Merge pull request #2630 from DNSCrypt/dependabot/github_actions/softprops/action-gh-release-2.0.5

Bump softprops/action-gh-release from 2.0.2 to 2.0.5
2024-05-08 10:31:44 +02:00 · 2024-05-08 03:55:52 +00:00 · 2024-05-07 22:44:33 +02:00 · 2024-05-07 22:35:09 +02:00 · 2024-05-07 17:39:56 +02:00 · 2024-04-27 22:33:56 +02:00
1800 changed files with 323110 additions and 160906 deletions
--- a/.ci/allowed-names.txt
+++ b/.ci/allowed-names.txt
@ -0,0 +1 @@
+tracker.debian.org
--- a/.ci/blocked-ips.txt
+++ b/.ci/blocked-ips.txt
@ -0,0 +1 @@
+8.8.8.8
--- a/.ci/blocked-names.txt
+++ b/.ci/blocked-names.txt
@ -0,0 +1,21 @@
+##################
+# Test blocklist #
+##################
+
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*        # test inline comment
+stats.*             # test inline comment with trailing spaces       
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+*.youtube.*  @time-to-sleep
+facebook.com @work
--- a/.ci/ci-build.sh
+++ b/.ci/ci-build.sh
@ -0,0 +1,204 @@
+#! /bin/sh
+
+PACKAGE_VERSION="$1"
+
+cd dnscrypt-proxy || exit 1
+
+go clean
+env GOOS=windows GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir win32
+ln dnscrypt-proxy.exe win32/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt win32/
+for i in win32/LICENSE win32/*.toml win32/*.txt; do ex -bsc '%!awk "{sub(/$/,\"\r\")}1"' -cx "$i"; done
+ln ../windows/* win32/
+zip -9 -r dnscrypt-proxy-win32-${PACKAGE_VERSION:-dev}.zip win32
+
+go clean
+env GOOS=windows GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir win64
+ln dnscrypt-proxy.exe win64/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt win64/
+for i in win64/LICENSE win64/*.toml win64/*.txt; do ex -bsc '%!awk "{sub(/$/,\"\r\")}1"' -cx "$i"; done
+ln ../windows/* win64/
+zip -9 -r dnscrypt-proxy-win64-${PACKAGE_VERSION:-dev}.zip win64
+
+go clean
+env GO386=softfloat GOOS=openbsd GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir openbsd-i386
+ln dnscrypt-proxy openbsd-i386/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt openbsd-i386/
+tar czpvf dnscrypt-proxy-openbsd_i386-${PACKAGE_VERSION:-dev}.tar.gz openbsd-i386
+
+go clean
+env GOOS=openbsd GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir openbsd-amd64
+ln dnscrypt-proxy openbsd-amd64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt openbsd-amd64/
+tar czpvf dnscrypt-proxy-openbsd_amd64-${PACKAGE_VERSION:-dev}.tar.gz openbsd-amd64
+
+go clean
+env GOOS=freebsd GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir freebsd-i386
+ln dnscrypt-proxy freebsd-i386/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt freebsd-i386/
+tar czpvf dnscrypt-proxy-freebsd_i386-${PACKAGE_VERSION:-dev}.tar.gz freebsd-i386
+
+go clean
+env GOOS=freebsd GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir freebsd-amd64
+ln dnscrypt-proxy freebsd-amd64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt freebsd-amd64/
+tar czpvf dnscrypt-proxy-freebsd_amd64-${PACKAGE_VERSION:-dev}.tar.gz freebsd-amd64
+
+go clean
+env GOOS=freebsd GOARCH=arm GOARM=5 go build -mod vendor -ldflags="-s -w"
+mkdir freebsd-arm
+ln dnscrypt-proxy freebsd-arm/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt freebsd-arm/
+tar czpvf dnscrypt-proxy-freebsd_arm-${PACKAGE_VERSION:-dev}.tar.gz freebsd-arm
+
+go clean
+env GOOS=dragonfly GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir dragonflybsd-amd64
+ln dnscrypt-proxy dragonflybsd-amd64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt dragonflybsd-amd64/
+tar czpvf dnscrypt-proxy-dragonflybsd_amd64-${PACKAGE_VERSION:-dev}.tar.gz dragonflybsd-amd64
+
+go clean
+env GOOS=netbsd GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir netbsd-i386
+ln dnscrypt-proxy netbsd-i386/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt netbsd-i386/
+tar czpvf dnscrypt-proxy-netbsd_i386-${PACKAGE_VERSION:-dev}.tar.gz netbsd-i386
+
+go clean
+env GOOS=netbsd GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir netbsd-amd64
+ln dnscrypt-proxy netbsd-amd64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt netbsd-amd64/
+tar czpvf dnscrypt-proxy-netbsd_amd64-${PACKAGE_VERSION:-dev}.tar.gz netbsd-amd64
+
+go clean
+env GOOS=solaris GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir solaris-amd64
+ln dnscrypt-proxy solaris-amd64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt solaris-amd64/
+tar czpvf dnscrypt-proxy-solaris_amd64-${PACKAGE_VERSION:-dev}.tar.gz solaris-amd64
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir linux-i386
+ln dnscrypt-proxy linux-i386/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-i386/
+tar czpvf dnscrypt-proxy-linux_i386-${PACKAGE_VERSION:-dev}.tar.gz linux-i386
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir linux-x86_64
+ln dnscrypt-proxy linux-x86_64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-x86_64/
+tar czpvf dnscrypt-proxy-linux_x86_64-${PACKAGE_VERSION:-dev}.tar.gz linux-x86_64
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=5 go build -mod vendor -ldflags="-s -w"
+mkdir linux-arm
+ln dnscrypt-proxy linux-arm/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-arm/
+tar czpvf dnscrypt-proxy-linux_arm-${PACKAGE_VERSION:-dev}.tar.gz linux-arm
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod vendor -ldflags="-s -w"
+mkdir linux-arm64
+ln dnscrypt-proxy linux-arm64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-arm64/
+tar czpvf dnscrypt-proxy-linux_arm64-${PACKAGE_VERSION:-dev}.tar.gz linux-arm64
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -mod vendor -ldflags="-s -w"
+mkdir linux-mips
+ln dnscrypt-proxy linux-mips/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-mips/
+tar czpvf dnscrypt-proxy-linux_mips-${PACKAGE_VERSION:-dev}.tar.gz linux-mips
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -mod vendor -ldflags="-s -w"
+mkdir linux-mipsle
+ln dnscrypt-proxy linux-mipsle/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-mipsle/
+tar czpvf dnscrypt-proxy-linux_mipsle-${PACKAGE_VERSION:-dev}.tar.gz linux-mipsle
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=mips64 GOMIPS64=softfloat go build -mod vendor -ldflags="-s -w"
+mkdir linux-mips64
+ln dnscrypt-proxy linux-mips64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-mips64/
+tar czpvf dnscrypt-proxy-linux_mips64-${PACKAGE_VERSION:-dev}.tar.gz linux-mips64
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le GOMIPS64=softfloat go build -mod vendor -ldflags="-s -w"
+mkdir linux-mips64le
+ln dnscrypt-proxy linux-mips64le/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-mips64le/
+tar czpvf dnscrypt-proxy-linux_mips64le-${PACKAGE_VERSION:-dev}.tar.gz linux-mips64le
+
+go clean
+env CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -mod vendor -ldflags="-s -w"
+mkdir linux-riscv64
+ln dnscrypt-proxy linux-riscv64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt linux-riscv64/
+tar czpvf dnscrypt-proxy-linux_riscv64-${PACKAGE_VERSION:-dev}.tar.gz linux-riscv64
+
+go clean
+env GOOS=darwin GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir macos-x86_64
+ln dnscrypt-proxy macos-x86_64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt macos-x86_64/
+tar czpvf dnscrypt-proxy-macos_x86_64-${PACKAGE_VERSION:-dev}.tar.gz macos-x86_64
+
+go clean
+env GOOS=darwin GOARCH=arm64 go build -mod vendor -ldflags="-s -w"
+mkdir macos-arm64
+ln dnscrypt-proxy macos-arm64/
+ln ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt macos-arm64/
+tar czpvf dnscrypt-proxy-macos_arm64-${PACKAGE_VERSION:-dev}.tar.gz macos-arm64
+
+# Android
+
+NDK_VER=r20
+curl -LOs https://dl.google.com/android/repository/android-ndk-${NDK_VER}-linux-x86_64.zip
+unzip -q android-ndk-${NDK_VER}-linux-x86_64.zip -d ${HOME}
+rm android-ndk-${NDK_VER}-linux-x86_64.zip
+NDK_TOOLS=${HOME}/android-ndk-${NDK_VER}
+export PATH=${PATH}:${NDK_TOOLS}/toolchains/llvm/prebuilt/linux-x86_64/bin
+
+go clean
+env CC=armv7a-linux-androideabi19-clang CXX=armv7a-linux-androideabi19-clang++ CGO_ENABLED=1 GOOS=android GOARCH=arm GOARM=7 go build -mod vendor -ldflags="-s -w"
+mkdir android-arm
+ln dnscrypt-proxy android-arm/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt android-arm/
+zip -9 -r dnscrypt-proxy-android_arm-${PACKAGE_VERSION:-dev}.zip android-arm
+
+go clean
+env CC=aarch64-linux-android21-clang CXX=aarch64-linux-android21-clang++ CGO_ENABLED=1 GOOS=android GOARCH=arm64 go build -mod vendor -ldflags="-s -w"
+mkdir android-arm64
+ln dnscrypt-proxy android-arm64/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt android-arm64/
+zip -9 -r dnscrypt-proxy-android_arm64-${PACKAGE_VERSION:-dev}.zip android-arm64
+
+go clean
+env CC=i686-linux-android19-clang CXX=i686-linux-android19-clang++ CGO_ENABLED=1 GOOS=android GOARCH=386 go build -mod vendor -ldflags="-s -w"
+mkdir android-i386
+ln dnscrypt-proxy android-i386/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt android-i386/
+zip -9 -r dnscrypt-proxy-android_i386-${PACKAGE_VERSION:-dev}.zip android-i386
+
+go clean
+env CC=x86_64-linux-android21-clang CXX=x86_64-linux-android21-clang++ CGO_ENABLED=1 GOOS=android GOARCH=amd64 go build -mod vendor -ldflags="-s -w"
+mkdir android-x86_64
+ln dnscrypt-proxy android-x86_64/
+cp ../LICENSE example-dnscrypt-proxy.toml localhost.pem example-*.txt android-x86_64/
+zip -9 -r dnscrypt-proxy-android_x86_64-${PACKAGE_VERSION:-dev}.zip android-x86_64
+
+# Done
+
+ls -l dnscrypt-proxy-*.tar.gz dnscrypt-proxy-*.zip
--- a/.ci/ci-package.sh
+++ b/.ci/ci-package.sh
@ -0,0 +1,58 @@
+#! /bin/sh
+
+PACKAGE_VERSION="$1"
+
+cd dnscrypt-proxy || exit 1
+
+# setup the environment
+
+sudo apt-get update -y
+sudo apt-get install -y wget wine dotnet-sdk-6.0
+sudo dpkg --add-architecture i386 && sudo apt-get update && sudo apt-get install -y wine32
+
+sudo apt-get install -y unzip
+
+export WINEPREFIX="$HOME"/.wine32
+export WINEARCH=win32
+export WINEDEBUG=-all
+
+wget https://dl.winehq.org/wine/wine-mono/8.1.0/wine-mono-8.1.0-x86.msi
+WINEPREFIX="$HOME/.wine32" WINEARCH=win32 wineboot --init
+WINEPREFIX="$HOME/.wine32" WINEARCH=win32 wine msiexec /i wine-mono-8.1.0-x86.msi
+
+mkdir "$HOME"/.wine32/drive_c/temp
+mkdir -p "$HOME"/.wine/drive_c/temp
+wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
+
+unzip wix.zip -d "$HOME"/wix
+rm -f wix.zip
+
+builddir=$(pwd)
+srcdir=$(
+  cd ..
+  pwd
+)
+version=$PACKAGE_VERSION
+
+cd "$HOME"/wix || exit
+
+ln -s "$builddir" "$HOME"/wix/build
+ln -s "$srcdir"/contrib/msi "$HOME"/wix/wixproj
+echo "builddir: $builddir"
+
+# build the msi's
+#################
+for arch in x64 x86; do
+  binpath="win32"
+  if [ "$arch" = "x64" ]; then
+    binpath="win64"
+  fi
+
+  echo $arch
+
+  wine candle.exe -dVersion="$version" -dPlatform=$arch -dPath=build\\$binpath -arch $arch wixproj\\dnscrypt.wxs -out build\\dnscrypt-$arch.wixobj
+  wine light.exe -out build\\dnscrypt-proxy-$arch-"$version".msi build\\dnscrypt-$arch.wixobj -sval
+
+done
+
+cd "$builddir" || exit
--- a/.ci/ci-test.sh
+++ b/.ci/ci-test.sh
@ -0,0 +1,164 @@
+#! /bin/sh
+
+DNS_PORT=5300
+HTTP_PORT=3053
+TEST_COUNT=0
+
+exec 2>error.log
+
+t() {
+    TEST_COUNT=$((TEST_COUNT + 1))
+    echo "Test #${TEST_COUNT}..."
+    false
+}
+
+fail() (
+    echo "*** Test #${TEST_COUNT} FAILED ***" >&2
+)
+
+section() {
+    true
+}
+
+rm -f blocked-names.log blocked-ips.log query.log nx.log allowed-names.log
+
+t || (
+    cd ../dnscrypt-proxy
+    go test -mod vendor
+    go build -mod vendor -race
+) || fail
+
+section
+sed -e "s/127.0.0.1:53/127.0.0.1:${DNS_PORT}/g" -e "s/# server_names =.*/server_names = ['scaleway-fr']/" ../dnscrypt-proxy/example-dnscrypt-proxy.toml >test-dnscrypt-proxy.toml
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+t ||
+    dig -p${DNS_PORT} . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} +short one.one.one.one @127.0.0.1 | grep -Fq '1.1.1.1' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: qr rd ra ad' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+sleep 5
+
+section
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test2-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+section
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail
+
+section
+t || dig -p${DNS_PORT} AAAA ipv6.google.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} invalid. @127.0.0.1 | grep -Fq NXDOMAIN || fail
+t || dig -p${DNS_PORT} +dnssec invalid. @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+t || dig -p${DNS_PORT} +dnssec PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+section
+t || dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+
+section
+t || dig -p${DNS_PORT} +short cloakedunregistered.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short MX cloakedunregistered.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} +short MX example.com @127.0.0.1 | grep -Fvq 'locally blocked' || fail
+t || dig -p${DNS_PORT} NS cloakedunregistered.com @127.0.0.1 | grep -Fiq 'gtld-servers.net' || fail
+t || dig -p${DNS_PORT} +short www.cloakedunregistered2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
+t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+t || dig -p${DNS_PORT} +short ptr 101.100.168.192.in-addr.arpa. @127.0.0.1 | grep -Eq 'www.dnscrypt-test.com' || fail
+t || dig -p${DNS_PORT} +short ptr 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.d.f.ip6.arpa. @127.0.0.1 | grep -Eq 'ipv6.dnscrypt-test.com' || fail
+
+section
+t || dig -p${DNS_PORT} telemetry.example @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} dns.google @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} tracker.xdebian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fqv 'locally blocked' || fail
+
+section
+t || curl --insecure -siL https://127.0.0.1:${HTTP_PORT}/ | grep -Fq 'HTTP/2 404' || fail
+t || curl --insecure -sL https://127.0.0.1:${HTTP_PORT}/dns-query | grep -Fq 'dnscrypt-proxy local DoH server' || fail
+t ||
+    echo yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA== | base64 -d |
+    curl -H'Content-Type: application/dns-message' -H'Accept: application/dns-message' --data-binary @- -D - --insecure https://127.0.0.1:${HTTP_PORT}/dns-query 2>/dev/null |
+        grep -Fq application/dns-message || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+
+sleep 5
+
+section
+t || grep -Fq 'telemetry.example' blocked-names.log || fail
+t || grep -Fq 'telemetry.*' blocked-names.log || fail
+t || grep -Fq 'tracker.xdebian.org' blocked-names.log || fail
+t || grep -Fq 'tracker.*' blocked-names.log || fail
+
+section
+t || grep -Fq 'dns.google' blocked-ips.log || fail
+t || grep -Fq '8.8.8.8' blocked-ips.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Eq 'microsoft.com.*PASS.*[^-]$' query.log || fail
+t || grep -Eq 'microsoft.com.*PASS.*-$' query.log || fail
+t || grep -Eq 'ipv6.google.com.*SYNTH' query.log || fail
+t || grep -Eq 'invalid.*SYNTH' query.log || fail
+t || grep -Eq '168.192.in-addr.arpa.*SYNTH' query.log || fail
+t || grep -Eq 'darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'www.darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'cloakedunregistered.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.cloakedunregistered2.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.dnscrypt-test.*CLOAK' query.log || fail
+t || grep -Eq 'a.www.dnscrypt-test.*NXDOMAIN' query.log || fail
+t || grep -Eq 'telemetry.example.*REJECT' query.log || fail
+t || grep -Eq 'dns.google.*REJECT' query.log || fail
+t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
+t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail
+t || grep -Eq '[.].*NS.*PASS' query.log || fail
+
+section
+t || grep -Fq 'tracker.debian.org' allowed-names.log || fail
+t || grep -Fq '*.tracker.debian' allowed-names.log || fail
+
+section
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test3-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+section
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A MICROSOFT.COM @127.0.0.1 | grep -Fq "NOERROR" || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+sleep 5
+
+section
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test-odoh-proxied.toml -pidfile /tmp/odoh-proxied.pidfile &
+sleep 5
+
+section
+t || dig -p${DNS_PORT} A microsoft.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+t || dig -p${DNS_PORT} A cloudflare.com @127.0.0.1 | grep -Fq "NOERROR" || fail
+
+kill $(cat /tmp/odoh-proxied.pidfile)
+sleep 5
+
+if [ -s error.log ]; then
+    cat *.log
+    exit 1
+fi
--- a/.ci/cloaking-rules.txt
+++ b/.ci/cloaking-rules.txt
@ -0,0 +1,5 @@
+cloakedunregistered.*       one.one.one.one
+*.cloakedunregistered2.*    one.one.one.one # inline comment
+=www.dnscrypt-test          192.168.100.100
+=www.dnscrypt-test.com      192.168.100.101
+=ipv6.dnscrypt-test.com     fd02::1
--- a/.ci/forwarding-rules.txt
+++ b/.ci/forwarding-rules.txt
@ -0,0 +1,2 @@
+darpa.mil 208.67.222.222
+
--- a/.ci/test-odoh-proxied.toml
+++ b/.ci/test-odoh-proxied.toml
@ -0,0 +1,17 @@
+server_names = ['odohtarget']
+listen_addresses = ['127.0.0.1:5300']
+
+[query_log]
+file = 'query.log'
+
+[static]
+  [static.'odohtarget']
+  stamp = 'sdns://BQcAAAAAAAAADm9kb2guY3J5cHRvLnN4Ci9kbnMtcXVlcnk'
+
+  [static.'odohrelay']
+  stamp = 'sdns://hQcAAAAAAAAADDg5LjM4LjEzMS4zOAAYb2RvaC1ubC5hbGVrYmVyZy5uZXQ6NDQzBi9wcm94eQ'
+
+[anonymized_dns]
+  routes = [
+    { server_name='odohtarget', via=['odohrelay'] }
+  ]
--- a/.ci/test2-dnscrypt-proxy.toml
+++ b/.ci/test2-dnscrypt-proxy.toml
@ -0,0 +1,69 @@
+server_names = ['public-scaleway-fr']
+listen_addresses = ['127.0.0.1:5300']
+require_dnssec = true
+dnscrypt_ephemeral_keys = true
+tls_disable_session_tickets = false
+ignore_system_dns = false
+lb_strategy = 'p12'
+block_ipv6 = true
+block_unqualified = true
+block_undelegated = true
+forwarding_rules = 'forwarding-rules.txt'
+cloaking_rules = 'cloaking-rules.txt'
+cloak_ptr = true
+cache = true
+
+[local_doh]
+listen_addresses = ['127.0.0.1:3053']
+cert_file = "../dnscrypt-proxy/localhost.pem"
+cert_key_file = "../dnscrypt-proxy/localhost.pem"
+
+[query_log]
+file = 'query.log'
+
+[nx_log]
+file = 'nx.log'
+
+[blocked_names]
+blocked_names_file = 'blocked-names.txt'
+log_file = 'blocked-names.log'
+
+[blocked_ips]
+blocked_ips_file = 'blocked-ips.txt'
+log_file = 'blocked-ips.log'
+
+[allowed_names]
+allowed_names_file = 'allowed-names.txt'
+log_file = 'allowed-names.log'
+
+[schedules]
+
+  [schedules.'time-to-sleep']
+  mon = [{after='21:00', before='7:00'}]
+  tue = [{after='21:00', before='7:00'}]
+  wed = [{after='21:00', before='7:00'}]
+  thu = [{after='21:00', before='7:00'}]
+  fri = [{after='23:00', before='7:00'}]
+  sat = [{after='23:00', before='7:00'}]
+  sun = [{after='21:00', before='7:00'}]
+
+  [schedules.'work']
+  mon = [{after='9:00', before='18:00'}]
+  tue = [{after='9:00', before='18:00'}]
+  wed = [{after='9:00', before='18:00'}]
+  thu = [{after='9:00', before='18:00'}]
+  fri = [{after='9:00', before='17:00'}]
+
+[sources]
+  [sources.'public-resolvers']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+  cache_file = 'public-resolvers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  prefix = 'public-'
+
+  [sources.'relays']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
+  cache_file = 'relays.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = 'relay-'
--- a/.ci/test3-dnscrypt-proxy.toml
+++ b/.ci/test3-dnscrypt-proxy.toml
@ -0,0 +1,19 @@
+server_names = ['myserver']
+listen_addresses = ['127.0.0.1:5300']
+require_dnssec = true
+dnscrypt_ephemeral_keys = true
+tls_disable_session_tickets = false
+ignore_system_dns = false
+lb_strategy = 'p12'
+block_ipv6 = true
+block_unqualified = true
+block_undelegated = true
+cache = true
+
+[query_log]
+file = 'query.log'
+
+[static]
+
+  [static.'myserver']
+  stamp = 'sdns://AQcAAAAAAAAADjIxMi40Ny4yMjguMTM2IOgBuE6mBr-wusDOQ0RbsV66ZLAvo8SqMa4QY2oHkDJNHzIuZG5zY3J5cHQtY2VydC5mci5kbnNjcnlwdC5vcmc'
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,7 @@
+*               text=auto
+*.go            text        diff=golang
+*.bat           text        eol=crlf
+go.mod          text        eol=lf
+
+# Ensure test fixtures don't get mangled
+**/testdata/**  -text
--- a/.github/ISSUE_TEMPLATE/bugs.md
+++ b/.github/ISSUE_TEMPLATE/bugs.md
@ -0,0 +1,65 @@
+---
+name: "\U0001F41E Issues"
+about: Bug reports
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+THE TRACKER IS DEDICATED TO KEEPING TRACK OF *BUGS*,
+preferably after they have been already discussed and confirmed to be reproducible.
+
+FOR ASSISTANCE, PLEASE CLOSE THIS FORM AND USE THE DISCUSSIONS SECTION INSTEAD:
+https://github.com/DNSCrypt/dnscrypt-proxy/discussions/categories/q-a
+
+~~~
+
+Reported bugs must reproducible in the context described in the "Context" section.
+
+Installation and configuration issues are not bugs, but individual assistance request.
+
+Context: the LATEST version of `dnscrypt-proxy` (precompiled binaries downloaded from this repository) is correctly installed and configured on your system, but something doesn't seem to produce the expected result.
+
+If the bug is not trivial to reproduce on any platform, please include ALL the steps required to reliably duplicate it, on a vanilla, generic install of macOS, Windows, OpenBSD or Ubuntu Linux system, in their most current version.
+
+If you don't have any clear understanding of the issue or can't enumerate the steps to reproduce it, open a discussion instead:
+https://github.com/DNSCrypt/dnscrypt-proxy/discussions
+
+
+## Output of the following commands:
+
+./dnscrypt-proxy -version
+
+./dnscrypt-proxy -check
+
+./dnscrypt-proxy -resolve example.com
+
+
+- [ ] Initially raised as discussion #...
+
+
+
+## *What* is affected by this bug?
+
+
+
+## *When* does this occur?
+
+
+
+## *Where* does it happen?
+
+
+
+## *How* do we replicate the issue?
+<!-- Please list all the steps required to reliably replicate it, starting from a newly installed operating system -->
+
+
+
+## Expected behavior (i.e. solution)
+
+
+
+## Other Comments
+
--- a/.github/ISSUE_TEMPLATE/suggestions.md
+++ b/.github/ISSUE_TEMPLATE/suggestions.md
@ -0,0 +1,22 @@
+---
+name: "🙋🏽 Planned changes"
+about: List of planned changes
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+The starting point should be a discussion.
+
+https://github.com/DNSCrypt/dnscrypt-proxy/discussions/
+
+Suggestions may be raised as an "Ideas" discussion.
+
+We can then determine if the discussion needs to be escalated into a "planned change" or not.
+
+This will help us ensure that the issue tracker properly reflects ongoing or needed work on the project.
+
+---
+
+- [ ] Initially raised as discussion #...
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,15 @@
+version: 2
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  # Maintain dependencies for Go
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
--- a/.github/workflows/autocloser.yml
+++ b/.github/workflows/autocloser.yml
@ -0,0 +1,12 @@
+name: Autocloser
+on: [issues]
+jobs:
+  autoclose:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Autoclose issues that did not follow issue template
+      uses: roots/issue-closer@v1.2
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-close-message: "This issue was automatically closed because it did not follow the issue template. We use the issue tracker exclusively for bug reports and feature additions that have been previously discussed. However, this issue appears to be a support request. Please use the discussion forums for support requests."
+        issue-pattern: ".*(do we replicate the issue|Expected behavior|raised as discussion|# Impact).*"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,32 @@
+name: "CodeQL scan"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 14 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@ -0,0 +1,95 @@
+on:
+  push:
+    paths:
+      - "**.go"
+      - "go.*"
+      - "**/testdata/**"
+      - ".ci/**"
+      - ".git*"
+      - ".github/workflows/releases.yml"
+  pull_request:
+    paths:
+      - "**.go"
+      - "go.*"
+      - "**/testdata/**"
+      - ".ci/**"
+      - ".git*"
+      - ".github/workflows/releases.yml"
+
+name: GitHub CI
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1
+          check-latest: true
+        id: go
+
+      - name: Test suite
+        run: |
+          go version
+          cd .ci
+          ./ci-test.sh
+          cd -
+
+      - name: Build all
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          .ci/ci-build.sh "${{ steps.get_version.outputs.VERSION }}"
+
+      - name: Package
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          .ci/ci-package.sh "${{ steps.get_version.outputs.VERSION }}"
+
+      - name: Install minisign and sign
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          sudo apt-get -y install libsodium-dev
+          git clone --depth 1 https://github.com/jedisct1/minisign.git
+          cd minisign/src
+          mkdir -p /tmp/bin
+          cc -O2 -o /tmp/bin/minisign -D_GNU_SOURCE *.c -lsodium
+          cd -
+          /tmp/bin/minisign -v
+          echo '#' > /tmp/minisign.key
+          echo "${{ secrets.MINISIGN_SK }}" >> /tmp/minisign.key
+          cd dnscrypt-proxy
+          echo | /tmp/bin/minisign -s /tmp/minisign.key -Sm *.tar.gz *.zip
+          ls -l dnscrypt-proxy*
+
+      - name: Create release
+        id: create_release
+        uses: actions/create-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: false
+
+      - name: Upload release assets
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          files: |
+            dnscrypt-proxy/*.zip
+            dnscrypt-proxy/*.tar.gz
+            dnscrypt-proxy/*.minisig
+            dnscrypt-proxy/*.msi
--- a/.github/workflows/shiftleft-analysis.yml
+++ b/.github/workflows/shiftleft-analysis.yml
@ -0,0 +1,23 @@
+name: ShiftLeft Scan
+
+on: push
+
+jobs:
+  Scan-Build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Perform ShiftLeft Scan
+      uses: ShiftLeftSecurity/scan-action@master
+      env:
+        WORKSPACE: ""
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SCAN_AUTO_BUILD: true
+      with:
+        output: reports
+
+    - name: Upload report
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: reports
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,11 @@
 *~
 dnscrypt-proxy/dnscrypt-proxy2
 dnscrypt-proxy/dnscrypt-proxy
+.idea
+.ci/*.log
+.ci/*.md
+.ci/*.md.minisig
+.ci/test-dnscrypt-proxy.toml
+contrib/msi/*.msi
+contrib/msi/*.wixpdb
+contrib/msi/*.wixobj
--- a/.travis.yml
+++ b/.travis.yml
@ -1,218 +0,0 @@
-sudo: false
-language: go
-os:
- linux
-go:
- 1.x
-script:
- gimme --list
- echo $TRAVIS_GO_VERSION
- cd dnscrypt-proxy
- go clean
- env GOOS=windows GOARCH=386 go build -ldflags="-s -w"
- mkdir win32
- ln dnscrypt-proxy.exe win32/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt win32/
- for i in win32/LICENSE win32/*.toml win32/*.txt; do ex -bsc '%!awk "{sub(/$/,\"\r\")}1"'
-  -cx "$i"; done
- ln ../windows/* win32/
- zip -9 -r dnscrypt-proxy-win32-${TRAVIS_TAG:-dev}.zip win32
- go clean
- env GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
- mkdir win64
- ln dnscrypt-proxy.exe win64/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt win64/
- for i in win64/LICENSE win64/*.toml win64/*.txt; do ex -bsc '%!awk "{sub(/$/,\"\r\")}1"'
-  -cx "$i"; done
- ln ../windows/* win64/
- zip -9 -r dnscrypt-proxy-win64-${TRAVIS_TAG:-dev}.zip win64
- go clean
- env GO386=387 GOOS=openbsd GOARCH=386 go build -ldflags="-s -w"
- mkdir openbsd-i386
- ln dnscrypt-proxy openbsd-i386/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt openbsd-i386/
- tar czpvf dnscrypt-proxy-openbsd_i386-${TRAVIS_TAG:-dev}.tar.gz openbsd-i386
- go clean
- env GOOS=openbsd GOARCH=amd64 go build -ldflags="-s -w"
- mkdir openbsd-amd64
- ln dnscrypt-proxy openbsd-amd64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt openbsd-amd64/
- tar czpvf dnscrypt-proxy-openbsd_amd64-${TRAVIS_TAG:-dev}.tar.gz openbsd-amd64
- go clean
- env GOOS=freebsd GOARCH=386 go build -ldflags="-s -w"
- mkdir freebsd-i386
- ln dnscrypt-proxy freebsd-i386/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt freebsd-i386/
- tar czpvf dnscrypt-proxy-freebsd_i386-${TRAVIS_TAG:-dev}.tar.gz freebsd-i386
- go clean
- env GOOS=freebsd GOARCH=amd64 go build -ldflags="-s -w"
- mkdir freebsd-amd64
- ln dnscrypt-proxy freebsd-amd64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt freebsd-amd64/
- tar czpvf dnscrypt-proxy-freebsd_amd64-${TRAVIS_TAG:-dev}.tar.gz freebsd-amd64
- go clean
-
- env GOOS=freebsd GOARCH=arm go build -ldflags="-s -w"
- mkdir freebsd-arm
- ln dnscrypt-proxy freebsd-arm/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt freebsd-arm/
- tar czpvf dnscrypt-proxy-freebsd_arm-${TRAVIS_TAG:-dev}.tar.gz freebsd-arm
- go clean
- env GOOS=freebsd GOARCH=arm GOARM=7 go build -ldflags="-s -w"
- mkdir freebsd-armv7
- ln dnscrypt-proxy freebsd-armv7/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt freebsd-armv7/
- tar czpvf dnscrypt-proxy-freebsd_armv7-${TRAVIS_TAG:-dev}.tar.gz freebsd-armv7
- go clean
- env GOOS=dragonfly GOARCH=amd64 go build -ldflags="-s -w"
- mkdir dragonflybsd-amd64
- ln dnscrypt-proxy dragonflybsd-amd64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt dragonflybsd-amd64/
- tar czpvf dnscrypt-proxy-dragonflybsd_amd64-${TRAVIS_TAG:-dev}.tar.gz dragonflybsd-amd64
- go clean
- env GOOS=netbsd GOARCH=386 go build -ldflags="-s -w"
- mkdir netbsd-i386
- ln dnscrypt-proxy netbsd-i386/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt netbsd-i386/
- tar czpvf dnscrypt-proxy-netbsd_i386-${TRAVIS_TAG:-dev}.tar.gz netbsd-i386
- go clean
- env GOOS=netbsd GOARCH=amd64 go build -ldflags="-s -w"
- mkdir netbsd-amd64
- ln dnscrypt-proxy netbsd-amd64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt netbsd-amd64/
- tar czpvf dnscrypt-proxy-netbsd_amd64-${TRAVIS_TAG:-dev}.tar.gz netbsd-amd64
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags="-s -w"
- mkdir linux-i386
- ln dnscrypt-proxy linux-i386/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-i386/
- tar czpvf dnscrypt-proxy-linux_i386-${TRAVIS_TAG:-dev}.tar.gz linux-i386
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w"
- mkdir linux-x86_64
- ln dnscrypt-proxy linux-x86_64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-x86_64/
- tar czpvf dnscrypt-proxy-linux_x86_64-${TRAVIS_TAG:-dev}.tar.gz linux-x86_64
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -ldflags="-s -w"
- mkdir linux-arm
- ln dnscrypt-proxy linux-arm/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-arm/
- tar czpvf dnscrypt-proxy-linux_arm-${TRAVIS_TAG:-dev}.tar.gz linux-arm
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-s -w"
- mkdir linux-arm64
- ln dnscrypt-proxy linux-arm64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-arm64/
- tar czpvf dnscrypt-proxy-linux_arm64-${TRAVIS_TAG:-dev}.tar.gz linux-arm64
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags="-s -w"
- mkdir linux-mips
- ln dnscrypt-proxy linux-mips/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-mips/
- tar czpvf dnscrypt-proxy-linux_mips-${TRAVIS_TAG:-dev}.tar.gz linux-mips
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags="-s -w"
- mkdir linux-mipsle
- ln dnscrypt-proxy linux-mipsle/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-mipsle/
- tar czpvf dnscrypt-proxy-linux_mipsle-${TRAVIS_TAG:-dev}.tar.gz linux-mipsle
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -ldflags="-s -w"
- mkdir linux-mips64
- ln dnscrypt-proxy linux-mips64/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-mips64/
- tar czpvf dnscrypt-proxy-linux_mips64-${TRAVIS_TAG:-dev}.tar.gz linux-mips64
- go clean
- env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -ldflags="-s -w"
- mkdir linux-mips64le
- ln dnscrypt-proxy linux-mips64le/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt linux-mips64le/
- tar czpvf dnscrypt-proxy-linux_mips64le-${TRAVIS_TAG:-dev}.tar.gz linux-mips64le
- go clean
- env GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w"
- mkdir macos
- ln dnscrypt-proxy macos/
- ln ../LICENSE example-dnscrypt-proxy.toml example-*.txt macos/
- tar czpvf dnscrypt-proxy-macos-${TRAVIS_TAG:-dev}.tar.gz macos
- go clean
- env CC=arm-linux-androideabi-clang CXX=arm-linux-androideabi-clang++
-  CGO_ENABLED=1
-  GOOS=android GOARCH=arm GOARM=7 go build -ldflags="-s -w"
- mkdir android-arm
- ln dnscrypt-proxy android-arm/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt android-arm/
- zip -9 -r dnscrypt-proxy-android_arm-${TRAVIS_TAG:-dev}.zip android-arm
- go clean
- env CC=aarch64-linux-android-clang CXX=aarch64-linux-android-clang++
-  CGO_ENABLED=1
-  GOOS=android GOARCH=arm64 go build -ldflags="-s -w"
- mkdir android-arm64
- ln dnscrypt-proxy android-arm64/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt android-arm64/
- zip -9 -r dnscrypt-proxy-android_arm64-${TRAVIS_TAG:-dev}.zip android-arm64
- go clean
- env CC=i686-linux-android-clang CXX=i686-linux-android-clang++
-  CGO_ENABLED=1 GOOS=android
-  GOARCH=386 go build -ldflags="-s -w"
- mkdir android-i386
- ln dnscrypt-proxy android-i386/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt android-i386/
- zip -9 -r dnscrypt-proxy-android_i386-${TRAVIS_TAG:-dev}.zip android-i386
- go clean
- env CC=x86_64-linux-android-clang CXX=x86_64-linux-android-clang++
-  CGO_ENABLED=1
-  GOOS=android GOARCH=amd64 go build -ldflags="-s -w"
- mkdir android-x86_64
- ln dnscrypt-proxy android-x86_64/
- cp ../LICENSE example-dnscrypt-proxy.toml example-*.txt android-x86_64/
- zip -9 -r dnscrypt-proxy-android_x86_64-${TRAVIS_TAG:-dev}.zip android-x86_64
- ls -l dnscrypt-proxy-*.tar.gz dnscrypt-proxy-*.zip
-deploy:
-  provider: releases
-  api_key:
-    secure: J3K/wo3oW/ySl6X4Zk5PX+EVy4fa0qa4fbpKNivogch5yjYw2pgrlSvwto9TM12Gxi4tTMKiWYK4YBapNf+tm501s4OyS1G1rJR1fZ+iyaHgGBLD+QppbivZt+P7Do56agSili68Zcgm7MQfZbvOq9z42z3AJ71+UNTJmTp63voaAuyOF/VdLsmJHMd/5nmFJH6mfMrgMs720GCWxFgdq3NRM2AdVldsp1YmNb4qKqIzunmfxqG9TqVlpq35tNOhWA/Ll3rbsiDVeUpBAW5ked/qHyGRkFVk44O6cPSFGe035Txx0JviBshGxsNSP+aJL9T55hIj1dmuk6g5uhPqABU/zcdJvXOv11oqJuV/DGHO31UfVN6u744LJY6Y1lkd+UUNiOJDPGC80+6M2GbP7BFMZiO5qnYkxzktnYg9b6zIPwmj96XZSniDTAn+qemJf2S8rzShvBtWX29Q4odIaCfFUY8i0muowQ4Vep5S5FqVG+r/rQTXOUIUsNv4r/gP/y5hdtOMC2r1VSvWk068upmW6ovCtcmTghSfYcLCG5r+g5OE2mKj9kbx6RQMspewk9+pvOhNZKXsn/AIvvDC4V46MaDjFkdYN0VbsYB5NH11DGCPH7vDwJnAzzMWnofCkiTG07dJYlLUnD9iUgYoNkrxivAgQKnDP8C6Ka0RGdk=
-  file:
-  - dnscrypt-proxy-*.tar.gz
-  - dnscrypt-proxy-*.zip
-  - dnscrypt-proxy-*.minisig
-  file_glob: true
-  skip_cleanup: true
-  on:
-    repo: jedisct1/dnscrypt-proxy
-    tags: true
-before_deploy:
- mkdir -p /tmp/bin /tmp/lib /tmp/include
- export LD_LIBRARY_PATH=/tmp/lib:LD_LIBRARY_PATH
- export PATH=/tmp/bin:$PATH
- git clone https://github.com/jedisct1/libsodium.git --branch=stable
- cd libsodium
- env ./configure --disable-dependency-tracking --prefix=/tmp
- make -j$(nproc) install
- cd -
- git clone https://github.com/jedisct1/minisign.git
- cd minisign/src
- gcc -O2 -o /tmp/bin/minisign -I/tmp/include -L/tmp/lib *.c -lsodium
- cd -
- minisign -v
- echo '#' > /tmp/minisign.key
- echo "$MINISIGN_SK" >> /tmp/minisign.key
- echo | minisign -s /tmp/minisign.key -Sm dnscrypt-proxy-*.tar.gz dnscrypt-proxy-*.zip
-after_deploy:
- ls -l dnscrypt-proxy-*.tar.gz dnscrypt-proxy-*.zip
-before_install:
- NDK_VER=r18
- curl -LO http://dl.google.com/android/repository/android-ndk-${NDK_VER}-linux-x86_64.zip
- unzip -q android-ndk-${NDK_VER}-linux-x86_64.zip -d $HOME
- rm android-ndk-${NDK_VER}-linux-x86_64.zip
- NDK_TOOLS=$HOME/android-ndk-${NDK_VER}
- NDK_STANDALONE=$HOME/ndk-standalone-${NDK_VER}
- MAKE_TOOLCHAIN=$NDK_TOOLS/build/tools/make_standalone_toolchain.py
- for arch in x86 arm; do python $MAKE_TOOLCHAIN --arch $arch --api 19
-  --install-dir $NDK_STANDALONE/$arch; PATH=$PATH:$NDK_STANDALONE/$arch/bin; done
- for arch in x86_64 arm64; do python $MAKE_TOOLCHAIN --arch $arch --api 21
-  --install-dir $NDK_STANDALONE/$arch; PATH=$PATH:$NDK_STANDALONE/$arch/bin; done
- rm -rf $NDK_TOOLS
-env:
-  global:
-  - secure: cuTXb4v5NwTr1XmkiHGkFir8fMiiBMnraCrls3thdDRlSTix0CiQc/H5Vh8SHauuG6VwVyrCT/Xsf0UQUmnULkPHjvuiNehb+bG4J3fz7hF94glBdQ8vxTuMmnHfJEYTQRLwCsWMBEC1wekw13O8J/0opFNG5neduns3Z1/rD5VSlBwgc8/4lomEp0fadIvzLeS7f5mxeXAD5Z9KBmc09uCjxVoF9Qsk1r901B0c0RMxIbJWyW9ZhDIVr/aEUN/tU0EXMKOA85sizg2moAigb8RZ1WCTh7utLGKpAyQegNk/unkksKMzZFkUCwHkrxlujwoe93wUS4rvZ+3nHMtLQdR+OfMeVs4/zvvQVq2f3bOXgkxgvhq6Bop0RK0xyEJffa5hUFbGNKhIFkLFLn1Ok28t2q7NOFPr0H2egHlkwgPztyhYMYb9C5PW4zd9buI0LS5452C4jXH5raBMfx844wTzaBbN689AKiYb84Qesqczss/o7eC7V48kh823dlZ/s2//gtp1ceqdAtNvp4dy7X/ECA/vNlpYisrtkR/CsFpJjGoTvS37leVMpmc5bn39dkoa5ZLliu7CaFRefbavcWWEImVStll9FBQ6+Ck9+41gczl9Rr7eGIV9ZZ/fmdkLNgxIpoAhZRee/dZD+/0gUExHxXXn10MqPuNVytVPiuU=
--- a/424
+++ b/424
@ -1,4 +1,380 @@
-* Version 2.0.24
+# Version 2.1.5
+ - dnscrypt-proxy can be compiled with Go 1.21.0+
+ - Responses to blocked queries now include extended error codes
+ - Reliability of connections using HTTP/3 has been improved
+ - New configuration directive: `tls_key_log_file`. When defined, this
+is the path to a file where TLS secret keys will be written to, so
+that DoH traffic can be locally inspected.
+
+# Version 2.1.4
+ - Fixes a regression from version 2.1.3: when cloaking was enabled,
+blocked responses were returned for records that were not A/AAAA/PTR
+even for names that were not in the cloaked list.
+
+# Version 2.1.3
+ - DNS-over-HTTP/3 (QUIC) should be more reliable. In particular,
+version 2.1.2 required another (non-QUIC) resolver to be present for
+bootstrapping, or the resolver's IP address to be present in the
+stamp. This is not the case any more.
+ - dnscrypt-proxy is now compatible with Go 1.20+
+ - Commands (-check, -show-certs, -list, -list-all) now ignore log
+files and directly output the result to the standard output.
+ - The `cert_ignore_timestamp` configuration switch is now documented.
+It allows ignoring timestamps for DNSCrypt certificate verification,
+until a first server is available. This should only be used on devices
+that don't have any ways to set the clock before DNS service is up.
+However, a safer alternative remains to use an NTP server with a fixed
+IP address (such as time.google.com), configured in the captive portals
+file.
+ - Cloaking: when a name is cloaked, unsupported record types now
+return a blocked response rather than the actual records.
+ - systemd: report Ready earlier as dnscrypt-proxy can itself manage
+retries for updates/refreshes.
+
+# Version 2.1.2
+ - Support for DoH over HTTP/3 (DoH3, HTTP over QUIC) has been added.
+Compatible servers will automatically use it. Note that QUIC uses UDP
+(usually over port 443, like DNSCrypt) instead of TCP.
+ - In previous versions, memory usage kept growing due to channels not
+being properly closed, causing goroutines to pile up. This was fixed,
+resulting in an important reduction of memory usage. Thanks to
+@lifenjoiner for investigating and fixing this!
+ - DNS64: `CNAME` records are now translated like other responses.
+Thanks to @ignoramous for this!
+ - A relay whose name has been configured, but doesn't exist in the
+list of available relays is now a hard error. Thanks to @lifenjoiner!
+ - Mutexes/locking: bug fixes and improvements, by @ignoramous
+ - Official packages now include linux/riscv64 builds.
+ - `dnscrypt-proxy -resolve` now reports if ECS (EDNS-clientsubnet) is
+supported by the server.
+ - `dnscrypt-proxy -list` now includes ODoH (Oblivious DoH) servers.
+ - Local DoH: queries made using the `GET` method are now handled.
+ - The service can now be installed on OpenRC-based systems.
+ - `PTR` queries are now supported for cloaked domains. Contributed by
+Ian Bashford, thanks!
+
+# Version 2.1.1
+  This is a bugfix only release, addressing regressions introduced in
+version 2.1.0:
+ - When using DoH, cached responses were not served any more when
+experiencing connectivity issues. This has been fixed.
+ - Time attributes in allow/block lists were ignored. This has been
+fixed.
+ - The TTL as served to clients is now rounded and starts decreasing
+before the first query is received.
+ - Time-based rules are properly handled again in
+generate-domains-blocklist.
+ - DoH/ODoH: entries with an IP address and using a non-standard port
+used to require help from a bootstrap resolver. This is not the case
+any more.
+
+# Version 2.1.0
+ - `dnscrypt-proxy` now includes support for Oblivious DoH.
+ - If the proxy is overloaded, cached and synthetic queries now keep being
+served, while non-cached queries are delayed.
+ - A deprecation warning was added for `fallback_resolvers`.
+ - Source URLs are now randomized.
+ - On some platforms, redirecting the application log to a file was not
+compatible with user switching; this has been fixed.
+ - `fallback_resolvers` was renamed to `bootstrap_resolvers` for
+clarity. Please update your configuration file accordingly.
+
+# Version 2.0.45
+ - Configuration changes (to be required in versions 2.1.x):
+   * `[blacklist]` has been renamed to `[blocked_names]`
+   * `[ip_blacklist]` has been renamed to `[blocked_ips]`
+   * `[whitelist]` has been renamed to `[allowed_names]`
+   * `generate-domains-blacklist.py` has been renamed to
+     `generate-domains-blocklist.py`, and the configuration files have been
+     renamed as well.
+ - `dnscrypt-proxy -resolve` has been completely revamped, and now requires
+the configuration file to be accessible. It will send a query to an IP address
+of the `dnscrypt-proxy` server by default. Sending queries to arbitrary
+servers is also supported with the new `-resolve name,address` syntax.
+ - Relay lists can be set to `*` for automatic relay selection. When a wildcard
+is used, either for the list of servers or relays, the proxy ensures that
+relays and servers are on distinct networks.
+ - Lying resolvers are detected and reported.
+ - New return code: `NOT_READY` for queries received before the proxy has
+been initialized.
+ - Server lists can't be older than a week any more, even if directory
+permissions are incorrect and cache files cannot be written.
+ - macOS/arm64 is now officially supported.
+ - New feature: `allowed_ips`, to configure a set of IP addresses to
+never block no matter what DNS name resolves to them.
+ - Hard-coded IP addresses can be immediately returned for test queries
+sent by operating systems in order to check for connectivity and captive
+portals. Such responses can be sent even before an interface is considered
+as enabled by the operating system. This can be configured in a new section
+called `[captive_portals]`.
+ - On Linux, OpenBSD and FreeBSD, `listen_addresses` can now include IP
+addresses that haven't been assigned to an interface yet.
+ - The logo has been tweaked to look fine on a dark background.
+ - `generate-domains-blocklist.py`: regular expressions are now ignored in
+time-based entries.
+ - Minor bug fixes and logging improvements.
+ - Cloaking plugin: if an entry has multiple IP addresses for a type,
+all the IP addresses are now returned instead of a random one.
+ - Static entries can now include DNSCrypt relays.
+ - Name blocking: aliases relying on `SVCB` and `HTTPS` records can now
+be blocked in addition to aliases via regular `CNAME` records.
+ - EDNS-Client-Subnet information can be added to outgoing queries.
+Instead of sending the actual client IP, ECS information is user
+configurable, and IP addresses will be randomly chosen for every query.
+ - Initial DoH queries are now checked using random names in order to
+properly measure CDNs such as Tencent that ignore the padding.
+ - DoH: the `max-stale` cache control directive is now present in queries.
+ - Logs can now be sent to `/dev/stdout` instead of actual files.
+ - User switching is now supported on macOS.
+ - New download mirror (https://download.dnscrypt.net) for resolvers,
+relays and parental-control.
+
+ Thanks to the nice people who contributed to this release:
+
+ - Ian Bashford
+ - Will Elwood
+ - Alison Winters
+ - Krish De Souza
+ - @hugepants
+ - @IceCodeNew
+ - @lifenjoiner
+ - @mibere
+ - @jacob755
+ - @petercooperjr
+ - @yofiji
+
+# Version 2.0.44
+ - More updates to the set of block lists, thanks again to IceCodeNew.
+ - Netprobes and listening sockets are now ignored when the `-list`,
+`-list-all`, `-show-certs` or `-check` command-line switches are used.
+ - `tls_client_auth` was renamed to `doh_client_x509_auth`. A section
+with the previous name is temporarily ignored if empty, but will error
+out if not.
+ - Unit tests are now working on 32-bit systems. Thanks to Will Elwood
+and @lifenjoiner.
+
+# Version 2.0.43
+ - Built-in support for DNS64 translation has been implemented.
+(Contributed by Sergey Smirnov, thanks!)
+ - Connections to DoH servers can be authenticated using TLS client
+certificates (Contributed by Kevin O'Sullivan, thanks!)
+ - Multiple stamps are now allowed for a single server in resolvers
+and relays lists.
+ - Android: the time zone for log files is now set to the system
+time zone.
+ - Quite a lot of updates and additions have been made to the
+example domain block lists. Thanks to `IceCodeNew`!
+ - Cached configuration files can now be temporarily used if
+they are out of date, but bootstraping is impossible. Contributed by
+`lifenjoiner`, thanks!
+ - Precompiled macOS binaries are now notarized.
+ - `generate-domains-blacklists` now tries to deduplicate entries
+clobbered by wildcard rules. Thanks to `Huhni`!
+ - `generate-domains-blacklists` can now directly write lists to a
+file with the `-o` command-line option.
+ - cache files are now downloaded as the user the daemon will be running
+as. This fixes permission issues at startup time.
+ - Forwarded queries are now subject to global timeouts, and can be
+forced to use TCP.
+ - The `ct` parameter has been removed from DoH queries, as Google doesn't
+require it any more.
+ - Service installation is now supported on FreeBSD.
+ - When stored into a file, service logs now only contain data from the most
+recent launch. This can be changed with the new `log_file_latest` option.
+ - Breaking change: the `tls_client_auth` section was renamed to
+`doh_client_x509_auth`. If you had a tls_client_auth section in the
+configuration file, it needs to be updated.
+
+# Version 2.0.42
+ - The current versions of the `dnsdist` load balancer (presumably used
+by quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
+opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
+is preventing queries over 1500 bytes from being received over UDP.
+Temporary workarounds have been introduced to improve reliability
+with these resolvers for regular DNSCrypt. Unfortunately, anonymized
+DNS cannot be reliable until the issue is fixed server-side. `dnsdist`
+authors are aware of it and are working on a fix.
+ - New option in the `[anonymized_dns]` section: `skip_incompatible`,
+to ignore resolvers incompatible with Anonymized DNS instead of
+using them without a relay.
+ - The server latency benchmark is faster while being able to perform
+more retries if necessary.
+ - Continuous integration has been moved to GitHub Actions.
+
+# Version 2.0.41
+ - Precompiled ARM binaries are compatible with ARMv5 CPUs. The
+default arm builds were not compatible with older CPUs when compiled
+with Go 1.14. mips64 binaries are explicitly compiled with `softfloat`
+to improve compatibility.
+ - Quad9 seems to be only blocking fragmented queries over UDP for
+some networks. They have been removed from the default list of broken
+resolvers; runtime detection of support for fragments should now do
+the job.
+ - Runtime detection of support for fragments was actually enabled.
+
+# Version 2.0.40
+ - Servers blocking fragmented queries are now automatically detected.
+ - The server name is now only present in query logs when an actual
+upstream servers was required to resolve a query.
+ - TLS client authentication has been added for DoH.
+ - The Firefox plugin is now skipped for connections coming from the
+local DoH server.
+ - DoH RTT computation is now more accurate, especially when CDNs are
+in the middle.
+ - The forwarding plugin is now more reliable, and handles retries over
+ TCP.
+
+# Version 2.0.39
+ - The Firefox Local DoH service didn't properly work in version 2.0.38;
+this has been fixed. Thanks to Simon Brand for the report!
+
+# Version 2.0.38
+ - Entries from lists (forwarding, blacklists, whitelists) now support
+inline comments.
+ - Reliability improvement: queries over UDP are retried after a timeout
+instead of solely relying on the client.
+ - Reliability improvement: during temporary network outages, cached records
+are now served even if they are stale.
+ - Bug fix: SOCKS proxies and DNS relays can be combined.
+ - New feature: multiple fallback resolvers are now supported (see the
+new `fallback_resolvers` option. Note that `fallback_resolver` is
+still supported for backward compatibility).
+ - Windows: the service can be installed with a configuration file
+stored separately from the application.
+ - Security (affecting DoH): precompiled binaries of dnscrypt-proxy 2.0.37 are
+built using Go 1.13.7 that fixes a TLS certificate parsing issue present in
+previous versions of the compiler.
+
+# Version 2.0.36
+ - New option: `block_undelegated`. When enabled, `dnscrypt-proxy` will
+directly respond to queries for locally-served zones (https://sk.tl/2QqB971U)
+and nonexistent zones that should have been kept local, but are frequently
+leaked. This reduces latency and improves privacy.
+ - Conformance: the `DO` bit is now set in synthetic responses if it was
+set in a question, and the `AD` bit is cleared.
+ - The `miegkg/dns` module was updated to version 1.1.26, that fixes a
+security issue affecting non-encrypted/non-authenticated DNS traffic. In
+`dnscrypt-proxy`, this only affects the forwarding feature.
+
+# Version 2.0.35
+ - New option: `block_unqualified` to block `A`/`AAAA` queries with
+unqualified host names. These will very rarely get an answer from upstream
+resolvers, but can leak private information to these, as well as to root
+servers.
+ - When a `CNAME` pointer is blocked, the original query name is now logged
+along with the pointer. This makes it easier to know what the original
+query name, so it can be whitelisted, or what the pointer was, so it
+can be removed from the blacklist.
+
+# Version 2.0.34
+ - Blacklisted names are now also blocked if they appear in `CNAME`
+pointers.
+ - `dnscrypt-proxy` can now act as a local DoH *server*. Firefox can
+be configured to use it, so that ESNI can be enabled without bypassing
+your DNS proxy.
+
+# Version 2.0.33
+ - Fixes an issue that caused some valid queries to return `PARSE_ERROR`.
+
+# Version 2.0.32
+ - On certificate errors, the server name is now logged instead of the
+provider name, which is generally more useful.
+ - IP addresses for DoH servers that require DNS lookups are now cached
+for at least 12 hours.
+ - `ignore_system_dns` is now set to `true` by default.
+ - A workaround for a bug in Cisco servers has been implemented.
+ - A corrupted or incomplete resolvers list is now ignored, keeping the
+last good known cached list until the next update. In addition, logging was
+improved and unit tests were also added. Awesome contribution from William
+Elwood, thanks!
+ - On Windows, the network probe immediately returned instead of blocking
+if `netprobe_timeout` was set to `-1`. This has been fixed.
+ - Expired cached IP addresses now have a grace period, to avoid breaking the
+service if they temporarily can't be refreshed.
+ - On Windows, the service now returns immediately, solving a long-standing
+issue when initialization took more than 30 seconds ("The service did not
+respond to the start or control request in a timely fashion"). Fantastic
+work by Alison Winters, thanks!
+ - The `SERVER_ERROR` error code has been split into two new error codes:
+`NETWORK_ERROR` (self-explanatory) and `SERVFAIL` (a response was returned,
+but it includes a `SERVFAIL` error code).
+ - Responses are now always compressed.
+
+# Version 2.0.31
+ - This version fixes two regressions introduced in version 2.0.29:
+DoH server couldn't be reached over IPv6 any more, and the proxy
+couldn't be interrupted while servers were being benchmarked.
+
+# Version 2.0.30
+ - This version fixes a startup issue introduced in version 2.0.29,
+on systems for which the service cannot be automatically installed
+(such as OpenBSD and FreeBSD). Reported by @5ch17 and Vinícius Zavam,
+and fixed by Will Elwood, thanks!
+
+# Version 2.0.29
+ - Support for Anonymized DNS has been added!
+ - Wait before stopping, fixing an issue with Unbound (thanks to
+Vladimir Bauer)
+ - DNS stamps are now included in the -list-all -json ouptut
+ - The netprobe_timeout setting from the configuration file or
+command-line was ignored. This has been fixed.
+ - The TTL or cloaked entries can now be adjusted (thanks to Markus
+Linnala)
+ - Cached IP address from DoH servers now expire (thanks to Markus
+Linnala)
+ - DNSCrypt certificates can be fetched over Tor and SOCKS proxies
+ - Retries over TCP are faster
+ - Improved logging (thanks to Alison Winters)
+ - Ignore non-TXT records in certificate responses (thanks to Vladimir
+Bauer)
+ - A lot of internal cleanups, thanks to Markus Linnala.
+
+# Version 2.0.28
+ - Invalid server entries are now skipped instead of preventing a
+source from being used. Thanks to Alison Winters for the contribution!
+ - Truncated responses are immediately retried over TCP instead of
+waiting for the client to retry. This reduces the latency for large
+responses.
+ - Responses sent to the local network are assumed to support at least
+1252 bytes packets, and use optional information from EDNS up to 4096
+bytes. This also reduces latency.
+ - Logging improvements: servers are not logged for cached, synthetic
+and cloaked responses. And the forwarder is logged instead of the
+regular server for forwarded responses.
+
+# Version 2.0.27
+ - The X25519 implementation was changed from using the Go standard
+implementation to using Cloudflare's CIRCL library. Unfortunately,
+CIRCL appears to be broken on big-endian systems. That change has been
+reverted.
+ - All the dependencies have been updated.
+
+# Version 2.0.26
+ - A new plugin was added to prevent Firefox from bypassing the system
+DNS settings.
+ - New configuration parameter to set how to respond to blocked
+queries: `blocked_query_response`. Responses can now be empty record
+sets, REFUSED response codes, or predefined IPv4 and/or IPv6 addresses.
+ - The `refused_code_in_responses` and `blocked_query_response` options
+have been folded into a new `blocked_query_response` option.
+ - The fallback resolver is now accessed using TCP if `force_tcp` has
+been set to `true`.
+ - CPU usage when enabling DNSCrypt ephemeral keys has been reduced.
+ - New command-line option: `-show-certs` to print DoH certificate
+hashes.
+ - Solaris packages are now provided.
+ - DoH servers on a non-standard port, with stamps that don't include
+IP addresses, and without working system resolvers can now be properly
+bootstrapped.
+ - A new option, `query_meta`, is now available to add optional records
+to client queries.
+
+# Version 2.0.25
+ - The example IP address for network probes didn't work on Windows.
+The example configuration file has been updated and the fallback
+resolver IP is now used when no netprobe address has been configured.
+
+# Version 2.0.24
 - The query log now includes the time it took to complete the
 transaction, the name of the resolver that sent the response and if
 the response was served from the cache. Thanks to Ferdinand Holzer for
@ -20,7 +396,7 @@ Thanks to @inkblotadmirer for the report.
 - Resolvers are now tried in random order to avoid favoring the first
 ones at startup.

