all: fix chlog link

Squashed commit of the following:

commit 284190f748345c7556e60b67f051ec5f6f080948
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Dec 6 19:36:00 2023 +0300

    all: sync with master; upd chlog

.github/workflows/build.yml

@@ -1,7 +1,7 @@
 'name': 'build'
 
 'env':
-  'GO_VERSION': '1.20.11'
+  'GO_VERSION': '1.20.12'
   'NODE_VERSION': '16'
 
 'on':

.github/workflows/lint.yml

@@ -1,7 +1,7 @@
 'name': 'lint'
 
 'env':
-  'GO_VERSION': '1.20.11'
+  'GO_VERSION': '1.20.12'
 
 'on':
   'push':

CHANGELOG.md

@@ -14,20 +14,51 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA
 
-## [v0.107.42] - 2023-12-06 (APPROX.)
+## [v0.107.44] - 2023-12-20 (APPROX.)
 
-See also the [v0.107.42 GitHub milestone][ms-v0.107.42].
+See also the [v0.107.44 GitHub milestone][ms-v0.107.44].
 
-[ms-v0.107.42]: https://github.com/AdguardTeam/AdGuardHome/milestone/77?closed=1
+[ms-v0.107.44]: https://github.com/AdguardTeam/AdGuardHome/milestone/79?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+
+
+## [v0.107.43] - 2023-12-11
+
+See also the [v0.107.43 GitHub milestone][ms-v0.107.43].
+
+### Fixed
+
+- Incorrect handling of IPv4-in-IPv6 addresses when binding to an unspecified
+  address on some machines ([#6510]).
+
+[#6510]: https://github.com/AdguardTeam/AdGuardHome/issues/6510
+
+[ms-v0.107.43]: https://github.com/AdguardTeam/AdGuardHome/milestone/78?closed=1
+
+
+
+## [v0.107.42] - 2023-12-07
+
+See also the [v0.107.42 GitHub milestone][ms-v0.107.42].
+
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the
+  CVE-2023-39326, CVE-2023-45283, and CVE-2023-45285 Go vulnerabilities fixed in
+  [Go 1.20.12][go-1.20.12].
+
 ### Added
 
-- Ability to set client's custom DNS cache ([#6362], [dnsproxy#169]).
+- Ability to set client's custom DNS cache ([#6263]).
 - Ability to disable plain-DNS serving through configuration file if an
-  encrypted protocol is already used ([#1660]).
+  encrypted protocol is already enabled ([#1660]).
 - Ability to specify rate limiting settings in the Web UI ([#6369]).
 
 ### Changed
@@ -49,16 +80,13 @@ NOTE: Add new changes BELOW THIS COMMENT.
 
 [#1660]: https://github.com/AdguardTeam/AdGuardHome/issues/1660
 [#5759]: https://github.com/AdguardTeam/AdGuardHome/issues/5759
-[#6362]: https://github.com/AdguardTeam/AdGuardHome/issues/6362
+[#6263]: https://github.com/AdguardTeam/AdGuardHome/issues/6263
 [#6369]: https://github.com/AdguardTeam/AdGuardHome/issues/6369
 [#6402]: https://github.com/AdguardTeam/AdGuardHome/issues/6402
 [#6420]: https://github.com/AdguardTeam/AdGuardHome/issues/6420
 
-[dnsproxy#169] https://github.com/AdguardTeam/dnsproxy/issues/169
-
-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
--->
+[go-1.20.12]:   https://groups.google.com/g/golang-announce/c/iLGK3x6yuNo/m/z6MJ-eB0AQAJ
+[ms-v0.107.42]: https://github.com/AdguardTeam/AdGuardHome/milestone/77?closed=1
 
 
 
@@ -2645,11 +2673,13 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.42...HEAD
-[v0.107.42]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...v0.107.42
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.44...HEAD
+[v0.107.44]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.43...v0.107.44
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.43...HEAD
+[v0.107.43]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.42...v0.107.43
+[v0.107.42]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...v0.107.42
 [v0.107.41]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.40...v0.107.41
 [v0.107.40]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.39...v0.107.40
 [v0.107.39]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.38...v0.107.39

bamboo-specs/release.yaml

@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.5'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
 
 'stages':
   - 'Build frontend':
@@ -272,7 +272,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.5'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
   - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -287,4 +287,4 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.5'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'

bamboo-specs/snapcraft.yaml

@@ -10,7 +10,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.5'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
     'snapcraftChannel': 'edge'
 
 'stages':
@@ -191,7 +191,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.5'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
             'snapcraftChannel': 'beta'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
@@ -207,5 +207,5 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.5'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
             'snapcraftChannel': 'candidate'

bamboo-specs/test.yaml

@@ -5,7 +5,7 @@
     'key': 'AHBRTSPECS'
     'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerGo': 'adguard/golang-ubuntu:7.5'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
 
 'stages':
   - 'Tests':

client/src/__locales/be.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Налады кліентаў",
     "example_upstream_reserved": "upstream <0>для канкрэтных даменаў</0>;",
+    "example_multiple_upstreams_reserved": "некалькі DNS-сервераў <0>для канкрэтных даменаў</0>;",
     "example_upstream_comment": "каментар.",
     "upstream_parallel": "Ужыць адначасныя запыты да ўсіх сервераў для паскарэння апрацоўкі запыту",
     "parallel_requests": "Паралельныя запыты",
@@ -143,6 +144,8 @@
     "enforced_save_search": "Ужыты бяспечны пошук",
     "number_of_dns_query_to_safe_search": "Колькасць запытаў DNS для пошукавых сістэм, для якіх быў ужыты Бяспечны пошук",
     "average_processing_time": "Сярэдні час апрацоўкі запыту",
+    "average_upstream_response_time": "Сярэдні час водгуку upstream-сервера",
+    "response_time": "Час водгуку",
     "average_processing_time_hint": "Сярэдні час для апрацоўкі запыту DNS  у мілісекундах",
     "block_domain_use_filters_and_hosts": "Блакаваць дамены з выкарыстаннем фільтраў і файлаў хастоў",
     "filters_block_toggle_hint": "Вы можаце наладзіць правілы блакавання ў «<a>Фільтрах</a>».",
@@ -307,6 +310,15 @@
     "edns_use_custom_ip": "Выкарыстоўваць указаны IP для DNS",
     "edns_use_custom_ip_desc": "Дазволіць выкарыстоўваць уласны IP для DNS",
     "rate_limit_desc": "Абмежаванне на колькасць запытаў у секунду для кожнага кліента (0 — неабмежавана)",
+    "rate_limit_subnet_len_ipv4": "Даўжыня прэфікса падсеткі для адрасоў IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Даўжыня прэфікса падсеткі для адрасоў IPv4, якія выкарыстоўваюцца для абмежавання хуткасці. Значэнне па змаўчанні 24",
+    "rate_limit_subnet_len_ipv4_error": "Даўжыня прэфікса падсеткі IPv4 павінна быць ад 0 да 32",
+    "rate_limit_subnet_len_ipv6": "Даўжыня прэфікса падсеткі для адрасоў IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Даўжыня прэфікса падсеткі для адрасоў IPv6, якія выкарыстоўваюцца для абмежавання хуткасці. Значэнне па змаўчанні 56",
+    "rate_limit_subnet_len_ipv6_error": "Даўжыня прэфікса падсеткі IPv6 павінна быць ад 0 да 128",
+    "form_enter_rate_limit_subnet_len": "Увядзіце даўжыню прэфікса падсеткі для абмежавання хуткасці",
+    "rate_limit_whitelist": "Белы спіс з абмежаваннем хуткасці",
+    "rate_limit_whitelist_desc": "IP-адрасы выключаны з абмежавання хуткасці",
     "rate_limit_whitelist_placeholder": "Увядзіце па адным адрасе на радок",
     "blocking_ipv4_desc": "IP-адрас, што вяртаецца пры блакаванню A-запыту",
     "blocking_ipv6_desc": "IP-адрас, што вяртаецца пры блакаванню AAAA-запыту",
@@ -722,5 +734,8 @@
     "wednesday_short": "Ср.",
     "thursday_short": "Чц.",
     "friday_short": "Пт.",
-    "saturday_short": "Сб."
+    "saturday_short": "Сб.",
+    "upstream_dns_cache_configuration": "Канфігурацыя кэша upstream DNS-сервераў",
+    "enable_upstream_dns_cache": "Ўключыць кэшаванне для карыстацкай канфігурацыі upstream-сервераў гэтага кліента",
+    "dns_cache_size": "Памер кэша DNS, у байтах"
 }

client/src/__locales/cs.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Středa",
     "thursday_short": "Čtvrtek",
     "friday_short": "Pátek",
-    "saturday_short": "Sobota"
+    "saturday_short": "Sobota",
+    "upstream_dns_cache_configuration": "Konfigurace mezipaměti odchozího DNS",
+    "enable_upstream_dns_cache": "Povolit ukládání do mezipaměti DNS pro vlastní konfiguraci odchozího připojení tohoto klienta",
+    "dns_cache_size": "Velikost mezipaměti DNS v bajtech"
 }

client/src/__locales/da.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Ons",
     "thursday_short": "Tors",
     "friday_short": "Fre",
-    "saturday_short": "Lør"
+    "saturday_short": "Lør",
+    "upstream_dns_cache_configuration": "Upstream DNS-cacheopsætning",
+    "enable_upstream_dns_cache": "Aktivér DNS-cachelagring for denne klients tilpassede upstream-opsætning",
+    "dns_cache_size": "DNS-cachestørrelse i bytes"
 }

client/src/__locales/de.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Mi",
     "thursday_short": "Do",
     "friday_short": "Fr",
-    "saturday_short": "Sa"
+    "saturday_short": "Sa",
+    "upstream_dns_cache_configuration": "Konfiguration des Upstream-DNS-Cache",
+    "enable_upstream_dns_cache": "Caching für die benutzerdefinierte Upstream-Server-Konfiguration dieses Clients aktivieren",
+    "dns_cache_size": "Größe des DNS-Cache, in Bytes"
 }

client/src/__locales/es.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Mié.",
     "thursday_short": "Jue.",
     "friday_short": "Vie.",
-    "saturday_short": "Sáb."
+    "saturday_short": "Sáb.",
+    "upstream_dns_cache_configuration": "Configuración de la caché DNS upstream",
+    "enable_upstream_dns_cache": "Habilitar el almacenamiento en caché de DNS para la configuración personalizada de este cliente",
+    "dns_cache_size": "Tamaño de la caché DNS, en bytes"
 }

client/src/__locales/fi.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Ke",
     "thursday_short": "To",
     "friday_short": "Pe",
-    "saturday_short": "La"
+    "saturday_short": "La",
+    "upstream_dns_cache_configuration": "Ylävirran DNS-välimuistin määritykset",
+    "enable_upstream_dns_cache": "Käytä DNS-välimuistia tämän päätelaitteen mukautetuissa ylävirtamäärityksissä",
+    "dns_cache_size": "DNS-välimuistin koko tavuina"
 }

client/src/__locales/fr.json

@@ -310,6 +310,15 @@
     "edns_use_custom_ip": "Utiliser une IP personnalisée pour EDNS",
     "edns_use_custom_ip_desc": "Autoriser l'utilisation d'une adresse IP personnalisée pour EDNS",
     "rate_limit_desc": "Le nombre de requêtes par seconde qu’un seul client est autorisé à faire. Le réglage 0 fait illimité.",
+    "rate_limit_subnet_len_ipv4": "Longueur du préfixe de sous-réseau pour les adresses IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Longueur du préfixe de sous-réseau pour les adresses IPv4 utilisé pour la limitation de vitesse. La valeur par défaut est 24",
+    "rate_limit_subnet_len_ipv4_error": "La longueur du préfixe du sous-réseau IPv4 doit être entre 0 et 32",
+    "rate_limit_subnet_len_ipv6": "Longueur du préfixe de sous-réseau pour les adresses IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Longueur du préfixe de sous-réseau pour les adresses IPv6 utilisé pour la limitation de débit. La valeur par défaut est 56",
+    "rate_limit_subnet_len_ipv6_error": "La longueur du préfixe du sous-réseau IPv6 doit être entre 0 et 128",
+    "form_enter_rate_limit_subnet_len": "Saisissez la longueur du préfixe de sous-réseau pour la limitation de débit",
+    "rate_limit_whitelist": "Liste d'autorisation de limitation de débit",
+    "rate_limit_whitelist_desc": "Adresses IP exclues de la limitation du débit",
     "rate_limit_whitelist_placeholder": "Saisissez une adresse IP par ligne",
     "blocking_ipv4_desc": "Adresse IP à renvoyer pour une demande A bloquée",
     "blocking_ipv6_desc": "Adresse IP à renvoyer pour une demande AAAA bloquée",
@@ -725,5 +734,8 @@
     "wednesday_short": "Mer.",
     "thursday_short": "Jeu.",
     "friday_short": "Ven.",
-    "saturday_short": "Sam."
+    "saturday_short": "Sam.",
+    "upstream_dns_cache_configuration": "Configuration du cache DNS en amont",
+    "enable_upstream_dns_cache": "Activer la mise en cache pour la configuration personnalisée du serveur en amont de ce client",
+    "dns_cache_size": "Taille du cache DNS, en bytes"
 }

client/src/__locales/hr.json

@@ -310,6 +310,15 @@
     "edns_use_custom_ip": "Koristi prilagođeni IP za EDNS",
     "edns_use_custom_ip_desc": "Dopusti korištenje prilagođenog IP-a za EDNS",
     "rate_limit_desc": "Broj zahtjeva u sekundi koji su dopušteni po jednom klijentu. Postavljanje na 0 znači neograničeno.",
+    "rate_limit_subnet_len_ipv4": "Duljina prefiksa podmreže za IPv4 adrese",
+    "rate_limit_subnet_len_ipv4_desc": "Duljina prefiksa podmreže za IPv4 adrese koje se koriste za ograničavanje brzine. Zadana vrijednost je 24",
+    "rate_limit_subnet_len_ipv4_error": "Dužina IPv4 prefiksa podmreže trebala bi biti između 0 i 32",
+    "rate_limit_subnet_len_ipv6": "Duljina prefiksa podmreže za IPv6 adrese",
+    "rate_limit_subnet_len_ipv6_desc": "Duljina prefiksa podmreže za IPv6 adrese koje se koriste za ograničavanje brzine. Zadana vrijednost je 56",
+    "rate_limit_subnet_len_ipv6_error": "Dužina IPv6 prefiksa podmreže trebala bi biti između 0 i 128",
+    "form_enter_rate_limit_subnet_len": "Unesite duljinu prefiksa podmreže za ograničenje brzine",
+    "rate_limit_whitelist": "Popis dopuštenih za ograničavanje brzine",
+    "rate_limit_whitelist_desc": "IP adrese isključene iz ograničenja brzine",
     "rate_limit_whitelist_placeholder": "Unesite jednu adresu poslužitelja po retku",
     "blocking_ipv4_desc": "Povratna IP adresa za blokirane A zahtjeve",
     "blocking_ipv6_desc": "Povratna IP adresa za blokirane AAAA zahtjeve",
@@ -725,5 +734,8 @@
     "wednesday_short": "Sri",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sub"
+    "saturday_short": "Sub",
+    "upstream_dns_cache_configuration": "Konfiguracija predmemoriranja upstream DNS poslužitelja",
+    "enable_upstream_dns_cache": "Uključite keširanje za korisničku konfiguraciju upstream servera ovog klijenta",
+    "dns_cache_size": "Veličina DNS predmemorije, u bajtovima"
 }

