feature: support marking packet on upstream server

ReadMe.md

@@ -112,7 +112,7 @@ rtt min/avg/max/mdev = 5.954/6.133/6.313/0.195 ms
    支持域名后缀匹配模式，简化过滤配置，过滤 20 万条记录时间 < 1ms。
 
 6. **域名分流**  
-   支持域名分流，不同类型的域名向不同的 DNS 服务器查询。
+   支持域名分流，不同类型的域名向不同的 DNS 服务器查询，支持iptable和nftable更好的分流。
 
 7. **Windows / Linux 多平台支持**  
    支持标准 Linux 系统（树莓派）、OpenWrt 系统各种固件和华硕路由器原生固件。同时还支持 WSL（Windows Subsystem for Linux，适用于 Linux 的 Windows 子系统）。
@@ -186,43 +186,55 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
 
 1. 安装
    
-   下载配套安装包，并上传到 Linux 系统中。 
+    下载配套安装包，并上传到 Linux 系统中。 
-   
+
-   标准 Linux 系统（X86 / X86_64）请执行如下命令安装：
+    标准 Linux 系统（X86 / X86_64）请执行如下命令安装：
-   
+
-   ```shell
+    ```shell
-   $ tar zxf smartdns.1.yyyy.MM.dd-REL.x86_64-linux-all.tar.gz
+    $ tar zxf smartdns.1.yyyy.MM.dd-REL.x86_64-linux-all.tar.gz
-   $ cd smartdns
+    $ cd smartdns
-   $ chmod +x ./install
+    $ chmod +x ./install
-   $ ./install -i
+    $ ./install -i
-   ```
+    ```
-   
+
-   树莓派或其他 Debian 系系统（ARM / ARM64）请执行如下命令安装：
+    树莓派或其他 Debian 系系统（ARM / ARM64）请执行如下命令安装：
-   
+
-   ```shell
+    ```shell
-   # dpkg -i smartdns.1.yyyy.MM.dd-REL.arm-debian-all.deb
+    # dpkg -i smartdns.1.yyyy.MM.dd-REL.arm-debian-all.deb
-   ```
+    ```
 
 2. 修改配置
    
     安装完成后，可配置 SmartDNS 的上游服务器信息。
-   
+
     一般情况下，只需要增加 `server `[`IP`]`:port` 和 `server-tcp `[`IP`]`:port` 配置项。
-   
+
     请尽可能配置多个上游 DNS 服务器，包括国内外的服务器。
-   
+
     具体配置参数请参考[配置文件说明](#配置文件说明)。  
    
-   ```shell
+    ```shell
-   # vi /etc/smartdns/smartdns.conf
+    # vi /etc/smartdns/smartdns.conf
-   ```
+    ```
+
+    `/etc/smartdns/smartdns.conf`配置包含如下基本内容：
+    ```
+    # 指定监听的端口号
+    bind []:53 
+    # 指定上游服务器
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # 指定域名规则
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
 
 3. 启动服务
    
-   ```shell
+    ```shell
-   # systemctl enable smartdns
+    # systemctl enable smartdns
-   # systemctl start smartdns
+    # systemctl start smartdns
-   ```
+    ```
 
 4. 将 DNS 请求转发到 SmartDNS 解析
    
@@ -390,6 +402,18 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
    ```shell
    # vi /opt/etc/smartdns/smartdns.conf
    ```
+
+    `/opt/etc/smartdns/smartdns.conf`配置包含如下基本内容：
+    ```
+    # 指定监听的端口号
+    bind []:53 
+    # 指定上游服务器
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # 指定域名规则
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
    
    也可以通过网上邻居修改，网上邻居共享目录 `sda1` 看不到 `asusware.mipsbig` 目录，但可以直接在`文件管理器`中输入 `asusware.mipsbig\etc\init.d` 访问
    
@@ -418,6 +442,18 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
    ```shell
    # vi /opt/etc/smartdns/smartdns.conf
    ```
+
+   `/opt/etc/smartdns/smartdns.conf`配置包含如下基本内容：
+    ```
+    # 指定监听的端口号
+    bind []:53 
+    # 指定上游服务器
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # 指定域名规则
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
    
     另外，如需支持 IPv6，可设置工作模式为 `2`，将 DNSmasq 的 DNS 服务禁用，设置 SmartDNS 为主用 DNS 服务器。将文件 `/opt/etc/smartdns/smartdns-opt.conf` 中的 `SMARTDNS_WORKMODE` 的值修改为 `2`
    
@@ -480,6 +516,17 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
     尽可能配置多个上游DNS服务器，包括国内外的服务器。
    
     具体配置请参考[配置文件说明](#配置文件说明)。
+     `smartdns.conf` 配置包含如下基本内容：
+    ```
+    # 指定监听的端口号
+    bind []:53 
+    # 指定上游服务器
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # 指定域名规则
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
 
 4. 重新加载配置
    
@@ -508,6 +555,7 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
    smartdns        name = smartdns.
    ```
 
