Pull request: client: upd i18n

Merge in DNS/adguard-home from upd-i18n to master Squashed commit of the following: commit e2f9e9f52a424b7c13beebfc2f8fea3814d3b2f4 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Feb 8 13:48:17 2022 +0300 client: upd i18n
Pull request: upd changelog
2022-02-08 13:53:58 +03:00 · 2022-02-07 20:23:07 +03:00 · 2022-02-07 19:01:51 +03:00 · 2022-02-04 18:18:28 +03:00 · 2022-02-03 21:19:32 +03:00 · 2022-02-01 21:44:01 +03:00
105 changed files with 2439 additions and 1321 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'

 'env':
-  'GO_VERSION': '1.16'
+  'GO_VERSION': '1.17'
  'NODE_VERSION': '14'

 'on':
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'

 'env':
-  'GO_VERSION': '1.16'
+  'GO_VERSION': '1.17'

 'on':
  'push':
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,40 +7,142 @@ The format is based on
 and this project adheres to
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+
+
 ## [Unreleased]

 <!--
-## [v0.108.0] - 2021-06-01 (APPROX.)
+## [v0.108.0] - 2022-06-01 (APPROX.)
 -->

 ### Added

 - `windows/arm64` support ([#3057]).

+### Changed
+
+- Response filtering is now performed using the record types of the answer
+  section of messages as opposed to the type of the question ([#4238]).
+- Instead of adding the build time information, the build scripts now use the
+  standardized environment variable [`SOURCE_DATE_EPOCH`][repr] to add the date
+  of the commit from which the binary was built ([#4221]).  This should simplify
+  reproducible builds for package maintainers and those who compile their own
+  AdGuard Home.
+- The setting `local_domain_name` is now in the `dhcp` block in the
+  configuration file to avoid confusion ([#3367]).
+- The `dns.bogus_nxdomain` configuration file parameter now supports CIDR
+  notation alongside IP addresses ([#1730]).
+
+#### Configuration Changes
+
+In this release, the schema version has changed from 12 to 13.
+
+- Parameter `local_domain_name`, which in schema versions 12 and earlier used to
+  be a part of the `dns` object, is now a part of the `dhcp` object:
+
+  ```yaml
+  # BEFORE:
+  'dns':
+    # …
+    'local_domain_name': 'lan'
+
+  # AFTER:
+  'dhcp':
+    # …
+    'local_domain_name': 'lan'
+  ```
+
+  To rollback this change, move the parameter back into `dns` and change the
+  `schema_version` back to `12`.
+
 ### Deprecated

-<!--
-    TODO(a.garipov): Remove this deprecation, if v0.108.0 is released before
-    the Go 1.18 release.
-->
 - Go 1.17 support.  v0.109.0 will require at least Go 1.18 to build.

+### Fixed
+
+- Optimistic cache now responds with expired items even if those can't be
+  resolved again ([#4254]).
+- Unnecessarily complex hosts-related logic leading to infinite recursion in
+  some cases ([#4216]).
+
 ### Removed

 - Go 1.16 support.

+### Security
+
+- Weaker cipher suites that use the CBC (cipher block chaining) mode of
+  operation have been disabled ([#2993]).
+
+[#1730]: https://github.com/AdguardTeam/AdGuardHome/issues/1730
+[#2993]: https://github.com/AdguardTeam/AdGuardHome/issues/2993
 [#3057]: https://github.com/AdguardTeam/AdGuardHome/issues/3057
+[#3367]: https://github.com/AdguardTeam/AdGuardHome/issues/3367
+[#4216]: https://github.com/AdguardTeam/AdGuardHome/issues/4216
+[#4221]: https://github.com/AdguardTeam/AdGuardHome/issues/4221
+[#4238]: https://github.com/AdguardTeam/AdGuardHome/issues/4238
+[#4254]: https://github.com/AdguardTeam/AdGuardHome/issues/4254
+
+[repr]: https://reproducible-builds.org/docs/source-date-epoch/



 <!--
-## [v0.107.2] - 2021-01-19 (APPROX.)
+## [v0.107.4] - 2022-03-01 (APPROX.)
+
+See also the [v0.107.4 GitHub milestone][ms-v0.107.4].
+
+[ms-v0.107.4]: https://github.com/AdguardTeam/AdGuardHome/milestone/41?closed=1
 -->



+## [v0.107.3] - 2022-01-25
+
+See also the [v0.107.3 GitHub milestone][ms-v0.107.3].
+
+### Added
+
+- Support for a `$dnsrewrite` modifier with an empty `NOERROR` response
+  ([#4133]).
+
+### Fixed
+
+- Wrong set of ports checked for duplicates during the initial setup ([#4095]).
+- Incorrectly invalidated service domains ([#4120]).
+- Poor testing of domain-specific upstream servers ([#4074]).
+- Omitted aliases of hosts specified by another line within the OS's hosts file
+  ([#4079]).
+
+[#4074]: https://github.com/AdguardTeam/AdGuardHome/issues/4074
+[#4079]: https://github.com/AdguardTeam/AdGuardHome/issues/4079
+[#4095]: https://github.com/AdguardTeam/AdGuardHome/issues/4095
+[#4120]: https://github.com/AdguardTeam/AdGuardHome/issues/4120
+[#4133]: https://github.com/AdguardTeam/AdGuardHome/issues/4133
+
+[ms-v0.107.3]: https://github.com/AdguardTeam/AdGuardHome/milestone/40?closed=1
+
+
+
+## [v0.107.2] - 2021-12-29
+
+See also the [v0.107.2 GitHub milestone][ms-v0.107.2].
+
+### Fixed
+
+- Infinite loops when TCP connections time out ([#4042]).
+
+[#4042]: https://github.com/AdguardTeam/AdGuardHome/issues/4042
+
+[ms-v0.107.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/38?closed=1
+
+
+
 ## [v0.107.1] - 2021-12-29

+See also the [v0.107.1 GitHub milestone][ms-v0.107.1].
+
 ### Changed

 - The validation error message for duplicated allow- and blocklists in DNS
@@ -66,10 +168,14 @@ and this project adheres to
 [#4016]: https://github.com/AdguardTeam/AdGuardHome/issues/4016
 [#4027]: https://github.com/AdguardTeam/AdGuardHome/issues/4027

+[ms-v0.107.1]: https://github.com/AdguardTeam/AdGuardHome/milestone/37?closed=1
+


 ## [v0.107.0] - 2021-12-21

+See also the [v0.107.0 GitHub milestone][ms-v0.107.0].
+
 ### Added

 - Upstream server information for responses from cache ([#3772]).  Note that old
@@ -306,10 +412,14 @@ In this release, the schema version has changed from 10 to 12.
 [#3904]: https://github.com/AdguardTeam/AdGuardHome/issues/3904
 [#3933]: https://github.com/AdguardTeam/AdGuardHome/pull/3933

+[ms-v0.107.0]: https://github.com/AdguardTeam/AdGuardHome/milestone/23?closed=1
+


 ## [v0.106.3] - 2021-05-19

+See also the [v0.106.3 GitHub milestone][ms-v0.106.3].
+
 ### Added

 - Support for reinstall (`-r`) and uninstall (`-u`) flags in the installation
@@ -339,20 +449,28 @@ In this release, the schema version has changed from 10 to 12.
 [#3115]: https://github.com/AdguardTeam/AdGuardHome/issues/3115
 [#3127]: https://github.com/AdguardTeam/AdGuardHome/issues/3127

+[ms-v0.106.3]: https://github.com/AdguardTeam/AdGuardHome/milestone/35?closed=1
+


 ## [v0.106.2] - 2021-05-06

+See also the [v0.106.2 GitHub milestone][ms-v0.106.2].
+
 ### Fixed

 - Uniqueness validation for dynamic DHCP leases ([#3056]).

 [#3056]: https://github.com/AdguardTeam/AdGuardHome/issues/3056

+[ms-v0.106.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/34?closed=1
+


 ## [v0.106.1] - 2021-04-30

+See also the [v0.106.1 GitHub milestone][ms-v0.106.1].
+
 ### Fixed

 - Local domain name handling when the DHCP server is disabled ([#3028]).
@@ -363,10 +481,14 @@ In this release, the schema version has changed from 10 to 12.
 [#3027]: https://github.com/AdguardTeam/AdGuardHome/issues/3027
 [#3028]: https://github.com/AdguardTeam/AdGuardHome/issues/3028

+[ms-v0.106.1]: https://github.com/AdguardTeam/AdGuardHome/milestone/33?closed=1
+


 ## [v0.106.0] - 2021-04-28

+See also the [v0.106.0 GitHub milestone][ms-v0.106.0].
+
 ### Added

 - The ability to block user for login after configurable number of unsuccessful
@@ -455,11 +577,14 @@ In this release, the schema version has changed from 10 to 12.
 [#2994]: https://github.com/AdguardTeam/AdGuardHome/issues/2994

 [doq-draft-02]: https://tools.ietf.org/html/draft-ietf-dprive-dnsoquic-02
+[ms-v0.106.0]:  https://github.com/AdguardTeam/AdGuardHome/milestone/26?closed=1



 ## [v0.105.2] - 2021-03-10

+See also the [v0.105.2 GitHub milestone][ms-v0.105.2].
+
 ### Fixed

 - Incomplete hostnames with trailing zero-bytes handling ([#2582]).
@@ -471,6 +596,11 @@ In this release, the schema version has changed from 10 to 12.
 - Incomplete DNS upstreams validation ([#2674]).
 - Wrong parsing of DHCP options of the `ip` type ([#2688]).

+### Security
+
+- Session token doesn't contain user's information anymore ([#2470]).
+
+[#2470]: https://github.com/AdguardTeam/AdGuardHome/issues/2470
 [#2582]: https://github.com/AdguardTeam/AdGuardHome/issues/2582
 [#2600]: https://github.com/AdguardTeam/AdGuardHome/issues/2600
 [#2674]: https://github.com/AdguardTeam/AdGuardHome/issues/2674
@@ -479,16 +609,14 @@ In this release, the schema version has changed from 10 to 12.
 [#2692]: https://github.com/AdguardTeam/AdGuardHome/issues/2692
 [#2757]: https://github.com/AdguardTeam/AdGuardHome/issues/2757

-### Security
-
- Session token doesn't contain user's information anymore ([#2470]).
-
-[#2470]: https://github.com/AdguardTeam/AdGuardHome/issues/2470
+[ms-v0.105.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/32?closed=1



 ## [v0.105.1] - 2021-02-15

+See also the [v0.105.1 GitHub milestone][ms-v0.105.1].
+
 ### Changed

 - Increased HTTP API timeouts ([#2671], [#2682]).
@@ -528,10 +656,14 @@ In this release, the schema version has changed from 10 to 12.
 [#2678]: https://github.com/AdguardTeam/AdGuardHome/issues/2678
 [#2682]: https://github.com/AdguardTeam/AdGuardHome/issues/2682

+[ms-v0.105.1]: https://github.com/AdguardTeam/AdGuardHome/milestone/31?closed=1
+


 ## [v0.105.0] - 2021-02-10

+See also the [v0.105.0 GitHub milestone][ms-v0.105.0].
+
 ### Added

 - Added more services to the "Blocked services" list ([#2224], [#2401]).
@@ -629,18 +761,28 @@ In this release, the schema version has changed from 10 to 12.
 [#2639]: https://github.com/AdguardTeam/AdGuardHome/issues/2639
 [#2646]: https://github.com/AdguardTeam/AdGuardHome/issues/2646

+[ms-v0.105.0]: https://github.com/AdguardTeam/AdGuardHome/milestone/27?closed=1
+
+
+
 ## [v0.104.3] - 2020-11-19

+See also the [v0.104.3 GitHub milestone][ms-v0.104.3].
+
 ### Fixed

 - The accidentally exposed profiler HTTP API ([#2336]).

 [#2336]: https://github.com/AdguardTeam/AdGuardHome/issues/2336

+[ms-v0.104.3]: https://github.com/AdguardTeam/AdGuardHome/milestone/30?closed=1
+


 ## [v0.104.2] - 2020-11-19

+See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
+
 ### Added

 - This changelog :-) ([#2294]).
@@ -665,14 +807,19 @@ In this release, the schema version has changed from 10 to 12.
 [#2324]: https://github.com/AdguardTeam/AdGuardHome/issues/2324
 [#2325]: https://github.com/AdguardTeam/AdGuardHome/issues/2325

+[ms-v0.104.2]: https://github.com/AdguardTeam/AdGuardHome/milestone/28?closed=1
+
+


 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.2...HEAD
-[v0.107.2]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.1...v0.107.2
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.4...HEAD
+[v0.107.4]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.3...v0.107.4
 -->

-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.1...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.3...HEAD
+[v0.107.3]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.2...v0.107.3
+[v0.107.2]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.1...v0.107.2
 [v0.107.1]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.0...v0.107.1
 [v0.107.0]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.106.3...v0.107.0
 [v0.106.3]:   https://github.com/AdguardTeam/AdGuardHome/compare/v0.106.2...v0.106.3
--- a/README.md
+++ b/README.md
@@ -185,7 +185,7 @@ Run `make init` to prepare the development environment.

 You will need this to build AdGuard Home:

- * [go](https://golang.org/dl/) v1.16 or later.
+ * [go](https://golang.org/dl/) v1.17 or later.
 * [node.js](https://nodejs.org/en/download/) v10.16.2 or later.
 * [npm](https://www.npmjs.com/) v6.14 or later (temporary requirement, TODO: remove when redesign is finished).
 * [yarn](https://yarnpkg.com/) v1.22.5 or later.
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
  'channel': 'edge'
-  'dockerGo': 'adguard/golang-ubuntu:3.8'
+  'dockerGo': 'adguard/golang-ubuntu:4.0'

 'stages':
 - 'Make release':
@@ -266,7 +266,7 @@
    # need to build a few of these.
    'variables':
      'channel': 'beta'
-      'dockerGo': 'adguard/golang-ubuntu:3.8'
+      'dockerGo': 'adguard/golang-ubuntu:4.0'
 # release-vX.Y.Z branches are the branches from which the actual final release
 # is built.
 - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -281,4 +281,4 @@
    # are the ones that actually get released.
    'variables':
      'channel': 'release'
-      'dockerGo': 'adguard/golang-ubuntu:3.8'
+      'dockerGo': 'adguard/golang-ubuntu:4.0'
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -5,7 +5,7 @@
  'key': 'AHBRTSPECS'
  'name': 'AdGuard Home - Build and run tests'
 'variables':
-  'dockerGo': 'adguard/golang-ubuntu:3.8'
+  'dockerGo': 'adguard/golang-ubuntu:4.0'

