all: upd chlog

all: resync fix
all: add permcheck, client fix; imp chlog
2024-10-03 15:34:48 +03:00 · 2024-10-02 20:25:07 +03:00 · 2024-10-02 18:24:07 +03:00 · 2024-09-30 20:17:20 +03:00 · 2024-07-04 17:06:16 +03:00 · 2024-07-03 15:53:40 +03:00
80 changed files with 27343 additions and 26622 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'

 'env':
-  'GO_VERSION': '1.23.1'
+  'GO_VERSION': '1.23.2'
  'NODE_VERSION': '16'

 'on':
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'

 'env':
-  'GO_VERSION': '1.23.1'
+  'GO_VERSION': '1.23.2'

 'on':
  'push':
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,19 +18,43 @@ TODO(a.garipov): Use the common markdown formatting tools.
 <!--
 ## [v0.108.0] - TBA

-## [v0.107.53] - 2024-07-24 (APPROX.)
+## [v0.107.54] - 2024-10-03 (APPROX.)

-See also the [v0.107.53 GitHub milestone][ms-v0.107.53].
+See also the [v0.107.54 GitHub milestone][ms-v0.107.54].

-[ms-v0.107.53]: https://github.com/AdguardTeam/AdGuardHome/milestone/88?closed=1
+[ms-v0.107.54]: https://github.com/AdguardTeam/AdGuardHome/milestone/89?closed=1

 NOTE: Add new changes BELOW THIS COMMENT.
 -->

+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+
+
+## [v0.107.53] - 2024-10-03
+
+See also the [v0.107.53 GitHub milestone][ms-v0.107.53].
+
 ### Security

+- Previous versions of AdGuard Home allowed users to add any system file it had
+  access to as filters, exposing them to be world-readable.  To prevent this,
+  AdGuard Home now allows adding filtering-rule list files only from files
+  matching the patterns enumerated in the `filtering.safe_fs_patterns` property
+  in the configuration file.
+
+  We thank @itz-d0dgy for reporting this vulnerability, designated
+  CVE-2024-36814, to us.
+- Additionally, AdGuard Home will now try to change the permissions of its files
+  and directories to more restrictive ones to prevent similar vulnerabilities
+  as well as limit the access to the configuration.
+
+  We thank @go-compile for reporting this vulnerability, designated
+  CVE-2024-36586, to us.
 - Go version has been updated to prevent the possibility of exploiting the Go
-  vulnerabilities fixed in [1.23.1][go-1.23.1].
+  vulnerabilities fixed in [1.23.2][go-1.23.2].

 ### Added

@@ -42,22 +66,47 @@ NOTE: Add new changes BELOW THIS COMMENT.
 - Upstream server URL domain names requirements has been relaxed and now follow
  the same rules as their domain specifications.

+#### Configuration changes
+
+In this release, the schema version has changed from 28 to 29.
+
+- The new array `filtering.safe_fs_patterns` contains glob patterns for paths of
+  files that can be added as local filtering-rule lists.  The migration should
+  add list files that have already been added, as well as the default value,
+  `$DATA_DIR/userfilters/*`.
+
 ### Fixed

- Update Google safe search domains list ([#7155]).
- Enforce Bing safe search from Edge sidebar ([#7154]).
+- Property `clients.runtime_sources.dhcp` in the configuration file not taking
+  effect.
+- Stale Google safe search domains list ([#7155]).
+- Bing safe search from Edge sidebar ([#7154]).
 - Text overflow on the query log page ([#7119]).

+### Known issues
+
+- Due to the complexity of the Windows permissions architecture and poor support
+  from the standard Go library, we have to postpone the proper automated Windows
+  fix until the next release.
+
+  **Temporary workaround:**  Set the permissions of the `AdGuardHome` directory
+  to more restrictive ones manually.  To do that:
+
+  1. Locate the `AdGuardHome` directory.
+  2. Right-click on it and navigate to *Properties → Security → Advanced.*
+  3. (You might need to disable permission inheritance to make them more
+     restricted.)
+  4. Adjust to give the `Full control` access to only the user which runs
+     AdGuard Home.  Typically, `Administrator`.
+
 [#5009]: https://github.com/AdguardTeam/AdGuardHome/issues/5009
+[#5704]: https://github.com/AdguardTeam/AdGuardHome/issues/5704
 [#7119]: https://github.com/AdguardTeam/AdGuardHome/issues/7119
 [#7154]: https://github.com/AdguardTeam/AdGuardHome/pull/7154
 [#7155]: https://github.com/AdguardTeam/AdGuardHome/pull/7155

-[go-1.23.1]: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc
-
-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
-->
+[go-1.23.2]:    https://groups.google.com/g/golang-announce/c/NKEc8VT7Fz0
+[ms-v0.107.53]: https://github.com/AdguardTeam/AdGuardHome/milestone/88?closed=1



@@ -3095,11 +3144,12 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].


 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...HEAD
-[v0.107.53]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...v0.107.53
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.54...HEAD
+[v0.107.54]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...v0.107.54
 -->

-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...HEAD
+[v0.107.53]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...v0.107.53
 [v0.107.52]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.51...v0.107.52
 [v0.107.51]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.50...v0.107.51
 [v0.107.50]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.49...v0.107.50
--- a/4
+++ b/4
@@ -27,8 +27,7 @@ DEPLOY_SCRIPT_PATH = not/a/real/path
 DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
-GOSUMDB = sum.golang.google.cn
-GOTOOLCHAIN = go1.23.1
+GOTOOLCHAIN = go1.23.2
 GOTELEMETRY = off
 GPG_KEY = devteam@adguard.com
 GPG_KEY_PASSPHRASE = not-a-real-password
@@ -67,7 +66,6 @@ ENV = env\
 	GO="$(GO.MACRO)"\
 	GOAMD64='$(GOAMD64)'\
 	GOPROXY='$(GOPROXY)'\
-	GOSUMDB='$(GOSUMDB)'\
 	GOTELEMETRY='$(GOTELEMETRY)'\
 	GOTOOLCHAIN='$(GOTOOLCHAIN)'\
 	GPG_KEY='$(GPG_KEY)'\
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -8,7 +8,7 @@
 'variables':
    'channel': 'edge'
    'dockerFrontend': 'adguard/home-js-builder:2.0'
-    'dockerGo': 'adguard/go-builder:1.23.1--1'
+    'dockerGo': 'adguard/go-builder:1.23.2--1'

 'stages':
  - 'Build frontend':
@@ -276,7 +276,7 @@
        'variables':
            'channel': 'beta'
            'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
    # release-vX.Y.Z branches are the branches from which the actual final
    # release is built.
  - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -292,4 +292,4 @@
        'variables':
            'channel': 'release'
            'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -6,7 +6,7 @@
    'name': 'AdGuard Home - Build and run tests'
 'variables':
    'dockerFrontend': 'adguard/home-js-builder:2.0'
-    'dockerGo': 'adguard/go-builder:1.23.1--1'
+    'dockerGo': 'adguard/go-builder:1.23.2--1'
    'channel': 'development'

