documentation: Bump version

Update anytls
Co-authored-by: anytls <anytls>
2025-06-09 03:54:15 +08:00 · 2025-04-09 11:37:57 +08:00 · 2025-04-09 11:37:57 +08:00 · 2025-04-09 11:28:44 +08:00 · 2025-04-09 11:28:43 +08:00 · 2025-04-09 11:28:43 +08:00
194 changed files with 1283 additions and 5663 deletions
--- a/.fpm_systemd
+++ b/.fpm_systemd
@ -1,22 +1,17 @@
 -s dir
 --name sing-box
 --category net
--license GPL-3.0-or-later
+--license GPLv3-or-later
 --description "The universal proxy platform."
 --url "https://sing-box.sagernet.org/"
 --maintainer "nekohasekai <contact-git@sekai.icu>"
 --deb-field "Bug: https://github.com/SagerNet/sing-box/issues"
--no-deb-generate-changes
 --config-files /etc/sing-box/config.json
--after-install release/config/sing-box.postinst

 release/config/config.json=/etc/sing-box/config.json

 release/config/sing-box.service=/usr/lib/systemd/system/sing-box.service
 release/config/sing-box@.service=/usr/lib/systemd/system/sing-box@.service
-release/config/sing-box.sysusers=/usr/lib/sysusers.d/sing-box.conf
-release/config/sing-box.rules=usr/share/polkit-1/rules.d/sing-box.rules
-release/config/sing-box-split-dns.xml=/usr/share/dbus-1/system.d/sing-box-split-dns.conf

 release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
 release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
--- a/.fpm_openwrt
+++ b/.fpm_openwrt
@ -1,30 +0,0 @@
-s dir
--name sing-box
--category net
--license GPL-3.0-or-later
--description "The universal proxy platform."
--url "https://sing-box.sagernet.org/"
--maintainer "nekohasekai <contact-git@sekai.icu>"
--no-deb-generate-changes
-
--config-files /etc/config/sing-box
--config-files /etc/sing-box/config.json
-
--depends ca-bundle
--depends kmod-inet-diag
--depends kmod-tun
--depends firewall4
-
--before-remove release/config/openwrt.prerm
-
-release/config/config.json=/etc/sing-box/config.json
-
-release/config/openwrt.conf=/etc/config/sing-box
-release/config/openwrt.init=/etc/init.d/sing-box
-release/config/openwrt.keep=/lib/upgrade/keep.d/sing-box
-
-release/completions/sing-box.bash=/usr/share/bash-completion/completions/sing-box.bash
-release/completions/sing-box.fish=/usr/share/fish/vendor_completions.d/sing-box.fish
-release/completions/sing-box.zsh=/usr/share/zsh/site-functions/_sing-box
-
-LICENSE=/usr/share/licenses/sing-box/LICENSE
--- a/.github/deb2ipk.sh
+++ b/.github/deb2ipk.sh
@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# mod from https://gist.github.com/pldubouilh/c5703052986bfdd404005951dee54683
-
-set -e -o pipefail
-
-PROJECT=$(dirname "$0")/../..
-TMP_PATH=`mktemp -d`
-cp $2 $TMP_PATH
-pushd $TMP_PATH
-
-DEB_NAME=`ls *.deb`
-ar x $DEB_NAME
-
-mkdir control
-pushd control
-tar xf ../control.tar.gz
-rm md5sums
-sed "s/Architecture:\\ \w*/Architecture:\\ $1/g" ./control -i
-cat control
-tar czf ../control.tar.gz ./*
-popd
-
-DEB_NAME=${DEB_NAME%.deb}
-tar czf $DEB_NAME.ipk control.tar.gz data.tar.gz debian-binary
-popd
-
-cp $TMP_PATH/$DEB_NAME.ipk $3
-rm -r $TMP_PATH
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -46,7 +46,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@ -68,38 +68,31 @@ jobs:
      - calculate_version
    strategy:
      matrix:
+        os: [ linux, windows, darwin, android ]
+        arch: [ "386", amd64, arm64 ]
+        legacy_go: [ false ]
        include:
-          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64, openwrt: "x86_64" }
-          - { os: linux, arch: "386", go386: sse2, debian: i386, rpm: i386, openwrt: "i386_pentium4" }
-          - { os: linux, arch: "386", go386: softfloat, openwrt: "i386_pentium-mmx" }
-          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64, openwrt: "aarch64_cortex-a53 aarch64_cortex-a72 aarch64_cortex-a76 aarch64_generic" }
-          - { os: linux, arch: arm, goarm: "5", openwrt: "arm_arm926ej-s arm_cortex-a7 arm_cortex-a9 arm_fa526 arm_xscale" }
-          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl, openwrt: "arm_arm1176jzf-s_vfp" }
-          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl, openwrt: "arm_cortex-a5_vfpv4 arm_cortex-a7_neon-vfpv4 arm_cortex-a7_vfpv4 arm_cortex-a8_vfpv3 arm_cortex-a9_neon arm_cortex-a9_vfpv3-d16 arm_cortex-a15_neon-vfpv4" }
-          - { os: linux, arch: mips, gomips: softfloat, openwrt: "mips_24kc mips_4kec mips_mips32" }
-          - { os: linux, arch: mipsle, gomips: hardfloat, debian: mipsel, rpm: mipsel, openwrt: "mipsel_24kc_24kf" }
-          - { os: linux, arch: mipsle, gomips: softfloat, openwrt: "mipsel_24kc mipsel_74kc mipsel_mips32" }
-          - { os: linux, arch: mips64, gomips: softfloat, openwrt: "mips64_mips64r2 mips64_octeonplus" }
-          - { os: linux, arch: mips64le, gomips: hardfloat, debian: mips64el, rpm: mips64el }
-          - { os: linux, arch: mips64le, gomips: softfloat, openwrt: "mips64el_mips64r2" }
+          - { os: linux, arch: amd64, debian: amd64, rpm: x86_64, pacman: x86_64 }
+          - { os: linux, arch: "386", debian: i386, rpm: i386 }
+          - { os: linux, arch: arm, goarm: "6", debian: armel, rpm: armv6hl }
+          - { os: linux, arch: arm, goarm: "7", debian: armhf, rpm: armv7hl, pacman: armv7hl }
+          - { os: linux, arch: arm64, debian: arm64, rpm: aarch64, pacman: aarch64 }
+          - { os: linux, arch: mips64le, debian: mips64el, rpm: mips64el }
+          - { os: linux, arch: mipsle, debian: mipsel, rpm: mipsel }
          - { os: linux, arch: s390x, debian: s390x, rpm: s390x }
          - { os: linux, arch: ppc64le, debian: ppc64el, rpm: ppc64le }
-          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64, openwrt: "riscv64_generic" }
-          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64, openwrt: "loongarch64_generic" }
+          - { os: linux, arch: riscv64, debian: riscv64, rpm: riscv64 }
+          - { os: linux, arch: loong64, debian: loongarch64, rpm: loongarch64 }

-          - { os: windows, arch: amd64 }
-          - { os: windows, arch: amd64, legacy_go: true }
-          - { os: windows, arch: "386" }
          - { os: windows, arch: "386", legacy_go: true }
-          - { os: windows, arch: arm64 }
-
-          - { os: darwin, arch: amd64 }
-          - { os: darwin, arch: arm64 }
+          - { os: windows, arch: amd64, legacy_go: true }

+          - { os: android, arch: "386", ndk: "i686-linux-android21" }
+          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
          - { os: android, arch: arm64, ndk: "aarch64-linux-android21" }
          - { os: android, arch: arm, ndk: "armv7a-linux-androideabi21" }
-          - { os: android, arch: amd64, ndk: "x86_64-linux-android21" }
-          - { os: android, arch: "386", ndk: "i686-linux-android21" }
+        exclude:
+          - { os: darwin, arch: "386" }
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@ -109,7 +102,7 @@ jobs:
        if: ${{ ! matrix.legacy_go }}
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Cache Legacy Go
        if: matrix.require_legacy_go
        id: cache-legacy-go
@ -140,7 +133,7 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api,with_tailscale'
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
        if: matrix.os != 'android'
@ -154,10 +147,7 @@ jobs:
          CGO_ENABLED: "0"
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
-          GO386: ${{ matrix.go386 }}
          GOARM: ${{ matrix.goarm }}
-          GOMIPS: ${{ matrix.gomips }}
-          GOMIPS64: ${{ matrix.gomips }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Android
        if: matrix.os == 'android'
@ -177,17 +167,12 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Set name
        run: |-
-          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}"
-          if [[ -n "${{ matrix.goarm }}" ]]; then
-            DIR_NAME="${DIR_NAME}v${{ matrix.goarm }}"
-          elif [[ -n "${{ matrix.go386 }}" && "${{ matrix.go386 }}" != 'sse2' ]]; then
-            DIR_NAME="${DIR_NAME}-${{ matrix.go386 }}"
-          elif [[ -n "${{ matrix.gomips }}" && "${{ matrix.gomips }}" != 'hardfloat' ]]; then
-            DIR_NAME="${DIR_NAME}-${{ matrix.gomips }}"
-          elif [[ "${{ matrix.legacy_go }}" == 'true' ]]; then
-            DIR_NAME="${DIR_NAME}-legacy"
-          fi
+          ARM_VERSION=$([ -n '${{ matrix.goarm}}' ] && echo 'v${{ matrix.goarm}}' || true)
+          LEGACY=$([ '${{ matrix.legacy_go }}' = 'true' ] && echo "-legacy" || true)
+          DIR_NAME="sing-box-${{ needs.calculate_version.outputs.version }}-${{ matrix.os }}-${{ matrix.arch }}${ARM_VERSION}${LEGACY}"
+          PKG_NAME="sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.arch }}${ARM_VERSION}"
          echo "DIR_NAME=${DIR_NAME}" >> "${GITHUB_ENV}"
+          echo "PKG_NAME=${PKG_NAME}" >> "${GITHUB_ENV}"
          PKG_VERSION="${{ needs.calculate_version.outputs.version }}"
          PKG_VERSION="${PKG_VERSION//-/\~}"
          echo "PKG_VERSION=${PKG_VERSION}" >> "${GITHUB_ENV}"
@ -196,12 +181,10 @@ jobs:
        run: |
          set -xeuo pipefail
          sudo gem install fpm
-          sudo apt-get update
          sudo apt-get install -y debsigs
-          cp .fpm_systemd .fpm
          fpm -t deb \
            -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.debian }}.deb" \
+            -p "dist/${PKG_NAME}.deb" \
            --architecture ${{ matrix.debian }} \
            dist/sing-box=/usr/bin/sing-box
          curl -Lo '/tmp/debsigs.diff' 'https://gitlab.com/debsigs/debsigs/-/commit/160138f5de1ec110376d3c807b60a37388bc7c90.diff'
@ -216,10 +199,9 @@ jobs:
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
-          cp .fpm_systemd .fpm
          fpm -t rpm \
            -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.rpm }}.rpm" \
+            -p "dist/${PKG_NAME}.rpm" \
            --architecture ${{ matrix.rpm }} \
            dist/sing-box=/usr/bin/sing-box
          cat > $HOME/.rpmmacros <<EOF
@ -235,29 +217,12 @@ jobs:
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
-          sudo apt-get update
          sudo apt-get install -y libarchive-tools
-          cp .fpm_systemd .fpm
          fpm -t pacman \
            -v "$PKG_VERSION" \
-            -p "dist/sing-box_${{ needs.calculate_version.outputs.version }}_${{ matrix.os }}_${{ matrix.pacman }}.pkg.tar.zst" \
+            -p "dist/${PKG_NAME}.pkg.tar.zst" \
            --architecture ${{ matrix.pacman }} \
            dist/sing-box=/usr/bin/sing-box
-      - name: Package OpenWrt
-        if: matrix.openwrt != ''
-        run: |-
-          set -xeuo pipefail
-          sudo gem install fpm
-          cp .fpm_openwrt .fpm
-          fpm -t deb \
-            -v "$PKG_VERSION" \
-            -p "dist/openwrt.deb" \
-            --architecture all \
-            dist/sing-box=/usr/bin/sing-box
-          for architecture in ${{ matrix.openwrt }}; do
-            .github/deb2ipk.sh "$architecture" "dist/openwrt.deb" "dist/sing-box_${{ needs.calculate_version.outputs.version }}_openwrt_${architecture}.ipk"
-          done
-          rm "dist/openwrt.deb"
      - name: Archive
        run: |
          set -xeuo pipefail
@ -277,7 +242,7 @@ jobs:
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
-          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.go386 && format('_{0}', matrix.go386) }}${{ matrix.gomips && format('_{0}', matrix.gomips) }}${{ matrix.legacy_go && '-legacy' || '' }}
+          name: binary-${{ matrix.os }}_${{ matrix.arch }}${{ matrix.goarm && format('v{0}', matrix.goarm) }}${{ matrix.legacy_go && '-legacy' || '' }}
          path: "dist"
  build_android:
    name: Build Android
@ -294,7 +259,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@ -374,7 +339,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Setup Android NDK
        id: setup-ndk
        uses: nttld/setup-ndk@v1
@ -472,7 +437,7 @@ jobs:
        if: matrix.if
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Setup Xcode stable
        if: matrix.if && github.ref == 'refs/heads/main-next'
        run: |-
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -28,7 +28,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -25,7 +25,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Check input version
        if: github.event_name == 'workflow_dispatch'
        run: |-
@ -66,7 +66,7 @@ jobs:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version: ^1.24.4
+          go-version: ^1.24.2
      - name: Setup Android NDK
        if: matrix.os == 'android'
        uses: nttld/setup-ndk@v1
@ -80,7 +80,10 @@ jobs:
      - name: Set build tags
        run: |
          set -xeuo pipefail
-          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale'
+          TAGS='with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api'
+          if [ ! '${{ matrix.legacy_go }}' = 'true' ]; then
+            TAGS="${TAGS},with_ech"
+          fi
          echo "BUILD_TAGS=${TAGS}" >> "${GITHUB_ENV}"
      - name: Build
        run: |
@ -117,7 +120,6 @@ jobs:
          set -xeuo pipefail
          sudo gem install fpm
          sudo apt-get install -y debsigs
-          cp .fpm_systemd .fpm
          fpm -t deb \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
@ -136,7 +138,6 @@ jobs:
        run: |-
          set -xeuo pipefail
          sudo gem install fpm
-          cp .fpm_systemd .fpm
          fpm -t rpm \
            --name "${NAME}" \
            -v "$PKG_VERSION" \
--- a/.golangci.yml
+++ b/.golangci.yml
@ -21,13 +21,14 @@ linters-settings:
      - -SA1003

 run:
-  go: "1.23"
+  go: "1.24"
  build-tags:
    - with_gvisor
    - with_quic
    - with_dhcp
    - with_wireguard
    - with_utls
+    - with_reality_server
    - with_acme
    - with_clash_api

--- a/.goreleaser.fury.yaml
+++ b/.goreleaser.fury.yaml
@ -15,6 +15,7 @@ builds:
      - with_dhcp
      - with_wireguard
      - with_utls
+      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
@ -55,12 +56,6 @@ nfpms:
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf

      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -17,6 +17,7 @@ builds:
      - with_dhcp
      - with_wireguard
      - with_utls
+      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
@ -46,6 +47,7 @@ builds:
      - with_dhcp
      - with_wireguard
      - with_utls
+      - with_reality_server
      - with_acme
      - with_clash_api
      - with_tailscale
@ -136,12 +138,6 @@ nfpms:
        dst: /usr/lib/systemd/system/sing-box.service
      - src: release/config/sing-box@.service
        dst: /usr/lib/systemd/system/sing-box@.service
-      - src: release/config/sing-box.sysusers
-        dst: /usr/lib/sysusers.d/sing-box.conf
-      - src: release/config/sing-box.rules
-        dst: /usr/share/polkit-1/rules.d/sing-box.rules
-      - src: release/config/sing-box-split-dns.xml
-        dst: /usr/share/dbus-1/system.d/sing-box-split-dns.conf

      - src: release/completions/sing-box.bash
        dst: /usr/share/bash-completion/completions/sing-box.bash
--- a/2
+++ b/2
@ -13,7 +13,7 @@ RUN set -ex \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
    && go build -v -trimpath -tags \
-        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale" \
+        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_acme,with_clash_api,with_tailscale" \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/11
+++ b/11
@ -1,13 +1,14 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
+TAGS ?= with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_tailscale
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_utls,with_reality_server

