all: upd base docker

all: sync with master
all: fix chlog date
2025-04-10 20:35:55 +03:00 · 2025-04-08 19:57:40 +03:00 · 2025-03-21 13:28:43 +03:00 · 2025-03-20 18:30:28 +03:00 · 2025-03-19 17:40:40 +03:00 · 2025-03-19 16:44:03 +03:00
114 changed files with 2202 additions and 2473 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,8 @@
 'name': 'build'

 'env':
-  'GO_VERSION': '1.24.1'
-  'NODE_VERSION': '18'
+  'GO_VERSION': '1.24.2'
+  'NODE_VERSION': '20'

 'on':
  'push':
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'

 'env':
-  'GO_VERSION': '1.24.1'
+  'GO_VERSION': '1.24.2'

 'on':
  'push':
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,21 +9,88 @@ The format is based on [*Keep a Changelog*](https://keepachangelog.com/en/1.0.0/
 <!--
 ## [v0.108.0] – TBA

-## [v0.107.58] - 2025-03-11 (APPROX.)
+## [v0.107.61] - 2025-04-22 (APPROX.)

-See also the [v0.107.58 GitHub milestone][ms-v0.107.58].
+See also the [v0.107.61 GitHub milestone][ms-v0.107.61].

-[ms-v0.107.58]: https://github.com/AdguardTeam/AdGuardHome/milestone/93?closed=1
+[ms-v0.107.61]: https://github.com/AdguardTeam/AdGuardHome/milestone/96?closed=1

 NOTE: Add new changes BELOW THIS COMMENT.
 -->
+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+## [v0.107.60] - 2025-04-14
+
+See also the [v0.107.60 GitHub milestone][ms-v0.107.60].
+
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.24.2][go-1.24.2].
+
+### Changed
+
+- Alpine Linux version in `Dockerfile` has been updated to 3.21 ([#7588]).
+
+### Deprecated
+
+- Node 20 support, Node 22 will be required in future releases.
+
+    **NOTE:** `npm` may be replaced with a different tool, such as `pnpm` or `yarn`, in a future release.
+
+### Fixed
+
+- Filtering for DHCP clients ([#7734]).
+
+- Incorrect label on login page ([#7729]).
+
+- Validation process for the HTTPS port on the *Encryption Settings* page.
+
+### Removed
+
+- Node 18 support.
+
+[#7588]: https://github.com/AdguardTeam/AdGuardHome/issues/7588
+[#7729]: https://github.com/AdguardTeam/AdGuardHome/issues/7729
+[#7734]: https://github.com/AdguardTeam/AdGuardHome/issues/7734
+
+[go-1.24.2]: https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
+[ms-v0.107.60]: https://github.com/AdguardTeam/AdGuardHome/milestone/95?closed=1
+
+## [v0.107.59] - 2025-03-21
+
+See also the [v0.107.59 GitHub milestone][ms-v0.107.59].
+
+### Fixed
+
+- Rules with the `client` modifier not working ([#7708]).
+
+- The search form not working in the query log ([#7704]).
+
+[#7704]: https://github.com/AdguardTeam/AdGuardHome/issues/7704
+[#7708]: https://github.com/AdguardTeam/AdGuardHome/issues/7708
+
+[ms-v0.107.59]: https://github.com/AdguardTeam/AdGuardHome/milestone/94?closed=1
+
+## [v0.107.58] - 2025-03-19
+
+See also the [v0.107.58 GitHub milestone][ms-v0.107.58].

 ### Security

 - Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.24.1][go-1.24.1].

+### Added
+
+- The ability to check filtering rules for host names using an optional query type and optional ClientID or client IP address ([#4036]).
+
+- Optional `client` and `qtype` URL query parameters to the `GET /control/check_host` HTTP API.
+
 ### Fixed

+- Clearing the DNS cache on the *DNS settings* page now includes both global cache and custom client cache.
+
 - Invalid ICMPv6 Router Advertisement messages ([#7547]).

 - Disabled button for autofilled login form.
@@ -34,14 +101,12 @@ NOTE: Add new changes BELOW THIS COMMENT.

 - The formatting of large numbers in the clients tables on the *Client settings* page ([#7583]).

+[#4036]: https://github.com/AdguardTeam/AdGuardHome/issues/4036
 [#7547]: https://github.com/AdguardTeam/AdGuardHome/issues/7547
 [#7583]: https://github.com/AdguardTeam/AdGuardHome/issues/7583

 [go-1.24.1]: https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI
-
-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
-->
+[ms-v0.107.58]: https://github.com/AdguardTeam/AdGuardHome/milestone/93?closed=1

 ## [v0.107.57] - 2025-02-20

@@ -3039,11 +3104,14 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 [ms-v0.104.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/28?closed=1

 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.58...HEAD
-[v0.107.58]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.57...v0.107.58
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.61...HEAD
+[v0.107.61]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.60...v0.107.61
 -->

-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.57...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.60...HEAD
+[v0.107.60]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.59...v0.107.60
+[v0.107.59]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.58...v0.107.59
+[v0.107.58]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.57...v0.107.58
 [v0.107.57]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.56...v0.107.57
 [v0.107.56]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.55...v0.107.56
 [v0.107.55]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.54...v0.107.55
--- a/6
+++ b/6
@@ -27,7 +27,7 @@ DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
 GOTELEMETRY = off
-GOTOOLCHAIN = go1.24.1
+GOTOOLCHAIN = go1.24.2
 GPG_KEY = devteam@adguard.com
 GPG_KEY_PASSPHRASE = not-a-real-password
 NPM = npm
@@ -38,7 +38,6 @@ REVISION = $${REVISION:-$$(git rev-parse --short HEAD)}
 SIGN = 1
 SIGNER_API_KEY = not-a-real-key
 VERSION = v0.0.0
-YARN = yarn

 NEXTAPI = 0

@@ -139,5 +138,4 @@ txt-lint: ; $(ENV) "$(SHELL)" ./scripts/make/txt-lint.sh
 md-lint:  ; $(ENV_MISC) "$(SHELL)" ./scripts/make/md-lint.sh
 sh-lint:  ; $(ENV_MISC) "$(SHELL)" ./scripts/make/sh-lint.sh

-openapi-lint: ; cd ./openapi/ && $(YARN) test
-openapi-show: ; cd ./openapi/ && $(YARN) start
+# TODO(a.garipov):  Re-add openapi-lint.
--- a/README.md
+++ b/README.md
@@ -205,9 +205,9 @@ Run `make init` to prepare the development environment.

 You will need this to build AdGuard Home:

- [Go](https://golang.org/dl/) v1.23 or later;
- [Node.js](https://nodejs.org/en/download/) v18.18 or later;
- [npm](https://www.npmjs.com/) v8 or later;
+- [Go](https://golang.org/dl/) v1.24 or later;
+- [Node.js](https://nodejs.org/en/download/) v20.19 or later;
+- [npm](https://www.npmjs.com/) v10.8 or later;

 ### <a href="#building" id="building" name="building">Building</a>

--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -7,8 +7,8 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
    'channel': 'edge'
-    'dockerFrontend': 'adguard/home-js-builder:2.1-bullseye'
-    'dockerGo': 'adguard/go-builder:1.24.1--1'
+    'dockerFrontend': 'adguard/home-js-builder:3.0'
+    'dockerGo': 'adguard/go-builder:1.24.2--1'

 'stages':
  - 'Build frontend':
@@ -50,7 +50,7 @@
    'docker':
        'image': '${bamboo.dockerFrontend}'
        'volumes':
-            '${system.YARN_DIR}': '${bamboo.cacheYarn}'
+            '${system.NPM_DIR}': '${bamboo.cacheNpm}'
    'key': 'BF'
    'other':
        'clean-working-dir': true
@@ -157,6 +157,7 @@

                # Print Docker info.
                docker info
+                docker buildx version

                # Prepare and push the build.
                env \
@@ -277,8 +278,8 @@
        # need to build a few of these.
        'variables':
            'channel': 'beta'
-            'dockerFrontend': 'adguard/home-js-builder:2.1-bullseye'
-            'dockerGo': 'adguard/go-builder:1.24.1--1'
+            'dockerFrontend': 'adguard/home-js-builder:3.0'
+            'dockerGo': 'adguard/go-builder:1.24.2--1'
    # release-vX.Y.Z branches are the branches from which the actual final
    # release is built.
  - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -293,5 +294,5 @@
        # are the ones that actually get released.
        'variables':
            'channel': 'release'
-            'dockerFrontend': 'adguard/home-js-builder:2.1-bullseye'
-            'dockerGo': 'adguard/go-builder:1.24.1--1'
+            'dockerFrontend': 'adguard/home-js-builder:3.0'
+            'dockerGo': 'adguard/go-builder:1.24.2--1'
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -5,8 +5,8 @@
    'key': 'AHBRTSPECS'
    'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerFrontend': 'adguard/home-js-builder:2.1-bullseye'
-    'dockerGo': 'adguard/go-builder:1.24.1--1'
+    'dockerFrontend': 'adguard/home-js-builder:3.0'
+    'dockerGo': 'adguard/go-builder:1.24.2--1'
    'channel': 'development'

