Freedom UDP: Fix some cone uses like STUN,... when address is domain (#4942 )

https://github.com/XTLS/Xray-core/issues/2962#issuecomment-3120472154
UDP listener: Allow listening on "localhost" (#4940 )
2025-08-22 17:46:48 +08:00 · 2025-07-26 01:59:15 +00:00 · 2025-07-26 01:27:35 +00:00 · 2025-07-25 14:59:43 +00:00 · 2025-07-25 14:47:12 +00:00 · 2025-07-25 14:40:26 +00:00
218 changed files with 7557 additions and 3807 deletions
--- a/.github/docker/Dockerfile
+++ b/.github/docker/Dockerfile
@@ -1,28 +1,62 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:latest
-FROM --platform=$BUILDPLATFORM golang:alpine AS build
+FROM --platform=$BUILDPLATFORM golang:latest AS build
 # Build xray-core
 WORKDIR /src
 COPY . .
 ARG TARGETOS
 ARG TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 ADD https://github.com/v2fly/geoip/releases/latest/download/geoip.dat /v2fly/geoip.dat
 ADD https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat /v2fly/geosite.dat
 ADD https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat /loyalsoldier/geoip.dat
 ADD https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat /loyalsoldier/geosite.dat
-# chainguard/static contains only tzdata and ca-certificates, can be built with multiarch static binaries.
+# Download geodat into a staging directory
-FROM --platform=linux/amd64 chainguard/static:latest
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat /tmp/geodat/geoip.dat
-WORKDIR /var/log/xray
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat /tmp/geodat/geosite.dat
 COPY .github/docker/files/config.json /etc/xray/config.json
 COPY --from=build --chmod=755 /src/xray /usr/bin/xray
-USER root
+RUN mkdir -p /tmp/empty
-WORKDIR /root
+
-VOLUME /etc/xray
+# Create config files with empty JSON content
-ARG TZ=Asia/Shanghai
+RUN mkdir -p /tmp/usr/local/etc/xray
 RUN cat <<EOF >/tmp/usr/local/etc/xray/00_log.json
 {
  "log": {
    "error": "/var/log/xray/error.log",
    "loglevel": "warning",
    "access": "none",
    "dnsLog": false
  }
 }
 EOF
 RUN echo '{}' >/tmp/usr/local/etc/xray/01_api.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/02_dns.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/03_routing.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/04_policy.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/05_inbounds.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/06_outbounds.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/07_transport.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/08_stats.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/09_reverse.json
 # Create log files
 RUN mkdir -p /tmp/var/log/xray && touch \
  /tmp/var/log/xray/access.log \
  /tmp/var/log/xray/error.log
 # Build finally image
 FROM gcr.io/distroless/static:nonroot
 COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/share/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
 COPY --from=build --chown=65532:65532 --chmod=600 /tmp/var/log/xray/*.log /var/log/xray/
 VOLUME /usr/local/etc/xray
 VOLUME /var/log/xray
 ARG TZ=Etc/UTC
 ENV TZ=$TZ
 ENTRYPOINT [ "/usr/bin/xray" ]
 CMD [ "-confdir", "/etc/xray/" ]
-ARG flavor=v2fly
+ENTRYPOINT [ "/usr/local/bin/xray" ]
-COPY --from=build --chmod=644 /$flavor /usr/share/xray
+CMD [ "-confdir", "/usr/local/etc/xray/" ]
--- a/.github/docker/Dockerfile.usa
+++ b/.github/docker/Dockerfile.usa
@@ -0,0 +1,71 @@
 # syntax=docker/dockerfile:latest
 FROM --platform=$BUILDPLATFORM golang:latest AS build
 # Build xray-core
 WORKDIR /src
 COPY . .
 ARG TARGETOS
 ARG TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 # Download geodat into a staging directory
 ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat /tmp/geodat/geoip.dat
 ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat /tmp/geodat/geosite.dat
 RUN mkdir -p /tmp/empty
 # Create config files with empty JSON content
 RUN mkdir -p /tmp/usr/local/etc/xray
 RUN cat <<EOF >/tmp/usr/local/etc/xray/00_log.json
 {
  "log": {
    "error": "/var/log/xray/error.log",
    "loglevel": "warning",
    "access": "none",
    "dnsLog": false
  }
 }
 EOF
 RUN echo '{}' >/tmp/usr/local/etc/xray/01_api.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/02_dns.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/03_routing.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/04_policy.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/05_inbounds.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/06_outbounds.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/07_transport.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/08_stats.json
 RUN echo '{}' >/tmp/usr/local/etc/xray/09_reverse.json
 # Create log files
 RUN mkdir -p /tmp/var/log/xray && touch \
  /tmp/var/log/xray/access.log \
  /tmp/var/log/xray/error.log
 # Build finally image
 # Note on Distroless Base Image and Architecture Support:
 # - The official 'gcr.io/distroless/static' image provided by Google only supports a limited set of architectures for Linux:
 #   - linux/amd64
 #   - linux/arm/v7
 #   - linux/arm64/v8
 #   - linux/ppc64le
 #   - linux/s390x
 # - Upon inspection, the blob contents of the Distroless images across these architectures are nearly identical, with only minor differences in metadata (e.g., 'Architecture' field in the manifest).
 # - Due to this similarity in content, it is feasible to forcibly specify a single platform (e.g., '--platform=linux/amd64') for unsupported architectures, as the core image content remains compatible with statically compiled binaries like Go applications.
 FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot
 COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/share/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
 COPY --from=build --chown=65532:65532 --chmod=600 /tmp/var/log/xray/*.log /var/log/xray/
 VOLUME /usr/local/etc/xray
 VOLUME /var/log/xray
 ARG TZ=Etc/UTC
 ENV TZ=$TZ
 ENTRYPOINT [ "/usr/local/bin/xray" ]
 CMD [ "-confdir", "/usr/local/etc/xray/" ]
--- a/.github/docker/files/config.json
+++ b/.github/docker/files/config.json
@@ -1,18 +0,0 @@
 {
  "inbounds": [{
    "port": 9000,
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "1eb6e917-774b-4a84-aff6-b058577c60a5",
          "level": 1
        }
      ]
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  }]
 }
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,76 +1,133 @@
-name: Build docker image
+name: Build and Push Docker Image
 on:
  release:
-    types: [published]
+    types:
-  push:
+      - published
-    branches:
+      - released
-      - main
+
  workflow_dispatch:
    inputs:
      tag:
        description: "Docker image tag:"
        required: true
      latest:
        description: "Set to latest"
        type: boolean
        default: false
 jobs:
-  build-image:
+  build-and-push:
    if: (github.event.action != 'published') || (github.event.action == 'published' && github.event.release.prerelease == true)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - name: Set repository and image name to lowercase
-      - name: Docker metadata
+        env:
-        id: meta
+          IMAGE_NAME: "${{ github.repository }}"
-        uses: docker/metadata-action@v5
+        run: |
-        with:
+          echo "IMAGE_NAME=${IMAGE_NAME,,}" >>${GITHUB_ENV}
-          images: ghcr.io/${{ github.repository_owner }}/xray-core
+          echo "FULL_IMAGE_NAME=ghcr.io/${IMAGE_NAME,,}" >>${GITHUB_ENV}
-          flavor: latest=auto
+
-          tags: |
+      - name: Validate and extract tag
-            type=sha
+        run: |
-            type=ref,event=branch
+          SOURCE_TAG="${{ github.event.inputs.tag }}"
-            type=ref,event=pr
+          if [[ -z "$SOURCE_TAG" ]]; then
-            type=semver,pattern={{version}}
+            SOURCE_TAG="${{ github.ref_name }}"
-      - name: Docker metadata Loyalsoldier flavor
+          fi
-        id: loyalsoldier
+          if [[ -z "$SOURCE_TAG" ]]; then
-        uses: docker/metadata-action@v5
+            SOURCE_TAG="${{ github.event.release.tag_name }}"
-        with:
+          fi
-          images: ghcr.io/${{ github.repository_owner }}/xray-core
+
-          flavor: |
+          if [[ -z "$SOURCE_TAG" ]]; then
-            latest=auto
+            echo "Error: Could not determine a valid tag source. Input tag and context tag (github.ref_name) are both empty."
-            suffix=-ls,onlatest=true
+            exit 1
-          tags: |
+          fi
-            type=sha
+
-            type=ref,event=branch
+          if [[ "$SOURCE_TAG" =~ ^v[0-9]+\.[0-9] ]]; then
-            type=ref,event=pr
+            IMAGE_TAG="${SOURCE_TAG#v}"
-            type=semver,pattern={{version}}
+          else
            IMAGE_TAG="$SOURCE_TAG"
          fi
          echo "Docker image tag: '$IMAGE_TAG'."
          echo "IMAGE_TAG=$IMAGE_TAG" >>${GITHUB_ENV}
          LATEST=false
          if [[ "${{ github.event_name }}" == "release" && "${{ github.event.release.prerelease }}" == "false" ]] || [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.latest }}" == "true" ]]; then
            LATEST=true
          fi
          echo "Latest: '$LATEST'."
          echo "LATEST=$LATEST" >>${GITHUB_ENV}
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
+
-        uses: docker/setup-buildx-action@v3
+      - name: Build Docker image (main architectures)
-      - name: Build and push
+        id: build_main_arches
        uses: docker/build-push-action@v6
        with:
          context: .
          file: .github/docker/Dockerfile
          platforms: |
            linux/amd64
-            linux/arm64
+            linux/arm/v7
-            linux/loong64
+            linux/arm64/v8
-            linux/riscv64
+            linux/ppc64le
            linux/s390x
          provenance: false
-          file: .github/docker/Dockerfile
+          outputs: type=image,name=${{ env.FULL_IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-          push: true
+
-          tags: ${{ steps.meta.outputs.tags }}
+      - name: Build Docker image (additional architectures)
-      - name: Build and push Loyalsoldier flavor
+        id: build_additional_arches
        uses: docker/build-push-action@v6
        with:
          context: .
          file: .github/docker/Dockerfile.usa
          platforms: |
-            linux/amd64
+            linux/386
-            linux/arm64
+            linux/arm/v6
            linux/loong64
            linux/riscv64
            linux/loong64
          provenance: false
-          file: .github/docker/Dockerfile
+          outputs: type=image,name=${{ env.FULL_IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-          build-args: flavor=loyalsoldier
+
-          push: true
+      - name: Create manifest list and push
-          tags: |
+        run: |
-            ${{ steps.loyalsoldier.outputs.tags }}
+          echo "Creating multi-arch manifest with tag: '${{ env.FULL_IMAGE_NAME }}:${{ env.IMAGE_TAG }}'."
          docker buildx imagetools create \
            --tag ${{ env.FULL_IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
            ${{ env.FULL_IMAGE_NAME }}@${{ steps.build_main_arches.outputs.digest }} \
            ${{ env.FULL_IMAGE_NAME }}@${{ steps.build_additional_arches.outputs.digest }}
          if [[ "${{ env.LATEST }}" == "true" ]]; then
            echo "Adding 'latest' tag to manifest: '${{ env.FULL_IMAGE_NAME }}:latest'."
            docker buildx imagetools create \
            --tag ${{ env.FULL_IMAGE_NAME }}:latest \
            ${{ env.FULL_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          fi
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.FULL_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          if [[ "${{ env.LATEST }}" == "true" ]]; then
            docker buildx imagetools inspect ${{ env.FULL_IMAGE_NAME }}:latest
          fi
--- a/.github/workflows/release-win7.yml
+++ b/.github/workflows/release-win7.yml
@@ -0,0 +1,148 @@
 name: Build and Release for Windows 7
 on:
  workflow_dispatch:
  release:
    types: [published]
  push:
  pull_request:
    types: [opened, synchronize, reopened]
 jobs:
  check-assets:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
          key: xray-geodat-
      - name: Check Assets Existence
        id: check-assets
        run: |
          [ -d 'resources' ] || mkdir resources
          LIST=('geoip.dat' 'geosite.dat')
          for FILE_NAME in "${LIST[@]}"
          do
            echo -e "Checking ${FILE_NAME}..."
            if [ -s "./resources/${FILE_NAME}" ]; then
              echo -e "${FILE_NAME} exists."
            else
              echo -e "${FILE_NAME} does not exist."
              echo "missing=true" >> $GITHUB_OUTPUT
              break
            fi
          done
      - name: Sleep for 90 seconds if Assets Missing
        if: steps.check-assets.outputs.missing == 'true'
        run: sleep 90
  build:
    needs: check-assets
    permissions:
      contents: write
    strategy:
      matrix:
        include:
          # BEGIN Windows 7
          - goos: windows
            goarch: amd64
            assetname: win7-64
          - goos: windows
            goarch: 386
            assetname: win7-32
          # END Windows 7
      fail-fast: false
    runs-on: ubuntu-latest
    env:
      GOOS: ${{ matrix.goos}}
      GOARCH: ${{ matrix.goarch }}
      CGO_ENABLED: 0
    steps:
      - name: Checkout codebase
        uses: actions/checkout@v4
      - name: Show workflow information
        run: |
          _NAME=${{ matrix.assetname }}
          echo "GOOS: ${{ matrix.goos }}, GOARCH: ${{ matrix.goarch }}, RELEASE_NAME: $_NAME"
          echo "ASSET_NAME=$_NAME" >> $GITHUB_ENV
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Setup patched builder
        run: |
          GOSDK=$(go env GOROOT)
          rm -r $GOSDK/*
          cd $GOSDK
          curl -O -L -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://github.com/XTLS/go-win7/releases/latest/download/go-for-win7-linux-amd64.zip
          unzip ./go-for-win7-linux-amd64.zip -d $GOSDK
          rm ./go-for-win7-linux-amd64.zip
      - name: Get project dependencies
        run: go mod download
      - name: Build Xray
        run: |
          mkdir -p build_assets
          COMMID=$(git describe --always --dirty)
          echo 'Building Xray for Windows 7...'
          go build -o build_assets/xray.exe -trimpath -buildvcs=false -ldflags="-X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
          echo 'CreateObject("Wscript.Shell").Run "xray.exe -config config.json",0' > build_assets/xray_no_window.vbs
          echo 'Start-Process -FilePath ".\xray.exe" -ArgumentList "-config .\config.json" -WindowStyle Hidden' > build_assets/xray_no_window.ps1
          # The line below is for without running conhost.exe version. Commented for not being used. Provided for reference.
          # go build -o build_assets/wxray.exe -trimpath -buildvcs=false -ldflags="-H windowsgui -X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
          key: xray-geodat-
      - name: Copy README.md & LICENSE
        run: |
          mv -f resources/* build_assets
          cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
          cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
      - name: Create ZIP archive
        if: github.event_name == 'release'
        shell: bash
        run: |
          pushd build_assets || exit 1
          touch -mt $(date +%Y01010000) *
          zip -9vr ../Xray-${{ env.ASSET_NAME }}.zip .
          popd || exit 1
          FILE=./Xray-${{ env.ASSET_NAME }}.zip
          DGST=$FILE.dgst
          for METHOD in {"md5","sha1","sha256","sha512"}
          do
            openssl dgst -$METHOD $FILE | sed 's/([^)]*)//g' >>$DGST
          done
      - name: Change the name
        run: |
          mv build_assets Xray-${{ env.ASSET_NAME }}
      - name: Upload files to Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: Xray-${{ env.ASSET_NAME }}
          path: |
            ./Xray-${{ env.ASSET_NAME }}/*
      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
        if: github.event_name == 'release'
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./Xray-${{ env.ASSET_NAME }}.zip*
          tag: ${{ github.ref }}
          file_glob: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,76 +1,61 @@
 name: Build and Release
 # NOTE: This Github Actions file depends on the Makefile.
 #       Building the correct package requires the correct binaries generated by the Makefile. To 
 #       ensure the correct output, the Makefile must accept the appropriate input and compile the 
 #       correct file with the correct name. If you need to modify this file, please ensure it won't 
 #       disrupt the Makefile.
 on:
  workflow_dispatch:
  release:
    types: [published]
  push:
    branches:
      - main
    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/release.yml"
  pull_request:
    types: [opened, synchronize, reopened]
-    paths:
+
      - "**/*.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/release.yml"
 jobs:
-  prepare:
+  check-assets:
    runs-on: ubuntu-latest
    steps:
-      - name: Restore Cache
+      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
          key: xray-geodat-
-      - name: Update Geodat
+      - name: Check Assets Existence
-        id: update
+        id: check-assets
-        uses: nick-fields/retry@v3
+        run: |
-        with:
+          [ -d 'resources' ] || mkdir resources
-          timeout_minutes: 60
+          LIST=('geoip.dat' 'geosite.dat')
-          retry_wait_seconds: 60
+          for FILE_NAME in "${LIST[@]}"
-          max_attempts: 60
+          do
-          command: |
+            echo -e "Checking ${FILE_NAME}..."
-            [ -d 'resources' ] || mkdir resources
+            if [ -s "./resources/${FILE_NAME}" ]; then
-            LIST=('geoip geoip geoip' 'domain-list-community dlc geosite')
+              echo -e "${FILE_NAME} exists."
-            for i in "${LIST[@]}"
+            else
-            do
+              echo -e "${FILE_NAME} does not exist."
-              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3}'))
+              echo "missing=true" >> $GITHUB_OUTPUT
-              FILE_NAME="${INFO[2]}.dat"
+              break
-              echo -e "Verifying HASH key..."
+            fi
-              HASH="$(curl -sL "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
+          done
              if [ -s "./resources/${FILE_NAME}" ] && [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ]; then
                  continue
              else
                  echo -e "Downloading https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat..."
                  curl -L "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat" -o ./resources/${FILE_NAME}
                  echo -e "Verifying HASH key..."
                  [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
                  echo "unhit=true" >> $GITHUB_OUTPUT
              fi
            done
-      - name: Save Cache
+      - name: Trigger Asset Update Workflow if Assets Missing
-        uses: actions/cache/save@v4
+        if: steps.check-assets.outputs.missing == 'true'
-        if: ${{ steps.update.outputs.unhit }}
+        uses: actions/github-script@v7
        with:
-          path: resources
+          github-token: ${{ secrets.GITHUB_TOKEN }}
-          key: xray-geodat-${{ github.sha }}-${{ github.run_number }}
+          script: |
            const { owner, repo } = context.repo;
            await github.rest.actions.createWorkflowDispatch({
              owner,
              repo,
              workflow_id: 'scheduled-assets-update.yml',
              ref: context.ref
            });
            console.log('Triggered scheduled-assets-update.yml due to missing assets on branch:', context.ref);
      - name: Sleep for 90 seconds if Assets Missing
        if: steps.check-assets.outputs.missing == 'true'
        run: sleep 90
  build:
-    needs: prepare
+    needs: check-assets
    permissions:
      contents: write
    strategy:
@@ -78,9 +63,7 @@ jobs:
        # Include amd64 on all platforms.
        goos: [windows, freebsd, openbsd, linux, darwin]
        goarch: [amd64, 386]
        gotoolchain: [""]
        patch-assetname: [""]
        exclude:
          # Exclude i386 on darwin
          - goarch: 386
@@ -105,6 +88,11 @@ jobs:
          - goos: android
            goarch: arm64
          # END Android ARM 8
          # BEGIN Android AMD64
          - goos: android
            goarch: amd64
            patch-assetname: android-amd64
          # END Android AMD64
          # Windows ARM
          - goos: windows
            goarch: arm64
@@ -155,16 +143,6 @@ jobs:
            goarch: arm
            goarm: 7
          # END OPENBSD ARM
          # BEGIN Windows 7
          - goos: windows
            goarch: amd64
            gotoolchain: 1.21.4
            patch-assetname: win7-64
          - goos: windows
            goarch: 386
            gotoolchain: 1.21.4
            patch-assetname: win7-32
          # END Windows 7
      fail-fast: false
    runs-on: ubuntu-latest
@@ -177,6 +155,19 @@ jobs:
      - name: Checkout codebase
        uses: actions/checkout@v4
      - name: Set up NDK
        if: matrix.goos == 'android'
        run: |
          wget -qO android-ndk.zip https://dl.google.com/android/repository/android-ndk-r28b-linux.zip
          unzip android-ndk.zip
          rm android-ndk.zip
          declare -A arches=(
            ["amd64"]="x86_64-linux-android24-clang"
            ["arm64"]="aarch64-linux-android24-clang"
          )
          echo CC="$(realpath android-ndk-*/toolchains/llvm/prebuilt/linux-x86_64/bin)/${arches[${{ matrix.goarch }}]}" >> $GITHUB_ENV
          echo CGO_ENABLED=1 >> $GITHUB_ENV
      - name: Show workflow information
        run: |
          _NAME=${{ matrix.patch-assetname }}
@@ -187,7 +178,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ${{ matrix.gotoolchain || '1.23' }}
+          go-version-file: go.mod
          check-latest: true
      - name: Get project dependencies
@@ -196,10 +187,24 @@ jobs:
      - name: Build Xray
        run: |
          mkdir -p build_assets
-          make
+          COMMID=$(git describe --always --dirty)
-          find . -maxdepth 1 -type f -regex './\(wxray\|xray\|xray_softfloat\)\(\|.exe\)' -exec mv {} ./build_assets/ \;
+          if [[ ${GOOS} == 'windows' ]]; then
            echo 'Building Xray for Windows...'
            go build -o build_assets/xray.exe -trimpath -buildvcs=false -ldflags="-X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
            echo 'CreateObject("Wscript.Shell").Run "xray.exe -config config.json",0' > build_assets/xray_no_window.vbs
            echo 'Start-Process -FilePath ".\xray.exe" -ArgumentList "-config .\config.json" -WindowStyle Hidden' > build_assets/xray_no_window.ps1
            # The line below is for without running conhost.exe version. Commented for not being used. Provided for reference.
            # go build -o build_assets/wxray.exe -trimpath -buildvcs=false -ldflags="-H windowsgui -X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
          else
            echo 'Building Xray...'
            go build -o build_assets/xray -trimpath -buildvcs=false -ldflags="-X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
            if [[ ${GOARCH} == 'mips' || ${GOARCH} == 'mipsle' ]]; then
              echo 'Building soft-float Xray for MIPS/MIPSLE 32-bit...'
              GOMIPS=softfloat go build -o build_assets/xray_softfloat -trimpath -buildvcs=false -ldflags="-X github.com/xtls/xray-core/core.build=${COMMID} -s -w -buildid=" -v ./main
            fi
          fi
-      - name: Restore Cache
+      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
--- a/.github/workflows/scheduled-assets-update.yml
+++ b/.github/workflows/scheduled-assets-update.yml
@@ -0,0 +1,65 @@
 name: Scheduled assets update
 # NOTE: This Github Actions is required by other actions, for preparing other packaging assets in a
 #       routine manner, for example: GeoIP/GeoSite.
 #       Currently updating:
 #       - Geodat (GeoIP/Geosite)
 on:
  workflow_dispatch:
  schedule:
    # Update GeoData on every day (22:30 UTC)
    - cron: "30 22 * * *"
  push:
    # Prevent triggering update request storm
    paths:
      - ".github/workflows/scheduled-assets-update.yml"
  pull_request:
    # Prevent triggering update request storm
    paths:
      - ".github/workflows/scheduled-assets-update.yml"
 jobs:
  geodat:
    if: github.event.schedule == '30 22 * * *' || github.event_name == 'push'|| github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
          key: xray-geodat-
      - name: Update Geodat
        id: update
        uses: nick-fields/retry@v3
        with:
          timeout_minutes: 60
          retry_wait_seconds: 60
          max_attempts: 60
          command: |
            [ -d 'resources' ] || mkdir resources
            LIST=('Loyalsoldier v2ray-rules-dat geoip geoip' 'Loyalsoldier v2ray-rules-dat geosite geosite')
            for i in "${LIST[@]}"
            do
              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3,$4}'))
              FILE_NAME="${INFO[3]}.dat"
              echo -e "Verifying HASH key..."
              HASH="$(curl -sL -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
              if [ -s "./resources/${FILE_NAME}" ] && [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ]; then
                  continue
              else
                  echo -e "Downloading https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat..."
                  curl -L -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat" -o ./resources/${FILE_NAME}
                  echo -e "Verifying HASH key..."
                  [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
                  echo "unhit=true" >> $GITHUB_OUTPUT
              fi
            done
      - name: Save Geodat Cache
        uses: actions/cache/save@v4
        if: ${{ steps.update.outputs.unhit }}
        with:
          path: resources
          key: xray-geodat-${{ github.sha }}-${{ github.run_number }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,23 +2,40 @@ name: Test
 on:
  push:
    branches:
      - main
    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/*.yml"
  pull_request:
    types: [opened, synchronize, reopened]
    paths:
      - "**/*.go"
      - "go.mod"
      - "go.sum"
      - ".github/workflows/*.yml"
 jobs:
  check-assets:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
          key: xray-geodat-
      - name: Check Assets Existence
        id: check-assets
        run: |
          [ -d 'resources' ] || mkdir resources
          LIST=('geoip.dat' 'geosite.dat')
          for FILE_NAME in "${LIST[@]}"
          do
            echo -e "Checking ${FILE_NAME}..."
            if [ -s "./resources/${FILE_NAME}" ]; then
              echo -e "${FILE_NAME} exists."
            else
              echo -e "${FILE_NAME} does not exist."
              echo "missing=true" >> $GITHUB_OUTPUT
              break
            fi
          done
      - name: Sleep for 90 seconds if Assets Missing
        if: steps.check-assets.outputs.missing == 'true'
        run: sleep 90
  test:
    needs: check-assets
    permissions:
      contents: read
    runs-on: ${{ matrix.os }}
@@ -32,9 +49,9 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.23'
+          go-version-file: go.mod
          check-latest: true
-      - name: Restore Cache
+      - name: Restore Geodat Cache
        uses: actions/cache/restore@v4
        with:
          path: resources
--- a/.gitignore
+++ b/.gitignore
@@ -14,10 +14,18 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 # macOS specific files
 *.DS_Store
-.idea
+
 # IDE specific files
 .idea/
 .vscode/
 # Archive files
 *.zip
 *.tar.gz
 # Binaries
 xray
 xray_softfloat
 mockgen
@@ -26,8 +34,13 @@ vprotogen
 errorgen
 !common/errors/errorgen/
 *.dat
-.vscode
+
 # Build assets
 /build_assets
 # Output from dlv test
 **/debug.*
 # Certificates
 *.crt
 *.key
--- a/37
+++ b/37
@@ -1,37 +0,0 @@
 NAME = xray
 VERSION=$(shell git describe --always --dirty)
 # NOTE: This MAKEFILE can be used to build Xray-core locally and in Automatic workflows. It is \
 	provided for convenience in automatic building and functions as a part of it.
 # NOTE: If you need to modify this file, please be aware that:\
 	- This file is not the main Makefile; it only accepts environment variables and builds the \
 	binary.\
 	- Automatic building expects the correct binaries to be built by this Makefile. If you \
 	intend to propose a change to this Makefile, carefully review the file below and ensure \
 	that the change will not accidentally break the automatic building:\
 		.github/workflows/release.yml \
 	Otherwise it is recommended to contact the project maintainers.
 LDFLAGS = -X github.com/xtls/xray-core/core.build=$(VERSION) -s -w -buildid=
 PARAMS = -trimpath -ldflags "$(LDFLAGS)" -v
 MAIN = ./main
 PREFIX ?= $(shell go env GOPATH)
 ifeq ($(GOOS),windows)
 OUTPUT = $(NAME).exe
 ADDITION = go build -o w$(NAME).exe -trimpath -ldflags "-H windowsgui $(LDFLAGS)" -v $(MAIN)
 else
 OUTPUT = $(NAME)
 endif
 ifeq ($(shell echo "$(GOARCH)" | grep -Eq "(mips|mipsle)" && echo true),true) # 
 ADDITION = GOMIPS=softfloat go build -o $(NAME)_softfloat -trimpath -ldflags "$(LDFLAGS)" -v $(MAIN)
 endif
 .PHONY: clean build
 build:
 	go build -o $(OUTPUT) $(PARAMS) $(MAIN)
 	$(ADDITION)
 clean:
 	go clean -v -i $(PWD)
 	rm -f xray xray.exe wxray.exe xray_softfloat
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
 # Project X
 [![Project X NFT](https://raw2.seadn.io/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/7fa9ce900fb39b44226348db330e32/8b7fa9ce900fb39b44226348db330e32.svg)](https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1)
 ### [Collect a Project X NFT to support the development of Project X!](https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1)
 [Project X](https://github.com/XTLS) originates from XTLS protocol, providing a set of network tools such as [Xray-core](https://github.com/XTLS/Xray-core) and [REALITY](https://github.com/XTLS/REALITY).
 [README](https://github.com/XTLS/Xray-core#readme) is open, so feel free to submit your project [here](https://github.com/XTLS/Xray-core/pulls).
@@ -7,8 +11,9 @@
 ## Donation & NFTs
 - **ETH/USDT/USDC: `0xDc3Fe44F0f25D13CACb1C4896CD0D321df3146Ee`**
- **Project X NFT: [Announcement of NFTs by Project X](https://github.com/XTLS/Xray-core/discussions/3633)**
+- **Project X NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1**
- **REALITY NFT: [XHTTP: Beyond REALITY](https://github.com/XTLS/Xray-core/discussions/4113)**
+- **REALITY NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2**
 - **Related links: https://opensea.io/collection/xtls, [Announcement of NFTs by Project X](https://github.com/XTLS/Xray-core/discussions/3633), [XHTTP: Beyond REALITY](https://github.com/XTLS/Xray-core/discussions/4113)**
 ## License
@@ -24,7 +29,9 @@
 [Project X Channel](https://t.me/projectXtls)
-[Project VLESS](https://t.me/projectVless) (non-Chinese)
+[Project VLESS](https://t.me/projectVless) (Русский)
 [Project XHTTP](https://t.me/projectXhttp) (Persian)
 ## Installation
@@ -36,12 +43,13 @@
  - [teddysun/xray](https://hub.docker.com/r/teddysun/xray)
  - [wulabing/xray_docker](https://github.com/wulabing/xray_docker)
 - Web Panel - **WARNING: Please DO NOT USE plain HTTP panels like 3X-UI**, as they are believed to be bribed by Iran GFW for supporting plain HTTP by default and refused to change (https://github.com/XTLS/Xray-core/pull/3884#issuecomment-2439595331), which has already put many users' data security in danger in the past few years. **If you are already using 3X-UI, please switch to the following panels, which are verified to support HTTPS and SSH port forwarding only:**
  - [Remnawave](https://github.com/remnawave/panel)
  - [Marzban](https://github.com/Gozargah/Marzban)
  - [Xray-UI](https://github.com/qist/xray-ui)
  - [Hiddify](https://github.com/hiddify/Hiddify-Manager)
 - One Click
  - [Xray-REALITY](https://github.com/zxcvos/Xray-script), [xray-reality](https://github.com/sajjaddg/xray-reality), [reality-ezpz](https://github.com/aleskxyz/reality-ezpz)
-  - [Xray_bash_onekey](https://github.com/hello-yunshu/Xray_bash_onekey), [XTool](https://github.com/LordPenguin666/XTool)
+  - [Xray_bash_onekey](https://github.com/hello-yunshu/Xray_bash_onekey), [XTool](https://github.com/LordPenguin666/XTool), [VPainLess](https://github.com/vpainless/vpainless)
  - [v2ray-agent](https://github.com/mack-a/v2ray-agent), [Xray_onekey](https://github.com/wulabing/Xray_onekey), [ProxySU](https://github.com/proxysu/ProxySU)
 - Magisk
  - [Xray4Magisk](https://github.com/Asterisk4Magisk/Xray4Magisk)
@@ -72,34 +80,49 @@
  - [PassWall](https://github.com/xiaorouji/openwrt-passwall), [PassWall 2](https://github.com/xiaorouji/openwrt-passwall2)
  - [ShadowSocksR Plus+](https://github.com/fw876/helloworld)
  - [luci-app-xray](https://github.com/yichya/luci-app-xray) ([openwrt-xray](https://github.com/yichya/openwrt-xray))
 - Asuswrt-Merlin
  - [XRAYUI](https://github.com/DanielLavrushin/asuswrt-merlin-xrayui)
 - Windows
  - [v2rayN](https://github.com/2dust/v2rayN)
  - [Furious](https://github.com/LorenEteval/Furious)
  - [Invisible Man - Xray](https://github.com/InvisibleManVPN/InvisibleMan-XRayClient)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
 - Android
  - [v2rayNG](https://github.com/2dust/v2rayNG)
  - [X-flutter](https://github.com/XTLS/X-flutter)
  - [SaeedDev94/Xray](https://github.com/SaeedDev94/Xray)
- iOS & macOS arm64
+  - [SimpleXray](https://github.com/lhear/SimpleXray)
-  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
+  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
 - iOS & macOS arm64 & tvOS
  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215) ([tvOS](https://apps.apple.com/us/app/happ-proxy-utility-for-tv/id6748297274))
  - [Streisand](https://apps.apple.com/app/streisand/id6450534064)
  - [OneXray](https://github.com/OneXray/OneXray)
 - macOS arm64 & x64
  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215)
  - [V2rayU](https://github.com/yanue/V2rayU)
  - [V2RayXS](https://github.com/tzmax/V2RayXS)
  - [Furious](https://github.com/LorenEteval/Furious)
-  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
+  - [OneXray](https://github.com/OneXray/OneXray)
  - [GoXRay](https://github.com/goxray/desktop)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
 - Linux
  - [v2rayA](https://github.com/v2rayA/v2rayA)
  - [Furious](https://github.com/LorenEteval/Furious)
  - [GorzRay](https://github.com/ketetefid/GorzRay)
  - [GoXRay](https://github.com/goxray/desktop)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
 ## Others that support VLESS, XTLS, REALITY, XUDP, PLUX...
- iOS & macOS arm64
+- iOS & macOS arm64 & tvOS
  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
  - [Loon](https://apps.apple.com/us/app/loon/id1373567447)
 - Xray Tools
  - [xray-knife](https://github.com/lilendian0x00/xray-knife)
  - [xray-checker](https://github.com/kutovoys/xray-checker)
 - Xray Wrapper
  - [XTLS/libXray](https://github.com/XTLS/libXray)
  - [xtls-sdk](https://github.com/remnawave/xtls-sdk)
  - [xtlsapi](https://github.com/hiddify/xtlsapi)
  - [AndroidLibXrayLite](https://github.com/2dust/AndroidLibXrayLite)
  - [Xray-core-python](https://github.com/LorenEteval/Xray-core-python)
@@ -107,39 +130,43 @@
 - [XrayR](https://github.com/XrayR-project/XrayR)
  - [XrayR-release](https://github.com/XrayR-project/XrayR-release)
  - [XrayR-V2Board](https://github.com/missuo/XrayR-V2Board)
- [Clash.Meta](https://github.com/MetaCubeX/Clash.Meta)
+- Cores
-  - [clashN](https://github.com/2dust/clashN)
+  - [Amnezia VPN](https://github.com/amnezia-vpn)
-  - [Clash Meta for Android](https://github.com/MetaCubeX/ClashMetaForAndroid)
+  - [mihomo](https://github.com/MetaCubeX/mihomo)
- [sing-box](https://github.com/SagerNet/sing-box)
+  - [sing-box](https://github.com/SagerNet/sing-box)
 ## Contributing
 [Code of Conduct](https://github.com/XTLS/Xray-core/blob/main/CODE_OF_CONDUCT.md)
 [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/XTLS/Xray-core)
 ## Credits
 - [Xray-core v1.0.0](https://github.com/XTLS/Xray-core/releases/tag/v1.0.0) was forked from [v2fly-core 9a03cc5](https://github.com/v2fly/v2ray-core/commit/9a03cc5c98d04cc28320fcee26dbc236b3291256), and we have made & accumulated a huge number of enhancements over time, check [the release notes for each version](https://github.com/XTLS/Xray-core/releases).
 - For third-party projects used in [Xray-core](https://github.com/XTLS/Xray-core), check your local or [the latest go.mod](https://github.com/XTLS/Xray-core/blob/main/go.mod).