-* Version 2.0.23
+# Version 2.0.23
 - Binaries for FreeBSD/armv7 are now available.
 - .onion servers are now automatically ignored if Tor routing is not
 enabled.
@ -29,15 +405,15 @@ using proxies.
 - DNSCrypt communications are now automatically forced to using TCP
 when a SOCKS proxy has been set up.

-* Version 2.0.22
+# Version 2.0.22
 - The previous version had issues with the .org TLD when used in
 conjunction with dnsmasq. This has been fixed.

-* Version 2.0.21
+# Version 2.0.21
 - The change to run the Windows service as `NT AUTHORITY\NetworkService`
 has been reverted, as it was reported to break logging (Windows only).

-* Version 2.0.20
+# Version 2.0.20
 - Startup is now *way* faster, especially when using DoH servers.
 - A new action: `CLOAK` is logged when queries are being cloaked.
 - A cloaking rule can now map to multiple IPv4 and IPv6 addresses,
@ -51,7 +427,7 @@ generate-domains-blacklist.py script.
 script.
 - The Windows service is now installed as `NT AUTHORITY\NetworkService`.

-* Version 2.0.19
+# Version 2.0.19
 - The value for `netprobe_timeout` was read from the command-line, but
 not from the configuration file any more. This is a regression introduced
 in the previous version, that has been fixed.
@ -60,7 +436,7 @@ in the previous version, that has been fixed.
 queries with the POST method in order to work around badly configured
 proxies.

-* Version 2.0.18
+# Version 2.0.18
 - Official builds now support TLS 1.3.
 - The timeout for the initial connectivity check can now be set from
 the command line.
@ -69,7 +445,7 @@ the command line.
 - In addition to SOCKS, HTTP and HTTPS proxies are now supported for
 DoH servers.

-* Version 2.0.17
+# Version 2.0.17
 - Go >= 1.11 is now supported
 - The flipside is that Windows XP is not supported any more :(
 - When dropping privileges, there is no supervisor process any more.
@ -78,7 +454,7 @@ of flags and payload sizes. This is not the case any more.
 - DoH queries are smaller, since workarounds are not required any more
 after Google updated their implementation.

-* Version 2.0.16
+# Version 2.0.16
 - On Unix-like systems, the server can run as an unprivileged user,
 and the main process will automatically restart if an error occurs.
 - pledge() on OpenBSD.
@ -90,7 +466,7 @@ cloaking module for local development.
 - The proxy doesn't quit any more if new TCP connections cannot be
 created.

-* Version 2.0.15
+# Version 2.0.15
 - Support for proxies (HTTP/SOCKS) was added. All it takes to route
 all TCP queries to Tor is add `proxy = "socks5://127.0.0.1:9050"` to
 the configuration file.
@ -99,16 +475,16 @@ transaction.
 - Pre-built binaries for Linux are statically linked on all
 architectures.

-* Version 2.0.14
+# Version 2.0.14
 - Supports DNS-over-HTTPS draft 08.
 - Netprobes don't use port 0 by default, as this causes issues with
 Little Snitch and FreeBSD.

-* Version 2.0.13
+# Version 2.0.13
 - This version fixes a crash when using DoH for queries whose size
 were a multiple of the block size. Reported by @char101, thanks!

-* Version 2.0.12
+# Version 2.0.12
 - Further compatibility fixes for Alpine Linux/i386 and Android/i386
 have been made. Thanks to @aead for his help!
 - The proxy will now wait for network connectivity before starting.
@ -117,7 +493,7 @@ before the network is fully configured.
 - The IPv6 blocking module now returns synthetic SOA records to
 improve compatibility with downstream resolvers and stub resolvers.

-* Version 2.0.11
+# Version 2.0.11
 - This release fixes a long-standing bug that caused the proxy to
 block or crash when Position-Independent Executables were produced.
 This bug only showed up when compiled on (not for) Alpine Linux and
@ -125,13 +501,13 @@ Android, for some CPU architectures.
 - New configuration settings: cache_neg_min_ttl and
 cache_neg_max_ttl, to clamp the negative caching TTL.

-* Version 2.0.10
+# Version 2.0.10
 - This version fixes a crash when an incomplete size is sent by a
 local client for a query over TCP.
 - Slight performance improvement of DNSCrypt on non-Intel CPUs such
 as Raspberry Pi.

-* Version 2.0.9
+# Version 2.0.9
 - Whitelists have been implemented: one a name matches a pattern in
 the whitelist, rules from the name-based and IP-based blacklists will
 be bypassed. Whitelists support the same patterns as blacklists, as
@ -157,7 +533,7 @@ especially on Mips and ARM systems.
 - The ephemeral keys mode of dnscrypt-proxy v1.x was reimplemented: this
 creates a new unique key for every single query.

-* Version 2.0.8
+# Version 2.0.8
 - Multiple URLs can be defined for a source in order to improve
 resiliency when servers are temporarily unreachable.
 - Connections over IPv6 will be preferred over IPv4 for DoH servers
@ -171,41 +547,41 @@ Android/x86.
 - `dnscrypt-proxy -list -json` and `-list-all -json` now include the
 remove servers names and IP addresses.

-* Version 2.0.7
+# Version 2.0.7
 - Bug fix: optional ports were not properly parsed with IPv6
 addresses -- thanks to @bleeee for the report and fix.
 - Bug fix: truncate TCP queries to the prefixed length.
 - Certificates are force-refreshed after a time jump (e.g. when a
 system resumes from hibernation).

-* Version 2.0.6
+# Version 2.0.6
 - Automatic log files rotation was finally implemented.
 - A new -pidfile command-line option to write the PID file was added.

-* Version 2.0.5
+# Version 2.0.5
 - Fixes a crash occasionally happening when using DoH servers, with
 stamps not containing any IP addresses, a DNSSEC-signed name, a
 non-working system DNS configuration, and a fallback server supporting
 DNSSEC.

-* Version 2.0.4
+# Version 2.0.4
 - Fixes a regression with truncated packets. Thanks to @mazesy and
@the-w1nd for spotting a case triggering this!

-* Version 2.0.3
+# Version 2.0.3
 - Load balancing: resolvers that respond promptly, but with bogus
 responses are now gradually removed from the preferred pool.
 - Due to popular request, Android binaries are now available! Thanks
 to @sporif for his help on getting these built.
 - Binaries are built using Go 1.10-final.

-* Version 2.0.2
+# Version 2.0.2
 - Properly error out on FreeBSD and other platforms where built-in
 service installation is not supported yet.
 - Improved load-balancing algorithm, which should result in lower
 latency.

-* Version 2.0.1
+# Version 2.0.1
 - Cached source data were not redownloaded if the proxy was used
 without interruption. This has been fixed.
 - If the network is down at startup time, fall back to cached source
--- a/33
+++ b/33
@ -1,18 +1,15 @@
-/*
- * ISC License
- *
- * Copyright (c) 2018
- * Frank Denis <j at pureftpd dot org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
+ISC License
+
+Copyright (c) 2018-2023, Frank Denis <j at pureftpd dot org>
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
--- a/README.md
+++ b/README.md
@ -1,26 +1,32 @@
-# ![dnscrypt-proxy 2](https://raw.github.com/jedisct1/dnscrypt-proxy/master/logo.png?3)
+# ![dnscrypt-proxy 2](https://raw.github.com/dnscrypt/dnscrypt-proxy/master/logo.png?3)

-[![DNSCrypt-Proxy Release](https://img.shields.io/github/release/jedisct1/dnscrypt-proxy.svg?label=Latest%20Release&style=popout)](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)  [![Build Status](https://travis-ci.org/jedisct1/dnscrypt-proxy.svg?branch=master)](https://travis-ci.org/jedisct1/dnscrypt-proxy?branch=master) [![#dnscrypt-proxy:matrix.org](https://img.shields.io/matrix/dnscrypt-proxy:matrix.org.svg?label=DNSCrypt-Proxy%20Matrix%20Chat&server_fqdn=matrix.org&style=popout)](https://matrix.to/#/#dnscrypt-proxy:matrix.org)
+[![Financial Contributors on Open Collective](https://opencollective.com/dnscrypt/all/badge.svg?label=financial+contributors)](https://opencollective.com/dnscrypt)
+[![DNSCrypt-Proxy Release](https://img.shields.io/github/release/dnscrypt/dnscrypt-proxy.svg?label=Latest%20Release&style=popout)](https://github.com/dnscrypt/dnscrypt-proxy/releases/latest)
+[![Build Status](https://github.com/DNSCrypt/dnscrypt-proxy/actions/workflows/releases.yml/badge.svg)](https://github.com/DNSCrypt/dnscrypt-proxy/actions/workflows/releases.yml)
+![CodeQL scan](https://github.com/DNSCrypt/dnscrypt-proxy/workflows/CodeQL%20scan/badge.svg)
+![ShiftLeft Scan](https://github.com/DNSCrypt/dnscrypt-proxy/workflows/ShiftLeft%20Scan/badge.svg)
+[![#dnscrypt-proxy:matrix.org](https://img.shields.io/matrix/dnscrypt-proxy:matrix.org.svg?label=DNSCrypt-Proxy%20Matrix%20Chat&server_fqdn=matrix.org&style=popout)](https://matrix.to/#/#dnscrypt-proxy:matrix.org)

 ## Overview

-A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol) and [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt).
+A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol), [DNS-over-HTTPS](https://www.rfc-editor.org/rfc/rfc8484.txt), [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) and [ODoH (Oblivious DoH)](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-servers.md).

-* [dnscrypt-proxy documentation](https://dnscrypt.info/doc) – This project's documentation (Wiki)
+* **[dnscrypt-proxy documentation](https://dnscrypt.info/doc) ← Start here**
 * [DNSCrypt project home page](https://dnscrypt.info/)
+* [Discussions](https://github.com/DNSCrypt/dnscrypt-proxy/discussions)
 * [DNS-over-HTTPS and DNSCrypt resolvers](https://dnscrypt.info/public-servers)
 * [Server and client implementations](https://dnscrypt.info/implementations)
 * [DNS stamps](https://dnscrypt.info/stamps)
 * [FAQ](https://dnscrypt.info/faq)

-## [Download the latest release](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
+## [Download the latest release](https://github.com/dnscrypt/dnscrypt-proxy/releases/latest)

-Available as source code and pre-built binaries for most operating
-systems and architectures (see below).
+Available as source code and pre-built binaries for most operating systems and architectures (see below).

 ## Features

-* DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3, and DNSCrypt.
+* DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3 and QUIC, DNSCrypt, Anonymized DNS and ODoH
+* Client IP addresses can be hidden using Tor, SOCKS proxies or Anonymized DNS relays
 * DNS query monitoring, with separate log files for regular and suspicious queries
 * Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
 * Time-based filtering, with a flexible weekly schedule
@ -28,11 +34,11 @@ systems and architectures (see below).
 * DNS caching, to reduce latency and improve privacy
 * Local IPv6 blocking to reduce latency on IPv4-only networks
 * Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
-* Cloaking: like a `HOSTS` file on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo and Bing.
+* Cloaking: like a `HOSTS` file on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo, DuckDuckGo and Bing
 * Automatic background updates of resolvers lists
 * Can force outgoing connections to use TCP
-* Supports SOCKS proxies
 * Compatible with DNSSEC
+* Includes a local DoH server in order to support ECH (ESNI)

 ## Pre-built binaries

@ -54,7 +60,8 @@ Up-to-date, pre-built binaries are available for:
 * Linux/mips64le
 * Linux/x86
 * Linux/x86_64
-* MacOS X
+* macOS/arm64
+* macOS/x86_64
 * NetBSD/x86
 * NetBSD/x86_64
 * OpenBSD/x86
@ -62,4 +69,34 @@ Up-to-date, pre-built binaries are available for:
 * Windows
 * Windows 64 bit

-How to use these files, as well as how to verify their signatures, are documented in the [installation instructions](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation).
+How to use these files, as well as how to verify their signatures, are documented in the [installation instructions](https://github.com/dnscrypt/dnscrypt-proxy/wiki/installation).
+
+## Contributors
+
+### Code Contributors
+
+This project exists thanks to all the people who contribute.
+<a href="https://github.com/dnscrypt/dnscrypt-proxy/graphs/contributors"><img src="https://opencollective.com/dnscrypt/contributors.svg?width=890&button=false" /></a>
+
+### Financial Contributors
+
+Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/dnscrypt/contribute)]
+
+#### Individuals
+
+<a href="https://opencollective.com/dnscrypt"><img src="https://opencollective.com/dnscrypt/individuals.svg?width=890"></a>
+
+#### Organizations
+
+Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/dnscrypt/contribute)]
+
+<a href="https://opencollective.com/dnscrypt/organization/0/website"><img src="https://opencollective.com/dnscrypt/organization/0/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/1/website"><img src="https://opencollective.com/dnscrypt/organization/1/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/2/website"><img src="https://opencollective.com/dnscrypt/organization/2/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/3/website"><img src="https://opencollective.com/dnscrypt/organization/3/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/4/website"><img src="https://opencollective.com/dnscrypt/organization/4/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/5/website"><img src="https://opencollective.com/dnscrypt/organization/5/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/6/website"><img src="https://opencollective.com/dnscrypt/organization/6/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/7/website"><img src="https://opencollective.com/dnscrypt/organization/7/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/8/website"><img src="https://opencollective.com/dnscrypt/organization/8/avatar.svg"></a>
+<a href="https://opencollective.com/dnscrypt/organization/9/website"><img src="https://opencollective.com/dnscrypt/organization/9/avatar.svg"></a>
--- a/contrib/msi/Dockerfile
+++ b/contrib/msi/Dockerfile
@ -0,0 +1,21 @@
+FROM ubuntu:latest
+MAINTAINER dnscrypt-authors
+
+RUN apt-get update && \
+    apt-get install -y wget wine dotnet-sdk-6.0 && \
+    dpkg --add-architecture i386 && apt-get update && apt-get install -y wine32
+
+
+ENV WINEPREFIX=/root/.wine32 WINEARCH=win32 WINEDEBUG=-all
+
+RUN wget https://dl.winehq.org/wine/wine-mono/8.1.0/wine-mono-8.1.0-x86.msi && \
+    WINEPREFIX="$HOME/.wine32" WINEARCH=win32 wineboot --init && \
+    WINEPREFIX="$HOME/.wine32" WINEARCH=win32 wine msiexec /i wine-mono-8.1.0-x86.msi && \
+    mkdir $WINEPREFIX/drive_c/temp && \
+    apt-get install -y unzip && \
+    wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip && \
+    unzip wix.zip -d /wix && \
+    rm -f wix.zip
+
+WORKDIR /wix
+
--- a/contrib/msi/README.md
+++ b/contrib/msi/README.md
@ -0,0 +1,13 @@
+# Scripts and utilities related to building an .msi (Microsoft Standard Installer) file.
+
+## Docker test image for building an MSI locally
+
+```sh
+docker build . -f Dockerfile -t ubuntu:dnscrypt-msi
+```
+
+## Test building msi files for intel win32 & win64
+
+```sh
+./build.sh
+```
--- a/contrib/msi/build.sh
+++ b/contrib/msi/build.sh
@ -0,0 +1,30 @@
+#! /bin/sh
+
+version=0.0.0
+gitver=$(git describe --tags --always --match="[0-9]*.[0-9]*.[0-9]*" --exclude='*[^0-9.]*')
+if [ "$gitver" != "" ]; then
+  version=$gitver
+fi
+
+# build the image by running: docker build . -f Dockerfile -t ubuntu:dnscrypt-msi
+if [ "$(docker image list -q ubuntu:dnscrypt-msi)" = "" ]; then
+  docker build . -f Dockerfile -t ubuntu:dnscrypt-msi
+fi
+
+image=ubuntu:dnscrypt-msi
+
+for arch in x64 x86; do
+  binpath="win32"
+  if [ "$arch" = "x64" ]; then
+    binpath="win64"
+  fi
+  src=$(
+    cd ../../dnscrypt-proxy/$binpath || exit
+    pwd
+  )
+  echo "$src"
+
+  docker run --rm -v "$(pwd)":/wixproj -v "$src":/src $image wine candle.exe -dVersion="$version" -dPlatform=$arch -dPath=\\src -arch $arch \\wixproj\\dnscrypt.wxs -out \\wixproj\\dnscrypt-$arch.wixobj
+  docker run --rm -v "$(pwd)":/wixproj -v "$src":/src $image wine light.exe -out \\wixproj\\dnscrypt-proxy-$arch-"$version".msi \\wixproj\\dnscrypt-$arch.wixobj -sval
+
+done
--- a/contrib/msi/dnscrypt.wxs
+++ b/contrib/msi/dnscrypt.wxs
@ -0,0 +1,60 @@
+<?xml version="1.0"?>
+
+<?if $(var.Platform)="x64" ?>
+    <?define Program_Files="ProgramFiles64Folder"?>
+<?else ?>
+    <?define Program_Files="ProgramFilesFolder"?>
+<?endif ?>
+<?ifndef var.Version?>
+    <?error Undefined Version variable?>
+<?endif ?>
+<?ifndef var.Path?>
+    <?error Undefined Path variable?>
+<?endif ?>
+
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+    <Product Id="*"
+        UpgradeCode="fbf99dd8-c21e-4f9b-a632-de53bb64c45e"
+        Name="dnscrypt-proxy"
+        Version="$(var.Version)"
+        Manufacturer="DNSCrypt"
+        Language="1033">
+
+        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
+        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
+        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
+
+        <Upgrade Id="fbf99dd8-c21e-4f9b-a632-de53bb64c45e">
+            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
+            <UpgradeVersion Minimum="2.1.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no" Property="OLDERVERSIONBEINGUPGRADED" />
+        </Upgrade>
+        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
+
+        <Directory Id="TARGETDIR" Name="SourceDir">
+            <Directory Id="$(var.Program_Files)">
+                <Directory Id="INSTALLDIR" Name="DNSCrypt">
+                    <Component Id="ApplicationFiles" Guid="7d693c0b-71d8-436a-9c84-60a11dc74092">
+                        <File Id="dnscryptproxy.exe" KeyPath="yes" Source="$(var.Path)\dnscrypt-proxy.exe" DiskId="1"/>
+                        <File Source="$(var.Path)\LICENSE"></File>
+                        <File Source="$(var.Path)\service-install.bat"></File>
+                        <File Source="$(var.Path)\service-restart.bat"></File>
+                        <File Source="$(var.Path)\service-uninstall.bat"></File>
+                        <File Source="$(var.Path)\example-dnscrypt-proxy.toml"></File>
+                    </Component>
+                    <Component Id="ConfigInstall" Guid="db7b691e-f7c7-4c9a-92e1-c6f21ce6430f" KeyPath="yes">
+                        <Condition><![CDATA[CONFIGFILE]]></Condition>
+                        <CopyFile Id="dnscryptproxytoml" DestinationDirectory="INSTALLDIR" DestinationName="dnscrypt-proxy.toml" SourceProperty="CONFIGFILE">
+                        </CopyFile>
+                        <RemoveFile Id="RemoveConfig" Directory="INSTALLDIR" Name="dnscrypt-proxy.toml" On="uninstall" />
+                    </Component>
+                </Directory>
+            </Directory>
+        </Directory>
+
+        <Feature Id="Complete" Level="1">
+            <ComponentRef Id="ApplicationFiles" />
+            <ComponentRef Id="ConfigInstall" />
+        </Feature>
+
+    </Product>
+</Wix>
--- a/dnscrypt-proxy/coldstart.go
+++ b/dnscrypt-proxy/coldstart.go
@ -0,0 +1,203 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type CaptivePortalEntryIPs []net.IP
+
+type CaptivePortalMap map[string]CaptivePortalEntryIPs
+
+type CaptivePortalHandler struct {
+	wg            sync.WaitGroup
+	cancelChannel chan struct{}
+}
+
+func (captivePortalHandler *CaptivePortalHandler) Stop() {
+	close(captivePortalHandler.cancelChannel)
+	captivePortalHandler.wg.Wait()
+}
+
+func (ipsMap *CaptivePortalMap) GetEntry(msg *dns.Msg) (*dns.Question, *CaptivePortalEntryIPs) {
+	if len(msg.Question) != 1 {
+		return nil, nil
+	}
+	question := &msg.Question[0]
+	name, err := NormalizeQName(question.Name)
+	if err != nil {
+		return nil, nil
+	}
+	ips, ok := (*ipsMap)[name]
+	if !ok {
+		return nil, nil
+	}
+	if question.Qclass != dns.ClassINET {
+		return nil, nil
+	}
+	return question, &ips
+}
+
+func HandleCaptivePortalQuery(msg *dns.Msg, question *dns.Question, ips *CaptivePortalEntryIPs) *dns.Msg {
+	respMsg := EmptyResponseFromMessage(msg)
+	ttl := uint32(1)
+	if question.Qtype == dns.TypeA {
+		for _, xip := range *ips {
+			if ip := xip.To4(); ip != nil {
+				rr := new(dns.A)
+				rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: ttl}
+				rr.A = ip
+				respMsg.Answer = append(respMsg.Answer, rr)
+			}
+		}
+	} else if question.Qtype == dns.TypeAAAA {
+		for _, xip := range *ips {
+			if xip.To4() == nil {
+				if ip := xip.To16(); ip != nil {
+					rr := new(dns.AAAA)
+					rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
+					rr.AAAA = ip
+					respMsg.Answer = append(respMsg.Answer, rr)
+				}
+			}
+		}
+	}
+
+	qType, ok := dns.TypeToString[question.Qtype]
+	if !ok {
+		qType = fmt.Sprint(question.Qtype)
+	}
+	dlog.Infof("Query for captive portal detection: [%v] (%v)", question.Name, qType)
+	return respMsg
+}
+
+func handleColdStartClient(clientPc *net.UDPConn, cancelChannel chan struct{}, ipsMap *CaptivePortalMap) bool {
+	buffer := make([]byte, MaxDNSPacketSize-1)
+	clientPc.SetDeadline(time.Now().Add(time.Duration(1) * time.Second))
+	length, clientAddr, err := clientPc.ReadFrom(buffer)
+	exit := false
+	select {
+	case <-cancelChannel:
+		exit = true
+	default:
+	}
+	if exit {
+		return true
+	}
+	if neterr, ok := err.(net.Error); ok && neterr.Timeout() {
+		return false
+	}
+	if err != nil {
+		dlog.Warn(err)
+		return true
+	}
+	packet := buffer[:length]
+	msg := &dns.Msg{}
+	if err := msg.Unpack(packet); err != nil {
+		return false
+	}
+	question, ips := ipsMap.GetEntry(msg)
+	if ips == nil {
+		return false
+	}
+	respMsg := HandleCaptivePortalQuery(msg, question, ips)
+	if respMsg == nil {
+		return false
+	}
+	if response, err := respMsg.Pack(); err == nil {
+		clientPc.WriteTo(response, clientAddr)
+	}
+	return false
+}
+
+func addColdStartListener(
+	ipsMap *CaptivePortalMap,
+	listenAddrStr string,
+	captivePortalHandler *CaptivePortalHandler,
+) error {
+	network := "udp"
+	isIPv4 := isDigit(listenAddrStr[0])
+	if isIPv4 {
+		network = "udp4"
+	}
+	listenUDPAddr, err := net.ResolveUDPAddr(network, listenAddrStr)
+	if err != nil {
+		return err
+	}
+	clientPc, err := net.ListenUDP(network, listenUDPAddr)
+	if err != nil {
+		return err
+	}
+	captivePortalHandler.wg.Add(1)
+	go func() {
+		for !handleColdStartClient(clientPc, captivePortalHandler.cancelChannel, ipsMap) {
+		}
+		clientPc.Close()
+		captivePortalHandler.wg.Done()
+	}()
+	return nil
+}
+
+func ColdStart(proxy *Proxy) (*CaptivePortalHandler, error) {
+	if len(proxy.captivePortalMapFile) == 0 {
+		return nil, nil
+	}
+	lines, err := ReadTextFile(proxy.captivePortalMapFile)
+	if err != nil {
+		dlog.Warn(err)
+		return nil, err
+	}
+	ipsMap := make(CaptivePortalMap)
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
+			continue
+		}
+		name, ipsStr, ok := StringTwoFields(line)
+		if !ok {
+			return nil, fmt.Errorf(
+				"Syntax error for a captive portal rule at line %d",
+				1+lineNo,
+			)
+		}
+		name, err = NormalizeQName(name)
+		if err != nil {
+			continue
+		}
+		var ips []net.IP
+		for _, ip := range strings.Split(ipsStr, ",") {
+			ipStr := strings.TrimSpace(ip)
+			if ip := net.ParseIP(ipStr); ip != nil {
+				ips = append(ips, ip)
+			} else {
+				return nil, fmt.Errorf(
+					"Syntax error for a captive portal rule at line %d",
+					1+lineNo,
+				)
+			}
+		}
+		ipsMap[name] = ips
+	}
+	listenAddrStrs := proxy.listenAddresses
+	captivePortalHandler := CaptivePortalHandler{
+		cancelChannel: make(chan struct{}),
+	}
+	ok := false
+	for _, listenAddrStr := range listenAddrStrs {
+		err = addColdStartListener(&ipsMap, listenAddrStr, &captivePortalHandler)
+		if err == nil {
+			ok = true
+		}
+	}
+	if ok {
+		err = nil
+	}
+	proxy.captivePortalMap = &ipsMap
+	return &captivePortalHandler, err
+}
--- a/dnscrypt-proxy/common.go
+++ b/dnscrypt-proxy/common.go
@ -4,14 +4,14 @@ import (
 	"bytes"
 	"encoding/binary"
 	"errors"
-	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
-	"runtime"
+	"path"
 	"strconv"
 	"strings"
 	"unicode"
+
+	"github.com/jedisct1/dlog"
 )

 type CryptoConstruction uint16
@ -27,21 +27,26 @@ const (
 )

 const (
-	MaxHTTPBodyLength = 4000000
+	MaxHTTPBodyLength = 1000000
 )

 var (
-	CertMagic              = [4]byte{0x44, 0x4e, 0x53, 0x43}
-	ServerMagic            = [8]byte{0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38}
-	MinDNSPacketSize       = 12 + 5
-	MaxDNSPacketSize       = 4096
-	MaxDNSUDPPacketSize    = 1252
-	InitialMinQuestionSize = 256
+	CertMagic               = [4]byte{0x44, 0x4e, 0x53, 0x43}
+	ServerMagic             = [8]byte{0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38}
+	MinDNSPacketSize        = 12 + 5
+	MaxDNSPacketSize        = 4096
+	MaxDNSUDPPacketSize     = 4096
+	MaxDNSUDPSafePacketSize = 1252
+	InitialMinQuestionSize  = 512
 )

 var (
 	FileDescriptors   = make([]*os.File, 0)
-	FileDescriptorNum = 0
+	FileDescriptorNum = uintptr(0)
+)
+
+const (
+	InheritedDescriptorsBase = uintptr(50)
 )

 func PrefixWithSize(packet []byte) ([]byte, error) {
@ -93,20 +98,6 @@ func Max(a, b int) int {
 	return b
 }

-func MinF(a, b float64) float64 {
-	if a < b {
-		return a
-	}
-	return b
-}
-
-func MaxF(a, b float64) float64 {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 func StringReverse(s string) string {
 	r := []rune(s)
 	for i, j := 0, len(r)-1; i < len(r)/2; i, j = i+1, j-1 {
@ -123,7 +114,7 @@ func StringTwoFields(str string) (string, string, bool) {
 	if pos == -1 {
 		return "", "", false
 	}
-	a, b := strings.TrimFunc(str[:pos], unicode.IsSpace), strings.TrimFunc(str[pos+1:], unicode.IsSpace)
+	a, b := strings.TrimSpace(str[:pos]), strings.TrimSpace(str[pos+1:])
 	if len(a) == 0 || len(b) == 0 {
 		return a, b, false
 	}
@ -135,23 +126,25 @@ func StringQuote(str string) string {
 	return str[1 : len(str)-1]
 }

-func ExtractPort(str string, defaultPort int) int {
-	port := defaultPort
-	if idx := strings.LastIndex(str, ":"); idx >= 0 && idx < len(str)-1 {
-		if portX, err := strconv.Atoi(str[idx+1:]); err == nil {
-			port = portX
+func StringStripSpaces(str string) string {
+	return strings.Map(func(r rune) rune {
+		if unicode.IsSpace(r) {
+			return -1
 		}
-	}
-	return port
+		return r
+	}, str)
 }

