Bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1 (#4719 )

Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/vishvananda/netlink/releases) - [Commits](https://github.com/vishvananda/netlink/compare/v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: github.com/vishvananda/netlink dependency-version: 1.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump github.com/refraction-networking/utls from 1.7.1 to 1.7.2 (#4710 )
2025-05-14 05:04:12 +08:00 · 2025-05-11 20:55:45 -04:00 · 2025-05-09 10:32:00 -04:00 · 2025-05-09 10:31:28 -04:00 · 2025-05-09 10:29:52 -04:00 · 2025-05-08 15:44:54 -04:00
90 changed files with 2722 additions and 1880 deletions
--- a/.github/workflows/release-win7.yml
+++ b/.github/workflows/release-win7.yml
@ -9,7 +9,38 @@ on:
    types: [opened, synchronize, reopened]

 jobs:
+  check-assets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Geodat Cache
+        uses: actions/cache/restore@v4
+        with:
+          path: resources
+          key: xray-geodat-
+
+      - name: Check Assets Existence
+        id: check-assets
+        run: |
+          [ -d 'resources' ] || mkdir resources
+          LIST=('geoip.dat' 'geosite.dat')
+          for FILE_NAME in "${LIST[@]}"
+          do
+            echo -e "Checking ${FILE_NAME}..."
+            if [ -s "./resources/${FILE_NAME}" ]; then
+              echo -e "${FILE_NAME} exists."
+            else
+              echo -e "${FILE_NAME} does not exist."
+              echo "missing=true" >> $GITHUB_OUTPUT
+              break
+            fi
+          done
+
+      - name: Sleep for 90 seconds if Assets Missing
+        if: steps.check-assets.outputs.missing == 'true'
+        run: sleep 90
+
  build:
+    needs: check-assets
    permissions:
      contents: write
    strategy:
@ -51,7 +82,7 @@ jobs:
          GOSDK=$(go env GOROOT)
          rm -r $GOSDK/*
          cd $GOSDK
-          curl -O -L https://github.com/XTLS/go-win7/releases/latest/download/go-for-win7-linux-amd64.zip
+          curl -O -L -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://github.com/XTLS/go-win7/releases/latest/download/go-for-win7-linux-amd64.zip
          unzip ./go-for-win7-linux-amd64.zip -d $GOSDK
          rm ./go-for-win7-linux-amd64.zip

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -9,7 +9,53 @@ on:
    types: [opened, synchronize, reopened]

 jobs:
+  check-assets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Geodat Cache
+        uses: actions/cache/restore@v4
+        with:
+          path: resources
+          key: xray-geodat-
+
+      - name: Check Assets Existence
+        id: check-assets
+        run: |
+          [ -d 'resources' ] || mkdir resources
+          LIST=('geoip.dat' 'geosite.dat')
+          for FILE_NAME in "${LIST[@]}"
+          do
+            echo -e "Checking ${FILE_NAME}..."
+            if [ -s "./resources/${FILE_NAME}" ]; then
+              echo -e "${FILE_NAME} exists."
+            else
+              echo -e "${FILE_NAME} does not exist."
+              echo "missing=true" >> $GITHUB_OUTPUT
+              break
+            fi
+          done
+
+      - name: Trigger Asset Update Workflow if Assets Missing
+        if: steps.check-assets.outputs.missing == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { owner, repo } = context.repo;
+            await github.rest.actions.createWorkflowDispatch({
+              owner,
+              repo,
+              workflow_id: 'scheduled-assets-update.yml',
+              ref: context.ref
+            });
+            console.log('Triggered scheduled-assets-update.yml due to missing assets on branch:', context.ref);
+
+      - name: Sleep for 90 seconds if Assets Missing
+        if: steps.check-assets.outputs.missing == 'true'
+        run: sleep 90
+
  build:
+    needs: check-assets
    permissions:
      contents: write
    strategy:
@ -42,6 +88,11 @@ jobs:
          - goos: android
            goarch: arm64
          # END Android ARM 8
+          # BEGIN Android AMD64
+          - goos: android
+            goarch: amd64
+            patch-assetname: android-amd64
+          # END Android AMD64
          # Windows ARM
          - goos: windows
            goarch: arm64
@ -104,6 +155,19 @@ jobs:
      - name: Checkout codebase
        uses: actions/checkout@v4

+      - name: Set up NDK
+        if: matrix.goos == 'android'
+        run: |
+          wget -qO android-ndk.zip https://dl.google.com/android/repository/android-ndk-r28b-linux.zip
+          unzip android-ndk.zip
+          rm android-ndk.zip
+          declare -A arches=(
+            ["amd64"]="x86_64-linux-android24-clang"
+            ["arm64"]="aarch64-linux-android24-clang"
+          )
+          echo CC="$(realpath android-ndk-*/toolchains/llvm/prebuilt/linux-x86_64/bin)/${arches[${{ matrix.goarch }}]}" >> $GITHUB_ENV
+          echo CGO_ENABLED=1 >> $GITHUB_ENV
+
      - name: Show workflow information
        run: |
          _NAME=${{ matrix.patch-assetname }}
@ -119,7 +183,7 @@ jobs:

      - name: Get project dependencies
        run: go mod download
-      
+
      - name: Build Xray
        run: |
          mkdir -p build_assets
--- a/.github/workflows/scheduled-assets-update.yml
+++ b/.github/workflows/scheduled-assets-update.yml
@ -1,6 +1,6 @@
 name: Scheduled assets update

-# NOTE: This Github Actions is required by other actions, for preparing other packaging assets in a 
+# NOTE: This Github Actions is required by other actions, for preparing other packaging assets in a
 #       routine manner, for example: GeoIP/GeoSite.
 #       Currently updating:
 #       - Geodat (GeoIP/Geosite)
@ -9,7 +9,7 @@ on:
  workflow_dispatch:
  schedule:
    # Update GeoData on every day (22:30 UTC)
-    - cron: '30 22 * * *'
+    - cron: "30 22 * * *"
  push:
    # Prevent triggering update request storm
    paths:
@ -45,12 +45,12 @@ jobs:
              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3,$4}'))
              FILE_NAME="${INFO[3]}.dat"
              echo -e "Verifying HASH key..."
-              HASH="$(curl -sL "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
+              HASH="$(curl -sL -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
              if [ -s "./resources/${FILE_NAME}" ] && [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ]; then
                  continue
              else
                  echo -e "Downloading https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat..."
-                  curl -L "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat" -o ./resources/${FILE_NAME}
+                  curl -L -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://raw.githubusercontent.com/${INFO[0]}/${INFO[1]}/release/${INFO[2]}.dat" -o ./resources/${FILE_NAME}
                  echo -e "Verifying HASH key..."
                  [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
                  echo "unhit=true" >> $GITHUB_OUTPUT
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -6,7 +6,36 @@ on:
    types: [opened, synchronize, reopened]

 jobs:
+  check-assets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Geodat Cache
+        uses: actions/cache/restore@v4
+        with:
+          path: resources
+          key: xray-geodat-
+      - name: Check Assets Existence
+        id: check-assets
+        run: |
+          [ -d 'resources' ] || mkdir resources
+          LIST=('geoip.dat' 'geosite.dat')
+          for FILE_NAME in "${LIST[@]}"
+          do
+            echo -e "Checking ${FILE_NAME}..."
+            if [ -s "./resources/${FILE_NAME}" ]; then
+              echo -e "${FILE_NAME} exists."
+            else
+              echo -e "${FILE_NAME} does not exist."
+              echo "missing=true" >> $GITHUB_OUTPUT
+              break
+            fi
+          done
+      - name: Sleep for 90 seconds if Assets Missing
+        if: steps.check-assets.outputs.missing == 'true'
+        run: sleep 90
+
  test:
+    needs: check-assets
    permissions:
      contents: read
    runs-on: ${{ matrix.os }}
--- a/.gitignore
+++ b/.gitignore
@ -14,10 +14,18 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/

+# macOS specific files
 *.DS_Store
-.idea
+
+# IDE specific files
+.idea/
+.vscode/
+
+# Archive files
 *.zip
 *.tar.gz
+
+# Binaries
 xray
 xray_softfloat
 mockgen
@ -26,8 +34,13 @@ vprotogen
 errorgen
 !common/errors/errorgen/
 *.dat
-.vscode
+
+# Build assets
 /build_assets

 # Output from dlv test
 **/debug.*
+
+# Certificates
+*.crt
+*.key
--- a/README.md
+++ b/README.md
@ -38,6 +38,7 @@
  - [teddysun/xray](https://hub.docker.com/r/teddysun/xray)
  - [wulabing/xray_docker](https://github.com/wulabing/xray_docker)
 - Web Panel - **WARNING: Please DO NOT USE plain HTTP panels like 3X-UI**, as they are believed to be bribed by Iran GFW for supporting plain HTTP by default and refused to change (https://github.com/XTLS/Xray-core/pull/3884#issuecomment-2439595331), which has already put many users' data security in danger in the past few years. **If you are already using 3X-UI, please switch to the following panels, which are verified to support HTTPS and SSH port forwarding only:**
+  - [Remnawave](https://github.com/remnawave/panel)
  - [Marzban](https://github.com/Gozargah/Marzban)
  - [Xray-UI](https://github.com/qist/xray-ui)
  - [Hiddify](https://github.com/hiddify/Hiddify-Manager)
@ -85,6 +86,7 @@
  - [X-flutter](https://github.com/XTLS/X-flutter)
  - [SaeedDev94/Xray](https://github.com/SaeedDev94/Xray)
 - iOS & macOS arm64
+  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215)
  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
  - [Streisand](https://apps.apple.com/app/streisand/id6450534064)
 - macOS arm64 & x64
@ -100,6 +102,7 @@

 - iOS & macOS arm64
  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
+  - [Loon](https://apps.apple.com/us/app/loon/id1373567447)
 - Xray Tools
  - [xray-knife](https://github.com/lilendian0x00/xray-knife)
  - [xray-checker](https://github.com/kutovoys/xray-checker)
@ -112,10 +115,9 @@
 - [XrayR](https://github.com/XrayR-project/XrayR)
  - [XrayR-release](https://github.com/XrayR-project/XrayR-release)
  - [XrayR-V2Board](https://github.com/missuo/XrayR-V2Board)
- [Clash.Meta](https://github.com/MetaCubeX/Clash.Meta)
-  - [clashN](https://github.com/2dust/clashN)
-  - [Clash Meta for Android](https://github.com/MetaCubeX/ClashMetaForAndroid)
- [sing-box](https://github.com/SagerNet/sing-box)
+- Cores
+  - [mihomo](https://github.com/MetaCubeX/mihomo)
+  - [sing-box](https://github.com/SagerNet/sing-box)

 ## Contributing

--- a/app/dispatcher/default.go
+++ b/app/dispatcher/default.go
@ -33,23 +33,21 @@ type cachedReader struct {
 	cache  buf.MultiBuffer
 }

-func (r *cachedReader) Cache(b *buf.Buffer) {
-	mb, _ := r.reader.ReadMultiBufferTimeout(time.Millisecond * 100)
+func (r *cachedReader) Cache(b *buf.Buffer, deadline time.Duration) error {
+	mb, err := r.reader.ReadMultiBufferTimeout(deadline)
+	if err != nil {
+		return err
+	}
 	r.Lock()
 	if !mb.IsEmpty() {
 		r.cache, _ = buf.MergeMulti(r.cache, mb)
 	}
-	cacheLen := r.cache.Len()
-	if cacheLen <= b.Cap() {
-		b.Clear()
-	} else {
-		b.Release()
-		*b = *buf.NewWithSize(cacheLen)
-	}
-	rawBytes := b.Extend(cacheLen)
+	b.Clear()
+	rawBytes := b.Extend(min(r.cache.Len(), b.Cap()))
 	n := r.cache.Copy(rawBytes)
 	b.Resize(0, int32(n))
 	r.Unlock()
+	return nil
 }

 func (r *cachedReader) readInternal() buf.MultiBuffer {
@ -355,7 +353,7 @@ func (d *DefaultDispatcher) DispatchLink(ctx context.Context, destination net.De
 }

 func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, network net.Network) (SniffResult, error) {
-	payload := buf.New()
+	payload := buf.NewWithSize(32767)
 	defer payload.Release()

 	sniffer := NewSniffer(ctx)
@ -367,26 +365,33 @@ func sniffer(ctx context.Context, cReader *cachedReader, metadataOnly bool, netw
 	}

 	contentResult, contentErr := func() (SniffResult, error) {
+		cacheDeadline := 200 * time.Millisecond
 		totalAttempt := 0
 		for {
 			select {
 			case <-ctx.Done():
 				return nil, ctx.Err()
 			default:
-				totalAttempt++
-				if totalAttempt > 2 {
-					return nil, errSniffingTimeout
-				}
+				cachingStartingTimeStamp := time.Now()
+				cacheErr := cReader.Cache(payload, cacheDeadline)
+				cachingTimeElapsed := time.Since(cachingStartingTimeStamp)
+				cacheDeadline -= cachingTimeElapsed

-				cReader.Cache(payload)
 				if !payload.IsEmpty() {
 					result, err := sniffer.Sniff(ctx, payload.Bytes(), network)
-					if err != common.ErrNoClue {
+					switch err {
+					case common.ErrNoClue: // No Clue: protocol not matches, and sniffer cannot determine whether there will be a match or not
+						totalAttempt++
+					case protocol.ErrProtoNeedMoreData: // Protocol Need More Data: protocol matches, but need more data to complete sniffing
+						if cacheErr != nil { // Cache error (e.g. timeout) counts for failed attempt
+							totalAttempt++
+						}
+					default:
 						return result, err
 					}
 				}
-				if payload.IsFull() {
-					return nil, errUnknownContent
+				if totalAttempt >= 2 || cacheDeadline <= 0 {
+					return nil, errSniffingTimeout
 				}
 			}
 		}
--- a/app/dispatcher/sniffer.go
+++ b/app/dispatcher/sniffer.go
@ -6,6 +6,7 @@ import (
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/protocol/bittorrent"
 	"github.com/xtls/xray-core/common/protocol/http"
 	"github.com/xtls/xray-core/common/protocol/quic"
@ -58,14 +59,17 @@ var errUnknownContent = errors.New("unknown content")
 func (s *Sniffer) Sniff(c context.Context, payload []byte, network net.Network) (SniffResult, error) {
 	var pendingSniffer []protocolSnifferWithMetadata
 	for _, si := range s.sniffer {
-		s := si.protocolSniffer
+		protocolSniffer := si.protocolSniffer
 		if si.metadataSniffer || si.network != network {
 			continue
 		}
-		result, err := s(c, payload)
+		result, err := protocolSniffer(c, payload)
 		if err == common.ErrNoClue {
 			pendingSniffer = append(pendingSniffer, si)
 			continue
+		} else if err == protocol.ErrProtoNeedMoreData { // Sniffer protocol matched, but need more data to complete sniffing
+			s.sniffer = []protocolSnifferWithMetadata{si}
+			return nil, err
 		}

 		if err == nil && result != nil {
--- a/app/dns/cache_controller.go
+++ b/app/dns/cache_controller.go
@ -0,0 +1,188 @@
+package dns
+
+import (
+	"context"
+	go_errors "errors"
+	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/signal/pubsub"
+	"github.com/xtls/xray-core/common/task"
+	dns_feature "github.com/xtls/xray-core/features/dns"
+	"golang.org/x/net/dns/dnsmessage"
+	"sync"
+	"time"
+)
+
+type CacheController struct {
+	sync.RWMutex
+	ips          map[string]*record
+	pub          *pubsub.Service
+	cacheCleanup *task.Periodic
+	name         string
+	disableCache bool
+}
+
+func NewCacheController(name string, disableCache bool) *CacheController {
+	c := &CacheController{
+		name:         name,
+		disableCache: disableCache,
+		ips:          make(map[string]*record),
+		pub:          pubsub.NewService(),
+	}
+
+	c.cacheCleanup = &task.Periodic{
+		Interval: time.Minute,
+		Execute:  c.CacheCleanup,
+	}
+	return c
+}
+
+// CacheCleanup clears expired items from cache
+func (c *CacheController) CacheCleanup() error {
+	now := time.Now()
+	c.Lock()
+	defer c.Unlock()
+
+	if len(c.ips) == 0 {
+		return errors.New("nothing to do. stopping...")
+	}
+
+	for domain, record := range c.ips {
+		if record.A != nil && record.A.Expire.Before(now) {
+			record.A = nil
+		}
+		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
+			record.AAAA = nil
+		}
+
+		if record.A == nil && record.AAAA == nil {
+			errors.LogDebug(context.Background(), c.name, "cache cleanup ", domain)
+			delete(c.ips, domain)
+		} else {
+			c.ips[domain] = record
+		}
+	}
+
+	if len(c.ips) == 0 {
+		c.ips = make(map[string]*record)
+	}
+
+	return nil
+}
+
+func (c *CacheController) updateIP(req *dnsRequest, ipRec *IPRecord) {
+	elapsed := time.Since(req.start)
+
+	c.Lock()
+	rec, found := c.ips[req.domain]
+	if !found {
+		rec = &record{}
+	}
+
+	switch req.reqType {
+	case dnsmessage.TypeA:
+		rec.A = ipRec
+	case dnsmessage.TypeAAAA:
+		rec.AAAA = ipRec
+	}
+
+	errors.LogInfo(context.Background(), c.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
+	c.ips[req.domain] = rec
+
+	switch req.reqType {
+	case dnsmessage.TypeA:
+		c.pub.Publish(req.domain+"4", nil)
+		if !c.disableCache {
+			_, _, err := rec.AAAA.getIPs()
+			if !go_errors.Is(err, errRecordNotFound) {
+				c.pub.Publish(req.domain+"6", nil)
+			}
+		}
+	case dnsmessage.TypeAAAA:
+		c.pub.Publish(req.domain+"6", nil)
+		if !c.disableCache {
+			_, _, err := rec.A.getIPs()
+			if !go_errors.Is(err, errRecordNotFound) {
+				c.pub.Publish(req.domain+"4", nil)
+			}
+		}
+	}
+
+	c.Unlock()
+	common.Must(c.cacheCleanup.Start())
+}
+
+func (c *CacheController) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
+	c.RLock()
+	record, found := c.ips[domain]
+	c.RUnlock()
+
+	if !found {
+		return nil, 0, errRecordNotFound
+	}
+
+	var errs []error
+	var allIPs []net.IP
+	var rTTL uint32 = dns_feature.DefaultTTL
+
+	mergeReq := option.IPv4Enable && option.IPv6Enable
+
+	if option.IPv4Enable {
+		ips, ttl, err := record.A.getIPs()
+		if !mergeReq || go_errors.Is(err, errRecordNotFound) {
+			return ips, ttl, err
+		}
+		if ttl < rTTL {
+			rTTL = ttl
+		}
+		if len(ips) > 0 {
+			allIPs = append(allIPs, ips...)
+		} else {
+			errs = append(errs, err)
+		}
+	}
+
+	if option.IPv6Enable {
+		ips, ttl, err := record.AAAA.getIPs()
+		if !mergeReq || go_errors.Is(err, errRecordNotFound) {
+			return ips, ttl, err
+		}
+		if ttl < rTTL {
+			rTTL = ttl
+		}
+		if len(ips) > 0 {
+			allIPs = append(allIPs, ips...)
+		} else {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(allIPs) > 0 {
+		return allIPs, rTTL, nil
+	}
+	if go_errors.Is(errs[0], errs[1]) {
+		return nil, rTTL, errs[0]
+	}
+	return nil, rTTL, errors.Combine(errs...)
+}
+
+func (c *CacheController) registerSubscribers(domain string, option dns_feature.IPOption) (sub4 *pubsub.Subscriber, sub6 *pubsub.Subscriber) {
+	// ipv4 and ipv6 belong to different subscription groups
+	if option.IPv4Enable {
+		sub4 = c.pub.Subscribe(domain + "4")
+	}
+	if option.IPv6Enable {
+		sub6 = c.pub.Subscribe(domain + "6")
+	}
+	return
+}
+
+func closeSubscribers(sub4 *pubsub.Subscriber, sub6 *pubsub.Subscriber) {
+	if sub4 != nil {
+		sub4.Close()
+	}
+	if sub6 != nil {
+		sub6.Close()
+	}
+}
--- a/app/dns/config.pb.go
+++ b/app/dns/config.pb.go
@ -128,13 +128,16 @@ type NameServer struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Address           *net.Endpoint                `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
-	ClientIp          []byte                       `protobuf:"bytes,5,opt,name=client_ip,json=clientIp,proto3" json:"client_ip,omitempty"`
-	SkipFallback      bool                         `protobuf:"varint,6,opt,name=skipFallback,proto3" json:"skipFallback,omitempty"`
-	PrioritizedDomain []*NameServer_PriorityDomain `protobuf:"bytes,2,rep,name=prioritized_domain,json=prioritizedDomain,proto3" json:"prioritized_domain,omitempty"`
-	Geoip             []*router.GeoIP              `protobuf:"bytes,3,rep,name=geoip,proto3" json:"geoip,omitempty"`
-	OriginalRules     []*NameServer_OriginalRule   `protobuf:"bytes,4,rep,name=original_rules,json=originalRules,proto3" json:"original_rules,omitempty"`
-	QueryStrategy     QueryStrategy                `protobuf:"varint,7,opt,name=query_strategy,json=queryStrategy,proto3,enum=xray.app.dns.QueryStrategy" json:"query_strategy,omitempty"`
+	Address            *net.Endpoint                `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
+	ClientIp           []byte                       `protobuf:"bytes,5,opt,name=client_ip,json=clientIp,proto3" json:"client_ip,omitempty"`
+	SkipFallback       bool                         `protobuf:"varint,6,opt,name=skipFallback,proto3" json:"skipFallback,omitempty"`
+	PrioritizedDomain  []*NameServer_PriorityDomain `protobuf:"bytes,2,rep,name=prioritized_domain,json=prioritizedDomain,proto3" json:"prioritized_domain,omitempty"`
+	Geoip              []*router.GeoIP              `protobuf:"bytes,3,rep,name=geoip,proto3" json:"geoip,omitempty"`
+	OriginalRules      []*NameServer_OriginalRule   `protobuf:"bytes,4,rep,name=original_rules,json=originalRules,proto3" json:"original_rules,omitempty"`
+	QueryStrategy      QueryStrategy                `protobuf:"varint,7,opt,name=query_strategy,json=queryStrategy,proto3,enum=xray.app.dns.QueryStrategy" json:"query_strategy,omitempty"`
+	AllowUnexpectedIPs bool                         `protobuf:"varint,8,opt,name=allowUnexpectedIPs,proto3" json:"allowUnexpectedIPs,omitempty"`
+	Tag                string                       `protobuf:"bytes,9,opt,name=tag,proto3" json:"tag,omitempty"`
+	TimeoutMs          uint64                       `protobuf:"varint,10,opt,name=timeoutMs,proto3" json:"timeoutMs,omitempty"`
 }

 func (x *NameServer) Reset() {
@ -216,6 +219,27 @@ func (x *NameServer) GetQueryStrategy() QueryStrategy {
 	return QueryStrategy_USE_IP
 }

+func (x *NameServer) GetAllowUnexpectedIPs() bool {
+	if x != nil {
+		return x.AllowUnexpectedIPs
+	}
+	return false
+}
+
+func (x *NameServer) GetTag() string {
+	if x != nil {
+		return x.Tag
+	}
+	return ""
+}
+
+func (x *NameServer) GetTimeoutMs() uint64 {
+	if x != nil {
+		return x.TimeoutMs
+	}
+	return 0
+}
+
 type Config struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@ -508,7 +532,7 @@ var file_app_dns_config_proto_rawDesc = []byte{
 	0x2e, 0x64, 0x6e, 0x73, 0x1a, 0x1c, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x6e, 0x65, 0x74,
 	0x2f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x1a, 0x17, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb2, 0x04, 0x0a, 0x0a,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x92, 0x05, 0x0a, 0x0a,
 	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x07, 0x61, 0x64,
 	0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x78, 0x72,
 	0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x6e, 0x65, 0x74, 0x2e, 0x45, 0x6e,
@ -534,7 +558,13 @@ var file_app_dns_config_proto_rawDesc = []byte{
 	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x78,
 	0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x51, 0x75, 0x65, 0x72,
 	0x79, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0d, 0x71, 0x75, 0x65, 0x72, 0x79,
-	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x1a, 0x5e, 0x0a, 0x0e, 0x50, 0x72, 0x69, 0x6f,
+	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x2e, 0x0a, 0x12, 0x61, 0x6c, 0x6c, 0x6f,
+	0x77, 0x55, 0x6e, 0x65, 0x78, 0x70, 0x65, 0x63, 0x74, 0x65, 0x64, 0x49, 0x50, 0x73, 0x18, 0x08,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x55, 0x6e, 0x65, 0x78, 0x70,
+	0x65, 0x63, 0x74, 0x65, 0x64, 0x49, 0x50, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x69,
+	0x6d, 0x65, 0x6f, 0x75, 0x74, 0x4d, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74,
+	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x4d, 0x73, 0x1a, 0x5e, 0x0a, 0x0e, 0x50, 0x72, 0x69, 0x6f,
 	0x72, 0x69, 0x74, 0x79, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x34, 0x0a, 0x04, 0x74, 0x79,
 	0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
 	0x61, 0x70, 0x70, 0x2e, 0x64, 0x6e, 0x73, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61,
--- a/app/dns/config.proto
+++ b/app/dns/config.proto
@ -28,6 +28,9 @@ message NameServer {
  repeated xray.app.router.GeoIP geoip = 3;
  repeated OriginalRule original_rules = 4;
  QueryStrategy query_strategy = 7;
+  bool allowUnexpectedIPs = 8;
+  string tag = 9;
+  uint64 timeoutMs = 10;
 }

 enum DomainMatchingType {
--- a/app/dns/dns.go
+++ b/app/dns/dns.go
@ -3,11 +3,12 @@ package dns

 import (
 	"context"
+	go_errors "errors"
 	"fmt"
+	"sort"
 	"strings"
 	"sync"

-	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
@ -19,8 +20,6 @@ import (
 // DNS is a DNS rely server.
 type DNS struct {
 	sync.Mutex
-	tag                    string
-	disableCache           bool
 	disableFallback        bool
 	disableFallbackIfMatch bool
 	ipOption               *dns.IPOption
@ -39,13 +38,6 @@ type DomainMatcherInfo struct {

 // New creates a new DNS server with given configuration.
 func New(ctx context.Context, config *Config) (*DNS, error) {
-	var tag string
-	if len(config.Tag) > 0 {
-		tag = config.Tag
-	} else {
-		tag = generateRandomTag()
-	}
-
 	var clientIP net.IP
 	switch len(config.ClientIp) {
 	case 0, net.IPv4len, net.IPv6len:
@ -54,26 +46,28 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		return nil, errors.New("unexpected client IP length ", len(config.ClientIp))
 	}

-	var ipOption *dns.IPOption
+	var ipOption dns.IPOption
 	switch config.QueryStrategy {
 	case QueryStrategy_USE_IP:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
 		}
 	case QueryStrategy_USE_IP4:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: false,
 		}
 	case QueryStrategy_USE_IP6:
-		ipOption = &dns.IPOption{
+		ipOption = dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
 		}
+	default:
+		return nil, errors.New("unexpected query strategy ", config.QueryStrategy)
 	}

 	hosts, err := NewStaticHosts(config.StaticHosts)
@ -81,8 +75,14 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		return nil, errors.New("failed to create hosts").Base(err)
 	}

-	clients := []*Client{}
+	var clients []*Client
 	domainRuleCount := 0
+
+	var defaultTag = config.Tag
+	if len(config.Tag) == 0 {
+		defaultTag = generateRandomTag()
+	}
+
 	for _, ns := range config.NameServer {
 		domainRuleCount += len(ns.PrioritizedDomain)
 	}
@ -90,7 +90,6 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 	// MatcherInfos is ensured to cover the maximum index domainMatcher could return, where matcher's index starts from 1
 	matcherInfos := make([]*DomainMatcherInfo, domainRuleCount+1)
 	domainMatcher := &strmatcher.MatcherGroup{}
-	geoipContainer := router.GeoIPMatcherContainer{}

 	for _, ns := range config.NameServer {
 		clientIdx := len(clients)
@ -108,7 +107,18 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		case net.IPv4len, net.IPv6len:
 			myClientIP = net.IP(ns.ClientIp)
 		}
-		client, err := NewClient(ctx, ns, myClientIP, geoipContainer, &matcherInfos, updateDomain)
+
+		disableCache := config.DisableCache
+
+		var tag = defaultTag
+		if len(ns.Tag) > 0 {
+			tag = ns.Tag
+		}
+		clientIPOption := ResolveIpOptionOverride(ns.QueryStrategy, ipOption)
+		if !clientIPOption.IPv4Enable && !clientIPOption.IPv6Enable {
+			return nil, errors.New("no QueryStrategy available for ", ns.Address)
+		}
+		client, err := NewClient(ctx, ns, myClientIP, disableCache, tag, clientIPOption, &matcherInfos, updateDomain)
 		if err != nil {
 			return nil, errors.New("failed to create client").Base(err)
 		}
@ -117,18 +127,16 @@ func New(ctx context.Context, config *Config) (*DNS, error) {

 	// If there is no DNS client in config, add a `localhost` DNS client
 	if len(clients) == 0 {
-		clients = append(clients, NewLocalDNSClient())
+		clients = append(clients, NewLocalDNSClient(ipOption))
 	}

 	return &DNS{
-		tag:                    tag,
 		hosts:                  hosts,
-		ipOption:               ipOption,
+		ipOption:               &ipOption,
 		clients:                clients,
 		ctx:                    ctx,
 		domainMatcher:          domainMatcher,
 		matcherInfos:           matcherInfos,
-		disableCache:           config.DisableCache,
 		disableFallback:        config.DisableFallback,
 		disableFallbackIfMatch: config.DisableFallbackIfMatch,
 	}, nil
@ -152,62 +160,87 @@ func (s *DNS) Close() error {
 // IsOwnLink implements proxy.dns.ownLinkVerifier
 func (s *DNS) IsOwnLink(ctx context.Context) bool {
 	inbound := session.InboundFromContext(ctx)
-	return inbound != nil && inbound.Tag == s.tag
+	if inbound == nil {
+		return false
+	}
+	for _, client := range s.clients {
+		if client.tag == inbound.Tag {
+			return true
+		}
+	}
+	return false
 }

 // LookupIP implements dns.Client.
-func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, error) {
+func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, uint32, error) {
+	// Normalize the FQDN form query
+	domain = strings.TrimSuffix(domain, ".")
 	if domain == "" {
-		return nil, errors.New("empty domain name")
+		return nil, 0, errors.New("empty domain name")
 	}

 	option.IPv4Enable = option.IPv4Enable && s.ipOption.IPv4Enable
 	option.IPv6Enable = option.IPv6Enable && s.ipOption.IPv6Enable

 	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns.ErrEmptyResponse
+		return nil, 0, dns.ErrEmptyResponse
 	}

-	// Normalize the FQDN form query
-	domain = strings.TrimSuffix(domain, ".")
-
 	// Static host lookup
 	switch addrs := s.hosts.Lookup(domain, option); {
 	case addrs == nil: // Domain not recorded in static host
 		break
 	case len(addrs) == 0: // Domain recorded, but no valid IP returned (e.g. IPv4 address with only IPv6 enabled)
-		return nil, dns.ErrEmptyResponse
+		return nil, 0, dns.ErrEmptyResponse
 	case len(addrs) == 1 && addrs[0].Family().IsDomain(): // Domain replacement
 		errors.LogInfo(s.ctx, "domain replaced: ", domain, " -> ", addrs[0].Domain())
 		domain = addrs[0].Domain()
 	default: // Successfully found ip records in static host
 		errors.LogInfo(s.ctx, "returning ", len(addrs), " IP(s) for domain ", domain, " -> ", addrs)
-		return toNetIP(addrs)
+		ips, err := toNetIP(addrs)
+		if err != nil {
+			return nil, 0, err
+		}
+		return ips, 10, nil // Hosts ttl is 10
 	}

 	// Name servers lookup
-	errs := []error{}
-	ctx := session.ContextWithInbound(s.ctx, &session.Inbound{Tag: s.tag})
+	var errs []error
 	for _, client := range s.sortClients(domain) {
 		if !option.FakeEnable && strings.EqualFold(client.Name(), "FakeDNS") {
 			errors.LogDebug(s.ctx, "skip DNS resolution for domain ", domain, " at server ", client.Name())
 			continue
 		}
-		ips, err := client.QueryIP(ctx, domain, option, s.disableCache)
+
+		ips, ttl, err := client.QueryIP(s.ctx, domain, option)
+
 		if len(ips) > 0 {
-			return ips, nil
+			if ttl == 0 {
+				ttl = 1
+			}
+			return ips, ttl, nil
 		}
-		if err != nil {
-			errors.LogInfoInner(s.ctx, err, "failed to lookup ip for domain ", domain, " at server ", client.Name())
-			errs = append(errs, err)
-		}
-		// 5 for RcodeRefused in miekg/dns, hardcode to reduce binary size
-		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch && err != dns.ErrEmptyResponse && dns.RCodeFromError(err) != 5 {
-			return nil, err
+
+		errors.LogInfoInner(s.ctx, err, "failed to lookup ip for domain ", domain, " at server ", client.Name())
+		if err == nil {
+			err = dns.ErrEmptyResponse
 		}
+		errs = append(errs, err)
+
 	}