 'stages':
 - 'Tests':
--- a/client/public/index.html
+++ b/client/public/index.html
@@ -3,7 +3,6 @@
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
-        <meta name="theme-color" content="#000000">
        <meta name="google" content="notranslate">
        <meta http-equiv="x-dns-prefetch-control" content="off">
        <meta name="mobile-web-app-capable" content="yes" />
--- a/client/public/install.html
+++ b/client/public/install.html
@@ -3,7 +3,6 @@
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
-        <meta name="theme-color" content="#000000">
        <meta name="google" content="notranslate">
        <meta name="mobile-web-app-capable" content="yes" />
        <meta name="apple-mobile-web-app-capable" content="yes" />
--- a/client/public/login.html
+++ b/client/public/login.html
@@ -3,7 +3,6 @@
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
-        <meta name="theme-color" content="#000000">
        <meta name="google" content="notranslate">
        <link rel="apple-touch-icon" sizes="180x180" href="assets/apple-touch-icon-180x180.png" />
        <meta name="mobile-web-app-capable" content="yes" />
--- a/client/src/__locales/be.json
+++ b/client/src/__locales/be.json
@@ -163,8 +163,8 @@
    "apply_btn": "Ужыць",
    "disabled_filtering_toast": "Фільтрацыя выкл.",
    "enabled_filtering_toast": "Фільтрацыя ўкл.",
-    "disabled_safe_browsing_toast": "Бяспечная навігацыя выкл.",
-    "enabled_safe_browsing_toast": "Бяспечная навігацыя ўкл.",
+    "disabled_safe_browsing_toast": "Бяспечная навігацыя выключана",
+    "enabled_safe_browsing_toast": "Бяспечная навігацыя ўключана",
    "disabled_parental_toast": "Бацькоўскі кантроль выкл.",
    "enabled_parental_toast": "Бацькоўскі кантроль укл.",
    "disabled_safe_search_toast": "Бяспечны пошук выкл.",
@@ -200,6 +200,7 @@
    "form_error_url_or_path_format": "Няслушны URL ці абсалютны шлях да спіса",
    "custom_filter_rules": "Карыстацкае рэдагавала фільтрацыі",
    "custom_filter_rules_hint": "Уводзьце па адным правіле на радок. Вы можаце выкарыстоўваць правілы блакавання ці сінтаксіс файлаў hosts.",
+    "system_host_files": "Сістэмныя hosts-файлы",
    "examples_title": "Прыклады",
    "example_meaning_filter_block": "заблакаваць доступ да дамена example.org і ўсім яго паддаменам",
    "example_meaning_filter_whitelist": "адблакаваць доступ да дамена example.org і ўсім яго паддаменам",
@@ -586,8 +587,8 @@
    "show_blocked_responses": "Заблакавана",
    "show_whitelisted_responses": "Белы спіс",
    "show_processed_responses": "Апрацавана",
-    "blocked_safebrowsing": "Заблакавана згодна базе дадзеных Safebrowsing",
-    "blocked_adult_websites": "Заблакаваныя \"дарослыя\" сайты",
+    "blocked_safebrowsing": "Заблакавана згодна базе дадзеных Safe Browsing",
+    "blocked_adult_websites": "Заблакавана Бацькоўскім кантролем",
    "blocked_threats": "Заблакавана пагроз",
    "allowed": "Дазволены",
    "filtered": "Адфільтраваныя",
@@ -624,5 +625,7 @@
    "last_rule_in_allowlist": "Няможна заблакаваць гэтага кліента, бо вынятак правіла «{{disallowed_rule}}» АДКЛЮЧЫЦЬ рэжым белага спіса.",
    "experimental": "Эксперыментальны",
    "use_saved_key": "Скарыстаць захаваны раней ключ",
-    "parental_control": "Бацькоўскі кантроль"
+    "parental_control": "Бацькоўскі кантроль",
+    "safe_browsing": "Бяспечны інтэрнэт",
+    "served_from_cache": "{{value}} <i>(атрымана з кэша)</i>"
 }
--- a/client/src/__locales/cs.json
+++ b/client/src/__locales/cs.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Neplatná adresa IPv6",
    "form_error_ip_format": "Neplatná adresa IP",
    "form_error_mac_format": "Neplatná adresa MAC",
-    "form_error_client_id_format": "Neplatné ID klienta",
+    "form_error_client_id_format": "ID klienta musí obsahovat pouze čísla, malá písmena a spojovníky",
    "form_error_server_name": "Neplatný název serveru",
    "form_error_subnet": "Podsíť \"{{cidr}}\" neobsahuje IP adresu \"{{ip}}\"",
    "form_error_positive": "Musí být větší než 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Zde je <0>seznam známých poskytovatelů DNS</0>, z nichž si můžete vybrat.",
    "update_now": "Aktualizovat nyní",
    "update_failed": "Automatická aktualizace selhala. Prosím <a>následujte tyto kroky</a> a aktualizujte ručně.",
+    "manual_update": "Prosím <a>následujte tyto kroky</a> a aktualizujte ručně.",
    "processing_update": "Čekejte prosím, AdGuard Home se aktualizuje",
    "clients_title": "Klienti",
    "clients_desc": "Konfigurace zařízení připojených k AdGuard Home",
--- a/client/src/__locales/da.json
+++ b/client/src/__locales/da.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Ugyldig IPv6-adresse",
    "form_error_ip_format": "Ugyldig IP-adresse",
    "form_error_mac_format": "Ugyldig MAC-adresse",
-    "form_error_client_id_format": "Ugyldigt klient-ID",
+    "form_error_client_id_format": "Klient-ID må kun indeholde cifre, minuskler og bindestreger",
    "form_error_server_name": "Ugyldigt servernavn",
    "form_error_subnet": "Subnet \"{{cidr}}\" indeholder ikke IP-adressen \"{{ip}}\"",
    "form_error_positive": "Skal være større end 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Her er en <0>liste over kendte DNS-udbydere</ 0> at vælge imellem.",
    "update_now": "Opdatér nu",
    "update_failed": "Autoopdatering mislykkedes. Følg <a>disse trin</a> for at opdatere manuelt.",
+    "manual_update": "<a>Følg disse trin</a> for at opdatere manuelt.",
    "processing_update": "Vent venligst, AdGuard Home bliver opdateret",
    "clients_title": "Klienter",
    "clients_desc": "Opsæt enheder forbundet til AdGuard Home",
--- a/client/src/__locales/de.json
+++ b/client/src/__locales/de.json
@@ -6,7 +6,7 @@
    "parallel_requests": "Paralleles Abfragen",
    "load_balancing": "Lastverteilung",
    "load_balancing_desc": "Einen Server nach dem anderen abfragen. AdGuard Home verwendet den gewichteten Zufallsalgorithmus, um den Server so auszuwählen, dass der schnellste Server häufiger verwendet wird.",
-    "bootstrap_dns": "Bootstrap DNS-Server starten",
+    "bootstrap_dns": "Bootstrap DNS-Server",
    "bootstrap_dns_desc": "Bootstrap-DNS-Server werden verwendet, um IP-Adressen der DoH/DoT-Resolver aufzulösen, die Sie als Upstreams angeben.",
    "local_ptr_title": "Private inverse DNS-Server",
    "local_ptr_desc": "Die DNS-Server, die AdGuard Home für lokale PTR-Abfragen verwendet. Diese Server werden verwendet, um die Hostnamen von Clients mit privaten IP-Adressen, z. B. „192.168.12.34“, per inverse DNS-Anfragen aufzulösen. Wenn nicht festgelegt, verwendet AdGuard Home die Adressen der Standard-DNS-Auflöser Ihres Betriebssystems mit Ausnahme der Adressen von AdGuard Home selbst.",
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Ungültige IPv6-Adresse",
    "form_error_ip_format": "Ungültige IP-Adresse",
    "form_error_mac_format": "Ungültige MAC-Adresse",
-    "form_error_client_id_format": "Ungültiges Client-ID",
+    "form_error_client_id_format": "Client-ID muss nur Zahlen, Kleinbuchstaben und Bindestriche enthalten",
    "form_error_server_name": "Ungültiger Servername",
    "form_error_subnet": "Subnetz „{{cidr}}“ enthält nicht die IP-Adresse „{{ip}}“",
    "form_error_positive": "Muss größer als 0 (Null) sein",
@@ -70,9 +70,9 @@
    "dhcp_error": "AdGuard Home konnte nicht ermitteln, ob es einen anderen aktiven DHCP-Server im Netzwerk gibt.",
    "dhcp_static_ip_error": "Um den DHCP-Server nutzen zu können, muss eine statische IP-Adresse festgelegt werden. Es konnte nicht ermittelt werden, ob diese Netzwerkschnittstelle mit statischer IP-Adresse konfiguriert ist. Bitte legen Sie eine statische IP-Adresse manuell fest.",
    "dhcp_dynamic_ip_found": "Ihr System verwendet die dynamische Konfiguration der IP-Adresse für die Schnittstelle <0>{{interfaceName}}</0>. Um den DHCP-Server nutzen zu können, muss eine statische IP-Adresse festgelegt werden. Ihre aktuelle IP-Adresse ist <0>{{ipAddress}}</0>. Diese IP-Adresse wird automatisch als statisch festgelegt, sobald Sie auf die Schaltfläche „DHCP-Server aktivieren“ klicken.",
-    "dhcp_lease_added": "Statischer Zuweisung „{{key}}“ erfolgreich hinzugefügt",
+    "dhcp_lease_added": "Statische Zuweisung „{{key}}“ erfolgreich hinzugefügt",
    "dhcp_lease_deleted": "Statische Zuweisung „{{key}}“ erfolgreich entfernt",
-    "dhcp_new_static_lease": "Neuer statischer Zuweisung",
+    "dhcp_new_static_lease": "Neue statische Zuweisung",
    "dhcp_static_leases_not_found": "Keine statischen DHCP-Zuweisungen gefunden",
    "dhcp_add_static_lease": "Statische Zuweisung hinzufügen",
    "dhcp_reset_leases": "Alle Zuweisungen zurücksetzen",
@@ -133,8 +133,8 @@
    "number_of_dns_query_blocked_24_hours": "Anzahl der durch Werbefilter und Host-Sperrlisten abgelehnte DNS-Anfragen",
    "number_of_dns_query_blocked_24_hours_by_sec": "Anzahl der durch das AdGuard-Modul „Internetsicherheit“ gesperrten DNS-Anfragen",
    "number_of_dns_query_blocked_24_hours_adult": "Anzahl der gesperrten Websites mit jugendgefährdenden Inhalten",
-    "enforced_save_search": "SafeSearch erzwungen",
-    "number_of_dns_query_to_safe_search": "Anzahl der DNS-Anfragen bei denen SafeSearch für Suchanfragen erzwungen wurde",
+    "enforced_save_search": "Sichere Suche erzwungen",
+    "number_of_dns_query_to_safe_search": "Anzahl der DNS-Anfragen bei denen Sichere Suche für Suchanfragen erzwungen wurde",
    "average_processing_time": "Durchschnittliche Bearbeitungsdauer",
    "average_processing_time_hint": "Durchschnittliche Zeit in Millisekunden zur Bearbeitung von DNS-Anfragen",
    "block_domain_use_filters_and_hosts": "Domains durch Filter und Host-Dateien sperren",
@@ -143,8 +143,8 @@
    "use_adguard_browsing_sec_hint": "AdGuard Home prüft, ob die Domain durch den Webdienst für Internetsicherheit auf eine Sperrliste gesetzt wurde. Es verwendet eine datenschutzfreundliche Lookup-API, um die Prüfung durchzuführen: Nur ein kurzes Präfix des Domänennamens SHA256-Hash wird an den Server gesendet.",
    "use_adguard_parental": "AdGuard Webservice für Kindersicherung verwenden",
    "use_adguard_parental_hint": "AdGuard Home wird prüfen, ob die Domain jugendgefährdende Inhalte enthält. Zum Schutz Ihrer Privatsphäre wird die selbe API wie für den Webservice für Internetsicherheit verwendet.",
-    "enforce_safe_search": "SafeSearch erzwingen",
-    "enforce_save_search_hint": "AdGuard kann SafeSearch für folgende Suchmaschinen erzwingen: Google, YouTube, Bing, DuckDuckGo, Yandex und Pixabay.",
+    "enforce_safe_search": "Sichere Suche verwenden",
+    "enforce_save_search_hint": "AdGuard kann Sichere Suche für folgende Suchmaschinen erzwingen: Google, YouTube, Bing, DuckDuckGo, Yandex und Pixabay.",
    "no_servers_specified": "Keine Server festgelegt",
    "general_settings": "Allgemeine Einstellungen",
    "dns_settings": "DNS-Einstellungen",
@@ -167,8 +167,8 @@
    "enabled_safe_browsing_toast": "Internetsicherheit aktiviert",
    "disabled_parental_toast": "Kindersicherung deaktiviert",
    "enabled_parental_toast": "Kindersicherung aktiviert",
-    "disabled_safe_search_toast": "SafeSearch deaktiviert",
-    "enabled_save_search_toast": "SafeSearch aktiviert",
+    "disabled_safe_search_toast": "Sichere Suche deaktiviert",
+    "enabled_save_search_toast": "Sichere Suche aktiviert",
    "enabled_table_header": "Aktiviert",
    "name_table_header": "Name",
    "list_url_table_header": "Adressliste",
@@ -403,6 +403,7 @@
    "dns_providers": "Hier finden Sie eine <0>Liste der bekannten DNS-Anbieter</0> zur Auswahl.",
    "update_now": "Jetzt aktualisieren",
    "update_failed": "Das automatische Aktualisieren ist fehlgeschlagen. Bitte <a>folgen Sie den Schritten</a>, um manuell zu aktualisieren.",
+    "manual_update": "Bitte <a>befolgen Sie diese Schritte</a>, um manuell zu aktualisieren.",
    "processing_update": "Bitte warten Sie, AdGuard Home wird aktualisiert …",
    "clients_title": "Clients",
    "clients_desc": "Geräte einrichten, die mit AdGuard Home verbunden sind",
@@ -626,6 +627,6 @@
    "experimental": "Experimentell",
    "use_saved_key": "Zuvor gespeicherten Schlüssel verwenden",
    "parental_control": "Kindersicherung",
-    "safe_browsing": "Sicheres Surfen",
+    "safe_browsing": "Internetsicherheit",
    "served_from_cache": "{{value}} <i>(aus dem Zwischenspeicher abgerufen)</i>"
 }
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Invalid IPv6 address",
    "form_error_ip_format": "Invalid IP address",
    "form_error_mac_format": "Invalid MAC address",
-    "form_error_client_id_format": "Invalid client ID",
+    "form_error_client_id_format": "Client ID must contain only numbers, lowercase letters, and hyphens",
    "form_error_server_name": "Invalid server name",
    "form_error_subnet": "Subnet \"{{cidr}}\" does not contain the IP address \"{{ip}}\"",
    "form_error_positive": "Must be greater than 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Here is a <0>list of known DNS providers</0> to choose from.",
    "update_now": "Update now",
    "update_failed": "Auto-update failed. Please <a>follow these steps</a> to update manually.",
+    "manual_update": "Please <a>follow these steps</a> to update manually.",
    "processing_update": "Please wait, AdGuard Home is being updated",
    "clients_title": "Clients",
    "clients_desc": "Configure devices connected to AdGuard Home",
--- a/client/src/__locales/es.json
+++ b/client/src/__locales/es.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Dirección IPv6 no válida",
    "form_error_ip_format": "Dirección IP no válida",
    "form_error_mac_format": "Dirección MAC no válida",
-    "form_error_client_id_format": "ID de cliente no válido",
+    "form_error_client_id_format": "El ID de cliente debe contener solo números, letras minúsculas y guiones",
    "form_error_server_name": "Nombre de servidor no válido",
    "form_error_subnet": "La subred \"{{cidr}}\" no contiene la dirección IP \"{{ip}}\"",
    "form_error_positive": "Debe ser mayor que 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Aquí hay una <0>lista de proveedores DNS</0> conocidos para elegir.",
    "update_now": "Actualizar ahora",
    "update_failed": "Error en la actualización automática. Por favor <a>sigue estos pasos</a> para actualizar manualmente.",
+    "manual_update": "Por favor <a>sigue estos pasos</a> para actualizar manualmente.",
    "processing_update": "Por favor espera, AdGuard Home se está actualizando",
    "clients_title": "Clientes",
    "clients_desc": "Configurar dispositivos conectados con AdGuard Home",
--- a/client/src/__locales/fa.json
+++ b/client/src/__locales/fa.json
@@ -17,7 +17,7 @@
    "form_error_required": "فیلد مورد نیاز",
    "form_error_ip4_format": "فرمت نامعتبر IPv4",
    "form_error_ip6_format": "فرمت نامعتبر IPv6",
-    "form_error_ip_format": "فرمت IPv4 نامعتبر است",
+    "form_error_ip_format": "آدرس آی پی نامعتبر است",
    "form_error_mac_format": "فرمت مَک نامعتبر است",
    "form_error_client_id_format": "فرمت شناسه کلاینت نامعتبر است",
    "form_error_positive": "باید بزرگتر از 0 باشد",
@@ -313,7 +313,7 @@
    "fix": "تعمیر",
    "dns_providers": "در اینجا یک <0>لیست از سرویس های ارائه دهنده DNS</0> برای انتخاب هست.",
    "update_now": "حالا بروز رسانی",
-    "update_failed": "بروز رسانی خودکار موفق نشد. لطفا <a href='https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#update'>مراحل را دنبال کرده</a> تا بطور دستی بروز رسانی کنید.",
+    "update_failed": "بروز رسانی خودکار موفق نشد. لطفا <a>مراحل را دنبال کرده</a> تا بطور دستی بروز رسانی کنید.",
    "processing_update": "منتظر بمانید،AdGuard Home در حال بروز رسانی است",
    "clients_title": "کلاینت ها",
    "clients_desc": "پیکربندی دستگاه های متصل شده به AdGuard Home",
--- a/client/src/__locales/fi.json
+++ b/client/src/__locales/fi.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Virheellinen IPv6-osoite",
    "form_error_ip_format": "Virheellinen IP-osoite",
    "form_error_mac_format": "Virheellinen MAC-osoite",
-    "form_error_client_id_format": "Virheellinen päätelaitteen ID",
+    "form_error_client_id_format": "Päätelaitteen tunniste voi sisältää ainoastaan numeroita, pieniä kirjaimia sekä yhdysviivoja",
    "form_error_server_name": "Virheellinen palvelimen nimi",
    "form_error_subnet": "Aliverkko \"{{cidr}}\" ei sisällä IP-osoitetta \"{{ip}}\"",
    "form_error_positive": "Oltava suurempi kuin 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Katso <0>luettelo tunnetuista DNS-palveluista</0>, joista valita.",
    "update_now": "Päivitä nyt",
    "update_failed": "Automaattinen päivitys epäonnistui. Seuraa <a>näitä ohjeita</a> päivittääksesi manuaalisesti.",
+    "manual_update": "Seuraa <a>näitä ohjeita</a> päivittääksesi manuaalisesti.",
    "processing_update": "Odota kun AdGuard Home päivittyy",
    "clients_title": "Päätelaitteet",
    "clients_desc": "Määritä AdGuard Homeen yhdistetyt päätelaitteet",
@@ -603,9 +604,9 @@
    "enter_cache_size": "Syötä välimuistin koko (tavuina)",
    "enter_cache_ttl_min_override": "Syötä vähimmäis-TTL (sekunteina)",
    "enter_cache_ttl_max_override": "Syötä enimmäis-TTL (sekunteina)",
-    "cache_ttl_min_override_desc": "Pidennä ylävirran palvelimelta vastaanotettuja, lyhyitä time-to-live -arvoja (sekunteina) tallennettaessa DNS-vastauksia välimuistiin.",
-    "cache_ttl_max_override_desc": "Määritä DNS-välimuistin kohteiden suurin time-to-live -arvo (sekunteina)",
-    "ttl_cache_validation": "Välimuistin TTL-vähimmäisarvon tulee olla pienempi tai sama kuin enimmäisarvon",
+    "cache_ttl_min_override_desc": "Pidennä ylävirran palvelimelta vastaanotettuja, lyhyitä elinaika-arvoja (sekunteina) tallennettaessa DNS-vastauksia välimuistiin.",
+    "cache_ttl_max_override_desc": "Määritä DNS-välimuistin kohteiden suurin elinaika-arvo (sekunteina)",
+    "ttl_cache_validation": "Välimuistin elinajan vähimmäisarvon tulee olla pienempi tai sama kuin enimmäisarvon",
    "cache_optimistic": "Optimistinen välimuisti",
    "cache_optimistic_desc": "Pakota AdGuard Home vastaamaan välimuistista vaikka sen tiedot olisivat vanhentuneet. Pyri samalla myös päivittämään tiedot.",
    "filter_category_general": "Yleiset",
--- a/client/src/__locales/fr.json
+++ b/client/src/__locales/fr.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Adresse IPv6 invalide",
    "form_error_ip_format": "Adresse IP invalide",
    "form_error_mac_format": "Adresse MAC invalide",
-    "form_error_client_id_format": "Identifiant de client invalide",
+    "form_error_client_id_format": "L'ID du client ne doit contenir que des chiffres, des lettres minuscules et des traits d'union.",
    "form_error_server_name": "Nom de serveur invalide",
    "form_error_subnet": "Le sous-réseau « {{cidr}} » ne contient pas l'adresse IP « {{ip}} »",
    "form_error_positive": "Doit être supérieur à 0",
@@ -163,8 +163,8 @@
    "apply_btn": "Appliquer",
    "disabled_filtering_toast": "Filtrage désactivé",
    "enabled_filtering_toast": "Filtrage activé",
-    "disabled_safe_browsing_toast": "Surfing sécurisé désactivé",
-    "enabled_safe_browsing_toast": "Surfing sécurisé activé",
+    "disabled_safe_browsing_toast": "Navigation sécurisée désactivée",
+    "enabled_safe_browsing_toast": "Navigation sécurisée activée",
    "disabled_parental_toast": "Contrôle parental désactivé",
    "enabled_parental_toast": "Contrôle parental activé",
    "disabled_safe_search_toast": "Recherche sécurisée désactivée",
@@ -402,7 +402,8 @@
    "fix": "Corriger",
    "dns_providers": "Voici une <0>liste de fournisseurs DNS connus</0>.",
    "update_now": "Mettre à jour maintenant",
-    "update_failed": "Échec de la mise à jour automatique. Veuillez <a href='https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#update'>suivre ces étapes</a> pour mettre à jour manuellement.",
+    "update_failed": "Échec de la mise à jour automatique. Veuillez <a>suivre ces étapes</a> pour mettre à jour manuellement.",
+    "manual_update": "Veuillez <a>suivre ces étapes</a> pour mettre à jour manuellement.",
    "processing_update": "Veuillez patienter, AdGuard Home est en cours de mise à jour",
    "clients_title": "Clients",
    "clients_desc": "Configurer les appareils connectés à AdGuard Home",
--- a/client/src/__locales/hr.json
+++ b/client/src/__locales/hr.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Nevažeći IPv6 format",
    "form_error_ip_format": "Nevažeći format IP adrese",
    "form_error_mac_format": "Nevažeći MAC format",
-    "form_error_client_id_format": "Nevažeći format ID-a klijenta",
+    "form_error_client_id_format": "ID klijenta može sadržavati samo brojeve, mala slova i crtice",
    "form_error_server_name": "Nevažeće ime poslužitelja",
    "form_error_subnet": "Podmrežu \"{{cidr}}\" ne sadrži IP adresu \"{{ip}}\"",
    "form_error_positive": "Mora biti veće od 0",
@@ -163,8 +163,8 @@
    "apply_btn": "Primijeni",
    "disabled_filtering_toast": "Onemogućeno filtriranje",
    "enabled_filtering_toast": "Omogućeno filtriranje",
-    "disabled_safe_browsing_toast": "Onemogućena sigurna pretraga",
-    "enabled_safe_browsing_toast": "Omogućena sigurna pretraga",
+    "disabled_safe_browsing_toast": "Onemogućena Sigurna pretraga",
+    "enabled_safe_browsing_toast": "Omogućena Sigurna pretraga",
    "disabled_parental_toast": "Onemogućen roditeljski nadzor",
    "enabled_parental_toast": "Omogućen roditeljski nadzor",
    "disabled_safe_search_toast": "Onemogućeno sigurno pretraživanje",
@@ -588,7 +588,7 @@
    "show_whitelisted_responses": "Na popisu dopuštenih",
    "show_processed_responses": "Obrađeno",
    "blocked_safebrowsing": "Blokirano s Sigurnom pretragom",
-    "blocked_adult_websites": "Blokirala roditeljska zaštita",
+    "blocked_adult_websites": "Blokirano Roditeljskom kontrolom",
    "blocked_threats": "Blokirane prijetnje",
    "allowed": "Dopušteno",
    "filtered": "Filtrirano",
--- a/client/src/__locales/hu.json
+++ b/client/src/__locales/hu.json
@@ -36,14 +36,23 @@
    "dhcp_ipv4_settings": "DHCP IPv4 Beállítások",
    "dhcp_ipv6_settings": "DHCP IPv6 Beállítások",
    "form_error_required": "Kötelező mező",
-    "form_error_ip4_format": "Érvénytelen IPv4 formátum",
-    "form_error_ip6_format": "Érvénytelen IPv6 formátum",
+    "form_error_ip4_format": "Érvénytelen IPv4 cím",
+    "form_error_ip4_range_start_format": "Érvénytelen IPv4-cím a tartomány kezdetéhez",
+    "form_error_ip4_range_end_format": "Érvénytelen IPv4-cím a tartomány végén",
+    "form_error_ip4_gateway_format": "Érvénytelen IPv4-cím az átjáró",
+    "form_error_ip6_format": "Érvénytelen IPv6 cím",
    "form_error_ip_format": "Érvénytelen IP-cím",
-    "form_error_mac_format": "Érvénytelen MAC formátum",
-    "form_error_client_id_format": "Érvénytelen kliens ID formátum",
+    "form_error_mac_format": "Érvénytelen MAC cím",
+    "form_error_client_id_format": "Az ügyfél-azonosító csak számokat, kisbetűket és kötőjeleket tartalmazhat",
    "form_error_server_name": "Érvénytelen szervernév",
    "form_error_subnet": "A(z) \"{{cidr}}\" alhálózat nem tartalmazza a(z) \"{{ip}}\" IP címet",
    "form_error_positive": "0-nál nagyobbnak kell lennie",
+    "out_of_range_error": "A tartományon kívül legyen \"{{start}}\"-\"{{end}}\"",
+    "lower_range_start_error": "Kisebb legyen, mint a tartomány kezdete",
+    "greater_range_start_error": "Nagyobbbb legyen, mint a tartomány kezdete",
+    "greater_range_end_error": "Nagyobb legyen, mint a tartomány vége",
+    "subnet_error": "A címeknek egy alhálózatban kell lenniük",
+    "gateway_or_subnet_invalid": "Az alhálózati maszk érvénytelen",
    "dhcp_form_gateway_input": "Átjáró IP",
    "dhcp_form_subnet_input": "Alhálózati maszk",
    "dhcp_form_range_title": "IP-címek tartománya",
@@ -191,6 +200,7 @@
    "form_error_url_or_path_format": "Helytelen URL vagy elérési út a listához",
    "custom_filter_rules": "Egyéni szűrési szabályok",
    "custom_filter_rules_hint": "Adjon meg egy szabályt egy sorban. Használhat egyszerű hirdetésblokkolási szabályokat vagy hosztfájl szintaxist.",
+    "system_host_files": "Rendszer hosztfájlok",
    "examples_title": "Példák",
    "example_meaning_filter_block": "letiltja a hozzáférést az example.org domainhez, valamint annak az összes aldomainjéhez is",
    "example_meaning_filter_whitelist": "feloldja a hozzáférést az example.org domainhez, valamint annak az összes aldomainjéhez is",
@@ -577,7 +587,7 @@
    "show_blocked_responses": "Blokkolva",
    "show_whitelisted_responses": "Kivételezett",
    "show_processed_responses": "Feldolgozva",
-    "blocked_safebrowsing": "Blokkolva a biztonságos böngészés által",
+    "blocked_safebrowsing": "Blokkolva a Biztonságos böngészés által",
    "blocked_adult_websites": "Szülői felügyelet által blokkolva",
    "blocked_threats": "Blokkolt fenyegetések",
    "allowed": "Engedve",
@@ -611,7 +621,11 @@
    "click_to_view_queries": "Kattintson a lekérésekért",
    "port_53_faq_link": "Az 53-as portot gyakran a \"DNSStubListener\" vagy a \"systemd-resolved\" (rendszer által feloldott) szolgáltatások használják. Kérjük, olvassa el <0>ezt az útmutatót</0> a probléma megoldásához.",
    "adg_will_drop_dns_queries": "Az AdGuard Home eldobja az összes DNS kérést erről a kliensről.",
+    "filter_allowlist": "FIGYELMEZTETÉS: Ez a művelet a \"{{disallowed_rule}}\" szabályt is kizárja az engedélyezett ügyfelek listájából.",
+    "last_rule_in_allowlist": "Nem lehet letiltani ezt az ügyfelet, mert a \"{{disallowed_rule}}\" szabály kizárása letiltja az \"Allowed clients\" listát.",
    "experimental": "Kísérleti",
    "use_saved_key": "Előzőleg mentett kulcs használata",
-    "parental_control": "Szülői felügyelet"
+    "parental_control": "Szülői felügyelet",
+    "safe_browsing": "Biztonságos böngészés",
+    "served_from_cache": "{{value}} <i>(gyorsítótárból kiszolgálva)</i>"
 }
--- a/client/src/__locales/id.json
+++ b/client/src/__locales/id.json
@@ -36,10 +36,23 @@
    "dhcp_ipv4_settings": "Pengaturan DHCP IPv4",
    "dhcp_ipv6_settings": "Pengaturan DHCP IPv6",
    "form_error_required": "Kolom yang harus diisi",
-    "form_error_ip_format": "Alamat IP salah",
+    "form_error_ip4_format": "Alamat IPv4 tidak valid",
+    "form_error_ip4_range_start_format": "Alamat IPv4 tidak valid dari rentang awal",
+    "form_error_ip4_range_end_format": "Alamat IPv4 tidak valid dari rentang akhir",
+    "form_error_ip4_gateway_format": "Alamat IPv4 gateway tidak valid",
+    "form_error_ip6_format": "Alamat IPv6 tidak valid",
+    "form_error_ip_format": "Alamat IP tidak valid",
+    "form_error_mac_format": "Alamat MAC tidak valid",
+    "form_error_client_id_format": "ID Klien hanya boleh berisi angka, huruf kecil, dan tanda hubung",
    "form_error_server_name": "Nama server tidak valid",
    "form_error_subnet": "Subnet \"{{cidr}}\" tidak berisi alamat IP \"{{ip}}\"",
    "form_error_positive": "Harus lebih dari 0",
+    "out_of_range_error": "Harus di luar rentang \"{{start}}\"-\"{{end}}\"",
+    "lower_range_start_error": "Harus lebih rendah dari rentang awal",
+    "greater_range_start_error": "Harus lebih besar dari rentang awal",
+    "greater_range_end_error": "Harus lebih besar dari rentang akhir",
+    "subnet_error": "Alamat harus dalam satu subnet",
+    "gateway_or_subnet_invalid": "Subnet mask tidak valid",
    "dhcp_form_gateway_input": "IP gateway",
    "dhcp_form_subnet_input": "Subnet mask",
    "dhcp_form_range_title": "Rentang alamat IP",
@@ -150,8 +163,8 @@
    "apply_btn": "Terapkan",
    "disabled_filtering_toast": "Penyaringan nonaktif",
    "enabled_filtering_toast": "Penyaringan aktif",
-    "disabled_safe_browsing_toast": "Penelusuran aman dinonaktifkan",
-    "enabled_safe_browsing_toast": "Penelusuran aman diaktifkan",
+    "disabled_safe_browsing_toast": "Penjelajahan Aman dinonaktifkan",
+    "enabled_safe_browsing_toast": "Penjelajahan Aman Diaktifkan",
    "disabled_parental_toast": "Kontrol orang tua dinonaktifkan",
    "enabled_parental_toast": "Kontrol orang tua diaktifkan",
    "disabled_safe_search_toast": "Pencarian aman dinonaktifkan",
@@ -187,6 +200,7 @@
    "form_error_url_or_path_format": "URL atau jalur absolut dari daftar tidak valid",
    "custom_filter_rules": "Aturan penyaringan khusus",
    "custom_filter_rules_hint": "Masukkan satu aturan dalam sebuah baris. Anda dapat menggunakan baik aturan adblock maupun sintaks file hosts.",
+    "system_host_files": "File host sistem",
    "examples_title": "Contoh",
    "example_meaning_filter_block": "Blokir akses ke example.org dan seluruh subdomainnya",
    "example_meaning_filter_whitelist": "Buka blokir akses ke domain example.orf dan seluruh subdomainnya",
@@ -202,6 +216,7 @@
    "example_upstream_sdns": "anda bisa menggunakan <0>Stempel DNS</0> untuk <1>DNSCrypt</1> atau pengarah <2>DNS-over-HTTPS</2>",
    "example_upstream_tcp": "DNS reguler (melalui TCP)",
    "all_lists_up_to_date_toast": "Semua daftar sudah diperbarui",
+    "updated_upstream_dns_toast": "Server upstream berhasil disimpan",
    "dns_test_ok_toast": "Server DNS yang ditentukan bekerja dengan benar",
    "dns_test_not_ok_toast": "Server \"{{key}}\": tidak dapat digunakan, mohon cek bahwa Anda telah menulisnya dengan benar",
    "unblock": "Buka Blokir",
@@ -299,6 +314,7 @@
    "install_settings_dns_desc": "Anda perlu mengkonfigurasi perangkat atau router anda untuk menggunakan server DNS berikut ini",
    "install_settings_all_interfaces": "Semua antarmuka",
    "install_auth_title": "Otentikasi",
+    "install_auth_desc": "Otentikasi kata sandi ke antarmuka web admin AdGuard Home Anda harus dikonfigurasi. Meskipun AdGuard Home hanya dapat diakses di jaringan lokal Anda, tetap penting untuk melindunginya dari akses tak terbatas.",
    "install_auth_username": "Nama Pengguna",
    "install_auth_password": "Kata Sandi",
    "install_auth_confirm": "Konfirmasi kata sandi",
@@ -495,6 +511,7 @@
    "statistics_clear_confirm": "Apakah Anda yakin ingin menghapus statistik?",
    "statistics_retention_confirm": "Apakah Anda yakin ingin mengubah retensi statistik? Jika Anda menurunkan nilai interval, beberapa data akan hilang",
    "statistics_cleared": "Statistik berhasil dihapus",
+    "statistics_enable": "Aktifkan statistik",
    "interval_hours": "{{count}} jam",
    "interval_hours_plural": "{{count}} jam",
    "filters_configuration": "Konfigurasi filter",
@@ -570,7 +587,7 @@
    "show_blocked_responses": "Diblokir",
    "show_whitelisted_responses": "Dalam Daftar Putih",
    "show_processed_responses": "Terproses",
-    "blocked_safebrowsing": "Terblokir oleh Safebrowsing",
+    "blocked_safebrowsing": "Diblokir oleh Penjelajahan Aman",
    "blocked_adult_websites": "Diblok oleh Kontrol Orang tua",
    "blocked_threats": "Blokir Ancaman",
    "allowed": "Dibolehkan",
@@ -604,7 +621,11 @@
    "click_to_view_queries": "Klik untuk lihat permintaan",
    "port_53_faq_link": "Port 53 sering ditempati oleh layanan \"DNSStubListener\" atau \"systemd-resolved\". Silakan baca <0>instruksi ini</0> tentang cara menyelesaikan ini.",
    "adg_will_drop_dns_queries": "AdGuard Home akan menghapus semua permintaan DNS dari klien ini.",
+    "filter_allowlist": "PERINGATAN: Tindakan ini juga akan mengecualikan aturan \"{{disallowed_rule}}\" dari daftar klien yang diizinkan.",
+    "last_rule_in_allowlist": "Tidak dapat melarang klien ini karena mengecualikan aturan \"{{disallowed_rule}}\" akan MENONAKTIFKAN daftar \"Klien yang diizinkan\".",
    "experimental": "Eksperimental",
    "use_saved_key": "Gunakan kunci yang disimpan sebelumnya",
-    "parental_control": "Kontrol Orang Tua"
+    "parental_control": "Kontrol Orang Tua",
+    "safe_browsing": "Penjelajahan Aman",
+    "served_from_cache": "{{value}} <i>(disajikan dari cache)</i>"
 }
--- a/client/src/__locales/it.json
+++ b/client/src/__locales/it.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Indirizzo IPv6 non valido",
    "form_error_ip_format": "Indirizzo IP non valido",
    "form_error_mac_format": "Indirizzo MAC non valido",
-    "form_error_client_id_format": "ID cliente non valido",
+    "form_error_client_id_format": "Il client ID deve contenere solo numeri, lettere minuscole e trattini",
    "form_error_server_name": "Nome server non valido",
    "form_error_subnet": "La subnet \"{{cidr}}\" non contiene l'indirizzo IP \"{{ip}}\"",
    "form_error_positive": "Deve essere maggiore di 0",
@@ -295,16 +295,16 @@
    "blocking_mode_null_ip": "IP nullo: Rispondi con indirizzo IP zero (0.0.0.0 per A; :: per AAAA)",
    "blocking_mode_custom_ip": "IP personalizzato: Rispondi con un indirizzo IP impostato manualmente",
    "upstream_dns_client_desc": "Se lasci questo spazio vuoto, AdGuard Home utilizzerà i server configurati nelle <0>impostazioni DNS</0>.",
-    "tracker_source": "Origine tracciante",
+    "tracker_source": "Origine del tracciatore",
    "source_label": "Fonte",
-    "found_in_known_domain_db": "Trovato nel database dei domini conosciuti.",
+    "found_in_known_domain_db": "Trovato nel database dei domini noti.",
    "category_label": "Categoria",
    "rule_label": "Regola(e)",
    "list_label": "Elenco",
    "unknown_filter": "Filtro sconosciuto {{filterId}}",
-    "known_tracker": "Tracciante noto",
+    "known_tracker": "Tracciatore noto",
    "install_welcome_title": "Benvenuto nella Home di AdGuard!",
-    "install_welcome_desc": "AdGuard Home è un server DNS che blocca annunci e traccianti in tutta la rete. Il suo scopo è quello di consentire di controllare l'intera rete e tutti i dispositivi, e non richiede l'utilizzo di un programma sul lato client.",
+    "install_welcome_desc": "AdGuard Home è un server DNS che blocca annunci e tracciatori a livello di rete. Il suo scopo è quello di permetterti il controllo dell'intera rete e di tutti i dispositivi, e non richiede l'utilizzo di un programma lato client.",
    "install_settings_title": "Interfaccia Web dell'Admin",
    "install_settings_listen": "Interfaccia d'ascolto",
    "install_settings_port": "Porta",
@@ -400,9 +400,10 @@
    "dns_status_error": "Errore nel recupero dello stato del server DNS",
    "down": "Spenta",
    "fix": "Risolvi",
-    "dns_providers": "Qui c'è un <0>elenco di fornitori DNS conosciuti</0> da cui scegliere.",
+    "dns_providers": "Qui c'è un <0>elenco di fornitori DNS noti</0> da cui scegliere.",
    "update_now": "Aggiorna ora",
    "update_failed": "Aggiornamento automatico non riuscito. Ti suggeriamo di <a>seguire questi passaggi</a> per aggiornare manualmente.",
+    "manual_update": "Ti invitiamo a <a>seguire questi passaggi</a> per aggiornare manualmente.",
    "processing_update": "Perfavore aspetta, AdGuard Home si sta aggiornando",
    "clients_title": "Client",
    "clients_desc": "Configura i dispositivi connessi ad AdGuard Home",
@@ -612,9 +613,9 @@
    "filter_category_security": "Sicurezza",
    "filter_category_regional": "Regionale",
    "filter_category_other": "Altro",
-    "filter_category_general_desc": "Elenchi per il blocco dei traccianti e degli annunci sulla maggioranza dei dispositivi",
+    "filter_category_general_desc": "Elenchi per il blocco dei tracciatori e degli annunci sulla maggioranza dei dispositivi",
    "filter_category_security_desc": "Elenchi progettati specificamente per bloccare domini malevoli, di phishing o truffa",
-    "filter_category_regional_desc": "Elenchi focalizzati su annunci regionali e server traccianti",
+    "filter_category_regional_desc": "Elenchi focalizzati su annunci regionali e server tracciatori",
    "filter_category_other_desc": "Altre liste nere",
    "setup_config_to_enable_dhcp_server": "Configurazione dell'installazione per l'attivazione del server DHCP",
    "original_response": "Responso originale",
--- a/client/src/__locales/ja.json
+++ b/client/src/__locales/ja.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "IPv6アドレスが無効です",
    "form_error_ip_format": "IPアドレスが無効です",
    "form_error_mac_format": "MACアドレスが無効です",
-    "form_error_client_id_format": "クライアントIDが無効です",
+    "form_error_client_id_format": "クライアントIDには、数字、小文字、ハイフンのみが使われている必要があります",
    "form_error_server_name": "サーバ名が無効です",
    "form_error_subnet": "IPアドレス「{{ip}}」はサブネット「{{cidr}}」に含まれていません",
    "form_error_positive": "0より大きい必要があります",
@@ -403,6 +403,7 @@
    "dns_providers": "こちらは、選択可能な<0>既知のDNSプロバイダの一覧</0>です。",
    "update_now": "今すぐ更新する",
    "update_failed": "自動更新に失敗しました。手動で更新するには、<a>手順に従って</a>ください。",
+    "manual_update": "手動でアップデートするには、<a>こちらの手順</a>を使ってください。",
    "processing_update": "AdGuard Homeを更新しています。しばらくお待ちください",
    "clients_title": "クライアント",
    "clients_desc": "AdGuard Homeに接続されているデバイスを設定します",
@@ -587,8 +588,8 @@
    "show_blocked_responses": "ブロック済",
    "show_whitelisted_responses": "ホワイトリストにあり",
    "show_processed_responses": "処理済",
-    "blocked_safebrowsing": "ブロックされたセーフブラウジング",
-    "blocked_adult_websites": "ペアレンタルコントロールによってブロックされました",
+    "blocked_safebrowsing": "セーフブラウジングによってブロック済み",
+    "blocked_adult_websites": "ペアレンタルコントロールによってブロック済み",
    "blocked_threats": "ブロックされた脅威",
    "allowed": "許可",
    "filtered": "フィルタで処理",
--- a/client/src/__locales/ko.json
+++ b/client/src/__locales/ko.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "잘못된 IPv6 형식",
    "form_error_ip_format": "잘못된 IP 형식",
    "form_error_mac_format": "잘못된 MAC 형식",
-    "form_error_client_id_format": "잘못된 클라이언트 ID 형식",
+    "form_error_client_id_format": "클라이언트 ID는 숫자, 소문자 및 하이픈만 포함해야 합니다",
    "form_error_server_name": "유효하지 않은 서버 이름입니다",
    "form_error_subnet": "서브넷 \"{{cidr}}\"에 \"{{ip}}\" IP 주소가 없습니다",
    "form_error_positive": "0보다 커야 합니다",
@@ -403,6 +403,7 @@
    "dns_providers": "다음은 선택할 수 있는 <0>알려진 DNS 공급자 목록</0>입니다.",
    "update_now": "지금 업데이트",
    "update_failed": "자동 업데이트 실패 되었습니다. <a> 단계를 따라 수동으로 업데이트하세요</a>",
+    "manual_update": "<a>절차를 따라</a> 수동으로 업데이트하십시오.",
    "processing_update": "잠시만 기다려주세요, AdGuard Home가 업데이트 중입니다.",
    "clients_title": "클라이언트",
    "clients_desc": "AdGuard Home에 연결할 기기들을 설정",
@@ -587,8 +588,8 @@
    "show_blocked_responses": "차단됨",
    "show_whitelisted_responses": "예외 적용됨",
    "show_processed_responses": "처리됨",
-    "blocked_safebrowsing": "차단된 세이프 브라우징",
-    "blocked_adult_websites": "자녀 보호로 차단됨",
+    "blocked_safebrowsing": "세이프 브라우징에 의해 차단됨",
+    "blocked_adult_websites": "자녀 보호에 의해 차단됨",
    "blocked_threats": "차단된 위협",
    "allowed": "허용됨",
    "filtered": "필터링됨",
@@ -626,6 +627,6 @@
    "experimental": "실험",
    "use_saved_key": "이전에 저장했던 키 사용하기",
    "parental_control": "자녀 보호",
-    "safe_browsing": "안전한 브라우징",
+    "safe_browsing": "세이프 브라우징",
    "served_from_cache": "{{value}} <i>(캐시에서 제공)</i>"
 }
--- a/client/src/__locales/nl.json
+++ b/client/src/__locales/nl.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Ongeldig IPv6-adres",
    "form_error_ip_format": "Ongeldig IP-adres",
    "form_error_mac_format": "Ongeldig MAC-adres",
-    "form_error_client_id_format": "Ongeldige cliënt-ID",
+    "form_error_client_id_format": "Client-ID mag alleen cijfers, kleine letters en koppeltekens bevatten",
    "form_error_server_name": "Ongeldige servernaam",
    "form_error_subnet": "Subnet “{{cidr}}” bevat niet het IP-adres “{{ip}}”",
    "form_error_positive": "Moet groter zijn dan 0",
@@ -403,6 +403,7 @@
    "dns_providers": "hier is een <0>lijst of gekende DNS providers</0> waarvan je kan kiezen.",
    "update_now": "Update nu",
    "update_failed": "Automatisch bijwerken is mislukt. <a>Volg deze stappen</a> om handmatig bij te werken.",
+    "manual_update": "<a>Volg deze stappen</a> om handmatig bij te werken.",
    "processing_update": "Even geduld, AdGuard Home wordt bijgewerkt",
    "clients_title": "Gebruikers",
    "clients_desc": "Configureer apparaten die gebruik maken van AdGuard Home",
--- a/client/src/__locales/no.json
+++ b/client/src/__locales/no.json
@@ -1,11 +1,18 @@
 {
    "client_settings": "Klientinnstillinger",
+    "example_upstream_reserved": "Du kan bestemme en oppstrøms-DNS <0>for et spesifikt domene(r)</0>",
+    "example_upstream_comment": "Du kan spesifisere en kommentar",
+    "upstream_parallel": "Bruk parallele forespørsler for å få oppfarten på behandlinger, ved å forespørre til alle oppstrømstjenerne samtidig",
    "parallel_requests": "Parallelle forespørsler",
    "load_balancing": "Pågangstrykk-utjevning",
+    "load_balancing_desc": "Forespør én tjener om gangen. AdGuard Home vil bruke en 'vektlagt tilfeldig valg'-algoritme for å velge tjener, slik at den raskeste tjeneren blir brukt oftere.",
    "bootstrap_dns": "Bootstrap-DNS-tjenere",
    "bootstrap_dns_desc": "Bootstrap-DNS-tjenere brukes til å oppklare IP-adressene til DoH/DoT-oppklarerene som du har valgt som oppstrømstjenere.",
    "local_ptr_title": "Private DNS-tjenere",
+    "local_ptr_desc": "DNS-tjenerne som AdGuard Home bruker for lokale PTR-spørringer. Disse tjenerne brukes til å løse vertsnavnene til klienter med private IP-adresser, for eksempel \"192.168.12.34\", ved bruk av omvendt DNS. Hvis det ikke er angitt, bruker AdGuard Home adressene til standard-DNS-løserne til operativsystemet ditt, bortsett fra adressene til selve AdGuard Home.",
+    "use_private_ptr_resolvers_title": "Bruk private omvendte DNS-løsere",
    "check_dhcp_servers": "Se etter DHCP-tjenere",
+    "save_config": "Lagre oppsettet",
    "enabled_dhcp": "DHCP-tjeneren ble skrudd på",
    "disabled_dhcp": "DHCP-tjeneren ble skrudd av",
    "unavailable_dhcp": "DHCP er utilgjengelig",
@@ -102,6 +109,7 @@
    "use_adguard_parental": "Benytt AdGuard sin foreldrekontroll-nettjeneste",
    "use_adguard_parental_hint": "AdGuard Home vil sjekke om domenet inneholder erotisk materiale. Den benytter den samme privatlivsvennlige API-en som nettlesersikkerhetstjenesten.",
    "enforce_safe_search": "Påtving barnevennlige søk",
+    "enforce_save_search_hint": "AdGuard Home kan fremtvinge \"Safe Search\" i de følgende søkemotorene: Google, YouTube, Bing, DuckDuckGo, Yandex, og Pixabay.",
    "no_servers_specified": "Ingen tjenere er spesifisert",
    "general_settings": "Generelle innstillinger",
    "dns_settings": "DNS-innstillinger",
@@ -113,6 +121,7 @@
    "encryption_settings": "Krypteringsinnstillinger",
    "dhcp_settings": "DHCP-innstillinger",
    "upstream_dns": "Oppstrøms-DNS-tjenere",
+    "upstream_dns_help": "Skriv inn én tjeneradresse per linje. <a>Lær mer</a> om å konfigurere oppstrøms-DNS-tjenere.",
    "upstream_dns_configured_in_file": "Satt opp i {{path}}",
    "test_upstream_btn": "Test oppstrømstilkoblinger",
    "upstreams": "Oppstrømstjenere",
@@ -156,6 +165,7 @@
    "form_error_url_or_path_format": "Listens URL eller fulle filbane er ugyldig",
    "custom_filter_rules": "Selvvalgte filtreringsregler",
    "custom_filter_rules_hint": "Skriv inn én oppføring per linje. Du kan bruke adblock-oppføringer, «hosts»-filsyntaks, eller rå domener.",
+    "system_host_files": "System-'hosts'-filer",
    "examples_title": "Eksempler",
    "example_meaning_filter_block": "blokker tilgang til 'example.org'-domenet og alle dens underdomener",
    "example_meaning_filter_whitelist": "opphev blokkeringen av 'example.org'-domenet og alle dens underdomener",
@@ -308,6 +318,7 @@
    "encryption_desc": "Krypteringsstøtte (HTTPS/TLS) for både DNS og admin-nettgrensesnittet",
    "encryption_server": "Tjenerens navn",
    "encryption_server_enter": "Skriv inn domenenavnet ditt",
+    "encryption_server_desc": "For å kunne bruke HTTPS, må du skrive inn tjenernavnet som samsvarer med ditt SSL-sertifikat eller jokertegnsertifikat. Hvis feltet er tomt, vil den akseptere TLS-tilkoblinger til ethvert domene.",
    "encryption_redirect": "Automatisk omdiriger til HTTPS",
    "encryption_redirect_desc": "Dersom dette er valgt, vil AdGuard Home automatisk omdirigere deg fra HTTP til HTTPS-adresser.",
    "encryption_https": "HTTPS-port",
@@ -339,6 +350,7 @@
    "form_error_password": "Passordet samsvarer ikke",
    "reset_settings": "Tilbakestill innstillinger",
    "update_announcement": "AdGuard Home {{version}} er nå tilgjengelig! <0>Klikk her</0> for mere informasjon.",
+    "setup_guide": "Oppsettsveiledning",
    "dns_addresses": "DNS-adresser",
    "dns_start": "DNS-tjeneren starter opp",
    "dns_status_error": "Feil ved sjekk av DNS-tjenerstatusen",
@@ -360,6 +372,7 @@
    "client_edit": "Rediger klienten",
    "client_identifier": "Identifikator",
    "ip_address": "IP-adresse",
+    "client_identifier_desc": "Klienter kan bli identifisert gjennom IP-adressen, CIDR, MAC-adressen, eller en spesiell klient-ID (kan også brukes for DoT/DoH/DoQ). <0>Her</0> kan du lære mer om å identifisere klienter.",
    "form_enter_ip": "Skriv inn IP",
    "form_enter_mac": "Skriv inn MAC",
    "form_enter_id": "Skriv inn identifikator",
@@ -382,6 +395,7 @@
    "access_disallowed_title": "Klienter som skal avvises",
    "access_disallowed_desc": "En liste over CIDR- eller IP-adresser. Dersom dette er satt opp, vil AdGuard Home avslå forespørsler fra disse IP-adressene.",
    "access_blocked_title": "Blokkerte domener",
+    "access_blocked_desc": "Ikke forveksle dette med filtre. AdGuard Home vil nekte å behandle DNS-forespørsler som har disse domenene, og disse forespørslene dukker ikke engang opp i forespørselsloggen. Du kan spesifisere nøyaktige domene navn, jokertegn, eller URL-filterregler, f.eks. «example.org», «*.example.log» eller «||example.org^» derav.",
    "access_settings_saved": "Tilgangsinnstillingene ble vellykket lagret",
    "updates_checked": "Oppdateringene ble vellykket sett etter",
    "updates_version_equal": "AdGuard Home er fullt oppdatert",
@@ -390,6 +404,7 @@
    "setup_dns_privacy_1": "<0>DNS-over-TLS:</0> Benytt <1>{{address}}</1>-strengen.",
    "setup_dns_privacy_2": "<0>DNS-over-HTTPS:</0> Benytt <1>{{address}}</1>-strengen.",
    "setup_dns_privacy_3": "<0>Her er en liste over programvarer du kan bruke.</0>",
+    "setup_dns_privacy_4": "På en iOS 14 eller macOS Big Sur-enhet kan du laste ned en spesiell '.mobileconfig'-fil som legger til<highlight>DNS-over-HTTPS</highlight>- eller<highlight>DNS-over-TLS</highlight>-tjenere til DNS-innstillingene.",
    "setup_dns_privacy_android_1": "Android 9 har innebygd støtte for DNS-over-TLS. For å sette det opp, gå til Innstillinger → Nettverk og internett → Avansert → Privat DNS, og skriv inn domenenavnet ditt der.",
    "setup_dns_privacy_android_2": "<0>AdGuard for Android</0> støtter <1>DNS-over-HTTPS</1> og <1>DNS-over-TLS</1>.",
    "setup_dns_privacy_android_3": "<0>Intra</0> legger til <1>DNS-over-HTTPS</1>-støtte i Android.",
@@ -449,6 +464,7 @@
    "statistics_clear_confirm": "Er du sikker på at du vil slette statistikkene?",
    "statistics_retention_confirm": "Er du sikker på at du vil endre hvor lenge statistikkene skal beholdes? Hvis du reduserer den interne verdien, vil noe av dataene gå tapt",
    "statistics_cleared": "Statistikkene ble vellykket tømt",
+    "statistics_enable": "Skru på statistikker",
    "interval_hours": "{{count}} time",
    "interval_hours_plural": "{{count}} timer",
    "filters_configuration": "Oppsett av filtre",
@@ -541,6 +557,8 @@
    "cache_ttl_min_override_desc": "Overstyr korte levetidsverdier (i sekunder) som mottas fra oppstrømstjeneren under mellomlagring av DNS-responser",
    "cache_ttl_max_override_desc": "Velg en maks-levetidsverdi (i sekunder) for oppføringer i DNS-mellomlageret",
    "ttl_cache_validation": "Minimums-mellomlagringslevetidsverdien må være mindre enn eller det samme som maksverdien",
+    "cache_optimistic": "Optimistisk mellomlagring",
+    "cache_optimistic_desc": "Få AdGuard Home til å svare fra hurtigbufferen selv når oppføringene er utløpt, og prøv også å oppfriske dem.",
    "filter_category_general": "Generelt",
    "filter_category_security": "Sikkerhet",
    "filter_category_regional": "Regional",
@@ -554,5 +572,7 @@
    "port_53_faq_link": "Port 53 er ofte opptatt av «DNSStubListener»- eller «systemd-resolved»-tjenestene. Vennligst les <0>denne instruksjonen</0> om hvordan man løser dette.",
    "adg_will_drop_dns_queries": "AdGuard Home vil droppe alle DNS-forespørsler fra denne klienten.",
    "experimental": "Eksperimentell",
-    "parental_control": "Foreldrekontroll"
+    "use_saved_key": "Bruk den tidligere lagrede nøkkelen",
+    "parental_control": "Foreldrekontroll",
+    "served_from_cache": "{{value}} <i>(formidlet fra mellomlageret)</i>"
 }
--- a/client/src/__locales/pl.json
+++ b/client/src/__locales/pl.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Nieprawidłowy adres IPv6",
    "form_error_ip_format": "Nieprawidłowy adres IP",
    "form_error_mac_format": "Nieprawidłowy adres MAC",
-    "form_error_client_id_format": "Nieprawidłowy ID klienta",
+    "form_error_client_id_format": "ID klienta musi zawierać tylko cyfry, małe litery i myślniki",
    "form_error_server_name": "Nieprawidłowa nazwa serwera",
    "form_error_subnet": "Podsieć \"{{cidr}}\" nie zawiera adresu IP \"{{ip}}\"",
    "form_error_positive": "Musi być większa niż 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Oto lista <0>znanych dostawców DNS</0> do wyboru.",
    "update_now": "Aktualizuj teraz",
    "update_failed": "Automatyczna aktualizacja nie powiodła się. Proszę <a>wykonaj kroki</a> aby zaktualizować ręcznie.",
+    "manual_update": "Proszę <a>wykonać te czynności</a>, aby zaktualizować ręcznie.",
    "processing_update": "Poczekaj, trwa aktualizacja AdGuard Home",
    "clients_title": "Klienci",
    "clients_desc": "Skonfiguruj urządzenia podłączone do AdGuard Home",
--- a/client/src/__locales/pt-br.json
+++ b/client/src/__locales/pt-br.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Endereço de IPv6 inválido",
    "form_error_ip_format": "Endereço de IP inválido",
    "form_error_mac_format": "Endereço de MAC inválido",
-    "form_error_client_id_format": "ID de cliente inválido",
+    "form_error_client_id_format": "O ID do cliente deve conter apenas números, letras minúsculas e hifens",
    "form_error_server_name": "Nome de servidor inválido",
    "form_error_subnet": "A sub-rede \"{{cidr}}\" não contém o endereço IP \"{{ip}}\"",
    "form_error_positive": "Deve ser maior que 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Aqui está uma <0>lista de provedores de DNS conhecidos</0> para escolher.",
    "update_now": "Atualizar agora",
    "update_failed": "A atualização automática falhou. Por favor, <a>siga estes passos</a> para atualizar manualmente.",
+    "manual_update": "Por favor, <a>siga estes passos</a> para atualizar manualmente.",
    "processing_update": "Por favor, aguarde enquanto o AdGuard Home está sendo atualizado",
    "clients_title": "Clientes",
    "clients_desc": "Configure dispositivos conectados ao AdGuard",
--- a/client/src/__locales/pt-pt.json
+++ b/client/src/__locales/pt-pt.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Endereço de IPv6 inválido",
    "form_error_ip_format": "Endereço de IP inválido",
    "form_error_mac_format": "Endereço de MAC inválido",
-    "form_error_client_id_format": "ID de cliente inválido",
+    "form_error_client_id_format": "O ID do cliente deve conter apenas números, letras minúsculas e hifens",
    "form_error_server_name": "Nome de servidor inválido",
    "form_error_subnet": "A sub-rede \"{{cidr}}\" não contém o endereço IP \"{{ip}}\"",
    "form_error_positive": "Deve ser maior que 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Aqui está uma <0>lista de provedores de DNS conhecidos</0> para escolher.",
    "update_now": "Atualizar agora",
    "update_failed": "A atualização automática falhou. Por favor, <a>siga estes passos</a> para atualizar manualmente.",
+    "manual_update": "Por favor, <a>siga estes passos</a> para atualizar manualmente.",
    "processing_update": "Por favor espere, o AdGuard Home está a atualizar-se",
    "clients_title": "Clientes",
    "clients_desc": "Configure os dispositivos ligados ao AdGuard",
--- a/client/src/__locales/ro.json
+++ b/client/src/__locales/ro.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Adresa IPv6 nevalidă",
    "form_error_ip_format": "Adresă IP nevalidă",
    "form_error_mac_format": "Adresă MAC nevalidă",
-    "form_error_client_id_format": "ID client nevalid",
+    "form_error_client_id_format": "ID-ul clientului trebuie să conțină numai numere, litere minuscule și liniuțe.",
    "form_error_server_name": "Nume de server nevalid",
    "form_error_subnet": "Subrețeaua „{{cidr}}” nu conține adresa IP „{{ip}}”",
    "form_error_positive": "Trebuie să fie mai mare de 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Iată o <0>listă de furnizori DNS cunoscuți</0> ce pot fi aleși.",
    "update_now": "Actualizați acum",
    "update_failed": "Auto-actualizarea a eșuat. Vă rugăm să <a>urmați aceste etape</a> pentru a actualiza manual.",
+    "manual_update": "Vă rugăm <a>să urmați etapele următoare</a> pentru a actualiza manual.",
    "processing_update": "Vă rugăm să așteptați, AdGuard Home se actualizează...",
    "clients_title": "Clienți",
    "clients_desc": "Configură aparatele conectate la AdGuard Home",
--- a/client/src/__locales/ru.json
+++ b/client/src/__locales/ru.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Некорректный IPv6-адрес",
    "form_error_ip_format": "Некорректный IP-адрес",
    "form_error_mac_format": "Некорректный MAC-адрес",
-    "form_error_client_id_format": "Некорректный ID клиента",
+    "form_error_client_id_format": "ID клиента может содержать только цифры, строчные латинские буквы и дефисы",
    "form_error_server_name": "Некорректное имя сервера",
    "form_error_subnet": "Подсеть «{{cidr}}» не содержит IP-адрес «{{ip}}»",
    "form_error_positive": "Должно быть больше 0",
@@ -403,6 +403,7 @@
    "dns_providers": "<0>Список известных DNS-провайдеров</0> на выбор.",
    "update_now": "Обновить сейчас",
    "update_failed": "Ошибка авто-обновления. Пожалуйста, <a>следуйте инструкции</a> для обновления вручную.",
+    "manual_update": "Пожалуйста, <a>следуйте инструкции</a> для обновления вручную.",
    "processing_update": "Пожалуйста, подождите, AdGuard Home обновляется",
    "clients_title": "Клиенты",
    "clients_desc": "Настройте устройства, использующие AdGuard Home",
@@ -587,7 +588,7 @@
    "show_blocked_responses": "Заблокировано",
    "show_whitelisted_responses": "В белом списке",
    "show_processed_responses": "Обработан",
-    "blocked_safebrowsing": "Заблокировано согласно базе данных Safebrowsing",
+    "blocked_safebrowsing": "Заблокировано согласно базе данных Safe Browsing",
    "blocked_adult_websites": "Заблокировано Родительским контролем",
    "blocked_threats": "Заблокировано угроз",
    "allowed": "Разрешённые",
--- a/client/src/__locales/sk.json
+++ b/client/src/__locales/sk.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Neplatná IPv6 adresa",
    "form_error_ip_format": "Neplatná IP adresa",
    "form_error_mac_format": "Neplatná MAC adresa",
-    "form_error_client_id_format": "Neplatné ID klienta",
+    "form_error_client_id_format": "ID klienta musí obsahovať iba čísla, malé písmená a spojovníky",
    "form_error_server_name": "Neplatné meno servera",
    "form_error_subnet": "Podsieť \"{{cidr}}\" neobsahuje IP adresu \"{{ip}}\"",
    "form_error_positive": "Musí byť väčšie ako 0",
@@ -163,8 +163,8 @@
    "apply_btn": "Použiť",
    "disabled_filtering_toast": "Vypnutá filtrácia",
    "enabled_filtering_toast": "Zapnutá filtrácia",
-    "disabled_safe_browsing_toast": "Vypnuté Bezpečné prehliadanie",
-    "enabled_safe_browsing_toast": "Zapnuté Bezpečné prehliadanie",
+    "disabled_safe_browsing_toast": "Bezpečné prehliadanie vypnuté",
+    "enabled_safe_browsing_toast": "Bezpečné prehliadanie zapnuté",
    "disabled_parental_toast": "Vypnutá Rodičovská kontrola",
    "enabled_parental_toast": "Zapnutá Rodičovská kontrola",
    "disabled_safe_search_toast": "Vypnuté bezpečné vyhľadávanie",
@@ -403,6 +403,7 @@
    "dns_providers": "Tu je <0>zoznam známych poskytovateľov DNS</0>, z ktorého si vyberiete.",
    "update_now": "Aktualizovať teraz",
    "update_failed": "Automatická aktualizácia zlyhala. Prosím <a>sledujte postup</a> pre manuálnu aktualizáciu.",
+    "manual_update": "Pre manuálnu aktualizáciu prosím <a>sledujte tento postup</a>.",
    "processing_update": "Čakajte prosím, AdGuard Home sa aktualizuje",
    "clients_title": "Klienti",
    "clients_desc": "Konfigurácia zariadení pripojených k AdGuard Home",
@@ -588,7 +589,7 @@
    "show_whitelisted_responses": "Obsiahnuté v bielej listine",
    "show_processed_responses": "Spracované",
    "blocked_safebrowsing": "Zablokované modulom Bezpečné prehliadanie",
-    "blocked_adult_websites": "Blokované Rodičovskou kontrolou",
+    "blocked_adult_websites": "Zablokovaná stránka pre dospelých",
    "blocked_threats": "Zablokované hrozby",
    "allowed": "Povolené",
    "filtered": "Filtrované",
--- a/client/src/__locales/sl.json
+++ b/client/src/__locales/sl.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Neveljaven naslov IPv6",
    "form_error_ip_format": "Neveljaven naslov IP",
    "form_error_mac_format": "Neveljaven naslov MAC",
-    "form_error_client_id_format": "Neveljaven ID odjemalca",
+    "form_error_client_id_format": "ID odjemalca mora vsebovati samo številke, male črke in vezaje",
    "form_error_server_name": "Neveljavno ime strežnika",
    "form_error_subnet": "Podomrežje \"{{cidr}}\" ne vsebuje naslova IP \"{{ip}}\"",
    "form_error_positive": "Mora biti večja od 0",
@@ -403,6 +403,7 @@
    "dns_providers": "Tukaj je  <0>seznam znanih ponudnikov DNS</0>, med katerimi lahko izbirate.",
    "update_now": "Posodobi zdaj",
    "update_failed": "Samodejna posodobitev ni uspela. Prosimo <a>sledite korakom</a>, da ročno posodobite.",
+    "manual_update": "Za ročno posodobitev <a>sledite tem korakom</a>.",
    "processing_update": "Prosimo, počakajte. AdGuard Home se posodablja!",
    "clients_title": "Odjemalci",
    "clients_desc": "Konfigurirajte naprave, ki so povezane z AdGuard Home",
--- a/client/src/__locales/sv.json
+++ b/client/src/__locales/sv.json
@@ -1,24 +1,58 @@
 {
    "client_settings": "Klientinställningar",
+    "example_upstream_reserved": "Du kan specificera DNS-uppström <0>för en specifik domän</0>",
+    "example_upstream_comment": "Du kan ange en kommentar",