 'stages':
@@ -196,5 +196,5 @@
        # may need to build a few of these.
        'variables':
            'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
            'channel': 'candidate'
--- a/client/src/__locales/ar.json
+++ b/client/src/__locales/ar.json
@@ -291,7 +291,7 @@
    "custom_ip": "عنوان IP مخصص",
    "blocking_ipv4": "حجب عنوان IPv4",
    "blocking_ipv6": "حجب عنوان IPv6",
-    "blocked_response_ttl": "زمن حظر الاستجابة",
+    "blocked_response_ttl": "حظر استجابة TTL",
    "blocked_response_ttl_desc": "تحديد عدد الثواني التي يجب على العملاء تخزين الاستجابة التي تمت تصفيتها مؤقتًا",
    "form_enter_blocked_response_ttl": "أدخل وقت الاستجابة المحظورة TTL (بالثواني)",
    "dnscrypt": "DNSCrypt",
@@ -734,10 +734,10 @@
    "thursday": "الخميس",
    "friday": "الجمعة",
    "saturday": "السبت",
-    "sunday_short": "الاحد",
+    "sunday_short": "الأحد",
    "monday_short": "الإثنين",
    "tuesday_short": "الثلاثاء",
-    "wednesday_short": "الاربعاء",
+    "wednesday_short": "الأربعاء",
    "thursday_short": "الخميس",
    "friday_short": "الجمعة",
    "saturday_short": "السبت",
--- a/client/src/__locales/bg.json
+++ b/client/src/__locales/bg.json
@@ -159,6 +159,8 @@
    "dns_over_https": "DNS-пред-HTTPS",
    "dns_over_quic": "DNS-over-QUIC",
    "plain_dns": "Обикновен DNS",
+    "theme_light": "Светла тема",
+    "theme_dark": "Тъмна тема",
    "source_label": "Източник",
    "found_in_known_domain_db": "Намерен в списъците с домейни.",
    "category_label": "Категория",
@@ -283,5 +285,12 @@
    "filter_category_general": "General",
    "filter_category_security": "Сигурност",
    "port_53_faq_link": "Порт 53 често е зает от \"DNSStubListener\" или \"systemd-resolved\" услуги. Моля, прочетете <0>тази инструкция</0> как да решите това.",
-    "parental_control": "Родителски контрол"
+    "parental_control": "Родителски контрол",
+    "sunday_short": "Нд",
+    "monday_short": "Пон",
+    "tuesday_short": "Вт",
+    "wednesday_short": "Ср",
+    "thursday_short": "Чт",
+    "friday_short": "Пт",
+    "saturday_short": "Съб"
 }
--- a/client/src/__locales/cs.json
+++ b/client/src/__locales/cs.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Použít službu AdGuard Rodičovská kontrola",
    "use_adguard_parental_hint": "AdGuard Home zkontroluje, zda doména obsahuje materiály pro dospělé. Používá stejné API přátelské k ochraně osobních údajů jako služba Bezpečnost prohlížení.",
    "enforce_safe_search": "Použít bezpečné vyhledávání",
-    "enforce_save_search_hint": "AdGuard Home vynutí bezpečné vyhledávání v následujících vyhledávačích: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home vynutí bezpečné vyhledávání v následujících vyhledávačích: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Nebyly specifikovány žádné servery",
    "general_settings": "Obecná nastavení",
    "dns_settings": "Nastavení DNS",
--- a/client/src/__locales/da.json
+++ b/client/src/__locales/da.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Brug AdGuards forældrekontrolwebtjeneste",
    "use_adguard_parental_hint": "AdGuard Home vil tjekke, om domænet indeholder voksenindhold vha. den samme fortrolighedsvenlige API som browsingsikkerhedswebtjenesten.",
    "enforce_safe_search": "Brug sikker søgning",
-    "enforce_save_search_hint": "AdGuard Home vil håndhæve sikker søgning i flg. søgemaskiner: Google, YouTube, Bing, DuckDuckGo, Yandex og Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home vil håndhæve sikker søgning i flg. søgemaskiner: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Ingen servere angivet",
    "general_settings": "Generelle indstillinger",
    "dns_settings": "DNS-indstillinger",
--- a/client/src/__locales/de.json
+++ b/client/src/__locales/de.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "AdGuard Webservice für Kindersicherung verwenden",
    "use_adguard_parental_hint": "AdGuard Home wird prüfen, ob die Domain jugendgefährdende Inhalte enthält. Zum Schutz Ihrer Privatsphäre wird die selbe API wie für den Webservice für Internetsicherheit verwendet.",
    "enforce_safe_search": "Sichere Suche verwenden",
-    "enforce_save_search_hint": "AdGuard kann Sichere Suche für folgende Suchmaschinen erzwingen: Google, YouTube, Bing, DuckDuckGo, Yandex und Pixabay.",
+    "enforce_save_search_hint": "AdGuard kann Sichere Suche für folgende Suchmaschinen erzwingen: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex und Pixabay.",
    "no_servers_specified": "Keine Server festgelegt",
    "general_settings": "Allgemeine Einstellungen",
    "dns_settings": "DNS-Einstellungen",
@@ -641,7 +641,7 @@
    "show_processed_responses": "Verarbeitet",
    "blocked_safebrowsing": "Gesperrt durch Internetsicherheit",
    "blocked_adult_websites": "Gesperrt durch Kindersicherung",
-    "blocked_threats": "Gesperrte Bedrohungen",
+    "blocked_threats": "Bedrohungen blockiert",
    "allowed": "Zugelassen",
    "filtered": "Gefiltert",
    "rewritten": "Umgeschrieben",
--- a/client/src/__locales/es.json
+++ b/client/src/__locales/es.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Usar el control parental de AdGuard",
    "use_adguard_parental_hint": "AdGuard Home comprobará si el dominio contiene materiales para adultos. Utiliza la misma API amigable con la privacidad del servicio web de seguridad de navegación.",
    "enforce_safe_search": "Usar búsqueda segura",
-    "enforce_save_search_hint": "AdGuard Home reforzará la búsqueda segura en los siguientes motores de búsqueda: Google, YouTube, Bing, DuckDuckGo, Yandex y Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home reforzará la búsqueda segura en los siguientes motores de búsqueda: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex y Pixabay.",
    "no_servers_specified": "No hay servidores especificados",
    "general_settings": "Configuración general",
    "dns_settings": "Configuración del DNS",
--- a/client/src/__locales/fi.json
+++ b/client/src/__locales/fi.json
@@ -6,7 +6,7 @@
    "upstream_parallel": "Käytä rinnakkaisia pyyntöjä ja nopeuta selvitystä käyttämällä kaikkia ylävirtapalvelimia samanaikaisesti.",
    "parallel_requests": "Rinnakkaiset pyynnöt",
    "load_balancing": "Kuormantasaus",
-    "load_balancing_desc": "Lähetä pyyntö yhdelle ylävirtapalvelimelle kerrallaan. AdGuard Home pyrkii valitsemaan nopeimman palvelimen painotetun satunnaisalgoritminsa avulla.",
+    "load_balancing_desc": "Lähetä kysely kerrallaan yhdelle ylävirtapalvelimelle. AdGuard Home valitsee painotetun satunnaisalgoritmin avulla palvelimet, joilla on vähiten epäonnistuneita hakuja ja keskimääräisesti lyhin hakuaika.",
    "bootstrap_dns": "Bootstrap DNS-palvelimet",
    "bootstrap_dns_desc": "Ylävirroiksi määrittämiesi DoH/DoT-resolverien IP-osoitteiden selvitykseen käytettävien DNS-palvelimien IP-osoitteet. Kommentteja ei sallita.",
    "fallback_dns_title": "DNS-varapalvelimet",
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Käytä AdGuardin lapsilukko-palvelua",
    "use_adguard_parental_hint": "AdGuard Home tarkistaa, sisältääkö verkkotunnus aikuisille tarkoitettua sisältöä. Se käyttää samaa tietosuojapainotteista rajapintaa, kuin turvallisen selauksen palvelu.",
    "enforce_safe_search": "Käytä turvallista hakua",
-    "enforce_save_search_hint": "AdGuard Home voi pakottaa turvallisen haun käyttöön seuraavissa hakukoneissa: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home pakottaa turvallisen haun käyttöön seuraavissa hakukoneissa: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex ja Pixabay.",
    "no_servers_specified": "Palvelimia ei ole määritetty",
    "general_settings": "Yleiset asetukset",
    "dns_settings": "DNS-asetukset",
@@ -709,9 +709,9 @@
    "log_and_stats_section_label": "Pyyntöhistoria ja tilastot",
    "ignore_query_log": "Älä huomioi tätä päätelaitetta pyyntöhistoriassa",
    "ignore_statistics": "Älä huomioi tätä päätettä tilastoissa",
-    "schedule_services": "Keskeytä palveluesto",
-    "schedule_services_desc": "Määritä palvelunestosuodattimen keskeytysajoitus.",
-    "schedule_services_desc_client": "Määritä palvelunestosuodattimen keskeytysajoitus tälle päätteelle.",
+    "schedule_services": "Pysäytä palveluesto",
+    "schedule_services_desc": "Määritä palvelunestosuodattimen pysäytysajoitus.",
+    "schedule_services_desc_client": "Määritä palvelunestosuodattimen pysäytysajoitus tälle päätteelle.",
    "schedule_desc": "Aseta estettujen palveluiden käyttämättömyysjaksot",
    "schedule_invalid_select": "Aloitusaika on oltava ennen lopetusaikaa",
    "schedule_select_days": "Valitse päivät",
--- a/client/src/__locales/fr.json
+++ b/client/src/__locales/fr.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Utiliser le contrôle parental d'AdGuard",
    "use_adguard_parental_hint": "AdGuard Home va vérifier s'il y a du contenu pour adultes sur le domaine. Ce sera fait par aide du même API discret que celui utilisé par le service de Sécurité de navigation.",
    "enforce_safe_search": "Utiliser la Recherche Sécurisée",
-    "enforce_save_search_hint": "AdGuard Home appliquera la recherche sécurisée dans les moteurs de recherche suivants : Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home appliquera la recherche sécurisée dans les moteurs de recherche suivants : Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Pas de serveurs spécifiés",
    "general_settings": "Paramètres généraux",
    "dns_settings": "Paramètres DNS",
@@ -676,7 +676,7 @@
    "filter_allowlist": "ATTENTION : Cette action exclura également la règle « {{disallowed_rule}} » de la liste des clients autorisés.",
    "last_rule_in_allowlist": "Impossible d’interdire ce client, car l’exclusion de la règle « {{disallowed_rule}} » DÉSACTIVERA la liste des « clients autorisés ».",
    "use_saved_key": "Utiliser la clef précédemment enregistrée",
-    "parental_control": "Contrôle parental",
+    "parental_control": "Contrôle Parental",
    "safe_browsing": "Navigation sécurisée",
    "served_from_cache_label": "Servi depuis le cache",
    "form_error_password_length": "Le mot de passe doit comporter entre {{min}} et {{max}}  caractères",
--- a/client/src/__locales/id.json
+++ b/client/src/__locales/id.json
@@ -147,7 +147,7 @@
    "average_upstream_response_time": "Rata-rata waktu respons hulu",
    "response_time": "Waktu respons",
    "average_processing_time_hint": "Rata-rata waktu dalam milidetik untuk pemrosesan sebuah permintaan DNS",
-    "block_domain_use_filters_and_hosts": "Blokir domain menggunakan filter dan file hosts",
+    "block_domain_use_filters_and_hosts": "Blokir domain menggunakan filter dan berkas host",
    "filters_block_toggle_hint": "Anda dapat menyiapkan aturan pemblokiran dalam pengaturan <a>Filter</a>.",
    "use_adguard_browsing_sec": "Gunakan layanan web Keamanan Penjelajahan AdGuard",
    "use_adguard_browsing_sec_hint": "AdGuard Home akan memeriksa apakah domain diblokir oleh layanan web keamanan penjelajahan. Ini akan menggunakan API pencarian yang ramah privasi untuk melakukan pemeriksaan: hanya awalan singkat dari hash nama domain SHA256 yang dikirim ke server.",
@@ -191,7 +191,7 @@
    "edit_table_action": "Ubah",
    "delete_table_action": "Hapus",
    "elapsed": "Berlalu",
-    "filters_and_hosts_hint": "AdGuard Home memahami aturan dasar adblock dan sintak file hosts.",
+    "filters_and_hosts_hint": "AdGuard Home memahami aturan dasar adblock dan sintak berkas host.",
    "no_blocklist_added": "Tidak ada daftar hitam yang ditambahkan",
    "no_whitelist_added": "Tidak ada daftar putih yang ditambahkan",
    "add_blocklist": "Tambahkan daftar hitam",
@@ -211,8 +211,8 @@
    "form_error_url_format": "Format URL tidak valid",
    "form_error_url_or_path_format": "URL atau jalur absolut dari daftar tidak valid",
    "custom_filter_rules": "Aturan penyaringan khusus",
-    "custom_filter_rules_hint": "Masukkan satu aturan dalam sebuah baris. Anda dapat menggunakan baik aturan adblock maupun sintaks file hosts.",
-    "system_host_files": "File host sistem",
+    "custom_filter_rules_hint": "Masukkan satu aturan pada satu baris. Anda dapat menggunakan aturan adblock atau sintaks berkas host.",
+    "system_host_files": "Berkas host sistem",
    "examples_title": "Contoh",
    "example_meaning_filter_block": "blokir akses ke example.org dan seluruh subdomainnya;",
    "example_meaning_filter_whitelist": "buka blokir akses ke domain example.orf dan seluruh subdomainnya;",
@@ -476,7 +476,7 @@
    "client_confirm_delete": "Apakah anda yakin ingin menghapus klien \"{{key}}\"?",
    "list_confirm_delete": "Anda yakin ingin menghapus daftar ini?",
    "auto_clients_title": "Klien (waktu berjalan)",
-    "auto_clients_desc": "Informasi tentang alamat IP perangkat yang menggunakan atau mungkin menggunakan AdGuard Home. Informasi ini dikumpulkan dari beberapa sumber, termasuk file host, reverse DNS, dll.",
+    "auto_clients_desc": "Informasi tentang alamat IP perangkat yang menggunakan atau mungkin menggunakan AdGuard Home. Informasi ini dikumpulkan dari beberapa sumber, termasuk berkas host, DNS terbalik, dll.",
    "access_title": "Pengaturan akses",
    "access_desc": "Disini anda dapat mengatur aturan akses untuk server AdGuard Home DNS",
    "access_allowed_title": "Klien yang diizinkan",
@@ -494,7 +494,7 @@
    "setup_dns_privacy_1": "<0>DNS melalui TLS:</0> Gunakan <1>{{address}}</1> string.",
    "setup_dns_privacy_2": "<0>DNS-over-TLS:</0> Memakai <1>{{address}}</1> string.",
    "setup_dns_privacy_3": "<0>Berikut daftar perangkat lunak yang dapat Anda gunakan.</0>",
-    "setup_dns_privacy_4": "Di perangkat iOS 14 atau macOS Big Sur, Anda dapat mengunduh file '.mobileconfig' khusus yang menambahkan server <highlight>DNS-over-HTTPS</highlight> atau <highlight>DNS-over-TLS</highlight> ke pengaturan DNS.",
+    "setup_dns_privacy_4": "Pada perangkat iOS 14 atau macOS Big Sur, Anda dapat mengunduh berkas khusus '.mobileconfig' yang menambahkan server <highlight>DNS melalui HTTPS</highlight> atau <highlight>DNS melalui TLS</highlight> ke pengaturan DNS.",
    "setup_dns_privacy_android_1": "Android 9 mendukung DNS-over-TLS secara asli. Untuk mengkonfigurasinya, buka Pengaturan → Jaringan & internet → Tingkat Lanjut → DNS Pribadi dan masukkan nama domain Anda di sana.",
    "setup_dns_privacy_android_2": "<0>AdGuard untuk Android</0> mendukung <1>DNS-over-HTTPS</1> dan <1>DNS-over-TLS</1>.",
    "setup_dns_privacy_android_3": "<0>Intra</0> menambahkan dukungan <1>DNS-over-HTTPS</1> untuk Android.",
@@ -517,7 +517,7 @@
    "rewrite_confirm_delete": "Apakah anda yakin ingin menghapus DNS rewrite untuk \"{{key}}\"?",
    "rewrite_desc": "Memungkinkan untuk dengan mudah mengkonfigurasi respons DNS kustom untuk nama domain tertentu.",
    "rewrite_applied": "Aturan Rewrite yang diterapkan",
-    "rewrite_hosts_applied": "Ditulis ulang oleh aturan file hosts",
+    "rewrite_hosts_applied": "Ditulis ulang oleh aturan berkas host",
    "dns_rewrites": "DNS rewrite",
    "form_domain": "Masukkan nama domain",
    "form_answer": "Masaukan alamat IP atau nama domain",
@@ -676,7 +676,7 @@
    "filter_allowlist": "PERINGATAN: Tindakan ini juga akan mengecualikan aturan \"{{disallowed_rule}}\" dari daftar klien yang diizinkan.",
    "last_rule_in_allowlist": "Tidak dapat melarang klien ini karena mengecualikan aturan \"{{disallowed_rule}}\" akan MENONAKTIFKAN daftar \"Klien yang diizinkan\".",
    "use_saved_key": "Gunakan kunci yang disimpan sebelumnya",
-    "parental_control": "Kontrol Orang Tua",
+    "parental_control": "Pengawasan Orang Tua",
    "safe_browsing": "Penjelajahan Aman",
    "served_from_cache": "{{value}} <i>(disajikan dari cache)</i>",
    "form_error_password_length": "Kata sandi harus terdiri dari {{min}} hingga {{max}}",
--- a/client/src/__locales/it.json
+++ b/client/src/__locales/it.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Utilizza il Controllo Parentale di AdGuard",
    "use_adguard_parental_hint": "AdGuard Home verificherà se il dominio contiene materiale per adulti. Utilizza le stesse API privacy-friendly del servizio web 'sicurezza di navigazione'.",
    "enforce_safe_search": "Utilizza Ricerca Sicura",
-    "enforce_save_search_hint": "AdGuard Home forzerà la ricerca sicura sui seguenti motori di ricerca: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home applicherà la ricerca sicura nei seguenti motori di ricerca: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Nessun server specificato",
    "general_settings": "Impostazioni generali",
    "dns_settings": "Impostazioni DNS",
--- a/client/src/__locales/ja.json
+++ b/client/src/__locales/ja.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "AdGuardペアレンタルコントロール・ウェブサービスを使用する",
    "use_adguard_parental_hint": "AdGuard Homeは、ドメインにアダルトコンテンツが含まれているかどうかを確認します。 ブラウジングセキュリティ・ウェブサービスと同じプライバシーに優しいAPIを使用します。",
    "enforce_safe_search": "セーフサーチを使用する",
-    "enforce_save_search_hint": "AdGuard Homeは、次の検索エンジンでセーフサーチを強制適用します: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay",
+    "enforce_save_search_hint": "AdGuard Homeは、次の検索エンジンでセーフサーチを強制適用します: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay",
    "no_servers_specified": "サーバが指定されていません",
    "general_settings": "一般設定",
    "dns_settings": "DNS設定",
--- a/client/src/__locales/ko.json
+++ b/client/src/__locales/ko.json
@@ -108,7 +108,7 @@
    "off": "OFF",
    "copyright": "Copyright",
    "homepage": "홈페이지",
-    "report_an_issue": "문제를 보고합니다",
+    "report_an_issue": "문제 신고",
    "privacy_policy": "개인정보취급방침",
    "enable_protection": "보호 활성화",
    "enabled_protection": "보호 활성화됨",
@@ -154,7 +154,7 @@
    "use_adguard_parental": "AdGuard 자녀 보호 웹 서비스 사용",
    "use_adguard_parental_hint": "AdGuard Home은 도메인에 성인 자료가 포함되어 있는지 확인합니다. 브라우징 보안 웹 서비스와 동일한 개인정보 보호 API를 사용함.",
    "enforce_safe_search": "세이프서치 사용",
-    "enforce_save_search_hint": "AdGuard Home은 Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay와 같은 검색 엔진에서 세이프서치를 시행합니다.",
+    "enforce_save_search_hint": "AdGuard Home은 Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay와 같은 검색 엔진에서 세이프서치를 시행합니다.",
    "no_servers_specified": "지정된 서버 없음",
    "general_settings": "일반 설정",
    "dns_settings": "DNS 설정",
--- a/client/src/__locales/nl.json
+++ b/client/src/__locales/nl.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Gebruik AdGuard Ouderlijk toezicht web service",
    "use_adguard_parental_hint": "AdGuard Home controleert of het domein 18+ content bevat. Dit gebeurt dmv dezelfde privacy vriendelijke API als de Browsing Security web service.",
    "enforce_safe_search": "Veilig zoeken gebruiken",
-    "enforce_save_search_hint": "AdGuard Home kan veilig zoeken forceren voor de volgende zoekmachines: Google, Youtube, Bing, en DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home dwingt veilig zoeken af in de volgende zoekmachines: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Geen servers gespecificeerd",
    "general_settings": "Algemene instellingen",
    "dns_settings": "DNS instellingen",
--- a/client/src/__locales/no.json
+++ b/client/src/__locales/no.json
@@ -128,6 +128,7 @@
    "enforced_save_search": "Påtvungede barnevennlige søk",
    "number_of_dns_query_to_safe_search": "Antall DNS-forespørsler til søkemotorer der \"Safe Search\" ble fremtvunget",
    "average_processing_time": "Gjennomsnittlig behandlingstid",
+    "response_time": "Responstid",
    "average_processing_time_hint": "Gjennomsnittstid for behandling av DNS-forespørsler i millisekunder",
    "block_domain_use_filters_and_hosts": "Blokker domener ved hjelp av filtre, «hosts»-filer, og rå domener",
    "filters_block_toggle_hint": "Du kan sette opp blokkeringsoppføringer i <a>Filtre</a>-innstillingene.",
--- a/client/src/__locales/pl.json
+++ b/client/src/__locales/pl.json
@@ -6,7 +6,7 @@
    "upstream_parallel": "Użyj zapytań równoległych, aby przyspieszyć rozwiązywanie przez jednoczesne wysyłanie zapytań do wszystkich serwerów nadrzędnych.",
    "parallel_requests": "Równoległe żądania",
    "load_balancing": "Równoważenie obciążenia",
-    "load_balancing_desc": "Wysyłaj zapytania do jednego serwera nadrzędnego na raz. AdGuard Home używa swojego losowego algorytmu ważonego, aby wybrać serwer, tak aby najszybszy serwer był używany częściej.",
+    "load_balancing_desc": "Zapytaj jeden serwer nadrzędny na raz. AdGuard Home używa ważonego, losowego algorytmu do wybierania serwerów z najmniejszą liczbą nieudanych wyszukiwań i najniższym uśrednionym czasem wyszukiwania.",
    "bootstrap_dns": "Serwery DNS Bootstrap",
    "bootstrap_dns_desc": "Adresy IP serwerów DNS używanych do rozpoznawania adresów IP programów rozpoznawania nazw DoH/DoT określonych jako nadrzędne. Komentarze są niedozwolone.",
    "fallback_dns_title": "Rezerwowe serwery DNS",
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Użyj usługi Kontrola Rodzicielska AdGuard",
    "use_adguard_parental_hint": "AdGuard Home sprawdzi, czy domena zawiera materiały dla dorosłych. Używa tego samego interfejsu API przyjaznego prywatności, co usługa sieciowa Bezpieczne Przeglądanie. ",
    "enforce_safe_search": "Użyj bezpiecznego wyszukiwania",
-    "enforce_save_search_hint": "AdGuard Home wymusza bezpieczne wyszukiwanie w następujących wyszukiwarkach: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home wymusza bezpieczne wyszukiwanie w następujących wyszukiwarkach: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Nie określono serwerów",
    "general_settings": "Ustawienia główne",
    "dns_settings": "Ustawienia DNS",
--- a/client/src/__locales/pt-br.json
+++ b/client/src/__locales/pt-br.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Usar o serviço de controle parental do AdGuard",
    "use_adguard_parental_hint": "O AdGuard Home irá verificar se o domínio contém conteúdo adulto. Ele usa a mesma API amigável de privacidade que o serviço de segurança da navegação.",
    "enforce_safe_search": "Usar pesquisa segura",
-    "enforce_save_search_hint": "O AdGuard Home forcará a pesquisa segura nos seguintes motores de busca: Google, YouTube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "O AdGuard Home forcará a pesquisa segura nos seguintes motores de busca: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Nenhum servidor especificado",
    "general_settings": "Configurações gerais",
    "dns_settings": "Configurações de DNS",
--- a/client/src/__locales/pt-pt.json
+++ b/client/src/__locales/pt-pt.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Usar o serviço de controlo parental do AdGuard",
    "use_adguard_parental_hint": "O AdGuard Home irá verificar se o domínio contém conteúdo adulto. Usa a mesma API amigável de privacidade que o serviço de segurança da navegação.",
    "enforce_safe_search": "Usar pesquisa segura",
-    "enforce_save_search_hint": "O AdGuard Home forçará a pesquisa segura nos seguintes motores de busca: Google, Youtube, Bing, DuckDuckGo, Yandex, Pixabay.",
+    "enforce_save_search_hint": "O AdGuard Home aplicará pesquisa segura nos seguintes motores de busca: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Nenhum servidor especificado",
    "general_settings": "Definições gerais",
    "dns_settings": "Definições de DNS",
--- a/client/src/__locales/ru.json
+++ b/client/src/__locales/ru.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Включить модуль Родительского контроля AdGuard ",
    "use_adguard_parental_hint": "AdGuard Home проверит, содержит ли домен материалы 18+. Он использует тот же API для обеспечения конфиденциальности, что и веб-служба безопасности браузера.",
    "enforce_safe_search": "Включить безопасный поиск",
-    "enforce_save_search_hint": "AdGuard Home может обеспечить безопасный поиск в следующих поисковых системах: Google, YouTube, Bing, DuckDuckGo, Yandex и Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home будет обеспечивать безопасный поиск в следующих поисковых системах: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Нет указанных серверов",
    "general_settings": "Основные настройки",
    "dns_settings": "Настройки DNS",
--- a/client/src/__locales/sk.json
+++ b/client/src/__locales/sk.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Použiť AdGuard službu Rodičovská kontrola",
    "use_adguard_parental_hint": "AdGuard Home skontroluje, či doména obsahuje materiály pre dospelých. Používa rovnaké API priateľské k ochrane osobných údajov ako služba Bezpečného prehliadania.",
    "enforce_safe_search": "Používať bezpečné vyhľadávanie",
-    "enforce_save_search_hint": "AdGuard Home vynucuje bezpečné vyhľadávanie v nasledujúcich vyhľadávačoch: Google, YouTube, Bing, DuckDuckGo, Yandex a Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home vynúti bezpečné vyhľadávanie v nasledujúcich vyhľadávačoch: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Neboli špecifikované žiadne servery",
    "general_settings": "Všeobecné nastavenia",
    "dns_settings": "Nastavenia DNS",
@@ -484,7 +484,7 @@
    "access_disallowed_title": "Nepovolení klienti",
    "access_disallowed_desc": "Zoznam CIDR, IP adries alebo <a>ClientID</a>. Ak tento zoznam obsahuje položky, AdGuard Home zruší dopyty od týchto klientov. Toto pole sa ignoruje, ak sú v poli Povolení klienti položky.",
    "access_blocked_title": "Nepovolené domény",
-    "access_blocked_desc": "Nesmie byť zamieňaná s filtrami. AdGuard Home zruší DNS dopyty, ktoré sa zhodujú s týmito doménami, a tieto dopyty sa nezobrazia ani v denníku dopytov. Môžete určiť presné názvy domén, zástupné znaky alebo pravidlá filtrovania URL adries, napr. \"example.org\", \"*.example.org\" alebo ||example.org^\" zodpovedajúcim spôsobom.",
+    "access_blocked_desc": "Nesmie byť zamieňaná s filtrami. AdGuard Home zruší DNS dopyty, ktoré sa zhodujú s týmito doménami, a tieto dopyty sa nezobrazia ani v denníku dopytov. Môžete určiť presné názvy domén, zástupné znaky alebo pravidlá filtrácie URL adries, napr. \"example.org\", \"*.example.org\" alebo ||example.org^\" zodpovedajúcim spôsobom.",
    "access_settings_saved": "Nastavenia prístupu úspešne uložené",
    "updates_checked": "K dispozícii je nová verzia aplikácie AdGuard Home\n",
    "updates_version_equal": "AdGuard Home je aktuálny",
--- a/client/src/__locales/th.json
+++ b/client/src/__locales/th.json
@@ -46,6 +46,7 @@
    "settings": "การตั้งค่า",
    "filters": "ตัวกรอง",
    "query_log": "บันทึกการสืบค้น",
+    "nothing_found": "ไม่พบอะไร",
    "faq": "คำถามที่พบบ่อย",
    "version": "รุ่น",
    "address": "ที่อยู่",
@@ -349,7 +350,7 @@
    "statistics_configuration": "การกำหนดค่าสถิติ",
    "statistics_retention": "การเก็บรักษาสถิติ",
    "statistics_retention_desc": "หากคุณลดค่าช่วงเวลาข้อมูลบางอย่างจะหายไป",
-    "statistics_clear": " ล้างค่าสถิติ",
+    "statistics_clear": "ล้างสถิติ",
    "statistics_clear_confirm": "คุณแน่ใจหรือไม่ว่าต้องการล้างสถิติ?",
    "statistics_retention_confirm": "คุณแน่ใจหรือไม่ว่าต้องการเปลี่ยนการเก็บรักษาสถิติ? หากคุณลดค่าช่วงเวลา ข้อมูลบางอย่างจะหายไป",
    "statistics_cleared": "สถิติได้ถูกล้างเรียบร้อยแล้ว",
@@ -390,10 +391,13 @@
    "check_title": "ตรวจสอบการกรอง",
    "check_desc": "ตรวจสอบว่าชื่อโฮสต์ถูกกรอง",
    "form_enter_host": "ป้อนชื่อโฮสต์",
-    "show_processed_responses": "การประมวลผล",
+    "show_blocked_responses": "ปิดกั้นแล้ว",
+    "show_whitelisted_responses": "รายการที่อนุญาต",
+    "show_processed_responses": "ประมวลผลแล้ว",
    "blocked_adult_websites": "ถูกปิดกั้นโดยการควบคุมของผู้ปกครอง",
    "safe_search": "ค้นหาอย่างปลอดภัย",
    "blocklist": "บัญชีดำ",
+    "allowed": "รายการที่อนุญาต",
    "filter_category_other": "อื่น ๆ",
    "parental_control": "ควบคุมโดยผู้ปกครอง",
    "sunday_short": "อาทิตย์",
--- a/client/src/__locales/tr.json
+++ b/client/src/__locales/tr.json
@@ -68,7 +68,7 @@
    "ip": "IP",
    "dhcp_table_hostname": "Ana makine Adı",
    "dhcp_table_expires": "Bitiş tarihi",
-    "dhcp_warning": "DHCP sunucusunu yine de etkinleştirmek istiyorsanız, ağınızda başka aktif DHCP sunucusu olmadığından emin olun, aksi takdirde ağa bağlı cihazların İnternet bağlantısı kesilebilir!",
+    "dhcp_warning": "DHCP sunucusunu yine de etkinleştirmek istiyorsanız, ağınızda başka aktif DHCP sunucusu olmadığından emin olun, aksi takdirde ağa bağlı cihazların internet bağlantısı kesilebilir!",
    "dhcp_error": "AdGuard Home, ağda başka bir etkin DHCP sunucusu olup olmadığını belirleyemedi",
    "dhcp_static_ip_error": "DHCP sunucusunu kullanmak için sabit bir IP adresi ayarlanmalıdır. AdGuard Home, bu ağ arayüzünün sabit bir IP adresi kullanılarak yapılandırılıp yapılandırılmadığını belirleyemedi. Lütfen sabit IP adresini elle ayarlayın.",
    "dhcp_dynamic_ip_found": "Sisteminiz, <0>{{interfaceName}}</0> arayüzü için dinamik IP adresi yapılandırması kullanıyor. DHCP sunucusunu kullanmak için sabit bir IP adresi ayarlanmalıdır. Geçerli olan IP adresiniz <0>{{ipAddress}}</0>. \"DHCP sunucusunu etkinleştir\" düğmesine basarsanız, AdGuard Home bu IP adresini otomatik bir şekilde sabit olarak ayarlayacaktır.",
@@ -154,7 +154,7 @@
    "use_adguard_parental": "AdGuard ebeveyn denetimi web hizmetini kullan",
    "use_adguard_parental_hint": "AdGuard Home, alan adının yetişkin içerik bulundurup bulundurmadığını kontrol eder. Gezinti koruması web hizmeti ile kullandığımız aynı gizlilik dostu API'yi kullanır.",
    "enforce_safe_search": "Güvenli Aramayı kullan",
-    "enforce_save_search_hint": "AdGuard Home, şu arama motorlarında güvenli aramayı uygular: Google, YouTube, Bing, DuckDuckGo, Yandex ve Pixabay.",
+    "enforce_save_search_hint": "AdGuard Home, şu arama motorlarında güvenli aramayı uygular: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Sunucu belirtilmedi",
    "general_settings": "Genel ayarlar",
    "dns_settings": "DNS ayarları",
@@ -476,7 +476,7 @@
    "client_confirm_delete": "\"{{key}}\" istemcisini silmek istediğinizden emin misiniz?",
    "list_confirm_delete": "Bu listeyi silmek istediğinizden emin misiniz?",
    "auto_clients_title": "Çalışma zamanı istemcileri",
-    "auto_clients_desc": "AdGuard Home'u kullanan veya kullanabilecek cihazların IP adresleri hakkında bilgiler. Bu bilgiler, hosts dosyaları, ters DNS, vb. dahil olmak üzere çeşitli kaynaklardan toplanır.",
+    "auto_clients_desc": "AdGuard Home'u kullanan veya kullanabilecek cihazların IP adresleri hakkında bilgiler. Bu bilgiler, hosts dosyaları, ters DNS, vb. dâhil olmak üzere çeşitli kaynaklardan toplanır.",
    "access_title": "Erişim ayarları",
    "access_desc": "AdGuard Home DNS sunucusu için erişim kurallarını buradan yapılandırabilirsiniz",
    "access_allowed_title": "İzin verilen istemciler",
@@ -603,7 +603,7 @@
    "autofix_warning_list": "Bu görevleri gerçekleştirir: <0>Sistem DNSStubListener'ı devre dışı bırakın</0> <0>DNS sunucusu adresini 127.0.0.1 olarak ayarlayın</0> <0>/etc/resolv.conf'un sembolik bağlantı hedefini /run/systemd/resolve/resolv.conf ile değiştirin<0> <0>DNSStubListener'ı durdurun (systemd çözümlenmiş hizmeti yeniden yükleyin)</0>",
    "autofix_warning_result": "Sonuç olarak, sisteminizden gelen tüm DNS istekleri varsayılan olarak AdGuard Home tarafından işlenecektir.",
    "tags_title": "Etiketler",
-    "tags_desc": "İstemciye karşılık gelen etiketleri seçebilirsiniz. Etiketleri daha kesin olarak uygulamak için filtreleme kurallarına dahil edin. <0>Daha fazla bilgi edinin</0>.",
+    "tags_desc": "İstemciye karşılık gelen etiketleri seçebilirsiniz. Etiketleri daha kesin olarak uygulamak için filtreleme kurallarına dâhil edin. <0>Daha fazla bilgi edinin</0>.",
    "form_select_tags": "İstemci etiketlerini seçin",
    "check_title": "Filtrelemeyi denetleyin",
    "check_desc": "Ana makine adının filtreleme durumunu kontrol edin.",
--- a/client/src/__locales/vi.json
+++ b/client/src/__locales/vi.json
@@ -6,21 +6,21 @@
    "upstream_parallel": "Sử dụng truy vấn song song để tăng tốc độ giải quyết bằng cách truy vấn đồng thời tất cả các máy chủ ngược tuyến",
    "parallel_requests": "Yêu cầu song song",
    "load_balancing": "Cân bằng tải",
-    "load_balancing_desc": "Chỉ truy xuất một máy chủ trong cùng thời điểm. AdGuard Home sẽ sử dụng thuật toán trọng số ngẫu nhiên để chọn một máy chủ nhanh nhất và sử dụng máy chủ đó thường xuyên hơn.",
+    "load_balancing_desc": "Truy vấn một máy chủ thượng nguồn tại một thời điểm. AdGuard Home sử dụng thuật toán ngẫu nhiên có trọng số để chọn máy chủ có số lần tìm kiếm không thành công thấp nhất và thời gian tìm kiếm trung bình thấp nhất.",
    "bootstrap_dns": "Máy chủ DNS Bootstrap",
    "bootstrap_dns_desc": "Địa chỉ IP của máy chủ DNS được sử dụng để phân giải địa chỉ IP của trình phân giải DoH/DoT mà bạn chỉ định làm thượng nguồn. Bình luận không được phép.",
    "fallback_dns_title": "Máy chủ DNS dự phòng",
    "fallback_dns_desc": "Danh sách máy chủ DNS dự phòng được sử dụng khi máy chủ DNS ngược tuyến không phản hồi. Cú pháp tương tự như trong trường ngược dòng chính ở trên.",
    "fallback_dns_placeholder": "Nhập một máy chủ DNS dự phòng trên mỗi dòng",
    "local_ptr_title": "Máy chủ DNS riêng tư",
-    "local_ptr_desc": "Máy chủ DNS hoặc các máy chủ mà AdGuard Home sẽ sử dụng cho các truy vấn về tài nguyên được phân phối cục bộ. Ví dụ: máy chủ này sẽ được sử dụng để phân giải tên máy khách của máy khách cho các máy khách có địa chỉ IP riêng. Nếu không được cài đặt, AdGuard Home sẽ tự động sử dụng trình phân giải DNS mặc định của bạn.",
+    "local_ptr_desc": "Máy chủ DNS được AdGuard Home sử dụng cho các yêu cầu PTR, SOA và NS riêng tư. Một yêu cầu được coi là riêng tư nếu nó yêu cầu một miền ARPA chứa một mạng con trong phạm vi IP riêng tư (chẳng hạn như \"192.168.12.34\") và đến từ một máy khách có địa chỉ IP riêng tư. Nếu không được thiết lập, các trình phân giải DNS mặc định của hệ điều hành của bạn sẽ được sử dụng, ngoại trừ các địa chỉ IP của AdGuard Home.",
    "local_ptr_default_resolver": "Theo mặc định, AdGuard Home sử dụng các hệ thống phân giải tên miền ngược sau: {{ip}}.",
    "local_ptr_no_default_resolver": "AdGuard Home không thể xác định hệ thống phân giải tên miền ngược riêng phù hợp cho hệ thống này.",
    "local_ptr_placeholder": "Nhập một địa chỉ IP trên mỗi dòng",
    "resolve_clients_title": "Kích hoạt cho phép phân giải ngược về địa chỉ IP của máy khách",
    "resolve_clients_desc": "Nếu được bật, AdGuard Home sẽ cố gắng phân giải ngược lại địa chỉ IP của khách hàng thành tên máy chủ của họ bằng cách gửi các truy vấn PTR tới trình phân giải tương ứng (máy chủ DNS riêng cho máy khách cục bộ, máy chủ ngược dòng cho máy khách có địa chỉ IP công cộng).",
    "use_private_ptr_resolvers_title": "Sử dụng trình rDNS riêng tư",
-    "use_private_ptr_resolvers_desc": "Thực hiện tra cứu ngược DNS cho các địa chỉ được phân phối cục bộ bằng cách sử dụng các máy chủ nguồn. Nếu bị vô hiệu hóa, AdGuard Home sẽ phản hồi với NXDOMAIN cho tất cả các yêu cầu PTR ngoại trừ các ứng dụng khách được biết đến bởi DHCP, / etc / hosts, v. v.",
+    "use_private_ptr_resolvers_desc": "Giải quyết các yêu cầu PTR, SOA và NS cho các miền ARPA chứa địa chỉ IP riêng thông qua máy chủ thượng nguồn riêng, DHCP, /etc/hosts, v. v. Nếu bị vô hiệu hóa, AdGuard Home sẽ phản hồi tất cả các yêu cầu đó bằng NXDOMAIN.",
    "check_dhcp_servers": "Kiểm tra máy chủ DHCP",
    "save_config": "Lưu thiết lập",
    "enabled_dhcp": "Máy chủ DHCP đã kích hoạt",
@@ -154,7 +154,7 @@
    "use_adguard_parental": "Sử dụng dịch vụ quản lý của phụ huynh AdGuard",
    "use_adguard_parental_hint": "AdGuard Home sẽ kiểm tra nếu tên miền chứa từ khoá người lớn. Tính năng sử dụng API thân thiện với quyền riêng tư tương tự với dịch vụ bảo vệ duyệt web",
    "enforce_safe_search": "Bắt buộc tìm kiếm an toàn",
-    "enforce_save_search_hint": "AdGuard Home có thể bắt buộc tìm kiếm an toàn với các dịch vụ tìm kiếm: Google, Youtube, Bing, Yandex.",
+    "enforce_save_search_hint": "AdGuard Home sẽ thực thi tìm kiếm an toàn trong các công cụ tìm kiếm sau: Google, YouTube, Bing, DuckDuckGo, Ecosia, Yandex, Pixabay.",
    "no_servers_specified": "Không có máy chủ nào được liệt kê",
    "general_settings": "Cài đặt chung",
    "dns_settings": "Cài đặt DNS",
@@ -425,6 +425,9 @@
    "encryption_hostnames": "Tên máy chủ",
    "encryption_reset": "Bạn có chắc chắn muốn đặt lại cài đặt mã hóa?",
    "encryption_warning": "Cảnh báo",
+    "encryption_plain_dns_enable": "Kích hoạt DNS đơn giản",
+    "encryption_plain_dns_desc": "DNS đơn giản được bật theo mặc định. Bạn có thể vô hiệu hóa nó để buộc tất cả các thiết bị sử dụng DNS được mã hóa. Để thực hiện việc này, bạn phải kích hoạt ít nhất một giao thức DNS được mã hóa",
+    "encryption_plain_dns_error": "Để tắt DNS đơn giản, hãy bật ít nhất một giao thức DNS được mã hóa",
    "topline_expiring_certificate": "Chứng chỉ SSL của bạn sắp hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
    "topline_expired_certificate": "Chứng chỉ SSL của bạn đã hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
    "form_error_port_range": "Nhập giá trị cổng trong phạm vi 80-65535",
@@ -675,7 +678,7 @@
    "use_saved_key": "Sử dụng khóa đã lưu trước đó",
    "parental_control": "Quản lý của phụ huynh",
    "safe_browsing": "Duyệt web an toàn",
-    "served_from_cache": "{{value}} <i>(được phục vụ từ bộ nhớ cache)</i>",
+    "served_from_cache_label": "Được phục vụ từ bộ nhớ đệm",
    "form_error_password_length": "Mật khẩu phải dài từ {{min}} đến {{max}} ký tự",
    "anonymizer_notification": "<0> Lưu ý:</0> Tính năng ẩn danh IP được bật. Bạn có thể tắt nó trong <1> Cài đặt chung</1>.",
    "confirm_dns_cache_clear": "Bạn có chắc chắn muốn xóa bộ đệm ẩn DNS không?",
--- a/client/src/__locales/zh-cn.json
+++ b/client/src/__locales/zh-cn.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "使用 AdGuard 【家长控制】服务",
    "use_adguard_parental_hint": "AdGuard Home 将使用与浏览安全服务相同的隐私性强的 API 来检查域名指向的网站是否包含成人内容。",
    "enforce_safe_search": "使用安全搜索",
-    "enforce_save_search_hint": "AdGuard Home 对以下搜索引擎可强制启用安全搜索：Google、YouTube、Bing、DuckDuckGo、Yandex、Pixabay。",
+    "enforce_save_search_hint": "AdGuard Home 将会在下列搜索引擎中强制启用安全搜索：Google、YouTube、Bing、DuckDuckGo、Ecosia、Yandex、Pixabay。",
    "no_servers_specified": "未找到指定的服务器",
    "general_settings": "常规设置",
    "dns_settings": "DNS 设置",
--- a/client/src/__locales/zh-tw.json
+++ b/client/src/__locales/zh-tw.json
@@ -154,7 +154,7 @@
    "use_adguard_parental": "使用 AdGuard 家長控制之網路服務",
    "use_adguard_parental_hint": "AdGuard Home 將檢查網域是否包含成人資料。它使用如同瀏覽安全網路服務一樣之對隱私友好的應用程式介面（API）。",
    "enforce_safe_search": "使用安全搜尋",
-    "enforce_save_search_hint": "AdGuard Home 將在下列的搜尋引擎：Google、YouTube、Bing、DuckDuckGo、Yandex 和 Pixabay 中強制執行安全搜尋。",
+    "enforce_save_search_hint": "AdGuard Home 將在下列的搜尋引擎：Google、YouTube、Bing、DuckDuckGo、Ecosia、Yandex 和 Pixabay 中強制執行安全搜尋。",
    "no_servers_specified": "無已明確指定的伺服器",
    "general_settings": "一般設定",
    "dns_settings": "DNS 設定",
--- a/client/src/helpers/filters/filters.ts
+++ b/client/src/helpers/filters/filters.ts
@@ -256,6 +256,12 @@ export default {
            "homepage": "https://github.com/hagezi/dns-blocklists",
            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt"
        },
+        "hagezi_xiaomi_tracking_blocklist": {
+            "name": "HaGeZi's Xiaomi Tracker Blocklist",
+            "categoryId": "other",
+            "homepage": "https://github.com/hagezi/dns-blocklists",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_60.txt"
+        },
        "no_google": {
            "name": "No Google",
            "categoryId": "other",
--- a/client/src/helpers/trackers/trackers.json
+++ b/client/src/helpers/trackers/trackers.json
--- a/go.mod
+++ b/go.mod
@@ -1,10 +1,10 @@
 module github.com/AdguardTeam/AdGuardHome

