fix relative path

update comments
move package.sh to contrib
2026-03-31 09:45:38 +00:00 · 2019-03-26 15:57:01 +08:00 · 2019-03-26 15:46:57 +08:00 · 2019-03-26 12:30:57 +08:00 · 2019-03-26 12:28:14 +08:00 · 2019-03-26 12:16:07 +08:00
48 changed files with 595 additions and 2032 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,36 +0,0 @@
 name: "Docker"
 on:
  push:
    branches:
      - 'master'
 jobs:
  docker:
    runs-on: ubuntu-latest
    environment: "Docker Hub"
    strategy:
      matrix:
        variant: ["client", "server"]
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      -
        name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          logout: true
      - # TODO: port https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
        name: Build and push
        uses: docker/build-push-action@v4
        with:
          file: ./Dockerfile.${{ matrix.variant }}
          tags: m13253/dns-over-https-${{ matrix.variant }}:latest
          push: true
          platforms: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8"
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,37 +0,0 @@
 name: Go build for Linux
 on: [push, pull_request]
 jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
    - name: Set up Go
      uses: actions/setup-go@v2
      with:
        go-version: 1.25.6
      id: go
    - name: Check out repository
      uses: actions/checkout@v4
    - name: Linux build
      run: |
        make
    - name: Upload Linux build
      uses: actions/upload-artifact@v4
      with:
        name: linux-amd64
        path: |
          doh-client/doh-client
          doh-server/doh-server
    - name: Cache
      uses: actions/cache@v4
      with:
        # A directory to store and save the cache
        path: ~/go/pkg/mod
        # An explicit key for restoring and saving the cache
        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
--- a/.gitignore
+++ b/.gitignore
@@ -3,9 +3,7 @@
 *.dll
 *.so
 *.dylib
-darwin-wrapper/doh-logger
+build/
 doh-client/doh-client
 doh-server/doh-server
 # Test binary, build with `go test -c`
 *.test
@@ -17,4 +15,3 @@ doh-server/doh-server
 .glide/
 .idea/
 vendor/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,36 +0,0 @@
 ---
 issues:
  fix: true
 linters:
  enable-all: true
  disable:
    - importas
    - depguard
    - lll
    - exhaustruct
    - perfsprint
    - gochecknoinits
    - wsl
    - exportloopref
 linters-settings:
  revive:
    enable-all-rules: true
    rules:
      - name: line-length-limit
        disabled: true
  gocritic:
    enabled-tags:
      - diagnostic
      - style
      - performance
      - experimental
      - opinionated
  govet:
    enable-all: true
  gci:
    sections:
      - standard
      - default
      - prefix(github.com/m13253/dns-over-https/v2)
  gofumpt:
    extra-rules: true
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,86 +4,6 @@ This Changelog records major changes between versions.
 Not all changes are recorded. Please check git log for details.
 ## Version 2.3.3
 - systemd: Use DynamicUser=yes instead of User=nobody (Fixed #139)
 - Migrate deprecated Go packages `ioutil` to `io` and `os`
 - Fix a bug that truncates the response improperly, causing malformed DNS responsed (Fixed #144)
 ## Version 2.3.2
 - Documentation updates, including deploying recommenation alongside DoT, thanks @gdm85
 - Add unit tests for CIDR subnets parsing, thanks @gdm85
 - Removing Firefox 61-62 patch
 Since this version, @gdm85, @GreyXor, @Jamesits will be able to maintain this repository alongside @m13253. Anyone who contributed to this project can also apply to be a maintainer.
 This is because changes in life have delayed the development of this project. By constructing a community hopefully can we restore the pace of development.
 ## Version 2.3.1
 - No new features in this release
 - Bumped versions of Go toolchain and third-party dependencies, requested by #128
 ## Version 2.3.0
 - The repository now conforms to the Go semvar standard (Fixed #115, thanks to @leiless)
 ## Version 2.2.5
 - Add client certificate authentication
 - Fixing documentation related to Docker
 ## Version 2.2.4
 - Add options to configure ECS netmask length
 - Add an option to disable TLS verification (Note: dangerous)
 ## Version 2.2.3
 - Use the library ipTree to determine whether an IP is global routable, improving the performance
 - Google's 8.8.8.8 resolver is now marked as "Good ECS" in the example configuration file
 ## Version 2.2.2
 - Allow client to opt-out EDNS0 Client Support
 - [JSON-DoH] Honor DNSSEC OK flag for incoming DNS requests
 - [JSON-DoH] Add support for non-standard response formats
 - `X-Real-IP` is now used in logging if set by frontend load balancer
 - Fix documentation
 ## Version 2.2.1
 - Fix messy log
 ## Version 2.2.0
 - Breaking change: The configuration format of doh-server is changed
 - Add support for type prefix for upstream addresses of doh-server
 - Add support for DNS-over-TLS upstream addresses of doh-server
 - Remove `tcp_only` configuration option in doh-server
 - Add `no_user_agent` configuration option in doh-server
 - Add an RPM package script with SELinux policy
 - Fix Opcode never assigned in `jsonDNS.PrepareReply`
 - Improve error logging / checking
 - Updated Readme
 ## Version 2.1.2
 - Update address for google's resolver
 - Fix a typo
 ## Version 2.1.1
 - Add a set of Dockerfile contributed by the community
 - Include DNS.SB's resolver in example configuration
 ## Version 2.1.0
 - Add `local_addr` configuration for doh-server (#39)
 - Fix a problem when compiling on macOS 10.14.4 or newer
 - Add Quad9 DoH server to the example `doh-client.conf`
 - Use TCP when appropriate for the given query type/response (AXFR/IXFR)
 ## Version 2.0.1
 - Fix a crash with the random load balancing algorithm.
--- a/Dockerfile.client
+++ b/Dockerfile.client
@@ -1,23 +0,0 @@
 FROM golang:alpine AS build-env
 RUN apk add --no-cache git make
 WORKDIR /src
 ADD . /src
 RUN make doh-client/doh-client
 FROM alpine:latest
 COPY --from=build-env /src/doh-client/doh-client /doh-client
 ADD doh-client/doh-client.conf /doh-client.conf
 RUN sed -i '$!N;s/"127.0.0.1:53",.*"127.0.0.1:5380",/":53",/;P;D' /doh-client.conf
 RUN sed -i '$!N;s/"\[::1\]:53",.*"\[::1\]:5380",/":5380",/;P;D' /doh-client.conf
 EXPOSE 53/udp
 EXPOSE 53/tcp
 EXPOSE 5380
 ENTRYPOINT ["/doh-client"]
 CMD ["-conf", "/doh-client.conf"]
--- a/Dockerfile.server
+++ b/Dockerfile.server
@@ -1,20 +0,0 @@
 FROM golang:alpine AS build-env
 RUN apk add --no-cache git make
 WORKDIR /src
 ADD . /src
 RUN make doh-server/doh-server
 FROM alpine:latest
 COPY --from=build-env /src/doh-server/doh-server /doh-server
 ADD doh-server/doh-server.conf /doh-server.conf
 RUN sed -i '$!N;s/"127.0.0.1:8053",\s*"\[::1\]:8053",/":8053",/;P;D' /doh-server.conf
 EXPOSE 8053
 ENTRYPOINT ["/doh-server"]
 CMD ["-conf", "/doh-server.conf"]
--- a/19
+++ b/19
@@ -1,11 +1,15 @@
-.PHONY: all clean install uninstall
+.PHONY: all clean install uninstall deps
 PREFIX = /usr/local
 ifeq ($(GOROOT),)
-GOBUILD = go build -ldflags "-s -w"
+GOBUILD = go build
 GOGET = go get -d -v
 GOGET_UPDATE = go get -d -u -v
 else
-GOBUILD = $(GOROOT)/bin/go build -ldflags "-s -w"
+GOBUILD = $(GOROOT)/bin/go build
 GOGET = $(GOROOT)/bin/go get -d -v
 GOGET_UPDATE = $(GOROOT)/bin/go get -d -u -v
 endif
 ifeq ($(shell uname),Darwin)
@@ -53,8 +57,13 @@ uninstall:
 		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
 	fi
-doh-client/doh-client: doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+deps:
 	@# I am not sure if it is the correct way to keep the common library updated
 	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
 	$(GOGET) ./doh-client ./doh-server
 doh-client/doh-client: deps doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-client && $(GOBUILD)
-doh-server/doh-server: doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-server && $(GOBUILD)
--- a/Readme.md
+++ b/Readme.md
@@ -4,78 +4,57 @@ DNS-over-HTTPS
 Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
 and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
-## Guides
+## Guide
- [Tutorial: Setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
+[Tutorial to setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
 - [Tutorial: Setup your own Docker based DNS-over-HTTPS (DoH) server](https://github.com/satishweb/docker-doh/blob/master/README.md). (Thanks to Satish Gaikwad)
 ## Installing
 ### From Source
 - Install [Go](https://golang.org), at least version 1.20. The newer, the better.
 > Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.
- First create an empty directory, used for `$GOPATH`:
+Install [Go](https://golang.org), at least version 1.10.
-```bash
+
-mkdir ~/gopath
+(Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
-export GOPATH=~/gopath
+
-```
+First create an empty directory, used for `$GOPATH`:
- To build the program, type:
+
-```bash
+    mkdir ~/gopath
-make
+    export GOPATH=~/gopath
-```
+
- To install DNS-over-HTTPS as Systemd services, type:
+To build the program, type:
-```bash
+
-sudo make install
+    make
-```
+
- By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
+To install DNS-over-HTTPS as Systemd services, type:
    sudo make install
 By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
 work for most users (except for People's Republic of China). If you need to
 modify the default settings, type:
 ```bash
 sudoedit /etc/dns-over-https/doh-client.conf
 ```
 - To automatically start DNS-over-HTTPS client as a system service, type:
 ```bash
 sudo systemctl start doh-client.service
 sudo systemctl enable doh-client.service
 ```
 - Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
- To test your configuration, type:
+    sudoedit /etc/dns-over-https/doh-client.conf
 ```bash
 dig www.google.com
 Output:
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ```
 #### Uninstall
- To uninstall, type:
+To automatically start DNS-over-HTTPS client as a system service, type:
 ```bash
 sudo make uninstall
 ```
 > Note: The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
-### Using docker image
+    sudo systemctl start doh-client.service
-```bash
+    sudo systemctl enable doh-client.service
 docker run -d --name doh-server \
  -p 8053:8053 \
  -e UPSTREAM_DNS_SERVER="udp:208.67.222.222:53,udp:208.67.220.220:53" \
  -e DOH_HTTP_PREFIX="/dns-query" \
  -e DOH_SERVER_LISTEN=":8053" \
  -e DOH_SERVER_TIMEOUT="10" \
  -e DOH_SERVER_TRIES="3" \
  -e DOH_SERVER_VERBOSE="false" \
  satishweb/doh-server
 ```
 Note: Multiple Upstream DNS server support was added in the container image on 2024-12-19.
-Feeling adventurous? Try the latest build:
+Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
- `m13253/dns-over-https-server:latest`
+To test your configuration, type:
 - `m13253/dns-over-https-client:latest`
-## Logging
+    dig www.google.com
-All log lines (by either doh-client or doh-server) are written into `stderr`; you can view them using your OS tool of choice (`journalctl` when using systemd).
+If it is OK, you will wee:
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ### Uninstalling
 To uninstall, type:
    sudo make uninstall
 The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
 ## Server Configuration
@@ -94,215 +73,18 @@ The following is a typical DNS-over-HTTPS architecture:
    |  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
    +--------------+  +--------------------------+  +------------------------+
-Although DNS-over-HTTPS can work alone, an HTTP service muxer would be useful as
+Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.
 HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
 otherwise DNS recursion may happen.
 ### Configuration file
 The main configuration file is `doh-client.conf`.