 'stages':
@@ -39,7 +39,7 @@
    'docker':
        'image': '${bamboo.dockerFrontend}'
        'volumes':
-            '${system.YARN_DIR}': '${bamboo.cacheYarn}'
+            '${system.NPM_DIR}': '${bamboo.cacheNpm}'
    'key': 'JSTEST'
    'other':
        'clean-working-dir': true
@@ -103,7 +103,7 @@
    'docker':
        'image': '${bamboo.dockerFrontend}'
        'volumes':
-            '${system.YARN_DIR}': '${bamboo.cacheYarn}'
+            '${system.NPM_DIR}': '${bamboo.cacheNpm}'
    'key': 'BF'
    'other':
         'clean-working-dir': true
@@ -178,7 +178,7 @@
    'docker':
        'image': '${bamboo.dockerFrontend}'
        'volumes':
-            '${system.YARN_DIR}': '${bamboo.cacheYarn}'
+            '${system.NPM_DIR}': '${bamboo.cacheNpm}'
    'key': 'E2ETEST'
    'other':
        'clean-working-dir': true
@@ -233,6 +233,6 @@
        # Set the default release channel on the release branch to beta, as we
        # may need to build a few of these.
        'variables':
-            'dockerFrontend': 'adguard/home-js-builder:2.1-bullseye'
-            'dockerGo': 'adguard/go-builder:1.24.1--1'
+            'dockerFrontend': 'adguard/home-js-builder:3.0'
+            'dockerGo': 'adguard/go-builder:1.24.2--1'
            'channel': 'candidate'
--- a/client/src/__locales/cs.json
+++ b/client/src/__locales/cs.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Důvod: {{reason}}",
    "check_service": "Název služby: {{service}}",
+    "check_hostname": "Název hostitele nebo domény",
+    "check_client_id": "Identifikátor klienta (ClientID nebo IP adresa)",
+    "check_enter_client_id": "Zadejte identifikátor klienta",
+    "check_dns_record": "Vyberte typ DNS záznamu",
    "service_name": "Název služby",
    "check_not_found": "Nenalezeno ve Vašich seznamech filtrů",
    "client_confirm_block": "Opravdu chcete zablokovat klienta „{{ip}}“?",
--- a/client/src/__locales/da.json
+++ b/client/src/__locales/da.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Årsag: {{reason}}",
    "check_service": "Tjenestenavn: {{service}}",
+    "check_hostname": "Værts- eller domænenavn",
+    "check_client_id": "Klientidentifikator (ClientID eller IP-adresse)",
+    "check_enter_client_id": "Angiv klientidentifikator",
+    "check_dns_record": "Vælg DNS-posttype",
    "service_name": "Tjenestenavn",
    "check_not_found": "Ikke fundet i dine filterlister",
    "client_confirm_block": "Sikker på, at du vil blokere klienten \"{{ip}}\"?",
--- a/client/src/__locales/de.json
+++ b/client/src/__locales/de.json
@@ -97,9 +97,9 @@
    "settings": "Einstellungen",
    "filters": "Filter",
    "filter": "Filter",
-    "query_log": "Anfragenprotokoll",
+    "query_log": "Abfrageprotokoll",
    "compact": "Kompakt",
-    "nothing_found": "Nichts gefunden\n",
+    "nothing_found": "Nichts gefunden",
    "faq": "FAQ",
    "version": "Version",
    "address": "Adresse",
@@ -199,7 +199,7 @@
    "cancel_btn": "Abbrechen",
    "enter_name_hint": "Name eingeben",
    "enter_url_or_path_hint": "URL oder absoluten Pfad der Liste eingeben",
-    "check_updates_btn": "Nach Aktualisierungen suchen",
+    "check_updates_btn": "Nach Updates suchen",
    "new_blocklist": "Neue Sperrliste",
    "new_allowlist": "Neue Positivliste",
    "edit_blocklist": "Sperrliste bearbeiten",
@@ -566,7 +566,7 @@
    "ignore_domains": "Ignorierte Domains (durch Zeilenumbruch getrennt)",
    "ignore_domains_title": "Ignorierte Domains",
    "ignore_domains_desc_stats": "Abfragen, die diesen Regeln entsprechen, werden nicht in die Statistik aufgenommen",
-    "ignore_domains_desc_query": "Abfragen, die diesen Regeln entsprechen, werden nicht in das Anfragenprotokoll aufgenommen",
+    "ignore_domains_desc_query": "Abfragen, die diesen Regeln entsprechen, werden nicht in das Abfrageprotokoll aufgenommen",
    "interval_hours": "{{count}} Stunde",
    "interval_hours_plural": "{{count}} Stunden",
    "filters_configuration": "Filterkonfiguration",
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Grund: {{reason}}",
    "check_service": "Dienstname: {{service}}",
+    "check_hostname": "Hostname oder Domainname",
+    "check_client_id": "Client-Kennung (ClientID oder IP-Adresse)",
+    "check_enter_client_id": "Client-Kennung eingeben",
+    "check_dns_record": "DNS-Datensatztyp auswählen",
    "service_name": "Name des Dienstes",
    "check_not_found": "Nicht in Ihren Filterlisten enthalten",
    "client_confirm_block": "Möchten Sie den Client „{{ip}}“ wirklich sperren?",
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Reason: {{reason}}",
    "check_service": "Service name: {{service}}",
+    "check_hostname": "Hostname or domain name",
+    "check_client_id": "Client identifier (ClientID or IP address)",
+    "check_enter_client_id": "Enter client identifier",
+    "check_dns_record": "Select DNS record type",
    "service_name": "Service name",
    "check_not_found": "Not found in your filter lists",
    "client_confirm_block": "Are you sure you want to block the client \"{{ip}}\"?",
--- a/client/src/__locales/es.json
+++ b/client/src/__locales/es.json
@@ -1,16 +1,16 @@
 {
    "client_settings": "Configuración de clientes",
-    "example_upstream_reserved": "un DNS de subida <0>para un dominio específico</0>.",
-    "example_multiple_upstreams_reserved": "múltiples upstreams <0>para dominios específicos</0>;",
+    "example_upstream_reserved": "un proveedor DNS <0>para un dominio específico</0>.",
+    "example_multiple_upstreams_reserved": "múltiples proveedores DNS <0>para dominios específicos</0>.",
    "example_upstream_comment": "un comentario.",
-    "upstream_parallel": "Usar consultas paralelas para acelerar la resolución al consultar simultáneamente a todos los servidores DNS de subida.",
+    "upstream_parallel": "Usar consultas paralelas para acelerar la resolución al consultar simultáneamente a todos los proveedores DNS.",
    "parallel_requests": "Consultas paralelas",
    "load_balancing": "Balanceo de carga",
-    "load_balancing_desc": "Consulta un servidor Dns upstream a la vez.<br/>AdGuard Home utiliza un algoritmo aleatorio ponderado para seleccionar los servidores con el menor número de fallos y el menor tiempo medio de búsqueda.",
+    "load_balancing_desc": "Consulta un proveedor DNS a la vez.<br/>AdGuard Home utiliza un algoritmo aleatorio ponderado para seleccionar los servidores con el menor número de fallos y el menor tiempo promedio de búsqueda.",
    "bootstrap_dns": "Servidores DNS de arranque",
-    "bootstrap_dns_desc": "Direcciones IP de servidores DNS utilizadas para resolver direcciones IP de los solucionadores DoH/DoT que especifiques como ascendentes. No se permiten comentarios.",
+    "bootstrap_dns_desc": "Direcciones IP de los servidores DNS utilizados para resolver las direcciones IP de los resolutores DoH/DoT que especifiques como proveedores DNS. No se permiten comentarios.",
    "fallback_dns_title": "Servidores DNS alternativos",
-    "fallback_dns_desc": "Lista de servidores DNS alternativos utilizados cuando los servidores DNS de subida no responden. La sintaxis es la misma que en el campo de los principales DNS de subida anterior.",
+    "fallback_dns_desc": "Lista de servidores DNS alternativos utilizados cuando los proveedores DNS no responden. La sintaxis es la misma que en el campo de los principales proveedores DNS anterior.",
    "fallback_dns_placeholder": "Ingresa un servidor DNS alternativo por línea",
    "local_ptr_title": "Servidores DNS inversos y privados",
    "local_ptr_desc": "Los servidores DNS que AdGuard Home utiliza para consultas PTR, SOA y NS privadas. La petición se considera privada si solicita un dominio ARPA que contiene una subred dentro de rangos IP privados, por ejemplo \"192.168.12.34\", y procede de un cliente con dirección privada. Si no se configura, AdGuard Home utiliza las direcciones de los resolvedores DNS predeterminados de tu sistema operativo, excepto las direcciones del propio AdGuard Home.",
@@ -18,9 +18,9 @@
    "local_ptr_no_default_resolver": "AdGuard Home no pudo determinar los resolutores DNS inversos y privados adecuados para este sistema.",
    "local_ptr_placeholder": "Ingresa una dirección IP por línea",
    "resolve_clients_title": "Habilitar la resolución inversa de las direcciones IP de clientes",
-    "resolve_clients_desc": "Resolve de manera inversa las direcciones IP de los clientes a sus nombres de hosts enviando consultas PTR a los resolutores correspondientes (servidores DNS privados para clientes locales, servidores DNS de subida para clientes con direcciones IP públicas).",
+    "resolve_clients_desc": "Resuelve de manera inversa las direcciones IP de los clientes a sus nombres de hosts enviando consultas PTR a los resolutores correspondientes (servidores DNS privados para clientes locales, proveedores DNS para clientes con direcciones IP públicas).",
    "use_private_ptr_resolvers_title": "Usar resolutores DNS inversos y privados",
-    "use_private_ptr_resolvers_desc": "Resolver las peticiones PTR, SOA y NS para dominios ARPA que contienen direcciones privadas utilizando servidores upstream privados, DHCP, /etc/hosts, etc. Si se desactiva, AdGuard Home responde a todas estas consultas con NXDOMAIN.",
+    "use_private_ptr_resolvers_desc": "Resuelve peticiones PTR, SOA y NS para dominios ARPA que contienen direcciones IP privadas a través de proveedores DNS privados, DHCP, /etc/hosts, etc. Si se deshabilita, AdGuard Home responderá a todas estas peticiones con NXDOMAIN.",
    "check_dhcp_servers": "Comprobar si hay servidores DHCP",
    "save_config": "Guardar configuración",
    "enabled_dhcp": "Servidor DHCP habilitado",
@@ -132,8 +132,8 @@
    "top_clients": "Clientes más frecuentes",
    "no_clients_found": "No se han encontrado clientes",
    "general_statistics": "Estadísticas generales",
-    "top_upstreams": "DNS de subida más frecuentes",
-    "no_upstreams_data_found": "No se han encontrado datos de DNS de subida",
+    "top_upstreams": "Proveedores DNS más frecuentes",
+    "no_upstreams_data_found": "No se han encontrado datos de proveedores DNS",
    "number_of_dns_query_days": "Número de consultas DNS procesadas durante el último {{count}} día",
    "number_of_dns_query_days_plural": "Número de consultas DNS procesadas durante los últimos {{count}} días",
    "number_of_dns_query_hours": "Número de consultas DNS procesadas durante la última {{count}} hora",
@@ -144,7 +144,7 @@
    "enforced_save_search": "Búsquedas seguras forzadas",
    "number_of_dns_query_to_safe_search": "Número de peticiones DNS a los motores de búsqueda para los que se aplicó la búsqueda segura forzada",
    "average_processing_time": "Tiempo promedio de procesamiento",
-    "average_upstream_response_time": "Tiempo promedio de respuesta upstream",
+    "average_upstream_response_time": "Tiempo promedio de respuesta del proveedor DNS",
    "response_time": "Tiempo de respuesta",
    "average_processing_time_hint": "Tiempo promedio en milisegundos al procesar una petición DNS",
    "block_domain_use_filters_and_hosts": "Bloquear dominios usando filtros y archivos hosts",
@@ -157,7 +157,7 @@
    "enforce_save_search_hint": "AdGuard Home reforzará la búsqueda segura en los siguientes motores de búsqueda: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex y Pixabay.",
    "no_servers_specified": "No hay servidores especificados",
    "general_settings": "Configuración general",
-    "dns_settings": "Configuración del DNS",
+    "dns_settings": "Configuración DNS",
    "dns_blocklists": "Listas de bloqueo DNS",
    "dns_allowlists": "Listas de permitido DNS",
    "dns_blocklists_desc": "AdGuard Home bloqueará los dominios que coincidan con las listas de bloqueo.",
@@ -165,12 +165,12 @@
    "custom_filtering_rules": "Reglas de filtrado personalizado",
    "encryption_settings": "Configuración de cifrado",
    "dhcp_settings": "Configuración DHCP",
-    "upstream_dns": "Servidores DNS de subida",
-    "upstream_dns_help": "Ingresa una dirección de servidor por línea. <a>Más información</a> sobre la configuración de los servidores DNS de subida.",
+    "upstream_dns": "Proveedores DNS",
+    "upstream_dns_help": "Ingresa una dirección de servidor por línea. <a>Más información</a> sobre la configuración de los proveedores DNS.",
    "upstream_dns_configured_in_file": "Configurado en {{path}}",
-    "test_upstream_btn": "Probar DNS de subida",
-    "upstreams": "DNS de subida",
-    "upstream": "DNS de subida",
+    "test_upstream_btn": "Probar proveedores DNS",
+    "upstreams": "Proveedores DNS",
+    "upstream": "Proveedor DNS",
    "apply_btn": "Aplicar",
    "disabled_filtering_toast": "Filtrado deshabilitado",
    "enabled_filtering_toast": "Filtrado habilitado",
@@ -233,11 +233,11 @@
    "example_upstream_tcp_port": "DNS regular (mediante TCP, con puerto).",
    "example_upstream_tcp_hostname": "DNS regular (mediante TCP, nombre del host).",
    "all_lists_up_to_date_toast": "Todas las listas ya están actualizadas",
-    "updated_upstream_dns_toast": "Servidores DNS de subida guardados correctamente",
+    "updated_upstream_dns_toast": "Proveedores DNS guardados correctamente",
    "dns_test_ok_toast": "Los servidores DNS especificados funcionan correctamente",
    "dns_test_not_ok_toast": "Servidor \"{{key}}\": no se puede utilizar, por favor revisa si lo has escrito correctamente",
    "dns_test_parsing_error_toast": "No se pudo utilizar la sección {{section}}: línea {{line}}:, verifica si la escribiste correctamente",
-    "dns_test_warning_toast": "DNS de subida \"{{key}}\" no responde a las peticiones de prueba y es posible que no funcione correctamente",
+    "dns_test_warning_toast": "Proveedor DNS \"{{key}}\" no responde a las peticiones de prueba y es posible que no funcione correctamente",
    "unblock": "Desbloquear",
    "block": "Bloquear",
    "disallow_this_client": "No permitir a este cliente",
@@ -294,9 +294,9 @@
    "blocked_response_ttl": "Respuesta TTL bloqueada",
    "blocked_response_ttl_desc": "Especifica durante cuántos segundos los clientes deben almacenar en cache una respuesta filtrada",
    "form_enter_blocked_response_ttl": "Ingresa el TTL de respuesta bloqueada (segundos)",
-    "upstream_timeout": "Tiempo de espera del upstream",
-    "upstream_timeout_desc": "Especifica el número de segundos que se debe esperar para recibir una respuesta del servidor upstream",
-    "form_enter_upstream_timeout": "Ingresa la duración del tiempo de espera del servidor DNS upstream en segundos",
+    "upstream_timeout": "Tiempo de espera del proveedor DNS",
+    "upstream_timeout_desc": "Especifica el número de segundos que se debe esperar para recibir una respuesta del proveedor DNS",
+    "form_enter_upstream_timeout": "Ingresa la duración de tiempo de espera del proveedor DNS en segundos",
    "dnscrypt": "DNSCrypt",
    "dns_over_https": "DNS mediante HTTPS",
    "dns_over_tls": "DNS mediante TLS",
@@ -311,7 +311,7 @@
    "form_enter_rate_limit": "Ingresa el límite de cantidad",
    "rate_limit": "Límite de cantidad",
    "edns_enable": "Habilitar subred de cliente EDNS",
-    "edns_cs_desc": "Añade la opción subred de cliente EDNS (ECS) a las peticiones del DNS de subida y registra los valores enviados por los clientes en el registro de consultas.",
+    "edns_cs_desc": "Añade la opción subred de cliente EDNS (ECS) a las peticiones del proveedor DNS y registra los valores enviados por los clientes en el registro de consultas.",
    "edns_use_custom_ip": "Usar IP personalizada para EDNS",
    "edns_use_custom_ip_desc": "Permitir el uso de IP personalizadas para EDNS",
    "rate_limit_desc": "Número de peticiones por segundo permitidas por cliente. Establecerlo en 0 significa que no hay límite.",
@@ -335,7 +335,7 @@
    "theme_auto": "Auto",
    "theme_light": "Claro",
    "theme_dark": "Oscuro",
-    "upstream_dns_client_desc": "Si se mantiene este campo vacío, AdGuard Home utilizará los servidores configurados en la <0>configuración del DNS</0>.",
+    "upstream_dns_client_desc": "Si se mantiene este campo vacío, AdGuard Home utilizará los servidores configurados en la <0>configuración DNS</0>.",
    "tracker_source": "Fuente del rastreador",
    "source_label": "Fuente",
    "found_in_known_domain_db": "Encontrado en la base de datos de dominios conocidos.",
@@ -596,12 +596,12 @@
    "example_rewrite_wildcard": "reescribe las respuestas para todos los subdominios de <0>ejemplo.org</0>.",
    "rewrite_ip_address": "Dirección IP: utiliza esta IP en una respuesta A o AAAA",
    "rewrite_domain_name": "Nombre de dominio: añade un registro CNAME",
-    "rewrite_A": "<0>A</0>: valor especial, mantiene registros <0>A</0> del DNS de subida",
-    "rewrite_AAAA": "<0>AAAA</0>: valor especial, mantiene registros <0>AAAA</0> del DNS de subida",
+    "rewrite_A": "<0>A</0>: valor especial, mantiene registros <0>A</0> del proveedor DNS",
+    "rewrite_AAAA": "<0>AAAA</0>: valor especial, mantiene registros <0>AAAA</0> del proveedor DNS",
    "disable_ipv6": "Deshabilitar resolución de direcciones IPv6",
    "disable_ipv6_desc": "Descarta todas las consultas de DNS para direcciones IPv6 (tipo AAAA) y elimina las sugerencias de IPv6 de las respuestas HTTPS.",
    "fastest_addr": "Dirección IP más rápida",
-    "fastest_addr_desc": "Espera a que respondan <b>todos</b> los servidores DNS, mide la velocidad de conexión TCP de cada servidor y devuelve la Dirección IP del servidor con la velocidad de conexión más rápida.<br/>Este modo puede ralentizar significativamente las consultas DNS, si uno o más servidores DNS de upstream no están respondiendo. Asegúrate de que tus servidores DNS upstream sean estables y tu tiempo de espera de upstream sea bajo.",
+    "fastest_addr_desc": "Espera respuestas de <b>todos</b> los servidores DNS, mide la velocidad de conexión TCP de cada servidor y devuelve la dirección IP del servidor con la velocidad de conexión más rápida.<br/>Este modo puede ralentizar significativamente las consultas DNS, si uno o más proveedores DNS no responden. Asegúrate de que tus proveedores DNS sean estables y de que el tiempo de espera tu proveedor DNS sea bajo.",
    "autofix_warning_text": "Si haces clic en \"Corregir\", AdGuard Home configurará tu sistema para utilizar el servidor DNS de AdGuard Home.",
    "autofix_warning_list": "Realizará estas tareas: <0>Deshabilitar el sistema DNSStubListener</0> <0>Establecer la dirección del servidor DNS en 127.0.0.1</0> <0>Reemplazar el destino del enlace simbólico de /etc/resolv.conf por /run/systemd/resolve/resolv.conf</0> <0>Detener DNSStubListener (recargar el servicio systemd-resolved)</0>",
    "autofix_warning_result": "Como resultado, todas las peticiones DNS de tu sistema serán procesadas por AdGuard Home de manera predeterminada.",
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Razón: {{reason}}",
    "check_service": "Nombre del servicio: {{service}}",
+    "check_hostname": "Nombre de host o nombre de dominio",
+    "check_client_id": "Identificador del cliente (ClientID o dirección IP)",
+    "check_enter_client_id": "Ingresa el identificador del cliente",
+    "check_dns_record": "Selecciona el tipo de registro DNS",
    "service_name": "Nombre del servicio",
    "check_not_found": "No se ha encontrado en tus listas de filtros",
    "client_confirm_block": "¿Estás seguro de que deseas bloquear al cliente \"{{ip}}\"?",
@@ -658,7 +662,7 @@
    "enter_cache_size": "Ingresa el tamaño de la caché (bytes)",
    "enter_cache_ttl_min_override": "Ingresa el TTL mínimo (en segundos)",
    "enter_cache_ttl_max_override": "Ingresa el TTL máximo (en segundos)",
-    "cache_ttl_min_override_desc": "Amplía el corto tiempo de vida (segundos) de los valores recibidos del servidor DNS de subida al almacenar en caché las respuestas DNS.",
+    "cache_ttl_min_override_desc": "Amplía el corto tiempo de vida (segundos) de los valores recibidos del proveedor DNS al almacenar en caché las respuestas DNS.",
    "cache_ttl_max_override_desc": "Establece un valor de tiempo de vida (segundos) máximo para las entradas en la caché DNS.",
    "ttl_cache_validation": "La anulación TTL mínimo de la caché debe ser menor o igual al máximo",
    "cache_optimistic": "Caché optimista",
@@ -744,7 +748,7 @@
    "thursday_short": "Jue.",
    "friday_short": "Vie.",
    "saturday_short": "Sáb.",
-    "upstream_dns_cache_configuration": "Configuración de la caché DNS upstream",
-    "enable_upstream_dns_cache": "Habilitar el almacenamiento en caché de DNS para la configuración personalizada de este cliente",
+    "upstream_dns_cache_configuration": "Configuración de la caché del proveedor DNS",
+    "enable_upstream_dns_cache": "Habilitar el almacenamiento en caché del DNS para la configuración personalizada de este cliente",
    "dns_cache_size": "Tamaño de la caché DNS, en bytes"
 }
--- a/client/src/__locales/fr.json
+++ b/client/src/__locales/fr.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME : {{cname}}",
    "check_reason": "Raison : {{reason}}",
    "check_service": "Nom du service : {{service}}",
+    "check_hostname": "Nom d'hôte ou nom de domaine",
+    "check_client_id": "Identifiant du client (ClientID ou adresse IP)",
+    "check_enter_client_id": "Saisissez l'identifiant du client",
+    "check_dns_record": "Sélectionnez le type d'enregistrement DNS",
    "service_name": "Nom du service",
    "check_not_found": "Introuvable dans vos listes de filtres",
    "client_confirm_block": "Voulez-vous vraiment bloquer le client « {{ip}} » ?",
--- a/client/src/__locales/it.json
+++ b/client/src/__locales/it.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Motivo: {{reason}}",
    "check_service": "Nome servizio: {{service}}",
+    "check_hostname": "Nome host o nome di dominio",
+    "check_client_id": "Identificatore client (ClientID o indirizzo IP)",
+    "check_enter_client_id": "Inserisci identificatore client",
+    "check_dns_record": "Seleziona il tipo di registrazione DNS",
    "service_name": "Nome servizio",
    "check_not_found": "Non trovato negli elenchi dei filtri",
    "client_confirm_block": "Sei sicuro di voler bloccare il client \"{{ip}}\"?",
--- a/client/src/__locales/ja.json
+++ b/client/src/__locales/ja.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "理由: {{reason}}",
    "check_service": "サービス名: {{service}}",
+    "check_hostname": "ホスト名またはドメイン名",
+    "check_client_id": "クライアント識別子 (ClientID または IP アドレス)",
+    "check_enter_client_id": "クライアント識別子を入力してください",
+    "check_dns_record": "DNSレコードタイプ（DNS record type）を選択",
    "service_name": "サービス名",
    "check_not_found": "フィルタ一覧には見つかりません",
    "client_confirm_block": "クライアント\"{{ip}}\"をブロックしてもよろしいですか？",
--- a/client/src/__locales/ko.json
+++ b/client/src/__locales/ko.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "이유: {{reason}}",
    "check_service": "서비스 이름: {{service}}",
+    "check_hostname": "호스트 이름 또는 도메인 이름",
+    "check_client_id": "클라이언트 식별자(클라이언트 ID 또는 IP 주소)",
+    "check_enter_client_id": "클라이언트 식별자 입력",
+    "check_dns_record": "DNS 레코드 유형 선택",
    "service_name": "서비스 이름",
    "check_not_found": "필터 목록에서 찾을 수 없음",
    "client_confirm_block": "정말로 클라이언트 '{{ip}}'을(를) 차단하시겠습니까?",
--- a/client/src/__locales/nl.json
+++ b/client/src/__locales/nl.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Reden: {{reason}}",
    "check_service": "Servicenaam: {{service}}",
+    "check_hostname": "Hostnaam of domeinnaam",
+    "check_client_id": "Client identificator (ClientID of IP-adres)",
+    "check_enter_client_id": "Voer Client identificator in",
+    "check_dns_record": "Selecteer type DNS-record",
    "service_name": "Naam service",
    "check_not_found": "Niet in je lijst met filters gevonden",
    "client_confirm_block": "Weet je zeker dat je client \"{{ip}}\" wil blokkeren?",
--- a/client/src/__locales/no.json
+++ b/client/src/__locales/no.json
@@ -106,7 +106,6 @@
    "stats_malware_phishing": "Blokkert skadevare/phishing",
    "stats_adult": "Blokkerte voksennettsteder",
    "stats_query_domain": "Mest forespurte domener",
-    "for_last_24_hours": "de siste 24 timene",
    "for_last_days": "for den siste {{count}} dagen",
    "for_last_days_plural": "de siste {{count}} dagene",
    "stats_disabled": "Statistikkene har blitt skrudd av. Du kan skru den på fra <0>innstillingssiden</0>.",
@@ -121,7 +120,6 @@
    "no_upstreams_data_found": "Ingen oppstrøms servere data funnet",
    "number_of_dns_query_days": "Antall DNS-spørringer behandlet for de siste {{count}} dagene",
    "number_of_dns_query_days_plural": "Antall DNS-forespørsler som ble behandlet de siste {{count}} dagene",
-    "number_of_dns_query_24_hours": "Antall DNS-forespørsler som ble behandlet de siste 24 timene",
    "number_of_dns_query_blocked_24_hours": "Antall DNS-forespørsler som ble blokkert av adblock-filtre, hosts-lister, og domene-lister",
    "number_of_dns_query_blocked_24_hours_by_sec": "Antall DNS-forespørsler som ble blokkert av AdGuard sin nettlesersikkerhetsmodul",
    "number_of_dns_query_blocked_24_hours_adult": "Antall voksennettsteder som ble blokkert",
@@ -266,6 +264,7 @@
    "custom_ip": "Tilpasset IP",
    "blocking_ipv4": "IPv4-blokkering",
    "blocking_ipv6": "IPv6-blokkering",
+    "blocked_response_ttl": "Blokkert svar TTL",
    "dnscrypt": "DNSCrypt",
    "dns_over_https": "DNS-over-HTTPS",
    "dns_over_tls": "DNS-over-TLS",
@@ -627,7 +626,6 @@
    "use_saved_key": "Bruk den tidligere lagrede nøkkelen",
    "parental_control": "Foreldrekontroll",
    "safe_browsing": "Sikker surfing",
-    "served_from_cache": "{{value}} <i>(formidlet fra mellomlageret)</i>",
    "theme_dark_desc": "Mørkt tema",
    "theme_light_desc": "Lyst tema",
    "disable_notify_until_tomorrow": "Deaktiver beskyttelsen til i morgen",
--- a/client/src/__locales/pt-br.json
+++ b/client/src/__locales/pt-br.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Motivo: {{reason}}",
    "check_service": "Nome do serviço: {{service}}",
+    "check_hostname": "Nome do anfitrião ou nome de domínio",
+    "check_client_id": "Identificador do cliente (ClienteID ou endereço de IP)",
+    "check_enter_client_id": "Insira o identificador do cliente",
+    "check_dns_record": "Selecione o tipo de registro DNS",
    "service_name": "Nome do serviço",
    "check_not_found": "Não encontrado em suas listas de filtros",
    "client_confirm_block": "Você tem certeza de que deseja bloquear o cliente \"{{ip}}\"?",
--- a/client/src/__locales/pt-pt.json
+++ b/client/src/__locales/pt-pt.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Motivo: {{reason}}",
    "check_service": "Nome do serviço: {{service}}",
+    "check_hostname": "Nome do hospedeiro ou nome de domínio",
+    "check_client_id": "Identificador do cliente (ClientID ou endereço IP)",
+    "check_enter_client_id": "Insira o identificador do cliente",
+    "check_dns_record": "Selecione o tipo de registro DNS",
    "service_name": "Nome do serviço",
    "check_not_found": "Não encontrado nas tuas listas de filtros",
    "client_confirm_block": "Você tem certeza de que deseja bloquear o cliente \"{{ip}}\"?",
--- a/client/src/__locales/ru.json
+++ b/client/src/__locales/ru.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Причина: {{reason}}",
    "check_service": "Название сервиса: {{service}}",
+    "check_hostname": "Имя хоста или домена",
+    "check_client_id": "Идентификатор клиента (ClientID или IP-адрес)",
+    "check_enter_client_id": "Введите идентификатор клиента",
+    "check_dns_record": "Выберите тип DNS-записи",
    "service_name": "Имя сервиса",
    "check_not_found": "Не найдено в вашем списке фильтров",
    "client_confirm_block": "Вы уверены, что хотите заблокировать клиента «{{ip}}»?",
--- a/client/src/__locales/sk.json
+++ b/client/src/__locales/sk.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Dôvod: {{reason}}",
    "check_service": "Meno služby: {{service}}",
+    "check_hostname": "Názov hostiteľa alebo názov domény",
+    "check_client_id": "Identifikátor klienta (ClientID alebo IP adresa)",
+    "check_enter_client_id": "Zadajte identifikátor klienta",
+    "check_dns_record": "Vyberte typ DNS záznamu",
    "service_name": "Názov služby",
    "check_not_found": "Nenašlo sa vo Vašom zozname filtrov",
    "client_confirm_block": "Naozaj chcete zablokovať klienta \"{{ip}}\"?",
--- a/client/src/__locales/tr.json
+++ b/client/src/__locales/tr.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "Sebep: {{reason}}",
    "check_service": "Hizmet adı: {{service}}",
+    "check_hostname": "Ana makine adı veya alan adı",
+    "check_client_id": "İstemci tanımlayıcısı (ClientID veya IP adresi)",
+    "check_enter_client_id": "İstemci tanımlayıcısı girin",
+    "check_dns_record": "DNS kayıt türünü seçin",
    "service_name": "Hizmet adı",
    "check_not_found": "Filtre listelerinizde bulunamadı",
    "client_confirm_block": "\"{{ip}}\" istemcisini engellemek istediğinizden emin misiniz?",
--- a/client/src/__locales/zh-cn.json
+++ b/client/src/__locales/zh-cn.json
@@ -620,6 +620,10 @@
    "check_cname": "CNAME: {{cname}}",
    "check_reason": "原因：{{reason}}",
    "check_service": "服务名称：{{service}}",
+    "check_hostname": "主机名或域名",
+    "check_client_id": "客户端标识符（ClientID 或 IP 地址）",
+    "check_enter_client_id": "输入客户端标识符",
+    "check_dns_record": "选择 DNS 记录类型",
    "service_name": "服务名称",
    "check_not_found": "未在您的筛选列表中找到",
    "client_confirm_block": "确定要阻止客户端 \"{{ip}}\"?",
--- a/client/src/__locales/zh-tw.json
+++ b/client/src/__locales/zh-tw.json
@@ -1,6 +1,6 @@
 {
    "client_settings": "用戶端設定",
-    "example_upstream_reserved": "<0>供特定的網域</0>之上游；",
+    "example_upstream_reserved": "<0>特定網域</0>的上游；",
    "example_multiple_upstreams_reserved": "<0>特定網域</0>的多個上游伺服器；",
    "example_upstream_comment": "註解。",
    "upstream_parallel": "透過同時地查詢所有上游的伺服器，使用並行的查詢以加速解析。",
@@ -20,7 +20,7 @@
    "resolve_clients_title": "啟用用戶端的 IP 位址之反向的解析",
    "resolve_clients_desc": "透過傳送指標（PTR）查詢到對應的解析器（私人 DNS 伺服器供區域的用戶端，上游的伺服器供有公共 IP 位址的用戶端），反向地解析用戶端的 IP 位址變為它們的主機名稱。",
    "use_private_ptr_resolvers_title": "使用私人反向的 DNS 解析器",
-    "use_private_ptr_resolvers_desc": "使用私人上游伺服器、DHCP、/etc/hosts 等方式解析包含私人 IP 位址的 ARPA 網域的 PTR、SOA 和 NS 請求。如果停用，AdGuard Home 將對所有此類請求以 NXDOMAIN 回應。",
+    "use_private_ptr_resolvers_desc": "透過私有上游伺服器、DHCP 或 /etc/hosts 等管道，解析含有私有 IP 位址的 ARPA 網域的 PTR、SOA 與 NS 請求。若停用此功能，AdGuard Home 將以 NXDOMAIN 回應所有相關請求。",
    "check_dhcp_servers": "檢查動態主機設定協定（DHCP）伺服器",
    "save_config": "儲存配置",
    "enabled_dhcp": "動態主機設定協定（DHCP）伺服器被啟用",
@@ -112,8 +112,8 @@
    "privacy_policy": "隱私政策",
    "enable_protection": "啟用防護",
    "enabled_protection": "已啟用防護",
-    "disable_protection": "禁用防護",
-    "disabled_protection": "已禁用防護",
+    "disable_protection": "停用防護",
+    "disabled_protection": "已停用防護",
    "refresh_statics": "重新整理統計資料",
    "dns_query": "DNS 查詢",
    "blocked_by": "<0>被過濾器封鎖</0>",
@@ -124,8 +124,8 @@
    "for_last_hours_plural": "在過去的 {{count}} 小時內",
    "for_last_days": "在最近的 {{count}} 日內",
    "for_last_days_plural": "在最近的 {{count}} 日內",
-    "stats_disabled": "該統計資料已被禁用。您可從<0>設定頁面</0>中打開它。",
-    "stats_disabled_short": "該統計資料已被禁用",
+    "stats_disabled": "統計功能目前停用中，請至<0>設定頁面</0>重新開啟。",
+    "stats_disabled_short": "該統計資料已停用",
    "no_domains_found": "無已發現之網域",
    "requests_count": "請求總數",
    "top_blocked_domains": "熱門已封鎖的網域",
@@ -172,13 +172,13 @@
    "upstreams": "上游",
    "upstream": "上游伺服器",
    "apply_btn": "套用",
-    "disabled_filtering_toast": "已禁用過濾",
+    "disabled_filtering_toast": "已停用過濾",
    "enabled_filtering_toast": "已啟用過濾",
-    "disabled_safe_browsing_toast": "已禁用安全瀏覽",
+    "disabled_safe_browsing_toast": "已停用安全瀏覽",
    "enabled_safe_browsing_toast": "已啟用安全瀏覽",
-    "disabled_parental_toast": "已禁用家長控制",
+    "disabled_parental_toast": "已停用家長控制",
    "enabled_parental_toast": "已啟用家長控制",
-    "disabled_safe_search_toast": "已禁用安全搜尋",
+    "disabled_safe_search_toast": "已停用安全搜尋",
    "enabled_save_search_toast": "已啟用安全搜尋",
    "updated_save_search_toast": "安全搜尋設定更新成功",
    "enabled_table_header": "已啟用",
@@ -275,7 +275,7 @@
    "query_log_retention": "查詢記錄保留時間",
    "query_log_enable": "啟用記錄",
    "query_log_configuration": "記錄配置",
-    "query_log_disabled": "查詢記錄被禁用並可在<0>設定</0>中被配置",
+    "query_log_disabled": "查詢記錄功能已停用，請至「<0>設定</0>」調整",
    "query_log_strict_search": "使用雙引號於嚴謹的搜尋",
    "query_log_retention_confirm": "您確定要更改記錄檔保存期限嗎？如果您縮短期限部分資料可能將會遺失",
    "anonymize_client_ip": "將用戶端 IP 匿名",
@@ -401,7 +401,7 @@
    "encryption_config_saved": "加密配置被儲存",
    "encryption_server": "伺服器名稱",
    "encryption_server_enter": "輸入您的域名",
-    "encryption_server_desc": "如果被設定，AdGuard Home 檢測用戶端 IDs，回覆 DDR 查詢，並執行額外的連線驗證。如果未被設定，這些功能被禁用。必須與在該憑證裡的 DNS 名稱其中之一相符。",
+    "encryption_server_desc": "如果設定，AdGuard Home 會偵測 ClientID、回應 DDR 查詢，並執行其他連線驗證。如果未設定，則會停用這些功能。必須符合憑證中的一個 DNS 名稱。",
    "encryption_redirect": "自動地重新導向到 HTTPS",
    "encryption_redirect_desc": "如果被勾選，AdGuard Home 將自動地重新導向您從 HTTP 到 HTTPS 位址。",
    "encryption_https": "HTTPS 連接埠",
@@ -429,8 +429,8 @@
    "encryption_reset": "您確定您想要重置加密設定嗎？",
    "encryption_warning": "警告",
    "encryption_plain_dns_enable": "啟用一般的 DNS",
-    "encryption_plain_dns_desc": "預設情況下啟用一般的 DNS。使用者可以禁用它，強制所有裝置使用一般的 DNS。為此，必須至少啟用一個一般的 DNS 協定。",
-    "encryption_plain_dns_error": "要禁用一般的 DNS，請至少啟用一個一般的 DNS 協定",
+    "encryption_plain_dns_desc": "預設啟用一般 DNS。您可以停用它以強制所有裝置使用加密 DNS。若要這樣做，您必須啟用至少一個加密 DNS 通訊協定",
+    "encryption_plain_dns_error": "若要停用一般 DNS，請啟用至少一個加密 DNS 通訊協定",
    "topline_expiring_certificate": "您的安全通訊端層（SSL）憑證即將到期。更新<0>加密設定</0>。",
    "topline_expired_certificate": "您的安全通訊端層（SSL）憑證為已到期的。更新<0>加密設定</0>。",
    "form_error_port_range": "輸入在 80-65535 之範圍內的連接埠號碼",
@@ -572,7 +572,7 @@
    "filters_configuration": "過濾器配置",
    "filters_enable": "啟用過濾器",
    "filters_interval": "過濾器更新間隔",
-    "disabled": "已禁用",
+    "disabled": "已停用",
    "username_label": "使用者名稱",
    "username_placeholder": "輸入使用者名稱",
    "password_label": "密碼",
@@ -598,7 +598,7 @@
    "rewrite_domain_name": "域名：新增一筆正規名稱（CNAME）記錄",
    "rewrite_A": "<0>A</0>：特殊的數值，阻止 <0>A</0> 記錄免於該上游",
    "rewrite_AAAA": "<0>AAAA</0>：特殊的數值，阻止 <0>AAAA</0> 記錄免於該上游",
-    "disable_ipv6": "禁用 IPv6 位址之解析",
+    "disable_ipv6": "停用 IPv6 位址解析",
    "disable_ipv6_desc": "停止所有對於 IPv6 位址（類型 AAAA）的 DNS 查詢，並從 HTTPS 回應中移除 IPv6 的提示。",
    "fastest_addr": "最快的 IP 位址",
    "fastest_addr_desc": "等待<b>所有</b> DNS 伺服器的回應，測量每個伺服器的 TCP 連線速度，並返回連線速度最快的伺服器的 IP 位址。<br/>如果一個或多個上游伺服器沒有回應，此模式會顯著減慢 DNS 查詢速度。確保您的上游伺服器穩定且上游超時時間短。",
@@ -620,6 +620,10 @@
    "check_cname": "正規名稱（CNAME）：{{cname}}",
    "check_reason": "原因：{{reason}}",
    "check_service": "服務名稱：{{service}}",
+    "check_hostname": "主機名稱或域名",
+    "check_client_id": "用戶端識別碼（ClientID 或 IP 位址）",
+    "check_enter_client_id": "輸入用戶識別碼",
+    "check_dns_record": "選擇 DNS 記錄類型",
    "service_name": "服務名稱",
    "check_not_found": "未在您的過濾器清單中被找到",
    "client_confirm_block": "您確定您想要封鎖該用戶端 \"{{ip}}\" 嗎？",
@@ -652,7 +656,7 @@
    "blocklist": "封鎖清單",
    "milliseconds_abbreviation": "ms",
    "cache_size": "快取大小",
-    "cache_size_desc": "DNS 快取大小（以位元組）。要禁用快取，留空。",
+    "cache_size_desc": "DNS 快取大小 (位元組)。若要停用快取，請留空。",
    "cache_ttl_min_override": "覆寫最小的存活時間（TTL）",
    "cache_ttl_max_override": "覆寫最大的存活時間（TTL）",
    "enter_cache_size": "輸入快取大小（位元組）",
@@ -677,13 +681,13 @@
    "port_53_faq_link": "連接埠 53 常被 \"DNSStubListener\" 或 \"systemd-resolved\" 服務佔用。請閱讀有關如何解決這個的<0>用法說明</0>。",
    "adg_will_drop_dns_queries": "AdGuard Home 將持續排除來自此用戶端之所有的 DNS 查詢。",
    "filter_allowlist": "警告：此動作也將把 \"{{disallowed_rule}}\" 規則排除在被允許的用戶端的清單之外。",
-    "last_rule_in_allowlist": "因為排除 \"{{disallowed_rule}}\" 規則將禁用\"被允許的用戶端\"清單，無法不允許此用戶端。",
+    "last_rule_in_allowlist": "無法禁止此用戶端，因為排除規則 \"{{disallowed_rule}}\" 會停用「允許的用戶端」清單。",
    "use_saved_key": "使用該先前已儲存的金鑰",
    "parental_control": "家長控制",
    "safe_browsing": "安全瀏覽",
    "served_from_cache_label": "從快取中",
    "form_error_password_length": "密碼長度必須為 {{min}} 到 {{max}} 個字符",
-    "anonymizer_notification": "<0>注意：</0>IP 匿名化被啟用。您可在<1>一般設定</1>中禁用它。",
+    "anonymizer_notification": "<0>注意：</0>IP 匿名功能已開啟。您可在<1>一般設定</1>中關閉。",
    "confirm_dns_cache_clear": "您確定您想要清除 DNS 快取嗎？",
    "cache_cleared": "DNS 快取被成功地清除",
    "clear_cache": "清除快取",
@@ -698,14 +702,14 @@
    "disable_for_hours": "{{count}} 小時",
    "disable_for_hours_plural": "{{count}} 小時",
    "disable_until_tomorrow": "直到明天",
-    "disable_notify_for_seconds": "計 {{count}} 秒禁用防護",
-    "disable_notify_for_seconds_plural": "計 {{count}} 秒禁用防護",
-    "disable_notify_for_minutes": "計 {{count}} 分鐘禁用防護",
-    "disable_notify_for_minutes_plural": "計 {{count}} 分鐘禁用防護",
-    "disable_notify_for_hours": "計 {{count}} 小時禁用防護",
-    "disable_notify_for_hours_plural": "計 {{count}} 小時禁用防護",
-    "disable_notify_until_tomorrow": "禁用防護直到明天",
-    "enable_protection_timer": "防護將於 {{time}} 被啟用",
+    "disable_notify_for_seconds": "計 {{count}} 秒停用防護",
+    "disable_notify_for_seconds_plural": "計 {{count}} 秒停用防護",
+    "disable_notify_for_minutes": "計 {{count}} 分鐘停用防護",
+    "disable_notify_for_minutes_plural": "計 {{count}} 分鐘停用防護",
+    "disable_notify_for_hours": "計 {{count}} 小時停用防護",
+    "disable_notify_for_hours_plural": "計 {{count}} 小時停用防護",
+    "disable_notify_until_tomorrow": "停用防護直到明天",
+    "enable_protection_timer": "防護將於 {{time}} 啟用",
    "custom_retention_input": "輸入保留時間（小時）",
    "custom_rotation_input": "輸入旋轉時間（小時）",
    "protection_section_label": "防護",
--- a/client/src/components/Filters/Check/index.tsx
+++ b/client/src/components/Filters/Check/index.tsx
@@ -9,13 +9,17 @@ import Info from './Info';
 import { RootState } from '../../../initialState';
 import { validateRequiredValue } from '../../../helpers/validators';
 import { Input } from '../../ui/Controls/Input';
+import { DNS_RECORD_TYPES } from '../../../helpers/constants';
+import { Select } from '../../ui/Controls/Select';

