all: sync with master

.github/ISSUE_TEMPLATE/bug.yml

@@ -102,6 +102,9 @@
             the best way.  For crashes, please provide a full failure log.
         'label': 'Action'
         'value': |
+            Replace the following command with the one you're calling or a
+            description of the failing action:
+
             ```sh
             nslookup -debug -type=a 'www.example.com' '$YOUR_AGH_ADDRESS'
             ```

.github/workflows/build.yml

@@ -1,7 +1,7 @@
 'name': 'build'
 
 'env':
-  'GO_VERSION': '1.20.12'
+  'GO_VERSION': '1.21.8'
   'NODE_VERSION': '16'
 
 'on':
@@ -101,7 +101,10 @@
     - 'name': 'Set up Docker Buildx'
       'uses': 'docker/setup-buildx-action@v1'
     - 'name': 'Run snapshot build'
-      'run': 'make SIGN=0 VERBOSE=1 build-release build-docker'
+      # Set a custom version string, since the checkout@v2 action does not seem
+      # to know about the master branch, while the version script uses it to
+      # count the number of commits within the branch.
+      'run': 'make SIGN=0 VERBOSE=1 VERSION="v0.0.0-github" build-release build-docker'
 
   'notify':
     'needs':

.github/workflows/lint.yml

@@ -1,7 +1,7 @@
 'name': 'lint'
 
 'env':
-  'GO_VERSION': '1.20.12'
+  'GO_VERSION': '1.21.8'
 
 'on':
   'push':

CHANGELOG.md

@@ -14,11 +14,11 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA
 
-## [v0.107.45] - 2024-03-05 (APPROX.)
+## [v0.107.47] - 2024-04-03 (APPROX.)
 
-See also the [v0.107.45 GitHub milestone][ms-v0.107.45].
+See also the [v0.107.47 GitHub milestone][ms-v0.107.47].
 
-[ms-v0.107.45]: https://github.com/AdguardTeam/AdGuardHome/milestone/80?closed=1
+[ms-v0.107.47]: https://github.com/AdguardTeam/AdGuardHome/milestone/82?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
@@ -29,6 +29,100 @@ NOTE: Add new changes ABOVE THIS COMMENT.
 
 
 
+## [v0.107.46] - 2024-03-20
+
+See also the [v0.107.46 GitHub milestone][ms-v0.107.46].
+
+### Added
+
+- Ability to disable the use of system hosts file information for query
+  resolution ([#6610]).
+- Ability to define custom directories for storage of query log files and
+  statistics ([#5992]).
+
+### Changed
+
+- Private RDNS resolution (`dns.use_private_ptr_resolvers` in YAML
+  configuration) now requires a valid "Private reverse DNS servers", when
+  enabled ([#6820]).
+
+  **NOTE:** Disabling private RDNS resolution behaves effectively the same as if
+  no private reverse DNS servers provided by user and by the OS.
+
+### Fixed
+
+- Statistics for 7 days displayed by day on the dashboard graph ([#6712]).
+- Missing "served from cache" label on long DNS server strings ([#6740]).
+- Incorrect tracking of the system hosts file's changes ([#6711]).
+
+[#5992]: https://github.com/AdguardTeam/AdGuardHome/issues/5992
+[#6610]: https://github.com/AdguardTeam/AdGuardHome/issues/6610
+[#6711]: https://github.com/AdguardTeam/AdGuardHome/issues/6711
+[#6712]: https://github.com/AdguardTeam/AdGuardHome/issues/6712
+[#6740]: https://github.com/AdguardTeam/AdGuardHome/issues/6740
+[#6820]: https://github.com/AdguardTeam/AdGuardHome/issues/6820
+
+[ms-v0.107.46]: https://github.com/AdguardTeam/AdGuardHome/milestone/81?closed=1
+
+
+
+## [v0.107.45] - 2024-03-06
+
+See also the [v0.107.45 GitHub milestone][ms-v0.107.45].
+
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the Go
+  vulnerabilities fixed in [Go 1.21.8][go-1.21.8].
+
+### Added
+
+- Context menu item in the Query Log to add a Client to the Persistent client
+  list ([#6679]).
+
+### Changed
+
+- Starting with this release our scripts are using Go's [forward compatibility
+  mechanism][go-toolchain] for updating the Go version.
+
+  **Important note for porters:**  This change means that if your `go` version
+  is 1.21+ but is different from the one required by AdGuard Home, the `go` tool
+  will automatically download the required version.
+
+  If you want to use the version installed on your builder, run:
+
+  ```sh
+  go get go@$YOUR_VERSION
+  go mod tidy
+  ```
+
+  and call `make` with `GOTOOLCHAIN=local`.
+
+### Deprecated
+
+- Go 1.21 support.  Future versions will require at least Go 1.22 to build.
+
+### Fixed
+
+- Missing IP addresses in logs when querying for domain names from the ignore
+  lists.
+- Blank page after resetting access clients ([#6634]).
+- Wrong algorithm for caching bootstrapped upstream addresses ([#6723]).
+
+### Removed
+
+- Go 1.20 support, as it has reached end of life.
+
+[#6634]: https://github.com/AdguardTeam/AdGuardHome/issues/6634
+[#6679]: https://github.com/AdguardTeam/AdGuardHome/issues/6679
+[#6723]: https://github.com/AdguardTeam/AdGuardHome/issues/6723
+
+[go-1.21.8]:    https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
+[go-toolchain]: https://go.dev/blog/toolchain
+[ms-v0.107.45]: https://github.com/AdguardTeam/AdGuardHome/milestone/80?closed=1
+
+
+
 ## [v0.107.44] - 2024-02-06
 
 See also the [v0.107.44 GitHub milestone][ms-v0.107.44].
@@ -2759,11 +2853,13 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.45...HEAD
-[v0.107.45]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.44...v0.107.45
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.47...HEAD
+[v0.107.47]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.46...v0.107.46
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.44...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.46...HEAD
+[v0.107.46]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.45...v0.107.46
+[v0.107.45]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.44...v0.107.45
 [v0.107.44]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.43...v0.107.44
 [v0.107.43]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.42...v0.107.43
 [v0.107.42]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.41...v0.107.42

Makefile

@@ -8,7 +8,7 @@
 # Makefile.  Bump this number every time a significant change is made to
 # this Makefile.
 #
-# AdGuard-Project-Version: 2
+# AdGuard-Project-Version: 4
 
 # Don't name these macros "GO" etc., because GNU Make apparently makes
 # them exported environment variables with the literal value of
@@ -27,6 +27,7 @@ DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://goproxy.cn|https://proxy.golang.org|direct
 GOSUMDB = sum.golang.google.cn
+GOTOOLCHAIN = go1.21.8
 GPG_KEY = devteam@adguard.com
 GPG_KEY_PASSPHRASE = not-a-real-password
 NPM = npm
@@ -56,15 +57,16 @@ BUILD_RELEASE_DEPS_0 = deps js-build
 BUILD_RELEASE_DEPS_1 = go-deps
 
 ENV = env\
-	COMMIT='$(COMMIT)'\
 	CHANNEL='$(CHANNEL)'\
-	GPG_KEY='$(GPG_KEY)'\
-	GPG_KEY_PASSPHRASE='$(GPG_KEY_PASSPHRASE)'\
+	COMMIT='$(COMMIT)'\
 	DIST_DIR='$(DIST_DIR)'\
 	GO="$(GO.MACRO)"\
 	GOAMD64="$(GOAMD64)"\
 	GOPROXY='$(GOPROXY)'\
 	GOSUMDB='$(GOSUMDB)'\
+	GOTOOLCHAIN='$(GOTOOLCHAIN)'\
+	GPG_KEY='$(GPG_KEY)'\
+	GPG_KEY_PASSPHRASE='$(GPG_KEY_PASSPHRASE)'\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
@@ -117,6 +119,8 @@ go-tools: ; $(ENV) "$(SHELL)" ./scripts/make/go-tools.sh
 # targets.
 go-test:  ; $(ENV) RACE='1' "$(SHELL)" ./scripts/make/go-test.sh
 
+go-upd-tools: ; $(ENV) "$(SHELL)" ./scripts/make/go-upd-tools.sh
+
 go-check: go-tools go-lint go-test
 
 # A quick check to make sure that all supported operating systems can be
@@ -132,10 +136,3 @@ openapi-lint: ; cd ./openapi/ && $(YARN) test
 openapi-show: ; cd ./openapi/ && $(YARN) start
 
 txt-lint: ; $(ENV) "$(SHELL)" ./scripts/make/txt-lint.sh
-
-# TODO(a.garipov): Consider adding to scripts/ and the common project
-# structure.
-go-upd-tools:
-	cd ./internal/tools/ &&\
-		"$(GO.MACRO)" get -u &&\
-		"$(GO.MACRO)" mod tidy

README.md

@@ -473,6 +473,9 @@ bug or implementing the feature.
     [@kongfl888](https://github.com/kongfl888) (originally by
     [@rufengsuixing](https://github.com/rufengsuixing)).
 
+ *  [AdGuardHome sync](https://github.com/bakito/adguardhome-sync) by
+    [@bakito](https://github.com/bakito).
+
  *  [Terminal-based, real-time traffic monitoring and statistics for your AdGuard Home
     instance](https://github.com/Lissy93/AdGuardian-Term) by
     [@Lissy93](https://github.com/Lissy93)

bamboo-specs/release.yaml

@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.6'
+    'dockerGo': 'adguard/golang-ubuntu:8.1'
 
 'stages':
   - 'Build frontend':
@@ -40,6 +40,8 @@
         'jobs':
           - 'Publish to GitHub Releases'
 
+# TODO(e.burkov):  In jobs below find out why the explicit checkout is
+# performed.
 'Build frontend':
     'docker':
         'image': '${bamboo.dockerGo}'
@@ -272,7 +274,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.6'
+            'dockerGo': 'adguard/golang-ubuntu:8.1'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
   - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -287,4 +289,4 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.6'
+            'dockerGo': 'adguard/golang-ubuntu:8.1'

bamboo-specs/snapcraft.yaml

@@ -10,7 +10,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.6'
+    'dockerGo': 'adguard/golang-ubuntu:8.1'
     'snapcraftChannel': 'edge'
 
 'stages':
@@ -191,7 +191,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.6'
+            'dockerGo': 'adguard/golang-ubuntu:8.1'
             'snapcraftChannel': 'beta'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
@@ -207,5 +207,5 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.6'
+            'dockerGo': 'adguard/golang-ubuntu:8.1'
             'snapcraftChannel': 'candidate'

bamboo-specs/test.yaml

@@ -5,7 +5,8 @@
     'key': 'AHBRTSPECS'
     'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerGo': 'adguard/golang-ubuntu:7.6'
+    'dockerGo': 'adguard/golang-ubuntu:8.1'
+    'channel': 'development'
 
 'stages':
   - 'Tests':
@@ -67,13 +68,10 @@
 
                 set -e -f -u -x
 
-                # Explicitly checkout the revision that we need.
-                git checkout "${bamboo.repository.revision.number}"
-
                 make\
                         ARCH="amd64"\
                         OS="windows darwin linux"\
-                        CHANNEL="development"\
+                        CHANNEL=${bamboo.channel}\
                         SIGN=0\
                         PARALLELISM=1\
                         VERBOSE=2\
@@ -115,3 +113,14 @@
 'labels': []
 'other':
     'concurrent-build-plugin': 'system-default'
+
+'branch-overrides':
+    # rc-vX.Y.Z branches are the release candidate branches. They are created
+    # from the release branch and are used to build the release candidate
+    # images.
+  - '^rc-v[0-9]+\.[0-9]+\.[0-9]+':
+        # Set the default release channel on the release branch to beta, as we
+        # may need to build a few of these.
+        'variables':
+            'dockerGo': 'adguard/golang-ubuntu:8.1'
+            'channel': 'candidate'

client/src/__locales/be.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream DNS-серверы абноўлены",
     "dns_test_ok_toast": "Паказаныя серверы DNS працуюць карэктна",
     "dns_test_not_ok_toast": "Сервер «{{key}}»: немагчыма выкарыстоўваць, праверце слушнасць напісання",
+    "dns_test_parsing_error_toast": "Раздзел {{section}}: радок {{line}}: немагчыма выкарыстоўваць, праверце слушнасць напісання",
     "dns_test_warning_toast": "Upstream «{{key}}» не адказвае на тэставыя запыты і можа не працаваць належным чынам",
     "unblock": "Адблакаваць",
     "block": "Заблакаваць",
@@ -243,6 +244,7 @@
     "allow_this_client": "Дазволіць доступ гэтаму кліенту",
     "block_for_this_client_only": "Заблакаваць толькі для гэтага кліента",
     "unblock_for_this_client_only": "Адблакаваць толькі для гэтага кліента",
+    "add_persistent_client": "Дадаць у захаваныя кліенты",
     "time_table_header": "Час",
     "date": "Дата",
     "domain_name_table_header": "Дамен",
@@ -462,6 +464,7 @@
     "form_add_id": "Дадаць ідэнтыфікатар",
     "form_client_name": "Увядзіце імя кліента",
     "name": "Назва",
+    "client_name": "Кліент {{id}}",
     "client_global_settings": "Выкарыстаць глабальныя налады",
     "client_deleted": "Кліент «{{key}}» паспяхова выдалены",
     "client_added": "Кліент «{{key}}» паспяхова дададзены",

client/src/__locales/cs.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Odchozí servery byly úspěšně uloženy",
     "dns_test_ok_toast": "Specifikované DNS servery pracují správně",
     "dns_test_not_ok_toast": "Server \"{{key}}\": nemohl být použit, zkontrolujte, zda jste ho správně napsali",
+    "dns_test_parsing_error_toast": "Sekce {{section}}: řádek {{line}}: nelze použít, zkontrolujte prosím, zda jste ho správně napsali",
     "dns_test_warning_toast": "Upstream \"{{key}}\" neodpovídá na testovací požadavky a nemusí fungovat správně",
     "unblock": "Odblokovat",
     "block": "Blokovat",
@@ -243,6 +244,7 @@
     "allow_this_client": "Povolit tohoto klienta",
     "block_for_this_client_only": "Blokovat pouze pro tohoto klienta",
     "unblock_for_this_client_only": "Odblokovat pouze pro tohoto klienta",
+    "add_persistent_client": "Přidat jako trvalého klienta",
     "time_table_header": "Čas",
     "date": "Datum",
     "domain_name_table_header": "Název domény",
@@ -465,6 +467,7 @@
     "form_add_id": "Přidat identifikátor",
     "form_client_name": "Zadejte název klienta",
     "name": "Název",
+    "client_name": "Klient {{id}}",
     "client_global_settings": "Použít globální nastavení",
     "client_deleted": "Klient \"{{key}}\" byl úspěšně odstraněn",
     "client_added": "Klient \"{{key}}\" byl úspěšně přidán",
@@ -675,7 +678,7 @@
     "use_saved_key": "Použít dříve uložený klíče",
     "parental_control": "Rodičovská ochrana",
     "safe_browsing": "Bezpečné prohlížení",
-    "served_from_cache": "{{value}} <i>(převzato z mezipaměti)</i>",
+    "served_from_cache_label": "Převzato z mezipaměti",
     "form_error_password_length": "Heslo musí obsahovat od {{min}} do {{max}} znaků",
     "anonymizer_notification": "<0>Poznámka:</0> Anonymizace IP je zapnuta. Můžete ji vypnout v <1>Obecných nastaveních</1>.",
     "confirm_dns_cache_clear": "Opravdu chcete vymazat mezipaměť DNS?",

client/src/__locales/da.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream-servere er gemt",
     "dns_test_ok_toast": "Angivne DNS-servere fungerer korrekt",
     "dns_test_not_ok_toast": "Server \"{{key}}\": Kunne ikke bruges. Tjek, at du har angivet den korrekt",
+    "dns_test_parsing_error_toast": "Sektion {{section}}: linje {{line}}: kunne ikke anvendes. Tjek at den er angivet korrekt",
     "dns_test_warning_toast": "Upstream \"{{key}}\" svarer ikke på testforespørgsler og fungerer muligvis ikke korrekt",
     "unblock": "Afblokering",
     "block": "Blokering",
@@ -243,6 +244,7 @@
     "allow_this_client": "Tillad denne klient",
     "block_for_this_client_only": "Blokér kun for denne klient",
     "unblock_for_this_client_only": "Afblokér kun for denne klient",
+    "add_persistent_client": "Tilføj som vedvarende klient",
     "time_table_header": "Tid",
     "date": "Dato",
     "domain_name_table_header": "Domænenavn",
@@ -465,6 +467,7 @@
     "form_add_id": "Tilføj identifikator",
     "form_client_name": "Angiv klientnavn",
     "name": "Navn",
+    "client_name": "Klient {{id}}",
     "client_global_settings": "Brug globale indstillinger",
     "client_deleted": "Klient \"{{key}}\" slettet",
     "client_added": "Klient \"{{key}}\" tilføjet",
@@ -675,7 +678,7 @@
     "use_saved_key": "Brug den tidligere gemte nøgle",
     "parental_control": "Forældrekontrol",
     "safe_browsing": "Sikker Browsing",
-    "served_from_cache": "{{value}} <i>(leveret fra cache)</i>",
+    "served_from_cache_label": "Leveret fra cache",
     "form_error_password_length": "Adgangskode skal udgøre fra {{min}} til {{max}} tegn",
     "anonymizer_notification": "<0>Bemærk:</0> IP-anonymisering er aktiveret. Det kan deaktiveres via <1>Generelle indstillinger</1>.",
     "confirm_dns_cache_clear": "Sikker på, at DNS-cache skal ryddes?",

client/src/__locales/de.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream-Server erfolgreich gespeichert",
     "dns_test_ok_toast": "Angegebene DNS-Server arbeiten ordnungsgemäß",
     "dns_test_not_ok_toast": "Server „{{key}}“: konnte nicht verwendet werden, bitte überprüfen Sie die korrekte Schreibweise",
+    "dns_test_parsing_error_toast": "Abschnitt {{section}}: Zeile {{line}}: konnte nicht verwendet werden, bitte überprüfen Sie, ob alles richtig geschrieben ist",
     "dns_test_warning_toast": "Upstream „{{key}}“ reagiert nicht auf Testanfragen und funktioniert möglicherweise nicht fehlerfrei",
     "unblock": "Entsperren",
     "block": "Sperren",
@@ -243,6 +244,7 @@
     "allow_this_client": "Diesen Client zulassen",
     "block_for_this_client_only": "Nur für diesen Client sperren",
     "unblock_for_this_client_only": "Nur für diesen Client freigeben",
+    "add_persistent_client": "Als dauerhaften Client hinzufügen",
     "time_table_header": "Zeit",
     "date": "Datum",
     "domain_name_table_header": "Domainname",
@@ -465,6 +467,7 @@
     "form_add_id": "Kennung hinzufügen",
     "form_client_name": "Clientnamen eingeben",
     "name": "Name",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Allgemeine Einstellungen nutzen",
     "client_deleted": "Client „{{key}}“ erfolgreich entfernt",
     "client_added": "Client „{{key}}“ erfolgreich hinzugefügt",
@@ -675,7 +678,7 @@
     "use_saved_key": "Zuvor gespeicherten Schlüssel verwenden",
     "parental_control": "Kindersicherung",
     "safe_browsing": "Internetsicherheit",
-    "served_from_cache": "{{value}} <i>(aus dem Cache abgerufen)</i>",
+    "served_from_cache_label": "Aus dem Cache abgerufen",
     "form_error_password_length": "Das Passwort muss zwischen {{min}} und {{max}} Zeichen enthalten",
     "anonymizer_notification": "<0>Hinweis:</0> Die IP-Anonymisierung ist aktiviert. Sie können sie in den <1>Allgemeinen Einstellungen</1> deaktivieren.",
     "confirm_dns_cache_clear": "Möchten Sie den DNS-Cache wirklich leeren?",

client/src/__locales/en.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream servers successfully saved",
     "dns_test_ok_toast": "Specified DNS servers are working correctly",
     "dns_test_not_ok_toast": "Server \"{{key}}\": could not be used, please check that you've written it correctly",
+    "dns_test_parsing_error_toast": "Section {{section}}: line {{line}}: could not be used, please check that you've written it correctly",
     "dns_test_warning_toast": "Upstream \"{{key}}\" does not respond to test requests and may not work properly",
     "unblock": "Unblock",
     "block": "Block",
@@ -243,6 +244,7 @@
     "allow_this_client": "Allow this client",
     "block_for_this_client_only": "Block for this client only",
     "unblock_for_this_client_only": "Unblock for this client only",
+    "add_persistent_client": "Add as persistent client",
     "time_table_header": "Time",
     "date": "Date",
     "domain_name_table_header": "Domain name",
@@ -465,6 +467,7 @@
     "form_add_id": "Add identifier",
     "form_client_name": "Enter client name",
     "name": "Name",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Use global settings",
     "client_deleted": "Client \"{{key}}\" successfully deleted",
     "client_added": "Client \"{{key}}\" successfully added",
@@ -675,7 +678,7 @@
     "use_saved_key": "Use the previously saved key",
     "parental_control": "Parental Control",
     "safe_browsing": "Safe Browsing",
-    "served_from_cache": "{{value}} <i>(served from cache)</i>",
+    "served_from_cache_label": "Served from cache",
     "form_error_password_length": "Password must be {{min}} to {{max}} characters long",
     "anonymizer_notification": "<0>Note:</0> IP anonymization is enabled. You can disable it in <1>General settings</1>.",
     "confirm_dns_cache_clear": "Are you sure you want to clear DNS cache?",

client/src/__locales/es.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Servidores DNS de subida guardados correctamente",
     "dns_test_ok_toast": "Los servidores DNS especificados funcionan correctamente",
     "dns_test_not_ok_toast": "Servidor \"{{key}}\": no se puede utilizar, por favor revisa si lo has escrito correctamente",
+    "dns_test_parsing_error_toast": "No se pudo utilizar la sección {{section}}: línea {{line}}:, verifica si la escribiste correctamente",
     "dns_test_warning_toast": "DNS de subida \"{{key}}\" no responde a las peticiones de prueba y es posible que no funcione correctamente",
     "unblock": "Desbloquear",
     "block": "Bloquear",
@@ -243,6 +244,7 @@
     "allow_this_client": "Permitir a este cliente",
     "block_for_this_client_only": "Bloquear solo para este cliente",
     "unblock_for_this_client_only": "Desbloquear solo para este cliente",
+    "add_persistent_client": "Añadir como cliente persistente",
     "time_table_header": "Hora",
     "date": "Fecha",
     "domain_name_table_header": "Nombre del dominio",
@@ -465,6 +467,7 @@
     "form_add_id": "Añadir identificador",
     "form_client_name": "Ingresa el nombre del cliente",
     "name": "Nombre",
+    "client_name": "Cliente {{id}}",
     "client_global_settings": "Usar configuración global",
     "client_deleted": "Cliente \"{{key}}\" eliminado correctamente",
     "client_added": "Cliente \"{{key}}\" añadido correctamente",
@@ -675,7 +678,7 @@
     "use_saved_key": "Usar la clave guardada previamente",
     "parental_control": "Control parental",
     "safe_browsing": "Navegación segura",
-    "served_from_cache": "{{value}} <i>(servido desde la caché)</i>",
+    "served_from_cache_label": "Servido desde la caché",
     "form_error_password_length": "La contraseña debe tener entre {{min}} y {{max}} caracteres",
     "anonymizer_notification": "<0>Nota:</0> La anonimización de IP está habilitada. Puedes deshabilitarla en <1>Configuración general</1>.",
     "confirm_dns_cache_clear": "¿Estás seguro de que deseas borrar la caché DNS?",

client/src/__locales/fa.json

@@ -220,6 +220,7 @@
     "updated_upstream_dns_toast": "سرورهای DNS جریان ارسالی بروز رسانی شده است",
     "dns_test_ok_toast": "سرورهای DNS تعیین شده بدرستی کار می کنند",
     "dns_test_not_ok_toast": "سرور \"{{key}}\": نمیتواند مورد استفاده قرار گیرد،لطفا بررسی کنید آن را بدرستی نوشته اید",
+    "dns_test_parsing_error_toast": "بخش {{section}}: خط {{line}}: نمی‌تواند مورد استفاده قرار گیرد،لطفا بررسی کنید آن را به‌درستی نوشته‌اید",
     "unblock": "رفع انسداد",
     "block": "مسدود کردن",
     "disallow_this_client": "این مشتری را رد کنید",
@@ -420,6 +421,7 @@
     "form_add_id": "افزودن احرازکننده",
     "form_client_name": "نام کلاینت را وارد کنید",
     "name": "نام",
+    "client_name": "مشتری {{id}}",
     "client_global_settings": "استفاده از تنظیمات سراسری",
     "client_deleted": "کلاینت \"{{key}}\" را با موفقیت حذف کرد",
     "client_added": "کلاینت \"{{key}}\" را با موفقیت اضافه کرد",

client/src/__locales/fi.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Ylävirtapalvelimet tallennettiin",
     "dns_test_ok_toast": "Määritetyt DNS-palvelimet toimivat oikein",
     "dns_test_not_ok_toast": "Palvelin \"{{key}}\": Ei voitu käyttää, tarkista oikeinkirjoitus",
+    "dns_test_parsing_error_toast": "Osio {{section}}: rivi {{line}}: Ei voitu käyttää, tarkista oikeinkirjoitus",
     "dns_test_warning_toast": "Datavuon \"{{key}}\" ei vastaa testipyyntöihin eikä välttämättä toimi kunnolla",
     "unblock": "Salli",
     "block": "Estä",
@@ -243,6 +244,7 @@
     "allow_this_client": "Salli tämä päätelaite",
     "block_for_this_client_only": "Estä vain tältä päätelaitteelta",
     "unblock_for_this_client_only": "Salli vain tälle päätelaitteelle",
+    "add_persistent_client": "Lisää pysyvänä päätelaitteena",
     "time_table_header": "Aika",
     "date": "Päiväys",
     "domain_name_table_header": "Verkkotunnus",
@@ -446,7 +448,7 @@
     "manual_update": "Seuraa <a>näitä ohjeita</a> päivittääksesi manuaalisesti.",
     "processing_update": "Odota kun AdGuard Home päivittyy",
     "clients_title": "Pysyvät päätelaitteet",
-    "clients_desc": "Määritä pysyvät AdGuard Homeen yhdistetyt päätelaitetiedot.",
+    "clients_desc": "Määritä AdGuard Homeen pysyvästi yhdistettyjen päätelaitteiden tiedot.",
     "settings_global": "Yleinen",
     "settings_custom": "Mukautettu",
     "table_client": "Asiakas",
@@ -465,6 +467,7 @@
     "form_add_id": "Lisää tunniste",
     "form_client_name": "Syötä päätelaitteen nimi",
     "name": "Nimi",
+    "client_name": "Päätelaite {{id}}",
     "client_global_settings": "Käytä yleisiä asetuksia",
     "client_deleted": "Päätelaite \"{{key}}\" poistettiin",
     "client_added": "Päätelaite \"{{key}}\" lisättiin",

client/src/__locales/fr.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Serveurs en amont enregistrés",
     "dns_test_ok_toast": "Les serveurs DNS spécifiés fonctionnent correctement",
     "dns_test_not_ok_toast": "Impossible d'utiliser le serveur « {{key}} »: veuillez vérifier si le nom saisi est bien correct",
+    "dns_test_parsing_error_toast": "La section {{section}}: ligne {{line}}: n'a pas pu être utilisée, veuillez vérifier que vous l'avez écrite correctement",
     "dns_test_warning_toast": "L'amont « {{key}} » ne répond pas aux demandes de test et peut ne pas fonctionner correctement",
     "unblock": "Débloquer",
     "block": "Bloquer",
@@ -243,6 +244,7 @@
     "allow_this_client": "Autoriser ce client",
     "block_for_this_client_only": "Bloquer uniquement pour ce client",
     "unblock_for_this_client_only": "Débloquer uniquement pour ce client",
+    "add_persistent_client": "Ajouter comme client persistant",
     "time_table_header": "Temps",
     "date": "Date",
     "domain_name_table_header": "Nom de domaine",
@@ -465,6 +467,7 @@
     "form_add_id": "Ajouter identifiant",
     "form_client_name": "Saisissez le nom du client",
     "name": "Nom",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Utiliser les paramètres généraux",
     "client_deleted": "Le client « {{key}} » a été supprimé",
     "client_added": "Le client « {{key}} » a été ajouté",
@@ -675,7 +678,7 @@
     "use_saved_key": "Utiliser la clef précédemment enregistrée",
     "parental_control": "Contrôle parental",
     "safe_browsing": "Navigation sécurisée",
-    "served_from_cache": "{{value}} <i>(depuis le cache)</i>",
+    "served_from_cache_label": "Servi depuis le cache",
     "form_error_password_length": "Le mot de passe doit comporter entre {{min}} et {{max}}  caractères",
     "anonymizer_notification": "<0>Note :</0> L'anonymisation IP est activée. Vous pouvez la désactiver dans les <1>paramètres généraux</1>.",
     "confirm_dns_cache_clear": "Voulez-vous vraiment vider le cache DNS ?",

client/src/__locales/hr.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Uzvodni poslužitelji uspješno su spremljeni",
     "dns_test_ok_toast": "Odabrani DNS poslužitelji su trenutno aktivni",
     "dns_test_not_ok_toast": "\"{{key}}\" poslužitelja: ne može se upotrijebiti, provjerite jeste li to ispravno napisali",
+    "dns_test_parsing_error_toast": "Odjeljak {{section}}: redak {{line}}: nije moguće koristiti, provjerite jeste li ispravno napisali",
     "dns_test_warning_toast": "Upstream \"{{key}}\" ne odgovara na zahtjeve za testiranje i možda neće raditi ispravno",
     "unblock": "Odblokiraj",
     "block": "Blokiraj",
@@ -243,6 +244,7 @@
     "allow_this_client": "Omogući ovog klijenta",
     "block_for_this_client_only": "Blokiraj samo za ovog klijenta",
     "unblock_for_this_client_only": "Odblokiraj samo za ovog klijenta",
+    "add_persistent_client": "Dodaj u spremljene klijente",
     "time_table_header": "Vrijeme",
     "date": "Datum",
     "domain_name_table_header": "Naziv domene",
@@ -462,6 +464,7 @@
     "form_add_id": "Dodaj identifikator",
     "form_client_name": "Unesite naziv klijenta",
     "name": "Naziv",
+    "client_name": "Klijent {{id}}",
     "client_global_settings": "Koristi globalne postavke",
     "client_deleted": "Klijent \"{{key}}\" je uspješno uklonjen",
     "client_added": "Klijent \"{{key}}\" je uspješno dodan",

client/src/__locales/hu.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream szerverek sikeresen mentve",
     "dns_test_ok_toast": "A megadott DNS-kiszolgálók megfelelően működnek",
     "dns_test_not_ok_toast": "Szerver \"{{key}}\": nem használható, ellenőrizze, hogy helyesen írta-e be",
+    "dns_test_parsing_error_toast": "Szekció {{section}}: sor {{line}}: nem használható, ellenőrizze, hogy helyesen írta-e be",
     "dns_test_warning_toast": "A \"{{key}}\" feltöltés nem válaszol a tesztkérelmekre, és lehet, hogy nem működik megfelelően",
     "unblock": "Feloldás",
     "block": "Blokkolás",
@@ -243,6 +244,7 @@
     "allow_this_client": "Engedélyezés ennek a kliensnek",
     "block_for_this_client_only": "Tiltás csak ennek a kliensnek",
     "unblock_for_this_client_only": "Feloldás csak ennek a kliensnek",