 **Server selectors.** If several upstream servers are set, one is selected according to `upstream_selector` for each request. With `upstream_selector = "random"`, a random upstream server will be chosen for each request.
 ```toml
 # available selector: random (default) or weighted_round_robin or lvs_weighted_round_robin
 upstream_selector = "random"
 ```
 ### Example configuration: Apache
 ```bash
 SSLProtocol TLSv1.2
 SSLHonorCipherOrder On
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
 SSLUseStapling on
 SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)
 <VirtualHost *:443>
    ServerName MY_SERVER_NAME
    Protocols h2 http/1.1
    ProxyPass /dns-query http://[::1]:8053/dns-query
    ProxyPassReverse /dns-query http://[::1]:8053/dns-query
 </VirtualHost>
 ```
 (Credit: [Joan Moreau](https://github.com/m13253/dns-over-https/issues/51#issuecomment-526820884))
 ### Example configuration: Nginx
 ```bash
 server {
  listen       443 ssl http2 default_server;
  listen       [::]:443 ssl http2 default_server;
  server_name  MY_SERVER_NAME;
  server_tokens off;
  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.20.0
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;                # Requires nginx >= 1.5.9
  ssl_stapling on;                        # Requires nginx >= 1.3.7
  ssl_stapling_verify on;                 # Requires nginx => 1.3.7
  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
  resolver_timeout 5s;
  # HTTP Security Headers
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=63072000";
  ssl_certificate /path/to/your/server/certificates/fullchain.pem;
  ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
  location /dns-query {
    proxy_pass       http://localhost:8053/dns-query;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
 }
 ```
 (Credit: [Cipherli.st](https://cipherli.st/))
 ### Example configuration: Caddy (v2)
 ```bash
 my.server.name {
        reverse_proxy * localhost:8053
        tls your@email.address
        try_files {path} {path}/index.php /index.php?{query}
 }
 ```
 ### Example configuration: Docker Compose + Traefik + Unbound (Raspberry Pi/Linux/Mac) [linux/amd64,linux/arm64,linux/arm/v7]
 ```yaml
 version: '2.2'
 networks:
  default:
 services:
  proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    hostname: proxy
    networks:
      - default
    environment:
      TRAEFIK_ACCESSLOG: "true"
      TRAEFIK_API: "true"
      TRAEFIK_PROVIDERS_DOCKER: "true"
      TRAEFIK_API_INSECURE: "true"
      TRAEFIK_PROVIDERS_DOCKER_NETWORK: "${STACK}_default"
      # DNS provider specific environment variables for DNS Challenge using route53 (AWS)
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      AWS_REGION: ${AWS_REGION}
      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    command:
      #- "--log.level=DEBUG"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      # Providers list:
      #  https://docs.traefik.io/https/acme/#providers
      #  https://go-acme.github.io/lego/dns/
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53"
      # Enable below line to use staging letsencrypt server.
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/proxy/certs:/certs
  doh-server:
    image: satishweb/doh-server:latest
    hostname: doh-server
    networks:
      - default
    environment:
      # Enable below line to see more logs
      # DEBUG: "1"
      UPSTREAM_DNS_SERVER: "udp:unbound:53"
      DOH_HTTP_PREFIX: "${DOH_HTTP_PREFIX}"
      DOH_SERVER_LISTEN: ":${DOH_SERVER_LISTEN}"
      DOH_SERVER_TIMEOUT: "10"
      DOH_SERVER_TRIES: "3"
      DOH_SERVER_VERBOSE: "false"
    #volumes:
      # - ./doh-server.conf:/server/doh-server.conf
      # - ./app-config:/app-config
    depends_on:
      - unbound
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.doh-server.rule=Host(`${SUBDOMAIN}.${DOMAIN}`) && Path(`${DOH_HTTP_PREFIX}`)"
      - "traefik.http.services.doh-server.loadbalancer.server.port=${DOH_SERVER_LISTEN}"
      - "traefik.http.middlewares.mw-doh-compression.compress=true"
      - "traefik.http.routers.doh-server.tls=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslredirect=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslforcehost=true"
      - "traefik.http.routers.doh-server.tls.certresolver=letsencrypt"
      - "traefik.http.routers.doh-server.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.doh-server.tls.domains[0].sans=${SUBDOMAIN}.${DOMAIN}"
      # Protection from requests flood
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.burst=50"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.period=10s"
  unbound:
    image: satishweb/unbound:latest
    hostname: unbound
    networks:
      - default
    ports:
      # Disable these ports if DOH server is the only client
      - 53:53/tcp
      - 53:53/udp
    volumes:
      - ./unbound.sample.conf:/templates/unbound.sample.conf
      - ./data/unbound/custom:/etc/unbound/custom
      # Keep your custom.hosts file inside custom folder
    #environment:
    #  DEBUG: "1"
 ````
 > Complete Guide available at: https://github.com/satishweb/docker-doh
 > IPV6 Support for Docker Compose based configuration TBA
 ### Example configuration: DNS-over-TLS
 There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support, but you can easily add it via nginx:
 ```
 stream {
    server {
        listen                  *:853 ssl;
        proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
    }
    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem;
 }
 ```
 The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
 this approach does not need a stand-alone daemon to provide the DoT service.
 ## DNSSEC
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
-default. However, signature validation is not built-in. It is highly recommended
+default. However signature validation is not built-in. It is highly recommended
 that you install `unbound` or `bind` and pass results for them to validate DNS
-records. An instance of [Pi Hole](https://pi-hole.net) could also be used to validate DNS signatures as well as provide other capabilities.
+records.
 ## EDNS0-Client-Subnet (GeoDNS)
@@ -343,10 +125,6 @@ Currently supported features are:
 - [X] EDNS0 large UDP packet (4 KiB by default)
 - [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
 ## Known issues
 * it does not work well with [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), you might want to use either (or fix the compatibility bugs by submitting PRs)
 ## The name of the project
 This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.
--- a/contrib/package.sh
+++ b/contrib/package.sh
@@ -0,0 +1,173 @@
 #!/bin/bash 
 set -euo pipefail
 # This is a script used for automated packaging.
 # Debian maintainers please don't use this.
 # 
 # Environment assumption:
 #  * Ubuntu 16.04
 #  * run with normal user
 #  * sudo with no password
 #  * go and fpm is pre-installed
 #  * rpmbuild is required if you need rpm packages
 #
 # Compatible with Azure DevOps hosted Ubuntu 16.04 agent
 export DEBIAN_FRONTEND="noninteractive"
 export DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"/..
 export BUILD_BINARIESDIRECTORY="${BUILD_BINARIESDIRECTORY:-${DIR}/build/bin}"
 export BUILD_ARTIFACTSTAGINGDIRECTORY="${BUILD_ARTIFACTSTAGINGDIRECTORY:-${DIR}/build/packages}"
 export TMP_DIRECTORY="/tmp/dohbuild"
 export GOPATH="${GOPATH:-/tmp/go}"
 export GOBIN="${GOBIN:-/tmp/go/bin}"
 function prepare_env() {
    echo "Checking dependencies"
    if ! [ -x "$(command -v go)" ]; then
        echo "Please install golang"
        exit 1
    fi
    if [ -x "$(command -v apt-get)" ]; then
        sudo apt-get -y update
    fi
    if ! [ -x "$(command -v rpmbuild)" ]; then
        # TODO: correctly install rpmbuild
        ! sudo apt-get -y install rpmbuild
    fi
    # if ! [ -x "$(command -v upx)" ]; then
    #     sudo apt-get -y install upx
    # fi
    echo "Creating directories"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/nm-dispatcher"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/launchd"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/systemd"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/config"
    mkdir -p "${BUILD_ARTIFACTSTAGINGDIRECTORY}"
    mkdir -p "${TMP_DIRECTORY}"
 }
 function build_common() {
    cp NetworkManager/dispatcher.d/* "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher
    cp launchd/*.plist "${BUILD_BINARIESDIRECTORY}"/launchd
    cp systemd/*.service "${BUILD_BINARIESDIRECTORY}"/systemd
    cp doh-server/doh-server.conf "${BUILD_BINARIESDIRECTORY}"/config
    cp doh-client/doh-client.conf "${BUILD_BINARIESDIRECTORY}"/config
 }
 # used to get version
 function build_native() {
    echo "Building a native binary..."
    go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-native
 }
 function build() {
    echo "Building ${EXE} for OS=$1 ARCH=$2"
    env GOOS="$1" GOARCH="$2" go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-"$3"
    # echo "Compressing executable"
    # ! upx --ultra-brute ${BUILD_BINARIESDIRECTORY}/${EXE}-"$3" || true
 }
 function package() {
    VERSION=$("${BUILD_BINARIESDIRECTORY}/${EXE}-native" --version | head -n 1 | cut -d" " -f2)
    REVISION=$(git log --pretty=format:'%h' -n 1)
    echo "Packaging ${EXE} ${VERSION} for OS=$1 ARCH=$2 TYPE=$3 DST=$4"
    ! rm -rf "${TMP_DIRECTORY}"/*
    mkdir -p "${TMP_DIRECTORY}"/usr/bin
    cp "${BUILD_BINARIESDIRECTORY}"/"${EXE}"-"$3" "${TMP_DIRECTORY}"/usr/bin/"${EXE}"
    mkdir -p "${TMP_DIRECTORY}"/usr/lib/systemd/system
    cp "${BUILD_BINARIESDIRECTORY}"/systemd/"${EXE}".service "${TMP_DIRECTORY}"/usr/lib/systemd/system
    mkdir -p "${TMP_DIRECTORY}"/etc/dns-over-https
    cp "${BUILD_BINARIESDIRECTORY}"/config/"${EXE}".conf "${TMP_DIRECTORY}"/etc/dns-over-https
    mkdir -p "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
    cp "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher/"${EXE}" "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
    # call fpm
    fpm --input-type dir \
        --output-type $4 \
        --chdir "${TMP_DIRECTORY}" \
        --package "${BUILD_ARTIFACTSTAGINGDIRECTORY}" \
        --name "${EXE}" \
        --description "${DESCR}" \
        --version "${VERSION}" \
        --iteration "${REVISION}" \
        --url "https://github.com/m13253/dns-over-https" \
        --vendor "Star Brilliant <coder@poorlab.com>" \
        --license "MIT License" \
        --category "net" \
        --maintainer "James Swineson <autopkg@public.swineson.me>" \
        --architecture "$2" \
        --force \
        .