-go 1.23.1
+go 1.23.2

 require (
-	github.com/AdguardTeam/dnsproxy v0.73.0
-	github.com/AdguardTeam/golibs v0.26.0
+	github.com/AdguardTeam/dnsproxy v0.73.2
+	github.com/AdguardTeam/golibs v0.27.0
 	github.com/AdguardTeam/urlfilter v0.19.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.3.0
@@ -28,7 +28,7 @@ require (
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
 	github.com/miekg/dns v1.1.61
-	github.com/quic-go/quic-go v0.44.0
+	github.com/quic-go/quic-go v0.47.0
 	github.com/stretchr/testify v1.9.0
 	github.com/ti-mo/netfilter v0.5.2
 	go.etcd.io/bbolt v1.3.10
@@ -55,7 +55,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
@@ -64,3 +64,6 @@ require (
 	golang.org/x/tools v0.24.0 // indirect
 	gonum.org/v1/gonum v0.15.0 // indirect
 )
+
+// TODO(a.garipov): Remove once https://github.com/quic-go/quic-go/pull/4685 is merged.
+replace github.com/quic-go/quic-go => github.com/ainar-g/quic-go v0.0.0-20240930125330-446bd86056fd
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
-github.com/AdguardTeam/dnsproxy v0.73.0 h1:E1fxzosMqExZH8h7OJnKXLxyktcAFRJapLF4+nKULms=
-github.com/AdguardTeam/dnsproxy v0.73.0/go.mod h1:ZcvmyQY2EiX5B0yCTkiYTgtm+1lBWA0lajbEI9dOhW4=
-github.com/AdguardTeam/golibs v0.26.0 h1:uLL0XggEjB+87lL1tPpEAQNoKAlHDq5AyBUVWEgf63E=
-github.com/AdguardTeam/golibs v0.26.0/go.mod h1:iWdjXPCwmK2g2FKIb/OwEPnovSXeMqRhI8FWLxF5oxE=
+github.com/AdguardTeam/dnsproxy v0.73.2 h1:O6wRXzHsnWL5TkhYcuLWCShVFF0X5RFI6qUmq1ZFVsQ=
+github.com/AdguardTeam/dnsproxy v0.73.2/go.mod h1:zD5WfTctbRvYYk8PS39h6/OT84NTu6QxKbAiBN5PUcI=
+github.com/AdguardTeam/golibs v0.27.0 h1:YxCFK6HBGp/ZXp3bv5uei+oLH12UfIYB8u2rh1B6nnU=
+github.com/AdguardTeam/golibs v0.27.0/go.mod h1:iWdjXPCwmK2g2FKIb/OwEPnovSXeMqRhI8FWLxF5oxE=
 github.com/AdguardTeam/urlfilter v0.19.0 h1:q7eH13+yNETlpD/VD3u5rLQOripcUdEktqZFy+KiQLk=
 github.com/AdguardTeam/urlfilter v0.19.0/go.mod h1:+N54ZvxqXYLnXuvpaUhK2exDQW+djZBRSb6F6j0rkBY=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
@@ -10,6 +10,8 @@ github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmH
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
+github.com/ainar-g/quic-go v0.0.0-20240930125330-446bd86056fd h1:mw4LqrCiv3vcKuCxBRg7kA17xfHKM+9hZgFWmyhe/AY=
+github.com/ainar-g/quic-go v0.0.0-20240930125330-446bd86056fd/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
 github.com/ameshkov/dnscrypt/v2 v2.3.0 h1:pDXDF7eFa6Lw+04C0hoMh8kCAQM8NwUdFEllSP2zNLs=
 github.com/ameshkov/dnscrypt/v2 v2.3.0/go.mod h1:N5hDwgx2cNb4Ay7AhvOSKst+eUiOZ/vbKRO9qMpQttE=
 github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
@@ -97,10 +99,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
-github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/quic-go v0.44.0 h1:So5wOr7jyO4vzL2sd8/pD9Kesciv91zSk8BoFngItQ0=
-github.com/quic-go/quic-go v0.44.0/go.mod h1:z4cx/9Ny9UtGITIPzmPTXh1ULfOyWh4qGQlpnPcWmek=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
 github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
--- a/internal/aghos/os.go
+++ b/internal/aghos/os.go
@@ -7,6 +7,7 @@ import (
 	"bufio"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path"
@@ -19,6 +20,12 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 )

+// Default file and directory permissions.
+const (
+	DefaultPermDir  fs.FileMode = 0o700
+	DefaultPermFile fs.FileMode = 0o600
+)
+
 // Unsupported is a helper that returns a wrapped [errors.ErrUnsupported].
 func Unsupported(op string) (err error) {
 	return fmt.Errorf("%s: not supported on %s: %w", op, runtime.GOOS, errors.ErrUnsupported)
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -119,8 +119,8 @@ func (r *Runtime) Info() (cs Source, host string) {
 	return cs, info[0]
 }

-// SetInfo sets a host as a client information from the cs.
-func (r *Runtime) SetInfo(cs Source, hosts []string) {
+// setInfo sets a host as a client information from the cs.
+func (r *Runtime) setInfo(cs Source, hosts []string) {
 	// TODO(s.chzhen):  Use contract where hosts must contain non-empty host.
 	if len(hosts) == 1 && hosts[0] == "" {
 		hosts = []string{}
@@ -138,13 +138,13 @@ func (r *Runtime) SetInfo(cs Source, hosts []string) {
 	}
 }

-// WHOIS returns a WHOIS client information.
+// WHOIS returns a copy of WHOIS client information.
 func (r *Runtime) WHOIS() (info *whois.Info) {
-	return r.whois
+	return r.whois.Clone()
 }

-// SetWHOIS sets a WHOIS client information.  info must be non-nil.
-func (r *Runtime) SetWHOIS(info *whois.Info) {
+// setWHOIS sets a WHOIS client information.  info must be non-nil.
+func (r *Runtime) setWHOIS(info *whois.Info) {
 	r.whois = info
 }

@@ -178,8 +178,8 @@ func (r *Runtime) Addr() (ip netip.Addr) {
 	return r.ip
 }

-// Clone returns a deep copy of the runtime client.
-func (r *Runtime) Clone() (c *Runtime) {
+// clone returns a deep copy of the runtime client.
+func (r *Runtime) clone() (c *Runtime) {
 	return &Runtime{
 		ip:        r.ip,
 		whois:     r.whois.Clone(),
--- a/internal/client/persistent.go
+++ b/internal/client/persistent.go
@@ -13,7 +13,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/safesearch"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
-	"github.com/AdguardTeam/golibs/container"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -136,7 +135,8 @@ type Persistent struct {
 }

 // validate returns an error if persistent client information contains errors.
-func (c *Persistent) validate(allTags *container.MapSet[string]) (err error) {
+// allTags must be sorted.
+func (c *Persistent) validate(allTags []string) (err error) {
 	switch {
 	case c.Name == "":
 		return errors.Error("empty name")
@@ -157,7 +157,8 @@ func (c *Persistent) validate(allTags *container.MapSet[string]) (err error) {
 	}

 	for _, t := range c.Tags {
-		if !allTags.Has(t) {
+		_, ok := slices.BinarySearch(allTags, t)
+		if !ok {
 			return fmt.Errorf("invalid tag: %q", t)
 		}
 	}
--- a/internal/client/persistent_internal_test.go
+++ b/internal/client/persistent_internal_test.go
@@ -1,11 +1,8 @@
 package client

 import (
-	"net/netip"
 	"testing"

-	"github.com/AdguardTeam/golibs/container"
-	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -125,69 +122,3 @@ func TestPersistent_EqualIDs(t *testing.T) {
 		})
 	}
 }
-
-func TestPersistent_Validate(t *testing.T) {
-	const (
-		allowedTag    = "allowed_tag"
-		notAllowedTag = "not_allowed_tag"
-	)
-
-	allowedTags := container.NewMapSet(allowedTag)
-
-	testCases := []struct {
-		name       string
-		cli        *Persistent
-		wantErrMsg string
-	}{{
-		name: "success",
-		cli: &Persistent{
-			Name: "basic",
-			IPs: []netip.Addr{
-				netip.MustParseAddr("1.2.3.4"),
-			},
-			UID: MustNewUID(),
-		},
-		wantErrMsg: "",
-	}, {
-		name: "empty_name",
-		cli: &Persistent{
-			Name: "",
-		},
-		wantErrMsg: "empty name",
-	}, {
-		name: "no_id",
-		cli: &Persistent{
-			Name: "no_id",
-		},
-		wantErrMsg: "id required",
-	}, {
-		name: "no_uid",
-		cli: &Persistent{
-			Name: "no_uid",
-			IPs: []netip.Addr{
-				netip.MustParseAddr("1.2.3.4"),
-			},
-		},
-		wantErrMsg: "uid required",
-	}, {
-		name: "not_allowed_tag",
-		cli: &Persistent{
-			Name: "basic",
-			IPs: []netip.Addr{
-				netip.MustParseAddr("1.2.3.4"),
-			},
-			UID: MustNewUID(),
-			Tags: []string{
-				notAllowedTag,
-			},
-		},
-		wantErrMsg: `invalid tag: "` + notAllowedTag + `"`,
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := tc.cli.validate(allowedTags)
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-		})
-	}
-}
--- a/internal/client/runtimeindex.go
+++ b/internal/client/runtimeindex.go
@@ -2,39 +2,34 @@ package client

 import "net/netip"

-// RuntimeIndex stores information about runtime clients.
-type RuntimeIndex struct {
+// runtimeIndex stores information about runtime clients.
+type runtimeIndex struct {
 	// index maps IP address to runtime client.
 	index map[netip.Addr]*Runtime
 }

-// NewRuntimeIndex returns initialized runtime index.
-func NewRuntimeIndex() (ri *RuntimeIndex) {
-	return &RuntimeIndex{
+// newRuntimeIndex returns initialized runtime index.
+func newRuntimeIndex() (ri *runtimeIndex) {
+	return &runtimeIndex{
 		index: map[netip.Addr]*Runtime{},
 	}
 }

-// Client returns the saved runtime client by ip.  If no such client exists,
+// client returns the saved runtime client by ip.  If no such client exists,
 // returns nil.
-func (ri *RuntimeIndex) Client(ip netip.Addr) (rc *Runtime) {
+func (ri *runtimeIndex) client(ip netip.Addr) (rc *Runtime) {
 	return ri.index[ip]
 }

-// Add saves the runtime client in the index.  IP address of a client must be
+// add saves the runtime client in the index.  IP address of a client must be
 // unique.  See [Runtime.Client].  rc must not be nil.
-func (ri *RuntimeIndex) Add(rc *Runtime) {
+func (ri *runtimeIndex) add(rc *Runtime) {
 	ip := rc.Addr()
 	ri.index[ip] = rc
 }

-// Size returns the number of the runtime clients.
-func (ri *RuntimeIndex) Size() (n int) {
-	return len(ri.index)
-}
-
-// Range calls f for each runtime client in an undefined order.
-func (ri *RuntimeIndex) Range(f func(rc *Runtime) (cont bool)) {
+// rangeClients calls f for each runtime client in an undefined order.
+func (ri *runtimeIndex) rangeClients(f func(rc *Runtime) (cont bool)) {
 	for _, rc := range ri.index {
 		if !f(rc) {
 			return
@@ -42,17 +37,31 @@ func (ri *RuntimeIndex) Range(f func(rc *Runtime) (cont bool)) {
 	}
 }

-// Delete removes the runtime client by ip.
-func (ri *RuntimeIndex) Delete(ip netip.Addr) {
-	delete(ri.index, ip)
+// setInfo sets the client information from cs for runtime client stored by ip.
+// If no such client exists, it creates one.
+func (ri *runtimeIndex) setInfo(ip netip.Addr, cs Source, hosts []string) (rc *Runtime) {
+	rc = ri.index[ip]
+	if rc == nil {
+		rc = NewRuntime(ip)
+		ri.add(rc)
+	}
+
+	rc.setInfo(cs, hosts)
+
+	return rc
 }

-// DeleteBySource removes all runtime clients that have information only from
-// the specified source and returns the number of removed clients.
-func (ri *RuntimeIndex) DeleteBySource(src Source) (n int) {
-	for ip, rc := range ri.index {
+// clearSource removes information from the specified source from all clients.
+func (ri *runtimeIndex) clearSource(src Source) {
+	for _, rc := range ri.index {
 		rc.unset(src)
+	}
+}

+// removeEmpty removes empty runtime clients and returns the number of removed
+// clients.
+func (ri *runtimeIndex) removeEmpty() (n int) {
+	for ip, rc := range ri.index {
 		if rc.isEmpty() {
 			delete(ri.index, ip)
 			n++
--- a/internal/client/runtimeindex_test.go
+++ b/internal/client/runtimeindex_test.go
@@ -1,85 +0,0 @@
-package client_test
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/client"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestRuntimeIndex(t *testing.T) {
-	const cliSrc = client.SourceARP
-
-	var (
-		ip1 = netip.MustParseAddr("1.1.1.1")
-		ip2 = netip.MustParseAddr("2.2.2.2")
-		ip3 = netip.MustParseAddr("3.3.3.3")
-	)
-
-	ri := client.NewRuntimeIndex()
-	currentSize := 0
-
-	testCases := []struct {
-		ip    netip.Addr
-		name  string
-		hosts []string
-		src   client.Source
-	}{{
-		src:   cliSrc,
-		ip:    ip1,
-		name:  "1",
-		hosts: []string{"host1"},
-	}, {
-		src:   cliSrc,
-		ip:    ip2,
-		name:  "2",
-		hosts: []string{"host2"},
-	}, {
-		src:   cliSrc,
-		ip:    ip3,
-		name:  "3",
-		hosts: []string{"host3"},
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			rc := client.NewRuntime(tc.ip)
-			rc.SetInfo(tc.src, tc.hosts)
-
-			ri.Add(rc)
-			currentSize++
-
-			got := ri.Client(tc.ip)
-			assert.Equal(t, rc, got)
-		})
-	}
-
-	t.Run("size", func(t *testing.T) {
-		assert.Equal(t, currentSize, ri.Size())
-	})
-
-	t.Run("range", func(t *testing.T) {
-		s := 0
-
-		ri.Range(func(rc *client.Runtime) (cont bool) {
-			s++
-
-			return true
-		})
-
-		assert.Equal(t, currentSize, s)
-	})
-
-	t.Run("delete", func(t *testing.T) {
-		ri.Delete(ip1)
-		currentSize--
-
-		assert.Equal(t, currentSize, ri.Size())
-	})
-
-	t.Run("delete_by_src", func(t *testing.T) {
-		assert.Equal(t, currentSize, ri.DeleteBySource(cliSrc))
-		assert.Equal(t, 0, ri.Size())
-	})
-}
--- a/internal/client/storage.go
+++ b/internal/client/storage.go
@@ -1,30 +1,113 @@
 package client

 import (
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"slices"
 	"sync"
+	"time"

-	"github.com/AdguardTeam/golibs/container"
+	"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
+	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/hostsfile"
 	"github.com/AdguardTeam/golibs/log"
 )

-// Config is the client storage configuration structure.
-//
-// TODO(s.chzhen):  Expand.
-type Config struct {
-	// AllowedTags is a list of all allowed client tags.
-	AllowedTags []string
+// allowedTags is the list of available client tags.
+var allowedTags = []string{
+	"device_audio",
+	"device_camera",
+	"device_gameconsole",
+	"device_laptop",
+	"device_nas", // Network-attached Storage
+	"device_other",
+	"device_pc",
+	"device_phone",
+	"device_printer",
+	"device_securityalarm",
+	"device_tablet",
+	"device_tv",
+
+	"os_android",
+	"os_ios",
+	"os_linux",
+	"os_macos",
+	"os_other",
+	"os_windows",
+
+	"user_admin",
+	"user_child",
+	"user_regular",
+}
+
+// DHCP is an interface for accessing DHCP lease data the [Storage] needs.
+type DHCP interface {
+	// Leases returns all the DHCP leases.
+	Leases() (leases []*dhcpsvc.Lease)
+
+	// HostByIP returns the hostname of the DHCP client with the given IP
+	// address.  host will be empty if there is no such client, due to an
+	// assumption that a DHCP client must always have a hostname.
+	HostByIP(ip netip.Addr) (host string)
+
+	// MACByIP returns the MAC address for the given IP address leased.  It
+	// returns nil if there is no such client, due to an assumption that a DHCP
+	// client must always have a MAC address.
+	MACByIP(ip netip.Addr) (mac net.HardwareAddr)
+}
+
+// EmptyDHCP is the empty [DHCP] implementation that does nothing.
+type EmptyDHCP struct{}
+
+// type check
+var _ DHCP = EmptyDHCP{}
+
+// Leases implements the [DHCP] interface for emptyDHCP.
+func (EmptyDHCP) Leases() (leases []*dhcpsvc.Lease) { return nil }
+
+// HostByIP implements the [DHCP] interface for emptyDHCP.
+func (EmptyDHCP) HostByIP(_ netip.Addr) (host string) { return "" }
+
+// MACByIP implements the [DHCP] interface for emptyDHCP.
+func (EmptyDHCP) MACByIP(_ netip.Addr) (mac net.HardwareAddr) { return nil }
+
+// HostsContainer is an interface for receiving updates to the system hosts
+// file.
+type HostsContainer interface {
+	Upd() (updates <-chan *hostsfile.DefaultStorage)
+}
+
+// StorageConfig is the client storage configuration structure.
+type StorageConfig struct {
+	// DHCP is used to match IPs against MACs of persistent clients and update
+	// [SourceDHCP] runtime client information.  It must not be nil.
+	DHCP DHCP
+
+	// EtcHosts is used to update [SourceHostsFile] runtime client information.
+	EtcHosts HostsContainer
+
+	// ARPDB is used to update [SourceARP] runtime client information.
+	ARPDB arpdb.Interface
+
+	// InitialClients is a list of persistent clients parsed from the
+	// configuration file.  Each client must not be nil.
+	InitialClients []*Persistent
+
+	// ARPClientsUpdatePeriod defines how often [SourceARP] runtime client
+	// information is updated.
+	ARPClientsUpdatePeriod time.Duration
+
+	// RuntimeSourceDHCP specifies whether to update [SourceDHCP] information
+	// of runtime clients.
+	RuntimeSourceDHCP bool
 }

 // Storage contains information about persistent and runtime clients.
 type Storage struct {
-	// allowedTags is a set of all allowed tags.
-	allowedTags *container.MapSet[string]
-
 	// mu protects indexes of persistent and runtime clients.
 	mu *sync.Mutex