-	return nil, errors.New("returning nil for domain ", domain).Base(errors.Combine(errs...))
+	if len(errs) > 0 {
+		allErrs := errors.Combine(errs...)
+		err0 := errs[0]
+		if errors.AllEqual(err0, allErrs) {
+			if go_errors.Is(err0, dns.ErrEmptyResponse) {
+				return nil, 0, dns.ErrEmptyResponse
+			}
+			return nil, 0, errors.New("returning nil for domain ", domain).Base(err0)
+		}
+		return nil, 0, errors.New("returning nil for domain ", domain).Base(allErrs)
+	}
+	return nil, 0, dns.ErrEmptyResponse
 }

 // LookupHosts implements dns.HostsLookup.
@ -226,22 +259,6 @@ func (s *DNS) LookupHosts(domain string) *net.Address {
 	return nil
 }

-// GetIPOption implements ClientWithIPOption.
-func (s *DNS) GetIPOption() *dns.IPOption {
-	return s.ipOption
-}
-
-// SetQueryOption implements ClientWithIPOption.
-func (s *DNS) SetQueryOption(isIPv4Enable, isIPv6Enable bool) {
-	s.ipOption.IPv4Enable = isIPv4Enable
-	s.ipOption.IPv6Enable = isIPv6Enable
-}
-
-// SetFakeDNSOption implements ClientWithIPOption.
-func (s *DNS) SetFakeDNSOption(isFakeEnable bool) {
-	s.ipOption.FakeEnable = isFakeEnable
-}
-
 func (s *DNS) sortClients(domain string) []*Client {
 	clients := make([]*Client, 0, len(s.clients))
 	clientUsed := make([]bool, len(s.clients))
@ -250,7 +267,11 @@ func (s *DNS) sortClients(domain string) []*Client {

 	// Priority domain matching
 	hasMatch := false
-	for _, match := range s.domainMatcher.Match(domain) {
+	MatchSlice := s.domainMatcher.Match(domain)
+	sort.Slice(MatchSlice, func(i, j int) bool {
+		return MatchSlice[i] < MatchSlice[j]
+	})
+	for _, match := range MatchSlice {
 		info := s.matcherInfos[match]
 		client := s.clients[info.clientIdx]
 		domainRule := client.domains[info.domainRuleIdx]
--- a/app/dns/dns_test.go
+++ b/app/dns/dns_test.go
@ -76,6 +76,9 @@ func (*staticHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		case q.Name == "notexist.google.com." && q.Qtype == dns.TypeAAAA:
 			ans.MsgHdr.Rcode = dns.RcodeNameError

+		case q.Name == "notexist.google.com." && q.Qtype == dns.TypeA:
+			ans.MsgHdr.Rcode = dns.RcodeNameError
+
 		case q.Name == "hostname." && q.Qtype == dns.TypeA:
 			rr, _ := dns.NewRR("hostname. IN A 127.0.0.1")
 			ans.Answer = append(ans.Answer, rr)
@ -117,7 +120,6 @@ func TestUDPServerSubnet(t *testing.T) {
 		Handler: &staticHandler{},
 		UDPSize: 1200,
 	}
-
 	go dnsServer.ListenAndServe()
 	time.Sleep(time.Second)

@ -155,7 +157,7 @@ func TestUDPServerSubnet(t *testing.T) {

 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)

-	ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+	ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
@ -216,7 +218,7 @@ func TestUDPServer(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)

 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -231,7 +233,7 @@ func TestUDPServer(t *testing.T) {
 	}

 	{
-		ips, err := client.LookupIP("facebook.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("facebook.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -246,7 +248,7 @@ func TestUDPServer(t *testing.T) {
 	}

 	{
-		_, err := client.LookupIP("notexist.google.com", feature_dns.IPOption{
+		_, _, err := client.LookupIP("notexist.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -260,7 +262,7 @@ func TestUDPServer(t *testing.T) {
 	}

 	{
-		ips, err := client.LookupIP("ipv4only.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv4only.google.com", feature_dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -276,7 +278,7 @@ func TestUDPServer(t *testing.T) {
 	dnsServer.Shutdown()

 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -357,7 +359,7 @@ func TestPrioritizedDomain(t *testing.T) {
 	startTime := time.Now()

 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -423,7 +425,7 @@ func TestUDPServerIPv6(t *testing.T) {

 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)
 	{
-		ips, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -492,7 +494,7 @@ func TestStaticHostDomain(t *testing.T) {
 	client := v.GetFeature(feature_dns.ClientType()).(feature_dns.Client)

 	{
-		ips, err := client.LookupIP("example.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("example.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -603,7 +605,7 @@ func TestIPMatch(t *testing.T) {
 	startTime := time.Now()

 	{
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -726,7 +728,7 @@ func TestLocalDomain(t *testing.T) {
 	startTime := time.Now()

 	{ // Will match dotless:
-		ips, err := client.LookupIP("hostname", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostname", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -741,7 +743,7 @@ func TestLocalDomain(t *testing.T) {
 	}

 	{ // Will match domain:local
-		ips, err := client.LookupIP("hostname.local", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostname.local", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -756,7 +758,7 @@ func TestLocalDomain(t *testing.T) {
 	}

 	{ // Will match static ip
-		ips, err := client.LookupIP("hostnamestatic", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostnamestatic", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -771,7 +773,7 @@ func TestLocalDomain(t *testing.T) {
 	}

 	{ // Will match domain replacing
-		ips, err := client.LookupIP("hostnamealias", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("hostnamealias", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -785,8 +787,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}

-	{ // Will match dotless:localhost, but not expectIPs: 127.0.0.2, 127.0.0.3, then matches at dotless:
-		ips, err := client.LookupIP("localhost", feature_dns.IPOption{
+	{ // Will match dotless:localhost, but not expectedIPs: 127.0.0.2, 127.0.0.3, then matches at dotless:
+		ips, _, err := client.LookupIP("localhost", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -800,8 +802,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}

-	{ // Will match dotless:localhost, and expectIPs: 127.0.0.2, 127.0.0.3
-		ips, err := client.LookupIP("localhost-a", feature_dns.IPOption{
+	{ // Will match dotless:localhost, and expectedIPs: 127.0.0.2, 127.0.0.3
+		ips, _, err := client.LookupIP("localhost-a", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -815,8 +817,8 @@ func TestLocalDomain(t *testing.T) {
 		}
 	}

-	{ // Will match dotless:localhost, and expectIPs: 127.0.0.2, 127.0.0.3
-		ips, err := client.LookupIP("localhost-b", feature_dns.IPOption{
+	{ // Will match dotless:localhost, and expectedIPs: 127.0.0.2, 127.0.0.3
+		ips, _, err := client.LookupIP("localhost-b", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -831,7 +833,7 @@ func TestLocalDomain(t *testing.T) {
 	}

 	{ // Will match dotless:
-		ips, err := client.LookupIP("Mijia Cloud", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("Mijia Cloud", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -997,7 +999,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	startTime := time.Now()

 	{ // Will match server 1,2 and server 1 returns expected ip
-		ips, err := client.LookupIP("google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -1012,7 +1014,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}

 	{ // Will match server 1,2 and server 1 returns unexpected ip, then server 2 returns expected one
-		ips, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("ipv6.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: false,
@ -1027,7 +1029,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}

 	{ // Will match server 3,1,2 and server 3 returns expected one
-		ips, err := client.LookupIP("api.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("api.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
@ -1042,7 +1044,7 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 	}

 	{ // Will match server 4,3,1,2 and server 4 returns expected one
-		ips, err := client.LookupIP("v2.api.google.com", feature_dns.IPOption{
+		ips, _, err := client.LookupIP("v2.api.google.com", feature_dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
--- a/app/dns/dnscommon.go
+++ b/app/dns/dnscommon.go
@ -31,30 +31,31 @@ type record struct {

 // IPRecord is a cacheable item for a resolved domain
 type IPRecord struct {
-	ReqID  uint16
-	IP     []net.Address
-	Expire time.Time
-	RCode  dnsmessage.RCode
+	ReqID     uint16
+	IP        []net.IP
+	Expire    time.Time
+	RCode     dnsmessage.RCode
+	RawHeader *dnsmessage.Header
 }

-func (r *IPRecord) getIPs() ([]net.Address, error) {
-	if r == nil || r.Expire.Before(time.Now()) {
-		return nil, errRecordNotFound
+func (r *IPRecord) getIPs() ([]net.IP, uint32, error) {
+	if r == nil {
+		return nil, 0, errRecordNotFound
 	}
+	untilExpire := time.Until(r.Expire)
+	if untilExpire <= 0 {
+		return nil, 0, errRecordNotFound
+	}
+
+	ttl := uint32(untilExpire/time.Second) + uint32(1)
 	if r.RCode != dnsmessage.RCodeSuccess {
-		return nil, dns_feature.RCodeError(r.RCode)
+		return nil, ttl, dns_feature.RCodeError(r.RCode)
+	}
+	if len(r.IP) == 0 {
+		return nil, ttl, dns_feature.ErrEmptyResponse
 	}
-	return r.IP, nil
-}

-func isNewer(baseRec *IPRecord, newRec *IPRecord) bool {
-	if newRec == nil {
-		return false
-	}
-	if baseRec == nil {
-		return true
-	}
-	return baseRec.Expire.Before(newRec.Expire)
+	return r.IP, ttl, nil
 }

 var errRecordNotFound = errors.New("record not found")
@ -67,49 +68,59 @@ type dnsRequest struct {
 	msg     *dnsmessage.Message
 }

-func genEDNS0Options(clientIP net.IP) *dnsmessage.Resource {
-	if len(clientIP) == 0 {
+func genEDNS0Options(clientIP net.IP, padding int) *dnsmessage.Resource {
+	if len(clientIP) == 0 && padding == 0 {
 		return nil
 	}

-	var netmask int
-	var family uint16
-
-	if len(clientIP) == 4 {
-		family = 1
-		netmask = 24 // 24 for IPV4, 96 for IPv6
-	} else {
-		family = 2
-		netmask = 96
-	}
-
-	b := make([]byte, 4)
-	binary.BigEndian.PutUint16(b[0:], family)
-	b[2] = byte(netmask)
-	b[3] = 0
-	switch family {
-	case 1:
-		ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
-		needLength := (netmask + 8 - 1) / 8 // division rounding up
-		b = append(b, ip[:needLength]...)
-	case 2:
-		ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
-		needLength := (netmask + 8 - 1) / 8 // division rounding up
-		b = append(b, ip[:needLength]...)
-	}
-
-	const EDNS0SUBNET = 0x08
+	const EDNS0SUBNET = 0x8
+	const EDNS0PADDING = 0xc

 	opt := new(dnsmessage.Resource)
 	common.Must(opt.Header.SetEDNS0(1350, 0xfe00, true))
+	body := dnsmessage.OPTResource{}
+	opt.Body = &body

-	opt.Body = &dnsmessage.OPTResource{
-		Options: []dnsmessage.Option{
-			{
+	if len(clientIP) != 0 {
+		var netmask int
+		var family uint16
+
+		if len(clientIP) == 4 {
+			family = 1
+			netmask = 24 // 24 for IPV4, 96 for IPv6
+		} else {
+			family = 2
+			netmask = 96
+		}
+
+		b := make([]byte, 4)
+		binary.BigEndian.PutUint16(b[0:], family)
+		b[2] = byte(netmask)
+		b[3] = 0
+		switch family {
+		case 1:
+			ip := clientIP.To4().Mask(net.CIDRMask(netmask, net.IPv4len*8))
+			needLength := (netmask + 8 - 1) / 8 // division rounding up
+			b = append(b, ip[:needLength]...)
+		case 2:
+			ip := clientIP.Mask(net.CIDRMask(netmask, net.IPv6len*8))
+			needLength := (netmask + 8 - 1) / 8 // division rounding up
+			b = append(b, ip[:needLength]...)
+		}
+
+		body.Options = append(body.Options,
+			dnsmessage.Option{
 				Code: EDNS0SUBNET,
 				Data: b,
-			},
-		},
+			})
+	}
+
+	if padding != 0 {
+		body.Options = append(body.Options,
+			dnsmessage.Option{
+				Code: EDNS0PADDING,
+				Data: make([]byte, padding),
+			})
 	}

 	return opt
@ -179,9 +190,10 @@ func parseResponse(payload []byte) (*IPRecord, error) {

 	now := time.Now()
 	ipRecord := &IPRecord{
-		ReqID:  h.ID,
-		RCode:  h.RCode,
-		Expire: now.Add(time.Second * 600),
+		ReqID:     h.ID,
+		RCode:     h.RCode,
+		Expire:    now.Add(time.Second * dns_feature.DefaultTTL),
+		RawHeader: &h,
 	}

 L:
@ -196,7 +208,7 @@ L:

 		ttl := ah.TTL
 		if ttl == 0 {
-			ttl = 600
+			ttl = 1
 		}
 		expire := now.Add(time.Duration(ttl) * time.Second)
 		if ipRecord.Expire.After(expire) {
@ -210,14 +222,17 @@ L:
 				errors.LogInfoInner(context.Background(), err, "failed to parse A record for domain: ", ah.Name)
 				break L
 			}
-			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.A[:]))
+			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.A[:]).IP())
 		case dnsmessage.TypeAAAA:
 			ans, err := parser.AAAAResource()
 			if err != nil {
 				errors.LogInfoInner(context.Background(), err, "failed to parse AAAA record for domain: ", ah.Name)
 				break L
 			}
-			ipRecord.IP = append(ipRecord.IP, net.IPAddress(ans.AAAA[:]))
+			newIP := net.IPAddress(ans.AAAA[:]).IP()
+			if len(newIP) == net.IPv6len {
+				ipRecord.IP = append(ipRecord.IP, newIP)
+			}
 		default:
 			if err := parser.SkipAnswer(); err != nil {
 				errors.LogInfoInner(context.Background(), err, "failed to skip answer")
--- a/app/dns/dnscommon_test.go
+++ b/app/dns/dnscommon_test.go
@ -51,7 +51,7 @@ func Test_parseResponse(t *testing.T) {
 	}{
 		{
 			"empty",
-			&IPRecord{0, []net.Address(nil), time.Time{}, dnsmessage.RCodeSuccess},
+			&IPRecord{0, []net.IP(nil), time.Time{}, dnsmessage.RCodeSuccess, nil},
 			false,
 		},
 		{
@ -63,15 +63,16 @@ func Test_parseResponse(t *testing.T) {
 			"a record",
 			&IPRecord{
 				1,
-				[]net.Address{net.ParseAddress("8.8.8.8"), net.ParseAddress("8.8.4.4")},
+				[]net.IP{net.ParseIP("8.8.8.8"), net.ParseIP("8.8.4.4")},
 				time.Time{},
 				dnsmessage.RCodeSuccess,
+				nil,
 			},
 			false,
 		},
 		{
 			"aaaa record",
-			&IPRecord{2, []net.Address{net.ParseAddress("2001::123:8888"), net.ParseAddress("2001::123:8844")}, time.Time{}, dnsmessage.RCodeSuccess},
+			&IPRecord{2, []net.IP{net.ParseIP("2001::123:8888"), net.ParseIP("2001::123:8844")}, time.Time{}, dnsmessage.RCodeSuccess, nil},
 			false,
 		},
 	}
@ -84,8 +85,9 @@ func Test_parseResponse(t *testing.T) {
 			}

 			if got != nil {
-				// reset the time
+				// reset the time and RawHeader
 				got.Expire = time.Time{}
+				got.RawHeader = nil
 			}
 			if cmp.Diff(got, tt.want) != "" {
 				t.Error(cmp.Diff(got, tt.want))
@ -154,7 +156,7 @@ func Test_genEDNS0Options(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := genEDNS0Options(tt.args.clientIP); got == nil {
+			if got := genEDNS0Options(tt.args.clientIP, 0); got == nil {
 				t.Errorf("genEDNS0Options() = %v, want %v", got, tt.want)
 			}
 		})
--- a/app/dns/hosts.go
+++ b/app/dns/hosts.go
@ -2,7 +2,6 @@ package dns

 import (
 	"context"
-
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/strmatcher"
@ -41,8 +40,6 @@ func NewStaticHosts(hosts []*Config_HostMapping) (*StaticHosts, error) {
 				}
 				ips = append(ips, addr)
 			}
-		default:
-			return nil, errors.New("neither IP address nor proxied domain specified for domain: ", mapping.Domain).AtWarning()
 		}

 		sh.ips[id] = ips
@ -62,9 +59,14 @@ func filterIP(ips []net.Address, option dns.IPOption) []net.Address {
 }

 func (h *StaticHosts) lookupInternal(domain string) []net.Address {
-	var ips []net.Address
+	ips := make([]net.Address, 0)
+	found := false
 	for _, id := range h.matchers.Match(domain) {
 		ips = append(ips, h.ips[id]...)
+		found = true
+	}
+	if !found {
+		return nil
 	}
 	return ips
 }
@ -72,7 +74,7 @@ func (h *StaticHosts) lookupInternal(domain string) []net.Address {
 func (h *StaticHosts) lookup(domain string, option dns.IPOption, maxDepth int) []net.Address {
 	switch addrs := h.lookupInternal(domain); {
 	case len(addrs) == 0: // Not recorded in static hosts, return nil
-		return nil
+		return addrs
 	case len(addrs) == 1 && addrs[0].Family().IsDomain(): // Try to unwrap domain
 		errors.LogDebug(context.Background(), "found replaced domain: ", domain, " -> ", addrs[0].Domain(), ". Try to unwrap it")
 		if maxDepth > 0 {
--- a/app/dns/nameserver.go
+++ b/app/dns/nameserver.go
@ -9,6 +9,7 @@ import (
 	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/dns"
@ -20,22 +21,23 @@ type Server interface {
 	// Name of the Client.
 	Name() string
 	// QueryIP sends IP queries to its configured server.
-	QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns.IPOption, disableCache bool) ([]net.IP, error)
+	QueryIP(ctx context.Context, domain string, option dns.IPOption) ([]net.IP, uint32, error)
 }

 // Client is the interface for DNS client.
 type Client struct {
-	server       Server
-	clientIP     net.IP
-	skipFallback bool
-	domains      []string
-	expectIPs    []*router.GeoIPMatcher
+	server             Server
+	skipFallback       bool
+	domains            []string
+	expectedIPs        []*router.GeoIPMatcher
+	allowUnexpectedIPs bool
+	tag                string
+	timeoutMs          time.Duration
+	ipOption           *dns.IPOption
 }

-var errExpectedIPNonMatch = errors.New("expectIPs not match")
-
 // NewServer creates a name server object according to the network destination url.
-func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dispatcher, queryStrategy QueryStrategy) (Server, error) {
+func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dispatcher, disableCache bool, clientIP net.IP) (Server, error) {
 	if address := dest.Address; address.Family().IsDomain() {
 		u, err := url.Parse(address.Domain())
 		if err != nil {
@ -43,24 +45,29 @@ func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dis
 		}
 		switch {
 		case strings.EqualFold(u.String(), "localhost"):
-			return NewLocalNameServer(queryStrategy), nil
+			return NewLocalNameServer(), nil
 		case strings.EqualFold(u.Scheme, "https"): // DNS-over-HTTPS Remote mode
-			return NewDoHNameServer(u, dispatcher, queryStrategy, false)
+			return NewDoHNameServer(u, dispatcher, false, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "h2c"): // DNS-over-HTTPS h2c Remote mode
-			return NewDoHNameServer(u, dispatcher, queryStrategy, true)
+			return NewDoHNameServer(u, dispatcher, true, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "https+local"): // DNS-over-HTTPS Local mode
-			return NewDoHLocalNameServer(u, queryStrategy), nil
+			return NewDoHNameServer(u, nil, false, disableCache, clientIP), nil
+		case strings.EqualFold(u.Scheme, "h2c+local"): // DNS-over-HTTPS h2c Local mode
+			return NewDoHNameServer(u, nil, true, disableCache, clientIP), nil
 		case strings.EqualFold(u.Scheme, "quic+local"): // DNS-over-QUIC Local mode
-			return NewQUICNameServer(u, queryStrategy)
+			return NewQUICNameServer(u, disableCache, clientIP)
 		case strings.EqualFold(u.Scheme, "tcp"): // DNS-over-TCP Remote mode
-			return NewTCPNameServer(u, dispatcher, queryStrategy)
+			return NewTCPNameServer(u, dispatcher, disableCache, clientIP)
 		case strings.EqualFold(u.Scheme, "tcp+local"): // DNS-over-TCP Local mode
-			return NewTCPLocalNameServer(u, queryStrategy)
+			return NewTCPLocalNameServer(u, disableCache, clientIP)
 		case strings.EqualFold(u.String(), "fakedns"):
 			var fd dns.FakeDNSEngine
-			core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) {
+			err = core.RequireFeatures(ctx, func(fdns dns.FakeDNSEngine) {
 				fd = fdns
 			})
+			if err != nil {
+				return nil, err
+			}
 			return NewFakeDNSServer(fd), nil
 		}
 	}
@ -68,7 +75,7 @@ func NewServer(ctx context.Context, dest net.Destination, dispatcher routing.Dis
 		dest.Network = net.Network_UDP
 	}
 	if dest.Network == net.Network_UDP { // UDP classic DNS mode
-		return NewClassicNameServer(dest, dispatcher, queryStrategy), nil
+		return NewClassicNameServer(dest, dispatcher, disableCache, clientIP), nil
 	}
 	return nil, errors.New("No available name server could be created from ", dest).AtWarning()
 }
@ -78,7 +85,9 @@ func NewClient(
 	ctx context.Context,
 	ns *NameServer,
 	clientIP net.IP,
-	container router.GeoIPMatcherContainer,
+	disableCache bool,
+	tag string,
+	ipOption dns.IPOption,
 	matcherInfos *[]*DomainMatcherInfo,
 	updateDomainRule func(strmatcher.Matcher, int, []*DomainMatcherInfo) error,
 ) (*Client, error) {
@ -86,7 +95,7 @@ func NewClient(

 	err := core.RequireFeatures(ctx, func(dispatcher routing.Dispatcher) error {
 		// Create a new server for each client for now
-		server, err := NewServer(ctx, ns.Address.AsDestination(), dispatcher, ns.GetQueryStrategy())
+		server, err := NewServer(ctx, ns.Address.AsDestination(), dispatcher, disableCache, clientIP)
 		if err != nil {
 			return errors.New("failed to create nameserver").Base(err).AtWarning()
 		}
@ -143,7 +152,7 @@ func NewClient(
 		// Establish expected IPs
 		var matchers []*router.GeoIPMatcher
 		for _, geoip := range ns.Geoip {
-			matcher, err := container.Add(geoip)
+			matcher, err := router.GlobalGeoIPContainer.Add(geoip)
 			if err != nil {
 				return errors.New("failed to create ip matcher").Base(err).AtWarning()
 			}
@ -155,15 +164,23 @@ func NewClient(
 			case *net.IPOrDomain_Domain:
 				errors.LogInfo(ctx, "DNS: client ", ns.Address.Address.GetDomain(), " uses clientIP ", clientIP.String())
 			case *net.IPOrDomain_Ip:
-				errors.LogInfo(ctx, "DNS: client ", ns.Address.Address.GetIp(), " uses clientIP ", clientIP.String())
+				errors.LogInfo(ctx, "DNS: client ", net.IP(ns.Address.Address.GetIp()), " uses clientIP ", clientIP.String())
 			}
 		}

+		var timeoutMs = 4000 * time.Millisecond
+		if ns.TimeoutMs > 0 {
+			timeoutMs = time.Duration(ns.TimeoutMs) * time.Millisecond
+		}
+
 		client.server = server
-		client.clientIP = clientIP
 		client.skipFallback = ns.SkipFallback
 		client.domains = rules
-		client.expectIPs = matchers
+		client.expectedIPs = matchers
+		client.allowUnexpectedIPs = ns.AllowUnexpectedIPs
+		client.tag = tag
+		client.timeoutMs = timeoutMs
+		client.ipOption = &ipOption
 		return nil
 	})
 	return client, err
@ -175,36 +192,53 @@ func (c *Client) Name() string {
 }

 // QueryIP sends DNS query to the name server with the client's IP.
-func (c *Client) QueryIP(ctx context.Context, domain string, option dns.IPOption, disableCache bool) ([]net.IP, error) {
-	ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
-	ips, err := c.server.QueryIP(ctx, domain, c.clientIP, option, disableCache)
+func (c *Client) QueryIP(ctx context.Context, domain string, option dns.IPOption) ([]net.IP, uint32, error) {
+	option.IPv4Enable = option.IPv4Enable && c.ipOption.IPv4Enable
+	option.IPv6Enable = option.IPv6Enable && c.ipOption.IPv6Enable
+	if !option.IPv4Enable && !option.IPv6Enable {
+		return nil, 0, dns.ErrEmptyResponse
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, c.timeoutMs)
+	ctx = session.ContextWithInbound(ctx, &session.Inbound{Tag: c.tag})
+	ips, ttl, err := c.server.QueryIP(ctx, domain, option)
 	cancel()

 	if err != nil {
-		return ips, err
+		return nil, 0, err
 	}
-	return c.MatchExpectedIPs(domain, ips)
+
+	if len(ips) == 0 {
+		return nil, 0, dns.ErrEmptyResponse
+	}
+
+	if len(c.expectedIPs) > 0 {
+		newIps := c.MatchExpectedIPs(domain, ips)
+		if len(newIps) == 0 {
+			if !c.allowUnexpectedIPs {
+				return nil, 0, dns.ErrEmptyResponse
+			}
+		} else {
+			ips = newIps
+		}
+	}
+
+	return ips, ttl, nil
 }

 // MatchExpectedIPs matches queried domain IPs with expected IPs and returns matched ones.
-func (c *Client) MatchExpectedIPs(domain string, ips []net.IP) ([]net.IP, error) {
-	if len(c.expectIPs) == 0 {
-		return ips, nil
-	}
-	newIps := []net.IP{}
+func (c *Client) MatchExpectedIPs(domain string, ips []net.IP) []net.IP {
+	var newIps []net.IP
 	for _, ip := range ips {
-		for _, matcher := range c.expectIPs {
+		for _, matcher := range c.expectedIPs {
 			if matcher.Match(ip) {
 				newIps = append(newIps, ip)
 				break
 			}
 		}
 	}
-	if len(newIps) == 0 {
-		return nil, errExpectedIPNonMatch
-	}
-	errors.LogDebug(context.Background(), "domain ", domain, " expectIPs ", newIps, " matched at server ", c.Name())
-	return newIps, nil
+	errors.LogDebug(context.Background(), "domain ", domain, " expectedIPs ", newIps, " matched at server ", c.Name())
+	return newIps
 }

 func ResolveIpOptionOverride(queryStrategy QueryStrategy, ipOption dns.IPOption) dns.IPOption {
--- a/app/dns/nameserver_doh.go
+++ b/app/dns/nameserver_doh.go
@ -4,26 +4,26 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	go_errors "errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
-	"sync"
+	"strings"
 	"time"

+	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
-	"github.com/xtls/xray-core/common/signal/pubsub"
-	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/transport/internet"
-	"golang.org/x/net/dns/dnsmessage"
 	"golang.org/x/net/http2"
 )

@ -31,224 +31,108 @@ import (
 // which is compatible with traditional dns over udp(RFC1035),
 // thus most of the DOH implementation is copied from udpns.go
 type DoHNameServer struct {
-	dispatcher routing.Dispatcher
-	sync.RWMutex
-	ips           map[string]*record
-	pub           *pubsub.Service
-	cleanup       *task.Periodic
-	httpClient    *http.Client
-	dohURL        string
-	name          string
-	queryStrategy QueryStrategy
+	cacheController *CacheController
+	httpClient      *http.Client
+	dohURL          string
+	clientIP        net.IP
 }

-// NewDoHNameServer creates DOH server object for remote resolving.
-func NewDoHNameServer(url *url.URL, dispatcher routing.Dispatcher, queryStrategy QueryStrategy, h2c bool) (*DoHNameServer, error) {
+// NewDoHNameServer creates DOH/DOHL client object for remote/local resolving.
+func NewDoHNameServer(url *url.URL, dispatcher routing.Dispatcher, h2c bool, disableCache bool, clientIP net.IP) *DoHNameServer {
 	url.Scheme = "https"
-	errors.LogInfo(context.Background(), "DNS: created Remote DNS-over-HTTPS client for ", url.String(), ", with h2c ", h2c)
-	s := baseDOHNameServer(url, "DOH", queryStrategy)
-
-	s.dispatcher = dispatcher
-	dialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
-		dest, err := net.ParseDestination(network + ":" + addr)
-		if err != nil {
-			return nil, err
-		}
-		dnsCtx := toDnsContext(ctx, s.dohURL)
-		if h2c {
-			dnsCtx = session.ContextWithMitmAlpn11(dnsCtx, false) // for insurance
-			dnsCtx = session.ContextWithMitmServerName(dnsCtx, url.Hostname())
-		}
-		link, err := s.dispatcher.Dispatch(dnsCtx, dest)
-		select {
-		case <-ctx.Done():
-			return nil, ctx.Err()
-		default:
-
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		cc := common.ChainedClosable{}
-		if cw, ok := link.Writer.(common.Closable); ok {
-			cc = append(cc, cw)
-		}
-		if cr, ok := link.Reader.(common.Closable); ok {
-			cc = append(cc, cr)
-		}
-		return cnc.NewConnection(
-			cnc.ConnectionInputMulti(link.Writer),
-			cnc.ConnectionOutputMulti(link.Reader),
-			cnc.ConnectionOnClose(cc),
-		), nil
+	mode := "DOH"
+	if dispatcher == nil {
+		mode = "DOHL"
 	}
-
-	s.httpClient = &http.Client{
-		Timeout: time.Second * 180,
-		Transport: &http.Transport{
-			MaxIdleConns:        30,
-			IdleConnTimeout:     90 * time.Second,
-			TLSHandshakeTimeout: 30 * time.Second,
-			ForceAttemptHTTP2:   true,
-			DialContext:         dialContext,
-		},
-	}
-	if h2c {
-		s.httpClient.Transport = &http2.Transport{
-			IdleConnTimeout: 90 * time.Second,
-			DialTLSContext: func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) {
-				return dialContext(ctx, network, addr)
-			},
-		}
-	}
-
-	return s, nil
-}
-
-// NewDoHLocalNameServer creates DOH client object for local resolving
-func NewDoHLocalNameServer(url *url.URL, queryStrategy QueryStrategy) *DoHNameServer {
-	url.Scheme = "https"
-	s := baseDOHNameServer(url, "DOHL", queryStrategy)
-	tr := &http.Transport{
-		IdleConnTimeout:   90 * time.Second,
-		ForceAttemptHTTP2: true,
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			dest, err := net.ParseDestination(network + ":" + addr)
-			if err != nil {
-				return nil, err
-			}
-			conn, err := internet.DialSystem(ctx, dest, nil)
-			log.Record(&log.AccessMessage{
-				From:   "DNS",
-				To:     s.dohURL,
-				Status: log.AccessAccepted,
-				Detour: "local",
-			})
-			if err != nil {
-				return nil, err
-			}
-			return conn, nil
-		},
-	}
-	s.httpClient = &http.Client{
-		Timeout:   time.Second * 180,
-		Transport: tr,
-	}
-	errors.LogInfo(context.Background(), "DNS: created Local DNS-over-HTTPS client for ", url.String())
-	return s
-}
-
-func baseDOHNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy) *DoHNameServer {
+	errors.LogInfo(context.Background(), "DNS: created ", mode, " client for ", url.String(), ", with h2c ", h2c)
 	s := &DoHNameServer{
-		ips:           make(map[string]*record),
-		pub:           pubsub.NewService(),
-		name:          prefix + "//" + url.Host,
-		dohURL:        url.String(),
-		queryStrategy: queryStrategy,
+		cacheController: NewCacheController(mode+"//"+url.Host, disableCache),
+		dohURL:          url.String(),
+		clientIP:        clientIP,
 	}
-	s.cleanup = &task.Periodic{
-		Interval: time.Minute,
-		Execute:  s.Cleanup,
+	s.httpClient = &http.Client{
+		Transport: &http2.Transport{
+			IdleConnTimeout: net.ConnIdleTimeout,
+			ReadIdleTimeout: net.ChromeH2KeepAlivePeriod,
+			DialTLSContext: func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) {
+				dest, err := net.ParseDestination(network + ":" + addr)
+				if err != nil {
+					return nil, err
+				}
+				var conn net.Conn
+				if dispatcher != nil {
+					dnsCtx := toDnsContext(ctx, s.dohURL)
+					if h2c {
+						dnsCtx = session.ContextWithMitmAlpn11(dnsCtx, false) // for insurance
+						dnsCtx = session.ContextWithMitmServerName(dnsCtx, url.Hostname())
+					}
+					link, err := dispatcher.Dispatch(dnsCtx, dest)
+					select {
+					case <-ctx.Done():
+						return nil, ctx.Err()
+					default:
+					}
+					if err != nil {
+						return nil, err
+					}
+					cc := common.ChainedClosable{}
+					if cw, ok := link.Writer.(common.Closable); ok {
+						cc = append(cc, cw)
+					}
+					if cr, ok := link.Reader.(common.Closable); ok {
+						cc = append(cc, cr)
+					}
+					conn = cnc.NewConnection(
+						cnc.ConnectionInputMulti(link.Writer),
+						cnc.ConnectionOutputMulti(link.Reader),
+						cnc.ConnectionOnClose(cc),
+					)
+				} else {
+					log.Record(&log.AccessMessage{
+						From:   "DNS",
+						To:     s.dohURL,
+						Status: log.AccessAccepted,
+						Detour: "local",
+					})
+					conn, err = internet.DialSystem(ctx, dest, nil)
+					if err != nil {
+						return nil, err
+					}
+				}
+				if !h2c {
+					conn = utls.UClient(conn, &utls.Config{ServerName: url.Hostname()}, utls.HelloChrome_Auto)
+					if err := conn.(*utls.UConn).HandshakeContext(ctx); err != nil {
+						return nil, err
+					}
+				}
+				return conn, nil
+			},
+		},
 	}
 	return s
 }

