chore: upgrade package dependencies

Merge pull request #159 from testwill/fmt
chore: unnecessary use of fmt.Sprintf
2026-03-31 18:25:38 +00:00 · 2024-07-05 18:10:37 +02:00 · 2024-06-06 15:32:25 +02:00 · 2024-05-10 17:18:49 +08:00 · 2024-05-06 16:18:48 +02:00 · 2024-04-11 11:56:15 +02:00
55 changed files with 3769 additions and 583 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,36 @@
+name: "Docker"
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    environment: "Docker Hub"
+    strategy:
+      matrix:
+        variant: ["client", "server"]
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          logout: true
+      - # TODO: port https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
+        name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          file: ./Dockerfile.${{ matrix.variant }}
+          tags: m13253/dns-over-https-${{ matrix.variant }}:latest
+          push: true
+          platforms: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8"
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -0,0 +1,37 @@
+name: Go build for Linux
+on: [push, pull_request]
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.21
+      id: go
+
+    - name: Check out repository
+      uses: actions/checkout@v2
+
+    - name: Linux build
+      run: |
+        make
+
+    - name: Upload Linux build
+      uses: actions/upload-artifact@v2
+      with:
+        name: linux-amd64
+        path: |
+          doh-client/doh-client
+          doh-server/doh-server
+
+    - name: Cache
+      uses: actions/cache@v2
+      with:
+        # A directory to store and save the cache
+        path: ~/go/pkg/mod
+        # An explicit key for restoring and saving the cache
+        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,9 @@
 *.dll
 *.so
 *.dylib
+darwin-wrapper/doh-logger
+doh-client/doh-client
+doh-server/doh-server

 # Test binary, build with `go test -c`
 *.test
@@ -12,3 +15,6 @@

 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
+
+.idea/
+vendor/
--- a/Changelog.md
+++ b/Changelog.md
@@ -0,0 +1,224 @@
+# Changelog
+
+This Changelog records major changes between versions.
+
+Not all changes are recorded. Please check git log for details.
+
+## Version 2.3.3
+
+- systemd: Use DynamicUser=yes instead of User=nobody (Fixed #139)
+- Migrate deprecated Go packages `ioutil` to `io` and `os`
+- Fix a bug that truncates the response improperly, causing malformed DNS responsed (Fixed #144)
+
+## Version 2.3.2
+
+- Documentation updates, including deploying recommenation alongside DoT, thanks @gdm85
+- Add unit tests for CIDR subnets parsing, thanks @gdm85
+- Removing Firefox 61-62 patch
+
+Since this version, @gdm85, @GreyXor, @Jamesits will be able to maintain this repository alongside @m13253. Anyone who contributed to this project can also apply to be a maintainer.
+This is because changes in life have delayed the development of this project. By constructing a community hopefully can we restore the pace of development.
+
+## Version 2.3.1
+
+- No new features in this release
+- Bumped versions of Go toolchain and third-party dependencies, requested by #128
+
+## Version 2.3.0
+
+- The repository now conforms to the Go semvar standard (Fixed #115, thanks to @leiless)
+
+## Version 2.2.5
+
+- Add client certificate authentication
+- Fixing documentation related to Docker
+
+## Version 2.2.4
+
+- Add options to configure ECS netmask length
+- Add an option to disable TLS verification (Note: dangerous)
+
+## Version 2.2.3
+
+- Use the library ipTree to determine whether an IP is global routable, improving the performance
+- Google's 8.8.8.8 resolver is now marked as "Good ECS" in the example configuration file
+
+## Version 2.2.2
+
+- Allow client to opt-out EDNS0 Client Support
+- [JSON-DoH] Honor DNSSEC OK flag for incoming DNS requests
+- [JSON-DoH] Add support for non-standard response formats
+- `X-Real-IP` is now used in logging if set by frontend load balancer
+- Fix documentation
+
+## Version 2.2.1
+
+- Fix messy log
+
+## Version 2.2.0
+
+- Breaking change: The configuration format of doh-server is changed
+- Add support for type prefix for upstream addresses of doh-server
+- Add support for DNS-over-TLS upstream addresses of doh-server
+- Remove `tcp_only` configuration option in doh-server
+- Add `no_user_agent` configuration option in doh-server
+- Add an RPM package script with SELinux policy
+- Fix Opcode never assigned in `jsonDNS.PrepareReply`
+- Improve error logging / checking
+- Updated Readme
+
+## Version 2.1.2
+
+- Update address for google's resolver
+- Fix a typo
+
+## Version 2.1.1
+
+- Add a set of Dockerfile contributed by the community
+- Include DNS.SB's resolver in example configuration
+
+## Version 2.1.0
+
+- Add `local_addr` configuration for doh-server (#39)
+- Fix a problem when compiling on macOS 10.14.4 or newer
+- Add Quad9 DoH server to the example `doh-client.conf`
+- Use TCP when appropriate for the given query type/response (AXFR/IXFR)
+
+## Version 2.0.1
+
+- Fix a crash with the random load balancing algorithm.
+
+## Version 2.0.0
+
+**This is a breaking change!** Please update the configuration file after upgrading.
+
+- Implemented two upstream server selector algorithms: `weighted_round_robin` and `lvs_weighted_round_robin`.
+- Add a configuration option for doh-server: `log_guessed_client_ip`.
+
+## Version 1.4.2
+
+- Add PID file feature for systems which lacks a cgroup-based process tracker.
+- Remove dns.ErrTruncated according to <https://github.com/miekg/dns/pull/815>.
+
+## Version 1.4.1
+
+- Add a configuration option: `debug_http_headers` (e.g. Add `CF-Ray` to diagnose Cloudflare's resolver)
+- Add a configuration option: `passrthrough`
+- macOS logger is rebuilt with static libswiftCore
+- Fix HTTP stream leaking problem, which may cause massive half-open connections if HTTP/1 is in use
+- Utilize Go's cancelable context to detect timeouts more reliably.
+- Fix interoperation problems with gDNS
+- CORS is enabled by default in doh-server
+- Documentation updates
+
+## Version 1.3.10
+
+- Enable application/dns-message (draft-13) by default, since Google has finally supported it
+
+## Version 1.3.9
+
+- Fix client crash with `no_cookies = true`
+- Add 5380 as an additional default doh-client port
+- If `$GOROOT` is defined, Makefile now respects the value for the convenience of Debian/Ubuntu users
+- Change the ECS prefix length from /48 to /56 for IPv6, per RFC 7871
+
+## Version 1.3.8
+
+- Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+- TransactionID is now preserved to maintain compatibility with some clients
+- Turn on `no_cookies` by default according to the IETF draft
+- Update Documentation
+
+## Version 1.3.7
+
+- Add CloudFlare DNS resolver for Tor to the preset
+- It is now able to print upstream information if error happens
+- Updated default configuration files are now installed to `*.conf.example`
+- Workaround a bug causing Unbound to refuse returning anything about the root
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+
+## Version 1.3.6
+
+- We have a logger for macOS platform now, so logs can be sent to Console.app
+- Add an option to disable IPv6, this option is available to client only
+
+## Version 1.3.5
+
+- Limit the frequency of creating HTTP client on bad network condition
+
+## Version 1.3.4
+
+- doh-client now silently fails in case of network error to prevent caching of SERVFAIL
+- EDNS0 is now inserted to the beginning of OPT section, to ensure DNSSEC signatures are at the end
+- Improve building system
+- Update documents
+
+## Version 1.3.3
+
+- Take User-Agent out of common library, that would be better for packaging
+
+## Version 1.3.2
+
+- Fix version string in HTTP User-Agent
+
+## Version 1.3.1
+
+- Fix the "address already in use" issue
+
+## Version 1.3.0
+
+- Breaking change: Add client / server support for multiple listen address
+  The `listen` option in the configuration file is a list now
+
+## Version 1.2.1
+
+- Update protocol to IETF draft-07
+- Update installation documentations for Ubuntu / Debian
+
+## Version 1.2.0
+
+- Add installation documentations for Ubuntu / Debian
+- Include CloudFlare DOH server (1.1.1.1, 1.0.0.1) in default configuration
+- Fix a problem causing `go get` to fail due to relative paths
+- Add documentation about `/etc/hosts` preloading
+
+## Version 1.1.4
+
+- Add `no_cookies` option
+- Add documentation on privacy issues
+- Adapt for CloudFlare DNS service
+- Fix a problem causing a single network failure blocking future requests
+- Add experimental macOS support
+
+## Version 1.1.3
+
+- Unsupported Content-Type now generates HTTP error code 415
+
+## Version 1.1.2
+
+- Adapt to IETF protocol
+- Optimize for HTTP caches
+
+## Version 1.1.1
+
+- Adapt to IETF protocol
+- Optimize for HTTP caches
+- Add documentation for uninstallation instructions
+- Fix build issues
+
+## Version 1.1.0
+
+- Adpat to IETF protocol
+- Fix issues regarding to HTTP caching
+- Require Go 1.9 to build now
+- Fix systemd issue
+
+## Version 1.0.1
+
+- Fix build issues
+
+## Version 1.0.0
+
+- First release
+- Relicense as MIT license
--- a/Dockerfile.client
+++ b/Dockerfile.client
@@ -0,0 +1,23 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-client/doh-client
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-client/doh-client /doh-client
+
+ADD doh-client/doh-client.conf /doh-client.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:53",.*"127.0.0.1:5380",/":53",/;P;D' /doh-client.conf
+RUN sed -i '$!N;s/"\[::1\]:53",.*"\[::1\]:5380",/":5380",/;P;D' /doh-client.conf
+
+EXPOSE 53/udp
+EXPOSE 53/tcp
+EXPOSE 5380
+
+ENTRYPOINT ["/doh-client"]
+CMD ["-conf", "/doh-client.conf"]
--- a/Dockerfile.server
+++ b/Dockerfile.server
@@ -0,0 +1,20 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-server/doh-server
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-server/doh-server /doh-server
+
+ADD doh-server/doh-server.conf /doh-server.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:8053",\s*"\[::1\]:8053",/":8053",/;P;D' /doh-server.conf
+
+EXPOSE 8053
+
+ENTRYPOINT ["/doh-server"]
+CMD ["-conf", "/doh-server.conf"]
--- a/66
+++ b/66
@@ -1,32 +1,60 @@
-.PHONY: all clean install uninstall deps
+.PHONY: all clean install uninstall

-GOBUILD=go build
-GOGET=go get -d -v
-PREFIX=/usr/local
+PREFIX = /usr/local
+
+ifeq ($(GOROOT),)
+GOBUILD = go build -ldflags "-s -w"
+else
+GOBUILD = $(GOROOT)/bin/go build -ldflags "-s -w"
+endif
+
+ifeq ($(shell uname),Darwin)
+CONFDIR = /usr/local/etc/dns-over-https
+else
+CONFDIR = /etc/dns-over-https
+endif

 all: doh-client/doh-client doh-server/doh-server
+	if [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper; \
+	fi

 clean:
 	rm -f doh-client/doh-client doh-server/doh-server
+	if [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper clean; \
+	fi

-install: doh-client/doh-client doh-server/doh-server
-	install -Dm0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
-	install -Dm0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-client.conf" ] || install -Dm0644 doh-client/doh-client.conf "$(DESTDIR)/etc/dns-over-https/doh-client.conf"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-server.conf" ] || install -Dm0644 doh-server/doh-server.conf "$(DESTDIR)/etc/dns-over-https/doh-server.conf"
-	$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+install:
+	[ -e doh-client/doh-client ] || $(MAKE) doh-client/doh-client
+	[ -e doh-server/doh-server ] || $(MAKE) doh-server/doh-server
+	mkdir -p "$(DESTDIR)$(PREFIX)/bin/"
+	install -m0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
+	install -m0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
+	mkdir -p "$(DESTDIR)$(CONFDIR)/"
+	install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf.example"
+	install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-client.conf" ] || install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-server.conf" ] || install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"; \
+		$(MAKE) -C launchd install "DESTDIR=$(DESTDIR)"; \
+	fi

 uninstall:
-	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server" "$(DESTDIR)$(CONFDIR)/doh-client.conf.example" "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
+	fi

-deps:
-	$(GOGET) ./doh-client ./doh-server
-
-doh-client/doh-client: deps doh-client/client.go doh-client/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-client/doh-client: doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-client && $(GOBUILD)

-doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-server/doh-server: doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-server && $(GOBUILD)
--- a/Readme.md
+++ b/Readme.md
@@ -2,53 +2,79 @@ DNS-over-HTTPS
 ==============

 Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
-and [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
+and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).