 }
 cd "${DIR}"/..
 prepare_env
 make deps
 build_common
 pushd doh-server
 export EXE="doh-server"
 export DESCR="DNS-over-HTTPS Server"
 build_native
 build linux amd64 linux-amd64
 package linux amd64 linux-amd64 deb
 ! package linux amd64 linux-amd64 rpm
 package linux amd64 linux-amd64 pacman
 build linux arm linux-armhf
 package linux arm linux-armhf deb
 ! package linux arm linux-armhf rpm
 package linux arm linux-armhf pacman
 build linux arm64 linux-arm64
 package linux arm64 linux-arm64 deb
 ! package linux arm64 linux-arm64 rpm
 package linux arm64 linux-arm64 pacman
 # build darwin amd64 darwin-amd64
 # build windows 386 windows-x86.exe
 # build windows amd64 windows-amd64.exe
 popd
 pushd doh-client
 export EXE="doh-client"
 export DESCR="DNS-over-HTTPS Client"
 build_native
 build linux amd64 linux-amd64
 package linux amd64 linux-amd64 deb
 ! package linux amd64 linux-amd64 rpm
 package linux amd64 linux-amd64 pacman
 build linux arm linux-armhf
 package linux arm linux-armhf deb
 ! package linux arm linux-armhf rpm
 package linux arm linux-armhf pacman
 build linux arm64 linux-arm64
 package linux arm64 linux-arm64 deb
 ! package linux arm64 linux-arm64 rpm
 package linux arm64 linux-arm64 pacman
 # build darwin amd64 darwin-amd64
 # build windows 386 windows-x86.exe
 # build windows amd64 windows-amd64.exe
 popd
--- a/contrib/rpm/dns-over-https-2.1.2-systemd.patch
+++ b/contrib/rpm/dns-over-https-2.1.2-systemd.patch
@@ -1,36 +0,0 @@
 diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
 --- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
 +++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
@@ -7,12 +7,12 @@
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 -ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 +ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
 -User=nobody
 +User=doh-client
 [Install]
 WantedBy=multi-user.target
 diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
 --- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
 +++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
@@ -5,12 +5,12 @@
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 -ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 +ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
 -User=nobody
 +User=doh-server
 [Install]
 WantedBy=multi-user.target
--- a/contrib/rpm/doh.spec
+++ b/contrib/rpm/doh.spec
@@ -1,240 +0,0 @@
 # vim: tabstop=4 shiftwidth=4 expandtab
 %global _hardened_build 1
 # Debug package is empty anyway
 %define debug_package %{nil}
 %global _release        1
 %global provider        github
 %global provider_tld    com
 %global project         m13253
 %global repo            dns-over-https
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 #define commit          984df34ca7b45897ecb5871791e398cc160a4b93
 %if 0%{?commit:1}
 %define shortcommit     %(c=%{commit}; echo ${c:0:7})
 %define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
 %endif
 %define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
 %endif
 %if ! 0%{?gotest:1}
 %define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
 %endif
 Name:           %{repo}
 Version:        2.1.2
 %if 0%{?commit:1}
 Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
 Source0:        https://%{import_path}/archive/%{commit}.tar.gz
 %else
 Release:        %{_release}%{?dist}
 Source0:        https://%{import_path}/archive/v%{version}.tar.gz
 %endif
 Patch0:         %{name}-%{version}-systemd.patch
 Summary:        High performance DNS over HTTPS client & server
 License:        MIT
 URL:            https://github.com/m13253/dns-over-https
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 #BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
 BuildRequires:  golang >= 1.10
 BuildRequires:  systemd
 BuildRequires:  upx
 %description
 %{summary}
 %package common
 BuildArch: noarch
 Summary: %{summary} - common files
 %description common
 %{summary}
 %package server
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
 Summary: %{summary} - Server
 Requires(pre):          shadow-utils
 Requires(post):         systemd
 Requires(preun):        systemd
 Requires(postun):       systemd
 %description server
 %{summary}
 %package client
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
 Summary: %{summary} - Client
 Requires(pre):          shadow-utils
 Requires(post):         systemd
 Requires(preun):        systemd
 Requires(postun):       systemd
 %description client
 %{summary}
 %package selinux
 BuildArch:      noarch
 Source3:        doh_server.fc
 Source4:        doh_server.if
 Source5:        doh_server.te
 Source6:        doh_client.fc
 Source7:        doh_client.if
 Source8:        doh_client.te
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
 Requires:       %{name}
 Requires(post):     policycoreutils
 Requires(post):     policycoreutils-python 
 Requires(postun):   policycoreutils
 Summary: SELinux policy for %{name}
 %description selinux
 %summary
 %prep
 %if 0%{?commit:1}
 %autosetup -n %{name}-%{commit} -p1
 %else
 %autosetup -n %{name}-%{version} -p1
 %endif
 mkdir -p selinux
 cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
 %build
 cd selinux
 make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
 cd -
 %set_build_flags
 %make_build \
    PREFIX=%{_prefix} \
    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
 %install
 %make_install \
    PREFIX=%{_prefix}
 install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
 install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
 install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
 install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
 mkdir -p %{buildroot}%{_docdir}/%{name}
 mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
 mkdir -p %{buildroot}%{_libdir}
 mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
 for i in $(find %{_buildroot}%{_bindir} -type f)
 do
    upx $i
 done
 %files common
 %license LICENSE
 %doc Changelog.md Readme.md
 %files server
 %{_libdir}/NetworkManager/dispatcher.d/doh-server
 %{_docdir}/%{name}/doh-server.conf.example
 %config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
 %{_bindir}/doh-server
 %{_unitdir}/doh-server.service
 %files client
 %{_libdir}/NetworkManager/dispatcher.d/doh-client
 %{_docdir}/%{name}/doh-client.conf.example
 %config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
 %{_bindir}/doh-client
 %{_unitdir}/doh-client.service
 %pre server
 test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
 getent group doh-server > /dev/null || groupadd -r doh-server
 getent passwd doh-server > /dev/null || \
    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
    -s /sbin/nologin -c "%{name} - server" doh-server
 exit 0
 %pre client
 test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
 getent group doh-client > /dev/null || groupadd -r doh-client
 getent passwd doh-client > /dev/null || \
    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
    -s /sbin/nologin -c "%{name} - client" doh-client
 exit 0
 %post server
 %systemd_post doh-server.service
 %preun server
 %systemd_preun doh-server.service
 %postun server
 %systemd_postun_with_restart doh-server.service
 %post client
 %systemd_post doh-client.service
 %preun client
 %systemd_preun doh-client.service
 %postun client
 %systemd_postun_with_restart doh-client.service
 %files selinux
 %{_datadir}/selinux/packages/doh_server.pp
 %{_datadir}/selinux/devel/include/contrib/doh_server.if
 %{_datadir}/selinux/packages/doh_client.pp
 %{_datadir}/selinux/devel/include/contrib/doh_client.if
 %post selinux
 semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
 semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
 if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /usr/sbin/fixfiles -R %{name}-server restore
    /usr/sbin/fixfiles -R %{name}-client restore
 fi;
 semanage -i - << __eof
 port -a -t doh_server_port_t -p tcp "8053"
 port -a -t doh_client_port_t -p udp "5380"
 __eof
 exit 0
 %postun selinux
 if [ $1 -eq 0 ]; then
    semanage -i - << __eof
 port -d -t doh_server_port_t -p tcp "8053"
 port -d -t doh_client_port_t -p udp "5380"
 __eof
    semodule -n -r doh_server
    semodule -n -r doh_client
    if /usr/sbin/selinuxenabled ; then
       /usr/sbin/load_policy
       /usr/sbin/fixfiles -R %{name}-server restore
       /usr/sbin/fixfiles -R %{name}-client restore
    fi;
 fi;
 exit 0
 %changelog
 * Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
 - initial package
--- a/contrib/rpm/doh_client.fc
+++ b/contrib/rpm/doh_client.fc
@@ -1,2 +0,0 @@
 /usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
 /usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)
--- a/contrib/rpm/doh_client.if
+++ b/contrib/rpm/doh_client.if
@@ -1,103 +0,0 @@
 ## <summary>policy for doh_client</summary>
 ########################################
 ## <summary>
 ##	Execute doh_client_exec_t in the doh_client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`doh_client_domtrans',`
 	gen_require(`
 		type doh_client_t, doh_client_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
 ')
 ######################################
 ## <summary>
 ##	Execute doh_client in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`doh_client_exec',`
 	gen_require(`
 		type doh_client_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, doh_client_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute doh_client server in the doh_client domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 interface(`doh_client_systemctl',`
 	gen_require(`
 		type doh_client_t;
 		type doh_client_unit_file_t;
 	')
 	systemd_exec_systemctl($1)
        systemd_read_fifo_file_passwd_run($1)
 	allow $1 doh_client_unit_file_t:file read_file_perms;
 	allow $1 doh_client_unit_file_t:service manage_service_perms;
 	ps_process_pattern($1, doh_client_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
 ##	an doh_client environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`doh_client_admin',`
 	gen_require(`
 		type doh_client_t;
 	type doh_client_unit_file_t;
 	')
 	allow $1 doh_client_t:process { signal_perms };
 	ps_process_pattern($1, doh_client_t)
    tunable_policy(`deny_ptrace',`',`
        allow $1 doh_client_t:process ptrace;
    ')
 	doh_client_systemctl($1)
 	admin_pattern($1, doh_client_unit_file_t)
 	allow $1 doh_client_unit_file_t:service all_service_perms;
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
--- a/contrib/rpm/doh_client.te
+++ b/contrib/rpm/doh_client.te
@@ -1,49 +0,0 @@
 policy_module(doh_client, 1.0.0)
 ########################################
 #
 # Declarations
 #
 type doh_client_t;
 type doh_client_exec_t;
 init_daemon_domain(doh_client_t, doh_client_exec_t)
 type doh_client_port_t;
 corenet_port(doh_client_port_t)
 type doh_client_unit_file_t;
 systemd_unit_file(doh_client_unit_file_t)
 ########################################
 #
 # doh_client local policy
 #
 allow doh_client_t self:fifo_file rw_fifo_file_perms;
 allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
 allow doh_client_t self:capability net_bind_service;
 allow doh_client_t self:process execmem;
 allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
 allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
 allow doh_client_t doh_client_exec_t:file execmod;
 allow doh_client_t doh_client_port_t:tcp_socket name_bind;
 corenet_tcp_bind_dns_port(doh_client_t)
 corenet_tcp_bind_generic_node(doh_client_t)
 corenet_tcp_connect_http_port(doh_client_t)
 corenet_udp_bind_dns_port(doh_client_t)
 corenet_udp_bind_generic_node(doh_client_t)
 corenet_udp_bind_generic_port(doh_client_t)
 kernel_read_net_sysctls(doh_client_t)
 kernel_search_network_sysctl(doh_client_t)
 miscfiles_read_certs(doh_client_t)
 sysnet_read_config(doh_client_t)
 domain_use_interactive_fds(doh_client_t)
 files_read_etc_files(doh_client_t)
 miscfiles_read_localization(doh_client_t)
--- a/contrib/rpm/doh_server.fc
+++ b/contrib/rpm/doh_server.fc
@@ -1,2 +0,0 @@
 /usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
 /usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)
--- a/contrib/rpm/doh_server.if
+++ b/contrib/rpm/doh_server.if
@@ -1,122 +0,0 @@
 ## <summary>policy for doh_server</summary>
 ########################################
 ## <summary>
 ##	Execute doh_server_exec_t in the doh_server domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`doh_server_domtrans',`
 	gen_require(`
 		type doh_server_t, doh_server_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
 ')
 ######################################
 ## <summary>
 ##	Execute doh_server in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`doh_server_exec',`
 	gen_require(`
 		type doh_server_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, doh_server_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute doh_server server in the doh_server domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 interface(`doh_server_systemctl',`
 	gen_require(`
 		type doh_server_t;
 		type doh_server_unit_file_t;
 	')
 	systemd_exec_systemctl($1)
        systemd_read_fifo_file_passwd_run($1)
 	allow $1 doh_server_unit_file_t:file read_file_perms;
 	allow $1 doh_server_unit_file_t:service manage_service_perms;
 	ps_process_pattern($1, doh_server_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
 ##	an doh_server environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`doh_server_admin',`
 	gen_require(`
 		type doh_server_t;
 	type doh_server_unit_file_t;
 	')
 	allow $1 doh_server_t:process { signal_perms };
 	ps_process_pattern($1, doh_server_t)
    tunable_policy(`deny_ptrace',`',`
        allow $1 doh_server_t:process ptrace;
    ')
 	doh_server_systemctl($1)
 	admin_pattern($1, doh_server_unit_file_t)
 	allow $1 doh_server_unit_file_t:service all_service_perms;
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