-## Compilation
+## One-line Compilation
 ### Windows (PowerShell)
 ```powershell
 $env:CGO_ENABLED=0
-go build -o xray.exe -trimpath -ldflags "-s -w -buildid=" ./main
+go build -o xray.exe -trimpath -buildvcs=false -ldflags="-s -w -buildid=" -v ./main
 ```
 ### Linux / macOS
 ```bash
-CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
+CGO_ENABLED=0 go build -o xray -trimpath -buildvcs=false -ldflags="-s -w -buildid=" -v ./main
 ```
 ### Reproducible Releases
 Make sure that you are using the same Go version, and remember to set the git commit id (7 bytes):
 ```bash
-make
+CGO_ENABLED=0 go build -o xray -trimpath -buildvcs=false -ldflags="-X github.com/xtls/xray-core/core.build=REPLACE -s -w -buildid=" -v ./main
 ```
 ## Stargazers over time
--- a/app/commander/outbound.go
+++ b/app/commander/outbound.go
@@ -8,6 +8,7 @@ import (
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/common/signal/done"
 	"github.com/xtls/xray-core/transport"
 )
@@ -108,3 +109,13 @@ func (co *Outbound) Close() error {
 	co.closed = true
 	return co.listener.Close()
 }
 // SenderSettings implements outbound.Handler.
 func (co *Outbound) SenderSettings() *serial.TypedMessage {
 	return nil
 }
 // ProxySettings implements outbound.Handler.
 func (co *Outbound) ProxySettings() *serial.TypedMessage {
 	return nil
 }
--- a/app/dispatcher/default.go
+++ b/app/dispatcher/default.go
@@ -33,23 +33,21 @@ type cachedReader struct {
 	cache  buf.MultiBuffer
 }
-func (r *cachedReader) Cache(b *buf.Buffer) {
+func (r *cachedReader) Cache(b *buf.Buffer, deadline time.Duration) error {
-	mb, _ := r.reader.ReadMultiBufferTimeout(time.Millisecond * 100)
+	mb, err := r.reader.ReadMultiBufferTimeout(deadline)
 	if err != nil {
 		return err
 	}
 	r.Lock()
 	if !mb.IsEmpty() {
 		r.cache, _ = buf.MergeMulti(r.cache, mb)
 	}
-	cacheLen := r.cache.Len()
+	b.Clear()
-	if cacheLen <= b.Cap() {
+	rawBytes := b.Extend(min(r.cache.Len(), b.Cap()))
 		b.Clear()
 	} else {
 		b.Release()
 		*b = *buf.NewWithSize(cacheLen)
 	}
 	rawBytes := b.Extend(cacheLen)
 	n := r.cache.Copy(rawBytes)
 	b.Resize(0, int32(n))
 	r.Unlock()
 	return nil
 }
 func (r *cachedReader) readInternal() buf.MultiBuffer {
@@ -98,7 +96,6 @@ type DefaultDispatcher struct {
 	router routing.Router
 	policy policy.Manager
 	stats  stats.Manager
 	dns    dns.Client
 	fdns   dns.FakeDNSEngine
 }
@@ -106,10 +103,10 @@ func init() {
 	common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
 		d := new(DefaultDispatcher)
 		if err := core.RequireFeatures(ctx, func(om outbound.Manager, router routing.Router, pm policy.Manager, sm stats.Manager, dc dns.Client) error {
-			core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) { // FakeDNSEngine is optional
+			core.OptionalFeatures(ctx, func(fdns dns.FakeDNSEngine) {
 				d.fdns = fdns
 			})
-			return d.Init(config.(*Config), om, router, pm, sm, dc)
+			return d.Init(config.(*Config), om, router, pm, sm)
 		}); err != nil {
 			return nil, err
 		}
@@ -118,12 +115,11 @@ func init() {
 }
 // Init initializes DefaultDispatcher.
-func (d *DefaultDispatcher) Init(config *Config, om outbound.Manager, router routing.Router, pm policy.Manager, sm stats.Manager, dns dns.Client) error {
+func (d *DefaultDispatcher) Init(config *Config, om outbound.Manager, router routing.Router, pm policy.Manager, sm stats.Manager) error {
 	d.ohm = om
 	d.router = router
 	d.policy = pm
 	d.stats = sm
 	d.dns = dns
 	return nil
 }
@@ -355,7 +351,7 @@ func (d *DefaultDispatcher) DispatchLink(ctx context.Context, destination net.De
 }
 func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, network net.Network) (SniffResult, error) {
-	payload := buf.New()
+	payload := buf.NewWithSize(32767)
 	defer payload.Release()
 	sniffer := NewSniffer(ctx)
@@ -367,26 +363,36 @@ func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, netw
 	}
 	contentResult, contentErr := func() (SniffResult, error) {
 		cacheDeadline := 200 * time.Millisecond
 		totalAttempt := 0
 		for {
 			select {
 			case <-ctx.Done():
 				return nil, ctx.Err()
 			default:
-				totalAttempt++
+				cachingStartingTimeStamp := time.Now()
-				if totalAttempt > 2 {
+				err := cReader.Cache(payload, cacheDeadline)
-					return nil, errSniffingTimeout
+				if err != nil {
 					return nil, err
 				}
 				cachingTimeElapsed := time.Since(cachingStartingTimeStamp)
 				cacheDeadline -= cachingTimeElapsed
 				cReader.Cache(payload)
 				if !payload.IsEmpty() {
 					result, err := sniffer.Sniff(ctx, payload.Bytes(), network)
-					if err != common.ErrNoClue {
+					switch err {
 					case common.ErrNoClue: // No Clue: protocol not matches, and sniffer cannot determine whether there will be a match or not
 						totalAttempt++
 					case protocol.ErrProtoNeedMoreData: // Protocol Need More Data: protocol matches, but need more data to complete sniffing
 						// in this case, do not add totalAttempt(allow to read until timeout)
 					default:
 						return result, err
 					}
 				} else {
 					totalAttempt++
 				}
-				if payload.IsFull() {
+				if totalAttempt >= 2 || cacheDeadline <= 0 {
-					return nil, errUnknownContent
+					return nil, errSniffingTimeout
 				}
 			}
 		}
@@ -402,18 +408,6 @@ func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, netw
 func (d *DefaultDispatcher) routedDispatch(ctx context.Context, link *transport.Link, destination net.Destination) {
 	outbounds := session.OutboundsFromContext(ctx)
 	ob := outbounds[len(outbounds)-1]
 	if hosts, ok := d.dns.(dns.HostsLookup); ok && destination.Address.Family().IsDomain() {
 		proxied := hosts.LookupHosts(ob.Target.String())
 		if proxied != nil {
 			ro := ob.RouteTarget == destination
 			destination.Address = *proxied
 			if ro {
 				ob.RouteTarget = destination
 			} else {
 				ob.Target = destination
 			}
 		}
 	}
 	var handler outbound.Handler
--- a/app/dispatcher/sniffer.go
+++ b/app/dispatcher/sniffer.go
@@ -6,6 +6,7 @@ import (
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/protocol/bittorrent"
 	"github.com/xtls/xray-core/common/protocol/http"
 	"github.com/xtls/xray-core/common/protocol/quic"
@@ -58,14 +59,17 @@ var errUnknownContent = errors.New("unknown content")
 func (s *Sniffer) Sniff(c context.Context, payload []byte, network net.Network) (SniffResult, error) {
 	var pendingSniffer []protocolSnifferWithMetadata
 	for _, si := range s.sniffer {
-		s := si.protocolSniffer
+		protocolSniffer := si.protocolSniffer
 		if si.metadataSniffer || si.network != network {
 			continue
 		}
-		result, err := s(c, payload)
+		result, err := protocolSniffer(c, payload)
 		if err == common.ErrNoClue {
 			pendingSniffer = append(pendingSniffer, si)
 			continue
 		} else if err == protocol.ErrProtoNeedMoreData { // Sniffer protocol matched, but need more data to complete sniffing
 			s.sniffer = []protocolSnifferWithMetadata{si}
 			return nil, err
 		}
 		if err == nil && result != nil {
--- a/app/dns/cache_controller.go
+++ b/app/dns/cache_controller.go
@@ -0,0 +1,188 @@
 package dns
 import (
 	"context"
 	go_errors "errors"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"golang.org/x/net/dns/dnsmessage"
 	"sync"
 	"time"
 )
 type CacheController struct {
 	sync.RWMutex
 	ips          map[string]*record
 	pub          *pubsub.Service
 	cacheCleanup *task.Periodic
 	name         string
 	disableCache bool
 }
 func NewCacheController(name string, disableCache bool) *CacheController {
 	c := &CacheController{
 		name:         name,
 		disableCache: disableCache,
 		ips:          make(map[string]*record),
 		pub:          pubsub.NewService(),
 	}
 	c.cacheCleanup = &task.Periodic{
 		Interval: time.Minute,
 		Execute:  c.CacheCleanup,
 	}
 	return c
 }
 // CacheCleanup clears expired items from cache
 func (c *CacheController) CacheCleanup() error {
 	now := time.Now()
 	c.Lock()
 	defer c.Unlock()
 	if len(c.ips) == 0 {
 		return errors.New("nothing to do. stopping...")
 	}
 	for domain, record := range c.ips {
 		if record.A != nil && record.A.Expire.Before(now) {
 			record.A = nil
 		}
 		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
 			record.AAAA = nil
 		}
 		if record.A == nil && record.AAAA == nil {
 			errors.LogDebug(context.Background(), c.name, "cache cleanup ", domain)
 			delete(c.ips, domain)
 		} else {
 			c.ips[domain] = record
 		}
 	}
 	if len(c.ips) == 0 {
 		c.ips = make(map[string]*record)
 	}
 	return nil
 }
 func (c *CacheController) updateIP(req *dnsRequest, ipRec *IPRecord) {
 	elapsed := time.Since(req.start)
 	c.Lock()
 	rec, found := c.ips[req.domain]
 	if !found {
 		rec = &record{}
 	}
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		rec.A = ipRec
 	case dnsmessage.TypeAAAA:
 		rec.AAAA = ipRec
 	}
 	errors.LogInfo(context.Background(), c.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
 	c.ips[req.domain] = rec
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		c.pub.Publish(req.domain+"4", nil)
 		if !c.disableCache {
 			_, _, err := rec.AAAA.getIPs()
 			if !go_errors.Is(err, errRecordNotFound) {
 				c.pub.Publish(req.domain+"6", nil)
 			}
 		}
 	case dnsmessage.TypeAAAA:
 		c.pub.Publish(req.domain+"6", nil)
 		if !c.disableCache {
 			_, _, err := rec.A.getIPs()
 			if !go_errors.Is(err, errRecordNotFound) {
 				c.pub.Publish(req.domain+"4", nil)
 			}
 		}
 	}
 	c.Unlock()
 	common.Must(c.cacheCleanup.Start())
 }
 func (c *CacheController) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	c.RLock()
 	record, found := c.ips[domain]
 	c.RUnlock()
 	if !found {
 		return nil, 0, errRecordNotFound
 	}
 	var errs []error
 	var allIPs []net.IP
 	var rTTL uint32 = dns_feature.DefaultTTL
 	mergeReq := option.IPv4Enable && option.IPv6Enable
 	if option.IPv4Enable {
 		ips, ttl, err := record.A.getIPs()
 		if !mergeReq || go_errors.Is(err, errRecordNotFound) {
 			return ips, ttl, err
 		}
 		if ttl < rTTL {
 			rTTL = ttl
 		}
 		if len(ips) > 0 {
 			allIPs = append(allIPs, ips...)
 		} else {
 			errs = append(errs, err)
 		}
 	}
 	if option.IPv6Enable {
 		ips, ttl, err := record.AAAA.getIPs()
 		if !mergeReq || go_errors.Is(err, errRecordNotFound) {
 			return ips, ttl, err
 		}
 		if ttl < rTTL {
 			rTTL = ttl
 		}
 		if len(ips) > 0 {
 			allIPs = append(allIPs, ips...)
 		} else {
 			errs = append(errs, err)
 		}
 	}
 	if len(allIPs) > 0 {
 		return allIPs, rTTL, nil
 	}
 	if go_errors.Is(errs[0], errs[1]) {
 		return nil, rTTL, errs[0]
 	}
 	return nil, rTTL, errors.Combine(errs...)
 }
 func (c *CacheController) registerSubscribers(domain string, option dns_feature.IPOption) (sub4 *pubsub.Subscriber, sub6 *pubsub.Subscriber) {
 	// ipv4 and ipv6 belong to different subscription groups
 	if option.IPv4Enable {
 		sub4 = c.pub.Subscribe(domain + "4")
 	}
 	if option.IPv6Enable {
 		sub6 = c.pub.Subscribe(domain + "6")
 	}
 	return
 }
 func closeSubscribers(sub4 *pubsub.Subscriber, sub6 *pubsub.Subscriber) {
 	if sub4 != nil {
 		sub4.Close()
 	}
 	if sub6 != nil {
 		sub6.Close()
 	}
 }
--- a/app/dns/config.pb.go
+++ b/app/dns/config.pb.go
@@ -80,6 +80,7 @@ const (
 	QueryStrategy_USE_IP  QueryStrategy = 0
 	QueryStrategy_USE_IP4 QueryStrategy = 1
 	QueryStrategy_USE_IP6 QueryStrategy = 2
 	QueryStrategy_USE_SYS QueryStrategy = 3
 )
 // Enum value maps for QueryStrategy.
@@ -88,11 +89,13 @@ var (
 		0: "USE_IP",
 		1: "USE_IP4",
 		2: "USE_IP6",
 		3: "USE_SYS",
 	}
 	QueryStrategy_value = map[string]int32{
 		"USE_IP":  0,
 		"USE_IP4": 1,
 		"USE_IP6": 2,
 		"USE_SYS": 3,
 	}
 )
@@ -132,9 +135,16 @@ type NameServer struct {
 	ClientIp          []byte                       `protobuf:"bytes,5,opt,name=client_ip,json=clientIp,proto3" json:"client_ip,omitempty"`
 	SkipFallback      bool                         `protobuf:"varint,6,opt,name=skipFallback,proto3" json:"skipFallback,omitempty"`
 	PrioritizedDomain []*NameServer_PriorityDomain `protobuf:"bytes,2,rep,name=prioritized_domain,json=prioritizedDomain,proto3" json:"prioritized_domain,omitempty"`
-	Geoip             []*router.GeoIP              `protobuf:"bytes,3,rep,name=geoip,proto3" json:"geoip,omitempty"`
+	ExpectedGeoip     []*router.GeoIP              `protobuf:"bytes,3,rep,name=expected_geoip,json=expectedGeoip,proto3" json:"expected_geoip,omitempty"`
 	OriginalRules     []*NameServer_OriginalRule   `protobuf:"bytes,4,rep,name=original_rules,json=originalRules,proto3" json:"original_rules,omitempty"`
 	QueryStrategy     QueryStrategy                `protobuf:"varint,7,opt,name=query_strategy,json=queryStrategy,proto3,enum=xray.app.dns.QueryStrategy" json:"query_strategy,omitempty"`
 	ActPrior          bool                         `protobuf:"varint,8,opt,name=actPrior,proto3" json:"actPrior,omitempty"`
 	Tag               string                       `protobuf:"bytes,9,opt,name=tag,proto3" json:"tag,omitempty"`
 	TimeoutMs         uint64                       `protobuf:"varint,10,opt,name=timeoutMs,proto3" json:"timeoutMs,omitempty"`
 	DisableCache      bool                         `protobuf:"varint,11,opt,name=disableCache,proto3" json:"disableCache,omitempty"`
 	FinalQuery        bool                         `protobuf:"varint,12,opt,name=finalQuery,proto3" json:"finalQuery,omitempty"`
 	UnexpectedGeoip   []*router.GeoIP              `protobuf:"bytes,13,rep,name=unexpected_geoip,json=unexpectedGeoip,proto3" json:"unexpected_geoip,omitempty"`
 	ActUnprior        bool                         `protobuf:"varint,14,opt,name=actUnprior,proto3" json:"actUnprior,omitempty"`
 }
 func (x *NameServer) Reset() {
@@ -195,9 +205,9 @@ func (x *NameServer) GetPrioritizedDomain() []*NameServer_PriorityDomain {
 	return nil
 }
-func (x *NameServer) GetGeoip() []*router.GeoIP {
+func (x *NameServer) GetExpectedGeoip() []*router.GeoIP {
 	if x != nil {
-		return x.Geoip
+		return x.ExpectedGeoip
 	}
 	return nil
 }
@@ -216,6 +226,55 @@ func (x *NameServer) GetQueryStrategy() QueryStrategy {
 	return QueryStrategy_USE_IP
 }
 func (x *NameServer) GetActPrior() bool {
 	if x != nil {
 		return x.ActPrior
 	}
 	return false
 }
 func (x *NameServer) GetTag() string {
 	if x != nil {
 		return x.Tag
 	}
 	return ""
 }
 func (x *NameServer) GetTimeoutMs() uint64 {
 	if x != nil {
 		return x.TimeoutMs
 	}
 	return 0
 }
 func (x *NameServer) GetDisableCache() bool {
 	if x != nil {
 		return x.DisableCache
 	}
 	return false
 }
 func (x *NameServer) GetFinalQuery() bool {
 	if x != nil {
 		return x.FinalQuery
 	}
 	return false
 }
 func (x *NameServer) GetUnexpectedGeoip() []*router.GeoIP {
 	if x != nil {
 		return x.UnexpectedGeoip
 	}
 	return nil
 }
 func (x *NameServer) GetActUnprior() bool {
 	if x != nil {
 		return x.ActUnprior
 	}
 	return false
 }
 type Config struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -508,7 +567,7 @@ var file_app_dns_config_proto_rawDesc = []byte{
 	0x2e, 0x64, 0x6e, 0x73, 0x1a, 0x1c, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x6e, 0x65, 0x74,
 	0x2f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x1a, 0x17, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb2, 0x04, 0x0a, 0x0a,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x06, 0x0a, 0x0a,
 	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x07, 0x61, 0x64,
 	0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x78, 0x72,
 	0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x6e, 0x65, 0x74, 0x2e, 0x45, 0x6e,
@@ -522,75 +581,92 @@ var file_app_dns_config_proto_rawDesc = []byte{
 	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x4e, 0x61, 0x6d, 0x65,
 	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x50, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x44,
 	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x52, 0x11, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x7a,
-	0x65, 0x64, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x2c, 0x0a, 0x05, 0x67, 0x65, 0x6f, 0x69,
+	0x65, 0x64, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x3d, 0x0a, 0x0e, 0x65, 0x78, 0x70, 0x65,
-	0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61,
+	0x63, 0x74, 0x65, 0x64, 0x5f, 0x67, 0x65, 0x6f, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
-	0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x49, 0x50, 0x52,
+	0x32, 0x16, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74,
-	0x05, 0x67, 0x65, 0x6f, 0x69, 0x70, 0x12, 0x4c, 0x0a, 0x0e, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e,
+	0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x49, 0x50, 0x52, 0x0d, 0x65, 0x78, 0x70, 0x65, 0x63, 0x74,
-	0x61, 0x6c, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25,
+	0x65, 0x64, 0x47, 0x65, 0x6f, 0x69, 0x70, 0x12, 0x4c, 0x0a, 0x0e, 0x6f, 0x72, 0x69, 0x67, 0x69,
-	0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x4e, 0x61,
+	0x6e, 0x61, 0x6c, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61,
+	0x25, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x4e,
-	0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x52,
+	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e,
-	0x75, 0x6c, 0x65, 0x73, 0x12, 0x42, 0x0a, 0x0e, 0x71, 0x75, 0x65, 0x72, 0x79, 0x5f, 0x73, 0x74,
+	0x61, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c,
-	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x78,
+	0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x42, 0x0a, 0x0e, 0x71, 0x75, 0x65, 0x72, 0x79, 0x5f, 0x73,
-	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x51, 0x75, 0x65, 0x72,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e,
-	0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0d, 0x71, 0x75, 0x65, 0x72, 0x79,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x51, 0x75, 0x65,
-	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x1a, 0x5e, 0x0a, 0x0e, 0x50, 0x72, 0x69, 0x6f,
+	0x72, 0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0d, 0x71, 0x75, 0x65, 0x72,
-	0x72, 0x69, 0x74, 0x79, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x34, 0x0a, 0x04, 0x74, 0x79,
+	0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x63, 0x74,
-	0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
+	0x50, 0x72, 0x69, 0x6f, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x61, 0x63, 0x74,
-	0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61,
+	0x50, 0x72, 0x69, 0x6f, 0x72, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x09, 0x20, 0x01,
-	0x74, 0x63, 0x68, 0x69, 0x6e, 0x67, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65,
+	0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x6f,
-	0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x75, 0x74, 0x4d, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65,
-	0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x1a, 0x36, 0x0a, 0x0c, 0x4f, 0x72, 0x69, 0x67,
+	0x6f, 0x75, 0x74, 0x4d, 0x73, 0x12, 0x22, 0x0a, 0x0c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
-	0x69, 0x6e, 0x61, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65,
+	0x43, 0x61, 0x63, 0x68, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x64, 0x69, 0x73,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04,
+	0x61, 0x62, 0x6c, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x66, 0x69, 0x6e,
-	0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65,
+	0x61, 0x6c, 0x51, 0x75, 0x65, 0x72, 0x79, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x66,
-	0x22, 0x9c, 0x04, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x39, 0x0a, 0x0b, 0x6e,
+	0x69, 0x6e, 0x61, 0x6c, 0x51, 0x75, 0x65, 0x72, 0x79, 0x12, 0x41, 0x0a, 0x10, 0x75, 0x6e, 0x65,
-	0x61, 0x6d, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b,
+	0x78, 0x70, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x67, 0x65, 0x6f, 0x69, 0x70, 0x18, 0x0d, 0x20,
-	0x32, 0x18, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e,
+	0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72,
-	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65,
+	0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x49, 0x50, 0x52, 0x0f, 0x75, 0x6e, 0x65,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x78, 0x70, 0x65, 0x63, 0x74, 0x65, 0x64, 0x47, 0x65, 0x6f, 0x69, 0x70, 0x12, 0x1e, 0x0a, 0x0a,
-	0x5f, 0x69, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e,
+	0x61, 0x63, 0x74, 0x55, 0x6e, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x08,
-	0x74, 0x49, 0x70, 0x12, 0x43, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x5f, 0x68, 0x6f,
+	0x52, 0x0a, 0x61, 0x63, 0x74, 0x55, 0x6e, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x1a, 0x5e, 0x0a, 0x0e,
-	0x73, 0x74, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79,
+	0x50, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x34,
-	0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
+	0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x78,
-	0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0b, 0x73, 0x74, 0x61,
+	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x44, 0x6f, 0x6d, 0x61,
-	0x74, 0x69, 0x63, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18,
+	0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x69, 0x6e, 0x67, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
-	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x22, 0x0a, 0x0c, 0x64, 0x69,
+	0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x1a, 0x36, 0x0a, 0x0c,
-	0x52, 0x0c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x12, 0x42,
+	0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04,
-	0x0a, 0x0e, 0x71, 0x75, 0x65, 0x72, 0x79, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79,
+	0x72, 0x75, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65,
-	0x18, 0x09, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70,
+	0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04,
-	0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74, 0x72, 0x61, 0x74,
+	0x73, 0x69, 0x7a, 0x65, 0x22, 0x9c, 0x04, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
-	0x65, 0x67, 0x79, 0x52, 0x0d, 0x71, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65,
+	0x39, 0x0a, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18, 0x05,
-	0x67, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e,
-	0x6c, 0x62, 0x61, 0x63, 0x6b, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73,
+	0x64, 0x6e, 0x73, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0a,
-	0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x12, 0x36, 0x0a, 0x16,
+	0x6e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x6c,
-	0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x49,
+	0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x63,
-	0x66, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x16, 0x64, 0x69,
+	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x70, 0x12, 0x43, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x49, 0x66, 0x4d,
+	0x63, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e,
-	0x61, 0x74, 0x63, 0x68, 0x1a, 0x92, 0x01, 0x0a, 0x0b, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x43, 0x6f, 0x6e,
-	0x70, 0x69, 0x6e, 0x67, 0x12, 0x34, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x66, 0x69, 0x67, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52,
-	0x28, 0x0e, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e,
+	0x0b, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03,
-	0x73, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x69, 0x6e, 0x67,
+	0x74, 0x61, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x22,
-	0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f,
+	0x0a, 0x0c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x18, 0x08,
-	0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x61, 0x63,
-	0x69, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x02,
+	0x68, 0x65, 0x12, 0x42, 0x0a, 0x0e, 0x71, 0x75, 0x65, 0x72, 0x79, 0x5f, 0x73, 0x74, 0x72, 0x61,
-	0x69, 0x70, 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x78, 0x69, 0x65, 0x64, 0x5f, 0x64, 0x6f,
+	0x74, 0x65, 0x67, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x78, 0x72, 0x61,
-	0x6d, 0x61, 0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53,
-	0x69, 0x65, 0x64, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x2a,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0d, 0x71, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74,
-	0x45, 0x0a, 0x12, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x69, 0x6e,
+	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c,
-	0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x08, 0x0a, 0x04, 0x46, 0x75, 0x6c, 0x6c, 0x10, 0x00, 0x12,
+	0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x0d, 0x0a, 0x09, 0x53, 0x75, 0x62, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x10, 0x01, 0x12, 0x0b,
+	0x0f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b,
-	0x0a, 0x07, 0x4b, 0x65, 0x79, 0x77, 0x6f, 0x72, 0x64, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x52,
+	0x12, 0x36, 0x0a, 0x16, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62,
-	0x65, 0x67, 0x65, 0x78, 0x10, 0x03, 0x2a, 0x35, 0x0a, 0x0d, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53,
+	0x61, 0x63, 0x6b, 0x49, 0x66, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08,
-	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x0a, 0x0a, 0x06, 0x55, 0x53, 0x45, 0x5f, 0x49,
+	0x52, 0x16, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63,
-	0x50, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x10, 0x01,
+	0x6b, 0x49, 0x66, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x1a, 0x92, 0x01, 0x0a, 0x0b, 0x48, 0x6f, 0x73,
-	0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x10, 0x02, 0x42, 0x46, 0x0a,
+	0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x34, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65,
-	0x10, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70,
-	0x73, 0x50, 0x01, 0x5a, 0x21, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63,
-	0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61,
+	0x68, 0x69, 0x6e, 0x67, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16,
-	0x70, 0x70, 0x2f, 0x64, 0x6e, 0x73, 0xaa, 0x02, 0x0c, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70,
+	0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x70, 0x2e, 0x44, 0x6e, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03,
 	0x28, 0x0c, 0x52, 0x02, 0x69, 0x70, 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x72, 0x6f, 0x78, 0x69, 0x65,
 	0x64, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
 	0x70, 0x72, 0x6f, 0x78, 0x69, 0x65, 0x64, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4a, 0x04, 0x08,
 	0x07, 0x10, 0x08, 0x2a, 0x45, 0x0a, 0x12, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74,
 	0x63, 0x68, 0x69, 0x6e, 0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x08, 0x0a, 0x04, 0x46, 0x75, 0x6c,
 	0x6c, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x53, 0x75, 0x62, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
 	0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x77, 0x6f, 0x72, 0x64, 0x10, 0x02, 0x12,
 	0x09, 0x0a, 0x05, 0x52, 0x65, 0x67, 0x65, 0x78, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0d, 0x51, 0x75,
 	0x65, 0x72, 0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x0a, 0x0a, 0x06, 0x55,
 	0x53, 0x45, 0x5f, 0x49, 0x50, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49,
 	0x50, 0x34, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x10,
 	0x02, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x53, 0x59, 0x53, 0x10, 0x03, 0x42, 0x46,
 	0x0a, 0x10, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64,
 	0x6e, 0x73, 0x50, 0x01, 0x5a, 0x21, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
 	0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f,
 	0x61, 0x70, 0x70, 0x2f, 0x64, 0x6e, 0x73, 0xaa, 0x02, 0x0c, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41,
 	0x70, 0x70, 0x2e, 0x44, 0x6e, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
@@ -621,19 +697,20 @@ var file_app_dns_config_proto_goTypes = []any{
 var file_app_dns_config_proto_depIdxs = []int32{
 	7,  // 0: xray.app.dns.NameServer.address:type_name -> xray.common.net.Endpoint
 	4,  // 1: xray.app.dns.NameServer.prioritized_domain:type_name -> xray.app.dns.NameServer.PriorityDomain
-	8,  // 2: xray.app.dns.NameServer.geoip:type_name -> xray.app.router.GeoIP
+	8,  // 2: xray.app.dns.NameServer.expected_geoip:type_name -> xray.app.router.GeoIP
 	5,  // 3: xray.app.dns.NameServer.original_rules:type_name -> xray.app.dns.NameServer.OriginalRule
 	1,  // 4: xray.app.dns.NameServer.query_strategy:type_name -> xray.app.dns.QueryStrategy
-	2,  // 5: xray.app.dns.Config.name_server:type_name -> xray.app.dns.NameServer
+	8,  // 5: xray.app.dns.NameServer.unexpected_geoip:type_name -> xray.app.router.GeoIP
-	6,  // 6: xray.app.dns.Config.static_hosts:type_name -> xray.app.dns.Config.HostMapping
+	2,  // 6: xray.app.dns.Config.name_server:type_name -> xray.app.dns.NameServer
-	1,  // 7: xray.app.dns.Config.query_strategy:type_name -> xray.app.dns.QueryStrategy
+	6,  // 7: xray.app.dns.Config.static_hosts:type_name -> xray.app.dns.Config.HostMapping
-	0,  // 8: xray.app.dns.NameServer.PriorityDomain.type:type_name -> xray.app.dns.DomainMatchingType
+	1,  // 8: xray.app.dns.Config.query_strategy:type_name -> xray.app.dns.QueryStrategy
-	0,  // 9: xray.app.dns.Config.HostMapping.type:type_name -> xray.app.dns.DomainMatchingType
+	0,  // 9: xray.app.dns.NameServer.PriorityDomain.type:type_name -> xray.app.dns.DomainMatchingType
-	10, // [10:10] is the sub-list for method output_type
+	0,  // 10: xray.app.dns.Config.HostMapping.type:type_name -> xray.app.dns.DomainMatchingType
-	10, // [10:10] is the sub-list for method input_type
+	11, // [11:11] is the sub-list for method output_type
-	10, // [10:10] is the sub-list for extension type_name
+	11, // [11:11] is the sub-list for method input_type
-	10, // [10:10] is the sub-list for extension extendee
+	11, // [11:11] is the sub-list for extension type_name
-	0,  // [0:10] is the sub-list for field type_name
+	11, // [11:11] is the sub-list for extension extendee
 	0,  // [0:11] is the sub-list for field type_name
 }
 func init() { file_app_dns_config_proto_init() }
--- a/app/dns/config.proto
+++ b/app/dns/config.proto
@@ -25,9 +25,16 @@ message NameServer {
  }
  repeated PriorityDomain prioritized_domain = 2;
-  repeated xray.app.router.GeoIP geoip = 3;
+  repeated xray.app.router.GeoIP expected_geoip = 3;
  repeated OriginalRule original_rules = 4;
  QueryStrategy query_strategy = 7;
  bool actPrior = 8;
  string tag = 9;
  uint64 timeoutMs = 10;
  bool disableCache = 11;
  bool finalQuery = 12;
  repeated xray.app.router.GeoIP unexpected_geoip = 13;
  bool actUnprior = 14;
 }
 enum DomainMatchingType {
@@ -41,6 +48,7 @@ enum QueryStrategy {
  USE_IP = 0;
  USE_IP4 = 1;
  USE_IP6 = 2;
  USE_SYS = 3;
 }
 message Config {
--- a/app/dns/dns.go
+++ b/app/dns/dns.go
@@ -3,11 +3,12 @@ package dns
 import (
 	"context"
 	go_errors "errors"
 	"fmt"
 	"sort"
 	"strings"
 	"sync"
 	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
@@ -19,8 +20,6 @@ import (
 // DNS is a DNS rely server.
 type DNS struct {
 	sync.Mutex
 	tag                    string
 	disableCache           bool
 	disableFallback        bool
 	disableFallbackIfMatch bool
 	ipOption               *dns.IPOption
@@ -29,6 +28,7 @@ type DNS struct {
 	ctx                    context.Context
 	domainMatcher          strmatcher.IndexMatcher
 	matcherInfos           []*DomainMatcherInfo
 	checkSystem            bool
 }
 // DomainMatcherInfo contains information attached to index returned by Server.domainMatcher
@@ -39,13 +39,6 @@ type DomainMatcherInfo struct {
 // New creates a new DNS server with given configuration.
 func New(ctx context.Context, config *Config) (*DNS, error) {
 	var tag string
 	if len(config.Tag) > 0 {
 		tag = config.Tag
 	} else {
 		tag = generateRandomTag()
 	}
 	var clientIP net.IP
 	switch len(config.ClientIp) {
 	case 0, net.IPv4len, net.IPv6len:
@@ -54,26 +47,36 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		return nil, errors.New("unexpected client IP length ", len(config.ClientIp))
 	}
-	var ipOption *dns.IPOption
+	var ipOption dns.IPOption
 	checkSystem := false
 	switch config.QueryStrategy {
 	case QueryStrategy_USE_IP:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
 		}
 	case QueryStrategy_USE_SYS:
 		ipOption = dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
 		}
 		checkSystem = true
 	case QueryStrategy_USE_IP4:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: false,
 		}
 	case QueryStrategy_USE_IP6:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
 		}
 	default:
 		return nil, errors.New("unexpected query strategy ", config.QueryStrategy)
 	}
 	hosts, err := NewStaticHosts(config.StaticHosts)
@@ -81,8 +84,14 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		return nil, errors.New("failed to create hosts").Base(err)
 	}
-	clients := []*Client{}
+	var clients []*Client
 	domainRuleCount := 0
 	var defaultTag = config.Tag
 	if len(config.Tag) == 0 {
 		defaultTag = generateRandomTag()
 	}
 	for _, ns := range config.NameServer {
 		domainRuleCount += len(ns.PrioritizedDomain)
 	}
@@ -90,7 +99,6 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 	// MatcherInfos is ensured to cover the maximum index domainMatcher could return, where matcher's index starts from 1
 	matcherInfos := make([]*DomainMatcherInfo, domainRuleCount+1)
 	domainMatcher := &strmatcher.MatcherGroup{}
 	geoipContainer := router.GeoIPMatcherContainer{}
 	for _, ns := range config.NameServer {
 		clientIdx := len(clients)
@@ -108,7 +116,19 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		case net.IPv4len, net.IPv6len:
 			myClientIP = net.IP(ns.ClientIp)
 		}
-		client, err := NewClient(ctx, ns, myClientIP, geoipContainer, &matcherInfos, updateDomain)
+
 		disableCache := config.DisableCache || ns.DisableCache
 		var tag = defaultTag
 		if len(ns.Tag) > 0 {
 			tag = ns.Tag
 		}
 		clientIPOption := ResolveIpOptionOverride(ns.QueryStrategy, ipOption)
 		if !clientIPOption.IPv4Enable && !clientIPOption.IPv6Enable {
 			return nil, errors.New("no QueryStrategy available for ", ns.Address)
 		}
 		client, err := NewClient(ctx, ns, myClientIP, disableCache, tag, clientIPOption, &matcherInfos, updateDomain)
 		if err != nil {
 			return nil, errors.New("failed to create client").Base(err)
 		}
@@ -117,20 +137,19 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 	// If there is no DNS client in config, add a `localhost` DNS client
 	if len(clients) == 0 {
-		clients = append(clients, NewLocalDNSClient())
+		clients = append(clients, NewLocalDNSClient(ipOption))
 	}
 	return &DNS{
 		tag:                    tag,
 		hosts:                  hosts,
-		ipOption:               ipOption,
+		ipOption:               &ipOption,
 		clients:                clients,
 		ctx:                    ctx,
 		domainMatcher:          domainMatcher,
 		matcherInfos:           matcherInfos,
 		disableCache:           config.DisableCache,
 		disableFallback:        config.DisableFallback,
 		disableFallbackIfMatch: config.DisableFallbackIfMatch,
 		checkSystem:            checkSystem,
 	}, nil
 }
@@ -152,94 +171,101 @@ func (s *DNS) Close() error {
 // IsOwnLink implements proxy.dns.ownLinkVerifier
 func (s *DNS) IsOwnLink(ctx context.Context) bool {
 	inbound := session.InboundFromContext(ctx)
-	return inbound != nil && inbound.Tag == s.tag
+	if inbound == nil {
 		return false
 	}
 	for _, client := range s.clients {
 		if client.tag == inbound.Tag {
 			return true
 		}
 	}
 	return false
 }
 // LookupIP implements dns.Client.
-func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, error) {
+func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, uint32, error) {
 	if domain == "" {
 		return nil, errors.New("empty domain name")
 	}
 	option.IPv4Enable = option.IPv4Enable && s.ipOption.IPv4Enable
 	option.IPv6Enable = option.IPv6Enable && s.ipOption.IPv6Enable
 	if !option.IPv4Enable && !option.IPv6Enable {
 		return nil, dns.ErrEmptyResponse
 	}
 	// Normalize the FQDN form query
 	domain = strings.TrimSuffix(domain, ".")
 	if domain == "" {
 		return nil, 0, errors.New("empty domain name")
 	}
 	if s.checkSystem {
 		supportIPv4, supportIPv6 := checkSystemNetwork()
 		option.IPv4Enable = option.IPv4Enable && supportIPv4
 		option.IPv6Enable = option.IPv6Enable && supportIPv6
 	} else {
 		option.IPv4Enable = option.IPv4Enable && s.ipOption.IPv4Enable
 		option.IPv6Enable = option.IPv6Enable && s.ipOption.IPv6Enable
 	}
 	if !option.IPv4Enable && !option.IPv6Enable {
 		return nil, 0, dns.ErrEmptyResponse
 	}
 	// Static host lookup
-	switch addrs := s.hosts.Lookup(domain, option); {
+	switch addrs, err := s.hosts.Lookup(domain, option); {
 	case err != nil:
 		if go_errors.Is(err, dns.ErrEmptyResponse) {
 			return nil, 0, dns.ErrEmptyResponse
 		}
 		return nil, 0, errors.New("returning nil for domain ", domain).Base(err)
 	case addrs == nil: // Domain not recorded in static host
 		break
 	case len(addrs) == 0: // Domain recorded, but no valid IP returned (e.g. IPv4 address with only IPv6 enabled)
-		return nil, dns.ErrEmptyResponse
+		return nil, 0, dns.ErrEmptyResponse
 	case len(addrs) == 1 && addrs[0].Family().IsDomain(): // Domain replacement
 		errors.LogInfo(s.ctx, "domain replaced: ", domain, " -> ", addrs[0].Domain())
 		domain = addrs[0].Domain()
 	default: // Successfully found ip records in static host
 		errors.LogInfo(s.ctx, "returning ", len(addrs), " IP(s) for domain ", domain, " -> ", addrs)
-		return toNetIP(addrs)
+		ips, err := toNetIP(addrs)
 		if err != nil {
 			return nil, 0, err
 		}
 		return ips, 10, nil // Hosts ttl is 10
 	}
 	// Name servers lookup
-	errs := []error{}
+	var errs []error
 	ctx := session.ContextWithInbound(s.ctx, &session.Inbound{Tag: s.tag})
 	for _, client := range s.sortClients(domain) {
 		if !option.FakeEnable && strings.EqualFold(client.Name(), "FakeDNS") {
 			errors.LogDebug(s.ctx, "skip DNS resolution for domain ", domain, " at server ", client.Name())
 			continue
 		}
-		ips, err := client.QueryIP(ctx, domain, option, s.disableCache)
+
 		ips, ttl, err := client.QueryIP(s.ctx, domain, option)
 		if len(ips) > 0 {
-			return ips, nil
+			if ttl == 0 {
 				ttl = 1
 			}
 			return ips, ttl, nil
 		}
-		if err != nil {
+
-			errors.LogInfoInner(s.ctx, err, "failed to lookup ip for domain ", domain, " at server ", client.Name())
+		errors.LogInfoInner(s.ctx, err, "failed to lookup ip for domain ", domain, " at server ", client.Name())
-			errs = append(errs, err)
+		if err == nil {
 			err = dns.ErrEmptyResponse
 		}
-		// 5 for RcodeRefused in miekg/dns, hardcode to reduce binary size
+		errs = append(errs, err)
-		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch && err != dns.ErrEmptyResponse && dns.RCodeFromError(err) != 5 {
+
-			return nil, err
+		if client.IsFinalQuery() {
 			break
 		}
 	}
-	return nil, errors.New("returning nil for domain ", domain).Base(errors.Combine(errs...))