+    "add_persistent_client": "Hozzáadás állandó ügyfélként",
     "time_table_header": "Idő",
     "date": "Dátum",
     "domain_name_table_header": "Domain név",
@@ -462,6 +464,7 @@
     "form_add_id": "Azonosító hozzáadása",
     "form_client_name": "Adja meg a kliens nevét",
     "name": "Név",
+    "client_name": "Ügyfél {{id}}",
     "client_global_settings": "Globális beállítások használata",
     "client_deleted": "A(z) \"{{key}}\" kliens sikeresen el lett távolítva",
     "client_added": "A(z) \"{{key}}\" kliens sikeresen hozzá lett adva",

client/src/__locales/id.json

@@ -224,10 +224,10 @@
     "example_upstream_regular": "DNS reguler (melalui UDP);",
     "example_upstream_regular_port": "DNS biasa (lebih dari UDP, dengan port);",
     "example_upstream_udp": "DNS biasa (lebih dari UDP, nama host);",
-    "example_upstream_dot": "terenkripsi <0>DNS-over-TLS</0>;",
-    "example_upstream_doh": "terenkripsi <0>DNS-over-HTTPS</0>;",
-    "example_upstream_doh3": "DNS-over-HTTPS terenkripsi dengan paksa <0>HTTP/3</0> dan tidak ada fallback ke HTTP/2 atau lebih rendah;",
-    "example_upstream_doq": "terenkripsi <0>DNS-over-QUIC</0>;",
+    "example_upstream_dot": "<0>DNS melalui TLS</0> terenkripsi;",
+    "example_upstream_doh": "<0>DNS melalui HTTPS</0> terenkripsi;",
+    "example_upstream_doh3": "DNS melalui HTTPS terenkripsi dengan <0>HTTP/3</0> secara paksa dan tidak ada cadangan ke HTTP/2 atau lebih rendah;",
+    "example_upstream_doq": "<0>DNS melalui QUIC</0> terenkripsi;",
     "example_upstream_sdns": "<0>Stempel DNS</0> untuk <1>DNSCrypt</1> atau pengarah <2>DNS-over-HTTPS</2>;",
     "example_upstream_tcp": "DNS reguler (melalui TCP);",
     "example_upstream_tcp_port": "DNS biasa (melalui TCP, dengan port);",
@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Server upstream berhasil disimpan",
     "dns_test_ok_toast": "Server DNS yang ditentukan bekerja dengan benar",
     "dns_test_not_ok_toast": "Server \"{{key}}\": tidak dapat digunakan, mohon cek bahwa Anda telah menulisnya dengan benar",
+    "dns_test_parsing_error_toast": "Bagian {{section}}: baris {{line}}: tidak dapat digunakan, mohon cek bahwa Anda telah menulisnya dengan benar",
     "dns_test_warning_toast": "Upstream \"{{key}}\" tidak menanggapi permintaan pengujian dan mungkin tidak berfungsi dengan baik",
     "unblock": "Buka Blokir",
     "block": "Blok",
@@ -243,6 +244,7 @@
     "allow_this_client": "Ijinkan klien ini",
     "block_for_this_client_only": "Blok hanya untuk klien ini",
     "unblock_for_this_client_only": "Jangan diblok hanya untuk klien ini",
+    "add_persistent_client": "Tambahkan sebagai klien persisten",
     "time_table_header": "Waktu",
     "date": "Tanggal",
     "domain_name_table_header": "Nama domain",
@@ -289,7 +291,7 @@
     "custom_ip": "Custom IP",
     "blocking_ipv4": "Blokiran IPv4",
     "blocking_ipv6": "Blokiran IPv6",
-    "blocked_response_ttl": "TTL Respons yang diblokir",
+    "blocked_response_ttl": "Respons TTL yang diblokir",
     "blocked_response_ttl_desc": "Menentukan berapa detik klien harus menyimpan respons yang difilter dalam cache",
     "form_enter_blocked_response_ttl": "Masukkan TTL respons yang diblokir (detik)",
     "dnscrypt": "DNSCrypt",
@@ -424,7 +426,7 @@
     "encryption_reset": "Anda yakin ingin mengatur ulang pengaturan enkripsi?",
     "encryption_warning": "Peringatan",
     "encryption_plain_dns_enable": "Aktifkan DNS biasa",
-    "encryption_plain_dns_desc": "DNS Biasa diaktifkan secara standar. Anda dapat menonaktifkannya untuk memaksa semua perangkat menggunakan DNS terenkripsi. Untuk melakukan ini, Anda harus mengaktifkan setidaknya satu protokol DNS terenkripsi",
+    "encryption_plain_dns_desc": "DNS biasa diaktifkan secara standar. Anda dapat menonaktifkannya untuk memaksa semua perangkat menggunakan DNS terenkripsi. Untuk melakukan ini, Anda harus mengaktifkan setidaknya satu protokol DNS terenkripsi",
     "encryption_plain_dns_error": "Untuk menonaktifkan DNS biasa, aktifkan setidaknya satu protokol DNS terenkripsi",
     "topline_expiring_certificate": "Sertifikat SSL Anda hampir kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
     "topline_expired_certificate": "Sertifikat SSL Anda kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
@@ -442,7 +444,7 @@
     "fix": "Perbaiki",
     "dns_providers": "Berikut adalah <0>daftar penyedia DNS yang dikenal</0> untuk dipilih.",
     "update_now": "Perbarui sekarang",
-    "update_failed": "Pembaruan otomatis gagal. Silahkan <a>ikuti petunjuk ini</a> untuk perbarui secara manual.",
+    "update_failed": "Pembaruan otomatis gagal. Silakan <a>ikuti langkah-langkah berikut</a> untuk memperbarui secara manual.",
     "manual_update": "Silakan <a>mengikuti langkah berikut</a> untuk memperbarui secara manual.",
     "processing_update": "Silahkan tunggu, AdGuard Home sedang diperbarui",
     "clients_title": "Klien yang gigih",
@@ -465,6 +467,7 @@
     "form_add_id": "Tambahkan pengenal",
     "form_client_name": "Masukkan nama klien",
     "name": "Nama",
+    "client_name": "Klien {{id}}",
     "client_global_settings": "Gunakan pengaturan global",
     "client_deleted": "Klien \"{{key}}\" berhasil dihapus",
     "client_added": "Klien \"{{key}}\" berhasil ditambahkan",
@@ -545,7 +548,7 @@
     "domain": "Domain",
     "ecs": "ECS",
     "punycode": "Kode kecil",
-    "answer": "Jawab",
+    "answer": "Jawaban",
     "filter_added_successfully": "Filter telah berhasil ditambahkan",
     "filter_removed_successfully": "Daftar ini telah sukses dihapus",
     "filter_updated": "Daftar telah sukses diperbarui",
@@ -679,7 +682,7 @@
     "form_error_password_length": "Kata sandi harus terdiri dari {{min}} hingga {{max}}",
     "anonymizer_notification": "<0>Catatan:</0> Anonimisasi IP diaktifkan. Anda dapat menonaktifkannya di <1>Pengaturan umum</1> .",
     "confirm_dns_cache_clear": "Apakah Anda yakin ingin menghapus cache DNS?",
-    "cache_cleared": "Cache DNS berhasil dibersihkan",
+    "cache_cleared": "Cache DNS berhasil dihapus",
     "clear_cache": "Hapus cache",
     "make_static": "Jadikan statis",
     "theme_auto_desc": "Otomatis (berdasarkan skema warna perangkat anda)",

client/src/__locales/it.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "I server upstream sono stati salvati correttamente",
     "dns_test_ok_toast": "I server DNS specificati funzionano correttamente",
     "dns_test_not_ok_toast": "Server \"{{key}}\": non può essere utilizzato, assicurati di averlo digitato correttamente",
+    "dns_test_parsing_error_toast": "Sezione {{section}}: riga {{line}}: non può essere usata, controlla se l'hai scritta correttamente",
     "dns_test_warning_toast": "Upstream \"{{key}}\" non risponde alle richieste di test e potrebbe non funzionare correttamente",
     "unblock": "Sblocca",
     "block": "Blocca",
@@ -243,6 +244,7 @@
     "allow_this_client": "Consenti questo client",
     "block_for_this_client_only": "Blocca solo per questo client",
     "unblock_for_this_client_only": "Sblocca solo per questo client",
+    "add_persistent_client": "Aggiungi come client persistente",
     "time_table_header": "Ora",
     "date": "Data",
     "domain_name_table_header": "Nome dominio",
@@ -465,6 +467,7 @@
     "form_add_id": "Aggiungi identificatore",
     "form_client_name": "Inserisci nome client",
     "name": "Nome",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Utilizza le impostazioni globali",
     "client_deleted": "Client \"{{key}}\" eliminato correttamente",
     "client_added": "Client \"{{key}}\" aggiunto correttamente",
@@ -675,7 +678,7 @@
     "use_saved_key": "Utilizza la chiave salvata in precedenza",
     "parental_control": "Controllo Parentale",
     "safe_browsing": "Navigazione Sicura",
-    "served_from_cache": "{{value}} <i>(fornito dalla cache)</i>",
+    "served_from_cache_label": "Servito dalla cache",
     "form_error_password_length": "La password deve contenere da {{min}} a {{max}} caratteri",
     "anonymizer_notification": "<0>Attenzione:</0> L'anonimizzazione dell'IP è abilitata. Puoi disabilitarla in <1>Impostazioni generali</1>.",
     "confirm_dns_cache_clear": "Sei sicuro di voler cancellare la cache DNS?",

client/src/__locales/ja.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "アップストリームサーバーを保存しました。",
     "dns_test_ok_toast": "指定されたDNSサーバは正しく動作しています",
     "dns_test_not_ok_toast": "サーバ \"{{key}}\": 使用できませんでした。正しく入力されているかどうかを確認してください",
+    "dns_test_parsing_error_toast": "セクション {{section}}: 行 {{line}}: を使用できませんでした。正しく記述されているか確認してください",
     "dns_test_warning_toast": "アップストリーム\"{{key}}\"はテストリクエストに応答せず、正しく動作しない可能性があります。",
     "unblock": "ブロック解除",
     "block": "ブロック",
@@ -243,6 +244,7 @@
     "allow_this_client": "このクライアントを許可する",
     "block_for_this_client_only": "このクライアントに対してのみブロックする",
     "unblock_for_this_client_only": "このクライアントに対してのみブロックを解除する",
+    "add_persistent_client": "永続クライアントとして追加する",
     "time_table_header": "時刻",
     "date": "購入日時",
     "domain_name_table_header": "ドメイン名",
@@ -465,6 +467,7 @@
     "form_add_id": "識別子を追加する",
     "form_client_name": "クライアント名を入力してください",
     "name": "名前",
+    "client_name": "クライアント {{id}}",
     "client_global_settings": "グローバル設定を使用する",
     "client_deleted": "クライアント \"{{key}}\" の削除に成功しました",
     "client_added": "クライアント \"{{key}}\" の追加に成功しました",
@@ -675,7 +678,7 @@
     "use_saved_key": "以前に保存したキーを使用する",
     "parental_control": "ペアレンタルコントロール",
     "safe_browsing": "セーフブラウジング",
-    "served_from_cache": "{{value}} <i>(キャッシュから応答)</i>",
+    "served_from_cache_label": "キャッシュからの配信:",
     "form_error_password_length": "パスワードの長さは{{min}}〜{{max}}文字にしてください。",
     "anonymizer_notification": "【<0>注意</0>】IPの匿名化が有効になっています。 <1>一般設定</1>で無効にできます。",
     "confirm_dns_cache_clear": "DNS キャッシュをクリアしてもよろしいですか？",

client/src/__locales/ko.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "업스트림 서버가 성공적으로 저장되었습니다",
     "dns_test_ok_toast": "지정된 DNS 서버가 올바르게 작동하고 있습니다.",
     "dns_test_not_ok_toast": "서버 '{{key}}': 사용할 수 없습니다, 제대로 작성했는지 확인하세요",
+    "dns_test_parsing_error_toast": "섹션 {{section}}: 줄 {{line}}: 사용할 수 없으며, 올바르게 작성했는지 확인하세요.",
     "dns_test_warning_toast": "업스트림 '{{key}}'이(가) 테스트 요청에 응답하지 않으며 제대로 작동하지 않을 수 있습니다",
     "unblock": "차단 해제",
     "block": "차단",
@@ -243,6 +244,7 @@
     "allow_this_client": "클라이언트 허용",
     "block_for_this_client_only": "이 클라이언트에 대해서만 차단",
     "unblock_for_this_client_only": "이 클라이언트에 대해서만 차단 해제",
+    "add_persistent_client": "저장된 클라이언트에 추가",
     "time_table_header": "시간",
     "date": "날짜",
     "domain_name_table_header": "도메인명",
@@ -465,6 +467,7 @@
     "form_add_id": "식별자 추가",
     "form_client_name": "클라이언트 이름 입력",
     "name": "이름",
+    "client_name": "클라이언트 {{id}}",
     "client_global_settings": "글로벌 설정 사용",
     "client_deleted": "클라이언트 '{{key}}'이(가) 정상적으로 삭제되었습니다",
     "client_added": "클라이언트 '{{key}}'이(가) 정상적으로 추가되었습니다",
@@ -675,7 +678,7 @@
     "use_saved_key": "이전에 저장했던 키 사용하기",
     "parental_control": "자녀 보호",
     "safe_browsing": "세이프 브라우징",
-    "served_from_cache": "{{value}} <i>(캐시에서 제공)</i>",
+    "served_from_cache_label": "캐시에서 가져옴",
     "form_error_password_length": "비밀번호는 {{min}}~{{max}}자 길이여야 합니다.",
     "anonymizer_notification": "<0>참고:</0> IP 익명화가 활성화되었습니다. <1>일반 설정</1>에서 비활성화할 수 있습니다.",
     "confirm_dns_cache_clear": "정말로 DNS 캐시를 지우시겠습니까?",

client/src/__locales/nl.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream-servers succesvol opgeslagen",
     "dns_test_ok_toast": "Opgegeven DNS-servers werken correct",
     "dns_test_not_ok_toast": "Server \"{{key}}\": kon niet worden gebruikt, controleer of je het correct hebt geschreven",
+    "dns_test_parsing_error_toast": "Sectie {{section}}: regel {{line}}: kan niet worden gebruikt. Controleer of je het correct hebt geschreven",
     "dns_test_warning_toast": "Upstream \"{{key}}\" reageert niet op testverzoeken en werkt mogelijk niet goed",
     "unblock": "Deblokkeren",
     "block": "Blokkeren",
@@ -243,6 +244,7 @@
     "allow_this_client": "Toepassing/systeem toelaten",
     "block_for_this_client_only": "Alleen voor deze cliënt blokkeren",
     "unblock_for_this_client_only": "Alleen voor deze cliënt deblokkeren",
+    "add_persistent_client": "Toevoegen als permanente client",
     "time_table_header": "Tijd",
     "date": "Datum",
     "domain_name_table_header": "Domein naam",
@@ -465,6 +467,7 @@
     "form_add_id": "ID toevoegen",
     "form_client_name": "Vul gebruikersnaam in",
     "name": "Naam",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Gebruik globale instelling",
     "client_deleted": "Gebruiker \"{{key}}\" met succes verwijderd",
     "client_added": "Gebruiker \"{{key}}\" met succes toegevoegd",
@@ -675,7 +678,7 @@
     "use_saved_key": "De eerder opgeslagen sleutel gebruiken",
     "parental_control": "Ouderlijk toezicht",
     "safe_browsing": "Veilig browsen",
-    "served_from_cache": "{{value}} <i>(geleverd vanuit cache)</i>",
+    "served_from_cache_label": "Geleverd vanuit cache",
     "form_error_password_length": "Wachtwoord moet {{min}} tot {{max}} tekens lang zijn",
     "anonymizer_notification": "<0>Opmerking:</0> IP-anonimisering is ingeschakeld. Je kunt het uitschakelen in <1>Algemene instellingen</1>.",
     "confirm_dns_cache_clear": "Weet je zeker dat je de DNS-cache wilt wissen?",

client/src/__locales/no.json

@@ -212,6 +212,7 @@
     "updated_upstream_dns_toast": "Oppdaterte oppstrøms-DNS-tjenerne",
     "dns_test_ok_toast": "De spesifiserte DNS-tjenerne fungerer riktig",
     "dns_test_not_ok_toast": "Tjeneren «{{key}}» kunne ikke brukes, vennligst dobbeltsjekk at du har skrevet den riktig",
+    "dns_test_parsing_error_toast": "Seksjon {{section}}: linje {{line}}: kunne ikke brukes, vennligst sjekk at du har skrevet det riktig",
     "unblock": "Tillat",
     "block": "Blokker",
     "disallow_this_client": "Ikke tillat denne klienten",

client/src/__locales/pl.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Serwery nadrzędne zostały pomyślnie zapisane",
     "dns_test_ok_toast": "Określone serwery DNS działają poprawnie",
     "dns_test_not_ok_toast": "Serwer \"{{key}}\": nie może być użyte, sprawdź, czy zapisano go poprawnie",
+    "dns_test_parsing_error_toast": "Sekcja {{section}}: linia {{line}}: nie może być użyte, sprawdź, czy zapisano go poprawnie",
     "dns_test_warning_toast": "Upstream \"{{key}}\" nie odpowiada na zapytania testowe i może nie działać prawidłowo",
     "unblock": "Odblokuj",
     "block": "Zablokuj",
@@ -243,6 +244,7 @@
     "allow_this_client": "Pozwól temu klientowi",
     "block_for_this_client_only": "Zablokuj tylko tego klienta",
     "unblock_for_this_client_only": "Odblokuj tylko tego klienta",
+    "add_persistent_client": "Dodaj do zapisanych klientów",
     "time_table_header": "Czas",
     "date": "Data",
     "domain_name_table_header": "Nazwa domeny",
@@ -423,6 +425,9 @@
     "encryption_hostnames": "Nazwy hostów",
     "encryption_reset": "Czy na pewno chcesz zresetować ustawienia szyfrowania?",
     "encryption_warning": "Ostrzeżenie",
+    "encryption_plain_dns_enable": "Włącz zwykły DNS",
+    "encryption_plain_dns_desc": "Zwykły DNS jest domyślnie włączony. Możesz go wyłączyć, aby zmusić wszystkie urządzenia do korzystania z szyfrowanego DNS. Aby to zrobić, musisz włączyć co najmniej jeden szyfrowany protokół DNS",
+    "encryption_plain_dns_error": "Aby wyłączyć zwykły DNS, włącz co najmniej jeden szyfrowany protokół DNS",
     "topline_expiring_certificate": "Twój certyfikat SSL wkrótce wygaśnie. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
     "topline_expired_certificate": "Twój certyfikat SSL wygasł. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
     "form_error_port_range": "Wpisz numer portu z zakresu 80-65535",
@@ -462,6 +467,7 @@
     "form_add_id": "Dodaj identyfikator",
     "form_client_name": "Wpisz nazwę klienta",
     "name": "Nazwa",
+    "client_name": "Klient {{id}}",
     "client_global_settings": "Użyj ustawień globalnych",
     "client_deleted": "Klient \"{{key}}\" został pomyślnie usunięty",
     "client_added": "Klient \"{{key}}\" został pomyślnie dodany",

client/src/__locales/pt-br.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Servidores DNS primário salvos com sucesso",
     "dns_test_ok_toast": "Os servidores DNS especificados estão funcionando corretamente",
     "dns_test_not_ok_toast": "O servidor \"{{key}}\": não pôde ser utilizado. Por favor, verifique se você escreveu corretamente",
+    "dns_test_parsing_error_toast": "A seção {{section}}: linha {{line}}: não pôde ser usada. Verifique se foi escrita corretamente",
     "dns_test_warning_toast": "Servidor DNS primário \"{{key}}\" não responde aos Solicitações de teste e pode não funcionar corretamente",
     "unblock": "Desbloquear",
     "block": "Bloquear",
@@ -243,6 +244,7 @@
     "allow_this_client": "Permitir este cliente",
     "block_for_this_client_only": "Bloquear apenas para este cliente",
     "unblock_for_this_client_only": "Desbloquear apenas para este cliente",
+    "add_persistent_client": "Adicionar como cliente persistente",
     "time_table_header": "Data",
     "date": "Data",
     "domain_name_table_header": "Nome de domínio",
@@ -465,6 +467,7 @@
     "form_add_id": "Adicionar identificador",
     "form_client_name": "Digite o nome do cliente",
     "name": "Nome",
+    "client_name": "Cliente {{id}}",
     "client_global_settings": "Usar configurações global",
     "client_deleted": "Cliente \"{{key}}\" excluído com sucesso",
     "client_added": "Cliente \"{{key}}\" adicionado com sucesso",
@@ -675,7 +678,7 @@
     "use_saved_key": "Use a chave salva anteriormente",
     "parental_control": "Controle parental",
     "safe_browsing": "Navegação segura",
-    "served_from_cache": "{{value}} <i>(servido do cache)</i>",
+    "served_from_cache_label": "Servido a partir do cache",
     "form_error_password_length": "A senha deve ter entre {{min}} e {{max}} caracteres",
     "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-lo em <1>Configurações gerais</1>.",
     "confirm_dns_cache_clear": "Tem certeza de que deseja limpar o cache DNS?",

client/src/__locales/pt-pt.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Servidores DNS primário guardados com sucesso",
     "dns_test_ok_toast": "Os servidores DNS especificados estão a funcionar corretamente",
     "dns_test_not_ok_toast": "O servidor \"{{key}}\": não pôde ser utilizado. Por favor, verifique se o escreveu corretamente",
+    "dns_test_parsing_error_toast": "A seção {{section}}: linha {{line}}: não pôde ser usada. Verifique se foi escrita corretamente",
     "dns_test_warning_toast": "Servidor DNS primário \"{{key}}\" não responde aos solicitações de teste e pode não funcionar corretamente",
     "unblock": "Desbloquear",
     "block": "Bloquear",
@@ -243,6 +244,7 @@
     "allow_this_client": "Permitir este cliente",
     "block_for_this_client_only": "Bloquear apenas para este cliente",
     "unblock_for_this_client_only": "Desbloquear apenas para este cliente",
+    "add_persistent_client": "Adicionar como cliente persistente",
     "time_table_header": "Data",
     "date": "Data",
     "domain_name_table_header": "Nome do domínio",
@@ -465,6 +467,7 @@
     "form_add_id": "Adicionar identificador",
     "form_client_name": "Insira o nome do cliente",
     "name": "Nome",
+    "client_name": "Cliente {{id}}",
     "client_global_settings": "Usar definições globais",
     "client_deleted": "Cliente \"{{key}}\" excluído com sucesso",
     "client_added": "Cliente \"{{key}}\" adicionado com sucesso",
@@ -675,7 +678,7 @@
     "use_saved_key": "Use a chave guardada anteriormente",
     "parental_control": "Controlo parental",
     "safe_browsing": "Navegação segura",
-    "served_from_cache": "{{value}} <i>(servido do cache)</i>",
+    "served_from_cache_label": "Servido a partir do cache",
     "form_error_password_length": "A palavra-passe deve ter {{min}} a {{max}} caracteres",
     "anonymizer_notification": "<0>Observação:</0> A anonimização de IP está ativada. Você pode desativá-la em <1>Definições gerais</1>.",
     "confirm_dns_cache_clear": "Tem certeza de que quer limpar a cache DNS?",

client/src/__locales/ro.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Serverele din amonte au fost salvate cu succes",
     "dns_test_ok_toast": "Serverele DNS specificate funcționează corect",
     "dns_test_not_ok_toast": "Serverul \"{{key}}\": nu a putut fi utilizat, verificați dacă l-ați scris corect",
+    "dns_test_parsing_error_toast": "Secțiune {{section}}: linie {{line}}: nu a putut fi folosit, vă rugăm să verificați dacă l-ați scris corect",
     "dns_test_warning_toast": "„{{key}}” în amonte nu răspunde la solicitările de testare și s-ar putea să nu funcționeze corect",
     "unblock": "Deblocați",
     "block": "Blocați",
@@ -243,6 +244,7 @@
     "allow_this_client": "Permiteți acest client",
     "block_for_this_client_only": "Blocați numai pentru acest client",
     "unblock_for_this_client_only": "Deblocați numai pentru acest client",
+    "add_persistent_client": "Adăugați ca client persistent",
     "time_table_header": "Ora",
     "date": "Data",
     "domain_name_table_header": "Nume domeniu",
@@ -462,6 +464,7 @@
     "form_add_id": "Adăugați identificator",
     "form_client_name": "Introduceți nume client",
     "name": "Nume",
+    "client_name": "Client {{id}}",
     "client_global_settings": "Folosiți setări globale",
     "client_deleted": "Clientul \"{{key}}\" a fost șters cu succes",
     "client_added": "Clientul \"{{key}}\" a fost adăugat cu succes",

client/src/__locales/ru.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "DNS-серверы успешно обновлены",
     "dns_test_ok_toast": "Указанные серверы DNS работают корректно",
     "dns_test_not_ok_toast": "Сервер «{{key}}»: невозможно использовать, проверьте правильность написания",
+    "dns_test_parsing_error_toast": "Раздел {{section}}: строка {{line}}: невозможно использовать, проверьте правильность написания",
     "dns_test_warning_toast": "Upstream «{{key}}» не отвечает на тестовые запросы и может работать некорректно",
     "unblock": "Разблокировать",
     "block": "Заблокировать",
@@ -243,6 +244,7 @@
     "allow_this_client": "Разрешить доступ клиенту",
     "block_for_this_client_only": "Заблокировать только для этого клиента",
     "unblock_for_this_client_only": "Разблокировать только для этого клиента",
+    "add_persistent_client": "Добавить в сохранённые клиенты",
     "time_table_header": "Время",
     "date": "Дата",
     "domain_name_table_header": "Домен",
@@ -465,6 +467,7 @@
     "form_add_id": "Добавить идентификатор",
     "form_client_name": "Введите имя клиента",
     "name": "Имя",
+    "client_name": "Клиент {{id}}",
     "client_global_settings": "Использовать глобальные настройки",
     "client_deleted": "Клиент «{{key}}» успешно удалён",
     "client_added": "Клиент «{{key}}» успешно добавлен",
@@ -675,7 +678,7 @@
     "use_saved_key": "Использовать сохранённый ранее ключ",
     "parental_control": "Родительский контроль",
     "safe_browsing": "Безопасный интернет",
-    "served_from_cache": "{{value}} <i>(получено из кеша)</i>",
+    "served_from_cache_label": "Получено из кеша",
     "form_error_password_length": "Пароль должен содержать от {{min}} до {{max}} символов",
     "anonymizer_notification": "<0>Внимание:</0> включена анонимизация IP-адресов. Вы можете отключить её в разделе <1>Основные настройки</1>.",
     "confirm_dns_cache_clear": "Вы уверены, что хотите очистить кеш DNS?",

client/src/__locales/sk.json

@@ -26,7 +26,7 @@
     "enabled_dhcp": "DHCP server zapnutý",
     "disabled_dhcp": "DHCP server vypnutý",
     "unavailable_dhcp": "DHCP nie je dostupné",
-    "unavailable_dhcp_desc": "AdGuard Home nemôže vo vašom OS prevádzkovať DHCP server",
+    "unavailable_dhcp_desc": "AdGuard Home nemôže vo Vašom OS prevádzkovať DHCP server",
     "dhcp_title": "DHCP server (experimentálne!)",
     "dhcp_description": "Ak Váš smerovač neposkytuje možnosť nastaviť DHCP, môžete použiť vlastný zabudovaný DHCP server AdGuard.",
     "dhcp_enable": "Zapnúť DHCP server",
@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream servery boli úspešne uložené",
     "dns_test_ok_toast": "Špecifikované DNS servery pracujú korektne",
     "dns_test_not_ok_toast": "Server \"{{key}}\": nemohol byť použitý, skontrolujte, či ste ho správne napísali",
+    "dns_test_parsing_error_toast": "Sekcia {{section}}: riadok {{line}}: nepodarilo sa použiť, skontrolujte, či ste ho napísali správne",
     "dns_test_warning_toast": "Upstream \"{{key}}\" neodpovedá na testovacie dopyty a nemusí fungovať správne",
     "unblock": "Odblokovať",
     "block": "Blokovať",
@@ -243,6 +244,7 @@
     "allow_this_client": "Povoliť tohto klienta",
     "block_for_this_client_only": "Blokovať len pre tohto klienta",
     "unblock_for_this_client_only": "Odblokovať len pre tohto klienta",
+    "add_persistent_client": "Pridať ako trvalého klienta",
     "time_table_header": "Čas",
     "date": "Dátum",
     "domain_name_table_header": "Meno domény",
@@ -465,6 +467,7 @@
     "form_add_id": "Pridajte identifikátor",
     "form_client_name": "Zadajte meno klienta",
     "name": "Meno",
+    "client_name": "Klient {{id}}",
     "client_global_settings": "Použiť globálne nastavenia",
     "client_deleted": "\"{{key}}\" klienta bol úspešne vymazaný",
     "client_added": "\"{{key}}\" klienta bol úspešne pridaný",
@@ -675,7 +678,7 @@
     "use_saved_key": "Použiť predtým uložený kľúč",
     "parental_control": "Rodičovská kontrola",
     "safe_browsing": "Bezpečné prehliadanie",
-    "served_from_cache": "{{value}} <i>(prevzatá z cache pamäte)</i>",
+    "served_from_cache_label": "Prevzaté z cache pamäte",
     "form_error_password_length": "Heslo musí mať od {{min}} do {{max}} znakov",
     "anonymizer_notification": "<0>Poznámka:</0> Anonymizácia IP je zapnutá. Môžete ju vypnúť vo <1>Všeobecných nastaveniach</1>.",
     "confirm_dns_cache_clear": "Naozaj chcete vymazať vyrovnávaciu pamäť DNS?",

client/src/__locales/sl.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Gorvodni trežniki so uspešno shranjeni",
     "dns_test_ok_toast": "Navedeni strežniki DNS delujejo pravilno",
     "dns_test_not_ok_toast": "Ni mogoče uporabiti: strežnika \"{{key}}\". Preverite, ali ste ga pravilno napisali",
+    "dns_test_parsing_error_toast": "Razdelek {{section}}: vrstica {{line}}: ni bilo mogoče uporabiti, preverite, ali ste ga pravilno zapisali",
     "dns_test_warning_toast": "Upstream \"{{key}}\" se ne odziva na testne zahteve in morda ne deluje pravilno",
     "unblock": "Omogoči",
     "block": "Onemogoči",
@@ -243,6 +244,7 @@
     "allow_this_client": "Dovoli tega odjemalca",
     "block_for_this_client_only": "Onemogoči samo za tega odjemalca",
     "unblock_for_this_client_only": "Omogoči samo za tega odjemalca",
+    "add_persistent_client": "Dodaj kot vztrajnega odjemalca",
     "time_table_header": "Čas",
     "date": "Datum",
     "domain_name_table_header": "Ime domene",
@@ -465,6 +467,7 @@
     "form_add_id": "Dodaj identifikatorja",
     "form_client_name": "Vnesite ime odjemalca",
     "name": "Ime",
+    "client_name": "Odjemalec {{id}}",
     "client_global_settings": "Uporabi splošne nastavitve",
     "client_deleted": "Odjemalec \"{{key}}\" je bil uspešno izbrisan",
     "client_added": "Odjemalec \"{{key}}\" je bil uspešno dodan",
@@ -675,7 +678,7 @@
     "use_saved_key": "Uporabi prej shranjeni ključ",
     "parental_control": "Starševski nadzor",
     "safe_browsing": "Varno brskanje",
-    "served_from_cache": "{{value}} <i>(postreženo iz predpomnilnika)</i>",
+    "served_from_cache_label": "Dostavljeno iz predpomnilnika",
     "form_error_password_length": "Geslo mora vsebovati od {{min}} do {{max}} znakov",
     "anonymizer_notification": "<0>Opomba:</0> Anonimizacija IP je omogočena. Onemogočite ga lahko v <1>Splošnih nastavitvah</1>.",
     "confirm_dns_cache_clear": "Ali ste prepričani, da želite počistiti predpomnilnik DNS?",

client/src/__locales/sr-cs.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Upstream serveri su uspešno sačuvani",
     "dns_test_ok_toast": "Dati DNS serveri rade ispravno",
     "dns_test_not_ok_toast": "Server \"{{key}}\": se ne može koristiti. Proverite da li ste ga ispravno uneli",
+    "dns_test_parsing_error_toast": "Odeljak {{section}}: linija {{line}}: ne može se koristiti, molimo proverite da li ste ga ispravno napisali",
     "dns_test_warning_toast": "Apstrim \"{{key}}\" ne odgovara na zahteve za testiranje i možda neće raditi kako treba",
     "unblock": "Odblokiraj",
     "block": "Blokiraj",
@@ -243,6 +244,7 @@
     "allow_this_client": "Dozvoli ovaj klijent",
     "block_for_this_client_only": "Blokiraj samo za ovaj klijent",