 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
-VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run github.com/sagernet/sing-box/cmd/internal/read_tag@latest)
+VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)

 PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
-MAIN_PARAMS = $(PARAMS) -tags "$(TAGS)"
+MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)

@ -23,7 +24,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)

 generate_completions:
-	go run -v --tags "$(TAGS),generate,generate_completions" $(MAIN)
+	go run -v --tags $(TAGS),generate,generate_completions $(MAIN)

 install:
 	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
@ -245,4 +246,4 @@ clean:
 update:
 	git fetch
 	git reset FETCH_HEAD --hard
-	git clean -fdx
+	git clean -fdx
--- a/adapter/dns.go
+++ b/adapter/dns.go
@ -7,9 +7,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
-	"github.com/sagernet/sing/service"

 	"github.com/miekg/dns"
 )
@ -33,30 +31,11 @@ type DNSClient interface {
 }

 type DNSQueryOptions struct {
-	Transport      DNSTransport
-	Strategy       C.DomainStrategy
-	LookupStrategy C.DomainStrategy
-	DisableCache   bool
-	RewriteTTL     *uint32
-	ClientSubnet   netip.Prefix
-}
-
-func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptions) (*DNSQueryOptions, error) {
-	if options == nil {
-		return &DNSQueryOptions{}, nil
-	}
-	transportManager := service.FromContext[DNSTransportManager](ctx)
-	transport, loaded := transportManager.Transport(options.Server)
-	if !loaded {
-		return nil, E.New("domain resolver not found: " + options.Server)
-	}
-	return &DNSQueryOptions{
-		Transport:    transport,
-		Strategy:     C.DomainStrategy(options.Strategy),
-		DisableCache: options.DisableCache,
-		RewriteTTL:   options.RewriteTTL,
-		ClientSubnet: options.ClientSubnet.Build(netip.Prefix{}),
-	}, nil
+	Transport    DNSTransport
+	Strategy     C.DomainStrategy
+	DisableCache bool
+	RewriteTTL   *uint32
+	ClientSubnet netip.Prefix
 }

 type RDRCStore interface {
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@ -7,7 +7,7 @@ import (
 )

 type FakeIPStore interface {
-	SimpleLifecycle
+	Service
 	Contains(address netip.Addr) bool
 	Create(domain string, isIPv6 bool) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@ -74,7 +74,6 @@ type InboundContext struct {
 	UDPTimeout                time.Duration
 	TLSFragment               bool
 	TLSFragmentFallbackDelay  time.Duration
-	TLSRecordFragment         bool

 	NetworkStrategy     *C.NetworkStrategy
 	NetworkType         []C.InterfaceType
--- a/adapter/inbound/manager.go
+++ b/adapter/inbound/manager.go
@ -37,14 +37,13 @@ func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry, endp

 func (m *Manager) Start(stage adapter.StartStage) error {
 	m.access.Lock()
+	defer m.access.Unlock()
 	if m.started && m.stage >= stage {
 		panic("already started")
 	}
 	m.started = true
 	m.stage = stage
-	inbounds := m.inbounds
-	m.access.Unlock()
-	for _, inbound := range inbounds {
+	for _, inbound := range m.inbounds {
 		err := adapter.LegacyStart(inbound, stage)
 		if err != nil {
 			return E.Cause(err, stage, " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
--- a/adapter/lifecycle.go
+++ b/adapter/lifecycle.go
@ -2,11 +2,6 @@ package adapter

 import E "github.com/sagernet/sing/common/exceptions"

-type SimpleLifecycle interface {
-	Start() error
-	Close() error
-}
-
 type StartStage uint8

 const (
--- a/adapter/lifecycle_legacy.go
+++ b/adapter/lifecycle_legacy.go
@ -28,14 +28,14 @@ func LegacyStart(starter any, stage StartStage) error {
 }

 type lifecycleServiceWrapper struct {
-	SimpleLifecycle
+	Service
 	name string
 }

-func NewLifecycleService(service SimpleLifecycle, name string) LifecycleService {
+func NewLifecycleService(service Service, name string) LifecycleService {
 	return &lifecycleServiceWrapper{
-		SimpleLifecycle: service,
-		name:            name,
+		Service: service,
+		name:    name,
 	}
 }

@ -44,9 +44,9 @@ func (l *lifecycleServiceWrapper) Name() string {
 }

 func (l *lifecycleServiceWrapper) Start(stage StartStage) error {
-	return LegacyStart(l.SimpleLifecycle, stage)
+	return LegacyStart(l.Service, stage)
 }

 func (l *lifecycleServiceWrapper) Close() error {
-	return l.SimpleLifecycle.Close()
+	return l.Service.Close()
 }
--- a/adapter/rule.go
+++ b/adapter/rule.go
@ -11,7 +11,7 @@ type HeadlessRule interface {

 type Rule interface {
 	HeadlessRule
-	SimpleLifecycle
+	Service
 	Type() string
 	Action() RuleAction
 }
--- a/adapter/service.go
+++ b/adapter/service.go
@ -1,27 +1,6 @@
 package adapter

-import (
-	"context"
-
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-)
-
 type Service interface {
-	Lifecycle
-	Type() string
-	Tag() string
-}
-
-type ServiceRegistry interface {
-	option.ServiceOptionsRegistry
-	Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) (Service, error)
-}
-
-type ServiceManager interface {
-	Lifecycle
-	Services() []Service
-	Get(tag string) (Service, bool)
-	Remove(tag string) error
-	Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) error
+	Start() error
+	Close() error
 }
--- a/adapter/service/adapter.go
+++ b/adapter/service/adapter.go
@ -1,21 +0,0 @@
-package service
-
-type Adapter struct {
-	serviceType string
-	serviceTag  string
-}
-
-func NewAdapter(serviceType string, serviceTag string) Adapter {
-	return Adapter{
-		serviceType: serviceType,
-		serviceTag:  serviceTag,
-	}
-}
-
-func (a *Adapter) Type() string {
-	return a.serviceType
-}
-
-func (a *Adapter) Tag() string {
-	return a.serviceTag
-}
--- a/adapter/service/manager.go
+++ b/adapter/service/manager.go
@ -1,144 +0,0 @@
-package service
-
-import (
-	"context"
-	"os"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-var _ adapter.ServiceManager = (*Manager)(nil)
-
-type Manager struct {
-	logger       log.ContextLogger
-	registry     adapter.ServiceRegistry
-	access       sync.Mutex
-	started      bool
-	stage        adapter.StartStage
-	services     []adapter.Service
-	serviceByTag map[string]adapter.Service
-}
-
-func NewManager(logger log.ContextLogger, registry adapter.ServiceRegistry) *Manager {
-	return &Manager{
-		logger:       logger,
-		registry:     registry,
-		serviceByTag: make(map[string]adapter.Service),
-	}
-}
-
-func (m *Manager) Start(stage adapter.StartStage) error {
-	m.access.Lock()
-	if m.started && m.stage >= stage {
-		panic("already started")
-	}
-	m.started = true
-	m.stage = stage
-	services := m.services
-	m.access.Unlock()
-	for _, service := range services {
-		err := adapter.LegacyStart(service, stage)
-		if err != nil {
-			return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
-		}
-	}
-	return nil
-}
-
-func (m *Manager) Close() error {
-	m.access.Lock()
-	defer m.access.Unlock()
-	if !m.started {
-		return nil
-	}
-	m.started = false
-	services := m.services
-	m.services = nil
-	monitor := taskmonitor.New(m.logger, C.StopTimeout)
-	var err error
-	for _, service := range services {
-		monitor.Start("close service/", service.Type(), "[", service.Tag(), "]")
-		err = E.Append(err, service.Close(), func(err error) error {
-			return E.Cause(err, "close service/", service.Type(), "[", service.Tag(), "]")
-		})
-		monitor.Finish()
-	}
-	return nil
-}
-
-func (m *Manager) Services() []adapter.Service {
-	m.access.Lock()
-	defer m.access.Unlock()
-	return m.services
-}
-
-func (m *Manager) Get(tag string) (adapter.Service, bool) {
-	m.access.Lock()
-	service, found := m.serviceByTag[tag]
-	m.access.Unlock()
-	return service, found
-}
-
-func (m *Manager) Remove(tag string) error {
-	m.access.Lock()
-	service, found := m.serviceByTag[tag]
-	if !found {
-		m.access.Unlock()
-		return os.ErrInvalid
-	}
-	delete(m.serviceByTag, tag)
-	index := common.Index(m.services, func(it adapter.Service) bool {
-		return it == service
-	})
-	if index == -1 {
-		panic("invalid service index")
-	}
-	m.services = append(m.services[:index], m.services[index+1:]...)
-	started := m.started
-	m.access.Unlock()
-	if started {
-		return service.Close()
-	}
-	return nil
-}
-
-func (m *Manager) Create(ctx context.Context, logger log.ContextLogger, tag string, serviceType string, options any) error {
-	service, err := m.registry.Create(ctx, logger, tag, serviceType, options)
-	if err != nil {
-		return err
-	}
-	m.access.Lock()
-	defer m.access.Unlock()
-	if m.started {
-		for _, stage := range adapter.ListStartStages {
-			err = adapter.LegacyStart(service, stage)
-			if err != nil {
-				return E.Cause(err, stage, " service/", service.Type(), "[", service.Tag(), "]")
-			}
-		}
-	}
-	if existsService, loaded := m.serviceByTag[tag]; loaded {
-		if m.started {
-			err = existsService.Close()
-			if err != nil {
-				return E.Cause(err, "close service/", existsService.Type(), "[", existsService.Tag(), "]")
-			}
-		}
-		existsIndex := common.Index(m.services, func(it adapter.Service) bool {
-			return it == existsService
-		})
-		if existsIndex == -1 {
-			panic("invalid service index")
-		}
-		m.services = append(m.services[:existsIndex], m.services[existsIndex+1:]...)
-	}
-	m.services = append(m.services, service)
-	m.serviceByTag[tag] = service
-	return nil
-}
--- a/adapter/service/registry.go
+++ b/adapter/service/registry.go
@ -1,72 +0,0 @@
-package service
-
-import (
-	"context"
-	"sync"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type ConstructorFunc[T any] func(ctx context.Context, logger log.ContextLogger, tag string, options T) (adapter.Service, error)
-
-func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
-	registry.register(outboundType, func() any {
-		return new(Options)
-	}, func(ctx context.Context, logger log.ContextLogger, tag string, rawOptions any) (adapter.Service, error) {
-		var options *Options
-		if rawOptions != nil {
-			options = rawOptions.(*Options)
-		}
-		return constructor(ctx, logger, tag, common.PtrValueOrDefault(options))
-	})
-}
-
-var _ adapter.ServiceRegistry = (*Registry)(nil)
-
-type (
-	optionsConstructorFunc func() any
-	constructorFunc        func(ctx context.Context, logger log.ContextLogger, tag string, options any) (adapter.Service, error)
-)
-
-type Registry struct {
-	access      sync.Mutex
-	optionsType map[string]optionsConstructorFunc
-	constructor map[string]constructorFunc
-}
-
-func NewRegistry() *Registry {
-	return &Registry{
-		optionsType: make(map[string]optionsConstructorFunc),
-		constructor: make(map[string]constructorFunc),
-	}
-}
-
-func (m *Registry) CreateOptions(outboundType string) (any, bool) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	optionsConstructor, loaded := m.optionsType[outboundType]
-	if !loaded {
-		return nil, false
-	}
-	return optionsConstructor(), true
-}
-
-func (m *Registry) Create(ctx context.Context, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Service, error) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	constructor, loaded := m.constructor[outboundType]
-	if !loaded {
-		return nil, E.New("outbound type not found: " + outboundType)
-	}
-	return constructor(ctx, logger, tag, options)
-}
-
-func (m *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
-	m.access.Lock()
-	defer m.access.Unlock()
-	m.optionsType[outboundType] = optionsConstructor
-	m.constructor[outboundType] = constructor
-}
--- a/adapter/ssm.go
+++ b/adapter/ssm.go
@ -1,18 +0,0 @@
-package adapter
-
-import (
-	"net"
-
-	N "github.com/sagernet/sing/common/network"
-)
-
-type ManagedSSMServer interface {
-	Inbound
-	SetTracker(tracker SSMTracker)
-	UpdateUsers(users []string, uPSKs []string) error
-}
-
-type SSMTracker interface {
-	TrackConnection(conn net.Conn, metadata InboundContext) net.Conn
-	TrackPacketConnection(conn N.PacketConn, metadata InboundContext) N.PacketConn
-}
--- a/adapter/time.go
+++ b/adapter/time.go
@ -3,6 +3,6 @@ package adapter
 import "time"

 type TimeService interface {
-	SimpleLifecycle
+	Service
 	TimeFunc() func() time.Time
 }
--- a/box.go
+++ b/box.go
@ -12,7 +12,6 @@ import (
 	"github.com/sagernet/sing-box/adapter/endpoint"
 	"github.com/sagernet/sing-box/adapter/inbound"
 	"github.com/sagernet/sing-box/adapter/outbound"
-	boxService "github.com/sagernet/sing-box/adapter/service"
 	"github.com/sagernet/sing-box/common/certificate"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
@ -35,23 +34,22 @@ import (
 	"github.com/sagernet/sing/service/pause"
 )

-var _ adapter.SimpleLifecycle = (*Box)(nil)
+var _ adapter.Service = (*Box)(nil)

 type Box struct {
-	createdAt       time.Time
-	logFactory      log.Factory
-	logger          log.ContextLogger
-	network         *route.NetworkManager
-	endpoint        *endpoint.Manager
-	inbound         *inbound.Manager
-	outbound        *outbound.Manager
-	service         *boxService.Manager
-	dnsTransport    *dns.TransportManager
-	dnsRouter       *dns.Router
-	connection      *route.ConnectionManager
-	router          *route.Router
-	internalService []adapter.LifecycleService
-	done            chan struct{}
+	createdAt    time.Time
+	logFactory   log.Factory
+	logger       log.ContextLogger
+	network      *route.NetworkManager
+	endpoint     *endpoint.Manager
+	inbound      *inbound.Manager
+	outbound     *outbound.Manager
+	dnsTransport *dns.TransportManager
+	dnsRouter    *dns.Router
+	connection   *route.ConnectionManager
+	router       *route.Router
+	services     []adapter.LifecycleService
+	done         chan struct{}
 }

 type Options struct {
@ -66,7 +64,6 @@ func Context(
 	outboundRegistry adapter.OutboundRegistry,
 	endpointRegistry adapter.EndpointRegistry,
 	dnsTransportRegistry adapter.DNSTransportRegistry,
-	serviceRegistry adapter.ServiceRegistry,
 ) context.Context {
 	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
 		service.FromContext[adapter.InboundRegistry](ctx) == nil {
@ -87,10 +84,6 @@ func Context(
 		ctx = service.ContextWith[option.DNSTransportOptionsRegistry](ctx, dnsTransportRegistry)
 		ctx = service.ContextWith[adapter.DNSTransportRegistry](ctx, dnsTransportRegistry)
 	}
-	if service.FromContext[adapter.ServiceRegistry](ctx) == nil {
-		ctx = service.ContextWith[option.ServiceOptionsRegistry](ctx, serviceRegistry)
-		ctx = service.ContextWith[adapter.ServiceRegistry](ctx, serviceRegistry)
-	}
 	return ctx
 }

@ -106,7 +99,6 @@ func New(options Options) (*Box, error) {
 	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
 	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
 	dnsTransportRegistry := service.FromContext[adapter.DNSTransportRegistry](ctx)
-	serviceRegistry := service.FromContext[adapter.ServiceRegistry](ctx)

 	if endpointRegistry == nil {
 		return nil, E.New("missing endpoint registry in context")
@ -117,12 +109,6 @@ func New(options Options) (*Box, error) {
 	if outboundRegistry == nil {
 		return nil, E.New("missing outbound registry in context")
 	}
-	if dnsTransportRegistry == nil {
-		return nil, E.New("missing DNS transport registry in context")
-	}
-	if serviceRegistry == nil {
-		return nil, E.New("missing service registry in context")
-	}