 ########################################
 ## <summary>
 ##      Make a TCP connection to the vault_ocsp_responder port.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`doh_server_connect',`
        gen_require(`
                type doh_server_port_t;
 		type $1;
        ')
        allow $1 doh_server_port_t:tcp_socket name_connect;
 ')
--- a/contrib/rpm/doh_server.te
+++ b/contrib/rpm/doh_server.te
@@ -1,42 +0,0 @@
 policy_module(doh_server, 1.0.0)
 require {
 	class process execmem;
 	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
 	class udp_socket { connect create getattr setopt read write };
 	class file execmod;
 }
 type doh_server_t;
 type doh_server_exec_t;
 init_daemon_domain(doh_server_t, doh_server_exec_t)
 type doh_server_port_t;
 corenet_port(doh_server_port_t)
 type doh_server_unit_file_t;
 systemd_unit_file(doh_server_unit_file_t)
 allow doh_server_t self:fifo_file rw_fifo_file_perms;
 allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
 allow doh_server_t self:process execmem;
 allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
 allow doh_server_t self:udp_socket { connect create getattr setopt read write };
 allow doh_server_t doh_server_exec_t:file execmod;
 allow doh_server_t doh_server_port_t:tcp_socket name_bind;
 domain_use_interactive_fds(doh_server_t)
 files_read_etc_files(doh_server_t)
 corenet_tcp_bind_generic_node(doh_server_t)
 corenet_tcp_connect_dns_port(doh_server_t)
 doh_server_connect(httpd_t)
 kernel_read_net_sysctls(doh_server_t)
 kernel_search_network_sysctl(doh_server_t)
 miscfiles_read_localization(doh_server_t)
--- a/darwin-wrapper/Makefile
+++ b/darwin-wrapper/Makefile
@@ -6,7 +6,7 @@ PREFIX = /usr/local
 all: doh-logger
 doh-logger: doh-logger.swift
-	$(SWIFTC) -o $@ -O $<
+	$(SWIFTC) -o $@ -O -static-stdlib $<
 clean:
 	rm -f doh-logger
--- a/doh-client/client.go
+++ b/doh-client/client.go
@@ -25,7 +25,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"log"
 	"math/rand"
@@ -38,40 +37,39 @@ import (
 	"sync"
 	"time"
 	"github.com/m13253/dns-over-https/doh-client/config"
 	"github.com/m13253/dns-over-https/doh-client/selector"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/idna"
 	"github.com/m13253/dns-over-https/v2/doh-client/config"
 	"github.com/m13253/dns-over-https/v2/doh-client/selector"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 type Client struct {
 	httpClientLastCreate time.Time
 	cookieJar            http.CookieJar
 	selector             selector.Selector
 	httpClientMux        *sync.RWMutex
 	tcpClient            *dns.Client
 	bootstrapResolver    *net.Resolver
 	udpClient            *dns.Client
 	conf                 *config.Config
-	httpTransport        *http.Transport
+	bootstrap            []string
-	httpClient           *http.Client
+	passthrough          []string
 	udpClient            *dns.Client
 	tcpClient            *dns.Client
 	udpServers           []*dns.Server
 	tcpServers           []*dns.Server
-	passthrough          []string
+	bootstrapResolver    *net.Resolver
-	bootstrap            []string
+	cookieJar            http.CookieJar
 	httpClientMux        *sync.RWMutex
 	httpTransport        *http.Transport
 	httpClient           *http.Client
 	httpClientLastCreate time.Time
 	selector             selector.Selector
 }
 type DNSRequest struct {
 	err               error
 	response          *http.Response
 	reply             *dns.Msg
 	currentUpstream   string
 	ednsClientAddress net.IP
 	udpSize           uint16
 	ednsClientAddress net.IP
 	ednsClientNetmask uint8
 	currentUpstream   string
 	err               error
 }
 func NewClient(conf *config.Config) (c *Client, err error) {
@@ -90,29 +88,6 @@ func NewClient(conf *config.Config) (c *Client, err error) {
 		Net:     "tcp",
 		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
 	}
 	if c.conf.Other.Interface != "" {
 		localV4, localV6, err := c.getInterfaceIPs()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get interface IPs for %s: %v", c.conf.Other.Interface, err)
 		}
 		var localAddr net.IP
 		if localV4 != nil {
 			localAddr = localV4
 		} else {
 			localAddr = localV6
 		}
 		c.udpClient.Dialer = &net.Dialer{
 			Timeout:   time.Duration(conf.Other.Timeout) * time.Second,
 			LocalAddr: &net.UDPAddr{IP: localAddr},
 		}
 		c.tcpClient.Dialer = &net.Dialer{
 			Timeout:   time.Duration(conf.Other.Timeout) * time.Second,
 			LocalAddr: &net.TCPAddr{IP: localAddr},
 		}
 	}
 	for _, addr := range conf.Listen {
 		c.udpServers = append(c.udpServers, &dns.Server{
 			Addr:    addr,
@@ -143,38 +118,6 @@ func NewClient(conf *config.Config) (c *Client, err error) {
 			PreferGo: true,
 			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
 				var d net.Dialer
 				if c.conf.Other.Interface != "" {
 					localV4, localV6, err := c.getInterfaceIPs()
 					if err != nil {
 						log.Printf("Bootstrap dial warning: %v", err)
 					} else {
 						numServers := len(c.bootstrap)
 						bootstrap := c.bootstrap[rand.Intn(numServers)]
 						host, _, _ := net.SplitHostPort(bootstrap)
 						ip := net.ParseIP(host)
 						if ip != nil {
 							if ip.To4() != nil {
 								if localV4 != nil {
 									if strings.HasPrefix(network, "udp") {
 										d.LocalAddr = &net.UDPAddr{IP: localV4}
 									} else {
 										d.LocalAddr = &net.TCPAddr{IP: localV4}
 									}
 								}
 							} else {
 								if localV6 != nil {
 									if strings.HasPrefix(network, "udp") {
 										d.LocalAddr = &net.UDPAddr{IP: localV6}
 									} else {
 										d.LocalAddr = &net.TCPAddr{IP: localV6}
 									}
 								}
 							}
 						}
 						conn, err := d.DialContext(ctx, network, bootstrap)
 						return conn, err
 					}
 				}
 				numServers := len(c.bootstrap)
 				bootstrap := c.bootstrap[rand.Intn(numServers)]
 				conn, err := d.DialContext(ctx, network, bootstrap)
@@ -290,92 +233,30 @@ func (c *Client) newHTTPClient() error {
 	if c.httpTransport != nil {
 		c.httpTransport.CloseIdleConnections()
 	}
-
+	dialer := &net.Dialer{
 	localV4, localV6, err := c.getInterfaceIPs()
 	if err != nil {
 		log.Printf("Interface binding error: %v", err)
 		return err
 	}
 	baseDialer := &net.Dialer{
 		Timeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
 		KeepAlive: 30 * time.Second,
-		Resolver:  c.bootstrapResolver,
+		// DualStack: true,
 		Resolver: c.bootstrapResolver,
 	}
 	c.httpTransport = &http.Transport{
-		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+		DialContext:           dialer.DialContext,
 			if c.conf.Other.Interface == "" {
 				return baseDialer.DialContext(ctx, network, addr)
 			}
 			if network == "tcp4" && localV4 != nil {
 				d := *baseDialer
 				d.LocalAddr = &net.TCPAddr{IP: localV4}
 				return d.DialContext(ctx, network, addr)
 			}
 			if network == "tcp6" && localV6 != nil {
 				d := *baseDialer
 				d.LocalAddr = &net.TCPAddr{IP: localV6}
 				return d.DialContext(ctx, network, addr)
 			}
 			// Manual Dual-Stack: Resolve host and try compatible families sequentially
 			host, port, _ := net.SplitHostPort(addr)
 			ips, err := c.bootstrapResolver.LookupIPAddr(ctx, host)
 			if err != nil {
 				return nil, err
 			}
 			var lastErr error
 			for _, ip := range ips {
 				d := *baseDialer
 				targetAddr := net.JoinHostPort(ip.String(), port)
 				if ip.IP.To4() != nil {
 					if localV4 == nil {
 						continue
 					}
 					d.LocalAddr = &net.TCPAddr{IP: localV4}
 				} else {
 					if localV6 == nil {
 						continue
 					}
 					d.LocalAddr = &net.TCPAddr{IP: localV6}
 				}
 				conn, err := d.DialContext(ctx, "tcp", targetAddr)
 				if err == nil {
 					return conn, nil
 				}
 				lastErr = err
 			}
 			if lastErr != nil {
 				return nil, lastErr
 			}
 			return nil, fmt.Errorf("connection to %s failed: no matching local/remote IP families on interface %s", addr, c.conf.Other.Interface)
 		},
 		ExpectContinueTimeout: 1 * time.Second,
 		IdleConnTimeout:       90 * time.Second,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
 		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
 		TLSClientConfig:       &tls.Config{InsecureSkipVerify: c.conf.Other.TLSInsecureSkipVerify},
 	}
 	if c.conf.Other.NoIPv6 {
 		originalDial := c.httpTransport.DialContext
 		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
 			if strings.HasPrefix(network, "tcp") {
 				network = "tcp4"
 			}
-			return originalDial(ctx, network, address)
+			return dialer.DialContext(ctx, network, address)
 		}
 	}
-
+	err := http2.ConfigureTransport(c.httpTransport)
 	err = http2.ConfigureTransport(c.httpTransport)
 	if err != nil {
 		return err
 	}
@@ -424,7 +305,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 	if len(r.Question) != 1 {
 		log.Println("Number of questions is not 1")
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return
@@ -475,7 +356,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 			return
 		}
 		log.Println(err)
-		reply = jsondns.PrepareReply(r)
+		reply = jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return
@@ -544,7 +425,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 	// https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ says
 	// returns code will be 200 / 400 / 413 / 415 / 504, some server will return 503, so
-	// I think if status code is 5xx, upstream must have some problems
+	// I think if status code is 5xx, upstream must has some problems
 	/*if req.response.StatusCode/100 == 5 {
 		c.selector.ReportUpstreamStatus(upstream, selector.Medium)
 	}*/
@@ -590,7 +471,7 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 	if err != nil {
 		return
 	}
-	if ip := remoteAddr.IP; jsondns.IsGlobalIP(ip) {
+	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
 		if ipv4 := ip.To4(); ipv4 != nil {
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
@@ -601,38 +482,3 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 	}
 	return
 }
 // getInterfaceIPs returns the first valid IPv4 and IPv6 addresses found on the interface
 func (c *Client) getInterfaceIPs() (v4, v6 net.IP, err error) {
 	if c.conf.Other.Interface == "" {
 		return nil, nil, nil
 	}
 	ifi, err := net.InterfaceByName(c.conf.Other.Interface)
 	if err != nil {
 		return nil, nil, err
 	}
 	addrs, err := ifi.Addrs()
 	if err != nil {
 		return nil, nil, err
 	}
 	for _, addr := range addrs {
 		ip, _, err := net.ParseCIDR(addr.String())
 		if err != nil {
 			continue
 		}
 		if ip4 := ip.To4(); ip4 != nil {
 			if v4 == nil {
 				v4 = ip4
 			}
 		} else {
 			if v6 == nil && !c.conf.Other.NoIPv6 {
 				v6 = ip
 			}
 		}
 	}
 	if v4 == nil && v6 == nil {
 		return nil, nil, fmt.Errorf("no valid IP addresses found on interface %s", c.conf.Other.Interface)
 	}
 	return v4, v6, nil
 }
--- a/doh-client/config/config.go
+++ b/doh-client/config/config.go
@@ -47,17 +47,14 @@ type upstream struct {
 }
 type others struct {
-	Bootstrap             []string `toml:"bootstrap"`
+	Bootstrap        []string `toml:"bootstrap"`
-	Passthrough           []string `toml:"passthrough"`
+	Passthrough      []string `toml:"passthrough"`
-	Timeout               uint     `toml:"timeout"`
+	Timeout          uint     `toml:"timeout"`
-	Interface             string   `toml:"interface"`
+	NoCookies        bool     `toml:"no_cookies"`
-	NoCookies             bool     `toml:"no_cookies"`
+	NoECS            bool     `toml:"no_ecs"`
-	NoECS                 bool     `toml:"no_ecs"`
+	NoIPv6           bool     `toml:"no_ipv6"`
-	NoIPv6                bool     `toml:"no_ipv6"`
+	Verbose          bool     `toml:"verbose"`
-	NoUserAgent           bool     `toml:"no_user_agent"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
 	Verbose               bool     `toml:"verbose"`
 	DebugHTTPHeaders      []string `toml:"debug_http_headers"`
 	TLSInsecureSkipVerify bool     `toml:"insecure_tls_skip_verify"`
 }
 type Config struct {
--- a/doh-client/doh-client.conf
+++ b/doh-client/doh-client.conf
@@ -4,9 +4,6 @@ listen = [
    "127.0.0.1:5380",
    "[::1]:53",
    "[::1]:5380",
    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
    # ":53",
 ]
 # HTTP path for upstream resolver
@@ -18,34 +15,34 @@ upstream_selector = "random"
 # weight should in (0, 100], if upstream_selector is random, weight will be ignored
-## Google's resolver, good ECS, good DNSSEC
+## Google's productive resolver, good ECS, bad DNSSEC
-#[[upstream.upstream_ietf]]
+#[[upstream.upstream_google]]
-#    url = "https://dns.google/dns-query"
+#    url = "https://dns.google.com/resolve"
 #    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
-## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+#[[upstream.upstream_google]]
 #    url = "https://cloudflare-dns.com/dns-query"
 #    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
 #[[upstream.upstream_google]]
 #    url = "https://1.1.1.1/dns-query"
 #    weight = 50
 # CloudFlare's resolver, bad ECS, good DNSSEC
 [[upstream.upstream_ietf]]
    url = "https://cloudflare-dns.com/dns-query"
    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
 ## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
 ## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
 #[[upstream.upstream_ietf]]
 #    url = "https://1.1.1.1/dns-query"
 #    weight = 50
-## DNS.SB's resolver, good ECS, good DNSSEC
+## Google's experimental resolver, good ECS, good DNSSEC
 ## The provider claims no logging: https://dns.sb/doh/
 #[[upstream.upstream_ietf]]
-#    url = "https://doh.dns.sb/dns-query"
+#    url = "https://dns.google.com/experimental"
 #    weight = 50
 ## Quad9's resolver, bad ECS, good DNSSEC
 ## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
 #[[upstream.upstream_ietf]]
 #    url = "https://9.9.9.9/dns-query"
 #    weight = 50
 ## CloudFlare's resolver for Tor, available only with Tor
@@ -64,7 +61,7 @@ upstream_selector = "random"