@@ -32,19 +115,250 @@ type Storage struct {
 	index *index

 	// runtimeIndex contains information about runtime clients.
-	runtimeIndex *RuntimeIndex
+	runtimeIndex *runtimeIndex
+
+	// dhcp is used to update [SourceDHCP] runtime client information.
+	dhcp DHCP
+
+	// etcHosts is used to update [SourceHostsFile] runtime client information.
+	etcHosts HostsContainer
+
+	// arpDB is used to update [SourceARP] runtime client information.
+	arpDB arpdb.Interface
+
+	// done is the shutdown signaling channel.
+	done chan struct{}
+
+	// allowedTags is a sorted list of all allowed tags.  It must not be
+	// modified after initialization.
+	//
+	// TODO(s.chzhen):  Use custom type.
+	allowedTags []string
+
+	// arpClientsUpdatePeriod defines how often [SourceARP] runtime client
+	// information is updated.  It must be greater than zero.
+	arpClientsUpdatePeriod time.Duration
+
+	// runtimeSourceDHCP specifies whether to update [SourceDHCP] information
+	// of runtime clients.
+	runtimeSourceDHCP bool
 }

 // NewStorage returns initialized client storage.  conf must not be nil.
-func NewStorage(conf *Config) (s *Storage) {
-	allowedTags := container.NewMapSet(conf.AllowedTags...)
+func NewStorage(conf *StorageConfig) (s *Storage, err error) {
+	tags := slices.Clone(allowedTags)
+	slices.Sort(tags)

-	return &Storage{
-		allowedTags:  allowedTags,
-		mu:           &sync.Mutex{},
-		index:        newIndex(),
-		runtimeIndex: NewRuntimeIndex(),
+	s = &Storage{
+		allowedTags:            tags,
+		mu:                     &sync.Mutex{},
+		index:                  newIndex(),
+		runtimeIndex:           newRuntimeIndex(),
+		dhcp:                   conf.DHCP,
+		etcHosts:               conf.EtcHosts,
+		arpDB:                  conf.ARPDB,
+		done:                   make(chan struct{}),
+		arpClientsUpdatePeriod: conf.ARPClientsUpdatePeriod,
+		runtimeSourceDHCP:      conf.RuntimeSourceDHCP,
 	}
+
+	for i, p := range conf.InitialClients {
+		err = s.Add(p)
+		if err != nil {
+			return nil, fmt.Errorf("adding client %q at index %d: %w", p.Name, i, err)
+		}
+	}
+
+	s.ReloadARP()
+
+	return s, nil
+}
+
+// Start starts the goroutines for updating the runtime client information.
+//
+// TODO(s.chzhen):  Pass context.
+func (s *Storage) Start(_ context.Context) (err error) {
+	go s.periodicARPUpdate()
+	go s.handleHostsUpdates()
+
+	return nil
+}
+
+// Shutdown gracefully stops the client storage.
+//
+// TODO(s.chzhen):  Pass context.
+func (s *Storage) Shutdown(_ context.Context) (err error) {
+	close(s.done)
+
+	return s.closeUpstreams()
+}
+
+// periodicARPUpdate periodically reloads runtime clients from ARP.  It is
+// intended to be used as a goroutine.
+func (s *Storage) periodicARPUpdate() {
+	defer log.OnPanic("storage")
+
+	t := time.NewTicker(s.arpClientsUpdatePeriod)
+
+	for {
+		select {
+		case <-t.C:
+			s.ReloadARP()
+		case <-s.done:
+			return
+		}
+	}
+}
+
+// ReloadARP reloads runtime clients from ARP, if configured.
+func (s *Storage) ReloadARP() {
+	if s.arpDB != nil {
+		s.addFromSystemARP()
+	}
+}
+
+// addFromSystemARP adds the IP-hostname pairings from the output of the arp -a
+// command.
+func (s *Storage) addFromSystemARP() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if err := s.arpDB.Refresh(); err != nil {
+		s.arpDB = arpdb.Empty{}
+		log.Error("refreshing arp container: %s", err)
+
+		return
+	}
+
+	ns := s.arpDB.Neighbors()
+	if len(ns) == 0 {
+		log.Debug("refreshing arp container: the update is empty")
+
+		return
+	}
+
+	src := SourceARP
+	s.runtimeIndex.clearSource(src)
+
+	for _, n := range ns {
+		s.runtimeIndex.setInfo(n.IP, src, []string{n.Name})
+	}
+
+	removed := s.runtimeIndex.removeEmpty()
+
+	log.Debug("storage: added %d, removed %d client aliases from arp neighborhood", len(ns), removed)
+}
+
+// handleHostsUpdates receives the updates from the hosts container and adds
+// them to the clients storage.  It is intended to be used as a goroutine.
+func (s *Storage) handleHostsUpdates() {
+	if s.etcHosts == nil {
+		return
+	}
+
+	defer log.OnPanic("storage")
+
+	for {
+		select {
+		case upd, ok := <-s.etcHosts.Upd():
+			if !ok {
+				return
+			}
+
+			s.addFromHostsFile(upd)
+		case <-s.done:
+			return
+		}
+	}
+}
+
+// addFromHostsFile fills the client-hostname pairing index from the system's
+// hosts files.
+func (s *Storage) addFromHostsFile(hosts *hostsfile.DefaultStorage) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	src := SourceHostsFile
+	s.runtimeIndex.clearSource(src)
+
+	added := 0
+	hosts.RangeNames(func(addr netip.Addr, names []string) (cont bool) {
+		// Only the first name of the first record is considered a canonical
+		// hostname for the IP address.
+		//
+		// TODO(e.burkov):  Consider using all the names from all the records.
+		s.runtimeIndex.setInfo(addr, src, []string{names[0]})
+		added++
+
+		return true
+	})
+
+	removed := s.runtimeIndex.removeEmpty()
+	log.Debug("storage: added %d, removed %d client aliases from system hosts file", added, removed)
+}
+
+// type check
+var _ AddressUpdater = (*Storage)(nil)
+
+// UpdateAddress implements the [AddressUpdater] interface for *Storage
+func (s *Storage) UpdateAddress(ip netip.Addr, host string, info *whois.Info) {
+	// Common fast path optimization.
+	if host == "" && info == nil {
+		return
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if host != "" {
+		s.runtimeIndex.setInfo(ip, SourceRDNS, []string{host})
+	}
+
+	if info != nil {
+		s.setWHOISInfo(ip, info)
+	}
+}
+
+// UpdateDHCP updates [SourceDHCP] runtime client information.
+func (s *Storage) UpdateDHCP() {
+	if s.dhcp == nil || !s.runtimeSourceDHCP {
+		return
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	src := SourceDHCP
+	s.runtimeIndex.clearSource(src)
+
+	added := 0
+	for _, l := range s.dhcp.Leases() {
+		s.runtimeIndex.setInfo(l.IP, src, []string{l.Hostname})
+		added++
+	}
+
+	removed := s.runtimeIndex.removeEmpty()
+	log.Debug("storage: added %d, removed %d client aliases from dhcp", added, removed)
+}
+
+// setWHOISInfo sets the WHOIS information for a runtime client.
+func (s *Storage) setWHOISInfo(ip netip.Addr, wi *whois.Info) {
+	_, ok := s.index.findByIP(ip)
+	if ok {
+		log.Debug("storage: client for %s is already created, ignore whois info", ip)
+
+		return
+	}
+
+	rc := s.runtimeIndex.client(ip)
+	if rc == nil {
+		rc = NewRuntime(ip)
+		s.runtimeIndex.add(rc)
+	}
+
+	rc.setWHOIS(wi)
+
+	log.Debug("storage: set whois info for runtime client with ip %s: %+v", ip, wi)
 }

 // Add stores persistent client information or returns an error.
@@ -94,6 +408,9 @@ func (s *Storage) FindByName(name string) (p *Persistent, ok bool) {

 // Find finds persistent client by string representation of the client ID, IP
 // address, or MAC.  And returns its shallow copy.
+//
+// TODO(s.chzhen):  Accept ClientIDData structure instead, which will contain
+// the parsed IP address, if any.
 func (s *Storage) Find(id string) (p *Persistent, ok bool) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -103,6 +420,16 @@ func (s *Storage) Find(id string) (p *Persistent, ok bool) {
 		return p.ShallowClone(), ok
 	}

+	ip, err := netip.ParseAddr(id)
+	if err != nil {
+		return nil, false
+	}
+
+	foundMAC := s.dhcp.MACByIP(ip)
+	if foundMAC != nil {
+		return s.FindByMAC(foundMAC)
+	}
+
 	return nil, false
 }

@@ -130,11 +457,9 @@ func (s *Storage) FindLoose(ip netip.Addr, id string) (p *Persistent, ok bool) {
 	return nil, false
 }

-// FindByMAC finds persistent client by MAC and returns its shallow copy.
+// FindByMAC finds persistent client by MAC and returns its shallow copy.  s.mu
+// is expected to be locked.
 func (s *Storage) FindByMAC(mac net.HardwareAddr) (p *Persistent, ok bool) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
 	p, ok = s.index.findByMAC(mac)
 	if ok {
 		return p.ShallowClone(), ok
@@ -216,8 +541,8 @@ func (s *Storage) Size() (n int) {
 	return s.index.size()
 }

-// CloseUpstreams closes upstream configurations of persistent clients.
-func (s *Storage) CloseUpstreams() (err error) {
+// closeUpstreams closes upstream configurations of persistent clients.
+func (s *Storage) closeUpstreams() (err error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()

@@ -226,89 +551,27 @@ func (s *Storage) CloseUpstreams() (err error) {

 // ClientRuntime returns a copy of the saved runtime client by ip.  If no such
 // client exists, returns nil.
-//
-// TODO(s.chzhen):  Use it.
 func (s *Storage) ClientRuntime(ip netip.Addr) (rc *Runtime) {
 	s.mu.Lock()
 	defer s.mu.Unlock()

-	return s.runtimeIndex.Client(ip)
-}
-
-// UpdateRuntime updates the stored runtime client with information from rc.  If
-// no such client exists, saves the copy of rc in storage.  rc must not be nil.
-func (s *Storage) UpdateRuntime(rc *Runtime) (added bool) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	return s.updateRuntimeLocked(rc)
-}
-
-// updateRuntimeLocked updates the stored runtime client with information from
-// rc.  rc must not be nil.  Storage.mu is expected to be locked.
-func (s *Storage) updateRuntimeLocked(rc *Runtime) (added bool) {
-	stored := s.runtimeIndex.Client(rc.ip)
-	if stored == nil {
-		s.runtimeIndex.Add(rc.Clone())
-
-		return true
+	rc = s.runtimeIndex.client(ip)
+	if rc != nil {
+		return rc.clone()
 	}

-	if rc.whois != nil {
-		stored.whois = rc.whois.Clone()
+	if !s.runtimeSourceDHCP {
+		return nil
 	}

-	if rc.arp != nil {
-		stored.arp = slices.Clone(rc.arp)
+	host := s.dhcp.HostByIP(ip)
+	if host == "" {
+		return nil
 	}

-	if rc.rdns != nil {
-		stored.rdns = slices.Clone(rc.rdns)
-	}
+	rc = s.runtimeIndex.setInfo(ip, SourceDHCP, []string{host})

-	if rc.dhcp != nil {
-		stored.dhcp = slices.Clone(rc.dhcp)
-	}
-
-	if rc.hostsFile != nil {
-		stored.hostsFile = slices.Clone(rc.hostsFile)
-	}
-
-	return false
-}
-
-// BatchUpdateBySource updates the stored runtime clients information from the
-// specified source and returns the number of added and removed clients.
-func (s *Storage) BatchUpdateBySource(src Source, rcs []*Runtime) (added, removed int) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	for _, rc := range s.runtimeIndex.index {
-		rc.unset(src)
-	}
-
-	for _, rc := range rcs {
-		if s.updateRuntimeLocked(rc) {
-			added++
-		}
-	}
-
-	for ip, rc := range s.runtimeIndex.index {
-		if rc.isEmpty() {
-			delete(s.runtimeIndex.index, ip)
-			removed++
-		}
-	}
-
-	return added, removed
-}
-
-// SizeRuntime returns the number of the runtime clients.
-func (s *Storage) SizeRuntime() (n int) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	return s.runtimeIndex.Size()
+	return rc.clone()
 }

 // RangeRuntime calls f for each runtime client in an undefined order.
@@ -316,16 +579,11 @@ func (s *Storage) RangeRuntime(f func(rc *Runtime) (cont bool)) {
 	s.mu.Lock()
 	defer s.mu.Unlock()

-	s.runtimeIndex.Range(f)
+	s.runtimeIndex.rangeClients(f)
 }

-// DeleteBySource removes all runtime clients that have information only from
-// the specified source and returns the number of removed clients.
-//
-// TODO(s.chzhen):  Use it.
-func (s *Storage) DeleteBySource(src Source) (n int) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	return s.runtimeIndex.DeleteBySource(src)
+// AllowedTags returns the list of available client tags.  tags must not be
+// modified.
+func (s *Storage) AllowedTags() (tags []string) {
+	return s.allowedTags
 }
--- a/internal/client/storage_test.go
+++ b/internal/client/storage_test.go
@@ -3,23 +3,513 @@ package client_test
 import (
 	"net"
 	"net/netip"
+	"runtime"
+	"slices"
+	"sync"
 	"testing"
+	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
 	"github.com/AdguardTeam/AdGuardHome/internal/client"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
+	"github.com/AdguardTeam/golibs/hostsfile"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

+// testHostsContainer is a mock implementation of the [client.HostsContainer]
+// interface.
+type testHostsContainer struct {
+	onUpd func() (updates <-chan *hostsfile.DefaultStorage)
+}
+
+// type check
+var _ client.HostsContainer = (*testHostsContainer)(nil)
+
+// Upd implements the [client.HostsContainer] interface for *testHostsContainer.
+func (c *testHostsContainer) Upd() (updates <-chan *hostsfile.DefaultStorage) {
+	return c.onUpd()
+}
+
+// Interface stores and refreshes the network neighborhood reported by ARP
+// (Address Resolution Protocol).
+type Interface interface {
+	// Refresh updates the stored data.  It must be safe for concurrent use.
+	Refresh() (err error)
+
+	// Neighbors returnes the last set of data reported by ARP.  Both the method
+	// and it's result must be safe for concurrent use.
+	Neighbors() (ns []arpdb.Neighbor)
+}
+
+// testARPDB is a mock implementation of the [arpdb.Interface].
+type testARPDB struct {
+	onRefresh   func() (err error)
+	onNeighbors func() (ns []arpdb.Neighbor)
+}
+
+// type check
+var _ arpdb.Interface = (*testARPDB)(nil)
+
+// Refresh implements the [arpdb.Interface] interface for *testARP.
+func (c *testARPDB) Refresh() (err error) {
+	return c.onRefresh()
+}
+
+// Neighbors implements the [arpdb.Interface] interface for *testARP.
+func (c *testARPDB) Neighbors() (ns []arpdb.Neighbor) {
+	return c.onNeighbors()
+}
+
+// testDHCP is a mock implementation of the [client.DHCP].
+type testDHCP struct {
+	OnLeases func() (leases []*dhcpsvc.Lease)
+	OnHostBy func(ip netip.Addr) (host string)
+	OnMACBy  func(ip netip.Addr) (mac net.HardwareAddr)
+}
+
+// type check
+var _ client.DHCP = (*testDHCP)(nil)
+
+// Lease implements the [client.DHCP] interface for *testDHCP.
+func (t *testDHCP) Leases() (leases []*dhcpsvc.Lease) { return t.OnLeases() }
+
+// HostByIP implements the [client.DHCP] interface for *testDHCP.
+func (t *testDHCP) HostByIP(ip netip.Addr) (host string) { return t.OnHostBy(ip) }
+
+// MACByIP implements the [client.DHCP] interface for *testDHCP.
+func (t *testDHCP) MACByIP(ip netip.Addr) (mac net.HardwareAddr) { return t.OnMACBy(ip) }
+
+// compareRuntimeInfo is a helper function that returns true if the runtime
+// client has provided info.
+func compareRuntimeInfo(rc *client.Runtime, src client.Source, host string) (ok bool) {
+	s, h := rc.Info()
+	if s != src {
+		return false
+	} else if h != host {
+		return false
+	}
+
+	return true
+}
+
+func TestStorage_Add_hostsfile(t *testing.T) {
+	var (
+		cliIP1   = netip.MustParseAddr("1.1.1.1")
+		cliName1 = "client_one"
+
+		cliIP2   = netip.MustParseAddr("2.2.2.2")
+		cliName2 = "client_two"
+	)
+
+	hostCh := make(chan *hostsfile.DefaultStorage)
+	h := &testHostsContainer{
+		onUpd: func() (updates <-chan *hostsfile.DefaultStorage) { return hostCh },
+	}
+
+	storage, err := client.NewStorage(&client.StorageConfig{
+		DHCP:                   client.EmptyDHCP{},
+		EtcHosts:               h,
+		ARPClientsUpdatePeriod: testTimeout / 10,
+	})
+	require.NoError(t, err)
+
+	err = storage.Start(testutil.ContextWithTimeout(t, testTimeout))
+	require.NoError(t, err)
+
+	testutil.CleanupAndRequireSuccess(t, func() (err error) {
+		return storage.Shutdown(testutil.ContextWithTimeout(t, testTimeout))
+	})
+
+	t.Run("add_hosts", func(t *testing.T) {
+		var s *hostsfile.DefaultStorage
+		s, err = hostsfile.NewDefaultStorage()
+		require.NoError(t, err)
+
+		s.Add(&hostsfile.Record{
+			Addr:  cliIP1,
+			Names: []string{cliName1},
+		})
+
+		testutil.RequireSend(t, hostCh, s, testTimeout)
+
+		require.Eventually(t, func() (ok bool) {
+			cli1 := storage.ClientRuntime(cliIP1)
+			if cli1 == nil {
+				return false
+			}
+
+			assert.True(t, compareRuntimeInfo(cli1, client.SourceHostsFile, cliName1))
+
+			return true
+		}, testTimeout, testTimeout/10)
+	})
+
+	t.Run("update_hosts", func(t *testing.T) {
+		var s *hostsfile.DefaultStorage
+		s, err = hostsfile.NewDefaultStorage()
+		require.NoError(t, err)
+
+		s.Add(&hostsfile.Record{
+			Addr:  cliIP2,
+			Names: []string{cliName2},
+		})
+
+		testutil.RequireSend(t, hostCh, s, testTimeout)
+
+		require.Eventually(t, func() (ok bool) {
+			cli2 := storage.ClientRuntime(cliIP2)
+			if cli2 == nil {
+				return false
+			}
+
+			assert.True(t, compareRuntimeInfo(cli2, client.SourceHostsFile, cliName2))
+
+			cli1 := storage.ClientRuntime(cliIP1)
+			require.Nil(t, cli1)
+
+			return true
+		}, testTimeout, testTimeout/10)
+	})
+}
+
+func TestStorage_Add_arp(t *testing.T) {
+	var (
+		mu        sync.Mutex
+		neighbors []arpdb.Neighbor
+
+		cliIP1   = netip.MustParseAddr("1.1.1.1")
+		cliName1 = "client_one"
+
+		cliIP2   = netip.MustParseAddr("2.2.2.2")
+		cliName2 = "client_two"
+	)
+
+	a := &testARPDB{
+		onRefresh: func() (err error) { return nil },
+		onNeighbors: func() (ns []arpdb.Neighbor) {
+			mu.Lock()
+			defer mu.Unlock()
+
+			return neighbors
+		},
+	}
+
+	storage, err := client.NewStorage(&client.StorageConfig{
+		DHCP:                   client.EmptyDHCP{},
+		ARPDB:                  a,
+		ARPClientsUpdatePeriod: testTimeout / 10,
+	})
+	require.NoError(t, err)
+
+	err = storage.Start(testutil.ContextWithTimeout(t, testTimeout))
+	require.NoError(t, err)
+
+	testutil.CleanupAndRequireSuccess(t, func() (err error) {
+		return storage.Shutdown(testutil.ContextWithTimeout(t, testTimeout))
+	})
+
+	t.Run("add_hosts", func(t *testing.T) {
+		func() {
+			mu.Lock()
+			defer mu.Unlock()
+
+			neighbors = []arpdb.Neighbor{{
+				Name: cliName1,
+				IP:   cliIP1,
+			}}
+		}()
+
+		require.Eventually(t, func() (ok bool) {
+			cli1 := storage.ClientRuntime(cliIP1)
+			if cli1 == nil {
+				return false
+			}
+
+			assert.True(t, compareRuntimeInfo(cli1, client.SourceARP, cliName1))
+
+			return true
+		}, testTimeout, testTimeout/10)
+	})
+
+	t.Run("update_hosts", func(t *testing.T) {
+		func() {
+			mu.Lock()
+			defer mu.Unlock()
+
+			neighbors = []arpdb.Neighbor{{
+				Name: cliName2,
+				IP:   cliIP2,
+			}}
+		}()
+
+		require.Eventually(t, func() (ok bool) {
+			cli2 := storage.ClientRuntime(cliIP2)
+			if cli2 == nil {
+				return false
+			}
+
+			assert.True(t, compareRuntimeInfo(cli2, client.SourceARP, cliName2))
+
+			cli1 := storage.ClientRuntime(cliIP1)
+			require.Nil(t, cli1)
+
+			return true
+		}, testTimeout, testTimeout/10)
+	})
+}
+
+func TestStorage_Add_whois(t *testing.T) {
+	var (
+		cliIP1 = netip.MustParseAddr("1.1.1.1")
+
+		cliIP2   = netip.MustParseAddr("2.2.2.2")
+		cliName2 = "client_two"
+
+		cliIP3   = netip.MustParseAddr("3.3.3.3")
+		cliName3 = "client_three"
+	)
+
+	storage, err := client.NewStorage(&client.StorageConfig{
+		DHCP: client.EmptyDHCP{},
+	})
+	require.NoError(t, err)
+
+	whois := &whois.Info{
+		Country: "AU",
+		Orgname: "Example Org",
+	}
+
+	t.Run("new_client", func(t *testing.T) {
+		storage.UpdateAddress(cliIP1, "", whois)
+		cli1 := storage.ClientRuntime(cliIP1)
+		require.NotNil(t, cli1)
+
+		assert.Equal(t, whois, cli1.WHOIS())
+	})
+
+	t.Run("existing_runtime_client", func(t *testing.T) {
+		storage.UpdateAddress(cliIP2, cliName2, nil)
+		storage.UpdateAddress(cliIP2, "", whois)
+
+		cli2 := storage.ClientRuntime(cliIP2)
+		require.NotNil(t, cli2)
+
+		assert.True(t, compareRuntimeInfo(cli2, client.SourceRDNS, cliName2))
+
+		assert.Equal(t, whois, cli2.WHOIS())
+	})
+
+	t.Run("can't_set_persistent_client", func(t *testing.T) {
+		err = storage.Add(&client.Persistent{
+			Name: cliName3,
+			UID:  client.MustNewUID(),
+			IPs:  []netip.Addr{cliIP3},
+		})
+		require.NoError(t, err)
+
+		storage.UpdateAddress(cliIP3, "", whois)
+		rc := storage.ClientRuntime(cliIP3)
+		require.Nil(t, rc)
+	})
+}
+
+func TestClientsDHCP(t *testing.T) {
+	var (
+		cliIP1   = netip.MustParseAddr("1.1.1.1")
+		cliName1 = "one.dhcp"
+
+		cliIP2   = netip.MustParseAddr("2.2.2.2")
+		cliMAC2  = mustParseMAC("22:22:22:22:22:22")
+		cliName2 = "two.dhcp"
+
+		cliIP3   = netip.MustParseAddr("3.3.3.3")
+		cliMAC3  = mustParseMAC("33:33:33:33:33:33")
+		cliName3 = "three.dhcp"
+
+		prsCliIP   = netip.MustParseAddr("4.3.2.1")
+		prsCliMAC  = mustParseMAC("AA:AA:AA:AA:AA:AA")
+		prsCliName = "persistent.dhcp"
+	)
+
+	ipToHost := map[netip.Addr]string{
+		cliIP1: cliName1,
+	}
+	ipToMAC := map[netip.Addr]net.HardwareAddr{
+		prsCliIP: prsCliMAC,
+	}
+
+	leases := []*dhcpsvc.Lease{{
+		IP:       cliIP2,
+		Hostname: cliName2,
+		HWAddr:   cliMAC2,
+	}, {
+		IP:       cliIP3,
+		Hostname: cliName3,
+		HWAddr:   cliMAC3,
+	}}
+
+	d := &testDHCP{
+		OnLeases: func() (ls []*dhcpsvc.Lease) {
+			return leases
+		},
+		OnHostBy: func(ip netip.Addr) (host string) {
+			return ipToHost[ip]
+		},
+		OnMACBy: func(ip netip.Addr) (mac net.HardwareAddr) {
+			return ipToMAC[ip]
+		},
+	}
+
+	storage, err := client.NewStorage(&client.StorageConfig{
+		DHCP:              d,
+		RuntimeSourceDHCP: true,
+	})
+	require.NoError(t, err)
+
+	t.Run("find_runtime", func(t *testing.T) {
+		cli1 := storage.ClientRuntime(cliIP1)
+		require.NotNil(t, cli1)
+
+		assert.True(t, compareRuntimeInfo(cli1, client.SourceDHCP, cliName1))
+	})
+
+	t.Run("find_persistent", func(t *testing.T) {
+		err = storage.Add(&client.Persistent{
+			Name: prsCliName,
+			UID:  client.MustNewUID(),
+			MACs: []net.HardwareAddr{prsCliMAC},
+		})
+		require.NoError(t, err)
+
+		prsCli, ok := storage.Find(prsCliIP.String())
+		require.True(t, ok)
+
+		assert.Equal(t, prsCliName, prsCli.Name)
+	})
+
+	t.Run("leases", func(t *testing.T) {
+		delete(ipToHost, cliIP1)
+		storage.UpdateDHCP()
+
+		cli1 := storage.ClientRuntime(cliIP1)
+		require.Nil(t, cli1)
+
+		for i, l := range leases {
+			cli := storage.ClientRuntime(l.IP)
+			require.NotNil(t, cli)
+
+			src, host := cli.Info()
+			assert.Equal(t, client.SourceDHCP, src)
+			assert.Equal(t, leases[i].Hostname, host)
+		}
+	})
+
+	t.Run("range", func(t *testing.T) {
+		s := 0
+		storage.RangeRuntime(func(rc *client.Runtime) (cont bool) {
+			s++
+
+			return true
+		})
+
+		assert.Equal(t, len(leases), s)
+	})
+}
+
+func TestClientsAddExisting(t *testing.T) {
+	t.Run("simple", func(t *testing.T) {
+		storage, err := client.NewStorage(&client.StorageConfig{
+			DHCP: client.EmptyDHCP{},
+		})
+		require.NoError(t, err)
+
+		ip := netip.MustParseAddr("1.1.1.1")
+
+		// Add a client.
+		err = storage.Add(&client.Persistent{
+			Name:    "client1",
+			UID:     client.MustNewUID(),
+			IPs:     []netip.Addr{ip, netip.MustParseAddr("1:2:3::4")},
+			Subnets: []netip.Prefix{netip.MustParsePrefix("2.2.2.0/24")},
+			MACs:    []net.HardwareAddr{{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}},
+		})
+		require.NoError(t, err)
+
+		// Now add an auto-client with the same IP.
+		storage.UpdateAddress(ip, "test", nil)
+		rc := storage.ClientRuntime(ip)
+		assert.True(t, compareRuntimeInfo(rc, client.SourceRDNS, "test"))
+	})
+
+	t.Run("complicated", func(t *testing.T) {
+		// TODO(a.garipov): Properly decouple the DHCP server from the client
+		// storage.
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping dhcp test on windows")
+		}
+
+		// First, init a DHCP server with a single static lease.
+		config := &dhcpd.ServerConfig{
+			Enabled: true,
+			DataDir: t.TempDir(),
+			Conf4: dhcpd.V4ServerConf{
+				Enabled:    true,
+				GatewayIP:  netip.MustParseAddr("1.2.3.1"),
+				SubnetMask: netip.MustParseAddr("255.255.255.0"),
+				RangeStart: netip.MustParseAddr("1.2.3.2"),
+				RangeEnd:   netip.MustParseAddr("1.2.3.10"),
+			},
+		}
+
+		dhcpServer, err := dhcpd.Create(config)
+		require.NoError(t, err)
+
+		storage, err := client.NewStorage(&client.StorageConfig{
+			DHCP: dhcpServer,
+		})
+		require.NoError(t, err)
+
+		ip := netip.MustParseAddr("1.2.3.4")
+
+		err = dhcpServer.AddStaticLease(&dhcpsvc.Lease{
+			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
+			IP:       ip,
+			Hostname: "testhost",
+			Expiry:   time.Now().Add(time.Hour),
+		})
+		require.NoError(t, err)
+
+		// Add a new client with the same IP as for a client with MAC.
+		err = storage.Add(&client.Persistent{
+			Name: "client2",
+			UID:  client.MustNewUID(),
+			IPs:  []netip.Addr{ip},
+		})
+		require.NoError(t, err)
+
+		// Add a new client with the IP from the first client's IP range.
+		err = storage.Add(&client.Persistent{
+			Name: "client3",
+			UID:  client.MustNewUID(),
+			IPs:  []netip.Addr{netip.MustParseAddr("2.2.2.2")},
+		})
+		require.NoError(t, err)
+	})
+}
+
 // newStorage is a helper function that returns a client storage filled with
 // persistent clients from the m.  It also generates a UID for each client.
 func newStorage(tb testing.TB, m []*client.Persistent) (s *client.Storage) {
 	tb.Helper()

