all: fix chlog link

Squashed commit of the following:

commit 284190f748345c7556e60b67f051ec5f6f080948
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Dec 6 19:36:00 2023 +0300

    all: sync with master; upd chlog

.github/PULL_REQUEST_TEMPLATE

@@ -1,7 +1,8 @@
 Before submitting a PR please make sure that:
 
 1.  You have discussed your solution in an issue and have got an
-    approval from a maintainer.
+    approval from a maintainer.  See our
+    [contribution guide](https://github.com/AdguardTeam/AdGuardHome/blob/master/CONTRIBUTING.md).
 
 2.  This isn't a localization fix; please send those to our
     [CrowdIn](https://crowdin.com/project/adguard-applications/en#/adguard-home)
@@ -13,8 +14,8 @@ Before submitting a PR please make sure that:
 Add a short description here.  The description should include:
 
 1.  Which issue this PR closes (`Closes #NNNN.`) or updates (`Updates
-    #NNNN.`).
+    #NNNN.`).  Please do not open PRs without filing an issue first.
 
 2.  A short description of how the change achieves that.
 
-Do not forget to remove these instructions.
+Do not forget to remove these instructions!

.github/workflows/build.yml

@@ -1,7 +1,7 @@
 'name': 'build'
 
 'env':
-  'GO_VERSION': '1.20.10'
+  'GO_VERSION': '1.20.12'
   'NODE_VERSION': '16'
 
 'on':

.github/workflows/lint.yml

@@ -1,7 +1,7 @@
 'name': 'lint'
 
 'env':
-  'GO_VERSION': '1.20.10'
+  'GO_VERSION': '1.20.12'
 
 'on':
   'push':

CHANGELOG.md

@@ -14,11 +14,11 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA
 
-## [v0.107.41] - 2023-11-01 (APPROX.)
+## [v0.107.44] - 2023-12-20 (APPROX.)
 
-See also the [v0.107.41 GitHub milestone][ms-v0.107.41].
+See also the [v0.107.44 GitHub milestone][ms-v0.107.44].
 
-[ms-v0.107.41]: https://github.com/AdguardTeam/AdGuardHome/milestone/76?closed=1
+[ms-v0.107.44]: https://github.com/AdguardTeam/AdGuardHome/milestone/79?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
@@ -29,6 +29,122 @@ NOTE: Add new changes ABOVE THIS COMMENT.
 
 
 
+## [v0.107.43] - 2023-12-11
+
+See also the [v0.107.43 GitHub milestone][ms-v0.107.43].
+
+### Fixed
+
+- Incorrect handling of IPv4-in-IPv6 addresses when binding to an unspecified
+  address on some machines ([#6510]).
+
+[#6510]: https://github.com/AdguardTeam/AdGuardHome/issues/6510
+
+[ms-v0.107.43]: https://github.com/AdguardTeam/AdGuardHome/milestone/78?closed=1
+
+
+
+## [v0.107.42] - 2023-12-07
+
+See also the [v0.107.42 GitHub milestone][ms-v0.107.42].
+
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the
+  CVE-2023-39326, CVE-2023-45283, and CVE-2023-45285 Go vulnerabilities fixed in
+  [Go 1.20.12][go-1.20.12].
+
+### Added
+
+- Ability to set client's custom DNS cache ([#6263]).
+- Ability to disable plain-DNS serving through configuration file if an
+  encrypted protocol is already enabled ([#1660]).
+- Ability to specify rate limiting settings in the Web UI ([#6369]).
+
+### Changed
+
+#### Configuration changes
+
+- The new property `dns.serve_plain_dns` has been added to the configuration
+  file ([#1660]).
+- The property `dns.bogus_nxdomain` is now validated more strictly.
+- Added new properties `clients.persistent.*.upstreams_cache_enabled` and
+  `clients.persistent.*.upstreams_cache_size` that describe cache configuration
+  for each client's custom upstream configuration.
+
+### Fixed
+
+- `ipset` entries family validation ([#6420]).
+- Pre-filling the *New static lease* window with data ([#6402]).
+- Protection pause timer synchronization ([#5759]).
+
+[#1660]: https://github.com/AdguardTeam/AdGuardHome/issues/1660
+[#5759]: https://github.com/AdguardTeam/AdGuardHome/issues/5759
+[#6263]: https://github.com/AdguardTeam/AdGuardHome/issues/6263
+[#6369]: https://github.com/AdguardTeam/AdGuardHome/issues/6369
+[#6402]: https://github.com/AdguardTeam/AdGuardHome/issues/6402
+[#6420]: https://github.com/AdguardTeam/AdGuardHome/issues/6420
+
+[go-1.20.12]:   https://groups.google.com/g/golang-announce/c/iLGK3x6yuNo/m/z6MJ-eB0AQAJ
+[ms-v0.107.42]: https://github.com/AdguardTeam/AdGuardHome/milestone/77?closed=1
+
+
+
+## [v0.107.41] - 2023-11-13
+
+See also the [v0.107.41 GitHub milestone][ms-v0.107.41].
+
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the
+  CVE-2023-45283 and CVE-2023-45284 Go vulnerabilities fixed in
+  [Go 1.20.11][go-1.20.11].
+
+### Added
+
+- Ability to specify subnet lengths for IPv4 and IPv6 addresses, used for rate
+  limiting requests, in the configuration file ([#6368]).
+- Ability to specify multiple domain specific upstreams per line, e.g.
+  `[/domain1/../domain2/]upstream1 upstream2 .. upstreamN` ([#4977]).
+
+### Changed
+
+- Increased the height of the ready-to-use filter lists dialog ([#6358]).
+- Improved logging of authentication failures ([#6357]).
+
+#### Configuration changes
+
+- New properties `dns.ratelimit_subnet_len_ipv4` and
+  `dns.ratelimit_subnet_len_ipv6` have been added to the configuration file
+  ([#6368]).
+
+### Fixed
+
+- Schedule timezone not being sent ([#6401]).
+- Average request processing time calculation ([#6220]).
+- Redundant truncation of long client names in the Top Clients table ([#6338]).
+- Scrolling column headers in the tables ([#6337]).
+- `$important,dnsrewrite` rules not overriding allowlist rules ([#6204]).
+- Dark mode DNS rewrite background ([#6329]).
+- Issues with QUIC and HTTP/3 upstreams on Linux ([#6335]).
+
+[#4977]: https://github.com/AdguardTeam/AdGuardHome/issues/4977
+[#6204]: https://github.com/AdguardTeam/AdGuardHome/issues/6204
+[#6220]: https://github.com/AdguardTeam/AdGuardHome/issues/6220
+[#6329]: https://github.com/AdguardTeam/AdGuardHome/issues/6329
+[#6335]: https://github.com/AdguardTeam/AdGuardHome/issues/6335
+[#6337]: https://github.com/AdguardTeam/AdGuardHome/issues/6337
+[#6338]: https://github.com/AdguardTeam/AdGuardHome/issues/6338
+[#6357]: https://github.com/AdguardTeam/AdGuardHome/issues/6357
+[#6358]: https://github.com/AdguardTeam/AdGuardHome/issues/6358
+[#6368]: https://github.com/AdguardTeam/AdGuardHome/issues/6368
+[#6401]: https://github.com/AdguardTeam/AdGuardHome/issues/6401
+
+[go-1.20.11]:   https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY/m/d-jSKR_jBwAJ
+[ms-v0.107.41]: https://github.com/AdguardTeam/AdGuardHome/milestone/76?closed=1
+
+
+
 ## [v0.107.40] - 2023-10-18
 
 See also the [v0.107.40 GitHub milestone][ms-v0.107.40].
@@ -156,7 +272,7 @@ See also the [v0.107.37 GitHub milestone][ms-v0.107.37].
   is returned if the blocking mode isn't set to `Null IP`.  In previous versions
   it returned NXDOMAIN response in such cases.
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 24 to 27.
 
@@ -366,7 +482,7 @@ See also the [v0.107.34 GitHub milestone][ms-v0.107.34].
 
 - Improved CPU and RAM consumption during updates of filtering-rule lists.
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 23 to 24.
 
@@ -446,7 +562,7 @@ See also the [v0.107.33 GitHub milestone][ms-v0.107.33].
 
 ### Changed
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 20 to 23.
 
@@ -711,7 +827,7 @@ See also the [v0.107.28 GitHub milestone][ms-v0.107.28].
 - ARPA domain names containing a subnet within private networks now also
   considered private, behaving closer to [RFC 6761][rfc6761] ([#5567]).
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 17 to 20.
 
@@ -851,7 +967,7 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
 
 ### Changed
 
-#### Configuration Changes
+#### Configuration changes
 
 - Property `edns_client_subnet`, which in schema versions 16 and earlier used
   to be a part of the `dns` object, is now part of the `dns.edns_client_subnet`
@@ -940,7 +1056,7 @@ See also the [v0.107.24 GitHub milestone][ms-v0.107.24].
 
 ### Changed
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 14 to 16.
 
@@ -1650,7 +1766,7 @@ See also the [v0.107.7 GitHub milestone][ms-v0.107.7].
 - The `dns.bogus_nxdomain` property in the configuration file now supports CIDR
   notation alongside IP addresses ([#1730]).
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 12 to 14.
 
@@ -1991,7 +2107,7 @@ See also the [v0.107.0 GitHub milestone][ms-v0.107.0].
   file, together with the new `group` and `user` properties ([#2763]).
 - Permissions on filter files are now `0o644` instead of `0o600` ([#3198]).
 
-#### Configuration Changes
+#### Configuration changes
 
 In this release, the schema version has changed from 10 to 12.
 
@@ -2557,11 +2673,14 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...HEAD
-[v0.107.41]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.40...v0.107.41
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.44...HEAD
+[v0.107.44]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.43...v0.107.44
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.40...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.43...HEAD
+[v0.107.43]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.42...v0.107.43
+[v0.107.42]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...v0.107.42
+[v0.107.41]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.40...v0.107.41
 [v0.107.40]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.39...v0.107.40
 [v0.107.39]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.38...v0.107.39
 [v0.107.38]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.37...v0.107.38

CONTRIBUTING.md

@@ -0,0 +1,89 @@
+ #  Contributing to AdGuard Home
+
+If you want to contribute to AdGuard Home by filing or commenting on an issue or
+opening a pull request, please follow the instructions below.
+
+
+
+##  General recommendations
+
+Please don't:
+
+ *  post comments like “+1” or “this”.  Use the :+1: reaction on the issue
+    instead, as this allows us to actually see the level of support for issues.
+
+ *  file issues about localization errors or send localization updates as PRs.
+    We're using [CrowdIn] to manage our translations and we generally update
+    them before each Beta and Release build.  You can learn more about
+    translating AdGuard products [in our Knowledge Base][kb-trans].
+
+ *  file issues about a particular filtering-rule list misbehaving.  These are
+    tracked through the [separate form for filtering issues][form].
+
+ *  send updates to filtering-rule lists, such as the ones for the Blocked
+    Services feature or the list of approved filtering-rule lists.  We update
+    them once before each Beta and Release build.
+
+Please do:
+
+ *  follow the template instructions and provide data for reproducing issues.
+
+ *  write the title of your issue or pull request in English.  Any language is
+    fine in the body, but it is important to keep the title in English to make
+    it easier for people and bots to look up duplicated issues.
+
+[CrowdIn]:  https://crowdin.com/project/adguard-applications/en#/adguard-home
+[form]:     https://link.adtidy.org/forward.html?action=report&app=home&from=github
+[kb-trans]: https://kb.adguard.com/en/general/adguard-translations
+
+
+
+##  Issues
+
+   ###  Search first
+
+Please make sure that the issue is not a duplicate or a question.  If it's a
+duplicate, please react to the original issue with a thumbs up.  If it's a
+question, please look through our [Wiki] and, if you haven't found the answer,
+post it to the GitHub [Discussions] page.
+
+[Discussions]: https://github.com/AdguardTeam/AdGuardHome/discussions/categories/q-a
+[Wiki]:        https://github.com/AdguardTeam/AdGuardHome/wiki
+
+
+
+   ###  Follow the issue template
+
+Developers need to be able to reproduce the faulty behavior in order to fix an
+issue, so please make sure that you follow the instructions in the issue
+template carefully.
+
+
+
+##  Pull requests
+
+   ###  Discuss your changes first
+
+Please discuss your changes by opening an issue.  The maintainers should
+evaluate your proposal, and it's generally better if that's done before any code
+is written.
+
+
+
+   ###  Review your changes for style
+
+We have a set of [code guidelines][hacking] that we expect the code to follow.
+Please make sure you follow it.
+
+[hacking]: https://github.com/AdguardTeam/CodeGuidelines/blob/master/Go/Go.md
+
+
+
+   ###  Test your changes
+
+Make sure that it passes linters and tests by running the corresponding Make
+targets.  For backend changes, it's `make go-check`.  For frontend, run
+`make js-lint`.
+
+Additionally, a manual test is often required.  While we're constantly working
+on improving our test suites, they're still not as good as we'd like them to be.

README.md

@@ -201,7 +201,7 @@ opinion, this cannot be legitimately counted as a Pi-Hole's feature.
 | Cross-platform                                                          | ✅                | ❌ (not natively, only via Docker)                        |
 | Running as a DNS-over-HTTPS or DNS-over-TLS server                      | ✅                | ❌ (requires additional software)                         |
 | Blocking phishing and malware domains                                   | ✅                | ❌ (requires non-default blocklists)                      |
-| Parental control (blocking adult domains)                               | ✅                | ❌                                                        |
+| Parental control (blocking adult domains)                               | ✅                | ❌ (requires non-default blocklists)                      |
 | Force Safe search on search engines                                     | ✅                | ❌                                                        |
 | Per-client (device) configuration                                       | ✅                | ✅                                                        |
 | Access settings (choose who can use AGH DNS)                            | ✅                | ❌                                                        |

bamboo-specs/release.yaml

@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.4'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
 
 'stages':
   - 'Build frontend':
@@ -272,7 +272,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.4'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
   - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -287,4 +287,4 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.4'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'

bamboo-specs/snapcraft.yaml

@@ -10,7 +10,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.4'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
     'snapcraftChannel': 'edge'
 
 'stages':
@@ -191,7 +191,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.4'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
             'snapcraftChannel': 'beta'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
@@ -207,5 +207,5 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.4'
+            'dockerGo': 'adguard/golang-ubuntu:7.6'
             'snapcraftChannel': 'candidate'

bamboo-specs/test.yaml

@@ -5,7 +5,7 @@
     'key': 'AHBRTSPECS'
     'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerGo': 'adguard/golang-ubuntu:7.4'
+    'dockerGo': 'adguard/golang-ubuntu:7.6'
 
 'stages':
   - 'Tests':

client/src/__locales/be.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Налады кліентаў",
     "example_upstream_reserved": "upstream <0>для канкрэтных даменаў</0>;",
+    "example_multiple_upstreams_reserved": "некалькі DNS-сервераў <0>для канкрэтных даменаў</0>;",
     "example_upstream_comment": "каментар.",
     "upstream_parallel": "Ужыць адначасныя запыты да ўсіх сервераў для паскарэння апрацоўкі запыту",
     "parallel_requests": "Паралельныя запыты",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Ужыты бяспечны пошук",
     "number_of_dns_query_to_safe_search": "Колькасць запытаў DNS для пошукавых сістэм, для якіх быў ужыты Бяспечны пошук",
     "average_processing_time": "Сярэдні час апрацоўкі запыту",
-    "processing_time": "Час апрацоўкі",
+    "average_upstream_response_time": "Сярэдні час водгуку upstream-сервера",
+    "response_time": "Час водгуку",
     "average_processing_time_hint": "Сярэдні час для апрацоўкі запыту DNS  у мілісекундах",
     "block_domain_use_filters_and_hosts": "Блакаваць дамены з выкарыстаннем фільтраў і файлаў хастоў",
     "filters_block_toggle_hint": "Вы можаце наладзіць правілы блакавання ў «<a>Фільтрах</a>».",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Выкарыстоўваць указаны IP для DNS",
     "edns_use_custom_ip_desc": "Дазволіць выкарыстоўваць уласны IP для DNS",
     "rate_limit_desc": "Абмежаванне на колькасць запытаў у секунду для кожнага кліента (0 — неабмежавана)",
+    "rate_limit_subnet_len_ipv4": "Даўжыня прэфікса падсеткі для адрасоў IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Даўжыня прэфікса падсеткі для адрасоў IPv4, якія выкарыстоўваюцца для абмежавання хуткасці. Значэнне па змаўчанні 24",
+    "rate_limit_subnet_len_ipv4_error": "Даўжыня прэфікса падсеткі IPv4 павінна быць ад 0 да 32",
+    "rate_limit_subnet_len_ipv6": "Даўжыня прэфікса падсеткі для адрасоў IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Даўжыня прэфікса падсеткі для адрасоў IPv6, якія выкарыстоўваюцца для абмежавання хуткасці. Значэнне па змаўчанні 56",
+    "rate_limit_subnet_len_ipv6_error": "Даўжыня прэфікса падсеткі IPv6 павінна быць ад 0 да 128",
+    "form_enter_rate_limit_subnet_len": "Увядзіце даўжыню прэфікса падсеткі для абмежавання хуткасці",
+    "rate_limit_whitelist": "Белы спіс з абмежаваннем хуткасці",
+    "rate_limit_whitelist_desc": "IP-адрасы выключаны з абмежавання хуткасці",
+    "rate_limit_whitelist_placeholder": "Увядзіце па адным адрасе на радок",
     "blocking_ipv4_desc": "IP-адрас, што вяртаецца пры блакаванню A-запыту",
     "blocking_ipv6_desc": "IP-адрас, што вяртаецца пры блакаванню AAAA-запыту",
     "blocking_mode_default": "Стандартны: Адказвае з нулёвым IP-адрасам (0.0.0.0 для A; :: для AAAA), калі заблакавана правілам у стылі Adblock; адказвае з IP-адрасам, паказаным у правіле, калі заблакавана правілам у стылі /etc/hosts-style",
@@ -722,5 +734,8 @@
     "wednesday_short": "Ср.",
     "thursday_short": "Чц.",
     "friday_short": "Пт.",
-    "saturday_short": "Сб."
+    "saturday_short": "Сб.",
+    "upstream_dns_cache_configuration": "Канфігурацыя кэша upstream DNS-сервераў",
+    "enable_upstream_dns_cache": "Ўключыць кэшаванне для карыстацкай канфігурацыі upstream-сервераў гэтага кліента",
+    "dns_cache_size": "Памер кэша DNS, у байтах"
 }

client/src/__locales/cs.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Nastavení klienta",
     "example_upstream_reserved": "odchozí DNS připojení <0>pro konkrétní doménu(y)</0>;",
+    "example_multiple_upstreams_reserved": "více odchozích připojení <0>pro konkrétní domény</0>;",
     "example_upstream_comment": "komentář.",
     "upstream_parallel": "Použijte paralelní požadavky na urychlení řešení simultánním dotazováním na všechny navazující servery.",
     "parallel_requests": "Paralelní požadavky",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Vynucené bezpečné vyhledávání",
     "number_of_dns_query_to_safe_search": "Počet požadavků DNS na vyhledávače, při kterých bylo vynucené bezpečné vyhledávání",
     "average_processing_time": "Průměrný čas zpracování",
-    "processing_time": "Doba zpracování",
+    "average_upstream_response_time": "Průměrná doba odezvy odchozích připojení",
+    "response_time": "Čas odezvy",
     "average_processing_time_hint": "Průměrný čas zpracování požadavků DNS v milisekundách",
     "block_domain_use_filters_and_hosts": "Blokovat domény pomocí filtrů a seznamů adres",
     "filters_block_toggle_hint": "Pravidla blokování můžete nastavit v nastavení <a>Filtry</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Použít vlastní IP pro EDNS",
     "edns_use_custom_ip_desc": "Povolit použití vlastní IP pro EDNS",
     "rate_limit_desc": "Počet požadavků za sekundu, které smí jeden klient provádět (0: neomezeno)",
+    "rate_limit_subnet_len_ipv4": "Délka předpony podsítě pro adresy IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Délka předpony podsítě pro adresy IPv4 používané pro omezení rychlosti. Výchozí hodnota je 24",
+    "rate_limit_subnet_len_ipv4_error": "Délka předpony podsítě IPv4 by měla být mezi 0 a 32",
+    "rate_limit_subnet_len_ipv6": "Délka předpony podsítě pro adresy IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Délka předpony podsítě pro adresy IPv6 používané pro omezení rychlosti. Výchozí hodnota je 56",
+    "rate_limit_subnet_len_ipv6_error": "Délka předpony podsítě IPv6 by měla být mezi 0 a 128",
+    "form_enter_rate_limit_subnet_len": "Zadejte délku předpony podsítě pro omezení rychlosti",
+    "rate_limit_whitelist": "Seznam výjimek pro omezení rychlosti",
+    "rate_limit_whitelist_desc": "IP adresy vyloučené z omezení rychlosti",
+    "rate_limit_whitelist_placeholder": "Zadejte jednu IP adresu na řádek",
     "blocking_ipv4_desc": "IP adresa, která se má vrátit v případě blokovaného požadavku typu A",
     "blocking_ipv6_desc": "IP adresa, která se má vrátit v případě blokovaného požadavku typu AAAA",
     "blocking_mode_default": "Výchozí: Odezva s nulovou IP adresou (0.0.0.0 pro A; :: pro AAAA), pokud je blokováno pravidlem ve stylu Adblock; odezva pomocí IP adresy uvedené v pravidle, pokud je blokováno pravidlem /etc/hosts-style",
@@ -722,5 +734,8 @@
     "wednesday_short": "Středa",
     "thursday_short": "Čtvrtek",
     "friday_short": "Pátek",
-    "saturday_short": "Sobota"
+    "saturday_short": "Sobota",
+    "upstream_dns_cache_configuration": "Konfigurace mezipaměti odchozího DNS",
+    "enable_upstream_dns_cache": "Povolit ukládání do mezipaměti DNS pro vlastní konfiguraci odchozího připojení tohoto klienta",
+    "dns_cache_size": "Velikost mezipaměti DNS v bajtech"
 }

client/src/__locales/da.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Klientindstillinger",
     "example_upstream_reserved": "en upstream <0>for bestemte domæner</0>;",
+    "example_multiple_upstreams_reserved": "flere upstreams <0>til bestemte domæner</0>;",
     "example_upstream_comment": "en kommentaren.",
     "upstream_parallel": "Brug parallelforespørgsler til at accelerere fortolkningen ved at forespørge alle upstream-servere samtidigt.",
     "parallel_requests": "Parallelle forespørgsler",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Håndhævet sikker søgning",
     "number_of_dns_query_to_safe_search": "Antallet af DNS-forespørgsler til søgemaskiner, hvor Sikker Søgning blev håndhævet",
     "average_processing_time": "Gennemsnitlig behandlingstid",
-    "processing_time": "Behandlingstid",
+    "average_upstream_response_time": "Gennemsnitlig upstream-responstid",
+    "response_time": "Responstid",
     "average_processing_time_hint": "Gennemsnitlig behandlingstid i millisekunder af DNS-forespørgsel",
     "block_domain_use_filters_and_hosts": "Blokér domæner vha. filtre og værtsfiler",
     "filters_block_toggle_hint": "Du kan opsætte blokeringsregler i <a>Filterindstillingerne</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Brug tilpasset IP til EDNS",
     "edns_use_custom_ip_desc": "Tillad brug af tilpasset IP til EDNS",
     "rate_limit_desc": "Antallet af forespørgsler pr. sekund tilladt pr. klient (værdien 0 = ubegrænset)",
+    "rate_limit_subnet_len_ipv4": "Længde på undernetpræfiks for IPv4-adresser",
+    "rate_limit_subnet_len_ipv4_desc": "Længde på undernetpræfiks for IPv4-adresser til hastighedsbegrænsning. Standard er 24",
+    "rate_limit_subnet_len_ipv4_error": "Længden på IPv4-undernetpræfiks skal være mellem 0 og 32",
+    "rate_limit_subnet_len_ipv6": "Længde på undernetpræfiks for IPv6-adresser",
+    "rate_limit_subnet_len_ipv6_desc": "Længde på undernetpræfiks for IPv6-adresser til hastighedsbegrænsning. Standard er 56",
+    "rate_limit_subnet_len_ipv6_error": "Længden på IPv6-undernetpræfiks skal være mellem 0 og 128",
+    "form_enter_rate_limit_subnet_len": "Angiv længden på undernetpræfiks til hastighedsbegrænsning",
+    "rate_limit_whitelist": "Hvidliste til hastighedsbegrænsning",
+    "rate_limit_whitelist_desc": "IP-adresser undtaget fra hastighedsbegrænsning",
+    "rate_limit_whitelist_placeholder": "Angiv én IP-adresse pr. linje",
     "blocking_ipv4_desc": "Returneret IP-adresse for en blokeret A-forespørgsel",
     "blocking_ipv6_desc": "Returneret IP-adresse for en blokeret AAAA-forespørgsel",
     "blocking_mode_default": "Standard: Svar med nul IP-adresse (0.0.0.0 for A; :: for AAAA), når blokeret af Adblock-lignende regel. Svar med IP-adressen angivet i reglen, når blokeret af /etc/hosts-lignende regel",
@@ -722,5 +734,8 @@
     "wednesday_short": "Ons",
     "thursday_short": "Tors",
     "friday_short": "Fre",
-    "saturday_short": "Lør"
+    "saturday_short": "Lør",
+    "upstream_dns_cache_configuration": "Upstream DNS-cacheopsætning",
+    "enable_upstream_dns_cache": "Aktivér DNS-cachelagring for denne klients tilpassede upstream-opsætning",
+    "dns_cache_size": "DNS-cachestørrelse i bytes"
 }

client/src/__locales/de.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Client-Einstellungen",
     "example_upstream_reserved": "ein Upstream <0>für bestimmte Domains</0>;",
+    "example_multiple_upstreams_reserved": "mehrere Upstreams <0>für bestimmte Domains</0>;",
     "example_upstream_comment": "ein Kommentar.",
     "upstream_parallel": "Parallele Abfragen verwenden, um das Auflösen zu beschleunigen, indem alle Upstream-Server gleichzeitig abgefragt werden.",
     "parallel_requests": "Paralleles Abfragen",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Sichere Suche erzwungen",
     "number_of_dns_query_to_safe_search": "Anzahl der DNS-Anfragen bei denen Sichere Suche für Suchanfragen erzwungen wurde",
     "average_processing_time": "Durchschnittliche Bearbeitungsdauer",
-    "processing_time": "Verarbeitungszeit",
+    "average_upstream_response_time": "Durchschnittliche Upstream-Antwortzeit",
+    "response_time": "Antwortzeit",
     "average_processing_time_hint": "Durchschnittliche Zeit in Millisekunden zur Bearbeitung von DNS-Anfragen",
     "block_domain_use_filters_and_hosts": "Domains durch Filter und Host-Dateien sperren",
     "filters_block_toggle_hint": "Sie können Blockierregeln in den <a>Filter</a>einstellungen erstellen.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Benutzerdefinierte IP für EDNS verwenden",
     "edns_use_custom_ip_desc": "Benutzerdefinierte IP für EDNS zulassen",
     "rate_limit_desc": "Die Anzahl der Anfragen pro Sekunde, die ein einzelner Client stellen darf. Das Setzen auf 0 bedeutet keine Begrenzung.",
+    "rate_limit_subnet_len_ipv4": "Länge des Subnetzpräfixes für IPv4-Adressen",
+    "rate_limit_subnet_len_ipv4_desc": "Subnetpräfixlänge für IPv4-Adressen, die für die Ratebegrenzung verwendet werden. Der Standardwert ist 24",
+    "rate_limit_subnet_len_ipv4_error": "Die Subnetzpräfixlänge für IPv4-Adressen sollte zwischen 0 und 32 liegen",
+    "rate_limit_subnet_len_ipv6": "Subnetzpräfixlänge für IPv6-Adressen",
+    "rate_limit_subnet_len_ipv6_desc": "Subnetpräfixlänge für IPv6-Adressen, die für die Ratebegrenzung verwendet werden. Der Standardwert ist 56",
+    "rate_limit_subnet_len_ipv6_error": "Die Subnetzpräfixlänge für IPv6-Adressen sollte zwischen 0 und 128 liegen",
+    "form_enter_rate_limit_subnet_len": "Geben Sie die Subnetzpräfixlänge für die Ratebegrenzung ein",
+    "rate_limit_whitelist": "Zulassungsliste für die Ratebegrenzung",
+    "rate_limit_whitelist_desc": "IP-Adressen, die von der Ratebegrenzung ausgeschlossen sind",
+    "rate_limit_whitelist_placeholder": "Geben Sie eine IP-Adresse pro Zeile ein",
     "blocking_ipv4_desc": "IP-Adresse, die für eine gesperrte A-Anfrage zurückgegeben werden soll",
     "blocking_ipv6_desc": "IP-Adresse, die für eine gesperrte AAAA-Anfrage zurückgegeben werden soll",
     "blocking_mode_default": "Standard: Mit Null IP Adress (0.0.0.0 for A; :: for AAAA) antworten, wenn sie durch eine Regel im Adblock-Stil gesperrt sind; mit der in der Regel angegebenen IP-Adresse antworten, wenn sie durch eine Regel im /etc/hosts-Stil gesperrt wurde",
@@ -722,5 +734,8 @@
     "wednesday_short": "Mi",
     "thursday_short": "Do",
     "friday_short": "Fr",
-    "saturday_short": "Sa"
+    "saturday_short": "Sa",
+    "upstream_dns_cache_configuration": "Konfiguration des Upstream-DNS-Cache",
+    "enable_upstream_dns_cache": "Caching für die benutzerdefinierte Upstream-Server-Konfiguration dieses Clients aktivieren",
+    "dns_cache_size": "Größe des DNS-Cache, in Bytes"
 }

client/src/__locales/en.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Client settings",
     "example_upstream_reserved": "an upstream <0>for specific domains</0>;",
+    "example_multiple_upstreams_reserved": "multiple upstreams <0>for specific domains</0>;",
     "example_upstream_comment": "a comment.",
     "upstream_parallel": "Use parallel queries to speed up resolving by querying all upstream servers simultaneously.",
     "parallel_requests": "Parallel requests",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Enforced safe search",
     "number_of_dns_query_to_safe_search": "The number of DNS requests to search engines for which Safe Search was enforced",
     "average_processing_time": "Average processing time",
-    "processing_time": "Processing time",
+    "average_upstream_response_time": "Average upstream response time",
+    "response_time": "Response time",
     "average_processing_time_hint": "Average time in milliseconds on processing a DNS request",
     "block_domain_use_filters_and_hosts": "Block domains using filters and hosts files",
     "filters_block_toggle_hint": "You can setup blocking rules in the <a>Filters</a> settings.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Use custom IP for EDNS",
     "edns_use_custom_ip_desc": "Allow to use custom IP for EDNS",
     "rate_limit_desc": "The number of requests per second allowed per client. Setting it to 0 means no limit.",
+    "rate_limit_subnet_len_ipv4": "Subnet prefix length for IPv4 addresses",
+    "rate_limit_subnet_len_ipv4_desc": "Subnet prefix length for IPv4 addresses used for rate limiting. The default is 24",
+    "rate_limit_subnet_len_ipv4_error": "The IPv4 subnet prefix length should be between 0 and 32",
+    "rate_limit_subnet_len_ipv6": "Subnet prefix length for IPv6 addresses",
+    "rate_limit_subnet_len_ipv6_desc": "Subnet prefix length for IPv6 addresses used for rate limiting. The default is 56",
+    "rate_limit_subnet_len_ipv6_error": "The IPv6 subnet prefix length should be between 0 and 128",
+    "form_enter_rate_limit_subnet_len": "Enter subnet prefix length for rate limiting",
+    "rate_limit_whitelist": "Rate limiting allowlist",
+    "rate_limit_whitelist_desc": "IP addresses excluded from rate limiting",
+    "rate_limit_whitelist_placeholder": "Enter one IP address per line",
     "blocking_ipv4_desc": "IP address to be returned for a blocked A request",
     "blocking_ipv6_desc": "IP address to be returned for a blocked AAAA request",
     "blocking_mode_default": "Default: Respond with zero IP address (0.0.0.0 for A; :: for AAAA) when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule",
@@ -722,5 +734,8 @@
     "wednesday_short": "Wed",
     "thursday_short": "Thu",
     "friday_short": "Fri",
-    "saturday_short": "Sat"
+    "saturday_short": "Sat",
+    "upstream_dns_cache_configuration": "Upstream DNS cache configuration",
+    "enable_upstream_dns_cache": "Enable DNS caching for this client's custom upstream configuration",
+    "dns_cache_size": "DNS cache size, in bytes"
 }

client/src/__locales/es.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Configuración de clientes",
     "example_upstream_reserved": "un DNS de subida <0>para un dominio específico</0>.",
+    "example_multiple_upstreams_reserved": "múltiples upstreams <0>para dominios específicos</0>;",
     "example_upstream_comment": "un comentario.",
     "upstream_parallel": "Usar consultas paralelas para acelerar la resolución al consultar simultáneamente a todos los servidores DNS de subida.",
     "parallel_requests": "Consultas paralelas",
@@ -8,9 +9,9 @@
     "load_balancing_desc": "Consulta un servidor DNS de subida a la vez. AdGuard Home utiliza su algoritmo aleatorio ponderado para elegir el servidor más rápido y sea utilizado con más frecuencia.",
     "bootstrap_dns": "Servidores DNS de arranque",
     "bootstrap_dns_desc": "Direcciones IP de servidores DNS utilizadas para resolver direcciones IP de los solucionadores DoH/DoT que especifiques como ascendentes. No se permiten comentarios.",
-    "fallback_dns_title": "Servidores DNS de fallback",
-    "fallback_dns_desc": "La lista de DNS de fallback serán usadas cuando los servidores de upstream de DNS no respondan. La sintaxis es la misma que en los principales del campo anterior.",
-    "fallback_dns_placeholder": "Ingresa un servidor de DNS alternativo por línea",
+    "fallback_dns_title": "Servidores DNS alternativos",
+    "fallback_dns_desc": "Lista de servidores DNS alternativos utilizados cuando los servidores DNS de subida no responden. La sintaxis es la misma que en el campo de los principales DNS de subida anterior.",
+    "fallback_dns_placeholder": "Ingresa un servidor DNS alternativo por línea",
     "local_ptr_title": "Servidores DNS inversos y privados",
     "local_ptr_desc": "Los servidores DNS que AdGuard Home utiliza para las consultas PTR locales. Estos servidores se utilizan para resolver las peticiones PTR de direcciones en rangos de IP privadas, por ejemplo \"192.168.12.34\", utilizando DNS inverso. Si no está establecido, AdGuard Home utilizará los resolutores DNS predeterminados de tu sistema operativo, excepto las direcciones del propio AdGuard Home.",
     "local_ptr_default_resolver": "Por defecto, AdGuard Home utiliza los siguientes resolutores DNS inversos: {{ip}}.",
@@ -131,8 +132,8 @@
     "top_clients": "Clientes más frecuentes",
     "no_clients_found": "No se han encontrado clientes",
     "general_statistics": "Estadísticas generales",
-    "top_upstreams": "Mejores upstreams",
-    "no_upstreams_data_found": "No se han encontrado datos de upstreams",
+    "top_upstreams": "DNS de subida más frecuentes",
+    "no_upstreams_data_found": "No se han encontrado datos de DNS de subida",
     "number_of_dns_query_days": "Número de consultas DNS procesadas durante el último {{count}} día",
     "number_of_dns_query_days_plural": "Número de consultas DNS procesadas durante los últimos {{count}} días",
     "number_of_dns_query_hours": "Número de consultas DNS procesadas durante la última {{count}} hora",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Búsquedas seguras forzadas",
     "number_of_dns_query_to_safe_search": "Número de peticiones DNS a los motores de búsqueda para los que se aplicó la búsqueda segura forzada",
     "average_processing_time": "Tiempo promedio de procesamiento",
-    "processing_time": "Tiempo de procesamiento",
+    "average_upstream_response_time": "Tiempo promedio de respuesta upstream",
+    "response_time": "Tiempo de respuesta",
     "average_processing_time_hint": "Tiempo promedio en milisegundos al procesar una petición DNS",
     "block_domain_use_filters_and_hosts": "Bloquear dominios usando filtros y archivos hosts",
     "filters_block_toggle_hint": "Puedes configurar las reglas de bloqueo en la configuración de <a>filtros</a>.",
@@ -168,7 +170,7 @@
     "upstream_dns_configured_in_file": "Configurado en {{path}}",
     "test_upstream_btn": "Probar DNS de subida",
     "upstreams": "DNS de subida",
-    "upstream": "Upstream",
+    "upstream": "DNS de subida",
     "apply_btn": "Aplicar",
     "disabled_filtering_toast": "Filtrado deshabilitado",
     "enabled_filtering_toast": "Filtrado habilitado",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Usar IP personalizada para EDNS",
     "edns_use_custom_ip_desc": "Permitir el uso de IP personalizadas para EDNS",
     "rate_limit_desc": "Número de peticiones por segundo permitidas por cliente. Establecerlo en 0 significa que no hay límite.",
+    "rate_limit_subnet_len_ipv4": "Longitud del prefijo de subred para direcciones IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Longitud del prefijo de subred para direcciones IPv4 utilizadas para limitar la velocidad. El valor predeterminado es 24",
+    "rate_limit_subnet_len_ipv4_error": "La longitud del prefijo de subred IPv4 debe estar entre 0 y 32",
+    "rate_limit_subnet_len_ipv6": "Longitud del prefijo de subred para direcciones IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Longitud del prefijo de subred para direcciones IPv6 utilizadas para limitar la velocidad. El valor predeterminado es 56",
+    "rate_limit_subnet_len_ipv6_error": "La longitud del prefijo de subred IPv6 debe estar entre 0 y 128",
+    "form_enter_rate_limit_subnet_len": "Ingresa la longitud del prefijo de subred para limitar la velocidad",
+    "rate_limit_whitelist": "Lista de permitidos de limitación de velocidad",
+    "rate_limit_whitelist_desc": "Direcciones IP excluidas de la limitación de velocidad",
+    "rate_limit_whitelist_placeholder": "Ingresa una dirección IP por línea",
     "blocking_ipv4_desc": "Dirección IP devolverá una petición A bloqueada",
     "blocking_ipv6_desc": "Dirección IP devolverá una petición AAAA bloqueada",
     "blocking_mode_default": "Predeterminado: Responde con dirección IP cero (0.0.0.0 para A; :: para AAAA) cuando está bloqueado por la regla de estilo Adblock; responde con la dirección IP especificada en la regla cuando está bloqueado por una regla de estilo /etc/hosts",
@@ -677,21 +689,21 @@
     "disable_for_hours": "Por {{count}} hora",
     "disable_for_hours_plural": "Por {{count}} horas",
     "disable_until_tomorrow": "Hasta mañana",
-    "disable_notify_for_seconds": "Desactivar la protección por {{count}} segundo",
-    "disable_notify_for_seconds_plural": "Desactivar la protección por {{count}} segundos",
-    "disable_notify_for_minutes": "Desactivar la protección por {{count}} minuto",
-    "disable_notify_for_minutes_plural": "Desactivar la protección por {{count}} minutos",
-    "disable_notify_for_hours": "Desactivar la protección por {{count}} hora",
-    "disable_notify_for_hours_plural": "Desactivar la protección por {{count}} horas",
-    "disable_notify_until_tomorrow": "Desactivar la protección hasta mañana",
-    "enable_protection_timer": "La protección se activará en {{time}}",
+    "disable_notify_for_seconds": "Deshabilitar protección por {{count}} segundo",
+    "disable_notify_for_seconds_plural": "Deshabilitar protección por {{count}} segundos",
+    "disable_notify_for_minutes": "Deshabilitar protección por {{count}} minuto",
+    "disable_notify_for_minutes_plural": "Deshabilitar protección por {{count}} minutos",
+    "disable_notify_for_hours": "Deshabilitar protección por {{count}} hora",
+    "disable_notify_for_hours_plural": "Deshabilitar protección por {{count}} horas",
+    "disable_notify_until_tomorrow": "Deshabilitar protección hasta mañana",
+    "enable_protection_timer": "La protección se habilitará a las {{time}}",
     "custom_retention_input": "Ingresa la retención en horas",
     "custom_rotation_input": "Ingresa la rotación en horas",
     "protection_section_label": "Protección",
     "log_and_stats_section_label": "Registro de consultas y estadísticas",
     "ignore_query_log": "Ignorar este cliente en el registro de consultas",
     "ignore_statistics": "Ignorar este cliente en las estadísticas",
-    "schedule_services": "Pausar el servicio de bloqueo",
+    "schedule_services": "Pausar servicio de bloqueo",
     "schedule_services_desc": "Configura el horario programado de pausa del servicio de bloqueo",
     "schedule_services_desc_client": "Configurar el horario programado de pausa del bloqueo de servicio filtrado para este cliente",
     "schedule_desc": "Establecer periodos de inactividad para servicios bloqueados",
@@ -701,7 +713,7 @@
     "schedule_current_timezone": "Zona horaria actual: {{value}}",
     "schedule_time_all_day": "Todo el dia",
     "schedule_modal_description": "Este horario sustituirá cualquier horario existente para el mismo día de la semana. Cada día de la semana solo puede tener un periodo de inactividad.",
-    "schedule_modal_time_off": "Detener el servicio de bloqueo:",
+    "schedule_modal_time_off": "Detener servicio de bloqueo:",
     "schedule_new": "Nuevo horario",
     "schedule_edit": "Editar horario",
     "schedule_save": "Guardar horario",
@@ -722,5 +734,8 @@
     "wednesday_short": "Mié.",
     "thursday_short": "Jue.",
     "friday_short": "Vie.",
-    "saturday_short": "Sáb."
+    "saturday_short": "Sáb.",
+    "upstream_dns_cache_configuration": "Configuración de la caché DNS upstream",
+    "enable_upstream_dns_cache": "Habilitar el almacenamiento en caché de DNS para la configuración personalizada de este cliente",
+    "dns_cache_size": "Tamaño de la caché DNS, en bytes"
 }