 // Name implements Server.
 func (s *DoHNameServer) Name() string {
-	return s.name
-}
-
-// Cleanup clears expired items from cache
-func (s *DoHNameServer) Cleanup() error {
-	now := time.Now()
-	s.Lock()
-	defer s.Unlock()
-
-	if len(s.ips) == 0 {
-		return errors.New("nothing to do. stopping...")
-	}
-
-	for domain, record := range s.ips {
-		if record.A != nil && record.A.Expire.Before(now) {
-			record.A = nil
-		}
-		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
-			record.AAAA = nil
-		}
-
-		if record.A == nil && record.AAAA == nil {
-			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
-			delete(s.ips, domain)
-		} else {
-			s.ips[domain] = record
-		}
-	}
-
-	if len(s.ips) == 0 {
-		s.ips = make(map[string]*record)
-	}
-
-	return nil
-}
-
-func (s *DoHNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
-	elapsed := time.Since(req.start)
-
-	s.Lock()
-	rec, found := s.ips[req.domain]
-	if !found {
-		rec = &record{}
-	}
-	updated := false
-
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		if isNewer(rec.A, ipRec) {
-			rec.A = ipRec
-			updated = true
-		}
-	case dnsmessage.TypeAAAA:
-		addr := make([]net.Address, 0, len(ipRec.IP))
-		for _, ip := range ipRec.IP {
-			if len(ip.IP()) == net.IPv6len {
-				addr = append(addr, ip)
-			}
-		}
-		ipRec.IP = addr
-		if isNewer(rec.AAAA, ipRec) {
-			rec.AAAA = ipRec
-			updated = true
-		}
-	}
-	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
-
-	if updated {
-		s.ips[req.domain] = rec
-	}
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		s.pub.Publish(req.domain+"4", nil)
-	case dnsmessage.TypeAAAA:
-		s.pub.Publish(req.domain+"6", nil)
-	}
-	s.Unlock()
-	common.Must(s.cleanup.Start())
+	return s.cacheController.name
 }

 func (s *DoHNameServer) newReqID() uint16 {
 	return 0
 }

-func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
-	errors.LogInfo(ctx, s.name, " querying: ", domain)
+func (s *DoHNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
+	errors.LogInfo(ctx, s.Name(), " querying: ", domain)

-	if s.name+"." == "DOH//"+domain {
-		errors.LogError(ctx, s.name, " tries to resolve itself! Use IP or set \"hosts\" instead.")
+	if s.Name()+"." == "DOH//"+domain {
+		errors.LogError(ctx, s.Name(), " tries to resolve itself! Use IP or set \"hosts\" instead.")
+		noResponseErrCh <- errors.New("tries to resolve itself!", s.Name())
 		return
 	}

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	// As we don't want our traffic pattern looks like DoH, we use Random-Length Padding instead of Block-Length Padding recommended in RFC 8467
+	// Although DoH server like 1.1.1.1 will pad the response to Block-Length 468, at least it is better than no padding for response at all
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, int(crypto.RandBetween(100, 300))))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@ -283,19 +167,22 @@ func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query for ", domain)
+				noResponseErrCh <- err
 				return
 			}
 			resp, err := s.dohHTTPSContext(dnsCtx, b.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to retrieve response for ", domain)
+				noResponseErrCh <- err
 				return
 			}
 			rec, err := parseResponse(resp)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to handle DOH response for ", domain)
+				noResponseErrCh <- err
 				return
 			}
-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }
@ -310,6 +197,8 @@ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte,
 	req.Header.Add("Accept", "application/dns-message")
 	req.Header.Add("Content-Type", "application/dns-message")

+	req.Header.Set("X-Padding", strings.Repeat("X", int(crypto.RandBetween(100, 1000))))
+
 	hc := s.httpClient

 	resp, err := hc.Do(req.WithContext(ctx))
@ -326,107 +215,50 @@ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte,
 	return io.ReadAll(resp.Body)
 }

-func (s *DoHNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
-	s.RLock()
-	record, found := s.ips[domain]
-	s.RUnlock()
-
-	if !found {
-		return nil, errRecordNotFound
-	}
-
-	var err4 error
-	var err6 error
-	var ips []net.Address
-	var ip6 []net.Address
-
-	if option.IPv4Enable {
-		ips, err4 = record.A.getIPs()
-	}
-
-	if option.IPv6Enable {
-		ip6, err6 = record.AAAA.getIPs()
-		ips = append(ips, ip6...)
-	}
-
-	if len(ips) > 0 {
-		return toNetIP(ips)
-	}
-
-	if err4 != nil {
-		return nil, err4
-	}
-
-	if err6 != nil {
-		return nil, err6
-	}
-
-	if (option.IPv4Enable && record.A != nil) || (option.IPv6Enable && record.AAAA != nil) {
-		return nil, dns_feature.ErrEmptyResponse
-	}
-
-	return nil, errRecordNotFound
-}
-
 // QueryIP implements Server.
-func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) { // nolint: dupl
+func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) { // nolint: dupl
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns_feature.ErrEmptyResponse
-	}
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
+	defer closeSubscribers(sub4, sub6)

-	if disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+	if s.cacheController.disableCache {
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+		if !go_errors.Is(err, errRecordNotFound) {
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			return ips, ttl, err
 		}
 	}

-	// ipv4 and ipv6 belong to different subscription groups
-	var sub4, sub6 *pubsub.Subscriber
-	if option.IPv4Enable {
-		sub4 = s.pub.Subscribe(fqdn + "4")
-		defer sub4.Close()
-	}
-	if option.IPv6Enable {
-		sub6 = s.pub.Subscribe(fqdn + "6")
-		defer sub6.Close()
-	}
-	done := make(chan interface{})
-	go func() {
-		if sub4 != nil {
-			select {
-			case <-sub4.Wait():
-			case <-ctx.Done():
-			}
-		}
-		if sub6 != nil {
-			select {
-			case <-sub6.Wait():
-			case <-ctx.Done():
-			}
-		}
-		close(done)
-	}()
-	s.sendQuery(ctx, fqdn, clientIP, option)
+	noResponseErrCh := make(chan error, 2)
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	start := time.Now()

-	for {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err != errRecordNotFound {
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
-			return ips, err
-		}
-
+	if sub4 != nil {
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-done:
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub4.Wait():
+			sub4.Close()
 		}
 	}
+	if sub6 != nil {
+		select {
+		case <-ctx.Done():
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub6.Wait():
+			sub6.Close()
+		}
+	}
+
+	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
+	return ips, ttl, err
+
 }
--- a/app/dns/nameserver_doh_test.go
+++ b/app/dns/nameserver_doh_test.go
@ -17,12 +17,12 @@ func TestDOHNameServer(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)

-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -34,12 +34,12 @@ func TestDOHNameServerWithCache(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)

-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -47,10 +47,10 @@ func TestDOHNameServerWithCache(t *testing.T) {
 	}

 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@ -62,12 +62,12 @@ func TestDOHNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)

-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP4)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
-	}, false)
+		IPv6Enable: false,
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -85,12 +85,12 @@ func TestDOHNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("https+local://1.1.1.1/dns-query")
 	common.Must(err)

-	s := NewDoHLocalNameServer(url, QueryStrategy_USE_IP6)
+	s := NewDoHNameServer(url, nil, false, false, net.IP(nil))
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
-		IPv4Enable: true,
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_fakedns.go
+++ b/app/dns/nameserver_fakedns.go
@ -20,9 +20,9 @@ func (FakeDNSServer) Name() string {
 	return "FakeDNS"
 }

-func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, _ net.IP, opt dns.IPOption, _ bool) ([]net.IP, error) {
+func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, opt dns.IPOption) ([]net.IP, uint32, error) {
 	if f.fakeDNSEngine == nil {
-		return nil, errors.New("Unable to locate a fake DNS Engine").AtError()
+		return nil, 0, errors.New("Unable to locate a fake DNS Engine").AtError()
 	}

 	var ips []net.Address
@ -34,13 +34,13 @@ func (f *FakeDNSServer) QueryIP(ctx context.Context, domain string, _ net.IP, op

 	netIP, err := toNetIP(ips)
 	if err != nil {
-		return nil, errors.New("Unable to convert IP to net ip").Base(err).AtError()
+		return nil, 0, errors.New("Unable to convert IP to net ip").Base(err).AtError()
 	}

 	errors.LogInfo(ctx, f.Name(), " got answer: ", domain, " -> ", ips)

 	if len(netIP) > 0 {
-		return netIP, nil
+		return netIP, 1, nil // fakeIP ttl is 1
 	}
-	return nil, dns.ErrEmptyResponse
+	return nil, 0, dns.ErrEmptyResponse
 }
--- a/app/dns/nameserver_local.go
+++ b/app/dns/nameserver_local.go
@ -2,7 +2,6 @@ package dns

 import (
 	"context"
-	"strings"
 	"time"

 	"github.com/xtls/xray-core/common/errors"
@ -14,25 +13,14 @@ import (

 // LocalNameServer is an wrapper over local DNS feature.
 type LocalNameServer struct {
-	client        *localdns.Client
-	queryStrategy QueryStrategy
+	client *localdns.Client
 }

-const errEmptyResponse = "No address associated with hostname"
-
 // QueryIP implements Server.
-func (s *LocalNameServer) QueryIP(ctx context.Context, domain string, _ net.IP, option dns.IPOption, _ bool) (ips []net.IP, err error) {
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns.ErrEmptyResponse
-	}
+func (s *LocalNameServer) QueryIP(ctx context.Context, domain string, option dns.IPOption) (ips []net.IP, ttl uint32, err error) {

 	start := time.Now()
-	ips, err = s.client.LookupIP(domain, option)
-
-	if err != nil && strings.HasSuffix(err.Error(), errEmptyResponse) {
-		err = dns.ErrEmptyResponse
-	}
+	ips, ttl, err = s.client.LookupIP(domain, option)

 	if len(ips) > 0 {
 		errors.LogInfo(ctx, "Localhost got answer: ", domain, " -> ", ips)
@ -48,15 +36,14 @@ func (s *LocalNameServer) Name() string {
 }

 // NewLocalNameServer creates localdns server object for directly lookup in system DNS.
-func NewLocalNameServer(queryStrategy QueryStrategy) *LocalNameServer {
+func NewLocalNameServer() *LocalNameServer {
 	errors.LogInfo(context.Background(), "DNS: created localhost client")
 	return &LocalNameServer{
-		queryStrategy: queryStrategy,
-		client:        localdns.New(),
+		client: localdns.New(),
 	}
 }

 // NewLocalDNSClient creates localdns client object for directly lookup in system DNS.
-func NewLocalDNSClient() *Client {
-	return &Client{server: NewLocalNameServer(QueryStrategy_USE_IP)}
+func NewLocalDNSClient(ipOption dns.IPOption) *Client {
+	return &Client{server: NewLocalNameServer(), ipOption: &ipOption}
 }
--- a/app/dns/nameserver_local_test.go
+++ b/app/dns/nameserver_local_test.go
@ -7,18 +7,17 @@ import (

 	. "github.com/xtls/xray-core/app/dns"
 	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/dns"
 )

 func TestLocalNameServer(t *testing.T) {
-	s := NewLocalNameServer(QueryStrategy_USE_IP)
+	s := NewLocalNameServer()
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP{}, dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_quic.go
+++ b/app/dns/nameserver_quic.go
@ -4,23 +4,20 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	go_errors "errors"
 	"net/url"
 	"sync"
 	"time"

 	"github.com/quic-go/quic-go"
-	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
-	"github.com/xtls/xray-core/common/signal/pubsub"
-	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/transport/internet/tls"
-	"golang.org/x/net/dns/dnsmessage"
 	"golang.org/x/net/http2"
 )

@ -33,17 +30,14 @@ const handshakeTimeout = time.Second * 8
 // QUICNameServer implemented DNS over QUIC
 type QUICNameServer struct {
 	sync.RWMutex
-	ips           map[string]*record
-	pub           *pubsub.Service
-	cleanup       *task.Periodic
-	name          string
-	destination   *net.Destination
-	connection    quic.Connection
-	queryStrategy QueryStrategy
+	cacheController *CacheController
+	destination     *net.Destination
+	connection      quic.Connection
+	clientIP        net.IP
 }

 // NewQUICNameServer creates DNS-over-QUIC client object for local resolving
-func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServer, error) {
+func NewQUICNameServer(url *url.URL, disableCache bool, clientIP net.IP) (*QUICNameServer, error) {
 	errors.LogInfo(context.Background(), "DNS: created Local DNS-over-QUIC client for ", url.String())

 	var err error
@ -57,15 +51,9 @@ func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServ
 	dest := net.UDPDestination(net.ParseAddress(url.Hostname()), port)

 	s := &QUICNameServer{
-		ips:           make(map[string]*record),
-		pub:           pubsub.NewService(),
-		name:          url.String(),
-		destination:   &dest,
-		queryStrategy: queryStrategy,
-	}
-	s.cleanup = &task.Periodic{
-		Interval: time.Minute,
-		Execute:  s.Cleanup,
+		cacheController: NewCacheController(url.String(), disableCache),
+		destination:     &dest,
+		clientIP:        clientIP,
 	}

 	return s, nil
@ -73,94 +61,17 @@ func NewQUICNameServer(url *url.URL, queryStrategy QueryStrategy) (*QUICNameServ

 // Name returns client name
 func (s *QUICNameServer) Name() string {
-	return s.name
-}
-
-// Cleanup clears expired items from cache
-func (s *QUICNameServer) Cleanup() error {
-	now := time.Now()
-	s.Lock()
-	defer s.Unlock()
-
-	if len(s.ips) == 0 {
-		return errors.New("nothing to do. stopping...")
-	}
-
-	for domain, record := range s.ips {
-		if record.A != nil && record.A.Expire.Before(now) {
-			record.A = nil
-		}
-		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
-			record.AAAA = nil
-		}
-
-		if record.A == nil && record.AAAA == nil {
-			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
-			delete(s.ips, domain)
-		} else {
-			s.ips[domain] = record
-		}
-	}
-
-	if len(s.ips) == 0 {
-		s.ips = make(map[string]*record)
-	}
-
-	return nil
-}
-
-func (s *QUICNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
-	elapsed := time.Since(req.start)
-
-	s.Lock()
-	rec, found := s.ips[req.domain]
-	if !found {
-		rec = &record{}
-	}
-	updated := false
-
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		if isNewer(rec.A, ipRec) {
-			rec.A = ipRec
-			updated = true
-		}
-	case dnsmessage.TypeAAAA:
-		addr := make([]net.Address, 0)
-		for _, ip := range ipRec.IP {
-			if len(ip.IP()) == net.IPv6len {
-				addr = append(addr, ip)
-			}
-		}
-		ipRec.IP = addr
-		if isNewer(rec.AAAA, ipRec) {
-			rec.AAAA = ipRec
-			updated = true
-		}
-	}
-	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
-
-	if updated {
-		s.ips[req.domain] = rec
-	}
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		s.pub.Publish(req.domain+"4", nil)
-	case dnsmessage.TypeAAAA:
-		s.pub.Publish(req.domain+"6", nil)
-	}
-	s.Unlock()
-	common.Must(s.cleanup.Start())
+	return s.cacheController.name
 }

 func (s *QUICNameServer) newReqID() uint16 {
 	return 0
 }

-func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
-	errors.LogInfo(ctx, s.name, " querying: ", domain)
+func (s *QUICNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
+	errors.LogInfo(ctx, s.Name(), " querying: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@ -192,23 +103,36 @@ func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query")
+				noResponseErrCh <- err
 				return
 			}

 			dnsReqBuf := buf.New()
-			binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
-			dnsReqBuf.Write(b.Bytes())
+			err = binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
+			if err != nil {
+				errors.LogErrorInner(ctx, err, "binary write failed")
+				noResponseErrCh <- err
+				return
+			}
+			_, err = dnsReqBuf.Write(b.Bytes())
+			if err != nil {
+				errors.LogErrorInner(ctx, err, "buffer write failed")
+				noResponseErrCh <- err
+				return
+			}
 			b.Release()

 			conn, err := s.openStream(dnsCtx)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to open quic connection")
+				noResponseErrCh <- err
 				return
 			}

 			_, err = conn.Write(dnsReqBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to send query")
+				noResponseErrCh <- err
 				return
 			}

@ -219,134 +143,81 @@ func (s *QUICNameServer) sendQuery(ctx context.Context, domain string, clientIP
 			n, err := respBuf.ReadFullFrom(conn, 2)
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
+				noResponseErrCh <- err
 				return
 			}
 			var length int16
 			err = binary.Read(bytes.NewReader(respBuf.Bytes()), binary.BigEndian, &length)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse response length")
+				noResponseErrCh <- err
 				return
 			}
 			respBuf.Clear()
 			n, err = respBuf.ReadFullFrom(conn, int32(length))
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
+				noResponseErrCh <- err
 				return
 			}

 			rec, err := parseResponse(respBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to handle response")
+				noResponseErrCh <- err
 				return
 			}
-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }

-func (s *QUICNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
-	s.RLock()
-	record, found := s.ips[domain]
-	s.RUnlock()
-
-	if !found {
-		return nil, errRecordNotFound
-	}
-
-	var err4 error
-	var err6 error
-	var ips []net.Address
-	var ip6 []net.Address
-
-	if option.IPv4Enable {
-		ips, err4 = record.A.getIPs()
-	}
-
-	if option.IPv6Enable {
-		ip6, err6 = record.AAAA.getIPs()
-		ips = append(ips, ip6...)
-	}
-
-	if len(ips) > 0 {
-		return toNetIP(ips)
-	}
-
-	if err4 != nil {
-		return nil, err4
-	}
-
-	if err6 != nil {
-		return nil, err6
-	}
-
-	if (option.IPv4Enable && record.A != nil) || (option.IPv6Enable && record.AAAA != nil) {
-		return nil, dns_feature.ErrEmptyResponse
-	}
-
-	return nil, errRecordNotFound
-}
-
 // QueryIP is called from dns.Server->queryIPTimeout
-func (s *QUICNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *QUICNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns_feature.ErrEmptyResponse
-	}
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
+	defer closeSubscribers(sub4, sub6)

-	if disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+	if s.cacheController.disableCache {
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+		if !go_errors.Is(err, errRecordNotFound) {
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			return ips, ttl, err
 		}
 	}

-	// ipv4 and ipv6 belong to different subscription groups
-	var sub4, sub6 *pubsub.Subscriber
-	if option.IPv4Enable {
-		sub4 = s.pub.Subscribe(fqdn + "4")
-		defer sub4.Close()
-	}
-	if option.IPv6Enable {
-		sub6 = s.pub.Subscribe(fqdn + "6")
-		defer sub6.Close()
-	}
-	done := make(chan interface{})
-	go func() {
-		if sub4 != nil {
-			select {
-			case <-sub4.Wait():
-			case <-ctx.Done():
-			}
-		}
-		if sub6 != nil {
-			select {
-			case <-sub6.Wait():
-			case <-ctx.Done():
-			}
-		}
-		close(done)
-	}()
-	s.sendQuery(ctx, fqdn, clientIP, option)
+	noResponseErrCh := make(chan error, 2)
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	start := time.Now()

-	for {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err != errRecordNotFound {
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
-			return ips, err
-		}
-
+	if sub4 != nil {
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-done:
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub4.Wait():
+			sub4.Close()
 		}
 	}
+	if sub6 != nil {
+		select {
+		case <-ctx.Done():
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub6.Wait():
+			sub6.Close()
+		}
+	}
+
+	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
+	return ips, ttl, err
+
 }

 func isActive(s quic.Connection) bool {
--- a/app/dns/nameserver_quic_test.go
+++ b/app/dns/nameserver_quic_test.go
@ -16,24 +16,23 @@ import (
 func TestQUICNameServer(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
 		t.Error("expect some ips, but got 0")
 	}
-
 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@ -44,13 +43,13 @@ func TestQUICNameServer(t *testing.T) {
 func TestQUICNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP4)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
-	}, false)
+		IPv6Enable: false,
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -67,13 +66,13 @@ func TestQUICNameServerWithIPv4Override(t *testing.T) {
 func TestQUICNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("quic://dns.adguard-dns.com")
 	common.Must(err)
-	s, err := NewQUICNameServer(url, QueryStrategy_USE_IP6)
+	s, err := NewQUICNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns.IPOption{
-		IPv4Enable: true,
+	ips, _, err := s.QueryIP(ctx, "google.com", dns.IPOption{
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
--- a/app/dns/nameserver_tcp.go
+++ b/app/dns/nameserver_tcp.go
@ -4,12 +4,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	go_errors "errors"
 	"net/url"
-	"sync"
 	"sync/atomic"
 	"time"

-	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/log"
@ -17,34 +16,28 @@ import (
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	"github.com/xtls/xray-core/common/session"
-	"github.com/xtls/xray-core/common/signal/pubsub"
-	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/transport/internet"
-	"golang.org/x/net/dns/dnsmessage"
 )

 // TCPNameServer implemented DNS over TCP (RFC7766).
 type TCPNameServer struct {
-	sync.RWMutex
-	name          string
-	destination   *net.Destination
-	ips           map[string]*record
-	pub           *pubsub.Service
-	cleanup       *task.Periodic
-	reqID         uint32
-	dial          func(context.Context) (net.Conn, error)
-	queryStrategy QueryStrategy
+	cacheController *CacheController
+	destination     *net.Destination
+	reqID           uint32
+	dial            func(context.Context) (net.Conn, error)
+	clientIP        net.IP
 }

 // NewTCPNameServer creates DNS over TCP server object for remote resolving.
 func NewTCPNameServer(
 	url *url.URL,
 	dispatcher routing.Dispatcher,
-	queryStrategy QueryStrategy,
+	disableCache bool,
+	clientIP net.IP,
 ) (*TCPNameServer, error) {
-	s, err := baseTCPNameServer(url, "TCP", queryStrategy)
+	s, err := baseTCPNameServer(url, "TCP", disableCache, clientIP)
 	if err != nil {
 		return nil, err
 	}
@ -65,8 +58,8 @@ func NewTCPNameServer(
 }

 // NewTCPLocalNameServer creates DNS over TCP client object for local resolving
-func NewTCPLocalNameServer(url *url.URL, queryStrategy QueryStrategy) (*TCPNameServer, error) {
-	s, err := baseTCPNameServer(url, "TCPL", queryStrategy)
+func NewTCPLocalNameServer(url *url.URL, disableCache bool, clientIP net.IP) (*TCPNameServer, error) {
+	s, err := baseTCPNameServer(url, "TCPL", disableCache, clientIP)
 	if err != nil {
 		return nil, err
 	}
@ -78,7 +71,7 @@ func NewTCPLocalNameServer(url *url.URL, queryStrategy QueryStrategy) (*TCPNameS
 	return s, nil
 }

-func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy) (*TCPNameServer, error) {
+func baseTCPNameServer(url *url.URL, prefix string, disableCache bool, clientIP net.IP) (*TCPNameServer, error) {
 	port := net.Port(53)
 	if url.Port() != "" {
 		var err error
@ -89,15 +82,9 @@ func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy)
 	dest := net.TCPDestination(net.ParseAddress(url.Hostname()), port)

 	s := &TCPNameServer{
-		destination:   &dest,
-		ips:           make(map[string]*record),
-		pub:           pubsub.NewService(),
-		name:          prefix + "//" + dest.NetAddr(),
-		queryStrategy: queryStrategy,
-	}
-	s.cleanup = &task.Periodic{
-		Interval: time.Minute,
-		Execute:  s.Cleanup,
+		cacheController: NewCacheController(prefix+"//"+dest.NetAddr(), disableCache),
+		destination:     &dest,
+		clientIP:        clientIP,
 	}

 	return s, nil
@ -105,94 +92,17 @@ func baseTCPNameServer(url *url.URL, prefix string, queryStrategy QueryStrategy)

 // Name implements Server.
 func (s *TCPNameServer) Name() string {
-	return s.name
-}
-
-// Cleanup clears expired items from cache
-func (s *TCPNameServer) Cleanup() error {
-	now := time.Now()
-	s.Lock()
-	defer s.Unlock()
-
-	if len(s.ips) == 0 {
-		return errors.New("nothing to do. stopping...")
-	}
-
-	for domain, record := range s.ips {
-		if record.A != nil && record.A.Expire.Before(now) {
-			record.A = nil
-		}
-		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
-			record.AAAA = nil
-		}
-
-		if record.A == nil && record.AAAA == nil {
-			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
-			delete(s.ips, domain)
-		} else {
-			s.ips[domain] = record
-		}
-	}
-
-	if len(s.ips) == 0 {
-		s.ips = make(map[string]*record)
-	}
-
-	return nil
-}
-
-func (s *TCPNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
-	elapsed := time.Since(req.start)
-
-	s.Lock()
-	rec, found := s.ips[req.domain]
-	if !found {
-		rec = &record{}
-	}
-	updated := false
-
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		if isNewer(rec.A, ipRec) {
-			rec.A = ipRec
-			updated = true
-		}
-	case dnsmessage.TypeAAAA:
-		addr := make([]net.Address, 0)
-		for _, ip := range ipRec.IP {
-			if len(ip.IP()) == net.IPv6len {
-				addr = append(addr, ip)
-			}
-		}
-		ipRec.IP = addr
-		if isNewer(rec.AAAA, ipRec) {
-			rec.AAAA = ipRec
-			updated = true
-		}
-	}
-	errors.LogInfo(context.Background(), s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
-
-	if updated {
-		s.ips[req.domain] = rec
-	}
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		s.pub.Publish(req.domain+"4", nil)
-	case dnsmessage.TypeAAAA:
-		s.pub.Publish(req.domain+"6", nil)
-	}
-	s.Unlock()
-	common.Must(s.cleanup.Start())
+	return s.cacheController.name
 }

 func (s *TCPNameServer) newReqID() uint16 {
 	return uint16(atomic.AddUint32(&s.reqID, 1))
 }

-func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
-	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)
+func (s *TCPNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, domain string, option dns_feature.IPOption) {
+	errors.LogDebug(ctx, s.Name(), " querying DNS for: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))

 	var deadline time.Time
 	if d, ok := ctx.Deadline(); ok {
@ -221,23 +131,36 @@ func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			b, err := dns.PackMessage(r.msg)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to pack dns query")
+				noResponseErrCh <- err
 				return
 			}

 			conn, err := s.dial(dnsCtx)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to dial namesever")
+				noResponseErrCh <- err
 				return
 			}
 			defer conn.Close()
 			dnsReqBuf := buf.New()
-			binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
-			dnsReqBuf.Write(b.Bytes())
+			err = binary.Write(dnsReqBuf, binary.BigEndian, uint16(b.Len()))
+			if err != nil {
+				errors.LogErrorInner(ctx, err, "binary write failed")
+				noResponseErrCh <- err
+				return
+			}
+			_, err = dnsReqBuf.Write(b.Bytes())
+			if err != nil {
+				errors.LogErrorInner(ctx, err, "buffer write failed")
+				noResponseErrCh <- err
+				return
+			}
 			b.Release()

 			_, err = conn.Write(dnsReqBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to send query")
+				noResponseErrCh <- err
 				return
 			}
 			dnsReqBuf.Release()
@ -247,129 +170,80 @@ func (s *TCPNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 			n, err := respBuf.ReadFullFrom(conn, 2)
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
+				noResponseErrCh <- err
 				return
 			}
 			var length int16
 			err = binary.Read(bytes.NewReader(respBuf.Bytes()), binary.BigEndian, &length)
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse response length")
+				noResponseErrCh <- err
 				return
 			}
 			respBuf.Clear()
 			n, err = respBuf.ReadFullFrom(conn, int32(length))
 			if err != nil && n == 0 {
 				errors.LogErrorInner(ctx, err, "failed to read response length")
+				noResponseErrCh <- err
 				return
 			}

 			rec, err := parseResponse(respBuf.Bytes())
 			if err != nil {
 				errors.LogErrorInner(ctx, err, "failed to parse DNS over TCP response")
+				noResponseErrCh <- err
 				return
 			}

-			s.updateIP(r, rec)
+			s.cacheController.updateIP(r, rec)
 		}(req)
 	}
 }

-func (s *TCPNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
-	s.RLock()
-	record, found := s.ips[domain]
-	s.RUnlock()
-
-	if !found {
-		return nil, errRecordNotFound
-	}
-
-	var err4 error
-	var err6 error
-	var ips []net.Address
-	var ip6 []net.Address
-
-	if option.IPv4Enable {
-		ips, err4 = record.A.getIPs()
-	}
-
-	if option.IPv6Enable {
-		ip6, err6 = record.AAAA.getIPs()
-		ips = append(ips, ip6...)
-	}
-
-	if len(ips) > 0 {
-		return toNetIP(ips)
-	}
-
-	if err4 != nil {
-		return nil, err4
-	}
-
-	if err6 != nil {
-		return nil, err6
-	}
-
-	return nil, dns_feature.ErrEmptyResponse
-}
-
 // QueryIP implements Server.
-func (s *TCPNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *TCPNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns_feature.ErrEmptyResponse
-	}
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
+	defer closeSubscribers(sub4, sub6)

-	if disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+	if s.cacheController.disableCache {
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+		if !go_errors.Is(err, errRecordNotFound) {
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			return ips, ttl, err
 		}
 	}

-	// ipv4 and ipv6 belong to different subscription groups
-	var sub4, sub6 *pubsub.Subscriber
-	if option.IPv4Enable {
-		sub4 = s.pub.Subscribe(fqdn + "4")
-		defer sub4.Close()
-	}
-	if option.IPv6Enable {
-		sub6 = s.pub.Subscribe(fqdn + "6")
-		defer sub6.Close()
-	}
-	done := make(chan interface{})
-	go func() {
-		if sub4 != nil {
-			select {
-			case <-sub4.Wait():
-			case <-ctx.Done():
-			}
-		}
-		if sub6 != nil {
-			select {
-			case <-sub6.Wait():
-			case <-ctx.Done():
-			}
-		}
-		close(done)
-	}()
-	s.sendQuery(ctx, fqdn, clientIP, option)
+	noResponseErrCh := make(chan error, 2)
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	start := time.Now()

-	for {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err != errRecordNotFound {
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
-			return ips, err
-		}
-
+	if sub4 != nil {
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-done:
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub4.Wait():
+			sub4.Close()
 		}
 	}
+	if sub6 != nil {
+		select {
+		case <-ctx.Done():
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub6.Wait():
+			sub6.Close()
+		}
+	}
+
+	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
+	return ips, ttl, err
+
 }
--- a/app/dns/nameserver_tcp_test.go
+++ b/app/dns/nameserver_tcp_test.go
@ -16,13 +16,13 @@ import (
 func TestTCPLocalNameServer(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -33,13 +33,13 @@ func TestTCPLocalNameServer(t *testing.T) {
 func TestTCPLocalNameServerWithCache(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)
 	if len(ips) == 0 {
@ -47,10 +47,10 @@ func TestTCPLocalNameServerWithCache(t *testing.T) {
 	}

 	ctx2, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips2, err := s.QueryIP(ctx2, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips2, _, err := s.QueryIP(ctx2, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
 		IPv6Enable: true,
-	}, true)
+	})
 	cancel()
 	common.Must(err)
 	if r := cmp.Diff(ips2, ips); r != "" {
@ -61,13 +61,13 @@ func TestTCPLocalNameServerWithCache(t *testing.T) {
 func TestTCPLocalNameServerWithIPv4Override(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP4)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
 		IPv4Enable: true,
-		IPv6Enable: true,
-	}, false)
+		IPv6Enable: false,
+	})
 	cancel()
 	common.Must(err)

@ -85,13 +85,13 @@ func TestTCPLocalNameServerWithIPv4Override(t *testing.T) {
 func TestTCPLocalNameServerWithIPv6Override(t *testing.T) {
 	url, err := url.Parse("tcp+local://8.8.8.8")
 	common.Must(err)
-	s, err := NewTCPLocalNameServer(url, QueryStrategy_USE_IP6)
+	s, err := NewTCPLocalNameServer(url, false, net.IP(nil))
 	common.Must(err)
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
-	ips, err := s.QueryIP(ctx, "google.com", net.IP(nil), dns_feature.IPOption{
-		IPv4Enable: true,
+	ips, _, err := s.QueryIP(ctx, "google.com", dns_feature.IPOption{
+		IPv4Enable: false,
 		IPv6Enable: true,
-	}, false)
+	})
 	cancel()
 	common.Must(err)