-	s = client.NewStorage(&client.Config{
-		AllowedTags: nil,
+	s, err := client.NewStorage(&client.StorageConfig{
+		DHCP: client.EmptyDHCP{},
 	})
+	require.NoError(tb, err)

 	for _, c := range m {
 		c.UID = client.MustNewUID()
@@ -31,14 +521,6 @@ func newStorage(tb testing.TB, m []*client.Persistent) (s *client.Storage) {
 	return s
 }

-// newRuntimeClient is a helper function that returns a new runtime client.
-func newRuntimeClient(ip netip.Addr, source client.Source, host string) (rc *client.Runtime) {
-	rc = client.NewRuntime(ip)
-	rc.SetInfo(source, []string{host})
-
-	return rc
-}
-
 // mustParseMAC is wrapper around [net.ParseMAC] that panics if there is an
 // error.
 func mustParseMAC(s string) (mac net.HardwareAddr) {
@@ -55,7 +537,7 @@ func TestStorage_Add(t *testing.T) {
 		existingName     = "existing_name"
 		existingClientID = "existing_client_id"

-		allowedTag    = "tag"
+		allowedTag    = "user_admin"
 		notAllowedTag = "not_allowed_tag"
 	)

@@ -73,10 +555,20 @@ func TestStorage_Add(t *testing.T) {
 		UID:       existingClientUID,
 	}

-	s := client.NewStorage(&client.Config{
-		AllowedTags: []string{allowedTag},
-	})
-	err := s.Add(existingClient)
+	s, err := client.NewStorage(&client.StorageConfig{})
+	require.NoError(t, err)
+
+	tags := s.AllowedTags()
+	require.NotZero(t, len(tags))
+	require.True(t, slices.IsSorted(tags))
+
+	_, ok := slices.BinarySearch(tags, allowedTag)
+	require.True(t, ok)
+
+	_, ok = slices.BinarySearch(tags, notAllowedTag)
+	require.False(t, ok)
+
+	err = s.Add(existingClient)
 	require.NoError(t, err)

 	testCases := []struct {
@@ -136,12 +628,43 @@ func TestStorage_Add(t *testing.T) {
 	}, {
 		name: "not_allowed_tag",
 		cli: &client.Persistent{
-			Name: "nont_allowed_tag",
+			Name: "not_allowed_tag",
 			Tags: []string{notAllowedTag},
 			IPs:  []netip.Addr{netip.MustParseAddr("4.4.4.4")},
 			UID:  client.MustNewUID(),
 		},
 		wantErrMsg: `adding client: invalid tag: "not_allowed_tag"`,
+	}, {
+		name: "allowed_tag",
+		cli: &client.Persistent{
+			Name: "allowed_tag",
+			Tags: []string{allowedTag},
+			IPs:  []netip.Addr{netip.MustParseAddr("5.5.5.5")},
+			UID:  client.MustNewUID(),
+		},
+		wantErrMsg: "",
+	}, {
+		name: "",
+		cli: &client.Persistent{
+			Name: "",
+			IPs:  []netip.Addr{netip.MustParseAddr("6.6.6.6")},
+			UID:  client.MustNewUID(),
+		},
+		wantErrMsg: "adding client: empty name",
+	}, {
+		name: "no_id",
+		cli: &client.Persistent{
+			Name: "no_id",
+			UID:  client.MustNewUID(),
+		},
+		wantErrMsg: "adding client: id required",
+	}, {
+		name: "no_uid",
+		cli: &client.Persistent{
+			Name: "no_uid",
+			IPs:  []netip.Addr{netip.MustParseAddr("7.7.7.7")},
+		},
+		wantErrMsg: "adding client: uid required",
 	}}

 	for _, tc := range testCases {
@@ -164,10 +687,10 @@ func TestStorage_RemoveByName(t *testing.T) {
 		UID:  client.MustNewUID(),
 	}

-	s := client.NewStorage(&client.Config{
-		AllowedTags: nil,
-	})
-	err := s.Add(existingClient)
+	s, err := client.NewStorage(&client.StorageConfig{})
+	require.NoError(t, err)
+
+	err = s.Add(existingClient)
 	require.NoError(t, err)

 	testCases := []struct {
@@ -191,9 +714,9 @@ func TestStorage_RemoveByName(t *testing.T) {
 	}

 	t.Run("duplicate_remove", func(t *testing.T) {
-		s = client.NewStorage(&client.Config{
-			AllowedTags: nil,
-		})
+		s, err = client.NewStorage(&client.StorageConfig{})
+		require.NoError(t, err)
+
 		err = s.Add(existingClient)
 		require.NoError(t, err)

@@ -623,157 +1146,3 @@ func TestStorage_RangeByName(t *testing.T) {
 		})
 	}
 }
-
-func TestStorage_UpdateRuntime(t *testing.T) {
-	const (
-		addedARP       = "added_arp"
-		addedSecondARP = "added_arp"
-
-		updatedARP = "updated_arp"
-
-		cliCity    = "City"
-		cliCountry = "Country"
-		cliOrgname = "Orgname"
-	)
-
-	var (
-		ip  = netip.MustParseAddr("1.1.1.1")
-		ip2 = netip.MustParseAddr("2.2.2.2")
-	)
-
-	updated := client.NewRuntime(ip)
-	updated.SetInfo(client.SourceARP, []string{updatedARP})
-
-	info := &whois.Info{
-		City:    cliCity,
-		Country: cliCountry,
-		Orgname: cliOrgname,
-	}
-	updated.SetWHOIS(info)
-
-	s := client.NewStorage(&client.Config{
-		AllowedTags: nil,
-	})
-
-	t.Run("add_arp_client", func(t *testing.T) {
-		added := client.NewRuntime(ip)
-		added.SetInfo(client.SourceARP, []string{addedARP})
-
-		require.True(t, s.UpdateRuntime(added))
-		require.Equal(t, 1, s.SizeRuntime())
-
-		got := s.ClientRuntime(ip)
-		source, host := got.Info()
-		assert.Equal(t, client.SourceARP, source)
-		assert.Equal(t, addedARP, host)
-	})
-
-	t.Run("add_second_arp_client", func(t *testing.T) {
-		added := client.NewRuntime(ip2)
-		added.SetInfo(client.SourceARP, []string{addedSecondARP})
-
-		require.True(t, s.UpdateRuntime(added))
-		require.Equal(t, 2, s.SizeRuntime())
-
-		got := s.ClientRuntime(ip2)
-		source, host := got.Info()
-		assert.Equal(t, client.SourceARP, source)
-		assert.Equal(t, addedSecondARP, host)
-	})
-
-	t.Run("update_first_client", func(t *testing.T) {
-		require.False(t, s.UpdateRuntime(updated))
-		got := s.ClientRuntime(ip)
-		require.Equal(t, 2, s.SizeRuntime())
-
-		source, host := got.Info()
-		assert.Equal(t, client.SourceARP, source)
-		assert.Equal(t, updatedARP, host)
-	})
-
-	t.Run("remove_arp_info", func(t *testing.T) {
-		n := s.DeleteBySource(client.SourceARP)
-		require.Equal(t, 1, n)
-		require.Equal(t, 1, s.SizeRuntime())
-
-		got := s.ClientRuntime(ip)
-		source, _ := got.Info()
-		assert.Equal(t, client.SourceWHOIS, source)
-		assert.Equal(t, info, got.WHOIS())
-	})
-
-	t.Run("remove_whois_info", func(t *testing.T) {
-		n := s.DeleteBySource(client.SourceWHOIS)
-		require.Equal(t, 1, n)
-		require.Equal(t, 0, s.SizeRuntime())
-	})
-}
-
-func TestStorage_BatchUpdateBySource(t *testing.T) {
-	const (
-		defSrc = client.SourceARP
-
-		cliFirstHost1   = "host1"
-		cliFirstHost2   = "host2"
-		cliUpdatedHost3 = "host3"
-		cliUpdatedHost4 = "host4"
-		cliUpdatedHost5 = "host5"
-	)
-
-	var (
-		cliFirstIP1   = netip.MustParseAddr("1.1.1.1")
-		cliFirstIP2   = netip.MustParseAddr("2.2.2.2")
-		cliUpdatedIP3 = netip.MustParseAddr("3.3.3.3")
-		cliUpdatedIP4 = netip.MustParseAddr("4.4.4.4")
-		cliUpdatedIP5 = netip.MustParseAddr("5.5.5.5")
-	)
-
-	firstClients := []*client.Runtime{
-		newRuntimeClient(cliFirstIP1, defSrc, cliFirstHost1),
-		newRuntimeClient(cliFirstIP2, defSrc, cliFirstHost2),
-	}
-
-	updatedClients := []*client.Runtime{
-		newRuntimeClient(cliUpdatedIP3, defSrc, cliUpdatedHost3),
-		newRuntimeClient(cliUpdatedIP4, defSrc, cliUpdatedHost4),
-		newRuntimeClient(cliUpdatedIP5, defSrc, cliUpdatedHost5),
-	}
-
-	s := client.NewStorage(&client.Config{
-		AllowedTags: nil,
-	})
-
-	t.Run("populate_storage_with_first_clients", func(t *testing.T) {
-		added, removed := s.BatchUpdateBySource(defSrc, firstClients)
-		require.Equal(t, len(firstClients), added)
-		require.Equal(t, 0, removed)
-		require.Equal(t, len(firstClients), s.SizeRuntime())
-
-		rc := s.ClientRuntime(cliFirstIP1)
-		src, host := rc.Info()
-		assert.Equal(t, defSrc, src)
-		assert.Equal(t, cliFirstHost1, host)
-	})
-
-	t.Run("update_storage", func(t *testing.T) {
-		added, removed := s.BatchUpdateBySource(defSrc, updatedClients)
-		require.Equal(t, len(updatedClients), added)
-		require.Equal(t, len(firstClients), removed)
-		require.Equal(t, len(updatedClients), s.SizeRuntime())
-
-		rc := s.ClientRuntime(cliUpdatedIP3)
-		src, host := rc.Info()
-		assert.Equal(t, defSrc, src)
-		assert.Equal(t, cliUpdatedHost3, host)
-
-		rc = s.ClientRuntime(cliFirstIP1)
-		assert.Nil(t, rc)
-	})
-
-	t.Run("remove_all", func(t *testing.T) {
-		added, removed := s.BatchUpdateBySource(defSrc, []*client.Runtime{})
-		require.Equal(t, 0, added)
-		require.Equal(t, len(updatedClients), removed)
-		require.Equal(t, 0, s.SizeRuntime())
-	})
-}
--- a/internal/configmigrate/configmigrate.go
+++ b/internal/configmigrate/configmigrate.go
@@ -2,4 +2,4 @@
 package configmigrate

 // LastSchemaVersion is the most recent schema version.
-const LastSchemaVersion uint = 28
+const LastSchemaVersion uint = 29
--- a/internal/configmigrate/migrations_internal_test.go
+++ b/internal/configmigrate/migrations_internal_test.go
@@ -19,6 +19,7 @@ func TestUpgradeSchema1to2(t *testing.T) {

 	m := New(&Config{
 		WorkingDir: "",
+		DataDir:    "",
 	})

 	err := m.migrateTo2(diskConf)
--- a/internal/configmigrate/migrator.go
+++ b/internal/configmigrate/migrator.go
@@ -10,20 +10,24 @@ import (

 // Config is a the configuration for initializing a [Migrator].
 type Config struct {
-	// WorkingDir is an absolute path to the working directory of AdGuardHome.
+	// WorkingDir is the absolute path to the working directory of AdGuardHome.
 	WorkingDir string
+
+	// DataDir is the absolute path to the data directory of AdGuardHome.
+	DataDir string
 }

 // Migrator performs the YAML configuration file migrations.
 type Migrator struct {
-	// workingDir is an absolute path to the working directory of AdGuardHome.
 	workingDir string
+	dataDir    string
 }

 // New creates a new Migrator.
-func New(cfg *Config) (m *Migrator) {
+func New(c *Config) (m *Migrator) {
 	return &Migrator{
-		workingDir: cfg.WorkingDir,
+		workingDir: c.WorkingDir,
+		dataDir:    c.DataDir,
 	}
 }

@@ -120,6 +124,7 @@ func (m *Migrator) upgradeConfigSchema(current, target uint, diskConf yobj) (err
 		25: migrateTo26,
 		26: migrateTo27,
 		27: migrateTo28,
+		28: m.migrateTo29,
 	}

 	for i, migrate := range upgrades[current:target] {
--- a/internal/configmigrate/migrator_test.go
+++ b/internal/configmigrate/migrator_test.go
@@ -1,9 +1,12 @@
 package configmigrate_test

 import (
+	"bytes"
 	"io/fs"
 	"os"
 	"path"
+	"path/filepath"
+	"runtime"
 	"testing"

 	"github.com/AdguardTeam/AdGuardHome/internal/configmigrate"
@@ -202,6 +205,7 @@ func TestMigrateConfig_Migrate(t *testing.T) {

 			migrator := configmigrate.New(&configmigrate.Config{
 				WorkingDir: t.Name(),
+				DataDir:    filepath.Join(t.Name(), "data"),
 			})
 			newBody, upgraded, err := migrator.Migrate(body, tc.targetVersion)
 			require.NoError(t, err)
@@ -211,3 +215,43 @@ func TestMigrateConfig_Migrate(t *testing.T) {
 		})
 	}
 }
+
+// TODO(a.garipov):  Consider ways of merging into the previous one.
+func TestMigrateConfig_Migrate_v29(t *testing.T) {
+	const (
+		pathUnix       = `/path/to/file.txt`
+		userDirPatUnix = `TestMigrateConfig_Migrate/v29/data/userfilters/*`
+
+		pathWindows       = `C:\path\to\file.txt`
+		userDirPatWindows = `TestMigrateConfig_Migrate\v29\data\userfilters\*`
+	)
+
+	pathToReplace := pathUnix
+	patternToReplace := userDirPatUnix
+	if runtime.GOOS == "windows" {
+		pathToReplace = pathWindows
+		patternToReplace = userDirPatWindows
+	}
+
+	body, err := fs.ReadFile(testdata, "TestMigrateConfig_Migrate/v29/input.yml")
+	require.NoError(t, err)
+
+	body = bytes.ReplaceAll(body, []byte("FILEPATH"), []byte(pathToReplace))
+
+	wantBody, err := fs.ReadFile(testdata, "TestMigrateConfig_Migrate/v29/output.yml")
+	require.NoError(t, err)
+
+	wantBody = bytes.ReplaceAll(wantBody, []byte("FILEPATH"), []byte(pathToReplace))
+	wantBody = bytes.ReplaceAll(wantBody, []byte("USERFILTERSPATH"), []byte(patternToReplace))
+
+	migrator := configmigrate.New(&configmigrate.Config{
+		WorkingDir: t.Name(),
+		DataDir:    "TestMigrateConfig_Migrate/v29/data",
+	})
+
+	newBody, upgraded, err := migrator.Migrate(body, 29)
+	require.NoError(t, err)
+	require.True(t, upgraded)
+
+	require.YAMLEq(t, string(wantBody), string(newBody))
+}
--- a/internal/configmigrate/testdata/TestMigrateConfig_Migrate/v29/input.yml
+++ b/internal/configmigrate/testdata/TestMigrateConfig_Migrate/v29/input.yml
@@ -0,0 +1,117 @@
+http:
+  address: 127.0.0.1:3000
+  session_ttl: 3h
+  pprof:
+    enabled: true
+    port: 6060
+users:
+- name: testuser
+  password: testpassword
+dns:
+  bind_hosts:
+  - 127.0.0.1
+  port: 53
+  parental_sensitivity: 0
+  upstream_dns:
+  - tls://1.1.1.1
+  - tls://1.0.0.1
+  - quic://8.8.8.8:784
+  bootstrap_dns:
+  - 8.8.8.8:53
+  edns_client_subnet:
+    enabled:    true
+    use_custom: false
+    custom_ip:  ""
+filtering:
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safe_search:
+    enabled:    false
+    bing:       true
+    duckduckgo: true
+    google:     true
+    pixabay:    true
+    yandex:     true
+    youtube:    true
+  protection_enabled: true
+  blocked_services:
+    schedule:
+      time_zone: Local
+    ids:
+    - 500px
+  blocked_response_ttl: 10
+filters:
+- url: https://adaway.org/hosts.txt
+  name: AdAway
+  enabled: false
+- url: FILEPATH
+  name: Local Filter
+  enabled: false
+clients:
+  persistent:
+  - name: localhost
+    ids:
+    - 127.0.0.1
+    - aa:aa:aa:aa:aa:aa
+    use_global_settings: true
+    use_global_blocked_services: true
+    filtering_enabled: false
+    parental_enabled: false
+    safebrowsing_enabled: false
+    safe_search:
+      enabled:    true
+      bing:       true
+      duckduckgo: true
+      google:     true
+      pixabay:    true
+      yandex:     true
+      youtube:    true
+    blocked_services:
+      schedule:
+        time_zone: Local
+      ids:
+      - 500px
+  runtime_sources:
+    whois: true
+    arp:   true
+    rdns:  true
+    dhcp:  true
+    hosts: true
+dhcp:
+  enabled: false
+  interface_name: vboxnet0
+  local_domain_name: local
+  dhcpv4:
+    gateway_ip: 192.168.0.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.0.10
+    range_end: 192.168.0.250
+    lease_duration: 1234
+    icmp_timeout_msec: 10
+schema_version: 28
+user_rules: []
+querylog:
+  enabled: true
+  file_enabled: true
+  interval: 720h
+  size_memory: 1000
+  ignored:
+  - '|.^'
+statistics:
+  enabled: true
+  interval: 240h
+  ignored:
+  - '|.^'
+os:
+  group: ''
+  rlimit_nofile: 123
+  user: ''
+log:
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: true
+  local_time: false
+  verbose: true
--- a/internal/configmigrate/testdata/TestMigrateConfig_Migrate/v29/output.yml
+++ b/internal/configmigrate/testdata/TestMigrateConfig_Migrate/v29/output.yml
@@ -0,0 +1,120 @@
+http:
+  address: 127.0.0.1:3000
+  session_ttl: 3h
+  pprof:
+    enabled: true
+    port: 6060
+users:
+- name: testuser
+  password: testpassword
+dns:
+  bind_hosts:
+  - 127.0.0.1
+  port: 53
+  parental_sensitivity: 0
+  upstream_dns:
+  - tls://1.1.1.1
+  - tls://1.0.0.1
+  - quic://8.8.8.8:784
+  bootstrap_dns:
+  - 8.8.8.8:53
+  edns_client_subnet:
+    enabled:    true
+    use_custom: false
+    custom_ip:  ""
+filtering:
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safe_fs_patterns:
+      - USERFILTERSPATH
+      - FILEPATH
+  safe_search:
+    enabled:    false
+    bing:       true
+    duckduckgo: true
+    google:     true
+    pixabay:    true
+    yandex:     true
+    youtube:    true
+  protection_enabled: true
+  blocked_services:
+    schedule:
+      time_zone: Local
+    ids:
+    - 500px
+  blocked_response_ttl: 10
+filters:
+- url: https://adaway.org/hosts.txt
+  name: AdAway
+  enabled: false
+- url: FILEPATH
+  name: Local Filter
+  enabled: false
+clients:
+  persistent:
+  - name: localhost
+    ids:
+    - 127.0.0.1
+    - aa:aa:aa:aa:aa:aa
+    use_global_settings: true
+    use_global_blocked_services: true
+    filtering_enabled: false
+    parental_enabled: false
+    safebrowsing_enabled: false
+    safe_search:
+      enabled:    true
+      bing:       true
+      duckduckgo: true
+      google:     true
+      pixabay:    true
+      yandex:     true
+      youtube:    true
+    blocked_services:
+      schedule:
+        time_zone: Local
+      ids:
+      - 500px
+  runtime_sources:
+    whois: true
+    arp:   true
+    rdns:  true
+    dhcp:  true
+    hosts: true
+dhcp:
+  enabled: false
+  interface_name: vboxnet0
+  local_domain_name: local
+  dhcpv4:
+    gateway_ip: 192.168.0.1
+    subnet_mask: 255.255.255.0
+    range_start: 192.168.0.10
+    range_end: 192.168.0.250
+    lease_duration: 1234
+    icmp_timeout_msec: 10
+schema_version: 29
+user_rules: []
+querylog:
+  enabled: true
+  file_enabled: true
+  interval: 720h
+  size_memory: 1000
+  ignored:
+  - '|.^'
+statistics:
+  enabled: true
+  interval: 240h
+  ignored:
+  - '|.^'
+os:
+  group: ''
+  rlimit_nofile: 123
+  user: ''
+log:
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: true
+  local_time: false
+  verbose: true
--- a/internal/configmigrate/v29.go
+++ b/internal/configmigrate/v29.go
@@ -0,0 +1,63 @@
+package configmigrate
+
+import (
+	"fmt"
+	"path/filepath"
+)
+
+// migrateTo29 performs the following changes:
+//
+//	# BEFORE:
+//	'filters':
+//	  - 'enabled': true
+//	    'url': /path/to/file.txt
+//	    'name': My FS Filter
+//	    'id': 1234
+//
+//	# AFTER:
+//	'filters':
+//	  - 'enabled': true
+//	    'url': /path/to/file.txt
+//	    'name': My FS Filter
+//	    'id': 1234
+//	# …
+//	'filtering':
+//	  'safe_fs_patterns':
+//	    - '/opt/AdGuardHome/data/userfilters/*'
+//	    - '/path/to/file.txt'
+//	  # …
+func (m Migrator) migrateTo29(diskConf yobj) (err error) {
+	diskConf["schema_version"] = 29
+
+	filterVals, ok, err := fieldVal[[]any](diskConf, "filters")
+	if !ok {
+		return err
+	}
+
+	paths := []string{
+		filepath.Join(m.dataDir, "userfilters", "*"),
+	}
+
+	for i, v := range filterVals {
+		var f yobj
+		f, ok = v.(yobj)
+		if !ok {
+			return fmt.Errorf("filters: at index %d: expected object, got %T", i, v)
+		}
+
+		var u string
+		u, ok, _ = fieldVal[string](f, "url")
+		if ok && filepath.IsAbs(u) {
+			paths = append(paths, u)
+		}
+	}
+
+	fltConf, ok, err := fieldVal[yobj](diskConf, "filtering")
+	if !ok {
+		return err
+	}
+
+	fltConf["safe_fs_patterns"] = paths
+
+	return nil
+}
--- a/internal/dhcpd/db.go
+++ b/internal/dhcpd/db.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
@@ -185,7 +186,7 @@ func writeDB(path string, leases []*dbLease) (err error) {
 		return err
 	}