-## Easy start
+## Guides

-Install [Go](https://golang.org), at least version 1.9.
+- [Tutorial: Setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
+- [Tutorial: Setup your own Docker based DNS-over-HTTPS (DoH) server](https://github.com/satishweb/docker-doh/blob/master/README.md). (Thanks to Satish Gaikwad)

-First create an empty directory, used for `$GOPATH`:
+## Installing
+### From Source
+- Install [Go](https://golang.org), at least version 1.20. The newer, the better.
+> Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.

-    mkdir ~/gopath
-    export GOPATH=~/gopath
-
-To build the program, type:
-
-    make
-
-To install DNS-over-HTTPS as Systemd services, type:
-
-    sudo make install
-
-By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
+- First create an empty directory, used for `$GOPATH`:
+```bash
+mkdir ~/gopath
+export GOPATH=~/gopath
+```
+- To build the program, type:
+```bash
+make
+```
+- To install DNS-over-HTTPS as Systemd services, type:
+```bash
+sudo make install
+```
+- By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
 work for most users (except for People's Republic of China). If you need to
 modify the default settings, type:
+```bash
+sudoedit /etc/dns-over-https/doh-client.conf
+```
+- To automatically start DNS-over-HTTPS client as a system service, type:
+```bash
+sudo systemctl start doh-client.service
+sudo systemctl enable doh-client.service
+```
+- Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.

-    sudoedit /etc/dns-over-https/doh-client.conf
+- To test your configuration, type:
+```bash
+dig www.google.com
+Output:
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+```
+#### Uninstall

-To automatically start DNS-over-HTTPS client as a system service, type:
+- To uninstall, type:
+```bash
+sudo make uninstall
+```
+> Note: The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.

-    sudo systemctl start doh-client.service
-    sudo systemctl enable doh-client.service
+### Using docker image
+```bash
+docker run -d --name doh-server \
+  -p 8053:8053 \
+  -e UPSTREAM_DNS_SERVER="udp:8.8.8.8:53" \
+  -e DOH_HTTP_PREFIX="/dns-query" \
+  -e DOH_SERVER_LISTEN=":8053" \
+  -e DOH_SERVER_TIMEOUT="10" \
+  -e DOH_SERVER_TRIES="3" \
+  -e DOH_SERVER_VERBOSE="false" \
+  satishweb/doh-server
+```

-Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
+Feeling adventurous? Try the latest build:

-To test your configuration, type:
+- `m13253/dns-over-https-server:latest`
+- `m13253/dns-over-https-client:latest`

-    dig www.google.com
+## Logging

-If it is OK, you will wee:
-
-    ;; SERVER: 127.0.0.1#53(127.0.0.1)
-
-### Uninstalling
-
-To uninstall, type:
-
-    sudo make uninstall
-
-The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
+All log lines (by either doh-client or doh-server) are written into `stderr`; you can view them using your OS tool of choice (`journalctl` when using systemd).

 ## Server Configuration

@@ -67,31 +93,233 @@ The following is a typical DNS-over-HTTPS architecture:
    |  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
    +--------------+  +--------------------------+  +------------------------+

-Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
+Although DNS-over-HTTPS can work alone, an HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.

+HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
+otherwise DNS recursion may happen.
+
+### Configuration file
+
+The main configuration file is `doh-client.conf`.
+
+**Server selectors.** If several upstream servers are set, one is selected according to `upstream_selector` for each request. With `upstream_selector = "random"`, a random upstream server will be chosen for each request.
+
+```toml
+# available selector: random (default) or weighted_round_robin or lvs_weighted_round_robin
+upstream_selector = "random"
+```
+
+### Example configuration: Apache
+```bash
+SSLProtocol TLSv1.2
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
+SSLUseStapling on
+SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)
+
+<VirtualHost *:443>
+    ServerName MY_SERVER_NAME
+    Protocols h2 http/1.1
+    ProxyPass /dns-query http://[::1]:8053/dns-query
+    ProxyPassReverse /dns-query http://[::1]:8053/dns-query
+</VirtualHost>
+```
+(Credit: [Joan Moreau](https://github.com/m13253/dns-over-https/issues/51#issuecomment-526820884))
+
+### Example configuration: Nginx
+```bash
+server {
+  listen       443 ssl http2 default_server;
+  listen       [::]:443 ssl http2 default_server;
+  server_name  MY_SERVER_NAME;
+
+  server_tokens off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.20.0
+  ssl_prefer_server_ciphers on;
+  ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
+  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
+  ssl_session_timeout  10m;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off;                # Requires nginx >= 1.5.9
+  ssl_stapling on;                        # Requires nginx >= 1.3.7
+  ssl_stapling_verify on;                 # Requires nginx => 1.3.7
+  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
+  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
+  resolver_timeout 5s;
+  # HTTP Security Headers
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "max-age=63072000";
+  ssl_certificate /path/to/your/server/certificates/fullchain.pem;
+  ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
+  location /dns-query {
+    proxy_pass       http://localhost:8053/dns-query;
+    proxy_set_header Host      $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}
+```
+(Credit: [Cipherli.st](https://cipherli.st/))
+
+### Example configuration: Caddy (v2)
+```bash
+my.server.name {
+        reverse_proxy * localhost:8053
+        tls your@email.address
+        try_files {path} {path}/index.php /index.php?{query}
+}
+```
+### Example configuration: Docker Compose + Traefik + Unbound (Raspberry Pi/Linux/Mac) [linux/amd64,linux/arm64,linux/arm/v7]
+
+```yaml
+version: '2.2'
+networks:
+  default:
+
+services:
+  proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
+    hostname: proxy
+    networks:
+      - default
+    environment:
+      TRAEFIK_ACCESSLOG: "true"
+      TRAEFIK_API: "true"
+      TRAEFIK_PROVIDERS_DOCKER: "true"
+      TRAEFIK_API_INSECURE: "true"
+      TRAEFIK_PROVIDERS_DOCKER_NETWORK: "${STACK}_default"
+      # DNS provider specific environment variables for DNS Challenge using route53 (AWS)
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+      AWS_REGION: ${AWS_REGION}
+      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The HTTPS port
+      - "443:443"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
+    command:
+      #- "--log.level=DEBUG"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+      # Providers list:
+      #  https://docs.traefik.io/https/acme/#providers
+      #  https://go-acme.github.io/lego/dns/
+      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53"
+      # Enable below line to use staging letsencrypt server.
+      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data/proxy/certs:/certs
+  doh-server:
+    image: satishweb/doh-server:latest
+    hostname: doh-server
+    networks:
+      - default
+    environment:
+      # Enable below line to see more logs
+      # DEBUG: "1"
+      UPSTREAM_DNS_SERVER: "udp:unbound:53"
+      DOH_HTTP_PREFIX: "${DOH_HTTP_PREFIX}"
+      DOH_SERVER_LISTEN: ":${DOH_SERVER_LISTEN}"
+      DOH_SERVER_TIMEOUT: "10"
+      DOH_SERVER_TRIES: "3"
+      DOH_SERVER_VERBOSE: "false"
+    #volumes:
+      # - ./doh-server.conf:/server/doh-server.conf
+      # - ./app-config:/app-config
+    depends_on:
+      - unbound
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.doh-server.rule=Host(`${SUBDOMAIN}.${DOMAIN}`) && Path(`${DOH_HTTP_PREFIX}`)"
+      - "traefik.http.services.doh-server.loadbalancer.server.port=${DOH_SERVER_LISTEN}"
+      - "traefik.http.middlewares.mw-doh-compression.compress=true"
+      - "traefik.http.routers.doh-server.tls=true"
+      - "traefik.http.middlewares.mw-doh-tls.headers.sslredirect=true"
+      - "traefik.http.middlewares.mw-doh-tls.headers.sslforcehost=true"
+      - "traefik.http.routers.doh-server.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.doh-server.tls.domains[0].main=${DOMAIN}"
+      - "traefik.http.routers.doh-server.tls.domains[0].sans=${SUBDOMAIN}.${DOMAIN}"
+      # Protection from requests flood
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.average=100"
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.burst=50"
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.period=10s"
+  unbound:
+    image: satishweb/unbound:latest
+    hostname: unbound
+    networks:
+      - default
+    ports:
+      # Disable these ports if DOH server is the only client
+      - 53:53/tcp
+      - 53:53/udp
+    volumes:
+      - ./unbound.sample.conf:/templates/unbound.sample.conf
+      - ./data/unbound/custom:/etc/unbound/custom
+      # Keep your custom.hosts file inside custom folder
+    #environment:
+    #  DEBUG: "1"
+````
+
+> Complete Guide available at: https://github.com/satishweb/docker-doh
+
+> IPV6 Support for Docker Compose based configuration TBA
+
+### Example configuration: DNS-over-TLS
+
+There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support, but you can easily add it via nginx:
+```
+stream {
+    server {
+        listen                  *:853 ssl;
+        proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
+    }
+
+    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem;
+}
+```
+
+The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
+this approach does not need a stand-alone daemon to provide the DoT service.
+
 ## DNSSEC

 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
-default. However signature validation is not built-in. It is highly recommended
+default. However, signature validation is not built-in. It is highly recommended
 that you install `unbound` or `bind` and pass results for them to validate DNS
-records.
+records. An instance of [Pi Hole](https://pi-hole.net) could also be used to validate DNS signatures as well as provide other capabilities.

 ## EDNS0-Client-Subnet (GeoDNS)

 DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the
-client's IP address (/24 for IPv4, /48 for IPv6 by default) to the upstream
+client's IP address (/24 for IPv4, /56 for IPv6 by default) to the upstream
 server. This is useful for GeoDNS and CDNs to work, and is exactly the same
 configuration as most public DNS servers.

 Keep in mind that /24 is not enough to track a single user, although it is
-precise enough to know the city where the user is from. If you think
+precise enough to know the city where the user is located. If you think
 EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs = true` in
 `/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming
 or software downloading speed.

-If your server is backed by `unbound` or `bind`, you probably want to enable
-the EDNS0-Client-Subnet feature in their configuration files as well.
+To ultilize ECS, `X-Forwarded-For` or `X-Real-IP` should be enabled on your
+HTTP service muxer. If your server is backed by `unbound` or `bind`, you
+probably want to configure it to enable the EDNS0-Client-Subnet feature as
+well.

 ## Protocol compatibility

@@ -102,11 +330,9 @@ except for absolute expire time is preferred to relative TTL value. Refer to
 [json-dns/response.go](json-dns/response.go) for a complete description of the
 API.

-### IETF DNS-over-HTTPS Protocol (Draft)
+### IETF DNS-over-HTTPS Protocol

-DNS-over-HTTPS uses a protocol compatible to [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
-This protocol is in draft stage. Any incompatibility may be introduced before
-it is finished.
+DNS-over-HTTPS uses a protocol compatible to [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).

 ### Supported features

@@ -114,7 +340,17 @@ Currently supported features are:

 - [X] IPv4 / IPv6
 - [X] EDNS0 large UDP packet (4 KiB by default)
- [X] EDNS0-Client-Subnet (/24 for IPv4, /48 for IPv6 by default)
+- [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
+
+## Known issues
+
+* it does not work well with [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), you might want to use either (or fix the compatibility bugs by submitting PRs)
+
+## The name of the project
+
+This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.
+
+To avoid confusion, you may also call this project "m13253/DNS-over-HTTPS" or anything you like.