-func ExtractHost(str string) string {
-	if idx := strings.LastIndex(str, ":"); idx >= 0 && idx < len(str)-1 {
-		if _, err := strconv.Atoi(str[idx+1:]); err == nil {
-			str = str[:idx]
+func TrimAndStripInlineComments(str string) string {
+	if idx := strings.LastIndexByte(str, '#'); idx >= 0 {
+		if idx == 0 || str[0] == '#' {
+			return ""
+		}
+		if prev := str[idx-1]; prev == ' ' || prev == '\t' {
+			str = str[:idx-1]
 		}
 	}
-	return str
+	return strings.TrimSpace(str)
 }

 func ExtractHostAndPort(str string, defaultPort int) (host string, port int) {
@ -164,20 +157,41 @@ func ExtractHostAndPort(str string, defaultPort int) (host string, port int) {
 	return
 }

-func MemUsage() {
-	var m runtime.MemStats
-	runtime.ReadMemStats(&m)
-	fmt.Printf("Alloc = %v MiB", m.Alloc/1024/1024)
-	fmt.Printf("\tTotalAlloc = %v MiB", m.TotalAlloc/1024/1024)
-	fmt.Printf("\tSys = %v MiB", m.Sys/1024/1024)
-	fmt.Printf("\tNumGC = %v\n", m.NumGC)
-}
-
 func ReadTextFile(filename string) (string, error) {
-	bin, err := ioutil.ReadFile(filename)
+	bin, err := os.ReadFile(filename)
 	if err != nil {
 		return "", err
 	}
 	bin = bytes.TrimPrefix(bin, []byte{0xef, 0xbb, 0xbf})
 	return string(bin), nil
 }
+
+func isDigit(b byte) bool { return b >= '0' && b <= '9' }
+
+func maybeWritableByOtherUsers(p string) (bool, string, error) {
+	p = path.Clean(p)
+	for p != "/" && p != "." {
+		st, err := os.Stat(p)
+		if err != nil {
+			return false, p, err
+		}
+		mode := st.Mode()
+		if mode.Perm()&2 != 0 && !(st.IsDir() && mode&os.ModeSticky == os.ModeSticky) {
+			return true, p, nil
+		}
+		p = path.Dir(p)
+	}
+	return false, "", nil
+}
+
+func WarnIfMaybeWritableByOtherUsers(p string) {
+	if ok, px, err := maybeWritableByOtherUsers(p); ok {
+		if px == p {
+			dlog.Criticalf("[%s] is writable by other system users - If this is not intentional, it is recommended to fix the access permissions", p)
+		} else {
+			dlog.Warnf("[%s] can be modified by other system users because [%s] is writable by other users - If this is not intentional, it is recommended to fix the access permissions", p, px)
+		}
+	} else if err != nil {
+		dlog.Warnf("Error while checking if [%s] is accessible: [%s] : [%s]", p, px, err)
+	}
+}
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
--- a/dnscrypt-proxy/crypto.go
+++ b/dnscrypt-proxy/crypto.go
@ -5,7 +5,6 @@ import (
 	crypto_rand "crypto/rand"
 	"crypto/sha512"
 	"errors"
-	"math/rand"

 	"github.com/jedisct1/dlog"
 	"github.com/jedisct1/xsecretbox"
@ -45,22 +44,43 @@ func unpad(packet []byte) ([]byte, error) {
 	}
 }

-func ComputeSharedKey(cryptoConstruction CryptoConstruction, secretKey *[32]byte, serverPk *[32]byte, providerName *string) (sharedKey [32]byte) {
+func ComputeSharedKey(
+	cryptoConstruction CryptoConstruction,
+	secretKey *[32]byte,
+	serverPk *[32]byte,
+	providerName *string,
+) (sharedKey [32]byte) {
 	if cryptoConstruction == XChacha20Poly1305 {
 		var err error
 		sharedKey, err = xsecretbox.SharedKey(*secretKey, *serverPk)
 		if err != nil {
-			dlog.Criticalf("[%v] Weak public key", providerName)
+			dlog.Criticalf("[%v] Weak XChaCha20 public key", providerName)
 		}
 	} else {
 		box.Precompute(&sharedKey, serverPk, secretKey)
+		c := byte(0)
+		for i := 0; i < 32; i++ {
+			c |= sharedKey[i]
+		}
+		if c == 0 {
+			dlog.Criticalf("[%v] Weak XSalsa20 public key", providerName)
+			if _, err := crypto_rand.Read(sharedKey[:]); err != nil {
+				dlog.Fatal(err)
+			}
+		}
 	}
 	return
 }

-func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string) (sharedKey *[32]byte, encrypted []byte, clientNonce []byte, err error) {
+func (proxy *Proxy) Encrypt(
+	serverInfo *ServerInfo,
+	packet []byte,
+	proto string,
+) (sharedKey *[32]byte, encrypted []byte, clientNonce []byte, err error) {
 	nonce, clientNonce := make([]byte, NonceSize), make([]byte, HalfNonceSize)
-	crypto_rand.Read(clientNonce)
+	if _, err := crypto_rand.Read(clientNonce); err != nil {
+		return nil, nil, nil, err
+	}
 	copy(nonce, clientNonce)
 	var publicKey *[PublicKeySize]byte
 	if proxy.ephemeralKeys {
@ -83,10 +103,17 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
 		minQuestionSize = Max(proxy.questionSizeEstimator.MinQuestionSize(), minQuestionSize)
 	} else {
 		var xpad [1]byte
-		rand.Read(xpad[:])
+		if _, err := crypto_rand.Read(xpad[:]); err != nil {
+			return nil, nil, nil, err
+		}
 		minQuestionSize += int(xpad[0])
 	}
-	paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+63) & ^63)
+	paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+1+63) & ^63)
+	if serverInfo.knownBugs.fragmentsBlocked && proto == "udp" {
+		paddedLength = MaxDNSUDPSafePacketSize
+	} else if serverInfo.Relay != nil && proto == "tcp" {
+		paddedLength = MaxDNSPacketSize
+	}
 	if QueryOverhead+len(packet)+1 > paddedLength {
 		err = errors.New("Question too large; cannot be padded")
 		return
@ -104,7 +131,12 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
 	return
 }

-func (proxy *Proxy) Decrypt(serverInfo *ServerInfo, sharedKey *[32]byte, encrypted []byte, nonce []byte) ([]byte, error) {
+func (proxy *Proxy) Decrypt(
+	serverInfo *ServerInfo,
+	sharedKey *[32]byte,
+	encrypted []byte,
+	nonce []byte,
+) ([]byte, error) {
 	serverMagicLen := len(ServerMagic)
 	responseHeaderLen := serverMagicLen + NonceSize
 	if len(encrypted) < responseHeaderLen+TagSize+int(MinDNSPacketSize) ||
--- a/dnscrypt-proxy/dnscrypt_certs.go
+++ b/dnscrypt-proxy/dnscrypt_certs.go
@ -20,40 +20,76 @@ type CertInfo struct {
 	ForwardSecurity    bool
 }

-func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk ed25519.PublicKey, serverAddress string, providerName string, isNew bool) (CertInfo, int, error) {
+func FetchCurrentDNSCryptCert(
+	proxy *Proxy,
+	serverName *string,
+	proto string,
+	pk ed25519.PublicKey,
+	serverAddress string,
+	providerName string,
+	isNew bool,
+	relay *DNSCryptRelay,
+	knownBugs ServerBugs,
+) (CertInfo, int, bool, error) {
 	if len(pk) != ed25519.PublicKeySize {
-		return CertInfo{}, 0, errors.New("Invalid public key length")
+		return CertInfo{}, 0, false, errors.New("Invalid public key length")
 	}
 	if !strings.HasSuffix(providerName, ".") {
-		providerName = providerName + "."
+		providerName += "."
 	}
 	if serverName == nil {
 		serverName = &providerName
 	}
-	query := new(dns.Msg)
+	query := dns.Msg{}
 	query.SetQuestion(providerName, dns.TypeTXT)
-	client := dns.Client{Net: proto, UDPSize: uint16(MaxDNSUDPPacketSize)}
-	in, rtt, err := client.Exchange(query, serverAddress)
+	if !strings.HasPrefix(providerName, "2.dnscrypt-cert.") {
+		if relay != nil && !proxy.anonDirectCertFallback {
+			dlog.Warnf(
+				"[%v] uses a non-standard provider name, enable direct cert fallback to use with a relay ('%v' doesn't start with '2.dnscrypt-cert.')",
+				*serverName,
+				providerName,
+			)
+		} else {
+			dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
+			relay = nil
+		}
+	}
+	tryFragmentsSupport := true
+	if knownBugs.fragmentsBlocked {
+		tryFragmentsSupport = false
+	}
+	in, rtt, fragmentsBlocked, err := DNSExchange(
+		proxy,
+		proto,
+		&query,
+		serverAddress,
+		relay,
+		serverName,
+		tryFragmentsSupport,
+	)
 	if err != nil {
 		dlog.Noticef("[%s] TIMEOUT", *serverName)
-		return CertInfo{}, 0, err
+		return CertInfo{}, 0, fragmentsBlocked, err
 	}
 	now := uint32(time.Now().Unix())
 	certInfo := CertInfo{CryptoConstruction: UndefinedConstruction}
 	highestSerial := uint32(0)
 	var certCountStr string
 	for _, answerRr := range in.Answer {
-		binCert, err := packTxtString(strings.Join(answerRr.(*dns.TXT).Txt, ""))
-		if err != nil {
-			dlog.Warnf("[%v] Unable to unpack the certificate", providerName)
+		var txt string
+		if t, ok := answerRr.(*dns.TXT); !ok {
+			dlog.Noticef("[%v] Extra record of type [%v] found in certificate", *serverName, answerRr.Header().Rrtype)
 			continue
+		} else {
+			txt = strings.Join(t.Txt, "")
 		}
+		binCert := PackTXTRR(txt)
 		if len(binCert) < 124 {
-			dlog.Warnf("[%v] Certificate too short", providerName)
+			dlog.Warnf("[%v] Certificate too short", *serverName)
 			continue
 		}
 		if !bytes.Equal(binCert[:4], CertMagic[:4]) {
-			dlog.Warnf("[%v] Invalid cert magic", providerName)
+			dlog.Warnf("[%v] Invalid cert magic", *serverName)
 			continue
 		}
 		cryptoConstruction := CryptoConstruction(0)
@ -63,32 +99,41 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
 		case 0x0002:
 			cryptoConstruction = XChacha20Poly1305
 		default:
-			dlog.Noticef("[%v] Unsupported crypto construction", providerName)
+			dlog.Noticef("[%v] Unsupported crypto construction", *serverName)
 			continue
 		}
 		signature := binCert[8:72]
 		signed := binCert[72:]
 		if !ed25519.Verify(pk, signed, signature) {
-			dlog.Warnf("[%v] Incorrect signature", providerName)
+			dlog.Warnf("[%v] Incorrect signature for provider name: [%v]", *serverName, providerName)
 			continue
 		}
 		serial := binary.BigEndian.Uint32(binCert[112:116])
 		tsBegin := binary.BigEndian.Uint32(binCert[116:120])
 		tsEnd := binary.BigEndian.Uint32(binCert[120:124])
 		if tsBegin >= tsEnd {
-			dlog.Warnf("[%v] certificate ends before it starts (%v >= %v)", providerName, tsBegin, tsEnd)
+			dlog.Warnf("[%v] certificate ends before it starts (%v >= %v)", *serverName, tsBegin, tsEnd)
 			continue
 		}
 		ttl := tsEnd - tsBegin
 		if ttl > 86400*7 {
-			dlog.Infof("[%v] the key validity period for this server is excessively long (%d days), significantly reducing reliability and forward security.", providerName, ttl/86400)
+			dlog.Infof(
+				"[%v] the key validity period for this server is excessively long (%d days), significantly reducing reliability and forward security.",
+				*serverName,
+				ttl/86400,
+			)
 			daysLeft := (tsEnd - now) / 86400
 			if daysLeft < 1 {
-				dlog.Criticalf("[%v] certificate will expire today -- Switch to a different resolver as soon as possible", providerName)
+				dlog.Criticalf(
+					"[%v] certificate will expire today -- Switch to a different resolver as soon as possible",
+					*serverName,
+				)
 			} else if daysLeft <= 7 {
-				dlog.Warnf("[%v] certificate is about to expire -- if you don't manage this server, tell the server operator about it", providerName)
+				dlog.Warnf("[%v] certificate is about to expire -- if you don't manage this server, tell the server operator about it", *serverName)
 			} else if daysLeft <= 30 {
-				dlog.Infof("[%v] certificate will expire in %d days", providerName, daysLeft)
+				dlog.Infof("[%v] certificate will expire in %d days", *serverName, daysLeft)
+			} else {
+				dlog.Debugf("[%v] certificate still valid for %d days", *serverName, daysLeft)
 			}
 			certInfo.ForwardSecurity = false
 		} else {
@ -96,24 +141,30 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
 		}
 		if !proxy.certIgnoreTimestamp {
 			if now > tsEnd || now < tsBegin {
-				dlog.Debugf("[%v] Certificate not valid at the current date", providerName)
+				dlog.Debugf(
+					"[%v] Certificate not valid at the current date (now: %v is not in [%v..%v])",
+					*serverName,
+					now,
+					tsBegin,
+					tsEnd,
+				)
 				continue
 			}
 		}
 		if serial < highestSerial {
-			dlog.Debugf("[%v] Superseded by a previous certificate", providerName)
+			dlog.Debugf("[%v] Superseded by a previous certificate", *serverName)
 			continue
 		}
 		if serial == highestSerial {
 			if cryptoConstruction < certInfo.CryptoConstruction {
-				dlog.Debugf("[%v] Keeping the previous, preferred crypto construction", providerName)
+				dlog.Debugf("[%v] Keeping the previous, preferred crypto construction", *serverName)
 				continue
 			} else {
-				dlog.Debugf("[%v] Upgrading the construction from %v to %v", providerName, certInfo.CryptoConstruction, cryptoConstruction)
+				dlog.Debugf("[%v] Upgrading the construction from %v to %v", *serverName, certInfo.CryptoConstruction, cryptoConstruction)
 			}
 		}
 		if cryptoConstruction != XChacha20Poly1305 && cryptoConstruction != XSalsa20Poly1305 {
-			dlog.Noticef("[%v] Cryptographic construction %v not supported", providerName, cryptoConstruction)
+			dlog.Noticef("[%v] Cryptographic construction %v not supported", *serverName, cryptoConstruction)
 			continue
 		}
 		var serverPk [32]byte
@ -132,42 +183,7 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
 		certCountStr = " - additional certificate"
 	}
 	if certInfo.CryptoConstruction == UndefinedConstruction {
-		return certInfo, 0, errors.New("No useable certificate found")
+		return certInfo, 0, fragmentsBlocked, errors.New("No usable certificate found")
 	}
-	return certInfo, int(rtt.Nanoseconds() / 1000000), nil
-}
-
-func isDigit(b byte) bool { return b >= '0' && b <= '9' }
-
-func dddToByte(s []byte) byte {
-	return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0'))
-}
-
-func packTxtString(s string) ([]byte, error) {
-	bs := make([]byte, len(s))
-	msg := make([]byte, 0)
-	copy(bs, s)
-	for i := 0; i < len(bs); i++ {
-		if bs[i] == '\\' {
-			i++
-			if i == len(bs) {
-				break
-			}
-			if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
-				msg = append(msg, dddToByte(bs[i:]))
-				i += 2
-			} else if bs[i] == 't' {
-				msg = append(msg, '\t')
-			} else if bs[i] == 'r' {
-				msg = append(msg, '\r')
-			} else if bs[i] == 'n' {
-				msg = append(msg, '\n')
-			} else {
-				msg = append(msg, bs[i])
-			}
-		} else {
-			msg = append(msg, bs[i])
-		}
-	}
-	return msg, nil
+	return certInfo, int(rtt.Nanoseconds() / 1000000), fragmentsBlocked, nil
 }
--- a/dnscrypt-proxy/dnsutils.go
+++ b/dnscrypt-proxy/dnsutils.go
@ -2,55 +2,95 @@ package main

 import (
 	"encoding/binary"
+	"errors"
+	"net"
 	"strings"
 	"time"
+	"unicode/utf8"

+	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
 )

+func EmptyResponseFromMessage(srcMsg *dns.Msg) *dns.Msg {
+	dstMsg := dns.Msg{MsgHdr: srcMsg.MsgHdr, Compress: true}
+	dstMsg.Question = srcMsg.Question
+	dstMsg.Response = true
+	if srcMsg.RecursionDesired {
+		dstMsg.RecursionAvailable = true
+	}
+	dstMsg.RecursionDesired = false
+	dstMsg.CheckingDisabled = false
+	dstMsg.AuthenticatedData = false
+	if edns0 := srcMsg.IsEdns0(); edns0 != nil {
+		dstMsg.SetEdns0(edns0.UDPSize(), edns0.Do())
+	}
+	return &dstMsg
+}
+
 func TruncatedResponse(packet []byte) ([]byte, error) {
-	srcMsg := new(dns.Msg)
+	srcMsg := dns.Msg{}
 	if err := srcMsg.Unpack(packet); err != nil {
 		return nil, err
 	}
-	dstMsg := srcMsg
-	dstMsg.Response = true
-	dstMsg.Answer = make([]dns.RR, 0)
-	dstMsg.Ns = make([]dns.RR, 0)
-	dstMsg.Extra = make([]dns.RR, 0)
+	dstMsg := EmptyResponseFromMessage(&srcMsg)
 	dstMsg.Truncated = true
 	return dstMsg.Pack()
 }

-func EmptyResponseFromMessage(srcMsg *dns.Msg) (*dns.Msg, error) {
-	dstMsg := srcMsg
-	dstMsg.Response = true
-	dstMsg.Answer = make([]dns.RR, 0)
-	dstMsg.Ns = make([]dns.RR, 0)
-	dstMsg.Extra = make([]dns.RR, 0)
-	return dstMsg, nil
-}
-
-func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool) (*dns.Msg, error) {
-	dstMsg, err := EmptyResponseFromMessage(srcMsg)
-	if err != nil {
-		return dstMsg, err
+func RefusedResponseFromMessage(srcMsg *dns.Msg, refusedCode bool, ipv4 net.IP, ipv6 net.IP, ttl uint32) *dns.Msg {
+	dstMsg := EmptyResponseFromMessage(srcMsg)
+	ede := new(dns.EDNS0_EDE)
+	if edns0 := dstMsg.IsEdns0(); edns0 != nil {
+		edns0.Option = append(edns0.Option, ede)
 	}
+	ede.InfoCode = dns.ExtendedErrorCodeFiltered
 	if refusedCode {
 		dstMsg.Rcode = dns.RcodeRefused
 	} else {
 		dstMsg.Rcode = dns.RcodeSuccess
 		questions := srcMsg.Question
-		if len(questions) > 0 {
+		if len(questions) == 0 {
+			return dstMsg
+		}
+		question := questions[0]
+		sendHInfoResponse := true
+
+		if ipv4 != nil && question.Qtype == dns.TypeA {
+			rr := new(dns.A)
+			rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: ttl}
+			rr.A = ipv4.To4()
+			if rr.A != nil {
+				dstMsg.Answer = []dns.RR{rr}
+				sendHInfoResponse = false
+				ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer
+			}
+		} else if ipv6 != nil && question.Qtype == dns.TypeAAAA {
+			rr := new(dns.AAAA)
+			rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
+			rr.AAAA = ipv6.To16()
+			if rr.AAAA != nil {
+				dstMsg.Answer = []dns.RR{rr}
+				sendHInfoResponse = false
+				ede.InfoCode = dns.ExtendedErrorCodeForgedAnswer
+			}
+		}
+
+		if sendHInfoResponse {
 			hinfo := new(dns.HINFO)
-			hinfo.Hdr = dns.RR_Header{Name: questions[0].Name, Rrtype: dns.TypeHINFO,
-				Class: dns.ClassINET, Ttl: 1}
+			hinfo.Hdr = dns.RR_Header{
+				Name: question.Name, Rrtype: dns.TypeHINFO,
+				Class: dns.ClassINET, Ttl: ttl,
+			}
 			hinfo.Cpu = "This query has been locally blocked"
 			hinfo.Os = "by dnscrypt-proxy"
 			dstMsg.Answer = []dns.RR{hinfo}
+		} else {
+			ede.ExtraText = "This query has been locally blocked by dnscrypt-proxy"
 		}
 	}
-	return dstMsg, nil
+
+	return dstMsg
 }

 func HasTCFlag(packet []byte) bool {
@ -69,7 +109,7 @@ func Rcode(packet []byte) uint8 {
 	return packet[3] & 0xf
 }

-func NormalizeName(name *[]byte) {
+func NormalizeRawQName(name *[]byte) {
 	for i, c := range *name {
 		if c >= 65 && c <= 90 {
 			(*name)[i] = c + 32
@ -77,15 +117,38 @@ func NormalizeName(name *[]byte) {
 	}
 }

-func StripTrailingDot(str string) string {
-	if len(str) > 1 && strings.HasSuffix(str, ".") {
-		str = str[:len(str)-1]
+func NormalizeQName(str string) (string, error) {
+	if len(str) == 0 || str == "." {
+		return ".", nil
 	}
-	return str
+	hasUpper := false
+	str = strings.TrimSuffix(str, ".")
+	strLen := len(str)
+	for i := 0; i < strLen; i++ {
+		c := str[i]
+		if c >= utf8.RuneSelf {
+			return str, errors.New("Query name is not an ASCII string")
+		}
+		hasUpper = hasUpper || ('A' <= c && c <= 'Z')
+	}
+	if !hasUpper {
+		return str, nil
+	}
+	var b strings.Builder
+	b.Grow(len(str))
+	for i := 0; i < strLen; i++ {
+		c := str[i]
+		if 'A' <= c && c <= 'Z' {
+			c += 'a' - 'A'
+		}
+		b.WriteByte(c)
+	}
+	return b.String(), nil
 }

 func getMinTTL(msg *dns.Msg, minTTL uint32, maxTTL uint32, cacheNegMinTTL uint32, cacheNegMaxTTL uint32) time.Duration {
-	if (msg.Rcode != dns.RcodeSuccess && msg.Rcode != dns.RcodeNameError) || (len(msg.Answer) <= 0 && len(msg.Ns) <= 0) {
+	if (msg.Rcode != dns.RcodeSuccess && msg.Rcode != dns.RcodeNameError) ||
+		(len(msg.Answer) <= 0 && len(msg.Ns) <= 0) {
 		return time.Duration(cacheNegMinTTL) * time.Second
 	}
 	var ttl uint32
@ -142,8 +205,14 @@ func setMaxTTL(msg *dns.Msg, ttl uint32) {
 }

 func updateTTL(msg *dns.Msg, expiration time.Time) {
-	ttl := uint32(time.Until(expiration) / time.Second)
-
+	until := time.Until(expiration)
+	ttl := uint32(0)
+	if until > 0 {
+		ttl = uint32(until / time.Second)
+		if until-time.Duration(ttl)*time.Second >= time.Second/2 {
+			ttl += 1
+		}
+	}
 	for _, rr := range msg.Answer {
 		rr.Header().Ttl = ttl
 	}
@ -151,10 +220,291 @@ func updateTTL(msg *dns.Msg, expiration time.Time) {
 		rr.Header().Ttl = ttl
 	}
 	for _, rr := range msg.Extra {
-		header := rr.Header()
-		if header.Rrtype == dns.TypeOPT {
-			continue
+		if rr.Header().Rrtype != dns.TypeOPT {
+			rr.Header().Ttl = ttl
 		}
-		rr.Header().Ttl = ttl
 	}
 }
+
+func hasEDNS0Padding(packet []byte) (bool, error) {
+	msg := dns.Msg{}
+	if err := msg.Unpack(packet); err != nil {
+		return false, err
+	}
+	if edns0 := msg.IsEdns0(); edns0 != nil {
+		for _, option := range edns0.Option {
+			if option.Option() == dns.EDNS0PADDING {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+func addEDNS0PaddingIfNoneFound(msg *dns.Msg, unpaddedPacket []byte, paddingLen int) ([]byte, error) {
+	edns0 := msg.IsEdns0()
+	if edns0 == nil {
+		msg.SetEdns0(uint16(MaxDNSPacketSize), false)
+		edns0 = msg.IsEdns0()
+		if edns0 == nil {
+			return unpaddedPacket, nil
+		}
+	}
+	for _, option := range edns0.Option {
+		if option.Option() == dns.EDNS0PADDING {
+			return unpaddedPacket, nil
+		}
+	}
+	ext := new(dns.EDNS0_PADDING)
+	padding := make([]byte, paddingLen)
+	for i := range padding {
+		padding[i] = 'X'
+	}
+	ext.Padding = padding[:paddingLen]
+	edns0.Option = append(edns0.Option, ext)
+	return msg.Pack()
+}
+
+func removeEDNS0Options(msg *dns.Msg) bool {
+	edns0 := msg.IsEdns0()
+	if edns0 == nil {
+		return false
+	}
+	edns0.Option = []dns.EDNS0{}
+	return true
+}
+
+func dddToByte(s []byte) byte {
+	return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0'))
+}
+
+func PackTXTRR(s string) []byte {
+	bs := make([]byte, len(s))
+	msg := make([]byte, 0)
+	copy(bs, s)
+	for i := 0; i < len(bs); i++ {
+		if bs[i] == '\\' {
+			i++
+			if i == len(bs) {
+				break
+			}
+			if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
+				msg = append(msg, dddToByte(bs[i:]))
+				i += 2
+			} else if bs[i] == 't' {
+				msg = append(msg, '\t')
+			} else if bs[i] == 'r' {
+				msg = append(msg, '\r')
+			} else if bs[i] == 'n' {
+				msg = append(msg, '\n')
+			} else {
+				msg = append(msg, bs[i])
+			}
+		} else {
+			msg = append(msg, bs[i])
+		}
+	}
+	return msg
+}
+
+type DNSExchangeResponse struct {
+	response         *dns.Msg
+	rtt              time.Duration
+	priority         int
+	fragmentsBlocked bool
+	err              error
+}
+
+func DNSExchange(
+	proxy *Proxy,
+	proto string,
+	query *dns.Msg,
+	serverAddress string,
+	relay *DNSCryptRelay,
+	serverName *string,
+	tryFragmentsSupport bool,
+) (*dns.Msg, time.Duration, bool, error) {
+	for {
+		cancelChannel := make(chan struct{})
+		maxTries := 3
+		channel := make(chan DNSExchangeResponse, 2*maxTries)
+		var err error
+		options := 0
+
+		for tries := 0; tries < maxTries; tries++ {
+			if tryFragmentsSupport {
+				queryCopy := query.Copy()
+				queryCopy.Id += uint16(options)
+				go func(query *dns.Msg, delay time.Duration) {
+					time.Sleep(delay)
+					option := DNSExchangeResponse{err: errors.New("Canceled")}
+					select {
+					case <-cancelChannel:
+					default:
+						option = _dnsExchange(proxy, proto, query, serverAddress, relay, 1500)
+					}
+					option.fragmentsBlocked = false
+					option.priority = 0
+					channel <- option
+				}(queryCopy, time.Duration(200*tries)*time.Millisecond)
+				options++
+			}
+			queryCopy := query.Copy()
+			queryCopy.Id += uint16(options)
+			go func(query *dns.Msg, delay time.Duration) {
+				time.Sleep(delay)
+				option := DNSExchangeResponse{err: errors.New("Canceled")}
+				select {
+				case <-cancelChannel:
+				default:
+					option = _dnsExchange(proxy, proto, query, serverAddress, relay, 480)
+				}
+				option.fragmentsBlocked = true
+				option.priority = 1
+				channel <- option
+			}(queryCopy, time.Duration(250*tries)*time.Millisecond)
+			options++
+		}
+		var bestOption *DNSExchangeResponse
+		for i := 0; i < options; i++ {
+			if dnsExchangeResponse := <-channel; dnsExchangeResponse.err == nil {
+				if bestOption == nil || dnsExchangeResponse.priority < bestOption.priority ||
+					(dnsExchangeResponse.priority == bestOption.priority && dnsExchangeResponse.rtt < bestOption.rtt) {
+					bestOption = &dnsExchangeResponse
+					if bestOption.priority == 0 {
+						close(cancelChannel)
+						break
+					}
+				}
+			} else {
+				err = dnsExchangeResponse.err
+			}
+		}
+		if bestOption != nil {
+			if bestOption.fragmentsBlocked {
+				dlog.Debugf("[%v] public key retrieval succeeded but server is blocking fragments", *serverName)
+			} else {
+				dlog.Debugf("[%v] public key retrieval succeeded", *serverName)
+			}
+			return bestOption.response, bestOption.rtt, bestOption.fragmentsBlocked, nil
+		}
+
+		if relay == nil || !proxy.anonDirectCertFallback {
+			if err == nil {
+				err = errors.New("Unable to reach the server")
+			}
+			return nil, 0, false, err
+		}
+		dlog.Infof(
+			"Unable to get the public key for [%v] via relay [%v], retrying over a direct connection",
+			*serverName,
+			relay.RelayUDPAddr.IP,
+		)
+		relay = nil
+	}
+}
+
+func _dnsExchange(
+	proxy *Proxy,
+	proto string,
+	query *dns.Msg,
+	serverAddress string,
+	relay *DNSCryptRelay,
+	paddedLen int,
+) DNSExchangeResponse {
+	var packet []byte
+	var rtt time.Duration
+
+	if proto == "udp" {
+		qNameLen, padding := len(query.Question[0].Name), 0
+		if qNameLen < paddedLen {
+			padding = paddedLen - qNameLen
+		}
+		if padding > 0 {
+			opt := new(dns.OPT)
+			opt.Hdr.Name = "."
+			ext := new(dns.EDNS0_PADDING)
+			ext.Padding = make([]byte, padding)
+			opt.Option = append(opt.Option, ext)
+			query.Extra = []dns.RR{opt}
+		}
+		binQuery, err := query.Pack()
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		udpAddr, err := net.ResolveUDPAddr("udp", serverAddress)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		upstreamAddr := udpAddr
+		if relay != nil {
+			proxy.prepareForRelay(udpAddr.IP, udpAddr.Port, &binQuery)
+			upstreamAddr = relay.RelayUDPAddr
+		}
+		now := time.Now()
+		pc, err := net.DialUDP("udp", nil, upstreamAddr)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		defer pc.Close()
+		if err := pc.SetDeadline(time.Now().Add(proxy.timeout)); err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		if _, err := pc.Write(binQuery); err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		packet = make([]byte, MaxDNSPacketSize)
+		length, err := pc.Read(packet)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		rtt = time.Since(now)
+		packet = packet[:length]
+	} else {
+		binQuery, err := query.Pack()
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		tcpAddr, err := net.ResolveTCPAddr("tcp", serverAddress)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		upstreamAddr := tcpAddr
+		if relay != nil {
+			proxy.prepareForRelay(tcpAddr.IP, tcpAddr.Port, &binQuery)
+			upstreamAddr = relay.RelayTCPAddr
+		}
+		now := time.Now()
+		var pc net.Conn
+		proxyDialer := proxy.xTransport.proxyDialer
+		if proxyDialer == nil {
+			pc, err = net.DialTCP("tcp", nil, upstreamAddr)
+		} else {
+			pc, err = (*proxyDialer).Dial("tcp", tcpAddr.String())
+		}
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		defer pc.Close()
+		if err := pc.SetDeadline(time.Now().Add(proxy.timeout)); err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		binQuery, err = PrefixWithSize(binQuery)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		if _, err := pc.Write(binQuery); err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		packet, err = ReadPrefixed(&pc)
+		if err != nil {
+			return DNSExchangeResponse{err: err}
+		}
+		rtt = time.Since(now)
+	}
+	msg := dns.Msg{}
+	if err := msg.Unpack(packet); err != nil {
+		return DNSExchangeResponse{err: err}
+	}
+	return DNSExchangeResponse{response: &msg, rtt: rtt, err: nil}
+}
--- a/dnscrypt-proxy/estimators.go
+++ b/dnscrypt-proxy/estimators.go
@ -6,10 +6,6 @@ import (
 	"github.com/VividCortex/ewma"
 )

-const (
-	SizeEstimatorEwmaDecay = 100.0
-)
-
 type QuestionSizeEstimator struct {
 	sync.RWMutex
 	minQuestionSize int
@ -17,7 +13,10 @@ type QuestionSizeEstimator struct {
 }

 func NewQuestionSizeEstimator() QuestionSizeEstimator {
-	return QuestionSizeEstimator{minQuestionSize: InitialMinQuestionSize, ewma: ewma.NewMovingAverage(SizeEstimatorEwmaDecay)}
+	return QuestionSizeEstimator{
+		minQuestionSize: InitialMinQuestionSize,
+		ewma:            &ewma.SimpleEWMA{},
+	}
 }

 func (questionSizeEstimator *QuestionSizeEstimator) MinQuestionSize() int {
--- a/dnscrypt-proxy/example-allowed-ips.txt
+++ b/dnscrypt-proxy/example-allowed-ips.txt
@ -0,0 +1,7 @@
+##############################
+#   Allowed IPs List         #
+##############################
+
+#192.168.0.*
+#fe80:53:*          # IPv6 prefix example
+#81.169.145.105
--- a/dnscrypt-proxy/example-allowed-names.txt
+++ b/dnscrypt-proxy/example-allowed-names.txt
@ -0,0 +1,31 @@
+
+###########################
+#        Allowlist        #
+###########################
+
+## Rules for allowing queries based on name, one per line
+##
+## Example of valid patterns:
+##
+## ads.*         | matches anything with an "ads." prefix
+## *.example.com | matches example.com and all names within that zone such as www.example.com
+## example.com   | identical to the above
+## =example.com  | allows example.com but not *.example.com
+## *sex*         | matches any name containing that substring
+## ads[0-9]*     | matches "ads" followed by one or more digits
+## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+
+
+# That one may be blocked due to 'tracker' being in the name.
+tracker.debian.org
+
+# That one may be blocked due to 'ads' being in the name.
+# However, blocking it prevents all sponsored links from the Google
+# search engine from being opened.
+googleadservices.com
+
+
+## Time-based rules
+
+# *.youtube.*  @time-to-play
+# facebook.com @play
--- a/dnscrypt-proxy/example-blacklist.txt
+++ b/dnscrypt-proxy/example-blacklist.txt
@ -1,38 +0,0 @@
-
-###########################
-#        Blacklist        #
-###########################
-
-## Rules for name-based query blocking, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | block example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-ad.*
-ads.*
-banner.*
-banners.*
-creatives.*
-oas.*
-oascentral.*
-stats.*
-tag.*
-telemetry.*
-tracker.*
-*.local
-eth0.me
-*.workgroup
-
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-sleep
-# facebook.com @work
--- a/dnscrypt-proxy/example-blocked-ips.txt
+++ b/dnscrypt-proxy/example-blocked-ips.txt
@ -0,0 +1,16 @@
+##############################
+#        IP blocklist        #
+##############################
+
+## Rules for IP-based response blocking
+##
+## Sample feeds of suspect IP addresses:
+## - https://github.com/stamparm/ipsum
+## - https://github.com/tg12/bad_packets_blocklist
+## - https://isc.sans.edu/block.txt
+## - https://block.energized.pro/extensions/ips/formats/list.txt
+## - https://www.iblocklist.com/lists
+
+163.5.1.4
+94.46.118.*
+fe80:53:*          # IPv6 prefix example
--- a/dnscrypt-proxy/example-blocked-names.txt
+++ b/dnscrypt-proxy/example-blocked-names.txt
@ -0,0 +1,45 @@
+
+###########################
+#        Blocklist        #
+###########################
+
+## Rules for name-based query blocking, one per line
+##
+## Example of valid patterns:
+##
+## ads.*         | matches anything with an "ads." prefix
+## *.example.com | matches example.com and all names within that zone such as www.example.com
+## example.com   | identical to the above
+## =example.com  | block example.com but not *.example.com
+## *sex*         | matches any name containing that substring
+## ads[0-9]*     | matches "ads" followed by one or more digits
+## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*        # inline comments are allowed after a pound sign
+stats.*
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+
+## Prevent usage of Apple private relay, that bypasses DNS
+
+# mask.apple-dns.net
+# mask.icloud.com
+# mask-api.icloud.com
+# doh.dns.apple.com
+
+
+## Time-based rules
+
+# *.youtube.*  @time-to-sleep
+# facebook.com @work
--- a/dnscrypt-proxy/example-captive-portals.txt
+++ b/dnscrypt-proxy/example-captive-portals.txt
@ -0,0 +1,27 @@
+###########################################
+#        Captive portal test names        #
+###########################################
+
+## Some operating systems send queries to these names after a network change,
+## in order to check if connectivity beyond the router is possible without
+## going through a captive portal.
+##
+## This is a list of hard-coded IP addresses that will be returned when queries
+## for these names are received, even before the operating system reports an interface
+## as usable for reaching the Internet.
+##
+## Note that IPv6 addresses don't need to be specified within brackets,
+## as there are no port numbers.
+
+captive.apple.com               17.253.109.201, 17.253.113.202
+connectivitycheck.gstatic.com   64.233.162.94, 64.233.164.94, 64.233.165.94, 64.233.177.94, 64.233.185.94, 74.125.132.94, 74.125.136.94, 74.125.20.94, 74.125.21.94, 74.125.28.94
+connectivitycheck.android.com   64.233.162.100, 64.233.162.101, 64.233.162.102, 64.233.162.113, 64.233.162.138, 64.233.162.139
+www.msftncsi.com                2.16.106.89, 2.16.106.91, 23.0.175.137, 23.0.175.146, 23.192.47.155, 23.192.47.203, 23.199.63.160, 23.199.63.184, 23.199.63.208, 23.204.146.160, 23.204.146.163, 23.46.238.243, 23.46.239.24, 23.48.39.16, 23.48.39.48, 23.55.38.139, 23.55.38.146, 23.59.190.185, 23.59.190.195
+dns.msftncsi.com                131.107.255.255, fd3e:4f5a:5b81::1
+www.msftconnecttest.com         13.107.4.52
+ipv6.msftconnecttest.com        2a01:111:2003::52
+ipv4only.arpa                   192.0.0.170, 192.0.0.171
+
+## Adding IP addresses of NTP servers is also a good idea
+
+time.google.com                 216.239.35.0, 2001:4860:4806::
--- a/dnscrypt-proxy/example-cloaking-rules.txt
+++ b/dnscrypt-proxy/example-cloaking-rules.txt
@ -13,7 +13,9 @@ www.google.*             forcesafesearch.google.com

 www.bing.com             strict.bing.com

-yandex.ru                familysearch.yandex.ru
+yandex.ru                familysearch.yandex.ru       # inline comments are allowed after a pound sign
+
+=duckduckgo.com          safe.duckduckgo.com

 www.youtube.com          restrictmoderate.youtube.com
 m.youtube.com            restrictmoderate.youtube.com
@ -21,5 +23,22 @@ youtubei.googleapis.com  restrictmoderate.youtube.com
 youtube.googleapis.com   restrictmoderate.youtube.com
 www.youtube-nocookie.com restrictmoderate.youtube.com

+# Multiple IP entries for the same name are supported.
+# In the following example, the same name maps both to IPv4 and IPv6 addresses:
+
 localhost                127.0.0.1
 localhost                ::1
+
+# For load-balancing, multiple IP addresses of the same class can also be
+# provided using the same format, one <pattern> <ip> pair per line.
+
+# ads.*                 192.168.100.1
+# ads.*                 192.168.100.2
+# ads.*                 ::1
+
+# PTR records can be created by setting cloak_ptr in the main configuration file
+# Entries with wild cards will not have PTR records created, but multiple 
+# names for the same IP are supported 
+
+# example.com           192.168.100.1
+# my.example.com        192.168.100.1
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@ -21,19 +21,25 @@
 ## Servers from the "public-resolvers" source (see down below) can
 ## be viewed here: https://dnscrypt.info/public-servers
 ##
-## If this line is commented, all registered servers matching the require_* filters
-## will be used.
+## The proxy will automatically pick working servers from this list.
+## Note that the require_* filters do NOT apply when using this setting.
+##
+## By default, this list is empty and all registered servers matching the
+## require_* filters will be used instead.
 ##
-## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.

 # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
-## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
+## Example with both IPv4 and IPv6:
+## listen_addresses = ['127.0.0.1:53', '[::1]:53']
+##
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`

-listen_addresses = ['127.0.0.1:53', '[::1]:53']
+listen_addresses = ['127.0.0.1:53']


 ## Maximum number of simultaneous client connections to accept
@ -49,7 +55,7 @@ max_clients = 250
 # user_name = 'nobody'


-## Require servers (from static + remote sources) to satisfy specific properties
+## Require servers (from remote sources) to satisfy specific properties

 # Use servers reachable over IPv4
 ipv4_servers = true
@ -63,6 +69,9 @@ dnscrypt_servers = true
 # Use servers implementing the DNS-over-HTTPS protocol
 doh_servers = true

+# Use servers implementing the Oblivious DoH protocol
+odoh_servers = false
+

 ## Require servers defined by remote sources to satisfy specific properties

@ -72,7 +81,7 @@ require_dnssec = false
 # Server must not log user queries (declarative)
 require_nolog = true

-# Server must not enforce its own blacklist (for parental control, ads blocking...)
+# Server must not enforce its own blocklist (for parental control, ads blocking...)
 require_nofilter = true

 # Server names to avoid even if they match all criteria
@ -88,42 +97,64 @@ disabled_server_names = []
 force_tcp = false


+## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
+## Note that, like DNSCrypt but unlike other HTTP versions, this uses
+## UDP and (usually) port 443 instead of TCP.
+
+http3 = false
+
+
 ## SOCKS proxy
 ## Uncomment the following line to route all TCP connections to a local Tor node
 ## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

-# proxy = "socks5://127.0.0.1:9050"
+# proxy = 'socks5://127.0.0.1:9050'


 ## HTTP/HTTPS proxy
 ## Only for DoH servers

-# http_proxy = "http://127.0.0.1:8888"
+# http_proxy = 'http://127.0.0.1:8888'


-## How long a DNS query will wait for a response, in milliseconds
+## How long a DNS query will wait for a response, in milliseconds.
+## If you have a network with *a lot* of latency, you may need to
+## increase this. Startup may be slower if you do so.
+## Don't increase it too much. 10000 is the highest reasonable value.

-timeout = 2500
+timeout = 5000


-## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
+## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds

 keepalive = 30


-## Use the REFUSED return code for blocked responses
-## Setting this to `false` means that some responses will be lies.
-## Unfortunately, `false` appears to be required for Android 8+
+## Add EDNS-client-subnet information to outgoing queries
+##
+## Multiple networks can be listed; they will be randomly chosen.
+## These networks don't have to match your actual networks.

-refused_code_in_responses = false
+# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']


-## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Using the `hinfo` option means that some responses will be lies.
+## Unfortunately, the `hinfo` option appears to be required for Android 8+
+
+# blocked_query_response = 'refused'
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
+## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
+## The response quality still depends on the server itself.

 # lb_strategy = 'p2'

 ## Set to `true` to constantly try to estimate the latency of all the resolvers
 ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+## Default is `true` that makes 'p2' `lb_strategy` work well.

 # lb_estimator = true

@ -133,21 +164,43 @@ refused_code_in_responses = false
 # log_level = 2


-## log file for the application
+## Log file for the application, as an alternative to sending logs to
+## the standard system logging service (syslog/Windows event log).
+##
+## This file is different from other log files, and will not be
+## automatically rotated by the application.

 # log_file = 'dnscrypt-proxy.log'


+## When using a log file, only keep logs from the most recent launch.
+
+# log_file_latest = true
+
+
 ## Use the system logger (syslog on Unix, Event Log on Windows)

 # use_syslog = true


+## The maximum concurrency to reload certificates from the resolvers.
+## Default is 10.
+
+# cert_refresh_concurrency = 10
+
+
 ## Delay, in minutes, after which certificates are reloaded

 cert_refresh_delay = 240


+## Initially don't check DNSCrypt server certificates for expiration, and
+## only start checking them after a first successful connection to a resolver.
+## This can be useful on routers with no battery-backed clock.
+
+# cert_ignore_timestamp = false
+
+
 ## DNSCrypt: Create a new, unique key for every single DNS query
 ## This may improve privacy but can also have a significant impact on CPU usage
 ## Only enable if you don't have a lot of network load
@ -160,7 +213,7 @@ cert_refresh_delay = 240
 # tls_disable_session_tickets = false


-## DoH: Use a specific cipher suite instead of the server preference
+## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference
 ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
@ -171,39 +224,72 @@ cert_refresh_delay = 240
 ## This may also help on Intel CPUs running 32-bit operating systems.
 ##
 ## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers. Google and Cloudflare are fine with it.
+## connecting to some DoH servers.