-	err = maybe.WriteFile(path, buf, 0o644)
+	err = maybe.WriteFile(path, buf, aghos.DefaultPermFile)
 	if err != nil {
 		// Don't wrap the error since it's informative enough as is.
 		return err
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -584,7 +584,11 @@ func TestSafeSearch(t *testing.T) {
 			req := createTestMessage(tc.host)

 			var reply *dns.Msg
-			reply, _, err = client.Exchange(req, addr)
+			require.Eventually(t, func() (ok bool) {
+				reply, _, err = client.Exchange(req, addr)
+
+				return err == nil
+			}, testTimeout*10, testTimeout)
 			require.NoErrorf(t, err, "couldn't talk to server %s: %s", addr, err)

 			if tc.wantCNAME != "" {
--- a/internal/filtering/filter.go
+++ b/internal/filtering/filter.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghrenameio"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rulelist"
 	"github.com/AdguardTeam/golibs/container"
@@ -448,11 +449,7 @@ func (d *DNSFilter) updateIntl(flt *FilterYAML) (ok bool, err error) {

 	var res *rulelist.ParseResult

-	// Change the default 0o600 permission to something more acceptable by end
-	// users.
-	//
-	// See https://github.com/AdguardTeam/AdGuardHome/issues/3198.
-	tmpFile, err := aghrenameio.NewPendingFile(flt.Path(d.conf.DataDir), 0o644)
+	tmpFile, err := aghrenameio.NewPendingFile(flt.Path(d.conf.DataDir), aghos.DefaultPermFile)
 	if err != nil {
 		return false, err
 	}
@@ -522,6 +519,11 @@ func (d *DNSFilter) reader(fltURL string) (r io.ReadCloser, err error) {
 		return r, nil
 	}

+	fltURL = filepath.Clean(fltURL)
+	if !pathMatchesAny(d.safeFSPatterns, fltURL) {
+		return nil, fmt.Errorf("path %q does not match safe patterns", fltURL)
+	}
+
 	r, err = os.Open(fltURL)
 	if err != nil {
 		return nil, fmt.Errorf("opening file: %w", err)
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@@ -19,6 +19,7 @@ import (
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/rulelist"
 	"github.com/AdguardTeam/golibs/container"
 	"github.com/AdguardTeam/golibs/errors"
@@ -130,6 +131,10 @@ type Config struct {
 	// UserRules is the global list of custom rules.
 	UserRules []string `yaml:"-"`

+	// SafeFSPatterns are the patterns for matching which local filtering-rule
+	// files can be added.
+	SafeFSPatterns []string `yaml:"safe_fs_patterns"`
+
 	SafeBrowsingCacheSize uint `yaml:"safebrowsing_cache_size"` // (in bytes)
 	SafeSearchCacheSize   uint `yaml:"safesearch_cache_size"`   // (in bytes)
 	ParentalCacheSize     uint `yaml:"parental_cache_size"`     // (in bytes)
@@ -257,6 +262,8 @@ type DNSFilter struct {
 	refreshLock *sync.Mutex

 	hostCheckers []hostChecker
+
+	safeFSPatterns []string
 }

 // Filter represents a filter list
@@ -987,13 +994,22 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 	d = &DNSFilter{
 		idGen:                  newIDGenerator(int32(time.Now().Unix())),
 		bufPool:                syncutil.NewSlicePool[byte](rulelist.DefaultRuleBufSize),
+		safeSearch:             c.SafeSearch,
 		refreshLock:            &sync.Mutex{},
 		safeBrowsingChecker:    c.SafeBrowsingChecker,
 		parentalControlChecker: c.ParentalControlChecker,
 		confMu:                 &sync.RWMutex{},
 	}

-	d.safeSearch = c.SafeSearch
+	for i, p := range c.SafeFSPatterns {
+		// Use Match to validate the patterns here.
+		_, err = filepath.Match(p, "test")
+		if err != nil {
+			return nil, fmt.Errorf("safe_fs_patterns: at index %d: %w", i, err)
+		}
+
+		d.safeFSPatterns = append(d.safeFSPatterns, p)
+	}

 	d.hostCheckers = []hostChecker{{
 		check: d.matchSysHosts,
@@ -1022,7 +1038,7 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {

 	err = d.prepareRewrites()
 	if err != nil {
-		return nil, fmt.Errorf("rewrites: preparing: %s", err)
+		return nil, fmt.Errorf("rewrites: preparing: %w", err)
 	}

 	if d.conf.BlockedServices != nil {
@@ -1037,11 +1053,16 @@ func New(c *Config, blockFilters []Filter) (d *DNSFilter, err error) {
 		if err != nil {
 			d.Close()

-			return nil, fmt.Errorf("initializing filtering subsystem: %s", err)
+			return nil, fmt.Errorf("initializing filtering subsystem: %w", err)
 		}
 	}

-	_ = os.MkdirAll(filepath.Join(d.conf.DataDir, filterDir), 0o755)
+	err = os.MkdirAll(filepath.Join(d.conf.DataDir, filterDir), aghos.DefaultPermDir)
+	if err != nil {
+		d.Close()
+
+		return nil, fmt.Errorf("making filtering directory: %w", err)
+	}

 	d.loadFilters(d.conf.Filters)
 	d.loadFilters(d.conf.WhitelistFilters)
--- a/internal/filtering/http.go
+++ b/internal/filtering/http.go
@@ -20,14 +20,22 @@ import (
 )

 // validateFilterURL validates the filter list URL or file name.
-func validateFilterURL(urlStr string) (err error) {
+func (d *DNSFilter) validateFilterURL(urlStr string) (err error) {
 	defer func() { err = errors.Annotate(err, "checking filter: %w") }()

 	if filepath.IsAbs(urlStr) {
+		urlStr = filepath.Clean(urlStr)
 		_, err = os.Stat(urlStr)
+		if err != nil {
+			// Don't wrap the error since it's informative enough as is.
+			return err
+		}

-		// Don't wrap the error since it's informative enough as is.
-		return err
+		if !pathMatchesAny(d.safeFSPatterns, urlStr) {
+			return fmt.Errorf("path %q does not match safe patterns", urlStr)
+		}
+
+		return nil
 	}

 	u, err := url.ParseRequestURI(urlStr)
@@ -65,7 +73,7 @@ func (d *DNSFilter) handleFilteringAddURL(w http.ResponseWriter, r *http.Request
 		return
 	}

-	err = validateFilterURL(fj.URL)
+	err = d.validateFilterURL(fj.URL)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)

@@ -225,7 +233,7 @@ func (d *DNSFilter) handleFilteringSetURL(w http.ResponseWriter, r *http.Request
 		return
 	}

-	err = validateFilterURL(fj.Data.URL)
+	err = d.validateFilterURL(fj.Data.URL)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "invalid url: %s", err)

--- a/internal/filtering/path.go
+++ b/internal/filtering/path.go
@@ -0,0 +1,37 @@
+package filtering
+
+import (
+	"fmt"
+	"path/filepath"
+)
+
+// pathMatchesAny returns true if filePath matches one of globs.  globs must be
+// valid.  filePath must be absolute and clean.  If globs are empty,
+// pathMatchesAny returns false.
+//
+// TODO(a.garipov): Move to golibs?
+func pathMatchesAny(globs []string, filePath string) (ok bool) {
+	if len(globs) == 0 {
+		return false
+	}
+
+	clean, err := filepath.Abs(filePath)
+	if err != nil {
+		panic(fmt.Errorf("pathMatchesAny: %w", err))
+	} else if clean != filePath {
+		panic(fmt.Errorf("pathMatchesAny: filepath %q is not absolute", filePath))
+	}
+
+	for _, g := range globs {
+		ok, err = filepath.Match(g, filePath)
+		if err != nil {
+			panic(fmt.Errorf("pathMatchesAny: bad pattern: %w", err))
+		}
+
+		if ok {
+			return true
+		}
+	}
+
+	return false
+}
--- a/internal/filtering/path_unix_internal_test.go
+++ b/internal/filtering/path_unix_internal_test.go
@@ -0,0 +1,78 @@
+//go:build unix
+
+package filtering
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPathInAnyDir(t *testing.T) {
+	t.Parallel()
+
+	const (
+		filePath      = "/path/to/file.txt"
+		filePathGlob  = "/path/to/*"
+		otherFilePath = "/otherpath/to/file.txt"
+	)
+
+	testCases := []struct {
+		want     assert.BoolAssertionFunc
+		filePath string
+		name     string
+		globs    []string
+	}{{
+		want:     assert.False,
+		filePath: filePath,
+		name:     "nil_pats",
+		globs:    nil,
+	}, {
+		want:     assert.True,
+		filePath: filePath,
+		name:     "match",
+		globs: []string{
+			filePath,
+			otherFilePath,
+		},
+	}, {
+		want:     assert.False,
+		filePath: filePath,
+		name:     "no_match",
+		globs: []string{
+			otherFilePath,
+		},
+	}, {
+		want:     assert.True,
+		filePath: filePath,
+		name:     "match_star",
+		globs: []string{
+			filePathGlob,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			tc.want(t, pathMatchesAny(tc.globs, tc.filePath))
+		})
+	}
+
+	require.True(t, t.Run("panic_on_unabs_file_path", func(t *testing.T) {
+		t.Parallel()
+
+		assert.Panics(t, func() {
+			_ = pathMatchesAny([]string{"/home/user"}, "../../etc/passwd")
+		})
+	}))
+
+	require.True(t, t.Run("panic_on_bad_pat", func(t *testing.T) {
+		t.Parallel()
+
+		assert.Panics(t, func() {
+			_ = pathMatchesAny([]string{`\`}, filePath)
+		})
+	}))
+}
--- a/internal/filtering/path_windows_internal_test.go
+++ b/internal/filtering/path_windows_internal_test.go
@@ -0,0 +1,73 @@
+//go:build windows
+
+package filtering
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPathInAnyDir(t *testing.T) {
+	t.Parallel()
+
+	const (
+		filePath      = `C:\path\to\file.txt`
+		filePathGlob  = `C:\path\to\*`
+		otherFilePath = `C:\otherpath\to\file.txt`
+	)
+
+	testCases := []struct {
+		want     assert.BoolAssertionFunc
+		filePath string
+		name     string
+		globs    []string
+	}{{
+		want:     assert.False,
+		filePath: filePath,
+		name:     "nil_pats",
+		globs:    nil,
+	}, {
+		want:     assert.True,
+		filePath: filePath,
+		name:     "match",
+		globs: []string{
+			filePath,
+			otherFilePath,
+		},
+	}, {
+		want:     assert.False,
+		filePath: filePath,
+		name:     "no_match",
+		globs: []string{
+			otherFilePath,
+		},
+	}, {
+		want:     assert.True,
+		filePath: filePath,
+		name:     "match_star",
+		globs: []string{
+			filePathGlob,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			tc.want(t, pathMatchesAny(tc.globs, tc.filePath))
+		})
+	}
+
+	require.True(t, t.Run("panic_on_unabs_file_path", func(t *testing.T) {
+		t.Parallel()
+
+		assert.Panics(t, func() {
+			_ = pathMatchesAny([]string{`C:\home\user`}, `..\..\etc\passwd`)
+		})
+	}))
+
+	// TODO(a.garipov): See if there is anything for which filepath.Match
+	// returns ErrBadPattern on Windows.
+}
--- a/internal/filtering/rulelist/filter.go
+++ b/internal/filtering/rulelist/filter.go
@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghrenameio"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/ioutil"
@@ -196,7 +197,7 @@ func (f *Filter) readFromHTTP(
 		return "", nil, fmt.Errorf("got status code %d, want %d", resp.StatusCode, http.StatusOK)
 	}

-	fltFile, err := aghrenameio.NewPendingFile(cachePath, 0o644)
+	fltFile, err := aghrenameio.NewPendingFile(cachePath, aghos.DefaultPermFile)
 	if err != nil {
 		return "", nil, fmt.Errorf("creating temp file: %w", err)
 	}
@@ -271,7 +272,7 @@ func parseIntoCache(
 	filePath string,
 	cachePath string,
 ) (parseRes *ParseResult, err error) {
-	tmpFile, err := aghrenameio.NewPendingFile(cachePath, 0o644)
+	tmpFile, err := aghrenameio.NewPendingFile(cachePath, aghos.DefaultPermFile)
 	if err != nil {
 		return nil, fmt.Errorf("creating temp file: %w", err)
 	}
--- a/internal/filtering/servicelist.go
+++ b/internal/filtering/servicelist.go
--- a/internal/home/auth.go
+++ b/internal/home/auth.go
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -89,7 +90,7 @@ func InitAuth(
 		trustedProxies: trustedProxies,
 	}
 	var err error
-	a.db, err = bbolt.Open(dbFilename, 0o644, nil)
+	a.db, err = bbolt.Open(dbFilename, aghos.DefaultPermFile, nil)
 	if err != nil {
 		log.Error("auth: open DB: %s: %s", dbFilename, err)
 		if err.Error() == "invalid argument" {
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@@ -1,8 +1,8 @@
 package home

 import (
+	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"slices"
 	"sync"
@@ -11,7 +11,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/arpdb"
 	"github.com/AdguardTeam/AdGuardHome/internal/client"
-	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
@@ -20,47 +19,18 @@ import (
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/hostsfile"
-	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/stringutil"
 )

-// DHCP is an interface for accessing DHCP lease data the [clientsContainer]
-// needs.
-type DHCP interface {
-	// Leases returns all the DHCP leases.
-	Leases() (leases []*dhcpsvc.Lease)
-
-	// HostByIP returns the hostname of the DHCP client with the given IP
-	// address.  The address will be netip.Addr{} if there is no such client,
-	// due to an assumption that a DHCP client must always have a hostname.
-	HostByIP(ip netip.Addr) (host string)
-
-	// MACByIP returns the MAC address for the given IP address leased.  It
-	// returns nil if there is no such client, due to an assumption that a DHCP
-	// client must always have a MAC address.
-	MACByIP(ip netip.Addr) (mac net.HardwareAddr)
-}
-
 // clientsContainer is the storage of all runtime and persistent clients.
 type clientsContainer struct {
 	// storage stores information about persistent clients.
 	storage *client.Storage

-	// dhcp is the DHCP service implementation.
-	dhcp DHCP
-
 	// clientChecker checks if a client is blocked by the current access
 	// settings.
 	clientChecker BlockedClientChecker

-	// etcHosts contains list of rewrite rules taken from the operating system's
-	// hosts database.
-	etcHosts *aghnet.HostsContainer
-
-	// arpDB stores the neighbors retrieved from ARP.
-	arpDB arpdb.Interface
-
 	// lock protects all fields.
 	//
 	// TODO(a.garipov): Use a pointer and describe which fields are protected in
@@ -92,7 +62,7 @@ type BlockedClientChecker interface {
 // Note: this function must be called only once
 func (clients *clientsContainer) Init(
 	objects []*clientObject,
-	dhcpServer DHCP,
+	dhcpServer client.DHCP,
 	etcHosts *aghnet.HostsContainer,
 	arpDB arpdb.Interface,
 	filteringConf *filtering.Config,
@@ -102,26 +72,18 @@ func (clients *clientsContainer) Init(
 		return errors.Error("clients container already initialized")
 	}

-	clients.storage = client.NewStorage(&client.Config{
-		AllowedTags: clientTags,
-	})
-
-	// TODO(e.burkov):  Use [dhcpsvc] implementation when it's ready.
-	clients.dhcp = dhcpServer
-
-	clients.etcHosts = etcHosts
-	clients.arpDB = arpDB
-	err = clients.addFromConfig(objects, filteringConf)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return err
-	}
-
 	clients.safeSearchCacheSize = filteringConf.SafeSearchCacheSize
 	clients.safeSearchCacheTTL = time.Minute * time.Duration(filteringConf.CacheTime)

-	if clients.testing {
-		return nil
+	confClients := make([]*client.Persistent, 0, len(objects))
+	for i, o := range objects {
+		var p *client.Persistent
+		p, err = o.toPersistent(clients.safeSearchCacheSize, clients.safeSearchCacheTTL)
+		if err != nil {
+			return fmt.Errorf("init persistent client at index %d: %w", i, err)
+		}
+
+		confClients = append(confClients, p)
 	}

 	// The clients.etcHosts may be nil even if config.Clients.Sources.HostsFile
@@ -130,21 +92,26 @@ func (clients *clientsContainer) Init(
 	// TODO(e.burkov):  The option should probably be returned, since hosts file
 	// currently used not only for clients' information enrichment, but also in
 	// the filtering module and upstream addresses resolution.
-	if config.Clients.Sources.HostsFile && clients.etcHosts != nil {
-		go clients.handleHostsUpdates()
+	var hosts client.HostsContainer = etcHosts
+	if !config.Clients.Sources.HostsFile {
+		hosts = nil
+	}
+
+	clients.storage, err = client.NewStorage(&client.StorageConfig{
+		InitialClients:         confClients,
+		DHCP:                   dhcpServer,
+		EtcHosts:               hosts,
+		ARPDB:                  arpDB,
+		ARPClientsUpdatePeriod: arpClientsUpdatePeriod,
+		RuntimeSourceDHCP:      config.Clients.Sources.DHCP,
+	})
+	if err != nil {
+		return fmt.Errorf("init client storage: %w", err)
 	}

 	return nil
 }

-// handleHostsUpdates receives the updates from the hosts container and adds
-// them to the clients container.  It is intended to be used as a goroutine.
-func (clients *clientsContainer) handleHostsUpdates() {
-	for upd := range clients.etcHosts.Upd() {
-		clients.addFromHostsFile(upd)
-	}
-}
-
 // webHandlersRegistered prevents a [clientsContainer] from registering its web
 // handlers more than once.
 //
@@ -152,7 +119,7 @@ func (clients *clientsContainer) handleHostsUpdates() {
 var webHandlersRegistered = false

 // Start starts the clients container.
-func (clients *clientsContainer) Start() {
+func (clients *clientsContainer) Start(ctx context.Context) (err error) {
 	if clients.testing {
 		return
 	}
@@ -162,14 +129,7 @@ func (clients *clientsContainer) Start() {
 		clients.registerWebHandlers()
 	}

-	go clients.periodicUpdate()
-}
-
-// reloadARP reloads runtime clients from ARP, if configured.
-func (clients *clientsContainer) reloadARP() {
-	if clients.arpDB != nil {
-		clients.addFromSystemARP()
-	}
+	return clients.storage.Start(ctx)
 }

 // clientObject is the YAML representation of a persistent client.
@@ -208,7 +168,8 @@ type clientObject struct {

 // toPersistent returns an initialized persistent client if there are no errors.
 func (o *clientObject) toPersistent(
-	filteringConf *filtering.Config,
+	safeSearchCacheSize uint,
+	safeSearchCacheTTL time.Duration,
 ) (cli *client.Persistent, err error) {
 	cli = &client.Persistent{
 		Name: o.Name,
@@ -244,8 +205,8 @@ func (o *clientObject) toPersistent(
 	if o.SafeSearchConf.Enabled {
 		err = cli.SetSafeSearch(
 			o.SafeSearchConf,
-			filteringConf.SafeSearchCacheSize,
-			time.Minute*time.Duration(filteringConf.CacheTime),
+			safeSearchCacheSize,
+			safeSearchCacheTTL,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("init safesearch %q: %w", cli.Name, err)
@@ -270,28 +231,6 @@ func (o *clientObject) toPersistent(
 	return cli, nil
 }

