all: sync with master; upd chlog

cherry-pick: 5959-fix-error-days
2023-07-26 13:18:44 +03:00 · 2023-07-12 15:13:31 +03:00 · 2023-07-03 14:38:16 +03:00 · 2023-07-03 14:10:40 +03:00 · 2023-06-13 17:04:47 +03:00 · 2023-06-08 19:48:01 +03:00
75 changed files with 157 additions and 8793 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'

 'env':
-  'GO_VERSION': '1.20.7'
+  'GO_VERSION': '1.19.11'
  'NODE_VERSION': '14'

 'on':
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'

 'env':
-  'GO_VERSION': '1.20.7'
+  'GO_VERSION': '1.19.11'

 'on':
  'push':
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,81 +14,21 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA

-## [v0.107.37] - 2023-08-16 (APPROX.)
+## [v0.107.36] - 2023-08-09 (APPROX.)

-See also the [v0.107.37 GitHub milestone][ms-v0.107.37].
+See also the [v0.107.36 GitHub milestone][ms-v0.107.36].

-[ms-v0.107.37]: https://github.com/AdguardTeam/AdGuardHome/milestone/72?closed=1
+[ms-v0.107.36]: https://github.com/AdguardTeam/AdGuardHome/milestone/71?closed=1

 NOTE: Add new changes BELOW THIS COMMENT.
 -->

-### Added
-
- The ability to set the port for the `pprof` debug API, see configuration
-  changes below.
-
-### Changed
-
-#### Configuration Changes
-
-In this release, the schema version has changed from 24 to 25.
-
- Property `debug_pprof` which used to setup profiling HTTP handler, is now
-  moved to the new `pprof` object under `http` section.  The new object contains
-  properties `enabled` and `port`:
-
-  ```yaml
-  # BEFORE:
-  'debug_pprof': true
-
-  # AFTER:
-  'http':
-    'pprof':
-      'enabled': true
-      'port': 6060
-  ```
-
-  Note that the new default `6060` is used as default.  To rollback this change,
-  remove the new object `pprof`, set back `debug_pprof`, and change the
-  `schema_version` back to `24`.
-
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->



-## [v0.107.36] - 2023-08-02
-
-See also the [v0.107.36 GitHub milestone][ms-v0.107.36].
-
-### Security
-
- Go version has been updated to prevent the possibility of exploiting the
-  CVE-2023-29409 Go vulnerability fixed in [Go 1.20.7][go-1.20.7].
-
-### Deprecated
-
- Go 1.20 support.  Future versions will require at least Go 1.21 to build.
-
-### Fixed
-
- Inability to block queries for the root domain, such as `NS .` queries, using
-  the *Disallowed domains* feature on the *DNS settings* page ([#6049]).  Users
-  who want to block `.` queries should use the `|.^` AdBlock rule or a similar
-  regular expression.
- Client hostnames not resolving when upstream server responds with zero-TTL
-  records ([#6046]).
-
-[#6046]: https://github.com/AdguardTeam/AdGuardHome/issues/6046
-[#6049]: https://github.com/AdguardTeam/AdGuardHome/issues/6049
-
-[go-1.20.7]:    https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
-[ms-v0.107.36]: https://github.com/AdguardTeam/AdGuardHome/milestone/71?closed=1
-
-
-
 ## [v0.107.35] - 2023-07-26

 See also the [v0.107.35 GitHub milestone][ms-v0.107.35].
@@ -2330,12 +2270,11 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].


 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.37...HEAD
-[v0.107.37]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.36...v0.107.37
-->
-
 [Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.36...HEAD
 [v0.107.36]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.35...v0.107.36
+-->
+
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.35...HEAD
 [v0.107.35]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.34...v0.107.35
 [v0.107.34]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.33...v0.107.34
 [v0.107.33]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.32...v0.107.33
--- a/3
+++ b/3
@@ -37,8 +37,6 @@ SIGN = 1
 VERSION = v0.0.0
 YARN = yarn

-NEXTAPI = 0
-
 # Macros for the build-release target.  If FRONTEND_PREBUILT is 0, the
 # default, the macro $(BUILD_RELEASE_DEPS_$(FRONTEND_PREBUILT)) expands
 # into BUILD_RELEASE_DEPS_0, and so both frontend and backend
@@ -66,7 +64,6 @@ ENV = env\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
-	NEXTAPI='$(NEXTAPI)'\
 	VERBOSE="$(VERBOSE.MACRO)"\
 	VERSION='$(VERSION)'\

--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ code.


 *  [Getting Started](#getting-started)
-     *  [Automated install (Linux/Unix/MacOS/FreeBSD/OpenBSD)](#automated-install-linux-and-mac)
+     *  [Automated install (Unix)](#automated-install-linux-and-mac)
     *  [Alternative methods](#alternative-methods)
     *  [Guides](#guides)
     *  [API](#api)
@@ -79,7 +79,7 @@ code.

 ##  <a href="#getting-started" id="getting-started" name="getting-started">Getting Started</a>

-   ###  <a href="#automated-install-linux-and-mac" id="automated-install-linux-and-mac" name="automated-install-linux-and-mac">Automated install (Linux/Unix/MacOS/FreeBSD/OpenBSD)</a>
+   ###  <a href="#automated-install-linux-and-mac" id="automated-install-linux-and-mac" name="automated-install-linux-and-mac">Automated install (Unix)</a>

 To install with `curl` run the following command:

@@ -261,7 +261,7 @@ Run `make init` to prepare the development environment.

 You will need this to build AdGuard Home:

- *  [Go](https://golang.org/dl/) v1.20 or later;
+ *  [Go](https://golang.org/dl/) v1.19 or later;
 *  [Node.js](https://nodejs.org/en/download/) v10.16.2 or later;
 *  [npm](https://www.npmjs.com/) v6.14 or later;
 *  [yarn](https://yarnpkg.com/) v1.22.5 or later.
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
    'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:6.8'

 'stages':
  - 'Build frontend':
@@ -272,7 +272,7 @@
        # need to build a few of these.
        'variables':
            'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:6.8'
    # release-vX.Y.Z branches are the branches from which the actual final
    # release is built.
  - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -287,4 +287,4 @@
        # are the ones that actually get released.
        'variables':
            'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:6.8'
--- a/bamboo-specs/snapcraft.yaml
+++ b/bamboo-specs/snapcraft.yaml
@@ -10,7 +10,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
    'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:6.8'
    'snapcraftChannel': 'edge'

 'stages':
@@ -191,7 +191,7 @@
        # need to build a few of these.
        'variables':
            'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:6.8'
            'snapcraftChannel': 'beta'
    # release-vX.Y.Z branches are the branches from which the actual final
    # release is built.
@@ -207,5 +207,5 @@
        # are the ones that actually get released.
        'variables':
            'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:6.8'
            'snapcraftChannel': 'candidate'
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -5,7 +5,7 @@
    'key': 'AHBRTSPECS'
    'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:6.8'

 'stages':
  - 'Tests':
--- a/client/src/__locales/hr.json
+++ b/client/src/__locales/hr.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Jeste li sigurni da želite ukloniti \"{{key}}\" klijenta?",
    "list_confirm_delete": "Jeste li sigurni da želite ukloniti ovaj popis?",
    "auto_clients_title": "Runtime klijenti",
-    "auto_clients_desc": "Informacije o IP adresama uređaja koji koriste ili bi mogli koristiti AdGuard Home. Ove informacije prikupljaju se iz nekoliko izvora, uključujući datoteke hostova, obrnuti DNS itd.",
+    "auto_clients_desc": "Podaci na klijentu koji koriste AdGuard Home, ali se ne mijenjaju u postavkama",
    "access_title": "Postavke pristupa",
    "access_desc": "Ovdje možete konfigurirati pravila pristupa za AdGuard Home DNS poslužitelj",
    "access_allowed_title": "Dopušteni klijenti",
--- a/client/src/__locales/hu.json
+++ b/client/src/__locales/hu.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Biztosan törölni szeretné a(z) \"{{key}}\" klienst?",
    "list_confirm_delete": "Biztosan törölni kívánja ezt a listát?",
    "auto_clients_title": "Futási idejű kliensek",
-    "auto_clients_desc": "Az AdGuard Home-ot használó vagy esetleg használó eszközök IP-címeire vonatkozó információk. Ezeket az információkat több forrásból gyűjtik, beleértve a hosts fájlokat, a fordított DNS-t stb.",
+    "auto_clients_desc": "Ezek az eszközök nem szerepelnek a fenntartott kliensek listáján, de használják az AdGuard Home-ot",
    "access_title": "Hozzáférési beállítások",
    "access_desc": "Itt konfigurálhatja az AdGuard Home DNS-kiszolgáló hozzáférési szabályait",
    "access_allowed_title": "Engedélyezett kliensek",
--- a/client/src/__locales/ro.json
+++ b/client/src/__locales/ro.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Sunteți sigur că doriți să ștergeți clientul \"{{key}}\"?",
    "list_confirm_delete": "Sigur doriți să ștergeți această listă?",
    "auto_clients_title": "Clienți runtime",
-    "auto_clients_desc": "Informații despre adresele IP ale dispozitivelor care utilizează sau pot utiliza AdGuard Home. Aceste informații sunt colectate din mai multe surse, inclusiv din fișiere hosts, DNS inversat etc.",
+    "auto_clients_desc": "Dispozitivele care nu se află pe lista de clienți Persistent care pot utiliza în continuare AdGuard Home",
    "access_title": "Setări de acces",
    "access_desc": "Aici puteți configura regulile de acces pentru serverul DNS AdGuard Home",
    "access_allowed_title": "Clienți autorizați",
--- a/client/src/__locales/sk.json
+++ b/client/src/__locales/sk.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Naozaj chcete vymazať \"{{key}}\" klienta?",
    "list_confirm_delete": "Naozaj chcete vymazať tento zoznam?",
    "auto_clients_title": "Runtime klienti",
-    "auto_clients_desc": "Informácie o IP adresách zariadení, ktoré používajú alebo môžu používať AdGuard Home. Tieto informácie sa získavajú z viacerých zdrojov vrátane súborov hosts, reverzného DNS atď.",
+    "auto_clients_desc": "Zariadenia, ktoré nie sú na zozname trvalých klientov, ktorí môžu stále používať AdGuard Home",
    "access_title": "Nastavenia prístupu",
    "access_desc": "Tu môžete konfigurovať pravidlá prístupu pre server DNS AdGuard Home.",
    "access_allowed_title": "Povolení klienti",
--- a/client/src/__locales/th.json
+++ b/client/src/__locales/th.json
@@ -172,7 +172,6 @@
    "dnscrypt": "DNSCrypt",
    "dns_over_https": "DNS-over-HTTPS",
    "dns_over_tls": "DNS-over-TLS",
-    "dns_over_quic": "DNS-over-QUIC",
    "form_enter_rate_limit": "ป้อนขีดจำกัดอัตรา",
    "rate_limit": "จำกัดอัตรา",
    "edns_enable": "เปิดใช้งานซับเน็ตไคลเอ็นต์ EDNS",
@@ -393,7 +392,6 @@
    "show_processed_responses": "การประมวลผล",
    "blocked_adult_websites": "ถูกปิดกั้นโดยการควบคุมของผู้ปกครอง",
    "safe_search": "ค้นหาอย่างปลอดภัย",
-    "blocklist": "บัญชีดำ",
    "filter_category_other": "อื่น ๆ",
    "parental_control": "ควบคุมโดยผู้ปกครอง"
 }
--- a/client/src/__locales/uk.json
+++ b/client/src/__locales/uk.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Ви впевнені, що хочете видалити клієнта «{{key}}»?",
    "list_confirm_delete": "Ви впевнені, що хочете видалити цей список?",
    "auto_clients_title": "Runtime-клієнти",
-    "auto_clients_desc": "Інформація про IP-адреси пристроїв, які використовують або можуть використовувати AdGuard Home. Ця інформація збирається з кількох джерел, зокрема з файлів hosts, зворотного DNS тощо.",
+    "auto_clients_desc": "Клієнти, які використовують AdGuard Home, незалежно від того, чи збережені вони в списку постійних",
    "access_title": "Налаштування доступу",
    "access_desc": "Тут ви можете налаштувати правила доступу для DNS-сервера AdGuard Home",
    "access_allowed_title": "Дозволені клієнти",
--- a/client/src/__locales/vi.json
+++ b/client/src/__locales/vi.json
@@ -444,7 +444,7 @@
    "client_confirm_delete": "Bạn có chắc chắn muốn xóa máy khách \"{{key}}\" không?",
    "list_confirm_delete": "Bạn có muốn xóa bộ lọc này?",
    "auto_clients_title": "Máy khách (thời gian chạy)",
-    "auto_clients_desc": "Thông tin về địa chỉ IP của thiết bị đang sử dụng hoặc có thể sử dụng AdGuard Home. Thông tin này được thu thập từ nhiều nguồn, bao gồm tệp máy chủ, DNS ngược, v.v.",
+    "auto_clients_desc": "Các thiết bị không có trong danh sách khách hàng ổn định vẫn có thể sử dụng AdGuard Home",
    "access_title": "Cài đặt truy cập",
    "access_desc": "Tại đây bạn có thể định cấu hình quy tắc truy cập cho máy chủ AdGuard Home DNS",
    "access_allowed_title": "Máy chủ được phép",
--- a/client/src/__locales/zh-tw.json
+++ b/client/src/__locales/zh-tw.json
@@ -138,9 +138,9 @@
    "block_domain_use_filters_and_hosts": "透過過濾器和主機檔案封鎖網域",
    "filters_block_toggle_hint": "您可在<a>過濾器</a>設定中設置封鎖規則。",
    "use_adguard_browsing_sec": "使用 AdGuard 瀏覽安全網路服務",
-    "use_adguard_browsing_sec_hint": "AdGuard Home 將檢查該網域是否被瀏覽安全網路服務封鎖。它將使用對隱私友好的查找應用程式介面（API）以執行檢查：僅域名 SHA256 雜湊的短前綴被傳送到該伺服器。",
+    "use_adguard_browsing_sec_hint": "AdGuard Home 將檢查該網域是否被瀏覽安全網路服務封鎖。它將使用友好的隱私查找應用程式介面（API）以執行檢查：僅域名 SHA256 雜湊的短前綴被傳送到該伺服器。",
    "use_adguard_parental": "使用 AdGuard 家長控制之網路服務",
-    "use_adguard_parental_hint": "AdGuard Home 將檢查網域是否包含成人資料。它使用如同瀏覽安全網路服務一樣之對隱私友好的應用程式介面（API）。",
+    "use_adguard_parental_hint": "AdGuard Home 將檢查網域是否包含成人資料。它使用如同瀏覽安全網路服務一樣之友好的隱私應用程式介面（API）。",
    "enforce_safe_search": "使用安全搜尋",
    "enforce_save_search_hint": "AdGuard Home 將在下列的搜尋引擎：Google、YouTube、Bing、DuckDuckGo、Yandex 和 Pixabay 中強制執行安全搜尋。",
    "no_servers_specified": "無已明確指定的伺服器",
--- a/client/src/helpers/trackers/trackers.json
+++ b/client/src/helpers/trackers/trackers.json
@@ -1,5 +1,5 @@
 {
-    "timeUpdated": "2023-08-01T00:10:42.759Z",
+    "timeUpdated": "2023-07-15T00:10:47.501Z",
    "categories": {
        "0": "audio_video_player",
        "1": "comments",
@@ -42,8 +42,7 @@
            "name": "1822direkt.de",
            "categoryId": 8,
            "url": "https://www.1822direkt.de/",
-            "companyId": "1822direkt",
-            "source": "AdGuard"
+            "companyId": null
        },
        "1dmp.io": {
            "name": "1DMP",
@@ -70,18 +69,16 @@
            "companyId": "dentsu_aegis_network"
        },
        "1und1": {
-            "name": "1&1 IONOS",
+            "name": "1&1 Internet",
            "categoryId": 8,
-            "url": "http://www.ionos.com/",
-            "companyId": "1und1",
-            "source": "AdGuard"
+            "url": null,
+            "companyId": null
        },
        "24-ads.com": {
-            "name": "24-ADS",
+            "name": "24-ADS GmbH",
            "categoryId": 4,
            "url": "http://www.24-ads.com/",
-            "companyId": "24-ads.com",
-            "source": "AdGuard"
+            "companyId": null
        },
        "24_7": {
            "name": "[24]7",
@@ -96,11 +93,10 @@
            "companyId": "24log"
        },
        "24smi": {
-            "name": "24SMI",
+            "name": "24СМИ",
            "categoryId": 8,
            "url": "https://24smi.org/",
-            "companyId": "24smi",
-            "source": "AdGuard"
+            "companyId": null
        },
        "2leep": {
            "name": "2leep",
@@ -131,15 +127,13 @@
            "name": "4Chan",
            "categoryId": 8,
            "url": "https://www.4chan.org/",
-            "companyId": "4chan",
-            "source": "AdGuard"
+            "companyId": null
        },
        "4finance_com": {
-            "name": "4finance",
+            "name": "4finance.com",
            "categoryId": 2,
-            "url": "https://4finance.com/",
-            "companyId": "4finance",
-            "source": "AdGuard"
+            "url": "http://4finance.com/",
+            "companyId": null
        },
        "4w_marketplace": {
            "name": "4w Marketplace",
@@ -185,11 +179,10 @@
            "source": "AdGuard"
        },
        "7tv.de": {
-            "name": "7tv.app",
+            "name": "7tv.de",
            "categoryId": 0,
-            "url": "https://www.7tv.app/",
-            "companyId": "7tv",
-            "source": "AdGuard"
+            "url": "https://www.7tv.de/",
+            "companyId": null
        },
        "888media": {
            "name": "888media",
@@ -2561,7 +2554,7 @@
            "name": "Microsoft App Center",
            "categoryId": 5,
            "url": "https://appcenter.ms/",
-            "companyId": "microsoft",
+            "companyId": null,
            "source": "AdGuard"
        },
        "appcues": {
@@ -3932,7 +3925,7 @@
            "name": "Button",
            "categoryId": 4,
            "url": "https://www.usebutton.com/",
-            "companyId": "button",
+            "companyId": null,
            "source": "AdGuard"
        },
        "buysellads": {
@@ -5283,7 +5276,7 @@
            "name": "Crashlytics",
            "categoryId": 101,
            "url": "https://crashlytics.com/",
-            "companyId": "google",
+            "companyId": null,
            "source": "AdGuard"
        },
        "crazy_egg": {
@@ -6434,13 +6427,6 @@
            "url": "http://www.amazon.com/",
            "companyId": "amazon_associates"
        },
-        "electronic_arts": {
-            "name": "Electronic Arts",
-            "categoryId": 2,
-            "url": "https://www.ea.com/",
-            "companyId": "electronic_arts",
-            "source": "AdGuard"
-        },
        "element": {
            "name": "Element",
            "categoryId": 7,
@@ -7028,13 +7014,6 @@
            "url": null,
            "companyId": null
        },
-        "farlight_pte_ltd": {
-            "name": "Farlight Pte Ltd.",
-            "categoryId": 8,
-            "url": "https://farlightgames.com/",
-            "companyId": "farlight",
-            "source": "AdGuard"
-        },
        "fastly_insights": {
            "name": "Fastly Insights",
            "categoryId": 6,
@@ -8676,7 +8655,7 @@
            "name": "HockeyApp",
            "categoryId": 101,
            "url": "https://hockeyapp.net/",
-            "companyId": "microsoft",
+            "companyId": null,
            "source": "AdGuard"
        },
        "hoholikik.club": {
@@ -16750,13 +16729,6 @@
            "url": "http://www.sundaysky.com/",
            "companyId": "sundaysky"
        },
-        "supercell": {
-            "name": "Supercell",
-            "categoryId": 2,
-            "url": "https://supercell.com/",
-            "companyId": "supercell",
-            "source": "AdGuard"
-        },
        "supercounters": {
            "name": "SuperCounters",
            "categoryId": 6,
@@ -19346,11 +19318,10 @@
            "companyId": "xapads"
        },
        "xen-media.com": {
-            "name": "Xen Media",
+            "name": "xen-media.com",
            "categoryId": 11,
-            "url": "https://www.xenmedia.net/",
-            "companyId": "xenmedia",
-            "source": "AdGuard"
+            "url": null,
+            "companyId": null
        },
        "xfreeservice.com": {
            "name": "xfreeservice.com",
@@ -19361,9 +19332,8 @@
        "xhamster": {
            "name": "xHamster",
            "categoryId": 3,
-            "url": "https://xhamster.com/",
-            "companyId": "xhamster",
-            "source": "AdGuard"
+            "url": null,
+            "companyId": null
        },
        "xing": {
            "name": "Xing",
@@ -19378,11 +19348,10 @@
            "companyId": "exoclick"
        },
        "xnxx_cdn": {
-            "name": "XNXX",
+            "name": "xnxx CDN",
            "categoryId": 9,
            "url": "https://www.xnxx.com",
-            "companyId": "xnxx",
-            "source": "AdGuard"
+            "companyId": null
        },
        "xplosion": {
            "name": "xplosion",
@@ -19397,18 +19366,16 @@
            "companyId": "matomy_media"
        },
        "xvideos_com": {
-            "name": "Xvideos",
+            "name": "xvideos.com",
            "categoryId": 8,
-            "url": "https://www.xvideos.com",
-            "companyId": "xvideos",
-            "source": "AdGuard"
+            "url": null,
+            "companyId": null
        },
        "xxxlshop.de": {
-            "name": "XXXLutz",
+            "name": "xxxlshop.de",
            "categoryId": 8,
-            "url": "https://www.xxxlutz.de/",
-            "companyId": "xxxlutz",
-            "source": "AdGuard"
+            "url": "https://www.xxxlshop.de/",
+            "companyId": null
        },
        "xxxlutz": {
            "name": "XXXLutz",
@@ -19420,8 +19387,7 @@
            "name": "Yabbi",
            "categoryId": 4,
            "url": "https://yabbi.me/",
-            "companyId": "yabbi",
-            "source": "AdGuard"
+            "companyId": null
        },
        "yabuka": {
            "name": "Yabuka",
@@ -19683,11 +19649,10 @@
            "companyId": "yomedia"
        },
        "yoochoose.net": {
-            "name": "Ibexa Personalizaton Software",
+            "name": "YOOCHOOSE",
            "categoryId": 4,
-            "url": "https://yoochoose.net/",
-            "companyId": "ibexa",
-            "source": "AdGuard"
+            "url": "https://yoochoose.com/",
+            "companyId": null
        },
        "yotpo": {
            "name": "Yotpo",
@@ -19722,9 +19687,8 @@
        "youporn": {
            "name": "YouPorn",
            "categoryId": 3,
-            "url": "https://www.youporn.com/",
-            "companyId": "youporn",
-            "source": "AdGuard"
+            "url": null,
+            "companyId": null
        },
        "youtube": {
            "name": "YouTube",
@@ -19862,8 +19826,7 @@
            "name": "ZeusClicks",
            "categoryId": 4,
            "url": "http://zeusclicks.com/",
-            "companyId": "zeusclicks",
-            "source": "AdGuard"
+            "companyId": null
        },
        "ziff_davis": {
            "name": "Ziff Davis",
@@ -19881,8 +19844,7 @@
            "name": "Zimbio",
            "categoryId": 8,
            "url": "http://www.zimbio.com/",
-            "companyId": "livinglymedia",
-            "source": "AdGuard"
+            "companyId": null
        },
        "zippyshare_widget": {
            "name": "Zippyshare Widget",
@@ -21488,9 +21450,6 @@
        "ekomi.de": "ekomi",
        "elasticad.net": "elastic_ad",
        "elasticbeanstalk.com": "elastic_beanstalk",
-        "cloudcell.com": "electronic_arts",
-        "ea.com": "electronic_arts",
-        "eamobile.com": "electronic_arts",
        "element.io": "element",
        "riot.im": "element",
        "elicitapp.com": "elicit",
@@ -21611,7 +21570,6 @@
        "thefancy.com": "fancy_widget",
        "d1q7pknmpq2wkm.cloudfront.net": "fanplayr",
        "fap.to": "fap.to",
-        "farlightgames.com": "farlight_pte_ltd",
        "fastly-insights.com": "fastly_insights",
        "fastly.net": "fastlylb.net",
        "fastlylb.net": "fastlylb.net",
@@ -24188,8 +24146,6 @@
        "sumo.com": "sumome",
        "sumome.com": "sumome",
        "sundaysky.com": "sundaysky",
-        "supercell.com": "supercell",
-        "supercellsupport.com": "supercell",
        "supercounters.com": "supercounters",
        "superfastcdn.com": "superfastcdn.com",
        "socdm.com": "supership",
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,9 @@
 module github.com/AdguardTeam/AdGuardHome