 # tls_cipher_suite = [52392, 49199]


-## Fallback resolver
-## This is a normal, non-encrypted DNS resolver, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
-## No user application queries will ever be leaked through this resolver,
-## and it will not be used after IP addresses of resolvers URLs have been found.
-## It will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
-## It will not be used if the configured system DNS works.
-## A resolver supporting DNSSEC is recommended. This may become mandatory.
+## Log TLS key material to a file, for debugging purposes only.
+## This file will contain the TLS master key, which can be used to decrypt
+## all TLS traffic to/from DoH servers.
+## Never ever enable except for debugging purposes with a tool such as mitmproxy.
+
+# tls_key_log_file = '/tmp/keylog.txt'
+
+
+## Bootstrap resolvers
 ##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
+## These are normal, non-encrypted DNS resolvers, that will be only used
+## for one-shot queries when retrieving the initial resolvers list and if
+## the system DNS configuration doesn't work.
+##
+## No user queries will ever be leaked through these resolvers, and they will
+## not be used after IP addresses of DoH resolvers have been found (if you are
+## using DoH).
+##
+## They will never be used if lists have already been cached, and if the stamps
+## of the configured servers already include IP addresses (which is the case for
+## most of DoH servers, and for all DNSCrypt servers and relays).
+##
+## They will not be used if the configured system DNS works, or after the
+## proxy already has at least one usable secure resolver.
+##
+## Resolvers supporting DNSSEC are recommended, and, if you are using
+## DoH, bootstrap resolvers should ideally be operated by a different entity
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
+##
+## People in China may want to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
+##
+## If more than one resolver is specified, they will be tried in sequence.
+##
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
+## lists are up to date, these resolvers will not even be used.

-fallback_resolver = '9.9.9.9:53'
+bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']


-## Never let dnscrypt-proxy try to use the system DNS settings;
-## unconditionally use the fallback resolver.
+## When internal DNS resolution is required, for example to retrieve
+## the resolvers list:
+##
+## - queries will be sent to dnscrypt-proxy itself, if it is already
+##   running with active servers (*)
+## - or else, queries will be sent to fallback servers
+## - finally, if `ignore_system_dns` is `false`, queries will be sent
+##   to the system DNS
+##
+## (*) this is incompatible with systemd sockets.
+## `listen_addrs` must not be empty.

-ignore_system_dns = false
+ignore_system_dns = true


 ## Maximum time (in seconds) to wait for network connectivity before
 ## initializing the proxy.
 ## Useful if the proxy is automatically started at boot, and network
 ## connectivity is not guaranteed to be immediately available.
-## Use 0 to not test for connectivity at all,
+## Use 0 to not test for connectivity at all (not recommended),
 ## and -1 to wait as much as possible.

 netprobe_timeout = 60
@ -217,7 +303,7 @@ netprobe_timeout = 60
 ## On other operating systems, the connection will be initialized
 ## but nothing will be sent at all.

-netprobe_address = "255.255.255.0:53"
+netprobe_address = '9.9.9.9:53'


 ## Offline mode - Do not use any remote encrypted servers.
@ -227,9 +313,19 @@ netprobe_address = "255.255.255.0:53"
 # offline_mode = false


+## Additional data to attach to outgoing queries.
+## These strings will be added as TXT records to queries.
+## Do not use, except on servers explicitly asking for extra data
+## to be present.
+## encrypted-dns-server can be configured to use this for access control
+## in the [access_control] section
+
+# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
+
+
 ## Automatic log files rotation

-# Maximum log files size in MB
+# Maximum log files size in MB - Set to 0 for unlimited.
 log_files_max_size = 10

 # How long to keep backup files, in days
@ -244,23 +340,43 @@ log_files_max_backups = 1
 #        Filters        #
 #########################

+## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
+## configure dnscrypt-proxy to do any kind of filtering (including the filters
+## below and blocklists).
+## You can still choose resolvers that do DNSSEC validation.
+
+
 ## Immediately respond to IPv6-related queries with an empty response
 ## This makes things faster when there is no IPv6 connectivity, but can
 ## also cause reliability issues with some stub resolvers.
-## Do not enable if you added a validating resolver such as dnsmasq in front
-## of the proxy.

 block_ipv6 = false


+## Immediately respond to A and AAAA queries for host names without a domain name
+## This also prevents "dotless domain names" from being resolved upstream.
+
+block_unqualified = true
+
+
+## Immediately respond to queries for local zones instead of leaking them to
+## upstream resolvers (always causing errors or timeouts).
+
+block_undelegated = true
+
+
+## TTL for synthetic responses sent when a request has been blocked (due to
+## IPv6 or blocklists).
+
+reject_ttl = 10
+
+

 ##################################################################################
 #        Route queries for specific domains to a dedicated set of servers        #
 ##################################################################################

-## Example map entries (one entry per line):
-## example.com 9.9.9.9
-## example.net 9.9.9.9,8.8.8.8,1.1.1.1
+## See the `example-forwarding-rules.txt` file for an example

 # forwarding_rules = 'forwarding-rules.txt'

@ -273,13 +389,18 @@ block_ipv6 = false
 ## Cloaking returns a predefined address for a specific name.
 ## In addition to acting as a HOSTS file, it can also return the IP address
 ## of a different name. It will also do CNAME flattening.
+## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
+## for cloaking rules that do not contain wild cards.
 ##
-## Example map entries (one entry per line)
-## example.com     10.1.1.1
-## www.google.com  forcesafesearch.google.com
+## See the `example-cloaking-rules.txt` file for an example

 # cloaking_rules = 'cloaking-rules.txt'

+## TTL used when serving entries in cloaking-rules.txt
+
+# cloak_ttl = 600
+# cloak_ptr = false
+


 ###########################
@ -293,12 +414,12 @@ cache = true

 ## Cache size

-cache_size = 512
+cache_size = 4096


 ## Minimum TTL for cached entries

-cache_min_ttl = 600
+cache_min_ttl = 2400


 ## Maximum TTL for cached entries
@ -317,6 +438,53 @@ cache_neg_max_ttl = 600



+########################################
+#        Captive portal handling       #
+########################################
+
+[captive_portals]
+
+## A file that contains a set of names used by operating systems to
+## check for connectivity and captive portals, along with hard-coded
+## IP addresses to return.
+
+# map_file = 'example-captive-portals.txt'
+
+
+
+##################################
+#        Local DoH server        #
+##################################
+
+[local_doh]
+
+## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
+## requiring a direct connection to a DoH server in order to enable some
+## features will enable these, without bypassing your DNS proxy.
+
+## Addresses that the local DoH server should listen to
+
+# listen_addresses = ['127.0.0.1:3000']
+
+
+## Path of the DoH URL. This is not a file, but the part after the hostname
+## in the URL. By convention, `/dns-query` is frequently chosen.
+## For each `listen_address` the complete URL to access the server will be:
+## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
+
+# path = '/dns-query'
+
+
+## Certificate file and key - Note that the certificate has to be trusted.
+## Can be generated using the following command:
+## openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem
+## See the documentation (wiki) for more information.
+
+# cert_file = 'localhost.pem'
+# cert_key_file = 'localhost.pem'
+
+
+
 ###############################
 #        Query logging        #
 ###############################
@ -325,19 +493,20 @@ cache_neg_max_ttl = 600

 [query_log]

-  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+## Path to the query log file (absolute, or relative to the same directory as the config file)
+## Can be set to /dev/stdout in order to log to the standard output.

-  # file = 'query.log'
+# file = 'query.log'


-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)

-  format = 'tsv'
+format = 'tsv'


-  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+## Do not log these query types, to reduce verbosity. Keep empty to log everything.

-  # ignored_qtypes = ['DNSKEY', 'NS']
+# ignored_qtypes = ['DNSKEY', 'NS']



@ -351,22 +520,22 @@ cache_neg_max_ttl = 600

 [nx_log]

-  ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+## Path to the query log file (absolute, or relative to the same directory as the config file)

-  # file = 'nx.log'
+# file = 'nx.log'


-  ## Query log format (currently supported: tsv and ltsv)
+## Query log format (currently supported: tsv and ltsv)

-  format = 'tsv'
+format = 'tsv'



 ######################################################
-#        Pattern-based blocking (blacklists)        #
+#        Pattern-based blocking (blocklists)         #
 ######################################################

-## Blacklists are made of one pattern per line. Example of valid patterns:
+## Blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   example.com
 ##   =example.com
@ -375,81 +544,108 @@ cache_neg_max_ttl = 600
 ##   ads*.example.*
 ##   ads*.example[0-9]*.com
 ##
-## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-## A script to build blacklists from public feeds can be found in the
-## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
+## A script to build blocklists from public feeds can be found in the
+## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.

-[blacklist]
+[blocked_names]

-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

-  # blacklist_file = 'blacklist.txt'
+# blocked_names_file = 'blocked-names.txt'


-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries

-  # log_file = 'blocked.log'
+# log_file = 'blocked-names.log'


-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)

-  # log_format = 'tsv'
+# log_format = 'tsv'



 ###########################################################
-#        Pattern-based IP blocking (IP blacklists)        #
+#        Pattern-based IP blocking (IP blocklists)        #
 ###########################################################

-## IP blacklists are made of one pattern per line. Example of valid patterns:
+## IP blocklists are made of one pattern per line. Example of valid patterns:
 ##
 ##   127.*
 ##   fe80:abcd:*
 ##   192.168.1.4

-[ip_blacklist]
+[blocked_ips]

-  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

-  # blacklist_file = 'ip-blacklist.txt'
+# blocked_ips_file = 'blocked-ips.txt'


-  ## Optional path to a file logging blocked queries
+## Optional path to a file logging blocked queries

-  # log_file = 'ip-blocked.log'
+# log_file = 'blocked-ips.log'


-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)

-  # log_format = 'tsv'
+# log_format = 'tsv'



 ######################################################
-#   Pattern-based whitelisting (blacklists bypass)   #
+#   Pattern-based allow lists (blocklists bypass)    #
 ######################################################

-## Whitelists support the same patterns as blacklists
-## If a name matches a whitelist entry, the corresponding session
+## Allowlists support the same patterns as blocklists
+## If a name matches an allowlist entry, the corresponding session
 ## will bypass names and IP filters.
 ##
 ## Time-based rules are also supported to make some websites only accessible at specific times of the day.

-[whitelist]
+[allowed_names]

-  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
+## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)

-  # whitelist_file = 'whitelist.txt'
+# allowed_names_file = 'allowed-names.txt'


-  ## Optional path to a file logging whitelisted queries
+## Optional path to a file logging allowed queries

-  # log_file = 'whitelisted.log'
+# log_file = 'allowed-names.log'


-  ## Optional log format: tsv or ltsv (default: tsv)
+## Optional log format: tsv or ltsv (default: tsv)

-  # log_format = 'tsv'
+# log_format = 'tsv'
+
+
+
+#########################################################
+#   Pattern-based allowed IPs lists (blocklists bypass) #
+#########################################################
+
+## Allowed IP lists support the same patterns as IP blocklists
+## If an IP response matches an allowed entry, the corresponding session
+## will bypass IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[allowed_ips]
+
+## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+
+# allowed_ips_file = 'allowed-ips.txt'
+
+
+## Optional path to a file logging allowed queries
+
+# log_file = 'allowed-ips.log'
+
+## Optional log format: tsv or ltsv (default: tsv)
+
+# log_format = 'tsv'



@ -458,34 +654,33 @@ cache_neg_max_ttl = 600
 ##########################################

 ## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
 ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
 ##
-## For example, the following rule in a blacklist file:
+## For example, the following rule in a blocklist file:
 ## *.youtube.* @time-to-sleep
-## would block access to YouTube only during the days, and period of the days
-## define by the 'time-to-sleep' schedule.
+## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
 ##
 ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
 ## {after= '9:00', before='18:00'} matches 9:00-18:00

 [schedules]

-  # [schedules.'time-to-sleep']
-  # mon = [{after='21:00', before='7:00'}]
-  # tue = [{after='21:00', before='7:00'}]
-  # wed = [{after='21:00', before='7:00'}]
-  # thu = [{after='21:00', before='7:00'}]
-  # fri = [{after='23:00', before='7:00'}]
-  # sat = [{after='23:00', before='7:00'}]
-  # sun = [{after='21:00', before='7:00'}]
+  # [schedules.time-to-sleep]
+  #   mon = [{after='21:00', before='7:00'}]
+  #   tue = [{after='21:00', before='7:00'}]
+  #   wed = [{after='21:00', before='7:00'}]
+  #   thu = [{after='21:00', before='7:00'}]
+  #   fri = [{after='23:00', before='7:00'}]
+  #   sat = [{after='23:00', before='7:00'}]
+  #   sun = [{after='21:00', before='7:00'}]

-  # [schedules.'work']
-  # mon = [{after='9:00', before='18:00'}]
-  # tue = [{after='9:00', before='18:00'}]
-  # wed = [{after='9:00', before='18:00'}]
-  # thu = [{after='9:00', before='18:00'}]
-  # fri = [{after='9:00', before='17:00'}]
+  # [schedules.work]
+  #   mon = [{after='9:00', before='18:00'}]
+  #   tue = [{after='9:00', before='18:00'}]
+  #   wed = [{after='9:00', before='18:00'}]
+  #   thu = [{after='9:00', before='18:00'}]
+  #   fri = [{after='9:00', before='17:00'}]



@ -505,43 +700,209 @@ cache_neg_max_ttl = 600
 ## must include the prefixes.
 ##
 ## If the `urls` property is missing, cache files and valid signatures
-## must be already present; This doesn't prevent these cache files from
+## must already be present. This doesn't prevent these cache files from
 ## expiring after `refresh_delay` hours.
+## `refreshed_delay` must be in the [24..168] interval.
+## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers.
+## The maximum delay of 168 hours (1 week) ensures cache freshness.

 [sources]

-  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+  ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

-  [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = 'public-resolvers.md'
-  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
-  refresh_delay = 72
-  prefix = ''
+  [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+    cache_file = 'public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''

-  ## Quad9 over DNSCrypt - https://quad9.net/
+  ### Anonymized DNS relays
+
+  [sources.relays]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
+    cache_file = 'relays.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+    prefix = ''
+
+  ### ODoH (Oblivious DoH) servers and relays
+
+  # [sources.odoh-servers]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
+  #   cache_file = 'odoh-servers.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+  # [sources.odoh-relays]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
+  #   cache_file = 'odoh-relays.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  #   refresh_delay = 24
+  #   prefix = ''
+
+  ### Quad9

  # [sources.quad9-resolvers]
-  # urls = ["https://www.quad9.net/quad9-resolvers.md"]
-  # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
-  # cache_file = "quad9-resolvers.md"
-  # refresh_delay = 72
-  # prefix = "quad9-"
+  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
+  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+  #   cache_file = 'quad9-resolvers.md'
+  #   prefix = 'quad9-'

-  ## Another example source, with resolvers censoring some websites not appropriate for children
-  ## This is a subset of the `public-resolvers` list, so enabling both is useless
+  ### Another example source, with resolvers censoring some websites not appropriate for children
+  ### This is a subset of the `public-resolvers` list, so enabling both is useless.

-  #  [sources.'parental-control']
-  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
-  #  cache_file = 'parental-control.md'
-  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  # [sources.parental-control]
+  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
+  #   cache_file = 'parental-control.md'
+  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+  ### dnscry.pt servers - See https://www.dnscry.pt
+
+  #  [sources.dnscry-pt-resolvers]
+  #    urls = ["https://www.dnscry.pt/resolvers.md"]
+  #    minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ"
+  #    cache_file = "dnscry.pt-resolvers.md"
+  #    refresh_delay = 72
+  #    prefix = "dnscry.pt-"


+#########################################
+#        Servers with known bugs        #
+#########################################
+
+[broken_implementations]
+
+## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+## truncate responses larger than questions as expected by the DNSCrypt protocol.
+## This prevents large responses from being received over UDP and over relays.
+##
+## Older versions of the `dnsdist` server software had a bug with queries larger
+## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
+## some server may still run an outdated version.
+##
+## The list below enables workarounds to make non-relayed usage more reliable
+## until the servers are fixed.
+
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
+
+
+
+#################################################################
+#        Certificate-based client authentication for DoH        #
+#################################################################
+
+## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
+## This is only useful if you are operating your own, private DoH server(s).
+## 'creds' maps servers to certificates, and supports multiple entries.
+## If you are not using the standard root CA, an optional "root_ca"
+## property set to the path to a root CRT file can be added to a server entry.
+
+[doh_client_x509_auth]
+
+# creds = [
+#    { server_name='*', client_cert='client.crt', client_key='client.key' }
+# ]
+
+
+
+################################
+#        Anonymized DNS        #
+################################
+
+[anonymized_dns]
+
+## Routes are indirect ways to reach DNSCrypt servers.
+##
+## A route maps a server name ("server_name") to one or more relays that will be
+## used to connect to that server.
+##
+## A relay can be specified as a DNS Stamp (either a relay stamp, or a
+## DNSCrypt stamp) or a server name.
+##
+## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
+## and "example-server-2" via the relay whose relay DNS stamp is
+## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+##
+## !!! THESE ARE JUST EXAMPLES !!!
+##
+## Review the list of available relays from the "relays.md" file, and, for each
+## server you want to use, define the relays you want connections to go through.
+##
+## Carefully choose relays and servers so that they are run by different entities.
+##
+## "server_name" can also be set to "*" to define a default route, for all servers:
+## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
+##
+## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
+## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
+##
+## Manual selection is always recommended over automatic selection, so that you can
+## select (relay,server) pairs that work well and fit your own criteria (close by or
+## in different countries, operated by different entities, on distinct ISPs...)
+
+# routes = [
+#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
+#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
+# ]
+
+
+## Skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
+## If public server certificates for a non-conformant server cannot be
+## retrieved via a relay, try getting them directly. Actual queries
+## will then always go through relays.
+
+# direct_cert_fallback = false
+
+
+
+###############################
+#            DNS64            #
+###############################
+
+## DNS64 is a mechanism for synthesizing AAAA records from A records.
+## It is used with an IPv6/IPv4 translator to enable client-server
+## communication between an IPv6-only client and an IPv4-only server,
+## without requiring any changes to either the IPv6 or the IPv4 node,
+## for the class of applications that work through NATs.
+##
+## There are two options to synthesize such records:
+## Option 1: Using a set of static IPv6 prefixes;
+## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
+##
+## If both options are configured - only static prefixes are used.
+## (Ref. RFC6147, RFC6052, RFC7050)
+##
+## Do not enable unless you know what DNS64 is and why you need it, or else
+## you won't be able to connect to anything at all.
+
+[dns64]
+
+## Static prefix(es) as Pref64::/n CIDRs
+
+# prefix = ['64:ff9b::/96']
+
+## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
+## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
+## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
+## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
+
+# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
+
+
+
+########################################
+#            Static entries            #
+########################################

 ## Optional, local, static list of additional servers
 ## Mostly useful for testing your own servers.

 [static]

-  # [static.'google']
-  # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
+  # [static.myserver]
+  #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
--- a/dnscrypt-proxy/example-forwarding-rules.txt
+++ b/dnscrypt-proxy/example-forwarding-rules.txt
@ -10,5 +10,27 @@
 ## In order to enable this feature, the "forwarding_rules" property needs to
 ## be set to this file name inside the main configuration file.

+## Blocking IPv6 may prevent local devices from being discovered.
+## If this happens, set `block_ipv6` to `false` in the main config file.
+
+## Forward *.lan, *.local, *.home, *.home.arpa, *.internal and *.localdomain to 192.168.1.1
+# lan              192.168.1.1
+# local            192.168.1.1
+# home             192.168.1.1
+# home.arpa        192.168.1.1
+# internal         192.168.1.1
+# localdomain      192.168.1.1
+# 192.in-addr.arpa 192.168.1.1
+
 ## Forward queries for example.com and *.example.com to 9.9.9.9 and 8.8.8.8
-# example.com     9.9.9.9,8.8.8.8
+# example.com      9.9.9.9,8.8.8.8
+
+## Forward queries to a resolver using IPv6
+# ipv6.example.com [2001:DB8::42]:53
+
+## Forward queries for .onion names to a local Tor client
+## Tor must be configured with the following in the torrc file:
+## DNSPort 9053
+## AutomapHostsOnResolve 1
+
+# onion            127.0.0.1:9053
--- a/dnscrypt-proxy/example-whitelist.txt
+++ b/dnscrypt-proxy/example-whitelist.txt
@ -1,23 +0,0 @@
-
-###########################
-#        Whitelist        #
-###########################
-
-## Rules for name-based query whitelisting, one per line
-##
-## Example of valid patterns:
-##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | whitelists example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
-
-
-
-## Time-based rules
-
-# *.youtube.*  @time-to-play
-# facebook.com @play
--- a/dnscrypt-proxy/fuzzing_test.go
+++ b/dnscrypt-proxy/fuzzing_test.go
@ -0,0 +1,41 @@
+//go:build gofuzzbeta
+// +build gofuzzbeta
+
+package main
+
+import (
+	"encoding/hex"
+	"testing"
+
+	stamps "github.com/jedisct1/go-dnsstamps"
+)
+
+func FuzzParseODoHTargetConfigs(f *testing.F) {
+	configs_hex := "0020000100010020aacc53b3df0c6eb2d7d5ce4ddf399593376c9903ba6a52a52c3a2340f97bb764"
+	configs, _ := hex.DecodeString(configs_hex)
+	f.Add(configs)
+	f.Fuzz(func(t *testing.T, configs []byte) {
+		if _, err := parseODoHTargetConfigs(configs); err != nil {
+			t.Skip()
+		}
+	})
+}
+
+func FuzzParseStampParser(f *testing.F) {
+	f.Add("sdns://AgcAAAAAAAAACzEwNC4yMS42Ljc4AA1kb2guY3J5cHRvLnN4Ci9kbnMtcXVlcnk")
+	f.Add("sdns://AgcAAAAAAAAAGlsyNjA2OjQ3MDA6MzAzNzo6NjgxNTo2NGVdABJkb2gtaXB2Ni5jcnlwdG8uc3gKL2Rucy1xdWVyeQ")
+	f.Add(
+		"sdns://AQcAAAAAAAAADTUxLjE1LjEyMi4yNTAg6Q3ZfapcbHgiHKLF7QFoli0Ty1Vsz3RXs1RUbxUrwZAcMi5kbnNjcnlwdC1jZXJ0LnNjYWxld2F5LWFtcw",
+	)
+	f.Add(
+		"sdns://AQcAAAAAAAAAFlsyMDAxOmJjODoxODIwOjUwZDo6MV0g6Q3ZfapcbHgiHKLF7QFoli0Ty1Vsz3RXs1RUbxUrwZAcMi5kbnNjcnlwdC1jZXJ0LnNjYWxld2F5LWFtcw",
+	)
+	f.Add("sdns://gQ8xNjMuMTcyLjE4MC4xMjU")
+	f.Add("sdns://BQcAAAAAAAAADm9kb2guY3J5cHRvLnN4Ci9kbnMtcXVlcnk")
+	f.Add("sdns://hQcAAAAAAAAAACCi3jNJDEdtNW4tvHN8J3lpIklSa2Wrj7qaNCgEgci9_BpvZG9oLXJlbGF5LmVkZ2Vjb21wdXRlLmFwcAEv")
+	f.Fuzz(func(t *testing.T, stamp string) {
+		if _, err := stamps.NewServerStampFromString(stamp); err != nil {
+			t.Skip()
+		}
+	})
+}
--- a/dnscrypt-proxy/local-doh.go
+++ b/dnscrypt-proxy/local-doh.go
@ -0,0 +1,141 @@
+package main
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type localDoHHandler struct {
+	proxy *Proxy
+}
+
+func (handler localDoHHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+	proxy := handler.proxy
+	if !proxy.clientsCountInc() {
+		dlog.Warnf("Too many incoming connections (max=%d)", proxy.maxClients)
+		return
+	}
+	defer proxy.clientsCountDec()
+	dataType := "application/dns-message"
+	writer.Header().Set("Server", "dnscrypt-proxy")
+	if request.URL.Path != proxy.localDoHPath {
+		writer.WriteHeader(404)
+		return
+	}
+	packet := []byte{}
+	var err error
+	start := time.Now()
+	if request.Method == "POST" &&
+		request.Header.Get("Content-Type") == dataType {
+		packet, err = io.ReadAll(io.LimitReader(request.Body, int64(MaxDNSPacketSize)))
+		if err != nil {
+			dlog.Warnf("No body in a local DoH query")
+			return
+		}
+	} else if request.Method == "GET" && request.Header.Get("Accept") == dataType {
+		encodedPacket := request.URL.Query().Get("dns")
+		if len(encodedPacket) >= MinDNSPacketSize*4/3 && len(encodedPacket) <= MaxDNSPacketSize*4/3 {
+			packet, err = base64.RawURLEncoding.DecodeString(encodedPacket)
+			if err != nil {
+				dlog.Warnf("Invalid base64 in a local DoH query")
+				return
+			}
+		}
+	}
+	if len(packet) < MinDNSPacketSize {
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(400)
+		writer.Write([]byte("dnscrypt-proxy local DoH server\n"))
+		return
+	}
+	clientAddr, err := net.ResolveTCPAddr("tcp", request.RemoteAddr)
+	if err != nil {
+		dlog.Errorf("Unable to get the client address: [%v]", err)
+		return
+	}
+	xClientAddr := net.Addr(clientAddr)
+	hasEDNS0Padding, err := hasEDNS0Padding(packet)
+	if err != nil {
+		writer.WriteHeader(400)
+		return
+	}
+	response := proxy.processIncomingQuery("local_doh", proxy.mainProto, packet, &xClientAddr, nil, start, false)
+	if len(response) == 0 {
+		writer.WriteHeader(500)
+		return
+	}
+	msg := dns.Msg{}
+	if err := msg.Unpack(packet); err != nil {
+		writer.WriteHeader(500)
+		return
+	}
+	responseLen := len(response)
+	paddedLen := dohPaddedLen(responseLen)
+	padLen := paddedLen - responseLen
+	if hasEDNS0Padding {
+		response, err = addEDNS0PaddingIfNoneFound(&msg, response, padLen)
+		if err != nil {
+			dlog.Critical(err)
+			return
+		}
+	} else {
+		pad := strings.Repeat("X", padLen)
+		writer.Header().Set("X-Pad", pad)
+	}
+	writer.Header().Set("Content-Type", dataType)
+	writer.Header().Set("Content-Length", fmt.Sprint(len(response)))
+	writer.WriteHeader(200)
+	writer.Write(response)
+}
+
+func (proxy *Proxy) localDoHListener(acceptPc *net.TCPListener) {
+	defer acceptPc.Close()
+	if len(proxy.localDoHCertFile) == 0 || len(proxy.localDoHCertKeyFile) == 0 {
+		dlog.Fatal("A certificate and a key are required to start a local DoH service")
+	}
+	httpServer := &http.Server{
+		ReadTimeout:  proxy.timeout,
+		WriteTimeout: proxy.timeout,
+		Handler:      localDoHHandler{proxy: proxy},
+	}
+	httpServer.SetKeepAlivesEnabled(true)
+	if err := httpServer.ServeTLS(acceptPc, proxy.localDoHCertFile, proxy.localDoHCertKeyFile); err != nil {
+		dlog.Fatal(err)
+	}
+}
+
+func dohPaddedLen(unpaddedLen int) int {
+	boundaries := [...]int{
+		64,
+		128,
+		192,
+		256,
+		320,
+		384,
+		512,
+		704,
+		768,
+		896,
+		960,
+		1024,
+		1088,
+		1152,
+		2688,
+		4080,
+		MaxDNSPacketSize,
+	}
+	for _, boundary := range boundaries {
+		if boundary >= unpaddedLen {
+			return boundary
+		}
+	}
+	return unpaddedLen
+}
--- a/dnscrypt-proxy/localhost.pem
+++ b/dnscrypt-proxy/localhost.pem
@ -0,0 +1,47 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDb7g6EQhbfby97
+k4oMbZTzdi2TWFBs7qK/QwgOu+L6EhNHPO1ZEU29v0APFBFJO5zyyAk9bZ9k9tPB
+bCuVVI9jEUfLH3UCjEQPG6XI2w++uVh0yALvc/uurCvRHVlle/V7cAoikndc2SjE
+RQUALbACIqwD5g0F77BYwcsreB4GH253/R6Q2/CJZ4jNHPjkocOJiVr3ejA0kkoN
+MXpGUXWcrVVk20M2A1CeO7HAulLRcklEdoHE3v46pjp0iZK0F9LyZX1U1ql+4QL3
+iQttoZ4tMg83lFHSt4G9PrpIhzXr9W4NW822faSvrIwwN/JbItUmRa7n/3+MkuJQ
+IGGNDayXAgMBAAECggEBANs0fmGSocuXvYL1Pi4+9qxnCOwIpTi97Zam0BwnZwcL
+Bw4FCyiwV4UdX1LoFIailT9i49rHLYzre4oZL6OKgdQjQCSTuQOOHLPWQbpdpWba
+w/C5/jr+pkemMZIfJ6BAGiArPt7Qj4oKpFhj1qUj5H9sYXkNTcOx8Fm25rLv6TT9
+O7wg0oCpyG+iBSbCYBp9mDMz8pfo4P3BhcFiyKCKeiAC6KuHU81dvuKeFB4XQK+X
+no2NqDqe6MBkmTqjNNy+wi1COR7lu34LPiWU5Hq5PdIEqBBUMjlMI6oYlhlgNTdx
+SvsqFz3Xs6kpAhJTrSiAqscPYosgaMQxo+LI26PJnikCgYEA9n0OERkm0wSBHnHY
+Kx8jaxNYg93jEzVnEgI/MBTJZqEyCs9fF6Imv737VawEN/BhesZZX7bGZQfDo8AT
+aiSa5upkkSGXEqTu5ytyoKFTb+dJ/qmx3+zP6dPVzDnc8WPYMoUg7vvjZkXXJgZX
+oMlMUW1wWiDNI3wP19W9Is6xssCgYEA5GqkUBEns6eTFJV0JKqbEORJJ7lx5NZe
+cIx+jPpLkILG4mOKOg1TBx0wkxa9cELtsNsM+bPtu9OqRMhsfPBmsXDHhJwg0Z6G
+eDTfYYPkpRhwZvl6jBZn9sLVR9wfg2hE+n0lfV3mceg336KOkwAehDU84SWZ2e0S
+esqkpbHJa+UCgYA7PY0O8POSzcdWkNf6bS5vAqRIdSCpMjGGc4HKRYSuJNnJHVPm
+czNK7Bcm3QPaiexzvI4oYd5G09niVjyUSx3rl7P56Y/MjFVau+d90agjAfyXtyMo
+BVtnAGGnBtUiMvP4GGT06xcZMnnmCqpEbBaZQ/7N8Bdwnxh5sqlMdtX2hwKBgAhL
+hyQRO2vezgyVUN50A6WdZLq4lVZGIq/bqkzcWhopZaebDc4F5doASV9OGBsXkyI1
+EkePLTcA/NH6pVX0NQaEnfpG4To7k46R/PrBm3ATbyGONdEYjzX65VvytoJDKx4d
+pVrkKhZA5KaOdLcJ7hHHDSrv/qJXZbBn44rQ5guxAoGBAJ6oeUsUUETakxlmIhmK
+xuQmWqLf97BKt8r6Z8CqHKWK7vpG2OmgFYCQGaR7angQ8hmAOv6jM56XhoagDBoc
+UoaoEyo9/uCk6NRUkUMj7Tk/5UQSiWLceVH27w+icMFhf1b7EmmNfk+APsiathO5
+j4edf1AinVCPwRVVu1dtLL5P
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeoCCQCptj0+TjjIJjANBgkqhkiG9w0BAQsFADBDMREwDwYDVQQKDAhE
+TlNDcnlwdDEaMBgGA1UECwwRTG9jYWwgdGVzdCBzZXJ2ZXIxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDAeFw0xOTExMTgxNDA2MzBaFw0zMzA3MjcxNDA2MzBaMEMxETAPBgNV
+BAoMCEROU0NyeXB0MRowGAYDVQQLDBFMb2NhbCB0ZXN0IHNlcnZlcjESMBAGA1UE
+AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2+4O
+hEIW328ve5OKDG2U83Ytk1hQbO6iv0MIDrvi+hITRzztWRFNvb9ADxQRSTuc8sgJ
+PW2fZPbTwWwrlVSPYxFHyx91AoxEDxulyNsPvrlYdMgC73P7rqwr0R1ZZXv1e3AK
+IpJ3XNkoxEUFAC2wAiKsA+YNBe+wWMHLK3geBh9ud/0ekNvwiWeIzRz45KHDiYla
+93owNJJKDTF6RlF1nK1VZNtDNgNQnjuxwLpS0XJJRHaBxN7+OqY6dImStBfS8mV9
+VNapfuEC94kLbaGeLTIPN5RR0reBvT66SIc16/VuDVvNtn2kr6yMMDfyWyLVJkWu
+5/9/jJLiUCBhjQ2slwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6Vz5HnGuy8jZz
+5i8ipbcDMCZNdpYYnxgD53hEKOfoSv7LaF0ztD8Kmg3s5LHv9EHlkK3+G6FWRGiP
+9f6IbtRITaiVQP3M13T78hpN5Qq5jgsqjR7ZcN7Etr6ZFd7G/0+mzqbyBuW/3szt
+RdX/YLy1csvjbZoNNuXGWRohXjg0Mjko2tRLmARvxA/gZV5zWycv3BD2BPzyCdS9
+MDMYSF0RPiL8+alfwLNqLcqMA5liHlmZa85uapQyoUI3ksKJkEgU53aD8cYhH9Yn
+6mVpsrvrcRLBiHlbi24QBolhFkCSRK8bXes8XDIPuD8iYRwlrVBwOakMFQWMqNfI
+IMOKJomU
+-----END CERTIFICATE-----
--- a/dnscrypt-proxy/logger.go
+++ b/dnscrypt-proxy/logger.go
@ -0,0 +1,40 @@
+package main
+
+import (
+	"io"
+	"os"
+
+	"github.com/jedisct1/dlog"
+	"gopkg.in/natefinch/lumberjack.v2"
+)
+
+func Logger(logMaxSize int, logMaxAge int, logMaxBackups int, fileName string) io.Writer {
+	if fileName == "/dev/stdout" {
+		return os.Stdout
+	}
+	if st, _ := os.Stat(fileName); st != nil && !st.Mode().IsRegular() {
+		if st.Mode().IsDir() {
+			dlog.Fatalf("[%v] is a directory", fileName)
+		}
+		fp, err := os.OpenFile(fileName, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644)
+		if err != nil {
+			dlog.Fatalf("Unable to access [%v]: [%v]", fileName, err)
+		}
+		return fp
+	}
+	if fp, err := os.OpenFile(fileName, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644); err == nil {
+		fp.Close()
+	} else {
+		dlog.Errorf("Unable to create [%v]: [%v]", fileName, err)
+	}
+	logger := &lumberjack.Logger{
+		LocalTime:  true,
+		MaxSize:    logMaxSize,
+		MaxAge:     logMaxAge,
+		MaxBackups: logMaxBackups,
+		Filename:   fileName,
+		Compress:   true,
+	}
+
+	return logger
+}
--- a/dnscrypt-proxy/main.go
+++ b/dnscrypt-proxy/main.go
@ -7,56 +7,88 @@ import (
 	"fmt"
 	"math/rand"
 	"os"
+	"runtime"
 	"sync"

-	"github.com/facebookgo/pidfile"
 	"github.com/jedisct1/dlog"
 	"github.com/kardianos/service"
 )

 const (
-	AppVersion            = "2.0.24"
+	AppVersion            = "2.1.5"
 	DefaultConfigFileName = "dnscrypt-proxy.toml"
 )

 type App struct {
 	wg    sync.WaitGroup
 	quit  chan struct{}
-	proxy Proxy
+	proxy *Proxy
+	flags *ConfigFlags
 }

 func main() {
+	tzErr := TimezoneSetup()
 	dlog.Init("dnscrypt-proxy", dlog.SeverityNotice, "DAEMON")
-	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+	if tzErr != nil {
+		dlog.Warnf("Timezone setup failed: [%v]", tzErr)
+	}
+	runtime.MemProfileRate = 0

 	seed := make([]byte, 8)
-	crypto_rand.Read(seed)
-	rand.Seed(int64(binary.LittleEndian.Uint64(seed[:])))
+	if _, err := crypto_rand.Read(seed); err != nil {
+		dlog.Fatal(err)
+	}
+	rand.Seed(int64(binary.LittleEndian.Uint64(seed)))

 	pwd, err := os.Getwd()
 	if err != nil {
 		dlog.Fatal("Unable to find the path to the current directory")
 	}
+
+	svcFlag := flag.String("service", "", fmt.Sprintf("Control the system service: %q", service.ControlAction))
+	version := flag.Bool("version", false, "print current proxy version")
+	flags := ConfigFlags{}
+	flags.Resolve = flag.String("resolve", "", "resolve a DNS name (string can be <name> or <name>,<resolver address>)")
+	flags.List = flag.Bool("list", false, "print the list of available resolvers for the enabled filters")
+	flags.ListAll = flag.Bool("list-all", false, "print the complete list of available resolvers, ignoring filters")
+	flags.IncludeRelays = flag.Bool("include-relays", false, "include the list of available relays in the output of -list and -list-all")
+	flags.JSONOutput = flag.Bool("json", false, "output list as JSON")
+	flags.Check = flag.Bool("check", false, "check the configuration file and exit")
+	flags.ConfigFile = flag.String("config", DefaultConfigFileName, "Path to the configuration file")
+	flags.Child = flag.Bool("child", false, "Invokes program as a child process")
+	flags.NetprobeTimeoutOverride = flag.Int("netprobe-timeout", 60, "Override the netprobe timeout")
+	flags.ShowCerts = flag.Bool("show-certs", false, "print DoH certificate chain hashes")
+
+	flag.Parse()
+
+	if *version {
+		fmt.Println(AppVersion)
+		os.Exit(0)
+	}
+
+	if fullexecpath, err := os.Executable(); err == nil {
+		WarnIfMaybeWritableByOtherUsers(fullexecpath)
+	}
+
+	app := &App{
+		flags: &flags,
+	}
+
 	svcConfig := &service.Config{
 		Name:             "dnscrypt-proxy",
 		DisplayName:      "DNSCrypt client proxy",
 		Description:      "Encrypted/authenticated DNS proxy",
 		WorkingDirectory: pwd,
+		Arguments:        []string{"-config", *flags.ConfigFile},
 	}
-	svcFlag := flag.String("service", "", fmt.Sprintf("Control the system service: %q", service.ControlAction))
-	app := &App{}
 	svc, err := service.New(app, svcConfig)
 	if err != nil {
 		svc = nil
 		dlog.Debug(err)
 	}
+
 	app.proxy = NewProxy()
 	_ = ServiceManagerStartNotify()
-	if err := ConfigLoad(&app.proxy, svcFlag); err != nil {
-		dlog.Fatal(err)
-	}
-	dlog.Noticef("dnscrypt-proxy %s", AppVersion)
-
 	if len(*svcFlag) != 0 {
 		if svc == nil {
 			dlog.Fatal("Built-in service installation is not supported on this platform")
@ -78,7 +110,7 @@ func main() {
 		return
 	}
 	if svc != nil {
-		if err = svc.Run(); err != nil {
+		if err := svc.Run(); err != nil {
 			dlog.Fatal(err)
 		}
 	} else {
@ -87,34 +119,38 @@ func main() {
 }

 func (app *App) Start(service service.Service) error {
-	proxy := &app.proxy
-	if err := InitPluginsGlobals(&proxy.pluginsGlobals, proxy); err != nil {
+	if service != nil {
+		go func() {
+			app.AppMain()
+		}()
+	} else {
+		app.AppMain()
+	}
+	return nil
+}
+
+func (app *App) AppMain() {
+	if err := ConfigLoad(app.proxy, app.flags); err != nil {
+		dlog.Fatal(err)
+	}
+	if err := PidFileCreate(); err != nil {
+		dlog.Errorf("Unable to create the PID file: [%v]", err)
+	}
+	if err := app.proxy.InitPluginsGlobals(); err != nil {
 		dlog.Fatal(err)
 	}
 	app.quit = make(chan struct{})
 	app.wg.Add(1)
-	if service != nil {
-		go func() {
-			app.AppMain(proxy)
-		}()
-	} else {
-		app.AppMain(proxy)
-	}
-	return nil
-}
-
-func (app *App) AppMain(proxy *Proxy) {
-	pidfile.Write()
-	proxy.StartProxy()
+	app.proxy.StartProxy()
+	runtime.GC()
 	<-app.quit
 	dlog.Notice("Quit signal received...")
 	app.wg.Done()
-
 }

 func (app *App) Stop(service service.Service) error {
-	if pidFilePath := pidfile.GetPidfilePath(); len(pidFilePath) > 1 {
-		os.Remove(pidFilePath)
+	if err := PidFileRemove(); err != nil {
+		dlog.Warnf("Failed to remove the PID file: [%v]", err)
 	}
 	dlog.Notice("Stopped.")
 	return nil
--- a/dnscrypt-proxy/netprobe_others.go
+++ b/dnscrypt-proxy/netprobe_others.go
@ -1,19 +1,26 @@
+//go:build !windows
 // +build !windows

 package main

 import (
-	"errors"
 	"net"
 	"time"

 	"github.com/jedisct1/dlog"
 )

-func NetProbe(address string, timeout int) error {
-	if len(address) <= 0 || timeout <= 0 {
+func NetProbe(proxy *Proxy, address string, timeout int) error {
+	if len(address) <= 0 || timeout == 0 {
 		return nil
 	}
+	if captivePortalHandler, err := ColdStart(proxy); err == nil {
+		if captivePortalHandler != nil {
+			defer captivePortalHandler.Stop()
+		}
+	} else {
+		dlog.Critical(err)
+	}
 	remoteUDPAddr, err := net.ResolveUDPAddr("udp", address)
 	if err != nil {
 		return err
@ -22,7 +29,7 @@ func NetProbe(address string, timeout int) error {
 	if timeout < 0 {
 		timeout = MaxTimeout
 	} else {
-		timeout = Max(MaxTimeout, timeout)
+		timeout = Min(MaxTimeout, timeout)
 	}
 	for tries := timeout; tries > 0; tries-- {
 		pc, err := net.DialUDP("udp", nil, remoteUDPAddr)
@ -39,7 +46,6 @@ func NetProbe(address string, timeout int) error {
 		dlog.Notice("Network connectivity detected")
 		return nil
 	}
-	es := "Timeout while waiting for network connectivity"
-	dlog.Error(es)
-	return errors.New(es)
+	dlog.Error("Timeout while waiting for network connectivity")
+	return nil
 }
--- a/dnscrypt-proxy/netprobe_windows.go
+++ b/dnscrypt-proxy/netprobe_windows.go
@ -1,17 +1,23 @@
 package main

 import (
-	"errors"
 	"net"
- 	"time"
+	"time"

 	"github.com/jedisct1/dlog"
 )