--- a/app/dns/nameserver_udp.go
+++ b/app/dns/nameserver_udp.go
@ -2,6 +2,7 @@ package dns

 import (
 	"context"
+	go_errors "errors"
 	"strings"
 	"sync"
 	"sync/atomic"
@ -13,7 +14,6 @@ import (
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol/dns"
 	udp_proto "github.com/xtls/xray-core/common/protocol/udp"
-	"github.com/xtls/xray-core/common/signal/pubsub"
 	"github.com/xtls/xray-core/common/task"
 	dns_feature "github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
@ -24,35 +24,36 @@ import (
 // ClassicNameServer implemented traditional UDP DNS.
 type ClassicNameServer struct {
 	sync.RWMutex
-	name          string
-	address       *net.Destination
-	ips           map[string]*record
-	requests      map[uint16]*dnsRequest
-	pub           *pubsub.Service
-	udpServer     *udp.Dispatcher
-	cleanup       *task.Periodic
-	reqID         uint32
-	queryStrategy QueryStrategy
+	cacheController *CacheController
+	address         *net.Destination
+	requests        map[uint16]*udpDnsRequest
+	udpServer       *udp.Dispatcher
+	requestsCleanup *task.Periodic
+	reqID           uint32
+	clientIP        net.IP
+}
+
+type udpDnsRequest struct {
+	dnsRequest
+	ctx context.Context
 }

 // NewClassicNameServer creates udp server object for remote resolving.
-func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher, queryStrategy QueryStrategy) *ClassicNameServer {
+func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher, disableCache bool, clientIP net.IP) *ClassicNameServer {
 	// default to 53 if unspecific
 	if address.Port == 0 {
 		address.Port = net.Port(53)
 	}

 	s := &ClassicNameServer{
-		address:       &address,
-		ips:           make(map[string]*record),
-		requests:      make(map[uint16]*dnsRequest),
-		pub:           pubsub.NewService(),
-		name:          strings.ToUpper(address.String()),
-		queryStrategy: queryStrategy,
+		cacheController: NewCacheController(strings.ToUpper(address.String()), disableCache),
+		address:         &address,
+		requests:        make(map[uint16]*udpDnsRequest),
+		clientIP:        clientIP,
 	}
-	s.cleanup = &task.Periodic{
+	s.requestsCleanup = &task.Periodic{
 		Interval: time.Minute,
-		Execute:  s.Cleanup,
+		Execute:  s.RequestsCleanup,
 	}
 	s.udpServer = udp.NewDispatcher(dispatcher, s.HandleResponse)
 	errors.LogInfo(context.Background(), "DNS: created UDP client initialized for ", address.NetAddr())
@ -61,37 +62,17 @@ func NewClassicNameServer(address net.Destination, dispatcher routing.Dispatcher

 // Name implements Server.
 func (s *ClassicNameServer) Name() string {
-	return s.name
+	return s.cacheController.name
 }

-// Cleanup clears expired items from cache
-func (s *ClassicNameServer) Cleanup() error {
+// RequestsCleanup clears expired items from cache
+func (s *ClassicNameServer) RequestsCleanup() error {
 	now := time.Now()
 	s.Lock()
 	defer s.Unlock()

-	if len(s.ips) == 0 && len(s.requests) == 0 {
-		return errors.New(s.name, " nothing to do. stopping...")
-	}
-
-	for domain, record := range s.ips {
-		if record.A != nil && record.A.Expire.Before(now) {
-			record.A = nil
-		}
-		if record.AAAA != nil && record.AAAA.Expire.Before(now) {
-			record.AAAA = nil
-		}
-
-		if record.A == nil && record.AAAA == nil {
-			errors.LogDebug(context.Background(), s.name, " cleanup ", domain)
-			delete(s.ips, domain)
-		} else {
-			s.ips[domain] = record
-		}
-	}
-
-	if len(s.ips) == 0 {
-		s.ips = make(map[string]*record)
+	if len(s.requests) == 0 {
+		return errors.New(s.Name(), " nothing to do. stopping...")
 	}

 	for id, req := range s.requests {
@ -101,7 +82,7 @@ func (s *ClassicNameServer) Cleanup() error {
 	}

 	if len(s.requests) == 0 {
-		s.requests = make(map[uint16]*dnsRequest)
+		s.requests = make(map[uint16]*udpDnsRequest)
 	}

 	return nil
@ -111,7 +92,7 @@ func (s *ClassicNameServer) Cleanup() error {
 func (s *ClassicNameServer) HandleResponse(ctx context.Context, packet *udp_proto.Packet) {
 	ipRec, err := parseResponse(packet.Payload.Bytes())
 	if err != nil {
-		errors.LogError(ctx, s.name, " fail to parse responded DNS udp")
+		errors.LogError(ctx, s.Name(), " fail to parse responded DNS udp")
 		return
 	}

@ -124,179 +105,107 @@ func (s *ClassicNameServer) HandleResponse(ctx context.Context, packet *udp_prot
 	}
 	s.Unlock()
 	if !ok {
-		errors.LogError(ctx, s.name, " cannot find the pending request")
+		errors.LogError(ctx, s.Name(), " cannot find the pending request")
 		return
 	}

-	var rec record
-	switch req.reqType {
-	case dnsmessage.TypeA:
-		rec.A = ipRec
-	case dnsmessage.TypeAAAA:
-		rec.AAAA = ipRec
+	// if truncated, retry with EDNS0 option(udp payload size: 1350)
+	if ipRec.RawHeader.Truncated {
+		// if already has EDNS0 option, no need to retry
+		if len(req.msg.Additionals) == 0 {
+			// copy necessary meta data from original request
+			// and add EDNS0 option
+			opt := new(dnsmessage.Resource)
+			common.Must(opt.Header.SetEDNS0(1350, 0xfe00, true))
+			opt.Body = &dnsmessage.OPTResource{}
+			newMsg := *req.msg
+			newReq := *req
+			newMsg.Additionals = append(newMsg.Additionals, *opt)
+			newMsg.ID = s.newReqID()
+			newReq.msg = &newMsg
+			s.addPendingRequest(&newReq)
+			b, _ := dns.PackMessage(newReq.msg)
+			s.udpServer.Dispatch(toDnsContext(newReq.ctx, s.address.String()), *s.address, b)
+			return
+		}
 	}

-	elapsed := time.Since(req.start)
-	errors.LogInfo(ctx, s.name, " got answer: ", req.domain, " ", req.reqType, " -> ", ipRec.IP, " ", elapsed)
-	if len(req.domain) > 0 && (rec.A != nil || rec.AAAA != nil) {
-		s.updateIP(req.domain, &rec)
-	}
-}
-
-func (s *ClassicNameServer) updateIP(domain string, newRec *record) {
-	s.Lock()
-
-	rec, found := s.ips[domain]
-	if !found {
-		rec = &record{}
-	}
-
-	updated := false
-	if isNewer(rec.A, newRec.A) {
-		rec.A = newRec.A
-		updated = true
-	}
-	if isNewer(rec.AAAA, newRec.AAAA) {
-		rec.AAAA = newRec.AAAA
-		updated = true
-	}
-
-	if updated {
-		errors.LogDebug(context.Background(), s.name, " updating IP records for domain:", domain)
-		s.ips[domain] = rec
-	}
-	if newRec.A != nil {
-		s.pub.Publish(domain+"4", nil)
-	}
-	if newRec.AAAA != nil {
-		s.pub.Publish(domain+"6", nil)
-	}
-	s.Unlock()
-	common.Must(s.cleanup.Start())
+	s.cacheController.updateIP(&req.dnsRequest, ipRec)
 }

 func (s *ClassicNameServer) newReqID() uint16 {
 	return uint16(atomic.AddUint32(&s.reqID, 1))
 }

-func (s *ClassicNameServer) addPendingRequest(req *dnsRequest) {
+func (s *ClassicNameServer) addPendingRequest(req *udpDnsRequest) {
 	s.Lock()
-	defer s.Unlock()
-
 	id := req.msg.ID
 	req.expire = time.Now().Add(time.Second * 8)
 	s.requests[id] = req
+	s.Unlock()
+	common.Must(s.requestsCleanup.Start())
 }

-func (s *ClassicNameServer) sendQuery(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption) {
-	errors.LogDebug(ctx, s.name, " querying DNS for: ", domain)
+func (s *ClassicNameServer) sendQuery(ctx context.Context, _ chan<- error, domain string, option dns_feature.IPOption) {
+	errors.LogDebug(ctx, s.Name(), " querying DNS for: ", domain)

-	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(clientIP))
+	reqs := buildReqMsgs(domain, option, s.newReqID, genEDNS0Options(s.clientIP, 0))

 	for _, req := range reqs {
-		s.addPendingRequest(req)
+		udpReq := &udpDnsRequest{
+			dnsRequest: *req,
+			ctx:        ctx,
+		}
+		s.addPendingRequest(udpReq)
 		b, _ := dns.PackMessage(req.msg)
 		s.udpServer.Dispatch(toDnsContext(ctx, s.address.String()), *s.address, b)
 	}
 }

-func (s *ClassicNameServer) findIPsForDomain(domain string, option dns_feature.IPOption) ([]net.IP, error) {
-	s.RLock()
-	record, found := s.ips[domain]
-	s.RUnlock()
-
-	if !found {
-		return nil, errRecordNotFound
-	}
-
-	var err4 error
-	var err6 error
-	var ips []net.Address
-	var ip6 []net.Address
-
-	if option.IPv4Enable {
-		ips, err4 = record.A.getIPs()
-	}
-
-	if option.IPv6Enable {
-		ip6, err6 = record.AAAA.getIPs()
-		ips = append(ips, ip6...)
-	}
-
-	if len(ips) > 0 {
-		return toNetIP(ips)
-	}
-
-	if err4 != nil {
-		return nil, err4
-	}
-
-	if err6 != nil {
-		return nil, err6
-	}
-
-	return nil, dns_feature.ErrEmptyResponse
-}
-
 // QueryIP implements Server.
-func (s *ClassicNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) {
+func (s *ClassicNameServer) QueryIP(ctx context.Context, domain string, option dns_feature.IPOption) ([]net.IP, uint32, error) {
 	fqdn := Fqdn(domain)
-	option = ResolveIpOptionOverride(s.queryStrategy, option)
-	if !option.IPv4Enable && !option.IPv6Enable {
-		return nil, dns_feature.ErrEmptyResponse
-	}
+	sub4, sub6 := s.cacheController.registerSubscribers(fqdn, option)
+	defer closeSubscribers(sub4, sub6)

-	if disableCache {
-		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.name)
+	if s.cacheController.disableCache {
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying IP for ", domain, " at ", s.Name())
 	} else {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err == nil || err == dns_feature.ErrEmptyResponse {
-			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", ips)
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
-			return ips, err
+		ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+		if !go_errors.Is(err, errRecordNotFound) {
+			errors.LogDebugInner(ctx, err, s.Name(), " cache HIT ", domain, " -> ", ips)
+			log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSCacheHit, Elapsed: 0, Error: err})
+			return ips, ttl, err
 		}
 	}

-	// ipv4 and ipv6 belong to different subscription groups
-	var sub4, sub6 *pubsub.Subscriber
-	if option.IPv4Enable {
-		sub4 = s.pub.Subscribe(fqdn + "4")
-		defer sub4.Close()
-	}
-	if option.IPv6Enable {
-		sub6 = s.pub.Subscribe(fqdn + "6")
-		defer sub6.Close()
-	}
-	done := make(chan interface{})
-	go func() {
-		if sub4 != nil {
-			select {
-			case <-sub4.Wait():
-			case <-ctx.Done():
-			}
-		}
-		if sub6 != nil {
-			select {
-			case <-sub6.Wait():
-			case <-ctx.Done():
-			}
-		}
-		close(done)
-	}()
-	s.sendQuery(ctx, fqdn, clientIP, option)
+	noResponseErrCh := make(chan error, 2)
+	s.sendQuery(ctx, noResponseErrCh, fqdn, option)
 	start := time.Now()

-	for {
-		ips, err := s.findIPsForDomain(fqdn, option)
-		if err != errRecordNotFound {
-			log.Record(&log.DNSLog{Server: s.name, Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
-			return ips, err
-		}
-
+	if sub4 != nil {
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
-		case <-done:
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub4.Wait():
+			sub4.Close()
 		}
 	}
+	if sub6 != nil {
+		select {
+		case <-ctx.Done():
+			return nil, 0, ctx.Err()
+		case err := <-noResponseErrCh:
+			return nil, 0, err
+		case <-sub6.Wait():
+			sub6.Close()
+		}
+	}
+
+	ips, ttl, err := s.cacheController.findIPsForDomain(fqdn, option)
+	log.Record(&log.DNSLog{Server: s.Name(), Domain: domain, Result: ips, Status: log.DNSQueried, Elapsed: time.Since(start), Error: err})
+	return ips, ttl, err
+
 }
--- a/app/proxyman/inbound/worker.go
+++ b/app/proxyman/inbound/worker.go
@ -324,6 +324,7 @@ func (w *udpWorker) callback(b *buf.Buffer, source net.Destination, originalDest
 			if w.sniffingConfig != nil {
 				content.SniffingRequest.Enabled = w.sniffingConfig.Enabled
 				content.SniffingRequest.OverrideDestinationForProtocol = w.sniffingConfig.DestinationOverride
+				content.SniffingRequest.ExcludeForDomain = w.sniffingConfig.DomainsExcluded
 				content.SniffingRequest.MetadataOnly = w.sniffingConfig.MetadataOnly
 				content.SniffingRequest.RouteOnly = w.sniffingConfig.RouteOnly
 			}
--- a/app/proxyman/outbound/handler.go
+++ b/app/proxyman/outbound/handler.go
@ -241,7 +241,9 @@ func (h *Handler) DestIpAddress() net.IP {
 // Dial implements internet.Dialer.
 func (h *Handler) Dial(ctx context.Context, dest net.Destination) (stat.Connection, error) {
 	if h.senderSettings != nil {
+
 		if h.senderSettings.ProxySettings.HasTag() {
+
 			tag := h.senderSettings.ProxySettings.Tag
 			handler := h.outboundManager.GetHandler(tag)
 			if handler != nil {
@ -270,22 +272,40 @@ func (h *Handler) Dial(ctx context.Context, dest net.Destination) (stat.Connecti
 		}

 		if h.senderSettings.Via != nil {
+
 			outbounds := session.OutboundsFromContext(ctx)
 			ob := outbounds[len(outbounds)-1]
-			if h.senderSettings.ViaCidr == "" {
-				if h.senderSettings.Via.AsAddress().Family().IsDomain() && h.senderSettings.Via.AsAddress().Domain() == "origin" {
-					if inbound := session.InboundFromContext(ctx); inbound != nil {
-						origin, _, err := net.SplitHostPort(inbound.Conn.LocalAddr().String())
-						if err == nil {
-							ob.Gateway = net.ParseAddress(origin)
-						}
-					}
-				} else {
-					ob.Gateway = h.senderSettings.Via.AsAddress()
-				}
-			} else { //Get a random address.
-				ob.Gateway = ParseRandomIPv6(h.senderSettings.Via.AsAddress(), h.senderSettings.ViaCidr)
+			addr := h.senderSettings.Via.AsAddress()
+			var domain string
+			if addr.Family().IsDomain() {
+				domain = addr.Domain()
 			}
+			switch {
+			case h.senderSettings.ViaCidr != "":
+				ob.Gateway = ParseRandomIP(addr, h.senderSettings.ViaCidr)
+
+			case domain == "origin":
+
+				if inbound := session.InboundFromContext(ctx); inbound != nil {
+					origin, _, err := net.SplitHostPort(inbound.Conn.LocalAddr().String())
+					if err == nil {
+						ob.Gateway = net.ParseAddress(origin)
+					}
+
+				}
+			case domain == "srcip":
+				if inbound := session.InboundFromContext(ctx); inbound != nil {
+					srcip, _, err := net.SplitHostPort(inbound.Conn.RemoteAddr().String())
+					if err == nil {
+						ob.Gateway = net.ParseAddress(srcip)
+					}
+				}
+			//case addr.Family().IsDomain():
+			default:
+				ob.Gateway = addr
+
+			}
+
 		}
 	}

@ -325,23 +345,25 @@ func (h *Handler) Start() error {
 // Close implements common.Closable.
 func (h *Handler) Close() error {
 	common.Close(h.mux)
+	common.Close(h.proxy)
 	return nil
 }

-func ParseRandomIPv6(address net.Address, prefix string) net.Address {
-	_, network, _ := gonet.ParseCIDR(address.IP().String() + "/" + prefix)
+func ParseRandomIP(addr net.Address, prefix string) net.Address {

-	maskSize, totalBits := network.Mask.Size()
-	subnetSize := big.NewInt(1).Lsh(big.NewInt(1), uint(totalBits-maskSize))
+	_, ipnet, _ := gonet.ParseCIDR(addr.IP().String() + "/" + prefix)

-	// random
-	randomBigInt, _ := rand.Int(rand.Reader, subnetSize)
+	ones, bits := ipnet.Mask.Size()
+	subnetSize := new(big.Int).Lsh(big.NewInt(1), uint(bits-ones))

-	startIPBigInt := big.NewInt(0).SetBytes(network.IP.To16())
-	randomIPBigInt := big.NewInt(0).Add(startIPBigInt, randomBigInt)
+	rnd, _ := rand.Int(rand.Reader, subnetSize)

-	randomIPBytes := randomIPBigInt.Bytes()
-	randomIPBytes = append(make([]byte, 16-len(randomIPBytes)), randomIPBytes...)
+	startInt := new(big.Int).SetBytes(ipnet.IP)
+	rndInt := new(big.Int).Add(startInt, rnd)

-	return net.ParseAddress(gonet.IP(randomIPBytes).String())
+	rndBytes := rndInt.Bytes()
+	padded := make([]byte, len(ipnet.IP))
+	copy(padded[len(padded)-len(rndBytes):], rndBytes)
+
+	return net.ParseAddress(gonet.IP(padded).String())
 }
--- a/app/router/condition.go
+++ b/app/router/condition.go
@ -119,7 +119,7 @@ type MultiGeoIPMatcher struct {
 func NewMultiGeoIPMatcher(geoips []*GeoIP, onSource bool) (*MultiGeoIPMatcher, error) {
 	var matchers []*GeoIPMatcher
 	for _, geoip := range geoips {
-		matcher, err := globalGeoIPContainer.Add(geoip)
+		matcher, err := GlobalGeoIPContainer.Add(geoip)
 		if err != nil {
 			return nil, err
 		}
--- a/app/router/condition_geoip.go
+++ b/app/router/condition_geoip.go
@ -115,4 +115,4 @@ func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) {
 	return m, nil
 }

-var globalGeoIPContainer GeoIPMatcherContainer
+var GlobalGeoIPContainer GeoIPMatcherContainer
--- a/app/router/router_test.go
+++ b/app/router/router_test.go
@ -177,7 +177,7 @@ func TestIPOnDemand(t *testing.T) {
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}).Return([]net.IP{{192, 168, 0, 1}}, nil).AnyTimes()
+	}).Return([]net.IP{{192, 168, 0, 1}}, uint32(600), nil).AnyTimes()

 	r := new(Router)
 	common.Must(r.Init(context.TODO(), config, mockDNS, nil, nil))
@ -222,7 +222,7 @@ func TestIPIfNonMatchDomain(t *testing.T) {
 		IPv4Enable: true,
 		IPv6Enable: true,
 		FakeEnable: false,
-	}).Return([]net.IP{{192, 168, 0, 1}}, nil).AnyTimes()
+	}).Return([]net.IP{{192, 168, 0, 1}}, uint32(600), nil).AnyTimes()

 	r := new(Router)
 	common.Must(r.Init(context.TODO(), config, mockDNS, nil, nil))
--- a/app/stats/online_map.go
+++ b/app/stats/online_map.go
@ -40,11 +40,11 @@ func (c *OnlineMap) AddIP(ip string) {
 	if ip == "127.0.0.1" {
 		return
 	}
+	c.access.Lock()
 	if _, ok := list[ip]; !ok {
-		c.access.Lock()
 		list[ip] = time.Now()
-		c.access.Unlock()
 	}
+	c.access.Unlock()
 	if time.Since(c.lastCleanup) > c.cleanupPeriod {
 		list = c.RemoveExpiredIPs(list)
 		c.lastCleanup = time.Now()
--- a/common/buf/buffer.go
+++ b/common/buf/buffer.go
@ -13,8 +13,19 @@ const (
 	Size = 8192
 )

+var zero = [Size * 10]byte{0}
+
 var pool = bytespool.GetPool(Size)

+// ownership represents the data owner of the buffer.
+type ownership uint8
+
+const (
+	managed ownership = iota
+	unmanaged
+	bytespools
+)
+
 // Buffer is a recyclable allocation of a byte array. Buffer.Release() recycles
 // the buffer into an internal buffer pool, in order to recreate a buffer more
 // quickly.
@ -22,11 +33,11 @@ type Buffer struct {
 	v         []byte
 	start     int32
 	end       int32
-	unmanaged bool
+	ownership ownership
 	UDP       *net.Destination
 }

-// New creates a Buffer with 0 length and 8K capacity.
+// New creates a Buffer with 0 length and 8K capacity, managed.
 func New() *Buffer {
 	buf := pool.Get().([]byte)
 	if cap(buf) >= Size {
@ -40,7 +51,7 @@ func New() *Buffer {
 	}
 }

-// NewExisted creates a managed, standard size Buffer with an existed bytearray
+// NewExisted creates a standard size Buffer with an existed bytearray, managed.
 func NewExisted(b []byte) *Buffer {
 	if cap(b) < Size {
 		panic("Invalid buffer")
@ -57,16 +68,16 @@ func NewExisted(b []byte) *Buffer {
 	}
 }

-// FromBytes creates a Buffer with an existed bytearray
+// FromBytes creates a Buffer with an existed bytearray, unmanaged.
 func FromBytes(b []byte) *Buffer {
 	return &Buffer{
 		v:         b,
 		end:       int32(len(b)),
-		unmanaged: true,
+		ownership: unmanaged,
 	}
 }

-// StackNew creates a new Buffer object on stack.
+// StackNew creates a new Buffer object on stack, managed.
 // This method is for buffers that is released in the same function.
 func StackNew() Buffer {
 	buf := pool.Get().([]byte)
@ -81,9 +92,17 @@ func StackNew() Buffer {
 	}
 }

+// NewWithSize creates a Buffer with 0 length and capacity with at least the given size, bytespool's.
+func NewWithSize(size int32) *Buffer {
+	return &Buffer{
+		v:         bytespool.Alloc(size),
+		ownership: bytespools,
+	}
+}
+
 // Release recycles the buffer into an internal buffer pool.
 func (b *Buffer) Release() {
-	if b == nil || b.v == nil || b.unmanaged {
+	if b == nil || b.v == nil || b.ownership == unmanaged {
 		return
 	}

@ -91,8 +110,13 @@ func (b *Buffer) Release() {
 	b.v = nil
 	b.Clear()

-	if cap(p) == Size {
-		pool.Put(p)
+	switch b.ownership {
+	case managed:
+		if cap(p) == Size {
+			pool.Put(p)
+		}
+	case bytespools:
+		bytespool.Free(p)
 	}
 	b.UDP = nil
 }
@ -128,6 +152,7 @@ func (b *Buffer) Extend(n int32) []byte {
 	}
 	ext := b.v[b.end:end]
 	b.end = end
+	copy(ext, zero[:])
 	return ext
 }

@ -176,6 +201,7 @@ func (b *Buffer) Check() {

 // Resize cuts the buffer at the given position.
 func (b *Buffer) Resize(from, to int32) {
+	oldEnd := b.end
 	if from < 0 {
 		from += b.Len()
 	}
@ -188,6 +214,9 @@ func (b *Buffer) Resize(from, to int32) {
 	b.end = b.start + to
 	b.start += from
 	b.Check()
+	if b.end > oldEnd {
+		copy(b.v[oldEnd:b.end], zero[:])
+	}
 }

 // Advance cuts the buffer at the given position.
@ -215,13 +244,6 @@ func (b *Buffer) Cap() int32 {
 	return int32(len(b.v))
 }

-// NewWithSize creates a Buffer with 0 length and capacity with at least the given size.
-func NewWithSize(size int32) *Buffer {
-	return &Buffer{
-		v: bytespool.Alloc(size),
-	}
-}
-
 // IsEmpty returns true if the buffer is empty.
 func (b *Buffer) IsEmpty() bool {
 	return b.Len() == 0
--- a/common/crypto/crypto.go
+++ b/common/crypto/crypto.go
@ -1,2 +1,15 @@
 // Package crypto provides common crypto libraries for Xray.
 package crypto // import "github.com/xtls/xray-core/common/crypto"
+
+import (
+	"crypto/rand"
+	"math/big"
+)
+
+func RandBetween(from int64, to int64) int64 {
+	if from == to {
+		return from
+	}
+	bigInt, _ := rand.Int(rand.Reader, big.NewInt(to-from))
+	return from + bigInt.Int64()
+}
--- a/common/errors/multi_error.go
+++ b/common/errors/multi_error.go
@ -1,6 +1,7 @@
 package errors

 import (
+	"errors"
 	"strings"
 )

@ -36,12 +37,12 @@ func AllEqual(expected error, actual error) bool {
 			return false
 		}
 		for _, err := range errs {
-			if err != expected {
+			if !errors.Is(err, expected) {
 				return false
 			}
 		}
 		return true
 	default:
-		return errs == expected
+		return errors.Is(errs, expected)
 	}
 }
--- a/common/mux/server.go
+++ b/common/mux/server.go
@ -120,7 +120,7 @@ func (w *ServerWorker) handleStatusKeepAlive(meta *FrameMetadata, reader *buf.Bu
 func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata, reader *buf.BufferedReader) error {
 	// deep-clone outbounds because it is going to be mutated concurrently
 	// (Target and OriginalTarget)
-	ctx = session.ContextCloneOutbounds(ctx)
+	ctx = session.ContextCloneOutboundsAndContent(ctx)
 	errors.LogInfo(ctx, "received request for ", meta.Target)
 	{
 		msg := &log.AccessMessage{
--- a/common/net/net.go
+++ b/common/net/net.go
@ -1,2 +1,14 @@
 // Package net is a drop-in replacement to Golang's net package, with some more functionalities.
 package net // import "github.com/xtls/xray-core/common/net"
+
+import "time"
+
+// defines the maximum time an idle TCP session can survive in the tunnel, so
+// it should be consistent across HTTP versions and with other transports.
+const ConnIdleTimeout = 300 * time.Second
+
+// consistent with quic-go
+const QuicgoH3KeepAlivePeriod = 10 * time.Second
+
+// consistent with chrome
+const ChromeH2KeepAlivePeriod = 45 * time.Second
--- a/common/platform/filesystem/file.go
+++ b/common/platform/filesystem/file.go
@ -3,6 +3,7 @@ package filesystem
 import (
 	"io"
 	"os"
+	"path/filepath"

 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/platform"
@ -28,6 +29,13 @@ func ReadAsset(file string) ([]byte, error) {
 	return ReadFile(platform.GetAssetLocation(file))
 }

+func ReadCert(file string) ([]byte, error) {
+	if filepath.IsAbs(file) {
+		return ReadFile(file)
+	}
+	return ReadFile(platform.GetCertLocation(file))
+}
+
 func CopyFile(dst string, src string) error {
 	bytes, err := ReadFile(src)
 	if err != nil {
--- a/common/platform/others.go
+++ b/common/platform/others.go
@ -21,7 +21,7 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file)
 }

-// GetAssetLocation searches for `file` in certain locations
+// GetAssetLocation searches for `file` in the env dir, the executable dir, and certain locations
 func GetAssetLocation(file string) string {
 	assetPath := NewEnvFlag(AssetLocation).GetValue(getExecutableDir)
 	defPath := filepath.Join(assetPath, file)
@ -42,3 +42,9 @@ func GetAssetLocation(file string) string {
 	// asset not found, let the caller throw out the error
 	return defPath
 }
+
+// GetCertLocation searches for `file` in the env dir and the executable dir
+func GetCertLocation(file string) string {
+	certPath := NewEnvFlag(CertLocation).GetValue(getExecutableDir)
+	return filepath.Join(certPath, file)
+}
--- a/common/platform/platform.go
+++ b/common/platform/platform.go
@ -13,6 +13,7 @@ const (
 	ConfdirLocation = "xray.location.confdir"
 	ToolLocation    = "xray.location.tool"
 	AssetLocation   = "xray.location.asset"
+	CertLocation    = "xray.location.cert"

 	UseReadV         = "xray.buf.readv"
 	UseFreedomSplice = "xray.buf.splice"
--- a/common/platform/windows.go
+++ b/common/platform/windows.go
@ -19,8 +19,14 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file+".exe")
 }

-// GetAssetLocation searches for `file` in the executable dir
+// GetAssetLocation searches for `file` in the env dir and the executable dir
 func GetAssetLocation(file string) string {
 	assetPath := NewEnvFlag(AssetLocation).GetValue(getExecutableDir)
 	return filepath.Join(assetPath, file)
 }
+
+// GetCertLocation searches for `file` in the env dir and the executable dir
+func GetCertLocation(file string) string {
+	certPath := NewEnvFlag(CertLocation).GetValue(getExecutableDir)
+	return filepath.Join(certPath, file)
+}
--- a/common/protocol/http/sniff.go
+++ b/common/protocol/http/sniff.go
@ -63,7 +63,7 @@ func SniffHTTP(b []byte, c context.Context) (*SniffHeader, error) {
 	ShouldSniffAttr := true
 	// If content.Attributes have information, that means it comes from HTTP inbound PlainHTTP mode.
 	// It will set attributes, so skip it.
-	if content == nil || content.AttributeLen() != 0 {
+	if content == nil || len(content.Attributes) != 0 {
 		ShouldSniffAttr = false
 	}
 	if err := beginWithHTTPMethod(b); err != nil {
--- a/common/protocol/protocol.go
+++ b/common/protocol/protocol.go
@ -1 +1,7 @@
 package protocol // import "github.com/xtls/xray-core/common/protocol"
+
+import (
+	"errors"
+)
+
+var ErrProtoNeedMoreData = errors.New("protocol matches, but need more data to complete sniffing")
--- a/common/protocol/quic/sniff.go
+++ b/common/protocol/quic/sniff.go
@ -1,7 +1,6 @@
 package quic

 import (
-	"context"
 	"crypto"
 	"crypto/aes"
 	"crypto/tls"
@ -11,8 +10,8 @@ import (
 	"github.com/quic-go/quic-go/quicvarint"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
-	"github.com/xtls/xray-core/common/bytespool"
 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/protocol"
 	ptls "github.com/xtls/xray-core/common/protocol/tls"
 	"golang.org/x/crypto/hkdf"
 )
@ -47,22 +46,17 @@ var (
 	errNotQuicInitial = errors.New("not initial packet")
 )

-func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
-	// In extremely rare cases, this sniffer may cause slice error
-	// and we set recover() here to prevent crash.
-	// TODO: Thoroughly fix this panic
-	defer func() {
-		if r := recover(); r != nil {
-			errors.LogError(context.Background(), "Failed to sniff QUIC: ", r)
-			resultReturn = nil
-			errorReturn = common.ErrNoClue
-		}
-	}()
+func SniffQUIC(b []byte) (*SniffHeader, error) {
+	if len(b) == 0 {
+		return nil, common.ErrNoClue
+	}

 	// Crypto data separated across packets
-	cryptoLen := 0
-	cryptoData := bytespool.Alloc(int32(len(b)))
-	defer bytespool.Free(cryptoData)
+	cryptoLen := int32(0)
+	cryptoDataBuf := buf.NewWithSize(32767)
+	defer cryptoDataBuf.Release()
+	cache := buf.New()
+	defer cache.Release()

 	// Parse QUIC packets
 	for len(b) > 0 {
@ -105,13 +99,15 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			return nil, errNotQuic
 		}

-		tokenLen, err := quicvarint.Read(buffer)
-		if err != nil || tokenLen > uint64(len(b)) {
-			return nil, errNotQuic
-		}
+		if isQuicInitial { // Only initial packets have token, see https://datatracker.ietf.org/doc/html/rfc9000#section-17.2.2
+			tokenLen, err := quicvarint.Read(buffer)
+			if err != nil || tokenLen > uint64(len(b)) {
+				return nil, errNotQuic
+			}

-		if _, err = buffer.ReadBytes(int32(tokenLen)); err != nil {
-			return nil, errNotQuic
+			if _, err = buffer.ReadBytes(int32(tokenLen)); err != nil {
+				return nil, errNotQuic
+			}
 		}

 		packetLen, err := quicvarint.Read(buffer)
@ -130,9 +126,6 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			continue
 		}

-		origPNBytes := make([]byte, 4)
-		copy(origPNBytes, b[hdrLen:hdrLen+4])
-
 		var salt []byte
 		if versionNumber == version1 {
 			salt = quicSalt
@ -147,44 +140,34 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 			return nil, err
 		}

