": "other",
            "homepage": "https://github.com/nickspaargaren/no-google",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_37.txt"
        },
        "nocoin_filter_list": {
            "name": "NoCoin Filter List",
            "categoryId": "security",
            "homepage": "https://github.com/hoshsadiq/adblock-nocoin-list/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt"
+            "source": "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt"
        },
        "notracking_hosts_blocklists": {
            "name": "The NoTracking blocklist",
            "categoryId": "general",
            "homepage": "https://github.com/notracking/hosts-blocklists",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt"
+            "source": "https://raw.githubusercontent.com/notracking/hosts-blocklists/master/adblock/adblock.txt"
        },
        "oisd_basic": {
            "name": "OISD Blocklist Basic",
            "categoryId": "general",
            "homepage": "https://oisd.nl/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt"
+            "source": "https://abp.oisd.nl/basic/"
        },
        "oisd_full": {
            "name": "OISD Blocklist Full",
            "categoryId": "general",
            "homepage": "https://oisd.nl/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt"
+            "source": "https://abp.oisd.nl/"
        },
        "perflyst_dandelion_sprout_smart_tv_blocklist_for_adguard_home": {
            "name": "Perflyst and Dandelion Sprout's Smart-TV Blocklist",
            "categoryId": "other",
            "homepage": "https://github.com/Perflyst/PiHoleBlocklist",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt"
+            "source": "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt"
        },
        "peter_lowe_list": {
            "name": "Peter Lowe's Blocklist",
            "categoryId": "general",
            "homepage": "https://pgl.yoyo.org/adservers/",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt"
+            "source": "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus\u0026showintro=1\u0026mimetype=plaintext"
        },
        "scam_blocklist_by_durablenapkin": {
            "name": "Scam Blocklist by DurableNapkin",
            "categoryId": "security",
            "homepage": "https://github.com/durablenapkin/scamblocklist",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt"
+            "source": "https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt"
        },
        "staklerware_indicators_list": {
            "name": "Stalkerware Indicators List",
            "categoryId": "security",
            "homepage": "https://github.com/AssoEchap/stalkerware-indicators",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt"
+            "source": "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
        },
        "steven_blacks_list": {
            "name": "Steven Black's List",
            "categoryId": "general",
            "homepage": "https://github.com/StevenBlack/hosts",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt"
+            "source": "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
        },
        "the_big_list_of_hacked_malware_web_sites": {
            "name": "The Big List of Hacked Malware Web Sites",
            "categoryId": "security",
            "homepage": "https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt"
+            "source": "https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts"
        },
        "urlhaus_filter_online": {
            "name": "Malicious URL Blocklist (URLHaus)",
            "categoryId": "security",
            "homepage": "https://gitlab.com/malware-filter/urlhaus-filter",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt"
+            "source": "https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh.txt"
        },
        "windowsspyblocker_hosts_spy_rules": {
            "name": "WindowsSpyBlocker - Hosts spy rules",
            "categoryId": "other",
            "homepage": "https://github.com/crazy-max/WindowsSpyBlocker",
-            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt"
+            "source": "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
        }
    }
 }
--- a/client/src/helpers/validators.js
+++ b/client/src/helpers/validators.js
@@ -77,11 +77,11 @@ export const validateNotInRange = (value, allValues) => {
    const { range_start, range_end } = allValues.v4;
    if (range_start && validateIpv4(range_start)) {
-        return undefined;
+        return 'form_error_ip4_range_start_format';
    }
    if (range_end && validateIpv4(range_end)) {
-        return undefined;
+        return 'form_error_ip4_range_end_format';
    }
    const isAboveMin = range_start && ip4ToInt(value) >= ip4ToInt(range_start);
@@ -94,6 +94,14 @@ export const validateNotInRange = (value, allValues) => {
        });
    }
    if (!range_end && isAboveMin) {
        return 'lower_range_start_error';
    }
    if (!range_start && isBelowMax) {
        return 'greater_range_end_error';
    }
    return undefined;
 };
@@ -110,7 +118,7 @@ export const validateGatewaySubnetMask = (_, allValues) => {
    const { subnet_mask, gateway_ip } = allValues.v4;
    if (validateIpv4(gateway_ip)) {
-        return 'gateway_or_subnet_invalid';
+        return 'form_error_ip4_gateway_format';
    }
    return parseSubnetMask(subnet_mask) ? undefined : 'gateway_or_subnet_invalid';
@@ -130,10 +138,6 @@ export const validateIpForGatewaySubnetMask = (value, allValues) => {
        gateway_ip, subnet_mask,
    } = allValues.v4;
    if ((gateway_ip && validateIpv4(gateway_ip)) || (subnet_mask && validateIpv4(subnet_mask))) {
        return undefined;
    }
    const subnetPrefix = parseSubnetMask(subnet_mask);
    if (!isIpInCidr(value, `${gateway_ip}/${subnetPrefix}`)) {
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.18
 require (
-	github.com/AdguardTeam/dnsproxy v0.46.5
+	github.com/AdguardTeam/dnsproxy v0.46.2
 	github.com/AdguardTeam/golibs v0.11.3
 	github.com/AdguardTeam/urlfilter v0.16.0
 	github.com/NYTimes/gziphandler v1.1.1
@@ -18,7 +18,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c
 	github.com/kardianos/service v1.2.2
-	github.com/lucas-clemente/quic-go v0.31.0
+	github.com/lucas-clemente/quic-go v0.29.2
 	github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118
 	github.com/mdlayher/netlink v1.6.2
 	// TODO(a.garipov): This package is deprecated; find a new one or use
@@ -30,8 +30,8 @@ require (
 	go.etcd.io/bbolt v1.3.6
 	golang.org/x/crypto v0.1.0
 	golang.org/x/exp v0.0.0-20221106115401-f9659909a136
-	golang.org/x/net v0.4.0
+	golang.org/x/net v0.1.0
-	golang.org/x/sys v0.3.0
+	golang.org/x/sys v0.2.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v3 v3.0.1
 	howett.net/plist v1.0.0
@@ -47,20 +47,23 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/marten-seemann/qpack v0.3.0 // indirect
 	github.com/marten-seemann/qtls-go1-18 v0.1.3 // indirect
 	github.com/marten-seemann/qtls-go1-19 v0.1.1 // indirect
 	github.com/mdlayher/packet v1.0.0 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/ginkgo/v2 v2.5.0 // indirect
 	github.com/onsi/gomega v1.24.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/AdguardTeam/dnsproxy v0.46.5 h1:TiJZhwaIDDaKkqEfJ9AD9aroFjcHN8oEbKB8WfTjSIs=
+github.com/AdguardTeam/dnsproxy v0.46.2 h1:ZUKM713Ts5meYQqk6cJkUBMCFSWqFPXTgjXkN4RI1Vo=
-github.com/AdguardTeam/dnsproxy v0.46.5/go.mod h1:yKBVgFlE6CqTQtye++3e7SATaMPc4Ixij+KkHsM6HhM=
+github.com/AdguardTeam/dnsproxy v0.46.2/go.mod h1:PAmRzFqls0E92XTglyY2ESAqMAzZJhHKErG1ZpRnpjA=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
 github.com/AdguardTeam/golibs v0.11.3 h1:Oif+REq2WLycQ2Xm3ZPmJdfftptss0HbGWbxdFaC310=
@@ -25,9 +25,6 @@ github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 h1:0b2vaepXIfMsG+
 github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0/go.mod h1:6YNgTHLutezwnBvyneBbwvB8C82y3dcoOj5EQJIdGXA=
 github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -37,6 +34,8 @@ github.com/digineo/go-ipset/v2 v2.2.1/go.mod h1:wBsNzJlZlABHUITkesrggFnZQtgW5wkq
 github.com/dimfeld/httptreemux/v5 v5.5.0 h1:p8jkiMrCuZ0CmhwYLcbNbl7DDo21fozhKHQ2PccwOFQ=
 github.com/dimfeld/httptreemux/v5 v5.5.0/go.mod h1:QeEylH57C0v3VO0tkKraVz9oD3Uu93CKPnTLbsidvSw=
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
@@ -48,6 +47,13 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8Wd
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -60,17 +66,15 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v1.0.1 h1:Lh/jXZmvZxb0BBeSY5VKEfidcbcbenKjZFzM/q0fSeU=
 github.com/google/renameio v1.0.1/go.mod h1:t/HQoYBZSsWSNK35C6CO/TpPLDVWvxOHboWUAweKUpk=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c h1:OCFM4+DXTWfNlyeoddrTwdup/ztkGSyAMR2UGcPckNQ=
 github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -87,8 +91,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucas-clemente/quic-go v0.31.0 h1:MfNp3fk0wjWRajw6quMFA3ap1AVtlU+2mtwmbVogB2M=
+github.com/lucas-clemente/quic-go v0.29.2 h1:O8Mt0O6LpvEW+wfC40vZdcw0DngwYzoxq5xULZNzSI8=
-github.com/lucas-clemente/quic-go v0.31.0/go.mod h1:0wFbizLgYzqHqtlyxyCaJKlE7bYgE6JQ+54TLd/Dq2g=
+github.com/lucas-clemente/quic-go v0.29.2/go.mod h1:g6/h9YMmLuU54tL1gW25uIi3VlBp3uv+sBihplIuskE=
 github.com/marten-seemann/qpack v0.3.0 h1:UiWstOgT8+znlkDPOg2+3rIuYXJ2CnGDkGUXN6ki6hE=
 github.com/marten-seemann/qpack v0.3.0/go.mod h1:cGfKPBiP4a9EQdxCwEwI/GEeWAsjSekBvx/X8mh58+g=
 github.com/marten-seemann/qtls-go1-18 v0.1.3 h1:R4H2Ks8P6pAtUagjFty2p7BVHn3XiwDAl7TTQf5h7TI=
@@ -120,9 +124,19 @@ github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.5.0 h1:TRtrvv2vdQqzkwrQ1ke6vtXf7IK34RBUJafIy1wMwls=
 github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.24.0 h1:+0glovB9Jd6z3VR+ScSwQqXVTIfJcGA9UBM8yzQxhqg=
 github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -154,6 +168,7 @@ github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcy
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=
 github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
@@ -166,9 +181,11 @@ golang.org/x/exp v0.0.0-20221106115401-f9659909a136 h1:Fq7F/w7MAa1KJ5bt2aJ62ihqp
 golang.org/x/exp v0.0.0-20221106115401-f9659909a136/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -178,8 +195,10 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201016165138-7b1cca2348c0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
@@ -187,13 +206,16 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220923203811-8be639271d50/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -202,10 +224,13 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -213,6 +238,7 @@ golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201017003518-b09fb700fbb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -228,8 +254,8 @@ golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -237,12 +263,13 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
@@ -251,15 +278,26 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/internal/aghnet/hostscontainer_windows.go
+++ b/internal/aghnet/hostscontainer_windows.go
@@ -15,7 +15,7 @@ import (
 func defaultHostsPaths() (paths []string) {
 	sysDir, err := windows.GetSystemDirectory()
 	if err != nil {
-		log.Error("aghnet: getting system directory: %s", err)
+		log.Error("getting system directory: %s", err)
 		return []string{}
 	}
--- a/internal/aghos/os.go
+++ b/internal/aghos/os.go
@@ -168,11 +168,11 @@ func IsOpenWrt() (ok bool) {
 	return isOpenWrt()
 }
-// RootDirFS returns the [fs.FS] rooted at the operating system's root.  On
+// RootDirFS returns the fs.FS rooted at the operating system's root.
 // Windows it returns the fs.FS rooted at the volume of the system directory
 // (usually, C:).
 func RootDirFS() (fsys fs.FS) {
-	return rootDirFS()
+	// Use empty string since os.DirFS implicitly prepends a slash to it.  This
 	// behavior is undocumented but it currently works.
 	return os.DirFS("")
 }
 // NotifyReconfigureSignal notifies c on receiving reconfigure signals.
--- a/internal/aghos/os_unix.go
+++ b/internal/aghos/os_unix.go
@@ -3,17 +3,12 @@
 package aghos
 import (
 	"io/fs"
 	"os"
 	"os/signal"
 	"golang.org/x/sys/unix"
 )
 func rootDirFS() (fsys fs.FS) {
 	return os.DirFS("/")
 }
 func notifyReconfigureSignal(c chan<- os.Signal) {
 	signal.Notify(c, unix.SIGHUP)
 }
--- a/internal/aghos/os_windows.go
+++ b/internal/aghos/os_windows.go
@@ -3,29 +3,13 @@
 package aghos
 import (
 	"io/fs"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"syscall"
 	"github.com/AdguardTeam/golibs/log"
 	"golang.org/x/sys/windows"
 )
 func rootDirFS() (fsys fs.FS) {
 	// TODO(a.garipov): Use a better way if golang/go#44279 is ever resolved.
 	sysDir, err := windows.GetSystemDirectory()
 	if err != nil {
 		log.Error("aghos: getting root filesystem: %s; using C:", err)
 		// Assume that C: is the safe default.
 		return os.DirFS("C:")
 	}
 	return os.DirFS(filepath.VolumeName(sysDir))
 }
 func setRlimit(val uint64) (err error) {
 	return Unsupported("setrlimit")
 }
--- a/internal/dhcpd/config.go
+++ b/internal/dhcpd/config.go
@@ -137,14 +137,14 @@ func (c *V4ServerConf) Validate() (err error) {
 	gatewayIP, err := ensureV4(c.GatewayIP, "address")
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is and there is
+		// Don't wrap an errors since it's informative enough as is and there is
 		// an annotation deferred already.
 		return err
 	}
 	subnetMask, err := ensureV4(c.SubnetMask, "subnet mask")
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is and there is
+		// Don't wrap an errors since it's informative enough as is and there is
 		// an annotation deferred already.
 		return err
 	}
@@ -155,21 +155,20 @@ func (c *V4ServerConf) Validate() (err error) {
 	rangeStart, err := ensureV4(c.RangeStart, "address")
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is and there is
+		// Don't wrap an errors since it's informative enough as is and there is
 		// an annotation deferred already.
 		return err
 	}
 	rangeEnd, err := ensureV4(c.RangeEnd, "address")
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is and there is
+		// Don't wrap an errors since it's informative enough as is and there is
 		// an annotation deferred already.
 		return err
 	}
 	c.ipRange, err = newIPRange(rangeStart.AsSlice(), rangeEnd.AsSlice())
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is and there is
+		// Don't wrap an errors since it's informative enough as is and there is
 		// an annotation deferred already.
 		return err
 	}
--- a/internal/dhcpd/dhcpd.go
+++ b/internal/dhcpd/dhcpd.go
@@ -219,6 +219,8 @@ var _ Interface = (*server)(nil)
 // Create initializes and returns the DHCP server handling both address
 // families.  It also registers the corresponding HTTP API endpoints.
 //
 // TODO(e.burkov):  Don't register handlers, see TODO on [aghhttp.RegisterFunc].
 func Create(conf *ServerConfig) (s *server, err error) {
 	s = &server{
 		conf: &ServerConfig{
@@ -235,8 +237,6 @@ func Create(conf *ServerConfig) (s *server, err error) {
 		},
 	}
 	// TODO(e.burkov):  Don't register handlers, see TODO on
 	// [aghhttp.RegisterFunc].
 	s.registerHandlers()
 	v4conf := conf.Conf4
@@ -250,7 +250,7 @@ func Create(conf *ServerConfig) (s *server, err error) {
 			return nil, fmt.Errorf("creating dhcpv4 srv: %w", err)
 		}
-		log.Debug("dhcpd: warning: creating dhcpv4 srv: %s", err)
+		log.Error("creating dhcpv4 srv: %s", err)
 	}
 	v6conf := conf.Conf6
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -145,7 +145,8 @@ type FilteringConfig struct {
 	IpsetListFileName string `yaml:"ipset_file"`
 }
-// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
+// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, DNS-over-TLS,
 // and DNS-over-QUIC.
 type TLSConfig struct {
 	cert tls.Certificate
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -530,14 +530,14 @@ func validateBlockingMode(mode BlockingMode, blockingIPv4, blockingIPv6 net.IP)
 // prepareInternalProxy initializes the DNS proxy that is used for internal DNS
 // queries, such as public clients PTR resolving and updater hostname resolving.
 func (s *Server) prepareInternalProxy() (err error) {
 	srvConf := s.conf
 	conf := &proxy.Config{
 		CacheEnabled:   true,
 		CacheSizeBytes: 4096,
-		UpstreamConfig: srvConf.UpstreamConfig,
+		UpstreamConfig: s.conf.UpstreamConfig,
 		MaxGoroutines:  int(s.conf.MaxGoroutines),
 	}
 	srvConf := s.conf
 	setProxyUpstreamMode(
 		conf,
 		srvConf.AllServers,
@@ -570,32 +570,46 @@ func (s *Server) Stop() error {
 // stopLocked stops the DNS server without locking.  For internal use only.
 func (s *Server) stopLocked() (err error) {
 	// TODO(e.burkov, a.garipov):  Return critical errors, not just log them.
 	// This will require filtering all the non-critical errors in
 	// [upstream.Upstream] implementations.
 	if s.dnsProxy != nil {
 		err = s.dnsProxy.Stop()
 		if err != nil {
-			log.Error("dnsforward: closing primary resolvers: %s", err)
+			return fmt.Errorf("closing primary resolvers: %w", err)
 		}
 	}
 	var errs []error
 	if upsConf := s.internalProxy.UpstreamConfig; upsConf != nil {
 		const action = "closing internal resolvers"
 		err = upsConf.Close()
 		if err != nil {
-			log.Error("dnsforward: closing internal resolvers: %s", err)
+			if errors.Is(err, net.ErrClosed) {
 				log.Debug("dnsforward: %s: %s", action, err)
 			} else {
 				errs = append(errs, fmt.Errorf("%s: %w", action, err))
 			}
 		}
 	}
 	if upsConf := s.localResolvers.UpstreamConfig; upsConf != nil {
 		const action = "closing local resolvers"
 		err = upsConf.Close()
 		if err != nil {
-			log.Error("dnsforward: closing local resolvers: %s", err)
+			if errors.Is(err, net.ErrClosed) {
 				log.Debug("dnsforward: %s: %s", action, err)
 			} else {
 				errs = append(errs, fmt.Errorf("%s: %w", action, err))
 			}
 		}
 	}
-	s.isRunning = false
+	if len(errs) > 0 {
 		return errors.List("stopping dns server", errs...)
 	} else {
 		s.isRunning = false
 	}
 	return nil
 }
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -22,7 +22,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rewrite"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -68,7 +67,7 @@ func createTestServer(
 		ID: 0, Data: []byte(rules),
 	}}
-	f, err := filtering.New(filterConf, filters, nil)
+	f, err := filtering.New(filterConf, filters)
 	require.NoError(t, err)
 	f.SetEnabled(true)
@@ -761,7 +760,7 @@ func TestBlockedCustomIP(t *testing.T) {
 		Data: []byte(rules),
 	}}
-	f, err := filtering.New(&filtering.Config{}, filters, nil)
+	f, err := filtering.New(&filtering.Config{}, filters)
 	require.NoError(t, err)
 	s, err := NewServer(DNSCreateParams{
@@ -881,22 +880,21 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 func TestRewrite(t *testing.T) {
 	c := &filtering.Config{
-		Rewrites: []*filtering.RewriteItem{{
+		Rewrites: []*filtering.LegacyRewrite{{
 			Domain: "test.com",
 			Answer: "1.2.3.4",
 			Type:   dns.TypeA,
 		}, {
 			Domain: "alias.test.com",
 			Answer: "test.com",
 			Type:   dns.TypeCNAME,
 		}, {
 			Domain: "my.alias.example.org",
 			Answer: "example.org",
 			Type:   dns.TypeCNAME,
 		}},
 	}
-
+	f, err := filtering.New(c, nil)
 	rewriteStorage, err := rewrite.NewDefaultStorage(c.Rewrites)
 	require.NoError(t, err)
 	f, err := filtering.New(c, nil, rewriteStorage)
 	require.NoError(t, err)
 	f.SetEnabled(true)
@@ -947,12 +945,6 @@ func TestRewrite(t *testing.T) {
 		assert.Empty(t, reply.Answer)
 		req = createTestMessageWithType("test.com.", dns.TypeTXT)
 		reply, eerr = dns.Exchange(req, addr.String())
 		require.NoError(t, eerr)
 		assert.Empty(t, reply.Answer)
 		req = createTestMessageWithType("alias.test.com.", dns.TypeA)
 		reply, eerr = dns.Exchange(req, addr.String())
 		require.NoError(t, eerr)
@@ -960,15 +952,8 @@ func TestRewrite(t *testing.T) {
 		require.Len(t, reply.Answer, 2)
 		assert.Equal(t, "test.com.", reply.Answer[0].(*dns.CNAME).Target)
 		assert.Equal(t, dns.TypeA, reply.Answer[1].Header().Rrtype)
 		assert.True(t, net.IP{1, 2, 3, 4}.Equal(reply.Answer[1].(*dns.A).A))
 		req = createTestMessageWithType("alias.test.com.", dns.TypeTXT)
 		reply, eerr = dns.Exchange(req, addr.String())
 		require.NoError(t, eerr)
 		assert.Empty(t, reply.Answer)
 		req = createTestMessageWithType("my.alias.example.org.", dns.TypeA)
 		reply, eerr = dns.Exchange(req, addr.String())
 		require.NoError(t, eerr)
@@ -982,12 +967,6 @@ func TestRewrite(t *testing.T) {
 		assert.Equal(t, "example.org.", reply.Answer[0].(*dns.CNAME).Target)
 		assert.Equal(t, dns.TypeA, reply.Answer[1].Header().Rrtype)
 		req = createTestMessageWithType("my.alias.test.com.", dns.TypeTXT)
 		reply, eerr = dns.Exchange(req, addr.String())
 		require.NoError(t, eerr)
 		assert.Empty(t, reply.Answer)
 	}
 	for _, protect := range []bool{true, false} {
@@ -1032,7 +1011,7 @@ var testDHCP = &dhcpd.MockInterface{
 func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	const localDomain = "lan"
-	flt, err := filtering.New(&filtering.Config{}, nil, nil)
+	flt, err := filtering.New(&filtering.Config{}, nil)
 	require.NoError(t, err)
 	s, err := NewServer(DNSCreateParams{
@@ -1106,7 +1085,7 @@ func TestPTRResponseFromHosts(t *testing.T) {
 	flt, err := filtering.New(&filtering.Config{
 		EtcHosts: hc,
-	}, nil, nil)
+	}, nil)
 	require.NoError(t, err)
 	flt.SetEnabled(true)
--- a/internal/dnsforward/filter_test.go
+++ b/internal/dnsforward/filter_test.go
@@ -35,7 +35,7 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 		ID: 0, Data: []byte(rules),
 	}}
-	f, err := filtering.New(&filtering.Config{}, filters, nil)
+	f, err := filtering.New(&filtering.Config{}, filters)
 	require.NoError(t, err)
 	f.SetEnabled(true)
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -3,7 +3,6 @@ package dnsforward
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/netip"
@@ -566,11 +565,6 @@ type domainSpecificTestError struct {
 	error
 }
 // Error implements the [error] interface for domainSpecificTestError.
 func (err domainSpecificTestError) Error() (msg string) {
 	return fmt.Sprintf("WARNING: %s", err.error)
 }
 // checkDNS checks the upstream server defined by upstreamConfigStr using
 // healthCheck for actually exchange messages.  It uses bootstrap to resolve the
 // upstream's address.