+    "upstream_parallel": "Använd parallella förfrågningar för att snabba upp dessa genom att fråga alla uppströmsservrar samtidigt.",
+    "parallel_requests": "Parallella förfrågningar",
+    "load_balancing": "Lastbalansering",
+    "load_balancing_desc": "Fråga en uppströmsserver åt gången. AdGuard Home använder sin viktade slumpmässiga algoritm för att välja server så att den snabbaste servern används oftare.",
    "bootstrap_dns": "Bootstrap-DNS-servrar",
    "bootstrap_dns_desc": "Bootstrap-DNS-servrar används för att slå upp DoH/DoT-resolvrarnas IP-adresser som du specificerat som uppström.",
+    "local_ptr_title": "Privata omvända DNS-servrar",
+    "local_ptr_desc": "DNS servrarna som AdGuard Home använder för lokala PTR frågor. Dessa servrar används för att lösa värdnamnen på klienter med privata IP-adresser, till exempel \"192.168.12.34\", genom omvänd DNS. Om inga servrar angetts använder AdGuard Home adresserna till standard DNS servrar för ditt operativsystem förutom adresserna till AdGuard Home själv.",
+    "local_ptr_default_resolver": "Som standard använder AdGuard Home följande omvända DNS upplösare: {{ip}}.",
+    "local_ptr_no_default_resolver": "AdGuard Home kunde inte fastställa lämpliga privata omvända DNS upplösare för detta system.",
    "local_ptr_placeholder": "Ange en serveradress per rad",
+    "resolve_clients_title": "Aktivera omvänd upplösning av klienters IP-adresser",
+    "resolve_clients_desc": "Lös upp klienternas värdnamn med omvänt uppslag av klienternas IP-adresser genom att skicka PTR-frågor till motsvarande upplösare (privata DNS-servrar för lokala klienter, uppströmsservrar för klienter med offentliga IP-adresser).",
+    "use_private_ptr_resolvers_title": "Använd privata omvända DNS upplösare",
+    "use_private_ptr_resolvers_desc": "Utför omvända DNS-sökningar för lokalt betjänade adresser med dessa uppströmsservrar. Om det är inaktiverat svarar AdGuard Home med NXDOMAIN på alla sådana PTR-förfrågningar förutom klienter kända från DHCP, /etc/hosts, och så vidare.",
    "check_dhcp_servers": "Letar efter DHCP-servrar",
    "save_config": "Spara konfiguration",
    "enabled_dhcp": "DHCP-server aktiverad",
    "disabled_dhcp": "Dhcp-server avaktiverad",
+    "unavailable_dhcp": "DHCP är inte tillgängligt",
+    "unavailable_dhcp_desc": "AdGuard Home kan inte köra en DHCP-server på ditt operativsystem",
    "dhcp_title": "DHCP-server (experimentell)",
    "dhcp_description": "Om din router inte har inställningar för DHCP kan du använda AdGuards inbyggda server.",
    "dhcp_enable": "Aktivera DHCP.-server",
    "dhcp_disable": "Avaktivera DHCP-server",
+    "dhcp_not_found": "Det är säkert att aktivera den inbyggda DHCP-servern eftersom AdGuard Home inte hittade några aktiva DHCP-servrar i nätverket. Du bör dock kontrollera det igen manuellt eftersom den automatiska sökningenn efter DHCP-servrar inte ger 100 % garanti.",
    "dhcp_found": "Några aktiva DHCP-servar upptäcktes. Det är inte säkert att aktivera inbyggda DHCP-servrar.",
    "dhcp_leases": "DHCP-lease",
    "dhcp_static_leases": "Statiska DHCP-leases",
    "dhcp_leases_not_found": "Ingen DHCP-lease hittad",
+    "dhcp_config_saved": "DHCP-konfigurationen har sparats",
+    "dhcp_ipv4_settings": "DHCP IPv4 inställningar",
+    "dhcp_ipv6_settings": "DHCP IPv6 inställningar",
    "form_error_required": "Obligatoriskt fält",
+    "form_error_ip4_format": "Ogiltig IPv4-adress",
+    "form_error_ip4_range_start_format": "Ogiltig IPv4-adress för starten av intervallet",
+    "form_error_ip4_range_end_format": "Ogiltig IPv4-adress för slutet av intervallet",
+    "form_error_ip4_gateway_format": "Ogiltig IPv4 adress för gatewayen",
+    "form_error_ip6_format": "Ogiltig IPv6-adress",
    "form_error_ip_format": "Ogiltig IP-adress",
    "form_error_mac_format": "Ogiltig MAC-adress",
+    "form_error_client_id_format": "Ogiltigt klient-ID",
+    "form_error_server_name": "Ogiltigt servernamn",
+    "form_error_subnet": "Subnätet \"{{cidr}}\" innehåller inte IP-adressen \"{{ip}}\"",
    "form_error_positive": "Måste vara större än noll",
+    "out_of_range_error": "Måste vara utanför intervallet \"{{start}}\"-\"{{end}}\"",
+    "lower_range_start_error": "Måste vara lägre än starten på intervallet",
+    "greater_range_start_error": "Måste vara högre än starten på intervallet",
+    "greater_range_end_error": "Måste vara större än intervallets slut",
+    "subnet_error": "Adresser måste finnas i ett subnät",
+    "gateway_or_subnet_invalid": "Subnätmask ogiltig",
    "dhcp_form_gateway_input": "Gateway-IP",
    "dhcp_form_subnet_input": "Subnetmask",
    "dhcp_form_range_title": "IP-adressgränser",
@@ -29,17 +63,30 @@
    "dhcp_interface_select": "Välj DHCP-gränssnitt",
    "dhcp_hardware_address": "Hårdvaruadress",
    "dhcp_ip_addresses": "IP-adresser",
+    "ip": "IP",
    "dhcp_table_hostname": "Värdnamn",
    "dhcp_table_expires": "Utgår",
+    "dhcp_warning": "Om du vill använda den inbyggda DHCP servern ändå, se till att det inte finns några andra aktiva DHCP servrar. Annars kan den störa internetanslutningen för anslutna enheter!",
+    "dhcp_error": "Vi kunde inte avgöra om det finns en till DHCP-server på nätverket.",
+    "dhcp_static_ip_error": "För att kunna använda en DHCP-server måste det finnas en statisk IP-adress. AdGuard Home kunde inte avgöra om nätverksgränssnittet är konfigurerat med en statisk IP-adress. Ställ in en statisk IP-adress manuellt.",
+    "dhcp_dynamic_ip_found": "Din enhet använder en dynamisk IP-adress för gränssnittet <0>{{interfaceName}}</0>. För att kunna använda DHCP-servern behövs en statisk IP-adress. Din nuvarande IP-adress är <0>{{ipAddress}}</0>. AdGuard Home kommer automatiskt att göra denna IP-adress statisk om du trycker på knappen \"Aktivera DHCP\".",
    "dhcp_lease_added": "Statisk lease \"{{key}}\" har lagts till",
    "dhcp_lease_deleted": "Statisk lease \"{{key}}\" har raderats",
    "dhcp_new_static_lease": "Ny statisk lease",
    "dhcp_static_leases_not_found": "Inga statiska DHCP-leases hittade",
    "dhcp_add_static_lease": "Lägg till statisk lease",
+    "dhcp_reset_leases": "Återställ alla leasingavtal",
+    "dhcp_reset_leases_confirm": "Är du säker på att du vill ta bort alla leasingavtal?",
+    "dhcp_reset_leases_success": "DHCP-leasing har återställts",
+    "dhcp_reset": "Är du säker på att du vill ta bort DHCP inställningarna?",
+    "country": "Land",
+    "city": "Stad",
    "delete_confirm": "Är du säker på att du vill ta bort \"{{key}}\"?",
    "form_enter_hostname": "Skriv in värdnamn",
    "error_details": "Felinformation",
+    "response_details": "Svarsdetaljer",
    "request_details": "Förfrågningsdetaljer",
+    "client_details": "Klient information",
    "details": "Detaljer",
    "back": "Tiilbaka",
    "dashboard": "Kontrollpanel",
@@ -47,6 +94,8 @@
    "filters": "Filter",
    "filter": "Filter",
    "query_log": "Förfrågningslogg",
+    "compact": "Komprimera",
+    "nothing_found": "Inget hittades",
    "faq": "FAQ",
    "version": "version",
    "address": "Adress",
@@ -70,52 +119,88 @@
    "for_last_24_hours": "under de senaste 24 timmarna",
    "for_last_days": "för den senaste {{count}} dagen",
    "for_last_days_plural": "för de senaste {{count}} dagarna",
+    "stats_disabled": "Statistiken har inaktiverats. Du kan aktivera det från <0>inställningssidan</0>.",
+    "stats_disabled_short": "Statistiken har inaktiverats",
    "no_domains_found": "Inga domäner hittade",
    "requests_count": "Förfrågningsantal",
    "top_blocked_domains": "Flest blockerade domäner",
    "top_clients": "Toppklienter",
    "no_clients_found": "Inga klienter hittade",
    "general_statistics": "Allmän statistik",
+    "number_of_dns_query_days": "Antalet DNS-förfrågningar som utfördes under senaste {{count}} dagen",
+    "number_of_dns_query_days_plural": "Ett antal DNS förfrågningar utfördes under de senaste {{count}} dagarna",
+    "number_of_dns_query_24_hours": "Antalet DNS-förfrågningar som utfördes under de senaste 24 timmarna",
+    "number_of_dns_query_blocked_24_hours": "Antalet DNS-förfrågningar som blockerades av annonsfilter och värdens blockeringsklistor",
+    "number_of_dns_query_blocked_24_hours_by_sec": "Antalet DNS-förfrågningar som blockerades av AdGuards modul för surfsäkerhet",
+    "number_of_dns_query_blocked_24_hours_adult": "Antalet vuxensajter som blockerats",
    "enforced_save_search": "Aktivering av Säker surf",
+    "number_of_dns_query_to_safe_search": "Antalet DNS-förfrågningar mot sökmotorer där Säker surf tvingats",
    "average_processing_time": "Genomsnittlig processtid",
    "average_processing_time_hint": "Genomsnittlig processtid i millisekunder för DNS-förfrågning",
    "block_domain_use_filters_and_hosts": "Blockera domäner med filter- och värdfiler",
    "filters_block_toggle_hint": "Du kan ställa in egna blockerings regler i <a>Filterinställningar</a>.",
    "use_adguard_browsing_sec": "Använd AdGuards webbservice för surfsäkerhet",
-    "use_adguard_browsing_sec_hint": "AdGuard Home kommer att kontrollera om en domän är svartlistad i webbservicens surfsäkerhet. Med en integritetsvänlig metod görs en API-lookup för att kontrollera : endast en kort prefix i domännamnet SHA256 hash skickas till servern.",
+    "use_adguard_browsing_sec_hint": "AdGuard Home kommer att kontrollera om en domän är blockerad av webbservicen surfsäkerhet. Med en integritetsvänlig metod görs en API-lookup för att kontrollera: endast ett kort prefix i domännamnet SHA256 hash skickas till servern.",
    "use_adguard_parental": "Använda AdGuards webbservice för föräldrakontroll",
    "use_adguard_parental_hint": "AdGuard Home kommer att kontrollera domäner för innehåll av vuxenmaterial . Samma integritetsvänliga metod för  API-lookup som tillämpas i webbservicens surfsäkerhet används.",
-    "enforce_safe_search": "Tillämpa Säker surf",
+    "enforce_safe_search": "Använd säker webbsökning",
+    "enforce_save_search_hint": "AdGuard Home kommer tvinga säker surf på följande sökmotorer: Google, Youtube, Bing, DuckDuckGo, Yandex, Pixabay.",
    "no_servers_specified": "Inga servrar angivna",
    "general_settings": "Allmänna inställningar",
    "dns_settings": "DNS-inställningar",
+    "dns_blocklists": "DNS blockeringslistor",
+    "dns_allowlists": "DNS frilistor",
+    "dns_blocklists_desc": "AdGuard Home kommer att blockera domäner som matchar blockeringslistorna.",
+    "dns_allowlists_desc": "Domäner från DNS frilistor kommer att tillåtas även om de finns i någon av blockeringslistorna.",
    "custom_filtering_rules": "Egna filterregler",
    "encryption_settings": "Krypteringsinställningar",
    "dhcp_settings": "DHCP-inställningar",
    "upstream_dns": "Upstream DNS-servrar",
+    "upstream_dns_help": "Ange en serveradress per rad. <a>Läs mer</a> om att konfigurera uppströms DNS-servrar.",
+    "upstream_dns_configured_in_file": "Konfigurerad i {{path}}",
    "test_upstream_btn": "Testa uppströmmar",
+    "upstreams": "Uppströms",
    "apply_btn": "Tillämpa",
    "disabled_filtering_toast": "Filtrering bortkopplad",
    "enabled_filtering_toast": "Filtrering inkopplad",
-    "disabled_safe_browsing_toast": "Säker surfning bortkopplat",
-    "enabled_safe_browsing_toast": "Säker surfning inkopplat",
+    "disabled_safe_browsing_toast": "Säker surfning inaktiverad",
+    "enabled_safe_browsing_toast": "Säker surfning aktiverat",
    "disabled_parental_toast": "Föräldrakontroll bortkopplat",
    "enabled_parental_toast": "Föräldrakontroll inkopplat",
    "disabled_safe_search_toast": "Säker webbsökning bortkopplat",
    "enabled_save_search_toast": "Säker webbsökning inkopplat",
    "enabled_table_header": "Inkopplat",
    "name_table_header": "Namn",
+    "list_url_table_header": "Lista URL",
    "rules_count_table_header": "Regelantal",
    "last_time_updated_table_header": "Uppdaterades senast",
    "actions_table_header": "Åtgärder",
+    "request_table_header": "Förfrågning",
    "edit_table_action": "Redigera",
    "delete_table_action": "Radera",
+    "elapsed": "Förfluten tid",
    "filters_and_hosts_hint": "AdGuard tillämpar grundläggande annonsblockeringsregler och värdfiltersyntaxer",
+    "no_blocklist_added": "Inga blocklistor har lagts till",
+    "no_whitelist_added": "Inga frilistor har lagts till",
+    "add_blocklist": "Lägg till blockeringslista",
+    "add_allowlist": "Lägg till frilista",
    "cancel_btn": "Avbryt",
    "enter_name_hint": "Skriv in namn",
+    "enter_url_or_path_hint": "Ange en URL eller en absolut sökväg till listan",
    "check_updates_btn": "Sök efter uppdateringar",
+    "new_blocklist": "Ny blockeringslista",
+    "new_allowlist": "Ny frilista",
+    "edit_blocklist": "Redigera blockeringslista",
+    "edit_allowlist": "Redigera frilista",
+    "choose_blocklist": "Välj blockeringslistor",
+    "choose_allowlist": "Välj frilistor",
+    "enter_valid_blocklist": "Ange en giltig URL till blockeringslistan.",
+    "enter_valid_allowlist": "Ange en giltig URL till frilistan.",
+    "form_error_url_format": "Ogiltigt URL format",
+    "form_error_url_or_path_format": "Ogiltig URL eller absolut sökväg till listan",
    "custom_filter_rules": "Egna filterregler",
    "custom_filter_rules_hint": "Skriv en regel per rad. Du kan använda antingen annonsblockeringsregler eller värdfilssyntax.",
+    "system_host_files": "Systemfiler",
    "examples_title": "Exempel",
    "example_meaning_filter_block": "blockera åtkomst till domän example.org domain och alla dess subdomäner",
    "example_meaning_filter_whitelist": "avblockera åtkomst till domän example.org domain och alla dess subdomäner",
@@ -127,17 +212,26 @@
    "example_upstream_regular": "vanlig DNS (över UDP)",
    "example_upstream_dot": "krypterat <0>DNS-over-TLS</0>",
    "example_upstream_doh": "krypterat <0>DNS-over-HTTPS</0>",
+    "example_upstream_doq": "krypterat <0>DNS-over-QUIC</0>",
    "example_upstream_sdns": "Du kan använda <0>DNS-stamps</0> för <1>DNSCrypt</1> eller <2>DNS-over-HTTPS</2>-resolvers",
    "example_upstream_tcp": "vanlig DNS (över UDP)",
+    "all_lists_up_to_date_toast": "Alla listor är redan uppdaterade",
+    "updated_upstream_dns_toast": "Sparade uppströms dns-servrar",
    "dns_test_ok_toast": "Angivna DNS servrar fungerar korrekt",
    "dns_test_not_ok_toast": "Server \"{{key}}\": kunde inte användas. Var snäll och kolla att du skrivit in rätt",
    "unblock": "Avblockera",
    "block": "Blockera",
+    "disallow_this_client": "Tillåt inte den här klienten",
+    "allow_this_client": "Tillåt den här klienten",
+    "block_for_this_client_only": "Blockera endast för denna klient",
+    "unblock_for_this_client_only": "Avblockera endast för denna klient",
    "time_table_header": "Tid",
    "date": "Datum",
    "domain_name_table_header": "Domännamn",
+    "domain_or_client": "Domän eller klient",
    "type_table_header": "Typ",
    "response_table_header": "Svar",
+    "response_code": "Svarskod",
    "client_table_header": "Klient",
    "empty_response_status": "Tomt",
    "show_all_filter_type": "Visa alla",
@@ -149,13 +243,14 @@
    "loading_table_status": "Läser in...",
    "page_table_footer_text": "Sida",
    "rows_table_footer_text": "rader",
-    "updated_custom_filtering_toast": "Uppdaterade de egna filterreglerna",
+    "updated_custom_filtering_toast": "Anpassade filterregler sparade",
    "rule_removed_from_custom_filtering_toast": "Regel borttagen från de egna filterreglerna: {{rule}}",
    "rule_added_to_custom_filtering_toast": "Regel tillagd till de egna filterreglerna: {{rule}}",
    "query_log_response_status": "Status: {{value}}",
    "query_log_filtered": "Filtrerat av {{filter}}",
    "query_log_confirm_clear": "Är du säker på att du vill rensa hela förfrågningsloggen?",
    "query_log_cleared": "Förfrågningsloggen har rensats",
+    "query_log_updated": "Förfrågningsloggen har uppdaterats",
    "query_log_clear": "Rensa förfrågningsloggar",
    "query_log_retention": "Förfrågningsloggars retentionstid",
    "query_log_enable": "Aktivera logg",
@@ -163,27 +258,63 @@
    "query_log_disabled": "Förfrågningsloggen är avaktiverad och kan konfigureras i <0>inställningar</0>",
    "query_log_strict_search": "Använd dubbla citattecken för strikt sökning",
    "query_log_retention_confirm": "Är du säker på att du vill ändra förfrågningsloggars retentionstid? Om du minskar intervallet kommer viss data att gå förlorad",
+    "anonymize_client_ip": "Anonymisera klientens IP",
+    "anonymize_client_ip_desc": "Spara inte klientens fullständiga IP-adress i loggar och statistik",
+    "dns_config": "DNS server konfiguration",
+    "dns_cache_config": "DNS cache konfiguration",
+    "dns_cache_config_desc": "Här kan du konfigurera DNS cache",
+    "blocking_mode": "Blockeringsläge",
    "default": "Standard",
+    "nxdomain": "NXDOMÄN",
+    "refused": "REFUSED",
+    "null_ip": "Null IP",
    "custom_ip": "Eget IP",
+    "blocking_ipv4": "Blockera IPv4",
+    "blocking_ipv6": "Blockera IPv6",
    "dnscrypt": "DNSCrypt",
    "dns_over_https": "DNS-over-HTTPS",
    "dns_over_tls": "DNS-over-TLS",
    "dns_over_quic": "DNS-over-QUIC",
+    "client_id": "Klient ID",
+    "client_id_placeholder": "Ange klient ID",
+    "client_id_desc": "Olika klienter kan identifieras med ett speciellt klient ID. <a>Här</a> kan du lära dig mer om hur du identifierar klienter.",
+    "download_mobileconfig_doh": "Ladda ner .mobileconfig för DNS-over-HTTPS",
+    "download_mobileconfig_dot": "Ladda ner .mobileconfig för DNS-over-TLS",
+    "download_mobileconfig": "Ladda ner konfigurationsfil",
+    "plain_dns": "Vanlig DNS",
+    "form_enter_rate_limit": "Ange förfrågnings gräns",
+    "rate_limit": "Förfrågnings gräns",
+    "edns_enable": "Aktivera EDNS-klient subnät",
+    "edns_cs_desc": "Skicka klienternas subnät till DNS servrarna.",
+    "rate_limit_desc": "Antalet förfrågningar per sekund som tillåts per klient. Att sätta den till 0 innebär ingen gräns.",
+    "blocking_ipv4_desc": "IP adress som ska returneras för en blockerad A förfrågan",
+    "blocking_ipv6_desc": "IP adress som ska returneras för en blockerad AAAA förfrågan",
+    "blocking_mode_default": "Standard: Svara med noll IP-adress (0.0.0.0 för A; :: för AAAA) när det blockeras av regel i Adblock-stil; svara med IP-adressen som anges i regeln när den blockeras av regel i /etc/hosts-stil",
+    "blocking_mode_refused": "REFUSED: Svara med REFUSED kod",
+    "blocking_mode_nxdomain": "NXDOMAIN: Svara med NXDOMAIN kod",
+    "blocking_mode_null_ip": "Null IP: Svara med noll IP adress (0.0.0.0 för A; :: för AAAA)",
+    "blocking_mode_custom_ip": "Anpassad IP: Svara med en manuellt inställd IP adress",
+    "upstream_dns_client_desc": "Om detta fält är tomt kommer AdGuard Home att använda de servrar som konfigurerats i <0>DNS inställningarna</0>.",
+    "tracker_source": "Spårningskälla",
    "source_label": "Källa",
    "found_in_known_domain_db": "Hittad i domändatabas.",
    "category_label": "Kategori",
+    "rule_label": "Regel(er)",
+    "list_label": "Lista",
    "unknown_filter": "Okänt filter {{filterId}}",
+    "known_tracker": "Känd spårare",
    "install_welcome_title": "Välkommen till AdGuard Home!",
    "install_welcome_desc": "AdGuard Home är en DNS-server för nätverkstäckande annons- och spårningsblockering. Dess syfte är att de dig kontroll över hela nätverket och alla dina enheter, utan behov av att använda klientbaserade program.",
    "install_settings_title": "Administratörens webbgränssnitt",
    "install_settings_listen": "Övervakningsgränssnitt",
    "install_settings_port": "Port",
    "install_settings_interface_link": "Din administratörssida för AdGuard Home finns på följande adresser:",
+    "form_error_port": "Skriv in ett giltigt portnummer",
    "install_settings_dns": "DNS-server",
    "install_settings_dns_desc": "Du behöver ställa in dina enheter eller din router för att använda DNS-server på följande adresser.",
    "install_settings_all_interfaces": "Alla gränssnitt",
    "install_auth_title": "Autentisering",
-    "install_auth_desc": "Det rekommenderas starkt att ställa in lösenordsskydd till webbgränssnittets administrativa del i ditt AdGuard Home. Även om den endast är åtkomlig på ditt lokala nätverk rekommenderas det ändå att skydda det mot oönskad åtkomst.",
+    "install_auth_desc": "Lösenordsautentisering till ditt AdGuard Home administratörsgränssnitt måste konfigureras. Även om AdGuard Home bara är tillgängligt i ditt lokala nätverk är det fortfarande viktigt att skydda det från obegränsad åtkomst.",
    "install_auth_username": "Användarnamn",
    "install_auth_password": "Lösenord",
    "install_auth_confirm": "Bekräfta lösenord",
@@ -193,18 +324,20 @@
    "install_devices_title": "Ställ in dina enheter",
    "install_devices_desc": "För att kunna använda AdGuard Home måste du ställa in dina enheter för att utnyttja den.",
    "install_submit_title": "Grattis!",
-    "install_submit_desc": "Inställningsproceduren är klar och du kan börja använda AdGuard Home.",
+    "install_submit_desc": "Installationen är klar och du kan börja använda AdGuard Home.",
    "install_devices_router": "Router",
    "install_devices_router_desc": "Den här anpassningen kommer att automatiskt täcka in alla de enheter som är anslutna till din hemmarouter och du behöver därför inte konfigurera var och en individuellt.",
    "install_devices_address": "AdGuard Home DNS-server täcker följande adresser",
+    "install_devices_router_list_1": "Öppna inställningarna för din router. Vanligtvis kan du komma åt den från din webbläsare via en URL, som http://192.168.0.1/ eller http://192.168.1.1/. Du kan bli ombedd att ange ett lösenord. Om du inte kommer ihåg det kan du ofta återställa lösenordet genom att trycka på en knapp på själva routern, men var medveten om att om denna procedur väljs kommer du förmodligen att förlora hela routerkonfigurationen. Om din router kräver en app för att konfigurera den, installera appen på din telefon eller dator och använd den för att komma åt routerns inställningar.",
    "install_devices_router_list_2": "Leta upp DHCP/DNS-inställningarna. Titta efter DNS-tecken intill ett fält med två eller tre uppsättningar siffror, var och en uppdelade i grupper om fyra med en eller tre siffror.",
    "install_devices_router_list_3": "Ange serveradressen till ditt AdGuard Home.",
+    "install_devices_router_list_4": "På vissa routertyper kan en anpassad DNS server inte konfigureras. I så fall kan det hjälpa att konfigurera AdGuard Home som en <0>DHCP server</0>. Annars bör du kontrollera routermanualen om hur du anpassar DNS servrar på din specifika routermodell.",
    "install_devices_windows_list_1": "Öppna Kontrollpanelen via Start eller Windows Sök.",
    "install_devices_windows_list_2": "Välj Nätverks och delningscenter, Nätverk och Internet.",
-    "install_devices_windows_list_3": "Leta upp Ändra nätverkskortsalternativ",
+    "install_devices_windows_list_3": "På vänster sida av skärmen hittar du \"Ändra adapterinställningar\" och klicka på den.",
    "install_devices_windows_list_4": "Markera din aktiva anslutning. Högerklicka på den och välj Egenskaper.",
-    "install_devices_windows_list_5": "Markera Internet Protocol Version 4 (TCP/IP) och klicka på knappen Egenskaper.",
-    "install_devices_windows_list_6": "Markera Använd följande DNS-serveradresser och skriv in adresserna till ditt AdGuard Home.",
+    "install_devices_windows_list_5": "Hitta \"Internet Protocol Version 4 (TCP/IPv4)\" (eller, för IPv6, \"Internet Protocol Version 6 (TCP/IPv6)\") i listan, välj den och klicka sedan på Egenskaper igen.",
+    "install_devices_windows_list_6": "Välj \"Använd följande DNS-serveradresser\" och ange dina AdGuard Home-serveradresser.",
    "install_devices_macos_list_1": "Klicka på Apple-ikonen och välj Systemalternativ.",
    "install_devices_macos_list_2": "Klicka på Nätverk.",
    "install_devices_macos_list_3": "Välj den första anslutningen i listan och klicka på Avancerat.",
@@ -213,7 +346,7 @@
    "install_devices_android_list_2": "Tryck på Nätverk och Internet, Wi-Fi. Alla tillgängliga nätverk visas i en lista (det går inte all välja egen DNS på mobilnätverk.",
    "install_devices_android_list_3": "Håll ner på nätverksnamnet som du är ansluten till och välj Ändra nätverk.",
    "install_devices_android_list_4": "På en del enheter kan du behöva välja Avancerat för att komma åt ytterligare inställningar. För att ändra på DNS-inställningar måste du byta IP-inställning från DHCP till Statisk. På Android Pie väljs Privat DNS på Nätverk och internet.",
-    "install_devices_android_list_5": "Ändra DNS 1 och DNS 2 till serveradresserna för AdGuard Home.",
+    "install_devices_android_list_5": "Ändra DNS 1 och DNS 2 värdena till serveradresserna för din AdGuard Home.",
    "install_devices_ios_list_1": "Tryck Inställningar från hemskärmen.",
    "install_devices_ios_list_2": "Välj Wi_Fi på den vänstra menyn (det går inte att ställa in egen DNS för mobila nätverk).",
    "install_devices_ios_list_3": "Tryck på namnet på den aktiva anslutningen.",
@@ -224,14 +357,18 @@
    "install_saved": "Sparat utan fel",
    "encryption_title": "Kryptering",
    "encryption_desc": "Krypteringsstöd (HTTPS/TLS) för både DNS och adminwebbgränssnitt.",
+    "encryption_config_saved": "Krypteringsinställningar sparade",
    "encryption_server": "Servernamn",
    "encryption_server_enter": "Skriv in ditt domännamn",
+    "encryption_server_desc": "För att kunna använda HTTPS måste du ange servernamnet som matchar ditt SSL-certifikat eller jokerteckencertifikat. Om fältet inte är inställt kommer det att acceptera TLS-anslutningar för alla domäner.",
    "encryption_redirect": "Omdirigera till HTTPS automatiskt",
    "encryption_redirect_desc": "Om bockad kommer AdGuard Home automatiskt att omdirigera dig från HTTP till HTTPS-adresser.",
    "encryption_https": "HTTPS-port",
    "encryption_https_desc": "Om en HTTPS-port är inställd kommer gränssnittet till AdGuard Home administrering att kunna nås via HTTPS och kommer också att erbjuda DNS-over-HTTPS på '/dns-query' plats.",
    "encryption_dot": "DNS-över-TLS port",
    "encryption_dot_desc": "Om den här porten ställs in kommer AdGuard Home att använda DNS-over-TLS-server på porten.",
+    "encryption_doq": "DNS-over-QUIC port",
+    "encryption_doq_desc": "Om denna port är konfigurerad kommer AdGuard Home att köra en DNS-over-QUIC-server på denna port. Det är experimentellt och kanske inte är tillförlitligt. Dessutom finns det inte så många klienter som stödjer det för tillfället.",
    "encryption_certificates": "Certifikat",
    "encryption_certificates_desc": "För att använda kryptering måste du ange ett giltigt SSL-certifikat för din domän. Du kan skaffa ett certifikat gratis på <0>{{link}}</0> eller köpa ett från någon av de godkända certifikatutfärdare.",
    "encryption_certificates_input": "Kopiera/klistra in dina PEM-kodade certifikat här.",
@@ -251,16 +388,22 @@
    "encryption_reset": "Är du säker på att du vill återställa krypteringsinställningarna?",
    "topline_expiring_certificate": "Ditt SSL-certifikat håller på att gå ut. <0>Krypteringsinställningar</0>.",
    "topline_expired_certificate": "Ditt SSL-certifikat har gått ut. Uppdatera <0>Krypteringsinställningar</0>-",
+    "form_error_port_range": "Ange ett portnummer inom värdena 80-65535",
    "form_error_port_unsafe": "Det här är en osäker port",
+    "form_error_equal": "Får inte vara samma",
    "form_error_password": "Lösenorden överensstämmer inte",
    "reset_settings": "Återställ inställningar",
    "update_announcement": "AdGuard Home {{version}} är nu tillgänglig! <0>Klicka här</0> för mer information.",
+    "setup_guide": "Installationsguide",
    "dns_addresses": "DNS-adresser",
+    "dns_start": "DNS servern startar",
+    "dns_status_error": "Fel vid kontroll av DNS serverns status",
    "down": "Ner",
    "fix": "Fixa",
    "dns_providers": "Här är en <0>lista över kända DNS-leverantörer</0> att välja från.",
    "update_now": "Uppdatera nu",
    "update_failed": "Automatisk uppdatering misslyckad. Var god <a>följ stegen</a> för att uppdatera manuellt.",
+    "manual_update": "Vänligen <a>följ dessa steg</a> för att uppdatera manuellt.",
    "processing_update": "Vänta, AdGuard Home uppdateras",
    "clients_title": "Klienter",
    "clients_desc": "Konfigurera enheter uppkopplade mot AdGuard Home",
@@ -274,8 +417,12 @@
    "client_edit": "Redigera klient",
    "client_identifier": "Identifikator",
    "ip_address": "IP-adress",
+    "client_identifier_desc": "Klienter kan identifieras med IP-adressen, CIDR, MAC-adressen eller ett speciellt klient-ID (kan användas för DoT/DoH/DoQ). <0>Här</0> kan du lära dig mer om hur du identifierar klienter.",
    "form_enter_ip": "Skriv in IP",
+    "form_enter_subnet_ip": "Ange en IP adress i subnätet \"{{cidr}}\"",
    "form_enter_mac": "Skriv in MAC",
+    "form_enter_id": "Ange identifierare",
+    "form_add_id": "Lägg till identifierare",
    "form_client_name": "Skriv in klientnamn",
    "name": "Namn",
    "client_global_settings": "Använda globala inställningar",
@@ -284,15 +431,17 @@
    "client_updated": "Klient \"{{key}}\" har uppdaterats",
    "clients_not_found": "Inga klienter hittade",
    "client_confirm_delete": "Är du säker på att du vill ta bort klient \"{{key}}\"?",
+    "list_confirm_delete": "Är du säker på att du vill ta bort den här listan?",
    "auto_clients_title": "Klienter (körtid)",
    "auto_clients_desc": "Data från klienter som använder AdGuard Home, men inte är sparade i konfigurationen",
    "access_title": "Åtkomstinställningar",
    "access_desc": "Här kan du konfigurera åtkomstregler för AdGuard Homes DNS-server.",
    "access_allowed_title": "Tillåtna klienter",
-    "access_allowed_desc": "En lista över CIDR eller IP-adresser. Om konfigurerad kommer AdGuard Home endast acceptera förfrågningar från dessa IP-adresser.",
+    "access_allowed_desc": "En lista över CIDR, IP-adresser eller klient-ID. Om det är konfigurerat accepterar AdGuard Home endast förfrågningar från dessa klienter.",
    "access_disallowed_title": "Otillåtna klienter",
-    "access_disallowed_desc": "En lista över CIDR eller IP-adresser. Om konfigurerad kommer AdGuard Home inte acceptera förfrågningar från dessa IP-adresser.",
+    "access_disallowed_desc": "En lista över CIDR, IP-adresser eller klient-ID. Om det är konfigurerat kommer AdGuard Home att kasta förfrågningar från dessa klienter. Om tillåtna klienter är konfigurerade ignoreras detta fält.",
    "access_blocked_title": "Blockerade domäner",
+    "access_blocked_desc": "Ej att förväxla med filter. AdGuard Home kastar DNS-frågor som matchar dessa domäner, och dessa frågor visas inte ens i frågeloggen. Du kan ange exakta domännamn, jokertecken eller URL-filterregler, t.ex. \"example.org\", \"*.example.org\" eller \"||example.org^\" på motsvarande sätt.",
    "access_settings_saved": "Åtkomstinställningar sparade",
    "updates_checked": "Sökning efter uppdateringar genomförd",
    "updates_version_equal": "AdGuard Home är uppdaterat",
@@ -300,6 +449,8 @@
    "dns_privacy": "DNS-Integritet",
    "setup_dns_privacy_1": "<0>DNS-över-TLS:</0> Använd: <1>{{address}}</1>",
    "setup_dns_privacy_2": "<0>DNS-över-HTTPS:</0> Använd: <1>{{address}}</1>",
+    "setup_dns_privacy_3": "<0>Här är en lista över program du kan använda.</0>",
+    "setup_dns_privacy_4": "På en iOS 14 eller macOS Big Sur enhet kan du ladda ner en speciell '.mobileconfig' fil som lägger till <highlight>DNS-over-HTTPS</highlight> eller <highlight>DNS-over-TLS</highlight>-servrar till DNS inställningarna.",
    "setup_dns_privacy_android_1": "Android 9 har inbyggt stöd för DNS-över-TLS. Konfigurera och uppge domännamn under Inställningar → Nätverk & Internet → Avancerat → Privat DNS.",
    "setup_dns_privacy_android_2": "<0>AdGuard för Android</0> stödjer <1>DNS-över-HTTPS</1> samt <1>DNS-över-TLS</1>.",
    "setup_dns_privacy_android_3": "<0>Intra</0> lägger till stöd för <1>DNS-ÖVER-HTTPS</1> till Android.",
@@ -311,15 +462,51 @@
    "setup_dns_privacy_other_3": "<0>dnscrypt-proxy</0> stödjer <1>DNS-over-HTTPS</1>.",
    "setup_dns_privacy_other_4": "<0>Mozilla Firefox</0> stödjer <1>DNS-over-HTTPS</1>.",
    "setup_dns_privacy_other_5": "Du kan hitta fler implementeringar <0>här</0> och <1>här</1>.",
+    "setup_dns_privacy_ioc_mac": "iOS och macOS konfiguration",
    "setup_dns_notice": "För att kunna använda <1>DNS-över-HTTPS</1> eller <1>DNS-över-TLS</1>, behöver du <0>konfigurera Kryptering</0> i AdGuard Home-inställningar.",
    "rewrite_added": "DNS-omskrivning för \"{{key}}\" lyckad",
    "rewrite_deleted": "DNS-omskrivning för \"{{key}}\" har tagits bort",
+    "rewrite_add": "Lägg till DNS omskrivning",
+    "rewrite_not_found": "Inga DNS omskrivningar hittades",
+    "rewrite_confirm_delete": "Är du säker på att du vill ta bort DNS-omskrivningen för \"{{key}}\"?",
+    "rewrite_desc": "Gör det enkelt att konfigurera anpassat DNS svar för ett specifikt domännamn.",
+    "rewrite_applied": "Omskrivningsregeln tillämpas",
+    "rewrite_hosts_applied": "Omskriven av värd fil regel",
+    "dns_rewrites": "DNS omskrivningar",
+    "form_domain": "Ange domännamn eller jokertecken",
+    "form_answer": "Ange IP adress eller domännamn",
+    "form_error_domain_format": "Ogiltigt domänformat",
+    "form_error_answer_format": "Ogiltigt svarsformat",
+    "configure": "Konfigurera",
+    "main_settings": "Huvudinställningar",
+    "block_services": "Blockera specifika tjänster",
+    "blocked_services": "Blockerade tjänster",
+    "blocked_services_desc": "Gör det möjligt att snabbt blockera populära webbplatser och tjänster.",
+    "blocked_services_saved": "Blockerade tjänster har sparats",
+    "blocked_services_global": "Använd globalt blockerade tjänster",
+    "blocked_service": "Blockerad tjänst",
+    "block_all": "Blockera alla",
+    "unblock_all": "Avblockera alla",
+    "encryption_certificate_path": "Certifikatsökväg",
+    "encryption_private_key_path": "Privat nyckel sökväg",
+    "encryption_certificates_source_path": "Ange sökväg för certifikatfilen",
+    "encryption_certificates_source_content": "Klistra in certifikatets innehåll",
+    "encryption_key_source_path": "Ställ in en privat nyckelfil",
+    "encryption_key_source_content": "Klistra in den privata nyckelns innehåll",
+    "stats_params": "Statistikkonfiguration",
+    "config_successfully_saved": "Konfigurationen har sparats",
    "interval_6_hour": "6 timmar",
    "interval_24_hour": "24 timmar",
    "interval_days": "{{count}} dag",
    "interval_days_plural": "{{count}} dagar",
    "domain": "Domän",
+    "punycode": "Punycode",
    "answer": "Svar",
+    "filter_added_successfully": "Listan har lagts till",
+    "filter_removed_successfully": "Listan har tagits bort",
+    "filter_updated": "Listan har uppdaterats",
+    "statistics_configuration": "Statistikkonfiguration",
+    "statistics_retention": "Bevarande av statistik",
    "statistics_retention_desc": "Om du minskar intervallet kommer viss data att gå förlorad",
    "statistics_clear": "Rensa statistik",
    "statistics_clear_confirm": "Är du säker på att du vill radera statistiken?",
@@ -347,17 +534,99 @@
    "descr": "Beskrivning",
    "whois": "Whois",
    "filtering_rules_learn_more": "<0>Mer info</0> om att skapa dina egna blockeringslistor för värdar.",
+    "blocked_by_response": "Blockerad av CNAME eller IP i svaret",
+    "blocked_by_cname_or_ip": "Blockerad av CNAME eller IP",
    "try_again": "Försök igen",
+    "domain_desc": "Ange domännamnet eller jokertecken som du vill ska skrivas om.",
+    "example_rewrite_domain": "skriv bara om svar för detta domännamn.",
+    "example_rewrite_wildcard": "skriv om svar för alla <0>example.org</0> subdomäner.",
+    "rewrite_ip_address": "IP adress: använd denna IP i ett A- eller AAAA-svar",
+    "rewrite_domain_name": "Domännamn: lägg till en CNAME post",
+    "rewrite_A": "<0>A</0>: specialvärde, behåll <0>A</0> poster från uppströms",
+    "rewrite_AAAA": "<0>AAAA</0>: specialvärde, behåll <0>AAAA</0> poster från uppströms",
+    "disable_ipv6": "Inaktivera upplösning av IPv6 adresser",
+    "disable_ipv6_desc": "Kasta alla DNS-frågor för IPv6-adresser (typ AAAA).",
+    "fastest_addr": "Snabbaste IP adressen",
+    "fastest_addr_desc": "Fråga alla DNS servrar och returnera den snabbaste IP adressen bland alla svar. Detta saktar ner DNS-frågor eftersom AdGuard Home måste vänta på svar från alla DNS servrar, men förbättrar den övergripande anslutningen.",
+    "autofix_warning_text": "Om du klickar på \"Fix\" kommer AdGuard Home att konfigurera ditt system för att använda AdGuard Home DNS server.",
+    "autofix_warning_list": "Den kommer att utföra följande uppgifter: <0>Avaktivera system DNSStubListener</0> <0>Sätt DNS serveradress till 127.0.0.1</0> <0>Ersätt symboliskt länkmål för /etc/resolv.conf med /run/systemd /resolve/resolv.conf</0> <0>Stoppa DNSStubListener (ladda om systemd-resolved tjänst)</0>",
+    "autofix_warning_result": "Som ett resultat kommer alla DNS-förfrågningar från ditt system att behandlas av AdGuard Home som standard.",
+    "tags_title": "Taggar",
+    "tags_desc": "Du kan välja de taggar som motsvarar klienten. Taggar kan inkluderas i filtreringsreglerna och låter dig tillämpa dem mer exakt. <0>Läs mer</0>",
+    "form_select_tags": "Välj klienttaggar",
+    "check_title": "Kontrollera filtreringen",
+    "check_desc": "Kontrollera om värdnamnet är filtrerat",
+    "check": "Kontrollera",
+    "form_enter_host": "Ange ett värdnamn",
+    "filtered_custom_rules": "Filtrerat efter anpassade filtreringsregler",
+    "choose_from_list": "Välj från listan",
+    "add_custom_list": "Lägg till en anpassad lista",
+    "host_whitelisted": "Värden är tillåten",
+    "check_ip": "IP adresser: {{ip}}",
+    "check_cname": "CNAME: {{cname}}",
+    "check_reason": "Anledning: {{reason}}",
+    "check_service": "Service namn: {{service}}",
+    "service_name": "Service namn",
+    "check_not_found": "Hittades inte i dina filterlistor",
+    "client_confirm_block": "Är du säker på att du vill blockera klienten \"{{ip}}\"?",
+    "client_confirm_unblock": "Är du säker på att du vill avblockera klienten \"{{ip}}\"?",
+    "client_blocked": "Klienten \"{{ip}}\" har blockerats",
+    "client_unblocked": "Klienten \"{{ip}}\" har avblockerats",
+    "static_ip": "Statisk IP adress",
+    "static_ip_desc": "AdGuard Home är en server så den behöver en statisk IP-adress för att fungera korrekt. Annars kan din router vid något tillfälle tilldela en annan IP-adress till den här enheten.",
+    "set_static_ip": "Ställ in en statisk IP adress",
+    "install_static_ok": "Goda nyheter! Den statiska IP adressen är redan konfigurerad",
+    "install_static_error": "AdGuard Home kan inte konfigurera det automatiskt för detta nätverksgränssnitt. Vänligen leta efter en instruktion om hur du gör detta manuellt.",
+    "install_static_configure": "AdGuard Home har upptäckt att den dynamiska IP adressen <0>{{ip}}</0> används. Vill du att den ska ställas in som din statiska adress?",
+    "confirm_static_ip": "AdGuard Home kommer att konfigurera {{ip}} för att vara din statiska IP adress. Vill du fortsätta?",
+    "list_updated": "{{count}} listan uppdaterad",
+    "list_updated_plural": "{{count}} listor uppdaterade",
+    "dnssec_enable": "Aktivera DNSSEC",
+    "dnssec_enable_desc": "Ställ in DNSSEC flagga i de utgående DNS frågorna och kontrollera resultatet (DNSSEC-aktiverad upplösare krävs).",
+    "validated_with_dnssec": "Validerad med DNSSEC",
+    "all_queries": "Alla förfrågningar",
    "show_blocked_responses": "Blockerade",
    "show_whitelisted_responses": "Vitlistade",
    "show_processed_responses": "Utförda",
-    "blocked_adult_websites": "Blockerad av Föräldrakontrollen",
+    "blocked_safebrowsing": "Blockerad av Säker webbsökning",
+    "blocked_adult_websites": "Blockerad av Föräldrakontroll",
    "blocked_threats": "Blockerade hot",
    "allowed": "Vitlistade",
+    "filtered": "Filtrerad",
+    "rewritten": "Omskriven",
    "safe_search": "Säker surf",
+    "blocklist": "Blocklista",
+    "milliseconds_abbreviation": "ms",
+    "cache_size": "Cachestorlek",
+    "cache_size_desc": "DNS cachestorlek (i byte)",
+    "cache_ttl_min_override": "Åsidosätt minsta TTL",
+    "cache_ttl_max_override": "Åsidosätt maximal TTL",
+    "enter_cache_size": "Ange cachestorlek (byte)",
+    "enter_cache_ttl_min_override": "Ange minsta TTL (sekunder)",
+    "enter_cache_ttl_max_override": "Ange maximal TTL (sekunder)",
+    "cache_ttl_min_override_desc": "Förläng värden för korta time-to-live värden (sekunder) som tas emot från uppströms server när DNS svar cachelagras",
+    "cache_ttl_max_override_desc": "Ställ in ett maximalt värde för time-to-live (sekunder) för poster i DNS cachen",
+    "ttl_cache_validation": "Minsta cache TTL-värde måste vara mindre än eller lika med maxvärdet",
+    "cache_optimistic": "Optimistisk cachning",
+    "cache_optimistic_desc": "Få AdGuard Home att svara från cachen även när posterna har gått ut och försök även uppdatera dem.",
    "filter_category_general": "General",
    "filter_category_security": "säkerhet",
+    "filter_category_regional": "Regional",
    "filter_category_other": "Övrigt",
+    "filter_category_general_desc": "Listor som blockerar spårning och reklam på de flesta enheterna",
+    "filter_category_security_desc": "Listor utformade specifikt för att blockera skadliga domäner, nätfiske och bluffdomäner",
+    "filter_category_regional_desc": "Listor som fokuserar på regionala annonser och spårningsservrar",
+    "filter_category_other_desc": "Andra blockeringslistor",
+    "setup_config_to_enable_dhcp_server": "Ställ in konfiguration för att aktivera DHCP-server",
+    "original_response": "Ursprungligt svar",
+    "click_to_view_queries": "Klicka för att se förfrågningar",
+    "port_53_faq_link": "Port 53 är ofta upptagen av \"DNSStubListener\" eller \"systemd-resolved\" tjänster. Läs <0>denna instruktion</0> om hur du löser detta.",
+    "adg_will_drop_dns_queries": "AdGuard Home kommer att kasta alla DNS-frågor från den här klienten.",
+    "filter_allowlist": "VARNING: Denna åtgärd kommer också att utesluta regeln \"{{disallowed_rule}}\" från listan över tillåtna klienter.",
+    "last_rule_in_allowlist": "Det går inte att avvisa den här klienten eftersom att utesluta regeln \"{{disallowed_rule}}\" kommer att INAKTIVERA listan \"Tillåtna klienter\".",
+    "experimental": "Experimentell",
    "use_saved_key": "Använd den tidigare sparade nyckeln",
-    "parental_control": "Föräldrarkontroll"
+    "parental_control": "Föräldrakontroll",
+    "safe_browsing": "Säker surfning",
+    "served_from_cache": "{{value}} <i>(levereras från cache)</i>"
 }
--- a/client/src/__locales/tr.json
+++ b/client/src/__locales/tr.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "IPv6 adresi geçersiz",
    "form_error_ip_format": "IP adresi geçersiz",
    "form_error_mac_format": "MAC adresi geçersiz",
-    "form_error_client_id_format": "İstemci kimliği geçersiz",
+    "form_error_client_id_format": "İstemci kimliği yalnızca sayılar, küçük harfler ve kısa çizgiler içermelidir",
    "form_error_server_name": "Sunucu adı geçersiz",
    "form_error_subnet": "\"{{cidr}}\" alt ağı, \"{{ip}}\" IP adresini içermiyor",
    "form_error_positive": "0'dan büyük olmalıdır",
@@ -53,7 +53,7 @@
    "greater_range_end_error": "Bitiş aralığından daha büyük olmalıdır",
    "subnet_error": "Adresler bir alt ağda olmalıdır",
    "gateway_or_subnet_invalid": "Alt ağ maskesi geçersiz",
-    "dhcp_form_gateway_input": "Ağ Geçidi IP'si",
+    "dhcp_form_gateway_input": "Ağ geçidi IP",
    "dhcp_form_subnet_input": "Alt ağ maskesi",
    "dhcp_form_range_title": "IP adresi aralığı",
    "dhcp_form_range_start": "Başlangıç aralığı",
@@ -138,7 +138,7 @@
    "average_processing_time": "Ortalama işlem süresi",
    "average_processing_time_hint": "Bir DNS isteğinin milisaniye cinsinden ortalama işlem süresi",
    "block_domain_use_filters_and_hosts": "Filtre ve ana bilgisayar listelerini kullanarak alan adlarını engelle",
-    "filters_block_toggle_hint": "<a>Filtreler</a> sayfasından engelleme kurallarını ayarlayabilirsiniz.",
+    "filters_block_toggle_hint": "<a>Filtreler</a> ayarlarında engelleme kuralları oluşturabilirsiniz.",
    "use_adguard_browsing_sec": "AdGuard gezinti koruması web hizmetini kullan",
    "use_adguard_browsing_sec_hint": "AdGuard Home, alan adının gezinti koruması web hizmeti tarafından engellenip engellenmediğini kontrol eder. Kontrolü gerçekleştirmek için gizlilik dostu arama API'sini kullanır: sunucuya yalnızca SHA256 karma alan adının kısa bir ön eki gönderilir.",
    "use_adguard_parental": "AdGuard ebeveyn denetimi web hizmetini kullan",
@@ -165,10 +165,10 @@
    "enabled_filtering_toast": "Filtreleme etkin",
    "disabled_safe_browsing_toast": "Güvenli Gezinti devre dışı bırakıldı",
    "enabled_safe_browsing_toast": "Güvenli Gezinti etkinleştirildi",
-    "disabled_parental_toast": "Ebeveyn denetimi devre dışı",
-    "enabled_parental_toast": "Ebeveyn denetimi etkin",
-    "disabled_safe_search_toast": "Güvenli arama devre dışı",
-    "enabled_save_search_toast": "Güvenli arama etkin",
+    "disabled_parental_toast": "Ebeveyn denetimi devre dışı bırakıldı",
+    "enabled_parental_toast": "Ebeveyn denetimi etkinleştirildi",
+    "disabled_safe_search_toast": "Güvenli arama devre dışı bırakıldı",
+    "enabled_save_search_toast": "Güvenli arama etkinleştirildi",
    "enabled_table_header": "Etkin",
    "name_table_header": "İsim",
    "list_url_table_header": "Liste URL'si",
@@ -178,7 +178,7 @@
    "request_table_header": "İstek",
    "edit_table_action": "Düzenle",
    "delete_table_action": "Sil",
-    "elapsed": "Geçen zaman",
+    "elapsed": "Geçen süre",
    "filters_and_hosts_hint": "AdGuard Home, temel reklam engelleme kurallarını ve ana bilgisayar engelleme dosyalarının söz dizimini anlar.",
    "no_blocklist_added": "Engel listesi eklenmedi",
    "no_whitelist_added": "İzin listesi eklenmedi",
@@ -327,10 +327,10 @@
    "install_submit_desc": "Yükleme işlemi tamamlandı ve artık AdGuard Home'u kullanmaya hazırsınız.",
    "install_devices_router": "Yönlendirici",
    "install_devices_router_desc": "Bu kurulum, ev yönlendiricinize bağlı tüm cihazları otomatik olarak kapsar ve her birini elle yapılandırmanıza gerek yoktur.",
-    "install_devices_address": "AdGuard Home DNS sunucusu şu adresi dinleyecektir",
+    "install_devices_address": "AdGuard Home DNS sunucusu aşağıdaki adresleri dinliyor",
    "install_devices_router_list_1": "Yönlendiricinizin ayarlarına gidin. Genellikle tarayıcınızdan http://192.168.0.1/ veya http://192.168.1.1/ gibi bir URL aracılığıyla erişebilirsiniz. Bir parola girmeniz istenebilir. Hatırlamıyorsanız, genellikle yönlendiricinin üzerindeki bir düğmeye basarak parolayı sıfırlayabilirsiniz, ancak bu işlemin seçilmesi durumunda yüksek ihtimalle tüm yönlendirici yapılandırmasını kaybedeceğinizi unutmayın. Yönlendiricinizin kurulumu için bir uygulama gerekiyorsa, lütfen uygulamayı telefonunuza veya PC'nize yükleyin ve yönlendiricinin ayarlarına erişmek için kullanın.",
    "install_devices_router_list_2": "DHCP/DNS ayarlarını bulun. DNS satırlarını arayın, genelde iki veya üç tanedir, üç rakam girilebilen dört ayrı grup içeren satırdır.",
-    "install_devices_router_list_3": "AdGuard Home sunucusunun adresini o kısma yazın.",
+    "install_devices_router_list_3": "AdGuard Home sunucu adreslerinizi oraya girin.",
    "install_devices_router_list_4": "Bazı yönlendirici türlerinde özel bir DNS sunucusu ayarlanamaz. Bu durumda, AdGuard Home'u <0>DHCP sunucusu</0> olarak ayarlamak yardımcı olabilir. Aksi takdirde, yönlendirici modeliniz için DNS sunucularını nasıl ayarlayacağınız konusunda yönlendirici kılavuzuna bakmalısınız.",
    "install_devices_windows_list_1": "Başlat menüsünden veya Windows araması aracılığıyla Denetim Masası'nı açın.",
    "install_devices_windows_list_2": "Ağ ve İnternet kategorisine girin ve ardından Ağ ve Paylaşım Merkezi'ne girin.",
@@ -339,15 +339,15 @@
    "install_devices_windows_list_5": "Listede \"İnternet Protokolü Sürüm 4 (TCP/IPv4)\" (veya IPv6 için \"İnternet Protokolü Sürüm 6 (TCP/IPv6)\") öğesini bulun, seçin ve ardından tekrar Özellikler'e tıklayın.",
    "install_devices_windows_list_6": "\"Aşağıdaki DNS sunucu adreslerini kullan\"ı seçin ve AdGuard Home sunucu adreslerinizi girin.",
    "install_devices_macos_list_1": "Apple simgesinde bulunan Sistem Tercihleri'ne tıklayın.",
-    "install_devices_macos_list_2": "Ağ seçeneğine tıklayın.",
+    "install_devices_macos_list_2": "Ağ'a tıklayın.",
    "install_devices_macos_list_3": "Listedeki ilk bağlantıyı seçin ve Gelişmiş öğesine tıklayın.",
    "install_devices_macos_list_4": "DNS sekmesini seçin ve AdGuard Home sunucunuzun adreslerini girin.",
-    "install_devices_android_list_1": "Android cihazınızda Ayarlar simgesine dokunun.",
+    "install_devices_android_list_1": "Android Menüsü ana ekranından Ayarlar'a dokunun.",
    "install_devices_android_list_2": "Menüde bulunan Wi-Fi seçeneğine dokunun. Mevcut tüm ağlar listelenecektir (mobil ağlar için özel DNS sunucusu ayarlanamaz).",
    "install_devices_android_list_3": "Bağlı olduğunuz ağın üzerine basılı tutun ve Ağı Değiştir'e dokunun.",
    "install_devices_android_list_4": "Bazı cihazlarda, diğer ayarları görmek için \"Gelişmiş\" seçeneğini seçmeniz gerekebilir. Android DNS ayarlarınızı yapmak için IP ayarlarını DHCP modundan Statik moda almanız gerekecektir.",
    "install_devices_android_list_5": "DNS 1 ve DNS 2 değerlerini AdGuard Home sunucunuzun adresleriyle değiştirin.",
-    "install_devices_ios_list_1": "Ana ekrandaki Ayarlar simgesine dokunun.",
+    "install_devices_ios_list_1": "Ana ekrandan Ayarlar'a dokunun.",
    "install_devices_ios_list_2": "Sol menüde bulunan Wi-Fi bölümüne girin (mobil ağlar için özel DNS sunucusu ayarlanamaz).",
    "install_devices_ios_list_3": "Bağlı olduğunuz ağın ismine dokunun.",
    "install_devices_ios_list_4": "DNS alanına AdGuard Home sunucunuzun adreslerini girin.",
@@ -386,8 +386,8 @@
    "encryption_issuer": "Sağlayan",
    "encryption_hostnames": "Ana bilgisayar adları",
    "encryption_reset": "Şifreleme ayarlarını sıfırlamak istediğinizden emin misiniz?",
-    "topline_expiring_certificate": "SSL sertifikanızın süresi dolmak üzere. <0>Şifreleme ayarlarını</0> güncelleyin.",
-    "topline_expired_certificate": "SSL sertifikanızın süresi doldu. <0>Şifreleme ayarlarını</0> güncelleyin.",
+    "topline_expiring_certificate": "SSL sertifikanızın süresi sona erdi. <0>Şifreleme ayarlarını</0> güncelleyin.",
+    "topline_expired_certificate": "SSL sertifikanızın süresi sona erdi. <0>Şifreleme ayarlarını</0> güncelleyin.",
    "form_error_port_range": "80-65535 aralığında geçerli bir bağlantı noktası değeri girin",
    "form_error_port_unsafe": "Bu bağlantı noktası güvenli değil",
    "form_error_equal": "Aynı olmamalı",
@@ -403,6 +403,7 @@
    "dns_providers": "Aralarından seçim yapabileceğiniz, bilinen <0>DNS sağlayıcıların listesi</0>.",
    "update_now": "Şimdi güncelle",
    "update_failed": "Otomatik güncelleme başarısız oldu. Elle güncellemek için lütfen <a>bu adımları uygulayın</a>.",
+    "manual_update": "Elle güncellemek için lütfen <a>bu adımları uygulayın</a>.",
    "processing_update": "Lütfen bekleyin, AdGuard Home güncelleniyor",
    "clients_title": "İstemciler",
    "clients_desc": "AdGuard Home'a bağlı cihazları yapılandırın",
@@ -417,7 +418,7 @@
    "client_identifier": "Tanımlayıcı",
    "ip_address": "IP adresi",
    "client_identifier_desc": "İstemciler IP adresi, CIDR, MAC adresi veya özel bir istemci kimliği ile tanımlanabilir (DoT/DoH/DoQ için kullanılabilir). İstemcileri nasıl tanımlayacağınız hakkında daha fazla bilgiyi <0>burada</0> bulabilirsiniz.",
-    "form_enter_ip": "IP adresi girin",
+    "form_enter_ip": "IP girin",
    "form_enter_subnet_ip": "\"{{cidr}}\" alt ağına bir IP adresi girin",
    "form_enter_mac": "MAC adresi girin",
    "form_enter_id": "Tanımlayıcı girin",
@@ -439,7 +440,7 @@
    "access_allowed_desc": "CIDR'lerin, IP adreslerinin veya istemci kimliklerinin listesi. Yapılandırılırsa, AdGuard Home yalnızca bu istemcilerden gelen istekleri kabul eder.",
    "access_disallowed_title": "İzin verilmeyen istemciler",
    "access_disallowed_desc": "CIDR'lerin, IP adreslerinin veya istemci kimliklerinin listesi. Yapılandırılırsa, AdGuard Home bu istemcilerden gelen istekleri keser. İzin verilen istemciler yapılandırılırsa, bu alan yok sayılır.",
-    "access_blocked_title": "Engellenen alan adları",
+    "access_blocked_title": "İzin verilmeyen alan adları",
    "access_blocked_desc": "Bu işlem filtrelerle ilgili değildir. AdGuard Home, bu alan adlarından gelen DNS sorgularını yanıtsız bırakır ve bu sorgular sorgu günlüğünde görünmez. Tam alan adlarını, joker karakterleri veya URL filtre kurallarını belirtebilirsiniz, ör. \"example.org\", \"*.example.org\" veya \"||example.org^\".",
    "access_settings_saved": "Erişim ayarları başarıyla kaydedildi!",
    "updates_checked": "Güncelleme kontrolü başarılı",
@@ -601,8 +602,8 @@
    "cache_ttl_min_override": "Minimum TTL'i değiştir",
    "cache_ttl_max_override": "Maksimum TTL'i değiştir",
    "enter_cache_size": "Önbellek boyutunu girin (bayt)",
-    "enter_cache_ttl_min_override": "Minimum TTL değerini girin (saniye)",
-    "enter_cache_ttl_max_override": "Maksimum TTL değerini girin (saniye)",
+    "enter_cache_ttl_min_override": "Minimum TTL değerini girin (saniye olarak)",
+    "enter_cache_ttl_max_override": "Maksimum TTL değerini girin (saniye olarak)",
    "cache_ttl_min_override_desc": "DNS yanıtlarını önbelleğe alırken üst sunucudan alınan kullanım süresi değerini uzatın (saniye olarak)",
    "cache_ttl_max_override_desc": "DNS önbelleğindeki girişler için maksimum kullanım süresi değerini ayarlayın (saniye olarak)",
    "ttl_cache_validation": "Minimum önbellek TTL değeri, maksimum değerden küçük veya bu değere eşit olmalıdır",
@@ -626,5 +627,6 @@
    "experimental": "Deneysel",
    "use_saved_key": "Önceden kaydedilmiş anahtarı kullan",
    "parental_control": "Ebeveyn Denetimi",
-    "safe_browsing": "Güvenli Gezinti"
+    "safe_browsing": "Güvenli Gezinti",
+    "served_from_cache": "{{value}} <i>(önbellekten kullanıldı)</i>"
 }
--- a/client/src/__locales/uk.json
+++ b/client/src/__locales/uk.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "Неправильна IPv6-адреса",
    "form_error_ip_format": "Неправильна IP-адреса",
    "form_error_mac_format": "Неправильна MAC-адреса",
-    "form_error_client_id_format": "Неправильний ID клієнта",
+    "form_error_client_id_format": "ID клієнта має містити лише цифри, малі букви та дефіси",
    "form_error_server_name": "Неправильна назва сервера",
    "form_error_subnet": "Підмережа «{{cidr}}» не містить IP-адресу «{{ip}}»",
    "form_error_positive": "Повинно бути більше 0",
--- a/client/src/__locales/zh-cn.json
+++ b/client/src/__locales/zh-cn.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "无效的 IPv6 地址",
    "form_error_ip_format": "无效的 IP 地址",
    "form_error_mac_format": "无效的 MAC 地址",
-    "form_error_client_id_format": "无效的客户端 ID",
+    "form_error_client_id_format": "无效的客户端 ID 格式客户 ID 必须只包含数字、小写字母和连字符",
    "form_error_server_name": "无效的服务器名",
    "form_error_subnet": "子网 \"{{cidr}}\" 不包含 IP 地址 \"{{ip}}\"",
    "form_error_positive": "必须大于 0",
@@ -403,6 +403,7 @@
    "dns_providers": "此为可从中选择的<0>已知 DNS 提供商列表</0>。",
    "update_now": "立即更新",
    "update_failed": "自动更新失败。请<a>跟随这些步骤</a>以手动更新。",
+    "manual_update": "请跟随<a>此步骤</a>以进行手动更新。",
    "processing_update": "正在更新 AdGuard Home，请稍侯",
    "clients_title": "客户端",
    "clients_desc": "配置已连接到 AdGuard Home 的设备",
@@ -588,7 +589,7 @@
    "show_whitelisted_responses": "已列入白名单",
    "show_processed_responses": "已处理",
    "blocked_safebrowsing": "被安全浏览阻止",
-    "blocked_adult_websites": "已由家长控制拦截",
+    "blocked_adult_websites": "被家长控制阻止",
    "blocked_threats": "拦截的威胁",
    "allowed": "允许项",
    "filtered": "已过滤",
--- a/client/src/__locales/zh-tw.json
+++ b/client/src/__locales/zh-tw.json
@@ -43,7 +43,7 @@
    "form_error_ip6_format": "無效的 IPv6 位址",
    "form_error_ip_format": "無效的 IP 位址",
    "form_error_mac_format": "無效的媒體存取控制（MAC）位址",
-    "form_error_client_id_format": "無效的用戶端 ID",
+    "form_error_client_id_format": "用戶端 ID 必須只包含數字、小寫字母和連字號",
    "form_error_server_name": "無效的伺服器名稱",
    "form_error_subnet": "子網路 \"{{cidr}}\" 不包含該 IP 位址 \"{{ip}}\"",
    "form_error_positive": "必須大於 0",
@@ -146,7 +146,7 @@
    "enforce_safe_search": "使用安全搜尋",
    "enforce_save_search_hint": "AdGuard Home 將在下列的搜尋引擎：Google、YouTube、Bing、DuckDuckGo、Yandex 和 Pixabay 中強制執行安全搜尋。",
    "no_servers_specified": "無已明確指定的伺服器",
-    "general_settings": "一般的設定",
+    "general_settings": "一般設定",
    "dns_settings": "DNS 設定",
    "dns_blocklists": "DNS 封鎖清單",
    "dns_allowlists": "DNS 允許清單",
@@ -403,6 +403,7 @@
    "dns_providers": "這裡是一個從中選擇之<0>已知的 DNS 供應商之清單</0>。",
    "update_now": "立即更新",
    "update_failed": "自動更新已失敗。請<a>遵循這些步驟</a>以手動地更新。",
+    "manual_update": "請<a>遵循這些步驟</a>以手動地更新。",
    "processing_update": "請稍候，AdGuard Home 正被更新",
    "clients_title": "用戶端",
    "clients_desc": "配置被連線到 AdGuard Home 的裝置",
--- a/client/src/actions/index.js
+++ b/client/src/actions/index.js
@@ -13,7 +13,7 @@ import {
    STATUS_RESPONSE,
    SETTINGS_NAMES,
    FORM_NAME,
-    GETTING_STARTED_LINK,
+    MANUAL_UPDATE_LINK,
 } from '../helpers/constants';
 import { areEqualVersions } from '../helpers/version';
 import { getTlsStatus } from './encryption';
@@ -193,7 +193,7 @@ export const getUpdate = () => async (dispatch, getState) => {
    const handleRequestError = () => {
        const options = {
            components: {
-                a: <a href={GETTING_STARTED_LINK} target="_blank"
+                a: <a href={MANUAL_UPDATE_LINK} target="_blank"
                      rel="noopener noreferrer" />,
            },
        };
--- a/client/src/components/Settings/Clients/ClientsTable.js
+++ b/client/src/components/Settings/Clients/ClientsTable.js
@@ -4,7 +4,7 @@ import { Trans, withTranslation } from 'react-i18next';
 import ReactTable from 'react-table';