-		cache := buf.New()
-		defer cache.Release()
-
+		cache.Clear()
 		mask := cache.Extend(int32(block.BlockSize()))
-		block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16])
+		block.Encrypt(mask, b[hdrLen+4:hdrLen+4+len(mask)])
 		b[0] ^= mask[0] & 0xf
-		for i := range b[hdrLen : hdrLen+4] {
+		packetNumberLength := int(b[0]&0x3 + 1)
+		for i := range packetNumberLength {
 			b[hdrLen+i] ^= mask[i+1]
 		}
-		packetNumberLength := b[0]&0x3 + 1
-		if packetNumberLength != 1 {
-			return nil, errNotQuicInitial
-		}
-		var packetNumber uint32
-		{
-			n, err := buffer.ReadByte()
-			if err != nil {
-				return nil, err
-			}
-			packetNumber = uint32(n)
-		}
-
-		extHdrLen := hdrLen + int(packetNumberLength)
-		copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
-		data := b[extHdrLen : int(packetLen)+hdrLen]

 		key := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
 		iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
 		cipher := AEADAESGCMTLS13(key, iv)
+
 		nonce := cache.Extend(int32(cipher.NonceSize()))
-		binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
+		_, err = buffer.Read(nonce[len(nonce)-packetNumberLength:])
+		if err != nil {
+			return nil, err
+		}
+
+		extHdrLen := hdrLen + packetNumberLength
+		data := b[extHdrLen : int(packetLen)+hdrLen]
 		decrypted, err := cipher.Open(b[extHdrLen:extHdrLen], nonce, data, b[:extHdrLen])
 		if err != nil {
 			return nil, err
 		}
 		buffer = buf.FromBytes(decrypted)
-		for i := 0; !buffer.IsEmpty(); i++ {
-			frameType := byte(0x0) // Default to PADDING frame
+		for !buffer.IsEmpty() {
+			frameType, _ := buffer.ReadByte()
 			for frameType == 0x0 && !buffer.IsEmpty() {
 				frameType, _ = buffer.ReadByte()
 			}
@ -233,16 +216,15 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 				if err != nil || length > uint64(buffer.Len()) {
 					return nil, io.ErrUnexpectedEOF
 				}
-				if cryptoLen < int(offset+length) {
-					cryptoLen = int(offset + length)
-					if len(cryptoData) < cryptoLen {
-						newCryptoData := bytespool.Alloc(int32(cryptoLen))
-						copy(newCryptoData, cryptoData)
-						bytespool.Free(cryptoData)
-						cryptoData = newCryptoData
+				currentCryptoLen := int32(offset + length)
+				if cryptoLen < currentCryptoLen {
+					if cryptoDataBuf.Cap() < currentCryptoLen {
+						return nil, io.ErrShortBuffer
 					}
+					cryptoDataBuf.Extend(currentCryptoLen - cryptoLen)
+					cryptoLen = currentCryptoLen
 				}
-				if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
+				if _, err := buffer.Read(cryptoDataBuf.BytesRange(int32(offset), currentCryptoLen)); err != nil { // Field: Crypto Data
 					return nil, io.ErrUnexpectedEOF
 				}
 			case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
@ -267,7 +249,7 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 		}

 		tlsHdr := &ptls.SniffHeader{}
-		err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
+		err = ptls.ReadClientHello(cryptoDataBuf.BytesRange(0, cryptoLen), tlsHdr)
 		if err != nil {
 			// The crypto data may have not been fully recovered in current packets,
 			// So we continue to sniff rest packets.
@ -276,7 +258,8 @@ func SniffQUIC(b []byte) (resultReturn *SniffHeader, errorReturn error) {
 		}
 		return &SniffHeader{domain: tlsHdr.Domain()}, nil
 	}
-	return nil, common.ErrNoClue
+	// All payload is parsed as valid QUIC packets, but we need more packets for crypto data to read client hello.
+	return nil, protocol.ErrProtoNeedMoreData
 }

 func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
--- a/common/protocol/quic/sniff_test.go
+++ b/common/protocol/quic/sniff_test.go
--- a/common/protocol/tls/cert/.gitignore
+++ b/common/protocol/tls/cert/.gitignore
@ -1,2 +0,0 @@
-*.crt
-*.key
--- a/common/protocol/tls/sniff.go
+++ b/common/protocol/tls/sniff.go
@ -3,9 +3,9 @@ package tls
 import (
 	"encoding/binary"
 	"errors"
-	"strings"

 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/protocol"
 )

 type SniffHeader struct {
@ -59,9 +59,6 @@ func ReadClientHello(data []byte, h *SniffHeader) error {
 	}
 	data = data[1+compressionMethodsLen:]

-	if len(data) == 0 {
-		return errNotClientHello
-	}
 	if len(data) < 2 {
 		return errNotClientHello
 	}
@ -104,13 +101,21 @@ func ReadClientHello(data []byte, h *SniffHeader) error {
 					return errNotClientHello
 				}
 				if nameType == 0 {
-					serverName := string(d[:nameLen])
+					// QUIC separated across packets
+					// May cause the serverName to be incomplete
+					b := byte(0)
+					for _, b = range d[:nameLen] {
+						if b <= ' ' {
+							return protocol.ErrProtoNeedMoreData
+						}
+					}
 					// An SNI value may not include a
 					// trailing dot. See
 					// https://tools.ietf.org/html/rfc6066#section-3.
-					if strings.HasSuffix(serverName, ".") {
+					if b == '.' {
 						return errNotClientHello
 					}
+					serverName := string(d[:nameLen])
 					h.domain = serverName
 					return nil
 				}
--- a/common/session/context.go
+++ b/common/session/context.go
@ -42,7 +42,7 @@ func ContextWithOutbounds(ctx context.Context, outbounds []*Outbound) context.Co
 	return context.WithValue(ctx, outboundSessionKey, outbounds)
 }

-func ContextCloneOutbounds(ctx context.Context) context.Context {
+func ContextCloneOutboundsAndContent(ctx context.Context) context.Context {
 	outbounds := OutboundsFromContext(ctx)
 	newOutbounds := make([]*Outbound, len(outbounds))
 	for i, ob := range outbounds {
@ -55,7 +55,15 @@ func ContextCloneOutbounds(ctx context.Context) context.Context {
 		newOutbounds[i] = &v
 	}

-	return ContextWithOutbounds(ctx, newOutbounds)
+	content := ContentFromContext(ctx)
+	newContent := Content{}
+	if content != nil {
+		newContent = *content
+		if content.Attributes != nil {
+			panic("content.Attributes != nil")
+		}
+	}
+	return ContextWithContent(ContextWithOutbounds(ctx, newOutbounds), &newContent)
 }

 func OutboundsFromContext(ctx context.Context) []*Outbound {
--- a/common/session/session.go
+++ b/common/session/session.go
@ -4,7 +4,6 @@ package session // import "github.com/xtls/xray-core/common/session"
 import (
 	"context"
 	"math/rand"
-	"sync"

 	c "github.com/xtls/xray-core/common/ctx"
 	"github.com/xtls/xray-core/common/errors"
@ -75,8 +74,8 @@ type Outbound struct {

 // SniffingRequest controls the behavior of content sniffing.
 type SniffingRequest struct {
-	ExcludeForDomain               []string
-	OverrideDestinationForProtocol []string
+	ExcludeForDomain               []string // read-only once set
+	OverrideDestinationForProtocol []string // read-only once set
 	Enabled                        bool
 	MetadataOnly                   bool
 	RouteOnly                      bool
@ -92,10 +91,6 @@ type Content struct {
 	Attributes map[string]string

 	SkipDNSResolve bool
-
-	mu sync.Mutex
-
-	isLocked bool
 }

 // Sockopt is the settings for socket connection.
@ -104,22 +99,8 @@ type Sockopt struct {
 	Mark int32
 }

-// Some how when using mux, there will be a same ctx between different requests
-// This will cause problem as it's designed for single request, like concurrent map writes
-// Add a Mutex as a temp solution
-
 // SetAttribute attaches additional string attributes to content.
 func (c *Content) SetAttribute(name string, value string) {
-	if c.isLocked {
-		errors.LogError(context.Background(), "Multiple goroutines are tring to access one routing content, tring to write ", name, ":", value)
-	}
-	c.mu.Lock()
-	c.isLocked = true
-	defer func() {
-		c.isLocked = false
-		c.mu.Unlock()
-	}()
-
 	if c.Attributes == nil {
 		c.Attributes = make(map[string]string)
 	}
@ -128,24 +109,8 @@ func (c *Content) SetAttribute(name string, value string) {

 // Attribute retrieves additional string attributes from content.
 func (c *Content) Attribute(name string) string {
-	c.mu.Lock()
-	c.isLocked = true
-	defer func() {
-		c.isLocked = false
-		c.mu.Unlock()
-	}()
 	if c.Attributes == nil {
 		return ""
 	}
 	return c.Attributes[name]
 }
-
-func (c *Content) AttributeLen() int {
-	c.mu.Lock()
-	c.isLocked = true
-	defer func() {
-		c.isLocked = false
-		c.mu.Unlock()
-	}()
-	return len(c.Attributes)
-}
--- a/core/core.go
+++ b/core/core.go
@ -18,8 +18,8 @@ import (

 var (
 	Version_x byte = 25
-	Version_y byte = 2
-	Version_z byte = 21
+	Version_y byte = 4
+	Version_z byte = 30
 )

 var (
--- a/features/dns/client.go
+++ b/features/dns/client.go
@ -21,7 +21,7 @@ type Client interface {
 	features.Feature

 	// LookupIP returns IP address for the given domain. IPs may contain IPv4 and/or IPv6 addresses.
-	LookupIP(domain string, option IPOption) ([]net.IP, error)
+	LookupIP(domain string, option IPOption) ([]net.IP, uint32, error)
 }

 type HostsLookup interface {
@ -38,6 +38,8 @@ func ClientType() interface{} {
 // ErrEmptyResponse indicates that DNS query succeeded but no answer was returned.
 var ErrEmptyResponse = errors.New("empty response")

+const DefaultTTL = 300
+
 type RCodeError uint16

 func (e RCodeError) Error() string {
--- a/features/dns/localdns/client.go
+++ b/features/dns/localdns/client.go
@ -20,41 +20,44 @@ func (*Client) Start() error { return nil }
 func (*Client) Close() error { return nil }

 // LookupIP implements Client.
-func (*Client) LookupIP(host string, option dns.IPOption) ([]net.IP, error) {
+func (*Client) LookupIP(host string, option dns.IPOption) ([]net.IP, uint32, error) {
 	ips, err := net.LookupIP(host)
 	if err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 	parsedIPs := make([]net.IP, 0, len(ips))
 	ipv4 := make([]net.IP, 0, len(ips))
 	ipv6 := make([]net.IP, 0, len(ips))
 	for _, ip := range ips {
 		parsed := net.IPAddress(ip)
-		if parsed != nil {
-			parsedIPs = append(parsedIPs, parsed.IP())
+		if parsed == nil {
+			continue
 		}
-		if len(ip) == net.IPv4len {
-			ipv4 = append(ipv4, ip)
-		}
-		if len(ip) == net.IPv6len {
-			ipv6 = append(ipv6, ip)
+		parsedIP := parsed.IP()
+		parsedIPs = append(parsedIPs, parsedIP)
+
+		if len(parsedIP) == net.IPv4len {
+			ipv4 = append(ipv4, parsedIP)
+		} else {
+			ipv6 = append(ipv6, parsedIP)
 		}
 	}
+
 	switch {
 	case option.IPv4Enable && option.IPv6Enable:
 		if len(parsedIPs) > 0 {
-			return parsedIPs, nil
+			return parsedIPs, dns.DefaultTTL, nil
 		}
 	case option.IPv4Enable:
 		if len(ipv4) > 0 {
-			return ipv4, nil
+			return ipv4, dns.DefaultTTL, nil
 		}
 	case option.IPv6Enable:
 		if len(ipv6) > 0 {
-			return ipv6, nil
+			return ipv6, dns.DefaultTTL, nil
 		}
 	}
-	return nil, dns.ErrEmptyResponse
+	return nil, 0, dns.ErrEmptyResponse
 }

 // New create a new dns.Client that queries localhost for DNS.
--- a/features/routing/dns/context.go
+++ b/features/routing/dns/context.go
@ -23,7 +23,7 @@ func (ctx *ResolvableContext) GetTargetIPs() []net.IP {
 	}

 	if domain := ctx.GetTargetDomain(); len(domain) != 0 {
-		ips, err := ctx.dnsClient.LookupIP(domain, dns.IPOption{
+		ips, _, err := ctx.dnsClient.LookupIP(domain, dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: true,
 			FakeEnable: false,
--- a/go.mod
+++ b/go.mod
@ -1,37 +1,37 @@
 module github.com/xtls/xray-core

-go 1.23
+go 1.24

 require (
 	github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0
-	github.com/cloudflare/circl v1.6.0
+	github.com/cloudflare/circl v1.6.1
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/golang/mock v1.7.0-rc.1
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/miekg/dns v1.1.63
+	github.com/miekg/dns v1.1.66
 	github.com/pelletier/go-toml v1.9.5
-	github.com/pires/go-proxyproto v0.8.0
-	github.com/quic-go/quic-go v0.50.0
-	github.com/refraction-networking/utls v1.6.7
+	github.com/pires/go-proxyproto v0.8.1
+	github.com/quic-go/quic-go v0.51.0
+	github.com/refraction-networking/utls v1.7.2
 	github.com/sagernet/sing v0.5.1
 	github.com/sagernet/sing-shadowsocks v0.2.7
 	github.com/seiflotfy/cuckoofilter v0.0.0-20240715131351-a2f2c23f1771
 	github.com/stretchr/testify v1.10.0
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
-	github.com/vishvananda/netlink v1.3.0
+	github.com/vishvananda/netlink v1.3.1
 	github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.33.0
-	golang.org/x/net v0.35.0
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
+	golang.org/x/crypto v0.38.0
+	golang.org/x/net v0.40.0
+	golang.org/x/sync v0.14.0
+	golang.org/x/sys v0.33.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	google.golang.org/grpc v1.70.0
-	google.golang.org/protobuf v1.36.5
-	gvisor.dev/gvisor v0.0.0-20240320123526-dc6abceb7ff0
+	google.golang.org/grpc v1.72.0
+	google.golang.org/protobuf v1.36.6
+	gvisor.dev/gvisor v0.0.0-20250428193742-2d800c3129d5
 	h12.io/socks v1.0.3
-	lukechampine.com/blake3 v1.3.0
+	lukechampine.com/blake3 v1.4.1
 )

 require (
@ -47,15 +47,14 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect
-	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -2,8 +2,8 @@ github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0 h1:Wo41lDOevRJS
 github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0/go.mod h1:FVGavL/QEBQDcBpr3fAojoK17xX5k9bicBphrOpP7uM=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
-github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -24,8 +24,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20240528025155-186aa0362fba h1:ql1qNgCyOB7iAEk8JTNM+zJrgIbnyCKX/wdlyPufP5g=
 github.com/google/pprof v0.0.0-20240528025155-186aa0362fba/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@ -38,8 +38,8 @@ github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0N
 github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
+github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
@ -48,16 +48,16 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
-github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.50.0 h1:3H/ld1pa3CYhkcc20TPIyG1bNsdhn9qZBGN3b9/UyUo=
-github.com/quic-go/quic-go v0.50.0/go.mod h1:Vim6OmUvlYdwBhXP9ZVrtGmCMWa3wEqhq3NgYrI8b4E=
-github.com/refraction-networking/utls v1.6.7 h1:zVJ7sP1dJx/WtVuITug3qYUq034cDq9B2MR1K67ULZM=
-github.com/refraction-networking/utls v1.6.7/go.mod h1:BC3O4vQzye5hqpmDTWUqi4P5DDhzJfkV1tdqtawQIH0=
+github.com/quic-go/quic-go v0.51.0 h1:K8exxe9zXxeRKxaXxi/GpUqYiTrtdiWP8bo1KFya6Wc=
+github.com/quic-go/quic-go v0.51.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
+github.com/refraction-networking/utls v1.7.2 h1:XOgYzit7lAKaa7kzAO5BJR9l4X/H200eVUD4s8SF8/s=
+github.com/refraction-networking/utls v1.7.2/go.mod h1:TUhh27RHMGtQvjQq+RyO11P6ZNQNBb3N0v7wsEjKAIQ=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
 github.com/sagernet/sing v0.5.1 h1:mhL/MZVq0TjuvHcpYcFtmSD1BFOxZ/+8ofbNZcg1k1Y=
@ -72,45 +72,45 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e h1:5QefA066A1tF8gHIiADmOVOV5LS43gt3ONnlEl3xkwI=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e/go.mod h1:5t19P9LBIrNamL6AcMQOncg/r10y3Pc01AbHeMhwlpU=
-github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
-github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
+github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d h1:+B97uD9uHLgAAulhigmys4BVwZZypzK7gPN3WtpgRJg=
 github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d/go.mod h1:dm4y/1QwzjGaK17ofi0Vs6NpKAHegZky8qk6J2JJZAE=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
-go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
-go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
-go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
-go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
-go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
-go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
-go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc h1:O9NuF4s+E/PvMIy+9IUZB9znFwUIXEWSstNjek6VpVg=
-golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -119,21 +119,21 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -141,12 +141,12 @@ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeu
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a h1:hgh8P4EuoxpsuKMXX/To36nOFD7vixReXgn8lPGnt+o=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
-google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
+google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
+google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@ -156,9 +156,9 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20240320123526-dc6abceb7ff0 h1:P+U/06iIKPQ3DLcg+zBfSCia1luZ2msPZrJ8jYDFPs0=
-gvisor.dev/gvisor v0.0.0-20240320123526-dc6abceb7ff0/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
+gvisor.dev/gvisor v0.0.0-20250428193742-2d800c3129d5 h1:sfK5nHuG7lRFZ2FdTT3RimOqWBg8IrVm+/Vko1FVOsk=
+gvisor.dev/gvisor v0.0.0-20250428193742-2d800c3129d5/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
 h12.io/socks v1.0.3 h1:Ka3qaQewws4j4/eDQnOdpr4wXsC//dXtWvftlIcCQUo=
 h12.io/socks v1.0.3/go.mod h1:AIhxy1jOId/XCz9BO+EIgNL2rQiPTBNnOfnVnQ+3Eck=
-lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
-lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
+lukechampine.com/blake3 v1.4.1 h1:I3Smz7gso8w4/TunLKec6K2fn+kyKtDxr/xcQEN84Wg=
+lukechampine.com/blake3 v1.4.1/go.mod h1:QFosUxmjB8mnrWFSNwKmvxHpfY72bmD2tQ0kBMM3kwo=
--- a/infra/conf/cfgcommon/duration/duration.go
+++ b/infra/conf/cfgcommon/duration/duration.go
@ -8,11 +8,13 @@ import (

 type Duration int64

+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
 func (d *Duration) MarshalJSON() ([]byte, error) {
 	dr := time.Duration(*d)
 	return json.Marshal(dr.String())
 }

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (d *Duration) UnmarshalJSON(b []byte) error {
 	var v interface{}
 	if err := json.Unmarshal(b, &v); err != nil {
--- a/infra/conf/common.go
+++ b/infra/conf/common.go
@ -23,6 +23,7 @@ func (v StringList) Len() int {
 	return len(v)
 }

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (v *StringList) UnmarshalJSON(data []byte) error {
 	var strarray []string
 	if err := json.Unmarshal(data, &strarray); err == nil {
@ -43,10 +44,12 @@ type Address struct {
 	net.Address
 }

-func (v Address) MarshalJSON() ([]byte, error) {
+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (v *Address) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.Address.String())
 }

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (v *Address) UnmarshalJSON(data []byte) error {
 	var rawStr string
 	if err := json.Unmarshal(data, &rawStr); err != nil {
@ -81,6 +84,7 @@ func (v Network) Build() net.Network {

 type NetworkList []Network

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (v *NetworkList) UnmarshalJSON(data []byte) error {
 	var strarray []Network
 	if err := json.Unmarshal(data, &strarray); err == nil {
@ -169,6 +173,19 @@ func (v *PortRange) Build() *net.PortRange {
 	}
 }

+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (v *PortRange) MarshalJSON() ([]byte, error) {
+	return json.Marshal(v.String())
+}
+
+func (port *PortRange) String() string {
+	if port.From == port.To {
+		return strconv.Itoa(int(port.From))
+	} else {
+		return fmt.Sprintf("%d-%d", port.From, port.To)
+	}
+}
+
 // UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (v *PortRange) UnmarshalJSON(data []byte) error {
 	port, err := parseIntPort(data)
@ -203,20 +220,21 @@ func (list *PortList) Build() *net.PortList {
 	return portList
 }

-func (v PortList) MarshalJSON() ([]byte, error) {
-	return json.Marshal(v.String())
+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (v *PortList) MarshalJSON() ([]byte, error) {
+	portStr := v.String()
+	port, err := strconv.Atoi(portStr)
+	if err == nil {
+		return json.Marshal(port)
+	} else {
+		return json.Marshal(portStr)
+	}
 }

 func (v PortList) String() string {
 	ports := []string{}
 	for _, port := range v.Range {
-		if port.From == port.To {
-			p := strconv.Itoa(int(port.From))
-			ports = append(ports, p)
-		} else {
-			p := fmt.Sprintf("%d-%d", port.From, port.To)
-			ports = append(ports, p)
-		}
+		ports = append(ports, port.String())
 	}
 	return strings.Join(ports, ",")
 }
@ -277,7 +295,8 @@ type Int32Range struct {
 	To    int32
 }

-func (v Int32Range) MarshalJSON() ([]byte, error) {
+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (v *Int32Range) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
 }

@ -289,6 +308,7 @@ func (v Int32Range) String() string {
 	}
 }

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (v *Int32Range) UnmarshalJSON(data []byte) error {
 	defer v.ensureOrder()
 	var str string
--- a/infra/conf/dns.go
+++ b/infra/conf/dns.go
@ -12,15 +12,20 @@ import (
 )

 type NameServerConfig struct {
-	Address       *Address   `json:"address"`
-	ClientIP      *Address   `json:"clientIp"`
-	Port          uint16     `json:"port"`
-	SkipFallback  bool       `json:"skipFallback"`
-	Domains       []string   `json:"domains"`
-	ExpectIPs     StringList `json:"expectIps"`
-	QueryStrategy string     `json:"queryStrategy"`
+	Address            *Address   `json:"address"`
+	ClientIP           *Address   `json:"clientIp"`
+	Port               uint16     `json:"port"`
+	SkipFallback       bool       `json:"skipFallback"`
+	Domains            []string   `json:"domains"`
+	ExpectedIPs        StringList `json:"expectedIPs"`
+	ExpectIPs          StringList `json:"expectIPs"`
+	QueryStrategy      string     `json:"queryStrategy"`
+	AllowUnexpectedIPs bool       `json:"allowUnexpectedIps"`
+	Tag                string     `json:"tag"`
+	TimeoutMs          uint64     `json:"timeoutMs"`
 }

+// UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (c *NameServerConfig) UnmarshalJSON(data []byte) error {
 	var address Address
 	if err := json.Unmarshal(data, &address); err == nil {
@ -29,13 +34,17 @@ func (c *NameServerConfig) UnmarshalJSON(data []byte) error {
 	}

 	var advanced struct {
-		Address       *Address   `json:"address"`
-		ClientIP      *Address   `json:"clientIp"`
-		Port          uint16     `json:"port"`
-		SkipFallback  bool       `json:"skipFallback"`
-		Domains       []string   `json:"domains"`
-		ExpectIPs     StringList `json:"expectIps"`
-		QueryStrategy string     `json:"queryStrategy"`
+		Address            *Address   `json:"address"`
+		ClientIP           *Address   `json:"clientIp"`
+		Port               uint16     `json:"port"`
+		SkipFallback       bool       `json:"skipFallback"`
+		Domains            []string   `json:"domains"`
+		ExpectedIPs        StringList `json:"expectedIPs"`
+		ExpectIPs          StringList `json:"expectIPs"`
+		QueryStrategy      string     `json:"queryStrategy"`
+		AllowUnexpectedIPs bool       `json:"allowUnexpectedIps"`
+		Tag                string     `json:"tag"`
+		TimeoutMs          uint64     `json:"timeoutMs"`
 	}
 	if err := json.Unmarshal(data, &advanced); err == nil {
 		c.Address = advanced.Address
@ -43,8 +52,12 @@ func (c *NameServerConfig) UnmarshalJSON(data []byte) error {
 		c.Port = advanced.Port
 		c.SkipFallback = advanced.SkipFallback
 		c.Domains = advanced.Domains
+		c.ExpectedIPs = advanced.ExpectedIPs
 		c.ExpectIPs = advanced.ExpectIPs
 		c.QueryStrategy = advanced.QueryStrategy
+		c.AllowUnexpectedIPs = advanced.AllowUnexpectedIPs
+		c.Tag = advanced.Tag
+		c.TimeoutMs = advanced.TimeoutMs
 		return nil
 	}

@ -92,9 +105,13 @@ func (c *NameServerConfig) Build() (*dns.NameServer, error) {
 		})
 	}

-	geoipList, err := ToCidrList(c.ExpectIPs)
+	var expectedIPs = c.ExpectedIPs
+	if len(expectedIPs) == 0 {
+		expectedIPs = c.ExpectIPs
+	}
+	geoipList, err := ToCidrList(expectedIPs)
 	if err != nil {
-		return nil, errors.New("invalid IP rule: ", c.ExpectIPs).Base(err)
+		return nil, errors.New("invalid IP rule: ", expectedIPs).Base(err)
 	}

 	var myClientIP []byte
@ -111,12 +128,15 @@ func (c *NameServerConfig) Build() (*dns.NameServer, error) {
 			Address: c.Address.Build(),
 			Port:    uint32(c.Port),
 		},
-		ClientIp:          myClientIP,
-		SkipFallback:      c.SkipFallback,
-		PrioritizedDomain: domains,
-		Geoip:             geoipList,
-		OriginalRules:     originalRules,
-		QueryStrategy:     resolveQueryStrategy(c.QueryStrategy),
+		ClientIp:           myClientIP,
+		SkipFallback:       c.SkipFallback,
+		PrioritizedDomain:  domains,
+		Geoip:              geoipList,
+		OriginalRules:      originalRules,
+		QueryStrategy:      resolveQueryStrategy(c.QueryStrategy),
+		AllowUnexpectedIPs: c.AllowUnexpectedIPs,
+		Tag:                c.Tag,
+		TimeoutMs:          c.TimeoutMs,
 	}, nil
 }

@ -144,6 +164,18 @@ type HostAddress struct {
 	addrs []*Address
 }

+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (h *HostAddress) MarshalJSON() ([]byte, error) {
+	if (h.addr != nil) != (h.addrs != nil) {
+		if h.addr != nil {
+			return json.Marshal(h.addr)
+		} else if h.addrs != nil {
+			return json.Marshal(h.addrs)
+		}
+	}
+	return nil, errors.New("unexpected config state")
+}
+
 // UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (h *HostAddress) UnmarshalJSON(data []byte) error {
 	addr := new(Address)
@ -189,6 +221,11 @@ func getHostMapping(ha *HostAddress) *dns.Config_HostMapping {
 	}
 }

+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (m *HostsWrapper) MarshalJSON() ([]byte, error) {
+	return json.Marshal(m.Hosts)
+}
+
 // UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (m *HostsWrapper) UnmarshalJSON(data []byte) error {
 	hosts := make(map[string]*HostAddress)
--- a/infra/conf/fakedns.go
+++ b/infra/conf/fakedns.go
@ -20,6 +20,18 @@ type FakeDNSConfig struct {
 	pools []*FakeDNSPoolElementConfig
 }

+// MarshalJSON implements encoding/json.Marshaler.MarshalJSON
+func (f *FakeDNSConfig) MarshalJSON() ([]byte, error) {
+	if (f.pool != nil) != (f.pools != nil) {
+		if f.pool != nil {
+			return json.Marshal(f.pool)
+		} else if f.pools != nil {
+			return json.Marshal(f.pools)
+		}
+	}
+	return nil, errors.New("unexpected config state")
+}
+
 // UnmarshalJSON implements encoding/json.Unmarshaler.UnmarshalJSON
 func (f *FakeDNSConfig) UnmarshalJSON(data []byte) error {
 	var pool FakeDNSPoolElementConfig
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@ -334,7 +334,7 @@ func (c *SplitHTTPConfig) Build() (proto.Message, error) {

 func readFileOrString(f string, s []string) ([]byte, error) {
 	if len(f) > 0 {
-		return filesystem.ReadFile(f)
+		return filesystem.ReadCert(f)
 	}
 	if len(s) > 0 {
 		return []byte(strings.Join(s, "\n")), nil
@ -502,6 +502,7 @@ type REALITYConfig struct {

 	Fingerprint string `json:"fingerprint"`
 	ServerName  string `json:"serverName"`
+	Password    string `json:"password"`
 	PublicKey   string `json:"publicKey"`
 	ShortId     string `json:"shortId"`
 	SpiderX     string `json:"spiderX"`
@ -610,11 +611,14 @@ func (c *REALITYConfig) Build() (proto.Message, error) {
 		if len(c.ServerNames) != 0 {
 			return nil, errors.New(`non-empty "serverNames", please use "serverName" instead`)
 		}
+		if c.Password != "" {
+			c.PublicKey = c.Password
+		}
 		if c.PublicKey == "" {
-			return nil, errors.New(`empty "publicKey"`)
+			return nil, errors.New(`empty "password"`)
 		}
 		if config.PublicKey, err = base64.RawURLEncoding.DecodeString(c.PublicKey); err != nil || len(config.PublicKey) != 32 {
-			return nil, errors.New(`invalid "publicKey": `, c.PublicKey)
+			return nil, errors.New(`invalid "password": `, c.PublicKey)
 		}
 		if len(c.ShortIds) != 0 {
 			return nil, errors.New(`non-empty "shortIds", please use "shortId" instead`)
@ -687,10 +691,12 @@ func (p TransportProtocol) Build() (string, error) {
 }

 type CustomSockoptConfig struct {
-	Level string `json:"level"`
-	Opt   string `json:"opt"`
-	Value string `json:"value"`
-	Type  string `json:"type"`
+	Syetem  string `json:"system"`
+	Network string `json:"network"`
+	Level   string `json:"level"`
+	Opt     string `json:"opt"`
+	Value   string `json:"value"`
+	Type    string `json:"type"`
 }

 type SocketConfig struct {
@ -711,6 +717,7 @@ type SocketConfig struct {
 	Interface            string                 `json:"interface"`
 	TcpMptcp             bool                   `json:"tcpMptcp"`
 	CustomSockopt        []*CustomSockoptConfig `json:"customSockopt"`
+	AddressPortStrategy  string                 `json:"addressPortStrategy"`
 }

 // Build implements Buildable.
@ -772,14 +779,36 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {

 	for _, copt := range c.CustomSockopt {
 		customSockopt := &internet.CustomSockopt{
-			Level: copt.Level,
-			Opt:   copt.Opt,
-			Value: copt.Value,
-			Type:  copt.Type,
+			System:  copt.Syetem,
+			Network: copt.Network,
+			Level:   copt.Level,
+			Opt:     copt.Opt,
+			Value:   copt.Value,
+			Type:    copt.Type,
 		}
 		customSockopts = append(customSockopts, customSockopt)
 	}

+	addressPortStrategy := internet.AddressPortStrategy_None
+	switch strings.ToLower(c.AddressPortStrategy) {
+	case "none", "":
+		addressPortStrategy = internet.AddressPortStrategy_None
+	case "srvportonly":
+		addressPortStrategy = internet.AddressPortStrategy_SrvPortOnly
+	case "srvaddressonly":
+		addressPortStrategy = internet.AddressPortStrategy_SrvAddressOnly
+	case "srvportandaddress":
+		addressPortStrategy = internet.AddressPortStrategy_SrvPortAndAddress
+	case "txtportonly":
+		addressPortStrategy = internet.AddressPortStrategy_TxtPortOnly
+	case "txtaddressonly":
+		addressPortStrategy = internet.AddressPortStrategy_TxtAddressOnly
+	case "txtportandaddress":
+		addressPortStrategy = internet.AddressPortStrategy_TxtPortAndAddress
+	default:
+		return nil, errors.New("unsupported address and port strategy: ", c.AddressPortStrategy)
+	}
+
 	return &internet.SocketConfig{
 		Mark:                 c.Mark,
 		Tfo:                  tfo,
@ -798,6 +827,7 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		Interface:            c.Interface,
 		TcpMptcp:             c.TcpMptcp,
 		CustomSockopt:        customSockopts,
+		AddressPortStrategy:  addressPortStrategy,
 	}, nil
 }

--- a/infra/conf/wireguard.go
+++ b/infra/conf/wireguard.go
@ -67,7 +67,7 @@ func (c *WireGuardConfig) Build() (proto.Message, error) {
 	var err error
 	config.SecretKey, err = ParseWireGuardKey(c.SecretKey)
 	if err != nil {
-		return nil, err
+		return nil, errors.New("invalid WireGuard secret key: %w", err)
 	}

 	if c.Address == nil {
@ -126,6 +126,10 @@ func (c *WireGuardConfig) Build() (proto.Message, error) {
 func ParseWireGuardKey(str string) (string, error) {
 	var err error