 # bootstrap server, please make this list empty.
 bootstrap = [
-    # Google's resolver, good ECS, good DNSSEC
+    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
@@ -81,9 +78,7 @@ passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "globalreachtech.com",
    "msftconnecttest.com",
    "network-auth.com",
    "nmcheck.gnome.org",
    "pool.ntp.org",
@@ -97,11 +92,6 @@ passthrough = [
 # Timeout for upstream request in seconds
 timeout = 30
 # Interface to bind to for outgoing connections.
 # If empty, the system default route is used (usually eth0 or wlan0).
 # Example: "eth1", "wlan0"
 interface = ""
 # Disable HTTP Cookies
 #
 # Cookies may be useful if your upstream resolver is protected by some
@@ -126,22 +116,5 @@ no_ecs = false
 # Note that DNS listening and bootstrapping is not controlled by this option.
 no_ipv6 = false
 # Disable submitting User-Agent
 #
 # It is generally not recommended to disable submitting User-Agent because it
 # is still possible to probe client version according to behavior differences,
 # such as TLS handshaking, handling of malformed packets, and specific bugs.
 # Additionally, User-Agent is an important way for the server to distinguish
 # buggy, old, or insecure clients, and to workaround specific bugs.
 # (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
 # and older Firefox.)
 no_user_agent = false
 # Enable logging
 verbose = false
 # insecure_tls_skip_verification will disable necessary TLS security verification.
 # This option is designed for testing or development purposes,
 # turning on this option on public Internet may cause your connection
 # vulnerable to MITM attack.
 insecure_tls_skip_verify = false
--- a/doh-client/google.go
+++ b/doh-client/google.go
@@ -27,17 +27,16 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"github.com/m13253/dns-over-https/doh-client/selector"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"github.com/m13253/dns-over-https/v2/doh-client/selector"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
@@ -45,7 +44,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	questionName := question.Name
 	questionClass := question.Qclass
 	if questionClass != dns.ClassINET {
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeRefused
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -68,9 +67,6 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	udpSize := uint16(512)
 	if opt := r.IsEdns0(); opt != nil {
 		udpSize = opt.UDPSize()
 		if opt.Do() {
 			requestURL += "&do=1"
 		}
 	}
 	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
@@ -78,10 +74,10 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
 	}
-	req, err := http.NewRequest(http.MethodGet, requestURL, http.NoBody)
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -90,11 +86,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	}
 	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
-	if !c.conf.Other.NoUserAgent {
+	req.Header.Set("User-Agent", USER_AGENT)
 		req.Header.Set("User-Agent", USER_AGENT)
 	} else {
 		req.Header.Set("User-Agent", "")
 	}
 	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
@@ -112,7 +104,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -122,7 +114,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	return &DNSRequest{
 		response:          resp,
-		reply:             jsondns.PrepareReply(r),
+		reply:             jsonDNS.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
@@ -141,7 +133,7 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 		}
 	}
-	body, err := io.ReadAll(req.response.Body)
+	body, err := ioutil.ReadAll(req.response.Body)
 	if err != nil {
 		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
@@ -149,7 +141,7 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 		return
 	}
-	var respJSON jsondns.Response
+	var respJSON jsonDNS.Response
 	err = json.Unmarshal(body, &respJSON)
 	if err != nil {
 		log.Println(err)
@@ -161,14 +153,8 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 	if respJSON.Status != dns.RcodeSuccess && respJSON.Comment != "" {
 		log.Printf("DNS error: %s\n", respJSON.Comment)
 	}
 	fixEmptyNames(&respJSON)
-	fullReply := jsondns.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	fullReply := jsonDNS.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
 	if isTCP {
 		fullReply.Truncate(dns.MaxMsgSize)
 	} else {
 		fullReply.Truncate(int(req.udpSize))
 	}
 	buf, err := fullReply.Pack()
 	if err != nil {
 		log.Println(err)
@@ -176,21 +162,14 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 		w.WriteMsg(req.reply)
 		return
 	}
 	if !isTCP && len(buf) > int(req.udpSize) {
 		fullReply.Truncated = true
 		buf, err = fullReply.Pack()
 		if err != nil {
 			log.Println(err)
 			return
 		}
 		buf = buf[:req.udpSize]
 	}
 	w.Write(buf)
 }
 // Fix DNS response empty []RR.Name
 // Additional section won't be rectified
 // see: https://stackoverflow.com/questions/52136176/what-is-additional-section-in-dns-and-how-it-works
 func fixEmptyNames(respJSON *jsondns.Response) {
 	for i := range respJSON.Answer {
 		if respJSON.Answer[i].Name == "" {
 			respJSON.Answer[i].Name = "."
 		}
 	}
 	for i := range respJSON.Authority {
 		if respJSON.Authority[i].Name == "" {
 			respJSON.Authority[i].Name = "."
 		}
 	}
 }
--- a/doh-client/ietf.go
+++ b/doh-client/ietf.go
@@ -28,17 +28,16 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/m13253/dns-over-https/doh-client/selector"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"github.com/m13253/dns-over-https/v2/doh-client/selector"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
@@ -91,7 +90,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	requestBinary, err := r.Pack()
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -105,10 +104,10 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	var req *http.Request
 	if len(requestURL) < 2048 {
-		req, err = http.NewRequest(http.MethodGet, requestURL, http.NoBody)
+		req, err = http.NewRequest(http.MethodGet, requestURL, nil)
 		if err != nil {
 			log.Println(err)
-			reply := jsondns.PrepareReply(r)
+			reply := jsonDNS.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
@@ -119,7 +118,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req, err = http.NewRequest(http.MethodPost, upstream.URL, bytes.NewReader(requestBinary))
 		if err != nil {
 			log.Println(err)
-			reply := jsondns.PrepareReply(r)
+			reply := jsonDNS.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
@@ -129,11 +128,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req.Header.Set("Content-Type", "application/dns-message")
 	}
 	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
-	if !c.conf.Other.NoUserAgent {
+	req.Header.Set("User-Agent", USER_AGENT)
 		req.Header.Set("User-Agent", USER_AGENT)
 	} else {
 		req.Header.Set("User-Agent", "")
 	}
 	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
@@ -150,7 +145,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -160,7 +155,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	return &DNSRequest{
 		response:          resp,
-		reply:             jsondns.PrepareReply(r),
+		reply:             jsonDNS.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
@@ -179,9 +174,9 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		}
 	}
-	body, err := io.ReadAll(req.response.Body)
+	body, err := ioutil.ReadAll(req.response.Body)
 	if err != nil {
-		log.Printf("read error from upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -192,7 +187,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
 			now = nowDate
 		} else {
-			log.Printf("Date header parse error from upstream %s: %v\n", req.currentUpstream, err)
+			log.Println(err)
 		}
 	}
 	headerLastModified := req.response.Header.Get("Last-Modified")
@@ -201,7 +196,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
 			lastModified = lastModifiedDate
 		} else {
-			log.Printf("Last-Modified header parse error from upstream %s: %v\n", req.currentUpstream, err)
+			log.Println(err)
 		}
 	}
 	timeDelta := now.Sub(lastModified)
@@ -212,7 +207,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 	fullReply := new(dns.Msg)
 	err = fullReply.Unpack(body)
 	if err != nil {
-		log.Printf("unpacking error from upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -232,22 +227,23 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		_ = fixRecordTTL(rr, timeDelta)
 	}
 	if isTCP {
 		fullReply.Truncate(dns.MaxMsgSize)
 	} else {
 		fullReply.Truncate(int(req.udpSize))
 	}
 	buf, err := fullReply.Pack()
 	if err != nil {
-		log.Printf("packing error with upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
 	}
-	_, err = w.Write(buf)
+	if !isTCP && len(buf) > int(req.udpSize) {
-	if err != nil {
+		fullReply.Truncated = true
-		log.Printf("failed to write to client: %v\n", err)
+		buf, err = fullReply.Pack()
 		if err != nil {
 			log.Println(err)
 			return
 		}
 		buf = buf[:req.udpSize]
 	}
 	w.Write(buf)
 }
 func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {
--- a/doh-client/main.go
+++ b/doh-client/main.go
@@ -26,19 +26,21 @@ package main
 import (
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
 	"runtime"
 	"strconv"
-	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/doh-client/config"
 )
 func checkPIDFile(pidFile string) (bool, error) {
 retry:
-	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
 	if os.IsExist(err) {
-		pidStr, err := os.ReadFile(pidFile)
+		pidStr, err := ioutil.ReadFile(pidFile)
 		if err != nil {
 			return false, err
 		}
@@ -62,7 +64,7 @@ retry:
 		return false, err
 	}
 	defer f.Close()
-	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
 	if err != nil {
 		return false, err
 	}
@@ -87,7 +89,7 @@ func main() {
 	flag.Parse()
 	if *showVersion {
-		fmt.Printf("doh-client %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
 		return
 	}
--- a/doh-client/selector/lvsWRRSelector.go
+++ b/doh-client/selector/lvsWRRSelector.go
@@ -80,7 +80,7 @@ func (ls *LVSWRRSelector) StartEvaluate() {
 						acceptType = "application/dns-message"
 					}
-					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
 					if err != nil {
 						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
 						continue*/
--- a/doh-client/selector/nginxWRRSelector.go
+++ b/doh-client/selector/nginxWRRSelector.go
@@ -73,7 +73,7 @@ func (ws *NginxWRRSelector) StartEvaluate() {
 						acceptType = "application/dns-message"
 					}
-					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
 					if err != nil {
 						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
 						continue*/
@@ -110,7 +110,7 @@ func (ws *NginxWRRSelector) StartEvaluate() {
 	}()
 }
-// nginx wrr like.