 import { MODAL_TYPE } from '../../../helpers/constants';
-import { splitByNewLine, countClientsStatistics } from '../../../helpers/helpers';
+import { splitByNewLine, countClientsStatistics, sortIp } from '../../../helpers/helpers';
 import Card from '../../ui/Card';
 import Modal from './Modal';
 import CellWrap from '../../ui/CellWrap';
@@ -106,6 +106,7 @@ class ClientsTable extends Component {
                    </div>
                );
            },
+            sortMethod: sortIp,
        },
        {
            Header: this.props.t('table_name'),
--- a/client/src/components/ui/UpdateTopline.js
+++ b/client/src/components/ui/UpdateTopline.js
@@ -1,8 +1,10 @@
 import React from 'react';
 import { Trans } from 'react-i18next';
 import { shallowEqual, useDispatch, useSelector } from 'react-redux';
+
 import Topline from './Topline';
 import { getUpdate } from '../../actions';
+import { MANUAL_UPDATE_LINK } from '../../helpers/constants';

 const UpdateTopline = () => {
    const {
@@ -29,16 +31,27 @@ const UpdateTopline = () => {
            >
                update_announcement
            </Trans>
-            {canAutoUpdate
-            && <button
-                type="button"
-                className="btn btn-sm btn-primary ml-3"
-                onClick={handleUpdate}
-                disabled={processingUpdate}
-            >
-                <Trans>update_now</Trans>
-            </button>
-            }
+            &nbsp;
+            {canAutoUpdate ? (
+                <button
+                    type="button"
+                    className="btn btn-sm btn-primary ml-3"
+                    onClick={handleUpdate}
+                    disabled={processingUpdate}
+                >
+                    <Trans>update_now</Trans>
+                </button>
+            ) : (
+                <Trans components={{
+                    a: (
+                        <a href={MANUAL_UPDATE_LINK} target="_blank" rel="noopener noreferrer" key="0">
+                            Link
+                        </a>
+                    ),
+                }}>
+                    manual_update
+                </Trans>
+            )}
        </>
    </Topline>;
 };
--- a/client/src/components/ui/Version.js
+++ b/client/src/components/ui/Version.js
@@ -13,6 +13,12 @@ const Version = () => {
        checkUpdateFlag,
    } = useSelector((state) => state?.dashboard ?? {}, shallowEqual);

+    const {
+        dnsVersion: installDnsVersion,
+    } = useSelector((state) => state?.install ?? {}, shallowEqual);
+
+    const version = dnsVersion || installDnsVersion;
+
    const onClick = () => {
        dispatch(getVersion(true));
    };
@@ -20,11 +26,12 @@ const Version = () => {
    return (
        <div className="version">
            <div className="version__text">
-                {dnsVersion
-                && <>
-                    <Trans>version</Trans>:&nbsp;
-                    <span className="version__value" title={dnsVersion}>{dnsVersion}</span>
-                </>}
+                {version && (
+                    <>
+                        <Trans>version</Trans>:&nbsp;
+                        <span className="version__value" title={version}>{version}</span>
+                    </>
+                )}
                {checkUpdateFlag && <button
                    type="button"
                    className="btn btn-icon btn-icon-sm btn-outline-primary btn-sm ml-2"
--- a/client/src/helpers/constants.js
+++ b/client/src/helpers/constants.js
@@ -58,7 +58,7 @@ export const REPOSITORY = {
 export const PRIVACY_POLICY_LINK = 'https://adguard.com/privacy/home.html';
 export const PORT_53_FAQ_LINK = 'https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#bindinuse';
 export const UPSTREAM_CONFIGURATION_WIKI_LINK = 'https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams';
-export const GETTING_STARTED_LINK = 'https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#update';
+export const MANUAL_UPDATE_LINK = 'https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#manual-update';

 export const FILTERS_RELATIVE_LINK = '#filters';

--- a/client/src/helpers/helpers.js
+++ b/client/src/helpers/helpers.js
@@ -754,8 +754,10 @@ const getAddressesComparisonBytes = (item) => {
 */
 export const sortIp = (a, b) => {
    try {
-        const comparisonBytesA = getAddressesComparisonBytes(a);
-        const comparisonBytesB = getAddressesComparisonBytes(b);
+        const comparisonBytesA = Array.isArray(a)
+            ? getAddressesComparisonBytes(a[0]) : getAddressesComparisonBytes(a);
+        const comparisonBytesB = Array.isArray(b)
+            ? getAddressesComparisonBytes(b[0]) : getAddressesComparisonBytes(b);

        for (let i = 0; i < comparisonBytesA.length; i += 1) {
            const byteA = comparisonBytesA[i];
--- a/client/src/reducers/install.js
+++ b/client/src/reducers/install.js
@@ -12,13 +12,19 @@ const install = handleActions({
    [actions.getDefaultAddressesRequest]: (state) => ({ ...state, processingDefault: true }),
    [actions.getDefaultAddressesFailure]: (state) => ({ ...state, processingDefault: false }),
    [actions.getDefaultAddressesSuccess]: (state, { payload }) => {
-        const { interfaces } = payload;
+        const { interfaces, version } = payload;
        const web = { ...state.web, port: payload.web_port };
        const dns = { ...state.dns, port: payload.dns_port };

        const newState = {
-            ...state, web, dns, interfaces, processingDefault: false,
+            ...state,
+            web,
+            dns,
+            interfaces,
+            processingDefault: false,
+            dnsVersion: version,
        };
+
        return newState;
    },

@@ -64,6 +70,7 @@ const install = handleActions({
        error: '',
    },
    interfaces: {},
+    dnsVersion: '',
 });

 export default combineReducers({
--- a/client/src/reducers/queryLogs.js
+++ b/client/src/reducers/queryLogs.js
@@ -28,11 +28,7 @@ const queryLogs = handleActions(
            };
        },

-        [actions.setLogsFilterRequest]: (state, { payload }) => {
-            const { filter } = payload;
-
-            return { ...state, filter };
-        },
+        [actions.setLogsFilterRequest]: (state, { payload }) => ({ ...state, filter: payload }),

        [actions.getLogsRequest]: (state) => ({ ...state, processingGetLogs: true }),
        [actions.getLogsFailure]: (state) => ({ ...state, processingGetLogs: false }),
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,25 @@
 module github.com/AdguardTeam/AdGuardHome

-go 1.16
+go 1.17

 require (
-	github.com/AdguardTeam/dnsproxy v0.40.3-0.20211229125141-da9b0c6cf76a
-	github.com/AdguardTeam/golibs v0.10.3
-	github.com/AdguardTeam/urlfilter v0.15.1
+	github.com/AdguardTeam/dnsproxy v0.41.1
+	github.com/AdguardTeam/golibs v0.10.4
+	github.com/AdguardTeam/urlfilter v0.15.2
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.3
 	github.com/digineo/go-ipset/v2 v2.2.1
 	github.com/fsnotify/fsnotify v1.5.1
-	github.com/go-ping/ping v0.0.0-20210506233800-ff8be3320020
-	github.com/google/go-cmp v0.5.5
+	github.com/go-ping/ping v0.0.0-20211130115550-779d1e919534
+	github.com/google/go-cmp v0.5.6
 	github.com/google/gopacket v1.1.19
 	github.com/google/renameio v1.0.1
-	github.com/insomniacslk/dhcp v0.0.0-20210310193751-cfd4d47082c2
+	github.com/insomniacslk/dhcp v0.0.0-20211214070828-5297eed8f489
 	github.com/kardianos/service v1.2.0
-	github.com/lucas-clemente/quic-go v0.24.0
+	github.com/lucas-clemente/quic-go v0.25.0
 	github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7
-	github.com/mdlayher/netlink v1.4.0
-	github.com/mdlayher/raw v0.0.0-20210412142147-51b895745faf
+	github.com/mdlayher/netlink v1.5.0
+	github.com/mdlayher/raw v0.0.0-20211126142749-4eae47f3d54b
 	github.com/miekg/dns v1.1.45
 	github.com/satori/go.uuid v1.2.0
 	github.com/stretchr/testify v1.7.0
@@ -30,7 +30,37 @@ require (
 	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v2 v2.4.0
-	howett.net/plist v0.0.0-20201203080718-1454fab16a06
+	howett.net/plist v1.0.0
 )