@@ -637,54 +631,44 @@ func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) {
 	result := map[string]string{}
 	bootstraps := req.BootstrapDNS
 	timeout := s.conf.UpstreamTimeout
 	for _, host := range req.Upstreams {
 		err = checkDNS(host, bootstraps, timeout, checkDNSUpstreamExc)
 		if err != nil {
 			log.Info("%v", err)
 			result[host] = err.Error()
 			if _, ok := err.(domainSpecificTestError); ok {
 				result[host] = fmt.Sprintf("WARNING: %s", result[host])
 			}
-	type upsCheckResult = struct {
+			continue
 		res  string
 		host string
 	}
 	upsNum := len(req.Upstreams) + len(req.PrivateUpstreams)
 	resCh := make(chan upsCheckResult, upsNum)
 	checkUps := func(ups string, healthCheck healthCheckFunc) {
 		res := upsCheckResult{
 			host: ups,
 		}
 		defer func() { resCh <- res }()
-		checkErr := checkDNS(ups, bootstraps, timeout, healthCheck)
+		result[host] = "OK"
-		if checkErr != nil {
+	}
-			res.res = checkErr.Error()
+
-		} else {
+	for _, host := range req.PrivateUpstreams {
-			res.res = "OK"
+		err = checkDNS(host, bootstraps, timeout, checkPrivateUpstreamExc)
 		if err != nil {
 			log.Info("%v", err)
 			// TODO(e.burkov): If passed upstream have already written an error
 			// above, we rewriting the error for it.  These cases should be
 			// handled properly instead.
 			result[host] = err.Error()
 			if _, ok := err.(domainSpecificTestError); ok {
 				result[host] = fmt.Sprintf("WARNING: %s", result[host])
 			}
 			continue
 		}
 	}
-	for _, ups := range req.Upstreams {
+		result[host] = "OK"
 		go checkUps(ups, checkDNSUpstreamExc)
 	}
 	for _, ups := range req.PrivateUpstreams {
 		go checkUps(ups, checkPrivateUpstreamExc)
 	}
 	for i := 0; i < upsNum; i++ {
 		pair := <-resCh
 		// TODO(e.burkov):  The upstreams used for both common and private
 		// resolving should be reported separately.
 		result[pair.host] = pair.res
 	}
 	close(resCh)
 	_ = aghhttp.WriteJSONResponse(w, r, result)
 }
 // handleCacheClear is the handler for the POST /control/cache_clear HTTP API.
 func (s *Server) handleCacheClear(w http.ResponseWriter, _ *http.Request) {
 	s.dnsProxy.ClearCache()
 	_, _ = io.WriteString(w, "OK")
 }
 // handleDoH is the DNS-over-HTTPs handler.
 //
 // Control flow:
@@ -719,8 +703,6 @@ func (s *Server) registerHandlers() {
 	s.conf.HTTPRegister(http.MethodGet, "/control/access/list", s.handleAccessList)
 	s.conf.HTTPRegister(http.MethodPost, "/control/access/set", s.handleAccessSet)
 	s.conf.HTTPRegister(http.MethodPost, "/control/cache_clear", s.handleCacheClear)
 	// Register both versions, with and without the trailing slash, to
 	// prevent a 301 Moved Permanently redirect when clients request the
 	// path without the trailing slash.  Those redirects break some clients.
--- a/internal/dnsforward/http_test.go
+++ b/internal/dnsforward/http_test.go
@@ -7,20 +7,16 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -396,141 +392,3 @@ func TestValidateUpstreamsPrivate(t *testing.T) {
 		})
 	}
 }
 func newLocalUpstreamListener(t *testing.T, port int, handler dns.Handler) (real net.Addr) {
 	startCh := make(chan struct{})
 	upsSrv := &dns.Server{
 		Addr:              netip.AddrPortFrom(netutil.IPv4Localhost(), uint16(port)).String(),
 		Net:               "tcp",
 		Handler:           handler,
 		NotifyStartedFunc: func() { close(startCh) },
 	}
 	go func() {
 		t := testutil.PanicT{}
 		err := upsSrv.ListenAndServe()
 		require.NoError(t, err)
 	}()
 	<-startCh
 	testutil.CleanupAndRequireSuccess(t, upsSrv.Shutdown)
 	return upsSrv.Listener.Addr()
 }
 func TestServer_handleTestUpstreaDNS(t *testing.T) {
 	goodHandler := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
 		err := w.WriteMsg(new(dns.Msg).SetReply(m))
 		require.NoError(testutil.PanicT{}, err)
 	})
 	badHandler := dns.HandlerFunc(func(w dns.ResponseWriter, _ *dns.Msg) {
 		err := w.WriteMsg(new(dns.Msg))
 		require.NoError(testutil.PanicT{}, err)
 	})
 	goodUps := (&url.URL{
 		Scheme: "tcp",
 		Host:   newLocalUpstreamListener(t, 0, goodHandler).String(),
 	}).String()
 	badUps := (&url.URL{
 		Scheme: "tcp",
 		Host:   newLocalUpstreamListener(t, 0, badHandler).String(),
 	}).String()
 	const upsTimeout = 100 * time.Millisecond
 	srv := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs:  []*net.UDPAddr{{}},
 		TCPListenAddrs:  []*net.TCPAddr{{}},
 		UpstreamTimeout: upsTimeout,
 	}, nil)
 	startDeferStop(t, srv)
 	testCases := []struct {
 		body     map[string]any
 		wantResp map[string]any
 		name     string
 	}{{
 		body: map[string]any{
 			"upstream_dns": []string{goodUps},
 		},
 		wantResp: map[string]any{
 			goodUps: "OK",
 		},
 		name: "success",
 	}, {
 		body: map[string]any{
 			"upstream_dns": []string{badUps},
 		},
 		wantResp: map[string]any{
 			badUps: `upstream "` + badUps + `" fails to exchange: ` +
 				`couldn't communicate with upstream: dns: id mismatch`,
 		},
 		name: "broken",
 	}, {
 		body: map[string]any{
 			"upstream_dns": []string{goodUps, badUps},
 		},
 		wantResp: map[string]any{
 			goodUps: "OK",
 			badUps: `upstream "` + badUps + `" fails to exchange: ` +
 				`couldn't communicate with upstream: dns: id mismatch`,
 		},
 		name: "both",
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			reqBody, err := json.Marshal(tc.body)
 			require.NoError(t, err)
 			w := httptest.NewRecorder()
 			r, err := http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
 			require.NoError(t, err)
 			srv.handleTestUpstreamDNS(w, r)
 			require.Equal(t, http.StatusOK, w.Code)
 			resp := map[string]any{}
 			err = json.NewDecoder(w.Body).Decode(&resp)
 			require.NoError(t, err)
 			assert.Equal(t, tc.wantResp, resp)
 		})
 	}
 	t.Run("timeout", func(t *testing.T) {
 		slowHandler := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
 			time.Sleep(upsTimeout * 2)
 			writeErr := w.WriteMsg(new(dns.Msg).SetReply(m))
 			require.NoError(testutil.PanicT{}, writeErr)
 		})
 		sleepyUps := (&url.URL{
 			Scheme: "tcp",
 			Host:   newLocalUpstreamListener(t, 0, slowHandler).String(),
 		}).String()
 		req := map[string]any{
 			"upstream_dns": []string{sleepyUps},
 		}
 		reqBody, err := json.Marshal(req)
 		require.NoError(t, err)
 		w := httptest.NewRecorder()
 		r, err := http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
 		require.NoError(t, err)
 		srv.handleTestUpstreamDNS(w, r)
 		require.Equal(t, http.StatusOK, w.Code)
 		resp := map[string]any{}
 		err = json.NewDecoder(w.Body).Decode(&resp)
 		require.NoError(t, err)
 		require.Contains(t, resp, sleepyUps)
 		require.IsType(t, "", resp[sleepyUps])
 		sleepyRes, _ := resp[sleepyUps].(string)
 		// TODO(e.burkov):  Improve the format of an error in dnsproxy.
 		assert.True(t, strings.HasSuffix(sleepyRes, "i/o timeout"))
 	})
 }
--- a/internal/filtering/filter.go
+++ b/internal/filtering/filter.go
@@ -2,7 +2,6 @@ package filtering
 import (
 	"bufio"
 	"bytes"
 	"fmt"
 	"hash/crc32"
 	"io"
@@ -13,7 +12,6 @@ import (
 	"strings"
 	"time"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/stringutil"
@@ -99,15 +97,14 @@ func (d *DNSFilter) filterSetProperties(
 		filt.URL,
 	)
-	defer func(oldURL, oldName string, oldEnabled bool, oldUpdated time.Time, oldRulesCount int) {
+	defer func(oldURL, oldName string, oldEnabled bool, oldUpdated time.Time) {
 		if err != nil {
 			filt.URL = oldURL
 			filt.Name = oldName
 			filt.Enabled = oldEnabled
 			filt.LastUpdated = oldUpdated
 			filt.RulesCount = oldRulesCount
 		}
-	}(filt.URL, filt.Name, filt.Enabled, filt.LastUpdated, filt.RulesCount)
+	}(filt.URL, filt.Name, filt.Enabled, filt.LastUpdated)
 	filt.Name = newList.Name
@@ -137,8 +134,8 @@ func (d *DNSFilter) filterSetProperties(
 		// TODO(e.burkov):  The validation of the contents of the new URL is
 		// currently skipped if the rule list is disabled.  This makes it
 		// possible to set a bad rules source, but the validation should still
-		// kick in when the filter is enabled.  Consider changing this behavior
+		// kick in when the filter is enabled.  Consider making changing this
-		// to be stricter.
+		// behavior to be stricter.
 		filt.unload()
 	}
@@ -272,10 +269,10 @@ func (d *DNSFilter) periodicallyRefreshFilters() {
 // already going on.
 //
 // TODO(e.burkov):  Get rid of the concurrency pattern which requires the
-// [sync.Mutex.TryLock].
+// sync.Mutex.TryLock.
 func (d *DNSFilter) tryRefreshFilters(block, allow, force bool) (updated int, isNetworkErr, ok bool) {
 	if ok = d.refreshLock.TryLock(); !ok {
-		return 0, false, false
+		return 0, false, ok
 	}
 	defer d.refreshLock.Unlock()
@@ -430,124 +427,52 @@ func (d *DNSFilter) refreshFiltersIntl(block, allow, force bool) (int, bool) {
 	return updNum, false
 }
-// isPrintableText returns true if data is printable UTF-8 text with CR, LF, TAB
+// Allows printable UTF-8 text with CR, LF, TAB characters
-// characters.
+func isPrintableText(data []byte, len int) bool {
-//
+	for i := 0; i < len; i++ {
-// TODO(e.burkov):  Investigate the purpose of this and improve the
+		c := data[i]
 // implementation.  Perhaps, use something from the unicode package.
 func isPrintableText(data string) (ok bool) {
 	for _, c := range []byte(data) {
 		if (c >= ' ' && c != 0x7f) || c == '\n' || c == '\r' || c == '\t' {
 			continue
 		}
 		return false
 	}
 	return true
 }
-// scanLinesWithBreak is essentially a [bufio.ScanLines] which keeps trailing
+// A helper function that parses filter contents and returns a number of rules and a filter name (if there's any)
-// line breaks.
+func (d *DNSFilter) parseFilterContents(file io.Reader) (int, uint32, string) {
-func scanLinesWithBreak(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	rulesCount := 0
-	if atEOF && len(data) == 0 {
+	name := ""
-		return 0, nil, nil
+	seenTitle := false
-	}
+	r := bufio.NewReader(file)
-
+	checksum := uint32(0)
 	if i := bytes.IndexByte(data, '\n'); i >= 0 {
 		return i + 1, data[0 : i+1], nil
 	}
 	if atEOF {
 		return len(data), data, nil
 	}
 	// Request more data.
 	return 0, nil, nil
 }
 // parseFilter copies filter's content from src to dst and returns the number of
 // rules, name, number of bytes written, checksum, and title of the parsed list.
 // dst must not be nil.
 func (d *DNSFilter) parseFilter(
 	src io.Reader,
 	dst io.Writer,
 ) (rulesNum, written int, checksum uint32, title string, err error) {
 	scanner := bufio.NewScanner(src)
 	scanner.Split(scanLinesWithBreak)
 	titleFound := false
 	for n := 0; scanner.Scan(); written += n {
 		line := scanner.Text()
 		var isRule bool
 		var likelyTitle string
 		isRule, likelyTitle, err = d.parseFilterLine(line, !titleFound, written == 0)
 		if err != nil {
 			return 0, written, 0, "", err
 		}
 		if isRule {
 			rulesNum++
 		} else if likelyTitle != "" {
 			title, titleFound = likelyTitle, true
 		}
 	for {
 		line, err := r.ReadString('\n')
 		checksum = crc32.Update(checksum, crc32.IEEETable, []byte(line))
-		n, err = dst.Write([]byte(line))
+		line = strings.TrimSpace(line)
 		if len(line) == 0 {
 			//
 		} else if line[0] == '!' {
 			m := d.filterTitleRegexp.FindAllStringSubmatch(line, -1)
 			if len(m) > 0 && len(m[0]) >= 2 && !seenTitle {
 				name = m[0][1]
 				seenTitle = true
 			}
 		} else if line[0] == '#' {
 			//
 		} else {
 			rulesCount++
 		}
 		if err != nil {
-			return 0, written, 0, "", fmt.Errorf("writing filter line: %w", err)
+			break
 		}
 	}
-	if err = scanner.Err(); err != nil {
+	return rulesCount, checksum, name
 		return 0, written, 0, "", fmt.Errorf("scanning filter contents: %w", err)
 	}
 	return rulesNum, written, checksum, title, nil
 }
 // parseFilterLine returns true if the passed line is a rule.  line is
 // considered a rule if it's not a comment and contains no title.
 func (d *DNSFilter) parseFilterLine(
 	line string,
 	lookForTitle bool,
 	testHTML bool,
 ) (isRule bool, title string, err error) {
 	if !isPrintableText(line) {
 		return false, "", errors.Error("filter contains non-printable characters")
 	}
 	line = strings.TrimSpace(line)
 	if line == "" || line[0] == '#' {
 		return false, "", nil
 	}
 	if testHTML && isHTML(line) {
 		return false, "", errors.Error("data is HTML, not plain text")
 	}
 	if line[0] == '!' && lookForTitle {
 		match := d.filterTitleRegexp.FindStringSubmatch(line)
 		if len(match) > 1 {
 			title = match[1]
 		}
 		return false, title, nil
 	}
 	return true, "", nil
 }
 // isHTML returns true if the line contains HTML tags instead of plain text.
 // line shouldn have no leading space symbols.
 //
 // TODO(ameshkov):  It actually gives too much false-positives.  Perhaps, just
 // check if trimmed string begins with angle bracket.
 func isHTML(line string) (ok bool) {
 	line = strings.ToLower(line)
 	return strings.HasPrefix(line, "<html") || strings.HasPrefix(line, "<!doctype")
 }
 // Perform upgrade on a filter and update LastUpdated value
@@ -560,10 +485,57 @@ func (d *DNSFilter) update(filter *FilterYAML) (bool, error) {
 			log.Error("os.Chtimes(): %v", e)
 		}
 	}
 	return b, err
 }
 func (d *DNSFilter) read(reader io.Reader, tmpFile *os.File, filter *FilterYAML) (int, error) {
 	htmlTest := true
 	firstChunk := make([]byte, 4*1024)
 	firstChunkLen := 0
 	buf := make([]byte, 64*1024)
 	total := 0
 	for {
 		n, err := reader.Read(buf)
 		total += n
 		if htmlTest {
 			num := len(firstChunk) - firstChunkLen
 			if n < num {
 				num = n
 			}
 			copied := copy(firstChunk[firstChunkLen:], buf[:num])
 			firstChunkLen += copied
 			if firstChunkLen == len(firstChunk) || err == io.EOF {
 				if !isPrintableText(firstChunk, firstChunkLen) {
 					return total, fmt.Errorf("data contains non-printable characters")
 				}
 				s := strings.ToLower(string(firstChunk))
 				if strings.Contains(s, "<html") || strings.Contains(s, "<!doctype") {
 					return total, fmt.Errorf("data is HTML, not plain text")
 				}
 				htmlTest = false
 				firstChunk = nil
 			}
 		}
 		_, err2 := tmpFile.Write(buf[:n])
 		if err2 != nil {
 			return total, err2
 		}
 		if err == io.EOF {
 			return total, nil
 		}
 		if err != nil {
 			log.Printf("Couldn't fetch filter contents from URL %s, skipping: %s", filter.URL, err)
 			return total, err
 		}
 	}
 }
 // finalizeUpdate closes and gets rid of temporary file f with filter's content
 // according to updated.  It also saves new values of flt's name, rules number
 // and checksum if sucсeeded.
@@ -580,8 +552,7 @@ func (d *DNSFilter) finalizeUpdate(
 	// Close the file before renaming it because it's required on Windows.
 	//
 	// See https://github.com/adguardTeam/adGuardHome/issues/1553.
-	err = file.Close()
+	if err = file.Close(); err != nil {
 	if err != nil {
 		return fmt.Errorf("closing temporary file: %w", err)
 	}
@@ -593,18 +564,38 @@ func (d *DNSFilter) finalizeUpdate(
 	log.Printf("saving filter %d contents to: %s", flt.ID, flt.Path(d.DataDir))
-	// Don't use renamio or maybe packages, since those will require loading the
+	if err = os.Rename(tmpFileName, flt.Path(d.DataDir)); err != nil {
 	// whole filter content to the memory on Windows.
 	err = os.Rename(tmpFileName, flt.Path(d.DataDir))
 	if err != nil {
 		return errors.WithDeferred(err, os.Remove(tmpFileName))
 	}
-	flt.Name, flt.checksum, flt.RulesCount = aghalg.Coalesce(flt.Name, name), cs, rnum
+	flt.Name = stringutil.Coalesce(flt.Name, name)
 	flt.checksum = cs
 	flt.RulesCount = rnum
 	return nil
 }
 // processUpdate copies filter's content from src to dst and returns the name,
 // rules number, and checksum for it.  It also returns the number of bytes read
 // from src.
 func (d *DNSFilter) processUpdate(
 	src io.Reader,
 	dst *os.File,
 	flt *FilterYAML,
 ) (name string, rnum int, cs uint32, n int, err error) {
 	if n, err = d.read(src, dst, flt); err != nil {
 		return "", 0, 0, 0, err
 	}
 	if _, err = dst.Seek(0, io.SeekStart); err != nil {
 		return "", 0, 0, 0, err
 	}
 	rnum, cs, name = d.parseFilterContents(dst)
 	return name, rnum, cs, n, nil
 }
 // updateIntl updates the flt rewriting it's actual file.  It returns true if
 // the actual update has been performed.
 func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
@@ -621,21 +612,31 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
 	}
 	defer func() {
 		err = errors.WithDeferred(err, d.finalizeUpdate(tmpFile, flt, ok, name, rnum, cs))
-		if ok && err == nil {
+		ok = ok && err == nil
 		if ok {
 			log.Printf("updated filter %d: %d bytes, %d rules", flt.ID, n, rnum)
 		}
 	}()
-	// Change the default 0o600 permission to something more acceptable by end
+	// Change the default 0o600 permission to something more acceptable by
-	// users.