     "unblock_for_this_client_only": "Odblokiraj samo za ovaj klijent",
+    "add_persistent_client": "Dodati u sačuvane klijente",
     "time_table_header": "Vreme",
     "date": "Datum",
     "domain_name_table_header": "Ime domena",
@@ -462,6 +464,7 @@
     "form_add_id": "Dodaj identifikator",
     "form_client_name": "Unesite ime klijenta",
     "name": "Ime",
+    "client_name": "Klijent {{id}}",
     "client_global_settings": "Koristi globalne postavke",
     "client_deleted": "Klijent \"{{key}}\" uspešno izbrisan",
     "client_added": "Klijent \"{{key}}\" uspešno dodat",

client/src/__locales/sv.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Sparade uppströms dns-servrar",
     "dns_test_ok_toast": "Angivna DNS servrar fungerar korrekt",
     "dns_test_not_ok_toast": "Server \"{{key}}\": kunde inte användas. Var snäll och kolla att du skrivit in rätt",
+    "dns_test_parsing_error_toast": "Avsnitt {{section}}: rad {{line}}: kunde inte användas, kontrollera att du har skrivit det korrekt",
     "dns_test_warning_toast": "Uppströms \"{{key}}\" svarar inte på testförfrågningar och kanske inte fungerar korrekt",
     "unblock": "Avblockera",
     "block": "Blockera",
@@ -243,6 +244,7 @@
     "allow_this_client": "Tillåt den här klienten",
     "block_for_this_client_only": "Blockera endast för denna klient",
     "unblock_for_this_client_only": "Avblockera endast för denna klient",
+    "add_persistent_client": "Lägg till som beständig klient",
     "time_table_header": "Tid",
     "date": "Datum",
     "domain_name_table_header": "Domännamn",
@@ -461,6 +463,7 @@
     "form_add_id": "Lägg till identifierare",
     "form_client_name": "Skriv in klientnamn",
     "name": "Namn",
+    "client_name": "Klient {{id}}",
     "client_global_settings": "Använda globala inställningar",
     "client_deleted": "Klient \"{{key}}\" har raderats",
     "client_added": "Klient \"{{key}}\" har lagts till",

client/src/__locales/tr.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Üst sunucular başarıyla kaydedildi",
     "dns_test_ok_toast": "Belirtilen DNS sunucuları düzgün çalışıyor",
     "dns_test_not_ok_toast": "Sunucu \"{{key}}\": kullanılamıyor, lütfen doğru yazdığınızdan emin olun",
+    "dns_test_parsing_error_toast": "{{section}} bölümü: {{line}}. satır: kullanılamadı, lütfen doğru yazdığınızı kontrol edin",
     "dns_test_warning_toast": "Üst kaynak \"{{key}}\", test isteklerine yanıt vermiyor ve düzgün çalışmayabilir",
     "unblock": "Engeli kaldır",
     "block": "Engelle",
@@ -243,6 +244,7 @@
     "allow_this_client": "Bu istemciye izin ver",
     "block_for_this_client_only": "Yalnızca bu istemci için engelle",
     "unblock_for_this_client_only": "Yalnızca bu istemci için engellemeyi kaldır",
+    "add_persistent_client": "Kalıcı istemci olarak ekle",
     "time_table_header": "Saat",
     "date": "Tarih",
     "domain_name_table_header": "Alan adı",
@@ -465,6 +467,7 @@
     "form_add_id": "Tanımlayıcı ekle",
     "form_client_name": "İstemci ismi girin",
     "name": "Adı",
+    "client_name": "İstemci {{id}}",
     "client_global_settings": "Genel ayarları kullan",
     "client_deleted": "\"{{key}}\" istemcisi başarıyla silindi",
     "client_added": "\"{{key}}\" istemcisi başarıyla eklendi",
@@ -675,7 +678,7 @@
     "use_saved_key": "Önceden kaydedilmiş anahtarı kullan",
     "parental_control": "Ebeveyn Denetimi",
     "safe_browsing": "Güvenli Gezinti",
-    "served_from_cache": "{{value}} <i>(önbellekten kullanıldı)</i>",
+    "served_from_cache_label": "Önbellekten kullanıldı",
     "form_error_password_length": "Parola {{min}} ila {{max}} karakter uzunluğunda olmalıdır",
     "anonymizer_notification": "<0>Not:</0> IP anonimleştirme etkinleştirildi. Bunu <1>Genel ayarlardan</1> devre dışı bırakabilirsiniz.",
     "confirm_dns_cache_clear": "DNS önbelleğini temizlemek istediğinizden emin misiniz?",

client/src/__locales/uk.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "DNS-сервери успішно збережено",
     "dns_test_ok_toast": "Вказані DNS сервери працюють правильно",
     "dns_test_not_ok_toast": "Сервер «{{key}}»: неможливо використати. Перевірте правильність введення",
+    "dns_test_parsing_error_toast": "Розділ {{section}}: рядок {{line}}: неможливо використати. Перевірте правильність введення",
     "dns_test_warning_toast": "Upstream «{{key}}» не відповідає на тестові запити та може працювати не правильно",
     "unblock": "Дозволити",
     "block": "Заборонити",
@@ -243,6 +244,7 @@
     "allow_this_client": "Дозволити цей клієнт",
     "block_for_this_client_only": "Заборонити тільки цей клієнт",
     "unblock_for_this_client_only": "Дозволити тільки цей клієнт",
+    "add_persistent_client": "Додати в збережені клієнти",
     "time_table_header": "Час",
     "date": "Дата",
     "domain_name_table_header": "Назва домену",
@@ -465,6 +467,7 @@
     "form_add_id": "Додати ідентифікатор",
     "form_client_name": "Введіть ім'я клієнта",
     "name": "Ім'я",
+    "client_name": "Клієнт {{id}}",
     "client_global_settings": "Використати загальні налаштування",
     "client_deleted": "Клієнта «{{key}}» успішно видалено",
     "client_added": "Клієнта «{{key}}» успішно додано",
@@ -675,7 +678,7 @@
     "use_saved_key": "Використати раніше збережений ключ",
     "parental_control": "Батьківський контроль",
     "safe_browsing": "Безпечний перегляд",
-    "served_from_cache": "{{value}} <i>(отримано з кешу)</i>",
+    "served_from_cache_label": "Отримано з кешу",
     "form_error_password_length": "Пароль має містити від {{min}} до {{max}} символів",
     "anonymizer_notification": "<0>Примітка:</0> IP-анонімізацію ввімкнено. Ви можете вимкнути його в <1>Загальні налаштування</1> .",
     "confirm_dns_cache_clear": "Ви впевнені, що бажаєте очистити кеш DNS?",

client/src/__locales/vi.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "Các máy chủ thượng nguồn đã được lưu thành công",
     "dns_test_ok_toast": "Máy chủ DNS có thể sử dụng",
     "dns_test_not_ok_toast": "Máy chủ \"{{key}}\"': không thể sử dụng, vui lòng kiểm tra lại",
+    "dns_test_parsing_error_toast": "Phần {{section}}: dòng {{line}}: không thể sử dụng được, vui lòng kiểm tra xem bạn đã viết đúng chưa",
     "dns_test_warning_toast": "Ngược lại \"{{key}}\" không phản hồi các yêu cầu kiểm tra và có thể không hoạt động bình thường",
     "unblock": "Bỏ chặn",
     "block": "Chặn",
@@ -243,6 +244,7 @@
     "allow_this_client": "Cho phép ứng dụng khách này",
     "block_for_this_client_only": "Chỉ chặn ứng dụng khách này",
     "unblock_for_this_client_only": "Chỉ hủy chặn ứng dụng khách này",
+    "add_persistent_client": "Thêm làm ứng dụng khách liên tục",
     "time_table_header": "Thời gian",
     "date": "Ngày",
     "domain_name_table_header": "Tên miền",
@@ -462,6 +464,7 @@
     "form_add_id": "Thêm định danh",
     "form_client_name": "Nhập tên máy khách",
     "name": "Tên",
+    "client_name": "Khách hàng {{id}}",
     "client_global_settings": "Sử dụng cài đặt toàn cầu",
     "client_deleted": "Máy khách \"{{key}}\" đã xóa thành công",
     "client_added": "Máy khách \"{{key}}\" đã thêm thành công",

client/src/__locales/zh-cn.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "上游服务器保存成功",
     "dns_test_ok_toast": "指定的 DNS 服务器现已正常运行",
     "dns_test_not_ok_toast": "服务器 \"{{key}}\"：无法使用，请检查你输入的是否正确",
+    "dns_test_parsing_error_toast": "第 {{section}} 节：第 {{line}} 行：无法使用，请检查您输入的是否正确",
     "dns_test_warning_toast": "上游 “{{key}}” 不响应测试请求，可能无法正常工作",
     "unblock": "放行",
     "block": "拦截",
@@ -243,6 +244,7 @@
     "allow_this_client": "允许这个客户端",
     "block_for_this_client_only": "仅对此客户端拦截",
     "unblock_for_this_client_only": "仅解除对此客户端的拦截",
+    "add_persistent_client": "添加为持久客户端",
     "time_table_header": "时间",
     "date": "日期",
     "domain_name_table_header": "域名",
@@ -465,6 +467,7 @@
     "form_add_id": "添加标识符",
     "form_client_name": "输入客户端名称",
     "name": "名称",
+    "client_name": "客户端 {{id}}",
     "client_global_settings": "使用全局设置",
     "client_deleted": "客户端 \"{{key}}\" 删除成功",
     "client_added": "客户端 \"{{key}}\" 添加成功",
@@ -675,7 +678,7 @@
     "use_saved_key": "使用之前保存的密钥",
     "parental_control": "家长控制",
     "safe_browsing": "安全浏览",
-    "served_from_cache": "{{value}}<i>(由缓存提供)</i>",
+    "served_from_cache_label": "从缓存中",
     "form_error_password_length": "密码长度必须为 {{min}} 到 {{max}} 个字符",
     "anonymizer_notification": "<0>注意：</0> IP 匿名化已启用。您可以在<1>常规设置</1>中禁用它。",
     "confirm_dns_cache_clear": "您确定要清除 DNS 缓存吗？",

client/src/__locales/zh-tw.json

@@ -236,6 +236,7 @@
     "updated_upstream_dns_toast": "上游的伺服器被成功地儲存",
     "dns_test_ok_toast": "已明確指定的 DNS 伺服器正在正確地運作",
     "dns_test_not_ok_toast": "伺服器 \"{{key}}\"：無法被使用，請檢查您已正確地填寫它",
+    "dns_test_parsing_error_toast": "第 {{section}} 節：第 {{line}} 行：無法使用，請檢查您輸入的是否正確",
     "dns_test_warning_toast": "上游 “{{key}}” 不回應測試請求，可能無法正常工作",
     "unblock": "解除封鎖",
     "block": "封鎖",
@@ -243,6 +244,7 @@
     "allow_this_client": "允許此用戶端",
     "block_for_this_client_only": "僅對此用戶端封鎖",
     "unblock_for_this_client_only": "僅對此用戶端解除封鎖",
+    "add_persistent_client": "新增為永久性客戶端",
     "time_table_header": "時間",
     "date": "日期",
     "domain_name_table_header": "域名",
@@ -465,6 +467,7 @@
     "form_add_id": "新增識別碼",
     "form_client_name": "輸入用戶端名稱",
     "name": "名稱",
+    "client_name": "用戶端 {{id}}",
     "client_global_settings": "使用全域的設定",
     "client_deleted": "用戶端 \"{{key}}\" 被成功地刪除",
     "client_added": "用戶端 \"{{key}}\" 被成功地加入",
@@ -675,7 +678,7 @@
     "use_saved_key": "使用該先前已儲存的金鑰",
     "parental_control": "家長控制",
     "safe_browsing": "安全瀏覽",
-    "served_from_cache": "{{value}} <i>(由快取提供)</i>",
+    "served_from_cache_label": "從快取中",
     "form_error_password_length": "密碼長度必須為 {{min}} 到 {{max}} 個字符",
     "anonymizer_notification": "<0>注意：</0>IP 匿名化被啟用。您可在<1>一般設定</1>中禁用它。",
     "confirm_dns_cache_clear": "您確定您想要清除 DNS 快取嗎？",

client/src/actions/index.js

@@ -403,6 +403,11 @@ export const testUpstream = (
                 const message = upstreamResponse[key];
                 if (message.startsWith('WARNING:')) {
                     dispatch(addErrorToast({ error: i18next.t('dns_test_warning_toast', { key }) }));
+                } else if (message.endsWith(': parsing error')) {
+                    const info = message.substring(0, message.indexOf(':'));
+                    const [sectionKey, line] = info.split(' ');
+                    const section = i18next.t(sectionKey);
+                    dispatch(addErrorToast({ error: i18next.t('dns_test_parsing_error_toast', { section, line }) }));
                 } else if (message !== 'OK') {
                     dispatch(addErrorToast({ error: i18next.t('dns_test_not_ok_toast', { key }) }));
                 }

client/src/components/Dashboard/index.js

@@ -55,6 +55,12 @@ const Dashboard = ({
             return t('stats_disabled_short');
         }
 
+        const msIn7Days = 604800000;
+
+        if (stats.timeUnits === TIME_UNITS.HOURS && stats.interval === msIn7Days) {
+            return t('for_last_days', { count: msToDays(stats.interval) });
+        }
+
         return stats.timeUnits === TIME_UNITS.HOURS
             ? t('for_last_hours', { count: msToHours(stats.interval) })
             : t('for_last_days', { count: msToDays(stats.interval) });

client/src/components/Filters/Modal.js

@@ -13,6 +13,8 @@ ReactModal.setAppElement('#root');
 const MODAL_TYPE_TO_TITLE_TYPE_MAP = {
     [MODAL_TYPE.EDIT_FILTERS]: 'edit',
     [MODAL_TYPE.ADD_FILTERS]: 'new',
+    [MODAL_TYPE.EDIT_CLIENT]: 'edit',
+    [MODAL_TYPE.ADD_CLIENT]: 'new',
     [MODAL_TYPE.SELECT_MODAL_TYPE]: 'new',
     [MODAL_TYPE.CHOOSE_FILTERING_LIST]: 'choose',
 };

client/src/components/Logs/Cells/ClientCell.js

@@ -3,7 +3,7 @@ import { shallowEqual, useDispatch, useSelector } from 'react-redux';
 import { nanoid } from 'nanoid';
 import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
-import { Link } from 'react-router-dom';
+import { Link, useHistory } from 'react-router-dom';
 import propTypes from 'prop-types';
 
 import { checkFiltered, getBlockingClientName } from '../../../helpers/helpers';
@@ -25,12 +25,14 @@ const ClientCell = ({
 }) => {
     const { t } = useTranslation();
     const dispatch = useDispatch();
+    const history = useHistory();
     const autoClients = useSelector((state) => state.dashboard.autoClients, shallowEqual);
     const isDetailed = useSelector((state) => state.queryLogs.isDetailed);
     const allowedСlients = useSelector((state) => state.access.allowed_clients, shallowEqual);
     const [isOptionsOpened, setOptionsOpened] = useState(false);
 
     const autoClient = autoClients.find((autoClient) => autoClient.name === client);
+    const clients = useSelector((state) => state.dashboard.clients);
     const source = autoClient?.source;
     const whoisAvailable = client_info && Object.keys(client_info.whois).length > 0;
     const clientName = client_info?.name || client_id;
@@ -55,6 +57,8 @@ const ClientCell = ({
 
     const isFiltered = checkFiltered(reason);
 
+    const clientIds = clients.map((c) => c.ids).flat();
+
     const nameClass = classNames('w-90 o-hidden d-flex flex-column', {
         'mt-2': isDetailed && !client_info?.name && !whoisAvailable,
         'white-space--nowrap': isDetailed,
@@ -66,7 +70,6 @@ const ClientCell = ({
 
     const renderBlockingButton = (isFiltered, domain) => {
         const buttonType = isFiltered ? BLOCK_ACTIONS.UNBLOCK : BLOCK_ACTIONS.BLOCK;
-        const clients = useSelector((state) => state.dashboard.clients);
 
         const {
             confirmMessage,
@@ -118,6 +121,15 @@ const ClientCell = ({
             },
         ];
 
+        if (!clientIds.includes(client)) {
+            BUTTON_OPTIONS.push({
+                name: 'add_persistent_client',
+                onClick: () => {
+                    history.push(`/#clients?clientId=${client}`);
+                },
+            });
+        }
+
         const getOptions = (options) => {
             if (options.length === 0) {
                 return null;

client/src/components/Logs/Cells/ResponseCell.js

@@ -38,9 +38,6 @@ const ResponseCell = ({
 
     const statusLabel = t(isBlockedByResponse ? 'blocked_by_cname_or_ip' : FILTERED_STATUS_TO_META_MAP[reason]?.LABEL || reason);
     const boldStatusLabel = <span className="font-weight-bold">{statusLabel}</span>;
-    const upstreamString = cached
-        ? t('served_from_cache', { value: upstream, i: <i /> })
-        : upstream;
 
     const renderResponses = (responseArr) => {
         if (!responseArr || responseArr.length === 0) {
@@ -58,7 +55,16 @@ const ResponseCell = ({
 
     const COMMON_CONTENT = {
         encryption_status: boldStatusLabel,
-        install_settings_dns: upstreamString,
+        install_settings_dns: upstream,
+        ...(cached
+            && {
+                served_from_cache_label: (
+                    <svg className="icons icon--20 icon--green mb-1">
+                        <use xlinkHref="#check" />
+                    </svg>
+                ),
+            }
+        ),
         elapsed: formattedElapsedMs,
         response_code: status,
         ...(service_name && services.allServices

client/src/components/Logs/Cells/index.js

@@ -118,9 +118,6 @@ const Row = memo(({
 
         const blockingForClientKey = isFiltered ? 'unblock_for_this_client_only' : 'block_for_this_client_only';
         const clientNameBlockingFor = getBlockingClientName(clients, client);
-        const upstreamString = cached
-            ? t('served_from_cache', { value: upstream, i: <i /> })
-            : upstream;
 
         const onBlockingForClientClick = () => {
             dispatch(toggleBlockingForClient(buttonType, domain, clientNameBlockingFor));
@@ -192,7 +189,16 @@ const Row = memo(({
                             className="link--green">{sourceData.name}
                     </a>,
             response_details: 'title',
-            install_settings_dns: upstreamString,
+            install_settings_dns: upstream,
+            ...(cached
+                && {
+                    served_from_cache_label: (
+                        <svg className="icons icon--20 icon--green">
+                            <use xlinkHref="#check" />
+                        </svg>
+                    ),
+                }
+            ),
             elapsed: formattedElapsedMs,
             ...(rules.length > 0
                     && { rule_label: getRulesToFilterList(rules, filters, whitelistFilters) }

client/src/components/Settings/Clients/ClientsTable/ClientsTable.js

@@ -4,6 +4,7 @@ import React, { useEffect } from 'react';
 import PropTypes from 'prop-types';
 import { Trans, useTranslation } from 'react-i18next';
 import { useDispatch, useSelector } from 'react-redux';
+import { useHistory, useLocation } from 'react-router-dom';
 import ReactTable from 'react-table';
 
 import { getAllBlockedServices, getBlockedServices } from '../../../../actions/services';
@@ -39,8 +40,12 @@ const ClientsTable = ({
 }) => {
     const [t] = useTranslation();
     const dispatch = useDispatch();
+    const location = useLocation();
+    const history = useHistory();
     const services = useSelector((store) => store?.services);
     const globalSettings = useSelector((store) => store?.settings.settingsList) || {};
+    const params = new URLSearchParams(location.search);
+    const clientId = params.get('clientId');
 
     const { safesearch } = globalSettings;
 
@@ -48,6 +53,12 @@ const ClientsTable = ({
         dispatch(getAllBlockedServices());
         dispatch(getBlockedServices());
         dispatch(initSettings());
+
+        if (clientId) {
+            toggleClientModal({
+                type: MODAL_TYPE.ADD_CLIENT,
+            });
+        }
     }, []);
 
     const handleFormAdd = (values) => {
@@ -85,11 +96,15 @@ const ClientsTable = ({
             }
         }
 
-        if (modalType === MODAL_TYPE.EDIT_FILTERS) {
+        if (modalType === MODAL_TYPE.EDIT_CLIENT) {
             handleFormUpdate(config, modalClientName);
         } else {
             handleFormAdd(config);
         }
+
+        if (clientId) {
+            history.push('/#clients');
+        }
     };
 
     const getOptionsWithLabels = (options) => (
@@ -133,6 +148,14 @@ const ClientsTable = ({
         }
     };
 
+    const handleClose = () => {
+        toggleClientModal();
+
+        if (clientId) {
+            history.push('/#clients');
+        }
+    };
+
     const columns = [
         {
             Header: t('table_client'),
@@ -298,7 +321,7 @@ const ClientsTable = ({
                             type="button"
                             className="btn btn-icon btn-outline-primary btn-sm mr-2"
                             onClick={() => toggleClientModal({
-                                type: MODAL_TYPE.EDIT_FILTERS,
+                                type: MODAL_TYPE.EDIT_CLIENT,
                                 name: clientName,
                             })
                             }
@@ -371,12 +394,13 @@ const ClientsTable = ({
                 <Modal
                     isModalOpen={isModalOpen}
                     modalType={modalType}
-                    toggleClientModal={toggleClientModal}
+                    handleClose={handleClose}
                     currentClientData={currentClientData}
                     handleSubmit={handleSubmit}
                     processingAdding={processingAdding}
                     processingUpdating={processingUpdating}
                     tagsOptions={tagsOptions}
+                    clientId={clientId}
                 />
             </>
         </Card>

client/src/components/Settings/Clients/Form.js

@@ -147,7 +147,7 @@ let Form = (props) => {
         useGlobalSettings,
         useGlobalServices,
         blockedServicesSchedule,
-        toggleClientModal,
+        handleClose,
         processingAdding,
         processingUpdating,
         invalid,
@@ -427,7 +427,7 @@ let Form = (props) => {
                         disabled={submitting}
                         onClick={() => {
                             reset();
-                            toggleClientModal();
+                            handleClose();
                         }}
                     >
                         <Trans>cancel_btn</Trans>
@@ -456,7 +456,7 @@ Form.propTypes = {
     reset: PropTypes.func.isRequired,
     change: PropTypes.func.isRequired,
     submitting: PropTypes.bool.isRequired,
-    toggleClientModal: PropTypes.func.isRequired,
+    handleClose: PropTypes.func.isRequired,
     useGlobalSettings: PropTypes.bool,
     useGlobalServices: PropTypes.bool,
     blockedServicesSchedule: PropTypes.object,

client/src/components/Settings/Clients/Modal.js

@@ -6,7 +6,9 @@ import ReactModal from 'react-modal';
 import { MODAL_TYPE } from '../../../helpers/constants';
 import Form from './Form';
 
-const getInitialData = (initial) => {
+const getInitialData = ({
+    initial, modalType, clientId, clientName,
+}) => {
     if (initial && initial.blocked_services) {
         const { blocked_services } = initial;
         const blocked = {};
@@ -21,46 +23,60 @@ const getInitialData = (initial) => {
         };
     }
 
+    if (modalType !== MODAL_TYPE.EDIT_CLIENT && clientId) {
+        return {
+            ...initial,
+            name: clientName,
+            ids: [clientId],
+        };
+    }
+
     return initial;
 };
 
-const Modal = (props) => {
-    const {
-        isModalOpen,
+const Modal = ({
+    isModalOpen,
+    modalType,
+    currentClientData,
+    handleSubmit,
+    handleClose,
+    processingAdding,
+    processingUpdating,
+    tagsOptions,
+    clientId,
+    t,
+}) => {
+    const initialData = getInitialData({
+        initial: currentClientData,
         modalType,
-        currentClientData,
-        handleSubmit,
-        toggleClientModal,
-        processingAdding,
-        processingUpdating,
-        tagsOptions,
-    } = props;
-    const initialData = getInitialData(currentClientData);
+        clientId,
+        clientName: t('client_name', { id: clientId }),
+    });
 
     return (
         <ReactModal
             className="Modal__Bootstrap modal-dialog modal-dialog-centered modal-dialog--clients"
             closeTimeoutMS={0}
             isOpen={isModalOpen}
-            onRequestClose={() => toggleClientModal()}
+            onRequestClose={handleClose}
         >
             <div className="modal-content">
                 <div className="modal-header">
                     <h4 className="modal-title">
-                        {modalType === MODAL_TYPE.EDIT_FILTERS ? (
+                        {modalType === MODAL_TYPE.EDIT_CLIENT ? (
                             <Trans>client_edit</Trans>
                         ) : (
                             <Trans>client_new</Trans>
                         )}
                     </h4>
-                    <button type="button" className="close" onClick={() => toggleClientModal()}>
+                    <button type="button" className="close" onClick={handleClose}>
                         <span className="sr-only">Close</span>
                     </button>
                 </div>
                 <Form
                     initialValues={{ ...initialData }}
                     onSubmit={handleSubmit}
-                    toggleClientModal={toggleClientModal}
+                    handleClose={handleClose}
                     processingAdding={processingAdding}
                     processingUpdating={processingUpdating}
                     tagsOptions={tagsOptions}
@@ -75,10 +91,12 @@ Modal.propTypes = {
     modalType: PropTypes.string.isRequired,
     currentClientData: PropTypes.object.isRequired,
     handleSubmit: PropTypes.func.isRequired,
-    toggleClientModal: PropTypes.func.isRequired,
+    handleClose: PropTypes.func.isRequired,
     processingAdding: PropTypes.bool.isRequired,
     processingUpdating: PropTypes.bool.isRequired,
     tagsOptions: PropTypes.array.isRequired,
+    t: PropTypes.func.isRequired,
+    clientId: PropTypes.string,
 };
 
 export default withTranslation()(Modal);

client/src/components/Settings/LogsConfig/index.js

@@ -62,7 +62,7 @@ class LogsConfig extends Component {
                             interval,
                             customInterval,
                             anonymize_client_ip,
-                            ignored: ignored.join('\n'),
+                            ignored: ignored?.join('\n'),
                         }}
                         onSubmit={this.handleFormSubmit}
                         processing={processing}

client/src/components/ui/Icons.js

@@ -245,6 +245,10 @@ const Icons = () => (
             <path fillRule="evenodd" clipRule="evenodd" d="M12 13.5C11.1716 13.5 10.5 12.8284 10.5 12C10.5 11.1716 11.1716 10.5 12 10.5C12.8284 10.5 13.5 11.1716 13.5 12C13.5 12.8284 12.8284 13.5 12 13.5Z" fill="currentColor" />
             <path fillRule="evenodd" clipRule="evenodd" d="M12 20C11.1716 20 10.5 19.3284 10.5 18.5C10.5 17.6716 11.1716 17 12 17C12.8284 17 13.5 17.6716 13.5 18.5C13.5 19.3284 12.8284 20 12 20Z" fill="currentColor" />
         </symbol>
+
+        <symbol id="check" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
+            <path d="M5 11.7665L10.5878 17L19 8" />
+        </symbol>
     </svg>
 );
 

client/src/helpers/constants.js

@@ -182,6 +182,8 @@ export const MODAL_TYPE = {
     EDIT_REWRITE: 'EDIT_REWRITE',
     EDIT_LEASE: 'EDIT_LEASE',
     ADD_LEASE: 'ADD_LEASE',
+    ADD_CLIENT: 'ADD_CLIENT',
+    EDIT_CLIENT: 'EDIT_CLIENT',
 };
 
 export const CLIENT_ID = {

client/src/helpers/filters/filters.js

@@ -209,7 +209,7 @@ export default {
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt"
         },
         "hagezi_multinormal": {
-            "name": "HaGeZi Multi NORMAL",
+            "name": "HaGeZi's Normal Blocklist",
             "categoryId": "general",
             "homepage": "https://github.com/hagezi/dns-blocklists",
             "source": "https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt"

client/src/helpers/trackers/trackers.json

@@ -1,5 +1,5 @@
 {
-    "timeUpdated": "2024-01-22T00:10:10.554Z",
+    "timeUpdated": "2024-03-01T00:10:14.031Z",
     "categories": {
         "0": "audio_video_player",
         "1": "comments",
@@ -2732,6 +2732,13 @@
             "url": "https://www.microsoft.com/",
             "companyId": "microsoft"
         },
+        "assemblyexchange": {
+            "name": "Assembly Exchange",
+            "categoryId": 4,
+            "url": "https://www.medialab.la/",
+            "companyId": "medialab",
+            "source": "AdGuard"
+        },
         "astronomer": {
             "name": "Astronomer",
             "categoryId": 6,
@@ -20831,6 +20838,7 @@
         "asambeauty.com": "asambeauty.com",
         "ask.com": "ask.com",
         "aspnetcdn.com": "aspnetcdn",
+        "ads.assemblyexchange.com": "assemblyexchange",
         "cdn.astronomer.io": "astronomer",
         "ati-host.net": "at_internet",
         "aticdn.net": "at_internet",

go.mod

@@ -1,11 +1,11 @@
 module github.com/AdguardTeam/AdGuardHome
 
-go 1.20
+go 1.21.8
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.63.1
-	github.com/AdguardTeam/golibs v0.19.0
-	github.com/AdguardTeam/urlfilter v0.17.3
+	github.com/AdguardTeam/dnsproxy v0.66.0
+	github.com/AdguardTeam/golibs v0.20.2
+	github.com/AdguardTeam/urlfilter v0.18.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.7
 	github.com/bluele/gcache v0.0.2
@@ -17,8 +17,8 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/gopacket v1.1.19
 	github.com/google/renameio/v2 v2.0.0
-	github.com/google/uuid v1.5.0
-	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
+	github.com/google/uuid v1.6.0
+	github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.2
 	github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118
@@ -28,14 +28,14 @@ require (
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
 	github.com/miekg/dns v1.1.58
-	github.com/quic-go/quic-go v0.40.1
+	github.com/quic-go/quic-go v0.41.0
 	github.com/stretchr/testify v1.8.4
 	github.com/ti-mo/netfilter v0.5.1
-	go.etcd.io/bbolt v1.3.8
-	golang.org/x/crypto v0.18.0
-	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
-	golang.org/x/net v0.20.0
-	golang.org/x/sys v0.16.0
+	go.etcd.io/bbolt v1.3.9
+	golang.org/x/crypto v0.21.0
+	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+	golang.org/x/net v0.22.0
+	golang.org/x/sys v0.18.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 	howett.net/plist v1.0.1
@@ -48,21 +48,19 @@ require (
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/google/pprof v0.0.0-20240117000934-35fc243c5815 // indirect
-	// TODO(a.garipov): Upgrade to v0.5.0 once we switch to Go 1.21+.