-require github.com/stretchr/objx v0.1.1 // indirect
+require (
+	github.com/BurntSushi/toml v0.4.1 // indirect
+	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
+	github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 // indirect
+	github.com/ameshkov/dnsstamps v1.0.3 // indirect
+	github.com/beefsack/go-rate v0.0.0-20200827232406-6cde80facd47 // indirect
+	github.com/cheekybits/genny v1.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
+	github.com/marten-seemann/qtls-go1-16 v0.1.4 // indirect
+	github.com/marten-seemann/qtls-go1-17 v0.1.0 // indirect
+	github.com/marten-seemann/qtls-go1-18 v0.1.0-beta.1 // indirect
+	github.com/mdlayher/socket v0.1.1 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/objx v0.1.1 // indirect
+	github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 // indirect
+	golang.org/x/mod v0.5.1 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/tools v0.1.8 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	honnef.co/go/tools v0.2.2 // indirect
+)
--- a/go.sum
+++ b/go.sum
@@ -7,18 +7,19 @@ dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBr
 dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4=
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
-github.com/AdguardTeam/dnsproxy v0.40.3-0.20211229125141-da9b0c6cf76a h1:m+84VGYbDBq55L5apbHj1UqbZOcK1lqmnZVlBvzycmk=
-github.com/AdguardTeam/dnsproxy v0.40.3-0.20211229125141-da9b0c6cf76a/go.mod h1:+NlQl9lcVKjbecYlCumfjMzDk2BblySEX7WOHhQBbXk=
+github.com/AdguardTeam/dnsproxy v0.41.1 h1:sDWami83ZNp0XNdWsLECwIX/hPI5UnVrotRtPnrgDuo=
+github.com/AdguardTeam/dnsproxy v0.41.1/go.mod h1:PZ9l22h3Er+5mxFQB7oHZMTvx+aa9R6LbzA/ikXQlS0=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.4.2/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
-github.com/AdguardTeam/golibs v0.9.2/go.mod h1:fCAMwPBJ8S7YMYbTWvYS+eeTLblP5E04IDtNAo7y7IY=
-github.com/AdguardTeam/golibs v0.10.3 h1:FBgk17zf35ESVWQKIqEUiqqB2bDaCBC8X5vMU760yB4=
 github.com/AdguardTeam/golibs v0.10.3/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
+github.com/AdguardTeam/golibs v0.10.4 h1:TMBkablZC0IZOpRgg9fzAKlxxNhSN2YJq7qbgtuZ7PQ=
+github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
 github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
-github.com/AdguardTeam/urlfilter v0.15.1 h1:dP6S7J6eFAk8MN4IDpUq2fZoBo8K8fmc6pXpxNIv84M=
-github.com/AdguardTeam/urlfilter v0.15.1/go.mod h1:EwXwrYhowP7bedqmOrmKKmQtpBYFyDNEBFQ+lxdUgQU=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/AdguardTeam/urlfilter v0.15.2 h1:LZGgrm4l4Ys9eAqB+UUmZfiC6vHlDlYFhx0WXqo6LtQ=
+github.com/AdguardTeam/urlfilter v0.15.2/go.mod h1:46YZDOV1+qtdRDuhZKVPSSp7JWWes0KayqHrKAFBdEI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
+github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA=
@@ -40,6 +41,8 @@ github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBT
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
 github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
+github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -52,6 +55,7 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
@@ -61,8 +65,8 @@ github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aev
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY=
 github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-ping/ping v0.0.0-20210506233800-ff8be3320020 h1:mdi6AbCEoKCA1xKCmp7UtRB5fvGFlP92PvlhxgdvXEw=
-github.com/go-ping/ping v0.0.0-20210506233800-ff8be3320020/go.mod h1:KmHOjTUmJh/l04ukqPoBWPEZr9jwN05h5NXQl5C+DyY=
+github.com/go-ping/ping v0.0.0-20211130115550-779d1e919534 h1:dhy9OQKGBh4zVXbjwbxxHjRxMJtLXj3zfgpBYQaR4Q4=
+github.com/go-ping/ping v0.0.0-20211130115550-779d1e919534/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -91,8 +95,9 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
@@ -101,6 +106,9 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/renameio v1.0.1 h1:Lh/jXZmvZxb0BBeSY5VKEfidcbcbenKjZFzM/q0fSeU=
 github.com/google/renameio v1.0.1/go.mod h1:t/HQoYBZSsWSNK35C6CO/TpPLDVWvxOHboWUAweKUpk=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -109,8 +117,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpg
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
-github.com/insomniacslk/dhcp v0.0.0-20210310193751-cfd4d47082c2 h1:NpTIlXznCStsY88jU+Gh1Dy5dt/jYV4z4uU8h2TUOt4=
-github.com/insomniacslk/dhcp v0.0.0-20210310193751-cfd4d47082c2/go.mod h1:TKl4jN3Voofo4UJIicyNhWGp/nlQqQkFxmwIFTvBkKI=
+github.com/insomniacslk/dhcp v0.0.0-20211214070828-5297eed8f489 h1:jhdHqd7DxBrzfuFSoPxjD6nUVaV/1RIn9aHA0WCf/as=
+github.com/insomniacslk/dhcp v0.0.0-20211214070828-5297eed8f489/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
@@ -123,8 +131,10 @@ github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN
 github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391/go.mod h1:cR77jAZG3Y3bsb8hF6fHJbFoyFukLFOkQ98S0pQz3xw=
 github.com/jsimonetti/rtnetlink v0.0.0-20201220180245-69540ac93943/go.mod h1:z4c53zj6Eex712ROyh8WI0ihysb5j2ROyV42iNogmAs=
 github.com/jsimonetti/rtnetlink v0.0.0-20210122163228-8d122574c736/go.mod h1:ZXpIyOK59ZnN7J0BV99cZUPmsqDRZ3eq5X+st7u/oSA=
-github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b h1:c3NTyLNozICy8B4mlMXemD3z/gXgQzVXZS/HqT+i3do=
 github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b/go.mod h1:8w9Rh8m+aHZIG69YPGGem1i5VzoyRC8nw2kA8B+ik5U=
+github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190/go.mod h1:NmKSdU4VGSiv1bMsdqNALI4RSvvjtz65tTMCnD05qLo=
+github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786 h1:N527AHMa793TP5z5GNAn/VLPzlc0ewzWdeP/25gDfgQ=
+github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786/go.mod h1:v4hqbTdfQngbVSZJVWUhGE/lbTFf9jb+ygmNUDQMuOs=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
@@ -132,13 +142,15 @@ github.com/kardianos/service v1.2.0 h1:bGuZ/epo3vrt8IPC7mnKQolqFeYJb7Cs8Rk4PSOBB
 github.com/kardianos/service v1.2.0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucas-clemente/quic-go v0.24.0 h1:ToR7SIIEdrgOhgVTHvPgdVRJfgVy+N0wQAagH7L4d5g=
 github.com/lucas-clemente/quic-go v0.24.0/go.mod h1:paZuzjXCE5mj6sikVLMvqXk8lJV2AsqtJ6bDhjEfxx0=
+github.com/lucas-clemente/quic-go v0.25.0 h1:K+X9Gvd7JXsOHtU0N2icZ2Nw3rx82uBej3mP4CLgibc=
+github.com/lucas-clemente/quic-go v0.25.0/go.mod h1:YtzP8bxRVCBlO77yRanE264+fY/T2U9ZlW1AaHOsMOg=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/marten-seemann/qpack v0.2.1/go.mod h1:F7Gl5L1jIgN1D11ucXefiuJS9UMVP2opoCp2jDKb7wc=
@@ -147,11 +159,14 @@ github.com/marten-seemann/qtls-go1-16 v0.1.4 h1:xbHbOGGhrenVtII6Co8akhLEdrawwB2i
 github.com/marten-seemann/qtls-go1-16 v0.1.4/go.mod h1:gNpI2Ol+lRS3WwSOtIUUtRwZEQMXjYK+dQSBFbethAk=
 github.com/marten-seemann/qtls-go1-17 v0.1.0 h1:P9ggrs5xtwiqXv/FHNwntmuLMNq3KaSIG93AtAZ48xk=
 github.com/marten-seemann/qtls-go1-17 v0.1.0/go.mod h1:fz4HIxByo+LlWcreM4CZOYNuz3taBQ8rN2X6FqvaWo8=
+github.com/marten-seemann/qtls-go1-18 v0.1.0-beta.1 h1:EnzzN9fPUkUck/1CuY1FlzBaIYMoiBsdwTNmNGkwUUM=
+github.com/marten-seemann/qtls-go1-18 v0.1.0-beta.1/go.mod h1:PUhIQk19LoFt2174H4+an8TYvWOGjb/hHwphBeaDHwI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7 h1:lez6TS6aAau+8wXUP3G9I3TGlmPFEq2CTxBaRqY6AGE=
 github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
-github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43 h1:WgyLFv10Ov49JAQI/ZLUkCZ7VJS3r74hwFIGXJsgZlY=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
+github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60 h1:tHdB+hQRHU10CfcK0furo6rSNgZ38JT8uPh70c/pFD8=
+github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60/go.mod h1:aYbhishWc4Ai3I2U4Gaa2n3kHWSwzme6EsG/46HRQbE=
 github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0=
 github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc=
 github.com/mdlayher/netlink v0.0.0-20190313131330-258ea9dff42c/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
@@ -164,12 +179,19 @@ github.com/mdlayher/netlink v1.2.0/go.mod h1:kwVW1io0AZy9A1E2YYgaD4Cj+C+GPkU6klX
 github.com/mdlayher/netlink v1.2.1/go.mod h1:bacnNlfhqHqqLo4WsYeXSqfyXkInQ9JneWI68v1KwSU=
 github.com/mdlayher/netlink v1.2.2-0.20210123213345-5cc92139ae3e/go.mod h1:bacnNlfhqHqqLo4WsYeXSqfyXkInQ9JneWI68v1KwSU=
 github.com/mdlayher/netlink v1.3.0/go.mod h1:xK/BssKuwcRXHrtN04UBkwQ6dY9VviGGuriDdoPSWys=
-github.com/mdlayher/netlink v1.4.0 h1:n3ARR+Fm0dDv37dj5wSWZXDKcy+U0zwcXS3zKMnSiT0=
 github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGkAVrekmf8=
+github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
+github.com/mdlayher/netlink v1.5.0 h1:r4fa439+SsMarM0rMONU3iSshSV3ArVqJl6H/zjrhh4=
+github.com/mdlayher/netlink v1.5.0/go.mod h1:1Kr8BBFxGyUyNmztC9WLOayqYVAd2wsgOZm18nqGuzQ=
 github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/raw v0.0.0-20210412142147-51b895745faf h1:InctQoB89TIkmgIFQeIL4KXNvWc1iebQXdZggqPSwL8=
-github.com/mdlayher/raw v0.0.0-20210412142147-51b895745faf/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
+github.com/mdlayher/raw v0.0.0-20211126142749-4eae47f3d54b h1:MHcTarUMC4sFA7eiyR8IEJ6j2PgmgXR+B9X2IIMjh7A=
+github.com/mdlayher/raw v0.0.0-20211126142749-4eae47f3d54b/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
+github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
+github.com/mdlayher/socket v0.0.0-20211007213009-516dcbdf0267/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
+github.com/mdlayher/socket v0.1.0/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
+github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI=
+github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
 github.com/miekg/dns v1.1.40/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
@@ -257,12 +279,14 @@ github.com/tklauser/go-sysconf v0.3.9 h1:JeUVdAOWhhxVcU6Eqr/ATFHgXk/mmiItdKeJPev
 github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs=
 github.com/tklauser/numcpus v0.3.0 h1:ILuRUQBtssgnxw0XXIjKUC56fgnOrFoQQ/4+DeU2biQ=
 github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8=
-github.com/u-root/u-root v7.0.0+incompatible h1:u+KSS04pSxJGI5E7WE4Bs9+Zd75QjFv+REkjy/aoAc8=
-github.com/u-root/u-root v7.0.0+incompatible/go.mod h1:RYkpo8pTHrNjW08opNd/U6p/RJE7K0D8fXO0d47+3YY=
+github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 h1:XMAtQHwKjWHIRwg+8Nj/rzUomQY1q6cM3ncA0wP8GU4=
+github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
@@ -308,7 +332,6 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200904194848-62affa334b73/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201016165138-7b1cca2348c0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -317,13 +340,18 @@ golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210908191846-a5e095526f91/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -368,25 +396,33 @@ golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201017003518-b09fb700fbb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -410,8 +446,10 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -454,6 +492,7 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXL
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -468,7 +507,10 @@ grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJd
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-howett.net/plist v0.0.0-20201203080718-1454fab16a06 h1:QDxUo/w2COstK1wIBYpzQlHX/NqaQTcf9jyz347nI58=
-howett.net/plist v0.0.0-20201203080718-1454fab16a06/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0=
+honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
+honnef.co/go/tools v0.2.2/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
--- a/internal/aghalgo/aghalgo.go
+++ b/internal/aghalgo/aghalgo.go
@@ -1,7 +1,7 @@
-// Package aghalgo contains common generic algorithms and data structures.
+// Package aghalg contains common generic algorithms and data structures.
 //
 // TODO(a.garipov): Update to use type parameters in Go 1.18.
-package aghalgo
+package aghalg

 import (
 	"fmt"
@@ -14,20 +14,20 @@ import (
 // TODO(a.garipov): Remove in Go 1.18.
 type comparable = interface{}

-// UniquenessValidator allows validating uniqueness of comparable items.
-type UniquenessValidator map[comparable]int64
+// UniqChecker allows validating uniqueness of comparable items.
+type UniqChecker map[comparable]int64

 // Add adds a value to the validator.  v must not be nil.
-func (v UniquenessValidator) Add(elems ...comparable) {
+func (uc UniqChecker) Add(elems ...comparable) {
 	for _, e := range elems {
-		v[e]++
+		uc[e]++
 	}
 }

-// Merge returns a validator containing data from both v and other.
-func (v UniquenessValidator) Merge(other UniquenessValidator) (merged UniquenessValidator) {
-	merged = make(UniquenessValidator, len(v)+len(other))
-	for elem, num := range v {
+// Merge returns a checker containing data from both uc and other.
+func (uc UniqChecker) Merge(other UniqChecker) (merged UniqChecker) {
+	merged = make(UniqChecker, len(uc)+len(other))
+	for elem, num := range uc {
 		merged[elem] += num
 	}

@@ -41,9 +41,9 @@ func (v UniquenessValidator) Merge(other UniquenessValidator) (merged Uniqueness
 // Validate returns an error enumerating all elements that aren't unique.
 // isBefore is an optional sorting function to make the error message
 // deterministic.
-func (v UniquenessValidator) Validate(isBefore func(a, b comparable) (less bool)) (err error) {
+func (uc UniqChecker) Validate(isBefore func(a, b comparable) (less bool)) (err error) {
 	var dup []comparable
-	for elem, num := range v {
+	for elem, num := range uc {
 		if num > 1 {
 			dup = append(dup, elem)
 		}
@@ -62,13 +62,13 @@ func (v UniquenessValidator) Validate(isBefore func(a, b comparable) (less bool)
 	return fmt.Errorf("duplicated values: %v", dup)
 }

-// IntIsBefore is a helper sort function for UniquenessValidator.Validate.
+// IntIsBefore is a helper sort function for UniqChecker.Validate.
 // a and b must be of type int.
 func IntIsBefore(a, b comparable) (less bool) {
 	return a.(int) < b.(int)
 }

-// StringIsBefore is a helper sort function for UniquenessValidator.Validate.
+// StringIsBefore is a helper sort function for UniqChecker.Validate.
 // a and b must be of type string.
 func StringIsBefore(a, b comparable) (less bool) {
 	return a.(string) < b.(string)
--- a/internal/aghnet/dhcp_unix.go
+++ b/internal/aghnet/dhcp_unix.go
@@ -19,7 +19,8 @@ import (
 	"github.com/insomniacslk/dhcp/iana"
 )

-// defaultDiscoverTime is the
+// defaultDiscoverTime is the default timeout of checking another DHCP server
+// response.
 const defaultDiscoverTime = 3 * time.Second

 func checkOtherDHCP(ifaceName string) (ok4, ok6 bool, err4, err6 error) {
@@ -110,7 +111,7 @@ func discover4(iface *net.Interface, dstAddr *net.UDPAddr, hostname string) (ok
 	// is spoiled.
 	//
 	// It's also known that listening on the specified interface's address
-	// ignores broadcasted packets when reading.
+	// ignores broadcast packets when reading.
 	var c net.PacketConn
 	if c, err = listenPacketReusable(iface.Name, "udp4", ":68"); err != nil {
 		return false, fmt.Errorf("couldn't listen on :68: %w", err)
--- a/internal/aghnet/hostscontainer.go
+++ b/internal/aghnet/hostscontainer.go
@@ -46,13 +46,8 @@ type requestMatcher struct {
 }

 // MatchRequest processes the request rewriting hostnames and addresses read
-// from the operating system's hosts files.
-//
-// res is nil for any request having not an A/AAAA or PTR type.  Results
-// containing CNAME information may be queried again with the same question type
-// and the returned CNAME for Host field of request.  Results are guaranteed to
-// be direct, i.e. any returned CNAME resolves into actual address like an alias
-// in hosts does, see man hosts (5).
+// from the operating system's hosts files.  res is nil for any request having
+// not an A/AAAA or PTR type, see man 5 hosts.
 //
 // It's safe for concurrent use.
 func (rm *requestMatcher) MatchRequest(
@@ -72,7 +67,11 @@ func (rm *requestMatcher) MatchRequest(
 }

 // Translate returns the source hosts-syntax rule for the generated dnsrewrite
-// rule or an empty string if the last doesn't exist.
+// rule or an empty string if the last doesn't exist.  The returned rules are in
+// a processed format like:
+//
+//   ip host1 host2 ...
+//
 func (rm *requestMatcher) Translate(rule string) (hostRule string) {
 	rm.stateLock.RLock()
 	defer rm.stateLock.RUnlock()
@@ -179,7 +178,7 @@ func NewHostsContainer(
 				return nil, fmt.Errorf("adding path: %w", err)
 			}

-			log.Debug("%s: file %q expected to exist but doesn't", hostsContainerPref, p)
+			log.Debug("%s: %s is expected to exist but doesn't", hostsContainerPref, p)
 		}
 	}

@@ -228,8 +227,9 @@ func pathsToPatterns(fsys fs.FS, paths []string) (patterns []string, err error)
 	return patterns, nil
 }

-// handleEvents concurrently handles the events.  It closes the update channel
-// of HostsContainer when finishes.  Used to be called within a goroutine.
+// handleEvents concurrently handles the file system events.  It closes the
+// update channel of HostsContainer when finishes.  It's used to be called
+// within a separate goroutine.
 func (hc *HostsContainer) handleEvents() {
 	defer log.OnPanic(fmt.Sprintf("%s: handling events", hostsContainerPref))

@@ -257,27 +257,23 @@ func (hc *HostsContainer) handleEvents() {
 // hostsParser is a helper type to parse rules from the operating system's hosts
 // file.  It exists for only a single refreshing session.
 type hostsParser struct {
-	// rulesBuilder builds the resulting rulesBuilder list content.
+	// rulesBuilder builds the resulting rules list content.
 	rulesBuilder *strings.Builder

-	// translations maps generated $dnsrewrite rules to the hosts-translations
-	// rules.
+	// translations maps generated rules into actual hosts file lines.
 	translations map[string]string

-	// cnameSet prevents duplicating cname rules.
-	cnameSet *stringutil.Set
-
 	// table stores only the unique IP-hostname pairs.  It's also sent to the
 	// updates channel afterwards.
 	table *netutil.IPMap
 }

+// newHostsParser creates a new *hostsParser with buffers of size taken from the
+// previous parse.
 func (hc *HostsContainer) newHostsParser() (hp *hostsParser) {
 	return &hostsParser{
 		rulesBuilder: &strings.Builder{},
-		// For A/AAAA and PTRs.
-		translations: make(map[string]string, hc.last.Len()*2),
-		cnameSet:     stringutil.NewSet(),
+		translations: map[string]string{},
 		table:        netutil.NewIPMap(hc.last.Len()),
 	}
 }
@@ -286,9 +282,7 @@ func (hc *HostsContainer) newHostsParser() (hp *hostsParser) {
 // never signs to stop walking and never returns any additional patterns.
 //
 // See man hosts(5).
-func (hp *hostsParser) parseFile(
-	r io.Reader,
-) (patterns []string, cont bool, err error) {
+func (hp *hostsParser) parseFile(r io.Reader) (patterns []string, cont bool, err error) {
 	s := bufio.NewScanner(r)
 	for s.Scan() {
 		ip, hosts := hp.parseLine(s.Text())
@@ -326,6 +320,8 @@ func (hp *hostsParser) parseLine(line string) (ip net.IP, hosts []string) {
 		// Make sure that invalid hosts aren't turned into rules.
 		//
 		// See https://github.com/AdguardTeam/AdGuardHome/issues/3946.
+		//
+		// TODO(e.burkov):  Investigate if hosts may contain DNS-SD domains.
 		err := netutil.ValidateDomainName(f)
 		if err != nil {
 			log.Error("%s: host %q is invalid, ignoring", hostsContainerPref, f)
@@ -339,90 +335,45 @@ func (hp *hostsParser) parseLine(line string) (ip net.IP, hosts []string) {
 	return ip, hosts
 }

-// Simple types of hosts in hosts database.  Zero value isn't used to be able
-// quizzaciously emulate nil with 0.
-const (
-	_ = iota
-	hostAlias
-	hostMain
-)
-
-// add tries to add the ip-host pair.  It returns:
-//
-//   hostAlias if the host is not the first one added for the ip.
-//   hostMain  if the host is the first one added for the ip.
-//   0         if the ip-host pair has already been added.
-//
-func (hp *hostsParser) add(ip net.IP, host string) (hostType int) {
-	v, ok := hp.table.Get(ip)
-	switch hosts, _ := v.(*stringutil.Set); {
-	case ok && hosts.Has(host):
-		return 0
-	case hosts == nil:
-		hosts = stringutil.NewSet(host)
-		hp.table.Set(ip, hosts)
-
-		return hostMain
-	default:
-		hosts.Add(host)
-
-		return hostAlias
-	}
-}
-
 // addPair puts the pair of ip and host to the rules builder if needed.  For
 // each ip the first member of hosts will become the main one.
 func (hp *hostsParser) addPairs(ip net.IP, hosts []string) {
-	// Put the rule in a processed format like:
-	//
-	//   ip host1 host2 ...
-	//
-	hostsLine := strings.Join(append([]string{ip.String()}, hosts...), " ")
-	var mainHost string
-	for _, host := range hosts {
-		switch hp.add(ip, host) {
-		case 0:
+	v, ok := hp.table.Get(ip)
+	if !ok {
+		// This ip is added at the first time.
+		v = stringutil.NewSet()
+		hp.table.Set(ip, v)
+	}
+
+	var set *stringutil.Set
+	set, ok = v.(*stringutil.Set)
+	if !ok {
+		log.Debug("%s: adding pairs: unexpected value type %T", hostsContainerPref, v)
+
+		return
+	}
+
+	processed := strings.Join(append([]string{ip.String()}, hosts...), " ")
+	for _, h := range hosts {
+		if set.Has(h) {
 			continue
-		case hostMain:
-			mainHost = host
-			added, addedPtr := hp.writeMainHostRule(host, ip)
-			hp.translations[added], hp.translations[addedPtr] = hostsLine, hostsLine
-		case hostAlias:
-			pair := fmt.Sprint(host, " ", mainHost)
-			if hp.cnameSet.Has(pair) {
-				continue
-			}
-			// Since the hostAlias couldn't be returned from add before the
-			// hostMain the mainHost shouldn't appear empty.
-			hp.writeAliasHostRule(host, mainHost)
-			hp.cnameSet.Add(pair)
 		}

-		log.Debug("%s: added ip-host pair %q-%q", hostsContainerPref, ip, host)
+		set.Add(h)
+
+		rule, rulePtr := hp.writeRules(h, ip)
+		hp.translations[rule], hp.translations[rulePtr] = processed, processed
+
+		log.Debug("%s: added ip-host pair %q-%q", hostsContainerPref, ip, h)
 	}
 }

-// writeAliasHostRule writes the CNAME rule for the alias-host pair into
-// internal builders.
-func (hp *hostsParser) writeAliasHostRule(alias, host string) {
-	const (
-		nl = "\n"
-		sc = ";"
-
-		rwSuccess = rules.MaskSeparator + "$dnsrewrite=NOERROR" + sc + "CNAME" + sc
-		constLen  = len(rules.MaskPipe) + len(rwSuccess) + len(nl)
-	)
-
-	hp.rulesBuilder.Grow(constLen + len(host) + len(alias))
-	stringutil.WriteToBuilder(hp.rulesBuilder, rules.MaskPipe, alias, rwSuccess, host, nl)
-}
-
-// writeMainHostRule writes the actual rule for the qtype and the PTR for the
+// writeRules writes the actual rule for the qtype and the PTR for the
 // host-ip pair into internal builders.
-func (hp *hostsParser) writeMainHostRule(host string, ip net.IP) (added, addedPtr string) {
+func (hp *hostsParser) writeRules(host string, ip net.IP) (rule, rulePtr string) {
 	arpa, err := netutil.IPToReversedAddr(ip)
 	if err != nil {
-		return
+		return "", ""
 	}

 	const (
@@ -449,28 +400,20 @@ func (hp *hostsParser) writeMainHostRule(host string, ip net.IP) (added, addedPt

 	ruleBuilder := &strings.Builder{}
 	ruleBuilder.Grow(modLen + len(host) + len(qtype) + len(ipStr))
-	stringutil.WriteToBuilder(
-		ruleBuilder,
-		rules.MaskPipe,
-		host,
-		rwSuccess,
-		qtype,
-		";",
-		ipStr,
-	)
-	added = ruleBuilder.String()
+	stringutil.WriteToBuilder(ruleBuilder, rules.MaskPipe, host, rwSuccess, qtype, ";", ipStr)
+	rule = ruleBuilder.String()

 	ruleBuilder.Reset()

 	ruleBuilder.Grow(modLenPTR + len(arpa) + len(fqdn))
 	stringutil.WriteToBuilder(ruleBuilder, rules.MaskPipe, arpa, rwSuccessPTR, fqdn)

-	addedPtr = ruleBuilder.String()
+	rulePtr = ruleBuilder.String()

-	hp.rulesBuilder.Grow(len(added) + len(addedPtr) + 2*len(nl))
-	stringutil.WriteToBuilder(hp.rulesBuilder, added, nl, addedPtr, nl)
+	hp.rulesBuilder.Grow(len(rule) + len(rulePtr) + 2*len(nl))
+	stringutil.WriteToBuilder(hp.rulesBuilder, rule, nl, rulePtr, nl)

-	return added, addedPtr
+	return rule, rulePtr
 }

 // equalSet returns true if the internal hosts table just parsed equals target.
@@ -484,12 +427,14 @@ func (hp *hostsParser) equalSet(target *netutil.IPMap) (ok bool) {
 		return false
 	}

-	hp.table.Range(func(ip net.IP, val interface{}) (cont bool) {
-		v, hasIP := target.Get(ip)
+	hp.table.Range(func(ip net.IP, b interface{}) (cont bool) {
 		// ok is set to true if the target doesn't contain ip or if the
-		// appropriate hosts set isn't equal to the checked one, i.e. the maps
-		// have at least one discrepancy.
-		ok = !hasIP || !v.(*stringutil.Set).Equal(val.(*stringutil.Set))
+		// appropriate hosts set isn't equal to the checked one.
+		if a, hasIP := target.Get(ip); !hasIP {
+			ok = true
+		} else if hosts, aok := a.(*stringutil.Set); aok {
+			ok = !hosts.Equal(b.(*stringutil.Set))
+		}

 		// Continue only if maps has no discrepancies.
 		return !ok
@@ -540,7 +485,7 @@ func (hc *HostsContainer) refresh() (err error) {
 	}

 	if hp.equalSet(hc.last) {
-		log.Debug("%s: no updates detected", hostsContainerPref)
+		log.Debug("%s: no changes detected", hostsContainerPref)

 		return nil
 	}
--- a/internal/aghnet/hostscontainer_test.go
+++ b/internal/aghnet/hostscontainer_test.go
@@ -9,10 +9,12 @@ import (
 	"sync/atomic"
 	"testing"
 	"testing/fstest"
+	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/stringutil"
+	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
@@ -85,6 +87,7 @@ func TestNewHostsContainer(t *testing.T) {

 				return
 			}
+			testutil.CleanupAndRequireSuccess(t, hc.Close)

 			require.NoError(t, err)
 			require.NotNil(t, hc)
@@ -129,24 +132,13 @@ func TestNewHostsContainer(t *testing.T) {
 	})
 }

-func TestHostsContainer_Refresh(t *testing.T) {
-	knownIP := net.IP{127, 0, 0, 1}
+func TestHostsContainer_refresh(t *testing.T) {
+	// TODO(e.burkov):  Test the case with no actual updates.

-	const knownHost = "localhost"
-	const knownAlias = "hocallost"
+	ip := net.IP{127, 0, 0, 1}
+	ipStr := ip.String()

-	const dirname = "dir"
-	const filename1 = "file1"
-	const filename2 = "file2"
-
-	p1 := path.Join(dirname, filename1)
-	p2 := path.Join(dirname, filename2)
-
-	testFS := fstest.MapFS{
-		p1: &fstest.MapFile{
-			Data: []byte(strings.Join([]string{knownIP.String(), knownHost}, sp) + nl),
-		},
-	}
+	testFS := fstest.MapFS{"dir/file1": &fstest.MapFile{Data: []byte(ipStr + ` hostname` + nl)}}

 	// event is a convenient alias for an empty struct{} to emit test events.
 	type event = struct{}
@@ -157,15 +149,16 @@ func TestHostsContainer_Refresh(t *testing.T) {
 	w := &aghtest.FSWatcher{
 		OnEvents: func() (e <-chan event) { return eventsCh },
 		OnAdd: func(name string) (err error) {
-			assert.Equal(t, dirname, name)
+			assert.Equal(t, "dir", name)

 			return nil
 		},
 		OnClose: func() (err error) { panic("not implemented") },
 	}

-	hc, err := NewHostsContainer(0, testFS, w, dirname)
+	hc, err := NewHostsContainer(0, testFS, w, "dir")
 	require.NoError(t, err)
+	testutil.CleanupAndRequireSuccess(t, hc.Close)

 	checkRefresh := func(t *testing.T, wantHosts *stringutil.Set) {
 		upd, ok := <-hc.Upd()
@@ -174,102 +167,99 @@ func TestHostsContainer_Refresh(t *testing.T) {

 		assert.Equal(t, 1, upd.Len())

-		v, ok := upd.Get(knownIP)
+		v, ok := upd.Get(ip)
 		require.True(t, ok)

-		var hosts *stringutil.Set
-		hosts, ok = v.(*stringutil.Set)
+		var set *stringutil.Set
+		set, ok = v.(*stringutil.Set)
 		require.True(t, ok)

-		assert.True(t, hosts.Equal(wantHosts))
+		assert.True(t, set.Equal(wantHosts))
 	}

 	t.Run("initial_refresh", func(t *testing.T) {
-		checkRefresh(t, stringutil.NewSet(knownHost))
+		checkRefresh(t, stringutil.NewSet("hostname"))
 	})

-	testFS[p2] = &fstest.MapFile{
-		Data: []byte(strings.Join([]string{knownIP.String(), knownAlias}, sp) + nl),
-	}
-	eventsCh <- event{}
-
 	t.Run("second_refresh", func(t *testing.T) {
-		checkRefresh(t, stringutil.NewSet(knownHost, knownAlias))
+		testFS["dir/file2"] = &fstest.MapFile{Data: []byte(ipStr + ` alias` + nl)}
+		eventsCh <- event{}
+		checkRefresh(t, stringutil.NewSet("hostname", "alias"))
 	})

-	eventsCh <- event{}
+	t.Run("double_refresh", func(t *testing.T) {
+		// Make a change once.
+		testFS["dir/file1"] = &fstest.MapFile{Data: []byte(ipStr + ` alias` + nl)}
+		eventsCh <- event{}

-	t.Run("no_changes_refresh", func(t *testing.T) {
-		assert.Empty(t, hc.Upd())
+		// Require the changes are written.
+		require.Eventually(t, func() bool {
+			res, ok := hc.MatchRequest(urlfilter.DNSRequest{
+				Hostname: "hostname",
+				DNSType:  dns.TypeA,
+			})
+
+			return !ok && res.DNSRewrites() == nil
+		}, 5*time.Second, time.Second/2)
+
+		// Make a change again.
+		testFS["dir/file2"] = &fstest.MapFile{Data: []byte(ipStr + ` hostname` + nl)}
+		eventsCh <- event{}
+
+		// Require the changes are written.
+		require.Eventually(t, func() bool {
+			res, ok := hc.MatchRequest(urlfilter.DNSRequest{
+				Hostname: "hostname",
+				DNSType:  dns.TypeA,
+			})
+
+			return !ok && res.DNSRewrites() != nil
+		}, 5*time.Second, time.Second/2)
+
+		assert.Len(t, hc.Upd(), 1)
 	})
 }

 func TestHostsContainer_PathsToPatterns(t *testing.T) {
-	const (
-		dir0 = "dir"
-		dir1 = "dir_1"
-		fn1  = "file_1"
-		fn2  = "file_2"
-		fn3  = "file_3"
-		fn4  = "file_4"
-	)
-
-	fp1 := path.Join(dir0, fn1)
-	fp2 := path.Join(dir0, fn2)
-	fp3 := path.Join(dir0, dir1, fn3)
-
 	gsfs := fstest.MapFS{
-		fp1: &fstest.MapFile{Data: []byte{1}},
-		fp2: &fstest.MapFile{Data: []byte{2}},
-		fp3: &fstest.MapFile{Data: []byte{3}},
+		"dir_0/file_1":       &fstest.MapFile{Data: []byte{1}},
+		"dir_0/file_2":       &fstest.MapFile{Data: []byte{2}},
+		"dir_0/dir_1/file_3": &fstest.MapFile{Data: []byte{3}},
 	}

 	testCases := []struct {
-		name    string
-		wantErr error
-		want    []string
-		paths   []string
+		name  string
+		paths []string
+		want  []string
 	}{{
-		name:    "no_paths",
-		wantErr: nil,
-		want:    nil,
-		paths:   nil,
+		name:  "no_paths",
+		paths: nil,
+		want:  nil,
 	}, {
-		name:    "single_file",
-		wantErr: nil,
-		want:    []string{fp1},
-		paths:   []string{fp1},
+		name:  "single_file",
+		paths: []string{"dir_0/file_1"},
+		want:  []string{"dir_0/file_1"},
 	}, {
-		name:    "several_files",
-		wantErr: nil,
-		want:    []string{fp1, fp2},
-		paths:   []string{fp1, fp2},
+		name:  "several_files",
+		paths: []string{"dir_0/file_1", "dir_0/file_2"},
+		want:  []string{"dir_0/file_1", "dir_0/file_2"},
 	}, {
-		name:    "whole_dir",
-		wantErr: nil,
-		want:    []string{path.Join(dir0, "*")},
-		paths:   []string{dir0},
+		name:  "whole_dir",
+		paths: []string{"dir_0"},
+		want:  []string{"dir_0/*"},
 	}, {
-		name:    "file_and_dir",
-		wantErr: nil,
-		want:    []string{fp1, path.Join(dir0, dir1, "*")},
-		paths:   []string{fp1, path.Join(dir0, dir1)},
+		name:  "file_and_dir",
+		paths: []string{"dir_0/file_1", "dir_0/dir_1"},
+		want:  []string{"dir_0/file_1", "dir_0/dir_1/*"},
 	}, {
-		name:    "non-existing",
-		wantErr: nil,
-		want:    nil,
-		paths:   []string{path.Join(dir0, "file_3")},
+		name:  "non-existing",
+		paths: []string{path.Join("dir_0", "file_3")},
+		want:  nil,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			patterns, err := pathsToPatterns(gsfs, tc.paths)
-			if tc.wantErr != nil {
-				assert.ErrorIs(t, err, tc.wantErr)
-
-				return
-			}
-
 			require.NoError(t, err)

 			assert.Equal(t, tc.want, patterns)
@@ -290,111 +280,235 @@ func TestHostsContainer_PathsToPatterns(t *testing.T) {
 	})
 }

+func TestHostsContainer_Translate(t *testing.T) {
+	testdata := os.DirFS("./testdata")
+	stubWatcher := aghtest.FSWatcher{
+		OnEvents: func() (e <-chan struct{}) { return nil },
+		OnAdd:    func(name string) (err error) { return nil },
+		OnClose:  func() (err error) { panic("not implemented") },
+	}
+
+	hc, err := NewHostsContainer(0, testdata, &stubWatcher, "etc_hosts")
+	require.NoError(t, err)
+	testutil.CleanupAndRequireSuccess(t, hc.Close)
+
+	testCases := []struct {
+		name      string
+		rule      string
+		wantTrans []string
+	}{{
+		name:      "simplehost",
+		rule:      "|simplehost^$dnsrewrite=NOERROR;A;1.0.0.1",
+		wantTrans: []string{"1.0.0.1", "simplehost"},
+	}, {
+		name:      "hello",
+		rule:      "|hello^$dnsrewrite=NOERROR;A;1.0.0.0",
+		wantTrans: []string{"1.0.0.0", "hello", "hello.world"},
+	}, {
+		name:      "hello-alias",
+		rule:      "|hello.world.again^$dnsrewrite=NOERROR;A;1.0.0.0",
+		wantTrans: []string{"1.0.0.0", "hello.world.again"},
+	}, {
+		name:      "simplehost_v6",
+		rule:      "|simplehost^$dnsrewrite=NOERROR;AAAA;::1",
+		wantTrans: []string{"::1", "simplehost"},
+	}, {
+		name:      "hello_v6",
+		rule:      "|hello^$dnsrewrite=NOERROR;AAAA;::",
+		wantTrans: []string{"::", "hello", "hello.world"},
+	}, {
+		name:      "hello_v6-alias",
+		rule:      "|hello.world.again^$dnsrewrite=NOERROR;AAAA;::",
+		wantTrans: []string{"::", "hello.world.again"},
+	}, {
+		name:      "simplehost_ptr",
+		rule:      "|1.0.0.1.in-addr.arpa^$dnsrewrite=NOERROR;PTR;simplehost.",
+		wantTrans: []string{"1.0.0.1", "simplehost"},
+	}, {
+		name:      "hello_ptr",
+		rule:      "|0.0.0.1.in-addr.arpa^$dnsrewrite=NOERROR;PTR;hello.",
+		wantTrans: []string{"1.0.0.0", "hello", "hello.world"},
+	}, {
+		name:      "hello_ptr-alias",
+		rule:      "|0.0.0.1.in-addr.arpa^$dnsrewrite=NOERROR;PTR;hello.world.again.",
+		wantTrans: []string{"1.0.0.0", "hello.world.again"},
+	}, {
+		name: "simplehost_ptr_v6",
+		rule: "|1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" +
+			"^$dnsrewrite=NOERROR;PTR;simplehost.",
+		wantTrans: []string{"::1", "simplehost"},
+	}, {
+		name: "hello_ptr_v6",
+		rule: "|0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" +
+			"^$dnsrewrite=NOERROR;PTR;hello.",
+		wantTrans: []string{"::", "hello", "hello.world"},
+	}, {
+		name: "hello_ptr_v6-alias",
+		rule: "|0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" +
+			"^$dnsrewrite=NOERROR;PTR;hello.world.again.",
+		wantTrans: []string{"::", "hello.world.again"},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := stringutil.NewSet(strings.Fields(hc.Translate(tc.rule))...)
+			assert.True(t, stringutil.NewSet(tc.wantTrans...).Equal(got))
+		})
+	}
+}
+
 func TestHostsContainer(t *testing.T) {
 	const listID = 1234

 	testdata := os.DirFS("./testdata")

-	nRewrites := func(t *testing.T, res *urlfilter.DNSResult, n int) (rws []*rules.DNSRewrite) {
-		t.Helper()
-
-		rewrites := res.DNSRewrites()
-		assert.Len(t, rewrites, n)
-
-		for _, rewrite := range rewrites {
-			require.Equal(t, listID, rewrite.FilterListID)
-
-			rw := rewrite.DNSRewrite
-			require.NotNil(t, rw)
-
-			rws = append(rws, rw)
-		}
-
-		return rws
-	}
-
 	testCases := []struct {
-		testTail func(t *testing.T, res *urlfilter.DNSResult)
-		name     string
-		req      urlfilter.DNSRequest
+		want []*rules.DNSRewrite
+		name string
+		req  urlfilter.DNSRequest
 	}{{
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			Value:  net.IPv4(1, 0, 0, 1),
+			RRType: dns.TypeA,
+		}, {
+			RCode:  dns.RcodeSuccess,
+			Value:  net.ParseIP("::1"),
+			RRType: dns.TypeAAAA,
+		}},
 		name: "simple",
 		req: urlfilter.DNSRequest{
 			Hostname: "simplehost",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			rws := nRewrites(t, res, 2)
-
-			v, ok := rws[0].Value.(net.IP)
-			require.True(t, ok)
-
-			assert.True(t, net.IP{1, 0, 0, 1}.Equal(v))
-
-			v, ok = rws[1].Value.(net.IP)
-			require.True(t, ok)
-
-			// It's ::1.
-			assert.True(t, net.IP(append((&[15]byte{})[:], byte(1))).Equal(v))
-		},
 	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			Value:  net.IPv4(1, 0, 0, 0),
+			RRType: dns.TypeA,
+		}, {
+			RCode:  dns.RcodeSuccess,
+			Value:  net.ParseIP("::"),
+			RRType: dns.TypeAAAA,
+		}},
 		name: "hello_alias",
 		req: urlfilter.DNSRequest{
 			Hostname: "hello.world",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			assert.Equal(t, "hello", nRewrites(t, res, 1)[0].NewCNAME)
+	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			Value:  net.IPv4(1, 0, 0, 0),
+			RRType: dns.TypeA,
+		}, {
+			RCode:  dns.RcodeSuccess,
+			Value:  net.ParseIP("::"),
+			RRType: dns.TypeAAAA,
+		}},
+		name: "other_line_alias",
+		req: urlfilter.DNSRequest{
+			Hostname: "hello.world.again",
+			DNSType:  dns.TypeA,
 		},
 	}, {
+		want: []*rules.DNSRewrite{},
 		name: "hello_subdomain",
 		req: urlfilter.DNSRequest{
 			Hostname: "say.hello",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			assert.Empty(t, res.DNSRewrites())
-		},
 	}, {
+		want: []*rules.DNSRewrite{},
 		name: "hello_alias_subdomain",
 		req: urlfilter.DNSRequest{
 			Hostname: "say.hello.world",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			assert.Empty(t, res.DNSRewrites())
-		},
 	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeA,
+			Value:  net.IPv4(1, 0, 0, 2),
+		}, {
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeAAAA,
+			Value:  net.ParseIP("::2"),
+		}},
 		name: "lots_of_aliases",
 		req: urlfilter.DNSRequest{
 			Hostname: "for.testing",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			assert.Equal(t, "a.whole", nRewrites(t, res, 1)[0].NewCNAME)
-		},
 	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypePTR,
+			Value:  "simplehost.",
+		}},
 		name: "reverse",
 		req: urlfilter.DNSRequest{
 			Hostname: "1.0.0.1.in-addr.arpa",
 			DNSType:  dns.TypePTR,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			rws := nRewrites(t, res, 1)
-
-			assert.Equal(t, dns.TypePTR, rws[0].RRType)
-			assert.Equal(t, "simplehost.", rws[0].Value)
-		},
 	}, {
+		want: []*rules.DNSRewrite{},
 		name: "non-existing",
 		req: urlfilter.DNSRequest{
 			Hostname: "nonexisting",
 			DNSType:  dns.TypeA,
 		},
-		testTail: func(t *testing.T, res *urlfilter.DNSResult) {
-			require.NotNil(t, res)
-
-			assert.Nil(t, res.DNSRewrites())
+	}, {
+		want: nil,
+		name: "bad_type",
+		req: urlfilter.DNSRequest{
+			Hostname: "1.0.0.1.in-addr.arpa",
+			DNSType:  dns.TypeSRV,
+		},
+	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeA,
+			Value:  net.IPv4(4, 2, 1, 6),
+		}, {
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeAAAA,
+			Value:  net.ParseIP("::42"),
+		}},
+		name: "issue_4216_4_6",
+		req: urlfilter.DNSRequest{
+			Hostname: "domain",
+			DNSType:  dns.TypeA,
+		},
+	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeA,
+			Value:  net.IPv4(7, 5, 3, 1),
+		}, {
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeA,
+			Value:  net.IPv4(1, 3, 5, 7),
+		}},
+		name: "issue_4216_4",
+		req: urlfilter.DNSRequest{
+			Hostname: "domain4",
+			DNSType:  dns.TypeA,
+		},
+	}, {
+		want: []*rules.DNSRewrite{{
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeAAAA,
+			Value:  net.ParseIP("::13"),
+		}, {
+			RCode:  dns.RcodeSuccess,
+			RRType: dns.TypeAAAA,
+			Value:  net.ParseIP("::31"),
+		}},
+		name: "issue_4216_6",
+		req: urlfilter.DNSRequest{
+			Hostname: "domain6",
+			DNSType:  dns.TypeAAAA,
 		},
 	}}

@@ -406,25 +520,39 @@ func TestHostsContainer(t *testing.T) {

 	hc, err := NewHostsContainer(listID, testdata, &stubWatcher, "etc_hosts")
 	require.NoError(t, err)
+	testutil.CleanupAndRequireSuccess(t, hc.Close)

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			res, ok := hc.MatchRequest(tc.req)
 			require.False(t, ok)
+
+			if tc.want == nil {
+				assert.Nil(t, res)
+
+				return
+			}
+
 			require.NotNil(t, res)