 ## License

--- a/contrib/linux-install.md
+++ b/contrib/linux-install.md
@@ -0,0 +1,51 @@
+# Ubuntu Install
+> Tested on a clean install of `Ubuntu 16.04 LTS`
+
+## Intalling go
+Install `Go >= 1.9`
+
+```bash
+sudo apt update
+sudo apt install golang-1.10 -y
+```
+
+Add the newly install `go` to the path
+
+```bash
+export PATH=$PATH:/usr/lib/go-1.10/bin
+```
+
+Test to make sure that you can execute `go`
+
+```bash
+go version
+```
+which should output something like
+
+```bash
+go version go1.10.1 linux/amd64
+```
+
+## Installing dns-over-https
+
+Clone this repo
+
+
+```bash
+git clone https://github.com/m13253/dns-over-https.git
+```
+
+Change directory to the cloned repo
+
+```bash
+cd dns-over-https
+```
+
+make and install
+
+```bash
+make
+sudo make install
+```	
+
+
--- a/contrib/linux-install.sh
+++ b/contrib/linux-install.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# See the linux-install.md (README) first. 
+set -e 
+
+sudo apt update
+sudo apt install golang-1.10 git -y
+export PATH=$PATH:/usr/lib/go-1.10/bin
+cd /tmp
+git clone https://github.com/m13253/dns-over-https.git
+cd dns-over-https
+make 
+sudo make install
--- a/contrib/rpm/dns-over-https-2.1.2-systemd.patch
+++ b/contrib/rpm/dns-over-https-2.1.2-systemd.patch
@@ -0,0 +1,36 @@
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
+--- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
+++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
+@@ -7,12 +7,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
+User=doh-client
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
+--- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
+++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
+@@ -5,12 +5,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
+User=doh-server
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/contrib/rpm/doh.spec
+++ b/contrib/rpm/doh.spec
@@ -0,0 +1,240 @@
+# vim: tabstop=4 shiftwidth=4 expandtab
+%global _hardened_build 1
+# Debug package is empty anyway
+%define debug_package %{nil}
+
+%global _release        1
+%global provider        github
+%global provider_tld    com
+%global project         m13253
+%global repo            dns-over-https
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+#define commit          984df34ca7b45897ecb5871791e398cc160a4b93
+
+%if 0%{?commit:1}
+%define shortcommit     %(c=%{commit}; echo ${c:0:7})
+%define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
+%endif
+
+%define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
+%endif
+
+%if ! 0%{?gotest:1}
+%define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
+%endif
+
+Name:           %{repo}
+Version:        2.1.2
+%if 0%{?commit:1}
+Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
+Source0:        https://%{import_path}/archive/%{commit}.tar.gz
+%else
+Release:        %{_release}%{?dist}
+Source0:        https://%{import_path}/archive/v%{version}.tar.gz
+%endif
+Patch0:         %{name}-%{version}-systemd.patch
+
+Summary:        High performance DNS over HTTPS client & server
+License:        MIT
+URL:            https://github.com/m13253/dns-over-https
+
+
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+#BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
+BuildRequires:  golang >= 1.10
+BuildRequires:  systemd
+BuildRequires:  upx
+
+%description
+%{summary}
+
+%package common
+BuildArch: noarch
+Summary: %{summary} - common files
+
+%description common
+%{summary}
+
+%package server
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Server
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description server
+%{summary}
+
+%package client
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Client
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description client
+%{summary}
+
+%package selinux
+BuildArch:      noarch
+
+Source3:        doh_server.fc
+Source4:        doh_server.if
+Source5:        doh_server.te
+Source6:        doh_client.fc
+Source7:        doh_client.if
+Source8:        doh_client.te
+
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+Requires:       %{name}
+
+Requires(post):     policycoreutils
+Requires(post):     policycoreutils-python 
+Requires(postun):   policycoreutils
+
+Summary: SELinux policy for %{name}
+
+%description selinux
+%summary
+ 
+%prep
+%if 0%{?commit:1}
+%autosetup -n %{name}-%{commit} -p1
+%else
+%autosetup -n %{name}-%{version} -p1
+%endif
+
+mkdir -p selinux
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
+
+%build
+cd selinux
+make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
+cd -
+
+%set_build_flags
+%make_build \
+    PREFIX=%{_prefix} \
+    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
+
+%install
+%make_install \
+    PREFIX=%{_prefix}
+install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
+install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
+install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
+install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+mkdir -p %{buildroot}%{_docdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
+
+mkdir -p %{buildroot}%{_libdir}
+mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
+
+for i in $(find %{_buildroot}%{_bindir} -type f)
+do
+    upx $i
+done
+
+%files common
+%license LICENSE
+%doc Changelog.md Readme.md
+
+%files server
+%{_libdir}/NetworkManager/dispatcher.d/doh-server
+%{_docdir}/%{name}/doh-server.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
+%{_bindir}/doh-server
+%{_unitdir}/doh-server.service
+
+%files client
+%{_libdir}/NetworkManager/dispatcher.d/doh-client
+%{_docdir}/%{name}/doh-client.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
+%{_bindir}/doh-client
+%{_unitdir}/doh-client.service
+
+%pre server
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-server > /dev/null || groupadd -r doh-server
+getent passwd doh-server > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
+    -s /sbin/nologin -c "%{name} - server" doh-server
+exit 0
+
+%pre client
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-client > /dev/null || groupadd -r doh-client
+getent passwd doh-client > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
+    -s /sbin/nologin -c "%{name} - client" doh-client
+exit 0
+
+%post server
+%systemd_post doh-server.service
+
+%preun server
+%systemd_preun doh-server.service
+
+%postun server
+%systemd_postun_with_restart doh-server.service
+
+%post client
+%systemd_post doh-client.service
+
+%preun client
+%systemd_preun doh-client.service
+
+%postun client
+%systemd_postun_with_restart doh-client.service
+
+%files selinux
+%{_datadir}/selinux/packages/doh_server.pp
+%{_datadir}/selinux/devel/include/contrib/doh_server.if
+%{_datadir}/selinux/packages/doh_client.pp
+%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
+semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    /usr/sbin/fixfiles -R %{name}-server restore
+    /usr/sbin/fixfiles -R %{name}-client restore
+fi;
+semanage -i - << __eof
+port -a -t doh_server_port_t -p tcp "8053"
+port -a -t doh_client_port_t -p udp "5380"
+__eof
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semanage -i - << __eof
+port -d -t doh_server_port_t -p tcp "8053"
+port -d -t doh_client_port_t -p udp "5380"
+__eof
+
+    semodule -n -r doh_server
+    semodule -n -r doh_client
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       /usr/sbin/fixfiles -R %{name}-server restore
+       /usr/sbin/fixfiles -R %{name}-client restore
+    fi;
+fi;
+exit 0
+
+%changelog
+* Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
+- initial package
+
--- a/contrib/rpm/doh_client.fc
+++ b/contrib/rpm/doh_client.fc
@@ -0,0 +1,2 @@
+/usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
+/usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)
--- a/contrib/rpm/doh_client.if
+++ b/contrib/rpm/doh_client.if
@@ -0,0 +1,103 @@
+
+## <summary>policy for doh_client</summary>
+
+########################################
+## <summary>
+##	Execute doh_client_exec_t in the doh_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_client_domtrans',`
+	gen_require(`
+		type doh_client_t, doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_client_exec',`
+	gen_require(`
+		type doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_client_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_client server in the doh_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_client_systemctl',`
+	gen_require(`
+		type doh_client_t;
+		type doh_client_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_client_unit_file_t:file read_file_perms;
+	allow $1 doh_client_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_client_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_client environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_client_admin',`
+	gen_require(`
+		type doh_client_t;
+	type doh_client_unit_file_t;
+	')
+
+	allow $1 doh_client_t:process { signal_perms };
+	ps_process_pattern($1, doh_client_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_client_t:process ptrace;
+    ')
+
+	doh_client_systemctl($1)
+	admin_pattern($1, doh_client_unit_file_t)
+	allow $1 doh_client_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/contrib/rpm/doh_client.te
+++ b/contrib/rpm/doh_client.te
@@ -0,0 +1,49 @@
+policy_module(doh_client, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type doh_client_t;
+type doh_client_exec_t;
+init_daemon_domain(doh_client_t, doh_client_exec_t)
+
+type doh_client_port_t;
+
+corenet_port(doh_client_port_t)
+
+type doh_client_unit_file_t;
+systemd_unit_file(doh_client_unit_file_t)
+
+########################################
+#
+# doh_client local policy
+#
+allow doh_client_t self:fifo_file rw_fifo_file_perms;
+allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
+
+allow doh_client_t self:capability net_bind_service;
+allow doh_client_t self:process execmem;
+allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
+
+allow doh_client_t doh_client_exec_t:file execmod;
+allow doh_client_t doh_client_port_t:tcp_socket name_bind;
+
+corenet_tcp_bind_dns_port(doh_client_t)
+corenet_tcp_bind_generic_node(doh_client_t)
+corenet_tcp_connect_http_port(doh_client_t)
+corenet_udp_bind_dns_port(doh_client_t)
+corenet_udp_bind_generic_node(doh_client_t)
+corenet_udp_bind_generic_port(doh_client_t)
+kernel_read_net_sysctls(doh_client_t)
+kernel_search_network_sysctl(doh_client_t)
+miscfiles_read_certs(doh_client_t)
+sysnet_read_config(doh_client_t)
+
+domain_use_interactive_fds(doh_client_t)
+
+files_read_etc_files(doh_client_t)
+
+miscfiles_read_localization(doh_client_t)
--- a/contrib/rpm/doh_server.fc
+++ b/contrib/rpm/doh_server.fc
@@ -0,0 +1,2 @@
+/usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
+/usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)
--- a/contrib/rpm/doh_server.if
+++ b/contrib/rpm/doh_server.if
@@ -0,0 +1,122 @@
+
+## <summary>policy for doh_server</summary>
+
+########################################
+## <summary>
+##	Execute doh_server_exec_t in the doh_server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_server_domtrans',`
+	gen_require(`
+		type doh_server_t, doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_server in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_server_exec',`
+	gen_require(`
+		type doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_server_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_server server in the doh_server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_server_systemctl',`
+	gen_require(`
+		type doh_server_t;
+		type doh_server_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_server_unit_file_t:file read_file_perms;
+	allow $1 doh_server_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_server_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_server environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_server_admin',`
+	gen_require(`
+		type doh_server_t;
+	type doh_server_unit_file_t;
+	')
+
+	allow $1 doh_server_t:process { signal_perms };
+	ps_process_pattern($1, doh_server_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_server_t:process ptrace;
+    ')
+
+	doh_server_systemctl($1)
+	admin_pattern($1, doh_server_unit_file_t)
+	allow $1 doh_server_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the vault_ocsp_responder port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`doh_server_connect',`
+        gen_require(`
+                type doh_server_port_t;
+		type $1;
+        ')
+
+        allow $1 doh_server_port_t:tcp_socket name_connect;
+')
--- a/contrib/rpm/doh_server.te
+++ b/contrib/rpm/doh_server.te
@@ -0,0 +1,42 @@
+policy_module(doh_server, 1.0.0)
+
+require {
+	class process execmem;
+	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
+	class udp_socket { connect create getattr setopt read write };
+	class file execmod;
+}
+
+type doh_server_t;
+type doh_server_exec_t;
+
+init_daemon_domain(doh_server_t, doh_server_exec_t)
+
+type doh_server_port_t;
+
+corenet_port(doh_server_port_t)
+
+type doh_server_unit_file_t;
+systemd_unit_file(doh_server_unit_file_t)
+
+allow doh_server_t self:fifo_file rw_fifo_file_perms;
+allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
+allow doh_server_t self:process execmem;
+allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
+allow doh_server_t self:udp_socket { connect create getattr setopt read write };
+
+allow doh_server_t doh_server_exec_t:file execmod;
+allow doh_server_t doh_server_port_t:tcp_socket name_bind;
+
+domain_use_interactive_fds(doh_server_t)
+
+files_read_etc_files(doh_server_t)
+
+corenet_tcp_bind_generic_node(doh_server_t)
+corenet_tcp_connect_dns_port(doh_server_t)
+doh_server_connect(httpd_t)
+
+kernel_read_net_sysctls(doh_server_t)
+kernel_search_network_sysctl(doh_server_t)
+
+miscfiles_read_localization(doh_server_t)
--- a/darwin-wrapper/Makefile
+++ b/darwin-wrapper/Makefile
@@ -0,0 +1,19 @@
+.PHONY: all clean install uninstall
+
+SWIFTC = swiftc
+PREFIX = /usr/local
+
+all: doh-logger
+
+doh-logger: doh-logger.swift
+	$(SWIFTC) -o $@ -O $<
+
+clean:
+	rm -f doh-logger
+
+install: doh-logger
+	mkdir -p $(DESTDIR)$(PREFIX)/bin
+	install -m0755 doh-logger $(DESTDIR)$(PREFIX)/bin
+
+uninstall:
+	rm -f $(DESTDIR)$(PREFIX)/bin/doh-logger
--- a/darwin-wrapper/doh-logger.swift
+++ b/darwin-wrapper/doh-logger.swift
@@ -0,0 +1,94 @@
+#!/usr/bin/swift
+
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+import Foundation
+import os.log
+
+if CommandLine.arguments.count < 3 {
+    let programName = CommandLine.arguments[0]
+    print("Usage: \(programName) LOG_NAME PROGRAM [ARGUMENTS]\n")
+    exit(1)
+}
+let logSubsystem = CommandLine.arguments[1]
+let logger = OSLog(subsystem: logSubsystem, category: "default")
+
+let pipe = Pipe()
+var buffer = Data()
+NotificationCenter.default.addObserver(forName: FileHandle.readCompletionNotification, object: pipe.fileHandleForReading, queue: nil) { notification in
+    let data = notification.userInfo?["NSFileHandleNotificationDataItem"] as? Data ?? Data()
+    buffer.append(data)
+    var lastIndex = 0
+    for (i, byte) in buffer.enumerated() {
+        if byte == 0x0a {
+            let line = String(data: buffer.subdata(in: lastIndex..<i), encoding: .utf8) ?? ""
+            print(line)
+            os_log("%{public}@", log: logger, line)
+            lastIndex = i + 1
+        }
+    }
+    buffer = buffer.subdata(in: lastIndex..<buffer.count)
+    if data.count == 0 && buffer.count != 0 {
+        let line = String(data: buffer, encoding: .utf8) ?? ""
+        print(line, terminator: "")
+        os_log("%{public}@", log: logger, line)
+    }
+    pipe.fileHandleForReading.readInBackgroundAndNotify()
+}
+pipe.fileHandleForReading.readInBackgroundAndNotify()
+
+let process = Process()
+process.arguments = Array(CommandLine.arguments[3...])
+process.executableURL = URL(fileURLWithPath: CommandLine.arguments[2])
+process.standardError = pipe.fileHandleForWriting
+process.standardInput = FileHandle.standardInput
+process.standardOutput = pipe.fileHandleForWriting
+NotificationCenter.default.addObserver(forName: Process.didTerminateNotification, object: process, queue: nil) { notification in
+    if buffer.count != 0 {
+        let line = String(data: buffer, encoding: .utf8) ?? ""
+        print(line, terminator: "")
+        os_log("%{public}@", log: logger, line)
+    }
+    exit(process.terminationStatus)
+}
+
+let SIGINTSource = DispatchSource.makeSignalSource(signal: SIGINT)
+let SIGTERMSource = DispatchSource.makeSignalSource(signal: SIGTERM)
+SIGINTSource.setEventHandler(handler: process.interrupt)
+SIGTERMSource.setEventHandler(handler: process.terminate)
+signal(SIGINT, SIG_IGN)
+signal(SIGTERM, SIG_IGN)
+SIGINTSource.resume()
+SIGTERMSource.resume()
+
+do {
+    try process.run()
+} catch {
+    let errorMessage = error.localizedDescription
+    print(errorMessage)
+    os_log("%{public}@", log: logger, type: .fault, errorMessage)
+    exit(1)
+}
+
+RunLoop.current.run()
--- a/doh-client/client.go
+++ b/doh-client/client.go
@@ -25,56 +25,88 @@ package main