+
 ## 配置文件说明
 
 配置建议：**smartdns默认已设置为最优模式，适合大部分场景的DNS查询体验改善，一般情况只需要增加上游服务器地址即可，无需做其他配置修改；如有其他配置修改，请务必了解其用途，避免修改后起到反作用。**
@@ -536,10 +584,10 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
 | audit-size | 审计大小 | 128K | 数字 + K、M 或 G | audit-size 128K |
 | audit-num | 审计归档个数 | 2 | 大于等于 0 的数字 | audit-num 2 |
 | conf-file | 附加配置文件 | 无 | 合法路径字符串 | conf-file /etc/smartdns/smartdns.more.conf |
-| server | 上游 UDP DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选）<br>[-blacklist-ip]：配置 IP 过滤结果。<br>[-whitelist-ip]：指定仅接受参数中配置的 IP 范围<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除 | server 8.8.8.8:53 -blacklist-ip -group g1 |
+| server | 上游 UDP DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选）<br>[-blacklist-ip]：配置 IP 过滤结果。<br>[-whitelist-ip]：指定仅接受参数中配置的 IP 范围<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除。<br>[-set-mark]：设置数据包标记so-mark| server 8.8.8.8:53 -blacklist-ip -group g1 |
-| server-tcp | 上游 TCP DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选）<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：指定仅接受参数中配置的 IP 范围。<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除  | server-tcp 8.8.8.8:53 |
+| server-tcp | 上游 TCP DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选）<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：指定仅接受参数中配置的 IP 范围。<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除。<br>[-set-mark]：设置数据包标记so-mark | server-tcp 8.8.8.8:53 |
-| server-tls | 上游 TLS DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选)<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称, 名称设置为-，表示停用SNI名称<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除 | server-tls 8.8.8.8:853 |
+| server-tls | 上游 TLS DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选)<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称, 名称设置为-，表示停用SNI名称<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除。<br>[-set-mark]：设置数据包标记so-mark | server-tls 8.8.8.8:853 |
-| server-https | 上游 HTTPS DNS | 无 | 可重复。<br>https://[host][:port]/path：服务器 IP:端口（可选）<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称<br>[-http-host]：http 协议头主机名<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围。<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除 | server-https https://cloudflare-dns.com/dns-query |
+| server-https | 上游 HTTPS DNS | 无 | 可重复。<br>https://[host][:port]/path：服务器 IP:端口（可选）<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称<br>[-http-host]：http 协议头主机名<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围。<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除。<br>[-set-mark]：设置数据包标记so-mark | server-https https://cloudflare-dns.com/dns-query |
 | speed-check-mode | 测速模式选择 | 无 | [ping\|tcp:[80]\|none] | speed-check-mode ping,tcp:80,tcp:443 |
 | response-mode | 首次查询响应模式 | first-ping |模式：[fisrt-ping\|fastest-ip\|fastest-response]<br> [first-ping]: 最快ping响应地址模式，DNS上游最快查询时延+ping时延最短，查询等待与链接体验最佳;<br>[fastest-ip]: 最快IP地址模式，查询到的所有IP地址中ping最短的IP。需等待IP测速; <br>[fastest-response]: 最快响应的DNS结果，DNS查询等待时间最短，返回的IP地址可能不是最快。| response-mode first-ping |
 | address | 指定域名 IP 地址 | 无 | address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6] <br>- 表示忽略 <br># 表示返回 SOA <br>4 表示 IPv4 <br>6 表示 IPv6 | address /www.example.com/1.2.3.4 |
@@ -549,7 +597,7 @@ entware|ipkg update<br>ipkg install smartdns|软件源路径：https://bin.entwa
 | nftset | 域名 nftset | 无 | nftset /domain/[#4\|#6\|-]:[family#nftable#nftset\|-][,#[4\|6]:[family#nftable#nftset\|-]]]，-表示忽略；ipv4 地址的 family 只支持 inet 和 ip；ipv6 地址的 family 只支持 inet 和 ip6；由于 nft 限制，两种地址只能分开存放于两个 set 中。| nftset /www.example.com/#4:inet#mytab#dns4,#6:- |
 | nftset-timeout | 设置 nftset 超时功能启用  | no | [yes\|no] | nftset-timeout yes |
 | nftset-debug | 设置 nftset 调试功能启用  | no | [yes\|no] | nftset-debug yes |
-| domain-rules | 设置域名规则 | 无 | domain-rules /domain/ [-rules...]<br>[-c\|-speed-check-mode]：测速模式，参考 speed-check-mode 配置<br>[-a\|-address]：参考 address 配置<br>[-n\|-nameserver]：参考 nameserver 配置<br>[-p\|-ipset]：参考ipset配置<br>[-t\|-nftset]：参考nftset配置<br>[-d\|-dualstack-ip-selection]：参考 dualstack-ip-selection  | domain-rules /www.example.com/ -speed-check-mode none |
+| domain-rules | 设置域名规则 | 无 | domain-rules /domain/ [-rules...]<br>[-c\|-speed-check-mode]：测速模式，参考 speed-check-mode 配置<br>[-a\|-address]：参考 address 配置<br>[-n\|-nameserver]：参考 nameserver 配置<br>[-p\|-ipset]：参考ipset配置<br>[-t\|-nftset]：参考nftset配置<br>[-d\|-dualstack-ip-selection]：参考 dualstack-ip-selection<br> [-no-serve-expired]：禁用过期缓存 | domain-rules /www.example.com/ -speed-check-mode none |
 | domain-set | 设置域名集合 | 无 | domain-set [options...]<br>[-n\|-name]：域名集合名称 <br>[-t\|-type]：域名集合类型，当前仅支持list，格式为域名列表，一行一个域名。<br>[-f\|-file]：域名集合文件路径。<br> 选项需要配合address, nameserver, ipset, nftset等需要指定域名的地方使用，使用方式为 /domain-set:[name]/| domain-set -name set -type list -file /path/to/list <br> address /domain-set:set/1.2.4.8 |
 | bogus-nxdomain | 假冒 IP 地址过滤 | 无 | [ip/subnet]，可重复 | bogus-nxdomain 1.2.3.4/16 |
 | ignore-ip | 忽略 IP 地址 | 无 | [ip/subnet]，可重复 | ignore-ip 1.2.3.4/16 |

ReadMe_en.md

@@ -118,6 +118,9 @@ From the comparison, smartdns found the fastest IP address to visit www.baidu.co
 8. **High performance, low resource consumption**  
    Multi-threaded asynchronous IO mode, cache cache query results.
 
+9. **DNS domain forwarding**
+   Support DNS forwarding, ipset and nftables.
+
 ## Architecture
 
 ![Architecture](doc/architecture.png)
@@ -164,7 +167,7 @@ Download the matching version of the SmartDNS installation package. The correspo
 
 * The released packages are statically compiled. If you need a small size package, please compile it yourself or obtain it from the openwrt / entware repository.
 
-* **Please download from the Release page: [Download here](https://github.com/pymu/smartdns/releases)**
+* **Please download from the Release page: [Download here](https://github.com/pymumu/smartdns/releases)**
 
 ```shell
 https://github.com/pymumu/smartdns/releases
@@ -203,6 +206,18 @@ https://github.com/pymumu/smartdns/releases
     vi /etc/smartdns/smartdns.conf
     ```
 
+    `smartdns.conf` example:
+    ```
+    # set listen port
+    bind []:53 
+    # set upstream servers
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # set domain rules
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
+
 1. Start Service
 
     ```shell
@@ -363,6 +378,18 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
     ```shell
     vi /opt/etc/smartdns/smartdns.conf
     ```
+    
+    `smartdns.conf` example:
+    ```
+    # set listen port
+    bind []:53 
+    # set upstream servers
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # set domain rules
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
 
     It can also be modified from Network Neighborhood. From the neighbor sharing directory `sda1` you can't see the `asusware.mipsbig` directory, but you can directly enter `asusware.mipsbig\etc\init.d` in `File Manager` to modify it.
 
@@ -392,6 +419,18 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
     Vi /opt/etc/smartdns/smartdns.conf
     ```
 
+    `smartdns.conf` example:
+    ```
+    # set listen port
+    bind []:53 
+    # set upstream servers
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # set domain rules
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
+
     Note: if you need to support IPV6, you can set the worke-mode to `2`, this will disable the DNS service of dnsmasq, and smartdns run as the primary DNS server. Change `SMARTDNS_WORKMODE` in the file `/opt/etc/smartdns/smartdns-opt.conf` to 2.
 
     ```shell
@@ -447,6 +486,18 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
     In general, you only need to add `server [IP]:port`, `server-tcp [IP]:port` configuration items.  
     Configure as many upstream DNS servers as possible, including servers at home and abroad. Please refer to the `Configuration Parameters` section for configuration parameters.  
 
+    `smartdns.conf` example:
+    ```
+    # set listen port
+    bind []:53 
+    # set upstream servers
+    server 1.1.1.1
+    server-tls 8.8.8.8
+    # set domain rules
+    address /example.com/1.2.3.4
+    domain-rule /example.com/ -address 1.2.3.4
+    ```
+    
 1. Start Service
 