+	// end users.
 	//
 	// See https://github.com/AdguardTeam/AdGuardHome/issues/3198.
 	if err = tmpFile.Chmod(0o644); err != nil {
 		return false, fmt.Errorf("changing file mode: %w", err)
 	}
-	var rc io.ReadCloser
+	var r io.Reader
-	if !filepath.IsAbs(flt.URL) {
+	if filepath.IsAbs(flt.URL) {
 		var file io.ReadCloser
 		file, err = os.Open(flt.URL)
 		if err != nil {
 			return false, fmt.Errorf("open file: %w", err)
 		}
 		defer func() { err = errors.WithDeferred(err, file.Close()) }()
 		r = file
 	} else {
 		var resp *http.Response
 		resp, err = d.HTTPClient.Get(flt.URL)
 		if err != nil {
@@ -648,30 +649,24 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {
 		if resp.StatusCode != http.StatusOK {
 			log.Printf("got status code %d from %s, skip", resp.StatusCode, flt.URL)
-			return false, fmt.Errorf("got status code %d, want %d", resp.StatusCode, http.StatusOK)
+			return false, fmt.Errorf("got status code != 200: %d", resp.StatusCode)
 		}
-		rc = resp.Body
+		r = resp.Body
 	} else {
 		rc, err = os.Open(flt.URL)
 		if err != nil {
 			return false, fmt.Errorf("open file: %w", err)
 		}
 		defer func() { err = errors.WithDeferred(err, rc.Close()) }()
 	}
-	rnum, n, cs, name, err = d.parseFilter(rc, tmpFile)
+	name, rnum, cs, n, err = d.processUpdate(r, tmpFile, flt)
-	return cs != flt.checksum && err == nil, err
+	return cs != flt.checksum, err
 }
 // loads filter contents from the file in dataDir
-func (d *DNSFilter) load(flt *FilterYAML) (err error) {
+func (d *DNSFilter) load(filter *FilterYAML) (err error) {
-	fileName := flt.Path(d.DataDir)
+	filterFilePath := filter.Path(d.DataDir)
-	log.Debug("filtering: loading filter %d from %s", flt.ID, fileName)
+	log.Tracef("filtering: loading filter %d from %s", filter.ID, filterFilePath)
-	file, err := os.Open(fileName)
+	file, err := os.Open(filterFilePath)
 	if errors.Is(err, os.ErrNotExist) {
 		// Do nothing, file doesn't exist.
 		return nil
@@ -685,14 +680,13 @@ func (d *DNSFilter) load(flt *FilterYAML) (err error) {
 		return fmt.Errorf("getting filter file stat: %w", err)
 	}
-	log.Debug("filtering: file %s, id %d, length %d", fileName, flt.ID, st.Size())
+	log.Tracef("filtering: File %s, id %d, length %d", filterFilePath, filter.ID, st.Size())
-	rulesCount, _, checksum, _, err := d.parseFilter(file, io.Discard)
+	rulesCount, checksum, _ := d.parseFilterContents(file)
 	if err != nil {
 		return fmt.Errorf("parsing filter file: %w", err)
 	}
-	flt.RulesCount, flt.checksum, flt.LastUpdated = rulesCount, checksum, st.ModTime()
+	filter.RulesCount = rulesCount
 	filter.checksum = checksum
 	filter.LastUpdated = st.ModTime()
 	return nil
 }
--- a/internal/filtering/filter_test.go
+++ b/internal/filtering/filter_test.go
@@ -4,23 +4,33 @@ import (
 	"io/fs"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
-// serveHTTPLocally starts a new HTTP server, that handles its index with h.  It
+// serveFiltersLocally is a helper that concurrently listens on a free port to
-// also gracefully closes the listener when the test under t finishes.
+// respond with fltContent.  It also gracefully closes the listener when the
-func serveHTTPLocally(t *testing.T, h http.Handler) (urlStr string) {
+// test under t finishes.
 func serveFiltersLocally(t *testing.T, fltContent []byte) (ipp netip.AddrPort) {
 	t.Helper()
 	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		pt := testutil.PanicT{}
 		n, werr := w.Write(fltContent)
 		require.NoError(pt, werr)
 		require.Equal(pt, len(fltContent), n)
 	})
 	l, err := net.Listen("tcp", ":0")
 	require.NoError(t, err)
@@ -28,26 +38,9 @@ func serveHTTPLocally(t *testing.T, h http.Handler) (urlStr string) {
 	testutil.CleanupAndRequireSuccess(t, l.Close)
 	addr := l.Addr()
-	require.IsType(t, (*net.TCPAddr)(nil), addr)
+	require.IsType(t, new(net.TCPAddr), addr)
-	return (&url.URL{
+	return netip.AddrPortFrom(netutil.IPv4Localhost(), uint16(addr.(*net.TCPAddr).Port))
 		Scheme: aghhttp.SchemeHTTP,
 		Host:   addr.String(),
 	}).String()
 }
 // serveFiltersLocally is a helper that concurrently listens on a free port to
 // respond with fltContent.
 func serveFiltersLocally(t *testing.T, fltContent []byte) (urlStr string) {
 	t.Helper()
 	return serveHTTPLocally(t, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		pt := testutil.PanicT{}
 		n, werr := w.Write(fltContent)
 		require.NoError(pt, werr)
 		require.Equal(pt, len(fltContent), n)
 	}))
 }
 func TestFilters(t *testing.T) {
@@ -68,11 +61,14 @@ func TestFilters(t *testing.T) {
 		HTTPClient: &http.Client{
 			Timeout: 5 * time.Second,
 		},
-	}, nil, nil)
+	}, nil)
 	require.NoError(t, err)
 	f := &FilterYAML{
-		URL: addr,
+		URL: (&url.URL{
 			Scheme: "http",
 			Host:   addr.String(),
 		}).String(),
 	}
 	updateAndAssert := func(t *testing.T, want require.BoolAssertionFunc, wantRulesCount int) {
@@ -107,7 +103,11 @@ func TestFilters(t *testing.T) {
 		anotherContent := []byte(`||example.com^`)
 		oldURL := f.URL
-		f.URL = serveFiltersLocally(t, anotherContent)
+		ipp := serveFiltersLocally(t, anotherContent)
 		f.URL = (&url.URL{
 			Scheme: "http",
 			Host:   ipp.String(),
 		}).String()
 		t.Cleanup(func() { f.URL = oldURL })
 		updateAndAssert(t, require.True, 1)
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@@ -40,7 +40,6 @@ const (
 	ParentalListID
 	SafeBrowsingListID
 	SafeSearchListID
 	RewritesListID
 )
 // ServiceEntry - blocked service array element
@@ -90,7 +89,7 @@ type Config struct {
 	ParentalCacheSize     uint `yaml:"parental_cache_size"`     // (in bytes)
 	CacheTime             uint `yaml:"cache_time"`              // Element's TTL (in minutes)
-	Rewrites []*RewriteItem `yaml:"rewrites"`
+	Rewrites []*LegacyRewrite `yaml:"rewrites"`
 	// Names of services to block (globally).
 	// Per-client settings can override this configuration.
@@ -190,12 +189,8 @@ type DNSFilter struct {
 	// filterTitleRegexp is the regular expression to retrieve a name of a
 	// filter list.
 	//
 	// TODO(e.burkov):  Don't use regexp for such a simple text processing task.
 	filterTitleRegexp *regexp.Regexp
 	rewriteStorage RewriteStorage
 	hostCheckers []hostChecker
 }
@@ -317,7 +312,7 @@ func (d *DNSFilter) WriteDiskConfig(c *Config) {
 		defer d.confLock.Unlock()
 		*c = d.Config
-		c.Rewrites = slices.Clone(c.Rewrites)
+		c.Rewrites = cloneRewrites(c.Rewrites)
 	}()
 	d.filtersMu.RLock()
@@ -328,6 +323,16 @@ func (d *DNSFilter) WriteDiskConfig(c *Config) {
 	c.UserRules = slices.Clone(d.UserRules)
 }
 // cloneRewrites returns a deep copy of entries.
 func cloneRewrites(entries []*LegacyRewrite) (clone []*LegacyRewrite) {
 	clone = make([]*LegacyRewrite, len(entries))
 	for i, rw := range entries {
 		clone[i] = rw.clone()
 	}
 	return clone
 }
 // SetFilters sets new filters, synchronously or asynchronously.  When filters
 // are set asynchronously, the old filters continue working until the new
 // filters are ready.
@@ -538,52 +543,75 @@ func (d *DNSFilter) matchSysHosts(
 // CNAME, breaking loops in the process.
 //
 // Secondly, it finds A or AAAA rewrites for host and, if found, sets res.IPList
-// accordingly.
+// accordingly.  If the found rewrite has a special value of "A" or "AAAA", the
 // result is an exception.
 func (d *DNSFilter) processRewrites(host string, qtype uint16) (res Result) {
 	d.confLock.RLock()
 	defer d.confLock.RUnlock()
-	if d.rewriteStorage == nil {
+	rewrites, matched := findRewrites(d.Rewrites, host, qtype)
-		return res
+	if !matched {
 		return Result{}
 	}
-	dnsr := d.rewriteStorage.MatchRequest(&urlfilter.DNSRequest{
+	res.Reason = Rewritten
 		Hostname: host,
 		DNSType:  qtype,
 	})
-	setRewriteResult(&res, host, dnsr, qtype)
+	cnames := stringutil.NewSet()
 	origHost := host
 	for matched && len(rewrites) > 0 && rewrites[0].Type == dns.TypeCNAME {
 		rw := rewrites[0]
 		rwPat := rw.Domain
 		rwAns := rw.Answer
 		log.Debug("rewrite: cname for %s is %s", host, rwAns)
 		if origHost == rwAns || rwPat == rwAns {
 			// Either a request for the hostname itself or a rewrite of
 			// a pattern onto itself, both of which are an exception rules.
 			// Return a not filtered result.
 			return Result{}
 		} else if host == rwAns && isWildcard(rwPat) {
 			// An "*.example.com → sub.example.com" rewrite matching in a loop.
 			//
 			// See https://github.com/AdguardTeam/AdGuardHome/issues/4016.
 			res.CanonName = host
 			break
 		}
 		host = rwAns
 		if cnames.Has(host) {
 			log.Info("rewrite: cname loop for %q on %q", origHost, host)
 			return res
 		}
 		cnames.Add(host)
 		res.CanonName = host
 		rewrites, matched = findRewrites(d.Rewrites, host, qtype)
 	}
 	setRewriteResult(&res, host, rewrites, qtype)
 	return res
 }
 // setRewriteResult sets the Reason or IPList of res if necessary.  res must not
 // be nil.
-func setRewriteResult(res *Result, host string, dnsr []*rules.DNSRewrite, qtype uint16) {
+func setRewriteResult(res *Result, host string, rewrites []*LegacyRewrite, qtype uint16) {
-	if len(dnsr) == 0 {
+	for _, rw := range rewrites {
-		res.Reason = NotFilteredNotFound
+		if rw.Type == qtype && (qtype == dns.TypeA || qtype == dns.TypeAAAA) {
 			if rw.IP == nil {
 				// "A"/"AAAA" exception: allow getting from upstream.
 				res.Reason = NotFilteredNotFound
-		return
+				return
 	}
 	res.Reason = Rewritten
 	for _, dnsRewrite := range dnsr {
 		if dnsRewrite.RRType == qtype && (qtype == dns.TypeA || qtype == dns.TypeAAAA) {
 			ip, ok := dnsRewrite.Value.(net.IP)
 			if !ok || ip == nil {
 				continue
 			}
-			if qtype == dns.TypeA {
+			res.IPList = append(res.IPList, rw.IP)
 				ip = ip.To4()
 			}
-			res.IPList = append(res.IPList, ip)
+			log.Debug("rewrite: a/aaaa for %s is %s", host, rw.IP)
 			log.Debug("rewrite: a/aaaa for %s is %s", host, ip)
 		} else if dnsRewrite.NewCNAME != "" {
 			res.CanonName = dnsRewrite.NewCNAME
 		}
 	}
 }
@@ -896,7 +924,7 @@ func InitModule() {
 // New creates properly initialized DNS Filter that is ready to be used.  c must
 // be non-nil.
-func New(c *Config, blockFilters []Filter, rewriteStorage RewriteStorage) (d *DNSFilter, err error) {
+func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 	d = &DNSFilter{
 		resolver:          net.DefaultResolver,
 		refreshLock:       &sync.Mutex{},
@@ -949,7 +977,11 @@ func New(c *Config, blockFilters []Filter, rewriteStorage RewriteStorage) (d *DN
 	d.Config = *c
 	d.filtersMu = &sync.RWMutex{}
-	d.rewriteStorage = rewriteStorage
+
 	err = d.prepareRewrites()
 	if err != nil {
 		return nil, fmt.Errorf("rewrites: preparing: %s", err)
 	}
 	bsvcs := []string{}
 	for _, s := range d.BlockedServices {
--- a/internal/filtering/filtering_test.go
+++ b/internal/filtering/filtering_test.go
@@ -46,7 +46,6 @@ func newForTest(t testing.TB, c *Config, filters []Filter) (f *DNSFilter, setts
 		ProtectionEnabled: true,
 		FilteringEnabled:  true,
 	}
 	if c != nil {
 		c.SafeBrowsingCacheSize = 10000
 		c.ParentalCacheSize = 10000
@@ -59,8 +58,7 @@ func newForTest(t testing.TB, c *Config, filters []Filter) (f *DNSFilter, setts
 		// It must not be nil.
 		c = &Config{}
 	}
-
+	f, err := New(c, filters)
 	f, err := New(c, filters, nil)
 	require.NoError(t, err)
 	purgeCaches(f)
@@ -419,275 +417,274 @@ func TestMatching(t *testing.T) {
 		host           string
 		wantReason     Reason
 		wantIsFiltered bool
-		qtype          uint16
+		wantDNSType    uint16
 	}{{
 		name:           "sanity",
 		rules:          "||doubleclick.net^",
 		host:           "www.doubleclick.net",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "sanity",
 		rules:          "||doubleclick.net^",
 		host:           "nodoubleclick.net",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "sanity",
 		rules:          "||doubleclick.net^",
 		host:           "doubleclick.net.ru",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "sanity",
 		rules:          "||doubleclick.net^",
 		host:           sbBlocked,
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "blocking",
 		rules:          blockingRules,
 		host:           "example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "blocking",
 		rules:          blockingRules,
 		host:           "test.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "blocking",
 		rules:          blockingRules,
 		host:           "test.test.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "blocking",
 		rules:          blockingRules,
 		host:           "testexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "blocking",
 		rules:          blockingRules,
 		host:           "onemoreexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "allowlist",
 		rules:          allowlistRules,
 		host:           "example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "allowlist",
 		rules:          allowlistRules,
 		host:           "test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "allowlist",
 		rules:          allowlistRules,
 		host:           "test.test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "allowlist",
 		rules:          allowlistRules,
 		host:           "testexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "allowlist",
 		rules:          allowlistRules,
 		host:           "onemoreexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "important",
 		rules:          importantRules,
 		host:           "example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "important",
 		rules:          importantRules,
 		host:           "test.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "important",
 		rules:          importantRules,
 		host:           "test.test.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "important",
 		rules:          importantRules,
 		host:           "testexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "important",
 		rules:          importantRules,
 		host:           "onemoreexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "regex",
 		rules:          regexRules,
 		host:           "example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "regex",
 		rules:          regexRules,
 		host:           "test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "regex",
 		rules:          regexRules,
 		host:           "test.test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "regex",
 		rules:          regexRules,
 		host:           "testexample.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "regex",
 		rules:          regexRules,
 		host:           "onemoreexample.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "test.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "test2.example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "example.com",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "exampleeee.com",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "onemoreexamsite.com",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "testexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "mask",
 		rules:          maskRules,
 		host:           "example.co.uk",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "dnstype",
 		rules:          dnstypeRules,
 		host:           "onemoreexample.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "dnstype",
 		rules:          dnstypeRules,
 		host:           "example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredNotFound,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "dnstype",
 		rules:          dnstypeRules,
 		host:           "example.org",
 		wantIsFiltered: true,
 		wantReason:     FilteredBlockList,
-		qtype:          dns.TypeAAAA,
+		wantDNSType:    dns.TypeAAAA,
 	}, {
 		name:           "dnstype",
 		rules:          dnstypeRules,
 		host:           "test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeA,
+		wantDNSType:    dns.TypeA,
 	}, {
 		name:           "dnstype",
 		rules:          dnstypeRules,
 		host:           "test.example.org",
 		wantIsFiltered: false,
 		wantReason:     NotFilteredAllowList,
-		qtype:          dns.TypeAAAA,
+		wantDNSType:    dns.TypeAAAA,
 	}}
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf("%s-%s", tc.name, tc.host), func(t *testing.T) {
 			filters := []Filter{{ID: 0, Data: []byte(tc.rules)}}
 			d, setts := newForTest(t, nil, filters)
 			t.Cleanup(d.Close)
-			res, err := d.CheckHost(tc.host, tc.qtype, setts)
+			res, err := d.CheckHost(tc.host, tc.wantDNSType, setts)
 			require.NoError(t, err)
 			assert.Equalf(t, tc.wantIsFiltered, res.IsFiltered, "Hostname %s has wrong result (%v must be %v)", tc.host, res.IsFiltered, tc.wantIsFiltered)
--- a/internal/filtering/http_test.go
+++ b/internal/filtering/http_test.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"
@@ -29,7 +30,11 @@ func TestDNSFilter_handleFilteringSetURL(t *testing.T) {
 		endpoint: &badRulesEndpoint,
 		content:  []byte(`<html></html>`),
 	}} {
-		*rulesSource.endpoint = serveFiltersLocally(t, rulesSource.content)
+		ipp := serveFiltersLocally(t, rulesSource.content)
 		*rulesSource.endpoint = (&url.URL{
 			Scheme: "http",
 			Host:   ipp.String(),
 		}).String()
 	}
 	testCases := []struct {
@@ -105,7 +110,7 @@ func TestDNSFilter_handleFilteringSetURL(t *testing.T) {
 				},
 				ConfigModified: func() { confModifiedCalled = true },
 				DataDir:        filtersDir,
-			}, nil, nil)
+			}, nil)
 			require.NoError(t, err)
 			t.Cleanup(d.Close)
--- a/internal/filtering/rewrite.go
+++ b/internal/filtering/rewrite.go
@@ -1,42 +0,0 @@
 package filtering
 import (
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/rules"
 )
 // RewriteStorage is a storage for rewrite rules.
 type RewriteStorage interface {
 	// MatchRequest returns matching dnsrewrites for the specified request.
 	MatchRequest(dReq *urlfilter.DNSRequest) (rws []*rules.DNSRewrite)
 	// Add adds item to the storage.
 	Add(item *RewriteItem) (err error)
 	// Remove deletes item from the storage.
 	Remove(item *RewriteItem) (err error)
 	// List returns all items from the storage.
 	List() (items []*RewriteItem)
 }
 // RewriteItem is a single DNS rewrite record.
 type RewriteItem struct {
 	// Domain is the domain pattern for which this rewrite should work.
 	Domain string `yaml:"domain" json:"domain"`
 	// Answer is the IP address, canonical name, or one of the special
 	// values: "A" or "AAAA".
 	Answer string `yaml:"answer" json:"answer"`
 }
 // Equal returns true if rw is Equal to other.
 func (rw *RewriteItem) Equal(other *RewriteItem) (ok bool) {
 	if rw == nil {
 		return other == nil
 	} else if other == nil {
 		return false
 	}
 	return *rw == *other
 }
--- a/internal/filtering/rewrite/storage.go
+++ b/internal/filtering/rewrite/storage.go
@@ -1,276 +0,0 @@
 // Package rewrite implements DNS Rewrites storage and request matching.
 package rewrite
 import (
 	"fmt"
 	"net/netip"
 	"strings"
 	"sync"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/filterlist"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 	"golang.org/x/exp/slices"
 )
 // DefaultStorage is the default storage for rewrite rules.
 type DefaultStorage struct {
 	// mu protects items.
 	mu *sync.RWMutex
 	// engine is the DNS filtering engine.
 	engine *urlfilter.DNSEngine
 	// ruleList is the filtering rule ruleList used by the engine.
 	ruleList filterlist.RuleList
 	// rewrites stores the rewrite entries from configuration.
 	rewrites []*filtering.RewriteItem
 	// urlFilterID is the synthetic integer identifier for the urlfilter engine.