 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@ -156,7 +142,7 @@ func New(options Options) (*Box, error) {
 		return nil, E.Cause(err, "create log factory")
 	}

-	var internalServices []adapter.LifecycleService
+	var services []adapter.LifecycleService
 	certificateOptions := common.PtrValueOrDefault(options.Certificate)
 	if C.IsAndroid || certificateOptions.Store != "" && certificateOptions.Store != C.CertificateStoreSystem ||
 		len(certificateOptions.Certificate) > 0 ||
@ -167,7 +153,7 @@ func New(options Options) (*Box, error) {
 			return nil, err
 		}
 		service.MustRegister[adapter.CertificateStore](ctx, certificateStore)
-		internalServices = append(internalServices, certificateStore)
+		services = append(services, certificateStore)
 	}

 	routeOptions := common.PtrValueOrDefault(options.Route)
@ -176,12 +162,10 @@ func New(options Options) (*Box, error) {
 	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry, endpointManager)
 	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, endpointManager, routeOptions.Final)
 	dnsTransportManager := dns.NewTransportManager(logFactory.NewLogger("dns/transport"), dnsTransportRegistry, outboundManager, dnsOptions.Final)
-	serviceManager := boxService.NewManager(logFactory.NewLogger("service"), serviceRegistry)
 	service.MustRegister[adapter.EndpointManager](ctx, endpointManager)
 	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
 	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
 	service.MustRegister[adapter.DNSTransportManager](ctx, dnsTransportManager)
-	service.MustRegister[adapter.ServiceManager](ctx, serviceManager)
 	dnsRouter := dns.NewRouter(ctx, logFactory, dnsOptions)
 	service.MustRegister[adapter.DNSRouter](ctx, dnsRouter)
 	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
@ -296,24 +280,6 @@ func New(options Options) (*Box, error) {
 			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
 	}
-	for i, serviceOptions := range options.Services {
-		var tag string
-		if serviceOptions.Tag != "" {
-			tag = serviceOptions.Tag
-		} else {
-			tag = F.ToString(i)
-		}
-		err = serviceManager.Create(
-			ctx,
-			logFactory.NewLogger(F.ToString("service/", serviceOptions.Type, "[", tag, "]")),
-			tag,
-			serviceOptions.Type,
-			serviceOptions.Options,
-		)
-		if err != nil {
-			return nil, E.Cause(err, "initialize service[", i, "]")
-		}
-	}
 	outboundManager.Initialize(common.Must1(
 		direct.NewOutbound(
 			ctx,
@ -339,7 +305,7 @@ func New(options Options) (*Box, error) {
 	if needCacheFile {
 		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
-		internalServices = append(internalServices, cacheFile)
+		services = append(services, cacheFile)
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
@ -350,7 +316,7 @@ func New(options Options) (*Box, error) {
 		}
 		router.AppendTracker(clashServer)
 		service.MustRegister[adapter.ClashServer](ctx, clashServer)
-		internalServices = append(internalServices, clashServer)
+		services = append(services, clashServer)
 	}
 	if needV2RayAPI {
 		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
@ -359,7 +325,7 @@ func New(options Options) (*Box, error) {
 		}
 		if v2rayServer.StatsService() != nil {
 			router.AppendTracker(v2rayServer.StatsService())
-			internalServices = append(internalServices, v2rayServer)
+			services = append(services, v2rayServer)
 			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
 		}
 	}
@ -377,23 +343,22 @@ func New(options Options) (*Box, error) {
 			WriteToSystem: ntpOptions.WriteToSystem,
 		})
 		timeService.TimeService = ntpService
-		internalServices = append(internalServices, adapter.NewLifecycleService(ntpService, "ntp service"))
+		services = append(services, adapter.NewLifecycleService(ntpService, "ntp service"))
 	}
 	return &Box{
-		network:         networkManager,
-		endpoint:        endpointManager,
-		inbound:         inboundManager,
-		outbound:        outboundManager,
-		dnsTransport:    dnsTransportManager,
-		service:         serviceManager,
-		dnsRouter:       dnsRouter,
-		connection:      connectionManager,
-		router:          router,
-		createdAt:       createdAt,
-		logFactory:      logFactory,
-		logger:          logFactory.Logger(),
-		internalService: internalServices,
-		done:            make(chan struct{}),
+		network:      networkManager,
+		endpoint:     endpointManager,
+		inbound:      inboundManager,
+		outbound:     outboundManager,
+		dnsTransport: dnsTransportManager,
+		dnsRouter:    dnsRouter,
+		connection:   connectionManager,
+		router:       router,
+		createdAt:    createdAt,
+		logFactory:   logFactory,
+		logger:       logFactory.Logger(),
+		services:     services,
+		done:         make(chan struct{}),
 	}, nil
 }

@ -443,11 +408,11 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	err = adapter.StartNamed(adapter.StartStateInitialize, s.internalService) // cache-file clash-api v2ray-api
+	err = adapter.StartNamed(adapter.StartStateInitialize, s.services) // cache-file clash-api v2ray-api
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateInitialize, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
@ -463,27 +428,31 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStart, s.internalService)
+	err = adapter.StartNamed(adapter.StartStateStart, s.services)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStart, s.inbound, s.endpoint, s.service)
+	err = s.inbound.Start(adapter.StartStateStart)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint, s.service)
+	err = adapter.Start(adapter.StartStateStart, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStatePostStart, s.internalService)
+	err = adapter.Start(adapter.StartStatePostStart, s.outbound, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.inbound, s.endpoint)
 	if err != nil {
 		return err
 	}
-	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint, s.service)
+	err = adapter.StartNamed(adapter.StartStatePostStart, s.services)
 	if err != nil {
 		return err
 	}
-	err = adapter.StartNamed(adapter.StartStateStarted, s.internalService)
+	err = adapter.Start(adapter.StartStateStarted, s.network, s.dnsTransport, s.dnsRouter, s.connection, s.router, s.outbound, s.inbound, s.endpoint)
+	if err != nil {
+		return err
+	}
+	err = adapter.StartNamed(adapter.StartStateStarted, s.services)
 	if err != nil {
 		return err
 	}
@ -500,7 +469,7 @@ func (s *Box) Close() error {
 	err := common.Close(
 		s.inbound, s.outbound, s.endpoint, s.router, s.connection, s.dnsRouter, s.dnsTransport, s.network,
 	)
-	for _, lifecycleService := range s.internalService {
+	for _, lifecycleService := range s.services {
 		err = E.Append(err, lifecycleService.Close(), func(err error) error {
 			return E.Cause(err, "close ", lifecycleService.Name())
 		})
--- a/clients/android
+++ b/clients/android
@ -1 +1 @@
-Subproject commit 320170a1077ea5c93872b3e055b96b8836615ef0
+Subproject commit 8354b78e5d002d636827cfeed6ed5df8ea057452
--- a/cmd/internal/app_store_connect/main.go
+++ b/cmd/internal/app_store_connect/main.go
@ -105,7 +105,7 @@ func publishTestflight(ctx context.Context) error {
 		return err
 	}
 	tag := tagVersion.VersionString()
-	client := createClient(20 * time.Minute)
+	client := createClient(10 * time.Minute)

 	log.Info(tag, " list build IDs")
 	buildIDsResponse, _, err := client.TestFlight.ListBuildIDsForBetaGroup(ctx, groupID, nil)
@ -145,7 +145,7 @@ func publishTestflight(ctx context.Context) error {
 				return err
 			}
 			build := builds.Data[0]
-			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 30*time.Minute {
+			if common.Contains(buildIDs, build.ID) || time.Since(build.Attributes.UploadedDate.Time) > 5*time.Minute {
 				log.Info(string(platform), " ", tag, " waiting for process")
 				time.Sleep(15 * time.Second)
 				continue
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@ -59,8 +59,8 @@ func init() {
 	sharedFlags = append(sharedFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-ldflags", "-X github.com/sagernet/sing-box/constant.Version="+currentTag)

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api", "with_conntrack")
-	iosTags = append(iosTags, "with_dhcp", "with_low_memory")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
+	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	memcTags = append(memcTags, "with_tailscale")
 	debugTags = append(debugTags, "debug")
 }
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"time"

+	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
 	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
@ -67,5 +68,6 @@ func preRun(cmd *cobra.Command, args []string) {
 	if len(configPaths) == 0 && len(configDirectories) == 0 {
 		configPaths = append(configPaths, "config.json")
 	}
-	globalCtx = include.Context(service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger())))
+	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry(), include.EndpointRegistry(), include.DNSTransportRegistry())
 }
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@ -5,7 +5,6 @@ import (
 	"context"
 	"io"
 	"os"
-	"path/filepath"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/srs"
@ -57,14 +56,6 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	if err != nil {
 		return E.Cause(err, "read rule-set")
 	}
-	if flagRuleSetMatchFormat == "" {
-		switch filepath.Ext(sourcePath) {
-		case ".json":
-			flagRuleSetMatchFormat = C.RuleSetFormatSource
-		case ".srs":
-			flagRuleSetMatchFormat = C.RuleSetFormatBinary
-		}
-	}
 	var ruleSet option.PlainRuleSetCompat
 	switch flagRuleSetMatchFormat {
 	case C.RuleSetFormatSource:
--- a/common/badtls/read_wait_utls.go
+++ b/common/badtls/read_wait_utls.go
@ -7,8 +7,7 @@ import (
 	_ "unsafe"

 	"github.com/sagernet/sing/common"
-
-	"github.com/metacubex/utls"
+	"github.com/sagernet/utls"
 )

 func init() {
@ -25,8 +24,8 @@ func init() {
 	})
 }

-//go:linkname utlsReadRecord github.com/metacubex/utls.(*Conn).readRecord
+//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
 func utlsReadRecord(c *tls.Conn) error

-//go:linkname utlsHandlePostHandshakeMessage github.com/metacubex/utls.(*Conn).handlePostHandshakeMessage
+//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
 func utlsHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@ -66,17 +66,11 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 		interfaceFinder = control.NewDefaultInterfaceFinder()
 	}
 	if options.BindInterface != "" {
-		if !(C.IsLinux || C.IsDarwin || C.IsWindows) {
-			return nil, E.New("`bind_interface` is only supported on Linux, macOS and Windows")
-		}
 		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark > 0 {
-		if !C.IsLinux {
-			return nil, E.New("`routing_mark` is only supported on Linux")
-		}
 		dialer.Control = control.Append(dialer.Control, setMarkWrapper(networkManager, uint32(options.RoutingMark), false))
 		listener.Control = control.Append(listener.Control, setMarkWrapper(networkManager, uint32(options.RoutingMark), false))
 	}
@ -97,6 +91,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			} else if networkManager.AutoDetectInterface() {
 				if platformInterface != nil {
 					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
+					if networkStrategy == nil {
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+						defaultNetworkStrategy = true
+					}
 					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
 					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
 					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
@ -108,10 +106,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
 						networkFallbackDelay = defaultOptions.FallbackDelay
 					}
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
 					bindFunc := networkManager.ProtectFunc()
 					dialer.Control = control.Append(dialer.Control, bindFunc)
 					listener.Control = control.Append(listener.Control, bindFunc)
@ -347,17 +341,7 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 }

 func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	udpListener := d.udpListener
-	udpListener.Control = control.Append(udpListener.Control, func(network, address string, conn syscall.RawConn) error {
-		for _, wgControlFn := range WgControlFns {
-			err := wgControlFn(network, address, conn)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	return udpListener.ListenPacket(context.Background(), network, address)
+	return d.udpListener.ListenPacket(context.Background(), network, address)
 }

 func trackConn(conn net.Conn, err error) (net.Conn, error) {
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@ -83,7 +83,6 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			dialOptions.DomainStrategy != option.DomainStrategy(C.DomainStrategyAsIS) {
 				//nolint:staticcheck
 				strategy = C.DomainStrategy(dialOptions.DomainStrategy)
-				deprecated.Report(options.Context, deprecated.OptionLegacyDomainStrategyOptions)
 			}
 			server = dialOptions.DomainResolver.Server
 			dnsQueryOptions = adapter.DNSQueryOptions{
@ -96,31 +95,22 @@ func NewWithOptions(options Options) (N.Dialer, error) {
 			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
 		} else if options.DirectResolver {
 			return nil, E.New("missing domain resolver for domain server address")
-		} else {
-			if defaultOptions.DomainResolver != "" {
-				dnsQueryOptions = defaultOptions.DomainResolveOptions
-				transport, loaded := dnsTransport.Transport(defaultOptions.DomainResolver)
-				if !loaded {
-					return nil, E.New("default domain resolver not found: " + defaultOptions.DomainResolver)
-				}
-				dnsQueryOptions.Transport = transport
-				resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
-			} else {
-				transports := dnsTransport.Transports()
-				if len(transports) < 2 {
-					dnsQueryOptions.Transport = dnsTransport.Default()
-				} else if options.NewDialer {
-					return nil, E.New("missing domain resolver for domain server address")
-				} else if !options.DirectOutbound {
-					deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
-				}
+		} else if defaultOptions.DomainResolver != "" {
+			dnsQueryOptions = defaultOptions.DomainResolveOptions
+			transport, loaded := dnsTransport.Transport(defaultOptions.DomainResolver)
+			if !loaded {
+				return nil, E.New("default domain resolver not found: " + defaultOptions.DomainResolver)
 			}
-			if
-			//nolint:staticcheck
-			dialOptions.DomainStrategy != option.DomainStrategy(C.DomainStrategyAsIS) {
-				//nolint:staticcheck
-				dnsQueryOptions.Strategy = C.DomainStrategy(dialOptions.DomainStrategy)
-				deprecated.Report(options.Context, deprecated.OptionLegacyDomainStrategyOptions)
+			dnsQueryOptions.Transport = transport
+			resolveFallbackDelay = time.Duration(dialOptions.FallbackDelay)
+		} else {
+			transports := dnsTransport.Transports()
+			if len(transports) < 2 {
+				dnsQueryOptions.Transport = dnsTransport.Default()
+			} else if options.NewDialer {
+				return nil, E.New("missing domain resolver for domain server address")
+			} else if !options.DirectOutbound {
+				deprecated.Report(options.Context, deprecated.OptionMissingDomainResolver)
 			}
 		}
 		dialer = NewResolveDialer(
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@ -12,6 +12,7 @@ import (