client/src/__locales/hu.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Szer",
     "thursday_short": "Csüt",
     "friday_short": "Pén",
-    "saturday_short": "Szom"
+    "saturday_short": "Szom",
+    "upstream_dns_cache_configuration": "Upstream DNS gyorsítótár konfigurációja",
+    "enable_upstream_dns_cache": "A DNS gyorsítótárazásának engedélyezése az ügyfél egyéni upstream konfigurációjához",
+    "dns_cache_size": "DNS gyorsítótár mérete, bájtokban"
 }

client/src/__locales/id.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Rab",
     "thursday_short": "Kam",
     "friday_short": "Jum",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Konfigurasi cache DNS upstream",
+    "enable_upstream_dns_cache": "Aktifkan cache DNS untuk konfigurasi upstream kustom klien ini",
+    "dns_cache_size": "Ukuran cache DNS, dalam byte"
 }

client/src/__locales/it.json

@@ -310,6 +310,15 @@
     "edns_use_custom_ip": "Usa IP personalizzato per EDNS",
     "edns_use_custom_ip_desc": "Consentire l'uso di un IP personalizzato per EDNS",
     "rate_limit_desc": "Il numero di richieste al secondo consentite da un singolo client. Impostare questo valore a 0 rimuove le limitazioni.",
+    "rate_limit_subnet_len_ipv4": "Lunghezza prefisso di sottorete per indirizzi IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Lunghezza prefisso sottorete per indirizzi IPv4 usati per la limitazione della velocità. Valore predefinito 24",
+    "rate_limit_subnet_len_ipv4_error": "La lunghezza del prefisso di sottorete IPv4 deve essere compresa tra 0 e 32",
+    "rate_limit_subnet_len_ipv6": "Lunghezza prefisso di sottorete per indirizzi IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Lunghezza prefisso di sottorete per indirizzi IPv6 usati per la limitazione della velocità. Valore predefinito 56",
+    "rate_limit_subnet_len_ipv6_error": "La lunghezza del prefisso di sottorete IPv6 deve essere compresa tra 0 e 128",
+    "form_enter_rate_limit_subnet_len": "Inserisci lunghezza prefisso di sottorete per limitazione velocità",
+    "rate_limit_whitelist": "Lista consentita per limitazione velocità",
+    "rate_limit_whitelist_desc": "Indirizzi IP esclusi dalla limitazione della velocità",
     "rate_limit_whitelist_placeholder": "Inserisci un indirizzo IP per riga",
     "blocking_ipv4_desc": "Indirizzo IP per una richiesta DNS IPv4 bloccata",
     "blocking_ipv6_desc": "Indirizzo IP restituito per una richiesta DNS IPv6 bloccata",
@@ -725,5 +734,8 @@
     "wednesday_short": "Mer",
     "thursday_short": "Gio",
     "friday_short": "Ven",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Configurazione cache DNS upstream",
+    "enable_upstream_dns_cache": "Abilita cache DNS per la configurazione upstream personalizzata del client",
+    "dns_cache_size": "Dimensioni cache DNS (in byte)"
 }

client/src/__locales/ja.json

@@ -734,5 +734,8 @@
     "wednesday_short": "水",
     "thursday_short": "木",
     "friday_short": "金",
-    "saturday_short": "土"
+    "saturday_short": "土",
+    "upstream_dns_cache_configuration": "Upstream DNS cache configuration（アップストリームDNSキャッシュの構成）",
+    "enable_upstream_dns_cache": "このクライアントのカスタムアップストリーム構成に対してDNSキャッシュを有効にする",
+    "dns_cache_size": "DNSキャッシュサイズ（バイト単位）"
 }

client/src/__locales/ko.json

@@ -310,6 +310,15 @@
     "edns_use_custom_ip": "EDNS에 사용자 지정 IP 사용",
     "edns_use_custom_ip_desc": "EDNS에 사용자 지정 IP 사용하도록 허용합니다.",
     "rate_limit_desc": "단일 클라이언트에서 허용 가능한 초 당 요청 생성 숫자 (0: 무제한)",
+    "rate_limit_subnet_len_ipv4": "IPv4 주소의 서브넷 접두사 길이",
+    "rate_limit_subnet_len_ipv4_desc": "속도 제한에 사용되는 IPv4 주소의 서브넷 접두사 길이입니다. 기본값은 24입니다.",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 서브넷 접두사 길이는 0에서 32 사이여야 합니다.",
+    "rate_limit_subnet_len_ipv6": "IPv6 주소의 서브넷 접두사 길이",
+    "rate_limit_subnet_len_ipv6_desc": "속도 제한에 사용되는 IPv6 주소의 서브넷 접두사 길이입니다. 기본값은 56입니다.",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 서브넷 접두사 길이는 0에서 128 사이여야 합니다.",
+    "form_enter_rate_limit_subnet_len": "속도 제한을 위한 서브넷 접두사 길이를 입력하세요",
+    "rate_limit_whitelist": "속도 제한 허용 목록",
+    "rate_limit_whitelist_desc": "속도 제한에서 제외되는 IP 주소",
     "rate_limit_whitelist_placeholder": "한 줄에 하나씩 IP 주소를 입력하세요.",
     "blocking_ipv4_desc": "차단된 A 요청에 대해서 반환할 IP 주소",
     "blocking_ipv6_desc": "차단된 AAAA 요청에 대해서 반환할 IP 주소",
@@ -725,5 +734,8 @@
     "wednesday_short": "수",
     "thursday_short": "목",
     "friday_short": "금",
-    "saturday_short": "토"
+    "saturday_short": "토",
+    "upstream_dns_cache_configuration": "업스트림 DNS 캐시 설정",
+    "enable_upstream_dns_cache": "이 클라이언트의 사용자 지정 업스트림 설정에서 DNS 캐싱 사용",
+    "dns_cache_size": "DNS 캐시 크기(바이트)"
 }

client/src/__locales/nl.json

@@ -734,5 +734,8 @@
     "wednesday_short": "wo",
     "thursday_short": "do",
     "friday_short": "vr",
-    "saturday_short": "za"
+    "saturday_short": "za",
+    "upstream_dns_cache_configuration": "Upstream DNS-cacheconfiguratie",
+    "enable_upstream_dns_cache": "DNS-caching inschakelen voor de aangepaste upstream-configuratie van deze client",
+    "dns_cache_size": "DNS-cachegrootte, in bytes"
 }

client/src/__locales/pl.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Śro",
     "thursday_short": "Czw",
     "friday_short": "Pt",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Konfiguracja pamięci podręcznej upstream serwerów DNS",
+    "enable_upstream_dns_cache": "Włącz pamięć podręczną dla niestandardowej konfiguracji serwera upstream tego klienta",
+    "dns_cache_size": "Rozmiar pamięci podręcznej DNS, w bajtach"
 }

client/src/__locales/pt-br.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Quar",
     "thursday_short": "Qui",
     "friday_short": "Sex",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Configuração do cache de DNS upstream",
+    "enable_upstream_dns_cache": "Ativar o armazenamento em cache do DNS para a configuração de upstream personalizada deste cliente",
+    "dns_cache_size": "Tamanho do cache do DNS, em bytes"
 }

client/src/__locales/pt-pt.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Quarta",
     "thursday_short": "Quinta",
     "friday_short": "Sexta",
-    "saturday_short": "Sábado"
+    "saturday_short": "Sábado",
+    "upstream_dns_cache_configuration": "Configuração da cache do DNS upstream",
+    "enable_upstream_dns_cache": "Ativar o armazenamento em cache do DNS para a configuração de upstream personalizada deste cliente",
+    "dns_cache_size": "Tamanho da cache DNS, em bytes"
 }

client/src/__locales/ro.json

@@ -310,6 +310,15 @@
     "edns_use_custom_ip": "Utilizați IP personalizat pentru EDNS",
     "edns_use_custom_ip_desc": "Permiteți utilizarea IP-ului personalizat pentru EDNS",
     "rate_limit_desc": "Numărul de interogări pe secundă permise pe client. Setarea la 0 înseamnă că nu există limită.",
+    "rate_limit_subnet_len_ipv4": "Lungimea prefixului de subrețea pentru adrese IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Lungimea prefixului de subrețea pentru adresele IPv4 utilizate pentru limitarea ratei. Valoarea implicită este 24",
+    "rate_limit_subnet_len_ipv4_error": "Lungimea prefixului de subrețea IPv4 ar trebui să fie între 0 și 32",
+    "rate_limit_subnet_len_ipv6": "Lungimea prefixului de subrețea pentru adrese IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Lungimea prefixului de subrețea pentru adresele IPv6 utilizate pentru limitarea ratei. Valoarea implicită este 56",
+    "rate_limit_subnet_len_ipv6_error": "Lungimea prefixului de subrețea IPv6 ar trebui să fie între 0 și 128",
+    "form_enter_rate_limit_subnet_len": "Introduceți lungimea prefixului de subrețea pentru limitarea ratei",
+    "rate_limit_whitelist": "Lista permisă pentru limitarea ratei",
+    "rate_limit_whitelist_desc": "Adresele IP excluse de la limitarea ratei",
     "rate_limit_whitelist_placeholder": "Introduceți o adresă IP per linie",
     "blocking_ipv4_desc": "Adresa IP de returnat pentru o cerere A de blocare",
     "blocking_ipv6_desc": "Adresa IP de returnat pentru o cerere AAAA de blocare",
@@ -725,5 +734,8 @@
     "wednesday_short": "mi",
     "thursday_short": "jo",
     "friday_short": "vi",
-    "saturday_short": "sa"
+    "saturday_short": "sa",
+    "upstream_dns_cache_configuration": "Configurarea cache-ului DNS în amonte",
+    "enable_upstream_dns_cache": "Activați memoria cache DNS pentru configurația personalizată în amonte a acestui client",
+    "dns_cache_size": "Dimensiunea cache-ului DNS, în octeți"
 }

client/src/__locales/ru.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Ср",
     "thursday_short": "Чт",
     "friday_short": "Пт",
-    "saturday_short": "Сб"
+    "saturday_short": "Сб",
+    "upstream_dns_cache_configuration": "Конфигурация кеша upstream DNS-серверов",
+    "enable_upstream_dns_cache": "Включить кеширование для пользовательской конфигурации upstream-серверов этого клиента",
+    "dns_cache_size": "Размер DNS-кеша в байтах"
 }

client/src/__locales/sk.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Str",
     "thursday_short": "Štr",
     "friday_short": "Pia",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Konfigurácia cache pamäte DNS pre upstream",
+    "enable_upstream_dns_cache": "Zapnúť ukladanie DNS do cache pamäte pre vlastnú konfiguráciu odosielania tohto klienta",
+    "dns_cache_size": "Veľkosť cache pamäte DNS v bajtoch"
 }

client/src/__locales/sl.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Sre",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Nastavitve predpomnilnika gorvodnega DNS",
+    "enable_upstream_dns_cache": "Omogoči predpomnjenje nastavitev gorvodnega DNS po meri tega odjemalca",
+    "dns_cache_size": "Velikost predpomnilnika DNS, v bajtih"
 }

client/src/__locales/sr-cs.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Sre",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sub"
+    "saturday_short": "Sub",
+    "upstream_dns_cache_configuration": "Konfiguracija keša upstream DNS servera",
+    "enable_upstream_dns_cache": "Uključite keširanje za korisničku konfiguraciju upstream servera ovog klijenta",
+    "dns_cache_size": "Veličina DNS keša, u bajtovima"
 }

client/src/__locales/sv.json

@@ -310,6 +310,14 @@
     "edns_use_custom_ip": "Använd anpassad IP för EDNS",
     "edns_use_custom_ip_desc": "Tillåt att använda anpassad IP för EDNS",
     "rate_limit_desc": "Antalet förfrågningar per sekund som tillåts per klient. Att sätta den till 0 innebär ingen gräns.",
+    "rate_limit_subnet_len_ipv4": "Prefixlängd för subnät för IPv4-adresser",
+    "rate_limit_subnet_len_ipv4_desc": "Subnätprefixlängd för IPv4-adresser som används för hastighetsbegränsning. Standard är 24",
+    "rate_limit_subnet_len_ipv4_error": "IPv4-subnätets prefixlängd ska vara mellan 0 och 32",
+    "rate_limit_subnet_len_ipv6": "Prefixlängd för subnät för IPv6-adresser",
+    "rate_limit_subnet_len_ipv6_desc": "Subnätprefixlängd för IPv6-adresser som används för hastighetsbegränsning. Standard är 56",
+    "rate_limit_subnet_len_ipv6_error": "IPv6-subnätets prefixlängd ska vara mellan 0 och 128",
+    "form_enter_rate_limit_subnet_len": "Ange subnätprefixlängd för hastighetsbegränsning",
+    "rate_limit_whitelist_desc": "IP-adresser uteslutna från hastighetsbegränsning",
     "rate_limit_whitelist_placeholder": "Ange en IP-adress per rad",
     "blocking_ipv4_desc": "IP adress som ska returneras för en blockerad A förfrågan",
     "blocking_ipv6_desc": "IP adress som ska returneras för en blockerad AAAA förfrågan",
@@ -725,5 +733,8 @@
     "wednesday_short": "Ons",
     "thursday_short": "Tor",
     "friday_short": "Fre",
-    "saturday_short": "Lör"
+    "saturday_short": "Lör",
+    "upstream_dns_cache_configuration": "Konfiguration av uppströms DNS-cache",
+    "enable_upstream_dns_cache": "Aktivera DNS-cachelagring för den här klientens anpassade uppströmskonfiguration",
+    "dns_cache_size": "DNS-cachestorlek, i byte"
 }

client/src/__locales/tr.json

@@ -322,7 +322,7 @@
     "rate_limit_whitelist_placeholder": "Her satıra bir IP adresi girin",
     "blocking_ipv4_desc": "Engellenen bir A isteği için geri döndürülecek IP adresi",
     "blocking_ipv6_desc": "Engellenen bir AAAA isteği için geri döndürülecek IP adresi",
-    "blocking_mode_default": "Varsayılan: Reklam engelleme tarzı kural tarafından engellendiğinde sıfır IP adresiyle (A için 0.0.0.0; :: AAAA için) yanıt verin; /etc/hosts-tarzı kural tarafından engellendiğinde, kuralda belirtilen IP adresiyle yanıt verin",
+    "blocking_mode_default": "Varsayılan: Reklam engelleme stili kuralı tarafından engellendiğinde sıfır IP adresiyle (A için 0.0.0.0; :: AAAA için) yanıt verin; /etc/hosts-tarzı kural tarafından engellendiğinde, kuralda belirtilen IP adresiyle yanıt verin",
     "blocking_mode_refused": "REFUSED: REFUSED koduyla yanıt verin",
     "blocking_mode_nxdomain": "NXDOMAIN: NXDOMAIN koduyla yanıt verin",
     "blocking_mode_null_ip": "Boş IP: Sıfır IP adresiyle yanıt verin (A için 0.0.0.0; :: AAAA için)",
@@ -734,5 +734,8 @@
     "wednesday_short": "Çar",
     "thursday_short": "Per",
     "friday_short": "Cum",
-    "saturday_short": "Cmt"
+    "saturday_short": "Cmt",
+    "upstream_dns_cache_configuration": "Üst kaynak DNS önbellek yapılandırması",
+    "enable_upstream_dns_cache": "Bu istemcinin özel üst kaynak yapılandırması için DNS önbelleğe almayı etkinleştir",
+    "dns_cache_size": "DNS önbellek boyutu, bayt cinsinden"
 }