     Double-click `reload.bat` in the `D:\smartdns\package\windows` directory for reload.
@@ -495,10 +546,10 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |audit-size|audit log size|128K|number+K,M,G|audit-size 128K
 |audit-num|archived audit log number|2|Integer|audit-num 2
 |conf-file|additional conf file|None|File path|conf-file /etc/smartdns/smartdns.more.conf
-|server|Upstream UDP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip
+|server|Upstream UDP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group. <br>`[-set-mark]`：set mark on packets | server 8.8.8.8:53 -blacklist-ip
-|server-tcp|Upstream TCP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53
+|server-tcp|Upstream TCP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group <br>`[-set-mark]`：set mark on packets | server-tcp 8.8.8.8:53
-|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name. `-` to disable SNI name.<br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
+|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name. `-` to disable SNI name.<br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group <br> `[-set-mark]`：set mark on packets | server-tls 8.8.8.8:853
-|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name<br>`[-http-host]`：http header host. <br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
+|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name<br>`[-http-host]`：http header host. <br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group <br> `[-set-mark]`：set mark on packets | server-https https://cloudflare-dns.com/dns-query
 |speed-check-mode|Speed ​​mode|None|[ping\|tcp:[80]\|none]|speed-check-mode ping,tcp:80,tcp:443
 |response-mode|First query response mode|first-ping|Mode: [fisrt-ping\|fastest-ip\|fastest-response]<br> [first-ping]: The fastest dns + ping response mode, DNS query delay + ping delay is the shortest;<br>[fastest-ip]: The fastest IP address mode, return the fastest ip address, may take some time to test speed. <br>[fastest-response]: The fastest response DNS result mode, the DNS query waiting time is the shortest. | response-mode first-ping |
 |address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
@@ -508,7 +559,7 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |nftset|Domain nftset|None|nftset /domain/[#4\|#6\|-]:[family#nftable#nftset\|-][,#[4\|6]:[family#nftable#nftset\|-]]], `-` to ignore; the valid families are inet and ip for ipv4 addresses while the valid ones are inet and ip6 for ipv6 addresses; due to the limitation of nft, two types of addresses have to be stored in two sets|nftset /www.example.com/#4:inet#mytab#dns4,#6:-
 |nftset-timeout|nftset timeout enable|no|[yes\|no]|nftset-timeout yes
 |nftset-debug|nftset debug enable|no|[yes\|no]|nftset-debug yes
-|domain-rules|set domain rules|None|domain-rules /domain/ [-rules...]<br>[-c\|-speed-check-mode]: set speed check mode，same as parameter speed-check-mode<br>[-a\|-address]: same as  parameter `address` <br>[-n\|-nameserver]: same as parameter `nameserver`<br>[-p\|-ipset]: same as parameter `nftset`<br>[-t\|-nftset]: same as parameter `nftset`<br>[-d\|-dualstack-ip-selection]: same as parameter `dualstack-ip-selection`|domain-rules /www.example.com/ -speed-check-mode none
+|domain-rules|set domain rules|None|domain-rules /domain/ [-rules...]<br>[-c\|-speed-check-mode]: set speed check mode，same as parameter speed-check-mode<br>[-a\|-address]: same as  parameter `address` <br>[-n\|-nameserver]: same as parameter `nameserver`<br>[-p\|-ipset]: same as parameter `nftset`<br>[-t\|-nftset]: same as parameter `nftset`<br>[-d\|-dualstack-ip-selection]: same as parameter `dualstack-ip-selection`<br>  [-no-serve-expired]：disable serve expired|domain-rules /www.example.com/ -speed-check-mode none
 | domain-set | collection of domains|None| domain-set [options...]<br>[-n\|-name]：name of set <br>[-t\|-type] [list]: set type, only support list, one domain per line <br>[-f\|-file]：file path of domain set<br> used with address, nameserver, ipset, nftset, example: /domain-set:[name]/ | domain-set -name set -type list -file /path/to/list <br> address /domain-set:set/1.2.4.8 |
 |bogus-nxdomain|bogus IP address|None|[IP/subnet], Repeatable| bogus-nxdomain 1.2.3.4/16
 |ignore-ip|ignore ip address|None|[ip/subnet], Repeatable| ignore-ip 1.2.3.4/16

etc/smartdns/smartdns.conf

@@ -32,6 +32,7 @@
 #   -no-rule-soa: Skip address SOA(#) rules.
 #   -no-dualstack-selection: Disable dualstack ip selection.
 #   -force-aaaa-soa: force AAAA query return SOA.
+#   -set-mark: set mark on packets.
 # example: 
 #  IPV4: 
 #    bind :53
@@ -237,6 +238,7 @@ log-level info
 #   [-p] -ipset [ipset|-]: same as ipset option
 #   [-t] -nftset [nftset|-]: same as nftset option
 #   [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
+#   -no-serve-expired: ignore expired domain
 
 # collection of domains 
 # the domain-set can be used with /domain/ for address, nameserver, ipset, etc.

package/luci-compat/files/luci/i18n/smartdns.zh-cn.po

@@ -2,6 +2,12 @@
 msgid "Additional Args for upstream dns servers"
 msgstr "额外的上游 DNS 服务器参数"
 
+msgid "Additional Rule Flag"
+msgstr "额外规则标识"
+
+msgid "Additional Flags for rules, read help on domain-rule for more information."
+msgstr "额外的规则标识，具体参考domain-rule的帮助说明。"
+
 msgid "Additional Server Args"
 msgstr "额外的服务器参数"
 
@@ -224,6 +230,12 @@ msgstr "下载的文件列表。"
 msgid "Local Port"
 msgstr "本地端口"
 
+msgid "Marking Packets"
+msgstr "数据包标记"
+
+msgid "Set mark on packets."
+msgstr "设置数据包标记。"
+
 msgid "Maximum TTL for all domain result."
 msgstr "所有域名的最大 TTL 值。"
 
@@ -369,6 +381,15 @@ msgstr ""
 msgid "Smartdns server name"
 msgstr "SmartDNS的服务器名称，默认为smartdns，留空为主机名"
 
+msgid "Speed check mode is invalid."
+msgstr "测速模式无效。"
+
+msgid "Speed Check Mode"
+msgstr "测速模式"
+
+msgid "Smartdns speed check mode. "
+msgstr "SmartDns测速模式设置。"
+
 msgid ""
 "Specify an IP address to return for any host in the given domains, Queries "
 "in the domains are never forwarded and always replied to with the specified "
@@ -377,6 +398,9 @@ msgstr ""
 "配置特定域名返回特定的IP地址，域名查询将不到上游服务器请求，直接返回配置的IP"
 "地址，可用于广告屏蔽。"
 
+msgid "Report bugs"
+msgstr "报告BUG"
+
 msgid "TCP Server"
 msgstr "TCP服务器"
 

package/luci-compat/files/luci/model/cbi/smartdns/smartdns.lua

@@ -55,8 +55,54 @@ o.default     = 53
 o.datatype    = "port"
 o.rempty      = false
 
+---- Speed check mode;
+o = s:taboption("advanced", Value, "speed_check_mode", translate("Speed Check Mode"), translate("Smartdns speed check mode."));
+o.rmempty = true;
+o.placeholder = "default";
+o.default = o.enabled;
+o:value("ping,tcp:80,tcp:443");
+o:value("ping,tcp:443,tcp:80");
+o:value("tcp:80,tcp:443,ping");
+o:value("tcp:443,tcp:80,ping");
+o:value("none", translate("None"));
+function o.validate (section_id, value) 
+    if value == "" then
+        return value
+    end
+
+    if value == nil then
+        return nil, translate("Speed check mode is invalid.")
+    end
+
+    if value == "none" then
+        return value
+    end
+
+    local mode = value:split(",");
+    for _, v in ipairs(mode) do repeat
+        if v == "ping" then
+            break
+        end
+
+        if v == nil then
+            return nil, translate("Speed check mode is invalid.")
+        end
+        
+        local port = v:split(":");
+        if "tcp" == port[1] then
+            if tonumber(port[2]) then
+                break
+            end
+        end
+        
+        return nil, translate("Speed check mode is invalid.")
+    until true end
+
+    return value
+end
+
 ---- Enable TCP server
-o = s:taboption("settings", Flag, "tcp_server", translate("TCP Server"), translate("Enable TCP DNS Server"))
+o = s:taboption("advanced", Flag, "tcp_server", translate("TCP Server"), translate("Enable TCP DNS Server"))
 o.rmempty     = false
 o.default     = o.enabled
 o.cfgvalue    = function(...)
@@ -64,7 +110,7 @@ o.cfgvalue    = function(...)
 end
 
 ---- Support IPV6
-o = s:taboption("settings", Flag, "ipv6_server", translate("IPV6 Server"), translate("Enable IPV6 DNS Server"))
+o = s:taboption("advanced", Flag, "ipv6_server", translate("IPV6 Server"), translate("Enable IPV6 DNS Server"))
 o.rmempty     = false
 o.default     = o.enabled
 o.cfgvalue    = function(...)
@@ -337,14 +383,21 @@ o.datatype = "hostname"
 o.rempty = true
 uci:foreach("smartdns", "server", function(section)
     local server_group = section.server_group
+    if server_group == nil then
+        return
+    end
     o:value(server_group);
 end)
 
 function o.validate (section_id, value) 
-    if (value == "") then
+    if value == "" then
         return value
     end
 