-			tc.testTail(t, res)
+			rewrites := res.DNSRewrites()
+			require.Len(t, rewrites, len(tc.want))
+
+			for i, rewrite := range rewrites {
+				require.Equal(t, listID, rewrite.FilterListID)
+
+				rw := rewrite.DNSRewrite
+				require.NotNil(t, rw)
+
+				assert.Equal(t, tc.want[i], rw)
+			}
 		})
 	}
 }

 func TestUniqueRules_ParseLine(t *testing.T) {
-	const (
-		hostname = "localhost"
-		alias    = "hocallost"
-	)
-
-	knownIP := net.IP{127, 0, 0, 1}
+	ip := net.IP{127, 0, 0, 1}
+	ipStr := ip.String()

 	testCases := []struct {
 		name      string
@@ -433,39 +561,39 @@ func TestUniqueRules_ParseLine(t *testing.T) {
 		wantHosts []string
 	}{{
 		name:      "simple",
-		line:      strings.Join([]string{knownIP.String(), hostname}, sp),
-		wantIP:    knownIP,
-		wantHosts: []string{"localhost"},
+		line:      ipStr + ` hostname`,
+		wantIP:    ip,
+		wantHosts: []string{"hostname"},
 	}, {
 		name:      "aliases",
-		line:      strings.Join([]string{knownIP.String(), hostname, alias}, sp),
-		wantIP:    knownIP,
-		wantHosts: []string{"localhost", "hocallost"},
+		line:      ipStr + ` hostname alias`,
+		wantIP:    ip,
+		wantHosts: []string{"hostname", "alias"},
 	}, {
 		name:      "invalid_line",
-		line:      knownIP.String(),
+		line:      ipStr,
 		wantIP:    nil,
 		wantHosts: nil,
 	}, {
 		name:      "invalid_line_hostname",
-		line:      strings.Join([]string{knownIP.String(), "#" + hostname}, sp),
-		wantIP:    knownIP,
+		line:      ipStr + ` # hostname`,
+		wantIP:    ip,
 		wantHosts: nil,
 	}, {
 		name:      "commented_aliases",
-		line:      strings.Join([]string{knownIP.String(), hostname, "#" + alias}, sp),
-		wantIP:    knownIP,
-		wantHosts: []string{"localhost"},
+		line:      ipStr + ` hostname # alias`,
+		wantIP:    ip,
+		wantHosts: []string{"hostname"},
 	}, {
 		name:      "whole_comment",
-		line:      strings.Join([]string{"#", knownIP.String(), hostname}, sp),
+		line:      `# ` + ipStr + ` hostname`,
 		wantIP:    nil,
 		wantHosts: nil,
 	}, {
 		name:      "partial_comment",
-		line:      strings.Join([]string{knownIP.String(), hostname[:4] + "#" + hostname[4:]}, sp),
-		wantIP:    knownIP,
-		wantHosts: []string{hostname[:4]},
+		line:      ipStr + ` host#name`,
+		wantIP:    ip,
+		wantHosts: []string{"host"},
 	}, {
 		name:      "empty",
 		line:      ``,
@@ -476,8 +604,8 @@ func TestUniqueRules_ParseLine(t *testing.T) {
 	for _, tc := range testCases {
 		hp := hostsParser{}
 		t.Run(tc.name, func(t *testing.T) {
-			ip, hosts := hp.parseLine(tc.line)
-			assert.True(t, tc.wantIP.Equal(ip))
+			got, hosts := hp.parseLine(tc.line)
+			assert.True(t, tc.wantIP.Equal(got))
 			assert.Equal(t, tc.wantHosts, hosts)
 		})
 	}
--- a/internal/aghnet/interfaces.go
+++ b/internal/aghnet/interfaces.go
@@ -25,6 +25,13 @@ type NetIface interface {

 // IfaceIPAddrs returns the interface's IP addresses.
 func IfaceIPAddrs(iface NetIface, ipv IPVersion) (ips []net.IP, err error) {
+	switch ipv {
+	case IPVersion4, IPVersion6:
+		// Go on.
+	default:
+		return nil, fmt.Errorf("invalid ip version %d", ipv)
+	}
+
 	addrs, err := iface.Addrs()
 	if err != nil {
 		return nil, err
@@ -41,20 +48,16 @@ func IfaceIPAddrs(iface NetIface, ipv IPVersion) (ips []net.IP, err error) {
 			continue
 		}

-		// Assume that net.(*Interface).Addrs can only return valid IPv4
-		// and IPv6 addresses.  Thus, if it isn't an IPv4 address, it
-		// must be an IPv6 one.
-		switch ipv {
-		case IPVersion4:
-			if ip4 := ip.To4(); ip4 != nil {
+		// Assume that net.(*Interface).Addrs can only return valid IPv4 and
+		// IPv6 addresses.  Thus, if it isn't an IPv4 address, it must be an
+		// IPv6 one.
+		ip4 := ip.To4()
+		if ipv == IPVersion4 {
+			if ip4 != nil {
 				ips = append(ips, ip4)
 			}
-		case IPVersion6:
-			if ip6 := ip.To4(); ip6 == nil {
-				ips = append(ips, ip)
-			}
-		default:
-			return nil, fmt.Errorf("invalid ip version %d", ipv)
+		} else if ip4 == nil {
+			ips = append(ips, ip)
 		}
 	}

@@ -96,16 +99,16 @@ func IfaceDNSIPAddrs(

 	switch len(addrs) {
 	case 0:
-		// Don't return errors in case the users want to try and enable
-		// the DHCP server later.
+		// Don't return errors in case the users want to try and enable the DHCP
+		// server later.
 		t := time.Duration(n) * backoff
 		log.Error("dhcpv%d: no ip for iface after %d attempts and %s", ipv, n, t)

 		return nil, nil
 	case 1:
-		// Some Android devices use 8.8.8.8 if there is not a secondary
-		// DNS server.  Fix that by setting the secondary DNS address to
-		// the same address.
+		// Some Android devices use 8.8.8.8 if there is not a secondary DNS
+		// server.  Fix that by setting the secondary DNS address to the same
+		// address.
 		//
 		// See https://github.com/AdguardTeam/AdGuardHome/issues/1708.
 		log.Debug("dhcpv%d: setting secondary dns ip to itself", ipv)
--- a/internal/aghnet/interfaces_test.go
+++ b/internal/aghnet/interfaces_test.go
@@ -5,13 +5,15 @@ import (
 	"testing"

 	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

+// fakeIface is a stub implementation of aghnet.NetIface to simplify testing.
 type fakeIface struct {
-	addrs []net.Addr
 	err   error
+	addrs []net.Addr
 }

 // Addrs implements the NetIface interface for *fakeIface.
@@ -33,61 +35,86 @@ func TestIfaceIPAddrs(t *testing.T) {
 	addr6 := &net.IPNet{IP: ip6}

 	testCases := []struct {
-		name    string
-		iface   NetIface
-		ipv     IPVersion
-		want    []net.IP
-		wantErr error
+		iface      NetIface
+		name       string
+		wantErrMsg string
+		want       []net.IP
+		ipv        IPVersion
 	}{{
-		name:    "ipv4_success",
-		iface:   &fakeIface{addrs: []net.Addr{addr4}, err: nil},
-		ipv:     IPVersion4,
-		want:    []net.IP{ip4},
-		wantErr: nil,
+		iface:      &fakeIface{addrs: []net.Addr{addr4}, err: nil},
+		name:       "ipv4_success",
+		wantErrMsg: "",
+		want:       []net.IP{ip4},
+		ipv:        IPVersion4,
 	}, {
-		name:    "ipv4_success_with_ipv6",
-		iface:   &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
-		ipv:     IPVersion4,
-		want:    []net.IP{ip4},
-		wantErr: nil,
+		iface:      &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
+		name:       "ipv4_success_with_ipv6",
+		wantErrMsg: "",
+		want:       []net.IP{ip4},
+		ipv:        IPVersion4,
 	}, {
-		name:    "ipv4_error",
-		iface:   &fakeIface{addrs: []net.Addr{addr4}, err: errTest},
-		ipv:     IPVersion4,
-		want:    nil,
-		wantErr: errTest,
+		iface:      &fakeIface{addrs: []net.Addr{addr4}, err: errTest},
+		name:       "ipv4_error",
+		wantErrMsg: errTest.Error(),
+		want:       nil,
+		ipv:        IPVersion4,
 	}, {
-		name:    "ipv6_success",
-		iface:   &fakeIface{addrs: []net.Addr{addr6}, err: nil},
-		ipv:     IPVersion6,
-		want:    []net.IP{ip6},
-		wantErr: nil,
+		iface:      &fakeIface{addrs: []net.Addr{addr6}, err: nil},
+		name:       "ipv6_success",
+		wantErrMsg: "",
+		want:       []net.IP{ip6},
+		ipv:        IPVersion6,
 	}, {
-		name:    "ipv6_success_with_ipv4",
-		iface:   &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
-		ipv:     IPVersion6,
-		want:    []net.IP{ip6},
-		wantErr: nil,
+		iface:      &fakeIface{addrs: []net.Addr{addr6, addr4}, err: nil},
+		name:       "ipv6_success_with_ipv4",
+		wantErrMsg: "",
+		want:       []net.IP{ip6},
+		ipv:        IPVersion6,
 	}, {
-		name:    "ipv6_error",
-		iface:   &fakeIface{addrs: []net.Addr{addr6}, err: errTest},
-		ipv:     IPVersion6,
-		want:    nil,
-		wantErr: errTest,
+		iface:      &fakeIface{addrs: []net.Addr{addr6}, err: errTest},
+		name:       "ipv6_error",
+		wantErrMsg: errTest.Error(),
+		want:       nil,
+		ipv:        IPVersion6,
+	}, {
+		iface:      &fakeIface{addrs: nil, err: nil},
+		name:       "bad_proto",
+		wantErrMsg: "invalid ip version 10",
+		want:       nil,
+		ipv:        IPVersion6 + IPVersion4,
+	}, {
+		iface:      &fakeIface{addrs: []net.Addr{&net.IPAddr{IP: ip4}}, err: nil},
+		name:       "ipaddr_v4",
+		wantErrMsg: "",
+		want:       []net.IP{ip4},
+		ipv:        IPVersion4,
+	}, {
+		iface:      &fakeIface{addrs: []net.Addr{&net.IPAddr{IP: ip6, Zone: ""}}, err: nil},
+		name:       "ipaddr_v6",
+		wantErrMsg: "",
+		want:       []net.IP{ip6},
+		ipv:        IPVersion6,
+	}, {
+		iface:      &fakeIface{addrs: []net.Addr{&net.UnixAddr{}}, err: nil},
+		name:       "non-ipv4",
+		wantErrMsg: "",
+		want:       nil,
+		ipv:        IPVersion4,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, gotErr := IfaceIPAddrs(tc.iface, tc.ipv)
-			require.True(t, errors.Is(gotErr, tc.wantErr))
+			got, err := IfaceIPAddrs(tc.iface, tc.ipv)
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
+
 			assert.Equal(t, tc.want, got)
 		})
 	}
 }

 type waitingFakeIface struct {
-	addrs []net.Addr
 	err   error
+	addrs []net.Addr
 	n     int
 }

@@ -116,11 +143,11 @@ func TestIfaceDNSIPAddrs(t *testing.T) {
 	addr6 := &net.IPNet{IP: ip6}

 	testCases := []struct {
-		name    string
 		iface   NetIface
-		ipv     IPVersion
-		want    []net.IP
 		wantErr error
+		name    string
+		want    []net.IP
+		ipv     IPVersion
 	}{{
 		name:    "ipv4_success",
 		iface:   &fakeIface{addrs: []net.Addr{addr4}, err: nil},
@@ -169,12 +196,25 @@ func TestIfaceDNSIPAddrs(t *testing.T) {
 		ipv:     IPVersion6,
 		want:    []net.IP{ip6, ip6},
 		wantErr: nil,
+	}, {
+		name:    "empty",
+		iface:   &fakeIface{addrs: nil, err: nil},
+		ipv:     IPVersion4,
+		want:    nil,
+		wantErr: nil,
+	}, {
+		name:    "many",
+		iface:   &fakeIface{addrs: []net.Addr{addr4, addr4}},
+		ipv:     IPVersion4,
+		want:    []net.IP{ip4, ip4},
+		wantErr: nil,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got, gotErr := IfaceDNSIPAddrs(tc.iface, tc.ipv, 2, 0)
-			require.True(t, errors.Is(gotErr, tc.wantErr))
+			got, err := IfaceDNSIPAddrs(tc.iface, tc.ipv, 2, 0)
+			require.ErrorIs(t, err, tc.wantErr)
+
 			assert.Equal(t, tc.want, got)
 		})
 	}
--- a/internal/aghnet/ipmut_test.go
+++ b/internal/aghnet/ipmut_test.go
@@ -0,0 +1,44 @@
+package aghnet
+
+import (
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIPMut(t *testing.T) {
+	testIPs := []net.IP{{
+		127, 0, 0, 1,
+	}, {
+		192, 168, 0, 1,
+	}, {
+		8, 8, 8, 8,
+	}}
+
+	t.Run("nil_no_mut", func(t *testing.T) {
+		ipmut := NewIPMut(nil)
+
+		ips := netutil.CloneIPs(testIPs)
+		for i := range ips {
+			ipmut.Load()(ips[i])
+			assert.True(t, ips[i].Equal(testIPs[i]))
+		}
+	})
+
+	t.Run("not_nil_mut", func(t *testing.T) {
+		ipmut := NewIPMut(func(ip net.IP) {
+			for i := range ip {
+				ip[i] = 0
+			}
+		})
+		want := netutil.IPv4Zero()
+
+		ips := netutil.CloneIPs(testIPs)
+		for i := range ips {
+			ipmut.Load()(ips[i])
+			assert.True(t, ips[i].Equal(want))
+		}
+	})
+}
--- a/internal/aghnet/net.go
+++ b/internal/aghnet/net.go
@@ -42,8 +42,7 @@ func GatewayIP(ifaceName string) net.IP {

 	fields := strings.Fields(string(d))
 	// The meaningful "ip route" command output should contain the word
-	// "default" at first field and default gateway IP address at third
-	// field.
+	// "default" at first field and default gateway IP address at third field.
 	if len(fields) < 3 || fields[0] != "default" {
 		return nil
 	}
@@ -218,28 +217,6 @@ func IsAddrInUse(err error) (ok bool) {
 	return isAddrInUse(sysErr)
 }

-// SplitHost is a wrapper for net.SplitHostPort for the cases when the hostport
-// does not necessarily contain a port.
-func SplitHost(hostport string) (host string, err error) {
-	host, _, err = net.SplitHostPort(hostport)
-	if err != nil {
-		// Check for the missing port error.  If it is that error, just
-		// use the host as is.
-		//
-		// See the source code for net.SplitHostPort.
-		const missingPort = "missing port in address"
-
-		addrErr := &net.AddrError{}
-		if !errors.As(err, &addrErr) || addrErr.Err != missingPort {
-			return "", err
-		}
-
-		host = hostport
-	}
-
-	return host, nil
-}
-
 // CollectAllIfacesAddrs returns the slice of all network interfaces IP
 // addresses without port number.
 func CollectAllIfacesAddrs() (addrs []string, err error) {
--- a/internal/aghnet/net_test.go
+++ b/internal/aghnet/net_test.go
@@ -15,12 +15,20 @@ func TestMain(m *testing.M) {
 	aghtest.DiscardLogOutput(m)
 }

-func TestGetValidNetInterfacesForWeb(t *testing.T) {
+func TestGetInterfaceByIP(t *testing.T) {
 	ifaces, err := GetValidNetInterfacesForWeb()
-	require.NoErrorf(t, err, "cannot get net interfaces: %s", err)
-	require.NotEmpty(t, ifaces, "no net interfaces found")
+	require.NoError(t, err)
+	require.NotEmpty(t, ifaces)
+
 	for _, iface := range ifaces {
-		require.NotEmptyf(t, iface.Addresses, "no addresses found for %s", iface.Name)
+		t.Run(iface.Name, func(t *testing.T) {
+			require.NotEmpty(t, iface.Addresses)
+
+			for _, ip := range iface.Addresses {
+				ifaceName := GetInterfaceByIP(ip)
+				require.Equal(t, iface.Name, ifaceName)
+			}
+		})
 	}
 }

@@ -73,18 +81,47 @@ func TestBroadcastFromIPNet(t *testing.T) {
 }

 func TestCheckPort(t *testing.T) {
-	l, err := net.Listen("tcp", "127.0.0.1:")
-	require.NoError(t, err)
-	testutil.CleanupAndRequireSuccess(t, l.Close)
+	t.Run("tcp_bound", func(t *testing.T) {
+		l, err := net.Listen("tcp", "127.0.0.1:")
+		require.NoError(t, err)
+		testutil.CleanupAndRequireSuccess(t, l.Close)

-	ipp := netutil.IPPortFromAddr(l.Addr())
-	require.NotNil(t, ipp)
-	require.NotNil(t, ipp.IP)
-	require.NotZero(t, ipp.Port)
+		ipp := netutil.IPPortFromAddr(l.Addr())
+		require.NotNil(t, ipp)
+		require.NotNil(t, ipp.IP)
+		require.NotZero(t, ipp.Port)

-	err = CheckPort("tcp", ipp.IP, ipp.Port)
-	target := &net.OpError{}
-	require.ErrorAs(t, err, &target)
+		err = CheckPort("tcp", ipp.IP, ipp.Port)
+		target := &net.OpError{}
+		require.ErrorAs(t, err, &target)

-	assert.Equal(t, "listen", target.Op)
+		assert.Equal(t, "listen", target.Op)
+	})
+
+	t.Run("udp_bound", func(t *testing.T) {
+		conn, err := net.ListenPacket("udp", "127.0.0.1:")
+		require.NoError(t, err)
+		testutil.CleanupAndRequireSuccess(t, conn.Close)
+
+		ipp := netutil.IPPortFromAddr(conn.LocalAddr())
+		require.NotNil(t, ipp)
+		require.NotNil(t, ipp.IP)
+		require.NotZero(t, ipp.Port)
+
+		err = CheckPort("udp", ipp.IP, ipp.Port)
+		target := &net.OpError{}
+		require.ErrorAs(t, err, &target)
+
+		assert.Equal(t, "listen", target.Op)
+	})
+
+	t.Run("bad_network", func(t *testing.T) {
+		err := CheckPort("bad_network", nil, 0)
+		assert.NoError(t, err)
+	})
+
+	t.Run("can_bind", func(t *testing.T) {
+		err := CheckPort("udp", net.IP{0, 0, 0, 0}, 0)
+		assert.NoError(t, err)
+	})
 }
--- a/internal/aghnet/testdata/etc_hosts
+++ b/internal/aghnet/testdata/etc_hosts
@@ -12,9 +12,27 @@
 1.0.0.3 *
 1.0.0.4 *.com

+# See https://github.com/AdguardTeam/AdGuardHome/issues/4079.
+1.0.0.0 hello.world.again
+
+# Duplicates of a main host and an alias.
+1.0.0.1 simplehost
+1.0.0.0 hello.world
+
 # Same for IPv6.
 ::1 simplehost
 ::  hello hello.world
 ::2 a.whole lot.of aliases for.testing
 ::3 *
 ::4 *.com
+::  hello.world.again
+::1 simplehost
+::  hello.world
+
+# See https://github.com/AdguardTeam/AdGuardHome/issues/4216.
+4.2.1.6 domain domain.alias
+::42    domain.alias domain
+1.3.5.7 domain4 domain4.alias
+7.5.3.1 domain4.alias domain4
+::13    domain6 domain6.alias
+::31    domain6.alias domain6
--- a/internal/aghtest/aghtest.go
+++ b/internal/aghtest/aghtest.go
@@ -20,17 +20,19 @@ func DiscardLogOutput(m *testing.M) {

 // ReplaceLogWriter moves logger output to w and uses Cleanup method of t to
 // revert changes.
-func ReplaceLogWriter(t *testing.T, w io.Writer) {
-	stdWriter := log.Writer()
-	t.Cleanup(func() {
-		log.SetOutput(stdWriter)
-	})
+func ReplaceLogWriter(t testing.TB, w io.Writer) {
+	t.Helper()
+
+	prev := log.Writer()
+	t.Cleanup(func() { log.SetOutput(prev) })
 	log.SetOutput(w)
 }

 // ReplaceLogLevel sets logging level to l and uses Cleanup method of t to
 // revert changes.
-func ReplaceLogLevel(t *testing.T, l log.Level) {
+func ReplaceLogLevel(t testing.TB, l log.Level) {
+	t.Helper()
+
 	switch l {
 	case log.INFO, log.DEBUG, log.ERROR:
 		// Go on.
@@ -38,9 +40,7 @@ func ReplaceLogLevel(t *testing.T, l log.Level) {
 		t.Fatalf("wrong l value (must be one of %v, %v, %v)", log.INFO, log.DEBUG, log.ERROR)
 	}

-	stdLevel := log.GetLevel()
-	t.Cleanup(func() {
-		log.SetLevel(stdLevel)
-	})
+	prev := log.GetLevel()
+	t.Cleanup(func() { log.SetLevel(prev) })
 	log.SetLevel(l)
 }
--- a/internal/aghtest/upstream.go
+++ b/internal/aghtest/upstream.go
@@ -11,10 +11,10 @@ import (
 	"github.com/miekg/dns"
 )

-// TestUpstream is a mock of real upstream.
-type TestUpstream struct {
+// Upstream is a mock implementation of upstream.Upstream.
+type Upstream struct {
 	// CName is a map of hostname to canonical name.
-	CName map[string]string
+	CName map[string][]string
 	// IPv4 is a map of hostname to IPv4.
 	IPv4 map[string][]net.IP
 	// IPv6 is a map of hostname to IPv6.
@@ -25,78 +25,45 @@ type TestUpstream struct {
 	Addr string
 }

-// Exchange implements upstream.Upstream interface for *TestUpstream.
+// Exchange implements the upstream.Upstream interface for *Upstream.
 //
 // TODO(a.garipov): Split further into handlers.
-func (u *TestUpstream) Exchange(m *dns.Msg) (resp *dns.Msg, err error) {
-	resp = &dns.Msg{}
-	resp.SetReply(m)
+func (u *Upstream) Exchange(m *dns.Msg) (resp *dns.Msg, err error) {
+	resp = new(dns.Msg).SetReply(m)

 	if len(m.Question) == 0 {
 		return nil, fmt.Errorf("question should not be empty")
 	}

-	name := m.Question[0].Name
-
-	if cname, ok := u.CName[name]; ok {
-		ans := &dns.CNAME{
-			Hdr: dns.RR_Header{
-				Name:   name,
-				Rrtype: dns.TypeCNAME,
-			},
+	q := m.Question[0]
+	name := q.Name
+	for _, cname := range u.CName[name] {
+		resp.Answer = append(resp.Answer, &dns.CNAME{
+			Hdr:    dns.RR_Header{Name: name, Rrtype: dns.TypeCNAME},
 			Target: cname,
-		}
-
-		resp.Answer = append(resp.Answer, ans)
+		})
 	}

-	rrType := m.Question[0].Qtype
+	qtype := q.Qtype
 	hdr := dns.RR_Header{
 		Name:   name,
-		Rrtype: rrType,
+		Rrtype: qtype,
 	}

-	var names []string
-	var ips []net.IP
-	switch m.Question[0].Qtype {
+	switch qtype {
 	case dns.TypeA:
-		ips = u.IPv4[name]
+		for _, ip := range u.IPv4[name] {
+			resp.Answer = append(resp.Answer, &dns.A{Hdr: hdr, A: ip})
+		}
 	case dns.TypeAAAA:
-		ips = u.IPv6[name]
+		for _, ip := range u.IPv6[name] {
+			resp.Answer = append(resp.Answer, &dns.AAAA{Hdr: hdr, AAAA: ip})
+		}
 	case dns.TypePTR:
-		names = u.Reverse[name]
-	}
-
-	for _, ip := range ips {
-		var ans dns.RR
-		if rrType == dns.TypeA {
-			ans = &dns.A{
-				Hdr: hdr,
-				A:   ip,
-			}
-
-			resp.Answer = append(resp.Answer, ans)
-
-			continue
+		for _, name := range u.Reverse[name] {
+			resp.Answer = append(resp.Answer, &dns.PTR{Hdr: hdr, Ptr: name})
 		}
-
-		ans = &dns.AAAA{
-			Hdr:  hdr,
-			AAAA: ip,
-		}
-
-		resp.Answer = append(resp.Answer, ans)
 	}
-
-	for _, n := range names {
-		ans := &dns.PTR{
-			Hdr: hdr,
-			Ptr: n,
-		}
-
-		resp.Answer = append(resp.Answer, ans)
-	}
-
 	if len(resp.Answer) == 0 {
 		resp.SetRcode(m, dns.RcodeNameError)
 	}
@@ -104,8 +71,8 @@ func (u *TestUpstream) Exchange(m *dns.Msg) (resp *dns.Msg, err error) {
 	return resp, nil
 }

-// Address implements upstream.Upstream interface for *TestUpstream.
-func (u *TestUpstream) Address() string {
+// Address implements upstream.Upstream interface for *Upstream.
+func (u *Upstream) Address() string {
 	return u.Addr
 }

--- a/internal/aghtls/aghtls.go
+++ b/internal/aghtls/aghtls.go
@@ -0,0 +1,30 @@
+// Package aghtls contains utilities for work with TLS.
+package aghtls
+
+import "crypto/tls"
+
+// SaferCipherSuites returns a set of default cipher suites with vulnerable and
+// weak cipher suites removed.
+func SaferCipherSuites() (safe []uint16) {
+	for _, s := range tls.CipherSuites() {
+		switch s.ID {
+		case
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+			// Less safe 3DES and CBC suites, go on.
+		default:
+			safe = append(safe, s.ID)
+		}
+	}
+
+	return safe
+}
--- a/internal/dhcpd/dhcpd.go
+++ b/internal/dhcpd/dhcpd.go
@@ -119,23 +119,28 @@ func (l *Lease) UnmarshalJSON(data []byte) (err error) {
 	return nil
 }

-// ServerConfig - DHCP server configuration
-// field ordering is important -- yaml fields will mirror ordering from here
+// ServerConfig is the configuration for the DHCP server.  The order of YAML
+// fields is important, since the YAML configuration file follows it.
 type ServerConfig struct {
-	Enabled       bool   `yaml:"enabled"`
-	InterfaceName string `yaml:"interface_name"`
-
-	Conf4 V4ServerConf `yaml:"dhcpv4"`
-	Conf6 V6ServerConf `yaml:"dhcpv6"`
-
-	WorkDir    string `yaml:"-"`
-	DBFilePath string `yaml:"-"` // path to DB file
-
 	// Called when the configuration is changed by HTTP request
 	ConfigModified func() `yaml:"-"`

 	// Register an HTTP handler
 	HTTPRegister func(string, string, func(http.ResponseWriter, *http.Request)) `yaml:"-"`
+
+	Enabled       bool   `yaml:"enabled"`
+	InterfaceName string `yaml:"interface_name"`
+
+	// LocalDomainName is the domain name used for DHCP hosts.  For example,
+	// a DHCP client with the hostname "myhost" can be addressed as "myhost.lan"
+	// when LocalDomainName is "lan".
+	LocalDomainName string `yaml:"local_domain_name"`
+
+	Conf4 V4ServerConf `yaml:"dhcpv4"`
+	Conf6 V6ServerConf `yaml:"dhcpv6"`
+
+	WorkDir    string `yaml:"-"`
+	DBFilePath string `yaml:"-"`
 }

 // OnLeaseChangedT is a callback for lease changes.
@@ -156,7 +161,9 @@ type Server struct {
 	srv4 DHCPServer
 	srv6 DHCPServer

-	conf ServerConfig
+	// TODO(a.garipov): Either create a separate type for the internal config or
+	// just put the config values into Server.
+	conf *ServerConfig

 	// Called when the leases DB is modified
 	onLeaseChanged []OnLeaseChangedT
@@ -181,14 +188,21 @@ type ServerInterface interface {
 }

 // Create - create object
-func Create(conf ServerConfig) (s *Server, err error) {
-	s = &Server{}
+func Create(conf *ServerConfig) (s *Server, err error) {
+	s = &Server{
+		conf: &ServerConfig{
+			ConfigModified: conf.ConfigModified,

-	s.conf.Enabled = conf.Enabled
-	s.conf.InterfaceName = conf.InterfaceName
-	s.conf.HTTPRegister = conf.HTTPRegister
-	s.conf.ConfigModified = conf.ConfigModified
-	s.conf.DBFilePath = filepath.Join(conf.WorkDir, dbFilename)
+			HTTPRegister: conf.HTTPRegister,
+
+			Enabled:       conf.Enabled,
+			InterfaceName: conf.InterfaceName,
+
+			LocalDomainName: conf.LocalDomainName,
+
+			DBFilePath: filepath.Join(conf.WorkDir, dbFilename),
+		},
+	}

 	if !webHandlersRegistered && s.conf.HTTPRegister != nil {
 		if runtime.GOOS == "windows" {
@@ -305,6 +319,7 @@ func (s *Server) notify(flags int) {
 func (s *Server) WriteDiskConfig(c *ServerConfig) {
 	c.Enabled = s.conf.Enabled
 	c.InterfaceName = s.conf.InterfaceName
+	c.LocalDomainName = s.conf.LocalDomainName
 	s.srv4.WriteDiskConfig4(&c.Conf4)
 	s.srv6.WriteDiskConfig6(&c.Conf6)
 }
--- a/internal/dhcpd/dhcpd_test.go
+++ b/internal/dhcpd/dhcpd_test.go
@@ -27,7 +27,7 @@ func testNotify(flags uint32) {
 func TestDB(t *testing.T) {
 	var err error
 	s := Server{
-		conf: ServerConfig{
+		conf: &ServerConfig{
 			DBFilePath: dbFilename,
 		},
 	}
@@ -140,27 +140,27 @@ func TestNormalizeLeases(t *testing.T) {
 func TestV4Server_badRange(t *testing.T) {
 	testCases := []struct {
 		name       string
+		wantErrMsg string
 		gatewayIP  net.IP
 		subnetMask net.IP
-		wantErrMsg string
 	}{{
-		name:       "gateway_in_range",
-		gatewayIP:  net.IP{192, 168, 10, 120},
-		subnetMask: net.IP{255, 255, 255, 0},
+		name: "gateway_in_range",
 		wantErrMsg: "dhcpv4: gateway ip 192.168.10.120 in the ip range: " +
 			"192.168.10.20-192.168.10.200",
+		gatewayIP:  net.IP{192, 168, 10, 120},
+		subnetMask: net.IP{255, 255, 255, 0},
 	}, {
-		name:       "outside_range_start",
-		gatewayIP:  net.IP{192, 168, 10, 1},
-		subnetMask: net.IP{255, 255, 255, 240},
+		name: "outside_range_start",
 		wantErrMsg: "dhcpv4: range start 192.168.10.20 is outside network " +
 			"192.168.10.1/28",
-	}, {
-		name:       "outside_range_end",
 		gatewayIP:  net.IP{192, 168, 10, 1},
-		subnetMask: net.IP{255, 255, 255, 224},
+		subnetMask: net.IP{255, 255, 255, 240},
+	}, {
+		name: "outside_range_end",
 		wantErrMsg: "dhcpv4: range end 192.168.10.200 is outside network " +
 			"192.168.10.1/27",
+		gatewayIP:  net.IP{192, 168, 10, 1},
+		subnetMask: net.IP{255, 255, 255, 224},
 	}}

 	for _, tc := range testCases {
--- a/internal/dhcpd/http.go
+++ b/internal/dhcpd/http.go
@@ -575,12 +575,15 @@ func (s *Server) handleReset(w http.ResponseWriter, r *http.Request) {
 		log.Error("dhcp: removing db: %s", err)
 	}

-	oldconf := s.conf
-	s.conf = ServerConfig{
-		WorkDir:        oldconf.WorkDir,
-		HTTPRegister:   oldconf.HTTPRegister,
-		ConfigModified: oldconf.ConfigModified,
-		DBFilePath:     oldconf.DBFilePath,
+	s.conf = &ServerConfig{
+		ConfigModified: s.conf.ConfigModified,
+
+		HTTPRegister: s.conf.HTTPRegister,
+
+		LocalDomainName: s.conf.LocalDomainName,
+
+		WorkDir:    s.conf.WorkDir,
+		DBFilePath: s.conf.DBFilePath,
 	}

 	v4conf := V4ServerConf{
--- a/internal/dhcpd/nullbool_test.go
+++ b/internal/dhcpd/nullbool_test.go
@@ -12,33 +12,33 @@ import (
 func TestNullBool_UnmarshalJSON(t *testing.T) {
 	testCases := []struct {
 		name       string
-		data       []byte
 		wantErrMsg string
+		data       []byte
 		want       nullBool
 	}{{
 		name:       "empty",
-		data:       []byte{},
 		wantErrMsg: "",
+		data:       []byte{},
 		want:       nbNull,
 	}, {
 		name:       "null",
-		data:       []byte("null"),
 		wantErrMsg: "",
+		data:       []byte("null"),
 		want:       nbNull,
 	}, {
 		name:       "true",
-		data:       []byte("true"),
 		wantErrMsg: "",
+		data:       []byte("true"),
 		want:       nbTrue,
 	}, {
 		name:       "false",
-		data:       []byte("false"),
 		wantErrMsg: "",
+		data:       []byte("false"),
 		want:       nbFalse,
 	}, {
 		name:       "invalid",
-		data:       []byte("flase"),
-		wantErrMsg: `invalid nullBool value "flase"`,
+		wantErrMsg: `invalid nullBool value "invalid"`,
+		data:       []byte("invalid"),
 		want:       nbNull,
 	}}

--- a/internal/dhcpd/options_unix.go
+++ b/internal/dhcpd/options_unix.go
@@ -130,21 +130,19 @@ func parseDHCPOption(s string) (opt dhcpv4.Option, err error) {
 // prepareOptions builds the set of DHCP options according to host requirements
 // document and values from conf.
 func prepareOptions(conf V4ServerConf) (opts dhcpv4.Options) {
+	// Set default values for host configuration parameters listed in Appendix
+	// A of RFC-2131.  Those parameters, if requested by client, should be
+	// returned with values defined by Host Requirements Document.
+	//
+	// See https://datatracker.ietf.org/doc/html/rfc2131#appendix-A.
+	//
+	// See also https://datatracker.ietf.org/doc/html/rfc1122,
+	// https://datatracker.ietf.org/doc/html/rfc1123, and
+	// https://datatracker.ietf.org/doc/html/rfc2132.
 	opts = dhcpv4.Options{
-		// Set default values for host configuration parameters listed
-		// in Appendix A of RFC-2131.  Those parameters, if requested by
-		// client, should be returned with values defined by Host
-		// Requirements Document.
-		//
-		// See https://datatracker.ietf.org/doc/html/rfc2131#appendix-A.
-		//
-		// See also https://datatracker.ietf.org/doc/html/rfc1122,
-		// https://datatracker.ietf.org/doc/html/rfc1123, and
-		// https://datatracker.ietf.org/doc/html/rfc2132.
-
 		// IP-Layer Per Host
-
 		dhcpv4.OptionNonLocalSourceRouting.Code(): []byte{0},
+
 		// Set the current recommended default time to live for the
 		// Internet Protocol which is 64, see
 		// https://datatracker.ietf.org/doc/html/rfc1700.
--- a/internal/dhcpd/server.go
+++ b/internal/dhcpd/server.go
@@ -27,7 +27,6 @@ type DHCPServer interface {
 	Start() (err error)
 	// Stop - stop server
 	Stop() (err error)
-
 	getLeasesRef() []*Lease
 }

--- a/internal/dhcpd/v4.go
+++ b/internal/dhcpd/v4.go
@@ -969,11 +969,10 @@ func (s *v4Server) send(peer net.Addr, conn net.PacketConn, req, resp *dhcpv4.DH
 			Port: dhcpv4.ServerPort,
 		}
 		if mtype == dhcpv4.MessageTypeNak {
-			// Set the broadcast bit in the DHCPNAK, so that the
-			// relay agent broadcasted it to the client, because the
-			// client may not have a correct network address or
-			// subnet mask, and the client may not be answering ARP
-			// requests.
+			// Set the broadcast bit in the DHCPNAK, so that the relay agent
+			// broadcasts it to the client, because the client may not have
+			// a correct network address or subnet mask, and the client may not
+			// be answering ARP requests.
 			resp.SetBroadcast()
 		}
 	case mtype == dhcpv4.MessageTypeNak:
--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@@ -7,7 +7,7 @@ import (
 	"net/http"
 	"strings"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -214,7 +214,7 @@ func validateAccessSet(list *accessListJSON) (err error) {
 	}

 	merged := allowed.Merge(disallowed)
-	err = merged.Validate(aghalgo.StringIsBefore)
+	err = merged.Validate(aghalg.StringIsBefore)
 	if err != nil {
 		return fmt.Errorf("items in allowed and disallowed clients intersect: %w", err)
 	}
@@ -223,13 +223,13 @@ func validateAccessSet(list *accessListJSON) (err error) {
 }

 // validateStrUniq returns an informative error if clients are not unique.
-func validateStrUniq(clients []string) (uv aghalgo.UniquenessValidator, err error) {
-	uv = make(aghalgo.UniquenessValidator, len(clients))
+func validateStrUniq(clients []string) (uc aghalg.UniqChecker, err error) {
+	uc = make(aghalg.UniqChecker, len(clients))
 	for _, c := range clients {
-		uv.Add(c)
+		uc.Add(c)
 	}

-	return uv, uv.Validate(aghalgo.StringIsBefore)
+	return uc, uc.Validate(aghalg.StringIsBefore)
 }

 func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
@@ -243,15 +244,15 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
 		proxyConfig.FastestPingTimeout = s.conf.FastestTimeout.Duration
 	}

-	if len(s.conf.BogusNXDomain) > 0 {
-		for _, s := range s.conf.BogusNXDomain {
-			ip := net.ParseIP(s)
-			if ip == nil {
-				log.Error("Invalid bogus IP: %s", s)
-			} else {
-				proxyConfig.BogusNXDomain = append(proxyConfig.BogusNXDomain, ip)
-			}
+	for i, s := range s.conf.BogusNXDomain {
+		subnet, err := netutil.ParseSubnet(s)
+		if err != nil {
+			log.Error("subnet at index %d: %s", i, err)
+
+			continue
 		}
+
+		proxyConfig.BogusNXDomain = append(proxyConfig.BogusNXDomain, subnet)
 	}

 	// TLS settings
@@ -426,6 +427,7 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) error {

 	proxyConfig.TLSConfig = &tls.Config{
 		GetCertificate: s.onGetCertificate,
+		CipherSuites:   aghtls.SaferCipherSuites(),
 		MinVersion:     tls.VersionTLS12,
 	}

--- a/internal/dnsforward/dns.go
+++ b/internal/dnsforward/dns.go
@@ -215,9 +215,8 @@ func (s *Server) onDHCPLeaseChanged(flags int) {
 		ipToHost = netutil.NewIPMap(len(ll))

 		for _, l := range ll {
-			// TODO(a.garipov): Remove this after we're finished
-			// with the client hostname validations in the DHCP
-			// server code.
+			// TODO(a.garipov): Remove this after we're finished with the client
+			// hostname validations in the DHCP server code.
 			err = netutil.ValidateDomainName(l.Hostname)
 			if err != nil {
 				log.Debug(
@@ -301,6 +300,8 @@ func (s *Server) processInternalHosts(dctx *dnsContext) (rc resultCode) {
 	}

 	reqHost := strings.ToLower(q.Name)
+	// TODO(a.garipov): Move everything related to DHCP local domain to the DHCP
+	// server.
 	host := strings.TrimSuffix(reqHost, s.localDomainSuffix)
 	if host == reqHost {
 		return resultCodeSuccess
@@ -352,9 +353,22 @@ func (s *Server) processRestrictLocal(ctx *dnsContext) (rc resultCode) {

 	ip, err := netutil.IPFromReversedAddr(q.Name)
 	if err != nil {
-		log.Debug("dns: reversed addr: %s", err)
+		log.Debug("dns: parsing reversed addr: %s", err)

-		return resultCodeError
+		// DNS-Based Service Discovery uses PTR records having not an ARPA
+		// format of the domain name in question.  Those shouldn't be
+		// invalidated.  See http://www.dns-sd.org/ServerStaticSetup.html and
+		// RFC 2782.
+		name := strings.TrimSuffix(q.Name, ".")
+		if err = netutil.ValidateSRVDomainName(name); err != nil {
+			log.Debug("dns: validating service domain: %s", err)
+
+			return resultCodeError
+		}
+
+		log.Debug("dns: request is for a service domain")
+
+		return resultCodeSuccess
 	}

 	// Restrict an access to local addresses for external clients.  We also
@@ -599,9 +613,9 @@ func (s *Server) processFilteringAfterResponse(ctx *dnsContext) (rc resultCode)
 			d.Res.Answer = answer
 		}
 	default:
-		// Check the response only if the it's from an upstream.  Don't check
-		// the response if the protection is disabled since dnsrewrite rules
-		// aren't applied to it anyway.
+		// Check the response only if it's from an upstream.  Don't check the
+		// response if the protection is disabled since dnsrewrite rules aren't
+		// applied to it anyway.
 		if !ctx.protectionEnabled || !ctx.responseFromUpstream || s.dnsFilter == nil {
 			break
 		}
--- a/internal/dnsforward/dns_test.go
+++ b/internal/dnsforward/dns_test.go
@@ -261,7 +261,7 @@ func TestServer_ProcessInternalHosts(t *testing.T) {
 }

 func TestServer_ProcessRestrictLocal(t *testing.T) {
-	ups := &aghtest.TestUpstream{
+	ups := &aghtest.Upstream{
 		Reverse: map[string][]string{
 			"251.252.253.254.in-addr.arpa.": {"host1.example.net."},
 			"1.1.168.192.in-addr.arpa.":     {"some.local-client."},
@@ -339,7 +339,7 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{}, ServerConfig{
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
-	}, &aghtest.TestUpstream{
+	}, &aghtest.Upstream{
 		Reverse: map[string][]string{
 			reqAddr: {locDomain},
 		},
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -89,7 +89,7 @@ func createTestServer(
 	defer s.serverLock.Unlock()

 	if localUps != nil {
-		s.localResolvers.Config.UpstreamConfig.Upstreams = []upstream.Upstream{localUps}
+		s.localResolvers.UpstreamConfig.Upstreams = []upstream.Upstream{localUps}
 		s.conf.UsePrivateRDNS = true
 	}