+	if len(errs) > 0 {
-}
+		allErrs := errors.Combine(errs...)
-
+		err0 := errs[0]
-// LookupHosts implements dns.HostsLookup.
+		if errors.AllEqual(err0, allErrs) {
-func (s *DNS) LookupHosts(domain string) *net.Address {
+			if go_errors.Is(err0, dns.ErrEmptyResponse) {
-	domain = strings.TrimSuffix(domain, ".")
+				return nil, 0, dns.ErrEmptyResponse
-	if domain == "" {
+			}
-		return nil
+			return nil, 0, errors.New("returning nil for domain ", domain).Base(err0)
 		}
 		return nil, 0, errors.New("returning nil for domain ", domain).Base(allErrs)
 	}
-	// Normalize the FQDN form query
+	return nil, 0, dns.ErrEmptyResponse
 	addrs := s.hosts.Lookup(domain, *s.ipOption)
 	if len(addrs) > 0 {
 		errors.LogInfo(s.ctx, "domain replaced: ", domain, " -> ", addrs[0].String())
 		return &addrs[0]
 	}
 	return nil
 }
 // GetIPOption implements ClientWithIPOption.
 func (s *DNS) GetIPOption() *dns.IPOption {
 	return s.ipOption
 }
 // SetQueryOption implements ClientWithIPOption.
 func (s *DNS) SetQueryOption(isIPv4Enable, isIPv6Enable bool) {
 	s.ipOption.IPv4Enable = isIPv4Enable
 	s.ipOption.IPv6Enable = isIPv6Enable
 }
 // SetFakeDNSOption implements ClientWithIPOption.
 func (s *DNS) SetFakeDNSOption(isFakeEnable bool) {
 	s.ipOption.FakeEnable = isFakeEnable
 }
 func (s *DNS) sortClients(domain string) []*Client {
@@ -250,7 +276,11 @@ func (s *DNS) sortClients(domain string) []*Client {
 	// Priority domain matching
 	hasMatch := false
-	for _, match := range s.domainMatcher.Match(domain) {
+	MatchSlice := s.domainMatcher.Match(domain)
 	sort.Slice(MatchSlice, func(i, j int) bool {
 		return MatchSlice[i] < MatchSlice[j]
 	})
 	for _, match := range MatchSlice {
 		info := s.matcherInfos[match]
 		client := s.clients[info.clientIdx]
 		domainRule := client.domains[info.domainRuleIdx]
@@ -297,3 +327,22 @@ func init() {
 		return New(ctx, config.(*Config))
 	}))
 }
 func checkSystemNetwork() (supportIPv4 bool, supportIPv6 bool) {
 	conn4, err4 := net.Dial("udp4", "8.8.8.8:53")
 	if err4 != nil {
 		supportIPv4 = false
 	} else {
 		supportIPv4 = true
 		conn4.Close()
 	}
 	conn6, err6 := net.Dial("udp6", "[2001:4860:4860::8888]:53")
 	if err6 != nil {
 		supportIPv6 = false
 	} else {
 		supportIPv6 = true
 		conn6.Close()
 	}
 	return
 }
--- a/app/dns/dns_test.go
+++ b/app/dns/dns_test.go
@@ -76,6 +76,9 @@ func (*staticHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		case q.Name == "notexist.google.com." && q.Qtype == dns.TypeAAAA:
 			ans.MsgHdr.Rcode = dns.RcodeNameError
 		case q.Name == "notexist.google.com." && q.Qtype == dns.TypeA:
 			ans.MsgHdr.Rcode = dns.RcodeNameError
 		case q.Name == "hostname." && q.Qtype == dns.TypeA:
 			rr, _ := dns.NewRR("hostname. IN A 127.0.0.1")
 			ans.Answer = append(ans.Answer, rr)
@@ -117,7 +120,6 @@ func TestUDPServerSubnet(t *testing.T) {
 		Handler: &staticHandler{},
 		UDPSize: 1200,
 	}
 	go dnsServer.ListenAndServe()
 	time.Sleep(time.Second)
@@ -155,7 +157,7 @@ func TestUDPServerSubnet(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)
-	ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+	ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
@@ -216,7 +218,7 @@ func TestUDPServer(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)
 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -231,7 +233,7 @@ func TestUDPServer(t *testing.T) {
 	}
 	{
-		ips, err := client.LookupIP("facebook.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("facebook.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -246,7 +248,7 @@ func TestUDPServer(t *testing.T) {
 	}
 	{
-		_, err := client.LookupIP("notexist.google.com", feature_dns.IPOption{
+		_, _, err := client.LookupIP("notexist.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -260,7 +262,7 @@ func TestUDPServer(t *testing.T) {
 	}
 	{
-		ips, err := client.LookupIP("ipv4only.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv4only.google.com", feature_dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -276,7 +278,7 @@ func TestUDPServer(t *testing.T) {
 	dnsServer.Shutdown()
 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -357,7 +359,7 @@ func TestPrioritizedDomain(t *testing.T) {
 	startTime := time.Now()
 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -423,7 +425,7 @@ func TestUDPServerIPv6(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)
 	{
-		ips, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -492,7 +494,7 @@ func TestStaticHostDomain(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)
 	{
-		ips, err := client.LookupIP("example.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("example.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -537,7 +539,7 @@ func TestIPMatch(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{
 								CountryCode: "local",
 								Cidr: []*router.CIDR{
@@ -561,7 +563,7 @@ func TestIPMatch(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{
 								CountryCode: "test",
 								Cidr: []*router.CIDR{
@@ -603,7 +605,7 @@ func TestIPMatch(t *testing.T) {
 	startTime := time.Now()
 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -665,7 +667,7 @@ func TestLocalDomain(t *testing.T) {
 							// Equivalent of dotless:localhost
 							{Type: DomainMatchingType_Regex, Domain: "^[^.]*localhost[^.]*$"},
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{ // Will match localhost, localhost-a and localhost-b,
 								CountryCode: "local",
 								Cidr: []*router.CIDR{
@@ -726,7 +728,7 @@ func TestLocalDomain(t *testing.T) {
 	startTime := time.Now()
 	{ // Will match dotless:
-		ips, err := client.LookupIP("hostname", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostname", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -741,7 +743,7 @@ func TestLocalDomain(t *testing.T) {
 	}
 	{ // Will match domain:local
-		ips, err := client.LookupIP("hostname.local", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostname.local", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -756,7 +758,7 @@ func TestLocalDomain(t *testing.T) {
 	}
 	{ // Will match static ip
-		ips, err := client.LookupIP("hostnamestatic", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostnamestatic", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -771,7 +773,7 @@ func TestLocalDomain(t *testing.T) {
 	}
 	{ // Will match domain replacing
-		ips, err := client.LookupIP("hostnamealias", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostnamealias", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -785,8 +787,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}
-	{ // Will match dotless:localhost, but not expectIPs: 127.0.0.2, 127.0.0.3, then matches at dotless:
+	{ // Will match dotless:localhost, but not expectedIPs: 127.0.0.2, 127.0.0.3, then matches at dotless:
-		ips, err := client.LookupIP("localhost", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("localhost", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -800,8 +802,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}
-	{ // Will match dotless:localhost, and expectIPs: 127.0.0.2, 127.0.0.3
+	{ // Will match dotless:localhost, and expectedIPs: 127.0.0.2, 127.0.0.3
-		ips, err := client.LookupIP("localhost-a", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("localhost-a", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -815,8 +817,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}
-	{ // Will match dotless:localhost, and expectIPs: 127.0.0.2, 127.0.0.3
+	{ // Will match dotless:localhost, and expectedIPs: 127.0.0.2, 127.0.0.3
-		ips, err := client.LookupIP("localhost-b", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("localhost-b", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -831,7 +833,7 @@ func TestLocalDomain(t *testing.T) {
 	}
 	{ // Will match dotless:
-		ips, err := client.LookupIP("Mijia Cloud", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("Mijia Cloud", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -895,7 +897,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 								Domain: "google.com",
 							},
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{ // Will only match 8.8.8.8 and 8.8.4.4
 								Cidr: []*router.CIDR{
 									{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
@@ -920,7 +922,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 								Domain: "google.com",
 							},
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{ // Will match 8.8.8.8 and 8.8.8.7, etc
 								Cidr: []*router.CIDR{
 									{Ip: []byte{8, 8, 8, 7}, Prefix: 24},
@@ -944,7 +946,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 								Domain: "api.google.com",
 							},
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{ // Will only match 8.8.7.7 (api.google.com)
 								Cidr: []*router.CIDR{
 									{Ip: []byte{8, 8, 7, 7}, Prefix: 32},
@@ -968,7 +970,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 								Domain: "v2.api.google.com",
 							},
 						},
-						Geoip: []*router.GeoIP{
+						ExpectedGeoip: []*router.GeoIP{
 							{ // Will only match 8.8.7.8 (v2.api.google.com)
 								Cidr: []*router.CIDR{
 									{Ip: []byte{8, 8, 7, 8}, Prefix: 32},
@@ -997,7 +999,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	startTime := time.Now()
 	{ // Will match server 1,2 and server 1 returns expected ip
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -1012,7 +1014,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}
 	{ // Will match server 1,2 and server 1 returns unexpected ip, then server 2 returns expected one
-		ips, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: false,
@@ -1027,7 +1029,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}
 	{ // Will match server 3,1,2 and server 3 returns expected one
-		ips, err := client.LookupIP("api.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("api.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@@ -1042,7 +1044,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}
 	{ // Will match server 4,3,1,2 and server 4 returns expected one
-		ips, err := client.LookupIP("v2.api.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("v2.api.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
--- a/app/dns/dnscommon.go
+++ b/app/dns/dnscommon.go
@@ -31,30 +31,31 @@ type record struct {
 // IPRecord is a cacheable item for a resolved domain
 type IPRecord struct {
-	ReqID  uint16
+	ReqID     uint16
-	IP     []net.Address
+	IP        []net.IP
-	Expire time.Time
+	Expire    time.Time
-	RCode  dnsmessage.RCode
+	RCode     dnsmessage.RCode
 	RawHeader *dnsmessage.Header
 }
-func (r *IPRecord) getIPs() ([]net.Address, error) {
+func (r *IPRecord) getIPs() ([]net.IP, uint32, error) {
-	if r == nil || r.Expire.Before(time.Now()) {
+	if r == nil {
-		return nil, errRecordNotFound
+		return nil, 0, errRecordNotFound
 	}
 	untilExpire := time.Until(r.Expire)
 	if untilExpire <= 0 {
 		return nil, 0, errRecordNotFound
 	}
 	ttl := uint32(untilExpire/time.Second) + uint32(1)
 	if r.RCode != dnsmessage.RCodeSuccess {
-		return nil, dns_feature.RCodeError(r.RCode)
+		return nil, ttl, dns_feature.RCodeError(r.RCode)
 	}
 	if len(r.IP) == 0 {
 		return nil, ttl, dns_feature.ErrEmptyResponse
 	}
 	return r.IP, nil
 }
-func isNewer(baseRec *IPRecord, newRec *IPRecord) bool {
+	return r.IP, ttl, nil
 	if newRec == nil {
 		return false
 	}
 	if baseRec == nil {
 		return true
 	}
 	return baseRec.Expire.Before(newRec.Expire)
 }
 var errRecordNotFound = errors.New("record not found")
@@ -67,49 +68,59 @@ type dnsRequest struct {
 	msg     *dnsmessage.Message
 }
-func genEDNS0Options(clientIP net.IP) *dnsmessage.Resource {
+func genEDNS0Options(clientIP net.IP, padding int) *dnsmessage.Resource {
-	if len(clientIP) == 0 {
+	if len(clientIP) == 0 && padding == 0 {
 		return nil
 	}
-	var netmask int
+	const EDNS0SUBNET = 0x8
-	var family uint16
+	const EDNS0PADDING = 0xc
 	if len(clientIP) == 4 {
 		family = 1
 		netmask = 24 // 24 for IPV4, 96 for IPv6
 	} else {
 		family = 2
 		netmask = 96
 	}
 	b := make([]byte, 4)
 	binary.BigEndian.PutUint16(b[0:], family)
 	b[2] = byte(netmask)
 	b[3] = 0
 	switch family {
 	case 1:
 		ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
 		needLength := (netmask + 8 - 1) / 8 // division rounding up
 		b = append(b, ip[:needLength]...)
 	case 2:
 		ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
 		needLength := (netmask + 8 - 1) / 8 // division rounding up
 		b = append(b, ip[:needLength]...)
 	}
 	const EDNS0SUBNET = 0x08
 	opt := new(dnsmessage.Resource)
 	common.Must(opt.Header.SetEDNS0(1350, 0xfe00, true))
 	body := dnsmessage.OPTResource{}
 	opt.Body = &body
-	opt.Body = &dnsmessage.OPTResource{
+	if len(clientIP) != 0 {
-		Options: []dnsmessage.Option{
+		var netmask int
-			{
+		var family uint16
 		if len(clientIP) == 4 {
 			family = 1
 			netmask = 24 // 24 for IPV4, 96 for IPv6
 		} else {
 			family = 2
 			netmask = 96
 		}
 		b := make([]byte, 4)
 		binary.BigEndian.PutUint16(b[0:], family)
 		b[2] = byte(netmask)
 		b[3] = 0
 		switch family {
 		case 1:
 			ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
 			needLength := (netmask + 8 - 1) / 8 // division rounding up
 			b = append(b, ip[:needLength]...)
 		case 2:
 			ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
 			needLength := (netmask + 8 - 1) / 8 // division rounding up
 			b = append(b, ip[:needLength]...)
 		}
 		body.Options = append(body.Options,
 			dnsmessage.Option{
 				Code: EDNS0SUBNET,
 				Data: b,
-			},
+			})
-		},
+	}
 	if padding != 0 {
 		body.Options = append(body.Options,
 			dnsmessage.Option{
 				Code: EDNS0PADDING,
 				Data: make([]byte, padding),
 			})
 	}
 	return opt
@@ -179,9 +190,10 @@ func parseResponse(payload []byte) (*IPRecord, error) {
 	now := time.Now()
 	ipRecord := &IPRecord{
-		ReqID:  h.ID,
+		ReqID:     h.ID,
-		RCode:  h.RCode,
+		RCode:     h.RCode,
-		Expire: now.Add(time.Second * 600),
+		Expire:    now.Add(time.Second * dns_feature.DefaultTTL),
 		RawHeader: &h,
 	}
 L:
@@ -196,7 +208,7 @@ L:
 		ttl := ah.TTL
 		if ttl == 0 {
-			ttl = 600
+			ttl = 1
 		}
 		expire := now.Add(time.Duration(ttl) * time.Second)
 		if ipRecord.Expire.After(expire) {
@@ -210,14 +222,17 @@ L:
 				errors.LogInfoInner(context.Background(), err, "failed to parse A record for domain: ", ah.Name)
 				break L
 			}
-			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.A[:]))
+			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.A[:]).IP())
 		case dnsmessage.TypeAAAA:
 			ans, err := parser.AAAAResource()
 			if err != nil {
 				errors.LogInfoInner(context.Background(), err, "failed to parse AAAA record for domain: ", ah.Name)
 				break L
 			}
-			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.AAAA[:]))
+			newIP := net.IPAddress(ans.AAAA[:]).IP()
 			if len(newIP) == net.IPv6len {
 				ipRecord.IP = append(ipRecord.IP, newIP)
 			}
 		default:
 			if err := parser.SkipAnswer(); err != nil {
 				errors.LogInfoInner(context.Background(), err, "failed to skip answer")
--- a/app/dns/dnscommon_test.go
+++ b/app/dns/dnscommon_test.go
@@ -51,7 +51,7 @@ func Test_parseResponse(t *testing.T) {
 	}{
 		{
 			"empty",
-			&IPRecord{0, []net.Address(nil), time.Time{}, dnsmessage.RCodeSuccess},
+			&IPRecord{0, []net.IP(nil), time.Time{}, dnsmessage.RCodeSuccess, nil},
 			false,
 		},
 		{
@@ -63,15 +63,16 @@ func Test_parseResponse(t *testing.T) {
 			"a record",
 			&IPRecord{
 				1,
-				[]net.Address{net.ParseAddress("8.8.8.8"), net.ParseAddress("8.8.4.4")},
+				[]net.IP{net.ParseIP("8.8.8.8"), net.ParseIP("8.8.4.4")},
 				time.Time{},
 				dnsmessage.RCodeSuccess,
 				nil,
 			},
 			false,
 		},
 		{
 			"aaaa record",
-			&IPRecord{2, []net.Address{net.ParseAddress("2001::123:8888"), net.ParseAddress("2001::123:8844")}, time.Time{}, dnsmessage.RCodeSuccess},
+			&IPRecord{2, []net.IP{net.ParseIP("2001::123:8888"), net.ParseIP("2001::123:8844")}, time.Time{}, dnsmessage.RCodeSuccess, nil},
 			false,
 		},
 	}
@@ -84,8 +85,9 @@ func Test_parseResponse(t *testing.T) {
 			}
 			if got != nil {
-				// reset the time
+				// reset the time and RawHeader
 				got.Expire = time.Time{}
 				got.RawHeader = nil
 			}
 			if cmp.Diff(got, tt.want) != "" {
 				t.Error(cmp.Diff(got, tt.want))
@@ -154,7 +156,7 @@ func Test_genEDNS0Options(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := genEDNS0Options(tt.args.clientIP); got == nil {
+			if got := genEDNS0Options(tt.args.clientIP, 0); got == nil {
 				t.Errorf("genEDNS0Options() = %v, want %v", got, tt.want)
 			}
 		})
--- a/app/dns/hosts.go
+++ b/app/dns/hosts.go
@@ -2,6 +2,7 @@ package dns
 import (
 	"context"
 	"strconv"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
@@ -32,7 +33,15 @@ func NewStaticHosts(hosts []*Config_HostMapping) (*StaticHosts, error) {
 		ips := make([]net.Address, 0, len(mapping.Ip)+1)
 		switch {
 		case len(mapping.ProxiedDomain) > 0:
-			ips = append(ips, net.DomainAddress(mapping.ProxiedDomain))
+			if mapping.ProxiedDomain[0] == '#' {
 				rcode, err := strconv.Atoi(mapping.ProxiedDomain[1:])
 				if err != nil {
 					return nil, err
 				}
 				ips = append(ips, dns.RCodeError(rcode))
 			} else {
 				ips = append(ips, net.DomainAddress(mapping.ProxiedDomain))
 			}
 		case len(mapping.Ip) > 0:
 			for _, ip := range mapping.Ip {
 				addr := net.IPAddress(ip)
@@ -41,8 +50,6 @@ func NewStaticHosts(hosts []*Config_HostMapping) (*StaticHosts, error) {
 				}
 				ips = append(ips, addr)
 			}
 		default:
 			return nil, errors.New("neither IP address nor proxied domain specified for domain: ", mapping.Domain).AtWarning()
 		}
 		sh.ips[id] = ips
@@ -61,33 +68,51 @@ func filterIP(ips []net.Address, option dns.IPOption) []net.Address {
 	return filtered
 }
-func (h *StaticHosts) lookupInternal(domain string) []net.Address {
+func (h *StaticHosts) lookupInternal(domain string) ([]net.Address, error) {
-	var ips []net.Address
+	ips := make([]net.Address, 0)
 	found := false
 	for _, id := range h.matchers.Match(domain) {
 		for _, v := range h.ips[id] {
 			if err, ok := v.(dns.RCodeError); ok {
 				if uint16(err) == 0 {
 					return nil, dns.ErrEmptyResponse
 				}
 				return nil, err
 			}
 		}
 		ips = append(ips, h.ips[id]...)
 		found = true
 	}
-	return ips
+	if !found {
 		return nil, nil
 	}
 	return ips, nil
 }
-func (h *StaticHosts) lookup(domain string, option dns.IPOption, maxDepth int) []net.Address {
+func (h *StaticHosts) lookup(domain string, option dns.IPOption, maxDepth int) ([]net.Address, error) {
-	switch addrs := h.lookupInternal(domain); {
+	switch addrs, err := h.lookupInternal(domain); {
 	case err != nil:
 		return nil, err
 	case len(addrs) == 0: // Not recorded in static hosts, return nil
-		return nil
+		return addrs, nil
 	case len(addrs) == 1 && addrs[0].Family().IsDomain(): // Try to unwrap domain
 		errors.LogDebug(context.Background(), "found replaced domain: ", domain, " -> ", addrs[0].Domain(), ". Try to unwrap it")
 		if maxDepth > 0 {
-			unwrapped := h.lookup(addrs[0].Domain(), option, maxDepth-1)
+			unwrapped, err := h.lookup(addrs[0].Domain(), option, maxDepth-1)
 			if err != nil {
 				return nil, err
 			}
 			if unwrapped != nil {
-				return unwrapped
+				return unwrapped, nil
 			}
 		}
-		return addrs
+		return addrs, nil
 	default: // IP record found, return a non-nil IP array
-		return filterIP(addrs, option)
+		return filterIP(addrs, option), nil
 	}
 }
 // Lookup returns IP addresses or proxied domain for the given domain, if exists in this StaticHosts.
-func (h *StaticHosts) Lookup(domain string, option dns.IPOption) []net.Address {
+func (h *StaticHosts) Lookup(domain string, option dns.IPOption) ([]net.Address, error) {
 	return h.lookup(domain, option, 5)
 }
--- a/app/dns/hosts_test.go
+++ b/app/dns/hosts_test.go
@@ -12,6 +12,11 @@ import (
 func TestStaticHosts(t *testing.T) {
 	pb := []*Config_HostMapping{
 		{
 			Type:          DomainMatchingType_Subdomain,
 			Domain:        "lan",
 			ProxiedDomain: "#3",
 		},
 		{
 			Type:   DomainMatchingType_Full,
 			Domain: "example.com",
@@ -54,7 +59,14 @@ func TestStaticHosts(t *testing.T) {
 	common.Must(err)
 	{
-		ips := hosts.Lookup("example.com", dns.IPOption{
+		_, err := hosts.Lookup("example.com.lan", dns.IPOption{})
 		if dns.RCodeFromError(err) != 3 {
 			t.Error(err)
 		}
 	}
 	{
 		ips, _ := hosts.Lookup("example.com", dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 		})
@@ -67,7 +79,7 @@ func TestStaticHosts(t *testing.T) {
 	}
 	{
-		domain := hosts.Lookup("proxy.xray.com", dns.IPOption{
+		domain, _ := hosts.Lookup("proxy.xray.com", dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 		})
@@ -80,7 +92,7 @@ func TestStaticHosts(t *testing.T) {
 	}
 	{
-		domain := hosts.Lookup("proxy2.xray.com", dns.IPOption{
+		domain, _ := hosts.Lookup("proxy2.xray.com", dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 		})
@@ -93,7 +105,7 @@ func TestStaticHosts(t *testing.T) {
 	}
 	{
-		ips := hosts.Lookup("www.example.cn", dns.IPOption{
+		ips, _ := hosts.Lookup("www.example.cn", dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 		})
@@ -106,7 +118,7 @@ func TestStaticHosts(t *testing.T) {
 	}
 	{
-		ips := hosts.Lookup("baidu.com", dns.IPOption{
+		ips, _ := hosts.Lookup("baidu.com", dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 		})
--- a/app/dns/nameserver.go
+++ b/app/dns/nameserver.go
@@ -9,6 +9,7 @@ import (
 	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/dns"
@@ -20,22 +21,27 @@ type Server interface {
 	// Name of the Client.
 	Name() string
 	// QueryIP sends IP queries to its configured server.
-	QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns.IPOption, disableCache bool) ([]net.IP, error)
+	QueryIP(ctx context.Context, domain string, option dns.IPOption) ([]net.IP, uint32, error)
 }
 // Client is the interface for DNS client.
 type Client struct {
-	server       Server
+	server        Server
-	clientIP     net.IP
+	skipFallback  bool
-	skipFallback bool
+	domains       []string
-	domains      []string
+	expectedIPs   []*router.GeoIPMatcher
-	expectIPs    []*router.GeoIPMatcher
+	unexpectedIPs []*router.GeoIPMatcher
 	actPrior      bool
 	actUnprior    bool
 	tag           string
 	timeoutMs     time.Duration
 	finalQuery    bool
 	ipOption      *dns.IPOption
 	checkSystem   bool
 }
 var errExpectedIPNonMatch = errors.New("expectIPs not match")
 // NewServer creates a name server object according to the network destination url.
-func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dispatcher, queryStrategy QueryStrategy) (Server, error) {
+func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dispatcher, disableCache bool, clientIP net.IP) (Server, error) {
 	if address := dest.Address; address.Family().IsDomain() {
 		u, err := url.Parse(address.Domain())
 		if err != nil {
@@ -44,21 +50,28 @@ func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dis
 		switch {
 		case strings.EqualFold(u.String(), "localhost"):
 			return NewLocalNameServer(), nil
-		case strings.EqualFold(u.Scheme, "https"): // DOH Remote mode
+		case strings.EqualFold(u.Scheme, "https"): // DNS-over-HTTPS Remote mode
-			return NewDoHNameServer(u, dispatcher, queryStrategy)
+			return NewDoHNameServer(u, dispatcher, false, disableCache, clientIP), nil
-		case strings.EqualFold(u.Scheme, "https+local"): // DOH Local mode
+		case strings.EqualFold(u.Scheme, "h2c"): // DNS-over-HTTPS h2c Remote mode
-			return NewDoHLocalNameServer(u, queryStrategy), nil
+			return NewDoHNameServer(u, dispatcher, true, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "https+local"): // DNS-over-HTTPS Local mode
 			return NewDoHNameServer(u, nil, false, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "h2c+local"): // DNS-over-HTTPS h2c Local mode
 			return NewDoHNameServer(u, nil, true, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "quic+local"): // DNS-over-QUIC Local mode
-			return NewQUICNameServer(u, queryStrategy)
+			return NewQUICNameServer(u, disableCache, clientIP)
 		case strings.EqualFold(u.Scheme, "tcp"): // DNS-over-TCP Remote mode
-			return NewTCPNameServer(u, dispatcher, queryStrategy)
+			return NewTCPNameServer(u, dispatcher, disableCache, clientIP)
 		case strings.EqualFold(u.Scheme, "tcp+local"): // DNS-over-TCP Local mode
-			return NewTCPLocalNameServer(u, queryStrategy)
+			return NewTCPLocalNameServer(u, disableCache, clientIP)
 		case strings.EqualFold(u.String(), "fakedns"):
 			var fd dns.FakeDNSEngine
-			core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) { // FakeDNSEngine is optional
+			err = core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) {
 				fd = fdns
 			})
 			if err != nil {
 				return nil, err
 			}
 			return NewFakeDNSServer(fd), nil
 		}
 	}
@@ -66,7 +79,7 @@ func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dis
 		dest.Network = net.Network_UDP
 	}
 	if dest.Network == net.Network_UDP { // UDP classic DNS mode
-		return NewClassicNameServer(dest, dispatcher, queryStrategy), nil
+		return NewClassicNameServer(dest, dispatcher, disableCache, clientIP), nil
 	}
 	return nil, errors.New("No available name server could be created from ", dest).AtWarning()
 }
@@ -76,7 +89,9 @@ func NewClient(
 	ctx context.Context,
 	ns *NameServer,
 	clientIP net.IP,
-	container router.GeoIPMatcherContainer,
+	disableCache bool,
 	tag string,
 	ipOption dns.IPOption,
 	matcherInfos *[]*DomainMatcherInfo,
 	updateDomainRule func(strmatcher.Matcher, int, []*DomainMatcherInfo) error,
 ) (*Client, error) {
@@ -84,7 +99,7 @@ func NewClient(
 	err := core.RequireFeatures(ctx, func(dispatcher routing.Dispatcher) error {
 		// Create a new server for each client for now
-		server, err := NewServer(ctx, ns.Address.AsDestination(), dispatcher, ns.GetQueryStrategy())
+		server, err := NewServer(ctx, ns.Address.AsDestination(), dispatcher, disableCache, clientIP)
 		if err != nil {
 			return errors.New("failed to create nameserver").Base(err).AtWarning()
 		}
@@ -139,13 +154,23 @@ func NewClient(
 		}
 		// Establish expected IPs
-		var matchers []*router.GeoIPMatcher
+		var expectedMatchers []*router.GeoIPMatcher
-		for _, geoip := range ns.Geoip {
+		for _, geoip := range ns.ExpectedGeoip {
-			matcher, err := container.Add(geoip)
+			matcher, err := router.GlobalGeoIPContainer.Add(geoip)
 			if err != nil {
-				return errors.New("failed to create ip matcher").Base(err).AtWarning()
+				return errors.New("failed to create expected ip matcher").Base(err).AtWarning()
 			}
-			matchers = append(matchers, matcher)
+			expectedMatchers = append(expectedMatchers, matcher)
 		}
 		// Establish unexpected IPs
 		var unexpectedMatchers []*router.GeoIPMatcher
 		for _, geoip := range ns.UnexpectedGeoip {
 			matcher, err := router.GlobalGeoIPContainer.Add(geoip)
 			if err != nil {
 				return errors.New("failed to create unexpected ip matcher").Base(err).AtWarning()
 			}
 			unexpectedMatchers = append(unexpectedMatchers, matcher)
 		}
 		if len(clientIP) > 0 {
@@ -153,15 +178,29 @@ func NewClient(
 			case *net.IPOrDomain_Domain:
 				errors.LogInfo(ctx, "DNS: client ", ns.Address.Address.GetDomain(), " uses clientIP ", clientIP.String())
 			case *net.IPOrDomain_Ip:
-				errors.LogInfo(ctx, "DNS: client ", ns.Address.Address.GetIp(), " uses clientIP ", clientIP.String())
+				errors.LogInfo(ctx, "DNS: client ", net.IP(ns.Address.Address.GetIp()), " uses clientIP ", clientIP.String())
 			}
 		}
 		var timeoutMs = 4000 * time.Millisecond
 		if ns.TimeoutMs > 0 {
 			timeoutMs = time.Duration(ns.TimeoutMs) * time.Millisecond
 		}
 		checkSystem := ns.QueryStrategy == QueryStrategy_USE_SYS
 		client.server = server
 		client.clientIP = clientIP
 		client.skipFallback = ns.SkipFallback
 		client.domains = rules
-		client.expectIPs = matchers
+		client.expectedIPs = expectedMatchers
 		client.unexpectedIPs = unexpectedMatchers
 		client.actPrior = ns.ActPrior
 		client.actUnprior = ns.ActUnprior
 		client.tag = tag
 		client.timeoutMs = timeoutMs
 		client.finalQuery = ns.FinalQuery
 		client.ipOption = &ipOption
 		client.checkSystem = checkSystem
 		return nil
 	})
 	return client, err
@@ -172,43 +211,79 @@ func (c *Client) Name() string {
 	return c.server.Name()
 }
 func (c *Client) IsFinalQuery() bool {
 	return c.finalQuery
 }
 // QueryIP sends DNS query to the name server with the client's IP.
-func (c *Client) QueryIP(ctx context.Context, domain string, option dns.IPOption, disableCache bool) ([]net.IP, error) {
+func (c *Client) QueryIP(ctx context.Context, domain string, option dns.IPOption) ([]net.IP, uint32, error) {
-	ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
+	if c.checkSystem {
-	ips, err := c.server.QueryIP(ctx, domain, c.clientIP, option, disableCache)
+		supportIPv4, supportIPv6 := checkSystemNetwork()
 		option.IPv4Enable = option.IPv4Enable && supportIPv4
 		option.IPv6Enable = option.IPv6Enable && supportIPv6
 	} else {
 		option.IPv4Enable = option.IPv4Enable && c.ipOption.IPv4Enable
 		option.IPv6Enable = option.IPv6Enable && c.ipOption.IPv6Enable
 	}
 	if !option.IPv4Enable && !option.IPv6Enable {
 		return nil, 0, dns.ErrEmptyResponse
 	}
 	ctx, cancel := context.WithTimeout(ctx, c.timeoutMs)
 	ctx = session.ContextWithInbound(ctx, &session.Inbound{Tag: c.tag})
 	ips, ttl, err := c.server.QueryIP(ctx, domain, option)
 	cancel()
 	if err != nil {
-		return ips, err
+		return nil, 0, err
 	}
 	return c.MatchExpectedIPs(domain, ips)
 }
-// MatchExpectedIPs matches queried domain IPs with expected IPs and returns matched ones.
+	if len(ips) == 0 {
-func (c *Client) MatchExpectedIPs(domain string, ips []net.IP) ([]net.IP, error) {
+		return nil, 0, dns.ErrEmptyResponse
 	if len(c.expectIPs) == 0 {
 		return ips, nil
 	}
-	newIps := []net.IP{}
+
-	for _, ip := range ips {
+	if len(c.expectedIPs) > 0 && !c.actPrior {
-		for _, matcher := range c.expectIPs {
+		ips = router.MatchIPs(c.expectedIPs, ips, false)
-			if matcher.Match(ip) {
+		errors.LogDebug(context.Background(), "domain ", domain, " expectedIPs ", ips, " matched at server ", c.Name())
-				newIps = append(newIps, ip)
+		if len(ips) == 0 {
-				break
+			return nil, 0, dns.ErrEmptyResponse
 			}
 		}
 	}
-	if len(newIps) == 0 {
+
-		return nil, errExpectedIPNonMatch
+	if len(c.unexpectedIPs) > 0 && !c.actUnprior {
 		ips = router.MatchIPs(c.unexpectedIPs, ips, true)
 		errors.LogDebug(context.Background(), "domain ", domain, " unexpectedIPs ", ips, " matched at server ", c.Name())
 		if len(ips) == 0 {
 			return nil, 0, dns.ErrEmptyResponse
 		}
 	}
-	errors.LogDebug(context.Background(), "domain ", domain, " expectIPs ", newIps, " matched at server ", c.Name())
+
-	return newIps, nil
+	if len(c.expectedIPs) > 0 && c.actPrior {
 		ipsNew := router.MatchIPs(c.expectedIPs, ips, false)
 		if len(ipsNew) > 0 {
 			ips = ipsNew
 			errors.LogDebug(context.Background(), "domain ", domain, " priorIPs ", ips, " matched at server ", c.Name())
 		}
 	}
 	if len(c.unexpectedIPs) > 0 && c.actUnprior {
 		ipsNew := router.MatchIPs(c.unexpectedIPs, ips, true)
 		if len(ipsNew) > 0 {
 			ips = ipsNew
 			errors.LogDebug(context.Background(), "domain ", domain, " unpriorIPs ", ips, " matched at server ", c.Name())
 		}
 	}
 	return ips, ttl, nil
 }
 func ResolveIpOptionOverride(queryStrategy QueryStrategy, ipOption dns.IPOption) dns.IPOption {
 	switch queryStrategy {
 	case QueryStrategy_USE_IP:
 		return ipOption
 	case QueryStrategy_USE_SYS:
 		return ipOption
 	case QueryStrategy_USE_IP4:
 		return dns.IPOption{
 			IPv4Enable: ipOption.IPv4Enable,
--- a/app/dns/nameserver_doh.go
+++ b/app/dns/nameserver_doh.go
@@ -3,237 +3,136 @@ package dns
 import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	go_errors "errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
-	"sync"
+	"strings"
 	"sync/atomic"
 	"time"
 	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/transport/internet"
-	"golang.org/x/net/dns/dnsmessage"
+	"golang.org/x/net/http2"
 )
 // DoHNameServer implemented DNS over HTTPS (RFC8484) Wire Format,
 // which is compatible with traditional dns over udp(RFC1035),
 // thus most of the DOH implementation is copied from udpns.go
 type DoHNameServer struct {
-	dispatcher routing.Dispatcher
+	cacheController *CacheController
-	sync.RWMutex
+	httpClient      *http.Client
-	ips           map[string]*record
+	dohURL          string
-	pub           *pubsub.Service
+	clientIP        net.IP
 	cleanup       *task.Periodic
 	reqID         uint32
 	httpClient    *http.Client
 	dohURL        string
 	name          string
 	queryStrategy QueryStrategy
 }
-// NewDoHNameServer creates DOH server object for remote resolving.
+// NewDoHNameServer creates DOH/DOHL client object for remote/local resolving.