-interface FormValues {
+export type FilteringCheckFormValues = {
    name: string;
+    client?: string;
+    qtype?: string;
 }

 type Props = {
-    onSubmit?: (data: FormValues) => void;
+    onSubmit?: (data: FilteringCheckFormValues) => void;
 };

 const Check = ({ onSubmit }: Props) => {
@@ -27,11 +31,13 @@ const Check = ({ onSubmit }: Props) => {
    const {
        control,
        handleSubmit,
-        formState: { isDirty, isValid },
-    } = useForm<FormValues>({
+        formState: { isValid },
+    } = useForm<FilteringCheckFormValues>({
        mode: 'onBlur',
        defaultValues: {
            name: '',
+            client: '',
+            qtype: DNS_RECORD_TYPES[0],
        },
    });

@@ -48,24 +54,56 @@ const Check = ({ onSubmit }: Props) => {
                                <Input
                                    {...field}
                                    type="text"
+                                    label={t('check_hostname')}
                                    data-testid="check_domain_name"
-                                    placeholder={t('form_enter_host')}
+                                    placeholder="example.com"
                                    error={fieldState.error?.message}
-                                    rightAddon={
-                                        <span className="input-group-append">
-                                            <button
-                                                className="btn btn-success btn-standard btn-large"
-                                                type="submit"
-                                                data-testid="check_domain_submit"
-                                                disabled={!isDirty || !isValid || processingCheck}>
-                                                {t('check')}
-                                            </button>
-                                        </span>
-                                    }
                                />
                            )}
                        />

+                        <Controller
+                            name="client"
+                            control={control}
+                            render={({ field, fieldState }) => (
+                                <Input
+                                    {...field}
+                                    type="text"
+                                    data-testid="check_client_id"
+                                    label={t('check_client_id')}
+                                    placeholder={t('check_enter_client_id')}
+                                    error={fieldState.error?.message}
+                                />
+                            )}
+                        />
+
+                        <Controller
+                            name="qtype"
+                            control={control}
+                            render={({ field }) => (
+                                <Select
+                                    {...field}
+                                    label={t('check_dns_record')}
+                                    data-testid="check_dns_record_type"
+                                >
+                                    {DNS_RECORD_TYPES.map((type) => (
+                                        <option key={type} value={type}>
+                                            {type}
+                                        </option>
+                                    ))}
+                                </Select>
+                            )}
+                        />
+
+                        <button
+                            className="btn btn-success btn-standard btn-large"
+                            type="submit"
+                            data-testid="check_domain_submit"
+                            disabled={!isValid || processingCheck}
+                        >
+                            {t('check')}
+                        </button>
+
                        {hostname && (
                            <>
                                <hr />
--- a/client/src/components/Filters/CustomRules.tsx
+++ b/client/src/components/Filters/CustomRules.tsx
@@ -7,7 +7,7 @@ import PageTitle from '../ui/PageTitle';

 import Examples from './Examples';

-import Check from './Check';
+import Check, { FilteringCheckFormValues } from './Check';

 import { getTextareaCommentsHighlight, syncScroll } from '../../helpers/highlightTextareaComments';
 import { COMMENT_LINE_DEFAULT_TOKEN } from '../../helpers/constants';
@@ -48,8 +48,18 @@ class CustomRules extends Component<CustomRulesProps> {
        this.props.setRules(this.props.filtering.userRules);
    };

-    handleCheck = (values: any) => {
-        this.props.checkHost(values);
+    handleCheck = (values: FilteringCheckFormValues) => {
+        const params: FilteringCheckFormValues = { name: values.name };
+
+        if (values.client) {
+            params.client = values.client;
+        }
+
+        if (values.qtype) {
+            params.qtype = values.qtype;
+        }
+
+        this.props.checkHost(params);
    };

    onScroll = (e: any) => syncScroll(e, this.ref);
--- a/client/src/components/Logs/Filters/Form.tsx
+++ b/client/src/components/Logs/Filters/Form.tsx
@@ -6,6 +6,8 @@ import { useDispatch } from 'react-redux';
 import { useHistory } from 'react-router-dom';
 import classNames from 'classnames';
 import { useFormContext } from 'react-hook-form';
+import queryString from 'query-string';
+
 import {
    DEBOUNCE_FILTER_TIMEOUT,
    DEFAULT_LOGS_FILTER,
@@ -54,9 +56,17 @@ export const Form = ({ className, setIsLoading }: Props) => {
        }
    }, [responseStatusValue, setValue]);

+    useEffect(() => {
+        const { search: searchUrlParam } = queryString.parse(history.location.search);
+
+        if (searchUrlParam !== searchValue) {
+            setValue('search', searchUrlParam ? searchUrlParam.toString() : '');
+        }
+    }, [history.location.search]);
+
    const onInputClear = async () => {
        setIsLoading(true);
-        setValue('search', DEFAULT_LOGS_FILTER.search);
+        history.push(getLogsUrlParams(DEFAULT_LOGS_FILTER.search, responseStatusValue));
        setIsLoading(false);
    };

--- a/client/src/helpers/constants.ts
+++ b/client/src/helpers/constants.ts
@@ -523,3 +523,12 @@ export const TIME_UNITS = {
    HOURS: 'hours',
    DAYS: 'days',
 };
+
+export const DNS_RECORD_TYPES = [
+    "A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME",
+    "CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64",
+    "HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR",
+    "NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG",
+    "SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY",
+    "TLSA", "TSIG", "TXT", "URI", "ZONEMD"
+];
--- a/client/src/helpers/trackers/trackers.json
+++ b/client/src/helpers/trackers/trackers.json
@@ -1,5 +1,5 @@
 {
-	"timeUpdated": "2025-03-10T15:13:28.992Z",
+	"timeUpdated": "2025-03-17T10:05:02.622Z",
 	"categories": {
 		"0": "audio_video_player",
 		"1": "comments",
@@ -20958,6 +20958,7 @@
 		"audiencesquare.com": "audiencesquare.com",
 		"ad.gt": "audiencesquare.com",
 		"audigent.com": "audiencesquare.com",
+		"hadronid.net": "audiencesquare.com",
 		"auditude.com": "auditude",
 		"audtd.com": "audtd.com",
 		"cdn.augur.io": "augur",
@@ -21413,6 +21414,7 @@
 		"static.clmbtech.com": "columbia_online",
 		"combotag.com": "combotag",
 		"pdk.theplatform.com": "comcast_technology_solutions",
+		"theplatform.com": "comcast_technology_solutions",
 		"comm100.cn": "comm100",
 		"comm100.com": "comm100",
 		"cdn-cs.com": "commerce_sciences",
--- a/client/src/login/Login/Form.tsx
+++ b/client/src/login/Login/Form.tsx
@@ -62,7 +62,7 @@ const Form = ({ onSubmit, processing }: LoginFormProps) => {
                                {...field}
                                data-testid="password"
                                type="password"
-                                label={t('username_label')}
+                                label={t('password_label')}
                                placeholder={t('password_placeholder')}
                                error={fieldState.error?.message}
                                autoComplete="current-password"
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,12 +1,12 @@
 # A docker file for scripts/make/build-docker.sh.

-FROM alpine:3.18
+FROM alpine:3.21

 ARG BUILD_DATE
 ARG VERSION
 ARG VCS_REF

-LABEL\
+LABEL \
 	maintainer="AdGuard Team <devteam@adguard.com>" \
 	org.opencontainers.image.authors="AdGuard Team <devteam@adguard.com>" \
 	org.opencontainers.image.created=$BUILD_DATE \
@@ -30,8 +30,8 @@ ARG TARGETARCH
 ARG TARGETOS
 ARG TARGETVARIANT

-COPY --chown=nobody:nogroup\
-	./${DIST_DIR}/docker/AdGuardHome_${TARGETOS}_${TARGETARCH}_${TARGETVARIANT}\
+COPY --chown=nobody:nogroup \
+	./${DIST_DIR}/docker/AdGuardHome_${TARGETOS}_${TARGETARCH}_${TARGETVARIANT} \
 	/opt/adguardhome/AdGuardHome

 RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
@@ -45,8 +45,15 @@ RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
 # 3000   : TCP, UDP : HTTP(S) (alt, incl. HTTP/3)
 # 5443   : TCP, UDP : DNSCrypt (alt)
 # 6060   : TCP      : HTTP (pprof)
-EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 853/tcp\
-	853/udp 3000/tcp 3000/udp 5443/tcp 5443/udp 6060/tcp
+EXPOSE 53/tcp 53/udp \
+	67/udp \
+	68/udp \
+	80/tcp \
+	443/tcp 443/udp \
+	853/tcp 853/udp \
+	3000/tcp 3000/udp \
+	5443/tcp 5443/udp \
+	6060/tcp

 WORKDIR /opt/adguardhome/work

--- a/go.mod
+++ b/go.mod
@@ -1,17 +1,17 @@
 module github.com/AdguardTeam/AdGuardHome

-go 1.24.1
+go 1.24.2

 require (
-	github.com/AdguardTeam/dnsproxy v0.75.1
-	github.com/AdguardTeam/golibs v0.32.5
+	github.com/AdguardTeam/dnsproxy v0.75.2
+	github.com/AdguardTeam/golibs v0.32.7
 	github.com/AdguardTeam/urlfilter v0.20.0
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/ameshkov/dnscrypt/v2 v2.3.0
+	github.com/ameshkov/dnscrypt/v2 v2.4.0
 	github.com/bluele/gcache v0.0.2
 	github.com/c2h5oh/datasize v0.0.0-20231215233829-aa82cc1e6500
 	github.com/digineo/go-ipset/v2 v2.2.1
-	github.com/fsnotify/fsnotify v1.8.0
+	github.com/fsnotify/fsnotify v1.9.0
 	// TODO(e.burkov): This package is deprecated; find a new one or use our
 	// own code for that.  Perhaps, use gopacket.
 	github.com/go-ping/ping v1.2.0
@@ -28,33 +28,31 @@ require (
 	// TODO(a.garipov): This package is deprecated; find a new one or use our
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
-	github.com/miekg/dns v1.1.63
-	github.com/quic-go/quic-go v0.49.0
+	github.com/miekg/dns v1.1.65
+	github.com/quic-go/quic-go v0.50.1
 	github.com/stretchr/testify v1.10.0
 	github.com/ti-mo/netfilter v0.5.2
 	go.etcd.io/bbolt v1.4.0
-	golang.org/x/crypto v0.36.0
-	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
-	golang.org/x/net v0.37.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/crypto v0.37.0
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
+	golang.org/x/net v0.39.0
+	golang.org/x/sys v0.32.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 	howett.net/plist v1.0.1
 )

 require (
-	cloud.google.com/go v0.118.3 // indirect
-	cloud.google.com/go/ai v0.10.0 // indirect
+	cloud.google.com/go v0.120.0 // indirect
+	cloud.google.com/go/ai v0.10.1 // indirect
 	cloud.google.com/go/auth v0.15.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	cloud.google.com/go/longrunning v0.6.5 // indirect
-	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
-	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
-	github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 // indirect
+	cloud.google.com/go/longrunning v0.6.6 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/ameshkov/dnsstamps v1.0.3 // indirect
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 // indirect
-	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
@@ -63,16 +61,16 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/golangci/misspell v0.6.0 // indirect
 	github.com/google/generative-ai-go v0.19.0 // indirect
-	github.com/google/pprof v0.0.0-20250202011525-fc3143867406 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.5 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gookit/color v1.5.4 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/jstemmer/go-junit-report/v2 v2.1.0 // indirect
 	github.com/kisielk/errcheck v1.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.22.2 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -80,7 +78,7 @@ require (
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/securego/gosec/v2 v2.22.2 // indirect
+	github.com/securego/gosec/v2 v2.22.3 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/uudashr/gocognit v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
@@ -90,23 +88,24 @@ require (
 	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250305212735-054e65f0b394 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/telemetry v0.0.0-20250305155315-2a181eac97a3 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/telemetry v0.0.0-20250406004356-f593adaf3fc1 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	golang.org/x/vuln v1.1.4 // indirect
-	gonum.org/v1/gonum v0.15.1 // indirect
-	google.golang.org/api v0.224.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.71.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	gonum.org/v1/gonum v0.16.0 // indirect
+	google.golang.org/api v0.228.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250407143221-ac9807e6c755 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250407143221-ac9807e6c755 // indirect
+	google.golang.org/grpc v1.71.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	honnef.co/go/tools v0.6.1 // indirect
 	mvdan.cc/editorconfig v0.3.0 // indirect
 	mvdan.cc/gofumpt v0.7.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,31 +1,27 @@
-cloud.google.com/go v0.118.3 h1:jsypSnrE/w4mJysioGdMBg4MiW/hHx/sArFpaBWHdME=
-cloud.google.com/go v0.118.3/go.mod h1:Lhs3YLnBlwJ4KA6nuObNMZ/fCbOQBPuWKPoE0Wa/9Vc=
-cloud.google.com/go/ai v0.10.0 h1:hwj6CI6sMKubXodoJJGTy/c2T1RbbLGM6TL3QoAvzU8=
-cloud.google.com/go/ai v0.10.0/go.mod h1:kvnt2KeHqX8+41PVeMRBETDyQAp/RFvBWGdx/aGjNMo=
+cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA=
+cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q=
+cloud.google.com/go/ai v0.10.1 h1:EU93KqYmMeOKgaBXAz2DshH2C/BzAT1P+iJORksLIic=
+cloud.google.com/go/ai v0.10.1/go.mod h1:sWWHZvmJ83BjuxAQtYEiA0SFTpijtbH+SXWFO14ri5A=
 cloud.google.com/go/auth v0.15.0 h1:Ly0u4aA5vG/fsSsxu98qCQBemXtAtJf+95z9HK+cxps=
 cloud.google.com/go/auth v0.15.0/go.mod h1:WJDGqZ1o9E9wKIL+IwStfyn/+s59zl4Bi+1KQNVXLZ8=
-cloud.google.com/go/auth/oauth2adapt v0.2.7 h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M=
-cloud.google.com/go/auth/oauth2adapt v0.2.7/go.mod h1:NTbTTzfvPl1Y3V1nPpOgl2w6d/FjO7NNUQaWSox6ZMc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
-cloud.google.com/go/longrunning v0.6.5 h1:sD+t8DO8j4HKW4QfouCklg7ZC1qC4uzVZt8iz3uTW+Q=
-cloud.google.com/go/longrunning v0.6.5/go.mod h1:Et04XK+0TTLKa5IPYryKf5DkpwImy6TluQ1QTLwlKmY=
-github.com/AdguardTeam/dnsproxy v0.75.1 h1:ux2sQfF/9+WRo6a32g9NtfaAPU19gJhqkEu2OZflxJg=
-github.com/AdguardTeam/dnsproxy v0.75.1/go.mod h1:HKBI/IO2/ACOjfTV6qIzB5ZDDxfjgHHvQ3hIbGg9wvc=
-github.com/AdguardTeam/golibs v0.32.5 h1:4Rkv2xBnyJe6l/EM2MFgoY1S4pweYwDgLTYg2MDArEA=
-github.com/AdguardTeam/golibs v0.32.5/go.mod h1:agsvz8Iyv0uV9NU56hpCoFLAtSPkiBf9nPVhDvdUIb0=
+cloud.google.com/go/longrunning v0.6.6 h1:XJNDo5MUfMM05xK3ewpbSdmt7R2Zw+aQEMbdQR65Rbw=
+cloud.google.com/go/longrunning v0.6.6/go.mod h1:hyeGJUrPHcx0u2Uu1UFSoYZLn4lkMrccJig0t4FI7yw=
+github.com/AdguardTeam/dnsproxy v0.75.2 h1:bciOkzQh/GG8vcZGdFn6+rS3pu+2Npt9tbA4bNA/rsc=
+github.com/AdguardTeam/dnsproxy v0.75.2/go.mod h1:U/ouLftmXMIrkTAf8JepqbPuoQzsbXJo0Vxxn+LAdgA=
+github.com/AdguardTeam/golibs v0.32.7 h1:3dmGlAVgmvquCCwHsvEl58KKcRAK3z1UnjMnwSIeDH4=
+github.com/AdguardTeam/golibs v0.32.7/go.mod h1:bE8KV1zqTzgZjmjFyBJ9f9O5DEKO717r7e57j1HclJA=
 github.com/AdguardTeam/urlfilter v0.20.0 h1:X32qiuVCVd8WDYCEsbdZKfXMzwdVqrdulamtUi4rmzs=
 github.com/AdguardTeam/urlfilter v0.20.0/go.mod h1:gjrywLTxfJh6JOkwi9SU+frhP7kVVEZ5exFGkR99qpk=
-github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
-github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
-github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
-github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
-github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
-github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
-github.com/ameshkov/dnscrypt/v2 v2.3.0 h1:pDXDF7eFa6Lw+04C0hoMh8kCAQM8NwUdFEllSP2zNLs=
-github.com/ameshkov/dnscrypt/v2 v2.3.0/go.mod h1:N5hDwgx2cNb4Ay7AhvOSKst+eUiOZ/vbKRO9qMpQttE=
+github.com/ameshkov/dnscrypt/v2 v2.4.0 h1:if6ZG2cuQmcP2TwSY+D0+8+xbPfoatufGlOQTMNkI9o=
+github.com/ameshkov/dnscrypt/v2 v2.4.0/go.mod h1:WpEFV2uhebXb8Jhes/5/fSdpmhGV8TL22RDaeWwV6hI=
 github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
 github.com/ameshkov/dnsstamps v1.0.3/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 h1:0b2vaepXIfMsG++IsjHiI2p4bxALD1Y2nQKGMR5zDQM=
@@ -34,8 +30,8 @@ github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
 github.com/c2h5oh/datasize v0.0.0-20231215233829-aa82cc1e6500 h1:6lhrsTEnloDPXyeZBvSYvQf8u86jbKehZPVDDlkgDl4=
 github.com/c2h5oh/datasize v0.0.0-20231215233829-aa82cc1e6500/go.mod h1:S/7n9copUssQ56c7aAgHqftWO4LTf4xY6CGWt8Bc+3M=
-github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
-github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
+github.com/ccojocar/zxcvbn-go v1.0.4 h1:FWnCIRMXPj43ukfX000kvBZvV6raSxakYr1nzyNrUcc=
+github.com/ccojocar/zxcvbn-go v1.0.4/go.mod h1:3GxGX+rHmueTUMvm5ium7irpyjmm7ikxYFOSJB21Das=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -43,8 +39,8 @@ github.com/digineo/go-ipset/v2 v2.2.1 h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1M
 github.com/digineo/go-ipset/v2 v2.2.1/go.mod h1:wBsNzJlZlABHUITkesrggFnZQtgW5wkqw1uo8Qxe0VU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -76,8 +72,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20250202011525-fc3143867406 h1:wlQI2cYY0BsWmmPPAnxfQ8SDW0S3Jasn+4B8kXFxprg=
-github.com/google/pprof v0.0.0-20250202011525-fc3143867406/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
@@ -87,8 +83,8 @@ github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.5 h1:VgzTY2jogw3xt39CusEnFJWm7rlsq5yL5q9XdLOuP5g=
-github.com/googleapis/enterprise-certificate-proxy v0.3.5/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.14.1 h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q=
 github.com/googleapis/gax-go/v2 v2.14.1/go.mod h1:Hb/NubMaVM88SrNkvl8X/o8XWwDJEPqouaLeN2IUxoA=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
@@ -128,12 +124,12 @@ github.com/mdlayher/raw v0.1.0/go.mod h1:yXnxvs6c0XoF/aK52/H5PjsVHmWBCFfZUfoh/Y5
 github.com/mdlayher/socket v0.2.1/go.mod h1:QLlNPkFR88mRUNQIzRBMfXxwKal8H7u1h3bL1CV+f0E=
 github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
-github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
-github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
-github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
-github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
-github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc=
+github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
+github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
+github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
@@ -145,16 +141,18 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.49.0 h1:w5iJHXwHxs1QxyBv1EHKuC50GX5to8mJAxvtnttJp94=
-github.com/quic-go/quic-go v0.49.0/go.mod h1:s2wDnmCdooUQBmQfpUSTCYBl1/D4FcqbULMMkASvR6s=
+github.com/quic-go/quic-go v0.50.1 h1:unsgjFIUqW8a2oopkY7YNONpV1gYND6Nt9hnt1PN94Q=
+github.com/quic-go/quic-go v0.50.1/go.mod h1:Vim6OmUvlYdwBhXP9ZVrtGmCMWa3wEqhq3NgYrI8b4E=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/securego/gosec/v2 v2.22.2 h1:IXbuI7cJninj0nRpZSLCUlotsj8jGusohfONMrHoF6g=
-github.com/securego/gosec/v2 v2.22.2/go.mod h1:UEBGA+dSKb+VqM6TdehR7lnQtIIMorYJ4/9CW1KVQBE=
+github.com/securego/gosec/v2 v2.22.3 h1:mRrCNmRF2NgZp4RJ8oJ6yPJ7G4x6OCiAXHd8x4trLRc=
+github.com/securego/gosec/v2 v2.22.3/go.mod h1:42M9Xs0v1WseinaB/BmNGO8AVqG8vRfhC2686ACY48k=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
 github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
@@ -199,14 +197,16 @@ go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5J
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/mock v0.5.1 h1:ASgazW/qBmR+A32MYFDB6E2POoTgOwT509VP0CT/fjs=
+go.uber.org/mock v0.5.1/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4=
-golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/exp/typeparams v0.0.0-20250305212735-054e65f0b394 h1:VI4qDpTkfFaCXEPrbojidLgVQhj2x4nzTccG0hjaLlU=
 golang.org/x/exp/typeparams v0.0.0-20250305212735-054e65f0b394/go.mod h1:LKZHyeOpPuZcMgxeHjJp4p5yvxrCX1xDvH10zYHhjjQ=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -221,14 +221,14 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -241,43 +241,43 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/telemetry v0.0.0-20250305155315-2a181eac97a3 h1:k+pofz4/0MRETtVtItAwfDgPUvNlWrUrFw+8dtUVUa8=
-golang.org/x/telemetry v0.0.0-20250305155315-2a181eac97a3/go.mod h1:16eI1RtbPZAEm3u7hpIh7JM/w5AbmlDtnrdKYaREic8=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20250406004356-f593adaf3fc1 h1:LxyDqgHX2VuimV2UQSNFpQxz+NRUUsh8ulNcP3WvNG0=
+golang.org/x/telemetry v0.0.0-20250406004356-f593adaf3fc1/go.mod h1:RoaXAWDwS90j6FxVKwJdBV+0HCU+llrKUGgJaxiKl6M=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
 golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.15.1 h1:FNy7N6OUZVUaWG9pTiD+jlhdQ3lMP+/LcTpJ6+a8sQ0=
-gonum.org/v1/gonum v0.15.1/go.mod h1:eZTZuRFrzu5pcyjN5wJhcIhnUdNijYxX1T2IcrOGY0o=
-google.golang.org/api v0.224.0 h1:Ir4UPtDsNiwIOHdExr3fAj4xZ42QjK7uQte3lORLJwU=
-google.golang.org/api v0.224.0/go.mod h1:3V39my2xAGkodXy0vEqcEtkqgw2GtrFL5WuBZlCTCOQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
-google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/api v0.228.0 h1:X2DJ/uoWGnY5obVjewbp8icSL5U4FzuCfy9OjbLSnLs=
+google.golang.org/api v0.228.0/go.mod h1:wNvRS1Pbe8r4+IfBIniV8fwCpGwTrYa+kMUDiC5z5a4=
+google.golang.org/genproto/googleapis/api v0.0.0-20250407143221-ac9807e6c755 h1:AMLTAunltONNuzWgVPZXrjLWtXpsG6A3yLLPEoJ/IjU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250407143221-ac9807e6c755/go.mod h1:2R6XrVC8Oc08GlNh8ujEpc7HkLiEZ16QeY7FxIs20ac=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250407143221-ac9807e6c755 h1:TwXJCGVREgQ/cl18iY0Z4wJCTL/GmW+Um2oSwZiZPnc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250407143221-ac9807e6c755/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
+google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/internal/aghalg/sortedmap_test.go
+++ b/internal/aghalg/sortedmap_test.go
@@ -1,14 +1,15 @@
-package aghalg
+package aghalg_test