 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

@ -75,11 +76,10 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 		return c.conn.Write(b)
 	default:
 	}
-	conn, err := c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
 	if err != nil {
-		c.err = err
-	} else {
-		c.conn = conn
+		c.conn = nil
+		c.err = E.Cause(err, "dial tcp fast open")
 	}
 	n = len(b)
 	close(c.create)
--- a/common/humanize/bytes.go
+++ b/common/humanize/bytes.go
@ -0,0 +1,158 @@
+package humanize
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// IEC Sizes.
+// kibis of bits
+const (
+	Byte = 1 << (iota * 10)
+	KiByte
+	MiByte
+	GiByte
+	TiByte
+	PiByte
+	EiByte
+)
+
+// SI Sizes.
+const (
+	IByte = 1
+	KByte = IByte * 1000
+	MByte = KByte * 1000
+	GByte = MByte * 1000
+	TByte = GByte * 1000
+	PByte = TByte * 1000
+	EByte = PByte * 1000
+)
+
+var defaultSizeTable = map[string]uint64{
+	"b":   Byte,
+	"kib": KiByte,
+	"kb":  KByte,
+	"mib": MiByte,
+	"mb":  MByte,
+	"gib": GiByte,
+	"gb":  GByte,
+	"tib": TiByte,
+	"tb":  TByte,
+	"pib": PiByte,
+	"pb":  PByte,
+	"eib": EiByte,
+	"eb":  EByte,
+	// Without suffix
+	"":   Byte,
+	"ki": KiByte,
+	"k":  KByte,
+	"mi": MiByte,
+	"m":  MByte,
+	"gi": GiByte,
+	"g":  GByte,
+	"ti": TiByte,
+	"t":  TByte,
+	"pi": PiByte,
+	"p":  PByte,
+	"ei": EiByte,
+	"e":  EByte,
+}
+
+var memorysSizeTable = map[string]uint64{
+	"b":  Byte,
+	"kb": KiByte,
+	"mb": MiByte,
+	"gb": GiByte,
+	"tb": TiByte,
+	"pb": PiByte,
+	"eb": EiByte,
+	"":   Byte,
+	"k":  KiByte,
+	"m":  MiByte,
+	"g":  GiByte,
+	"t":  TiByte,
+	"p":  PiByte,
+	"e":  EiByte,
+}
+
+var (
+	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
+	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
+)
+
+func Bytes(s uint64) string {
+	return humanateBytes(s, 1000, defaultSizes)
+}
+
+func MemoryBytes(s uint64) string {
+	return humanateBytes(s, 1024, defaultSizes)
+}
+
+func IBytes(s uint64) string {
+	return humanateBytes(s, 1024, iSizes)
+}
+
+func logn(n, b float64) float64 {
+	return math.Log(n) / math.Log(b)
+}
+
+func humanateBytes(s uint64, base float64, sizes []string) string {
+	if s < 10 {
+		return fmt.Sprintf("%d B", s)
+	}
+	e := math.Floor(logn(float64(s), base))
+	suffix := sizes[int(e)]
+	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
+	f := "%.0f %s"
+	if val < 10 {
+		f = "%.1f %s"
+	}
+
+	return fmt.Sprintf(f, val, suffix)
+}
+
+func ParseBytes(s string) (uint64, error) {
+	return parseBytes0(s, defaultSizeTable)
+}
+
+func ParseMemoryBytes(s string) (uint64, error) {
+	return parseBytes0(s, memorysSizeTable)
+}
+
+func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
+	lastDigit := 0
+	hasComma := false
+	for _, r := range s {
+		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
+			break
+		}
+		if r == ',' {
+			hasComma = true
+		}
+		lastDigit++
+	}
+
+	num := s[:lastDigit]
+	if hasComma {
+		num = strings.Replace(num, ",", "", -1)
+	}
+
+	f, err := strconv.ParseFloat(num, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
+	if m, ok := sizeTable[extra]; ok {
+		f *= float64(m)
+		if f >= math.MaxUint64 {
+			return 0, fmt.Errorf("too large: %v", s)
+		}
+		return uint64(f), nil
+	}
+
+	return 0, fmt.Errorf("unhandled size name: %v", extra)
+}
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@ -32,7 +32,6 @@ type Listener struct {
 	disablePacketOutput      bool
 	setSystemProxy           bool
 	systemProxySOCKS         bool
-	tproxy                   bool

 	tcpListener          net.Listener
 	systemProxy          settings.SystemProxy
@ -55,7 +54,6 @@ type Options struct {
 	DisablePacketOutput      bool
 	SetSystemProxy           bool
 	SystemProxySOCKS         bool
-	TProxy                   bool
 }

 func New(
@ -73,7 +71,6 @@ func New(
 		disablePacketOutput:      options.DisablePacketOutput,
 		setSystemProxy:           options.SetSystemProxy,
 		systemProxySOCKS:         options.SystemProxySOCKS,
-		tproxy:                   options.TProxy,
 	}
 }

--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@ -3,18 +3,14 @@ package listener
 import (
 	"net"
 	"net/netip"
-	"syscall"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/redir"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"

 	"github.com/metacubex/tfo-go"
 )
@ -27,15 +23,6 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 	var err error
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
 	var listenConfig net.ListenConfig
-	if l.listenOptions.BindInterface != "" {
-		listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-	}
-	if l.listenOptions.RoutingMark != 0 {
-		listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-	}
-	if l.listenOptions.ReuseAddr {
-		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-	}
 	if l.listenOptions.TCPKeepAlive >= 0 {
 		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
 		if keepIdle == 0 {
@ -53,13 +40,6 @@ func (l *Listener) ListenTCP() (net.Listener, error) {
 		}
 		setMultiPathTCP(&listenConfig)
 	}
-	if l.tproxy {
-		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
-			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), false)
-			})
-		})
-	}
 	tcpListener, err := ListenNetworkNamespace[net.Listener](l.listenOptions.NetNs, func() (net.Listener, error) {
 		if l.listenOptions.TCPFastOpen {
 			var tfoConfig tfo.ListenConfig
--- a/common/listener/listener_udp.go
+++ b/common/listener/listener_udp.go
@ -5,30 +5,17 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"syscall"

-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/redir"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
 )

 func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
-	var listenConfig net.ListenConfig
-	if l.listenOptions.BindInterface != "" {
-		listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-	}
-	if l.listenOptions.RoutingMark != 0 {
-		listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-	}
-	if l.listenOptions.ReuseAddr {
-		listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-	}
+	var lc net.ListenConfig
 	var udpFragment bool
 	if l.listenOptions.UDPFragment != nil {
 		udpFragment = *l.listenOptions.UDPFragment
@ -36,17 +23,10 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 		udpFragment = l.listenOptions.UDPFragmentDefault
 	}
 	if !udpFragment {
-		listenConfig.Control = control.Append(listenConfig.Control, control.DisableUDPFragment())
-	}
-	if l.tproxy {
-		listenConfig.Control = control.Append(listenConfig.Control, func(network, address string, conn syscall.RawConn) error {
-			return control.Raw(conn, func(fd uintptr) error {
-				return redir.TProxy(fd, !M.ParseSocksaddr(address).IsIPv4(), true)
-			})
-		})
+		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
 	}
 	udpConn, err := ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
-		return listenConfig.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
+		return lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
 	})
 	if err != nil {
 		return nil, err
@ -57,32 +37,8 @@ func (l *Listener) ListenUDP() (net.PacketConn, error) {
 	return udpConn, err
 }

-func (l *Listener) DialContext(dialer net.Dialer, ctx context.Context, network string, address string) (net.Conn, error) {
-	return ListenNetworkNamespace[net.Conn](l.listenOptions.NetNs, func() (net.Conn, error) {
-		if l.listenOptions.BindInterface != "" {
-			dialer.Control = control.Append(dialer.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-		}
-		if l.listenOptions.RoutingMark != 0 {
-			dialer.Control = control.Append(dialer.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-		}
-		if l.listenOptions.ReuseAddr {
-			dialer.Control = control.Append(dialer.Control, control.ReuseAddr())
-		}
-		return dialer.DialContext(ctx, network, address)
-	})
-}
-
 func (l *Listener) ListenPacket(listenConfig net.ListenConfig, ctx context.Context, network string, address string) (net.PacketConn, error) {
 	return ListenNetworkNamespace[net.PacketConn](l.listenOptions.NetNs, func() (net.PacketConn, error) {
-		if l.listenOptions.BindInterface != "" {
-			listenConfig.Control = control.Append(listenConfig.Control, control.BindToInterface(service.FromContext[adapter.NetworkManager](l.ctx).InterfaceFinder(), l.listenOptions.BindInterface, -1))
-		}
-		if l.listenOptions.RoutingMark != 0 {
-			listenConfig.Control = control.Append(listenConfig.Control, control.RoutingMark(uint32(l.listenOptions.RoutingMark)))
-		}
-		if l.listenOptions.ReuseAddr {
-			listenConfig.Control = control.Append(listenConfig.Control, control.ReuseAddr())
-		}
 		return listenConfig.ListenPacket(ctx, network, address)
 	})
 }
--- a/common/redir/tproxy_linux.go
+++ b/common/redir/tproxy_linux.go
@ -12,7 +12,7 @@ import (
 	"golang.org/x/sys/unix"
 )

-func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
+func TProxy(fd uintptr, isIPv6 bool) error {
 	err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1)
 	if err == nil {
 		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
@ -20,13 +20,11 @@ func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
 	if err == nil && isIPv6 {
 		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_TRANSPARENT, 1)
 	}
-	if isUDP {
-		if err == nil {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVORIGDSTADDR, 1)
-		}
-		if err == nil && isIPv6 {
-			err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_RECVORIGDSTADDR, 1)
-		}
+	if err == nil {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_RECVORIGDSTADDR, 1)
+	}
+	if err == nil && isIPv6 {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_IPV6, unix.IPV6_RECVORIGDSTADDR, 1)
 	}
 	return err
 }
--- a/common/redir/tproxy_other.go
+++ b/common/redir/tproxy_other.go
@ -9,7 +9,7 @@ import (
 	"github.com/sagernet/sing/common/control"
 )

-func TProxy(fd uintptr, isIPv6 bool, isUDP bool) error {
+func TProxy(fd uintptr, isIPv6 bool) error {
 	return os.ErrInvalid
 }

--- a/common/sniff/bittorrent.go
+++ b/common/sniff/bittorrent.go
@ -31,18 +31,13 @@ func BitTorrent(_ context.Context, metadata *adapter.InboundContext, reader io.R
 		return os.ErrInvalid
 	}

-	const header = "BitTorrent protocol"
 	var protocol [19]byte
-	var n int
-	n, err = reader.Read(protocol[:])
-	if string(protocol[:n]) != header[:n] {
-		return os.ErrInvalid
-	}
+	_, err = reader.Read(protocol[:])
 	if err != nil {
 		return E.Cause1(ErrNeedMoreData, err)
 	}
-	if n < 19 {
-		return ErrNeedMoreData
+	if string(protocol[:]) != "BitTorrent protocol" {
+		return os.ErrInvalid
 	}

 	metadata.Protocol = C.ProtocolBitTorrent
--- a/common/sniff/bittorrent_test.go
+++ b/common/sniff/bittorrent_test.go
@ -32,27 +32,6 @@ func TestSniffBittorrent(t *testing.T) {
 	}
 }

-func TestSniffIncompleteBittorrent(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("13426974546f7272656e74")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
-}
-
-func TestSniffNotBittorrent(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("13426974546f7272656e75")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.BitTorrent(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.NotEmpty(t, err)
-	require.NotErrorIs(t, err, sniff.ErrNeedMoreData)
-}
-
 func TestSniffUTP(t *testing.T) {
 	t.Parallel()

--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@ -20,36 +20,22 @@ func StreamDomainNameQuery(readCtx context.Context, metadata *adapter.InboundCon
 	if err != nil {
 		return E.Cause1(ErrNeedMoreData, err)
 	}
-	if length < 12 {
+	if length == 0 {
 		return os.ErrInvalid
 	}
 	buffer := buf.NewSize(int(length))
 	defer buffer.Release()
-	var n int
-	n, err = buffer.ReadFullFrom(reader, buffer.FreeLen())
-	packet := buffer.Bytes()
-	if n > 2 && packet[2]&0x80 != 0 { // QR
-		return os.ErrInvalid
-	}
-	if n > 5 && packet[4] == 0 && packet[5] == 0 { // QDCOUNT
-		return os.ErrInvalid
-	}
-	for i := 6; i < 10; i++ {
-		// ANCOUNT, NSCOUNT
-		if n > i && packet[i] != 0 {
-			return os.ErrInvalid
-		}
-	}
+	_, err = buffer.ReadFullFrom(reader, buffer.FreeLen())
 	if err != nil {
 		return E.Cause1(ErrNeedMoreData, err)
 	}
-	return DomainNameQuery(readCtx, metadata, packet)
+	return DomainNameQuery(readCtx, metadata, buffer.Bytes())
 }

 func DomainNameQuery(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
 	var msg mDNS.Msg
 	err := msg.Unpack(packet)
-	if err != nil || msg.Response || len(msg.Question) == 0 || len(msg.Answer) > 0 || len(msg.Ns) > 0 {
+	if err != nil {
 		return err
 	}
 	metadata.Protocol = C.ProtocolDNS
--- a/common/sniff/dns_test.go
+++ b/common/sniff/dns_test.go
@ -1,7 +1,6 @@
 package sniff_test

 import (
-	"bytes"
 	"context"
 	"encoding/hex"
 	"testing"
@ -22,32 +21,3 @@ func TestSniffDNS(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, C.ProtocolDNS, metadata.Protocol)
 }
-
-func TestSniffStreamDNS(t *testing.T) {
-	t.Parallel()
-	query, err := hex.DecodeString("001e740701000001000000000000012a06676f6f676c6503636f6d0000010001")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.StreamDomainNameQuery(context.TODO(), &metadata, bytes.NewReader(query))
-	require.NoError(t, err)
-	require.Equal(t, C.ProtocolDNS, metadata.Protocol)
-}
-
-func TestSniffIncompleteStreamDNS(t *testing.T) {
-	t.Parallel()
-	query, err := hex.DecodeString("001e740701000001000000000000")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.StreamDomainNameQuery(context.TODO(), &metadata, bytes.NewReader(query))
-	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
-}
-
-func TestSniffNotStreamDNS(t *testing.T) {
-	t.Parallel()
-	query, err := hex.DecodeString("001e740701000000000000000000")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.StreamDomainNameQuery(context.TODO(), &metadata, bytes.NewReader(query))
-	require.NotEmpty(t, err)
-	require.NotErrorIs(t, err, sniff.ErrNeedMoreData)
-}
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@ -68,7 +68,7 @@ func PeekStream(ctx context.Context, metadata *adapter.InboundContext, conn net.
 			}
 			sniffError = E.Errors(sniffError, err)
 		}
-		if !errors.Is(sniffError, ErrNeedMoreData) {
+		if !errors.Is(err, ErrNeedMoreData) {
 			break
 		}
 	}
--- a/common/sniff/ssh.go
+++ b/common/sniff/ssh.go
@ -15,11 +15,10 @@ func SSH(_ context.Context, metadata *adapter.InboundContext, reader io.Reader)
 	const sshPrefix = "SSH-2.0-"
 	bReader := bufio.NewReader(reader)
 	prefix, err := bReader.Peek(len(sshPrefix))
-	if string(prefix[:]) != sshPrefix[:len(prefix)] {
-		return os.ErrInvalid
-	}
 	if err != nil {
 		return E.Cause1(ErrNeedMoreData, err)
+	} else if string(prefix) != sshPrefix {
+		return os.ErrInvalid
 	}
 	fistLine, _, err := bReader.ReadLine()
 	if err != nil {
--- a/common/sniff/ssh_test.go
+++ b/common/sniff/ssh_test.go
@ -24,24 +24,3 @@ func TestSniffSSH(t *testing.T) {
 	require.Equal(t, C.ProtocolSSH, metadata.Protocol)
 	require.Equal(t, "dropbear", metadata.Client)
 }
-
-func TestSniffIncompleteSSH(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("5353482d322e30")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.SSH(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.ErrorIs(t, err, sniff.ErrNeedMoreData)
-}
-
-func TestSniffNotSSH(t *testing.T) {
-	t.Parallel()
-
-	pkt, err := hex.DecodeString("5353482d322e31")
-	require.NoError(t, err)
-	var metadata adapter.InboundContext
-	err = sniff.SSH(context.TODO(), &metadata, bytes.NewReader(pkt))
-	require.NotEmpty(t, err)
-	require.NotErrorIs(t, err, sniff.ErrNeedMoreData)
-}
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@ -37,7 +37,7 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }

-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
--- a/common/tls/acme_stub.go
+++ b/common/tls/acme_stub.go
@ -11,6 +11,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }
--- a/common/tls/config.go
+++ b/common/tls/config.go
@ -18,7 +18,6 @@ type (
 	STDConfig       = tls.Config
 	STDConn         = tls.Conn
 	ConnectionState = tls.ConnectionState
-	CurveID         = tls.CurveID
 )

 func ParseTLSVersion(version string) (uint16, error) {
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@ -10,8 +10,6 @@ import (
 	"net"
 	"os"
 	"strings"
-	"sync"
-	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/dns"
@ -48,10 +46,7 @@ func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions
 		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
 		return &STDClientConfig{tlsConfig}, nil
 	} else {
-		return &STDECHClientConfig{
-			STDClientConfig: STDClientConfig{tlsConfig},
-			dnsRouter:       service.FromContext[adapter.DNSRouter](ctx),
-		}, nil
+		return &STDECHClientConfig{STDClientConfig{tlsConfig}, service.FromContext[adapter.DNSRouter](ctx)}, nil
 	}
 }