-func NewDoHNameServer(url *url.URL, dispatcher routing.Dispatcher, queryStrategy QueryStrategy) (*DoHNameServer, error) {
+func NewDoHNameServer(url *url.URL, dispatcher routing.Dispatcher, h2c bool, disableCache bool, clientIP net.IP) *DoHNameServer {
 	errors.LogInfo(context.Background(), "DNS: created Remote DOH client for ", url.String())
 	s := baseDOHNameServer(url, "DOH", queryStrategy)
 	s.dispatcher = dispatcher
 	tr := &http.Transport{
 		MaxIdleConns:        30,
 		IdleConnTimeout:     90 * time.Second,
 		TLSHandshakeTimeout: 30 * time.Second,
 		ForceAttemptHTTP2:   true,
 		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 			dest, err := net.ParseDestination(network + ":" + addr)
 			if err != nil {
 				return nil, err
 			}
 			link, err := s.dispatcher.Dispatch(toDnsContext(ctx, s.dohURL), dest)
 			select {
 			case <-ctx.Done():
 				return nil, ctx.Err()
 			default:
 			}
 			if err != nil {
 				return nil, err
 			}
 			cc := common.ChainedClosable{}
 			if cw, ok := link.Writer.(common.Closable); ok {
 				cc = append(cc, cw)
 			}
 			if cr, ok := link.Reader.(common.Closable); ok {
 				cc = append(cc, cr)
 			}
 			return cnc.NewConnection(
 				cnc.ConnectionInputMulti(link.Writer),
 				cnc.ConnectionOutputMulti(link.Reader),
 				cnc.ConnectionOnClose(cc),
 			), nil
 		},
 	}
 	s.httpClient = &http.Client{
 		Timeout:   time.Second * 180,
 		Transport: tr,
 	}
 	return s, nil
 }
 // NewDoHLocalNameServer creates DOH client object for local resolving
 func NewDoHLocalNameServer(url *url.URL, queryStrategy QueryStrategy) *DoHNameServer {
 	url.Scheme = "https"
-	s := baseDOHNameServer(url, "DOHL", queryStrategy)
+	mode := "DOH"
-	tr := &http.Transport{
+	if dispatcher == nil {
-		IdleConnTimeout:   90 * time.Second,
+		mode = "DOHL"
-		ForceAttemptHTTP2: true,
+	}
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+	errors.LogInfo(context.Background(), "DNS: created ", mode, " client for ", url.String(), ", with h2c ", h2c)
-			dest, err := net.ParseDestination(network + ":" + addr)
+	s := &DoHNameServer{
-			if err != nil {
+		cacheController: NewCacheController(mode+"//"+url.Host, disableCache),
-				return nil, err
+		dohURL:          url.String(),
-			}
+		clientIP:        clientIP,
 			conn, err := internet.DialSystem(ctx, dest, nil)
 			log.Record(&log.AccessMessage{
 				From:   "DNS",
 				To:     s.dohURL,
 				Status: log.AccessAccepted,
 				Detour: "local",
 			})
 			if err != nil {
 				return nil, err
 			}
 			return conn, nil
 		},
 	}
 	s.httpClient = &http.Client{
-		Timeout:   time.Second * 180,
+		Transport: &http2.Transport{
-		Transport: tr,
+			IdleConnTimeout: net.ConnIdleTimeout,
-	}
+			ReadIdleTimeout: net.ChromeH2KeepAlivePeriod,
-	errors.LogInfo(context.Background(), "DNS: created Local DOH client for ", url.String())
+			DialTLSContext: func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) {
-	return s
+				dest, err := net.ParseDestination(network + ":" + addr)
-}
+				if err != nil {
-
+					return nil, err
-func baseDOHNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy) *DoHNameServer {
+				}
-	s := &DoHNameServer{
+				var conn net.Conn
-		ips:           make(map[string]*record),
+				if dispatcher != nil {
-		pub:           pubsub.NewService(),
+					dnsCtx := toDnsContext(ctx, s.dohURL)
-		name:          prefix + "//" + url.Host,
+					if h2c {
-		dohURL:        url.String(),
+						dnsCtx = session.ContextWithMitmAlpn11(dnsCtx, false) // for insurance
-		queryStrategy: queryStrategy,
+						dnsCtx = session.ContextWithMitmServerName(dnsCtx, url.Hostname())
-	}
+					}
-	s.cleanup = &task.Periodic{
+					link, err := dispatcher.Dispatch(dnsCtx, dest)
-		Interval: time.Minute,
+					select {
-		Execute:  s.Cleanup,
+					case <-ctx.Done():
 						return nil, ctx.Err()
 					default:
 					}
 					if err != nil {
 						return nil, err
 					}
 					cc := common.ChainedClosable{}
 					if cw, ok := link.Writer.(common.Closable); ok {
 						cc = append(cc, cw)
 					}
 					if cr, ok := link.Reader.(common.Closable); ok {
 						cc = append(cc, cr)
 					}
 					conn = cnc.NewConnection(
 						cnc.ConnectionInputMulti(link.Writer),
 						cnc.ConnectionOutputMulti(link.Reader),
 						cnc.ConnectionOnClose(cc),
 					)
 				} else {
 					log.Record(&log.AccessMessage{
 						From:   "DNS",
 						To:     s.dohURL,
 						Status: log.AccessAccepted,
 						Detour: "local",
 					})
 					conn, err = internet.DialSystem(ctx, dest, nil)
 					if err != nil {
 						return nil, err
 					}
 				}
 				if !h2c {
 					conn = utls.UClient(conn, &utls.Config{ServerName: url.Hostname()}, utls.HelloChrome_Auto)
 					if err := conn.(*utls.UConn).HandshakeContext(ctx); err != nil {
 						return nil, err
 					}
 				}
 				return conn, nil
 			},
 		},
 	}
 	return s
 }
 // Name implements Server.
 func (s *DoHNameServer) Name() string {
-	return s.name
+	return s.cacheController.name
 }
 // Cleanup clears expired items from cache
 func (s *DoHNameServer) Cleanup() error {
 	now := time.Now()
 	s.Lock()
 	defer s.Unlock()
 	if len(s.ips) == 0 {
 		return errors.New("nothing to do. stopping...")
 	}
 	for domain, record := range s.ips {
 		if record.A != nil && record.A.Expire.Before(now) {
 			record.A = nil
 		}
 		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
 			record.AAAA = nil
 		}
 		if record.A == nil && record.AAAA == nil {
 			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
 			delete(s.ips, domain)
 		} else {
 			s.ips[domain] = record
 		}
 	}
 	if len(s.ips) == 0 {
 		s.ips = make(map[string]*record)
 	}
 	return nil
 }
 func (s *DoHNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
 	elapsed := time.Since(req.start)
 	s.Lock()
 	rec, found := s.ips[req.domain]
 	if !found {
 		rec = &record{}
 	}
 	updated := false
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		if isNewer(rec.A, ipRec) {
 			rec.A = ipRec
 			updated = true
 		}
 	case dnsmessage.TypeAAAA:
 		addr := make([]net.Address, 0, len(ipRec.IP))
 		for _, ip := range ipRec.IP {
 			if len(ip.IP()) == net.IPv6len {
 				addr = append(addr, ip)
 			}
 		}
 		ipRec.IP = addr
 		if isNewer(rec.AAAA, ipRec) {
 			rec.AAAA = ipRec
 			updated = true
 		}
 	}
 	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
 	if updated {
 		s.ips[req.domain] = rec
 	}
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		s.pub.Publish(req.domain+"4", nil)
 	case dnsmessage.TypeAAAA:
 		s.pub.Publish(req.domain+"6", nil)
 	}
 	s.Unlock()
 	common.Must(s.cleanup.Start())
 }
 func (s *DoHNameServer) newReqID() uint16 {
-	return uint16(atomic.AddUint32(&s.reqID, 1))
+	return 0
 }
-func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
+func (s *DoHNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
-	errors.LogInfo(ctx, s.name, " querying: ", domain)
+	errors.LogInfo(ctx, s.Name(), " querying: ", domain)
-	if s.name+"." == "DOH//"+domain {
+	if s.Name()+"." == "DOH//"+domain {
-		errors.LogError(ctx, s.name, " tries to resolve itself! Use IP or set \"hosts\" instead.")
+		errors.LogError(ctx, s.Name(), " tries to resolve itself! Use IP or set \"hosts\" instead.")
 		noResponseErrCh <- errors.New("tries to resolve itself!", s.Name())
 		return
 	}
-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	// As we don't want our traffic pattern looks like DoH, we use Random-Length Padding instead of Block-Length Padding recommended in RFC 8467
 	// Although DoH server like 1.1.1.1 will pad the response to Block-Length 468, at least it is better than no padding for response at all
 	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, int(crypto.RandBetween(100, 300))))
 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@@ -268,19 +167,22 @@ func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query for ", domain)
 				noResponseErrCh <- err
 				return
 			}
 			resp, err := s.dohHTTPSContext(dnsCtx, b.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to retrieve response for ", domain)
 				noResponseErrCh <- err
 				return
 			}
 			rec, err := parseResponse(resp)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to handle DOH response for ", domain)
 				noResponseErrCh <- err
 				return
 			}
-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }
@@ -295,6 +197,8 @@ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte,
 	req.Header.Add("Accept", "application/dns-message")
 	req.Header.Add("Content-Type", "application/dns-message")
 	req.Header.Set("X-Padding", strings.Repeat("X", int(crypto.RandBetween(100, 1000))))
 	hc := s.httpClient
 	resp, err := hc.Do(req.WithContext(ctx))
@@ -311,107 +215,50 @@ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte,
 	return io.ReadAll(resp.Body)
 }
 func (s *DoHNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
 	s.RLock()
 	record, found := s.ips[domain]
 	s.RUnlock()
 	if !found {
 		return nil, errRecordNotFound
 	}
 	var err4 error
 	var err6 error
 	var ips []net.Address
 	var ip6 []net.Address
 	if option.IPv4Enable {
 		ips, err4 = record.A.getIPs()
 	}
 	if option.IPv6Enable {
 		ip6, err6 = record.AAAA.getIPs()
 		ips = append(ips, ip6...)
 	}
 	if len(ips) > 0 {
 		return toNetIP(ips)
 	}
 	if err4 != nil {
 		return nil, err4
 	}
 	if err6 != nil {
 		return nil, err6
 	}
 	if (option.IPv4Enable && record.A != nil) || (option.IPv6Enable && record.AAAA != nil) {
 		return nil, dns_feature.ErrEmptyResponse
 	}
 	return nil, errRecordNotFound
 }
 // QueryIP implements Server.
-func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) { // nolint: dupl
+func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) { // nolint: dupl
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
+	defer closeSubscribers(sub4, sub6)
 		return nil, dns_feature.ErrEmptyResponse
 	}
-	if disableCache {
+	if s.cacheController.disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
+		if !go_errors.Is(err, errRecordNotFound) {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+			return ips, ttl, err
 		}
 	}
-	// ipv4 and ipv6 belong to different subscription groups
+	noResponseErrCh := make(chan error, 2)
-	var sub4, sub6 *pubsub.Subscriber
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	if option.IPv4Enable {
 		sub4 = s.pub.Subscribe(fqdn + "4")
 		defer sub4.Close()
 	}
 	if option.IPv6Enable {
 		sub6 = s.pub.Subscribe(fqdn + "6")
 		defer sub6.Close()
 	}
 	done := make(chan interface{})
 	go func() {
 		if sub4 != nil {
 			select {
 			case <-sub4.Wait():
 			case <-ctx.Done():
 			}
 		}
 		if sub6 != nil {
 			select {
 			case <-sub6.Wait():
 			case <-ctx.Done():
 			}
 		}
 		close(done)
 	}()
 	s.sendQuery(ctx, fqdn, clientIP, option)
 	start := time.Now()
-	for {
+	if sub4 != nil {
 		ips, err := s.findIPsForDomain(fqdn, option)
 		if err != errRecordNotFound {
 			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 			return ips, err
 		}
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			return nil, 0, ctx.Err()
-		case <-done:
+		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub4.Wait():
 			sub4.Close()
 		}
 	}
 	if sub6 != nil {
 		select {
 		case <-ctx.Done():
 			return nil, 0, ctx.Err()
 		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub6.Wait():
 			sub6.Close()
 		}
 	}
 	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
 	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 	return ips, ttl, err
 }
--- a/app/dns/nameserver_doh_test.go
+++ b/app/dns/nameserver_doh_test.go
@@ -17,12 +17,12 @@ func TestDOHNameServer(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)
-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -34,12 +34,12 @@ func TestDOHNameServerWithCache(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)
-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -47,10 +47,10 @@ func TestDOHNameServerWithCache(t *testing.T) {
 	}
 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@@ -62,12 +62,12 @@ func TestDOHNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)
-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP4)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
+		IPv6Enable: false,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -85,12 +85,12 @@ func TestDOHNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)
-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP6)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
-		IPv4Enable: true,
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_fakedns.go
+++ b/app/dns/nameserver_fakedns.go
@@ -20,9 +20,9 @@ func (FakeDNSServer) Name() string {
 	return "FakeDNS"
 }
-func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, _ net.IP, opt dns.IPOption, _ bool) ([]net.IP, error) {
+func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, opt dns.IPOption) ([]net.IP, uint32, error) {
 	if f.fakeDNSEngine == nil {
-		return nil, errors.New("Unable to locate a fake DNS Engine").AtError()
+		return nil, 0, errors.New("Unable to locate a fake DNS Engine").AtError()
 	}
 	var ips []net.Address
@@ -34,13 +34,13 @@ func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, _ net.IP, op
 	netIP, err := toNetIP(ips)
 	if err != nil {
-		return nil, errors.New("Unable to convert IP to net ip").Base(err).AtError()
+		return nil, 0, errors.New("Unable to convert IP to net ip").Base(err).AtError()
 	}
 	errors.LogInfo(ctx, f.Name(), " got answer: ", domain, " -> ", ips)
 	if len(netIP) > 0 {
-		return netIP, nil
+		return netIP, 1, nil // fakeIP ttl is 1
 	}
-	return nil, dns.ErrEmptyResponse
+	return nil, 0, dns.ErrEmptyResponse
 }
--- a/app/dns/nameserver_local.go
+++ b/app/dns/nameserver_local.go
@@ -2,7 +2,6 @@ package dns
 import (
 	"context"
 	"strings"
 	"time"
 	"github.com/xtls/xray-core/common/errors"
@@ -17,16 +16,11 @@ type LocalNameServer struct {
 	client *localdns.Client
 }
 const errEmptyResponse = "No address associated with hostname"
 // QueryIP implements Server.
-func (s *LocalNameServer) QueryIP(ctx context.Context, domain string, _ net.IP, option dns.IPOption, _ bool) (ips []net.IP, err error) {
+func (s *LocalNameServer) QueryIP(ctx context.Context, domain string, option dns.IPOption) (ips []net.IP, ttl uint32, err error) {
 	start := time.Now()
 	ips, err = s.client.LookupIP(domain, option)
-	if err != nil && strings.HasSuffix(err.Error(), errEmptyResponse) {
+	start := time.Now()
-		err = dns.ErrEmptyResponse
+	ips, ttl, err = s.client.LookupIP(domain, option)
 	}
 	if len(ips) > 0 {
 		errors.LogInfo(ctx, "Localhost got answer: ", domain, " -> ", ips)
@@ -50,6 +44,6 @@ func NewLocalNameServer() *LocalNameServer {
 }
 // NewLocalDNSClient creates localdns client object for directly lookup in system DNS.
-func NewLocalDNSClient() *Client {
+func NewLocalDNSClient(ipOption dns.IPOption) *Client {
-	return &Client{server: NewLocalNameServer()}
+	return &Client{server: NewLocalNameServer(), ipOption: &ipOption}
 }
--- a/app/dns/nameserver_local_test.go
+++ b/app/dns/nameserver_local_test.go
@@ -7,18 +7,17 @@ import (
 	. "github.com/xtls/xray-core/app/dns"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/dns"
 )
 func TestLocalNameServer(t *testing.T) {
 	s := NewLocalNameServer()
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP{}, dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_quic.go
+++ b/app/dns/nameserver_quic.go
@@ -4,24 +4,20 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	go_errors "errors"
 	"net/url"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/quic-go/quic-go"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/transport/internet/tls"
 	"golang.org/x/net/dns/dnsmessage"
 	"golang.org/x/net/http2"
 )
@@ -34,18 +30,14 @@ const handshakeTimeout = time.Second * 8
 // QUICNameServer implemented DNS over QUIC
 type QUICNameServer struct {
 	sync.RWMutex
-	ips           map[string]*record
+	cacheController *CacheController
-	pub           *pubsub.Service
+	destination     *net.Destination
-	cleanup       *task.Periodic
+	connection      *quic.Conn
-	reqID         uint32
+	clientIP        net.IP
 	name          string
 	destination   *net.Destination
 	connection    quic.Connection
 	queryStrategy QueryStrategy
 }
 // NewQUICNameServer creates DNS-over-QUIC client object for local resolving
-func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServer, error) {
+func NewQUICNameServer(url *url.URL, disableCache bool, clientIP net.IP) (*QUICNameServer, error) {
 	errors.LogInfo(context.Background(), "DNS: created Local DNS-over-QUIC client for ", url.String())
 	var err error
@@ -59,15 +51,9 @@ func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServ
 	dest := net.UDPDestination(net.ParseAddress(url.Hostname()), port)
 	s := &QUICNameServer{
-		ips:           make(map[string]*record),
+		cacheController: NewCacheController(url.String(), disableCache),
-		pub:           pubsub.NewService(),
+		destination:     &dest,
-		name:          url.String(),
+		clientIP:        clientIP,
 		destination:   &dest,
 		queryStrategy: queryStrategy,
 	}
 	s.cleanup = &task.Periodic{
 		Interval: time.Minute,
 		Execute:  s.Cleanup,
 	}
 	return s, nil
@@ -75,94 +61,17 @@ func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServ
 // Name returns client name
 func (s *QUICNameServer) Name() string {
-	return s.name
+	return s.cacheController.name
 }
 // Cleanup clears expired items from cache
 func (s *QUICNameServer) Cleanup() error {
 	now := time.Now()
 	s.Lock()
 	defer s.Unlock()
 	if len(s.ips) == 0 {
 		return errors.New("nothing to do. stopping...")
 	}
 	for domain, record := range s.ips {
 		if record.A != nil && record.A.Expire.Before(now) {
 			record.A = nil
 		}
 		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
 			record.AAAA = nil
 		}
 		if record.A == nil && record.AAAA == nil {
 			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
 			delete(s.ips, domain)
 		} else {
 			s.ips[domain] = record
 		}
 	}
 	if len(s.ips) == 0 {
 		s.ips = make(map[string]*record)
 	}
 	return nil
 }
 func (s *QUICNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
 	elapsed := time.Since(req.start)
 	s.Lock()
 	rec, found := s.ips[req.domain]
 	if !found {
 		rec = &record{}
 	}
 	updated := false
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		if isNewer(rec.A, ipRec) {
 			rec.A = ipRec
 			updated = true
 		}
 	case dnsmessage.TypeAAAA:
 		addr := make([]net.Address, 0)
 		for _, ip := range ipRec.IP {
 			if len(ip.IP()) == net.IPv6len {
 				addr = append(addr, ip)
 			}
 		}
 		ipRec.IP = addr
 		if isNewer(rec.AAAA, ipRec) {
 			rec.AAAA = ipRec
 			updated = true
 		}
 	}
 	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
 	if updated {
 		s.ips[req.domain] = rec
 	}
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		s.pub.Publish(req.domain+"4", nil)
 	case dnsmessage.TypeAAAA:
 		s.pub.Publish(req.domain+"6", nil)
 	}
 	s.Unlock()
 	common.Must(s.cleanup.Start())
 }
 func (s *QUICNameServer) newReqID() uint16 {
-	return uint16(atomic.AddUint32(&s.reqID, 1))
+	return 0
 }
-func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
+func (s *QUICNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
-	errors.LogInfo(ctx, s.name, " querying: ", domain)
+	errors.LogInfo(ctx, s.Name(), " querying: ", domain)
-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))
 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@@ -194,23 +103,36 @@ func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query")
 				noResponseErrCh <- err
 				return
 			}
 			dnsReqBuf := buf.New()
-			binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
+			err = binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
-			dnsReqBuf.Write(b.Bytes())
+			if err != nil {
 				errors.LogErrorInner(ctx, err, "binary write failed")
 				noResponseErrCh <- err
 				return
 			}
 			_, err = dnsReqBuf.Write(b.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "buffer write failed")
 				noResponseErrCh <- err
 				return
 			}
 			b.Release()
 			conn, err := s.openStream(dnsCtx)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to open quic connection")
 				noResponseErrCh <- err
 				return
 			}
 			_, err = conn.Write(dnsReqBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to send query")
 				noResponseErrCh <- err
 				return
 			}
@@ -221,137 +143,84 @@ func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP
 			n, err := respBuf.ReadFullFrom(conn, 2)
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
 				noResponseErrCh <- err
 				return
 			}
 			var length int16
 			err = binary.Read(bytes.NewReader(respBuf.Bytes()), binary.BigEndian, &length)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse response length")
 				noResponseErrCh <- err
 				return
 			}
 			respBuf.Clear()
 			n, err = respBuf.ReadFullFrom(conn, int32(length))
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
 				noResponseErrCh <- err
 				return
 			}
 			rec, err := parseResponse(respBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to handle response")
 				noResponseErrCh <- err
 				return
 			}
-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }
 func (s *QUICNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
 	s.RLock()
 	record, found := s.ips[domain]
 	s.RUnlock()
 	if !found {
 		return nil, errRecordNotFound
 	}
 	var err4 error
 	var err6 error
 	var ips []net.Address
 	var ip6 []net.Address
 	if option.IPv4Enable {
 		ips, err4 = record.A.getIPs()
 	}
 	if option.IPv6Enable {
 		ip6, err6 = record.AAAA.getIPs()
 		ips = append(ips, ip6...)
 	}
 	if len(ips) > 0 {
 		return toNetIP(ips)
 	}
 	if err4 != nil {
 		return nil, err4
 	}
 	if err6 != nil {
 		return nil, err6
 	}
 	if (option.IPv4Enable && record.A != nil) || (option.IPv6Enable && record.AAAA != nil) {
 		return nil, dns_feature.ErrEmptyResponse
 	}
 	return nil, errRecordNotFound
 }
 // QueryIP is called from dns.Server->queryIPTimeout
-func (s *QUICNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *QUICNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
+	defer closeSubscribers(sub4, sub6)
 		return nil, dns_feature.ErrEmptyResponse
 	}
-	if disableCache {
+	if s.cacheController.disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
+		if !go_errors.Is(err, errRecordNotFound) {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+			return ips, ttl, err
 		}
 	}
-	// ipv4 and ipv6 belong to different subscription groups
+	noResponseErrCh := make(chan error, 2)
-	var sub4, sub6 *pubsub.Subscriber
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	if option.IPv4Enable {
 		sub4 = s.pub.Subscribe(fqdn + "4")
 		defer sub4.Close()
 	}
 	if option.IPv6Enable {
 		sub6 = s.pub.Subscribe(fqdn + "6")
 		defer sub6.Close()
 	}
 	done := make(chan interface{})
 	go func() {
 		if sub4 != nil {
 			select {
 			case <-sub4.Wait():
 			case <-ctx.Done():
 			}
 		}
 		if sub6 != nil {
 			select {
 			case <-sub6.Wait():
 			case <-ctx.Done():
 			}
 		}
 		close(done)
 	}()
 	s.sendQuery(ctx, fqdn, clientIP, option)
 	start := time.Now()
-	for {
+	if sub4 != nil {
 		ips, err := s.findIPsForDomain(fqdn, option)
 		if err != errRecordNotFound {
 			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 			return ips, err
 		}
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			return nil, 0, ctx.Err()
-		case <-done:
+		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub4.Wait():
 			sub4.Close()
 		}
 	}
 	if sub6 != nil {
 		select {
 		case <-ctx.Done():
 			return nil, 0, ctx.Err()
 		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub6.Wait():
 			sub6.Close()
 		}
 	}
 	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
 	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 	return ips, ttl, err
 }
-func isActive(s quic.Connection) bool {
+func isActive(s *quic.Conn) bool {
 	select {
 	case <-s.Context().Done():
 		return false
@@ -360,8 +229,8 @@ func isActive(s quic.Connection) bool {
 	}
 }
-func (s *QUICNameServer) getConnection() (quic.Connection, error) {
+func (s *QUICNameServer) getConnection() (*quic.Conn, error) {
-	var conn quic.Connection
+	var conn *quic.Conn
 	s.RLock()
 	conn = s.connection
 	if conn != nil && isActive(conn) {
@@ -394,7 +263,7 @@ func (s *QUICNameServer) getConnection() (quic.Connection, error) {
 	return conn, nil
 }
-func (s *QUICNameServer) openConnection() (quic.Connection, error) {
+func (s *QUICNameServer) openConnection() (*quic.Conn, error) {
 	tlsConfig := tls.Config{}
 	quicConfig := &quic.Config{
 		HandshakeIdleTimeout: handshakeTimeout,
@@ -414,7 +283,7 @@ func (s *QUICNameServer) openConnection() (quic.Connection, error) {
 	return conn, nil
 }
-func (s *QUICNameServer) openStream(ctx context.Context) (quic.Stream, error) {
+func (s *QUICNameServer) openStream(ctx context.Context) (*quic.Stream, error) {
 	conn, err := s.getConnection()
 	if err != nil {
 		return nil, err
--- a/app/dns/nameserver_quic_test.go
+++ b/app/dns/nameserver_quic_test.go
@@ -16,24 +16,23 @@ import (
 func TestQUICNameServer(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
 		t.Error("expect some ips, but got 0")
 	}
 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@@ -44,13 +43,13 @@ func TestQUICNameServer(t *testing.T) {
 func TestQUICNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP4)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
+		IPv6Enable: false,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -67,13 +66,13 @@ func TestQUICNameServerWithIPv4Override(t *testing.T) {
 func TestQUICNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP6)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
-		IPv4Enable: true,
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_tcp.go
+++ b/app/dns/nameserver_tcp.go
@@ -4,12 +4,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
 	go_errors "errors"
 	"net/url"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
@@ -17,34 +16,28 @@ import (
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/transport/internet"
 	"golang.org/x/net/dns/dnsmessage"
 )
 // TCPNameServer implemented DNS over TCP (RFC7766).
 type TCPNameServer struct {
-	sync.RWMutex
+	cacheController *CacheController
-	name          string
+	destination     *net.Destination
-	destination   *net.Destination
+	reqID           uint32
-	ips           map[string]*record
+	dial            func(context.Context) (net.Conn, error)
-	pub           *pubsub.Service
+	clientIP        net.IP
 	cleanup       *task.Periodic
 	reqID         uint32
 	dial          func(context.Context) (net.Conn, error)
 	queryStrategy QueryStrategy
 }
 // NewTCPNameServer creates DNS over TCP server object for remote resolving.
 func NewTCPNameServer(
 	url *url.URL,
 	dispatcher routing.Dispatcher,
-	queryStrategy QueryStrategy,
+	disableCache bool,
 	clientIP net.IP,
 ) (*TCPNameServer, error) {
-	s, err := baseTCPNameServer(url, "TCP", queryStrategy)
+	s, err := baseTCPNameServer(url, "TCP", disableCache, clientIP)
 	if err != nil {
 		return nil, err
 	}
@@ -65,8 +58,8 @@ func NewTCPNameServer(
 }
 // NewTCPLocalNameServer creates DNS over TCP client object for local resolving
-func NewTCPLocalNameServer(url *url.URL, queryStrategy QueryStrategy) (*TCPNameServer, error) {
+func NewTCPLocalNameServer(url *url.URL, disableCache bool, clientIP net.IP) (*TCPNameServer, error) {
-	s, err := baseTCPNameServer(url, "TCPL", queryStrategy)
+	s, err := baseTCPNameServer(url, "TCPL", disableCache, clientIP)
 	if err != nil {
 		return nil, err
 	}
@@ -78,7 +71,7 @@ func NewTCPLocalNameServer(url *url.URL, queryStrategy QueryStrategy) (*TCPNameS
 	return s, nil
 }
-func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy) (*TCPNameServer, error) {
+func baseTCPNameServer(url *url.URL, prefix string, disableCache bool, clientIP net.IP) (*TCPNameServer, error) {
 	port := net.Port(53)
 	if url.Port() != "" {
 		var err error
@@ -89,15 +82,9 @@ func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy)
 	dest := net.TCPDestination(net.ParseAddress(url.Hostname()), port)
 	s := &TCPNameServer{
-		destination:   &dest,
+		cacheController: NewCacheController(prefix+"//"+dest.NetAddr(), disableCache),
-		ips:           make(map[string]*record),
+		destination:     &dest,
-		pub:           pubsub.NewService(),
+		clientIP:        clientIP,
 		name:          prefix + "//" + dest.NetAddr(),
 		queryStrategy: queryStrategy,
 	}
 	s.cleanup = &task.Periodic{
 		Interval: time.Minute,
 		Execute:  s.Cleanup,
 	}
 	return s, nil
@@ -105,94 +92,17 @@ func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy)
 // Name implements Server.
 func (s *TCPNameServer) Name() string {
-	return s.name
+	return s.cacheController.name
 }
 // Cleanup clears expired items from cache
 func (s *TCPNameServer) Cleanup() error {
 	now := time.Now()
 	s.Lock()
 	defer s.Unlock()
 	if len(s.ips) == 0 {
 		return errors.New("nothing to do. stopping...")
 	}
 	for domain, record := range s.ips {
 		if record.A != nil && record.A.Expire.Before(now) {
 			record.A = nil
 		}
 		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
 			record.AAAA = nil
 		}
 		if record.A == nil && record.AAAA == nil {
 			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
 			delete(s.ips, domain)
 		} else {
 			s.ips[domain] = record
 		}
 	}
 	if len(s.ips) == 0 {
 		s.ips = make(map[string]*record)
 	}
 	return nil
 }
 func (s *TCPNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
 	elapsed := time.Since(req.start)
 	s.Lock()
 	rec, found := s.ips[req.domain]
 	if !found {
 		rec = &record{}
 	}
 	updated := false
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		if isNewer(rec.A, ipRec) {
 			rec.A = ipRec
 			updated = true
 		}
 	case dnsmessage.TypeAAAA:
 		addr := make([]net.Address, 0)
 		for _, ip := range ipRec.IP {
 			if len(ip.IP()) == net.IPv6len {
 				addr = append(addr, ip)
 			}
 		}
 		ipRec.IP = addr
 		if isNewer(rec.AAAA, ipRec) {
 			rec.AAAA = ipRec
 			updated = true
 		}
 	}
 	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
 	if updated {
 		s.ips[req.domain] = rec
 	}
 	switch req.reqType {
 	case dnsmessage.TypeA:
 		s.pub.Publish(req.domain+"4", nil)
 	case dnsmessage.TypeAAAA:
 		s.pub.Publish(req.domain+"6", nil)
 	}
 	s.Unlock()
 	common.Must(s.cleanup.Start())
 }
 func (s *TCPNameServer) newReqID() uint16 {
 	return uint16(atomic.AddUint32(&s.reqID, 1))
 }
-func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
+func (s *TCPNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
-	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)
+	errors.LogDebug(ctx, s.Name(), " querying DNS for: ", domain)
-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))
 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@@ -221,23 +131,36 @@ func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query")
 				noResponseErrCh <- err
 				return
 			}
 			conn, err := s.dial(dnsCtx)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to dial namesever")
 				noResponseErrCh <- err
 				return
 			}
 			defer conn.Close()
 			dnsReqBuf := buf.New()
-			binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
+			err = binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
-			dnsReqBuf.Write(b.Bytes())
+			if err != nil {
 				errors.LogErrorInner(ctx, err, "binary write failed")
 				noResponseErrCh <- err
 				return
 			}
 			_, err = dnsReqBuf.Write(b.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "buffer write failed")
 				noResponseErrCh <- err
 				return
 			}
 			b.Release()
 			_, err = conn.Write(dnsReqBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to send query")
 				noResponseErrCh <- err
 				return
 			}
 			dnsReqBuf.Release()
@@ -247,129 +170,80 @@ func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			n, err := respBuf.ReadFullFrom(conn, 2)
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
 				noResponseErrCh <- err
 				return
 			}
 			var length int16
 			err = binary.Read(bytes.NewReader(respBuf.Bytes()), binary.BigEndian, &length)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse response length")
 				noResponseErrCh <- err
 				return
 			}
 			respBuf.Clear()
 			n, err = respBuf.ReadFullFrom(conn, int32(length))
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
 				noResponseErrCh <- err
 				return
 			}
 			rec, err := parseResponse(respBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse DNS over TCP response")
 				noResponseErrCh <- err
 				return
 			}
-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }
 func (s *TCPNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
 	s.RLock()
 	record, found := s.ips[domain]
 	s.RUnlock()
 	if !found {
 		return nil, errRecordNotFound
 	}
 	var err4 error
 	var err6 error
 	var ips []net.Address
 	var ip6 []net.Address
 	if option.IPv4Enable {
 		ips, err4 = record.A.getIPs()
 	}
 	if option.IPv6Enable {
 		ip6, err6 = record.AAAA.getIPs()
 		ips = append(ips, ip6...)
 	}
 	if len(ips) > 0 {
 		return toNetIP(ips)
 	}
 	if err4 != nil {
 		return nil, err4
 	}
 	if err6 != nil {
 		return nil, err6
 	}
 	return nil, dns_feature.ErrEmptyResponse
 }
 // QueryIP implements Server.
-func (s *TCPNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *TCPNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
+	defer closeSubscribers(sub4, sub6)
 		return nil, dns_feature.ErrEmptyResponse
 	}
-	if disableCache {
+	if s.cacheController.disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
+		if !go_errors.Is(err, errRecordNotFound) {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+			return ips, ttl, err
 		}
 	}
-	// ipv4 and ipv6 belong to different subscription groups
+	noResponseErrCh := make(chan error, 2)
-	var sub4, sub6 *pubsub.Subscriber
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	if option.IPv4Enable {
 		sub4 = s.pub.Subscribe(fqdn + "4")
 		defer sub4.Close()
 	}
 	if option.IPv6Enable {
 		sub6 = s.pub.Subscribe(fqdn + "6")
 		defer sub6.Close()
 	}
 	done := make(chan interface{})
 	go func() {
 		if sub4 != nil {
 			select {
 			case <-sub4.Wait():
 			case <-ctx.Done():
 			}
 		}
 		if sub6 != nil {
 			select {
 			case <-sub6.Wait():
 			case <-ctx.Done():
 			}
 		}
 		close(done)
 	}()
 	s.sendQuery(ctx, fqdn, clientIP, option)
 	start := time.Now()
-	for {
+	if sub4 != nil {
 		ips, err := s.findIPsForDomain(fqdn, option)
 		if err != errRecordNotFound {
 			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 			return ips, err
 		}
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			return nil, 0, ctx.Err()
-		case <-done:
+		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub4.Wait():
 			sub4.Close()
 		}
 	}
 	if sub6 != nil {
 		select {
 		case <-ctx.Done():
 			return nil, 0, ctx.Err()
 		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub6.Wait():
 			sub6.Close()
 		}
 	}
 	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
 	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 	return ips, ttl, err
 }
--- a/app/dns/nameserver_tcp_test.go
+++ b/app/dns/nameserver_tcp_test.go
@@ -16,13 +16,13 @@ import (
 func TestTCPLocalNameServer(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -33,13 +33,13 @@ func TestTCPLocalNameServer(t *testing.T) {
 func TestTCPLocalNameServerWithCache(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@@ -47,10 +47,10 @@ func TestTCPLocalNameServerWithCache(t *testing.T) {
 	}
 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@@ -61,13 +61,13 @@ func TestTCPLocalNameServerWithCache(t *testing.T) {
 func TestTCPLocalNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP4)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
+		IPv6Enable: false,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
@@ -85,13 +85,13 @@ func TestTCPLocalNameServerWithIPv4Override(t *testing.T) {
 func TestTCPLocalNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP6)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
-		IPv4Enable: true,
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
--- a/app/dns/nameserver_udp.go
+++ b/app/dns/nameserver_udp.go
@@ -2,6 +2,7 @@ package dns
 import (
 	"context"
 	go_errors "errors"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -13,7 +14,6 @@ import (
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	udp_proto "github.com/xtls/xray-core/common/protocol/udp"
 	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
@@ -24,35 +24,36 @@ import (
 // ClassicNameServer implemented traditional UDP DNS.
 type ClassicNameServer struct {
 	sync.RWMutex
-	name          string
+	cacheController *CacheController
-	address       *net.Destination
+	address         *net.Destination
-	ips           map[string]*record
+	requests        map[uint16]*udpDnsRequest
-	requests      map[uint16]*dnsRequest
+	udpServer       *udp.Dispatcher
-	pub           *pubsub.Service
+	requestsCleanup *task.Periodic
-	udpServer     *udp.Dispatcher
+	reqID           uint32
-	cleanup       *task.Periodic
+	clientIP        net.IP
-	reqID         uint32
+}
-	queryStrategy QueryStrategy
+
 type udpDnsRequest struct {
 	dnsRequest
 	ctx context.Context
 }
 // NewClassicNameServer creates udp server object for remote resolving.