 import (
 	"strings"
 	"testing"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/stretchr/testify/assert"
 )

 func TestNewSortedMap(t *testing.T) {
-	var m SortedMap[string, int]
+	var m aghalg.SortedMap[string, int]

 	letters := []string{}
 	for i := range 10 {
@@ -17,7 +18,7 @@ func TestNewSortedMap(t *testing.T) {
 	}

 	t.Run("create_and_fill", func(t *testing.T) {
-		m = NewSortedMap[string, int](strings.Compare)
+		m = aghalg.NewSortedMap[string, int](strings.Compare)

 		nums := []int{}
 		for i, r := range letters {
@@ -68,7 +69,7 @@ func TestNewSortedMap_nil(t *testing.T) {
 		val = "val"
 	)

-	var m SortedMap[string, string]
+	var m aghalg.SortedMap[string, string]

 	assert.Panics(t, func() {
 		m.Set(key, val)
--- a/internal/aghnet/hostgen_test.go
+++ b/internal/aghnet/hostgen_test.go
@@ -1,9 +1,10 @@
-package aghnet
+package aghnet_test

 import (
 	"net/netip"
 	"testing"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/stretchr/testify/assert"
 )

@@ -29,13 +30,13 @@ func TestGenerateHostName(t *testing.T) {

 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
-				hostname := GenerateHostname(tc.ip)
+				hostname := aghnet.GenerateHostname(tc.ip)
 				assert.Equal(t, tc.want, hostname)
 			})
 		}
 	})

 	t.Run("invalid", func(t *testing.T) {
-		assert.Panics(t, func() { GenerateHostname(netip.Addr{}) })
+		assert.Panics(t, func() { aghnet.GenerateHostname(netip.Addr{}) })
 	})
 }
--- a/internal/aghnet/interfaces_test.go
+++ b/internal/aghnet/interfaces_test.go
@@ -1,22 +1,24 @@
-package aghnet
+package aghnet_test

 import (
 	"net"
 	"testing"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-// fakeIface is a stub implementation of aghnet.NetIface to simplify testing.
+// fakeIface is a stub implementation of [aghnet.NetIface] interface to simplify
+// testing.
 type fakeIface struct {
 	err   error
 	addrs []net.Addr
 }

-// Addrs implements the NetIface interface for *fakeIface.
+// Addrs implements the [aghnet.NetIface] interface for *fakeIface.
 func (iface *fakeIface) Addrs() (addrs []net.Addr, err error) {
 	if iface.err != nil {
 		return nil, iface.err
@@ -25,6 +27,9 @@ func (iface *fakeIface) Addrs() (addrs []net.Addr, err error) {
 	return iface.addrs, nil
 }

+// type check
+var _ aghnet.NetIface = (*fakeIface)(nil)
+
 func TestIfaceIPAddrs(t *testing.T) {
 	const errTest errors.Error = "test error"

@@ -35,76 +40,76 @@ func TestIfaceIPAddrs(t *testing.T) {
 	addr6 := &net.IPNet{IP: ip6}

 	testCases := []struct {
-		iface      NetIface
+		iface      aghnet.NetIface
 		name       string
 		wantErrMsg string
 		want       []net.IP
-		ipv        IPVersion
+		ipv        aghnet.IPVersion
 	}{{
 		iface:      &fakeIface{addrs: []net.Addr{addr4}, err: nil},
 		name:       "ipv4_success",
 		wantErrMsg: "",
 		want:       []net.IP{ip4},
-		ipv:        IPVersion4,
+		ipv:        aghnet.IPVersion4,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
 		name:       "ipv4_success_with_ipv6",
 		wantErrMsg: "",
 		want:       []net.IP{ip4},
-		ipv:        IPVersion4,
+		ipv:        aghnet.IPVersion4,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{addr4}, err: errTest},
 		name:       "ipv4_error",
 		wantErrMsg: errTest.Error(),
 		want:       nil,
-		ipv:        IPVersion4,
+		ipv:        aghnet.IPVersion4,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{addr6}, err: nil},
 		name:       "ipv6_success",
 		wantErrMsg: "",
 		want:       []net.IP{ip6},
-		ipv:        IPVersion6,
+		ipv:        aghnet.IPVersion6,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
 		name:       "ipv6_success_with_ipv4",
 		wantErrMsg: "",
 		want:       []net.IP{ip6},
-		ipv:        IPVersion6,
+		ipv:        aghnet.IPVersion6,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{addr6}, err: errTest},
 		name:       "ipv6_error",
 		wantErrMsg: errTest.Error(),
 		want:       nil,
-		ipv:        IPVersion6,
+		ipv:        aghnet.IPVersion6,
 	}, {
 		iface:      &fakeIface{addrs: nil, err: nil},
 		name:       "bad_proto",
 		wantErrMsg: "invalid ip version 10",
 		want:       nil,
-		ipv:        IPVersion6 + IPVersion4,
+		ipv:        aghnet.IPVersion6 + aghnet.IPVersion4,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{&net.IPAddr{IP: ip4}}, err: nil},
 		name:       "ipaddr_v4",
 		wantErrMsg: "",
 		want:       []net.IP{ip4},
-		ipv:        IPVersion4,
+		ipv:        aghnet.IPVersion4,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{&net.IPAddr{IP: ip6, Zone: ""}}, err: nil},
 		name:       "ipaddr_v6",
 		wantErrMsg: "",
 		want:       []net.IP{ip6},
-		ipv:        IPVersion6,
+		ipv:        aghnet.IPVersion6,
 	}, {
 		iface:      &fakeIface{addrs: []net.Addr{&net.UnixAddr{}}, err: nil},
 		name:       "non-ipv4",
 		wantErrMsg: "",
 		want:       nil,
-		ipv:        IPVersion4,
+		ipv:        aghnet.IPVersion4,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, err := IfaceIPAddrs(tc.iface, tc.ipv)
+			got, err := aghnet.IfaceIPAddrs(tc.iface, tc.ipv)
 			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)

 			assert.Equal(t, tc.want, got)
@@ -118,7 +123,10 @@ type waitingFakeIface struct {
 	n     int
 }

-// Addrs implements the NetIface interface for *waitingFakeIface.
+// type check
+var _ aghnet.NetIface = (*waitingFakeIface)(nil)
+
+// Addrs implements the [aghnet.NetIface] interface for *waitingFakeIface.
 func (iface *waitingFakeIface) Addrs() (addrs []net.Addr, err error) {
 	if iface.err != nil {
 		return nil, iface.err
@@ -143,76 +151,76 @@ func TestIfaceDNSIPAddrs(t *testing.T) {
 	addr6 := &net.IPNet{IP: ip6}

 	testCases := []struct {
-		iface   NetIface
+		iface   aghnet.NetIface
 		wantErr error
 		name    string
 		want    []net.IP
-		ipv     IPVersion
+		ipv     aghnet.IPVersion
 	}{{
 		name:    "ipv4_success",
 		iface:   &fakeIface{addrs: []net.Addr{addr4}, err: nil},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    []net.IP{ip4, ip4},
 		wantErr: nil,
 	}, {
 		name:    "ipv4_success_with_ipv6",
 		iface:   &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    []net.IP{ip4, ip4},
 		wantErr: nil,
 	}, {
 		name:    "ipv4_error",
 		iface:   &fakeIface{addrs: []net.Addr{addr4}, err: errTest},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    nil,
 		wantErr: errTest,
 	}, {
 		name:    "ipv4_wait",
 		iface:   &waitingFakeIface{addrs: []net.Addr{addr4}, err: nil, n: 1},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    []net.IP{ip4, ip4},
 		wantErr: nil,
 	}, {
 		name:    "ipv6_success",
 		iface:   &fakeIface{addrs: []net.Addr{addr6}, err: nil},
-		ipv:     IPVersion6,
+		ipv:     aghnet.IPVersion6,
 		want:    []net.IP{ip6, ip6},
 		wantErr: nil,
 	}, {
 		name:    "ipv6_success_with_ipv4",
 		iface:   &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
-		ipv:     IPVersion6,
+		ipv:     aghnet.IPVersion6,
 		want:    []net.IP{ip6, ip6},
 		wantErr: nil,
 	}, {
 		name:    "ipv6_error",
 		iface:   &fakeIface{addrs: []net.Addr{addr6}, err: errTest},
-		ipv:     IPVersion6,
+		ipv:     aghnet.IPVersion6,
 		want:    nil,
 		wantErr: errTest,
 	}, {
 		name:    "ipv6_wait",
 		iface:   &waitingFakeIface{addrs: []net.Addr{addr6}, err: nil, n: 1},
-		ipv:     IPVersion6,
+		ipv:     aghnet.IPVersion6,
 		want:    []net.IP{ip6, ip6},
 		wantErr: nil,
 	}, {
 		name:    "empty",
 		iface:   &fakeIface{addrs: nil, err: nil},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    nil,
 		wantErr: nil,
 	}, {
 		name:    "many",
 		iface:   &fakeIface{addrs: []net.Addr{addr4, addr4}},
-		ipv:     IPVersion4,
+		ipv:     aghnet.IPVersion4,
 		want:    []net.IP{ip4, ip4},
 		wantErr: nil,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, err := IfaceDNSIPAddrs(tc.iface, tc.ipv, 2, 0)
+			got, err := aghnet.IfaceDNSIPAddrs(tc.iface, tc.ipv, 2, 0)
 			require.ErrorIs(t, err, tc.wantErr)

 			assert.Equal(t, tc.want, got)
--- a/internal/aghnet/ipmut_test.go
+++ b/internal/aghnet/ipmut_test.go
@@ -1,9 +1,10 @@
-package aghnet
+package aghnet_test

 import (
 	"net"
 	"testing"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/stretchr/testify/assert"
 )
@@ -18,7 +19,7 @@ func TestIPMut(t *testing.T) {
 	}}

 	t.Run("nil_no_mut", func(t *testing.T) {
-		ipmut := NewIPMut(nil)
+		ipmut := aghnet.NewIPMut(nil)

 		ips := netutil.CloneIPs(testIPs)
 		for i := range ips {
@@ -28,7 +29,7 @@ func TestIPMut(t *testing.T) {
 	})

 	t.Run("not_nil_mut", func(t *testing.T) {
-		ipmut := NewIPMut(func(ip net.IP) {
+		ipmut := aghnet.NewIPMut(func(ip net.IP) {
 			for i := range ip {
 				ip[i] = 0
 			}
--- a/internal/aghnet/net_darwin_internal_test.go
+++ b/internal/aghnet/net_darwin_internal_test.go
@@ -1,3 +1,5 @@
+//go:build darwin
+
 package aghnet

 import (
--- a/internal/aghnet/net_freebsd_internal_test.go
+++ b/internal/aghnet/net_freebsd_internal_test.go
--- a/internal/aghnet/net_linux_internal_test.go
+++ b/internal/aghnet/net_linux_internal_test.go
--- a/internal/aghnet/net_openbsd_internal_test.go
+++ b/internal/aghnet/net_openbsd_internal_test.go
--- a/internal/aghos/os_internal_test.go
+++ b/internal/aghos/os_internal_test.go
--- a/internal/aghuser/aghuser.go
+++ b/internal/aghuser/aghuser.go
@@ -0,0 +1,58 @@
+package aghuser
+
+import (
+	"context"
+
+	"github.com/AdguardTeam/golibs/errors"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Login is the type for web user logins.
+type Login string
+
+// NewLogin returns a web user login.
+//
+// TODO(s.chzhen): Add more constraints as needed.
+func NewLogin(s string) (l Login, err error) {
+	if s == "" {
+		return "", errors.ErrEmptyValue
+	}
+
+	return Login(s), nil
+}
+
+// Password is an interface that defines methods for handling web user
+// passwords.
+type Password interface {
+	// Authenticate returns true if the provided password is allowed.
+	Authenticate(ctx context.Context, password string) (ok bool)
+
+	// Hash returns a hashed representation of the web user password.
+	Hash() (b []byte)
+}
+
+// DefaultPassword is the default bcrypt implementation of the [Password]
+// interface.
+type DefaultPassword struct {
+	hash []byte
+}
+
+// NewDefaultPassword returns the new properly initialized *DefaultPassword.
+func NewDefaultPassword(hash string) (p *DefaultPassword) {
+	return &DefaultPassword{
+		hash: []byte(hash),
+	}
+}
+
+// type check
+var _ Password = (*DefaultPassword)(nil)
+
+// Authenticate implements the [Password] interface for *DefaultPassword.
+func (p *DefaultPassword) Authenticate(ctx context.Context, passwd string) (ok bool) {
+	return bcrypt.CompareHashAndPassword([]byte(p.hash), []byte(passwd)) == nil
+}
+
+// Hash implements the [Password] interface for *DefaultPassword.
+func (p *DefaultPassword) Hash() (b []byte) {
+	return p.hash
+}
--- a/internal/aghuser/aghuser_test.go
+++ b/internal/aghuser/aghuser_test.go
@@ -0,0 +1,6 @@
+package aghuser_test
+
+import "time"
+
+// testTimeout is the common timeout for tests.
+const testTimeout = 1 * time.Second
--- a/internal/aghuser/db.go
+++ b/internal/aghuser/db.go
@@ -0,0 +1,149 @@
+package aghuser
+
+import (
+	"cmp"
+	"context"
+	"fmt"
+	"maps"
+	"slices"
+	"sync"
+
+	"github.com/AdguardTeam/golibs/errors"
+)
+
+// DB is an interface that defines methods for interacting with user
+// information.  All methods must be safe for concurrent use.
+//
+// TODO(s.chzhen):  Use this.
+//
+// TODO(s.chzhen):  Consider updating methods to return a clone.
+type DB interface {
+	// All retrieves all users from the database, sorted by login.
+	//
+	// TODO(s.chzhen):  Consider function signature change to reflect the
+	// in-memory implementation, as it currently always returns nil for error.
+	All(ctx context.Context) (users []*User, err error)
+
+	// ByLogin retrieves a user by their login.  u must not be modified.
+	//
+	// TODO(s.chzhen):  Remove this once user sessions support [UserID].
+	ByLogin(ctx context.Context, login Login) (u *User, err error)
+
+	// ByUUID retrieves a user by their unique identifier.  u must not be
+	// modified.
+	//
+	// TODO(s.chzhen):  Use this.
+	ByUUID(ctx context.Context, id UserID) (u *User, err error)
+
+	// Create adds a new user to the database.  If the credentials already
+	// exist, it returns the [errors.ErrDuplicated] error.  It also can return
+	// an error from the cryptographic randomness reader.  u must not be
+	// modified.
+	Create(ctx context.Context, u *User) (err error)
+}
+
+// DefaultDB is the default in-memory implementation of the [DB] interface.
+type DefaultDB struct {
+	// mu protects all properties below.
+	mu *sync.Mutex
+
+	// loginToUserID maps a web user login to their UserID.  The values must not
+	// be empty.
+	//
+	// TODO(s.chzhen):  Remove this once user sessions support [UserID].
+	loginToUserID map[Login]UserID
+
+	// userIDToUser maps a UserID to a web user.  The values must not be nil.
+	// It must be synchronized with loginToUserID, meaning all UserIDs stored in
+	// loginToUserID must also be stored in this map.
+	userIDToUser map[UserID]*User
+}
+
+// NewDefaultDB returns the new properly initialized *DefaultDB.
+func NewDefaultDB() (db *DefaultDB) {
+	return &DefaultDB{
+		mu:            &sync.Mutex{},
+		loginToUserID: map[Login]UserID{},
+		userIDToUser:  map[UserID]*User{},
+	}
+}
+
+// type check
+var _ DB = (*DefaultDB)(nil)
+
+// All implements the [DB] interface for *DefaultDB.
+func (db *DefaultDB) All(ctx context.Context) (users []*User, err error) {
+	db.mu.Lock()
+	defer db.mu.Unlock()
+
+	if len(db.userIDToUser) == 0 {
+		return nil, nil
+	}
+
+	users = slices.SortedStableFunc(
+		maps.Values(db.userIDToUser),
+		func(a, b *User) (res int) {
+			// TODO(s.chzhen):  Consider adding a custom comparer.
+			return cmp.Compare(a.Login, b.Login)
+		},
+	)
+
+	return users, nil
+}
+
+// ByLogin implements the [DB] interface for *DefaultDB.
+func (db *DefaultDB) ByLogin(ctx context.Context, login Login) (u *User, err error) {
+	db.mu.Lock()
+	defer db.mu.Unlock()
+
+	id, ok := db.loginToUserID[login]
+	if !ok {
+		return nil, nil
+	}
+
+	u, ok = db.userIDToUser[id]
+	if !ok {
+		// Should not happen.
+		panic(fmt.Errorf("no web user present with login %q", login))
+	}
+
+	return u, nil
+}
+
+// ByUUID implements the [DB] interface for *DefaultDB.
+func (db *DefaultDB) ByUUID(ctx context.Context, id UserID) (u *User, err error) {
+	db.mu.Lock()
+	defer db.mu.Unlock()
+
+	u, ok := db.userIDToUser[id]
+	if !ok {
+		return nil, nil
+	}
+
+	return u, nil
+}
+
+// Create implements the [DB] interface for *DefaultDB.
+func (db *DefaultDB) Create(ctx context.Context, u *User) (err error) {
+	db.mu.Lock()
+	defer db.mu.Unlock()
+
+	if u.ID == (UserID{}) {
+		return fmt.Errorf("userid: %w", errors.ErrEmptyValue)
+	}
+
+	_, ok := db.userIDToUser[u.ID]
+	if ok {
+		return fmt.Errorf("userid: %w", errors.ErrDuplicated)
+	}
+
+	_, ok = db.loginToUserID[u.Login]
+	if ok {
+		return fmt.Errorf("login: %w", errors.ErrDuplicated)
+	}
+
+	db.userIDToUser[u.ID] = u
+	db.loginToUserID[u.Login] = u.ID
+
+	return nil
+}
--- a/internal/aghuser/db_test.go
+++ b/internal/aghuser/db_test.go
@@ -0,0 +1,83 @@
+package aghuser_test
+
+import (
+	"testing"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghuser"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestDB(t *testing.T) {
+	db := aghuser.NewDefaultDB()
+
+	const (
+		userWithIDPassRaw = "user_with_id_password"
+		userSecondPassRaw = "user_second_password"
+	)
+
+	userWithIDPassHash, err := bcrypt.GenerateFromPassword(
+		[]byte(userWithIDPassRaw),
+		bcrypt.DefaultCost,
+	)
+	require.NoError(t, err)
+
+	userSecondPassHash, err := bcrypt.GenerateFromPassword(
+		[]byte(userSecondPassRaw),
+		bcrypt.DefaultCost,
+	)
+	require.NoError(t, err)
+
+	userWithIDPass := aghuser.NewDefaultPassword(string(userWithIDPassHash))
+	userSecondPass := aghuser.NewDefaultPassword(string(userSecondPassHash))
+
+	var (
+		userWithID = &aghuser.User{
+			ID:       aghuser.MustNewUserID(),
+			Login:    "user_with_id",
+			Password: userWithIDPass,
+		}
+		userSecond = &aghuser.User{
+			ID:       aghuser.MustNewUserID(),
+			Login:    "user_second",
+			Password: userSecondPass,
+		}
+		userDuplicateLogin = &aghuser.User{
+			ID:       aghuser.MustNewUserID(),
+			Login:    userWithID.Login,
+			Password: userWithIDPass,
+		}
+	)
+
+	ctx := testutil.ContextWithTimeout(t, testTimeout)
+
+	err = db.Create(ctx, userWithID)
+	require.NoError(t, err)
+
+	err = db.Create(ctx, userSecond)
+	require.NoError(t, err)
+
+	err = db.Create(ctx, userDuplicateLogin)
+	assert.ErrorIs(t, err, errors.ErrDuplicated)
+
+	got, err := db.ByUUID(ctx, userWithID.ID)
+	require.NoError(t, err)
+
+	assert.Equal(t, userWithID, got)
+	assert.True(t, got.Password.Authenticate(ctx, userWithIDPassRaw))
+
+	got, err = db.ByLogin(ctx, userSecond.Login)
+	require.NoError(t, err)
+
+	assert.Equal(t, userSecond, got)
+	assert.True(t, got.Password.Authenticate(ctx, userSecondPassRaw))
+
+	users, err := db.All(ctx)
+	require.NoError(t, err)
+
+	assert.Len(t, users, 2)
+	assert.Equal(t, []*aghuser.User{userSecond, userWithID}, users)
+}
--- a/internal/aghuser/user.go
+++ b/internal/aghuser/user.go
@@ -0,0 +1,44 @@
+// Package aghuser contains types and logic for dealing with AdGuard Home's web
+// users.
+package aghuser
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+)
+
+// UserID is the type for the unique IDs of web users.
+type UserID uuid.UUID
+
+// NewUserID returns a new web user unique identifier.  Any error returned is an
+// error from the cryptographic randomness reader.
+func NewUserID() (uid UserID, err error) {
+	uuidv7, err := uuid.NewV7()
+
+	return UserID(uuidv7), err
+}
+
+// MustNewUserID is a wrapper around [NewUserID] that panics if there is an
+// error.  It is currently only used in tests.
+func MustNewUserID() (uid UserID) {
+	uid, err := NewUserID()
+	if err != nil {
+		panic(fmt.Errorf("unexpected uuidv7 error: %w", err))
+	}
+
+	return uid
+}
+
+// User represents a web user.
+type User struct {
+	// ID is the unique identifier for the web user.  It must not be empty.
+	ID UserID
+
+	// Login is the login name of the web user.  It must not be empty.
+	Login Login
+
+	// Password stores the password information for the web user.  It must not
+	// be nil.
+	Password Password
+}
--- a/internal/client/storage.go
+++ b/internal/client/storage.go
@@ -12,6 +12,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/errors"
@@ -495,6 +496,11 @@ func (s *Storage) FindLoose(ip netip.Addr, id string) (p *Persistent, ok bool) {
 		return p.ShallowClone(), ok
 	}