@@ -247,7 +247,7 @@ func TestServer(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"google-public-dns-a.google.com.": {{8, 8, 8, 8}},
 			},
@@ -316,7 +316,7 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 	}, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"google-public-dns-a.google.com.": {{8, 8, 8, 8}},
 			},
@@ -339,7 +339,7 @@ func TestDoTServer(t *testing.T) {
 		TLSListenAddrs: []*net.TCPAddr{{}},
 	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"google-public-dns-a.google.com.": {{8, 8, 8, 8}},
 			},
@@ -369,7 +369,7 @@ func TestDoQServer(t *testing.T) {
 		QUICListenAddrs: []*net.UDPAddr{{IP: net.IP{127, 0, 0, 1}}},
 	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"google-public-dns-a.google.com.": {{8, 8, 8, 8}},
 			},
@@ -413,7 +413,7 @@ func TestServerRace(t *testing.T) {
 	}
 	s := createTestServer(t, filterConf, forwardConf, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"google-public-dns-a.google.com.": {{8, 8, 8, 8}},
 			},
@@ -552,7 +552,7 @@ func TestServerCustomClientUpstream(t *testing.T) {
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
 	s.conf.GetCustomUpstreamByClient = func(_ string) (conf *proxy.UpstreamConfig, err error) {
-		ups := &aghtest.TestUpstream{
+		ups := &aghtest.Upstream{
 			IPv4: map[string][]net.IP{
 				"host.": {{192, 168, 0, 1}},
 			},
@@ -580,9 +580,9 @@ func TestServerCustomClientUpstream(t *testing.T) {
 }

 // testCNAMEs is a map of names and CNAMEs necessary for the TestUpstream work.
-var testCNAMEs = map[string]string{
-	"badhost.":               "NULL.example.org.",
-	"whitelist.example.org.": "NULL.example.org.",
+var testCNAMEs = map[string][]string{
+	"badhost.":               {"NULL.example.org."},
+	"whitelist.example.org.": {"NULL.example.org."},
 }

 // testIPv4 is a map of names and IPv4s necessary for the TestUpstream work.
@@ -596,7 +596,7 @@ func TestBlockCNAMEProtectionEnabled(t *testing.T) {
 		UDPListenAddrs: []*net.UDPAddr{{}},
 		TCPListenAddrs: []*net.TCPAddr{{}},
 	}, nil)
-	testUpstm := &aghtest.TestUpstream{
+	testUpstm := &aghtest.Upstream{
 		CName: testCNAMEs,
 		IPv4:  testIPv4,
 		IPv6:  nil,
@@ -630,7 +630,7 @@ func TestBlockCNAME(t *testing.T) {
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			CName: testCNAMEs,
 			IPv4:  testIPv4,
 		},
@@ -640,14 +640,17 @@ func TestBlockCNAME(t *testing.T) {
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP).String()

 	testCases := []struct {
+		name string
 		host string
 		want bool
 	}{{
+		name: "block_request",
 		host: "badhost.",
 		// 'badhost' has a canonical name 'NULL.example.org' which is
 		// blocked by filters: response is blocked.
 		want: true,
 	}, {
+		name: "allowed",
 		host: "whitelist.example.org.",
 		// 'whitelist.example.org' has a canonical name
 		// 'NULL.example.org' which is blocked by filters
@@ -655,6 +658,7 @@ func TestBlockCNAME(t *testing.T) {
 		// response isn't blocked.
 		want: false,
 	}, {
+		name: "block_response",
 		host: "example.org.",
 		// 'example.org' has a canonical name 'cname1' with IP
 		// 127.0.0.255 which is blocked by filters: response is blocked.
@@ -662,9 +666,9 @@ func TestBlockCNAME(t *testing.T) {
 	}}

 	for _, tc := range testCases {
-		t.Run("block_cname_"+tc.host, func(t *testing.T) {
-			req := createTestMessage(tc.host)
+		req := createTestMessage(tc.host)

+		t.Run(tc.name, func(t *testing.T) {
 			reply, err := dns.Exchange(req, addr)
 			require.NoError(t, err)

@@ -674,7 +678,7 @@ func TestBlockCNAME(t *testing.T) {

 				ans := reply.Answer[0]
 				a, ok := ans.(*dns.A)
-				require.Truef(t, ok, "got %T", ans)
+				require.True(t, ok)

 				assert.True(t, a.A.IsUnspecified())
 			}
@@ -695,7 +699,7 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 	}
 	s := createTestServer(t, &filtering.Config{}, forwardConf, nil)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
+		&aghtest.Upstream{
 			CName: testCNAMEs,
 			IPv4:  testIPv4,
 		},
@@ -931,9 +935,9 @@ func TestRewrite(t *testing.T) {
 	}))

 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
-		&aghtest.TestUpstream{
-			CName: map[string]string{
-				"example.org": "somename",
+		&aghtest.Upstream{
+			CName: map[string][]string{
+				"example.org": {"somename"},
 			},
 			IPv4: map[string][]net.IP{
 				"example.org.": {{4, 3, 2, 1}},
@@ -1193,12 +1197,12 @@ func TestNewServer(t *testing.T) {
 }

 func TestServer_Exchange(t *testing.T) {
-	extUpstream := &aghtest.TestUpstream{
+	extUpstream := &aghtest.Upstream{
 		Reverse: map[string][]string{
 			"1.1.1.1.in-addr.arpa.": {"one.one.one.one"},
 		},
 	}
-	locUpstream := &aghtest.TestUpstream{
+	locUpstream := &aghtest.Upstream{
 		Reverse: map[string][]string{
 			"1.1.168.192.in-addr.arpa.": {"local.domain"},
 			"2.1.168.192.in-addr.arpa.": {},
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -116,7 +116,7 @@ func (s *Server) filterDNSRequest(ctx *dnsContext) (*filtering.Result, error) {

 // checkHostRules checks the host against filters.  It is safe for concurrent
 // use.
-func (s *Server) checkHostRules(host string, qtype uint16, setts *filtering.Settings) (
+func (s *Server) checkHostRules(host string, rrtype uint16, setts *filtering.Settings) (
 	r *filtering.Result,
 	err error,
 ) {
@@ -128,7 +128,7 @@ func (s *Server) checkHostRules(host string, qtype uint16, setts *filtering.Sett
 	}

 	var res filtering.Result
-	res, err = s.dnsFilter.CheckHostRules(host, qtype, setts)
+	res, err = s.dnsFilter.CheckHostRules(host, rrtype, setts)
 	if err != nil {
 		return nil, err
 	}
@@ -136,33 +136,36 @@ func (s *Server) checkHostRules(host string, qtype uint16, setts *filtering.Sett
 	return &res, err
 }

-// If response contains CNAME, A or AAAA records, we apply filtering to each
-// canonical host name or IP address.  If this is a match, we set a new response
-// in d.Res and return.
-func (s *Server) filterDNSResponse(ctx *dnsContext) (*filtering.Result, error) {
+// filterDNSResponse checks each resource record of the response's answer
+// section from ctx and returns a non-nil res if at least one of canonnical
+// names or IP addresses in it matches the filtering rules.
+func (s *Server) filterDNSResponse(ctx *dnsContext) (res *filtering.Result, err error) {
 	d := ctx.proxyCtx
+	setts := ctx.setts
+	if !setts.FilteringEnabled {
+		return nil, nil
+	}
+
 	for _, a := range d.Res.Answer {
 		host := ""
-
-		switch v := a.(type) {
+		var rrtype uint16
+		switch a := a.(type) {
 		case *dns.CNAME:
-			log.Debug("DNSFwd: Checking CNAME %s for %s", v.Target, v.Hdr.Name)
-			host = strings.TrimSuffix(v.Target, ".")
-
+			host = strings.TrimSuffix(a.Target, ".")
+			rrtype = dns.TypeCNAME
 		case *dns.A:
-			host = v.A.String()
-			log.Debug("DNSFwd: Checking record A (%s) for %s", host, v.Hdr.Name)
-
+			host = a.A.String()
+			rrtype = dns.TypeA
 		case *dns.AAAA:
-			host = v.AAAA.String()
-			log.Debug("DNSFwd: Checking record AAAA (%s) for %s", host, v.Hdr.Name)
-
+			host = a.AAAA.String()
+			rrtype = dns.TypeAAAA
 		default:
 			continue
 		}

-		host = strings.TrimSuffix(host, ".")
-		res, err := s.checkHostRules(host, d.Req.Question[0].Qtype, ctx.setts)
+		log.Debug("dnsforward: checking %s %s for %s", dns.Type(rrtype), host, a.Header().Name)
+
+		res, err = s.checkHostRules(host, rrtype, setts)
 		if err != nil {
 			return nil, err
 		} else if res == nil {
--- a/internal/dnsforward/filter_test.go
+++ b/internal/dnsforward/filter_test.go
@@ -0,0 +1,159 @@
+package dnsforward
+
+import (
+	"net"
+	"testing"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHandleDNSRequest_filterDNSResponse(t *testing.T) {
+	rules := `
+||blocked.domain^
+@@||allowed.domain^
+||cname.specific^$dnstype=~CNAME
+||0.0.0.1^$dnstype=~A
+||::1^$dnstype=~AAAA
+`
+
+	forwardConf := ServerConfig{
+		UDPListenAddrs: []*net.UDPAddr{{}},
+		TCPListenAddrs: []*net.TCPAddr{{}},
+		FilteringConfig: FilteringConfig{
+			ProtectionEnabled: true,
+			BlockingMode:      BlockingModeDefault,
+		},
+	}
+	filters := []filtering.Filter{{
+		ID: 0, Data: []byte(rules),
+	}}
+
+	f := filtering.New(&filtering.Config{}, filters)
+	f.SetEnabled(true)
+
+	snd, err := aghnet.NewSubnetDetector()
+	require.NoError(t, err)
+	require.NotNil(t, snd)
+
+	s, err := NewServer(DNSCreateParams{
+		DHCPServer:     &testDHCP{},
+		DNSFilter:      f,
+		SubnetDetector: snd,
+	})
+	require.NoError(t, err)
+
+	s.conf = forwardConf
+	err = s.Prepare(nil)
+	require.NoError(t, err)
+
+	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
+		&aghtest.Upstream{
+			CName: map[string][]string{
+				"cname.exception.": {"cname.specific."},
+				"should.block.":    {"blocked.domain."},
+				"allowed.first.":   {"allowed.domain.", "blocked.domain."},
+				"blocked.first.":   {"blocked.domain.", "allowed.domain."},
+			},
+			IPv4: map[string][]net.IP{
+				"a.exception.": {{0, 0, 0, 1}},
+			},
+			IPv6: map[string][]net.IP{
+				"aaaa.exception.": {net.ParseIP("::1")},
+			},
+		},
+	}
+	startDeferStop(t, s)
+
+	testCases := []struct {
+		req     *dns.Msg
+		name    string
+		wantAns []dns.RR
+	}{{
+		req:  createTestMessage("cname.exception."),
+		name: "cname_exception",
+		wantAns: []dns.RR{&dns.CNAME{
+			Hdr: dns.RR_Header{
+				Name:   "cname.exception.",
+				Rrtype: dns.TypeCNAME,
+			},
+			Target: "cname.specific.",
+		}},
+	}, {
+		req:  createTestMessage("should.block."),
+		name: "blocked_by_cname",
+		wantAns: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   "should.block.",
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+			},
+			A: netutil.IPv4Zero(),
+		}},
+	}, {
+		req:  createTestMessage("a.exception."),
+		name: "a_exception",
+		wantAns: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   "a.exception.",
+				Rrtype: dns.TypeA,
+			},
+			A: net.IP{0, 0, 0, 1},
+		}},
+	}, {
+		req:  createTestMessageWithType("aaaa.exception.", dns.TypeAAAA),
+		name: "aaaa_exception",
+		wantAns: []dns.RR{&dns.AAAA{
+			Hdr: dns.RR_Header{
+				Name:   "aaaa.exception.",
+				Rrtype: dns.TypeAAAA,
+			},
+			AAAA: net.ParseIP("::1"),
+		}},
+	}, {
+		req:  createTestMessage("allowed.first."),
+		name: "allowed_first",
+		wantAns: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   "allowed.first.",
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+			},
+			A: netutil.IPv4Zero(),
+		}},
+	}, {
+		req:  createTestMessage("blocked.first."),
+		name: "blocked_first",
+		wantAns: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   "blocked.first.",
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+			},
+			A: netutil.IPv4Zero(),
+		}},
+	}}
+
+	for _, tc := range testCases {
+		dctx := &proxy.DNSContext{
+			Proto: proxy.ProtoUDP,
+			Req:   tc.req,
+			Addr:  &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: 1},
+		}
+
+		t.Run(tc.name, func(t *testing.T) {
+			err = s.handleDNSRequest(nil, dctx)
+			require.NoError(t, err)
+			require.NotNil(t, dctx.Res)
+
+			assert.Equal(t, tc.wantAns, dctx.Res.Answer)
+		})
+	}
+}
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"

@@ -192,22 +191,23 @@ func (req *dnsConfig) checkCacheTTL() bool {

 func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
 	req := dnsConfig{}
-	dec := json.NewDecoder(r.Body)
-	if err := dec.Decode(&req); err != nil {
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
 		aghhttp.Error(r, w, http.StatusBadRequest, "json Encode: %s", err)

 		return
 	}

 	if req.Upstreams != nil {
-		if err := ValidateUpstreams(*req.Upstreams); err != nil {
+		if err = ValidateUpstreams(*req.Upstreams); err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "wrong upstreams specification: %s", err)

 			return
 		}
 	}

-	if errBoot, err := req.checkBootstrap(); err != nil {
+	var errBoot string
+	if errBoot, err = req.checkBootstrap(); err != nil {
 		aghhttp.Error(
 			r,
 			w,
@@ -220,19 +220,16 @@ func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if !req.checkBlockingMode() {
+	switch {
+	case !req.checkBlockingMode():
 		aghhttp.Error(r, w, http.StatusBadRequest, "blocking_mode: incorrect value")

 		return
-	}
-
-	if !req.checkUpstreamsMode() {
+	case !req.checkUpstreamsMode():
 		aghhttp.Error(r, w, http.StatusBadRequest, "upstream_mode: incorrect value")

 		return
-	}
-
-	if !req.checkCacheTTL() {
+	case !req.checkCacheTTL():
 		aghhttp.Error(
 			r,
 			w,
@@ -241,13 +238,15 @@ func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
 		)

 		return
+	default:
+		// Go on.
 	}

 	restart := s.setConfig(req)
 	s.conf.ConfigModified()

 	if restart {
-		if err := s.Reconfigure(nil); err != nil {
+		if err = s.Reconfigure(nil); err != nil {
 			aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
 		}
 	}
@@ -387,14 +386,14 @@ func ValidateUpstreams(upstreams []string) (err error) {

 	var defaultUpstreamFound bool
 	for _, u := range upstreams {
-		var ok bool
-		ok, err = validateUpstream(u)
+		var useDefault bool
+		useDefault, err = validateUpstream(u)
 		if err != nil {
 			return err
 		}

 		if !defaultUpstreamFound {
-			defaultUpstreamFound = ok
+			defaultUpstreamFound = useDefault
 		}
 	}

@@ -407,50 +406,62 @@ func ValidateUpstreams(upstreams []string) (err error) {

 var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}

-func validateUpstream(u string) (bool, error) {
+func validateUpstream(u string) (useDefault bool, err error) {
 	// Check if the user tries to specify upstream for domain.
-	u, useDefault, err := separateUpstream(u)
+	var isDomainSpec bool
+	u, isDomainSpec, err = separateUpstream(u)
 	if err != nil {
-		return useDefault, err
+		return !isDomainSpec, err
 	}

-	// The special server address '#' means "use the default servers"
-	if u == "#" && !useDefault {
+	// The special server address '#' means that default server must be used.
+	if useDefault = !isDomainSpec; u == "#" && isDomainSpec {
 		return useDefault, nil
 	}

-	// Check if the upstream has a valid protocol prefix
+	// Check if the upstream has a valid protocol prefix.
+	//
+	// TODO(e.burkov):  Validate the domain name.
 	for _, proto := range protocols {
 		if strings.HasPrefix(u, proto) {
 			return useDefault, nil
 		}
 	}

-	// Return error if the upstream contains '://' without any valid protocol
 	if strings.Contains(u, "://") {
-		return useDefault, fmt.Errorf("wrong protocol")
+		return useDefault, errors.Error("wrong protocol")
 	}

-	// Check if upstream is valid plain DNS
-	return useDefault, checkPlainDNS(u)
+	// Check if upstream is either an IP or IP with port.
+	if net.ParseIP(u) != nil {
+		return useDefault, nil
+	} else if _, err = netutil.ParseIPPort(u); err != nil {
+		return useDefault, err
+	}
+
+	return useDefault, nil
 }

 // separateUpstream returns the upstream without the specified domains.
-// useDefault is true when a default upstream must be used.
-func separateUpstream(upstreamStr string) (upstream string, useDefault bool, err error) {
-	defer func() { err = errors.Annotate(err, "bad upstream for domain spec %q: %w", upstreamStr) }()
-
+// isDomainSpec is true when the upstream is domains-specific.
+func separateUpstream(upstreamStr string) (upstream string, isDomainSpec bool, err error) {
 	if !strings.HasPrefix(upstreamStr, "[/") {
-		return upstreamStr, true, nil
+		return upstreamStr, false, nil
 	}
+	defer func() { err = errors.Annotate(err, "bad upstream for domain %q: %w", upstreamStr) }()

 	parts := strings.Split(upstreamStr[2:], "/]")
-	if len(parts) != 2 {
-		return "", false, errors.Error("duplicated separator")
+	switch len(parts) {
+	case 2:
+		// Go on.
+	case 1:
+		return "", false, errors.Error("missing separator")
+	default:
+		return "", true, errors.Error("duplicated separator")
 	}

-	domains := parts[0]
-	upstream = parts[1]
+	var domains string
+	domains, upstream = parts[0], parts[1]
 	for i, host := range strings.Split(domains, "/") {
 		if host == "" {
 			continue
@@ -458,36 +469,11 @@ func separateUpstream(upstreamStr string) (upstream string, useDefault bool, err

 		err = netutil.ValidateDomainName(host)
 		if err != nil {
-			return "", false, fmt.Errorf("domain at index %d: %w", i, err)
+			return "", true, fmt.Errorf("domain at index %d: %w", i, err)
 		}
 	}

-	return upstream, false, nil
-}
-
-// checkPlainDNS checks if host is plain DNS
-func checkPlainDNS(upstream string) error {
-	// Check if host is ip without port
-	if net.ParseIP(upstream) != nil {
-		return nil
-	}
-
-	// Check if host is ip with port
-	ip, port, err := net.SplitHostPort(upstream)
-	if err != nil {
-		return err
-	}
-
-	if net.ParseIP(ip) == nil {
-		return fmt.Errorf("%s is not a valid IP", ip)
-	}
-
-	_, err = strconv.ParseInt(port, 0, 64)
-	if err != nil {
-		return fmt.Errorf("%s is not a valid port: %w", port, err)
-	}
-
-	return nil
+	return upstream, true, nil
 }

 // excFunc is a signature of function to check if upstream exchanges correctly.
@@ -515,12 +501,8 @@ func checkDNSUpstreamExc(u upstream.Upstream) (err error) {

 	if len(reply.Answer) != 1 {
 		return fmt.Errorf("wrong response")
-	}
-
-	if t, ok := reply.Answer[0].(*dns.A); ok {
-		if !net.IPv4(8, 8, 8, 8).Equal(t.A) {
-			return fmt.Errorf("wrong response")
-		}
+	} else if a, ok := reply.Answer[0].(*dns.A); !ok || !a.A.Equal(net.IP{8, 8, 8, 8}) {
+		return fmt.Errorf("wrong response")
 	}

 	return nil
@@ -555,7 +537,7 @@ func checkDNS(input string, bootstrap []string, timeout time.Duration, ef excFun

 	// Separate upstream from domains list.
 	var useDefault bool
-	if input, useDefault, err = separateUpstream(input); err != nil {
+	if useDefault, err = validateUpstream(input); err != nil {
 		return fmt.Errorf("wrong upstream format: %w", err)
 	}

@@ -564,7 +546,7 @@ func checkDNS(input string, bootstrap []string, timeout time.Duration, ef excFun
 		return nil
 	}

-	if _, err = validateUpstream(input); err != nil {
+	if input, _, err = separateUpstream(input); err != nil {
 		return fmt.Errorf("wrong upstream format: %w", err)
 	}

@@ -572,7 +554,8 @@ func checkDNS(input string, bootstrap []string, timeout time.Duration, ef excFun
 		bootstrap = defaultBootstrap
 	}

-	log.Debug("checking if dns server %q works...", input)
+	log.Debug("checking if upstream %s works", input)
+
 	var u upstream.Upstream
 	u, err = upstream.AddressToUpstream(input, &upstream.Options{
 		Bootstrap: bootstrap,
@@ -586,7 +569,7 @@ func checkDNS(input string, bootstrap []string, timeout time.Duration, ef excFun
 		return fmt.Errorf("upstream %q fails to exchange: %w", input, err)
 	}

-	log.Debug("dns %s works OK", input)
+	log.Debug("upstream %s is ok", input)

 	return nil
 }
@@ -620,9 +603,9 @@ func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) {
 		err = checkDNS(host, bootstraps, timeout, checkPrivateUpstreamExc)
 		if err != nil {
 			log.Info("%v", err)
-			// TODO(e.burkov): If passed upstream have already
-			// written an error above, we rewriting the error for
-			// it.  These cases should be handled properly instead.
+			// TODO(e.burkov): If passed upstream have already written an error
+			// above, we rewriting the error for it.  These cases should be
+			// handled properly instead.
 			result[host] = err.Error()

 			continue
--- a/internal/dnsforward/http_test.go
+++ b/internal/dnsforward/http_test.go
@@ -184,7 +184,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		wantSet: "",
 	}, {
 		name: "upstream_dns_bad",
-		wantSet: `wrong upstreams specification: address !!!: ` +
+		wantSet: `wrong upstreams specification: bad ipport address "!!!": address !!!: ` +
 			`missing port in address`,
 	}, {
 		name: "bootstraps_bad",
@@ -235,107 +235,117 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 }

 func TestIsCommentOrEmpty(t *testing.T) {
-	assert.True(t, IsCommentOrEmpty(""))
-	assert.True(t, IsCommentOrEmpty("# comment"))
-	assert.False(t, IsCommentOrEmpty("1.2.3.4"))
+	for _, tc := range []struct {
+		want assert.BoolAssertionFunc
+		str  string
+	}{{
+		want: assert.True,
+		str:  "",
+	}, {
+		want: assert.True,
+		str:  "# comment",
+	}, {
+		want: assert.False,
+		str:  "1.2.3.4",
+	}} {
+		tc.want(t, IsCommentOrEmpty(tc.str))
+	}
 }

-// TODO(a.garipov): Rewrite to check the actual error messages.
 func TestValidateUpstream(t *testing.T) {
 	testCases := []struct {
+		wantDef  assert.BoolAssertionFunc
 		name     string
 		upstream string
-		valid    bool
-		wantDef  bool
+		wantErr  string
 	}{{
+		wantDef:  assert.True,
 		name:     "invalid",
 		upstream: "1.2.3.4.5",
-		valid:    false,
-		wantDef:  false,
+		wantErr:  `bad ipport address "1.2.3.4.5": address 1.2.3.4.5: missing port in address`,
 	}, {
+		wantDef:  assert.True,
 		name:     "invalid",
 		upstream: "123.3.7m",
-		valid:    false,
-		wantDef:  false,
+		wantErr:  `bad ipport address "123.3.7m": address 123.3.7m: missing port in address`,
 	}, {
+		wantDef:  assert.True,
 		name:     "invalid",
 		upstream: "htttps://google.com/dns-query",
-		valid:    false,
-		wantDef:  false,
+		wantErr:  `wrong protocol`,
 	}, {
+		wantDef:  assert.True,
 		name:     "invalid",
 		upstream: "[/host.com]tls://dns.adguard.com",
-		valid:    false,
-		wantDef:  false,
+		wantErr:  `bad upstream for domain "[/host.com]tls://dns.adguard.com": missing separator`,
 	}, {
+		wantDef:  assert.True,
 		name:     "invalid",
 		upstream: "[host.ru]#",
-		valid:    false,
-		wantDef:  false,
+		wantErr:  `bad ipport address "[host.ru]#": address [host.ru]#: missing port in address`,
 	}, {
+		wantDef:  assert.True,
 		name:     "valid_default",
 		upstream: "1.1.1.1",
-		valid:    true,
-		wantDef:  true,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.True,
 		name:     "valid_default",
 		upstream: "tls://1.1.1.1",
-		valid:    true,
-		wantDef:  true,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.True,
 		name:     "valid_default",
 		upstream: "https://dns.adguard.com/dns-query",
-		valid:    true,
-		wantDef:  true,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.True,
 		name:     "valid_default",
 		upstream: "sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
-		valid:    true,
-		wantDef:  true,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "valid",
 		upstream: "[/host.com/]1.1.1.1",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "valid",
 		upstream: "[//]tls://1.1.1.1",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "valid",
 		upstream: "[/www.host.com/]#",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "valid",
 		upstream: "[/host.com/google.com/]8.8.8.8",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "valid",
 		upstream: "[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "idna",
 		upstream: "[/пример.рф/]8.8.8.8",
-		valid:    true,
-		wantDef:  false,
+		wantErr:  ``,
 	}, {
+		wantDef:  assert.False,
 		name:     "bad_domain",
 		upstream: "[/!/]8.8.8.8",
-		valid:    false,
-		wantDef:  false,
+		wantErr: `bad upstream for domain "[/!/]8.8.8.8": domain at index 0: ` +
+			`bad domain name "!": bad domain name label "!": bad domain name label rune '!'`,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			defaultUpstream, err := validateUpstream(tc.upstream)
-			require.Equal(t, tc.valid, err == nil)
-			if tc.valid {
-				assert.Equal(t, tc.wantDef, defaultUpstream)
-			}
+			testutil.AssertErrorMsg(t, tc.wantErr, err)
+			tc.wantDef(t, defaultUpstream)
 		})
 	}
 }
@@ -343,22 +353,19 @@ func TestValidateUpstream(t *testing.T) {
 func TestValidateUpstreamsSet(t *testing.T) {
 	testCases := []struct {
 		name    string
-		msg     string
+		wantErr string
 		set     []string
-		wantNil bool
 	}{{
 		name:    "empty",
-		msg:     "empty upstreams array should be valid",
+		wantErr: ``,
 		set:     nil,
-		wantNil: true,
 	}, {
 		name:    "comment",
-		msg:     "comments should not be validated",
+		wantErr: ``,
 		set:     []string{"# comment"},
-		wantNil: true,
 	}, {
-		name: "valid_no_default",
-		msg:  "there is no default upstream",
+		name:    "valid_no_default",
+		wantErr: `no default upstreams specified`,
 		set: []string{
 			"[/host.com/]1.1.1.1",
 			"[//]tls://1.1.1.1",
@@ -366,10 +373,9 @@ func TestValidateUpstreamsSet(t *testing.T) {
 			"[/host.com/google.com/]8.8.8.8",
 			"[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
 		},
-		wantNil: false,
 	}, {
-		name: "valid_with_default",
-		msg:  "upstreams set is valid, but doesn't pass through validation cause: %s",
+		name:    "valid_with_default",
+		wantErr: ``,
 		set: []string{
 			"[/host.com/]1.1.1.1",
 			"[//]tls://1.1.1.1",
@@ -378,19 +384,16 @@ func TestValidateUpstreamsSet(t *testing.T) {
 			"[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
 			"8.8.8.8",
 		},
-		wantNil: true,
 	}, {
 		name:    "invalid",
-		msg:     "there is an invalid upstream in set, but it pass through validation",
+		wantErr: `cannot prepare the upstream dhcp://fake.dns ([]): unsupported URL scheme: dhcp`,
 		set:     []string{"dhcp://fake.dns"},
-		wantNil: false,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			err := ValidateUpstreams(tc.set)
-
-			assert.Equalf(t, tc.wantNil, err == nil, tc.msg, err)
+			testutil.AssertErrorMsg(t, tc.wantErr, err)
 		})
 	}
 }
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@@ -420,14 +420,8 @@ func (r Reason) Matched() bool {
 }

 // CheckHostRules tries to match the host against filtering rules only.
-func (d *DNSFilter) CheckHostRules(host string, qtype uint16, setts *Settings) (Result, error) {
-	if !setts.FilteringEnabled {
-		return Result{}, nil
-	}
-
-	host = strings.ToLower(host)
-
-	return d.matchHost(host, qtype, setts)
+func (d *DNSFilter) CheckHostRules(host string, rrtype uint16, setts *Settings) (Result, error) {
+	return d.matchHost(strings.ToLower(host), rrtype, setts)
 }

 // CheckHost tries to match the host against filtering rules, then safebrowsing
@@ -477,7 +471,7 @@ func (d *DNSFilter) matchSysHosts(
 		return res, nil
 	}

-	return d.matchSysHostsIntl(&urlfilter.DNSRequest{
+	dnsres, _ := d.EtcHosts.MatchRequest(urlfilter.DNSRequest{
 		Hostname:         host,
 		SortedClientTags: setts.ClientTags,
 		// TODO(e.burkov):  Wait for urlfilter update to pass net.IP.
@@ -485,12 +479,6 @@ func (d *DNSFilter) matchSysHosts(
 		ClientName: setts.ClientName,
 		DNSType:    qtype,
 	})
-}
-
-// matchSysHostsIntl actually matches the request.  It's separated to avoid
-// performing checks twice.
-func (d *DNSFilter) matchSysHostsIntl(req *urlfilter.DNSRequest) (res Result, err error) {
-	dnsres, _ := d.EtcHosts.MatchRequest(*req)
 	if dnsres == nil {
 		return res, nil
 	}
@@ -501,13 +489,6 @@ func (d *DNSFilter) matchSysHostsIntl(req *urlfilter.DNSRequest) (res Result, er
 	}

 	res = d.processDNSRewrites(dnsr)
-	if cn := res.CanonName; cn != "" {
-		// Probably an alias.
-		req.Hostname = cn
-
-		return d.matchSysHostsIntl(req)
-	}
-
 	res.Reason = RewrittenAutoHosts
 	for _, r := range res.Rules {
 		r.Text = stringutil.Coalesce(d.EtcHosts.Translate(r.Text), r.Text)
@@ -739,8 +720,7 @@ func hostRulesToRules(netRules []*rules.HostRule) (res []rules.Rule) {
 	return res
 }

-// matchHostProcessAllowList processes the allowlist logic of host
-// matching.
+// matchHostProcessAllowList processes the allowlist logic of host matching.
 func (d *DNSFilter) matchHostProcessAllowList(
 	host string,
 	dnsres *urlfilter.DNSResult,
@@ -811,11 +791,11 @@ func (d *DNSFilter) matchHostProcessDNSResult(
 	return Result{}
 }

-// matchHost is a low-level way to check only if hostname is filtered by rules,
+// matchHost is a low-level way to check only if host is filtered by rules,
 // skipping expensive safebrowsing and parental lookups.
 func (d *DNSFilter) matchHost(
 	host string,
-	qtype uint16,
+	rrtype uint16,
 	setts *Settings,
 ) (res Result, err error) {
 	if !setts.FilteringEnabled {
@@ -828,7 +808,7 @@ func (d *DNSFilter) matchHost(
 		// TODO(e.burkov): Wait for urlfilter update to pass net.IP.
 		ClientIP:   setts.ClientIP.String(),
 		ClientName: setts.ClientName,
-		DNSType:    qtype,
+		DNSType:    rrtype,
 	}

 	d.engineLock.RLock()
@@ -868,7 +848,7 @@ func (d *DNSFilter) matchHost(
 		return Result{}, nil
 	}

-	res = d.matchHostProcessDNSResult(qtype, dnsres)
+	res = d.matchHostProcessDNSResult(rrtype, dnsres)
 	for _, r := range res.Rules {
 		log.Debug(
 			"filtering: found rule %q for host %q, filter list id: %d",
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@@ -783,12 +783,14 @@ func (clients *clientsContainer) addFromHostsFile(hosts *netutil.IPMap) {

 	n := 0
 	hosts.Range(func(ip net.IP, v interface{}) (cont bool) {
-		names, ok := v.(*stringutil.Set)
+		hosts, ok := v.(*stringutil.Set)
 		if !ok {
 			log.Error("dns: bad type %T in ipToRC for %s", v, ip)
+
+			return true
 		}

-		names.Range(func(name string) (cont bool) {
+		hosts.Range(func(name string) (cont bool) {
 			if clients.addHostLocked(ip, name, ClientSourceHostsFile) {
 				n++
 			}
--- a/internal/home/clients_test.go
+++ b/internal/home/clients_test.go
@@ -3,10 +3,12 @@ package home
 import (
 	"net"
 	"os"
+	"runtime"
 	"testing"
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
+	"github.com/AdguardTeam/golibs/testutil"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -271,12 +273,18 @@ func TestClientsAddExisting(t *testing.T) {
 	})

 	t.Run("complicated", func(t *testing.T) {
+		// TODO(a.garipov): Properly decouple the DHCP server from the client
+		// storage.
+		if runtime.GOOS == "windows" {
+			t.Skip("skipping dhcp test on windows")
+		}
+
 		var err error

 		ip := net.IP{1, 2, 3, 4}

 		// First, init a DHCP server with a single static lease.
-		config := dhcpd.ServerConfig{
+		config := &dhcpd.ServerConfig{
 			Enabled:    true,
 			DBFilePath: "leases.db",
 			Conf4: dhcpd.V4ServerConf{
@@ -290,10 +298,9 @@ func TestClientsAddExisting(t *testing.T) {

 		clients.dhcpServer, err = dhcpd.Create(config)
 		require.NoError(t, err)
-		// TODO(e.burkov):  leases.db isn't created on Windows so removing it
-		// causes an error.  Split the test to make it run properly on different
-		// operating systems.
-		t.Cleanup(func() { _ = os.Remove("leases.db") })
+		testutil.CleanupAndRequireSuccess(t, func() (err error) {
+			return os.Remove("leases.db")
+		})

 		err = clients.dhcpServer.AddStaticLease(&dhcpd.Lease{
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -7,7 +7,7 @@ import (
 	"path/filepath"
 	"sync"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
@@ -83,7 +83,7 @@ type configuration struct {
 	WhitelistFilters []filter `yaml:"whitelist_filters"`
 	UserRules        []string `yaml:"user_rules"`

-	DHCP dhcpd.ServerConfig `yaml:"dhcp"`
+	DHCP *dhcpd.ServerConfig `yaml:"dhcp"`

 	// Clients contains the YAML representations of the persistent clients.
 	// This field is only used for reading and writing persistent client data.
@@ -123,11 +123,6 @@ type dnsConfig struct {
 	// UpstreamTimeout is the timeout for querying upstream servers.
 	UpstreamTimeout timeutil.Duration `yaml:"upstream_timeout"`

-	// LocalDomainName is the domain name used for known internal hosts.
-	// For example, a machine called "myhost" can be addressed as
-	// "myhost.lan" when LocalDomainName is "lan".
-	LocalDomainName string `yaml:"local_domain_name"`
-
 	// ResolveClients enables and disables resolving clients with RDNS.
 	ResolveClients bool `yaml:"resolve_clients"`

@@ -199,7 +194,6 @@ var config = &configuration{
 		FilteringEnabled:           true, // whether or not use filter lists
 		FiltersUpdateIntervalHours: 24,
 		UpstreamTimeout:            timeutil.Duration{Duration: dnsforward.DefaultTimeout},
-		LocalDomainName:            "lan",
 		ResolveClients:             true,
 		UsePrivateRDNS:             true,
 	},
@@ -208,6 +202,9 @@ var config = &configuration{
 		PortDNSOverTLS:  defaultPortTLS, // needs to be passed through to dnsproxy
 		PortDNSOverQUIC: defaultPortQUIC,
 	},
+	DHCP: &dhcpd.ServerConfig{
+		LocalDomainName: "lan",
+	},
 	logSettings: logSettings{
 		LogCompress:   false,
 		LogLocalTime:  false,
@@ -288,9 +285,9 @@ func parseConfig() (err error) {
 		return err
 	}

-	uv := aghalgo.UniquenessValidator{}
+	uc := aghalg.UniqChecker{}
 	addPorts(
-		uv,
+		uc,
 		config.BindPort,
 		config.BetaBindPort,
 		config.DNS.Port,
@@ -298,14 +295,14 @@ func parseConfig() (err error) {

 	if config.TLS.Enabled {
 		addPorts(
-			uv,
+			uc,
 			config.TLS.PortHTTPS,
 			config.TLS.PortDNSOverTLS,
 			config.TLS.PortDNSOverQUIC,
 			config.TLS.PortDNSCrypt,
 		)
 	}
-	if err = uv.Validate(aghalgo.IntIsBefore); err != nil {
+	if err = uc.Validate(aghalg.IntIsBefore); err != nil {
 		return fmt.Errorf("validating ports: %w", err)
 	}

@@ -321,10 +318,10 @@ func parseConfig() (err error) {
 }

 // addPorts is a helper for ports validation.  It skips zero ports.
-func addPorts(uv aghalgo.UniquenessValidator, ports ...int) {
+func addPorts(uc aghalg.UniqChecker, ports ...int) {
 	for _, p := range ports {
 		if p != 0 {
-			uv.Add(p)
+			uc.Add(p)
 		}
 	}
 }
@@ -389,8 +386,8 @@ func (c *configuration) write() error {
 	}

 	if Context.dhcpServer != nil {
-		c := dhcpd.ServerConfig{}
-		Context.dhcpServer.WriteDiskConfig(&c)
+		c := &dhcpd.ServerConfig{}
+		Context.dhcpServer.WriteDiskConfig(c)
 		config.DHCP = c
 	}

--- a/internal/home/controlinstall.go
+++ b/internal/home/controlinstall.go
@@ -14,9 +14,10 @@ import (
 	"strings"
 	"time"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 )
@@ -24,13 +25,23 @@ import (
 // getAddrsResponse is the response for /install/get_addresses endpoint.
 type getAddrsResponse struct {
 	Interfaces map[string]*aghnet.NetInterface `json:"interfaces"`
-	WebPort    int                             `json:"web_port"`
-	DNSPort    int                             `json:"dns_port"`
+
+	// Version is the version of AdGuard Home.
+	//
+	// TODO(a.garipov): In the new API, rename this endpoint to something more
+	// general, since there will be more information here than just network
+	// interfaces.
+	Version string `json:"version"`
+
+	WebPort int `json:"web_port"`
+	DNSPort int `json:"dns_port"`
 }

 // handleInstallGetAddresses is the handler for /install/get_addresses endpoint.
 func (web *Web) handleInstallGetAddresses(w http.ResponseWriter, r *http.Request) {
 	data := getAddrsResponse{
+		Version: version.Version(),
+
 		WebPort: defaultPortHTTP,
 		DNSPort: defaultPortDNS,
 	}
@@ -62,19 +73,19 @@ func (web *Web) handleInstallGetAddresses(w http.ResponseWriter, r *http.Request
 	}
 }

-type checkConfigReqEnt struct {
+type checkConfReqEnt struct {
 	IP      net.IP `json:"ip"`
 	Port    int    `json:"port"`
 	Autofix bool   `json:"autofix"`
 }

-type checkConfigReq struct {
-	Web         checkConfigReqEnt `json:"web"`
-	DNS         checkConfigReqEnt `json:"dns"`
-	SetStaticIP bool              `json:"set_static_ip"`
+type checkConfReq struct {
+	Web         checkConfReqEnt `json:"web"`
+	DNS         checkConfReqEnt `json:"dns"`
+	SetStaticIP bool            `json:"set_static_ip"`
 }

-type checkConfigRespEnt struct {
+type checkConfRespEnt struct {
 	Status     string `json:"status"`
 	CanAutofix bool   `json:"can_autofix"`
 }
@@ -85,79 +96,110 @@ type staticIPJSON struct {
 	Error  string `json:"error"`
 }