-func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher, queryStrategy QueryStrategy) *ClassicNameServer {
+func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher, disableCache bool, clientIP net.IP) *ClassicNameServer {
 	// default to 53 if unspecific
 	if address.Port == 0 {
 		address.Port = net.Port(53)
 	}
 	s := &ClassicNameServer{
-		address:       &address,
+		cacheController: NewCacheController(strings.ToUpper(address.String()), disableCache),
-		ips:           make(map[string]*record),
+		address:         &address,
-		requests:      make(map[uint16]*dnsRequest),
+		requests:        make(map[uint16]*udpDnsRequest),
-		pub:           pubsub.NewService(),
+		clientIP:        clientIP,
 		name:          strings.ToUpper(address.String()),
 		queryStrategy: queryStrategy,
 	}
-	s.cleanup = &task.Periodic{
+	s.requestsCleanup = &task.Periodic{
 		Interval: time.Minute,
-		Execute:  s.Cleanup,
+		Execute:  s.RequestsCleanup,
 	}
 	s.udpServer = udp.NewDispatcher(dispatcher, s.HandleResponse)
 	errors.LogInfo(context.Background(), "DNS: created UDP client initialized for ", address.NetAddr())
@@ -61,37 +62,17 @@ func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher
 // Name implements Server.
 func (s *ClassicNameServer) Name() string {
-	return s.name
+	return s.cacheController.name
 }
-// Cleanup clears expired items from cache
+// RequestsCleanup clears expired items from cache
-func (s *ClassicNameServer) Cleanup() error {
+func (s *ClassicNameServer) RequestsCleanup() error {
 	now := time.Now()
 	s.Lock()
 	defer s.Unlock()
-	if len(s.ips) == 0 && len(s.requests) == 0 {
+	if len(s.requests) == 0 {
-		return errors.New(s.name, " nothing to do. stopping...")
+		return errors.New(s.Name(), " nothing to do. stopping...")
 	}
 	for domain, record := range s.ips {
 		if record.A != nil && record.A.Expire.Before(now) {
 			record.A = nil
 		}
 		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
 			record.AAAA = nil
 		}
 		if record.A == nil && record.AAAA == nil {
 			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
 			delete(s.ips, domain)
 		} else {
 			s.ips[domain] = record
 		}
 	}
 	if len(s.ips) == 0 {
 		s.ips = make(map[string]*record)
 	}
 	for id, req := range s.requests {
@@ -101,7 +82,7 @@ func (s *ClassicNameServer) Cleanup() error {
 	}
 	if len(s.requests) == 0 {
-		s.requests = make(map[uint16]*dnsRequest)
+		s.requests = make(map[uint16]*udpDnsRequest)
 	}
 	return nil
@@ -111,7 +92,7 @@ func (s *ClassicNameServer) Cleanup() error {
 func (s *ClassicNameServer) HandleResponse(ctx context.Context, packet *udp_proto.Packet) {
 	ipRec, err := parseResponse(packet.Payload.Bytes())
 	if err != nil {
-		errors.LogError(ctx, s.name, " fail to parse responded DNS udp")
+		errors.LogError(ctx, s.Name(), " fail to parse responded DNS udp")
 		return
 	}
@@ -124,179 +105,107 @@ func (s *ClassicNameServer) HandleResponse(ctx context.Context, packet *udp_prot
 	}
 	s.Unlock()
 	if !ok {
-		errors.LogError(ctx, s.name, " cannot find the pending request")
+		errors.LogError(ctx, s.Name(), " cannot find the pending request")
 		return
 	}
-	var rec record
+	// if truncated, retry with EDNS0 option(udp payload size: 1350)
-	switch req.reqType {
+	if ipRec.RawHeader.Truncated {
-	case dnsmessage.TypeA:
+		// if already has EDNS0 option, no need to retry
-		rec.A = ipRec
+		if len(req.msg.Additionals) == 0 {
-	case dnsmessage.TypeAAAA:
+			// copy necessary meta data from original request
-		rec.AAAA = ipRec
+			// and add EDNS0 option
 			opt := new(dnsmessage.Resource)
 			common.Must(opt.Header.SetEDNS0(1350, 0xfe00, true))
 			opt.Body = &dnsmessage.OPTResource{}
 			newMsg := *req.msg
 			newReq := *req
 			newMsg.Additionals = append(newMsg.Additionals, *opt)
 			newMsg.ID = s.newReqID()
 			newReq.msg = &newMsg
 			s.addPendingRequest(&newReq)
 			b, _ := dns.PackMessage(newReq.msg)
 			s.udpServer.Dispatch(toDnsContext(newReq.ctx, s.address.String()), *s.address, b)
 			return
 		}
 	}
-	elapsed := time.Since(req.start)
+	s.cacheController.updateIP(&req.dnsRequest, ipRec)
 	errors.LogInfo(ctx, s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
 	if len(req.domain) > 0 && (rec.A != nil || rec.AAAA != nil) {
 		s.updateIP(req.domain, &rec)
 	}
 }
 func (s *ClassicNameServer) updateIP(domain string, newRec *record) {
 	s.Lock()
 	rec, found := s.ips[domain]
 	if !found {
 		rec = &record{}
 	}
 	updated := false
 	if isNewer(rec.A, newRec.A) {
 		rec.A = newRec.A
 		updated = true
 	}
 	if isNewer(rec.AAAA, newRec.AAAA) {
 		rec.AAAA = newRec.AAAA
 		updated = true
 	}
 	if updated {
 		errors.LogDebug(context.Background(), s.name, " updating IP records for domain:", domain)
 		s.ips[domain] = rec
 	}
 	if newRec.A != nil {
 		s.pub.Publish(domain+"4", nil)
 	}
 	if newRec.AAAA != nil {
 		s.pub.Publish(domain+"6", nil)
 	}
 	s.Unlock()
 	common.Must(s.cleanup.Start())
 }
 func (s *ClassicNameServer) newReqID() uint16 {
 	return uint16(atomic.AddUint32(&s.reqID, 1))
 }
-func (s *ClassicNameServer) addPendingRequest(req *dnsRequest) {
+func (s *ClassicNameServer) addPendingRequest(req *udpDnsRequest) {
 	s.Lock()
 	defer s.Unlock()
 	id := req.msg.ID
 	req.expire = time.Now().Add(time.Second * 8)
 	s.requests[id] = req
 	s.Unlock()
 	common.Must(s.requestsCleanup.Start())
 }
-func (s *ClassicNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
+func (s *ClassicNameServer) sendQuery(ctx context.Context, _ chan<- error, domain string, option dns_feature.IPOption) {
-	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)
+	errors.LogDebug(ctx, s.Name(), " querying DNS for: ", domain)
-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))
 	for _, req := range reqs {
-		s.addPendingRequest(req)
+		udpReq := &udpDnsRequest{
 			dnsRequest: *req,
 			ctx:        ctx,
 		}
 		s.addPendingRequest(udpReq)
 		b, _ := dns.PackMessage(req.msg)
 		s.udpServer.Dispatch(toDnsContext(ctx, s.address.String()), *s.address, b)
 	}
 }
 func (s *ClassicNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
 	s.RLock()
 	record, found := s.ips[domain]
 	s.RUnlock()
 	if !found {
 		return nil, errRecordNotFound
 	}
 	var err4 error
 	var err6 error
 	var ips []net.Address
 	var ip6 []net.Address
 	if option.IPv4Enable {
 		ips, err4 = record.A.getIPs()
 	}
 	if option.IPv6Enable {
 		ip6, err6 = record.AAAA.getIPs()
 		ips = append(ips, ip6...)
 	}
 	if len(ips) > 0 {
 		return toNetIP(ips)
 	}
 	if err4 != nil {
 		return nil, err4
 	}
 	if err6 != nil {
 		return nil, err6
 	}
 	return nil, dns_feature.ErrEmptyResponse
 }
 // QueryIP implements Server.
-func (s *ClassicNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *ClassicNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
+	defer closeSubscribers(sub4, sub6)
 		return nil, dns_feature.ErrEmptyResponse
 	}
-	if disableCache {
+	if s.cacheController.disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
+		if !go_errors.Is(err, errRecordNotFound) {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+			return ips, ttl, err
 		}
 	}
-	// ipv4 and ipv6 belong to different subscription groups
+	noResponseErrCh := make(chan error, 2)
-	var sub4, sub6 *pubsub.Subscriber
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	if option.IPv4Enable {
 		sub4 = s.pub.Subscribe(fqdn + "4")
 		defer sub4.Close()
 	}
 	if option.IPv6Enable {
 		sub6 = s.pub.Subscribe(fqdn + "6")
 		defer sub6.Close()
 	}
 	done := make(chan interface{})
 	go func() {
 		if sub4 != nil {
 			select {
 			case <-sub4.Wait():
 			case <-ctx.Done():
 			}
 		}
 		if sub6 != nil {
 			select {
 			case <-sub6.Wait():
 			case <-ctx.Done():
 			}
 		}
 		close(done)
 	}()
 	s.sendQuery(ctx, fqdn, clientIP, option)
 	start := time.Now()
-	for {
+	if sub4 != nil {
 		ips, err := s.findIPsForDomain(fqdn, option)
 		if err != errRecordNotFound {
 			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 			return ips, err
 		}
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			return nil, 0, ctx.Err()
-		case <-done:
+		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub4.Wait():
 			sub4.Close()
 		}
 	}
 	if sub6 != nil {
 		select {
 		case <-ctx.Done():
 			return nil, 0, ctx.Err()
 		case err := <-noResponseErrCh:
 			return nil, 0, err
 		case <-sub6.Wait():
 			sub6.Close()
 		}
 	}
 	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
 	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
 	return ips, ttl, err
 }
--- a/app/metrics/config.pb.go
+++ b/app/metrics/config.pb.go
@@ -27,7 +27,8 @@ type Config struct {
 	unknownFields protoimpl.UnknownFields
 	// Tag of the outbound handler that handles metrics http connections.
-	Tag string `protobuf:"bytes,1,opt,name=tag,proto3" json:"tag,omitempty"`
+	Tag    string `protobuf:"bytes,1,opt,name=tag,proto3" json:"tag,omitempty"`
 	Listen string `protobuf:"bytes,2,opt,name=listen,proto3" json:"listen,omitempty"`
 }
 func (x *Config) Reset() {
@@ -67,20 +68,28 @@ func (x *Config) GetTag() string {
 	return ""
 }
 func (x *Config) GetListen() string {
 	if x != nil {
 		return x.Listen
 	}
 	return ""
 }
 var File_app_metrics_config_proto protoreflect.FileDescriptor
 var file_app_metrics_config_proto_rawDesc = []byte{
 	0x0a, 0x18, 0x61, 0x70, 0x70, 0x2f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x2f, 0x63, 0x6f,
 	0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x78, 0x72, 0x61, 0x79,
-	0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x22, 0x1a, 0x0a, 0x06,
+	0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x22, 0x32, 0x0a, 0x06,
 	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x42, 0x52, 0x0a, 0x14, 0x63, 0x6f, 0x6d, 0x2e,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x69, 0x73, 0x74,
-	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
+	0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e,
-	0x50, 0x01, 0x5a, 0x25, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78,
+	0x42, 0x52, 0x0a, 0x14, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
-	0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70,
+	0x2e, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x50, 0x01, 0x5a, 0x25, 0x67, 0x69, 0x74, 0x68,
-	0x70, 0x2f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0xaa, 0x02, 0x10, 0x58, 0x72, 0x61, 0x79,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79,
-	0x2e, 0x41, 0x70, 0x70, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x62, 0x06, 0x70, 0x72,
+	0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0xaa, 0x02, 0x10, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x4d, 0x65, 0x74,
 	0x72, 0x69, 0x63, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
--- a/app/metrics/config.proto
+++ b/app/metrics/config.proto
@@ -10,4 +10,5 @@ option java_multiple_files = true;
 message Config {
  // Tag of the outbound handler that handles metrics http connections.
  string tag = 1;
  string listen = 2;
 }
--- a/app/metrics/metrics.go
+++ b/app/metrics/metrics.go
@@ -24,12 +24,15 @@ type MetricsHandler struct {
 	statsManager feature_stats.Manager
 	observatory  extension.Observatory
 	tag          string
 	listen       string
 	tcpListener  net.Listener
 }
 // NewMetricsHandler creates a new MetricsHandler based on the given config.
 func NewMetricsHandler(ctx context.Context, config *Config) (*MetricsHandler, error) {
 	c := &MetricsHandler{
-		tag: config.Tag,
+		tag:    config.Tag,
 		listen: config.Listen,
 	}
 	common.Must(core.RequireFeatures(ctx, func(om outbound.Manager, sm feature_stats.Manager) {
 		c.statsManager = sm
@@ -87,6 +90,23 @@ func (p *MetricsHandler) Type() interface{} {
 }
 func (p *MetricsHandler) Start() error {
 	// direct listen a port if listen is set
 	if p.listen != "" {
 		TCPlistener, err := net.Listen("tcp", p.listen)
 		if err != nil {
 			return err
 		}
 		p.tcpListener = TCPlistener
 		errors.LogInfo(context.Background(), "Metrics server listening on ", p.listen)
 		go func() {
 			if err := http.Serve(TCPlistener, http.DefaultServeMux); err != nil {
 				errors.LogErrorInner(context.Background(), err, "failed to start metrics server")
 			}
 		}()
 	}
 	listener := &OutboundListener{
 		buffer: make(chan net.Conn, 4),
 		done:   done.New(),
--- a/app/metrics/outbound.go
+++ b/app/metrics/outbound.go
@@ -8,6 +8,7 @@ import (
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/common/signal/done"
 	"github.com/xtls/xray-core/transport"
 )
@@ -108,3 +109,13 @@ func (co *Outbound) Close() error {
 	co.closed = true
 	return co.listener.Close()
 }
 // SenderSettings implements outbound.Handler.
 func (co *Outbound) SenderSettings() *serial.TypedMessage {
 	return nil
 }
 // ProxySettings implements outbound.Handler.
 func (co *Outbound) ProxySettings() *serial.TypedMessage {
 	return nil
 }
--- a/app/observatory/burst/config.pb.go
+++ b/app/observatory/burst/config.pb.go
@@ -90,6 +90,8 @@ type HealthPingConfig struct {
 	SamplingCount int32 `protobuf:"varint,4,opt,name=samplingCount,proto3" json:"samplingCount,omitempty"`
 	// ping timeout, int64 values of time.Duration
 	Timeout int64 `protobuf:"varint,5,opt,name=timeout,proto3" json:"timeout,omitempty"`
 	// http method to make request
 	HttpMethod string `protobuf:"bytes,6,opt,name=httpMethod,proto3" json:"httpMethod,omitempty"`
 }
 func (x *HealthPingConfig) Reset() {
@@ -157,6 +159,13 @@ func (x *HealthPingConfig) GetTimeout() int64 {
 	return 0
 }
 func (x *HealthPingConfig) GetHttpMethod() string {
 	if x != nil {
 		return x.HttpMethod
 	}
 	return ""
 }
 var File_app_observatory_burst_config_proto protoreflect.FileDescriptor
 var file_app_observatory_burst_config_proto_rawDesc = []byte{
@@ -173,7 +182,7 @@ var file_app_observatory_burst_config_proto_rawDesc = []byte{
 	0x2e, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x6f, 0x72, 0x79, 0x2e, 0x62, 0x75, 0x72,
 	0x73, 0x74, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22,
-	0xb4, 0x01, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50, 0x69, 0x6e, 0x67, 0x43, 0x6f,
+	0xd4, 0x01, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50, 0x69, 0x6e, 0x67, 0x43, 0x6f,
 	0x6e, 0x66, 0x69, 0x67, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
 	0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69,
 	0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
@@ -184,7 +193,9 @@ var file_app_observatory_burst_config_proto_rawDesc = []byte{
 	0x6e, 0x67, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x73,
 	0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x18, 0x0a, 0x07,
 	0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x74,
-	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x70, 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72,
+	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x1e, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x4d, 0x65,
 	0x74, 0x68, 0x6f, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x68, 0x74, 0x74, 0x70,
 	0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x42, 0x70, 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72,
 	0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x6f,
 	0x72, 0x79, 0x2e, 0x62, 0x75, 0x72, 0x73, 0x74, 0x50, 0x01, 0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68,
 	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79,
--- a/app/observatory/burst/config.proto
+++ b/app/observatory/burst/config.proto
@@ -26,4 +26,7 @@ message HealthPingConfig {
  int32 samplingCount = 4;
  // ping timeout, int64 values of time.Duration
  int64 timeout = 5;
  // http method to make request
  string httpMethod = 6;
 }
--- a/app/observatory/burst/healthping.go
+++ b/app/observatory/burst/healthping.go
@@ -19,6 +19,7 @@ type HealthPingSettings struct {
 	Interval      time.Duration `json:"interval"`
 	SamplingCount int           `json:"sampling"`
 	Timeout       time.Duration `json:"timeout"`
 	HttpMethod    string        `json:"httpMethod"`
 }
 // HealthPing is the health checker for balancers
@@ -37,12 +38,21 @@ type HealthPing struct {
 func NewHealthPing(ctx context.Context, dispatcher routing.Dispatcher, config *HealthPingConfig) *HealthPing {
 	settings := &HealthPingSettings{}
 	if config != nil {
 		var httpMethod string
 		if config.HttpMethod == "" {
 			httpMethod = "HEAD"
 		} else {
 			httpMethod = strings.TrimSpace(config.HttpMethod)
 		}
 		settings = &HealthPingSettings{
 			Connectivity:  strings.TrimSpace(config.Connectivity),
 			Destination:   strings.TrimSpace(config.Destination),
 			Interval:      time.Duration(config.Interval),
 			SamplingCount: int(config.SamplingCount),
 			Timeout:       time.Duration(config.Timeout),
 			HttpMethod:    httpMethod,
 		}
 	}
 	if settings.Destination == "" {
@@ -66,10 +76,10 @@ func NewHealthPing(ctx context.Context, dispatcher routing.Dispatcher, config *H
 		settings.Timeout = time.Duration(5) * time.Second
 	}
 	return &HealthPing{
-		ctx:      ctx,
+		ctx:        ctx,
 		dispatcher: dispatcher,
-		Settings: settings,
+		Settings:   settings,
-		Results:  nil,
+		Results:    nil,
 	}
 }
@@ -164,7 +174,7 @@ func (h *HealthPing) doCheck(tags []string, duration time.Duration, rounds int)
 			}
 			time.AfterFunc(delay, func() {
 				errors.LogDebug(h.ctx, "checking ", handler)
-				delay, err := client.MeasureDelay()
+				delay, err := client.MeasureDelay(h.Settings.HttpMethod)
 				if err == nil {
 					ch <- &rtt{
 						handler: handler,
@@ -251,7 +261,7 @@ func (h *HealthPing) checkConnectivity() bool {
 		h.Settings.Connectivity,
 		h.Settings.Timeout,
 	)
-	if _, err := tester.MeasureDelay(); err != nil {
+	if _, err := tester.MeasureDelay(h.Settings.HttpMethod); err != nil {
 		return false
 	}
 	return true
--- a/app/observatory/burst/ping.go
+++ b/app/observatory/burst/ping.go
@@ -2,6 +2,7 @@ package burst
 import (
 	"context"
 	"io"
 	"net/http"
 	"time"
@@ -51,20 +52,28 @@ func newHTTPClient(ctxv context.Context, dispatcher routing.Dispatcher, handler
 }
 // MeasureDelay returns the delay time of the request to dest
-func (s *pingClient) MeasureDelay() (time.Duration, error) {
+func (s *pingClient) MeasureDelay(httpMethod string) (time.Duration, error) {
 	if s.httpClient == nil {
 		panic("pingClient not initialized")
 	}
-	req, err := http.NewRequest(http.MethodHead, s.destination, nil)
+
 	req, err := http.NewRequest(httpMethod, s.destination, nil)
 	if err != nil {
 		return rttFailed, err
 	}
 	start := time.Now()
 	resp, err := s.httpClient.Do(req)
 	if err != nil {
 		return rttFailed, err
 	}
-	// don't wait for body
+	if httpMethod == http.MethodGet {
 		_, err = io.Copy(io.Discard, resp.Body)
 		if err != nil {
 			return rttFailed, err
 		}
 	}
 	resp.Body.Close()
 	return time.Since(start), nil
 }
--- a/app/observatory/command/command.go
+++ b/app/observatory/command/command.go
@@ -38,7 +38,7 @@ func init() {
 		sv := &service{v: s}
 		err := s.RequireFeatures(func(Observatory extension.Observatory) {
 			sv.observatory = Observatory
-		})
+		}, false)
 		if err != nil {
 			return nil, err
 		}
--- a/app/observatory/observer.go
+++ b/app/observatory/observer.go
@@ -32,7 +32,7 @@ type Observer struct {
 	finished *done.Instance
-	ohm outbound.Manager
+	ohm        outbound.Manager
 	dispatcher routing.Dispatcher
 }
@@ -226,9 +226,9 @@ func New(ctx context.Context, config *Config) (*Observer, error) {
 		return nil, errors.New("Cannot get depended features").Base(err)
 	}
 	return &Observer{
-		config: config,
+		config:     config,
-		ctx:    ctx,
+		ctx:        ctx,
-		ohm:    outboundManager,
+		ohm:        outboundManager,
 		dispatcher: dispatcher,
 	}, nil
 }
--- a/app/proxyman/command/command.go
+++ b/app/proxyman/command/command.go
@@ -3,6 +3,7 @@ package command
 import (
 	"context"
 	"github.com/xtls/xray-core/app/commander"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/protocol"
@@ -99,6 +100,28 @@ func (s *handlerServer) AlterInbound(ctx context.Context, request *AlterInboundR
 	return &AlterInboundResponse{}, operation.ApplyInbound(ctx, handler)
 }
 func (s *handlerServer) ListInbounds(ctx context.Context, request *ListInboundsRequest) (*ListInboundsResponse, error) {
 	handlers := s.ihm.ListHandlers(ctx)
 	response := &ListInboundsResponse{}
 	if request.GetIsOnlyTags() {
 		for _, handler := range handlers {
 			response.Inbounds = append(response.Inbounds, &core.InboundHandlerConfig{
 				Tag: handler.Tag(),
 			})
 		}
 	} else {
 		for _, handler := range handlers {
 			response.Inbounds = append(response.Inbounds, &core.InboundHandlerConfig{
 				Tag:              handler.Tag(),
 				ReceiverSettings: handler.ReceiverSettings(),
 				ProxySettings:    handler.ProxySettings(),
 			})
 		}
 	}
 	return response, nil
 }
 func (s *handlerServer) GetInboundUsers(ctx context.Context, request *GetInboundUserRequest) (*GetInboundUserResponse, error) {
 	handler, err := s.ihm.GetHandler(ctx, request.Tag)
 	if err != nil {
@@ -164,6 +187,23 @@ func (s *handlerServer) AlterOutbound(ctx context.Context, request *AlterOutboun
 	return &AlterOutboundResponse{}, operation.ApplyOutbound(ctx, handler)
 }
 func (s *handlerServer) ListOutbounds(ctx context.Context, request *ListOutboundsRequest) (*ListOutboundsResponse, error) {
 	handlers := s.ohm.ListHandlers(ctx)
 	response := &ListOutboundsResponse{}
 	for _, handler := range handlers {
 		// Ignore gRPC outbound
 		if _, ok := handler.(*commander.Outbound); ok {
 			continue
 		}
 		response.Outbounds = append(response.Outbounds, &core.OutboundHandlerConfig{
 			Tag:            handler.Tag(),
 			SenderSettings: handler.SenderSettings(),
 			ProxySettings:  handler.ProxySettings(),
 		})
 	}
 	return response, nil
 }
 func (s *handlerServer) mustEmbedUnimplementedHandlerServiceServer() {}
 type service struct {
@@ -177,7 +217,7 @@ func (s *service) Register(server *grpc.Server) {
 	common.Must(s.v.RequireFeatures(func(im inbound.Manager, om outbound.Manager) {
 		hs.ihm = im
 		hs.ohm = om
-	}))
+	}, false))
 	RegisterHandlerServiceServer(server, hs)
 	// For compatibility purposes
--- a/app/proxyman/command/command.pb.go
+++ b/app/proxyman/command/command.pb.go
@@ -364,6 +364,96 @@ func (*AlterInboundResponse) Descriptor() ([]byte, []int) {
 	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{7}
 }
 type ListInboundsRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	IsOnlyTags bool `protobuf:"varint,1,opt,name=isOnlyTags,proto3" json:"isOnlyTags,omitempty"`
 }
 func (x *ListInboundsRequest) Reset() {
 	*x = ListInboundsRequest{}
 	mi := &file_app_proxyman_command_command_proto_msgTypes[8]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *ListInboundsRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ListInboundsRequest) ProtoMessage() {}
 func (x *ListInboundsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_app_proxyman_command_command_proto_msgTypes[8]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ListInboundsRequest.ProtoReflect.Descriptor instead.
 func (*ListInboundsRequest) Descriptor() ([]byte, []int) {
 	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{8}
 }
 func (x *ListInboundsRequest) GetIsOnlyTags() bool {
 	if x != nil {
 		return x.IsOnlyTags
 	}
 	return false
 }
 type ListInboundsResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Inbounds []*core.InboundHandlerConfig `protobuf:"bytes,1,rep,name=inbounds,proto3" json:"inbounds,omitempty"`
 }
 func (x *ListInboundsResponse) Reset() {
 	*x = ListInboundsResponse{}
 	mi := &file_app_proxyman_command_command_proto_msgTypes[9]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *ListInboundsResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ListInboundsResponse) ProtoMessage() {}
 func (x *ListInboundsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_app_proxyman_command_command_proto_msgTypes[9]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ListInboundsResponse.ProtoReflect.Descriptor instead.
 func (*ListInboundsResponse) Descriptor() ([]byte, []int) {
 	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{9}
 }
 func (x *ListInboundsResponse) GetInbounds() []*core.InboundHandlerConfig {
 	if x != nil {
 		return x.Inbounds
 	}
 	return nil
 }
 type GetInboundUserRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -375,7 +465,7 @@ type GetInboundUserRequest struct {
 func (x *GetInboundUserRequest) Reset() {
 	*x = GetInboundUserRequest{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[8]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[10]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -387,7 +477,7 @@ func (x *GetInboundUserRequest) String() string {
 func (*GetInboundUserRequest) ProtoMessage() {}
 func (x *GetInboundUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[8]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[10]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -400,7 +490,7 @@ func (x *GetInboundUserRequest) ProtoReflect() protoreflect.Message {
 // Deprecated: Use GetInboundUserRequest.ProtoReflect.Descriptor instead.
 func (*GetInboundUserRequest) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{8}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{10}
 }
 func (x *GetInboundUserRequest) GetTag() string {
@@ -427,7 +517,7 @@ type GetInboundUserResponse struct {
 func (x *GetInboundUserResponse) Reset() {
 	*x = GetInboundUserResponse{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[9]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[11]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -439,7 +529,7 @@ func (x *GetInboundUserResponse) String() string {
 func (*GetInboundUserResponse) ProtoMessage() {}
 func (x *GetInboundUserResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[9]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[11]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -452,7 +542,7 @@ func (x *GetInboundUserResponse) ProtoReflect() protoreflect.Message {
 // Deprecated: Use GetInboundUserResponse.ProtoReflect.Descriptor instead.
 func (*GetInboundUserResponse) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{9}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{11}
 }
 func (x *GetInboundUserResponse) GetUsers() []*protocol.User {
@@ -472,7 +562,7 @@ type GetInboundUsersCountResponse struct {
 func (x *GetInboundUsersCountResponse) Reset() {
 	*x = GetInboundUsersCountResponse{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[10]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[12]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -484,7 +574,7 @@ func (x *GetInboundUsersCountResponse) String() string {
 func (*GetInboundUsersCountResponse) ProtoMessage() {}
 func (x *GetInboundUsersCountResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[10]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[12]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -497,7 +587,7 @@ func (x *GetInboundUsersCountResponse) ProtoReflect() protoreflect.Message {
 // Deprecated: Use GetInboundUsersCountResponse.ProtoReflect.Descriptor instead.
 func (*GetInboundUsersCountResponse) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{10}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{12}
 }
 func (x *GetInboundUsersCountResponse) GetCount() int64 {
@@ -517,7 +607,7 @@ type AddOutboundRequest struct {
 func (x *AddOutboundRequest) Reset() {
 	*x = AddOutboundRequest{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[11]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[13]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -529,7 +619,7 @@ func (x *AddOutboundRequest) String() string {
 func (*AddOutboundRequest) ProtoMessage() {}
 func (x *AddOutboundRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[11]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[13]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -542,7 +632,7 @@ func (x *AddOutboundRequest) ProtoReflect() protoreflect.Message {
 // Deprecated: Use AddOutboundRequest.ProtoReflect.Descriptor instead.
 func (*AddOutboundRequest) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{11}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{13}
 }
 func (x *AddOutboundRequest) GetOutbound() *core.OutboundHandlerConfig {
@@ -560,7 +650,7 @@ type AddOutboundResponse struct {
 func (x *AddOutboundResponse) Reset() {
 	*x = AddOutboundResponse{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[12]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[14]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -572,7 +662,7 @@ func (x *AddOutboundResponse) String() string {
 func (*AddOutboundResponse) ProtoMessage() {}
 func (x *AddOutboundResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[12]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[14]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -585,7 +675,7 @@ func (x *AddOutboundResponse) ProtoReflect() protoreflect.Message {
 // Deprecated: Use AddOutboundResponse.ProtoReflect.Descriptor instead.
 func (*AddOutboundResponse) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{12}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{14}
 }
 type RemoveOutboundRequest struct {
@@ -598,7 +688,7 @@ type RemoveOutboundRequest struct {
 func (x *RemoveOutboundRequest) Reset() {
 	*x = RemoveOutboundRequest{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[13]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[15]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -610,7 +700,7 @@ func (x *RemoveOutboundRequest) String() string {
 func (*RemoveOutboundRequest) ProtoMessage() {}
 func (x *RemoveOutboundRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[13]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[15]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -623,7 +713,7 @@ func (x *RemoveOutboundRequest) ProtoReflect() protoreflect.Message {
 // Deprecated: Use RemoveOutboundRequest.ProtoReflect.Descriptor instead.
 func (*RemoveOutboundRequest) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{13}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{15}
 }
 func (x *RemoveOutboundRequest) GetTag() string {
@@ -641,7 +731,7 @@ type RemoveOutboundResponse struct {
 func (x *RemoveOutboundResponse) Reset() {
 	*x = RemoveOutboundResponse{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[14]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[16]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -653,7 +743,7 @@ func (x *RemoveOutboundResponse) String() string {
 func (*RemoveOutboundResponse) ProtoMessage() {}
 func (x *RemoveOutboundResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[14]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[16]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -666,7 +756,7 @@ func (x *RemoveOutboundResponse) ProtoReflect() protoreflect.Message {
 // Deprecated: Use RemoveOutboundResponse.ProtoReflect.Descriptor instead.
 func (*RemoveOutboundResponse) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{14}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{16}
 }
 type AlterOutboundRequest struct {
@@ -680,7 +770,7 @@ type AlterOutboundRequest struct {
 func (x *AlterOutboundRequest) Reset() {
 	*x = AlterOutboundRequest{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[15]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -692,7 +782,7 @@ func (x *AlterOutboundRequest) String() string {
 func (*AlterOutboundRequest) ProtoMessage() {}
 func (x *AlterOutboundRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[15]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -705,7 +795,7 @@ func (x *AlterOutboundRequest) ProtoReflect() protoreflect.Message {
 // Deprecated: Use AlterOutboundRequest.ProtoReflect.Descriptor instead.
 func (*AlterOutboundRequest) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{15}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{17}
 }
 func (x *AlterOutboundRequest) GetTag() string {
@@ -730,7 +820,7 @@ type AlterOutboundResponse struct {
 func (x *AlterOutboundResponse) Reset() {
 	*x = AlterOutboundResponse{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[16]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -742,7 +832,7 @@ func (x *AlterOutboundResponse) String() string {
 func (*AlterOutboundResponse) ProtoMessage() {}
 func (x *AlterOutboundResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[16]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -755,7 +845,88 @@ func (x *AlterOutboundResponse) ProtoReflect() protoreflect.Message {
 // Deprecated: Use AlterOutboundResponse.ProtoReflect.Descriptor instead.
 func (*AlterOutboundResponse) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{16}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{18}
 }
 type ListOutboundsRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 }
 func (x *ListOutboundsRequest) Reset() {
 	*x = ListOutboundsRequest{}
 	mi := &file_app_proxyman_command_command_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *ListOutboundsRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ListOutboundsRequest) ProtoMessage() {}
 func (x *ListOutboundsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_app_proxyman_command_command_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ListOutboundsRequest.ProtoReflect.Descriptor instead.
 func (*ListOutboundsRequest) Descriptor() ([]byte, []int) {
 	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{19}
 }
 type ListOutboundsResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Outbounds []*core.OutboundHandlerConfig `protobuf:"bytes,1,rep,name=outbounds,proto3" json:"outbounds,omitempty"`
 }
 func (x *ListOutboundsResponse) Reset() {
 	*x = ListOutboundsResponse{}
 	mi := &file_app_proxyman_command_command_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *ListOutboundsResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*ListOutboundsResponse) ProtoMessage() {}
 func (x *ListOutboundsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_app_proxyman_command_command_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use ListOutboundsResponse.ProtoReflect.Descriptor instead.
 func (*ListOutboundsResponse) Descriptor() ([]byte, []int) {
 	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{20}
 }
 func (x *ListOutboundsResponse) GetOutbounds() []*core.OutboundHandlerConfig {
 	if x != nil {
 		return x.Outbounds
 	}
 	return nil
 }
 type Config struct {
@@ -766,7 +937,7 @@ type Config struct {
 func (x *Config) Reset() {
 	*x = Config{}
-	mi := &file_app_proxyman_command_command_proto_msgTypes[17]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -778,7 +949,7 @@ func (x *Config) String() string {
 func (*Config) ProtoMessage() {}
 func (x *Config) ProtoReflect() protoreflect.Message {
-	mi := &file_app_proxyman_command_command_proto_msgTypes[17]
+	mi := &file_app_proxyman_command_command_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -791,7 +962,7 @@ func (x *Config) ProtoReflect() protoreflect.Message {
 // Deprecated: Use Config.ProtoReflect.Descriptor instead.