+	foundMAC := s.dhcp.MACByIP(ip)
+	if foundMAC != nil {
+		return s.FindByMAC(foundMAC)
+	}
+
 	p = s.index.findByIPWithoutZone(ip)
 	if p != nil {
 		return p.ShallowClone(), true
@@ -671,3 +677,44 @@ func (s *Storage) ClearUpstreamCache() {

 	s.upstreamManager.clearUpstreamCache()
 }
+
+// ApplyClientFiltering retrieves persistent client information using the
+// ClientID or client IP address, and applies it to the filtering settings.
+// setts must not be nil.
+func (s *Storage) ApplyClientFiltering(id string, addr netip.Addr, setts *filtering.Settings) {
+	c, ok := s.index.findByClientID(id)
+	if !ok {
+		c, ok = s.index.findByIP(addr)
+	}
+
+	if !ok {
+		foundMAC := s.dhcp.MACByIP(addr)
+		if foundMAC != nil {
+			c, ok = s.FindByMAC(foundMAC)
+		}
+	}
+
+	if !ok {
+		s.logger.Debug("no client filtering settings found", "clientid", id, "addr", addr)
+
+		return
+	}
+
+	s.logger.Debug("applying custom client filtering settings", "client_name", c.Name)
+
+	if c.UseOwnBlockedServices {
+		setts.BlockedServices = c.BlockedServices.Clone()
+	}
+
+	setts.ClientName = c.Name
+	setts.ClientTags = slices.Clone(c.Tags)
+	if !c.UseOwnSettings {
+		return
+	}
+
+	setts.FilteringEnabled = c.FilteringEnabled
+	setts.SafeSearchEnabled = c.SafeSearchConf.Enabled
+	setts.ClientSafeSearch = c.SafeSearch
+	setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
+	setts.ParentalEnabled = c.ParentalEnabled
+}
--- a/internal/client/upstreammanager.go
+++ b/internal/client/upstreammanager.go
@@ -153,7 +153,9 @@ func (m *upstreamManager) isConfigChanged(cliConf *customUpstreamConfig) (ok boo
 // upstream configuration.
 func (m *upstreamManager) clearUpstreamCache() {
 	for _, c := range m.uidToCustomConf {
-		c.proxyConf.ClearCache()
+		if c.proxyConf != nil {
+			c.proxyConf.ClearCache()
+		}
 	}
 }

--- a/internal/dhcpd/bitset_internal_test.go
+++ b/internal/dhcpd/bitset_internal_test.go
--- a/internal/dhcpd/broadcast_bsd_internal_test.go
+++ b/internal/dhcpd/broadcast_bsd_internal_test.go
--- a/internal/dhcpd/broadcast_others_internal_test.go
+++ b/internal/dhcpd/broadcast_others_internal_test.go
--- a/internal/dhcpd/dhcpd_unix_internal_test.go
+++ b/internal/dhcpd/dhcpd_unix_internal_test.go
--- a/internal/dhcpd/http_windows_internal_test.go
+++ b/internal/dhcpd/http_windows_internal_test.go
--- a/internal/dhcpd/iprange_internal_test.go
+++ b/internal/dhcpd/iprange_internal_test.go
--- a/internal/dhcpd/options_unix_internal_test.go
+++ b/internal/dhcpd/options_unix_internal_test.go
--- a/internal/dhcpd/v4_unix_internal_test.go
+++ b/internal/dhcpd/v4_unix_internal_test.go
--- a/internal/dhcpd/v6_unix_internal_test.go
+++ b/internal/dhcpd/v6_unix_internal_test.go
--- a/internal/dnsforward/access_internal_test.go
+++ b/internal/dnsforward/access_internal_test.go
--- a/internal/dnsforward/clientid_internal_test.go
+++ b/internal/dnsforward/clientid_internal_test.go
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -16,7 +16,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/client"
-	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/container"
@@ -34,9 +33,6 @@ import (
 type Config struct {
 	// Callbacks for other modules

-	// FilterHandler is an optional additional filtering callback.
-	FilterHandler func(cliAddr netip.Addr, clientID string, settings *filtering.Settings) `yaml:"-"`
-
 	// ClientsContainer stores the information about special handling of some
 	// DNS clients.
 	ClientsContainer ClientsContainer `yaml:"-"`
--- a/internal/dnsforward/config_internal_test.go
+++ b/internal/dnsforward/config_internal_test.go
--- a/internal/dnsforward/dns64_internal_test.go
+++ b/internal/dnsforward/dns64_internal_test.go
--- a/internal/dnsforward/dnsforward_internal_test.go
+++ b/internal/dnsforward/dnsforward_internal_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/hashprefix"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/safesearch"
+	"github.com/AdguardTeam/AdGuardHome/internal/schedule"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
@@ -106,6 +107,21 @@ func startDeferStop(t *testing.T, s *Server) {
 	testutil.CleanupAndRequireSuccess(t, s.Stop)
 }

+// applyEmptyClientFiltering is a helper function for tests with
+// [filtering.Config] that does nothing.
+func applyEmptyClientFiltering(_ string, _ netip.Addr, _ *filtering.Settings) {}
+
+// emptyFilteringBlockedServices is a helper function that returns an empty
+// filtering blocked services for tests.
+func emptyFilteringBlockedServices() (bsvc *filtering.BlockedServices) {
+	return &filtering.BlockedServices{
+		Schedule: schedule.EmptyWeekly(),
+	}
+}
+
+// createTestServer is a helper function that returns a properly initialized
+// *Server for use in tests, given the provided parameters.  It also populates
+// the filtering configuration with default parameters.
 func createTestServer(
 	t *testing.T,
 	filterConf *filtering.Config,
@@ -123,6 +139,12 @@ func createTestServer(
 		Data: []byte(rules),
 	}}

+	filterConf.BlockedServices = cmp.Or(filterConf.BlockedServices, emptyFilteringBlockedServices())
+
+	if filterConf.ApplyClientFiltering == nil {
+		filterConf.ApplyClientFiltering = applyEmptyClientFiltering
+	}
+
 	f, err := filtering.New(filterConf, filters)
 	require.NoError(t, err)

@@ -926,9 +948,6 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		Config: Config{
-			FilterHandler: func(_ netip.Addr, _ string, settings *filtering.Settings) {
-				settings.FilteringEnabled = false
-			},
 			UpstreamMode: UpstreamModeLoadBalance,
 			EDNSClientSubnet: &EDNSClientSubnet{
 				Enabled: false,
@@ -1020,10 +1039,12 @@ func TestBlockedCustomIP(t *testing.T) {
 	}}

 	f, err := filtering.New(&filtering.Config{
-		ProtectionEnabled: true,
-		BlockingMode:      filtering.BlockingModeCustomIP,
-		BlockingIPv4:      netip.Addr{},
-		BlockingIPv6:      netip.Addr{},
+		ProtectionEnabled:    true,
+		ApplyClientFiltering: applyEmptyClientFiltering,
+		BlockedServices:      emptyFilteringBlockedServices(),
+		BlockingMode:         filtering.BlockingModeCustomIP,
+		BlockingIPv4:         netip.Addr{},
+		BlockingIPv6:         netip.Addr{},
 	}, filters)
 	require.NoError(t, err)

@@ -1176,7 +1197,9 @@ func TestBlockedBySafeBrowsing(t *testing.T) {

 func TestRewrite(t *testing.T) {
 	c := &filtering.Config{
-		BlockingMode: filtering.BlockingModeDefault,
+		ApplyClientFiltering: applyEmptyClientFiltering,
+		BlockedServices:      emptyFilteringBlockedServices(),
+		BlockingMode:         filtering.BlockingModeDefault,
 		Rewrites: []*filtering.LegacyRewrite{{
 			Domain: "test.com",
 			Answer: "1.2.3.4",
@@ -1322,7 +1345,9 @@ func TestPTRResponseFromDHCPLeases(t *testing.T) {
 	const localDomain = "lan"

 	flt, err := filtering.New(&filtering.Config{
-		BlockingMode: filtering.BlockingModeDefault,
+		ApplyClientFiltering: applyEmptyClientFiltering,
+		BlockedServices:      emptyFilteringBlockedServices(),
+		BlockingMode:         filtering.BlockingModeDefault,
 	}, nil)
 	require.NoError(t, err)

@@ -1411,8 +1436,10 @@ func TestPTRResponseFromHosts(t *testing.T) {
 	})

 	flt, err := filtering.New(&filtering.Config{
-		BlockingMode: filtering.BlockingModeDefault,
-		EtcHosts:     hc,
+		ApplyClientFiltering: applyEmptyClientFiltering,
+		BlockedServices:      emptyFilteringBlockedServices(),
+		BlockingMode:         filtering.BlockingModeDefault,
+		EtcHosts:             hc,
 	}, nil)
 	require.NoError(t, err)

--- a/internal/dnsforward/dnsrewrite_internal_test.go
+++ b/internal/dnsforward/dnsrewrite_internal_test.go
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -17,9 +17,7 @@ import (
 func (s *Server) clientRequestFilteringSettings(dctx *dnsContext) (setts *filtering.Settings) {
 	setts = s.dnsFilter.Settings()
 	setts.ProtectionEnabled = dctx.protectionEnabled
-	if s.conf.FilterHandler != nil {
-		s.conf.FilterHandler(dctx.proxyCtx.Addr.Addr(), dctx.clientID, setts)
-	}
+	s.dnsFilter.ApplyAdditionalFiltering(dctx.proxyCtx.Addr.Addr(), dctx.clientID, setts)

 	return setts
 }
--- a/internal/dnsforward/filter_internal_test.go
+++ b/internal/dnsforward/filter_internal_test.go
@@ -45,8 +45,10 @@ func TestHandleDNSRequest_handleDNSRequest(t *testing.T) {
 	}}

 	f, err := filtering.New(&filtering.Config{
-		ProtectionEnabled: true,
-		BlockingMode:      filtering.BlockingModeDefault,
+		ProtectionEnabled:    true,
+		ApplyClientFiltering: applyEmptyClientFiltering,
+		BlockedServices:      emptyFilteringBlockedServices(),
+		BlockingMode:         filtering.BlockingModeDefault,
 	}, filters)
 	require.NoError(t, err)
 	f.SetEnabled(true)
--- a/internal/dnsforward/http_internal_test.go
+++ b/internal/dnsforward/http_internal_test.go
--- a/internal/dnsforward/stats_internal_test.go
+++ b/internal/dnsforward/stats_internal_test.go
--- a/internal/dnsforward/svcbmsg_internal_test.go
+++ b/internal/dnsforward/svcbmsg_internal_test.go
--- a/internal/filtering/blocked.go
+++ b/internal/filtering/blocked.go
@@ -49,6 +49,9 @@ func initBlockedServices() {
 }

 // BlockedServices is the configuration of blocked services.
+//
+// TODO(s.chzhen):  Move to a higher-level package to allow importing the client
+// package into the filtering package.
 type BlockedServices struct {
 	// Schedule is blocked services schedule for every day of the week.
 	Schedule *schedule.Weekly `json:"schedule" yaml:"schedule"`
--- a/internal/filtering/dnsrewrite_test.go
+++ b/internal/filtering/dnsrewrite_test.go
@@ -1,10 +1,11 @@
-package filtering
+package filtering_test

 import (
 	"net/netip"
 	"path"
 	"testing"

+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -50,8 +51,17 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 |1.2.3.5.in-addr.arpa^$dnsrewrite=NOERROR;PTR;new-ptr-with-dot.
 `

-	f, _ := newForTest(t, nil, []Filter{{ID: 0, Data: []byte(text)}})
-	setts := &Settings{
+	conf := &filtering.Config{
+		SafeBrowsingCacheSize: 10000,
+		ParentalCacheSize:     10000,
+		SafeSearchCacheSize:   1000,
+		CacheTime:             30,
+	}
+
+	f, err := filtering.New(conf, []filtering.Filter{{ID: 0, Data: []byte(text)}})
+	require.NoError(t, err)
+
+	setts := &filtering.Settings{
 		FilteringEnabled: true,
 	}

@@ -117,7 +127,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			host := path.Base(tc.name)

-			res, err := f.CheckHostRules(host, tc.dtyp, setts)
+			var res filtering.Result
+			res, err = f.CheckHostRules(host, tc.dtyp, setts)
 			require.NoError(t, err)

 			dnsrr := res.DNSRewriteResult
@@ -141,7 +152,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		dtyp := dns.TypeA
 		host := path.Base(t.Name())

-		res, err := f.CheckHostRules(host, dtyp, setts)
+		var res filtering.Result
+		res, err = f.CheckHostRules(host, dtyp, setts)
 		require.NoError(t, err)

 		assert.Equal(t, "new-cname", res.CanonName)
@@ -151,7 +163,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		dtyp := dns.TypeA
 		host := path.Base(t.Name())

-		res, err := f.CheckHostRules(host, dtyp, setts)
+		var res filtering.Result
+		res, err = f.CheckHostRules(host, dtyp, setts)
 		require.NoError(t, err)

 		assert.Equal(t, "new-cname-2", res.CanonName)
@@ -162,7 +175,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		dtyp := dns.TypeA
 		host := path.Base(t.Name())

-		res, err := f.CheckHostRules(host, dtyp, setts)
+		var res filtering.Result
+		res, err = f.CheckHostRules(host, dtyp, setts)
 		require.NoError(t, err)

 		assert.Empty(t, res.CanonName)
@@ -173,7 +187,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		dtyp := dns.TypePTR
 		host := path.Base(t.Name())

-		res, err := f.CheckHostRules(host, dtyp, setts)
+		var res filtering.Result
+		res, err = f.CheckHostRules(host, dtyp, setts)
 		require.NoError(t, err)
 		require.NotNil(t, res.DNSRewriteResult)

@@ -193,7 +208,8 @@ func TestDNSFilter_CheckHostRules_dnsrewrite(t *testing.T) {
 		dtyp := dns.TypePTR
 		host := path.Base(t.Name())

-		res, err := f.CheckHostRules(host, dtyp, setts)
+		var res filtering.Result
+		res, err = f.CheckHostRules(host, dtyp, setts)
 		require.NoError(t, err)
 		require.NotNil(t, res.DNSRewriteResult)

--- a/internal/filtering/filter.go
+++ b/internal/filtering/filter.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"slices"
@@ -629,3 +630,20 @@ func (d *DNSFilter) enableFiltersLocked(async bool) {

 	d.SetEnabled(d.conf.FilteringEnabled)
 }
+
+// ApplyAdditionalFiltering enhances the provided filtering settings with
+// blocked services and client-specific configurations.
+func (d *DNSFilter) ApplyAdditionalFiltering(cliAddr netip.Addr, clientID string, setts *Settings) {
+	setts.ClientIP = cliAddr
+
+	d.ApplyBlockedServices(setts)
+	d.applyClientFiltering(clientID, cliAddr, setts)
+	if setts.BlockedServices != nil {
+		// TODO(e.burkov):  Get rid of this crutch.
+		setts.ServicesRules = nil
+		svcs := setts.BlockedServices.IDs
+		if !setts.BlockedServices.Schedule.Contains(time.Now()) {
+			d.ApplyBlockedServicesList(setts, svcs)
+		}
+	}
+}
--- a/internal/filtering/filter_internal_test.go
+++ b/internal/filtering/filter_internal_test.go
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@@ -40,6 +40,8 @@ type ServiceEntry struct {
 }

 // Settings are custom filtering settings for a client.
+//
+// TODO(s.chzhen):  Move to the client package.
 type Settings struct {
 	ClientName string
 	ClientIP   netip.Addr
@@ -47,6 +49,10 @@ type Settings struct {

 	ServicesRules []ServiceEntry

+	// BlockedServices is the configuration of blocked services of a client.  It
+	// is nil if the client does not have any blocked services.
+	BlockedServices *BlockedServices
+
 	ProtectionEnabled   bool
 	FilteringEnabled    bool
 	SafeSearchEnabled   bool
@@ -78,6 +84,11 @@ type Config struct {

 	SafeSearch SafeSearch `yaml:"-"`

+	// ApplyClientFiltering retrieves persistent client information using the
+	// ClientID or client IP address, and applies it to the filtering settings.
+	// It must not be nil.
+	ApplyClientFiltering func(clientID string, cliAddr netip.Addr, setts *Settings) `yaml:"-"`
+
 	// BlockedServices is the configuration of blocked services.
 	// Per-client settings can override this configuration.
 	BlockedServices *BlockedServices `yaml:"blocked_services"`
@@ -244,6 +255,13 @@ type DNSFilter struct {
 	// parentalControl is the parental control hash-prefix checker.
 	parentalControlChecker Checker

+	// applyClientFiltering retrieves persistent client information using the
+	// ClientID or client IP address, and applies it to the filtering settings.
+	//
+	// TODO(s.chzhen):  Consider finding a better approach while taking an
+	// import cycle into account.
+	applyClientFiltering func(clientID string, cliAddr netip.Addr, setts *Settings)
+
 	engineLock sync.RWMutex

 	// confMu protects conf.
@@ -914,10 +932,9 @@ func (d *DNSFilter) matchHost(
 	ufReq := &urlfilter.DNSRequest{
 		Hostname:         host,
 		SortedClientTags: setts.ClientTags,
-		// TODO(e.burkov): Wait for urlfilter update to pass net.IP.
-		ClientIP:   setts.ClientIP,
-		ClientName: setts.ClientName,
-		DNSType:    rrtype,
+		ClientIP:         setts.ClientIP,
+		ClientName:       setts.ClientName,
+		DNSType:          rrtype,
 	}

 	d.engineLock.RLock()
@@ -998,6 +1015,7 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 		refreshLock:            &sync.Mutex{},
 		safeBrowsingChecker:    c.SafeBrowsingChecker,
 		parentalControlChecker: c.ParentalControlChecker,
+		applyClientFiltering:   c.ApplyClientFiltering,
 		confMu:                 &sync.RWMutex{},
 	}

--- a/internal/filtering/filtering_internal_test.go
+++ b/internal/filtering/filtering_internal_test.go
--- a/internal/filtering/hashprefix/hashprefix_internal_test.go
+++ b/internal/filtering/hashprefix/hashprefix_internal_test.go
@@ -78,11 +78,11 @@ func TestHostnameToHashes(t *testing.T) {
 		wantLen: 2,
 	}, {
 		name:    "private_domain_v2",
-		host:    "foo.blogspot.co.uk",
-		wantLen: 4,
+		host:    "foo.dyndns.org",
+		wantLen: 3,
 	}, {
 		name:    "sub_private_domain_v2",
-		host:    "bar.foo.blogspot.co.uk",
+		host:    "bar.foo.dyndns.org",
 		wantLen: 4,
 	}}

--- a/internal/filtering/hosts_test.go
+++ b/internal/filtering/hosts_test.go
@@ -1,4 +1,4 @@
-package filtering
+package filtering_test

 import (
 	"fmt"
@@ -8,6 +8,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rulelist"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/AdguardTeam/urlfilter/rules"
@@ -50,27 +51,27 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, hc.Close)

-	conf := &Config{
+	conf := &filtering.Config{
 		EtcHosts: hc,
 	}
-	f, err := New(conf, nil)
+	f, err := filtering.New(conf, nil)
 	require.NoError(t, err)

-	setts := &Settings{
+	setts := &filtering.Settings{
 		FilteringEnabled: true,
 	}

 	testCases := []struct {
 		name      string
 		host      string
-		wantRules []*ResultRule
+		wantRules []*filtering.ResultRule
 		wantResps []rules.RRValue
 		dtyp      uint16
 	}{{
 		name: "v4",
 		host: "v4.host.example",
 		dtyp: dns.TypeA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "1.2.3.4 v4.host.example",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -79,7 +80,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "v6",
 		host: "v6.host.example",
 		dtyp: dns.TypeAAAA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "::1 v6.host.example",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -88,7 +89,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "mapped",
 		host: "mapped.host.example",
 		dtyp: dns.TypeAAAA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "::ffff:1.2.3.4 mapped.host.example",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -97,7 +98,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "ptr",
 		host: "4.3.2.1.in-addr.arpa",
 		dtyp: dns.TypePTR,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "1.2.3.4 v4.host.example",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -106,7 +107,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "ptr-mapped",
 		host: "4.0.3.0.2.0.1.0.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
 		dtyp: dns.TypePTR,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "::ffff:1.2.3.4 mapped.host.example",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -133,7 +134,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "v4_mismatch",
 		host: "v4.host.example",
 		dtyp: dns.TypeAAAA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         fmt.Sprintf("%s v4.host.example", addrv4),
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -142,7 +143,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "v6_mismatch",
 		host: "v6.host.example",
 		dtyp: dns.TypeA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         fmt.Sprintf("%s v6.host.example", addrv6),
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -163,7 +164,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {
 		name: "v4_dup",
 		host: "v4.host.with-dup",
 		dtyp: dns.TypeA,
-		wantRules: []*ResultRule{{
+		wantRules: []*filtering.ResultRule{{
 			Text:         "4.3.2.1 v4.host.with-dup",
 			FilterListID: rulelist.URLFilterIDEtcHosts,
 		}},
@@ -172,7 +173,7 @@ func TestDNSFilter_CheckHost_hostsContainer(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			var res Result
+			var res filtering.Result
 			res, err = f.CheckHost(tc.host, tc.dtyp, setts)
 			require.NoError(t, err)

--- a/internal/filtering/http.go
+++ b/internal/filtering/http.go
@@ -9,6 +9,8 @@ import (
 	"os"
 	"path/filepath"
 	"slices"
+	"strconv"
+	"strings"
 	"sync"
 	"time"

@@ -420,15 +422,52 @@ type checkHostResp struct {
 	FilterID rulelist.URLFilterID `json:"filter_id"`
 }

+// handleCheckHost is the handler for the GET /control/filtering/check_host HTTP
+// API.
 func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
-	host := r.URL.Query().Get("name")
+	query := r.URL.Query()
+	host := query.Get("name")
+	if host == "" {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusBadRequest,
+			`query parameter "name" is required`,
+		)
+
+		return
+	}
+
+	cli := query.Get("client")
+	qTypeStr := query.Get("qtype")
+	qType, err := stringToDNSType(qTypeStr)
+	if err != nil {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusUnprocessableEntity,
+			"bad qtype query parameter: %q",
+			qTypeStr,
+		)
+
+		return
+	}

 	setts := d.Settings()
 	setts.FilteringEnabled = true
 	setts.ProtectionEnabled = true