 import (
 	"context"
+	"crypto/tls"
+	"fmt"
 	"log"
 	"math/rand"
 	"net"
 	"net/http"
 	"net/http/cookiejar"
+	"net/url"
+	"strconv"
 	"strings"
+	"sync"
 	"time"

-	"../json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
+	"golang.org/x/net/idna"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

 type Client struct {
-	conf          *config
-	bootstrap     []string
-	udpServer     *dns.Server
-	tcpServer     *dns.Server
-	httpTransport *http.Transport
-	httpClient    *http.Client
+	httpClientLastCreate time.Time
+	cookieJar            http.CookieJar
+	selector             selector.Selector
+	httpClientMux        *sync.RWMutex
+	tcpClient            *dns.Client
+	bootstrapResolver    *net.Resolver
+	udpClient            *dns.Client
+	conf                 *config.Config
+	httpTransport        *http.Transport
+	httpClient           *http.Client
+	udpServers           []*dns.Server
+	tcpServers           []*dns.Server
+	passthrough          []string
+	bootstrap            []string
 }

 type DNSRequest struct {
+	err               error
 	response          *http.Response
 	reply             *dns.Msg
-	udpSize           uint16
+	currentUpstream   string
 	ednsClientAddress net.IP
+	udpSize           uint16
 	ednsClientNetmask uint8
-	err               error
 }

-func NewClient(conf *config) (c *Client, err error) {
+func NewClient(conf *config.Config) (c *Client, err error) {
 	c = &Client{
 		conf: conf,
 	}
-	c.udpServer = &dns.Server{
-		Addr:    conf.Listen,
+
+	udpHandler := dns.HandlerFunc(c.udpHandlerFunc)
+	tcpHandler := dns.HandlerFunc(c.tcpHandlerFunc)
+	c.udpClient = &dns.Client{
 		Net:     "udp",
-		Handler: dns.HandlerFunc(c.udpHandlerFunc),
-		UDPSize: 4096,
+		UDPSize: dns.DefaultMsgSize,
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
 	}
-	c.tcpServer = &dns.Server{
-		Addr:    conf.Listen,
+	c.tcpClient = &dns.Client{
 		Net:     "tcp",
-		Handler: dns.HandlerFunc(c.tcpHandlerFunc),
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
 	}
-	bootResolver := net.DefaultResolver
-	if len(conf.Bootstrap) != 0 {
-		c.bootstrap = make([]string, len(conf.Bootstrap))
-		for i, bootstrap := range conf.Bootstrap {
+	for _, addr := range conf.Listen {
+		c.udpServers = append(c.udpServers, &dns.Server{
+			Addr:    addr,
+			Net:     "udp",
+			Handler: udpHandler,
+			UDPSize: dns.DefaultMsgSize,
+		})
+		c.tcpServers = append(c.tcpServers, &dns.Server{
+			Addr:    addr,
+			Net:     "tcp",
+			Handler: tcpHandler,
+		})
+	}
+	c.bootstrapResolver = net.DefaultResolver
+	if len(conf.Other.Bootstrap) != 0 {
+		c.bootstrap = make([]string, len(conf.Other.Bootstrap))
+		for i, bootstrap := range conf.Other.Bootstrap {
 			bootstrapAddr, err := net.ResolveUDPAddr("udp", bootstrap)
 			if err != nil {
 				bootstrapAddr, err = net.ResolveUDPAddr("udp", "["+bootstrap+"]:53")
@@ -84,7 +116,7 @@ func NewClient(conf *config) (c *Client, err error) {
 			}
 			c.bootstrap[i] = bootstrapAddr.String()
 		}
-		bootResolver = &net.Resolver{
+		c.bootstrapResolver = &net.Resolver{
 			PreferGo: true,
 			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
 				var d net.Dialer
@@ -94,114 +126,319 @@ func NewClient(conf *config) (c *Client, err error) {
 				return conn, err
 			},
 		}
+		if len(conf.Other.Passthrough) != 0 {
+			c.passthrough = make([]string, len(conf.Other.Passthrough))
+			for i, passthrough := range conf.Other.Passthrough {
+				if punycode, err := idna.ToASCII(passthrough); err != nil {
+					passthrough = punycode
+				}
+				c.passthrough[i] = "." + strings.ToLower(strings.Trim(passthrough, ".")) + "."
+			}
+		}
+	}
+	// Most CDNs require Cookie support to prevent DDoS attack.
+	// Disabling Cookie does not effectively prevent tracking,
+	// so I will leave it on to make anti-DDoS services happy.
+	if !c.conf.Other.NoCookies {
+		c.cookieJar, err = cookiejar.New(nil)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		c.cookieJar = nil
+	}
+
+	c.httpClientMux = new(sync.RWMutex)
+	err = c.newHTTPClient()
+	if err != nil {
+		return nil, err
+	}
+
+	switch c.conf.Upstream.UpstreamSelector {
+	case config.NginxWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.NginxWRR, "mode start")
+		}
+
+		s := selector.NewNginxWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	case config.LVSWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.LVSWRR, "mode start")
+		}
+
+		s := selector.NewLVSWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	default:
+		if c.conf.Other.Verbose {
+			log.Println(config.Random, "mode start")
+		}
+
+		// if selector is invalid or random, use random selector, or should we stop program and let user knows he is wrong?
+		s := selector.NewRandomSelector()
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+	}
+
+	if c.conf.Other.Verbose {
+		if reporter, ok := c.selector.(selector.DebugReporter); ok {
+			reporter.ReportWeights()
+		}
+	}
+
+	return c, nil
+}
+
+func (c *Client) newHTTPClient() error {
+	c.httpClientMux.Lock()
+	defer c.httpClientMux.Unlock()
+	if !c.httpClientLastCreate.IsZero() && time.Since(c.httpClientLastCreate) < time.Duration(c.conf.Other.Timeout)*time.Second {
+		return nil
+	}
+	if c.httpTransport != nil {
+		c.httpTransport.CloseIdleConnections()
+	}
+	dialer := &net.Dialer{
+		Timeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+		KeepAlive: 30 * time.Second,
+		// DualStack: true,
+		Resolver: c.bootstrapResolver,
 	}
-	c.httpTransport = new(http.Transport)
 	c.httpTransport = &http.Transport{
-		DialContext: (&net.Dialer{
-			Timeout:   time.Duration(conf.Timeout) * time.Second,
-			KeepAlive: 30 * time.Second,
-			DualStack: true,
-			Resolver:  bootResolver,
-		}).DialContext,
+		DialContext:           dialer.DialContext,
 		ExpectContinueTimeout: 1 * time.Second,
 		IdleConnTimeout:       90 * time.Second,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
-		ResponseHeaderTimeout: time.Duration(conf.Timeout) * time.Second,
-		TLSHandshakeTimeout:   time.Duration(conf.Timeout) * time.Second,
+		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: c.conf.Other.TLSInsecureSkipVerify},
 	}
-	http2.ConfigureTransport(c.httpTransport)
-	// Most CDNs require Cookie support to prevent DDoS attack
-	cookieJar, err := cookiejar.New(nil)
-	if err != nil {
-		return nil, err
-	}
-	c.httpClient = &http.Client{
-		Transport: c.httpTransport,
-		Jar:       cookieJar,
-	}
-	return c, nil
-}
-
-func (c *Client) Start() error {
-	result := make(chan error)
-	go func() {
-		err := c.udpServer.ListenAndServe()
-		if err != nil {
-			log.Println(err)
+	if c.conf.Other.NoIPv6 {
+		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
+			if strings.HasPrefix(network, "tcp") {
+				network = "tcp4"
+			}
+			return dialer.DialContext(ctx, network, address)
 		}
-		result <- err
-	}()
-	go func() {
-		err := c.tcpServer.ListenAndServe()
-		if err != nil {
-			log.Println(err)
-		}
-		result <- err
-	}()
-	err := <-result
+	}
+	err := http2.ConfigureTransport(c.httpTransport)
 	if err != nil {
 		return err
 	}
-	err = <-result
-	return err
+	c.httpClient = &http.Client{
+		Transport: c.httpTransport,
+		Jar:       c.cookieJar,
+	}
+	c.httpClientLastCreate = time.Now()
+	return nil
+}
+
+func (c *Client) Start() error {
+	results := make(chan error, len(c.udpServers)+len(c.tcpServers))
+	for _, srv := range append(c.udpServers, c.tcpServers...) {
+		go func(srv *dns.Server) {
+			err := srv.ListenAndServe()
+			if err != nil {
+				log.Println(err)
+			}
+			results <- err
+		}(srv)
+	}
+
+	// start evaluation loop
+	c.selector.StartEvaluate()
+
+	for i := 0; i < cap(results); i++ {
+		err := <-results
+		if err != nil {
+			return err
+		}
+	}
+	close(results)
+
+	return nil
 }

 func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
-	if r.Response == true {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(c.conf.Other.Timeout)*time.Second)
+	defer cancel()
+
+	if r.Response {
 		log.Println("Received a response packet")
 		return
 	}

