cherry-pick: 5959-fix-error-days

Updates #5959. * commit '4b9264531be50e81fe610050a12827b71bc3a9cd': clients: use constant a day in milliseconds clients: fix lint fix error days
all: sync with master; upd chlog
2023-07-03 14:38:16 +03:00 · 2023-07-03 14:10:40 +03:00 · 2023-06-13 17:04:47 +03:00 · 2023-06-08 19:48:01 +03:00 · 2023-06-07 20:04:01 +03:00 · 2023-04-18 16:56:12 +03:00
67 changed files with 1438 additions and 8227 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,15 +14,25 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA

-## [v0.107.33] - 2023-06-28 (APPROX.)
+## [v0.107.34] - 2023-07-26 (APPROX.)

-See also the [v0.107.33 GitHub milestone][ms-v0.107.33].
+See also the [v0.107.34 GitHub milestone][ms-v0.107.34].

-[ms-v0.107.33]: https://github.com/AdguardTeam/AdGuardHome/milestone/68?closed=1
+[ms-v0.107.34]: https://github.com/AdguardTeam/AdGuardHome/milestone/69?closed=1

 NOTE: Add new changes BELOW THIS COMMENT.
 -->

+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+
+
+## [v0.107.33] - 2023-07-03
+
+See also the [v0.107.33 GitHub milestone][ms-v0.107.33].
+
 ### Added

 - The new command-line flag `--web-addr` is the address to serve the web UI on,
@@ -37,8 +47,27 @@ NOTE: Add new changes BELOW THIS COMMENT.

 #### Configuration Changes

-In this release, the schema version has changed from 20 to 22.
+In this release, the schema version has changed from 20 to 23.

+- Properties `bind_host`, `bind_port`, and `web_session_ttl` which used to setup
+  web UI binding configuration, are now moved to a new object `http` containing
+  new properties `address` and `session_ttl`:
+
+  ```yaml
+  # BEFORE:
+  'bind_host': '1.2.3.4'
+  'bind_port': 8080
+  'web_session_ttl': 720
+
+  # AFTER:
+  'http':
+    'address': '1.2.3.4:8080'
+    'session_ttl': '720h'
+  ```
+
+  Note that the new `http.session_ttl` property is now a duration string.  To
+  rollback this change, remove the new object `http`, set back `bind_host`,
+  `bind_port`, `web_session_ttl`,  and change the `schema_version` back to `22`.
 - Property `clients.persistent.blocked_services`, which in schema versions 21
  and earlier used to be a list containing ids of blocked services, is now an
  object containing ids and schedule for blocked services:
@@ -118,14 +147,20 @@ In this release, the schema version has changed from 20 to 22.

 ### Deprecated

+- `HEALTHCHECK` and `ENTRYPOINT` sections in `Dockerfile` ([#5939]).  They cause
+  a lot of issues, especially with tools like `docker-compose` and `podman`, and
+  will be removed in a future release.
 - Flags `-h`, `--host`, `-p`, `--port` have been deprecated.  The `-h` flag
  will work as an alias for `--help`, instead of the deprecated `--host` in the
  future releases.

 ### Fixed

+- Ignoring of `/etc/hosts` file when resolving the hostnames of upstream DNS
+  servers ([#5902]).
 - Excessive error logging when using DNS-over-QUIC ([#5285]).
- Cannot set `bind_host` in AdGuardHome.yaml (docker version)([#4231], [#4235]).
+- Inability to set `bind_host` in `AdGuardHome.yaml` in Docker ([#4231],
+  [#4235]).
 - The blocklists can now be deleted properly ([#5700]).
 - Queries with the question-section target `.`, for example `NS .`, are now
  counted in the statistics and correctly shown in the query log ([#5910]).
@@ -138,12 +173,12 @@ In this release, the schema version has changed from 20 to 22.
 [#4235]: https://github.com/AdguardTeam/AdGuardHome/pull/4235
 [#5285]: https://github.com/AdguardTeam/AdGuardHome/issues/5285
 [#5700]: https://github.com/AdguardTeam/AdGuardHome/issues/5700
+[#5902]: https://github.com/AdguardTeam/AdGuardHome/issues/5902
 [#5910]: https://github.com/AdguardTeam/AdGuardHome/issues/5910
 [#5913]: https://github.com/AdguardTeam/AdGuardHome/issues/5913
+[#5939]: https://github.com/AdguardTeam/AdGuardHome/discussions/5939

-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
-->
+[ms-v0.107.33]: https://github.com/AdguardTeam/AdGuardHome/milestone/68?closed=1



@@ -2125,11 +2160,12 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].


 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.33...HEAD
-[v0.107.33]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.32...v0.107.33
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.34...HEAD
+[v0.107.34]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.33...v0.107.34
 -->

-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.32...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.33...HEAD
+[v0.107.33]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.32...v0.107.33
 [v0.107.32]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.31...v0.107.32
 [v0.107.31]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.30...v0.107.31
 [v0.107.30]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.29...v0.107.30
--- a/3
+++ b/3
@@ -37,8 +37,6 @@ SIGN = 1
 VERSION = v0.0.0
 YARN = yarn

-NEXTAPI = 0
-
 # Macros for the build-release target.  If FRONTEND_PREBUILT is 0, the
 # default, the macro $(BUILD_RELEASE_DEPS_$(FRONTEND_PREBUILT)) expands
 # into BUILD_RELEASE_DEPS_0, and so both frontend and backend
@@ -66,7 +64,6 @@ ENV = env\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
-	NEXTAPI='$(NEXTAPI)'\
 	VERBOSE="$(VERBOSE.MACRO)"\
 	VERSION='$(VERSION)'\

--- a/client/src/__locales/vi.json
+++ b/client/src/__locales/vi.json
@@ -1,5 +1,5 @@
 {
-    "client_settings": "Cài đặt máy khách",
+    "client_settings": "Cài đặt thiết bị",
    "example_upstream_reserved": "ngược dòng <0>cho các miền cụ thể</0>;",
    "example_upstream_comment": "một lời bình luận.",
    "upstream_parallel": "Sử dụng truy vấn song song để tăng tốc độ giải quyết bằng cách truy vấn đồng thời tất cả các máy chủ ngược tuyến",
--- a/client/src/__locales/zh-hk.json
+++ b/client/src/__locales/zh-hk.json
@@ -513,6 +513,7 @@
    "statistics_clear_confirm": "您確定要清除統計資料嗎？",
    "statistics_retention_confirm": "您確定要更改統計資料保存時間嗎？如果您縮短期限部分資料可能將會遺失",
    "statistics_cleared": "已清除統計資料",
+    "statistics_enable": "啟用統計數據",
    "interval_hours": "{{count}} 小時",
    "interval_hours_plural": "{{count}} 小時",
    "filters_configuration": "過濾器設定",
--- a/client/src/components/Dashboard/Counters.js
+++ b/client/src/components/Dashboard/Counters.js
@@ -6,7 +6,7 @@ import { shallowEqual, useSelector } from 'react-redux';
 import Card from '../ui/Card';
 import { formatNumber } from '../../helpers/helpers';
 import LogsSearchLink from '../ui/LogsSearchLink';
-import { RESPONSE_FILTER } from '../../helpers/constants';
+import { RESPONSE_FILTER, DAY } from '../../helpers/constants';
 import Tooltip from '../ui/Tooltip';

 const Row = ({
@@ -54,12 +54,12 @@ const Counters = ({ refreshButton, subtitle }) => {
        avgProcessingTime,
    } = useSelector((state) => state.stats, shallowEqual);
    const { t } = useTranslation();
-
+    const days = interval / DAY;
    const rows = [
        {
            label: 'dns_query',
            count: numDnsQueries,
-            tooltipTitle: interval === 1 ? 'number_of_dns_query_24_hours' : t('number_of_dns_query_days', { count: interval }),
+            tooltipTitle: days === 1 ? 'number_of_dns_query_24_hours' : t('number_of_dns_query_days', { count: days }),
            response_status: RESPONSE_FILTER.ALL.QUERY,
        },
        {
--- a/client/src/helpers/trackers/trackers.json
+++ b/client/src/helpers/trackers/trackers.json
@@ -1,5 +1,5 @@
 {
-    "timeUpdated": "2023-06-26T13:46:24.414Z",
+    "timeUpdated": "2023-07-01T00:11:37.465Z",
    "categories": {
        "0": "audio_video_player",
        "1": "comments",
@@ -3348,6 +3348,13 @@
            "url": "https://www.microsoft.com/",
            "companyId": "microsoft"
        },
+        "binge": {
+            "name": "Binge",
+            "categoryId": 0,
+            "url": "https://binge.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "binlayer": {
            "name": "BinLayer",
            "categoryId": 4,
@@ -7164,6 +7171,13 @@
            "url": "http://flagcounter.com/",
            "companyId": "flag_counter"
        },
+        "flash": {
+            "name": "Flash",
+            "categoryId": 0,
+            "url": "https://flashnews.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "flashtalking": {
            "name": "Flashtalking",
            "categoryId": 4,
@@ -7369,6 +7383,13 @@
            "url": "https://publishers.foxaudiencenetwork.com/",
            "companyId": "fox_audience_network"
        },
+        "fox_sports": {
+            "name": "Fox Sports",
+            "categoryId": 0,
+            "url": "https://foxsports.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "foxnews_static": {
            "name": "Fox News CDN",
            "categoryId": 9,
@@ -7381,6 +7402,13 @@
            "url": "https://www.foxpush.com/",
            "companyId": "foxpush"
        },
+        "foxtel": {
+            "name": "Foxtel",
+            "categoryId": 0,
+            "url": "https://foxtel.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "foxydeal_com": {
            "name": "foxydeal.com",
            "categoryId": 12,
@@ -7983,12 +8011,40 @@
            "url": "http://www.google.com",
            "companyId": "google"
        },
+        "google_auth": {
+            "name": "Google Auth",
+            "categoryId": 2,
+            "url": "https://myaccount.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_beacons": {
            "name": "Google Beacons",
            "categoryId": 6,
            "url": "https://google.xyz",
            "companyId": "google"
        },
+        "google_chat": {
+            "name": "Google Chat",
+            "categoryId": 7,
+            "url": "https://mail.google.com/chat/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_cloud_platform": {
+            "name": "Google Cloud Platform",
+            "categoryId": 10,
+            "url": "https://cloud.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_cloud_storage": {
+            "name": "Google Cloud Storage",
+            "categoryId": 10,
+            "url": "https://cloud.google.com/storage/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_custom_search": {
            "name": "Google Custom Search Ads",
            "categoryId": 4,
@@ -8001,6 +8057,27 @@
            "url": "https://programmablesearchengine.google.com/about/",
            "companyId": "google"
        },
+        "google_dns": {
+            "name": "Google DNS",
+            "categoryId": 10,
+            "url": "hhttps://dns.google/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_domains": {
+            "name": "Google Domains",
+            "categoryId": 10,
+            "url": "https://domains.google/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_edge": {
+            "name": "Google Edge CDN",
+            "categoryId": 9,
+            "url": "https://peering.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_email": {
            "name": "Google Email",
            "categoryId": 13,
@@ -8013,12 +8090,47 @@
            "url": "https://fonts.google.com/",
            "companyId": "google"
        },
+        "google_hosted": {
+            "name": "Google Hosted",
+            "categoryId": 10,
+            "url": "https://workspace.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_ima": {
            "name": "Google IMA",
            "categoryId": 4,
            "url": "http://www.google.com",
            "companyId": "google"
        },
+        "google_location": {
+            "name": "Google Location",
+            "categoryId": 8,
+            "url": "https://patents.google.com/patent/WO2007025143A1/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_maps": {
+            "name": "Google Maps",
+            "categoryId": 2,
+            "url": "https://www.google.com/maps/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_marketing": {
+            "name": "Google Marketing",
+            "categoryId": 6,
+            "url": "https://marketingplatform.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
+        "google_meet": {
+            "name": "Google Meet",
+            "categoryId": 2,
+            "url": "https://meet.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_photos": {
            "name": "Google Photos",
            "categoryId": 9,
@@ -8031,6 +8143,13 @@
            "url": "http://www.google.com",
            "companyId": "google"
        },
+        "google_play": {
+            "name": "Google Play",
+            "categoryId": 8,
+            "url": "https://play.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_plus": {
            "name": "Google+ Platform",
            "categoryId": 7,
@@ -8110,6 +8229,13 @@
            "url": "http://www.google.com",
            "companyId": "google"
        },
+        "google_voice": {
+            "name": "Google Voice",
+            "categoryId": 2,
+            "url": "https://voice.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "google_website_optimizer": {
            "name": "Google Website Optimizer",
            "categoryId": 6,
@@ -8122,6 +8248,13 @@
            "url": "http://www.google.com",
            "companyId": "google"
        },
+        "google_workspace": {
+            "name": "Google Workspace",
+            "categoryId": 2,
+            "url": "https://workspace.google.com/",
+            "companyId": "google",
+            "source": "AdGuard"
+        },
        "googleapis.com": {
            "name": "Google APIs",
            "categoryId": 9,
@@ -9766,6 +9899,13 @@
            "url": "http://kavanga.ru/",
            "companyId": "kavanga"
        },
+        "kayo_sports": {
+            "name": "Kayo Sports",
+            "categoryId": 0,
+            "url": "https://kayosports.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "keen_io": {
            "name": "Keen IO",
            "categoryId": 6,
@@ -13093,6 +13233,13 @@
            "url": "http://perfectmarket.com/",
            "companyId": "perfect_market"
        },
+        "perfops": {
+            "name": "PerfOps",
+            "categoryId": 6,
+            "url": "https://perfops.net/",
+            "companyId": "perfops",
+            "source": "AdGuard"
+        },
        "perform_group": {
            "name": "Perform Group",
            "categoryId": 5,
@@ -16484,6 +16631,13 @@
            "url": "http://www.streak.com/",
            "companyId": "streak"
        },
+        "streamotion": {
+            "name": "Streamotion",
+            "categoryId": 0,
+            "url": "https://streamotion.com.au/",
+            "companyId": "foxtel",
+            "source": "AdGuard"
+        },
        "streamrail.com": {
            "name": "StreamRail",
            "categoryId": 4,
@@ -20598,6 +20752,7 @@
        "bing.com": "bing_ads",
        "bing.net": "bing_ads",
        "virtualearth.net": "bing_maps",
+        "binge.com.au": "binge",
        "view.binlayer.com": "binlayer",
        "widgets.binotel.com": "binotel",
        "esendra.fi": "bisnode",
@@ -21212,6 +21367,7 @@
        "2mdn.net": "doubleclick",
        "doubleclick.net": "doubleclick",
        "invitemedia.com": "doubleclick",
+        "doubleclick.com": "doubleclick",
        "doublepimp.com": "doublepimp",
        "doublepimpssl.com": "doublepimp",
        "redcourtside.com": "doublepimp",
@@ -21435,12 +21591,28 @@
        "findizer.fr": "findizer.fr",
        "findologic.com": "findologic.com",
        "app-measurement.com": "firebase",
+        "fcm.googleapis.com": "firebase",
+        "firebaseappcheck.googleapis.com": "firebase",
+        "firebaseapp.com": "firebase",
+        "firebase.com": "firebase",
+        "firebasedynamiclinks.googleapis.com": "firebase",
+        "firebasedynamiclinks-ipv4.googleapis.com": "firebase",
+        "firebasedynamiclinks-ipv6.googleapis.com": "firebase",
+        "firebase.googleapis.com": "firebase",
+        "firebase.google.com": "firebase",
+        "firebaseinappmessaging.googleapis.com": "firebase",
+        "firebaseinstallations.googleapis.com": "firebase",
+        "firebaselogging.googleapis.com": "firebase",
+        "firebaselogging-pa.googleapis.com": "firebase",
+        "firebaseperusertopics-pa.googleapis.com": "firebase",
+        "firebaseremoteconfig.googleapis.com": "firebase",
        "firebaseio.com": "firebaseio.com",
        "firstimpression.io": "first_impression",
        "fitanalytics.com": "fit_analytics",
        "fivetran.com": "fivetran",
        "flagads.net": "flag_ads",
        "flagcounter.com": "flag_counter",
+        "flashnews.com.au": "flash",
        "flashtalking.com": "flashtalking",
        "flattr.com": "flattr_button",
        "flexlinks.com": "flexoffers",
@@ -21486,9 +21658,11 @@
        "platform.foursquare.com": "foursquare_widget",
        "fout.jp": "fout.jp",
        "fimserve.com": "fox_audience_network",
+        "foxsports.com.au": "fox_sports",
        "fncstatic.com": "foxnews_static",
        "cdn.foxpush.net": "foxpush",
        "foxpush.com": "foxpush",
+        "foxtel.com.au": "foxtel",
        "foxydeal.com": "foxydeal_com",
        "yabidos.com": "fraudlogix",
        "besucherstatistiken.com": "free_counter",
@@ -21649,15 +21823,287 @@
        "google.ru": "google",
        "google.se": "google",
        "google.tn": "google",
+        "1e100.net": "google",
+        "agnss.goog": "google",
+        "channel.status.request.url": "google",
+        "g.cn": "google",
+        "g.co": "google",
+        "google.ad": "google",
+        "google.ae": "google",
+        "google.al": "google",
+        "google.am": "google",
+        "googleapis.cn": "google",
+        "google.as": "google",
+        "google.az": "google",
+        "google.ba": "google",
+        "google.bf": "google",
+        "google.bg": "google",
+        "google.bi": "google",
+        "google.bj": "google",
+        "google.bs": "google",
+        "google.bt": "google",
+        "google.by": "google",
+        "google.cat": "google",
+        "google.cd": "google",
+        "google.cf": "google",
+        "google.cg": "google",
+        "google.ci": "google",
+        "google.cl": "google",
+        "google.cm": "google",
+        "google.cn": "google",
+        "google.co.ao": "google",
+        "google.co.bw": "google",
+        "google.co.ck": "google",
+        "google.co.cr": "google",
+        "googlecode.com": "google",
+        "google.co.il": "google",
+        "google.co.ke": "google",
+        "google.co.kr": "google",
+        "google.co.ls": "google",
+        "google.com.af": "google",
+        "google.com.ag": "google",
+        "google.com.ai": "google",
+        "google.com.bd": "google",
+        "google.com.bh": "google",
+        "google.com.bn": "google",
+        "google.com.bo": "google",
+        "google.com.bz": "google",
+        "google.com.co": "google",
+        "google.com.cu": "google",
+        "google.com.cy": "google",
+        "google.com.ec": "google",
+        "google.com.eg": "google",
+        "google.com.et": "google",
+        "google.com.fj": "google",
+        "google.com.gh": "google",
+        "google.com.gi": "google",
+        "google.com.gt": "google",
+        "google.com.hk": "google",
+        "google.com.jm": "google",
+        "google.com.kh": "google",
+        "google.com.kw": "google",
+        "google.com.lb": "google",
+        "google.com.my": "google",
+        "google.com.na": "google",
+        "google.com.nf": "google",
+        "google.com.ng": "google",
+        "google.com.ni": "google",
+        "google.com.np": "google",
+        "google.com.om": "google",
+        "google.com.pa": "google",
+        "google.com.pe": "google",
+        "google.com.pg": "google",
+        "google.com.ph": "google",
+        "google.com.pk": "google",
+        "google.com.pr": "google",
+        "google.com.py": "google",
+        "google.com.qa": "google",
+        "google.com.sa": "google",
+        "google.com.sb": "google",
+        "google.com.sg": "google",
+        "google.com.sl": "google",
+        "google.com.sv": "google",
+        "google.com.tj": "google",
+        "google.com.uy": "google",
+        "google.com.vc": "google",
+        "google.com.vn": "google",
+        "google.co.mz": "google",
+        "google.co.nz": "google",
+        "google.co.tz": "google",
+        "google.co.ug": "google",
+        "google.co.uz": "google",
+        "google.co.ve": "google",
+        "google.co.vi": "google",
+        "google.co.za": "google",
+        "google.co.zm": "google",
+        "google.co.zw": "google",
+        "google.cv": "google",
+        "google.dj": "google",
+        "google.dm": "google",
+        "googledownloads.cn": "google",
+        "google.ee": "google",
+        "google.fm": "google",
+        "google.ga": "google",
+        "google.ge": "google",
+        "google.gg": "google",
+        "google.gl": "google",
+        "google.gm": "google",
+        "google.gp": "google",
+        "google.gy": "google",
+        "google.hn": "google",
+        "google.hr": "google",
+        "google.ht": "google",
+        "google.im": "google",
+        "google.in": "google",
+        "google.iq": "google",
+        "google.is": "google",
+        "google.je": "google",
+        "google.jo": "google",
+        "google.kg": "google",
+        "google.ki": "google",
+        "google.kz": "google",
+        "google.la": "google",
+        "google.li": "google",
+        "google.lk": "google",
+        "google.lt": "google",
+        "google.lu": "google",
+        "google.lv": "google",
+        "google.md": "google",
+        "google.me": "google",
+        "google.mg": "google",
+        "google.mk": "google",
+        "google.ml": "google",
+        "google.mn": "google",
+        "google.ms": "google",
+        "google.mu": "google",
+        "google.mv": "google",
+        "google.mw": "google",
+        "google.ne": "google",
+        "google.net": "google",
+        "google.nr": "google",
+        "google.nu": "google",
+        "googleoptimize.com": "google",
+        "google.org": "google",
+        "google.pn": "google",
+        "google.ps": "google",
+        "google.rw": "google",
+        "google.sc": "google",
+        "google.sh": "google",
+        "google.si": "google",
+        "google.sk": "google",
+        "google.sm": "google",
+        "google.sn": "google",
+        "google.so": "google",
+        "google.sr": "google",
+        "google.st": "google",
+        "google.td": "google",
+        "google.tg": "google",
+        "google.tk": "google",
+        "google.tl": "google",
+        "google.tm": "google",
+        "google.to": "google",
+        "google.tt": "google",
+        "google.us": "google",
+        "google.vg": "google",
+        "google.vu": "google",
+        "googleweblight.in": "google",
+        "google.ws": "google",
+        "googlezip.net": "google",
+        "gstatic.cn": "google",
+        "news.google.com": "google",
+        "oo.gl": "google",
+        "withgoogle.com": "google",
        "googleadservices.com": "google_adservices",
        "google-analytics.com": "google_analytics",
+        "ssl-google-analytics.l.google.com": "google_analytics",
+        "www-googletagmanager.l.google.com": "google_analytics",
        "appspot.com": "google_appspot",
        "googlehosted.com": "google_appspot",
+        "accounts.google.com": "google_auth",
+        "myaccount.google.com": "google_auth",
+        "oauth2.googleapis.com": "google_auth",
+        "ogs.google.com": "google_auth",
+        "securetoken.googleapis.com": "google_auth",
        "beacons-google.com": "google_beacons",
+        "alt1-mtalk.google.com": "google_chat",
+        "alt2-mtalk.google.com": "google_chat",
+        "alt3-mtalk.google.com": "google_chat",
+        "alt4-mtalk.google.com": "google_chat",
+        "alt5-mtalk.google.com": "google_chat",
+        "alt6-mtalk.google.com": "google_chat",
+        "alt7-mtalk.google.com": "google_chat",
+        "alt8-mtalk.google.com": "google_chat",
+        "chat.google.com": "google_chat",
+        "mobile-gtalk4.l.google.com": "google_chat",
+        "mobile-gtalk.l.google.com": "google_chat",
+        "mtalk4.google.com": "google_chat",
+        "mtalk.google.com": "google_chat",
+        "talk.google.com": "google_chat",
+        "talk.l.google.com": "google_chat",
+        "talkx.l.google.com": "google_chat",
+        "cloud.google.com": "google_cloud_platform",
+        "gcp.gvt2.com": "google_cloud_platform",
+        "storage.googleapis.com": "google_cloud_storage",
        "adsensecustomsearchads.com": "google_custom_search",
+        "dns.google": "google_dns",
+        "dns.google.com": "google_dns",
+        "google-public-dns-a.google.com": "google_dns",
+        "google-public-dns-b.google.com": "google_dns",
+        "domains.google": "google_domains",
+        "googledomains.com": "google_domains",
+        "nic.google": "google_domains",
+        "registry.google": "google_domains",
+        "edge.google.com": "google_edge",
        "mail-ads.google.com": "google_email",
        "fonts.googleapis.com": "google_fonts",
+        "cloudfunctions.net": "google_hosted",
+        "ghs46.googlehosted.com": "google_hosted",
+        "ghs4.googlehosted.com": "google_hosted",
+        "ghs6.googlehosted.com": "google_hosted",
+        "ghs.googlehosted.com": "google_hosted",
+        "googlehosted.l.googleusercontent.com": "google_hosted",
+        "run.app": "google_hosted",
+        "supl.google.com": "google_location",
+        "earth.app.goo.gl": "google_maps",
+        "geo0.ggpht.com": "google_maps",
+        "geo1.ggpht.com": "google_maps",
+        "geo2.ggpht.com": "google_maps",
+        "geo3.ggpht.com": "google_maps",
+        "kh.google.com": "google_maps",
+        "maps.app.goo.gl": "google_maps",
+        "maps.google.ca": "google_maps",
+        "maps.google.ch": "google_maps",
+        "maps.google.co.jp": "google_maps",
+        "maps.google.com": "google_maps",
+        "maps.google.com.mx": "google_maps",
+        "maps.google.co.uk": "google_maps",
+        "maps.google.es": "google_maps",
+        "maps.google.se": "google_maps",
+        "maps.gstatic.com": "google_maps",
+        "adsense.google.com": "google_marketing",
+        "adservice.google.ca": "google_marketing",
+        "adservice.google.co.in": "google_marketing",
+        "adservice.google.co.kr": "google_marketing",
+        "adservice.google.com": "google_marketing",
+        "adservice.google.com.ar": "google_marketing",
+        "adservice.google.com.au": "google_marketing",
+        "adservice.google.com.br": "google_marketing",
+        "adservice.google.com.co": "google_marketing",
+        "adservice.google.com.gt": "google_marketing",
+        "adservice.google.com.mx": "google_marketing",
+        "adservice.google.com.pe": "google_marketing",
+        "adservice.google.com.ph": "google_marketing",
+        "adservice.google.com.pk": "google_marketing",
+        "adservice.google.com.tr": "google_marketing",
+        "adservice.google.com.tw": "google_marketing",
+        "adservice.google.com.vn": "google_marketing",
+        "adservice.google.co.uk": "google_marketing",
+        "adservice.google.co.za": "google_marketing",
+        "adservice.google.de": "google_marketing",
+        "adservice.google.dk": "google_marketing",
+        "adservice.google.es": "google_marketing",
+        "adservice.google.fr": "google_marketing",
+        "adservice.google.nl": "google_marketing",
+        "adservice.google.no": "google_marketing",
+        "adservice.google.pl": "google_marketing",
+        "adservice.google.ru": "google_marketing",
+        "adservice.google.vg": "google_marketing",
+        "dai.google.com": "google_marketing",
+        "doubleclickbygoogle.com": "google_marketing",
+        "googlesyndication-cn.com": "google_marketing",
+        "duo.google.com": "google_meet",
+        "hangouts.clients6.google.com": "google_meet",
+        "hangouts.googleapis.com": "google_meet",
+        "hangouts.google.com": "google_meet",
+        "meet.google.com": "google_meet",
+        "meetings.googleapis.com": "google_meet",
+        "stun1.l.google.com": "google_meet",
+        "stun.l.google.com": "google_meet",
        "ggpht.com": "google_photos",
+        "play-fe.googleapis.com": "google_play",
+        "play.googleapis.com": "google_play",
+        "play.google.com": "google_play",
+        "play-lh.googleusercontent.com": "google_play",
        "1e100cdn.net": "google_servers",
        "gvt1.com": "google_servers",
        "gvt2.com": "google_servers",
@@ -21670,7 +22116,22 @@
        "pki.goog": "google_trust_services",
        "googlecommerce.com": "google_trusted_stores",
        "googleusercontent.com": "google_users",
+        "telephony.goog": "google_voice",
+        "voice.google.com": "google_voice",
        "gmodules.com": "google_widgets",
+        "calendar.google.com": "google_workspace",
+        "contacts.google.com": "google_workspace",
+        "currents.google.com": "google_workspace",
+        "docs.google.com": "google_workspace",
+        "drive.google.com": "google_workspace",
+        "forms.google.com": "google_workspace",
+        "gsuite.google.com": "google_workspace",
+        "jamboard.google.com": "google_workspace",
+        "keep.google.com": "google_workspace",
+        "plus.google.com": "google_workspace",
+        "sheets.google.com": "google_workspace",
+        "slides.google.com": "google_workspace",
+        "spreadsheets.google.com": "google_workspace",
        "googleapis.com": "googleapis.com",
        "gooal.herokuapp.com": "goooal",
        "gooo.al": "goooal",
@@ -22037,6 +22498,7 @@
        "cen.katchup.fr": "katchup",
        "kau.li": "kauli",
        "kavanga.ru": "kavanga",
+        "kayosports.com.au": "kayo_sports",
        "dc8na2hxrj29i.cloudfront.net": "keen_io",
        "keen.io": "keen_io",
        "widget.kelkoo.com": "kelkoo",
@@ -22847,6 +23309,7 @@
        "perfectaudience.com": "perfect_audience",
        "prfct.co": "perfect_audience",
        "perfectmarket.com": "perfect_market",
+        "perfops.io": "perfops",
        "performgroup.com": "perform_group",
        "analytics.performable.com": "performable",
        "performancing.com": "performancing_metrics",
@@ -23652,6 +24115,7 @@
        "bizsolutions.strands.com": "strands_recommender",
        "strava.com": "strava",
        "mailfoogae.appspot.com": "streak",
+        "streamotion.com.au": "streamotion",
        "streamrail.com": "streamrail.com",
        "streamrail.net": "streamrail.com",
        "stridespark.com": "stride",
--- a/docker/web-bind.awk
+++ b/docker/web-bind.awk
@@ -1,13 +1,5 @@
 # Don't consider the HTTPS hostname since the enforced HTTPS redirection should
 # work if the SSL check skipped.  See file docker/healthcheck.sh.
-/^bind_host:/ { host = $2 }
+/^[^[:space:]]/ { is_http = /^http:/ }