+	github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7 // indirect
 	github.com/mdlayher/socket v0.5.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.15.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.16.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
-	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	go.uber.org/mock v0.4.0 // indirect
-	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
 	gonum.org/v1/gonum v0.14.0 // indirect
 )

go.sum

@@ -1,9 +1,9 @@
-github.com/AdguardTeam/dnsproxy v0.63.1 h1:CilxSuLYcuYpbPCGB7w41UUqWRMu3dvj4c9TvkIrpBg=
-github.com/AdguardTeam/dnsproxy v0.63.1/go.mod h1:dRRAFOjrq4QYM92jGs4lt4BoY0Dm3EY3HkaleoM2Feo=
-github.com/AdguardTeam/golibs v0.19.0 h1:y/x+Xn3pDg1ZfQ+QEZapPJqaeVYUIMp/EODMtVhn7PM=
-github.com/AdguardTeam/golibs v0.19.0/go.mod h1:3WunclLLfrVAq7fYQRhd6f168FHOEMssnipVXCxDL/w=
-github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw=
-github.com/AdguardTeam/urlfilter v0.17.3/go.mod h1:Jru7jFfeH2CoDf150uDs+rRYcZBzHHBz05r9REyDKyE=
+github.com/AdguardTeam/dnsproxy v0.66.0 h1:RyUbyDxRSXBFjVG1l2/4HV3I98DtfIgpnZkgXkgHKnc=
+github.com/AdguardTeam/dnsproxy v0.66.0/go.mod h1:ZThEXbMUlP1RxfwtNW30ItPAHE6OF4YFygK8qjU/cvY=
+github.com/AdguardTeam/golibs v0.20.2 h1:9gThBFyuELf2ohRnUNeQGQsVBYI7YslaRLUFwVaUj8E=
+github.com/AdguardTeam/golibs v0.20.2/go.mod h1:/votX6WK1PdcZ3T2kBOPjPCGmfhlKixhI6ljYrFRPvI=
+github.com/AdguardTeam/urlfilter v0.18.0 h1:ZZzwODC/ADpjJSODxySrrUnt/fvOCfGFaCW6j+wsGfQ=
+github.com/AdguardTeam/urlfilter v0.18.0/go.mod h1:IXxBwedLiZA2viyHkaFxY/8mjub0li2PXRg8a3d9Z1s=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
@@ -29,13 +29,16 @@ github.com/dimfeld/httptreemux/v5 v5.5.0 h1:p8jkiMrCuZ0CmhwYLcbNbl7DDo21fozhKHQ2
 github.com/dimfeld/httptreemux/v5 v5.5.0/go.mod h1:QeEylH57C0v3VO0tkKraVz9oD3Uu93CKPnTLbsidvSw=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ping/ping v1.1.0 h1:3MCGhVX4fyEUuhsfwPrsEdQw6xspHkv5zHsiSoDFZYw=
 github.com/go-ping/ping v1.1.0/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
@@ -43,25 +46,27 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20240117000934-35fc243c5815 h1:WzfWbQz/Ze8v6l++GGbGNFZnUShVpP/0xffCPLL+ax8=
-github.com/google/pprof v0.0.0-20240117000934-35fc243c5815/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7 h1:y3N7Bm7Y9/CtpiVkw/ZWj6lSlDF3F74SfKwfTCer72Q=
+github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
-github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
+github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8 h1:V3plQrMHRWOB5zMm3yNqvBxDQVW1+/wHBSok5uPdmVs=
+github.com/insomniacslk/dhcp v0.0.0-20240227161007-c728f5dd21c8/go.mod h1:izxuNQZeFrbx2nK2fAyN5iNUB34Fe9j0nK4PwLzAkKw=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
 github.com/kardianos/service v1.2.2 h1:ZvePhAHfvo0A7Mftk/tEzqEZ7Q4lgnR8sGz4xu1YX60=
 github.com/kardianos/service v1.2.2/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118 h1:2oDp6OOhLxQ9JBoUuysVz9UZ9uI6oLUbvAZu0x8o+vE=
 github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118/go.mod h1:ZFUnHIVchZ9lJoWoEGUg8Q3M4U8aNNWA3CVSUTkW4og=
 github.com/mdlayher/netlink v0.0.0-20190313131330-258ea9dff42c/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
@@ -78,12 +83,13 @@ github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrG
 github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
 github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM=
+github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -92,16 +98,18 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs=
-github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
-github.com/quic-go/quic-go v0.40.1 h1:X3AGzUNFs0jVuO3esAGnTfvdgvL4fq655WaOi1snv1Q=
-github.com/quic-go/quic-go v0.40.1/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c=
+github.com/quic-go/quic-go v0.41.0 h1:aD8MmHfgqTURWNJy48IYFg2OnxwHT3JL7ahGs73lb4k=
+github.com/quic-go/quic-go v0.41.0/go.mod h1:qCkNjqczPEvgsOnxZ0eCD14lv+B2LHlFAB++CNOh9hA=
 github.com/shirou/gopsutil/v3 v3.23.7 h1:C+fHO8hfIppoJ1WdsVm1RoI0RwXoNdfTK7yWXV0wVj4=
+github.com/shirou/gopsutil/v3 v3.23.7/go.mod h1:c4gnmoRC0hQuaLqvxnx1//VXQ0Ms/X9UnJF8pddY5z4=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
+github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
@@ -110,32 +118,35 @@ github.com/ti-mo/netfilter v0.2.0/go.mod h1:8GbBGsY/8fxtyIdfwy29JiluNcPK4K7wIT+x
 github.com/ti-mo/netfilter v0.5.1 h1:cqamEd1c1zmpfpqvInLOro0Znq/RAfw2QL5wL2rAR/8=
 github.com/ti-mo/netfilter v0.5.1/go.mod h1:h9UPQ3ZrTZGBitay+LETMxZvNgWGK/efTUcqES2YiLw=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
+github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
 github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
-go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
-go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
+go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
 go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
 go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
-golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ=
+golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
+golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
@@ -149,10 +160,9 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -160,15 +170,17 @@ golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
+golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.14.0 h1:2NiG67LD1tEH0D7kM+ps2V+fXmsAnpUeec7n8tcr4S0=
 gonum.org/v1/gonum v0.14.0/go.mod h1:AoWeoz0becf9QMWtE8iWXNXc27fK4fNeHNf/oMejGfU=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=

internal/aghalg/aghalg.go

@@ -5,9 +5,9 @@ package aghalg
 
 import (
 	"fmt"
+	"slices"
 
 	"golang.org/x/exp/constraints"
-	"golang.org/x/exp/slices"
 )
 
 // Coalesce returns the first non-zero value.  It is named after function

internal/aghalg/ringbuffer_test.go

@@ -1,11 +1,11 @@
 package aghalg_test
 
 import (
+	"slices"
 	"testing"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/stretchr/testify/assert"
-	"golang.org/x/exp/slices"
 )
 
 // elements is a helper function that returns n elements of the buffer.

internal/aghalg/sortedmap.go

@@ -0,0 +1,86 @@
+package aghalg
+
+import (
+	"slices"
+)
+
+// SortedMap is a map that keeps elements in order with internal sorting
+// function.  Must be initialised by the [NewSortedMap].
+type SortedMap[K comparable, V any] struct {
+	vals map[K]V
+	cmp  func(a, b K) (res int)
+	keys []K
+}
+
+// NewSortedMap initializes the new instance of sorted map.  cmp is a sort
+// function to keep elements in order.
+//
+// TODO(s.chzhen):  Use cmp.Compare in Go 1.21.
+func NewSortedMap[K comparable, V any](cmp func(a, b K) (res int)) SortedMap[K, V] {
+	return SortedMap[K, V]{
+		vals: map[K]V{},
+		cmp:  cmp,
+	}
+}
+
+// Set adds val with key to the sorted map.  It panics if the m is nil.
+func (m *SortedMap[K, V]) Set(key K, val V) {
+	m.vals[key] = val
+
+	i, has := slices.BinarySearchFunc(m.keys, key, m.cmp)
+	if has {
+		m.keys[i] = key
+	} else {
+		m.keys = slices.Insert(m.keys, i, key)
+	}
+}
+
+// Get returns val by key from the sorted map.
+func (m *SortedMap[K, V]) Get(key K) (val V, ok bool) {
+	if m == nil {
+		return
+	}
+
+	val, ok = m.vals[key]
+
+	return val, ok
+}
+
+// Del removes the value by key from the sorted map.
+func (m *SortedMap[K, V]) Del(key K) {
+	if m == nil {
+		return
+	}
+
+	if _, has := m.vals[key]; !has {
+		return
+	}
+
+	delete(m.vals, key)
+	i, _ := slices.BinarySearchFunc(m.keys, key, m.cmp)
+	m.keys = slices.Delete(m.keys, i, i+1)
+}
+
+// Clear removes all elements from the sorted map.
+func (m *SortedMap[K, V]) Clear() {
+	if m == nil {
+		return
+	}
+
+	m.keys = nil
+	clear(m.vals)
+}
+
+// Range calls cb for each element of the map, sorted by m.cmp.  If cb returns
+// false it stops.
+func (m *SortedMap[K, V]) Range(cb func(K, V) (cont bool)) {
+	if m == nil {
+		return
+	}
+
+	for _, k := range m.keys {
+		if !cb(k, m.vals[k]) {
+			return
+		}
+	}
+}

internal/aghalg/sortedmap_test.go

@@ -0,0 +1,95 @@
+package aghalg
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewSortedMap(t *testing.T) {
+	var m SortedMap[string, int]
+
+	letters := []string{}
+	for i := 0; i < 10; i++ {
+		r := string('a' + rune(i))
+		letters = append(letters, r)
+	}
+
+	t.Run("create_and_fill", func(t *testing.T) {
+		m = NewSortedMap[string, int](strings.Compare)
+
+		nums := []int{}
+		for i, r := range letters {
+			m.Set(r, i)
+			nums = append(nums, i)
+		}
+
+		gotLetters := []string{}
+		gotNums := []int{}
+		m.Range(func(k string, v int) bool {
+			gotLetters = append(gotLetters, k)
+			gotNums = append(gotNums, v)
+
+			return true
+		})
+
+		assert.Equal(t, letters, gotLetters)
+		assert.Equal(t, nums, gotNums)
+
+		n, ok := m.Get(letters[0])
+		assert.True(t, ok)
+		assert.Equal(t, nums[0], n)
+	})
+
+	t.Run("clear", func(t *testing.T) {
+		lastLetter := letters[len(letters)-1]
+		m.Del(lastLetter)
+
+		_, ok := m.Get(lastLetter)
+		assert.False(t, ok)
+
+		m.Clear()
+
+		gotLetters := []string{}
+		m.Range(func(k string, _ int) bool {
+			gotLetters = append(gotLetters, k)
+
+			return true
+		})
+
+		assert.Len(t, gotLetters, 0)
+	})
+}
+
+func TestNewSortedMap_nil(t *testing.T) {
+	const (
+		key = "key"
+		val = "val"
+	)
+
+	var m SortedMap[string, string]
+
+	assert.Panics(t, func() {
+		m.Set(key, val)
+	})
+
+	assert.NotPanics(t, func() {
+		_, ok := m.Get(key)
+		assert.False(t, ok)
+	})
+
+	assert.NotPanics(t, func() {
+		m.Range(func(_, _ string) (cont bool) {
+			return true
+		})
+	})
+
+	assert.NotPanics(t, func() {
+		m.Del(key)
+	})
+
+	assert.NotPanics(t, func() {
+		m.Clear()
+	})
+}

internal/aghnet/hostscontainer.go

@@ -154,8 +154,8 @@ func pathsToPatterns(fsys fs.FS, paths []string) (patterns []string, err error)
 }
 
 // handleEvents concurrently handles the file system events.  It closes the
-// update channel of HostsContainer when finishes.  It's used to be called
-// within a separate goroutine.
+// update channel of HostsContainer when finishes.  It is intended to be used as
+// a goroutine.
 func (hc *HostsContainer) handleEvents() {
 	defer log.OnPanic(fmt.Sprintf("%s: handling events", hostsContainerPrefix))
 

internal/aghnet/hostscontainer_test.go

@@ -67,6 +67,7 @@ func TestNewHostsContainer(t *testing.T) {
 			}
 
 			hc, err := aghnet.NewHostsContainer(testFS, &aghtest.FSWatcher{
+				OnStart:  func() (_ error) { panic("not implemented") },
 				OnEvents: onEvents,
 				OnAdd:    onAdd,
 				OnClose:  func() (err error) { return nil },
@@ -93,6 +94,7 @@ func TestNewHostsContainer(t *testing.T) {
 	t.Run("nil_fs", func(t *testing.T) {
 		require.Panics(t, func() {
 			_, _ = aghnet.NewHostsContainer(nil, &aghtest.FSWatcher{
+				OnStart: func() (_ error) { panic("not implemented") },
 				// Those shouldn't panic.
 				OnEvents: func() (e <-chan struct{}) { return nil },
 				OnAdd:    func(name string) (err error) { return nil },
@@ -111,6 +113,7 @@ func TestNewHostsContainer(t *testing.T) {
 		const errOnAdd errors.Error = "error"
 
 		errWatcher := &aghtest.FSWatcher{
+			OnStart:  func() (_ error) { panic("not implemented") },
 			OnEvents: func() (e <-chan struct{}) { panic("not implemented") },
 			OnAdd:    func(name string) (err error) { return errOnAdd },
 			OnClose:  func() (err error) { return nil },
@@ -155,6 +158,7 @@ func TestHostsContainer_refresh(t *testing.T) {
 	t.Cleanup(func() { close(eventsCh) })
 
 	w := &aghtest.FSWatcher{
+		OnStart:  func() (_ error) { panic("not implemented") },
 		OnEvents: func() (e <-chan event) { return eventsCh },
 		OnAdd: func(name string) (err error) {
 			assert.Equal(t, "dir", name)

internal/aghnet/ignore.go

@@ -1,11 +1,11 @@
 package aghnet
 
 import (
+	"slices"
 	"strings"
 
 	"github.com/AdguardTeam/urlfilter"
 	"github.com/AdguardTeam/urlfilter/filterlist"
-	"golang.org/x/exp/slices"
 )
 
 // IgnoreEngine contains the list of rules for ignoring hostnames and matches

internal/aghnet/net.go

@@ -17,6 +17,7 @@ import (
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/osutil"
 )
 
 // DialContextFunc is the semantic alias for dialing functions, such as
@@ -32,7 +33,7 @@ var (
 	netInterfaceAddrs = net.InterfaceAddrs
 
 	// rootDirFS is the filesystem pointing to the root directory.
-	rootDirFS = aghos.RootDirFS()
+	rootDirFS = osutil.RootDirFS()
 )
 
 // ErrNoStaticIPInfo is returned by IfaceHasStaticIP when no information about

internal/aghos/fswatcher.go

@@ -8,6 +8,8 @@ import (
 
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/osutil"
+	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/fsnotify/fsnotify"
 )
 
@@ -18,31 +20,38 @@ type event = struct{}
 // FSWatcher tracks all the fyle system events and notifies about those.
 //
 // TODO(e.burkov, a.garipov): Move into another package like aghfs.
+//
+// TODO(e.burkov):  Add tests.
 type FSWatcher interface {
+	// Start starts watching the added files.
+	Start() (err error)
+
+	// Close stops watching the files and closes an update channel.
 	io.Closer
 
-	// Events should return a read-only channel which notifies about events.
+	// Events returns the channel to notify about the file system events.
 	Events() (e <-chan event)
 
-	// Add should check if the file named name is accessible and starts tracking
-	// it.
+	// Add starts tracking the file.  It returns an error if the file can't be
+	// tracked.  It must not be called after Start.
 	Add(name string) (err error)
 }
 
 // osWatcher tracks the file system provided by the OS.
 type osWatcher struct {
-	// w is the actual notifier that is handled by osWatcher.
-	w *fsnotify.Watcher
+	// watcher is the actual notifier that is handled by osWatcher.
+	watcher *fsnotify.Watcher
 
 	// events is the channel to notify.
 	events chan event
+
+	// files is the set of tracked files.
+	files *stringutil.Set
 }
 
-const (
-	// osWatcherPref is a prefix for logging and wrapping errors in osWathcer's
-	// methods.
-	osWatcherPref = "os watcher"
-)
+// osWatcherPref is a prefix for logging and wrapping errors in osWathcer's
+// methods.
+const osWatcherPref = "os watcher"
 
 // NewOSWritesWatcher creates FSWatcher that tracks the real file system of the
 // OS and notifies only about writing events.
@@ -55,25 +64,27 @@ func NewOSWritesWatcher() (w FSWatcher, err error) {
 		return nil, fmt.Errorf("creating watcher: %w", err)
 	}
 
-	fsw := &osWatcher{
-		w:      watcher,
-		events: make(chan event, 1),
-	}
-
-	go fsw.handleErrors()
-	go fsw.handleEvents()
-
-	return fsw, nil
+	return &osWatcher{
+		watcher: watcher,
+		events:  make(chan event, 1),
+		files:   stringutil.NewSet(),
+	}, nil
 }
 
-// handleErrors handles accompanying errors.  It used to be called in a separate
-// goroutine.
-func (w *osWatcher) handleErrors() {
-	defer log.OnPanic(fmt.Sprintf("%s: handling errors", osWatcherPref))
+// type check
+var _ FSWatcher = (*osWatcher)(nil)
 
-	for err := range w.w.Errors {
-		log.Error("%s: %s", osWatcherPref, err)
-	}
+// Start implements the FSWatcher interface for *osWatcher.
+func (w *osWatcher) Start() (err error) {
+	go w.handleErrors()
+	go w.handleEvents()
+
+	return nil
+}
+
+// Close implements the FSWatcher interface for *osWatcher.
+func (w *osWatcher) Close() (err error) {
+	return w.watcher.Close()
 }
 
 // Events implements the FSWatcher interface for *osWatcher.
@@ -81,34 +92,42 @@ func (w *osWatcher) Events() (e <-chan event) {
 	return w.events
 }
 
-// Add implements the FSWatcher interface for *osWatcher.
+// Add implements the [FSWatcher] interface for *osWatcher.
 //
 // TODO(e.burkov):  Make it accept non-existing files to detect it's creating.
 func (w *osWatcher) Add(name string) (err error) {
 	defer func() { err = errors.Annotate(err, "%s: %w", osWatcherPref) }()
 
-	if _, err = fs.Stat(RootDirFS(), name); err != nil {
+	fi, err := fs.Stat(osutil.RootDirFS(), name)
+	if err != nil {
 		return fmt.Errorf("checking file %q: %w", name, err)
 	}
 
-	return w.w.Add(filepath.Join("/", name))
-}
+	name = filepath.Join("/", name)
+	w.files.Add(name)
 
-// Close implements the FSWatcher interface for *osWatcher.
-func (w *osWatcher) Close() (err error) {
-	return w.w.Close()
+	// Watch the directory and filter the events by the file name, since the
+	// common recomendation to the fsnotify package is to watch the directory
+	// instead of the file itself.
+	//
+	// See https://pkg.go.dev/github.com/fsnotify/fsnotify@v1.7.0#readme-watching-a-file-doesn-t-work-well.
+	if !fi.IsDir() {
+		name = filepath.Dir(name)
+	}
+
+	return w.watcher.Add(name)
 }
 
 // handleEvents notifies about the received file system's event if needed.  It
-// used to be called in a separate goroutine.
+// is intended to be used as a goroutine.
 func (w *osWatcher) handleEvents() {
 	defer log.OnPanic(fmt.Sprintf("%s: handling events", osWatcherPref))
 
 	defer close(w.events)
 
-	ch := w.w.Events
+	ch := w.watcher.Events
 	for e := range ch {
-		if e.Op&fsnotify.Write == 0 {
+		if e.Op&fsnotify.Write == 0 || !w.files.Has(e.Name) {
 			continue
 		}
 
@@ -131,3 +150,13 @@ func (w *osWatcher) handleEvents() {
 		}
 	}
 }
+
+// handleErrors handles accompanying errors.  It used to be called in a separate
+// goroutine.
+func (w *osWatcher) handleErrors() {
+	defer log.OnPanic(fmt.Sprintf("%s: handling errors", osWatcherPref))
+
+	for err := range w.watcher.Errors {
+		log.Error("%s: %s", osWatcherPref, err)
+	}
+}

internal/aghos/os.go

@@ -7,18 +7,16 @@ import (
 	"bufio"
 	"fmt"
 	"io"
-	"io/fs"
 	"os"
 	"os/exec"
 	"path"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/mathutil"
-	"golang.org/x/exp/slices"
 )
 
 // UnsupportedError is returned by functions and methods when a particular
@@ -63,7 +61,7 @@ func RunCommand(command string, arguments ...string) (code int, output []byte, e
 	cmd := exec.Command(command, arguments...)
 	out, err := cmd.Output()
 
-	out = out[:mathutil.Min(len(out), MaxCmdOutputSize)]
+	out = out[:min(len(out), MaxCmdOutputSize)]
 
 	if err != nil {
 		if eerr := new(exec.ExitError); errors.As(err, &eerr) {
@@ -142,7 +140,7 @@ func parsePSOutput(r io.Reader, cmdName string, ignore []int) (largest, instNum
 		}
 
 		instNum++
-		largest = mathutil.Max(largest, cur)
+		largest = max(largest, cur)
 	}
 	if err = s.Err(); err != nil {
 		return 0, 0, fmt.Errorf("scanning stdout: %w", err)
@@ -156,13 +154,6 @@ func IsOpenWrt() (ok bool) {
 	return isOpenWrt()
 }
 
-// RootDirFS returns the [fs.FS] rooted at the operating system's root.  On
-// Windows it returns the fs.FS rooted at the volume of the system directory
-// (usually, C:).
-func RootDirFS() (fsys fs.FS) {
-	return rootDirFS()
-}
-
 // NotifyReconfigureSignal notifies c on receiving reconfigure signals.
 func NotifyReconfigureSignal(c chan<- os.Signal) {
 	notifyReconfigureSignal(c)

internal/aghos/os_linux.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"syscall"
 
+	"github.com/AdguardTeam/golibs/osutil"
 	"github.com/AdguardTeam/golibs/stringutil"
 )
 
@@ -40,7 +41,7 @@ func isOpenWrt() (ok bool) {
 		}
 
 		return nil, !stringutil.ContainsFold(string(data), osNameData), nil
-	}).Walk(RootDirFS(), etcReleasePattern)
+	}).Walk(osutil.RootDirFS(), etcReleasePattern)
 
 	return err == nil && ok
 }

internal/aghos/os_unix.go

@@ -3,17 +3,12 @@
 package aghos
 
 import (
-	"io/fs"
 	"os"
 	"os/signal"
 
 	"golang.org/x/sys/unix"
 )
 
-func rootDirFS() (fsys fs.FS) {
-	return os.DirFS("/")
-}
-
 func notifyReconfigureSignal(c chan<- os.Signal) {
 	signal.Notify(c, unix.SIGHUP)
 }

internal/aghos/os_windows.go

@@ -3,29 +3,13 @@
 package aghos
 
 import (
-	"io/fs"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"syscall"
 
-	"github.com/AdguardTeam/golibs/log"
 	"golang.org/x/sys/windows"
 )
 
-func rootDirFS() (fsys fs.FS) {
-	// TODO(a.garipov): Use a better way if golang/go#44279 is ever resolved.
-	sysDir, err := windows.GetSystemDirectory()
-	if err != nil {
-		log.Error("aghos: getting root filesystem: %s; using C:", err)
-
-		// Assume that C: is the safe default.
-		return os.DirFS("C:")
-	}
-
-	return os.DirFS(filepath.VolumeName(sysDir))
-}
-
 func setRlimit(val uint64) (err error) {
 	return Unsupported("setrlimit")
 }

internal/aghtest/aghtest.go

@@ -9,8 +9,13 @@ import (
 	"net/netip"
 	"net/url"
 	"testing"
+	"time"
 
+	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/miekg/dns"
 	"github.com/stretchr/testify/require"
 )
 
@@ -71,3 +76,49 @@ func StartHTTPServer(t testing.TB, data []byte) (c *http.Client, u *url.URL) {
 
 	return srv.Client(), u
 }
+
+// testTimeout is a timeout for tests.
+//
+// TODO(e.burkov):  Move into agdctest.
+const testTimeout = 1 * time.Second
+
+// StartLocalhostUpstream is a test helper that starts a DNS server on
+// localhost.