-	requestType := ""
-	if len(c.conf.UpstreamIETF) == 0 {
-		requestType = "application/x-www-form-urlencoded"
-	} else if len(c.conf.UpstreamGoogle) == 0 {
-		requestType = "application/dns-udpwireformat"
+	if len(r.Question) != 1 {
+		log.Println("Number of questions is not 1")
+		reply := jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeFormatError
+		w.WriteMsg(reply)
+		return
+	}
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := ""
+	if qclass, ok := dns.ClassToString[question.Qclass]; ok {
+		questionClass = qclass
 	} else {
-		numServers := len(c.conf.UpstreamGoogle) + len(c.conf.UpstreamIETF)
-		random := rand.Intn(numServers)
-		if random < len(c.conf.UpstreamGoogle) {
-			requestType = "application/x-www-form-urlencoded"
-		} else {
-			requestType = "application/dns-udpwireformat"
+		questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
+	}
+	questionType := ""
+	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
+		questionType = qtype
+	} else {
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+	}
+	if c.conf.Other.Verbose {
+		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+	}
+
+	shouldPassthrough := false
+	passthroughQuestionName := questionName
+	if punycode, err := idna.ToASCII(passthroughQuestionName); err != nil {
+		passthroughQuestionName = punycode
+	}
+	passthroughQuestionName = "." + strings.ToLower(strings.Trim(passthroughQuestionName, ".")) + "."
+	for _, passthrough := range c.passthrough {
+		if strings.HasSuffix(passthroughQuestionName, passthrough) {
+			shouldPassthrough = true
+			break
 		}
 	}
+	if shouldPassthrough {
+		numServers := len(c.bootstrap)
+		upstream := c.bootstrap[rand.Intn(numServers)]
+		log.Printf("Request \"%s %s %s\" is passed through %s.\n", questionName, questionClass, questionType, upstream)
+		var reply *dns.Msg
+		var err error
+		if !isTCP {
+			reply, _, err = c.udpClient.Exchange(r, upstream)
+		} else {
+			reply, _, err = c.tcpClient.Exchange(r, upstream)
+		}
+		if err == nil {
+			w.WriteMsg(reply)
+			return
+		}
+		log.Println(err)
+		reply = jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return
+	}
+
+	upstream := c.selector.Get()
+	requestType := upstream.RequestType
+
+	if c.conf.Other.Verbose {
+		log.Println("choose upstream:", upstream)
+	}

 	var req *DNSRequest
-	if requestType == "application/x-www-form-urlencoded" {
-		req = c.generateRequestGoogle(w, r, isTCP)
-	} else if requestType == "application/dns-udpwireformat" {
-		req = c.generateRequestIETF(w, r, isTCP)
-	} else {
+	switch requestType {
+	case "application/dns-json":
+		req = c.generateRequestGoogle(ctx, w, r, isTCP, upstream)
+
+	case "application/dns-message":
+		req = c.generateRequestIETF(ctx, w, r, isTCP, upstream)
+
+	default:
 		panic("Unknown request Content-Type")
 	}

 	if req.err != nil {
+		if urlErr, ok := req.err.(*url.Error); ok {
+			// should we only check timeout?
+			if urlErr.Timeout() {
+				c.selector.ReportUpstreamStatus(upstream, selector.Timeout)
+			}
+		}
+
 		return
 	}

-	contentType := ""
-	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
-	if candidateType == "application/json" {
-		contentType = "application/json"
-	} else if candidateType == "application/dns-udpwireformat" {
-		contentType = "application/dns-udpwireformat"
-	} else {
-		if requestType == "application/x-www-form-urlencoded" {
-			contentType = "application/json"
-		} else if requestType == "application/dns-udpwireformat" {
-			contentType = "application/dns-udpwireformat"
+	// if req.err == nil, req.response != nil
+	defer req.response.Body.Close()
+
+	for _, header := range c.conf.Other.DebugHTTPHeaders {
+		if value := req.response.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
 		}
 	}

-	if contentType == "application/json" {
-		c.parseResponseGoogle(w, r, isTCP, req)
-	} else if contentType == "application/dns-udpwireformat" {
-		c.parseResponseIETF(w, r, isTCP, req)
-	} else {
-		panic("Unknown response Content-Type")
+	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
+
+	switch candidateType {
+	case "application/json":
+		c.parseResponseGoogle(ctx, w, r, isTCP, req)
+
+	case "application/dns-message", "application/dns-udpwireformat":
+		c.parseResponseIETF(ctx, w, r, isTCP, req)
+
+	default:
+		switch requestType {
+		case "application/dns-json":
+			c.parseResponseGoogle(ctx, w, r, isTCP, req)
+
+		case "application/dns-message":
+			c.parseResponseIETF(ctx, w, r, isTCP, req)
+
+		default:
+			panic("Unknown response Content-Type")
+		}
+	}
+
+	// https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ says
+	// returns code will be 200 / 400 / 413 / 415 / 504, some server will return 503, so
+	// I think if status code is 5xx, upstream must have some problems
+	/*if req.response.StatusCode/100 == 5 {
+		c.selector.ReportUpstreamStatus(upstream, selector.Medium)
+	}*/
+
+	switch req.response.StatusCode / 100 {
+	case 5:
+		c.selector.ReportUpstreamStatus(upstream, selector.Error)
+
+	case 2:
+		c.selector.ReportUpstreamStatus(upstream, selector.OK)
 	}
 }

@@ -215,12 +452,12 @@ func (c *Client) tcpHandlerFunc(w dns.ResponseWriter, r *dns.Msg) {

 var (
 	ipv4Mask24 = net.IPMask{255, 255, 255, 0}
-	ipv6Mask48 = net.CIDRMask(48, 128)
+	ipv6Mask56 = net.CIDRMask(56, 128)
 )

 func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddress net.IP, ednsClientNetmask uint8) {
 	ednsClientNetmask = 255
-	if c.conf.NoECS {
+	if c.conf.Other.NoECS {
 		return net.IPv4(0, 0, 0, 0), 0
 	}
 	if opt := r.IsEdns0(); opt != nil {
@@ -237,13 +474,13 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 	if err != nil {
 		return
 	}
-	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
+	if ip := remoteAddr.IP; jsondns.IsGlobalIP(ip) {
 		if ipv4 := ip.To4(); ipv4 != nil {
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
 		} else {
-			ednsClientAddress = ip.Mask(ipv6Mask48)
-			ednsClientNetmask = 48
+			ednsClientAddress = ip.Mask(ipv6Mask56)
+			ednsClientNetmask = 56
 		}
 	}
 	return
--- a/doh-client/config/config.go
+++ b/doh-client/config/config.go
@@ -0,0 +1,101 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package config
+
+import (
+	"fmt"
+
+	"github.com/BurntSushi/toml"
+)
+
+const (
+	Random   = "random"
+	NginxWRR = "weighted_round_robin"
+	LVSWRR   = "lvs_weighted_round_robin"
+)
+
+type upstreamDetail struct {
+	URL    string `toml:"url"`
+	Weight int32  `toml:"weight"`
+}
+
+type upstream struct {
+	UpstreamGoogle   []upstreamDetail `toml:"upstream_google"`
+	UpstreamIETF     []upstreamDetail `toml:"upstream_ietf"`
+	UpstreamSelector string           `toml:"upstream_selector"` // usable: random or weighted_random
+}
+
+type others struct {
+	Bootstrap             []string `toml:"bootstrap"`
+	Passthrough           []string `toml:"passthrough"`
+	Timeout               uint     `toml:"timeout"`
+	NoCookies             bool     `toml:"no_cookies"`
+	NoECS                 bool     `toml:"no_ecs"`
+	NoIPv6                bool     `toml:"no_ipv6"`
+	NoUserAgent           bool     `toml:"no_user_agent"`
+	Verbose               bool     `toml:"verbose"`
+	DebugHTTPHeaders      []string `toml:"debug_http_headers"`
+	TLSInsecureSkipVerify bool     `toml:"insecure_tls_skip_verify"`
+}
+
+type Config struct {
+	Listen   []string `toml:"listen"`
+	Upstream upstream `toml:"upstream"`
+	Other    others   `toml:"others"`
+}
+
+func LoadConfig(path string) (*Config, error) {
+	conf := &Config{}
+	metaData, err := toml.DecodeFile(path, conf)
+	if err != nil {
+		return nil, err
+	}
+	for _, key := range metaData.Undecoded() {
+		return nil, &configError{fmt.Sprintf("unknown option %q", key.String())}
+	}
+
+	if len(conf.Listen) == 0 {
+		conf.Listen = []string{"127.0.0.1:53", "[::1]:53"}
+	}
+	if len(conf.Upstream.UpstreamGoogle) == 0 && len(conf.Upstream.UpstreamIETF) == 0 {
+		conf.Upstream.UpstreamGoogle = []upstreamDetail{{URL: "https://dns.google.com/resolve", Weight: 50}}
+	}
+	if conf.Other.Timeout == 0 {
+		conf.Other.Timeout = 10
+	}
+
+	if conf.Upstream.UpstreamSelector == "" {
+		conf.Upstream.UpstreamSelector = Random
+	}
+
+	return conf, nil
+}
+
+type configError struct {
+	err string
+}
+
+func (e *configError) Error() string {
+	return e.err
+}
--- a/doh-client/doh-client.conf
+++ b/doh-client/doh-client.conf
@@ -1,28 +1,140 @@
 # DNS listen port
-listen = "127.0.0.1:53"
+listen = [
+    "127.0.0.1:53",
+    "127.0.0.1:5380",
+    "[::1]:53",
+    "[::1]:5380",
+
+    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
+    # ":53",
+]

 # HTTP path for upstream resolver
-# If multiple servers are specified, a random one will be chosen each time.
-upstream_google = [
-    "https://dns.google.com/resolve",
-]
-upstream_ietf = [
-    #"https://dns.google.com/experimental",
-]

+[upstream]
+
+# available selector: random or weighted_round_robin or lvs_weighted_round_robin
+upstream_selector = "random"
+
+# weight should in (0, 100], if upstream_selector is random, weight will be ignored
+
+## Google's resolver, good ECS, good DNSSEC
+#[[upstream.upstream_ietf]]
+#    url = "https://dns.google/dns-query"
+#    weight = 50
+
+## CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+[[upstream.upstream_ietf]]
+    url = "https://cloudflare-dns.com/dns-query"
+    weight = 50
+
+## CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
+#[[upstream.upstream_ietf]]
+#    url = "https://1.1.1.1/dns-query"
+#    weight = 50
+
+## DNS.SB's resolver, good ECS, good DNSSEC
+## The provider claims no logging: https://dns.sb/doh/
+#[[upstream.upstream_ietf]]
+#    url = "https://doh.dns.sb/dns-query"
+#    weight = 50
+
+## Quad9's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
+#[[upstream.upstream_ietf]]
+#    url = "https://9.9.9.9/dns-query"
+#    weight = 50
+
+## CloudFlare's resolver for Tor, available only with Tor
+## Remember to disable ECS below when using Tor!
+## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
+#[[upstream.upstream_ietf]]
+#    url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
+#    weight = 50
+
+
+[others]
 # Bootstrap DNS server to resolve the address of the upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # If empty, use the system DNS settings.
+# If you want to preload IP addresses in /etc/hosts instead of using a
+# bootstrap server, please make this list empty.
 bootstrap = [
+
+    # Google's resolver, good ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
+    #"1.1.1.1:53",
+    #"1.0.0.1:53",
+
 ]