-/^bind_port:/ { port = $2 }
-
-END {
-    if (match(host, ":")) {
-        print "http://[" host "]:" port
-     } else {
-        print "http://" host ":" port
-    }
-}
+/^[[:space:]]+address:/ { if (is_http) print "http://" $2 }
--- a/go.mod
+++ b/go.mod
@@ -9,9 +9,7 @@ require (
 	github.com/AdguardTeam/urlfilter v0.16.1
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.7
-	github.com/bluele/gcache v0.0.2
 	github.com/digineo/go-ipset/v2 v2.2.1
-	github.com/dimfeld/httptreemux/v5 v5.5.0
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/go-ping/ping v1.1.0
 	github.com/google/go-cmp v0.5.9
@@ -46,6 +44,7 @@ require (
 	github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 // indirect
 	github.com/ameshkov/dnsstamps v1.0.3 // indirect
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0 // indirect
+	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/mock v1.6.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -29,8 +29,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/digineo/go-ipset/v2 v2.2.1 h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1MX77g=
 github.com/digineo/go-ipset/v2 v2.2.1/go.mod h1:wBsNzJlZlABHUITkesrggFnZQtgW5wkqw1uo8Qxe0VU=
-github.com/dimfeld/httptreemux/v5 v5.5.0 h1:p8jkiMrCuZ0CmhwYLcbNbl7DDo21fozhKHQ2PccwOFQ=
-github.com/dimfeld/httptreemux/v5 v5.5.0/go.mod h1:QeEylH57C0v3VO0tkKraVz9oD3Uu93CKPnTLbsidvSw=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
--- a/internal/aghnet/hostscontainer.go
+++ b/internal/aghnet/hostscontainer.go
@@ -56,15 +56,20 @@ func (rm *requestMatcher) MatchRequest(
 ) (res *urlfilter.DNSResult, ok bool) {
 	switch req.DNSType {
 	case dns.TypeA, dns.TypeAAAA, dns.TypePTR:
-		log.Debug("%s: handling the request for %s", hostsContainerPrefix, req.Hostname)
+		log.Debug(
+			"%s: handling %s request for %s",
+			hostsContainerPrefix,
+			dns.Type(req.DNSType),
+			req.Hostname,
+		)
+
+		rm.stateLock.RLock()
+		defer rm.stateLock.RUnlock()
+
+		return rm.engine.MatchRequest(req)
 	default:
 		return nil, false
 	}
-
-	rm.stateLock.RLock()
-	defer rm.stateLock.RUnlock()
-
-	return rm.engine.MatchRequest(req)
 }

 // Translate returns the source hosts-syntax rule for the generated dnsrewrite
@@ -96,6 +101,8 @@ const hostsContainerPrefix = "hosts container"

 // HostsContainer stores the relevant hosts database provided by the OS and
 // processes both A/AAAA and PTR DNS requests for those.
+//
+// TODO(e.burkov):  Improve API and move to golibs.
 type HostsContainer struct {
 	// requestMatcher matches the requests and translates the rules.  It's
 	// embedded to implement MatchRequest and Translate for *HostsContainer.
--- a/internal/aghtest/interface.go
+++ b/internal/aghtest/interface.go
@@ -1,12 +1,10 @@
 package aghtest

 import (
-	"context"
 	"io/fs"
 	"net"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/miekg/dns"
 )
@@ -118,36 +116,6 @@ func (w *FSWatcher) Close() (err error) {
 	return w.OnClose()
 }

-// Package agh
-
-// type check
-var _ agh.ServiceWithConfig[struct{}] = (*ServiceWithConfig[struct{}])(nil)
-
-// ServiceWithConfig is a mock [agh.ServiceWithConfig] implementation for tests.
-type ServiceWithConfig[ConfigType any] struct {
-	OnStart    func() (err error)
-	OnShutdown func(ctx context.Context) (err error)
-	OnConfig   func() (c ConfigType)
-}
-
-// Start implements the [agh.ServiceWithConfig] interface for
-// *ServiceWithConfig.
-func (s *ServiceWithConfig[_]) Start() (err error) {
-	return s.OnStart()
-}
-
-// Shutdown implements the [agh.ServiceWithConfig] interface for
-// *ServiceWithConfig.
-func (s *ServiceWithConfig[_]) Shutdown(ctx context.Context) (err error) {
-	return s.OnShutdown(ctx)
-}
-
-// Config implements the [agh.ServiceWithConfig] interface for
-// *ServiceWithConfig.
-func (s *ServiceWithConfig[ConfigType]) Config() (c ConfigType) {
-	return s.OnConfig()
-}
-
 // Module dnsproxy

 // Package upstream
--- a/internal/dhcpd/migrate.go
+++ b/internal/dhcpd/migrate.go
@@ -51,6 +51,9 @@ func migrateDB(conf *ServerConfig) (err error) {
 	oldLeasesPath := filepath.Join(conf.WorkDir, dbFilename)
 	dataDirPath := filepath.Join(conf.DataDir, dataFilename)

+	// #nosec G304 -- Trust this path, since it's taken from the old file name
+	// relative to the working directory and should generally be considered
+	// safe.
 	file, err := os.Open(oldLeasesPath)
 	if errors.Is(err, os.ErrNotExist) {
 		// Nothing to migrate.
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -15,7 +15,6 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
-	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -436,102 +435,6 @@ func (s *Server) initDefaultSettings() {
 	}
 }

-// UpstreamHTTPVersions returns the HTTP versions for upstream configuration
-// depending on configuration.
-func UpstreamHTTPVersions(http3 bool) (v []upstream.HTTPVersion) {
-	if !http3 {
-		return upstream.DefaultHTTPVersions
-	}
-
-	return []upstream.HTTPVersion{
-		upstream.HTTPVersion3,
-		upstream.HTTPVersion2,
-		upstream.HTTPVersion11,
-	}
-}
-
-// prepareUpstreamSettings - prepares upstream DNS server settings
-func (s *Server) prepareUpstreamSettings() error {
-	// We're setting a customized set of RootCAs.  The reason is that Go default
-	// mechanism of loading TLS roots does not always work properly on some
-	// routers so we're loading roots manually and pass it here.
-	//
-	// See [aghtls.SystemRootCAs].
-	upstream.RootCAs = s.conf.TLSv12Roots
-	upstream.CipherSuites = s.conf.TLSCiphers
-
-	// Load upstreams either from the file, or from the settings
-	var upstreams []string
-	if s.conf.UpstreamDNSFileName != "" {
-		data, err := os.ReadFile(s.conf.UpstreamDNSFileName)
-		if err != nil {
-			return fmt.Errorf("reading upstream from file: %w", err)
-		}
-
-		upstreams = stringutil.SplitTrimmed(string(data), "\n")
-
-		log.Debug("dns: using %d upstream servers from file %s", len(upstreams), s.conf.UpstreamDNSFileName)
-	} else {
-		upstreams = s.conf.UpstreamDNS
-	}
-
-	httpVersions := UpstreamHTTPVersions(s.conf.UseHTTP3Upstreams)
-	upstreams = stringutil.FilterOut(upstreams, IsCommentOrEmpty)
-	upstreamConfig, err := proxy.ParseUpstreamsConfig(
-		upstreams,
-		&upstream.Options{
-			Bootstrap:    s.conf.BootstrapDNS,
-			Timeout:      s.conf.UpstreamTimeout,
-			HTTPVersions: httpVersions,
-			PreferIPv6:   s.conf.BootstrapPreferIPv6,
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("parsing upstream config: %w", err)
-	}
-
-	if len(upstreamConfig.Upstreams) == 0 {
-		log.Info("warning: no default upstream servers specified, using %v", defaultDNS)
-		var uc *proxy.UpstreamConfig
-		uc, err = proxy.ParseUpstreamsConfig(
-			defaultDNS,
-			&upstream.Options{
-				Bootstrap:    s.conf.BootstrapDNS,
-				Timeout:      s.conf.UpstreamTimeout,
-				HTTPVersions: httpVersions,
-				PreferIPv6:   s.conf.BootstrapPreferIPv6,
-			},
-		)
-		if err != nil {
-			return fmt.Errorf("parsing default upstreams: %w", err)
-		}
-
-		upstreamConfig.Upstreams = uc.Upstreams
-	}
-
-	s.conf.UpstreamConfig = upstreamConfig
-
-	return nil
-}
-
-// setProxyUpstreamMode sets the upstream mode and related settings in conf
-// based on provided parameters.
-func setProxyUpstreamMode(
-	conf *proxy.Config,
-	allServers bool,
-	fastestAddr bool,
-	fastestTimeout time.Duration,
-) {
-	if allServers {
-		conf.UpstreamMode = proxy.UModeParallel
-	} else if fastestAddr {
-		conf.UpstreamMode = proxy.UModeFastestAddr
-		conf.FastestPingTimeout = fastestTimeout
-	} else {
-		conf.UpstreamMode = proxy.UModeLoadBalance
-	}
-}
-
 // prepareIpsetListSettings reads and prepares the ipset configuration either
 // from a file or from the data in the configuration file.
 func (s *Server) prepareIpsetListSettings() (err error) {
@@ -540,6 +443,7 @@ func (s *Server) prepareIpsetListSettings() (err error) {
 		return s.ipset.init(s.conf.IpsetList)
 	}

+	// #nosec G304 -- Trust the path explicitly given by the user.
 	data, err := os.ReadFile(fn)
 	if err != nil {
 		return err
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -466,19 +466,15 @@ func (s *Server) setupResolvers(localAddrs []string) (err error) {

 	log.Debug("dnsforward: upstreams to resolve ptr for local addresses: %v", localAddrs)

-	var upsConfig *proxy.UpstreamConfig
-	upsConfig, err = proxy.ParseUpstreamsConfig(
-		localAddrs,
-		&upstream.Options{
-			Bootstrap: bootstraps,
-			Timeout:   defaultLocalTimeout,
-			// TODO(e.burkov): Should we verify server's certificates?
+	upsConfig, err := s.prepareUpstreamConfig(localAddrs, nil, &upstream.Options{
+		Bootstrap: bootstraps,
+		Timeout:   defaultLocalTimeout,
+		// TODO(e.burkov): Should we verify server's certificates?

-			PreferIPv6: s.conf.BootstrapPreferIPv6,
-		},
-	)
+		PreferIPv6: s.conf.BootstrapPreferIPv6,
+	})
 	if err != nil {
-		return fmt.Errorf("parsing upstreams: %w", err)
+		return fmt.Errorf("parsing private upstreams: %w", err)
 	}

 	s.localResolvers = &proxy.Proxy{
@@ -510,7 +506,8 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) {

 	err = s.prepareUpstreamSettings()
 	if err != nil {
-		return fmt.Errorf("preparing upstream settings: %w", err)
+		// Don't wrap the error, because it's informative enough as is.
+		return err
 	}

 	var proxyConfig proxy.Config
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -633,61 +633,70 @@ func (err domainSpecificTestError) Error() (msg string) {
 	return fmt.Sprintf("WARNING: %s", err.error)
 }

-// checkDNS checks the upstream server defined by upstreamConfigStr using
-// healthCheck for actually exchange messages.  It uses bootstrap to resolve the
-// upstream's address.
-func checkDNS(
-	upstreamConfigStr string,
-	bootstrap []string,
-	bootstrapPrefIPv6 bool,
-	timeout time.Duration,
-	healthCheck healthCheckFunc,
-) (err error) {
-	if IsCommentOrEmpty(upstreamConfigStr) {
-		return nil
+// parseUpstreamLine parses line and creates the [upstream.Upstream] using opts
+// and information from [s.dnsFilter.EtcHosts].  It returns an error if the line
+// is not a valid upstream line, see [upstream.AddressToUpstream].  It's a
+// caller's responsibility to close u.
+func (s *Server) parseUpstreamLine(
+	line string,
+	opts *upstream.Options,
+) (u upstream.Upstream, specific bool, err error) {
+	// Separate upstream from domains list.
+	upstreamAddr, domains, err := separateUpstream(line)
+	if err != nil {
+		return nil, false, fmt.Errorf("wrong upstream format: %w", err)
 	}

-	// Separate upstream from domains list.
-	upstreamAddr, domains, err := separateUpstream(upstreamConfigStr)
-	if err != nil {
-		return fmt.Errorf("wrong upstream format: %w", err)
-	}
+	specific = len(domains) > 0

 	useDefault, err := validateUpstream(upstreamAddr, domains)
 	if err != nil {
-		return fmt.Errorf("wrong upstream format: %w", err)
+		return nil, specific, fmt.Errorf("wrong upstream format: %w", err)
 	} else if useDefault {
-		return nil
-	}
-
-	if len(bootstrap) == 0 {
-		bootstrap = defaultBootstrap
+		return nil, specific, nil
 	}

 	log.Debug("dnsforward: checking if upstream %q works", upstreamAddr)

-	u, err := upstream.AddressToUpstream(upstreamAddr, &upstream.Options{
-		Bootstrap:  bootstrap,
-		Timeout:    timeout,
-		PreferIPv6: bootstrapPrefIPv6,
-	})
+	opts = &upstream.Options{
+		Bootstrap:  opts.Bootstrap,
+		Timeout:    opts.Timeout,
+		PreferIPv6: opts.PreferIPv6,
+	}
+
+	if s.dnsFilter != nil && s.dnsFilter.EtcHosts != nil {
+		resolved := s.resolveUpstreamHost(extractUpstreamHost(upstreamAddr))
+		sortNetIPAddrs(resolved, opts.PreferIPv6)
+		opts.ServerIPAddrs = resolved
+	}
+	u, err = upstream.AddressToUpstream(upstreamAddr, opts)
 	if err != nil {
-		return fmt.Errorf("failed to choose upstream for %q: %w", upstreamAddr, err)
+		return nil, specific, fmt.Errorf("creating upstream for %q: %w", upstreamAddr, err)
+	}
+
+	return u, specific, nil
+}
+
+func (s *Server) checkDNS(line string, opts *upstream.Options, check healthCheckFunc) (err error) {
+	if IsCommentOrEmpty(line) {
+		return nil
+	}
+
+	var u upstream.Upstream
+	var specific bool
+	defer func() {
+		if err != nil && specific {
+			err = domainSpecificTestError{error: err}
+		}
+	}()
+
+	u, specific, err = s.parseUpstreamLine(line, opts)
+	if err != nil || u == nil {
+		return err
 	}
 	defer func() { err = errors.WithDeferred(err, u.Close()) }()

-	if err = healthCheck(u); err != nil {
-		err = fmt.Errorf("upstream %q fails to exchange: %w", upstreamAddr, err)
-		if domains != nil {
-			return domainSpecificTestError{error: err}
-		}
-
-		return err
-	}
-
-	log.Debug("dnsforward: upstream %q is ok", upstreamAddr)
-
-	return nil
+	return check(u)
 }

 func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) {
@@ -699,47 +708,54 @@ func (s *Server) handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	result := map[string]string{}
-	bootstraps := req.BootstrapDNS
-	bootstrapPrefIPv6 := s.conf.BootstrapPreferIPv6
-	timeout := s.conf.UpstreamTimeout
+	opts := &upstream.Options{
+		Bootstrap:  req.BootstrapDNS,
+		Timeout:    s.conf.UpstreamTimeout,
+		PreferIPv6: s.conf.BootstrapPreferIPv6,
+	}
+	if len(opts.Bootstrap) == 0 {
+		opts.Bootstrap = defaultBootstrap
+	}

 	type upsCheckResult = struct {
-		res  string
+		err  error
 		host string
 	}

+	req.Upstreams = stringutil.FilterOut(req.Upstreams, IsCommentOrEmpty)
+	req.PrivateUpstreams = stringutil.FilterOut(req.PrivateUpstreams, IsCommentOrEmpty)
+
 	upsNum := len(req.Upstreams) + len(req.PrivateUpstreams)
+	result := make(map[string]string, upsNum)
 	resCh := make(chan upsCheckResult, upsNum)

-	checkUps := func(ups string, healthCheck healthCheckFunc) {
-		res := upsCheckResult{
-			host: ups,
-		}
-		defer func() { resCh <- res }()
-
-		checkErr := checkDNS(ups, bootstraps, bootstrapPrefIPv6, timeout, healthCheck)
-		if checkErr != nil {
-			res.res = checkErr.Error()
-		} else {
-			res.res = "OK"
-		}
-	}
-
 	for _, ups := range req.Upstreams {
-		go checkUps(ups, checkDNSUpstreamExc)
+		go func(ups string) {
+			resCh <- upsCheckResult{
+				host: ups,
+				err:  s.checkDNS(ups, opts, checkDNSUpstreamExc),
+			}
+		}(ups)
 	}
 	for _, ups := range req.PrivateUpstreams {
-		go checkUps(ups, checkPrivateUpstreamExc)
+		go func(ups string) {
+			resCh <- upsCheckResult{
+				host: ups,
+				err:  s.checkDNS(ups, opts, checkPrivateUpstreamExc),
+			}
+		}(ups)
 	}

 	for i := 0; i < upsNum; i++ {
-		pair := <-resCh
 		// TODO(e.burkov):  The upstreams used for both common and private
 		// resolving should be reported separately.
-		result[pair.host] = pair.res
+		pair := <-resCh
+		if pair.err != nil {
+			result[pair.host] = pair.err.Error()
+		} else {
+			result[pair.host] = "OK"
+		}
 	}
-	close(resCh)

 	_ = aghhttp.WriteJSONResponse(w, r, result)
 }
--- a/internal/dnsforward/http_test.go
+++ b/internal/dnsforward/http_test.go
@@ -13,10 +13,12 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"testing/fstest"
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/golibs/httphdr"
 	"github.com/AdguardTeam/golibs/netutil"
@@ -280,6 +282,10 @@ func TestIsCommentOrEmpty(t *testing.T) {
 }

 func TestValidateUpstreams(t *testing.T) {
+	const sdnsStamp = `sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_J` +
+		`S3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczE` +
+		`uYWRndWFyZC5jb20`
+
 	testCases := []struct {
 		name    string
 		wantErr string
@@ -300,7 +306,7 @@ func TestValidateUpstreams(t *testing.T) {
 			"[//]tls://1.1.1.1",
 			"[/www.host.com/]#",
 			"[/host.com/google.com/]8.8.8.8",
-			"[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
+			"[/host/]" + sdnsStamp,
 		},
 	}, {
 		name:    "with_default",
@@ -310,7 +316,7 @@ func TestValidateUpstreams(t *testing.T) {
 			"[//]tls://1.1.1.1",
 			"[/www.host.com/]#",
 			"[/host.com/google.com/]8.8.8.8",
-			"[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
+			"[/host/]" + sdnsStamp,
 			"8.8.8.8",
 		},
 	}, {
@@ -326,9 +332,10 @@ func TestValidateUpstreams(t *testing.T) {
 		wantErr: `validating upstream "123.3.7m": not an ip:port`,
 		set:     []string{"123.3.7m"},
 	}, {
-		name:    "invalid",
-		wantErr: `bad upstream for domain "[/host.com]tls://dns.adguard.com": missing separator`,
-		set:     []string{"[/host.com]tls://dns.adguard.com"},
+		name: "invalid",
+		wantErr: `bad upstream for domain "[/host.com]tls://dns.adguard.com": ` +
+			`missing separator`,
+		set: []string{"[/host.com]tls://dns.adguard.com"},
 	}, {
 		name:    "invalid",
 		wantErr: `validating upstream "[host.ru]#": not an ip:port`,
@@ -340,14 +347,14 @@ func TestValidateUpstreams(t *testing.T) {
 			"1.1.1.1",
 			"tls://1.1.1.1",
 			"https://dns.adguard.com/dns-query",
-			"sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
+			sdnsStamp,
 			"udp://dns.google",
 			"udp://8.8.8.8",
 			"[/host.com/]1.1.1.1",
 			"[//]tls://1.1.1.1",
 			"[/www.host.com/]#",
 			"[/host.com/google.com/]8.8.8.8",
-			"[/host/]sdns://AQMAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
+			"[/host/]" + sdnsStamp,
 			"[/пример.рф/]8.8.8.8",
 		},
 	}, {
@@ -418,27 +425,28 @@ func TestValidateUpstreamsPrivate(t *testing.T) {
 	}
 }