+func StartLocalhostUpstream(t *testing.T, h dns.Handler) (addr *url.URL) {
+	t.Helper()
+
+	startCh := make(chan netip.AddrPort)
+	defer close(startCh)
+	errCh := make(chan error)
+
+	srv := &dns.Server{
+		Addr:         "127.0.0.1:0",
+		Net:          string(proxy.ProtoTCP),
+		Handler:      h,
+		ReadTimeout:  testTimeout,
+		WriteTimeout: testTimeout,
+	}
+	srv.NotifyStartedFunc = func() {
+		addrPort := srv.Listener.Addr()
+		startCh <- netutil.NetAddrToAddrPort(addrPort)
+	}
+
+	go func() { errCh <- srv.ListenAndServe() }()
+
+	select {
+	case addrPort := <-startCh:
+		addr = &url.URL{
+			Scheme: string(proxy.ProtoTCP),
+			Host:   addrPort.String(),
+		}
+
+		testutil.CleanupAndRequireSuccess(t, func() (err error) { return <-errCh })
+		testutil.CleanupAndRequireSuccess(t, srv.Shutdown)
+	case err := <-errCh:
+		require.NoError(t, err)
+	case <-time.After(testTimeout):
+		require.FailNow(t, "timeout exceeded")
+	}
+
+	return addr
+}

internal/aghtest/interface.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/AdGuardHome/internal/client"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
 	"github.com/AdguardTeam/AdGuardHome/internal/rdns"
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
@@ -26,14 +25,25 @@ import (
 
 // FSWatcher is a fake [aghos.FSWatcher] implementation for tests.
 type FSWatcher struct {
+	OnStart  func() (err error)
+	OnClose  func() (err error)
 	OnEvents func() (e <-chan struct{})
 	OnAdd    func(name string) (err error)
-	OnClose  func() (err error)
 }
 
 // type check
 var _ aghos.FSWatcher = (*FSWatcher)(nil)
 
+// Start implements the [aghos.FSWatcher] interface for *FSWatcher.
+func (w *FSWatcher) Start() (err error) {
+	return w.OnStart()
+}
+
+// Close implements the [aghos.FSWatcher] interface for *FSWatcher.
+func (w *FSWatcher) Close() (err error) {
+	return w.OnClose()
+}
+
 // Events implements the [aghos.FSWatcher] interface for *FSWatcher.
 func (w *FSWatcher) Events() (e <-chan struct{}) {
 	return w.OnEvents()
@@ -44,11 +54,6 @@ func (w *FSWatcher) Add(name string) (err error) {
 	return w.OnAdd(name)
 }
 
-// Close implements the [aghos.FSWatcher] interface for *FSWatcher.
-func (w *FSWatcher) Close() (err error) {
-	return w.OnClose()
-}
-
 // Package agh
 
 // ServiceWithConfig is a fake [agh.ServiceWithConfig] implementation for tests.
@@ -88,9 +93,6 @@ type AddressProcessor struct {
 	OnClose   func() (err error)
 }
 
-// type check
-var _ client.AddressProcessor = (*AddressProcessor)(nil)
-
 // Process implements the [client.AddressProcessor] interface for
 // *AddressProcessor.
 func (p *AddressProcessor) Process(ip netip.Addr) {
@@ -108,9 +110,6 @@ type AddressUpdater struct {
 	OnUpdateAddress func(ip netip.Addr, host string, info *whois.Info)
 }
 
-// type check
-var _ client.AddressUpdater = (*AddressUpdater)(nil)
-
 // UpdateAddress implements the [client.AddressUpdater] interface for
 // *AddressUpdater.
 func (p *AddressUpdater) UpdateAddress(ip netip.Addr, host string, info *whois.Info) {

internal/aghtest/interface_test.go

@@ -2,6 +2,7 @@ package aghtest_test
 
 import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/client"
 	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 )
@@ -13,3 +14,13 @@ var _ filtering.Resolver = (*aghtest.Resolver)(nil)
 
 // type check
 var _ dnsforward.ClientsContainer = (*aghtest.ClientsContainer)(nil)
+
+// type check
+//
+// TODO(s.chzhen):  It's here to avoid the import cycle.  Remove it.
+var _ client.AddressProcessor = (*aghtest.AddressProcessor)(nil)
+
+// type check
+//
+// TODO(s.chzhen):  It's here to avoid the import cycle.  Remove it.
+var _ client.AddressUpdater = (*aghtest.AddressUpdater)(nil)

internal/arpdb/arpdb.go

@@ -7,13 +7,14 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"sync"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
-	"golang.org/x/exp/slices"
+	"github.com/AdguardTeam/golibs/osutil"
 )
 
 // Variables and functions to substitute in tests.
@@ -22,7 +23,7 @@ var (
 	aghosRunCommand = aghos.RunCommand
 
 	// rootDirFS is the filesystem pointing to the root directory.
-	rootDirFS = aghos.RootDirFS()
+	rootDirFS = osutil.RootDirFS()
 )
 
 // Interface stores and refreshes the network neighborhood reported by ARP

internal/client/index.go

@@ -0,0 +1,249 @@
+package client
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
+)
+
+// macKey contains MAC as byte array of 6, 8, or 20 bytes.
+type macKey any
+
+// macToKey converts mac into key of type macKey, which is used as the key of
+// the [clientIndex.macToUID].  mac must be valid MAC address.
+func macToKey(mac net.HardwareAddr) (key macKey) {
+	switch len(mac) {
+	case 6:
+		return [6]byte(mac)
+	case 8:
+		return [8]byte(mac)
+	case 20:
+		return [20]byte(mac)
+	default:
+		panic(fmt.Errorf("invalid mac address %#v", mac))
+	}
+}
+
+// Index stores all information about persistent clients.
+type Index struct {
+	// clientIDToUID maps client ID to UID.
+	clientIDToUID map[string]UID
+
+	// ipToUID maps IP address to UID.
+	ipToUID map[netip.Addr]UID
+
+	// macToUID maps MAC address to UID.
+	macToUID map[macKey]UID
+
+	// uidToClient maps UID to the persistent client.
+	uidToClient map[UID]*Persistent
+
+	// subnetToUID maps subnet to UID.
+	subnetToUID aghalg.SortedMap[netip.Prefix, UID]
+}
+
+// NewIndex initializes the new instance of client index.
+func NewIndex() (ci *Index) {
+	return &Index{
+		clientIDToUID: map[string]UID{},
+		ipToUID:       map[netip.Addr]UID{},
+		subnetToUID:   aghalg.NewSortedMap[netip.Prefix, UID](subnetCompare),
+		macToUID:      map[macKey]UID{},
+		uidToClient:   map[UID]*Persistent{},
+	}
+}
+
+// Add stores information about a persistent client in the index.  c must be
+// non-nil and contain UID.
+func (ci *Index) Add(c *Persistent) {
+	if (c.UID == UID{}) {
+		panic("client must contain uid")
+	}
+
+	for _, id := range c.ClientIDs {
+		ci.clientIDToUID[id] = c.UID
+	}
+
+	for _, ip := range c.IPs {
+		ci.ipToUID[ip] = c.UID
+	}
+
+	for _, pref := range c.Subnets {
+		ci.subnetToUID.Set(pref, c.UID)
+	}
+
+	for _, mac := range c.MACs {
+		k := macToKey(mac)
+		ci.macToUID[k] = c.UID
+	}
+
+	ci.uidToClient[c.UID] = c
+}
+
+// Clashes returns an error if the index contains a different persistent client
+// with at least a single identifier contained by c.  c must be non-nil.
+func (ci *Index) Clashes(c *Persistent) (err error) {
+	for _, id := range c.ClientIDs {
+		existing, ok := ci.clientIDToUID[id]
+		if ok && existing != c.UID {
+			p := ci.uidToClient[existing]
+
+			return fmt.Errorf("another client %q uses the same ID %q", p.Name, id)
+		}
+	}
+
+	p, ip := ci.clashesIP(c)
+	if p != nil {
+		return fmt.Errorf("another client %q uses the same IP %q", p.Name, ip)
+	}
+
+	p, s := ci.clashesSubnet(c)
+	if p != nil {
+		return fmt.Errorf("another client %q uses the same subnet %q", p.Name, s)
+	}
+
+	p, mac := ci.clashesMAC(c)
+	if p != nil {
+		return fmt.Errorf("another client %q uses the same MAC %q", p.Name, mac)
+	}
+
+	return nil
+}
+
+// clashesIP returns a previous client with the same IP address as c.  c must be
+// non-nil.
+func (ci *Index) clashesIP(c *Persistent) (p *Persistent, ip netip.Addr) {
+	for _, ip := range c.IPs {
+		existing, ok := ci.ipToUID[ip]
+		if ok && existing != c.UID {
+			return ci.uidToClient[existing], ip
+		}
+	}
+
+	return nil, netip.Addr{}
+}
+
+// clashesSubnet returns a previous client with the same subnet as c.  c must be
+// non-nil.
+func (ci *Index) clashesSubnet(c *Persistent) (p *Persistent, s netip.Prefix) {
+	for _, s = range c.Subnets {
+		var existing UID
+		var ok bool
+
+		ci.subnetToUID.Range(func(p netip.Prefix, uid UID) (cont bool) {
+			if s == p {
+				existing = uid
+				ok = true
+
+				return false
+			}
+
+			return true
+		})
+
+		if ok && existing != c.UID {
+			return ci.uidToClient[existing], s
+		}
+	}
+
+	return nil, netip.Prefix{}
+}
+
+// clashesMAC returns a previous client with the same MAC address as c.  c must
+// be non-nil.
+func (ci *Index) clashesMAC(c *Persistent) (p *Persistent, mac net.HardwareAddr) {
+	for _, mac = range c.MACs {
+		k := macToKey(mac)
+		existing, ok := ci.macToUID[k]
+		if ok && existing != c.UID {
+			return ci.uidToClient[existing], mac
+		}
+	}
+
+	return nil, nil
+}
+
+// Find finds persistent client by string representation of the client ID, IP
+// address, or MAC.
+func (ci *Index) Find(id string) (c *Persistent, ok bool) {
+	uid, found := ci.clientIDToUID[id]
+	if found {
+		return ci.uidToClient[uid], true
+	}
+
+	ip, err := netip.ParseAddr(id)
+	if err == nil {
+		// MAC addresses can be successfully parsed as IP addresses.
+		c, found = ci.findByIP(ip)
+		if found {
+			return c, true
+		}
+	}
+
+	mac, err := net.ParseMAC(id)
+	if err == nil {
+		return ci.findByMAC(mac)
+	}
+
+	return nil, false
+}
+
+// find finds persistent client by IP address.
+func (ci *Index) findByIP(ip netip.Addr) (c *Persistent, found bool) {
+	uid, found := ci.ipToUID[ip]
+	if found {
+		return ci.uidToClient[uid], true
+	}
+
+	ci.subnetToUID.Range(func(pref netip.Prefix, id UID) (cont bool) {
+		if pref.Contains(ip) {
+			uid, found = id, true
+
+			return false
+		}
+
+		return true
+	})
+
+	if found {
+		return ci.uidToClient[uid], true
+	}
+
+	return nil, false
+}
+
+// find finds persistent client by MAC.
+func (ci *Index) findByMAC(mac net.HardwareAddr) (c *Persistent, found bool) {
+	k := macToKey(mac)
+	uid, found := ci.macToUID[k]
+	if found {
+		return ci.uidToClient[uid], true
+	}
+
+	return nil, false
+}
+
+// Delete removes information about persistent client from the index.  c must be
+// non-nil.
+func (ci *Index) Delete(c *Persistent) {
+	for _, id := range c.ClientIDs {
+		delete(ci.clientIDToUID, id)
+	}
+
+	for _, ip := range c.IPs {
+		delete(ci.ipToUID, ip)
+	}
+
+	for _, pref := range c.Subnets {
+		ci.subnetToUID.Del(pref)
+	}
+
+	for _, mac := range c.MACs {
+		k := macToKey(mac)
+		delete(ci.macToUID, k)
+	}
+
+	delete(ci.uidToClient, c.UID)
+}

internal/client/index_internal_test.go

@@ -0,0 +1,223 @@
+package client
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// newIDIndex is a helper function that returns a client index filled with
+// persistent clients from the m.  It also generates a UID for each client.
+func newIDIndex(m []*Persistent) (ci *Index) {
+	ci = NewIndex()
+
+	for _, c := range m {
+		c.UID = MustNewUID()
+		ci.Add(c)
+	}
+
+	return ci
+}
+
+func TestClientIndex(t *testing.T) {
+	const (
+		cliIPNone = "1.2.3.4"
+		cliIP1    = "1.1.1.1"
+		cliIP2    = "2.2.2.2"
+
+		cliIPv6 = "1:2:3::4"
+
+		cliSubnet   = "2.2.2.0/24"
+		cliSubnetIP = "2.2.2.222"
+
+		cliID  = "client-id"
+		cliMAC = "11:11:11:11:11:11"
+	)
+
+	clients := []*Persistent{{
+		Name: "client1",
+		IPs: []netip.Addr{
+			netip.MustParseAddr(cliIP1),
+			netip.MustParseAddr(cliIPv6),
+		},
+	}, {
+		Name:    "client2",
+		IPs:     []netip.Addr{netip.MustParseAddr(cliIP2)},
+		Subnets: []netip.Prefix{netip.MustParsePrefix(cliSubnet)},
+	}, {
+		Name: "client_with_mac",
+		MACs: []net.HardwareAddr{mustParseMAC(cliMAC)},
+	}, {
+		Name:      "client_with_id",
+		ClientIDs: []string{cliID},
+	}}
+
+	ci := newIDIndex(clients)
+
+	testCases := []struct {
+		want *Persistent
+		name string
+		ids  []string
+	}{{
+		name: "ipv4_ipv6",
+		ids:  []string{cliIP1, cliIPv6},
+		want: clients[0],
+	}, {
+		name: "ipv4_subnet",
+		ids:  []string{cliIP2, cliSubnetIP},
+		want: clients[1],
+	}, {
+		name: "mac",
+		ids:  []string{cliMAC},
+		want: clients[2],
+	}, {
+		name: "client_id",
+		ids:  []string{cliID},
+		want: clients[3],
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			for _, id := range tc.ids {
+				c, ok := ci.Find(id)
+				require.True(t, ok)
+
+				assert.Equal(t, tc.want, c)
+			}
+		})
+	}
+
+	t.Run("not_found", func(t *testing.T) {
+		_, ok := ci.Find(cliIPNone)
+		assert.False(t, ok)
+	})
+}
+
+func TestClientIndex_Clashes(t *testing.T) {
+	const (
+		cliIP1      = "1.1.1.1"
+		cliSubnet   = "2.2.2.0/24"
+		cliSubnetIP = "2.2.2.222"
+		cliID       = "client-id"
+		cliMAC      = "11:11:11:11:11:11"
+	)
+
+	clients := []*Persistent{{
+		Name: "client_with_ip",
+		IPs:  []netip.Addr{netip.MustParseAddr(cliIP1)},
+	}, {
+		Name:    "client_with_subnet",
+		Subnets: []netip.Prefix{netip.MustParsePrefix(cliSubnet)},
+	}, {
+		Name: "client_with_mac",
+		MACs: []net.HardwareAddr{mustParseMAC(cliMAC)},
+	}, {
+		Name:      "client_with_id",
+		ClientIDs: []string{cliID},
+	}}
+
+	ci := newIDIndex(clients)
+
+	testCases := []struct {
+		client *Persistent
+		name   string
+	}{{
+		name:   "ipv4",
+		client: clients[0],
+	}, {
+		name:   "subnet",
+		client: clients[1],
+	}, {
+		name:   "mac",
+		client: clients[2],
+	}, {
+		name:   "client_id",
+		client: clients[3],
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			clone := tc.client.ShallowClone()
+			clone.UID = MustNewUID()
+
+			err := ci.Clashes(clone)
+			require.Error(t, err)
+
+			ci.Delete(tc.client)
+			err = ci.Clashes(clone)
+			require.NoError(t, err)
+		})
+	}
+}
+
+// mustParseMAC is wrapper around [net.ParseMAC] that panics if there is an
+// error.
+func mustParseMAC(s string) (mac net.HardwareAddr) {
+	mac, err := net.ParseMAC(s)
+	if err != nil {
+		panic(err)
+	}
+
+	return mac
+}
+
+func TestMACToKey(t *testing.T) {
+	testCases := []struct {
+		want any
+		name string
+		in   string
+	}{{
+		name: "column6",
+		in:   "00:00:5e:00:53:01",
+		want: [6]byte(mustParseMAC("00:00:5e:00:53:01")),
+	}, {
+		name: "column8",
+		in:   "02:00:5e:10:00:00:00:01",
+		want: [8]byte(mustParseMAC("02:00:5e:10:00:00:00:01")),
+	}, {
+		name: "column20",
+		in:   "00:00:00:00:fe:80:00:00:00:00:00:00:02:00:5e:10:00:00:00:01",
+		want: [20]byte(mustParseMAC("00:00:00:00:fe:80:00:00:00:00:00:00:02:00:5e:10:00:00:00:01")),
+	}, {
+		name: "hyphen6",
+		in:   "00-00-5e-00-53-01",
+		want: [6]byte(mustParseMAC("00-00-5e-00-53-01")),
+	}, {
+		name: "hyphen8",
+		in:   "02-00-5e-10-00-00-00-01",
+		want: [8]byte(mustParseMAC("02-00-5e-10-00-00-00-01")),
+	}, {
+		name: "hyphen20",
+		in:   "00-00-00-00-fe-80-00-00-00-00-00-00-02-00-5e-10-00-00-00-01",
+		want: [20]byte(mustParseMAC("00-00-00-00-fe-80-00-00-00-00-00-00-02-00-5e-10-00-00-00-01")),
+	}, {
+		name: "dot6",
+		in:   "0000.5e00.5301",
+		want: [6]byte(mustParseMAC("0000.5e00.5301")),
+	}, {
+		name: "dot8",
+		in:   "0200.5e10.0000.0001",
+		want: [8]byte(mustParseMAC("0200.5e10.0000.0001")),
+	}, {
+		name: "dot20",
+		in:   "0000.0000.fe80.0000.0000.0000.0200.5e10.0000.0001",
+		want: [20]byte(mustParseMAC("0000.0000.fe80.0000.0000.0000.0200.5e10.0000.0001")),
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mac := mustParseMAC(tc.in)
+
+			key := macToKey(mac)
+			assert.Equal(t, tc.want, key)
+		})
+	}
+
+	assert.Panics(t, func() {
+		mac := net.HardwareAddr([]byte{1, 2, 3})
+		_ = macToKey(mac)
+	})
+}

internal/client/persistent.go

@@ -1,22 +1,22 @@
-package home
+package client
 
 import (
 	"encoding"
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 	"time"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering/safesearch"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/google/uuid"
-	"golang.org/x/exp/slices"
 )
 
 // UID is the type for the unique IDs of persistent clients.
@@ -30,6 +30,16 @@ func NewUID() (uid UID, err error) {
 	return UID(uuidv7), err
 }
 
+// MustNewUID is a wrapper around [NewUID] that panics if there is an error.
+func MustNewUID() (uid UID) {
+	uid, err := NewUID()
+	if err != nil {
+		panic(fmt.Errorf("unexpected uuidv7 error: %w", err))
+	}
+
+	return uid
+}
+
 // type check
 var _ encoding.TextMarshaler = UID{}
 
@@ -46,16 +56,16 @@ func (uid *UID) UnmarshalText(data []byte) error {
 	return (*uuid.UUID)(uid).UnmarshalText(data)
 }
 
-// persistentClient contains information about persistent clients.
-type persistentClient struct {
-	// upstreamConfig is the custom upstream configuration for this client.  If
+// Persistent contains information about persistent clients.
+type Persistent struct {
+	// UpstreamConfig is the custom upstream configuration for this client.  If
 	// it's nil, it has not been initialized yet.  If it's non-nil and empty,
 	// there are no valid upstreams.  If it's non-nil and non-empty, these
 	// upstream must be used.
-	upstreamConfig *proxy.CustomUpstreamConfig
+	UpstreamConfig *proxy.CustomUpstreamConfig
 
-	// TODO(d.kolyshev): Make safeSearchConf a pointer.
-	safeSearchConf filtering.SafeSearchConfig
+	// TODO(d.kolyshev): Make SafeSearchConf a pointer.
+	SafeSearchConf filtering.SafeSearchConfig
 	SafeSearch     filtering.SafeSearch
 
 	// BlockedServices is the configuration of blocked services of a client.
@@ -87,8 +97,8 @@ type persistentClient struct {
 	IgnoreStatistics      bool
 }
 
-// setTags sets the tags if they are known, otherwise logs an unknown tag.
-func (c *persistentClient) setTags(tags []string, known *stringutil.Set) {
+// SetTags sets the tags if they are known, otherwise logs an unknown tag.
+func (c *Persistent) SetTags(tags []string, known *stringutil.Set) {
 	for _, t := range tags {
 		if !known.Has(t) {
 			log.Info("skipping unknown tag %q", t)
@@ -102,9 +112,9 @@ func (c *persistentClient) setTags(tags []string, known *stringutil.Set) {
 	slices.Sort(c.Tags)
 }
 
-// setIDs parses a list of strings into typed fields and returns an error if
+// SetIDs parses a list of strings into typed fields and returns an error if
 // there is one.
-func (c *persistentClient) setIDs(ids []string) (err error) {
+func (c *Persistent) SetIDs(ids []string) (err error) {
 	for _, id := range ids {
 		err = c.setID(id)
 		if err != nil {
@@ -144,7 +154,7 @@ func subnetCompare(x, y netip.Prefix) (cmp int) {
 }
 
 // setID parses id into typed field if there is no error.
-func (c *persistentClient) setID(id string) (err error) {
+func (c *Persistent) setID(id string) (err error) {
 	if id == "" {
 		return errors.Error("clientid is empty")
 	}
@@ -170,7 +180,7 @@ func (c *persistentClient) setID(id string) (err error) {
 		return nil
 	}
 
-	err = dnsforward.ValidateClientID(id)
+	err = ValidateClientID(id)
 	if err != nil {
 		// Don't wrap the error, because it's informative enough as is.
 		return err
@@ -181,9 +191,23 @@ func (c *persistentClient) setID(id string) (err error) {
 	return nil
 }
 
-// ids returns a list of client ids containing at least one element.
-func (c *persistentClient) ids() (ids []string) {
-	ids = make([]string, 0, c.idsLen())
+// ValidateClientID returns an error if id is not a valid ClientID.
+//
+// TODO(s.chzhen):  It's an exact copy of the [dnsforward.ValidateClientID] to
+// avoid the import cycle.  Remove it.
+func ValidateClientID(id string) (err error) {
+	err = netutil.ValidateHostnameLabel(id)
+	if err != nil {
+		// Replace the domain name label wrapper with our own.
+		return fmt.Errorf("invalid clientid %q: %w", id, errors.Unwrap(err))
+	}
+
+	return nil
+}
+
+// IDs returns a list of client IDs containing at least one element.
+func (c *Persistent) IDs() (ids []string) {
+	ids = make([]string, 0, c.IDsLen())
 
 	for _, ip := range c.IPs {
 		ids = append(ids, ip.String())
@@ -200,24 +224,24 @@ func (c *persistentClient) ids() (ids []string) {
 	return append(ids, c.ClientIDs...)
 }
 
-// idsLen returns a length of client ids.
-func (c *persistentClient) idsLen() (n int) {
+// IDsLen returns a length of client ids.
+func (c *Persistent) IDsLen() (n int) {
 	return len(c.IPs) + len(c.Subnets) + len(c.MACs) + len(c.ClientIDs)
 }
 
-// equalIDs returns true if the ids of the current and previous clients are the
+// EqualIDs returns true if the ids of the current and previous clients are the
 // same.
-func (c *persistentClient) equalIDs(prev *persistentClient) (equal bool) {
+func (c *Persistent) EqualIDs(prev *Persistent) (equal bool) {
 	return slices.Equal(c.IPs, prev.IPs) &&
 		slices.Equal(c.Subnets, prev.Subnets) &&
 		slices.EqualFunc(c.MACs, prev.MACs, slices.Equal[net.HardwareAddr]) &&
 		slices.Equal(c.ClientIDs, prev.ClientIDs)
 }
 
-// shallowClone returns a deep copy of the client, except upstreamConfig,
+// ShallowClone returns a deep copy of the client, except upstreamConfig,
 // safeSearchConf, SafeSearch fields, because it's difficult to copy them.
-func (c *persistentClient) shallowClone() (clone *persistentClient) {
-	clone = &persistentClient{}
+func (c *Persistent) ShallowClone() (clone *Persistent) {
+	clone = &Persistent{}
 	*clone = *c
 
 	clone.BlockedServices = c.BlockedServices.Clone()
@@ -232,10 +256,10 @@ func (c *persistentClient) shallowClone() (clone *persistentClient) {
 	return clone
 }
 
-// closeUpstreams closes the client-specific upstream config of c if any.
-func (c *persistentClient) closeUpstreams() (err error) {
-	if c.upstreamConfig != nil {
-		if err = c.upstreamConfig.Close(); err != nil {
+// CloseUpstreams closes the client-specific upstream config of c if any.
+func (c *Persistent) CloseUpstreams() (err error) {
+	if c.UpstreamConfig != nil {
+		if err = c.UpstreamConfig.Close(); err != nil {
 			return fmt.Errorf("closing upstreams of client %q: %w", c.Name, err)
 		}
 	}
@@ -243,8 +267,8 @@ func (c *persistentClient) closeUpstreams() (err error) {
 	return nil
 }
 
-// setSafeSearch initializes and sets the safe search filter for this client.
-func (c *persistentClient) setSafeSearch(
+// SetSafeSearch initializes and sets the safe search filter for this client.
+func (c *Persistent) SetSafeSearch(
 	conf filtering.SafeSearchConfig,
 	cacheSize uint,
 	cacheTTL time.Duration,

internal/client/persistent_internal_test.go

@@ -1,4 +1,4 @@
-package home
+package client
 
 import (
 	"testing"
@@ -27,10 +27,10 @@ func TestPersistentClient_EqualIDs(t *testing.T) {
 	)
 
 	testCases := []struct {
+		want    assert.BoolAssertionFunc
 		name    string
 		ids     []string
 		prevIDs []string
-		want    assert.BoolAssertionFunc
 	}{{
 		name:    "single_ip",
 		ids:     []string{ip1},
@@ -110,15 +110,15 @@ func TestPersistentClient_EqualIDs(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			c := &persistentClient{}
-			err := c.setIDs(tc.ids)
+			c := &Persistent{}
+			err := c.SetIDs(tc.ids)
 			require.NoError(t, err)
 
-			prev := &persistentClient{}
-			err = prev.setIDs(tc.prevIDs)
+			prev := &Persistent{}
+			err = prev.SetIDs(tc.prevIDs)
 			require.NoError(t, err)
 
-			tc.want(t, c.equalIDs(prev))
+			tc.want(t, c.EqualIDs(prev))
 		})
 	}
 }

internal/dhcpd/db.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -15,7 +16,6 @@ import (
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/google/renameio/v2/maybe"
-	"golang.org/x/exp/slices"
 )
 
 const (

internal/dhcpd/dhcpd_unix_test.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"path/filepath"
+	"slices"
 	"testing"
 	"time"
 
@@ -13,7 +14,6 @@ import (
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/exp/slices"
 )
 
 func TestMain(m *testing.M) {

internal/dhcpd/http_unix.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/netip"
 	"os"
+	"slices"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
@@ -19,7 +20,6 @@ import (
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
-	"golang.org/x/exp/slices"
 )
 
 type v4ServerConfJSON struct {
@@ -592,7 +592,7 @@ func setOtherDHCPResult(ifaceName string, result *dhcpSearchResult) {
 }
 
 // parseLease parses a lease from r.  If there is no error returns DHCPServer
-// and *Lease. r must be non-nil.
+// and *Lease.  r must be non-nil.
 func (s *server) parseLease(r io.Reader) (srv DHCPServer, lease *dhcpsvc.Lease, err error) {
 	l := &leaseStatic{}
 	err = json.NewDecoder(r).Decode(l)

internal/dhcpd/v4_unix.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -20,7 +21,6 @@ import (
 	"github.com/go-ping/ping"
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	"github.com/insomniacslk/dhcp/dhcpv4/server4"
-	"golang.org/x/exp/slices"
 )
 
 // v4Server is a DHCPv4 server.

internal/dhcpsvc/config.go

@@ -2,11 +2,11 @@ package dhcpsvc
 
 import (
 	"fmt"
+	"slices"
 	"time"
 
 	"github.com/AdguardTeam/golibs/netutil"
 	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 )
 
 // Config is the configuration for the DHCP service.
@@ -19,6 +19,8 @@ type Config struct {
 	// clients' hostnames.
 	LocalDomainName string
 
+	// TODO(e.burkov):  Add DB path.
+
 	// ICMPTimeout is the timeout for checking another DHCP server's presence.
 	ICMPTimeout time.Duration
 
@@ -68,12 +70,6 @@ func (conf *Config) Validate() (err error) {
 	return nil
 }
 
-// newMustErr returns an error that indicates that valName must be as must
-// describes.
-func newMustErr(valName, must string, val fmt.Stringer) (err error) {
-	return fmt.Errorf("%s %s must %s", valName, val, must)
-}
-
 // validate returns an error in ic, if any.
 func (ic *InterfaceConfig) validate() (err error) {
 	if ic == nil {

internal/dhcpsvc/dhcpsvc.go

@@ -7,48 +7,16 @@ import (
 	"context"
 	"net"
 	"net/netip"
-	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"golang.org/x/exp/slices"
 )
 
-// Lease is a DHCP lease.
+// Interface is a DHCP service.
 //
-// TODO(e.burkov):  Consider moving it to [agh], since it also may be needed in
-// [websvc].
-type Lease struct {
-	// IP is the IP address leased to the client.
-	IP netip.Addr
-
-	// Expiry is the expiration time of the lease.
-	Expiry time.Time
-
-	// Hostname of the client.
-	Hostname string
-
-	// HWAddr is the physical hardware address (MAC address).
-	HWAddr net.HardwareAddr
-
-	// IsStatic defines if the lease is static.
-	IsStatic bool
-}
-
-// Clone returns a deep copy of l.