-go 1.20
+go 1.19

 require (
-	github.com/AdguardTeam/dnsproxy v0.52.1-0.20230726165924-30c459b0cdef
+	github.com/AdguardTeam/dnsproxy v0.52.0
 	github.com/AdguardTeam/golibs v0.13.6
 	github.com/AdguardTeam/urlfilter v0.16.1
 	github.com/NYTimes/gziphandler v1.1.1
@@ -17,7 +17,7 @@ require (
 	github.com/google/gopacket v1.1.19
 	github.com/google/renameio/v2 v2.0.0
 	github.com/google/uuid v1.3.0
-	github.com/insomniacslk/dhcp v0.0.0-20230720093626-5648422c16cd
+	github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.2
 	github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118
@@ -27,15 +27,12 @@ require (
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
 	github.com/miekg/dns v1.1.55
-	// TODO(a.garipov): Update to ≥ v0.37.0 once we update to Go 1.20.
-	github.com/quic-go/quic-go v0.36.2
+	github.com/quic-go/quic-go v0.36.1
 	github.com/stretchr/testify v1.8.4
 	github.com/ti-mo/netfilter v0.5.0
 	go.etcd.io/bbolt v1.3.7
 	golang.org/x/crypto v0.11.0
-	// TODO(a.garipov): Update after updating slices.Sort and friends to
-	// stdlib versions in dnsproxy and golibs in Go 1.20.
-	golang.org/x/exp v0.0.0-20230724220655-d98519c11495
+	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
 	golang.org/x/net v0.12.0
 	golang.org/x/sys v0.10.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
@@ -51,7 +48,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 // indirect
+	github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
@@ -62,8 +59,8 @@ require (
 	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
 	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
-	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/text v0.11.0 // indirect
-	golang.org/x/tools v0.11.0 // indirect
+	golang.org/x/tools v0.10.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/AdguardTeam/dnsproxy v0.52.1-0.20230726165924-30c459b0cdef h1:3ZJieG+PV+wJEXLgUndW4yL9/7iubyipbDmA0w3sa7Y=
-github.com/AdguardTeam/dnsproxy v0.52.1-0.20230726165924-30c459b0cdef/go.mod h1:Jo2zeRe97Rxt3yikXc+fn0LdLtqCj0Xlyh1PNBj6bpM=
+github.com/AdguardTeam/dnsproxy v0.52.0 h1:uZxCXflHSAwtJ7uTYXP6qgWcxaBsH0pJvldpwTqIDJk=
+github.com/AdguardTeam/dnsproxy v0.52.0/go.mod h1:Jo2zeRe97Rxt3yikXc+fn0LdLtqCj0Xlyh1PNBj6bpM=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
 github.com/AdguardTeam/golibs v0.13.6 h1:z/0Q25pRLdaQxtoxvfSaooz5mdv8wj0R8KREj54q8yQ=
@@ -50,16 +50,16 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 h1:n6vlPhxsA+BW/XsS5+uqi7GyzaLa5MH7qlSLBZtRdiA=
-github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
-github.com/insomniacslk/dhcp v0.0.0-20230720093626-5648422c16cd h1:D772X7igTag7yKErVWAR7boXpOml3fqqBzH1wNaD/jk=
-github.com/insomniacslk/dhcp v0.0.0-20230720093626-5648422c16cd/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
+github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df h1:pF1MMIzEJzJ/MyI4bXYXVYyN8CJgoQ2PPKT2z3O/Cl4=
+github.com/insomniacslk/dhcp v0.0.0-20230612134759-b20c9ba983df/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -108,8 +108,8 @@ github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc8
 github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
 github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
 github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
-github.com/quic-go/quic-go v0.36.2 h1:ZX/UNQ4gvpCv2RmwdbA6lrRjF6EBm5yZ7TMoT4NQVrA=
-github.com/quic-go/quic-go v0.36.2/go.mod h1:zPetvwDlILVxt15n3hr3Gf/I3mDf7LpLKPhR4Ez0AZQ=
+github.com/quic-go/quic-go v0.36.1 h1:WsG73nVtnDy1TiACxFxhQ3TqaW+DipmqzLEtNlAwZyY=
+github.com/quic-go/quic-go v0.36.1/go.mod h1:zPetvwDlILVxt15n3hr3Gf/I3mDf7LpLKPhR4Ez0AZQ=
 github.com/shirou/gopsutil/v3 v3.21.8 h1:nKct+uP0TV8DjjNiHanKf8SAuub+GNsbrOtM9Nl9biA=
 github.com/shirou/gopsutil/v3 v3.21.8/go.mod h1:YWp/H8Qs5fVmf17v7JNZzA0mPJ+mS2e9JdiUF9LlKzQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -136,13 +136,13 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
-golang.org/x/exp v0.0.0-20230724220655-d98519c11495 h1:zKGKw2WlGb8oPoRGqQ2PT8g2YoCN1w/YbbQjHXCdUWE=
-golang.org/x/exp v0.0.0-20230724220655-d98519c11495/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw=
+golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -191,8 +191,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8=
-golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/internal/client/addrproc.go
+++ b/internal/client/addrproc.go
@@ -58,12 +58,6 @@ type DefaultAddrProcConfig struct {
 	// immediately by [NewDefaultAddrProc].
 	InitialAddresses []netip.Addr

-	// CatchPanics, if true, makes the address processor catch and log panics.
-	//
-	// TODO(a.garipov): Consider better ways to do this or apply this method to
-	// other parts of the codebase.
-	CatchPanics bool
-
 	// UseRDNS, if true, enables resolving of client IP addresses using reverse
 	// DNS.
 	UseRDNS bool
@@ -157,7 +151,7 @@ func NewDefaultAddrProc(c *DefaultAddrProcConfig) (p *DefaultAddrProc) {
 		p.whois = newWHOIS(c.DialContext)
 	}

-	go p.process(c.CatchPanics)
+	go p.process()

 	for _, ip := range c.InitialAddresses {
 		p.Process(ip)
@@ -220,10 +214,8 @@ func (p *DefaultAddrProc) Process(ip netip.Addr) {

 // process processes the incoming client IP-address information.  It is intended
 // to be used as a goroutine.  Once clientIPs is closed, process exits.
-func (p *DefaultAddrProc) process(catchPanics bool) {
-	if catchPanics {
-		defer log.OnPanic("addrProcessor.process")
-	}
+func (p *DefaultAddrProc) process() {
+	defer log.OnPanic("addrProcessor.process")

 	log.Info("clients: processing addresses")

--- a/internal/client/addrproc_test.go
+++ b/internal/client/addrproc_test.go
@@ -2,7 +2,6 @@ package client_test

 import (
 	"context"
-	"fmt"
 	"io"
 	"net"
 	"net/netip"
@@ -113,7 +112,6 @@ func TestDefaultAddrProc_Process_rDNS(t *testing.T) {
 				AddressUpdater: &aghtest.AddressUpdater{
 					OnUpdateAddress: newOnUpdateAddress(tc.wantUpd, updIPCh, updHostCh, updInfoCh),
 				},
-				CatchPanics:    false,
 				UseRDNS:        true,
 				UsePrivateRDNS: tc.usePrivate,
 				UseWHOIS:       false,
@@ -148,8 +146,8 @@ func newOnUpdateAddress(
 	infos chan<- *whois.Info,
 ) (f func(ip netip.Addr, host string, info *whois.Info)) {
 	return func(ip netip.Addr, host string, info *whois.Info) {
-		if !want && (host != "" || info != nil) {
-			panic(fmt.Errorf("got unexpected update for %v with %q and %v", ip, host, info))
+		if !want {
+			panic("got unexpected update")
 		}

 		ips <- ip
@@ -224,7 +222,6 @@ func TestDefaultAddrProc_Process_WHOIS(t *testing.T) {
 				AddressUpdater: &aghtest.AddressUpdater{
 					OnUpdateAddress: newOnUpdateAddress(tc.wantUpd, updIPCh, updHostCh, updInfoCh),
 				},
-				CatchPanics:    false,
 				UseRDNS:        false,
 				UsePrivateRDNS: false,
 				UseWHOIS:       true,
--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@@ -90,7 +90,7 @@ func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, er

 	lists := []filterlist.RuleList{
 		&filterlist.StringRuleList{
-			ID:             0,
+			ID:             int(0),
 			RulesText:      b.String(),
 			IgnoreCosmetic: true,
 		},
--- a/internal/dnsforward/access_test.go
+++ b/internal/dnsforward/access_test.go
@@ -31,7 +31,6 @@ func TestIsBlockedHost(t *testing.T) {
 		"*.host.com",
 		"||host3.com^",
 		"||*^$dnstype=HTTPS",
-		"|.^",
 	})
 	require.NoError(t, err)

@@ -95,11 +94,6 @@ func TestIsBlockedHost(t *testing.T) {
 		name: "by_qtype_other",
 		host: "site-with-https-record.example",
 		qt:   dns.TypeA,
-	}, {
-		want: assert.True,
-		name: "ns_root",
-		host: ".",
-		qt:   dns.TypeNS,
 	}}

 	for _, tc := range testCases {
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -346,21 +346,19 @@ func (s *Server) Exchange(ip netip.Addr) (host string, ttl time.Duration, err er
 	}

 	var resolver *proxy.Proxy
-	var errMsg string
 	if s.privateNets.Contains(ip.AsSlice()) {
 		if !s.conf.UsePrivateRDNS {
 			return "", 0, nil
 		}

 		resolver = s.localResolvers
-		errMsg = "resolving a private address: %w"
 		s.recDetector.add(*req)
 	} else {
 		resolver = s.internalProxy
-		errMsg = "resolving an address: %w"
 	}
+
 	if err = resolver.Resolve(dctx); err != nil {
-		return "", 0, fmt.Errorf(errMsg, err)
+		return "", 0, err
 	}

 	return hostFromPTR(dctx.Res)
@@ -379,18 +377,13 @@ func hostFromPTR(resp *dns.Msg) (host string, ttl time.Duration, err error) {

 	var ttlSec uint32

-	log.Debug("dnsforward: resolving ptr, received %d answers", len(resp.Answer))
 	for _, ans := range resp.Answer {
 		ptr, ok := ans.(*dns.PTR)
 		if !ok {
 			continue
 		}

-		// Respect zero TTL records since some DNS servers use it to
-		// locally-resolved addresses.
-		//
-		// See https://github.com/AdguardTeam/AdGuardHome/issues/6046.
-		if ptr.Hdr.Ttl >= ttlSec {
+		if ptr.Hdr.Ttl > ttlSec {
 			host = ptr.Ptr
 			ttlSec = ptr.Hdr.Ttl
 		}
@@ -472,7 +465,6 @@ func (s *Server) filterOurDNSAddrs(addrs []string) (filtered []string, err error
 	}

 	ourAddrsSet := stringutil.NewSet(ourAddrs...)
-	log.Debug("dnsforward: filtering out %s", ourAddrsSet.String())

 	// TODO(e.burkov): The approach of subtracting sets of strings is not
 	// really applicable here since in case of listening on all network
@@ -509,7 +501,7 @@ func (s *Server) setupLocalResolvers() (err error) {
 		PreferIPv6: s.conf.BootstrapPreferIPv6,
 	})
 	if err != nil {
-		return fmt.Errorf("preparing private upstreams: %w", err)
+		return fmt.Errorf("parsing private upstreams: %w", err)
 	}

 	s.localResolvers = &proxy.Proxy{
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -72,6 +72,13 @@ func startDeferStop(t *testing.T, s *Server) {
 	testutil.CleanupAndRequireSuccess(t, s.Stop)
 }

+// packageUpstreamVariableMu is used to serialize access to the package-level
+// variables of package upstream.
+//
+// TODO(s.chzhen): Move these parameters to upstream options and remove this
+// crutch.
+var packageUpstreamVariableMu = &sync.Mutex{}
+
 func createTestServer(
 	t *testing.T,
 	filterConf *filtering.Config,
@@ -80,6 +87,9 @@ func createTestServer(
 ) (s *Server) {
 	t.Helper()

+	packageUpstreamVariableMu.Lock()
+	defer packageUpstreamVariableMu.Unlock()
+
 	rules := `||nxdomain.example.org
 ||NULL.example.org^
 127.0.0.1	host.example.org
@@ -1364,24 +1374,6 @@ func TestServer_Exchange(t *testing.T) {
 	refusingUpstream := aghtest.NewUpstreamMock(func(req *dns.Msg) (resp *dns.Msg, err error) {
 		return new(dns.Msg).SetRcode(req, dns.RcodeRefused), nil
 	})
-	zeroTTLUps := &aghtest.UpstreamMock{
-		OnAddress: func() (addr string) { return "zero.ttl.example" },
-		OnExchange: func(req *dns.Msg) (resp *dns.Msg, err error) {
-			resp = new(dns.Msg).SetReply(req)
-			hdr := dns.RR_Header{
-				Name:   req.Question[0].Name,
-				Rrtype: dns.TypePTR,
-				Class:  dns.ClassINET,
-				Ttl:    0,
-			}
-			resp.Answer = []dns.RR{&dns.PTR{
-				Hdr: hdr,
-				Ptr: localDomainHost,
-			}}
-
-			return resp, nil
-		},
-	}

 	srv := &Server{
 		recDetector: newRecursionDetector(0, 1),
@@ -1453,13 +1445,6 @@ func TestServer_Exchange(t *testing.T) {
 		locUpstream: nil,
 		req:         twosIP,
 		wantTTL:     defaultTTL * 2,
-	}, {
-		name:        "zero_ttl",
-		want:        localDomainHost,
-		wantErr:     nil,
-		locUpstream: zeroTTLUps,
-		req:         localIP,
-		wantTTL:     0,
 	}}

 	for _, tc := range testCases {
@@ -1483,7 +1468,6 @@ func TestServer_Exchange(t *testing.T) {

 	t.Run("resolving_disabled", func(t *testing.T) {
 		srv.conf.UsePrivateRDNS = false
-		t.Cleanup(func() { srv.conf.UsePrivateRDNS = true })

 		host, _, eerr := srv.Exchange(localIP)

--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"

-	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
 	"github.com/AdguardTeam/golibs/log"
@@ -34,9 +33,9 @@ func (s *Server) beforeRequestHandler(
 	if len(pctx.Req.Question) == 1 {
 		q := pctx.Req.Question[0]
 		qt := q.Qtype
-		host := aghnet.NormalizeDomain(q.Name)
+		host := strings.TrimSuffix(q.Name, ".")
 		if s.access.isBlockedHost(host, qt) {
-			log.Debug("access: request %s %s is in access blocklist", dns.Type(qt), host)
+			log.Debug("request %s %s is in access blocklist", dns.Type(qt), host)

 			return s.preBlockedResponse(pctx)
 		}
@@ -80,12 +79,7 @@ func (s *Server) filterDNSRequest(dctx *dnsContext) (res *filtering.Result, err
 	res = &resVal
 	switch {
 	case res.IsFiltered:
-		log.Debug(
-			"dnsforward: host %q is filtered, reason: %q; rule: %q",
-			host,
-			res.Reason,
-			res.Rules[0].Text,
-		)
+		log.Tracef("host %q is filtered, reason %q, rule: %q", host, res.Reason, res.Rules[0].Text)
 		pctx.Res = s.genDNSFilterMessage(pctx, res)
 	case res.Reason.In(filtering.Rewritten, filtering.RewrittenRule) &&
 		res.CanonName != "" &&
@@ -195,7 +189,7 @@ func (s *Server) filterDNSResponse(
 			continue
 		} else if res.IsFiltered {
 			pctx.Res = s.genDNSFilterMessage(pctx, res)
-			log.Debug("dnsforward: matched %q by response: %q", pctx.Req.Question[0].Name, host)
+			log.Debug("DNSFwd: Matched %s by response: %s", pctx.Req.Question[0].Name, host)

 			return res, nil
 		}
--- a/internal/dnsforward/process.go
+++ b/internal/dnsforward/process.go
@@ -719,8 +719,6 @@ func (s *Server) processLocalPTR(dctx *dnsContext) (rc resultCode) {
 	if s.conf.UsePrivateRDNS {
 		s.recDetector.add(*pctx.Req)
 		if err := s.localResolvers.Resolve(pctx); err != nil {
-			log.Debug("dnsforward: resolving private address: %s", err)
-
 			// Generate the server failure if the private upstream configuration
 			// is empty.
 			//
--- a/internal/dnsforward/upstreams.go
+++ b/internal/dnsforward/upstreams.go
@@ -42,6 +42,16 @@ func (s *Server) loadUpstreams() (upstreams []string, err error) {