 	//
 	// TODO(a.garipov): Change the type to a string in module urlfilter and
 	// remove this crutch.
 	urlFilterID int
 }
 // NewDefaultStorage returns new rewrites storage.  listID is used as an
 // identifier of the underlying rules list.  rewrites must not be nil.
 func NewDefaultStorage(rewrites []*filtering.RewriteItem) (s *DefaultStorage, err error) {
 	s = &DefaultStorage{
 		mu:          &sync.RWMutex{},
 		urlFilterID: filtering.RewritesListID,
 		rewrites:    rewrites,
 	}
 	err = s.resetRules()
 	if err != nil {
 		return nil, err
 	}
 	return s, nil
 }
 // type check
 var _ filtering.RewriteStorage = (*DefaultStorage)(nil)
 // MatchRequest implements the [RewriteStorage] interface for *DefaultStorage.
 func (s *DefaultStorage) MatchRequest(dReq *urlfilter.DNSRequest) (rws []*rules.DNSRewrite) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	rrules := s.rewriteRulesForReq(dReq)
 	if len(rrules) == 0 {
 		return nil
 	}
 	// TODO(a.garipov): Check cnames for cycles on initialization.
 	cnames := stringutil.NewSet()
 	host := dReq.Hostname
 	var lastCNAMERule *rules.NetworkRule
 	for len(rrules) > 0 && rrules[0].DNSRewrite != nil && rrules[0].DNSRewrite.NewCNAME != "" {
 		lastCNAMERule = rrules[0]
 		lastDNSRewrite := lastCNAMERule.DNSRewrite
 		rwAns := lastDNSRewrite.NewCNAME
 		log.Debug("rewrite: cname for %s is %s", host, rwAns)
 		if dReq.Hostname == rwAns {
 			// A request for the hostname itself.
 			// TODO(d.kolyshev): Check rewrite of a pattern onto itself.
 			log.Debug("rewrite: request for hostname itself for %q", dReq.Hostname)
 			return nil
 		}
 		if host == rwAns && isWildcard(lastCNAMERule.RuleText) {
 			// An "*.example.com → sub.example.com" rewrite matching in a loop.
 			//
 			// See https://github.com/AdguardTeam/AdGuardHome/issues/4016.
 			log.Debug("rewrite: cname wildcard loop for %q on %q", dReq.Hostname, rwAns)
 			return []*rules.DNSRewrite{lastDNSRewrite}
 		}
 		if cnames.Has(rwAns) {
 			log.Info("rewrite: cname loop for %q on %q", dReq.Hostname, rwAns)
 			return nil
 		}
 		cnames.Add(rwAns)
 		drules := s.rewriteRulesForReq(&urlfilter.DNSRequest{
 			Hostname: rwAns,
 			DNSType:  dReq.DNSType,
 		})
 		if drules == nil {
 			break
 		}
 		rrules = drules
 		host = rwAns
 	}
 	return s.collectDNSRewrites(rrules, lastCNAMERule, dReq.DNSType)
 }
 // collectDNSRewrites filters DNSRewrite by question type.
 func (s *DefaultStorage) collectDNSRewrites(
 	rewrites []*rules.NetworkRule,
 	cnameRule *rules.NetworkRule,
 	qtyp uint16,
 ) (rws []*rules.DNSRewrite) {
 	if cnameRule != nil {
 		rewrites = append([]*rules.NetworkRule{cnameRule}, rewrites...)
 	}
 	for _, rewrite := range rewrites {
 		dnsRewrite := rewrite.DNSRewrite
 		if matchesQType(dnsRewrite, qtyp) {
 			rws = append(rws, dnsRewrite)
 		}
 	}
 	return rws
 }
 // rewriteRulesForReq returns matching dnsrewrite rules.
 func (s *DefaultStorage) rewriteRulesForReq(dReq *urlfilter.DNSRequest) (rules []*rules.NetworkRule) {
 	res, _ := s.engine.MatchRequest(dReq)
 	return res.DNSRewrites()
 }
 // Add implements the [RewriteStorage] interface for *DefaultStorage.
 func (s *DefaultStorage) Add(item *filtering.RewriteItem) (err error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// TODO(d.kolyshev): Handle duplicate items.
 	s.rewrites = append(s.rewrites, item)
 	return s.resetRules()
 }
 // Remove implements the [RewriteStorage] interface for *DefaultStorage.
 func (s *DefaultStorage) Remove(item *filtering.RewriteItem) (err error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	arr := []*filtering.RewriteItem{}
 	// TODO(d.kolyshev): Use slices.IndexFunc + slices.Delete?
 	for _, ent := range s.rewrites {
 		if ent.Equal(item) {
 			log.Debug("rewrite: removed element: %s -> %s", ent.Domain, ent.Answer)
 			continue
 		}
 		arr = append(arr, ent)
 	}
 	s.rewrites = arr
 	return s.resetRules()
 }
 // List implements the [RewriteStorage] interface for *DefaultStorage.
 func (s *DefaultStorage) List() (items []*filtering.RewriteItem) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	return slices.Clone(s.rewrites)
 }
 // resetRules resets the filtering rules.
 func (s *DefaultStorage) resetRules() (err error) {
 	// TODO(a.garipov): Use strings.Builder.
 	var rulesText []string
 	for _, rewrite := range s.rewrites {
 		rulesText = append(rulesText, toRule(rewrite))
 	}
 	strList := &filterlist.StringRuleList{
 		ID:             s.urlFilterID,
 		RulesText:      strings.Join(rulesText, "\n"),
 		IgnoreCosmetic: true,
 	}
 	rs, err := filterlist.NewRuleStorage([]filterlist.RuleList{strList})
 	if err != nil {
 		return fmt.Errorf("creating list storage: %w", err)
 	}
 	s.ruleList = strList
 	s.engine = urlfilter.NewDNSEngine(rs)
 	log.Info("rewrite: filter %d: reset %d rules", s.urlFilterID, s.engine.RulesCount)
 	return nil
 }
 // matchesQType returns true if dnsrewrite matches the question type qt.
 func matchesQType(dnsrr *rules.DNSRewrite, qt uint16) (ok bool) {
 	switch qt {
 	case dns.TypeA:
 		return dnsrr.RRType != dns.TypeAAAA
 	case dns.TypeAAAA:
 		return dnsrr.RRType != dns.TypeA
 	default:
 		return true
 	}
 }
 // isWildcard returns true if pat is a wildcard domain pattern.
 func isWildcard(pat string) (res bool) {
 	return strings.HasPrefix(pat, "|*.")
 }
 // toRule converts rw to a filter rule.
 func toRule(rw *filtering.RewriteItem) (res string) {
 	if rw == nil {
 		return ""
 	}
 	domain := strings.ToLower(rw.Domain)
 	dType, exception := rewriteParams(rw)
 	dTypeKey := dns.TypeToString[dType]
 	if exception {
 		return fmt.Sprintf("@@||%s^$dnstype=%s,dnsrewrite", domain, dTypeKey)
 	}
 	return fmt.Sprintf("|%s^$dnsrewrite=NOERROR;%s;%s", domain, dTypeKey, rw.Answer)
 }
 // RewriteParams returns dns request type and exception flag for rw.
 func rewriteParams(rw *filtering.RewriteItem) (dType uint16, exception bool) {
 	switch rw.Answer {
 	case "AAAA":
 		return dns.TypeAAAA, true
 	case "A":
 		return dns.TypeA, true
 	default:
 		// Go on.
 	}
 	addr, err := netip.ParseAddr(rw.Answer)
 	if err != nil {
 		// TODO(d.kolyshev): Validate rw.Answer as a domain name.
 		return dns.TypeCNAME, false
 	}
 	if addr.Is4() {
 		dType = dns.TypeA
 	} else {
 		dType = dns.TypeAAAA
 	}
 	return dType, false
 }
--- a/internal/filtering/rewrite/storage_test.go
+++ b/internal/filtering/rewrite/storage_test.go
@@ -1,647 +0,0 @@
 package rewrite
 import (
 	"net"
 	"testing"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestNewDefaultStorage(t *testing.T) {
 	items := []*filtering.RewriteItem{{
 		Domain: "example.com",
 		Answer: "answer.com",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	require.Len(t, s.List(), 1)
 }
 func TestDefaultStorage_CRUD(t *testing.T) {
 	var items []*filtering.RewriteItem
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	require.Len(t, s.List(), 0)
 	item := &filtering.RewriteItem{Domain: "example.com", Answer: "answer.com"}
 	err = s.Add(item)
 	require.NoError(t, err)
 	list := s.List()
 	require.Len(t, list, 1)
 	require.True(t, item.Equal(list[0]))
 	err = s.Remove(item)
 	require.NoError(t, err)
 	require.Len(t, s.List(), 0)
 }
 func TestDefaultStorage_MatchRequest(t *testing.T) {
 	items := []*filtering.RewriteItem{{
 		// This one and below are about CNAME, A and AAAA.
 		Domain: "somecname",
 		Answer: "somehost.com",
 	}, {
 		Domain: "somehost.com",
 		Answer: "0.0.0.0",
 	}, {
 		Domain: "host.com",
 		Answer: "1.2.3.4",
 	}, {
 		Domain: "host.com",
 		Answer: "1.2.3.5",
 	}, {
 		Domain: "host.com",
 		Answer: "1:2:3::4",
 	}, {
 		Domain: "www.host.com",
 		Answer: "host.com",
 	}, {
 		// This one is a wildcard.
 		Domain: "*.host.com",
 		Answer: "1.2.3.5",
 	}, {
 		// This one and below are about wildcard overriding.
 		Domain: "a.host.com",
 		Answer: "1.2.3.4",
 	}, {
 		// This one is about CNAME and wildcard interacting.
 		Domain: "*.host2.com",
 		Answer: "host.com",
 	}, {
 		// This one and below are about 2 level CNAME.
 		Domain: "b.host.com",
 		Answer: "somecname",
 	}, {
 		// This one and below are about 2 level CNAME and wildcard.
 		Domain: "b.host3.com",
 		Answer: "a.host3.com",
 	}, {
 		Domain: "a.host3.com",
 		Answer: "x.host.com",
 	}, {
 		Domain: "*.hostboth.com",
 		Answer: "1.2.3.6",
 	}, {
 		Domain: "*.hostboth.com",
 		Answer: "1234::5678",
 	}, {
 		Domain: "BIGHOST.COM",
 		Answer: "1.2.3.7",
 	}, {
 		Domain: "*.issue4016.com",
 		Answer: "sub.issue4016.com",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	testCases := []struct {
 		name            string
 		host            string
 		wantDNSRewrites []*rules.DNSRewrite
 		dtyp            uint16
 	}{{
 		name:            "not_filtered_not_found",
 		host:            "hoost.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}, {
 		name: "other_qtype",
 		host: "www.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "host.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 2, 3, 4}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.ParseIP("1:2:3::4"),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeAAAA,
 		}},
 		dtyp: dns.TypeMX,
 	}, {
 		name: "rewritten_a",
 		host: "www.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "host.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 2, 3, 4}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "rewritten_aaaa",
 		host: "www.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "host.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.ParseIP("1:2:3::4"),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeAAAA,
 		}},
 		dtyp: dns.TypeAAAA,
 	}, {
 		name: "wildcard_match",
 		host: "abc.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "wildcard_override",
 		host: "a.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{1, 2, 3, 4}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "wildcard_cname_interaction",
 		host: "www.host2.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "host.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 2, 3, 4}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "two_cnames",
 		host: "b.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "somehost.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{0, 0, 0, 0}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "two_cnames_and_wildcard",
 		host: "b.host3.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "x.host.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 2, 3, 5}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "issue3343",
 		host: "www.hostboth.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.ParseIP("1234::5678"),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeAAAA,
 		}},
 		dtyp: dns.TypeAAAA,
 	}, {
 		name: "issue3351",
 		host: "bighost.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{1, 2, 3, 7}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "issue4008",
 		host: "somehost.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{0, 0, 0, 0}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeHTTPS,
 	}, {
 		name: "issue4016",
 		host: "www.issue4016.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "sub.issue4016.com",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name:            "issue4016_self",
 		host:            "sub.issue4016.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
 				Hostname: tc.host,
 				DNSType:  tc.dtyp,
 			})
 			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
 		})
 	}
 }
 func TestDefaultStorage_MatchRequest_Levels(t *testing.T) {
 	// Exact host, wildcard L2, wildcard L3.
 	items := []*filtering.RewriteItem{{
 		Domain: "host.com",
 		Answer: "1.1.1.1",
 	}, {
 		Domain: "*.host.com",
 		Answer: "2.2.2.2",
 	}, {
 		Domain: "*.sub.host.com",
 		Answer: "3.3.3.3",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	testCases := []struct {
 		name            string
 		host            string
 		wantDNSRewrites []*rules.DNSRewrite
 		dtyp            uint16
 	}{{
 		name: "exact_match",
 		host: "host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{1, 1, 1, 1}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "l2_match",
 		host: "sub.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{2, 2, 2, 2}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "l3_match",
 		host: "my.sub.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{3, 3, 3, 3}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}, {
 			Value:    net.IP{2, 2, 2, 2}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
 				Hostname: tc.host,
 				DNSType:  tc.dtyp,
 			})
 			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
 		})
 	}
 }
 func TestDefaultStorage_MatchRequest_ExceptionCNAME(t *testing.T) {
 	// Wildcard and exception for a sub-domain.
 	items := []*filtering.RewriteItem{{
 		Domain: "*.host.com",
 		Answer: "2.2.2.2",
 	}, {
 		Domain: "sub.host.com",
 		Answer: "sub.host.com",
 	}, {
 		Domain: "*.sub.host.com",
 		Answer: "sub.host.com",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	testCases := []struct {
 		name            string
 		host            string
 		wantDNSRewrites []*rules.DNSRewrite
 		dtyp            uint16
 	}{{
 		name: "match_subdomain",
 		host: "my.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{2, 2, 2, 2}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name:            "exception_cname",
 		host:            "sub.host.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}, {
 		name:            "exception_wildcard",
 		host:            "my.sub.host.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
 				Hostname: tc.host,
 				DNSType:  tc.dtyp,
 			})
 			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
 		})
 	}
 }
 func TestDefaultStorage_MatchRequest_CNAMEs(t *testing.T) {
 	// Two cname rules for one subdomain
 	items := []*filtering.RewriteItem{{
 		Domain: "cname.org",
 		Answer: "1.1.1.1",
 	}, {
 		Domain: "sub_cname.org",
 		Answer: "2.2.2.2",
 	}, {
 		Domain: "*.host.com",
 		Answer: "cname.org",
 	}, {
 		Domain: "*.sub.host.com",
 		Answer: "sub_cname.org",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	testCases := []struct {
 		name            string
 		host            string
 		wantDNSRewrites []*rules.DNSRewrite
 		dtyp            uint16
 	}{{
 		name: "match_my_domain",
 		host: "my.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "cname.org",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 1, 1, 1}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "match_sub_my_domain",
 		host: "my.sub.host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    nil,
 			NewCNAME: "cname.org",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeNone,
 		}, {
 			Value:    net.IP{1, 1, 1, 1}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
 				Hostname: tc.host,
 				DNSType:  tc.dtyp,
 			})
 			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
 		})
 	}
 }
 func TestDefaultStorage_MatchRequest_ExceptionIP(t *testing.T) {
 	// Exception for AAAA record.
 	items := []*filtering.RewriteItem{{
 		Domain: "host.com",
 		Answer: "1.2.3.4",
 	}, {
 		Domain: "host.com",
 		Answer: "AAAA",
 	}, {
 		Domain: "host2.com",
 		Answer: "::1",
 	}, {
 		Domain: "host2.com",
 		Answer: "A",
 	}, {
 		Domain: "host3.com",
 		Answer: "A",
 	}}
 	s, err := NewDefaultStorage(items)
 	require.NoError(t, err)
 	testCases := []struct {
 		name            string
 		host            string
 		wantDNSRewrites []*rules.DNSRewrite
 		dtyp            uint16
 	}{{
 		name: "match_A",
 		host: "host.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.IP{1, 2, 3, 4}.To16(),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeA,
 		}},
 		dtyp: dns.TypeA,
 	}, {
 		name:            "exception_AAAA_host.com",
 		host:            "host.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeAAAA,
 	}, {
 		name:            "exception_A_host2.com",
 		host:            "host2.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}, {
 		name: "match_AAAA_host2.com",
 		host: "host2.com",
 		wantDNSRewrites: []*rules.DNSRewrite{{
 			Value:    net.ParseIP("::1"),
 			NewCNAME: "",
 			RCode:    dns.RcodeSuccess,
 			RRType:   dns.TypeAAAA,
 		}},
 		dtyp: dns.TypeAAAA,
 	}, {
 		name:            "exception_A_host3.com",
 		host:            "host3.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeA,
 	}, {
 		name:            "match_AAAA_host3.com",
 		host:            "host3.com",
 		wantDNSRewrites: nil,
 		dtyp:            dns.TypeAAAA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			dnsRewrites := s.MatchRequest(&urlfilter.DNSRequest{
 				Hostname: tc.host,
 				DNSType:  tc.dtyp,
 			})
 			assert.Equal(t, tc.wantDNSRewrites, dnsRewrites)
 		})
 	}
 }
 func TestToRule(t *testing.T) {
 	const testDomain = "example.org"
 	testCases := []struct {
 		name string
 		item *filtering.RewriteItem
 		want string
 	}{{
 		name: "nil",
 		item: nil,
 		want: "",
 	}, {
 		name: "a_rule",
 		item: &filtering.RewriteItem{
 			Domain: testDomain,
 			Answer: "1.1.1.1",
 		},
 		want: "|example.org^$dnsrewrite=NOERROR;A;1.1.1.1",
 	}, {
 		name: "aaaa_rule",
 		item: &filtering.RewriteItem{
 			Domain: testDomain,
 			Answer: "1:2:3::4",
 		},
 		want: "|example.org^$dnsrewrite=NOERROR;AAAA;1:2:3::4",
 	}, {
 		name: "cname_rule",
 		item: &filtering.RewriteItem{
 			Domain: testDomain,
 			Answer: "other.org",
 		},
 		want: "|example.org^$dnsrewrite=NOERROR;CNAME;other.org",
 	}, {
 		name: "wildcard_rule",
 		item: &filtering.RewriteItem{
 			Domain: "*.example.org",
 			Answer: "other.org",
 		},
 		want: "|*.example.org^$dnsrewrite=NOERROR;CNAME;other.org",
 	}, {
 		name: "aaaa_exception",
 		item: &filtering.RewriteItem{
 			Domain: testDomain,
 			Answer: "A",
 		},
 		want: "@@||example.org^$dnstype=A,dnsrewrite",
 	}, {
 		name: "aaaa_exception",
 		item: &filtering.RewriteItem{
 			Domain: testDomain,
 			Answer: "AAAA",
 		},
 		want: "@@||example.org^$dnstype=AAAA,dnsrewrite",
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			res := toRule(tc.item)
 			assert.Equal(t, tc.want, res)
 		})
 	}
 }
--- a/internal/filtering/rewrite_test.go
+++ b/internal/filtering/rewrite_test.go
@@ -1,61 +0,0 @@
 package filtering
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestItem_equal(t *testing.T) {
 	const (
 		testDomain = "example.org"
 		testAnswer = "1.1.1.1"
 	)
 	testItem := &RewriteItem{
 		Domain: testDomain,
 		Answer: testAnswer,
 	}
 	testCases := []struct {
 		name  string
 		left  *RewriteItem
 		right *RewriteItem
 		want  bool
 	}{{
 		name:  "nil_left",
 		left:  nil,
 		right: testItem,
 		want:  false,
 	}, {
 		name:  "nil_right",
 		left:  testItem,
 		right: nil,
 		want:  false,
 	}, {
 		name:  "nils",
 		left:  nil,
 		right: nil,
 		want:  true,
 	}, {
 		name:  "equal",
 		left:  testItem,
 		right: testItem,
 		want:  true,
 	}, {
 		name: "distinct",
 		left: testItem,
 		right: &RewriteItem{
 			Domain: "other",
 			Answer: "other",
 		},
 		want: false,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			res := tc.left.Equal(tc.right)
 			assert.Equal(t, tc.want, res)
 		})
 	}
 }
--- a/internal/filtering/rewritehttp.go
+++ b/internal/filtering/rewritehttp.go
@@ -1,65 +0,0 @@
 package filtering
 import (
 	"encoding/json"
 	"net/http"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/log"
 )
 // handleRewriteList is the handler for the GET /control/rewrite/list HTTP API.
 func (d *DNSFilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
 	_ = aghhttp.WriteJSONResponse(w, r, d.rewriteStorage.List())
 }
 // handleRewriteAdd is the handler for the POST /control/rewrite/add HTTP API.
 func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
 	rw := &RewriteItem{}
 	err := json.NewDecoder(r.Body).Decode(rw)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
 		return
 	}
 	err = d.rewriteStorage.Add(rw)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "add rewrite: %s", err)
 		return
 	}
 	log.Debug("rewrite: added element: %s -> %s", rw.Domain, rw.Answer)
 	d.confLock.Lock()
 	d.Config.Rewrites = d.rewriteStorage.List()
 	d.confLock.Unlock()
 	d.Config.ConfigModified()
 }
 // handleRewriteDelete is the handler for the POST /control/rewrite/delete HTTP
 // API.
 func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
 	entDel := RewriteItem{}
 	err := json.NewDecoder(r.Body).Decode(&entDel)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
 		return
 	}
 	err = d.rewriteStorage.Remove(&entDel)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "remove rewrite: %s", err)
 		return
 	}
 	d.confLock.Lock()
 	d.Config.Rewrites = d.rewriteStorage.List()
 	d.confLock.Unlock()
 	d.Config.ConfigModified()
 }
--- a/internal/filtering/rewrites.go
+++ b/internal/filtering/rewrites.go
@@ -0,0 +1,306 @@
 // DNS Rewrites
 package filtering
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
 	"sort"
 	"strings"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
 	"golang.org/x/exp/slices"
 )
 // LegacyRewrite is a single legacy DNS rewrite record.