-func (l *Lease) Clone() (clone *Lease) {
-	if l == nil {
-		return nil
-	}
-
-	return &Lease{
-		Expiry:   l.Expiry,
-		Hostname: l.Hostname,
-		HWAddr:   slices.Clone(l.HWAddr),
-		IP:       l.IP,
-		IsStatic: l.IsStatic,
-	}
-}
-
+// TODO(e.burkov):  Separate HostByIP, MACByIP, IPByHost into a separate
+// interface.  This is also applicable to Enabled method.
+//
+// TODO(e.burkov):  Reconsider the requirements for the leases validity.
 type Interface interface {
 	agh.ServiceWithConfig[*Config]
 
@@ -63,6 +31,8 @@ type Interface interface {
 	// MACByIP returns the MAC address for the given IP address leased.  It
 	// returns nil if there is no such client, due to an assumption that a DHCP
 	// client must always have a MAC address.
+	//
+	// TODO(e.burkov):  Think of a contract for the returned value.
 	MACByIP(ip netip.Addr) (mac net.HardwareAddr)
 
 	// IPByHost returns the IP address of the DHCP client with the given
@@ -71,26 +41,29 @@ type Interface interface {
 	// hostname, either set or generated.
 	IPByHost(host string) (ip netip.Addr)
 
-	// Leases returns all the active DHCP leases.
+	// Leases returns all the active DHCP leases.  The returned slice should be
+	// a clone.
 	//
 	// TODO(e.burkov):  Consider implementing iterating methods with appropriate
 	// signatures instead of cloning the whole list.
 	Leases() (ls []*Lease)
 
-	// AddLease adds a new DHCP lease.  It returns an error if the lease is
-	// invalid or already exists.
+	// AddLease adds a new DHCP lease.  l must be valid.  It returns an error if
+	// l already exists.
 	AddLease(l *Lease) (err error)
 
-	// UpdateStaticLease changes an existing DHCP lease.  It returns an error if
-	// there is no lease with such hardware addressor if new values are invalid
-	// or already exist.
+	// UpdateStaticLease replaces an existing static DHCP lease.  l must be
+	// valid.  It returns an error if the lease with the given hardware address
+	// doesn't exist or if other values match another existing lease.
 	UpdateStaticLease(l *Lease) (err error)
 
-	// RemoveLease removes an existing DHCP lease.  It returns an error if there
-	// is no lease equal to l.
+	// RemoveLease removes an existing DHCP lease.  l must be valid.  It returns
+	// an error if there is no lease equal to l.
 	RemoveLease(l *Lease) (err error)
 
 	// Reset removes all the DHCP leases.
+	//
+	// TODO(e.burkov):  If it's really needed?
 	Reset() (err error)
 }
 

internal/dhcpsvc/errors.go

@@ -1,6 +1,10 @@
 package dhcpsvc
 
-import "github.com/AdguardTeam/golibs/errors"
+import (
+	"fmt"
+
+	"github.com/AdguardTeam/golibs/errors"
+)
 
 const (
 	// errNilConfig is returned when a nil config met.
@@ -9,3 +13,9 @@ const (
 	// errNoInterfaces is returned when no interfaces found in configuration.
 	errNoInterfaces errors.Error = "no interfaces specified"
 )
+
+// newMustErr returns an error that indicates that valName must be as must
+// describes.
+func newMustErr(valName, must string, val fmt.Stringer) (err error) {
+	return fmt.Errorf("%s %s must %s", valName, val, must)
+}

internal/dhcpsvc/interface.go

@@ -0,0 +1,66 @@
+package dhcpsvc
+
+import (
+	"fmt"
+	"slices"
+	"time"
+)
+
+// netInterface is a common part of any network interface within the DHCP
+// server.
+//
+// TODO(e.burkov):  Add other methods as [DHCPServer] evolves.
+type netInterface struct {
+	// name is the name of the network interface.
+	name string
+
+	// leases is a set of leases sorted by hardware address.
+	leases []*Lease
+
+	// leaseTTL is the default Time-To-Live value for leases.
+	leaseTTL time.Duration
+}
+
+// reset clears all the slices in iface for reuse.
+func (iface *netInterface) reset() {
+	iface.leases = iface.leases[:0]
+}
+
+// insertLease inserts the given lease into iface.  It returns an error if the
+// lease can't be inserted.
+func (iface *netInterface) insertLease(l *Lease) (err error) {
+	i, found := slices.BinarySearchFunc(iface.leases, l, compareLeaseMAC)
+	if found {
+		return fmt.Errorf("lease for mac %s already exists", l.HWAddr)
+	}
+
+	iface.leases = slices.Insert(iface.leases, i, l)
+
+	return nil
+}
+
+// updateLease replaces an existing lease within iface with the given one.  It
+// returns an error if there is no lease with such hardware address.
+func (iface *netInterface) updateLease(l *Lease) (prev *Lease, err error) {
+	i, found := slices.BinarySearchFunc(iface.leases, l, compareLeaseMAC)
+	if !found {
+		return nil, fmt.Errorf("no lease for mac %s", l.HWAddr)
+	}
+
+	prev, iface.leases[i] = iface.leases[i], l
+
+	return prev, nil
+}
+
+// removeLease removes an existing lease from iface.  It returns an error if
+// there is no lease equal to l.
+func (iface *netInterface) removeLease(l *Lease) (err error) {
+	i, found := slices.BinarySearchFunc(iface.leases, l, compareLeaseMAC)
+	if !found {
+		return fmt.Errorf("no lease for mac %s", l.HWAddr)
+	}
+
+	iface.leases = slices.Delete(iface.leases, i, i+1)
+
+	return nil
+}

internal/dhcpsvc/lease.go

@@ -0,0 +1,52 @@
+package dhcpsvc
+
+import (
+	"bytes"
+	"net"
+	"net/netip"
+	"slices"
+	"time"
+)
+
+// Lease is a DHCP lease.
+//
+// TODO(e.burkov):  Consider moving it to [agh], since it also may be needed in
+// [websvc].
+//
+// TODO(e.burkov):  Add validation method.
+type Lease struct {
+	// IP is the IP address leased to the client.
+	IP netip.Addr
+
+	// Expiry is the expiration time of the lease.
+	Expiry time.Time
+
+	// Hostname of the client.
+	Hostname string
+
+	// HWAddr is the physical hardware address (MAC address).
+	HWAddr net.HardwareAddr
+
+	// IsStatic defines if the lease is static.
+	IsStatic bool
+}
+
+// Clone returns a deep copy of l.
+func (l *Lease) Clone() (clone *Lease) {
+	if l == nil {
+		return nil
+	}
+
+	return &Lease{
+		Expiry:   l.Expiry,
+		Hostname: l.Hostname,
+		HWAddr:   slices.Clone(l.HWAddr),
+		IP:       l.IP,
+		IsStatic: l.IsStatic,
+	}
+}
+
+// compareLeaseMAC compares two [Lease]s by hardware address.
+func compareLeaseMAC(a, b *Lease) (res int) {
+	return bytes.Compare(a.HWAddr, b.HWAddr)
+}

internal/dhcpsvc/leaseindex.go

@@ -0,0 +1,126 @@
+package dhcpsvc
+
+import (
+	"fmt"
+	"net/netip"
+	"slices"
+	"strings"
+)
+
+// leaseIndex is the set of leases indexed by their identifiers for quick
+// lookup.
+type leaseIndex struct {
+	// byAddr is a lookup shortcut for leases by their IP addresses.
+	byAddr map[netip.Addr]*Lease
+
+	// byName is a lookup shortcut for leases by their hostnames.
+	//
+	// TODO(e.burkov):  Use a slice of leases with the same hostname?
+	byName map[string]*Lease
+}
+
+// newLeaseIndex returns a new index for [Lease]s.
+func newLeaseIndex() *leaseIndex {
+	return &leaseIndex{
+		byAddr: map[netip.Addr]*Lease{},
+		byName: map[string]*Lease{},
+	}
+}
+
+// leaseByAddr returns a lease by its IP address.
+func (idx *leaseIndex) leaseByAddr(addr netip.Addr) (l *Lease, ok bool) {
+	l, ok = idx.byAddr[addr]
+
+	return l, ok
+}
+
+// leaseByName returns a lease by its hostname.
+func (idx *leaseIndex) leaseByName(name string) (l *Lease, ok bool) {
+	// TODO(e.burkov):  Probably, use a case-insensitive comparison and store in
+	// slice.  This would require a benchmark.
+	l, ok = idx.byName[strings.ToLower(name)]
+
+	return l, ok
+}
+
+// clear removes all leases from idx.
+func (idx *leaseIndex) clear() {
+	clear(idx.byAddr)
+	clear(idx.byName)
+}
+
+// add adds l into idx and into iface.  l must be valid, iface should be
+// responsible for l's IP.  It returns an error if l duplicates at least a
+// single value of another lease.
+func (idx *leaseIndex) add(l *Lease, iface *netInterface) (err error) {
+	loweredName := strings.ToLower(l.Hostname)
+
+	if _, ok := idx.byAddr[l.IP]; ok {
+		return fmt.Errorf("lease for ip %s already exists", l.IP)
+	} else if _, ok = idx.byName[loweredName]; ok {
+		return fmt.Errorf("lease for hostname %s already exists", l.Hostname)
+	}
+
+	err = iface.insertLease(l)
+	if err != nil {
+		return err
+	}
+
+	idx.byAddr[l.IP] = l
+	idx.byName[loweredName] = l
+
+	return nil
+}
+
+// remove removes l from idx and from iface.  l must be valid, iface should
+// contain the same lease or the lease itself.  It returns an error if the lease
+// not found.
+func (idx *leaseIndex) remove(l *Lease, iface *netInterface) (err error) {
+	loweredName := strings.ToLower(l.Hostname)
+
+	if _, ok := idx.byAddr[l.IP]; !ok {
+		return fmt.Errorf("no lease for ip %s", l.IP)
+	} else if _, ok = idx.byName[loweredName]; !ok {
+		return fmt.Errorf("no lease for hostname %s", l.Hostname)
+	}
+
+	err = iface.removeLease(l)
+	if err != nil {
+		return err
+	}
+
+	delete(idx.byAddr, l.IP)
+	delete(idx.byName, loweredName)
+
+	return nil
+}
+
+// update updates l in idx and in iface.  l must be valid, iface should be
+// responsible for l's IP.  It returns an error if l duplicates at least a
+// single value of another lease, except for the updated lease itself.
+func (idx *leaseIndex) update(l *Lease, iface *netInterface) (err error) {
+	loweredName := strings.ToLower(l.Hostname)
+
+	existing, ok := idx.byAddr[l.IP]
+	if ok && !slices.Equal(l.HWAddr, existing.HWAddr) {
+		return fmt.Errorf("lease for ip %s already exists", l.IP)
+	}
+
+	existing, ok = idx.byName[loweredName]
+	if ok && !slices.Equal(l.HWAddr, existing.HWAddr) {
+		return fmt.Errorf("lease for hostname %s already exists", l.Hostname)
+	}
+
+	prev, err := iface.updateLease(l)
+	if err != nil {
+		return err
+	}
+
+	delete(idx.byAddr, prev.IP)
+	delete(idx.byName, strings.ToLower(prev.Hostname))
+
+	idx.byAddr[l.IP] = l
+	idx.byName[loweredName] = l
+
+	return nil
+}

internal/dhcpsvc/server.go

@@ -2,11 +2,15 @@ package dhcpsvc
 
 import (
 	"fmt"
+	"net"
+	"net/netip"
+	"slices"
+	"sync"
 	"sync/atomic"
 	"time"
 
+	"github.com/AdguardTeam/golibs/errors"
 	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 )
 
 // DHCPServer is a DHCP server for both IPv4 and IPv6 address families.
@@ -15,18 +19,21 @@ type DHCPServer struct {
 	// information about its clients.
 	enabled *atomic.Bool
 
-	// localTLD is the top-level domain name to use for resolving DHCP
-	// clients' hostnames.
+	// localTLD is the top-level domain name to use for resolving DHCP clients'
+	// hostnames.
 	localTLD string
 
+	// leasesMu protects the leases index as well as leases in the interfaces.
+	leasesMu *sync.RWMutex
+
+	// leases stores the DHCP leases for quick lookups.
+	leases *leaseIndex
+
 	// interfaces4 is the set of IPv4 interfaces sorted by interface name.
-	interfaces4 []*iface4
+	interfaces4 netInterfacesV4
 
 	// interfaces6 is the set of IPv6 interfaces sorted by interface name.
-	interfaces6 []*iface6
-
-	// leases is the set of active DHCP leases.
-	leases []*Lease
+	interfaces6 netInterfacesV6
 
 	// icmpTimeout is the timeout for checking another DHCP server's presence.
 	icmpTimeout time.Duration
@@ -42,26 +49,27 @@ func New(conf *Config) (srv *DHCPServer, err error) {
 		return nil, nil
 	}
 
-	ifaces4 := make([]*iface4, len(conf.Interfaces))
-	ifaces6 := make([]*iface6, len(conf.Interfaces))
+	// TODO(e.burkov):  Add validations scoped to the network interfaces set.
+	ifaces4 := make(netInterfacesV4, 0, len(conf.Interfaces))
+	ifaces6 := make(netInterfacesV6, 0, len(conf.Interfaces))
 
 	ifaceNames := maps.Keys(conf.Interfaces)
 	slices.Sort(ifaceNames)
 
-	var i4 *iface4
-	var i6 *iface6
+	var i4 *netInterfaceV4
+	var i6 *netInterfaceV6
 
 	for _, ifaceName := range ifaceNames {
 		iface := conf.Interfaces[ifaceName]
 
-		i4, err = newIface4(ifaceName, iface.IPv4)
+		i4, err = newNetInterfaceV4(ifaceName, iface.IPv4)
 		if err != nil {
 			return nil, fmt.Errorf("interface %q: ipv4: %w", ifaceName, err)
 		} else if i4 != nil {
 			ifaces4 = append(ifaces4, i4)
 		}
 
-		i6 = newIface6(ifaceName, iface.IPv6)
+		i6 = newNetInterfaceV6(ifaceName, iface.IPv6)
 		if i6 != nil {
 			ifaces6 = append(ifaces6, i6)
 		}
@@ -70,13 +78,19 @@ func New(conf *Config) (srv *DHCPServer, err error) {
 	enabled := &atomic.Bool{}
 	enabled.Store(conf.Enabled)
 
-	return &DHCPServer{
+	srv = &DHCPServer{
 		enabled:     enabled,
+		localTLD:    conf.LocalDomainName,
+		leasesMu:    &sync.RWMutex{},
+		leases:      newLeaseIndex(),
 		interfaces4: ifaces4,
 		interfaces6: ifaces6,
-		localTLD:    conf.LocalDomainName,
 		icmpTimeout: conf.ICMPTimeout,
-	}, nil
+	}
+
+	// TODO(e.burkov):  Load leases.
+
+	return srv, nil
 }
 
 // type check
@@ -91,10 +105,140 @@ func (srv *DHCPServer) Enabled() (ok bool) {
 
 // Leases implements the [Interface] interface for *DHCPServer.
 func (srv *DHCPServer) Leases() (leases []*Lease) {
-	leases = make([]*Lease, 0, len(srv.leases))
-	for _, lease := range srv.leases {
-		leases = append(leases, lease.Clone())
+	srv.leasesMu.RLock()
+	defer srv.leasesMu.RUnlock()
+
+	for _, iface := range srv.interfaces4 {
+		for _, lease := range iface.leases {
+			leases = append(leases, lease.Clone())
+		}
+	}
+	for _, iface := range srv.interfaces6 {
+		for _, lease := range iface.leases {
+			leases = append(leases, lease.Clone())
+		}
 	}
 
 	return leases
 }
+
+// HostByIP implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) HostByIP(ip netip.Addr) (host string) {
+	srv.leasesMu.RLock()
+	defer srv.leasesMu.RUnlock()
+
+	if l, ok := srv.leases.leaseByAddr(ip); ok {
+		return l.Hostname
+	}
+
+	return ""
+}
+
+// MACByIP implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) MACByIP(ip netip.Addr) (mac net.HardwareAddr) {
+	srv.leasesMu.RLock()
+	defer srv.leasesMu.RUnlock()
+
+	if l, ok := srv.leases.leaseByAddr(ip); ok {
+		return l.HWAddr
+	}
+
+	return nil
+}
+
+// IPByHost implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) IPByHost(host string) (ip netip.Addr) {
+	srv.leasesMu.RLock()
+	defer srv.leasesMu.RUnlock()
+
+	if l, ok := srv.leases.leaseByName(host); ok {
+		return l.IP
+	}
+
+	return netip.Addr{}
+}
+
+// Reset implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) Reset() (err error) {
+	srv.leasesMu.Lock()
+	defer srv.leasesMu.Unlock()
+
+	for _, iface := range srv.interfaces4 {
+		iface.reset()
+	}
+	for _, iface := range srv.interfaces6 {
+		iface.reset()
+	}
+	srv.leases.clear()
+
+	return nil
+}
+
+// AddLease implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) AddLease(l *Lease) (err error) {
+	defer func() { err = errors.Annotate(err, "adding lease: %w") }()
+
+	addr := l.IP
+	iface, err := srv.ifaceForAddr(addr)
+	if err != nil {
+		// Don't wrap the error since there is already an annotation deferred.
+		return err
+	}
+
+	srv.leasesMu.Lock()
+	defer srv.leasesMu.Unlock()
+
+	return srv.leases.add(l, iface)
+}
+
+// UpdateStaticLease implements the [Interface] interface for *DHCPServer.
+//
+// TODO(e.burkov):  Support moving leases between interfaces.
+func (srv *DHCPServer) UpdateStaticLease(l *Lease) (err error) {
+	defer func() { err = errors.Annotate(err, "updating static lease: %w") }()
+
+	addr := l.IP
+	iface, err := srv.ifaceForAddr(addr)
+	if err != nil {
+		// Don't wrap the error since there is already an annotation deferred.
+		return err
+	}
+
+	srv.leasesMu.Lock()
+	defer srv.leasesMu.Unlock()
+
+	return srv.leases.update(l, iface)
+}
+
+// RemoveLease implements the [Interface] interface for *DHCPServer.
+func (srv *DHCPServer) RemoveLease(l *Lease) (err error) {
+	defer func() { err = errors.Annotate(err, "removing lease: %w") }()
+
+	addr := l.IP
+	iface, err := srv.ifaceForAddr(addr)
+	if err != nil {
+		// Don't wrap the error since there is already an annotation deferred.
+		return err
+	}
+
+	srv.leasesMu.Lock()
+	defer srv.leasesMu.Unlock()
+
+	return srv.leases.remove(l, iface)
+}
+
+// ifaceForAddr returns the handled network interface for the given IP address,
+// or an error if no such interface exists.
+func (srv *DHCPServer) ifaceForAddr(addr netip.Addr) (iface *netInterface, err error) {
+	var ok bool
+	if addr.Is4() {
+		iface, ok = srv.interfaces4.find(addr)
+	} else {
+		iface, ok = srv.interfaces6.find(addr)
+	}
+	if !ok {
+		return nil, fmt.Errorf("no interface for ip %s", addr)
+	}
+
+	return iface, nil
+}

internal/dhcpsvc/server_test.go

@@ -1,17 +1,67 @@
 package dhcpsvc_test
 
 import (
+	"net"
 	"net/netip"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/dhcpsvc"
 	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 // testLocalTLD is a common local TLD for tests.
 const testLocalTLD = "local"
 
+// testInterfaceConf is a common set of interface configurations for tests.
+var testInterfaceConf = map[string]*dhcpsvc.InterfaceConfig{
+	"eth0": {
+		IPv4: &dhcpsvc.IPv4Config{
+			Enabled:       true,
+			GatewayIP:     netip.MustParseAddr("192.168.0.1"),
+			SubnetMask:    netip.MustParseAddr("255.255.255.0"),
+			RangeStart:    netip.MustParseAddr("192.168.0.2"),
+			RangeEnd:      netip.MustParseAddr("192.168.0.254"),
+			LeaseDuration: 1 * time.Hour,
+		},
+		IPv6: &dhcpsvc.IPv6Config{
+			Enabled:       true,
+			RangeStart:    netip.MustParseAddr("2001:db8::1"),
+			LeaseDuration: 1 * time.Hour,
+			RAAllowSLAAC:  true,
+			RASLAACOnly:   true,
+		},
+	},
+	"eth1": {
+		IPv4: &dhcpsvc.IPv4Config{
+			Enabled:       true,
+			GatewayIP:     netip.MustParseAddr("172.16.0.1"),
+			SubnetMask:    netip.MustParseAddr("255.255.255.0"),
+			RangeStart:    netip.MustParseAddr("172.16.0.2"),
+			RangeEnd:      netip.MustParseAddr("172.16.0.255"),
+			LeaseDuration: 1 * time.Hour,
+		},
+		IPv6: &dhcpsvc.IPv6Config{
+			Enabled:       true,
+			RangeStart:    netip.MustParseAddr("2001:db9::1"),
+			LeaseDuration: 1 * time.Hour,
+			RAAllowSLAAC:  true,
+			RASLAACOnly:   true,
+		},
+	},
+}
+
+// mustParseMAC parses a hardware address from s and requires no errors.
+func mustParseMAC(t require.TestingT, s string) (mac net.HardwareAddr) {
+	mac, err := net.ParseMAC(s)
+	require.NoError(t, err)
+
+	return mac
+}
+
 func TestNew(t *testing.T) {
 	validIPv4Conf := &dhcpsvc.IPv4Config{
 		Enabled:       true,
@@ -113,3 +163,433 @@ func TestNew(t *testing.T) {
 		})
 	}
 }
+
+func TestDHCPServer_AddLease(t *testing.T) {
+	srv, err := dhcpsvc.New(&dhcpsvc.Config{
+		Enabled:         true,
+		LocalDomainName: testLocalTLD,
+		Interfaces:      testInterfaceConf,
+	})
+	require.NoError(t, err)
+
+	const (
+		host1 = "host1"
+		host2 = "host2"
+		host3 = "host3"
+	)
+
+	ip1 := netip.MustParseAddr("192.168.0.2")
+	ip2 := netip.MustParseAddr("192.168.0.3")
+	ip3 := netip.MustParseAddr("2001:db8::2")
+
+	mac1 := mustParseMAC(t, "01:02:03:04:05:06")
+	mac2 := mustParseMAC(t, "06:05:04:03:02:01")
+	mac3 := mustParseMAC(t, "02:03:04:05:06:07")
+
+	require.NoError(t, srv.AddLease(&dhcpsvc.Lease{
+		Hostname: host1,
+		IP:       ip1,
+		HWAddr:   mac1,
+		IsStatic: true,
+	}))
+
+	testCases := []struct {
+		name       string
+		lease      *dhcpsvc.Lease
+		wantErrMsg string
+	}{{
+		name: "outside_range",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       netip.MustParseAddr("1.2.3.4"),
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "adding lease: no interface for ip 1.2.3.4",
+	}, {
+		name: "duplicate_ip",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       ip1,
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "adding lease: lease for ip " + ip1.String() +
+			" already exists",
+	}, {
+		name: "duplicate_hostname",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       ip2,
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "adding lease: lease for hostname " + host1 +
+			" already exists",
+	}, {
+		name: "duplicate_hostname_case",
+		lease: &dhcpsvc.Lease{
+			Hostname: strings.ToUpper(host1),
+			IP:       ip2,
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "adding lease: lease for hostname " +
+			strings.ToUpper(host1) + " already exists",
+	}, {
+		name: "duplicate_mac",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       ip2,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "adding lease: lease for mac " + mac1.String() +
+			" already exists",
+	}, {
+		name: "valid",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       ip2,
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "",
+	}, {
+		name: "valid_v6",
+		lease: &dhcpsvc.Lease{
+			Hostname: host3,
+			IP:       ip3,
+			HWAddr:   mac3,
+		},
+		wantErrMsg: "",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, srv.AddLease(tc.lease))
+		})
+	}
+}
+
+func TestDHCPServer_index(t *testing.T) {
+	srv, err := dhcpsvc.New(&dhcpsvc.Config{
+		Enabled:         true,
+		LocalDomainName: testLocalTLD,
+		Interfaces:      testInterfaceConf,
+	})
+	require.NoError(t, err)
+
+	const (
+		host1 = "host1"
+		host2 = "host2"
+		host3 = "host3"
+		host4 = "host4"
+		host5 = "host5"
+	)
+
+	ip1 := netip.MustParseAddr("192.168.0.2")
+	ip2 := netip.MustParseAddr("192.168.0.3")
+	ip3 := netip.MustParseAddr("172.16.0.3")
+	ip4 := netip.MustParseAddr("172.16.0.4")
+
+	mac1 := mustParseMAC(t, "01:02:03:04:05:06")
+	mac2 := mustParseMAC(t, "06:05:04:03:02:01")
+	mac3 := mustParseMAC(t, "02:03:04:05:06:07")
+
+	leases := []*dhcpsvc.Lease{{
+		Hostname: host1,
+		IP:       ip1,
+		HWAddr:   mac1,
+		IsStatic: true,
+	}, {
+		Hostname: host2,
+		IP:       ip2,
+		HWAddr:   mac2,
+		IsStatic: true,
+	}, {
+		Hostname: host3,
+		IP:       ip3,
+		HWAddr:   mac3,
+		IsStatic: true,
+	}, {
+		Hostname: host4,
+		IP:       ip4,
+		HWAddr:   mac1,
+		IsStatic: true,
+	}}
+	for _, l := range leases {
+		require.NoError(t, srv.AddLease(l))
+	}
+
+	t.Run("ip_idx", func(t *testing.T) {
+		assert.Equal(t, ip1, srv.IPByHost(host1))
+		assert.Equal(t, ip2, srv.IPByHost(host2))
+		assert.Equal(t, ip3, srv.IPByHost(host3))
+		assert.Equal(t, ip4, srv.IPByHost(host4))
+		assert.Equal(t, netip.Addr{}, srv.IPByHost(host5))
+	})
+
+	t.Run("name_idx", func(t *testing.T) {
+		assert.Equal(t, host1, srv.HostByIP(ip1))
+		assert.Equal(t, host2, srv.HostByIP(ip2))
+		assert.Equal(t, host3, srv.HostByIP(ip3))
+		assert.Equal(t, host4, srv.HostByIP(ip4))
+		assert.Equal(t, "", srv.HostByIP(netip.Addr{}))
+	})
+
+	t.Run("mac_idx", func(t *testing.T) {
+		assert.Equal(t, mac1, srv.MACByIP(ip1))
+		assert.Equal(t, mac2, srv.MACByIP(ip2))
+		assert.Equal(t, mac3, srv.MACByIP(ip3))
+		assert.Equal(t, mac1, srv.MACByIP(ip4))
+		assert.Nil(t, srv.MACByIP(netip.Addr{}))
+	})
+}
+
+func TestDHCPServer_UpdateStaticLease(t *testing.T) {
+	srv, err := dhcpsvc.New(&dhcpsvc.Config{
+		Enabled:         true,
+		LocalDomainName: testLocalTLD,
+		Interfaces:      testInterfaceConf,
+	})
+	require.NoError(t, err)
+
+	const (
+		host1 = "host1"
+		host2 = "host2"
+		host3 = "host3"
+		host4 = "host4"
+		host5 = "host5"
+		host6 = "host6"
+	)
+
+	ip1 := netip.MustParseAddr("192.168.0.2")
+	ip2 := netip.MustParseAddr("192.168.0.3")
+	ip3 := netip.MustParseAddr("192.168.0.4")
+	ip4 := netip.MustParseAddr("2001:db8::2")
+	ip5 := netip.MustParseAddr("2001:db8::3")
+
+	mac1 := mustParseMAC(t, "01:02:03:04:05:06")
+	mac2 := mustParseMAC(t, "01:02:03:04:05:07")
+	mac3 := mustParseMAC(t, "06:05:04:03:02:01")
+	mac4 := mustParseMAC(t, "06:05:04:03:02:02")
+
+	leases := []*dhcpsvc.Lease{{
+		Hostname: host1,
+		IP:       ip1,
+		HWAddr:   mac1,
+		IsStatic: true,
+	}, {
+		Hostname: host2,
+		IP:       ip2,
+		HWAddr:   mac2,
+		IsStatic: true,
+	}, {
+		Hostname: host4,
+		IP:       ip4,
+		HWAddr:   mac4,
+		IsStatic: true,
+	}}
+	for _, l := range leases {
+		require.NoError(t, srv.AddLease(l))
+	}
+
+	testCases := []struct {
+		name       string
+		lease      *dhcpsvc.Lease
+		wantErrMsg string
+	}{{
+		name: "outside_range",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       netip.MustParseAddr("1.2.3.4"),
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "updating static lease: no interface for ip 1.2.3.4",
+	}, {
+		name: "not_found",
+		lease: &dhcpsvc.Lease{
+			Hostname: host3,
+			IP:       ip3,
+			HWAddr:   mac3,
+		},
+		wantErrMsg: "updating static lease: no lease for mac " + mac3.String(),
+	}, {
+		name: "duplicate_ip",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       ip2,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "updating static lease: lease for ip " + ip2.String() +
+			" already exists",
+	}, {
+		name: "duplicate_hostname",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       ip1,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "updating static lease: lease for hostname " + host2 +
+			" already exists",
+	}, {
+		name: "duplicate_hostname_case",
+		lease: &dhcpsvc.Lease{
+			Hostname: strings.ToUpper(host2),
+			IP:       ip1,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "updating static lease: lease for hostname " +
+			strings.ToUpper(host2) + " already exists",
+	}, {
+		name: "valid",
+		lease: &dhcpsvc.Lease{
+			Hostname: host3,
+			IP:       ip3,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "",
+	}, {
+		name: "valid_v6",
+		lease: &dhcpsvc.Lease{
+			Hostname: host6,
+			IP:       ip5,
+			HWAddr:   mac4,
+		},
+		wantErrMsg: "",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, srv.UpdateStaticLease(tc.lease))
+		})
+	}
+}
+
+func TestDHCPServer_RemoveLease(t *testing.T) {
+	srv, err := dhcpsvc.New(&dhcpsvc.Config{
+		Enabled:         true,
+		LocalDomainName: testLocalTLD,
+		Interfaces:      testInterfaceConf,
+	})
+	require.NoError(t, err)
+
+	const (
+		host1 = "host1"
+		host2 = "host2"
+		host3 = "host3"
+	)
+
+	ip1 := netip.MustParseAddr("192.168.0.2")
+	ip2 := netip.MustParseAddr("192.168.0.3")
+	ip3 := netip.MustParseAddr("2001:db8::2")
+
+	mac1 := mustParseMAC(t, "01:02:03:04:05:06")
+	mac2 := mustParseMAC(t, "02:03:04:05:06:07")
+	mac3 := mustParseMAC(t, "06:05:04:03:02:01")
+
+	leases := []*dhcpsvc.Lease{{
+		Hostname: host1,
+		IP:       ip1,
+		HWAddr:   mac1,
+		IsStatic: true,
+	}, {
+		Hostname: host3,
+		IP:       ip3,
+		HWAddr:   mac3,
+		IsStatic: true,
+	}}
+	for _, l := range leases {
+		require.NoError(t, srv.AddLease(l))
+	}
+
+	testCases := []struct {
+		name       string
+		lease      *dhcpsvc.Lease
+		wantErrMsg string
+	}{{
+		name: "not_found_mac",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       ip1,
+			HWAddr:   mac2,
+		},
+		wantErrMsg: "removing lease: no lease for mac " + mac2.String(),
+	}, {
+		name: "not_found_ip",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       ip2,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "removing lease: no lease for ip " + ip2.String(),
+	}, {
+		name: "not_found_host",
+		lease: &dhcpsvc.Lease{
+			Hostname: host2,
+			IP:       ip1,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "removing lease: no lease for hostname " + host2,
+	}, {
+		name: "valid",
+		lease: &dhcpsvc.Lease{
+			Hostname: host1,
+			IP:       ip1,
+			HWAddr:   mac1,
+		},
+		wantErrMsg: "",
+	}, {
+		name: "valid_v6",
+		lease: &dhcpsvc.Lease{
+			Hostname: host3,
+			IP:       ip3,
+			HWAddr:   mac3,
+		},
+		wantErrMsg: "",
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testutil.AssertErrorMsg(t, tc.wantErrMsg, srv.RemoveLease(tc.lease))
+		})
+	}
+
+	assert.Empty(t, srv.Leases())
+}
+
+func TestDHCPServer_Reset(t *testing.T) {
+	srv, err := dhcpsvc.New(&dhcpsvc.Config{
+		Enabled:         true,
+		LocalDomainName: testLocalTLD,
+		Interfaces:      testInterfaceConf,
+	})
+	require.NoError(t, err)
+
+	leases := []*dhcpsvc.Lease{{
+		Hostname: "host1",
+		IP:       netip.MustParseAddr("192.168.0.2"),
+		HWAddr:   mustParseMAC(t, "01:02:03:04:05:06"),
+		IsStatic: true,
+	}, {
+		Hostname: "host2",
+		IP:       netip.MustParseAddr("192.168.0.3"),
+		HWAddr:   mustParseMAC(t, "06:05:04:03:02:01"),
+		IsStatic: true,
+	}, {
+		Hostname: "host3",
+		IP:       netip.MustParseAddr("2001:db8::2"),
+		HWAddr:   mustParseMAC(t, "02:03:04:05:06:07"),
+		IsStatic: true,
+	}, {
+		Hostname: "host4",
+		IP:       netip.MustParseAddr("2001:db8::3"),
+		HWAddr:   mustParseMAC(t, "06:05:04:03:02:02"),
+		IsStatic: true,
+	}}
+
+	for _, l := range leases {
+		require.NoError(t, srv.AddLease(l))
+	}
+
+	require.Len(t, srv.Leases(), len(leases))
+
+	require.NoError(t, srv.Reset())
+
+	assert.Empty(t, srv.Leases())
+}

internal/dhcpsvc/v4.go

@@ -4,12 +4,12 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"time"
 
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/google/gopacket/layers"
-	"golang.org/x/exp/slices"
 )
 
 // IPv4Config is the interface-specific configuration for DHCPv4.