 // prepareUpstreamSettings sets upstream DNS server settings.
 func (s *Server) prepareUpstreamSettings() (err error) {
+	// Use a customized set of RootCAs, because Go's default mechanism of
+	// loading TLS roots does not always work properly on some routers so we're
+	// loading roots manually and pass it here.
+	//
+	// See [aghtls.SystemRootCAs].
+	//
+	// TODO(a.garipov): Investigate if that's true.
+	upstream.RootCAs = s.conf.TLSv12Roots
+	upstream.CipherSuites = s.conf.TLSCiphers
+
 	// Load upstreams either from the file, or from the settings
 	var upstreams []string
 	upstreams, err = s.loadUpstreams()
@@ -54,15 +64,6 @@ func (s *Server) prepareUpstreamSettings() (err error) {
 		Timeout:      s.conf.UpstreamTimeout,
 		HTTPVersions: UpstreamHTTPVersions(s.conf.UseHTTP3Upstreams),
 		PreferIPv6:   s.conf.BootstrapPreferIPv6,
-		// Use a customized set of RootCAs, because Go's default mechanism of
-		// loading TLS roots does not always work properly on some routers so we're
-		// loading roots manually and pass it here.
-		//
-		// See [aghtls.SystemRootCAs].
-		//
-		// TODO(a.garipov): Investigate if that's true.
-		RootCAs:      s.conf.TLSv12Roots,
-		CipherSuites: s.conf.TLSCiphers,
 	})
 	if err != nil {
 		return fmt.Errorf("preparing upstream config: %w", err)
--- a/internal/filtering/servicelist.go
+++ b/internal/filtering/servicelist.go
@@ -253,30 +253,6 @@ var blockedServices = []blockedService{{
 		"||z.cn^",
 		"||zappos^",
 	},
-}, {
-	ID:      "apple_streaming",
-	Name:    "Apple Streaming",
-	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 50 50\"><path d=\"M33.375 0c-2.836.191-5.871 1.879-7.75 4.156-1.645 2.004-3.023 4.946-2.5 8-.469-.144-.895-.16-1.406-.344-1.395-.496-2.989-1.03-4.969-1.03-3.934 0-7.96 2.34-10.5 6.25C2.555 22.71 3.297 32.706 8.906 41.25c.989 1.5 2.14 3.137 3.563 4.438 1.422 1.3 3.14 2.292 5.156 2.312 1.723.02 2.922-.555 4-1.031 1.078-.477 2.082-.899 3.969-.907h.031c1.879-.015 2.852.399 3.906.876 1.055.476 2.242 1.078 3.969 1.062 2.055-.016 3.8-1.14 5.25-2.531 1.45-1.39 2.64-3.098 3.625-4.594 1.41-2.148 1.977-3.32 3.063-5.719a1.001 1.001 0 0 0-.563-1.344C41.32 32.47 39.293 29.325 39 26c-.293-3.324 1.113-6.746 4.656-8.688a1 1 0 0 0 .508-.675 1.007 1.007 0 0 0-.195-.825c-2.543-3.16-6.121-5.03-9.625-5.03-2.235 0-3.875.527-5.219 1.03-.223.086-.387.079-.594.157 1.364-.719 2.567-1.715 3.469-2.875 1.64-2.106 2.906-5.102 2.438-8.25A.999.999 0 0 0 33.374 0Zm-1.063 2.375c-.066 2.02-.757 3.996-1.906 5.469-1.203 1.547-3.226 2.617-5.187 2.937.035-1.941.8-3.953 1.968-5.375 1.227-1.484 3.258-2.554 5.125-3.031ZM16.75 12.781c1.613 0 2.906.418 4.281.906 1.375.489 2.824 1.063 4.532 1.063 1.667 0 2.988-.578 4.28-1.063 1.294-.484 2.583-.906 4.5-.906 2.505 0 5.212 1.301 7.344 3.563-3.414 2.41-5.011 6.168-4.687 9.812.324 3.684 2.543 7.18 6.188 9-.79 1.719-1.31 2.856-2.47 4.625-.956 1.457-2.093 3.051-3.343 4.25-1.25 1.2-2.574 1.957-3.906 1.969-1.285.012-2.016-.371-3.125-.875-1.11-.504-2.543-1.082-4.75-1.063-2.203.012-3.657.567-4.782 1.063s-1.863.887-3.156.875c-1.367-.012-2.636-.676-3.843-1.781-1.208-1.106-2.297-2.614-3.25-4.063-5.25-8-5.672-17.398-2.657-22.031 2.211-3.402 5.723-5.344 8.844-5.344Z\"/></svg>"),
-	Rules: []string{
-		"||applemusic.apple^",
-		"||hls-svod-aoc-ve.itunes.g.aaplimg.com^",
-		"||itun.es^",
-		"||itunes.apple.com^",
-		"||itunes.ca^",
-		"||itunes.co.th^",
-		"||itunes.co^",
-		"||itunes.com^",
-		"||itunes.es^",
-		"||itunes.g.aaplimg.com^",
-		"||itunes.hk^",
-		"||itunes.mx^",
-		"||itunes.org^",
-		"||itunes.us^",
-		"||music.apple.com^",
-		"||tv.apple.com^",
-		"||tv.g.apple.com^",
-		"||tv.v.aaplimg.com^",
-	},
 }, {
 	ID:      "battle_net",
 	Name:    "Battle.net",
@@ -351,34 +327,6 @@ var blockedServices = []blockedService{{
 		"||bnet.cn^",
 		"||lizzard.com^",
 	},
-}, {
-	ID:      "claro",
-	Name:    "Claro",
-	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 -21 67 67\"><path d=\"M49.004 0c.933.01 1.866.002 2.8.003.003 2.842.001 5.684 0 8.525-.934.001-1.867.002-2.8.001 0-2.842-.002-5.686 0-8.529ZM55.2 9.622c2.564-2.63 5.1-5.292 7.662-7.926.657.69 1.334 1.36 1.978 2.064-2.535 2.654-5.096 5.282-7.632 7.933-.68-.679-1.339-1.38-2.008-2.07ZM6.091 8.06a7.942 7.942 0 0 1 2.155-.233c2.405-.058 4.742 1.202 6.232 3.131a8.516 8.516 0 0 1 1.514 3.12c-1.102.004-2.204 0-3.306 0-.486-1.001-1.23-1.893-2.2-2.413a4.756 4.756 0 0 0-1.728-.58c-.565-.012-1.142-.062-1.695.086a4.798 4.798 0 0 0-2.452 1.427c-.859.836-1.434 2.013-1.485 3.243-.11 1.171.105 2.399.749 3.384.619.944 1.494 1.73 2.53 2.135 1.739.666 3.843.265 5.174-1.095a6.18 6.18 0 0 0 1.118-1.604c1.098-.006 2.195-.006 3.292 0-.271 1.202-.863 2.316-1.611 3.27-.513.556-1.016 1.138-1.648 1.552-2.835 2.024-6.953 1.91-9.618-.379-.829-.73-1.586-1.572-2.107-2.57-.96-1.765-1.199-3.886-.859-5.863.286-1.676 1.135-3.22 2.305-4.4.987-1.065 2.25-1.868 3.64-2.21Zm11.58-.234h3.142c0 5.723.003 11.446-.002 17.169-1.047.002-2.093-.002-3.14-.001V7.826Zm9.493 3.417c.596-.125 1.205-.054 1.807-.07.698.062 1.398.166 2.062.41.665.24 1.35.54 1.817 1.111.548.676.742 1.574.785 2.435-.002 3.288.002 6.577-.002 9.866-1.062-.006-2.126.023-3.187-.015-.01-.447.009-.895-.007-1.341-.924.826-2.147 1.207-3.346 1.303-.756.135-1.54.013-2.261-.238a3.151 3.151 0 0 1-1.968-2.1c-.297-1.042-.235-2.183.112-3.204.377-1.04 1.285-1.78 2.284-2.117 1.28-.469 2.647-.541 3.97-.812.458 0 .91-.294 1.08-.74.123-.486.017-1.096-.397-1.405-.455-.311-1.011-.376-1.543-.392-.473.015-.973.02-1.392.28-.544.32-.788.956-.895 1.564-1.052-.023-2.105.001-3.157-.018.13-1.072.347-2.217 1.09-3.031.777-.943 1.982-1.392 3.148-1.486Zm2.316 7.423c-.622.149-1.234.34-1.866.44-.502.103-1.031.271-1.389.674-.497.608-.533 1.547-.148 2.224.168.31.5.463.809.574.997.2 2.091-.122 2.819-.864.746-.967.614-2.278.612-3.437-.294.097-.53.33-.837.389Zm11.644-7.032c.648-.164 1.284-.44 1.965-.375.007 1.111.065 2.224.043 3.337-.58-.083-1.184-.15-1.752.03-1.225.351-2.25 1.471-2.394 2.801-.008.293-.084.58-.087.873-.002 2.233.003 4.464 0 6.696-1.044-.002-2.09.008-3.134-.006-.012-4.395-.003-8.791.006-13.187 1.012-.01 2.023.03 3.035.068.001.543-.013 1.086.006 1.63.592-.819 1.369-1.527 2.312-1.867Zm7.824-.34c.466-.049.94-.095 1.409-.055 2.817.037 5.389 2.29 6.06 5.1.58 2.296.017 4.946-1.66 6.612-.97 1.086-2.302 1.823-3.714 2.044-.681.006-1.362.002-2.042.001-2.033-.296-3.8-1.735-4.802-3.557-1.042-2-1.046-4.535-.024-6.545.97-1.849 2.736-3.299 4.773-3.6Zm.253 3.255c-.938.22-1.737.902-2.215 1.757-.714 1.244-.6 2.94.29 4.06.907 1.354 2.77 1.811 4.194 1.117.828-.386 1.46-1.144 1.811-2.002.39-.985.32-2.141-.148-3.084-.492-.954-1.395-1.703-2.436-1.875-.497-.042-1.003-.057-1.496.027Zm9.407.496c2.796 0 5.594-.002 8.392.002-.002.963.002 1.927-.001 2.892-2.797-.004-5.593.006-8.39.001-.004-.965.003-1.93-.002-2.895Z\"/></svg>"),
-	Rules: []string{
-		"||claro.com.ar^",
-		"||claro.com.br^",
-		"||claro.com.co^",
-		"||claro.com.do^",
-		"||claro.com.ec^",
-		"||claro.com.gt^",
-		"||claro.com.hn^",
-		"||claro.com.ni^",
-		"||claro.com.pa^",
-		"||claro.com.pe^",
-		"||claro.com.py^",
-		"||claro.com.sv^",
-		"||claro.com.uy^",
-		"||claro.com^",
-		"||claro.cr^",
-		"||claro.net.br^",
-		"||claro.net.co^",
-		"||clarochile.cl^",
-		"||claromusica.com^",
-		"||claropr.com^",
-		"||clarovideo.com^",
-		"||usclaro.com^",
-	},
 }, {
 	ID:      "cloudflare",
 	Name:    "CloudFlare",
@@ -1557,7 +1505,6 @@ var blockedServices = []blockedService{{
 		"||aus.social^",
 		"||awscommunity.social^",
 		"||climatejustice.social^",
-		"||cupoftea.social^",
 		"||cyberplace.social^",
 		"||defcon.social^",
 		"||det.social^",
@@ -1648,6 +1595,7 @@ var blockedServices = []blockedService{{
 		"||toot.io^",
 		"||toot.wales^",
 		"||troet.cafe^",
+		"||twingyeo.kr^",
 		"||union.place^",
 		"||universeodon.com^",
 		"||urbanists.social^",
--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -114,6 +114,8 @@ type configuration struct {
 	Language string `yaml:"language"`
 	// Theme is a UI theme for current user.
 	Theme Theme `yaml:"theme"`
+	// DebugPProf defines if the profiling HTTP handler will listen on :6060.
+	DebugPProf bool `yaml:"debug_pprof"`

 	DNS      dnsConfig         `yaml:"dns"`
 	TLS      tlsConfigSettings `yaml:"tls"`
@@ -153,9 +155,6 @@ type configuration struct {
 // Field ordering is important, YAML fields better not to be reordered, if it's
 // not absolutely necessary.
 type httpConfig struct {
-	// Pprof defines the profiling HTTP handler.
-	Pprof *httpPprofConfig `yaml:"pprof"`
-
 	// Address is the address to serve the web UI on.
 	Address netip.AddrPort

@@ -164,15 +163,6 @@ type httpConfig struct {
 	SessionTTL timeutil.Duration `yaml:"session_ttl"`
 }

-// httpPprofConfig is the block with pprof HTTP configuration.
-type httpPprofConfig struct {
-	// Port for the profiling handler.
-	Port uint16 `yaml:"port"`
-
-	// Enabled defines if the profiling handler is enabled.
-	Enabled bool `yaml:"enabled"`
-}
-
 // dnsConfig is a block with DNS configuration params.
 //
 // Field ordering is important, YAML fields better not to be reordered, if it's
@@ -287,10 +277,6 @@ var config = &configuration{
 	HTTPConfig: httpConfig{
 		Address:    netip.AddrPortFrom(netip.IPv4Unspecified(), 3000),
 		SessionTTL: timeutil.Duration{Duration: 30 * timeutil.Day},
-		Pprof: &httpPprofConfig{
-			Enabled: false,
-			Port:    6060,
-		},
 	},
 	DNS: dnsConfig{
 		BindHosts: []netip.Addr{netip.IPv4Unspecified()},
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -254,7 +254,6 @@ func newServerConfig(
 		Exchanger:        Context.dnsServer,
 		AddressUpdater:   &Context.clients,
 		InitialAddresses: initialAddresses,
-		CatchPanics:      true,
 		UseRDNS:          config.Clients.Sources.RDNS,
 		UseWHOIS:         config.Clients.Sources.WHOIS,
 	}
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -567,8 +567,9 @@ func run(opts options, clientBuildFS fs.FS) {
 		err = config.write()
 		fatalOnError(err)

-		if config.HTTPConfig.Pprof.Enabled {
-			startPprof(config.HTTPConfig.Pprof.Port)
+		if config.DebugPProf {
+			// TODO(a.garipov): Make the address configurable.
+			startPprof("localhost:6060")
 		}
 	}

--- a/internal/home/upgrade.go
+++ b/internal/home/upgrade.go
@@ -23,7 +23,7 @@ import (
 )

 // currentSchemaVersion is the current schema version.
-const currentSchemaVersion = 25
+const currentSchemaVersion = 24

 // These aliases are provided for convenience.
 type (
@@ -99,7 +99,6 @@ func upgradeConfigSchema(oldVersion int, diskConf yobj) (err error) {
 		upgradeSchema21to22,
 		upgradeSchema22to23,
 		upgradeSchema23to24,
-		upgradeSchema24to25,
 	}

 	n := 0
@@ -1381,50 +1380,6 @@ func upgradeSchema23to24(diskConf yobj) (err error) {
 	return nil
 }

-// upgradeSchema24to25 performs the following changes:
-//
-//	# BEFORE:
-//	'debug_pprof': true
-//
-//	# AFTER:
-//	'http':
-//	  'pprof':
-//	    'enabled': true
-//	    'port': 6060
-func upgradeSchema24to25(diskConf yobj) (err error) {
-	log.Printf("Upgrade yaml: 24 to 25")
-	diskConf["schema_version"] = 25
-
-	debugPprofVal, ok := diskConf["debug_pprof"]
-	if !ok {
-		return nil
-	}
-
-	debugPprofEnabled, ok := debugPprofVal.(bool)
-	if !ok {
-		return fmt.Errorf("unexpected type of debug_pprof: %T", debugPprofVal)
-	}
-
-	httpVal, ok := diskConf["http"]
-	if !ok {
-		return nil
-	}
-
-	httpObj, ok := httpVal.(yobj)
-	if !ok {
-		return fmt.Errorf("unexpected type of dns: %T", httpVal)
-	}
-
-	httpObj["pprof"] = yobj{
-		"enabled": debugPprofEnabled,
-		"port":    6060,
-	}
-
-	delete(diskConf, "debug_pprof")
-
-	return nil
-}
-
 // moveField gets field value for key from diskConf, and then set this value
 // in newConf for newKey.
 func moveField[T any](diskConf, newConf yobj, key, newKey string) (err error) {
--- a/internal/home/upgrade_test.go
+++ b/internal/home/upgrade_test.go
@@ -1379,90 +1379,3 @@ func TestUpgradeSchema23to24(t *testing.T) {
 		})
 	}
 }
-
-func TestUpgradeSchema24to25(t *testing.T) {
-	const newSchemaVer = 25
-
-	testCases := []struct {
-		in         yobj
-		want       yobj
-		name       string
-		wantErrMsg string
-	}{{
-		name: "empty",
-		in:   yobj{},
-		want: yobj{
-			"schema_version": newSchemaVer,
-		},
-		wantErrMsg: "",
-	}, {
-		name: "ok",
-		in: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-			},
-			"debug_pprof": true,
-		},
-		want: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-				"pprof": yobj{
-					"enabled": true,
-					"port":    6060,
-				},
-			},
-			"schema_version": newSchemaVer,
-		},
-		wantErrMsg: "",
-	}, {
-		name: "ok_disabled",
-		in: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-			},
-			"debug_pprof": false,
-		},
-		want: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-				"pprof": yobj{
-					"enabled": false,
-					"port":    6060,
-				},
-			},
-			"schema_version": newSchemaVer,
-		},
-		wantErrMsg: "",
-	}, {
-		name: "invalid",
-		in: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-			},
-			"debug_pprof": 1,
-		},
-		want: yobj{
-			"http": yobj{
-				"address":     "0.0.0.0:3000",
-				"session_ttl": "720h",
-			},
-			"debug_pprof":    1,
-			"schema_version": newSchemaVer,
-		},
-		wantErrMsg: "unexpected type of debug_pprof: int",
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := upgradeSchema24to25(tc.in)
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-
-			assert.Equal(t, tc.want, tc.in)
-		})
-	}
-}
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -312,10 +312,8 @@ func (web *webAPI) mustStartHTTP3(address string) {
 	}
 }

-// startPprof launches the debug and profiling server on the provided port.
-func startPprof(port uint16) {
-	addr := netip.AddrPortFrom(netutil.IPv4Localhost(), port)
-
+// startPprof launches the debug and profiling server on addr.
+func startPprof(addr string) {
 	runtime.SetBlockProfileRate(1)
 	runtime.SetMutexProfileFraction(1)