+// nginx wrr like
 func (ws *NginxWRRSelector) Get() *Upstream {
 	var (
 		total             int32
--- a/doh-client/selector/randomSelector.go
+++ b/doh-client/selector/randomSelector.go
@@ -7,7 +7,7 @@ import (
 )
 func init() {
-	rand.NewSource(time.Now().UnixNano())
+	rand.Seed(time.Now().UnixNano())
 }
 type RandomSelector struct {
--- a/doh-client/selector/upstreamStatus.go
+++ b/doh-client/selector/upstreamStatus.go
@@ -3,12 +3,12 @@ package selector
 type upstreamStatus int
 const (
-	// when query upstream timeout, usually upstream is unavailable for a long time.
+	// when query upstream timeout, usually upstream is unavailable for a long time
 	Timeout upstreamStatus = iota
-	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him.
+	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him
 	Error
-	// when query upstream ok, means upstream is available.
+	// when query upstream ok, means upstream is available
 	OK
 )
--- a/doh-client/version.go
+++ b/doh-client/version.go
@@ -24,6 +24,6 @@
 package main
 const (
-	VERSION    = "2.3.10"
+	VERSION    = "2.0.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )
--- a/doh-server/config.go
+++ b/doh-server/config.go
@@ -25,27 +25,23 @@ package main
 import (
 	"fmt"
 	"regexp"
 	"github.com/BurntSushi/toml"
 )
 type config struct {
-	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
+	Listen           []string `toml:"listen"`
-	LocalAddr           string   `toml:"local_addr"`
+	LocalAddr        string   `toml:"local_addr"`
-	Cert                string   `toml:"cert"`
+	Cert             string   `toml:"cert"`
-	Key                 string   `toml:"key"`
+	Key              string   `toml:"key"`
-	Path                string   `toml:"path"`
+	Path             string   `toml:"path"`
-	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	Upstream         []string `toml:"upstream"`
-	Listen              []string `toml:"listen"`
+	Timeout          uint     `toml:"timeout"`
-	Upstream            []string `toml:"upstream"`
+	Tries            uint     `toml:"tries"`
-	Timeout             uint     `toml:"timeout"`
+	TCPOnly          bool     `toml:"tcp_only"`
-	Tries               uint     `toml:"tries"`
+	Verbose          bool     `toml:"verbose"`
-	Verbose             bool     `toml:"verbose"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
-	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
+	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
 	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
 	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
 	TLSClientAuth       bool     `toml:"tls_client_auth"`
 }
 func loadConfig(path string) (*config, error) {
@@ -66,7 +62,7 @@ func loadConfig(path string) (*config, error) {
 		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string{"udp:8.8.8.8:53", "udp:8.8.4.4:53"}
+		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
 	}
 	if conf.Timeout == 0 {
 		conf.Timeout = 10
@@ -79,35 +75,9 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}
 	// validate all upstreams
 	for _, us := range conf.Upstream {
 		address, t := addressAndType(us)
 		if address == "" {
 			return nil, &configError{"One of the upstreams has not a (udp|tcp|tcp-tls) prefix e.g. udp:1.1.1.1:53"}
 		}
 		switch t {
 		case "tcp", "udp", "tcp-tls":
 			// OK
 		default:
 			return nil, &configError{"Invalid upstream prefix specified, choose one of: udp tcp tcp-tls"}
 		}
 	}
 	return conf, nil
 }
 var rxUpstreamWithTypePrefix = regexp.MustCompile("^[a-z-]+(:)")
 func addressAndType(us string) (string, string) {
 	p := rxUpstreamWithTypePrefix.FindStringSubmatchIndex(us)
 	if len(p) != 4 {
 		return "", ""
 	}
 	return us[p[2]+1:], us[:p[2]]
 }
 type configError struct {
 	err string
 }
--- a/doh-server/doh-server.conf
+++ b/doh-server/doh-server.conf
@@ -2,9 +2,6 @@
 listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
    # ":8053",
 ]
 # Local address and port for upstream DNS
@@ -27,16 +24,11 @@ path = "/dns-query"
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # You can use "udp", "tcp" or "tcp-tls" for the type prefix.
 # For "udp", UDP will first be used, and switch to TCP when the server asks to
 # or the response is too large.
 # For "tcp", only TCP will be used.
 # For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
-    "udp:1.1.1.1:53",
+    "1.1.1.1:53",
-    "udp:1.0.0.1:53",
+    "1.0.0.1:53",
-    "udp:8.8.8.8:53",
+    "8.8.8.8:53",
-    "udp:8.8.4.4:53",
+    "8.8.4.4:53",
 ]
 # Upstream timeout
@@ -45,34 +37,12 @@ timeout = 10
 # Number of tries if upstream DNS fails
 tries = 3
 # Only use TCP for DNS query
 tcp_only = false
 # Enable logging
 verbose = false
 # Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
 # Note: http uri/useragent log cannot be controlled by this config
 log_guessed_client_ip = false
 # By default, non global IP addresses are never forwarded to upstream servers.
 # This is to prevent two things from happening:
 #   1. the upstream server knowing your private LAN addresses;
 #   2. the upstream server unable to provide geographically near results,
 #      or even fail to provide any result.
 # However, if you are deploying a split tunnel corporation network
 # environment, or for any other reason you want to inhibit this
 # behavior and allow local (eg RFC1918) address to be forwarded,
 # change the following option to "true".
 ecs_allow_non_global_ip = false
 # If ECS is added to the request, let the full IP address or
 # cap it to 24 or 128 mask. This option is to be used only on private
 # networks where knwoledge of the terminal endpoint may be required for
 # security purposes (eg. DNS Firewalling). Not a good option on the
 # internet where IP address may be used to identify the user and
 # not only the approximate location.
 ecs_use_precise_ip = false
 # If DOH is used for a controlled network, it is possible to enable
 # the client TLS certificate validation with a specific certificate
 # authority used to sign any client one. Disabled by default.
 # tls_client_auth = true
 # tls_client_auth_ca = "root-ca-public.crt"
--- a/doh-server/google.go
+++ b/doh-server/google.go
@@ -34,10 +34,9 @@ import (
 	"strings"
 	"time"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
@@ -91,14 +90,45 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
 		if ednsClientSubnet == "0/0" {
 			ednsClientSubnet = "0.0.0.0/0"
 		}
-
+		slash := strings.IndexByte(ednsClientSubnet, '/')
-		var err error
+		if slash < 0 {
-		ednsClientFamily, ednsClientAddress, ednsClientNetmask, err = parseSubnet(ednsClientSubnet)
+			ednsClientAddress = net.ParseIP(ednsClientSubnet)
-		if err != nil {
+			if ednsClientAddress == nil {
-			return &DNSRequest{
+				return &DNSRequest{
-				errcode: 400,
+					errcode: 400,
-				errtext: err.Error(),
+					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
 				}
 			}
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
 				ednsClientNetmask = 56
 			}
 		} else {
 			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
 			if ednsClientAddress == nil {
 				return &DNSRequest{
 					errcode: 400,
 					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
 				}
 			}
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
 			} else {
 				ednsClientFamily = 2
 			}
 			netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
 			if err != nil {
 				return &DNSRequest{
 					errcode: 400,
 					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
 				}
 			}
 			ednsClientNetmask = uint8(netmask)
 		}
 	} else {
 		ednsClientAddress = s.findClientIP(r)
@@ -139,51 +169,12 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
 	}
 }
 func parseSubnet(ednsClientSubnet string) (ednsClientFamily uint16, ednsClientAddress net.IP, ednsClientNetmask uint8, err error) {
 	slash := strings.IndexByte(ednsClientSubnet, '/')
 	if slash < 0 {
 		ednsClientAddress = net.ParseIP(ednsClientSubnet)
 		if ednsClientAddress == nil {
 			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
 			return
 		}
 		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 			ednsClientFamily = 1
 			ednsClientAddress = ipv4
 			ednsClientNetmask = 24
 		} else {
 			ednsClientFamily = 2
 			ednsClientNetmask = 56
 		}
 	} else {
 		ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
 		if ednsClientAddress == nil {
 			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
 			return
 		}
 		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 			ednsClientFamily = 1
 			ednsClientAddress = ipv4
 		} else {
 			ednsClientFamily = 2
 		}
 		netmask, err1 := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
 		if err1 != nil {
 			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
 			return
 		}
 		ednsClientNetmask = uint8(netmask)
 	}
 	return
 }
 func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsondns.Marshal(req.response)
+	respJSON := jsonDNS.Marshal(req.response)
 	respStr, err := json.Marshal(respJSON)
 	if err != nil {
 		log.Println(err)
-		jsondns.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
 		return
 	}
--- a/doh-server/ietf.go
+++ b/doh-server/ietf.go
@@ -28,7 +28,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -36,9 +36,8 @@ import (
 	"strings"
 	"time"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
@@ -51,7 +50,7 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	if len(requestBinary) == 0 && (r.Header.Get("Content-Type") == "application/dns-message" || r.Header.Get("Content-Type") == "application/dns-udpwireformat") {
-		requestBinary, err = io.ReadAll(r.Body)
+		requestBinary, err = ioutil.ReadAll(r.Body)
 		if err != nil {
 			return &DNSRequest{
 				errcode: 400,
@@ -62,7 +61,7 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 	if len(requestBinary) == 0 {
 		return &DNSRequest{
 			errcode: 400,
-			errtext: "Invalid argument value: \"dns\"",
+			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
 		}
 	}
@@ -126,7 +125,6 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	isTailored := edns0Subnet == nil
 	if edns0Subnet == nil {
 		ednsClientFamily := uint16(0)
 		ednsClientAddress := s.findClientIP(r)
@@ -135,20 +133,10 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
-				if s.conf.ECSUsePreciseIP {
+				ednsClientNetmask = 24
 					ednsClientNetmask = 32
 				} else {
 					ednsClientNetmask = 24
 					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(24, 32))
 				}
 			} else {
 				ednsClientFamily = 2
-				if s.conf.ECSUsePreciseIP {
+				ednsClientNetmask = 56
 					ednsClientNetmask = 128
 				} else {
 					ednsClientNetmask = 56
 					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(56, 128))
 				}
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -168,12 +156,12 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 }
 func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsondns.Marshal(req.response)
+	respJSON := jsonDNS.Marshal(req.response)
 	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
-		log.Printf("DNS packet construct failure with upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
-		jsondns.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
 		return
 	}
@@ -183,6 +171,8 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	w.Header().Set("Last-Modified", now)
 	w.Header().Set("Vary", "Accept")
 	_ = s.patchFirefoxContentType(w, r, req)
 	if respJSON.HaveTTL {
 		if req.isTailored {
 			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
@@ -193,21 +183,15 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	}
 	if respJSON.Status == dns.RcodeServerFailure {
 		log.Printf("received server failure from upstream %s: %v\n", req.currentUpstream, req.response)
 		w.WriteHeader(503)
 	}
-	_, err = w.Write(respBytes)
+	w.Write(respBytes)
 	if err != nil {
 		log.Printf("failed to write to client: %v\n", err)
 	}
 }
-// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe.
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
 func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
 	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
-		if s.conf.Verbose {
+		log.Println("DNSCrypt-Proxy detected. Patching response.")
 			log.Println("DNSCrypt-Proxy detected. Patching response.")