 //
 // Instances of *LegacyRewrite must never be nil.
 type LegacyRewrite struct {
 	// Domain is the domain pattern for which this rewrite should work.
 	Domain string `yaml:"domain"`
 	// Answer is the IP address, canonical name, or one of the special
 	// values: "A" or "AAAA".
 	Answer string `yaml:"answer"`
 	// IP is the IP address that should be used in the response if Type is
 	// dns.TypeA or dns.TypeAAAA.
 	IP net.IP `yaml:"-"`
 	// Type is the DNS record type: A, AAAA, or CNAME.
 	Type uint16 `yaml:"-"`
 }
 // clone returns a deep clone of rw.
 func (rw *LegacyRewrite) clone() (cloneRW *LegacyRewrite) {
 	return &LegacyRewrite{
 		Domain: rw.Domain,
 		Answer: rw.Answer,
 		IP:     slices.Clone(rw.IP),
 		Type:   rw.Type,
 	}
 }
 // equal returns true if the rw is equal to the other.
 func (rw *LegacyRewrite) equal(other *LegacyRewrite) (ok bool) {
 	return rw.Domain == other.Domain && rw.Answer == other.Answer
 }
 // matchesQType returns true if the entry matches the question type qt.
 func (rw *LegacyRewrite) matchesQType(qt uint16) (ok bool) {
 	// Add CNAMEs, since they match for all types requests.
 	if rw.Type == dns.TypeCNAME {
 		return true
 	}
 	// Reject types other than A and AAAA.
 	if qt != dns.TypeA && qt != dns.TypeAAAA {
 		return false
 	}
 	// If the types match or the entry is set to allow only the other type,
 	// include them.
 	return rw.Type == qt || rw.IP == nil
 }
 // normalize makes sure that the a new or decoded entry is normalized with
 // regards to domain name case, IP length, and so on.
 //
 // If rw is nil, it returns an errors.
 func (rw *LegacyRewrite) normalize() (err error) {
 	if rw == nil {
 		return errors.Error("nil rewrite entry")
 	}
 	// TODO(a.garipov): Write a case-agnostic version of strings.HasSuffix and
 	// use it in matchDomainWildcard instead of using strings.ToLower
 	// everywhere.
 	rw.Domain = strings.ToLower(rw.Domain)
 	switch rw.Answer {
 	case "AAAA":
 		rw.IP = nil
 		rw.Type = dns.TypeAAAA
 		return nil
 	case "A":
 		rw.IP = nil
 		rw.Type = dns.TypeA
 		return nil
 	default:
 		// Go on.
 	}
 	ip := net.ParseIP(rw.Answer)
 	if ip == nil {
 		rw.Type = dns.TypeCNAME
 		return nil
 	}
 	ip4 := ip.To4()
 	if ip4 != nil {
 		rw.IP = ip4
 		rw.Type = dns.TypeA
 	} else {
 		rw.IP = ip
 		rw.Type = dns.TypeAAAA
 	}
 	return nil
 }
 // isWildcard returns true if pat is a wildcard domain pattern.
 func isWildcard(pat string) bool {
 	return len(pat) > 1 && pat[0] == '*' && pat[1] == '.'
 }
 // matchDomainWildcard returns true if host matches the wildcard pattern.
 func matchDomainWildcard(host, wildcard string) (ok bool) {
 	return isWildcard(wildcard) && strings.HasSuffix(host, wildcard[1:])
 }
 // rewritesSorted is a slice of legacy rewrites for sorting.
 //
 // The sorting priority:
 //
 //  1. A and AAAA > CNAME
 //  2. wildcard > exact
 //  3. lower level wildcard > higher level wildcard
 //
 // TODO(a.garipov):  Replace with slices.Sort.
 type rewritesSorted []*LegacyRewrite
 // Len implements the sort.Interface interface for rewritesSorted.
 func (a rewritesSorted) Len() (l int) { return len(a) }
 // Swap implements the sort.Interface interface for rewritesSorted.
 func (a rewritesSorted) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 // Less implements the sort.Interface interface for rewritesSorted.
 func (a rewritesSorted) Less(i, j int) (less bool) {
 	ith, jth := a[i], a[j]
 	if ith.Type == dns.TypeCNAME && jth.Type != dns.TypeCNAME {
 		return true
 	} else if ith.Type != dns.TypeCNAME && jth.Type == dns.TypeCNAME {
 		return false
 	}
 	if iw, jw := isWildcard(ith.Domain), isWildcard(jth.Domain); iw != jw {
 		return jw
 	}
 	// Both are either wildcards or not.
 	return len(ith.Domain) > len(jth.Domain)
 }
 // prepareRewrites normalizes and validates all legacy DNS rewrites.
 func (d *DNSFilter) prepareRewrites() (err error) {
 	for i, r := range d.Rewrites {
 		err = r.normalize()
 		if err != nil {
 			return fmt.Errorf("at index %d: %w", i, err)
 		}
 	}
 	return nil
 }
 // findRewrites returns the list of matched rewrite entries.  If rewrites are
 // empty, but matched is true, the domain is found among the rewrite rules but
 // not for this question type.
 //
 // The result priority is: CNAME, then A and AAAA; exact, then wildcard.  If the
 // host is matched exactly, wildcard entries aren't returned.  If the host
 // matched by wildcards, return the most specific for the question type.
 func findRewrites(
 	entries []*LegacyRewrite,
 	host string,
 	qtype uint16,
 ) (rewrites []*LegacyRewrite, matched bool) {
 	for _, e := range entries {
 		if e.Domain != host && !matchDomainWildcard(host, e.Domain) {
 			continue
 		}
 		matched = true
 		if e.matchesQType(qtype) {
 			rewrites = append(rewrites, e)
 		}
 	}
 	if len(rewrites) == 0 {
 		return nil, matched
 	}
 	sort.Sort(rewritesSorted(rewrites))
 	for i, r := range rewrites {
 		if isWildcard(r.Domain) {
 			// Don't use rewrites[:0], because we need to return at least one
 			// item here.
 			rewrites = rewrites[:max(1, i)]
 			break
 		}
 	}
 	return rewrites, matched
 }
 func max(a, b int) int {
 	if a > b {
 		return a
 	}
 	return b
 }
 type rewriteEntryJSON struct {
 	Domain string `json:"domain"`
 	Answer string `json:"answer"`
 }
 func (d *DNSFilter) handleRewriteList(w http.ResponseWriter, r *http.Request) {
 	arr := []*rewriteEntryJSON{}
 	d.confLock.Lock()
 	for _, ent := range d.Config.Rewrites {
 		jsent := rewriteEntryJSON{
 			Domain: ent.Domain,
 			Answer: ent.Answer,
 		}
 		arr = append(arr, &jsent)
 	}
 	d.confLock.Unlock()
 	_ = aghhttp.WriteJSONResponse(w, r, arr)
 }
 func (d *DNSFilter) handleRewriteAdd(w http.ResponseWriter, r *http.Request) {
 	rwJSON := rewriteEntryJSON{}
 	err := json.NewDecoder(r.Body).Decode(&rwJSON)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
 		return
 	}
 	rw := &LegacyRewrite{
 		Domain: rwJSON.Domain,
 		Answer: rwJSON.Answer,
 	}
 	err = rw.normalize()
 	if err != nil {
 		// Shouldn't happen currently, since normalize only returns a non-nil
 		// error when a rewrite is nil, but be change-proof.
 		aghhttp.Error(r, w, http.StatusBadRequest, "normalizing: %s", err)
 		return
 	}
 	d.confLock.Lock()
 	d.Config.Rewrites = append(d.Config.Rewrites, rw)
 	d.confLock.Unlock()
 	log.Debug("rewrite: added element: %s -> %s [%d]", rw.Domain, rw.Answer, len(d.Config.Rewrites))
 	d.Config.ConfigModified()
 }
 func (d *DNSFilter) handleRewriteDelete(w http.ResponseWriter, r *http.Request) {
 	jsent := rewriteEntryJSON{}
 	err := json.NewDecoder(r.Body).Decode(&jsent)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "json.Decode: %s", err)
 		return
 	}
 	entDel := &LegacyRewrite{
 		Domain: jsent.Domain,
 		Answer: jsent.Answer,
 	}
 	arr := []*LegacyRewrite{}
 	d.confLock.Lock()
 	for _, ent := range d.Config.Rewrites {
 		if ent.equal(entDel) {
 			log.Debug("rewrite: removed element: %s -> %s", ent.Domain, ent.Answer)
 			continue
 		}
 		arr = append(arr, ent)
 	}
 	d.Config.Rewrites = arr
 	d.confLock.Unlock()
 	d.Config.ConfigModified()
 }
--- a/internal/filtering/rewrites_test.go
+++ b/internal/filtering/rewrites_test.go
@@ -0,0 +1,371 @@
 package filtering
 import (
 	"net"
 	"testing"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TODO(e.burkov): All the tests in this file may and should me merged together.
 func TestRewrites(t *testing.T) {
 	d, _ := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	d.Rewrites = []*LegacyRewrite{{
 		// This one and below are about CNAME, A and AAAA.
 		Domain: "somecname",
 		Answer: "somehost.com",
 	}, {
 		Domain: "somehost.com",
 		Answer: "0.0.0.0",
 	}, {
 		Domain: "host.com",
 		Answer: "1.2.3.4",
 	}, {
 		Domain: "host.com",
 		Answer: "1.2.3.5",
 	}, {
 		Domain: "host.com",
 		Answer: "1:2:3::4",
 	}, {
 		Domain: "www.host.com",
 		Answer: "host.com",
 	}, {
 		// This one is a wildcard.
 		Domain: "*.host.com",
 		Answer: "1.2.3.5",
 	}, {
 		// This one and below are about wildcard overriding.
 		Domain: "a.host.com",
 		Answer: "1.2.3.4",
 	}, {
 		// This one is about CNAME and wildcard interacting.
 		Domain: "*.host2.com",
 		Answer: "host.com",
 	}, {
 		// This one and below are about 2 level CNAME.
 		Domain: "b.host.com",
 		Answer: "somecname",
 	}, {
 		// This one and below are about 2 level CNAME and wildcard.
 		Domain: "b.host3.com",
 		Answer: "a.host3.com",
 	}, {
 		Domain: "a.host3.com",
 		Answer: "x.host.com",
 	}, {
 		Domain: "*.hostboth.com",
 		Answer: "1.2.3.6",
 	}, {
 		Domain: "*.hostboth.com",
 		Answer: "1234::5678",
 	}, {
 		Domain: "BIGHOST.COM",
 		Answer: "1.2.3.7",
 	}, {
 		Domain: "*.issue4016.com",
 		Answer: "sub.issue4016.com",
 	}}
 	require.NoError(t, d.prepareRewrites())
 	testCases := []struct {
 		name       string
 		host       string
 		wantCName  string
 		wantIPs    []net.IP
 		wantReason Reason
 		dtyp       uint16
 	}{{
 		name:       "not_filtered_not_found",
 		host:       "hoost.com",
 		wantCName:  "",
 		wantIPs:    nil,
 		wantReason: NotFilteredNotFound,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "rewritten_a",
 		host:       "www.host.com",
 		wantCName:  "host.com",
 		wantIPs:    []net.IP{{1, 2, 3, 4}, {1, 2, 3, 5}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "rewritten_aaaa",
 		host:       "www.host.com",
 		wantCName:  "host.com",
 		wantIPs:    []net.IP{net.ParseIP("1:2:3::4")},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeAAAA,
 	}, {
 		name:       "wildcard_match",
 		host:       "abc.host.com",
 		wantCName:  "",
 		wantIPs:    []net.IP{{1, 2, 3, 5}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "wildcard_override",
 		host:       "a.host.com",
 		wantCName:  "",
 		wantIPs:    []net.IP{{1, 2, 3, 4}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "wildcard_cname_interaction",
 		host:       "www.host2.com",
 		wantCName:  "host.com",
 		wantIPs:    []net.IP{{1, 2, 3, 4}, {1, 2, 3, 5}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "two_cnames",
 		host:       "b.host.com",
 		wantCName:  "somehost.com",
 		wantIPs:    []net.IP{{0, 0, 0, 0}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "two_cnames_and_wildcard",
 		host:       "b.host3.com",
 		wantCName:  "x.host.com",
 		wantIPs:    []net.IP{{1, 2, 3, 5}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "issue3343",
 		host:       "www.hostboth.com",
 		wantCName:  "",
 		wantIPs:    []net.IP{net.ParseIP("1234::5678")},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeAAAA,
 	}, {
 		name:       "issue3351",
 		host:       "bighost.com",
 		wantCName:  "",
 		wantIPs:    []net.IP{{1, 2, 3, 7}},
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "issue4008",
 		host:       "somehost.com",
 		wantCName:  "",
 		wantIPs:    nil,
 		wantReason: Rewritten,
 		dtyp:       dns.TypeHTTPS,
 	}, {
 		name:       "issue4016",
 		host:       "www.issue4016.com",
 		wantCName:  "sub.issue4016.com",
 		wantIPs:    nil,
 		wantReason: Rewritten,
 		dtyp:       dns.TypeA,
 	}, {
 		name:       "issue4016_self",
 		host:       "sub.issue4016.com",
 		wantCName:  "",
 		wantIPs:    nil,
 		wantReason: NotFilteredNotFound,
 		dtyp:       dns.TypeA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			r := d.processRewrites(tc.host, tc.dtyp)
 			require.Equalf(t, tc.wantReason, r.Reason, "got %s", r.Reason)
 			if tc.wantCName != "" {
 				assert.Equal(t, tc.wantCName, r.CanonName)
 			}
 			assert.Equal(t, tc.wantIPs, r.IPList)
 		})
 	}
 }
 func TestRewritesLevels(t *testing.T) {
 	d, _ := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Exact host, wildcard L2, wildcard L3.
 	d.Rewrites = []*LegacyRewrite{{
 		Domain: "host.com",
 		Answer: "1.1.1.1",
 		Type:   dns.TypeA,
 	}, {
 		Domain: "*.host.com",
 		Answer: "2.2.2.2",
 		Type:   dns.TypeA,
 	}, {
 		Domain: "*.sub.host.com",
 		Answer: "3.3.3.3",
 		Type:   dns.TypeA,
 	}}
 	require.NoError(t, d.prepareRewrites())
 	testCases := []struct {
 		name string
 		host string
 		want net.IP
 	}{{
 		name: "exact_match",
 		host: "host.com",
 		want: net.IP{1, 1, 1, 1},
 	}, {
 		name: "l2_match",
 		host: "sub.host.com",
 		want: net.IP{2, 2, 2, 2},
 	}, {
 		name: "l3_match",
 		host: "my.sub.host.com",
 		want: net.IP{3, 3, 3, 3},
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			r := d.processRewrites(tc.host, dns.TypeA)
 			assert.Equal(t, Rewritten, r.Reason)
 			require.Len(t, r.IPList, 1)
 		})
 	}
 }
 func TestRewritesExceptionCNAME(t *testing.T) {
 	d, _ := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Wildcard and exception for a sub-domain.
 	d.Rewrites = []*LegacyRewrite{{
 		Domain: "*.host.com",
 		Answer: "2.2.2.2",
 	}, {
 		Domain: "sub.host.com",
 		Answer: "sub.host.com",
 	}, {
 		Domain: "*.sub.host.com",
 		Answer: "*.sub.host.com",
 	}}
 	require.NoError(t, d.prepareRewrites())
 	testCases := []struct {
 		name string
 		host string
 		want net.IP
 	}{{
 		name: "match_subdomain",
 		host: "my.host.com",
 		want: net.IP{2, 2, 2, 2},
 	}, {
 		name: "exception_cname",
 		host: "sub.host.com",
 		want: nil,
 	}, {
 		name: "exception_wildcard",
 		host: "my.sub.host.com",
 		want: nil,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			r := d.processRewrites(tc.host, dns.TypeA)
 			if tc.want == nil {
 				assert.Equal(t, NotFilteredNotFound, r.Reason, "got %s", r.Reason)
 				return
 			}
 			assert.Equal(t, Rewritten, r.Reason)
 			require.Len(t, r.IPList, 1)
 			assert.True(t, tc.want.Equal(r.IPList[0]))
 		})
 	}
 }
 func TestRewritesExceptionIP(t *testing.T) {
 	d, _ := newForTest(t, nil, nil)
 	t.Cleanup(d.Close)
 	// Exception for AAAA record.
 	d.Rewrites = []*LegacyRewrite{{
 		Domain: "host.com",
 		Answer: "1.2.3.4",
 		Type:   dns.TypeA,
 	}, {
 		Domain: "host.com",
 		Answer: "AAAA",
 		Type:   dns.TypeAAAA,
 	}, {
 		Domain: "host2.com",
 		Answer: "::1",
 		Type:   dns.TypeAAAA,
 	}, {
 		Domain: "host2.com",
 		Answer: "A",
 		Type:   dns.TypeA,
 	}, {
 		Domain: "host3.com",
 		Answer: "A",
 		Type:   dns.TypeA,
 	}}
 	require.NoError(t, d.prepareRewrites())
 	testCases := []struct {
 		name string
 		host string
 		want []net.IP
 		dtyp uint16
 	}{{
 		name: "match_A",
 		host: "host.com",
 		want: []net.IP{{1, 2, 3, 4}},
 		dtyp: dns.TypeA,
 	}, {
 		name: "exception_AAAA_host.com",
 		host: "host.com",
 		want: nil,
 		dtyp: dns.TypeAAAA,
 	}, {
 		name: "exception_A_host2.com",
 		host: "host2.com",
 		want: nil,
 		dtyp: dns.TypeA,
 	}, {
 		name: "match_AAAA_host2.com",
 		host: "host2.com",
 		want: []net.IP{net.ParseIP("::1")},
 		dtyp: dns.TypeAAAA,
 	}, {
 		name: "exception_A_host3.com",
 		host: "host3.com",
 		want: nil,
 		dtyp: dns.TypeA,
 	}, {
 		name: "match_AAAA_host3.com",
 		host: "host3.com",
 		want: []net.IP{},
 		dtyp: dns.TypeAAAA,
 	}}
 	for _, tc := range testCases {
 		t.Run(tc.name+"_"+tc.host, func(t *testing.T) {
 			r := d.processRewrites(tc.host, tc.dtyp)
 			if tc.want == nil {
 				assert.Equal(t, NotFilteredNotFound, r.Reason)
 				return
 			}
 			assert.Equalf(t, Rewritten, r.Reason, "got %s", r.Reason)
 			require.Len(t, r.IPList, len(tc.want))
 			for _, ip := range tc.want {
 				assert.True(t, ip.Equal(r.IPList[0]))
 			}
 		})
 	}
 }
--- a/internal/filtering/servicelist.go
+++ b/internal/filtering/servicelist.go
@@ -246,111 +246,6 @@ var blockedServices = []blockedService{{
 	Rules: []string{
 		"||mail.ru^",
 	},
 }, {
 	ID:      "mastodon",
 	Name:    "Mastodon",
 	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 512 512\"><path d=\"M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48 0 0 0-63.72 28.5-63.72 125.7 0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54 0 0 1-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z\"/></svg>"),
 	Rules: []string{
 		"||aus.social^",
 		"||awscommunity.social^",
 		"||dresden.network^",
 		"||fedibird.com^",
 		"||fosstodon.org^",
 		"||glasgow.social^",
 		"||h4.io^",
 		"||hachyderm.io^",
 		"||hessen.social^",
 		"||home.social^",
 		"||hostux.social^",
 		"||ieji.de^",
 		"||indieweb.social^",
 		"||infosec.exchange^",
 		"||ioc.exchange^",
 		"||kolektiva.social^",
 		"||livellosegreto.it^",
 		"||lor.sh^",
 		"||m.cmx.im^",
 		"||mas.to^",
 		"||masto.ai^",
 		"||masto.es^",
 		"||masto.nobigtech.es^",
 		"||masto.pt^",
 		"||mastodon.au^",
 		"||mastodon.bida.im^",
 		"||mastodon.com.tr^",
 		"||mastodon.eus^",
 		"||mastodon.ie^",
 		"||mastodon.iriseden.eu^",
 		"||mastodon.lol^",
 		"||mastodon.nl^",
 		"||mastodon.nu^",
 		"||mastodon.nz^",
 		"||mastodon.online^",
 		"||mastodon.online^",
 		"||mastodon.scot^",
 		"||mastodon.sdf.org^",
 		"||mastodon.social^",
 		"||mastodon.social^",
 		"||mastodon.top^",
 		"||mastodon.uno^",
 		"||mastodon.world^",
 		"||mastodon.zaclys.com^",
 		"||mastodonapp.uk^",
 		"||mastodont.cat^",
 		"||mastodontech.de^",
 		"||mastodontti.fi^",
 		"||mastouille.fr^",
 		"||mathstodon.xyz^",
 		"||meow.social^",
 		"||metalhead.club^",
 		"||mindly.social^",
 		"||mstdn.ca^",
 		"||mstdn.jp^",
 		"||mstdn.party^",
 		"||mstdn.social^",
 		"||muenchen.social^",
 		"||muenster.im^",
 		"||newsie.social^",
 		"||noc.social^",
 		"||norden.social^",
 		"||nrw.social^",
 		"||o3o.ca^",
 		"||ohai.social^",
 		"||pewtix.com^",
 		"||phpc.social^",
 		"||piaille.fr^",
 		"||pol.social^",
 		"||qdon.space^",
 		"||ravenation.club^",
 		"||rollenspiel.social^",
 		"||ruby.social^",
 		"||ruhr.social^",
 		"||sfba.social^",
 		"||socel.net^",
 		"||social.anoxinon.de^",
 		"||social.cologne^",
 		"||social.dev-wiki.de^",
 		"||social.linux.pizza^",
 		"||social.politicaconciencia.org^",
 		"||social.vivaldi.net^",
 		"||sself.co^",
 		"||sueden.social^",
 		"||tech.lgbt^",
 		"||techhub.social^",
 		"||theblower.au^",
 		"||tkz.one^",
 		"||todon.eu^",
 		"||toot.aquilenet.fr^",
 		"||toot.community^",
 		"||toot.funami.tech^",
 		"||toot.wales^",
 		"||troet.cafe^",
 		"||twingyeo.kr^",
 		"||union.place^",
 		"||universeodon.com^",
 		"||urbanists.social^",
 		"||wxw.moe^",
 	},
 }, {
 	ID:      "minecraft",
 	Name:    "Minecraft",
@@ -540,7 +435,6 @@ var blockedServices = []blockedService{{
 	Name:    "Twitter",
 	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 24 24\"><path d=\"M22.398 5.55a8.583 8.583 0 0 1-2.449.673 4.252 4.252 0 0 0 1.875-2.364 8.66 8.66 0 0 1-2.71 1.04A4.251 4.251 0 0 0 16 3.546a4.27 4.27 0 0 0-4.266 4.27c0 .335.036.66.11.972a12.126 12.126 0 0 1-8.797-4.46 4.259 4.259 0 0 0-.578 2.148c0 1.48.754 2.785 1.898 3.55a4.273 4.273 0 0 1-1.933-.535v.055a4.27 4.27 0 0 0 3.425 4.183c-.359.098-.734.149-1.125.149-.273 0-.543-.027-.804-.074a4.276 4.276 0 0 0 3.988 2.965 8.562 8.562 0 0 1-5.3 1.824 8.82 8.82 0 0 1-1.02-.059 12.088 12.088 0 0 0 6.543 1.918c7.851 0 12.14-6.504 12.14-12.144 0-.184-.004-.368-.011-.551a8.599 8.599 0 0 0 2.128-2.207zm0 0\" /></svg>"),
 	Rules: []string{
 		"||pscp.tv^",
 		"||t.co^",
 		"||twimg.com^",
 		"||twitter.com^",
--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -20,6 +20,7 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/google/renameio/maybe"
 	"golang.org/x/exp/slices"
 	yaml "gopkg.in/yaml.v3"
 )
@@ -113,8 +114,8 @@ type configuration struct {
 	// An active session is automatically refreshed once a day.