@@ -326,7 +324,7 @@ func startPprof(port uint16) {
 		defer log.OnPanic("pprof server")

 		log.Info("pprof: listening on %q", addr)
-		err := http.ListenAndServe(addr.String(), mux)
+		err := http.ListenAndServe(addr, mux)
 		if !errors.Is(err, http.ErrServerClosed) {
 			log.Error("pprof: shutting down: %s", err)
 		}
--- a/internal/next/AdGuardHome.example.yaml
+++ b/internal/next/AdGuardHome.example.yaml
@@ -1,30 +0,0 @@
-# This is a file showing example configuration for AdGuard Home.
-#
-# TODO(a.garipov): Move to the top level once the rewrite is over.
-
-dns:
-  addresses:
-  - '0.0.0.0:53'
-  bootstrap_dns:
-  - '9.9.9.10'
-  - '149.112.112.10'
-  - '2620:fe::10'
-  - '2620:fe::fe:10'
-  upstream_dns:
-  - '8.8.8.8'
-  dns64_prefixes:
-  - '1234::/64'
-  upstream_timeout: 1s
-  bootstrap_prefer_ipv6: true
-  use_dns64: true
-http:
-  pprof:
-    enabled: true
-    port: 6060
-  addresses:
-  - '0.0.0.0:3000'
-  secure_addresses: []
-  timeout: 5s
-  force_https: true
-log:
-  verbose: true
--- a/internal/next/changelog.md
+++ b/internal/next/changelog.md
@@ -1,42 +0,0 @@
-# AdGuard Home v0.108.0 Changelog DRAFT
-
-This changelog should be merged into the main one once the next API matures
-enough.
-
-## [v0.108.0] - TODO
-
-### Added
-
- The ability to change the port of the pprof debug API.
- The ability to log to stderr using `--logFile=stderr`.
- The new `--web-addr` flag to set the Web UI address in a `host:port` form.
- `SIGHUP` now reloads all configuration from the configuration file ([#5676]).
-
-### Changed
-
-#### New HTTP API
-
-**TODO(a.garipov):** Describe the new API and add a link to the new OpenAPI doc.
-
-#### Other changes
-
- `-h` is now an alias for `--help` instead of the removed `--host`, see below.
-  Use `--web-addr=host:port` to set an address on which to serve the Web UI.
-
-### Fixed
-
- `--check-config` breaking the configuration file ([#4067]).
- Inconsistent application of `--work-dir/-w` ([#2598], [#2902]).
- The order of `-v/--verbose` and `--version` being significant ([#2893]).
-
-### Removed
-
- The deprecated `--no-mem-optimization` and `--no-etc-hosts` flags.
- `--host` and `-p/--port` flags.  Use `--web-addr=host:port` to set an address
-  on which to serve the Web UI.  `-h` is now an alias for `--help`, see above.
-
-[#2598]: https://github.com/AdguardTeam/AdGuardHome/issues/2598
-[#2893]: https://github.com/AdguardTeam/AdGuardHome/issues/2893
-[#2902]: https://github.com/AdguardTeam/AdGuardHome/issues/2902
-[#4067]: https://github.com/AdguardTeam/AdGuardHome/issues/4067
-[#5676]: https://github.com/AdguardTeam/AdGuardHome/issues/5676
--- a/internal/next/cmd/cmd.go
+++ b/internal/next/cmd/cmd.go
@@ -1,95 +0,0 @@
-// Package cmd is the AdGuard Home entry point.  It assembles the configuration
-// file manager, sets up signal processing logic, and so on.
-//
-// TODO(a.garipov): Move to the upper-level internal/.
-package cmd
-
-import (
-	"context"
-	"io/fs"
-	"os"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// Main is the entry point of AdGuard Home.
-func Main(embeddedFrontend fs.FS) {
-	start := time.Now()
-
-	cmdName := os.Args[0]
-	opts, err := parseOptions(cmdName, os.Args[1:])
-	exitCode, needExit := processOptions(opts, cmdName, err)
-	if needExit {
-		os.Exit(exitCode)
-	}
-
-	err = setLog(opts)
-	check(err)
-
-	log.Info("starting adguard home, version %s, pid %d", version.Version(), os.Getpid())
-
-	if opts.workDir != "" {
-		log.Info("changing working directory to %q", opts.workDir)
-		err = os.Chdir(opts.workDir)
-		check(err)
-	}
-
-	frontend, err := frontendFromOpts(opts, embeddedFrontend)
-	check(err)
-
-	confMgrConf := &configmgr.Config{
-		Frontend: frontend,
-		WebAddr:  opts.webAddr,
-		Start:    start,
-		FileName: opts.confFile,
-	}
-
-	confMgr, err := newConfigMgr(confMgrConf)
-	check(err)
-
-	web := confMgr.Web()
-	err = web.Start()
-	check(err)
-
-	dns := confMgr.DNS()
-	err = dns.Start()
-	check(err)
-
-	sigHdlr := newSignalHandler(
-		confMgrConf,
-		opts.pidFile,
-		web,
-		dns,
-	)
-
-	sigHdlr.handle()
-}
-
-// defaultTimeout is the timeout used for some operations where another timeout
-// hasn't been defined yet.
-const defaultTimeout = 5 * time.Second
-
-// ctxWithDefaultTimeout is a helper function that returns a context with
-// timeout set to defaultTimeout.
-func ctxWithDefaultTimeout() (ctx context.Context, cancel context.CancelFunc) {
-	return context.WithTimeout(context.Background(), defaultTimeout)
-}
-
-// newConfigMgr returns a new configuration manager using defaultTimeout as the
-// context timeout.
-func newConfigMgr(c *configmgr.Config) (m *configmgr.Manager, err error) {
-	ctx, cancel := ctxWithDefaultTimeout()
-	defer cancel()
-
-	return configmgr.New(ctx, c)
-}
-
-// check is a simple error-checking helper.  It must only be used within Main.
-func check(err error) {
-	if err != nil {
-		panic(err)
-	}
-}
--- a/internal/next/cmd/log.go
+++ b/internal/next/cmd/log.go
@@ -1,39 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// syslogServiceName is the name of the AdGuard Home service used for writing
-// logs to the system log.
-const syslogServiceName = "AdGuardHome"
-
-// setLog sets up the text logging.
-//
-// TODO(a.garipov): Add parameters from configuration file.
-func setLog(opts *options) (err error) {
-	switch opts.confFile {
-	case "stdout":
-		log.SetOutput(os.Stdout)
-	case "stderr":
-		log.SetOutput(os.Stderr)
-	case "syslog":
-		err = aghos.ConfigureSyslog(syslogServiceName)
-		if err != nil {
-			return fmt.Errorf("initializing syslog: %w", err)
-		}
-	default:
-		// TODO(a.garipov): Use the path.
-	}
-
-	if opts.verbose {
-		log.SetLevel(log.DEBUG)
-		log.Debug("verbose logging enabled")
-	}
-
-	return nil
-}
--- a/internal/next/cmd/opt.go
+++ b/internal/next/cmd/opt.go
@@ -1,418 +0,0 @@
-package cmd
-
-import (
-	"encoding"
-	"flag"
-	"fmt"
-	"io"
-	"io/fs"
-	"net/netip"
-	"os"
-	"strings"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-	"github.com/AdguardTeam/golibs/log"
-	"golang.org/x/exp/slices"
-)
-
-// options contains all command-line options for the AdGuardHome(.exe) binary.
-type options struct {
-	// confFile is the path to the configuration file.
-	confFile string
-
-	// logFile is the path to the log file.  Special values:
-	//
-	//   - "stdout":  Write to stdout (the default).
-	//   - "stderr":  Write to stderr.
-	//   - "syslog":  Write to the system log.
-	logFile string
-
-	// pidFile is the path to the file where to store the PID.
-	pidFile string
-
-	// serviceAction is the service control action to perform:
-	//
-	//   - "install":  Installs AdGuard Home as a system service.
-	//   - "uninstall":  Uninstalls it.
-	//   - "status":  Prints the service status.
-	//   - "start":  Starts the previously installed service.
-	//   - "stop":  Stops the previously installed service.
-	//   - "restart":  Restarts the previously installed service.
-	//   - "reload":  Reloads the configuration.
-	//   - "run":  This is a special command that is not supposed to be used
-	//     directly it is specified when we register a service, and it indicates
-	//     to the app that it is being run as a service.
-	//
-	// TODO(a.garipov): Use.
-	serviceAction string
-
-	// workDir is the path to the working directory.  It is applied before all
-	// other configuration is read, so all relative paths are relative to it.
-	workDir string
-
-	// webAddr contains the address on which to serve the web UI.
-	webAddr netip.AddrPort
-
-	// checkConfig, if true, instructs AdGuard Home to check the configuration
-	// file, optionally print an error message to stdout, and exit with a
-	// corresponding exit code.
-	checkConfig bool
-
-	// disableUpdate, if true, prevents AdGuard Home from automatically checking
-	// for updates.
-	//
-	// TODO(a.garipov): Use.
-	disableUpdate bool
-
-	// glinetMode enables the GL-Inet compatibility mode.
-	//
-	// TODO(a.garipov): Use.
-	glinetMode bool
-
-	// help, if true, instructs AdGuard Home to print the command-line option
-	// help message and quit with a successful exit-code.
-	help bool
-
-	// localFrontend, if true, instructs AdGuard Home to use the local frontend
-	// directory instead of the files compiled into the binary.
-	//
-	// TODO(a.garipov): Use.
-	localFrontend bool
-
-	// performUpdate, if true, instructs AdGuard Home to update the current
-	// binary and restart the service in case it's installed.
-	//
-	// TODO(a.garipov): Use.
-	performUpdate bool
-
-	// verbose, if true, instructs AdGuard Home to enable verbose logging.
-	verbose bool
-
-	// version, if true, instructs AdGuard Home to print the version to stdout
-	// and quit with a successful exit-code.  If verbose is also true, print a
-	// more detailed version description.
-	version bool
-}
-
-// Indexes to help with the [commandLineOptions] initialization.
-const (
-	confFileIdx = iota
-	logFileIdx
-	pidFileIdx
-	serviceActionIdx
-	workDirIdx
-	webAddrIdx
-	checkConfigIdx
-	disableUpdateIdx
-	glinetModeIdx
-	helpIdx
-	localFrontend
-	performUpdateIdx
-	verboseIdx
-	versionIdx
-)
-
-// commandLineOption contains information about a command-line option: its long
-// and, if there is one, short forms, the value type, the description, and the
-// default value.
-type commandLineOption struct {
-	defaultValue any
-	description  string
-	long         string
-	short        string
-	valueType    string
-}
-
-// commandLineOptions are all command-line options currently supported by
-// AdGuard Home.
-var commandLineOptions = []*commandLineOption{
-	confFileIdx: {
-		// TODO(a.garipov): Remove the directory when the new code is ready.
-		defaultValue: "internal/next/AdGuardHome.yaml",
-		description:  "Path to the config file.",
-		long:         "config",
-		short:        "c",
-		valueType:    "path",
-	},
-
-	logFileIdx: {
-		defaultValue: "stdout",
-		description:  `Path to log file.  Special values include "stdout", "stderr", and "syslog".`,
-		long:         "logfile",
-		short:        "l",
-		valueType:    "path",
-	},
-
-	pidFileIdx: {
-		defaultValue: "",
-		description:  "Path to the file where to store the PID.",
-		long:         "pidfile",
-		short:        "",
-		valueType:    "path",
-	},
-
-	serviceActionIdx: {
-		defaultValue: "",
-		description: `Service control action: "status", "install" (as a service), ` +
-			`"uninstall" (as a service), "start", "stop", "restart", "reload" (configuration).`,
-		long:      "service",
-		short:     "s",
-		valueType: "action",
-	},
-
-	workDirIdx: {
-		defaultValue: "",
-		description: `Path to the working directory.  ` +
-			`It is applied before all other configuration is read, ` +
-			`so all relative paths are relative to it.`,
-		long:      "work-dir",
-		short:     "w",
-		valueType: "path",
-	},
-
-	webAddrIdx: {
-		defaultValue: netip.AddrPort{},
-		description:  `Address to serve the web UI on, in the host:port format.`,
-		long:         "web-addr",
-		short:        "",
-		valueType:    "host:port",
-	},
-
-	checkConfigIdx: {
-		defaultValue: false,
-		description:  "Check configuration, print errors to stdout, and quit.",
-		long:         "check-config",
-		short:        "",
-		valueType:    "",
-	},
-
-	disableUpdateIdx: {
-		defaultValue: false,
-		description:  "Disable automatic update checking.",
-		long:         "no-check-update",
-		short:        "",
-		valueType:    "",
-	},
-
-	glinetModeIdx: {
-		defaultValue: false,
-		description:  "Run in GL-Inet compatibility mode.",
-		long:         "glinet",
-		short:        "",
-		valueType:    "",
-	},
-
-	helpIdx: {
-		defaultValue: false,
-		description:  "Print this help message and quit.",
-		long:         "help",
-		short:        "h",
-		valueType:    "",
-	},
-
-	localFrontend: {
-		defaultValue: false,
-		description:  "Use local frontend directories.",
-		long:         "local-frontend",
-		short:        "",
-		valueType:    "",
-	},
-
-	performUpdateIdx: {
-		defaultValue: false,
-		description:  "Update the current binary and restart the service in case it's installed.",
-		long:         "update",
-		short:        "",
-		valueType:    "",
-	},
-
-	verboseIdx: {
-		defaultValue: false,
-		description:  "Enable verbose logging.",
-		long:         "verbose",
-		short:        "v",
-		valueType:    "",
-	},
-
-	versionIdx: {
-		defaultValue: false,
-		description: `Print the version to stdout and quit.  ` +
-			`Print a more detailed version description with -v.`,
-		long:      "version",
-		short:     "",
-		valueType: "",
-	},
-}
-
-// parseOptions parses the command-line options for AdGuardHome.
-func parseOptions(cmdName string, args []string) (opts *options, err error) {
-	flags := flag.NewFlagSet(cmdName, flag.ContinueOnError)
-
-	opts = &options{}
-	for i, fieldPtr := range []any{
-		confFileIdx:      &opts.confFile,
-		logFileIdx:       &opts.logFile,
-		pidFileIdx:       &opts.pidFile,
-		serviceActionIdx: &opts.serviceAction,
-		workDirIdx:       &opts.workDir,
-		webAddrIdx:       &opts.webAddr,
-		checkConfigIdx:   &opts.checkConfig,
-		disableUpdateIdx: &opts.disableUpdate,
-		glinetModeIdx:    &opts.glinetMode,
-		helpIdx:          &opts.help,
-		localFrontend:    &opts.localFrontend,
-		performUpdateIdx: &opts.performUpdate,
-		verboseIdx:       &opts.verbose,
-		versionIdx:       &opts.version,
-	} {
-		addOption(flags, fieldPtr, commandLineOptions[i])
-	}
-
-	flags.Usage = func() { usage(cmdName, os.Stderr) }
-
-	err = flags.Parse(args)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	return opts, nil
-}
-
-// addOption adds the command-line option described by o to flags using fieldPtr
-// as the pointer to the value.
-func addOption(flags *flag.FlagSet, fieldPtr any, o *commandLineOption) {
-	switch fieldPtr := fieldPtr.(type) {
-	case *string:
-		flags.StringVar(fieldPtr, o.long, o.defaultValue.(string), o.description)
-		if o.short != "" {
-			flags.StringVar(fieldPtr, o.short, o.defaultValue.(string), o.description)
-		}
-	case *bool:
-		flags.BoolVar(fieldPtr, o.long, o.defaultValue.(bool), o.description)
-		if o.short != "" {
-			flags.BoolVar(fieldPtr, o.short, o.defaultValue.(bool), o.description)
-		}
-	case encoding.TextUnmarshaler:
-		flags.TextVar(fieldPtr, o.long, o.defaultValue.(encoding.TextMarshaler), o.description)
-		if o.short != "" {
-			flags.TextVar(fieldPtr, o.short, o.defaultValue.(encoding.TextMarshaler), o.description)
-		}
-	default:
-		panic(fmt.Errorf("unexpected field pointer type %T", fieldPtr))
-	}
-}
-
-// usage prints a usage message similar to the one printed by package flag but
-// taking long vs. short versions into account as well as using more informative
-// value hints.
-func usage(cmdName string, output io.Writer) {
-	options := slices.Clone(commandLineOptions)
-	slices.SortStableFunc(options, func(a, b *commandLineOption) (sortsBefore bool) {
-		return a.long < b.long
-	})
-
-	b := &strings.Builder{}
-	_, _ = fmt.Fprintf(b, "Usage of %s:\n", cmdName)
-
-	for _, o := range options {
-		writeUsageLine(b, o)
-
-		// Use four spaces before the tab to trigger good alignment for both 4-
-		// and 8-space tab stops.
-		if shouldIncludeDefault(o.defaultValue) {
-			_, _ = fmt.Fprintf(b, "    \t%s  (Default value: %q)\n", o.description, o.defaultValue)
-		} else {
-			_, _ = fmt.Fprintf(b, "    \t%s\n", o.description)
-		}
-	}
-
-	_, _ = io.WriteString(output, b.String())
-}
-
-// shouldIncludeDefault returns true if this default value should be printed.
-func shouldIncludeDefault(v any) (ok bool) {
-	switch v := v.(type) {
-	case bool:
-		return v
-	case string:
-		return v != ""
-	default:
-		return v == nil
-	}
-}
-
-// writeUsageLine writes the usage line for the provided command-line option.
-func writeUsageLine(b *strings.Builder, o *commandLineOption) {
-	if o.short == "" {
-		if o.valueType == "" {
-			_, _ = fmt.Fprintf(b, "  --%s\n", o.long)
-		} else {
-			_, _ = fmt.Fprintf(b, "  --%s=%s\n", o.long, o.valueType)
-		}
-
-		return
-	}
-
-	if o.valueType == "" {
-		_, _ = fmt.Fprintf(b, "  --%s/-%s\n", o.long, o.short)
-	} else {
-		_, _ = fmt.Fprintf(b, "  --%[1]s=%[3]s/-%[2]s %[3]s\n", o.long, o.short, o.valueType)
-	}
-}
-
-// processOptions decides if AdGuard Home should exit depending on the results
-// of command-line option parsing.
-func processOptions(
-	opts *options,
-	cmdName string,
-	parseErr error,
-) (exitCode int, needExit bool) {
-	if parseErr != nil {
-		// Assume that usage has already been printed.
-		return statusArgumentError, true
-	}
-
-	if opts.help {
-		usage(cmdName, os.Stdout)
-
-		return statusSuccess, true
-	}
-
-	if opts.version {
-		if opts.verbose {
-			fmt.Println(version.Verbose())
-		} else {
-			fmt.Printf("AdGuard Home %s\n", version.Version())
-		}
-
-		return statusSuccess, true
-	}
-
-	if opts.checkConfig {
-		err := configmgr.Validate(opts.confFile)
-		if err != nil {
-			_, _ = io.WriteString(os.Stdout, err.Error()+"\n")
-
-			return statusError, true
-		}
-
-		return statusSuccess, true
-	}
-
-	return 0, false
-}
-
-// frontendFromOpts returns the frontend to use based on the options.
-func frontendFromOpts(opts *options, embeddedFrontend fs.FS) (frontend fs.FS, err error) {
-	const frontendSubdir = "build/static"
-
-	if opts.localFrontend {
-		log.Info("warning: using local frontend files")
-
-		return os.DirFS(frontendSubdir), nil
-	}
-
-	return fs.Sub(embeddedFrontend, frontendSubdir)
-}
--- a/internal/next/cmd/signal.go
+++ b/internal/next/cmd/signal.go
@@ -1,167 +0,0 @@
-package cmd
-
-import (
-	"os"
-	"strconv"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghos"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/configmgr"
-	"github.com/AdguardTeam/golibs/log"
-	"github.com/google/renameio/v2/maybe"
-)
-
-// signalHandler processes incoming signals and shuts services down.
-type signalHandler struct {
-	// confMgrConf contains the configuration parameters for the configuration
-	// manager.
-	confMgrConf *configmgr.Config
-
-	// signal is the channel to which OS signals are sent.
-	signal chan os.Signal
-
-	// pidFile is the path to the file where to store the PID, if any.
-	pidFile string
-
-	// services are the services that are shut down before application exiting.
-	services []agh.Service
-}
-
-// handle processes OS signals.
-func (h *signalHandler) handle() {
-	defer log.OnPanic("signalHandler.handle")
-
-	h.writePID()
-
-	for sig := range h.signal {
-		log.Info("sighdlr: received signal %q", sig)
-
-		if aghos.IsReconfigureSignal(sig) {
-			h.reconfigure()
-		} else if aghos.IsShutdownSignal(sig) {
-			status := h.shutdown()
-			h.removePID()
-
-			log.Info("sighdlr: exiting with status %d", status)
-
-			os.Exit(status)
-		}
-	}
-}
-
-// reconfigure rereads the configuration file and updates and restarts services.
-func (h *signalHandler) reconfigure() {
-	log.Info("sighdlr: reconfiguring adguard home")
-
-	status := h.shutdown()
-	if status != statusSuccess {
-		log.Info("sighdlr: reconfiguring: exiting with status %d", status)
-
-		os.Exit(status)
-	}
-
-	// TODO(a.garipov): This is a very rough way to do it.  Some services can be
-	// reconfigured without the full shutdown, and the error handling is
-	// currently not the best.
-
-	confMgr, err := newConfigMgr(h.confMgrConf)
-	check(err)
-
-	web := confMgr.Web()
-	err = web.Start()
-	check(err)
-
-	dns := confMgr.DNS()
-	err = dns.Start()
-	check(err)
-
-	h.services = []agh.Service{
-		dns,
-		web,
-	}
-
-	log.Info("sighdlr: successfully reconfigured adguard home")
-}
-
-// Exit status constants.
-const (
-	statusSuccess       = 0
-	statusError         = 1
-	statusArgumentError = 2
-)
-
-// shutdown gracefully shuts down all services.
-func (h *signalHandler) shutdown() (status int) {
-	ctx, cancel := ctxWithDefaultTimeout()
-	defer cancel()
-
-	status = statusSuccess
-
-	log.Info("sighdlr: shutting down services")
-	for i, service := range h.services {
-		err := service.Shutdown(ctx)
-		if err != nil {
-			log.Error("sighdlr: shutting down service at index %d: %s", i, err)
-			status = statusError
-		}
-	}
-
-	return status
-}
-
-// newSignalHandler returns a new signalHandler that shuts down svcs.
-func newSignalHandler(
-	confMgrConf *configmgr.Config,
-	pidFile string,
-	svcs ...agh.Service,
-) (h *signalHandler) {
-	h = &signalHandler{
-		confMgrConf: confMgrConf,
-		signal:      make(chan os.Signal, 1),
-		pidFile:     pidFile,
-		services:    svcs,
-	}
-
-	aghos.NotifyShutdownSignal(h.signal)
-	aghos.NotifyReconfigureSignal(h.signal)
-
-	return h
-}
-
-// writePID writes the PID to the file, if needed.  Any errors are reported to
-// log.
-func (h *signalHandler) writePID() {
-	if h.pidFile == "" {
-		return
-	}
-
-	// Use 8, since most PIDs will fit.
-	data := make([]byte, 0, 8)
-	data = strconv.AppendInt(data, int64(os.Getpid()), 10)
-	data = append(data, '\n')
-
-	err := maybe.WriteFile(h.pidFile, data, 0o644)
-	if err != nil {
-		log.Error("sighdlr: writing pidfile: %s", err)
-
-		return
-	}
-
-	log.Debug("sighdlr: wrote pid to %q", h.pidFile)
-}
-
-// removePID removes the PID file, if any.
-func (h *signalHandler) removePID() {
-	if h.pidFile == "" {
-		return
-	}
-
-	err := os.Remove(h.pidFile)
-	if err != nil {
-		log.Error("sighdlr: removing pidfile: %s", err)
-
-		return
-	}
-
-	log.Debug("sighdlr: removed pid at %q", h.pidFile)
-}
--- a/internal/next/configmgr/config.go
+++ b/internal/next/configmgr/config.go
@@ -1,138 +0,0 @@
-package configmgr
-
-import (
-	"fmt"
-	"net/netip"
-
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/timeutil"
-)
-
-// Configuration Structures
-
-// config is the top-level on-disk configuration structure.
-type config struct {