@ -104,28 +99,11 @@ func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {

 type STDECHClientConfig struct {
 	STDClientConfig
-	access     sync.Mutex
-	dnsRouter  adapter.DNSRouter
-	lastTTL    time.Duration
-	lastUpdate time.Time
+	dnsRouter adapter.DNSRouter
 }

 func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
-	tlsConn, err := s.fetchAndHandshake(ctx, conn)
-	if err != nil {
-		return nil, err
-	}
-	err = tlsConn.HandshakeContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return tlsConn, nil
-}
-
-func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	if len(s.config.EncryptedClientHelloConfigList) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
+	if len(s.config.EncryptedClientHelloConfigList) == 0 {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@ -155,8 +133,6 @@ func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Con
 						if err != nil {
 							return nil, E.Cause(err, "decode ECH config")
 						}
-						s.lastTTL = time.Duration(rr.Header().Ttl) * time.Second
-						s.lastUpdate = time.Now()
 						s.config.EncryptedClientHelloConfigList = echConfigList
 						break match
 					}
@ -167,11 +143,19 @@ func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Con
 			return nil, E.New("no ECH config found in DNS records")
 		}
 	}
-	return s.Client(conn)
+	tlsConn, err := s.Client(conn)
+	if err != nil {
+		return nil, err
+	}
+	err = tlsConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return tlsConn, nil
 }

 func (s *STDECHClientConfig) Clone() Config {
-	return &STDECHClientConfig{STDClientConfig: STDClientConfig{s.config.Clone()}, dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+	return &STDECHClientConfig{STDClientConfig{s.config.Clone()}, s.dnsRouter}
 }

 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {
--- a/common/tls/ech_tag_stub.go
+++ b/common/tls/ech_tag_stub.go
@ -1,5 +0,0 @@
-//go:build with_ech
-
-package tls
-
-var _ int = "Due to the migration to stdlib, the separate `with_ech` build tag has been deprecated and is no longer needed, please update your build configuration."
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@ -29,13 +29,12 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	aTLS "github.com/sagernet/sing/common/tls"
+	utls "github.com/sagernet/utls"

-	utls "github.com/metacubex/utls"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
 )
@ -115,22 +114,6 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-	for _, extension := range uConn.Extensions {
-		if ce, ok := extension.(*utls.SupportedCurvesExtension); ok {
-			ce.Curves = common.Filter(ce.Curves, func(curveID utls.CurveID) bool {
-				return curveID != utls.X25519MLKEM768
-			})
-		}
-		if ks, ok := extension.(*utls.KeyShareExtension); ok {
-			ks.KeyShares = common.Filter(ks.KeyShares, func(share utls.KeyShare) bool {
-				return share.Group != utls.X25519MLKEM768
-			})
-		}
-	}
-	err = uConn.BuildHandshakeState()
-	if err != nil {
-		return nil, err
-	}

 	if len(uConfig.NextProtos) > 0 {
 		for _, extension := range uConn.Extensions {
@ -165,13 +148,9 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-	keyShareKeys := uConn.HandshakeState.State13.KeyShareKeys
-	if keyShareKeys == nil {
-		return nil, E.New("nil KeyShareKeys")
-	}
-	ecdheKey := keyShareKeys.Ecdhe
+	ecdheKey := uConn.HandshakeState.State13.EcdheKey
 	if ecdheKey == nil {
-		return nil, E.New("nil ecdheKey")
+		return nil, E.New("nil ecdhe_key")
 	}
 	authKey, err := ecdheKey.ECDH(publicKey)
 	if err != nil {
@ -235,6 +214,10 @@ func realityClientFallback(ctx context.Context, uConn net.Conn, serverName strin
 	response.Body.Close()
 }

+func (e *RealityClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
+	e.uClient.config.SessionIDGenerator = generator
+}
+
 func (e *RealityClientConfig) Clone() Config {
 	return &RealityClientConfig{
 		e.ctx,
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@ -1,4 +1,4 @@
-//go:build with_utls
+//go:build with_reality_server

 package tls

@ -7,29 +7,28 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
-	"fmt"
 	"net"
 	"time"

+	"github.com/sagernet/reality"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
-
-	utls "github.com/metacubex/utls"
 )

 var _ ServerConfigCompat = (*RealityServerConfig)(nil)

 type RealityServerConfig struct {
-	config *utls.RealityConfig
+	config *reality.Config
 }

 func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
-	var tlsConfig utls.RealityConfig
+	var tlsConfig reality.Config

 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
@ -75,11 +74,6 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 	}

 	tlsConfig.SessionTicketsDisabled = true
-	tlsConfig.Log = func(format string, v ...any) {
-		if logger != nil {
-			logger.Trace(fmt.Sprintf(format, v...))
-		}
-	}
 	tlsConfig.Type = N.NetworkTCP
 	tlsConfig.Dest = options.Reality.Handshake.ServerOptions.Build().String()

@ -95,20 +89,16 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 	tlsConfig.MaxTimeDiff = time.Duration(options.Reality.MaxTimeDifference)

 	tlsConfig.ShortIds = make(map[[8]byte]bool)
-	if len(options.Reality.ShortID) == 0 {
-		tlsConfig.ShortIds[[8]byte{0}] = true
-	} else {
-		for i, shortIDString := range options.Reality.ShortID {
-			var shortID [8]byte
-			decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
-			if err != nil {
-				return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
-			}
-			if decodedLen > 8 {
-				return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
-			}
-			tlsConfig.ShortIds[shortID] = true
+	for i, shortIDString := range options.Reality.ShortID {
+		var shortID [8]byte
+		decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
+		if err != nil {
+			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
 		}
+		if decodedLen > 8 {
+			return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
+		}
+		tlsConfig.ShortIds[shortID] = true
 	}

 	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions, options.Reality.Handshake.ServerIsDomain())
@ -119,6 +109,10 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 	}

+	if debug.Enabled {
+		tlsConfig.Show = true
+	}
+
 	return &RealityServerConfig{&tlsConfig}, nil
 }

@ -159,7 +153,7 @@ func (c *RealityServerConfig) Server(conn net.Conn) (Conn, error) {
 }

 func (c *RealityServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (Conn, error) {
-	tlsConn, err := utls.RealityServer(ctx, conn, c.config)
+	tlsConn, err := reality.Server(ctx, conn, c.config)
 	if err != nil {
 		return nil, err
 	}
@ -175,7 +169,7 @@ func (c *RealityServerConfig) Clone() Config {
 var _ Conn = (*realityConnWrapper)(nil)

 type realityConnWrapper struct {
-	*utls.Conn
+	*reality.Conn
 }

 func (c *realityConnWrapper) ConnectionState() ConnectionState {
--- a/common/tls/reality_stub.go
+++ b/common/tls/reality_stub.go
@ -1,5 +1,15 @@
-//go:build with_reality_server
+//go:build !with_reality_server

 package tls

-var _ int = "The separate `with_reality_server` build tag has been merged into `with_utls` and is no longer needed, please update your build configuration."
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
+}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@ -6,7 +6,6 @@ import (
 	"net"
 	"os"
 	"strings"
-	"time"

 	"github.com/sagernet/fswatch"
 	"github.com/sagernet/sing-box/adapter"
@ -22,7 +21,7 @@ var errInsecureUnused = E.New("tls: insecure unused")
 type STDServerConfig struct {
 	config          *tls.Config
 	logger          log.Logger
-	acmeService     adapter.SimpleLifecycle
+	acmeService     adapter.Service
 	certificate     []byte
 	key             []byte
 	certificatePath string
@ -165,7 +164,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		return nil, nil
 	}
 	var tlsConfig *tls.Config
-	var acmeService adapter.SimpleLifecycle
+	var acmeService adapter.Service
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
@ -234,12 +233,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			key = content
 		}
 		if certificate == nil && key == nil && options.Insecure {
-			timeFunc := ntp.TimeFuncFromContext(ctx)
-			if timeFunc == nil {
-				timeFunc = time.Now
-			}
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(nil, nil, timeFunc, info.ServerName)
+				return GenerateKeyPair(nil, nil, ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@ -16,8 +16,8 @@ import (
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	utls "github.com/sagernet/utls"

-	utls "github.com/metacubex/utls"
 	"golang.org/x/net/http2"
 )

--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@ -5,7 +5,6 @@ package tls
 import (
 	"context"

-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@ -15,9 +14,5 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 }

 func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
-}
-
-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, E.New(`uTLS, which is required by reality is not included in this build, rebuild with -tags with_utls`)
+	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }
--- a/common/tlsfragment/conn.go
+++ b/common/tlsfragment/conn.go
@ -1,9 +1,7 @@
 package tf

 import (
-	"bytes"
 	"context"
-	"encoding/binary"
 	"math/rand"
 	"net"
 	"strings"
@ -19,19 +17,17 @@ type Conn struct {
 	tcpConn            *net.TCPConn
 	ctx                context.Context
 	firstPacketWritten bool
-	splitRecord        bool
 	fallbackDelay      time.Duration
 }

-func NewConn(conn net.Conn, ctx context.Context, splitRecord bool, fallbackDelay time.Duration) *Conn {
+func NewConn(conn net.Conn, ctx context.Context, fallbackDelay time.Duration) (*Conn, error) {
 	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
 	return &Conn{
 		Conn:          conn,
 		tcpConn:       tcpConn,
 		ctx:           ctx,
-		splitRecord:   splitRecord,
 		fallbackDelay: fallbackDelay,
-	}
+	}, nil
 }

 func (c *Conn) Write(b []byte) (n int, err error) {
@ -41,12 +37,10 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 		}()
 		serverName := indexTLSServerName(b)
 		if serverName != nil {
-			if !c.splitRecord {
-				if c.tcpConn != nil {
-					err = c.tcpConn.SetNoDelay(true)
-					if err != nil {
-						return
-					}
+			if c.tcpConn != nil {
+				err = c.tcpConn.SetNoDelay(true)
+				if err != nil {
+					return
 				}
 			}
 			splits := strings.Split(serverName.ServerName, ".")
@ -67,25 +61,16 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 					currentIndex++
 				}
 			}
-			var buffer bytes.Buffer
 			for i := 0; i <= len(splitIndexes); i++ {
 				var payload []byte
 				if i == 0 {
 					payload = b[:splitIndexes[i]]
-					if c.splitRecord {
-						payload = payload[recordLayerHeaderLen:]
-					}
 				} else if i == len(splitIndexes) {
 					payload = b[splitIndexes[i-1]:]
 				} else {
 					payload = b[splitIndexes[i-1]:splitIndexes[i]]
 				}
-				if c.splitRecord {
-					payloadLen := uint16(len(payload))
-					buffer.Write(b[:3])
-					binary.Write(&buffer, binary.BigEndian, payloadLen)
-					buffer.Write(payload)
-				} else if c.tcpConn != nil && i != len(splitIndexes) {
+				if c.tcpConn != nil && i != len(splitIndexes) {
 					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
 					if err != nil {
 						return
@ -97,18 +82,11 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 					}
 				}
 			}
-			if c.splitRecord {
-				_, err = c.Conn.Write(buffer.Bytes())
+			if c.tcpConn != nil {
+				err = c.tcpConn.SetNoDelay(false)
 				if err != nil {
 					return
 				}
-			} else {
-				if c.tcpConn != nil {
-					err = c.tcpConn.SetNoDelay(false)
-					if err != nil {
-						return
-					}
-				}
 			}
 			return len(b), nil
 		}
--- a/common/tlsfragment/conn_test.go
+++ b/common/tlsfragment/conn_test.go
@ -1,32 +0,0 @@
-package tf_test
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-	"testing"
-
-	tf "github.com/sagernet/sing-box/common/tlsfragment"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestTLSFragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}
-
-func TestTLSRecordFragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}
--- a/constant/proxy.go
+++ b/constant/proxy.go
@ -25,9 +25,6 @@ const (
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
 	TypeTailscale    = "tailscale"
-	TypeDERP         = "derp"
-	TypeResolved     = "resolved"
-	TypeSSMAPI       = "ssm-api"
 )

 const (
--- a/debug.go
+++ b/debug.go
@ -24,9 +24,9 @@ func applyDebugOptions(options option.DebugOptions) {
 	if options.TraceBack != "" {
 		debug.SetTraceback(options.TraceBack)
 	}
-	if options.MemoryLimit.Value() != 0 {
-		debug.SetMemoryLimit(int64(float64(options.MemoryLimit.Value()) / 1.5))
-		conntrack.MemoryLimit = options.MemoryLimit.Value()
+	if options.MemoryLimit != 0 {
+		debug.SetMemoryLimit(int64(float64(options.MemoryLimit) / 1.5))
+		conntrack.MemoryLimit = uint64(options.MemoryLimit)
 	}
 	if options.OOMKiller != nil {
 		conntrack.KillerEnabled = *options.OOMKiller
--- a/debug_http.go
+++ b/debug_http.go
@ -7,9 +7,9 @@ import (
 	"runtime/debug"
 	"strings"

+	"github.com/sagernet/sing-box/common/humanize"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/byteformats"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/json"
 	"github.com/sagernet/sing/common/json/badjson"
@ -38,9 +38,9 @@ func applyDebugListenOption(options option.DebugOptions) {
 			runtime.ReadMemStats(&memStats)

 			var memObject badjson.JSONObject
-			memObject.Put("heap", byteformats.FormatMemoryBytes(memStats.HeapInuse))
-			memObject.Put("stack", byteformats.FormatMemoryBytes(memStats.StackInuse))
-			memObject.Put("idle", byteformats.FormatMemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
+			memObject.Put("heap", humanize.MemoryBytes(memStats.HeapInuse))
+			memObject.Put("stack", humanize.MemoryBytes(memStats.StackInuse))
+			memObject.Put("idle", humanize.MemoryBytes(memStats.HeapIdle-memStats.HeapReleased))
 			memObject.Put("goroutines", runtime.NumGoroutine())
 			memObject.Put("rss", rusageMaxRSS())

--- a/dns/client.go
+++ b/dns/client.go
@ -34,7 +34,6 @@ type Client struct {
 	disableCache     bool
 	disableExpire    bool
 	independentCache bool
-	clientSubnet     netip.Prefix
 	rdrc             adapter.RDRCStore
 	initRDRCFunc     func() adapter.RDRCStore
 	logger           logger.ContextLogger
@ -48,7 +47,6 @@ type ClientOptions struct {
 	DisableExpire    bool
 	IndependentCache bool
 	CacheCapacity    uint32
-	ClientSubnet     netip.Prefix
 	RDRC             func() adapter.RDRCStore
 	Logger           logger.ContextLogger
 }
@ -59,7 +57,6 @@ func NewClient(options ClientOptions) *Client {
 		disableCache:     options.DisableCache,
 		disableExpire:    options.DisableExpire,
 		independentCache: options.IndependentCache,
-		clientSubnet:     options.ClientSubnet,
 		initRDRCFunc:     options.RDRC,
 		logger:           options.Logger,
 	}
@ -107,12 +104,8 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		return &responseMessage, nil
 	}
 	question := message.Question[0]
-	clientSubnet := options.ClientSubnet
-	if !clientSubnet.IsValid() {
-		clientSubnet = c.clientSubnet
-	}
-	if clientSubnet.IsValid() {
-		message = SetClientSubnet(message, clientSubnet)
+	if options.ClientSubnet.IsValid() {
+		message = SetClientSubnet(message, options.ClientSubnet, true)
 	}
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&
@ -239,20 +232,10 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 			record.Header().Ttl = timeToLive
 		}
 	}
+	response.Id = messageId
 	if !disableCache {
 		c.storeCache(transport, question, response, timeToLive)
 	}
-	response.Id = messageId
-	requestEDNSOpt := message.IsEdns0()
-	responseEDNSOpt := response.IsEdns0()
-	if responseEDNSOpt != nil && (requestEDNSOpt == nil || requestEDNSOpt.Version() < responseEDNSOpt.Version()) {
-		response.Extra = common.Filter(response.Extra, func(it dns.RR) bool {
-			return it.Header().Rrtype != dns.TypeOPT
-		})
-		if requestEDNSOpt != nil {
-			response.SetEdns0(responseEDNSOpt.UDPSize(), responseEDNSOpt.Do())
-		}
-	}
 	logExchangedResponse(c.logger, ctx, response, timeToLive)
 	return response, err
 }
@ -260,15 +243,9 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, domain string, options adapter.DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error) {
 	domain = FqdnToDomain(domain)
 	dnsName := dns.Fqdn(domain)
-	var strategy C.DomainStrategy
-	if options.LookupStrategy != C.DomainStrategyAsIS {
-		strategy = options.LookupStrategy
-	} else {
-		strategy = options.Strategy
-	}
-	if strategy == C.DomainStrategyIPv4Only {
+	if options.Strategy == C.DomainStrategyIPv4Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeA, options, responseChecker)
-	} else if strategy == C.DomainStrategyIPv6Only {
+	} else if options.Strategy == C.DomainStrategyIPv6Only {
 		return c.lookupToExchange(ctx, transport, dnsName, dns.TypeAAAA, options, responseChecker)
 	}
 	var response4 []netip.Addr
@ -294,7 +271,7 @@ func (c *Client) Lookup(ctx context.Context, transport adapter.DNSTransport, dom
 	if len(response4) == 0 && len(response6) == 0 {
 		return nil, err
 	}
-	return sortAddresses(response4, response6, strategy), nil
+	return sortAddresses(response4, response6, options.Strategy), nil
 }

 func (c *Client) ClearCache() {
@ -506,7 +483,7 @@ func (c *Client) loadResponse(question dns.Question, transport adapter.DNSTransp
 }

 func MessageToAddresses(response *dns.Msg) ([]netip.Addr, error) {
-	if response.Rcode != dns.RcodeSuccess {
+	if response.Rcode != dns.RcodeSuccess && response.Rcode != dns.RcodeNameError {
 		return nil, RcodeError(response.Rcode)
 	}
 	addresses := make([]netip.Addr, 0, len(response.Answer))
@ -550,26 +527,12 @@ func transportTagFromContext(ctx context.Context) (string, bool) {
 	return value, loaded
 }