-func newLocalUpstreamListener(t *testing.T, port int, handler dns.Handler) (real net.Addr) {
+func newLocalUpstreamListener(t *testing.T, port uint16, handler dns.Handler) (real netip.AddrPort) {
+	t.Helper()
+
 	startCh := make(chan struct{})
 	upsSrv := &dns.Server{
-		Addr:              netip.AddrPortFrom(netutil.IPv4Localhost(), uint16(port)).String(),
+		Addr:              netip.AddrPortFrom(netutil.IPv4Localhost(), port).String(),
 		Net:               "tcp",
 		Handler:           handler,
 		NotifyStartedFunc: func() { close(startCh) },
 	}
 	go func() {
-		t := testutil.PanicT{}
-
 		err := upsSrv.ListenAndServe()
-		require.NoError(t, err)
+		require.NoError(testutil.PanicT{}, err)
 	}()
+
 	<-startCh
 	testutil.CleanupAndRequireSuccess(t, upsSrv.Shutdown)

-	return upsSrv.Listener.Addr()
+	return testutil.RequireTypeAssert[*net.TCPAddr](t, upsSrv.Listener.Addr()).AddrPort()
 }

-func TestServer_handleTestUpstreaDNS(t *testing.T) {
+func TestServer_HandleTestUpstreamDNS(t *testing.T) {
 	goodHandler := dns.HandlerFunc(func(w dns.ResponseWriter, m *dns.Msg) {
 		err := w.WriteMsg(new(dns.Msg).SetReply(m))
 		require.NoError(testutil.PanicT{}, err)
@@ -457,9 +465,38 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 		Host:   newLocalUpstreamListener(t, 0, badHandler).String(),
 	}).String()

-	const upsTimeout = 100 * time.Millisecond
+	const (
+		upsTimeout = 100 * time.Millisecond

-	srv := createTestServer(t, &filtering.Config{}, ServerConfig{
+		hostsFileName = "hosts"
+		upstreamHost  = "custom.localhost"
+	)
+
+	hostsListener := newLocalUpstreamListener(t, 0, goodHandler)
+	hostsUps := (&url.URL{
+		Scheme: "tcp",
+		Host:   netutil.JoinHostPort(upstreamHost, int(hostsListener.Port())),
+	}).String()
+
+	hc, err := aghnet.NewHostsContainer(
+		filtering.SysHostsListID,
+		fstest.MapFS{
+			hostsFileName: &fstest.MapFile{
+				Data: []byte(hostsListener.Addr().String() + " " + upstreamHost),
+			},
+		},
+		&aghtest.FSWatcher{
+			OnEvents: func() (e <-chan struct{}) { return nil },
+			OnAdd:    func(_ string) (err error) { return nil },
+			OnClose:  func() (err error) { return nil },
+		},
+		hostsFileName,
+	)
+	require.NoError(t, err)
+
+	srv := createTestServer(t, &filtering.Config{
+		EtcHosts: hc,
+	}, ServerConfig{
 		UDPListenAddrs:  []*net.UDPAddr{{}},
 		TCPListenAddrs:  []*net.TCPAddr{{}},
 		UpstreamTimeout: upsTimeout,
@@ -486,8 +523,7 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 			"upstream_dns": []string{badUps},
 		},
 		wantResp: map[string]any{
-			badUps: `upstream "` + badUps + `" fails to exchange: ` +
-				`couldn't communicate with upstream: exchanging with ` +
+			badUps: `couldn't communicate with upstream: exchanging with ` +
 				badUps + ` over tcp: dns: id mismatch`,
 		},
 		name: "broken",
@@ -497,20 +533,40 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 		},
 		wantResp: map[string]any{
 			goodUps: "OK",
-			badUps: `upstream "` + badUps + `" fails to exchange: ` +
-				`couldn't communicate with upstream: exchanging with ` +
+			badUps: `couldn't communicate with upstream: exchanging with ` +
 				badUps + ` over tcp: dns: id mismatch`,
 		},
 		name: "both",
+	}, {
+		body: map[string]any{
+			"upstream_dns": []string{"[/domain.example/]" + badUps},
+		},
+		wantResp: map[string]any{
+			"[/domain.example/]" + badUps: `WARNING: couldn't communicate ` +
+				`with upstream: exchanging with ` + badUps + ` over tcp: ` +
+				`dns: id mismatch`,
+		},
+		name: "domain_specific_error",
+	}, {
+		body: map[string]any{
+			"upstream_dns": []string{hostsUps},
+		},
+		wantResp: map[string]any{
+			hostsUps: "OK",
+		},
+		name: "etc_hosts",
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			reqBody, err := json.Marshal(tc.body)
+			var reqBody []byte
+			reqBody, err = json.Marshal(tc.body)
 			require.NoError(t, err)

 			w := httptest.NewRecorder()
-			r, err := http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
+
+			var r *http.Request
+			r, err = http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
 			require.NoError(t, err)

 			srv.handleTestUpstreamDNS(w, r)
@@ -538,11 +594,15 @@ func TestServer_handleTestUpstreaDNS(t *testing.T) {
 		req := map[string]any{
 			"upstream_dns": []string{sleepyUps},
 		}
-		reqBody, err := json.Marshal(req)
+
+		var reqBody []byte
+		reqBody, err = json.Marshal(req)
 		require.NoError(t, err)

 		w := httptest.NewRecorder()
-		r, err := http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
+
+		var r *http.Request
+		r, err = http.NewRequest(http.MethodPost, "", bytes.NewReader(reqBody))
 		require.NoError(t, err)

 		srv.handleTestUpstreamDNS(w, r)
--- a/internal/dnsforward/upstreams.go
+++ b/internal/dnsforward/upstreams.go
@@ -0,0 +1,311 @@
+package dnsforward
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/upstream"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/netutil"
+	"github.com/AdguardTeam/golibs/stringutil"
+	"github.com/AdguardTeam/urlfilter"
+	"github.com/miekg/dns"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
+)
+
+// loadUpstreams parses upstream DNS servers from the configured file or from
+// the configuration itself.
+func (s *Server) loadUpstreams() (upstreams []string, err error) {
+	if s.conf.UpstreamDNSFileName == "" {
+		return stringutil.FilterOut(s.conf.UpstreamDNS, IsCommentOrEmpty), nil
+	}
+
+	var data []byte
+	data, err = os.ReadFile(s.conf.UpstreamDNSFileName)
+	if err != nil {
+		return nil, fmt.Errorf("reading upstream from file: %w", err)
+	}
+
+	upstreams = stringutil.SplitTrimmed(string(data), "\n")
+
+	log.Debug("dnsforward: got %d upstreams in %q", len(upstreams), s.conf.UpstreamDNSFileName)
+
+	return stringutil.FilterOut(upstreams, IsCommentOrEmpty), nil
+}
+
+// prepareUpstreamSettings sets upstream DNS server settings.
+func (s *Server) prepareUpstreamSettings() (err error) {
+	// We're setting a customized set of RootCAs.  The reason is that Go default
+	// mechanism of loading TLS roots does not always work properly on some
+	// routers so we're loading roots manually and pass it here.
+	//
+	// See [aghtls.SystemRootCAs].
+	upstream.RootCAs = s.conf.TLSv12Roots
+	upstream.CipherSuites = s.conf.TLSCiphers
+
+	// Load upstreams either from the file, or from the settings
+	var upstreams []string
+	upstreams, err = s.loadUpstreams()
+	if err != nil {
+		return fmt.Errorf("loading upstreams: %w", err)
+	}
+
+	s.conf.UpstreamConfig, err = s.prepareUpstreamConfig(upstreams, defaultDNS, &upstream.Options{
+		Bootstrap:    s.conf.BootstrapDNS,
+		Timeout:      s.conf.UpstreamTimeout,
+		HTTPVersions: UpstreamHTTPVersions(s.conf.UseHTTP3Upstreams),
+		PreferIPv6:   s.conf.BootstrapPreferIPv6,
+	})
+	if err != nil {
+		return fmt.Errorf("preparing upstream config: %w", err)
+	}
+
+	return nil
+}
+
+// prepareUpstreamConfig sets upstream configuration based on upstreams and
+// configuration of s.
+func (s *Server) prepareUpstreamConfig(
+	upstreams []string,
+	defaultUpstreams []string,
+	opts *upstream.Options,
+) (uc *proxy.UpstreamConfig, err error) {
+	uc, err = proxy.ParseUpstreamsConfig(upstreams, opts)
+	if err != nil {
+		return nil, fmt.Errorf("parsing upstream config: %w", err)
+	}
+
+	if len(uc.Upstreams) == 0 && defaultUpstreams != nil {
+		log.Info("dnsforward: warning: no default upstreams specified, using %v", defaultUpstreams)
+		var defaultUpstreamConfig *proxy.UpstreamConfig
+		defaultUpstreamConfig, err = proxy.ParseUpstreamsConfig(defaultUpstreams, opts)
+		if err != nil {
+			return nil, fmt.Errorf("parsing default upstreams: %w", err)
+		}
+
+		uc.Upstreams = defaultUpstreamConfig.Upstreams
+	}
+
+	if s.dnsFilter != nil && s.dnsFilter.EtcHosts != nil {
+		err = s.replaceUpstreamsWithHosts(uc, opts)
+		if err != nil {
+			return nil, fmt.Errorf("resolving upstreams with hosts: %w", err)
+		}
+	}
+
+	return uc, nil
+}
+
+// replaceUpstreamsWithHosts replaces unique upstreams with their resolved
+// versions based on the system hosts file.
+//
+// TODO(e.burkov):  This should be performed inside dnsproxy, which should
+// actually consider /etc/hosts.  See TODO on [aghnet.HostsContainer].
+func (s *Server) replaceUpstreamsWithHosts(
+	upsConf *proxy.UpstreamConfig,
+	opts *upstream.Options,
+) (err error) {
+	resolved := map[string]*upstream.Options{}
+
+	err = s.resolveUpstreamsWithHosts(resolved, upsConf.Upstreams, opts)
+	if err != nil {
+		return fmt.Errorf("resolving upstreams: %w", err)
+	}
+
+	hosts := maps.Keys(upsConf.DomainReservedUpstreams)
+	// TODO(e.burkov):  Think of extracting sorted range into an util function.
+	slices.Sort(hosts)
+	for _, host := range hosts {
+		err = s.resolveUpstreamsWithHosts(resolved, upsConf.DomainReservedUpstreams[host], opts)
+		if err != nil {
+			return fmt.Errorf("resolving upstreams reserved for %s: %w", host, err)
+		}
+	}
+
+	hosts = maps.Keys(upsConf.SpecifiedDomainUpstreams)
+	slices.Sort(hosts)
+	for _, host := range hosts {
+		err = s.resolveUpstreamsWithHosts(resolved, upsConf.SpecifiedDomainUpstreams[host], opts)
+		if err != nil {
+			return fmt.Errorf("resolving upstreams specific for %s: %w", host, err)
+		}
+	}
+
+	return nil
+}
+
+// resolveUpstreamsWithHosts resolves the IP addresses of each of the upstreams
+// and replaces those both in upstreams and resolved.  Upstreams that failed to
+// resolve are placed to resolved as-is.  This function only returns error of
+// upstreams closing.
+func (s *Server) resolveUpstreamsWithHosts(
+	resolved map[string]*upstream.Options,
+	upstreams []upstream.Upstream,
+	opts *upstream.Options,
+) (err error) {
+	for i := range upstreams {
+		u := upstreams[i]
+		addr := u.Address()
+		host := extractUpstreamHost(addr)
+
+		withIPs, ok := resolved[host]
+		if !ok {
+			ips := s.resolveUpstreamHost(host)
+			if len(ips) == 0 {
+				resolved[host] = nil
+
+				return nil
+			}
+
+			sortNetIPAddrs(ips, opts.PreferIPv6)
+
+			withIPs = opts.Clone()
+			withIPs.ServerIPAddrs = ips
+			resolved[host] = withIPs
+		} else if withIPs == nil {
+			continue
+		}
+
+		if err = u.Close(); err != nil {
+			return fmt.Errorf("closing upstream %s: %w", addr, err)
+		}
+
+		upstreams[i], err = upstream.AddressToUpstream(addr, withIPs)
+		if err != nil {
+			return fmt.Errorf("replacing upstream %s with resolved %s: %w", addr, host, err)
+		}
+
+		log.Debug("dnsforward: using %s for %s", withIPs.ServerIPAddrs, upstreams[i].Address())
+	}
+
+	return nil
+}
+
+// extractUpstreamHost returns the hostname of addr without port with an
+// assumption that any address passed here has already been successfully parsed
+// by [upstream.AddressToUpstream].  This function eesentially mirrors the logic
+// of [upstream.AddressToUpstream], see TODO on [replaceUpstreamsWithHosts].
+func extractUpstreamHost(addr string) (host string) {
+	var err error
+	if strings.Contains(addr, "://") {
+		var u *url.URL
+		u, err = url.Parse(addr)
+		if err != nil {
+			log.Debug("dnsforward: parsing upstream %s: %s", addr, err)
+
+			return addr
+		}
+
+		return u.Hostname()
+	}
+
+	// Probably, plain UDP upstream defined by address or address:port.
+	host, err = netutil.SplitHost(addr)
+	if err != nil {
+		return addr
+	}
+
+	return host
+}
+
+// resolveUpstreamHost returns the version of ups with IP addresses from the
+// system hosts file placed into its options.
+func (s *Server) resolveUpstreamHost(host string) (addrs []net.IP) {
+	req := &urlfilter.DNSRequest{
+		Hostname: host,
+		DNSType:  dns.TypeA,
+	}
+	aRes, _ := s.dnsFilter.EtcHosts.MatchRequest(req)
+
+	req.DNSType = dns.TypeAAAA
+	aaaaRes, _ := s.dnsFilter.EtcHosts.MatchRequest(req)
+
+	var ips []net.IP
+	for _, rw := range append(aRes.DNSRewrites(), aaaaRes.DNSRewrites()...) {
+		dr := rw.DNSRewrite
+		if dr == nil || dr.Value == nil {
+			continue
+		}
+
+		if ip, ok := dr.Value.(net.IP); ok {
+			ips = append(ips, ip)
+		}
+	}
+
+	return ips
+}
+
+// sortNetIPAddrs sorts addrs in accordance with the protocol preferences.
+// Invalid addresses are sorted near the end.
+//
+// TODO(e.burkov):  This function taken from dnsproxy, which also already
+// contains a few similar functions.  Think of moving to golibs.
+func sortNetIPAddrs(addrs []net.IP, preferIPv6 bool) {
+	l := len(addrs)
+	if l <= 1 {
+		return
+	}
+
+	slices.SortStableFunc(addrs, func(addrA, addrB net.IP) (sortsBefore bool) {
+		switch len(addrA) {
+		case net.IPv4len, net.IPv6len:
+			switch len(addrB) {
+			case net.IPv4len, net.IPv6len:
+				// Go on.
+			default:
+				return true
+			}
+		default:
+			return false
+		}
+
+		if aIs4, bIs4 := addrA.To4() != nil, addrB.To4() != nil; aIs4 != bIs4 {
+			if aIs4 {
+				return !preferIPv6
+			}
+
+			return preferIPv6
+		}
+
+		return bytes.Compare(addrA, addrB) < 0
+	})
+}
+
+// UpstreamHTTPVersions returns the HTTP versions for upstream configuration
+// depending on configuration.
+func UpstreamHTTPVersions(http3 bool) (v []upstream.HTTPVersion) {
+	if !http3 {
+		return upstream.DefaultHTTPVersions
+	}
+
+	return []upstream.HTTPVersion{
+		upstream.HTTPVersion3,
+		upstream.HTTPVersion2,
+		upstream.HTTPVersion11,
+	}
+}
+
+// setProxyUpstreamMode sets the upstream mode and related settings in conf
+// based on provided parameters.
+func setProxyUpstreamMode(
+	conf *proxy.Config,
+	allServers bool,
+	fastestAddr bool,
+	fastestTimeout time.Duration,
+) {
+	if allServers {
+		conf.UpstreamMode = proxy.UModeParallel
+	} else if fastestAddr {
+		conf.UpstreamMode = proxy.UModeFastestAddr
+		conf.FastestPingTimeout = fastestTimeout
+	} else {
+		conf.UpstreamMode = proxy.UModeLoadBalance
+	}
+}
--- a/internal/filtering/filtering.go
+++ b/internal/filtering/filtering.go
@@ -519,7 +519,7 @@ func (d *DNSFilter) matchSysHosts(
 	dnsres, _ := d.EtcHosts.MatchRequest(&urlfilter.DNSRequest{
 		Hostname:         host,
 		SortedClientTags: setts.ClientTags,
-		// TODO(e.burkov):  Wait for urlfilter update to pass net.IP.
+		// TODO(e.burkov):  Wait for urlfilter update to pass netip.Addr.
 		ClientIP:   setts.ClientIP.String(),
 		ClientName: setts.ClientName,
 		DNSType:    qtype,
--- a/internal/filtering/servicelist.go
+++ b/internal/filtering/servicelist.go
@@ -27,6 +27,25 @@ var blockedServices = []blockedService{{
 		"||9cache.com^",
 		"||9gag.com^",
 	},
+}, {
+	ID:      "activision_blizzard",
+	Name:    "Activision Blizzard",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"-237 0 1572 1572\"><path d=\"m549.1.2 548.4 1571.4H798l-74.2-200H374.5l-74.3 200H.7zM626 1085.1l-83-274.3-82.9 274.3z\"/></svg>"),
+	Rules: []string{
+		"||activision.com^",
+		"||activisionblizzard.com^",
+		"||demonware.net^",
+	},
+}, {
+	ID:      "aliexpress",
+	Name:    "AliExpress",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\"  viewBox=\"0 0 50 50\"><path d=\"M9 4C6.25 4 4 6.25 4 9v32c0 2.75 2.25 5 5 5h32c2.75 0 5-2.25 5-5V9c0-2.75-2.25-5-5-5H9zm0 2h32c1.668 0 3 1.332 3 3v3.38A3.973 3.973 0 0 0 41 11H9a3.973 3.973 0 0 0-3 1.38V9c0-1.668 1.332-3 3-3zm6 11a1 1 0 0 1 1 1c0 4.962 4.037 9 9 9s9-4.038 9-9a1 1 0 1 1 2 0c0 6.065-4.935 11-11 11s-11-4.935-11-11a1 1 0 0 1 1-1z\"/></svg>"),
+	Rules: []string{
+		"||ae-rus.net^",
+		"||ae-rus.ru^",
+		"||aliexpress.com^",
+		"||aliexpress.ru^",
+	},
 }, {
 	ID:      "amazon",
 	Name:    "Amazon",
@@ -293,6 +312,21 @@ var blockedServices = []blockedService{{
 		"||mincdn.com^",
 		"||yo9.com^",
 	},
+}, {
+	ID:      "blizzard_entertainment",
+	Name:    "Blizzard Entertainment",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 -32 128 128\"><path fill-rule=\"evenodd\" d=\"M105 2h3v1h2l2 1 1 1h3l1 1h4l1 1 2 2v1l1 3v4l1 2v6l-1 2v2l-1 3v2l-1 2v14l-1 2v1l-1 3-1 1h-3l-1 1h-6a5 5 0 0 0 1-6l2-1h-1l-1-3v-3a350 350 0 0 1 0-8l-1-3v-1l-1-1V9h1V6l-1-1-4-3Zm9 13v10h1v25a8 8 0 0 0 2-4l1-1 1-3V30l1-1v-2l1-1v-5l-1-2-2-3-1-1h-3Z\" clip-rule=\"evenodd\"/><path fill-rule=\"evenodd\" d=\"M101 24v1l2 1h1v2h1l1 2v5l1 2s0-1 0 0l1 7 1 2v7l-1 5h-2l-2-2-4-1 1-3 1-2a22 22 0 0 0-1-10l-1-4h-1l1-4-1-1-2-3v2l-1 1v3l1 6v4l1 1-1 3v4l1 1-1 2v4l-1-1a13 13 0 0 0-4-5l-2-2 2-5V27l-1-1v-4l-1-1v-5h-1a33 33 0 0 1 0-4l4-4h-2l-4-4h-1V3h10l2 1 2 1h1c2 0 2 1 3 2l2 3 1 3v1l-1 2v1a11 11 0 0 1-1 4l-4 3ZM96 9v13l1 1a3 3 0 0 0 1-1c1 0 2-1 2-3v-1l1-1v-3l-2-3-2-2h-1ZM26 3l1 1h1l2 3v5l1 1v2l-1 1v9l1 1 1 1-1 7v9l-1 1 1 1-1 1v8h3l1-1h7v-1h16v6l1 2h-6l-1-1h-2l-1-1H31a4 4 0 0 0-3-1l-1 1h-1l-1 1h-5l1-1a10 10 0 0 0 3-2v-9l1-1-1-1V35l1-1V21l-1-1v-4l1-1v-3l1-2-1-3h-1l-2-2-1-1 1-1h4Z\" clip-rule=\"evenodd\"/><path fill-rule=\"evenodd\" d=\"M84 60v-3l-1-2v-4l-3-2v-1l1-2a11 11 0 0 0 2-6l-1-1-3-2h-2v3l1 1h1l-1 2h-4l-2 1-2 1-1-2v-1l1-1 1-1 1-2v-5l1-1v-6l1-1v-3l1-1v-3l1-2 1-1-1-1 1-1 1-3 1-1V7l1-1c1-1 0-4 2-3l1 3 1 1 1 2v1l1 5 1 3v2l1 1v2l1 1v8l1 3v9l-1 1-2 5v3l-1 2v4l-1 1h-1Zm-4-36-1 1v2l-1 2v4l4 1h2v-7l-1-3-2-1-1-1v2Z\" clip-rule=\"evenodd\"/><path fill-rule=\"evenodd\" d=\"M77 4v1l-2 3v2l-1 2v1l-1 1-1 4v7h-1v2a5 5 0 0 1-1 2v2l-2 2v7l-1 2v2l-2 4v3-1h3v-1l3-1 1-1 3-2h3l1 1-1 1a3 3 0 0 0 0 1l1 1v5l-1 1h-7v-1h-2l-2 1h-4l-2 1-1-2v-2l1-1v-1l1-1-1-1 1-1v-2l1-2-1-2v-8l1-2 2-5-1-1 1-2v-1l1-1v-4l1-1 2-4v-2l1-1h-3V8h-1l-1 1-2 3-1 4h-1l-1-1v-2l1-1V4h16ZM32 4h9l1 2-3 2 1 2-1 1v13l1 2-1 2v6l-1 1v2l1 1v5l-1 1 1 2 1 1 2 1v2h-7l-2 1-1-1 3-2v-8a4 4 0 0 1 0-2l1-1v-3l-1-14v-2l1-1h-1V7l-2-1h-1l-1-1 1-1Zm12 0h14v15c-2 1-2 4-3 6v2c-1 0-3 1-2 4h-1l-2 3-1 2v3l-1 2-2 5h2l1-1h2l1-1c1-1 1-3 3-3l1-2 2-2h1l1 3h-1v1l-1 1v7h-8l-1 1-2-1h-3l-1-1 1-1v-3l-1-2 1-1-1-1 1-3v-2l1-2 1-3a7 7 0 0 1 2-4l1-4 2-2 2-3v-3h1l2-3V8l-3-1h-2l-1 1a3 3 0 0 0-2 3l-1 1v4l-1 1-1 1v-1l-1-1V4ZM17 22l1 1h1v3s0-1 0 0l2 1v5l1 2-1 8v3a6 6 0 0 1 0 2l-1 2-1 2-1 3-3 2-2 2-3 1-1-1-1 1H1l-1-1 2-1 1-4V26l1-1-1-3V11l1-1-1-1H2V8L1 7 0 6V5l1-1h15l1 1c2 0 3 1 3 2l1 3v6l-4 6Zm-6-11v9h1l1-2 2-1v-6h-1l-1-1h-2v1Zm0 19-1 1 1 2-1 3v9a2 2 0 0 0 0 1v6l-1 1 3-1 1-2h1v-4l1-4v-5l-1-1 1-3-1-1v-2s0 1 0 0v-1l-1-1a20 20 0 0 1-2-2v4Z\" clip-rule=\"evenodd\"/></svg>"),
+	Rules: []string{
+		"||battle.net^",
+		"||battlenet.com.cn^",
+		"||blizzard.cn^",
+		"||blizzardgames.cn^",
+		"||blz-contentstack.com^",
+		"||blzstatic.cn^",
+		"||bnet.163.com^",
+		"||bnet.cn^",
+		"||lizzard.com^",
+	},
 }, {
 	ID:      "cloudflare",
 	Name:    "CloudFlare",
@@ -329,6 +363,14 @@ var blockedServices = []blockedService{{
 		"||warp.plus^",
 		"||workers.dev^",
 	},
+}, {
+	ID:      "clubhouse",
+	Name:    "Clubhouse",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 50 50\"><path d=\"M29.8 4a1 1 0 0 0-.92.7 1 1 0 0 0 .36 1.1 31.2 31.2 0 0 1 6 6.02 1 1 0 1 0 1.6-1.2 33.2 33.2 0 0 0-6.4-6.4A1 1 0 0 0 29.8 4Zm-7.16 1.06c-.46 0-.87.3-.99.74a1 1 0 0 0 .5 1.15 31.13 31.13 0 0 1 11.13 10.6 1 1 0 1 0 1.7-1.07A33.12 33.12 0 0 0 23.11 5.2a.96.96 0 0 0-.48-.14ZM14.5 7.01a3.42 3.42 0 0 0-3.27 2.28l-.26-.27A3.49 3.49 0 0 0 8.5 8.01c-.9 0-1.8.34-2.48 1.01a3.51 3.51 0 0 0-.57 4.17c-.52.15-1.01.42-1.43.84a3.52 3.52 0 0 0 0 4.94l.27.27c-.46.16-.9.41-1.27.79a3.52 3.52 0 0 0 0 4.94l.88.88 16.47 16.47a9.01 9.01 0 0 0 12.72 0l4.23-4.22a9.94 9.94 0 0 0 2.3-3.59l2.63-7.08a8.03 8.03 0 0 1 1.84-2.87l1.74-1.73 1-1a4.02 4.02 0 0 0 0-5.66 4.02 4.02 0 0 0-5.66 0l-1 1-.7.71-4.2 4.2a2.98 2.98 0 0 1-4.24 0L17.9 8.96l-.94-.94a3.49 3.49 0 0 0-2.47-1.01Zm0 1.98c.38 0 .76.15 1.06.45l.94.94 13.1 13.1a5.02 5.02 0 0 0 7.08 0l4.2-4.18.7-.71 1-1c.8-.8 2.05-.8 2.83 0 .8.79.8 2.04 0 2.83l-2.73 2.73a10.03 10.03 0 0 0-2.3 3.58l-2.63 7.08a8.02 8.02 0 0 1-1.84 2.87l-4.23 4.23a6.99 6.99 0 0 1-9.9 0L4.44 23.56a1.5 1.5 0 0 1 0-2.12c.59-.59 1.45-.55 2.08.08l.1.09 8.2 8.37a1 1 0 0 0 .97.29 1 1 0 0 0 .46-1.68l-9.52-9.73-.01-.01-1.28-1.29a1.5 1.5 0 0 1 0-2.12c.6-.6 1.47-.58 2.08.03l9.18 9.17a1 1 0 0 0 1.69-.43 1 1 0 0 0-.28-.98L9 14.13l-.06-.07-1.5-1.5c-.6-.6-.6-1.53 0-2.12a1.5 1.5 0 0 1 2.12 0L20.8 21.67a1 1 0 0 0 1.68-.44 1 1 0 0 0-.27-.97l-8.7-8.7-.06-.06a1.4 1.4 0 0 1-.01-2.06c.3-.3.68-.45 1.06-.45ZM4.23 32a1 1 0 0 0-.82 1.51c3 5.18 7.36 9.46 12.59 12.37a1 1 0 0 0 1.51-.89 1 1 0 0 0-.54-.86A31.16 31.16 0 0 1 5.15 32.5a1.01 1.01 0 0 0-.92-.51Z\"/></svg>"),
+	Rules: []string{
+		"||clubhouse.com^",
+		"||clubhouseapi.com^",
+	},
 }, {
 	ID:      "crunchyroll",
 	Name:    "Crunchyroll",
@@ -736,6 +778,18 @@ var blockedServices = []blockedService{{
 		"||xxbay.com^",
 		"||yibei.org^",
 	},
+}, {
+	ID:      "electronic_arts",
+	Name:    "Electronic Arts",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 1000 1000\"><path d=\"M500 1000C224.3 1000 0 775.7 0 500S224.3 0 500 0s500 224.3 500 500-224.3 500-500 500zm84.63-693.4H302.05l-42.87 68.9h282.25zm57.75.66L469.63 582.33H278.02l44.2-68.96h114.85l43.87-68.93h-265.5l-43.86 68.93h62.9L147.2 651.05h364.2L645.9 438.9l49.05 74.46h-44.23l-41.88 68.96H739.8l45.48 68.72h83.54z\"/></svg>"),
+	Rules: []string{
+		"||ea.com^",
+		"||eamobile.com^",
+		"||easports.com^",
+		"||nearpolar.com^",
+		"||swtor.com^",
+		"||tnt-ea.com^",
+	},
 }, {
 	ID:      "epic_games",
 	Name:    "Epic Games",
@@ -1412,6 +1466,28 @@ var blockedServices = []blockedService{{
 		"||lineshoppingseller.com^",
 		"||linetv.tw^",
 	},
+}, {
+	ID:      "linkedin",
+	Name:    "LinkedIn",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 50 50\"><path d=\"M41,4H9C6.24,4,4,6.24,4,9v32c0,2.76,2.24,5,5,5h32c2.76,0,5-2.24,5-5V9C46,6.24,43.76,4,41,4z M17,20v19h-6V20H17z M11,14.47c0-1.4,1.2-2.47,3-2.47s2.93,1.07,3,2.47c0,1.4-1.12,2.53-3,2.53C12.2,17,11,15.87,11,14.47z M39,39h-6c0,0,0-9.26,0-10 c0-2-1-4-3.5-4.04h-0.08C27,24.96,26,27.02,26,29c0,0.91,0,10,0,10h-6V20h6v2.56c0,0,1.93-2.56,5.81-2.56 c3.97,0,7.19,2.73,7.19,8.26V39z\"/></svg>"),
+	Rules: []string{
+		"||bizographics.com^",
+		"||cs1404.wpc.epsiloncdn.net^",
+		"||cs767.wpc.epsiloncdn.net^",
+		"||l-0005.dc-msedge.net^",
+		"||l-0005.l-dc-msedge.net^",
+		"||l-0005.l-msedge.net^",
+		"||l-0015.l-msedge.net^",
+		"||licdn.cn^",
+		"||licdn.com^",
+		"||linkedin.at^",
+		"||linkedin.be^",
+		"||linkedin.cn^",
+		"||linkedin.com^",
+		"||linkedin.nl^",
+		"||linkedin.qtlcdn.com^",
+		"||lnkd.in^",
+	},
 }, {
 	ID:      "mail_ru",
 	Name:    "Mail.ru",
@@ -1454,7 +1530,6 @@ var blockedServices = []blockedService{{
 		"||masto.pt^",
 		"||mastodon.au^",
 		"||mastodon.bida.im^",
-		"||mastodon.com.tr^",
 		"||mastodon.eus^",
 		"||mastodon.green^",
 		"||mastodon.ie^",
@@ -1470,6 +1545,7 @@ var blockedServices = []blockedService{{
 		"||mastodon.social^",
 		"||mastodon.uno^",
 		"||mastodon.world^",
+		"||mastodon.zaclys.com^",
 		"||mastodonapp.uk^",
 		"||mastodonners.nl^",
 		"||mastodont.cat^",
@@ -1480,11 +1556,11 @@ var blockedServices = []blockedService{{
 		"||metalhead.club^",
 		"||mindly.social^",
 		"||mstdn.ca^",
-		"||mstdn.jp^",
 		"||mstdn.party^",
 		"||mstdn.plus^",
 		"||mstdn.social^",
 		"||muenchen.social^",
+		"||muenster.im^",
 		"||nerdculture.de^",
 		"||noc.social^",
 		"||norden.social^",
@@ -1513,13 +1589,13 @@ var blockedServices = []blockedService{{
 		"||techhub.social^",
 		"||theblower.au^",
 		"||tkz.one^",
+		"||todon.eu^",
 		"||toot.aquilenet.fr^",
 		"||toot.community^",
 		"||toot.funami.tech^",
 		"||toot.io^",
 		"||toot.wales^",
 		"||troet.cafe^",
-		"||twingyeo.kr^",
 		"||union.place^",
 		"||universeodon.com^",
 		"||urbanists.social^",
@@ -1566,6 +1642,44 @@ var blockedServices = []blockedService{{
 		"||nflxso.net^",
 		"||nflxvideo.net^",
 	},
+}, {
+	ID:      "nintendo",
+	Name:    "Nintendo",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 50 50\"><path d=\"M6 7v36h12.6V21.75l13 20.78.27.47H44V7H31.4v1l.04 20.22L18.5 7.47 18.22 7Zm2 2h9.1l14.5 23.22 1.84 3v-3.5L33.4 9H42v32h-9L18.44 17.75l-1.85-2.94V41H8Z\"/></svg>"),
+	Rules: []string{
+		"||nintendo-europe.com^",
+		"||nintendo.be^",
+		"||nintendo.co.jp^",
+		"||nintendo.co.uk^",
+		"||nintendo.com.au^",
+		"||nintendo.com^",
+		"||nintendo.de^",
+		"||nintendo.es^",
+		"||nintendo.eu^",
+		"||nintendo.fr^",
+		"||nintendo.it^",
+		"||nintendo.jp^",
+		"||nintendo.net^",
+		"||nintendo.nl^",
+		"||nintendoswitch.cn^",
+		"||nintendowifi.net^",
+	},
+}, {
+	ID:      "nvidia",
+	Name:    "Nvidia",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 48 48\"><path d=\"M20 8a2 2 0 0 0-2 2v2.55l.84-.05c10.76-.37 17.78 8.82 17.78 8.82s-8.05 9.8-16.44 9.8c-.73 0-1.47-.07-2.18-.19v-2.2c.73.23 1.52.35 2.3.35 5.88 0 11.35-7.6 11.35-7.6s-5.07-6.91-12.81-6.66l-.82.03v-2.3c-9.49.77-17.68 8.8-17.68 8.8S4.97 34.76 18 35.98v-2.44c.59.07 1.22.12 1.81.12 7.82 0 13.47-3.99 18.94-8.7.91.73 4.62 2.49 5.4 3.26-5.2 4.36-17.33 7.86-24.2 7.86-.66 0-1.32-.03-1.95-.1V38c0 1.1.9 2 2 2h25a2 2 0 0 0 2-2V10a2 2 0 0 0-2-2H20zm-2 6.86v2.82a11.8 11.8 0 0 1 1.57-.07c4.95 0 7.9 3.85 7.9 3.85l-4.03 3.39c-1.8-3.02-2.43-4.35-5.44-4.7v8.57c-4.06-1.38-5.4-6.14-5.4-6.14s2.37-2.83 5.38-2.46H18v-2.44a15.66 15.66 0 0 0-9.22 4.46s2 7.52 9.22 8.8v2.6c-9.56-1.17-12.82-11.7-12.82-11.7s4.27-6.3 12.82-6.97z\"/></svg>"),
+	Rules: []string{
+		"||geforce.com^",
+		"||geforcenow.com^",
+		"||nvidia.cn^",
+		"||nvidia.com.global.ogslb.com^",
+		"||nvidia.com^",
+		"||nvidia.eu^",
+		"||nvidia.partners^",
+		"||nvidiagrid.net^",
+		"||nvidianews.com^",
+		"||tegrazone.com^",
+	},
 }, {
 	ID:      "ok",
 	Name:    "OK.ru",
@@ -1964,6 +2078,16 @@ var blockedServices = []blockedService{{
 		"||twvid.com^",
 		"||vine.co^",
 	},
+}, {
+	ID:      "ubisoft",
+	Name:    "Ubisoft",
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 32 32\"><path d=\"M15.22 3C7.14 3 3.66 10.18 3.66 10.18l1.03.74s-1.3 2.45-1.26 5.6A12.5 12.5 0 0 0 16.08 29a12.5 12.5 0 0 0 12.49-12.46c0-9-6.98-13.54-13.35-13.54zm.07 2.2c6.3 0 11.2 5.07 11.2 10.98 0 6.27-4.71 10.62-10.2 10.62-4.04 0-7.69-3.08-7.69-7.3a5.8 5.8 0 0 1 2.75-5.03l.21.23a6.37 6.37 0 0 0-1.53 3.91c0 3.32 2.6 5.62 5.88 5.62 4.18 0 6.97-3.56 6.97-7.7 0-4.81-4.25-8.9-9.36-8.9a11.1 11.1 0 0 0-6.61 2.3l-.21-.2a10.07 10.07 0 0 1 8.59-4.54zM13.4 9.8c3.26 0 6.44 2.15 7.24 5.22l-.3.1a8.35 8.35 0 0 0-6.52-3.44c-5.08 0-7.75 4.62-7.36 8.47l-.3.12s-.56-1.24-.56-2.71a7.8 7.8 0 0 1 7.8-7.76zm2.15 5.33a2.77 2.77 0 0 1 2.78 2.74c0 1.23-.79 1.96-.79 1.96l.94.65s-.93 1.46-2.82 1.46a3.4 3.4 0 0 1-.1-6.8z\"/></svg>"),
+	Rules: []string{
+		"||ubi.com^",
+		"||ubisoft.com^",
+		"||ubisoft.org^",
+		"||ubisoftconnect.com^",
+	},
 }, {
 	ID:      "valorant",
 	Name:    "Valorant",
--- a/internal/home/clientshttp.go
+++ b/internal/home/clientshttp.go
@@ -9,6 +9,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
+	"github.com/AdguardTeam/AdGuardHome/internal/schedule"
 	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 )