-	d.ApplyBlockedServices(setts)
-	result, err := d.CheckHost(host, dns.TypeA, setts)
+	addr, err := netip.ParseAddr(cli)
+	if err == nil {
+		d.ApplyAdditionalFiltering(addr, "", setts)
+	} else if cli != "" {
+		// TODO(s.chzhen):  Set [Settings.ClientName] once urlfilter supports
+		// multiple client names.  This will handle the case when a rule exists
+		// but the persistent client does not.
+		d.ApplyAdditionalFiltering(netip.Addr{}, cli, setts)
+	}
+
+	result, err := d.CheckHost(host, qType, setts)
 	if err != nil {
 		aghhttp.Error(
 			r,
@@ -466,6 +505,33 @@ func (d *DNSFilter) handleCheckHost(w http.ResponseWriter, r *http.Request) {
 	aghhttp.WriteJSONResponseOK(w, r, resp)
 }

+// stringToDNSType is a helper function that converts a string to DNS type.  If
+// the string is empty, it returns the default value [dns.TypeA].
+func stringToDNSType(str string) (qtype uint16, err error) {
+	if str == "" {
+		return dns.TypeA, nil
+	}
+
+	qtype, ok := dns.StringToType[str]
+	if ok {
+		return qtype, nil
+	}
+
+	// typePref is a prefix for DNS types from experimental RFCs.
+	const typePref = "TYPE"
+
+	if !strings.HasPrefix(str, typePref) {
+		return 0, errors.ErrBadEnumValue
+	}
+
+	val, err := strconv.ParseUint(str[len(typePref):], 10, 16)
+	if err != nil {
+		return 0, errors.ErrBadEnumValue
+	}
+
+	return uint16(val), nil
+}
+
 // setProtectedBool sets the value of a boolean pointer under a lock.  l must
 // protect the value under ptr.
 //
--- a/internal/filtering/http_internal_test.go
+++ b/internal/filtering/http_internal_test.go
@@ -3,11 +3,15 @@ package filtering
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/netip"
+	"strings"
 	"testing"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/schedule"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -305,3 +309,168 @@ func TestDNSFilter_handleParentalStatus(t *testing.T) {
 		})
 	}
 }
+
+func TestDNSFilter_HandleCheckHost(t *testing.T) {
+	const (
+		cliName = "client_name"
+		cliID   = "client_id"
+
+		notFilteredHost = "not.filterd.example"
+		allowedHost     = "allowed.example"
+		blockedHost     = "blocked.example"
+		cliHost         = "client.example"
+		qTypeHost       = "qtype.example"
+		cliQTypeHost    = "cli.qtype.example"
+
+		target          = "/control/check_host"
+		hostFmt         = target + "?name=%s"
+		hostCliFmt      = hostFmt + "&client=%s"
+		hostQTypeFmt    = hostFmt + "&qtype=%s"
+		hostCliQTypeFmt = hostCliFmt + "&qtype=%s"
+
+		allowedRuleFmt         = "@@||%s^"
+		blockedRuleFmt         = "||%s^"
+		blockedRuleCliFmt      = blockedRuleFmt + "$client=%s"
+		blockedRuleQTypeFmt    = blockedRuleFmt + "$dnstype=%s"
+		blockedRuleCliQTypeFmt = blockedRuleCliFmt + ",dnstype=%s"
+	)
+
+	var (
+		allowedRule            = fmt.Sprintf(allowedRuleFmt, allowedHost)
+		blockedRule            = fmt.Sprintf(blockedRuleFmt, blockedHost)
+		blockedClientRule      = fmt.Sprintf(blockedRuleCliFmt, cliHost, cliName)
+		blockedQTypeRule       = fmt.Sprintf(blockedRuleQTypeFmt, qTypeHost, "CNAME")
+		blockedClientQTypeRule = fmt.Sprintf(blockedRuleCliQTypeFmt, cliQTypeHost, cliName, "CNAME")
+
+		notFilteredURL        = fmt.Sprintf(hostFmt, notFilteredHost)
+		allowedURL            = fmt.Sprintf(hostFmt, allowedHost)
+		blockedURL            = fmt.Sprintf(hostFmt, blockedHost)
+		blockedClientURL      = fmt.Sprintf(hostCliFmt, cliHost, cliID)
+		allowedQTypeURL       = fmt.Sprintf(hostQTypeFmt, qTypeHost, "AAAA")
+		blockedQTypeURL       = fmt.Sprintf(hostQTypeFmt, qTypeHost, "CNAME")
+		allowedClientQTypeURL = fmt.Sprintf(hostCliQTypeFmt, cliQTypeHost, cliID, "AAAA")
+		blockedClientQTypeURL = fmt.Sprintf(hostCliQTypeFmt, cliQTypeHost, cliID, "CNAME")
+	)
+
+	rules := []string{
+		allowedRule,
+		blockedRule,
+		blockedClientRule,
+		blockedQTypeRule,
+		blockedClientQTypeRule,
+	}
+	rulesData := strings.Join(rules, "\n")
+
+	filters := []Filter{{
+		ID: 0, Data: []byte(rulesData),
+	}}
+
+	clientNames := map[string]string{
+		cliID: cliName,
+	}
+
+	dnsFilter, err := New(&Config{
+		BlockedServices: &BlockedServices{
+			Schedule: schedule.EmptyWeekly(),
+		},
+		ApplyClientFiltering: func(clientID string, cliAddr netip.Addr, setts *Settings) {
+			setts.ClientName = clientNames[clientID]
+		},
+	}, filters)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name string
+		url  string
+		want *checkHostResp
+	}{{
+		name: "not_filtered",
+		url:  notFilteredURL,
+		want: &checkHostResp{
+			Reason: reasonNames[NotFilteredNotFound],
+			Rule:   "",
+			Rules:  []*checkHostRespRule{},
+		},
+	}, {
+		name: "allowed",
+		url:  allowedURL,
+		want: &checkHostResp{
+			Reason: reasonNames[NotFilteredAllowList],
+			Rule:   allowedRule,
+			Rules: []*checkHostRespRule{{
+				Text: allowedRule,
+			}},
+		},
+	}, {
+		name: "blocked",
+		url:  blockedURL,
+		want: &checkHostResp{
+			Reason: reasonNames[FilteredBlockList],
+			Rule:   blockedRule,
+			Rules: []*checkHostRespRule{{
+				Text: blockedRule,
+			}},
+		},
+	}, {
+		name: "blocked_client",
+		url:  blockedClientURL,
+		want: &checkHostResp{
+			Reason: reasonNames[FilteredBlockList],
+			Rule:   blockedClientRule,
+			Rules: []*checkHostRespRule{{
+				Text: blockedClientRule,
+			}},
+		},
+	}, {
+		name: "allowed_qtype",
+		url:  allowedQTypeURL,
+		want: &checkHostResp{
+			Reason: reasonNames[NotFilteredNotFound],
+			Rule:   "",
+			Rules:  []*checkHostRespRule{},
+		},
+	}, {
+		name: "blocked_qtype",
+		url:  blockedQTypeURL,
+		want: &checkHostResp{
+			Reason: reasonNames[FilteredBlockList],
+			Rule:   blockedQTypeRule,
+			Rules: []*checkHostRespRule{{
+				Text: blockedQTypeRule,
+			}},
+		},
+	}, {
+		name: "blocked_client_qtype",
+		url:  blockedClientQTypeURL,
+		want: &checkHostResp{
+			Reason: reasonNames[FilteredBlockList],
+			Rule:   blockedClientQTypeRule,
+			Rules: []*checkHostRespRule{{
+				Text: blockedClientQTypeRule,
+			}},
+		},
+	}, {
+		name: "allowed_client_qtype",
+		url:  allowedClientQTypeURL,
+		want: &checkHostResp{
+			Reason: reasonNames[NotFilteredNotFound],
+			Rule:   "",
+			Rules:  []*checkHostRespRule{},
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			r := httptest.NewRequest(http.MethodGet, tc.url, nil)
+			w := httptest.NewRecorder()
+
+			dnsFilter.handleCheckHost(w, r)
+
+			res := &checkHostResp{}
+			err = json.NewDecoder(w.Body).Decode(res)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.want, res)
+		})
+	}
+}
--- a/internal/filtering/rewrite/storage_internal_test.go
+++ b/internal/filtering/rewrite/storage_internal_test.go
--- a/internal/filtering/rewrites_internal_test.go
+++ b/internal/filtering/rewrites_internal_test.go
--- a/internal/filtering/safesearch.go
+++ b/internal/filtering/safesearch.go
@@ -3,6 +3,9 @@ package filtering
 import "context"

 // SafeSearch interface describes a service for search engines hosts rewrites.
+//
+// TODO(s.chzhen):  Move to a higher-level package to allow importing the client
+// package into the filtering package.
 type SafeSearch interface {
 	// CheckHost checks host with safe search filter.  CheckHost must be safe
 	// for concurrent use.  qtype must be either [dns.TypeA] or [dns.TypeAAAA].
--- a/internal/home/authglinet_internal_test.go
+++ b/internal/home/authglinet_internal_test.go
--- a/internal/home/authratelimiter_internal_test.go
+++ b/internal/home/authratelimiter_internal_test.go
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@@ -121,6 +121,8 @@ func (clients *clientsContainer) Init(

 	sigHdlr.addClientStorage(clients.storage)

+	filteringConf.ApplyClientFiltering = clients.storage.ApplyClientFiltering
+
 	return nil
 }

--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -568,7 +568,7 @@ func parseConfig() (err error) {
 	}

 	// Do not wrap the error because it's informative enough as is.
-	return setContextTLSCipherIDs()
+	return validateTLSCipherIDs(config.TLS.OverrideTLSCiphers)
 }

 // validateConfig returns error if the configuration is invalid.
@@ -721,21 +721,15 @@ func (c *configuration) write(tlsMgr *tlsManager) (err error) {
 	return nil
 }

-// setContextTLSCipherIDs sets the TLS cipher suite IDs to use.
-func setContextTLSCipherIDs() (err error) {
-	if len(config.TLS.OverrideTLSCiphers) == 0 {
-		log.Info("tls: using default ciphers")
-
-		globalContext.tlsCipherIDs = aghtls.SaferCipherSuites()
-
+// validateTLSCipherIDs validates the custom TLS cipher suite IDs.
+func validateTLSCipherIDs(cipherIDs []string) (err error) {
+	if len(cipherIDs) == 0 {
 		return nil
 	}

-	log.Info("tls: overriding ciphers: %s", config.TLS.OverrideTLSCiphers)
-
-	globalContext.tlsCipherIDs, err = aghtls.ParseCiphers(config.TLS.OverrideTLSCiphers)
+	_, err = aghtls.ParseCiphers(cipherIDs)
 	if err != nil {
-		return fmt.Errorf("parsing override ciphers: %w", err)
+		return fmt.Errorf("override_tls_ciphers: %w", err)
 	}

 	return nil
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -38,6 +38,8 @@ const (
 )

 // Called by other modules when configuration is changed
+//
+// TODO(s.chzhen):  Remove this after refactoring.
 func onConfigModified() {
 	err := config.write(globalContext.tls)
 	if err != nil {
@@ -120,14 +122,15 @@ func initDNS(
 		anonymizer,
 		httpRegister,
 		tlsConf,
+		tlsMgr,
 		baseLogger,
 	)
 }

 // initDNSServer initializes the [context.dnsServer].  To only use the internal
-// proxy, none of the arguments are required, but tlsConf and l still must not
-// be nil, in other cases all the arguments also must not be nil.  It also must
-// not be called unless [config] and [globalContext] are initialized.
+// proxy, none of the arguments are required, but tlsConf, tlsMgr and l still
+// must not be nil, in other cases all the arguments also must not be nil.  It
+// also must not be called unless [config] and [globalContext] are initialized.
 //
 // TODO(e.burkov): Use [dnsforward.DNSCreateParams] as a parameter.
 func initDNSServer(
@@ -138,6 +141,7 @@ func initDNSServer(
 	anonymizer *aghnet.IPMut,
 	httpReg aghhttp.RegisterFunc,
 	tlsConf *tlsConfigSettings,
+	tlsMgr *tlsManager,
 	l *slog.Logger,
 ) (err error) {
 	globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
@@ -166,6 +170,7 @@ func initDNSServer(
 		&config.DNS,
 		config.Clients.Sources,
 		tlsConf,
+		tlsMgr,
 		httpReg,
 		globalContext.clients.storage,
 	)
@@ -236,18 +241,18 @@ func ipsToUDPAddrs(ips []netip.Addr, port uint16) (udpAddrs []*net.UDPAddr) {
 }

 // newServerConfig converts values from the configuration file into the internal
-// DNS server configuration.  All arguments must not be nil.
+// DNS server configuration.  All arguments must not be nil, except for httpReg.
 func newServerConfig(
 	dnsConf *dnsConfig,
 	clientSrcConf *clientSourcesConfig,
 	tlsConf *tlsConfigSettings,
+	tlsMgr *tlsManager,
 	httpReg aghhttp.RegisterFunc,
 	clientsContainer dnsforward.ClientsContainer,
 ) (newConf *dnsforward.ServerConfig, err error) {
 	hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})

 	fwdConf := dnsConf.Config
-	fwdConf.FilterHandler = applyAdditionalFiltering
 	fwdConf.ClientsContainer = clientsContainer

 	newConf = &dnsforward.ServerConfig{
@@ -257,7 +262,7 @@ func newServerConfig(
 		TLSConfig:              newDNSTLSConfig(tlsConf, hosts),
 		TLSAllowUnencryptedDoH: tlsConf.AllowUnencryptedDoH,
 		UpstreamTimeout:        time.Duration(dnsConf.UpstreamTimeout),
-		TLSv12Roots:            globalContext.tlsRoots,
+		TLSv12Roots:            tlsMgr.rootCerts,
 		ConfigModified:         onConfigModified,
 		HTTPRegister:           httpReg,
 		LocalPTRResolvers:      dnsConf.PrivateRDNSResolvers,
@@ -411,57 +416,6 @@ func getDNSEncryption(tlsMgr *tlsManager) (de dnsEncryption) {
 	return de
 }

-// applyAdditionalFiltering adds additional client information and settings if
-// the client has them.
-func applyAdditionalFiltering(clientIP netip.Addr, clientID string, setts *filtering.Settings) {
-	// pref is a prefix for logging messages around the scope.
-	const pref = "applying filters"
-
-	globalContext.filters.ApplyBlockedServices(setts)
-
-	log.Debug("%s: looking for client with ip %s and clientid %q", pref, clientIP, clientID)
-
-	if !clientIP.IsValid() {
-		return
-	}
-
-	setts.ClientIP = clientIP
-
-	c, ok := globalContext.clients.storage.Find(clientID)
-	if !ok {
-		c, ok = globalContext.clients.storage.Find(clientIP.String())
-		if !ok {
-			log.Debug("%s: no clients with ip %s and clientid %q", pref, clientIP, clientID)
-
-			return
-		}
-	}
-
-	log.Debug("%s: using settings for client %q (%s; %q)", pref, c.Name, clientIP, clientID)
-
-	if c.UseOwnBlockedServices {
-		// TODO(e.burkov):  Get rid of this crutch.
-		setts.ServicesRules = nil
-		svcs := c.BlockedServices.IDs
-		if !c.BlockedServices.Schedule.Contains(time.Now()) {
-			globalContext.filters.ApplyBlockedServicesList(setts, svcs)
-			log.Debug("%s: services for client %q set: %s", pref, c.Name, svcs)
-		}
-	}
-
-	setts.ClientName = c.Name
-	setts.ClientTags = c.Tags
-	if !c.UseOwnSettings {
-		return
-	}
-
-	setts.FilteringEnabled = c.FilteringEnabled
-	setts.SafeSearchEnabled = c.SafeSearchConf.Enabled
-	setts.ClientSafeSearch = c.SafeSearch
-	setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
-	setts.ParentalEnabled = c.ParentalEnabled
-}
-
 func startDNSServer() error {
 	config.RLock()
 	defer config.RUnlock()
@@ -495,31 +449,6 @@ func startDNSServer() error {
 	return nil
 }

-// reconfigureDNSServer updates the DNS server configuration using the provided
-// TLS settings.  tlsMgr must not be nil.
-func reconfigureDNSServer(tlsMgr *tlsManager) (err error) {
-	tlsConf := &tlsConfigSettings{}
-	tlsMgr.WriteDiskConfig(tlsConf)
-
-	newConf, err := newServerConfig(
-		&config.DNS,
-		config.Clients.Sources,
-		tlsConf,
-		httpRegister,
-		globalContext.clients.storage,
-	)
-	if err != nil {
-		return fmt.Errorf("generating forwarding dns server config: %w", err)
-	}
-
-	err = globalContext.dnsServer.Reconfigure(newConf)
-	if err != nil {
-		return fmt.Errorf("starting forwarding dns server: %w", err)
-	}
-
-	return nil
-}
-
 func stopDNSServer() (err error) {
 	if !isRunning() {
 		return nil
--- a/internal/home/dns_internal_test.go
+++ b/internal/home/dns_internal_test.go
@@ -1,206 +0,0 @@
-package home
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/client"
-	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
-	"github.com/AdguardTeam/AdGuardHome/internal/schedule"
-	"github.com/AdguardTeam/golibs/logutil/slogutil"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-var testIPv4 = netip.AddrFrom4([4]byte{1, 2, 3, 4})
-
-// newStorage is a helper function that returns a client storage filled with
-// persistent clients.  It also generates a UID for each client.
-func newStorage(tb testing.TB, clients []*client.Persistent) (s *client.Storage) {
-	tb.Helper()
-
-	ctx := testutil.ContextWithTimeout(tb, testTimeout)
-	s, err := client.NewStorage(ctx, &client.StorageConfig{
-		Logger: slogutil.NewDiscardLogger(),
-	})
-	require.NoError(tb, err)
-
-	for _, p := range clients {
-		p.UID = client.MustNewUID()
-		require.NoError(tb, s.Add(ctx, p))
-	}
-
-	return s
-}
-
-func TestApplyAdditionalFiltering(t *testing.T) {
-	var err error
-
-	globalContext.filters, err = filtering.New(&filtering.Config{
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.EmptyWeekly(),
-		},
-	}, nil)
-	require.NoError(t, err)
-
-	globalContext.clients.storage = newStorage(t, []*client.Persistent{{
-		Name:                "default",
-		ClientIDs:           []string{"default"},
-		UseOwnSettings:      false,
-		SafeSearchConf:      filtering.SafeSearchConfig{Enabled: false},
-		FilteringEnabled:    false,
-		SafeBrowsingEnabled: false,
-		ParentalEnabled:     false,
-	}, {
-		Name:                "custom_filtering",
-		ClientIDs:           []string{"custom_filtering"},
-		UseOwnSettings:      true,
-		SafeSearchConf:      filtering.SafeSearchConfig{Enabled: true},
-		FilteringEnabled:    true,
-		SafeBrowsingEnabled: true,
-		ParentalEnabled:     true,
-	}, {
-		Name:                "partial_custom_filtering",
-		ClientIDs:           []string{"partial_custom_filtering"},
-		UseOwnSettings:      true,
-		SafeSearchConf:      filtering.SafeSearchConfig{Enabled: true},
-		FilteringEnabled:    true,
-		SafeBrowsingEnabled: false,
-		ParentalEnabled:     false,
-	}})
-
-	testCases := []struct {
-		name                string
-		id                  string
-		FilteringEnabled    assert.BoolAssertionFunc
-		SafeSearchEnabled   assert.BoolAssertionFunc
-		SafeBrowsingEnabled assert.BoolAssertionFunc
-		ParentalEnabled     assert.BoolAssertionFunc
-	}{{
-		name:                "global_settings",
-		id:                  "default",
-		FilteringEnabled:    assert.False,
-		SafeSearchEnabled:   assert.False,
-		SafeBrowsingEnabled: assert.False,
-		ParentalEnabled:     assert.False,
-	}, {
-		name:                "custom_settings",
-		id:                  "custom_filtering",
-		FilteringEnabled:    assert.True,
-		SafeSearchEnabled:   assert.True,
-		SafeBrowsingEnabled: assert.True,
-		ParentalEnabled:     assert.True,
-	}, {
-		name:                "partial",
-		id:                  "partial_custom_filtering",
-		FilteringEnabled:    assert.True,
-		SafeSearchEnabled:   assert.True,
-		SafeBrowsingEnabled: assert.False,
-		ParentalEnabled:     assert.False,
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			setts := &filtering.Settings{}
-
-			applyAdditionalFiltering(testIPv4, tc.id, setts)
-			tc.FilteringEnabled(t, setts.FilteringEnabled)
-			tc.SafeSearchEnabled(t, setts.SafeSearchEnabled)
-			tc.SafeBrowsingEnabled(t, setts.SafeBrowsingEnabled)
-			tc.ParentalEnabled(t, setts.ParentalEnabled)
-		})
-	}
-}
-
-func TestApplyAdditionalFiltering_blockedServices(t *testing.T) {
-	filtering.InitModule()
-
-	var (
-		globalBlockedServices  = []string{"ok"}
-		clientBlockedServices  = []string{"ok", "mail_ru", "vk"}
-		invalidBlockedServices = []string{"invalid"}
-
-		err error
-	)
-
-	globalContext.filters, err = filtering.New(&filtering.Config{
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.EmptyWeekly(),
-			IDs:      globalBlockedServices,
-		},
-	}, nil)
-	require.NoError(t, err)
-
-	globalContext.clients.storage = newStorage(t, []*client.Persistent{{
-		Name:                  "default",
-		ClientIDs:             []string{"default"},
-		UseOwnBlockedServices: false,
-	}, {
-		Name:      "no_services",
-		ClientIDs: []string{"no_services"},
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.EmptyWeekly(),
-		},
-		UseOwnBlockedServices: true,
-	}, {
-		Name:      "services",
-		ClientIDs: []string{"services"},
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.EmptyWeekly(),
-			IDs:      clientBlockedServices,
-		},
-		UseOwnBlockedServices: true,
-	}, {
-		Name:      "invalid_services",
-		ClientIDs: []string{"invalid_services"},
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.EmptyWeekly(),
-			IDs:      invalidBlockedServices,
-		},
-		UseOwnBlockedServices: true,
-	}, {
-		Name:      "allow_all",
-		ClientIDs: []string{"allow_all"},
-		BlockedServices: &filtering.BlockedServices{
-			Schedule: schedule.FullWeekly(),
-			IDs:      clientBlockedServices,
-		},
-		UseOwnBlockedServices: true,
-	}})
-
-	testCases := []struct {
-		name    string
-		id      string
-		wantLen int
-	}{{
-		name:    "global_settings",
-		id:      "default",
-		wantLen: len(globalBlockedServices),
-	}, {
-		name:    "custom_settings",
-		id:      "no_services",
-		wantLen: 0,
-	}, {
-		name:    "custom_settings_block",
-		id:      "services",
-		wantLen: len(clientBlockedServices),
-	}, {
-		name:    "custom_settings_invalid",
-		id:      "invalid_services",
-		wantLen: 0,
-	}, {
-		name:    "custom_settings_inactive_schedule",
-		id:      "allow_all",
-		wantLen: 0,
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			setts := &filtering.Settings{}
-
-			applyAdditionalFiltering(testIPv4, tc.id, setts)
-			require.Len(t, setts.ServicesRules, tc.wantLen)
-		})
-	}
-}
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -3,7 +3,6 @@ package home

 import (
 	"context"
-	"crypto/x509"
 	"fmt"
 	"io/fs"
 	"log/slog"
@@ -22,7 +21,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
@@ -81,10 +79,6 @@ type homeContext struct {
 	workDir     string // Location of our directory, used to protect against CWD being somewhere else
 	pidFileName string // PID file name.  Empty if no PID file was created.
 	controlLock sync.Mutex
-	tlsRoots    *x509.CertPool // list of root CAs for TLSv1.2
-
-	// tlsCipherIDs are the ID of the cipher suites that AdGuard Home must use.
-	tlsCipherIDs []uint16

 	// firstRun, if true, tells AdGuard Home to only start the web interface
 	// service, and only serve the first-run APIs.
@@ -142,7 +136,6 @@ func Main(clientBuildFS fs.FS) {
 func setupContext(opts options) (err error) {
 	globalContext.firstRun = detectFirstRun()

-	globalContext.tlsRoots = aghtls.SystemRootCAs()
 	globalContext.mux = http.NewServeMux()

 	if !opts.noEtcHosts {
@@ -274,18 +267,13 @@ func setupOpts(opts options) (err error) {
 	return nil
 }