-// addFromConfig initializes the clients container with objects from the
-// configuration file.
-func (clients *clientsContainer) addFromConfig(
-	objects []*clientObject,
-	filteringConf *filtering.Config,
-) (err error) {
-	for i, o := range objects {
-		var cli *client.Persistent
-		cli, err = o.toPersistent(filteringConf)
-		if err != nil {
-			return fmt.Errorf("clients: init persistent client at index %d: %w", i, err)
-		}
-
-		err = clients.storage.Add(cli)
-		if err != nil {
-			return fmt.Errorf("adding client %q at index %d: %w", cli.Name, i, err)
-		}
-	}
-
-	return nil
-}
-
 // forConfig returns all currently known persistent clients as objects for the
 // configuration file.
 func (clients *clientsContainer) forConfig() (objs []*clientObject) {
@@ -332,39 +271,6 @@ func (clients *clientsContainer) forConfig() (objs []*clientObject) {
 // arpClientsUpdatePeriod defines how often ARP clients are updated.
 const arpClientsUpdatePeriod = 10 * time.Minute

-func (clients *clientsContainer) periodicUpdate() {
-	defer log.OnPanic("clients container")
-
-	for {
-		clients.reloadARP()
-		time.Sleep(arpClientsUpdatePeriod)
-	}
-}
-
-// clientSource checks if client with this IP address already exists and returns
-// the source which updated it last.  It returns [client.SourceNone] if the
-// client doesn't exist.  Note that it is only used in tests.
-func (clients *clientsContainer) clientSource(ip netip.Addr) (src client.Source) {
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	_, ok := clients.findLocked(ip.String())
-	if ok {
-		return client.SourcePersistent
-	}
-
-	rc := clients.storage.ClientRuntime(ip)
-	if rc != nil {
-		src, _ = rc.Info()
-	}
-
-	if src < client.SourceDHCP && clients.dhcp.HostByIP(ip) != "" {
-		src = client.SourceDHCP
-	}
-
-	return src
-}
-
 // findMultiple is a wrapper around [clientsContainer.find] to make it a valid
 // client finder for the query log.  c is never nil; if no information about the
 // client is found, it returns an artificial client record by only setting the
@@ -410,7 +316,7 @@ func (clients *clientsContainer) clientOrArtificial(
 		}, false
 	}

-	rc := clients.findRuntimeClient(ip)
+	rc := clients.storage.ClientRuntime(ip)
 	if rc != nil {
 		_, host := rc.Info()

@@ -425,19 +331,6 @@ func (clients *clientsContainer) clientOrArtificial(
 	}, true
 }

-// find returns a shallow copy of the client if there is one found.
-func (clients *clientsContainer) find(id string) (c *client.Persistent, ok bool) {
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	c, ok = clients.findLocked(id)
-	if !ok {
-		return nil, false
-	}
-
-	return c, true
-}
-
 // shouldCountClient is a wrapper around [clientsContainer.find] to make it a
 // valid client information finder for the statistics.  If no information about
 // the client is found, it returns true.
@@ -446,7 +339,7 @@ func (clients *clientsContainer) shouldCountClient(ids []string) (y bool) {
 	defer clients.lock.Unlock()

 	for _, id := range ids {
-		client, ok := clients.findLocked(id)
+		client, ok := clients.storage.Find(id)
 		if ok {
 			return !client.IgnoreStatistics
 		}
@@ -468,7 +361,7 @@ func (clients *clientsContainer) UpstreamConfigByID(
 	clients.lock.Lock()
 	defer clients.lock.Unlock()

-	c, ok := clients.findLocked(id)
+	c, ok := clients.storage.Find(id)
 	if !ok {
 		return nil, nil
 	} else if c.UpstreamConfig != nil {
@@ -506,195 +399,17 @@ func (clients *clientsContainer) UpstreamConfigByID(
 	return conf, nil
 }

-// findLocked searches for a client by its ID.  clients.lock is expected to be
-// locked.
-func (clients *clientsContainer) findLocked(id string) (c *client.Persistent, ok bool) {
-	c, ok = clients.storage.Find(id)
-	if ok {
-		return c, true
-	}
-
-	ip, err := netip.ParseAddr(id)
-	if err != nil {
-		return nil, false
-	}
-
-	// TODO(e.burkov):  Iterate through clients.list only once.
-	return clients.findDHCP(ip)
-}
-
-// findDHCP searches for a client by its MAC, if the DHCP server is active and
-// there is such client.  clients.lock is expected to be locked.
-func (clients *clientsContainer) findDHCP(ip netip.Addr) (c *client.Persistent, ok bool) {
-	foundMAC := clients.dhcp.MACByIP(ip)
-	if foundMAC == nil {
-		return nil, false
-	}
-
-	return clients.storage.FindByMAC(foundMAC)
-}
-
-// findRuntimeClient finds a runtime client by their IP.
-func (clients *clientsContainer) findRuntimeClient(ip netip.Addr) (rc *client.Runtime) {
-	rc = clients.storage.ClientRuntime(ip)
-	host := clients.dhcp.HostByIP(ip)
-
-	if host != "" {
-		if rc == nil {
-			rc = client.NewRuntime(ip)
-		}
-
-		rc.SetInfo(client.SourceDHCP, []string{host})
-
-		return rc
-	}
-
-	return rc
-}
-
-// setWHOISInfo sets the WHOIS information for a client.  clients.lock is
-// expected to be locked.
-func (clients *clientsContainer) setWHOISInfo(ip netip.Addr, wi *whois.Info) {
-	_, ok := clients.findLocked(ip.String())
-	if ok {
-		log.Debug("clients: client for %s is already created, ignore whois info", ip)
-
-		return
-	}
-
-	rc := client.NewRuntime(ip)
-	rc.SetWHOIS(wi)
-	clients.storage.UpdateRuntime(rc)
-
-	log.Debug("clients: set whois info for runtime client with ip %s: %+v", ip, wi)
-}
-
-// addHost adds a new IP-hostname pairing.  The priorities of the sources are
-// taken into account.  ok is true if the pairing was added.
-//
-// TODO(a.garipov): Only used in internal tests.  Consider removing.
-func (clients *clientsContainer) addHost(
-	ip netip.Addr,
-	host string,
-	src client.Source,
-) (ok bool) {
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	return clients.addHostLocked(ip, host, src)
-}
-
 // type check
 var _ client.AddressUpdater = (*clientsContainer)(nil)

 // UpdateAddress implements the [client.AddressUpdater] interface for
 // *clientsContainer
 func (clients *clientsContainer) UpdateAddress(ip netip.Addr, host string, info *whois.Info) {
-	// Common fast path optimization.
-	if host == "" && info == nil {
-		return
-	}
-
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	if host != "" {
-		ok := clients.addHostLocked(ip, host, client.SourceRDNS)
-		if !ok {
-			log.Debug("clients: host for client %q already set with higher priority source", ip)
-		}
-	}
-
-	if info != nil {
-		clients.setWHOISInfo(ip, info)
-	}
-}
-
-// addHostLocked adds a new IP-hostname pairing.  clients.lock is expected to be
-// locked.
-func (clients *clientsContainer) addHostLocked(
-	ip netip.Addr,
-	host string,
-	src client.Source,
-) (ok bool) {
-	rc := client.NewRuntime(ip)
-	rc.SetInfo(src, []string{host})
-	if dhcpHost := clients.dhcp.HostByIP(ip); dhcpHost != "" {
-		rc.SetInfo(client.SourceDHCP, []string{dhcpHost})
-	}
-
-	clients.storage.UpdateRuntime(rc)
-
-	log.Debug(
-		"clients: adding client info %s -> %q %q [%d]",
-		ip,
-		src,
-		host,
-		clients.storage.SizeRuntime(),
-	)
-
-	return true
-}
-
-// addFromHostsFile fills the client-hostname pairing index from the system's
-// hosts files.
-func (clients *clientsContainer) addFromHostsFile(hosts *hostsfile.DefaultStorage) {
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	var rcs []*client.Runtime
-	hosts.RangeNames(func(addr netip.Addr, names []string) (cont bool) {
-		// Only the first name of the first record is considered a canonical
-		// hostname for the IP address.
-		//
-		// TODO(e.burkov):  Consider using all the names from all the records.
-		rc := client.NewRuntime(addr)
-		rc.SetInfo(client.SourceHostsFile, []string{names[0]})
-
-		rcs = append(rcs, rc)
-
-		return true
-	})
-
-	added, removed := clients.storage.BatchUpdateBySource(client.SourceHostsFile, rcs)
-	log.Debug("clients: added %d, removed %d client aliases from system hosts file", added, removed)
-}
-
-// addFromSystemARP adds the IP-hostname pairings from the output of the arp -a
-// command.
-func (clients *clientsContainer) addFromSystemARP() {
-	if err := clients.arpDB.Refresh(); err != nil {
-		log.Error("refreshing arp container: %s", err)
-
-		clients.arpDB = arpdb.Empty{}
-
-		return
-	}
-
-	ns := clients.arpDB.Neighbors()
-	if len(ns) == 0 {
-		log.Debug("refreshing arp container: the update is empty")
-
-		return
-	}
-
-	clients.lock.Lock()
-	defer clients.lock.Unlock()
-
-	var rcs []*client.Runtime
-	for _, n := range ns {
-		rc := client.NewRuntime(n.IP)
-		rc.SetInfo(client.SourceARP, []string{n.Name})
-
-		rcs = append(rcs, rc)
-	}
-
-	added, removed := clients.storage.BatchUpdateBySource(client.SourceARP, rcs)
-	log.Debug("clients: added %d, removed %d client aliases from arp neighborhood", added, removed)
+	clients.storage.UpdateAddress(ip, host, info)
 }

 // close gracefully closes all the client-specific upstream configurations of
 // the persistent clients.
-func (clients *clientsContainer) close() (err error) {
-	return clients.storage.CloseUpstreams()
+func (clients *clientsContainer) close(ctx context.Context) (err error) {
+	return clients.storage.Shutdown(ctx)
 }
--- a/internal/home/clients_internal_test.go
+++ b/internal/home/clients_internal_test.go
@@ -3,34 +3,14 @@ package home
 import (
 	"net"
 	"net/netip"
-	"runtime"
 	"testing"
-	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/client"
-	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
-	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
-	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-type testDHCP struct {
-	OnLeases func() (leases []*dhcpsvc.Lease)
-	OnHostBy func(ip netip.Addr) (host string)
-	OnMACBy  func(ip netip.Addr) (mac net.HardwareAddr)
-}
-
-// Lease implements the [DHCP] interface for testDHCP.
-func (t *testDHCP) Leases() (leases []*dhcpsvc.Lease) { return t.OnLeases() }
-
-// HostByIP implements the [DHCP] interface for testDHCP.
-func (t *testDHCP) HostByIP(ip netip.Addr) (host string) { return t.OnHostBy(ip) }
-
-// MACByIP implements the [DHCP] interface for testDHCP.
-func (t *testDHCP) MACByIP(ip netip.Addr) (mac net.HardwareAddr) { return t.OnMACBy(ip) }
-
 // newClientsContainer is a helper that creates a new clients container for
 // tests.
 func newClientsContainer(t *testing.T) (c *clientsContainer) {
@@ -40,316 +20,11 @@ func newClientsContainer(t *testing.T) (c *clientsContainer) {
 		testing: true,
 	}

-	dhcp := &testDHCP{
-		OnLeases: func() (leases []*dhcpsvc.Lease) { return nil },
-		OnHostBy: func(ip netip.Addr) (host string) { return "" },
-		OnMACBy:  func(ip netip.Addr) (mac net.HardwareAddr) { return nil },
-	}
-
-	require.NoError(t, c.Init(nil, dhcp, nil, nil, &filtering.Config{}))
+	require.NoError(t, c.Init(nil, client.EmptyDHCP{}, nil, nil, &filtering.Config{}))

 	return c
 }

-func TestClients(t *testing.T) {
-	clients := newClientsContainer(t)
-
-	t.Run("add_success", func(t *testing.T) {
-		var (
-			cliNone = "1.2.3.4"
-			cli1    = "1.1.1.1"
-			cli2    = "2.2.2.2"
-
-			cli1IP = netip.MustParseAddr(cli1)
-			cli2IP = netip.MustParseAddr(cli2)
-
-			cliIPv6 = netip.MustParseAddr("1:2:3::4")
-		)
-
-		c := &client.Persistent{
-			Name: "client1",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{cli1IP, cliIPv6},
-		}
-
-		err := clients.storage.Add(c)
-		require.NoError(t, err)
-
-		c = &client.Persistent{
-			Name: "client2",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{cli2IP},
-		}
-
-		err = clients.storage.Add(c)
-		require.NoError(t, err)
-
-		c, ok := clients.find(cli1)
-		require.True(t, ok)
-
-		assert.Equal(t, "client1", c.Name)
-
-		c, ok = clients.find("1:2:3::4")
-		require.True(t, ok)
-
-		assert.Equal(t, "client1", c.Name)
-
-		c, ok = clients.find(cli2)
-		require.True(t, ok)
-
-		assert.Equal(t, "client2", c.Name)
-
-		_, ok = clients.find(cliNone)
-		assert.False(t, ok)
-
-		assert.Equal(t, clients.clientSource(cli1IP), client.SourcePersistent)
-		assert.Equal(t, clients.clientSource(cli2IP), client.SourcePersistent)
-	})
-
-	t.Run("add_fail_name", func(t *testing.T) {
-		err := clients.storage.Add(&client.Persistent{
-			Name: "client1",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{netip.MustParseAddr("1.2.3.5")},
-		})
-		require.Error(t, err)
-	})
-
-	t.Run("add_fail_ip", func(t *testing.T) {
-		err := clients.storage.Add(&client.Persistent{
-			Name: "client3",
-			UID:  client.MustNewUID(),
-		})
-		require.Error(t, err)
-	})
-
-	t.Run("update_fail_ip", func(t *testing.T) {
-		err := clients.storage.Update("client1", &client.Persistent{
-			Name: "client1",
-			UID:  client.MustNewUID(),
-		})
-		assert.Error(t, err)
-	})
-
-	t.Run("update_success", func(t *testing.T) {
-		var (
-			cliOld = "1.1.1.1"
-			cliNew = "1.1.1.2"
-
-			cliNewIP = netip.MustParseAddr(cliNew)
-		)
-
-		prev, ok := clients.storage.FindByName("client1")
-		require.True(t, ok)
-		require.NotNil(t, prev)
-
-		err := clients.storage.Update("client1", &client.Persistent{
-			Name: "client1",
-			UID:  prev.UID,
-			IPs:  []netip.Addr{cliNewIP},
-		})
-		require.NoError(t, err)
-
-		_, ok = clients.find(cliOld)
-		assert.False(t, ok)
-
-		assert.Equal(t, clients.clientSource(cliNewIP), client.SourcePersistent)
-
-		prev, ok = clients.storage.FindByName("client1")
-		require.True(t, ok)
-		require.NotNil(t, prev)
-
-		err = clients.storage.Update("client1", &client.Persistent{
-			Name:           "client1-renamed",
-			UID:            prev.UID,
-			IPs:            []netip.Addr{cliNewIP},
-			UseOwnSettings: true,
-		})
-		require.NoError(t, err)
-
-		c, ok := clients.find(cliNew)
-		require.True(t, ok)
-
-		assert.Equal(t, "client1-renamed", c.Name)
-		assert.True(t, c.UseOwnSettings)
-
-		nilCli, ok := clients.storage.FindByName("client1")
-		require.False(t, ok)
-
-		assert.Nil(t, nilCli)
-
-		require.Len(t, c.IDs(), 1)
-
-		assert.Equal(t, cliNewIP, c.IPs[0])
-	})
-
-	t.Run("del_success", func(t *testing.T) {
-		ok := clients.storage.RemoveByName("client1-renamed")
-		require.True(t, ok)
-
-		_, ok = clients.find("1.1.1.2")
-		assert.False(t, ok)
-	})
-
-	t.Run("del_fail", func(t *testing.T) {
-		ok := clients.storage.RemoveByName("client3")
-		assert.False(t, ok)
-	})
-
-	t.Run("addhost_success", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.1")
-		ok := clients.addHost(ip, "host", client.SourceARP)
-		assert.True(t, ok)
-
-		ok = clients.addHost(ip, "host2", client.SourceARP)
-		assert.True(t, ok)
-
-		ok = clients.addHost(ip, "host3", client.SourceHostsFile)
-		assert.True(t, ok)
-
-		assert.Equal(t, clients.clientSource(ip), client.SourceHostsFile)
-	})
-
-	t.Run("dhcp_replaces_arp", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.2.3.4")
-		ok := clients.addHost(ip, "from_arp", client.SourceARP)
-		assert.True(t, ok)
-		assert.Equal(t, clients.clientSource(ip), client.SourceARP)
-
-		ok = clients.addHost(ip, "from_dhcp", client.SourceDHCP)
-		assert.True(t, ok)
-		assert.Equal(t, clients.clientSource(ip), client.SourceDHCP)
-	})
-
-	t.Run("addhost_priority", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.1")
-		ok := clients.addHost(ip, "host1", client.SourceRDNS)
-		assert.True(t, ok)
-
-		assert.Equal(t, client.SourceHostsFile, clients.clientSource(ip))
-	})
-}
-
-func TestClientsWHOIS(t *testing.T) {
-	clients := newClientsContainer(t)
-	whois := &whois.Info{
-		Country: "AU",
-		Orgname: "Example Org",
-	}
-
-	t.Run("new_client", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.255")
-		clients.setWHOISInfo(ip, whois)
-		rc := clients.storage.ClientRuntime(ip)
-		require.NotNil(t, rc)
-
-		assert.Equal(t, whois, rc.WHOIS())
-	})
-
-	t.Run("existing_auto-client", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.1")
-		ok := clients.addHost(ip, "host", client.SourceRDNS)
-		assert.True(t, ok)
-
-		clients.setWHOISInfo(ip, whois)
-		rc := clients.storage.ClientRuntime(ip)
-		require.NotNil(t, rc)
-
-		assert.Equal(t, whois, rc.WHOIS())
-	})
-
-	t.Run("can't_set_manually-added", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.2")
-
-		err := clients.storage.Add(&client.Persistent{
-			Name: "client1",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{netip.MustParseAddr("1.1.1.2")},
-		})
-		require.NoError(t, err)
-
-		clients.setWHOISInfo(ip, whois)
-		rc := clients.storage.ClientRuntime(ip)
-		require.Nil(t, rc)
-
-		assert.True(t, clients.storage.RemoveByName("client1"))
-	})
-}
-
-func TestClientsAddExisting(t *testing.T) {
-	clients := newClientsContainer(t)
-
-	t.Run("simple", func(t *testing.T) {
-		ip := netip.MustParseAddr("1.1.1.1")
-
-		// Add a client.
-		err := clients.storage.Add(&client.Persistent{
-			Name:    "client1",
-			UID:     client.MustNewUID(),
-			IPs:     []netip.Addr{ip, netip.MustParseAddr("1:2:3::4")},
-			Subnets: []netip.Prefix{netip.MustParsePrefix("2.2.2.0/24")},
-			MACs:    []net.HardwareAddr{{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}},
-		})
-		require.NoError(t, err)
-
-		// Now add an auto-client with the same IP.
-		ok := clients.addHost(ip, "test", client.SourceRDNS)
-		assert.True(t, ok)
-	})
-
-	t.Run("complicated", func(t *testing.T) {
-		// TODO(a.garipov): Properly decouple the DHCP server from the client
-		// storage.
-		if runtime.GOOS == "windows" {
-			t.Skip("skipping dhcp test on windows")
-		}
-
-		ip := netip.MustParseAddr("1.2.3.4")
-
-		// First, init a DHCP server with a single static lease.
-		config := &dhcpd.ServerConfig{
-			Enabled: true,
-			DataDir: t.TempDir(),
-			Conf4: dhcpd.V4ServerConf{
-				Enabled:    true,
-				GatewayIP:  netip.MustParseAddr("1.2.3.1"),
-				SubnetMask: netip.MustParseAddr("255.255.255.0"),
-				RangeStart: netip.MustParseAddr("1.2.3.2"),
-				RangeEnd:   netip.MustParseAddr("1.2.3.10"),
-			},
-		}
-
-		dhcpServer, err := dhcpd.Create(config)
-		require.NoError(t, err)
-
-		clients.dhcp = dhcpServer
-
-		err = dhcpServer.AddStaticLease(&dhcpsvc.Lease{
-			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
-			IP:       ip,
-			Hostname: "testhost",
-			Expiry:   time.Now().Add(time.Hour),
-		})
-		require.NoError(t, err)
-
-		// Add a new client with the same IP as for a client with MAC.
-		err = clients.storage.Add(&client.Persistent{
-			Name: "client2",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{ip},
-		})
-		require.NoError(t, err)
-
-		// Add a new client with the IP from the first client's IP range.
-		err = clients.storage.Add(&client.Persistent{
-			Name: "client3",
-			UID:  client.MustNewUID(),
-			IPs:  []netip.Addr{netip.MustParseAddr("2.2.2.2")},
-		})
-		require.NoError(t, err)
-	})
-}
-
 func TestClientsCustomUpstream(t *testing.T) {
 	clients := newClientsContainer(t)

--- a/internal/home/clientshttp.go
+++ b/internal/home/clientshttp.go
@@ -103,6 +103,8 @@ func (clients *clientsContainer) handleGetClients(w http.ResponseWriter, r *http
 		return true
 	})

+	clients.storage.UpdateDHCP()
+
 	clients.storage.RangeRuntime(func(rc *client.Runtime) (cont bool) {
 		src, host := rc.Info()
 		cj := runtimeClientJSON{
@@ -117,18 +119,7 @@ func (clients *clientsContainer) handleGetClients(w http.ResponseWriter, r *http
 		return true
 	})

-	for _, l := range clients.dhcp.Leases() {
-		cj := runtimeClientJSON{
-			Name:   l.Hostname,
-			Source: client.SourceDHCP,
-			IP:     l.IP,
-			WHOIS:  &whois.Info{},
-		}
-
-		data.RuntimeClients = append(data.RuntimeClients, cj)
-	}
-
-	data.Tags = clientTags
+	data.Tags = clients.storage.AllowedTags()

 	aghhttp.WriteJSONResponseOK(w, r, data)
 }
@@ -430,7 +421,7 @@ func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http
 		}

 		ip, _ := netip.ParseAddr(idStr)
-		c, ok := clients.find(idStr)
+		c, ok := clients.storage.Find(idStr)
 		var cj *clientJSON
 		if !ok {
 			cj = clients.findRuntime(ip, idStr)
@@ -452,7 +443,7 @@ func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http
 // /etc/hosts tables, DHCP leases, or blocklists.  cj is guaranteed to be
 // non-nil.
 func (clients *clientsContainer) findRuntime(ip netip.Addr, idStr string) (cj *clientJSON) {
-	rc := clients.findRuntimeClient(ip)
+	rc := clients.storage.ClientRuntime(ip)
 	if rc == nil {
 		// It is still possible that the IP used to be in the runtime clients
 		// list, but then the server was reloaded.  So, check the DNS server's
--- a/internal/home/clientstags.go
+++ b/internal/home/clientstags.go
@@ -1,27 +0,0 @@
-package home
-
-var clientTags = []string{
-	"device_audio",
-	"device_camera",
-	"device_gameconsole",
-	"device_laptop",
-	"device_nas", // Network-attached Storage
-	"device_other",
-	"device_pc",
-	"device_phone",
-	"device_printer",
-	"device_securityalarm",
-	"device_tablet",
-	"device_tv",
-
-	"os_android",
-	"os_ios",
-	"os_linux",
-	"os_macos",
-	"os_other",
-	"os_windows",
-
-	"user_admin",
-	"user_child",
-	"user_regular",
-}
--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -9,6 +9,7 @@ import (
 	"sync"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/configmigrate"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
@@ -26,9 +27,15 @@ import (
 	yaml "gopkg.in/yaml.v3"
 )

-// dataDir is the name of a directory under the working one to store some
-// persistent data.
-const dataDir = "data"
+const (
+	// dataDir is the name of a directory under the working one to store some
+	// persistent data.
+	dataDir = "data"
+
+	// userFilterDataDir is the name of the directory used to store users'
+	// FS-based rule lists.
+	userFilterDataDir = "userfilters"
+)