client/src/__locales/fa.json

@@ -139,7 +139,6 @@
     "enforced_save_search": "جستجوی اَمن اجبار شده",
     "number_of_dns_query_to_safe_search": "تعداد درخواست های DNS برای موتور جستجو که جستجوی اَمن اجبار شده",
     "average_processing_time": "میانگین زمان پردازش",
-    "processing_time": "زمان پردازش",
     "average_processing_time_hint": "زمان میانگین بر هزارم ثانیه در پردازش درخواست DNS",
     "block_domain_use_filters_and_hosts": "مسدودسازی دامنه ها توسط فیلترها و فایل های میزبان",
     "filters_block_toggle_hint": "میتوانید دستورات مسدودسازی را در تنظیمات <a>فیلترها</a> راه اندازی کنید.",

client/src/__locales/fi.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Päätelaiteasetukset",
     "example_upstream_reserved": "ylävirta <0>tietyille verkkotunnuksille</0>;",
+    "example_multiple_upstreams_reserved": "useita ylävirtoja <0>tietyille verkkotunnuksille</0>;",
     "example_upstream_comment": "kommentti.",
     "upstream_parallel": "Käytä rinnakkaisia pyyntöjä ja nopeuta selvitystä käyttämällä kaikkia ylävirtapalvelimia samanaikaisesti.",
     "parallel_requests": "Rinnakkaiset pyynnöt",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Turvallinen haku pakotettiin",
     "number_of_dns_query_to_safe_search": "DNS-pyyntöjen määrä, joille turvallinen haku pakotettiin käyttöön",
     "average_processing_time": "Keskimääräinen käsittelyaika",
-    "processing_time": "Käsittelyaika",
+    "average_upstream_response_time": "Ylävirran keskimääräinen vasteaika",
+    "response_time": "Vasteaika",
     "average_processing_time_hint": "Keskimääräinen DNS-pyynnön käsittelyyn kulutettu aika millisekunteina",
     "block_domain_use_filters_and_hosts": "Estä verkkotunnuksia suodattimilla ja hosts-tiedostoilla",
     "filters_block_toggle_hint": "Voit määrittää estosääntöjä <a>suodatinasetuksissa</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Käytä omaa IP-osoitetta EDNS:lle",
     "edns_use_custom_ip_desc": "Salli oman IP-osoitteen käyttö EDNS-mekanismille.",
     "rate_limit_desc": "Päätelaitteelle sallittu pyyntöjen enimmäismäärä sekunnissa. Arvo 0 tarkoittaa rajatonta.",
+    "rate_limit_subnet_len_ipv4": "IPv4-osoitteiden aliverkon etuliitteen pituus",
+    "rate_limit_subnet_len_ipv4_desc": "Aliverkon etuliitteen pituus IPv4-osoitteille, joita käytetään nopeuden rajoittamiseen. Oletusarvo on 24",
+    "rate_limit_subnet_len_ipv4_error": "IPv4-aliverkon etuliitteen pituuden tulee olla 0–32",
+    "rate_limit_subnet_len_ipv6": "IPv6-osoitteiden aliverkon etuliitteen pituus",
+    "rate_limit_subnet_len_ipv6_desc": "Aliverkon etuliitteen pituus IPv6-osoitteille, joita käytetään nopeuden rajoittamiseen. Oletusarvo on 56",
+    "rate_limit_subnet_len_ipv6_error": "IPv6-aliverkon etuliitteen pituuden tulee olla 0–128",
+    "form_enter_rate_limit_subnet_len": "Anna aliverkon etuliitteen pituus nopeuden rajoittamista varten",
+    "rate_limit_whitelist": "Nopeutta rajoittava sallittu luettelo",
+    "rate_limit_whitelist_desc": "IP-osoitteet, jotka eivät kuulu nopeusrajoituksen piiriin",
+    "rate_limit_whitelist_placeholder": "Syötä yksi IP-osoite per rivi",
     "blocking_ipv4_desc": "Estettyyn A-pyyntöön palautettava IP-osoite",
     "blocking_ipv6_desc": "Estettyyn AAAA-pyyntöön palautettava IP-osoite",
     "blocking_mode_default": "Oletus: Vastaa IP-nollaosoitteella (0.0.0.0 korvaa A; :: korvaa AAAA) kun estetään mainoseston säännöllä; vastaa säännön määrittämällä IP-osoitteella kun estetään /etc/hosts-tyyppisellä säännöllä",
@@ -722,5 +734,8 @@
     "wednesday_short": "Ke",
     "thursday_short": "To",
     "friday_short": "Pe",
-    "saturday_short": "La"
+    "saturday_short": "La",
+    "upstream_dns_cache_configuration": "Ylävirran DNS-välimuistin määritykset",
+    "enable_upstream_dns_cache": "Käytä DNS-välimuistia tämän päätelaitteen mukautetuissa ylävirtamäärityksissä",
+    "dns_cache_size": "DNS-välimuistin koko tavuina"
 }

client/src/__locales/fr.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Paramètres du client",
     "example_upstream_reserved": "un amont <0>pour des domaines spécifiques</0> ;",
+    "example_multiple_upstreams_reserved": "plusieurs amonts <0>pour des domaines spécifiques</0> ;",
     "example_upstream_comment": " un commentaire.",
     "upstream_parallel": "Utilisez des requêtes parallèles pour accélérer la résolution en requêtant simultanément tous les serveurs en amont.",
     "parallel_requests": "Requêtes en parallèle",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Recherche sécurisée forcée",
     "number_of_dns_query_to_safe_search": "Le nombre de requêtes DNS faites avec la Recherche securisée",
     "average_processing_time": "Temps moyen de traitement",
-    "processing_time": "Délai de traitement",
+    "average_upstream_response_time": "Temps de réponse moyen en amont",
+    "response_time": "Temps de réponse",
     "average_processing_time_hint": "Temps moyen (en millisecondes) de traitement d'une requête DNS",
     "block_domain_use_filters_and_hosts": "Bloquez les domaines à l'aide des filtres et fichiers hosts",
     "filters_block_toggle_hint": "Vous pouvez configurer les règles de filtrage dans les paramètres des <a>Filtres</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Utiliser une IP personnalisée pour EDNS",
     "edns_use_custom_ip_desc": "Autoriser l'utilisation d'une adresse IP personnalisée pour EDNS",
     "rate_limit_desc": "Le nombre de requêtes par seconde qu’un seul client est autorisé à faire. Le réglage 0 fait illimité.",
+    "rate_limit_subnet_len_ipv4": "Longueur du préfixe de sous-réseau pour les adresses IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Longueur du préfixe de sous-réseau pour les adresses IPv4 utilisé pour la limitation de vitesse. La valeur par défaut est 24",
+    "rate_limit_subnet_len_ipv4_error": "La longueur du préfixe du sous-réseau IPv4 doit être entre 0 et 32",
+    "rate_limit_subnet_len_ipv6": "Longueur du préfixe de sous-réseau pour les adresses IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Longueur du préfixe de sous-réseau pour les adresses IPv6 utilisé pour la limitation de débit. La valeur par défaut est 56",
+    "rate_limit_subnet_len_ipv6_error": "La longueur du préfixe du sous-réseau IPv6 doit être entre 0 et 128",
+    "form_enter_rate_limit_subnet_len": "Saisissez la longueur du préfixe de sous-réseau pour la limitation de débit",
+    "rate_limit_whitelist": "Liste d'autorisation de limitation de débit",
+    "rate_limit_whitelist_desc": "Adresses IP exclues de la limitation du débit",
+    "rate_limit_whitelist_placeholder": "Saisissez une adresse IP par ligne",
     "blocking_ipv4_desc": "Adresse IP à renvoyer pour une demande A bloquée",
     "blocking_ipv6_desc": "Adresse IP à renvoyer pour une demande AAAA bloquée",
     "blocking_mode_default": "Par défaut : Répondre avec adresse IP zéro (0.0.0.0 pour A ; :: pour AAAA) lorsque bloqué par la règle de style Adblock ; répondre avec l’adresse IP spécifiée dans la règle lorsque bloquée par la règle du style /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Mer.",
     "thursday_short": "Jeu.",
     "friday_short": "Ven.",
-    "saturday_short": "Sam."
+    "saturday_short": "Sam.",
+    "upstream_dns_cache_configuration": "Configuration du cache DNS en amont",
+    "enable_upstream_dns_cache": "Activer la mise en cache pour la configuration personnalisée du serveur en amont de ce client",
+    "dns_cache_size": "Taille du cache DNS, en bytes"
 }

client/src/__locales/hr.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Postavke klijenta",
     "example_upstream_reserved": "upstream <0>za određene domene</0>;",
+    "example_multiple_upstreams_reserved": "višestruke upstream poslužitelje <0>za određene domene</0>;",
     "example_upstream_comment": "komentar.",
     "upstream_parallel": "Koristi paralelne upite kako bi ubrzali rješavanje istovremenim ispitavanjem svih upstream poslužitelja.",
     "parallel_requests": "Paralelni zahtjevi",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Omogućeno sigurno pretraživanje",
     "number_of_dns_query_to_safe_search": "Broj DNS zahtjeva prema pretraživačima za koje je omogućeno Sigurno pretraživanje",
     "average_processing_time": "Prosječno vrijeme obrade",
-    "processing_time": "Vrijeme obrade",
+    "average_upstream_response_time": "Prosječno vrijeme odziva upstream poslužitelja",
+    "response_time": "Vrijeme odziva",
     "average_processing_time_hint": "Prosječno vrijeme u milisekundama za obradu DNS zahtjeva",
     "block_domain_use_filters_and_hosts": "Blokiraj domene koristeći filtre ili hosts datoteke",
     "filters_block_toggle_hint": "Pravila blokiranja možete postaviti u postavkama <a>filtara</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Koristi prilagođeni IP za EDNS",
     "edns_use_custom_ip_desc": "Dopusti korištenje prilagođenog IP-a za EDNS",
     "rate_limit_desc": "Broj zahtjeva u sekundi koji su dopušteni po jednom klijentu. Postavljanje na 0 znači neograničeno.",
+    "rate_limit_subnet_len_ipv4": "Duljina prefiksa podmreže za IPv4 adrese",
+    "rate_limit_subnet_len_ipv4_desc": "Duljina prefiksa podmreže za IPv4 adrese koje se koriste za ograničavanje brzine. Zadana vrijednost je 24",
+    "rate_limit_subnet_len_ipv4_error": "Dužina IPv4 prefiksa podmreže trebala bi biti između 0 i 32",
+    "rate_limit_subnet_len_ipv6": "Duljina prefiksa podmreže za IPv6 adrese",
+    "rate_limit_subnet_len_ipv6_desc": "Duljina prefiksa podmreže za IPv6 adrese koje se koriste za ograničavanje brzine. Zadana vrijednost je 56",
+    "rate_limit_subnet_len_ipv6_error": "Dužina IPv6 prefiksa podmreže trebala bi biti između 0 i 128",
+    "form_enter_rate_limit_subnet_len": "Unesite duljinu prefiksa podmreže za ograničenje brzine",
+    "rate_limit_whitelist": "Popis dopuštenih za ograničavanje brzine",
+    "rate_limit_whitelist_desc": "IP adrese isključene iz ograničenja brzine",
+    "rate_limit_whitelist_placeholder": "Unesite jednu adresu poslužitelja po retku",
     "blocking_ipv4_desc": "Povratna IP adresa za blokirane A zahtjeve",
     "blocking_ipv6_desc": "Povratna IP adresa za blokirane AAAA zahtjeve",
     "blocking_mode_default": "Zadano: Odgovori s nultom IP adresom (0.0.0.0 za A; :: za AAAA) kada ga blokira Adblock slično pravilo; odgovorite s IP adresom definiranom u pravilu kada je blokirano od /etc/hosts sličnog pravila",
@@ -722,5 +734,8 @@
     "wednesday_short": "Sri",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sub"
+    "saturday_short": "Sub",
+    "upstream_dns_cache_configuration": "Konfiguracija predmemoriranja upstream DNS poslužitelja",
+    "enable_upstream_dns_cache": "Uključite keširanje za korisničku konfiguraciju upstream servera ovog klijenta",
+    "dns_cache_size": "Veličina DNS predmemorije, u bajtovima"
 }

client/src/__locales/hu.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Kliens beállítások",
     "example_upstream_reserved": "Megadhat egy DNS kiszolgálót <0>egy adott domainhez vagy domainekhez</0>",
+    "example_multiple_upstreams_reserved": "több upstream szerver <0>adott domainekhez</0>;",
     "example_upstream_comment": "egy megjegyzés.",
     "upstream_parallel": "Használjon párhuzamos lekéréseket a domainek feloldásának felgyorsításához az összes upstream kiszolgálóra való egyidejű lekérdezéssel.",
     "parallel_requests": "Párhuzamos lekérések",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Kényszerített biztonságos keresés",
     "number_of_dns_query_to_safe_search": "A biztonságos keresésre kényszerített DNS lekérdezések száma",
     "average_processing_time": "Átlagos feldolgozási idő",
-    "processing_time": "Feldolgozási idő",
+    "average_upstream_response_time": "Átlagos upstream válaszidő",
+    "response_time": "Válaszidő",
     "average_processing_time_hint": "A DNS lekérdezések feldolgozásához szükséges átlagos idő milliszekundumban",
     "block_domain_use_filters_and_hosts": "Domainek blokkolása szűrők és hosztfájlok használatával",
     "filters_block_toggle_hint": "A <a> szűrőbeállításoknál</a> megadhatja a blokkolási szabályokat.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Használjon egyéni IP-címet az EDNS-hez",
     "edns_use_custom_ip_desc": "Engedélyezze az egyéni IP-cím használatát az EDNS-hez",
     "rate_limit_desc": "Maximálisan hány kérést küldhet egy kliens másodpercenkén. Ha 0-ra állítja, akkor nincs korlátozás.",
+    "rate_limit_subnet_len_ipv4": "Az IPv4-címek alhálózati előtagjának hossza",
+    "rate_limit_subnet_len_ipv4_desc": "A sebességkorlátozáshoz használt IPv4-címek alhálózati előtagjának hossza. Az alapértelmezett érték 24",
+    "rate_limit_subnet_len_ipv4_error": "Az IPv4 alhálózati előtag hosszának 0 és 32 között kell lennie",
+    "rate_limit_subnet_len_ipv6": "Az IPv6-címek alhálózati előtagjának hossza",
+    "rate_limit_subnet_len_ipv6_desc": "A sebességkorlátozáshoz használt IPv6-címek alhálózati előtagjának hossza. Az alapértelmezett érték 56",
+    "rate_limit_subnet_len_ipv6_error": "Az IPv6 alhálózati előtag hosszának 0 és 128 között kell lennie",
+    "form_enter_rate_limit_subnet_len": "Adja meg az alhálózati előtag hosszát a sebességkorlátozáshoz",
+    "rate_limit_whitelist": "Sebességkorlátozó engedélyezési lista",
+    "rate_limit_whitelist_desc": "A sebességkorlátozásból kizárt IP-címek",
+    "rate_limit_whitelist_placeholder": "Adjon meg egy IP-címet soronként",
     "blocking_ipv4_desc": "A blokkolt A kéréshez visszaadandó IP-cím",
     "blocking_ipv6_desc": "A blokkolt AAAA kéréshez visszaadandó IP-cím",
     "blocking_mode_default": "Alapértelmezés: Válaszoljon nulla IP-címmel (vagyis 0.0.0.0 az A-hoz, :: pedig az AAAA-hoz), amikor a blokkolás egy adblock-stílusú szabállyal történik; illetve válaszoljon egy, a szabály által meghatározott IP címmel, amikor a blokkolás egy /etc/hosts stílusú szabállyal történik",
@@ -722,5 +734,8 @@
     "wednesday_short": "Szer",
     "thursday_short": "Csüt",
     "friday_short": "Pén",
-    "saturday_short": "Szom"
+    "saturday_short": "Szom",
+    "upstream_dns_cache_configuration": "Upstream DNS gyorsítótár konfigurációja",
+    "enable_upstream_dns_cache": "A DNS gyorsítótárazásának engedélyezése az ügyfél egyéni upstream konfigurációjához",
+    "dns_cache_size": "DNS gyorsítótár mérete, bájtokban"
 }

client/src/__locales/id.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Pengaturan klien",
     "example_upstream_reserved": "upstream <0>untuk domain spesifik</0>;",
+    "example_multiple_upstreams_reserved": "beberapa server upstream <0>untuk domain spesifik</0>;",
     "example_upstream_comment": "komentar.",
     "upstream_parallel": "Gunakan kueri paralel untuk mempercepat resoluasi dengan menanyakan semua server upstream secara bersamaan",
     "parallel_requests": "Permintaan paralel",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Paksa pencarian aman",
     "number_of_dns_query_to_safe_search": "Jumlah perminataan DNS ke mesin pencari yang dipaksa Pencarian Aman",
     "average_processing_time": "Rata-rata waktu pemrosesan",
-    "processing_time": "Waktu pemrosesan",
+    "average_upstream_response_time": "Waktu respons server upstream rata-rata",
+    "response_time": "Waktu respons",
     "average_processing_time_hint": "Rata-rata waktu dalam milidetik untuk pemrosesan sebuah permintaan DNS",
     "block_domain_use_filters_and_hosts": "Blokir domain menggunakan filter dan file hosts",
     "filters_block_toggle_hint": "Anda dapat menyiapkan aturan pemblokiran di pengaturan <a>Penyaringan</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Gunakan IP khusus untuk EDNS",
     "edns_use_custom_ip_desc": "Izinkan untuk menggunakan IP kustom untuk EDNS",
     "rate_limit_desc": "Jumlah permintaan per detik yang diperbolehkan untuk satu klien. Atur ke 0 untuk tidak terbatas.",
+    "rate_limit_subnet_len_ipv4": "Panjang awalan subnet untuk alamat IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Panjang awalan subnet untuk alamat IPv4 yang digunakan untuk pembatasan kecepatan. Standarnya adalah 24",
+    "rate_limit_subnet_len_ipv4_error": "Panjang awalan subnet IPv4 harus antara 0 dan 32",
+    "rate_limit_subnet_len_ipv6": "Panjang awalan subnet untuk alamat IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Panjang awalan subnet untuk alamat IPv6 yang digunakan untuk pembatasan kecepatan. Standarnya adalah 56",
+    "rate_limit_subnet_len_ipv6_error": "Panjang awalan subnet IPv6 harus antara 0 dan 128",
+    "form_enter_rate_limit_subnet_len": "Masukkan panjang awalan subnet untuk pembatasan kecepatan",
+    "rate_limit_whitelist": "Daftar pembatasan tarif yang diizinkan",
+    "rate_limit_whitelist_desc": "Alamat IP dikecualikan dari pembatasan tarif",
+    "rate_limit_whitelist_placeholder": "Masukkan satu alamat IP per baris",
     "blocking_ipv4_desc": "Alamat IP akan dikembalikan untuk permintaan A yang diblokir",
     "blocking_ipv6_desc": "Alamat IP akan dipulihkan untuk permintaan AAAA yang diblokir",
     "blocking_mode_default": "Default: Tanggapi dengan alamat IP nol (0.0.0.0 untuk A; :: untuk AAAA) saat diblokir oleh aturan gaya Adblock; tanggapi dengan alamat IP yang ditentukan dalam aturan ketika diblokir oleh aturan gaya host /etc/",
@@ -722,5 +734,8 @@
     "wednesday_short": "Rab",
     "thursday_short": "Kam",
     "friday_short": "Jum",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Konfigurasi cache DNS upstream",
+    "enable_upstream_dns_cache": "Aktifkan cache DNS untuk konfigurasi upstream kustom klien ini",
+    "dns_cache_size": "Ukuran cache DNS, dalam byte"
 }

client/src/__locales/it.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Impostazioni client",
     "example_upstream_reserved": "un upstream <0>per specifici domini</0>;",
+    "example_multiple_upstreams_reserved": "upstream multipli <0>per domini specifici</0>;",
     "example_upstream_comment": "un commento.",
     "upstream_parallel": "Utilizza richieste parallele per accelerare la risoluzione interrogando simultaneamente tutti i server upstream.",
     "parallel_requests": "Richieste parallele",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Ricerca sicura forzata",
     "number_of_dns_query_to_safe_search": "Numero di richieste DNS dai motori di ricerca per i quali la Ricerca Sicura è stata forzata",
     "average_processing_time": "Tempo di elaborazione medio",
-    "processing_time": "Tempo di elaborazione",
+    "average_upstream_response_time": "Tempo medio di risposta upstream",
+    "response_time": "Tempo di risposta",
     "average_processing_time_hint": "Tempo medio in millisecondi per elaborare una richiesta DNS",
     "block_domain_use_filters_and_hosts": "Blocca domini utilizzando filtri e file hosts",
     "filters_block_toggle_hint": "Puoi impostare le regole di blocco nelle impostazioni dei <a>Filtri</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Usa IP personalizzato per EDNS",
     "edns_use_custom_ip_desc": "Consentire l'uso di un IP personalizzato per EDNS",
     "rate_limit_desc": "Il numero di richieste al secondo consentite da un singolo client. Impostare questo valore a 0 rimuove le limitazioni.",
+    "rate_limit_subnet_len_ipv4": "Lunghezza prefisso di sottorete per indirizzi IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Lunghezza prefisso sottorete per indirizzi IPv4 usati per la limitazione della velocità. Valore predefinito 24",
+    "rate_limit_subnet_len_ipv4_error": "La lunghezza del prefisso di sottorete IPv4 deve essere compresa tra 0 e 32",
+    "rate_limit_subnet_len_ipv6": "Lunghezza prefisso di sottorete per indirizzi IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Lunghezza prefisso di sottorete per indirizzi IPv6 usati per la limitazione della velocità. Valore predefinito 56",
+    "rate_limit_subnet_len_ipv6_error": "La lunghezza del prefisso di sottorete IPv6 deve essere compresa tra 0 e 128",
+    "form_enter_rate_limit_subnet_len": "Inserisci lunghezza prefisso di sottorete per limitazione velocità",
+    "rate_limit_whitelist": "Lista consentita per limitazione velocità",
+    "rate_limit_whitelist_desc": "Indirizzi IP esclusi dalla limitazione della velocità",
+    "rate_limit_whitelist_placeholder": "Inserisci un indirizzo IP per riga",
     "blocking_ipv4_desc": "Indirizzo IP per una richiesta DNS IPv4 bloccata",
     "blocking_ipv6_desc": "Indirizzo IP restituito per una richiesta DNS IPv6 bloccata",
     "blocking_mode_default": "Risponde con un indirizzo IP pari a zero (0.0.0.0 per A; :: per AAAA) quando bloccato da una regola in stile Blocca-annunci; risponde con l'indirizzo IP specificato nella regola quando bloccato da una regola in stile /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Mer",
     "thursday_short": "Gio",
     "friday_short": "Ven",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Configurazione cache DNS upstream",
+    "enable_upstream_dns_cache": "Abilita cache DNS per la configurazione upstream personalizzata del client",
+    "dns_cache_size": "Dimensioni cache DNS (in byte)"
 }

client/src/__locales/ja.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "クライアント設定",
     "example_upstream_reserved": "<0>特定のドメイン</0>に対してDNSアップストリームを指定できます。",
+    "example_multiple_upstreams_reserved": "<0>特定ドメイン</0>のための複数のアップストリームサーバー;",
     "example_upstream_comment": "コメントを追加できます。",
     "upstream_parallel": "並列リクエストを使用する（同時にすべてのアップストリームサーバーに処理要求することで解決スピードが向上）",
     "parallel_requests": "並列リクエスト",
@@ -143,7 +144,8 @@
     "enforced_save_search": "強制されたセーフサーチ",
     "number_of_dns_query_to_safe_search": "セーフサーチが強制適用された検索エンジンへのDNSリクエストの数",
     "average_processing_time": "平均処理時間",
-    "processing_time": "処理時間",
+    "average_upstream_response_time": "アップストリームの平均応答時間",
+    "response_time": "応答時間",
     "average_processing_time_hint": "DNSリクエストの処理にかかる平均時間（ミリ秒単位）",
     "block_domain_use_filters_and_hosts": "フィルタとhostsファイルを使用してドメインをブロックする",
     "filters_block_toggle_hint": "<a>フィルタ</a>の設定でブロックするルールを設定することができます。",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "EDNSにカスタムIPを使用する",
     "edns_use_custom_ip_desc": "EDNS に対してカスタム IP の使用を許可します。",
     "rate_limit_desc": "一つのクライアントに対して許可される1秒あたりのリクエスト数（「0」に設定すると、制限なしになります）",
+    "rate_limit_subnet_len_ipv4": "IPv4 アドレスのサブネットプレフィックス長",
+    "rate_limit_subnet_len_ipv4_desc": "rate limiting（レート制限）に使用される IPv4 アドレスのサブネットプレフィックス長です。デフォルト値は 24 です。",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 サブネットプレフィックス長は0〜32の範囲内である必要があります。",
+    "rate_limit_subnet_len_ipv6": "IPv6 アドレスのサブネットプレフィックス長",
+    "rate_limit_subnet_len_ipv6_desc": "rate limiting（レート制限）に使用される IPv6 アドレスのサブネットプレフィックス長です。デフォルト値は 56 です。",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 サブネットのプレフィックス長は0〜128の範囲内である必要があります。",
+    "form_enter_rate_limit_subnet_len": "rate limiting（レート制限）のためのサブネットプレフィックス長を入力してください",
+    "rate_limit_whitelist": "rate limiting（レート制限）の許可リスト",
+    "rate_limit_whitelist_desc": "rate limiting（レート制限）の対象から外すIPアドレスを指定できます。",
+    "rate_limit_whitelist_placeholder": "IPアドレスを1行に1つずづ入力してください。",
     "blocking_ipv4_desc": "ブロックされたAリクエストに対して応答されるIPアドレス",
     "blocking_ipv6_desc": "ブロックされたAAAAリクエストに対して応答されるIPアドレス",
     "blocking_mode_default": "デフォルト：Adblock系ルールによってブロックされると、ゼロIPアドレス（Aに対しては「0.0.0.0」、AAAAに対しては「::」）で応答します。/etc/hosts系ルールによってブロックされると、ルールにて指定されているIPアドレスで応答します。",
@@ -722,5 +734,8 @@
     "wednesday_short": "水",
     "thursday_short": "木",
     "friday_short": "金",
-    "saturday_short": "土"
+    "saturday_short": "土",
+    "upstream_dns_cache_configuration": "Upstream DNS cache configuration（アップストリームDNSキャッシュの構成）",
+    "enable_upstream_dns_cache": "このクライアントのカスタムアップストリーム構成に対してDNSキャッシュを有効にする",
+    "dns_cache_size": "DNSキャッシュサイズ（バイト単位）"
 }

client/src/__locales/ko.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "클라이언트 설정",
     "example_upstream_reserved": "<0>특정 도메인에 대한</0> 업스트림;",
+    "example_multiple_upstreams_reserved": "<0>특정 도메인</0>에 대한 여러 업스트림",
     "example_upstream_comment": "댓글.",
     "upstream_parallel": "쿼리 처리 속도를 높이려면 모든 업스트림 서버에서 동시에 병렬 쿼리를 사용해주세요.",
     "parallel_requests": "병렬 처리 요청",
@@ -143,7 +144,8 @@
     "enforced_save_search": "세이프서치 강제",
     "number_of_dns_query_to_safe_search": "세이프서치가 적용된 검색 엔진에 대해 DNS 요청 수",
     "average_processing_time": "평균처리 시간",
-    "processing_time": "처리 시간",
+    "average_upstream_response_time": "평균 업스트림 응답 시간",
+    "response_time": "응답 시간",
     "average_processing_time_hint": "DNS 요청 처리시 평균 시간(밀리초)",
     "block_domain_use_filters_and_hosts": "필터 및 호스트 파일을 사용하여 도메인 차단",
     "filters_block_toggle_hint": "차단규칙<a>필터</a>을 설정할 수 있습니다.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "EDNS에 사용자 지정 IP 사용",
     "edns_use_custom_ip_desc": "EDNS에 사용자 지정 IP 사용하도록 허용합니다.",
     "rate_limit_desc": "단일 클라이언트에서 허용 가능한 초 당 요청 생성 숫자 (0: 무제한)",
+    "rate_limit_subnet_len_ipv4": "IPv4 주소의 서브넷 접두사 길이",
+    "rate_limit_subnet_len_ipv4_desc": "속도 제한에 사용되는 IPv4 주소의 서브넷 접두사 길이입니다. 기본값은 24입니다.",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 서브넷 접두사 길이는 0에서 32 사이여야 합니다.",
+    "rate_limit_subnet_len_ipv6": "IPv6 주소의 서브넷 접두사 길이",
+    "rate_limit_subnet_len_ipv6_desc": "속도 제한에 사용되는 IPv6 주소의 서브넷 접두사 길이입니다. 기본값은 56입니다.",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 서브넷 접두사 길이는 0에서 128 사이여야 합니다.",
+    "form_enter_rate_limit_subnet_len": "속도 제한을 위한 서브넷 접두사 길이를 입력하세요",
+    "rate_limit_whitelist": "속도 제한 허용 목록",
+    "rate_limit_whitelist_desc": "속도 제한에서 제외되는 IP 주소",
+    "rate_limit_whitelist_placeholder": "한 줄에 하나씩 IP 주소를 입력하세요.",
     "blocking_ipv4_desc": "차단된 A 요청에 대해서 반환할 IP 주소",
     "blocking_ipv6_desc": "차단된 AAAA 요청에 대해서 반환할 IP 주소",
     "blocking_mode_default": "기본: Adblock 스타일 규칙에 의해 차단되면 제로 IP 주소(A는 0.0.0.0; AAAA는 ::)로 응답합니다; /etc/hosts 스타일 규칙에 의해 차단되면 규칙에 정의된 IP 주소로 응답합니다",
@@ -722,5 +734,8 @@
     "wednesday_short": "수",
     "thursday_short": "목",
     "friday_short": "금",
-    "saturday_short": "토"
+    "saturday_short": "토",
+    "upstream_dns_cache_configuration": "업스트림 DNS 캐시 설정",
+    "enable_upstream_dns_cache": "이 클라이언트의 사용자 지정 업스트림 설정에서 DNS 캐싱 사용",
+    "dns_cache_size": "DNS 캐시 크기(바이트)"
 }

client/src/__locales/nl.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Cliëntinstellingen",
     "example_upstream_reserved": "een upstream <0>voor specifieke domeinen</0>;",
+    "example_multiple_upstreams_reserved": "meerdere upstreams <0>voor specifieke domeinen</0>;",
     "example_upstream_comment": "een commentaar.",
     "upstream_parallel": "Parallelle verzoeken gebruiken om te versnellen door gelijktijdig verzoeken te sturen naar alle upstream servers.",
     "parallel_requests": "Parallelle verzoeken",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Geforceerd veilig zoeken",
     "number_of_dns_query_to_safe_search": "Aantal DNS aanvragen in zoekmachines dmv geforceerd veilig zoeken",
     "average_processing_time": "Gemiddelde procestijd",
-    "processing_time": "Verwerkingstijd",
+    "average_upstream_response_time": "Gemiddelde upstream responstijd",
+    "response_time": "Responsetijd",
     "average_processing_time_hint": "Gemiddelde verwerkingstijd in milliseconden van een DNS aanvraag",
     "block_domain_use_filters_and_hosts": "Domeinen blokkeren d.m.v. filters en host-bestanden",
     "filters_block_toggle_hint": "Je kan blokkeringsregels toevoegen in de <a>Filters</a> instellingen.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Aangepast IP-adres gebruiken voor EDNS",
     "edns_use_custom_ip_desc": "Toestaan om aangepast IP-adres voor EDNS te gebruiken",
     "rate_limit_desc": "Het aantal verzoeken per seconde toegelaten per toestel. 0 betekent onbeperkt.",
+    "rate_limit_subnet_len_ipv4": "Lengte subnetvoorvoegsel voor IPv4-adressen",
+    "rate_limit_subnet_len_ipv4_desc": "Lengte subnetvoorvoegsel voor IPv4-adressen die worden gebruikt voor snelheidsbeperking. De standaardwaarde is 24",
+    "rate_limit_subnet_len_ipv4_error": "De lengte van het IPv4-subnetvoorvoegsel moet tussen 0 en 32 liggen",
+    "rate_limit_subnet_len_ipv6": "Lengte subnetvoorvoegsel voor IPv6-adressen",
+    "rate_limit_subnet_len_ipv6_desc": "Lengte subnetvoorvoegsel voor IPv6-adressen die worden gebruikt voor snelheidsbeperking. De standaardwaarde is 56",
+    "rate_limit_subnet_len_ipv6_error": "De lengte van het IPv6-subnetvoorvoegsel moet tussen 0 en 128 liggen",
+    "form_enter_rate_limit_subnet_len": "Voer de lengte van het subnetvoorvoegsel in voor snelheidsbeperking",
+    "rate_limit_whitelist": "Toelatingslijst voor snelheidsbeperking",
+    "rate_limit_whitelist_desc": "IP-adressen uitgesloten van snelheidsbeperking",
+    "rate_limit_whitelist_placeholder": "Voer één IP-adres per regel in",
     "blocking_ipv4_desc": "IP-adres dat moet worden teruggegeven voor een geblokkeerd A-verzoek",
     "blocking_ipv6_desc": "IP-adres dat moet worden teruggegeven voor een geblokkeerd A-verzoek",
     "blocking_mode_default": "Standaard: Reageer met een nul IP adres (0.0.0.0 for A; :: voor AAAA) wanneer geblokkeerd door een Adblock-type regel; reageer met het IP-adres dat is opgegeven in de regel wanneer geblokkeerd door een /etc/hosts type regel",
@@ -722,5 +734,8 @@
     "wednesday_short": "wo",
     "thursday_short": "do",
     "friday_short": "vr",
-    "saturday_short": "za"
+    "saturday_short": "za",
+    "upstream_dns_cache_configuration": "Upstream DNS-cacheconfiguratie",
+    "enable_upstream_dns_cache": "DNS-caching inschakelen voor de aangepaste upstream-configuratie van deze client",
+    "dns_cache_size": "DNS-cachegrootte, in bytes"
 }