-	DNS  *dnsConfig  `yaml:"dns"`
-	HTTP *httpConfig `yaml:"http"`
-	Log  *logConfig  `yaml:"log"`
-	// TODO(a.garipov): Use.
-	SchemaVersion int `yaml:"schema_version"`
-}
-
-const errNoConf errors.Error = "configuration not found"
-
-// validate returns an error if the configuration structure is invalid.
-func (c *config) validate() (err error) {
-	if c == nil {
-		return errNoConf
-	}
-
-	// TODO(a.garipov): Add more validations.
-
-	// Keep this in the same order as the fields in the config.
-	validators := []struct {
-		validate func() (err error)
-		name     string
-	}{{
-		validate: c.DNS.validate,
-		name:     "dns",
-	}, {
-		validate: c.HTTP.validate,
-		name:     "http",
-	}, {
-		validate: c.Log.validate,
-		name:     "log",
-	}}
-
-	for _, v := range validators {
-		err = v.validate()
-		if err != nil {
-			return fmt.Errorf("%s: %w", v.name, err)
-		}
-	}
-
-	return nil
-}
-
-// dnsConfig is the on-disk DNS configuration.
-type dnsConfig struct {
-	Addresses           []netip.AddrPort  `yaml:"addresses"`
-	BootstrapDNS        []string          `yaml:"bootstrap_dns"`
-	UpstreamDNS         []string          `yaml:"upstream_dns"`
-	DNS64Prefixes       []netip.Prefix    `yaml:"dns64_prefixes"`
-	UpstreamTimeout     timeutil.Duration `yaml:"upstream_timeout"`
-	BootstrapPreferIPv6 bool              `yaml:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool              `yaml:"use_dns64"`
-}
-
-// validate returns an error if the DNS configuration structure is invalid.
-//
-// TODO(a.garipov): Add more validations.
-func (c *dnsConfig) validate() (err error) {
-	// TODO(a.garipov): Add more validations.
-	switch {
-	case c == nil:
-		return errNoConf
-	case c.UpstreamTimeout.Duration <= 0:
-		return newMustBePositiveError("upstream_timeout", c.UpstreamTimeout)
-	default:
-		return nil
-	}
-}
-
-// httpConfig is the on-disk web API configuration.
-type httpConfig struct {
-	Pprof *httpPprofConfig `yaml:"pprof"`
-
-	// TODO(a.garipov): Document the configuration change.
-	Addresses       []netip.AddrPort  `yaml:"addresses"`
-	SecureAddresses []netip.AddrPort  `yaml:"secure_addresses"`
-	Timeout         timeutil.Duration `yaml:"timeout"`
-	ForceHTTPS      bool              `yaml:"force_https"`
-}
-
-// validate returns an error if the HTTP configuration structure is invalid.
-//
-// TODO(a.garipov): Add more validations.
-func (c *httpConfig) validate() (err error) {
-	switch {
-	case c == nil:
-		return errNoConf
-	case c.Timeout.Duration <= 0:
-		return newMustBePositiveError("timeout", c.Timeout)
-	default:
-		return c.Pprof.validate()
-	}
-}
-
-// httpPprofConfig is the on-disk pprof configuration.
-type httpPprofConfig struct {
-	Port    uint16 `yaml:"port"`
-	Enabled bool   `yaml:"enabled"`
-}
-
-// validate returns an error if the pprof configuration structure is invalid.
-func (c *httpPprofConfig) validate() (err error) {
-	if c == nil {
-		return errNoConf
-	}
-
-	return nil
-}
-
-// logConfig is the on-disk web API configuration.
-type logConfig struct {
-	// TODO(a.garipov): Use.
-	Verbose bool `yaml:"verbose"`
-}
-
-// validate returns an error if the HTTP configuration structure is invalid.
-//
-// TODO(a.garipov): Add more validations.
-func (c *logConfig) validate() (err error) {
-	if c == nil {
-		return errNoConf
-	}
-
-	return nil
-}
--- a/internal/next/configmgr/configmgr.go
+++ b/internal/next/configmgr/configmgr.go
@@ -1,301 +0,0 @@
-// Package configmgr defines the AdGuard Home on-disk configuration entities and
-// configuration manager.
-//
-// TODO(a.garipov): Add tests.
-package configmgr
-
-import (
-	"context"
-	"fmt"
-	"io/fs"
-	"net/netip"
-	"os"
-	"sync"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/timeutil"
-	"github.com/google/renameio/v2/maybe"
-	"golang.org/x/exp/slices"
-	"gopkg.in/yaml.v3"
-)
-
-// Configuration Manager
-
-// Manager handles full and partial changes in the configuration, persisting
-// them to disk if necessary.
-//
-// TODO(a.garipov): Support missing configs and default values.
-type Manager struct {
-	// updMu makes sure that at most one reconfiguration is performed at a time.
-	// updMu protects all fields below.
-	updMu *sync.RWMutex
-
-	// dns is the DNS service.
-	dns *dnssvc.Service
-
-	// Web is the Web API service.
-	web *websvc.Service
-
-	// current is the current configuration.
-	current *config
-
-	// fileName is the name of the configuration file.
-	fileName string
-}
-
-// Validate returns an error if the configuration file with the given name does
-// not exist or is invalid.
-func Validate(fileName string) (err error) {
-	conf, err := read(fileName)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return err
-	}
-
-	// Don't wrap the error, because it's informative enough as is.
-	return conf.validate()
-}
-
-// Config contains the configuration parameters for the configuration manager.
-type Config struct {
-	// Frontend is the filesystem with the frontend files.
-	Frontend fs.FS
-
-	// WebAddr is the initial or override address for the Web UI.  It is not
-	// written to the configuration file.
-	WebAddr netip.AddrPort
-
-	// Start is the time of start of AdGuard Home.
-	Start time.Time
-
-	// FileName is the path to the configuration file.
-	FileName string
-}
-
-// New creates a new *Manager that persists changes to the file pointed to by
-// c.FileName.  It reads the configuration file and populates the service
-// fields.  c must not be nil.
-func New(ctx context.Context, c *Config) (m *Manager, err error) {
-	conf, err := read(c.FileName)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	err = conf.validate()
-	if err != nil {
-		return nil, fmt.Errorf("validating config: %w", err)
-	}
-
-	m = &Manager{
-		updMu:    &sync.RWMutex{},
-		current:  conf,
-		fileName: c.FileName,
-	}
-
-	err = m.assemble(ctx, conf, c.Frontend, c.WebAddr, c.Start)
-	if err != nil {
-		return nil, fmt.Errorf("creating config manager: %w", err)
-	}
-
-	return m, nil
-}
-
-// read reads and decodes configuration from the provided filename.
-func read(fileName string) (conf *config, err error) {
-	defer func() { err = errors.Annotate(err, "reading config: %w") }()
-
-	conf = &config{}
-	f, err := os.Open(fileName)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-	defer func() { err = errors.WithDeferred(err, f.Close()) }()
-
-	err = yaml.NewDecoder(f).Decode(conf)
-	if err != nil {
-		// Don't wrap the error, because it's informative enough as is.
-		return nil, err
-	}
-
-	return conf, nil
-}
-
-// assemble creates all services and puts them into the corresponding fields.
-// The fields of conf must not be modified after calling assemble.
-func (m *Manager) assemble(
-	ctx context.Context,
-	conf *config,
-	frontend fs.FS,
-	webAddr netip.AddrPort,
-	start time.Time,
-) (err error) {
-	dnsConf := &dnssvc.Config{
-		Addresses:           conf.DNS.Addresses,
-		BootstrapServers:    conf.DNS.BootstrapDNS,
-		UpstreamServers:     conf.DNS.UpstreamDNS,
-		DNS64Prefixes:       conf.DNS.DNS64Prefixes,
-		UpstreamTimeout:     conf.DNS.UpstreamTimeout.Duration,
-		BootstrapPreferIPv6: conf.DNS.BootstrapPreferIPv6,
-		UseDNS64:            conf.DNS.UseDNS64,
-	}
-	err = m.updateDNS(ctx, dnsConf)
-	if err != nil {
-		return fmt.Errorf("assembling dnssvc: %w", err)
-	}
-
-	webSvcConf := &websvc.Config{
-		Pprof: &websvc.PprofConfig{
-			Port:    conf.HTTP.Pprof.Port,
-			Enabled: conf.HTTP.Pprof.Enabled,
-		},
-		ConfigManager: m,
-		Frontend:      frontend,
-		// TODO(a.garipov): Fill from config file.
-		TLS:             nil,
-		Start:           start,
-		Addresses:       conf.HTTP.Addresses,
-		SecureAddresses: conf.HTTP.SecureAddresses,
-		OverrideAddress: webAddr,
-		Timeout:         conf.HTTP.Timeout.Duration,
-		ForceHTTPS:      conf.HTTP.ForceHTTPS,
-	}
-
-	err = m.updateWeb(ctx, webSvcConf)
-	if err != nil {
-		return fmt.Errorf("assembling websvc: %w", err)
-	}
-
-	return nil
-}
-
-// write writes the current configuration to disk.
-func (m *Manager) write() (err error) {
-	b, err := yaml.Marshal(m.current)
-	if err != nil {
-		return fmt.Errorf("encoding: %w", err)
-	}
-
-	err = maybe.WriteFile(m.fileName, b, 0o644)
-	if err != nil {
-		return fmt.Errorf("writing: %w", err)
-	}
-
-	log.Info("configmgr: written to %q", m.fileName)
-
-	return nil
-}
-
-// DNS returns the current DNS service.  It is safe for concurrent use.
-func (m *Manager) DNS() (dns agh.ServiceWithConfig[*dnssvc.Config]) {
-	m.updMu.RLock()
-	defer m.updMu.RUnlock()
-
-	return m.dns
-}
-
-// UpdateDNS implements the [websvc.ConfigManager] interface for *Manager.  The
-// fields of c must not be modified after calling UpdateDNS.
-func (m *Manager) UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	m.updMu.Lock()
-	defer m.updMu.Unlock()
-
-	// TODO(a.garipov): Update and write the configuration file.  Return an
-	// error if something went wrong.
-
-	err = m.updateDNS(ctx, c)
-	if err != nil {
-		return fmt.Errorf("reassembling dnssvc: %w", err)
-	}
-
-	m.updateCurrentDNS(c)
-
-	return m.write()
-}
-
-// updateDNS recreates the DNS service.  m.updMu is expected to be locked.
-func (m *Manager) updateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	if prev := m.dns; prev != nil {
-		err = prev.Shutdown(ctx)
-		if err != nil {
-			return fmt.Errorf("shutting down dns svc: %w", err)
-		}
-	}
-
-	svc, err := dnssvc.New(c)
-	if err != nil {
-		return fmt.Errorf("creating dns svc: %w", err)
-	}
-
-	m.dns = svc
-
-	return nil
-}
-
-// updateCurrentDNS updates the DNS configuration in the current config.
-func (m *Manager) updateCurrentDNS(c *dnssvc.Config) {
-	m.current.DNS.Addresses = slices.Clone(c.Addresses)
-	m.current.DNS.BootstrapDNS = slices.Clone(c.BootstrapServers)
-	m.current.DNS.UpstreamDNS = slices.Clone(c.UpstreamServers)
-	m.current.DNS.DNS64Prefixes = slices.Clone(c.DNS64Prefixes)
-	m.current.DNS.UpstreamTimeout = timeutil.Duration{Duration: c.UpstreamTimeout}
-	m.current.DNS.BootstrapPreferIPv6 = c.BootstrapPreferIPv6
-	m.current.DNS.UseDNS64 = c.UseDNS64
-}
-
-// Web returns the current web service.  It is safe for concurrent use.
-func (m *Manager) Web() (web agh.ServiceWithConfig[*websvc.Config]) {
-	m.updMu.RLock()
-	defer m.updMu.RUnlock()
-
-	return m.web
-}
-
-// UpdateWeb implements the [websvc.ConfigManager] interface for *Manager.  The
-// fields of c must not be modified after calling UpdateWeb.
-func (m *Manager) UpdateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	m.updMu.Lock()
-	defer m.updMu.Unlock()
-
-	err = m.updateWeb(ctx, c)
-	if err != nil {
-		return fmt.Errorf("reassembling websvc: %w", err)
-	}
-
-	m.updateCurrentWeb(c)
-
-	return m.write()
-}
-
-// updateWeb recreates the web service.  m.upd is expected to be locked.
-func (m *Manager) updateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	if prev := m.web; prev != nil {
-		err = prev.Shutdown(ctx)
-		if err != nil {
-			return fmt.Errorf("shutting down web svc: %w", err)
-		}
-	}
-
-	m.web, err = websvc.New(c)
-	if err != nil {
-		return fmt.Errorf("creating web svc: %w", err)
-	}
-
-	return nil
-}
-
-// updateCurrentWeb updates the web configuration in the current config.
-func (m *Manager) updateCurrentWeb(c *websvc.Config) {
-	// TODO(a.garipov): Update pprof from API?
-
-	m.current.HTTP.Addresses = slices.Clone(c.Addresses)
-	m.current.HTTP.SecureAddresses = slices.Clone(c.SecureAddresses)
-	m.current.HTTP.Timeout = timeutil.Duration{Duration: c.Timeout}
-	m.current.HTTP.ForceHTTPS = c.ForceHTTPS
-}
--- a/internal/next/configmgr/error.go
+++ b/internal/next/configmgr/error.go
@@ -1,27 +0,0 @@
-package configmgr
-
-import (
-	"fmt"
-
-	"github.com/AdguardTeam/golibs/timeutil"
-	"golang.org/x/exp/constraints"
-)
-
-// numberOrDuration is the constraint for integer types along with
-// timeutil.Duration.
-type numberOrDuration interface {
-	constraints.Integer | timeutil.Duration
-}
-
-// newMustBePositiveError returns an error about the value that must be positive
-// but isn't.  prop is the name of the property to mention in the error message.
-//
-// TODO(a.garipov): Consider moving such helpers to golibs and use in AdGuardDNS
-// as well.
-func newMustBePositiveError[T numberOrDuration](prop string, v T) (err error) {
-	if s, ok := any(v).(fmt.Stringer); ok {
-		return fmt.Errorf("%s must be positive, got %s", prop, s)
-	}
-
-	return fmt.Errorf("%s must be positive, got %d", prop, v)
-}
--- a/internal/next/dnssvc/config.go
+++ b/internal/next/dnssvc/config.go
@@ -1,35 +0,0 @@
-package dnssvc
-
-import (
-	"net/netip"
-	"time"
-)
-
-// Config is the AdGuard Home DNS service configuration structure.
-//
-// TODO(a.garipov): Add timeout for incoming requests.
-type Config struct {
-	// Addresses are the addresses on which to serve plain DNS queries.
-	Addresses []netip.AddrPort
-
-	// BootstrapServers are the addresses of DNS servers used for bootstrapping
-	// the upstream DNS server addresses.
-	BootstrapServers []string
-
-	// UpstreamServers are the upstream DNS server addresses to use.
-	UpstreamServers []string
-
-	// DNS64Prefixes is a slice of NAT64 prefixes to be used for DNS64.  See
-	// also [Config.UseDNS64].
-	DNS64Prefixes []netip.Prefix
-
-	// UpstreamTimeout is the timeout for upstream requests.
-	UpstreamTimeout time.Duration
-
-	// BootstrapPreferIPv6, if true, instructs the bootstrapper to prefer IPv6
-	// addresses to IPv4 ones when bootstrapping.
-	BootstrapPreferIPv6 bool
-
-	// UseDNS64, if true, enables DNS64 protection for incoming requests.
-	UseDNS64 bool
-}
--- a/internal/next/dnssvc/dnssvc.go
+++ b/internal/next/dnssvc/dnssvc.go
@@ -1,202 +0,0 @@
-// Package dnssvc contains the AdGuard Home DNS service.
-//
-// TODO(a.garipov): Define, if all methods of a *Service should work with a nil
-// receiver.
-package dnssvc
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync/atomic"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	// TODO(a.garipov): Add a “dnsproxy proxy” package to shield us from changes
-	// and replacement of module dnsproxy.
-	"github.com/AdguardTeam/dnsproxy/proxy"
-	"github.com/AdguardTeam/dnsproxy/upstream"
-)
-
-// Service is the AdGuard Home DNS service.  A nil *Service is a valid
-// [agh.Service] that does nothing.
-//
-// TODO(a.garipov): Consider saving a [*proxy.Config] instance for those
-// fields that are only used in [New] and [Service.Config].
-type Service struct {
-	proxy               *proxy.Proxy
-	bootstraps          []string
-	upstreams           []string
-	dns64Prefixes       []netip.Prefix
-	upsTimeout          time.Duration
-	running             atomic.Bool
-	bootstrapPreferIPv6 bool
-	useDNS64            bool
-}
-
-// New returns a new properly initialized *Service.  If c is nil, svc is a nil
-// *Service that does nothing.  The fields of c must not be modified after
-// calling New.
-func New(c *Config) (svc *Service, err error) {
-	if c == nil {
-		return nil, nil
-	}
-
-	svc = &Service{
-		bootstraps:          c.BootstrapServers,
-		upstreams:           c.UpstreamServers,
-		dns64Prefixes:       c.DNS64Prefixes,
-		upsTimeout:          c.UpstreamTimeout,
-		bootstrapPreferIPv6: c.BootstrapPreferIPv6,
-		useDNS64:            c.UseDNS64,
-	}
-
-	upstreams, err := addressesToUpstreams(
-		c.UpstreamServers,
-		c.BootstrapServers,
-		c.UpstreamTimeout,
-		c.BootstrapPreferIPv6,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("converting upstreams: %w", err)
-	}
-
-	svc.proxy = &proxy.Proxy{
-		Config: proxy.Config{
-			UDPListenAddr: udpAddrs(c.Addresses),
-			TCPListenAddr: tcpAddrs(c.Addresses),
-			UpstreamConfig: &proxy.UpstreamConfig{
-				Upstreams: upstreams,
-			},
-			UseDNS64:   c.UseDNS64,
-			DNS64Prefs: c.DNS64Prefixes,
-		},
-	}
-
-	err = svc.proxy.Init()
-	if err != nil {
-		return nil, fmt.Errorf("proxy: %w", err)
-	}
-
-	return svc, nil
-}
-
-// addressesToUpstreams is a wrapper around [upstream.AddressToUpstream].  It
-// accepts a slice of addresses and other upstream parameters, and returns a
-// slice of upstreams.
-func addressesToUpstreams(
-	upsStrs []string,
-	bootstraps []string,
-	timeout time.Duration,
-	preferIPv6 bool,
-) (upstreams []upstream.Upstream, err error) {
-	upstreams = make([]upstream.Upstream, len(upsStrs))
-	for i, upsStr := range upsStrs {
-		upstreams[i], err = upstream.AddressToUpstream(upsStr, &upstream.Options{
-			Bootstrap:  bootstraps,
-			Timeout:    timeout,
-			PreferIPv6: preferIPv6,
-		})
-		if err != nil {
-			return nil, fmt.Errorf("upstream at index %d: %w", i, err)
-		}
-	}
-
-	return upstreams, nil
-}
-
-// tcpAddrs converts []netip.AddrPort into []*net.TCPAddr.
-func tcpAddrs(addrPorts []netip.AddrPort) (tcpAddrs []*net.TCPAddr) {
-	if addrPorts == nil {
-		return nil
-	}
-
-	tcpAddrs = make([]*net.TCPAddr, len(addrPorts))
-	for i, a := range addrPorts {
-		tcpAddrs[i] = net.TCPAddrFromAddrPort(a)
-	}
-
-	return tcpAddrs
-}
-
-// udpAddrs converts []netip.AddrPort into []*net.UDPAddr.
-func udpAddrs(addrPorts []netip.AddrPort) (udpAddrs []*net.UDPAddr) {
-	if addrPorts == nil {
-		return nil
-	}
-
-	udpAddrs = make([]*net.UDPAddr, len(addrPorts))
-	for i, a := range addrPorts {
-		udpAddrs[i] = net.UDPAddrFromAddrPort(a)
-	}
-
-	return udpAddrs
-}
-
-// type check
-var _ agh.Service = (*Service)(nil)
-
-// Start implements the [agh.Service] interface for *Service.  svc may be nil.
-// After Start exits, all DNS servers have tried to start, but there is no
-// guarantee that they did.  Errors from the servers are written to the log.
-func (svc *Service) Start() (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	defer func() {
-		// TODO(a.garipov): [proxy.Proxy.Start] doesn't actually have any way to
-		// tell when all servers are actually up, so at best this is merely an
-		// assumption.
-		svc.running.Store(err == nil)
-	}()
-
-	return svc.proxy.Start()
-}
-
-// Shutdown implements the [agh.Service] interface for *Service.  svc may be
-// nil.
-func (svc *Service) Shutdown(ctx context.Context) (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	return svc.proxy.Stop()
-}
-
-// Config returns the current configuration of the web service.  Config must not
-// be called simultaneously with Start.  If svc was initialized with ":0"
-// addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) Config() (c *Config) {
-	// TODO(a.garipov): Do we need to get the TCP addresses separately?
-
-	var addrs []netip.AddrPort
-	if svc.running.Load() {
-		udpAddrs := svc.proxy.Addrs(proxy.ProtoUDP)
-		addrs = make([]netip.AddrPort, len(udpAddrs))
-		for i, a := range udpAddrs {
-			addrs[i] = a.(*net.UDPAddr).AddrPort()
-		}
-	} else {
-		conf := svc.proxy.Config
-		udpAddrs := conf.UDPListenAddr
-		addrs = make([]netip.AddrPort, len(udpAddrs))
-		for i, a := range udpAddrs {
-			addrs[i] = a.AddrPort()
-		}
-	}
-
-	c = &Config{
-		Addresses:           addrs,
-		BootstrapServers:    svc.bootstraps,
-		UpstreamServers:     svc.upstreams,
-		DNS64Prefixes:       svc.dns64Prefixes,
-		UpstreamTimeout:     svc.upsTimeout,
-		BootstrapPreferIPv6: svc.bootstrapPreferIPv6,
-		UseDNS64:            svc.useDNS64,
-	}
-
-	return c
-}
--- a/internal/next/dnssvc/dnssvc_test.go
+++ b/internal/next/dnssvc/dnssvc_test.go
@@ -1,125 +0,0 @@
-package dnssvc_test
-
-import (
-	"context"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestMain(m *testing.M) {
-	testutil.DiscardLogOutput(m)
-}
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
-
-func TestService(t *testing.T) {
-	const (
-		listenAddr    = "127.0.0.1:0"
-		bootstrapAddr = "127.0.0.1:0"
-		upstreamAddr  = "upstream.example"
-	)
-
-	upstreamErrCh := make(chan error, 1)
-	upstreamStartedCh := make(chan struct{})
-	upstreamSrv := &dns.Server{
-		Addr: bootstrapAddr,
-		Net:  "udp",
-		Handler: dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
-			pt := testutil.PanicT{}
-
-			resp := (&dns.Msg{}).SetReply(req)
-			resp.Answer = append(resp.Answer, &dns.A{
-				Hdr: dns.RR_Header{},
-				A:   netip.MustParseAddrPort(bootstrapAddr).Addr().AsSlice(),
-			})
-
-			writeErr := w.WriteMsg(resp)
-			require.NoError(pt, writeErr)
-		}),
-		NotifyStartedFunc: func() { close(upstreamStartedCh) },
-	}
-
-	go func() {
-		listenErr := upstreamSrv.ListenAndServe()
-		if listenErr != nil {
-			// Log these immediately to see what happens.
-			t.Logf("upstream listen error: %s", listenErr)
-		}
-
-		upstreamErrCh <- listenErr
-	}()
-
-	_, _ = testutil.RequireReceive(t, upstreamStartedCh, testTimeout)
-
-	c := &dnssvc.Config{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort(listenAddr)},
-		BootstrapServers:    []string{upstreamSrv.PacketConn.LocalAddr().String()},
-		UpstreamServers:     []string{upstreamAddr},
-		DNS64Prefixes:       nil,
-		UpstreamTimeout:     testTimeout,
-		BootstrapPreferIPv6: false,
-		UseDNS64:            false,
-	}
-
-	svc, err := dnssvc.New(c)
-	require.NoError(t, err)
-
-	err = svc.Start()
-	require.NoError(t, err)
-
-	gotConf := svc.Config()
-	require.NotNil(t, gotConf)
-	require.Len(t, gotConf.Addresses, 1)
-
-	addr := gotConf.Addresses[0]
-
-	t.Run("dns", func(t *testing.T) {
-		req := &dns.Msg{
-			MsgHdr: dns.MsgHdr{
-				Id:               dns.Id(),
-				RecursionDesired: true,
-			},
-			Question: []dns.Question{{
-				Name:   "example.com.",
-				Qtype:  dns.TypeA,
-				Qclass: dns.ClassINET,
-			}},
-		}
-
-		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-		defer cancel()
-
-		cli := &dns.Client{}
-
-		var resp *dns.Msg
-		require.Eventually(t, func() (ok bool) {
-			var excErr error
-			resp, _, excErr = cli.ExchangeContext(ctx, req, addr.String())
-
-			return excErr == nil
-		}, testTimeout, testTimeout/10)
-
-		assert.NotNil(t, resp)