@@ -118,13 +119,18 @@ func (clients *clientsContainer) jsonToClient(cj clientJSON, prev *Client) (c *C
 		}
 	}

+	weekly := schedule.EmptyWeekly()
+	if prev != nil {
+		weekly = prev.BlockedServices.Schedule.Clone()
+	}
+
 	c = &Client{
 		safeSearchConf: safeSearchConf,

 		Name: cj.Name,

 		BlockedServices: &filtering.BlockedServices{
-			Schedule: prev.BlockedServices.Schedule.Clone(),
+			Schedule: weekly,
 			IDs:      cj.BlockedServices,
 		},

--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -91,18 +91,17 @@ type clientSourcesConfig struct {
 	HostsFile bool `yaml:"hosts"`
 }

-// configuration is loaded from YAML
-// field ordering is important -- yaml fields will mirror ordering from here
+// configuration is loaded from YAML.
+//
+// Field ordering is important, YAML fields better not to be reordered, if it's
+// not absolutely necessary.
 type configuration struct {
 	// Raw file data to avoid re-reading of configuration file
 	// It's reset after config is parsed
 	fileData []byte

-	// BindHost is the address for the web interface server to listen on.
-	BindHost netip.Addr `yaml:"bind_host"`
-	// BindPort is the port for the web interface server to listen on.
-	BindPort int `yaml:"bind_port"`
-
+	// HTTPConfig is the block with http conf.
+	HTTPConfig httpConfig `yaml:"http"`
 	// Users are the clients capable for accessing the web interface.
 	Users []webUser `yaml:"users"`
 	// AuthAttempts is the maximum number of failed login attempts a user
@@ -120,10 +119,6 @@ type configuration struct {
 	// DebugPProf defines if the profiling HTTP handler will listen on :6060.
 	DebugPProf bool `yaml:"debug_pprof"`

-	// TTL for a web session (in hours)
-	// An active session is automatically refreshed once a day.
-	WebSessionTTLHours uint32 `yaml:"web_session_ttl"`
-
 	DNS      dnsConfig         `yaml:"dns"`
 	TLS      tlsConfigSettings `yaml:"tls"`
 	QueryLog queryLogConfig    `yaml:"querylog"`
@@ -156,7 +151,23 @@ type configuration struct {
 	SchemaVersion int `yaml:"schema_version"` // keeping last so that users will be less tempted to change it -- used when upgrading between versions
 }

-// field ordering is important -- yaml fields will mirror ordering from here
+// httpConfig is a block with HTTP configuration params.
+//
+// Field ordering is important, YAML fields better not to be reordered, if it's
+// not absolutely necessary.
+type httpConfig struct {
+	// Address is the address to serve the web UI on.
+	Address netip.AddrPort
+
+	// SessionTTL for a web session.
+	// An active session is automatically refreshed once a day.
+	SessionTTL timeutil.Duration `yaml:"session_ttl"`
+}
+
+// dnsConfig is a block with DNS configuration params.
+//
+// Field ordering is important, YAML fields better not to be reordered, if it's
+// not absolutely necessary.
 type dnsConfig struct {
 	BindHosts []netip.Addr `yaml:"bind_hosts"`
 	Port      int          `yaml:"port"`
@@ -261,11 +272,12 @@ type statsConfig struct {
 //
 // TODO(a.garipov, e.burkov): This global is awful and must be removed.
 var config = &configuration{
-	BindPort:           3000,
-	BindHost:           netip.IPv4Unspecified(),
-	AuthAttempts:       5,
-	AuthBlockMin:       15,
-	WebSessionTTLHours: 30 * 24,
+	AuthAttempts: 5,
+	AuthBlockMin: 15,
+	HTTPConfig: httpConfig{
+		Address:    netip.AddrPortFrom(netip.IPv4Unspecified(), 3000),
+		SessionTTL: timeutil.Duration{Duration: 30 * timeutil.Day},
+	},
 	DNS: dnsConfig{
 		BindHosts: []netip.Addr{netip.IPv4Unspecified()},
 		Port:      defaultPortDNS,
@@ -427,8 +439,8 @@ func readLogSettings() (ls *logSettings) {
 // validateBindHosts returns error if any of binding hosts from configuration is
 // not a valid IP address.
 func validateBindHosts(conf *configuration) (err error) {
-	if !conf.BindHost.IsValid() {
-		return errors.Error("bind_host is not a valid ip address")
+	if !conf.HTTPConfig.Address.IsValid() {
+		return errors.Error("http.address is not a valid ip address")
 	}

 	for i, addr := range conf.DNS.BindHosts {
@@ -462,7 +474,7 @@ func parseConfig() (err error) {
 	}

 	tcpPorts := aghalg.UniqChecker[tcpPort]{}
-	addPorts(tcpPorts, tcpPort(config.BindPort))
+	addPorts(tcpPorts, tcpPort(config.HTTPConfig.Address.Port()))

 	udpPorts := aghalg.UniqChecker[udpPort]{}
 	addPorts(udpPorts, udpPort(config.DNS.Port))
--- a/internal/home/control.go
+++ b/internal/home/control.go
@@ -103,7 +103,7 @@ type statusResponse struct {
 	Language string   `json:"language"`
 	DNSAddrs []string `json:"dns_addresses"`
 	DNSPort  int      `json:"dns_port"`
-	HTTPPort int      `json:"http_port"`
+	HTTPPort uint16   `json:"http_port"`

 	// ProtectionDisabledDuration is the duration of the protection pause in
 	// milliseconds.
@@ -158,7 +158,7 @@ func handleStatus(w http.ResponseWriter, r *http.Request) {
 			Language:                   config.Language,
 			DNSAddrs:                   dnsAddrs,
 			DNSPort:                    config.DNS.Port,
-			HTTPPort:                   config.BindPort,
+			HTTPPort:                   config.HTTPConfig.Address.Port(),
 			ProtectionDisabledDuration: protectionDisabledDuration,
 			ProtectionEnabled:          protectionEnabled,
 			IsRunning:                  isRunning(),
--- a/internal/home/controlinstall.go
+++ b/internal/home/controlinstall.go
@@ -96,8 +96,9 @@ type checkConfResp struct {
 func (req *checkConfReq) validateWeb(tcpPorts aghalg.UniqChecker[tcpPort]) (err error) {
 	defer func() { err = errors.Annotate(err, "validating ports: %w") }()

-	portInt := req.Web.Port
-	port := tcpPort(portInt)
+	// TODO(a.garipov): Declare all port variables anywhere as uint16.
+	reqPort := uint16(req.Web.Port)
+	port := tcpPort(reqPort)
 	addPorts(tcpPorts, port)
 	if err = tcpPorts.Validate(); err != nil {
 		// Reset the value for the port to 1 to make sure that validateDNS
@@ -108,15 +109,15 @@ func (req *checkConfReq) validateWeb(tcpPorts aghalg.UniqChecker[tcpPort]) (err
 		return err
 	}

-	switch portInt {
-	case 0, config.BindPort:
+	switch reqPort {
+	case 0, config.HTTPConfig.Address.Port():
 		return nil
 	default:
 		// Go on and check the port binding only if it's not zero or won't be
 		// unbound after install.
 	}

-	return aghnet.CheckPort("tcp", netip.AddrPortFrom(req.Web.IP, uint16(portInt)))
+	return aghnet.CheckPort("tcp", netip.AddrPortFrom(req.Web.IP, reqPort))
 }

 // validateDNS returns error if the DNS part of the initial configuration can't
@@ -127,11 +128,11 @@ func (req *checkConfReq) validateDNS(
 ) (canAutofix bool, err error) {
 	defer func() { err = errors.Annotate(err, "validating ports: %w") }()

-	port := req.DNS.Port
+	port := uint16(req.DNS.Port)
 	switch port {
 	case 0:
 		return false, nil
-	case config.BindPort:
+	case config.HTTPConfig.Address.Port():
 		// Go on and only check the UDP port since the TCP one is already bound
 		// by AdGuard Home for web interface.
 	default:
@@ -318,8 +319,7 @@ type applyConfigReq struct {
 // copyInstallSettings copies the installation parameters between two
 // configuration structures.
 func copyInstallSettings(dst, src *configuration) {
-	dst.BindHost = src.BindHost
-	dst.BindPort = src.BindPort
+	dst.HTTPConfig = src.HTTPConfig
 	dst.DNS.BindHosts = src.DNS.BindHosts
 	dst.DNS.Port = src.DNS.Port
 }
@@ -413,8 +413,7 @@ func (web *webAPI) handleInstallConfigure(w http.ResponseWriter, r *http.Request
 	copyInstallSettings(curConfig, config)

 	Context.firstRun = false
-	config.BindHost = req.Web.IP
-	config.BindPort = req.Web.Port
+	config.HTTPConfig.Address = netip.AddrPortFrom(req.Web.IP, uint16(req.Web.Port))
 	config.DNS.BindHosts = []netip.Addr{req.DNS.IP}
 	config.DNS.Port = req.DNS.Port

@@ -487,7 +486,8 @@ func decodeApplyConfigReq(r io.Reader) (req *applyConfigReq, restartHTTP bool, e
 		return nil, false, errors.Error("ports cannot be 0")
 	}

-	restartHTTP = config.BindHost != req.Web.IP || config.BindPort != req.Web.Port
+	addrPort := config.HTTPConfig.Address
+	restartHTTP = addrPort.Addr() != req.Web.IP || int(addrPort.Port()) != req.Web.Port
 	if restartHTTP {
 		err = aghnet.CheckPort("tcp", netip.AddrPortFrom(req.Web.IP, uint16(req.Web.Port)))
 		if err != nil {
--- a/internal/home/controlupdate.go
+++ b/internal/home/controlupdate.go
@@ -157,7 +157,9 @@ func (vr *versionResponse) setAllowedToAutoUpdate() (err error) {
 	Context.tls.WriteDiskConfig(tlsConf)

 	canUpdate := true
-	if tlsConfUsesPrivilegedPorts(tlsConf) || config.BindPort < 1024 || config.DNS.Port < 1024 {
+	if tlsConfUsesPrivilegedPorts(tlsConf) ||
+		config.HTTPConfig.Address.Port() < 1024 ||
+		config.DNS.Port < 1024 {
 		canUpdate, err = aghnet.CanBindPrivilegedPorts()
 		if err != nil {
 			return fmt.Errorf("checking ability to bind privileged ports: %w", err)
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -372,8 +372,26 @@ func initContextClients() (err error) {

 // setupBindOpts overrides bind host/port from the opts.
 func setupBindOpts(opts options) (err error) {
+	bindAddr := opts.bindAddr
+	if bindAddr != (netip.AddrPort{}) {
+		config.HTTPConfig.Address = bindAddr
+
+		if config.HTTPConfig.Address.Port() != 0 {
+			err = checkPorts()
+			if err != nil {
+				// Don't wrap the error, because it's informative enough as is.
+				return err
+			}
+		}
+
+		return nil
+	}
+
 	if opts.bindPort != 0 {
-		config.BindPort = opts.bindPort
+		config.HTTPConfig.Address = netip.AddrPortFrom(
+			config.HTTPConfig.Address.Addr(),
+			uint16(opts.bindPort),
+		)

 		err = checkPorts()
 		if err != nil {
@@ -383,20 +401,10 @@ func setupBindOpts(opts options) (err error) {
 	}

 	if opts.bindHost.IsValid() {
-		config.BindHost = opts.bindHost
-	}
-
-	// Rewrite deprecated options.
-	bindAddr := opts.bindAddr
-	if bindAddr.IsValid() {
-		config.BindHost = bindAddr.Addr()
-		config.BindPort = int(bindAddr.Port())
-
-		err = checkPorts()
-		if err != nil {
-			// Don't wrap the error, because it's informative enough as is.
-			return err
-		}
+		config.HTTPConfig.Address = netip.AddrPortFrom(
+			opts.bindHost,
+			config.HTTPConfig.Address.Port(),
+		)
 	}

 	return nil
@@ -480,7 +488,7 @@ func setupDNSFilteringConf(conf *filtering.Config) (err error) {
 // checkPorts is a helper for ports validation in config.
 func checkPorts() (err error) {
 	tcpPorts := aghalg.UniqChecker[tcpPort]{}
-	addPorts(tcpPorts, tcpPort(config.BindPort))
+	addPorts(tcpPorts, tcpPort(config.HTTPConfig.Address.Port()))

 	udpPorts := aghalg.UniqChecker[udpPort]{}
 	addPorts(udpPorts, udpPort(config.DNS.Port))
@@ -520,8 +528,8 @@ func initWeb(opts options, clientBuildFS fs.FS) (web *webAPI, err error) {

 	webConf := webConfig{
 		firstRun: Context.firstRun,
-		BindHost: config.BindHost,
-		BindPort: config.BindPort,
+		BindHost: config.HTTPConfig.Address.Addr(),
+		BindPort: int(config.HTTPConfig.Address.Port()),