-func NetProbe(address string, timeout int) error {
-	if len(address) <= 0 || timeout <= 0 {
+func NetProbe(proxy *Proxy, address string, timeout int) error {
+	if len(address) <= 0 || timeout == 0 {
 		return nil
 	}
+	if captivePortalHandler, err := ColdStart(proxy); err == nil {
+		if captivePortalHandler != nil {
+			defer captivePortalHandler.Stop()
+		}
+	} else {
+		dlog.Critical(err)
+	}
 	remoteUDPAddr, err := net.ResolveUDPAddr("udp", address)
 	if err != nil {
 		return err
@ -20,14 +26,15 @@ func NetProbe(address string, timeout int) error {
 	if timeout < 0 {
 		timeout = MaxTimeout
 	} else {
-		timeout = Max(MaxTimeout, timeout)
+		timeout = Min(MaxTimeout, timeout)
 	}
 	for tries := timeout; tries > 0; tries-- {
 		pc, err := net.DialUDP("udp", nil, remoteUDPAddr)
 		if err == nil {
 			// Write at least 1 byte. This ensures that sockets are ready to use for writing.
-			// Windows specific: during the system startup, sockets can be created but the underlying buffers may not be setup yet. If this is the case
-			// Write fails with WSAENOBUFS: "An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full"
+			// Windows specific: during the system startup, sockets can be created but the underlying buffers may not be
+			// setup yet. If this is the case Write fails with WSAENOBUFS: "An operation on a socket could not be
+			// performed because the system lacked sufficient buffer space or because a queue was full"
 			_, err = pc.Write([]byte{0})
 		}
 		if err != nil {
@ -43,7 +50,6 @@ func NetProbe(address string, timeout int) error {
 		dlog.Notice("Network connectivity detected")
 		return nil
 	}
-	es := "Timeout while waiting for network connectivity"
-	dlog.Error(es)
-	return errors.New(es)
+	dlog.Error("Timeout while waiting for network connectivity")
+	return nil
 }
--- a/dnscrypt-proxy/oblivious_doh.go
+++ b/dnscrypt-proxy/oblivious_doh.go
@ -0,0 +1,191 @@
+package main
+
+import (
+	"crypto/subtle"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/jedisct1/dlog"
+	hpkecompact "github.com/jedisct1/go-hpke-compact"
+)
+
+const (
+	odohVersion     = uint16(0x0001)
+	odohTestVersion = uint16(0xff06)
+	maxODoHConfigs  = 10
+)
+
+type ODoHTargetConfig struct {
+	suite     *hpkecompact.Suite
+	keyID     []byte
+	publicKey []byte
+}
+
+func encodeLengthValue(b []byte) []byte {
+	lengthBuffer := make([]byte, 2)
+	binary.BigEndian.PutUint16(lengthBuffer, uint16(len(b)))
+	return append(lengthBuffer, b...)
+}
+
+func parseODoHTargetConfig(config []byte) (ODoHTargetConfig, error) {
+	if len(config) < 8 {
+		return ODoHTargetConfig{}, fmt.Errorf("Malformed config")
+	}
+	kemID := binary.BigEndian.Uint16(config[0:2])
+	kdfID := binary.BigEndian.Uint16(config[2:4])
+	aeadID := binary.BigEndian.Uint16(config[4:6])
+	publicKeyLength := binary.BigEndian.Uint16(config[6:8])
+	publicKey := config[8:]
+	if len(publicKey) != int(publicKeyLength) {
+		return ODoHTargetConfig{}, fmt.Errorf("Malformed config")
+	}
+
+	suite, err := hpkecompact.NewSuite(hpkecompact.KemID(kemID), hpkecompact.KdfID(kdfID), hpkecompact.AeadID(aeadID))
+	if err != nil {
+		return ODoHTargetConfig{}, err
+	}
+
+	_, _, err = suite.NewClientContext(publicKey, []byte("odoh query"), nil)
+	if err != nil {
+		return ODoHTargetConfig{}, err
+	}
+
+	keyID, err := suite.Expand(suite.Extract(config, nil), []byte("odoh key id"), uint16(suite.Hash().Size()))
+	if err != nil {
+		return ODoHTargetConfig{}, err
+	}
+
+	return ODoHTargetConfig{
+		suite:     suite,
+		publicKey: publicKey,
+		keyID:     encodeLengthValue(keyID),
+	}, nil
+}
+
+func parseODoHTargetConfigs(configs []byte) ([]ODoHTargetConfig, error) {
+	if len(configs) <= 2 {
+		return nil, fmt.Errorf("Server didn't return any ODoH configurations")
+	}
+	length := binary.BigEndian.Uint16(configs)
+	if len(configs) != int(length)+2 {
+		return nil, fmt.Errorf("Malformed configs")
+	}
+
+	targets := make([]ODoHTargetConfig, 0)
+	offset := 2
+	for {
+		if offset+4 > len(configs) || len(targets) >= maxODoHConfigs {
+			break
+		}
+		configVersion := binary.BigEndian.Uint16(configs[offset : offset+2])
+		configLength := binary.BigEndian.Uint16(configs[offset+2 : offset+4])
+		if configVersion == odohVersion || configVersion == odohTestVersion {
+			if configVersion != odohVersion {
+				dlog.Debugf("Server still uses the legacy 0x%x ODoH version", configVersion)
+			}
+			target, err := parseODoHTargetConfig(configs[offset+4 : offset+4+int(configLength)])
+			if err == nil {
+				targets = append(targets, target)
+			}
+		}
+		offset = offset + int(configLength) + 4
+	}
+	return targets, nil
+}
+
+type ODoHQuery struct {
+	suite         *hpkecompact.Suite
+	ctx           hpkecompact.ClientContext
+	odohPlaintext []byte
+	odohMessage   []byte
+}
+
+func (t ODoHTargetConfig) encryptQuery(query []byte) (ODoHQuery, error) {
+	clientCtx, encryptedSharedSecret, err := t.suite.NewClientContext(t.publicKey, []byte("odoh query"), nil)
+	if err != nil {
+		return ODoHQuery{}, err
+	}
+
+	odohPlaintext := make([]byte, 4+len(query))
+	binary.BigEndian.PutUint16(odohPlaintext[0:2], uint16(len(query)))
+	copy(odohPlaintext[2:], query)
+
+	aad := append([]byte{0x01}, t.keyID...)
+	ciphertext, err := clientCtx.EncryptToServer(odohPlaintext, aad)
+	if err != nil {
+		return ODoHQuery{}, err
+	}
+
+	encryptedMessage := encodeLengthValue(append(encryptedSharedSecret, ciphertext...))
+	odohMessage := append(append([]byte{0x01}, t.keyID...), encryptedMessage...)
+
+	return ODoHQuery{
+		suite:         t.suite,
+		odohPlaintext: odohPlaintext,
+		odohMessage:   odohMessage,
+		ctx:           clientCtx,
+	}, nil
+}
+
+func (q ODoHQuery) decryptResponse(response []byte) ([]byte, error) {
+	if len(response) < 3 {
+		return nil, fmt.Errorf("Malformed response")
+	}
+
+	messageType := response[0]
+	if messageType != uint8(0x02) {
+		return nil, fmt.Errorf("Malformed response")
+	}
+
+	responseNonceLength := binary.BigEndian.Uint16(response[1:3])
+	if len(response) < 5+int(responseNonceLength) {
+		return nil, fmt.Errorf("Malformed response")
+	}
+
+	responseNonceEnc := response[1 : 3+responseNonceLength]
+
+	secret, err := q.ctx.Export([]byte("odoh response"), q.suite.KeyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	salt := append(q.odohPlaintext, responseNonceEnc...)
+	prk := q.suite.Extract(secret, salt)
+	key, err := q.suite.Expand(prk, []byte("odoh key"), q.suite.KeyBytes)
+	if err != nil {
+		return nil, err
+	}
+	nonce, err := q.suite.Expand(prk, []byte("odoh nonce"), q.suite.NonceBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	cipher, err := q.suite.NewRawCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	ctLength := binary.BigEndian.Uint16(response[3+int(responseNonceLength) : 5+int(responseNonceLength)])
+	if int(ctLength) != len(response[5+int(responseNonceLength):]) {
+		return nil, fmt.Errorf("Malformed response")
+	}
+
+	ct := response[5+int(responseNonceLength):]
+	aad := response[0 : 3+int(responseNonceLength)]
+
+	responsePlaintext, err := cipher.Open(nil, nonce, ct, aad)
+	if err != nil {
+		return nil, err
+	}
+
+	responseLength := binary.BigEndian.Uint16(responsePlaintext[0:2])
+	valid := 1
+	for i := 4 + int(responseLength); i < len(responsePlaintext); i++ {
+		valid &= subtle.ConstantTimeByteEq(response[i], 0x00)
+	}
+	if valid != 1 {
+		return nil, fmt.Errorf("Malformed response")
+	}
+
+	return responsePlaintext[2 : 2+int(responseLength)], nil
+}
--- a/dnscrypt-proxy/pattern_matcher.go
+++ b/dnscrypt-proxy/pattern_matcher.go
@ -30,7 +30,7 @@ type PatternMatcher struct {
 	indirectVals      map[string]interface{}
 }

-func NewPatternPatcher() *PatternMatcher {
+func NewPatternMatcher() *PatternMatcher {
 	patternMatcher := PatternMatcher{
 		blockedPrefixes: critbitgo.NewTrie(),
 		blockedSuffixes: critbitgo.NewTrie(),
@ -51,7 +51,7 @@ func isGlobCandidate(str string) bool {
 	return false
 }

-func (patternMatcher *PatternMatcher) Add(pattern string, val interface{}, position int) (PatternType, error) {
+func (patternMatcher *PatternMatcher) Add(pattern string, val interface{}, position int) error {
 	leadingStar := strings.HasPrefix(pattern, "*")
 	trailingStar := strings.HasSuffix(pattern, "*")
 	exact := strings.HasPrefix(pattern, "=")
@ -60,24 +60,24 @@ func (patternMatcher *PatternMatcher) Add(pattern string, val interface{}, posit
 		patternType = PatternTypePattern
 		_, err := filepath.Match(pattern, "example.com")
 		if len(pattern) < 2 || err != nil {
-			return patternType, fmt.Errorf("Syntax error in block rules at pattern %d", position)
+			return fmt.Errorf("Syntax error in block rules at pattern %d", position)
 		}
 	} else if leadingStar && trailingStar {
 		patternType = PatternTypeSubstring
 		if len(pattern) < 3 {
-			return patternType, fmt.Errorf("Syntax error in block rules at pattern %d", position)
+			return fmt.Errorf("Syntax error in block rules at pattern %d", position)
 		}
 		pattern = pattern[1 : len(pattern)-1]
 	} else if trailingStar {
 		patternType = PatternTypePrefix
 		if len(pattern) < 2 {
-			return patternType, fmt.Errorf("Syntax error in block rules at pattern %d", position)
+			return fmt.Errorf("Syntax error in block rules at pattern %d", position)
 		}
 		pattern = pattern[:len(pattern)-1]
 	} else if exact {
 		patternType = PatternTypeExact
 		if len(pattern) < 2 {
-			return patternType, fmt.Errorf("Syntax error in block rules at pattern %d", position)
+			return fmt.Errorf("Syntax error in block rules at pattern %d", position)
 		}
 		pattern = pattern[1:]
 	} else {
@ -112,7 +112,7 @@ func (patternMatcher *PatternMatcher) Add(pattern string, val interface{}, posit
 	default:
 		dlog.Fatal("Unexpected block type")
 	}
-	return patternType, nil
+	return nil
 }

 func (patternMatcher *PatternMatcher) Eval(qName string) (reject bool, reason string, val interface{}) {
@ -120,9 +120,13 @@ func (patternMatcher *PatternMatcher) Eval(qName string) (reject bool, reason st
 		return false, "", nil
 	}

+	if xval := patternMatcher.blockedExact[qName]; xval != nil {
+		return true, qName, xval
+	}
+
 	revQname := StringReverse(qName)
 	if match, xval, found := patternMatcher.blockedSuffixes.LongestPrefix([]byte(revQname)); found {
-		if len(match) == len(qName) || revQname[len(match)] == '.' {
+		if len(match) == len(revQname) || revQname[len(match)] == '.' {
 			return true, "*." + StringReverse(string(match)), xval
 		}
 		if len(match) < len(revQname) && len(revQname) > 0 {
@ -153,9 +157,5 @@ func (patternMatcher *PatternMatcher) Eval(qName string) (reject bool, reason st
 		}
 	}

-	if xval := patternMatcher.blockedExact[qName]; xval != nil {
-		return true, qName, xval
-	}
-
 	return false, "", nil
 }
--- a/dnscrypt-proxy/pidfile.go
+++ b/dnscrypt-proxy/pidfile.go
@ -0,0 +1,29 @@
+package main
+
+import (
+	"flag"
+	"os"
+	"path/filepath"
+	"strconv"
+
+	"github.com/dchest/safefile"
+)
+
+var pidFile = flag.String("pidfile", "", "Store the PID into a file")
+
+func PidFileCreate() error {
+	if pidFile == nil || len(*pidFile) == 0 {
+		return nil
+	}
+	if err := os.MkdirAll(filepath.Dir(*pidFile), 0o755); err != nil {
+		return err
+	}
+	return safefile.WriteFile(*pidFile, []byte(strconv.Itoa(os.Getpid())), 0o644)
+}
+
+func PidFileRemove() error {
+	if pidFile == nil || len(*pidFile) == 0 {
+		return nil
+	}
+	return os.Remove(*pidFile)
+}
--- a/dnscrypt-proxy/plugin_allow_ip.go
+++ b/dnscrypt-proxy/plugin_allow_ip.go
@ -0,0 +1,157 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"strings"
+	"time"
+
+	iradix "github.com/hashicorp/go-immutable-radix"
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type PluginAllowedIP struct {
+	allowedPrefixes *iradix.Tree
+	allowedIPs      map[string]interface{}
+	logger          io.Writer
+	format          string
+}
+
+func (plugin *PluginAllowedIP) Name() string {
+	return "allow_ip"
+}
+
+func (plugin *PluginAllowedIP) Description() string {
+	return "Allows DNS queries containing specific IP addresses"
+}
+
+func (plugin *PluginAllowedIP) Init(proxy *Proxy) error {
+	dlog.Noticef("Loading the set of allowed IP rules from [%s]", proxy.allowedIPFile)
+	lines, err := ReadTextFile(proxy.allowedIPFile)
+	if err != nil {
+		return err
+	}
+	plugin.allowedPrefixes = iradix.New()
+	plugin.allowedIPs = make(map[string]interface{})
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
+			continue
+		}
+		ip := net.ParseIP(line)
+		trailingStar := strings.HasSuffix(line, "*")
+		if len(line) < 2 || (ip != nil && trailingStar) {
+			dlog.Errorf("Suspicious allowed IP rule [%s] at line %d", line, lineNo)
+			continue
+		}
+		if trailingStar {
+			line = line[:len(line)-1]
+		}
+		if strings.HasSuffix(line, ":") || strings.HasSuffix(line, ".") {
+			line = line[:len(line)-1]
+		}
+		if len(line) == 0 {
+			dlog.Errorf("Empty allowed IP rule at line %d", lineNo)
+			continue
+		}
+		if strings.Contains(line, "*") {
+			dlog.Errorf("Invalid rule: [%s] - wildcards can only be used as a suffix at line %d", line, lineNo)
+			continue
+		}
+		line = strings.ToLower(line)
+		if trailingStar {
+			plugin.allowedPrefixes, _, _ = plugin.allowedPrefixes.Insert([]byte(line), 0)
+		} else {
+			plugin.allowedIPs[line] = true
+		}
+	}
+	if len(proxy.allowedIPLogFile) == 0 {
+		return nil
+	}
+	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.allowedIPLogFile)
+	plugin.format = proxy.allowedIPFormat
+
+	return nil
+}
+
+func (plugin *PluginAllowedIP) Drop() error {
+	return nil
+}
+
+func (plugin *PluginAllowedIP) Reload() error {
+	return nil
+}
+
+func (plugin *PluginAllowedIP) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	answers := msg.Answer
+	if len(answers) == 0 {
+		return nil
+	}
+	allowed, reason, ipStr := false, "", ""
+	for _, answer := range answers {
+		header := answer.Header()
+		Rrtype := header.Rrtype
+		if header.Class != dns.ClassINET || (Rrtype != dns.TypeA && Rrtype != dns.TypeAAAA) {
+			continue
+		}
+		if Rrtype == dns.TypeA {
+			ipStr = answer.(*dns.A).A.String()
+		} else if Rrtype == dns.TypeAAAA {
+			ipStr = answer.(*dns.AAAA).AAAA.String() // IPv4-mapped IPv6 addresses are converted to IPv4
+		}
+		if _, found := plugin.allowedIPs[ipStr]; found {
+			allowed, reason = true, ipStr
+			break
+		}
+		match, _, found := plugin.allowedPrefixes.Root().LongestPrefix([]byte(ipStr))
+		if found {
+			if len(match) == len(ipStr) || (ipStr[len(match)] == '.' || ipStr[len(match)] == ':') {
+				allowed, reason = true, string(match)+"*"
+				break
+			}
+		}
+	}
+	if allowed {
+		pluginsState.sessionData["whitelisted"] = true
+		if plugin.logger != nil {
+			qName := pluginsState.qName
+			var clientIPStr string
+			switch pluginsState.clientProto {
+			case "udp":
+				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+			case "tcp", "local_doh":
+				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
+			}
+			var line string
+			if plugin.format == "tsv" {
+				now := time.Now()
+				year, month, day := now.Date()
+				hour, minute, second := now.Clock()
+				tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
+				line = fmt.Sprintf(
+					"%s\t%s\t%s\t%s\t%s\n",
+					tsStr,
+					clientIPStr,
+					StringQuote(qName),
+					StringQuote(ipStr),
+					StringQuote(reason),
+				)
+			} else if plugin.format == "ltsv" {
+				line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tip:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(ipStr), StringQuote(reason))
+			} else {
+				dlog.Fatalf("Unexpected log format: [%s]", plugin.format)
+			}
+			if plugin.logger == nil {
+				return errors.New("Log file not initialized")
+			}
+			_, _ = plugin.logger.Write([]byte(line))
+		}
+	}
+	return nil
+}
--- a/dnscrypt-proxy/plugin_allow_name.go
+++ b/dnscrypt-proxy/plugin_allow_name.go
@ -0,0 +1,127 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type PluginAllowName struct {
+	allWeeklyRanges *map[string]WeeklyRanges
+	patternMatcher  *PatternMatcher
+	logger          io.Writer
+	format          string
+}
+
+func (plugin *PluginAllowName) Name() string {
+	return "allow_name"
+}
+
+func (plugin *PluginAllowName) Description() string {
+	return "Allow names matching patterns"
+}
+
+func (plugin *PluginAllowName) Init(proxy *Proxy) error {
+	dlog.Noticef("Loading the set of allowed names from [%s]", proxy.allowNameFile)
+	lines, err := ReadTextFile(proxy.allowNameFile)
+	if err != nil {
+		return err
+	}
+	plugin.allWeeklyRanges = proxy.allWeeklyRanges
+	plugin.patternMatcher = NewPatternMatcher()
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
+			continue
+		}
+		parts := strings.Split(line, "@")
+		timeRangeName := ""
+		if len(parts) == 2 {
+			line = strings.TrimSpace(parts[0])
+			timeRangeName = strings.TrimSpace(parts[1])
+		} else if len(parts) > 2 {
+			dlog.Errorf("Syntax error in allowed names at line %d -- Unexpected @ character", 1+lineNo)
+			continue
+		}
+		var weeklyRanges *WeeklyRanges
+		if len(timeRangeName) > 0 {
+			weeklyRangesX, ok := (*plugin.allWeeklyRanges)[timeRangeName]
+			if !ok {
+				dlog.Errorf("Time range [%s] not found at line %d", timeRangeName, 1+lineNo)
+			} else {
+				weeklyRanges = &weeklyRangesX
+			}
+		}
+		if err := plugin.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil {
+			dlog.Error(err)
+			continue
+		}
+	}
+	if len(proxy.allowNameLogFile) == 0 {
+		return nil
+	}
+	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.allowNameLogFile)
+	plugin.format = proxy.allowNameFormat
+
+	return nil
+}
+
+func (plugin *PluginAllowName) Drop() error {
+	return nil
+}
+
+func (plugin *PluginAllowName) Reload() error {
+	return nil
+}
+
+func (plugin *PluginAllowName) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	qName := pluginsState.qName
+	allowList, reason, xweeklyRanges := plugin.patternMatcher.Eval(qName)
+	var weeklyRanges *WeeklyRanges
+	if xweeklyRanges != nil {
+		weeklyRanges = xweeklyRanges.(*WeeklyRanges)
+	}
+	if allowList {
+		if weeklyRanges != nil && !weeklyRanges.Match() {
+			allowList = false
+		}
+	}
+	if allowList {
+		pluginsState.sessionData["whitelisted"] = true
+		if plugin.logger != nil {
+			var clientIPStr string
+			switch pluginsState.clientProto {
+			case "udp":
+				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+			case "tcp", "local_doh":
+				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
+			}
+			var line string
+			if plugin.format == "tsv" {
+				now := time.Now()
+				year, month, day := now.Date()
+				hour, minute, second := now.Clock()
+				tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
+				line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
+			} else if plugin.format == "ltsv" {
+				line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
+			} else {
+				dlog.Fatalf("Unexpected log format: [%s]", plugin.format)
+			}
+			if plugin.logger == nil {
+				return errors.New("Log file not initialized")
+			}
+			_, _ = plugin.logger.Write([]byte(line))
+		}
+	}
+	return nil
+}
--- a/dnscrypt-proxy/plugin_block_ip.go
+++ b/dnscrypt-proxy/plugin_block_ip.go
@ -3,21 +3,20 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"strings"
 	"time"
-	"unicode"

-	"github.com/hashicorp/go-immutable-radix"
+	iradix "github.com/hashicorp/go-immutable-radix"
 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
-	"gopkg.in/natefinch/lumberjack.v2"
 )

 type PluginBlockIP struct {
 	blockedPrefixes *iradix.Tree
 	blockedIPs      map[string]interface{}
-	logger          *lumberjack.Logger
+	logger          io.Writer
 	format          string
 }

@ -31,15 +30,15 @@ func (plugin *PluginBlockIP) Description() string {

 func (plugin *PluginBlockIP) Init(proxy *Proxy) error {
 	dlog.Noticef("Loading the set of IP blocking rules from [%s]", proxy.blockIPFile)
-	bin, err := ReadTextFile(proxy.blockIPFile)
+	lines, err := ReadTextFile(proxy.blockIPFile)
 	if err != nil {
 		return err
 	}
 	plugin.blockedPrefixes = iradix.New()
 	plugin.blockedIPs = make(map[string]interface{})
-	for lineNo, line := range strings.Split(string(bin), "\n") {
-		line = strings.TrimFunc(line, unicode.IsSpace)
-		if len(line) == 0 || strings.HasPrefix(line, "#") {
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
 			continue
 		}
 		ip := net.ParseIP(line)
@ -72,7 +71,7 @@ func (plugin *PluginBlockIP) Init(proxy *Proxy) error {
 	if len(proxy.blockIPLogFile) == 0 {
 		return nil
 	}
-	plugin.logger = &lumberjack.Logger{LocalTime: true, MaxSize: proxy.logMaxSize, MaxAge: proxy.logMaxAge, MaxBackups: proxy.logMaxBackups, Filename: proxy.blockIPLogFile, Compress: true}
+	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.blockIPLogFile)
 	plugin.format = proxy.blockIPFormat

 	return nil
@ -122,19 +121,16 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 		pluginsState.action = PluginsActionReject
 		pluginsState.returnCode = PluginsReturnCodeReject
 		if plugin.logger != nil {
-			questions := msg.Question
-			if len(questions) != 1 {
-				return nil
-			}
-			qName := strings.ToLower(StripTrailingDot(questions[0].Name))
-			if len(qName) < 2 {
-				return nil
-			}
+			qName := pluginsState.qName
 			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
+			switch pluginsState.clientProto {
+			case "udp":
 				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
+			case "tcp", "local_doh":
 				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+			default:
+				// Ignore internal flow.
+				return nil
 			}
 			var line string
 			if plugin.format == "tsv" {
@ -142,7 +138,14 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 				year, month, day := now.Date()
 				hour, minute, second := now.Clock()
 				tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
-				line = fmt.Sprintf("%s\t%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(ipStr), StringQuote(reason))
+				line = fmt.Sprintf(
+					"%s\t%s\t%s\t%s\t%s\n",
+					tsStr,
+					clientIPStr,
+					StringQuote(qName),
+					StringQuote(ipStr),
+					StringQuote(reason),
+				)
 			} else if plugin.format == "ltsv" {
 				line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tip:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(ipStr), StringQuote(reason))
 			} else {
@ -151,7 +154,7 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 			if plugin.logger == nil {
 				return errors.New("Log file not initialized")
 			}
-			plugin.logger.Write([]byte(line))
+			_, _ = plugin.logger.Write([]byte(line))
 		}
 	}
 	return nil
--- a/dnscrypt-proxy/plugin_block_ipv6.go
+++ b/dnscrypt-proxy/plugin_block_ipv6.go
@ -29,23 +29,18 @@ func (plugin *PluginBlockIPv6) Reload() error {
 }

 func (plugin *PluginBlockIPv6) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	questions := msg.Question
-	if len(questions) != 1 {
-		return nil
-	}
-	question := questions[0]
+	question := msg.Question[0]
 	if question.Qclass != dns.ClassINET || question.Qtype != dns.TypeAAAA {
 		return nil
 	}
-	synth, err := EmptyResponseFromMessage(msg)
-	if err != nil {
-		return err
-	}
+	synth := EmptyResponseFromMessage(msg)
 	hinfo := new(dns.HINFO)
-	hinfo.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeHINFO,
-		Class: dns.ClassINET, Ttl: 86400}
+	hinfo.Hdr = dns.RR_Header{
+		Name: question.Name, Rrtype: dns.TypeHINFO,
+		Class: dns.ClassINET, Ttl: 86400,
+	}
 	hinfo.Cpu = "AAAA queries have been locally blocked by dnscrypt-proxy"
-	hinfo.Os = "Set block_ipv6 to false to disable this feature"
+	hinfo.Os = "Set block_ipv6 to false to disable that feature"
 	synth.Answer = []dns.RR{hinfo}
 	qName := question.Name
 	i := strings.Index(qName, ".")
@ -61,8 +56,10 @@ func (plugin *PluginBlockIPv6) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 	soa.Minttl = 2400
 	soa.Expire = 604800
 	soa.Retry = 300
-	soa.Hdr = dns.RR_Header{Name: parentZone, Rrtype: dns.TypeSOA,
-		Class: dns.ClassINET, Ttl: 60}
+	soa.Hdr = dns.RR_Header{
+		Name: parentZone, Rrtype: dns.TypeSOA,
+		Class: dns.ClassINET, Ttl: 60,
+	}
 	synth.Ns = []dns.RR{soa}
 	pluginsState.synthResponse = synth
 	pluginsState.action = PluginsActionSynth
--- a/dnscrypt-proxy/plugin_block_name.go
+++ b/dnscrypt-proxy/plugin_block_name.go
@ -3,23 +3,80 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"strings"
 	"time"
-	"unicode"

 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
-	lumberjack "gopkg.in/natefinch/lumberjack.v2"
 )

-type PluginBlockName struct {
+type BlockedNames struct {
 	allWeeklyRanges *map[string]WeeklyRanges
 	patternMatcher  *PatternMatcher
-	logger          *lumberjack.Logger
+	logger          io.Writer
 	format          string
 }

+const aliasesLimit = 8
+
+var blockedNames *BlockedNames
+
+func (blockedNames *BlockedNames) check(pluginsState *PluginsState, qName string, aliasFor *string) (bool, error) {
+	reject, reason, xweeklyRanges := blockedNames.patternMatcher.Eval(qName)
+	if aliasFor != nil {
+		reason = reason + " (alias for [" + *aliasFor + "])"
+	}
+	var weeklyRanges *WeeklyRanges
+	if xweeklyRanges != nil {
+		weeklyRanges = xweeklyRanges.(*WeeklyRanges)
+	}
+	if reject {
+		if weeklyRanges != nil && !weeklyRanges.Match() {
+			reject = false
+		}
+	}
+	if !reject {
+		return false, nil
+	}
+	pluginsState.action = PluginsActionReject
+	pluginsState.returnCode = PluginsReturnCodeReject
+	if blockedNames.logger != nil {
+		var clientIPStr string
+		switch pluginsState.clientProto {
+		case "udp":
+			clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+		case "tcp", "local_doh":
+			clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+		default:
+			// Ignore internal flow.
+			return false, nil
+		}
+		var line string
+		if blockedNames.format == "tsv" {
+			now := time.Now()
+			year, month, day := now.Date()
+			hour, minute, second := now.Clock()
+			tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
+			line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
+		} else if blockedNames.format == "ltsv" {
+			line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
+		} else {
+			dlog.Fatalf("Unexpected log format: [%s]", blockedNames.format)
+		}
+		if blockedNames.logger == nil {
+			return false, errors.New("Log file not initialized")
+		}
+		_, _ = blockedNames.logger.Write([]byte(line))
+	}
+	return true, nil
+}
+
+// ---
+
+type PluginBlockName struct{}
+
 func (plugin *PluginBlockName) Name() string {
 	return "block_name"
 }
@ -30,45 +87,48 @@ func (plugin *PluginBlockName) Description() string {

 func (plugin *PluginBlockName) Init(proxy *Proxy) error {
 	dlog.Noticef("Loading the set of blocking rules from [%s]", proxy.blockNameFile)
-	bin, err := ReadTextFile(proxy.blockNameFile)
+	lines, err := ReadTextFile(proxy.blockNameFile)
 	if err != nil {
 		return err
 	}
-	plugin.allWeeklyRanges = proxy.allWeeklyRanges
-	plugin.patternMatcher = NewPatternPatcher()
-	for lineNo, line := range strings.Split(string(bin), "\n") {
-		line = strings.TrimFunc(line, unicode.IsSpace)
-		if len(line) == 0 || strings.HasPrefix(line, "#") {
+	xBlockedNames := BlockedNames{
+		allWeeklyRanges: proxy.allWeeklyRanges,
+		patternMatcher:  NewPatternMatcher(),
+	}
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
 			continue
 		}
 		parts := strings.Split(line, "@")
 		timeRangeName := ""
 		if len(parts) == 2 {
-			line = strings.TrimFunc(parts[0], unicode.IsSpace)
-			timeRangeName = strings.TrimFunc(parts[1], unicode.IsSpace)
+			line = strings.TrimSpace(parts[0])
+			timeRangeName = strings.TrimSpace(parts[1])
 		} else if len(parts) > 2 {
 			dlog.Errorf("Syntax error in block rules at line %d -- Unexpected @ character", 1+lineNo)
 			continue
 		}
 		var weeklyRanges *WeeklyRanges
 		if len(timeRangeName) > 0 {
-			weeklyRangesX, ok := (*plugin.allWeeklyRanges)[timeRangeName]
+			weeklyRangesX, ok := (*xBlockedNames.allWeeklyRanges)[timeRangeName]
 			if !ok {
 				dlog.Errorf("Time range [%s] not found at line %d", timeRangeName, 1+lineNo)
 			} else {
 				weeklyRanges = &weeklyRangesX
 			}
 		}
-		if _, err := plugin.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil {
+		if err := xBlockedNames.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil {
 			dlog.Error(err)
 			continue
 		}
 	}
+	blockedNames = &xBlockedNames
 	if len(proxy.blockNameLogFile) == 0 {
 		return nil
 	}
-	plugin.logger = &lumberjack.Logger{LocalTime: true, MaxSize: proxy.logMaxSize, MaxAge: proxy.logMaxAge, MaxBackups: proxy.logMaxBackups, Filename: proxy.blockNameLogFile, Compress: true}
-	plugin.format = proxy.blockNameFormat
+	blockedNames.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.blockNameLogFile)
+	blockedNames.format = proxy.blockNameFormat

 	return nil
 }
@ -82,50 +142,69 @@ func (plugin *PluginBlockName) Reload() error {
 }

 func (plugin *PluginBlockName) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	if pluginsState.sessionData["whitelisted"] != nil {
+	if blockedNames == nil || pluginsState.sessionData["whitelisted"] != nil {
 		return nil
 	}
-	questions := msg.Question
-	if len(questions) != 1 {
+	_, err := blockedNames.check(pluginsState, pluginsState.qName, nil)
+	return err
+}
+
+// ---
+
+type PluginBlockNameResponse struct{}
+
+func (plugin *PluginBlockNameResponse) Name() string {
+	return "block_name"
+}
+
+func (plugin *PluginBlockNameResponse) Description() string {
+	return "Block DNS responses matching name patterns"
+}
+
+func (plugin *PluginBlockNameResponse) Init(proxy *Proxy) error {
+	return nil
+}
+
+func (plugin *PluginBlockNameResponse) Drop() error {
+	return nil
+}
+
+func (plugin *PluginBlockNameResponse) Reload() error {
+	return nil
+}
+
+func (plugin *PluginBlockNameResponse) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	if blockedNames == nil || pluginsState.sessionData["whitelisted"] != nil {
 		return nil
 	}
-	qName := strings.ToLower(StripTrailingDot(questions[0].Name))
-	reject, reason, xweeklyRanges := plugin.patternMatcher.Eval(qName)
-	var weeklyRanges *WeeklyRanges
-	if xweeklyRanges != nil {
-		weeklyRanges = xweeklyRanges.(*WeeklyRanges)
-	}
-	if reject {
-		if weeklyRanges != nil && !weeklyRanges.Match() {
-			reject = false
+	aliasFor := pluginsState.qName
+	aliasesLeft := aliasesLimit
+	answers := msg.Answer
+	for _, answer := range answers {
+		header := answer.Header()
+		if header.Class != dns.ClassINET {
+			continue
 		}
-	}
-	if reject {
-		pluginsState.action = PluginsActionReject
-		pluginsState.returnCode = PluginsReturnCodeReject
-		if plugin.logger != nil {
-			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
-				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
-				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-			}
-			var line string
-			if plugin.format == "tsv" {
-				now := time.Now()
-				year, month, day := now.Date()
-				hour, minute, second := now.Clock()
-				tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
-				line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
-			} else if plugin.format == "ltsv" {
-				line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
-			} else {
-				dlog.Fatalf("Unexpected log format: [%s]", plugin.format)
-			}
-			if plugin.logger == nil {
-				return errors.New("Log file not initialized")
-			}
-			plugin.logger.Write([]byte(line))
+		var target string
+		if header.Rrtype == dns.TypeCNAME {
+			target = answer.(*dns.CNAME).Target
+		} else if header.Rrtype == dns.TypeSVCB && answer.(*dns.SVCB).Priority == 0 {
+			target = answer.(*dns.SVCB).Target
+		} else if header.Rrtype == dns.TypeHTTPS && answer.(*dns.HTTPS).Priority == 0 {
+			target = answer.(*dns.HTTPS).Target
+		} else {
+			continue
+		}
+		target, err := NormalizeQName(target)
+		if err != nil {
+			return err
+		}
+		if blocked, err := blockedNames.check(pluginsState, target, &aliasFor); blocked || err != nil {
+			return err
+		}
+		aliasesLeft--
+		if aliasesLeft == 0 {
+			break
 		}
 	}
 	return nil
--- a/dnscrypt-proxy/plugin_block_undelegated.go
+++ b/dnscrypt-proxy/plugin_block_undelegated.go
@ -0,0 +1,202 @@
+package main
+
+import (
+	"github.com/k-sone/critbitgo"
+	"github.com/miekg/dns"
+)
+
+var undelegatedSet = []string{
+	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
+	"0.in-addr.arpa",
+	"1",
+	"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
+	"10.in-addr.arpa",
+	"100.100.in-addr.arpa",
+	"100.51.198.in-addr.arpa",
+	"101.100.in-addr.arpa",
+	"102.100.in-addr.arpa",
+	"103.100.in-addr.arpa",
+	"104.100.in-addr.arpa",
+	"105.100.in-addr.arpa",
+	"106.100.in-addr.arpa",
+	"107.100.in-addr.arpa",
+	"108.100.in-addr.arpa",
+	"109.100.in-addr.arpa",
+	"110.100.in-addr.arpa",
+	"111.100.in-addr.arpa",
+	"112.100.in-addr.arpa",
+	"113.0.203.in-addr.arpa",
+	"113.100.in-addr.arpa",
+	"114.100.in-addr.arpa",
+	"115.100.in-addr.arpa",
+	"116.100.in-addr.arpa",
+	"117.100.in-addr.arpa",
+	"118.100.in-addr.arpa",
+	"119.100.in-addr.arpa",
+	"120.100.in-addr.arpa",
+	"121.100.in-addr.arpa",
+	"122.100.in-addr.arpa",
+	"123.100.in-addr.arpa",
+	"124.100.in-addr.arpa",
+	"125.100.in-addr.arpa",
+	"126.100.in-addr.arpa",
+	"127.100.in-addr.arpa",
+	"127.in-addr.arpa",
+	"16.172.in-addr.arpa",
+	"168.192.in-addr.arpa",
+	"17.172.in-addr.arpa",
+	"18.172.in-addr.arpa",
+	"19.172.in-addr.arpa",
+	"2.0.192.in-addr.arpa",
+	"20.172.in-addr.arpa",
+	"21.172.in-addr.arpa",
+	"22.172.in-addr.arpa",
+	"23.172.in-addr.arpa",
+	"24.172.in-addr.arpa",
+	"25.172.in-addr.arpa",
+	"254.169.in-addr.arpa",
+	"255.255.255.255.in-addr.arpa",
+	"26.172.in-addr.arpa",
+	"27.172.in-addr.arpa",
+	"28.172.in-addr.arpa",
+	"29.172.in-addr.arpa",
+	"30.172.in-addr.arpa",
+	"31.172.in-addr.arpa",
+	"64.100.in-addr.arpa",
+	"65.100.in-addr.arpa",
+	"66.100.in-addr.arpa",
+	"67.100.in-addr.arpa",
+	"68.100.in-addr.arpa",
+	"69.100.in-addr.arpa",
+	"70.100.in-addr.arpa",
+	"71.100.in-addr.arpa",
+	"72.100.in-addr.arpa",
+	"73.100.in-addr.arpa",
+	"74.100.in-addr.arpa",
+	"75.100.in-addr.arpa",
+	"76.100.in-addr.arpa",
+	"77.100.in-addr.arpa",
+	"78.100.in-addr.arpa",
+	"79.100.in-addr.arpa",
+	"8.b.d.0.1.0.0.2.ip6.arpa",
+	"8.e.f.ip6.arpa",
+	"80.100.in-addr.arpa",
+	"81.100.in-addr.arpa",
+	"82.100.in-addr.arpa",
+	"83.100.in-addr.arpa",
+	"84.100.in-addr.arpa",
+	"85.100.in-addr.arpa",
+	"86.100.in-addr.arpa",
+	"87.100.in-addr.arpa",
+	"88.100.in-addr.arpa",
+	"89.100.in-addr.arpa",
+	"9.e.f.ip6.arpa",
+	"90.100.in-addr.arpa",
+	"91.100.in-addr.arpa",
+	"92.100.in-addr.arpa",
+	"93.100.in-addr.arpa",
+	"94.100.in-addr.arpa",
+	"95.100.in-addr.arpa",
+	"96.100.in-addr.arpa",
+	"97.100.in-addr.arpa",
+	"98.100.in-addr.arpa",
+	"99.100.in-addr.arpa",
+	"a.e.f.ip6.arpa",
+	"airdream",
+	"api",
+	"b.e.f.ip6.arpa",
+	"bbrouter",
+	"belkin",
+	"bind",
+	"blinkap",
+	"corp",
+	"d.f.ip6.arpa",
+	"davolink",
+	"dearmyrouter",
+	"dhcp",
+	"dlink",
+	"domain",
+	"envoy",
+	"example",
+	"f.f.ip6.arpa",
+	"fritz.box",
+	"grp",
+	"gw==",
+	"home",
+	"home.arpa",
+	"hub",
+	"internal",
+	"intra",
+	"intranet",
+	"invalid",
+	"ksyun",
+	"lan",
+	"loc",
+	"local",
+	"localdomain",
+	"localhost",
+	"localnet",
+	"mail",
+	"modem",
+	"mynet",
+	"myrouter",
+	"novalocal",
+	"onion",
+	"openstacklocal",
+	"priv",
+	"private",
+	"prv",
+	"router",
+	"telus",
+	"test",
+	"totolink",
+	"wlan_ap",
+	"workgroup",
+	"zghjccbob3n0",
+}
+
+type PluginBlockUndelegated struct {
+	suffixes *critbitgo.Trie
+}
+
+func (plugin *PluginBlockUndelegated) Name() string {
+	return "block_undelegated"
+}
+
+func (plugin *PluginBlockUndelegated) Description() string {
+	return "Block undelegated DNS names"
+}
+
+func (plugin *PluginBlockUndelegated) Init(proxy *Proxy) error {
+	suffixes := critbitgo.NewTrie()
+	for _, line := range undelegatedSet {
+		pattern := StringReverse(line)
+		suffixes.Insert([]byte(pattern), true)
+	}
+	plugin.suffixes = suffixes
+	return nil
+}
+
+func (plugin *PluginBlockUndelegated) Drop() error {
+	return nil
+}
+
+func (plugin *PluginBlockUndelegated) Reload() error {
+	return nil
+}
+
+func (plugin *PluginBlockUndelegated) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	revQname := StringReverse(pluginsState.qName)
+	match, _, found := plugin.suffixes.LongestPrefix([]byte(revQname))
+	if !found {
+		return nil
+	}
+	if len(match) == len(revQname) || revQname[len(match)] == '.' {
+		synth := EmptyResponseFromMessage(msg)
+		synth.Rcode = dns.RcodeNameError
+		pluginsState.synthResponse = synth
+		pluginsState.action = PluginsActionSynth
+		pluginsState.returnCode = PluginsReturnCodeSynth
+	}
+	return nil
+}
--- a/dnscrypt-proxy/plugin_block_unqualified.go
+++ b/dnscrypt-proxy/plugin_block_unqualified.go
@ -0,0 +1,46 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+type PluginBlockUnqualified struct{}
+
+func (plugin *PluginBlockUnqualified) Name() string {
+	return "block_unqualified"
+}
+
+func (plugin *PluginBlockUnqualified) Description() string {
+	return "Block unqualified DNS names"
+}
+
+func (plugin *PluginBlockUnqualified) Init(proxy *Proxy) error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Drop() error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Reload() error {
+	return nil
+}
+
+func (plugin *PluginBlockUnqualified) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	question := msg.Question[0]
+	if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA) {
+		return nil
+	}
+	if strings.IndexByte(pluginsState.qName, '.') >= 0 {
+		return nil
+	}
+	synth := EmptyResponseFromMessage(msg)
+	synth.Rcode = dns.RcodeNameError
+	pluginsState.synthResponse = synth
+	pluginsState.action = PluginsActionSynth
+	pluginsState.returnCode = PluginsReturnCodeSynth
+
+	return nil
+}
--- a/dnscrypt-proxy/plugin_cache.go
+++ b/dnscrypt-proxy/plugin_cache.go
@ -3,14 +3,15 @@ package main
 import (
 	"crypto/sha512"
 	"encoding/binary"
-	"errors"
 	"sync"
 	"time"

-	lru "github.com/hashicorp/golang-lru"
 	"github.com/miekg/dns"
+	sieve "github.com/opencoff/go-sieve"
 )

+const StaleResponseTTL = 30 * time.Second
+
 type CachedResponse struct {
 	expiration time.Time
 	msg        dns.Msg
@ -18,69 +19,33 @@ type CachedResponse struct {

 type CachedResponses struct {
 	sync.RWMutex
-	cache *lru.ARCCache
+	cache *sieve.Sieve[[32]byte, CachedResponse]
 }

 var cachedResponses CachedResponses

-type PluginCacheResponse struct {
-	cachedResponses *CachedResponses
-}
-
-func (plugin *PluginCacheResponse) Name() string {
-	return "cache_response"
-}
-
-func (plugin *PluginCacheResponse) Description() string {
-	return "DNS cache (writer)."
-}
-
-func (plugin *PluginCacheResponse) Init(proxy *Proxy) error {
-	return nil
-}
-
-func (plugin *PluginCacheResponse) Drop() error {
-	return nil
-}
-
-func (plugin *PluginCacheResponse) Reload() error {
-	return nil
-}
-
-func (plugin *PluginCacheResponse) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	plugin.cachedResponses = &cachedResponses
-	if msg.Rcode != dns.RcodeSuccess && msg.Rcode != dns.RcodeNameError && msg.Rcode != dns.RcodeNotAuth {
-		return nil
+func computeCacheKey(pluginsState *PluginsState, msg *dns.Msg) [32]byte {
+	question := msg.Question[0]
+	h := sha512.New512_256()
+	var tmp [5]byte
+	binary.LittleEndian.PutUint16(tmp[0:2], question.Qtype)
+	binary.LittleEndian.PutUint16(tmp[2:4], question.Qclass)
+	if pluginsState.dnssec {
+		tmp[4] = 1
 	}
-	if msg.Truncated {
-		return nil
-	}
-	cacheKey, err := computeCacheKey(pluginsState, msg)
-	if err != nil {
-		return err
-	}
-	ttl := getMinTTL(msg, pluginsState.cacheMinTTL, pluginsState.cacheMaxTTL, pluginsState.cacheNegMinTTL, pluginsState.cacheNegMaxTTL)
-	cachedResponse := CachedResponse{
-		expiration: time.Now().Add(ttl),
-		msg:        *msg,
-	}
-	plugin.cachedResponses.Lock()
-	defer plugin.cachedResponses.Unlock()
-	if plugin.cachedResponses.cache == nil {
-		plugin.cachedResponses.cache, err = lru.NewARC(pluginsState.cacheSize)
-		if err != nil {
-			return err
-		}
-	}
-	plugin.cachedResponses.cache.Add(cacheKey, cachedResponse)
-	updateTTL(msg, cachedResponse.expiration)
+	h.Write(tmp[:])
+	normalizedRawQName := []byte(question.Name)
+	NormalizeRawQName(&normalizedRawQName)
+	h.Write(normalizedRawQName)
+	var sum [32]byte
+	h.Sum(sum[:0])