client/src/__locales/no.json

@@ -128,7 +128,6 @@
     "enforced_save_search": "Påtvungede barnevennlige søk",
     "number_of_dns_query_to_safe_search": "Antall DNS-forespørsler til søkemotorer der \"Safe Search\" ble fremtvunget",
     "average_processing_time": "Gjennomsnittlig behandlingstid",
-    "processing_time": "Behandlingstid",
     "average_processing_time_hint": "Gjennomsnittstid for behandling av DNS-forespørsler i millisekunder",
     "block_domain_use_filters_and_hosts": "Blokker domener ved hjelp av filtre, «hosts»-filer, og rå domener",
     "filters_block_toggle_hint": "Du kan sette opp blokkeringsoppføringer i <a>Filtre</a>-innstillingene.",

client/src/__locales/pl.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Ustawienia klienta",
     "example_upstream_reserved": "upstream <0>dla określonych domen</0>;",
+    "example_multiple_upstreams_reserved": "wiele serwerów nadrzędnych <0>dla konkretnej domeny</0>;",
     "example_upstream_comment": "komentarz.",
     "upstream_parallel": "Użyj zapytań równoległych, aby przyspieszyć rozwiązywanie przez jednoczesne wysyłanie zapytań do wszystkich serwerów nadrzędnych.",
     "parallel_requests": "Równoległe żądania",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Wymuszone bezpieczne wyszukiwanie",
     "number_of_dns_query_to_safe_search": "Liczba żądań DNS kierowanych do wyszukiwarek, dla których wymuszono Bezpieczne wyszukiwanie",
     "average_processing_time": "Średni czas przetwarzania",
-    "processing_time": "Czas przetwarzania",
+    "average_upstream_response_time": "Średni czas odpowiedzi serwera nadrzędnego",
+    "response_time": "Czas odpowiedzi",
     "average_processing_time_hint": "Średni czas przetwarzania żądania DNS liczony w milisekundach",
     "block_domain_use_filters_and_hosts": "Zablokuj domeny za pomocą filtrów i plików host",
     "filters_block_toggle_hint": "Możesz skonfigurować reguły blokowania w ustawieniach <a>Filtry</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Użyj niestandardowego adresu IP dla EDNS",
     "edns_use_custom_ip_desc": "Zezwól na użycie niestandardowego adresu IP dla EDNS",
     "rate_limit_desc": "Liczba żądań na sekundę dozwolona na klienta. Ustawienie wartości 0 oznacza brak ograniczeń.",
+    "rate_limit_subnet_len_ipv4": "Długość maski podsieci dla adresów IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Długość maski podsieci dla adresów IPv4 używanych do ograniczania prędkości. Domyślnie jest to 24",
+    "rate_limit_subnet_len_ipv4_error": "Długość maski podsieci IPv4 powinna wynosić od 0 do 32",
+    "rate_limit_subnet_len_ipv6": "Długość prefiksu podsieci dla adresów IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Długość prefiksu podsieci dla adresów IPv6 używanych do ograniczania szybkości. Domyślnie jest to 56",
+    "rate_limit_subnet_len_ipv6_error": "Długość prefiksu podsieci IPv6 powinna wynosić od 0 do 128",
+    "form_enter_rate_limit_subnet_len": "Wprowadź długość prefiksu podsieci dla ograniczenia prędkości",
+    "rate_limit_whitelist": "Lista zezwoleń ograniczających prędkość",
+    "rate_limit_whitelist_desc": "Adresy IP wykluczone z ograniczania prędkości",
+    "rate_limit_whitelist_placeholder": "Wprowadź po jednym adresie IP w każdym wierszu",
     "blocking_ipv4_desc": "Adres IP, który ma zostać zwrócony w przypadku zablokowanego żądania A",
     "blocking_ipv6_desc": "Adres IP, który ma zostać zwrócony w przypadku zablokowanego żądania AAAA",
     "blocking_mode_default": "Domyślna: Odpowiedz z zerowym adresem IP (0.0.0.0 dla A; :: dla AAAA) po zablokowaniu przez regułę Adblock; odpowiedź adresem IP wpisanym w regule, jeśli jest blokowany przez regułę w stylu /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Śro",
     "thursday_short": "Czw",
     "friday_short": "Pt",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Konfiguracja pamięci podręcznej upstream serwerów DNS",
+    "enable_upstream_dns_cache": "Włącz pamięć podręczną dla niestandardowej konfiguracji serwera upstream tego klienta",
+    "dns_cache_size": "Rozmiar pamięci podręcznej DNS, w bajtach"
 }

client/src/__locales/pt-br.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Configurações do cliente",
     "example_upstream_reserved": "um DNS primário <0>para o domínios especificos</0>;",
+    "example_multiple_upstreams_reserved": "múltiplos upstreams <0>para domínios específicos</0>;",
     "example_upstream_comment": "um comentário.",
     "upstream_parallel": "Usar consultas paralelas para acelerar a resolução consultando simultaneamente todos os servidores DNS primário",
     "parallel_requests": "Solicitações paralelas",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Forçar pesquisa segura",
     "number_of_dns_query_to_safe_search": "O número de solicitações de DNS para mecanismos de pesquisa para os quais a pesquisa segura foi aplicada",
     "average_processing_time": "Tempo médio de processamento",
-    "processing_time": "Tempo de processamento",
+    "average_upstream_response_time": "Tempo médio de resposta upstream",
+    "response_time": "Tempo de resposta",
     "average_processing_time_hint": "Tempo médio em milissegundos no processamento de uma solicitação DNS",
     "block_domain_use_filters_and_hosts": "Bloquear domínios usando arquivos de filtros e hosts",
     "filters_block_toggle_hint": "Você pode configurar as regras de bloqueio nas configurações de <a>Filtros</a>.",
@@ -301,13 +303,23 @@
     "download_mobileconfig_dot": "BAixar .mobileconfig para DNS-sobre-TLS",
     "download_mobileconfig": "Baixar arquivo de configuração",
     "plain_dns": "DNS simples",
-    "form_enter_rate_limit": "Insira a taxa limite",
-    "rate_limit": "Taxa limite",
+    "form_enter_rate_limit": "Insira a velocidade limite",
+    "rate_limit": "Velocidade limite",
     "edns_enable": "Ativar a sub-rede do cliente EDNS",
     "edns_cs_desc": "Adicione a opção de sub-rede de cliente EDNS (ECS) às solicitações de servidor DNS primário e registre os valores enviados pelos clientes no registro de consulta.",
     "edns_use_custom_ip": "Usar IP personalizado para EDNS",
     "edns_use_custom_ip_desc": "Permitir o uso de IP personalizado para EDNS",
     "rate_limit_desc": "O número de solicitações por segundo permitidas por cliente. Definir como 0 significa que não há limite.",
+    "rate_limit_subnet_len_ipv4": "Comprimento do prefixo de sub-rede para endereços IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Comprimento do prefixo de sub-rede para endereços IPv4 usados para limitação de velocidade. O padrão é 24",
+    "rate_limit_subnet_len_ipv4_error": "O comprimento do prefixo da sub-rede IPv4 deve estar entre 0 e 32",
+    "rate_limit_subnet_len_ipv6": "Comprimento do prefixo de sub-rede para endereços IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Comprimento do prefixo de sub-rede para endereços IPv6 usados para limitação de velocidade. O padrão é 56",
+    "rate_limit_subnet_len_ipv6_error": "O comprimento do prefixo da sub-rede IPv6 deve estar entre 0 e 128",
+    "form_enter_rate_limit_subnet_len": "Insira o comprimento do prefixo da sub-rede para limitação de taxa",
+    "rate_limit_whitelist": "Lista de permissões de limitação de velocidade",
+    "rate_limit_whitelist_desc": "Endereços IP excluídos da limitação de velocidade",
+    "rate_limit_whitelist_placeholder": "Insira um endereço IP por linha",
     "blocking_ipv4_desc": "Endereço de IP a ser retornado para uma solicitação bloqueada",
     "blocking_ipv6_desc": "Endereço de IP a ser retornado para uma solicitação AAAA bloqueada",
     "blocking_mode_default": "Padrão: Responder com zero endereço IP (0.0.0.0 para A; :: para AAAA) quando bloqueado pela regra de estilo Adblock; responde com o endereço IP especificado na regra quando bloqueado pela regra /etc/hosts-style",
@@ -722,5 +734,8 @@
     "wednesday_short": "Quar",
     "thursday_short": "Qui",
     "friday_short": "Sex",
-    "saturday_short": "Sab"
+    "saturday_short": "Sab",
+    "upstream_dns_cache_configuration": "Configuração do cache de DNS upstream",
+    "enable_upstream_dns_cache": "Ativar o armazenamento em cache do DNS para a configuração de upstream personalizada deste cliente",
+    "dns_cache_size": "Tamanho do cache do DNS, em bytes"
 }

client/src/__locales/pt-pt.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Definições do cliente",
     "example_upstream_reserved": "Podes especificar o DNS primário <0>para domínio(s) especifico(s)</0>",
+    "example_multiple_upstreams_reserved": "múltiplos upstreams <0>para domínios específicos</0>;",
     "example_upstream_comment": "um comentário.",
     "upstream_parallel": "Usar consultas paralelas para acelerar a resolução consultando simultaneamente todos os servidores DNS",
     "parallel_requests": "Solicitações paralelas",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Forçar pesquisa segura",
     "number_of_dns_query_to_safe_search": "O número de solicitações de DNS para motores de busca para os quais a pesquisa segura foi aplicada",
     "average_processing_time": "Tempo médio de processamento",
-    "processing_time": "Tempo de processamento",
+    "average_upstream_response_time": "Tempo médio de resposta upstream",
+    "response_time": "Tempo de resposta",
     "average_processing_time_hint": "Tempo médio em milissegundos no processamento de uma solicitação DNS",
     "block_domain_use_filters_and_hosts": "Bloquear domínios usando ficheiros de filtros e hosts",
     "filters_block_toggle_hint": "Pode configurar as regras de bloqueio nas configurações de <a>Filtros</a>.",
@@ -301,13 +303,23 @@
     "download_mobileconfig_dot": "Transferir .mobileconfig para DNS-sobre-TLS",
     "download_mobileconfig": "Transferir ficheiro de configuração",
     "plain_dns": "DNS simples",
-    "form_enter_rate_limit": "Insira o limite de taxa",
-    "rate_limit": "Limite de taxa",
+    "form_enter_rate_limit": "Insira o limite de velocidade",
+    "rate_limit": "Limite de velocidade",
     "edns_enable": "Ativar a sub-rede do cliente EDNS",
     "edns_cs_desc": "Adicione a opção de sub-rede de cliente EDNS (ECS) às solicitações de servidor DNS primário e registre os valores enviados pelos clientes no registo de consulta.",
     "edns_use_custom_ip": "Usar IP personalizado para EDNS",
     "edns_use_custom_ip_desc": "Permitir a utilização de IP personalizado para EDNS",
     "rate_limit_desc": "O número de solicitações por segundo permitido por cliente. Configurando para 0 significa sem limite.",
+    "rate_limit_subnet_len_ipv4": "Comprimento do prefixo de sub-rede para endereços IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Comprimento do prefixo de sub-rede para endereços IPv4 usados para limitação de velocidade. O padrão é 24",
+    "rate_limit_subnet_len_ipv4_error": "O comprimento do prefixo da sub-rede IPv4 deve estar entre 0 e 32",
+    "rate_limit_subnet_len_ipv6": "Comprimento do prefixo de sub-rede para endereços IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Comprimento do prefixo de sub-rede para endereços IPv6 usados para limitação de velocidade. O padrão é 56",
+    "rate_limit_subnet_len_ipv6_error": "O comprimento do prefixo da sub-rede IPv6 deve situar-se entre 0 e 128",
+    "form_enter_rate_limit_subnet_len": "Introduza o comprimento do prefixo da sub-rede para limitação da velocidade",
+    "rate_limit_whitelist": "Lista de permissões de limitação de velocidade",
+    "rate_limit_whitelist_desc": "Endereços IP excluídos da limitação de velocidade",
+    "rate_limit_whitelist_placeholder": "Insira um endereço IP por linha",
     "blocking_ipv4_desc": "Endereço IP a ser devolvido para uma solicitação A bloqueada",
     "blocking_ipv6_desc": "Endereço IP a ser devolvido para uma solicitação AAAA bloqueada",
     "blocking_mode_default": "Predefinido: Responder com zero endereço IP (0.0.0.0 para A; :: para AAAA) quando bloqueado pela regra de estilo Adblock; responde com o endereço IP especificado na regra quando bloqueado pela regra /etc/hosts-style",
@@ -722,5 +734,8 @@
     "wednesday_short": "Quarta",
     "thursday_short": "Quinta",
     "friday_short": "Sexta",
-    "saturday_short": "Sábado"
+    "saturday_short": "Sábado",
+    "upstream_dns_cache_configuration": "Configuração da cache do DNS upstream",
+    "enable_upstream_dns_cache": "Ativar o armazenamento em cache do DNS para a configuração de upstream personalizada deste cliente",
+    "dns_cache_size": "Tamanho da cache DNS, em bytes"
 }

client/src/__locales/ro.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Setări client",
     "example_upstream_reserved": "un flux în amonte <0>pentru domenii specifice</0>;",
+    "example_multiple_upstreams_reserved": "mai mulți servere în amonte <0>pentru domenii specifice</0>;",
     "example_upstream_comment": "un comentariu.",
     "upstream_parallel": "Folosiți interogări paralele pentru a accelera rezolvarea, interogând simultan toate serverele în amonte.",
     "parallel_requests": "Solicitări paralele",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Căutare protejată întărită",
     "number_of_dns_query_to_safe_search": "Numărul de interogări DNS pe motoarele de căutare pentru care a fost impusă Căutarea Sigură",
     "average_processing_time": "Timpul mediu de procesare",
-    "processing_time": "Timp de procesare",
+    "average_upstream_response_time": "Timpul mediu de răspuns al serverului în amonte",
+    "response_time": "Timp de răspuns",
     "average_processing_time_hint": "Timp mediu în milisecunde la procesarea unei cereri DNS",
     "block_domain_use_filters_and_hosts": "Blocați domenii folosind filtre și fișiere hosts",
     "filters_block_toggle_hint": "Puteți configura regulile de blocare în setările <a>Filtre</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Utilizați IP personalizat pentru EDNS",
     "edns_use_custom_ip_desc": "Permiteți utilizarea IP-ului personalizat pentru EDNS",
     "rate_limit_desc": "Numărul de interogări pe secundă permise pe client. Setarea la 0 înseamnă că nu există limită.",
+    "rate_limit_subnet_len_ipv4": "Lungimea prefixului de subrețea pentru adrese IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Lungimea prefixului de subrețea pentru adresele IPv4 utilizate pentru limitarea ratei. Valoarea implicită este 24",
+    "rate_limit_subnet_len_ipv4_error": "Lungimea prefixului de subrețea IPv4 ar trebui să fie între 0 și 32",
+    "rate_limit_subnet_len_ipv6": "Lungimea prefixului de subrețea pentru adrese IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Lungimea prefixului de subrețea pentru adresele IPv6 utilizate pentru limitarea ratei. Valoarea implicită este 56",
+    "rate_limit_subnet_len_ipv6_error": "Lungimea prefixului de subrețea IPv6 ar trebui să fie între 0 și 128",
+    "form_enter_rate_limit_subnet_len": "Introduceți lungimea prefixului de subrețea pentru limitarea ratei",
+    "rate_limit_whitelist": "Lista permisă pentru limitarea ratei",
+    "rate_limit_whitelist_desc": "Adresele IP excluse de la limitarea ratei",
+    "rate_limit_whitelist_placeholder": "Introduceți o adresă IP per linie",
     "blocking_ipv4_desc": "Adresa IP de returnat pentru o cerere A de blocare",
     "blocking_ipv6_desc": "Adresa IP de returnat pentru o cerere AAAA de blocare",
     "blocking_mode_default": "Implicit: Răspunde cu adresa IP (0.0.0.0 for A; :: pentru AAAA) când sunt blocate de regulă tip Adblock; răspunde cu adresa IP specificată în regulă când sunt blocate de regula tip /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "mi",
     "thursday_short": "jo",
     "friday_short": "vi",
-    "saturday_short": "sa"
+    "saturday_short": "sa",
+    "upstream_dns_cache_configuration": "Configurarea cache-ului DNS în amonte",
+    "enable_upstream_dns_cache": "Activați memoria cache DNS pentru configurația personalizată în amonte a acestui client",
+    "dns_cache_size": "Dimensiunea cache-ului DNS, în octeți"
 }

client/src/__locales/ru.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Настройки клиентов",
     "example_upstream_reserved": "DNS-сервер <0>для конкретных доменов</0>;",
+    "example_multiple_upstreams_reserved": "несколько DNS-серверов <0>для конкретных доменов</0>;",
     "example_upstream_comment": "комментарий.",
     "upstream_parallel": "Использовать параллельные запросы ко всем серверам одновременно для ускорения обработки запроса.",
     "parallel_requests": "Параллельные запросы",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Применён безопасный поиск",
     "number_of_dns_query_to_safe_search": "Количество запросов DNS для поисковых систем, для которых был применён Безопасный поиск",
     "average_processing_time": "Среднее время обработки запроса",
-    "processing_time": "Время обработки",
+    "average_upstream_response_time": "Среднее время ответа upstream-сервера",
+    "response_time": "Время ответа",
     "average_processing_time_hint": "Среднее время для обработки запроса DNS  в миллисекундах",
     "block_domain_use_filters_and_hosts": "Блокировать домены с использованием фильтров и файлов hosts",
     "filters_block_toggle_hint": "Вы можете настроить правила блокировки в <a>«Фильтрах»</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Использовать указанный IP для EDNS",
     "edns_use_custom_ip_desc": "Разрешить использовать собственный IP для EDNS",
     "rate_limit_desc": "Ограничение на количество запросов в секунду для каждого клиента (0 — неограниченно).",
+    "rate_limit_subnet_len_ipv4": "Длина префикса подсети для IPv4-адресов",
+    "rate_limit_subnet_len_ipv4_desc": "Длина префикса подсети для IPv4-адресов, используемых для ограничения скорости. По умолчанию 24",
+    "rate_limit_subnet_len_ipv4_error": "Длина префикса IPv4-подсетей должна составлять от 0 до 32",
+    "rate_limit_subnet_len_ipv6": "Длина префикса подсети для IPv6-адресов",
+    "rate_limit_subnet_len_ipv6_desc": "Длина префикса подсети для IPv6-адресов, используемых для ограничения скорости. По умолчанию 56",
+    "rate_limit_subnet_len_ipv6_error": "Длина префикса IPv6-подсетей должна составлять от 0 до 128",
+    "form_enter_rate_limit_subnet_len": "Введите длину префикса подсети для ограничения скорости",
+    "rate_limit_whitelist": "Белый список ограничения скорости",
+    "rate_limit_whitelist_desc": "IP-адреса, на которые не распространяется ограничение скорости",
+    "rate_limit_whitelist_placeholder": "Введите по одному адресу на строчку",
     "blocking_ipv4_desc": "IP-адрес, возвращаемый при блокировке A-запроса",
     "blocking_ipv6_desc": "IP-адрес, возвращаемый при блокировке AAAA-запроса",
     "blocking_mode_default": "Стандартный: Отвечает с нулевым IP-адресом, (0.0.0.0 для A; :: для AAAA) когда заблокировано правилом в стиле Adblock; отвечает с IP-адресом, указанным в правиле, когда заблокировано правилом в стиле файлов hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Ср",
     "thursday_short": "Чт",
     "friday_short": "Пт",
-    "saturday_short": "Сб"
+    "saturday_short": "Сб",
+    "upstream_dns_cache_configuration": "Конфигурация кеша upstream DNS-серверов",
+    "enable_upstream_dns_cache": "Включить кеширование для пользовательской конфигурации upstream-серверов этого клиента",
+    "dns_cache_size": "Размер DNS-кеша в байтах"
 }

client/src/__locales/si-lk.json

@@ -122,7 +122,6 @@
     "enforced_save_search": "ආරක්‍ෂිත සෙවීම බලාත්මක කළ",
     "number_of_dns_query_to_safe_search": "ආරක්‍ෂිත සෙවීම බලාත්මක කළ සෙවුම් යන්ත්‍ර සඳහා ව.නා.ප. ඉල්ලීම් ගණන",
     "average_processing_time": "සාමාන්‍ය සැකසුම් කාලය",
-    "processing_time": "සැකසුම් කාලය",
     "average_processing_time_hint": "ව.නා.ප. ඉල්ලීමක් සැකසීමේ සාමාන්‍ය කාලය මිලි තත්පර වලින්",
     "block_domain_use_filters_and_hosts": "පෙරහන් හා සත්කාරක ගොනු භාවිතයෙන් වසම් අවහිර කරන්න",
     "filters_block_toggle_hint": "ඔබට අවහිර කිරීමේ නීති <a>පෙරහන්</a> තුළ පිහිටුවිය හැකිය.",
@@ -647,6 +646,20 @@
     "log_and_stats_section_label": "විමසුම් සටහන හා සංඛ්‍යාලේඛන",
     "ignore_query_log": "විමසුම් සටහනට මෙම අනුග්‍රාහකය යොදන්න එපා",
     "ignore_statistics": "සංඛ්‍යාලේඛනයට මෙම අනුග්‍රාහකය යොදන්න එපා",
+    "schedule_invalid_select": "ආරම්භක වේලාව අවසන් වේලාවට කලින් විය යුතුය",
+    "schedule_select_days": "දවස් තෝරන්න",
+    "schedule_timezone": "වේලා කලාපයක් තෝරන්න",
+    "schedule_current_timezone": "වත්මන් වේලා කලාපය: {{value}}",
+    "schedule_time_all_day": "දවස පුරාම",
+    "schedule_from": "සිට",
+    "schedule_to": "දක්වා",
+    "sunday": "ඉරිදා",
+    "monday": "සඳුදා",
+    "tuesday": "අඟහරුවාදා",
+    "wednesday": "බදාදා",
+    "thursday": "බ්‍රහස්පතින්දා",
+    "friday": "සිකුරාදා",
+    "saturday": "සෙනසුරාදා",
     "sunday_short": "ඉරිදා",
     "monday_short": "සඳුදා",
     "tuesday_short": "අඟහ",

client/src/__locales/sk.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Nastavenie klienta",
     "example_upstream_reserved": "upstream <0>pre konkrétne domény</0>;",
+    "example_multiple_upstreams_reserved": "viaceré upstreamy pre <0>konkrétne domény</0>;",
     "example_upstream_comment": "komentár.",
     "upstream_parallel": "Používať paralelné dopyty na zrýchlenie súčasným dopytovaním všetkých upstream serverov súčasne.",
     "parallel_requests": "Paralelné dopyty",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Vynútené bezpečné vyhľadávanie",
     "number_of_dns_query_to_safe_search": "Počet DNS dopytov na vyhľadávače, pri ktorých bolo vynútené bezpečné vyhľadávanie",
     "average_processing_time": "Priemerný čas spracovania",
-    "processing_time": "Doba spracovania",
+    "average_upstream_response_time": "Priemerný čas odozvy upstreamu",
+    "response_time": "Čas odozvy",
     "average_processing_time_hint": "Priemerný čas spracovania DNS dopytu v milisekundách",
     "block_domain_use_filters_and_hosts": "Blokovať domény pomocou filtrov a zoznamov adries",
     "filters_block_toggle_hint": "Pravidlá blokovania môžete nastaviť v nastaveniach <a>Filtre</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Použiť vlastnú IP adresu pre EDNS",
     "edns_use_custom_ip_desc": "Povoliť používanie vlastnej IP adresy pre EDNS",
     "rate_limit_desc": "Počet požiadaviek za sekundu, ktoré môže jeden klient vykonať. Nastavenie na hodnotu 0 znamená neobmedzene.",
+    "rate_limit_subnet_len_ipv4": "Dĺžka prefixu podsiete pre adresy IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Dĺžka prefixu podsiete pre adresy IPv4 používané na obmedzenie rýchlosti. Predvolená hodnota je 24",
+    "rate_limit_subnet_len_ipv4_error": "Dĺžka prefixu podsiete IPv4 musí byť od 0 do 32",
+    "rate_limit_subnet_len_ipv6": "Dĺžka prefixu podsiete pre adresy IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Dĺžka prefixu podsiete pre adresy IPv6 používané na obmedzenie rýchlosti. Predvolená hodnota je 56",
+    "rate_limit_subnet_len_ipv6_error": "Dĺžka prefixu podsiete IPv6 musí byť od 0 do 128",
+    "form_enter_rate_limit_subnet_len": "Zadajte dĺžku prefixu podsiete pre obmedzenie rýchlosti",
+    "rate_limit_whitelist": "Zoznam povolení obmedzujúcich rýchlosť",
+    "rate_limit_whitelist_desc": "IP adresy vylúčené z obmedzenia rýchlosti",
+    "rate_limit_whitelist_placeholder": "Na každý riadok zadajte IP adresu jedného servera",
     "blocking_ipv4_desc": "IP adresa, ktorá sa má vrátiť v prípade blokovanej žiadosti A",
     "blocking_ipv6_desc": "IP adresa, ktorá sa má vrátiť v prípade blokovanej žiadosti AAAA",
     "blocking_mode_default": "Predvolené: Odpovedať nulovou adresou IP (0,0.0.0 pre A; :: pre AAAA), keď je blokovaná pravidlom v štýle Adblock; odpovedať IP adresou uvedenou v pravidle, keď je blokovaná pravidlom v štýle /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Str",
     "thursday_short": "Štr",
     "friday_short": "Pia",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Konfigurácia cache pamäte DNS pre upstream",
+    "enable_upstream_dns_cache": "Zapnúť ukladanie DNS do cache pamäte pre vlastnú konfiguráciu odosielania tohto klienta",
+    "dns_cache_size": "Veľkosť cache pamäte DNS v bajtoch"
 }

client/src/__locales/sl.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Nastavitve odjemalca",
     "example_upstream_reserved": "gorvodni <0>za določene domene</0>;",
+    "example_multiple_upstreams_reserved": "več gorvodnih <0>za določene domene</0>;",
     "example_upstream_comment": "komentar.",
     "upstream_parallel": "Uporabite vzporedne zahteve za pospešitev reševanja s hkratnim poizvedovanjem vseh gorvodnih strežnikov.",
     "parallel_requests": "Vzporedne zahteve",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Prisilno varno iskanje",
     "number_of_dns_query_to_safe_search": "Število zahtev DNS za iskalnike, za katere je bilo uveljavljeno varno iskanje",
     "average_processing_time": "Povprečni čas obdelave",
-    "processing_time": "Čas obdelave",
+    "average_upstream_response_time": "Povprečni gorvodni odzivni čas",
+    "response_time": "Odzivni čas",
     "average_processing_time_hint": "Povprečni čas v milisekundah pri obdelavi zahteve DNS",
     "block_domain_use_filters_and_hosts": "Onemogoči domene s filtri in gostiteljskimi datotekami",
     "filters_block_toggle_hint": "Pravila zaviranja lahko nastavite v nastavitvah <a>Filtri</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Uporabi IP po meri za EDNS",
     "edns_use_custom_ip_desc": "Dovoli uporabo naslova IP po meri za EDNS",
     "rate_limit_desc": "Dovoljeno število zahtev na sekundo na odjemalca. Nastavitev na 0 pomeni brez omejitve.",
+    "rate_limit_subnet_len_ipv4": "Dolžina predpone podomrežja za naslove IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Dolžina predpone podomrežja za naslove IPv4, ki se uporabljajo za omejevanje hitrosti. Privzeto je 24",
+    "rate_limit_subnet_len_ipv4_error": "Dolžina predpone podomrežja IPv4 mora biti med 0 in 32",
+    "rate_limit_subnet_len_ipv6": "Dolžina predpone podomrežja za naslove IPv4",
+    "rate_limit_subnet_len_ipv6_desc": "Dolžina predpone podomrežja za naslove IPv6, ki se uporabljajo za omejevanje hitrosti. Privzeta vrednost je 56",
+    "rate_limit_subnet_len_ipv6_error": "Dolžina podomrežne predpone IPv6 mora biti med 0 in 128",
+    "form_enter_rate_limit_subnet_len": "Vnesite dolžino predpone podomrežja za omejitev hitrosti",
+    "rate_limit_whitelist": "Seznam dovoljenih za omejevanje hitrosti",
+    "rate_limit_whitelist_desc": "Naslovi IP so izključeni iz omejitve hitrosti",
+    "rate_limit_whitelist_placeholder": "Vnesite en naslov IP na vrstico",
     "blocking_ipv4_desc": "IP naslov, ki mora biti vrnjen za onemogočeno zahtevo A",
     "blocking_ipv6_desc": "IP naslov, ki mora biti vrnjen za onemogočeno zahtevo AAAA",
     "blocking_mode_default": "Privzeto: odgovori z ničelnim naslovom IP (0.0.0.0 za A; :: za AAAA), ko je onemogočen s pravilom v slogu Adblocka; odgovor z naslovom IP, določenim v pravilu, ko je onemogočen s pravilom /etc/hosts",
@@ -722,5 +734,8 @@
     "wednesday_short": "Sre",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sob"
+    "saturday_short": "Sob",
+    "upstream_dns_cache_configuration": "Nastavitve predpomnilnika gorvodnega DNS",
+    "enable_upstream_dns_cache": "Omogoči predpomnjenje nastavitev gorvodnega DNS po meri tega odjemalca",
+    "dns_cache_size": "Velikost predpomnilnika DNS, v bajtih"
 }

client/src/__locales/sr-cs.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Postavke klijenta",
     "example_upstream_reserved": "upstream <0>za određene domene</0>;",
+    "example_multiple_upstreams_reserved": "nekoliko DNS servera <0>za određene domene</0>;",
     "example_upstream_comment": "komentar.",
     "upstream_parallel": "Koristite paralelne upite da biste ubrzali rešavanje tako što ćete istovremeno ispitati sve uzvodne servere.",
     "parallel_requests": "Paralelni zahtevi",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Nametni sigurno pretraživanje",
     "number_of_dns_query_to_safe_search": "Broj DNS zahteva ka pretraživačima za koje je nametnuto sigurno pretraživanje",
     "average_processing_time": "Prosečno vreme obrade",
-    "processing_time": "Vreme obrade",
+    "average_upstream_response_time": "Prosečno vreme odziva upstream-servera",
+    "response_time": "Vreme odziva",
     "average_processing_time_hint": "Prosečno vreme u milisekundama za obradu DNS zahteva",
     "block_domain_use_filters_and_hosts": "Blokiraj domene koristeći filtere i hosts datoteke",
     "filters_block_toggle_hint": "Možete postaviti pravila blokiranja u <a>Filters</a> postavkama.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Koristi prilagođeni IP za EDNS",
     "edns_use_custom_ip_desc": "Dozvoli korišćenje prilagođenog IP-a za EDNS",
     "rate_limit_desc": "Broj zahteva u sekundi dozvoljen po klijentu. Postavljanje na 0 znači da nema ograničenja.",
+    "rate_limit_subnet_len_ipv4": "Dužina prefixa podmreže za IPv4 adrese",
+    "rate_limit_subnet_len_ipv4_desc": "Dužina prefixa podmreže za IPv4 adrese koje se koriste za ograničavanje brzine. Podrazumevano je 24",
+    "rate_limit_subnet_len_ipv4_error": "Dužina prefixa IPv4 podmreže treba da bude između 0 i 32",
+    "rate_limit_subnet_len_ipv6": "Dužina prefixa podmreže za IPv6 adrese",
+    "rate_limit_subnet_len_ipv6_desc": "Dužina prefixa podmreže za IPv6 adrese koje se koriste za ograničavanje brzine. Podrazumevano je 56",
+    "rate_limit_subnet_len_ipv6_error": "Dužina prefixa IPv6 podmreže treba da bude između 0 i 128",
+    "form_enter_rate_limit_subnet_len": "Unesite dužinu prefixa podmreže da biste ograničili brzinu",
+    "rate_limit_whitelist": "Lista dozvoljenih lista za ograničavanje brzine",
+    "rate_limit_whitelist_desc": "IP adrese koje nisu obuhvaćene ograničenjem brzine",
+    "rate_limit_whitelist_placeholder": "Unesite jednu IP adresu servera po redu",
     "blocking_ipv4_desc": "IP adresa koja će biti vraćena za blokirane zahteve",
     "blocking_ipv6_desc": "IP adresa koja će biti vraćena za blokirane AAAA zahteve",
     "blocking_mode_default": "Podrazumevano: Odgovara sa REFUSED kada je blokirano od Adblock-style pravila; odgovara sa IP adresom koja je određena u pravilu kada je blokiran od /etc/hosts-style pravila",
@@ -722,5 +734,8 @@
     "wednesday_short": "Sre",
     "thursday_short": "Čet",
     "friday_short": "Pet",
-    "saturday_short": "Sub"
+    "saturday_short": "Sub",
+    "upstream_dns_cache_configuration": "Konfiguracija keša upstream DNS servera",
+    "enable_upstream_dns_cache": "Uključite keširanje za korisničku konfiguraciju upstream servera ovog klijenta",
+    "dns_cache_size": "Veličina DNS keša, u bajtovima"
 }

client/src/__locales/sv.json

@@ -1,7 +1,8 @@
 {
     "client_settings": "Klientinställningar",
     "example_upstream_reserved": "uppström <0>för en specifik domän</0>;",
-    "example_upstream_comment": "du kan ange en kommentar.",
+    "example_multiple_upstreams_reserved": "flera uppströmsservrar <0>för specifika domäner</0>;",
+    "example_upstream_comment": "en kommentar.",
     "upstream_parallel": "Använd parallella förfrågningar för att snabba upp dessa genom att fråga alla uppströmsservrar samtidigt.",
     "parallel_requests": "Parallella förfrågningar",
     "load_balancing": "Lastbalansering",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Aktivering av Säker surf",
     "number_of_dns_query_to_safe_search": "Antalet DNS-förfrågningar mot sökmotorer där Säker surf tvingats",
     "average_processing_time": "Genomsnittlig processtid",
-    "processing_time": "Bearbetningstid",
+    "average_upstream_response_time": "Genomsnittlig svarstid uppströmsserver",
+    "response_time": "Svarstid",
     "average_processing_time_hint": "Genomsnittlig processtid i millisekunder för DNS-förfrågning",
     "block_domain_use_filters_and_hosts": "Blockera domäner med filter- och värdfiler",
     "filters_block_toggle_hint": "Du kan ställa in egna blockerings regler i <a>Filterinställningar</a>.",
@@ -308,6 +310,15 @@
     "edns_use_custom_ip": "Använd anpassad IP för EDNS",
     "edns_use_custom_ip_desc": "Tillåt att använda anpassad IP för EDNS",
     "rate_limit_desc": "Antalet förfrågningar per sekund som tillåts per klient. Att sätta den till 0 innebär ingen gräns.",
+    "rate_limit_subnet_len_ipv4": "Prefixlängd för subnät för IPv4-adresser",
+    "rate_limit_subnet_len_ipv4_desc": "Subnätprefixlängd för IPv4-adresser som används för hastighetsbegränsning. Standard är 24",
+    "rate_limit_subnet_len_ipv4_error": "IPv4-subnätets prefixlängd ska vara mellan 0 och 32",
+    "rate_limit_subnet_len_ipv6": "Prefixlängd för subnät för IPv6-adresser",
+    "rate_limit_subnet_len_ipv6_desc": "Subnätprefixlängd för IPv6-adresser som används för hastighetsbegränsning. Standard är 56",
+    "rate_limit_subnet_len_ipv6_error": "IPv6-subnätets prefixlängd ska vara mellan 0 och 128",
+    "form_enter_rate_limit_subnet_len": "Ange subnätprefixlängd för hastighetsbegränsning",
+    "rate_limit_whitelist_desc": "IP-adresser uteslutna från hastighetsbegränsning",
+    "rate_limit_whitelist_placeholder": "Ange en IP-adress per rad",
     "blocking_ipv4_desc": "IP adress som ska returneras för en blockerad A förfrågan",
     "blocking_ipv6_desc": "IP adress som ska returneras för en blockerad AAAA förfrågan",
     "blocking_mode_default": "Standard: Svara med noll IP-adress (0.0.0.0 för A; :: för AAAA) när det blockeras av regel i Adblock-stil; svara med IP-adressen som anges i regeln när den blockeras av regel i /etc/hosts-stil",
@@ -722,5 +733,8 @@
     "wednesday_short": "Ons",
     "thursday_short": "Tor",
     "friday_short": "Fre",
-    "saturday_short": "Lör"
+    "saturday_short": "Lör",
+    "upstream_dns_cache_configuration": "Konfiguration av uppströms DNS-cache",
+    "enable_upstream_dns_cache": "Aktivera DNS-cachelagring för den här klientens anpassade uppströmskonfiguration",
+    "dns_cache_size": "DNS-cachestorlek, i byte"
 }