+    if value == nil then
+        return nil, translate('Server Group not exists')
+    end
+
     local exists = false
     uci:foreach("smartdns", "server", function(section)
         local server_group = section.server_group
@@ -357,7 +410,7 @@ function o.validate (section_id, value)
         end
     end)
 
-    if (exists == false) then
+    if exists == false then
         return nil, translate('Server Group not exists')
     end
 
@@ -395,6 +448,12 @@ function o.validate(self, value)
     return nil, translate("NFTset name format error, format: [#[4|6]:[family#table#set]]")
 end
 
+---- other args
+o = s:taboption("forwarding", Value, "addition_flag", translate("Additional Rule Flag"), translate("Additional Flags for rules, read help on domain-rule for more information."))
+o.default = ""
+o.rempty = true
+o.modalonly = true;
+
 o = s:taboption("forwarding", FileUpload, "forwarding_domain_set_file", translate("Domain List File"),
     translate("Upload domain list file, or configure auto download from Download File Setting page."))
 o.rmempty = true
@@ -517,7 +576,11 @@ o.rmempty = false
 o.datatype = 'string'
 function o.validate(self, value, section)
     if value == "" then
-        return nil
+        return nil, translate("URL format error, format: http:// or https://")
+    end
+
+    if value == nil then
+        return nil, translate("URL format error, format: http:// or https://")
     end
 
     if value.find(value, "http://") then
@@ -554,6 +617,14 @@ o.write = function()
 	luci.http.redirect("https://pymumu.github.io/smartdns")
 end
 
+o = s:option(Button, "report")
+o.title = translate("Report bugs")
+o.inputtitle = translate("Report bugs")
+o.inputstyle = "apply"
+o.write = function()
+	luci.http.redirect("https://github.com/pymumu/smartdns/issues")
+end
+
 o = s:option(Button, "Donate")
 o.title = translate("Donate to smartdns")
 o.inputtitle = translate("Donate")

package/luci-compat/files/luci/model/cbi/smartdns/upstream.lua

@@ -127,6 +127,12 @@ o.rempty      = true
 o:depends("type", "tls")
 o:depends("type", "https")
 
+---- mark
+o = s:option(Value, "set_mark", translate("Marking Packets"), translate("Set mark on packets."))
+o.default     = ""
+o.rempty      = true
+o.datatype    = "uinteger"
+
 ---- other args
 o = s:option(Value, "addition_arg", translate("Additional Server Args"), translate("Additional Args for upstream dns servers"))
 o.default     = ""

package/luci/files/luci/i18n/smartdns.zh-cn.po

@@ -2,6 +2,12 @@
 msgid "Additional Args for upstream dns servers"
 msgstr "额外的上游 DNS 服务器参数"
 
+msgid "Additional Rule Flag"
+msgstr "额外规则标识"
+
+msgid "Additional Flags for rules, read help on domain-rule for more information."
+msgstr "额外的规则标识，具体参考domain-rule的帮助说明。"
+
 msgid "Additional Server Args"
 msgstr "额外的服务器参数"
 
@@ -19,6 +25,12 @@ msgstr "自动设置Dnsmasq"
 msgid "Automatically set as upstream of dnsmasq when port changes."
 msgstr "端口更改时自动设为 dnsmasq 的上游。"
 
+msgid "Block domain type"
+msgstr "屏蔽域名类型"
+
+msgid "Block domain type."
+msgstr "屏蔽域名类型。"
+
 msgid "Cache Size"
 msgstr "缓存大小"
 
@@ -33,6 +45,9 @@ msgstr "配置需要从指定域名服务器结果过滤的IP黑名单。"
 msgid "Configure block domain list."
 msgstr "配置屏蔽域名列表"
 
+msgid "Configure domain rule list."
+msgstr "配置域名规则列表"
+
 msgid "Configure forwarding domain name list."
 msgstr "配置分流域名列表"
 
@@ -66,6 +81,9 @@ msgstr "协议类型"
 msgid "DNS domain result cache size"
 msgstr "缓存DNS的结果，缓存大小，配置零则不缓存"
 
+msgid "default"
+msgstr "默认"
+
 msgid "Description"
 msgstr "描述"
 
@@ -87,6 +105,12 @@ msgstr "域名列表"
 msgid "Domain List File"
 msgstr "域名列表文件"
 
+msgid "Domain Rule List"
+msgstr "域名规则列表"
+
+msgid "Domain Rule Name"
+msgstr "域名规则名称"
+
 msgid "Domain Rules"
 msgstr "域名规则"
 
@@ -232,6 +256,12 @@ msgstr "下载文件列表"
 msgid "Local Port"
 msgstr "本地端口"
 
+msgid "Marking Packets"
+msgstr "数据包标记"
+
+msgid "Set mark on packets."
+msgstr "设置数据包标记。"
+
 msgid "Maximum TTL for all domain result."
 msgstr "所有域名的最大 TTL 值。"
 
@@ -250,9 +280,15 @@ msgstr "NFTSet名称，格式：[#[4|6]:[family#table#set]]"
 msgid "NOT RUNNING"
 msgstr "未运行"
 
+msgid "No"
+msgstr "否"
+
 msgid "No check certificate"
 msgstr "停用证书校验"
 
+msgid "None"
+msgstr "无"
+
 msgid "Query DNS through specific dns server group, such as office, home."
 msgstr "使用指定服务器组查询，比如office, home。"
 
@@ -265,6 +301,9 @@ msgstr "回应的域名TTL最大值"
 msgid "Reply maximum TTL for all domain result."
 msgstr "设置返回给客户端的域名TTL最大值。"
 
+msgid "Report bugs"
+msgstr "报告BUG"
+
 msgid "Resolve Local Hostnames"
 msgstr "解析本地主机名"
 
@@ -295,6 +334,9 @@ msgstr "服务器名称"
 msgid "Set Specific domain ip address."
 msgstr "设置指定域名的IP地址。"
 
+msgid "Set Specific domain rule list."
+msgstr "设置指定域名的规则列表。"
+
 msgid "Set Specific ip blacklist."
 msgstr "设置指定的 IP 黑名单列表。"
 
@@ -377,6 +419,12 @@ msgstr ""
 msgid "Smartdns server name"
 msgstr "SmartDNS的服务器名称，默认为smartdns，留空为主机名"
 
+msgid "Smartdns speed check mode."
+msgstr "SmartDNS测速模式。"
+
+msgid "Speed Check Mode"
+msgstr "测速模式"
+
 msgid ""
 "Specify an IP address to return for any host in the given domains, Queries "
 "in the domains are never forwarded and always replied to with the specified "
@@ -485,3 +533,6 @@ msgstr "类型"
 
 msgid "udp"
 msgstr "udp"
+
+msgid "Yes"
+msgstr "是"

package/luci/files/root/www/luci-static/resources/view/smartdns/smartdns.js

@@ -155,19 +155,59 @@ return view.extend({
 		o.datatype = "port";
 		o.rempty = false;
 
+		///////////////////////////////////////
+		// advanced settings;
+		///////////////////////////////////////
+		// Speed check mode;
+		o = s.taboption("advanced", form.Value, "speed_check_mode", _("Speed Check Mode"), _("Smartdns speed check mode."));
+		o.rmempty = true;
+		o.placeholder = "default";
+		o.value("", _("default"));
+		o.value("ping,tcp:80,tcp:443");
+		o.value("ping,tcp:443,tcp:80");
+		o.value("tcp:80,tcp:443,ping");
+		o.value("tcp:443,tcp:80,ping");
+		o.value("none", _("None"));
+		o.validate = function (section_id, value) {
+			if (value == "") {
+				return true;
+			}
+
+			if (value == "none") {
+				return true;
+			}
+
+			var check_mode = value.split(",")
+			for (var i = 0; i < check_mode.length; i++) {
+				if (check_mode[i] == "ping") {
+					continue;
+				}
+
+				if (check_mode[i].indexOf("tcp:") == 0) {
+					var port = check_mode[i].split(":")[1];
+					if (port == "") {
+						return _("TCP port is empty");
+					}
+
+					continue;
+				}
+
+				return _("Speed check mode is invalid.");
+			}
+
+			return true;
+		}
+
 		// Enable TCP server;
-		o = s.taboption("settings", form.Flag, "tcp_server", _("TCP Server"), _("Enable TCP DNS Server"));
+		o = s.taboption("advanced", form.Flag, "tcp_server", _("TCP Server"), _("Enable TCP DNS Server"));
 		o.rmempty = false;
 		o.default = o.enabled;
 