-// initContextClients initializes Context clients and related fields.
+// initContextClients initializes Context clients and related fields.  All
+// arguments must not be nil.
 func initContextClients(
 	ctx context.Context,
 	logger *slog.Logger,
 	sigHdlr *signalHandler,
 ) (err error) {
-	err = setupDNSFilteringConf(ctx, logger, config.Filtering)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return err
-	}
-
 	//lint:ignore SA1019 Migration is not over.
 	config.DHCP.WorkDir = globalContext.workDir
 	config.DHCP.DataDir = globalContext.getDataDir()
@@ -358,11 +346,13 @@ func setupBindOpts(opts options) (err error) {
 	return nil
 }

-// setupDNSFilteringConf sets up DNS filtering configuration settings.
+// setupDNSFilteringConf sets up DNS filtering configuration settings.  All
+// arguments must not be nil.
 func setupDNSFilteringConf(
 	ctx context.Context,
 	baseLogger *slog.Logger,
 	conf *filtering.Config,
+	tlsMgr *tlsManager,
 ) (err error) {
 	const (
 		dnsTimeout = 3 * time.Second
@@ -388,7 +378,7 @@ func setupDNSFilteringConf(
 	conf.Filters = slices.Clone(config.Filters)
 	conf.WhitelistFilters = slices.Clone(config.WhitelistFilters)
 	conf.UserRules = slices.Clone(config.UserRules)
-	conf.HTTPClient = httpClient()
+	conf.HTTPClient = httpClient(tlsMgr)

 	cacheTime := time.Duration(conf.CacheTime) * time.Minute

@@ -630,6 +620,23 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}, sigHdlr *signalH
 	err = initContextClients(ctx, slogLogger, sigHdlr)
 	fatalOnError(err)

+	tlsMgrLogger := slogLogger.With(slogutil.KeyPrefix, "tls_manager")
+	tlsMgr, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         tlsMgrLogger,
+		configModified: onConfigModified,
+		tlsSettings:    config.TLS,
+		servePlainDNS:  config.DNS.ServePlainDNS,
+	})
+	if err != nil {
+		tlsMgrLogger.ErrorContext(ctx, "initializing", slogutil.KeyError, err)
+		onConfigModified()
+	}
+
+	globalContext.tls = tlsMgr
+
+	err = setupDNSFilteringConf(ctx, slogLogger, config.Filtering, tlsMgr)
+	fatalOnError(err)
+
 	err = setupOpts(opts)
 	fatalOnError(err)

@@ -642,7 +649,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}, sigHdlr *signalH

 	// TODO(e.burkov): This could be made earlier, probably as the option's
 	// effect.
-	cmdlineUpdate(ctx, slogLogger, opts, upd)
+	cmdlineUpdate(ctx, slogLogger, opts, upd, tlsMgr)

 	if !globalContext.firstRun {
 		// Save the updated config.
@@ -664,18 +671,14 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}, sigHdlr *signalH
 	globalContext.auth, err = initUsers()
 	fatalOnError(err)

-	tlsMgr, err := newTLSManager(config.TLS, config.DNS.ServePlainDNS)
-	if err != nil {
-		log.Error("initializing tls: %s", err)
-		onConfigModified()
-	}
-
-	globalContext.tls = tlsMgr
-	sigHdlr.addTLSManager(tlsMgr)
-
-	globalContext.web, err = initWeb(ctx, opts, clientBuildFS, upd, slogLogger, tlsMgr, customURL)
+	web, err := initWeb(ctx, opts, clientBuildFS, upd, slogLogger, tlsMgr, customURL)
 	fatalOnError(err)

+	globalContext.web = web
+
+	tlsMgr.setWebAPI(web)
+	sigHdlr.addTLSManager(tlsMgr)
+
 	statsDir, querylogDir, err := checkStatsAndQuerylogDirs(&globalContext, config)
 	fatalOnError(err)

@@ -705,7 +708,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}, sigHdlr *signalH
 		checkPermissions(ctx, slogLogger, globalContext.workDir, confPath, dataDir, statsDir, querylogDir)
 	}

-	globalContext.web.start(ctx)
+	web.start(ctx)

 	// Wait for other goroutines to complete their job.
 	<-done
@@ -1057,8 +1060,15 @@ type jsonError struct {
 	Message string `json:"message"`
 }

-// cmdlineUpdate updates current application and exits.  l must not be nil.
-func cmdlineUpdate(ctx context.Context, l *slog.Logger, opts options, upd *updater.Updater) {
+// cmdlineUpdate updates current application and exits.  l and tlsMgr must not
+// be nil.
+func cmdlineUpdate(
+	ctx context.Context,
+	l *slog.Logger,
+	opts options,
+	upd *updater.Updater,
+	tlsMgr *tlsManager,
+) {
 	if !opts.performUpdate {
 		return
 	}
@@ -1068,7 +1078,7 @@ func cmdlineUpdate(ctx context.Context, l *slog.Logger, opts options, upd *updat
 	//
 	// TODO(e.burkov):  We could probably initialize the internal resolver
 	// separately.
-	err := initDNSServer(nil, nil, nil, nil, nil, nil, &tlsConfigSettings{}, l)
+	err := initDNSServer(nil, nil, nil, nil, nil, nil, &tlsConfigSettings{}, tlsMgr, l)
 	fatalOnError(err)

 	l.InfoContext(ctx, "performing update via cli")
--- a/internal/home/home_internal_test.go
+++ b/internal/home/home_internal_test.go
--- a/internal/home/httpclient.go
+++ b/internal/home/httpclient.go
@@ -10,10 +10,10 @@ import (

 // httpClient returns a new HTTP client that uses the AdGuard Home's own DNS
 // server for resolving hostnames.  The resulting client should not be used
-// until [Context.dnsServer] is initialized.
+// until [Context.dnsServer] is initialized.  tlsMgr must not be nil.
 //
 // TODO(a.garipov, e.burkov): This is rather messy.  Refactor.
-func httpClient() (c *http.Client) {
+func httpClient(tlsMgr *tlsManager) (c *http.Client) {
 	// Do not use Context.dnsServer.DialContext directly in the struct literal
 	// below, since Context.dnsServer may be nil when this function is called.
 	dialContext := func(ctx context.Context, network, addr string) (conn net.Conn, err error) {
@@ -27,8 +27,8 @@ func httpClient() (c *http.Client) {
 			DialContext: dialContext,
 			Proxy:       httpProxy,
 			TLSClientConfig: &tls.Config{
-				RootCAs:      globalContext.tlsRoots,
-				CipherSuites: globalContext.tlsCipherIDs,
+				RootCAs:      tlsMgr.rootCerts,
+				CipherSuites: tlsMgr.customCipherIDs,
 				MinVersion:   tls.VersionTLS12,
 			},
 		},
--- a/internal/home/middlewares_internal_test.go
+++ b/internal/home/middlewares_internal_test.go
--- a/internal/home/options_internal_test.go
+++ b/internal/home/options_internal_test.go
--- a/internal/home/signal.go
+++ b/internal/home/signal.go
@@ -116,6 +116,6 @@ func (h *signalHandler) reloadConfig(ctx context.Context) {
 	}

 	if h.tlsManager != nil {
-		h.tlsManager.reload()
+		h.tlsManager.reload(ctx)
 	}
 }
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -12,7 +12,9 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"log/slog"
 	"net/http"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
@@ -20,22 +22,43 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
+	"github.com/c2h5oh/datasize"
 	"github.com/google/go-cmp/cmp"
 )

 // tlsManager contains the current configuration and state of AdGuard Home TLS
 // encryption.
 type tlsManager struct {
+	// logger is used for logging the operation of the TLS Manager.
+	logger *slog.Logger
+
 	// status is the current status of the configuration.  It is never nil.
 	status *tlsConfigStatus

 	// certLastMod is the last modification time of the certificate file.
 	certLastMod time.Time

+	// rootCerts is a pool of root CAs for TLSv1.2.
+	rootCerts *x509.CertPool
+
+	// web is the web UI and API server.  It must not be nil.
+	//
+	// TODO(s.chzhen):  Temporary cyclic dependency due to ongoing refactoring.
+	// Resolve it.
+	web *webAPI
+
+	// configModified is called when the TLS configuration is changed via an
+	// HTTP request.
+	configModified func()
+
+	// customCipherIDs are the ID of the cipher suites that AdGuard Home must use.
+	customCipherIDs []uint16
+
 	confLock sync.Mutex
 	conf     tlsConfigSettings

@@ -43,33 +66,78 @@ type tlsManager struct {
 	servePlainDNS bool
 }

+// tlsManagerConfig contains the settings for initializing the TLS manager.
+type tlsManagerConfig struct {
+	// logger is used for logging the operation of the TLS Manager.  It must not
+	// be nil.
+	logger *slog.Logger
+
+	// configModified is called when the TLS configuration is changed via an
+	// HTTP request.  It must not be nil.
+	configModified func()
+
+	// tlsSettings contains the TLS configuration settings.
+	tlsSettings tlsConfigSettings
+
+	// servePlainDNS defines if plain DNS is allowed for incoming requests.
+	servePlainDNS bool
+}
+
 // newTLSManager initializes the manager of TLS configuration.  m is always
 // non-nil while any returned error indicates that the TLS configuration isn't
-// valid.  Thus TLS may be initialized later, e.g. via the web UI.
-func newTLSManager(conf tlsConfigSettings, servePlainDNS bool) (m *tlsManager, err error) {
+// valid.  Thus TLS may be initialized later, e.g. via the web UI.  conf must
+// not be nil.  Note that [tlsManager.web] must be initialized later on by using
+// [tlsManager.setWebAPI].
+func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager, err error) {
 	m = &tlsManager{
-		status:        &tlsConfigStatus{},
-		conf:          conf,
-		servePlainDNS: servePlainDNS,
+		logger:         conf.logger,
+		configModified: conf.configModified,
+		status:         &tlsConfigStatus{},
+		conf:           conf.tlsSettings,
+		servePlainDNS:  conf.servePlainDNS,
+	}
+
+	m.rootCerts = aghtls.SystemRootCAs()
+
+	if len(conf.tlsSettings.OverrideTLSCiphers) > 0 {
+		m.customCipherIDs, err = aghtls.ParseCiphers(config.TLS.OverrideTLSCiphers)
+		if err != nil {
+			// Should not happen because upstreams are already validated.  See
+			// [validateTLSCipherIDs].
+			panic(err)
+		}
+
+		m.logger.InfoContext(ctx, "overriding ciphers", "ciphers", config.TLS.OverrideTLSCiphers)
+	} else {
+		m.logger.InfoContext(ctx, "using default ciphers")
 	}

 	if m.conf.Enabled {
-		err = m.load()
+		err = m.load(ctx)
 		if err != nil {
 			m.conf.Enabled = false

 			return m, err
 		}

-		m.setCertFileTime()
+		m.setCertFileTime(ctx)
 	}

 	return m, nil
 }

+// setWebAPI stores the provided web API.  It must be called before
+// [tlsManager.start], [tlsManager.reload], [tlsManager.handleTLSConfigure], or
+// [tlsManager.validateTLSSettings].
+//
+// TODO(s.chzhen):  Remove it once cyclic dependency is resolved.
+func (m *tlsManager) setWebAPI(webAPI *webAPI) {
+	m.web = webAPI
+}
+
 // load reloads the TLS configuration from files or data from the config file.
-func (m *tlsManager) load() (err error) {
-	err = loadTLSConf(&m.conf, m.status)
+func (m *tlsManager) load(ctx context.Context) (err error) {
+	err = m.loadTLSConf(ctx, &m.conf, m.status)
 	if err != nil {
 		return fmt.Errorf("loading config: %w", err)
 	}
@@ -84,16 +152,16 @@ func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
 	m.confLock.Unlock()
 }

-// setCertFileTime sets t.certLastMod from the certificate.  If there are
-// errors, setCertFileTime logs them.
-func (m *tlsManager) setCertFileTime() {
+// setCertFileTime sets [tlsManager.certLastMod] from the certificate.  If there
+// are errors, setCertFileTime logs them.
+func (m *tlsManager) setCertFileTime(ctx context.Context) {
 	if len(m.conf.CertificatePath) == 0 {
 		return
 	}

 	fi, err := os.Stat(m.conf.CertificatePath)
 	if err != nil {
-		log.Error("tls: looking up certificate path: %s", err)
+		m.logger.ErrorContext(ctx, "looking up certificate path", slogutil.KeyError, err)

 		return
 	}
@@ -114,11 +182,11 @@ func (m *tlsManager) start(_ context.Context) {
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	globalContext.web.tlsConfigChanged(context.Background(), tlsConf)
+	m.web.tlsConfigChanged(context.Background(), tlsConf)
 }

-// reload updates the configuration and restarts t.
-func (m *tlsManager) reload() {
+// reload updates the configuration and restarts the TLS manager.
+func (m *tlsManager) reload(ctx context.Context) {
 	m.confLock.Lock()
 	tlsConf := m.conf
 	m.confLock.Unlock()
@@ -127,33 +195,37 @@ func (m *tlsManager) reload() {
 		return
 	}

-	fi, err := os.Stat(tlsConf.CertificatePath)
+	certPath := tlsConf.CertificatePath
+	fi, err := os.Stat(certPath)
 	if err != nil {
-		log.Error("tls: %s", err)
+		m.logger.ErrorContext(ctx, "checking certificate file", slogutil.KeyError, err)

 		return
 	}

 	if fi.ModTime().UTC().Equal(m.certLastMod) {
-		log.Debug("tls: certificate file isn't modified")
+		m.logger.InfoContext(ctx, "certificate file is not modified")

 		return
 	}

-	log.Debug("tls: certificate file is modified")
+	m.logger.InfoContext(ctx, "certificate file is modified")

 	m.confLock.Lock()
-	err = m.load()
+	err = m.load(ctx)
 	m.confLock.Unlock()
 	if err != nil {
-		log.Error("tls: reloading: %s", err)
+		m.logger.ErrorContext(ctx, "reloading", slogutil.KeyError, err)

 		return
 	}

 	m.certLastMod = fi.ModTime().UTC()

-	_ = reconfigureDNSServer(m)
+	err = m.reconfigureDNSServer()
+	if err != nil {
+		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
+	}

 	m.confLock.Lock()
 	tlsConf = m.conf
@@ -162,12 +234,42 @@ func (m *tlsManager) reload() {
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	globalContext.web.tlsConfigChanged(context.Background(), tlsConf)
+	m.web.tlsConfigChanged(context.Background(), tlsConf)
+}
+
+// reconfigureDNSServer updates the DNS server configuration using the stored
+// TLS settings.
+func (m *tlsManager) reconfigureDNSServer() (err error) {
+	tlsConf := &tlsConfigSettings{}
+	m.WriteDiskConfig(tlsConf)
+
+	newConf, err := newServerConfig(
+		&config.DNS,
+		config.Clients.Sources,
+		tlsConf,
+		m,
+		httpRegister,
+		globalContext.clients.storage,
+	)
+	if err != nil {
+		return fmt.Errorf("generating forwarding dns server config: %w", err)
+	}
+
+	err = globalContext.dnsServer.Reconfigure(newConf)
+	if err != nil {
+		return fmt.Errorf("starting forwarding dns server: %w", err)
+	}
+
+	return nil
 }

 // loadTLSConf loads and validates the TLS configuration.  The returned error is
 // also set in status.WarningValidation.
-func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
+func (m *tlsManager) loadTLSConf(
+	ctx context.Context,
+	tlsConf *tlsConfigSettings,
+	status *tlsConfigStatus,
+) (err error) {
 	defer func() {
 		if err != nil {
 			status.WarningValidation = err.Error()
@@ -190,7 +292,8 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 		return err
 	}

-	err = validateCertificates(
+	err = m.validateCertificates(
+		ctx,
 		status,
 		tlsConf.CertificateChainData,
 		tlsConf.PrivateKeyData,
@@ -322,6 +425,8 @@ func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {

 // handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
 func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
 	setts, err := unmarshalTLS(r)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
@@ -333,7 +438,9 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 		setts.PrivateKey = m.conf.PrivateKey
 	}

-	if err = validateTLSSettings(setts); err != nil {
+	if err = m.validateTLSSettings(setts); err != nil {
+		m.logger.InfoContext(ctx, "validating tls settings", slogutil.KeyError, err)
+
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)

 		return
@@ -342,7 +449,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	// Skip the error check, since we are only interested in the value of
 	// status.WarningValidation.
 	status := &tlsConfigStatus{}
-	_ = loadTLSConf(&setts.tlsConfigSettings, status)
+	_ = m.loadTLSConf(ctx, &setts.tlsConfigSettings, status)
 	resp := tlsConfig{
 		tlsConfigSettingsExt: setts,
 		tlsConfigStatus:      status,
@@ -353,6 +460,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {

 // setConfig updates manager conf with the given one.
 func (m *tlsManager) setConfig(
+	ctx context.Context,
 	newConf tlsConfigSettings,
 	status *tlsConfigStatus,
 	servePlain aghalg.NullBool,
@@ -367,10 +475,10 @@ func (m *tlsManager) setConfig(
 	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
 	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
 	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
-		log.Info("tls config has changed, restarting https server")
+		m.logger.InfoContext(ctx, "config has changed, restarting https server")
 		restartHTTPS = true
 	} else {
-		log.Info("tls: config has not changed")
+		m.logger.InfoContext(ctx, "config has not changed")
 	}

 	// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
@@ -398,6 +506,8 @@ func (m *tlsManager) setConfig(
 // handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
 // API.
 func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
 	req, err := unmarshalTLS(r)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
@@ -409,14 +519,14 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		req.PrivateKey = m.conf.PrivateKey
 	}

-	if err = validateTLSSettings(req); err != nil {
+	if err = m.validateTLSSettings(req); err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)

 		return
 	}

 	status := &tlsConfigStatus{}
-	err = loadTLSConf(&req.tlsConfigSettings, status)
+	err = m.loadTLSConf(ctx, &req.tlsConfigSettings, status)
 	if err != nil {
 		resp := tlsConfig{
 			tlsConfigSettingsExt: req,
@@ -428,8 +538,8 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	restartHTTPS := m.setConfig(req.tlsConfigSettings, status, req.ServePlainDNS)
-	m.setCertFileTime()
+	restartHTTPS := m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
+	m.setCertFileTime(ctx)

 	if req.ServePlainDNS != aghalg.NBNull {
 		func() {
@@ -440,10 +550,12 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 		}()
 	}

-	onConfigModified()
+	m.configModified()

-	err = reconfigureDNSServer(m)
+	err = m.reconfigureDNSServer()
 	if err != nil {
+		m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
+
 		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)

 		return
@@ -465,36 +577,54 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
 	// same reason.
 	if restartHTTPS {
 		go func() {
-			globalContext.web.tlsConfigChanged(context.Background(), req.tlsConfigSettings)
+			m.web.tlsConfigChanged(context.Background(), req.tlsConfigSettings)
 		}()
 	}
 }

 // validateTLSSettings returns error if the setts are not valid.
-func validateTLSSettings(setts tlsConfigSettingsExt) (err error) {
-	if setts.Enabled {
-		err = validatePorts(
-			tcpPort(config.HTTPConfig.Address.Port()),
-			tcpPort(setts.PortHTTPS),
-			tcpPort(setts.PortDNSOverTLS),
-			tcpPort(setts.PortDNSCrypt),
-			udpPort(config.DNS.Port),
-			udpPort(setts.PortDNSOverQUIC),
-		)
-		if err != nil {
-			// Don't wrap the error since it's informative enough as is.
-			return err
+func (m *tlsManager) validateTLSSettings(setts tlsConfigSettingsExt) (err error) {
+	if !setts.Enabled {
+		if setts.ServePlainDNS == aghalg.NBFalse {
+			// TODO(a.garipov): Support full disabling of all DNS.
+			return errors.Error("plain DNS is required in case encryption protocols are disabled")
 		}
-	} else if setts.ServePlainDNS == aghalg.NBFalse {
-		// TODO(a.garipov): Support full disabling of all DNS.
-		return errors.Error("plain DNS is required in case encryption protocols are disabled")
+
+		return nil
 	}

-	if !webCheckPortAvailable(setts.PortHTTPS) {
-		return fmt.Errorf("port %d is not available, cannot enable HTTPS on it", setts.PortHTTPS)
+	var (
+		tlsConf      tlsConfigSettings
+		webAPIAddr   netip.Addr
+		webAPIPort   uint16
+		plainDNSPort uint16
+	)
+
+	func() {
+		config.Lock()
+		defer config.Unlock()
+
+		tlsConf = config.TLS
+		webAPIAddr = config.HTTPConfig.Address.Addr()
+		webAPIPort = config.HTTPConfig.Address.Port()
+		plainDNSPort = config.DNS.Port
+	}()
+
+	err = validatePorts(
+		tcpPort(webAPIPort),
+		tcpPort(setts.PortHTTPS),
+		tcpPort(setts.PortDNSOverTLS),
+		tcpPort(setts.PortDNSCrypt),
+		udpPort(plainDNSPort),
+		udpPort(setts.PortDNSOverQUIC),
+	)
+	if err != nil {
+		// Don't wrap the error because it's informative enough as is.
+		return err
 	}

-	return nil
+	// Don't wrap the error because it's informative enough as is.
+	return m.checkPortAvailability(tlsConf, setts.tlsConfigSettings, webAPIAddr)
 }

 // validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
@@ -506,10 +636,11 @@ func validatePorts(
 	tcpPorts := aghalg.UniqChecker[tcpPort]{}
 	addPorts(
 		tcpPorts,
-		tcpPort(bindPort),
-		tcpPort(dohPort),
-		tcpPort(dotPort),
-		tcpPort(dnscryptTCPPort),
+		bindPort,
+		dohPort,
+		dotPort,
+		dnscryptTCPPort,
+		tcpPort(dnsPort),
 	)

 	err = tcpPorts.Validate()
@@ -518,7 +649,7 @@ func validatePorts(
 	}

 	udpPorts := aghalg.UniqChecker[udpPort]{}
-	addPorts(udpPorts, udpPort(dnsPort), udpPort(doqPort))
+	addPorts(udpPorts, dnsPort, doqPort)

 	err = udpPorts.Validate()
 	if err != nil {
@@ -530,18 +661,30 @@ func validatePorts(

 // validateCertChain verifies certs using the first as the main one and others
 // as intermediate.  srvName stands for the expected DNS name.
-func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
+func (m *tlsManager) validateCertChain(
+	ctx context.Context,
+	certs []*x509.Certificate,
+	srvName string,
+) (err error) {
 	main, others := certs[0], certs[1:]

 	pool := x509.NewCertPool()
 	for _, cert := range others {
-		log.Info("tls: got an intermediate cert")
 		pool.AddCert(cert)
 	}

+	othersLen := len(others)
+	if othersLen > 0 {
+		m.logger.InfoContext(
+			ctx,
+			"verifying certificate chain: got an intermediate cert",
+			"num", othersLen,
+		)
+	}
+
 	opts := x509.VerifyOptions{
 		DNSName:       srvName,
-		Roots:         globalContext.tlsRoots,
+		Roots:         m.rootCerts,
 		Intermediates: pool,
 	}
 	_, err = main.Verify(opts)
@@ -552,15 +695,79 @@ func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
 	return nil
 }

-// errNoIPInCert is the error that is returned from [parseCertChain] if the leaf
-// certificate doesn't contain IPs.
+// checkPortAvailability checks [tlsConfigSettings.PortHTTPS],
+// [tlsConfigSettings.PortDNSOverTLS], and [tlsConfigSettings.PortDNSOverQUIC]
+// are available for use.  It checks the current configuration and, if needed,
+// attempts to bind to the port.  The function returns human-readable error
+// messages for the frontend.  This is best-effort check to prevent an "address
+// already in use" error.
+//
+// TODO(a.garipov): Adapt for HTTP/3.
+func (m *tlsManager) checkPortAvailability(
+	currConf tlsConfigSettings,
+	newConf tlsConfigSettings,
+	addr netip.Addr,
+) (err error) {
+	const (
+		networkTCP = "tcp"
+		networkUDP = "udp"
+
+		protoHTTPS = "HTTPS"
+		protoDoT   = "DNS-over-TLS"
+		protoDoQ   = "DNS-over-QUIC"
+	)
+
+	needBindingCheck := []struct {
+		network  string
+		proto    string
+		currPort uint16
+		newPort  uint16
+	}{{
+		network:  networkTCP,
+		proto:    protoHTTPS,
+		currPort: currConf.PortHTTPS,
+		newPort:  newConf.PortHTTPS,
+	}, {
+		network:  networkTCP,
+		proto:    protoDoT,
+		currPort: currConf.PortDNSOverTLS,
+		newPort:  newConf.PortDNSOverTLS,
+	}, {
+		network:  networkUDP,
+		proto:    protoDoQ,
+		currPort: currConf.PortDNSOverQUIC,
+		newPort:  newConf.PortDNSOverQUIC,
+	}}
+
+	var errs []error
+	for _, v := range needBindingCheck {
+		port := v.newPort
+		if v.currPort == port {
+			continue
+		}
+
+		addrPort := netip.AddrPortFrom(addr, port)
+		err = aghnet.CheckPort(v.network, addrPort)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("port %d for %s is not available", port, v.proto))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+// errNoIPInCert is the error that is returned from [tlsManager.parseCertChain]
+// if the leaf certificate doesn't contain IPs.
 const errNoIPInCert errors.Error = `certificates has no IP addresses; ` +
 	`DNS-over-TLS won't be advertised via DDR`