client/src/__locales/tr.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "İstemci ayarları",
     "example_upstream_reserved": "<0>belirli alan adları</0> için bir üst sunucusu;",
+    "example_multiple_upstreams_reserved": "<0>belirli alanlar için</0> birden fazla üst kaynaklar;",
     "example_upstream_comment": "bir yorum.",
     "upstream_parallel": "Tüm üst sunucuları eş zamanlı sorgulayarak çözümlemeyi hızlandırmak için paralel sorgular kullanın.",
     "parallel_requests": "Paralel istekler",
@@ -97,7 +98,7 @@
     "filters": "Filtreler",
     "filter": "Filtre",
     "query_log": "Sorgu Günlüğü",
-    "compact": "Yoğun",
+    "compact": "Sık",
     "nothing_found": "Hiçbir şey bulunamadı",
     "faq": "SSS",
     "version": "Sürüm",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Uygulanan güvenli arama",
     "number_of_dns_query_to_safe_search": "Güvenli Aramanın uygulandığı arama motorlarına gönderilen DNS isteklerinin sayısı",
     "average_processing_time": "Ortalama işlem süresi",
-    "processing_time": "İşlem süresi",
+    "average_upstream_response_time": "Ortalama üst kaynak yanıt süresi",
+    "response_time": "Yanıt süresi",
     "average_processing_time_hint": "Bir DNS isteğinin milisaniye cinsinden ortalama işlem süresi",
     "block_domain_use_filters_and_hosts": "Filtre ve hosts dosyalarını kullanarak alan adlarını engelle",
     "filters_block_toggle_hint": "<a>Filtreler</a> ayarlarında engelleme kuralları oluşturabilirsiniz.",
@@ -180,7 +182,7 @@
     "enabled_save_search_toast": "Güvenli Arama etkinleştirildi",
     "updated_save_search_toast": "Güvenli Arama ayarları güncellendi",
     "enabled_table_header": "Etkin",
-    "name_table_header": "Ad",
+    "name_table_header": "Adı",
     "list_url_table_header": "Liste URL'si",
     "rules_count_table_header": "Kural sayısı",
     "last_time_updated_table_header": "Son güncelleme zamanı",
@@ -308,9 +310,19 @@
     "edns_use_custom_ip": "EDNS için özel IP kullan",
     "edns_use_custom_ip_desc": "EDNS için özel IP kullanımına izin ver",
     "rate_limit_desc": "İstemci başına izin verilen saniyedeki istek sayısı. 0 olarak ayarlamak, sınır olmadığı anlamına gelir.",
+    "rate_limit_subnet_len_ipv4": "IPv4 adresleri için alt ağ önek uzunluğu",
+    "rate_limit_subnet_len_ipv4_desc": "Hız sınırlaması için kullanılan IPv4 adreslerinin alt ağ önek uzunluğu. Varsayılan 24'tür",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 alt ağ önek uzunluğu 0 ile 32 arasında olmalıdır",
+    "rate_limit_subnet_len_ipv6": "IPv6 adresleri için alt ağ önek uzunluğu",
+    "rate_limit_subnet_len_ipv6_desc": "Hız sınırlaması için kullanılan IPv6 adreslerinin alt ağ önek uzunluğu. Varsayılan 56'tür",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 alt ağ önek uzunluğu 0 ile 128 arasında olmalıdır",
+    "form_enter_rate_limit_subnet_len": "Hız sınırlaması için alt ağ önek uzunluğunu girin",
+    "rate_limit_whitelist": "Hız sınırlama izin listesi",
+    "rate_limit_whitelist_desc": "Hız sınırlamasından hariç tutulan IP adresleri",
+    "rate_limit_whitelist_placeholder": "Her satıra bir IP adresi girin",
     "blocking_ipv4_desc": "Engellenen bir A isteği için geri döndürülecek IP adresi",
     "blocking_ipv6_desc": "Engellenen bir AAAA isteği için geri döndürülecek IP adresi",
-    "blocking_mode_default": "Varsayılan: Reklam engelleme tarzı kural tarafından engellendiğinde sıfır IP adresiyle (A için 0.0.0.0; :: AAAA için) yanıt verin; /etc/hosts-tarzı kural tarafından engellendiğinde, kuralda belirtilen IP adresiyle yanıt verin",
+    "blocking_mode_default": "Varsayılan: Reklam engelleme stili kuralı tarafından engellendiğinde sıfır IP adresiyle (A için 0.0.0.0; :: AAAA için) yanıt verin; /etc/hosts-tarzı kural tarafından engellendiğinde, kuralda belirtilen IP adresiyle yanıt verin",
     "blocking_mode_refused": "REFUSED: REFUSED koduyla yanıt verin",
     "blocking_mode_nxdomain": "NXDOMAIN: NXDOMAIN koduyla yanıt verin",
     "blocking_mode_null_ip": "Boş IP: Sıfır IP adresiyle yanıt verin (A için 0.0.0.0; :: AAAA için)",
@@ -435,7 +447,7 @@
     "settings_global": "Genel",
     "settings_custom": "Özel",
     "table_client": "İstemci",
-    "table_name": "Ad",
+    "table_name": "AdAdı",
     "save_btn": "Kaydet",
     "client_add": "İstemci Ekle",
     "client_new": "Yeni İstemci",
@@ -449,7 +461,7 @@
     "form_enter_id": "Tanımlayıcı girin",
     "form_add_id": "Tanımlayıcı ekle",
     "form_client_name": "İstemci ismi girin",
-    "name": "Ad",
+    "name": "Adı",
     "client_global_settings": "Genel ayarları kullan",
     "client_deleted": "\"{{key}}\" istemcisi başarıyla silindi",
     "client_added": "\"{{key}}\" istemcisi başarıyla eklendi",
@@ -722,5 +734,8 @@
     "wednesday_short": "Çar",
     "thursday_short": "Per",
     "friday_short": "Cum",
-    "saturday_short": "Cmt"
+    "saturday_short": "Cmt",
+    "upstream_dns_cache_configuration": "Üst kaynak DNS önbellek yapılandırması",
+    "enable_upstream_dns_cache": "Bu istemcinin özel üst kaynak yapılandırması için DNS önbelleğe almayı etkinleştir",
+    "dns_cache_size": "DNS önbellek boyutu, bayt cinsinden"
 }

client/src/__locales/uk.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Налаштування клієнта",
     "example_upstream_reserved": "DNS-сервер <0>для певних доменів</0>;",
+    "example_multiple_upstreams_reserved": "кілька DNS-серверів <0>для конкретних доменів</0>;",
     "example_upstream_comment": "коментар.",
     "upstream_parallel": "Використовувати паралельні запити, щоб пришвидшити вирішення одночасною чергою всіх оригінальних серверів.",
     "parallel_requests": "Паралельні запити",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Примусовий безпечний пошук",
     "number_of_dns_query_to_safe_search": "Кількість DNS-запитів до пошукових систем, для яких примусово застосований безпечний пошук",
     "average_processing_time": "Середній час обробки",
-    "processing_time": "Час обробки",
+    "average_upstream_response_time": "Середній час відгуку upstream-сервера",
+    "response_time": "Час відгуку",
     "average_processing_time_hint": "Середній час обробки DNS запиту в мілісекундах",
     "block_domain_use_filters_and_hosts": "Блокування доменів за допомогою фільтрів та hosts-файлів",
     "filters_block_toggle_hint": "Ви можете налаштувати правила блокування в розділі <a>Фільтри</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Використання користувацької IP-адреси для EDNS",
     "edns_use_custom_ip_desc": "Дозволити використовувати користувацьку IP-адресу для EDNS",
     "rate_limit_desc": "Кількість запитів в секунду, які може робити один клієнт. Встановлене значення «0» означатиме необмежену кількість.",
+    "rate_limit_subnet_len_ipv4": "Довжина префікса підмережі для адрес IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Довжина префікса підмережі для адрес IPv4, які використовуються для обмеження швидкості. Типовим значенням є 24",
+    "rate_limit_subnet_len_ipv4_error": "Довжина префікса підмережі IPv4 має бути від 0 до 32",
+    "rate_limit_subnet_len_ipv6": "Довжина префікса підмережі для адрес IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Довжина префікса підмережі для адрес IPv6, які використовуються для обмеження швидкості. Типовим значенням є 56",
+    "rate_limit_subnet_len_ipv6_error": "Довжина префікса підмережі IPv6 має бути від 0 до 128",
+    "form_enter_rate_limit_subnet_len": "Введіть довжину префікса підмережі для обмеження швидкості",
+    "rate_limit_whitelist": "Список дозволених обмежень швидкості",
+    "rate_limit_whitelist_desc": "IP-адреси, на які не поширюється обмеження швидкості",
+    "rate_limit_whitelist_placeholder": "Вводьте одну адресу на рядок",
     "blocking_ipv4_desc": "IP-адреса, яку потрібно видати для заблокованого A запиту",
     "blocking_ipv6_desc": "IP-адреса, яку потрібно видати для заблокованого АААА запиту",
     "blocking_mode_default": "Усталено: відповідь із нульовою IP-адресою (0.0.0.0 для A; :: для AAAA), якщо заблоковано правилом у Adblock-стилі; відповідь зазначеною у правилі IP-адресою, якщо заблокувано правилом у hosts-стилі",
@@ -683,7 +695,7 @@
     "disable_notify_for_minutes_plural": "Вимкнення захисту на {{count}} хвилин",
     "disable_notify_for_hours": "Вимкнення захисту на {{count}} годину",
     "disable_notify_for_hours_plural": "Вимкнення захисту на {{count}} годин",
-    "disable_notify_until_tomorrow": "Відключення захисту до завтра",
+    "disable_notify_until_tomorrow": "Вимкнути захист до завтра",
     "enable_protection_timer": "Захист буде ввімкнено о {{time}}",
     "custom_retention_input": "Введіть час в годинах",
     "custom_rotation_input": "Введіть час в годинах",
@@ -701,7 +713,7 @@
     "schedule_current_timezone": "Поточний часовий пояс: {{value}}",
     "schedule_time_all_day": "Увесь день",
     "schedule_modal_description": "Цей розклад замінить усі наявні розклади на той самий день тижня. Кожен день тижня може мати тільки один період бездіяльності.",
-    "schedule_modal_time_off": "Блокування сервісів відключена:",
+    "schedule_modal_time_off": "Вимкнення блокування сервісів:",
     "schedule_new": "Новий розклад",
     "schedule_edit": "Редагувати розклад",
     "schedule_save": "Зберегти розклад",
@@ -722,5 +734,8 @@
     "wednesday_short": "СР",
     "thursday_short": "ЧТ",
     "friday_short": "ПТ",
-    "saturday_short": "СБ"
+    "saturday_short": "СБ",
+    "upstream_dns_cache_configuration": "Конфігурація кешу upstream DNS-серверів",
+    "enable_upstream_dns_cache": "Увімкнути кешування для користувацької конфігурації upstream-серверів цього клієнта",
+    "dns_cache_size": "Розмір кешу DNS, у байтах"
 }

client/src/__locales/vi.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "Cài đặt thiết bị",
     "example_upstream_reserved": "ngược dòng <0>cho các miền cụ thể</0>;",
+    "example_multiple_upstreams_reserved": "nhiều máy chủ thượng nguồn <0>cho các miền cụ thể</0>;",
     "example_upstream_comment": "một lời bình luận.",
     "upstream_parallel": "Sử dụng truy vấn song song để tăng tốc độ giải quyết bằng cách truy vấn đồng thời tất cả các máy chủ ngược tuyến",
     "parallel_requests": "Yêu cầu song song",
@@ -143,7 +144,8 @@
     "enforced_save_search": "Bắt buộc tìm kiếm an toàn",
     "number_of_dns_query_to_safe_search": "Số yêu cầu DNS tới công cụ tìm kiếm đã chuyển thành tìm kiếm an toàn",
     "average_processing_time": "Thời gian xử lý trung bình",
-    "processing_time": "Thời gian xử lý",
+    "average_upstream_response_time": "Thời gian phản hồi trung bình từ máy chủ thượng nguồn",
+    "response_time": "Thời gian đáp ứng",
     "average_processing_time_hint": "Thời gian trung bình cho một yêu cầu DNS tính bằng mili giây",
     "block_domain_use_filters_and_hosts": "Chặn tên miền sử dụng các bộ lọc và file hosts",
     "filters_block_toggle_hint": "Bạn có thể thiết lập quy tắc chặn tại cài đặt <a>Bộ lọc</a>.",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "Sử dụng địa chỉ IP tùy chỉnh cho EDNS",
     "edns_use_custom_ip_desc": "Cho phép sử dụng địa chỉ IP tùy chỉnh cho EDNS",
     "rate_limit_desc": "Số lượng yêu cầu mỗi giây mà một khách hàng được phép thực hiện (0: không giới hạn)",
+    "rate_limit_subnet_len_ipv4": "Độ dài tiền tố mạng con cho địa chỉ IPv4",
+    "rate_limit_subnet_len_ipv4_desc": "Độ dài tiền tố mạng con cho các địa chỉ IPv4 được sử dụng để giới hạn tốc độ. Mặc định là 24",
+    "rate_limit_subnet_len_ipv4_error": "Độ dài tiền tố mạng con IPv4 phải nằm trong khoảng từ 0 đến 32",
+    "rate_limit_subnet_len_ipv6": "Độ dài tiền tố mạng con cho địa chỉ IPv6",
+    "rate_limit_subnet_len_ipv6_desc": "Độ dài tiền tố mạng con cho các địa chỉ IPv6 được sử dụng để giới hạn tốc độ. Mặc định là 56",
+    "rate_limit_subnet_len_ipv6_error": "Độ dài tiền tố mạng con IPv6 phải nằm trong khoảng từ 0 đến 128",
+    "form_enter_rate_limit_subnet_len": "Nhập độ dài tiền tố mạng con để giới hạn tốc độ",
+    "rate_limit_whitelist": "Danh sách cho phép giới hạn tỷ lệ",
+    "rate_limit_whitelist_desc": "Địa chỉ IP bị loại trừ khỏi giới hạn tốc độ",
+    "rate_limit_whitelist_placeholder": "Nhập một địa chỉ IP trên mỗi dòng",
     "blocking_ipv4_desc": "Địa chỉ IP được trả lại cho một yêu cầu A bị chặn",
     "blocking_ipv6_desc": "Địa chỉ IP được trả lại cho một yêu cầu AAA bị chặn",
     "blocking_mode_default": "Mặc định: Trả lời với NXDOMAIN khi bị chặn bởi quy tắc kiểu Adblock; phản hồi với địa chỉ IP được chỉ định trong quy tắc khi bị chặn bởi quy tắc / etc / hosts-style",
@@ -722,5 +734,8 @@
     "wednesday_short": "Thứ 4",
     "thursday_short": "Thứ 5",
     "friday_short": "Thứ 6",
-    "saturday_short": "Thứ 7"
+    "saturday_short": "Thứ 7",
+    "upstream_dns_cache_configuration": "Cấu hình bộ nhớ đệm upstream của các máy chủ DNS",
+    "enable_upstream_dns_cache": "Bật bộ nhớ cache cho cấu hình ngược dòng của máy chủ upstream của khách hàng này",
+    "dns_cache_size": "Kích thước bộ nhớ cache DNS, tính bằng byte"
 }

client/src/__locales/zh-cn.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "客户端设置",
     "example_upstream_reserved": "指定为<0>特定域名</0>的上游服务器；",
+    "example_multiple_upstreams_reserved": "<0>特定域名</0>的多个上游服务器；",
     "example_upstream_comment": "注释。",
     "upstream_parallel": "使用并行请求以同时查询所有上游服务器来加快解析速度。",
     "parallel_requests": "并行请求",
@@ -143,7 +144,8 @@
     "enforced_save_search": "强制安全搜索",
     "number_of_dns_query_to_safe_search": "启用强制安全搜索后对搜索引擎的 DNS 请求总数",
     "average_processing_time": "平均处理时间",
-    "processing_time": "处理时间",
+    "average_upstream_response_time": "上游服务器的平均响应时间",
+    "response_time": "响应时间",
     "average_processing_time_hint": "处理 DNS 请求的平均时间（毫秒）",
     "block_domain_use_filters_and_hosts": "使用过滤器和 Hosts 文件以拦截指定域名",
     "filters_block_toggle_hint": "你可以在 <a>过滤器</a> 设置中添加过滤规则。",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "为 EDNS 使用自定义 IP",
     "edns_use_custom_ip_desc": "允许为 EDNS 使用自定义 IP",
     "rate_limit_desc": "每个客户端每秒钟查询次数的限制。设置为 0 意味着不限制。",
+    "rate_limit_subnet_len_ipv4": "IPv4 地址子网前缀长度",
+    "rate_limit_subnet_len_ipv4_desc": "用于速率限制的 IPv4 地址子网前缀长度。默认为 24",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 子网前缀长度应介于 0 到 32 之间",
+    "rate_limit_subnet_len_ipv6": "IPv6 地址子网前缀长度",
+    "rate_limit_subnet_len_ipv6_desc": "用于速率限制的 IPv6 地址子网前缀长度。默认为 56",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 子网前缀长度应介于 0 到 128 之间",
+    "form_enter_rate_limit_subnet_len": "输入用于速率限制的子网前缀长度",
+    "rate_limit_whitelist": "速率限制白名单",
+    "rate_limit_whitelist_desc": "排除在速率限制之外的 IP 地址",
+    "rate_limit_whitelist_placeholder": "每行输入一个 IP 地址",
     "blocking_ipv4_desc": "拦截 A 记录请求返回的 IP 地址",
     "blocking_ipv6_desc": "拦截 AAAA 记录请求返回的 IP 地址",
     "blocking_mode_default": "默认：被 Adblock 规则拦截时反应为零 IP 地址（A记录：0.0.0.0；AAAA记录：::）；被 /etc/hosts 规则拦截时反应为规则中指定 IP 地址",
@@ -722,5 +734,8 @@
     "wednesday_short": "周三",
     "thursday_short": "周四",
     "friday_short": "周五",
-    "saturday_short": "周六"
+    "saturday_short": "周六",
+    "upstream_dns_cache_configuration": "上游 DNS 缓存配置",
+    "enable_upstream_dns_cache": "为该客户端的自定义上游配置启用 DNS 缓存",
+    "dns_cache_size": "DNS 缓存大小，单位：字节"
 }

client/src/__locales/zh-tw.json

@@ -1,6 +1,7 @@
 {
     "client_settings": "用戶端設定",
     "example_upstream_reserved": "<0>供特定的網域</0>之上游；",
+    "example_multiple_upstreams_reserved": "<0>特定網域</0>的多個上游伺服器；",
     "example_upstream_comment": "註解。",
     "upstream_parallel": "透過同時地查詢所有上游的伺服器，使用並行的查詢以加速解析。",
     "parallel_requests": "並行的請求",
@@ -8,9 +9,9 @@
     "load_balancing_desc": "每次查詢一個上游伺服器。AdGuard Home 使用它的加權隨機的演算法來選擇伺服器，以便最快的伺服器被更常使用。",
     "bootstrap_dns": "自我啟動（Bootstrap）DNS 伺服器",
     "bootstrap_dns_desc": "DNS 伺服器的 IP 位址，用於解析您指定為上游伺服器的 DoH/DoT 解析器的 IP 位址。不允許註釋。",
-    "fallback_dns_title": "備援 DNS 伺服器",
-    "fallback_dns_desc": "當上游 DNS 伺服器未回應時使用的備援 DNS 伺服器清單。語法與上面的主要上游欄位相同。",
-    "fallback_dns_placeholder": "每行輸入一個備援 DNS 伺服器",
+    "fallback_dns_title": "應變 DNS 伺服器",
+    "fallback_dns_desc": "當上游 DNS 伺服器未回覆時被使用的應變 DNS 伺服器之清單。此語法與在上面主要上游欄位中的相同。",
+    "fallback_dns_placeholder": "每行輸入一個應變 DNS 伺服器",
     "local_ptr_title": "私人反向的 DNS 伺服器",
     "local_ptr_desc": "AdGuard Home 用於區域指標（PTR）查詢之 DNS 伺服器。這些伺服器被用於解析有關在私人 IP 範圍的位址之區域指標查詢，例如，\"192.168.12.34\"，使用反向的 DNS。如果未被設定，AdGuard Home 使用您的作業系統之預設 DNS 解析器的位址。",
     "local_ptr_default_resolver": "預設下，AdGuard Home 使用以下反向的 DNS 解析器：{{ip}}。",
@@ -131,7 +132,7 @@
     "top_clients": "熱門用戶端",
     "no_clients_found": "無已發現之用戶端",
     "general_statistics": "一般的統計資料",
-    "top_upstreams": "經常請求的上游伺服器",
+    "top_upstreams": "熱門上游",
     "no_upstreams_data_found": "找不到上游伺服器資料",
     "number_of_dns_query_days": "在最近的 {{count}} 日內已處理的 DNS 查詢之數量",
     "number_of_dns_query_days_plural": "在最近的 {{count}} 日內已處理的 DNS 查詢之數量",
@@ -143,7 +144,8 @@
     "enforced_save_search": "已強制執行的安全搜尋",
     "number_of_dns_query_to_safe_search": "安全搜尋已被強制執行之屬於搜尋引擎的 DNS 請求之數量",
     "average_processing_time": "平均的處理時間",
-    "processing_time": "處理時間",
+    "average_upstream_response_time": "平均的上游回應時間",
+    "response_time": "回應時間",
     "average_processing_time_hint": "在處理一項 DNS 請求時以毫秒（ms）計的平均時間",
     "block_domain_use_filters_and_hosts": "透過過濾器和主機檔案封鎖網域",
     "filters_block_toggle_hint": "您可在<a>過濾器</a>設定中設置封鎖規則。",
@@ -288,7 +290,7 @@
     "blocking_ipv4": "封鎖 IPv4",
     "blocking_ipv6": "封鎖 IPv6",
     "blocked_response_ttl": "已封鎖的回應之存活時間（TTL）",
-    "blocked_response_ttl_desc": "指定客戶端應將過濾後的回應存入快取的秒數",
+    "blocked_response_ttl_desc": "對用戶端應快取受過濾的回應，指定多少秒數",
     "form_enter_blocked_response_ttl": "請輸入已封鎖回應的存活時間（秒）",
     "dnscrypt": "DNSCrypt",
     "dns_over_https": "DNS-over-HTTPS",
@@ -308,6 +310,16 @@
     "edns_use_custom_ip": "為 EDNS 使用自訂的 IP",
     "edns_use_custom_ip_desc": "允許為 EDNS 使用自訂的 IP",
     "rate_limit_desc": "每個用戶端被允許的每秒請求之數量。設定它為 0 表示無限制。",
+    "rate_limit_subnet_len_ipv4": "IPv4 位址的子網路前綴長度",
+    "rate_limit_subnet_len_ipv4_desc": "用於速率限制的 IPv4 位址的子網路前綴長度。預設值為 24",
+    "rate_limit_subnet_len_ipv4_error": "IPv4 子網路前綴長度應在 0 至 32 之間",
+    "rate_limit_subnet_len_ipv6": "IPv6 位址的子網路前綴長度",
+    "rate_limit_subnet_len_ipv6_desc": "用於速率限制的 IPv6 位址的子網路前綴長度。預設值為 56",
+    "rate_limit_subnet_len_ipv6_error": "IPv6 子網路前綴長度應在 0 至 128 之間",
+    "form_enter_rate_limit_subnet_len": "輸入用於速率限制的子網路前綴長度",
+    "rate_limit_whitelist": "速率限制允許清單",
+    "rate_limit_whitelist_desc": "從速率限制中排除的 IP 位址",
+    "rate_limit_whitelist_placeholder": "每行輸入一個 IP 位址",
     "blocking_ipv4_desc": "要被返回給已封鎖的 A 請求之 IP 位址",
     "blocking_ipv6_desc": "要被返回給已封鎖的 AAAA 請求之 IP 位址",
     "blocking_mode_default": "預設：當被 AdBlock 樣式的規則封鎖時，以零值 IP 位址（0.0.0.0 供 A；:: 供 AAAA）回覆；當被 /etc/hosts 樣式的規則封鎖時，以在該規則中之已明確指定的 IP 位址回覆",
@@ -722,5 +734,8 @@
     "wednesday_short": "週三",
     "thursday_short": "週四",
     "friday_short": "週五",
-    "saturday_short": "週六"
+    "saturday_short": "週六",
+    "upstream_dns_cache_configuration": "上游 DNS 快取設定",
+    "enable_upstream_dns_cache": "啟用本用戶端自訂上游配置的 DNS 快取",
+    "dns_cache_size": "DNS 快取大小，單位：位元"
 }

client/src/actions/dnsConfig.js

@@ -62,6 +62,10 @@ export const setDnsConfig = (config) => async (dispatch) => {
             data.upstream_dns = splitByNewLine(config.upstream_dns);
             hasDnsSettings = true;
         }
+        if (Object.prototype.hasOwnProperty.call(data, 'ratelimit_whitelist')) {
+            data.ratelimit_whitelist = splitByNewLine(config.ratelimit_whitelist);
+            hasDnsSettings = true;
+        }
 
         await apiClient.setDnsConfig(data);
 

client/src/actions/index.js

@@ -338,6 +338,40 @@ export const getDnsStatus = () => async (dispatch) => {
     }
 };
 
+export const timerStatusRequest = createAction('TIMER_STATUS_REQUEST');
+export const timerStatusFailure = createAction('TIMER_STATUS_FAILURE');
+export const timerStatusSuccess = createAction('TIMER_STATUS_SUCCESS');
+
+export const getTimerStatus = () => async (dispatch) => {
+    dispatch(timerStatusRequest());
+
+    const handleRequestError = () => {
+        dispatch(addErrorToast({ error: 'dns_status_error' }));
+        dispatch(dnsStatusFailure());
+        window.location.reload(true);
+    };
+
+    const handleRequestSuccess = (response) => {
+        const dnsStatus = response.data;
+        if (dnsStatus.protection_disabled_duration === 0) {
+            dnsStatus.protection_disabled_duration = null;
+        }
+        const { running } = dnsStatus;
+        const runningStatus = dnsStatus && running;
+        if (runningStatus === true) {
+            dispatch(timerStatusSuccess(dnsStatus));
+        } else {
+            dispatch(setDnsRunningStatus(running));
+        }
+    };
+
+    try {
+        checkStatus(handleRequestSuccess, handleRequestError);
+    } catch (error) {
+        handleRequestError();
+    }
+};
+
 export const testUpstreamRequest = createAction('TEST_UPSTREAM_REQUEST');
 export const testUpstreamFailure = createAction('TEST_UPSTREAM_FAILURE');
 export const testUpstreamSuccess = createAction('TEST_UPSTREAM_SUCCESS');

client/src/components/App/index.css

@@ -118,6 +118,11 @@ body {
     overflow-y: auto;
 }
 
+.modal-body--filters {
+    max-height: 600px;
+    overflow-y: auto;
+}
+
 .modal-body__item:not(:first-child) {
     padding-top: 1.5rem;
 }

client/src/components/App/index.js

@@ -28,7 +28,7 @@ import {
 } from '../../helpers/constants';
 import { getLogsUrlParams, setHtmlLangAttr, setUITheme } from '../../helpers/helpers';
 import Header from '../Header';
-import { changeLanguage, getDnsStatus } from '../../actions';
+import { changeLanguage, getDnsStatus, getTimerStatus } from '../../actions';
 
 import Dashboard from '../../containers/Dashboard';
 import SetupGuide from '../../containers/SetupGuide';
@@ -126,6 +126,18 @@ const App = () => {
 
     useEffect(() => {
         dispatch(getDnsStatus());
+
+        const handleVisibilityChange = () => {
+            if (document.visibilityState === 'visible') {
+                dispatch(getTimerStatus());
+            }
+        };
+
+        document.addEventListener('visibilitychange', handleVisibilityChange);
+
+        return () => {
+            document.removeEventListener('visibilitychange', handleVisibilityChange);
+        };
     }, []);
 
     const setLanguage = () => {

client/src/components/Dashboard/UpstreamAvgTime.js

@@ -38,7 +38,7 @@ const UpstreamAvgTime = ({
     subtitle,
 }) => (
     <Card
-        title={t('average_processing_time')}
+        title={t('average_upstream_response_time')}
         subtitle={subtitle}
         bodyType="card-table"
         refresh={refreshButton}
@@ -55,7 +55,7 @@ const UpstreamAvgTime = ({
                     Cell: DomainCell,
                 },
                 {
-                    Header: <Trans>processing_time</Trans>,
+                    Header: <Trans>response_time</Trans>,
                     accessor: 'count',
                     maxWidth: 190,
                     Cell: TimeCell,

client/src/components/Filters/Form.js

@@ -28,7 +28,7 @@ const renderIcons = (iconsData) => iconsData.map(({
 }) => <a key={iconName} href={href} target="_blank" rel="noopener noreferrer"
          className={classNames('d-flex align-items-center', className)}
 >
-    <svg className="nav-icon nav-icon--gray">
+    <svg className="icon icon--15 mr-1 icon--gray">
         <use xlinkHref={`#${iconName}`} />
     </svg>
 </a>);
@@ -110,7 +110,7 @@ const Form = (props) => {
     const openAddFiltersModal = () => openModal(MODAL_TYPE.ADD_FILTERS);
 
     return <form onSubmit={handleSubmit}>
-        <div className="modal-body modal-body--medium">
+        <div className="modal-body modal-body--filters">
             {modalType === MODAL_TYPE.SELECT_MODAL_TYPE
             && <div className="d-flex justify-content-around">
                 <button onClick={openFilteringListModal}

client/src/components/Filters/Services/ScheduleForm/Modal.js

@@ -81,6 +81,10 @@ export const Modal = ({
             };
         });
 
+        if (timezone !== intialTimezone) {
+            newSchedule.time_zone = timezone;
+        }
+
         onSubmit(newSchedule);
     };
 

client/src/components/Logs/Logs.css

@@ -80,7 +80,7 @@
     color: var(--gray-f3);
 }
 
-.logs__text--client {
+.logs__table .logs__text--client {
     padding-right: 32px;
 }
 

client/src/components/Settings/Clients/ClientsTable/ClientsTable.js

@@ -79,6 +79,10 @@ const ClientsTable = ({
             } else {
                 config.tags = [];
             }
+
+            if (typeof values.upstreams_cache_size === 'string') {
+                config.upstreams_cache_size = 0;
+            }
         }
 
         if (modalType === MODAL_TYPE.EDIT_FILTERS) {

client/src/components/Settings/Clients/Form.js

@@ -12,8 +12,13 @@ import i18n from '../../../i18n';
 import Tabs from '../../ui/Tabs';
 import Examples from '../Dns/Upstream/Examples';
 import { ScheduleForm } from '../../Filters/Services/ScheduleForm';
-import { toggleAllServices, trimLinesAndRemoveEmpty, captitalizeWords } from '../../../helpers/helpers';
 import {
+    toggleAllServices,
+    trimLinesAndRemoveEmpty,
+    captitalizeWords,
+} from '../../../helpers/helpers';
+import {
+    toNumber,
     renderInputField,
     renderGroupField,
     CheckboxField,
@@ -21,7 +26,7 @@ import {
     renderTextareaField,
 } from '../../../helpers/form';
 import { validateClientId, validateRequiredValue } from '../../../helpers/validators';
-import { CLIENT_ID_LINK, FORM_NAME } from '../../../helpers/constants';
+import { CLIENT_ID_LINK, FORM_NAME, UINT32_RANGE } from '../../../helpers/constants';
 import './Service.css';
 
 const settingsCheckboxes = [
@@ -307,6 +312,35 @@ let Form = (props) => {
                     normalizeOnBlur={trimLinesAndRemoveEmpty}
                 />
                 <Examples />
+                <div className="form__label--bold mt-5 mb-3">
+                    {t('upstream_dns_cache_configuration')}
+                </div>
+                <div className="form__group mb-2">
+                    <Field
+                        name="upstreams_cache_enabled"
+                        type="checkbox"
+                        component={CheckboxField}
+                        placeholder={t('enable_upstream_dns_cache')}
+                    />
+                </div>
+                <div className="form__group form__group--settings">
+                    <label
+                        htmlFor="upstreams_cache_size"
+                        className="form__label"
+                    >
+                        {t('dns_cache_size')}
+                    </label>
+                    <Field
+                        name="upstreams_cache_size"
+                        type="number"
+                        component={renderInputField}
+                        placeholder={t('enter_cache_size')}
+                        className="form-control"
+                        normalize={toNumber}
+                        min={0}
+                        max={UINT32_RANGE.MAX}
+                    />
+                </div>
             </div>,
         },
     };

client/src/components/Settings/Dhcp/Leases.js

@@ -27,7 +27,7 @@ class Leases extends Component {
             <div className="logs__row logs__row--center">
                 <button
                     type="button"
-                    className="btn btn-icon btn-icon--green btn-outline-secondary btn-sm"
+                    className="btn btn-icon btn-icon--green btn-outline-success btn-sm"
                     title={t('make_static')}
                     onClick={this.convertToStatic(row)}
                     disabled={disabledLeasesButton}

client/src/components/Settings/Dns/Config/Form.js

@@ -6,6 +6,7 @@ import { Trans, useTranslation } from 'react-i18next';
 import {
     renderInputField,
     renderRadioField,
+    renderTextareaField,
     CheckboxField,
     toNumber,
 } from '../../../../helpers/form';
@@ -14,7 +15,10 @@ import {
     validateIpv6,
     validateRequiredValue,
     validateIp,
+    validateIPv4Subnet,
+    validateIPv6Subnet,
 } from '../../../../helpers/validators';
+import { removeEmptyLines } from '../../../../helpers/helpers';
 import { BLOCKING_MODES, FORM_NAME, UINT32_RANGE } from '../../../../helpers/constants';
 
 const checkboxes = [
@@ -90,6 +94,69 @@ const Form = ({
                     />
                 </div>
             </div>
+            <div className="col-12 col-md-7">
+                <div className="form__group form__group--settings">
+                    <label htmlFor="ratelimit_subnet_len_ipv4"
+                        className="form__label form__label--with-desc">
+                        <Trans>rate_limit_subnet_len_ipv4</Trans>
+                    </label>
+                    <div className="form__desc form__desc--top">
+                        <Trans>rate_limit_subnet_len_ipv4_desc</Trans>
+                    </div>
+                    <Field
+                        name="ratelimit_subnet_len_ipv4"
+                        type="number"
+                        component={renderInputField}
+                        className="form-control"
+                        placeholder={t('form_enter_rate_limit_subnet_len')}
+                        normalize={toNumber}
+                        validate={[validateRequiredValue, validateIPv4Subnet]}
+                        min={0}
+                        max={32}
+                    />
+                </div>
+            </div>
+            <div className="col-12 col-md-7">
+                <div className="form__group form__group--settings">
+                    <label htmlFor="ratelimit_subnet_len_ipv6"
+                        className="form__label form__label--with-desc">
+                        <Trans>rate_limit_subnet_len_ipv6</Trans>
+                    </label>
+                    <div className="form__desc form__desc--top">
+                        <Trans>rate_limit_subnet_len_ipv6_desc</Trans>
+                    </div>
+                    <Field
+                        name="ratelimit_subnet_len_ipv6"
+                        type="number"
+                        component={renderInputField}
+                        className="form-control"
+                        placeholder={t('form_enter_rate_limit_subnet_len')}
+                        normalize={toNumber}
+                        validate={[validateRequiredValue, validateIPv6Subnet]}
+                        min={0}
+                        max={128}
+                    />
+                </div>
+            </div>
+            <div className="col-12 col-md-7">
+                <div className="form__group form__group--settings">
+                    <label htmlFor="ratelimit_whitelist"
+                        className="form__label form__label--with-desc">
+                        <Trans>rate_limit_whitelist</Trans>
+                    </label>
+                    <div className="form__desc form__desc--top">
+                        <Trans>rate_limit_whitelist_desc</Trans>
+                    </div>
+                    <Field
+                        name="ratelimit_whitelist"
+                        component={renderTextareaField}
+                        type="text"
+                        className="form-control"
+                        placeholder={t('rate_limit_whitelist_placeholder')}
+                        normalizeOnBlur={removeEmptyLines}
+                    />
+                </div>
+            </div>
             <div className="col-12">
                 <div className="form__group form__group--settings">
                     <Field

client/src/components/Settings/Dns/Config/index.js

@@ -11,6 +11,9 @@ const Config = () => {
     const {
         blocking_mode,
         ratelimit,
+        ratelimit_subnet_len_ipv4,
+        ratelimit_subnet_len_ipv6,
+        ratelimit_whitelist,
         blocking_ipv4,
         blocking_ipv6,
         blocked_response_ttl,
@@ -36,6 +39,9 @@ const Config = () => {
                 <Form
                     initialValues={{
                         ratelimit,
+                        ratelimit_subnet_len_ipv4,
+                        ratelimit_subnet_len_ipv6,
+                        ratelimit_whitelist,
                         blocking_mode,
                         blocking_ipv4,
                         blocking_ipv6,

client/src/components/Settings/Dns/Upstream/Examples.js

@@ -137,6 +137,22 @@ const Examples = (props) => (
                     example_upstream_reserved
                 </Trans>
             </li>
+            <li>
+                <code>[/example.local/]94.140.14.140 2a10:50c0::1:ff</code>: <Trans
+                    components={[
+                        <a
+                            href="https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams-for-domains"
+                            target="_blank"
+                            rel="noopener noreferrer"
+                            key="0"
+                        >
+                            Link
+                        </a>,
+                    ]}
+                >
+                    example_multiple_upstreams_reserved
+                </Trans>
+            </li>
             <li>
                 <code>{COMMENT_LINE_DEFAULT_TOKEN} comment</code>: <Trans>
                     example_upstream_comment

client/src/components/ui/Card.css

@@ -149,3 +149,7 @@
 .card .logs__row--blue {
     background-color: #ecf7ff;
 }
+
+[data-theme="dark"] .card .logs__row--blue {
+    background-color: var(--logs__row--blue-bgcolor);
+}

client/src/components/ui/Icons.css

@@ -24,6 +24,13 @@
     height: var(--size);
 }
 
+.icon--15 {
+    --size: 0.95rem;
+
+    width: var(--size);
+    height: var(--size);
+}
+
 .icon--gray {
     color: var(--gray-a5);
 }

client/src/components/ui/ReactTable.css

@@ -9,10 +9,6 @@
     overflow: visible;
 }
 
-.ReactTable .rt-tbody {
-    overflow: visible;
-}
-
 .ReactTable .rt-noData {
     color: var(--rt-nodata-color);
     background-color: var(--rt-nodata-bgcolor);

client/src/helpers/constants.js

@@ -26,6 +26,10 @@ export const R_WIN_ABSOLUTE_PATH = /^([a-zA-Z]:)?(\\|\/)(?:[^\\/:*?"<>|\x00]+\\)
 
 export const R_CLIENT_ID = /^[a-z0-9-]{1,63}$/;
 