-	})
-
-	ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-	defer cancel()
-
-	err = svc.Shutdown(ctx)
-	require.NoError(t, err)
-
-	err = upstreamSrv.Shutdown()
-	require.NoError(t, err)
-
-	err, ok := testutil.RequireReceive(t, upstreamErrCh, testTimeout)
-	require.True(t, ok)
-	require.NoError(t, err)
-}
--- a/internal/next/websvc/config.go
+++ b/internal/next/websvc/config.go
@@ -1,79 +0,0 @@
-package websvc
-
-import (
-	"crypto/tls"
-	"io/fs"
-	"net/netip"
-	"time"
-)
-
-// Config is the AdGuard Home web service configuration structure.
-type Config struct {
-	// Pprof is the configuration for the pprof debug API.  It must not be nil.
-	Pprof *PprofConfig
-
-	// ConfigManager is used to show information about services as well as
-	// dynamically reconfigure them.
-	ConfigManager ConfigManager
-
-	// Frontend is the filesystem with the frontend and other statically
-	// compiled files.
-	Frontend fs.FS
-
-	// TLS is the optional TLS configuration.  If TLS is not nil,
-	// SecureAddresses must not be empty.
-	TLS *tls.Config
-
-	// Start is the time of start of AdGuard Home.
-	Start time.Time
-
-	// OverrideAddress is the initial or override address for the HTTP API.  If
-	// set, it is used instead of [Addresses] and [SecureAddresses].
-	OverrideAddress netip.AddrPort
-
-	// Addresses are the addresses on which to serve the plain HTTP API.
-	Addresses []netip.AddrPort
-
-	// SecureAddresses are the addresses on which to serve the HTTPS API.  If
-	// SecureAddresses is not empty, TLS must not be nil.
-	SecureAddresses []netip.AddrPort
-
-	// Timeout is the timeout for all server operations.
-	Timeout time.Duration
-
-	// ForceHTTPS tells if all requests to Addresses should be redirected to a
-	// secure address instead.
-	//
-	// TODO(a.garipov): Use; define rules, which address to redirect to.
-	ForceHTTPS bool
-}
-
-// PprofConfig is the configuration for the pprof debug API.
-type PprofConfig struct {
-	Port    uint16 `yaml:"port"`
-	Enabled bool   `yaml:"enabled"`
-}
-
-// Config returns the current configuration of the web service.  Config must not
-// be called simultaneously with Start.  If svc was initialized with ":0"
-// addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) Config() (c *Config) {
-	c = &Config{
-		Pprof: &PprofConfig{
-			Port:    svc.pprofPort,
-			Enabled: svc.pprof != nil,
-		},
-		ConfigManager: svc.confMgr,
-		TLS:           svc.tls,
-		// Leave Addresses and SecureAddresses empty and get the actual
-		// addresses that include the :0 ones later.
-		Start:      svc.start,
-		Timeout:    svc.timeout,
-		ForceHTTPS: svc.forceHTTPS,
-	}
-
-	c.Addresses, c.SecureAddresses = svc.addrs()
-
-	return c
-}
--- a/internal/next/websvc/dns.go
+++ b/internal/next/websvc/dns.go
@@ -1,96 +0,0 @@
-package websvc
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-)
-
-// DNS Settings Handlers
-
-// ReqPatchSettingsDNS describes the request to the PATCH /api/v1/settings/dns
-// HTTP API.
-type ReqPatchSettingsDNS struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses           []netip.AddrPort `json:"addresses"`
-	BootstrapServers    []string         `json:"bootstrap_servers"`
-	UpstreamServers     []string         `json:"upstream_servers"`
-	DNS64Prefixes       []netip.Prefix   `json:"dns64_prefixes"`
-	UpstreamTimeout     JSONDuration     `json:"upstream_timeout"`
-	BootstrapPreferIPv6 bool             `json:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool             `json:"use_dns64"`
-}
-
-// HTTPAPIDNSSettings are the DNS settings as used by the HTTP API.  See the
-// DnsSettings object in the OpenAPI specification.
-type HTTPAPIDNSSettings struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses           []netip.AddrPort `json:"addresses"`
-	BootstrapServers    []string         `json:"bootstrap_servers"`
-	UpstreamServers     []string         `json:"upstream_servers"`
-	DNS64Prefixes       []netip.Prefix   `json:"dns64_prefixes"`
-	UpstreamTimeout     JSONDuration     `json:"upstream_timeout"`
-	BootstrapPreferIPv6 bool             `json:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool             `json:"use_dns64"`
-}
-
-// handlePatchSettingsDNS is the handler for the PATCH /api/v1/settings/dns HTTP
-// API.
-func (svc *Service) handlePatchSettingsDNS(w http.ResponseWriter, r *http.Request) {
-	req := &ReqPatchSettingsDNS{
-		Addresses:        []netip.AddrPort{},
-		BootstrapServers: []string{},
-		UpstreamServers:  []string{},
-	}
-
-	// TODO(a.garipov): Validate nulls and proper JSON patch.
-
-	err := json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("decoding: %w", err))
-
-		return
-	}
-
-	newConf := &dnssvc.Config{
-		Addresses:           req.Addresses,
-		BootstrapServers:    req.BootstrapServers,
-		UpstreamServers:     req.UpstreamServers,
-		DNS64Prefixes:       req.DNS64Prefixes,
-		UpstreamTimeout:     time.Duration(req.UpstreamTimeout),
-		BootstrapPreferIPv6: req.BootstrapPreferIPv6,
-		UseDNS64:            req.UseDNS64,
-	}
-
-	ctx := r.Context()
-	err = svc.confMgr.UpdateDNS(ctx, newConf)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("updating: %w", err))
-
-		return
-	}
-
-	newSvc := svc.confMgr.DNS()
-	err = newSvc.Start()
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("starting new service: %w", err))
-
-		return
-	}
-
-	writeJSONOKResponse(w, r, &HTTPAPIDNSSettings{
-		Addresses:           newConf.Addresses,
-		BootstrapServers:    newConf.BootstrapServers,
-		UpstreamServers:     newConf.UpstreamServers,
-		DNS64Prefixes:       newConf.DNS64Prefixes,
-		UpstreamTimeout:     JSONDuration(newConf.UpstreamTimeout),
-		BootstrapPreferIPv6: newConf.BootstrapPreferIPv6,
-		UseDNS64:            newConf.UseDNS64,
-	})
-}
--- a/internal/next/websvc/dns_test.go
+++ b/internal/next/websvc/dns_test.go
@@ -1,74 +0,0 @@
-package websvc_test
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandlePatchSettingsDNS(t *testing.T) {
-	wantDNS := &websvc.HTTPAPIDNSSettings{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:53")},
-		BootstrapServers:    []string{"1.0.0.1"},
-		UpstreamServers:     []string{"1.1.1.1"},
-		DNS64Prefixes:       []netip.Prefix{netip.MustParsePrefix("1234::/64")},
-		UpstreamTimeout:     websvc.JSONDuration(2 * time.Second),
-		BootstrapPreferIPv6: true,
-		UseDNS64:            true,
-	}
-
-	var started atomic.Bool
-	confMgr := newConfigManager()
-	confMgr.onDNS = func() (s agh.ServiceWithConfig[*dnssvc.Config]) {
-		return &aghtest.ServiceWithConfig[*dnssvc.Config]{
-			OnStart: func() (err error) {
-				started.Store(true)
-
-				return nil
-			},
-			OnShutdown: func(_ context.Context) (err error) { panic("not implemented") },
-			OnConfig:   func() (c *dnssvc.Config) { panic("not implemented") },
-		}
-	}
-	confMgr.onUpdateDNS = func(ctx context.Context, c *dnssvc.Config) (err error) {
-		return nil
-	}
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsDNS,
-	}
-
-	req := jobj{
-		"addresses":             wantDNS.Addresses,
-		"bootstrap_servers":     wantDNS.BootstrapServers,
-		"upstream_servers":      wantDNS.UpstreamServers,
-		"dns64_prefixes":        wantDNS.DNS64Prefixes,
-		"upstream_timeout":      wantDNS.UpstreamTimeout,
-		"bootstrap_prefer_ipv6": wantDNS.BootstrapPreferIPv6,
-		"use_dns64":             wantDNS.UseDNS64,
-	}
-
-	respBody := httpPatch(t, u, req, http.StatusOK)
-	resp := &websvc.HTTPAPIDNSSettings{}
-	err := json.Unmarshal(respBody, resp)
-	require.NoError(t, err)
-
-	assert.True(t, started.Load())
-	assert.Equal(t, wantDNS, resp)
-	assert.Equal(t, wantDNS, resp)
-}
--- a/internal/next/websvc/http.go
+++ b/internal/next/websvc/http.go
@@ -1,122 +0,0 @@
-package websvc
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// HTTP Settings Handlers
-
-// ReqPatchSettingsHTTP describes the request to the PATCH /api/v1/settings/http
-// HTTP API.
-type ReqPatchSettingsHTTP struct {
-	// TODO(a.garipov): Add more as we go.
-	//
-	// TODO(a.garipov): Add wait time.
-
-	Addresses       []netip.AddrPort `json:"addresses"`
-	SecureAddresses []netip.AddrPort `json:"secure_addresses"`
-	Timeout         JSONDuration     `json:"timeout"`
-}
-
-// HTTPAPIHTTPSettings are the HTTP settings as used by the HTTP API.  See the
-// HttpSettings object in the OpenAPI specification.
-type HTTPAPIHTTPSettings struct {
-	// TODO(a.garipov): Add more as we go.
-
-	Addresses       []netip.AddrPort `json:"addresses"`
-	SecureAddresses []netip.AddrPort `json:"secure_addresses"`
-	Timeout         JSONDuration     `json:"timeout"`
-	ForceHTTPS      bool             `json:"force_https"`
-}
-
-// handlePatchSettingsHTTP is the handler for the PATCH /api/v1/settings/http
-// HTTP API.
-func (svc *Service) handlePatchSettingsHTTP(w http.ResponseWriter, r *http.Request) {
-	req := &ReqPatchSettingsHTTP{}
-
-	// TODO(a.garipov): Validate nulls and proper JSON patch.
-
-	err := json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		writeJSONErrorResponse(w, r, fmt.Errorf("decoding: %w", err))
-
-		return
-	}
-
-	newConf := &Config{
-		Pprof: &PprofConfig{
-			Port:    svc.pprofPort,
-			Enabled: svc.pprof != nil,
-		},
-		ConfigManager:   svc.confMgr,
-		Frontend:        svc.frontend,
-		TLS:             svc.tls,
-		Addresses:       req.Addresses,
-		SecureAddresses: req.SecureAddresses,
-		Timeout:         time.Duration(req.Timeout),
-		ForceHTTPS:      svc.forceHTTPS,
-	}
-
-	writeJSONOKResponse(w, r, &HTTPAPIHTTPSettings{
-		Addresses:       newConf.Addresses,
-		SecureAddresses: newConf.SecureAddresses,
-		Timeout:         JSONDuration(newConf.Timeout),
-		ForceHTTPS:      newConf.ForceHTTPS,
-	})
-
-	cancelUpd := func() {}
-	updCtx := context.Background()
-
-	ctx := r.Context()
-	if deadline, ok := ctx.Deadline(); ok {
-		updCtx, cancelUpd = context.WithDeadline(updCtx, deadline)
-	}
-
-	// Launch the new HTTP service in a separate goroutine to let this handler
-	// finish and thus, this server to shutdown.
-	go svc.relaunch(updCtx, cancelUpd, newConf)
-}
-
-// relaunch updates the web service in the configuration manager and starts it.
-// It is intended to be used as a goroutine.
-func (svc *Service) relaunch(ctx context.Context, cancel context.CancelFunc, newConf *Config) {
-	defer log.OnPanic("websvc: relaunching")
-
-	defer cancel()
-
-	err := svc.confMgr.UpdateWeb(ctx, newConf)
-	if err != nil {
-		log.Error("websvc: updating web: %s", err)
-
-		return
-	}
-
-	// TODO(a.garipov): Consider better ways to do this.
-	const maxUpdDur = 5 * time.Second
-	updStart := time.Now()
-	var newSvc agh.ServiceWithConfig[*Config]
-	for newSvc = svc.confMgr.Web(); newSvc == svc; {
-		if time.Since(updStart) >= maxUpdDur {
-			log.Error("websvc: failed to update svc after %s", maxUpdDur)
-
-			return
-		}
-
-		log.Debug("websvc: waiting for new websvc to be configured")
-
-		time.Sleep(100 * time.Millisecond)
-	}
-
-	err = newSvc.Start()
-	if err != nil {
-		log.Error("websvc: new svc failed to start with error: %s", err)
-	}
-}
--- a/internal/next/websvc/http_test.go
+++ b/internal/next/websvc/http_test.go
@@ -1,65 +0,0 @@
-package websvc_test
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandlePatchSettingsHTTP(t *testing.T) {
-	wantWeb := &websvc.HTTPAPIHTTPSettings{
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.1.1:443")},
-		Timeout:         websvc.JSONDuration(10 * time.Second),
-		ForceHTTPS:      false,
-	}
-
-	svc, err := websvc.New(&websvc.Config{
-		Pprof: &websvc.PprofConfig{
-			Enabled: false,
-		},
-		TLS: &tls.Config{
-			Certificates: []tls.Certificate{{}},
-		},
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:443")},
-		Timeout:         5 * time.Second,
-		ForceHTTPS:      true,
-	})
-	require.NoError(t, err)
-
-	confMgr := newConfigManager()
-	confMgr.onWeb = func() (s agh.ServiceWithConfig[*websvc.Config]) { return svc }
-	confMgr.onUpdateWeb = func(ctx context.Context, c *websvc.Config) (err error) { return nil }
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsHTTP,
-	}
-
-	req := jobj{
-		"addresses":        wantWeb.Addresses,
-		"secure_addresses": wantWeb.SecureAddresses,
-		"timeout":          wantWeb.Timeout,
-		"force_https":      wantWeb.ForceHTTPS,
-	}
-
-	respBody := httpPatch(t, u, req, http.StatusOK)
-	resp := &websvc.HTTPAPIHTTPSettings{}
-	err = json.Unmarshal(respBody, resp)
-	require.NoError(t, err)
-
-	assert.Equal(t, wantWeb, resp)
-}
--- a/internal/next/websvc/json.go
+++ b/internal/next/websvc/json.go
@@ -1,144 +0,0 @@
-package websvc
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"strconv"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/golibs/httphdr"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// JSON Utilities
-
-// nsecPerMsec is the number of nanoseconds in a millisecond.
-const nsecPerMsec = float64(time.Millisecond / time.Nanosecond)
-
-// JSONDuration is a time.Duration that can be decoded from JSON and encoded
-// into JSON according to our API conventions.
-type JSONDuration time.Duration
-
-// type check
-var _ json.Marshaler = JSONDuration(0)
-
-// MarshalJSON implements the json.Marshaler interface for JSONDuration.  err is
-// always nil.
-func (d JSONDuration) MarshalJSON() (b []byte, err error) {
-	msec := float64(time.Duration(d)) / nsecPerMsec
-	b = strconv.AppendFloat(nil, msec, 'f', -1, 64)
-
-	return b, nil
-}
-
-// type check
-var _ json.Unmarshaler = (*JSONDuration)(nil)
-
-// UnmarshalJSON implements the json.Marshaler interface for *JSONDuration.
-func (d *JSONDuration) UnmarshalJSON(b []byte) (err error) {
-	if d == nil {
-		return fmt.Errorf("json duration is nil")
-	}
-
-	msec, err := strconv.ParseFloat(string(b), 64)
-	if err != nil {
-		return fmt.Errorf("parsing json time: %w", err)
-	}
-
-	*d = JSONDuration(int64(msec * nsecPerMsec))
-
-	return nil
-}
-
-// JSONTime is a time.Time that can be decoded from JSON and encoded into JSON
-// according to our API conventions.
-type JSONTime time.Time
-
-// type check
-var _ json.Marshaler = JSONTime{}
-
-// MarshalJSON implements the json.Marshaler interface for JSONTime.  err is
-// always nil.
-func (t JSONTime) MarshalJSON() (b []byte, err error) {
-	msec := float64(time.Time(t).UnixNano()) / nsecPerMsec
-	b = strconv.AppendFloat(nil, msec, 'f', -1, 64)
-
-	return b, nil
-}
-
-// type check
-var _ json.Unmarshaler = (*JSONTime)(nil)
-
-// UnmarshalJSON implements the json.Marshaler interface for *JSONTime.
-func (t *JSONTime) UnmarshalJSON(b []byte) (err error) {
-	if t == nil {
-		return fmt.Errorf("json time is nil")
-	}
-
-	msec, err := strconv.ParseFloat(string(b), 64)
-	if err != nil {
-		return fmt.Errorf("parsing json time: %w", err)
-	}
-
-	*t = JSONTime(time.Unix(0, int64(msec*nsecPerMsec)).UTC())
-
-	return nil
-}
-
-// writeJSONOKResponse writes headers with the code 200 OK, encodes v into w,
-// and logs any errors it encounters.  r is used to get additional information
-// from the request.
-func writeJSONOKResponse(w http.ResponseWriter, r *http.Request, v any) {
-	writeJSONResponse(w, r, v, http.StatusOK)
-}
-
-// writeJSONResponse writes headers with code, encodes v into w, and logs any
-// errors it encounters.  r is used to get additional information from the
-// request.
-func writeJSONResponse(w http.ResponseWriter, r *http.Request, v any, code int) {
-	// TODO(a.garipov): Put some of these to a middleware.
-	h := w.Header()
-	h.Set(httphdr.ContentType, aghhttp.HdrValApplicationJSON)
-	h.Set(httphdr.Server, aghhttp.UserAgent())
-
-	w.WriteHeader(code)
-
-	err := json.NewEncoder(w).Encode(v)
-	if err != nil {
-		log.Error("websvc: writing resp to %s %s: %s", r.Method, r.URL.Path, err)
-	}
-}
-
-// ErrorCode is the error code as used by the HTTP API.  See the ErrorCode
-// definition in the OpenAPI specification.
-type ErrorCode string
-
-// ErrorCode constants.
-//
-// TODO(a.garipov): Expand and document codes.
-const (
-	// ErrorCodeTMP000 is the temporary error code used for all errors.
-	ErrorCodeTMP000 = ""
-)
-
-// HTTPAPIErrorResp is the error response as used by the HTTP API.  See the
-// BadRequestResp, InternalServerErrorResp, and similar objects in the OpenAPI
-// specification.
-type HTTPAPIErrorResp struct {
-	Code ErrorCode `json:"code"`
-	Msg  string    `json:"msg"`
-}
-
-// writeJSONErrorResponse encodes err as a JSON error into w, and logs any
-// errors it encounters.  r is used to get additional information from the
-// request.
-func writeJSONErrorResponse(w http.ResponseWriter, r *http.Request, err error) {
-	log.Error("websvc: %s %s: %s", r.Method, r.URL.Path, err)
-
-	writeJSONResponse(w, r, &HTTPAPIErrorResp{
-		Code: ErrorCodeTMP000,
-		Msg:  err.Error(),
-	}, http.StatusUnprocessableEntity)
-}
--- a/internal/next/websvc/json_test.go
+++ b/internal/next/websvc/json_test.go
@@ -1,114 +0,0 @@
-package websvc_test
-
-import (
-	"encoding/json"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// testJSONTime is the JSON time for tests.
-var testJSONTime = websvc.JSONTime(time.Unix(1_234_567_890, 123_456_000).UTC())
-
-// testJSONTimeStr is the string with the JSON encoding of testJSONTime.
-const testJSONTimeStr = "1234567890123.456"
-
-func TestJSONTime_MarshalJSON(t *testing.T) {
-	testCases := []struct {
-		name       string
-		wantErrMsg string
-		in         websvc.JSONTime
-		want       []byte
-	}{{
-		name:       "unix_zero",
-		wantErrMsg: "",
-		in:         websvc.JSONTime(time.Unix(0, 0)),
-		want:       []byte("0"),
-	}, {
-		name:       "empty",
-		wantErrMsg: "",
-		in:         websvc.JSONTime{},
-		want:       []byte("-6795364578871.345"),
-	}, {
-		name:       "time",
-		wantErrMsg: "",
-		in:         testJSONTime,
-		want:       []byte(testJSONTimeStr),
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			got, err := tc.in.MarshalJSON()
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-
-			assert.Equal(t, tc.want, got)
-		})
-	}
-
-	t.Run("json", func(t *testing.T) {
-		in := &struct {
-			A websvc.JSONTime
-		}{
-			A: testJSONTime,
-		}
-
-		got, err := json.Marshal(in)
-		require.NoError(t, err)
-
-		assert.Equal(t, []byte(`{"A":`+testJSONTimeStr+`}`), got)
-	})
-}
-
-func TestJSONTime_UnmarshalJSON(t *testing.T) {
-	testCases := []struct {
-		name       string
-		wantErrMsg string
-		want       websvc.JSONTime
-		data       []byte
-	}{{
-		name:       "time",
-		wantErrMsg: "",
-		want:       testJSONTime,
-		data:       []byte(testJSONTimeStr),
-	}, {
-		name: "bad",
-		wantErrMsg: `parsing json time: strconv.ParseFloat: parsing "{}": ` +
-			`invalid syntax`,
-		want: websvc.JSONTime{},
-		data: []byte(`{}`),
-	}}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var got websvc.JSONTime
-			err := got.UnmarshalJSON(tc.data)
-			testutil.AssertErrorMsg(t, tc.wantErrMsg, err)
-
-			assert.Equal(t, tc.want, got)
-		})
-	}
-
-	t.Run("nil", func(t *testing.T) {
-		err := (*websvc.JSONTime)(nil).UnmarshalJSON([]byte("0"))
-		require.Error(t, err)
-
-		msg := err.Error()
-		assert.Equal(t, "json time is nil", msg)
-	})
-
-	t.Run("json", func(t *testing.T) {
-		want := testJSONTime
-		var got struct {
-			A websvc.JSONTime
-		}
-
-		err := json.Unmarshal([]byte(`{"A":`+testJSONTimeStr+`}`), &got)
-		require.NoError(t, err)
-
-		assert.Equal(t, want, got.A)
-	})
-}
--- a/internal/next/websvc/middleware.go
+++ b/internal/next/websvc/middleware.go
@@ -1,38 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/golibs/httphdr"
-	"github.com/AdguardTeam/golibs/log"
-)
-
-// Middlewares
-
-// jsonMw sets the content type of the response to application/json.
-func jsonMw(h http.Handler) (wrapped http.HandlerFunc) {
-	f := func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set(httphdr.ContentType, aghhttp.HdrValApplicationJSON)
-
-		h.ServeHTTP(w, r)
-	}
-
-	return http.HandlerFunc(f)
-}
-
-// logMw logs the queries with level debug.
-func logMw(h http.Handler) (wrapped http.HandlerFunc) {
-	f := func(w http.ResponseWriter, r *http.Request) {
-		start := time.Now()
-		m, u := r.Method, r.RequestURI
-
-		log.Debug("websvc: %s %s started", m, u)
-		defer func() { log.Debug("websvc: %s %s finished in %s", m, u, time.Since(start)) }()
-
-		h.ServeHTTP(w, r)
-	}
-
-	return http.HandlerFunc(f)
-}
--- a/internal/next/websvc/path.go
+++ b/internal/next/websvc/path.go
@@ -1,14 +0,0 @@
-package websvc
-
-// Path constants
-const (
-	PathRoot     = "/"
-	PathFrontend = "/*filepath"
-
-	PathHealthCheck = "/health-check"
-
-	PathV1SettingsAll  = "/api/v1/settings/all"
-	PathV1SettingsDNS  = "/api/v1/settings/dns"
-	PathV1SettingsHTTP = "/api/v1/settings/http"
-	PathV1SystemInfo   = "/api/v1/system/info"
-)
--- a/internal/next/websvc/settings.go
+++ b/internal/next/websvc/settings.go
@@ -1,45 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-)
-
-// All Settings Handlers
-
-// RespGetV1SettingsAll describes the response of the GET /api/v1/settings/all
-// HTTP API.
-type RespGetV1SettingsAll struct {
-	// TODO(a.garipov): Add more as we go.
-
-	DNS  *HTTPAPIDNSSettings  `json:"dns"`
-	HTTP *HTTPAPIHTTPSettings `json:"http"`
-}
-
-// handleGetSettingsAll is the handler for the GET /api/v1/settings/all HTTP
-// API.
-func (svc *Service) handleGetSettingsAll(w http.ResponseWriter, r *http.Request) {
-	dnsSvc := svc.confMgr.DNS()
-	dnsConf := dnsSvc.Config()
-
-	webSvc := svc.confMgr.Web()
-	httpConf := webSvc.Config()
-
-	// TODO(a.garipov): Add all currently supported parameters.
-	writeJSONOKResponse(w, r, &RespGetV1SettingsAll{
-		DNS: &HTTPAPIDNSSettings{
-			Addresses:           dnsConf.Addresses,
-			BootstrapServers:    dnsConf.BootstrapServers,
-			UpstreamServers:     dnsConf.UpstreamServers,
-			DNS64Prefixes:       dnsConf.DNS64Prefixes,