client/src/__locales/uk.json

@@ -734,5 +734,8 @@
     "wednesday_short": "СР",
     "thursday_short": "ЧТ",
     "friday_short": "ПТ",
-    "saturday_short": "СБ"
+    "saturday_short": "СБ",
+    "upstream_dns_cache_configuration": "Конфігурація кешу upstream DNS-серверів",
+    "enable_upstream_dns_cache": "Увімкнути кешування для користувацької конфігурації upstream-серверів цього клієнта",
+    "dns_cache_size": "Розмір кешу DNS, у байтах"
 }

client/src/__locales/vi.json

@@ -734,5 +734,8 @@
     "wednesday_short": "Thứ 4",
     "thursday_short": "Thứ 5",
     "friday_short": "Thứ 6",
-    "saturday_short": "Thứ 7"
+    "saturday_short": "Thứ 7",
+    "upstream_dns_cache_configuration": "Cấu hình bộ nhớ đệm upstream của các máy chủ DNS",
+    "enable_upstream_dns_cache": "Bật bộ nhớ cache cho cấu hình ngược dòng của máy chủ upstream của khách hàng này",
+    "dns_cache_size": "Kích thước bộ nhớ cache DNS, tính bằng byte"
 }

client/src/__locales/zh-cn.json

@@ -734,5 +734,8 @@
     "wednesday_short": "周三",
     "thursday_short": "周四",
     "friday_short": "周五",
-    "saturday_short": "周六"
+    "saturday_short": "周六",
+    "upstream_dns_cache_configuration": "上游 DNS 缓存配置",
+    "enable_upstream_dns_cache": "为该客户端的自定义上游配置启用 DNS 缓存",
+    "dns_cache_size": "DNS 缓存大小，单位：字节"
 }

client/src/__locales/zh-tw.json

@@ -734,5 +734,8 @@
     "wednesday_short": "週三",
     "thursday_short": "週四",
     "friday_short": "週五",
-    "saturday_short": "週六"
+    "saturday_short": "週六",
+    "upstream_dns_cache_configuration": "上游 DNS 快取設定",
+    "enable_upstream_dns_cache": "啟用本用戶端自訂上游配置的 DNS 快取",
+    "dns_cache_size": "DNS 快取大小，單位：位元"
 }

client/src/helpers/trackers/trackers.json

@@ -1,5 +1,5 @@
 {
-    "timeUpdated": "2023-11-10T12:55:56.663Z",
+    "timeUpdated": "2023-12-01T15:24:07.522Z",
     "categories": {
         "0": "audio_video_player",
         "1": "comments",
@@ -640,7 +640,8 @@
             "name": "AdChina",
             "categoryId": 4,
             "url": "http://www.adchina.com/",
-            "companyId": "alibaba"
+            "companyId": null,
+            "source": "AdGuard"
         },
         "adcito": {
             "name": "Adcito",
@@ -1321,6 +1322,13 @@
             "companyId": "adobe",
             "source": "AdGuard"
         },
+        "adobe_experience_league": {
+            "name": "Adobe Experience League",
+            "categoryId": 6,
+            "url": "https://experienceleague.adobe.com/",
+            "companyId": "adobe",
+            "source": "AdGuard"
+        },
         "adobe_login": {
             "name": "Adobe Login",
             "categoryId": 2,
@@ -2281,27 +2289,29 @@
             "name": "Alibaba",
             "categoryId": 8,
             "url": "http://www.alibaba.com/",
-            "companyId": "alibaba"
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "alibaba_cloud": {
             "name": "Alibaba Cloud",
             "categoryId": 10,
             "url": "https://www.alibabacloud.com/",
-            "companyId": "alibaba",
+            "companyId": "softbank",
             "source": "AdGuard"
         },
         "alibaba_ucbrowser": {
             "name": "UC Browser",
             "categoryId": 8,
             "url": "https://ucweb.com/",
-            "companyId": "alibaba",
+            "companyId": "softbank",
             "source": "AdGuard"
         },
         "alipay.com": {
             "name": "Alipay",
             "categoryId": 2,
-            "url": "https://www.alipay.com/",
-            "companyId": "alibaba"
+            "url": "https://global.alipay.com/",
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "alivechat": {
             "name": "AliveChat",
@@ -3767,10 +3777,11 @@
             "companyId": "branica"
         },
         "braze": {
-            "name": "Braze",
+            "name": "Braze, Inc.",
             "categoryId": 6,
             "url": "https://www.braze.com/",
-            "companyId": "braze_inc"
+            "companyId": "braze",
+            "source": "AdGuard"
         },
         "brealtime": {
             "name": "EMX Digital",
@@ -12534,7 +12545,7 @@
             "name": "Network Time Protocol",
             "categoryId": 5,
             "url": "https://ntp.org/",
-            "companyId": "ntppool",
+            "companyId": "network_time_foundation",
             "source": "AdGuard"
         },
         "nttcom_online_marketing_solutions": {
@@ -17062,7 +17073,8 @@
             "name": "Taobao",
             "categoryId": 4,
             "url": "https://world.taobao.com/",
-            "companyId": "alibaba"
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "tapad": {
             "name": "Tapad",
@@ -20431,6 +20443,7 @@
         "nedstat.com": "adobe_experience_cloud",
         "omtrdc.net": "adobe_experience_cloud",
         "sitestat.com": "adobe_experience_cloud",
+        "adobedc.net": "adobe_experience_league",
         "adobelogin.com": "adobe_login",
         "adobetag.com": "adobe_tagmanager",
         "typekit.com": "adobe_typekit",
@@ -21046,6 +21059,7 @@
         "brandwire.tv": "brandwire.tv",
         "branica.com": "branica",
         "appboycdn.com": "braze",
+        "braze.com": "braze",
         "brealtime.com": "brealtime",
         "bridgetrack.com": "bridgetrack",
         "brightcove.com": "brightcove",
@@ -23140,8 +23154,11 @@
         "s-microsoft.com": "microsoft",
         "trouter.io": "microsoft",
         "windows.net": "microsoft",
+        "aka.ms": "microsoft",
+        "microsoftazuread-sso.com": "microsoft",
         "bingapis.com": "microsoft",
         "msauth.net": "microsoft",
+        "msauthimages.net": "microsoft",
         "msftauth.net": "microsoft",
         "msftstatic.com": "microsoft",
         "msidentity.com": "microsoft",
@@ -23232,10 +23249,13 @@
         "mrpdata.net": "mrpdata",
         "mrskincash.com": "mrskincash",
         "a-msedge.net": "msedge",
+        "b-msedge.net": "msedge",
         "e-msedge.net": "msedge",
+        "k-msedge.net": "msedge",
         "l-msedge.net": "msedge",
         "s-msedge.net": "msedge",
         "t-msedge.net": "msedge",
+        "wac-msedge.net": "msedge",
         "msn.com": "msn",
         "s-msn.com": "msn",
         "musculahq.appspot.com": "muscula",

go.mod

@@ -3,8 +3,8 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.20
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.59.1
-	github.com/AdguardTeam/golibs v0.17.2
+	github.com/AdguardTeam/dnsproxy v0.60.1
+	github.com/AdguardTeam/golibs v0.18.0
 	github.com/AdguardTeam/urlfilter v0.17.3
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.7
@@ -17,7 +17,7 @@ require (
 	github.com/google/gopacket v1.1.19
 	github.com/google/renameio/v2 v2.0.0
 	github.com/google/uuid v1.4.0
-	github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c
+	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.2
 	github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118
@@ -26,18 +26,18 @@ require (
 	// TODO(a.garipov): This package is deprecated; find a new one or use our
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
-	github.com/miekg/dns v1.1.56
+	github.com/miekg/dns v1.1.57
 	github.com/quic-go/quic-go v0.40.0
 	github.com/stretchr/testify v1.8.4
 	github.com/ti-mo/netfilter v0.5.1
 	go.etcd.io/bbolt v1.3.8
-	golang.org/x/crypto v0.15.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
-	golang.org/x/net v0.18.0
-	golang.org/x/sys v0.14.0
+	golang.org/x/crypto v0.16.0
+	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
+	golang.org/x/net v0.19.0
+	golang.org/x/sys v0.15.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
-	howett.net/plist v1.0.0
+	howett.net/plist v1.0.1
 )
 
 require (
@@ -47,12 +47,12 @@ require (
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect
+	github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08 // indirect
 	// TODO(a.garipov): Upgrade to v0.5.0 once we switch to Go 1.21+.
 	github.com/mdlayher/socket v0.4.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.13.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
-	github.com/pierrec/lz4/v4 v4.1.18 // indirect
+	github.com/pierrec/lz4/v4 v4.1.19 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
@@ -62,5 +62,5 @@ require (
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 )

go.sum

@@ -1,7 +1,7 @@
-github.com/AdguardTeam/dnsproxy v0.59.1 h1:G/6T32EuPF0rhRkACkLFwD0pajI9351a1LACpuA2UcE=
-github.com/AdguardTeam/dnsproxy v0.59.1/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM=
-github.com/AdguardTeam/golibs v0.17.2 h1:vg6wHMjUKscnyPGRvxS5kAt7Uw4YxcJiITZliZ476W8=
-github.com/AdguardTeam/golibs v0.17.2/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
+github.com/AdguardTeam/dnsproxy v0.60.1 h1:YveGe7UZLaAiePkaV3orkc0IIfPX9vi/qQDIFdeO//A=
+github.com/AdguardTeam/dnsproxy v0.60.1/go.mod h1:B7FvvTFQZBfey1cJXQo732EyCLX6xj4JqrciCawATzg=
+github.com/AdguardTeam/golibs v0.18.0 h1:ckS2YK7t2Ub6UkXl0fnreVaM15Zb07Hh1gmFqttjpWg=
+github.com/AdguardTeam/golibs v0.18.0/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
 github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw=
 github.com/AdguardTeam/urlfilter v0.17.3/go.mod h1:Jru7jFfeH2CoDf150uDs+rRYcZBzHHBz05r9REyDKyE=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
@@ -41,16 +41,16 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk=
-github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08 h1:PxlBVtIFHR/mtWk2i0gTEdCz+jBnqiuHNSki0epDbVs=
+github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c h1:PgxFEySCI41sH0mB7/2XswdXbUykQsRUGod8Rn+NubM=
-github.com/insomniacslk/dhcp v0.0.0-20231016090811-6a2c8fbdcc1c/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -73,17 +73,17 @@ github.com/mdlayher/raw v0.1.0/go.mod h1:yXnxvs6c0XoF/aK52/H5PjsVHmWBCFfZUfoh/Y5
 github.com/mdlayher/socket v0.2.1/go.mod h1:QLlNPkFR88mRUNQIzRBMfXxwKal8H7u1h3bL1CV+f0E=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
-github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU=
-github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
+github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
+github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
-github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.19 h1:tYLzDnjDXh9qIxSTKHwXwOYmm9d887Y7Y1ZkyXYHAN4=
+github.com/pierrec/lz4/v4 v4.1.19/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -118,10 +118,10 @@ go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
 go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
-golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
@@ -132,8 +132,8 @@ golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
@@ -149,8 +149,8 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -158,8 +158,8 @@ golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
@@ -171,5 +171,5 @@ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
-howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
+howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=

internal/dnsforward/config.go

@@ -67,7 +67,7 @@ type Config struct {
 	RatelimitSubnetLenIPv6 int `yaml:"ratelimit_subnet_len_ipv6"`
 
 	// RatelimitWhitelist is the list of whitelisted client IP addresses.
-	RatelimitWhitelist []string `yaml:"ratelimit_whitelist"`
+	RatelimitWhitelist []netip.Addr `yaml:"ratelimit_whitelist"`
 
 	// RefuseAny, if true, refuse ANY requests.
 	RefuseAny bool `yaml:"refuse_any"`
@@ -298,24 +298,24 @@ type ServerConfig struct {
 func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 	srvConf := s.conf
 	conf = &proxy.Config{
-		HTTP3:                   srvConf.ServeHTTP3,
-		Ratelimit:               int(srvConf.Ratelimit),
-		RatelimitSubnetMaskIPv4: net.CIDRMask(srvConf.RatelimitSubnetLenIPv4, netutil.IPv4BitLen),
-		RatelimitSubnetMaskIPv6: net.CIDRMask(srvConf.RatelimitSubnetLenIPv6, netutil.IPv6BitLen),
-		RatelimitWhitelist:      srvConf.RatelimitWhitelist,
-		RefuseAny:               srvConf.RefuseAny,
-		TrustedProxies:          srvConf.TrustedProxies,
-		CacheMinTTL:             srvConf.CacheMinTTL,
-		CacheMaxTTL:             srvConf.CacheMaxTTL,
-		CacheOptimistic:         srvConf.CacheOptimistic,
-		UpstreamConfig:          srvConf.UpstreamConfig,
-		BeforeRequestHandler:    s.beforeRequestHandler,
-		RequestHandler:          s.handleDNSRequest,
-		HTTPSServerName:         aghhttp.UserAgent(),
-		EnableEDNSClientSubnet:  srvConf.EDNSClientSubnet.Enabled,
-		MaxGoroutines:           int(srvConf.MaxGoroutines),
-		UseDNS64:                srvConf.UseDNS64,
-		DNS64Prefs:              srvConf.DNS64Prefixes,
+		HTTP3:                  srvConf.ServeHTTP3,
+		Ratelimit:              int(srvConf.Ratelimit),
+		RatelimitSubnetLenIPv4: srvConf.RatelimitSubnetLenIPv4,
+		RatelimitSubnetLenIPv6: srvConf.RatelimitSubnetLenIPv6,
+		RatelimitWhitelist:     srvConf.RatelimitWhitelist,
+		RefuseAny:              srvConf.RefuseAny,
+		TrustedProxies:         srvConf.TrustedProxies,
+		CacheMinTTL:            srvConf.CacheMinTTL,
+		CacheMaxTTL:            srvConf.CacheMaxTTL,
+		CacheOptimistic:        srvConf.CacheOptimistic,
+		UpstreamConfig:         srvConf.UpstreamConfig,
+		BeforeRequestHandler:   s.beforeRequestHandler,
+		RequestHandler:         s.handleDNSRequest,
+		HTTPSServerName:        aghhttp.UserAgent(),
+		EnableEDNSClientSubnet: srvConf.EDNSClientSubnet.Enabled,
+		MaxGoroutines:          int(srvConf.MaxGoroutines),
+		UseDNS64:               srvConf.UseDNS64,
+		DNS64Prefs:             srvConf.DNS64Prefixes,
 	}
 