 	WebSessionTTLHours uint32 `yaml:"web_session_ttl"`
-	DNS dnsConfig         `yaml:"dns"`
+	DNS dnsConfig        `yaml:"dns"`
-	TLS tlsConfigSettings `yaml:"tls"`
+	TLS tlsConfiguration `yaml:"tls"`
 	// Filters reflects the filters from [filtering.Config].  It's cloned to the
 	// config used in the filtering module at the startup.  Afterwards it's
@@ -199,7 +200,8 @@ type dnsConfig struct {
 	UseHTTP3Upstreams bool `yaml:"use_http3_upstreams"`
 }
-type tlsConfigSettings struct {
+// tlsConfiguration is the on-disk TLS configuration.
 type tlsConfiguration struct {
 	Enabled         bool   `yaml:"enabled" json:"enabled"`                                 // Enabled is the encryption (DoT/DoH/HTTPS) status
 	ServerName      string `yaml:"server_name" json:"server_name,omitempty"`               // ServerName is the hostname of your HTTPS/TLS server
 	ForceHTTPS      bool   `yaml:"force_https" json:"force_https"`                         // ForceHTTPS: if true, forces HTTP->HTTPS redirect
@@ -223,6 +225,29 @@ type tlsConfigSettings struct {
 	dnsforward.TLSConfig `yaml:",inline" json:",inline"`
 }
 // cloneForEncoding returns a clone of c with all top-level fields of c and all
 // exported and YAML-encoded fields of c.TLSConfig cloned.
 //
 // TODO(a.garipov): This is better than races, but still not good enough.
 func (c *tlsConfiguration) cloneForEncoding() (cloned *tlsConfiguration) {
 	if c == nil {
 		return nil
 	}
 	v := *c
 	cloned = &v
 	cloned.TLSConfig = dnsforward.TLSConfig{
 		CertificateChain:   c.CertificateChain,
 		PrivateKey:         c.PrivateKey,
 		CertificatePath:    c.CertificatePath,
 		PrivateKeyPath:     c.PrivateKeyPath,
 		OverrideTLSCiphers: slices.Clone(c.OverrideTLSCiphers),
 		StrictSNICheck:     c.StrictSNICheck,
 	}
 	return cloned
 }
 // config is the global configuration structure.
 //
 // TODO(a.garipov, e.burkov): This global is awful and must be removed.
@@ -273,25 +298,20 @@ var config = &configuration{
 		UpstreamTimeout: timeutil.Duration{Duration: dnsforward.DefaultTimeout},
 		UsePrivateRDNS:  true,
 	},
-	TLS: tlsConfigSettings{
+	TLS: tlsConfiguration{
 		PortHTTPS:       defaultPortHTTPS,
 		PortDNSOverTLS:  defaultPortTLS, // needs to be passed through to dnsproxy
 		PortDNSOverQUIC: defaultPortQUIC,
 	},
 	// NOTE: Keep these parameters in sync with the one put into
 	// client/src/helpers/filters/filters.js by scripts/vetted-filters.
 	//
 	// TODO(a.garipov): Think of a way to make scripts/vetted-filters update
 	// these as well if necessary.
 	Filters: []filtering.FilterYAML{{
 		Filter:  filtering.Filter{ID: 1},
 		Enabled: true,
-		URL:     "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt",
+		URL:     "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt",
 		Name:    "AdGuard DNS filter",
 	}, {
 		Filter:  filtering.Filter{ID: 2},
 		Enabled: false,
-		URL:     "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt",
+		URL:     "https://adaway.org/hosts.txt",
 		Name:    "AdAway Default Blocklist",
 	}},
 	DHCP: &dhcpd.ServerConfig{
@@ -447,7 +467,7 @@ func (c *configuration) write() (err error) {
 	}
 	if Context.tls != nil {
-		tlsConf := tlsConfigSettings{}
+		tlsConf := tlsConfiguration{}
 		Context.tls.WriteDiskConfig(&tlsConf)
 		config.TLS = tlsConf
 	}
--- a/internal/home/controlupdate.go
+++ b/internal/home/controlupdate.go
@@ -123,7 +123,7 @@ func handleUpdate(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	err = Context.updater.Update(false)
+	err = Context.updater.Update()
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
@@ -154,7 +154,7 @@ func (vr *versionResponse) setAllowedToAutoUpdate() (err error) {
 		return nil
 	}
-	tlsConf := &tlsConfigSettings{}
+	tlsConf := &tlsConfiguration{}
 	Context.tls.WriteDiskConfig(tlsConf)
 	canUpdate := true
@@ -172,7 +172,7 @@ func (vr *versionResponse) setAllowedToAutoUpdate() (err error) {
 // tlsConfUsesPrivilegedPorts returns true if the provided TLS configuration
 // indicates that privileged ports are used.
-func tlsConfUsesPrivilegedPorts(c *tlsConfigSettings) (ok bool) {
+func tlsConfUsesPrivilegedPorts(c *tlsConfiguration) (ok bool) {
 	return c.Enabled && (c.PortHTTPS < 1024 || c.PortDNSOverTLS < 1024 || c.PortDNSOverQUIC < 1024)
 }
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -9,12 +9,9 @@ import (
 	"path/filepath"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rewrite"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
 	"github.com/AdguardTeam/dnsproxy/proxy"
@@ -42,13 +39,17 @@ func onConfigModified() {
 	}
 }
-// initDNS updates all the fields of the [Context] needed to initialize the DNS
+// initDNSServer creates an instance of the dnsforward.Server
-// server and initializes it at last.  It also must not be called unless
+// Please note that we must do it even if we don't start it
-// [config] and [Context] are initialized.
+// so that we had access to the query log and the stats
-func initDNS() (err error) {
+func initDNSServer() (err error) {
 	baseDir := Context.getDataDir()
-	anonymizer := config.anonymizer()
+	var anonFunc aghnet.IPMutFunc
 	if config.DNS.AnonymizeClientIP {
 		anonFunc = querylog.AnonymizeIP
 	}
 	anonymizer := aghnet.NewIPMut(anonFunc)
 	statsConf := stats.Config{
 		Filename:       filepath.Join(baseDir, "stats.db"),
@@ -75,57 +76,40 @@ func initDNS() (err error) {
 	}
 	Context.queryLog = querylog.New(conf)
-	rewriteStorage, err := rewrite.NewDefaultStorage(config.DNS.DnsfilterConf.Rewrites)
+	Context.filters, err = filtering.New(config.DNS.DnsfilterConf, nil)
 	if err != nil {
 		return fmt.Errorf("rewrites: init: %w", err)
 	}
 	Context.filters, err = filtering.New(config.DNS.DnsfilterConf, nil, rewriteStorage)
 	if err != nil {
 		// Don't wrap the error, since it's informative enough as is.
 		return err
 	}
-	tlsConf := &tlsConfigSettings{}
+	var privateNets netutil.SubnetSet
-	Context.tls.WriteDiskConfig(tlsConf)
+	switch len(config.DNS.PrivateNets) {
 	case 0:
 		// Use an optimized locally-served matcher.
 		privateNets = netutil.SubnetSetFunc(netutil.IsLocallyServed)
 	case 1:
 		privateNets, err = netutil.ParseSubnet(config.DNS.PrivateNets[0])
 		if err != nil {
 			return fmt.Errorf("preparing the set of private subnets: %w", err)
 		}
 	default:
 		var nets []*net.IPNet
 		nets, err = netutil.ParseSubnets(config.DNS.PrivateNets...)
 		if err != nil {
 			return fmt.Errorf("preparing the set of private subnets: %w", err)
 		}
-	return initDNSServer(
+		privateNets = netutil.SliceSubnetSet(nets)
 		Context.filters,
 		Context.stats,
 		Context.queryLog,
 		Context.dhcpServer,
 		anonymizer,
 		httpRegister,
 		tlsConf,
 	)
 }
 // initDNSServer initializes the [context.dnsServer].  To only use the internal
 // proxy, none of the arguments are required, but tlsConf still must not be nil,
 // in other cases all the arguments also must not be nil.  It also must not be
 // called unless [config] and [Context] are initialized.
 func initDNSServer(
 	filters *filtering.DNSFilter,
 	sts stats.Interface,
 	qlog querylog.QueryLog,
 	dhcpSrv dhcpd.Interface,
 	anonymizer *aghnet.IPMut,
 	httpReg aghhttp.RegisterFunc,
 	tlsConf *tlsConfigSettings,
 ) (err error) {
 	privateNets, err := parseSubnetSet(config.DNS.PrivateNets)
 	if err != nil {
 		return fmt.Errorf("preparing set of private subnets: %w", err)
 	}
 	p := dnsforward.DNSCreateParams{
-		DNSFilter:   filters,
+		DNSFilter:   Context.filters,
-		Stats:       sts,
+		Stats:       Context.stats,
-		QueryLog:    qlog,
+		QueryLog:    Context.queryLog,
 		PrivateNets: privateNets,
 		Anonymizer:  anonymizer,
 		LocalDomain: config.DHCP.LocalDomainName,
-		DHCPServer:  dhcpSrv,
+		DHCPServer:  Context.dhcpServer,
 	}
 	Context.dnsServer, err = dnsforward.NewServer(p)
@@ -136,15 +120,15 @@ func initDNSServer(
 	}
 	Context.clients.dnsServer = Context.dnsServer
-
+	var dnsConfig dnsforward.ServerConfig
-	dnsConf, err := generateServerConfig(tlsConf, httpReg)
+	dnsConfig, err = generateServerConfig()
 	if err != nil {
 		closeDNSServer()
 		return fmt.Errorf("generateServerConfig: %w", err)
 	}
-	err = Context.dnsServer.Prepare(&dnsConf)
+	err = Context.dnsServer.Prepare(&dnsConfig)
 	if err != nil {
 		closeDNSServer()
@@ -162,32 +146,6 @@ func initDNSServer(
 	return nil
 }
 // parseSubnetSet parses a slice of subnets.  If the slice is empty, it returns
 // a subnet set that matches all locally served networks, see
 // [netutil.IsLocallyServed].
 func parseSubnetSet(nets []string) (s netutil.SubnetSet, err error) {
 	switch len(nets) {
 	case 0:
 		// Use an optimized function-based matcher.
 		return netutil.SubnetSetFunc(netutil.IsLocallyServed), nil
 	case 1:
 		s, err = netutil.ParseSubnet(nets[0])
 		if err != nil {
 			return nil, err
 		}
 		return s, nil
 	default:
 		var nets []*net.IPNet
 		nets, err = netutil.ParseSubnets(config.DNS.PrivateNets...)
 		if err != nil {
 			return nil, err
 		}
 		return netutil.SliceSubnetSet(nets), nil
 	}
 }
 func isRunning() bool {
 	return Context.dnsServer != nil && Context.dnsServer.IsRunning()
 }
@@ -235,10 +193,7 @@ func ipsToUDPAddrs(ips []netip.Addr, port int) (udpAddrs []*net.UDPAddr) {
 	return udpAddrs
 }
-func generateServerConfig(
+func generateServerConfig() (newConf dnsforward.ServerConfig, err error) {
 	tlsConf *tlsConfigSettings,
 	httpReg aghhttp.RegisterFunc,
 ) (newConf dnsforward.ServerConfig, err error) {
 	dnsConf := config.DNS
 	hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})
 	newConf = dnsforward.ServerConfig{
@@ -246,10 +201,12 @@ func generateServerConfig(
 		TCPListenAddrs:  ipsToTCPAddrs(hosts, dnsConf.Port),
 		FilteringConfig: dnsConf.FilteringConfig,
 		ConfigModified:  onConfigModified,
-		HTTPRegister:    httpReg,
+		HTTPRegister:    httpRegister,
 		OnDNSRequest:    onDNSRequest,
 	}
 	tlsConf := tlsConfiguration{}
 	Context.tls.WriteDiskConfig(&tlsConf)
 	if tlsConf.Enabled {
 		newConf.TLSConfig = tlsConf.TLSConfig
 		newConf.TLSConfig.ServerName = tlsConf.ServerName
@@ -267,7 +224,7 @@ func generateServerConfig(
 		}
 		if tlsConf.PortDNSCrypt != 0 {
-			newConf.DNSCryptConfig, err = newDNSCrypt(hosts, *tlsConf)
+			newConf.DNSCryptConfig, err = newDNSCrypt(hosts, tlsConf)
 			if err != nil {
 				// Don't wrap the error, because it's already
 				// wrapped by newDNSCrypt.
@@ -293,7 +250,7 @@ func generateServerConfig(
 	return newConf, nil
 }
-func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfigSettings) (dnscc dnsforward.DNSCryptConfig, err error) {
+func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfiguration) (dnscc dnsforward.DNSCryptConfig, err error) {
 	if tlsConf.DNSCryptConfigFile == "" {
 		return dnscc, errors.Error("no dnscrypt_config_file")
 	}
@@ -331,7 +288,7 @@ type dnsEncryption struct {
 }
 func getDNSEncryption() (de dnsEncryption) {
-	tlsConf := tlsConfigSettings{}
+	tlsConf := tlsConfiguration{}
 	Context.tls.WriteDiskConfig(&tlsConf)
@@ -456,11 +413,7 @@ func startDNSServer() error {
 func reconfigureDNSServer() (err error) {
 	var newConf dnsforward.ServerConfig
-
+	newConf, err = generateServerConfig()
 	tlsConf := &tlsConfigSettings{}
 	Context.tls.WriteDiskConfig(tlsConf)
 	newConf, err = generateServerConfig(tlsConf, httpRegister)
 	if err != nil {
 		return fmt.Errorf("generating forwarding dns server config: %w", err)
 	}
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -455,10 +455,6 @@ func run(opts options, clientBuildFS fs.FS) {
 	err = setupConfig(opts)
 	fatalOnError(err)
 	// TODO(e.burkov):  This could be made earlier, probably as the option's
 	// effect.
 	cmdlineUpdate(opts)
 	if !Context.firstRun {
 		// Save the updated config
 		err = config.write()
@@ -516,17 +512,16 @@ func run(opts options, clientBuildFS fs.FS) {
 	}
 	config.Users = nil
-	Context.tls, err = newTLSManager(config.TLS)
+	Context.tls, err = newTLSManager(&config.TLS)
 	if err != nil {
-		log.Error("initializing tls: %s", err)
+		log.Fatalf("initializing tls: %s", err)
 		onConfigModified()
 	}
 	Context.web, err = initWeb(opts, clientBuildFS)
 	fatalOnError(err)
 	if !Context.firstRun {
-		err = initDNS()
+		err = initDNSServer()
 		fatalOnError(err)
 		Context.tls.start()
@@ -547,24 +542,20 @@ func run(opts options, clientBuildFS fs.FS) {
 		}
 	}
 	// TODO(a.garipov): This could be made much earlier and could be done on
 	// the first run as well, but to achieve this we need to bypass requests
 	// over dnsforward resolver.
 	cmdlineUpdate(opts)
 	Context.web.Start()
 	// wait indefinitely for other go-routines to complete their job
 	select {}
 }
 func (c *configuration) anonymizer() (ipmut *aghnet.IPMut) {
 	var anonFunc aghnet.IPMutFunc
 	if c.DNS.AnonymizeClientIP {
 		anonFunc = querylog.AnonymizeIP
 	}
 	return aghnet.NewIPMut(anonFunc)
 }
 // startMods initializes and starts the DNS server after installation.
-func startMods() (err error) {
+func startMods() error {
-	err = initDNS()
+	err := initDNSServer()
 	if err != nil {
 		return err
 	}
@@ -826,7 +817,7 @@ func printWebAddrs(proto, addr string, port, betaPort int) {
 // printHTTPAddresses prints the IP addresses which user can use to access the
 // admin interface.  proto is either schemeHTTP or schemeHTTPS.
 func printHTTPAddresses(proto string) {
-	tlsConf := tlsConfigSettings{}
+	tlsConf := tlsConfiguration{}
 	if Context.tls != nil {
 		Context.tls.WriteDiskConfig(&tlsConf)
 	}
@@ -935,8 +926,8 @@ func getHTTPProxy(_ *http.Request) (*url.URL, error) {
 // jsonError is a generic JSON error response.
 //
-// TODO(a.garipov): Merge together with the implementations in [dhcpd] and other
+// TODO(a.garipov): Merge together with the implementations in .../dhcpd and
-// packages after refactoring the web handler registering.
+// other packages after refactoring the web handler registering.
 type jsonError struct {
 	// Message is the error message, an opaque string.
 	Message string `json:"message"`
@@ -948,40 +939,30 @@ func cmdlineUpdate(opts options) {
 		return
 	}
-	// Initialize the DNS server to use the internal resolver which the updater
+	log.Info("starting update")
 	// needs to be able to resolve the update source hostname.
 	//
 	// TODO(e.burkov):  We could probably initialize the internal resolver
 	// separately.
 	err := initDNSServer(nil, nil, nil, nil, nil, nil, &tlsConfigSettings{})
 	fatalOnError(err)
-	log.Info("cmdline update: performing update")
+	if Context.firstRun {
 		log.Info("update not allowed on first run")
-	updater := Context.updater
+		os.Exit(0)
 	info, err := updater.VersionInfo(true)
 	if err != nil {
 		vcu := updater.VersionCheckURL()
 		log.Error("getting version info from %s: %s", vcu, err)
 		os.Exit(1)
 	}
-	if info.NewVersion == version.Version() {
+	_, err := Context.updater.VersionInfo(true)
 	if err != nil {
 		vcu := Context.updater.VersionCheckURL()
 		log.Error("getting version info from %s: %s", vcu, err)
 		os.Exit(0)
 	}
 	if Context.updater.NewVersion() == "" {
 		log.Info("no updates available")
 		os.Exit(0)
 	}
-	err = updater.Update(Context.firstRun)
+	err = Context.updater.Update()
 	fatalOnError(err)
 	err = restartService()
 	if err != nil {
 		log.Debug("restarting service: %s", err)
 		log.Info("AdGuard Home was not installed as a service. " +
 			"Please restart running instances of AdGuardHome manually.")