 		// Support IPV6;
-		o = s.taboption("settings", form.Flag, "ipv6_server", _("IPV6 Server"), _("Enable IPV6 DNS Server"));
+		o = s.taboption("advanced", form.Flag, "ipv6_server", _("IPV6 Server"), _("Enable IPV6 DNS Server"));
 		o.rmempty = false;
 		o.default = o.enabled;
 
-		///////////////////////////////////////
-		// advanced settings;
-		///////////////////////////////////////
 		// Support DualStack ip selection;
 		o = s.taboption("advanced", form.Flag, "dualstack_ip_selection", _("Dual-stack IP Selection"),
 			_("Enable IP selection between IPV4 and IPV6"));
@@ -334,7 +374,6 @@ return view.extend({
 		o.rmempty = true
 		o.datatype = "file"
 		o.rempty = true
-		o.editable = true
 		o.root_directory = "/etc/smartdns/conf.d"
 
 		o = s.taboption("files", form.FileUpload, "upload_list_file", _("Upload Domain List File"),
@@ -342,7 +381,6 @@ return view.extend({
 		o.rmempty = true
 		o.datatype = "file"
 		o.rempty = true
-		o.editable = true
 		o.root_directory = "/etc/smartdns/domain-set"
 
 		o = s.taboption('files', form.DummyValue, "_update", _("Update Files"));
@@ -546,6 +584,14 @@ return view.extend({
 		o.depends("type", "tls")
 		o.depends("type", "https")
 
+		// mark
+		o = s.taboption("advanced", form.Value, "set_mark", _("Marking Packets"),
+			_("Set mark on packets."))
+		o.default = ""
+		o.rempty = true
+		o.datatype = "uinteger"
+		o.modalonly = true;
+		
 		// other args
 		o = s.taboption("advanced", form.Value, "addition_arg", _("Additional Server Args"),
 			_("Additional Args for upstream dns servers"))
@@ -562,6 +608,7 @@ return view.extend({
 
 		s.tab("forwarding", _('DNS Forwarding Setting'));
 		s.tab("block", _("DNS Block Setting"));
+		s.tab("domain-rule-list", _("Domain Rule List"), _("Set Specific domain rule list."));
 		s.tab("domain-address", _("Domain Address"), _("Set Specific domain ip address."));
 		s.tab("blackip-list", _("IP Blacklist"), _("Set Specific ip blacklist."));
 
@@ -625,6 +672,13 @@ return view.extend({
 			return true;
 		}
 
+		// other args
+		o = s.taboption("forwarding", form.Value, "addition_flag", _("Additional Rule Flag"),
+			_("Additional Flags for rules, read help on domain-rule for more information."))
+		o.default = ""
+		o.rempty = true
+		o.modalonly = true;
+
 		o = s.taboption("forwarding", form.FileUpload, "forwarding_domain_set_file", _("Domain List File"),
 			_("Upload domain list file, or configure auto download from Download File Setting page."));
 		o.rmempty = true
@@ -680,6 +734,155 @@ return view.extend({
 			});
 		};
 
+		///////////////////////////////////////
+		// domain rule list;
+		///////////////////////////////////////
+		o = s.taboption('domain-rule-list', form.SectionValue, '__domain-rule-list__', form.GridSection, 'domain-rule-list', _('Domain Rule List'),
+			_('Configure domain rule list.'));
+
+		ss = o.subsection;
+
+		ss.addremove = true;
+		ss.anonymous = true;
+		ss.sortable = true;
+
+		// enable flag;
+		so = ss.option(form.Flag, "enabled", _("Enable"), _("Enable"));
+		so.rmempty = false;
+		so.default = so.enabled;
+		so.editable = true;
+
+		// name;
+		so = ss.option(form.Value, "name", _("Domain Rule Name"), _("Domain Rule Name"));
+
+		so = ss.option(form.Value, "server_group", _("Server Group"), _("DNS Server group belongs to, such as office, home."))
+		so.rmempty = true
+		so.placeholder = "default"
+		so.datatype = "hostname"
+		so.rempty = true
+		for (const groupname of groupnames) {
+			so.value(groupname);
+		}
+		so.validate = function (section_id, value) {
+			if (value == "") {
+				return true;
+			}
+
+			var val = uci.sections('smartdns', 'server');
+			for (var i = 0; i < val.length; i++) {
+				if (value == val[i].server_group) {
+					return true;
+				}
+			}
+
+			return _('Server Group %s not exists').format(value);
+
+		}
+
+		so = ss.option(form.FileUpload, "domain_list_file", _("Domain List File"),
+			_("Upload domain list file, or configure auto download from Download File Setting page."));
+		so.rmempty = false
+		so.datatype = "file"
+		so.rempty = true
+		so.root_directory = "/etc/smartdns/domain-set"
+
+		so = ss.option(form.ListValue, "block_domain_type", _("Block domain type"), _("Block domain type."));
+		so.rmempty = true;
+		so.value("none", _("None"));
+		so.value("all", "IPv4/IPv6");
+		so.value("ipv4", "IPv4");
+		so.value("ipv6", "IPv6");
+		so.modalonly = true;
+
+		// Support DualStack ip selection;
+		so = ss.option(form.ListValue, "dualstack_ip_selection", _("Dual-stack IP Selection"),
+			_("Enable IP selection between IPV4 and IPV6"));
+		so.rmempty = true;
+		so.default = "default";
+		so.modalonly = true;
+		so.value("", _("default"));
+		so.value("yes", _("Yes"));
+		so.value("no", _("No"));
+
+		so = ss.option(form.Value, "speed_check_mode", _("Speed Check Mode"), _("Smartdns speed check mode."));
+		so.rmempty = true;
+		so.placeholder = "default";
+		so.modalonly = true;
+		so.value("", _("default"));
+		so.value("ping,tcp:80,tcp:443");
+		so.value("ping,tcp:443,tcp:80");
+		so.value("tcp:80,tcp:443,ping");
+		so.value("tcp:443,tcp:80,ping");
+		so.value("none", _("None"));
+		so.validate = function (section_id, value) {
+			if (value == "") {
+				return true;
+			}
+
+			if (value == "none") {
+				return true;
+			}
+
+			var check_mode = value.split(",")
+			for (var i = 0; i < check_mode.length; i++) {
+				if (check_mode[i] == "ping") {
+					continue;
+				}
+
+				if (check_mode[i].indexOf("tcp:") == 0) {
+					var port = check_mode[i].split(":")[1];
+					if (port == "") {
+						return _("TCP port is empty");
+					}
+
+					continue;
+				}
+
+				return _("Speed check mode is invalid.");
+			}
+
+			return true;
+		}
+
+		so = ss.option(form.Flag, "force_aaaa_soa", _("Force AAAA SOA"), _("Force AAAA SOA."));
+		so.rmempty = true;
+		so.default = so.disabled;
+		so.modalonly = true;
+
+
+		so = ss.option(form.Value, "ipset_name", _("IPset Name"), _("IPset name."));
+		so.rmempty = true;
+		so.datatype = "hostname";
+		so.rempty = true;
+		so.modalonly = true;
+
+		so = ss.option(form.Value, "nftset_name", _("NFTset Name"), _("NFTset name, format: [#[4|6]:[family#table#set]]"));
+		so.rmempty = true;
+		so.datatype = "string";
+		so.rempty = true;
+		so.modalonly = true;
+		so.validate = function (section_id, value) {
+			if (value == "") {
+				return true;
+			}
+
+			var nftset = value.split(",")
+			for (var i = 0; i < nftset.length; i++) {
+				if (!nftset[i].match(/#[4|6]:[a-zA-Z0-9\-_]+#[a-zA-Z0-9\-_]+#[a-zA-Z0-9\-_]+$/)) {
+					return _("NFTset name format error, format: [#[4|6]:[family#table#set]]");
+				}
+			}
+
+			return true;
+		}
+
+		// other args
+		so = ss.option(form.Value, "addition_flag", _("Additional Rule Flag"),
+			_("Additional Flags for rules, read help on domain-rule for more information."))
+		so.default = ""
+		so.rempty = true
+		so.modalonly = true;
+
 		///////////////////////////////////////
 		// IP Blacklist;
 		///////////////////////////////////////
@@ -734,6 +937,14 @@ return view.extend({
 			window.open("https://pymumu.github.io/smartdns", '_blank');
 		};
 