 		ReadTimeout:       readTimeout,
 		ReadHeaderTimeout: readHdrTimeout,
@@ -657,8 +665,8 @@ func initUsers() (auth *Auth, err error) {
 		log.Info("authratelimiter is disabled")
 	}

-	sessionTTL := config.WebSessionTTLHours * 60 * 60
-	auth = InitAuth(sessFilename, config.Users, sessionTTL, rateLimiter)
+	sessionTTL := config.HTTPConfig.SessionTTL.Seconds()
+	auth = InitAuth(sessFilename, config.Users, uint32(sessionTTL), rateLimiter)
 	if auth == nil {
 		return nil, errors.Error("initializing auth module failed")
 	}
@@ -936,7 +944,7 @@ func printHTTPAddresses(proto string) {
 		Context.tls.WriteDiskConfig(&tlsConf)
 	}

-	port := config.BindPort
+	port := int(config.HTTPConfig.Address.Port())
 	if proto == aghhttp.SchemeHTTPS {
 		port = tlsConf.PortHTTPS
 	}
@@ -948,9 +956,9 @@ func printHTTPAddresses(proto string) {
 		return
 	}

-	bindhost := config.BindHost
-	if !bindhost.IsUnspecified() {
-		printWebAddrs(proto, bindhost.String(), port)
+	bindHost := config.HTTPConfig.Address.Addr()
+	if !bindHost.IsUnspecified() {
+		printWebAddrs(proto, bindHost.String(), port)

 		return
 	}
@@ -961,14 +969,14 @@ func printHTTPAddresses(proto string) {
 		// That's weird, but we'll ignore it.
 		//
 		// TODO(e.burkov): Find out when it happens.
-		printWebAddrs(proto, bindhost.String(), port)
+		printWebAddrs(proto, bindHost.String(), port)

 		return
 	}

 	for _, iface := range ifaces {
 		for _, addr := range iface.Addresses {
-			printWebAddrs(proto, addr.String(), config.BindPort)
+			printWebAddrs(proto, addr.String(), port)
 		}
 	}
 }
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -320,7 +320,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {

 	if setts.Enabled {
 		err = validatePorts(
-			tcpPort(config.BindPort),
+			tcpPort(config.HTTPConfig.Address.Port()),
 			tcpPort(setts.PortHTTPS),
 			tcpPort(setts.PortDNSOverTLS),
 			tcpPort(setts.PortDNSCrypt),
@@ -407,7 +407,7 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)

 	if req.Enabled {
 		err = validatePorts(
-			tcpPort(config.BindPort),
+			tcpPort(config.HTTPConfig.Address.Port()),
 			tcpPort(req.PortHTTPS),
 			tcpPort(req.PortDNSOverTLS),
 			tcpPort(req.PortDNSCrypt),
--- a/internal/home/upgrade.go
+++ b/internal/home/upgrade.go
@@ -3,6 +3,7 @@ package home
 import (
 	"bytes"
 	"fmt"
+	"net/netip"
 	"net/url"
 	"os"
 	"path"
@@ -22,7 +23,7 @@ import (
 )

 // currentSchemaVersion is the current schema version.
-const currentSchemaVersion = 22
+const currentSchemaVersion = 23

 // These aliases are provided for convenience.
 type (
@@ -96,6 +97,7 @@ func upgradeConfigSchema(oldVersion int, diskConf yobj) (err error) {
 		upgradeSchema19to20,
 		upgradeSchema20to21,
 		upgradeSchema21to22,
+		upgradeSchema22to23,
 	}

 	n := 0
@@ -1256,6 +1258,73 @@ func upgradeSchema21to22(diskConf yobj) (err error) {
 	return nil
 }

+// upgradeSchema22to23 performs the following changes:
+//
+//	# BEFORE:
+//	'bind_host': '1.2.3.4'
+//	'bind_port': 8080
+//	'web_session_ttl': 720
+//
+//	# AFTER:
+//	'http':
+//	  'address': '1.2.3.4:8080'
+//	  'session_ttl': '720h'
+func upgradeSchema22to23(diskConf yobj) (err error) {
+	log.Printf("Upgrade yaml: 22 to 23")
+	diskConf["schema_version"] = 23
+
+	bindHostVal, ok := diskConf["bind_host"]
+	if !ok {
+		return nil
+	}
+
+	bindHost, ok := bindHostVal.(string)
+	if !ok {
+		return fmt.Errorf("unexpected type of bind_host: %T", bindHostVal)
+	}
+
+	bindHostAddr, err := netip.ParseAddr(bindHost)
+	if err != nil {
+		return fmt.Errorf("invalid bind_host value: %s", bindHost)
+	}
+
+	bindPortVal, ok := diskConf["bind_port"]
+	if !ok {
+		return nil
+	}
+
+	bindPort, ok := bindPortVal.(int)
+	if !ok {
+		return fmt.Errorf("unexpected type of bind_port: %T", bindPortVal)
+	}
+
+	sessionTTLVal, ok := diskConf["web_session_ttl"]
+	if !ok {
+		return nil
+	}
+
+	sessionTTL, ok := sessionTTLVal.(int)
+	if !ok {
+		return fmt.Errorf("unexpected type of web_session_ttl: %T", sessionTTLVal)
+	}
+
+	addr := netip.AddrPortFrom(bindHostAddr, uint16(bindPort))
+	if !addr.IsValid() {
+		return fmt.Errorf("invalid address: %s", addr)
+	}
+
+	diskConf["http"] = yobj{
+		"address":     addr.String(),
+		"session_ttl": timeutil.Duration{Duration: time.Duration(sessionTTL) * time.Hour}.String(),
+	}
+
+	delete(diskConf, "bind_host")
+	delete(diskConf, "bind_port")
+	delete(diskConf, "web_session_ttl")
+
+	return nil
+}
+
 // TODO(a.garipov): Replace with log.Output when we port it to our logging
 // package.
 func funcName() string {
--- a/internal/home/upgrade_test.go
+++ b/internal/home/upgrade_test.go
@@ -1253,3 +1253,56 @@ func TestUpgradeSchema21to22(t *testing.T) {
 		})
 	}
 }
+
+func TestUpgradeSchema22to23(t *testing.T) {
+	const newSchemaVer = 23
+
+	testCases := []struct {
+		in   yobj
+		want yobj
+		name string
+	}{{
+		name: "empty",
+		in:   yobj{},
+		want: yobj{
+			"schema_version": newSchemaVer,
+		},
+	}, {
+		name: "ok",
+		in: yobj{
+			"bind_host":       "1.2.3.4",
+			"bind_port":       8081,
+			"web_session_ttl": 720,
+		},
+		want: yobj{
+			"http": yobj{
+				"address":     "1.2.3.4:8081",
+				"session_ttl": "720h",
+			},
+			"schema_version": newSchemaVer,
+		},
+	}, {
+		name: "v6_address",
+		in: yobj{
+			"bind_host":       "2001:db8::1",
+			"bind_port":       8081,
+			"web_session_ttl": 720,
+		},
+		want: yobj{
+			"http": yobj{
+				"address":     "[2001:db8::1]:8081",
+				"session_ttl": "720h",
+			},
+			"schema_version": newSchemaVer,
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := upgradeSchema22to23(tc.in)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.want, tc.in)
+		})
+	}
+}
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -119,7 +119,9 @@ func webCheckPortAvailable(port int) (ok bool) {
 		return true
 	}

-	return aghnet.CheckPort("tcp", netip.AddrPortFrom(config.BindHost, uint16(port))) == nil
+	addrPort := netip.AddrPortFrom(config.HTTPConfig.Address.Addr(), uint16(port))
+
+	return aghnet.CheckPort("tcp", addrPort) == nil
 }