-type checkConfigResp struct {
-	StaticIP staticIPJSON       `json:"static_ip"`
-	Web      checkConfigRespEnt `json:"web"`
-	DNS      checkConfigRespEnt `json:"dns"`
+type checkConfResp struct {
+	StaticIP staticIPJSON     `json:"static_ip"`
+	Web      checkConfRespEnt `json:"web"`
+	DNS      checkConfRespEnt `json:"dns"`
 }

-// Check if ports are available, respond with results
-func (web *Web) handleInstallCheckConfig(w http.ResponseWriter, r *http.Request) {
-	reqData := checkConfigReq{}
-	respData := checkConfigResp{}
+// validateWeb returns error is the web part if the initial configuration can't
+// be set.
+func (req *checkConfReq) validateWeb(uc aghalg.UniqChecker) (err error) {
+	defer func() { err = errors.Annotate(err, "validating ports: %w") }()

-	err := json.NewDecoder(r.Body).Decode(&reqData)
+	port := req.Web.Port
+	addPorts(uc, config.BetaBindPort, port)
+	if err = uc.Validate(aghalg.IntIsBefore); err != nil {
+		// Avoid duplicating the error into the status of DNS.
+		uc[port] = 1
+
+		return err
+	}
+
+	switch port {
+	case 0, config.BindPort:
+		return nil
+	default:
+		// Go on and check the port binding only if it's not zero or won't be
+		// unbound after install.
+	}
+
+	return aghnet.CheckPort("tcp", req.Web.IP, port)
+}
+
+// validateDNS returns error if the DNS part of the initial configuration can't
+// be set.  canAutofix is true if the port can be unbound by AdGuard Home
+// automatically.
+func (req *checkConfReq) validateDNS(uc aghalg.UniqChecker) (canAutofix bool, err error) {
+	defer func() { err = errors.Annotate(err, "validating ports: %w") }()
+
+	port := req.DNS.Port
+	addPorts(uc, port)
+	if err = uc.Validate(aghalg.IntIsBefore); err != nil {
+		return false, err
+	}
+
+	switch port {
+	case 0:
+		return false, nil
+	case config.BindPort:
+		// Go on and only check the UDP port since the TCP one is already bound
+		// by AdGuard Home for web interface.
+	default:
+		// Check TCP as well.
+		err = aghnet.CheckPort("tcp", req.DNS.IP, port)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	err = aghnet.CheckPort("udp", req.DNS.IP, port)
+	if !aghnet.IsAddrInUse(err) {
+		return false, err
+	}
+
+	// Try to fix automatically.
+	canAutofix = checkDNSStubListener()
+	if canAutofix && req.DNS.Autofix {
+		if derr := disableDNSStubListener(); derr != nil {
+			log.Error("disabling DNSStubListener: %s", err)
+		}
+
+		err = aghnet.CheckPort("udp", req.DNS.IP, port)
+		canAutofix = false
+	}
+
+	return canAutofix, err
+}
+
+// handleInstallCheckConfig handles the /check_config endpoint.
+func (web *Web) handleInstallCheckConfig(w http.ResponseWriter, r *http.Request) {
+	req := &checkConfReq{}
+
+	err := json.NewDecoder(r.Body).Decode(req)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to parse 'check_config' JSON data: %s", err)
+		aghhttp.Error(r, w, http.StatusBadRequest, "decoding the request: %s", err)

 		return
 	}

-	uv := aghalgo.UniquenessValidator{}
-	addPorts(
-		uv,
-		config.BindPort,
-		config.BetaBindPort,
-		reqData.Web.Port,
-	)
-	if err = uv.Validate(aghalgo.IntIsBefore); err != nil {
-		err = fmt.Errorf("validating ports: %w", err)
-		respData.Web.Status = err.Error()
-	} else if reqData.Web.Port != 0 {
-		err = aghnet.CheckPort("tcp", reqData.Web.IP, reqData.Web.Port)
-		if err != nil {
-			respData.Web.Status = err.Error()
-		}
+	resp := &checkConfResp{}
+	uc := aghalg.UniqChecker{}
+
+	if err = req.validateWeb(uc); err != nil {
+		resp.Web.Status = err.Error()
 	}

-	addPorts(uv, reqData.DNS.Port)
-	if err = uv.Validate(aghalgo.IntIsBefore); err != nil {
-		err = fmt.Errorf("validating ports: %w", err)
-		respData.DNS.Status = err.Error()
-	} else if reqData.DNS.Port != 0 {
-		err = aghnet.CheckPort("udp", reqData.DNS.IP, reqData.DNS.Port)
-
-		if aghnet.IsAddrInUse(err) {
-			canAutofix := checkDNSStubListener()
-			if canAutofix && reqData.DNS.Autofix {
-
-				err = disableDNSStubListener()
-				if err != nil {
-					log.Error("Couldn't disable DNSStubListener: %s", err)
-				}
-
-				err = aghnet.CheckPort("udp", reqData.DNS.IP, reqData.DNS.Port)
-				canAutofix = false
-			}
-
-			respData.DNS.CanAutofix = canAutofix
-		}
-
-		if err == nil {
-			err = aghnet.CheckPort("tcp", reqData.DNS.IP, reqData.DNS.Port)
-		}
-
-		if err != nil {
-			respData.DNS.Status = err.Error()
-		} else if !reqData.DNS.IP.IsUnspecified() {
-			respData.StaticIP = handleStaticIP(reqData.DNS.IP, reqData.SetStaticIP)
-		}
+	if resp.DNS.CanAutofix, err = req.validateDNS(uc); err != nil {
+		resp.DNS.Status = err.Error()
+	} else if !req.DNS.IP.IsUnspecified() {
+		resp.StaticIP = handleStaticIP(req.DNS.IP, req.SetStaticIP)
 	}

 	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(respData)
+	err = json.NewEncoder(w).Encode(resp)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "Unable to marshal JSON: %s", err)
+		aghhttp.Error(r, w, http.StatusInternalServerError, "encoding the response: %s", err)

 		return
 	}
@@ -279,10 +321,11 @@ type applyConfigReqEnt struct {
 }

 type applyConfigReq struct {
-	Web      applyConfigReqEnt `json:"web"`
-	DNS      applyConfigReqEnt `json:"dns"`
-	Username string            `json:"username"`
-	Password string            `json:"password"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+
+	Web applyConfigReqEnt `json:"web"`
+	DNS applyConfigReqEnt `json:"dns"`
 }

 // copyInstallSettings copies the installation parameters between two
@@ -482,13 +525,13 @@ func (web *Web) handleInstallCheckConfigBeta(w http.ResponseWriter, r *http.Requ
 		return
 	}

-	nonBetaReqData := checkConfigReq{
-		Web: checkConfigReqEnt{
+	nonBetaReqData := checkConfReq{
+		Web: checkConfReqEnt{
 			IP:      reqData.Web.IP[0],
 			Port:    reqData.Web.Port,
 			Autofix: reqData.Web.Autofix,
 		},
-		DNS: checkConfigReqEnt{
+		DNS: checkConfReqEnt{
 			IP:      reqData.DNS.IP[0],
 			Port:    reqData.DNS.Port,
 			Autofix: reqData.DNS.Autofix,
@@ -533,10 +576,11 @@ type applyConfigReqEntBeta struct {
 // TODO(e.burkov): This should removed with the API v1 when the appropriate
 // functionality will appear in default applyConfigReq.
 type applyConfigReqBeta struct {
-	Web      applyConfigReqEntBeta `json:"web"`
-	DNS      applyConfigReqEntBeta `json:"dns"`
-	Username string                `json:"username"`
-	Password string                `json:"password"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+
+	Web applyConfigReqEntBeta `json:"web"`
+	DNS applyConfigReqEntBeta `json:"dns"`
 }

 // handleInstallConfigureBeta is a substitution of /install/configure handler
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -54,7 +54,7 @@ func initDNSServer() (err error) {
 	}
 	Context.stats, err = stats.New(statsConf)
 	if err != nil {
-		return fmt.Errorf("couldn't initialize statistics module")
+		return fmt.Errorf("init stats: %w", err)
 	}

 	conf := querylog.Config{
@@ -83,7 +83,7 @@ func initDNSServer() (err error) {
 		QueryLog:       Context.queryLog,
 		SubnetDetector: Context.subnetDetector,
 		Anonymizer:     anonymizer,
-		LocalDomain:    config.DNS.LocalDomainName,
+		LocalDomain:    config.DHCP.LocalDomainName,
 	}
 	if Context.dhcpServer != nil {
 		p.DHCPServer = Context.dhcpServer
@@ -211,7 +211,6 @@ func generateServerConfig() (newConf dnsforward.ServerConfig, err error) {
 	}

 	newConf.TLSv12Roots = Context.tlsRoots
-	newConf.TLSCiphers = Context.tlsCiphers
 	newConf.TLSAllowUnencryptedDoH = tlsConf.AllowUnencryptedDoH

 	newConf.FilterHandler = applyAdditionalFiltering
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -19,9 +19,10 @@ import (
 	"syscall"
 	"time"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
@@ -80,7 +81,6 @@ type homeContext struct {
 	disableUpdate    bool   // If set, don't check for updates
 	controlLock      sync.Mutex
 	tlsRoots         *x509.CertPool // list of root CAs for TLSv1.2
-	tlsCiphers       []uint16       // list of TLS ciphers to use
 	transport        *http.Transport
 	client           *http.Client
 	appSignalChannel chan os.Signal // Channel for receiving OS signals by the console app
@@ -145,13 +145,13 @@ func setupContext(args options) {
 	initConfig()

 	Context.tlsRoots = LoadSystemRootCAs()
-	Context.tlsCiphers = InitTLSCiphers()
 	Context.transport = &http.Transport{
 		DialContext: customDialContext,
 		Proxy:       getHTTPProxy,
 		TLSClientConfig: &tls.Config{
-			RootCAs:    Context.tlsRoots,
-			MinVersion: tls.VersionTLS12,
+			RootCAs:      Context.tlsRoots,
+			CipherSuites: aghtls.SaferCipherSuites(),
+			MinVersion:   tls.VersionTLS12,
 		},
 	}
 	Context.client = &http.Client{
@@ -182,7 +182,7 @@ func setupContext(args options) {

 // logIfUnsupported logs a formatted warning if the error is one of the
 // unsupported errors and returns nil.  If err is nil, logIfUnsupported returns
-// nil.  Otherise, it returns err.
+// nil.  Otherwise, it returns err.
 func logIfUnsupported(msg string, err error) (outErr error) {
 	if errors.As(err, new(*aghos.UnsupportedError)) {
 		log.Debug(msg, err)
@@ -296,23 +296,23 @@ func setupConfig(args options) (err error) {
 	Context.clients.Init(config.Clients, Context.dhcpServer, Context.etcHosts)

 	if args.bindPort != 0 {
-		uv := aghalgo.UniquenessValidator{}
+		uc := aghalg.UniqChecker{}
 		addPorts(
-			uv,
+			uc,
 			args.bindPort,
 			config.BetaBindPort,
 			config.DNS.Port,
 		)
 		if config.TLS.Enabled {
 			addPorts(
-				uv,
+				uc,
 				config.TLS.PortHTTPS,
 				config.TLS.PortDNSOverTLS,
 				config.TLS.PortDNSOverQUIC,
 				config.TLS.PortDNSCrypt,
 			)
 		}
-		if err = uv.Validate(aghalgo.IntIsBefore); err != nil {
+		if err = uc.Validate(aghalg.IntIsBefore); err != nil {
 			return fmt.Errorf("validating ports: %w", err)
 		}

@@ -393,9 +393,9 @@ func run(args options, clientBuildFS fs.FS) {
 	// Go memory hacks
 	memoryUsage(args)

-	// print the first message after logger is configured
+	// Print the first message after logger is configured.
 	log.Println(version.Full())
-	log.Debug("Current working directory is %s", Context.workDir)
+	log.Debug("current working directory is %s", Context.workDir)
 	if args.runningAsService {
 		log.Info("AdGuard Home is running as a service")
 	}
@@ -631,13 +631,13 @@ func configureLogger(args options) {
 		log.SetLevel(log.DEBUG)
 	}

-	// Make sure that we see the microseconds in logs, as networking stuff
-	// can happen pretty quickly.
+	// Make sure that we see the microseconds in logs, as networking stuff can
+	// happen pretty quickly.
 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)

 	if args.runningAsService && ls.LogFile == "" && runtime.GOOS == "windows" {
-		// When running as a Windows service, use eventlog by default if nothing else is configured
-		// Otherwise, we'll simply loose the log output
+		// When running as a Windows service, use eventlog by default if nothing
+		// else is configured.  Otherwise, we'll simply lose the log output.
 		ls.LogFile = configSyslog
 	}

--- a/internal/home/rdns_test.go
+++ b/internal/home/rdns_test.go
@@ -167,7 +167,7 @@ func TestRDNS_WorkerLoop(t *testing.T) {
 	w := &bytes.Buffer{}
 	aghtest.ReplaceLogWriter(t, w)

-	locUpstream := &aghtest.TestUpstream{
+	locUpstream := &aghtest.Upstream{
 		Reverse: map[string][]string{
 			"192.168.1.1":            {"local.domain"},
 			"2a00:1450:400c:c06::93": {"ipv6.domain"},
--- a/internal/home/service.go
+++ b/internal/home/service.go
@@ -82,6 +82,12 @@ func svcStatus(s service.Service) (status service.Status, err error) {
 // On OpenWrt, the service utility may not exist.  We use our service script
 // directly in this case.
 func svcAction(s service.Service, action string) (err error) {
+	if runtime.GOOS == "darwin" &&
+		action == "start" &&
+		!strings.HasPrefix(Context.workDir, "/Applications/") {
+		log.Info("warning: service must be started from within the /Applications directory")
+	}
+
 	err = service.Control(s, action)
 	if err != nil && service.Platform() == "unix-systemv" &&
 		(action == "start" || action == "stop" || action == "restart") {
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -20,13 +20,12 @@ import (
 	"sync"
 	"time"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/google/go-cmp/cmp"
-	"golang.org/x/sys/cpu"
 )

 var tlsWebHandlersRegistered = false
@@ -251,9 +250,9 @@ func (t *TLSMod) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 	}

 	if setts.Enabled {
-		uv := aghalgo.UniquenessValidator{}
+		uc := aghalg.UniqChecker{}
 		addPorts(
-			uv,
+			uc,
 			config.BindPort,
 			config.BetaBindPort,
 			config.DNS.Port,
@@ -263,7 +262,7 @@ func (t *TLSMod) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
 			setts.PortDNSCrypt,
 		)

-		err = uv.Validate(aghalgo.IntIsBefore)
+		err = uc.Validate(aghalg.IntIsBefore)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "validating ports: %s", err)

@@ -344,9 +343,9 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 	}

 	if data.Enabled {
-		uv := aghalgo.UniquenessValidator{}
+		uc := aghalg.UniqChecker{}
 		addPorts(
-			uv,
+			uc,
 			config.BindPort,
 			config.BetaBindPort,
 			config.DNS.Port,
@@ -356,7 +355,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
 			data.PortDNSCrypt,
 		)

-		err = uv.Validate(aghalgo.IntIsBefore)
+		err = uc.Validate(aghalg.IntIsBefore)
 		if err != nil {
 			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)

@@ -731,52 +730,3 @@ func LoadSystemRootCAs() (roots *x509.CertPool) {

 	return nil
 }
-
-// InitTLSCiphers performs the same work as initDefaultCipherSuites() from
-// crypto/tls/common.go but don't uses lots of other default ciphers.
-func InitTLSCiphers() (ciphers []uint16) {
-	// Check the cpu flags for each platform that has optimized GCM
-	// implementations.  The worst case is when all these variables are
-	// false.
-	var (
-		hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
-		hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-		// Keep in sync with crypto/aes/cipher_s390x.go.
-		hasGCMAsmS390X = cpu.S390X.HasAES &&
-			cpu.S390X.HasAESCBC &&
-			cpu.S390X.HasAESCTR &&
-			(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
-		hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
-	)
-
-	if hasGCMAsm {
-		// If AES-GCM hardware is provided then prioritize AES-GCM
-		// cipher suites.
-		ciphers = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		}
-	} else {
-		// Without AES-GCM hardware, we put the ChaCha20-Poly1305 cipher
-		// suites first.
-		ciphers = []uint16{
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		}
-	}
-
-	return append(
-		ciphers,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	)
-}
--- a/internal/home/upgrade.go
+++ b/internal/home/upgrade.go
@@ -21,7 +21,7 @@ import (
 )

 // currentSchemaVersion is the current schema version.
-const currentSchemaVersion = 12
+const currentSchemaVersion = 13

 // These aliases are provided for convenience.
 type (
@@ -85,6 +85,7 @@ func upgradeConfigSchema(oldVersion int, diskConf yobj) (err error) {
 		upgradeSchema9to10,
 		upgradeSchema10to11,
 		upgradeSchema11to12,
+		upgradeSchema12to13,
 	}

 	n := 0
@@ -690,6 +691,52 @@ func upgradeSchema11to12(diskConf yobj) (err error) {
 	return nil
 }

+// upgradeSchema12to13 performs the following changes:
+//
+//   # BEFORE:
+//   'dns':
+//     # …
+//     'local_domain_name': 'lan'
+//
+//   # AFTER:
+//   'dhcp':
+//     # …
+//     'local_domain_name': 'lan'
+//
+func upgradeSchema12to13(diskConf yobj) (err error) {
+	log.Printf("Upgrade yaml: 12 to 13")
+	diskConf["schema_version"] = 13
+
+	dnsVal, ok := diskConf["dns"]
+	if !ok {
+		return nil
+	}
+
+	var dns yobj
+	dns, ok = dnsVal.(yobj)
+	if !ok {
+		return fmt.Errorf("unexpected type of dns: %T", dnsVal)
+	}
+
+	dhcpVal, ok := diskConf["dhcp"]
+	if !ok {
+		return nil
+	}
+
+	var dhcp yobj
+	dhcp, ok = dhcpVal.(yobj)
+	if !ok {
+		return fmt.Errorf("unexpected type of dhcp: %T", dnsVal)
+	}
+
+	const field = "local_domain_name"
+
+	dhcp[field] = dns[field]
+	delete(dns, field)
+
+	return nil
+}
+
 // TODO(a.garipov): Replace with log.Output when we port it to our logging
 // package.
 func funcName() string {
--- a/internal/home/upgrade_test.go
+++ b/internal/home/upgrade_test.go
@@ -55,7 +55,7 @@ func TestUpgradeSchema2to3(t *testing.T) {
 		require.Len(t, v, 1)
 		require.Equal(t, "8.8.8.8:53", v[0])
 	default:
-		t.Fatalf("wrong type for bootsrap dns: %T", v)
+		t.Fatalf("wrong type for bootstrap dns: %T", v)
 	}

 	excludedEntries := []string{"bootstrap_dns"}
@@ -511,3 +511,48 @@ func TestUpgradeSchema11to12(t *testing.T) {
 		assert.Equal(t, 90*24*time.Hour, ivlVal.Duration)
 	})
 }
+
+func TestUpgradeSchema12to13(t *testing.T) {
+	t.Run("no_dns", func(t *testing.T) {
+		conf := yobj{}
+
+		err := upgradeSchema12to13(conf)
+		require.NoError(t, err)
+
+		assert.Equal(t, conf["schema_version"], 13)
+	})
+
+	t.Run("no_dhcp", func(t *testing.T) {
+		conf := yobj{
+			"dns": yobj{},
+		}
+
+		err := upgradeSchema12to13(conf)
+		require.NoError(t, err)
+
+		assert.Equal(t, conf["schema_version"], 13)
+	})
+
+	t.Run("good", func(t *testing.T) {
+		conf := yobj{
+			"dns": yobj{
+				"local_domain_name": "lan",
+			},
+			"dhcp":           yobj{},
+			"schema_version": 12,
+		}
+
+		wantConf := yobj{
+			"dns": yobj{},
+			"dhcp": yobj{
+				"local_domain_name": "lan",
+			},
+			"schema_version": 13,
+		}
+
+		err := upgradeSchema12to13(conf)
+		require.NoError(t, err)
+
+		assert.Equal(t, wantConf, conf)
+	})
+}
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -10,6 +10,7 @@ import (
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -34,14 +35,13 @@ const (
 )

 type webConfig struct {
+	clientFS     fs.FS
+	clientBetaFS fs.FS
+
 	BindHost     net.IP
 	BindPort     int
 	BetaBindPort int
 	PortHTTPS    int
-	firstRun     bool
-
-	clientFS     fs.FS
-	clientBetaFS fs.FS

 	// ReadTimeout is an option to pass to http.Server for setting an
 	// appropriate field.
@@ -54,6 +54,8 @@ type webConfig struct {
 	// WriteTimeout is an option to pass to http.Server for setting an
 	// appropriate field.
 	WriteTimeout time.Duration
+
+	firstRun bool
 }

 // HTTPSServer - HTTPS Server
@@ -263,9 +265,9 @@ func (web *Web) tlsServerLoop() {
 			Addr:     address,
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
-				MinVersion:   tls.VersionTLS12,
 				RootCAs:      Context.tlsRoots,
-				CipherSuites: Context.tlsCiphers,
+				CipherSuites: aghtls.SaferCipherSuites(),
+				MinVersion:   tls.VersionTLS12,
 			},
 			Handler:           withMiddlewares(Context.mux, limitRequestBody),
 			ReadTimeout:       web.conf.ReadTimeout,
--- a/internal/querylog/qlog_test.go
+++ b/internal/querylog/qlog_test.go
@@ -306,7 +306,7 @@ func assertLogEntry(t *testing.T, entry *logEntry, host string, answer, client n
 	require.NoError(t, msg.Unpack(entry.Answer))
 	require.Len(t, msg.Answer, 1)

-	ip := proxyutil.GetIPFromDNSRecord(msg.Answer[0]).To16()
+	ip := proxyutil.IPFromRR(msg.Answer[0]).To16()
 	assert.Equal(t, answer, ip)
 }

--- a/internal/stats/unit.go
+++ b/internal/stats/unit.go
@@ -67,7 +67,29 @@ type unitDB struct {
 	TimeAvg uint32 // usec
 }

+// withRecovered turns the value recovered from panic if any into an error and
+// combines it with the one pointed by orig.  orig must be non-nil.
+func withRecovered(orig *error) {
+	p := recover()
+	if p == nil {
+		return
+	}
+
+	var err error
+	switch p := p.(type) {
+	case error:
+		err = fmt.Errorf("panic: %w", p)
+	default:
+		err = fmt.Errorf("panic: recovered value of type %[1]T: %[1]v", p)
+	}
+
+	*orig = errors.WithDeferred(*orig, err)
+}
+
+// createObject creates s from conf and properly initializes it.
 func createObject(conf Config) (s *statsCtx, err error) {
+	defer withRecovered(&err)
+
 	s = &statsCtx{
 		mu: &sync.Mutex{},
 	}
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -1,21 +1,32 @@
 module github.com/AdguardTeam/AdGuardHome/internal/tools

-go 1.16
+go 1.17

 require (
-	github.com/fzipp/gocyclo v0.3.1
+	github.com/fzipp/gocyclo v0.4.0
 	github.com/golangci/misspell v0.3.5
-	github.com/google/go-cmp v0.5.5 // indirect
-	github.com/gookit/color v1.4.2 // indirect
-	github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254
+	github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8
 	github.com/kisielk/errcheck v1.6.0
 	github.com/kyoh86/looppointer v0.1.7
-	github.com/kyoh86/nolint v0.0.1 // indirect
-	github.com/securego/gosec/v2 v2.7.0
+	github.com/securego/gosec/v2 v2.9.5
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
-	golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 // indirect
-	golang.org/x/tools v0.1.1
-	honnef.co/go/tools v0.1.4
-	mvdan.cc/gofumpt v0.1.1
-	mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7
+	golang.org/x/tools v0.1.8
+	honnef.co/go/tools v0.2.2
+	mvdan.cc/gofumpt v0.2.1
+	mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5
+)
+
+require (
+	github.com/BurntSushi/toml v0.4.1 // indirect
+	github.com/client9/misspell v0.3.4 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gookit/color v1.5.0 // indirect
+	github.com/kyoh86/nolint v0.0.1 // indirect
+	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
+	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
+	golang.org/x/mod v0.5.1 // indirect
+	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -33,8 +33,9 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
+github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
@@ -76,6 +77,7 @@ github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwc
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -90,12 +92,14 @@ github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
+github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
-github.com/fzipp/gocyclo v0.3.1 h1:A9UeX3HJSXTBzvHzhqoYVuE0eAhe+aM8XBCCwsPMZOc=
-github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
+github.com/fzipp/gocyclo v0.4.0 h1:IykTnjwh2YLyYkGa0y92iTTEQcnyAz0r9zOo15EbJ7k=
+github.com/fzipp/gocyclo v0.4.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -107,6 +111,7 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
@@ -137,6 +142,8 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golangci/misspell v0.3.5 h1:pLzmVdl3VxTOncgzHcvLOKirdvcx/TydsClUQXTehjo=
 github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -149,9 +156,9 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -166,14 +173,15 @@ github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEi
 github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gookit/color v1.3.8/go.mod h1:R3ogXq2B9rTbXoSHJ1HyUVAZ3poOJHpd9nQmyGZsfvQ=
-github.com/gookit/color v1.4.2 h1:tXy44JFSFkKnELV6WaMo/lLfu/meqITX3iAV52do7lk=
-github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ=
+github.com/gookit/color v1.5.0 h1:1Opow3+BWDwqor78DcJkJCIwnkviFi+rrOANki9BUFw=
+github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
-github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254 h1:Nb2aRlC404yz7gQIfRZxX9/MLvQiqXyiBTJtgAy6yrI=
-github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw=
+github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8 h1:PVRE9d4AQKmbelZ7emNig1+NT27DUmKZn5qXxfio54U=
+github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it82ghYcEXIAk+QT0=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
@@ -217,11 +225,13 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/kyoh86/looppointer v0.1.7 h1:q5sZOhFvmvQ6ZoZxvPB/Mjj2croWX7L49BBuI4XQWCM=
 github.com/kyoh86/looppointer v0.1.7/go.mod h1:l0cRF49N6xDPx8IuBGC/imZo8Yn1BBLJY0vzI+4fepc=
@@ -231,6 +241,7 @@ github.com/kyoh86/nolint v0.0.1/go.mod h1:1ZiZZ7qqrZ9dZegU96phwVcdQOMKIqRzFJL3ew
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -257,7 +268,7 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8=
-github.com/mozilla/tls-observatory v0.0.0-20210209181001-cf43108d6880/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s=
+github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo=
 github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc=
@@ -273,15 +284,18 @@ github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2f
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.15.0 h1:1V1NfVQR87RtWAgp1lv9JZJ5Jap+XFGKPi00andXGi4=
-github.com/onsi/ginkgo v1.15.0/go.mod h1:hF8qUzuuC8DJGygJH3726JnCZX4MYbRB8yFfISqnKUg=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.10.5 h1:7n6FEkpFmfCoo2t+YYqXH0evK+a9ICQz0xcAy9dYcaQ=
-github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48=
+github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
+github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -305,13 +319,14 @@ github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.2 h1:aIihoIOHCiLZHxyoNQ+ABL4NKhFTgKLBdMLyEAh98m0=
-github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
+github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/securego/gosec/v2 v2.7.0 h1:mOhJv5w6UyNLpSssQOQCc7eGkKLuicAxvf66Ey/X4xk=
-github.com/securego/gosec/v2 v2.7.0/go.mod h1:xNbGArrGUspJLuz3LS5XCY1EBW/0vABAl/LWfSklmiM=
+github.com/securego/gosec/v2 v2.9.5 h1:Wiyf78NNedu8RClwW0vPRgPKCY7LJX4WujjJcPV2Nwg=
+github.com/securego/gosec/v2 v2.9.5/go.mod h1:lG831xFHrZofatyJb9Y5yMUE8Ws6z5U5CMHe9vYn1kM=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -334,8 +349,10 @@ github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -356,6 +373,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k=
@@ -383,7 +401,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -417,10 +435,9 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
+golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -456,10 +473,11 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -522,11 +540,14 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211213223007-03aa0b5f6827/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -534,8 +555,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -591,11 +613,10 @@ golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200710042808-f1c4188a97a1/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1 h1:wGiQel/hW0NnEkJUk8lbzkX2gFJU6PFxf1v5OlCfuOs=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
+golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -679,6 +700,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -714,12 +737,12 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.1.4 h1:SadWOkti5uVN1FAMgxn165+Mw00fuQKyk4Gyn/inxNQ=
-honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-mvdan.cc/gofumpt v0.1.1 h1:bi/1aS/5W00E2ny5q65w9SnKpWEF/UIOqDYBILpo9rA=
-mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
-mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7 h1:HT3e4Krq+IE44tiN36RvVEb6tvqeIdtsVSsxmNPqlFU=
-mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE=
+honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
+honnef.co/go/tools v0.2.2/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+mvdan.cc/gofumpt v0.2.1 h1:7jakRGkQcLAJdT+C8Bwc9d0BANkVPSkHZkzNv07pJAs=
+mvdan.cc/gofumpt v0.2.1/go.mod h1:a/rvZPhsNaedOJBzqRD9omnwVwHZsBdJirXHa9Gh9Ig=
+mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=
+mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5/go.mod h1:b8RRCBm0eeiWR8cfN88xeq2G5SG3VKGO+5UPWi5FSOY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/internal/version/version.go
+++ b/internal/version/version.go
@@ -7,6 +7,7 @@ import (
 	"runtime/debug"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/AdguardTeam/golibs/stringutil"
 )
@@ -26,11 +27,11 @@ const (
 // TODO(a.garipov): Find out if we can get GOARM and GOMIPS values the same way
 // we can GOARCH and GOOS.
 var (
-	channel   string = ChannelDevelopment
-	goarm     string
-	gomips    string
-	version   string
-	buildtime string
+	channel    string = ChannelDevelopment
+	goarm      string
+	gomips     string
+	version    string
+	committime string
 )

 // Channel returns the current AdGuard Home release channel.
@@ -62,18 +63,10 @@ func Version() (v string) {
 	return version
 }

-// Common formatting constants.
-const (
-	sp   = " "
-	nl   = "\n"
-	tb   = "\t"
-	nltb = nl + tb
-)
-
 // Constants defining the format of module information string.
 const (
 	modInfoAtSep    = "@"
-	modInfoDevSep   = sp
+	modInfoDevSep   = " "
 	modInfoSumLeft  = " (sum: "
 	modInfoSumRight = ")"
 )
@@ -114,7 +107,7 @@ const (
 	vFmtVerHdr    = "Version: "
 	vFmtChanHdr   = "Channel: "
 	vFmtGoHdr     = "Go version: "
-	vFmtTimeHdr   = "Build time: "
+	vFmtTimeHdr   = "Commit time: "
 	vFmtRaceHdr   = "Race: "
 	vFmtGOOSHdr   = "GOOS: " + runtime.GOOS
 	vFmtGOARCHHdr = "GOARCH: " + runtime.GOARCH
@@ -142,6 +135,7 @@ const (
 func Verbose() (v string) {
 	b := &strings.Builder{}

+	const nl = "\n"
 	stringutil.WriteToBuilder(
 		b,
 		vFmtAGHHdr,
@@ -155,15 +149,23 @@ func Verbose() (v string) {
 		vFmtGoHdr,
 		runtime.Version(),
 	)
-	if buildtime != "" {
-		stringutil.WriteToBuilder(b, nl, vFmtTimeHdr, buildtime)
+
+	if committime != "" {
+		commitTimeUnix, err := strconv.ParseInt(committime, 10, 64)
+		if err != nil {
+			stringutil.WriteToBuilder(b, nl, vFmtTimeHdr, fmt.Sprintf("parse error: %s", err))
+		} else {
+			stringutil.WriteToBuilder(b, nl, vFmtTimeHdr, time.Unix(commitTimeUnix, 0).String())
+		}
 	}
+
 	stringutil.WriteToBuilder(b, nl, vFmtGOOSHdr, nl, vFmtGOARCHHdr)
 	if goarm != "" {
 		stringutil.WriteToBuilder(b, nl, vFmtGOARMHdr, "v", goarm)
 	} else if gomips != "" {
 		stringutil.WriteToBuilder(b, nl, vFmtGOMIPSHdr, gomips)
 	}
+
 	stringutil.WriteToBuilder(b, nl, vFmtRaceHdr, strconv.FormatBool(isRace))

 	info, ok := debug.ReadBuildInfo()
@@ -178,7 +180,7 @@ func Verbose() (v string) {
 	stringutil.WriteToBuilder(b, nl, vFmtDepsHdr)
 	for _, dep := range info.Deps {
 		if depStr := fmtModule(dep); depStr != "" {
-			stringutil.WriteToBuilder(b, nltb, depStr)
+			stringutil.WriteToBuilder(b, "\n\t", depStr)
 		}
 	}

--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@@ -2,9 +2,16 @@

 <!-- TODO(a.garipov): Reformat in accordance with the KeepAChangelog spec. -->

-## v0.107: API changes
+## v0.107.3: API changes

-## The new field `"cached"` in `QueryLogItem`
+### The new field `"version"` in `AddressesInfo`
+
+* The new field `"version"` in `GET /install/get_addresses` is the version of
+  the AdGuard Home instance.
+
+## v0.107.0: API changes
+
+### The new field `"cached"` in `QueryLogItem`

 * The new field `"cached"` in `GET /control/querylog` is true if the response is
  served from cache instead of being resolved by an upstream server.
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@@ -123,7 +123,9 @@
                    '8.8.8.8': 'OK'
                    '8.8.4.4': 'OK'
                    '192.168.1.104:53535': >
-                      Couldn't communicate with DNS server
+                      upstream "192.168.1.104:1234" fails to exchange: couldn't
+                      communicate with upstream: read udp
+                      192.168.1.100:60675->8.8.8.8:1234: i/o timeout
  '/version.json':
    'post':
      'tags':
@@ -1262,7 +1264,7 @@
          'type': 'boolean'
        'version':
          'type': 'string'
-          'example': '0.1'
+          'example': 'v0.123.4'
        'language':
          'type': 'string'
          'example': 'en'
@@ -2219,19 +2221,23 @@
      'description': 'AdGuard Home addresses configuration'
      'required':
      - 'dns_port'
-      - 'web_port'
      - 'interfaces'
+      - 'version'
+      - 'web_port'
      'properties':
        'dns_port':
          'type': 'integer'
          'format': 'uint16'
          'example': 53
+        'interfaces':
+          '$ref': '#/components/schemas/NetInterfaces'
+        'version':
+          'type': 'string'
+          'example': 'v0.123.4'
        'web_port':
          'type': 'integer'
          'format': 'uint16'
          'example': 80
-        'interfaces':
-          '$ref': '#/components/schemas/NetInterfaces'
    'AddressesInfoBeta':
      'type': 'object'
      'description': 'AdGuard Home addresses configuration'
--- a/scripts/README.md
+++ b/scripts/README.md
@@ -90,14 +90,15 @@ Required environment:
 ###  `go-build.sh`: Build The Backend

 Optional environment:
- *  `BUILD_TIME`: If set, overrides the build time information.  Useful for
-    reproducible builds.
 *  `GOARM`: ARM processor options for the Go compiler.
 *  `GOMIPS`: ARM processor options for the Go compiler.
 *  `GO`: set an alternative name for the Go compiler.
 *  `OUT`: output binary name.
 *  `PARALLELISM`: set the maximum number of concurrently run build commands
    (that is, compiler, linker, etc.).
+ *  `SOURCE_DATE_EPOCH`: the [standardized][repr] environment variable for the
+    Unix epoch time of the latest commit in the repository.  If set, overrides
+    the default obtained from Git.  Useful for reproducible builds.
 *  `VERBOSE`: verbosity level.  `1` shows every command that is run and every
    Go package that is processed.  `2` also shows subcommands and environment.
    The default value is `0`, don't be verbose.
@@ -107,6 +108,8 @@ Optional environment:
 Required environment:
 *  `CHANNEL`: release channel, see above.

+[repr]: https://reproducible-builds.org/docs/source-date-epoch/
+


 ###  `go-deps.sh`: Install Backend Dependencies
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -272,32 +272,12 @@ fix_darwin() {
 		return 0
 	fi

-	if [ "$cpu" = 'arm64' ]
-	then
-		case "$channel"
-		in
-		('beta'|'development'|'edge')
-			# Everything is fine, we have Apple Silicon support on
-			# these channels.
-			;;
-		('release')
-			cpu='amd64'
-			log "use $cpu build on Mac M1 until the native ARM support is added."
-			;;
-		(*)
-			# Generally shouldn't happen, since the release channel
-			# has already been validated.
-			error_exit "invalid channel '$channel'"
-			;;
-		esac
-	fi
-
 	# Set the package extension.
 	pkg_ext='zip'

-	# It is important to install AdGuard Home into the /Applications
-	# directory on macOS.  Otherwise, it may not grant enough privileges to
-	# the AdGuard Home.
+	# It is important to install AdGuard Home into the /Applications directory
+	# on macOS.  Otherwise, it may grant not enough privileges to the AdGuard
+	# Home.
 	out_dir='/Applications'
 }

@@ -404,16 +384,15 @@ rerun_with_root() {

 	log 'restarting with root privileges'
 	
-	# Group curl together with an echo, so that if curl fails before
-	# producing any output, the echo prints an exit command for the
-	# following shell to execute to prevent it from getting an empty input
-	# and exiting with a zero code in that case.
+	# Group curl together with an echo, so that if curl fails before producing
+	# any output, the echo prints an exit command for the following shell to
+	# execute to prevent it from getting an empty input and exiting with a zero
+	# code in that case.
 	{ curl -L -S -s "$script_url" || echo 'exit 1'; }\
 		| $sudo_cmd sh -s -- -c "$channel" -C "$cpu" -O "$os" -o "$out_dir" "$r" "$u" "$v"

-	# Exit the script.  Since if the code of the previous pipeline is
-	# non-zero, the execution won't reach this point thanks to set -e, exit
-	# with zero.
+	# Exit the script.  Since if the code of the previous pipeline is non-zero,
+	# the execution won't reach this point thanks to set -e, exit with zero.
 	exit 0
 }

@@ -503,11 +482,7 @@ handle_existing() {

 # Function install_service tries to install AGH as service.
 install_service() {
-	# Installing as root is required at least on FreeBSD.
-	#
-	# TODO(e.burkov): Think about AGH's output suppressing with no verbose
-	# flag.
-	if ( cd "$agh_dir" && $sudo_cmd ./AdGuardHome -s install )
+	if ( cd "$agh_dir" && ./AdGuardHome -s install )
 	then
 		return 0
 	fi
--- a/scripts/make/Dockerfile
+++ b/scripts/make/Dockerfile
@@ -5,22 +5,26 @@ FROM alpine:3.13
 ARG BUILD_DATE
 ARG VERSION
 ARG VCS_REF
-LABEL maintainer="AdGuard Team <devteam@adguard.com>" \
-  org.opencontainers.image.created=$BUILD_DATE \
-  org.opencontainers.image.url="https://adguard.com/adguard-home.html" \
-  org.opencontainers.image.source="https://github.com/AdguardTeam/AdGuardHome" \
-  org.opencontainers.image.version=$VERSION \
-  org.opencontainers.image.revision=$VCS_REF \
-  org.opencontainers.image.vendor="AdGuard" \
-  org.opencontainers.image.title="AdGuard Home" \
-  org.opencontainers.image.description="Network-wide ads & trackers blocking DNS server" \
-  org.opencontainers.image.licenses="GPL-3.0"
+
+LABEL\
+	maintainer="AdGuard Team <devteam@adguard.com>" \
+	org.opencontainers.image.authors="AdGuard Team <devteam@adguard.com>" \
+	org.opencontainers.image.created=$BUILD_DATE \
+	org.opencontainers.image.description="Network-wide ads & trackers blocking DNS server" \
+	org.opencontainers.image.documentation="https://github.com/AdguardTeam/AdGuardHome/wiki/" \
+	org.opencontainers.image.licenses="GPL-3.0" \
+	org.opencontainers.image.revision=$VCS_REF \
+	org.opencontainers.image.source="https://github.com/AdguardTeam/AdGuardHome" \
+	org.opencontainers.image.title="AdGuard Home" \
+	org.opencontainers.image.url="https://adguard.com/en/adguard-home/overview.html" \
+	org.opencontainers.image.vendor="AdGuard" \
+	org.opencontainers.image.version=$VERSION

 # Update certificates.
 RUN apk --no-cache --update add ca-certificates libcap tzdata && \
-    rm -rf /var/cache/apk/* && \
-    mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
-    chown -R nobody: /opt/adguardhome
+	rm -rf /var/cache/apk/* && \
+	mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
+	chown -R nobody: /opt/adguardhome

 ARG DIST_DIR
 ARG TARGETARCH
--- a/Show More
+++ b/Show More