+export const R_IPV4_SUBNET = /^([0-9]|[1-2][0-9]|3[0-2])?$/;
+
+export const R_IPV6_SUBNET = /^([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])?$/;
+
 export const MIN_PASSWORD_LENGTH = 8;
 export const MAX_PASSWORD_LENGTH = 72;
 

client/src/helpers/filters/filters.js

@@ -190,6 +190,12 @@ export default {
             "homepage": "https://github.com/hagezi/dns-blocklists#piracy",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_46.txt"
         },
+        "hagezi_encrypted_dns_vpn_tor_proxy_bypass": {
+            "name": "HaGeZi's Encrypted DNS/VPN/TOR/Proxy Bypass",
+            "categoryId": "security",
+            "homepage": "https://github.com/hagezi/dns-blocklists#bypass",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_52.txt"
+        },
         "hagezi_gambling_blocklist": {
             "name": "HaGeZi's Gambling Blocklist",
             "categoryId": "other",
@@ -202,12 +208,30 @@ export default {
             "homepage": "https://github.com/hagezi/dns-blocklists",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt"
         },
+        "hagezi_pro": {
+            "name": "HaGeZi's Pro Blocklist",
+            "categoryId": "general",
+            "homepage": "https://github.com/hagezi/dns-blocklists",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt"
+        },
+        "hagezi_pro++": {
+            "name": "HaGeZi's Pro++ Blocklist",
+            "categoryId": "general",
+            "homepage": "https://github.com/hagezi/dns-blocklists",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt"
+        },
         "hagezi_threat_intelligence_feeds": {
             "name": "HaGeZi's Threat Intelligence Feeds",
             "categoryId": "security",
             "homepage": "https://github.com/hagezi/dns-blocklists",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt"
         },
+        "hagezi_ultimate": {
+            "name": "HaGeZi's Ultimate Blocklist",
+            "categoryId": "general",
+            "homepage": "https://github.com/hagezi/dns-blocklists",
+            "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt"
+        },
         "no_google": {
             "name": "No Google",
             "categoryId": "other",

client/src/helpers/trackers/trackers.json

@@ -1,5 +1,5 @@
 {
-    "timeUpdated": "2023-10-15T12:13:01.838Z",
+    "timeUpdated": "2023-12-01T15:24:07.522Z",
     "categories": {
         "0": "audio_video_player",
         "1": "comments",
@@ -640,7 +640,8 @@
             "name": "AdChina",
             "categoryId": 4,
             "url": "http://www.adchina.com/",
-            "companyId": "alibaba"
+            "companyId": null,
+            "source": "AdGuard"
         },
         "adcito": {
             "name": "Adcito",
@@ -681,8 +682,9 @@
         "adcolony": {
             "name": "AdColony",
             "categoryId": 4,
-            "url": "thttp://www.admarvel.com/",
-            "companyId": "adcolony"
+            "url": "https://www.adcolony.com/history-of-adcolony/",
+            "companyId": "digital_turbine",
+            "source": "AdGuard"
         },
         "adconion": {
             "name": "Adconion",
@@ -1294,6 +1296,13 @@
             "url": "http://www.demdex.com/",
             "companyId": "adobe"
         },
+        "adobe_developer": {
+            "name": "Adobe Developer",
+            "categoryId": 8,
+            "url": "https://developer.adobe.com/",
+            "companyId": "adobe",
+            "source": "AdGuard"
+        },
         "adobe_dynamic_media": {
             "name": "Adobe Dynamic Media",
             "categoryId": 4,
@@ -1309,8 +1318,16 @@
         "adobe_experience_cloud": {
             "name": "Adobe Experience Cloud",
             "categoryId": 6,
-            "url": "https://www.adobe.com/experience-cloud.html",
-            "companyId": "adobe"
+            "url": "https://business.adobe.com/",
+            "companyId": "adobe",
+            "source": "AdGuard"
+        },
+        "adobe_experience_league": {
+            "name": "Adobe Experience League",
+            "categoryId": 6,
+            "url": "https://experienceleague.adobe.com/",
+            "companyId": "adobe",
+            "source": "AdGuard"
         },
         "adobe_login": {
             "name": "Adobe Login",
@@ -2272,27 +2289,29 @@
             "name": "Alibaba",
             "categoryId": 8,
             "url": "http://www.alibaba.com/",
-            "companyId": "alibaba"
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "alibaba_cloud": {
             "name": "Alibaba Cloud",
             "categoryId": 10,
             "url": "https://www.alibabacloud.com/",
-            "companyId": "alibaba",
+            "companyId": "softbank",
             "source": "AdGuard"
         },
         "alibaba_ucbrowser": {
             "name": "UC Browser",
             "categoryId": 8,
             "url": "https://ucweb.com/",
-            "companyId": "alibaba",
+            "companyId": "softbank",
             "source": "AdGuard"
         },
         "alipay.com": {
             "name": "Alipay",
             "categoryId": 2,
-            "url": "https://www.alipay.com/",
-            "companyId": "alibaba"
+            "url": "https://global.alipay.com/",
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "alivechat": {
             "name": "AliveChat",
@@ -3758,10 +3777,11 @@
             "companyId": "branica"
         },
         "braze": {
-            "name": "Braze",
+            "name": "Braze, Inc.",
             "categoryId": 6,
             "url": "https://www.braze.com/",
-            "companyId": "braze_inc"
+            "companyId": "braze",
+            "source": "AdGuard"
         },
         "brealtime": {
             "name": "EMX Digital",
@@ -4353,6 +4373,13 @@
             "url": "http://chartbeat.com/",
             "companyId": "chartbeat"
         },
+        "chartboost": {
+            "name": "Chartboost",
+            "categoryId": 4,
+            "url": "http://chartboost.com/",
+            "companyId": "take-two",
+            "source": "AdGuard"
+        },
         "chaser": {
             "name": "Chaser",
             "categoryId": 2,
@@ -7330,7 +7357,7 @@
             "name": "Flurry",
             "categoryId": 101,
             "url": "http://www.flurry.com/",
-            "companyId": "verizon",
+            "companyId": "apollo_global_management",
             "source": "AdGuard"
         },
         "flxone": {
@@ -12386,6 +12413,13 @@
             "url": "http://www.nimblecommerce.com/",
             "companyId": "nimblecommerce"
         },
+        "nine_direct_digital": {
+            "name": "Nine Digital Direct",
+            "categoryId": 4,
+            "url": "https://ninedigitaldirect.com.au/",
+            "companyId": "nine_entertainment",
+            "source": "AdGuard"
+        },
         "ninja_access_analysis": {
             "name": "Ninja Access Analysis",
             "categoryId": 6,
@@ -12511,7 +12545,7 @@
             "name": "Network Time Protocol",
             "categoryId": 5,
             "url": "https://ntp.org/",
-            "companyId": "ntppool",
+            "companyId": "network_time_foundation",
             "source": "AdGuard"
         },
         "nttcom_online_marketing_solutions": {
@@ -17039,7 +17073,8 @@
             "name": "Taobao",
             "categoryId": 4,
             "url": "https://world.taobao.com/",
-            "companyId": "alibaba"
+            "companyId": "softbank",
+            "source": "AdGuard"
         },
         "tapad": {
             "name": "Tapad",
@@ -19546,8 +19581,9 @@
         "yahoo": {
             "name": "Yahoo!",
             "categoryId": 6,
-            "url": "https://yahoo.com",
-            "companyId": "verizon"
+            "url": "https://yahoo.com/",
+            "companyId": "apollo_global_management",
+            "source": "AdGuard"
         },
         "yahoo_ad_exchange": {
             "name": "Yahoo! Ad Exchange",
@@ -19561,6 +19597,13 @@
             "url": "https://developer.yahoo.com/analytics/",
             "companyId": "verizon"
         },
+        "yahoo_advertising": {
+            "name": "Yahoo! Advertising",
+            "categoryId": 4,
+            "url": "https://www.advertising.yahooinc.com/",
+            "companyId": "apollo_global_management",
+            "source": "AdGuard"
+        },
         "yahoo_analytics": {
             "name": "Yahoo! Analytics",
             "categoryId": 6,
@@ -19591,6 +19634,13 @@
             "url": "http://searchmarketing.yahoo.com",
             "companyId": "verizon"
         },
+        "yahoo_search": {
+            "name": "Yahoo! Search",
+            "categoryId": 4,
+            "url": "https://search.yahooinc.com/",
+            "companyId": "apollo_global_management",
+            "source": "AdGuard"
+        },
         "yahoo_small_business": {
             "name": "Yahoo! Small Business",
             "categoryId": 4,
@@ -20228,6 +20278,7 @@
         "ad-cloud.jp": "adcloud",
         "admarvel.s3.amazonaws.com": "adcolony",
         "ads.admarvel.com": "adcolony",
+        "adcolony.com": "adcolony",
         "adrdgt.com": "adconion",
         "amgdgt.com": "adconion",
         "adcrowd.com": "adcrowd",
@@ -20382,6 +20433,7 @@
         "demdex.net": "adobe_audience_manager",
         "everestjs.net": "adobe_audience_manager",
         "everesttech.net": "adobe_audience_manager",
+        "adobe.io": "adobe_developer",
         "scene7.com": "adobe_dynamic_media",
         "adobedtm.com": "adobe_dynamic_tag_management",
         "2o7.net": "adobe_experience_cloud",
@@ -20391,6 +20443,7 @@
         "nedstat.com": "adobe_experience_cloud",
         "omtrdc.net": "adobe_experience_cloud",
         "sitestat.com": "adobe_experience_cloud",
+        "adobedc.net": "adobe_experience_league",
         "adobelogin.com": "adobe_login",
         "adobetag.com": "adobe_tagmanager",
         "typekit.com": "adobe_typekit",
@@ -20654,8 +20707,10 @@
         "a2z.com": "amazon",
         "aamazoncognito.com": "amazon",
         "amazon-corp.com": "amazon",
+        "amazon-dss.com": "amazon",
         "amazon.com.au": "amazon",
         "amazon.com.mx": "amazon",
+        "amazon.dev": "amazon",
         "amazon.in": "amazon",
         "amazon.nl": "amazon",
         "amazon.sa": "amazon",
@@ -20663,6 +20718,7 @@
         "amazonbrowserapp.es": "amazon",
         "amazoncrl.com": "amazon",
         "firetvcaptiveportal.com": "amazon",
+        "ntp-fireos.com": "amazon",
         "amazon-adsystem.com": "amazon_adsystem",
         "serving-sys.com": "amazon_adsystem",
         "sizmek.com": "amazon_adsystem",
@@ -20678,12 +20734,16 @@
         "amazontrust.com": "amazon_cdn",
         "associates-amazon.com": "amazon_cdn",
         "cloudfront.net": "amazon_cloudfront",
+        "ota-cloudfront.net": "amazon_cloudfront",
         "axx-eu.amazon-adsystem.com": "amazon_mobile_ads",
         "amazonpay.com": "amazon_payments",
         "payments-amazon.com": "amazon_payments",
         "amazonpay.in": "amazon_payments",
         "aiv-cdn.net": "amazon_video",
+        "aiv-delivery.net": "amazon_video",
         "amazonvideo.com": "amazon_video",
+        "pv-cdn.net": "amazon_video",
+        "primevideo.com": "amazon_video",
         "amazonaws.com": "amazon_web_services",
         "amazonwebservices.com": "amazon_web_services",
         "awsstatic.com": "amazon_web_services",
@@ -20830,6 +20890,8 @@
         "ad.globe7.com": "axill",
         "azadify.com": "azadify",
         "azure.com": "azure",
+        "azure.net": "azure",
+        "azurefd.net": "azure",
         "trafficmanager.net": "azure",
         "blob.core.windows.net": "azure_blob_storage",
         "azureedge.net": "azureedge.net",
@@ -20997,6 +21059,7 @@
         "brandwire.tv": "brandwire.tv",
         "branica.com": "branica",
         "appboycdn.com": "braze",
+        "braze.com": "braze",
         "brealtime.com": "brealtime",
         "bridgetrack.com": "bridgetrack",
         "brightcove.com": "brightcove",
@@ -21120,6 +21183,7 @@
         "chaordicsystems.com": "chaordic",
         "chartbeat.com": "chartbeat",
         "chartbeat.net": "chartbeat",
+        "chartboost.com": "chartboost",
         "chaser.ru": "chaser",
         "cloud.chatbeacon.io": "chat_beacon",
         "chatango.com": "chatango",
@@ -21929,7 +21993,9 @@
         "githubassets.com": "github",
         "githubusercontent.com": "github",
         "ghcr.io": "github",
+        "github.blog": "github",
         "github.dev": "github",
+        "octocaptcha.com": "github",
         "githubapp.com": "github_apps",
         "github.io": "github_pages",
         "aff3.gittigidiyor.com": "gittigidiyor_affiliate_program",
@@ -23088,7 +23154,16 @@
         "s-microsoft.com": "microsoft",
         "trouter.io": "microsoft",
         "windows.net": "microsoft",
+        "aka.ms": "microsoft",
+        "microsoftazuread-sso.com": "microsoft",
+        "bingapis.com": "microsoft",
+        "msauth.net": "microsoft",
+        "msauthimages.net": "microsoft",
+        "msftauth.net": "microsoft",
+        "msftstatic.com": "microsoft",
         "msidentity.com": "microsoft",
+        "nelreports.net": "microsoft",
+        "windowscentral.com": "microsoft",
         "analytics.live.com": "microsoft_analytics",
         "a.clarity.ms": "microsoft_clarity",
         "b.clarity.ms": "microsoft_clarity",
@@ -23173,10 +23248,14 @@
         "mrpdata.com": "mrpdata",
         "mrpdata.net": "mrpdata",
         "mrskincash.com": "mrskincash",
+        "a-msedge.net": "msedge",
+        "b-msedge.net": "msedge",
         "e-msedge.net": "msedge",
+        "k-msedge.net": "msedge",
         "l-msedge.net": "msedge",
         "s-msedge.net": "msedge",
         "t-msedge.net": "msedge",
+        "wac-msedge.net": "msedge",
         "msn.com": "msn",
         "s-msn.com": "msn",
         "musculahq.appspot.com": "muscula",
@@ -23294,6 +23373,7 @@
         "ads.ngageinc.com": "ngage_inc.",
         "nice264.com": "nice264.com",
         "nimblecommerce.com": "nimblecommerce",
+        "nineanalytics.io": "nine_direct_digital",
         "cho-chin.com": "ninja_access_analysis",
         "donburako.com": "ninja_access_analysis",
         "hishaku.com": "ninja_access_analysis",
@@ -24947,10 +25027,15 @@
         "yahoo.com": "yahoo",
         "yahooapis.com": "yahoo",
         "yimg.com": "yahoo",
-        "ads.yahoo.com": "yahoo_ad_exchange",
+        "oath.cloud": "yahoo",
+        "yahoo.net": "yahoo",
+        "yahooinc.com": "yahoo",
+        "yahoodns.net": "yahoo",
         "yads.yahoo.com": "yahoo_ad_exchange",
         "yieldmanager.com": "yahoo_ad_exchange",
         "pr-bh.ybp.yahoo.com": "yahoo_ad_manager",
+        "ads.yahoo.com": "yahoo_advertising",
+        "adtech.yahooinc.com": "yahoo_advertising",
         "analytics.yahoo.com": "yahoo_analytics",
         "np.lexity.com": "yahoo_commerce_central",
         "storage-yahoo.jp": "yahoo_japan_retargeting",
@@ -24960,6 +25045,7 @@
         "yjtag.jp": "yahoo_japan_retargeting",
         "ov.yahoo.co.jp": "yahoo_overture",
         "overture.com": "yahoo_overture",
+        "search.yahooinc.com": "yahoo_search",
         "luminate.com": "yahoo_small_business",
         "pixazza.com": "yahoo_small_business",
         "awaps.yandex.ru": "yandex",

client/src/helpers/validators.js

@@ -15,6 +15,8 @@ import {
     R_DOMAIN,
     MAX_PASSWORD_LENGTH,
     MIN_PASSWORD_LENGTH,
+    R_IPV4_SUBNET,
+    R_IPV6_SUBNET,
 } from './constants';
 import { ip4ToInt, isValidAbsolutePath } from './form';
 import { isIpInCidr, parseSubnetMask } from './helpers';
@@ -365,3 +367,25 @@ export const validateIpGateway = (value, allValues) => {
     }
     return undefined;
 };
+
+/**
+ * @param value {string}
+ * @returns {Function}
+ */
+export const validateIPv4Subnet = (value) => {
+    if (!R_IPV4_SUBNET.test(value)) {
+        return i18next.t('rate_limit_subnet_len_ipv4_error');
+    }
+    return undefined;
+};
+
+/**
+ * @param value {string}
+ * @returns {Function}
+ */
+export const validateIPv6Subnet = (value) => {
+    if (!R_IPV6_SUBNET.test(value)) {
+        return i18next.t('rate_limit_subnet_len_ipv6_error');
+    }
+    return undefined;
+};

client/src/reducers/dashboard.js

@@ -44,6 +44,19 @@ const dashboard = handleActions(
 
             return newState;
         },
+        [actions.timerStatusSuccess]: (state, { payload }) => {
+            const {
+                protection_enabled: protectionEnabled,
+                protection_disabled_duration: protectionDisabledDuration,
+            } = payload;
+            const newState = {
+                ...state,
+                protectionEnabled,
+                protectionDisabledDuration,
+            };
+
+            return newState;
+        },
 
         [actions.getVersionRequest]: (state) => ({
             ...state,

client/src/reducers/dhcp.js

@@ -128,8 +128,7 @@ const dhcp = handleActions(
             const newState = {
                 ...state,
                 isModalOpen: !state.isModalOpen,
-                modalType: payload?.type || '',
-                leaseModalConfig: payload?.config,
+                leaseModalConfig: payload,
             };
             return newState;
         },

client/src/reducers/dnsConfig.js

@@ -18,6 +18,7 @@ const dnsConfig = handleActions(
                 fallback_dns,
                 bootstrap_dns,
                 local_ptr_upstreams,
+                ratelimit_whitelist,
                 ...values
             } = payload;
 
@@ -30,6 +31,7 @@ const dnsConfig = handleActions(
                 fallback_dns: (fallback_dns && fallback_dns.join('\n')) || '',
                 bootstrap_dns: (bootstrap_dns && bootstrap_dns.join('\n')) || '',
                 local_ptr_upstreams: (local_ptr_upstreams && local_ptr_upstreams.join('\n')) || '',
+                ratelimit_whitelist: (ratelimit_whitelist && ratelimit_whitelist.join('\n')) || '',
                 processingGetConfig: false,
             };
         },

go.mod

@@ -3,21 +3,21 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.20
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.56.2
-	github.com/AdguardTeam/golibs v0.17.1
-	github.com/AdguardTeam/urlfilter v0.17.0
+	github.com/AdguardTeam/dnsproxy v0.60.1
+	github.com/AdguardTeam/golibs v0.18.0
+	github.com/AdguardTeam/urlfilter v0.17.3
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.7
 	github.com/bluele/gcache v0.0.2
 	github.com/digineo/go-ipset/v2 v2.2.1
 	github.com/dimfeld/httptreemux/v5 v5.5.0
-	github.com/fsnotify/fsnotify v1.6.0
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-ping/ping v1.1.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/gopacket v1.1.19
 	github.com/google/renameio/v2 v2.0.0
-	github.com/google/uuid v1.3.1
-	github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a
+	github.com/google/uuid v1.4.0
+	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.2
 	github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118
@@ -26,18 +26,18 @@ require (
 	// TODO(a.garipov): This package is deprecated; find a new one or use our
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
-	github.com/miekg/dns v1.1.56
-	github.com/quic-go/quic-go v0.39.1
+	github.com/miekg/dns v1.1.57
+	github.com/quic-go/quic-go v0.40.0
 	github.com/stretchr/testify v1.8.4
-	github.com/ti-mo/netfilter v0.5.0
-	go.etcd.io/bbolt v1.3.7
-	golang.org/x/crypto v0.14.0
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/net v0.17.0
-	golang.org/x/sys v0.13.0
+	github.com/ti-mo/netfilter v0.5.1
+	go.etcd.io/bbolt v1.3.8
+	golang.org/x/crypto v0.16.0
+	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
+	golang.org/x/net v0.19.0
+	golang.org/x/sys v0.15.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
-	howett.net/plist v1.0.0
+	howett.net/plist v1.0.1
 )
 
 require (
@@ -47,19 +47,20 @@ require (
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
-	github.com/mdlayher/socket v0.5.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.13.0 // indirect
+	github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08 // indirect
+	// TODO(a.garipov): Upgrade to v0.5.0 once we switch to Go 1.21+.
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
-	github.com/pierrec/lz4/v4 v4.1.18 // indirect
+	github.com/pierrec/lz4/v4 v4.1.19 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
+	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
 	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
 	go.uber.org/mock v0.3.0 // indirect
-	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/sync v0.4.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/tools v0.14.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 )

go.sum

@@ -1,9 +1,9 @@
-github.com/AdguardTeam/dnsproxy v0.56.2 h1:+k1iUmp05QIqkgXWyPn70fki4FouHe6vHIyHguelKao=
-github.com/AdguardTeam/dnsproxy v0.56.2/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM=
-github.com/AdguardTeam/golibs v0.17.1 h1:j3Ehhld5GI/amcHYG+CF0sJ4OOzAQ06BY3N/iBYJZ1M=
-github.com/AdguardTeam/golibs v0.17.1/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
-github.com/AdguardTeam/urlfilter v0.17.0 h1:tUzhtR9wMx704GIP3cibsDQJrixlMHfwoQbYJfPdFow=
-github.com/AdguardTeam/urlfilter v0.17.0/go.mod h1:bbuZjPUzm/Ip+nz5qPPbwIP+9rZyQbQad8Lt/0fCulU=
+github.com/AdguardTeam/dnsproxy v0.60.1 h1:YveGe7UZLaAiePkaV3orkc0IIfPX9vi/qQDIFdeO//A=
+github.com/AdguardTeam/dnsproxy v0.60.1/go.mod h1:B7FvvTFQZBfey1cJXQo732EyCLX6xj4JqrciCawATzg=
+github.com/AdguardTeam/golibs v0.18.0 h1:ckS2YK7t2Ub6UkXl0fnreVaM15Zb07Hh1gmFqttjpWg=
+github.com/AdguardTeam/golibs v0.18.0/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
+github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw=
+github.com/AdguardTeam/urlfilter v0.17.3/go.mod h1:Jru7jFfeH2CoDf150uDs+rRYcZBzHHBz05r9REyDKyE=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
@@ -25,9 +25,9 @@ github.com/digineo/go-ipset/v2 v2.2.1 h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1M
 github.com/digineo/go-ipset/v2 v2.2.1/go.mod h1:wBsNzJlZlABHUITkesrggFnZQtgW5wkqw1uo8Qxe0VU=
 github.com/dimfeld/httptreemux/v5 v5.5.0 h1:p8jkiMrCuZ0CmhwYLcbNbl7DDo21fozhKHQ2PccwOFQ=
 github.com/dimfeld/httptreemux/v5 v5.5.0/go.mod h1:QeEylH57C0v3VO0tkKraVz9oD3Uu93CKPnTLbsidvSw=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ping/ping v1.1.0 h1:3MCGhVX4fyEUuhsfwPrsEdQw6xspHkv5zHsiSoDFZYw=
 github.com/go-ping/ping v1.1.0/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk=
@@ -41,16 +41,16 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9RwLgmVFfReJN+KbQ8ExNEUUoQ=
-github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08 h1:PxlBVtIFHR/mtWk2i0gTEdCz+jBnqiuHNSki0epDbVs=
+github.com/google/pprof v0.0.0-20231205033806-a5a03c77bf08/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
-github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
+github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a h1:S33o3djA1nPRd+d/bf7jbbXytXuK/EoXow7+aa76grQ=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -71,19 +71,19 @@ github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU
 github.com/mdlayher/raw v0.1.0 h1:K4PFMVy+AFsp0Zdlrts7yNhxc/uXoPVHi9RzRvtZF2Y=
 github.com/mdlayher/raw v0.1.0/go.mod h1:yXnxvs6c0XoF/aK52/H5PjsVHmWBCFfZUfoh/Y5s9Sg=
 github.com/mdlayher/socket v0.2.1/go.mod h1:QLlNPkFR88mRUNQIzRBMfXxwKal8H7u1h3bL1CV+f0E=
-github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
-github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
-github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
-github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
-github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
+github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
-github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.19 h1:tYLzDnjDXh9qIxSTKHwXwOYmm9d887Y7Y1ZkyXYHAN4=
+github.com/pierrec/lz4/v4 v4.1.19/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -92,10 +92,10 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.4 h1:MfFAPULvst4yoMgY9QmtpYmfij/em7O8UUi+bNVm7Cg=
-github.com/quic-go/qtls-go1-20 v0.3.4/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
-github.com/quic-go/quic-go v0.39.1 h1:d/m3oaN/SD2c+f7/yEjZxe2zEVotXprnrCCJ2y/ZZFE=
-github.com/quic-go/quic-go v0.39.1/go.mod h1:T09QsDQWjLiQ74ZmacDfqZmhY/NLnw5BC40MANNNZ1Q=
+github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
+github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/quic-go v0.40.0 h1:GYd1iznlKm7dpHD7pOVpUvItgMPo/jrMgDWZhMCecqw=
+github.com/quic-go/quic-go v0.40.0/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c=
 github.com/shirou/gopsutil/v3 v3.23.7 h1:C+fHO8hfIppoJ1WdsVm1RoI0RwXoNdfTK7yWXV0wVj4=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -105,39 +105,39 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/ti-mo/netfilter v0.2.0/go.mod h1:8GbBGsY/8fxtyIdfwy29JiluNcPK4K7wIT+x42ipqUU=
-github.com/ti-mo/netfilter v0.5.0 h1:MZmsUw5bFRecOb0AeyjOPxTHg4UxYzyEs0Ek/6Lxoy8=
-github.com/ti-mo/netfilter v0.5.0/go.mod h1:nt+8B9hx/QpqHr7Hazq+2qMCCA8u2OTkyc/7+U9ARz8=
+github.com/ti-mo/netfilter v0.5.1 h1:cqamEd1c1zmpfpqvInLOro0Znq/RAfw2QL5wL2rAR/8=
+github.com/ti-mo/netfilter v0.5.1/go.mod h1:h9UPQ3ZrTZGBitay+LETMxZvNgWGK/efTUcqES2YiLw=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
 github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
 github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 h1:YcojQL98T/OO+rybuzn2+5KrD5dBwXIvYBvQ2cD3Avg=
 github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
+go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
 go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -148,19 +148,18 @@ golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
@@ -172,5 +171,5 @@ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
-howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
+howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=

internal/aghnet/hostscontainer.go

@@ -1,14 +1,17 @@
 package aghnet
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"io/fs"
 	"net/netip"
 	"path"
+	"strings"
 	"sync/atomic"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/hostsfile"
 	"github.com/AdguardTeam/golibs/log"
@@ -141,13 +144,9 @@ func NewHostsContainer(
 func (hc *HostsContainer) Close() (err error) {
 	log.Debug("%s: closing", hostsContainerPrefix)
 
-	err = hc.watcher.Close()
-	if err != nil {
-		err = fmt.Errorf("closing fs watcher: %w", err)
-
-		// Go on and close the container either way.
-	}
+	err = errors.Annotate(hc.watcher.Close(), "closing fs watcher: %w")
 
+	// Go on and close the container either way.
 	close(hc.done)
 
 	return err
@@ -319,3 +318,39 @@ func (hc *HostsContainer) refresh() (err error) {
 
 	return nil
 }
+
+// type check
+var _ upstream.Resolver = (*HostsContainer)(nil)
+
+// LookupNetIP implements the [upstream.Resolver] interface for *HostsContainer.
+func (hc *HostsContainer) LookupNetIP(
+	ctx context.Context,
+	network string,
+	hostname string,
+) (addrs []netip.Addr, err error) {
+	// TODO(e.burkov):  Think of extracting this logic to a golibs function if
+	// needed anywhere else.
+	var isDesiredProto func(ip netip.Addr) (ok bool)
+	switch network {
+	case "ip4":
+		isDesiredProto = (netip.Addr).Is4
+	case "ip6":
+		isDesiredProto = (netip.Addr).Is6
+	case "ip":
+		isDesiredProto = func(ip netip.Addr) (ok bool) { return true }
+	default:
+		return nil, fmt.Errorf("unsupported network: %q", network)
+	}
+
+	idx := hc.current.Load()
+	recs := idx.names[strings.ToLower(hostname)]
+
+	addrs = make([]netip.Addr, 0, len(recs))
+	for _, rec := range recs {
+		if isDesiredProto(rec.Addr) {
+			addrs = append(addrs, rec.Addr)
+		}
+	}
+
+	return slices.Clip(addrs), nil
+}

internal/aghnet/net.go

@@ -10,9 +10,11 @@ import (
 	"net"
 	"net/netip"
 	"net/url"
+	"strings"
 	"syscall"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
+	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 )
@@ -307,6 +309,50 @@ func ParseAddrPort(s string, defaultPort uint16) (ipp netip.AddrPort, err error)
 	return ipp, nil
 }
 
+// ParseSubnet parses s either as a CIDR prefix itself, or as an IP address,
+// returning the corresponding single-IP CIDR prefix.
+//
+// TODO(e.burkov):  Taken from dnsproxy, move to golibs.
+func ParseSubnet(s string) (p netip.Prefix, err error) {
+	if strings.Contains(s, "/") {
+		p, err = netip.ParsePrefix(s)
+		if err != nil {
+			return netip.Prefix{}, err
+		}
+	} else {
+		var ip netip.Addr
+		ip, err = netip.ParseAddr(s)
+		if err != nil {
+			return netip.Prefix{}, err
+		}
+
+		p = netip.PrefixFrom(ip, ip.BitLen())
+	}
+
+	return p, nil
+}
+
+// ParseBootstraps returns the slice of upstream resolvers parsed from addrs.
+// It additionally returns the closers for each resolver, that should be closed
+// after use.
+func ParseBootstraps(
+	addrs []string,
+	opts *upstream.Options,
+) (boots []*upstream.UpstreamResolver, err error) {
+	boots = make([]*upstream.UpstreamResolver, 0, len(boots))
+	for i, b := range addrs {
+		var r *upstream.UpstreamResolver
+		r, err = upstream.NewUpstreamResolver(b, opts)
+		if err != nil {
+			return nil, fmt.Errorf("bootstrap at index %d: %w", i, err)
+		}
+
+		boots = append(boots, r)
+	}
+
+	return boots, nil
+}
+
 // BroadcastFromPref calculates the broadcast IP address for p.
 func BroadcastFromPref(p netip.Prefix) (bc netip.Addr) {
 	bc = p.Addr().Unmap()

internal/aghtest/interface.go

@@ -11,6 +11,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
 	"github.com/AdguardTeam/AdGuardHome/internal/rdns"
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
+	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/miekg/dns"
 )
@@ -116,6 +117,26 @@ func (p *AddressUpdater) UpdateAddress(ip netip.Addr, host string, info *whois.I
 	p.OnUpdateAddress(ip, host, info)
 }
 
+// Package dnsforward
+
+// ClientsContainer is a fake [dnsforward.ClientsContainer] implementation for
+// tests.
+type ClientsContainer struct {
+	OnUpstreamConfigByID func(
+		id string,
+		boot upstream.Resolver,
+	) (conf *proxy.CustomUpstreamConfig, err error)
+}
+
+// UpstreamConfigByID implements the [dnsforward.ClientsContainer] interface
+// for *ClientsContainer.
+func (c *ClientsContainer) UpstreamConfigByID(
+	id string,
+	boot upstream.Resolver,
+) (conf *proxy.CustomUpstreamConfig, err error) {
+	return c.OnUpstreamConfigByID(id, boot)
+}
+
 // Package filtering
 
 // Resolver is a fake [filtering.Resolver] implementation for tests.

internal/aghtest/interface_test.go

@@ -2,6 +2,7 @@ package aghtest_test
 
 import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 )
 
@@ -9,3 +10,6 @@ import (
 
 // type check
 var _ filtering.Resolver = (*aghtest.Resolver)(nil)
+
+// type check
+var _ dnsforward.ClientsContainer = (*aghtest.ClientsContainer)(nil)

internal/confmigrate/migrator_test.go

@@ -7,11 +7,16 @@ import (
 	"testing"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/confmigrate"
+	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
 	yaml "gopkg.in/yaml.v3"
 )
 
+func TestMain(m *testing.M) {
+	testutil.DiscardLogOutput(m)
+}
+
 // testdata is a virtual filesystem containing test data.
 var testdata = os.DirFS("testdata")
 

internal/dhcpd/config.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/errors"
 )
 
@@ -49,16 +50,16 @@ type ServerConfig struct {
 // DHCPServer - DHCP server interface
 type DHCPServer interface {
 	// ResetLeases resets leases.
-	ResetLeases(leases []*Lease) (err error)
+	ResetLeases(leases []*dhcpsvc.Lease) (err error)
 	// GetLeases returns deep clones of the current leases.
-	GetLeases(flags GetLeasesFlags) (leases []*Lease)
+	GetLeases(flags GetLeasesFlags) (leases []*dhcpsvc.Lease)
 	// AddStaticLease - add a static lease
-	AddStaticLease(l *Lease) (err error)
+	AddStaticLease(l *dhcpsvc.Lease) (err error)
 	// RemoveStaticLease - remove a static lease
-	RemoveStaticLease(l *Lease) (err error)
+	RemoveStaticLease(l *dhcpsvc.Lease) (err error)
 
 	// UpdateStaticLease updates IP, hostname of the lease.
-	UpdateStaticLease(l *Lease) (err error)
+	UpdateStaticLease(l *dhcpsvc.Lease) (err error)
 
 	// FindMACbyIP returns a MAC address by the IP address of its lease, if
 	// there is one.
@@ -81,7 +82,7 @@ type DHCPServer interface {
 	Start() (err error)
 	// Stop - stop server
 	Stop() (err error)
-	getLeasesRef() []*Lease
+	getLeasesRef() []*dhcpsvc.Lease
 }
 
 // V4ServerConf - server configuration

internal/dhcpd/db.go

@@ -5,9 +5,13 @@ package dhcpd
 import (
 	"encoding/json"
 	"fmt"
+	"net"
+	"net/netip"
 	"os"
 	"strings"
+	"time"
 
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/google/renameio/v2/maybe"
@@ -28,7 +32,60 @@ type dataLeases struct {
 	Version int `json:"version"`
 
 	// Leases is the list containing stored DHCP leases.
-	Leases []*Lease `json:"leases"`
+	Leases []*dbLease `json:"leases"`
+}
+
+// dbLease is the structure of stored lease.
+type dbLease struct {
+	Expiry   string     `json:"expires"`
+	IP       netip.Addr `json:"ip"`
+	Hostname string     `json:"hostname"`
+	HWAddr   string     `json:"mac"`
+	IsStatic bool       `json:"static"`
+}
+
+// fromLease converts *dhcpsvc.Lease to *dbLease.
+func fromLease(l *dhcpsvc.Lease) (dl *dbLease) {
+	var expiryStr string
+	if !l.IsStatic {
+		// The front-end is waiting for RFC 3999 format of the time value.  It
+		// also shouldn't got an Expiry field for static leases.
+		//
+		// See https://github.com/AdguardTeam/AdGuardHome/issues/2692.
+		expiryStr = l.Expiry.Format(time.RFC3339)
+	}
+
+	return &dbLease{
+		Expiry:   expiryStr,
+		Hostname: l.Hostname,
+		HWAddr:   l.HWAddr.String(),
+		IP:       l.IP,
+		IsStatic: l.IsStatic,
+	}
+}
+
+// toLease converts *dbLease to *dhcpsvc.Lease.
+func (dl *dbLease) toLease() (l *dhcpsvc.Lease, err error) {
+	mac, err := net.ParseMAC(dl.HWAddr)
+	if err != nil {
+		return nil, fmt.Errorf("parsing hardware address: %w", err)
+	}
+
+	expiry := time.Time{}
+	if !dl.IsStatic {
+		expiry, err = time.Parse(time.RFC3339, dl.Expiry)
+		if err != nil {
+			return nil, fmt.Errorf("parsing expiry time: %w", err)
+		}
+	}
+
+	return &dhcpsvc.Lease{
+		Expiry:   expiry,
+		IP:       dl.IP,
+		Hostname: dl.Hostname,
+		HWAddr:   mac,
+		IsStatic: dl.IsStatic,
+	}, nil
 }
 