-	return nil
+	return sum
 }

-type PluginCache struct {
-	cachedResponses *CachedResponses
-}
+// ---
+
+type PluginCache struct{}

 func (plugin *PluginCache) Name() string {
 	return "cache"
@ -103,57 +68,97 @@ func (plugin *PluginCache) Reload() error {
 }

 func (plugin *PluginCache) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	plugin.cachedResponses = &cachedResponses
+	cacheKey := computeCacheKey(pluginsState, msg)

-	cacheKey, err := computeCacheKey(pluginsState, msg)
-	if err != nil {
+	cachedResponses.RLock()
+	if cachedResponses.cache == nil {
+		cachedResponses.RUnlock()
 		return nil
 	}
-	plugin.cachedResponses.RLock()
-	defer plugin.cachedResponses.RUnlock()
-	if plugin.cachedResponses.cache == nil {
-		return nil
-	}
-	cachedAny, ok := plugin.cachedResponses.cache.Get(cacheKey)
+	cached, ok := cachedResponses.cache.Get(cacheKey)
 	if !ok {
+		cachedResponses.RUnlock()
 		return nil
 	}
-	cached := cachedAny.(CachedResponse)
-	if time.Now().After(cached.expiration) {
-		return nil
-	}
+	expiration := cached.expiration
+	synth := cached.msg.Copy()
+	cachedResponses.RUnlock()

-	updateTTL(&cached.msg, cached.expiration)
-
-	synth := cached.msg
 	synth.Id = msg.Id
 	synth.Response = true
 	synth.Compress = true
 	synth.Question = msg.Question
-	pluginsState.synthResponse = &synth
+
+	if time.Now().After(expiration) {
+		expiration2 := time.Now().Add(StaleResponseTTL)
+		updateTTL(synth, expiration2)
+		pluginsState.sessionData["stale"] = synth
+		return nil
+	}
+
+	updateTTL(synth, expiration)
+
+	pluginsState.synthResponse = synth
 	pluginsState.action = PluginsActionSynth
 	pluginsState.cacheHit = true
 	return nil
 }

-func computeCacheKey(pluginsState *PluginsState, msg *dns.Msg) ([32]byte, error) {
-	questions := msg.Question
-	if len(questions) != 1 {
-		return [32]byte{}, errors.New("No question present")
-	}
-	question := questions[0]
-	h := sha512.New512_256()
-	var tmp [5]byte
-	binary.LittleEndian.PutUint16(tmp[0:2], question.Qtype)
-	binary.LittleEndian.PutUint16(tmp[2:4], question.Qclass)
-	if pluginsState.dnssec {
-		tmp[4] = 1
-	}
-	h.Write(tmp[:])
-	normalizedName := []byte(question.Name)
-	NormalizeName(&normalizedName)
-	h.Write(normalizedName)
-	var sum [32]byte
-	h.Sum(sum[:0])
-	return sum, nil
+// ---
+
+type PluginCacheResponse struct{}
+
+func (plugin *PluginCacheResponse) Name() string {
+	return "cache_response"
+}
+
+func (plugin *PluginCacheResponse) Description() string {
+	return "DNS cache (writer)."
+}
+
+func (plugin *PluginCacheResponse) Init(proxy *Proxy) error {
+	return nil
+}
+
+func (plugin *PluginCacheResponse) Drop() error {
+	return nil
+}
+
+func (plugin *PluginCacheResponse) Reload() error {
+	return nil
+}
+
+func (plugin *PluginCacheResponse) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	if msg.Rcode != dns.RcodeSuccess && msg.Rcode != dns.RcodeNameError && msg.Rcode != dns.RcodeNotAuth {
+		return nil
+	}
+	if msg.Truncated {
+		return nil
+	}
+	cacheKey := computeCacheKey(pluginsState, msg)
+	ttl := getMinTTL(
+		msg,
+		pluginsState.cacheMinTTL,
+		pluginsState.cacheMaxTTL,
+		pluginsState.cacheNegMinTTL,
+		pluginsState.cacheNegMaxTTL,
+	)
+	cachedResponse := CachedResponse{
+		expiration: time.Now().Add(ttl),
+		msg:        *msg,
+	}
+	cachedResponses.Lock()
+	if cachedResponses.cache == nil {
+		var err error
+		cachedResponses.cache = sieve.New[[32]byte, CachedResponse](pluginsState.cacheSize)
+		if cachedResponses.cache == nil {
+			cachedResponses.Unlock()
+			return err
+		}
+	}
+	cachedResponses.cache.Add(cacheKey, cachedResponse)
+	cachedResponses.Unlock()
+	updateTTL(msg, cachedResponse.expiration)
+
+	return nil
 }
--- a/dnscrypt-proxy/plugin_captive_portal.go
+++ b/dnscrypt-proxy/plugin_captive_portal.go
@ -0,0 +1,44 @@
+package main
+
+import (
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type PluginCaptivePortal struct {
+	captivePortalMap *CaptivePortalMap
+}
+
+func (plugin *PluginCaptivePortal) Name() string {
+	return "captive portal handlers"
+}
+
+func (plugin *PluginCaptivePortal) Description() string {
+	return "Handle test queries operating systems make to detect Wi-Fi captive portal"
+}
+
+func (plugin *PluginCaptivePortal) Init(proxy *Proxy) error {
+	plugin.captivePortalMap = proxy.captivePortalMap
+	dlog.Notice("Captive portals handler enabled")
+	return nil
+}
+
+func (plugin *PluginCaptivePortal) Drop() error {
+	return nil
+}
+
+func (plugin *PluginCaptivePortal) Reload() error {
+	return nil
+}
+
+func (plugin *PluginCaptivePortal) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	question, ips := plugin.captivePortalMap.GetEntry(msg)
+	if ips == nil {
+		return nil
+	}
+	if synth := HandleCaptivePortalQuery(msg, question, ips); synth != nil {
+		pluginsState.synthResponse = synth
+		pluginsState.action = PluginsActionSynth
+	}
+	return nil
+}
--- a/dnscrypt-proxy/plugin_cloak.go
+++ b/dnscrypt-proxy/plugin_cloak.go
@ -19,12 +19,14 @@ type CloakedName struct {
 	lastUpdate *time.Time
 	lineNo     int
 	isIP       bool
+	PTR        []string
 }

 type PluginCloak struct {
 	sync.RWMutex
 	patternMatcher *PatternMatcher
 	ttl            uint32
+	createPTR      bool
 }

 func (plugin *PluginCloak) Name() string {
@ -37,23 +39,24 @@ func (plugin *PluginCloak) Description() string {

 func (plugin *PluginCloak) Init(proxy *Proxy) error {
 	dlog.Noticef("Loading the set of cloaking rules from [%s]", proxy.cloakFile)
-	bin, err := ReadTextFile(proxy.cloakFile)
+	lines, err := ReadTextFile(proxy.cloakFile)
 	if err != nil {
 		return err
 	}
-	plugin.ttl = proxy.cacheMinTTL
-	plugin.patternMatcher = NewPatternPatcher()
+	plugin.ttl = proxy.cloakTTL
+	plugin.createPTR = proxy.cloakedPTR
+	plugin.patternMatcher = NewPatternMatcher()
 	cloakedNames := make(map[string]*CloakedName)
-	for lineNo, line := range strings.Split(string(bin), "\n") {
-		line = strings.TrimFunc(line, unicode.IsSpace)
-		if len(line) == 0 || strings.HasPrefix(line, "#") {
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
 			continue
 		}
 		var target string
 		parts := strings.FieldsFunc(line, unicode.IsSpace)
 		if len(parts) == 2 {
-			line = strings.TrimFunc(parts[0], unicode.IsSpace)
-			target = strings.TrimFunc(parts[1], unicode.IsSpace)
+			line = strings.TrimSpace(parts[0])
+			target = strings.TrimSpace(parts[1])
 		} else if len(parts) > 2 {
 			dlog.Errorf("Syntax error in cloaking rules at line %d -- Unexpected space character", 1+lineNo)
 			continue
@ -67,11 +70,12 @@ func (plugin *PluginCloak) Init(proxy *Proxy) error {
 		if !found {
 			cloakedName = &CloakedName{}
 		}
-		if ip := net.ParseIP(target); ip != nil {
+		ip := net.ParseIP(target)
+		if ip != nil {
 			if ipv4 := ip.To4(); ipv4 != nil {
-				cloakedName.ipv4 = append((*cloakedName).ipv4, ipv4)
+				cloakedName.ipv4 = append(cloakedName.ipv4, ipv4)
 			} else if ipv6 := ip.To16(); ipv6 != nil {
-				cloakedName.ipv6 = append((*cloakedName).ipv6, ipv6)
+				cloakedName.ipv6 = append(cloakedName.ipv6, ipv6)
 			} else {
 				dlog.Errorf("Invalid IP address in cloaking rule at line %d", 1+lineNo)
 				continue
@ -82,13 +86,46 @@ func (plugin *PluginCloak) Init(proxy *Proxy) error {
 		}
 		cloakedName.lineNo = lineNo + 1
 		cloakedNames[line] = cloakedName
+
+		if !plugin.createPTR || strings.Contains(line, "*") || !cloakedName.isIP {
+			continue
+		}
+
+		var ptrLine string
+		if ipv4 := ip.To4(); ipv4 != nil {
+			reversed, _ := dns.ReverseAddr(ip.To4().String())
+			ptrLine = strings.TrimSuffix(reversed, ".")
+		} else {
+			reversed, _ := dns.ReverseAddr(cloakedName.ipv6[0].To16().String())
+			ptrLine = strings.TrimSuffix(reversed, ".")
+		}
+		ptrQueryLine := ptrEntryToQuery(ptrLine)
+		ptrCloakedName, found := cloakedNames[ptrQueryLine]
+		if !found {
+			ptrCloakedName = &CloakedName{}
+		}
+		ptrCloakedName.isIP = true
+		ptrCloakedName.PTR = append((*ptrCloakedName).PTR, ptrNameToFQDN(line))
+		ptrCloakedName.lineNo = lineNo + 1
+		cloakedNames[ptrQueryLine] = ptrCloakedName
 	}
 	for line, cloakedName := range cloakedNames {
-		plugin.patternMatcher.Add(line, cloakedName, cloakedName.lineNo)
+		if err := plugin.patternMatcher.Add(line, cloakedName, cloakedName.lineNo); err != nil {
+			return err
+		}
 	}
 	return nil
 }

+func ptrEntryToQuery(ptrEntry string) string {
+	return "=" + ptrEntry
+}
+
+func ptrNameToFQDN(ptrLine string) string {
+	ptrLine = strings.TrimPrefix(ptrLine, "=")
+	return ptrLine + "."
+}
+
 func (plugin *PluginCloak) Drop() error {
 	return nil
 }
@ -98,25 +135,23 @@ func (plugin *PluginCloak) Reload() error {
 }

 func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	questions := msg.Question
-	if len(questions) != 1 {
-		return nil
-	}
-	question := questions[0]
-	if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA) {
-		return nil
-	}
-	qName := strings.ToLower(StripTrailingDot(questions[0].Name))
-	if len(qName) < 2 {
+	question := msg.Question[0]
+	if question.Qclass != dns.ClassINET || question.Qtype == dns.TypeNS || question.Qtype == dns.TypeSOA {
 		return nil
 	}
 	now := time.Now()
 	plugin.RLock()
-	_, _, xcloakedName := plugin.patternMatcher.Eval(qName)
+	_, _, xcloakedName := plugin.patternMatcher.Eval(pluginsState.qName)
 	if xcloakedName == nil {
 		plugin.RUnlock()
 		return nil
 	}
+	if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR {
+		plugin.RUnlock()
+		pluginsState.action = PluginsActionReject
+		pluginsState.returnCode = PluginsReturnCodeCloak
+		return nil
+	}
 	cloakedName := xcloakedName.(*CloakedName)
 	ttl, expired := plugin.ttl, false
 	if cloakedName.lastUpdate != nil {
@ -153,36 +188,35 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 		plugin.Unlock()
 		plugin.RLock()
 	}
-	var ip *net.IP
-	if question.Qtype == dns.TypeA {
-		ipLen := len(cloakedName.ipv4)
-		if ipLen > 0 {
-			ip = &cloakedName.ipv4[rand.Intn(ipLen)]
-		}
-	} else {
-		ipLen := len(cloakedName.ipv6)
-		if ipLen > 0 {
-			ip = &cloakedName.ipv6[rand.Intn(ipLen)]
-		}
-	}
 	plugin.RUnlock()
-	synth, err := EmptyResponseFromMessage(msg)
-	if err != nil {
-		return err
-	}
-	if ip == nil {
-		synth.Answer = []dns.RR{}
-	} else if question.Qtype == dns.TypeA {
-		rr := new(dns.A)
-		rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: ttl}
-		rr.A = *ip
-		synth.Answer = []dns.RR{rr}
-	} else {
-		rr := new(dns.AAAA)
-		rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
-		rr.AAAA = *ip
-		synth.Answer = []dns.RR{rr}
+	synth := EmptyResponseFromMessage(msg)
+	synth.Answer = []dns.RR{}
+	if question.Qtype == dns.TypeA {
+		for _, ip := range cloakedName.ipv4 {
+			rr := new(dns.A)
+			rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: ttl}
+			rr.A = ip
+			synth.Answer = append(synth.Answer, rr)
+		}
+	} else if question.Qtype == dns.TypeAAAA {
+		for _, ip := range cloakedName.ipv6 {
+			rr := new(dns.AAAA)
+			rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: ttl}
+			rr.AAAA = ip
+			synth.Answer = append(synth.Answer, rr)
+		}
+	} else if question.Qtype == dns.TypePTR {
+		for _, ptr := range cloakedName.PTR {
+			rr := new(dns.PTR)
+			rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypePTR, Class: dns.ClassINET, Ttl: ttl}
+			rr.Ptr = ptr
+			synth.Answer = append(synth.Answer, rr)
+		}
 	}
+	rand.Shuffle(
+		len(synth.Answer),
+		func(i, j int) { synth.Answer[i], synth.Answer[j] = synth.Answer[j], synth.Answer[i] },
+	)
 	pluginsState.synthResponse = synth
 	pluginsState.action = PluginsActionSynth
 	pluginsState.returnCode = PluginsReturnCodeCloak
--- a/dnscrypt-proxy/plugin_dns64.go
+++ b/dnscrypt-proxy/plugin_dns64.go
@ -0,0 +1,265 @@
+package main
+
+import (
+	"errors"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+const rfc7050WKN = "ipv4only.arpa."
+
+var (
+	rfc7050WKA1 = net.IPv4(192, 0, 0, 170)
+	rfc7050WKA2 = net.IPv4(192, 0, 0, 171)
+)
+
+type PluginDNS64 struct {
+	pref64Mutex    *sync.RWMutex
+	pref64         []*net.IPNet
+	dns64Resolvers []string
+	ipv4Resolver   string
+	proxy          *Proxy
+}
+
+func (plugin *PluginDNS64) Name() string {
+	return "dns64"
+}
+
+func (plugin *PluginDNS64) Description() string {
+	return "Synthesize DNS64 AAAA responses"
+}
+
+func (plugin *PluginDNS64) Init(proxy *Proxy) error {
+	if len(proxy.listenAddresses) == 0 {
+		return errors.New("At least one listening IP address must be configured for the DNS64 plugin to work")
+	}
+	plugin.ipv4Resolver = proxy.listenAddresses[0] // query is sent to ourselves
+	plugin.pref64Mutex = new(sync.RWMutex)
+	plugin.proxy = proxy
+
+	if len(proxy.dns64Prefixes) != 0 {
+		plugin.pref64Mutex.Lock()
+		defer plugin.pref64Mutex.Unlock()
+		for _, prefStr := range proxy.dns64Prefixes {
+			_, pref, err := net.ParseCIDR(prefStr)
+			if err != nil {
+				return err
+			}
+			dlog.Noticef("Registered DNS64 prefix [%s]", pref.String())
+			plugin.pref64 = append(plugin.pref64, pref)
+		}
+	} else if len(proxy.dns64Resolvers) != 0 {
+		plugin.dns64Resolvers = proxy.dns64Resolvers
+		if err := plugin.refreshPref64(); err != nil {
+			return err
+		}
+	} else {
+		return nil
+	}
+	dlog.Notice("DNS64 map enabled")
+
+	return nil
+}
+
+func (plugin *PluginDNS64) Drop() error {
+	return nil
+}
+
+func (plugin *PluginDNS64) Reload() error {
+	return nil
+}
+
+func (plugin *PluginDNS64) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	if hasAAAAAnswer(msg) {
+		return nil
+	}
+
+	question := pluginsState.questionMsg.Question[0]
+	if question.Qclass != dns.ClassINET || question.Qtype != dns.TypeAAAA {
+		return nil
+	}
+
+	msgA := pluginsState.questionMsg.Copy()
+	msgA.SetQuestion(question.Name, dns.TypeA)
+	msgAPacket, err := msgA.Pack()
+	if err != nil {
+		return err
+	}
+
+	if !plugin.proxy.clientsCountInc() {
+		return errors.New("Too many concurrent connections to handle DNS64 subqueries")
+	}
+	respPacket := plugin.proxy.processIncomingQuery(
+		"trampoline",
+		plugin.proxy.mainProto,
+		msgAPacket,
+		nil,
+		nil,
+		time.Now(),
+		false,
+	)
+	plugin.proxy.clientsCountDec()
+	resp := dns.Msg{}
+	if err := resp.Unpack(respPacket); err != nil {
+		return err
+	}
+
+	if resp.Rcode != dns.RcodeSuccess {
+		return nil
+	}
+
+	if len(resp.Answer) == 0 {
+		return nil
+	}
+
+	initialTTL := uint32(600)
+	for _, ns := range resp.Ns {
+		header := ns.Header()
+		if header.Rrtype == dns.TypeSOA {
+			initialTTL = header.Ttl
+		}
+	}
+
+	synth64 := make([]dns.RR, 0)
+	for _, answer := range resp.Answer {
+		header := answer.Header()
+		if header.Rrtype == dns.TypeCNAME {
+			synth64 = append(synth64, answer)
+		} else if header.Rrtype == dns.TypeA {
+			ttl := initialTTL
+			if ttl > header.Ttl {
+				ttl = header.Ttl
+			}
+
+			ipv4 := answer.(*dns.A).A.To4()
+			if ipv4 != nil {
+				plugin.pref64Mutex.RLock()
+				for _, prefix := range plugin.pref64 {
+					ipv6 := translateToIPv6(ipv4, prefix)
+					synthAAAA := new(dns.AAAA)
+					synthAAAA.Hdr = dns.RR_Header{
+						Name:   header.Name,
+						Rrtype: dns.TypeAAAA,
+						Class:  header.Class,
+						Ttl:    ttl,
+					}
+					synthAAAA.AAAA = ipv6
+					synth64 = append(synth64, synthAAAA)
+				}
+				plugin.pref64Mutex.RUnlock()
+			}
+		}
+	}
+
+	msg.Answer = synth64
+	msg.AuthenticatedData = false
+	msg.SetEdns0(uint16(MaxDNSUDPSafePacketSize), false)
+
+	pluginsState.returnCode = PluginsReturnCodeCloak
+
+	return nil
+}
+
+func hasAAAAAnswer(msg *dns.Msg) bool {
+	for _, answer := range msg.Answer {
+		if answer.Header().Rrtype == dns.TypeAAAA {
+			return true
+		}
+	}
+	return false
+}
+
+func translateToIPv6(ipv4 net.IP, prefix *net.IPNet) net.IP {
+	ipv6 := make(net.IP, net.IPv6len)
+	copy(ipv6, prefix.IP)
+	n, _ := prefix.Mask.Size()
+	ipShift := n / 8
+	for i := 0; i < net.IPv4len; i++ {
+		if ipShift+i == 8 {
+			ipShift++
+		}
+		ipv6[ipShift+i] = ipv4[i]
+	}
+	return ipv6
+}
+
+func (plugin *PluginDNS64) fetchPref64(resolver string) error {
+	msg := new(dns.Msg)
+	msg.SetQuestion(rfc7050WKN, dns.TypeAAAA)
+
+	client := new(dns.Client)
+	resp, _, err := client.Exchange(msg, resolver)
+	if err != nil {
+		return err
+	}
+
+	if resp == nil || resp.Rcode != dns.RcodeSuccess {
+		return errors.New("Unable to fetch Pref64")
+	}
+
+	uniqPrefixes := make(map[string]struct{})
+	prefixes := make([]*net.IPNet, 0)
+	for _, answer := range resp.Answer {
+		if answer.Header().Rrtype == dns.TypeAAAA {
+			ipv6 := answer.(*dns.AAAA).AAAA
+			if ipv6 != nil && len(ipv6) == net.IPv6len {
+				prefEnd := 0
+
+				if wka := net.IPv4(ipv6[12], ipv6[13], ipv6[14], ipv6[15]); wka.Equal(rfc7050WKA1) ||
+					wka.Equal(rfc7050WKA2) { // 96
+					prefEnd = 12
+				} else if wka := net.IPv4(ipv6[9], ipv6[10], ipv6[11], ipv6[12]); wka.Equal(rfc7050WKA1) || wka.Equal(rfc7050WKA2) { // 64
+					prefEnd = 8
+				} else if wka := net.IPv4(ipv6[7], ipv6[9], ipv6[10], ipv6[11]); wka.Equal(rfc7050WKA1) || wka.Equal(rfc7050WKA2) { // 56
+					prefEnd = 7
+				} else if wka := net.IPv4(ipv6[6], ipv6[7], ipv6[9], ipv6[10]); wka.Equal(rfc7050WKA1) || wka.Equal(rfc7050WKA2) { // 48
+					prefEnd = 6
+				} else if wka := net.IPv4(ipv6[5], ipv6[6], ipv6[7], ipv6[9]); wka.Equal(rfc7050WKA1) || wka.Equal(rfc7050WKA2) { // 40
+					prefEnd = 5
+				} else if wka := net.IPv4(ipv6[4], ipv6[5], ipv6[6], ipv6[7]); wka.Equal(rfc7050WKA1) || wka.Equal(rfc7050WKA2) { // 32
+					prefEnd = 4
+				}
+
+				if prefEnd > 0 {
+					prefix := new(net.IPNet)
+					prefix.IP = append(ipv6[:prefEnd], net.IPv6zero[prefEnd:]...)
+					prefix.Mask = net.CIDRMask(prefEnd*8, 128)
+					if _, ok := uniqPrefixes[prefix.String()]; !ok {
+						prefixes = append(prefixes, prefix)
+						uniqPrefixes[prefix.String()] = struct{}{}
+						dlog.Infof("Registered DNS64 prefix [%s]", prefix.String())
+					}
+				}
+			}
+		}
+	}
+
+	if len(prefixes) == 0 {
+		return errors.New("Empty Pref64 list")
+	}
+
+	plugin.pref64Mutex.Lock()
+	defer plugin.pref64Mutex.Unlock()
+	plugin.pref64 = prefixes
+	return nil
+}
+
+func (plugin *PluginDNS64) refreshPref64() error {
+	for _, resolver := range plugin.dns64Resolvers {
+		if err := plugin.fetchPref64(resolver); err == nil {
+			break
+		}
+	}
+
+	plugin.pref64Mutex.RLock()
+	defer plugin.pref64Mutex.RUnlock()
+	if len(plugin.pref64) == 0 {
+		return errors.New("Empty Pref64 list")
+	}
+
+	return nil
+}
--- a/dnscrypt-proxy/plugin_ecs.go
+++ b/dnscrypt-proxy/plugin_ecs.go
@ -0,0 +1,80 @@
+package main
+
+import (
+	"math/rand"
+	"net"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type PluginECS struct {
+	nets []*net.IPNet
+}
+
+func (plugin *PluginECS) Name() string {
+	return "ecs"
+}
+
+func (plugin *PluginECS) Description() string {
+	return "Set EDNS-client-subnet information in outgoing queries."
+}
+
+func (plugin *PluginECS) Init(proxy *Proxy) error {
+	plugin.nets = proxy.ednsClientSubnets
+	dlog.Notice("ECS plugin enabled")
+	return nil
+}
+
+func (plugin *PluginECS) Drop() error {
+	return nil
+}
+
+func (plugin *PluginECS) Reload() error {
+	return nil
+}
+
+func (plugin *PluginECS) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	var options *[]dns.EDNS0
+
+	for _, extra := range msg.Extra {
+		if extra.Header().Rrtype == dns.TypeOPT {
+			options = &extra.(*dns.OPT).Option
+			for _, option := range *options {
+				if option.Option() == dns.EDNS0SUBNET {
+					return nil
+				}
+			}
+			break
+		}
+	}
+	if options == nil {
+		msg.SetEdns0(uint16(pluginsState.maxPayloadSize), false)
+		for _, extra := range msg.Extra {
+			if extra.Header().Rrtype == dns.TypeOPT {
+				options = &extra.(*dns.OPT).Option
+				break
+			}
+		}
+	}
+	if options == nil {
+		return nil
+	}
+	prr := dns.EDNS0_SUBNET{}
+	prr.Code = dns.EDNS0SUBNET
+	net := plugin.nets[rand.Intn(len(plugin.nets))]
+	bits, totalSize := net.Mask.Size()
+	if totalSize == 32 {
+		prr.Family = 1
+	} else if totalSize == 128 {
+		prr.Family = 2
+	} else {
+		return nil
+	}
+	prr.SourceNetmask = uint8(bits)
+	prr.SourceScope = 0
+	prr.Address = net.IP
+	*options = append(*options, &prr)
+
+	return nil
+}
--- a/dnscrypt-proxy/plugin_firefox.go
+++ b/dnscrypt-proxy/plugin_firefox.go
@ -0,0 +1,53 @@
+// Work around Mozilla's evil plan - https://sk.tl/3Ek6tzhq
+
+package main
+
+import (
+	"strings"
+
+	"github.com/jedisct1/dlog"
+	"github.com/miekg/dns"
+)
+
+type PluginFirefox struct{}
+
+func (plugin *PluginFirefox) Name() string {
+	return "firefox"
+}
+
+func (plugin *PluginFirefox) Description() string {
+	return "Work around Firefox taking over DNS"
+}
+
+func (plugin *PluginFirefox) Init(proxy *Proxy) error {
+	dlog.Noticef("Firefox workaround initialized")
+	return nil
+}
+
+func (plugin *PluginFirefox) Drop() error {
+	return nil
+}
+
+func (plugin *PluginFirefox) Reload() error {
+	return nil
+}
+
+func (plugin *PluginFirefox) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	if pluginsState.clientProto == "local_doh" {
+		return nil
+	}
+	question := msg.Question[0]
+	if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA) {
+		return nil
+	}
+	qName := pluginsState.qName
+	if qName != "use-application-dns.net" && !strings.HasSuffix(qName, ".use-application-dns.net") {
+		return nil
+	}
+	synth := EmptyResponseFromMessage(msg)
+	synth.Rcode = dns.RcodeNameError
+	pluginsState.synthResponse = synth
+	pluginsState.action = PluginsActionSynth
+	pluginsState.returnCode = PluginsReturnCodeSynth
+	return nil
+}
--- a/dnscrypt-proxy/plugin_forward.go
+++ b/dnscrypt-proxy/plugin_forward.go
@ -5,7 +5,6 @@ import (
 	"math/rand"
 	"net"
 	"strings"
-	"unicode"

 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
@ -30,33 +29,44 @@ func (plugin *PluginForward) Description() string {

 func (plugin *PluginForward) Init(proxy *Proxy) error {
 	dlog.Noticef("Loading the set of forwarding rules from [%s]", proxy.forwardFile)
-	bin, err := ReadTextFile(proxy.forwardFile)
+	lines, err := ReadTextFile(proxy.forwardFile)
 	if err != nil {
 		return err
 	}
-	for lineNo, line := range strings.Split(string(bin), "\n") {
-		line = strings.TrimFunc(line, unicode.IsSpace)
-		if len(line) == 0 || strings.HasPrefix(line, "#") {
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
 			continue
 		}
 		domain, serversStr, ok := StringTwoFields(line)
 		if !ok {
-			return fmt.Errorf("Syntax error for a forwarding rule at line %d. Expected syntax: example.com: 9.9.9.9,8.8.8.8", 1+lineNo)
+			return fmt.Errorf(
+				"Syntax error for a forwarding rule at line %d. Expected syntax: example.com 9.9.9.9,8.8.8.8",
+				1+lineNo,
+			)
 		}
 		domain = strings.ToLower(domain)
 		var servers []string
 		for _, server := range strings.Split(serversStr, ",") {
-			server = strings.TrimFunc(server, unicode.IsSpace)
-			if net.ParseIP(server) != nil {
-				server = fmt.Sprintf("%s:%d", server, 53)
+			server = strings.TrimSpace(server)
+			server = strings.TrimPrefix(server, "[")
+			server = strings.TrimSuffix(server, "]")
+			if ip := net.ParseIP(server); ip != nil {
+				if ip.To4() != nil {
+					server = fmt.Sprintf("%s:%d", server, 53)
+				} else {
+					server = fmt.Sprintf("[%s]:%d", server, 53)
+				}
 			}
+			dlog.Infof("Forwarding [%s] to %s", domain, server)
 			servers = append(servers, server)
 		}
 		if len(servers) == 0 {
 			continue
 		}
 		plugin.forwardMap = append(plugin.forwardMap, PluginForwardEntry{
-			domain: domain, servers: servers,
+			domain:  domain,
+			servers: servers,
 		})
 	}
 	return nil
@ -71,19 +81,17 @@ func (plugin *PluginForward) Reload() error {
 }

 func (plugin *PluginForward) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	questions := msg.Question
-	if len(questions) != 1 {
-		return nil
-	}
-	question := strings.ToLower(StripTrailingDot(questions[0].Name))
-	questionLen := len(question)
+	qName := pluginsState.qName
+	qNameLen := len(qName)
 	var servers []string
 	for _, candidate := range plugin.forwardMap {
 		candidateLen := len(candidate.domain)
-		if candidateLen > questionLen {
+		if candidateLen > qNameLen {
 			continue
 		}
-		if question[questionLen-candidateLen:] == candidate.domain && (candidateLen == questionLen || (question[questionLen-candidateLen-1] == '.')) {
+		if (qName[qNameLen-candidateLen:] == candidate.domain &&
+			(candidateLen == qNameLen || (qName[qNameLen-candidateLen-1] == '.'))) ||
+			(candidate.domain == ".") {
 			servers = candidate.servers
 			break
 		}
@ -92,11 +100,25 @@ func (plugin *PluginForward) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 		return nil
 	}
 	server := servers[rand.Intn(len(servers))]
-	respMsg, err := dns.Exchange(msg, server)
+	pluginsState.serverName = server
+	client := dns.Client{Net: pluginsState.serverProto, Timeout: pluginsState.timeout}
+	respMsg, _, err := client.Exchange(msg, server)
 	if err != nil {
 		return err
 	}
+	if respMsg.Truncated {
+		client.Net = "tcp"
+		respMsg, _, err = client.Exchange(msg, server)
+		if err != nil {
+			return err
+		}
+	}
+	if edns0 := respMsg.IsEdns0(); edns0 == nil || !edns0.Do() {
+		respMsg.AuthenticatedData = false
+	}
+	respMsg.Id = msg.Id
 	pluginsState.synthResponse = respMsg
 	pluginsState.action = PluginsActionSynth
+	pluginsState.returnCode = PluginsReturnCodeForward
 	return nil
 }
--- a/dnscrypt-proxy/plugin_get_set_payload_size.go
+++ b/dnscrypt-proxy/plugin_get_set_payload_size.go
@ -29,12 +29,19 @@ func (plugin *PluginGetSetPayloadSize) Eval(pluginsState *PluginsState, msg *dns
 	edns0 := msg.IsEdns0()
 	dnssec := false
 	if edns0 != nil {
-		pluginsState.originalMaxPayloadSize = Min(int(edns0.UDPSize())-ResponseOverhead, pluginsState.originalMaxPayloadSize)
+		pluginsState.maxUnencryptedUDPSafePayloadSize = int(edns0.UDPSize())
+		pluginsState.originalMaxPayloadSize = Max(
+			pluginsState.maxUnencryptedUDPSafePayloadSize-ResponseOverhead,
+			pluginsState.originalMaxPayloadSize,
+		)
 		dnssec = edns0.Do()
 	}
 	var options *[]dns.EDNS0
 	pluginsState.dnssec = dnssec
-	pluginsState.maxPayloadSize = Min(MaxDNSUDPPacketSize-ResponseOverhead, Max(pluginsState.originalMaxPayloadSize, pluginsState.maxPayloadSize))
+	pluginsState.maxPayloadSize = Min(
+		MaxDNSUDPPacketSize-ResponseOverhead,
+		Max(pluginsState.originalMaxPayloadSize, pluginsState.maxPayloadSize),
+	)
 	if pluginsState.maxPayloadSize > 512 {
 		extra2 := []dns.RR{}
 		for _, extra := range msg.Extra {
--- a/dnscrypt-proxy/plugin_nx_log.go
+++ b/dnscrypt-proxy/plugin_nx_log.go
@ -3,16 +3,16 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"time"

 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
-	lumberjack "gopkg.in/natefinch/lumberjack.v2"
 )

 type PluginNxLog struct {
-	logger *lumberjack.Logger
+	logger io.Writer
 	format string
 }

@ -25,7 +25,7 @@ func (plugin *PluginNxLog) Description() string {
 }

 func (plugin *PluginNxLog) Init(proxy *Proxy) error {
-	plugin.logger = &lumberjack.Logger{LocalTime: true, MaxSize: proxy.logMaxSize, MaxAge: proxy.logMaxAge, MaxBackups: proxy.logMaxBackups, Filename: proxy.nxLogFile, Compress: true}
+	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.nxLogFile)
 	plugin.format = proxy.nxLogFormat

 	return nil
@ -43,22 +43,22 @@ func (plugin *PluginNxLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	if msg.Rcode != dns.RcodeNameError {
 		return nil
 	}
-	questions := msg.Question
-	if len(questions) == 0 {
+	var clientIPStr string
+	switch pluginsState.clientProto {
+	case "udp":
+		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+	case "tcp", "local_doh":
+		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+	default:
+		// Ignore internal flow.
 		return nil
 	}
-	question := questions[0]
+	question := msg.Question[0]
 	qType, ok := dns.TypeToString[question.Qtype]
 	if !ok {
 		qType = string(qType)
 	}
-	var clientIPStr string
-	if pluginsState.clientProto == "udp" {
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-	} else {
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-	}
-	qName := StripTrailingDot(question.Name)
+	qName := pluginsState.qName

 	var line string
 	if plugin.format == "tsv" {
@ -76,7 +76,7 @@ func (plugin *PluginNxLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	if plugin.logger == nil {
 		return errors.New("Log file not initialized")
 	}
-	plugin.logger.Write([]byte(line))
+	_, _ = plugin.logger.Write([]byte(line))

 	return nil
 }
--- a/dnscrypt-proxy/plugin_query_log.go
+++ b/dnscrypt-proxy/plugin_query_log.go
@ -3,17 +3,17 @@ package main
 import (
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"strings"
 	"time"

 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
-	lumberjack "gopkg.in/natefinch/lumberjack.v2"
 )

 type PluginQueryLog struct {
-	logger        *lumberjack.Logger
+	logger        io.Writer
 	format        string
 	ignoredQtypes []string
 }
@ -27,7 +27,7 @@ func (plugin *PluginQueryLog) Description() string {
 }

 func (plugin *PluginQueryLog) Init(proxy *Proxy) error {
-	plugin.logger = &lumberjack.Logger{LocalTime: true, MaxSize: proxy.logMaxSize, MaxAge: proxy.logMaxAge, MaxBackups: proxy.logMaxBackups, Filename: proxy.queryLogFile, Compress: true}
+	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.queryLogFile)
 	plugin.format = proxy.queryLogFormat
 	plugin.ignoredQtypes = proxy.queryLogIgnoredQtypes

@ -43,11 +43,17 @@ func (plugin *PluginQueryLog) Reload() error {
 }

 func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	questions := msg.Question
-	if len(questions) == 0 {
+	var clientIPStr string
+	switch pluginsState.clientProto {
+	case "udp":
+		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+	case "tcp", "local_doh":
+		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+	default:
+		// Ignore internal flow.
 		return nil
 	}
-	question := questions[0]
+	question := msg.Question[0]
 	qType, ok := dns.TypeToString[question.Qtype]
 	if !ok {
 		qType = string(qType)
@ -59,13 +65,16 @@ func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) err
 			}
 		}
 	}
-	var clientIPStr string
-	if pluginsState.clientProto == "udp" {
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
+	qName := pluginsState.qName
+
+	if pluginsState.cacheHit {
+		pluginsState.serverName = "-"
 	} else {
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
+		switch pluginsState.returnCode {
+		case PluginsReturnCodeSynth, PluginsReturnCodeCloak, PluginsReturnCodeParseError:
+			pluginsState.serverName = "-"
+		}
 	}
-	qName := StripTrailingDot(question.Name)
 	returnCode, ok := PluginsReturnCodeToString[pluginsState.returnCode]
 	if !ok {
 		returnCode = string(returnCode)
@ -75,15 +84,22 @@ func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) err
 	if !pluginsState.requestStart.IsZero() && !pluginsState.requestEnd.IsZero() {
 		requestDuration = pluginsState.requestEnd.Sub(pluginsState.requestStart)
 	}
-
 	var line string
 	if plugin.format == "tsv" {
 		now := time.Now()
 		year, month, day := now.Date()
 		hour, minute, second := now.Clock()
 		tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
-		line = fmt.Sprintf("%s\t%s\t%s\t%s\t%s\t%dms\t%s\n", tsStr, clientIPStr, StringQuote(qName), qType, returnCode, requestDuration/time.Millisecond,
-			StringQuote(pluginsState.serverName))
+		line = fmt.Sprintf(
+			"%s\t%s\t%s\t%s\t%s\t%dms\t%s\n",
+			tsStr,
+			clientIPStr,
+			StringQuote(qName),
+			qType,
+			returnCode,
+			requestDuration/time.Millisecond,
+			StringQuote(pluginsState.serverName),
+		)
 	} else if plugin.format == "ltsv" {
 		cached := 0
 		if pluginsState.cacheHit {
@ -97,6 +113,7 @@ func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) err
 	if plugin.logger == nil {
 		return errors.New("Log file not initialized")
 	}
-	plugin.logger.Write([]byte(line))
+	_, _ = plugin.logger.Write([]byte(line))
+
 	return nil
 }
--- a/dnscrypt-proxy/plugin_querymeta.go
+++ b/dnscrypt-proxy/plugin_querymeta.go
@ -0,0 +1,41 @@
+package main
+
+import (
+	"github.com/miekg/dns"
+)
+
+type PluginQueryMeta struct {
+	queryMetaRR *dns.TXT
+}
+
+func (plugin *PluginQueryMeta) Name() string {
+	return "query_log"
+}
+
+func (plugin *PluginQueryMeta) Description() string {
+	return "Log DNS queries."
+}
+
+func (plugin *PluginQueryMeta) Init(proxy *Proxy) error {
+	queryMetaRR := new(dns.TXT)
+	queryMetaRR.Hdr = dns.RR_Header{
+		Name: ".", Rrtype: dns.TypeTXT,
+		Class: dns.ClassINET, Ttl: 86400,
+	}
+	queryMetaRR.Txt = proxy.queryMeta
+	plugin.queryMetaRR = queryMetaRR
+	return nil
+}
+
+func (plugin *PluginQueryMeta) Drop() error {
+	return nil
+}
+
+func (plugin *PluginQueryMeta) Reload() error {
+	return nil
+}
+
+func (plugin *PluginQueryMeta) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
+	msg.Extra = []dns.RR{plugin.queryMetaRR}
+	return nil
+}
--- a/dnscrypt-proxy/plugin_whitelist_name.go
+++ b/dnscrypt-proxy/plugin_whitelist_name.go
@ -1,131 +0,0 @@
-package main
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-	"unicode"
-
-	"github.com/jedisct1/dlog"
-	"github.com/miekg/dns"
-	lumberjack "gopkg.in/natefinch/lumberjack.v2"
-)
-
-type PluginWhitelistName struct {
-	allWeeklyRanges *map[string]WeeklyRanges
-	patternMatcher  *PatternMatcher
-	logger          *lumberjack.Logger
-	format          string
-}
-
-func (plugin *PluginWhitelistName) Name() string {
-	return "whitelist_name"
-}
-
-func (plugin *PluginWhitelistName) Description() string {
-	return "Whitelists DNS queries matching name patterns"
-}
-
-func (plugin *PluginWhitelistName) Init(proxy *Proxy) error {
-	dlog.Noticef("Loading the set of whitelisting rules from [%s]", proxy.whitelistNameFile)
-	bin, err := ReadTextFile(proxy.whitelistNameFile)
-	if err != nil {
-		return err
-	}
-	plugin.allWeeklyRanges = proxy.allWeeklyRanges
-	plugin.patternMatcher = NewPatternPatcher()
-	for lineNo, line := range strings.Split(string(bin), "\n") {
-		line = strings.TrimFunc(line, unicode.IsSpace)
-		if len(line) == 0 || strings.HasPrefix(line, "#") {
-			continue
-		}
-		parts := strings.Split(line, "@")
-		timeRangeName := ""
-		if len(parts) == 2 {
-			line = strings.TrimFunc(parts[0], unicode.IsSpace)
-			timeRangeName = strings.TrimFunc(parts[1], unicode.IsSpace)
-		} else if len(parts) > 2 {
-			dlog.Errorf("Syntax error in whitelist rules at line %d -- Unexpected @ character", 1+lineNo)
-			continue
-		}
-		var weeklyRanges *WeeklyRanges
-		if len(timeRangeName) > 0 {
-			weeklyRangesX, ok := (*plugin.allWeeklyRanges)[timeRangeName]
-			if !ok {
-				dlog.Errorf("Time range [%s] not found at line %d", timeRangeName, 1+lineNo)
-			} else {
-				weeklyRanges = &weeklyRangesX
-			}
-		}
-		if _, err := plugin.patternMatcher.Add(line, weeklyRanges, lineNo+1); err != nil {
-			dlog.Error(err)
-			continue
-		}
-	}
-	if len(proxy.whitelistNameLogFile) == 0 {
-		return nil
-	}
-	plugin.logger = &lumberjack.Logger{LocalTime: true, MaxSize: proxy.logMaxSize, MaxAge: proxy.logMaxAge, MaxBackups: proxy.logMaxBackups, Filename: proxy.whitelistNameLogFile, Compress: true}
-	plugin.format = proxy.whitelistNameFormat
-
-	return nil
-}
-
-func (plugin *PluginWhitelistName) Drop() error {
-	return nil
-}
-
-func (plugin *PluginWhitelistName) Reload() error {
-	return nil
-}
-
-func (plugin *PluginWhitelistName) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	questions := msg.Question
-	if len(questions) != 1 {
-		return nil
-	}
-	qName := strings.ToLower(StripTrailingDot(questions[0].Name))
-	whitelist, reason, xweeklyRanges := plugin.patternMatcher.Eval(qName)
-	var weeklyRanges *WeeklyRanges
-	if xweeklyRanges != nil {
-		weeklyRanges = xweeklyRanges.(*WeeklyRanges)
-	}
-	if whitelist {
-		if weeklyRanges != nil && !weeklyRanges.Match() {
-			whitelist = false
-		}
-	}
-	if whitelist {
-		if pluginsState.sessionData == nil {
-			pluginsState.sessionData = make(map[string]interface{})
-		}
-		pluginsState.sessionData["whitelisted"] = true
-		if plugin.logger != nil {
-			var clientIPStr string
-			if pluginsState.clientProto == "udp" {
-				clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-			} else {
-				clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-			}
-			var line string
-			if plugin.format == "tsv" {
-				now := time.Now()
-				year, month, day := now.Date()
-				hour, minute, second := now.Clock()
-				tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
-				line = fmt.Sprintf("%s\t%s\t%s\t%s\n", tsStr, clientIPStr, StringQuote(qName), StringQuote(reason))
-			} else if plugin.format == "ltsv" {
-				line = fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s\n", time.Now().Unix(), clientIPStr, StringQuote(qName), StringQuote(reason))
-			} else {
-				dlog.Fatalf("Unexpected log format: [%s]", plugin.format)
-			}
-			if plugin.logger == nil {
-				return errors.New("Log file not initialized")
-			}
-			plugin.logger.Write([]byte(line))
-		}
-	}
-	return nil
-}
--- a/dnscrypt-proxy/plugins.go
+++ b/dnscrypt-proxy/plugins.go
@ -3,6 +3,7 @@ package main
 import (
 	"errors"
 	"net"
+	"strings"
 	"sync"
 	"time"