+	if str == "" {
+		return "", errors.New("key must not be empty")
+	}
+
 	if len(str)%2 == 0 {
 		_, err = hex.DecodeString(str)
 		if err == nil {
--- a/infra/conf/xray.go
+++ b/infra/conf/xray.go
@ -241,14 +241,14 @@ func (c *InboundDetourConfig) Build() (*core.InboundHandlerConfig, error) {
 	}
 	rawConfig, err := inboundConfigLoader.LoadWithID(settings, c.Protocol)
 	if err != nil {
-		return nil, errors.New("failed to load inbound detour config.").Base(err)
+		return nil, errors.New("failed to load inbound detour config for protocol ", c.Protocol).Base(err)
 	}
 	if dokodemoConfig, ok := rawConfig.(*DokodemoConfig); ok {
 		receiverSettings.ReceiveOriginalDestination = dokodemoConfig.Redirect
 	}
 	ts, err := rawConfig.(Buildable).Build()
 	if err != nil {
-		return nil, err
+		return nil, errors.New("failed to build inbound handler for protocol ", c.Protocol).Base(err)
 	}

 	return &core.InboundHandlerConfig{
@ -303,7 +303,7 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	if c.StreamSetting != nil {
 		ss, err := c.StreamSetting.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build stream settings for outbound detour").Base(err)
 		}
 		senderSettings.StreamSettings = ss
 	}
@ -311,7 +311,7 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	if c.ProxySettings != nil {
 		ps, err := c.ProxySettings.Build()
 		if err != nil {
-			return nil, errors.New("invalid outbound detour proxy settings.").Base(err)
+			return nil, errors.New("invalid outbound detour proxy settings").Base(err)
 		}
 		if ps.TransportLayerProxy {
 			if senderSettings.StreamSettings != nil {
@ -331,7 +331,7 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	if c.MuxSettings != nil {
 		ms, err := c.MuxSettings.Build()
 		if err != nil {
-			return nil, errors.New("failed to build Mux config.").Base(err)
+			return nil, errors.New("failed to build Mux config").Base(err)
 		}
 		senderSettings.MultiplexSettings = ms
 	}
@ -342,11 +342,11 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	}
 	rawConfig, err := outboundConfigLoader.LoadWithID(settings, c.Protocol)
 	if err != nil {
-		return nil, errors.New("failed to parse to outbound detour config.").Base(err)
+		return nil, errors.New("failed to load outbound detour config for protocol ", c.Protocol).Base(err)
 	}
 	ts, err := rawConfig.(Buildable).Build()
 	if err != nil {
-		return nil, err
+		return nil, errors.New("failed to build outbound handler for protocol ", c.Protocol).Base(err)
 	}

 	return &core.OutboundHandlerConfig{
@ -490,7 +490,7 @@ func (c *Config) Override(o *Config, fn string) {
 // Build implements Buildable.
 func (c *Config) Build() (*core.Config, error) {
 	if err := PostProcessConfigureFile(c); err != nil {
-		return nil, err
+		return nil, errors.New("failed to post-process configuration file").Base(err)
 	}

 	config := &core.Config{
@ -504,21 +504,21 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.API != nil {
 		apiConf, err := c.API.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build API configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(apiConf))
 	}
 	if c.Metrics != nil {
 		metricsConf, err := c.Metrics.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build metrics configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(metricsConf))
 	}
 	if c.Stats != nil {
 		statsConf, err := c.Stats.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build stats configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(statsConf))
 	}
@ -536,7 +536,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.RouterConfig != nil {
 		routerConfig, err := c.RouterConfig.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build routing configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(routerConfig))
 	}
@ -544,7 +544,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.DNSConfig != nil {
 		dnsApp, err := c.DNSConfig.Build()
 		if err != nil {
-			return nil, errors.New("failed to parse DNS config").Base(err)
+			return nil, errors.New("failed to build DNS configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(dnsApp))
 	}
@ -552,7 +552,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.Policy != nil {
 		pc, err := c.Policy.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build policy configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(pc))
 	}
@ -560,7 +560,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.Reverse != nil {
 		r, err := c.Reverse.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build reverse configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(r))
 	}
@ -568,7 +568,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.FakeDNS != nil {
 		r, err := c.FakeDNS.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build fake DNS configuration").Base(err)
 		}
 		config.App = append([]*serial.TypedMessage{serial.ToTypedMessage(r)}, config.App...)
 	}
@ -576,7 +576,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.Observatory != nil {
 		r, err := c.Observatory.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build observatory configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(r))
 	}
@ -584,7 +584,7 @@ func (c *Config) Build() (*core.Config, error) {
 	if c.BurstObservatory != nil {
 		r, err := c.BurstObservatory.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build burst observatory configuration").Base(err)
 		}
 		config.App = append(config.App, serial.ToTypedMessage(r))
 	}
@ -602,7 +602,7 @@ func (c *Config) Build() (*core.Config, error) {
 	for _, rawInboundConfig := range inbounds {
 		ic, err := rawInboundConfig.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build inbound config with tag ", rawInboundConfig.Tag).Base(err)
 		}
 		config.Inbound = append(config.Inbound, ic)
 	}
@ -616,7 +616,7 @@ func (c *Config) Build() (*core.Config, error) {
 	for _, rawOutboundConfig := range outbounds {
 		oc, err := rawOutboundConfig.Build()
 		if err != nil {
-			return nil, err
+			return nil, errors.New("failed to build outbound config with tag ", rawOutboundConfig.Tag).Base(err)
 		}
 		config.Outbound = append(config.Outbound, oc)
 	}
--- a/infra/vprotogen/main.go
+++ b/infra/vprotogen/main.go
@ -89,12 +89,11 @@ func whichProtoc(suffix, targetedVersion string) (string, error) {

 	path, err := exec.LookPath(protoc)
 	if err != nil {
-		errStr := fmt.Sprintf(`
+		return "", fmt.Errorf(`
 Command "%s" not found.
 Make sure that %s is in your system path or current path.
 Download %s v%s or later from https://github.com/protocolbuffers/protobuf/releases
 `, protoc, protoc, protoc, targetedVersion)
-		return "", fmt.Errorf(errStr)
 	}
 	return path, nil
 }
--- a/main/commands/all/convert/json.go
+++ b/main/commands/all/convert/json.go
@ -50,17 +50,17 @@ func executeTypedMessageToJson(cmd *base.Command, args []string) {

 	reader, err := confloader.LoadConfig(cmd.Flag.Arg(0))
 	if err != nil {
-		base.Fatalf(err.Error())
+		base.Fatalf("failed to load config: %s", err)
 	}

 	b, err := io.ReadAll(reader)
 	if err != nil {
-		base.Fatalf(err.Error())
+		base.Fatalf("failed to read config: %s", err)
 	}

 	tm := cserial.TypedMessage{}
 	if err = json.Unmarshal(b, &tm); err != nil {
-		base.Fatalf(err.Error())
+		base.Fatalf("failed to unmarshal config: %s", err)
 	}

 	if j, ok := creflect.MarshalToJson(&tm, injectTypeInfo); ok {
--- a/main/commands/all/convert/protobuf.go
+++ b/main/commands/all/convert/protobuf.go
@ -53,12 +53,12 @@ func executeConvertConfigsToProtobuf(cmd *base.Command, args []string) {
 	}

 	if len(unnamedArgs) < 1 {
-		base.Fatalf("empty config list")
+		base.Fatalf("invalid config list length: %d", len(unnamedArgs))
 	}

 	pbConfig, err := core.LoadConfig("auto", unnamedArgs)
 	if err != nil {
-		base.Fatalf(err.Error())
+		base.Fatalf("failed to load config: %s", err)
 	}

 	if optDump {
--- a/proxy/dns/dns.go
+++ b/proxy/dns/dns.go
@ -2,6 +2,7 @@ package dns

 import (
 	"context"
+	go_errors "errors"
 	"io"
 	"sync"
 	"time"
@ -236,17 +237,18 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 	var ips []net.IP
 	var err error

-	var ttl uint32 = 600
+	var ttl4 uint32
+	var ttl6 uint32

 	switch qType {
 	case dnsmessage.TypeA:
-		ips, err = h.client.LookupIP(domain, dns.IPOption{
+		ips, ttl4, err = h.client.LookupIP(domain, dns.IPOption{
 			IPv4Enable: true,
 			IPv6Enable: false,
 			FakeEnable: true,
 		})
 	case dnsmessage.TypeAAAA:
-		ips, err = h.client.LookupIP(domain, dns.IPOption{
+		ips, ttl6, err = h.client.LookupIP(domain, dns.IPOption{
 			IPv4Enable: false,
 			IPv6Enable: true,
 			FakeEnable: true,
@ -254,15 +256,11 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 	}

 	rcode := dns.RCodeFromError(err)
-	if rcode == 0 && len(ips) == 0 && !errors.AllEqual(dns.ErrEmptyResponse, errors.Cause(err)) {
+	if rcode == 0 && len(ips) == 0 && !go_errors.Is(err, dns.ErrEmptyResponse) {
 		errors.LogInfoInner(context.Background(), err, "ip query")
 		return
 	}

-	if fkr0, ok := h.fdns.(dns.FakeDNSEngineRev0); ok && len(ips) > 0 && fkr0.IsIPInIPPool(net.IPAddress(ips[0])) {
-		ttl = 1
-	}
-
 	switch qType {
 	case dnsmessage.TypeA:
 		for i, ip := range ips {
@ -293,16 +291,17 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 	}))
 	common.Must(builder.StartAnswers())

-	rHeader := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl}
+	rHeader4 := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl4}
+	rHeader6 := dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName(domain), Class: dnsmessage.ClassINET, TTL: ttl6}
 	for _, ip := range ips {
 		if len(ip) == net.IPv4len {
 			var r dnsmessage.AResource
 			copy(r.A[:], ip)
-			common.Must(builder.AResource(rHeader, r))
+			common.Must(builder.AResource(rHeader4, r))
 		} else {
 			var r dnsmessage.AAAAResource
 			copy(r.AAAA[:], ip)
-			common.Must(builder.AAAAResource(rHeader, r))
+			common.Must(builder.AAAAResource(rHeader6, r))
 		}
 	}
 	msgBytes, err := builder.Finish()
--- a/proxy/freedom/freedom.go
+++ b/proxy/freedom/freedom.go
@ -4,12 +4,12 @@ import (
 	"context"
 	"crypto/rand"
 	"io"
-	"math/big"
 	"time"

 	"github.com/pires/go-proxyproto"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/dice"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
@ -71,13 +71,13 @@ func (h *Handler) policy() policy.Session {
 }

 func (h *Handler) resolveIP(ctx context.Context, domain string, localAddr net.Address) net.Address {
-	ips, err := h.dns.LookupIP(domain, dns.IPOption{
+	ips, _, err := h.dns.LookupIP(domain, dns.IPOption{
 		IPv4Enable: (localAddr == nil || localAddr.Family().IsIPv4()) && h.config.preferIP4(),
 		IPv6Enable: (localAddr == nil || localAddr.Family().IsIPv6()) && h.config.preferIP6(),
 	})
 	{ // Resolve fallback
 		if (len(ips) == 0 || err != nil) && h.config.hasFallback() && localAddr == nil {
-			ips, err = h.dns.LookupIP(domain, dns.IPOption{
+			ips, _, err = h.dns.LookupIP(domain, dns.IPOption{
 				IPv4Enable: h.config.fallbackIP4(),
 				IPv6Enable: h.config.fallbackIP6(),
 			})
@ -414,7 +414,7 @@ func (w *NoisePacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 				noise = n.Packet
 			} else {
 				//Random noise
-				noise, err = GenerateRandomBytes(randBetween(int64(n.LengthMin),
+				noise, err = GenerateRandomBytes(crypto.RandBetween(int64(n.LengthMin),
 					int64(n.LengthMax)))
 			}
 			if err != nil {
@ -423,7 +423,7 @@ func (w *NoisePacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 			w.Writer.WriteMultiBuffer(buf.MultiBuffer{buf.FromBytes(noise)})

 			if n.DelayMin != 0 || n.DelayMax != 0 {
-				time.Sleep(time.Duration(randBetween(int64(n.DelayMin), int64(n.DelayMax))) * time.Millisecond)
+				time.Sleep(time.Duration(crypto.RandBetween(int64(n.DelayMin), int64(n.DelayMax))) * time.Millisecond)
 			}
 		}

@ -452,7 +452,7 @@ func (f *FragmentWriter) Write(b []byte) (int, error) {
 		buf := make([]byte, 1024)
 		var hello []byte
 		for from := 0; ; {
-			to := from + int(randBetween(int64(f.fragment.LengthMin), int64(f.fragment.LengthMax)))
+			to := from + int(crypto.RandBetween(int64(f.fragment.LengthMin), int64(f.fragment.LengthMax)))
 			if to > len(data) {
 				to = len(data)
 			}
@ -466,7 +466,7 @@ func (f *FragmentWriter) Write(b []byte) (int, error) {
 				hello = append(hello, buf[:5+l]...)
 			} else {
 				_, err := f.writer.Write(buf[:5+l])
-				time.Sleep(time.Duration(randBetween(int64(f.fragment.IntervalMin), int64(f.fragment.IntervalMax))) * time.Millisecond)
+				time.Sleep(time.Duration(crypto.RandBetween(int64(f.fragment.IntervalMin), int64(f.fragment.IntervalMax))) * time.Millisecond)
 				if err != nil {
 					return 0, err
 				}
@ -493,13 +493,13 @@ func (f *FragmentWriter) Write(b []byte) (int, error) {
 		return f.writer.Write(b)
 	}
 	for from := 0; ; {
-		to := from + int(randBetween(int64(f.fragment.LengthMin), int64(f.fragment.LengthMax)))
+		to := from + int(crypto.RandBetween(int64(f.fragment.LengthMin), int64(f.fragment.LengthMax)))
 		if to > len(b) {
 			to = len(b)
 		}
 		n, err := f.writer.Write(b[from:to])
 		from += n
-		time.Sleep(time.Duration(randBetween(int64(f.fragment.IntervalMin), int64(f.fragment.IntervalMax))) * time.Millisecond)
+		time.Sleep(time.Duration(crypto.RandBetween(int64(f.fragment.IntervalMin), int64(f.fragment.IntervalMax))) * time.Millisecond)
 		if err != nil {
 			return from, err
 		}
@ -509,14 +509,6 @@ func (f *FragmentWriter) Write(b []byte) (int, error) {
 	}
 }

-// stolen from github.com/xtls/xray-core/transport/internet/reality
-func randBetween(left int64, right int64) int64 {
-	if left == right {
-		return left
-	}
-	bigInt, _ := rand.Int(rand.Reader, big.NewInt(right-left))
-	return left + bigInt.Int64()
-}
 func GenerateRandomBytes(n int64) ([]byte, error) {
 	b := make([]byte, n)
 	_, err := rand.Read(b)
--- a/proxy/http/server.go
+++ b/proxy/http/server.go
@ -294,7 +294,7 @@ func (s *Server) handlePlainHTTP(ctx context.Context, request *http.Request, wri

 	responseDone := func() error {
 		responseReader := bufio.NewReaderSize(&buf.BufferedReader{Reader: link.Reader}, buf.Size)
-		response, err := http.ReadResponse(responseReader, request)
+		response, err := readResponseAndHandle100Continue(responseReader, request, writer)
 		if err == nil {
 			http_proto.RemoveHopByHopHeaders(response.Header)
 			if response.ContentLength >= 0 {
@ -338,6 +338,38 @@ func (s *Server) handlePlainHTTP(ctx context.Context, request *http.Request, wri
 	return result
 }

+// Sometimes, server might send 1xx response to client
+// it should not be processed by http proxy handler, just forward it to client
+func readResponseAndHandle100Continue(r *bufio.Reader, req *http.Request, writer io.Writer) (*http.Response, error) {
+	// have a little look of response
+	peekBytes, err := r.Peek(56)
+	if err == nil || err == bufio.ErrBufferFull {
+		str := string(peekBytes)
+		ResponseLine := strings.Split(str, "\r\n")[0]
+		_, status, _ := strings.Cut(ResponseLine, " ")
+		// only handle 1xx response
+		if strings.HasPrefix(status, "1") {
+			ResponseHeader1xx := []byte{}
+			// read until \r\n\r\n (end of http response header)
+			for {
+				data, err := r.ReadSlice('\n')
+				if err != nil {
+					return nil, errors.New("failed to read http 1xx response").Base(err)
+				}
+				ResponseHeader1xx = append(ResponseHeader1xx, data...)
+				if bytes.Equal(ResponseHeader1xx[len(ResponseHeader1xx)-4:], []byte{'\r', '\n', '\r', '\n'}) {
+					break
+				}
+				if len(ResponseHeader1xx) > 1024 {
+					return nil, errors.New("too big http 1xx response")
+				}
+			}
+			writer.Write(ResponseHeader1xx)
+		}
+	}
+	return http.ReadResponse(r, req)
+}
+
 func init() {
 	common.Must(common.RegisterConfig((*ServerConfig)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
 		return NewServer(ctx, config.(*ServerConfig))
--- a/proxy/wireguard/bind.go
+++ b/proxy/wireguard/bind.go
@ -54,7 +54,7 @@ func (n *netBind) ParseEndpoint(s string) (conn.Endpoint, error) {

 	addr := xnet.ParseAddress(ipStr)
 	if addr.Family() == xnet.AddressFamilyDomain {
-		ips, err := n.dns.LookupIP(addr.Domain(), n.dnsOption)
+		ips, _, err := n.dns.LookupIP(addr.Domain(), n.dnsOption)
 		if err != nil {
 			return nil, err
 		} else if len(ips) == 0 {
--- a/proxy/wireguard/client.go
+++ b/proxy/wireguard/client.go
@ -77,6 +77,20 @@ func New(ctx context.Context, conf *DeviceConfig) (*Handler, error) {
 	}, nil
 }

+func (h *Handler) Close() (err error) {
+	go func() {
+		h.wgLock.Lock()
+		defer h.wgLock.Unlock()
+
+		if h.net != nil {
+			_ = h.net.Close()
+			h.net = nil
+		}
+	}()
+
+	return nil
+}
+
 func (h *Handler) processWireGuard(ctx context.Context, dialer internet.Dialer) (err error) {
 	h.wgLock.Lock()
 	defer h.wgLock.Unlock()
@ -150,13 +164,13 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 	// resolve dns
 	addr := destination.Address
 	if addr.Family().IsDomain() {
-		ips, err := h.dns.LookupIP(addr.Domain(), dns.IPOption{
+		ips, _, err := h.dns.LookupIP(addr.Domain(), dns.IPOption{
 			IPv4Enable: h.hasIPv4 && h.conf.preferIP4(),
 			IPv6Enable: h.hasIPv6 && h.conf.preferIP6(),
 		})
 		{ // Resolve fallback
 			if (len(ips) == 0 || err != nil) && h.conf.hasFallback() {
-				ips, err = h.dns.LookupIP(addr.Domain(), dns.IPOption{
+				ips, _, err = h.dns.LookupIP(addr.Domain(), dns.IPOption{
 					IPv4Enable: h.hasIPv4 && h.conf.fallbackIP4(),
 					IPv6Enable: h.hasIPv6 && h.conf.fallbackIP6(),
 				})
@ -284,13 +298,13 @@ func (h *Handler) createIPCRequest() string {
 				addr = net.ParseAddress(dialerIp.String())
 				errors.LogInfo(h.bind.ctx, "createIPCRequest use dialer dest ip: ", addr)
 			} else {
-				ips, err := h.dns.LookupIP(addr.Domain(), dns.IPOption{
+				ips, _, err := h.dns.LookupIP(addr.Domain(), dns.IPOption{
 					IPv4Enable: h.hasIPv4 && h.conf.preferIP4(),
 					IPv6Enable: h.hasIPv6 && h.conf.preferIP6(),
 				})
 				{ // Resolve fallback
 					if (len(ips) == 0 || err != nil) && h.conf.hasFallback() {
-						ips, err = h.dns.LookupIP(addr.Domain(), dns.IPOption{
+						ips, _, err = h.dns.LookupIP(addr.Domain(), dns.IPOption{
 							IPv4Enable: h.hasIPv4 && h.conf.fallbackIP4(),
 							IPv6Enable: h.hasIPv6 && h.conf.fallbackIP6(),
 						})
--- a/proxy/wireguard/gvisortun/tun.go
+++ b/proxy/wireguard/gvisortun/tun.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/netip"
 	"os"
+	"sync"
 	"syscall"

 	"golang.zx2c4.com/wireguard/tun"
@ -33,6 +34,7 @@ type netTun struct {
 	incomingPacket chan *buffer.View
 	mtu            int
 	hasV4, hasV6   bool
+	closeOnce      sync.Once
 }

 type Net netTun
@ -174,18 +176,15 @@ func (tun *netTun) Flush() error {

 // Close implements tun.Device
 func (tun *netTun) Close() error {
-	tun.stack.RemoveNIC(1)
+	tun.closeOnce.Do(func() {
+		tun.stack.RemoveNIC(1)

-	if tun.events != nil {
 		close(tun.events)
-	}

-	tun.ep.Close()
+		tun.ep.Close()

-	if tun.incomingPacket != nil {
 		close(tun.incomingPacket)
-	}
-
+	})
 	return nil
 }

--- a/proxy/wireguard/server_test.go
+++ b/proxy/wireguard/server_test.go
@ -0,0 +1,52 @@
+package wireguard_test
+
+import (
+	"context"
+	"github.com/stretchr/testify/assert"
+	"runtime/debug"
+	"testing"
+
+	"github.com/xtls/xray-core/core"
+	"github.com/xtls/xray-core/proxy/wireguard"
+)
+
+// TestWireGuardServerInitializationError verifies that an error during TUN initialization
+// (triggered by an empty SecretKey) in the WireGuard server does not cause a panic and returns an error instead.
+func TestWireGuardServerInitializationError(t *testing.T) {
+	// Create a minimal core instance with default features
+	config := &core.Config{}
+	instance, err := core.New(config)
+	if err != nil {
+		t.Fatalf("Failed to create core instance: %v", err)
+	}
+	// Set the Xray instance in the context
+	ctx := context.WithValue(context.Background(), core.XrayKey(1), instance)
+
+	// Define the server configuration with an empty SecretKey to trigger error
+	conf := &wireguard.DeviceConfig{
+		IsClient:  false,
+		Endpoint:  []string{"10.0.0.1/32"},
+		Mtu:       1420,
+		SecretKey: "", // Empty SecretKey to trigger error
+		Peers: []*wireguard.PeerConfig{
+			{
+				PublicKey:  "some_public_key",
+				AllowedIps: []string{"10.0.0.2/32"},
+			},
+		},
+	}
+
+	// Use defer to catch any panic and fail the test explicitly
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("TUN initialization panicked: %v", r)
+			debug.PrintStack()
+		}
+	}()
+
+	// Attempt to initialize the WireGuard server
+	_, err = wireguard.NewServer(ctx, conf)
+
+	// Check that an error is returned
+	assert.ErrorContains(t, err, "failed to set private_key: hex string does not fit the slice")
+}
--- a/testing/mocks/dns.go
+++ b/testing/mocks/dns.go
@ -50,12 +50,13 @@ func (mr *DNSClientMockRecorder) Close() *gomock.Call {
 }

 // LookupIP mocks base method
-func (m *DNSClient) LookupIP(arg0 string, arg1 dns.IPOption) ([]net.IP, error) {
+func (m *DNSClient) LookupIP(arg0 string, arg1 dns.IPOption) ([]net.IP, uint32, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "LookupIP", arg0, arg1)
 	ret0, _ := ret[0].([]net.IP)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
+	ret1, _ := ret[1].(uint32)
+	ret2, _ := ret[2].(error)
+	return ret0, ret1, ret2
 }

 // LookupIP indicates an expected call of LookupIP
--- a/transport/internet/config.pb.go
+++ b/transport/internet/config.pb.go
@ -95,6 +95,67 @@ func (DomainStrategy) EnumDescriptor() ([]byte, []int) {
 	return file_transport_internet_config_proto_rawDescGZIP(), []int{0}
 }

+type AddressPortStrategy int32
+
+const (
+	AddressPortStrategy_None              AddressPortStrategy = 0
+	AddressPortStrategy_SrvPortOnly       AddressPortStrategy = 1
+	AddressPortStrategy_SrvAddressOnly    AddressPortStrategy = 2
+	AddressPortStrategy_SrvPortAndAddress AddressPortStrategy = 3
+	AddressPortStrategy_TxtPortOnly       AddressPortStrategy = 4
+	AddressPortStrategy_TxtAddressOnly    AddressPortStrategy = 5
+	AddressPortStrategy_TxtPortAndAddress AddressPortStrategy = 6
+)
+
+// Enum value maps for AddressPortStrategy.
+var (
+	AddressPortStrategy_name = map[int32]string{
+		0: "None",
+		1: "SrvPortOnly",
+		2: "SrvAddressOnly",
+		3: "SrvPortAndAddress",
+		4: "TxtPortOnly",
+		5: "TxtAddressOnly",
+		6: "TxtPortAndAddress",
+	}
+	AddressPortStrategy_value = map[string]int32{
+		"None":              0,
+		"SrvPortOnly":       1,
+		"SrvAddressOnly":    2,
+		"SrvPortAndAddress": 3,
+		"TxtPortOnly":       4,
+		"TxtAddressOnly":    5,
+		"TxtPortAndAddress": 6,
+	}
+)
+
+func (x AddressPortStrategy) Enum() *AddressPortStrategy {
+	p := new(AddressPortStrategy)
+	*p = x
+	return p
+}
+
+func (x AddressPortStrategy) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (AddressPortStrategy) Descriptor() protoreflect.EnumDescriptor {
+	return file_transport_internet_config_proto_enumTypes[1].Descriptor()
+}
+
+func (AddressPortStrategy) Type() protoreflect.EnumType {
+	return &file_transport_internet_config_proto_enumTypes[1]
+}
+
+func (x AddressPortStrategy) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use AddressPortStrategy.Descriptor instead.
+func (AddressPortStrategy) EnumDescriptor() ([]byte, []int) {
+	return file_transport_internet_config_proto_rawDescGZIP(), []int{1}
+}
+
 type SocketConfig_TProxyMode int32

 const (
@ -131,11 +192,11 @@ func (x SocketConfig_TProxyMode) String() string {
 }

 func (SocketConfig_TProxyMode) Descriptor() protoreflect.EnumDescriptor {
-	return file_transport_internet_config_proto_enumTypes[1].Descriptor()
+	return file_transport_internet_config_proto_enumTypes[2].Descriptor()
 }

 func (SocketConfig_TProxyMode) Type() protoreflect.EnumType {
-	return &file_transport_internet_config_proto_enumTypes[1]
+	return &file_transport_internet_config_proto_enumTypes[2]
 }

 func (x SocketConfig_TProxyMode) Number() protoreflect.EnumNumber {
@ -356,10 +417,12 @@ type CustomSockopt struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Level string `protobuf:"bytes,1,opt,name=level,proto3" json:"level,omitempty"`
-	Opt   string `protobuf:"bytes,2,opt,name=opt,proto3" json:"opt,omitempty"`
-	Value string `protobuf:"bytes,3,opt,name=value,proto3" json:"value,omitempty"`
-	Type  string `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"`
+	System  string `protobuf:"bytes,1,opt,name=system,proto3" json:"system,omitempty"`
+	Network string `protobuf:"bytes,2,opt,name=network,proto3" json:"network,omitempty"`
+	Level   string `protobuf:"bytes,3,opt,name=level,proto3" json:"level,omitempty"`
+	Opt     string `protobuf:"bytes,4,opt,name=opt,proto3" json:"opt,omitempty"`
+	Value   string `protobuf:"bytes,5,opt,name=value,proto3" json:"value,omitempty"`
+	Type    string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"`
 }

 func (x *CustomSockopt) Reset() {
@ -392,6 +455,20 @@ func (*CustomSockopt) Descriptor() ([]byte, []int) {
 	return file_transport_internet_config_proto_rawDescGZIP(), []int{3}
 }

+func (x *CustomSockopt) GetSystem() string {
+	if x != nil {
+		return x.System
+	}
+	return ""
+}
+
+func (x *CustomSockopt) GetNetwork() string {
+	if x != nil {
+		return x.Network
+	}
+	return ""
+}
+
 func (x *CustomSockopt) GetLevel() string {
 	if x != nil {
 		return x.Level
@ -434,23 +511,24 @@ type SocketConfig struct {
 	Tproxy SocketConfig_TProxyMode `protobuf:"varint,3,opt,name=tproxy,proto3,enum=xray.transport.internet.SocketConfig_TProxyMode" json:"tproxy,omitempty"`
 	// ReceiveOriginalDestAddress is for enabling IP_RECVORIGDSTADDR socket
 	// option. This option is for UDP only.
-	ReceiveOriginalDestAddress bool             `protobuf:"varint,4,opt,name=receive_original_dest_address,json=receiveOriginalDestAddress,proto3" json:"receive_original_dest_address,omitempty"`
-	BindAddress                []byte           `protobuf:"bytes,5,opt,name=bind_address,json=bindAddress,proto3" json:"bind_address,omitempty"`
-	BindPort                   uint32           `protobuf:"varint,6,opt,name=bind_port,json=bindPort,proto3" json:"bind_port,omitempty"`
-	AcceptProxyProtocol        bool             `protobuf:"varint,7,opt,name=accept_proxy_protocol,json=acceptProxyProtocol,proto3" json:"accept_proxy_protocol,omitempty"`
-	DomainStrategy             DomainStrategy   `protobuf:"varint,8,opt,name=domain_strategy,json=domainStrategy,proto3,enum=xray.transport.internet.DomainStrategy" json:"domain_strategy,omitempty"`
-	DialerProxy                string           `protobuf:"bytes,9,opt,name=dialer_proxy,json=dialerProxy,proto3" json:"dialer_proxy,omitempty"`
-	TcpKeepAliveInterval       int32            `protobuf:"varint,10,opt,name=tcp_keep_alive_interval,json=tcpKeepAliveInterval,proto3" json:"tcp_keep_alive_interval,omitempty"`
-	TcpKeepAliveIdle           int32            `protobuf:"varint,11,opt,name=tcp_keep_alive_idle,json=tcpKeepAliveIdle,proto3" json:"tcp_keep_alive_idle,omitempty"`
-	TcpCongestion              string           `protobuf:"bytes,12,opt,name=tcp_congestion,json=tcpCongestion,proto3" json:"tcp_congestion,omitempty"`
-	Interface                  string           `protobuf:"bytes,13,opt,name=interface,proto3" json:"interface,omitempty"`
-	V6Only                     bool             `protobuf:"varint,14,opt,name=v6only,proto3" json:"v6only,omitempty"`
-	TcpWindowClamp             int32            `protobuf:"varint,15,opt,name=tcp_window_clamp,json=tcpWindowClamp,proto3" json:"tcp_window_clamp,omitempty"`
-	TcpUserTimeout             int32            `protobuf:"varint,16,opt,name=tcp_user_timeout,json=tcpUserTimeout,proto3" json:"tcp_user_timeout,omitempty"`
-	TcpMaxSeg                  int32            `protobuf:"varint,17,opt,name=tcp_max_seg,json=tcpMaxSeg,proto3" json:"tcp_max_seg,omitempty"`
-	Penetrate                  bool             `protobuf:"varint,18,opt,name=penetrate,proto3" json:"penetrate,omitempty"`
-	TcpMptcp                   bool             `protobuf:"varint,19,opt,name=tcp_mptcp,json=tcpMptcp,proto3" json:"tcp_mptcp,omitempty"`
-	CustomSockopt              []*CustomSockopt `protobuf:"bytes,20,rep,name=customSockopt,proto3" json:"customSockopt,omitempty"`
+	ReceiveOriginalDestAddress bool                `protobuf:"varint,4,opt,name=receive_original_dest_address,json=receiveOriginalDestAddress,proto3" json:"receive_original_dest_address,omitempty"`
+	BindAddress                []byte              `protobuf:"bytes,5,opt,name=bind_address,json=bindAddress,proto3" json:"bind_address,omitempty"`
+	BindPort                   uint32              `protobuf:"varint,6,opt,name=bind_port,json=bindPort,proto3" json:"bind_port,omitempty"`
+	AcceptProxyProtocol        bool                `protobuf:"varint,7,opt,name=accept_proxy_protocol,json=acceptProxyProtocol,proto3" json:"accept_proxy_protocol,omitempty"`
+	DomainStrategy             DomainStrategy      `protobuf:"varint,8,opt,name=domain_strategy,json=domainStrategy,proto3,enum=xray.transport.internet.DomainStrategy" json:"domain_strategy,omitempty"`
+	DialerProxy                string              `protobuf:"bytes,9,opt,name=dialer_proxy,json=dialerProxy,proto3" json:"dialer_proxy,omitempty"`
+	TcpKeepAliveInterval       int32               `protobuf:"varint,10,opt,name=tcp_keep_alive_interval,json=tcpKeepAliveInterval,proto3" json:"tcp_keep_alive_interval,omitempty"`
+	TcpKeepAliveIdle           int32               `protobuf:"varint,11,opt,name=tcp_keep_alive_idle,json=tcpKeepAliveIdle,proto3" json:"tcp_keep_alive_idle,omitempty"`
+	TcpCongestion              string              `protobuf:"bytes,12,opt,name=tcp_congestion,json=tcpCongestion,proto3" json:"tcp_congestion,omitempty"`
+	Interface                  string              `protobuf:"bytes,13,opt,name=interface,proto3" json:"interface,omitempty"`
+	V6Only                     bool                `protobuf:"varint,14,opt,name=v6only,proto3" json:"v6only,omitempty"`
+	TcpWindowClamp             int32               `protobuf:"varint,15,opt,name=tcp_window_clamp,json=tcpWindowClamp,proto3" json:"tcp_window_clamp,omitempty"`
+	TcpUserTimeout             int32               `protobuf:"varint,16,opt,name=tcp_user_timeout,json=tcpUserTimeout,proto3" json:"tcp_user_timeout,omitempty"`
+	TcpMaxSeg                  int32               `protobuf:"varint,17,opt,name=tcp_max_seg,json=tcpMaxSeg,proto3" json:"tcp_max_seg,omitempty"`
+	Penetrate                  bool                `protobuf:"varint,18,opt,name=penetrate,proto3" json:"penetrate,omitempty"`
+	TcpMptcp                   bool                `protobuf:"varint,19,opt,name=tcp_mptcp,json=tcpMptcp,proto3" json:"tcp_mptcp,omitempty"`
+	CustomSockopt              []*CustomSockopt    `protobuf:"bytes,20,rep,name=customSockopt,proto3" json:"customSockopt,omitempty"`
+	AddressPortStrategy        AddressPortStrategy `protobuf:"varint,21,opt,name=address_port_strategy,json=addressPortStrategy,proto3,enum=xray.transport.internet.AddressPortStrategy" json:"address_port_strategy,omitempty"`
 }

 func (x *SocketConfig) Reset() {
@ -623,6 +701,13 @@ func (x *SocketConfig) GetCustomSockopt() []*CustomSockopt {
 	return nil
 }