+		o = s.option(form.Button, "report");
+		o.title = _("Report bugs");
+		o.inputtitle = _("Report bugs");
+		o.inputstyle = "apply";
+		o.onclick = function () {
+			window.open("https://github.com/pymumu/smartdns/issues", '_blank');
+		};
+
 		o = s.option(form.Button, "Donate");
 		o.title = _("Donate to smartdns");
 		o.inputtitle = _("Donate");

package/openwrt/files/etc/init.d/smartdns

@@ -183,6 +183,7 @@ load_server()
 	config_get check_edns "$section" "check_edns" "0"
 	config_get spki_pin "$section" "spki_pin" ""
 	config_get addition_arg "$section" "addition_arg" ""
+	config_get set_mark "$section" "set_mark" ""
 
 	[ "$enabled" = "0" ] && return
 
@@ -214,6 +215,7 @@ load_server()
 	[ "$blacklist_ip" = "0" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -blacklist-ip"
 	[ "$check_edns" = "0" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -check-edns"
 	[ -z "$spki_pin" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -spki-pin $spki_pin"
+	[ -z "$set_mark" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -set-mark $set_mark"
 
 	if [ -z "$port" ]; then
 		DNS_ADDRESS="$ip"
@@ -278,9 +280,12 @@ load_domain_rules()
 	config_get ipset_name "$section" "ipset_name" ""
 	[ ! -z "$ipset_name" ] && domain_set_args="$domain_set_args -ipset $ipset_name"
 
-	config_get ipset_name "$section" "nftset_name" ""
+	config_get nftset_name "$section" "nftset_name" ""
 	[ ! -z "$nftset_name" ] && domain_set_args="$domain_set_args -nftset '$nftset_name'"
 
+	config_get addition_flag "$section" "addition_flag" ""
+	[ ! -z "$addition_flag" ] && domain_set_args="$domain_set_args $addition_flag"
+
 	config_get forwarding_domain_set_file "$section" "forwarding_domain_set_file" ""
 	[ ! -z "$forwarding_domain_set_file" ] && {
 		conf_append "domain-set" "-name ${domain_set_name}-forwarding-file -file '$forwarding_domain_set_file'"
@@ -300,6 +305,49 @@ load_domain_rules()
 	conf_append "domain-rules" "/domain-set:${domain_set_name}-block-list/ --address #"
 }
 
+load_domain_rule_list()
+{
+	local section="$1"
+	local domain_set_args=""
+	local domain_set_name="$section"
+
+	config_get_bool enabled "$section" "enabled" "0"
+	[ "$enabled" != "1" ] && return
+
+	config_get server_group "$section" "server_group" ""
+	[ ! -z "$server_group" ] && domain_set_args="$domain_set_args -nameserver $server_group"
+
+	config_get block_domain_type "$section" "block_domain_type" ""
+	[ "$block_domain_type" = "all" ] && domain_set_args="$domain_set_args -address #"
+	[ "$block_domain_type" = "ipv4" ] && domain_set_args="$domain_set_args -address #4"
+	[ "$block_domain_type" = "ipv6" ] && domain_set_args="$domain_set_args -address #6"
+
+	config_get speed_check_mode "$section" "speed_check_mode" ""
+	[ ! -z "$speed_check_mode" ] && domain_set_args="$domain_set_args -speed-check-mode $speed_check_mode"
+
+	config_get dualstack_ip_selection "$section" "dualstack_ip_selection" ""
+	[ "$dualstack_ip_selection" = "no" ] && domain_set_args="$domain_set_args -dualstack-ip-selection no"
+	[ "$dualstack_ip_selection" = "yes" ] && domain_set_args="$domain_set_args -dualstack-ip-selection yes"
+
+	config_get_bool force_aaaa_soa "$section" "force_aaaa_soa" "0"
+	[ "$force_aaaa_soa" = "1" ] && domain_set_args="$domain_set_args -address #6"
+
+	config_get ipset_name "$section" "ipset_name" ""
+	[ ! -z "$ipset_name" ] && domain_set_args="$domain_set_args -ipset $ipset_name"
+
+	config_get nftset_name "$section" "nftset_name" ""
+	[ ! -z "$nftset_name" ] && domain_set_args="$domain_set_args -nftset '$nftset_name'"
+
+	config_get domain_list_file "$section" "domain_list_file" ""
+	[ -z "$domain_list_file" ] && return
+
+	config_get addition_flag "$section" "addition_flag" ""
+	[ ! -z "$addition_flag" ] && domain_set_args="$domain_set_args $addition_flag"
+
+	conf_append "domain-set" "-name domain-rule-list-${domain_set_name} -file '$domain_list_file'"
+	conf_append "domain-rules" "/domain-set:domain-rule-list-${domain_set_name}/ $domain_set_args"	
+}
+
 load_second_server()
 {
 	local section="$1"
@@ -393,6 +441,9 @@ load_service()
 	config_get ipv6_server "$section" "ipv6_server" "1"
 	config_get tcp_server "$section" "tcp_server" "1"
 
+	config_get speed_check_mode "$section" "speed_check_mode" ""
+	[ ! -z "$speed_check_mode" ] && conf_append "speed-check-mode" "$speed_check_mode"
+
 	config_get dualstack_ip_selection "$section" "dualstack_ip_selection" "0"
 	[ "$dualstack_ip_selection" = "0" ] && conf_append "dualstack-ip-selection" "no"
 
@@ -531,6 +582,8 @@ load_service()
 
 	config_foreach load_domain_rules "domain-rule"
 
+	config_foreach load_domain_rule_list "domain-rule-list"
+
 	{
 		echo "conf-file $ADDRESS_CONF"
 		echo "conf-file $BLACKLIST_IP_CONF"

src/dns_cache.c

@@ -245,7 +245,7 @@ struct dns_cache_data *dns_cache_new_data_packet(void *packet, size_t packet_len
 	return (struct dns_cache_data *)cache_packet;
 }
 
-static int _dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int speed, int inactive,
+static int _dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int speed, int no_inactive, int inactive,
 							  struct dns_cache_data *cache_data)
 {
 	struct dns_cache *dns_cache = NULL;
@@ -258,7 +258,7 @@ static int _dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int spee
 	/* lookup existing cache */
 	dns_cache = dns_cache_lookup(cache_key);
 	if (dns_cache == NULL) {
-		return dns_cache_insert(cache_key, ttl, speed, cache_data);
+		return dns_cache_insert(cache_key, ttl, speed, no_inactive, cache_data);
 	}
 
 	if (ttl < DNS_CACHE_TTL_MIN) {
@@ -273,6 +273,7 @@ static int _dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int spee
 	dns_cache->info.query_flag = cache_key->query_flag;
 	dns_cache->info.ttl = ttl;
 	dns_cache->info.speed = speed;
+	dns_cache->info.no_inactive = no_inactive;
 	old_cache_data = dns_cache->cache_data;
 	dns_cache->cache_data = cache_data;
 	list_del_init(&dns_cache->list);
@@ -293,14 +294,14 @@ static int _dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int spee
 	return 0;
 }
 