 // tlsConfigChanged updates the TLS configuration and restarts the HTTPS server
--- a/internal/next/AdGuardHome.example.yaml
+++ b/internal/next/AdGuardHome.example.yaml
@@ -1,26 +0,0 @@
-# This is a file showing example configuration for AdGuard Home.
-#
-# TODO(a.garipov): Move to the top level once the rewrite is over.
-
-dns:
-  addresses:
-  - '0.0.0.0:53'
-  bootstrap_dns:
-  - '9.9.9.10'
-  - '149.112.112.10'
-  - '2620:fe::10'
-  - '2620:fe::fe:10'
-  upstream_dns:
-  - '8.8.8.8'
-  dns64_prefixes:
-  - '1234::/64'
-  upstream_timeout: 1s
-  bootstrap_prefer_ipv6: true
-  use_dns64: true
-http:
-  addresses:
-  - '0.0.0.0:3000'
-  secure_addresses: []
-  timeout: 5s
-  force_https: true
-verbose: true
--- a/internal/next/changelog.md
+++ b/internal/next/changelog.md
@@ -1,39 +0,0 @@
-# AdGuard Home v0.108.0 Changelog DRAFT
-
-This changelog should be merged into the main one once the next API matures
-enough.
-
-## [v0.108.0] - TODO
-
-### Added
-
- The ability to log to stderr using `--logFile=stderr`.
- The new `--web-addr` flag to set the Web UI address in a `host:port` form.
- `SIGHUP` now reloads all configuration from the configuration file ([#5676]).
-
-### Changed
-
-#### New HTTP API
-
-**TODO(a.garipov):** Describe the new API and add a link to the new OpenAPI doc.
-
-#### Other changes
-
- `-h` is now an alias for `--help` instead of the removed `--host`, see below.
-  Use `--web-addr=host:port` to set an address on which to serve the Web UI.
-
-### Fixed
-
- Inconsistent application of `--work-dir/-w` ([#2598], [#2902]).
- The order of `-v/--verbose` and `--version` being significant ([#2893]).
-
-### Removed
-
- The deprecated `--no-mem-optimization` and `--no-etc-hosts` flags.
- `--host` and `-p/--port` flags.  Use `--web-addr=host:port` to set an address
-  on which to serve the Web UI.  `-h` is now an alias for `--help`, see above.
-
-[#2598]: https://github.com/AdguardTeam/AdGuardHome/issues/2598
-[#2893]: https://github.com/AdguardTeam/AdGuardHome/issues/2893
-[#2902]: https://github.com/AdguardTeam/AdGuardHome/issues/2902
-[#5676]: https://github.com/AdguardTeam/AdGuardHome/issues/5676
--- a/internal/next/cmd/cmd.go
+++ b/internal/next/cmd/cmd.go
@@ -1,81 +0,0 @@
-// Package cmd is the AdGuard Home entry point.  It assembles the configuration
-// file manager, sets up signal processing logic, and so on.
-//
-// TODO(a.garipov): Move to the upper-level internal/.
-package cmd
-
-import (
-	"context"
-	"io/fs"
-	"os"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// Main is the entry point of AdGuard Home.
-func Main(frontend fs.FS) {
-	start := time.Now()
-
-	// Initial Configuration
-
-	cmdName := os.Args[0]
-	opts, err := parseOptions(cmdName, os.Args[1:])
-	exitCode, needExit := processOptions(opts, cmdName, err)
-	if needExit {
-		os.Exit(exitCode)
-	}
-
-	err = setLog(opts)
-	check(err)
-
-	log.Info("starting adguard home, version %s, pid %d", version.Version(), os.Getpid())
-
-	if opts.workDir != "" {
-		log.Info("changing working directory to %q", opts.workDir)
-		err = os.Chdir(opts.workDir)
-		check(err)
-	}
-
-	// Web Service
-
-	confMgr, err := configmgr.New(opts.confFile, frontend, start)
-	check(err)
-
-	web := confMgr.Web()
-	err = web.Start()
-	check(err)
-
-	dns := confMgr.DNS()
-	err = dns.Start()
-	check(err)
-
-	sigHdlr := newSignalHandler(
-		opts.confFile,
-		frontend,
-		start,
-		web,
-		dns,
-	)
-
-	sigHdlr.handle()
-}
-
-// defaultTimeout is the timeout used for some operations where another timeout
-// hasn't been defined yet.
-const defaultTimeout = 5 * time.Second
-
-// ctxWithDefaultTimeout is a helper function that returns a context with
-// timeout set to defaultTimeout.
-func ctxWithDefaultTimeout() (ctx context.Context, cancel context.CancelFunc) {
-	return context.WithTimeout(context.Background(), defaultTimeout)
-}
-
-// check is a simple error-checking helper.  It must only be used within Main.
-func check(err error) {
-	if err != nil {
-		panic(err)
-	}
-}
--- a/internal/next/cmd/log.go
+++ b/internal/next/cmd/log.go
@@ -1,39 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// syslogServiceName is the name of the AdGuard Home service used for writing
-// logs to the system log.
-const syslogServiceName = "AdGuardHome"
-
-// setLog sets up the text logging.
-//
-// TODO(a.garipov): Add parameters from configuration file.
-func setLog(opts *options) (err error) {
-	switch opts.confFile {
-	case "stdout":
-		log.SetOutput(os.Stdout)
-	case "stderr":
-		log.SetOutput(os.Stderr)
-	case "syslog":
-		err = aghos.ConfigureSyslog(syslogServiceName)
-		if err != nil {
-			return fmt.Errorf("initializing syslog: %w", err)
-		}
-	default:
-		// TODO(a.garipov): Use the path.
-	}
-
-	if opts.verbose {
-		log.SetLevel(log.DEBUG)
-		log.Debug("verbose logging enabled")
-	}
-
-	return nil
-}
--- a/internal/next/cmd/opt.go
+++ b/internal/next/cmd/opt.go
@@ -1,403 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"net/netip"
-	"os"
-	"strings"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-	"golang.org/x/exp/slices"
-)
-
-// options contains all command-line options for the AdGuardHome(.exe) binary.
-type options struct {
-	// confFile is the path to the configuration file.
-	confFile string
-
-	// logFile is the path to the log file.  Special values:
-	//
-	//   - "stdout":  Write to stdout (the default).
-	//   - "stderr":  Write to stderr.
-	//   - "syslog":  Write to the system log.
-	logFile string
-
-	// pidFile is the path to the file where to store the PID.
-	//
-	// TODO(a.garipov): Use.
-	pidFile string
-
-	// serviceAction is the service control action to perform:
-	//
-	//   - "install":  Installs AdGuard Home as a system service.
-	//   - "uninstall":  Uninstalls it.
-	//   - "status":  Prints the service status.
-	//   - "start":  Starts the previously installed service.
-	//   - "stop":  Stops the previously installed service.
-	//   - "restart":  Restarts the previously installed service.
-	//   - "reload":  Reloads the configuration.
-	//   - "run":  This is a special command that is not supposed to be used
-	//     directly it is specified when we register a service, and it indicates
-	//     to the app that it is being run as a service.
-	//
-	// TODO(a.garipov): Use.
-	serviceAction string
-
-	// workDir is the path to the working directory.  It is applied before all
-	// other configuration is read, so all relative paths are relative to it.
-	workDir string
-
-	// webAddrs contains the addresses on which to serve the web UI.
-	//
-	// TODO(a.garipov): Use.
-	webAddrs []netip.AddrPort
-
-	// checkConfig, if true, instructs AdGuard Home to check the configuration
-	// file and exit with a corresponding exit code.
-	//
-	// TODO(a.garipov): Use.
-	checkConfig bool
-
-	// disableUpdate, if true, prevents AdGuard Home from automatically checking
-	// for updates.
-	//
-	// TODO(a.garipov): Use.
-	disableUpdate bool
-
-	// glinetMode enables the GL-Inet compatibility mode.
-	//
-	// TODO(a.garipov): Use.
-	glinetMode bool
-
-	// help, if true, instructs AdGuard Home to print the command-line option
-	// help message and quit with a successful exit-code.
-	help bool
-
-	// localFrontend, if true, instructs AdGuard Home to use the local frontend
-	// directory instead of the files compiled into the binary.
-	//
-	// TODO(a.garipov): Use.
-	localFrontend bool
-
-	// performUpdate, if true, instructs AdGuard Home to update the current
-	// binary and restart the service in case it's installed.
-	//
-	// TODO(a.garipov): Use.
-	performUpdate bool
-
-	// verbose, if true, instructs AdGuard Home to enable verbose logging.
-	verbose bool
-
-	// version, if true, instructs AdGuard Home to print the version to stdout
-	// and quit with a successful exit-code.  If verbose is also true, print a
-	// more detailed version description.
-	version bool
-}
-
-// Indexes to help with the [commandLineOptions] initialization.
-const (
-	confFileIdx = iota
-	logFileIdx
-	pidFileIdx
-	serviceActionIdx
-	workDirIdx
-	webAddrsIdx
-	checkConfigIdx
-	disableUpdateIdx
-	glinetModeIdx
-	helpIdx
-	localFrontend
-	performUpdateIdx
-	verboseIdx
-	versionIdx
-)
-
-// commandLineOption contains information about a command-line option: its long
-// and, if there is one, short forms, the value type, the description, and the
-// default value.
-type commandLineOption struct {
-	defaultValue any
-	description  string
-	long         string
-	short        string
-	valueType    string
-}
-
-// commandLineOptions are all command-line options currently supported by
-// AdGuard Home.
-var commandLineOptions = []*commandLineOption{
-	confFileIdx: {
-		// TODO(a.garipov): Remove the directory when the new code is ready.
-		defaultValue: "internal/next/AdGuardHome.yaml",
-		description:  "Path to the config file.",
-		long:         "config",
-		short:        "c",
-		valueType:    "path",
-	},
-
-	logFileIdx: {
-		defaultValue: "stdout",
-		description:  `Path to log file.  Special values include "stdout", "stderr", and "syslog".`,
-		long:         "logfile",
-		short:        "l",
-		valueType:    "path",
-	},
-
-	pidFileIdx: {
-		defaultValue: "",
-		description:  "Path to the file where to store the PID.",
-		long:         "pidfile",
-		short:        "",
-		valueType:    "path",
-	},
-
-	serviceActionIdx: {
-		defaultValue: "",
-		description: `Service control action: "status", "install" (as a service), ` +
-			`"uninstall" (as a service), "start", "stop", "restart", "reload" (configuration).`,
-		long:      "service",
-		short:     "s",
-		valueType: "action",
-	},
-
-	workDirIdx: {
-		defaultValue: "",
-		description: `Path to the working directory.  ` +
-			`It is applied before all other configuration is read, ` +
-			`so all relative paths are relative to it.`,
-		long:      "work-dir",
-		short:     "w",
-		valueType: "path",
-	},
-
-	webAddrsIdx: {
-		defaultValue: []netip.AddrPort(nil),
-		description: `Address(es) to serve the web UI on, in the host:port format.  ` +
-			`Can be used multiple times.`,
-		long:      "web-addr",
-		short:     "",
-		valueType: "host:port",
-	},
-
-	checkConfigIdx: {
-		defaultValue: false,
-		description:  "Check configuration and quit.",
-		long:         "check-config",
-		short:        "",
-		valueType:    "",
-	},
-
-	disableUpdateIdx: {
-		defaultValue: false,
-		description:  "Disable automatic update checking.",
-		long:         "no-check-update",
-		short:        "",
-		valueType:    "",
-	},
-
-	glinetModeIdx: {
-		defaultValue: false,
-		description:  "Run in GL-Inet compatibility mode.",
-		long:         "glinet",
-		short:        "",
-		valueType:    "",
-	},
-
-	helpIdx: {
-		defaultValue: false,
-		description:  "Print this help message and quit.",
-		long:         "help",
-		short:        "h",
-		valueType:    "",
-	},
-
-	localFrontend: {
-		defaultValue: false,
-		description:  "Use local frontend directories.",
-		long:         "local-frontend",
-		short:        "",
-		valueType:    "",
-	},
-
-	performUpdateIdx: {
-		defaultValue: false,
-		description:  "Update the current binary and restart the service in case it's installed.",
-		long:         "update",
-		short:        "",
-		valueType:    "",
-	},
-
-	verboseIdx: {
-		defaultValue: false,
-		description:  "Enable verbose logging.",
-		long:         "verbose",
-		short:        "v",
-		valueType:    "",
-	},
-
-	versionIdx: {
-		defaultValue: false,
-		description: `Print the version to stdout and quit.  ` +
-			`Print a more detailed version description with -v.`,
-		long:      "version",
-		short:     "",
-		valueType: "",
-	},
-}
-
-// parseOptions parses the command-line options for AdGuardHome.
-func parseOptions(cmdName string, args []string) (opts *options, err error) {
-	flags := flag.NewFlagSet(cmdName, flag.ContinueOnError)
-
-	opts = &options{}
-	for i, fieldPtr := range []any{
-		confFileIdx:      &opts.confFile,
-		logFileIdx:       &opts.logFile,
-		pidFileIdx:       &opts.pidFile,
-		serviceActionIdx: &opts.serviceAction,
-		workDirIdx:       &opts.workDir,
-		webAddrsIdx:      &opts.webAddrs,
-		checkConfigIdx:   &opts.checkConfig,
-		disableUpdateIdx: &opts.disableUpdate,
-		glinetModeIdx:    &opts.glinetMode,
-		helpIdx:          &opts.help,
-		localFrontend:    &opts.localFrontend,
-		performUpdateIdx: &opts.performUpdate,
-		verboseIdx:       &opts.verbose,
-		versionIdx:       &opts.version,
-	} {
-		addOption(flags, fieldPtr, commandLineOptions[i])
-	}
-
-	flags.Usage = func() { usage(cmdName, os.Stderr) }
-
-	err = flags.Parse(args)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	return opts, nil
-}
-
-// addOption adds the command-line option described by o to flags using fieldPtr
-// as the pointer to the value.
-func addOption(flags *flag.FlagSet, fieldPtr any, o *commandLineOption) {
-	switch fieldPtr := fieldPtr.(type) {
-	case *string:
-		flags.StringVar(fieldPtr, o.long, o.defaultValue.(string), o.description)
-		if o.short != "" {
-			flags.StringVar(fieldPtr, o.short, o.defaultValue.(string), o.description)
-		}
-	case *[]netip.AddrPort:
-		flags.Func(o.long, o.description, func(s string) (err error) {
-			addr, err := netip.ParseAddrPort(s)
-			if err != nil {
-				// Don't wrap the error, because it's informative enough as is.
-				return err
-			}
-
-			*fieldPtr = append(*fieldPtr, addr)
-
-			return nil
-		})
-	case *bool:
-		flags.BoolVar(fieldPtr, o.long, o.defaultValue.(bool), o.description)
-		if o.short != "" {
-			flags.BoolVar(fieldPtr, o.short, o.defaultValue.(bool), o.description)
-		}
-	default:
-		panic(fmt.Errorf("unexpected field pointer type %T", fieldPtr))
-	}
-}
-
-// usage prints a usage message similar to the one printed by package flag but
-// taking long vs. short versions into account as well as using more informative
-// value hints.
-func usage(cmdName string, output io.Writer) {
-	options := slices.Clone(commandLineOptions)
-	slices.SortStableFunc(options, func(a, b *commandLineOption) (sortsBefore bool) {
-		return a.long < b.long
-	})
-
-	b := &strings.Builder{}
-	_, _ = fmt.Fprintf(b, "Usage of %s:\n", cmdName)
-
-	for _, o := range options {
-		writeUsageLine(b, o)
-
-		// Use four spaces before the tab to trigger good alignment for both 4-
-		// and 8-space tab stops.
-		if shouldIncludeDefault(o.defaultValue) {
-			_, _ = fmt.Fprintf(b, "    \t%s  (Default value: %q)\n", o.description, o.defaultValue)
-		} else {
-			_, _ = fmt.Fprintf(b, "    \t%s\n", o.description)
-		}
-	}
-
-	_, _ = io.WriteString(output, b.String())
-}
-
-// shouldIncludeDefault returns true if this default value should be printed.
-func shouldIncludeDefault(v any) (ok bool) {
-	switch v := v.(type) {
-	case bool:
-		return v
-	case string:
-		return v != ""
-	default:
-		return v == nil
-	}
-}
-
-// writeUsageLine writes the usage line for the provided command-line option.
-func writeUsageLine(b *strings.Builder, o *commandLineOption) {
-	if o.short == "" {
-		if o.valueType == "" {
-			_, _ = fmt.Fprintf(b, "  --%s\n", o.long)
-		} else {
-			_, _ = fmt.Fprintf(b, "  --%s=%s\n", o.long, o.valueType)
-		}
-
-		return
-	}
-
-	if o.valueType == "" {
-		_, _ = fmt.Fprintf(b, "  --%s/-%s\n", o.long, o.short)
-	} else {
-		_, _ = fmt.Fprintf(b, "  --%[1]s=%[3]s/-%[2]s %[3]s\n", o.long, o.short, o.valueType)
-	}
-}
-
-// processOptions decides if AdGuard Home should exit depending on the results
-// of command-line option parsing.
-func processOptions(
-	opts *options,
-	cmdName string,
-	parseErr error,
-) (exitCode int, needExit bool) {
-	if parseErr != nil {
-		// Assume that usage has already been printed.
-		return 2, true
-	}
-
-	if opts.help {
-		usage(cmdName, os.Stdout)
-
-		return 0, true
-	}
-
-	if opts.version {
-		if opts.verbose {
-			fmt.Println(version.Verbose())
-		} else {
-			fmt.Printf("AdGuard Home %s\n", version.Version())
-		}
-
-		return 0, true
-	}
-
-	return 0, false
-}
--- a/internal/next/cmd/signal.go
+++ b/internal/next/cmd/signal.go
@@ -1,129 +0,0 @@
-package cmd
-
-import (
-	"io/fs"
-	"os"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// signalHandler processes incoming signals and shuts services down.
-type signalHandler struct {
-	// signal is the channel to which OS signals are sent.
-	signal chan os.Signal
-
-	// confFile is the path to the configuration file.
-	confFile string
-
-	// frontend is the filesystem with the frontend and other statically
-	// compiled files.
-	frontend fs.FS
-
-	// start is the time at which AdGuard Home has been started.
-	start time.Time
-
-	// services are the services that are shut down before application exiting.
-	services []agh.Service
-}
-
-// handle processes OS signals.
-func (h *signalHandler) handle() {
-	defer log.OnPanic("signalHandler.handle")
-
-	for sig := range h.signal {
-		log.Info("sighdlr: received signal %q", sig)
-
-		if aghos.IsReconfigureSignal(sig) {
-			h.reconfigure()
-		} else if aghos.IsShutdownSignal(sig) {
-			status := h.shutdown()
-			log.Info("sighdlr: exiting with status %d", status)
-
-			os.Exit(status)
-		}
-	}
-}
-
-// reconfigure rereads the configuration file and updates and restarts services.
-func (h *signalHandler) reconfigure() {
-	log.Info("sighdlr: reconfiguring adguard home")
-
-	status := h.shutdown()
-	if status != statusSuccess {
-		log.Info("sighdlr: reconfiguring: exiting with status %d", status)
-
-		os.Exit(status)
-	}
-
-	// TODO(a.garipov): This is a very rough way to do it.  Some services can be
-	// reconfigured without the full shutdown, and the error handling is
-	// currently not the best.
-
-	confMgr, err := configmgr.New(h.confFile, h.frontend, h.start)
-	check(err)
-
-	web := confMgr.Web()
-	err = web.Start()
-	check(err)
-
-	dns := confMgr.DNS()
-	err = dns.Start()
-	check(err)
-
-	h.services = []agh.Service{
-		dns,
-		web,
-	}
-
-	log.Info("sighdlr: successfully reconfigured adguard home")
-}
-
-// Exit status constants.
-const (
-	statusSuccess = 0
-	statusError   = 1
-)
-
-// shutdown gracefully shuts down all services.
-func (h *signalHandler) shutdown() (status int) {
-	ctx, cancel := ctxWithDefaultTimeout()
-	defer cancel()
-
-	status = statusSuccess
-
-	log.Info("sighdlr: shutting down services")
-	for i, service := range h.services {
-		err := service.Shutdown(ctx)
-		if err != nil {
-			log.Error("sighdlr: shutting down service at index %d: %s", i, err)
-			status = statusError
-		}
-	}
-
-	return status
-}
-
-// newSignalHandler returns a new signalHandler that shuts down svcs.
-func newSignalHandler(
-	confFile string,
-	frontend fs.FS,
-	start time.Time,
-	svcs ...agh.Service,
-) (h *signalHandler) {
-	h = &signalHandler{
-		signal:   make(chan os.Signal, 1),
-		confFile: confFile,
-		frontend: frontend,
-		start:    start,
-		services: svcs,
-	}
-
-	aghos.NotifyShutdownSignal(h.signal)
-	aghos.NotifyReconfigureSignal(h.signal)
-
-	return h
-}
--- a/internal/next/configmgr/config.go
+++ b/internal/next/configmgr/config.go
@@ -1,43 +0,0 @@
-package configmgr
-
-import (
-	"net/netip"
-
-	"github.com/AdguardTeam/golibs/timeutil"
-)
-
-// Configuration Structures
-
-// config is the top-level on-disk configuration structure.
-type config struct {
-	DNS  *dnsConfig  `yaml:"dns"`
-	HTTP *httpConfig `yaml:"http"`
-	// TODO(a.garipov): Use.
-	SchemaVersion int `yaml:"schema_version"`
-	// TODO(a.garipov): Use.
-	DebugPprof bool `yaml:"debug_pprof"`
-	Verbose    bool `yaml:"verbose"`
-}
-
-// dnsConfig is the on-disk DNS configuration.
-//
-// TODO(a.garipov): Validate.
-type dnsConfig struct {
-	Addresses           []netip.AddrPort  `yaml:"addresses"`
-	BootstrapDNS        []string          `yaml:"bootstrap_dns"`
-	UpstreamDNS         []string          `yaml:"upstream_dns"`
-	DNS64Prefixes       []netip.Prefix    `yaml:"dns64_prefixes"`
-	UpstreamTimeout     timeutil.Duration `yaml:"upstream_timeout"`
-	BootstrapPreferIPv6 bool              `yaml:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool              `yaml:"use_dns64"`
-}
-
-// httpConfig is the on-disk web API configuration.
-//
-// TODO(a.garipov): Validate.
-type httpConfig struct {
-	Addresses       []netip.AddrPort  `yaml:"addresses"`
-	SecureAddresses []netip.AddrPort  `yaml:"secure_addresses"`
-	Timeout         timeutil.Duration `yaml:"timeout"`
-	ForceHTTPS      bool              `yaml:"force_https"`
-}
--- a/internal/next/configmgr/configmgr.go
+++ b/internal/next/configmgr/configmgr.go
@@ -1,215 +0,0 @@
-// Package configmgr defines the AdGuard Home on-disk configuration entities and
-// configuration manager.
-package configmgr
-
-import (
-	"context"
-	"fmt"
-	"io/fs"
-	"os"
-	"sync"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/errors"
-	"gopkg.in/yaml.v3"
-)
-
-// Configuration Manager
-
-// Manager handles full and partial changes in the configuration, persisting
-// them to disk if necessary.
-type Manager struct {
-	// updMu makes sure that at most one reconfiguration is performed at a time.
-	// updMu protects all fields below.
-	updMu *sync.RWMutex
-
-	// dns is the DNS service.
-	dns *dnssvc.Service
-
-	// Web is the Web API service.
-	web *websvc.Service
-
-	// current is the current configuration.
-	current *config
-
-	// fileName is the name of the configuration file.
-	fileName string
-}
-
-// New creates a new *Manager that persists changes to the file pointed to by
-// fileName.  It reads the configuration file and populates the service fields.
-// start is the startup time of AdGuard Home.
-func New(
-	fileName string,
-	frontend fs.FS,
-	start time.Time,
-) (m *Manager, err error) {
-	defer func() { err = errors.Annotate(err, "reading config: %w") }()
-
-	conf := &config{}
-	f, err := os.Open(fileName)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-	defer func() { err = errors.WithDeferred(err, f.Close()) }()
-
-	err = yaml.NewDecoder(f).Decode(conf)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	// TODO(a.garipov): Validate the configuration structure.  Return an error
-	// if it's incorrect.
-
-	m = &Manager{
-		updMu:    &sync.RWMutex{},
-		current:  conf,
-		fileName: fileName,
-	}
-
-	// TODO(a.garipov): Get the context with the timeout from the arguments?
-	const assemblyTimeout = 5 * time.Second
-	ctx, cancel := context.WithTimeout(context.Background(), assemblyTimeout)
-	defer cancel()
-
-	err = m.assemble(ctx, conf, frontend, start)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	return m, nil
-}
-
-// assemble creates all services and puts them into the corresponding fields.
-// The fields of conf must not be modified after calling assemble.
-func (m *Manager) assemble(
-	ctx context.Context,
-	conf *config,
-	frontend fs.FS,
-	start time.Time,
-) (err error) {
-	dnsConf := &dnssvc.Config{
-		Addresses:           conf.DNS.Addresses,
-		BootstrapServers:    conf.DNS.BootstrapDNS,
-		UpstreamServers:     conf.DNS.UpstreamDNS,
-		DNS64Prefixes:       conf.DNS.DNS64Prefixes,
-		UpstreamTimeout:     conf.DNS.UpstreamTimeout.Duration,
-		BootstrapPreferIPv6: conf.DNS.BootstrapPreferIPv6,
-		UseDNS64:            conf.DNS.UseDNS64,
-	}
-	err = m.updateDNS(ctx, dnsConf)
-	if err != nil {
-		return fmt.Errorf("assembling dnssvc: %w", err)
-	}
-
-	webSvcConf := &websvc.Config{
-		ConfigManager: m,
-		Frontend:      frontend,
-		// TODO(a.garipov): Fill from config file.
-		TLS:             nil,
-		Start:           start,
-		Addresses:       conf.HTTP.Addresses,
-		SecureAddresses: conf.HTTP.SecureAddresses,
-		Timeout:         conf.HTTP.Timeout.Duration,
-		ForceHTTPS:      conf.HTTP.ForceHTTPS,
-	}
-
-	err = m.updateWeb(ctx, webSvcConf)
-	if err != nil {
-		return fmt.Errorf("assembling websvc: %w", err)
-	}
-
-	return nil
-}
-
-// DNS returns the current DNS service.  It is safe for concurrent use.
-func (m *Manager) DNS() (dns agh.ServiceWithConfig[*dnssvc.Config]) {
-	m.updMu.RLock()
-	defer m.updMu.RUnlock()
-
-	return m.dns
-}
-
-// UpdateDNS implements the [websvc.ConfigManager] interface for *Manager.  The
-// fields of c must not be modified after calling UpdateDNS.
-func (m *Manager) UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	m.updMu.Lock()
-	defer m.updMu.Unlock()
-
-	// TODO(a.garipov): Update and write the configuration file.  Return an
-	// error if something went wrong.
-
-	err = m.updateDNS(ctx, c)
-	if err != nil {
-		return fmt.Errorf("reassembling dnssvc: %w", err)
-	}
-
-	return nil
-}
-
-// updateDNS recreates the DNS service.  m.updMu is expected to be locked.
-func (m *Manager) updateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	if prev := m.dns; prev != nil {
-		err = prev.Shutdown(ctx)
-		if err != nil {
-			return fmt.Errorf("shutting down dns svc: %w", err)
-		}
-	}
-
-	svc, err := dnssvc.New(c)
-	if err != nil {
-		return fmt.Errorf("creating dns svc: %w", err)
-	}
-
-	m.dns = svc
-
-	return nil
-}
-
-// Web returns the current web service.  It is safe for concurrent use.
-func (m *Manager) Web() (web agh.ServiceWithConfig[*websvc.Config]) {
-	m.updMu.RLock()
-	defer m.updMu.RUnlock()
-
-	return m.web
-}
-
-// UpdateWeb implements the [websvc.ConfigManager] interface for *Manager.  The
-// fields of c must not be modified after calling UpdateWeb.
-func (m *Manager) UpdateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	m.updMu.Lock()
-	defer m.updMu.Unlock()
-
-	// TODO(a.garipov): Update and write the configuration file.  Return an
-	// error if something went wrong.
-
-	err = m.updateWeb(ctx, c)
-	if err != nil {
-		return fmt.Errorf("reassembling websvc: %w", err)
-	}
-
-	return nil
-}
-
-// updateWeb recreates the web service.  m.upd is expected to be locked.
-func (m *Manager) updateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	if prev := m.web; prev != nil {
-		err = prev.Shutdown(ctx)
-		if err != nil {
-			return fmt.Errorf("shutting down web svc: %w", err)
-		}
-	}
-
-	m.web, err = websvc.New(c)
-	if err != nil {
-		return fmt.Errorf("creating web svc: %w", err)
-	}
-
-	return nil
-}
--- a/internal/next/dnssvc/config.go
+++ b/internal/next/dnssvc/config.go
@@ -1,35 +0,0 @@
-package dnssvc
-
-import (
-	"net/netip"
-	"time"
-)
-
-// Config is the AdGuard Home DNS service configuration structure.
-//
-// TODO(a.garipov): Add timeout for incoming requests.
-type Config struct {
-	// Addresses are the addresses on which to serve plain DNS queries.
-	Addresses []netip.AddrPort
-
-	// BootstrapServers are the addresses of DNS servers used for bootstrapping
-	// the upstream DNS server addresses.
-	BootstrapServers []string
-
-	// UpstreamServers are the upstream DNS server addresses to use.
-	UpstreamServers []string
-
-	// DNS64Prefixes is a slice of NAT64 prefixes to be used for DNS64.  See
-	// also [Config.UseDNS64].
-	DNS64Prefixes []netip.Prefix
-
-	// UpstreamTimeout is the timeout for upstream requests.
-	UpstreamTimeout time.Duration
-
-	// BootstrapPreferIPv6, if true, instructs the bootstrapper to prefer IPv6
-	// addresses to IPv4 ones when bootstrapping.
-	BootstrapPreferIPv6 bool
-
-	// UseDNS64, if true, enables DNS64 protection for incoming requests.
-	UseDNS64 bool
-}
--- a/internal/next/dnssvc/dnssvc.go
+++ b/internal/next/dnssvc/dnssvc.go
@@ -1,202 +0,0 @@
-// Package dnssvc contains the AdGuard Home DNS service.
-//
-// TODO(a.garipov): Define, if all methods of a *Service should work with a nil
-// receiver.
-package dnssvc
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync/atomic"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	// TODO(a.garipov): Add a “dnsproxy proxy” package to shield us from changes
-	// and replacement of module dnsproxy.
-	"github.com/AdguardTeam/dnsproxy/proxy"
-	"github.com/AdguardTeam/dnsproxy/upstream"
-)
-
-// Service is the AdGuard Home DNS service.  A nil *Service is a valid
-// [agh.Service] that does nothing.
-//
-// TODO(a.garipov): Consider saving a [*proxy.Config] instance for those
-// fields that are only used in [New] and [Service.Config].
-type Service struct {
-	proxy               *proxy.Proxy
-	bootstraps          []string
-	upstreams           []string
-	dns64Prefixes       []netip.Prefix
-	upsTimeout          time.Duration
-	running             atomic.Bool
-	bootstrapPreferIPv6 bool
-	useDNS64            bool
-}
-
-// New returns a new properly initialized *Service.  If c is nil, svc is a nil
-// *Service that does nothing.  The fields of c must not be modified after
-// calling New.
-func New(c *Config) (svc *Service, err error) {
-	if c == nil {
-		return nil, nil
-	}
-
-	svc = &Service{
-		bootstraps:          c.BootstrapServers,
-		upstreams:           c.UpstreamServers,
-		dns64Prefixes:       c.DNS64Prefixes,
-		upsTimeout:          c.UpstreamTimeout,
-		bootstrapPreferIPv6: c.BootstrapPreferIPv6,
-		useDNS64:            c.UseDNS64,
-	}
-
-	upstreams, err := addressesToUpstreams(
-		c.UpstreamServers,
-		c.BootstrapServers,
-		c.UpstreamTimeout,
-		c.BootstrapPreferIPv6,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("converting upstreams: %w", err)
-	}
-
-	svc.proxy = &proxy.Proxy{
-		Config: proxy.Config{
-			UDPListenAddr: udpAddrs(c.Addresses),
-			TCPListenAddr: tcpAddrs(c.Addresses),
-			UpstreamConfig: &proxy.UpstreamConfig{
-				Upstreams: upstreams,
-			},
-			UseDNS64:   c.UseDNS64,
-			DNS64Prefs: c.DNS64Prefixes,
-		},
-	}
-
-	err = svc.proxy.Init()
-	if err != nil {
-		return nil, fmt.Errorf("proxy: %w", err)
-	}
-
-	return svc, nil
-}
-
-// addressesToUpstreams is a wrapper around [upstream.AddressToUpstream].  It
-// accepts a slice of addresses and other upstream parameters, and returns a
-// slice of upstreams.
-func addressesToUpstreams(
-	upsStrs []string,
-	bootstraps []string,
-	timeout time.Duration,
-	preferIPv6 bool,
-) (upstreams []upstream.Upstream, err error) {
-	upstreams = make([]upstream.Upstream, len(upsStrs))
-	for i, upsStr := range upsStrs {
-		upstreams[i], err = upstream.AddressToUpstream(upsStr, &upstream.Options{
-			Bootstrap:  bootstraps,
-			Timeout:    timeout,
-			PreferIPv6: preferIPv6,
-		})
-		if err != nil {
-			return nil, fmt.Errorf("upstream at index %d: %w", i, err)
-		}
-	}
-
-	return upstreams, nil
-}
-
-// tcpAddrs converts []netip.AddrPort into []*net.TCPAddr.
-func tcpAddrs(addrPorts []netip.AddrPort) (tcpAddrs []*net.TCPAddr) {
-	if addrPorts == nil {
-		return nil
-	}
-
-	tcpAddrs = make([]*net.TCPAddr, len(addrPorts))
-	for i, a := range addrPorts {
-		tcpAddrs[i] = net.TCPAddrFromAddrPort(a)
-	}
-
-	return tcpAddrs
-}
-
-// udpAddrs converts []netip.AddrPort into []*net.UDPAddr.
-func udpAddrs(addrPorts []netip.AddrPort) (udpAddrs []*net.UDPAddr) {
-	if addrPorts == nil {
-		return nil
-	}
-
-	udpAddrs = make([]*net.UDPAddr, len(addrPorts))
-	for i, a := range addrPorts {
-		udpAddrs[i] = net.UDPAddrFromAddrPort(a)
-	}
-
-	return udpAddrs
-}
-
-// type check
-var _ agh.Service = (*Service)(nil)
-
-// Start implements the [agh.Service] interface for *Service.  svc may be nil.
-// After Start exits, all DNS servers have tried to start, but there is no
-// guarantee that they did.  Errors from the servers are written to the log.
-func (svc *Service) Start() (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	defer func() {
-		// TODO(a.garipov): [proxy.Proxy.Start] doesn't actually have any way to
-		// tell when all servers are actually up, so at best this is merely an
-		// assumption.
-		svc.running.Store(err == nil)
-	}()
-
-	return svc.proxy.Start()
-}
-
-// Shutdown implements the [agh.Service] interface for *Service.  svc may be
-// nil.
-func (svc *Service) Shutdown(ctx context.Context) (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	return svc.proxy.Stop()
-}
-
-// Config returns the current configuration of the web service.  Config must not
-// be called simultaneously with Start.  If svc was initialized with ":0"
-// addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) Config() (c *Config) {
-	// TODO(a.garipov): Do we need to get the TCP addresses separately?
-
-	var addrs []netip.AddrPort
-	if svc.running.Load() {
-		udpAddrs := svc.proxy.Addrs(proxy.ProtoUDP)
-		addrs = make([]netip.AddrPort, len(udpAddrs))
-		for i, a := range udpAddrs {
-			addrs[i] = a.(*net.UDPAddr).AddrPort()
-		}
-	} else {
-		conf := svc.proxy.Config
-		udpAddrs := conf.UDPListenAddr
-		addrs = make([]netip.AddrPort, len(udpAddrs))
-		for i, a := range udpAddrs {
-			addrs[i] = a.AddrPort()
-		}
-	}
-
-	c = &Config{
-		Addresses:           addrs,
-		BootstrapServers:    svc.bootstraps,
-		UpstreamServers:     svc.upstreams,
-		DNS64Prefixes:       svc.dns64Prefixes,
-		UpstreamTimeout:     svc.upsTimeout,
-		BootstrapPreferIPv6: svc.bootstrapPreferIPv6,
-		UseDNS64:            svc.useDNS64,
-	}
-
-	return c
-}
--- a/internal/next/dnssvc/dnssvc_test.go
+++ b/internal/next/dnssvc/dnssvc_test.go
@@ -1,125 +0,0 @@
-package dnssvc_test
-
-import (
-	"context"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestMain(m *testing.M) {
-	testutil.DiscardLogOutput(m)
-}
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
-
-func TestService(t *testing.T) {
-	const (
-		listenAddr    = "127.0.0.1:0"
-		bootstrapAddr = "127.0.0.1:0"
-		upstreamAddr  = "upstream.example"
-	)
-
-	upstreamErrCh := make(chan error, 1)
-	upstreamStartedCh := make(chan struct{})
-	upstreamSrv := &dns.Server{
-		Addr: bootstrapAddr,
-		Net:  "udp",
-		Handler: dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
-			pt := testutil.PanicT{}
-
-			resp := (&dns.Msg{}).SetReply(req)
-			resp.Answer = append(resp.Answer, &dns.A{
-				Hdr: dns.RR_Header{},
-				A:   netip.MustParseAddrPort(bootstrapAddr).Addr().AsSlice(),
-			})
-
-			writeErr := w.WriteMsg(resp)
-			require.NoError(pt, writeErr)
-		}),
-		NotifyStartedFunc: func() { close(upstreamStartedCh) },
-	}
-
-	go func() {
-		listenErr := upstreamSrv.ListenAndServe()
-		if listenErr != nil {
-			// Log these immediately to see what happens.
-			t.Logf("upstream listen error: %s", listenErr)
-		}
-
-		upstreamErrCh <- listenErr
-	}()
-
-	_, _ = testutil.RequireReceive(t, upstreamStartedCh, testTimeout)
-
-	c := &dnssvc.Config{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort(listenAddr)},
-		BootstrapServers:    []string{upstreamSrv.PacketConn.LocalAddr().String()},
-		UpstreamServers:     []string{upstreamAddr},
-		DNS64Prefixes:       nil,
-		UpstreamTimeout:     testTimeout,
-		BootstrapPreferIPv6: false,
-		UseDNS64:            false,
-	}
-
-	svc, err := dnssvc.New(c)
-	require.NoError(t, err)
-
-	err = svc.Start()
-	require.NoError(t, err)
-
-	gotConf := svc.Config()
-	require.NotNil(t, gotConf)
-	require.Len(t, gotConf.Addresses, 1)
-
-	addr := gotConf.Addresses[0]
-
-	t.Run("dns", func(t *testing.T) {
-		req := &dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:               dns.Id(),
-				RecursionDesired: true,
-			},
-			Question: []dns.Question{{
-				Name:   "example.com.",
-				Qtype:  dns.TypeA,
-				Qclass: dns.ClassINET,
-			}},
-		}
-
-		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-		defer cancel()
-
-		cli := &dns.Client{}
-
-		var resp *dns.Msg
-		require.Eventually(t, func() (ok bool) {
-			var excErr error
-			resp, _, excErr = cli.ExchangeContext(ctx, req, addr.String())
-
-			return excErr == nil
-		}, testTimeout, testTimeout/10)
-
-		assert.NotNil(t, resp)
-	})
-
-	ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-	defer cancel()
-
-	err = svc.Shutdown(ctx)
-	require.NoError(t, err)
-
-	err = upstreamSrv.Shutdown()
-	require.NoError(t, err)
-
-	err, ok := testutil.RequireReceive(t, upstreamErrCh, testTimeout)
-	require.True(t, ok)
-	require.NoError(t, err)
-}
--- a/internal/next/websvc/dns.go
+++ b/internal/next/websvc/dns.go
@@ -1,96 +0,0 @@
-package websvc
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-)
-
-// DNS Settings Handlers
-
-// ReqPatchSettingsDNS describes the request to the PATCH /api/v1/settings/dns
-// HTTP API.
-type ReqPatchSettingsDNS struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses           []netip.AddrPort `json:"addresses"`
-	BootstrapServers    []string         `json:"bootstrap_servers"`
-	UpstreamServers     []string         `json:"upstream_servers"`
-	DNS64Prefixes       []netip.Prefix   `json:"dns64_prefixes"`
-	UpstreamTimeout     JSONDuration     `json:"upstream_timeout"`
-	BootstrapPreferIPv6 bool             `json:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool             `json:"use_dns64"`
-}
-
-// HTTPAPIDNSSettings are the DNS settings as used by the HTTP API.  See the
-// DnsSettings object in the OpenAPI specification.
-type HTTPAPIDNSSettings struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses           []netip.AddrPort `json:"addresses"`
-	BootstrapServers    []string         `json:"bootstrap_servers"`
-	UpstreamServers     []string         `json:"upstream_servers"`
-	DNS64Prefixes       []netip.Prefix   `json:"dns64_prefixes"`
-	UpstreamTimeout     JSONDuration     `json:"upstream_timeout"`
-	BootstrapPreferIPv6 bool             `json:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool             `json:"use_dns64"`
-}
-
-// handlePatchSettingsDNS is the handler for the PATCH /api/v1/settings/dns HTTP
-// API.
-func (svc *Service) handlePatchSettingsDNS(w http.ResponseWriter, r *http.Request) {
-	req := &ReqPatchSettingsDNS{
-		Addresses:        []netip.AddrPort{},
-		BootstrapServers: []string{},
-		UpstreamServers:  []string{},
-	}
-
-	// TODO(a.garipov): Validate nulls and proper JSON patch.
-
-	err := json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("decoding: %w", err))
-
-		return
-	}
-
-	newConf := &dnssvc.Config{
-		Addresses:           req.Addresses,
-		BootstrapServers:    req.BootstrapServers,
-		UpstreamServers:     req.UpstreamServers,
-		DNS64Prefixes:       req.DNS64Prefixes,
-		UpstreamTimeout:     time.Duration(req.UpstreamTimeout),