 	if srvConf.EDNSClientSubnet.UseCustom {

internal/dnsforward/configvalidator.go

@@ -0,0 +1,349 @@
+package dnsforward
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/miekg/dns"
+	"golang.org/x/exp/slices"
+)
+
+// upstreamConfigValidator parses the [*proxy.UpstreamConfig] and checks the
+// actual DNS availability of each upstream.
+type upstreamConfigValidator struct {
+	// general is the general upstream configuration.
+	general []*upstreamResult
+
+	// fallback is the fallback upstream configuration.
+	fallback []*upstreamResult
+
+	// private is the private upstream configuration.
+	private []*upstreamResult
+}
+
+// upstreamResult is a result of validation of an [upstream.Upstream] within an
+// [proxy.UpstreamConfig].
+type upstreamResult struct {
+	// server is the parsed upstream.  It is nil when there was an error during
+	// parsing.
+	server upstream.Upstream
+
+	// err is the error either from parsing or from checking the upstream.
+	err error
+
+	// original is the piece of configuration that have either been turned to an
+	// upstream or caused an error.
+	original string
+
+	// isSpecific is true if the upstream is domain-specific.
+	isSpecific bool
+}
+
+// compare compares two [upstreamResult]s.  It returns 0 if they are equal, -1
+// if ur should be sorted before other, and 1 otherwise.
+//
+// TODO(e.burkov):  Perhaps it makes sense to sort the results with errors near
+// the end.
+func (ur *upstreamResult) compare(other *upstreamResult) (res int) {
+	return strings.Compare(ur.original, other.original)
+}
+
+// newUpstreamConfigValidator parses the upstream configuration and returns a
+// validator for it.  cv already contains the parsed upstreams along with errors
+// related.
+func newUpstreamConfigValidator(
+	general []string,
+	fallback []string,
+	private []string,
+	opts *upstream.Options,
+) (cv *upstreamConfigValidator) {
+	cv = &upstreamConfigValidator{}
+
+	for _, line := range general {
+		cv.general = cv.insertLineResults(cv.general, line, opts)
+	}
+	for _, line := range fallback {
+		cv.fallback = cv.insertLineResults(cv.fallback, line, opts)
+	}
+	for _, line := range private {
+		cv.private = cv.insertLineResults(cv.private, line, opts)
+	}
+
+	return cv
+}
+
+// insertLineResults parses line and inserts the result into s.  It can insert
+// multiple results as well as none.
+func (cv *upstreamConfigValidator) insertLineResults(
+	s []*upstreamResult,
+	line string,
+	opts *upstream.Options,
+) (result []*upstreamResult) {
+	upstreams, isSpecific, err := splitUpstreamLine(line)
+	if err != nil {
+		return cv.insert(s, &upstreamResult{
+			err:      err,
+			original: line,
+		})
+	}
+
+	for _, upstreamAddr := range upstreams {
+		var res *upstreamResult
+		if upstreamAddr != "#" {
+			res = cv.parseUpstream(upstreamAddr, opts)
+		} else if !isSpecific {
+			res = &upstreamResult{
+				err:      errNotDomainSpecific,
+				original: upstreamAddr,
+			}
+		} else {
+			continue
+		}
+
+		res.isSpecific = isSpecific
+		s = cv.insert(s, res)
+	}
+
+	return s
+}
+
+// insert inserts r into slice in a sorted order, except duplicates.  slice must
+// not be nil.
+func (cv *upstreamConfigValidator) insert(
+	s []*upstreamResult,
+	r *upstreamResult,
+) (result []*upstreamResult) {
+	i, has := slices.BinarySearchFunc(s, r, (*upstreamResult).compare)
+	if has {
+		log.Debug("dnsforward: duplicate configuration %q", r.original)
+
+		return s
+	}
+
+	return slices.Insert(s, i, r)
+}
+
+// parseUpstream parses addr and returns the result of parsing.  It returns nil
+// if the specified server points at the default upstream server which is
+// validated separately.
+func (cv *upstreamConfigValidator) parseUpstream(
+	addr string,
+	opts *upstream.Options,
+) (r *upstreamResult) {
+	// Check if the upstream has a valid protocol prefix.
+	//
+	// TODO(e.burkov):  Validate the domain name.
+	if proto, _, ok := strings.Cut(addr, "://"); ok {
+		if !slices.Contains(protocols, proto) {
+			return &upstreamResult{
+				err:      fmt.Errorf("bad protocol %q", proto),
+				original: addr,
+			}
+		}
+	}
+
+	ups, err := upstream.AddressToUpstream(addr, opts)
+
+	return &upstreamResult{
+		server:   ups,
+		err:      err,
+		original: addr,
+	}
+}
+
+// check tries to exchange with each successfully parsed upstream and enriches
+// the results with the healthcheck errors.  It should not be called after the
+// [upsConfValidator.close] method, since it makes no sense to check the closed
+// upstreams.
+func (cv *upstreamConfigValidator) check() {
+	const (
+		// testTLD is the special-use fully-qualified domain name for testing
+		// the DNS server reachability.
+		//
+		// See https://datatracker.ietf.org/doc/html/rfc6761#section-6.2.
+		testTLD = "test."
+
+		// inAddrARPATLD is the special-use fully-qualified domain name for PTR
+		// IP address resolution.
+		//
+		// See https://datatracker.ietf.org/doc/html/rfc1035#section-3.5.
+		inAddrARPATLD = "in-addr.arpa."
+	)
+
+	commonChecker := &healthchecker{
+		hostname: testTLD,
+		qtype:    dns.TypeA,
+		ansEmpty: true,
+	}
+
+	arpaChecker := &healthchecker{
+		hostname: inAddrARPATLD,
+		qtype:    dns.TypePTR,
+		ansEmpty: false,
+	}
+
+	wg := &sync.WaitGroup{}
+	wg.Add(len(cv.general) + len(cv.fallback) + len(cv.private))
+
+	for _, res := range cv.general {
+		go cv.checkSrv(res, wg, commonChecker)
+	}
+	for _, res := range cv.fallback {
+		go cv.checkSrv(res, wg, commonChecker)
+	}
+	for _, res := range cv.private {
+		go cv.checkSrv(res, wg, arpaChecker)
+	}
+
+	wg.Wait()
+}
+
+// checkSrv runs hc on the server from res, if any, and stores any occurred
+// error in res.  wg is always marked done in the end.  It used to be called in
+// a separate goroutine.
+func (cv *upstreamConfigValidator) checkSrv(
+	res *upstreamResult,
+	wg *sync.WaitGroup,
+	hc *healthchecker,
+) {
+	defer wg.Done()
+
+	if res.server == nil {
+		return
+	}
+
+	res.err = hc.check(res.server)
+	if res.err != nil && res.isSpecific {
+		res.err = domainSpecificTestError{Err: res.err}
+	}
+}
+
+// close closes all the upstreams that were successfully parsed.  It enriches
+// the results with deferred closing errors.
+func (cv *upstreamConfigValidator) close() {
+	for _, slice := range [][]*upstreamResult{cv.general, cv.fallback, cv.private} {
+		for _, r := range slice {
+			if r.server != nil {
+				r.err = errors.WithDeferred(r.err, r.server.Close())
+			}
+		}
+	}
+}
+
+// status returns all the data collected during parsing, healthcheck, and
+// closing of the upstreams.  The returned map is keyed by the original upstream
+// configuration piece and contains the corresponding error or "OK" if there was
+// no error.
+func (cv *upstreamConfigValidator) status() (results map[string]string) {
+	result := map[string]string{}
+
+	for _, res := range cv.general {
+		resultToStatus("general", res, result)
+	}
+	for _, res := range cv.fallback {
+		resultToStatus("fallback", res, result)
+	}
+	for _, res := range cv.private {
+		resultToStatus("private", res, result)
+	}
+
+	return result
+}
+
+// resultToStatus puts "OK" or an error message from res into resMap.  section
+// is the name of the upstream configuration section, i.e. "general",
+// "fallback", or "private", and only used for logging.
+//
+// TODO(e.burkov):  Currently, the HTTP handler expects that all the results are
+// put together in a single map, which may lead to collisions, see AG-27539.
+// Improve the results compilation.
+func resultToStatus(section string, res *upstreamResult, resMap map[string]string) {
+	val := "OK"
+	if res.err != nil {
+		val = res.err.Error()
+	}
+
+	prevVal := resMap[res.original]
+	switch prevVal {
+	case "":
+		resMap[res.original] = val
+	case val:
+		log.Debug("dnsforward: duplicating %s config line %q", section, res.original)
+	default:
+		log.Debug(
+			"dnsforward: warning: %s config line %q (%v) had different result %v",
+			section,
+			val,
+			res.original,
+			prevVal,
+		)
+	}
+}
+
+// domainSpecificTestError is a wrapper for errors returned by checkDNS to mark
+// the tested upstream domain-specific and therefore consider its errors
+// non-critical.
+//
+// TODO(a.garipov):  Some common mechanism of distinguishing between errors and
+// warnings (non-critical errors) is desired.
+type domainSpecificTestError struct {
+	// Err is the actual error occurred during healthcheck test.
+	Err error
+}
+
+// type check
+var _ error = domainSpecificTestError{}
+
+// Error implements the [error] interface for domainSpecificTestError.
+func (err domainSpecificTestError) Error() (msg string) {
+	return fmt.Sprintf("WARNING: %s", err.Err)
+}
+
+// type check
+var _ errors.Wrapper = domainSpecificTestError{}
+
+// Unwrap implements the [errors.Wrapper] interface for domainSpecificTestError.
+func (err domainSpecificTestError) Unwrap() (wrapped error) {
+	return err.Err
+}
+
+// healthchecker checks the upstream's status by exchanging with it.
+type healthchecker struct {
+	// hostname is the name of the host to put into healthcheck DNS request.
+	hostname string
+
+	// qtype is the type of DNS request to use for healthcheck.
+	qtype uint16
+
+	// ansEmpty defines if the answer section within the response is expected to
+	// be empty.
+	ansEmpty bool
+}
+
+// check exchanges with u and validates the response.
+func (h *healthchecker) check(u upstream.Upstream) (err error) {
+	req := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:               dns.Id(),
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{{
+			Name:   h.hostname,
+			Qtype:  h.qtype,
+			Qclass: dns.ClassINET,
+		}},
+	}
+
+	reply, err := u.Exchange(req)
+	if err != nil {
+		return fmt.Errorf("couldn't communicate with upstream: %w", err)
+	} else if h.ansEmpty && len(reply.Answer) > 0 {
+		return errWrongResponse
+	}
+
+	return nil
+}

internal/dnsforward/dialcontext.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
+	"strconv"
 	"time"
 
 	"github.com/AdguardTeam/golibs/errors"
@@ -11,10 +13,12 @@ import (
 )
 
 // DialContext is an [aghnet.DialContextFunc] that uses s to resolve hostnames.
+// addr should be a valid host:port address, where host could be a domain name
+// or an IP address.
 func (s *Server) DialContext(ctx context.Context, network, addr string) (conn net.Conn, err error) {
 	log.Debug("dnsforward: dialing %q for network %q", addr, network)
 
-	host, port, err := net.SplitHostPort(addr)
+	host, portStr, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
@@ -28,21 +32,24 @@ func (s *Server) DialContext(ctx context.Context, network, addr string) (conn ne
 		return dialer.DialContext(ctx, network, addr)
 	}
 
-	addrs, err := s.Resolve(host)
+	port, err := strconv.Atoi(portStr)
 	if err != nil {
-		return nil, fmt.Errorf("resolving %q: %w", host, err)
+		return nil, fmt.Errorf("invalid port %s: %w", portStr, err)
 	}
 
-	log.Debug("dnsforward: resolving %q: %v", host, addrs)
-
-	if len(addrs) == 0 {
+	ips, err := s.Resolve(ctx, network, host)
+	if err != nil {
+		return nil, fmt.Errorf("resolving %q: %w", host, err)
+	} else if len(ips) == 0 {
 		return nil, fmt.Errorf("no addresses for host %q", host)
 	}
 
+	log.Debug("dnsforward: resolved %q: %v", host, ips)
+
 	var dialErrs []error
-	for _, a := range addrs {
-		addr = net.JoinHostPort(a.String(), port)
-		conn, err = dialer.DialContext(ctx, network, addr)
+	for _, ip := range ips {
+		addrPort := netip.AddrPortFrom(ip, uint16(port))
+		conn, err = dialer.DialContext(ctx, network, addrPort.String())
 		if err != nil {
 			dialErrs = append(dialErrs, err)
 

internal/dnsforward/dnsforward.go

@@ -2,6 +2,7 @@
 package dnsforward
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net"
@@ -35,6 +36,11 @@ import (
 // DefaultTimeout is the default upstream timeout
 const DefaultTimeout = 10 * time.Second
 
+// defaultLocalTimeout is the default timeout for resolving addresses from
+// locally-served networks.  It is assumed that local resolvers should work much
+// faster than ordinary upstreams.
+const defaultLocalTimeout = 1 * time.Second
+
 // defaultClientIDCacheCount is the default count of items in the LRU ClientID
 // cache.  The assumption here is that there won't be more than this many
 // requests between the BeforeRequestHandler stage and the actual processing.
@@ -241,7 +247,6 @@ func NewServer(p DNSCreateParams) (s *Server, err error) {
 		privateNets: p.PrivateNets,
 		// TODO(e.burkov):  Use some case-insensitive string comparison.
 		localDomainSuffix: strings.ToLower(localDomainSuffix),
-		etcHosts:          p.EtcHosts,
 		recDetector:       newRecursionDetector(recursionTTL, cachedRecurrentReqNum),
 		clientIDCache: cache.New(cache.Config{
 			EnableLRU: true,
@@ -252,6 +257,9 @@ func NewServer(p DNSCreateParams) (s *Server, err error) {
 			ServePlainDNS: true,
 		},
 	}
+	if p.EtcHosts != nil {
+		s.etcHosts = p.EtcHosts
+	}
 
 	s.sysResolvers, err = sysresolv.NewSystemResolvers(nil, defaultPlainDNSPort)
 	if err != nil {
@@ -293,7 +301,7 @@ func (s *Server) WriteDiskConfig(c *Config) {
 
 	sc := s.conf.Config
 	*c = sc
-	c.RatelimitWhitelist = stringutil.CloneSlice(sc.RatelimitWhitelist)
+	c.RatelimitWhitelist = slices.Clone(sc.RatelimitWhitelist)
 	c.BootstrapDNS = stringutil.CloneSlice(sc.BootstrapDNS)
 	c.FallbackDNS = stringutil.CloneSlice(sc.FallbackDNS)
 	c.AllowedClients = stringutil.CloneSlice(sc.AllowedClients)
@@ -324,15 +332,14 @@ func (s *Server) AddrProcConfig() (c *client.DefaultAddrProcConfig) {
 	}
 }
 
-// Resolve - get IP addresses by host name from an upstream server.
-// No request/response filtering is performed.
-// Query log and Stats are not updated.
-// This method may be called before Start().
-func (s *Server) Resolve(host string) ([]net.IPAddr, error) {
+// Resolve gets IP addresses by host name from an upstream server.  No
+// request/response filtering is performed.  Query log and Stats are not
+// updated.  This method may be called before [Server.Start].
+func (s *Server) Resolve(ctx context.Context, net, host string) (addr []netip.Addr, err error) {
 	s.serverLock.RLock()
 	defer s.serverLock.RUnlock()
 
-	return s.internalProxy.LookupIPAddr(host)
+	return s.internalProxy.LookupNetIP(ctx, net, host)
 }
 
 const (
@@ -459,11 +466,6 @@ func (s *Server) startLocked() error {
 	return err
 }
 
-// defaultLocalTimeout is the default timeout for resolving addresses from
-// locally-served networks.  It is assumed that local resolvers should work much
-// faster than ordinary upstreams.
-const defaultLocalTimeout = 1 * time.Second
-
 // setupLocalResolvers initializes the resolvers for local addresses.  It
 // assumes s.serverLock is locked or the Server not running.
 func (s *Server) setupLocalResolvers(boot upstream.Resolver) (err error) {
@@ -601,7 +603,7 @@ func (s *Server) prepareInternalDNS() (boot upstream.Resolver, err error) {
 		return nil, err
 	}
 
-	err = s.prepareUpstreamSettings(boot)
+	err = s.prepareUpstreamSettings(s.bootstrap)
 	if err != nil {
 		// Don't wrap the error, because it's informative enough as is.
 		return s.bootstrap, err

internal/dnsforward/dnsforward_test.go

@@ -54,13 +54,10 @@ const (
 	testMessagesCount = 10
 )
 