-# Timeout for upstream request
-timeout = 10
+# The domain names here are directly passed to bootstrap servers listed above,
+# allowing captive portal detection and systems without RTC to work.
+# Only effective if at least one bootstrap server is configured.
+passthrough = [
+    "captive.apple.com",
+    "connectivitycheck.gstatic.com",
+    "detectportal.firefox.com",
+    "msftconnecttest.com",
+    "nmcheck.gnome.org",

-# Disable EDNS0-Client-Subnet, do not send client's IP address
+    "pool.ntp.org",
+    "time.apple.com",
+    "time.asia.apple.com",
+    "time.euro.apple.com",
+    "time.nist.gov",
+    "time.windows.com",
+]
+
+# Timeout for upstream request in seconds
+timeout = 30
+
+# Disable HTTP Cookies
+#
+# Cookies may be useful if your upstream resolver is protected by some
+# anti-DDoS services to identify clients.
+# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
+# to track uesrs and is not controlled by doh-client.
+no_cookies = true
+
+# Disable EDNS0-Client-Subnet (ECS)
+#
+# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
+# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
+# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
+# the same configuration as most public DNS servers.
 no_ecs = false

+# Disable IPv6 when querying upstream
+#
+# Only enable this if you really have trouble connecting.
+# Doh-client uses both IPv4 and IPv6 by default and should not have problems
+# with an IPv4-only environment.
+# Note that DNS listening and bootstrapping is not controlled by this option.
+no_ipv6 = false
+
+# Disable submitting User-Agent
+#
+# It is generally not recommended to disable submitting User-Agent because it
+# is still possible to probe client version according to behavior differences,
+# such as TLS handshaking, handling of malformed packets, and specific bugs.
+# Additionally, User-Agent is an important way for the server to distinguish
+# buggy, old, or insecure clients, and to workaround specific bugs.
+# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
+# and older Firefox.)
+no_user_agent = false
+
 # Enable logging
 verbose = false
+
+# insecure_tls_skip_verification will disable necessary TLS security verification.
+# This option is designed for testing or development purposes,
+# turning on this option on public Internet may cause your connection
+# vulnerable to MITM attack.
+insecure_tls_skip_verify = false
--- a/doh-client/google.go
+++ b/doh-client/google.go
@@ -24,49 +24,42 @@
 package main

 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
-	"math/rand"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
-	"time"

-	"../json-dns"
 	"github.com/miekg/dns"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

-func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP bool) *DNSRequest {
-	reply := jsonDNS.PrepareReply(r)
-
-	if len(r.Question) != 1 {
-		log.Println("Number of questions is not 1")
-		reply.Rcode = dns.RcodeFormatError
+func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := question.Qclass
+	if questionClass != dns.ClassINET {
+		reply := jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeRefused
 		w.WriteMsg(reply)
 		return &DNSRequest{
 			err: &dns.Error{},
 		}
 	}
-	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
 	questionType := ""
 	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 		questionType = qtype
 	} else {
-		questionType = strconv.Itoa(int(question.Qtype))
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
 	}

-	if c.conf.Verbose {
-		fmt.Printf("%s - - [%s] \"%s IN %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionType)
-	}
-
-	numServers := len(c.conf.UpstreamGoogle)
-	upstream := c.conf.UpstreamGoogle[rand.Intn(numServers)]
-	requestURL := fmt.Sprintf("%s?name=%s&type=%s", upstream, url.QueryEscape(questionName), url.QueryEscape(questionType))
+	requestURL := fmt.Sprintf("%s?ct=application/dns-json&name=%s&type=%s", upstream.URL, url.QueryEscape(questionName), url.QueryEscape(questionType))

 	if r.CheckingDisabled {
 		requestURL += "&cd=1"
@@ -75,6 +68,9 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 	udpSize := uint16(512)
 	if opt := r.IsEdns0(); opt != nil {
 		udpSize = opt.UDPSize()
+		if opt.Do() {
+			requestURL += "&do=1"
+		}
 	}

 	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
@@ -82,23 +78,43 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
 	}

-	req, err := http.NewRequest("GET", requestURL, nil)
+	req, err := http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
 			err: err,
 		}
 	}
-	req.Header.Set("Accept", "application/json, application/dns-udpwireformat")
-	req.Header.Set("User-Agent", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
+
+	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
+	req = req.WithContext(ctx)
+
+	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		c.httpTransport.CloseIdleConnections()
 		return &DNSRequest{
 			err: err,
 		}
@@ -106,16 +122,17 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b

 	return &DNSRequest{
 		response:          resp,
-		reply:             reply,
+		reply:             jsondns.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream.URL,
 	}
 }

-func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
-	if req.response.StatusCode != 200 {
-		log.Printf("HTTP error: %s\n", req.response.Status)
+func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
 		if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {
@@ -124,7 +141,7 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		}
 	}

-	body, err := ioutil.ReadAll(req.response.Body)
+	body, err := io.ReadAll(req.response.Body)
 	if err != nil {
 		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
@@ -132,7 +149,7 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		return
 	}

-	var respJSON jsonDNS.Response
+	var respJSON jsondns.Response
 	err = json.Unmarshal(body, &respJSON)
 	if err != nil {
 		log.Println(err)
@@ -144,8 +161,14 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	if respJSON.Status != dns.RcodeSuccess && respJSON.Comment != "" {
 		log.Printf("DNS error: %s\n", respJSON.Comment)
 	}
+	fixEmptyNames(&respJSON)

-	fullReply := jsonDNS.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	fullReply := jsondns.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	if isTCP {
+		fullReply.Truncate(dns.MaxMsgSize)
+	} else {
+		fullReply.Truncate(int(req.udpSize))
+	}
 	buf, err := fullReply.Pack()
 	if err != nil {
 		log.Println(err)
@@ -153,14 +176,21 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		w.WriteMsg(req.reply)
 		return
 	}
-	if !isTCP && len(buf) > int(req.udpSize) {
-		fullReply.Truncated = true
-		buf, err = fullReply.Pack()
-		if err != nil {
-			log.Println(err)
-			return
-		}
-		buf = buf[:req.udpSize]
-	}
 	w.Write(buf)
 }
+
+// Fix DNS response empty []RR.Name
+// Additional section won't be rectified
+// see: https://stackoverflow.com/questions/52136176/what-is-additional-section-in-dns-and-how-it-works
+func fixEmptyNames(respJSON *jsondns.Response) {
+	for i := range respJSON.Answer {
+		if respJSON.Answer[i].Name == "" {
+			respJSON.Answer[i].Name = "."
+		}
+	}
+	for i := range respJSON.Authority {
+		if respJSON.Authority[i].Name == "" {
+			respJSON.Authority[i].Name = "."
+		}
+	}
+}
--- a/doh-client/ietf.go
+++ b/doh-client/ietf.go
@@ -25,57 +25,32 @@ package main

 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
-	"math/rand"
 	"net"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"

-	"../json-dns"
 	"github.com/miekg/dns"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

-func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool) *DNSRequest {
-	reply := jsonDNS.PrepareReply(r)
-
-	if len(r.Question) != 1 {
-		log.Println("Number of questions is not 1")
-		reply.Rcode = dns.RcodeFormatError
-		w.WriteMsg(reply)
-		return &DNSRequest{
-			err: &dns.Error{},
-		}
-	}
-
-	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
-	questionType := ""
-	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
-		questionType = qtype
-	} else {
-		questionType = strconv.Itoa(int(question.Qtype))
-	}
-
-	if c.conf.Verbose {
-		fmt.Printf("%s - - [%s] \"%s IN %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionType)
-	}
-
-	question.Name = questionName
+func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
 	opt := r.IsEdns0()
 	udpSize := uint16(512)
 	if opt == nil {
 		opt = new(dns.OPT)
 		opt.Hdr.Name = "."
 		opt.Hdr.Rrtype = dns.TypeOPT
-		opt.SetUDPSize(4096)
+		opt.SetUDPSize(dns.DefaultMsgSize)
 		opt.SetDo(false)
-		r.Extra = append(r.Extra, opt)
+		r.Extra = append([]dns.RR{opt}, r.Extra...)
 	} else {
 		udpSize = opt.UDPSize()
 	}
@@ -97,7 +72,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -116,6 +91,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	requestBinary, err := r.Pack()
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -125,15 +101,14 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	r.Id = requestID
 	requestBase64 := base64.RawURLEncoding.EncodeToString(requestBinary)

-	numServers := len(c.conf.UpstreamIETF)
-	upstream := c.conf.UpstreamIETF[rand.Intn(numServers)]
-	requestURL := fmt.Sprintf("%s?ct=application/dns-udpwireformat&dns=%s", upstream, requestBase64)
+	requestURL := fmt.Sprintf("%s?ct=application/dns-message&dns=%s", upstream.URL, requestBase64)

 	var req *http.Request
 	if len(requestURL) < 2048 {
-		req, err = http.NewRequest("GET", requestURL, nil)
+		req, err = http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 		if err != nil {
 			log.Println(err)
+			reply := jsondns.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
@@ -141,25 +116,43 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 			}
 		}
 	} else {
-		req, err = http.NewRequest("POST", upstream, bytes.NewReader(requestBinary))
+		req, err = http.NewRequest(http.MethodPost, upstream.URL, bytes.NewReader(requestBinary))
 		if err != nil {
 			log.Println(err)
+			reply := jsondns.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
 				err: err,
 			}
 		}
-		req.Header.Set("Content-Type", "application/dns-udpwireformat")
+		req.Header.Set("Content-Type", "application/dns-message")
 	}
-	req.Header.Set("Accept", "application/dns-udpwireformat, application/json")
-	req.Header.Set("User-Agent", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
+	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
+	req = req.WithContext(ctx)
+	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		c.httpTransport.CloseIdleConnections()
 		return &DNSRequest{
 			err: err,
 		}
@@ -167,27 +160,28 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo

 	return &DNSRequest{
 		response:          resp,
-		reply:             reply,
+		reply:             jsondns.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream.URL,
 	}
 }

-func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
-	if req.response.StatusCode != 200 {
-		log.Printf("HTTP error: %s\n", req.response.Status)
+func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
-		if contentType != "application/dns-udpwireformat" && !strings.HasPrefix(contentType, "application/dns-udpwireformat;") {
+		if contentType != "application/dns-message" && !strings.HasPrefix(contentType, "application/dns-message;") {
 			w.WriteMsg(req.reply)
 			return
 		}
 	}

-	body, err := ioutil.ReadAll(req.response.Body)
+	body, err := io.ReadAll(req.response.Body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("read error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -198,7 +192,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
 			now = nowDate
 		} else {
-			log.Println(err)
+			log.Printf("Date header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	headerLastModified := req.response.Header.Get("Last-Modified")
@@ -207,7 +201,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
 			lastModified = lastModifiedDate
 		} else {
-			log.Println(err)
+			log.Printf("Last-Modified header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	timeDelta := now.Sub(lastModified)
@@ -218,7 +212,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 	fullReply := new(dns.Msg)
 	err = fullReply.Unpack(body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("unpacking error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -238,23 +232,22 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		_ = fixRecordTTL(rr, timeDelta)
 	}

+	if isTCP {
+		fullReply.Truncate(dns.MaxMsgSize)
+	} else {
+		fullReply.Truncate(int(req.udpSize))
+	}
 	buf, err := fullReply.Pack()
 	if err != nil {
-		log.Println(err)
+		log.Printf("packing error with upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
 	}
-	if !isTCP && len(buf) > int(req.udpSize) {
-		fullReply.Truncated = true
-		buf, err = fullReply.Pack()
-		if err != nil {
-			log.Println(err)
-			return
-		}
-		buf = buf[:req.udpSize]
+	_, err = w.Write(buf)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
 	}
-	w.Write(buf)
 }

 func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {
--- a/doh-client/main.go
+++ b/doh-client/main.go
@@ -25,21 +25,89 @@ package main

 import (
 	"flag"
+	"fmt"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/config"
 )