 // dbLoad loads stored leases.
@@ -49,15 +106,22 @@ func (s *server) dbLoad() (err error) {
 	}
 
 	leases := dl.Leases
-
-	leases4 := []*Lease{}
-	leases6 := []*Lease{}
+	leases4 := []*dhcpsvc.Lease{}
+	leases6 := []*dhcpsvc.Lease{}
 
 	for _, l := range leases {
-		if l.IP.Is4() {
-			leases4 = append(leases4, l)
+		var lease *dhcpsvc.Lease
+		lease, err = l.toLease()
+		if err != nil {
+			log.Info("dhcp: invalid lease: %s", err)
+
+			continue
+		}
+
+		if lease.IP.Is4() {
+			leases4 = append(leases4, lease)
 		} else {
-			leases6 = append(leases6, l)
+			leases6 = append(leases6, lease)
 		}
 	}
 
@@ -73,8 +137,12 @@ func (s *server) dbLoad() (err error) {
 		}
 	}
 
-	log.Info("dhcp: loaded leases v4:%d  v6:%d  total-read:%d from DB",
-		len(leases4), len(leases6), len(leases))
+	log.Info(
+		"dhcp: loaded leases v4:%d  v6:%d  total-read:%d from DB",
+		len(leases4),
+		len(leases6),
+		len(leases),
+	)
 
 	return nil
 }
@@ -83,24 +151,26 @@ func (s *server) dbLoad() (err error) {
 func (s *server) dbStore() (err error) {
 	// Use an empty slice here as opposed to nil so that it doesn't write
 	// "null" into the database file if leases are empty.
-	leases := []*Lease{}
+	leases := []*dbLease{}
 
-	leases4 := s.srv4.getLeasesRef()
-	leases = append(leases, leases4...)
+	for _, l := range s.srv4.getLeasesRef() {
+		leases = append(leases, fromLease(l))
+	}
 
 	if s.srv6 != nil {
-		leases6 := s.srv6.getLeasesRef()
-		leases = append(leases, leases6...)
+		for _, l := range s.srv6.getLeasesRef() {
+			leases = append(leases, fromLease(l))
+		}
 	}
 
 	return writeDB(s.conf.dbFilePath, leases)
 }
 
 // writeDB writes leases to file at path.
-func writeDB(path string, leases []*Lease) (err error) {
+func writeDB(path string, leases []*dbLease) (err error) {
 	defer func() { err = errors.Annotate(err, "writing db: %w") }()
 
-	slices.SortFunc(leases, func(a, b *Lease) (res int) {
+	slices.SortFunc(leases, func(a, b *dbLease) (res int) {
 		return strings.Compare(a.Hostname, b.Hostname)
 	})
 

internal/dhcpd/dhcpd.go

@@ -2,7 +2,6 @@
 package dhcpd
 
 import (
-	"encoding/json"
 	"fmt"
 	"net"
 	"net/netip"
@@ -12,7 +11,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/timeutil"
-	"golang.org/x/exp/slices"
 )
 
 const (
@@ -29,105 +27,6 @@ const (
 	defaultBackoff     time.Duration = 500 * time.Millisecond
 )
 
-// Lease contains the necessary information about a DHCP lease.  It's used as is
-// in the database, so don't change it until it's absolutely necessary, see
-// [dataVersion].
-//
-// TODO(e.burkov):  Unexport it and use [dhcpsvc.Lease].
-type Lease struct {
-	// Expiry is the expiration time of the lease.
-	Expiry time.Time `json:"expires"`
-
-	// Hostname of the client.
-	Hostname string `json:"hostname"`
-
-	// HWAddr is the physical hardware address (MAC address).
-	HWAddr net.HardwareAddr `json:"mac"`
-
-	// IP is the IP address leased to the client.
-	IP netip.Addr `json:"ip"`
-
-	// IsStatic defines if the lease is static.
-	IsStatic bool `json:"static"`
-}
-
-// Clone returns a deep copy of l.
-func (l *Lease) Clone() (clone *Lease) {
-	if l == nil {
-		return nil
-	}
-
-	return &Lease{
-		Expiry:   l.Expiry,
-		Hostname: l.Hostname,
-		HWAddr:   slices.Clone(l.HWAddr),
-		IP:       l.IP,
-		IsStatic: l.IsStatic,
-	}
-}
-
-// IsBlocklisted returns true if the lease is blocklisted.
-//
-// TODO(a.garipov): Just make it a boolean field.
-func (l *Lease) IsBlocklisted() (ok bool) {
-	if len(l.HWAddr) == 0 {
-		return false
-	}
-
-	for _, b := range l.HWAddr {
-		if b != 0 {
-			return false
-		}
-	}
-
-	return true
-}
-
-// MarshalJSON implements the json.Marshaler interface for Lease.
-func (l Lease) MarshalJSON() ([]byte, error) {
-	var expiryStr string
-	if !l.IsStatic {
-		// The front-end is waiting for RFC 3999 format of the time
-		// value.  It also shouldn't got an Expiry field for static
-		// leases.
-		//
-		// See https://github.com/AdguardTeam/AdGuardHome/issues/2692.
-		expiryStr = l.Expiry.Format(time.RFC3339)
-	}
-
-	type lease Lease
-	return json.Marshal(&struct {
-		HWAddr string `json:"mac"`
-		Expiry string `json:"expires,omitempty"`
-		lease
-	}{
-		HWAddr: l.HWAddr.String(),
-		Expiry: expiryStr,
-		lease:  lease(l),
-	})
-}
-
-// UnmarshalJSON implements the json.Unmarshaler interface for *Lease.
-func (l *Lease) UnmarshalJSON(data []byte) (err error) {
-	type lease Lease
-	aux := struct {
-		*lease
-		HWAddr string `json:"mac"`
-	}{
-		lease: (*lease)(l),
-	}
-	if err = json.Unmarshal(data, &aux); err != nil {
-		return err
-	}
-
-	l.HWAddr, err = net.ParseMAC(aux.HWAddr)
-	if err != nil {
-		return fmt.Errorf("couldn't parse MAC address: %w", err)
-	}
-
-	return nil
-}
-
 // OnLeaseChangedT is a callback for lease changes.
 type OnLeaseChangedT func(flags int)
 
@@ -370,19 +269,7 @@ func (s *server) Stop() (err error) {
 
 // Leases returns the list of active DHCP leases.
 func (s *server) Leases() (leases []*dhcpsvc.Lease) {
-	ls := append(s.srv4.GetLeases(LeasesAll), s.srv6.GetLeases(LeasesAll)...)
-	leases = make([]*dhcpsvc.Lease, len(ls))
-	for i, l := range ls {
-		leases[i] = &dhcpsvc.Lease{
-			Expiry:   l.Expiry,
-			Hostname: l.Hostname,
-			HWAddr:   l.HWAddr,
-			IP:       l.IP,
-			IsStatic: l.IsStatic,
-		}
-	}
-
-	return leases
+	return append(s.srv4.GetLeases(LeasesAll), s.srv6.GetLeases(LeasesAll)...)
 }
 
 // MACByIP returns a MAC address by the IP address of its lease, if there is
@@ -414,6 +301,6 @@ func (s *server) IPByHost(host string) (ip netip.Addr) {
 }
 
 // AddStaticLease - add static v4 lease
-func (s *server) AddStaticLease(l *Lease) error {
+func (s *server) AddStaticLease(l *dhcpsvc.Lease) error {
 	return s.srv4.AddStaticLease(l)
 }

internal/dhcpd/dhcpd_unix_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -44,7 +45,7 @@ func TestDB(t *testing.T) {
 	s.srv6, err = v6Create(V6ServerConf{})
 	require.NoError(t, err)
 
-	leases := []*Lease{{
+	leases := []*dhcpsvc.Lease{{
 		Expiry:   time.Now().Add(time.Hour),
 		Hostname: "static-1.local",
 		HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},

internal/dhcpd/http_unix.go

@@ -93,13 +93,13 @@ func leasesToStatic(leases []*dhcpsvc.Lease) (static []*leaseStatic) {
 }
 
 // toLease converts leaseStatic to Lease or returns error.
-func (l *leaseStatic) toLease() (lease *Lease, err error) {
+func (l *leaseStatic) toLease() (lease *dhcpsvc.Lease, err error) {
 	addr, err := net.ParseMAC(l.HWAddr)
 	if err != nil {
 		return nil, fmt.Errorf("couldn't parse MAC address: %w", err)
 	}
 
-	return &Lease{
+	return &dhcpsvc.Lease{
 		HWAddr:   addr,
 		IP:       l.IP,
 		Hostname: l.Hostname,
@@ -593,7 +593,7 @@ func setOtherDHCPResult(ifaceName string, result *dhcpSearchResult) {
 
 // parseLease parses a lease from r.  If there is no error returns DHCPServer
 // and *Lease. r must be non-nil.
-func (s *server) parseLease(r io.Reader) (srv DHCPServer, lease *Lease, err error) {
+func (s *server) parseLease(r io.Reader) (srv DHCPServer, lease *dhcpsvc.Lease, err error) {
 	l := &leaseStatic{}
 	err = json.NewDecoder(r).Decode(l)
 	if err != nil {

internal/dhcpd/migrate.go

@@ -2,6 +2,7 @@ package dhcpd
 
 import (
 	"encoding/json"
+	"fmt"
 	"net"
 	"net/netip"
 	"os"
@@ -25,9 +26,9 @@ const (
 	dbFilename = "leases.db"
 )
 
-// leaseJSON is the structure of stored lease.
+// leaseJSON is the structure of stored lease in a legacy database.
 //
-// Deprecated:  Use [Lease].
+// Deprecated:  Use [dbLease].
 type leaseJSON struct {
 	HWAddr   []byte `json:"mac"`
 	IP       []byte `json:"ip"`
@@ -35,13 +36,28 @@ type leaseJSON struct {
 	Expiry   int64  `json:"exp"`
 }
 
-func normalizeIP(ip net.IP) net.IP {
-	ip4 := ip.To4()
-	if ip4 != nil {
-		return ip4
+// readOldDB reads the old database from the given path.
+func readOldDB(path string) (leases []*leaseJSON, err error) {
+	// #nosec G304 -- Trust this path, since it's taken from the old file name
+	// relative to the working directory and should generally be considered
+	// safe.
+	file, err := os.Open(path)
+	if errors.Is(err, os.ErrNotExist) {
+		// Nothing to migrate.
+		return nil, nil
+	} else if err != nil {
+		// Don't wrap the error since it's informative enough as is.
+		return nil, err
+	}
+	defer func() { err = errors.WithDeferred(err, file.Close()) }()
+
+	leases = []*leaseJSON{}
+	err = json.NewDecoder(file).Decode(&leases)
+	if err != nil {
+		return nil, fmt.Errorf("decoding old db: %w", err)
 	}
 
-	return ip
+	return leases, nil
 }
 
 // migrateDB migrates stored leases if necessary.
@@ -51,59 +67,50 @@ func migrateDB(conf *ServerConfig) (err error) {
 	oldLeasesPath := filepath.Join(conf.WorkDir, dbFilename)
 	dataDirPath := filepath.Join(conf.DataDir, dataFilename)
 
-	// #nosec G304 -- Trust this path, since it's taken from the old file name
-	// relative to the working directory and should generally be considered
-	// safe.
-	file, err := os.Open(oldLeasesPath)
-	if errors.Is(err, os.ErrNotExist) {
+	oldLeases, err := readOldDB(oldLeasesPath)
+	if err != nil {
+		// Don't wrap the error since it's informative enough as is.
+		return err
+	} else if oldLeases == nil {
 		// Nothing to migrate.
 		return nil
-	} else if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return err
 	}
 
-	ljs := []leaseJSON{}
-	err = json.NewDecoder(file).Decode(&ljs)
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return err
-	}
-
-	err = file.Close()
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return err
-	}
-
-	leases := []*Lease{}
-
-	for _, lj := range ljs {
-		lj.IP = normalizeIP(lj.IP)
-
-		ip, ok := netip.AddrFromSlice(lj.IP)
+	leases := make([]*dbLease, 0, len(oldLeases))
+	for _, l := range oldLeases {
+		l.IP = normalizeIP(l.IP)
+		ip, ok := netip.AddrFromSlice(l.IP)
 		if !ok {
-			log.Info("dhcp: invalid IP: %s", lj.IP)
+			log.Info("dhcp: invalid IP: %s", l.IP)
 
 			continue
 		}
 
-		lease := &Lease{
-			Expiry:   time.Unix(lj.Expiry, 0),
-			Hostname: lj.Hostname,
-			HWAddr:   lj.HWAddr,
+		leases = append(leases, &dbLease{
+			Expiry:   time.Unix(l.Expiry, 0).Format(time.RFC3339),
+			Hostname: l.Hostname,
+			HWAddr:   net.HardwareAddr(l.HWAddr).String(),
 			IP:       ip,
-			IsStatic: lj.Expiry == leaseExpireStatic,
-		}
-
-		leases = append(leases, lease)
+			IsStatic: l.Expiry == leaseExpireStatic,
+		})
 	}
 
 	err = writeDB(dataDirPath, leases)
 	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
+		// Don't wrap the error since an annotation deferred already.
 		return err
 	}
 
 	return os.Remove(oldLeasesPath)
 }
+
+// normalizeIP converts the given IP address to IPv4 if it's IPv4-mapped IPv6,
+// or leaves it as is otherwise.
+func normalizeIP(ip net.IP) (normalized net.IP) {
+	normalized = ip.To4()
+	if normalized != nil {
+		return normalized
+	}
+
+	return ip
+}

internal/dhcpd/migrate_internal_test.go

@@ -2,7 +2,6 @@ package dhcpd
 
 import (
 	"encoding/json"
-	"net"
 	"net/netip"
 	"os"
 	"path/filepath"
@@ -27,16 +26,16 @@ func TestMigrateDB(t *testing.T) {
 	err := os.WriteFile(oldLeasesPath, []byte(testData), 0o644)
 	require.NoError(t, err)
 
-	wantLeases := []*Lease{{
-		Expiry:   time.Time{},
+	wantLeases := []*dbLease{{
+		Expiry:   time.Unix(1, 0).Format(time.RFC3339),
 		Hostname: "test1",
-		HWAddr:   net.HardwareAddr{0x11, 0x22, 0x33, 0x44, 0x55, 0x66},
+		HWAddr:   "11:22:33:44:55:66",
 		IP:       netip.MustParseAddr("1.2.3.4"),
 		IsStatic: true,
 	}, {
-		Expiry:   time.Unix(1231231231, 0),
+		Expiry:   time.Unix(1231231231, 0).Format(time.RFC3339),
 		Hostname: "test2",
-		HWAddr:   net.HardwareAddr{0x66, 0x55, 0x44, 0x33, 0x22, 0x11},
+		HWAddr:   "66:55:44:33:22:11",
 		IP:       netip.MustParseAddr("4.3.2.1"),
 		IsStatic: false,
 	}}
@@ -62,12 +61,12 @@ func TestMigrateDB(t *testing.T) {
 
 	leases := dl.Leases
 
-	for i, wl := range wantLeases {
-		assert.Equal(t, wl.Hostname, leases[i].Hostname)
-		assert.Equal(t, wl.HWAddr, leases[i].HWAddr)
-		assert.Equal(t, wl.IP, leases[i].IP)
-		assert.Equal(t, wl.IsStatic, leases[i].IsStatic)
+	for i, wantLease := range wantLeases {
+		assert.Equal(t, wantLease.Hostname, leases[i].Hostname)
+		assert.Equal(t, wantLease.HWAddr, leases[i].HWAddr)
+		assert.Equal(t, wantLease.IP, leases[i].IP)
+		assert.Equal(t, wantLease.IsStatic, leases[i].IsStatic)
 
-		require.True(t, wl.Expiry.Equal(leases[i].Expiry))
+		require.Equal(t, wantLease.Expiry, leases[i].Expiry)
 	}
 }

internal/dhcpd/v46_windows.go

@@ -7,6 +7,8 @@ package dhcpd
 import (
 	"net"
 	"net/netip"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 )
 
 type winServer struct{}
@@ -14,19 +16,19 @@ type winServer struct{}
 // type check
 var _ DHCPServer = winServer{}
 
-func (winServer) ResetLeases(_ []*Lease) (err error)              { return nil }
-func (winServer) GetLeases(_ GetLeasesFlags) (leases []*Lease)    { return nil }
-func (winServer) getLeasesRef() []*Lease                          { return nil }
-func (winServer) AddStaticLease(_ *Lease) (err error)             { return nil }
-func (winServer) RemoveStaticLease(_ *Lease) (err error)          { return nil }
-func (winServer) UpdateStaticLease(_ *Lease) (err error)          { return nil }
-func (winServer) FindMACbyIP(_ netip.Addr) (mac net.HardwareAddr) { return nil }
-func (winServer) WriteDiskConfig4(_ *V4ServerConf)                {}
-func (winServer) WriteDiskConfig6(_ *V6ServerConf)                {}
-func (winServer) Start() (err error)                              { return nil }
-func (winServer) Stop() (err error)                               { return nil }
-func (winServer) HostByIP(_ netip.Addr) (host string)             { return "" }
-func (winServer) IPByHost(_ string) (ip netip.Addr)               { return netip.Addr{} }
+func (winServer) ResetLeases(_ []*dhcpsvc.Lease) (err error)           { return nil }
+func (winServer) GetLeases(_ GetLeasesFlags) (leases []*dhcpsvc.Lease) { return nil }
+func (winServer) getLeasesRef() []*dhcpsvc.Lease                       { return nil }
+func (winServer) AddStaticLease(_ *dhcpsvc.Lease) (err error)          { return nil }
+func (winServer) RemoveStaticLease(_ *dhcpsvc.Lease) (err error)       { return nil }
+func (winServer) UpdateStaticLease(_ *dhcpsvc.Lease) (err error)       { return nil }
+func (winServer) FindMACbyIP(_ netip.Addr) (mac net.HardwareAddr)      { return nil }
+func (winServer) WriteDiskConfig4(_ *V4ServerConf)                     {}
+func (winServer) WriteDiskConfig6(_ *V6ServerConf)                     {}
+func (winServer) Start() (err error)                                   { return nil }
+func (winServer) Stop() (err error)                                    { return nil }
+func (winServer) HostByIP(_ netip.Addr) (host string)                  { return "" }
+func (winServer) IPByHost(_ string) (ip netip.Addr)                    { return netip.Addr{} }
 
 func v4Create(_ *V4ServerConf) (s DHCPServer, err error) { return winServer{}, nil }
 func v6Create(_ V6ServerConf) (s DHCPServer, err error)  { return winServer{}, nil }

internal/dhcpd/v4_unix.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -38,7 +39,7 @@ type v4Server struct {
 	// have intersections with [implicitOpts].
 	explicitOpts dhcpv4.Options
 
-	// leasesLock protects leases, leaseHosts, and leasedOffsets.
+	// leasesLock protects leases, hostsIndex, ipIndex, and leasedOffsets.
 	leasesLock sync.Mutex
 
 	// leasedOffsets contains offsets from conf.ipRange.start that have been
@@ -46,13 +47,13 @@ type v4Server struct {
 	leasedOffsets *bitSet
 
 	// leases contains all dynamic and static leases.
-	leases []*Lease
+	leases []*dhcpsvc.Lease
 
 	// hostsIndex is the set of all hostnames of all known DHCP clients.
-	hostsIndex map[string]*Lease
+	hostsIndex map[string]*dhcpsvc.Lease
 
 	// ipIndex is an index of leases by their IP addresses.
-	ipIndex map[netip.Addr]*Lease
+	ipIndex map[netip.Addr]*dhcpsvc.Lease
 }
 
 func (s *v4Server) enabled() (ok bool) {
@@ -141,7 +142,7 @@ func (s *v4Server) IPByHost(host string) (ip netip.Addr) {
 }
 
 // ResetLeases resets leases.
-func (s *v4Server) ResetLeases(leases []*Lease) (err error) {
+func (s *v4Server) ResetLeases(leases []*dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv4: %w") }()
 
 	if s.conf == nil {
@@ -152,8 +153,8 @@ func (s *v4Server) ResetLeases(leases []*Lease) (err error) {
 	defer s.leasesLock.Unlock()
 
 	s.leasedOffsets = newBitSet()
-	s.hostsIndex = make(map[string]*Lease, len(leases))
-	s.ipIndex = make(map[netip.Addr]*Lease, len(leases))
+	s.hostsIndex = make(map[string]*dhcpsvc.Lease, len(leases))
+	s.ipIndex = make(map[netip.Addr]*dhcpsvc.Lease, len(leases))
 	s.leases = nil
 
 	for _, l := range leases {
@@ -173,14 +174,14 @@ func (s *v4Server) ResetLeases(leases []*Lease) (err error) {
 }
 
 // getLeasesRef returns the actual leases slice.  For internal use only.
-func (s *v4Server) getLeasesRef() []*Lease {
+func (s *v4Server) getLeasesRef() []*dhcpsvc.Lease {
 	return s.leases
 }
 
 // isBlocklisted returns true if this lease holds a blocklisted IP.
 //
 // TODO(a.garipov): Make a method of *Lease?
-func (s *v4Server) isBlocklisted(l *Lease) (ok bool) {
+func (s *v4Server) isBlocklisted(l *dhcpsvc.Lease) (ok bool) {
 	if len(l.HWAddr) == 0 {
 		return false
 	}
@@ -196,11 +197,11 @@ func (s *v4Server) isBlocklisted(l *Lease) (ok bool) {
 
 // GetLeases returns the list of current DHCP leases.  It is safe for concurrent
 // use.
-func (s *v4Server) GetLeases(flags GetLeasesFlags) (leases []*Lease) {
+func (s *v4Server) GetLeases(flags GetLeasesFlags) (leases []*dhcpsvc.Lease) {
 	// The function shouldn't return nil, because zero-length slice behaves
 	// differently in cases like marshalling.  Our front-end also requires
 	// a non-nil value in the response.
-	leases = []*Lease{}
+	leases = []*dhcpsvc.Lease{}
 
 	getDynamic := flags&LeasesDynamic != 0
 	getStatic := flags&LeasesStatic != 0
@@ -248,7 +249,7 @@ func (s *v4Server) FindMACbyIP(ip netip.Addr) (mac net.HardwareAddr) {
 const defaultHwAddrLen = 6
 
 // Add the specified IP to the black list for a time period
-func (s *v4Server) blocklistLease(l *Lease) {
+func (s *v4Server) blocklistLease(l *dhcpsvc.Lease) {
 	l.HWAddr = make(net.HardwareAddr, defaultHwAddrLen)
 	l.Hostname = ""
 	l.Expiry = time.Now().Add(s.conf.leaseTime)
@@ -284,7 +285,7 @@ func (s *v4Server) rmLeaseByIndex(i int) {
 // Return error if a static lease is found
 //
 // TODO(s.chzhen):  Refactor the code.
-func (s *v4Server) rmDynamicLease(lease *Lease) (err error) {
+func (s *v4Server) rmDynamicLease(lease *dhcpsvc.Lease) (err error) {
 	for i, l := range s.leases {
 		isStatic := l.IsStatic
 
@@ -320,7 +321,7 @@ const (
 )
 
 // addLease adds a dynamic or static lease.
-func (s *v4Server) addLease(l *Lease) (err error) {
+func (s *v4Server) addLease(l *dhcpsvc.Lease) (err error) {
 	r := s.conf.ipRange
 	leaseIP := net.IP(l.IP.AsSlice())
 	offset, inOffset := r.offset(leaseIP)
@@ -352,7 +353,7 @@ func (s *v4Server) addLease(l *Lease) (err error) {
 }
 
 // rmLease removes a lease with the same properties.
-func (s *v4Server) rmLease(lease *Lease) (err error) {
+func (s *v4Server) rmLease(lease *dhcpsvc.Lease) (err error) {
 	if len(s.leases) == 0 {
 		return nil
 	}
@@ -378,7 +379,7 @@ const ErrUnconfigured errors.Error = "server is unconfigured"
 
 // AddStaticLease implements the DHCPServer interface for *v4Server.  It is
 // safe for concurrent use.
-func (s *v4Server) AddStaticLease(l *Lease) (err error) {
+func (s *v4Server) AddStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv4: adding static lease: %w") }()
 
 	if s.conf == nil {
@@ -435,7 +436,7 @@ func (s *v4Server) AddStaticLease(l *Lease) (err error) {
 }
 
 // UpdateStaticLease updates IP, hostname of the static lease.
-func (s *v4Server) UpdateStaticLease(l *Lease) (err error) {
+func (s *v4Server) UpdateStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() {
 		if err != nil {
 			err = errors.Annotate(err, "dhcpv4: updating static lease: %w")
@@ -474,7 +475,7 @@ func (s *v4Server) UpdateStaticLease(l *Lease) (err error) {
 }
 
 // validateStaticLease returns an error if the static lease is invalid.
-func (s *v4Server) validateStaticLease(l *Lease) (err error) {
+func (s *v4Server) validateStaticLease(l *dhcpsvc.Lease) (err error) {
 	hostname, err := normalizeHostname(l.Hostname)
 	if err != nil {
 		// Don't wrap the error, because it's informative enough as is.
@@ -511,7 +512,7 @@ func (s *v4Server) validateStaticLease(l *Lease) (err error) {
 
 // updateStaticLease safe removes dynamic lease with the same properties and
 // then adds a static lease l.
-func (s *v4Server) updateStaticLease(l *Lease) (err error) {
+func (s *v4Server) updateStaticLease(l *dhcpsvc.Lease) (err error) {
 	s.leasesLock.Lock()
 	defer s.leasesLock.Unlock()
 
@@ -529,7 +530,7 @@ func (s *v4Server) updateStaticLease(l *Lease) (err error) {
 }
 
 // RemoveStaticLease removes a static lease.  It is safe for concurrent use.
-func (s *v4Server) RemoveStaticLease(l *Lease) (err error) {
+func (s *v4Server) RemoveStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv4: %w") }()
 
 	if s.conf == nil {
@@ -606,7 +607,7 @@ func (s *v4Server) addrAvailable(target net.IP) (avail bool) {
 }
 
 // findLease finds a lease by its MAC-address.
-func (s *v4Server) findLease(mac net.HardwareAddr) (l *Lease) {
+func (s *v4Server) findLease(mac net.HardwareAddr) (l *dhcpsvc.Lease) {
 	for _, l = range s.leases {
 		if bytes.Equal(mac, l.HWAddr) {
 			return l
@@ -646,8 +647,8 @@ func (s *v4Server) findExpiredLease() int {
 
 // reserveLease reserves a lease for a client by its MAC-address.  It returns
 // nil if it couldn't allocate a new lease.
-func (s *v4Server) reserveLease(mac net.HardwareAddr) (l *Lease, err error) {
-	l = &Lease{HWAddr: slices.Clone(mac)}
+func (s *v4Server) reserveLease(mac net.HardwareAddr) (l *dhcpsvc.Lease, err error) {
+	l = &dhcpsvc.Lease{HWAddr: slices.Clone(mac)}
 
 	nextIP := s.nextIP()
 	if nextIP == nil {
@@ -679,7 +680,7 @@ func (s *v4Server) reserveLease(mac net.HardwareAddr) (l *Lease, err error) {
 // commitLease refreshes l's values.  It takes the desired hostname into account
 // when setting it into the lease, but generates a unique one if the provided
 // can't be used.
-func (s *v4Server) commitLease(l *Lease, hostname string) {
+func (s *v4Server) commitLease(l *dhcpsvc.Lease, hostname string) {
 	prev := l.Hostname
 	hostname = s.validHostnameForClient(hostname, l.IP)
 
@@ -709,7 +710,7 @@ func (s *v4Server) commitLease(l *Lease, hostname string) {
 
 // allocateLease allocates a new lease for the MAC address.  If there are no IP
 // addresses left, both l and err are nil.
-func (s *v4Server) allocateLease(mac net.HardwareAddr) (l *Lease, err error) {
+func (s *v4Server) allocateLease(mac net.HardwareAddr) (l *dhcpsvc.Lease, err error) {
 	for {
 		l, err = s.reserveLease(mac)
 		if err != nil {
@@ -728,7 +729,7 @@ func (s *v4Server) allocateLease(mac net.HardwareAddr) (l *Lease, err error) {
 }
 
 // handleDiscover is the handler for the DHCP Discover request.
-func (s *v4Server) handleDiscover(req, resp *dhcpv4.DHCPv4) (l *Lease, err error) {
+func (s *v4Server) handleDiscover(req, resp *dhcpv4.DHCPv4) (l *dhcpsvc.Lease, err error) {
 	mac := req.ClientHWAddr
 
 	defer s.conf.notify(LeaseChangedDBStore)
@@ -787,7 +788,7 @@ func OptionFQDN(fqdn string) (opt dhcpv4.Option) {
 // checkLease checks if the pair of mac and ip is already leased.  The mismatch
 // is true when the existing lease has the same hardware address but differs in
 // its IP address.
-func (s *v4Server) checkLease(mac net.HardwareAddr, ip net.IP) (lease *Lease, mismatch bool) {
+func (s *v4Server) checkLease(mac net.HardwareAddr, ip net.IP) (l *dhcpsvc.Lease, mismatch bool) {
 	s.leasesLock.Lock()
 	defer s.leasesLock.Unlock()
 
@@ -798,7 +799,7 @@ func (s *v4Server) checkLease(mac net.HardwareAddr, ip net.IP) (lease *Lease, mi
 		return nil, false
 	}
 
-	for _, l := range s.leases {
+	for _, l = range s.leases {
 		if !bytes.Equal(l.HWAddr, mac) {
 			continue
 		}
@@ -823,7 +824,7 @@ func (s *v4Server) handleSelecting(
 	req *dhcpv4.DHCPv4,
 	reqIP net.IP,
 	sid net.IP,
-) (l *Lease, needsReply bool) {
+) (l *dhcpsvc.Lease, needsReply bool) {
 	// Client inserts the address of the selected server in server identifier,
 	// ciaddr MUST be zero.
 	mac := req.ClientHWAddr
@@ -857,7 +858,10 @@ func (s *v4Server) handleSelecting(
 }
 
 // handleInitReboot handles the DHCPREQUEST generated during INIT-REBOOT state.
-func (s *v4Server) handleInitReboot(req *dhcpv4.DHCPv4, reqIP net.IP) (l *Lease, needsReply bool) {
+func (s *v4Server) handleInitReboot(
+	req *dhcpv4.DHCPv4,
+	reqIP net.IP,
+) (l *dhcpsvc.Lease, needsReply bool) {
 	mac := req.ClientHWAddr
 
 	ip4 := reqIP.To4()
@@ -899,7 +903,7 @@ func (s *v4Server) handleInitReboot(req *dhcpv4.DHCPv4, reqIP net.IP) (l *Lease,
 
 // handleRenew handles the DHCPREQUEST generated during RENEWING or REBINDING
 // state.
-func (s *v4Server) handleRenew(req *dhcpv4.DHCPv4) (l *Lease, needsReply bool) {
+func (s *v4Server) handleRenew(req *dhcpv4.DHCPv4) (l *dhcpsvc.Lease, needsReply bool) {
 	mac := req.ClientHWAddr
 
 	// ciaddr MUST be filled in with client's IP address.
@@ -926,7 +930,7 @@ func (s *v4Server) handleRenew(req *dhcpv4.DHCPv4) (l *Lease, needsReply bool) {
 
 // handleByRequestType handles the DHCPREQUEST according to the state during
 // which it's generated by client.
-func (s *v4Server) handleByRequestType(req *dhcpv4.DHCPv4) (lease *Lease, needsReply bool) {
+func (s *v4Server) handleByRequestType(req *dhcpv4.DHCPv4) (lease *dhcpsvc.Lease, needsReply bool) {
 	reqIP, sid := req.RequestedIPAddress(), req.ServerIdentifier()
 
 	if sid != nil && !sid.IsUnspecified() {
@@ -950,7 +954,7 @@ func (s *v4Server) handleByRequestType(req *dhcpv4.DHCPv4) (lease *Lease, needsR
 // handleRequest is the handler for a DHCPREQUEST message.
 //
 // See https://datatracker.ietf.org/doc/html/rfc2131#section-4.3.2.
-func (s *v4Server) handleRequest(req, resp *dhcpv4.DHCPv4) (lease *Lease, needsReply bool) {
+func (s *v4Server) handleRequest(req, resp *dhcpv4.DHCPv4) (lease *dhcpsvc.Lease, needsReply bool) {
 	lease, needsReply = s.handleByRequestType(req)
 	if lease == nil {
 		return nil, needsReply
@@ -1043,7 +1047,7 @@ func (s *v4Server) handleDecline(req, resp *dhcpv4.DHCPv4) (err error) {
 }
 
 // findLeaseForIP returns a lease for provided ip and mac.
-func (s *v4Server) findLeaseForIP(ip net.IP, mac net.HardwareAddr) (l *Lease) {
+func (s *v4Server) findLeaseForIP(ip net.IP, mac net.HardwareAddr) (l *dhcpsvc.Lease) {
 	netIP, ok := netip.AddrFromSlice(ip)
 	if !ok {
 		log.Info("dhcpv4: invalid IP: %s", ip)
@@ -1106,7 +1110,11 @@ func (s *v4Server) handleRelease(req, resp *dhcpv4.DHCPv4) (err error) {
 }
 
 // messageHandler describes a DHCPv4 message handler function.
-type messageHandler func(s *v4Server, req, resp *dhcpv4.DHCPv4) (rCode int, l *Lease, err error)
+type messageHandler func(
+	s *v4Server,
+	req *dhcpv4.DHCPv4,
+	resp *dhcpv4.DHCPv4,
+) (rCode int, l *dhcpsvc.Lease, err error)
 
 // messageHandlers is a map of handlers for various messages with message types
 // keys.
@@ -1115,7 +1123,7 @@ var messageHandlers = map[dhcpv4.MessageType]messageHandler{
 		s *v4Server,
 		req *dhcpv4.DHCPv4,
 		resp *dhcpv4.DHCPv4,
-	) (rCode int, l *Lease, err error) {
+	) (rCode int, l *dhcpsvc.Lease, err error) {
 		l, err = s.handleDiscover(req, resp)
 		if err != nil {
 			return 0, nil, fmt.Errorf("handling discover: %s", err)
@@ -1131,7 +1139,7 @@ var messageHandlers = map[dhcpv4.MessageType]messageHandler{
 		s *v4Server,
 		req *dhcpv4.DHCPv4,
 		resp *dhcpv4.DHCPv4,
-	) (rCode int, l *Lease, err error) {
+	) (rCode int, l *dhcpsvc.Lease, err error) {
 		var toReply bool
 		l, toReply = s.handleRequest(req, resp)
 		if l == nil {
@@ -1149,7 +1157,7 @@ var messageHandlers = map[dhcpv4.MessageType]messageHandler{
 		s *v4Server,
 		req *dhcpv4.DHCPv4,
 		resp *dhcpv4.DHCPv4,
-	) (rCode int, l *Lease, err error) {
+	) (rCode int, l *dhcpsvc.Lease, err error) {
 		err = s.handleDecline(req, resp)
 		if err != nil {
 			return 0, nil, fmt.Errorf("handling decline: %s", err)
@@ -1161,7 +1169,7 @@ var messageHandlers = map[dhcpv4.MessageType]messageHandler{
 		s *v4Server,
 		req *dhcpv4.DHCPv4,
 		resp *dhcpv4.DHCPv4,
-	) (rCode int, l *Lease, err error) {
+	) (rCode int, l *dhcpsvc.Lease, err error) {
 		err = s.handleRelease(req, resp)
 		if err != nil {
 			return 0, nil, fmt.Errorf("handling release: %s", err)
@@ -1402,8 +1410,8 @@ func (s *v4Server) Stop() (err error) {
 // Create DHCPv4 server
 func v4Create(conf *V4ServerConf) (srv *v4Server, err error) {
 	s := &v4Server{
-		hostsIndex: map[string]*Lease{},
-		ipIndex:    map[netip.Addr]*Lease{},
+		hostsIndex: map[string]*dhcpsvc.Lease{},
+		ipIndex:    map[netip.Addr]*dhcpsvc.Lease{},
 	}
 
 	err = conf.Validate()

internal/dhcpd/v4_unix_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/AdguardTeam/golibs/testutil"
@@ -67,7 +68,7 @@ func TestV4Server_leasing(t *testing.T) {
 	s := defaultSrv(t)
 
 	t.Run("add_static", func(t *testing.T) {
-		err := s.AddStaticLease(&Lease{
+		err := s.AddStaticLease(&dhcpsvc.Lease{
 			Hostname: staticName,
 			HWAddr:   staticMAC,
 			IP:       staticIP,
@@ -76,7 +77,7 @@ func TestV4Server_leasing(t *testing.T) {
 		require.NoError(t, err)
 
 		t.Run("same_name", func(t *testing.T) {
-			err = s.AddStaticLease(&Lease{
+			err = s.AddStaticLease(&dhcpsvc.Lease{
 				Hostname: staticName,
 				HWAddr:   anotherMAC,
 				IP:       anotherIP,
@@ -90,7 +91,7 @@ func TestV4Server_leasing(t *testing.T) {
 				"dynamic leases for " + anotherIP.String() +
 				" (" + staticMAC.String() + "): static lease already exists"
 