 // logSettings are the logging settings part of the configuration file.
 type logSettings struct {
@@ -520,6 +527,7 @@ func parseConfig() (err error) {

 	migrator := configmigrate.New(&configmigrate.Config{
 		WorkingDir: Context.workDir,
+		DataDir:    Context.getDataDir(),
 	})

 	var upgraded bool
@@ -534,7 +542,7 @@ func parseConfig() (err error) {
 		confPath := configFilePath()
 		log.Debug("writing config file %q after config upgrade", confPath)

-		err = maybe.WriteFile(confPath, config.fileData, 0o644)
+		err = maybe.WriteFile(confPath, config.fileData, aghos.DefaultPermFile)
 		if err != nil {
 			return fmt.Errorf("writing new config: %w", err)
 		}
@@ -700,7 +708,7 @@ func (c *configuration) write() (err error) {
 		return fmt.Errorf("generating config file: %w", err)
 	}

-	err = maybe.WriteFile(confPath, buf.Bytes(), 0o644)
+	err = maybe.WriteFile(confPath, buf.Bytes(), aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("writing config file: %w", err)
 	}
--- a/internal/home/controlinstall.go
+++ b/internal/home/controlinstall.go
@@ -270,9 +270,9 @@ DNSStubListener=no
 const resolvConfPath = "/etc/resolv.conf"

 // Deactivate DNSStubListener
-func disableDNSStubListener() error {
+func disableDNSStubListener() (err error) {
 	dir := filepath.Dir(resolvedConfPath)
-	err := os.MkdirAll(dir, 0o755)
+	err = os.MkdirAll(dir, 0o755)
 	if err != nil {
 		return fmt.Errorf("os.MkdirAll: %s: %w", dir, err)
 	}
@@ -413,9 +413,12 @@ func (web *webAPI) handleInstallConfigure(w http.ResponseWriter, r *http.Request
 	copyInstallSettings(curConfig, config)

 	Context.firstRun = false
-	config.HTTPConfig.Address = netip.AddrPortFrom(req.Web.IP, req.Web.Port)
 	config.DNS.BindHosts = []netip.Addr{req.DNS.IP}
 	config.DNS.Port = req.DNS.Port
+	config.Filtering.SafeFSPatterns = []string{
+		filepath.Join(Context.workDir, userFilterDataDir, "*"),
+	}
+	config.HTTPConfig.Address = netip.AddrPortFrom(req.Web.IP, req.Web.Port)

 	u := &webUser{
 		Name: req.Username,
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -1,6 +1,7 @@
 package home

 import (
+	"context"
 	"fmt"
 	"log/slog"
 	"net"
@@ -46,14 +47,9 @@ func onConfigModified() {
 // initDNS updates all the fields of the [Context] needed to initialize the DNS
 // server and initializes it at last.  It also must not be called unless
 // [config] and [Context] are initialized.  l must not be nil.
-func initDNS(l *slog.Logger) (err error) {
+func initDNS(l *slog.Logger, statsDir, querylogDir string) (err error) {
 	anonymizer := config.anonymizer()

-	statsDir, querylogDir, err := checkStatsAndQuerylogDirs(&Context, config)
-	if err != nil {
-		return err
-	}
-
 	statsConf := stats.Config{
 		Logger:            l.With(slogutil.KeyPrefix, "stats"),
 		Filename:          filepath.Join(statsDir, "stats.db"),
@@ -414,9 +410,9 @@ func applyAdditionalFiltering(clientIP netip.Addr, clientID string, setts *filte

 	setts.ClientIP = clientIP

-	c, ok := Context.clients.find(clientID)
+	c, ok := Context.clients.storage.Find(clientID)
 	if !ok {
-		c, ok = Context.clients.find(clientIP.String())
+		c, ok = Context.clients.storage.Find(clientIP.String())
 		if !ok {
 			log.Debug("%s: no clients with ip %s and clientid %q", pref, clientIP, clientID)

@@ -459,11 +455,15 @@ func startDNSServer() error {

 	Context.filters.EnableFilters(false)

-	Context.clients.Start()
-
-	err := Context.dnsServer.Start()
+	// TODO(s.chzhen):  Pass context.
+	err := Context.clients.Start(context.TODO())
 	if err != nil {
-		return fmt.Errorf("couldn't start forwarding DNS server: %w", err)
+		return fmt.Errorf("starting clients container: %w", err)
+	}
+
+	err = Context.dnsServer.Start()
+	if err != nil {
+		return fmt.Errorf("starting dns server: %w", err)
 	}

 	Context.filters.Start()
@@ -500,7 +500,7 @@ func stopDNSServer() (err error) {
 		return fmt.Errorf("stopping forwarding dns server: %w", err)
 	}

-	err = Context.clients.close()
+	err = Context.clients.close(context.TODO())
 	if err != nil {
 		return fmt.Errorf("closing clients container: %w", err)
 	}
--- a/internal/home/dns_internal_test.go
+++ b/internal/home/dns_internal_test.go
@@ -18,9 +18,8 @@ var testIPv4 = netip.AddrFrom4([4]byte{1, 2, 3, 4})
 func newStorage(tb testing.TB, clients []*client.Persistent) (s *client.Storage) {
 	tb.Helper()

-	s = client.NewStorage(&client.Config{
-		AllowedTags: nil,
-	})
+	s, err := client.NewStorage(&client.StorageConfig{})
+	require.NoError(tb, err)

 	for _, p := range clients {
 		p.UID = client.MustNewUID()
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -31,6 +31,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/hashprefix"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/safesearch"
+	"github.com/AdguardTeam/AdGuardHome/internal/permcheck"
 	"github.com/AdguardTeam/AdGuardHome/internal/querylog"
 	"github.com/AdguardTeam/AdGuardHome/internal/stats"
 	"github.com/AdguardTeam/AdGuardHome/internal/updater"
@@ -119,7 +120,7 @@ func Main(clientBuildFS fs.FS) {
 			log.Info("Received signal %q", sig)
 			switch sig {
 			case syscall.SIGHUP:
-				Context.clients.reloadARP()
+				Context.clients.storage.ReloadARP()
 				Context.tls.reload()
 			default:
 				cleanup(context.Background())
@@ -630,9 +631,9 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 		}
 	}

-	dir := Context.getDataDir()
-	err = os.MkdirAll(dir, 0o755)
-	fatalOnError(errors.Annotate(err, "creating DNS data dir at %s: %w", dir))
+	dataDir := Context.getDataDir()
+	err = os.MkdirAll(dataDir, aghos.DefaultPermDir)
+	fatalOnError(errors.Annotate(err, "creating DNS data dir at %s: %w", dataDir))

 	GLMode = opts.glinetMode

@@ -649,8 +650,11 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 	Context.web, err = initWeb(opts, clientBuildFS, upd, slogLogger)
 	fatalOnError(err)

+	statsDir, querylogDir, err := checkStatsAndQuerylogDirs(&Context, config)
+	fatalOnError(err)
+
 	if !Context.firstRun {
-		err = initDNS(slogLogger)
+		err = initDNS(slogLogger, statsDir, querylogDir)
 		fatalOnError(err)

 		Context.tls.start()
@@ -671,6 +675,12 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 		}
 	}

+	if permcheck.NeedsMigration(confPath) {
+		permcheck.Migrate(Context.workDir, dataDir, statsDir, querylogDir, confPath)
+	}
+
+	permcheck.Check(Context.workDir, dataDir, statsDir, querylogDir, confPath)
+
 	Context.web.start()

 	// Wait for other goroutines to complete their job.
@@ -714,7 +724,12 @@ func (c *configuration) anonymizer() (ipmut *aghnet.IPMut) {
 // startMods initializes and starts the DNS server after installation.  l must
 // not be nil.
 func startMods(l *slog.Logger) (err error) {
-	err = initDNS(l)
+	statsDir, querylogDir, err := checkStatsAndQuerylogDirs(&Context, config)
+	if err != nil {
+		return err
+	}
+
+	err = initDNS(l, statsDir, querylogDir)
 	if err != nil {
 		return err
 	}
--- a/internal/next/configmgr/configmgr.go
+++ b/internal/next/configmgr/configmgr.go
@@ -14,6 +14,7 @@ import (
 	"sync"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
@@ -182,7 +183,7 @@ func (m *Manager) write() (err error) {
 		return fmt.Errorf("encoding: %w", err)
 	}

-	err = maybe.WriteFile(m.fileName, b, 0o644)
+	err = maybe.WriteFile(m.fileName, b, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("writing: %w", err)
 	}
--- a/internal/permcheck/migrate.go
+++ b/internal/permcheck/migrate.go
@@ -0,0 +1,93 @@
+package permcheck
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// NeedsMigration returns true if AdGuard Home files need permission migration.
+//
+// TODO(a.garipov):  Consider ways to detect this better.
+func NeedsMigration(confFilePath string) (ok bool) {
+	s, err := os.Stat(confFilePath)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			// Likely a first run.  Don't check.
+			return false
+		}
+
+		log.Error("permcheck: checking if files need migration: %s", err)
+
+		// Unexpected error.  Try to migrate just in case.
+		return true
+	}
+
+	return s.Mode().Perm() != aghos.DefaultPermFile
+}
+
+// Migrate attempts to change the permissions of AdGuard Home's files.  It logs
+// the results at an appropriate level.
+func Migrate(workDir, dataDir, statsDir, querylogDir, confFilePath string) {
+	chmodDir(workDir)
+
+	chmodFile(confFilePath)
+
+	// TODO(a.garipov): Put all paths in one place and remove this duplication.
+	chmodDir(dataDir)
+	chmodDir(filepath.Join(dataDir, "filters"))
+	chmodFile(filepath.Join(dataDir, "sessions.db"))
+	chmodFile(filepath.Join(dataDir, "leases.json"))
+
+	if dataDir != querylogDir {
+		chmodDir(querylogDir)
+	}
+	chmodFile(filepath.Join(querylogDir, "querylog.json"))
+	chmodFile(filepath.Join(querylogDir, "querylog.json.1"))
+
+	if dataDir != statsDir {
+		chmodDir(statsDir)
+	}
+	chmodFile(filepath.Join(statsDir, "stats.db"))
+}
+
+// chmodDir changes the permissions of a single directory.  The results are
+// logged at the appropriate level.
+func chmodDir(dirPath string) {
+	chmodPath(dirPath, typeDir, aghos.DefaultPermDir)
+}
+
+// chmodFile changes the permissions of a single file.  The results are logged
+// at the appropriate level.
+func chmodFile(filePath string) {
+	chmodPath(filePath, typeFile, aghos.DefaultPermFile)
+}
+
+// chmodPath changes the permissions of a single filesystem entity.  The results
+// are logged at the appropriate level.
+func chmodPath(entPath, fileType string, fm fs.FileMode) {
+	err := os.Chmod(entPath, fm)
+	if err == nil {
+		log.Info("permcheck: changed permissions for %s %q", fileType, entPath)
+
+		return
+	} else if errors.Is(err, os.ErrNotExist) {
+		log.Debug("permcheck: changing permissions for %s %q: %s", fileType, entPath, err)
+
+		return
+	}
+
+	log.Error(
+		"permcheck: SECURITY WARNING: cannot change permissions for %s %q to %#o: %s; "+
+			"this can leave your system vulnerable, see "+
+			"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns",
+		fileType,
+		entPath,
+		fm,
+		err,
+	)
+}
--- a/internal/permcheck/permcheck.go
+++ b/internal/permcheck/permcheck.go
@@ -0,0 +1,86 @@
+// Package permcheck contains code for simplifying permissions checks on files
+// and directories.
+//
+// TODO(a.garipov):  Improve the approach on Windows.
+package permcheck
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+)
+
+// File type constants for logging.
+const (
+	typeDir  = "directory"
+	typeFile = "file"
+)
+
+// Check checks the permissions on important files.  It logs the results at
+// appropriate levels.
+func Check(workDir, dataDir, statsDir, querylogDir, confFilePath string) {
+	checkDir(workDir)
+
+	checkFile(confFilePath)
+
+	// TODO(a.garipov): Put all paths in one place and remove this duplication.
+	checkDir(dataDir)
+	checkDir(filepath.Join(dataDir, "filters"))
+	checkFile(filepath.Join(dataDir, "sessions.db"))
+	checkFile(filepath.Join(dataDir, "leases.json"))
+
+	if dataDir != querylogDir {
+		checkDir(querylogDir)
+	}
+	checkFile(filepath.Join(querylogDir, "querylog.json"))
+	checkFile(filepath.Join(querylogDir, "querylog.json.1"))
+
+	if dataDir != statsDir {
+		checkDir(statsDir)
+	}
+	checkFile(filepath.Join(statsDir, "stats.db"))
+}
+
+// checkDir checks the permissions of a single directory.  The results are
+// logged at the appropriate level.
+func checkDir(dirPath string) {
+	checkPath(dirPath, typeDir, aghos.DefaultPermDir)
+}
+
+// checkFile checks the permissions of a single file.  The results are logged at
+// the appropriate level.
+func checkFile(filePath string) {
+	checkPath(filePath, typeFile, aghos.DefaultPermFile)
+}
+
+// checkPath checks the permissions of a single filesystem entity.  The results
+// are logged at the appropriate level.
+func checkPath(entPath, fileType string, want fs.FileMode) {
+	s, err := os.Stat(entPath)
+	if err != nil {
+		logFunc := log.Error
+		if errors.Is(err, os.ErrNotExist) {
+			logFunc = log.Debug
+		}
+
+		logFunc("permcheck: checking %s %q: %s", fileType, entPath, err)
+
+		return
+	}
+
+	// TODO(a.garipov): Add a more fine-grained check and result reporting.
+	perm := s.Mode().Perm()
+	if perm != want {
+		log.Info(
+			"permcheck: SECURITY WARNING: %s %q has unexpected permissions %#o; want %#o",
+			fileType,
+			entPath,
+			perm,
+			want,
+		)
+	}
+}
--- a/internal/querylog/qlogfile.go
+++ b/internal/querylog/qlogfile.go
@@ -8,6 +8,7 @@ import (
 	"sync"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 )
@@ -56,7 +57,7 @@ type qLogFile struct {

 // newQLogFile initializes a new instance of the qLogFile.
 func newQLogFile(path string) (qf *qLogFile, err error) {
-	f, err := os.OpenFile(path, os.O_RDONLY, 0o644)
+	f, err := os.OpenFile(path, os.O_RDONLY, aghos.DefaultPermFile)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/querylog/querylogfile.go
+++ b/internal/querylog/querylogfile.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 )
@@ -70,7 +71,7 @@ func (l *queryLog) flushToFile(b *bytes.Buffer) (err error) {

 	filename := l.logFile

-	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o644)
+	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("creating file %q: %w", filename, err)
 	}
--- a/internal/stats/stats.go
+++ b/internal/stats/stats.go
@@ -15,6 +15,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/timeutil"
@@ -383,7 +384,7 @@ func (s *StatsCtx) openDB() (err error) {
 	s.logger.Debug("opening database")

 	var db *bbolt.DB
-	db, err = bbolt.Open(s.filename, 0o644, nil)
+	db, err = bbolt.Open(s.filename, aghos.DefaultPermFile, nil)
 	if err != nil {
 		if err.Error() == "invalid argument" {
 			const lines = `AdGuard Home cannot be initialized due to an incompatible file system.
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/AdguardTeam/AdGuardHome/internal/tools

-go 1.23.1
+go 1.23.2

 require (
 	github.com/fzipp/gocyclo v0.6.0
@@ -8,22 +8,22 @@ require (
 	github.com/gordonklaus/ineffassign v0.1.0
 	github.com/kisielk/errcheck v1.7.0
 	github.com/kyoh86/looppointer v0.2.1
-	github.com/securego/gosec/v2 v2.21.2
+	github.com/securego/gosec/v2 v2.21.4
 	github.com/uudashr/gocognit v1.1.3
 	golang.org/x/tools v0.25.0
 	golang.org/x/vuln v1.1.3
 	honnef.co/go/tools v0.5.1
 	mvdan.cc/gofumpt v0.7.0
-	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f
+	mvdan.cc/unparam v0.0.0-20240917084806-57a3b4290ba3
 )

 require (
 	cloud.google.com/go v0.115.1 // indirect
 	cloud.google.com/go/ai v0.8.2 // indirect
-	cloud.google.com/go/auth v0.9.3 // indirect
+	cloud.google.com/go/auth v0.9.7 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
-	cloud.google.com/go/compute/metadata v0.5.0 // indirect
-	cloud.google.com/go/longrunning v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
+	cloud.google.com/go/longrunning v0.6.1 // indirect
 	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
 	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -40,11 +40,11 @@ require (
 	github.com/kyoh86/nolint v0.0.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
-	go.opentelemetry.io/otel v1.29.0 // indirect
-	go.opentelemetry.io/otel/metric v1.29.0 // indirect
-	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect
+	go.opentelemetry.io/otel v1.30.0 // indirect
+	go.opentelemetry.io/otel/metric v1.30.0 // indirect
+	go.opentelemetry.io/otel/trace v1.30.0 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 // indirect
@@ -53,13 +53,13 @@ require (
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/telemetry v0.0.0-20240906150435-6d9f2eb83631 // indirect
+	golang.org/x/telemetry v0.0.0-20240927214544-e9e6960092dd // indirect
 	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
-	google.golang.org/api v0.196.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
-	google.golang.org/grpc v1.66.1 // indirect
+	google.golang.org/api v0.199.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect
+	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -3,14 +3,14 @@ cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ=
 cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc=
 cloud.google.com/go/ai v0.8.2 h1:LEaQwqBv+k2ybrcdTtCTc9OPZXoEdcQaGrfvDYS6Bnk=
 cloud.google.com/go/ai v0.8.2/go.mod h1:Wb3EUUGWwB6yHBaUf/+oxUq/6XbCaU1yh0GrwUS8lr4=
-cloud.google.com/go/auth v0.9.3 h1:VOEUIAADkkLtyfr3BLa3R8Ed/j6w1jTBmARx+wb5w5U=
-cloud.google.com/go/auth v0.9.3/go.mod h1:7z6VY+7h3KUdRov5F1i8NDP5ZzWKYmEPO842BgCsmTk=
+cloud.google.com/go/auth v0.9.7 h1:ha65jNwOfI48YmUzNfMaUDfqt5ykuYIUnSartpU1+BA=
+cloud.google.com/go/auth v0.9.7/go.mod h1:Xo0n7n66eHyOWWCnitop6870Ilwo3PiZyodVkkH1xWM=
 cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY=
 cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc=
-cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
-cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
-cloud.google.com/go/longrunning v0.6.0 h1:mM1ZmaNsQsnb+5n1DNPeL0KwQd9jQRqSqSDEkBZr+aI=
-cloud.google.com/go/longrunning v0.6.0/go.mod h1:uHzSZqW89h7/pasCWNYdUpwGz3PcVWhrWupreVPYLts=
+cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
+cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
+cloud.google.com/go/longrunning v0.6.1 h1:lOLTFxYpr8hcRtcwWir5ITh1PAKUD/sG2lKrTSYjyMc=
+cloud.google.com/go/longrunning v0.6.1/go.mod h1:nHISoOZpBcmlwbJmiVk5oDRz0qG/ZxPynEGs1iZ79s0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
@@ -105,8 +105,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/securego/gosec/v2 v2.21.2 h1:deZp5zmYf3TWwU7A7cR2+SolbTpZ3HQiwFqnzQyEl3M=
-github.com/securego/gosec/v2 v2.21.2/go.mod h1:au33kg78rNseF5PwPnTWhuYBFf534bvJRvOrgZ/bFzU=
+github.com/securego/gosec/v2 v2.21.4 h1:Le8MSj0PDmOnHJgUATjD96PaXRvCpKC+DGJvwyy0Mlk=
+github.com/securego/gosec/v2 v2.21.4/go.mod h1:Jtb/MwRQfRxCXyCm1rfM1BEiiiTfUOdyzzAhlr6lUTA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -125,16 +125,16 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
-go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
-go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
-go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
-go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
-go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI=
+go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts=
+go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc=
+go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w=
+go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ=
+go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc=
+go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -183,8 +183,8 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/telemetry v0.0.0-20240906150435-6d9f2eb83631 h1:/udK7fpCEWRkSveodOtAfxZbfWmVndguEdET1gRwdHY=
-golang.org/x/telemetry v0.0.0-20240906150435-6d9f2eb83631/go.mod h1:PsFMgI0jiuY7j+qwXANuh9a/x5kQESTSnRow3gapUyk=
+golang.org/x/telemetry v0.0.0-20240927214544-e9e6960092dd h1:cSUM3UgI7q2QZ4WBwDOGo5eFhZG4eGUkpdFporYHwpQ=
+golang.org/x/telemetry v0.0.0-20240927214544-e9e6960092dd/go.mod h1:PsFMgI0jiuY7j+qwXANuh9a/x5kQESTSnRow3gapUyk=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -208,24 +208,24 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.196.0 h1:k/RafYqebaIJBO3+SMnfEGtFVlvp5vSgqTUF54UN/zg=
-google.golang.org/api v0.196.0/go.mod h1:g9IL21uGkYgvQ5BZg6BAtoGJQIm8r6EgaAbpNey5wBE=
+google.golang.org/api v0.199.0 h1:aWUXClp+VFJmqE0JPvpZOK3LDQMyFKYIow4etYd9qxs=
+google.golang.org/api v0.199.0/go.mod h1:ohG4qSztDJmZdjK/Ar6MhbAmb/Rpi4JHOqagsh90K28=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA=
+google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM=
-google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -248,5 +248,5 @@ honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
 honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
 mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU=
 mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo=
-mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U=
-mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f/go.mod h1:RSLa7mKKCNeTTMHBw5Hsy2rfJmd6O2ivt9Dw9ZqCQpQ=
+mvdan.cc/unparam v0.0.0-20240917084806-57a3b4290ba3 h1:YkmTN1n5U60NM02j7TCSWRlW3fqNiuXe/eVXf0dLFN8=
+mvdan.cc/unparam v0.0.0-20240917084806-57a3b4290ba3/go.mod h1:z5yboO1sP1Q9pcfvS597TpfbNXQjphDlkCJHzt13ybc=
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/ioutil"
@@ -263,7 +264,7 @@ func (u *Updater) check() (err error) {
 // ignores the configuration file if firstRun is true.
 func (u *Updater) backup(firstRun bool) (err error) {
 	log.Debug("updater: backing up current configuration")
-	_ = os.Mkdir(u.backupDir, 0o755)
+	_ = os.Mkdir(u.backupDir, aghos.DefaultPermDir)
 	if !firstRun {
 		err = copyFile(u.confName, filepath.Join(u.backupDir, "AdGuardHome.yaml"))
 		if err != nil {
@@ -337,10 +338,10 @@ func (u *Updater) downloadPackageFile() (err error) {
 		return fmt.Errorf("io.ReadAll() failed: %w", err)
 	}

-	_ = os.Mkdir(u.updateDir, 0o755)
+	_ = os.Mkdir(u.updateDir, aghos.DefaultPermDir)

 	log.Debug("updater: saving package to file")
-	err = os.WriteFile(u.packageName, body, 0o644)
+	err = os.WriteFile(u.packageName, body, aghos.DefaultPermFile)
 	if err != nil {
 		return fmt.Errorf("os.WriteFile() failed: %w", err)
 	}
@@ -527,7 +528,7 @@ func copyFile(src, dst string) error {
 	if e != nil {
 		return e
 	}
-	e = os.WriteFile(dst, d, 0o644)
+	e = os.WriteFile(dst, d, aghos.DefaultPermFile)
 	if e != nil {
 		return e
 	}
--- a/process_log.txt
+++ b/process_log.txt
@@ -1,2 +0,0 @@
-Checking for uncommitted changes...
-Uncommitted changes found in ./adguard-home, skipping...
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -497,7 +497,7 @@ download() {
 # Function unpack unpacks the passed archive depending on it's extension.
 unpack() {
 	log "unpacking package from $pkg_name into $out_dir"
-	if ! mkdir -p "$out_dir"
+	if ! mkdir -m 0700 -p "$out_dir"
 	then
 		error_exit "cannot create directory $out_dir"
 	fi