-		BootstrapPreferIPv6: req.BootstrapPreferIPv6,
-		UseDNS64:            req.UseDNS64,
-	}
-
-	ctx := r.Context()
-	err = svc.confMgr.UpdateDNS(ctx, newConf)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("updating: %w", err))
-
-		return
-	}
-
-	newSvc := svc.confMgr.DNS()
-	err = newSvc.Start()
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("starting new service: %w", err))
-
-		return
-	}
-
-	writeJSONOKResponse(w, r, &HTTPAPIDNSSettings{
-		Addresses:           newConf.Addresses,
-		BootstrapServers:    newConf.BootstrapServers,
-		UpstreamServers:     newConf.UpstreamServers,
-		DNS64Prefixes:       newConf.DNS64Prefixes,
-		UpstreamTimeout:     JSONDuration(newConf.UpstreamTimeout),
-		BootstrapPreferIPv6: newConf.BootstrapPreferIPv6,
-		UseDNS64:            newConf.UseDNS64,
-	})
-}
--- a/internal/next/websvc/dns_test.go
+++ b/internal/next/websvc/dns_test.go
@@ -1,74 +0,0 @@
-package websvc_test
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandlePatchSettingsDNS(t *testing.T) {
-	wantDNS := &websvc.HTTPAPIDNSSettings{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:53")},
-		BootstrapServers:    []string{"1.0.0.1"},
-		UpstreamServers:     []string{"1.1.1.1"},
-		DNS64Prefixes:       []netip.Prefix{netip.MustParsePrefix("1234::/64")},
-		UpstreamTimeout:     websvc.JSONDuration(2 * time.Second),
-		BootstrapPreferIPv6: true,
-		UseDNS64:            true,
-	}
-
-	var started atomic.Bool
-	confMgr := newConfigManager()
-	confMgr.onDNS = func() (s agh.ServiceWithConfig[*dnssvc.Config]) {
-		return &aghtest.ServiceWithConfig[*dnssvc.Config]{
-			OnStart: func() (err error) {
-				started.Store(true)
-
-				return nil
-			},
-			OnShutdown: func(_ context.Context) (err error) { panic("not implemented") },
-			OnConfig:   func() (c *dnssvc.Config) { panic("not implemented") },
-		}
-	}
-	confMgr.onUpdateDNS = func(ctx context.Context, c *dnssvc.Config) (err error) {
-		return nil
-	}
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsDNS,
-	}
-
-	req := jobj{
-		"addresses":             wantDNS.Addresses,
-		"bootstrap_servers":     wantDNS.BootstrapServers,
-		"upstream_servers":      wantDNS.UpstreamServers,
-		"dns64_prefixes":        wantDNS.DNS64Prefixes,
-		"upstream_timeout":      wantDNS.UpstreamTimeout,
-		"bootstrap_prefer_ipv6": wantDNS.BootstrapPreferIPv6,
-		"use_dns64":             wantDNS.UseDNS64,
-	}
-
-	respBody := httpPatch(t, u, req, http.StatusOK)
-	resp := &websvc.HTTPAPIDNSSettings{}
-	err := json.Unmarshal(respBody, resp)
-	require.NoError(t, err)
-
-	assert.True(t, started.Load())
-	assert.Equal(t, wantDNS, resp)
-	assert.Equal(t, wantDNS, resp)
-}
--- a/internal/next/websvc/http.go
+++ b/internal/next/websvc/http.go
@@ -1,118 +0,0 @@
-package websvc
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// HTTP Settings Handlers
-
-// ReqPatchSettingsHTTP describes the request to the PATCH /api/v1/settings/http
-// HTTP API.
-type ReqPatchSettingsHTTP struct {
-	// TODO(a.garipov): Add more as we go.
-	//
-	// TODO(a.garipov): Add wait time.
-
-	Addresses       []netip.AddrPort `json:"addresses"`
-	SecureAddresses []netip.AddrPort `json:"secure_addresses"`
-	Timeout         JSONDuration     `json:"timeout"`
-}
-
-// HTTPAPIHTTPSettings are the HTTP settings as used by the HTTP API.  See the
-// HttpSettings object in the OpenAPI specification.
-type HTTPAPIHTTPSettings struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses       []netip.AddrPort `json:"addresses"`
-	SecureAddresses []netip.AddrPort `json:"secure_addresses"`
-	Timeout         JSONDuration     `json:"timeout"`
-	ForceHTTPS      bool             `json:"force_https"`
-}
-
-// handlePatchSettingsHTTP is the handler for the PATCH /api/v1/settings/http
-// HTTP API.
-func (svc *Service) handlePatchSettingsHTTP(w http.ResponseWriter, r *http.Request) {
-	req := &ReqPatchSettingsHTTP{}
-
-	// TODO(a.garipov): Validate nulls and proper JSON patch.
-
-	err := json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("decoding: %w", err))
-
-		return
-	}
-
-	newConf := &Config{
-		ConfigManager:   svc.confMgr,
-		Frontend:        svc.frontend,
-		TLS:             svc.tls,
-		Addresses:       req.Addresses,
-		SecureAddresses: req.SecureAddresses,
-		Timeout:         time.Duration(req.Timeout),
-		ForceHTTPS:      svc.forceHTTPS,
-	}
-
-	writeJSONOKResponse(w, r, &HTTPAPIHTTPSettings{
-		Addresses:       newConf.Addresses,
-		SecureAddresses: newConf.SecureAddresses,
-		Timeout:         JSONDuration(newConf.Timeout),
-		ForceHTTPS:      newConf.ForceHTTPS,
-	})
-
-	cancelUpd := func() {}
-	updCtx := context.Background()
-
-	ctx := r.Context()
-	if deadline, ok := ctx.Deadline(); ok {
-		updCtx, cancelUpd = context.WithDeadline(updCtx, deadline)
-	}
-
-	// Launch the new HTTP service in a separate goroutine to let this handler
-	// finish and thus, this server to shutdown.
-	go svc.relaunch(updCtx, cancelUpd, newConf)
-}
-
-// relaunch updates the web service in the configuration manager and starts it.
-// It is intended to be used as a goroutine.
-func (svc *Service) relaunch(ctx context.Context, cancel context.CancelFunc, newConf *Config) {
-	defer log.OnPanic("websvc: relaunching")
-
-	defer cancel()
-
-	err := svc.confMgr.UpdateWeb(ctx, newConf)
-	if err != nil {
-		log.Error("websvc: updating web: %s", err)
-
-		return
-	}
-
-	// TODO(a.garipov): Consider better ways to do this.
-	const maxUpdDur = 5 * time.Second
-	updStart := time.Now()
-	var newSvc agh.ServiceWithConfig[*Config]
-	for newSvc = svc.confMgr.Web(); newSvc == svc; {
-		if time.Since(updStart) >= maxUpdDur {
-			log.Error("websvc: failed to update svc after %s", maxUpdDur)
-
-			return
-		}
-
-		log.Debug("websvc: waiting for new websvc to be configured")
-
-		time.Sleep(100 * time.Millisecond)
-	}
-
-	err = newSvc.Start()
-	if err != nil {
-		log.Error("websvc: new svc failed to start with error: %s", err)
-	}
-}
--- a/internal/next/websvc/http_test.go
+++ b/internal/next/websvc/http_test.go
@@ -1,62 +0,0 @@
-package websvc_test
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandlePatchSettingsHTTP(t *testing.T) {
-	wantWeb := &websvc.HTTPAPIHTTPSettings{
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:443")},
-		Timeout:         websvc.JSONDuration(10 * time.Second),
-		ForceHTTPS:      false,
-	}
-
-	svc, err := websvc.New(&websvc.Config{
-		TLS: &tls.Config{
-			Certificates: []tls.Certificate{{}},
-		},
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:443")},
-		Timeout:         5 * time.Second,
-		ForceHTTPS:      true,
-	})
-	require.NoError(t, err)
-
-	confMgr := newConfigManager()
-	confMgr.onWeb = func() (s agh.ServiceWithConfig[*websvc.Config]) { return svc }
-	confMgr.onUpdateWeb = func(ctx context.Context, c *websvc.Config) (err error) { return nil }
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsHTTP,
-	}
-
-	req := jobj{
-		"addresses":        wantWeb.Addresses,
-		"secure_addresses": wantWeb.SecureAddresses,
-		"timeout":          wantWeb.Timeout,
-		"force_https":      wantWeb.ForceHTTPS,
-	}
-
-	respBody := httpPatch(t, u, req, http.StatusOK)
-	resp := &websvc.HTTPAPIHTTPSettings{}
-	err = json.Unmarshal(respBody, resp)
-	require.NoError(t, err)
-
-	assert.Equal(t, wantWeb, resp)
-}
--- a/internal/next/websvc/json.go
+++ b/internal/next/websvc/json.go
@@ -1,144 +0,0 @@
-package websvc
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"strconv"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/golibs/httphdr"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// JSON Utilities
-
-// nsecPerMsec is the number of nanoseconds in a millisecond.
-const nsecPerMsec = float64(time.Millisecond / time.Nanosecond)
-
-// JSONDuration is a time.Duration that can be decoded from JSON and encoded
-// into JSON according to our API conventions.
-type JSONDuration time.Duration
-
-// type check
-var _ json.Marshaler = JSONDuration(0)
-
-// MarshalJSON implements the json.Marshaler interface for JSONDuration.  err is
-// always nil.
-func (d JSONDuration) MarshalJSON() (b []byte, err error) {
-	msec := float64(time.Duration(d)) / nsecPerMsec
-	b = strconv.AppendFloat(nil, msec, 'f', -1, 64)
-
-	return b, nil
-}
-
-// type check
-var _ json.Unmarshaler = (*JSONDuration)(nil)
-
-// UnmarshalJSON implements the json.Marshaler interface for *JSONDuration.
-func (d *JSONDuration) UnmarshalJSON(b []byte) (err error) {
-	if d == nil {
-		return fmt.Errorf("json duration is nil")
-	}
-
-	msec, err := strconv.ParseFloat(string(b), 64)
-	if err != nil {
-		return fmt.Errorf("parsing json time: %w", err)
-	}
-
-	*d = JSONDuration(int64(msec * nsecPerMsec))
-
-	return nil
-}
-
-// JSONTime is a time.Time that can be decoded from JSON and encoded into JSON
-// according to our API conventions.
-type JSONTime time.Time
-
-// type check
-var _ json.Marshaler = JSONTime{}
-
-// MarshalJSON implements the json.Marshaler interface for JSONTime.  err is
-// always nil.
-func (t JSONTime) MarshalJSON() (b []byte, err error) {
-	msec := float64(time.Time(t).UnixNano()) / nsecPerMsec
-	b = strconv.AppendFloat(nil, msec, 'f', -1, 64)
-
-	return b, nil
-}
-
-// type check
-var _ json.Unmarshaler = (*JSONTime)(nil)
-
-// UnmarshalJSON implements the json.Marshaler interface for *JSONTime.
-func (t *JSONTime) UnmarshalJSON(b []byte) (err error) {
-	if t == nil {
-		return fmt.Errorf("json time is nil")
-	}
-
-	msec, err := strconv.ParseFloat(string(b), 64)
-	if err != nil {
-		return fmt.Errorf("parsing json time: %w", err)
-	}
-
-	*t = JSONTime(time.Unix(0, int64(msec*nsecPerMsec)).UTC())
-
-	return nil
-}
-
-// writeJSONOKResponse writes headers with the code 200 OK, encodes v into w,
-// and logs any errors it encounters.  r is used to get additional information
-// from the request.
-func writeJSONOKResponse(w http.ResponseWriter, r *http.Request, v any) {
-	writeJSONResponse(w, r, v, http.StatusOK)
-}
-
-// writeJSONResponse writes headers with code, encodes v into w, and logs any
-// errors it encounters.  r is used to get additional information from the
-// request.
-func writeJSONResponse(w http.ResponseWriter, r *http.Request, v any, code int) {
-	// TODO(a.garipov): Put some of these to a middleware.
-	h := w.Header()
-	h.Set(httphdr.ContentType, aghhttp.HdrValApplicationJSON)
-	h.Set(httphdr.Server, aghhttp.UserAgent())
-
-	w.WriteHeader(code)
-
-	err := json.NewEncoder(w).Encode(v)
-	if err != nil {
-		log.Error("websvc: writing resp to %s %s: %s", r.Method, r.URL.Path, err)
-	}
-}
-
-// ErrorCode is the error code as used by the HTTP API.  See the ErrorCode
-// definition in the OpenAPI specification.
-type ErrorCode string
-
-// ErrorCode constants.
-//
-// TODO(a.garipov): Expand and document codes.
-const (
-	// ErrorCodeTMP000 is the temporary error code used for all errors.
-	ErrorCodeTMP000 = ""
-)
-
-// HTTPAPIErrorResp is the error response as used by the HTTP API.  See the
-// BadRequestResp, InternalServerErrorResp, and similar objects in the OpenAPI
-// specification.
-type HTTPAPIErrorResp struct {
-	Code ErrorCode `json:"code"`
-	Msg  string    `json:"msg"`
-}
-
-// writeJSONErrorResponse encodes err as a JSON error into w, and logs any
-// errors it encounters.  r is used to get additional information from the
-// request.
-func writeJSONErrorResponse(w http.ResponseWriter, r *http.Request, err error) {
-	log.Error("websvc: %s %s: %s", r.Method, r.URL.Path, err)
-
-	writeJSONResponse(w, r, &HTTPAPIErrorResp{
-		Code: ErrorCodeTMP000,
-		Msg:  err.Error(),
-	}, http.StatusUnprocessableEntity)
-}
--- a/internal/next/websvc/json_test.go
+++ b/internal/next/websvc/json_test.go
@@ -1,114 +0,0 @@
-package websvc_test
-
-import (
-	"encoding/json"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// testJSONTime is the JSON time for tests.
-var testJSONTime = websvc.JSONTime(time.Unix(1_234_567_890, 123_456_000).UTC())
-
-// testJSONTimeStr is the string with the JSON encoding of testJSONTime.
-const testJSONTimeStr = "1234567890123.456"
-
-func TestJSONTime_MarshalJSON(t *testing.T) {
-	testCases := []struct {
-		name       string
-		wantErrMsg string
-		in         websvc.JSONTime
-		want       []byte
-	}{{
-		name:       "unix_zero",
-		wantErrMsg: "",
-		in:         websvc.JSONTime(time.Unix(0, 0)),
-		want:       []byte("0"),
-	}, {
-		name:       "empty",
-		wantErrMsg: "",
-		in:         websvc.JSONTime{},
-		want:       []byte("-6795364578871.345"),
-	}, {
-		name:       "time",
-		wantErrMsg: "",
-		in:         testJSONTime,
-		want:       []byte(testJSONTimeStr),
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			got, err := tc.in.MarshalJSON()
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-
-			assert.Equal(t, tc.want, got)
-		})
-	}
-
-	t.Run("json", func(t *testing.T) {
-		in := &struct {
-			A websvc.JSONTime
-		}{
-			A: testJSONTime,
-		}
-
-		got, err := json.Marshal(in)
-		require.NoError(t, err)
-
-		assert.Equal(t, []byte(`{"A":`+testJSONTimeStr+`}`), got)
-	})
-}
-
-func TestJSONTime_UnmarshalJSON(t *testing.T) {
-	testCases := []struct {
-		name       string
-		wantErrMsg string
-		want       websvc.JSONTime
-		data       []byte
-	}{{
-		name:       "time",
-		wantErrMsg: "",
-		want:       testJSONTime,
-		data:       []byte(testJSONTimeStr),
-	}, {
-		name: "bad",
-		wantErrMsg: `parsing json time: strconv.ParseFloat: parsing "{}": ` +
-			`invalid syntax`,
-		want: websvc.JSONTime{},
-		data: []byte(`{}`),
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var got websvc.JSONTime
-			err := got.UnmarshalJSON(tc.data)
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-
-			assert.Equal(t, tc.want, got)
-		})
-	}
-
-	t.Run("nil", func(t *testing.T) {
-		err := (*websvc.JSONTime)(nil).UnmarshalJSON([]byte("0"))
-		require.Error(t, err)
-
-		msg := err.Error()
-		assert.Equal(t, "json time is nil", msg)
-	})
-
-	t.Run("json", func(t *testing.T) {
-		want := testJSONTime
-		var got struct {
-			A websvc.JSONTime
-		}
-
-		err := json.Unmarshal([]byte(`{"A":`+testJSONTimeStr+`}`), &got)
-		require.NoError(t, err)
-
-		assert.Equal(t, want, got.A)
-	})
-}
--- a/internal/next/websvc/middleware.go
+++ b/internal/next/websvc/middleware.go
@@ -1,38 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/golibs/httphdr"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// Middlewares
-
-// jsonMw sets the content type of the response to application/json.
-func jsonMw(h http.Handler) (wrapped http.HandlerFunc) {
-	f := func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set(httphdr.ContentType, aghhttp.HdrValApplicationJSON)
-
-		h.ServeHTTP(w, r)
-	}
-
-	return http.HandlerFunc(f)
-}
-
-// logMw logs the queries with level debug.
-func logMw(h http.Handler) (wrapped http.HandlerFunc) {
-	f := func(w http.ResponseWriter, r *http.Request) {
-		start := time.Now()
-		m, u := r.Method, r.RequestURI
-
-		log.Debug("websvc: %s %s started", m, u)
-		defer func() { log.Debug("websvc: %s %s finished in %s", m, u, time.Since(start)) }()
-
-		h.ServeHTTP(w, r)
-	}
-
-	return http.HandlerFunc(f)
-}
--- a/internal/next/websvc/path.go
+++ b/internal/next/websvc/path.go
@@ -1,14 +0,0 @@
-package websvc
-
-// Path constants
-const (
-	PathRoot     = "/"
-	PathFrontend = "/*filepath"
-
-	PathHealthCheck = "/health-check"
-
-	PathV1SettingsAll  = "/api/v1/settings/all"
-	PathV1SettingsDNS  = "/api/v1/settings/dns"
-	PathV1SettingsHTTP = "/api/v1/settings/http"
-	PathV1SystemInfo   = "/api/v1/system/info"
-)
--- a/internal/next/websvc/settings.go
+++ b/internal/next/websvc/settings.go
@@ -1,45 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-)
-
-// All Settings Handlers
-
-// RespGetV1SettingsAll describes the response of the GET /api/v1/settings/all
-// HTTP API.
-type RespGetV1SettingsAll struct {
-	// TODO(a.garipov): Add more as we go.
-
-	DNS  *HTTPAPIDNSSettings  `json:"dns"`
-	HTTP *HTTPAPIHTTPSettings `json:"http"`
-}
-
-// handleGetSettingsAll is the handler for the GET /api/v1/settings/all HTTP
-// API.
-func (svc *Service) handleGetSettingsAll(w http.ResponseWriter, r *http.Request) {
-	dnsSvc := svc.confMgr.DNS()
-	dnsConf := dnsSvc.Config()
-
-	webSvc := svc.confMgr.Web()
-	httpConf := webSvc.Config()
-
-	// TODO(a.garipov): Add all currently supported parameters.
-	writeJSONOKResponse(w, r, &RespGetV1SettingsAll{
-		DNS: &HTTPAPIDNSSettings{
-			Addresses:           dnsConf.Addresses,
-			BootstrapServers:    dnsConf.BootstrapServers,
-			UpstreamServers:     dnsConf.UpstreamServers,
-			DNS64Prefixes:       dnsConf.DNS64Prefixes,
-			UpstreamTimeout:     JSONDuration(dnsConf.UpstreamTimeout),
-			BootstrapPreferIPv6: dnsConf.BootstrapPreferIPv6,
-			UseDNS64:            dnsConf.UseDNS64,
-		},
-		HTTP: &HTTPAPIHTTPSettings{
-			Addresses:       httpConf.Addresses,
-			SecureAddresses: httpConf.SecureAddresses,
-			Timeout:         JSONDuration(httpConf.Timeout),
-			ForceHTTPS:      httpConf.ForceHTTPS,
-		},
-	})
-}
--- a/internal/next/websvc/settings_test.go
+++ b/internal/next/websvc/settings_test.go
@@ -1,80 +0,0 @@
-package websvc_test
-
-import (
-	"crypto/tls"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandleGetSettingsAll(t *testing.T) {
-	// TODO(a.garipov): Add all currently supported parameters.
-
-	wantDNS := &websvc.HTTPAPIDNSSettings{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:53")},
-		BootstrapServers:    []string{"94.140.14.140", "94.140.14.141"},
-		UpstreamServers:     []string{"94.140.14.14", "1.1.1.1"},
-		UpstreamTimeout:     websvc.JSONDuration(1 * time.Second),
-		BootstrapPreferIPv6: true,
-	}
-
-	wantWeb := &websvc.HTTPAPIHTTPSettings{
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:443")},
-		Timeout:         websvc.JSONDuration(5 * time.Second),
-		ForceHTTPS:      true,
-	}
-
-	confMgr := newConfigManager()
-	confMgr.onDNS = func() (s agh.ServiceWithConfig[*dnssvc.Config]) {
-		c, err := dnssvc.New(&dnssvc.Config{
-			Addresses:           wantDNS.Addresses,
-			UpstreamServers:     wantDNS.UpstreamServers,
-			BootstrapServers:    wantDNS.BootstrapServers,
-			UpstreamTimeout:     time.Duration(wantDNS.UpstreamTimeout),
-			BootstrapPreferIPv6: true,
-		})
-		require.NoError(t, err)
-
-		return c
-	}
-
-	svc, err := websvc.New(&websvc.Config{
-		TLS: &tls.Config{
-			Certificates: []tls.Certificate{{}},
-		},
-		Addresses:       wantWeb.Addresses,
-		SecureAddresses: wantWeb.SecureAddresses,
-		Timeout:         time.Duration(wantWeb.Timeout),
-		ForceHTTPS:      true,
-	})
-	require.NoError(t, err)
-
-	confMgr.onWeb = func() (s agh.ServiceWithConfig[*websvc.Config]) {
-		return svc
-	}
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsAll,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-	resp := &websvc.RespGetV1SettingsAll{}
-	err = json.Unmarshal(body, resp)
-	require.NoError(t, err)
-
-	assert.Equal(t, wantDNS, resp.DNS)
-	assert.Equal(t, wantWeb, resp.HTTP)
-}
--- a/internal/next/websvc/system.go
+++ b/internal/next/websvc/system.go
@@ -1,35 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-	"runtime"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-)
-
-// System Handlers
-
-// RespGetV1SystemInfo describes the response of the GET /api/v1/system/info
-// HTTP API.
-type RespGetV1SystemInfo struct {
-	Arch       string   `json:"arch"`
-	Channel    string   `json:"channel"`
-	OS         string   `json:"os"`
-	NewVersion string   `json:"new_version,omitempty"`
-	Start      JSONTime `json:"start"`
-	Version    string   `json:"version"`
-}
-
-// handleGetV1SystemInfo is the handler for the GET /api/v1/system/info HTTP
-// API.
-func (svc *Service) handleGetV1SystemInfo(w http.ResponseWriter, r *http.Request) {
-	writeJSONOKResponse(w, r, &RespGetV1SystemInfo{
-		Arch:    runtime.GOARCH,
-		Channel: version.Channel(),
-		OS:      runtime.GOOS,
-		// TODO(a.garipov): Fill this when we have an updater.
-		NewVersion: "",
-		Start:      JSONTime(svc.start),
-		Version:    version.Version(),
-	})
-}
--- a/internal/next/websvc/system_test.go
+++ b/internal/next/websvc/system_test.go
@@ -1,37 +0,0 @@
-package websvc_test
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/url"
-	"runtime"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_handleGetV1SystemInfo(t *testing.T) {
-	confMgr := newConfigManager()
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SystemInfo,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-	resp := &websvc.RespGetV1SystemInfo{}
-	err := json.Unmarshal(body, resp)
-	require.NoError(t, err)
-
-	// TODO(a.garipov): Consider making version.Channel and version.Version
-	// testable and test these better.
-	assert.NotEmpty(t, resp.Channel)
-
-	assert.Equal(t, resp.Arch, runtime.GOARCH)
-	assert.Equal(t, resp.OS, runtime.GOOS)
-	assert.Equal(t, testStart, time.Time(resp.Start))
-}
--- a/internal/next/websvc/waitlistener.go
+++ b/internal/next/websvc/waitlistener.go
@@ -1,31 +0,0 @@
-package websvc
-
-import (
-	"net"
-	"sync"
-)
-
-// Wait Listener
-
-// waitListener is a wrapper around a listener that also calls wg.Done() on the
-// first call to Accept.  It is useful in situations where it is important to
-// catch the precise moment of the first call to Accept, for example when
-// starting an HTTP server.
-//
-// TODO(a.garipov): Move to aghnet?
-type waitListener struct {
-	net.Listener
-
-	firstAcceptWG   *sync.WaitGroup
-	firstAcceptOnce sync.Once
-}
-
-// type check
-var _ net.Listener = (*waitListener)(nil)
-
-// Accept implements the [net.Listener] interface for *waitListener.
-func (l *waitListener) Accept() (conn net.Conn, err error) {
-	l.firstAcceptOnce.Do(l.firstAcceptWG.Done)
-
-	return l.Listener.Accept()
-}
--- a/internal/next/websvc/waitlistener_internal_test.go
+++ b/internal/next/websvc/waitlistener_internal_test.go
@@ -1,40 +0,0 @@
-package websvc
-
-import (
-	"net"
-	"sync"
-	"sync/atomic"
-	"testing"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestWaitListener_Accept(t *testing.T) {
-	var accepted atomic.Bool
-	var l net.Listener = &aghtest.Listener{
-		OnAccept: func() (conn net.Conn, err error) {
-			accepted.Store(true)
-
-			return nil, nil
-		},
-		OnAddr:  func() (addr net.Addr) { panic("not implemented") },
-		OnClose: func() (err error) { panic("not implemented") },
-	}
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-
-	go func() {
-		var wrapper net.Listener = &waitListener{
-			Listener:      l,
-			firstAcceptWG: wg,
-		}
-
-		_, _ = wrapper.Accept()
-	}()
-
-	wg.Wait()
-
-	assert.Eventually(t, accepted.Load, testTimeout, testTimeout/10)
-}
--- a/internal/next/websvc/websvc.go
+++ b/internal/next/websvc/websvc.go
@@ -1,333 +0,0 @@
-// Package websvc contains the AdGuard Home HTTP API service.
-//
-// NOTE: Packages other than cmd must not import this package, as it imports
-// most other packages.
-//
-// TODO(a.garipov): Add tests.
-package websvc
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"io/fs"
-	"net"
-	"net/http"
-	"net/netip"
-	"sync"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
-	httptreemux "github.com/dimfeld/httptreemux/v5"
-)
-
-// ConfigManager is the configuration manager interface.
-type ConfigManager interface {
-	DNS() (svc agh.ServiceWithConfig[*dnssvc.Config])
-	Web() (svc agh.ServiceWithConfig[*Config])
-
-	UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error)
-	UpdateWeb(ctx context.Context, c *Config) (err error)
-}
-
-// Config is the AdGuard Home web service configuration structure.
-type Config struct {
-	// ConfigManager is used to show information about services as well as
-	// dynamically reconfigure them.
-	ConfigManager ConfigManager
-
-	// Frontend is the filesystem with the frontend and other statically
-	// compiled files.
-	Frontend fs.FS
-
-	// TLS is the optional TLS configuration.  If TLS is not nil,
-	// SecureAddresses must not be empty.
-	TLS *tls.Config
-
-	// Start is the time of start of AdGuard Home.
-	Start time.Time
-
-	// Addresses are the addresses on which to serve the plain HTTP API.
-	Addresses []netip.AddrPort
-
-	// SecureAddresses are the addresses on which to serve the HTTPS API.  If
-	// SecureAddresses is not empty, TLS must not be nil.
-	SecureAddresses []netip.AddrPort
-
-	// Timeout is the timeout for all server operations.
-	Timeout time.Duration
-
-	// ForceHTTPS tells if all requests to Addresses should be redirected to a
-	// secure address instead.
-	//
-	// TODO(a.garipov): Use; define rules, which address to redirect to.
-	ForceHTTPS bool
-}
-
-// Service is the AdGuard Home web service.  A nil *Service is a valid
-// [agh.Service] that does nothing.
-type Service struct {
-	confMgr    ConfigManager
-	frontend   fs.FS
-	tls        *tls.Config
-	start      time.Time
-	servers    []*http.Server
-	timeout    time.Duration
-	forceHTTPS bool
-}
-
-// New returns a new properly initialized *Service.  If c is nil, svc is a nil
-// *Service that does nothing.  The fields of c must not be modified after
-// calling New.
-//
-// TODO(a.garipov): Get rid of this special handling of nil or explain it
-// better.
-func New(c *Config) (svc *Service, err error) {
-	if c == nil {
-		return nil, nil
-	}
-
-	frontend, err := fs.Sub(c.Frontend, "build/static")
-	if err != nil {
-		return nil, fmt.Errorf("frontend fs: %w", err)
-	}
-
-	svc = &Service{
-		confMgr:    c.ConfigManager,
-		frontend:   frontend,
-		tls:        c.TLS,
-		start:      c.Start,
-		timeout:    c.Timeout,
-		forceHTTPS: c.ForceHTTPS,
-	}
-
-	mux := newMux(svc)
-
-	for _, a := range c.Addresses {
-		addr := a.String()
-		errLog := log.StdLog("websvc: plain http: "+addr, log.ERROR)
-		svc.servers = append(svc.servers, &http.Server{
-			Addr:              addr,
-			Handler:           mux,
-			ErrorLog:          errLog,
-			ReadTimeout:       c.Timeout,
-			WriteTimeout:      c.Timeout,
-			IdleTimeout:       c.Timeout,
-			ReadHeaderTimeout: c.Timeout,
-		})
-	}
-
-	for _, a := range c.SecureAddresses {
-		addr := a.String()
-		errLog := log.StdLog("websvc: https: "+addr, log.ERROR)
-		svc.servers = append(svc.servers, &http.Server{
-			Addr:              addr,
-			Handler:           mux,
-			TLSConfig:         c.TLS,
-			ErrorLog:          errLog,
-			ReadTimeout:       c.Timeout,
-			WriteTimeout:      c.Timeout,
-			IdleTimeout:       c.Timeout,
-			ReadHeaderTimeout: c.Timeout,
-		})
-	}
-
-	return svc, nil
-}
-
-// newMux returns a new HTTP request multiplexer for the AdGuard Home web
-// service.
-func newMux(svc *Service) (mux *httptreemux.ContextMux) {
-	mux = httptreemux.NewContextMux()
-
-	routes := []struct {
-		handler http.HandlerFunc
-		method  string
-		pattern string
-		isJSON  bool
-	}{{
-		handler: svc.handleGetHealthCheck,
-		method:  http.MethodGet,
-		pattern: PathHealthCheck,
-		isJSON:  false,
-	}, {
-		handler: http.FileServer(http.FS(svc.frontend)).ServeHTTP,
-		method:  http.MethodGet,
-		pattern: PathFrontend,
-		isJSON:  false,
-	}, {
-		handler: http.FileServer(http.FS(svc.frontend)).ServeHTTP,
-		method:  http.MethodGet,
-		pattern: PathRoot,
-		isJSON:  false,
-	}, {
-		handler: svc.handleGetSettingsAll,
-		method:  http.MethodGet,
-		pattern: PathV1SettingsAll,
-		isJSON:  true,
-	}, {
-		handler: svc.handlePatchSettingsDNS,
-		method:  http.MethodPatch,
-		pattern: PathV1SettingsDNS,
-		isJSON:  true,
-	}, {
-		handler: svc.handlePatchSettingsHTTP,
-		method:  http.MethodPatch,
-		pattern: PathV1SettingsHTTP,
-		isJSON:  true,
-	}, {
-		handler: svc.handleGetV1SystemInfo,
-		method:  http.MethodGet,
-		pattern: PathV1SystemInfo,
-		isJSON:  true,
-	}}
-
-	for _, r := range routes {
-		var hdlr http.Handler
-		if r.isJSON {
-			hdlr = jsonMw(r.handler)
-		} else {
-			hdlr = r.handler
-		}
-
-		mux.Handle(r.method, r.pattern, logMw(hdlr))
-	}
-
-	return mux
-}
-
-// addrs returns all addresses on which this server serves the HTTP API.  addrs
-// must not be called simultaneously with Start.  If svc was initialized with
-// ":0" addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) addrs() (addrs, secureAddrs []netip.AddrPort) {
-	for _, srv := range svc.servers {
-		addrPort, err := netip.ParseAddrPort(srv.Addr)
-		if err != nil {
-			// Technically shouldn't happen, since all servers must have a valid
-			// address.
-			panic(fmt.Errorf("websvc: server %q: bad address: %w", srv.Addr, err))
-		}
-
-		// srv.Serve will set TLSConfig to an almost empty value, so, instead of
-		// relying only on the nilness of TLSConfig, check the length of the
-		// certificates field as well.
-		if srv.TLSConfig == nil || len(srv.TLSConfig.Certificates) == 0 {
-			addrs = append(addrs, addrPort)
-		} else {
-			secureAddrs = append(secureAddrs, addrPort)
-		}
-
-	}
-
-	return addrs, secureAddrs
-}
-
-// handleGetHealthCheck is the handler for the GET /health-check HTTP API.
-func (svc *Service) handleGetHealthCheck(w http.ResponseWriter, _ *http.Request) {
-	_, _ = io.WriteString(w, "OK")
-}
-
-// type check
-var _ agh.Service = (*Service)(nil)
-
-// Start implements the [agh.Service] interface for *Service.  svc may be nil.
-// After Start exits, all HTTP servers have tried to start, possibly failing and
-// writing error messages to the log.
-func (svc *Service) Start() (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	wg := &sync.WaitGroup{}
-	wg.Add(len(svc.servers))
-	for _, srv := range svc.servers {
-		go serve(srv, wg)
-	}
-
-	wg.Wait()
-
-	return nil
-}
-
-// serve starts and runs srv and writes all errors into its log.
-func serve(srv *http.Server, wg *sync.WaitGroup) {
-	addr := srv.Addr
-	defer log.OnPanic(addr)
-
-	var proto string
-	var l net.Listener
-	var err error
-	if srv.TLSConfig == nil {
-		proto = "http"
-		l, err = net.Listen("tcp", addr)
-	} else {
-		proto = "https"
-		l, err = tls.Listen("tcp", addr, srv.TLSConfig)
-	}
-	if err != nil {
-		srv.ErrorLog.Printf("starting srv %s: binding: %s", addr, err)
-	}
-
-	// Update the server's address in case the address had the port zero, which
-	// would mean that a random available port was automatically chosen.
-	srv.Addr = l.Addr().String()
-
-	log.Info("websvc: starting srv %s://%s", proto, srv.Addr)
-
-	l = &waitListener{
-		Listener:      l,
-		firstAcceptWG: wg,
-	}
-
-	err = srv.Serve(l)
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		srv.ErrorLog.Printf("starting srv %s: %s", addr, err)
-	}
-}
-
-// Shutdown implements the [agh.Service] interface for *Service.  svc may be
-// nil.
-func (svc *Service) Shutdown(ctx context.Context) (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	var errs []error
-	for _, srv := range svc.servers {
-		serr := srv.Shutdown(ctx)
-		if serr != nil {
-			errs = append(errs, fmt.Errorf("shutting down srv %s: %w", srv.Addr, serr))
-		}
-	}
-
-	if len(errs) > 0 {
-		return errors.List("shutting down", errs...)
-	}
-
-	return nil
-}
-
-// Config returns the current configuration of the web service.  Config must not
-// be called simultaneously with Start.  If svc was initialized with ":0"
-// addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) Config() (c *Config) {
-	c = &Config{
-		ConfigManager: svc.confMgr,
-		TLS:           svc.tls,
-		// Leave Addresses and SecureAddresses empty and get the actual
-		// addresses that include the :0 ones later.
-		Start:      svc.start,
-		Timeout:    svc.timeout,
-		ForceHTTPS: svc.forceHTTPS,
-	}
-
-	c.Addresses, c.SecureAddresses = svc.addrs()
-
-	return c
-}
--- a/internal/next/websvc/websvc_internal_test.go
+++ b/internal/next/websvc/websvc_internal_test.go
@@ -1,6 +0,0 @@
-package websvc
-
-import "time"
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
--- a/internal/next/websvc/websvc_test.go
+++ b/internal/next/websvc/websvc_test.go
@@ -1,193 +0,0 @@
-package websvc_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"io"
-	"io/fs"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestMain(m *testing.M) {
-	testutil.DiscardLogOutput(m)
-}
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
-
-// testStart is the server start value for tests.
-var testStart = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
-
-// type check
-var _ websvc.ConfigManager = (*configManager)(nil)
-
-// configManager is a [websvc.ConfigManager] for tests.
-type configManager struct {
-	onDNS func() (svc agh.ServiceWithConfig[*dnssvc.Config])
-	onWeb func() (svc agh.ServiceWithConfig[*websvc.Config])
-
-	onUpdateDNS func(ctx context.Context, c *dnssvc.Config) (err error)
-	onUpdateWeb func(ctx context.Context, c *websvc.Config) (err error)
-}
-
-// DNS implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) DNS() (svc agh.ServiceWithConfig[*dnssvc.Config]) {
-	return m.onDNS()
-}
-
-// Web implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) Web() (svc agh.ServiceWithConfig[*websvc.Config]) {
-	return m.onWeb()
-}
-
-// UpdateDNS implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	return m.onUpdateDNS(ctx, c)
-}
-
-// UpdateWeb implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) UpdateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	return m.onUpdateWeb(ctx, c)
-}
-
-// newConfigManager returns a *configManager all methods of which panic.
-func newConfigManager() (m *configManager) {
-	return &configManager{
-		onDNS: func() (svc agh.ServiceWithConfig[*dnssvc.Config]) { panic("not implemented") },
-		onWeb: func() (svc agh.ServiceWithConfig[*websvc.Config]) { panic("not implemented") },
-		onUpdateDNS: func(_ context.Context, _ *dnssvc.Config) (err error) {
-			panic("not implemented")
-		},
-		onUpdateWeb: func(_ context.Context, _ *websvc.Config) (err error) {
-			panic("not implemented")
-		},
-	}
-}
-
-// newTestServer creates and starts a new web service instance as well as its
-// sole address.  It also registers a cleanup procedure, which shuts the
-// instance down.
-//
-// TODO(a.garipov): Use svc or remove it.
-func newTestServer(
-	t testing.TB,
-	confMgr websvc.ConfigManager,
-) (svc *websvc.Service, addr netip.AddrPort) {
-	t.Helper()
-
-	c := &websvc.Config{
-		ConfigManager: confMgr,
-		Frontend: &aghtest.FS{
-			OnOpen: func(_ string) (_ fs.File, _ error) { return nil, fs.ErrNotExist },
-		},
-		TLS:             nil,
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:0")},
-		SecureAddresses: nil,
-		Timeout:         testTimeout,
-		Start:           testStart,
-		ForceHTTPS:      false,
-	}
-
-	svc, err := websvc.New(c)
-	require.NoError(t, err)
-
-	err = svc.Start()
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-		t.Cleanup(cancel)
-
-		err = svc.Shutdown(ctx)
-		require.NoError(t, err)
-	})
-
-	c = svc.Config()
-	require.NotNil(t, c)
-	require.Len(t, c.Addresses, 1)
-
-	return svc, c.Addresses[0]
-}
-
-// jobj is a utility alias for JSON objects.
-type jobj map[string]any
-
-// httpGet is a helper that performs an HTTP GET request and returns the body of
-// the response as well as checks that the status code is correct.
-//
-// TODO(a.garipov): Add helpers for other methods.
-func httpGet(t testing.TB, u *url.URL, wantCode int) (body []byte) {
-	t.Helper()
-
-	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
-	require.NoErrorf(t, err, "creating req")
-
-	httpCli := &http.Client{
-		Timeout: testTimeout,
-	}
-	resp, err := httpCli.Do(req)
-	require.NoErrorf(t, err, "performing req")
-	require.Equal(t, wantCode, resp.StatusCode)
-
-	testutil.CleanupAndRequireSuccess(t, resp.Body.Close)
-
-	body, err = io.ReadAll(resp.Body)
-	require.NoErrorf(t, err, "reading body")
-
-	return body
-}
-
-// httpPatch is a helper that performs an HTTP PATCH request with JSON-encoded
-// reqBody as the request body and returns the body of the response as well as
-// checks that the status code is correct.
-//
-// TODO(a.garipov): Add helpers for other methods.
-func httpPatch(t testing.TB, u *url.URL, reqBody any, wantCode int) (body []byte) {
-	t.Helper()
-
-	b, err := json.Marshal(reqBody)
-	require.NoErrorf(t, err, "marshaling reqBody")
-
-	req, err := http.NewRequest(http.MethodPatch, u.String(), bytes.NewReader(b))
-	require.NoErrorf(t, err, "creating req")
-
-	httpCli := &http.Client{
-		Timeout: testTimeout,
-	}
-	resp, err := httpCli.Do(req)
-	require.NoErrorf(t, err, "performing req")
-	require.Equal(t, wantCode, resp.StatusCode)
-
-	testutil.CleanupAndRequireSuccess(t, resp.Body.Close)
-
-	body, err = io.ReadAll(resp.Body)
-	require.NoErrorf(t, err, "reading body")
-
-	return body
-}
-
-func TestService_Start_getHealthCheck(t *testing.T) {
-	confMgr := newConfigManager()
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathHealthCheck,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-
-	assert.Equal(t, []byte("OK"), body)
-}
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/securego/gosec/v2 v2.16.0
 	github.com/uudashr/gocognit v1.0.6
 	golang.org/x/tools v0.10.0
-	golang.org/x/vuln v0.1.0
+	golang.org/x/vuln v0.2.0
 	honnef.co/go/tools v0.4.3
 	mvdan.cc/gofumpt v0.5.0
 	mvdan.cc/unparam v0.0.0-20230610194454-9ea02bef9868
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -1,6 +1,5 @@
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
@@ -99,8 +98,8 @@ golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
 golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
 golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
-golang.org/x/vuln v0.1.0 h1:9GRdj6wAIkDrsMevuolY+SXERPjQPp2P1ysYA0jpZe0=
-golang.org/x/vuln v0.1.0/go.mod h1:/YuzZYjGbwB8y19CisAppfyw3uTZnuCz3r+qgx/QRzU=
+golang.org/x/vuln v0.2.0 h1:Dlz47lW0pvPHU7tnb10S8vbMn9GnV2B6eyT7Tem5XBI=
+golang.org/x/vuln v0.2.0/go.mod h1:V0eyhHwaAaHrt42J9bgrN6rd12f6GU4T0Lu0ex2wDg4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/whois/whois.go
+++ b/internal/whois/whois.go
@@ -288,6 +288,16 @@ func (w *Default) Process(ctx context.Context, ip netip.Addr) (wi *Info, changed
 		return wi, false
 	}