-func FixedResponseStatus(message *dns.Msg, rcode int) *dns.Msg {
-	return &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:       message.Id,
-			Rcode:    rcode,
-			Response: true,
-		},
-		Question: message.Question,
-	}
-}
-
 func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 	}
@ -602,12 +565,9 @@ func FixedResponse(id uint16, question dns.Question, addresses []netip.Addr, tim
 func FixedResponseCNAME(id uint16, question dns.Question, record string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
@ -628,12 +588,9 @@ func FixedResponseCNAME(id uint16, question dns.Question, record string, timeToL
 func FixedResponseTXT(id uint16, question dns.Question, records []string, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 		Answer: []dns.RR{
@ -654,12 +611,9 @@ func FixedResponseTXT(id uint16, question dns.Question, records []string, timeTo
 func FixedResponseMX(id uint16, question dns.Question, records []*net.MX, timeToLive uint32) *dns.Msg {
 	response := dns.Msg{
 		MsgHdr: dns.MsgHdr{
-			Id:                 id,
-			Response:           true,
-			Authoritative:      true,
-			RecursionDesired:   true,
-			RecursionAvailable: true,
-			Rcode:              dns.RcodeSuccess,
+			Id:       id,
+			Rcode:    dns.RcodeSuccess,
+			Response: true,
 		},
 		Question: []dns.Question{question},
 	}
--- a/dns/extension_edns0_subnet.go
+++ b/dns/extension_edns0_subnet.go
@ -6,11 +6,7 @@ import (
 	"github.com/miekg/dns"
 )

-func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix) *dns.Msg {
-	return setClientSubnet(message, clientSubnet, true)
-}
-
-func setClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, clone bool) *dns.Msg {
+func SetClientSubnet(message *dns.Msg, clientSubnet netip.Prefix, override bool) *dns.Msg {
 	var (
 		optRecord    *dns.OPT
 		subnetOption *dns.EDNS0_SUBNET
@ -23,6 +19,9 @@ findExists:
 				var isEDNS0Subnet bool
 				subnetOption, isEDNS0Subnet = option.(*dns.EDNS0_SUBNET)
 				if isEDNS0Subnet {
+					if !override {
+						return message
+					}
 					break findExists
 				}
 			}
@ -38,14 +37,14 @@ findExists:
 			},
 		}
 		message.Extra = append(message.Extra, optRecord)
-	} else if clone {
-		return setClientSubnet(message.Copy(), clientSubnet, false)
+	} else {
+		message = message.Copy()
 	}
 	if subnetOption == nil {
 		subnetOption = new(dns.EDNS0_SUBNET)
-		subnetOption.Code = dns.EDNS0SUBNET
 		optRecord.Option = append(optRecord.Option, subnetOption)
 	}
+	subnetOption.Code = dns.EDNS0SUBNET
 	if clientSubnet.Addr().Is4() {
 		subnetOption.Family = 1
 	} else {
--- a/dns/router.go
+++ b/dns/router.go
@ -55,7 +55,6 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		DisableExpire:    options.DNSClientOptions.DisableExpire,
 		IndependentCache: options.DNSClientOptions.IndependentCache,
 		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
-		ClientSubnet:     options.DNSClientOptions.ClientSubnet.Build(netip.Prefix{}),
 		RDRC: func() adapter.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {
@ -259,14 +258,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					case *R.RuleActionReject:
 						switch action.Method {
 						case C.RuleActionRejectMethodDefault:
-							return &mDNS.Msg{
-								MsgHdr: mDNS.MsgHdr{
-									Id:       message.Id,
-									Rcode:    mDNS.RcodeRefused,
-									Response: true,
-								},
-								Question: []mDNS.Question{message.Question[0]},
-							}, nil
+							return FixedResponse(message.Id, message.Question[0], nil, 0), nil
 						case C.RuleActionRejectMethodDrop:
 							return nil, tun.ErrDrop
 						}
@ -293,12 +285,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg, options adapte
 					} else if errors.Is(err, ErrResponseRejected) {
 						rejected = true
 						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						/*} else if responseCheck!= nil && errors.Is(err, RcodeError(mDNS.RcodeNameError)) {
-						rejected = true
-						r.logger.DebugContext(ctx, E.Cause(err, "response rejected for ", FormatQuestion(message.Question[0].String())))
-						*/
 					} else if len(message.Question) > 0 {
-						rejected = true
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for ", FormatQuestion(message.Question[0].String())))
 					} else {
 						r.logger.ErrorContext(ctx, E.Cause(err, "exchange failed for <empty query>"))
@ -336,9 +323,6 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 		err           error
 	)
 	printResult := func() {
-		if err == nil && len(responseAddrs) == 0 {
-			err = E.New("empty result")
-		}
 		if err != nil {
 			if errors.Is(err, ErrResponseRejectedCached) {
 				r.logger.DebugContext(ctx, "response rejected for ", domain, " (cached)")
@ -347,15 +331,15 @@ func (r *Router) Lookup(ctx context.Context, domain string, options adapter.DNSQ
 			} else {
 				r.logger.ErrorContext(ctx, E.Cause(err, "lookup failed for ", domain))
 			}
-		}
-		if err != nil {
-			err = E.Cause(err, "lookup ", domain)
+		} else if len(responseAddrs) == 0 {
+			r.logger.ErrorContext(ctx, "lookup failed for ", domain, ": empty result")
+			err = RcodeNameError
 		}
 	}
 	responseAddrs, cached = r.client.LookupCache(domain, options.Strategy)
 	if cached {
 		if len(responseAddrs) == 0 {
-			return nil, E.New("lookup ", domain, ": empty result (cached)")
+			return nil, RcodeNameError
 		}
 		return responseAddrs, nil
 	}
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@ -96,9 +96,6 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 443
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
 	return NewHTTPSRaw(
 		dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTPS, tag, options.RemoteDNSServerOptions),
 		logger,
--- a/dns/transport/local/local.go
+++ b/dns/transport/local/local.go
@ -3,7 +3,6 @@ package local
 import (
 	"context"
 	"math/rand"
-	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@ -36,7 +35,6 @@ func NewTransport(ctx context.Context, logger log.ContextLogger, tag string, opt
 	}
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapterWithLocalOptions(C.DNSTypeLocal, tag, options),
-		ctx:              ctx,
 		hosts:            hosts.NewFile(hosts.DefaultPath),
 		dialer:           transportDialer,
 	}, nil
@ -59,7 +57,7 @@ func (t *Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg,
 			return dns.FixedResponse(message.Id, question, addresses, C.DefaultDNSTTL), nil
 		}
 	}
-	systemConfig := getSystemDNSConfig(t.ctx)
+	systemConfig := getSystemDNSConfig()
 	if systemConfig.singleRequest || !(message.Question[0].Qtype == mDNS.TypeA || message.Question[0].Qtype == mDNS.TypeAAAA) {
 		return t.exchangeSingleRequest(ctx, systemConfig, message, domain)
 	} else {
@ -91,9 +89,8 @@ func (t *Transport) exchangeParallel(ctx context.Context, systemConfig *dnsConfi
 	startRacer := func(ctx context.Context, fqdn string) {
 		response, err := t.tryOneName(ctx, systemConfig, fqdn, message)
 		if err == nil {
-			var addresses []netip.Addr
-			addresses, err = dns.MessageToAddresses(response)
-			if err == nil && len(addresses) == 0 {
+			addresses, _ := dns.MessageToAddresses(response)
+			if len(addresses) == 0 {
 				err = E.New(fqdn, ": empty result")
 			}
 		}
--- a/dns/transport/local/resolv.go
+++ b/dns/transport/local/resolv.go
@ -1,7 +1,6 @@
 package local

 import (
-	"context"
 	"os"
 	"runtime"
 	"strings"
@ -24,21 +23,19 @@ type resolverConfig struct {

 var resolvConf resolverConfig

-func getSystemDNSConfig(ctx context.Context) *dnsConfig {
-	resolvConf.tryUpdate(ctx, "/etc/resolv.conf")
+func getSystemDNSConfig() *dnsConfig {
+	resolvConf.tryUpdate("/etc/resolv.conf")
 	return resolvConf.dnsConfig.Load()
 }

-func (conf *resolverConfig) init(ctx context.Context) {
-	conf.dnsConfig.Store(dnsReadConfig(ctx, "/etc/resolv.conf"))
+func (conf *resolverConfig) init() {
+	conf.dnsConfig.Store(dnsReadConfig("/etc/resolv.conf"))
 	conf.lastChecked = time.Now()
 	conf.ch = make(chan struct{}, 1)
 }

-func (conf *resolverConfig) tryUpdate(ctx context.Context, name string) {
-	conf.initOnce.Do(func() {
-		conf.init(ctx)
-	})
+func (conf *resolverConfig) tryUpdate(name string) {
+	conf.initOnce.Do(conf.init)

 	if conf.dnsConfig.Load().noReload {
 		return
@ -62,7 +59,7 @@ func (conf *resolverConfig) tryUpdate(ctx context.Context, name string) {
 			return
 		}
 	}
-	dnsConf := dnsReadConfig(ctx, name)
+	dnsConf := dnsReadConfig(name)
 	conf.dnsConfig.Store(dnsConf)
 }

--- a/dns/transport/local/resolv_darwin_cgo.go
+++ b/dns/transport/local/resolv_darwin_cgo.go
@ -11,7 +11,6 @@ package local
 import "C"

 import (
-	"context"
 	"time"

 	E "github.com/sagernet/sing/common/exceptions"
@ -19,7 +18,7 @@ import (
 	"github.com/miekg/dns"
 )

-func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
+func dnsReadConfig(_ string) *dnsConfig {
 	if C.res_init() != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
--- a/dns/transport/local/resolv_unix.go
+++ b/dns/transport/local/resolv_unix.go
@ -4,7 +4,6 @@ package local

 import (
 	"bufio"
-	"context"
 	"net"
 	"net/netip"
 	"os"
@ -14,7 +13,7 @@ import (
 	"github.com/miekg/dns"
 )

-func dnsReadConfig(_ context.Context, name string) *dnsConfig {
+func dnsReadConfig(name string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
--- a/dns/transport/local/resolv_windows.go
+++ b/dns/transport/local/resolv_windows.go
@ -1,7 +1,6 @@
 package local

 import (
-	"context"
 	"net"
 	"net/netip"
 	"os"
@ -9,13 +8,10 @@ import (
 	"time"
 	"unsafe"

-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/service"
-
 	"golang.org/x/sys/windows"
 )

-func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
+func dnsReadConfig(_ string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
@ -26,35 +22,35 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 			conf.servers = defaultNS
 		}
 	}()
-	addresses, err := adapterAddresses()
+	aas, err := adapterAddresses()
 	if err != nil {
 		return nil
 	}
-	var dnsAddresses []struct {
-		ifName string
-		netip.Addr
-	}
-	for _, address := range addresses {
-		if address.OperStatus != windows.IfOperStatusUp {
+
+	for _, aa := range aas {
+		// Only take interfaces whose OperStatus is IfOperStatusUp(0x01) into DNS configs.
+		if aa.OperStatus != windows.IfOperStatusUp {
 			continue
 		}
-		if address.IfType == windows.IF_TYPE_TUNNEL {
+
+		// Only take interfaces which have at least one gateway
+		if aa.FirstGatewayAddress == nil {
 			continue
 		}
-		if address.FirstGatewayAddress == nil {
-			continue
-		}
-		for dnsServerAddress := address.FirstDnsServerAddress; dnsServerAddress != nil; dnsServerAddress = dnsServerAddress.Next {
-			rawSockaddr, err := dnsServerAddress.Address.Sockaddr.Sockaddr()
+
+		for dns := aa.FirstDnsServerAddress; dns != nil; dns = dns.Next {
+			sa, err := dns.Address.Sockaddr.Sockaddr()
 			if err != nil {
 				continue
 			}
-			var dnsServerAddr netip.Addr
-			switch sockaddr := rawSockaddr.(type) {
+			var ip netip.Addr
+			switch sa := sa.(type) {
 			case *syscall.SockaddrInet4:
-				dnsServerAddr = netip.AddrFrom4(sockaddr.Addr)
+				ip = netip.AddrFrom4([4]byte{sa.Addr[0], sa.Addr[1], sa.Addr[2], sa.Addr[3]})
 			case *syscall.SockaddrInet6:
-				if sockaddr.Addr[0] == 0xfe && sockaddr.Addr[1] == 0xc0 {
+				var addr16 [16]byte
+				copy(addr16[:], sa.Addr[:])
+				if addr16[0] == 0xfe && addr16[1] == 0xc0 {
 					// fec0/10 IPv6 addresses are site local anycast DNS
 					// addresses Microsoft sets by default if no other
 					// IPv6 DNS address is set. Site local anycast is
@ -62,27 +58,14 @@ func dnsReadConfig(ctx context.Context, _ string) *dnsConfig {
 					// https://datatracker.ietf.org/doc/html/rfc3879
 					continue
 				}
-				dnsServerAddr = netip.AddrFrom16(sockaddr.Addr)
+				ip = netip.AddrFrom16(addr16)
 			default:
 				// Unexpected type.
 				continue
 			}
-			dnsAddresses = append(dnsAddresses, struct {
-				ifName string
-				netip.Addr
-			}{ifName: windows.UTF16PtrToString(address.FriendlyName), Addr: dnsServerAddr})
+			conf.servers = append(conf.servers, net.JoinHostPort(ip.String(), "53"))
 		}
 	}
-	var myInterface string
-	if networkManager := service.FromContext[adapter.NetworkManager](ctx); networkManager != nil {
-		myInterface = networkManager.InterfaceMonitor().MyInterface()
-	}
-	for _, address := range dnsAddresses {
-		if address.ifName == myInterface {
-			continue
-		}
-		conf.servers = append(conf.servers, net.JoinHostPort(address.String(), "53"))
-	}
 	return conf
 }

--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@ -92,9 +92,6 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 443
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
 	return &HTTP3Transport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeHTTP3, tag, options.RemoteDNSServerOptions),
 		logger:           logger,
--- a/dns/transport/quic/quic.go
+++ b/dns/transport/quic/quic.go
@ -16,7 +16,6 @@ import (
 	sQUIC "github.com/sagernet/sing-quic"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@ -59,9 +58,6 @@ func NewQUIC(ctx context.Context, logger log.ContextLogger, tag string, options
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 853
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
 	return &Transport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeQUIC, tag, options.RemoteDNSServerOptions),
 		ctx:              ctx,
--- a/dns/transport/tcp.go
+++ b/dns/transport/tcp.go
@ -13,7 +13,6 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