+func (x *SocketConfig) GetAddressPortStrategy() AddressPortStrategy {
+	if x != nil {
+		return x.AddressPortStrategy
+	}
+	return AddressPortStrategy_None
+}
+
 var File_transport_internet_config_proto protoreflect.FileDescriptor

 var file_transport_internet_config_proto_rawDesc = []byte{
@ -671,89 +756,108 @@ var file_transport_internet_config_proto_rawDesc = []byte{
 	0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x30, 0x0a, 0x13,
 	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x50, 0x72,
 	0x6f, 0x78, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x74, 0x72, 0x61, 0x6e, 0x73,
-	0x70, 0x6f, 0x72, 0x74, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x22, 0x61,
-	0x0a, 0x0d, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70, 0x74, 0x12,
-	0x14, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x6c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x6f, 0x70, 0x74, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x03, 0x6f, 0x70, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x12, 0x0a,
-	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x22, 0x9b, 0x07, 0x0a, 0x0c, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x6d, 0x61, 0x72, 0x6b, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x04, 0x6d, 0x61, 0x72, 0x6b, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x66, 0x6f, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x05, 0x52, 0x03, 0x74, 0x66, 0x6f, 0x12, 0x48, 0x0a, 0x06, 0x74, 0x70, 0x72, 0x6f,
-	0x78, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x30, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
-	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
-	0x65, 0x74, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x54, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x06, 0x74, 0x70, 0x72, 0x6f,
-	0x78, 0x79, 0x12, 0x41, 0x0a, 0x1d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x6f, 0x72,
-	0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x5f, 0x64, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72,
-	0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1a, 0x72, 0x65, 0x63, 0x65, 0x69,
-	0x76, 0x65, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x44, 0x65, 0x73, 0x74, 0x41, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x62, 0x69, 0x6e, 0x64, 0x5f, 0x61, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x62, 0x69, 0x6e,
-	0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x62, 0x69, 0x6e, 0x64,
-	0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x62, 0x69, 0x6e,
-	0x64, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x5f,
-	0x70, 0x72, 0x6f, 0x78, 0x79, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x07,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x50, 0x72, 0x6f, 0x78,
-	0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x50, 0x0a, 0x0f, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x08, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70,
-	0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x44, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0e, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x21, 0x0a, 0x0c, 0x64,
-	0x69, 0x61, 0x6c, 0x65, 0x72, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0b, 0x64, 0x69, 0x61, 0x6c, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x35,
-	0x0a, 0x17, 0x74, 0x63, 0x70, 0x5f, 0x6b, 0x65, 0x65, 0x70, 0x5f, 0x61, 0x6c, 0x69, 0x76, 0x65,
-	0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x05, 0x52,
-	0x14, 0x74, 0x63, 0x70, 0x4b, 0x65, 0x65, 0x70, 0x41, 0x6c, 0x69, 0x76, 0x65, 0x49, 0x6e, 0x74,
-	0x65, 0x72, 0x76, 0x61, 0x6c, 0x12, 0x2d, 0x0a, 0x13, 0x74, 0x63, 0x70, 0x5f, 0x6b, 0x65, 0x65,
-	0x70, 0x5f, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x5f, 0x69, 0x64, 0x6c, 0x65, 0x18, 0x0b, 0x20, 0x01,
-	0x28, 0x05, 0x52, 0x10, 0x74, 0x63, 0x70, 0x4b, 0x65, 0x65, 0x70, 0x41, 0x6c, 0x69, 0x76, 0x65,
-	0x49, 0x64, 0x6c, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x63, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x67,
-	0x65, 0x73, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x74, 0x63,
-	0x70, 0x43, 0x6f, 0x6e, 0x67, 0x65, 0x73, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x69,
-	0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
-	0x69, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x76, 0x36, 0x6f,
-	0x6e, 0x6c, 0x79, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x76, 0x36, 0x6f, 0x6e, 0x6c,
-	0x79, 0x12, 0x28, 0x0a, 0x10, 0x74, 0x63, 0x70, 0x5f, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x5f,
-	0x63, 0x6c, 0x61, 0x6d, 0x70, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x74, 0x63, 0x70,
-	0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x43, 0x6c, 0x61, 0x6d, 0x70, 0x12, 0x28, 0x0a, 0x10, 0x74,
-	0x63, 0x70, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18,
-	0x10, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x74, 0x63, 0x70, 0x55, 0x73, 0x65, 0x72, 0x54, 0x69,
-	0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x74, 0x63, 0x70, 0x5f, 0x6d, 0x61, 0x78,
-	0x5f, 0x73, 0x65, 0x67, 0x18, 0x11, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x63, 0x70, 0x4d,
-	0x61, 0x78, 0x53, 0x65, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x65, 0x6e, 0x65, 0x74, 0x72, 0x61,
-	0x74, 0x65, 0x18, 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x70, 0x65, 0x6e, 0x65, 0x74, 0x72,
-	0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x63, 0x70, 0x5f, 0x6d, 0x70, 0x74, 0x63, 0x70,
-	0x18, 0x13, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74, 0x63, 0x70, 0x4d, 0x70, 0x74, 0x63, 0x70,
-	0x12, 0x4c, 0x0a, 0x0d, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70,
-	0x74, 0x18, 0x14, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74,
-	0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
-	0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70, 0x74, 0x52,
-	0x0d, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70, 0x74, 0x22, 0x2f,
-	0x0a, 0x0a, 0x54, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x07, 0x0a, 0x03,
-	0x4f, 0x66, 0x66, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x54, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x10,
-	0x01, 0x12, 0x0c, 0x0a, 0x08, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x10, 0x02, 0x2a,
-	0xa9, 0x01, 0x0a, 0x0e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65,
-	0x67, 0x79, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x53, 0x5f, 0x49, 0x53, 0x10, 0x00, 0x12, 0x0a, 0x0a,
-	0x06, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45,
-	0x5f, 0x49, 0x50, 0x34, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50,
-	0x36, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x36, 0x10,
-	0x04, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x34, 0x10, 0x05, 0x12,
-	0x0c, 0x0a, 0x08, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x10, 0x06, 0x12, 0x0d, 0x0a,
-	0x09, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x10, 0x07, 0x12, 0x0d, 0x0a, 0x09,
-	0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x10, 0x08, 0x12, 0x0e, 0x0a, 0x0a, 0x46,
-	0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x36, 0x10, 0x09, 0x12, 0x0e, 0x0a, 0x0a, 0x46,
-	0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x34, 0x10, 0x0a, 0x42, 0x67, 0x0a, 0x1b, 0x63,
-	0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
-	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x69,
-	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72,
-	0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
-	0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0xaa, 0x02, 0x17, 0x58, 0x72, 0x61,
-	0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x65, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x70, 0x6f, 0x72, 0x74, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x22, 0x93,
+	0x01, 0x0a, 0x0d, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70, 0x74,
+	0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x06, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x18, 0x0a, 0x07, 0x6e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x65, 0x74, 0x77, 0x6f,
+	0x72, 0x6b, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x6f, 0x70, 0x74, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6f, 0x70, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+	0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x22, 0xfd, 0x07, 0x0a, 0x0c, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x6d, 0x61, 0x72, 0x6b, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x05, 0x52, 0x04, 0x6d, 0x61, 0x72, 0x6b, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x66, 0x6f,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x74, 0x66, 0x6f, 0x12, 0x48, 0x0a, 0x06, 0x74,
+	0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x30, 0x2e, 0x78, 0x72,
+	0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74,
+	0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x2e, 0x54, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x06, 0x74,
+	0x70, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x41, 0x0a, 0x1d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65,
+	0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x5f, 0x64, 0x65, 0x73, 0x74, 0x5f, 0x61,
+	0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1a, 0x72, 0x65,
+	0x63, 0x65, 0x69, 0x76, 0x65, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x44, 0x65, 0x73,
+	0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x62, 0x69, 0x6e, 0x64,
+	0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b,
+	0x62, 0x69, 0x6e, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x62,
+	0x69, 0x6e, 0x64, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08,
+	0x62, 0x69, 0x6e, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x63, 0x63, 0x65,
+	0x70, 0x74, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x50,
+	0x72, 0x6f, 0x78, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x50, 0x0a, 0x0f,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18,
+	0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61,
+	0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0e,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x21,
+	0x0a, 0x0c, 0x64, 0x69, 0x61, 0x6c, 0x65, 0x72, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x69, 0x61, 0x6c, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x78,
+	0x79, 0x12, 0x35, 0x0a, 0x17, 0x74, 0x63, 0x70, 0x5f, 0x6b, 0x65, 0x65, 0x70, 0x5f, 0x61, 0x6c,
+	0x69, 0x76, 0x65, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x0a, 0x20, 0x01,
+	0x28, 0x05, 0x52, 0x14, 0x74, 0x63, 0x70, 0x4b, 0x65, 0x65, 0x70, 0x41, 0x6c, 0x69, 0x76, 0x65,
+	0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x12, 0x2d, 0x0a, 0x13, 0x74, 0x63, 0x70, 0x5f,
+	0x6b, 0x65, 0x65, 0x70, 0x5f, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x5f, 0x69, 0x64, 0x6c, 0x65, 0x18,
+	0x0b, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x74, 0x63, 0x70, 0x4b, 0x65, 0x65, 0x70, 0x41, 0x6c,
+	0x69, 0x76, 0x65, 0x49, 0x64, 0x6c, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x63, 0x70, 0x5f, 0x63,
+	0x6f, 0x6e, 0x67, 0x65, 0x73, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x74, 0x63, 0x70, 0x43, 0x6f, 0x6e, 0x67, 0x65, 0x73, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c,
+	0x0a, 0x09, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06,
+	0x76, 0x36, 0x6f, 0x6e, 0x6c, 0x79, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x76, 0x36,
+	0x6f, 0x6e, 0x6c, 0x79, 0x12, 0x28, 0x0a, 0x10, 0x74, 0x63, 0x70, 0x5f, 0x77, 0x69, 0x6e, 0x64,
+	0x6f, 0x77, 0x5f, 0x63, 0x6c, 0x61, 0x6d, 0x70, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e,
+	0x74, 0x63, 0x70, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x43, 0x6c, 0x61, 0x6d, 0x70, 0x12, 0x28,
+	0x0a, 0x10, 0x74, 0x63, 0x70, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f,
+	0x75, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x74, 0x63, 0x70, 0x55, 0x73, 0x65,
+	0x72, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x74, 0x63, 0x70, 0x5f,
+	0x6d, 0x61, 0x78, 0x5f, 0x73, 0x65, 0x67, 0x18, 0x11, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74,
+	0x63, 0x70, 0x4d, 0x61, 0x78, 0x53, 0x65, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x65, 0x6e, 0x65,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x18, 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x70, 0x65, 0x6e,
+	0x65, 0x74, 0x72, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x63, 0x70, 0x5f, 0x6d, 0x70,
+	0x74, 0x63, 0x70, 0x18, 0x13, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x74, 0x63, 0x70, 0x4d, 0x70,
+	0x74, 0x63, 0x70, 0x12, 0x4c, 0x0a, 0x0d, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63,
+	0x6b, 0x6f, 0x70, 0x74, 0x18, 0x14, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x78, 0x72, 0x61,
+	0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65,
+	0x72, 0x6e, 0x65, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f,
+	0x70, 0x74, 0x52, 0x0d, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x6f, 0x63, 0x6b, 0x6f, 0x70,
+	0x74, 0x12, 0x60, 0x0a, 0x15, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x5f, 0x70, 0x6f, 0x72,
+	0x74, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x15, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x2c, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
+	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x13,
+	0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x74, 0x72, 0x61, 0x74,
+	0x65, 0x67, 0x79, 0x22, 0x2f, 0x0a, 0x0a, 0x54, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x6f, 0x64,
+	0x65, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x66, 0x66, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x54, 0x50,
+	0x72, 0x6f, 0x78, 0x79, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65,
+	0x63, 0x74, 0x10, 0x02, 0x2a, 0xa9, 0x01, 0x0a, 0x0e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x53, 0x5f, 0x49, 0x53,
+	0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x10, 0x01, 0x12, 0x0b,
+	0x0a, 0x07, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x55,
+	0x53, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f,
+	0x49, 0x50, 0x34, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f, 0x49, 0x50,
+	0x36, 0x34, 0x10, 0x05, 0x12, 0x0c, 0x0a, 0x08, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50,
+	0x10, 0x06, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x10,
+	0x07, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x10, 0x08,
+	0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x34, 0x36, 0x10, 0x09,
+	0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x50, 0x36, 0x34, 0x10, 0x0a,
+	0x2a, 0x97, 0x01, 0x0a, 0x13, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x50, 0x6f, 0x72, 0x74,
+	0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x6f, 0x6e, 0x65,
+	0x10, 0x00, 0x12, 0x0f, 0x0a, 0x0b, 0x53, 0x72, 0x76, 0x50, 0x6f, 0x72, 0x74, 0x4f, 0x6e, 0x6c,
+	0x79, 0x10, 0x01, 0x12, 0x12, 0x0a, 0x0e, 0x53, 0x72, 0x76, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x4f, 0x6e, 0x6c, 0x79, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x53, 0x72, 0x76, 0x50, 0x6f,
+	0x72, 0x74, 0x41, 0x6e, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x10, 0x03, 0x12, 0x0f,
+	0x0a, 0x0b, 0x54, 0x78, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x4f, 0x6e, 0x6c, 0x79, 0x10, 0x04, 0x12,
+	0x12, 0x0a, 0x0e, 0x54, 0x78, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x4f, 0x6e, 0x6c,
+	0x79, 0x10, 0x05, 0x12, 0x15, 0x0a, 0x11, 0x54, 0x78, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x41, 0x6e,
+	0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x10, 0x06, 0x42, 0x67, 0x0a, 0x1b, 0x63, 0x6f,
+	0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61,
+	0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74,
+	0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0xaa, 0x02, 0x17, 0x58, 0x72, 0x61, 0x79,
+	0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72,
+	0x6e, 0x65, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@ -768,33 +872,35 @@ func file_transport_internet_config_proto_rawDescGZIP() []byte {
 	return file_transport_internet_config_proto_rawDescData
 }

-var file_transport_internet_config_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
+var file_transport_internet_config_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
 var file_transport_internet_config_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
 var file_transport_internet_config_proto_goTypes = []any{
 	(DomainStrategy)(0),          // 0: xray.transport.internet.DomainStrategy
-	(SocketConfig_TProxyMode)(0), // 1: xray.transport.internet.SocketConfig.TProxyMode
-	(*TransportConfig)(nil),      // 2: xray.transport.internet.TransportConfig
-	(*StreamConfig)(nil),         // 3: xray.transport.internet.StreamConfig
-	(*ProxyConfig)(nil),          // 4: xray.transport.internet.ProxyConfig
-	(*CustomSockopt)(nil),        // 5: xray.transport.internet.CustomSockopt
-	(*SocketConfig)(nil),         // 6: xray.transport.internet.SocketConfig
-	(*serial.TypedMessage)(nil),  // 7: xray.common.serial.TypedMessage
-	(*net.IPOrDomain)(nil),       // 8: xray.common.net.IPOrDomain
+	(AddressPortStrategy)(0),     // 1: xray.transport.internet.AddressPortStrategy
+	(SocketConfig_TProxyMode)(0), // 2: xray.transport.internet.SocketConfig.TProxyMode
+	(*TransportConfig)(nil),      // 3: xray.transport.internet.TransportConfig
+	(*StreamConfig)(nil),         // 4: xray.transport.internet.StreamConfig
+	(*ProxyConfig)(nil),          // 5: xray.transport.internet.ProxyConfig
+	(*CustomSockopt)(nil),        // 6: xray.transport.internet.CustomSockopt
+	(*SocketConfig)(nil),         // 7: xray.transport.internet.SocketConfig
+	(*serial.TypedMessage)(nil),  // 8: xray.common.serial.TypedMessage
+	(*net.IPOrDomain)(nil),       // 9: xray.common.net.IPOrDomain
 }
 var file_transport_internet_config_proto_depIdxs = []int32{
-	7, // 0: xray.transport.internet.TransportConfig.settings:type_name -> xray.common.serial.TypedMessage
-	8, // 1: xray.transport.internet.StreamConfig.address:type_name -> xray.common.net.IPOrDomain
-	2, // 2: xray.transport.internet.StreamConfig.transport_settings:type_name -> xray.transport.internet.TransportConfig
-	7, // 3: xray.transport.internet.StreamConfig.security_settings:type_name -> xray.common.serial.TypedMessage
-	6, // 4: xray.transport.internet.StreamConfig.socket_settings:type_name -> xray.transport.internet.SocketConfig
-	1, // 5: xray.transport.internet.SocketConfig.tproxy:type_name -> xray.transport.internet.SocketConfig.TProxyMode
+	8, // 0: xray.transport.internet.TransportConfig.settings:type_name -> xray.common.serial.TypedMessage
+	9, // 1: xray.transport.internet.StreamConfig.address:type_name -> xray.common.net.IPOrDomain
+	3, // 2: xray.transport.internet.StreamConfig.transport_settings:type_name -> xray.transport.internet.TransportConfig
+	8, // 3: xray.transport.internet.StreamConfig.security_settings:type_name -> xray.common.serial.TypedMessage
+	7, // 4: xray.transport.internet.StreamConfig.socket_settings:type_name -> xray.transport.internet.SocketConfig
+	2, // 5: xray.transport.internet.SocketConfig.tproxy:type_name -> xray.transport.internet.SocketConfig.TProxyMode
 	0, // 6: xray.transport.internet.SocketConfig.domain_strategy:type_name -> xray.transport.internet.DomainStrategy
-	5, // 7: xray.transport.internet.SocketConfig.customSockopt:type_name -> xray.transport.internet.CustomSockopt
-	8, // [8:8] is the sub-list for method output_type
-	8, // [8:8] is the sub-list for method input_type
-	8, // [8:8] is the sub-list for extension type_name
-	8, // [8:8] is the sub-list for extension extendee
-	0, // [0:8] is the sub-list for field type_name
+	6, // 7: xray.transport.internet.SocketConfig.customSockopt:type_name -> xray.transport.internet.CustomSockopt
+	1, // 8: xray.transport.internet.SocketConfig.address_port_strategy:type_name -> xray.transport.internet.AddressPortStrategy
+	9, // [9:9] is the sub-list for method output_type
+	9, // [9:9] is the sub-list for method input_type
+	9, // [9:9] is the sub-list for extension type_name
+	9, // [9:9] is the sub-list for extension extendee
+	0, // [0:9] is the sub-list for field type_name
 }

 func init() { file_transport_internet_config_proto_init() }
@ -807,7 +913,7 @@ func file_transport_internet_config_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_transport_internet_config_proto_rawDesc,
-			NumEnums:      2,
+			NumEnums:      3,
 			NumMessages:   5,
 			NumExtensions: 0,
 			NumServices:   0,
--- a/transport/internet/config.proto
+++ b/transport/internet/config.proto
@ -23,6 +23,16 @@ enum DomainStrategy {
  FORCE_IP64 = 10;
 }

+enum AddressPortStrategy {
+  None = 0;
+  SrvPortOnly = 1;
+  SrvAddressOnly = 2;
+  SrvPortAndAddress = 3;
+  TxtPortOnly = 4;
+  TxtAddressOnly = 5;
+  TxtPortAndAddress = 6;
+}
+
 message TransportConfig {
  // Transport protocol name.
  string protocol_name = 3;
@ -55,10 +65,12 @@ message ProxyConfig {
 }

 message CustomSockopt {
-  string level = 1;
-  string opt = 2;
-  string value = 3;
-  string type = 4;
+  string system = 1;
+  string network = 2;
+  string level = 3;
+  string opt = 4;
+  string value = 5;
+  string type = 6;
 }

 // SocketConfig is options to be applied on network sockets.
@ -116,4 +128,6 @@ message SocketConfig {
  bool tcp_mptcp = 19;

  repeated CustomSockopt customSockopt = 20;
+
+  AddressPortStrategy address_port_strategy = 21;
 }
--- a/transport/internet/dialer.go
+++ b/transport/internet/dialer.go
@ -2,6 +2,9 @@ package internet

 import (
 	"context"
+	"fmt"
+	gonet "net"
+	"strings"

 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/dice"
@ -84,60 +87,148 @@ var (

 func lookupIP(domain string, strategy DomainStrategy, localAddr net.Address) ([]net.IP, error) {
 	if dnsClient == nil {
-		return nil, nil
+		return nil, errors.New("DNS client not initialized").AtError()
 	}

-	ips, err := dnsClient.LookupIP(domain, dns.IPOption{
+	ips, _, err := dnsClient.LookupIP(domain, dns.IPOption{
 		IPv4Enable: (localAddr == nil || localAddr.Family().IsIPv4()) && strategy.preferIP4(),
 		IPv6Enable: (localAddr == nil || localAddr.Family().IsIPv6()) && strategy.preferIP6(),
 	})
 	{ // Resolve fallback
 		if (len(ips) == 0 || err != nil) && strategy.hasFallback() && localAddr == nil {
-			ips, err = dnsClient.LookupIP(domain, dns.IPOption{
+			ips, _, err = dnsClient.LookupIP(domain, dns.IPOption{
 				IPv4Enable: strategy.fallbackIP4(),
 				IPv6Enable: strategy.fallbackIP6(),
 			})
 		}
 	}

+	if err == nil && len(ips) == 0 {
+		return nil, dns.ErrEmptyResponse
+	}
 	return ips, err
 }

-func canLookupIP(ctx context.Context, dst net.Destination, sockopt *SocketConfig) bool {
-	if dst.Address.Family().IsIP() || dnsClient == nil {
+func canLookupIP(dst net.Destination, sockopt *SocketConfig) bool {
+	if dst.Address.Family().IsIP() {
 		return false
 	}
 	return sockopt.DomainStrategy.hasStrategy()
 }

-func redirect(ctx context.Context, dst net.Destination, obt string) net.Conn {
+func redirect(ctx context.Context, dst net.Destination, obt string, h outbound.Handler) net.Conn {
 	errors.LogInfo(ctx, "redirecting request "+dst.String()+" to "+obt)
-	h := obm.GetHandler(obt)
 	outbounds := session.OutboundsFromContext(ctx)
 	ctx = session.ContextWithOutbounds(ctx, append(outbounds, &session.Outbound{
 		Target:  dst,
 		Gateway: nil,
 		Tag:     obt,
 	})) // add another outbound in session ctx
-	if h != nil {
-		ur, uw := pipe.New(pipe.OptionsFromContext(ctx)...)
-		dr, dw := pipe.New(pipe.OptionsFromContext(ctx)...)

-		go h.Dispatch(context.WithoutCancel(ctx), &transport.Link{Reader: ur, Writer: dw})
-		var readerOpt cnc.ConnectionOption
-		if dst.Network == net.Network_TCP {
-			readerOpt = cnc.ConnectionOutputMulti(dr)
-		} else {
-			readerOpt = cnc.ConnectionOutputMultiUDP(dr)
-		}
-		nc := cnc.NewConnection(
-			cnc.ConnectionInputMulti(uw),
-			readerOpt,
-			cnc.ConnectionOnClose(common.ChainedClosable{uw, dw}),
-		)
-		return nc
+	ur, uw := pipe.New(pipe.OptionsFromContext(ctx)...)
+	dr, dw := pipe.New(pipe.OptionsFromContext(ctx)...)
+
+	go h.Dispatch(context.WithoutCancel(ctx), &transport.Link{Reader: ur, Writer: dw})
+	var readerOpt cnc.ConnectionOption
+	if dst.Network == net.Network_TCP {
+		readerOpt = cnc.ConnectionOutputMulti(dr)
+	} else {
+		readerOpt = cnc.ConnectionOutputMultiUDP(dr)
 	}
-	return nil
+	nc := cnc.NewConnection(
+		cnc.ConnectionInputMulti(uw),
+		readerOpt,
+		cnc.ConnectionOnClose(common.ChainedClosable{uw, dw}),
+	)
+	return nc
+
+}
+
+func checkAddressPortStrategy(ctx context.Context, dest net.Destination, sockopt *SocketConfig) (*net.Destination, error) {
+	if sockopt.AddressPortStrategy == AddressPortStrategy_None {
+		return nil, nil
+	}
+	newDest := dest
+	var OverridePort, OverrideAddress bool
+	var OverrideBy string
+	switch sockopt.AddressPortStrategy {
+	case AddressPortStrategy_SrvPortOnly:
+		OverridePort = true
+		OverrideAddress = false
+		OverrideBy = "srv"
+	case AddressPortStrategy_SrvAddressOnly:
+		OverridePort = false
+		OverrideAddress = true
+		OverrideBy = "srv"
+	case AddressPortStrategy_SrvPortAndAddress:
+		OverridePort = true
+		OverrideAddress = true
+		OverrideBy = "srv"
+	case AddressPortStrategy_TxtPortOnly:
+		OverridePort = true
+		OverrideAddress = false
+		OverrideBy = "txt"
+	case AddressPortStrategy_TxtAddressOnly:
+		OverridePort = false
+		OverrideAddress = true
+		OverrideBy = "txt"
+	case AddressPortStrategy_TxtPortAndAddress:
+		OverridePort = true
+		OverrideAddress = true
+		OverrideBy = "txt"
+	default:
+		return nil, errors.New("unknown AddressPortStrategy")
+	}
+
+	if !dest.Address.Family().IsDomain() {
+		return nil, nil
+	}
+
+	if OverrideBy == "srv" {
+		errors.LogDebug(ctx, "query SRV record for "+dest.Address.String())
+		parts := strings.SplitN(dest.Address.String(), ".", 3)
+		if len(parts) != 3 {
+			return nil, errors.New("invalid address format", dest.Address.String())
+		}
+		_, srvRecords, err := gonet.DefaultResolver.LookupSRV(context.Background(), parts[0][1:], parts[1][1:], parts[2])
+		if err != nil {
+			return nil, errors.New("failed to lookup SRV record").Base(err)
+		}
+		errors.LogDebug(ctx, "SRV record: "+fmt.Sprintf("addr=%s, port=%d, priority=%d, weight=%d", srvRecords[0].Target, srvRecords[0].Port, srvRecords[0].Priority, srvRecords[0].Weight))
+		if OverridePort {
+			newDest.Port = net.Port(srvRecords[0].Port)
+		}
+		if OverrideAddress {
+			newDest.Address = net.ParseAddress(srvRecords[0].Target)
+		}
+		return &newDest, nil
+	}
+	if OverrideBy == "txt" {
+		errors.LogDebug(ctx, "query TXT record for "+dest.Address.String())
+		txtRecords, err := gonet.DefaultResolver.LookupTXT(ctx, dest.Address.String())
+		if err != nil {
+			errors.LogError(ctx, "failed to lookup SRV record: "+err.Error())
+			return nil, errors.New("failed to lookup SRV record").Base(err)
+		}
+		for _, txtRecord := range txtRecords {
+			errors.LogDebug(ctx, "TXT record: "+txtRecord)
+			addr_s, port_s, _ := net.SplitHostPort(string(txtRecord))
+			addr := net.ParseAddress(addr_s)
+			port, err := net.PortFromString(port_s)
+			if err != nil {
+				continue
+			}
+
+			if OverridePort {
+				newDest.Port = port
+			}
+			if OverrideAddress {
+				newDest.Address = addr
+			}
+			return &newDest, nil
+		}
+	}
+	return nil, nil
 }

 // DialSystem calls system dialer to create a network connection.
@ -152,21 +243,33 @@ func DialSystem(ctx context.Context, dest net.Destination, sockopt *SocketConfig
 		return effectiveSystemDialer.Dial(ctx, src, dest, sockopt)
 	}

-	if canLookupIP(ctx, dest, sockopt) {
+	if newDest, err := checkAddressPortStrategy(ctx, dest, sockopt); err == nil && newDest != nil {
+		errors.LogInfo(ctx, "replace destination with "+newDest.String())
+		dest = *newDest
+	}
+
+	if canLookupIP(dest, sockopt) {
 		ips, err := lookupIP(dest.Address.String(), sockopt.DomainStrategy, src)
-		if err == nil && len(ips) > 0 {
+		if err != nil {
+			errors.LogErrorInner(ctx, err, "failed to resolve ip")
+			if sockopt.DomainStrategy.forceIP() {
+				return nil, err
+			}
+		} else {
 			dest.Address = net.IPAddress(ips[dice.Roll(len(ips))])
 			errors.LogInfo(ctx, "replace destination with "+dest.String())
-		} else if err != nil {
-			errors.LogWarningInner(ctx, err, "failed to resolve ip")
 		}
 	}

-	if obm != nil && len(sockopt.DialerProxy) > 0 {
-		nc := redirect(ctx, dest, sockopt.DialerProxy)
-		if nc != nil {
-			return nc, nil
+	if len(sockopt.DialerProxy) > 0 {
+		if obm == nil {
+			return nil, errors.New("there is no outbound manager for dialerProxy").AtError()
 		}
+		h := obm.GetHandler(sockopt.DialerProxy)
+		if h == nil {
+			return nil, errors.New("there is no outbound handler for dialerProxy").AtError()
+		}
+		return redirect(ctx, dest, sockopt.DialerProxy, h), nil
 	}

 	return effectiveSystemDialer.Dial(ctx, src, dest, sockopt)
--- a/transport/internet/reality/reality.go
+++ b/transport/internet/reality/reality.go
@ -8,7 +8,6 @@ import (
 	"crypto/ecdh"
 	"crypto/ed25519"
 	"crypto/hmac"
-	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
 	gotls "crypto/tls"
@ -16,7 +15,6 @@ import (
 	"encoding/binary"
 	"fmt"
 	"io"
-	"math/big"
 	"net/http"
 	"reflect"
 	"regexp"
@ -27,6 +25,7 @@ import (

 	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/reality"
+	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/core"
@ -138,10 +137,10 @@ func UClient(c net.Conn, config *Config, ctx context.Context, dest net.Destinati
 		if err != nil {
 			return nil, errors.New("REALITY: publicKey == nil")
 		}
-		if uConn.HandshakeState.State13.EcdheKey == nil {
+		if uConn.HandshakeState.State13.KeyShareKeys.Ecdhe == nil {
 			return nil, errors.New("Current fingerprint ", uConn.ClientHelloID.Client, uConn.ClientHelloID.Version, " does not support TLS 1.3, REALITY handshake cannot establish.")
 		}
-		uConn.AuthKey, _ = uConn.HandshakeState.State13.EcdheKey.ECDH(publicKey)
+		uConn.AuthKey, _ = uConn.HandshakeState.State13.KeyShareKeys.Ecdhe.ECDH(publicKey)
 		if uConn.AuthKey == nil {
 			return nil, errors.New("REALITY: SharedKey == nil")
 		}
@ -213,13 +212,13 @@ func UClient(c net.Conn, config *Config, ctx context.Context, dest net.Destinati
 				}
 				times := 1
 				if !first {
-					times = int(randBetween(config.SpiderY[4], config.SpiderY[5]))
+					times = int(crypto.RandBetween(config.SpiderY[4], config.SpiderY[5]))
 				}
 				for j := 0; j < times; j++ {
 					if !first && j == 0 {
 						req.Header.Set("Referer", firstURL)
 					}
-					req.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", int(randBetween(config.SpiderY[0], config.SpiderY[1])))})
+					req.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", int(crypto.RandBetween(config.SpiderY[0], config.SpiderY[1])))})
 					if resp, err = client.Do(req); err != nil {
 						break
 					}
@ -243,18 +242,18 @@ func UClient(c net.Conn, config *Config, ctx context.Context, dest net.Destinati
 					}
 					maps.Unlock()
 					if !first {
-						time.Sleep(time.Duration(randBetween(config.SpiderY[6], config.SpiderY[7])) * time.Millisecond) // interval
+						time.Sleep(time.Duration(crypto.RandBetween(config.SpiderY[6], config.SpiderY[7])) * time.Millisecond) // interval
 					}
 				}
 			}
 			get(true)
-			concurrency := int(randBetween(config.SpiderY[2], config.SpiderY[3]))
+			concurrency := int(crypto.RandBetween(config.SpiderY[2], config.SpiderY[3]))
 			for i := 0; i < concurrency; i++ {
 				go get(false)
 			}
 			// Do not close the connection
 		}()
-		time.Sleep(time.Duration(randBetween(config.SpiderY[8], config.SpiderY[9])) * time.Millisecond) // return
+		time.Sleep(time.Duration(crypto.RandBetween(config.SpiderY[8], config.SpiderY[9])) * time.Millisecond) // return
 		return nil, errors.New("REALITY: processed invalid connection").AtWarning()
 	}
 	return uConn, nil
@ -271,7 +270,7 @@ var maps struct {
 }

 func getPathLocked(paths map[string]struct{}) string {
-	stopAt := int(randBetween(0, int64(len(paths)-1)))
+	stopAt := int(crypto.RandBetween(0, int64(len(paths)-1)))
 	i := 0
 	for s := range paths {
 		if i == stopAt {
@ -281,11 +280,3 @@ func getPathLocked(paths map[string]struct{}) string {
 	}
 	return "/"
 }
-
-func randBetween(left int64, right int64) int64 {
-	if left == right {
-		return left
-	}
-	bigInt, _ := rand.Int(rand.Reader, big.NewInt(right-left))
-	return left + bigInt.Int64()
-}
--- a/transport/internet/sockopt_darwin.go
+++ b/transport/internet/sockopt_darwin.go
@ -1,8 +1,12 @@
 package internet

 import (
-	network "net"
+	"context"
+	gonet "net"
 	"os"
+	"runtime"
+	"strconv"
+	"strings"
 	"syscall"
 	"unsafe"