-// testClientAddr is the common net.Addr for tests.
+// testClientAddrPort is the common net.Addr for tests.
 //
 // TODO(a.garipov): Use more.
-var testClientAddr net.Addr = &net.TCPAddr{
-	IP:   net.IP{1, 2, 3, 4},
-	Port: 12345,
-}
+var testClientAddrPort = netip.MustParseAddrPort("1.2.3.4:12345")
 
 func startDeferStop(t *testing.T, s *Server) {
 	t.Helper()

internal/dnsforward/filter.go

@@ -10,7 +10,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 	"golang.org/x/exp/slices"
@@ -28,8 +27,7 @@ func (s *Server) beforeRequestHandler(
 		return false, fmt.Errorf("getting clientid: %w", err)
 	}
 
-	addrPort := netutil.NetAddrToAddrPort(pctx.Addr)
-	blocked, _ := s.IsBlockedClient(addrPort.Addr(), clientID)
+	blocked, _ := s.IsBlockedClient(pctx.Addr.Addr(), clientID)
 	if blocked {
 		return s.preBlockedResponse(pctx)
 	}
@@ -60,8 +58,7 @@ func (s *Server) clientRequestFilteringSettings(dctx *dnsContext) (setts *filter
 	setts = s.dnsFilter.Settings()
 	setts.ProtectionEnabled = dctx.protectionEnabled
 	if s.conf.FilterHandler != nil {
-		addrPort := netutil.NetAddrToAddrPort(dctx.proxyCtx.Addr)
-		s.conf.FilterHandler(addrPort.Addr(), dctx.clientID, setts)
+		s.conf.FilterHandler(dctx.proxyCtx.Addr.Addr(), dctx.clientID, setts)
 	}
 
 	return setts

internal/dnsforward/filter_test.go

@@ -187,7 +187,7 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 		dctx := &proxy.DNSContext{
 			Proto: proxy.ProtoUDP,
 			Req:   tc.req,
-			Addr:  &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: 1},
+			Addr:  testClientAddrPort,
 		}
 
 		t.Run(tc.name, func(t *testing.T) {
@@ -326,7 +326,7 @@ func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
 				Proto: proxy.ProtoUDP,
 				Req:   tc.req,
 				Res:   resp,
-				Addr:  &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: 1},
+				Addr:  testClientAddrPort,
 			}
 
 			dctx := &dnsContext{

internal/dnsforward/http.go

@@ -4,23 +4,17 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/netip"
-	"strings"
-	"sync"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
-	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
-	"github.com/miekg/dns"
-	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
 )
 
@@ -58,7 +52,7 @@ type jsonDNSConfig struct {
 	RatelimitSubnetLenIPv6 *int `json:"ratelimit_subnet_len_ipv6"`
 
 	// RatelimitWhitelist is a list of IP addresses excluded from rate limiting.
-	RatelimitWhitelist *[]string `json:"ratelimit_whitelist"`
+	RatelimitWhitelist *[]netip.Addr `json:"ratelimit_whitelist"`
 
 	// BlockingMode defines the way blocked responses are constructed.
 	BlockingMode *filtering.BlockingMode `json:"blocking_mode"`
@@ -135,7 +129,7 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
 	ratelimit := s.conf.Ratelimit
 	ratelimitSubnetLenIPv4 := s.conf.RatelimitSubnetLenIPv4
 	ratelimitSubnetLenIPv6 := s.conf.RatelimitSubnetLenIPv6
-	ratelimitWhitelist := stringutil.CloneSliceOrEmpty(s.conf.RatelimitWhitelist)
+	ratelimitWhitelist := append([]netip.Addr{}, s.conf.RatelimitWhitelist...)
 
 	customIP := s.conf.EDNSClientSubnet.CustomIP
 	enableEDNSClientSubnet := s.conf.EDNSClientSubnet.Enabled
@@ -297,12 +291,6 @@ func (req *jsonDNSConfig) validate(privateNets netutil.SubnetSet) (err error) {
 		return err
 	}
 
-	err = req.checkRatelimitWhitelist()
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return err
-	}
-
 	err = req.checkBlockingMode()
 	if err != nil {
 		// Don't wrap the error since it's informative enough as is.
@@ -411,21 +399,6 @@ func checkInclusion(ptr *int, minN, maxN int) (err error) {
 	return nil
 }
 
-// checkRatelimitWhitelist returns an error if any of IP addresses is invalid.
-func (req *jsonDNSConfig) checkRatelimitWhitelist() (err error) {
-	if req.RatelimitWhitelist == nil {
-		return nil
-	}
-
-	for i, ipStr := range *req.RatelimitWhitelist {
-		if _, err = netip.ParseAddr(ipStr); err != nil {
-			return fmt.Errorf("ratelimit whitelist: at index %d: %w", i, err)
-		}
-	}
-
-	return nil
-}
-
 // handleSetConfig handles requests to the POST /control/dns_config endpoint.
 func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
 	req := &jsonDNSConfig{}
@@ -546,365 +519,6 @@ type upstreamJSON struct {
 	PrivateUpstreams []string `json:"private_upstream"`
 }
 
-// IsCommentOrEmpty returns true if s starts with a "#" character or is empty.
-// This function is useful for filtering out non-upstream lines from upstream
-// configs.
-func IsCommentOrEmpty(s string) (ok bool) {
-	return len(s) == 0 || s[0] == '#'
-}
-
-// newUpstreamConfig validates upstreams and returns an appropriate upstream
-// configuration or nil if it can't be built.
-//
-// TODO(e.burkov):  Perhaps proxy.ParseUpstreamsConfig should validate upstreams
-// slice already so that this function may be considered useless.
-func newUpstreamConfig(upstreams []string) (conf *proxy.UpstreamConfig, err error) {
-	// No need to validate comments and empty lines.
-	upstreams = stringutil.FilterOut(upstreams, IsCommentOrEmpty)
-	if len(upstreams) == 0 {
-		// Consider this case valid since it means the default server should be
-		// used.
-		return nil, nil
-	}
-
-	err = validateUpstreamConfig(upstreams)
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return nil, err
-	}
-
-	conf, err = proxy.ParseUpstreamsConfig(
-		upstreams,
-		&upstream.Options{
-			Bootstrap: net.DefaultResolver,
-			Timeout:   DefaultTimeout,
-		},
-	)
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return nil, err
-	} else if len(conf.Upstreams) == 0 {
-		return nil, errors.Error("no default upstreams specified")
-	}
-
-	return conf, nil
-}
-
-// validateUpstreamConfig validates each upstream from the upstream
-// configuration and returns an error if any upstream is invalid.
-//
-// TODO(e.burkov):  Move into aghnet or even into dnsproxy.
-func validateUpstreamConfig(conf []string) (err error) {
-	for _, u := range conf {
-		var ups []string
-		var domains []string
-		ups, domains, err = separateUpstream(u)
-		if err != nil {
-			// Don't wrap the error since it's informative enough as is.
-			return err
-		}
-
-		for _, addr := range ups {
-			_, err = validateUpstream(addr, domains)
-			if err != nil {
-				return fmt.Errorf("validating upstream %q: %w", addr, err)
-			}
-		}
-	}
-
-	return nil
-}
-
-// ValidateUpstreams validates each upstream and returns an error if any
-// upstream is invalid or if there are no default upstreams specified.
-//
-// TODO(e.burkov):  Move into aghnet or even into dnsproxy.
-func ValidateUpstreams(upstreams []string) (err error) {
-	_, err = newUpstreamConfig(upstreams)
-
-	return err
-}
-
-// ValidateUpstreamsPrivate validates each upstream and returns an error if any
-// upstream is invalid or if there are no default upstreams specified.  It also
-// checks each domain of domain-specific upstreams for being ARPA pointing to
-// a locally-served network.  privateNets must not be nil.
-func ValidateUpstreamsPrivate(upstreams []string, privateNets netutil.SubnetSet) (err error) {
-	conf, err := newUpstreamConfig(upstreams)
-	if err != nil {
-		return fmt.Errorf("creating config: %w", err)
-	}
-
-	if conf == nil {
-		return nil
-	}
-
-	keys := maps.Keys(conf.DomainReservedUpstreams)
-	slices.Sort(keys)
-
-	var errs []error
-	for _, domain := range keys {
-		var subnet netip.Prefix
-		subnet, err = extractARPASubnet(domain)
-		if err != nil {
-			errs = append(errs, err)
-
-			continue
-		}
-
-		if !privateNets.Contains(subnet.Addr().AsSlice()) {
-			errs = append(
-				errs,
-				fmt.Errorf("arpa domain %q should point to a locally-served network", domain),
-			)
-		}
-	}
-
-	return errors.Annotate(errors.Join(errs...), "checking domain-specific upstreams: %w")
-}
-
-var protocols = []string{
-	"h3://",
-	"https://",
-	"quic://",
-	"sdns://",
-	"tcp://",
-	"tls://",
-	"udp://",
-}
-
-// validateUpstream returns an error if u alongside with domains is not a valid
-// upstream configuration.  useDefault is true if the upstream is
-// domain-specific and is configured to point at the default upstream server
-// which is validated separately.  The upstream is considered domain-specific
-// only if domains is at least not nil.
-func validateUpstream(u string, domains []string) (useDefault bool, err error) {
-	// The special server address '#' means that default server must be used.
-	if useDefault = u == "#" && domains != nil; useDefault {
-		return useDefault, nil
-	}
-
-	// Check if the upstream has a valid protocol prefix.
-	//
-	// TODO(e.burkov):  Validate the domain name.
-	for _, proto := range protocols {
-		if strings.HasPrefix(u, proto) {
-			return false, nil
-		}
-	}
-
-	if proto, _, ok := strings.Cut(u, "://"); ok {
-		return false, fmt.Errorf("bad protocol %q", proto)
-	}
-
-	// Check if upstream is either an IP or IP with port.
-	if _, err = netip.ParseAddr(u); err == nil {
-		return false, nil
-	} else if _, err = netip.ParseAddrPort(u); err == nil {
-		return false, nil
-	}
-
-	return false, err
-}
-
-// separateUpstream returns the upstreams and the specified domains.  domains
-// is nil when the upstream is not domains-specific.  Otherwise it may also be
-// empty.
-func separateUpstream(upstreamStr string) (upstreams, domains []string, err error) {
-	if !strings.HasPrefix(upstreamStr, "[/") {
-		return []string{upstreamStr}, nil, nil
-	}
-
-	defer func() { err = errors.Annotate(err, "bad upstream for domain %q: %w", upstreamStr) }()
-
-	parts := strings.Split(upstreamStr[2:], "/]")
-	switch len(parts) {
-	case 2:
-		// Go on.
-	case 1:
-		return nil, nil, errors.Error("missing separator")
-	default:
-		return nil, nil, errors.Error("duplicated separator")
-	}
-
-	for i, host := range strings.Split(parts[0], "/") {
-		if host == "" {
-			continue
-		}
-
-		err = netutil.ValidateDomainName(strings.TrimPrefix(host, "*."))
-		if err != nil {
-			return nil, nil, fmt.Errorf("domain at index %d: %w", i, err)
-		}
-
-		domains = append(domains, host)
-	}
-
-	return strings.Fields(parts[1]), domains, nil
-}
-
-// healthCheckFunc is a signature of function to check if upstream exchanges
-// properly.
-type healthCheckFunc func(u upstream.Upstream) (err error)
-
-// checkDNSUpstreamExc checks if the DNS upstream exchanges correctly.
-func checkDNSUpstreamExc(u upstream.Upstream) (err error) {
-	// testTLD is the special-use fully-qualified domain name for testing the
-	// DNS server reachability.
-	//
-	// See https://datatracker.ietf.org/doc/html/rfc6761#section-6.2.
-	const testTLD = "test."
-
-	req := &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:               dns.Id(),
-			RecursionDesired: true,
-		},
-		Question: []dns.Question{{
-			Name:   testTLD,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}},
-	}
-
-	var reply *dns.Msg
-	reply, err = u.Exchange(req)
-	if err != nil {
-		return fmt.Errorf("couldn't communicate with upstream: %w", err)
-	} else if len(reply.Answer) != 0 {
-		return errors.Error("wrong response")
-	}
-
-	return nil
-}
-
-// checkPrivateUpstreamExc checks if the upstream for resolving private
-// addresses exchanges correctly.
-//
-// TODO(e.burkov):  Think about testing the ip6.arpa. as well.
-func checkPrivateUpstreamExc(u upstream.Upstream) (err error) {
-	// inAddrArpaTLD is the special-use fully-qualified domain name for PTR IP
-	// address resolution.
-	//
-	// See https://datatracker.ietf.org/doc/html/rfc1035#section-3.5.
-	const inAddrArpaTLD = "in-addr.arpa."
-
-	req := &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:               dns.Id(),
-			RecursionDesired: true,
-		},
-		Question: []dns.Question{{
-			Name:   inAddrArpaTLD,
-			Qtype:  dns.TypePTR,
-			Qclass: dns.ClassINET,
-		}},
-	}
-
-	if _, err = u.Exchange(req); err != nil {
-		return fmt.Errorf("couldn't communicate with upstream: %w", err)
-	}
-
-	return nil
-}
-
-// domainSpecificTestError is a wrapper for errors returned by checkDNS to mark
-// the tested upstream domain-specific and therefore consider its errors
-// non-critical.
-//
-// TODO(a.garipov):  Some common mechanism of distinguishing between errors and
-// warnings (non-critical errors) is desired.
-type domainSpecificTestError struct {
-	error
-}
-
-// Error implements the [error] interface for domainSpecificTestError.
-func (err domainSpecificTestError) Error() (msg string) {
-	return fmt.Sprintf("WARNING: %s", err.error)
-}
-
-// checkDNS parses line, creates DNS upstreams using opts, and checks if the
-// upstreams are exchanging correctly.  It saves the result into a sync.Map
-// where key is an upstream address and value is "OK", if the upstream
-// exchanges correctly, or text of the error.  It is intended to be used as a
-// goroutine.
-//
-// TODO(s.chzhen):  Separate to a different structure/file.
-func (s *Server) checkDNS(
-	line string,
-	opts *upstream.Options,
-	check healthCheckFunc,
-	wg *sync.WaitGroup,
-	m *sync.Map,
-) {
-	defer wg.Done()
-	defer log.OnPanic("dnsforward: checking upstreams")
-
-	upstreams, domains, err := separateUpstream(line)
-	if err != nil {
-		err = fmt.Errorf("wrong upstream format: %w", err)
-		m.Store(line, err.Error())
-
-		return
-	}
-
-	specific := len(domains) > 0
-
-	for _, upstreamAddr := range upstreams {
-		var useDefault bool
-		useDefault, err = validateUpstream(upstreamAddr, domains)
-		if err != nil {
-			err = fmt.Errorf("wrong upstream format: %w", err)
-			m.Store(upstreamAddr, err.Error())
-
-			continue
-		}
-
-		if useDefault {
-			continue
-		}
-
-		log.Debug("dnsforward: checking if upstream %q works", upstreamAddr)
-
-		err = s.checkUpstreamAddr(upstreamAddr, specific, opts, check)
-		if err != nil {
-			m.Store(upstreamAddr, err.Error())
-		} else {
-			m.Store(upstreamAddr, "OK")
-		}
-	}
-}
-
-// checkUpstreamAddr creates the DNS upstream using opts and information from
-// [s.dnsFilter.EtcHosts].  Checks if the DNS upstream exchanges correctly.  It
-// returns an error if addr is not valid DNS upstream address or the upstream
-// is not exchanging correctly.
-func (s *Server) checkUpstreamAddr(
-	addr string,
-	specific bool,
-	opts *upstream.Options,
-	check healthCheckFunc,
-) (err error) {
-	defer func() {
-		if err != nil && specific {
-			err = domainSpecificTestError{error: err}
-		}
-	}()
-
-	u, err := upstream.AddressToUpstream(addr, &upstream.Options{
-		Bootstrap:  opts.Bootstrap,
-		Timeout:    opts.Timeout,
-		PreferIPv6: opts.PreferIPv6,
-	})
-	if err != nil {
-		return fmt.Errorf("creating upstream for %q: %w", addr, err)
-	}
-
-	defer func() { err = errors.WithDeferred(err, u.Close()) }()
-
-	return check(u)
-}
-
 // closeBoots closes all the provided bootstrap servers and logs errors if any.
 func closeBoots(boots []*upstream.UpstreamResolver) {
 	for _, c := range boots {
@@ -942,36 +556,11 @@ func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) {
 	}
 	defer closeBoots(boots)
 