-int dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int speed, struct dns_cache_data *cache_data)
+int dns_cache_replace(struct dns_cache_key *cache_key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data)
 {
-	return _dns_cache_replace(cache_key, ttl, speed, 0, cache_data);
+	return _dns_cache_replace(cache_key, ttl, speed, no_inactive, 0, cache_data);
 }
 
-int dns_cache_replace_inactive(struct dns_cache_key *cache_key, int ttl, int speed, struct dns_cache_data *cache_data)
+int dns_cache_replace_inactive(struct dns_cache_key *cache_key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data)
 {
-	return _dns_cache_replace(cache_key, ttl, speed, 1, cache_data);
+	return _dns_cache_replace(cache_key, ttl, speed, no_inactive, 1, cache_data);
 }
 
 static void _dns_cache_remove_by_domain(struct dns_cache_key *cache_key)
@@ -390,7 +391,7 @@ errout:
 	return -1;
 }
 
-int dns_cache_insert(struct dns_cache_key *cache_key, int ttl, int speed, struct dns_cache_data *cache_data)
+int dns_cache_insert(struct dns_cache_key *cache_key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data)
 {
 	struct dns_cache_info info;
 
@@ -415,6 +416,7 @@ int dns_cache_insert(struct dns_cache_key *cache_key, int ttl, int speed, struct
 	info.ttl = ttl;
 	info.hitnum_update_add = DNS_CACHE_HITNUM_STEP;
 	info.speed = speed;
+	info.no_inactive = no_inactive;
 	time(&info.insert_time);
 	time(&info.replace_time);
 
@@ -663,7 +665,7 @@ void dns_cache_invalidate(dns_cache_callback precallback, int ttl_pre, unsigned
 		}
 
 		if (ttl < 0) {
-			if (dns_cache_head.enable_inactive) {
+			if (dns_cache_head.enable_inactive && dns_cache->info.no_inactive == 0) {
 				_dns_cache_move_inactive(dns_cache);
 			} else {
 				_dns_cache_remove(dns_cache);

src/dns_cache.h

@@ -87,6 +87,7 @@ struct dns_cache_info {
 	int ttl;
 	int hitnum;
 	int speed;
+	int no_inactive;
 	int hitnum_update_add;
 	time_t insert_time;
 	time_t replace_time;
@@ -135,11 +136,11 @@ struct dns_cache_data *dns_cache_new_data_packet(void *packet, size_t packet_len
 
 int dns_cache_init(int size, int enable_inactive, int inactive_list_expired);
 
-int dns_cache_replace(struct dns_cache_key *key, int ttl, int speed, struct dns_cache_data *cache_data);
+int dns_cache_replace(struct dns_cache_key *key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data);
 
-int dns_cache_replace_inactive(struct dns_cache_key *key, int ttl, int speed, struct dns_cache_data *cache_data);
+int dns_cache_replace_inactive(struct dns_cache_key *key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data);
 
-int dns_cache_insert(struct dns_cache_key *key, int ttl, int speed, struct dns_cache_data *cache_data);
+int dns_cache_insert(struct dns_cache_key *key, int ttl, int speed, int no_inactive, struct dns_cache_data *cache_data);
 
 struct dns_cache *dns_cache_lookup(struct dns_cache_key *key);
 

src/dns_client.c

@@ -93,6 +93,7 @@ struct dns_server_info {
 	int port;
 	/* server type */
 	dns_server_type_t type;
+	long long so_mark;
 
 	/* client socket */
 	int fd;
@@ -1045,6 +1046,7 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
 	server_info->ttl_range = 0;
 	server_info->skip_check_cert = skip_check_cert;
 	server_info->prohibit = 0;
+	server_info->so_mark = flags->set_mark;
 	pthread_mutex_init(&server_info->lock, NULL);
 	memcpy(&server_info->flags, flags, sizeof(server_info->flags));
 
@@ -1694,6 +1696,13 @@ static int _dns_client_create_socket_udp(struct dns_server_info *server_info)
 		return -1;
 	}
 
+	if (server_info->so_mark >= 0) {
+		unsigned int so_mark = server_info->so_mark;
+		if (setsockopt(fd, SOL_SOCKET, SO_MARK, &so_mark, sizeof(so_mark)) != 0) {
+			tlog(TLOG_DEBUG, "set socket mark failed, %s", strerror(errno));
+		}
+	}
+
 	setsockopt(server_info->fd, IPPROTO_IP, IP_RECVTTL, &on, sizeof(on));
 	setsockopt(server_info->fd, SOL_IP, IP_TTL, &val, sizeof(val));
 	setsockopt(server_info->fd, SOL_SOCKET, SO_PRIORITY, &priority, sizeof(priority));
@@ -1736,6 +1745,13 @@ static int _DNS_client_create_socket_tcp(struct dns_server_info *server_info)
 		goto errout;
 	}
 
+	if (server_info->so_mark >= 0) {
+		unsigned int so_mark = server_info->so_mark;
+		if (setsockopt(fd, SOL_SOCKET, SO_MARK, &so_mark, sizeof(so_mark)) != 0) {
+			tlog(TLOG_DEBUG, "set socket mark failed, %s", strerror(errno));
+		}
+	}
+
 	/* enable tcp fast open */
 	if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, &yes, sizeof(yes)) != 0) {
 		tlog(TLOG_DEBUG, "enable TCP fast open failed, %s", strerror(errno));
@@ -1818,6 +1834,13 @@ static int _DNS_client_create_socket_tls(struct dns_server_info *server_info, ch
 		goto errout;
 	}
 
+	if (server_info->so_mark >= 0) {
+		unsigned int so_mark = server_info->so_mark;
+		if (setsockopt(fd, SOL_SOCKET, SO_MARK, &so_mark, sizeof(so_mark)) != 0) {
+			tlog(TLOG_DEBUG, "set socket mark failed, %s", strerror(errno));
+		}
+	}
+
 	if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, &yes, sizeof(yes)) != 0) {
 		tlog(TLOG_DEBUG, "enable TCP fast open failed.");
 	}

src/dns_client.h

@@ -111,6 +111,7 @@ struct client_dns_server_flags {
 	dns_server_type_t type;
 	unsigned int server_flag;
 	unsigned int result_flag;
+	long long set_mark;
 
 	union {
 		struct client_dns_server_flag_udp udp;

src/dns_conf.c

@@ -370,6 +370,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 		{"tls-host-verify", required_argument, NULL, 'V' }, /* verify tls hostname */
 		{"group", required_argument, NULL, 'g'}, /* add to group */
 		{"exclude-default-group", no_argument, NULL, 'E'}, /* ecluse this from default group */
+		{"set-mark", required_argument, NULL, 254}, /* set mark */
 		{NULL, no_argument, NULL, 0}
 	};
 	/* clang-format on */
@@ -390,6 +391,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 	server->hostname[0] = '\0';
 	server->httphost[0] = '\0';
 	server->tls_host_verify[0] = '\0';
+	server->set_mark = -1;
 
 	if (type == DNS_SERVER_HTTPS) {
 		if (parse_uri(ip, NULL, server->server, &port, server->path) != 0) {
@@ -467,6 +469,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 			server->skip_check_cert = 1;
 			break;
 		}
+		case 254: {
+			server->set_mark = atoll(optarg);
+			break;
+		}
 		default:
 			break;
 		}
@@ -533,7 +539,7 @@ static void _config_address_destroy(radix_node_t *node, void *cbctx)
 	node->data = NULL;
 }
 