+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	if os.IsExist(err) {
+		pidStr, err := os.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-client.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()

-	conf, err := loadConfig(*confPath)
+	if *showVersion {
+		fmt.Printf("doh-client %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
+	conf, err := config.LoadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
 	}

 	if *verbose {
-		conf.Verbose = true
+		conf.Other.Verbose = true
 	}

 	client, err := NewClient(conf)
--- a/doh-client/selector/lvsWRRSelector.go
+++ b/doh-client/selector/lvsWRRSelector.go
@@ -0,0 +1,262 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type LVSWRRSelector struct {
+	upstreams     []*Upstream // upstreamsInfo
+	client        http.Client // http client to check the upstream
+	lastChoose    int32
+	currentWeight int32
+}
+
+func NewLVSWRRSelector(timeout time.Duration) *LVSWRRSelector {
+	return &LVSWRRSelector{
+		client:     http.Client{Timeout: timeout},
+		lastChoose: -1,
+	}
+}
+
+func (ls *LVSWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	if weight < 1 {
+		return errors.New("weight is 1")
+	}
+
+	switch upstreamType {
+	case Google:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ls *LVSWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ls.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ls.upstreams[i].URL
+					var acceptType string
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ls.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ls.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ls.upstreams[i].effectiveWeight, -5) < 1 {
+							atomic.StoreInt32(&ls.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						ls.checkGoogleResponse(resp, ls.upstreams[i])
+
+					case IETF:
+						ls.checkIETFResponse(resp, ls.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+func (ls *LVSWRRSelector) Get() *Upstream {
+	if len(ls.upstreams) == 1 {
+		return ls.upstreams[0]
+	}
+
+	for {
+		atomic.StoreInt32(&ls.lastChoose, (atomic.LoadInt32(&ls.lastChoose)+1)%int32(len(ls.upstreams)))
+
+		if atomic.LoadInt32(&ls.lastChoose) == 0 {
+			atomic.AddInt32(&ls.currentWeight, -ls.gcdWeight())
+
+			if atomic.LoadInt32(&ls.currentWeight) <= 0 {
+				atomic.AddInt32(&ls.currentWeight, ls.maxWeight())
+
+				if atomic.LoadInt32(&ls.currentWeight) == 0 {
+					panic("current weight is 0")
+				}
+			}
+		}
+
+		if atomic.LoadInt32(&ls.upstreams[atomic.LoadInt32(&ls.lastChoose)].effectiveWeight) >= atomic.LoadInt32(&ls.currentWeight) {
+			return ls.upstreams[atomic.LoadInt32(&ls.lastChoose)]
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) gcdWeight() (res int32) {
+	res = gcd(atomic.LoadInt32(&ls.upstreams[0].effectiveWeight), atomic.LoadInt32(&ls.upstreams[0].effectiveWeight))
+
+	for i := 1; i < len(ls.upstreams); i++ {
+		res = gcd(res, atomic.LoadInt32(&ls.upstreams[i].effectiveWeight))
+	}
+
+	return
+}
+
+func (ls *LVSWRRSelector) maxWeight() (res int32) {
+	for _, upstream := range ls.upstreams {
+		w := atomic.LoadInt32(&upstream.effectiveWeight)
+		if w > res {
+			res = w
+		}
+	}
+
+	return
+}
+
+func gcd(x, y int32) int32 {
+	for {
+		if x < y {
+			x, y = y, x
+		}
+
+		tmp := x % y
+		if tmp == 0 {
+			return y
+		}
+
+		x = tmp
+	}
+}
+
+func (ls *LVSWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ls *LVSWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ls *LVSWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ls.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}
--- a/doh-client/selector/nginxWRRSelector.go
+++ b/doh-client/selector/nginxWRRSelector.go
@@ -0,0 +1,215 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type NginxWRRSelector struct {
+	upstreams []*Upstream // upstreamsInfo
+	client    http.Client // http client to check the upstream
+}
+
+func NewNginxWRRSelector(timeout time.Duration) *NginxWRRSelector {
+	return &NginxWRRSelector{
+		client: http.Client{Timeout: timeout},
+	}
+}
+
+func (ws *NginxWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	switch upstreamType {
+	case Google:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ws *NginxWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ws.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ws.upstreams[i].URL
+					var acceptType string
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ws.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ws.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ws.upstreams[i].effectiveWeight, -10) < 1 {
+							atomic.StoreInt32(&ws.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						ws.checkGoogleResponse(resp, ws.upstreams[i])
+
+					case IETF:
+						ws.checkIETFResponse(resp, ws.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+// nginx wrr like.
+func (ws *NginxWRRSelector) Get() *Upstream {
+	var (
+		total             int32
+		bestUpstreamIndex = -1
+	)
+
+	for i := range ws.upstreams {
+		effectiveWeight := atomic.LoadInt32(&ws.upstreams[i].effectiveWeight)
+		atomic.AddInt32(&ws.upstreams[i].currentWeight, effectiveWeight)
+		total += effectiveWeight
+
+		if bestUpstreamIndex == -1 || atomic.LoadInt32(&ws.upstreams[i].currentWeight) > atomic.LoadInt32(&ws.upstreams[bestUpstreamIndex].currentWeight) {
+			bestUpstreamIndex = i
+		}
+	}
+
+	atomic.AddInt32(&ws.upstreams[bestUpstreamIndex].currentWeight, -total)
+
+	return ws.upstreams[bestUpstreamIndex]
+}
+
+func (ws *NginxWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ws *NginxWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ws *NginxWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ws *NginxWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ws.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}
--- a/doh-client/selector/randomSelector.go
+++ b/doh-client/selector/randomSelector.go
@@ -0,0 +1,50 @@
+package selector
+
+import (
+	"errors"
+	"math/rand"
+	"time"
+)
+
+func init() {
+	rand.NewSource(time.Now().UnixNano())
+}
+
+type RandomSelector struct {
+	upstreams []*Upstream
+}
+
+func NewRandomSelector() *RandomSelector {
+	return new(RandomSelector)
+}
+
+func (rs *RandomSelector) Add(url string, upstreamType UpstreamType) (err error) {
+	switch upstreamType {
+	case Google:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        Google,
+			URL:         url,
+			RequestType: "application/dns-json",
+		})
+
+	case IETF:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        IETF,
+			URL:         url,
+			RequestType: "application/dns-message",
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (rs *RandomSelector) Get() *Upstream {
+	return rs.upstreams[rand.Intn(len(rs.upstreams))]
+}
+
+func (rs *RandomSelector) StartEvaluate() {}
+
+func (rs *RandomSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {}
--- a/doh-client/selector/selector.go
+++ b/doh-client/selector/selector.go
@@ -0,0 +1,17 @@
+package selector
+
+type Selector interface {
+	// Get returns a upstream
+	Get() *Upstream
+
+	// StartEvaluate start upstream evaluation loop
+	StartEvaluate()
+
+	// ReportUpstreamStatus report upstream status
+	ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus)
+}
+
+type DebugReporter interface {
+	// ReportWeights starts a goroutine to report all upstream weights, recommend interval is 15s
+	ReportWeights()
+}
--- a/doh-client/selector/upstream.go
+++ b/doh-client/selector/upstream.go
@@ -0,0 +1,28 @@
+package selector
+
+import "fmt"
+
+type UpstreamType int
+
+const (
+	Google UpstreamType = iota
+	IETF
+)
+
+var typeMap = map[UpstreamType]string{
+	Google: "Google",
+	IETF:   "IETF",
+}
+
+type Upstream struct {
+	Type            UpstreamType
+	URL             string
+	RequestType     string
+	weight          int32
+	effectiveWeight int32
+	currentWeight   int32
+}
+
+func (u Upstream) String() string {
+	return fmt.Sprintf("upstream type: %s, upstream url: %s", typeMap[u.Type], u.URL)
+}
--- a/doh-client/selector/upstreamStatus.go
+++ b/doh-client/selector/upstreamStatus.go
@@ -0,0 +1,14 @@
+package selector
+
+type upstreamStatus int
+
+const (
+	// when query upstream timeout, usually upstream is unavailable for a long time.
+	Timeout upstreamStatus = iota
+
+	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him.
+	Error
+
+	// when query upstream ok, means upstream is available.
+	OK
+)
--- a/doh-client/version.go
+++ b/doh-client/version.go
@@ -23,49 +23,7 @@

 package main

-import (
-	"fmt"
-
-	"github.com/BurntSushi/toml"
+const (
+	VERSION    = "2.3.6"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )
-
-type config struct {
-	Listen         string   `toml:"listen"`
-	UpstreamGoogle []string `toml:"upstream_google"`
-	UpstreamIETF   []string `toml:"upstream_ietf"`
-	Bootstrap      []string `toml:"bootstrap"`
-	Timeout        uint     `toml:"timeout"`
-	NoECS          bool     `toml:"no_ecs"`
-	Verbose        bool     `toml:"verbose"`
-}
-
-func loadConfig(path string) (*config, error) {
-	conf := &config{}
-	metaData, err := toml.DecodeFile(path, conf)
-	if err != nil {
-		return nil, err
-	}
-	for _, key := range metaData.Undecoded() {
-		return nil, &configError{fmt.Sprintf("unknown option %q", key.String())}
-	}
-
-	if conf.Listen == "" {
-		conf.Listen = "127.0.0.1:53"
-	}
-	if len(conf.UpstreamGoogle) == 0 && len(conf.UpstreamIETF) == 0 {
-		conf.UpstreamGoogle = []string{"https://dns.google.com/resolve"}
-	}
-	if conf.Timeout == 0 {
-		conf.Timeout = 10
-	}
-
-	return conf, nil
-}
-
-type configError struct {
-	err string
-}
-
-func (e *configError) Error() string {
-	return e.err
-}
--- a/doh-server/config.go
+++ b/doh-server/config.go
@@ -25,20 +25,27 @@ package main

 import (
 	"fmt"
+	"regexp"

 	"github.com/BurntSushi/toml"
 )

 type config struct {
-	Listen   string   `toml:"listen"`
-	Cert     string   `toml:"cert"`
-	Key      string   `toml:"key"`
-	Path     string   `toml:"path"`
-	Upstream []string `toml:"upstream"`
-	Timeout  uint     `toml:"timeout"`
-	Tries    uint     `toml:"tries"`
-	TCPOnly  bool     `toml:"tcp_only"`
-	Verbose  bool     `toml:"verbose"`
+	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
+	LocalAddr           string   `toml:"local_addr"`
+	Cert                string   `toml:"cert"`
+	Key                 string   `toml:"key"`
+	Path                string   `toml:"path"`
+	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	Listen              []string `toml:"listen"`
+	Upstream            []string `toml:"upstream"`
+	Timeout             uint     `toml:"timeout"`
+	Tries               uint     `toml:"tries"`
+	Verbose             bool     `toml:"verbose"`
+	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
+	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
+	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
+	TLSClientAuth       bool     `toml:"tls_client_auth"`
 }

 func loadConfig(path string) (*config, error) {
@@ -51,14 +58,15 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{fmt.Sprintf("unknown option %q", key.String())}
 	}

-	if conf.Listen == "" {
-		conf.Listen = "127.0.0.1:8053"
+	if len(conf.Listen) == 0 {
+		conf.Listen = []string{"127.0.0.1:8053", "[::1]:8053"}
 	}
+
 	if conf.Path == "" {
 		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
+		conf.Upstream = []string{"udp:8.8.8.8:53", "udp:8.8.4.4:53"}
 	}
 	if conf.Timeout == 0 {
 		conf.Timeout = 10
@@ -71,9 +79,35 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}