-	wg := &sync.WaitGroup{}
-	m := &sync.Map{}
+	cv := newUpstreamConfigValidator(req.Upstreams, req.FallbackDNS, req.PrivateUpstreams, opts)
+	cv.check()
+	cv.close()
 
-	wg.Add(len(req.Upstreams) + len(req.FallbackDNS) + len(req.PrivateUpstreams))
-
-	for _, ups := range req.Upstreams {
-		go s.checkDNS(ups, opts, checkDNSUpstreamExc, wg, m)
-	}
-	for _, ups := range req.FallbackDNS {
-		go s.checkDNS(ups, opts, checkDNSUpstreamExc, wg, m)
-	}
-	for _, ups := range req.PrivateUpstreams {
-		go s.checkDNS(ups, opts, checkPrivateUpstreamExc, wg, m)
-	}
-
-	wg.Wait()
-
-	result := map[string]string{}
-	m.Range(func(k, v any) bool {
-		// TODO(e.burkov):  The upstreams used for both common and private
-		// resolving should be reported separately.
-		ups := k.(string)
-		status := v.(string)
-
-		result[ups] = status
-
-		return true
-	})
-
-	aghhttp.WriteJSONResponseOK(w, r, result)
+	aghhttp.WriteJSONResponseOK(w, r, cv.status())
 }
 
 // handleCacheClear is the handler for the POST /control/cache_clear HTTP API.

internal/dnsforward/http_test.go

@@ -195,9 +195,8 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		name:    "ratelimit_subnet_len",
 		wantSet: "",
 	}, {
-		name: "ratelimit_whitelist_not_ip",
-		wantSet: `validating dns config: ratelimit whitelist: at index 1: ParseAddr("not.ip"): ` +
-			`unexpected character (at "not.ip")`,
+		name:    "ratelimit_whitelist_not_ip",
+		wantSet: `decoding request: ParseAddr("not.ip"): unexpected character (at "not.ip")`,
 	}, {
 		name:    "edns_cs_enabled",
 		wantSet: "",
@@ -363,7 +362,7 @@ func TestValidateUpstreams(t *testing.T) {
 		set:     []string{"123.3.7m"},
 	}, {
 		name: "invalid",
-		wantErr: `bad upstream for domain "[/host.com]tls://dns.adguard.com": ` +
+		wantErr: `splitting upstream line "[/host.com]tls://dns.adguard.com": ` +
 			`missing separator`,
 		set: []string{"[/host.com]tls://dns.adguard.com"},
 	}, {
@@ -389,7 +388,7 @@ func TestValidateUpstreams(t *testing.T) {
 		},
 	}, {
 		name: "bad_domain",
-		wantErr: `bad upstream for domain "[/!/]8.8.8.8": domain at index 0: ` +
+		wantErr: `splitting upstream line "[/!/]8.8.8.8": domain at index 0: ` +
 			`bad domain name "!": bad top-level domain name label "!": ` +
 			`bad top-level domain name label rune '!'`,
 		set: []string{"[/!/]8.8.8.8"},
@@ -477,25 +476,15 @@ func newLocalUpstreamListener(t *testing.T, port uint16, handler dns.Handler) (r
 }
 
 func TestServer_HandleTestUpstreamDNS(t *testing.T) {
-	goodHandler := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
+	hdlr := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
 		err := w.WriteMsg(new(dns.Msg).SetReply(m))
 		require.NoError(testutil.PanicT{}, err)
 	})
-	badHandler := dns.HandlerFunc(func(w dns.ResponseWriter, _ *dns.Msg) {
-		err := w.WriteMsg(new(dns.Msg))
-		require.NoError(testutil.PanicT{}, err)
-	})
 
-	goodUps := (&url.URL{
+	ups := (&url.URL{
 		Scheme: "tcp",
-		Host:   newLocalUpstreamListener(t, 0, goodHandler).String(),
+		Host:   newLocalUpstreamListener(t, 0, hdlr).String(),
 	}).String()
-	badUps := (&url.URL{
-		Scheme: "tcp",
-		Host:   newLocalUpstreamListener(t, 0, badHandler).String(),
-	}).String()
-
-	goodAndBadUps := strings.Join([]string{goodUps, badUps}, " ")
 
 	const (
 		upsTimeout = 100 * time.Millisecond
@@ -504,7 +493,7 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 		upstreamHost  = "custom.localhost"
 	)
 
-	hostsListener := newLocalUpstreamListener(t, 0, goodHandler)
+	hostsListener := newLocalUpstreamListener(t, 0, hdlr)
 	hostsUps := (&url.URL{
 		Scheme: "tcp",
 		Host:   netutil.JoinHostPort(upstreamHost, hostsListener.Port()),
@@ -545,43 +534,6 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 		wantResp map[string]any
 		name     string
 	}{{
-		body: map[string]any{
-			"upstream_dns": []string{goodUps},
-		},
-		wantResp: map[string]any{
-			goodUps: "OK",
-		},
-		name: "success",
-	}, {
-		body: map[string]any{
-			"upstream_dns": []string{badUps},
-		},
-		wantResp: map[string]any{
-			badUps: `couldn't communicate with upstream: exchanging with ` +
-				badUps + ` over tcp: dns: id mismatch`,
-		},
-		name: "broken",
-	}, {
-		body: map[string]any{
-			"upstream_dns": []string{goodUps, badUps},
-		},
-		wantResp: map[string]any{
-			goodUps: "OK",
-			badUps: `couldn't communicate with upstream: exchanging with ` +
-				badUps + ` over tcp: dns: id mismatch`,
-		},
-		name: "both",
-	}, {
-		body: map[string]any{
-			"upstream_dns": []string{"[/domain.example/]" + badUps},
-		},
-		wantResp: map[string]any{
-			badUps: `WARNING: couldn't communicate ` +
-				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
-				`dns: id mismatch`,
-		},
-		name: "domain_specific_error",
-	}, {
 		body: map[string]any{
 			"upstream_dns": []string{hostsUps},
 		},
@@ -591,63 +543,12 @@ func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 		name: "etc_hosts",
 	}, {
 		body: map[string]any{
-			"fallback_dns": []string{goodUps},
+			"upstream_dns": []string{ups, "#this.is.comment"},
 		},
 		wantResp: map[string]any{
-			goodUps: "OK",
+			ups: "OK",
 		},
-		name: "fallback_success",
-	}, {
-		body: map[string]any{
-			"fallback_dns": []string{badUps},
-		},
-		wantResp: map[string]any{
-			badUps: `couldn't communicate with upstream: exchanging with ` +
-				badUps + ` over tcp: dns: id mismatch`,
-		},
-		name: "fallback_broken",
-	}, {
-		body: map[string]any{
-			"fallback_dns": []string{goodUps, "#this.is.comment"},
-		},
-		wantResp: map[string]any{
-			goodUps: "OK",
-		},
-		name: "fallback_comment_mix",
-	}, {
-		body: map[string]any{
-			"upstream_dns": []string{"[/domain.example/]" + goodUps + " " + badUps},
-		},
-		wantResp: map[string]any{
-			goodUps: "OK",
-			badUps: `WARNING: couldn't communicate ` +
-				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
-				`dns: id mismatch`,
-		},
-		name: "multiple_domain_specific_upstreams",
-	}, {
-		body: map[string]any{
-			"upstream_dns": []string{"[/domain.example/]/]1.2.3.4"},
-		},
-		wantResp: map[string]any{
-			"[/domain.example/]/]1.2.3.4": `wrong upstream format: ` +
-				`bad upstream for domain "[/domain.example/]/]1.2.3.4": ` +
-				`duplicated separator`,
-		},
-		name: "bad_specification",
-	}, {
-		body: map[string]any{
-			"upstream_dns":     []string{"[/domain.example/]" + goodAndBadUps},
-			"fallback_dns":     []string{"[/domain.example/]" + goodAndBadUps},
-			"private_upstream": []string{"[/domain.example/]" + goodAndBadUps},
-		},
-		wantResp: map[string]any{
-			goodUps: "OK",
-			badUps: `WARNING: couldn't communicate ` +
-				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
-				`dns: id mismatch`,
-		},
-		name: "all_different",
+		name: "comment_mix",
 	}}
 
 	for _, tc := range testCases {

internal/dnsforward/process.go

@@ -191,7 +191,7 @@ func (s *Server) processInitial(dctx *dnsContext) (rc resultCode) {
 	defer log.Debug("dnsforward: finished processing initial")
 
 	pctx := dctx.proxyCtx
-	s.processClientIP(pctx.Addr)
+	s.processClientIP(pctx.Addr.Addr())
 
 	q := pctx.Req.Question[0]
 	qt := q.Qtype
@@ -228,9 +228,8 @@ func (s *Server) processInitial(dctx *dnsContext) (rc resultCode) {
 }
 
 // processClientIP sends the client IP address to s.addrProc, if needed.
-func (s *Server) processClientIP(addr net.Addr) {
-	clientIP := netutil.NetAddrToAddrPort(addr).Addr()
-	if clientIP == (netip.Addr{}) {
+func (s *Server) processClientIP(addr netip.Addr) {
+	if !addr.IsValid() {
 		log.Info("dnsforward: warning: bad client addr %q", addr)
 
 		return
@@ -241,7 +240,7 @@ func (s *Server) processClientIP(addr net.Addr) {
 	s.serverLock.RLock()
 	defer s.serverLock.RUnlock()
 
-	s.addrProc.Process(clientIP)
+	s.addrProc.Process(addr)
 }
 
 // processDDRQuery responds to Discovery of Designated Resolvers (DDR) SVCB
@@ -351,12 +350,7 @@ func (s *Server) processDetermineLocal(dctx *dnsContext) (rc resultCode) {
 
 	rc = resultCodeSuccess
 
-	var ip net.IP
-	if ip, _ = netutil.IPAndPortFromAddr(dctx.proxyCtx.Addr); ip == nil {
-		return rc
-	}
-
-	dctx.isLocalClient = s.privateNets.Contains(ip)
+	dctx.isLocalClient = s.privateNets.Contains(dctx.proxyCtx.Addr.Addr().AsSlice())
 
 	return rc
 }
@@ -831,12 +825,12 @@ func (s *Server) dhcpHostFromRequest(q *dns.Question) (reqHost string) {
 
 // setCustomUpstream sets custom upstream settings in pctx, if necessary.
 func (s *Server) setCustomUpstream(pctx *proxy.DNSContext, clientID string) {
-	if pctx.Addr == nil || s.conf.ClientsContainer == nil {
+	if !pctx.Addr.IsValid() || s.conf.ClientsContainer == nil {
 		return
 	}
 
 	// Use the ClientID first, since it has a higher priority.
-	id := stringutil.Coalesce(clientID, ipStringFromAddr(pctx.Addr))
+	id := stringutil.Coalesce(clientID, pctx.Addr.Addr().String())
 	upsConf, err := s.conf.ClientsContainer.UpstreamConfigByID(id, s.bootstrap)
 	if err != nil {
 		log.Error("dnsforward: getting custom upstreams for client %s: %s", id, err)

internal/dnsforward/process_internal_test.go

@@ -97,14 +97,14 @@ func TestServer_ProcessInitial(t *testing.T) {
 			dctx := &dnsContext{
 				proxyCtx: &proxy.DNSContext{
 					Req:       createTestMessageWithType(tc.target, tc.qType),
-					Addr:      testClientAddr,
+					Addr:      testClientAddrPort,
 					RequestID: 1234,
 				},
 			}
 
 			gotRC := s.processInitial(dctx)
 			assert.Equal(t, tc.wantRC, gotRC)
-			assert.Equal(t, netutil.NetAddrToAddrPort(testClientAddr).Addr(), gotAddr)
+			assert.Equal(t, testClientAddrPort.Addr(), gotAddr)
 
 			if tc.wantRCode > 0 {
 				gotResp := dctx.proxyCtx.Res
@@ -201,7 +201,7 @@ func TestServer_ProcessFilteringAfterResponse(t *testing.T) {
 					Proto: proxy.ProtoUDP,
 					Req:   tc.req,
 					Res:   resp,
-					Addr:  testClientAddr,
+					Addr:  testClientAddrPort,
 				},
 			}
 
@@ -397,33 +397,27 @@ func TestServer_ProcessDetermineLocal(t *testing.T) {
 	}
 
 	testCases := []struct {
-		want  assert.BoolAssertionFunc
-		name  string
-		cliIP net.IP
+		want    assert.BoolAssertionFunc
+		name    string
+		cliAddr netip.AddrPort
 	}{{
-		want:  assert.True,
-		name:  "local",
-		cliIP: net.IP{192, 168, 0, 1},
+		want:    assert.True,
+		name:    "local",
+		cliAddr: netip.MustParseAddrPort("192.168.0.1:1"),
 	}, {
-		want:  assert.False,
-		name:  "external",
-		cliIP: net.IP{250, 249, 0, 1},
+		want:    assert.False,
+		name:    "external",
+		cliAddr: netip.MustParseAddrPort("250.249.0.1:1"),
 	}, {
-		want:  assert.False,
-		name:  "invalid",
-		cliIP: net.IP{1, 2, 3, 4, 5},
-	}, {
-		want:  assert.False,
-		name:  "nil",
-		cliIP: nil,
+		want:    assert.False,
+		name:    "invalid",
+		cliAddr: netip.AddrPort{},
 	}}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			proxyCtx := &proxy.DNSContext{
-				Addr: &net.TCPAddr{
-					IP: tc.cliIP,
-				},
+				Addr: tc.cliAddr,
 			}
 			dctx := &dnsContext{
 				proxyCtx: proxyCtx,
@@ -711,31 +705,31 @@ func TestServer_ProcessRestrictLocal(t *testing.T) {
 		name     string
 		want     string
 		question net.IP
-		cliIP    net.IP
+		cliAddr  netip.AddrPort
 		wantLen  int
 	}{{
 		name:     "from_local_to_external",
 		want:     "host1.example.net.",
 		question: net.IP{254, 253, 252, 251},
-		cliIP:    net.IP{192, 168, 10, 10},
+		cliAddr:  netip.MustParseAddrPort("192.168.10.10:1"),
 		wantLen:  1,
 	}, {
 		name:     "from_external_for_local",
 		want:     "",
 		question: net.IP{192, 168, 1, 1},
-		cliIP:    net.IP{254, 253, 252, 251},
+		cliAddr:  netip.MustParseAddrPort("254.253.252.251:1"),
 		wantLen:  0,
 	}, {
 		name:     "from_local_for_local",
 		want:     "some.local-client.",
 		question: net.IP{192, 168, 1, 1},
-		cliIP:    net.IP{192, 168, 1, 2},
+		cliAddr:  netip.MustParseAddrPort("192.168.1.2:1"),
 		wantLen:  1,
 	}, {
 		name:     "from_external_for_external",
 		want:     "host1.example.net.",
 		question: net.IP{254, 253, 252, 251},
-		cliIP:    net.IP{254, 253, 252, 255},
+		cliAddr:  netip.MustParseAddrPort("254.253.252.255:1"),
 		wantLen:  1,
 	}}
 