 		}
 		w.Header().Set("Content-Type", "application/dns-message")
 		w.Header().Set("Vary", "Accept, User-Agent")
 		now := time.Now().UTC().Format(http.TimeFormat)
@@ -217,3 +201,15 @@ func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request,
 	}
 	return false
 }
 // Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
 func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
 	if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
 		log.Println("Firefox 61-62 detected. Patching response.")
 		w.Header().Set("Content-Type", "application/dns-udpwireformat")
 		w.Header().Set("Vary", "Accept, User-Agent")
 		req.isTailored = true
 		return true
 	}
 	return false
 }
--- a/doh-server/main.go
+++ b/doh-server/main.go
@@ -26,6 +26,8 @@ package main
 import (
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
 	"runtime"
@@ -34,9 +36,9 @@ import (
 func checkPIDFile(pidFile string) (bool, error) {
 retry:
-	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
 	if os.IsExist(err) {
-		pidStr, err := os.ReadFile(pidFile)
+		pidStr, err := ioutil.ReadFile(pidFile)
 		if err != nil {
 			return false, err
 		}
@@ -60,7 +62,7 @@ retry:
 		return false, err
 	}
 	defer f.Close()
-	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
 	if err != nil {
 		return false, err
 	}
--- a/doh-server/parse_test.go
+++ b/doh-server/parse_test.go
@@ -1,119 +0,0 @@
 /*
   DNS-over-HTTPS
   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
   Permission is hereby granted, free of charge, to any person obtaining a
   copy of this software and associated documentation files (the "Software"),
   to deal in the Software without restriction, including without limitation
   the rights to use, copy, modify, merge, publish, distribute, sublicense,
   and/or sell copies of the Software, and to permit persons to whom the
   Software is furnished to do so, subject to the following conditions:
   The above copyright notice and this permission notice shall be included in
   all copies or substantial portions of the Software.
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   DEALINGS IN THE SOFTWARE.
 */
 package main
 import (
 	"testing"
 	"github.com/miekg/dns"
 )
 func TestParseCIDR(t *testing.T) {
 	t.Parallel()
 	for _, ednsClientSubnet := range []string{
 		"2001:db8::/0",
 		"2001:db8::/56",
 		"2001:db8::/129",
 		"2001:db8::",
 		"127.0.0.1/0",
 		"127.0.0.1/24",
 		"127.0.0.1/33",
 		"127.0.0.1",
 		"::ffff:7f00:1/0",
 		"::ffff:7f00:1/120",
 		"::ffff:7f00:1",
 		"127.0.0.1/0",
 		"127.0.0.1/24",
 		"127.0.0.1",
 	} {
 		_, ip, ipNet, err := parseSubnet(ednsClientSubnet)
 		if err != nil {
 			t.Errorf("ecs:%s ip:[%v]  ipNet:[%v]  err:[%v]", ednsClientSubnet, ip, ipNet, err)
 		}
 	}
 }
 func TestParseInvalidCIDR(t *testing.T) {
 	t.Parallel()
 	for _, ip := range []string{
 		"test",
 		"test/0",
 		"test/24",
 		"test/34",
 		"test/56",
 		"test/129",
 	} {
 		_, _, _, err := parseSubnet(ip)
 		if err == nil {
 			t.Errorf("expected error for %q", ip)
 		}
 	}
 }
 func TestEdns0SubnetParseCIDR(t *testing.T) {
 	t.Parallel()
 	// init dns Msg
 	msg := new(dns.Msg)
 	msg.Id = dns.Id()
 	msg.SetQuestion(dns.Fqdn("example.com"), 1)
 	// init edns0Subnet
 	edns0Subnet := new(dns.EDNS0_SUBNET)
 	edns0Subnet.Code = dns.EDNS0SUBNET
 	edns0Subnet.SourceScope = 0
 	// init opt
 	opt := new(dns.OPT)
 	opt.Hdr.Name = "."
 	opt.Hdr.Rrtype = dns.TypeOPT
 	opt.SetUDPSize(dns.DefaultMsgSize)
 	opt.Option = append(opt.Option, edns0Subnet)
 	msg.Extra = append(msg.Extra, opt)
 	for _, subnet := range []string{"::ffff:7f00:1/120", "127.0.0.1/24"} {
 		var err error
 		edns0Subnet.Family, edns0Subnet.Address, edns0Subnet.SourceNetmask, err = parseSubnet(subnet)
 		if err != nil {
 			t.Error(err)
 			continue
 		}
 		t.Log(msg.Pack())
 	}
 	// ------127.0.0.1/24-----
 	// [143 29 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
 	// opt start   0 41 16 0 0 0 0 0 0 11
 	// subnet start 0 8 0 7 0 1 24 0
 	// client subnet start 127 0 0]
 	// -----::ffff:7f00:1/120----
 	// [111 113 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
 	// opt start  0 41 16 0 0 0 0 0 0 23
 	// subnet start  0 8 0 19 0 2 120 0
 	// client subnet start 0 0 0 0 0 0 0 0 0 0 255 255 127 0 0]
 }
--- a/doh-server/server.go
+++ b/doh-server/server.go
@@ -25,8 +25,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"log"
 	"math/rand"
@@ -37,27 +35,25 @@ import (
 	"time"
 	"github.com/gorilla/handlers"
 	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 type Server struct {
-	conf         *config
+	conf      *config
-	udpClient    *dns.Client
+	udpClient *dns.Client
-	tcpClient    *dns.Client
+	tcpClient *dns.Client
-	tcpClientTLS *dns.Client
+	servemux  *http.ServeMux
 	servemux     *http.ServeMux
 }
 type DNSRequest struct {
 	request         *dns.Msg
 	response        *dns.Msg
 	currentUpstream string
 	errtext         string
 	errcode         int
 	transactionID   uint16
 	currentUpstream string
 	isTailored      bool
 	errcode         int
 	errtext         string
 }
 func NewServer(conf *config) (*Server, error) {
@@ -73,10 +69,6 @@ func NewServer(conf *config) (*Server, error) {
 			Net:     "tcp",
 			Timeout: timeout,
 		},
 		tcpClientTLS: &dns.Client{
 			Net:     "tcp-tls",
 			Timeout: timeout,
 		},
 		servemux: http.NewServeMux(),
 	}
 	if conf.LocalAddr != "" {
@@ -96,10 +88,6 @@ func NewServer(conf *config) (*Server, error) {
 			Timeout:   timeout,
 			LocalAddr: tcpLocalAddr,
 		}
 		s.tcpClientTLS.Dialer = &net.Dialer{
 			Timeout:   timeout,
 			LocalAddr: tcpLocalAddr,
 		}
 	}
 	s.servemux.HandleFunc(conf.Path, s.handlerFunc)
 	return s, nil
@@ -110,48 +98,12 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
 	var clientCAPool *x509.CertPool
 	if s.conf.TLSClientAuth {
 		if s.conf.TLSClientAuthCA != "" {
 			clientCA, err := os.ReadFile(s.conf.TLSClientAuthCA)
 			if err != nil {
 				log.Fatalf("Reading certificate for client authentication has failed: %v", err)
 			}
 			clientCAPool = x509.NewCertPool()
 			clientCAPool.AppendCertsFromPEM(clientCA)
 			log.Println("Certificate loaded for client TLS authentication")
 		} else {
 			log.Fatalln("TLS client authentication requires both tls_client_auth and tls_client_auth_ca, exiting.")
 		}
 	}
 	results := make(chan error, len(s.conf.Listen))
 	for _, addr := range s.conf.Listen {
 		go func(addr string) {
 			var err error
 			if s.conf.Cert != "" || s.conf.Key != "" {
-				if clientCAPool != nil {
+				err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
 					srvtls := &http.Server{
 						Handler: servemux,
 						Addr:    addr,
 						TLSConfig: &tls.Config{
 							ClientCAs:  clientCAPool,
 							ClientAuth: tls.RequireAndVerifyClientCert,
 							GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
 								c, err := tls.LoadX509KeyPair(s.conf.Cert, s.conf.Key)
 								if err != nil {
 									fmt.Printf("Error loading server certificate key pair: %v\n", err)
 									return nil, err
 								}
 								return &c, nil
 							},
 						},
 					}
 					err = srvtls.ListenAndServeTLS("", "")
 				} else {
 					err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
 				}
 			} else {
 				err = http.ListenAndServe(addr, servemux)
 			}
@@ -175,18 +127,6 @@ func (s *Server) Start() error {
 func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
 		if strings.ContainsRune(realIP, ':') {
 			r.RemoteAddr = "[" + realIP + "]:0"
 		} else {
 			r.RemoteAddr = realIP + ":0"
 		}
 		_, _, err := net.SplitHostPort(r.RemoteAddr)
 		if err != nil {
 			r.RemoteAddr = realIP
 		}
 	}
 	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
 	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
 	w.Header().Set("Access-Control-Allow-Origin", "*")
@@ -255,22 +195,23 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	} else if contentType == "application/dns-udpwireformat" {
 		req = s.parseRequestIETF(ctx, w, r)
 	} else {
-		jsondns.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
 		return
 	}
 	if req.errcode == 444 {
 		return
 	}
 	if req.errcode != 0 {
-		jsondns.FormatError(w, req.errtext, req.errcode)
+		jsonDNS.FormatError(w, req.errtext, req.errcode)
 		return
 	}
 	req = s.patchRootRD(req)
-	err := s.doDNSQuery(ctx, req)
+	var err error
 	req, err = s.doDNSQuery(ctx, req)
 	if err != nil {
-		jsondns.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
 	}
@@ -284,17 +225,12 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 }
 func (s *Server) findClientIP(r *http.Request) net.IP {
 	noEcs := r.URL.Query().Get("no_ecs")
 	if strings.EqualFold(noEcs, "true") {
 		return nil
 	}
 	XForwardedFor := r.Header.Get("X-Forwarded-For")
 	if XForwardedFor != "" {
 		for _, addr := range strings.Split(XForwardedFor, ",") {
 			addr = strings.TrimSpace(addr)
 			ip := net.ParseIP(addr)
-			if jsondns.IsGlobalIP(ip) {
+			if jsonDNS.IsGlobalIP(ip) {
 				return ip
 			}
 		}
@@ -303,23 +239,21 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	if XRealIP != "" {
 		addr := strings.TrimSpace(XRealIP)
 		ip := net.ParseIP(addr)
-		if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
+		if jsonDNS.IsGlobalIP(ip) {
 			return ip
 		}
 	}
 	remoteAddr, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		return nil
 	}
-	ip := remoteAddr.IP
+	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
 	if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 		return ip
 	}
 	return nil
 }
-// Workaround a bug causing Unbound to refuse returning anything about the root.
+// Workaround a bug causing Unbound to refuse returning anything about the root
 func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	for _, question := range req.request.Question {
 		if question.Name == "." {
@@ -329,54 +263,24 @@ func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	return req
 }
-// Return the position index for the question of qtype from a DNS msg, otherwise return -1.