 func (*Config) Descriptor() ([]byte, []int) {
-	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{17}
+	return file_app_proxyman_command_command_proto_rawDescGZIP(), []int{21}
 }
 var File_app_proxyman_command_command_proto protoreflect.FileDescriptor
@@ -831,61 +1002,84 @@ var file_app_proxyman_command_command_proto_rawDesc = []byte{
 	0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x2e, 0x54, 0x79, 0x70,
 	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61,
 	0x74, 0x69, 0x6f, 0x6e, 0x22, 0x16, 0x0a, 0x14, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x62,
-	0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x3f, 0x0a, 0x15,
+	0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x35, 0x0a, 0x13,
-	0x47, 0x65, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
+	0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52, 0x65, 0x71, 0x75,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01,
+	0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0a, 0x69, 0x73, 0x4f, 0x6e, 0x6c, 0x79, 0x54, 0x61, 0x67,
-	0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c,
+	0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x73, 0x4f, 0x6e, 0x6c, 0x79, 0x54,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x22, 0x4a, 0x0a,
+	0x61, 0x67, 0x73, 0x22, 0x53, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75,
-	0x16, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x52,
+	0x6e, 0x64, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3b, 0x0a, 0x08, 0x69,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73,
+	0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e,
-	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x55, 0x73,
+	0x64, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x08,
-	0x65, 0x72, 0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x22, 0x34, 0x0a, 0x1c, 0x47, 0x65, 0x74,
+	0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x22, 0x3f, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x49,
-	0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x73, 0x43, 0x6f, 0x75, 0x6e,
+	0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6f, 0x75,
+	0x74, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
-	0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x22,
+	0x74, 0x61, 0x67, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20, 0x01,
-	0x52, 0x0a, 0x12, 0x41, 0x64, 0x64, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65,
+	0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x22, 0x4a, 0x0a, 0x16, 0x47, 0x65, 0x74,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3c, 0x0a, 0x08, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e,
+	0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63,
+	0x6e, 0x73, 0x65, 0x12, 0x30, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x48, 0x61, 0x6e, 0x64,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
-	0x6c, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x08, 0x6f, 0x75, 0x74, 0x62, 0x6f,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x05,
-	0x75, 0x6e, 0x64, 0x22, 0x15, 0x0a, 0x13, 0x41, 0x64, 0x64, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75,
+	0x75, 0x73, 0x65, 0x72, 0x73, 0x22, 0x34, 0x0a, 0x1c, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x62, 0x6f,
-	0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x0a, 0x15, 0x52, 0x65,
+	0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73,
-	0x6d, 0x6f, 0x76, 0x65, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x52, 0x0a, 0x12, 0x41,
 	0x64, 0x64, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x12, 0x3c, 0x0a, 0x08, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e,
 	0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x72, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x08, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x22,
 	0x15, 0x0a, 0x13, 0x41, 0x64, 0x64, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65,
 	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x0a, 0x15, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65,
 	0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
 	0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61,
 	0x67, 0x22, 0x18, 0x0a, 0x16, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x4f, 0x75, 0x74, 0x62, 0x6f,
 	0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x68, 0x0a, 0x14, 0x41,
 	0x6c, 0x74, 0x65, 0x72, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x74, 0x61, 0x67, 0x22, 0x18, 0x0a, 0x16, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x4f,
+	0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x3e, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69,
-	0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
-	0x68, 0x0a, 0x14, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64,
+	0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x2e, 0x54, 0x79,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01,
+	0x70, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x3e, 0x0a, 0x09, 0x6f, 0x70, 0x65,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x4f, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78,
+	0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16,
-	0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x69, 0x61,
+	0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52,
-	0x6c, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x09,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x57, 0x0a, 0x15, 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x75,
-	0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x41, 0x6c, 0x74,
+	0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0x65, 0x72, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x3e, 0x0a, 0x09, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x73, 0x65, 0x22, 0x08, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x32, 0xc5, 0x07, 0x0a,
+	0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f,
-	0x0e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x72, 0x43, 0x6f,
-	0x6b, 0x0a, 0x0a, 0x41, 0x64, 0x64, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x2c, 0x2e,
+	0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x22,
-	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61,
+	0x08, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x32, 0xae, 0x09, 0x0a, 0x0e, 0x48, 0x61,
-	0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x64, 0x64, 0x49, 0x6e, 0x62,
+	0x6e, 0x64, 0x6c, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x6b, 0x0a, 0x0a,
-	0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x78, 0x72,
+	0x41, 0x64, 0x64, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x2c, 0x2e, 0x78, 0x72, 0x61,
 	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63,
 	0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x64, 0x64, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e,
 	0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
 	0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x64, 0x64, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52,
 	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x74, 0x0a, 0x0d, 0x52, 0x65, 0x6d,
 	0x6f, 0x76, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x2f, 0x2e, 0x78, 0x72, 0x61,
 	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63,
 	0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x49, 0x6e, 0x62,
 	0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x78, 0x72,
 	0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e,
-	0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x64, 0x64, 0x49, 0x6e, 0x62, 0x6f, 0x75,
+	0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x49, 0x6e,
-	0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x74, 0x0a, 0x0d,
+	0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
-	0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x2f, 0x2e,
+	0x71, 0x0a, 0x0c, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12,
-	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61,
+	0x2e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79,
-	0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65,
+	0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x6c, 0x74, 0x65,
-	0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30,
+	0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d,
+	0x2f, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79,
-	0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x76,
+	0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x6c, 0x74, 0x65,
-	0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x00, 0x12, 0x71, 0x0a, 0x0c, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75,
+	0x22, 0x00, 0x12, 0x71, 0x0a, 0x0c, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e,
-	0x6e, 0x64, 0x12, 0x2e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72,
+	0x64, 0x73, 0x12, 0x2e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72,
-	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41,
+	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x4c,
-	0x6c, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x69, 0x73, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x1a, 0x2f, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72,
-	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41,
+	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x4c,
-	0x6c, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x69, 0x73, 0x74, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
 	0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x78, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x62, 0x6f,
 	0x75, 0x6e, 0x64, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x30, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
@@ -924,14 +1118,22 @@ var file_app_proxyman_command_command_proto_rawDesc = []byte{
 	0x1a, 0x30, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78,
 	0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x41, 0x6c, 0x74,
 	0x65, 0x72, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x00, 0x42, 0x6d, 0x0a, 0x1d, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79,
+	0x73, 0x65, 0x22, 0x00, 0x12, 0x74, 0x0a, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x75, 0x74, 0x62,
-	0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f,
+	0x6f, 0x75, 0x6e, 0x64, 0x73, 0x12, 0x2f, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
-	0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
+	0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e,
-	0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f,
+	0x64, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x52,
-	0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2f,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70,
-	0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0xaa, 0x02, 0x19, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41,
+	0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61,
-	0x70, 0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x43, 0x6f, 0x6d, 0x6d,
+	0x6e, 0x64, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x73,
-	0x61, 0x6e, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x6d, 0x0a, 0x1d, 0x63, 0x6f,
 	0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79,
 	0x6d, 0x61, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x50, 0x01, 0x5a, 0x2e, 0x67,
 	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78,
 	0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x70, 0x72, 0x6f,
 	0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0xaa, 0x02, 0x19,
 	0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61,
 	0x6e, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
 }
 var (
@@ -946,7 +1148,7 @@ func file_app_proxyman_command_command_proto_rawDescGZIP() []byte {
 	return file_app_proxyman_command_command_proto_rawDescData
 }
-var file_app_proxyman_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 18)
+var file_app_proxyman_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 22)
 var file_app_proxyman_command_command_proto_goTypes = []any{
 	(*AddUserOperation)(nil),             // 0: xray.app.proxyman.command.AddUserOperation
 	(*RemoveUserOperation)(nil),          // 1: xray.app.proxyman.command.RemoveUserOperation
@@ -956,49 +1158,59 @@ var file_app_proxyman_command_command_proto_goTypes = []any{
 	(*RemoveInboundResponse)(nil),        // 5: xray.app.proxyman.command.RemoveInboundResponse
 	(*AlterInboundRequest)(nil),          // 6: xray.app.proxyman.command.AlterInboundRequest
 	(*AlterInboundResponse)(nil),         // 7: xray.app.proxyman.command.AlterInboundResponse
-	(*GetInboundUserRequest)(nil),        // 8: xray.app.proxyman.command.GetInboundUserRequest
+	(*ListInboundsRequest)(nil),          // 8: xray.app.proxyman.command.ListInboundsRequest
-	(*GetInboundUserResponse)(nil),       // 9: xray.app.proxyman.command.GetInboundUserResponse
+	(*ListInboundsResponse)(nil),         // 9: xray.app.proxyman.command.ListInboundsResponse
-	(*GetInboundUsersCountResponse)(nil), // 10: xray.app.proxyman.command.GetInboundUsersCountResponse
+	(*GetInboundUserRequest)(nil),        // 10: xray.app.proxyman.command.GetInboundUserRequest
-	(*AddOutboundRequest)(nil),           // 11: xray.app.proxyman.command.AddOutboundRequest
+	(*GetInboundUserResponse)(nil),       // 11: xray.app.proxyman.command.GetInboundUserResponse
-	(*AddOutboundResponse)(nil),          // 12: xray.app.proxyman.command.AddOutboundResponse
+	(*GetInboundUsersCountResponse)(nil), // 12: xray.app.proxyman.command.GetInboundUsersCountResponse
-	(*RemoveOutboundRequest)(nil),        // 13: xray.app.proxyman.command.RemoveOutboundRequest
+	(*AddOutboundRequest)(nil),           // 13: xray.app.proxyman.command.AddOutboundRequest
-	(*RemoveOutboundResponse)(nil),       // 14: xray.app.proxyman.command.RemoveOutboundResponse
+	(*AddOutboundResponse)(nil),          // 14: xray.app.proxyman.command.AddOutboundResponse
-	(*AlterOutboundRequest)(nil),         // 15: xray.app.proxyman.command.AlterOutboundRequest
+	(*RemoveOutboundRequest)(nil),        // 15: xray.app.proxyman.command.RemoveOutboundRequest
-	(*AlterOutboundResponse)(nil),        // 16: xray.app.proxyman.command.AlterOutboundResponse
+	(*RemoveOutboundResponse)(nil),       // 16: xray.app.proxyman.command.RemoveOutboundResponse
-	(*Config)(nil),                       // 17: xray.app.proxyman.command.Config
+	(*AlterOutboundRequest)(nil),         // 17: xray.app.proxyman.command.AlterOutboundRequest
-	(*protocol.User)(nil),                // 18: xray.common.protocol.User
+	(*AlterOutboundResponse)(nil),        // 18: xray.app.proxyman.command.AlterOutboundResponse
-	(*core.InboundHandlerConfig)(nil),    // 19: xray.core.InboundHandlerConfig
+	(*ListOutboundsRequest)(nil),         // 19: xray.app.proxyman.command.ListOutboundsRequest
-	(*serial.TypedMessage)(nil),          // 20: xray.common.serial.TypedMessage
+	(*ListOutboundsResponse)(nil),        // 20: xray.app.proxyman.command.ListOutboundsResponse
-	(*core.OutboundHandlerConfig)(nil),   // 21: xray.core.OutboundHandlerConfig
+	(*Config)(nil),                       // 21: xray.app.proxyman.command.Config
 	(*protocol.User)(nil),                // 22: xray.common.protocol.User
 	(*core.InboundHandlerConfig)(nil),    // 23: xray.core.InboundHandlerConfig
 	(*serial.TypedMessage)(nil),          // 24: xray.common.serial.TypedMessage
 	(*core.OutboundHandlerConfig)(nil),   // 25: xray.core.OutboundHandlerConfig
 }
 var file_app_proxyman_command_command_proto_depIdxs = []int32{
-	18, // 0: xray.app.proxyman.command.AddUserOperation.user:type_name -> xray.common.protocol.User
+	22, // 0: xray.app.proxyman.command.AddUserOperation.user:type_name -> xray.common.protocol.User
-	19, // 1: xray.app.proxyman.command.AddInboundRequest.inbound:type_name -> xray.core.InboundHandlerConfig
+	23, // 1: xray.app.proxyman.command.AddInboundRequest.inbound:type_name -> xray.core.InboundHandlerConfig
-	20, // 2: xray.app.proxyman.command.AlterInboundRequest.operation:type_name -> xray.common.serial.TypedMessage
+	24, // 2: xray.app.proxyman.command.AlterInboundRequest.operation:type_name -> xray.common.serial.TypedMessage
-	18, // 3: xray.app.proxyman.command.GetInboundUserResponse.users:type_name -> xray.common.protocol.User
+	23, // 3: xray.app.proxyman.command.ListInboundsResponse.inbounds:type_name -> xray.core.InboundHandlerConfig
-	21, // 4: xray.app.proxyman.command.AddOutboundRequest.outbound:type_name -> xray.core.OutboundHandlerConfig
+	22, // 4: xray.app.proxyman.command.GetInboundUserResponse.users:type_name -> xray.common.protocol.User
-	20, // 5: xray.app.proxyman.command.AlterOutboundRequest.operation:type_name -> xray.common.serial.TypedMessage
+	25, // 5: xray.app.proxyman.command.AddOutboundRequest.outbound:type_name -> xray.core.OutboundHandlerConfig
-	2,  // 6: xray.app.proxyman.command.HandlerService.AddInbound:input_type -> xray.app.proxyman.command.AddInboundRequest
+	24, // 6: xray.app.proxyman.command.AlterOutboundRequest.operation:type_name -> xray.common.serial.TypedMessage
-	4,  // 7: xray.app.proxyman.command.HandlerService.RemoveInbound:input_type -> xray.app.proxyman.command.RemoveInboundRequest
+	25, // 7: xray.app.proxyman.command.ListOutboundsResponse.outbounds:type_name -> xray.core.OutboundHandlerConfig
-	6,  // 8: xray.app.proxyman.command.HandlerService.AlterInbound:input_type -> xray.app.proxyman.command.AlterInboundRequest
+	2,  // 8: xray.app.proxyman.command.HandlerService.AddInbound:input_type -> xray.app.proxyman.command.AddInboundRequest
-	8,  // 9: xray.app.proxyman.command.HandlerService.GetInboundUsers:input_type -> xray.app.proxyman.command.GetInboundUserRequest
+	4,  // 9: xray.app.proxyman.command.HandlerService.RemoveInbound:input_type -> xray.app.proxyman.command.RemoveInboundRequest
-	8,  // 10: xray.app.proxyman.command.HandlerService.GetInboundUsersCount:input_type -> xray.app.proxyman.command.GetInboundUserRequest
+	6,  // 10: xray.app.proxyman.command.HandlerService.AlterInbound:input_type -> xray.app.proxyman.command.AlterInboundRequest
-	11, // 11: xray.app.proxyman.command.HandlerService.AddOutbound:input_type -> xray.app.proxyman.command.AddOutboundRequest
+	8,  // 11: xray.app.proxyman.command.HandlerService.ListInbounds:input_type -> xray.app.proxyman.command.ListInboundsRequest
-	13, // 12: xray.app.proxyman.command.HandlerService.RemoveOutbound:input_type -> xray.app.proxyman.command.RemoveOutboundRequest
+	10, // 12: xray.app.proxyman.command.HandlerService.GetInboundUsers:input_type -> xray.app.proxyman.command.GetInboundUserRequest
-	15, // 13: xray.app.proxyman.command.HandlerService.AlterOutbound:input_type -> xray.app.proxyman.command.AlterOutboundRequest
+	10, // 13: xray.app.proxyman.command.HandlerService.GetInboundUsersCount:input_type -> xray.app.proxyman.command.GetInboundUserRequest
-	3,  // 14: xray.app.proxyman.command.HandlerService.AddInbound:output_type -> xray.app.proxyman.command.AddInboundResponse
+	13, // 14: xray.app.proxyman.command.HandlerService.AddOutbound:input_type -> xray.app.proxyman.command.AddOutboundRequest
-	5,  // 15: xray.app.proxyman.command.HandlerService.RemoveInbound:output_type -> xray.app.proxyman.command.RemoveInboundResponse
+	15, // 15: xray.app.proxyman.command.HandlerService.RemoveOutbound:input_type -> xray.app.proxyman.command.RemoveOutboundRequest
-	7,  // 16: xray.app.proxyman.command.HandlerService.AlterInbound:output_type -> xray.app.proxyman.command.AlterInboundResponse
+	17, // 16: xray.app.proxyman.command.HandlerService.AlterOutbound:input_type -> xray.app.proxyman.command.AlterOutboundRequest
-	9,  // 17: xray.app.proxyman.command.HandlerService.GetInboundUsers:output_type -> xray.app.proxyman.command.GetInboundUserResponse
+	19, // 17: xray.app.proxyman.command.HandlerService.ListOutbounds:input_type -> xray.app.proxyman.command.ListOutboundsRequest
-	10, // 18: xray.app.proxyman.command.HandlerService.GetInboundUsersCount:output_type -> xray.app.proxyman.command.GetInboundUsersCountResponse
+	3,  // 18: xray.app.proxyman.command.HandlerService.AddInbound:output_type -> xray.app.proxyman.command.AddInboundResponse
-	12, // 19: xray.app.proxyman.command.HandlerService.AddOutbound:output_type -> xray.app.proxyman.command.AddOutboundResponse
+	5,  // 19: xray.app.proxyman.command.HandlerService.RemoveInbound:output_type -> xray.app.proxyman.command.RemoveInboundResponse
-	14, // 20: xray.app.proxyman.command.HandlerService.RemoveOutbound:output_type -> xray.app.proxyman.command.RemoveOutboundResponse
+	7,  // 20: xray.app.proxyman.command.HandlerService.AlterInbound:output_type -> xray.app.proxyman.command.AlterInboundResponse
-	16, // 21: xray.app.proxyman.command.HandlerService.AlterOutbound:output_type -> xray.app.proxyman.command.AlterOutboundResponse
+	9,  // 21: xray.app.proxyman.command.HandlerService.ListInbounds:output_type -> xray.app.proxyman.command.ListInboundsResponse
-	14, // [14:22] is the sub-list for method output_type
+	11, // 22: xray.app.proxyman.command.HandlerService.GetInboundUsers:output_type -> xray.app.proxyman.command.GetInboundUserResponse
-	6,  // [6:14] is the sub-list for method input_type
+	12, // 23: xray.app.proxyman.command.HandlerService.GetInboundUsersCount:output_type -> xray.app.proxyman.command.GetInboundUsersCountResponse
-	6,  // [6:6] is the sub-list for extension type_name
+	14, // 24: xray.app.proxyman.command.HandlerService.AddOutbound:output_type -> xray.app.proxyman.command.AddOutboundResponse
-	6,  // [6:6] is the sub-list for extension extendee
+	16, // 25: xray.app.proxyman.command.HandlerService.RemoveOutbound:output_type -> xray.app.proxyman.command.RemoveOutboundResponse
-	0,  // [0:6] is the sub-list for field type_name
+	18, // 26: xray.app.proxyman.command.HandlerService.AlterOutbound:output_type -> xray.app.proxyman.command.AlterOutboundResponse
 	20, // 27: xray.app.proxyman.command.HandlerService.ListOutbounds:output_type -> xray.app.proxyman.command.ListOutboundsResponse
 	18, // [18:28] is the sub-list for method output_type
 	8,  // [8:18] is the sub-list for method input_type
 	8,  // [8:8] is the sub-list for extension type_name
 	8,  // [8:8] is the sub-list for extension extendee
 	0,  // [0:8] is the sub-list for field type_name
 }
 func init() { file_app_proxyman_command_command_proto_init() }
@@ -1012,7 +1224,7 @@ func file_app_proxyman_command_command_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_app_proxyman_command_command_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   18,
+			NumMessages:   22,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/app/proxyman/command/command.proto
+++ b/app/proxyman/command/command.proto
@@ -37,6 +37,14 @@ message AlterInboundRequest {
 message AlterInboundResponse {}
 message ListInboundsRequest {
  bool isOnlyTags = 1;
 }
 message ListInboundsResponse {
  repeated core.InboundHandlerConfig inbounds = 1;
 }
 message GetInboundUserRequest {
  string tag = 1;
  string email = 2;
@@ -69,6 +77,12 @@ message AlterOutboundRequest {
 message AlterOutboundResponse {}
 message ListOutboundsRequest {}
 message ListOutboundsResponse {
  repeated core.OutboundHandlerConfig outbounds = 1;
 }
 service HandlerService {
  rpc AddInbound(AddInboundRequest) returns (AddInboundResponse) {}
@@ -76,6 +90,8 @@ service HandlerService {
  rpc AlterInbound(AlterInboundRequest) returns (AlterInboundResponse) {}
  rpc ListInbounds(ListInboundsRequest) returns (ListInboundsResponse) {}
  rpc GetInboundUsers(GetInboundUserRequest) returns (GetInboundUserResponse) {}
  rpc GetInboundUsersCount(GetInboundUserRequest) returns (GetInboundUsersCountResponse) {}
@@ -85,6 +101,8 @@ service HandlerService {
  rpc RemoveOutbound(RemoveOutboundRequest) returns (RemoveOutboundResponse) {}
  rpc AlterOutbound(AlterOutboundRequest) returns (AlterOutboundResponse) {}
  rpc ListOutbounds(ListOutboundsRequest) returns (ListOutboundsResponse) {}
 }
 message Config {}
--- a/app/proxyman/command/command_grpc.pb.go
+++ b/app/proxyman/command/command_grpc.pb.go
@@ -22,11 +22,13 @@ const (
 	HandlerService_AddInbound_FullMethodName           = "/xray.app.proxyman.command.HandlerService/AddInbound"
 	HandlerService_RemoveInbound_FullMethodName        = "/xray.app.proxyman.command.HandlerService/RemoveInbound"
 	HandlerService_AlterInbound_FullMethodName         = "/xray.app.proxyman.command.HandlerService/AlterInbound"
 	HandlerService_ListInbounds_FullMethodName         = "/xray.app.proxyman.command.HandlerService/ListInbounds"
 	HandlerService_GetInboundUsers_FullMethodName      = "/xray.app.proxyman.command.HandlerService/GetInboundUsers"
 	HandlerService_GetInboundUsersCount_FullMethodName = "/xray.app.proxyman.command.HandlerService/GetInboundUsersCount"
 	HandlerService_AddOutbound_FullMethodName          = "/xray.app.proxyman.command.HandlerService/AddOutbound"
 	HandlerService_RemoveOutbound_FullMethodName       = "/xray.app.proxyman.command.HandlerService/RemoveOutbound"
 	HandlerService_AlterOutbound_FullMethodName        = "/xray.app.proxyman.command.HandlerService/AlterOutbound"
 	HandlerService_ListOutbounds_FullMethodName        = "/xray.app.proxyman.command.HandlerService/ListOutbounds"
 )
 // HandlerServiceClient is the client API for HandlerService service.
@@ -36,11 +38,13 @@ type HandlerServiceClient interface {
 	AddInbound(ctx context.Context, in *AddInboundRequest, opts ...grpc.CallOption) (*AddInboundResponse, error)
 	RemoveInbound(ctx context.Context, in *RemoveInboundRequest, opts ...grpc.CallOption) (*RemoveInboundResponse, error)
 	AlterInbound(ctx context.Context, in *AlterInboundRequest, opts ...grpc.CallOption) (*AlterInboundResponse, error)
 	ListInbounds(ctx context.Context, in *ListInboundsRequest, opts ...grpc.CallOption) (*ListInboundsResponse, error)
 	GetInboundUsers(ctx context.Context, in *GetInboundUserRequest, opts ...grpc.CallOption) (*GetInboundUserResponse, error)
 	GetInboundUsersCount(ctx context.Context, in *GetInboundUserRequest, opts ...grpc.CallOption) (*GetInboundUsersCountResponse, error)
 	AddOutbound(ctx context.Context, in *AddOutboundRequest, opts ...grpc.CallOption) (*AddOutboundResponse, error)
 	RemoveOutbound(ctx context.Context, in *RemoveOutboundRequest, opts ...grpc.CallOption) (*RemoveOutboundResponse, error)
 	AlterOutbound(ctx context.Context, in *AlterOutboundRequest, opts ...grpc.CallOption) (*AlterOutboundResponse, error)
 	ListOutbounds(ctx context.Context, in *ListOutboundsRequest, opts ...grpc.CallOption) (*ListOutboundsResponse, error)
 }
 type handlerServiceClient struct {
@@ -81,6 +85,16 @@ func (c *handlerServiceClient) AlterInbound(ctx context.Context, in *AlterInboun
 	return out, nil
 }
 func (c *handlerServiceClient) ListInbounds(ctx context.Context, in *ListInboundsRequest, opts ...grpc.CallOption) (*ListInboundsResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListInboundsResponse)
 	err := c.cc.Invoke(ctx, HandlerService_ListInbounds_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *handlerServiceClient) GetInboundUsers(ctx context.Context, in *GetInboundUserRequest, opts ...grpc.CallOption) (*GetInboundUserResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetInboundUserResponse)
@@ -131,6 +145,16 @@ func (c *handlerServiceClient) AlterOutbound(ctx context.Context, in *AlterOutbo
 	return out, nil
 }
 func (c *handlerServiceClient) ListOutbounds(ctx context.Context, in *ListOutboundsRequest, opts ...grpc.CallOption) (*ListOutboundsResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListOutboundsResponse)
 	err := c.cc.Invoke(ctx, HandlerService_ListOutbounds_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // HandlerServiceServer is the server API for HandlerService service.
 // All implementations must embed UnimplementedHandlerServiceServer
 // for forward compatibility.
@@ -138,11 +162,13 @@ type HandlerServiceServer interface {
 	AddInbound(context.Context, *AddInboundRequest) (*AddInboundResponse, error)
 	RemoveInbound(context.Context, *RemoveInboundRequest) (*RemoveInboundResponse, error)
 	AlterInbound(context.Context, *AlterInboundRequest) (*AlterInboundResponse, error)
 	ListInbounds(context.Context, *ListInboundsRequest) (*ListInboundsResponse, error)
 	GetInboundUsers(context.Context, *GetInboundUserRequest) (*GetInboundUserResponse, error)
 	GetInboundUsersCount(context.Context, *GetInboundUserRequest) (*GetInboundUsersCountResponse, error)
 	AddOutbound(context.Context, *AddOutboundRequest) (*AddOutboundResponse, error)
 	RemoveOutbound(context.Context, *RemoveOutboundRequest) (*RemoveOutboundResponse, error)
 	AlterOutbound(context.Context, *AlterOutboundRequest) (*AlterOutboundResponse, error)
 	ListOutbounds(context.Context, *ListOutboundsRequest) (*ListOutboundsResponse, error)
 	mustEmbedUnimplementedHandlerServiceServer()
 }
@@ -162,6 +188,9 @@ func (UnimplementedHandlerServiceServer) RemoveInbound(context.Context, *RemoveI
 func (UnimplementedHandlerServiceServer) AlterInbound(context.Context, *AlterInboundRequest) (*AlterInboundResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method AlterInbound not implemented")
 }
 func (UnimplementedHandlerServiceServer) ListInbounds(context.Context, *ListInboundsRequest) (*ListInboundsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListInbounds not implemented")
 }
 func (UnimplementedHandlerServiceServer) GetInboundUsers(context.Context, *GetInboundUserRequest) (*GetInboundUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetInboundUsers not implemented")
 }
@@ -177,6 +206,9 @@ func (UnimplementedHandlerServiceServer) RemoveOutbound(context.Context, *Remove
 func (UnimplementedHandlerServiceServer) AlterOutbound(context.Context, *AlterOutboundRequest) (*AlterOutboundResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method AlterOutbound not implemented")
 }
 func (UnimplementedHandlerServiceServer) ListOutbounds(context.Context, *ListOutboundsRequest) (*ListOutboundsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListOutbounds not implemented")
 }
 func (UnimplementedHandlerServiceServer) mustEmbedUnimplementedHandlerServiceServer() {}
 func (UnimplementedHandlerServiceServer) testEmbeddedByValue()                        {}
@@ -252,6 +284,24 @@ func _HandlerService_AlterInbound_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }
 func _HandlerService_ListInbounds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ListInboundsRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(HandlerServiceServer).ListInbounds(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: HandlerService_ListInbounds_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).ListInbounds(ctx, req.(*ListInboundsRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _HandlerService_GetInboundUsers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetInboundUserRequest)
 	if err := dec(in); err != nil {
@@ -342,6 +392,24 @@ func _HandlerService_AlterOutbound_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }
 func _HandlerService_ListOutbounds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ListOutboundsRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(HandlerServiceServer).ListOutbounds(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: HandlerService_ListOutbounds_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).ListOutbounds(ctx, req.(*ListOutboundsRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 // HandlerService_ServiceDesc is the grpc.ServiceDesc for HandlerService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -361,6 +429,10 @@ var HandlerService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AlterInbound",
 			Handler:    _HandlerService_AlterInbound_Handler,
 		},
 		{
 			MethodName: "ListInbounds",
 			Handler:    _HandlerService_ListInbounds_Handler,
 		},
 		{
 			MethodName: "GetInboundUsers",
 			Handler:    _HandlerService_GetInboundUsers_Handler,
@@ -381,6 +453,10 @@ var HandlerService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AlterOutbound",
 			Handler:    _HandlerService_AlterOutbound_Handler,
 		},
 		{
 			MethodName: "ListOutbounds",
 			Handler:    _HandlerService_ListOutbounds_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "app/proxyman/command/command.proto",
--- a/app/proxyman/inbound/always.go
+++ b/app/proxyman/inbound/always.go
@@ -9,11 +9,13 @@ import (
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/mux"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/policy"
 	"github.com/xtls/xray-core/features/stats"
 	"github.com/xtls/xray-core/proxy"
 	"github.com/xtls/xray-core/transport/internet"
 	"google.golang.org/protobuf/proto"
 )
 func getStatCounter(v *core.Instance, tag string) (stats.Counter, stats.Counter) {
@@ -42,10 +44,12 @@ func getStatCounter(v *core.Instance, tag string) (stats.Counter, stats.Counter)
 }
 type AlwaysOnInboundHandler struct {
-	proxy   proxy.Inbound
+	proxyConfig    interface{}
-	workers []worker
+	receiverConfig *proxyman.ReceiverConfig
-	mux     *mux.Server
+	proxy          proxy.Inbound
-	tag     string
+	workers        []worker
 	mux            *mux.Server
 	tag            string
 }
 func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *proxyman.ReceiverConfig, proxyConfig interface{}) (*AlwaysOnInboundHandler, error) {
@@ -59,9 +63,11 @@ func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *
 	}
 	h := &AlwaysOnInboundHandler{
-		proxy: p,
+		receiverConfig: receiverConfig,
-		mux:   mux.NewServer(ctx),
+		proxyConfig:    proxyConfig,
-		tag:   tag,
+		proxy:          p,
 		mux:            mux.NewServer(ctx),
 		tag:            tag,
 	}
 	uplinkCounter, downlinkCounter := getStatCounter(core.MustFromContext(ctx), tag)
@@ -187,3 +193,16 @@ func (h *AlwaysOnInboundHandler) Tag() string {
 func (h *AlwaysOnInboundHandler) GetInbound() proxy.Inbound {
 	return h.proxy
 }
 // ReceiverSettings implements inbound.Handler.
 func (h *AlwaysOnInboundHandler) ReceiverSettings() *serial.TypedMessage {
 	return serial.ToTypedMessage(h.receiverConfig)
 }
 // ProxySettings implements inbound.Handler.
 func (h *AlwaysOnInboundHandler) ProxySettings() *serial.TypedMessage {
 	if v, ok := h.proxyConfig.(proto.Message); ok {
 		return serial.ToTypedMessage(v)
 	}
 	return nil
 }
--- a/app/proxyman/inbound/dynamic.go
+++ b/app/proxyman/inbound/dynamic.go
@@ -10,10 +10,12 @@ import (
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/mux"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/common/task"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/proxy"
 	"github.com/xtls/xray-core/transport/internet"
 	"google.golang.org/protobuf/proto"
 )
 type DynamicInboundHandler struct {
@@ -23,7 +25,7 @@ type DynamicInboundHandler struct {
 	receiverConfig *proxyman.ReceiverConfig
 	streamSettings *internet.MemoryStreamConfig
 	portMutex      sync.Mutex
-	portsInUse     map[net.Port]bool
+	portsInUse     map[net.Port]struct{}
 	workerMutex    sync.RWMutex
 	worker         []worker
 	lastRefresh    time.Time
@@ -39,7 +41,7 @@ func NewDynamicInboundHandler(ctx context.Context, tag string, receiverConfig *p
 		tag:            tag,
 		proxyConfig:    proxyConfig,
 		receiverConfig: receiverConfig,
-		portsInUse:     make(map[net.Port]bool),
+		portsInUse:     make(map[net.Port]struct{}),
 		mux:            mux.NewServer(ctx),
 		v:              v,
 		ctx:            ctx,
@@ -84,7 +86,7 @@ func (h *DynamicInboundHandler) allocatePort() net.Port {
 		port := net.Port(allPorts[r])
 		_, used := h.portsInUse[port]
 		if !used {
-			h.portsInUse[port] = true
+			h.portsInUse[port] = struct{}{}
 			return port
 		}
 	}
@@ -205,3 +207,16 @@ func (h *DynamicInboundHandler) GetRandomInboundProxy() (interface{}, net.Port,
 func (h *DynamicInboundHandler) Tag() string {
 	return h.tag
 }
 // ReceiverSettings implements inbound.Handler.
 func (h *DynamicInboundHandler) ReceiverSettings() *serial.TypedMessage {
 	return serial.ToTypedMessage(h.receiverConfig)
 }
 // ProxySettings implements inbound.Handler.
 func (h *DynamicInboundHandler) ProxySettings() *serial.TypedMessage {
 	if v, ok := h.proxyConfig.(proto.Message); ok {
 		return serial.ToTypedMessage(v)
 	}
 	return nil
 }
--- a/app/proxyman/inbound/inbound.go
+++ b/app/proxyman/inbound/inbound.go
@@ -89,6 +89,21 @@ func (m *Manager) RemoveHandler(ctx context.Context, tag string) error {
 	return common.ErrNoClue
 }
 // ListHandlers implements inbound.Manager.
 func (m *Manager) ListHandlers(ctx context.Context) []inbound.Handler {
 	m.access.RLock()
 	defer m.access.RUnlock()
 	var response []inbound.Handler
 	copy(m.untaggedHandler, response)
 	for _, v := range m.taggedHandlers {
 		response = append(response, v)
 	}
 	return response
 }
 // Start implements common.Runnable.
 func (m *Manager) Start() error {
 	m.access.Lock()
--- a/app/proxyman/inbound/worker.go
+++ b/app/proxyman/inbound/worker.go
@@ -161,6 +161,7 @@ type udpConn struct {
 	uplink           stats.Counter
 	downlink         stats.Counter
 	inactive         bool
 	cancel           context.CancelFunc
 }
 func (c *udpConn) setInactive() {
@@ -203,6 +204,9 @@ func (c *udpConn) Write(buf []byte) (int, error) {
 }
 func (c *udpConn) Close() error {
 	if c.cancel != nil {
 		c.cancel()
 	}
 	common.Must(c.done.Close())
 	common.Must(common.Close(c.writer))
 	return nil
@@ -259,6 +263,7 @@ func (w *udpWorker) getConnection(id connID) (*udpConn, bool) {
 	defer w.Unlock()
 	if conn, found := w.activeConn[id]; found && !conn.done.Done() {
 		conn.updateActivity()
 		return conn, true
 	}
@@ -306,7 +311,8 @@ func (w *udpWorker) callback(b *buf.Buffer, source net.Destination, originalDest
 		common.Must(w.checker.Start())
 		go func() {
-			ctx := w.ctx
+			ctx, cancel := context.WithCancel(w.ctx)
 			conn.cancel = cancel
 			sid := session.NewID()
 			ctx = c.ContextWithID(ctx, sid)
@@ -324,6 +330,7 @@ func (w *udpWorker) callback(b *buf.Buffer, source net.Destination, originalDest
 			if w.sniffingConfig != nil {
 				content.SniffingRequest.Enabled = w.sniffingConfig.Enabled
 				content.SniffingRequest.OverrideDestinationForProtocol = w.sniffingConfig.DestinationOverride
 				content.SniffingRequest.ExcludeForDomain = w.sniffingConfig.DomainsExcluded
 				content.SniffingRequest.MetadataOnly = w.sniffingConfig.MetadataOnly
 				content.SniffingRequest.RouteOnly = w.sniffingConfig.RouteOnly
 			}
@@ -464,8 +471,7 @@ func (w *dsWorker) callback(conn stat.Connection) {
 		}
 	}
 	ctx = session.ContextWithInbound(ctx, &session.Inbound{
-		// Unix have no source addr, so we use gateway as source for log.
+		Source:  net.DestinationFromAddr(conn.RemoteAddr()),
 		Source:  net.UnixDestination(w.address),
 		Gateway: net.UnixDestination(w.address),
 		Tag:     w.tag,
 		Conn:    conn,
--- a/app/proxyman/outbound/handler.go
+++ b/app/proxyman/outbound/handler.go
@@ -16,6 +16,7 @@ import (
 	"github.com/xtls/xray-core/common/mux"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/outbound"
@@ -27,6 +28,7 @@ import (
 	"github.com/xtls/xray-core/transport/internet/stat"
 	"github.com/xtls/xray-core/transport/internet/tls"
 	"github.com/xtls/xray-core/transport/pipe"
 	"google.golang.org/protobuf/proto"
 )
 func getStatCounter(v *core.Instance, tag string) (stats.Counter, stats.Counter) {
@@ -59,6 +61,7 @@ type Handler struct {
 	tag             string
 	senderSettings  *proxyman.SenderConfig
 	streamSettings  *internet.MemoryStreamConfig
 	proxyConfig     proto.Message
 	proxy           proxy.Outbound
 	outboundManager outbound.Manager
 	mux             *mux.ClientManager
@@ -101,6 +104,7 @@ func NewHandler(ctx context.Context, config *core.OutboundHandlerConfig) (outbou
 	if err != nil {
 		return nil, err
 	}
 	h.proxyConfig = proxyConfig
 	rawProxyHandler, err := common.CreateObject(ctx, proxyConfig)
 	if err != nil {
@@ -241,7 +245,9 @@ func (h *Handler) DestIpAddress() net.IP {
 // Dial implements internet.Dialer.
 func (h *Handler) Dial(ctx context.Context, dest net.Destination) (stat.Connection, error) {
 	if h.senderSettings != nil {
 		if h.senderSettings.ProxySettings.HasTag() {
 			tag := h.senderSettings.ProxySettings.Tag
 			handler := h.outboundManager.GetHandler(tag)
 			if handler != nil {
@@ -270,13 +276,44 @@ func (h *Handler) Dial(ctx context.Context, dest net.Destination) (stat.Connecti
 		}
 		if h.senderSettings.Via != nil {
 			outbounds := session.OutboundsFromContext(ctx)
 			ob := outbounds[len(outbounds)-1]
-			if h.senderSettings.ViaCidr == "" {
+			var domain string
-				ob.Gateway = h.senderSettings.Via.AsAddress()
+			addr := h.senderSettings.Via.AsAddress()
-			} else { //Get a random address.
+			domain = h.senderSettings.Via.GetDomain()
-				ob.Gateway = ParseRandomIPv6(h.senderSettings.Via.AsAddress(), h.senderSettings.ViaCidr)
+			switch {
 			case h.senderSettings.ViaCidr != "":
 				ob.Gateway = ParseRandomIP(addr, h.senderSettings.ViaCidr)
 			case domain == "origin":
 				if inbound := session.InboundFromContext(ctx); inbound != nil {
 					if inbound.Conn != nil {
 						origin, _, err := net.SplitHostPort(inbound.Conn.LocalAddr().String())
 						if err == nil {
 							ob.Gateway = net.ParseAddress(origin)
 							errors.LogDebug(ctx, "use receive package ip as snedthrough: ", origin)
 						}
 					}
 				}
 			case domain == "srcip":
 				if inbound := session.InboundFromContext(ctx); inbound != nil {
 					if inbound.Conn != nil {
 						clientaddr, _, err := net.SplitHostPort(inbound.Conn.RemoteAddr().String())
 						if err == nil {
 							ob.Gateway = net.ParseAddress(clientaddr)
 							errors.LogDebug(ctx, "use client src ip as snedthrough: ", clientaddr)
 						}
 					}
 				}
 			//case addr.Family().IsDomain():
 			default:
 				ob.Gateway = addr
 			}
 		}
 	}
@@ -316,23 +353,35 @@ func (h *Handler) Start() error {
 // Close implements common.Closable.
 func (h *Handler) Close() error {
 	common.Close(h.mux)
 	common.Close(h.proxy)
 	return nil
 }
-func ParseRandomIPv6(address net.Address, prefix string) net.Address {
+// SenderSettings implements outbound.Handler.
-	_, network, _ := gonet.ParseCIDR(address.IP().String() + "/" + prefix)
+func (h *Handler) SenderSettings() *serial.TypedMessage {
-
+	return serial.ToTypedMessage(h.senderSettings)
-	maskSize, totalBits := network.Mask.Size()
+}
-	subnetSize := big.NewInt(1).Lsh(big.NewInt(1), uint(totalBits-maskSize))
+
-
+// ProxySettings implements outbound.Handler.
-	// random
+func (h *Handler) ProxySettings() *serial.TypedMessage {
-	randomBigInt, _ := rand.Int(rand.Reader, subnetSize)
+	return serial.ToTypedMessage(h.proxyConfig)
-
+}
-	startIPBigInt := big.NewInt(0).SetBytes(network.IP.To16())
+
-	randomIPBigInt := big.NewInt(0).Add(startIPBigInt, randomBigInt)
+func ParseRandomIP(addr net.Address, prefix string) net.Address {
-
+
-	randomIPBytes := randomIPBigInt.Bytes()
+	_, ipnet, _ := gonet.ParseCIDR(addr.IP().String() + "/" + prefix)
-	randomIPBytes = append(make([]byte, 16-len(randomIPBytes)), randomIPBytes...)