 	}
 	os.Exit(0)
 }
--- a/internal/home/mobileconfig_test.go
+++ b/internal/home/mobileconfig_test.go
@@ -32,7 +32,11 @@ func setupDNSIPs(t testing.TB) {
 		},
 	}
-	Context.tls = &tlsManager{}
+	var err error
 	Context.tls, err = newTLSManager(&tlsConfiguration{
 		Enabled: true,
 	})
 	require.NoError(t, err)
 }
 func TestHandleMobileConfigDoH(t *testing.T) {
@@ -65,7 +69,11 @@ func TestHandleMobileConfigDoH(t *testing.T) {
 		oldTLSConf := Context.tls
 		t.Cleanup(func() { Context.tls = oldTLSConf })
-		Context.tls = &tlsManager{conf: tlsConfigSettings{}}
+		var err error
 		Context.tls, err = newTLSManager(&tlsConfiguration{
 			Enabled: true,
 		})
 		require.NoError(t, err)
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/doh.mobileconfig", nil)
 		require.NoError(t, err)
@@ -137,7 +145,11 @@ func TestHandleMobileConfigDoT(t *testing.T) {
 		oldTLSConf := Context.tls
 		t.Cleanup(func() { Context.tls = oldTLSConf })
-		Context.tls = &tlsManager{conf: tlsConfigSettings{}}
+		var err error
 		Context.tls, err = newTLSManager(&tlsConfiguration{
 			Enabled: true,
 		})
 		require.NoError(t, err)
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/dot.mobileconfig", nil)
 		require.NoError(t, err)
--- a/internal/home/options.go
+++ b/internal/home/options.go
@@ -229,7 +229,7 @@ var cmdLineOpts = []cmdLineOpt{{
 	updateNoValue:   func(o options) (options, error) { o.performUpdate = true; return o, nil },
 	effect:          nil,
 	serialize:       func(o options) (val string, ok bool) { return "", o.performUpdate },
-	description:     "Update the current binary and restart the service in case it's installed.",
+	description:     "Update application and exit.",
 	longName:        "update",
 	shortName:       "",
 }, {
--- a/internal/home/service.go
+++ b/internal/home/service.go
@@ -159,38 +159,6 @@ func sendSigReload() {
 	log.Debug("service: sent signal to pid %d", pid)
 }
 // restartService restarts the service.  It returns error if the service is not
 // running.
 func restartService() (err error) {
 	// Call chooseSystem explicitly to introduce OpenBSD support for service
 	// package.  It's a noop for other GOOS values.
 	chooseSystem()
 	pwd, err := os.Getwd()
 	if err != nil {
 		return fmt.Errorf("getting current directory: %w", err)
 	}
 	svcConfig := &service.Config{
 		Name:             serviceName,
 		DisplayName:      serviceDisplayName,
 		Description:      serviceDescription,
 		WorkingDirectory: pwd,
 	}
 	configureService(svcConfig)
 	var s service.Service
 	if s, err = service.New(&program{}, svcConfig); err != nil {
 		return fmt.Errorf("initializing service: %w", err)
 	}
 	if err = svcAction(s, "restart"); err != nil {
 		return fmt.Errorf("restarting service: %w", err)
 	}
 	return nil
 }
 // handleServiceControlAction one of the possible control actions:
 //
 //   - install:  Installs a service/daemon.
--- a/internal/home/service_linux.go
+++ b/internal/home/service_linux.go
@@ -7,8 +7,6 @@ import (
 	"github.com/kardianos/service"
 )
 // chooseSystem checks the current system detected and substitutes it with local
 // implementation if needed.
 func chooseSystem() {
 	sys := service.ChosenSystem()
 	// By default, package service uses the SysV system if it cannot detect
--- a/internal/home/service_openbsd.go
+++ b/internal/home/service_openbsd.go
@@ -30,8 +30,6 @@ import (
 // sysVersion is the version of local service.System interface implementation.
 const sysVersion = "openbsd-runcom"
 // chooseSystem checks the current system detected and substitutes it with local
 // implementation if needed.
 func chooseSystem() {
 	service.ChooseSystem(openbsdSystem{})
 }
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -8,53 +8,46 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"net/http"
 	"os"
 	"strings"
 	"sync"
 	"time"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/google/go-cmp/cmp"
 )
 // tlsManager contains the current configuration and state of AdGuard Home TLS
 // encryption.
 type tlsManager struct {
-	// status is the current status of the configuration.  It is never nil.
+	// mu protects all fields.
-	status *tlsConfigStatus
+	mu *sync.RWMutex
 	// certLastMod is the last modification time of the certificate file.
 	certLastMod time.Time
-	confLock sync.Mutex
+	// status is the current status of the configuration.  It is never nil.
-	conf     tlsConfigSettings
+	status *tlsConfigStatus
 	// conf is the current TLS configuration.
 	conf *tlsConfiguration
 }
-// newTLSManager initializes the manager of TLS configuration.  m is always
+// newTLSManager initializes the TLS configuration.
-// non-nil while any returned error indicates that the TLS configuration isn't
+func newTLSManager(conf *tlsConfiguration) (m *tlsManager, err error) {
 // valid.  Thus TLS may be initialized later, e.g. via the web UI.
 func newTLSManager(conf tlsConfigSettings) (m *tlsManager, err error) {
 	m = &tlsManager{
 		status: &tlsConfigStatus{},
 		mu:     &sync.RWMutex{},
 		conf:   conf,
 	}
 	if m.conf.Enabled {
 		err = m.load()
 		if err != nil {
-			m.conf.Enabled = false
+			return nil, err
 			return m, err
 		}
 		m.setCertFileTime()
@@ -63,9 +56,19 @@ func newTLSManager(conf tlsConfigSettings) (m *tlsManager, err error) {
 	return m, nil
 }
 // confForEncoding returns a partial clone of the current TLS configuration.  It
 // is safe for concurrent use.
 func (m *tlsManager) confForEncoding() (conf *tlsConfiguration) {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	return m.conf.cloneForEncoding()
 }
 // load reloads the TLS configuration from files or data from the config file.
 // m.mu is expected to be locked for writing.
 func (m *tlsManager) load() (err error) {
-	err = loadTLSConf(&m.conf, m.status)
+	err = loadTLSConf(m.conf, m.status)
 	if err != nil {
 		return fmt.Errorf("loading config: %w", err)
 	}
@@ -74,14 +77,12 @@ func (m *tlsManager) load() (err error) {
 }
 // WriteDiskConfig - write config
-func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
+func (m *tlsManager) WriteDiskConfig(conf *tlsConfiguration) {
-	m.confLock.Lock()
+	*conf = *m.confForEncoding()
 	*conf = m.conf
 	m.confLock.Unlock()
 }
 // setCertFileTime sets t.certLastMod from the certificate.  If there are
-// errors, setCertFileTime logs them.
+// errors, setCertFileTime logs them.  mu is expected to be locked for writing.
 func (m *tlsManager) setCertFileTime() {
 	if len(m.conf.CertificatePath) == 0 {
 		return
@@ -101,27 +102,22 @@ func (m *tlsManager) setCertFileTime() {
 func (m *tlsManager) start() {
 	m.registerWebHandlers()
 	m.confLock.Lock()
 	tlsConf := m.conf
 	m.confLock.Unlock()
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	Context.web.TLSConfigChanged(context.Background(), tlsConf)
+	Context.web.TLSConfigChanged(context.Background(), m.confForEncoding())
 }
-// reload updates the configuration and restarts t.
+// reload updates the configuration and restarts m.
 func (m *tlsManager) reload() {
-	m.confLock.Lock()
+	m.mu.Lock()
-	tlsConf := m.conf
+	defer m.mu.Unlock()
 	m.confLock.Unlock()
-	if !tlsConf.Enabled || len(tlsConf.CertificatePath) == 0 {
+	if !m.conf.Enabled || len(m.conf.CertificatePath) == 0 {
 		return
 	}
-	fi, err := os.Stat(tlsConf.CertificatePath)
+	fi, err := os.Stat(m.conf.CertificatePath)
 	if err != nil {
 		log.Error("tls: %s", err)
@@ -136,9 +132,7 @@ func (m *tlsManager) reload() {
 	log.Debug("tls: certificate file is modified")
 	m.confLock.Lock()
 	err = m.load()
 	m.confLock.Unlock()
 	if err != nil {
 		log.Error("tls: reloading: %s", err)
@@ -149,19 +143,15 @@ func (m *tlsManager) reload() {
 	_ = reconfigureDNSServer()
 	m.confLock.Lock()
 	tlsConf = m.conf
 	m.confLock.Unlock()
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	Context.web.TLSConfigChanged(context.Background(), tlsConf)
+	Context.web.TLSConfigChanged(context.Background(), m.conf)
 }
 // loadTLSConf loads and validates the TLS configuration.  The returned error is
 // also set in status.WarningValidation.
-func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
+func loadTLSConf(tlsConf *tlsConfiguration, status *tlsConfigStatus) (err error) {
 	defer func() {
 		if err != nil {
 			status.WarningValidation = err.Error()
@@ -176,13 +166,10 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	tlsConf.PrivateKeyData = []byte(tlsConf.PrivateKey)
 	if tlsConf.CertificatePath != "" {
-		if tlsConf.CertificateChain != "" {
+		err = loadCert(tlsConf)
 			return errors.Error("certificate data and file can't be set together")
 		}
 		tlsConf.CertificateChainData, err = os.ReadFile(tlsConf.CertificatePath)
 		if err != nil {
-			return fmt.Errorf("reading cert file: %w", err)
+			// Don't wrap the error, since it's informative enough as is.
 			return err
 		}
 		// Set status.ValidCert to true to signal the frontend that the
@@ -191,13 +178,10 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	}
 	if tlsConf.PrivateKeyPath != "" {
-		if tlsConf.PrivateKey != "" {
+		err = loadPKey(tlsConf)
 			return errors.Error("private key data and file can't be set together")
 		}
 		tlsConf.PrivateKeyData, err = os.ReadFile(tlsConf.PrivateKeyPath)
 		if err != nil {
-			return fmt.Errorf("reading key file: %w", err)
+			// Don't wrap the error, since it's informative enough as is.
 			return err
 		}
 		status.ValidKey = true
@@ -216,278 +200,29 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	return nil
 }
-// tlsConfigStatus contains the status of a certificate chain and key pair.
+// loadCert loads the certificate from file, if necessary.
-type tlsConfigStatus struct {
+func loadCert(tlsConf *tlsConfiguration) (err error) {
-	// Subject is the subject of the first certificate in the chain.
+	if tlsConf.CertificateChain != "" {
-	Subject string `json:"subject,omitempty"`
+		return errors.Error("certificate data and file can't be set together")
 	// Issuer is the issuer of the first certificate in the chain.
 	Issuer string `json:"issuer,omitempty"`
 	// KeyType is the type of the private key.
 	KeyType string `json:"key_type,omitempty"`
 	// NotBefore is the NotBefore field of the first certificate in the chain.
 	NotBefore time.Time `json:"not_before,omitempty"`
 	// NotAfter is the NotAfter field of the first certificate in the chain.
 	NotAfter time.Time `json:"not_after,omitempty"`
 	// WarningValidation is a validation warning message with the issue
 	// description.
 	WarningValidation string `json:"warning_validation,omitempty"`
 	// DNSNames is the value of SubjectAltNames field of the first certificate
 	// in the chain.
 	DNSNames []string `json:"dns_names"`
 	// ValidCert is true if the specified certificate chain is a valid chain of
 	// X509 certificates.
 	ValidCert bool `json:"valid_cert"`
 	// ValidChain is true if the specified certificate chain is verified and
 	// issued by a known CA.
 	ValidChain bool `json:"valid_chain"`
 	// ValidKey is true if the key is a valid private key.
 	ValidKey bool `json:"valid_key"`
 	// ValidPair is true if both certificate and private key are correct for
 	// each other.
 	ValidPair bool `json:"valid_pair"`
 }
 // tlsConfig is the TLS configuration and status response.
 type tlsConfig struct {
 	*tlsConfigStatus     `json:",inline"`
 	tlsConfigSettingsExt `json:",inline"`
 }
 // tlsConfigSettingsExt is used to (un)marshal the PrivateKeySaved field to
 // ensure that clients don't send and receive previously saved private keys.
 type tlsConfigSettingsExt struct {
 	tlsConfigSettings `json:",inline"`
 	// PrivateKeySaved is true if the private key is saved as a string and omit
 	// key from answer.
 	PrivateKeySaved bool `yaml:"-" json:"private_key_saved,inline"`
 }
 func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
 	m.confLock.Lock()
 	data := tlsConfig{
 		tlsConfigSettingsExt: tlsConfigSettingsExt{
 			tlsConfigSettings: m.conf,
 		},
 		tlsConfigStatus: m.status,
 	}
 	m.confLock.Unlock()
-	marshalTLS(w, r, data)
+	tlsConf.CertificateChainData, err = os.ReadFile(tlsConf.CertificatePath)
 }
 func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	setts, err := unmarshalTLS(r)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
+		return fmt.Errorf("reading cert file: %w", err)
 		return
 	}
-	if setts.PrivateKeySaved {
+	return nil
 		setts.PrivateKey = m.conf.PrivateKey
 	}
 	if setts.Enabled {
 		err = validatePorts(
 			tcpPort(config.BindPort),
 			tcpPort(config.BetaBindPort),
 			tcpPort(setts.PortHTTPS),
 			tcpPort(setts.PortDNSOverTLS),
 			tcpPort(setts.PortDNSCrypt),
 			udpPort(config.DNS.Port),
 			udpPort(setts.PortDNSOverQUIC),
 		)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 			return
 		}
 	}
 	if !webCheckPortAvailable(setts.PortHTTPS) {
 		aghhttp.Error(
 			r,
 			w,
 			http.StatusBadRequest,
 			"port %d is not available, cannot enable HTTPS on it",
 			setts.PortHTTPS,
 		)
 		return
 	}
 	// Skip the error check, since we are only interested in the value of
 	// status.WarningValidation.
 	status := &tlsConfigStatus{}
 	_ = loadTLSConf(&setts.tlsConfigSettings, status)
 	resp := tlsConfig{
 		tlsConfigSettingsExt: setts,
 		tlsConfigStatus:      status,
 	}
 	marshalTLS(w, r, resp)
 }
-func (m *tlsManager) setConfig(newConf tlsConfigSettings, status *tlsConfigStatus) (restartHTTPS bool) {
+// loadPKey loads the private key from file, if necessary.
-	m.confLock.Lock()
+func loadPKey(tlsConf *tlsConfiguration) (err error) {
-	defer m.confLock.Unlock()
+	if tlsConf.PrivateKey != "" {
-
+		return errors.Error("private key data and file cannot be set together")
 	// Reset the DNSCrypt data before comparing, since we currently do not
 	// accept these from the frontend.
 	//
 	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
 	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
 	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
 	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
 		log.Info("tls config has changed, restarting https server")
 		restartHTTPS = true
 	} else {
 		log.Info("tls: config has not changed")
 	}
-	// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
+	tlsConf.PrivateKeyData, err = os.ReadFile(tlsConf.PrivateKeyPath)
 	m.conf.Enabled = newConf.Enabled
 	m.conf.ServerName = newConf.ServerName
 	m.conf.ForceHTTPS = newConf.ForceHTTPS
 	m.conf.PortHTTPS = newConf.PortHTTPS
 	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
 	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
 	m.conf.CertificateChain = newConf.CertificateChain
 	m.conf.CertificatePath = newConf.CertificatePath
 	m.conf.CertificateChainData = newConf.CertificateChainData
 	m.conf.PrivateKey = newConf.PrivateKey
 	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
 	m.conf.PrivateKeyData = newConf.PrivateKeyData
 	m.status = status
 	return restartHTTPS
 }
 func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 	req, err := unmarshalTLS(r)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
+		return fmt.Errorf("reading key file: %w", err)
 		return
 	}
 	if req.PrivateKeySaved {
 		req.PrivateKey = m.conf.PrivateKey
 	}
 	if req.Enabled {
 		err = validatePorts(
 			tcpPort(config.BindPort),
 			tcpPort(config.BetaBindPort),
 			tcpPort(req.PortHTTPS),
 			tcpPort(req.PortDNSOverTLS),
 			tcpPort(req.PortDNSCrypt),
 			udpPort(config.DNS.Port),
 			udpPort(req.PortDNSOverQUIC),
 		)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 			return
 		}
 	}
 	// TODO(e.burkov):  Investigate and perhaps check other ports.
 	if !webCheckPortAvailable(req.PortHTTPS) {
 		aghhttp.Error(
 			r,
 			w,
 			http.StatusBadRequest,
 			"port %d is not available, cannot enable https on it",
 			req.PortHTTPS,
 		)
 		return
 	}
 	status := &tlsConfigStatus{}
 	err = loadTLSConf(&req.tlsConfigSettings, status)
 	if err != nil {
 		resp := tlsConfig{
 			tlsConfigSettingsExt: req,
 			tlsConfigStatus:      status,
 		}
 		marshalTLS(w, r, resp)
 		return
 	}
 	restartHTTPS := m.setConfig(req.tlsConfigSettings, status)
 	m.setCertFileTime()
 	onConfigModified()
 	err = reconfigureDNSServer()
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
 		return
 	}
 	resp := tlsConfig{
 		tlsConfigSettingsExt: req,
 		tlsConfigStatus:      m.status,
 	}
 	marshalTLS(w, r, resp)
 	if f, ok := w.(http.Flusher); ok {
 		f.Flush()
 	}
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request. It is also should be done in a separate goroutine due to the
 	// same reason.
 	if restartHTTPS {
 		go func() {
 			Context.web.TLSConfigChanged(context.Background(), req.tlsConfigSettings)
 		}()
 	}
 }
 // validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
 // DNS protocols.
 func validatePorts(
 	bindPort, betaBindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
 	dnsPort, doqPort udpPort,
 ) (err error) {
 	tcpPorts := aghalg.UniqChecker[tcpPort]{}
 	addPorts(
 		tcpPorts,
 		tcpPort(bindPort),
 		tcpPort(betaBindPort),
 		tcpPort(dohPort),
 		tcpPort(dotPort),
 		tcpPort(dnscryptTCPPort),
 	)
 	err = tcpPorts.Validate()
 	if err != nil {
 		return fmt.Errorf("validating tcp ports: %w", err)
 	}
 	udpPorts := aghalg.UniqChecker[udpPort]{}
 	addPorts(udpPorts, udpPort(dnsPort), udpPort(doqPort))
 	err = udpPorts.Validate()
 	if err != nil {
 		return fmt.Errorf("validating udp ports: %w", err)
 	}
 	return nil
@@ -704,61 +439,3 @@ func parsePrivateKey(der []byte) (key crypto.PrivateKey, typ string, err error)
 	return nil, "", errors.Error("tls: failed to parse private key")
 }
 // unmarshalTLS handles base64-encoded certificates transparently
 func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
 	data := tlsConfigSettingsExt{}
 	err := json.NewDecoder(r.Body).Decode(&data)
 	if err != nil {
 		return data, fmt.Errorf("failed to parse new TLS config json: %w", err)
 	}
 	if data.CertificateChain != "" {
 		var cert []byte
 		cert, err = base64.StdEncoding.DecodeString(data.CertificateChain)
 		if err != nil {
 			return data, fmt.Errorf("failed to base64-decode certificate chain: %w", err)
 		}
 		data.CertificateChain = string(cert)
 		if data.CertificatePath != "" {
 			return data, fmt.Errorf("certificate data and file can't be set together")
 		}
 	}
 	if data.PrivateKey != "" {
 		var key []byte
 		key, err = base64.StdEncoding.DecodeString(data.PrivateKey)
 		if err != nil {
 			return data, fmt.Errorf("failed to base64-decode private key: %w", err)
 		}
 		data.PrivateKey = string(key)
 		if data.PrivateKeyPath != "" {
 			return data, fmt.Errorf("private key data and file can't be set together")
 		}
 	}
 	return data, nil
 }
 func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
 	if data.CertificateChain != "" {
 		encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
 		data.CertificateChain = encoded
 	}
 	if data.PrivateKey != "" {
 		data.PrivateKeySaved = true
 		data.PrivateKey = ""
 	}
 	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 // registerWebHandlers registers HTTP handlers for TLS configuration.
 func (m *tlsManager) registerWebHandlers() {
 	httpRegister(http.MethodGet, "/control/tls/status", m.handleTLSStatus)
 	httpRegister(http.MethodPost, "/control/tls/configure", m.handleTLSConfigure)
 	httpRegister(http.MethodPost, "/control/tls/validate", m.handleTLSValidate)
 }
--- a/internal/home/tlshttp.go
+++ b/internal/home/tlshttp.go
@@ -0,0 +1,362 @@
 package home
 import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/google/go-cmp/cmp"
 )
 // Encryption Settings HTTP API
 // tlsConfigStatus contains the status of a certificate chain and key pair.
 type tlsConfigStatus struct {
 	// Subject is the subject of the first certificate in the chain.
 	Subject string `json:"subject,omitempty"`
 	// Issuer is the issuer of the first certificate in the chain.
 	Issuer string `json:"issuer,omitempty"`
 	// KeyType is the type of the private key.
 	KeyType string `json:"key_type,omitempty"`
 	// NotBefore is the NotBefore field of the first certificate in the chain.
 	NotBefore time.Time `json:"not_before,omitempty"`
 	// NotAfter is the NotAfter field of the first certificate in the chain.
 	NotAfter time.Time `json:"not_after,omitempty"`
 	// WarningValidation is a validation warning message with the issue
 	// description.
 	WarningValidation string `json:"warning_validation,omitempty"`
 	// DNSNames is the value of SubjectAltNames field of the first certificate
 	// in the chain.