+func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (resp *DNSRequest, err error) {
-func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
+	// TODO(m13253): Make ctx work. Waiting for a patch for ExchangeContext from miekg/dns.
 	for i, question := range msg.Question {
 		if question.Qtype == qtype {
 			return i
 		}
 	}
 	return -1
 }
 func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (err error) {
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
 		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
-
+		if !s.conf.TCPOnly {
-		upstream, t := addressAndType(req.currentUpstream)
+			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
-
+			if err == nil && req.response != nil && req.response.Truncated {
-		switch t {
+				log.Println(err)
-		default:
+				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 			log.Printf("invalid DNS type %q in upstream %q", t, upstream)
 			return &configError{"invalid DNS type"}
 		// Use DNS-over-TLS (DoT) if configured to do so
 		case "tcp-tls":
 			req.response, _, err = s.tcpClientTLS.ExchangeContext(ctx, req.request, upstream)
 		case "tcp", "udp":
 			// Use TCP if always configured to or if the Query type dictates it (AXFR)
 			if t == "tcp" || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
 				req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 			} else {
 				req.response, _, err = s.udpClient.ExchangeContext(ctx, req.request, upstream)
 				if err == nil && req.response != nil && req.response.Truncated {
 					log.Println(err)
 					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 				}
 				// Retry with TCP if this was an IXFR request, and we only received an SOA
 				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
 					(len(req.response.Answer) == 1) &&
 					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
 					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 				}
 			}
 		} else {
 			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 		}
 		if err == nil {
-			return nil
+			return req, nil
 		}
 		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return err
+	return req, err
 }
--- a/doh-server/version.go
+++ b/doh-server/version.go
@@ -24,6 +24,6 @@
 package main
 const (
-	VERSION    = "2.3.10"
+	VERSION    = "2.0.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,13 @@
-module github.com/m13253/dns-over-https/v2
+module github.com/m13253/dns-over-https
-go 1.24.0
+go 1.12
 require (
-	github.com/BurntSushi/toml v1.6.0
+	github.com/BurntSushi/toml v0.3.1
-	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/handlers v1.4.0
-	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc
+	github.com/miekg/dns v1.1.6
-	github.com/miekg/dns v1.1.70
+	golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a // indirect
-	golang.org/x/net v0.49.0
+	golang.org/x/net v0.0.0-20190311183353-d8887717615a
-)
+	golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 // indirect
-
+	golang.org/x/sys v0.0.0-20190312061237-fead79001313 // indirect
 require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,30 +1,25 @@
-github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
-github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/gorilla/handlers v1.4.0 h1:XulKRWSQK5uChr4pEgSE4Tc/OcmnU9GJuSwdog/tZsA=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/miekg/dns v1.1.4 h1:rCMZsU2ScVSYcAsOXgmC6+AKOK+6pmQTOcw03nfwYV0=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/miekg/dns v1.1.4/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/miekg/dns v1.1.6 h1:jVwb4GDwD65q/gtItR/lIZHjNH93QfeGxZUkzJcW9mc=
-github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/miekg/dns v1.1.6/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc h1:RhT2pjLo3EVRmldbEcBdeRA7CGPWsNEJC+Y/N1aXQbg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
-github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a h1:YX8ljsm6wXlHZO+aRz9Exqr0evNhKRNe5K/gi+zKh4U=
-github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95 h1:fY7Dsw114eJN4boqzVSbpVHO6rTdhq6/GnXeu+PKnzU=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e h1:K7CV15oJ823+HLXQ+M7MSMrUg8LjfqY7O3naO+8Pp/I=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/json-dns/error.go
+++ b/json-dns/error.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"encoding/json"
@@ -38,11 +38,11 @@ type dnsError struct {
 func FormatError(w http.ResponseWriter, comment string, errcode int) {
 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
-	errJSON := dnsError{
+	errJson := dnsError{
 		Status:  dns.RcodeServerFailure,
 		Comment: comment,
 	}
-	errStr, err := json.Marshal(errJSON)
+	errStr, err := json.Marshal(errJson)
 	if err != nil {
 		log.Fatalln(err)
 	}
--- a/json-dns/globalip.go
+++ b/json-dns/globalip.go
@@ -21,110 +21,109 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"net"
 	"github.com/infobloxopen/go-trees/iptree"
 )
-var defaultFilter *iptree.Tree
+// RFC6890
-
+var localIPv4Nets = []net.IPNet{
 func init() {
 	defaultFilter = iptree.NewTree()
 	// RFC6890
 	// This host on this network
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0, 0, 0, 0},
+		net.IP{0, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{10, 0, 0, 0},
+		net.IP{10, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Shared Address Space
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{100, 64, 0, 0},
+		net.IP{100, 64, 0, 0},
-		Mask: net.IPMask{255, 192, 0, 0},
+		net.IPMask{255, 192, 0, 0},
-	}, struct{}{})
+	},
 	// Loopback
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{127, 0, 0, 0},
+		net.IP{127, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Link Local
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{169, 254, 0, 0},
+		net.IP{169, 254, 0, 0},
-		Mask: net.IPMask{255, 255, 0, 0},
+		net.IPMask{255, 255, 0, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{172, 16, 0, 0},
+		net.IP{172, 16, 0, 0},
-		Mask: net.IPMask{255, 240, 0, 0},
+		net.IPMask{255, 240, 0, 0},
-	}, struct{}{})
+	},
 	// DS-Lite
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 0, 0, 0},
+		net.IP{192, 0, 0, 0},
-		Mask: net.IPMask{255, 255, 255, 248},
+		net.IPMask{255, 255, 255, 248},
-	}, struct{}{})
+	},
 	// 6to4 Relay Anycast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 88, 99, 0},
+		net.IP{192, 88, 99, 0},
-		Mask: net.IPMask{255, 255, 255, 0},
+		net.IPMask{255, 255, 255, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 168, 0, 0},
+		net.IP{192, 168, 0, 0},
-		Mask: net.IPMask{255, 255, 0, 0},
+		net.IPMask{255, 255, 0, 0},
-	}, struct{}{})
+	},
 	// Reserved for Future Use & Limited Broadcast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{240, 0, 0, 0},
+		net.IP{240, 0, 0, 0},
-		Mask: net.IPMask{240, 0, 0, 0},
+		net.IPMask{240, 0, 0, 0},
-	}, struct{}{})
+	},
 }
-	// RFC6890
+// RFC6890
 var localIPv6Nets = []net.IPNet{
 	// Unspecified & Loopback Address
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
-	}, struct{}{})
+	},
 	// Discard-Only Prefix
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 	// Unique-Local
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 	// Linked-Scoped Unicast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 }
 func IsGlobalIP(ip net.IP) bool {
 	if ip == nil {
 		return false
 	}
-	_, contained := defaultFilter.GetByIP(ip)
+	if ipv4 := ip.To4(); len(ipv4) == net.IPv4len {
-	return !contained
+		for _, ipnet := range localIPv4Nets {
 			if ipnet.Contains(ip) {
 				return false
 			}
 		}
 		return true
 	}
 	if len(ip) == net.IPv6len {
 		for _, ipnet := range localIPv6Nets {
 			if ipnet.Contains(ip) {
 				return false
 			}
 		}
 		return true
 	}
 	return true
 }
--- a/json-dns/globalip_test.go
+++ b/json-dns/globalip_test.go
@@ -1,34 +0,0 @@
 package jsondns
 import (
 	"fmt"
 	"net"
 )
 func ExampleIsGlobalIP() {
 	fmt.Println(IsGlobalIP(net.ParseIP("127.0.0.1")))
 	fmt.Println(IsGlobalIP(net.IP{192, 168, 1, 1}))
 	fmt.Println(IsGlobalIP(net.ParseIP("8.8.8.8")))
 	fmt.Println(IsGlobalIP(net.IP{8, 8, 4, 4}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::1")))
 	fmt.Println(IsGlobalIP(net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}))
 	fmt.Println(IsGlobalIP(net.ParseIP("2001:4860:4860::8888")))
 	fmt.Println(IsGlobalIP(net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x44}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:127.0.0.1")))
 	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 192, 168, 1, 1}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:808:808")))
 	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 8, 8, 4, 4}))
 	// Output:
 	// false
 	// false
 	// true
 	// true
 	// false
 	// false
 	// true
 	// true
 	// false
 	// false
 	// true
 	// true
 }
--- a/json-dns/marshal.go
+++ b/json-dns/marshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"net"
--- a/json-dns/response.go
+++ b/json-dns/response.go
@@ -21,32 +21,12 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"encoding/json"
 	"time"
 )
 type QuestionList []Question
 func (ql *QuestionList) UnmarshalJSON(b []byte) error {
 	// Fix variant question response in Response.Question
 	//
 	// Solution taken from:
 	//	https://engineering.bitnami.com/articles/dealing-with-json-with-non-homogeneous-types-in-go.html
 	//	https://archive.is/NU4zR
 	if len(b) > 0 && b[0] == '[' {
 		return json.Unmarshal(b, (*[]Question)(ql))
 	}
 	var q Question
 	if err := json.Unmarshal(b, &q); err != nil {
 		return err
 	}
 	*ql = []Question{q}
 	return nil
 }
 type Response struct {
 	// Standard DNS response code (32 bit integer)
 	Status uint32 `json:"Status"`
@@ -60,13 +40,13 @@ type Response struct {
 	// FIXME: We don't have DNSSEC yet! This bit is not reliable!
 	AD bool `json:"AD"`
 	// Whether the client asked to disable DNSSEC
-	CD               bool         `json:"CD"`
+	CD               bool       `json:"CD"`
-	Question         QuestionList `json:"Question"`
+	Question         []Question `json:"Question"`
-	Answer           []RR         `json:"Answer,omitempty"`
+	Answer           []RR       `json:"Answer,omitempty"`
-	Authority        []RR         `json:"Authority,omitempty"`
+	Authority        []RR       `json:"Authority,omitempty"`
-	Additional       []RR         `json:"Additional,omitempty"`
+	Additional       []RR       `json:"Additional,omitempty"`
-	Comment          string       `json:"Comment,omitempty"`
+	Comment          string     `json:"Comment,omitempty"`
-	EdnsClientSubnet string       `json:"edns_client_subnet,omitempty"`
+	EdnsClientSubnet string     `json:"edns_client_subnet,omitempty"`
 	// Least time-to-live
 	HaveTTL         bool      `json:"-"`
 	LeastTTL        uint32    `json:"-"`
--- a/json-dns/unmarshal.go
+++ b/json-dns/unmarshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"fmt"
@@ -38,7 +38,7 @@ func PrepareReply(req *dns.Msg) *dns.Msg {
 	reply := new(dns.Msg)
 	reply.Id = req.Id
 	reply.Response = true
-	reply.Opcode = req.Opcode
+	reply.Opcode = reply.Opcode
 	reply.RecursionDesired = req.RecursionDesired
 	reply.RecursionAvailable = req.RecursionDesired
 	reply.CheckingDisabled = req.CheckingDisabled
--- a/systemd/doh-client.service
+++ b/systemd/doh-client.service
@@ -4,18 +4,15 @@ Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 Before=nss-lookup.target
 Wants=nss-lookup.target
 StartLimitIntervalSec=0
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=1s
+RestartSec=3
 RestartMaxDelaySec=76s
 RestartSteps=9
 Type=simple
-DynamicUser=yes
+User=nobody
 [Install]
 WantedBy=multi-user.target
--- a/systemd/doh-server.service
+++ b/systemd/doh-server.service
@@ -2,18 +2,15 @@
 Description=DNS-over-HTTPS Server
 Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 StartLimitIntervalSec=0
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=1s
+RestartSec=3
 RestartMaxDelaySec=76s
 RestartSteps=9
 Type=simple
-DynamicUser=yes
+User=nobody
 [Install]
 WantedBy=multi-user.target
Author	SHA1	Message	Date
James Swineson	9985c4b279	fix relative path	2019-03-26 15:57:01 +08:00
James Swineson	97a27e60e1	update comments	2019-03-26 15:46:57 +08:00
James Swineson	ca14db8929	move package.sh to contrib	2019-03-26 12:30:57 +08:00
James Swineson	a95e3e5f39	add networkmanager dispatcher script	2019-03-26 12:28:14 +08:00
James Swineson	5010a16458	initial dirty auto packaging	2019-03-26 12:16:07 +08:00
		`@@ -1,2 +0,0 @@`
			`/usr/bin/doh-client -- gen_context(system_u:object_r:doh_client_exec_t,s0)`
			`/usr/lib/systemd/system/doh-client.service -- gen_context(system_u:object_r:doh_client_unit_file_t,s0)`
		`@@ -1,2 +0,0 @@`
			`/usr/bin/doh-server -- gen_context(system_u:object_r:doh_server_exec_t,s0)`
			`/usr/lib/systemd/system/doh-server.service -- gen_context(system_u:object_r:doh_server_unit_file_t,s0)`