-static int _config_domain_set_rule_add_ext(char *set_name, enum domain_rule type, void *rule, unsigned int flags,
+static int _config_domain_set_rule_add_ext(const char *set_name, enum domain_rule type, void *rule, unsigned int flags,
 										   int is_clear_flag)
 {
 	struct dns_domain_set_rule *set_rule = NULL;
@@ -587,7 +593,7 @@ errout:
 	return -1;
 }
 
-static int _config_domian_set_rule_flags(char *set_name, unsigned int flags, int is_clear_flag)
+static int _config_domian_set_rule_flags(const char *set_name, unsigned int flags, int is_clear_flag)
 {
 	return _config_domain_set_rule_add_ext(set_name, DOMAIN_RULE_FLAGS, NULL, flags, is_clear_flag);
 }
@@ -664,7 +670,7 @@ errout:
 	return -1;
 }
 
-static int _config_domain_rule_flag_set(char *domain, unsigned int flag, unsigned int is_clear)
+static int _config_domain_rule_flag_set(const char *domain, unsigned int flag, unsigned int is_clear)
 {
 	struct dns_domain_rule *domain_rule = NULL;
 	struct dns_domain_rule *old_domain_rule = NULL;
@@ -1842,6 +1848,11 @@ errout:
 	return -1;
 }
 
+static int _conf_domain_rule_no_serve_expired(const char *domain)
+{
+	return _config_domain_rule_flag_set(domain, DOMAIN_FLAG_NO_SERVE_EXPIRED, 0);
+}
+
 static int _conf_domain_rules(void *data, int argc, char *argv[])
 {
 	int opt = 0;
@@ -1856,6 +1867,7 @@ static int _conf_domain_rules(void *data, int argc, char *argv[])
 		{"nftset", required_argument, NULL, 't'},
 		{"nameserver", required_argument, NULL, 'n'},
 		{"dualstack-ip-selection", required_argument, NULL, 'd'},
+		{"no-serve-expired", no_argument, NULL, 254},
 		{NULL, no_argument, NULL, 0}
 	};
 	/* clang-format on */
@@ -1952,6 +1964,14 @@ static int _conf_domain_rules(void *data, int argc, char *argv[])
 
 			break;
 		}
+		case 254: {
+			if (_conf_domain_rule_no_serve_expired(domain) != 0) {
+				tlog(TLOG_ERROR, "set no-serve-expired rule failed.");
+				goto errout;
+			}
+
+			break;
+		}
 		default:
 			break;
 		}

src/dns_conf.h

@@ -97,6 +97,7 @@ typedef enum {
 #define DOMAIN_FLAG_NFTSET_INET_IGN (1 << 12)
 #define DOMAIN_FLAG_NFTSET_IP_IGN (1 << 13)
 #define DOMAIN_FLAG_NFTSET_IP6_IGN (1 << 14)
+#define DOMAIN_FLAG_NO_SERVE_EXPIRED (1 << 15)
 
 #define SERVER_FLAG_EXCLUDE_DEFAULT (1 << 0)
 
@@ -230,6 +231,7 @@ struct dns_servers {
 	unsigned int server_flag;
 	int ttl;
 	dns_server_type_t type;
+	long long set_mark;
 	char skip_check_cert;
 	char spki[DNS_MAX_SPKI_LEN];
 	char hostname[DNS_MAX_CNAME_LEN];

src/dns_server.c

@@ -236,6 +236,7 @@ struct dns_request {
 	int dualstack_selection_ping_time;
 	int dualstack_selection_has_ip;
 	struct dns_request *dualstack_request;
+	int no_serve_expired;
 
 	pthread_mutex_t ip_map_lock;
 
@@ -1070,17 +1071,17 @@ static int _dns_server_request_update_cache(struct dns_request *request, dns_typ
 
 	if (request->prefetch) {
 		if (request->prefetch_expired_domain == 0) {
-			if (dns_cache_replace(&cache_key, ttl, speed, cache_data) != 0) {
+			if (dns_cache_replace(&cache_key, ttl, speed, request->no_serve_expired, cache_data) != 0) {
 				goto errout;
 			}
 		} else {
-			if (dns_cache_replace_inactive(&cache_key, ttl, speed, cache_data) != 0) {
+			if (dns_cache_replace_inactive(&cache_key, ttl, speed, request->no_serve_expired, cache_data) != 0) {
 				goto errout;
 			}
 		}
 	} else {
 		/* insert result to cache */
-		if (dns_cache_insert(&cache_key, ttl, speed, cache_data) != 0) {
+		if (dns_cache_insert(&cache_key, ttl, speed, request->no_serve_expired, cache_data) != 0) {
 			goto errout;
 		}
 	}
@@ -1218,17 +1219,17 @@ static int _dns_cache_cname_packet(struct dns_server_post_context *context)
 
 	if (request->prefetch) {
 		if (request->prefetch_expired_domain == 0) {
-			if (dns_cache_replace(&cache_key, ttl, speed, cache_packet) != 0) {
+			if (dns_cache_replace(&cache_key, ttl, speed, request->no_serve_expired, cache_packet) != 0) {
 				goto errout;
 			}
 		} else {
-			if (dns_cache_replace_inactive(&cache_key, ttl, speed, cache_packet) != 0) {
+			if (dns_cache_replace_inactive(&cache_key, ttl, speed, request->no_serve_expired, cache_packet) != 0) {
 				goto errout;
 			}
 		}
 	} else {
 		/* insert result to cache */
-		if (dns_cache_insert(&cache_key, ttl, speed, cache_packet) != 0) {
+		if (dns_cache_insert(&cache_key, ttl, speed, request->no_serve_expired, cache_packet) != 0) {
 			goto errout;
 		}
 	}
@@ -1260,12 +1261,12 @@ static int _dns_cache_packet(struct dns_server_post_context *context)
 	cache_key.query_flag = request->server_flags;
 
 	if (request->prefetch) {
-		if (dns_cache_replace(&cache_key, context->reply_ttl, -1, cache_packet) != 0) {
+		if (dns_cache_replace(&cache_key, context->reply_ttl, -1, request->no_serve_expired, cache_packet) != 0) {
 			goto errout;
 		}
 	} else {
 		/* insert result to cache */
-		if (dns_cache_insert(&cache_key, context->reply_ttl, -1, cache_packet) != 0) {
+		if (dns_cache_insert(&cache_key, context->reply_ttl, -1, request->no_serve_expired, cache_packet) != 0) {
 			goto errout;
 		}
 	}
@@ -3603,6 +3604,10 @@ static int _dns_server_pre_process_rule_flags(struct dns_request *request)
 	}
 
 	flags = rule_flag->flags;
+	if (flags & DOMAIN_FLAG_NO_SERVE_EXPIRED) {
+		request->no_serve_expired = 1;
+	}
+
 	if (flags & DOMAIN_FLAG_ADDR_IGN) {
 		/* ignore this domain */
 		goto out;
@@ -3937,6 +3942,10 @@ reply_cache:
 		goto out;
 	}
 
+	if (dns_cache_get_ttl(dns_cache) <= 0 && request->no_serve_expired == 1) {
+		goto out;
+	}
+
 	ret = _dns_server_process_cache_data(request, dns_cache);
 	if (ret != 0) {
 		goto out;

src/smartdns.c

@@ -269,6 +269,7 @@ static int _smartdns_add_servers(void)
 		flags.type = dns_conf_servers[i].type;
 		flags.server_flag = dns_conf_servers[i].server_flag;
 		flags.result_flag = dns_conf_servers[i].result_flag;
+		flags.set_mark = dns_conf_servers[i].set_mark;
 		ret = dns_client_add_server(dns_conf_servers[i].server, dns_conf_servers[i].port, dns_conf_servers[i].type,
 									&flags);
 		if (ret != 0) {