 // parseCertChain parses the certificate chain from raw data, and returns it.
 // If ok is true, the returned error, if any, is not critical.
-func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err error) {
-	log.Debug("tls: got certificate chain: %d bytes", len(chain))
+func (m *tlsManager) parseCertChain(
+	ctx context.Context,
+	chain []byte,
+) (parsedCerts []*x509.Certificate, ok bool, err error) {
+	m.logger.DebugContext(ctx, "parsing certificate chain", "size", datasize.ByteSize(len(chain)))

 	var certs []*pem.Block
 	for decoded, pemblock := pem.Decode(chain); decoded != nil; {
@@ -576,7 +783,7 @@ func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err
 		return nil, false, err
 	}

-	log.Info("tls: number of certs: %d", len(parsedCerts))
+	m.logger.InfoContext(ctx, "parsing multiple pem certificates", "num", len(parsedCerts))

 	if !aghtls.CertificateHasIP(parsedCerts[0]) {
 		err = errNoIPInCert
@@ -643,7 +850,8 @@ func validatePKey(pkey []byte) (keyType string, err error) {
 // validateCertificates processes certificate data and its private key.  status
 // must not be nil, since it's used to accumulate the validation results.  Other
 // parameters are optional.
-func validateCertificates(
+func (m *tlsManager) validateCertificates(
+	ctx context.Context,
 	status *tlsConfigStatus,
 	certChain []byte,
 	pkey []byte,
@@ -651,27 +859,12 @@ func validateCertificates(
 ) (err error) {
 	// Check only the public certificate separately from the key.
 	if len(certChain) > 0 {
-		var certs []*x509.Certificate
-		certs, status.ValidCert, err = parseCertChain(certChain)
-		if !status.ValidCert {
+		var ok bool
+		ok, err = m.validateCertificate(ctx, status, certChain, serverName)
+		if !ok {
 			// Don't wrap the error, since it's informative enough as is.
 			return err
 		}
-
-		mainCert := certs[0]
-		status.Subject = mainCert.Subject.String()
-		status.Issuer = mainCert.Issuer.String()
-		status.NotAfter = mainCert.NotAfter
-		status.NotBefore = mainCert.NotBefore
-		status.DNSNames = mainCert.DNSNames
-
-		if chainErr := validateCertChain(certs, serverName); chainErr != nil {
-			// Let self-signed certs through and don't return this error to set
-			// its message into the status.WarningValidation afterwards.
-			err = chainErr
-		} else {
-			status.ValidChain = true
-		}
 	}

 	// Validate the private key by parsing it.
@@ -699,6 +892,41 @@ func validateCertificates(
 	return err
 }

+// validateCertificate processes certificate data.  status must not be nil, as
+// it is used to accumulate the validation results.  Other parameters are
+// optional.  If ok is true, the returned error, if any, is not critical.
+func (m *tlsManager) validateCertificate(
+	ctx context.Context,
+	status *tlsConfigStatus,
+	certChain []byte,
+	serverName string,
+) (ok bool, err error) {
+	var certs []*x509.Certificate
+	certs, status.ValidCert, err = m.parseCertChain(ctx, certChain)
+	if !status.ValidCert {
+		// Don't wrap the error, since it's informative enough as is.
+		return false, err
+	}
+
+	mainCert := certs[0]
+	status.Subject = mainCert.Subject.String()
+	status.Issuer = mainCert.Issuer.String()
+	status.NotAfter = mainCert.NotAfter
+	status.NotBefore = mainCert.NotBefore
+	status.DNSNames = mainCert.DNSNames
+
+	err = m.validateCertChain(ctx, certs, serverName)
+	if err != nil {
+		// Let self-signed certs through and don't return this error to set
+		// its message into the status.WarningValidation afterwards.
+		return true, err
+	}
+
+	status.ValidChain = true
+
+	return true, nil
+}
+
 // Key types.
 const (
 	keyTypeECDSA   = "ECDSA"
@@ -761,17 +989,18 @@ func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
 		}
 	}

-	if data.PrivateKey != "" {
-		var key []byte
-		key, err = base64.StdEncoding.DecodeString(data.PrivateKey)
-		if err != nil {
-			return data, fmt.Errorf("failed to base64-decode private key: %w", err)
-		}
+	if data.PrivateKey == "" {
+		return data, nil
+	}

-		data.PrivateKey = string(key)
-		if data.PrivateKeyPath != "" {
-			return data, fmt.Errorf("private key data and file can't be set together")
-		}
+	key, err := base64.StdEncoding.DecodeString(data.PrivateKey)
+	if err != nil {
+		return data, fmt.Errorf("failed to base64-decode private key: %w", err)
+	}
+
+	data.PrivateKey = string(key)
+	if data.PrivateKeyPath != "" {
+		return data, fmt.Errorf("private key data and file can't be set together")
 	}

 	return data, nil
--- a/internal/home/tls_internal_test.go
+++ b/internal/home/tls_internal_test.go
@@ -1,13 +1,36 @@
 package home

 import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/netip"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
+	"github.com/AdguardTeam/AdGuardHome/internal/client"
+	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

+// TODO(s.chzhen):  Consider moving to testdata.
 var testCertChainData = []byte(`-----BEGIN CERTIFICATE-----
 MIICKzCCAZSgAwIBAgIJAMT9kPVJdM7LMA0GCSqGSIb3DQEBCwUAMC0xFDASBgNV
 BAoMC0FkR3VhcmQgTHRkMRUwEwYDVQQDDAxBZEd1YXJkIEhvbWUwHhcNMTkwMjI3
@@ -41,9 +64,19 @@ kXS9jgARhhiWXJrk
 -----END PRIVATE KEY-----`)

 func TestValidateCertificates(t *testing.T) {
+	ctx := testutil.ContextWithTimeout(t, testTimeout)
+	logger := slogutil.NewDiscardLogger()
+
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		servePlainDNS:  false,
+	})
+	require.NoError(t, err)
+
 	t.Run("bad_certificate", func(t *testing.T) {
 		status := &tlsConfigStatus{}
-		err := validateCertificates(status, []byte("bad cert"), nil, "")
+		err = m.validateCertificates(ctx, status, []byte("bad cert"), nil, "")
 		testutil.AssertErrorMsg(t, "empty certificate", err)
 		assert.False(t, status.ValidCert)
 		assert.False(t, status.ValidChain)
@@ -51,14 +84,14 @@ func TestValidateCertificates(t *testing.T) {

 	t.Run("bad_private_key", func(t *testing.T) {
 		status := &tlsConfigStatus{}
-		err := validateCertificates(status, nil, []byte("bad priv key"), "")
+		err = m.validateCertificates(ctx, status, nil, []byte("bad priv key"), "")
 		testutil.AssertErrorMsg(t, "no valid keys were found", err)
 		assert.False(t, status.ValidKey)
 	})

 	t.Run("valid", func(t *testing.T) {
 		status := &tlsConfigStatus{}
-		err := validateCertificates(status, testCertChainData, testPrivateKeyData, "")
+		err = m.validateCertificates(ctx, status, testCertChainData, testPrivateKeyData, "")
 		assert.Error(t, err)

 		notBefore := time.Date(2019, 2, 27, 9, 24, 23, 0, time.UTC)
@@ -75,3 +108,479 @@ func TestValidateCertificates(t *testing.T) {
 		assert.True(t, status.ValidPair)
 	})
 }
+
+// storeGlobals is a test helper function that saves global variables and
+// restores them once the test is complete.
+//
+// The global variables are:
+//   - [configuration.dns]
+//   - [homeContext.clients.storage]
+//   - [homeContext.dnsServer]
+//   - [homeContext.mux]
+//
+// TODO(s.chzhen):  Remove this once the TLS manager no longer accesses global
+// variables.  Make tests that use this helper concurrent.
+func storeGlobals(tb testing.TB) {
+	tb.Helper()
+
+	prevConfig := config
+	storage := globalContext.clients.storage
+	dnsServer := globalContext.dnsServer
+	mux := globalContext.mux
+
+	tb.Cleanup(func() {
+		config = prevConfig
+		globalContext.clients.storage = storage
+		globalContext.dnsServer = dnsServer
+		globalContext.mux = mux
+	})
+}
+
+// newCertAndKey is a helper function that generates certificate and key.
+func newCertAndKey(tb testing.TB, n int64) (certDER []byte, key *rsa.PrivateKey) {
+	tb.Helper()
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(tb, err)
+
+	certTmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(n),
+	}
+
+	certDER, err = x509.CreateCertificate(rand.Reader, certTmpl, certTmpl, &key.PublicKey, key)
+	require.NoError(tb, err)
+
+	return certDER, key
+}
+
+// writeCertAndKey is a helper function that writes certificate and key to
+// specified paths.
+func writeCertAndKey(
+	tb testing.TB,
+	certDER []byte,
+	certPath string,
+	key *rsa.PrivateKey,
+	keyPath string,
+) {
+	tb.Helper()
+
+	certFile, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	require.NoError(tb, err)
+
+	defer func() {
+		err = certFile.Close()
+		require.NoError(tb, err)
+	}()
+
+	err = pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	require.NoError(tb, err)
+
+	keyFile, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	require.NoError(tb, err)
+
+	defer func() {
+		err = keyFile.Close()
+		require.NoError(tb, err)
+	}()
+
+	err = pem.Encode(keyFile, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
+	require.NoError(tb, err)
+}
+
+// assertCertSerialNumber is a helper function that checks serial number of the
+// TLS certificate.
+func assertCertSerialNumber(tb testing.TB, conf *tlsConfigSettings, wantSN int64) {
+	tb.Helper()
+
+	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
+	require.NoError(tb, err)
+
+	assert.Equal(tb, wantSN, cert.Leaf.SerialNumber.Int64())
+}
+
+func TestTLSManager_Reload(t *testing.T) {
+	storeGlobals(t)
+
+	var (
+		logger = slogutil.NewDiscardLogger()
+		ctx    = testutil.ContextWithTimeout(t, testTimeout)
+		err    error
+	)
+
+	globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
+		Logger: logger,
+	})
+	require.NoError(t, err)
+
+	globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
+		Logger: logger,
+		Clock:  timeutil.SystemClock{},
+	})
+	require.NoError(t, err)
+
+	globalContext.mux = http.NewServeMux()
+
+	const (
+		snBefore int64 = 1
+		snAfter  int64 = 2
+	)
+
+	tmpDir := t.TempDir()
+	certPath := filepath.Join(tmpDir, "cert.pem")
+	keyPath := filepath.Join(tmpDir, "key.pem")
+
+	certDER, key := newCertAndKey(t, snBefore)
+	writeCertAndKey(t, certDER, certPath, key, keyPath)
+
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		tlsSettings: tlsConfigSettings{
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificatePath: certPath,
+				PrivateKeyPath:  keyPath,
+			},
+		},
+		servePlainDNS: false,
+	})
+	require.NoError(t, err)
+
+	web, err := initWeb(ctx, options{}, nil, nil, logger, nil, false)
+	require.NoError(t, err)
+
+	m.setWebAPI(web)
+
+	conf := &tlsConfigSettings{}
+	m.WriteDiskConfig(conf)
+	assertCertSerialNumber(t, conf, snBefore)
+
+	certDER, key = newCertAndKey(t, snAfter)
+	writeCertAndKey(t, certDER, certPath, key, keyPath)
+
+	m.reload(ctx)
+
+	m.WriteDiskConfig(conf)
+	assertCertSerialNumber(t, conf, snAfter)
+}
+
+func TestTLSManager_HandleTLSStatus(t *testing.T) {
+	var (
+		logger = slogutil.NewDiscardLogger()
+		ctx    = testutil.ContextWithTimeout(t, testTimeout)
+		err    error
+	)
+
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		tlsSettings: tlsConfigSettings{
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: string(testCertChainData),
+				PrivateKey:       string(testPrivateKeyData),
+			},
+		},
+		servePlainDNS: false,
+	})
+	require.NoError(t, err)
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/control/tls/status", nil)
+	m.handleTLSStatus(w, r)
+
+	res := &tlsConfigSettingsExt{}
+	err = json.NewDecoder(w.Body).Decode(res)
+	require.NoError(t, err)
+
+	wantCertificateChain := base64.StdEncoding.EncodeToString(testCertChainData)
+	assert.True(t, res.Enabled)
+	assert.Equal(t, wantCertificateChain, res.CertificateChain)
+	assert.True(t, res.PrivateKeySaved)
+}
+
+func TestValidateTLSSettings(t *testing.T) {
+	storeGlobals(t)
+
+	globalContext.mux = http.NewServeMux()
+
+	var (
+		logger = slogutil.NewDiscardLogger()
+		ctx    = testutil.ContextWithTimeout(t, testTimeout)
+		err    error
+	)
+
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		servePlainDNS:  false,
+	})
+	require.NoError(t, err)
+
+	web, err := initWeb(ctx, options{}, nil, nil, logger, nil, false)
+	require.NoError(t, err)
+
+	m.setWebAPI(web)
+
+	tcpLn, err := net.Listen("tcp", ":0")
+	require.NoError(t, err)
+
+	testutil.CleanupAndRequireSuccess(t, tcpLn.Close)
+
+	tcpAddr := testutil.RequireTypeAssert[*net.TCPAddr](t, tcpLn.Addr())
+	busyTCPPort := tcpAddr.Port
+
+	udpLn, err := net.ListenPacket("udp", ":0")
+	require.NoError(t, err)
+
+	testutil.CleanupAndRequireSuccess(t, udpLn.Close)
+
+	udpAddr := testutil.RequireTypeAssert[*net.UDPAddr](t, udpLn.LocalAddr())
+	busyUDPPort := udpAddr.Port
+
+	testCases := []struct {
+		setts   tlsConfigSettingsExt
+		name    string
+		wantErr string
+	}{{
+		name:    "basic",
+		setts:   tlsConfigSettingsExt{},
+		wantErr: "",
+	}, {
+		setts: tlsConfigSettingsExt{
+			ServePlainDNS: aghalg.NBFalse,
+		},
+		name:    "disabled_all",
+		wantErr: "plain DNS is required in case encryption protocols are disabled",
+	}, {
+		setts: tlsConfigSettingsExt{
+			tlsConfigSettings: tlsConfigSettings{
+				Enabled:   true,
+				PortHTTPS: uint16(busyTCPPort),
+			},
+		},
+		name:    "busy_https_port",
+		wantErr: fmt.Sprintf("port %d for HTTPS is not available", busyTCPPort),
+	}, {
+		setts: tlsConfigSettingsExt{
+			tlsConfigSettings: tlsConfigSettings{
+				Enabled:        true,
+				PortDNSOverTLS: uint16(busyTCPPort),
+			},
+		},
+		name:    "busy_dot_port",
+		wantErr: fmt.Sprintf("port %d for DNS-over-TLS is not available", busyTCPPort),
+	}, {
+		setts: tlsConfigSettingsExt{
+			tlsConfigSettings: tlsConfigSettings{
+				Enabled:         true,
+				PortDNSOverQUIC: uint16(busyUDPPort),
+			},
+		},
+		name:    "busy_doq_port",
+		wantErr: fmt.Sprintf("port %d for DNS-over-QUIC is not available", busyUDPPort),
+	}, {
+		setts: tlsConfigSettingsExt{
+			tlsConfigSettings: tlsConfigSettings{
+				Enabled:        true,
+				PortHTTPS:      4433,
+				PortDNSOverTLS: 4433,
+			},
+		},
+		name:    "duplicate_port",
+		wantErr: "validating tcp ports: duplicated values: [4433]",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err = m.validateTLSSettings(tc.setts)
+			testutil.AssertErrorMsg(t, tc.wantErr, err)
+		})
+	}
+}
+
+func TestTLSManager_HandleTLSValidate(t *testing.T) {
+	storeGlobals(t)
+
+	globalContext.mux = http.NewServeMux()
+
+	var (
+		logger = slogutil.NewDiscardLogger()
+		ctx    = testutil.ContextWithTimeout(t, testTimeout)
+		err    error
+	)
+
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		tlsSettings: tlsConfigSettings{
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: string(testCertChainData),
+				PrivateKey:       string(testPrivateKeyData),
+			},
+		},
+		servePlainDNS: false,
+	})
+	require.NoError(t, err)
+
+	web, err := initWeb(ctx, options{}, nil, nil, logger, nil, false)
+	require.NoError(t, err)
+
+	m.setWebAPI(web)
+
+	setts := &tlsConfigSettingsExt{
+		tlsConfigSettings: tlsConfigSettings{
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
+				PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			},
+		},
+	}
+
+	req, err := json.Marshal(setts)
+	require.NoError(t, err)
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodPost, "/control/tls/validate", bytes.NewReader(req))
+	m.handleTLSValidate(w, r)
+
+	res := &tlsConfigStatus{}
+	err = json.NewDecoder(w.Body).Decode(res)
+	require.NoError(t, err)
+
+	cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
+	require.NoError(t, err)
+
+	wantIssuer := cert.Leaf.Issuer.String()
+	assert.Equal(t, wantIssuer, res.Issuer)
+}
+
+func TestTLSManager_HandleTLSConfigure(t *testing.T) {
+	// Store the global state before making any changes.
+	storeGlobals(t)
+
+	var (
+		logger = slogutil.NewDiscardLogger()
+		ctx    = testutil.ContextWithTimeout(t, testTimeout)
+		err    error
+	)
+
+	globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
+		Logger: logger,
+	})
+	require.NoError(t, err)
+
+	err = globalContext.dnsServer.Prepare(&dnsforward.ServerConfig{
+		Config: dnsforward.Config{
+			UpstreamMode:     dnsforward.UpstreamModeLoadBalance,
+			EDNSClientSubnet: &dnsforward.EDNSClientSubnet{Enabled: false},
+			ClientsContainer: dnsforward.EmptyClientsContainer{},
+		},
+		ServePlainDNS: true,
+	})
+	require.NoError(t, err)
+
+	globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
+		Logger: logger,
+		Clock:  timeutil.SystemClock{},
+	})
+	require.NoError(t, err)
+
+	globalContext.mux = http.NewServeMux()
+
+	config.DNS.BindHosts = []netip.Addr{netip.MustParseAddr("127.0.0.1")}
+	config.DNS.Port = 0
+
+	const wantSerialNumber int64 = 1
+
+	// Prepare the TLS manager configuration.
+	tmpDir := t.TempDir()
+	certPath := filepath.Join(tmpDir, "cert.pem")
+	keyPath := filepath.Join(tmpDir, "key.pem")
+
+	certDER, key := newCertAndKey(t, wantSerialNumber)
+	writeCertAndKey(t, certDER, certPath, key, keyPath)
+
+	// Initialize the TLS manager and assert its configuration.
+	m, err := newTLSManager(ctx, &tlsManagerConfig{
+		logger:         logger,
+		configModified: func() {},
+		tlsSettings: tlsConfigSettings{
+			Enabled: true,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificatePath: certPath,
+				PrivateKeyPath:  keyPath,
+			},
+		},
+		servePlainDNS: true,
+	})
+	require.NoError(t, err)
+
+	web, err := initWeb(ctx, options{}, nil, nil, logger, nil, false)
+	require.NoError(t, err)
+
+	m.setWebAPI(web)
+
+	conf := &tlsConfigSettings{}
+	m.WriteDiskConfig(conf)
+	assertCertSerialNumber(t, conf, wantSerialNumber)
+
+	// Prepare a request with the new TLS configuration.
+	setts := &tlsConfigSettingsExt{
+		tlsConfigSettings: tlsConfigSettings{
+			Enabled:   true,
+			PortHTTPS: 4433,
+			TLSConfig: dnsforward.TLSConfig{
+				CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
+				PrivateKey:       base64.StdEncoding.EncodeToString(testPrivateKeyData),
+			},
+		},
+	}
+
+	req, err := json.Marshal(setts)
+	require.NoError(t, err)
+
+	r := httptest.NewRequest(http.MethodPost, "/control/tls/configure", bytes.NewReader(req))
+	w := httptest.NewRecorder()
+
+	// Reconfigure the TLS manager.
+	m.handleTLSConfigure(w, r)
+
+	// The [tlsManager.handleTLSConfigure] method will start the DNS server and
+	// it should be stopped after the test ends.
+	testutil.CleanupAndRequireSuccess(t, globalContext.dnsServer.Stop)
+
+	res := &tlsConfig{
+		tlsConfigStatus: &tlsConfigStatus{},
+	}
+	err = json.NewDecoder(w.Body).Decode(res)
+	require.NoError(t, err)
+
+	cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
+	require.NoError(t, err)
+
+	wantIssuer := cert.Leaf.Issuer.String()
+	assert.Equal(t, wantIssuer, res.tlsConfigStatus.Issuer)
+
+	// Assert that the Web API's TLS configuration has been updated.
+	//
+	// TODO(s.chzhen):  Remove when [httpsServer.cond] is removed.
+	assert.Eventually(t, func() bool {
+		web.httpsServer.condLock.Lock()
+		defer web.httpsServer.condLock.Unlock()
+
+		cert = web.httpsServer.cert
+		if cert.Leaf == nil {
+			return false
+		}
+
+		assert.Equal(t, wantIssuer, cert.Leaf.Issuer.String())
+
+		return true
+	}, testTimeout, testTimeout/10)
+}
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -12,10 +12,8 @@ import (
 	"sync"
 	"time"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/updater"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/netutil/httputil"
@@ -158,27 +156,6 @@ func newWebAPI(ctx context.Context, conf *webConfig) (w *webAPI) {
 	return w
 }

-// webCheckPortAvailable checks if port, which is considered an HTTPS port, is
-// available, unless the HTTPS server isn't active.
-//
-// TODO(a.garipov): Adapt for HTTP/3.
-func webCheckPortAvailable(port uint16) (ok bool) {
-	if globalContext.web.httpsServer.server != nil {
-		return true
-	}
-
-	addrPort := netip.AddrPortFrom(config.HTTPConfig.Address.Addr(), port)
-
-	err := aghnet.CheckPort("tcp", addrPort)
-	if err != nil {
-		log.Info("web: warning: checking https port: %s", err)
-
-		return false
-	}
-
-	return true
-}
-
 // tlsConfigChanged updates the TLS configuration and restarts the HTTPS server
 // if necessary.
 func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettings) {
@@ -329,8 +306,8 @@ func (web *webAPI) tlsServerLoop(ctx context.Context) {
 			Handler: hdlr,
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
-				RootCAs:      globalContext.tlsRoots,
-				CipherSuites: globalContext.tlsCipherIDs,
+				RootCAs:      web.tlsManager.rootCerts,
+				CipherSuites: web.tlsManager.customCipherIDs,
 				MinVersion:   tls.VersionTLS12,
 			},
 			ReadTimeout:       web.conf.ReadTimeout,
@@ -363,8 +340,8 @@ func (web *webAPI) mustStartHTTP3(ctx context.Context, address string) {
 		Addr: address,
 		TLSConfig: &tls.Config{
 			Certificates: []tls.Certificate{web.httpsServer.cert},
-			RootCAs:      globalContext.tlsRoots,
-			CipherSuites: globalContext.tlsCipherIDs,
+			RootCAs:      web.tlsManager.rootCerts,
+			CipherSuites: web.tlsManager.customCipherIDs,
 			MinVersion:   tls.VersionTLS12,
 		},
 		Handler: withMiddlewares(globalContext.mux, limitRequestBody),
--- a/internal/querylog/decode_internal_test.go
+++ b/internal/querylog/decode_internal_test.go
--- a/Show More
+++ b/Show More