+
-
+	ones, bits := ipnet.Mask.Size()
-	return net.ParseAddress(gonet.IP(randomIPBytes).String())
+	subnetSize := new(big.Int).Lsh(big.NewInt(1), uint(bits-ones))
 	rnd, _ := rand.Int(rand.Reader, subnetSize)
 	startInt := new(big.Int).SetBytes(ipnet.IP)
 	rndInt := new(big.Int).Add(startInt, rnd)
 	rndBytes := rndInt.Bytes()
 	padded := make([]byte, len(ipnet.IP))
 	copy(padded[len(padded)-len(rndBytes):], rndBytes)
 	return net.ParseAddress(gonet.IP(padded).String())
 }
--- a/app/proxyman/outbound/outbound.go
+++ b/app/proxyman/outbound/outbound.go
@@ -145,6 +145,21 @@ func (m *Manager) RemoveHandler(ctx context.Context, tag string) error {
 	return nil
 }
 // ListHandlers implements outbound.Manager.
 func (m *Manager) ListHandlers(ctx context.Context) []outbound.Handler {
 	m.access.RLock()
 	defer m.access.RUnlock()
 	var response []outbound.Handler
 	copy(m.untaggedHandlers, response)
 	for _, v := range m.taggedHandler {
 		response = append(response, v)
 	}
 	return response
 }
 // Select implements outbound.HandlerSelector.
 func (m *Manager) Select(selectors []string) []string {
--- a/app/reverse/config.go
+++ b/app/reverse/config.go
@@ -9,6 +9,7 @@ import (
 func (c *Control) FillInRandom() {
 	randomLength := dice.Roll(64)
 	randomLength++
 	c.Random = make([]byte, randomLength)
 	io.ReadFull(rand.Reader, c.Random)
 }
--- a/app/reverse/portal.go
+++ b/app/reverse/portal.go
@@ -10,6 +10,7 @@ import (
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/mux"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/task"
 	"github.com/xtls/xray-core/features/outbound"
@@ -111,6 +112,16 @@ func (o *Outbound) Close() error {
 	return nil
 }
 // SenderSettings implements outbound.Handler.
 func (o *Outbound) SenderSettings() *serial.TypedMessage {
 	return nil
 }
 // ProxySettings implements outbound.Handler.
 func (o *Outbound) ProxySettings() *serial.TypedMessage {
 	return nil
 }
 type StaticMuxPicker struct {
 	access  sync.Mutex
 	workers []*PortalWorker
@@ -159,7 +170,7 @@ func (p *StaticMuxPicker) PickAvailable() (*mux.ClientWorker, error) {
 		if w.draining {
 			continue
 		}
-		if w.client.Closed() {
+		if w.IsFull() {
 			continue
 		}
 		if w.client.ActiveConnections() < minConn {
@@ -200,6 +211,7 @@ type PortalWorker struct {
 	writer   buf.Writer
 	reader   buf.Reader
 	draining bool
 	counter  uint32
 }
 func NewPortalWorker(client *mux.ClientWorker) (*PortalWorker, error) {
@@ -233,7 +245,7 @@ func NewPortalWorker(client *mux.ClientWorker) (*PortalWorker, error) {
 }
 func (w *PortalWorker) heartbeat() error {
-	if w.client.Closed() {
+	if w.Closed() {
 		return errors.New("client worker stopped")
 	}
@@ -249,16 +261,21 @@ func (w *PortalWorker) heartbeat() error {
 		msg.State = Control_DRAIN
 		defer func() {
 			w.client.GetTimer().Reset(time.Second * 16)
 			common.Close(w.writer)
 			common.Interrupt(w.reader)
 			w.writer = nil
 		}()
 	}
-	b, err := proto.Marshal(msg)
+	w.counter = (w.counter + 1) % 5
-	common.Must(err)
+	if w.draining || w.counter == 1 {
-	mb := buf.MergeBytes(nil, b)
+		b, err := proto.Marshal(msg)
-	return w.writer.WriteMultiBuffer(mb)
+		common.Must(err)
 		mb := buf.MergeBytes(nil, b)
 		return w.writer.WriteMultiBuffer(mb)
 	}
 	return nil
 }
 func (w *PortalWorker) IsFull() bool {
--- a/app/router/balancing.go
+++ b/app/router/balancing.go
@@ -5,6 +5,7 @@ import (
 	sync "sync"
 	"github.com/xtls/xray-core/app/observatory"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/extension"
@@ -31,9 +32,10 @@ type RoundRobinStrategy struct {
 func (s *RoundRobinStrategy) InjectContext(ctx context.Context) {
 	s.ctx = ctx
 	if len(s.FallbackTag) > 0 {
-		core.RequireFeaturesAsync(s.ctx, func(observatory extension.Observatory) {
+		common.Must(core.RequireFeatures(s.ctx, func(observatory extension.Observatory) error {
 			s.observatory = observatory
-		})
+			return nil
 		}))
 	}
 }
--- a/app/router/command/command.go
+++ b/app/router/command/command.go
@@ -135,7 +135,7 @@ func (s *service) Register(server *grpc.Server) {
 		vCoreDesc := RoutingService_ServiceDesc
 		vCoreDesc.ServiceName = "v2ray.core.app.router.command.RoutingService"
 		server.RegisterService(&vCoreDesc, rs)
-	}))
+	}, false))
 }
 func init() {
--- a/app/router/condition.go
+++ b/app/router/condition.go
@@ -119,7 +119,7 @@ type MultiGeoIPMatcher struct {
 func NewMultiGeoIPMatcher(geoips []*GeoIP, onSource bool) (*MultiGeoIPMatcher, error) {
 	var matchers []*GeoIPMatcher
 	for _, geoip := range geoips {
-		matcher, err := globalGeoIPContainer.Add(geoip)
+		matcher, err := GlobalGeoIPContainer.Add(geoip)
 		if err != nil {
 			return nil, err
 		}
--- a/app/router/condition_geoip.go
+++ b/app/router/condition_geoip.go
@@ -115,4 +115,30 @@ func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) {
 	return m, nil
 }
-var globalGeoIPContainer GeoIPMatcherContainer
+var GlobalGeoIPContainer GeoIPMatcherContainer
 func MatchIPs(matchers []*GeoIPMatcher, ips []net.IP, reverse bool) []net.IP {
 	if len(matchers) == 0 {
 		panic("GeoIP matchers should not be empty to avoid ambiguity")
 	}
 	newIPs := make([]net.IP, 0, len(ips))
 	var isFound bool
 	for _, ip := range ips {
 		isFound = false
 		for _, matcher := range matchers {
 			if matcher.Match(ip) {
 				isFound = true
 				break
 			}
 		}
 		if isFound && !reverse {
 			newIPs = append(newIPs, ip)
 			continue
 		}
 		if !isFound && reverse {
 			newIPs = append(newIPs, ip)
 			continue
 		}
 	}
 	return newIPs
 }
--- a/app/router/router_test.go
+++ b/app/router/router_test.go
@@ -177,7 +177,7 @@ func TestIPOnDemand(t *testing.T) {
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}).Return([]net.IP{{192, 168, 0, 1}}, nil).AnyTimes()
+	}).Return([]net.IP{{192, 168, 0, 1}}, uint32(600), nil).AnyTimes()
 	r := new(Router)
 	common.Must(r.Init(context.TODO(), config, mockDNS, nil, nil))
@@ -222,7 +222,7 @@ func TestIPIfNonMatchDomain(t *testing.T) {
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}).Return([]net.IP{{192, 168, 0, 1}}, nil).AnyTimes()
+	}).Return([]net.IP{{192, 168, 0, 1}}, uint32(600), nil).AnyTimes()
 	r := new(Router)
 	common.Must(r.Init(context.TODO(), config, mockDNS, nil, nil))
--- a/app/router/strategy_leastload.go
+++ b/app/router/strategy_leastload.go
@@ -7,6 +7,7 @@ import (
 	"time"
 	"github.com/xtls/xray-core/app/observatory"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/dice"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/core"
@@ -59,9 +60,10 @@ type node struct {
 func (s *LeastLoadStrategy) InjectContext(ctx context.Context) {
 	s.ctx = ctx
-	core.RequireFeaturesAsync(s.ctx, func(observatory extension.Observatory) {
+	common.Must(core.RequireFeatures(s.ctx, func(observatory extension.Observatory) error {
 		s.observer = observatory
-	})
+		return nil
 	}))
 }
 func (s *LeastLoadStrategy) PickOutbound(candidates []string) string {
--- a/app/router/strategy_leastping.go
+++ b/app/router/strategy_leastping.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"github.com/xtls/xray-core/app/observatory"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/extension"
@@ -20,9 +21,10 @@ func (l *LeastPingStrategy) GetPrincipleTarget(strings []string) []string {
 func (l *LeastPingStrategy) InjectContext(ctx context.Context) {
 	l.ctx = ctx
-	core.RequireFeaturesAsync(l.ctx, func(observatory extension.Observatory) {
+	common.Must(core.RequireFeatures(l.ctx, func(observatory extension.Observatory) error {
 		l.observatory = observatory
-	})
+		return nil
 	}))
 }
 func (l *LeastPingStrategy) PickOutbound(strings []string) string {
--- a/app/router/strategy_random.go
+++ b/app/router/strategy_random.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"github.com/xtls/xray-core/app/observatory"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/dice"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/extension"
@@ -20,9 +21,10 @@ type RandomStrategy struct {
 func (s *RandomStrategy) InjectContext(ctx context.Context) {
 	s.ctx = ctx
 	if len(s.FallbackTag) > 0 {
-		core.RequireFeaturesAsync(s.ctx, func(observatory extension.Observatory) {
+		common.Must(core.RequireFeatures(s.ctx, func(observatory extension.Observatory) error {
 			s.observatory = observatory
-		})
+			return nil
 		}))
 	}
 }
--- a/app/stats/command/command.go
+++ b/app/stats/command/command.go
@@ -12,6 +12,8 @@ import (
 	"github.com/xtls/xray-core/core"
 	feature_stats "github.com/xtls/xray-core/features/stats"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 )
 // statsServer is an implementation of StatsService.
@@ -30,7 +32,7 @@ func NewStatsServer(manager feature_stats.Manager) StatsServiceServer {
 func (s *statsServer) GetStats(ctx context.Context, request *GetStatsRequest) (*GetStatsResponse, error) {
 	c := s.stats.GetCounter(request.Name)
 	if c == nil {
-		return nil, errors.New(request.Name, " not found.")
+		return nil, status.Error(codes.NotFound, request.Name+" not found.")
 	}
 	var value int64
 	if request.Reset_ {
@@ -49,7 +51,7 @@ func (s *statsServer) GetStats(ctx context.Context, request *GetStatsRequest) (*
 func (s *statsServer) GetStatsOnline(ctx context.Context, request *GetStatsRequest) (*GetStatsResponse, error) {
 	c := s.stats.GetOnlineMap(request.Name)
 	if c == nil {
-		return nil, errors.New(request.Name, " not found.")
+		return nil, status.Error(codes.NotFound, request.Name+" not found.")
 	}
 	value := int64(c.Count())
 	return &GetStatsResponse{
@@ -60,6 +62,24 @@ func (s *statsServer) GetStatsOnline(ctx context.Context, request *GetStatsReque
 	}, nil
 }
 func (s *statsServer) GetStatsOnlineIpList(ctx context.Context, request *GetStatsRequest) (*GetStatsOnlineIpListResponse, error) {
 	c := s.stats.GetOnlineMap(request.Name)
 	if c == nil {
 		return nil, status.Error(codes.NotFound, request.Name+" not found.")
 	}
 	ips := make(map[string]int64)
 	for ip, t := range c.IpTimeMap() {
 		ips[ip] = t.Unix()
 	}
 	return &GetStatsOnlineIpListResponse{
 		Name: request.Name,
 		Ips:  ips,
 	}, nil
 }
 func (s *statsServer) QueryStats(ctx context.Context, request *QueryStatsRequest) (*QueryStatsResponse, error) {
 	matcher, err := strmatcher.Substr.New(request.Pattern)
 	if err != nil {
--- a/app/stats/command/command.pb.go
+++ b/app/stats/command/command.pb.go
@@ -424,6 +424,59 @@ func (x *SysStatsResponse) GetUptime() uint32 {
 	return 0
 }
 type GetStatsOnlineIpListResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 	Name string           `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	Ips  map[string]int64 `protobuf:"bytes,2,rep,name=ips,proto3" json:"ips,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"`
 }
 func (x *GetStatsOnlineIpListResponse) Reset() {
 	*x = GetStatsOnlineIpListResponse{}
 	mi := &file_app_stats_command_command_proto_msgTypes[7]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
 func (x *GetStatsOnlineIpListResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 func (*GetStatsOnlineIpListResponse) ProtoMessage() {}
 func (x *GetStatsOnlineIpListResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_app_stats_command_command_proto_msgTypes[7]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
 		}
 		return ms
 	}
 	return mi.MessageOf(x)
 }
 // Deprecated: Use GetStatsOnlineIpListResponse.ProtoReflect.Descriptor instead.
 func (*GetStatsOnlineIpListResponse) Descriptor() ([]byte, []int) {
 	return file_app_stats_command_command_proto_rawDescGZIP(), []int{7}
 }
 func (x *GetStatsOnlineIpListResponse) GetName() string {
 	if x != nil {
 		return x.Name
 	}
 	return ""
 }
 func (x *GetStatsOnlineIpListResponse) GetIps() map[string]int64 {
 	if x != nil {
 		return x.Ips
 	}
 	return nil
 }
 type Config struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -432,7 +485,7 @@ type Config struct {
 func (x *Config) Reset() {
 	*x = Config{}
-	mi := &file_app_stats_command_command_proto_msgTypes[7]
+	mi := &file_app_stats_command_command_proto_msgTypes[8]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -444,7 +497,7 @@ func (x *Config) String() string {
 func (*Config) ProtoMessage() {}
 func (x *Config) ProtoReflect() protoreflect.Message {
-	mi := &file_app_stats_command_command_proto_msgTypes[7]
+	mi := &file_app_stats_command_command_proto_msgTypes[8]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -457,7 +510,7 @@ func (x *Config) ProtoReflect() protoreflect.Message {
 // Deprecated: Use Config.ProtoReflect.Descriptor instead.
 func (*Config) Descriptor() ([]byte, []int) {
-	return file_app_stats_command_command_proto_rawDescGZIP(), []int{7}
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{8}
 }
 var File_app_stats_command_command_proto protoreflect.FileDescriptor
@@ -506,40 +559,60 @@ var file_app_stats_command_command_proto_rawDesc = []byte{
 	0x54, 0x6f, 0x74, 0x61, 0x6c, 0x4e, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0c, 0x50,
 	0x61, 0x75, 0x73, 0x65, 0x54, 0x6f, 0x74, 0x61, 0x6c, 0x4e, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x55,
 	0x70, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x55, 0x70, 0x74,
-	0x69, 0x6d, 0x65, 0x22, 0x08, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x32, 0xa1, 0x03,
+	0x69, 0x6d, 0x65, 0x22, 0xbb, 0x01, 0x0a, 0x1c, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73,
-	0x0a, 0x0c, 0x53, 0x74, 0x61, 0x74, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f,
+	0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x49, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x73, 0x70,
-	0x0a, 0x08, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x12, 0x27, 0x2e, 0x78, 0x72, 0x61,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
-	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
+	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x4f, 0x0a, 0x03, 0x69, 0x70, 0x73, 0x18,
-	0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75,
+	0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
-	0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73,
+	0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x47,
-	0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74,
+	0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x49, 0x70, 0x4c,
-	0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
+	0x69, 0x73, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x49, 0x70, 0x73, 0x45,
-	0x65, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4f, 0x6e, 0x6c, 0x69, 0x6e,
+	0x6e, 0x74, 0x72, 0x79, 0x52, 0x03, 0x69, 0x70, 0x73, 0x1a, 0x36, 0x0a, 0x08, 0x49, 0x70, 0x73,
-	0x65, 0x12, 0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61,
+	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
 	0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
 	0x01, 0x22, 0x08, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x32, 0x9a, 0x04, 0x0a, 0x0c,
 	0x53, 0x74, 0x61, 0x74, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x08,
 	0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x12, 0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e,
 	0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61,
 	0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74,
-	0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61,
+	0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x65, 0x0a,
 	0x0e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x12,
 	0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73,
 	0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74,
 	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e,
 	0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
 	0x73, 0x65, 0x22, 0x00, 0x12, 0x65, 0x0a, 0x0a, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74, 0x61,
 	0x74, 0x73, 0x12, 0x29, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74,
 	0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x51, 0x75, 0x65, 0x72,
 	0x79, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e,
 	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63,
 	0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74, 0x61, 0x74,
 	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x62, 0x0a, 0x0b, 0x47,
 	0x65, 0x74, 0x53, 0x79, 0x73, 0x53, 0x74, 0x61, 0x74, 0x73, 0x12, 0x27, 0x2e, 0x78, 0x72, 0x61,
 	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
-	0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x61, 0x6e, 0x64, 0x2e, 0x53, 0x79, 0x73, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x65, 0x0a, 0x0a, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53,
+	0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73,
-	0x74, 0x61, 0x74, 0x73, 0x12, 0x29, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e,
+	0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x53, 0x79, 0x73,
-	0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x51, 0x75,
+	0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
-	0x65, 0x72, 0x79, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x77, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4f, 0x6e, 0x6c, 0x69, 0x6e,
-	0x2a, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73,
+	0x65, 0x49, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61,
-	0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x51, 0x75, 0x65, 0x72, 0x79, 0x53, 0x74,
+	0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64,
-	0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x62, 0x0a,
+	0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x0b, 0x47, 0x65, 0x74, 0x53, 0x79, 0x73, 0x53, 0x74, 0x61, 0x74, 0x73, 0x12, 0x27, 0x2e, 0x78,
+	0x1a, 0x34, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74,
-	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f,
+	0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61,
-	0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x53, 0x79, 0x73, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65,
+	0x74, 0x73, 0x4f, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x49, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x64, 0x0a, 0x1a, 0x63, 0x6f, 0x6d, 0x2e,
-	0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x2e, 0x53,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63,
-	0x79, 0x73, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x00, 0x42, 0x64, 0x0a, 0x1a, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63,
-	0x70, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x50,
+	0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2f, 0x63, 0x6f,
-	0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74,
+	0x6d, 0x6d, 0x61, 0x6e, 0x64, 0xaa, 0x02, 0x16, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70,
-	0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70,
+	0x2e, 0x53, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x62, 0x06,
-	0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0xaa, 0x02,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 	0x16, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x73, 0x2e,
 	0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
@@ -554,33 +627,38 @@ func file_app_stats_command_command_proto_rawDescGZIP() []byte {
 	return file_app_stats_command_command_proto_rawDescData
 }
-var file_app_stats_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_app_stats_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
 var file_app_stats_command_command_proto_goTypes = []any{
-	(*GetStatsRequest)(nil),    // 0: xray.app.stats.command.GetStatsRequest
+	(*GetStatsRequest)(nil),              // 0: xray.app.stats.command.GetStatsRequest
-	(*Stat)(nil),               // 1: xray.app.stats.command.Stat
+	(*Stat)(nil),                         // 1: xray.app.stats.command.Stat
-	(*GetStatsResponse)(nil),   // 2: xray.app.stats.command.GetStatsResponse
+	(*GetStatsResponse)(nil),             // 2: xray.app.stats.command.GetStatsResponse
-	(*QueryStatsRequest)(nil),  // 3: xray.app.stats.command.QueryStatsRequest
+	(*QueryStatsRequest)(nil),            // 3: xray.app.stats.command.QueryStatsRequest
-	(*QueryStatsResponse)(nil), // 4: xray.app.stats.command.QueryStatsResponse
+	(*QueryStatsResponse)(nil),           // 4: xray.app.stats.command.QueryStatsResponse
-	(*SysStatsRequest)(nil),    // 5: xray.app.stats.command.SysStatsRequest
+	(*SysStatsRequest)(nil),              // 5: xray.app.stats.command.SysStatsRequest
-	(*SysStatsResponse)(nil),   // 6: xray.app.stats.command.SysStatsResponse
+	(*SysStatsResponse)(nil),             // 6: xray.app.stats.command.SysStatsResponse
-	(*Config)(nil),             // 7: xray.app.stats.command.Config
+	(*GetStatsOnlineIpListResponse)(nil), // 7: xray.app.stats.command.GetStatsOnlineIpListResponse
 	(*Config)(nil),                       // 8: xray.app.stats.command.Config
 	nil,                                  // 9: xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
 }
 var file_app_stats_command_command_proto_depIdxs = []int32{
 	1, // 0: xray.app.stats.command.GetStatsResponse.stat:type_name -> xray.app.stats.command.Stat
 	1, // 1: xray.app.stats.command.QueryStatsResponse.stat:type_name -> xray.app.stats.command.Stat
-	0, // 2: xray.app.stats.command.StatsService.GetStats:input_type -> xray.app.stats.command.GetStatsRequest
+	9, // 2: xray.app.stats.command.GetStatsOnlineIpListResponse.ips:type_name -> xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
-	0, // 3: xray.app.stats.command.StatsService.GetStatsOnline:input_type -> xray.app.stats.command.GetStatsRequest
+	0, // 3: xray.app.stats.command.StatsService.GetStats:input_type -> xray.app.stats.command.GetStatsRequest
-	3, // 4: xray.app.stats.command.StatsService.QueryStats:input_type -> xray.app.stats.command.QueryStatsRequest
+	0, // 4: xray.app.stats.command.StatsService.GetStatsOnline:input_type -> xray.app.stats.command.GetStatsRequest
-	5, // 5: xray.app.stats.command.StatsService.GetSysStats:input_type -> xray.app.stats.command.SysStatsRequest
+	3, // 5: xray.app.stats.command.StatsService.QueryStats:input_type -> xray.app.stats.command.QueryStatsRequest
-	2, // 6: xray.app.stats.command.StatsService.GetStats:output_type -> xray.app.stats.command.GetStatsResponse
+	5, // 6: xray.app.stats.command.StatsService.GetSysStats:input_type -> xray.app.stats.command.SysStatsRequest
-	2, // 7: xray.app.stats.command.StatsService.GetStatsOnline:output_type -> xray.app.stats.command.GetStatsResponse
+	0, // 7: xray.app.stats.command.StatsService.GetStatsOnlineIpList:input_type -> xray.app.stats.command.GetStatsRequest
-	4, // 8: xray.app.stats.command.StatsService.QueryStats:output_type -> xray.app.stats.command.QueryStatsResponse
+	2, // 8: xray.app.stats.command.StatsService.GetStats:output_type -> xray.app.stats.command.GetStatsResponse
-	6, // 9: xray.app.stats.command.StatsService.GetSysStats:output_type -> xray.app.stats.command.SysStatsResponse
+	2, // 9: xray.app.stats.command.StatsService.GetStatsOnline:output_type -> xray.app.stats.command.GetStatsResponse
-	6, // [6:10] is the sub-list for method output_type
+	4, // 10: xray.app.stats.command.StatsService.QueryStats:output_type -> xray.app.stats.command.QueryStatsResponse
-	2, // [2:6] is the sub-list for method input_type
+	6, // 11: xray.app.stats.command.StatsService.GetSysStats:output_type -> xray.app.stats.command.SysStatsResponse
-	2, // [2:2] is the sub-list for extension type_name
+	7, // 12: xray.app.stats.command.StatsService.GetStatsOnlineIpList:output_type -> xray.app.stats.command.GetStatsOnlineIpListResponse
-	2, // [2:2] is the sub-list for extension extendee
+	8, // [8:13] is the sub-list for method output_type
-	0, // [0:2] is the sub-list for field type_name
+	3, // [3:8] is the sub-list for method input_type
 	3, // [3:3] is the sub-list for extension type_name
 	3, // [3:3] is the sub-list for extension extendee
 	0, // [0:3] is the sub-list for field type_name
 }
 func init() { file_app_stats_command_command_proto_init() }
@@ -594,7 +672,7 @@ func file_app_stats_command_command_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_app_stats_command_command_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   8,
+			NumMessages:   10,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/app/stats/command/command.proto
+++ b/app/stats/command/command.proto
@@ -46,11 +46,17 @@ message SysStatsResponse {
  uint32 Uptime = 10;
 }
 message GetStatsOnlineIpListResponse {
  string name = 1;
  map<string, int64> ips = 2;
 }
 service StatsService {
  rpc GetStats(GetStatsRequest) returns (GetStatsResponse) {}
  rpc GetStatsOnline(GetStatsRequest) returns (GetStatsResponse) {}
  rpc QueryStats(QueryStatsRequest) returns (QueryStatsResponse) {}
  rpc GetSysStats(SysStatsRequest) returns (SysStatsResponse) {}
  rpc GetStatsOnlineIpList(GetStatsRequest) returns (GetStatsOnlineIpListResponse) {}
 }
 message Config {}
--- a/app/stats/command/command_grpc.pb.go
+++ b/app/stats/command/command_grpc.pb.go
@@ -19,10 +19,11 @@ import (
 const _ = grpc.SupportPackageIsVersion9
 const (
-	StatsService_GetStats_FullMethodName       = "/xray.app.stats.command.StatsService/GetStats"
+	StatsService_GetStats_FullMethodName             = "/xray.app.stats.command.StatsService/GetStats"
-	StatsService_GetStatsOnline_FullMethodName = "/xray.app.stats.command.StatsService/GetStatsOnline"
+	StatsService_GetStatsOnline_FullMethodName       = "/xray.app.stats.command.StatsService/GetStatsOnline"
-	StatsService_QueryStats_FullMethodName     = "/xray.app.stats.command.StatsService/QueryStats"
+	StatsService_QueryStats_FullMethodName           = "/xray.app.stats.command.StatsService/QueryStats"
-	StatsService_GetSysStats_FullMethodName    = "/xray.app.stats.command.StatsService/GetSysStats"
+	StatsService_GetSysStats_FullMethodName          = "/xray.app.stats.command.StatsService/GetSysStats"
 	StatsService_GetStatsOnlineIpList_FullMethodName = "/xray.app.stats.command.StatsService/GetStatsOnlineIpList"
 )
 // StatsServiceClient is the client API for StatsService service.
@@ -33,6 +34,7 @@ type StatsServiceClient interface {
 	GetStatsOnline(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsResponse, error)
 	QueryStats(ctx context.Context, in *QueryStatsRequest, opts ...grpc.CallOption) (*QueryStatsResponse, error)
 	GetSysStats(ctx context.Context, in *SysStatsRequest, opts ...grpc.CallOption) (*SysStatsResponse, error)
 	GetStatsOnlineIpList(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsOnlineIpListResponse, error)
 }
 type statsServiceClient struct {
@@ -83,6 +85,16 @@ func (c *statsServiceClient) GetSysStats(ctx context.Context, in *SysStatsReques
 	return out, nil
 }
 func (c *statsServiceClient) GetStatsOnlineIpList(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsOnlineIpListResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GetStatsOnlineIpListResponse)
 	err := c.cc.Invoke(ctx, StatsService_GetStatsOnlineIpList_FullMethodName, in, out, cOpts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // StatsServiceServer is the server API for StatsService service.
 // All implementations must embed UnimplementedStatsServiceServer
 // for forward compatibility.
@@ -91,6 +103,7 @@ type StatsServiceServer interface {
 	GetStatsOnline(context.Context, *GetStatsRequest) (*GetStatsResponse, error)
 	QueryStats(context.Context, *QueryStatsRequest) (*QueryStatsResponse, error)
 	GetSysStats(context.Context, *SysStatsRequest) (*SysStatsResponse, error)
 	GetStatsOnlineIpList(context.Context, *GetStatsRequest) (*GetStatsOnlineIpListResponse, error)
 	mustEmbedUnimplementedStatsServiceServer()
 }
@@ -113,6 +126,9 @@ func (UnimplementedStatsServiceServer) QueryStats(context.Context, *QueryStatsRe
 func (UnimplementedStatsServiceServer) GetSysStats(context.Context, *SysStatsRequest) (*SysStatsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetSysStats not implemented")
 }
 func (UnimplementedStatsServiceServer) GetStatsOnlineIpList(context.Context, *GetStatsRequest) (*GetStatsOnlineIpListResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetStatsOnlineIpList not implemented")
 }
 func (UnimplementedStatsServiceServer) mustEmbedUnimplementedStatsServiceServer() {}
 func (UnimplementedStatsServiceServer) testEmbeddedByValue()                      {}
@@ -206,6 +222,24 @@ func _StatsService_GetSysStats_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 func _StatsService_GetStatsOnlineIpList_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetStatsRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(StatsServiceServer).GetStatsOnlineIpList(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: StatsService_GetStatsOnlineIpList_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).GetStatsOnlineIpList(ctx, req.(*GetStatsRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 // StatsService_ServiceDesc is the grpc.ServiceDesc for StatsService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -229,6 +263,10 @@ var StatsService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetSysStats",
 			Handler:    _StatsService_GetSysStats_Handler,
 		},
 		{
 			MethodName: "GetStatsOnlineIpList",
 			Handler:    _StatsService_GetStatsOnlineIpList_Handler,
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "app/stats/command/command.proto",
--- a/app/stats/online_map.go
+++ b/app/stats/online_map.go
@@ -40,11 +40,11 @@ func (c *OnlineMap) AddIP(ip string) {
 	if ip == "127.0.0.1" {
 		return
 	}
 	c.access.Lock()
 	if _, ok := list[ip]; !ok {
 		c.access.Lock()
 		list[ip] = time.Now()
 		c.access.Unlock()
 	}
 	c.access.Unlock()
 	if time.Since(c.lastCleanup) > c.cleanupPeriod {
 		list = c.RemoveExpiredIPs(list)
 		c.lastCleanup = time.Now()
@@ -78,3 +78,13 @@ func (c *OnlineMap) RemoveExpiredIPs(list map[string]time.Time) map[string]time.
 	}
 	return list
 }
 func (c *OnlineMap) IpTimeMap() map[string]time.Time {
 	list := c.ipList
 	if time.Since(c.lastCleanup) > c.cleanupPeriod {
 		list = c.RemoveExpiredIPs(list)
 		c.lastCleanup = time.Now()
 	}
 	return c.ipList
 }
--- a/common/buf/buffer.go
+++ b/common/buf/buffer.go
@@ -13,8 +13,19 @@ const (
 	Size = 8192
 )
 var zero = [Size * 10]byte{0}
 var pool = bytespool.GetPool(Size)
 // ownership represents the data owner of the buffer.
 type ownership uint8
 const (
 	managed ownership = iota
 	unmanaged
 	bytespools
 )
 // Buffer is a recyclable allocation of a byte array. Buffer.Release() recycles
 // the buffer into an internal buffer pool, in order to recreate a buffer more
 // quickly.
@@ -22,11 +33,11 @@ type Buffer struct {
 	v         []byte
 	start     int32
 	end       int32
-	unmanaged bool
+	ownership ownership
 	UDP       *net.Destination
 }
-// New creates a Buffer with 0 length and 8K capacity.
+// New creates a Buffer with 0 length and 8K capacity, managed.
 func New() *Buffer {
 	buf := pool.Get().([]byte)
 	if cap(buf) >= Size {
@@ -40,7 +51,7 @@ func New() *Buffer {
 	}
 }
-// NewExisted creates a managed, standard size Buffer with an existed bytearray
+// NewExisted creates a standard size Buffer with an existed bytearray, managed.
 func NewExisted(b []byte) *Buffer {
 	if cap(b) < Size {
 		panic("Invalid buffer")
@@ -57,16 +68,16 @@ func NewExisted(b []byte) *Buffer {
 	}
 }
-// FromBytes creates a Buffer with an existed bytearray
+// FromBytes creates a Buffer with an existed bytearray, unmanaged.
 func FromBytes(b []byte) *Buffer {
 	return &Buffer{
 		v:         b,
 		end:       int32(len(b)),
-		unmanaged: true,
+		ownership: unmanaged,
 	}
 }
-// StackNew creates a new Buffer object on stack.
+// StackNew creates a new Buffer object on stack, managed.
 // This method is for buffers that is released in the same function.
 func StackNew() Buffer {
 	buf := pool.Get().([]byte)
@@ -81,9 +92,17 @@ func StackNew() Buffer {
 	}
 }
 // NewWithSize creates a Buffer with 0 length and capacity with at least the given size, bytespool's.
 func NewWithSize(size int32) *Buffer {
 	return &Buffer{
 		v:         bytespool.Alloc(size),
 		ownership: bytespools,
 	}
 }
 // Release recycles the buffer into an internal buffer pool.
 func (b *Buffer) Release() {
-	if b == nil || b.v == nil || b.unmanaged {
+	if b == nil || b.v == nil || b.ownership == unmanaged {
 		return
 	}
@@ -91,8 +110,13 @@ func (b *Buffer) Release() {
 	b.v = nil
 	b.Clear()
-	if cap(p) == Size {
+	switch b.ownership {
-		pool.Put(p)
+	case managed:
 		if cap(p) == Size {
 			pool.Put(p)
 		}
 	case bytespools:
 		bytespool.Free(p)
 	}
 	b.UDP = nil
 }
@@ -128,6 +152,7 @@ func (b *Buffer) Extend(n int32) []byte {
 	}
 	ext := b.v[b.end:end]
 	b.end = end
 	copy(ext, zero[:])
 	return ext
 }
@@ -176,6 +201,7 @@ func (b *Buffer) Check() {
 // Resize cuts the buffer at the given position.
 func (b *Buffer) Resize(from, to int32) {
 	oldEnd := b.end
 	if from < 0 {
 		from += b.Len()
 	}
@@ -188,6 +214,9 @@ func (b *Buffer) Resize(from, to int32) {
 	b.end = b.start + to
 	b.start += from
 	b.Check()
 	if b.end > oldEnd {
 		copy(b.v[oldEnd:b.end], zero[:])
 	}
 }
 // Advance cuts the buffer at the given position.
@@ -215,13 +244,6 @@ func (b *Buffer) Cap() int32 {
 	return int32(len(b.v))
 }
 // NewWithSize creates a Buffer with 0 length and capacity with at least the given size.
 func NewWithSize(size int32) *Buffer {
 	return &Buffer{
 		v: bytespool.Alloc(size),
 	}
 }
 // IsEmpty returns true if the buffer is empty.
 func (b *Buffer) IsEmpty() bool {
 	return b.Len() == 0
--- a/common/common.go
+++ b/common/common.go
@@ -38,7 +38,7 @@ func Error2(v interface{}, err error) error {
 func envFile() (string, error) {
 	if file := os.Getenv("GOENV"); file != "" {
 		if file == "off" {
-			return "", fmt.Errorf("GOENV=off")
+			return "", errors.New("GOENV=off")
 		}
 		return file, nil
 	}
@@ -47,7 +47,7 @@ func envFile() (string, error) {
 		return "", err
 	}
 	if dir == "" {
-		return "", fmt.Errorf("missing user-config dir")
+		return "", errors.New("missing user-config dir")
 	}
 	return filepath.Join(dir, "go", "env"), nil
 }
@@ -60,7 +60,7 @@ func GetRuntimeEnv(key string) (string, error) {
 		return "", err
 	}
 	if file == "" {
-		return "", fmt.Errorf("missing runtime env file")
+		return "", errors.New("missing runtime env file")
 	}
 	var data []byte
 	var runtimeEnv string
--- a/common/crypto/crypto.go
+++ b/common/crypto/crypto.go
@@ -1,2 +1,15 @@
 // Package crypto provides common crypto libraries for Xray.
 package crypto // import "github.com/xtls/xray-core/common/crypto"
 import (
 	"crypto/rand"
 	"math/big"
 )
 func RandBetween(from int64, to int64) int64 {
 	if from == to {
 		return from
 	}
 	bigInt, _ := rand.Int(rand.Reader, big.NewInt(to-from))
 	return from + bigInt.Int64()
 }
--- a/common/errors/multi_error.go
+++ b/common/errors/multi_error.go
@@ -1,6 +1,7 @@
 package errors
 import (
 	"errors"
 	"strings"
 )
@@ -36,12 +37,12 @@ func AllEqual(expected error, actual error) bool {
 			return false
 		}
 		for _, err := range errs {
-			if err != expected {
+			if !errors.Is(err, expected) {
 				return false
 			}
 		}
 		return true
 	default:
-		return errs == expected
+		return errors.Is(errs, expected)
 	}
 }
--- a/common/log/logger.go
+++ b/common/log/logger.go
@@ -146,7 +146,7 @@ func (w *fileLogWriter) Close() error {
 func CreateStdoutLogWriter() WriterCreator {
 	return func() Writer {
 		return &consoleLogWriter{
-			logger: log.New(os.Stdout, "", log.Ldate|log.Ltime),
+			logger: log.New(os.Stdout, "", log.Ldate|log.Ltime|log.Lmicroseconds),
 		}
 	}
 }
@@ -155,7 +155,7 @@ func CreateStdoutLogWriter() WriterCreator {
 func CreateStderrLogWriter() WriterCreator {
 	return func() Writer {
 		return &consoleLogWriter{
-			logger: log.New(os.Stderr, "", log.Ldate|log.Ltime),
+			logger: log.New(os.Stderr, "", log.Ldate|log.Ltime|log.Lmicroseconds),
 		}
 	}
 }
@@ -174,7 +174,7 @@ func CreateFileLogWriter(path string) (WriterCreator, error) {
 		}
 		return &fileLogWriter{
 			file:   file,
-			logger: log.New(file, "", log.Ldate|log.Ltime),
+			logger: log.New(file, "", log.Ldate|log.Ltime|log.Lmicroseconds),
 		}
 	}, nil
 }
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -173,6 +173,7 @@ type ClientWorker struct {
 	sessionManager *SessionManager
 	link           transport.Link
 	done           *done.Instance
 	timer          *time.Ticker
 	strategy       ClientStrategy
 }
@@ -187,6 +188,7 @@ func NewClientWorker(stream transport.Link, s ClientStrategy) (*ClientWorker, er
 		sessionManager: NewSessionManager(),
 		link:           stream,
 		done:           done.New(),
 		timer:          time.NewTicker(time.Second * 16),
 		strategy:       s,
 	}
@@ -209,9 +211,12 @@ func (m *ClientWorker) Closed() bool {
 	return m.done.Done()
 }
 func (m *ClientWorker) GetTimer() *time.Ticker {
 	return m.timer
 }
 func (m *ClientWorker) monitor() {
-	timer := time.NewTicker(time.Second * 16)
+	defer m.timer.Stop()
 	defer timer.Stop()
 	for {
 		select {
@@ -220,7 +225,7 @@ func (m *ClientWorker) monitor() {
 			common.Close(m.link.Writer)
 			common.Interrupt(m.link.Reader)
 			return
-		case <-timer.C:
+		case <-m.timer.C:
 			size := m.sessionManager.Size()
 			if size == 0 && m.sessionManager.CloseIfNoSession() {
 				common.Must(m.done.Close())
@@ -276,6 +281,8 @@ func (m *ClientWorker) IsClosing() bool {
 	return false
 }
 // IsFull returns true if this ClientWorker is unable to accept more connections.