@@ -64,69 +64,6 @@ func (conf *IPv4Config) validate() (err error) {
 	}
 }
 
-// iface4 is a DHCP interface for IPv4 address family.
-type iface4 struct {
-	// gateway is the IP address of the network gateway.
-	gateway netip.Addr
-
-	// subnet is the network subnet.
-	subnet netip.Prefix
-
-	// addrSpace is the IPv4 address space allocated for leasing.
-	addrSpace ipRange
-
-	// name is the name of the interface.
-	name string
-
-	// implicitOpts are the options listed in Appendix A of RFC 2131 and
-	// initialized with default values.  It must not have intersections with
-	// explicitOpts.
-	implicitOpts layers.DHCPOptions
-
-	// explicitOpts are the user-configured options.  It must not have
-	// intersections with implicitOpts.
-	explicitOpts layers.DHCPOptions
-
-	// leaseTTL is the time-to-live of dynamic leases on this interface.
-	leaseTTL time.Duration
-}
-
-// newIface4 creates a new DHCP interface for IPv4 address family with the given
-// configuration.  It returns an error if the given configuration can't be used.
-func newIface4(name string, conf *IPv4Config) (i *iface4, err error) {
-	if !conf.Enabled {
-		return nil, nil
-	}
-
-	maskLen, _ := net.IPMask(conf.SubnetMask.AsSlice()).Size()
-	subnet := netip.PrefixFrom(conf.GatewayIP, maskLen)
-
-	switch {
-	case !subnet.Contains(conf.RangeStart):
-		return nil, fmt.Errorf("range start %s is not within %s", conf.RangeStart, subnet)
-	case !subnet.Contains(conf.RangeEnd):
-		return nil, fmt.Errorf("range end %s is not within %s", conf.RangeEnd, subnet)
-	}
-
-	addrSpace, err := newIPRange(conf.RangeStart, conf.RangeEnd)
-	if err != nil {
-		return nil, err
-	} else if addrSpace.contains(conf.GatewayIP) {
-		return nil, fmt.Errorf("gateway ip %s in the ip range %s", conf.GatewayIP, addrSpace)
-	}
-
-	i = &iface4{
-		name:      name,
-		gateway:   conf.GatewayIP,
-		subnet:    subnet,
-		addrSpace: addrSpace,
-		leaseTTL:  conf.LeaseDuration,
-	}
-	i.implicitOpts, i.explicitOpts = conf.options()
-
-	return i, nil
-}
-
 // options returns the implicit and explicit options for the interface.  The two
 // lists are disjoint and the implicit options are initialized with default
 // values.
@@ -318,3 +255,83 @@ func (conf *IPv4Config) options() (implicit, explicit layers.DHCPOptions) {
 func compareV4OptionCodes(a, b layers.DHCPOption) (res int) {
 	return int(a.Type) - int(b.Type)
 }
+
+// netInterfaceV4 is a DHCP interface for IPv4 address family.
+type netInterfaceV4 struct {
+	// gateway is the IP address of the network gateway.
+	gateway netip.Addr
+
+	// subnet is the network subnet.
+	subnet netip.Prefix
+
+	// addrSpace is the IPv4 address space allocated for leasing.
+	addrSpace ipRange
+
+	// implicitOpts are the options listed in Appendix A of RFC 2131 and
+	// initialized with default values.  It must not have intersections with
+	// explicitOpts.
+	implicitOpts layers.DHCPOptions
+
+	// explicitOpts are the user-configured options.  It must not have
+	// intersections with implicitOpts.
+	explicitOpts layers.DHCPOptions
+
+	// netInterface is embedded here to provide some common network interface
+	// logic.
+	netInterface
+}
+
+// newNetInterfaceV4 creates a new DHCP interface for IPv4 address family with
+// the given configuration.  It returns an error if the given configuration
+// can't be used.
+func newNetInterfaceV4(name string, conf *IPv4Config) (i *netInterfaceV4, err error) {
+	if !conf.Enabled {
+		return nil, nil
+	}
+
+	maskLen, _ := net.IPMask(conf.SubnetMask.AsSlice()).Size()
+	subnet := netip.PrefixFrom(conf.GatewayIP, maskLen)
+
+	switch {
+	case !subnet.Contains(conf.RangeStart):
+		return nil, fmt.Errorf("range start %s is not within %s", conf.RangeStart, subnet)
+	case !subnet.Contains(conf.RangeEnd):
+		return nil, fmt.Errorf("range end %s is not within %s", conf.RangeEnd, subnet)
+	}
+
+	addrSpace, err := newIPRange(conf.RangeStart, conf.RangeEnd)
+	if err != nil {
+		return nil, err
+	} else if addrSpace.contains(conf.GatewayIP) {
+		return nil, fmt.Errorf("gateway ip %s in the ip range %s", conf.GatewayIP, addrSpace)
+	}
+
+	i = &netInterfaceV4{
+		gateway:   conf.GatewayIP,
+		subnet:    subnet,
+		addrSpace: addrSpace,
+		netInterface: netInterface{
+			name:     name,
+			leaseTTL: conf.LeaseDuration,
+		},
+	}
+	i.implicitOpts, i.explicitOpts = conf.options()
+
+	return i, nil
+}
+
+// netInterfacesV4 is a slice of network interfaces of IPv4 address family.
+type netInterfacesV4 []*netInterfaceV4
+
+// find returns the first network interface within ifaces containing ip.  It
+// returns false if there is no such interface.
+func (ifaces netInterfacesV4) find(ip netip.Addr) (iface4 *netInterface, ok bool) {
+	i := slices.IndexFunc(ifaces, func(iface *netInterfaceV4) (contains bool) {
+		return iface.subnet.Contains(ip)
+	})
+	if i < 0 {
+		return nil, false
+	}
+
+	return &ifaces[i].netInterface, true
+}

internal/dhcpsvc/v6.go

@@ -3,11 +3,12 @@ package dhcpsvc
 import (
 	"fmt"
 	"net/netip"
+	"slices"
 	"time"
 
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/google/gopacket/layers"
-	"golang.org/x/exp/slices"
 )
 
 // IPv6Config is the interface-specific configuration for DHCPv6.
@@ -52,57 +53,6 @@ func (conf *IPv6Config) validate() (err error) {
 	}
 }
 
-// iface6 is a DHCP interface for IPv6 address family.
-//
-// TODO(e.burkov):  Add options.
-type iface6 struct {
-	// rangeStart is the first IP address in the range.
-	rangeStart netip.Addr
-
-	// name is the name of the interface.
-	name string
-
-	// implicitOpts are the DHCPv6 options listed in RFC 8415 (and others) and
-	// initialized with default values.  It must not have intersections with
-	// explicitOpts.
-	implicitOpts layers.DHCPv6Options
-
-	// explicitOpts are the user-configured options.  It must not have
-	// intersections with implicitOpts.
-	explicitOpts layers.DHCPv6Options
-
-	// leaseTTL is the time-to-live of dynamic leases on this interface.
-	leaseTTL time.Duration
-
-	// raSLAACOnly defines if DHCP should send ICMPv6.RA packets without MO
-	// flags.
-	raSLAACOnly bool
-
-	// raAllowSLAAC defines if DHCP should send ICMPv6.RA packets with MO flags.
-	raAllowSLAAC bool
-}
-
-// newIface6 creates a new DHCP interface for IPv6 address family with the given
-// configuration.
-//
-// TODO(e.burkov):  Validate properly.
-func newIface6(name string, conf *IPv6Config) (i *iface6) {
-	if !conf.Enabled {
-		return nil
-	}
-
-	i = &iface6{
-		name:         name,
-		rangeStart:   conf.RangeStart,
-		leaseTTL:     conf.LeaseDuration,
-		raSLAACOnly:  conf.RASLAACOnly,
-		raAllowSLAAC: conf.RAAllowSLAAC,
-	}
-	i.implicitOpts, i.explicitOpts = conf.options()
-
-	return i
-}
-
 // options returns the implicit and explicit options for the interface.  The two
 // lists are disjoint and the implicit options are initialized with default
 // values.
@@ -133,3 +83,79 @@ func (conf *IPv6Config) options() (implicit, explicit layers.DHCPv6Options) {
 func compareV6OptionCodes(a, b layers.DHCPv6Option) (res int) {
 	return int(a.Code) - int(b.Code)
 }
+
+// netInterfaceV6 is a DHCP interface for IPv6 address family.
+//
+// TODO(e.burkov):  Add options.
+type netInterfaceV6 struct {
+	// rangeStart is the first IP address in the range.
+	rangeStart netip.Addr
+
+	// implicitOpts are the DHCPv6 options listed in RFC 8415 (and others) and
+	// initialized with default values.  It must not have intersections with
+	// explicitOpts.
+	implicitOpts layers.DHCPv6Options
+
+	// explicitOpts are the user-configured options.  It must not have
+	// intersections with implicitOpts.
+	explicitOpts layers.DHCPv6Options
+
+	// netInterface is embedded here to provide some common network interface
+	// logic.
+	netInterface
+
+	// raSLAACOnly defines if DHCP should send ICMPv6.RA packets without MO
+	// flags.
+	raSLAACOnly bool
+
+	// raAllowSLAAC defines if DHCP should send ICMPv6.RA packets with MO flags.
+	raAllowSLAAC bool
+}
+
+// newNetInterfaceV6 creates a new DHCP interface for IPv6 address family with
+// the given configuration.
+//
+// TODO(e.burkov):  Validate properly.
+func newNetInterfaceV6(name string, conf *IPv6Config) (i *netInterfaceV6) {
+	if !conf.Enabled {
+		return nil
+	}
+
+	i = &netInterfaceV6{
+		rangeStart: conf.RangeStart,
+		netInterface: netInterface{
+			name:     name,
+			leaseTTL: conf.LeaseDuration,
+		},
+		raSLAACOnly:  conf.RASLAACOnly,
+		raAllowSLAAC: conf.RAAllowSLAAC,
+	}
+	i.implicitOpts, i.explicitOpts = conf.options()
+
+	return i
+}
+
+// netInterfacesV4 is a slice of network interfaces of IPv4 address family.
+type netInterfacesV6 []*netInterfaceV6
+
+// find returns the first network interface within ifaces containing ip.  It
+// returns false if there is no such interface.
+func (ifaces netInterfacesV6) find(ip netip.Addr) (iface6 *netInterface, ok bool) {
+	// prefLen is the length of prefix to match ip against.
+	//
+	// TODO(e.burkov):  DHCPv6 inherits the weird behavior of legacy
+	// implementation where the allocated range constrained by the first address
+	// and the first address with last byte set to 0xff.  Proper prefixes should
+	// be used instead.
+	const prefLen = netutil.IPv6BitLen - 8
+
+	i := slices.IndexFunc(ifaces, func(iface *netInterfaceV6) (contains bool) {
+		return !ip.Less(iface.rangeStart) &&
+			netip.PrefixFrom(iface.rangeStart, prefLen).Contains(ip)
+	})
+	if i < 0 {
+		return nil, false
+	}
+
+	return &ifaces[i].netInterface, true
+}

internal/dnsforward/clientid.go

@@ -14,6 +14,8 @@ import (
 )
 
 // ValidateClientID returns an error if id is not a valid ClientID.
+//
+// Keep in sync with [client.ValidateClientID].
 func ValidateClientID(id string) (err error) {
 	err = netutil.ValidateHostnameLabel(id)
 	if err != nil {

internal/dnsforward/config.go

@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -24,7 +25,6 @@ import (
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/ameshkov/dnscrypt/v2"
-	"golang.org/x/exp/slices"
 )
 
 // ClientsContainer provides information about preconfigured DNS clients.
@@ -40,7 +40,7 @@ type ClientsContainer interface {
 	) (conf *proxy.CustomUpstreamConfig, err error)
 }
 
-// Config represents the DNS filtering configuration of AdGuard Home. The zero
+// Config represents the DNS filtering configuration of AdGuard Home.  The zero
 // Config is empty and ready for use.
 type Config struct {
 	// Callbacks for other modules
@@ -357,10 +357,6 @@ func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 		conf.DNSCryptResolverCert = c.ResolverCert
 	}
 
-	if conf.UpstreamConfig == nil || len(conf.UpstreamConfig.Upstreams) == 0 {
-		return nil, errors.Error("no default upstream servers configured")
-	}
-
 	conf, err = prepareCacheConfig(conf,
 		srvConf.CacheSize,
 		srvConf.CacheMinTTL,

internal/dnsforward/config_test.go

@@ -1,10 +1,10 @@
 package dnsforward
 
 import (
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"golang.org/x/exp/slices"
 )
 
 func TestAnyNameMatches(t *testing.T) {

internal/dnsforward/configvalidator.go

@@ -2,54 +2,56 @@ package dnsforward
 
 import (
 	"fmt"
-	"strings"
 	"sync"
 
+	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
-// upstreamConfigValidator parses the [*proxy.UpstreamConfig] and checks the
-// actual DNS availability of each upstream.
+// upstreamConfigValidator parses each section of an upstream configuration into
+// a corresponding [*proxy.UpstreamConfig] and checks the actual DNS
+// availability of each upstream.
 type upstreamConfigValidator struct {
-	// general is the general upstream configuration.
-	general []*upstreamResult
+	// generalUpstreamResults contains upstream results of a general section.
+	generalUpstreamResults map[string]*upstreamResult
 
-	// fallback is the fallback upstream configuration.
-	fallback []*upstreamResult
+	// fallbackUpstreamResults contains upstream results of a fallback section.
+	fallbackUpstreamResults map[string]*upstreamResult
 
-	// private is the private upstream configuration.
-	private []*upstreamResult
+	// privateUpstreamResults contains upstream results of a private section.
+	privateUpstreamResults map[string]*upstreamResult
+
+	// generalParseResults contains parsing results of a general section.
+	generalParseResults []*parseResult
+
+	// fallbackParseResults contains parsing results of a fallback section.
+	fallbackParseResults []*parseResult
+
+	// privateParseResults contains parsing results of a private section.
+	privateParseResults []*parseResult
 }
 
-// upstreamResult is a result of validation of an [upstream.Upstream] within an
+// upstreamResult is a result of parsing of an [upstream.Upstream] within an
 // [proxy.UpstreamConfig].
 type upstreamResult struct {
-	// server is the parsed upstream.  It is nil when there was an error during
-	// parsing.
+	// server is the parsed upstream.
 	server upstream.Upstream
 
-	// err is the error either from parsing or from checking the upstream.
+	// err is the upstream check error.
 	err error
 
-	// original is the piece of configuration that have either been turned to an
-	// upstream or caused an error.
-	original string
-
 	// isSpecific is true if the upstream is domain-specific.
 	isSpecific bool
 }
 
-// compare compares two [upstreamResult]s.  It returns 0 if they are equal, -1
-// if ur should be sorted before other, and 1 otherwise.
-//
-// TODO(e.burkov):  Perhaps it makes sense to sort the results with errors near
-// the end.
-func (ur *upstreamResult) compare(other *upstreamResult) (res int) {
-	return strings.Compare(ur.original, other.original)
+// parseResult contains a original piece of upstream configuration and a
+// corresponding error.
+type parseResult struct {
+	err      *proxy.ParseError
+	original string
 }
 
 // newUpstreamConfigValidator parses the upstream configuration and returns a
@@ -61,97 +63,99 @@ func newUpstreamConfigValidator(
 	private []string,
 	opts *upstream.Options,
 ) (cv *upstreamConfigValidator) {
-	cv = &upstreamConfigValidator{}
+	cv = &upstreamConfigValidator{
+		generalUpstreamResults:  map[string]*upstreamResult{},
+		fallbackUpstreamResults: map[string]*upstreamResult{},
+		privateUpstreamResults:  map[string]*upstreamResult{},
+	}
 
-	for _, line := range general {
-		cv.general = cv.insertLineResults(cv.general, line, opts)
-	}
-	for _, line := range fallback {
-		cv.fallback = cv.insertLineResults(cv.fallback, line, opts)
-	}
-	for _, line := range private {
-		cv.private = cv.insertLineResults(cv.private, line, opts)
-	}
+	conf, err := proxy.ParseUpstreamsConfig(general, opts)
+	cv.generalParseResults = collectErrResults(general, err)
+	insertConfResults(conf, cv.generalUpstreamResults)
+
+	conf, err = proxy.ParseUpstreamsConfig(fallback, opts)
+	cv.fallbackParseResults = collectErrResults(fallback, err)
+	insertConfResults(conf, cv.fallbackUpstreamResults)
+
+	conf, err = proxy.ParseUpstreamsConfig(private, opts)
+	cv.privateParseResults = collectErrResults(private, err)
+	insertConfResults(conf, cv.privateUpstreamResults)
 
 	return cv
 }
 
-// insertLineResults parses line and inserts the result into s.  It can insert
-// multiple results as well as none.
-func (cv *upstreamConfigValidator) insertLineResults(
-	s []*upstreamResult,
-	line string,
-	opts *upstream.Options,
-) (result []*upstreamResult) {
-	upstreams, isSpecific, err := splitUpstreamLine(line)
-	if err != nil {
-		return cv.insert(s, &upstreamResult{
-			err:      err,
-			original: line,
-		})
+// collectErrResults parses err and returns parsing results containing the
+// original upstream configuration line and the corresponding error.  err can be
+// nil.
+func collectErrResults(lines []string, err error) (results []*parseResult) {
+	if err == nil {
+		return nil
 	}
 
-	for _, upstreamAddr := range upstreams {
-		var res *upstreamResult
-		if upstreamAddr != "#" {
-			res = cv.parseUpstream(upstreamAddr, opts)
-		} else if !isSpecific {
-			res = &upstreamResult{
-				err:      errNotDomainSpecific,
-				original: upstreamAddr,
-			}
-		} else {
+	// limit is a maximum length for upstream configuration lines.
+	const limit = 80
+
+	wrapper, ok := err.(errors.WrapperSlice)
+	if !ok {
+		log.Debug("dnsforward: configvalidator: unwrapping: %s", err)
+
+		return nil
+	}
+
+	errs := wrapper.Unwrap()
+	results = make([]*parseResult, 0, len(errs))
+	for i, e := range errs {
+		var parseErr *proxy.ParseError
+		if !errors.As(e, &parseErr) {
+			log.Debug("dnsforward: configvalidator: inserting unexpected error %d: %s", i, err)
+
 			continue
 		}
 
-		res.isSpecific = isSpecific
-		s = cv.insert(s, res)
-	}
-
-	return s
-}
-
-// insert inserts r into slice in a sorted order, except duplicates.  slice must
-// not be nil.
-func (cv *upstreamConfigValidator) insert(
-	s []*upstreamResult,
-	r *upstreamResult,
-) (result []*upstreamResult) {
-	i, has := slices.BinarySearchFunc(s, r, (*upstreamResult).compare)
-	if has {
-		log.Debug("dnsforward: duplicate configuration %q", r.original)
-
-		return s
-	}
-
-	return slices.Insert(s, i, r)
-}
-
-// parseUpstream parses addr and returns the result of parsing.  It returns nil
-// if the specified server points at the default upstream server which is
-// validated separately.
-func (cv *upstreamConfigValidator) parseUpstream(
-	addr string,
-	opts *upstream.Options,
-) (r *upstreamResult) {
-	// Check if the upstream has a valid protocol prefix.
-	//
-	// TODO(e.burkov):  Validate the domain name.
-	if proto, _, ok := strings.Cut(addr, "://"); ok {
-		if !slices.Contains(protocols, proto) {
-			return &upstreamResult{
-				err:      fmt.Errorf("bad protocol %q", proto),
-				original: addr,
-			}
+		idx := parseErr.Idx
+		line := []rune(lines[idx])
+		if len(line) > limit {
+			line = line[:limit]
+			line[limit-1] = '…'
 		}
+
+		results = append(results, &parseResult{
+			original: string(line),
+			err:      parseErr,
+		})
 	}
 
-	ups, err := upstream.AddressToUpstream(addr, opts)
+	return results
+}
 
-	return &upstreamResult{
-		server:   ups,
-		err:      err,
-		original: addr,
+// insertConfResults parses conf and inserts the upstream result into results.
+// It can insert multiple results as well as none.
+func insertConfResults(conf *proxy.UpstreamConfig, results map[string]*upstreamResult) {
+	insertListResults(conf.Upstreams, results, false)
+
+	for _, ups := range conf.DomainReservedUpstreams {
+		insertListResults(ups, results, true)
+	}
+
+	for _, ups := range conf.SpecifiedDomainUpstreams {
+		insertListResults(ups, results, true)
+	}
+}
+
+// insertListResults constructs upstream results from the upstream list and
+// inserts them into results.  It can insert multiple results as well as none.
+func insertListResults(ups []upstream.Upstream, results map[string]*upstreamResult, specific bool) {
+	for _, u := range ups {
+		addr := u.Address()
+		_, ok := results[addr]
+		if ok {
+			continue
+		}
+
+		results[addr] = &upstreamResult{
+			server:     u,
+			isSpecific: specific,
+		}
 	}
 }
 
@@ -187,35 +191,30 @@ func (cv *upstreamConfigValidator) check() {
 	}
 
 	wg := &sync.WaitGroup{}
-	wg.Add(len(cv.general) + len(cv.fallback) + len(cv.private))
+	wg.Add(len(cv.generalUpstreamResults) +
+		len(cv.fallbackUpstreamResults) +
+		len(cv.privateUpstreamResults))
 
-	for _, res := range cv.general {
-		go cv.checkSrv(res, wg, commonChecker)
+	for _, res := range cv.generalUpstreamResults {
+		go checkSrv(res, wg, commonChecker)
 	}
-	for _, res := range cv.fallback {
-		go cv.checkSrv(res, wg, commonChecker)
+	for _, res := range cv.fallbackUpstreamResults {
+		go checkSrv(res, wg, commonChecker)
 	}
-	for _, res := range cv.private {
-		go cv.checkSrv(res, wg, arpaChecker)
+	for _, res := range cv.privateUpstreamResults {
+		go checkSrv(res, wg, arpaChecker)
 	}
 
 	wg.Wait()
 }
 
 // checkSrv runs hc on the server from res, if any, and stores any occurred
-// error in res.  wg is always marked done in the end.  It used to be called in
-// a separate goroutine.
-func (cv *upstreamConfigValidator) checkSrv(
-	res *upstreamResult,
-	wg *sync.WaitGroup,
-	hc *healthchecker,
-) {
+// error in res.  wg is always marked done in the end.  It is intended to be
+// used as a goroutine.
+func checkSrv(res *upstreamResult, wg *sync.WaitGroup, hc *healthchecker) {
+	defer log.OnPanic(fmt.Sprintf("dnsforward: checking upstream %s", res.server.Address()))
 	defer wg.Done()
 
-	if res.server == nil {
-		return
-	}
-
 	res.err = hc.check(res.server)
 	if res.err != nil && res.isSpecific {
 		res.err = domainSpecificTestError{Err: res.err}
@@ -225,65 +224,126 @@ func (cv *upstreamConfigValidator) checkSrv(
 // close closes all the upstreams that were successfully parsed.  It enriches
 // the results with deferred closing errors.
 func (cv *upstreamConfigValidator) close() {
-	for _, slice := range [][]*upstreamResult{cv.general, cv.fallback, cv.private} {
-		for _, r := range slice {
-			if r.server != nil {
-				r.err = errors.WithDeferred(r.err, r.server.Close())
-			}
+	all := []map[string]*upstreamResult{
+		cv.generalUpstreamResults,
+		cv.fallbackUpstreamResults,
+		cv.privateUpstreamResults,
+	}
+
+	for _, m := range all {
+		for _, r := range m {
+			r.err = errors.WithDeferred(r.err, r.server.Close())
 		}
 	}
 }
 
+// sections of the upstream configuration according to the text label of the
+// localization.
+//
+// Keep in sync with client/src/__locales/en.json.
+//
+// TODO(s.chzhen):  Refactor.
+const (
+	generalTextLabel  = "upstream_dns"
+	fallbackTextLabel = "fallback_dns_title"
+	privateTextLabel  = "local_ptr_title"
+)
+
 // status returns all the data collected during parsing, healthcheck, and
 // closing of the upstreams.  The returned map is keyed by the original upstream
 // configuration piece and contains the corresponding error or "OK" if there was
 // no error.
 func (cv *upstreamConfigValidator) status() (results map[string]string) {
-	result := map[string]string{}
+	// Names of the upstream configuration sections for logging.
+	const (
+		generalSection  = "general"
+		fallbackSection = "fallback"
+		privateSection  = "private"
+	)
 
-	for _, res := range cv.general {
-		resultToStatus("general", res, result)
+	results = map[string]string{}
+
+	for original, res := range cv.generalUpstreamResults {
+		upstreamResultToStatus(generalSection, string(original), res, results)
 	}
-	for _, res := range cv.fallback {
-		resultToStatus("fallback", res, result)
+	for original, res := range cv.fallbackUpstreamResults {
+		upstreamResultToStatus(fallbackSection, string(original), res, results)
 	}
-	for _, res := range cv.private {
-		resultToStatus("private", res, result)
+	for original, res := range cv.privateUpstreamResults {
+		upstreamResultToStatus(privateSection, string(original), res, results)
 	}
 
-	return result
+	parseResultToStatus(generalTextLabel, generalSection, cv.generalParseResults, results)
+	parseResultToStatus(fallbackTextLabel, fallbackSection, cv.fallbackParseResults, results)
+	parseResultToStatus(privateTextLabel, privateSection, cv.privateParseResults, results)
+
+	return results
 }
 
-// resultToStatus puts "OK" or an error message from res into resMap.  section
-// is the name of the upstream configuration section, i.e. "general",
+// upstreamResultToStatus puts "OK" or an error message from res into resMap.
+// section is the name of the upstream configuration section, i.e. "general",
 // "fallback", or "private", and only used for logging.
 //
 // TODO(e.burkov):  Currently, the HTTP handler expects that all the results are
 // put together in a single map, which may lead to collisions, see AG-27539.