@ -108,13 +112,96 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 				return err
 			}
 		}
-		if config.Interface != "" {
-			InterfaceIndex := getInterfaceIndexByName(config.Interface)
-			if InterfaceIndex != 0 {
-				if err := unix.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_BOUND_IF, InterfaceIndex); err != nil {
-					return errors.New("failed to set Interface").Base(err)
+
+		if config.TcpKeepAliveIdle > 0 || config.TcpKeepAliveInterval > 0 {
+			if config.TcpKeepAliveIdle > 0 {
+				if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, unix.TCP_KEEPALIVE, int(config.TcpKeepAliveInterval)); err != nil {
+					return errors.New("failed to set TCP_KEEPINTVL", err)
 				}
 			}
+			if config.TcpKeepAliveInterval > 0 {
+				if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, sysTCP_KEEPINTVL, int(config.TcpKeepAliveIdle)); err != nil {
+					return errors.New("failed to set TCP_KEEPIDLE", err)
+				}
+			}
+			if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_KEEPALIVE, 1); err != nil {
+				return errors.New("failed to set SO_KEEPALIVE", err)
+			}
+		} else if config.TcpKeepAliveInterval < 0 || config.TcpKeepAliveIdle < 0 {
+			if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_KEEPALIVE, 0); err != nil {
+				return errors.New("failed to unset SO_KEEPALIVE", err)
+			}
+		}
+	}
+
+	if config.Interface != "" {
+		iface, err := gonet.InterfaceByName(config.Interface)
+
+		if err != nil {
+			return errors.New("failed to get interface ", config.Interface).Base(err)
+		}
+		if network == "tcp6" || network == "udp6" {
+			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IPV6, unix.IPV6_BOUND_IF, iface.Index); err != nil {
+				return errors.New("failed to set IPV6_BOUND_IF").Base(err)
+			}
+		} else {
+			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IP, unix.IP_BOUND_IF, iface.Index); err != nil {
+				return errors.New("failed to set IP_BOUND_IF").Base(err)
+			}
+		}
+	}
+
+	if len(config.CustomSockopt) > 0 {
+		for _, custom := range config.CustomSockopt {
+			if custom.System != "" && custom.System != runtime.GOOS {
+				errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+				continue
+			}
+			// Skip unwanted network type
+			// network might be tcp4 or tcp6
+			// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+			// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+			if !strings.HasPrefix(network, custom.Network) {
+				continue
+			}
+			var level = 0x6 // default TCP
+			var opt int
+			if len(custom.Opt) == 0 {
+				return errors.New("No opt!")
+			} else {
+				opt, _ = strconv.Atoi(custom.Opt)
+			}
+			if custom.Level != "" {
+				level, _ = strconv.Atoi(custom.Level)
+			}
+			if custom.Type == "int" {
+				value, _ := strconv.Atoi(custom.Value)
+				if err := syscall.SetsockoptInt(int(fd), level, opt, value); err != nil {
+					return errors.New("failed to set CustomSockoptInt", opt, value, err)
+				}
+			} else if custom.Type == "str" {
+				if err := syscall.SetsockoptString(int(fd), level, opt, custom.Value); err != nil {
+					return errors.New("failed to set CustomSockoptString", opt, custom.Value, err)
+				}
+			} else {
+				return errors.New("unknown CustomSockopt type:", custom.Type)
+			}
+		}
+	}
+
+	return nil
+}
+
+func applyInboundSocketOptions(network string, fd uintptr, config *SocketConfig) error {
+	if isTCPSocket(network) {
+		tfo := config.ParseTFOValue()
+		if tfo > 0 {
+			tfo = TCP_FASTOPEN_SERVER
+		}
+		if tfo >= 0 {
+			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, unix.TCP_FASTOPEN, tfo); err != nil {
+				return err
+			}
 		}

 		if config.TcpKeepAliveIdle > 0 || config.TcpKeepAliveInterval > 0 {
@ -138,46 +225,63 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 		}
 	}

-	return nil
-}
+	if config.Interface != "" {
+		iface, err := gonet.InterfaceByName(config.Interface)

-func applyInboundSocketOptions(network string, fd uintptr, config *SocketConfig) error {
-	if isTCPSocket(network) {
-		tfo := config.ParseTFOValue()
-		if tfo > 0 {
-			tfo = TCP_FASTOPEN_SERVER
+		if err != nil {
+			return errors.New("failed to get interface ", config.Interface).Base(err)
 		}
-		if tfo >= 0 {
-			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, unix.TCP_FASTOPEN, tfo); err != nil {
-				return err
-			}
-		}
-		if config.Interface != "" {
-			InterfaceIndex := getInterfaceIndexByName(config.Interface)
-			if InterfaceIndex != 0 {
-				if err := unix.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_BOUND_IF, InterfaceIndex); err != nil {
-					return errors.New("failed to set Interface").Base(err)
-				}
+		if network == "tcp6" || network == "udp6" {
+			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IPV6, unix.IPV6_BOUND_IF, iface.Index); err != nil {
+				return errors.New("failed to set IPV6_BOUND_IF").Base(err)
+			}
+		} else {
+			if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IP, unix.IP_BOUND_IF, iface.Index); err != nil {
+				return errors.New("failed to set IP_BOUND_IF").Base(err)
 			}
 		}
+	}

-		if config.TcpKeepAliveIdle > 0 || config.TcpKeepAliveInterval > 0 {
-			if config.TcpKeepAliveIdle > 0 {
-				if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, unix.TCP_KEEPALIVE, int(config.TcpKeepAliveInterval)); err != nil {
-					return errors.New("failed to set TCP_KEEPINTVL", err)
+	if config.V6Only {
+		if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_IPV6, unix.IPV6_V6ONLY, 1); err != nil {
+			return errors.New("failed to set IPV6_V6ONLY").Base(err)
+		}
+	}
+
+	if len(config.CustomSockopt) > 0 {
+		for _, custom := range config.CustomSockopt {
+			if custom.System != "" && custom.System != runtime.GOOS {
+				errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+				continue
+			}
+			// Skip unwanted network type
+			// network might be tcp4 or tcp6
+			// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+			// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+			if !strings.HasPrefix(network, custom.Network) {
+				continue
+			}
+			var level = 0x6 // default TCP
+			var opt int
+			if len(custom.Opt) == 0 {
+				return errors.New("No opt!")
+			} else {
+				opt, _ = strconv.Atoi(custom.Opt)
+			}
+			if custom.Level != "" {
+				level, _ = strconv.Atoi(custom.Level)
+			}
+			if custom.Type == "int" {
+				value, _ := strconv.Atoi(custom.Value)
+				if err := syscall.SetsockoptInt(int(fd), level, opt, value); err != nil {
+					return errors.New("failed to set CustomSockoptInt", opt, value, err)
 				}
-			}
-			if config.TcpKeepAliveInterval > 0 {
-				if err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, sysTCP_KEEPINTVL, int(config.TcpKeepAliveIdle)); err != nil {
-					return errors.New("failed to set TCP_KEEPIDLE", err)
+			} else if custom.Type == "str" {
+				if err := syscall.SetsockoptString(int(fd), level, opt, custom.Value); err != nil {
+					return errors.New("failed to set CustomSockoptString", opt, custom.Value, err)
 				}
-			}
-			if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_KEEPALIVE, 1); err != nil {
-				return errors.New("failed to set SO_KEEPALIVE", err)
-			}
-		} else if config.TcpKeepAliveInterval < 0 || config.TcpKeepAliveIdle < 0 {
-			if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_KEEPALIVE, 0); err != nil {
-				return errors.New("failed to unset SO_KEEPALIVE", err)
+			} else {
+				return errors.New("unknown CustomSockopt type:", custom.Type)
 			}
 		}
 	}
@ -224,24 +328,3 @@ func setReusePort(fd uintptr) error {
 	}
 	return nil
 }
-func getInterfaceIndexByName(name string) int {
-	ifaces, err := network.Interfaces()
-	if err == nil {
-		for _, iface := range ifaces {
-			if (iface.Flags&network.FlagUp == network.FlagUp) && (iface.Flags&network.FlagLoopback != network.FlagLoopback) {
-				addrs, _ := iface.Addrs()
-				for _, addr := range addrs {
-					if ipnet, ok := addr.(*network.IPNet); ok && !ipnet.IP.IsLoopback() {
-						if ipnet.IP.To4() != nil {
-							if iface.Name == name {
-								return iface.Index
-							}
-						}
-					}
-				}
-			}
-
-		}
-	}
-	return 0
-}
--- a/transport/internet/sockopt_linux.go
+++ b/transport/internet/sockopt_linux.go
@ -1,8 +1,11 @@
 package internet

 import (
+	"context"
 	"net"
+	"runtime"
 	"strconv"
+	"strings"
 	"syscall"

 	"github.com/xtls/xray-core/common/errors"
@ -35,6 +38,8 @@ func bindAddr(fd uintptr, ip []byte, port uint32) error {
 	return syscall.Bind(int(fd), sockaddr)
 }

+// applyOutboundSocketOptions applies socket options for outbound connection.
+// note that unlike other part of Xray, this function needs network with speified network stack(tcp4/tcp6/udp4/udp6)
 func applyOutboundSocketOptions(network string, address string, fd uintptr, config *SocketConfig) error {
 	if config.Mark != 0 {
 		if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(config.Mark)); err != nil {
@ -103,30 +108,42 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 			}
 		}

-		if len(config.CustomSockopt) > 0 {
-			for _, custom := range config.CustomSockopt {
-				var level = 0x6 // default TCP
-				var opt int
-				if len(custom.Opt) == 0 {
-					return errors.New("No opt!")
-				} else {
-					opt, _ = strconv.Atoi(custom.Opt)
+	}
+
+	if len(config.CustomSockopt) > 0 {
+		for _, custom := range config.CustomSockopt {
+			if custom.System != "" && custom.System != runtime.GOOS {
+				errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+				continue
+			}
+			// Skip unwanted network type
+			// network might be tcp4 or tcp6
+			// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+			// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+			if !strings.HasPrefix(network, custom.Network) {
+				continue
+			}
+			var level = 0x6 // default TCP
+			var opt int
+			if len(custom.Opt) == 0 {
+				return errors.New("No opt!")
+			} else {
+				opt, _ = strconv.Atoi(custom.Opt)
+			}
+			if custom.Level != "" {
+				level, _ = strconv.Atoi(custom.Level)
+			}
+			if custom.Type == "int" {
+				value, _ := strconv.Atoi(custom.Value)
+				if err := syscall.SetsockoptInt(int(fd), level, opt, value); err != nil {
+					return errors.New("failed to set CustomSockoptInt", opt, value, err)
 				}
-				if custom.Level != "" {
-					level, _ = strconv.Atoi(custom.Level)
-				}
-				if custom.Type == "int" {
-					value, _ := strconv.Atoi(custom.Value)
-					if err := syscall.SetsockoptInt(int(fd), level, opt, value); err != nil {
-						return errors.New("failed to set CustomSockoptInt", opt, value, err)
-					}
-				} else if custom.Type == "str" {
-					if err := syscall.SetsockoptString(int(fd), level, opt, custom.Value); err != nil {
-						return errors.New("failed to set CustomSockoptString", opt, custom.Value, err)
-					}
-				} else {
-					return errors.New("unknown CustomSockopt type:", custom.Type)
+			} else if custom.Type == "str" {
+				if err := syscall.SetsockoptString(int(fd), level, opt, custom.Value); err != nil {
+					return errors.New("failed to set CustomSockoptString", opt, custom.Value, err)
 				}
+			} else {
+				return errors.New("unknown CustomSockopt type:", custom.Type)
 			}
 		}
 	}
@ -140,6 +157,8 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 	return nil
 }

+// applyInboundSocketOptions applies socket options for inbound listener.
+// note that unlike other part of Xray, this function needs network with speified network stack(tcp4/tcp6/udp4/udp6)
 func applyInboundSocketOptions(network string, fd uintptr, config *SocketConfig) error {
 	if config.Mark != 0 {
 		if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, int(config.Mark)); err != nil {
@ -199,6 +218,17 @@ func applyInboundSocketOptions(network string, fd uintptr, config *SocketConfig)
 		}
 		if len(config.CustomSockopt) > 0 {
 			for _, custom := range config.CustomSockopt {
+				if custom.System != "" && custom.System != runtime.GOOS {
+					errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+					continue
+				}
+				// Skip unwanted network type
+				// network might be tcp4 or tcp6
+				// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+				// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+				if !strings.HasPrefix(network, custom.Network) {
+					continue
+				}
 				var level = 0x6 // default TCP
 				var opt int
 				if len(custom.Opt) == 0 {
--- a/transport/internet/sockopt_windows.go
+++ b/transport/internet/sockopt_windows.go
@ -1,8 +1,12 @@
 package internet

 import (
+	"context"
 	"encoding/binary"
 	"net"
+	"runtime"
+	"strconv"
+	"strings"
 	"syscall"
 	"unsafe"

@ -33,7 +37,11 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 		if err != nil {
 			return errors.New("failed to find the interface").Base(err)
 		}
-		isV4 := (network == "tcp4")
+		// easy way to check if the address is ipv4
+		isV4 := strings.Contains(address, ".")
+		// note: DO NOT trust the passed network variable, it can be udp6 even if the address is ipv4
+		// because operating system might(always) use ipv6 socket to process ipv4
+		host, _, err := net.SplitHostPort(address)
 		if isV4 {
 			var bytes [4]byte
 			binary.BigEndian.PutUint32(bytes[:], uint32(inf.Index))
@ -41,10 +49,20 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 			if err := syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx)); err != nil {
 				return errors.New("failed to set IP_UNICAST_IF").Base(err)
 			}
+			if ip := net.ParseIP(host); ip != nil && ip.IsMulticast() && isUDPSocket(network) {
+				if err := syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IP, syscall.IP_MULTICAST_IF, int(idx)); err != nil {
+					return errors.New("failed to set IP_MULTICAST_IF").Base(err)
+				}
+			}
 		} else {
 			if err := syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, inf.Index); err != nil {
 				return errors.New("failed to set IPV6_UNICAST_IF").Base(err)
 			}
+			if ip := net.ParseIP(host); ip != nil && ip.IsMulticast() && isUDPSocket(network) {
+				if err := syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IPV6, syscall.IPV6_MULTICAST_IF, inf.Index); err != nil {
+					return errors.New("failed to set IPV6_MULTICAST_IF").Base(err)
+				}
+			}
 		}
 	}

@ -63,6 +81,42 @@ func applyOutboundSocketOptions(network string, address string, fd uintptr, conf
 		}
 	}

+	if len(config.CustomSockopt) > 0 {
+		for _, custom := range config.CustomSockopt {
+			if custom.System != "" && custom.System != runtime.GOOS {
+				errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+				continue
+			}
+			// Skip unwanted network type
+			// network might be tcp4 or tcp6
+			// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+			// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+			if !strings.HasPrefix(network, custom.Network) {
+				continue
+			}
+			var level = 0x6 // default TCP
+			var opt int
+			if len(custom.Opt) == 0 {
+				return errors.New("No opt!")
+			} else {
+				opt, _ = strconv.Atoi(custom.Opt)
+			}
+			if custom.Level != "" {
+				level, _ = strconv.Atoi(custom.Level)
+			}
+			if custom.Type == "int" {
+				value, _ := strconv.Atoi(custom.Value)
+				if err := syscall.SetsockoptInt(syscall.Handle(fd), level, opt, value); err != nil {
+					return errors.New("failed to set CustomSockoptInt", opt, value, err)
+				}
+			} else if custom.Type == "str" {
+				return errors.New("failed to set CustomSockoptString: Str type does not supported on windows")
+			} else {
+				return errors.New("unknown CustomSockopt type:", custom.Type)
+			}
+		}
+	}
+
 	return nil
 }

@ -82,6 +136,48 @@ func applyInboundSocketOptions(network string, fd uintptr, config *SocketConfig)
 		}
 	}

+	if config.V6Only {
+		if err := syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY, 1); err != nil {
+			return errors.New("failed to set IPV6_V6ONLY").Base(err)
+		}
+	}
+
+	if len(config.CustomSockopt) > 0 {
+		for _, custom := range config.CustomSockopt {
+			if custom.System != "" && custom.System != runtime.GOOS {
+				errors.LogDebug(context.Background(), "CustomSockopt system not match: ", "want ", custom.System, " got ", runtime.GOOS)
+				continue
+			}
+			// Skip unwanted network type
+			// network might be tcp4 or tcp6
+			// use HasPrefix so that "tcp" can match tcp4/6 with "tcp" if user want to control all tcp (udp is also the same)
+			// if it is empty, strings.HasPrefix will always return true to make it apply for all networks
+			if !strings.HasPrefix(network, custom.Network) {
+				continue
+			}
+			var level = 0x6 // default TCP
+			var opt int
+			if len(custom.Opt) == 0 {
+				return errors.New("No opt!")
+			} else {
+				opt, _ = strconv.Atoi(custom.Opt)
+			}
+			if custom.Level != "" {
+				level, _ = strconv.Atoi(custom.Level)
+			}
+			if custom.Type == "int" {
+				value, _ := strconv.Atoi(custom.Value)
+				if err := syscall.SetsockoptInt(syscall.Handle(fd), level, opt, value); err != nil {
+					return errors.New("failed to set CustomSockoptInt", opt, value, err)
+				}
+			} else if custom.Type == "str" {
+				return errors.New("failed to set CustomSockoptString: Str type does not supported on windows")
+			} else {
+				return errors.New("unknown CustomSockopt type:", custom.Type)
+			}
+		}
+	}
+
 	return nil
 }

--- a/transport/internet/splithttp/config.go
+++ b/transport/internet/splithttp/config.go
@ -1,13 +1,12 @@
 package splithttp

 import (
-	"crypto/rand"
-	"math/big"
 	"net/http"
 	"net/url"
 	"strings"

 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/transport/internet"
 )

@ -184,9 +183,5 @@ func init() {
 }

 func (c RangeConfig) rand() int32 {
-	if c.From == c.To {
-		return c.From
-	}
-	bigInt, _ := rand.Int(rand.Reader, big.NewInt(int64(c.To-c.From)))
-	return c.From + int32(bigInt.Int64())
+	return int32(crypto.RandBetween(int64(c.From), int64(c.To)))
 }
--- a/transport/internet/splithttp/dialer.go
+++ b/transport/internet/splithttp/dialer.go
@ -30,16 +30,6 @@ import (
 	"golang.org/x/net/http2"
 )

-// defines the maximum time an idle TCP session can survive in the tunnel, so
-// it should be consistent across HTTP versions and with other transports.
-const connIdleTimeout = 300 * time.Second
-
-// consistent with quic-go
-const quicgoH3KeepAlivePeriod = 10 * time.Second
-
-// consistent with chrome
-const chromeH2KeepAlivePeriod = 45 * time.Second
-
 type dialerConf struct {
 	net.Destination
 	*internet.MemoryStreamConfig
@ -154,13 +144,13 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea

 	if httpVersion == "3" {
 		if keepAlivePeriod == 0 {
-			keepAlivePeriod = quicgoH3KeepAlivePeriod
+			keepAlivePeriod = net.QuicgoH3KeepAlivePeriod
 		}
 		if keepAlivePeriod < 0 {
 			keepAlivePeriod = 0
 		}
 		quicConfig := &quic.Config{
-			MaxIdleTimeout: connIdleTimeout,
+			MaxIdleTimeout: net.ConnIdleTimeout,

 			// these two are defaults of quic-go/http3. the default of quic-go (no
 			// http3) is different, so it is hardcoded here for clarity.
@ -168,7 +158,7 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea
 			MaxIncomingStreams: -1,
 			KeepAlivePeriod:    keepAlivePeriod,
 		}
-		transport = &http3.RoundTripper{
+		transport = &http3.Transport{
 			QUICConfig:      quicConfig,
 			TLSClientConfig: gotlsConfig,
 			Dial: func(ctx context.Context, addr string, tlsCfg *gotls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
@ -198,7 +188,7 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea
 						return nil, err
 					}
 				default:
-					udpConn = &internet.FakePacketConn{c}
+					udpConn = &internet.FakePacketConn{Conn: c}
 					udpAddr, err = net.ResolveUDPAddr("udp", c.RemoteAddr().String())
 					if err != nil {
 						return nil, err
@ -210,7 +200,7 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea
 		}
 	} else if httpVersion == "2" {
 		if keepAlivePeriod == 0 {
-			keepAlivePeriod = chromeH2KeepAlivePeriod
+			keepAlivePeriod = net.ChromeH2KeepAlivePeriod
 		}
 		if keepAlivePeriod < 0 {
 			keepAlivePeriod = 0
@ -219,7 +209,7 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea
 			DialTLSContext: func(ctxInner context.Context, network string, addr string, cfg *gotls.Config) (net.Conn, error) {
 				return dialContext(ctxInner)
 			},
-			IdleConnTimeout: connIdleTimeout,
+			IdleConnTimeout: net.ConnIdleTimeout,
 			ReadIdleTimeout: keepAlivePeriod,
 		}
 	} else {
@ -230,7 +220,7 @@ func createHTTPClient(dest net.Destination, streamSettings *internet.MemoryStrea
 		transport = &http.Transport{
 			DialTLSContext:  httpDialContext,
 			DialContext:     httpDialContext,
-			IdleConnTimeout: connIdleTimeout,
+			IdleConnTimeout: net.ConnIdleTimeout,
 			// chunked transfer download with KeepAlives is buggy with
 			// http.Client and our custom dial context.
 			DisableKeepAlives: true,
@ -291,11 +281,11 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
 	mode := transportConfiguration.Mode
 	if mode == "" || mode == "auto" {
 		mode = "packet-up"
-		if httpVersion == "2" {
-			mode = "stream-up"
-		}
-		if realityConfig != nil && transportConfiguration.DownloadSettings == nil {
+		if realityConfig != nil {
 			mode = "stream-one"
+			if transportConfiguration.DownloadSettings != nil {
+				mode = "stream-up"
+			}
 		}
 	}

--- a/transport/internet/splithttp/hub.go
+++ b/transport/internet/splithttp/hub.go
@ -24,8 +24,6 @@ import (
 	"github.com/xtls/xray-core/transport/internet/reality"
 	"github.com/xtls/xray-core/transport/internet/stat"
 	"github.com/xtls/xray-core/transport/internet/tls"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 )

 type requestHandler struct {
@ -426,11 +424,15 @@ func ListenXH(ctx context.Context, address net.Address, port net.Port, streamSet

 		handler.localAddr = l.listener.Addr()

-		// h2cHandler can handle both plaintext HTTP/1.1 and h2c
+		// server can handle both plaintext HTTP/1.1 and h2c
+		protocols := new(http.Protocols)
+		protocols.SetHTTP1(true)
+		protocols.SetUnencryptedHTTP2(true)
 		l.server = http.Server{
-			Handler:           h2c.NewHandler(handler, &http2.Server{}),
+			Handler:           handler,
 			ReadHeaderTimeout: time.Second * 4,
 			MaxHeaderBytes:    8192,
+			Protocols:         protocols,
 		}
 		go func() {
 			if err := l.server.Serve(l.listener); err != nil {
--- a/transport/internet/splithttp/splithttp_test.go
+++ b/transport/internet/splithttp/splithttp_test.go
@ -3,10 +3,8 @@ package splithttp_test
 import (
 	"context"
 	"crypto/rand"
-	gotls "crypto/tls"
 	"fmt"
 	"io"
-	gonet "net"
 	"net/http"
 	"runtime"
 	"testing"
@ -23,7 +21,6 @@ import (
 	. "github.com/xtls/xray-core/transport/internet/splithttp"
 	"github.com/xtls/xray-core/transport/internet/stat"
 	"github.com/xtls/xray-core/transport/internet/tls"
-	"golang.org/x/net/http2"
 )

 func Test_ListenXHAndDial(t *testing.T) {
@ -201,17 +198,11 @@ func Test_ListenXHAndDial_H2C(t *testing.T) {
 	common.Must(err)
 	defer listen.Close()

+	protocols := new(http.Protocols)
+	protocols.SetUnencryptedHTTP2(true)
 	client := http.Client{
-		Transport: &http2.Transport{
-			// So http2.Transport doesn't complain the URL scheme isn't 'https'
-			AllowHTTP: true,
-			// even with AllowHTTP, http2.Transport will attempt to establish
-			// the connection using DialTLSContext. Disable TLS with custom
-			// dial context.
-			DialTLSContext: func(ctx context.Context, network, addr string, cfg *gotls.Config) (gonet.Conn, error) {
-				var d gonet.Dialer
-				return d.DialContext(ctx, network, addr)
-			},
+		Transport: &http.Transport{
+			Protocols: protocols,
 		},
 	}

--- a/transport/internet/system_dialer.go
+++ b/transport/internet/system_dialer.go
@ -59,25 +59,29 @@ func (d *DefaultSystemDialer) Dial(ctx context.Context, src net.Address, dest ne
 				Port: 0,
 			}
 		}
-		packetConn, err := ListenSystemPacket(ctx, srcAddr, sockopt)
-		if err != nil {
-			return nil, err
-		}
+		var lc net.ListenConfig
 		destAddr, err := net.ResolveUDPAddr("udp", dest.NetAddr())
 		if err != nil {
 			return nil, err
 		}
-		if sockopt != nil {
-			sys, err := packetConn.(*net.UDPConn).SyscallConn()
-			if err != nil {
-				return nil, err
+		lc.Control = func(network, address string, c syscall.RawConn) error {
+			for _, ctl := range d.controllers {
+				if err := ctl(network, address, c); err != nil {
+					errors.LogInfoInner(ctx, err, "failed to apply external controller")
+				}
 			}
-			sys.Control(func(fd uintptr) {
-				if err := applyOutboundSocketOptions("udp", dest.NetAddr(), fd, sockopt); err != nil {
-					errors.LogInfo(ctx, err, "failed to apply socket options")
+			return c.Control(func(fd uintptr) {
+				if sockopt != nil {
+					if err := applyOutboundSocketOptions(network, destAddr.String(), fd, sockopt); err != nil {
+						errors.LogInfo(ctx, err, "failed to apply socket options")
+					}
 				}
 			})
 		}
+		packetConn, err := lc.ListenPacket(ctx, srcAddr.Network(), srcAddr.String())
+		if err != nil {
+			return nil, err
+		}
 		return &PacketConnWrapper{
 			Conn: packetConn,
 			Dest: destAddr,
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@ -109,12 +109,12 @@ func setupOcspTicker(entry *Certificate, callback func(isReloaded, isOcspstaplin
 		for {
 			var isReloaded bool
 			if entry.CertificatePath != "" && entry.KeyPath != "" {
-				newCert, err := filesystem.ReadFile(entry.CertificatePath)
+				newCert, err := filesystem.ReadCert(entry.CertificatePath)
 				if err != nil {
 					errors.LogErrorInner(context.Background(), err, "failed to parse certificate")
 					return
 				}
-				newKey, err := filesystem.ReadFile(entry.KeyPath)
+				newKey, err := filesystem.ReadCert(entry.KeyPath)
 				if err != nil {
 					errors.LogErrorInner(context.Background(), err, "failed to parse key")
 					return
--- a/transport/internet/tls/config.pb.go
+++ b/transport/internet/tls/config.pb.go
@ -207,7 +207,7 @@ type Config struct {
 	// @Critical
 	PinnedPeerCertificateChainSha256 [][]byte `protobuf:"bytes,13,rep,name=pinned_peer_certificate_chain_sha256,json=pinnedPeerCertificateChainSha256,proto3" json:"pinned_peer_certificate_chain_sha256,omitempty"`
 	// @Document Some certificate public key sha256 hashes.
-	// @Document After normal validation (required), if the verified cert's public key hash does not match any of these values, the connection will be aborted.
+	// @Document After normal validation (required), if one of certs in verified chain matches one of these values, the connection will be eventually accepted.
 	// @Critical
 	PinnedPeerCertificatePublicKeySha256 [][]byte `protobuf:"bytes,14,rep,name=pinned_peer_certificate_public_key_sha256,json=pinnedPeerCertificatePublicKeySha256,proto3" json:"pinned_peer_certificate_public_key_sha256,omitempty"`
 	MasterKeyLog                         string   `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
--- a/transport/internet/tls/config.proto
+++ b/transport/internet/tls/config.proto
@ -76,7 +76,7 @@ message Config {
  repeated bytes pinned_peer_certificate_chain_sha256 = 13;

  /* @Document Some certificate public key sha256 hashes.
-     @Document After normal validation (required), if the verified cert's public key hash does not match any of these values, the connection will be aborted.
+     @Document After normal validation (required), if one of certs in verified chain matches one of these values, the connection will be eventually accepted.
     @Critical
  */
  repeated bytes pinned_peer_certificate_public_key_sha256 = 14;
--- a/transport/internet/tls/tls.go
+++ b/transport/internet/tls/tls.go
@ -151,15 +151,19 @@ func init() {
 	weights := utls.DefaultWeights
 	weights.TLSVersMax_Set_VersionTLS13 = 1
 	weights.FirstKeyShare_Set_CurveP256 = 0
-	randomized := utls.HelloRandomized
+	randomized := utls.HelloRandomizedALPN
 	randomized.Seed, _ = utls.NewPRNGSeed()
 	randomized.Weights = &weights
+	randomizednoalpn := utls.HelloRandomizedNoALPN
+	randomizednoalpn.Seed, _ = utls.NewPRNGSeed()
+	randomizednoalpn.Weights = &weights
 	PresetFingerprints["randomized"] = &randomized
+	PresetFingerprints["randomizednoalpn"] = &randomizednoalpn
 }

 func GetFingerprint(name string) (fingerprint *utls.ClientHelloID) {
 	if name == "" {
-		return &utls.HelloChrome_Auto
+		return &utls.HelloChrome_120
 	}
 	if fingerprint = PresetFingerprints[name]; fingerprint != nil {
 		return
@ -175,17 +179,18 @@ func GetFingerprint(name string) (fingerprint *utls.ClientHelloID) {

 var PresetFingerprints = map[string]*utls.ClientHelloID{
 	// Recommended preset options in GUI clients
-	"chrome":     &utls.HelloChrome_Auto,
-	"firefox":    &utls.HelloFirefox_Auto,
-	"safari":     &utls.HelloSafari_Auto,
-	"ios":        &utls.HelloIOS_Auto,
-	"android":    &utls.HelloAndroid_11_OkHttp,
-	"edge":       &utls.HelloEdge_Auto,
-	"360":        &utls.Hello360_Auto,
-	"qq":         &utls.HelloQQ_Auto,
-	"random":     nil,
-	"randomized": nil,
-	"unsafe":     nil,
+	"chrome":           &utls.HelloChrome_120,
+	"firefox":          &utls.HelloFirefox_Auto,
+	"safari":           &utls.HelloSafari_Auto,
+	"ios":              &utls.HelloIOS_Auto,
+	"android":          &utls.HelloAndroid_11_OkHttp,
+	"edge":             &utls.HelloEdge_Auto,
+	"360":              &utls.Hello360_Auto,
+	"qq":               &utls.HelloQQ_Auto,
+	"random":           nil,
+	"randomized":       nil,
+	"randomizednoalpn": nil,
+	"unsafe":           nil,
 }

 var ModernFingerprints = map[string]*utls.ClientHelloID{
@ -193,12 +198,14 @@ var ModernFingerprints = map[string]*utls.ClientHelloID{
 	"hellofirefox_99":         &utls.HelloFirefox_99,
 	"hellofirefox_102":        &utls.HelloFirefox_102,
 	"hellofirefox_105":        &utls.HelloFirefox_105,
+	"hellofirefox_120":        &utls.HelloFirefox_120,
 	"hellochrome_83":          &utls.HelloChrome_83,
 	"hellochrome_87":          &utls.HelloChrome_87,
 	"hellochrome_96":          &utls.HelloChrome_96,
 	"hellochrome_100":         &utls.HelloChrome_100,
 	"hellochrome_102":         &utls.HelloChrome_102,
 	"hellochrome_106_shuffle": &utls.HelloChrome_106_Shuffle,
+	"hellochrome_120":         &utls.HelloChrome_120,
 	"helloios_13":             &utls.HelloIOS_13,
 	"helloios_14":             &utls.HelloIOS_14,
 	"helloedge_85":            &utls.HelloEdge_85,
@ -233,4 +240,13 @@ var OtherFingerprints = map[string]*utls.ClientHelloID{
 	"hello360_auto":          &utls.Hello360_Auto,
 	"hello360_7_5":           &utls.Hello360_7_5,
 	"helloqq_auto":           &utls.HelloQQ_Auto,
+
+	// reality currently does not support these new fingerprints
+	"hellochrome_100_psk":              &utls.HelloChrome_100_PSK,
+	"hellochrome_112_psk_shuf":         &utls.HelloChrome_112_PSK_Shuf,
+	"hellochrome_114_padding_psk_shuf": &utls.HelloChrome_114_Padding_PSK_Shuf,
+	"hellochrome_115_pq":               &utls.HelloChrome_115_PQ,
+	"hellochrome_115_pq_psk":           &utls.HelloChrome_115_PQ_PSK,
+	"hellochrome_120_pq":               &utls.HelloChrome_120_PQ,
+	"hellochrome_131":                  &utls.HelloChrome_131,
 }