@ -41,9 +40,6 @@ func NewTCP(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 53
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
 	return &TCPTransport{
 		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTCP, tag, options),
 		dialer:           transportDialer,
--- a/dns/transport/tls.go
+++ b/dns/transport/tls.go
@ -57,20 +57,13 @@ func NewTLS(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 853
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
-	return NewTLSRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions), transportDialer, serverAddr, tlsConfig), nil
-}
-
-func NewTLSRaw(logger logger.ContextLogger, adapter dns.TransportAdapter, dialer N.Dialer, serverAddr M.Socksaddr, tlsConfig tls.Config) *TLSTransport {
 	return &TLSTransport{
-		TransportAdapter: adapter,
+		TransportAdapter: dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeTLS, tag, options.RemoteDNSServerOptions),
 		logger:           logger,
-		dialer:           dialer,
+		dialer:           transportDialer,
 		serverAddr:       serverAddr,
 		tlsConfig:        tlsConfig,
-	}
+	}, nil
 }

 func (t *TLSTransport) Start(stage adapter.StartStage) error {
--- a/dns/transport/udp.go
+++ b/dns/transport/udp.go
@ -13,7 +13,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/buf"
-	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@ -48,9 +47,6 @@ func NewUDP(ctx context.Context, logger log.ContextLogger, tag string, options o
 	if serverAddr.Port == 0 {
 		serverAddr.Port = 53
 	}
-	if !serverAddr.IsValid() {
-		return nil, E.New("invalid server address: ", serverAddr)
-	}
 	return NewUDPRaw(logger, dns.NewTransportAdapterWithRemoteOptions(C.DNSTypeUDP, tag, options), transportDialer, serverAddr), nil
 }

@ -121,7 +117,7 @@ func (t *UDPTransport) exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.M
 	conn.access.Unlock()
 	defer func() {
 		conn.access.Lock()
-		delete(conn.callbacks, exMessage.Id)
+		delete(conn.callbacks, messageId)
 		conn.access.Unlock()
 	}()
 	rawMessage, err := exMessage.PackBuffer(buffer.FreeBytes())
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -2,133 +2,6 @@
 icon: material/alert-decagram
 ---

-#### 1.12.0-beta.22
-
-* Fixes and improvements
-
-#### 1.12.0-beta.21
-
-* Fix missing `home` option for DERP service **1**
-* Fixes and improvements
-
-**1**:
-
-You can now choose what the DERP home page shows, just like with derper's `-home` flag.
-
-See [DERP](/configuration/service/derp/#home).
-
-### 1.11.13
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.17
-
-* Update quic-go to v0.52.0
-* Fixes and improvements
-
-#### 1.12.0-beta.15
-
-* Add DERP service **1**
-* Add Resolved service and DNS server **2**
-* Add SSM API service **3**
-* Fixes and improvements
-
-**1**:
-
-DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
-
-See [DERP Service](/configuration/service/derp/).
-
-**2**:
-
-Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
-(e.g. NetworkManager) and provide DNS resolution.
-
-See [Resolved Service](/configuration/service/resolved/) and [Resolved DNS Server](/configuration/dns/server/resolved/).
-
-**3**:
-
-SSM API service is a RESTful API server for managing Shadowsocks servers.
-
-See [SSM API Service](/configuration/service/ssm-api/).
-
-### 1.11.11
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.13
-
-* Add TLS record fragment route options **1**
-* Add missing `accept_routes` option for Tailscale **2**
-* Fixes and improvements
-
-**1**:
-
-See [Route Action](/configuration/route/rule_action/#tls_record_fragment).
-
-**2**:
-
-See [Tailscale](/configuration/endpoint/tailscale/#accept_routes).
-
-#### 1.12.0-beta.10
-
-* Add control options for listeners **1**
-* Fixes and improvements
-
-**1**:
-
-You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields.
-
-See [Listen Fields](/configuration/shared/listen/).
-
-### 1.11.10
-
-* Undeprecate the `block` outbound **1**
-* Fixes and improvements
-
-**1**:
-
-Since we don’t have a replacement for using the `block` outbound in selectors yet,
-we decided to temporarily undeprecate the `block` outbound until a replacement is available in the future.
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.9
-
-* Update quic-go to v0.51.0
-* Fixes and improvements
-
-### 1.11.9
-
-* Fixes and improvements
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
-#### 1.12.0-beta.5
-
-* Fixes and improvements
-
-### 1.11.8
-
-* Improve `auto_redirect` **1**
-* Fixes and improvements
-
-**1**:
-
-Now `auto_redirect` fixes compatibility issues between TUN and Docker bridge networks,
-see [Tun](/configuration/inbound/tun/#auto_redirect).
-
-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
-
 #### 1.12.0-beta.3

 * Fixes and improvements
@ -137,8 +10,7 @@ violated the rules (TestFlight users are not affected)._

 * Fixes and improvements

-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._

 #### 1.12.0-beta.1

@ -153,8 +25,7 @@ see [Tun](/configuration/inbound/tun/#auto_redirect).

 * Fixes and improvements

-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._

 #### 1.12.0-alpha.19

@ -194,8 +65,7 @@ See [Dial Fields](/configuration/shared/dial/#domain_resolver).

 * Fixes and improvements

-_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
-violated the rules (TestFlight users are not affected)._
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._

 #### 1.12.0-alpha.13

@ -266,8 +136,7 @@ For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and pa

 * Fixes and improvements

-_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration
-process._
+_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration process._

 #### 1.12.0-alpha.5

--- a/docs/clients/privacy.md
+++ b/docs/clients/privacy.md
@ -9,10 +9,6 @@ and the data generated by the software is always on your device.

 ## Android

-The broad package (App) visibility (QUERY_ALL_PACKAGES) permission
-is used to provide per-application proxy features for VPN,
-sing-box will not collect your app list.
-
 If your configuration contains `wifi_ssid` or `wifi_bssid` routing rules,
 sing-box uses the location permission in the background
 to get information about the connected Wi-Fi network to make them work.
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@ -1,11 +1,7 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

-!!! quote "Changes in sing-box 1.12.0"
-
-    :material-decagram: [servers](#servers)
-
 !!! quote "Changes in sing-box 1.11.0"

    :material-plus: [cache_capacity](#cache_capacity)
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@ -1,11 +1,7 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

-!!! quote "sing-box 1.12.0 中的更改"
-
-    :material-decagram: [servers](#servers)
-
 !!! quote "sing-box 1.11.0 中的更改"

    :material-plus: [cache_capacity](#cache_capacity)
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@ -81,7 +81,7 @@ Will overrides `dns.client_subnet`.

 #### method

- `default`: Reply with REFUSED.
+- `default`: Reply with NXDOMAIN.
 - `drop`: Drop the request.

 `default` will be used by default.
--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@ -81,7 +81,7 @@ icon: material/new-box

 #### method

- `default`: 返回 REFUSED。
+- `default`: 返回 NXDOMAIN。
 - `drop`: 丢弃请求。

 默认使用 `defualt`。
--- a/docs/configuration/dns/server/index.md
+++ b/docs/configuration/dns/server/index.md
@ -27,21 +27,19 @@ icon: material/alert-decagram

 The type of the DNS server.

-| Type            | Format                    |
-|-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
-| `local`         | [Local](./local/)         |
-| `hosts`         | [Hosts](./hosts/)         |
-| `tcp`           | [TCP](./tcp/)             |
-| `udp`           | [UDP](./udp/)             |
-| `tls`           | [TLS](./tls/)             |
-| `quic`          | [QUIC](./quic/)           |
-| `https`         | [HTTPS](./https/)         |
-| `h3`            | [HTTP/3](./http3/)        |
-| `dhcp`          | [DHCP](./dhcp/)           |
-| `fakeip`        | [Fake IP](./fakeip/)      |
-| `tailscale`     | [Tailscale](./tailscale/) |
-| `resolved`      | [Resolved](./resolved/)   |
+| Type            | Format                      |
+|-----------------|-----------------------------|
+| empty (default) | [Legacy](./legacy/)         |
+| `tcp`           | [TCP](./tcp/)               |
+| `udp`           | [UDP](./udp/)               |
+| `tls`           | [TLS](./tls/)               |
+| `https`         | [HTTPS](./https/)           |
+| `quic`          | [QUIC](./quic/)             |
+| `h3`            | [HTTP/3](./http3/)          |
+| `predefined`    | [Predefined](./predefined/) |
+| `dhcp`          | [DHCP](./dhcp/)             |
+| `fakeip`        | [Fake IP](./fakeip/)        |
+| `tailscale`     | [Tailscale](./tailscale/)   |

 #### tag

--- a/docs/configuration/dns/server/index.zh.md
+++ b/docs/configuration/dns/server/index.zh.md
@ -27,21 +27,19 @@ icon: material/alert-decagram

 DNS 服务器的类型。

-| 类型              | 格式                        |
-|-----------------|---------------------------|
-| empty (default) | [Legacy](./legacy/)       |
-| `local`         | [Local](./local/)         |
-| `hosts`         | [Hosts](./hosts/)         |
-| `tcp`           | [TCP](./tcp/)             |
-| `udp`           | [UDP](./udp/)             |
-| `tls`           | [TLS](./tls/)             |
-| `quic`          | [QUIC](./quic/)           |
-| `https`         | [HTTPS](./https/)         |
-| `h3`            | [HTTP/3](./http3/)        |
-| `dhcp`          | [DHCP](./dhcp/)           |
-| `fakeip`        | [Fake IP](./fakeip/)      |
-| `tailscale`     | [Tailscale](./tailscale/) |
-| `resolved`      | [Resolved](./resolved/)   |
+| 类型              | 格式                          |
+|-----------------|-----------------------------|
+| empty (default) | [Legacy](./legacy/)         |
+| `tcp`           | [TCP](./tcp/)               |
+| `udp`           | [UDP](./udp/)               |
+| `tls`           | [TLS](./tls/)               |
+| `https`         | [HTTPS](./https/)           |
+| `quic`          | [QUIC](./quic/)             |
+| `h3`            | [HTTP/3](./http3/)          |
+| `predefined`    | [Predefined](./predefined/) |
+| `dhcp`          | [DHCP](./dhcp/)             |
+| `fakeip`        | [Fake IP](./fakeip/)        |
+| `tailscale`     | [Tailscale](./tailscale/)   |

 #### tag

--- a/docs/configuration/dns/server/resolved.md
+++ b/docs/configuration/dns/server/resolved.md
@ -1,84 +0,0 @@
---
-icon: material/new-box
---
-
-!!! question "Since sing-box 1.12.0"
-
-# Resolved
-
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "type": "resolved",
-        "tag": "",
-
-        "service": "resolved",
-        "accept_default_resolvers": false
-      }
-    ]
-  }
-}
-```
-
-
-### Fields
-
-#### service
-
-==Required==
-
-The tag of the [Resolved Service](/configuration/service/resolved).
-
-#### accept_default_resolvers
-
-Indicates whether the default DNS resolvers should be accepted for fallback queries in addition to matching domains.
-
-Specifically, default DNS resolvers are DNS servers that have `SetLinkDefaultRoute` or `SetLinkDomains ~.` set.
-
-If not enabled, `NXDOMAIN` will be returned for requests that do not match search or match domains.
-
-### Examples
-
-=== "Split DNS only"
-
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "type": "local",
-            "tag": "local"
-          },
-          {
-            "type": "resolved",
-            "tag": "resolved",
-            "service": "resolved"
-          }
-        ],
-        "rules": [
-          {
-            "ip_accept_any": true,
-            "server": "resolved"
-          }
-        ]
-      }
-    }
-    ```
-
-=== "Use as global DNS"
-
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "type": "resolved",
-            "service": "resolved",
-            "accept_default_resolvers": true
-          }
-        ]
-      }
-    }
-    ```
--- a/docs/configuration/dns/server/tailscale.md
+++ b/docs/configuration/dns/server/tailscale.md
@ -30,13 +30,13 @@ icon: material/new-box

 ==Required==

-The tag of the [Tailscale Endpoint](/configuration/endpoint/tailscale).
+The tag of the Tailscale endpoint.

 #### accept_default_resolvers

 Indicates whether default DNS resolvers should be accepted for fallback queries in addition to MagicDNS。

-if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
+if not enabled, NXDOMAIN will be returned for non-Tailscale domain queries.

 ### Examples

@ -80,4 +80,4 @@ if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
        ]
      }
    }
-    ```
+    ```
--- a/docs/configuration/endpoint/index.md
+++ b/docs/configuration/endpoint/index.md
@ -6,7 +6,7 @@ icon: material/new-box

 # Endpoint

-An endpoint is a protocol with inbound and outbound behavior.
+Endpoint is protocols that has both inbound and outbound behavior.

 ### Structure

--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@ -15,7 +15,6 @@ icon: material/new-box
  "control_url": "",
  "ephemeral": false,
  "hostname": "",
-  "accept_routes": false,
  "exit_node": "",
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
@ -63,10 +62,6 @@ System hostname is used by default.

 Example: `localhost`

-#### accept_routes
-
-Indicates whether the node should accept routes advertised by other nodes.
-
 #### exit_node

 The exit node name or IP address to use.
--- a/docs/configuration/inbound/anytls.md
+++ b/docs/configuration/inbound/anytls.md
@ -42,18 +42,16 @@ AnyTLS padding scheme line array.

 Default padding scheme:

-```json
-[
-  "stop=8",
-  "0=30-30",
-  "1=100-400",
-  "2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
-  "3=9-9,500-1000",
-  "4=500-1000",
-  "5=500-1000",
-  "6=500-1000",
-  "7=500-1000"
-]
+```
+stop=8
+0=30-30
+1=100-400
+2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000
+3=9-9,500-1000
+4=500-1000
+5=500-1000
+6=500-1000
+7=500-1000
 ```

 #### tls
--- a/docs/configuration/inbound/anytls.zh.md
+++ b/docs/configuration/inbound/anytls.zh.md
@ -42,18 +42,16 @@ AnyTLS 填充方案行数组。

 默认填充方案:

-```json
-[
-  "stop=8",
-  "0=30-30",
-  "1=100-400",
-  "2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
-  "3=9-9,500-1000",
-  "4=500-1000",
-  "5=500-1000",
-  "6=500-1000",
-  "7=500-1000"
-]
+```
+stop=8
+0=30-30
+1=100-400
+2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000
+3=9-9,500-1000
+4=500-1000
+5=500-1000
+6=500-1000
+7=500-1000
 ```

 #### tls
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -213,7 +213,7 @@ Set the default route to the Tun.

 !!! note "Also enable `auto_redirect`"

-    `auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts between TUN and Docker bridge networks.
+    `auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts with Docker bridge networks.

 #### iproute2_table_index

@ -239,21 +239,20 @@ Linux iproute2 rule start index generated by `auto_route`.

    Only supported on Linux with `auto_route` enabled.

-Improve TUN routing and performance using nftables.
+Automatically configure iptables/nftables to redirect connections.

-`auto_redirect` is always recommended on Linux, it provides better routing,
+Auto redirect is always recommended on Linux, it provides better routing,
 higher performance (better than tproxy),
-and avoids conflicts between TUN and Docker bridge networks.
+and avoids conflicts with Docker bridge networks.

-Note that `auto_redirect` also works on Android, 
-but due to the lack of `nftables` and `ip6tables`,
-only simple IPv4 TCP forwarding is performed.
-To share your VPN connection over hotspot or repeater on Android,
+*In Android*：
+
+Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater,
 use [VPNHotspot](https://github.com/Mygod/VPNHotspot).

-`auto_redirect` also automatically inserts compatibility rules
-into the OpenWrt fw4 table, i.e. 
-it will work on routers without any extra configuration.
+*In Linux*:
+
+`auto_route` with `auto_redirect` works as expected on routers **without intervention**.

 Conflict with `route.default_mark` and `[dialOptions].routing_mark`.

@ -280,15 +279,17 @@ Enforce strict routing rules when `auto_route` is enabled:
 *In Linux*:

 * Let unsupported network unreachable
-* For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
+* Make ICMP traffic route to tun instead of upstream interfaces
+* Route all connections to tun
+
+It prevents IP address leaks and makes DNS hijacking work on Android.

 *In Windows*:

-* Let unsupported network unreachable
-* prevent DNS leak caused by
+* Add firewall rules to prevent DNS leak caused by
  Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)

-It may prevent some Windows applications (such as VirtualBox) from working properly in certain situations.
+It may prevent some applications (such as VirtualBox) from working properly in certain situations.