 // Improve the results compilation.
-func resultToStatus(section string, res *upstreamResult, resMap map[string]string) {
+func upstreamResultToStatus(
+	section string,
+	original string,
+	res *upstreamResult,
+	resMap map[string]string,
+) {
 	val := "OK"
 	if res.err != nil {
 		val = res.err.Error()
 	}
 
-	prevVal := resMap[res.original]
+	prevVal := resMap[original]
 	switch prevVal {
 	case "":
-		resMap[res.original] = val
+		resMap[original] = val
 	case val:
-		log.Debug("dnsforward: duplicating %s config line %q", section, res.original)
+		log.Debug("dnsforward: duplicating %s config line %q", section, original)
 	default:
 		log.Debug(
 			"dnsforward: warning: %s config line %q (%v) had different result %v",
 			section,
 			val,
-			res.original,
+			original,
 			prevVal,
 		)
 	}
 }
 
+// parseResultToStatus puts parsing error messages from results into resMap.
+// section is the name of the upstream configuration section, i.e. "general",
+// "fallback", or "private", and only used for logging.
+//
+// Parsing error message has the following format:
+//
+//	sectionTextLabel line: parsing error
+//
+// Where sectionTextLabel is a section text label of a localization and line is
+// a line number.
+func parseResultToStatus(
+	textLabel string,
+	section string,
+	results []*parseResult,
+	resMap map[string]string,
+) {
+	for _, res := range results {
+		original := res.original
+		_, ok := resMap[original]
+		if ok {
+			log.Debug("dnsforward: duplicating %s parsing error %q", section, original)
+
+			continue
+		}
+
+		resMap[original] = fmt.Sprintf("%s %d: parsing error", textLabel, res.err.Idx+1)
+	}
+}
+
 // domainSpecificTestError is a wrapper for errors returned by checkDNS to mark
 // the tested upstream domain-specific and therefore consider its errors
 // non-critical.
@@ -342,7 +402,7 @@ func (h *healthchecker) check(u upstream.Upstream) (err error) {
 	if err != nil {
 		return fmt.Errorf("couldn't communicate with upstream: %w", err)
 	} else if h.ansEmpty && len(reply.Answer) > 0 {
-		return errWrongResponse
+		return errors.Error("wrong response")
 	}
 
 	return nil

internal/dnsforward/dns64_test.go

@@ -8,7 +8,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
-	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/miekg/dns"
@@ -101,21 +100,6 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 	type answerMap = map[uint16][sectionsNum][]dns.RR
 
 	pt := testutil.PanicT{}
-	newUps := func(answers answerMap) (u upstream.Upstream) {
-		return aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
-			q := req.Question[0]
-			require.Contains(pt, answers, q.Qtype)
-
-			answer := answers[q.Qtype]
-
-			resp = (&dns.Msg{}).SetReply(req)
-			resp.Answer = answer[sectionAnswer]
-			resp.Ns = answer[sectionAuthority]
-			resp.Extra = answer[sectionAdditional]
-
-			return resp, nil
-		})
-	}
 
 	testCases := []struct {
 		name    string
@@ -265,13 +249,16 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 	}}
 
 	localRR := newRR(t, ptr64Domain, dns.TypePTR, 3600, pointedDomain)
-	localUps := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
-		require.Equal(pt, req.Question[0].Name, ptr64Domain)
-		resp = (&dns.Msg{}).SetReply(req)
-		resp.Answer = []dns.RR{localRR}
+	localUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
+		require.Len(pt, m.Question, 1)
+		require.Equal(pt, m.Question[0].Name, ptr64Domain)
+		resp := (&dns.Msg{
+			Answer: []dns.RR{localRR},
+		}).SetReply(m)
 
-		return resp, nil
+		require.NoError(t, w.WriteMsg(resp))
 	})
+	localUpsAddr := aghtest.StartLocalhostUpstream(t, localUpsHdlr).String()
 
 	client := &dns.Client{
 		Net:     "tcp",
@@ -279,25 +266,44 @@ func TestServer_HandleDNSRequest_dns64(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		// TODO(e.burkov):  It seems [proxy.Proxy] isn't intended to be reused
-		// right after stop, due to a data race in [proxy.Proxy.Init] method
-		// when setting an OOB size.  As a temporary workaround, recreate the
-		// whole server for each test case.
-		s := createTestServer(t, &filtering.Config{
-			BlockingMode: filtering.BlockingModeDefault,
-		}, ServerConfig{
-			UDPListenAddrs: []*net.UDPAddr{{}},
-			TCPListenAddrs: []*net.TCPAddr{{}},
-			UseDNS64:       true,
-			Config: Config{
-				UpstreamMode:     UpstreamModeLoadBalance,
-				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
-			},
-			ServePlainDNS: true,
-		}, localUps)
-
+		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newUps(tc.upsAns)}
+			upsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+				q := req.Question[0]
+				require.Contains(pt, tc.upsAns, q.Qtype)
+
+				answer := tc.upsAns[q.Qtype]
+
+				resp := (&dns.Msg{
+					Answer: answer[sectionAnswer],
+					Ns:     answer[sectionAuthority],
+					Extra:  answer[sectionAdditional],
+				}).SetReply(req)
+
+				require.NoError(pt, w.WriteMsg(resp))
+			})
+			upsAddr := aghtest.StartLocalhostUpstream(t, upsHdlr).String()
+
+			// TODO(e.burkov):  It seems [proxy.Proxy] isn't intended to be
+			// reused right after stop, due to a data race in [proxy.Proxy.Init]
+			// method when setting an OOB size.  As a temporary workaround,
+			// recreate the whole server for each test case.
+			s := createTestServer(t, &filtering.Config{
+				BlockingMode: filtering.BlockingModeDefault,
+			}, ServerConfig{
+				UDPListenAddrs: []*net.UDPAddr{{}},
+				TCPListenAddrs: []*net.TCPAddr{{}},
+				UseDNS64:       true,
+				Config: Config{
+					UpstreamMode:     UpstreamModeLoadBalance,
+					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+					UpstreamDNS:      []string{upsAddr},
+				},
+				UsePrivateRDNS:    true,
+				LocalPTRResolvers: []string{localUpsAddr},
+				ServePlainDNS:     true,
+			})
+
 			startDeferStop(t, s)
 
 			req := (&dns.Msg{}).SetQuestion(tc.qname, tc.qtype)

internal/dnsforward/dnsforward.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/netip"
 	"runtime"
+	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -30,7 +31,6 @@ import (
 	"github.com/AdguardTeam/golibs/netutil/sysresolv"
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
 // DefaultTimeout is the default upstream timeout
@@ -464,7 +464,8 @@ func (s *Server) Start() error {
 // startLocked starts the DNS server without locking.  s.serverLock is expected
 // to be locked.
 func (s *Server) startLocked() error {
-	err := s.dnsProxy.Start()
+	// TODO(e.burkov):  Use context properly.
+	err := s.dnsProxy.Start(context.Background())
 	if err == nil {
 		s.isRunning = true
 	}
@@ -517,35 +518,56 @@ func (s *Server) prepareLocalResolvers(
 	return uc, nil
 }
 
+// LocalResolversError is an error type for errors during local resolvers setup.
+// This is only needed to distinguish these errors from errors returned by
+// creating the proxy.
+type LocalResolversError struct {
+	Err error
+}
+
+// type check
+var _ error = (*LocalResolversError)(nil)
+
+// Error implements the error interface for *LocalResolversError.
+func (err *LocalResolversError) Error() (s string) {
+	return fmt.Sprintf("creating local resolvers: %s", err.Err)
+}
+
+// type check
+var _ errors.Wrapper = (*LocalResolversError)(nil)
+
+// Unwrap implements the [errors.Wrapper] interface for *LocalResolversError.
+func (err *LocalResolversError) Unwrap() error {
+	return err.Err
+}
+
 // setupLocalResolvers initializes and sets the resolvers for local addresses.
-// It assumes s.serverLock is locked or s not running.
-func (s *Server) setupLocalResolvers(boot upstream.Resolver) (err error) {
-	uc, err := s.prepareLocalResolvers(boot)
+// It assumes s.serverLock is locked or s not running.  It returns the upstream
+// configuration used for private PTR resolving, or nil if it's disabled.  Note,
+// that it's safe to put nil into [proxy.Config.PrivateRDNSUpstreamConfig].
+func (s *Server) setupLocalResolvers(boot upstream.Resolver) (uc *proxy.UpstreamConfig, err error) {
+	if !s.conf.UsePrivateRDNS {
+		// It's safe to put nil into [proxy.Config.PrivateRDNSUpstreamConfig].
+		return nil, nil
+	}
+
+	uc, err = s.prepareLocalResolvers(boot)
 	if err != nil {
 		// Don't wrap the error because it's informative enough as is.
-		return err
+		return nil, err
 	}
 
-	s.localResolvers = &proxy.Proxy{
-		Config: proxy.Config{
-			UpstreamConfig: uc,
-		},
-	}
-
-	err = s.localResolvers.Init()
+	localResolvers, err := proxy.New(&proxy.Config{
+		UpstreamConfig: uc,
+	})
 	if err != nil {
-		return fmt.Errorf("initializing proxy: %w", err)
+		return nil, &LocalResolversError{Err: err}
 	}
 
+	s.localResolvers = localResolvers
+
 	// TODO(e.burkov):  Should we also consider the DNS64 usage?
-	if s.conf.UsePrivateRDNS &&
-		// Only set the upstream config if there are any upstreams.  It's safe
-		// to put nil into [proxy.Config.PrivateRDNSUpstreamConfig].
-		len(uc.Upstreams)+len(uc.DomainReservedUpstreams)+len(uc.SpecifiedDomainUpstreams) > 0 {
-		s.dnsProxy.PrivateRDNSUpstreamConfig = uc
-	}
-
-	return nil
+	return uc, nil
 }
 
 // Prepare initializes parameters of s using data from conf.  conf must not be
@@ -586,21 +608,24 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) {
 		return fmt.Errorf("preparing access: %w", err)
 	}
 
-	// Set the proxy here because [setupLocalResolvers] sets its values.
-	//
 	// TODO(e.burkov):  Remove once the local resolvers logic moved to dnsproxy.
-	s.dnsProxy = &proxy.Proxy{Config: *proxyConfig}
-
-	err = s.setupLocalResolvers(boot)
+	proxyConfig.PrivateRDNSUpstreamConfig, err = s.setupLocalResolvers(boot)
 	if err != nil {
 		return fmt.Errorf("setting up resolvers: %w", err)
 	}
 
-	err = s.setupFallbackDNS()
+	proxyConfig.Fallbacks, err = s.setupFallbackDNS()
 	if err != nil {
 		return fmt.Errorf("setting up fallback dns servers: %w", err)
 	}
 
+	dnsProxy, err := proxy.New(proxyConfig)
+	if err != nil {
+		return fmt.Errorf("creating proxy: %w", err)
+	}
+
+	s.dnsProxy = dnsProxy
+
 	s.recDetector.clear()
 
 	s.setupAddrProc()
@@ -643,26 +668,25 @@ func (s *Server) prepareInternalDNS() (boot upstream.Resolver, err error) {
 }
 
 // setupFallbackDNS initializes the fallback DNS servers.
-func (s *Server) setupFallbackDNS() (err error) {
+func (s *Server) setupFallbackDNS() (uc *proxy.UpstreamConfig, err error) {
 	fallbacks := s.conf.FallbackDNS
 	fallbacks = stringutil.FilterOut(fallbacks, IsCommentOrEmpty)
 	if len(fallbacks) == 0 {
-		return nil
+		return nil, nil
 	}
 
-	uc, err := proxy.ParseUpstreamsConfig(fallbacks, &upstream.Options{
+	uc, err = proxy.ParseUpstreamsConfig(fallbacks, &upstream.Options{
 		// TODO(s.chzhen):  Investigate if other options are needed.
 		Timeout:    s.conf.UpstreamTimeout,
 		PreferIPv6: s.conf.BootstrapPreferIPv6,
+		// TODO(e.burkov):  Use bootstrap.
 	})
 	if err != nil {
 		// Do not wrap the error because it's informative enough as is.
-		return err
+		return nil, err
 	}
 
-	s.dnsProxy.Fallbacks = uc
-
-	return nil
+	return uc, nil
 }
 
 // setupAddrProc initializes the address processor.  It assumes s.serverLock is
@@ -730,19 +754,9 @@ func (s *Server) prepareInternalProxy() (err error) {
 		return fmt.Errorf("invalid upstream mode: %w", err)
 	}
 
-	// TODO(a.garipov): Make a proper constructor for proxy.Proxy.
-	p := &proxy.Proxy{
-		Config: *conf,
-	}
+	s.internalProxy, err = proxy.New(conf)
 
-	err = p.Init()
-	if err != nil {
-		return err
-	}
-
-	s.internalProxy = p
-
-	return nil
+	return err
 }
 
 // Stop stops the DNS server.
@@ -761,14 +775,17 @@ func (s *Server) stopLocked() (err error) {
 	// [upstream.Upstream] implementations.
 
 	if s.dnsProxy != nil {
-		err = s.dnsProxy.Stop()
+		// TODO(e.burkov):  Use context properly.
+		err = s.dnsProxy.Shutdown(context.Background())
 		if err != nil {
 			log.Error("dnsforward: closing primary resolvers: %s", err)
 		}
 	}
 
 	logCloserErr(s.internalProxy.UpstreamConfig, "dnsforward: closing internal resolvers: %s")
-	logCloserErr(s.localResolvers.UpstreamConfig, "dnsforward: closing local resolvers: %s")
+	if s.localResolvers != nil {
+		logCloserErr(s.localResolvers.UpstreamConfig, "dnsforward: closing local resolvers: %s")
+	}
 
 	for _, b := range s.bootResolvers {
 		logCloserErr(b, "dnsforward: closing bootstrap %s: %s", b.Address())
@@ -841,6 +858,8 @@ func (s *Server) Reconfigure(conf *ServerConfig) error {
 		}
 	}
 
+	// TODO(e.burkov):  It seems an error here brings the server down, which is
+	// not reliable enough.
 	err = s.Prepare(conf)
 	if err != nil {
 		return fmt.Errorf("could not reconfigure the server: %w", err)

internal/dnsforward/dnsforward_test.go

@@ -5,9 +5,11 @@ import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"math/big"
@@ -63,8 +65,7 @@ func startDeferStop(t *testing.T, s *Server) {
 	t.Helper()
 
 	err := s.Start()
-	require.NoErrorf(t, err, "failed to start server: %s", err)
-
+	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, s.Stop)
 }
 
@@ -72,7 +73,6 @@ func createTestServer(
 	t *testing.T,
 	filterConf *filtering.Config,
 	forwardConf ServerConfig,
-	localUps upstream.Upstream,
 ) (s *Server) {
 	t.Helper()
 
@@ -82,7 +82,8 @@ func createTestServer(
 @@||whitelist.example.org^
 ||127.0.0.255`
 	filters := []filtering.Filter{{
-		ID: 0, Data: []byte(rules),
+		ID:   0,
+		Data: []byte(rules),
 	}}
 
 	f, err := filtering.New(filterConf, filters)
@@ -105,19 +106,6 @@ func createTestServer(
 	err = s.Prepare(&forwardConf)
 	require.NoError(t, err)
 
-	s.serverLock.Lock()
-	defer s.serverLock.Unlock()
-
-	// TODO(e.burkov):  Try to move it higher.
-	if localUps != nil {
-		ups := []upstream.Upstream{localUps}
-		s.localResolvers.UpstreamConfig.Upstreams = ups
-		s.conf.UsePrivateRDNS = true
-		s.dnsProxy.PrivateRDNSUpstreamConfig = &proxy.UpstreamConfig{
-			Upstreams: ups,
-		}
-	}
-
 	return s
 }
 
@@ -181,7 +169,7 @@ func createTestTLS(t *testing.T, tlsConf TLSConfig) (s *Server, certPem []byte)
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 
 	tlsConf.CertificateChainData, tlsConf.PrivateKeyData = certPem, keyPem
 	s.conf.TLSConfig = tlsConf
@@ -310,7 +298,7 @@ func TestServer(t *testing.T) {
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
 
@@ -410,7 +398,7 @@ func TestServerWithProtectionDisabled(t *testing.T) {
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
 
@@ -490,7 +478,7 @@ func TestServerRace(t *testing.T) {
 		ConfigModified: func() {},
 		ServePlainDNS:  true,
 	}
-	s := createTestServer(t, filterConf, forwardConf, nil)
+	s := createTestServer(t, filterConf, forwardConf)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{newGoogleUpstream()}
 	startDeferStop(t, s)
 
@@ -545,7 +533,7 @@ func TestSafeSearch(t *testing.T) {
 		},
 		ServePlainDNS: true,
 	}
-	s := createTestServer(t, filterConf, forwardConf, nil)
+	s := createTestServer(t, filterConf, forwardConf)
 	startDeferStop(t, s)
 
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP).String()
@@ -628,7 +616,7 @@ func TestInvalidRequest(t *testing.T) {
 			},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 	startDeferStop(t, s)
 
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP).String()
@@ -662,7 +650,7 @@ func TestBlockedRequest(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{
 		ProtectionEnabled: true,
 		BlockingMode:      filtering.BlockingModeDefault,
-	}, forwardConf, nil)
+	}, forwardConf)
 	startDeferStop(t, s)
 
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP)
@@ -698,7 +686,7 @@ func TestServerCustomClientUpstream(t *testing.T) {
 	}
 	s := createTestServer(t, &filtering.Config{
 		BlockingMode: filtering.BlockingModeDefault,
-	}, forwardConf, nil)
+	}, forwardConf)
 
 	ups := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
 		atomic.AddUint32(&upsCalledCounter, 1)
@@ -773,7 +761,7 @@ func TestBlockCNAMEProtectionEnabled(t *testing.T) {
 			},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 	testUpstm := &aghtest.Upstream{
 		CName: testCNAMEs,
 		IPv4:  testIPv4,
@@ -811,7 +799,7 @@ func TestBlockCNAME(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{
 		ProtectionEnabled: true,
 		BlockingMode:      filtering.BlockingModeDefault,
-	}, forwardConf, nil)
+	}, forwardConf)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
 		&aghtest.Upstream{
 			CName: testCNAMEs,
@@ -886,7 +874,7 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 	}
 	s := createTestServer(t, &filtering.Config{
 		BlockingMode: filtering.BlockingModeDefault,
-	}, forwardConf, nil)
+	}, forwardConf)
 	s.conf.UpstreamConfig.Upstreams = []upstream.Upstream{
 		&aghtest.Upstream{
 			CName: testCNAMEs,
@@ -933,7 +921,7 @@ func TestNullBlockedRequest(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{
 		ProtectionEnabled: true,
 		BlockingMode:      filtering.BlockingModeNullIP,
-	}, forwardConf, nil)
+	}, forwardConf)
 	startDeferStop(t, s)
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP)
 
@@ -1054,7 +1042,7 @@ func TestBlockedByHosts(t *testing.T) {
 	s := createTestServer(t, &filtering.Config{
 		ProtectionEnabled: true,
 		BlockingMode:      filtering.BlockingModeDefault,
-	}, forwardConf, nil)
+	}, forwardConf)
 	startDeferStop(t, s)
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP)
 
@@ -1102,7 +1090,7 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 		},
 		ServePlainDNS: true,
 	}
-	s := createTestServer(t, filterConf, forwardConf, nil)
+	s := createTestServer(t, filterConf, forwardConf)
 	startDeferStop(t, s)
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP)
 
@@ -1330,6 +1318,7 @@ func TestPTRResponseFromHosts(t *testing.T) {
 
 	var eventsCalledCounter uint32
 	hc, err := aghnet.NewHostsContainer(testFS, &aghtest.FSWatcher{
+		OnStart: func() (_ error) { panic("not implemented") },
 		OnEvents: func() (e <-chan struct{}) {
 			assert.Equal(t, uint32(1), atomic.AddUint32(&eventsCalledCounter, 1))
 
@@ -1481,6 +1470,8 @@ func TestServer_Exchange(t *testing.T) {
 		onesIP  = netip.MustParseAddr("1.1.1.1")
 		twosIP  = netip.MustParseAddr("2.2.2.2")
 		localIP = netip.MustParseAddr("192.168.1.1")
+
+		pt = testutil.PanicT{}
 	)
 
 	onesRevExtIPv4, err := netutil.IPToReversedAddr(onesIP.AsSlice())
@@ -1489,72 +1480,73 @@ func TestServer_Exchange(t *testing.T) {
 	twosRevExtIPv4, err := netutil.IPToReversedAddr(twosIP.AsSlice())
 	require.NoError(t, err)
 
-	extUpstream := &aghtest.UpstreamMock{
-		OnAddress: func() (addr string) { return "external.upstream.example" },
-		OnExchange: func(req *dns.Msg) (resp *dns.Msg, err error) {
-			return aghalg.Coalesce(
-				aghtest.MatchedResponse(req, dns.TypePTR, onesRevExtIPv4, onesHost),
-				doubleTTL(aghtest.MatchedResponse(req, dns.TypePTR, twosRevExtIPv4, twosHost)),
-				new(dns.Msg).SetRcode(req, dns.RcodeNameError),
-			), nil
-		},
-	}
+	extUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		resp := aghalg.Coalesce(
+			aghtest.MatchedResponse(req, dns.TypePTR, onesRevExtIPv4, dns.Fqdn(onesHost)),
+			doubleTTL(aghtest.MatchedResponse(req, dns.TypePTR, twosRevExtIPv4, dns.Fqdn(twosHost))),
+			new(dns.Msg).SetRcode(req, dns.RcodeNameError),
+		)
+
+		require.NoError(pt, w.WriteMsg(resp))
+	})
+	upsAddr := aghtest.StartLocalhostUpstream(t, extUpsHdlr).String()
 
 	revLocIPv4, err := netutil.IPToReversedAddr(localIP.AsSlice())
 	require.NoError(t, err)
 
-	locUpstream := &aghtest.UpstreamMock{
-		OnAddress: func() (addr string) { return "local.upstream.example" },
-		OnExchange: func(req *dns.Msg) (resp *dns.Msg, err error) {
-			return aghalg.Coalesce(
-				aghtest.MatchedResponse(req, dns.TypePTR, revLocIPv4, localDomainHost),
-				new(dns.Msg).SetRcode(req, dns.RcodeNameError),
-			), nil
-		},
-	}
+	locUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		resp := aghalg.Coalesce(
+			aghtest.MatchedResponse(req, dns.TypePTR, revLocIPv4, dns.Fqdn(localDomainHost)),
+			new(dns.Msg).SetRcode(req, dns.RcodeNameError),
+		)
 
-	errUpstream := aghtest.NewErrorUpstream()
-	nonPtrUpstream := aghtest.NewBlockUpstream("some-host", true)
-	refusingUpstream := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
-		return new(dns.Msg).SetRcode(req, dns.RcodeRefused), nil
+		require.NoError(pt, w.WriteMsg(resp))
 	})
-	zeroTTLUps := &aghtest.UpstreamMock{
-		OnAddress: func() (addr string) { return "zero.ttl.example" },
-		OnExchange: func(req *dns.Msg) (resp *dns.Msg, err error) {
-			resp = new(dns.Msg).SetReply(req)
-			hdr := dns.RR_Header{
-				Name:   req.Question[0].Name,
-				Rrtype: dns.TypePTR,
-				Class:  dns.ClassINET,
-				Ttl:    0,
-			}
-			resp.Answer = []dns.RR{&dns.PTR{
-				Hdr: hdr,
-				Ptr: localDomainHost,
-			}}
 
-			return resp, nil
-		},
-	}
+	errUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		require.NoError(pt, w.WriteMsg(new(dns.Msg).SetRcode(req, dns.RcodeServerFailure)))
+	})
 
-	srv := &Server{
-		recDetector: newRecursionDetector(0, 1),
-		internalProxy: &proxy.Proxy{
-			Config: proxy.Config{
-				UpstreamConfig: &proxy.UpstreamConfig{
-					Upstreams: []upstream.Upstream{extUpstream},
+	nonPtrHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		hash := sha256.Sum256([]byte("some-host"))
+		resp := (&dns.Msg{
+			Answer: []dns.RR{&dns.TXT{
+				Hdr: dns.RR_Header{
+					Name:   req.Question[0].Name,
+					Rrtype: dns.TypeTXT,
+					Class:  dns.ClassINET,
+					Ttl:    60,
 				},
-			},
-		},
-	}
-	srv.conf.UsePrivateRDNS = true
-	srv.privateNets = netutil.SubnetSetFunc(netutil.IsLocallyServed)
-	require.NoError(t, srv.internalProxy.Init())
+				Txt: []string{hex.EncodeToString(hash[:])},
+			}},
+		}).SetReply(req)
+
+		require.NoError(pt, w.WriteMsg(resp))
+	})
+	refusingHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		require.NoError(pt, w.WriteMsg(new(dns.Msg).SetRcode(req, dns.RcodeRefused)))
+	})
+
+	zeroTTLHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		resp := (&dns.Msg{
+			Answer: []dns.RR{&dns.PTR{
+				Hdr: dns.RR_Header{
+					Name:   req.Question[0].Name,
+					Rrtype: dns.TypePTR,
+					Class:  dns.ClassINET,
+					Ttl:    0,
+				},
+				Ptr: dns.Fqdn(localDomainHost),
+			}},
+		}).SetReply(req)
+
+		require.NoError(pt, w.WriteMsg(resp))
+	})
 
 	testCases := []struct {
 		req         netip.Addr
 		wantErr     error
-		locUpstream upstream.Upstream
+		locUpstream dns.Handler
 		name        string
 		want        string
 		wantTTL     time.Duration
@@ -1569,35 +1561,35 @@ func TestServer_Exchange(t *testing.T) {
 		name:        "local_good",
 		want:        localDomainHost,
 		wantErr:     nil,
-		locUpstream: locUpstream,
+		locUpstream: locUpsHdlr,
 		req:         localIP,
 		wantTTL:     defaultTTL,
 	}, {
 		name:        "upstream_error",
 		want:        "",
-		wantErr:     aghtest.ErrUpstream,
-		locUpstream: errUpstream,
+		wantErr:     ErrRDNSFailed,
+		locUpstream: errUpsHdlr,
 		req:         localIP,
 		wantTTL:     0,
 	}, {
 		name:        "empty_answer_error",
 		want:        "",
 		wantErr:     ErrRDNSNoData,
-		locUpstream: locUpstream,
+		locUpstream: locUpsHdlr,
 		req:         netip.MustParseAddr("192.168.1.2"),
 		wantTTL:     0,
 	}, {
 		name:        "invalid_answer",
 		want:        "",
 		wantErr:     ErrRDNSNoData,
-		locUpstream: nonPtrUpstream,
+		locUpstream: nonPtrHdlr,
 		req:         localIP,
 		wantTTL:     0,
 	}, {
 		name:        "refused",
 		want:        "",
 		wantErr:     ErrRDNSFailed,
-		locUpstream: refusingUpstream,
+		locUpstream: refusingHdlr,
 		req:         localIP,
 		wantTTL:     0,
 	}, {
@@ -1611,23 +1603,28 @@ func TestServer_Exchange(t *testing.T) {
 		name:        "zero_ttl",
 		want:        localDomainHost,
 		wantErr:     nil,
-		locUpstream: zeroTTLUps,
+		locUpstream: zeroTTLHdlr,
 		req:         localIP,
 		wantTTL:     0,
 	}}
 
 	for _, tc := range testCases {
-		pcfg := proxy.Config{
-			UpstreamConfig: &proxy.UpstreamConfig{
-				Upstreams: []upstream.Upstream{tc.locUpstream},
-			},
-		}
-		srv.localResolvers = &proxy.Proxy{
-			Config: pcfg,
-		}
-		require.NoError(t, srv.localResolvers.Init())
+		localUpsAddr := aghtest.StartLocalhostUpstream(t, tc.locUpstream).String()
 
 		t.Run(tc.name, func(t *testing.T) {
+			srv := createTestServer(t, &filtering.Config{
+				BlockingMode: filtering.BlockingModeDefault,
+			}, ServerConfig{
+				Config: Config{
+					UpstreamDNS:      []string{upsAddr},
+					UpstreamMode:     UpstreamModeLoadBalance,
+					EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+				},
+				LocalPTRResolvers: []string{localUpsAddr},
+				UsePrivateRDNS:    true,
+				ServePlainDNS:     true,
+			})
+
 			host, ttl, eerr := srv.Exchange(tc.req)
 
 			require.ErrorIs(t, eerr, tc.wantErr)
@@ -1637,8 +1634,17 @@ func TestServer_Exchange(t *testing.T) {
 	}
 
 	t.Run("resolving_disabled", func(t *testing.T) {
-		srv.conf.UsePrivateRDNS = false
-		t.Cleanup(func() { srv.conf.UsePrivateRDNS = true })
+		srv := createTestServer(t, &filtering.Config{
+			BlockingMode: filtering.BlockingModeDefault,
+		}, ServerConfig{
+			Config: Config{
+				UpstreamDNS:      []string{upsAddr},
+				UpstreamMode:     UpstreamModeLoadBalance,
+				EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
+			},
+			LocalPTRResolvers: []string{},
+			ServePlainDNS:     true,
+		})
 
 		host, _, eerr := srv.Exchange(localIP)
 

internal/dnsforward/dnsrewrite_test.go

@@ -42,7 +42,7 @@ func TestServer_FilterDNSRewrite(t *testing.T) {
 			EDNSClientSubnet: &EDNSClientSubnet{Enabled: false},
 		},
 		ServePlainDNS: true,
-	}, nil)
+	})
 
 	makeQ := func(qtype rules.RRType) (req *dns.Msg) {
 		return &dns.Msg{

internal/dnsforward/filter.go

@@ -4,6 +4,7 @@ import (
 	"encoding/binary"
 	"fmt"
 	"net"
+	"slices"
 	"strings"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
@@ -12,7 +13,6 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
-	"golang.org/x/exp/slices"
 )
 
 // beforeRequestHandler is the handler that is called before any other