@ -13,11 +14,11 @@ import (
 type PluginsAction int

 const (
-	PluginsActionNone    = 0
-	PluginsActionForward = 1
-	PluginsActionDrop    = 2
-	PluginsActionReject  = 3
-	PluginsActionSynth   = 4
+	PluginsActionNone     = 0
+	PluginsActionContinue = 1
+	PluginsActionDrop     = 2
+	PluginsActionReject   = 3
+	PluginsActionSynth    = 4
 )

 type PluginsGlobals struct {
@ -26,6 +27,8 @@ type PluginsGlobals struct {
 	responsePlugins        *[]Plugin
 	loggingPlugins         *[]Plugin
 	refusedCodeInResponses bool
+	respondWithIPv4        net.IP
+	respondWithIPv6        net.IP
 }

 type PluginsReturnCode int
@ -39,8 +42,11 @@ const (
 	PluginsReturnCodeParseError
 	PluginsReturnCodeNXDomain
 	PluginsReturnCodeResponseError
-	PluginsReturnCodeServerError
+	PluginsReturnCodeServFail
+	PluginsReturnCodeNetworkError
 	PluginsReturnCodeCloak
+	PluginsReturnCodeServerTimeout
+	PluginsReturnCodeNotReady
 )

 var PluginsReturnCodeToString = map[PluginsReturnCode]string{
@ -52,36 +58,57 @@ var PluginsReturnCodeToString = map[PluginsReturnCode]string{
 	PluginsReturnCodeParseError:    "PARSE_ERROR",
 	PluginsReturnCodeNXDomain:      "NXDOMAIN",
 	PluginsReturnCodeResponseError: "RESPONSE_ERROR",
-	PluginsReturnCodeServerError:   "SERVER_ERROR",
+	PluginsReturnCodeServFail:      "SERVFAIL",
+	PluginsReturnCodeNetworkError:  "NETWORK_ERROR",
 	PluginsReturnCodeCloak:         "CLOAK",
+	PluginsReturnCodeServerTimeout: "SERVER_TIMEOUT",
+	PluginsReturnCodeNotReady:      "NOT_READY",
 }

 type PluginsState struct {
-	sessionData            map[string]interface{}
-	action                 PluginsAction
-	originalMaxPayloadSize int
-	maxPayloadSize         int
-	clientProto            string
-	clientAddr             *net.Addr
-	synthResponse          *dns.Msg
-	dnssec                 bool
-	cacheSize              int
-	cacheNegMinTTL         uint32
-	cacheNegMaxTTL         uint32
-	cacheMinTTL            uint32
-	cacheMaxTTL            uint32
-	questionMsg            *dns.Msg
-	requestStart           time.Time
-	requestEnd             time.Time
-	cacheHit               bool
-	returnCode             PluginsReturnCode
-	serverName             string
+	requestStart                     time.Time
+	requestEnd                       time.Time
+	clientProto                      string
+	serverName                       string
+	serverProto                      string
+	qName                            string
+	clientAddr                       *net.Addr
+	synthResponse                    *dns.Msg
+	questionMsg                      *dns.Msg
+	sessionData                      map[string]interface{}
+	action                           PluginsAction
+	timeout                          time.Duration
+	returnCode                       PluginsReturnCode
+	maxPayloadSize                   int
+	cacheSize                        int
+	originalMaxPayloadSize           int
+	maxUnencryptedUDPSafePayloadSize int
+	rejectTTL                        uint32
+	cacheMaxTTL                      uint32
+	cacheNegMaxTTL                   uint32
+	cacheNegMinTTL                   uint32
+	cacheMinTTL                      uint32
+	cacheHit                         bool
+	dnssec                           bool
 }

-func InitPluginsGlobals(pluginsGlobals *PluginsGlobals, proxy *Proxy) error {
+func (proxy *Proxy) InitPluginsGlobals() error {
 	queryPlugins := &[]Plugin{}
-	if len(proxy.whitelistNameFile) != 0 {
-		*queryPlugins = append(*queryPlugins, Plugin(new(PluginWhitelistName)))
+
+	if proxy.captivePortalMap != nil {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginCaptivePortal)))
+	}
+	if len(proxy.queryMeta) != 0 {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginQueryMeta)))
+	}
+	if len(proxy.allowNameFile) != 0 {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginAllowName)))
+	}
+
+	*queryPlugins = append(*queryPlugins, Plugin(new(PluginFirefox)))
+
+	if len(proxy.ednsClientSubnets) != 0 {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginECS)))
 	}
 	if len(proxy.blockNameFile) != 0 {
 		*queryPlugins = append(*queryPlugins, Plugin(new(PluginBlockName)))
@ -99,14 +126,29 @@ func InitPluginsGlobals(pluginsGlobals *PluginsGlobals, proxy *Proxy) error {
 	if len(proxy.forwardFile) != 0 {
 		*queryPlugins = append(*queryPlugins, Plugin(new(PluginForward)))
 	}
+	if proxy.pluginBlockUnqualified {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginBlockUnqualified)))
+	}
+	if proxy.pluginBlockUndelegated {
+		*queryPlugins = append(*queryPlugins, Plugin(new(PluginBlockUndelegated)))
+	}

 	responsePlugins := &[]Plugin{}
 	if len(proxy.nxLogFile) != 0 {
 		*responsePlugins = append(*responsePlugins, Plugin(new(PluginNxLog)))
 	}
+	if len(proxy.allowedIPFile) != 0 {
+		*responsePlugins = append(*responsePlugins, Plugin(new(PluginAllowedIP)))
+	}
+	if len(proxy.blockNameFile) != 0 {
+		*responsePlugins = append(*responsePlugins, Plugin(new(PluginBlockNameResponse)))
+	}
 	if len(proxy.blockIPFile) != 0 {
 		*responsePlugins = append(*responsePlugins, Plugin(new(PluginBlockIP)))
 	}
+	if len(proxy.dns64Resolvers) != 0 || len(proxy.dns64Prefixes) != 0 {
+		*responsePlugins = append(*responsePlugins, Plugin(new(PluginDNS64)))
+	}
 	if proxy.cache {
 		*responsePlugins = append(*responsePlugins, Plugin(new(PluginCacheResponse)))
 	}
@ -132,13 +174,63 @@ func InitPluginsGlobals(pluginsGlobals *PluginsGlobals, proxy *Proxy) error {
 		}
 	}

-	(*pluginsGlobals).queryPlugins = queryPlugins
-	(*pluginsGlobals).responsePlugins = responsePlugins
-	(*pluginsGlobals).loggingPlugins = loggingPlugins
-	(*pluginsGlobals).refusedCodeInResponses = proxy.refusedCodeInResponses
+	proxy.pluginsGlobals.queryPlugins = queryPlugins
+	proxy.pluginsGlobals.responsePlugins = responsePlugins
+	proxy.pluginsGlobals.loggingPlugins = loggingPlugins
+
+	parseBlockedQueryResponse(proxy.blockedQueryResponse, &proxy.pluginsGlobals)
+
 	return nil
 }

+// blockedQueryResponse can be 'refused', 'hinfo' or IP responses 'a:IPv4,aaaa:IPv6
+func parseBlockedQueryResponse(blockedResponse string, pluginsGlobals *PluginsGlobals) {
+	blockedResponse = StringStripSpaces(strings.ToLower(blockedResponse))
+
+	if strings.HasPrefix(blockedResponse, "a:") {
+		blockedIPStrings := strings.Split(blockedResponse, ",")
+		pluginsGlobals.respondWithIPv4 = net.ParseIP(strings.TrimPrefix(blockedIPStrings[0], "a:"))
+
+		if pluginsGlobals.respondWithIPv4 == nil {
+			dlog.Notice("Error parsing IPv4 response given in blocked_query_response option, defaulting to `hinfo`")
+			pluginsGlobals.refusedCodeInResponses = false
+			return
+		}
+
+		if len(blockedIPStrings) > 1 {
+			if strings.HasPrefix(blockedIPStrings[1], "aaaa:") {
+				ipv6Response := strings.TrimPrefix(blockedIPStrings[1], "aaaa:")
+				if strings.HasPrefix(ipv6Response, "[") {
+					ipv6Response = strings.Trim(ipv6Response, "[]")
+				}
+				pluginsGlobals.respondWithIPv6 = net.ParseIP(ipv6Response)
+
+				if pluginsGlobals.respondWithIPv6 == nil {
+					dlog.Notice(
+						"Error parsing IPv6 response given in blocked_query_response option, defaulting to IPv4",
+					)
+				}
+			} else {
+				dlog.Noticef("Invalid IPv6 response given in blocked_query_response option [%s], the option should take the form 'a:<IPv4>,aaaa:<IPv6>'", blockedIPStrings[1])
+			}
+		}
+
+		if pluginsGlobals.respondWithIPv6 == nil {
+			pluginsGlobals.respondWithIPv6 = pluginsGlobals.respondWithIPv4
+		}
+	} else {
+		switch blockedResponse {
+		case "refused":
+			pluginsGlobals.refusedCodeInResponses = true
+		case "hinfo":
+			pluginsGlobals.refusedCodeInResponses = false
+		default:
+			dlog.Noticef("Invalid blocked_query_response option [%s], defaulting to `hinfo`", blockedResponse)
+			pluginsGlobals.refusedCodeInResponses = false
+		}
+	}
+}
+
 type Plugin interface {
 	Name() string
 	Description() string
@ -148,68 +240,99 @@ type Plugin interface {
 	Eval(pluginsState *PluginsState, msg *dns.Msg) error
 }

-func NewPluginsState(proxy *Proxy, clientProto string, clientAddr *net.Addr, start time.Time) PluginsState {
+func NewPluginsState(
+	proxy *Proxy,
+	clientProto string,
+	clientAddr *net.Addr,
+	serverProto string,
+	start time.Time,
+) PluginsState {
 	return PluginsState{
-		action:         PluginsActionForward,
-		maxPayloadSize: MaxDNSUDPPacketSize - ResponseOverhead,
-		clientProto:    clientProto,
-		clientAddr:     clientAddr,
-		cacheSize:      proxy.cacheSize,
-		cacheNegMinTTL: proxy.cacheNegMinTTL,
-		cacheNegMaxTTL: proxy.cacheNegMaxTTL,
-		cacheMinTTL:    proxy.cacheMinTTL,
-		cacheMaxTTL:    proxy.cacheMaxTTL,
-		questionMsg:    nil,
-		requestStart:   start,
+		action:                           PluginsActionContinue,
+		returnCode:                       PluginsReturnCodePass,
+		maxPayloadSize:                   MaxDNSUDPPacketSize - ResponseOverhead,
+		clientProto:                      clientProto,
+		clientAddr:                       clientAddr,
+		cacheSize:                        proxy.cacheSize,
+		cacheNegMinTTL:                   proxy.cacheNegMinTTL,
+		cacheNegMaxTTL:                   proxy.cacheNegMaxTTL,
+		cacheMinTTL:                      proxy.cacheMinTTL,
+		cacheMaxTTL:                      proxy.cacheMaxTTL,
+		rejectTTL:                        proxy.rejectTTL,
+		questionMsg:                      nil,
+		qName:                            "",
+		serverName:                       "-",
+		serverProto:                      serverProto,
+		timeout:                          proxy.timeout,
+		requestStart:                     start,
+		maxUnencryptedUDPSafePayloadSize: MaxDNSUDPSafePacketSize,
+		sessionData:                      make(map[string]interface{}),
 	}
 }

-func (pluginsState *PluginsState) ApplyQueryPlugins(pluginsGlobals *PluginsGlobals, packet []byte, serverName string) ([]byte, error) {
-	if len(*pluginsGlobals.queryPlugins) == 0 && len(*pluginsGlobals.loggingPlugins) == 0 {
-		return packet, nil
-	}
-	pluginsState.serverName = serverName
-	pluginsState.action = PluginsActionForward
+func (pluginsState *PluginsState) ApplyQueryPlugins(
+	pluginsGlobals *PluginsGlobals,
+	packet []byte,
+	needsEDNS0Padding bool,
+) ([]byte, error) {
 	msg := dns.Msg{}
 	if err := msg.Unpack(packet); err != nil {
 		return packet, err
 	}
-	if len(msg.Question) > 1 {
+	if len(msg.Question) != 1 {
 		return packet, errors.New("Unexpected number of questions")
 	}
+	qName, err := NormalizeQName(msg.Question[0].Name)
+	if err != nil {
+		return packet, err
+	}
+	dlog.Debugf("Handling query for [%v]", qName)
+	pluginsState.qName = qName
 	pluginsState.questionMsg = &msg
+	if len(*pluginsGlobals.queryPlugins) == 0 && len(*pluginsGlobals.loggingPlugins) == 0 {
+		return packet, nil
+	}
 	pluginsGlobals.RLock()
+	defer pluginsGlobals.RUnlock()
 	for _, plugin := range *pluginsGlobals.queryPlugins {
-		if ret := plugin.Eval(pluginsState, &msg); ret != nil {
-			pluginsGlobals.RUnlock()
+		if err := plugin.Eval(pluginsState, &msg); err != nil {
 			pluginsState.action = PluginsActionDrop
-			return packet, ret
+			return packet, err
 		}
 		if pluginsState.action == PluginsActionReject {
-			synth, err := RefusedResponseFromMessage(&msg, pluginsGlobals.refusedCodeInResponses)
-			if err != nil {
-				return nil, err
-			}
+			synth := RefusedResponseFromMessage(
+				&msg,
+				pluginsGlobals.refusedCodeInResponses,
+				pluginsGlobals.respondWithIPv4,
+				pluginsGlobals.respondWithIPv6,
+				pluginsState.rejectTTL,
+			)
 			pluginsState.synthResponse = synth
 		}
-		if pluginsState.action != PluginsActionForward {
+		if pluginsState.action != PluginsActionContinue {
 			break
 		}
 	}
-	pluginsGlobals.RUnlock()
+
 	packet2, err := msg.PackBuffer(packet)
 	if err != nil {
 		return packet, err
 	}
+	if needsEDNS0Padding && pluginsState.action == PluginsActionContinue {
+		padLen := 63 - ((len(packet2) + 63) & 63)
+		if paddedPacket2, _ := addEDNS0PaddingIfNoneFound(&msg, packet2, padLen); paddedPacket2 != nil {
+			return paddedPacket2, nil
+		}
+	}
 	return packet2, nil
 }

-func (pluginsState *PluginsState) ApplyResponsePlugins(pluginsGlobals *PluginsGlobals, packet []byte, ttl *uint32) ([]byte, error) {
-	if len(*pluginsGlobals.responsePlugins) == 0 && len(*pluginsGlobals.loggingPlugins) == 0 {
-		return packet, nil
-	}
-	pluginsState.action = PluginsActionForward
-	msg := dns.Msg{}
+func (pluginsState *PluginsState) ApplyResponsePlugins(
+	pluginsGlobals *PluginsGlobals,
+	packet []byte,
+	ttl *uint32,
+) ([]byte, error) {
+	msg := dns.Msg{Compress: true}
 	if err := msg.Unpack(packet); err != nil {
 		if len(packet) >= MinDNSPacketSize && HasTCFlag(packet) {
 			err = nil
@ -222,30 +345,32 @@ func (pluginsState *PluginsState) ApplyResponsePlugins(pluginsGlobals *PluginsGl
 	case dns.RcodeNameError:
 		pluginsState.returnCode = PluginsReturnCodeNXDomain
 	case dns.RcodeServerFailure:
-		pluginsState.returnCode = PluginsReturnCodeServerError
+		pluginsState.returnCode = PluginsReturnCodeServFail
 	default:
 		pluginsState.returnCode = PluginsReturnCodeResponseError
 	}
+	removeEDNS0Options(&msg)
 	pluginsGlobals.RLock()
+	defer pluginsGlobals.RUnlock()
 	for _, plugin := range *pluginsGlobals.responsePlugins {
-		if ret := plugin.Eval(pluginsState, &msg); ret != nil {
-			pluginsGlobals.RUnlock()
+		if err := plugin.Eval(pluginsState, &msg); err != nil {
 			pluginsState.action = PluginsActionDrop
-			return packet, ret
+			return packet, err
 		}
 		if pluginsState.action == PluginsActionReject {
-			synth, err := RefusedResponseFromMessage(&msg, pluginsGlobals.refusedCodeInResponses)
-			if err != nil {
-				return nil, err
-			}
-			dlog.Infof("Blocking [%s]", synth.Question[0].Name)
+			synth := RefusedResponseFromMessage(
+				&msg,
+				pluginsGlobals.refusedCodeInResponses,
+				pluginsGlobals.respondWithIPv4,
+				pluginsGlobals.respondWithIPv6,
+				pluginsState.rejectTTL,
+			)
 			pluginsState.synthResponse = synth
 		}
-		if pluginsState.action != PluginsActionForward {
+		if pluginsState.action != PluginsActionContinue {
 			break
 		}
 	}
-	pluginsGlobals.RUnlock()
 	if ttl != nil {
 		setMaxTTL(&msg, *ttl)
 	}
@ -262,16 +387,15 @@ func (pluginsState *PluginsState) ApplyLoggingPlugins(pluginsGlobals *PluginsGlo
 	}
 	pluginsState.requestEnd = time.Now()
 	questionMsg := pluginsState.questionMsg
-	if questionMsg == nil || len(questionMsg.Question) > 1 {
-		return errors.New("Unexpected number of questions")
+	if questionMsg == nil {
+		return errors.New("Question not found")
 	}
 	pluginsGlobals.RLock()
+	defer pluginsGlobals.RUnlock()
 	for _, plugin := range *pluginsGlobals.loggingPlugins {
-		if ret := plugin.Eval(pluginsState, questionMsg); ret != nil {
-			pluginsGlobals.RUnlock()
-			return ret
+		if err := plugin.Eval(pluginsState, questionMsg); err != nil {
+			return err
 		}
 	}
-	pluginsGlobals.RUnlock()
 	return nil
 }
--- a/dnscrypt-proxy/privilege_linux.go
+++ b/dnscrypt-proxy/privilege_linux.go
@ -9,12 +9,13 @@ import (
 	"strconv"
 	"syscall"

+	"golang.org/x/sys/unix"
+
 	"github.com/jedisct1/dlog"
 )

 func (proxy *Proxy) dropPrivilege(userStr string, fds []*os.File) {
-	currentUser, err := user.Current()
-	if err != nil && currentUser.Uid != "0" {
+	if os.Geteuid() != 0 {
 		dlog.Fatal("Root privileges are required in order to switch to a different user. Maybe try again with 'sudo'")
 	}
 	userInfo, err := user.Lookup(userStr)
@ -23,9 +24,19 @@ func (proxy *Proxy) dropPrivilege(userStr string, fds []*os.File) {
 	if err != nil {
 		uid, err2 := strconv.Atoi(userStr)
 		if err2 != nil || uid <= 0 {
-			dlog.Fatalf("Unable to retrieve any information about user [%s]: [%s] - Remove the user_name directive from the configuration file in order to avoid identity switch", userStr, err)
+			dlog.Fatalf(
+				"Unable to retrieve any information about user [%s]: [%s] - Remove the user_name directive from the configuration file in order to avoid identity switch",
+				userStr,
+				err,
+			)
 		}
-		dlog.Warnf("Unable to retrieve any information about user [%s]: [%s] - Switching to user id [%v] with the same group id, as [%v] looks like a user id. But you should remove or fix the user_name directive in the configuration file if possible", userStr, err, uid, uid)
+		dlog.Warnf(
+			"Unable to retrieve any information about user [%s]: [%s] - Switching to user id [%v] with the same group id, as [%v] looks like a user id. But you should remove or fix the user_name directive in the configuration file if possible",
+			userStr,
+			err,
+			uid,
+			uid,
+		)
 		userInfo = &user.User{Uid: userStr, Gid: userStr}
 	}
 	uid, err := strconv.Atoi(userInfo.Uid)
@ -45,42 +56,36 @@ func (proxy *Proxy) dropPrivilege(userStr string, fds []*os.File) {
 		dlog.Fatal(err)
 	}

-	ServiceManagerReadyNotify()
+	if err := ServiceManagerReadyNotify(); err != nil {
+		dlog.Fatal(err)
+	}

 	args = append(args, "-child")

 	dlog.Notice("Dropping privileges")
+
 	runtime.LockOSThread()
 	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETGROUPS, uintptr(0), uintptr(0), 0); rcode != 0 {
 		dlog.Fatalf("Unable to drop additional groups: [%s]", rcode.Error())
 	}
 	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0); rcode != 0 {
-		dlog.Fatalf("Unable to drop user privileges: [%s]", rcode.Error())
+		dlog.Fatalf("Unable to drop group privileges: [%s]", rcode.Error())
 	}
 	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0); rcode != 0 {
 		dlog.Fatalf("Unable to drop user privileges: [%s]", rcode.Error())
 	}
-	maxfd := uintptr(0)
-	for _, fd := range fds {
-		if fd.Fd() > maxfd {
-			maxfd = fd.Fd()
-		}
-	}
-	fdbase := maxfd + 1
 	for i, fd := range fds {
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_DUP3, fd.Fd(), fdbase+uintptr(i), 0); rcode != 0 {
-			dlog.Fatalf("Unable to clone file descriptor: [%s]", rcode.Error())
+		if fd.Fd() >= InheritedDescriptorsBase {
+			dlog.Fatal("Duplicated file descriptors are above base")
 		}
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_FCNTL, fd.Fd(), syscall.F_SETFD, syscall.FD_CLOEXEC); rcode != 0 {
-			dlog.Fatalf("Unable to set the close on exec flag: [%s]", rcode.Error())
+		if err := unix.Dup2(int(fd.Fd()), int(InheritedDescriptorsBase+uintptr(i))); err != nil {
+			dlog.Fatalf("Unable to clone file descriptor: [%s]", err)
+		}
+		if _, err := unix.FcntlInt(fd.Fd(), unix.F_SETFD, unix.FD_CLOEXEC); err != nil {
+			dlog.Fatalf("Unable to set the close on exec flag: [%s]", err)
 		}
 	}
-	for i := range fds {
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_DUP3, fdbase+uintptr(i), uintptr(i)+3, 0); rcode != 0 {
-			dlog.Fatalf("Unable to reassign descriptor: [%s]", rcode.Error())
-		}
-	}
-	err = syscall.Exec(path, args, os.Environ())
+	err = unix.Exec(path, args, os.Environ())
 	dlog.Fatalf("Unable to reexecute [%s]: [%s]", path, err)
 	os.Exit(1)
 }
--- a/dnscrypt-proxy/privilege_others.go
+++ b/dnscrypt-proxy/privilege_others.go
@ -1,3 +1,4 @@
+//go:build !windows && !linux
 // +build !windows,!linux

 package main
@ -9,75 +10,84 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"syscall"
+
+	"golang.org/x/sys/unix"

 	"github.com/jedisct1/dlog"
 )

 func (proxy *Proxy) dropPrivilege(userStr string, fds []*os.File) {
-	currentUser, err := user.Current()
-	if err != nil && currentUser.Uid != "0" {
+	if os.Geteuid() != 0 {
 		dlog.Fatal("Root privileges are required in order to switch to a different user. Maybe try again with 'sudo'")
 	}
-	user, err := user.Lookup(userStr)
+	userInfo, err := user.Lookup(userStr)
 	args := os.Args

 	if err != nil {
-		dlog.Fatal(err)
+		uid, err2 := strconv.Atoi(userStr)
+		if err2 != nil || uid <= 0 {
+			dlog.Fatalf(
+				"Unable to retrieve any information about user [%s]: [%s] - Remove the user_name directive from the configuration file in order to avoid identity switch",
+				userStr,
+				err,
+			)
+		}
+		dlog.Warnf(
+			"Unable to retrieve any information about user [%s]: [%s] - Switching to user id [%v] with the same group id, as [%v] looks like a user id. But you should remove or fix the user_name directive in the configuration file if possible",
+			userStr,
+			err,
+			uid,
+			uid,
+		)
+		userInfo = &user.User{Uid: userStr, Gid: userStr}
 	}
-	uid, err := strconv.Atoi(user.Uid)
+	uid, err := strconv.Atoi(userInfo.Uid)
 	if err != nil {
 		dlog.Fatal(err)
 	}
-	gid, err := strconv.Atoi(user.Gid)
+	gid, err := strconv.Atoi(userInfo.Gid)
 	if err != nil {
 		dlog.Fatal(err)
 	}
 	execPath, err := exec.LookPath(args[0])
 	if err != nil {
-		dlog.Fatal(err)
+		dlog.Fatalf("Unable to get the path to the dnscrypt-proxy executable file: [%s]", err)
 	}
 	path, err := filepath.Abs(execPath)
 	if err != nil {
 		dlog.Fatal(err)
 	}

-	ServiceManagerReadyNotify()
+	if err := ServiceManagerReadyNotify(); err != nil {
+		dlog.Fatal(err)
+	}

 	args = append(args, "-child")

 	dlog.Notice("Dropping privileges")
+
 	runtime.LockOSThread()
-	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETGROUPS, uintptr(0), uintptr(0), 0); rcode != 0 {
-		dlog.Fatalf("Unable to drop additional groups: %s", rcode.Error())
+	if err := unix.Setgroups([]int{}); err != nil {
+		dlog.Fatalf("Unable to drop additional groups: %s", err)
 	}
-	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0); rcode != 0 {
-		dlog.Fatalf("Unable to drop user privileges: %s", rcode.Error())
+	if err := unix.Setgid(gid); err != nil {
+		dlog.Fatalf("Unable to drop group privileges: %s", err)
 	}
-	if _, _, rcode := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0); rcode != 0 {
-		dlog.Fatalf("Unable to drop user privileges: %s", rcode.Error())
+	if err := unix.Setuid(uid); err != nil {
+		dlog.Fatalf("Unable to drop user privileges: %s", err)
 	}
-	maxfd := uintptr(0)
-	for _, fd := range fds {
-		if fd.Fd() > maxfd {
-			maxfd = fd.Fd()
-		}
-	}
-	fdbase := maxfd + 1
 	for i, fd := range fds {
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_DUP2, fd.Fd(), fdbase+uintptr(i), 0); rcode != 0 {
-			dlog.Fatalf("Unable to clone file descriptor: [%s]", rcode.Error())
+		if fd.Fd() >= InheritedDescriptorsBase {
+			dlog.Fatal("Duplicated file descriptors are above base")
 		}
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_FCNTL, fd.Fd(), syscall.F_SETFD, syscall.FD_CLOEXEC); rcode != 0 {
-			dlog.Fatalf("Unable to set the close on exec flag: [%s]", rcode.Error())
+		if err := unix.Dup2(int(fd.Fd()), int(InheritedDescriptorsBase+uintptr(i))); err != nil {
+			dlog.Fatalf("Unable to clone file descriptor: [%s]", err)
+		}
+		if _, err := unix.FcntlInt(fd.Fd(), unix.F_SETFD, unix.FD_CLOEXEC); err != nil {
+			dlog.Fatalf("Unable to set the close on exec flag: [%s]", err)
 		}
 	}
-	for i := range fds {
-		if _, _, rcode := syscall.RawSyscall(syscall.SYS_DUP2, fdbase+uintptr(i), uintptr(i)+3, 0); rcode != 0 {
-			dlog.Fatalf("Unable to reassign descriptor: [%s]", rcode.Error())
-		}
-	}
-	err = syscall.Exec(path, args, os.Environ())
+	err = unix.Exec(path, args, os.Environ())
 	dlog.Fatalf("Unable to reexecute [%s]: [%s]", path, err)
 	os.Exit(1)
 }
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
--- a/dnscrypt-proxy/resolve.go
+++ b/dnscrypt-proxy/resolve.go
@ -1,60 +1,383 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"net"
+	"os"
 	"strings"
+	"time"
+
+	"github.com/miekg/dns"
 )

-const myResolverHost string = "resolver.dnscrypt.info"
+const (
+	myResolverHost  string = "resolver.dnscrypt.info."
+	nonexistentName string = "nonexistent-zone.dnscrypt-test."
+)

-func Resolve(name string) {
-	fmt.Printf("Resolving [%s]\n\n", name)
-
-	fmt.Printf("Domain exists:  ")
-	ns, err := net.LookupNS(name)
-	if err != nil || len(ns) == 0 {
-		if name == "." {
-			fmt.Println("'No' would mean that the Internet doesn't exist any more, and that would be very sad. On the bright side, you just found an easter egg.")
-		} else {
-			fmt.Println("probably not, or blocked by the proxy")
-		}
-	} else {
-		fmt.Printf("yes, %d name servers found\n", len(ns))
+func resolveQuery(server string, qName string, qType uint16, sendClientSubnet bool) (*dns.Msg, error) {
+	client := new(dns.Client)
+	client.ReadTimeout = 2 * time.Second
+	msg := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			RecursionDesired: true,
+			Opcode:           dns.OpcodeQuery,
+		},
+		Question: make([]dns.Question, 1),
+	}
+	options := &dns.OPT{
+		Hdr: dns.RR_Header{
+			Name:   ".",
+			Rrtype: dns.TypeOPT,
+		},
 	}

-	fmt.Printf("Canonical name: ")
-	cname, err := net.LookupCNAME(name)
-	if err != nil {
-		fmt.Println("-")
-	} else {
+	if sendClientSubnet {
+		subnet := net.IPNet{IP: net.IPv4(93, 184, 216, 0), Mask: net.CIDRMask(24, 32)}
+		prr := dns.EDNS0_SUBNET{}
+		prr.Code = dns.EDNS0SUBNET
+		bits, totalSize := subnet.Mask.Size()
+		if totalSize == 32 {
+			prr.Family = 1
+		} else if totalSize == 128 { // if we want to test with IPv6
+			prr.Family = 2
+		}
+		prr.SourceNetmask = uint8(bits)
+		prr.SourceScope = 0
+		prr.Address = subnet.IP
+		options.Option = append(options.Option, &prr)
+	}
+
+	msg.Extra = append(msg.Extra, options)
+	options.SetDo()
+	options.SetUDPSize(uint16(MaxDNSPacketSize))
+
+	msg.Question[0] = dns.Question{Name: qName, Qtype: qType, Qclass: dns.ClassINET}
+	msg.Id = dns.Id()
+	for i := 0; i < 3; i++ {
+		response, rtt, err := client.Exchange(msg, server)
+		if neterr, ok := err.(net.Error); ok && neterr.Timeout() {
+			client.ReadTimeout *= 2
+			continue
+		}
+		_ = rtt
+		if err != nil {
+			return nil, err
+		}
+		return response, nil
+	}
+	return nil, errors.New("Timeout")
+}
+
+func Resolve(server string, name string, singleResolver bool) {
+	parts := strings.SplitN(name, ",", 2)
+	if len(parts) == 2 {
+		name, server = parts[0], parts[1]
+		singleResolver = true
+	}
+
+	host, port := ExtractHostAndPort(server, 53)
+	if host == "0.0.0.0" {
+		host = "127.0.0.1"
+	} else if host == "[::]" {
+		host = "[::1]"
+	}
+	server = fmt.Sprintf("%s:%d", host, port)
+
+	fmt.Printf("Resolving [%s] using %s port %d\n\n", name, host, port)
+	name = dns.Fqdn(name)
+
+	cname := name
+	var clientSubnet string
+
+	for once := true; once; once = false {
+		response, err := resolveQuery(server, myResolverHost, dns.TypeTXT, true)
+		if err != nil {
+			fmt.Printf("Unable to resolve: [%s]\n", err)
+			os.Exit(1)
+		}
+		fmt.Printf("Resolver      : ")
+		res := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Class != dns.ClassINET || answer.Header().Rrtype != dns.TypeTXT {
+				continue
+			}
+			var ip string
+			for _, txt := range answer.(*dns.TXT).Txt {
+				if strings.HasPrefix(txt, "Resolver IP: ") {
+					ip = strings.TrimPrefix(txt, "Resolver IP: ")
+				} else if strings.HasPrefix(txt, "EDNS0 client subnet: ") {
+					clientSubnet = strings.TrimPrefix(txt, "EDNS0 client subnet: ")
+				}
+			}
+			if ip == "" {
+				continue
+			}
+			if rev, err := dns.ReverseAddr(ip); err == nil {
+				response, err = resolveQuery(server, rev, dns.TypePTR, false)
+				if err != nil {
+					break
+				}
+				for _, answer := range response.Answer {
+					if answer.Header().Rrtype != dns.TypePTR || answer.Header().Class != dns.ClassINET {
+						continue
+					}
+					ip = ip + " (" + answer.(*dns.PTR).Ptr + ")"
+					break
+				}
+			}
+			res = append(res, ip)
+		}
+		if len(res) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(res, ", "))
+		}
+	}
+
+	if singleResolver {
+		for once := true; once; once = false {
+			fmt.Printf("Lying         : ")
+			response, err := resolveQuery(server, nonexistentName, dns.TypeA, false)
+			if err != nil {
+				break
+			}
+			if response.Rcode == dns.RcodeSuccess {
+				fmt.Println("yes. That resolver returns wrong responses")
+			} else if response.Rcode == dns.RcodeNameError {
+				fmt.Println("no")
+			} else {
+				fmt.Printf("unknown - query returned %s\n", dns.RcodeToString[response.Rcode])
+			}
+
+			if response.Rcode == dns.RcodeNameError {
+				fmt.Printf("DNSSEC        : ")
+				if response.AuthenticatedData {
+					fmt.Println("yes, the resolver supports DNSSEC")
+				} else {
+					fmt.Println("no, the resolver doesn't support DNSSEC")
+				}
+			}
+
+			fmt.Printf("ECS           : ")
+			if clientSubnet != "" {
+				fmt.Println("client network address is sent to authoritative servers")
+			} else {
+				fmt.Println("ignored or selective")
+			}
+		}
+	}
+
+	fmt.Println("")
+
+cname:
+	for once := true; once; once = false {
+		fmt.Printf("Canonical name: ")
+		for i := 0; i < 100; i++ {
+			response, err := resolveQuery(server, cname, dns.TypeCNAME, false)
+			if err != nil {
+				break cname
+			}
+			found := false
+			for _, answer := range response.Answer {
+				if answer.Header().Rrtype != dns.TypeCNAME || answer.Header().Class != dns.ClassINET {
+					continue
+				}
+				cname = answer.(*dns.CNAME).Target
+				found = true
+				break
+			}
+			if !found {
+				break
+			}
+		}
 		fmt.Println(cname)
 	}

-	fmt.Printf("IP addresses:   ")
-	addrs, err := net.LookupHost(name)
-	if err != nil {
-		fmt.Println("-")
-	} else {
-		fmt.Println(strings.Join(addrs, ", "))
-	}
+	fmt.Println("")

-	fmt.Printf("TXT records:    ")
-	txt, err := net.LookupTXT(name)
-	if err != nil {
-		fmt.Println("-")
-	} else {
-		fmt.Println(strings.Join(txt, " "))
-	}
-
-	resIP, err := net.LookupHost(myResolverHost)
-	if err == nil && len(resIP) > 0 {
-		fmt.Printf("Resolver IP:    %s", resIP[0])
-		rev, err := net.LookupAddr(resIP[0])
-		if err == nil && len(rev) > 0 {
-			fmt.Printf(" (%s)", rev[0])
+	for once := true; once; once = false {
+		fmt.Printf("IPv4 addresses: ")
+		response, err := resolveQuery(server, cname, dns.TypeA, false)
+		if err != nil {
+			break
+		}
+		ipv4 := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeA || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			ipv4 = append(ipv4, answer.(*dns.A).A.String())
+		}
+		if len(ipv4) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(ipv4, ", "))
 		}
-		fmt.Println("")
 	}
+
+	for once := true; once; once = false {
+		fmt.Printf("IPv6 addresses: ")
+		response, err := resolveQuery(server, cname, dns.TypeAAAA, false)
+		if err != nil {
+			break
+		}
+		ipv6 := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeAAAA || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			ipv6 = append(ipv6, answer.(*dns.AAAA).AAAA.String())
+		}
+		if len(ipv6) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(ipv6, ", "))
+		}
+	}
+
+	fmt.Println("")
+
+	for once := true; once; once = false {
+		fmt.Printf("Name servers  : ")
+		response, err := resolveQuery(server, cname, dns.TypeNS, false)
+		if err != nil {
+			break
+		}
+		nss := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeNS || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			nss = append(nss, answer.(*dns.NS).Ns)
+		}
+		if response.Rcode == dns.RcodeNameError {
+			fmt.Println("name does not exist")
+		} else if response.Rcode != dns.RcodeSuccess {
+			fmt.Printf("server returned %s", dns.RcodeToString[response.Rcode])
+		} else if len(nss) == 0 {
+			fmt.Println("no name servers found")
+		} else {
+			fmt.Println(strings.Join(nss, ", "))
+		}
+		fmt.Printf("DNSSEC signed : ")
+		if response.AuthenticatedData {
+			fmt.Println("yes")
+		} else {
+			fmt.Println("no")
+		}
+	}
+
+	for once := true; once; once = false {
+		fmt.Printf("Mail servers  : ")
+		response, err := resolveQuery(server, cname, dns.TypeMX, false)
+		if err != nil {
+			break
+		}
+		mxs := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeMX || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			mxs = append(mxs, answer.(*dns.MX).Mx)
+		}
+		if len(mxs) == 0 {
+			fmt.Println("no mail servers found")
+		} else if len(mxs) > 1 {
+			fmt.Printf("%d mail servers found\n", len(mxs))
+		} else {
+			fmt.Println("1 mail servers found")
+		}
+	}
+
+	fmt.Println("")
+
+	for once := true; once; once = false {
+		fmt.Printf("HTTPS alias   : ")
+		response, err := resolveQuery(server, cname, dns.TypeHTTPS, false)
+		if err != nil {
+			break
+		}
+		aliases := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeHTTPS || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			https := answer.(*dns.HTTPS)
+			if https.Priority != 0 || len(https.Target) < 2 {
+				continue
+			}
+			aliases = append(aliases, https.Target)
+		}
+		if len(aliases) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(aliases, ", "))
+		}
+
+		fmt.Printf("HTTPS info    : ")
+		info := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeHTTPS || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			https := answer.(*dns.HTTPS)
+			if https.Priority == 0 || len(https.Target) > 1 {
+				continue
+			}
+			for _, value := range https.Value {
+				info = append(info, fmt.Sprintf("[%s]=[%s]", value.Key(), value.String()))
+			}
+		}
+		if len(info) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(info, ", "))
+		}
+	}
+
+	fmt.Println("")
+
+	for once := true; once; once = false {
+		fmt.Printf("Host info     : ")
+		response, err := resolveQuery(server, cname, dns.TypeHINFO, false)
+		if err != nil {
+			break
+		}
+		hinfo := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeHINFO || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			hinfo = append(hinfo, fmt.Sprintf("%s %s", answer.(*dns.HINFO).Cpu, answer.(*dns.HINFO).Os))
+		}
+		if len(hinfo) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(hinfo, ", "))
+		}
+	}
+
+	for once := true; once; once = false {
+		fmt.Printf("TXT records   : ")
+		response, err := resolveQuery(server, cname, dns.TypeTXT, false)
+		if err != nil {
+			break
+		}
+		txt := make([]string, 0)
+		for _, answer := range response.Answer {
+			if answer.Header().Rrtype != dns.TypeTXT || answer.Header().Class != dns.ClassINET {
+				continue
+			}
+			txt = append(txt, strings.Join(answer.(*dns.TXT).Txt, " "))
+		}
+		if len(txt) == 0 {
+			fmt.Println("-")
+		} else {
+			fmt.Println(strings.Join(txt, ", "))
+		}
+	}
+
 	fmt.Println("")
 }
--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
--- a/dnscrypt-proxy/service_android.go
+++ b/dnscrypt-proxy/service_android.go
@ -0,0 +1,12 @@
+//go:build android
+// +build android
+
+package main
+
+func ServiceManagerStartNotify() error {
+	return nil
+}
+
+func ServiceManagerReadyNotify() error {
+	return nil
+}
--- a/dnscrypt-proxy/service_linux.go
+++ b/dnscrypt-proxy/service_linux.go
@ -1,12 +1,36 @@
+//go:build !android
+// +build !android
+
 package main

-import "github.com/coreos/go-systemd/daemon"
+import (
+	"github.com/coreos/go-systemd/daemon"
+	clocksmith "github.com/jedisct1/go-clocksmith"
+)
+
+const SdNotifyStatus = "STATUS="

 func ServiceManagerStartNotify() error {
-	daemon.SdNotify(false, "STATUS=Starting")
+	daemon.SdNotify(false, SdNotifyStatus+"Starting...")
 	return nil
 }

-func ServiceManagerReadyNotify() {
-	daemon.SdNotify(false, "READY=1")
+func ServiceManagerReadyNotify() error {
+	daemon.SdNotify(false, daemon.SdNotifyReady+"\n"+SdNotifyStatus+"Ready")
+	return systemDWatchdog()
+}
+
+func systemDWatchdog() error {
+	watchdogFailureDelay, err := daemon.SdWatchdogEnabled(false)
+	if err != nil || watchdogFailureDelay == 0 {
+		return err
+	}
+	refreshInterval := watchdogFailureDelay / 3
+	go func() {
+		for {
+			daemon.SdNotify(false, daemon.SdNotifyWatchdog)
+			clocksmith.Sleep(refreshInterval)
+		}
+	}()
+	return nil
 }
--- a/dnscrypt-proxy/service_others.go
+++ b/dnscrypt-proxy/service_others.go
@ -1,3 +1,4 @@
+//go:build !linux && !windows
 // +build !linux,!windows

 package main
@ -6,5 +7,6 @@ func ServiceManagerStartNotify() error {
 	return nil
 }

-func ServiceManagerReadyNotify() {
+func ServiceManagerReadyNotify() error {
+	return nil
 }
--- a/dnscrypt-proxy/service_windows.go
+++ b/dnscrypt-proxy/service_windows.go
@ -7,8 +7,11 @@ func ServiceManagerStartNotify() error {
 	if err != nil {
 		return err
 	}
-	mgr.Disconnect()
+	_ = mgr.Disconnect()
+
 	return nil
 }

-func ServiceManagerReadyNotify() {}
+func ServiceManagerReadyNotify() error {
+	return nil
+}
--- a/dnscrypt-proxy/setsockopts_darwin.go
+++ b/dnscrypt-proxy/setsockopts_darwin.go
@ -0,0 +1,31 @@
+package main
+
+import (
+	"net"
+	"syscall"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_DF, 0)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4096)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 4096)
+			})
+			return nil
+		},
+	}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+			})
+			return nil
+		},
+	}, nil
+}
--- a/dnscrypt-proxy/setsockopts_freebsd.go
+++ b/dnscrypt-proxy/setsockopts_freebsd.go
@ -0,0 +1,35 @@
+package main
+
+import (
+	"net"
+	"syscall"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IPV6, syscall.IPV6_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_DF, 0)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4096)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 4096)
+			})
+			return nil
+		},
+	}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IPV6, syscall.IPV6_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+			})
+			return nil
+		},
+	}, nil
+}
--- a/dnscrypt-proxy/setsockopts_linux.go
+++ b/dnscrypt-proxy/setsockopts_linux.go
@ -0,0 +1,40 @@
+package main
+
+import (
+	"net"
+	"syscall"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_FREEBIND, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_DF, 0)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(
+					int(fd),
+					syscall.IPPROTO_IP,
+					syscall.IP_MTU_DISCOVER,
+					syscall.IP_PMTUDISC_DONT,
+				)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUFFORCE, 4096)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUFFORCE, 4096)
+			})
+			return nil
+		},
+	}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_FREEBIND, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_TCP, syscall.TCP_QUICKACK, 1)
+			})
+			return nil
+		},
+	}, nil
+}
--- a/dnscrypt-proxy/setsockopts_openbsd.go
+++ b/dnscrypt-proxy/setsockopts_openbsd.go
@ -0,0 +1,33 @@
+package main
+
+import (
+	"net"
+	"syscall"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_DF, 0)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4096)
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 4096)
+			})
+			return nil
+		},
+	}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_BINDANY, 1)
+				_ = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+			})
+			return nil
+		},
+	}, nil
+}
--- a/dnscrypt-proxy/setsockopts_others.go
+++ b/dnscrypt-proxy/setsockopts_others.go
@ -0,0 +1,16 @@
+//go:build !freebsd && !openbsd && !windows && !darwin && !linux
+// +build !freebsd,!openbsd,!windows,!darwin,!linux
+
+package main
+
+import (
+	"net"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{}, nil
+}
--- a/dnscrypt-proxy/setsockopts_windows.go
+++ b/dnscrypt-proxy/setsockopts_windows.go
@ -0,0 +1,30 @@
+package main
+
+import (
+	"net"
+	"syscall"
+)
+
+func (proxy *Proxy) udpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+				_ = syscall.SetsockoptInt(syscall.Handle(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, 4096)
+				_ = syscall.SetsockoptInt(syscall.Handle(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUF, 4096)
+			})
+			return nil
+		},
+	}, nil
+}
+
+func (proxy *Proxy) tcpListenerConfig() (*net.ListenConfig, error) {
+	return &net.ListenConfig{
+		Control: func(network, address string, c syscall.RawConn) error {
+			_ = c.Control(func(fd uintptr) {
+				_ = syscall.SetsockoptInt(syscall.Handle(fd), syscall.IPPROTO_IP, syscall.IP_TOS, 0x70)
+			})
+			return nil
+		},
+	}, nil
+}
--- a/dnscrypt-proxy/sources.go
+++ b/dnscrypt-proxy/sources.go
@ -1,22 +1,19 @@
 package main

 import (
-	"errors"
+	"bytes"
 	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
+	"math/rand"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
-	"unicode"