@@ -747,9 +741,7 @@ func TestServer_ProcessRestrictLocal(t *testing.T) {
 		pctx := &proxy.DNSContext{
 			Proto: proxy.ProtoTCP,
 			Req:   req,
-			Addr: &net.TCPAddr{
-				IP: tc.cliIP,
-			},
+			Addr:  tc.cliAddr,
 		}
 
 		t.Run(tc.name, func(t *testing.T) {
@@ -794,7 +786,7 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) {
 	var dnsCtx *dnsContext
 	setup := func(use bool) {
 		proxyCtx = &proxy.DNSContext{
-			Addr: testClientAddr,
+			Addr: testClientAddrPort,
 			Req:  createTestMessageWithType(reqAddr, dns.TypePTR),
 		}
 		dnsCtx = &dnsContext{

internal/dnsforward/stats.go

@@ -10,9 +10,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
 // Write Stats data and logs
@@ -25,13 +23,12 @@ func (s *Server) processQueryLogsAndStats(dctx *dnsContext) (rc resultCode) {
 	host := aghnet.NormalizeDomain(q.Name)
 	processingTime := time.Since(dctx.startTime)
 
-	ip, _ := netutil.IPAndPortFromAddr(pctx.Addr)
-	ip = slices.Clone(ip)
+	ip := pctx.Addr.Addr().AsSlice()
 	s.anonymizer.Load()(ip)
 
 	log.Debug("dnsforward: client ip for stats and querylog: %s", ip)
 
-	ipStr := ip.String()
+	ipStr := pctx.Addr.Addr().String()
 	ids := []string{ipStr, dctx.clientID}
 	qt, cl := q.Qtype, q.Qclass
 

internal/dnsforward/stats_test.go

@@ -1,7 +1,7 @@
 package dnsforward
 
 import (
-	"net"
+	"net/netip"
 	"testing"
 	"time"
 
@@ -65,7 +65,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name           string
 		domain         string
 		proto          proxy.Proto
-		addr           net.Addr
+		addr           netip.AddrPort
 		clientID       string
 		wantLogProto   querylog.ClientProto
 		wantStatClient string
@@ -76,7 +76,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp",
 		domain:         domain,
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   "",
 		wantStatClient: "1.2.3.4",
@@ -87,7 +87,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_tls_clientid",
 		domain:         domain,
 		proto:          proxy.ProtoTLS,
-		addr:           &net.TCPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "cli42",
 		wantLogProto:   querylog.ClientProtoDoT,
 		wantStatClient: "cli42",
@@ -98,7 +98,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_tls",
 		domain:         domain,
 		proto:          proxy.ProtoTLS,
-		addr:           &net.TCPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   querylog.ClientProtoDoT,
 		wantStatClient: "1.2.3.4",
@@ -109,7 +109,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_quic",
 		domain:         domain,
 		proto:          proxy.ProtoQUIC,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   querylog.ClientProtoDoQ,
 		wantStatClient: "1.2.3.4",
@@ -120,7 +120,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_https",
 		domain:         domain,
 		proto:          proxy.ProtoHTTPS,
-		addr:           &net.TCPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   querylog.ClientProtoDoH,
 		wantStatClient: "1.2.3.4",
@@ -131,7 +131,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_dnscrypt",
 		domain:         domain,
 		proto:          proxy.ProtoDNSCrypt,
-		addr:           &net.TCPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   querylog.ClientProtoDNSCrypt,
 		wantStatClient: "1.2.3.4",
@@ -142,7 +142,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp_filtered",
 		domain:         domain,
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   "",
 		wantStatClient: "1.2.3.4",
@@ -153,7 +153,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp_sb",
 		domain:         domain,
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   "",
 		wantStatClient: "1.2.3.4",
@@ -164,7 +164,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp_ss",
 		domain:         domain,
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   "",
 		wantStatClient: "1.2.3.4",
@@ -175,7 +175,7 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp_pc",
 		domain:         domain,
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 4}, Port: 1234},
+		addr:           testClientAddrPort,
 		clientID:       "",
 		wantLogProto:   "",
 		wantStatClient: "1.2.3.4",
@@ -186,10 +186,10 @@ func TestServer_ProcessQueryLogsAndStats(t *testing.T) {
 		name:           "success_udp_pc_empty_fqdn",
 		domain:         ".",
 		proto:          proxy.ProtoUDP,
-		addr:           &net.UDPAddr{IP: net.IP{1, 2, 3, 5}, Port: 1234},
+		addr:           netip.MustParseAddrPort("4.3.2.1:1234"),
 		clientID:       "",
 		wantLogProto:   "",
-		wantStatClient: "1.2.3.5",
+		wantStatClient: "4.3.2.1",
 		wantCode:       resultCodeSuccess,
 		reason:         filtering.FilteredParental,
 		wantStatResult: stats.RParental,

internal/dnsforward/upstreams.go

@@ -2,14 +2,43 @@ package dnsforward
 
 import (
 	"fmt"
+	"net"
+	"net/netip"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+)
+
+const (
+	// errNotDomainSpecific is returned when the upstream should be
+	// domain-specific, but isn't.
+	errNotDomainSpecific errors.Error = "not a domain-specific upstream"
+
+	// errMissingSeparator is returned when the domain-specific part of the
+	// upstream configuration line isn't closed.
+	errMissingSeparator errors.Error = "missing separator"
+
+	// errDupSeparator is returned when the domain-specific part of the upstream
+	// configuration line contains more than one ending separator.
+	errDupSeparator errors.Error = "duplicated separator"
+
+	// errNoDefaultUpstreams is returned when there are no default upstreams
+	// specified in the upstream configuration.
+	errNoDefaultUpstreams errors.Error = "no default upstreams specified"
+
+	// errWrongResponse is returned when the checked upstream replies in an
+	// unexpected way.
+	errWrongResponse errors.Error = "wrong response"
 )
 
 // loadUpstreams parses upstream DNS servers from the configured file or from
@@ -158,3 +187,183 @@ func (s *Server) createBootstrap(
 
 	return r, boots, nil
 }
+
+// IsCommentOrEmpty returns true if s starts with a "#" character or is empty.
+// This function is useful for filtering out non-upstream lines from upstream
+// configs.
+func IsCommentOrEmpty(s string) (ok bool) {
+	return len(s) == 0 || s[0] == '#'
+}
+
+// newUpstreamConfig validates upstreams and returns an appropriate upstream
+// configuration or nil if it can't be built.
+//
+// TODO(e.burkov):  Perhaps proxy.ParseUpstreamsConfig should validate upstreams
+// slice already so that this function may be considered useless.
+func newUpstreamConfig(upstreams []string) (conf *proxy.UpstreamConfig, err error) {
+	// No need to validate comments and empty lines.
+	upstreams = stringutil.FilterOut(upstreams, IsCommentOrEmpty)
+	if len(upstreams) == 0 {
+		// Consider this case valid since it means the default server should be
+		// used.
+		return nil, nil
+	}
+
+	err = validateUpstreamConfig(upstreams)
+	if err != nil {
+		// Don't wrap the error since it's informative enough as is.
+		return nil, err
+	}
+
+	conf, err = proxy.ParseUpstreamsConfig(
+		upstreams,
+		&upstream.Options{
+			Bootstrap: net.DefaultResolver,
+			Timeout:   DefaultTimeout,
+		},
+	)
+	if err != nil {
+		// Don't wrap the error since it's informative enough as is.
+		return nil, err
+	} else if len(conf.Upstreams) == 0 {
+		return nil, errNoDefaultUpstreams
+	}
+
+	return conf, nil
+}
+
+// validateUpstreamConfig validates each upstream from the upstream
+// configuration and returns an error if any upstream is invalid.
+//
+// TODO(e.burkov):  Merge with [upstreamConfigValidator] somehow.
+func validateUpstreamConfig(conf []string) (err error) {
+	for _, u := range conf {
+		var ups []string
+		var isSpecific bool
+		ups, isSpecific, err = splitUpstreamLine(u)
+		if err != nil {
+			// Don't wrap the error since it's informative enough as is.
+			return err
+		}
+
+		for _, addr := range ups {
+			_, err = validateUpstream(addr, isSpecific)
+			if err != nil {
+				return fmt.Errorf("validating upstream %q: %w", addr, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// ValidateUpstreams validates each upstream and returns an error if any
+// upstream is invalid or if there are no default upstreams specified.
+//
+// TODO(e.burkov):  Merge with [upstreamConfigValidator] somehow.
+func ValidateUpstreams(upstreams []string) (err error) {
+	_, err = newUpstreamConfig(upstreams)
+
+	return err
+}
+
+// ValidateUpstreamsPrivate validates each upstream and returns an error if any
+// upstream is invalid or if there are no default upstreams specified.  It also
+// checks each domain of domain-specific upstreams for being ARPA pointing to
+// a locally-served network.  privateNets must not be nil.
+func ValidateUpstreamsPrivate(upstreams []string, privateNets netutil.SubnetSet) (err error) {
+	conf, err := newUpstreamConfig(upstreams)
+	if err != nil {
+		return fmt.Errorf("creating config: %w", err)
+	}
+
+	if conf == nil {
+		return nil
+	}
+
+	keys := maps.Keys(conf.DomainReservedUpstreams)
+	slices.Sort(keys)
+
+	var errs []error
+	for _, domain := range keys {
+		var subnet netip.Prefix
+		subnet, err = extractARPASubnet(domain)
+		if err != nil {
+			errs = append(errs, err)
+
+			continue
+		}
+
+		if !privateNets.Contains(subnet.Addr().AsSlice()) {
+			errs = append(
+				errs,
+				fmt.Errorf("arpa domain %q should point to a locally-served network", domain),
+			)
+		}
+	}
+
+	return errors.Annotate(errors.Join(errs...), "checking domain-specific upstreams: %w")
+}
+
+// protocols are the supported URL schemes for upstreams.
+var protocols = []string{"h3", "https", "quic", "sdns", "tcp", "tls", "udp"}
+
+// validateUpstream returns an error if u alongside with domains is not a valid
+// upstream configuration.  useDefault is true if the upstream is
+// domain-specific and is configured to point at the default upstream server
+// which is validated separately.  The upstream is considered domain-specific
+// only if domains is at least not nil.
+func validateUpstream(u string, isSpecific bool) (useDefault bool, err error) {
+	// The special server address '#' means that default server must be used.
+	if useDefault = u == "#" && isSpecific; useDefault {
+		return useDefault, nil
+	}
+
+	// Check if the upstream has a valid protocol prefix.
+	//
+	// TODO(e.burkov):  Validate the domain name.
+	if proto, _, ok := strings.Cut(u, "://"); ok {
+		if !slices.Contains(protocols, proto) {
+			return false, fmt.Errorf("bad protocol %q", proto)
+		}
+	} else if _, err = netip.ParseAddr(u); err == nil {
+		return false, nil
+	} else if _, err = netip.ParseAddrPort(u); err == nil {
+		return false, nil
+	}
+
+	return false, err
+}
+
+// splitUpstreamLine returns the upstreams and the specified domains.  domains
+// is nil when the upstream is not domains-specific.  Otherwise it may also be
+// empty.
+func splitUpstreamLine(upstreamStr string) (upstreams []string, isSpecific bool, err error) {
+	if !strings.HasPrefix(upstreamStr, "[/") {
+		return []string{upstreamStr}, false, nil
+	}
+
+	defer func() { err = errors.Annotate(err, "splitting upstream line %q: %w", upstreamStr) }()
+
+	doms, ups, found := strings.Cut(upstreamStr[2:], "/]")
+	if !found {
+		return nil, false, errMissingSeparator
+	} else if strings.Contains(ups, "/]") {
+		return nil, false, errDupSeparator
+	}
+
+	for i, host := range strings.Split(doms, "/") {
+		if host == "" {
+			continue
+		}
+
+		err = netutil.ValidateDomainName(strings.TrimPrefix(host, "*."))
+		if err != nil {
+			return nil, false, fmt.Errorf("domain at index %d: %w", i, err)
+		}
+
+		isSpecific = true
+	}
+
+	return strings.Fields(ups), isSpecific, nil
+}