 	DNSNames []string `json:"dns_names"`
 	// ValidCert is true if the specified certificate chain is a valid chain of
 	// X509 certificates.
 	ValidCert bool `json:"valid_cert"`
 	// ValidChain is true if the specified certificate chain is verified and
 	// issued by a known CA.
 	ValidChain bool `json:"valid_chain"`
 	// ValidKey is true if the key is a valid private key.
 	ValidKey bool `json:"valid_key"`
 	// ValidPair is true if both certificate and private key are correct for
 	// each other.
 	ValidPair bool `json:"valid_pair"`
 }
 // tlsConfigResp is the TLS configuration and status response.
 type tlsConfigResp struct {
 	*tlsConfigStatus
 	*tlsConfiguration
 	// PrivateKeySaved is true if the private key is saved as a string and omit
 	// key from answer.
 	PrivateKeySaved bool `yaml:"-" json:"private_key_saved"`
 }
 // tlsConfigReq is the TLS configuration request.
 type tlsConfigReq struct {
 	tlsConfiguration
 	// PrivateKeySaved is true if the private key is saved as a string and omit
 	// key from answer.
 	PrivateKeySaved bool `yaml:"-" json:"private_key_saved"`
 }
 // handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
 func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
 	var resp *tlsConfigResp
 	func() {
 		m.mu.RLock()
 		defer m.mu.RUnlock()
 		resp = &tlsConfigResp{
 			tlsConfigStatus:  m.status,
 			tlsConfiguration: m.conf.cloneForEncoding(),
 		}
 	}()
 	marshalTLS(w, r, resp)
 }
 // handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
 func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	req, err := unmarshalTLS(r)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
 		return
 	}
 	if req.PrivateKeySaved {
 		req.PrivateKey = m.confForEncoding().PrivateKey
 	}
 	if req.Enabled {
 		err = validatePorts(
 			tcpPort(config.BindPort),
 			tcpPort(config.BetaBindPort),
 			tcpPort(req.PortHTTPS),
 			tcpPort(req.PortDNSOverTLS),
 			tcpPort(req.PortDNSCrypt),
 			udpPort(config.DNS.Port),
 			udpPort(req.PortDNSOverQUIC),
 		)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 			return
 		}
 	}
 	if !webCheckPortAvailable(req.PortHTTPS) {
 		aghhttp.Error(
 			r,
 			w,
 			http.StatusBadRequest,
 			"port %d is not available, cannot enable HTTPS on it",
 			req.PortHTTPS,
 		)
 		return
 	}
 	resp := &tlsConfigResp{
 		tlsConfigStatus:  &tlsConfigStatus{},
 		tlsConfiguration: &req.tlsConfiguration,
 	}
 	// Skip the error check, since we are only interested in the value of
 	// resl.tlsConfigStatus.WarningValidation.
 	_ = loadTLSConf(resp.tlsConfiguration, resp.tlsConfigStatus)
 	marshalTLS(w, r, resp)
 }
 // validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
 // DNS protocols.
 func validatePorts(
 	bindPort, betaBindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
 	dnsPort, doqPort udpPort,
 ) (err error) {
 	tcpPorts := aghalg.UniqChecker[tcpPort]{}
 	addPorts(
 		tcpPorts,
 		tcpPort(bindPort),
 		tcpPort(betaBindPort),
 		tcpPort(dohPort),
 		tcpPort(dotPort),
 		tcpPort(dnscryptTCPPort),
 	)
 	err = tcpPorts.Validate()
 	if err != nil {
 		return fmt.Errorf("validating tcp ports: %w", err)
 	}
 	udpPorts := aghalg.UniqChecker[udpPort]{}
 	addPorts(udpPorts, udpPort(dnsPort), udpPort(doqPort))
 	err = udpPorts.Validate()
 	if err != nil {
 		return fmt.Errorf("validating udp ports: %w", err)
 	}
 	return nil
 }
 // handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
 // API.
 func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 	req, err := unmarshalTLS(r)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
 		return
 	}
 	if req.PrivateKeySaved {
 		req.PrivateKey = m.confForEncoding().PrivateKey
 	}
 	if req.Enabled {
 		err = validatePorts(
 			tcpPort(config.BindPort),
 			tcpPort(config.BetaBindPort),
 			tcpPort(req.PortHTTPS),
 			tcpPort(req.PortDNSOverTLS),
 			tcpPort(req.PortDNSCrypt),
 			udpPort(config.DNS.Port),
 			udpPort(req.PortDNSOverQUIC),
 		)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
 			return
 		}
 	}
 	// TODO(e.burkov):  Investigate and perhaps check other ports.
 	if !webCheckPortAvailable(req.PortHTTPS) {
 		aghhttp.Error(
 			r,
 			w,
 			http.StatusBadRequest,
 			"port %d is not available, cannot enable https on it",
 			req.PortHTTPS,
 		)
 		return
 	}
 	resp := &tlsConfigResp{
 		tlsConfigStatus:  &tlsConfigStatus{},
 		tlsConfiguration: &req.tlsConfiguration,
 	}
 	err = loadTLSConf(resp.tlsConfiguration, resp.tlsConfigStatus)
 	if err != nil {
 		marshalTLS(w, r, resp)
 		return
 	}
 	restartRequired := m.setConf(resp)
 	onConfigModified()
 	err = reconfigureDNSServer()
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
 		return
 	}
 	resp.tlsConfiguration = m.confForEncoding()
 	marshalTLS(w, r, resp)
 	if f, ok := w.(http.Flusher); ok {
 		f.Flush()
 	}
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request. It is also should be done in a separate goroutine due to the
 	// same reason.
 	if restartRequired {
 		go func() {
 			Context.web.TLSConfigChanged(context.Background(), resp.tlsConfiguration)
 		}()
 	}
 }
 // setConf sets the necessary values from the new configuration.
 func (m *tlsManager) setConf(newConf *tlsConfigResp) (restartRequired bool) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	// Reset the DNSCrypt data before comparing, since we currently do not
 	// accept these from the frontend.
 	//
 	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
 	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
 	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
 	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
 		log.Info("tls: config has changed, restarting https server")
 		restartRequired = true
 	} else {
 		log.Info("tls: config has not changed")
 	}
 	// Do not just write "m.conf = *newConf.tlsConfiguration", because all other
 	// members of m.conf must be preserved.
 	m.conf.Enabled = newConf.Enabled
 	m.conf.ServerName = newConf.ServerName
 	m.conf.ForceHTTPS = newConf.ForceHTTPS
 	m.conf.PortHTTPS = newConf.PortHTTPS
 	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
 	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
 	m.conf.CertificateChain = newConf.CertificateChain
 	m.conf.CertificatePath = newConf.CertificatePath
 	m.conf.CertificateChainData = newConf.CertificateChainData
 	m.conf.PrivateKey = newConf.PrivateKey
 	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
 	m.conf.PrivateKeyData = newConf.PrivateKeyData
 	m.setCertFileTime()
 	m.status = newConf.tlsConfigStatus
 	return restartRequired
 }
 // marshalTLS handles Base64-encoded certificates transparently.
 func marshalTLS(w http.ResponseWriter, r *http.Request, conf *tlsConfigResp) {
 	if conf.CertificateChain != "" {
 		encoded := base64.StdEncoding.EncodeToString([]byte(conf.CertificateChain))
 		conf.CertificateChain = encoded
 	}
 	if conf.PrivateKey != "" {
 		conf.PrivateKeySaved = true
 		conf.PrivateKey = ""
 	}
 	_ = aghhttp.WriteJSONResponse(w, r, conf)
 }
 // unmarshalTLS handles Base64-encoded certificates transparently.
 func unmarshalTLS(r *http.Request) (req *tlsConfigReq, err error) {
 	req = &tlsConfigReq{}
 	err = json.NewDecoder(r.Body).Decode(req)
 	if err != nil {
 		return nil, fmt.Errorf("parsing tls config: %w", err)
 	}
 	if req.CertificateChain != "" {
 		var cert []byte
 		cert, err = base64.StdEncoding.DecodeString(req.CertificateChain)
 		if err != nil {
 			return nil, fmt.Errorf("failed to base64-decode certificate chain: %w", err)
 		}
 		req.CertificateChain = string(cert)
 		if req.CertificatePath != "" {
 			return nil, fmt.Errorf("certificate data and file can't be set together")
 		}
 	}
 	if req.PrivateKey != "" {
 		var key []byte
 		key, err = base64.StdEncoding.DecodeString(req.PrivateKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to base64-decode private key: %w", err)
 		}
 		req.PrivateKey = string(key)
 		if req.PrivateKeyPath != "" {
 			return nil, fmt.Errorf("private key data and file can't be set together")
 		}
 	}
 	return req, nil
 }
 // registerWebHandlers registers HTTP handlers for TLS configuration.
 func (m *tlsManager) registerWebHandlers() {
 	httpRegister(http.MethodGet, "/control/tls/status", m.handleTLSStatus)
 	httpRegister(http.MethodPost, "/control/tls/configure", m.handleTLSConfigure)
 	httpRegister(http.MethodPost, "/control/tls/validate", m.handleTLSValidate)
 }
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -143,7 +143,7 @@ func webCheckPortAvailable(port int) (ok bool) {
 // TLSConfigChanged updates the TLS configuration and restarts the HTTPS server
 // if necessary.
-func (web *Web) TLSConfigChanged(ctx context.Context, tlsConf tlsConfigSettings) {
+func (web *Web) TLSConfigChanged(ctx context.Context, tlsConf *tlsConfiguration) {
 	log.Debug("web: applying new tls configuration")
 	web.conf.PortHTTPS = tlsConf.PortHTTPS
 	web.forceHTTPS = (tlsConf.ForceHTTPS && tlsConf.Enabled && tlsConf.PortHTTPS != 0)
--- a/internal/stats/stats.go
+++ b/internal/stats/stats.go
@@ -180,7 +180,7 @@ func withRecovered(orig *error) {
 // type check
 var _ Interface = (*StatsCtx)(nil)
-// Start implements the [Interface] interface for *StatsCtx.
+// Start implements the Interface interface for *StatsCtx.
 func (s *StatsCtx) Start() {
 	s.initWeb()
--- a/internal/updater/check.go
+++ b/internal/updater/check.go
@@ -61,7 +61,7 @@ func (u *Updater) VersionInfo(forceRecheck bool) (vi VersionInfo, err error) {
 		return VersionInfo{}, fmt.Errorf("updater: HTTP GET %s: %w", vcu, err)
 	}
-	u.prevCheckTime = now
+	u.prevCheckTime = time.Now()
 	u.prevCheckResult, u.prevCheckError = u.parseVersionResponse(body)
 	return u.prevCheckResult, u.prevCheckError
@@ -92,11 +92,7 @@ func (u *Updater) parseVersionResponse(data []byte) (VersionInfo, error) {
 	info.AnnouncementURL = versionJSON["announcement_url"]
 	packageURL, ok := u.downloadURL(versionJSON)
-	if !ok {
+	info.CanAutoUpdate = aghalg.BoolToNullBool(ok && info.NewVersion != u.version)
 		return info, fmt.Errorf("version.json: packageURL not found")
 	}
 	info.CanAutoUpdate = aghalg.BoolToNullBool(info.NewVersion != u.version)
 	u.newVersion = info.NewVersion
 	u.packageURL = packageURL
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -104,58 +104,49 @@ func NewUpdater(conf *Config) *Updater {
 	}
 }
-// Update performs the auto-update.  It returns an error if the update failed.
+// Update performs the auto-update.
-// If firstRun is true, it assumes the configuration file doesn't exist.
+func (u *Updater) Update() (err error) {
 func (u *Updater) Update(firstRun bool) (err error) {
 	u.mu.Lock()
 	defer u.mu.Unlock()
 	log.Info("updater: updating")
-	defer func() {
+	defer func() { log.Info("updater: finished; errors: %v", err) }()
 		if err != nil {
 			log.Error("updater: failed: %v", err)
 		} else {
 			log.Info("updater: finished")
 		}
 	}()
 	execPath, err := os.Executable()
 	if err != nil {
-		return fmt.Errorf("getting executable path: %w", err)
+		return err
 	}
 	err = u.prepare(execPath)
 	if err != nil {
-		return fmt.Errorf("preparing: %w", err)
+		return err
 	}
 	defer u.clean()
-	err = u.downloadPackageFile()
+	err = u.downloadPackageFile(u.packageURL, u.packageName)
 	if err != nil {
-		return fmt.Errorf("downloading package file: %w", err)
+		return err
 	}
 	err = u.unpack()
 	if err != nil {
-		return fmt.Errorf("unpacking: %w", err)
+		return err
 	}
-	if !firstRun {
+	err = u.check()
 		err = u.check()
 		if err != nil {
 			return fmt.Errorf("checking config: %w", err)
 		}
 	}
 	err = u.backup(firstRun)
 	if err != nil {
-		return fmt.Errorf("making backup: %w", err)
+		return err
 	}
 	err = u.backup()
 	if err != nil {
 		return err
 	}
 	err = u.replace()
 	if err != nil {
-		return fmt.Errorf("replacing: %w", err)
+		return err
 	}
 	return nil
@@ -183,7 +174,7 @@ func (u *Updater) prepare(exePath string) (err error) {
 	_, pkgNameOnly := filepath.Split(u.packageURL)
 	if pkgNameOnly == "" {
-		return fmt.Errorf("invalid PackageURL: %q", u.packageURL)
+		return fmt.Errorf("invalid PackageURL")
 	}
 	u.packageName = filepath.Join(u.updateDir, pkgNameOnly)
@@ -213,7 +204,6 @@ func (u *Updater) prepare(exePath string) (err error) {
 	return nil
 }
 // unpack extracts the files from the downloaded archive.
 func (u *Updater) unpack() error {
 	var err error
 	_, pkgNameOnly := filepath.Split(u.packageURL)
@@ -238,48 +228,38 @@ func (u *Updater) unpack() error {
 	return nil
 }
 // check returns an error if the configuration file couldn't be used with the
 // version of AdGuard Home just downloaded.
 func (u *Updater) check() error {
 	log.Debug("updater: checking configuration")
 	err := copyFile(u.confName, filepath.Join(u.updateDir, "AdGuardHome.yaml"))
 	if err != nil {
 		return fmt.Errorf("copyFile() failed: %w", err)
 	}
 	cmd := exec.Command(u.updateExeName, "--check-config")
 	err = cmd.Run()
 	if err != nil || cmd.ProcessState.ExitCode() != 0 {
 		return fmt.Errorf("exec.Command(): %s %d", err, cmd.ProcessState.ExitCode())
 	}
 	return nil
 }
-// backup makes a backup of the current configuration and supporting files.  It
+func (u *Updater) backup() error {
 // ignores the configuration file if firstRun is true.
 func (u *Updater) backup(firstRun bool) (err error) {
 	log.Debug("updater: backing up current configuration")
 	_ = os.Mkdir(u.backupDir, 0o755)
-	if !firstRun {
+	err := copyFile(u.confName, filepath.Join(u.backupDir, "AdGuardHome.yaml"))
-		err = copyFile(u.confName, filepath.Join(u.backupDir, "AdGuardHome.yaml"))
+	if err != nil {
-		if err != nil {
+		return fmt.Errorf("copyFile() failed: %w", err)
 			return fmt.Errorf("copyFile() failed: %w", err)
 		}
 	}
 	wd := u.workDir
 	err = copySupportingFiles(u.unpackedFiles, wd, u.backupDir)
 	if err != nil {
-		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s", wd, u.backupDir, err)
+		return fmt.Errorf("copySupportingFiles(%s, %s) failed: %s",
 			wd, u.backupDir, err)
 	}
 	return nil
 }
 // replace moves the current executable with the updated one and also copies the
 // supporting files.
 func (u *Updater) replace() error {
 	err := copySupportingFiles(u.unpackedFiles, u.updateDir, u.workDir)
 	if err != nil {
@@ -307,7 +287,6 @@ func (u *Updater) replace() error {
 	return nil
 }
 // clean removes the temporary directory itself and all it's contents.
 func (u *Updater) clean() {
 	_ = os.RemoveAll(u.updateDir)
 }
@@ -318,9 +297,9 @@ func (u *Updater) clean() {
 const MaxPackageFileSize = 32 * 1024 * 1024
 // Download package file and save it to disk
-func (u *Updater) downloadPackageFile() (err error) {
+func (u *Updater) downloadPackageFile(url, filename string) (err error) {
 	var resp *http.Response
-	resp, err = u.client.Get(u.packageURL)
+	resp, err = u.client.Get(url)
 	if err != nil {
 		return fmt.Errorf("http request failed: %w", err)
 	}
@@ -342,7 +321,7 @@ func (u *Updater) downloadPackageFile() (err error) {
 	_ = os.Mkdir(u.updateDir, 0o755)
 	log.Debug("updater: saving package to file")
-	err = os.WriteFile(u.packageName, body, 0o644)
+	err = os.WriteFile(filename, body, 0o644)
 	if err != nil {
 		return fmt.Errorf("os.WriteFile() failed: %w", err)
 	}
--- a/internal/updater/updater_test.go
+++ b/internal/updater/updater_test.go
@@ -136,10 +136,10 @@ func TestUpdate(t *testing.T) {
 	u.packageURL = fakeURL.String()
 	require.NoError(t, u.prepare(exePath))
-	require.NoError(t, u.downloadPackageFile())
+	require.NoError(t, u.downloadPackageFile(u.packageURL, u.packageName))
 	require.NoError(t, u.unpack())
 	// require.NoError(t, u.check())
-	require.NoError(t, u.backup(false))
+	require.NoError(t, u.backup())
 	require.NoError(t, u.replace())
 	u.clean()
@@ -215,10 +215,10 @@ func TestUpdateWindows(t *testing.T) {
 	u.packageURL = fakeURL.String()
 	require.NoError(t, u.prepare(exePath))
-	require.NoError(t, u.downloadPackageFile())
+	require.NoError(t, u.downloadPackageFile(u.packageURL, u.packageName))
 	require.NoError(t, u.unpack())
 	// assert.Nil(t, u.check())
-	require.NoError(t, u.backup(false))
+	require.NoError(t, u.backup())
 	require.NoError(t, u.replace())
 	u.clean()
--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@@ -6,14 +6,6 @@
 ## v0.107.20: API Changes
 ### `POST /control/cache_clear`
 * The new `POST /control/cache_clear` HTTP API allows clearing the DNS cache.
 ## v0.107.17: API Changes
 ### `GET /control/blocked_services/services` is deprecated
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -94,15 +94,6 @@
      'responses':
        '200':
          'description': 'OK'
  '/cache_clear':
    'post':
      'tags':
      - 'global'
      'operationId': 'cacheClear'
      'summary': 'Clear DNS cache'
      'responses':
        '200':
          'description': 'OK'
  '/test_upstream_dns':
    'post':
      'tags':
--- a/scripts/make/go-lint.sh
+++ b/scripts/make/go-lint.sh
@@ -227,9 +227,9 @@ gocyclo --over 13 ./internal/dhcpd ./internal/filtering/ ./internal/home/
 # Apply stricter standards to new or somewhat refactored code.
 gocyclo --over 10 ./internal/aghio/ ./internal/aghnet/ ./internal/aghos/\
-	./internal/aghtest/ ./internal/dnsforward/ ./internal/filtering/rewrite/\
+	./internal/aghtest/ ./internal/dnsforward/ ./internal/stats/\
-  ./internal/stats/ ./internal/tools/ ./internal/updater/ ./internal/next/\
+	./internal/tools/ ./internal/updater/ ./internal/next/ ./internal/version/\
-  ./internal/version/ ./scripts/vetted-filters/ ./main.go
+	./scripts/vetted-filters/ ./main.go
 ineffassign ./...
--- a/scripts/vetted-filters/main.go
+++ b/scripts/vetted-filters/main.go
@@ -74,11 +74,7 @@ func main() {
 			Name:       f.Name,
 			CategoryID: cat,
 			Homepage:   f.Homepage,
-			// NOTE: The source URL in filters.json is not guaranteed to contain
+			Source:     f.SourceURL,
 			// the URL of the filtering rule list.  So, use our mirror for the
 			// vetted blocklists, which are mostly guaranteed to be valid and
 			// available lists.
 			Source: f.DownloadURL,
 		}
 	}
@@ -118,11 +114,11 @@ type hlFilters struct {
 // hlFiltersFilter is the JSON structure for a filter in the Hostlists Registry.
 type hlFiltersFilter struct {
-	DownloadURL string   `json:"downloadUrl"`
+	FilterID  string   `json:"filterId"`
-	FilterID    string   `json:"filterId"`
+	Name      string   `json:"name"`
-	Homepage    string   `json:"homepage"`
+	Homepage  string   `json:"homepage"`
-	Name        string   `json:"name"`
+	SourceURL string   `json:"sourceUrl"`
-	Tags        []string `json:"tags"`
+	Tags      []string `json:"tags"`
 }
 // category returns the AdGuard Home category for this filter.  If there is no
Author	SHA1	Message	Date
Ainar Garipov	0c7d56dca3	Merge branch 'master' into 4927-refactor-tls	2022-11-22 17:10:40 +03:00
Ainar Garipov	f36efa26a4	home: refactor more	2022-11-21 19:45:18 +03:00
Ainar Garipov	a8850059db	home: refactor tls	2022-11-21 19:05:49 +03:00