+	return w.requestInfo(ctx, ip, wi)
+}
+
+// requestInfo makes WHOIS request and returns WHOIS info.  changed is false if
+// received information is equal to cached.
+func (w *Default) requestInfo(
+	ctx context.Context,
+	ip netip.Addr,
+	cached *Info,
+) (wi *Info, changed bool) {
 	var info Info

 	defer func() {
@@ -311,12 +321,14 @@ func (w *Default) Process(ctx context.Context, ip netip.Addr) (wi *Info, changed
 		Orgname: kv["orgname"],
 	}

+	changed = cached == nil || info != *cached
+
 	// Don't return an empty struct so that the frontend doesn't get confused.
 	if (info == Info{}) {
-		return nil, true
+		return nil, changed
 	}

-	return &info, wi == nil || info != *wi
+	return &info, changed
 }

 // findInCache finds Info in the cache.  expired indicates that Info is valid.
--- a/main.go
+++ b/main.go
@@ -1,5 +1,3 @@
-//go:build !next
-
 package main

 import (
--- a/main_next.go
+++ b/main_next.go
@@ -1,20 +0,0 @@
-//go:build next
-
-package main
-
-import (
-	"embed"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/cmd"
-)
-
-// Embed the prebuilt client here since we strive to keep .go files inside the
-// internal directory and the embed package is unable to embed files located
-// outside of the same or underlying directory.
-
-//go:embed build
-var frontend embed.FS
-
-func main() {
-	cmd.Main(frontend)
-}
--- a/openapi/v1.yaml
+++ b/openapi/v1.yaml
--- a/scripts/make/build-docker.sh
+++ b/scripts/make/build-docker.sh
@@ -62,21 +62,22 @@ readonly docker_output
 case "$channel"
 in
 ('release')
-	docker_version_tag="${docker_image_name}:${version}"
-	docker_channel_tag="${docker_image_name}:latest"
+	docker_version_tag="--tag=${docker_image_name}:${version}"
+	docker_channel_tag="--tag=${docker_image_name}:latest"
 	;;
 ('beta')
-	docker_version_tag="${docker_image_name}:${version}"
-	docker_channel_tag="${docker_image_name}:beta"
+	docker_version_tag="--tag=${docker_image_name}:${version}"
+	docker_channel_tag="--tag=${docker_image_name}:beta"
 	;;
 ('edge')
-	# Don't set the version tag when pushing to the edge channel.
-	docker_version_tag="${docker_image_name}:edge"
-	docker_channel_tag="${docker_image_name}"
+	# Set the version tag to an empty string when pushing to the edge channel.
+	docker_version_tag=''
+	docker_channel_tag="--tag=${docker_image_name}:edge"
 	;;
 ('development')
-	docker_version_tag="${docker_image_name}"
-	docker_channel_tag="${docker_image_name}"
+	# Set both tags to an empty string for development builds.
+	docker_version_tag=''
+	docker_channel_tag=''
 	;;
 (*)
 	echo "invalid channel '$channel', supported values are\
@@ -118,6 +119,11 @@ cp "./docker/web-bind.awk"\
 cp "./docker/healthcheck.sh"\
 	"${dist_docker_scripts}/healthcheck.sh"

+# Don't use quotes with $docker_version_tag and $docker_channel_tag, because we
+# want word splitting and or an empty space if tags are empty.
+#
+# TODO(a.garipov): Once flag --tag of docker buildx build supports commas, use
+# them instead.
 $sudo_cmd docker\
 	"$debug_flags"\
 	buildx build\
@@ -127,7 +133,7 @@ $sudo_cmd docker\
 	--build-arg VERSION="$version"\
 	--output "$docker_output"\
 	--platform "$docker_platforms"\
-	--tag="$docker_version_tag"\
-	--tag="$docker_channel_tag"\
+	$docker_version_tag\
+	$docker_channel_tag\
 	-f ./docker/Dockerfile\
 	.
--- a/scripts/make/go-build.sh
+++ b/scripts/make/go-build.sh
@@ -128,13 +128,7 @@ export CGO_ENABLED
 GO111MODULE='on'
 export GO111MODULE

-# Build the new binary if requested.
-if [ "${NEXTAPI:-0}" -eq '0' ]
-then
-	tags_flags='--tags='
-else
-	tags_flags='--tags=next'
-fi
+tags_flags='--tags='
 readonly tags_flags

 if [ "$verbose" -gt '0' ]
--- a/scripts/make/go-lint.sh
+++ b/scripts/make/go-lint.sh
@@ -176,9 +176,10 @@ run_linter gocognit --over 10\
 	./internal/aghchan/\
 	./internal/aghhttp/\
 	./internal/aghio/\
-	./internal/tools/\
 	./internal/next/\
+	./internal/tools/\
 	./internal/version/\
+	./internal/whois/\
 	;

 run_linter ineffassign ./...
@@ -197,8 +198,25 @@ run_linter nilness ./...

 run_linter -e shadow --strict ./...

-# TODO(a.garipov): Enable in v0.108.0.
-# run_linter gosec --quiet ./...
+# TODO(a.garipov): Enable for all.
+run_linter gosec --quiet\
+	./internal/aghalg\
+	./internal/aghchan\
+	./internal/aghhttp\
+	./internal/aghio\
+	./internal/aghnet\
+	./internal/aghos\
+	./internal/aghtest\
+	./internal/dhcpd\
+	./internal/dhcpsvc\
+	./internal/dnsforward\
+	./internal/next\
+	./internal/schedule\
+	./internal/stats\
+	./internal/tools\
+	./internal/version\
+	./internal/whois\
+	;

 # TODO(a.garipov): Enable --blank?
 run_linter errcheck --asserts ./...
--- a/snap/local/adguard-home-web.sh
+++ b/snap/local/adguard-home-web.sh
@@ -1,7 +1,20 @@
 #!/bin/sh

+conf_file="${SNAP_DATA}/AdGuardHome.yaml"
+readonly conf_file
+
+if ! [ -f "$conf_file" ]
+then
+  xdg-open 'http://localhost:3000'
+
+  exit
+fi
+
 # Get the admin interface port from the configuration.
-bind_port="$( grep -e 'bind_port' "${SNAP_DATA}/AdGuardHome.yaml" | awk -F ' ' '{print $2}' )"
+awk_prog='/^[^[:space:]]/ { is_http = /^http:/ };/^[[:space:]]+address:/ { if (is_http) print $2 }'
+readonly awk_prog
+
+bind_port="$( awk "$awk_prog" "$conf_file" | awk -F ':' '{print $NF}' )"
 readonly bind_port

 if [ "$bind_port" = '' ]