-			UpstreamTimeout:     JSONDuration(dnsConf.UpstreamTimeout),
-			BootstrapPreferIPv6: dnsConf.BootstrapPreferIPv6,
-			UseDNS64:            dnsConf.UseDNS64,
-		},
-		HTTP: &HTTPAPIHTTPSettings{
-			Addresses:       httpConf.Addresses,
-			SecureAddresses: httpConf.SecureAddresses,
-			Timeout:         JSONDuration(httpConf.Timeout),
-			ForceHTTPS:      httpConf.ForceHTTPS,
-		},
-	})
-}
--- a/internal/next/websvc/settings_test.go
+++ b/internal/next/websvc/settings_test.go
@@ -1,83 +0,0 @@
-package websvc_test
-
-import (
-	"crypto/tls"
-	"encoding/json"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_HandleGetSettingsAll(t *testing.T) {
-	// TODO(a.garipov): Add all currently supported parameters.
-
-	wantDNS := &websvc.HTTPAPIDNSSettings{
-		Addresses:           []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:53")},
-		BootstrapServers:    []string{"94.140.14.140", "94.140.14.141"},
-		UpstreamServers:     []string{"94.140.14.14", "1.1.1.1"},
-		UpstreamTimeout:     websvc.JSONDuration(1 * time.Second),
-		BootstrapPreferIPv6: true,
-	}
-
-	wantWeb := &websvc.HTTPAPIHTTPSettings{
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:80")},
-		SecureAddresses: []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:443")},
-		Timeout:         websvc.JSONDuration(5 * time.Second),
-		ForceHTTPS:      true,
-	}
-
-	confMgr := newConfigManager()
-	confMgr.onDNS = func() (s agh.ServiceWithConfig[*dnssvc.Config]) {
-		c, err := dnssvc.New(&dnssvc.Config{
-			Addresses:           wantDNS.Addresses,
-			UpstreamServers:     wantDNS.UpstreamServers,
-			BootstrapServers:    wantDNS.BootstrapServers,
-			UpstreamTimeout:     time.Duration(wantDNS.UpstreamTimeout),
-			BootstrapPreferIPv6: true,
-		})
-		require.NoError(t, err)
-
-		return c
-	}
-
-	svc, err := websvc.New(&websvc.Config{
-		Pprof: &websvc.PprofConfig{
-			Enabled: false,
-		},
-		TLS: &tls.Config{
-			Certificates: []tls.Certificate{{}},
-		},
-		Addresses:       wantWeb.Addresses,
-		SecureAddresses: wantWeb.SecureAddresses,
-		Timeout:         time.Duration(wantWeb.Timeout),
-		ForceHTTPS:      true,
-	})
-	require.NoError(t, err)
-
-	confMgr.onWeb = func() (s agh.ServiceWithConfig[*websvc.Config]) {
-		return svc
-	}
-
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SettingsAll,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-	resp := &websvc.RespGetV1SettingsAll{}
-	err = json.Unmarshal(body, resp)
-	require.NoError(t, err)
-
-	assert.Equal(t, wantDNS, resp.DNS)
-	assert.Equal(t, wantWeb, resp.HTTP)
-}
--- a/internal/next/websvc/system.go
+++ b/internal/next/websvc/system.go
@@ -1,35 +0,0 @@
-package websvc
-
-import (
-	"net/http"
-	"runtime"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/version"
-)
-
-// System Handlers
-
-// RespGetV1SystemInfo describes the response of the GET /api/v1/system/info
-// HTTP API.
-type RespGetV1SystemInfo struct {
-	Arch       string   `json:"arch"`
-	Channel    string   `json:"channel"`
-	OS         string   `json:"os"`
-	NewVersion string   `json:"new_version,omitempty"`
-	Start      JSONTime `json:"start"`
-	Version    string   `json:"version"`
-}
-
-// handleGetV1SystemInfo is the handler for the GET /api/v1/system/info HTTP
-// API.
-func (svc *Service) handleGetV1SystemInfo(w http.ResponseWriter, r *http.Request) {
-	writeJSONOKResponse(w, r, &RespGetV1SystemInfo{
-		Arch:    runtime.GOARCH,
-		Channel: version.Channel(),
-		OS:      runtime.GOOS,
-		// TODO(a.garipov): Fill this when we have an updater.
-		NewVersion: "",
-		Start:      JSONTime(svc.start),
-		Version:    version.Version(),
-	})
-}
--- a/internal/next/websvc/system_test.go
+++ b/internal/next/websvc/system_test.go
@@ -1,37 +0,0 @@
-package websvc_test
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/url"
-	"runtime"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestService_handleGetV1SystemInfo(t *testing.T) {
-	confMgr := newConfigManager()
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathV1SystemInfo,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-	resp := &websvc.RespGetV1SystemInfo{}
-	err := json.Unmarshal(body, resp)
-	require.NoError(t, err)
-
-	// TODO(a.garipov): Consider making version.Channel and version.Version
-	// testable and test these better.
-	assert.NotEmpty(t, resp.Channel)
-
-	assert.Equal(t, resp.Arch, runtime.GOARCH)
-	assert.Equal(t, resp.OS, runtime.GOOS)
-	assert.Equal(t, testStart, time.Time(resp.Start))
-}
--- a/internal/next/websvc/waitlistener.go
+++ b/internal/next/websvc/waitlistener.go
@@ -1,31 +0,0 @@
-package websvc
-
-import (
-	"net"
-	"sync"
-)
-
-// Wait Listener
-
-// waitListener is a wrapper around a listener that also calls wg.Done() on the
-// first call to Accept.  It is useful in situations where it is important to
-// catch the precise moment of the first call to Accept, for example when
-// starting an HTTP server.
-//
-// TODO(a.garipov): Move to aghnet?
-type waitListener struct {
-	net.Listener
-
-	firstAcceptWG   *sync.WaitGroup
-	firstAcceptOnce sync.Once
-}
-
-// type check
-var _ net.Listener = (*waitListener)(nil)
-
-// Accept implements the [net.Listener] interface for *waitListener.
-func (l *waitListener) Accept() (conn net.Conn, err error) {
-	l.firstAcceptOnce.Do(l.firstAcceptWG.Done)
-
-	return l.Listener.Accept()
-}
--- a/internal/next/websvc/waitlistener_internal_test.go
+++ b/internal/next/websvc/waitlistener_internal_test.go
@@ -1,40 +0,0 @@
-package websvc
-
-import (
-	"net"
-	"sync"
-	"sync/atomic"
-	"testing"
-
-	"github.com/AdguardTeam/golibs/testutil/fakenet"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestWaitListener_Accept(t *testing.T) {
-	var accepted atomic.Bool
-	var l net.Listener = &fakenet.Listener{
-		OnAccept: func() (conn net.Conn, err error) {
-			accepted.Store(true)
-
-			return nil, nil
-		},
-		OnAddr:  func() (addr net.Addr) { panic("not implemented") },
-		OnClose: func() (err error) { panic("not implemented") },
-	}
-
-	wg := &sync.WaitGroup{}
-	wg.Add(1)
-
-	go func() {
-		var wrapper net.Listener = &waitListener{
-			Listener:      l,
-			firstAcceptWG: wg,
-		}
-
-		_, _ = wrapper.Accept()
-	}()
-
-	wg.Wait()
-
-	assert.Eventually(t, accepted.Load, testTimeout, testTimeout/10)
-}
--- a/internal/next/websvc/websvc.go
+++ b/internal/next/websvc/websvc.go
@@ -1,335 +0,0 @@
-// Package websvc contains the AdGuard Home HTTP API service.
-//
-// NOTE: Packages other than cmd must not import this package, as it imports
-// most other packages.
-//
-// TODO(a.garipov): Add tests.
-package websvc
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"io/fs"
-	"net"
-	"net/http"
-	"net/netip"
-	"runtime"
-	"sync"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/mathutil"
-	"github.com/AdguardTeam/golibs/pprofutil"
-	httptreemux "github.com/dimfeld/httptreemux/v5"
-)
-
-// ConfigManager is the configuration manager interface.
-type ConfigManager interface {
-	DNS() (svc agh.ServiceWithConfig[*dnssvc.Config])
-	Web() (svc agh.ServiceWithConfig[*Config])
-
-	UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error)
-	UpdateWeb(ctx context.Context, c *Config) (err error)
-}
-
-// Service is the AdGuard Home web service.  A nil *Service is a valid
-// [agh.Service] that does nothing.
-type Service struct {
-	confMgr      ConfigManager
-	frontend     fs.FS
-	tls          *tls.Config
-	pprof        *http.Server
-	start        time.Time
-	overrideAddr netip.AddrPort
-	servers      []*http.Server
-	timeout      time.Duration
-	pprofPort    uint16
-	forceHTTPS   bool
-}
-
-// New returns a new properly initialized *Service.  If c is nil, svc is a nil
-// *Service that does nothing.  The fields of c must not be modified after
-// calling New.
-//
-// TODO(a.garipov): Get rid of this special handling of nil or explain it
-// better.
-func New(c *Config) (svc *Service, err error) {
-	if c == nil {
-		return nil, nil
-	}
-
-	svc = &Service{
-		confMgr:      c.ConfigManager,
-		frontend:     c.Frontend,
-		tls:          c.TLS,
-		start:        c.Start,
-		overrideAddr: c.OverrideAddress,
-		timeout:      c.Timeout,
-		forceHTTPS:   c.ForceHTTPS,
-	}
-
-	mux := newMux(svc)
-
-	if svc.overrideAddr != (netip.AddrPort{}) {
-		svc.servers = []*http.Server{newSrv(svc.overrideAddr, nil, mux, c.Timeout)}
-	} else {
-		for _, a := range c.Addresses {
-			svc.servers = append(svc.servers, newSrv(a, nil, mux, c.Timeout))
-		}
-
-		for _, a := range c.SecureAddresses {
-			svc.servers = append(svc.servers, newSrv(a, c.TLS, mux, c.Timeout))
-		}
-	}
-
-	svc.setupPprof(c.Pprof)
-
-	return svc, nil
-}
-
-// setupPprof sets the pprof properties of svc.
-func (svc *Service) setupPprof(c *PprofConfig) {
-	if !c.Enabled {
-		// Set to zero explicitly in case pprof used to be enabled before a
-		// reconfiguration took place.
-		runtime.SetBlockProfileRate(0)
-		runtime.SetMutexProfileFraction(0)
-
-		return
-	}
-
-	runtime.SetBlockProfileRate(1)
-	runtime.SetMutexProfileFraction(1)
-
-	pprofMux := http.NewServeMux()
-	pprofutil.RoutePprof(pprofMux)
-
-	svc.pprofPort = c.Port
-	addr := netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), c.Port)
-
-	// TODO(a.garipov): Consider making pprof timeout configurable.
-	svc.pprof = newSrv(addr, nil, pprofMux, 10*time.Minute)
-}
-
-// newSrv returns a new *http.Server with the given parameters.
-func newSrv(
-	addr netip.AddrPort,
-	tlsConf *tls.Config,
-	h http.Handler,
-	timeout time.Duration,
-) (srv *http.Server) {
-	addrStr := addr.String()
-	srv = &http.Server{
-		Addr:              addrStr,
-		Handler:           h,
-		TLSConfig:         tlsConf,
-		ReadTimeout:       timeout,
-		WriteTimeout:      timeout,
-		IdleTimeout:       timeout,
-		ReadHeaderTimeout: timeout,
-	}
-
-	if tlsConf == nil {
-		srv.ErrorLog = log.StdLog("websvc: plain http: "+addrStr, log.ERROR)
-	} else {
-		srv.ErrorLog = log.StdLog("websvc: https: "+addrStr, log.ERROR)
-	}
-
-	return srv
-}
-
-// newMux returns a new HTTP request multiplexer for the AdGuard Home web
-// service.
-func newMux(svc *Service) (mux *httptreemux.ContextMux) {
-	mux = httptreemux.NewContextMux()
-
-	routes := []struct {
-		handler http.HandlerFunc
-		method  string
-		pattern string
-		isJSON  bool
-	}{{
-		handler: svc.handleGetHealthCheck,
-		method:  http.MethodGet,
-		pattern: PathHealthCheck,
-		isJSON:  false,
-	}, {
-		handler: http.FileServer(http.FS(svc.frontend)).ServeHTTP,
-		method:  http.MethodGet,
-		pattern: PathFrontend,
-		isJSON:  false,
-	}, {
-		handler: http.FileServer(http.FS(svc.frontend)).ServeHTTP,
-		method:  http.MethodGet,
-		pattern: PathRoot,
-		isJSON:  false,
-	}, {
-		handler: svc.handleGetSettingsAll,
-		method:  http.MethodGet,
-		pattern: PathV1SettingsAll,
-		isJSON:  true,
-	}, {
-		handler: svc.handlePatchSettingsDNS,
-		method:  http.MethodPatch,
-		pattern: PathV1SettingsDNS,
-		isJSON:  true,
-	}, {
-		handler: svc.handlePatchSettingsHTTP,
-		method:  http.MethodPatch,
-		pattern: PathV1SettingsHTTP,
-		isJSON:  true,
-	}, {
-		handler: svc.handleGetV1SystemInfo,
-		method:  http.MethodGet,
-		pattern: PathV1SystemInfo,
-		isJSON:  true,
-	}}
-
-	for _, r := range routes {
-		var hdlr http.Handler
-		if r.isJSON {
-			hdlr = jsonMw(r.handler)
-		} else {
-			hdlr = r.handler
-		}
-
-		mux.Handle(r.method, r.pattern, logMw(hdlr))
-	}
-
-	return mux
-}
-
-// addrs returns all addresses on which this server serves the HTTP API.  addrs
-// must not be called simultaneously with Start.  If svc was initialized with
-// ":0" addresses, addrs will not return the actual bound ports until Start is
-// finished.
-func (svc *Service) addrs() (addrs, secureAddrs []netip.AddrPort) {
-	if svc.overrideAddr != (netip.AddrPort{}) {
-		return []netip.AddrPort{svc.overrideAddr}, nil
-	}
-
-	for _, srv := range svc.servers {
-		// Use MustParseAddrPort, since no errors should technically happen
-		// here, because all servers must have a valid address.
-		addrPort := netip.MustParseAddrPort(srv.Addr)
-
-		// [srv.Serve] will set TLSConfig to an almost empty value, so, instead
-		// of relying only on the nilness of TLSConfig, check the length of the
-		// certificates field as well.
-		if srv.TLSConfig == nil || len(srv.TLSConfig.Certificates) == 0 {
-			addrs = append(addrs, addrPort)
-		} else {
-			secureAddrs = append(secureAddrs, addrPort)
-		}
-	}
-
-	return addrs, secureAddrs
-}
-
-// handleGetHealthCheck is the handler for the GET /health-check HTTP API.
-func (svc *Service) handleGetHealthCheck(w http.ResponseWriter, _ *http.Request) {
-	_, _ = io.WriteString(w, "OK")
-}
-
-// type check
-var _ agh.Service = (*Service)(nil)
-
-// Start implements the [agh.Service] interface for *Service.  svc may be nil.
-// After Start exits, all HTTP servers have tried to start, possibly failing and
-// writing error messages to the log.
-func (svc *Service) Start() (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	pprofEnabled := svc.pprof != nil
-	srvNum := len(svc.servers) + mathutil.BoolToNumber[int](pprofEnabled)
-
-	wg := &sync.WaitGroup{}
-	wg.Add(srvNum)
-	for _, srv := range svc.servers {
-		go serve(srv, wg)
-	}
-
-	if pprofEnabled {
-		go serve(svc.pprof, wg)
-	}
-
-	wg.Wait()
-
-	return nil
-}
-
-// serve starts and runs srv and writes all errors into its log.
-func serve(srv *http.Server, wg *sync.WaitGroup) {
-	addr := srv.Addr
-	defer log.OnPanic(addr)
-
-	var proto string
-	var l net.Listener
-	var err error
-	if srv.TLSConfig == nil {
-		proto = "http"
-		l, err = net.Listen("tcp", addr)
-	} else {
-		proto = "https"
-		l, err = tls.Listen("tcp", addr, srv.TLSConfig)
-	}
-	if err != nil {
-		srv.ErrorLog.Printf("starting srv %s: binding: %s", addr, err)
-	}
-
-	// Update the server's address in case the address had the port zero, which
-	// would mean that a random available port was automatically chosen.
-	srv.Addr = l.Addr().String()
-
-	log.Info("websvc: starting srv %s://%s", proto, srv.Addr)
-
-	l = &waitListener{
-		Listener:      l,
-		firstAcceptWG: wg,
-	}
-
-	err = srv.Serve(l)
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		srv.ErrorLog.Printf("starting srv %s: %s", addr, err)
-	}
-}
-
-// Shutdown implements the [agh.Service] interface for *Service.  svc may be
-// nil.
-func (svc *Service) Shutdown(ctx context.Context) (err error) {
-	if svc == nil {
-		return nil
-	}
-
-	var errs []error
-	for _, srv := range svc.servers {
-		shutdownErr := srv.Shutdown(ctx)
-		if shutdownErr != nil {
-			errs = append(errs, fmt.Errorf("shutting down srv %s: %w", srv.Addr, shutdownErr))
-		}
-	}
-
-	if svc.pprof != nil {
-		shutdownErr := svc.pprof.Shutdown(ctx)
-		if shutdownErr != nil {
-			errs = append(errs, fmt.Errorf(
-				"shutting down pprof srv %s: %w",
-				svc.pprof.Addr,
-				shutdownErr,
-			))
-		}
-	}
-
-	if len(errs) > 0 {
-		return errors.List("shutting down", errs...)
-	}
-
-	return nil
-}
--- a/internal/next/websvc/websvc_internal_test.go
+++ b/internal/next/websvc/websvc_internal_test.go
@@ -1,6 +0,0 @@
-package websvc
-
-import "time"
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
--- a/internal/next/websvc/websvc_test.go
+++ b/internal/next/websvc/websvc_test.go
@@ -1,196 +0,0 @@
-package websvc_test
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"io"
-	"io/fs"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/websvc"
-	"github.com/AdguardTeam/golibs/testutil"
-	"github.com/AdguardTeam/golibs/testutil/fakefs"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestMain(m *testing.M) {
-	testutil.DiscardLogOutput(m)
-}
-
-// testTimeout is the common timeout for tests.
-const testTimeout = 1 * time.Second
-
-// testStart is the server start value for tests.
-var testStart = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
-
-// type check
-var _ websvc.ConfigManager = (*configManager)(nil)
-
-// configManager is a [websvc.ConfigManager] for tests.
-type configManager struct {
-	onDNS func() (svc agh.ServiceWithConfig[*dnssvc.Config])
-	onWeb func() (svc agh.ServiceWithConfig[*websvc.Config])
-
-	onUpdateDNS func(ctx context.Context, c *dnssvc.Config) (err error)
-	onUpdateWeb func(ctx context.Context, c *websvc.Config) (err error)
-}
-
-// DNS implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) DNS() (svc agh.ServiceWithConfig[*dnssvc.Config]) {
-	return m.onDNS()
-}
-
-// Web implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) Web() (svc agh.ServiceWithConfig[*websvc.Config]) {
-	return m.onWeb()
-}
-
-// UpdateDNS implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) UpdateDNS(ctx context.Context, c *dnssvc.Config) (err error) {
-	return m.onUpdateDNS(ctx, c)
-}
-
-// UpdateWeb implements the [websvc.ConfigManager] interface for *configManager.
-func (m *configManager) UpdateWeb(ctx context.Context, c *websvc.Config) (err error) {
-	return m.onUpdateWeb(ctx, c)
-}
-
-// newConfigManager returns a *configManager all methods of which panic.
-func newConfigManager() (m *configManager) {
-	return &configManager{
-		onDNS: func() (svc agh.ServiceWithConfig[*dnssvc.Config]) { panic("not implemented") },
-		onWeb: func() (svc agh.ServiceWithConfig[*websvc.Config]) { panic("not implemented") },
-		onUpdateDNS: func(_ context.Context, _ *dnssvc.Config) (err error) {
-			panic("not implemented")
-		},
-		onUpdateWeb: func(_ context.Context, _ *websvc.Config) (err error) {
-			panic("not implemented")
-		},
-	}
-}
-
-// newTestServer creates and starts a new web service instance as well as its
-// sole address.  It also registers a cleanup procedure, which shuts the
-// instance down.
-//
-// TODO(a.garipov): Use svc or remove it.
-func newTestServer(
-	t testing.TB,
-	confMgr websvc.ConfigManager,
-) (svc *websvc.Service, addr netip.AddrPort) {
-	t.Helper()
-
-	c := &websvc.Config{
-		Pprof: &websvc.PprofConfig{
-			Enabled: false,
-		},
-		ConfigManager: confMgr,
-		Frontend: &fakefs.FS{
-			OnOpen: func(_ string) (_ fs.File, _ error) { return nil, fs.ErrNotExist },
-		},
-		TLS:             nil,
-		Addresses:       []netip.AddrPort{netip.MustParseAddrPort("127.0.0.1:0")},
-		SecureAddresses: nil,
-		Timeout:         testTimeout,
-		Start:           testStart,
-		ForceHTTPS:      false,
-	}
-
-	svc, err := websvc.New(c)
-	require.NoError(t, err)
-
-	err = svc.Start()
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
-		t.Cleanup(cancel)
-
-		err = svc.Shutdown(ctx)
-		require.NoError(t, err)
-	})
-
-	c = svc.Config()
-	require.NotNil(t, c)
-	require.Len(t, c.Addresses, 1)
-
-	return svc, c.Addresses[0]
-}
-
-// jobj is a utility alias for JSON objects.
-type jobj map[string]any
-
-// httpGet is a helper that performs an HTTP GET request and returns the body of
-// the response as well as checks that the status code is correct.
-//
-// TODO(a.garipov): Add helpers for other methods.
-func httpGet(t testing.TB, u *url.URL, wantCode int) (body []byte) {
-	t.Helper()
-
-	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
-	require.NoErrorf(t, err, "creating req")
-
-	httpCli := &http.Client{
-		Timeout: testTimeout,
-	}
-	resp, err := httpCli.Do(req)
-	require.NoErrorf(t, err, "performing req")
-	require.Equal(t, wantCode, resp.StatusCode)
-
-	testutil.CleanupAndRequireSuccess(t, resp.Body.Close)
-
-	body, err = io.ReadAll(resp.Body)
-	require.NoErrorf(t, err, "reading body")
-
-	return body
-}
-
-// httpPatch is a helper that performs an HTTP PATCH request with JSON-encoded
-// reqBody as the request body and returns the body of the response as well as
-// checks that the status code is correct.
-//
-// TODO(a.garipov): Add helpers for other methods.
-func httpPatch(t testing.TB, u *url.URL, reqBody any, wantCode int) (body []byte) {
-	t.Helper()
-
-	b, err := json.Marshal(reqBody)
-	require.NoErrorf(t, err, "marshaling reqBody")
-
-	req, err := http.NewRequest(http.MethodPatch, u.String(), bytes.NewReader(b))
-	require.NoErrorf(t, err, "creating req")
-
-	httpCli := &http.Client{
-		Timeout: testTimeout,
-	}
-	resp, err := httpCli.Do(req)
-	require.NoErrorf(t, err, "performing req")
-	require.Equal(t, wantCode, resp.StatusCode)
-
-	testutil.CleanupAndRequireSuccess(t, resp.Body.Close)
-
-	body, err = io.ReadAll(resp.Body)
-	require.NoErrorf(t, err, "reading body")
-
-	return body
-}
-
-func TestService_Start_getHealthCheck(t *testing.T) {
-	confMgr := newConfigManager()
-	_, addr := newTestServer(t, confMgr)
-	u := &url.URL{
-		Scheme: "http",
-		Host:   addr.String(),
-		Path:   websvc.PathHealthCheck,
-	}
-
-	body := httpGet(t, u, http.StatusOK)
-
-	assert.Equal(t, []byte("OK"), body)
-}
--- a/internal/querylog/decode_test.go
+++ b/internal/querylog/decode_test.go
@@ -127,7 +127,7 @@ func TestDecodeLogEntry(t *testing.T) {
 	}, {
 		name: "bad_time",
 		log:  `{"IP":"127.0.0.1","T":"12/09/1998T15:00:00.000000+05:00","QH":"an.yandex.ru","QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
-		want: "decodeLogEntry handler err: parsing time \"12/09/1998T15:00:00.000000+05:00\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"12/09/1998T15:00:00.000000+05:00\" as \"2006\"\n",
+		want: "decodeLogEntry handler err: parsing time \"12/09/1998T15:00:00.000000+05:00\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"9/1998T15:00:00.000000+05:00\" as \"2006\"\n",
 	}, {
 		name: "bad_host",
 		log:  `{"IP":"127.0.0.1","T":"2020-11-25T18:55:56.519796+03:00","QH":6,"QT":"A","QC":"IN","CP":"","Answer":"Qz+BgAABAAEAAAAAAmFuBnlhbmRleAJydQAAAQABwAwAAQABAAAACgAEAAAAAA==","Result":{"IsFiltered":true,"Reason":3},"Elapsed":837429}`,
--- a/internal/rdns/rdns.go
+++ b/internal/rdns/rdns.go
@@ -101,8 +101,6 @@ func (r *Default) Process(ip netip.Addr) (host string, changed bool) {
 		log.Debug("rdns: cache: adding item %q: %s", ip, err)
 	}