 #### route_address

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -217,7 +217,7 @@ tun 接口的 IPv6 前缀。

 !!! note "也启用 `auto_redirect`"

-  在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免 TUN 与 Docker 桥接网络冲突。
+  在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免与 Docker 桥接网络冲突。

 #### iproute2_table_index

@ -241,16 +241,19 @@ tun 接口的 IPv6 前缀。

 !!! quote ""

-    仅支持 Linux，且需要 `auto_route` 已启用。
+    仅支持 Linux，且需要 `auto_route` 已启用。 

-通过使用 nftables 改善 TUN 路由和性能。
+自动配置 iptables/nftables 以重定向连接。

-在 Linux 上始终推荐使用 `auto_redirect`，它提供更好的路由、更高的性能（优于 tproxy），并避免了 TUN 和 Docker 桥接网络之间的冲突。
+在 Linux 上始终推荐使用 auto redirect，它提供更好的路由， 更高的性能（优于 tproxy）， 并避免与 Docker 桥接网络冲突。

-请注意，`auto_redirect` 也适用于 Android，但由于缺少 `nftables` 和 `ip6tables`，仅执行简单的 IPv4 TCP 转发。  
-若要在 Android 上通过热点或中继器共享 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
+*在 Android 中*：

-`auto_redirect` 还会自动将兼容性规则插入 OpenWrt 的 fw4 表中，即无需额外配置即可在路由器上工作。
+仅转发本地 IPv4 连接。 要通过热点或中继共享您的 VPN 连接，请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
+
+*在 Linux 中*:
+
+带有 `auto_redirect` 的 `auto_route` 在路由器上**无需干预**即可按预期工作。

 与 `route.default_mark` 和 `[dialOptions].routing_mark` 冲突。

@ -258,7 +261,7 @@ tun 接口的 IPv6 前缀。

 !!! question "自 sing-box 1.10.0 起"

-`auto_redirect` 使用的连接输入标记。
+`auto_redriect` 使用的连接输入标记。

 默认使用 `0x2023`。

@ -266,25 +269,29 @@ tun 接口的 IPv6 前缀。

 !!! question "自 sing-box 1.10.0 起"

-`auto_redirect` 使用的连接输出标记。
+`auto_redriect` 使用的连接输出标记。

 默认使用 `0x2024`。

 #### strict_route

-当启用 `auto_route` 时，强制执行严格的路由规则：
+启用 `auto_route` 时执行严格的路由规则。

-*在 Linux 中*：
+*在 Linux 中*:

-* 使不支持的网络不可达。
-* 出于历史遗留原因，当未启用 `strict_route` 或 `auto_redirect` 时，所有 ICMP 流量将不会通过 TUN。
+* 让不支持的网络无法到达
+* 使 ICMP 流量路由到 tun 而不是上游接口
+* 将所有连接路由到 tun

-*在 Windows 中*：
+它可以防止 IP 地址泄漏，并使 DNS 劫持在 Android 上工作。

-* 使不支持的网络不可达。
-* 阻止 Windows 的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) 造成的 DNS 泄露
+*在 Windows 中*:

-它可能会使某些 Windows 应用程序（如 VirtualBox）在某些情况下无法正常工作。
+* 添加防火墙规则以阻止 Windows
+  的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+  造成的 DNS 泄露
+
+它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。

 #### route_address

@ -398,11 +405,11 @@ UDP NAT 过期时间。

 TCP/IP 栈。

-| 栈       | 描述                                                                                                  | 
-|----------|-------------------------------------------------------------------------------------------------------|
-| `system` | 基于系统网络栈执行 L3 到 L4 转换                                                                        |
-| `gvisor` | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换                            |
-| `mixed`  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                                                 |
+| 栈      | 描述                                                               |
+|--------|------------------------------------------------------------------|
+| system | 基于系统网络栈执行 L3 到 L4 转换                                             |
+| gVisor | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换 |
+| mixed  | 混合 `system` TCP 栈与 `gvisor` UDP 栈                                |

 默认使用 `mixed` 栈如果 gVisor 构建标记已启用，否则默认使用 `system` 栈。

--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@ -14,7 +14,6 @@ sing-box uses JSON for configuration files.
  "inbounds": [],
  "outbounds": [],
  "route": {},
-  "services": [],
  "experimental": {}
 }
 ```
@ -31,7 +30,6 @@ sing-box uses JSON for configuration files.
 | `inbounds`     | [Inbound](./inbound/)           |
 | `outbounds`    | [Outbound](./outbound/)         |
 | `route`        | [Route](./route/)               |
-| `services`     | [Service](./service/)           |
 | `experimental` | [Experimental](./experimental/) |

 ### Check
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@ -14,7 +14,6 @@ sing-box 使用 JSON 作为配置文件格式。
  "inbounds": [],
  "outbounds": [],
  "route": {},
-  "services": [],
  "experimental": {}
 }
 ```
@ -31,7 +30,6 @@ sing-box 使用 JSON 作为配置文件格式。
 | `inbounds`     | [入站](./inbound/)       |
 | `outbounds`    | [出站](./outbound/)      |
 | `route`        | [路由](./route/)         |
-| `services`     | [服务](./service/)       |
 | `experimental` | [实验性](./experimental/) |

 ### 检查
--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@ -2,6 +2,10 @@
 icon: material/delete-clock
 ---

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 ### Structure

 ```json
--- a/docs/configuration/outbound/block.zh.md
+++ b/docs/configuration/outbound/block.zh.md
@ -2,6 +2,10 @@
 icon: material/delete-clock
 ---

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `block` 出站关闭所有传入请求。

 ### 结构
--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@ -6,7 +6,6 @@ icon: material/new-box

    :material-plus: [tls_fragment](#tls_fragment)  
    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
    :material-plus: [resolve.disable_cache](#disable_cache)  
    :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
    :material-plus: [resolve.client_subnet](#client_subnet)
@ -92,8 +91,7 @@ Not available when `method` is set to drop.
  "udp_connect": false,
  "udp_timeout": "",
  "tls_fragment": false,
-  "tls_fragment_fallback_delay": "",
-  "tls_record_fragment": ""
+  "tls_fragment_fallback_delay": ""
 }
 ```

@ -166,19 +164,13 @@ If no protocol is sniffed, the following ports will be recognized as protocols b

 Fragment TLS handshakes to bypass firewalls.

-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used to circumvent real censorship.

-Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.

-On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected, otherwise it will fall back to
-waiting for a fixed time specified by `tls_fragment_fallback_delay`.
+On Linux, Apple platforms, (administrator privileges required) Windows, the wait time can be automatically detected, otherwise it will fall back to waiting for a fixed time specified by `tls_fragment_fallback_delay`.

-In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
-because the target is considered to be local or behind a transparent proxy.
-
-Conflict with `tls_record_fragment`.
+In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time, because the target is considered to be local or behind a transparent proxy.

 #### tls_fragment_fallback_delay

@ -188,17 +180,6 @@ The fallback value used when TLS segmentation cannot automatically determine the

 `500ms` is used by default.

-#### tls_record_fragment
-
-!!! question "Since sing-box 1.12.0"
-
-Fragment TLS handshake into multiple TLS records to bypass firewalls.
-
-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
-
-Conflict with `tls_fragment`.
-
 ### sniff

 ```json
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@ -5,11 +5,7 @@ icon: material/new-box
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [tls_fragment](#tls_fragment)  
-    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
-    :material-plus: [resolve.disable_cache](#disable_cache)  
-    :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
-    :material-plus: [resolve.client_subnet](#client_subnet)
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)

 ## 最终动作

@ -163,15 +159,12 @@ UDP 连接超时时间。

 此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。

-由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
+由于它不是为性能设计的，不应被应用于所有连接，而仅应用于已知被阻止的服务器名称。

-在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
-若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
+在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。

 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。

-与 `tls_record_fragment` 冲突。
-
 #### tls_fragment_fallback_delay

 !!! question "自 sing-box 1.12.0 起"
@ -180,16 +173,6 @@ UDP 连接超时时间。

 默认使用 `500ms`。

-#### tls_record_fragment
-
-!!! question "自 sing-box 1.12.0 起"
-
-通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
-
-此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
-
-与 `tls_fragment` 冲突。
-
 ### sniff

 ```json
--- a/docs/configuration/route/sniff.zh.md
+++ b/docs/configuration/route/sniff.zh.md
@ -26,7 +26,7 @@

 |         QUIC 客户端         |     类型     |
 |:------------------------:|:----------:|
-|     Chromium/Cronet      | `chromium` |
+|     Chromium/Cronet      | `chrimium` |
 | Safari/Apple Network API |  `safari`  |
 | Firefox / uquic firefox  | `firefox`  |
-|  quic-go / uquic chrome  | `quic-go`  |
+|  quic-go / uquic chrome  | `quic-go`  |
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	bc01878605	documentation: Bump version	2025-04-09 11:37:57 +08:00
anytls	7489d3fff7	Update anytls Co-authored-by: anytls <anytls>	2025-04-09 11:37:57 +08:00
世界	794c5f81d1	Fix DNS dialer	2025-04-09 11:28:44 +08:00
世界	26bf8e3a0e	release: Skip override version for iOS	2025-04-09 11:28:43 +08:00
iikira	dcb7fb9880	Fix UDP DNS server crash Signed-off-by: iikira <i2@mail.iikira.com>	2025-04-09 11:28:43 +08:00
ReleTor	3e991b8068	Fix fetch ECH configs	2025-04-09 11:28:43 +08:00
世界	943d977bbb	release: Update Go to 1.24.2	2025-04-09 11:28:43 +08:00
世界	af9ac17d0d	Allow direct outbounds without `domain_resolver`	2025-04-09 11:28:43 +08:00
世界	4760fd80ef	Fix Tailscale dialer	2025-04-09 11:28:42 +08:00
dyhkwong	873b6194b7	Fix DNS over QUIC stream close	2025-04-09 11:28:42 +08:00
anytls	b801eb5eed	Update anytls Co-authored-by: anytls <anytls>	2025-04-09 11:28:42 +08:00
Rambling2076	0044fca876	Fix missing `with_tailscale` in Dockerfile Signed-off-by: Rambling2076 <Rambling2076@proton.me>	2025-04-09 11:28:42 +08:00
世界	40a8bf2a35	Fail when default DNS server not found	2025-04-09 11:28:41 +08:00
世界	fd460fbf52	Update gVisor to 20250319.0	2025-04-09 11:28:41 +08:00
世界	a69fd02e6a	release: Do not build tailscale on iOS and tvOS	2025-04-09 11:28:40 +08:00
世界	ed57655e7e	Explicitly reject detour to empty direct outbounds	2025-04-09 11:28:40 +08:00
世界	e49704c819	Add netns support	2025-04-09 11:28:40 +08:00
世界	fc2724bac2	Add wildcard name support for predefined records	2025-04-09 11:28:40 +08:00
世界	9536f9f8b3	Remove map usage in options	2025-04-09 11:28:40 +08:00
世界	cb7894b509	Fix unhandled DNS loop	2025-04-09 11:28:39 +08:00
世界	0762a81cb3	Add wildcard-sni support for shadow-tls inbound	2025-04-09 11:28:39 +08:00
世界	ab0c4f5c82	Fix Tailscale DNS	2025-04-09 11:28:39 +08:00
k9982874	b998ce8142	Add ntp protocol sniffing	2025-04-09 11:28:38 +08:00
世界	855efbc0f6	option: Fix marshal legacy DNS options	2025-04-09 11:28:38 +08:00
世界	5a2a876c1b	Make `domain_resolver` optional when only one DNS server is configured	2025-04-09 11:28:38 +08:00
世界	9ec8100a91	Fix DNS lookup context pollution	2025-04-09 11:28:38 +08:00
世界	3f1b7919a9	Fix http3 DNS server connecting to wrong address	2025-04-09 11:28:37 +08:00
Restia-Ashbell	1ad4335d53	documentation: Fix typo	2025-04-09 11:28:37 +08:00
anytls	f1023e4ea9	Update sing-anytls Co-authored-by: anytls <anytls>	2025-04-09 11:28:37 +08:00
k9982874	989a0406d7	Fix hosts DNS server	2025-04-09 11:28:37 +08:00
世界	ee6feb1d19	Fix UDP DNS server crash	2025-04-09 11:28:36 +08:00
世界	1a5b1cd84c	documentation: Fix missing `ip_accept_any` DNS rule option	2025-04-09 11:28:36 +08:00
世界	ff6a00351f	Fix anytls dialer usage	2025-04-09 11:28:35 +08:00
世界	4222b5d5f2	Move predefined DNS server to rule action	2025-04-09 11:28:35 +08:00
世界	f58172700a	Fix domain resolver on direct outbound	2025-04-09 11:28:34 +08:00
Zephyruso	91e3abceda	Fix missing AnyTLS display name	2025-04-09 11:28:34 +08:00
anytls	8c3eeb7208	Update sing-anytls Co-authored-by: anytls <anytls>	2025-04-09 11:28:34 +08:00
Estel	8df21000f8	documentation: Fix typo Signed-off-by: Estel <callmebedrockdigger@gmail.com>	2025-04-09 11:28:34 +08:00
TargetLocked	f3759a6065	Fix parsing legacy DNS options	2025-04-09 11:28:33 +08:00
世界	a5b95befb9	Fix DNS fallback	2025-04-09 11:28:33 +08:00
世界	90d5e7012a	documentation: Fix missing hosts DNS server	2025-04-09 11:28:32 +08:00
anytls	a32065ee4f	Add MinIdleSession option to AnyTLS outbound Co-authored-by: anytls <anytls>	2025-04-09 11:28:32 +08:00
ReleTor	7192e4b095	documentation: Minor fixes	2025-04-09 11:28:32 +08:00
libtry486	69fbe7fa5d	documentation: Fix typo fix typo Signed-off-by: libtry486 <89328481+libtry486@users.noreply.github.com>	2025-04-09 11:28:31 +08:00
Alireza Ahmadi	d0e592a438	Fix Outbound deadlock	2025-04-09 11:28:31 +08:00
世界	2f315e233a	documentation: Fix AnyTLS doc	2025-04-09 11:28:31 +08:00
anytls	6de2817f54	Add AnyTLS protocol	2025-04-09 11:28:30 +08:00
世界	19dc4b8c54	Migrate to stdlib ECH support	2025-04-09 11:28:29 +08:00
世界	abf15ce617	Add fallback local DNS server for iOS	2025-04-09 11:28:29 +08:00
世界	c77a1c4378	Get darwin local DNS server from libresolv	2025-04-09 11:28:29 +08:00
世界	011570491e	Improve resolve action	2025-04-09 11:28:28 +08:00
世界	a8e3f53846	Fix toolchain version	2025-04-09 11:28:28 +08:00
世界	17d7b212d4	Add back port hopping to hysteria 1	2025-04-09 11:28:28 +08:00
世界	49c2b013d9	Update dependencies	2025-04-09 11:28:28 +08:00
xchacha20-poly1305	d118cd28d2	Remove single quotes of raw Moziila certs	2025-04-09 11:28:27 +08:00
世界	9b1a56f1f9	Add Tailscale endpoint	2025-04-09 11:28:27 +08:00
世界	11564386ef	Build legacy binaries with latest Go	2025-04-09 11:28:26 +08:00
世界	9718996b62	documentation: Remove outdated icons	2025-04-09 11:28:26 +08:00
世界	11ca25db71	documentation: Certificate store	2025-04-09 11:28:25 +08:00
世界	1e2293decf	documentation: TLS fragment	2025-04-09 11:28:25 +08:00
世界	bf16a98aab	documentation: Outbound domain resolver	2025-04-09 11:28:25 +08:00
世界	882ccecae8	documentation: Refactor DNS	2025-04-09 11:28:25 +08:00
世界	c2cb4f4acd	Add certificate store	2025-04-09 11:28:25 +08:00
世界	d08375b1e3	Add TLS fragment support	2025-04-09 11:28:14 +08:00
世界	5a40ca4a8e	refactor: Outbound domain resolver	2025-04-09 11:27:56 +08:00
世界	6ed29d81c1	refactor: DNS	2025-04-09 11:27:34 +08:00
世界	44329157c1	Fix NTP service	2025-04-09 11:25:52 +08:00
世界	5c495b3779	Improve auto redirect	2025-04-09 11:04:57 +08:00