 // it might be because it is closing, or the number of connections has reached the limit.
 func (m *ClientWorker) IsFull() bool {
 	if m.IsClosing() || m.Closed() {
 		return true
@@ -289,12 +296,12 @@ func (m *ClientWorker) IsFull() bool {
 }
 func (m *ClientWorker) Dispatch(ctx context.Context, link *transport.Link) bool {
-	if m.IsFull() || m.Closed() {
+	if m.IsFull() {
 		return false
 	}
 	sm := m.sessionManager
-	s := sm.Allocate()
+	s := sm.Allocate(&m.strategy)
 	if s == nil {
 		return false
 	}
--- a/common/mux/server.go
+++ b/common/mux/server.go
@@ -120,7 +120,7 @@ func (w *ServerWorker) handleStatusKeepAlive(meta *FrameMetadata, reader *buf.Bu
 func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata, reader *buf.BufferedReader) error {
 	// deep-clone outbounds because it is going to be mutated concurrently
 	// (Target and OriginalTarget)
-	ctx = session.ContextCloneOutbounds(ctx)
+	ctx = session.ContextCloneOutboundsAndContent(ctx)
 	errors.LogInfo(ctx, "received request for ", meta.Target)
 	{
 		msg := &log.AccessMessage{
@@ -201,11 +201,12 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 			transferType: protocol.TransferTypePacket,
 			XUDP:         x,
 		}
 		go handle(ctx, x.Mux, w.link.Writer)
 		x.Status = Active
 		if !w.sessionManager.Add(x.Mux) {
 			x.Mux.Close(false)
 			return errors.New("failed to add new session")
 		}
 		go handle(ctx, x.Mux, w.link.Writer)
 		return nil
 	}
@@ -226,18 +227,23 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 	if meta.Target.Network == net.Network_UDP {
 		s.transferType = protocol.TransferTypePacket
 	}
-	w.sessionManager.Add(s)
+	if !w.sessionManager.Add(s) {
 		s.Close(false)
 		return errors.New("failed to add new session")
 	}
 	go handle(ctx, s, w.link.Writer)
 	if !meta.Option.Has(OptionData) {
 		return nil
 	}
 	rr := s.NewReader(reader, &meta.Target)
-	if err := buf.Copy(rr, s.output); err != nil {
+	err = buf.Copy(rr, s.output)
-		buf.Copy(rr, buf.Discard)
+
-		return s.Close(false)
+	if err != nil && buf.IsWriteError(err) {
 		s.Close(false)
 		return buf.Copy(rr, buf.Discard)
 	}
-	return nil
+	return err
 }
 func (w *ServerWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.BufferedReader) error {
@@ -304,10 +310,11 @@ func (w *ServerWorker) handleFrame(ctx context.Context, reader *buf.BufferedRead
 }
 func (w *ServerWorker) run(ctx context.Context) {
-	input := w.link.Reader
+	reader := &buf.BufferedReader{Reader: w.link.Reader}
 	reader := &buf.BufferedReader{Reader: input}
 	defer w.sessionManager.Close()
 	defer common.Close(w.link.Writer)
 	defer common.Interrupt(w.link.Reader)
 	for {
 		select {
@@ -318,7 +325,6 @@ func (w *ServerWorker) run(ctx context.Context) {
 			if err != nil {
 				if errors.Cause(err) != io.EOF {
 					errors.LogInfoInner(ctx, err, "unexpected EOF")
 					common.Interrupt(input)
 				}
 				return
 			}
--- a/common/mux/session.go
+++ b/common/mux/session.go
@@ -50,11 +50,14 @@ func (m *SessionManager) Count() int {
 	return int(m.count)
 }
-func (m *SessionManager) Allocate() *Session {
+func (m *SessionManager) Allocate(Strategy *ClientStrategy) *Session {
 	m.Lock()
 	defer m.Unlock()
-	if m.closed {
+	MaxConcurrency := int(Strategy.MaxConcurrency)
 	MaxConnection := uint16(Strategy.MaxConnection)
 	if m.closed || (MaxConcurrency > 0 && len(m.sessions) >= MaxConcurrency) || (MaxConnection > 0 && m.count >= MaxConnection) {
 		return nil
 	}
--- a/common/mux/session_test.go
+++ b/common/mux/session_test.go
@@ -9,7 +9,7 @@ import (
 func TestSessionManagerAdd(t *testing.T) {
 	m := NewSessionManager()
-	s := m.Allocate()
+	s := m.Allocate(&ClientStrategy{})
 	if s.ID != 1 {
 		t.Error("id: ", s.ID)
 	}
@@ -17,7 +17,7 @@ func TestSessionManagerAdd(t *testing.T) {
 		t.Error("size: ", m.Size())
 	}
-	s = m.Allocate()
+	s = m.Allocate(&ClientStrategy{})
 	if s.ID != 2 {
 		t.Error("id: ", s.ID)
 	}
@@ -39,7 +39,7 @@ func TestSessionManagerAdd(t *testing.T) {
 func TestSessionManagerClose(t *testing.T) {
 	m := NewSessionManager()
-	s := m.Allocate()
+	s := m.Allocate(&ClientStrategy{})
 	if m.CloseIfNoSession() {
 		t.Error("able to close")
--- a/common/net/destination.go
+++ b/common/net/destination.go
@@ -89,12 +89,10 @@ func UnixDestination(address Address) Destination {
 // NetAddr returns the network address in this Destination in string form.
 func (d Destination) NetAddr() string {
 	addr := ""
-	if d.Address != nil {
+	if d.Network == Network_TCP || d.Network == Network_UDP {
-		if d.Network == Network_TCP || d.Network == Network_UDP {
+		addr = d.Address.String() + ":" + d.Port.String()
-			addr = d.Address.String() + ":" + d.Port.String()
+	} else if d.Network == Network_UNIX {
-		} else if d.Network == Network_UNIX {
+		addr = d.Address.String()
 			addr = d.Address.String()
 		}
 	}
 	return addr
 }
--- a/common/net/net.go
+++ b/common/net/net.go
@@ -1,2 +1,14 @@
 // Package net is a drop-in replacement to Golang's net package, with some more functionalities.
 package net // import "github.com/xtls/xray-core/common/net"
 import "time"
 // defines the maximum time an idle TCP session can survive in the tunnel, so
 // it should be consistent across HTTP versions and with other transports.
 const ConnIdleTimeout = 300 * time.Second
 // consistent with quic-go
 const QuicgoH3KeepAlivePeriod = 10 * time.Second
 // consistent with chrome
 const ChromeH2KeepAlivePeriod = 45 * time.Second
--- a/common/net/system.go
+++ b/common/net/system.go
@@ -76,8 +76,9 @@ type (
 )
 var (
-	ResolveUnixAddr = net.ResolveUnixAddr
+	ResolveTCPAddr  = net.ResolveTCPAddr
 	ResolveUDPAddr  = net.ResolveUDPAddr
 	ResolveUnixAddr = net.ResolveUnixAddr
 )
 type Resolver = net.Resolver
--- a/common/platform/filesystem/file.go
+++ b/common/platform/filesystem/file.go
@@ -3,6 +3,7 @@ package filesystem
 import (
 	"io"
 	"os"
 	"path/filepath"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/platform"
@@ -28,6 +29,13 @@ func ReadAsset(file string) ([]byte, error) {
 	return ReadFile(platform.GetAssetLocation(file))
 }
 func ReadCert(file string) ([]byte, error) {
 	if filepath.IsAbs(file) {
 		return ReadFile(file)
 	}
 	return ReadFile(platform.GetCertLocation(file))
 }
 func CopyFile(dst string, src string) error {
 	bytes, err := ReadFile(src)
 	if err != nil {
--- a/common/platform/others.go
+++ b/common/platform/others.go
@@ -21,7 +21,7 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file)
 }
-// GetAssetLocation searches for `file` in certain locations
+// GetAssetLocation searches for `file` in the env dir, the executable dir, and certain locations
 func GetAssetLocation(file string) string {
 	assetPath := NewEnvFlag(AssetLocation).GetValue(getExecutableDir)
 	defPath := filepath.Join(assetPath, file)
@@ -42,3 +42,9 @@ func GetAssetLocation(file string) string {
 	// asset not found, let the caller throw out the error
 	return defPath
 }
 // GetCertLocation searches for `file` in the env dir and the executable dir
 func GetCertLocation(file string) string {
 	certPath := NewEnvFlag(CertLocation).GetValue(getExecutableDir)
 	return filepath.Join(certPath, file)
 }
--- a/common/platform/platform.go
+++ b/common/platform/platform.go
@@ -13,6 +13,7 @@ const (
 	ConfdirLocation = "xray.location.confdir"
 	ToolLocation    = "xray.location.tool"
 	AssetLocation   = "xray.location.asset"
 	CertLocation    = "xray.location.cert"
 	UseReadV         = "xray.buf.readv"
 	UseFreedomSplice = "xray.buf.splice"
--- a/common/platform/windows.go
+++ b/common/platform/windows.go
@@ -19,8 +19,14 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file+".exe")
 }
-// GetAssetLocation searches for `file` in the executable dir
+// GetAssetLocation searches for `file` in the env dir and the executable dir
 func GetAssetLocation(file string) string {
 	assetPath := NewEnvFlag(AssetLocation).GetValue(getExecutableDir)
 	return filepath.Join(assetPath, file)
 }
 // GetCertLocation searches for `file` in the env dir and the executable dir
 func GetCertLocation(file string) string {
 	certPath := NewEnvFlag(CertLocation).GetValue(getExecutableDir)
 	return filepath.Join(certPath, file)
 }
--- a/common/protocol/http/sniff.go
+++ b/common/protocol/http/sniff.go
@@ -63,7 +63,7 @@ func SniffHTTP(b []byte, c context.Context) (*SniffHeader, error) {
 	ShouldSniffAttr := true
 	// If content.Attributes have information, that means it comes from HTTP inbound PlainHTTP mode.
 	// It will set attributes, so skip it.
-	if content == nil || content.AttributeLen() != 0 {
+	if content == nil || len(content.Attributes) != 0 {
 		ShouldSniffAttr = false
 	}
 	if err := beginWithHTTPMethod(b); err != nil {
--- a/common/protocol/protocol.go
+++ b/common/protocol/protocol.go
@@ -1 +1,7 @@
 package protocol // import "github.com/xtls/xray-core/common/protocol"
 import (
 	"errors"
 )
 var ErrProtoNeedMoreData = errors.New("protocol matches, but need more data to complete sniffing")
--- a/common/protocol/quic/sniff.go
+++ b/common/protocol/quic/sniff.go
@@ -1,7 +1,6 @@
 package quic
 import (
 	"context"
 	"crypto"
 	"crypto/aes"
 	"crypto/tls"
@@ -11,8 +10,8 @@ import (
 	"github.com/quic-go/quic-go/quicvarint"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/bytespool"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/protocol"
 	ptls "github.com/xtls/xray-core/common/protocol/tls"
 	"golang.org/x/crypto/hkdf"
 )
@@ -47,22 +46,17 @@ var (
 	errNotQuicInitial = errors.New("not initial packet")
 )
-func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
+func SniffQUIC(b []byte) (*SniffHeader, error) {
-	// In extremely rare cases, this sniffer may cause slice error
+	if len(b) == 0 {
-	// and we set recover() here to prevent crash.
+		return nil, common.ErrNoClue
-	// TODO: Thoroughly fix this panic
+	}
 	defer func() {
 		if r := recover(); r != nil {
 			errors.LogError(context.Background(), "Failed to sniff QUIC: ", r)
 			resultReturn = nil
 			errorReturn = common.ErrNoClue
 		}
 	}()
 	// Crypto data separated across packets
-	cryptoLen := 0
+	cryptoLen := int32(0)
-	cryptoData := bytespool.Alloc(int32(len(b)))
+	cryptoDataBuf := buf.NewWithSize(32767)
-	defer bytespool.Free(cryptoData)
+	defer cryptoDataBuf.Release()
 	cache := buf.New()
 	defer cache.Release()
 	// Parse QUIC packets
 	for len(b) > 0 {
@@ -105,19 +99,25 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			return nil, errNotQuic
 		}
-		tokenLen, err := quicvarint.Read(buffer)
+		if isQuicInitial { // Only initial packets have token, see https://datatracker.ietf.org/doc/html/rfc9000#section-17.2.2
-		if err != nil || tokenLen > uint64(len(b)) {
+			tokenLen, err := quicvarint.Read(buffer)
-			return nil, errNotQuic
+			if err != nil || tokenLen > uint64(len(b)) {
-		}
+				return nil, errNotQuic
 			}
-		if _, err = buffer.ReadBytes(int32(tokenLen)); err != nil {
+			if _, err = buffer.ReadBytes(int32(tokenLen)); err != nil {
-			return nil, errNotQuic
+				return nil, errNotQuic
 			}
 		}
 		packetLen, err := quicvarint.Read(buffer)
 		if err != nil {
 			return nil, errNotQuic
 		}
 		// packetLen is impossible to be shorter than this
 		if packetLen < 4 {
 			return nil, errNotQuic
 		}
 		hdrLen := len(b) - int(buffer.Len())
 		if len(b) < hdrLen+int(packetLen) {
@@ -130,9 +130,6 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			continue
 		}
 		origPNBytes := make([]byte, 4)
 		copy(origPNBytes, b[hdrLen:hdrLen+4])
 		var salt []byte
 		if versionNumber == version1 {
 			salt = quicSalt
@@ -147,44 +144,34 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			return nil, err
 		}
-		cache := buf.New()
+		cache.Clear()
 		defer cache.Release()
 		mask := cache.Extend(int32(block.BlockSize()))
-		block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16])
+		block.Encrypt(mask, b[hdrLen+4:hdrLen+4+len(mask)])
 		b[0] ^= mask[0] & 0xf
-		for i := range b[hdrLen : hdrLen+4] {
+		packetNumberLength := int(b[0]&0x3 + 1)
 		for i := range packetNumberLength {
 			b[hdrLen+i] ^= mask[i+1]
 		}
 		packetNumberLength := b[0]&0x3 + 1
 		if packetNumberLength != 1 {
 			return nil, errNotQuicInitial
 		}
 		var packetNumber uint32
 		{
 			n, err := buffer.ReadByte()
 			if err != nil {
 				return nil, err
 			}
 			packetNumber = uint32(n)
 		}
 		extHdrLen := hdrLen + int(packetNumberLength)
 		copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
 		data := b[extHdrLen : int(packetLen)+hdrLen]
 		key := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
 		iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
 		cipher := AEADAESGCMTLS13(key, iv)
 		nonce := cache.Extend(int32(cipher.NonceSize()))
-		binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
+		_, err = buffer.Read(nonce[len(nonce)-packetNumberLength:])
 		if err != nil {
 			return nil, err
 		}
 		extHdrLen := hdrLen + packetNumberLength
 		data := b[extHdrLen : int(packetLen)+hdrLen]
 		decrypted, err := cipher.Open(b[extHdrLen:extHdrLen], nonce, data, b[:extHdrLen])
 		if err != nil {
 			return nil, err
 		}
 		buffer = buf.FromBytes(decrypted)
-		for i := 0; !buffer.IsEmpty(); i++ {
+		for !buffer.IsEmpty() {
-			frameType := byte(0x0) // Default to PADDING frame
+			frameType, _ := buffer.ReadByte()
 			for frameType == 0x0 && !buffer.IsEmpty() {
 				frameType, _ = buffer.ReadByte()
 			}
@@ -233,16 +220,15 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 				if err != nil || length > uint64(buffer.Len()) {
 					return nil, io.ErrUnexpectedEOF
 				}
-				if cryptoLen < int(offset+length) {
+				currentCryptoLen := int32(offset + length)
-					cryptoLen = int(offset + length)
+				if cryptoLen < currentCryptoLen {
-					if len(cryptoData) < cryptoLen {
+					if cryptoDataBuf.Cap() < currentCryptoLen {
-						newCryptoData := bytespool.Alloc(int32(cryptoLen))
+						return nil, io.ErrShortBuffer
 						copy(newCryptoData, cryptoData)
 						bytespool.Free(cryptoData)
 						cryptoData = newCryptoData
 					}
 					cryptoDataBuf.Extend(currentCryptoLen - cryptoLen)
 					cryptoLen = currentCryptoLen
 				}
-				if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
+				if _, err := buffer.Read(cryptoDataBuf.BytesRange(int32(offset), currentCryptoLen)); err != nil { // Field: Crypto Data
 					return nil, io.ErrUnexpectedEOF
 				}
 			case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
@@ -267,7 +253,7 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 		}
 		tlsHdr := &ptls.SniffHeader{}
-		err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
+		err = ptls.ReadClientHello(cryptoDataBuf.BytesRange(0, cryptoLen), tlsHdr)
 		if err != nil {
 			// The crypto data may have not been fully recovered in current packets,
 			// So we continue to sniff rest packets.
@@ -276,7 +262,8 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 		}
 		return &SniffHeader{domain: tlsHdr.Domain()}, nil
 	}
-	return nil, common.ErrNoClue
+	// All payload is parsed as valid QUIC packets, but we need more packets for crypto data to read client hello.
 	return nil, protocol.ErrProtoNeedMoreData
 }
 func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
--- a/common/protocol/quic/sniff_test.go
+++ b/common/protocol/quic/sniff_test.go
--- a/common/protocol/tls/cert/.gitignore
+++ b/common/protocol/tls/cert/.gitignore
@@ -1 +0,0 @@
 *.pem
--- a/common/protocol/tls/cert/cert_test.go
+++ b/common/protocol/tls/cert/cert_test.go
@@ -78,9 +78,9 @@ func printJSON(certificate *Certificate) {
 func printFile(certificate *Certificate, name string) error {
 	certPEM, keyPEM := certificate.ToPEM()
 	return task.Run(context.Background(), func() error {
-		return writeFile(certPEM, name+"_cert.pem")
+		return writeFile(certPEM, name+".crt")
 	}, func() error {
-		return writeFile(keyPEM, name+"_key.pem")
+		return writeFile(keyPEM, name+".key")
 	})
 }
--- a/common/protocol/tls/sniff.go
+++ b/common/protocol/tls/sniff.go
@@ -3,9 +3,9 @@ package tls
 import (
 	"encoding/binary"
 	"errors"
 	"strings"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/protocol"
 )
 type SniffHeader struct {
@@ -59,9 +59,6 @@ func ReadClientHello(data []byte, h *SniffHeader) error {
 	}
 	data = data[1+compressionMethodsLen:]
 	if len(data) == 0 {
 		return errNotClientHello
 	}
 	if len(data) < 2 {
 		return errNotClientHello
 	}
@@ -104,13 +101,21 @@ func ReadClientHello(data []byte, h *SniffHeader) error {
 					return errNotClientHello
 				}
 				if nameType == 0 {
-					serverName := string(d[:nameLen])
+					// QUIC separated across packets
 					// May cause the serverName to be incomplete
 					b := byte(0)
 					for _, b = range d[:nameLen] {
 						if b <= ' ' {
 							return protocol.ErrProtoNeedMoreData
 						}
 					}
 					// An SNI value may not include a
 					// trailing dot. See
 					// https://tools.ietf.org/html/rfc6066#section-3.
-					if strings.HasSuffix(serverName, ".") {
+					if b == '.' {
 						return errNotClientHello
 					}
 					serverName := string(d[:nameLen])
 					h.domain = serverName
 					return nil
 				}
--- a/common/reflect/marshal.go
+++ b/common/reflect/marshal.go
@@ -58,7 +58,9 @@ func marshalSlice(v reflect.Value, ignoreNullValue bool, insertTypeInfo bool) in
 }
 func isNullValue(f reflect.StructField, rv reflect.Value) bool {
-	if rv.Kind() == reflect.String && rv.Len() == 0 {
+	if rv.Kind() == reflect.Struct {
 		return false
 	} else if rv.Kind() == reflect.String && rv.Len() == 0 {
 		return true
 	} else if !isValueKind(rv.Kind()) && rv.IsNil() {
 		return true
@@ -184,6 +186,12 @@ func marshalKnownType(v interface{}, ignoreNullValue bool, insertTypeInfo bool)
 	case *conf.PortList:
 		cpl := v.(*conf.PortList)
 		return serializePortList(cpl.Build())
 	case conf.Int32Range:
 		i32rng := v.(conf.Int32Range)
 		if i32rng.Left == i32rng.Right {
 			return i32rng.Left, true
 		}
 		return i32rng.String(), true
 	case cnet.Address:
 		if addr := v.(cnet.Address); addr != nil {
 			return addr.String(), true
--- a/common/reflect/marshal_test.go
+++ b/common/reflect/marshal_test.go
@@ -116,98 +116,129 @@ func TestMarshalConfigJson(t *testing.T) {
 		"system",
 		"inboundDownlink",
 		"outboundUplink",
 		"XHTTP_IN",
 		"\"host\": \"bing.com\"",
 		"scMaxEachPostBytes",
 		"\"from\": 100",
 		"\"to\": 1000",
 		"\"from\": 1000000",
 		"\"to\": 1000000",
 	}
 	for _, kw := range keywords {
 		if !strings.Contains(tc, kw) {
-			t.Error("marshaled config error")
+			t.Log("config.json:", tc)
 			t.Error("keyword not found:", kw)
 			break
 		}
 	}
 }
 func getConfig() string {
 	return `{
-		"log": {
+  "log": {
-		  "loglevel": "debug"
+    "loglevel": "debug"
-		},
+  },
-		"stats": {},
+  "stats": {},
-		"policy": {
+  "policy": {
-		  "levels": {
+    "levels": {
-			"0": {
+      "0": {
-			  "statsUserUplink": true,
+        "statsUserUplink": true,
-			  "statsUserDownlink": true
+        "statsUserDownlink": true
-			}
+      }
-		  },
+    },
-		  "system": {
+    "system": {
-			"statsInboundUplink": true,
+      "statsInboundUplink": true,
-			"statsInboundDownlink": true,
+      "statsInboundDownlink": true,
-			"statsOutboundUplink": true,
+      "statsOutboundUplink": true,
-			"statsOutboundDownlink": true
+      "statsOutboundDownlink": true
-		  }
+    }
-		},
+  },
-		"inbounds": [
+  "inbounds": [
-		  {
+    {
-			"tag": "agentin",
+      "tag": "agentin",
-			"protocol": "http",
+      "protocol": "http",
-			"port": 8080,
+      "port": 18080,
-			"listen": "127.0.0.1",
+      "listen": "127.0.0.1",
-			"settings": {}
+      "settings": {}
-		  },
+    },
-		  {
+    {
-			"listen": "127.0.0.1",
+      "listen": "127.0.0.1",
-			"port": 10085,
+      "port": 10085,
-			"protocol": "dokodemo-door",
+      "protocol": "dokodemo-door",
-			"settings": {
+      "settings": {
-			  "address": "127.0.0.1"
+        "address": "127.0.0.1"
-			},
+      },
-			"tag": "api-in"
+      "tag": "api-in"
-		  }
+    }
-		],
+  ],
-		"api": {
+  "api": {
-		  "tag": "api",
+    "tag": "api",
-		  "services": [
+    "services": [
-			"HandlerService",
+      "HandlerService",
-			"StatsService"
+      "StatsService"
-		  ]
+    ]
-		},
+  },
-		"routing": {
+  "routing": {
-		  "rules": [
+    "rules": [
-			{
+      {
-			  "inboundTag": [
+        "inboundTag": [
-				"api-in"
+          "api-in"
-			  ],
+        ],
-			  "outboundTag": "api",
+        "outboundTag": "api",
-			  "type": "field"
+        "type": "field"
-			}
+      }
-		  ],
+    ],
-		  "domainStrategy": "AsIs"
+    "domainStrategy": "AsIs"
-		},
+  },
-		"outbounds": [
+  "outbounds": [
-		  {
+    {
-			"protocol": "vless",
+      "protocol": "vless",
-			"settings": {
+      "settings": {
-			  "vnext": [
+        "vnext": [
-				{
+          {
-				  "address": "1.2.3.4",
+            "address": "1.2.3.4",
-				  "port": 1234,
+            "port": 1234,
-				  "users": [
+            "users": [
-					{
+              {
-					  "id": "4784f9b8-a879-4fec-9718-ebddefa47750",
+                "id": "4784f9b8-a879-4fec-9718-ebddefa47750",
-					  "encryption": "none"
+                "encryption": "none"
-					}
+              }
-				  ]
+            ]
-				}
+          }
-			  ]
+        ]
-			},
+      },
-			"tag": "agentout",
+      "tag": "XHTTP_IN",
-			"streamSettings": {
+      "streamSettings": {
-			  "network": "ws",
+        "network": "xhttp",
-			  "security": "none",
+        "xhttpSettings": {
-			  "wsSettings": {
+          "host": "bing.com",
-				"path": "/?ed=2048",
+          "path": "/xhttp_client_upload",
-				"host": "bing.com"
+          "mode": "auto",
-			  }
+          "extra": {
-			}
+            "noSSEHeader": false,
-		  }
+            "scMaxEachPostBytes": 1000000,
-		]
+            "scMaxBufferedPosts": 30,
-	  }`
+            "xPaddingBytes": "100-1000"
          }
        },
        "sockopt": {
          "tcpFastOpen": true,
          "acceptProxyProtocol": false,
          "tcpcongestion": "bbr",
          "tcpMptcp": true
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ],
        "metadataOnly": false,
        "routeOnly": true
      }
    }
  ]
 }`
 }
--- a/common/session/context.go
+++ b/common/session/context.go
@@ -23,6 +23,8 @@ const (
 	timeoutOnlyKey            ctx.SessionKey = 8
 	allowedNetworkKey         ctx.SessionKey = 9
 	handlerSessionKey         ctx.SessionKey = 10
 	mitmAlpn11Key             ctx.SessionKey = 11
 	mitmServerNameKey         ctx.SessionKey = 12
 )
 func ContextWithInbound(ctx context.Context, inbound *Inbound) context.Context {
@@ -40,7 +42,7 @@ func ContextWithOutbounds(ctx context.Context, outbounds []*Outbound) context.Co
 	return context.WithValue(ctx, outboundSessionKey, outbounds)
 }
-func ContextCloneOutbounds(ctx context.Context) context.Context {
+func ContextCloneOutboundsAndContent(ctx context.Context) context.Context {
 	outbounds := OutboundsFromContext(ctx)
 	newOutbounds := make([]*Outbound, len(outbounds))
 	for i, ob := range outbounds {
@@ -53,7 +55,15 @@ func ContextCloneOutbounds(ctx context.Context) context.Context {
 		newOutbounds[i] = &v
 	}
-	return ContextWithOutbounds(ctx, newOutbounds)
+	content := ContentFromContext(ctx)
 	newContent := Content{}
 	if content != nil {
 		newContent = *content
 		if content.Attributes != nil {
 			panic("content.Attributes != nil")
 		}
 	}
 	return ContextWithContent(ContextWithOutbounds(ctx, newOutbounds), &newContent)
 }
 func OutboundsFromContext(ctx context.Context) []*Outbound {
@@ -162,3 +172,25 @@ func AllowedNetworkFromContext(ctx context.Context) net.Network {
 	}
 	return net.Network_Unknown
 }
 func ContextWithMitmAlpn11(ctx context.Context, alpn11 bool) context.Context {
 	return context.WithValue(ctx, mitmAlpn11Key, alpn11)
 }
 func MitmAlpn11FromContext(ctx context.Context) bool {
 	if val, ok := ctx.Value(mitmAlpn11Key).(bool); ok {
 		return val
 	}
 	return false
 }
 func ContextWithMitmServerName(ctx context.Context, serverName string) context.Context {
 	return context.WithValue(ctx, mitmServerNameKey, serverName)
 }
 func MitmServerNameFromContext(ctx context.Context) string {
 	if val, ok := ctx.Value(mitmServerNameKey).(string); ok {
 		return val
 	}
 	return ""
 }
--- a/common/session/session.go
+++ b/common/session/session.go
@@ -4,7 +4,6 @@ package session // import "github.com/xtls/xray-core/common/session"
 import (
 	"context"
 	"math/rand"
 	"sync"
 	c "github.com/xtls/xray-core/common/ctx"
 	"github.com/xtls/xray-core/common/errors"
@@ -75,8 +74,8 @@ type Outbound struct {
 // SniffingRequest controls the behavior of content sniffing.
 type SniffingRequest struct {
-	ExcludeForDomain               []string
+	ExcludeForDomain               []string // read-only once set
-	OverrideDestinationForProtocol []string
+	OverrideDestinationForProtocol []string // read-only once set
 	Enabled                        bool
 	MetadataOnly                   bool
 	RouteOnly                      bool
@@ -92,10 +91,6 @@ type Content struct {
 	Attributes map[string]string
 	SkipDNSResolve bool
 	mu sync.Mutex
 	isLocked bool
 }
 // Sockopt is the settings for socket connection.
@@ -104,22 +99,8 @@ type Sockopt struct {
 	Mark int32
 }
 // Some how when using mux, there will be a same ctx between different requests
 // This will cause problem as it's designed for single request, like concurrent map writes
 // Add a Mutex as a temp solution
 // SetAttribute attaches additional string attributes to content.
 func (c *Content) SetAttribute(name string, value string) {
 	if c.isLocked {
 		errors.LogError(context.Background(), "Multiple goroutines are tring to access one routing content, tring to write ", name, ":", value)
 	}
 	c.mu.Lock()
 	c.isLocked = true
 	defer func() {
 		c.isLocked = false
 		c.mu.Unlock()
 	}()
 	if c.Attributes == nil {
 		c.Attributes = make(map[string]string)
 	}
@@ -128,24 +109,8 @@ func (c *Content) SetAttribute(name string, value string) {
 // Attribute retrieves additional string attributes from content.
 func (c *Content) Attribute(name string) string {
 	c.mu.Lock()
 	c.isLocked = true
 	defer func() {
 		c.isLocked = false
 		c.mu.Unlock()
 	}()
 	if c.Attributes == nil {
 		return ""
 	}
 	return c.Attributes[name]
 }
 func (c *Content) AttributeLen() int {
 	c.mu.Lock()
 	c.isLocked = true
 	defer func() {
 		c.isLocked = false
 		c.mu.Unlock()
 	}()
 	return len(c.Attributes)
 }
--- a/common/signal/timer.go
+++ b/common/signal/timer.go
@@ -67,9 +67,9 @@ func (t *ActivityTimer) SetTimeout(timeout time.Duration) {
 		t.checkTask.Close()
 	}
 	t.checkTask = checkTask
 	t.Unlock()
 	t.Update()
 	common.Must(checkTask.Start())
 	t.Unlock()
 }
 func CancelAfterInactivity(ctx context.Context, cancel context.CancelFunc, timeout time.Duration) *ActivityTimer {
--- a/common/utils/typed_sync_map.go
+++ b/common/utils/typed_sync_map.go
@@ -0,0 +1,112 @@
 package utils
 import (
 	"sync"
 )
 // TypedSyncMap is a wrapper of sync.Map that provides type-safe for keys and values.
 // No need to use type assertions every time, so you can have more time to enjoy other things like GochiUsa
 // If sync.Map methods returned nil, it will return the zero value of the type V.
 type TypedSyncMap[K, V any] struct {
 	syncMap *sync.Map
 }
 // NewTypedSyncMap creates a new TypedSyncMap
 // K is key type, V is value type
 // It is recommended to use pointer types for V because sync.Map might return nil
 // If sync.Map methods really returned nil, it will return the zero value of the type V
 func NewTypedSyncMap[K any, V any]() *TypedSyncMap[K, V] {
 	return &TypedSyncMap[K, V]{
 		syncMap: &sync.Map{},
 	}
 }
 // Clear deletes all the entries, resulting in an empty Map.
 func (m *TypedSyncMap[K, V]) Clear() {
 	m.syncMap.Clear()
 }
 // CompareAndDelete deletes the entry for key if its value is equal to old.
 // The old value must be of a comparable type.
 //
 // If there is no current value for key in the map, CompareAndDelete
 // returns false (even if the old value is the nil interface value).
 func (m *TypedSyncMap[K, V]) CompareAndDelete(key K, old V) (deleted bool) {
 	return m.syncMap.CompareAndDelete(key, old)
 }
 // CompareAndSwap swaps the old and new values for key
 // if the value stored in the map is equal to old.
 // The old value must be of a comparable type.
 func (m *TypedSyncMap[K, V]) CompareAndSwap(key K, old V, new V) (swapped bool) {
 	return m.syncMap.CompareAndSwap(key, old, new)
 }
 // Delete deletes the value for a key.
 func (m *TypedSyncMap[K, V]) Delete(key K) {
 	m.syncMap.Delete(key)
 }
 // Load returns the value stored in the map for a key, or nil if no
 // value is present.
 // The ok result indicates whether value was found in the map.
 func (m *TypedSyncMap[K, V]) Load(key K) (value V, ok bool) {
 	anyValue, ok := m.syncMap.Load(key)
 	// anyValue might be nil
 	if anyValue != nil {
 		value = anyValue.(V)
 	}
 	return value, ok
 }
 // LoadAndDelete deletes the value for a key, returning the previous value if any.
 // The loaded result reports whether the key was present.
 func (m *TypedSyncMap[K, V]) LoadAndDelete(key K) (value V, loaded bool) {
 	anyValue, loaded := m.syncMap.LoadAndDelete(key)
 	if anyValue != nil {
 		value = anyValue.(V)
 	}
 	return value, loaded
 }
 // LoadOrStore returns the existing value for the key if present.
 // Otherwise, it stores and returns the given value.
 // The loaded result is true if the value was loaded, false if stored.
 func (m *TypedSyncMap[K, V]) LoadOrStore(key K, value V) (actual V, loaded bool) {
 	anyActual, loaded := m.syncMap.LoadOrStore(key, value)
 	if anyActual != nil {
 		actual = anyActual.(V)
 	}
 	return actual, loaded
 }
 // Range calls f sequentially for each key and value present in the map.
 // If f returns false, range stops the iteration.
 //
 // Range does not necessarily correspond to any consistent snapshot of the Map's
 // contents: no key will be visited more than once, but if the value for any key
 // is stored or deleted concurrently (including by f), Range may reflect any
 // mapping for that key from any point during the Range call. Range does not
 // block other methods on the receiver; even f itself may call any method on m.
 //
 // Range may be O(N) with the number of elements in the map even if f returns
 // false after a constant number of calls.
 func (m *TypedSyncMap[K, V]) Range(f func(key K, value V) bool) {
 	m.syncMap.Range(func(key, value any) bool {
 		return f(key.(K), value.(V))
 	})
 }
 // Store sets the value for a key.
 func (m *TypedSyncMap[K, V]) Store(key K, value V) {
 	m.syncMap.Store(key, value)
 }
 // Swap swaps the value for a key and returns the previous value if any. The loaded result reports whether the key was present.
 func (m *TypedSyncMap[K, V]) Swap(key K, value V) (previous V, loaded bool) {
 	anyPrevious, loaded := m.syncMap.Swap(key, value)
 	if anyPrevious != nil {
 		previous = anyPrevious.(V)
 	}
 	return previous, loaded
 }
--- a/core/config.go
+++ b/core/config.go
@@ -2,6 +2,7 @@ package core
 import (
 	"io"
 	"slices"
 	"strings"
 	"github.com/xtls/xray-core/common"
@@ -64,14 +65,11 @@ func GetMergedConfig(args cmdarg.Arg) (string, error) {
 	supported := []string{"json", "yaml", "toml"}
 	for _, file := range args {
 		format := getFormat(file)
-		for _, s := range supported {
+		if slices.Contains(supported, format) {
-			if s == format {
+			files = append(files, &ConfigSource{
-				files = append(files, &ConfigSource{
+				Name:   file,
-					Name:   file,
+				Format: format,
-					Format: format,
+			})
 				})
 				break
 			}
 		}
 	}
 	return ConfigMergedFormFiles(files)
--- a/core/core.go
+++ b/core/core.go
@@ -17,9 +17,9 @@ import (
 )
 var (
-	Version_x byte = 24
+	Version_x byte = 25
-	Version_y byte = 12
+	Version_y byte = 7
-	Version_z byte = 15
+	Version_z byte = 25
 )
 var (
--- a/Show More
+++ b/Show More