-			err = s.AddStaticLease(&Lease{
+			err = s.AddStaticLease(&dhcpsvc.Lease{
 				Hostname: anotherName,
 				HWAddr:   staticMAC,
 				IP:       anotherIP,
@@ -104,7 +105,7 @@ func TestV4Server_leasing(t *testing.T) {
 				"dynamic leases for " + staticIP.String() +
 				" (" + anotherMAC.String() + "): static lease already exists"
 
-			err = s.AddStaticLease(&Lease{
+			err = s.AddStaticLease(&dhcpsvc.Lease{
 				Hostname: anotherName,
 				HWAddr:   anotherMAC,
 				IP:       staticIP,
@@ -208,11 +209,11 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 	require.Empty(t, ls)
 
 	testCases := []struct {
-		lease      *Lease
+		lease      *dhcpsvc.Lease
 		name       string
 		wantErrMsg string
 	}{{
-		lease: &Lease{
+		lease: &dhcpsvc.Lease{
 			Hostname: "success.local",
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 			IP:       netip.MustParseAddr("192.168.10.150"),
@@ -220,7 +221,7 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 		name:       "success",
 		wantErrMsg: "",
 	}, {
-		lease: &Lease{
+		lease: &dhcpsvc.Lease{
 			Hostname: "probably-router.local",
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 			IP:       DefaultGatewayIP,
@@ -229,7 +230,7 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 		wantErrMsg: "dhcpv4: adding static lease: " +
 			`can't assign the gateway IP "192.168.10.1" to the lease`,
 	}, {
-		lease: &Lease{
+		lease: &dhcpsvc.Lease{
 			Hostname: "ip6.local",
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 			IP:       netip.MustParseAddr("ffff::1"),
@@ -238,7 +239,7 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 		wantErrMsg: `dhcpv4: adding static lease: ` +
 			`invalid IP "ffff::1": only IPv4 is supported`,
 	}, {
-		lease: &Lease{
+		lease: &dhcpsvc.Lease{
 			Hostname: "bad-mac.local",
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA},
 			IP:       netip.MustParseAddr("192.168.10.150"),
@@ -247,7 +248,7 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 		wantErrMsg: `dhcpv4: adding static lease: bad mac address "aa:aa": ` +
 			`bad mac address length 2, allowed: [6 8 20]`,
 	}, {
-		lease: &Lease{
+		lease: &dhcpsvc.Lease{
 			Hostname: "bad-lbl-.local",
 			HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 			IP:       netip.MustParseAddr("192.168.10.150"),
@@ -266,7 +267,7 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 				return
 			}
 
-			err = s.RemoveStaticLease(&Lease{
+			err = s.RemoveStaticLease(&dhcpsvc.Lease{
 				IP:     tc.lease.IP,
 				HWAddr: tc.lease.HWAddr,
 			})
@@ -289,7 +290,7 @@ func TestV4_AddReplace(t *testing.T) {
 	s, ok := sIface.(*v4Server)
 	require.True(t, ok)
 
-	dynLeases := []Lease{{
+	dynLeases := []dhcpsvc.Lease{{
 		Hostname: "dynamic-1.local",
 		HWAddr:   net.HardwareAddr{0x11, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 		IP:       netip.MustParseAddr("192.168.10.150"),
@@ -304,7 +305,7 @@ func TestV4_AddReplace(t *testing.T) {
 		require.NoError(t, err)
 	}
 
-	stLeases := []*Lease{{
+	stLeases := []*dhcpsvc.Lease{{
 		Hostname: "static-1.local",
 		HWAddr:   net.HardwareAddr{0x33, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 		IP:       netip.MustParseAddr("192.168.10.150"),
@@ -513,7 +514,7 @@ func TestV4StaticLease_Get(t *testing.T) {
 	s.conf.dnsIPAddrs = []netip.Addr{dnsAddr}
 	s.implicitOpts.Update(dhcpv4.OptDNS(dnsAddr.AsSlice()))
 
-	l := &Lease{
+	l := &dhcpsvc.Lease{
 		Hostname: "static-1.local",
 		HWAddr:   net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 		IP:       netip.MustParseAddr("192.168.10.150"),
@@ -779,7 +780,7 @@ func TestV4Server_FindMACbyIP(t *testing.T) {
 	anotherMAC := net.HardwareAddr{0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB}
 
 	s := &v4Server{
-		leases: []*Lease{{
+		leases: []*dhcpsvc.Lease{{
 			Hostname: staticName,
 			HWAddr:   staticMAC,
 			IP:       staticIP,
@@ -791,11 +792,11 @@ func TestV4Server_FindMACbyIP(t *testing.T) {
 			IP:       anotherIP,
 		}},
 	}
-	s.ipIndex = map[netip.Addr]*Lease{
+	s.ipIndex = map[netip.Addr]*dhcpsvc.Lease{
 		staticIP:  s.leases[0],
 		anotherIP: s.leases[1],
 	}
-	s.hostsIndex = map[string]*Lease{
+	s.hostsIndex = map[string]*dhcpsvc.Lease{
 		staticName:  s.leases[0],
 		anotherName: s.leases[1],
 	}
@@ -845,7 +846,7 @@ func TestV4Server_handleDecline(t *testing.T) {
 	s4, ok := s.(*v4Server)
 	require.True(t, ok)
 
-	s4.leases = []*Lease{{
+	s4.leases = []*dhcpsvc.Lease{{
 		Hostname: dynamicName,
 		HWAddr:   dynamicMAC,
 		IP:       dynamicIP,
@@ -887,7 +888,7 @@ func TestV4Server_handleRelease(t *testing.T) {
 	s4, ok := s.(*v4Server)
 	require.True(t, ok)
 
-	s4.leases = []*Lease{{
+	s4.leases = []*dhcpsvc.Lease{{
 		Hostname: dynamicName,
 		HWAddr:   dynamicMAC,
 		IP:       dynamicIP,

internal/dhcpd/v6_unix.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -31,7 +32,7 @@ type v6Server struct {
 	sid  dhcpv6.DUID
 	srv  *server6.Server
 
-	leases     []*Lease
+	leases     []*dhcpsvc.Lease
 	leasesLock sync.Mutex
 	ipAddrs    [256]byte
 }
@@ -87,7 +88,7 @@ func (s *v6Server) IPByHost(host string) (ip netip.Addr) {
 }
 
 // ResetLeases resets leases.
-func (s *v6Server) ResetLeases(leases []*Lease) (err error) {
+func (s *v6Server) ResetLeases(leases []*dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv6: %w") }()
 
 	s.leasesLock.Lock()
@@ -111,12 +112,14 @@ func (s *v6Server) ResetLeases(leases []*Lease) (err error) {
 
 // GetLeases returns the list of current DHCP leases.  It is safe for concurrent
 // use.
-func (s *v6Server) GetLeases(flags GetLeasesFlags) (leases []*Lease) {
+func (s *v6Server) GetLeases(flags GetLeasesFlags) (leases []*dhcpsvc.Lease) {
 	// The function shouldn't return nil value because zero-length slice
 	// behaves differently in cases like marshalling.  Our front-end also
 	// requires non-nil value in the response.
-	leases = []*Lease{}
+	leases = []*dhcpsvc.Lease{}
 	s.leasesLock.Lock()
+	defer s.leasesLock.Unlock()
+
 	for _, l := range s.leases {
 		if l.IsStatic {
 			if (flags & LeasesStatic) != 0 {
@@ -128,12 +131,12 @@ func (s *v6Server) GetLeases(flags GetLeasesFlags) (leases []*Lease) {
 			}
 		}
 	}
-	s.leasesLock.Unlock()
+
 	return leases
 }
 
 // getLeasesRef returns the actual leases slice.  For internal use only.
-func (s *v6Server) getLeasesRef() []*Lease {
+func (s *v6Server) getLeasesRef() []*dhcpsvc.Lease {
 	return s.leases
 }
 
@@ -174,7 +177,7 @@ func (s *v6Server) leaseRemoveSwapByIndex(i int) {
 
 // Remove a dynamic lease with the same properties
 // Return error if a static lease is found
-func (s *v6Server) rmDynamicLease(lease *Lease) (err error) {
+func (s *v6Server) rmDynamicLease(lease *dhcpsvc.Lease) (err error) {
 	for i := 0; i < len(s.leases); i++ {
 		l := s.leases[i]
 
@@ -204,7 +207,7 @@ func (s *v6Server) rmDynamicLease(lease *Lease) (err error) {
 }
 
 // AddStaticLease adds a static lease.  It is safe for concurrent use.
-func (s *v6Server) AddStaticLease(l *Lease) (err error) {
+func (s *v6Server) AddStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv6: %w") }()
 
 	if !l.IP.Is6() {
@@ -236,7 +239,7 @@ func (s *v6Server) AddStaticLease(l *Lease) (err error) {
 }
 
 // UpdateStaticLease updates IP, hostname of the static lease.
-func (s *v6Server) UpdateStaticLease(l *Lease) (err error) {
+func (s *v6Server) UpdateStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() {
 		if err != nil {
 			err = errors.Annotate(err, "dhcpv6: updating static lease: %w")
@@ -267,7 +270,7 @@ func (s *v6Server) UpdateStaticLease(l *Lease) (err error) {
 }
 
 // RemoveStaticLease removes a static lease.  It is safe for concurrent use.
-func (s *v6Server) RemoveStaticLease(l *Lease) (err error) {
+func (s *v6Server) RemoveStaticLease(l *dhcpsvc.Lease) (err error) {
 	defer func() { err = errors.Annotate(err, "dhcpv6: %w") }()
 
 	if !l.IP.Is6() {
@@ -292,7 +295,7 @@ func (s *v6Server) RemoveStaticLease(l *Lease) (err error) {
 }
 
 // Add a lease
-func (s *v6Server) addLease(l *Lease) {
+func (s *v6Server) addLease(l *dhcpsvc.Lease) {
 	s.leases = append(s.leases, l)
 	ip := l.IP.As16()
 	s.ipAddrs[ip[15]] = 1
@@ -300,7 +303,7 @@ func (s *v6Server) addLease(l *Lease) {
 }
 
 // Remove a lease with the same properties
-func (s *v6Server) rmLease(lease *Lease) (err error) {
+func (s *v6Server) rmLease(lease *dhcpsvc.Lease) (err error) {
 	for i, l := range s.leases {
 		if l.IP == lease.IP {
 			if !bytes.Equal(l.HWAddr, lease.HWAddr) ||
@@ -318,7 +321,7 @@ func (s *v6Server) rmLease(lease *Lease) (err error) {
 }
 
 // Find lease by MAC.
-func (s *v6Server) findLease(mac net.HardwareAddr) (lease *Lease) {
+func (s *v6Server) findLease(mac net.HardwareAddr) (lease *dhcpsvc.Lease) {
 	for i := range s.leases {
 		if bytes.Equal(mac, s.leases[i].HWAddr) {
 			return s.leases[i]
@@ -356,8 +359,8 @@ func (s *v6Server) findFreeIP() net.IP {
 }
 
 // Reserve lease for MAC
-func (s *v6Server) reserveLease(mac net.HardwareAddr) *Lease {
-	l := Lease{
+func (s *v6Server) reserveLease(mac net.HardwareAddr) *dhcpsvc.Lease {
+	l := dhcpsvc.Lease{
 		HWAddr: make([]byte, len(mac)),
 	}
 
@@ -390,7 +393,7 @@ func (s *v6Server) reserveLease(mac net.HardwareAddr) *Lease {
 	return &l
 }
 
-func (s *v6Server) commitDynamicLease(l *Lease) {
+func (s *v6Server) commitDynamicLease(l *dhcpsvc.Lease) {
 	l.Expiry = time.Now().Add(s.conf.leaseTime)
 
 	s.leasesLock.Lock()
@@ -438,7 +441,7 @@ func (s *v6Server) checkSID(msg *dhcpv6.Message) error {
 }
 
 // . IAAddress must be equal to the lease's IP
-func (s *v6Server) checkIA(msg *dhcpv6.Message, lease *Lease) error {
+func (s *v6Server) checkIA(msg *dhcpv6.Message, lease *dhcpsvc.Lease) error {
 	switch msg.Type() {
 	case dhcpv6.MessageTypeRequest,
 		dhcpv6.MessageTypeConfirm,
@@ -464,7 +467,7 @@ func (s *v6Server) checkIA(msg *dhcpv6.Message, lease *Lease) error {
 }
 
 // Store lease in DB (if necessary) and return lease life time
-func (s *v6Server) commitLease(msg *dhcpv6.Message, lease *Lease) time.Duration {
+func (s *v6Server) commitLease(msg *dhcpv6.Message, lease *dhcpsvc.Lease) time.Duration {
 	lifetime := s.conf.leaseTime
 
 	switch msg.Type() {
@@ -506,7 +509,7 @@ func (s *v6Server) process(msg *dhcpv6.Message, req, resp dhcpv6.DHCPv6) bool {
 		return false
 	}
 
-	var lease *Lease
+	var lease *dhcpsvc.Lease
 	func() {
 		s.leasesLock.Lock()
 		defer s.leasesLock.Unlock()

internal/dhcpd/v6_unix_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/insomniacslk/dhcp/dhcpv6"
 	"github.com/insomniacslk/dhcp/iana"
 	"github.com/stretchr/testify/assert"
@@ -28,7 +29,7 @@ func TestV6_AddRemove_static(t *testing.T) {
 	require.Empty(t, s.GetLeases(LeasesStatic))
 
 	// Add static lease.
-	l := &Lease{
+	l := &dhcpsvc.Lease{
 		IP:     netip.MustParseAddr("2001::1"),
 		HWAddr: net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 	}
@@ -47,7 +48,7 @@ func TestV6_AddRemove_static(t *testing.T) {
 	assert.True(t, ls[0].IsStatic)
 
 	// Try to remove non-existent static lease.
-	err = s.RemoveStaticLease(&Lease{
+	err = s.RemoveStaticLease(&dhcpsvc.Lease{
 		IP:     netip.MustParseAddr("2001::2"),
 		HWAddr: l.HWAddr,
 	})
@@ -72,7 +73,7 @@ func TestV6_AddReplace(t *testing.T) {
 	require.True(t, ok)
 
 	// Add dynamic leases.
-	dynLeases := []*Lease{{
+	dynLeases := []*dhcpsvc.Lease{{
 		IP:     netip.MustParseAddr("2001::1"),
 		HWAddr: net.HardwareAddr{0x11, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 	}, {
@@ -84,7 +85,7 @@ func TestV6_AddReplace(t *testing.T) {
 		s.addLease(l)
 	}
 
-	stLeases := []*Lease{{
+	stLeases := []*dhcpsvc.Lease{{
 		IP:     netip.MustParseAddr("2001::1"),
 		HWAddr: net.HardwareAddr{0x33, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 	}, {
@@ -126,7 +127,7 @@ func TestV6GetLease(t *testing.T) {
 		LinkLayerAddr: net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 	}
 
-	l := &Lease{
+	l := &dhcpsvc.Lease{
 		IP:     netip.MustParseAddr("2001::1"),
 		HWAddr: net.HardwareAddr{0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA},
 	}
@@ -324,7 +325,7 @@ func TestV6_FindMACbyIP(t *testing.T) {
 	anotherMAC := net.HardwareAddr{0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB}
 
 	s := &v6Server{
-		leases: []*Lease{{
+		leases: []*dhcpsvc.Lease{{
 			Hostname: staticName,
 			HWAddr:   staticMAC,
 			IP:       staticIP,
@@ -337,7 +338,7 @@ func TestV6_FindMACbyIP(t *testing.T) {
 		}},
 	}
 
-	s.leases = []*Lease{{
+	s.leases = []*dhcpsvc.Lease{{
 		Hostname: staticName,
 		HWAddr:   staticMAC,
 		IP:       staticIP,

internal/dhcpsvc/config.go

@@ -1,10 +1,12 @@
 package dhcpsvc
 
 import (
-	"net/netip"
+	"fmt"
 	"time"
 
-	"github.com/google/gopacket/layers"
+	"github.com/AdguardTeam/golibs/netutil"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 )
 
 // Config is the configuration for the DHCP service.
@@ -33,54 +35,58 @@ type InterfaceConfig struct {
 	IPv6 *IPv6Config
 }
 
-// IPv4Config is the interface-specific configuration for DHCPv4.
-type IPv4Config struct {
-	// GatewayIP is the IPv4 address of the network's gateway.  It is used as
-	// the default gateway for DHCP clients and also used in calculating the
-	// network-specific broadcast address.
-	GatewayIP netip.Addr
+// Validate returns an error in conf if any.
+func (conf *Config) Validate() (err error) {
+	switch {
+	case conf == nil:
+		return errNilConfig
+	case !conf.Enabled:
+		return nil
+	case conf.ICMPTimeout < 0:
+		return newMustErr("icmp timeout", "be non-negative", conf.ICMPTimeout)
+	}
 
-	// SubnetMask is the IPv4 subnet mask of the network.  It should be a valid
-	// IPv4 subnet mask (i.e. all 1s followed by all 0s).
-	SubnetMask netip.Addr
+	err = netutil.ValidateDomainName(conf.LocalDomainName)
+	if err != nil {
+		// Don't wrap the error since it's informative enough as is.
+		return err
+	}
 
-	// RangeStart is the first address in the range to assign to DHCP clients.
-	RangeStart netip.Addr
+	if len(conf.Interfaces) == 0 {
+		return errNoInterfaces
+	}
 
-	// RangeEnd is the last address in the range to assign to DHCP clients.
-	RangeEnd netip.Addr
+	ifaces := maps.Keys(conf.Interfaces)
+	slices.Sort(ifaces)
 
-	// Options is the list of DHCP options to send to DHCP clients.
-	Options layers.DHCPOptions
+	for _, iface := range ifaces {
+		if err = conf.Interfaces[iface].validate(); err != nil {
+			return fmt.Errorf("interface %q: %w", iface, err)
+		}
+	}
 
-	// LeaseDuration is the TTL of a DHCP lease.
-	LeaseDuration time.Duration
-
-	// Enabled is the state of the DHCPv4 service, whether it is enabled or not
-	// on the specific interface.
-	Enabled bool
+	return nil
 }
 
-// IPv6Config is the interface-specific configuration for DHCPv6.
-type IPv6Config struct {
-	// RangeStart is the first address in the range to assign to DHCP clients.
-	RangeStart netip.Addr
-
-	// Options is the list of DHCP options to send to DHCP clients.
-	Options layers.DHCPOptions
-
-	// LeaseDuration is the TTL of a DHCP lease.
-	LeaseDuration time.Duration
-
-	// RASlaacOnly defines whether the DHCP clients should only use SLAAC for
-	// address assignment.
-	RASLAACOnly bool
-
-	// RAAllowSlaac defines whether the DHCP clients may use SLAAC for address
-	// assignment.
-	RAAllowSLAAC bool
-
-	// Enabled is the state of the DHCPv6 service, whether it is enabled or not
-	// on the specific interface.
-	Enabled bool
+// newMustErr returns an error that indicates that valName must be as must
+// describes.
+func newMustErr(valName, must string, val fmt.Stringer) (err error) {
+	return fmt.Errorf("%s %s must %s", valName, val, must)
+}
+
+// validate returns an error in ic, if any.
+func (ic *InterfaceConfig) validate() (err error) {
+	if ic == nil {
+		return errNilConfig
+	}
+
+	if err = ic.IPv4.validate(); err != nil {
+		return fmt.Errorf("ipv4: %w", err)
+	}
+
+	if err = ic.IPv6.validate(); err != nil {
+		return fmt.Errorf("ipv6: %w", err)
+	}
+
+	return nil
 }

internal/dhcpsvc/config_test.go

@@ -0,0 +1,88 @@
+package dhcpsvc_test
+
+import (
+	"testing"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
+	"github.com/AdguardTeam/golibs/testutil"
+)
+
+func TestConfig_Validate(t *testing.T) {
+	testCases := []struct {
+		name       string
+		conf       *dhcpsvc.Config
+		wantErrMsg string
+	}{{
+		name:       "nil_config",
+		conf:       nil,
+		wantErrMsg: "config is nil",
+	}, {
+		name:       "disabled",
+		conf:       &dhcpsvc.Config{},
+		wantErrMsg: "",
+	}, {
+		name: "empty",
+		conf: &dhcpsvc.Config{
+			Enabled: true,
+		},
+		wantErrMsg: `bad domain name "": domain name is empty`,
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces:      nil,
+		},
+		name:       "no_interfaces",
+		wantErrMsg: "no interfaces specified",
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces:      nil,
+		},
+		name:       "no_interfaces",
+		wantErrMsg: "no interfaces specified",
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": nil,
+			},
+		},
+		name:       "nil_interface",
+		wantErrMsg: `interface "eth0": config is nil`,
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: nil,
+					IPv6: &dhcpsvc.IPv6Config{Enabled: false},
+				},
+			},
+		},
+		name:       "nil_ipv4",
+		wantErrMsg: `interface "eth0": ipv4: config is nil`,
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: &dhcpsvc.IPv4Config{Enabled: false},
+					IPv6: nil,
+				},
+			},
+		},
+		name:       "nil_ipv6",
+		wantErrMsg: `interface "eth0": ipv6: config is nil`,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, tc.conf.Validate())
+		})
+	}
+}

internal/dhcpsvc/dhcpsvc.go

@@ -10,13 +10,13 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
+	"golang.org/x/exp/slices"
 )
 
 // Lease is a DHCP lease.
 //
-// TODO(e.burkov):  Consider it to [agh], since it also may be needed in
-// [websvc].  Also think of implementing iterating methods with appropriate
-// signatures.
+// TODO(e.burkov):  Consider moving it to [agh], since it also may be needed in
+// [websvc].
 type Lease struct {
 	// IP is the IP address leased to the client.
 	IP netip.Addr
@@ -34,6 +34,21 @@ type Lease struct {
 	IsStatic bool
 }
 
+// Clone returns a deep copy of l.
+func (l *Lease) Clone() (clone *Lease) {
+	if l == nil {
+		return nil
+	}
+
+	return &Lease{
+		Expiry:   l.Expiry,
+		Hostname: l.Hostname,
+		HWAddr:   slices.Clone(l.HWAddr),
+		IP:       l.IP,
+		IsStatic: l.IsStatic,
+	}
+}
+
 type Interface interface {
 	agh.ServiceWithConfig[*Config]
 
@@ -56,16 +71,20 @@ type Interface interface {
 	// hostname, either set or generated.
 	IPByHost(host string) (ip netip.Addr)
 
-	// Leases returns all the DHCP leases.
-	Leases() (leases []*Lease)
+	// Leases returns all the active DHCP leases.
+	//
+	// TODO(e.burkov):  Consider implementing iterating methods with appropriate
+	// signatures instead of cloning the whole list.
+	Leases() (ls []*Lease)
 
 	// AddLease adds a new DHCP lease.  It returns an error if the lease is
 	// invalid or already exists.
 	AddLease(l *Lease) (err error)
 
-	// EditLease changes an existing DHCP lease.  It returns an error if there
-	// is no lease equal to old or if new is invalid or already exists.
-	EditLease(old, new *Lease) (err error)
+	// UpdateStaticLease changes an existing DHCP lease.  It returns an error if
+	// there is no lease with such hardware addressor if new values are invalid
+	// or already exist.
+	UpdateStaticLease(l *Lease) (err error)
 
 	// RemoveLease removes an existing DHCP lease.  It returns an error if there
 	// is no lease equal to l.
@@ -79,7 +98,7 @@ type Interface interface {
 type Empty struct{}
 
 // type check
-var _ Interface = Empty{}
+var _ agh.ServiceWithConfig[*Config] = Empty{}
 
 // Start implements the [Service] interface for Empty.
 func (Empty) Start() (err error) { return nil }
@@ -87,11 +106,12 @@ func (Empty) Start() (err error) { return nil }
 // Shutdown implements the [Service] interface for Empty.
 func (Empty) Shutdown(_ context.Context) (err error) { return nil }
 
-var _ agh.ServiceWithConfig[*Config] = Empty{}
-
 // Config implements the [ServiceWithConfig] interface for Empty.
 func (Empty) Config() (conf *Config) { return nil }
 
+// type check
+var _ Interface = Empty{}
+
 // Enabled implements the [Interface] interface for Empty.
 func (Empty) Enabled() (ok bool) { return false }
 
@@ -104,17 +124,14 @@ func (Empty) MACByIP(_ netip.Addr) (mac net.HardwareAddr) { return nil }
 // IPByHost implements the [Interface] interface for Empty.
 func (Empty) IPByHost(_ string) (ip netip.Addr) { return netip.Addr{} }
 
-// type check
-var _ Interface = Empty{}
-
 // Leases implements the [Interface] interface for Empty.
 func (Empty) Leases() (leases []*Lease) { return nil }
 
 // AddLease implements the [Interface] interface for Empty.
 func (Empty) AddLease(_ *Lease) (err error) { return nil }
 
-// EditLease implements the [Interface] interface for Empty.
-func (Empty) EditLease(_, _ *Lease) (err error) { return nil }
+// UpdateStaticLease implements the [Interface] interface for Empty.
+func (Empty) UpdateStaticLease(_ *Lease) (err error) { return nil }
 
 // RemoveLease implements the [Interface] interface for Empty.
 func (Empty) RemoveLease(_ *Lease) (err error) { return nil }

internal/dhcpsvc/errors.go

@@ -0,0 +1,11 @@
+package dhcpsvc
+
+import "github.com/AdguardTeam/golibs/errors"
+
+const (
+	// errNilConfig is returned when a nil config met.
+	errNilConfig errors.Error = "config is nil"
+
+	// errNoInterfaces is returned when no interfaces found in configuration.
+	errNoInterfaces errors.Error = "no interfaces specified"
+)

internal/dhcpsvc/iprange.go

@@ -0,0 +1,98 @@
+package dhcpsvc
+
+import (
+	"encoding/binary"
+	"fmt"
+	"math"
+	"math/big"
+	"net/netip"
+
+	"github.com/AdguardTeam/golibs/errors"
+)
+
+// ipRange is an inclusive range of IP addresses.  A zero range doesn't contain
+// any IP addresses.
+//
+// It is safe for concurrent use.
+type ipRange struct {
+	start netip.Addr
+	end   netip.Addr
+}
+
+// maxRangeLen is the maximum IP range length.  The bitsets used in servers only
+// accept uints, which can have the size of 32 bit.
+//
+// TODO(a.garipov, e.burkov):  Reconsider the value for IPv6.
+const maxRangeLen = math.MaxUint32
+
+// newIPRange creates a new IP address range.  start must be less than end.  The
+// resulting range must not be greater than maxRangeLen.
+func newIPRange(start, end netip.Addr) (r ipRange, err error) {
+	defer func() { err = errors.Annotate(err, "invalid ip range: %w") }()
+
+	switch false {
+	case start.Is4() == end.Is4():
+		return ipRange{}, fmt.Errorf("%s and %s must be within the same address family", start, end)
+	case start.Less(end):
+		return ipRange{}, fmt.Errorf("start %s is greater than or equal to end %s", start, end)
+	default:
+		diff := (&big.Int{}).Sub(
+			(&big.Int{}).SetBytes(end.AsSlice()),
+			(&big.Int{}).SetBytes(start.AsSlice()),
+		)
+
+		if !diff.IsUint64() || diff.Uint64() > maxRangeLen {
+			return ipRange{}, fmt.Errorf("range length must be within %d", uint32(maxRangeLen))
+		}
+	}
+
+	return ipRange{
+		start: start,
+		end:   end,
+	}, nil
+}
+
+// contains returns true if r contains ip.
+func (r ipRange) contains(ip netip.Addr) (ok bool) {
+	// Assume that the end was checked to be within the same address family as
+	// the start during construction.
+	return r.start.Is4() == ip.Is4() && !ip.Less(r.start) && !r.end.Less(ip)
+}
+
+// ipPredicate is a function that is called on every IP address in
+// [ipRange.find].
+type ipPredicate func(ip netip.Addr) (ok bool)
+
+// find finds the first IP address in r for which p returns true.  It returns an
+// empty [netip.Addr] if there are no addresses that satisfy p.
+//
+// TODO(e.burkov):  Use.
+func (r ipRange) find(p ipPredicate) (ip netip.Addr) {
+	for ip = r.start; !r.end.Less(ip); ip = ip.Next() {
+		if p(ip) {
+			return ip
+		}
+	}
+
+	return netip.Addr{}
+}
+
+// offset returns the offset of ip from the beginning of r.  It returns 0 and
+// false if ip is not in r.
+func (r ipRange) offset(ip netip.Addr) (offset uint64, ok bool) {
+	if !r.contains(ip) {
+		return 0, false
+	}
+
+	startData, ipData := r.start.As16(), ip.As16()
+	be := binary.BigEndian
+
+	// Assume that the range length was checked against maxRangeLen during
+	// construction.
+	return be.Uint64(ipData[8:]) - be.Uint64(startData[8:]), true
+}
+
+// String implements the fmt.Stringer interface for *ipRange.
+func (r ipRange) String() (s string) {
+	return fmt.Sprintf("%s-%s", r.start, r.end)
+}

internal/dhcpsvc/iprange_internal_test.go

@@ -0,0 +1,204 @@
+package dhcpsvc
+
+import (
+	"net/netip"
+	"strconv"
+	"testing"
+
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewIPRange(t *testing.T) {
+	start4 := netip.MustParseAddr("0.0.0.1")
+	end4 := netip.MustParseAddr("0.0.0.3")
+	start6 := netip.MustParseAddr("1::1")
+	end6 := netip.MustParseAddr("1::3")
+	end6Large := netip.MustParseAddr("2::3")
+
+	testCases := []struct {
+		start      netip.Addr
+		end        netip.Addr
+		name       string
+		wantErrMsg string
+	}{{
+		start:      start4,
+		end:        end4,
+		name:       "success_ipv4",
+		wantErrMsg: "",
+	}, {
+		start:      start6,
+		end:        end6,
+		name:       "success_ipv6",
+		wantErrMsg: "",
+	}, {
+		start:      end4,
+		end:        start4,
+		name:       "start_gt_end",
+		wantErrMsg: "invalid ip range: start 0.0.0.3 is greater than or equal to end 0.0.0.1",
+	}, {
+		start:      start4,
+		end:        start4,
+		name:       "start_eq_end",
+		wantErrMsg: "invalid ip range: start 0.0.0.1 is greater than or equal to end 0.0.0.1",
+	}, {
+		start: start6,
+		end:   end6Large,
+		name:  "too_large",
+		wantErrMsg: "invalid ip range: range length must be within " +
+			strconv.FormatUint(maxRangeLen, 10),
+	}, {
+		start:      start4,
+		end:        end6,
+		name:       "different_family",
+		wantErrMsg: "invalid ip range: 0.0.0.1 and 1::3 must be within the same address family",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := newIPRange(tc.start, tc.end)
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
+		})
+	}
+}
+
+func TestIPRange_Contains(t *testing.T) {
+	start, end := netip.MustParseAddr("0.0.0.1"), netip.MustParseAddr("0.0.0.3")
+	r, err := newIPRange(start, end)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		in   netip.Addr
+		want assert.BoolAssertionFunc
+		name string
+	}{{
+		in:   start,
+		want: assert.True,
+		name: "start",
+	}, {
+		in:   end,
+		want: assert.True,
+		name: "end",
+	}, {
+		in:   start.Next(),
+		want: assert.True,
+		name: "within",
+	}, {
+		in:   netip.MustParseAddr("0.0.0.0"),
+		want: assert.False,
+		name: "before",
+	}, {
+		in:   netip.MustParseAddr("0.0.0.4"),
+		want: assert.False,
+		name: "after",
+	}, {
+		in:   netip.MustParseAddr("::"),
+		want: assert.False,
+		name: "another_family",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.want(t, r.contains(tc.in))
+		})
+	}
+}
+
+func TestIPRange_Find(t *testing.T) {
+	start, end := netip.MustParseAddr("0.0.0.1"), netip.MustParseAddr("0.0.0.5")
+	r, err := newIPRange(start, end)
+	require.NoError(t, err)
+
+	num, ok := r.offset(end)
+	require.True(t, ok)
+
+	testCases := []struct {
+		predicate ipPredicate
+		want      netip.Addr
+		name      string
+	}{{
+		predicate: func(ip netip.Addr) (ok bool) {
+			ipData := ip.AsSlice()
+
+			return ipData[len(ipData)-1]%2 == 0
+		},
+		want: netip.MustParseAddr("0.0.0.2"),
+		name: "even",
+	}, {
+		predicate: func(ip netip.Addr) (ok bool) {
+			ipData := ip.AsSlice()
+
+			return ipData[len(ipData)-1]%10 == 0
+		},
+		want: netip.Addr{},
+		name: "none",
+	}, {
+		predicate: func(ip netip.Addr) (ok bool) {
+			return true
+		},
+		want: start,
+		name: "first",
+	}, {
+		predicate: func(ip netip.Addr) (ok bool) {
+			off, _ := r.offset(ip)
+
+			return off == num
+		},
+		want: end,
+		name: "last",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := r.find(tc.predicate)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+func TestIPRange_Offset(t *testing.T) {
+	start, end := netip.MustParseAddr("0.0.0.1"), netip.MustParseAddr("0.0.0.5")
+	r, err := newIPRange(start, end)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		in         netip.Addr
+		name       string
+		wantOffset uint64
+		wantOK     bool
+	}{{
+		in:         netip.MustParseAddr("0.0.0.2"),
+		name:       "in",
+		wantOffset: 1,
+		wantOK:     true,
+	}, {
+		in:         start,
+		name:       "in_start",
+		wantOffset: 0,
+		wantOK:     true,
+	}, {
+		in:         end,
+		name:       "in_end",
+		wantOffset: 4,
+		wantOK:     true,
+	}, {
+		in:         netip.MustParseAddr("0.0.0.6"),
+		name:       "out_after",
+		wantOffset: 0,
+		wantOK:     false,
+	}, {
+		in:         netip.MustParseAddr("0.0.0.0"),
+		name:       "out_before",
+		wantOffset: 0,
+		wantOK:     false,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			offset, ok := r.offset(tc.in)
+			assert.Equal(t, tc.wantOffset, offset)
+			assert.Equal(t, tc.wantOK, ok)
+		})
+	}
+}

internal/dhcpsvc/server.go

@@ -0,0 +1,100 @@
+package dhcpsvc
+
+import (
+	"fmt"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+)
+
+// DHCPServer is a DHCP server for both IPv4 and IPv6 address families.
+type DHCPServer struct {
+	// enabled indicates whether the DHCP server is enabled and can provide
+	// information about its clients.
+	enabled *atomic.Bool
+
+	// localTLD is the top-level domain name to use for resolving DHCP
+	// clients' hostnames.
+	localTLD string
+
+	// interfaces4 is the set of IPv4 interfaces sorted by interface name.
+	interfaces4 []*iface4
+
+	// interfaces6 is the set of IPv6 interfaces sorted by interface name.
+	interfaces6 []*iface6
+
+	// leases is the set of active DHCP leases.
+	leases []*Lease
+
+	// icmpTimeout is the timeout for checking another DHCP server's presence.
+	icmpTimeout time.Duration
+}
+
+// New creates a new DHCP server with the given configuration.  It returns an
+// error if the given configuration can't be used.
+//
+// TODO(e.burkov):  Use.
+func New(conf *Config) (srv *DHCPServer, err error) {
+	if !conf.Enabled {
+		// TODO(e.burkov):  Perhaps return [Empty]?
+		return nil, nil
+	}
+
+	ifaces4 := make([]*iface4, len(conf.Interfaces))
+	ifaces6 := make([]*iface6, len(conf.Interfaces))
+
+	ifaceNames := maps.Keys(conf.Interfaces)
+	slices.Sort(ifaceNames)
+
+	var i4 *iface4
+	var i6 *iface6
+
+	for _, ifaceName := range ifaceNames {
+		iface := conf.Interfaces[ifaceName]
+
+		i4, err = newIface4(ifaceName, iface.IPv4)
+		if err != nil {
+			return nil, fmt.Errorf("interface %q: ipv4: %w", ifaceName, err)
+		} else if i4 != nil {
+			ifaces4 = append(ifaces4, i4)
+		}
+
+		i6 = newIface6(ifaceName, iface.IPv6)
+		if i6 != nil {
+			ifaces6 = append(ifaces6, i6)
+		}
+	}
+
+	enabled := &atomic.Bool{}
+	enabled.Store(conf.Enabled)
+
+	return &DHCPServer{
+		enabled:     enabled,
+		interfaces4: ifaces4,
+		interfaces6: ifaces6,
+		localTLD:    conf.LocalDomainName,
+		icmpTimeout: conf.ICMPTimeout,
+	}, nil
+}
+
+// type check
+//
+// TODO(e.burkov):  Uncomment when the [Interface] interface is implemented.
+// var _ Interface = (*DHCPServer)(nil)
+
+// Enabled implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) Enabled() (ok bool) {
+	return srv.enabled.Load()
+}
+
+// Leases implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) Leases() (leases []*Lease) {
+	leases = make([]*Lease, 0, len(srv.leases))
+	for _, lease := range srv.leases {
+		leases = append(leases, lease.Clone())
+	}
+
+	return leases
+}