 	"github.com/dchest/safefile"

 	"github.com/jedisct1/dlog"
-	stamps "github.com/jedisct1/go-dnsstamps"
+	"github.com/jedisct1/go-dnsstamps"
 	"github.com/jedisct1/go-minisign"
 )

@ -27,220 +24,268 @@ const (
 )

 const (
-	SourcesUpdateDelay = time.Duration(24) * time.Hour
+	DefaultPrefetchDelay    time.Duration = 24 * time.Hour
+	MinimumPrefetchInterval time.Duration = 10 * time.Minute
 )

 type Source struct {
-	urls   []string
-	format SourceFormat
-	in     string
+	name                    string
+	urls                    []*url.URL
+	format                  SourceFormat
+	bin                     []byte
+	minisignKey             *minisign.PublicKey
+	cacheFile               string
+	cacheTTL, prefetchDelay time.Duration
+	refresh                 time.Time
+	prefix                  string
 }

-func fetchFromCache(cacheFile string) (in string, expired bool, delayTillNextUpdate time.Duration, err error) {
-	expired = false
-	fi, err := os.Stat(cacheFile)
-	if err != nil {
-		dlog.Debugf("Cache file [%s] not present", cacheFile)
-		delayTillNextUpdate = time.Duration(0)
-		return
+// timeNow() is replaced by tests to provide a static value
+var timeNow = time.Now
+
+func (source *Source) checkSignature(bin, sig []byte) error {
+	signature, err := minisign.DecodeSignature(string(sig))
+	if err == nil {
+		_, err = source.minisignKey.Verify(bin, signature)
 	}
-	elapsed := time.Since(fi.ModTime())
-	if elapsed < SourcesUpdateDelay {
-		dlog.Debugf("Cache file [%s] is still fresh", cacheFile)
-		delayTillNextUpdate = SourcesUpdateDelay - elapsed
+	return err
+}
+
+func (source *Source) fetchFromCache(now time.Time) (time.Duration, error) {
+	var err error
+	var bin, sig []byte
+	if bin, err = os.ReadFile(source.cacheFile); err != nil {
+		return 0, err
+	}
+	if sig, err = os.ReadFile(source.cacheFile + ".minisig"); err != nil {
+		return 0, err
+	}
+	if err = source.checkSignature(bin, sig); err != nil {
+		return 0, err
+	}
+	source.bin = bin
+	var fi os.FileInfo
+	if fi, err = os.Stat(source.cacheFile); err != nil {
+		return 0, err
+	}
+	var ttl time.Duration = 0
+	if elapsed := now.Sub(fi.ModTime()); elapsed < source.cacheTTL {
+		ttl = source.prefetchDelay - elapsed
+		dlog.Debugf("Source [%s] cache file [%s] is still fresh, next update: %v", source.name, source.cacheFile, ttl)
 	} else {
-		dlog.Debugf("Cache file [%s] needs to be refreshed", cacheFile)
-		delayTillNextUpdate = time.Duration(0)
+		dlog.Debugf("Source [%s] cache file [%s] needs to be refreshed", source.name, source.cacheFile)
 	}
-	var bin []byte
-	bin, err = ioutil.ReadFile(cacheFile)
-	if err != nil {
-		delayTillNextUpdate = time.Duration(0)
-		return
-	}
-	in = string(bin)
-	if delayTillNextUpdate <= time.Duration(0) {
-		expired = true
-	}
-	return
+	return ttl, nil
 }

-func fetchWithCache(xTransport *XTransport, urlStr string, cacheFile string) (in string, cached bool, delayTillNextUpdate time.Duration, err error) {
-	cached = false
-	expired := false
-	in, expired, delayTillNextUpdate, err = fetchFromCache(cacheFile)
-	if err == nil && !expired {
-		dlog.Debugf("Delay till next update: %v", delayTillNextUpdate)
-		cached = true
-		return
+func writeSource(f string, bin, sig []byte) error {
+	var err error
+	var fSrc, fSig *safefile.File
+	if fSrc, err = safefile.Create(f, 0o644); err != nil {
+		return err
 	}
-	if expired {
-		cached = true
+	defer fSrc.Close()
+	if fSig, err = safefile.Create(f+".minisig", 0o644); err != nil {
+		return err
 	}
-	if len(urlStr) == 0 {
-		if !expired {
-			err = fmt.Errorf("Cache file [%s] not present and no URL given to retrieve it", cacheFile)
+	defer fSig.Close()
+	if _, err = fSrc.Write(bin); err != nil {
+		return err
+	}
+	if _, err = fSig.Write(sig); err != nil {
+		return err
+	}
+	if err = fSrc.Commit(); err != nil {
+		return err
+	}
+	return fSig.Commit()
+}
+
+func (source *Source) updateCache(bin, sig []byte, now time.Time) {
+	file := source.cacheFile
+	absPath := file
+	if resolved, err := filepath.Abs(file); err != nil {
+		absPath = resolved
+	}
+
+	if !bytes.Equal(source.bin, bin) {
+		if err := writeSource(file, bin, sig); err != nil {
+			dlog.Warnf("Couldn't write cache file [%s]: %s", absPath, err) // an error writing to the cache isn't fatal
 		}
-		return
+	}
+	if err := os.Chtimes(file, now, now); err != nil {
+		dlog.Warnf("Couldn't update cache file [%s]: %s", absPath, err)
 	}

-	var resp *http.Response
-	dlog.Infof("Loading source information from URL [%s]", urlStr)
+	source.bin = bin
+}

-	url, err := url.Parse(urlStr)
+func (source *Source) parseURLs(urls []string) {
+	for _, urlStr := range urls {
+		if srcURL, err := url.Parse(urlStr); err != nil {
+			dlog.Warnf("Source [%s] failed to parse URL [%s]", source.name, urlStr)
+		} else {
+			source.urls = append(source.urls, srcURL)
+		}
+	}
+}
+
+func fetchFromURL(xTransport *XTransport, u *url.URL) ([]byte, error) {
+	bin, _, _, _, err := xTransport.GetWithCompression(u, "", DefaultTimeout)
+	return bin, err
+}
+
+func (source *Source) fetchWithCache(xTransport *XTransport, now time.Time) (time.Duration, error) {
+	var err error
+	var ttl time.Duration
+	if ttl, err = source.fetchFromCache(now); err != nil {
+		if len(source.urls) == 0 {
+			dlog.Errorf("Source [%s] cache file [%s] not present and no valid URL", source.name, source.cacheFile)
+			return 0, err
+		}
+		dlog.Debugf("Source [%s] cache file [%s] not present", source.name, source.cacheFile)
+	}
+
+	if len(source.urls) == 0 {
+		return 0, err
+	}
+	if ttl > 0 {
+		source.refresh = now.Add(ttl)
+		return 0, err
+	}
+
+	ttl = MinimumPrefetchInterval
+	source.refresh = now.Add(ttl)
+	var bin, sig []byte
+	for _, srcURL := range source.urls {
+		dlog.Infof("Source [%s] loading from URL [%s]", source.name, srcURL)
+		sigURL := &url.URL{}
+		*sigURL = *srcURL // deep copy to avoid parsing twice
+		sigURL.Path += ".minisig"
+		if bin, err = fetchFromURL(xTransport, srcURL); err != nil {
+			dlog.Debugf("Source [%s] failed to download from URL [%s]", source.name, srcURL)
+			continue
+		}
+		if sig, err = fetchFromURL(xTransport, sigURL); err != nil {
+			dlog.Debugf("Source [%s] failed to download signature from URL [%s]", source.name, sigURL)
+			continue
+		}
+		if err = source.checkSignature(bin, sig); err != nil {
+			dlog.Debugf("Source [%s] failed signature check using URL [%s]", source.name, srcURL)
+			continue
+		}
+		break // valid signature
+	}
 	if err != nil {
-		return
+		return 0, err
 	}
-	resp, _, err = xTransport.Get(url, "", 30*time.Second)
-	if err == nil && resp != nil && (resp.StatusCode < 200 || resp.StatusCode > 299) {
-		err = fmt.Errorf("Webserver returned code %d", resp.StatusCode)
-		return
-	} else if err != nil {
-		return
-	} else if resp == nil {
-		err = errors.New("Webserver returned an error")
-		return
-	}
-	var bin []byte
-	bin, err = ioutil.ReadAll(io.LimitReader(resp.Body, MaxHTTPBodyLength))
-	resp.Body.Close()
-	if err != nil {
-		return
-	}
-	err = nil
-	cached = false
-	in = string(bin)
-	delayTillNextUpdate = SourcesUpdateDelay
-	return
+	source.updateCache(bin, sig, now)
+	ttl = source.prefetchDelay
+	source.refresh = now.Add(ttl)
+	return ttl, nil
 }

-func AtomicFileWrite(file string, data []byte) error {
-	return safefile.WriteFile(file, data, 0644)
-}
-
-type URLToPrefetch struct {
-	url       string
-	cacheFile string
-	when      time.Time
-}
-
-func NewSource(xTransport *XTransport, urls []string, minisignKeyStr string, cacheFile string, formatStr string, refreshDelay time.Duration) (Source, []URLToPrefetch, error) {
-	_ = refreshDelay
-	source := Source{urls: urls}
+// NewSource loads a new source using the given cacheFile and urls, ensuring it has a valid signature
+func NewSource(
+	name string,
+	xTransport *XTransport,
+	urls []string,
+	minisignKeyStr string,
+	cacheFile string,
+	formatStr string,
+	refreshDelay time.Duration,
+	prefix string,
+) (*Source, error) {
+	if refreshDelay < DefaultPrefetchDelay {
+		refreshDelay = DefaultPrefetchDelay
+	}
+	source := &Source{
+		name:          name,
+		urls:          []*url.URL{},
+		cacheFile:     cacheFile,
+		cacheTTL:      refreshDelay,
+		prefetchDelay: DefaultPrefetchDelay,
+		prefix:        prefix,
+	}
 	if formatStr == "v2" {
 		source.format = SourceFormatV2
 	} else {
-		return source, []URLToPrefetch{}, fmt.Errorf("Unsupported source format: [%s]", formatStr)
+		return source, fmt.Errorf("Unsupported source format: [%s]", formatStr)
 	}
-	minisignKey, err := minisign.NewPublicKey(minisignKeyStr)
-	if err != nil {
-		return source, []URLToPrefetch{}, err
-	}
-	now := time.Now()
-	urlsToPrefetch := []URLToPrefetch{}
-	sigCacheFile := cacheFile + ".minisig"
-
-	var sigStr, in string
-	var cached, sigCached bool
-	var delayTillNextUpdate, sigDelayTillNextUpdate time.Duration
-	var sigErr error
-	var preloadURL string
-	if len(urls) <= 0 {
-		in, cached, delayTillNextUpdate, err = fetchWithCache(xTransport, "", cacheFile)
-		sigStr, sigCached, sigDelayTillNextUpdate, sigErr = fetchWithCache(xTransport, "", sigCacheFile)
+	if minisignKey, err := minisign.NewPublicKey(minisignKeyStr); err == nil {
+		source.minisignKey = &minisignKey
 	} else {
-		preloadURL = urls[0]
-		for _, url := range urls {
-			sigURL := url + ".minisig"
-			in, cached, delayTillNextUpdate, err = fetchWithCache(xTransport, url, cacheFile)
-			sigStr, sigCached, sigDelayTillNextUpdate, sigErr = fetchWithCache(xTransport, sigURL, sigCacheFile)
-			if err == nil && sigErr == nil {
-				preloadURL = url
-				break
-			}
-			dlog.Infof("Loading from [%s] failed", url)
-		}
+		return source, err
 	}
-	if len(preloadURL) > 0 {
-		url := preloadURL
-		sigURL := url + ".minisig"
-		urlsToPrefetch = append(urlsToPrefetch, URLToPrefetch{url: url, cacheFile: cacheFile, when: now.Add(delayTillNextUpdate)})
-		urlsToPrefetch = append(urlsToPrefetch, URLToPrefetch{url: sigURL, cacheFile: sigCacheFile, when: now.Add(sigDelayTillNextUpdate)})
+	source.parseURLs(urls)
+	_, err := source.fetchWithCache(xTransport, timeNow())
+	if err == nil {
+		dlog.Noticef("Source [%s] loaded", name)
 	}
-	if sigErr != nil && err == nil {
-		err = sigErr
-	}
-	if err != nil {
-		return source, urlsToPrefetch, err
-	}
-
-	signature, err := minisign.DecodeSignature(sigStr)
-	if err != nil {
-		os.Remove(cacheFile)
-		os.Remove(sigCacheFile)
-		return source, urlsToPrefetch, err
-	}
-	res, err := minisignKey.Verify([]byte(in), signature)
-	if err != nil || !res {
-		os.Remove(cacheFile)
-		os.Remove(sigCacheFile)
-		return source, urlsToPrefetch, err
-	}
-	if !cached {
-		if err = AtomicFileWrite(cacheFile, []byte(in)); err != nil {
-			if absPath, err2 := filepath.Abs(cacheFile); err2 == nil {
-				dlog.Warnf("%s: %s", absPath, err)
-			}
-		}
-	}
-	if !sigCached {
-		if err = AtomicFileWrite(sigCacheFile, []byte(sigStr)); err != nil {
-			if absPath, err2 := filepath.Abs(sigCacheFile); err2 == nil {
-				dlog.Warnf("%s: %s", absPath, err)
-			}
-		}
-	}
-	dlog.Noticef("Source [%s] loaded", cacheFile)
-	source.in = in
-	return source, urlsToPrefetch, nil
+	return source, err
 }

-func (source *Source) Parse(prefix string) ([]RegisteredServer, error) {
+// PrefetchSources downloads latest versions of given sources, ensuring they have a valid signature before caching
+func PrefetchSources(xTransport *XTransport, sources []*Source) time.Duration {
+	now := timeNow()
+	interval := MinimumPrefetchInterval
+	for _, source := range sources {
+		if source.refresh.IsZero() || source.refresh.After(now) {
+			continue
+		}
+		dlog.Debugf("Prefetching [%s]", source.name)
+		if delay, err := source.fetchWithCache(xTransport, now); err != nil {
+			dlog.Infof("Prefetching [%s] failed: %v, will retry in %v", source.name, err, interval)
+		} else {
+			dlog.Debugf("Prefetching [%s] succeeded, next update in %v min", source.name, delay)
+			if delay >= MinimumPrefetchInterval && (interval == MinimumPrefetchInterval || interval > delay) {
+				interval = delay
+			}
+		}
+	}
+	return interval
+}
+
+func (source *Source) Parse() ([]RegisteredServer, error) {
 	if source.format == SourceFormatV2 {
-		return source.parseV2(prefix)
+		return source.parseV2()
 	}
 	dlog.Fatal("Unexpected source format")
 	return []RegisteredServer{}, nil
 }

-func (source *Source) parseV2(prefix string) ([]RegisteredServer, error) {
+func (source *Source) parseV2() ([]RegisteredServer, error) {
 	var registeredServers []RegisteredServer
-	in := string(source.in)
+	var stampErrs []string
+	appendStampErr := func(format string, a ...interface{}) {
+		stampErr := fmt.Sprintf(format, a...)
+		stampErrs = append(stampErrs, stampErr)
+		dlog.Warn(stampErr)
+	}
+	in := string(source.bin)
 	parts := strings.Split(in, "## ")
 	if len(parts) < 2 {
 		return registeredServers, fmt.Errorf("Invalid format for source at [%v]", source.urls)
 	}
 	parts = parts[1:]
 	for _, part := range parts {
-		part = strings.TrimFunc(part, unicode.IsSpace)
+		part = strings.TrimSpace(part)
 		subparts := strings.Split(part, "\n")
 		if len(subparts) < 2 {
 			return registeredServers, fmt.Errorf("Invalid format for source at [%v]", source.urls)
 		}
-		name := strings.TrimFunc(subparts[0], unicode.IsSpace)
+		name := strings.TrimSpace(subparts[0])
 		if len(name) == 0 {
 			return registeredServers, fmt.Errorf("Invalid format for source at [%v]", source.urls)
 		}
 		subparts = subparts[1:]
-		name = prefix + name
+		name = source.prefix + name
 		var stampStr, description string
+		stampStrs := make([]string, 0)
 		for _, subpart := range subparts {
-			subpart = strings.TrimFunc(subpart, unicode.IsSpace)
-			if strings.HasPrefix(subpart, "sdns:") {
-				if len(stampStr) > 0 {
-					return registeredServers, fmt.Errorf("Multiple stamps for server [%s] in source from [%v]", name, source.urls)
-				}
-				stampStr = subpart
+			subpart = strings.TrimSpace(subpart)
+			if strings.HasPrefix(subpart, "sdns:") && len(subpart) >= 6 {
+				stampStrs = append(stampStrs, subpart)
 				continue
 			} else if len(subpart) == 0 || strings.HasPrefix(subpart, "//") {
 				continue
@ -250,13 +295,24 @@ func (source *Source) parseV2(prefix string) ([]RegisteredServer, error) {
 			}
 			description += subpart
 		}
-		if len(stampStr) < 6 {
-			return registeredServers, fmt.Errorf("Missing stamp for server [%s] in source from [%v]", name, source.urls)
+		stampStrsLen := len(stampStrs)
+		if stampStrsLen <= 0 {
+			appendStampErr("Missing stamp for server [%s]", name)
+			continue
+		} else if stampStrsLen > 1 {
+			rand.Shuffle(stampStrsLen, func(i, j int) { stampStrs[i], stampStrs[j] = stampStrs[j], stampStrs[i] })
+		}
+		var stamp dnsstamps.ServerStamp
+		var err error
+		for _, stampStr = range stampStrs {
+			stamp, err = dnsstamps.NewServerStampFromString(stampStr)
+			if err == nil {
+				break
+			}
+			appendStampErr("Invalid or unsupported stamp [%v]: %s", stampStr, err.Error())
 		}
-		stamp, err := stamps.NewServerStampFromString(stampStr)
 		if err != nil {
-			dlog.Errorf("Invalid or unsupported stamp: [%v]", stampStr)
-			return registeredServers, err
+			continue
 		}
 		registeredServer := RegisteredServer{
 			name: name, stamp: stamp, description: description,
@ -264,14 +320,8 @@ func (source *Source) parseV2(prefix string) ([]RegisteredServer, error) {
 		dlog.Debugf("Registered [%s] with stamp [%s]", name, stamp.String())
 		registeredServers = append(registeredServers, registeredServer)
 	}
+	if len(stampErrs) > 0 {
+		return registeredServers, fmt.Errorf("%s", strings.Join(stampErrs, ", "))
+	}
 	return registeredServers, nil
 }
-
-func PrefetchSourceURL(xTransport *XTransport, urlToPrefetch *URLToPrefetch) error {
-	in, cached, delayTillNextUpdate, err := fetchWithCache(xTransport, urlToPrefetch.url, urlToPrefetch.cacheFile)
-	if err == nil && !cached {
-		AtomicFileWrite(urlToPrefetch.cacheFile, []byte(in))
-	}
-	urlToPrefetch.when = time.Now().Add(delayTillNextUpdate)
-	return err
-}
--- a/dnscrypt-proxy/sources_test.go
+++ b/dnscrypt-proxy/sources_test.go
@ -0,0 +1,491 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hectane/go-acl"
+	"github.com/jedisct1/dlog"
+	"github.com/jedisct1/go-minisign"
+	"github.com/powerman/check"
+)
+
+type SourceFixture struct {
+	suffix  string
+	content []byte
+	length  string // HTTP Content-Length header
+	perms   os.FileMode
+	mtime   time.Time
+}
+type SourceTestState uint8
+
+const (
+	TestStateCorrect    SourceTestState = iota // valid files
+	TestStateExpired                           // modification time of files set in distant past (cache only)
+	TestStatePartial                           // incomplete files
+	TestStatePartialSig                        // incomplete .minisig
+	TestStateMissing                           // non-existent files
+	TestStateMissingSig                        // non-existent .minisig
+	TestStateReadErr                           // I/O error on reading files (download only)
+	TestStateReadSigErr                        // I/O error on reading .minisig (download only)
+	TestStateOpenErr                           // I/O error on opening files
+	TestStateOpenSigErr                        // I/O error on opening .minisig
+	TestStatePathErr                           // unparseable path to files (download only)
+)
+
+type SourceTestData struct {
+	n                         int // subtest counter
+	xTransport                *XTransport
+	key                       *minisign.PublicKey
+	keyStr, tempDir           string
+	sources                   []string
+	fixtures                  map[SourceTestState]map[string]SourceFixture
+	timeNow, timeOld, timeUpd time.Time
+	server                    *httptest.Server
+	reqActual, reqExpect      map[string]uint
+	cacheTests                map[string]SourceTestState
+	downloadTests             map[string][]SourceTestState
+}
+
+type SourceTestExpect struct {
+	success        bool
+	err, cachePath string
+	cache          []SourceFixture
+	mtime          time.Time
+	urls           []string
+	Source         *Source
+	delay          time.Duration
+	prefix         string
+}
+
+func readFixture(t *testing.T, name string) []byte {
+	bin, err := os.ReadFile(filepath.Join("testdata", name))
+	if err != nil {
+		t.Fatalf("Unable to read test fixture %s: %v", name, err)
+	}
+	return bin
+}
+
+func writeSourceCache(t *testing.T, e *SourceTestExpect) {
+	for _, f := range e.cache {
+		if f.content == nil {
+			continue
+		}
+		path := e.cachePath + f.suffix
+		perms := f.perms
+		if perms == 0 {
+			perms = 0o644
+		}
+		if err := os.WriteFile(path, f.content, perms); err != nil {
+			t.Fatalf("Unable to write cache file %s: %v", path, err)
+		}
+		if err := acl.Chmod(path, perms); err != nil {
+			t.Fatalf("Unable to set permissions on cache file %s: %v", path, err)
+		}
+		if f.suffix != "" {
+			continue
+		}
+		mtime := f.mtime
+		if f.mtime.IsZero() {
+			mtime = e.mtime
+		}
+		if err := os.Chtimes(path, mtime, mtime); err != nil {
+			t.Fatalf("Unable to touch cache file %s to %v: %v", path, f.mtime, err)
+		}
+	}
+}
+
+func checkSourceCache(c *check.C, e *SourceTestExpect) {
+	for _, f := range e.cache {
+		path := e.cachePath + f.suffix
+		_ = acl.Chmod(path, 0o644) // don't worry if this fails, reading it will catch the same problem
+		got, err := os.ReadFile(path)
+		c.DeepEqual(got, f.content, "Unexpected content for cache file '%s', err %v", path, err)
+		if f.suffix != "" {
+			continue
+		}
+		if fi, err := os.Stat(path); err == nil { // again, if this failed it was already caught above
+			mtime := f.mtime
+			if f.mtime.IsZero() {
+				mtime = e.mtime
+			}
+			c.EQ(fi.ModTime(), mtime, "Unexpected timestamp for cache file '%s'", path)
+		}
+	}
+}
+
+func loadSnakeoil(t *testing.T, d *SourceTestData) {
+	key, err := minisign.NewPublicKeyFromFile(filepath.Join("testdata", "snakeoil.pub"))
+	if err != nil {
+		t.Fatalf("Unable to load snakeoil key: %v", err)
+	}
+	d.keyStr = string(bytes.SplitN(readFixture(t, "snakeoil.pub"), []byte("\n"), 2)[1])
+	d.key = &key
+}
+
+func loadTestSourceNames(t *testing.T, d *SourceTestData) {
+	files, err := os.ReadDir(filepath.Join("testdata", "sources"))
+	if err != nil {
+		t.Fatalf("Unable to load list of test sources: %v", err)
+	}
+	for _, file := range files {
+		if !file.IsDir() && strings.HasSuffix(file.Name(), ".minisig") {
+			d.sources = append(d.sources, strings.TrimSuffix(file.Name(), ".minisig"))
+		}
+	}
+}
+
+func generateFixtureState(_ *testing.T, d *SourceTestData, suffix, file string, state SourceTestState) {
+	if _, ok := d.fixtures[state]; !ok {
+		d.fixtures[state] = map[string]SourceFixture{}
+	}
+	if suffix != ".minisig" {
+		switch state {
+		case TestStatePartialSig, TestStateMissingSig, TestStateReadSigErr, TestStateOpenSigErr:
+			d.fixtures[state][file] = d.fixtures[TestStateCorrect][file]
+			return
+		}
+	}
+	f := SourceFixture{suffix: suffix}
+	switch state {
+	case TestStateExpired:
+		f.content, f.mtime = d.fixtures[TestStateCorrect][file].content, d.timeOld
+	case TestStatePartial, TestStatePartialSig:
+		f.content = d.fixtures[TestStateCorrect][file].content[:1]
+	case TestStateReadErr, TestStateReadSigErr:
+		f.content, f.length = []byte{}, "1"
+	case TestStateOpenErr, TestStateOpenSigErr:
+		f.content, f.perms = d.fixtures[TestStateCorrect][file].content[:1], 0o200
+	}
+	d.fixtures[state][file] = f
+}
+
+func loadFixtures(t *testing.T, d *SourceTestData) {
+	d.fixtures = map[SourceTestState]map[string]SourceFixture{TestStateCorrect: {}}
+	for _, source := range d.sources {
+		for _, suffix := range [...]string{"", ".minisig"} {
+			file := source + suffix
+			d.fixtures[TestStateCorrect][file] = SourceFixture{
+				suffix:  suffix,
+				content: readFixture(t, filepath.Join("sources", file)),
+			}
+			for _, state := range [...]SourceTestState{
+				TestStateExpired,
+				TestStatePartial,
+				TestStateReadErr,
+				TestStateOpenErr,
+				TestStatePartialSig,
+				TestStateMissingSig,
+				TestStateReadSigErr,
+				TestStateOpenSigErr,
+			} {
+				generateFixtureState(t, d, suffix, file, state)
+			}
+		}
+	}
+}
+
+func makeTempDir(t *testing.T, d *SourceTestData) {
+	name, err := os.MkdirTemp("", "sources_test.go."+t.Name())
+	if err != nil {
+		t.Fatalf("Unable to create temporary directory: %v", err)
+	}
+	d.tempDir = name
+}
+
+func makeTestServer(t *testing.T, d *SourceTestData) {
+	d.reqActual, d.reqExpect = map[string]uint{}, map[string]uint{}
+	d.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var data []byte = nil
+		d.reqActual[r.URL.Path]++
+		pathParts := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/"), "/", 2)
+		state, _ := strconv.ParseUint(pathParts[0], 10, 8)
+		if fixture, ok := d.fixtures[SourceTestState(state)][pathParts[1]]; ok {
+			if len(fixture.length) > 0 {
+				w.Header().Set("Content-Length", fixture.length) // client will return unexpected EOF
+			}
+			data = fixture.content
+		}
+		if data != nil {
+			if _, err := w.Write(data); err != nil {
+				t.Logf("Error writing HTTP response for request [%s]: %v", r.URL.Path, err)
+			}
+		} else {
+			w.WriteHeader(http.StatusNotFound)
+		}
+	}))
+}
+
+func checkTestServer(c *check.C, d *SourceTestData) {
+	c.DeepEqual(d.reqActual, d.reqExpect, "Unexpected HTTP request log")
+	d.reqActual, d.reqExpect = map[string]uint{}, map[string]uint{}
+}
+
+func setupSourceTest(t *testing.T) (func(), *SourceTestData) {
+	d := &SourceTestData{n: -1, xTransport: NewXTransport()}
+	d.cacheTests = map[string]SourceTestState{ // determines cache files written to disk before each call
+		"correct":      TestStateCorrect,
+		"expired":      TestStateExpired,
+		"partial":      TestStatePartial,
+		"partial-sig":  TestStatePartialSig,
+		"missing":      TestStateMissing,
+		"missing-sig":  TestStateMissingSig,
+		"open-err":     TestStateOpenErr,
+		"open-sig-err": TestStateOpenSigErr,
+	}
+	d.downloadTests = map[string][]SourceTestState{ // determines the list of URLs passed in each call and how they will respond
+		"correct":              {TestStateCorrect},
+		"partial":              {TestStatePartial},
+		"partial-sig":          {TestStatePartialSig},
+		"missing":              {TestStateMissing},
+		"missing-sig":          {TestStateMissingSig},
+		"read-err":             {TestStateReadErr},
+		"read-sig-err":         {TestStateReadSigErr},
+		"open-err":             {TestStateOpenErr},
+		"open-sig-err":         {TestStateOpenSigErr},
+		"path-err":             {TestStatePathErr},
+		"partial,correct":      {TestStatePartial, TestStateCorrect},
+		"partial-sig,correct":  {TestStatePartialSig, TestStateCorrect},
+		"missing,correct":      {TestStateMissing, TestStateCorrect},
+		"missing-sig,correct":  {TestStateMissingSig, TestStateCorrect},
+		"read-err,correct":     {TestStateReadErr, TestStateCorrect},
+		"read-sig-err,correct": {TestStateReadSigErr, TestStateCorrect},
+		"open-err,correct":     {TestStateOpenErr, TestStateCorrect},
+		"open-sig-err,correct": {TestStateOpenSigErr, TestStateCorrect},
+		"path-err,correct":     {TestStatePathErr, TestStateCorrect},
+		"no-urls":              {},
+	}
+	d.xTransport.rebuildTransport()
+	d.timeNow = time.Now().AddDate(0, 0, 0).Truncate(time.Second)
+	d.timeOld = d.timeNow.Add(DefaultPrefetchDelay * -4)
+	d.timeUpd = d.timeNow.Add(DefaultPrefetchDelay)
+	timeNow = func() time.Time { return d.timeNow } // originally defined in sources.go, replaced during testing to ensure consistent results
+	makeTempDir(t, d)
+	makeTestServer(t, d)
+	loadSnakeoil(t, d)
+	loadTestSourceNames(t, d)
+	loadFixtures(t, d)
+	return func() {
+		os.RemoveAll(d.tempDir)
+		d.server.Close()
+	}, d
+}
+
+func prepSourceTestCache(t *testing.T, d *SourceTestData, e *SourceTestExpect, source string, state SourceTestState) {
+	e.cache = []SourceFixture{d.fixtures[state][source], d.fixtures[state][source+".minisig"]}
+	switch state {
+	case TestStateCorrect:
+		e.Source.bin, e.success = e.cache[0].content, true
+	case TestStateExpired:
+		e.Source.bin = e.cache[0].content
+	case TestStatePartial, TestStatePartialSig:
+		e.err = "signature"
+	case TestStateMissing, TestStateMissingSig, TestStateOpenErr, TestStateOpenSigErr:
+		e.err = "open"
+	}
+	writeSourceCache(t, e)
+}
+
+func prepSourceTestDownload(
+	_ *testing.T,
+	d *SourceTestData,
+	e *SourceTestExpect,
+	source string,
+	downloadTest []SourceTestState,
+) {
+	if len(downloadTest) == 0 {
+		return
+	}
+	for _, state := range downloadTest {
+		path := "/" + strconv.FormatUint(uint64(state), 10) + "/" + source
+		serverURL := d.server.URL
+		switch state {
+		case TestStateMissing, TestStateMissingSig:
+			e.err = "404 Not Found"
+		case TestStatePartial, TestStatePartialSig:
+			e.err = "signature"
+		case TestStateReadErr, TestStateReadSigErr:
+			e.err = "unexpected EOF"
+		case TestStateOpenErr, TestStateOpenSigErr:
+			if u, err := url.Parse(serverURL + path); err == nil {
+				host, port := ExtractHostAndPort(u.Host, -1)
+				u.Host = fmt.Sprintf(
+					"%s:%d",
+					host,
+					port|0x10000,
+				) // high numeric port is parsed but then fails to connect
+				serverURL = u.String()
+			}
+			e.err = "invalid port"
+		case TestStatePathErr:
+			path = "..." + path // non-numeric port fails URL parsing
+		}
+		if u, err := url.Parse(serverURL + path); err == nil {
+			e.Source.urls = append(e.Source.urls, u)
+		}
+		e.urls = append(e.urls, serverURL+path)
+		if e.success {
+			continue
+		}
+		switch state {
+		case TestStateCorrect:
+			e.cache = []SourceFixture{d.fixtures[state][source], d.fixtures[state][source+".minisig"]}
+			e.Source.bin, e.success = e.cache[0].content, true
+			fallthrough
+		case TestStateMissingSig, TestStatePartial, TestStatePartialSig, TestStateReadSigErr:
+			d.reqExpect[path+".minisig"]++
+			fallthrough
+		case TestStateMissing, TestStateReadErr:
+			d.reqExpect[path]++
+		}
+	}
+	if e.success {
+		e.err = ""
+		e.delay = DefaultPrefetchDelay
+	} else {
+		e.delay = MinimumPrefetchInterval
+	}
+	if len(e.Source.urls) > 0 {
+		e.Source.refresh = d.timeNow.Add(e.delay)
+	} else {
+		e.success = false
+	}
+}
+
+func setupSourceTestCase(t *testing.T, d *SourceTestData, i int,
+	cacheTest *SourceTestState, downloadTest []SourceTestState,
+) (id string, e *SourceTestExpect) {
+	id = strconv.Itoa(d.n) + "-" + strconv.Itoa(i)
+	e = &SourceTestExpect{
+		cachePath: filepath.Join(d.tempDir, id),
+		mtime:     d.timeNow,
+	}
+	e.Source = &Source{
+		name: id, urls: []*url.URL{}, format: SourceFormatV2, minisignKey: d.key,
+		cacheFile: e.cachePath, cacheTTL: DefaultPrefetchDelay * 3, prefetchDelay: DefaultPrefetchDelay,
+	}
+	if cacheTest != nil {
+		prepSourceTestCache(t, d, e, d.sources[i], *cacheTest)
+		i = (i + 1) % len(d.sources) // make the cached and downloaded fixtures different
+	}
+	prepSourceTestDownload(t, d, e, d.sources[i], downloadTest)
+	return
+}
+
+func TestNewSource(t *testing.T) {
+	if testing.Verbose() {
+		dlog.SetLogLevel(dlog.SeverityDebug)
+		dlog.UseSyslog(false)
+	}
+	teardown, d := setupSourceTest(t)
+	defer teardown()
+	checkResult := func(t *testing.T, e *SourceTestExpect, got *Source, err error) {
+		c := check.T(t)
+		if len(e.err) > 0 {
+			c.Match(err, e.err, "Unexpected error")
+		} else {
+			c.Nil(err, "Unexpected error")
+		}
+		c.DeepEqual(got, e.Source, "Unexpected return")
+		checkTestServer(c, d)
+		checkSourceCache(c, e)
+	}
+	d.n++
+	for _, tt := range []struct {
+		v, key       string
+		refreshDelay time.Duration
+		e            *SourceTestExpect
+	}{
+		{"", "", 0, &SourceTestExpect{err: " ", Source: &Source{name: "short refresh delay", urls: []*url.URL{}, cacheTTL: DefaultPrefetchDelay, prefetchDelay: DefaultPrefetchDelay, prefix: ""}}},
+		{"v1", d.keyStr, DefaultPrefetchDelay * 2, &SourceTestExpect{err: "Unsupported source format", Source: &Source{name: "old format", urls: []*url.URL{}, cacheTTL: DefaultPrefetchDelay * 2, prefetchDelay: DefaultPrefetchDelay}}},
+		{"v2", "", DefaultPrefetchDelay * 3, &SourceTestExpect{err: "Invalid encoded public key", Source: &Source{name: "invalid public key", urls: []*url.URL{}, cacheTTL: DefaultPrefetchDelay * 3, prefetchDelay: DefaultPrefetchDelay}}},
+	} {
+		t.Run(tt.e.Source.name, func(t *testing.T) {
+			got, err := NewSource(
+				tt.e.Source.name,
+				d.xTransport,
+				tt.e.urls,
+				tt.key,
+				tt.e.cachePath,
+				tt.v,
+				tt.refreshDelay,
+				tt.e.prefix,
+			)
+			checkResult(t, tt.e, got, err)
+		})
+	}
+	for cacheTestName, cacheTest := range d.cacheTests {
+		for downloadTestName, downloadTest := range d.downloadTests {
+			d.n++
+			for i := range d.sources {
+				id, e := setupSourceTestCase(t, d, i, &cacheTest, downloadTest)
+				t.Run("cache "+cacheTestName+", download "+downloadTestName+"/"+id, func(t *testing.T) {
+					got, err := NewSource(
+						id,
+						d.xTransport,
+						e.urls,
+						d.keyStr,
+						e.cachePath,
+						"v2",
+						DefaultPrefetchDelay*3,
+						"",
+					)
+					checkResult(t, e, got, err)
+				})
+			}
+		}
+	}
+}
+
+func TestPrefetchSources(t *testing.T) {
+	if testing.Verbose() {
+		dlog.SetLogLevel(dlog.SeverityDebug)
+		dlog.UseSyslog(false)
+	}
+	teardown, d := setupSourceTest(t)
+	defer teardown()
+	checkResult := func(t *testing.T, expects []*SourceTestExpect, got time.Duration) {
+		c := check.T(t)
+		expectDelay := MinimumPrefetchInterval
+		for _, e := range expects {
+			if e.delay >= MinimumPrefetchInterval && (expectDelay == MinimumPrefetchInterval || expectDelay > e.delay) {
+				expectDelay = e.delay
+			}
+		}
+		c.InDelta(got, expectDelay, time.Second, "Unexpected return")
+		checkTestServer(c, d)
+		for _, e := range expects {
+			checkSourceCache(c, e)
+		}
+	}
+	timeNow = func() time.Time { return d.timeUpd } // since the fixtures are prepared using real now, make the tested code think it's the future
+	for downloadTestName, downloadTest := range d.downloadTests {
+		d.n++
+		sources := []*Source{}
+		expects := []*SourceTestExpect{}
+		for i := range d.sources {
+			_, e := setupSourceTestCase(t, d, i, nil, downloadTest)
+			e.mtime = d.timeUpd
+			s := &Source{}
+			*s = *e.Source
+			s.bin = nil
+			sources = append(sources, s)
+			expects = append(expects, e)
+		}
+		t.Run("download "+downloadTestName, func(t *testing.T) {
+			got := PrefetchSources(d.xTransport, sources)
+			checkResult(t, expects, got)
+		})
+	}
+}
+
+func TestMain(m *testing.M) { check.TestMain(m) }
--- a/dnscrypt-proxy/staticcheck.conf
+++ b/dnscrypt-proxy/staticcheck.conf
@ -0,0 +1 @@
+checks = ["all", "-ST1005"]
--- a/dnscrypt-proxy/systemd_android.go
+++ b/dnscrypt-proxy/systemd_android.go
@ -0,0 +1,5 @@
+package main
+
+func (proxy *Proxy) addSystemDListeners() error {
+	return nil
+}
--- a/dnscrypt-proxy/systemd_free.go
+++ b/dnscrypt-proxy/systemd_free.go
@ -1,7 +1,8 @@
+//go:build !linux
 // +build !linux

 package main

-func (proxy *Proxy) SystemDListeners() error {
+func (proxy *Proxy) addSystemDListeners() error {
 	return nil
 }
--- a/dnscrypt-proxy/systemd_linux.go
+++ b/dnscrypt-proxy/systemd_linux.go
@ -1,3 +1,6 @@
+//go:build !android
+// +build !android
+
 package main

 import (
@ -7,23 +10,26 @@ import (
 	"github.com/jedisct1/dlog"
 )

-func (proxy *Proxy) SystemDListeners() error {
+func (proxy *Proxy) addSystemDListeners() error {
 	files := activation.Files(true)

-	if len(files) > 0 && (len(proxy.userName) > 0 || proxy.child) {
-		dlog.Fatal("Systemd activated sockets are incompatible with privilege dropping. Remove activated sockets and fill `listen_addresses` in the dnscrypt-proxy configuration file instead.")
-	}
-
-	for i, file := range files {
-		if listener, err := net.FileListener(file); err == nil {
-			dlog.Noticef("Wiring systemd TCP socket #%d, %s, %s", i, file.Name(), listener.Addr())
-			go proxy.tcpListener(listener.(*net.TCPListener))
-		} else if pc, err := net.FilePacketConn(file); err == nil {
-			dlog.Noticef("Wiring systemd UDP socket #%d, %s, %s", i, file.Name(), pc.LocalAddr())
-			go proxy.udpListener(pc.(*net.UDPConn))
+	if len(files) > 0 {
+		if len(proxy.userName) > 0 || proxy.child {
+			dlog.Fatal(
+				"Systemd activated sockets are incompatible with privilege dropping. Remove activated sockets and fill `listen_addresses` in the dnscrypt-proxy configuration file instead.",
+			)
+		}
+		dlog.Warn("Systemd sockets are untested and unsupported - use at your own risk")
+	}
+	for i, file := range files {
+		defer file.Close()
+		if listener, err := net.FileListener(file); err == nil {
+			proxy.registerTCPListener(listener.(*net.TCPListener))
+			dlog.Noticef("Wiring systemd TCP socket #%d, %s, %s", i, file.Name(), listener.Addr())
+		} else if pc, err := net.FilePacketConn(file); err == nil {
+			proxy.registerUDPListener(pc.(*net.UDPConn))
+			dlog.Noticef("Wiring systemd UDP socket #%d, %s, %s", i, file.Name(), pc.LocalAddr())
 		}
-		file.Close()
 	}
-
 	return nil
 }
--- a/dnscrypt-proxy/testdata/snakeoil.key
+++ b/dnscrypt-proxy/testdata/snakeoil.key
@ -0,0 +1,2 @@
+untrusted comment: minisign encrypted secret key
+RWRTY0IyhB6jk0BvB9YnhvXfyLkbKj5CSoL4jZtHw7qidhhNW3sAAAACAAAAAAAAAEAAAAAAus/LOCZVIOcL/da0ldQytjgjKmd5D/C84VitiDP0Fe9zWfTxaGs6SXn4tk0ZYmh2CmHydeQstzpA8cTinbFZgb+gxMHu205cqwHr1wUMtBpKhgdwqPh1EWfokCzrGSCj2Vjxq/Fr0bQ=
--- a/dnscrypt-proxy/testdata/snakeoil.pub
+++ b/dnscrypt-proxy/testdata/snakeoil.pub
@ -0,0 +1,2 @@
+untrusted comment: minisign public key 956181C0EA8BF961
+RWRh+YvqwIFhlRUdNGI/u+EDEmFip5BjgHY/z1yQkmRUcLfeIDWBCxnP
--- a/dnscrypt-proxy/testdata/sources/empty.md
+++ b/dnscrypt-proxy/testdata/sources/empty.md
@ -0,0 +1,2 @@
+# Minimal example of an empty source list
+
--- a/dnscrypt-proxy/testdata/sources/empty.md.minisig
+++ b/dnscrypt-proxy/testdata/sources/empty.md.minisig
@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RWRh+YvqwIFhlQu0PHH9BqqxLYYwmhA4TFMNmfj11kkEYZvu8atPqYVEEyEnLIZLUhx+MYHYoiYrRI88LSpoKxMVSr9jIcaGaAI=
+trusted comment: timestamp:1571786369	file:empty.md
+LTu6UMxo0VXIESDN3/vpM/A04L2RfJkorJNPhXMcYUFl4lRH2x7DSyqCK0k6L3fS7u5iz0+SPLxVx17oqw4aBg==
--- a/Show More
+++ b/Show More