internal/dnsforward/upstreams_internal_test.go

@@ -0,0 +1,223 @@
+package dnsforward
+
+import (
+	"net"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUpstreamConfigValidator(t *testing.T) {
+	goodHandler := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
+		err := w.WriteMsg(new(dns.Msg).SetReply(m))
+		require.NoError(testutil.PanicT{}, err)
+	})
+	badHandler := dns.HandlerFunc(func(w dns.ResponseWriter, _ *dns.Msg) {
+		err := w.WriteMsg(new(dns.Msg))
+		require.NoError(testutil.PanicT{}, err)
+	})
+
+	goodUps := (&url.URL{
+		Scheme: "tcp",
+		Host:   newLocalUpstreamListener(t, 0, goodHandler).String(),
+	}).String()
+	badUps := (&url.URL{
+		Scheme: "tcp",
+		Host:   newLocalUpstreamListener(t, 0, badHandler).String(),
+	}).String()
+
+	goodAndBadUps := strings.Join([]string{goodUps, badUps}, " ")
+
+	// upsTimeout restricts the checking process to prevent the test from
+	// hanging.
+	const upsTimeout = 100 * time.Millisecond
+
+	testCases := []struct {
+		want     map[string]string
+		name     string
+		general  []string
+		fallback []string
+		private  []string
+	}{{
+		name:    "success",
+		general: []string{goodUps},
+		want: map[string]string{
+			goodUps: "OK",
+		},
+	}, {
+		name:    "broken",
+		general: []string{badUps},
+		want: map[string]string{
+			badUps: `couldn't communicate with upstream: exchanging with ` +
+				badUps + ` over tcp: dns: id mismatch`,
+		},
+	}, {
+		name:    "both",
+		general: []string{goodUps, badUps, goodUps},
+		want: map[string]string{
+			goodUps: "OK",
+			badUps: `couldn't communicate with upstream: exchanging with ` +
+				badUps + ` over tcp: dns: id mismatch`,
+		},
+	}, {
+		name:    "domain_specific_error",
+		general: []string{"[/domain.example/]" + badUps},
+		want: map[string]string{
+			badUps: `WARNING: couldn't communicate ` +
+				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
+				`dns: id mismatch`,
+		},
+	}, {
+		name:     "fallback_success",
+		fallback: []string{goodUps},
+		want: map[string]string{
+			goodUps: "OK",
+		},
+	}, {
+		name:     "fallback_broken",
+		fallback: []string{badUps},
+		want: map[string]string{
+			badUps: `couldn't communicate with upstream: exchanging with ` +
+				badUps + ` over tcp: dns: id mismatch`,
+		},
+	}, {
+		name:    "multiple_domain_specific_upstreams",
+		general: []string{"[/domain.example/]" + goodAndBadUps},
+		want: map[string]string{
+			goodUps: "OK",
+			badUps: `WARNING: couldn't communicate ` +
+				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
+				`dns: id mismatch`,
+		},
+	}, {
+		name:    "bad_specification",
+		general: []string{"[/domain.example/]/]1.2.3.4"},
+		want: map[string]string{
+			"[/domain.example/]/]1.2.3.4": `splitting upstream line ` +
+				`"[/domain.example/]/]1.2.3.4": duplicated separator`,
+		},
+	}, {
+		name:     "all_different",
+		general:  []string{"[/domain.example/]" + goodAndBadUps},
+		fallback: []string{"[/domain.example/]" + goodAndBadUps},
+		private:  []string{"[/domain.example/]" + goodAndBadUps},
+		want: map[string]string{
+			goodUps: "OK",
+			badUps: `WARNING: couldn't communicate ` +
+				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
+				`dns: id mismatch`,
+		},
+	}, {
+		name:     "bad_specific_domains",
+		general:  []string{"[/example/]/]" + goodUps},
+		fallback: []string{"[/example/" + goodUps},
+		private:  []string{"[/example//bad.123/]" + goodUps},
+		want: map[string]string{
+			`[/example/]/]` + goodUps: `splitting upstream line ` +
+				`"[/example/]/]` + goodUps + `": duplicated separator`,
+			`[/example/` + goodUps: `splitting upstream line ` +
+				`"[/example/` + goodUps + `": missing separator`,
+			`[/example//bad.123/]` + goodUps: `splitting upstream line ` +
+				`"[/example//bad.123/]` + goodUps + `": domain at index 2: ` +
+				`bad domain name "bad.123": ` +
+				`bad top-level domain name label "123": all octets are numeric`,
+		},
+	}, {
+		name: "non-specific_default",
+		general: []string{
+			"#",
+			"[/example/]#",
+		},
+		want: map[string]string{
+			"#": "not a domain-specific upstream",
+		},
+	}, {
+		name: "bad_proto",
+		general: []string{
+			"bad://1.2.3.4",
+		},
+		want: map[string]string{
+			"bad://1.2.3.4": `bad protocol "bad"`,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cv := newUpstreamConfigValidator(tc.general, tc.fallback, tc.private, &upstream.Options{
+				Timeout:   upsTimeout,
+				Bootstrap: net.DefaultResolver,
+			})
+			cv.check()
+			cv.close()
+
+			assert.Equal(t, tc.want, cv.status())
+		})
+	}
+}
+
+func TestUpstreamConfigValidator_Check_once(t *testing.T) {
+	type signal = struct{}
+
+	reqCh := make(chan signal)
+	hdlr := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
+		pt := testutil.PanicT{}
+
+		err := w.WriteMsg(new(dns.Msg).SetReply(m))
+		require.NoError(pt, err)
+
+		testutil.RequireSend(pt, reqCh, signal{}, testTimeout)
+	})
+
+	addr := (&url.URL{
+		Scheme: "tcp",
+		Host:   newLocalUpstreamListener(t, 0, hdlr).String(),
+	}).String()
+	twoAddrs := strings.Join([]string{addr, addr}, " ")
+
+	wantStatus := map[string]string{
+		addr: "OK",
+	}
+
+	testCases := []struct {
+		name string
+		ups  []string
+	}{{
+		name: "common",
+		ups:  []string{addr, addr, addr},
+	}, {
+		name: "domain-specific",
+		ups:  []string{"[/one.example/]" + addr, "[/two.example/]" + twoAddrs},
+	}, {
+		name: "both",
+		ups:  []string{addr, "[/one.example/]" + addr, addr, "[/two.example/]" + twoAddrs},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cv := newUpstreamConfigValidator(tc.ups, nil, nil, &upstream.Options{
+				Timeout: testTimeout,
+			})
+
+			go func() {
+				cv.check()
+				testutil.RequireSend(testutil.PanicT{}, reqCh, signal{}, testTimeout)
+			}()
+
+			// Wait for the only request to be sent.
+			testutil.RequireReceive(t, reqCh, testTimeout)
+
+			// Wait for the check to finish.
+			testutil.RequireReceive(t, reqCh, testTimeout)
+
+			cv.close()
+			require.Equal(t, wantStatus, cv.status())
+		})
+	}
+}

internal/home/dns.go

@@ -540,11 +540,13 @@ type safeSearchResolver struct{}
 var _ filtering.Resolver = safeSearchResolver{}
 
 // LookupIP implements [filtering.Resolver] interface for safeSearchResolver.
-// It returns the slice of net.IP with IPv4 and IPv6 instances.
-//
-// TODO(a.garipov): Support network.
-func (r safeSearchResolver) LookupIP(_ context.Context, _, host string) (ips []net.IP, err error) {
-	addrs, err := Context.dnsServer.Resolve(host)
+// It returns the slice of net.Addr with IPv4 and IPv6 instances.
+func (r safeSearchResolver) LookupIP(
+	ctx context.Context,
+	network string,
+	host string,
+) (ips []net.IP, err error) {
+	addrs, err := Context.dnsServer.Resolve(ctx, network, host)
 	if err != nil {
 		return nil, err
 	}
@@ -554,7 +556,7 @@ func (r safeSearchResolver) LookupIP(_ context.Context, _, host string) (ips []n
 	}
 
 	for _, a := range addrs {
-		ips = append(ips, a.IP)
+		ips = append(ips, a.AsSlice())
 	}
 
 	return ips, nil

internal/ipset/ipset_linux.go

@@ -101,6 +101,7 @@ func (qc *queryConn) listAll() (sets []props, err error) {
 type ipsetConn interface {
 	Add(name string, entries ...*ipset.Entry) (err error)
 	Close() (err error)
+	Header(name string) (p *ipset.HeaderPolicy, err error)
 	listAll() (sets []props, err error)
 }
 
@@ -112,6 +113,9 @@ type props struct {
 	// name of the ipset.
 	name string
 
+	// typeName of the ipset.
+	typeName string
+
 	// family of the IP addresses in the ipset.
 	family netfilter.ProtoFamily
 
@@ -148,6 +152,8 @@ func (p *props) parseAttribute(a netfilter.Attribute) {
 	case ipset.AttrSetName:
 		// Trim the null character.
 		p.name = string(bytes.Trim(a.Data, "\x00"))
+	case ipset.AttrTypeName:
+		p.typeName = string(bytes.Trim(a.Data, "\x00"))
 	case ipset.AttrFamily:
 		p.family = netfilter.ProtoFamily(a.Data[0])
 	default:
@@ -263,8 +269,9 @@ func (m *manager) parseIpsetConfig(ipsetConf []string) (err error) {
 		return err
 	}
 
+	currentlyKnown := map[string]props{}
 	for _, p := range all {
-		m.nameToIpset[p.name] = p
+		currentlyKnown[p.name] = p
 	}
 
 	for i, confStr := range ipsetConf {
@@ -275,7 +282,7 @@ func (m *manager) parseIpsetConfig(ipsetConf []string) (err error) {
 		}
 
 		var ipsets []props
-		ipsets, err = m.ipsets(ipsetNames)
+		ipsets, err = m.ipsets(ipsetNames, currentlyKnown)
 		if err != nil {
 			return fmt.Errorf("getting ipsets from config line at idx %d: %w", i, err)
 		}
@@ -288,18 +295,64 @@ func (m *manager) parseIpsetConfig(ipsetConf []string) (err error) {
 	return nil
 }
 
-// ipsets returns currently known ipsets.
-func (m *manager) ipsets(names []string) (sets []props, err error) {
+// ipsetProps returns the properties of an ipset with the given name.
+//
+// Additional header data query.  See https://github.com/AdguardTeam/AdGuardHome/issues/6420.
+//
+// TODO(s.chzhen):  Use *props.
+func (m *manager) ipsetProps(name string) (p props, err error) {
+	// The family doesn't seem to matter when we use a header query, so
+	// query only the IPv4 one.
+	//
+	// TODO(a.garipov): Find out if this is a bug or a feature.
+	var res *ipset.HeaderPolicy
+	res, err = m.ipv4Conn.Header(name)
+	if err != nil {
+		return props{}, err
+	}
+
+	if res == nil || res.Family == nil {
+		return props{}, errors.Error("empty response or no family data")
+	}
+
+	family := netfilter.ProtoFamily(res.Family.Value)
+	if family != netfilter.ProtoIPv4 && family != netfilter.ProtoIPv6 {
+		return props{}, fmt.Errorf("unexpected ipset family %q", family)
+	}
+
+	typeName := res.TypeName.Get()
+
+	return props{
+		name:         name,
+		typeName:     typeName,
+		family:       family,
+		isPersistent: false,
+	}, nil
+}
+
+// ipsets returns ipset properties of currently known ipsets.  It also makes an
+// additional ipset header data query if needed.
+func (m *manager) ipsets(names []string, currentlyKnown map[string]props) (sets []props, err error) {
 	for _, n := range names {
-		p, ok := m.nameToIpset[n]
+		p, ok := currentlyKnown[n]
 		if !ok {
 			return nil, fmt.Errorf("unknown ipset %q", n)
 		}
 
 		if p.family != netfilter.ProtoIPv4 && p.family != netfilter.ProtoIPv6 {
-			return nil, fmt.Errorf("%q unexpected ipset family %q", p.name, p.family)
+			log.Debug("ipset: getting properties: %q %q unexpected ipset family %q",
+				p.name,
+				p.typeName,
+				p.family,
+			)
+
+			p, err = m.ipsetProps(n)
+			if err != nil {
+				return nil, fmt.Errorf("%q %q making header query: %w", p.name, p.typeName, err)
+			}
 		}
 
+		m.nameToIpset[n] = p
 		sets = append(sets, p)
 	}
 
@@ -340,6 +393,8 @@ func newManagerWithDialer(ipsetConf []string, dial dialer) (mgr Manager, err err
 		return nil, fmt.Errorf("getting ipsets: %w", err)
 	}
 
+	log.Debug("ipset: initialized")
+
 	return m, nil
 }
 
@@ -408,7 +463,7 @@ func (m *manager) addIPs(host string, set props, ips []net.IP) (n int, err error
 
 	err = conn.Add(set.name, entries...)
 	if err != nil {
-		return 0, fmt.Errorf("adding %q%s to ipset %q: %w", host, ips, set.name, err)
+		return 0, fmt.Errorf("adding %q%s to %q %q: %w", host, ips, set.name, set.typeName, err)
 	}
 
 	// Only add these to the cache once we're sure that all of them were
@@ -444,10 +499,10 @@ func (m *manager) addToSets(
 				return n, err
 			}
 		default:
-			return n, fmt.Errorf("unexpected family %s for ipset %q", set.family, set.name)
+			return n, fmt.Errorf("%q %q unexpected family %q", set.name, set.typeName, set.family)
 		}
 
-		log.Debug("ipset: added %d ips to set %s", nn, set.name)
+		log.Debug("ipset: added %d ips to set %q %q", nn, set.name, set.typeName)
 
 		n += nn
 	}

internal/ipset/ipset_linux_internal_test.go

@@ -47,6 +47,11 @@ func (c *fakeConn) Close() (err error) {
 	return nil
 }
 
+// Header implements the [ipsetConn] interface for *fakeConn.
+func (c *fakeConn) Header(_ string) (_ *ipset.HeaderPolicy, _ error) {
+	return nil, nil
+}
+
 // listAll implements the [ipsetConn] interface for *fakeConn.
 func (c *fakeConn) listAll() (sets []props, err error) {
 	return c.sets, nil

internal/schedule/schedule.go

@@ -339,9 +339,6 @@ func (r dayRange) toDayConfigJSON() (j *dayConfigJSON) {
 
 // weeklyConfigJSON is the JSON configuration structure of Weekly.
 type weeklyConfigJSON struct {
-	// TimeZone is the local time zone.
-	TimeZone string `json:"time_zone"`
-
 	// Days of the week.
 
 	Sunday    *dayConfigJSON `json:"sun,omitempty"`
@@ -351,6 +348,9 @@ type weeklyConfigJSON struct {
 	Thursday  *dayConfigJSON `json:"thu,omitempty"`
 	Friday    *dayConfigJSON `json:"fri,omitempty"`
 	Saturday  *dayConfigJSON `json:"sat,omitempty"`
+
+	// TimeZone is the local time zone.
+	TimeZone string `json:"time_zone"`
 }
 
 // dayConfigJSON is the JSON configuration structure of dayRange.

internal/schedule/schedule_internal_test.go

@@ -163,10 +163,10 @@ yaml: "bad"
 	}
 
 	testCases := []struct {
+		want       *Weekly
 		name       string
 		wantErrMsg string
 		data       []byte
-		want       *Weekly
 	}{{
 		name:       "empty",
 		wantErrMsg: "",
@@ -228,9 +228,9 @@ func TestWeekly_MarshalYAML(t *testing.T) {
 	}
 
 	testCases := []struct {
+		want *Weekly
 		name string
 		data []byte
-		want *Weekly
 	}{{
 		name: "empty",
 		data: []byte(""),
@@ -263,8 +263,8 @@ func TestWeekly_MarshalYAML(t *testing.T) {
 func TestWeekly_Validate(t *testing.T) {
 	testCases := []struct {
 		name       string
-		in         dayRange
 		wantErrMsg string
+		in         dayRange
 	}{{
 		name:       "empty",
 		wantErrMsg: "",
@@ -298,8 +298,8 @@ func TestWeekly_Validate(t *testing.T) {
 func TestDayRange_Validate(t *testing.T) {
 	testCases := []struct {
 		name       string
-		in         dayRange
 		wantErrMsg string
+		in         dayRange
 	}{{
 		name:       "empty",
 		wantErrMsg: "",
@@ -413,10 +413,10 @@ func TestWeekly_UnmarshalJSON(t *testing.T) {
 	}
 
 	testCases := []struct {
+		want       *Weekly
 		name       string
 		wantErrMsg string
 		data       []byte
-		want       *Weekly
 	}{{
 		name:       "empty",
 		wantErrMsg: "unexpected end of JSON input",
@@ -478,9 +478,9 @@ func TestWeekly_MarshalJSON(t *testing.T) {
 	}
 
 	testCases := []struct {
+		want *Weekly
 		name string
 		data []byte
-		want *Weekly
 	}{{
 		name: "empty",
 		data: []byte(""),

internal/tools/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/kyoh86/looppointer v0.2.1
 	github.com/securego/gosec/v2 v2.18.2
 	github.com/uudashr/gocognit v1.1.2
-	golang.org/x/tools v0.15.0
+	golang.org/x/tools v0.16.0
 	golang.org/x/vuln v1.0.1
 	honnef.co/go/tools v0.4.6
 	mvdan.cc/gofumpt v0.5.0
@@ -26,9 +26,9 @@ require (
 	github.com/kyoh86/nolint v0.0.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20231110203233-9a3e6036ecaa // indirect
+	golang.org/x/exp/typeparams v0.0.0-20231127185646-65229373498e // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

internal/tools/go.sum

@@ -49,8 +49,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp/typeparams v0.0.0-20231110203233-9a3e6036ecaa h1:wJBD77KpXKOckDJT0rqU5EwZDmxcmTh6aXVpU6s6GBg=
-golang.org/x/exp/typeparams v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20231127185646-65229373498e h1:Iel2aGgaO80fSb1N54L7SE6XMeVvYy6caKt8u/5LvR8=
+golang.org/x/exp/typeparams v0.0.0-20231127185646-65229373498e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
@@ -63,7 +63,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -79,8 +79,8 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220702020025-31831981b65f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -93,8 +93,8 @@ golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4X
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/vuln v1.0.1 h1:KUas02EjQK5LTuIx1OylBQdKKZ9jeugs+HiqO5HormU=
 golang.org/x/vuln v1.0.1/go.mod h1:bb2hMwln/tqxg32BNY4CcxHWtHXuYa3SbIBmtsyjxtM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

scripts/make/go-lint.sh

@@ -35,7 +35,7 @@ set -f -u
 go_version="$( "${GO:-go}" version )"
 readonly go_version
 
-go_min_version='go1.20.11'
+go_min_version='go1.20.12'
 go_version_msg="
 warning: your go version (${go_version}) is different from the recommended minimal one (${go_min_version}).
 if you have the version installed, please set the GO environment variable.