-	// TODO(e.burkov):  The name doesn't change if it's neither stored in cache
-	// nor resolved successfully.  Is it correct?
 	return host, fromCache == "" || host != fromCache
 }

--- a/internal/rdns/rdns_test.go
+++ b/internal/rdns/rdns_test.go
@@ -25,6 +25,11 @@ func TestDefault_Process(t *testing.T) {
 	localRevAddr1, err := netutil.IPToReversedAddr(localIP.AsSlice())
 	require.NoError(t, err)

+	config := &rdns.Config{
+		CacheSize: 100,
+		CacheTTL:  time.Hour,
+	}
+
 	testCases := []struct {
 		name string
 		addr netip.Addr
@@ -55,21 +60,21 @@ func TestDefault_Process(t *testing.T) {

 				switch ip {
 				case ip1:
-					return revAddr1, time.Hour, nil
+					return revAddr1, 0, nil
 				case ip2:
-					return revAddr2, time.Hour, nil
+					return revAddr2, 0, nil
 				case localIP:
-					return localRevAddr1, time.Hour, nil
+					return localRevAddr1, 0, nil
 				default:
-					return "", time.Hour, nil
+					return "", 0, nil
 				}
 			}
+			exchanger := &aghtest.Exchanger{
+				OnExchange: onExchange,
+			}

-			r := rdns.New(&rdns.Config{
-				CacheSize: 100,
-				CacheTTL:  time.Hour,
-				Exchanger: &aghtest.Exchanger{OnExchange: onExchange},
-			})
+			config.Exchanger = exchanger
+			r := rdns.New(config)

 			got, changed := r.Process(tc.addr)
 			require.True(t, changed)
@@ -85,40 +90,4 @@ func TestDefault_Process(t *testing.T) {
 			assert.Equal(t, 1, hit)
 		})
 	}
-
-	t.Run("zero_ttl", func(t *testing.T) {
-		const cacheTTL = time.Second / 2
-
-		zeroTTLExchanger := &aghtest.Exchanger{
-			OnExchange: func(ip netip.Addr) (host string, ttl time.Duration, err error) {
-				return revAddr1, 0, nil
-			},
-		}
-
-		r := rdns.New(&rdns.Config{
-			CacheSize: 1,
-			CacheTTL:  cacheTTL,
-			Exchanger: zeroTTLExchanger,
-		})
-
-		got, changed := r.Process(ip1)
-		require.True(t, changed)
-		assert.Equal(t, revAddr1, got)
-
-		zeroTTLExchanger.OnExchange = func(ip netip.Addr) (host string, ttl time.Duration, err error) {
-			return revAddr2, time.Hour, nil
-		}
-
-		require.EventuallyWithT(t, func(t *assert.CollectT) {
-			got, changed = r.Process(ip1)
-			assert.True(t, changed)
-			assert.Equal(t, revAddr2, got)
-		}, 2*cacheTTL, time.Millisecond*100)
-
-		assert.Never(t, func() (changed bool) {
-			_, changed = r.Process(ip1)
-
-			return changed
-		}, 2*cacheTTL, time.Millisecond*100)
-	})
 }
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/AdguardTeam/AdGuardHome/internal/tools

-go 1.20
+go 1.19

 require (
 	github.com/fzipp/gocyclo v0.6.0
@@ -10,7 +10,7 @@ require (
 	github.com/kyoh86/looppointer v0.2.1
 	github.com/securego/gosec/v2 v2.16.0
 	github.com/uudashr/gocognit v1.0.7
-	golang.org/x/tools v0.11.1
+	golang.org/x/tools v0.11.0
 	golang.org/x/vuln v1.0.0
 	// TODO(a.garipov): Return to tagged releases once a new one appears.
 	honnef.co/go/tools v0.5.0-0.dev.0.20230709092525-bc759185c5ee
@@ -27,7 +27,7 @@ require (
 	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20230801115018-d63ba01acd4b // indirect
+	golang.org/x/exp/typeparams v0.0.0-20230725093048-515e97ebf090 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -52,8 +52,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp/typeparams v0.0.0-20230801115018-d63ba01acd4b h1:3dfup1Bt5y1sKG6rbyAX4qNymwAtJcqx+Aqm1DPP/Qg=
-golang.org/x/exp/typeparams v0.0.0-20230801115018-d63ba01acd4b/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20230725093048-515e97ebf090 h1:qOYhjyK9OeXREdh7Zrta8JRvnmnFIzhkosQpp+852Ag=
+golang.org/x/exp/typeparams v0.0.0-20230725093048-515e97ebf090/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
@@ -96,8 +96,8 @@ golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4X
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
-golang.org/x/tools v0.11.1 h1:ojD5zOW8+7dOGzdnNgersm8aPfcDjhMp12UfG93NIMc=
-golang.org/x/tools v0.11.1/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
+golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8=
+golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
 golang.org/x/vuln v1.0.0 h1:tYLAU3jD9LQr98Y+3el06lWyGMCnvzw06PIWP3LIy7g=
 golang.org/x/vuln v1.0.0/go.mod h1:V0eyhHwaAaHrt42J9bgrN6rd12f6GU4T0Lu0ex2wDg4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/main.go
+++ b/main.go
@@ -1,5 +1,3 @@
-//go:build !next
-
 package main

 import (
--- a/main_next.go
+++ b/main_next.go
@@ -1,20 +0,0 @@
-//go:build next
-
-package main
-
-import (
-	"embed"
-
-	"github.com/AdguardTeam/AdGuardHome/internal/next/cmd"
-)
-
-// Embed the prebuilt client here since we strive to keep .go files inside the
-// internal directory and the embed package is unable to embed files located
-// outside of the same or underlying directory.
-
-//go:embed build
-var frontend embed.FS
-
-func main() {
-	cmd.Main(frontend)
-}
--- a/openapi/v1.yaml
+++ b/openapi/v1.yaml
--- a/scripts/make/go-build.sh
+++ b/scripts/make/go-build.sh
@@ -128,13 +128,7 @@ export CGO_ENABLED
 GO111MODULE='on'
 export GO111MODULE

-# Build the new binary if requested.
-if [ "${NEXTAPI:-0}" -eq '0' ]
-then
-	tags_flags='--tags='
-else
-	tags_flags='--tags=next'
-fi
+tags_flags='--tags='
 readonly tags_flags

 if [ "$verbose" -gt '0' ]
--- a/scripts/make/go-lint.sh
+++ b/scripts/make/go-lint.sh
@@ -35,7 +35,7 @@ set -f -u
 go_version="$( "${GO:-go}" version )"
 readonly go_version

-go_min_version='go1.20.7'
+go_min_version='go1.19.11'
 go_version_msg="
 warning: your go version (${go_version}) is different from the recommended minimal one (${go_min_version}).
 if you have the version installed, please set the GO environment variable.