internal/dhcpsvc/server_test.go

@@ -0,0 +1,115 @@
+package dhcpsvc_test
+
+import (
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
+	"github.com/AdguardTeam/golibs/testutil"
+)
+
+// testLocalTLD is a common local TLD for tests.
+const testLocalTLD = "local"
+
+func TestNew(t *testing.T) {
+	validIPv4Conf := &dhcpsvc.IPv4Config{
+		Enabled:       true,
+		GatewayIP:     netip.MustParseAddr("192.168.0.1"),
+		SubnetMask:    netip.MustParseAddr("255.255.255.0"),
+		RangeStart:    netip.MustParseAddr("192.168.0.2"),
+		RangeEnd:      netip.MustParseAddr("192.168.0.254"),
+		LeaseDuration: 1 * time.Hour,
+	}
+	gwInRangeConf := &dhcpsvc.IPv4Config{
+		Enabled:       true,
+		GatewayIP:     netip.MustParseAddr("192.168.0.100"),
+		SubnetMask:    netip.MustParseAddr("255.255.255.0"),
+		RangeStart:    netip.MustParseAddr("192.168.0.1"),
+		RangeEnd:      netip.MustParseAddr("192.168.0.254"),
+		LeaseDuration: 1 * time.Hour,
+	}
+	badStartConf := &dhcpsvc.IPv4Config{
+		Enabled:       true,
+		GatewayIP:     netip.MustParseAddr("192.168.0.1"),
+		SubnetMask:    netip.MustParseAddr("255.255.255.0"),
+		RangeStart:    netip.MustParseAddr("127.0.0.1"),
+		RangeEnd:      netip.MustParseAddr("192.168.0.254"),
+		LeaseDuration: 1 * time.Hour,
+	}
+
+	validIPv6Conf := &dhcpsvc.IPv6Config{
+		Enabled:       true,
+		RangeStart:    netip.MustParseAddr("2001:db8::1"),
+		LeaseDuration: 1 * time.Hour,
+		RAAllowSLAAC:  true,
+		RASLAACOnly:   true,
+	}
+
+	testCases := []struct {
+		conf       *dhcpsvc.Config
+		name       string
+		wantErrMsg string
+	}{{
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: validIPv4Conf,
+					IPv6: validIPv6Conf,
+				},
+			},
+		},
+		name:       "valid",
+		wantErrMsg: "",
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: &dhcpsvc.IPv4Config{Enabled: false},
+					IPv6: &dhcpsvc.IPv6Config{Enabled: false},
+				},
+			},
+		},
+		name:       "disabled_interfaces",
+		wantErrMsg: "",
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: gwInRangeConf,
+					IPv6: validIPv6Conf,
+				},
+			},
+		},
+		name: "gateway_within_range",
+		wantErrMsg: `interface "eth0": ipv4: ` +
+			`gateway ip 192.168.0.100 in the ip range 192.168.0.1-192.168.0.254`,
+	}, {
+		conf: &dhcpsvc.Config{
+			Enabled:         true,
+			LocalDomainName: testLocalTLD,
+			Interfaces: map[string]*dhcpsvc.InterfaceConfig{
+				"eth0": {
+					IPv4: badStartConf,
+					IPv6: validIPv6Conf,
+				},
+			},
+		},
+		name: "bad_start",
+		wantErrMsg: `interface "eth0": ipv4: ` +
+			`range start 127.0.0.1 is not within 192.168.0.1/24`,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := dhcpsvc.New(tc.conf)
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
+		})
+	}
+}

internal/dhcpsvc/v4.go

@@ -0,0 +1,113 @@
+package dhcpsvc
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/google/gopacket/layers"
+)
+
+// IPv4Config is the interface-specific configuration for DHCPv4.
+type IPv4Config struct {
+	// GatewayIP is the IPv4 address of the network's gateway.  It is used as
+	// the default gateway for DHCP clients and also used in calculating the
+	// network-specific broadcast address.
+	GatewayIP netip.Addr
+
+	// SubnetMask is the IPv4 subnet mask of the network.  It should be a valid
+	// IPv4 CIDR (i.e. all 1s followed by all 0s).
+	SubnetMask netip.Addr
+
+	// RangeStart is the first address in the range to assign to DHCP clients.
+	RangeStart netip.Addr
+
+	// RangeEnd is the last address in the range to assign to DHCP clients.
+	RangeEnd netip.Addr
+
+	// Options is the list of DHCP options to send to DHCP clients.
+	Options layers.DHCPOptions
+
+	// LeaseDuration is the TTL of a DHCP lease.
+	LeaseDuration time.Duration
+
+	// Enabled is the state of the DHCPv4 service, whether it is enabled or not
+	// on the specific interface.
+	Enabled bool
+}
+
+// validate returns an error in conf if any.
+func (conf *IPv4Config) validate() (err error) {
+	switch {
+	case conf == nil:
+		return errNilConfig
+	case !conf.Enabled:
+		return nil
+	case !conf.GatewayIP.Is4():
+		return newMustErr("gateway ip", "be a valid ipv4", conf.GatewayIP)
+	case !conf.SubnetMask.Is4():
+		return newMustErr("subnet mask", "be a valid ipv4 cidr mask", conf.SubnetMask)
+	case !conf.RangeStart.Is4():
+		return newMustErr("range start", "be a valid ipv4", conf.RangeStart)
+	case !conf.RangeEnd.Is4():
+		return newMustErr("range end", "be a valid ipv4", conf.RangeEnd)
+	case conf.LeaseDuration <= 0:
+		return newMustErr("lease duration", "be less than %d", conf.LeaseDuration)
+	default:
+		return nil
+	}
+}
+
+// iface4 is a DHCP interface for IPv4 address family.
+type iface4 struct {
+	// gateway is the IP address of the network gateway.
+	gateway netip.Addr
+
+	// subnet is the network subnet.
+	subnet netip.Prefix
+
+	// addrSpace is the IPv4 address space allocated for leasing.
+	addrSpace ipRange
+
+	// name is the name of the interface.
+	name string
+
+	// TODO(e.burkov):  Add options.
+
+	// leaseTTL is the time-to-live of dynamic leases on this interface.
+	leaseTTL time.Duration
+}
+
+// newIface4 creates a new DHCP interface for IPv4 address family with the given
+// configuration.  It returns an error if the given configuration can't be used.
+func newIface4(name string, conf *IPv4Config) (i *iface4, err error) {
+	if !conf.Enabled {
+		return nil, nil
+	}
+
+	maskLen, _ := net.IPMask(conf.SubnetMask.AsSlice()).Size()
+	subnet := netip.PrefixFrom(conf.GatewayIP, maskLen)
+
+	switch {
+	case !subnet.Contains(conf.RangeStart):
+		return nil, fmt.Errorf("range start %s is not within %s", conf.RangeStart, subnet)
+	case !subnet.Contains(conf.RangeEnd):
+		return nil, fmt.Errorf("range end %s is not within %s", conf.RangeEnd, subnet)
+	}
+
+	addrSpace, err := newIPRange(conf.RangeStart, conf.RangeEnd)
+	if err != nil {
+		return nil, err
+	} else if addrSpace.contains(conf.GatewayIP) {
+		return nil, fmt.Errorf("gateway ip %s in the ip range %s", conf.GatewayIP, addrSpace)
+	}
+
+	return &iface4{
+		name:      name,
+		gateway:   conf.GatewayIP,
+		subnet:    subnet,
+		addrSpace: addrSpace,
+		leaseTTL:  conf.LeaseDuration,
+	}, nil
+}

internal/dhcpsvc/v6.go

@@ -0,0 +1,88 @@
+package dhcpsvc
+
+import (
+	"fmt"
+	"net/netip"
+	"time"
+
+	"github.com/google/gopacket/layers"
+)
+
+// IPv6Config is the interface-specific configuration for DHCPv6.
+type IPv6Config struct {
+	// RangeStart is the first address in the range to assign to DHCP clients.
+	RangeStart netip.Addr
+
+	// Options is the list of DHCP options to send to DHCP clients.
+	Options layers.DHCPOptions
+
+	// LeaseDuration is the TTL of a DHCP lease.
+	LeaseDuration time.Duration
+
+	// RASlaacOnly defines whether the DHCP clients should only use SLAAC for
+	// address assignment.
+	RASLAACOnly bool
+
+	// RAAllowSlaac defines whether the DHCP clients may use SLAAC for address
+	// assignment.
+	RAAllowSLAAC bool
+
+	// Enabled is the state of the DHCPv6 service, whether it is enabled or not
+	// on the specific interface.
+	Enabled bool
+}
+
+// validate returns an error in conf if any.
+func (conf *IPv6Config) validate() (err error) {
+	switch {
+	case conf == nil:
+		return errNilConfig
+	case !conf.Enabled:
+		return nil
+	case !conf.RangeStart.Is6():
+		return fmt.Errorf("range start %s should be a valid ipv6", conf.RangeStart)
+	case conf.LeaseDuration <= 0:
+		return fmt.Errorf("lease duration %s must be positive", conf.LeaseDuration)
+	default:
+		return nil
+	}
+}
+
+// iface6 is a DHCP interface for IPv6 address family.
+//
+// TODO(e.burkov):  Add options.
+type iface6 struct {
+	// rangeStart is the first IP address in the range.
+	rangeStart netip.Addr
+
+	// name is the name of the interface.
+	name string
+
+	// leaseTTL is the time-to-live of dynamic leases on this interface.
+	leaseTTL time.Duration
+
+	// raSLAACOnly defines if DHCP should send ICMPv6.RA packets without MO
+	// flags.
+	raSLAACOnly bool
+
+	// raAllowSLAAC defines if DHCP should send ICMPv6.RA packets with MO flags.
+	raAllowSLAAC bool
+}
+
+// newIface6 creates a new DHCP interface for IPv6 address family with the given
+// configuration.
+//
+// TODO(e.burkov):  Validate properly.
+func newIface6(name string, conf *IPv6Config) (i *iface6) {
+	if !conf.Enabled {
+		return nil
+	}
+
+	return &iface6{
+		name:         name,
+		rangeStart:   conf.RangeStart,
+		leaseTTL:     conf.LeaseDuration,
+		raSLAACOnly:  conf.RASLAACOnly,
+		raAllowSLAAC: conf.RAAllowSLAAC,
+	}
+}

internal/dnsforward/access.go

@@ -182,6 +182,7 @@ func (s *Server) accessListJSON() (j accessListJSON) {
 	}
 }
 
+// handleAccessList handles requests to the GET /control/access/list endpoint.
 func (s *Server) handleAccessList(w http.ResponseWriter, r *http.Request) {
 	aghhttp.WriteJSONResponseOK(w, r, s.accessListJSON())
 }
@@ -224,6 +225,7 @@ func validateStrUniq(clients []string) (uc aghalg.UniqChecker[string], err error
 	return uc, uc.Validate()
 }
 
+// handleAccessSet handles requests to the POST /control/access/set endpoint.
 func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
 	list := &accessListJSON{}
 	err := json.NewDecoder(r.Body).Decode(&list)

internal/dnsforward/clientid.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/quic-go/quic-go"
 )
@@ -151,6 +152,8 @@ func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string
 // DNS-over-HTTPS requests, it will return the hostname part of the Host header
 // if there is one.
 func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string, err error) {
+	from := "tls conn"
+
 	switch proto {
 	case proxy.ProtoHTTPS:
 		r := pctx.HTTPRequest
@@ -164,6 +167,7 @@ func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string
 			}
 
 			srvName = host
+			from = "host header"
 		}
 	case proxy.ProtoQUIC:
 		qConn := pctx.QUICConnection
@@ -183,5 +187,7 @@ func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string
 		srvName = tc.ConnectionState().ServerName
 	}
 
+	log.Debug("dnsforward: got client server name %q from %s", srvName, from)
+
 	return srvName, nil
 }

internal/dnsforward/config.go

@@ -27,6 +27,19 @@ import (
 	"golang.org/x/exp/slices"
 )
 
+// ClientsContainer provides information about preconfigured DNS clients.
+type ClientsContainer interface {
+	// UpstreamConfigByID returns the custom upstream configuration for the
+	// client having id, using boot to initialize the one if necessary.  It
+	// returns nil if there is no custom upstream configuration for the client.
+	// The id is expected to be either a string representation of an IP address
+	// or the ClientID.
+	UpstreamConfigByID(
+		id string,
+		boot upstream.Resolver,
+	) (conf *proxy.CustomUpstreamConfig, err error)
+}
+
 // Config represents the DNS filtering configuration of AdGuard Home. The zero
 // Config is empty and ready for use.
 type Config struct {
@@ -35,10 +48,9 @@ type Config struct {
 	// FilterHandler is an optional additional filtering callback.
 	FilterHandler func(cliAddr netip.Addr, clientID string, settings *filtering.Settings) `yaml:"-"`
 
-	// GetCustomUpstreamByClient is a callback that returns upstreams
-	// configuration based on the client IP address or ClientID.  It returns
-	// nil if there are no custom upstreams for the client.
-	GetCustomUpstreamByClient func(id string) (conf *proxy.UpstreamConfig, err error) `yaml:"-"`
+	// ClientsContainer stores the information about special handling of some
+	// DNS clients.
+	ClientsContainer ClientsContainer `yaml:"-"`
 
 	// Anti-DNS amplification
 
@@ -46,8 +58,16 @@ type Config struct {
 	// (0 to disable).
 	Ratelimit uint32 `yaml:"ratelimit"`
 
+	// RatelimitSubnetLenIPv4 is a subnet length for IPv4 addresses used for
+	// rate limiting requests.
+	RatelimitSubnetLenIPv4 int `yaml:"ratelimit_subnet_len_ipv4"`
+
+	// RatelimitSubnetLenIPv6 is a subnet length for IPv6 addresses used for
+	// rate limiting requests.
+	RatelimitSubnetLenIPv6 int `yaml:"ratelimit_subnet_len_ipv6"`
+
 	// RatelimitWhitelist is the list of whitelisted client IP addresses.
-	RatelimitWhitelist []string `yaml:"ratelimit_whitelist"`
+	RatelimitWhitelist []netip.Addr `yaml:"ratelimit_whitelist"`
 
 	// RefuseAny, if true, refuse ANY requests.
 	RefuseAny bool `yaml:"refuse_any"`
@@ -269,16 +289,19 @@ type ServerConfig struct {
 	// UseHTTP3Upstreams defines if HTTP/3 is be allowed for DNS-over-HTTPS
 	// upstreams.
 	UseHTTP3Upstreams bool
+
+	// ServePlainDNS defines if plain DNS is allowed for incoming requests.
+	ServePlainDNS bool
 }
 
-// createProxyConfig creates and validates configuration for the main proxy.
-func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
+// newProxyConfig creates and validates configuration for the main proxy.
+func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 	srvConf := s.conf
-	conf = proxy.Config{
-		UDPListenAddr:          srvConf.UDPListenAddrs,
-		TCPListenAddr:          srvConf.TCPListenAddrs,
+	conf = &proxy.Config{
 		HTTP3:                  srvConf.ServeHTTP3,
 		Ratelimit:              int(srvConf.Ratelimit),
+		RatelimitSubnetLenIPv4: srvConf.RatelimitSubnetLenIPv4,
+		RatelimitSubnetLenIPv6: srvConf.RatelimitSubnetLenIPv6,
 		RatelimitWhitelist:     srvConf.RatelimitWhitelist,
 		RefuseAny:              srvConf.RefuseAny,
 		TrustedProxies:         srvConf.TrustedProxies,
@@ -306,27 +329,25 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	}
 
 	setProxyUpstreamMode(
-		&conf,
+		conf,
 		srvConf.AllServers,
 		srvConf.FastestAddr,
 		srvConf.FastestTimeout.Duration,
 	)
 
-	for i, s := range srvConf.BogusNXDomain {
-		var subnet *net.IPNet
-		subnet, err = netutil.ParseSubnet(s)
-		if err != nil {
-			log.Error("subnet at index %d: %s", i, err)
-
-			continue
-		}
-
-		conf.BogusNXDomain = append(conf.BogusNXDomain, subnet)
+	conf.BogusNXDomain, err = parseBogusNXDOMAIN(srvConf.BogusNXDomain)
+	if err != nil {
+		return nil, fmt.Errorf("bogus_nxdomain: %w", err)
 	}
 
-	err = s.prepareTLS(&conf)
+	err = s.prepareTLS(conf)
 	if err != nil {
-		return proxy.Config{}, fmt.Errorf("validating tls: %w", err)
+		return nil, fmt.Errorf("validating tls: %w", err)
+	}
+
+	err = s.preparePlain(conf)
+	if err != nil {
+		return nil, fmt.Errorf("validating plain: %w", err)
 	}
 
 	if c := srvConf.DNSCryptConfig; c.Enabled {
@@ -337,12 +358,27 @@ func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	}
 
 	if conf.UpstreamConfig == nil || len(conf.UpstreamConfig.Upstreams) == 0 {
-		return proxy.Config{}, errors.Error("no default upstream servers configured")
+		return nil, errors.Error("no default upstream servers configured")
 	}
 
 	return conf, nil
 }
 
+// parseBogusNXDOMAIN parses the bogus NXDOMAIN strings into valid subnets.
+func parseBogusNXDOMAIN(confBogusNXDOMAIN []string) (subnets []netip.Prefix, err error) {
+	for i, s := range confBogusNXDOMAIN {
+		var subnet netip.Prefix
+		subnet, err = aghnet.ParseSubnet(s)
+		if err != nil {
+			return nil, fmt.Errorf("subnet at index %d: %w", i, err)
+		}
+
+		subnets = append(subnets, subnet)
+	}
+
+	return subnets, nil
+}
+
 const defaultBlockedResponseTTL = 3600
 
 // initDefaultSettings initializes default settings if nothing
@@ -413,10 +449,7 @@ func collectListenAddr(
 
 // collectDNSAddrs returns configured set of listening addresses.  It also
 // returns a set of ports of each unspecified listening address.
-func (conf *ServerConfig) collectDNSAddrs() (
-	addrs map[netip.AddrPort]unit,
-	unspecPorts map[uint16]unit,
-) {
+func (conf *ServerConfig) collectDNSAddrs() (addrs mapAddrPortSet, unspecPorts map[uint16]unit) {
 	// TODO(e.burkov):  Perhaps, we shouldn't allocate as much memory, since the
 	// TCP and UDP listening addresses are currently the same.
 	addrs = make(map[netip.AddrPort]unit, len(conf.TCPListenAddrs)+len(conf.UDPListenAddrs))
@@ -436,20 +469,64 @@ func (conf *ServerConfig) collectDNSAddrs() (
 // defaultPlainDNSPort is the default port for plain DNS.
 const defaultPlainDNSPort uint16 = 53
 
-// addrPortMatcher is a function that matches an IP address with port.
-type addrPortMatcher func(addr netip.AddrPort) (ok bool)
+// addrPortSet is a set of [netip.AddrPort] values.
+type addrPortSet interface {
+	// Has returns true if addrPort is in the set.
+	Has(addrPort netip.AddrPort) (ok bool)
+}
+
+// type check
+var _ addrPortSet = emptyAddrPortSet{}
+
+// emptyAddrPortSet is the [addrPortSet] containing no values.
+type emptyAddrPortSet struct{}
+
+// Has implements the [addrPortSet] interface for [emptyAddrPortSet].
+func (emptyAddrPortSet) Has(_ netip.AddrPort) (ok bool) { return false }
+
+// mapAddrPortSet is the [addrPortSet] containing values of [netip.AddrPort] as
+// keys of a map.
+type mapAddrPortSet map[netip.AddrPort]unit
+
+// type check
+var _ addrPortSet = mapAddrPortSet{}
+
+// Has implements the [addrPortSet] interface for [mapAddrPortSet].
+func (m mapAddrPortSet) Has(addrPort netip.AddrPort) (ok bool) {
+	_, ok = m[addrPort]
+
+	return ok
+}
+
+// combinedAddrPortSet is the [addrPortSet] defined by some IP addresses along
+// with ports, any combination of which is considered being in the set.
+type combinedAddrPortSet struct {
+	// TODO(e.burkov):  Use sorted slices in combination with binary search.
+	ports map[uint16]unit
+	addrs []netip.Addr
+}
+
+// type check
+var _ addrPortSet = (*combinedAddrPortSet)(nil)
+
+// Has implements the [addrPortSet] interface for [*combinedAddrPortSet].
+func (m *combinedAddrPortSet) Has(addrPort netip.AddrPort) (ok bool) {
+	_, ok = m.ports[addrPort.Port()]
+
+	return ok && slices.Contains(m.addrs, addrPort.Addr())
+}
 
 // filterOut filters out all the upstreams that match um.  It returns all the
 // closing errors joined.
-func (m addrPortMatcher) filterOut(upsConf *proxy.UpstreamConfig) (err error) {
+func filterOutAddrs(upsConf *proxy.UpstreamConfig, set addrPortSet) (err error) {
 	var errs []error
 	delFunc := func(u upstream.Upstream) (ok bool) {
 		// TODO(e.burkov):  We should probably consider the protocol of u to
 		// only filter out the listening addresses of the same protocol.
 		addr, parseErr := aghnet.ParseAddrPort(u.Address(), defaultPlainDNSPort)
-		if parseErr != nil || !m(addr) {
+		if parseErr != nil || !set.Has(addr) {
 			// Don't filter out the upstream if it either cannot be parsed, or
-			// does not match um.
+			// does not match m.
 			return false
 		}
 
@@ -469,26 +546,20 @@ func (m addrPortMatcher) filterOut(upsConf *proxy.UpstreamConfig) (err error) {
 	return errors.Join(errs...)
 }
 
-// ourAddrsMatcher returns a matcher that matches all the configured listening
+// ourAddrsSet returns an addrPortSet that contains all the configured listening
 // addresses.
-func (conf *ServerConfig) ourAddrsMatcher() (m addrPortMatcher, err error) {
+func (conf *ServerConfig) ourAddrsSet() (m addrPortSet, err error) {
 	addrs, unspecPorts := conf.collectDNSAddrs()
-	if len(addrs) == 0 {
+	switch {
+	case len(addrs) == 0:
 		log.Debug("dnsforward: no listen addresses")
 
-		// Match no addresses.
-		return func(_ netip.AddrPort) (ok bool) { return false }, nil
-	}
-
-	if len(unspecPorts) == 0 {
+		return emptyAddrPortSet{}, nil
+	case len(unspecPorts) == 0:
 		log.Debug("dnsforward: filtering out addresses %s", addrs)
 
-		m = func(a netip.AddrPort) (ok bool) {
-			_, ok = addrs[a]
-
-			return ok
-		}
-	} else {
+		return addrs, nil
+	default:
 		var ifaceAddrs []netip.Addr
 		ifaceAddrs, err = aghnet.CollectAllIfacesAddrs()
 		if err != nil {
@@ -498,16 +569,11 @@ func (conf *ServerConfig) ourAddrsMatcher() (m addrPortMatcher, err error) {
 
 		log.Debug("dnsforward: filtering out addresses %s on ports %d", ifaceAddrs, unspecPorts)
 
-		m = func(a netip.AddrPort) (ok bool) {
-			if _, ok = unspecPorts[a.Port()]; ok {
-				return slices.Contains(ifaceAddrs, a.Addr())
-			}
-
-			return false
-		}
+		return &combinedAddrPortSet{
+			ports: unspecPorts,
+			addrs: ifaceAddrs,
+		}, nil
 	}
-
-	return m, nil
 }
 
 // prepareTLS - prepares TLS configuration for the DNS proxy
@@ -564,7 +630,7 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) {
 
 // isWildcard returns true if host is a wildcard hostname.
 func isWildcard(host string) (ok bool) {
-	return len(host) >= 2 && host[0] == '*' && host[1] == '.'
+	return strings.HasPrefix(host, "*.")
 }
 
 // matchesDomainWildcard returns true if host matches the domain wildcard
@@ -604,6 +670,31 @@ func (s *Server) onGetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, er
 	return &s.conf.cert, nil
 }
 
+// preparePlain prepares the plain-DNS configuration for the DNS proxy.
+// preparePlain assumes that prepareTLS has already been called.
+func (s *Server) preparePlain(proxyConf *proxy.Config) (err error) {
+	if s.conf.ServePlainDNS {
+		proxyConf.UDPListenAddr = s.conf.UDPListenAddrs
+		proxyConf.TCPListenAddr = s.conf.TCPListenAddrs
+
+		return nil
+	}
+
+	lenEncrypted := len(proxyConf.DNSCryptTCPListenAddr) +
+		len(proxyConf.DNSCryptUDPListenAddr) +
+		len(proxyConf.HTTPSListenAddr) +
+		len(proxyConf.QUICListenAddr) +
+		len(proxyConf.TLSListenAddr)
+	if lenEncrypted == 0 {
+		// TODO(a.garipov): Support full disabling of all DNS.
+		return errors.Error("disabling plain dns requires at least one encrypted protocol")
+	}
+
+	log.Info("dnsforward: warning: plain dns is disabled")
+
+	return nil
+}
+
 // UpdatedProtectionStatus updates protection state, if the protection was
 // disabled temporarily.  Returns the updated state of protection.
 func (s *Server) UpdatedProtectionStatus() (enabled bool, disabledUntil *time.Time) {

internal/dnsforward/configvalidator.go

@@ -0,0 +1,349 @@
+package dnsforward
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/errors"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/miekg/dns"
+	"golang.org/x/exp/slices"
+)
+
+// upstreamConfigValidator parses the [*proxy.UpstreamConfig] and checks the
+// actual DNS availability of each upstream.
+type upstreamConfigValidator struct {
+	// general is the general upstream configuration.
+	general []*upstreamResult
+
+	// fallback is the fallback upstream configuration.
+	fallback []*upstreamResult
+
+	// private is the private upstream configuration.
+	private []*upstreamResult
+}
+
+// upstreamResult is a result of validation of an [upstream.Upstream] within an
+// [proxy.UpstreamConfig].
+type upstreamResult struct {
+	// server is the parsed upstream.  It is nil when there was an error during
+	// parsing.
+	server upstream.Upstream
+
+	// err is the error either from parsing or from checking the upstream.
+	err error
+
+	// original is the piece of configuration that have either been turned to an
+	// upstream or caused an error.
+	original string
+
+	// isSpecific is true if the upstream is domain-specific.
+	isSpecific bool
+}
+
+// compare compares two [upstreamResult]s.  It returns 0 if they are equal, -1
+// if ur should be sorted before other, and 1 otherwise.
+//
+// TODO(e.burkov):  Perhaps it makes sense to sort the results with errors near
+// the end.
+func (ur *upstreamResult) compare(other *upstreamResult) (res int) {
+	return strings.Compare(ur.original, other.original)
+}
+
+// newUpstreamConfigValidator parses the upstream configuration and returns a
+// validator for it.  cv already contains the parsed upstreams along with errors
+// related.
+func newUpstreamConfigValidator(
+	general []string,
+	fallback []string,
+	private []string,
+	opts *upstream.Options,
+) (cv *upstreamConfigValidator) {
+	cv = &upstreamConfigValidator{}
+
+	for _, line := range general {
+		cv.general = cv.insertLineResults(cv.general, line, opts)
+	}
+	for _, line := range fallback {
+		cv.fallback = cv.insertLineResults(cv.fallback, line, opts)
+	}
+	for _, line := range private {
+		cv.private = cv.insertLineResults(cv.private, line, opts)
+	}
+
+	return cv
+}
+
+// insertLineResults parses line and inserts the result into s.  It can insert
+// multiple results as well as none.
+func (cv *upstreamConfigValidator) insertLineResults(
+	s []*upstreamResult,
+	line string,
+	opts *upstream.Options,
+) (result []*upstreamResult) {
+	upstreams, isSpecific, err := splitUpstreamLine(line)
+	if err != nil {
+		return cv.insert(s, &upstreamResult{
+			err:      err,
+			original: line,
+		})
+	}
+
+	for _, upstreamAddr := range upstreams {
+		var res *upstreamResult
+		if upstreamAddr != "#" {
+			res = cv.parseUpstream(upstreamAddr, opts)
+		} else if !isSpecific {
+			res = &upstreamResult{
+				err:      errNotDomainSpecific,
+				original: upstreamAddr,
+			}
+		} else {
+			continue
+		}
+
+		res.isSpecific = isSpecific
+		s = cv.insert(s, res)
+	}
+
+	return s
+}
+
+// insert inserts r into slice in a sorted order, except duplicates.  slice must
+// not be nil.
+func (cv *upstreamConfigValidator) insert(
+	s []*upstreamResult,
+	r *upstreamResult,
+) (result []*upstreamResult) {
+	i, has := slices.BinarySearchFunc(s, r, (*upstreamResult).compare)
+	if has {
+		log.Debug("dnsforward: duplicate configuration %q", r.original)
+
+		return s
+	}
+
+	return slices.Insert(s, i, r)
+}
+
+// parseUpstream parses addr and returns the result of parsing.  It returns nil
+// if the specified server points at the default upstream server which is
+// validated separately.
+func (cv *upstreamConfigValidator) parseUpstream(
+	addr string,
+	opts *upstream.Options,
+) (r *upstreamResult) {
+	// Check if the upstream has a valid protocol prefix.
+	//
+	// TODO(e.burkov):  Validate the domain name.
+	if proto, _, ok := strings.Cut(addr, "://"); ok {
+		if !slices.Contains(protocols, proto) {
+			return &upstreamResult{
+				err:      fmt.Errorf("bad protocol %q", proto),
+				original: addr,
+			}
+		}
+	}
+
+	ups, err := upstream.AddressToUpstream(addr, opts)
+
+	return &upstreamResult{
+		server:   ups,
+		err:      err,
+		original: addr,
+	}
+}
+
+// check tries to exchange with each successfully parsed upstream and enriches
+// the results with the healthcheck errors.  It should not be called after the
+// [upsConfValidator.close] method, since it makes no sense to check the closed
+// upstreams.
+func (cv *upstreamConfigValidator) check() {
+	const (
+		// testTLD is the special-use fully-qualified domain name for testing
+		// the DNS server reachability.
+		//
+		// See https://datatracker.ietf.org/doc/html/rfc6761#section-6.2.
+		testTLD = "test."
+
+		// inAddrARPATLD is the special-use fully-qualified domain name for PTR
+		// IP address resolution.
+		//
+		// See https://datatracker.ietf.org/doc/html/rfc1035#section-3.5.
+		inAddrARPATLD = "in-addr.arpa."
+	)
+
+	commonChecker := &healthchecker{
+		hostname: testTLD,
+		qtype:    dns.TypeA,
+		ansEmpty: true,
+	}
+
+	arpaChecker := &healthchecker{
+		hostname: inAddrARPATLD,
+		qtype:    dns.TypePTR,
+		ansEmpty: false,
+	}
+
+	wg := &sync.WaitGroup{}
+	wg.Add(len(cv.general) + len(cv.fallback) + len(cv.private))
+
+	for _, res := range cv.general {
+		go cv.checkSrv(res, wg, commonChecker)
+	}
+	for _, res := range cv.fallback {
+		go cv.checkSrv(res, wg, commonChecker)
+	}
+	for _, res := range cv.private {
+		go cv.checkSrv(res, wg, arpaChecker)
+	}
+
+	wg.Wait()
+}
+
+// checkSrv runs hc on the server from res, if any, and stores any occurred
+// error in res.  wg is always marked done in the end.  It used to be called in
+// a separate goroutine.
+func (cv *upstreamConfigValidator) checkSrv(
+	res *upstreamResult,
+	wg *sync.WaitGroup,
+	hc *healthchecker,
+) {
+	defer wg.Done()
+
+	if res.server == nil {
+		return
+	}
+
+	res.err = hc.check(res.server)
+	if res.err != nil && res.isSpecific {
+		res.err = domainSpecificTestError{Err: res.err}
+	}
+}
+
+// close closes all the upstreams that were successfully parsed.  It enriches
+// the results with deferred closing errors.
+func (cv *upstreamConfigValidator) close() {
+	for _, slice := range [][]*upstreamResult{cv.general, cv.fallback, cv.private} {
+		for _, r := range slice {
+			if r.server != nil {
+				r.err = errors.WithDeferred(r.err, r.server.Close())
+			}
+		}
+	}
+}
+
+// status returns all the data collected during parsing, healthcheck, and
+// closing of the upstreams.  The returned map is keyed by the original upstream
+// configuration piece and contains the corresponding error or "OK" if there was
+// no error.
+func (cv *upstreamConfigValidator) status() (results map[string]string) {
+	result := map[string]string{}
+
+	for _, res := range cv.general {
+		resultToStatus("general", res, result)
+	}
+	for _, res := range cv.fallback {
+		resultToStatus("fallback", res, result)
+	}
+	for _, res := range cv.private {
+		resultToStatus("private", res, result)
+	}
+
+	return result
+}
+
+// resultToStatus puts "OK" or an error message from res into resMap.  section
+// is the name of the upstream configuration section, i.e. "general",
+// "fallback", or "private", and only used for logging.
+//
+// TODO(e.burkov):  Currently, the HTTP handler expects that all the results are
+// put together in a single map, which may lead to collisions, see AG-27539.
+// Improve the results compilation.
+func resultToStatus(section string, res *upstreamResult, resMap map[string]string) {
+	val := "OK"
+	if res.err != nil {
+		val = res.err.Error()
+	}
+
+	prevVal := resMap[res.original]
+	switch prevVal {
+	case "":
+		resMap[res.original] = val
+	case val:
+		log.Debug("dnsforward: duplicating %s config line %q", section, res.original)
+	default:
+		log.Debug(
+			"dnsforward: warning: %s config line %q (%v) had different result %v",
+			section,
+			val,
+			res.original,
+			prevVal,
+		)
+	}
+}
+
+// domainSpecificTestError is a wrapper for errors returned by checkDNS to mark
+// the tested upstream domain-specific and therefore consider its errors
+// non-critical.
+//
+// TODO(a.garipov):  Some common mechanism of distinguishing between errors and
+// warnings (non-critical errors) is desired.
+type domainSpecificTestError struct {
+	// Err is the actual error occurred during healthcheck test.
+	Err error
+}
+
+// type check
+var _ error = domainSpecificTestError{}
+
+// Error implements the [error] interface for domainSpecificTestError.
+func (err domainSpecificTestError) Error() (msg string) {
+	return fmt.Sprintf("WARNING: %s", err.Err)
+}
+
+// type check
+var _ errors.Wrapper = domainSpecificTestError{}
+
+// Unwrap implements the [errors.Wrapper] interface for domainSpecificTestError.
+func (err domainSpecificTestError) Unwrap() (wrapped error) {
+	return err.Err
+}
+
+// healthchecker checks the upstream's status by exchanging with it.
+type healthchecker struct {
+	// hostname is the name of the host to put into healthcheck DNS request.
+	hostname string
+
+	// qtype is the type of DNS request to use for healthcheck.
+	qtype uint16
+
+	// ansEmpty defines if the answer section within the response is expected to
+	// be empty.
+	ansEmpty bool
+}
+
+// check exchanges with u and validates the response.
+func (h *healthchecker) check(u upstream.Upstream) (err error) {
+	req := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:               dns.Id(),
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{{
+			Name:   h.hostname,
+			Qtype:  h.qtype,
+			Qclass: dns.ClassINET,
+		}},
+	}
+
+	reply, err := u.Exchange(req)
+	if err != nil {
+		return fmt.Errorf("couldn't communicate with upstream: %w", err)
+	} else if h.ansEmpty && len(reply.Answer) > 0 {
+		return errWrongResponse
+	}
+
+	return nil
+}

internal/dnsforward/dialcontext.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
+	"strconv"
 	"time"
 
 	"github.com/AdguardTeam/golibs/errors"
@@ -11,10 +13,12 @@ import (
 )
 
 // DialContext is an [aghnet.DialContextFunc] that uses s to resolve hostnames.
+// addr should be a valid host:port address, where host could be a domain name
+// or an IP address.
 func (s *Server) DialContext(ctx context.Context, network, addr string) (conn net.Conn, err error) {
 	log.Debug("dnsforward: dialing %q for network %q", addr, network)
 
-	host, port, err := net.SplitHostPort(addr)
+	host, portStr, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
@@ -28,21 +32,24 @@ func (s *Server) DialContext(ctx context.Context, network, addr string) (conn ne
 		return dialer.DialContext(ctx, network, addr)
 	}
 
-	addrs, err := s.Resolve(host)
+	port, err := strconv.Atoi(portStr)
 	if err != nil {
-		return nil, fmt.Errorf("resolving %q: %w", host, err)
+		return nil, fmt.Errorf("invalid port %s: %w", portStr, err)
 	}
 
-	log.Debug("dnsforward: resolving %q: %v", host, addrs)
-
-	if len(addrs) == 0 {
+	ips, err := s.Resolve(ctx, network, host)
+	if err != nil {
+		return nil, fmt.Errorf("resolving %q: %w", host, err)
+	} else if len(ips) == 0 {
 		return nil, fmt.Errorf("no addresses for host %q", host)
 	}
 
+	log.Debug("dnsforward: resolved %q: %v", host, ips)
+
 	var dialErrs []error
-	for _, a := range addrs {
-		addr = net.JoinHostPort(a.String(), port)
-		conn, err = dialer.DialContext(ctx, network, addr)
+	for _, ip := range ips {
+		addrPort := netip.AddrPortFrom(ip, uint16(port))
+		conn, err = dialer.DialContext(ctx, network, addrPort.String())
 		if err != nil {
 			dialErrs = append(dialErrs, err)
 

internal/dnsforward/dns64_test.go

@@ -292,6 +292,7 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 			Config: Config{
 				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 			},
+			ServePlainDNS: true,
 		}, localUps)
 
 		t.Run(tc.name, func(t *testing.T) {