+	// validate all upstreams
+	for _, us := range conf.Upstream {
+		address, t := addressAndType(us)
+		if address == "" {
+			return nil, &configError{"One of the upstreams has not a (udp|tcp|tcp-tls) prefix e.g. udp:1.1.1.1:53"}
+		}
+
+		switch t {
+		case "tcp", "udp", "tcp-tls":
+			// OK
+		default:
+			return nil, &configError{"Invalid upstream prefix specified, choose one of: udp tcp tcp-tls"}
+		}
+	}
+
 	return conf, nil
 }

+var rxUpstreamWithTypePrefix = regexp.MustCompile("^[a-z-]+(:)")
+
+func addressAndType(us string) (string, string) {
+	p := rxUpstreamWithTypePrefix.FindStringSubmatchIndex(us)
+	if len(p) != 4 {
+		return "", ""
+	}
+
+	return us[p[2]+1:], us[:p[2]]
+}
+
 type configError struct {
 	err string
 }
--- a/doh-server/doh-server.conf
+++ b/doh-server/doh-server.conf
@@ -1,10 +1,25 @@
 # HTTP listen port
-listen = "127.0.0.1:8053"
+listen = [
+    "127.0.0.1:8053",
+    "[::1]:8053",
+
+    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
+    # ":8053",
+]
+
+# Local address and port for upstream DNS
+# If left empty, a local address is automatically chosen.
+local_addr = ""

 # TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
 cert = ""

-# TLS key file
+# TLS private key file
 key = ""

 # HTTP path for resolve application
@@ -12,9 +27,16 @@ path = "/dns-query"

 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
+# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
+# For "udp", UDP will first be used, and switch to TCP when the server asks to
+# or the response is too large.
+# For "tcp", only TCP will be used.
+# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
-    "8.8.8.8:53",
-    "8.8.4.4:53",
+    "udp:1.1.1.1:53",
+    "udp:1.0.0.1:53",
+    "udp:8.8.8.8:53",
+    "udp:8.8.4.4:53",
 ]

 # Upstream timeout
@@ -23,8 +45,34 @@ timeout = 10
 # Number of tries if upstream DNS fails
 tries = 3

-# Only use TCP for DNS query
-tcp_only = false
-
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false
+
+# By default, non global IP addresses are never forwarded to upstream servers.
+# This is to prevent two things from happening:
+#   1. the upstream server knowing your private LAN addresses;
+#   2. the upstream server unable to provide geographically near results,
+#      or even fail to provide any result.
+# However, if you are deploying a split tunnel corporation network
+# environment, or for any other reason you want to inhibit this
+# behavior and allow local (eg RFC1918) address to be forwarded,
+# change the following option to "true".
+ecs_allow_non_global_ip = false
+
+# If ECS is added to the request, let the full IP address or
+# cap it to 24 or 128 mask. This option is to be used only on private
+# networks where knwoledge of the terminal endpoint may be required for
+# security purposes (eg. DNS Firewalling). Not a good option on the
+# internet where IP address may be used to identify the user and
+# not only the approximate location.
+ecs_use_precise_ip = false
+
+# If DOH is used for a controlled network, it is possible to enable
+# the client TLS certificate validation with a specific certificate
+# authority used to sign any client one. Disabled by default.
+# tls_client_auth = true
+# tls_client_auth_ca = "root-ca-public.crt"
--- a/doh-server/google.go
+++ b/doh-server/google.go
@@ -24,6 +24,7 @@
 package main

 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -33,12 +34,13 @@ import (
 	"strings"
 	"time"

-	"../json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

-func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNSRequest {
+func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
 	name := r.FormValue("name")
 	if name == "" {
 		return &DNSRequest{
@@ -46,7 +48,6 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			errtext: "Invalid argument value: \"name\"",
 		}
 	}
-	name = strings.ToLower(name)
 	if punycode, err := idna.ToASCII(name); err == nil {
 		name = punycode
 	} else {
@@ -72,9 +73,9 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS

 	cdStr := r.FormValue("cd")
 	cd := false
-	if cdStr == "1" || cdStr == "true" {
+	if cdStr == "1" || strings.EqualFold(cdStr, "true") {
 		cd = true
-	} else if cdStr == "0" || cdStr == "false" || cdStr == "" {
+	} else if cdStr == "0" || strings.EqualFold(cdStr, "false") || cdStr == "" {
 	} else {
 		return &DNSRequest{
 			errcode: 400,
@@ -90,45 +91,14 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 		if ednsClientSubnet == "0/0" {
 			ednsClientSubnet = "0.0.0.0/0"
 		}
-		slash := strings.IndexByte(ednsClientSubnet, '/')
-		if slash < 0 {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet)
-			if ednsClientAddress == nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
+
+		var err error
+		ednsClientFamily, ednsClientAddress, ednsClientNetmask, err = parseSubnet(ednsClientSubnet)
+		if err != nil {
+			return &DNSRequest{
+				errcode: 400,
+				errtext: err.Error(),
 			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
-			} else {
-				ednsClientFamily = 2
-				ednsClientNetmask = 48
-			}
-		} else {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
-			if ednsClientAddress == nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-			} else {
-				ednsClientFamily = 2
-			}
-			netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
-			if err != nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			ednsClientNetmask = uint8(netmask)
 		}
 	} else {
 		ednsClientAddress = s.findClientIP(r)
@@ -140,7 +110,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			ednsClientNetmask = 24
 		} else {
 			ednsClientFamily = 2
-			ednsClientNetmask = 48
+			ednsClientNetmask = 56
 		}
 	}

@@ -150,7 +120,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 	opt := new(dns.OPT)
 	opt.Hdr.Name = "."
 	opt.Hdr.Rrtype = dns.TypeOPT
-	opt.SetUDPSize(4096)
+	opt.SetUDPSize(dns.DefaultMsgSize)
 	opt.SetDo(true)
 	if ednsClientAddress != nil {
 		edns0Subnet := new(dns.EDNS0_SUBNET)
@@ -169,12 +139,51 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 	}
 }

-func (s *Server) generateResponseGoogle(w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsonDNS.Marshal(req.response)
+func parseSubnet(ednsClientSubnet string) (ednsClientFamily uint16, ednsClientAddress net.IP, ednsClientNetmask uint8, err error) {
+	slash := strings.IndexByte(ednsClientSubnet, '/')
+	if slash < 0 {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet)
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+			ednsClientNetmask = 24
+		} else {
+			ednsClientFamily = 2
+			ednsClientNetmask = 56
+		}
+	} else {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+		} else {
+			ednsClientFamily = 2
+		}
+		netmask, err1 := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
+		if err1 != nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		ednsClientNetmask = uint8(netmask)
+	}
+
+	return
+}
+
+func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsondns.Marshal(req.response)
 	respStr, err := json.Marshal(respJSON)
 	if err != nil {
 		log.Println(err)
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
+		jsondns.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
 		return
 	}

@@ -182,11 +191,12 @@ func (s *Server) generateResponseGoogle(w http.ResponseWriter, r *http.Request,
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
 	if respJSON.HaveTTL {
 		if req.isTailored {
-			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		} else {
-			w.Header().Set("Cache-Control", "public, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		}
 		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
 	}
--- a/doh-server/ietf.go
+++ b/doh-server/ietf.go
@@ -24,19 +24,24 @@
 package main

 import (
+	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
+	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

-	"../json-dns"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

-func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRequest {
+func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
 	requestBase64 := r.FormValue("dns")
 	requestBinary, err := base64.RawURLEncoding.DecodeString(requestBase64)
 	if err != nil {
@@ -45,8 +50,8 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 			errtext: fmt.Sprintf("Invalid argument value: \"dns\" = %q", requestBase64),
 		}
 	}
-	if len(requestBinary) == 0 && r.Header.Get("Content-Type") == "application/dns-udpwireformat" {
-		requestBinary, err = ioutil.ReadAll(r.Body)
+	if len(requestBinary) == 0 && (r.Header.Get("Content-Type") == "application/dns-message" || r.Header.Get("Content-Type") == "application/dns-udpwireformat") {
+		requestBinary, err = io.ReadAll(r.Body)
 		if err != nil {
 			return &DNSRequest{
 				errcode: 400,
@@ -57,9 +62,16 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 	if len(requestBinary) == 0 {
 		return &DNSRequest{
 			errcode: 400,
-			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
+			errtext: "Invalid argument value: \"dns\"",
 		}
 	}
+
+	if s.patchDNSCryptProxyReqID(w, r, requestBinary) {
+		return &DNSRequest{
+			errcode: 444,
+		}
+	}
+
 	msg := new(dns.Msg)
 	err = msg.Unpack(requestBinary)
 	if err != nil {
@@ -76,26 +88,35 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		if qclass, ok := dns.ClassToString[question.Qclass]; ok {
 			questionClass = qclass
 		} else {
-			questionClass = strconv.Itoa(int(question.Qclass))
+			questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
 		}
 		questionType := ""
 		if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 			questionType = qtype
 		} else {
-			questionType = strconv.Itoa(int(question.Qtype))
+			questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+		}
+		var clientip net.IP = nil
+		if s.conf.LogGuessedIP {
+			clientip = s.findClientIP(r)
+		}
+		if clientip != nil {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", clientip, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		} else {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 		}
-		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 	}

+	transactionID := msg.Id
 	msg.Id = dns.Id()
 	opt := msg.IsEdns0()
 	if opt == nil {
 		opt = new(dns.OPT)
 		opt.Hdr.Name = "."
 		opt.Hdr.Rrtype = dns.TypeOPT
-		opt.SetUDPSize(4096)
+		opt.SetUDPSize(dns.DefaultMsgSize)
 		opt.SetDo(false)
-		msg.Extra = append(msg.Extra, opt)
+		msg.Extra = append([]dns.RR{opt}, msg.Extra...)
 	}
 	var edns0Subnet *dns.EDNS0_SUBNET
 	for _, option := range opt.Option {
@@ -105,6 +126,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		}
 	}
 	isTailored := edns0Subnet == nil
+
 	if edns0Subnet == nil {
 		ednsClientFamily := uint16(0)
 		ednsClientAddress := s.findClientIP(r)
@@ -113,10 +135,20 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 32
+				} else {
+					ednsClientNetmask = 24
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(24, 32))
+				}
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 128
+				} else {
+					ednsClientNetmask = 56
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(56, 128))
+				}
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -129,35 +161,59 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 	}

 	return &DNSRequest{
-		request:    msg,
-		isTailored: isTailored,
+		request:       msg,
+		transactionID: transactionID,
+		isTailored:    isTailored,
 	}
 }

-func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsonDNS.Marshal(req.response)
-	req.response.Id = 0
+func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsondns.Marshal(req.response)
+	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
-		log.Println(err)
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
+		log.Printf("DNS packet construct failure with upstream %s: %v\n", req.currentUpstream, err)
+		jsondns.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
 		return
 	}

-	w.Header().Set("Content-Type", "application/dns-udpwireformat")
+	w.Header().Set("Content-Type", "application/dns-message")
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
+
 	if respJSON.HaveTTL {
 		if req.isTailored {
-			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		} else {
-			w.Header().Set("Cache-Control", "public, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		}
 		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
 	}
+
 	if respJSON.Status == dns.RcodeServerFailure {
+		log.Printf("received server failure from upstream %s: %v\n", req.currentUpstream, req.response)
 		w.WriteHeader(503)
 	}
-	w.Write(respBytes)
+	_, err = w.Write(respBytes)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
+	}
+}
+
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe.
+func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
+	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
+		if s.conf.Verbose {
+			log.Println("DNSCrypt-Proxy detected. Patching response.")
+		}
+		w.Header().Set("Content-Type", "application/dns-message")
+		w.Header().Set("Vary", "Accept, User-Agent")
+		now := time.Now().UTC().Format(http.TimeFormat)
+		w.Header().Set("Date", now)
+		w.Write([]byte("\xca\xfe\x81\x05\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\xa8\xa7\r\nWorkaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe\r\nRefer to https://github.com/jedisct1/dnscrypt-proxy/issues/526 for details."))
+		return true
+	}
+	return false
 }
--- a/doh-server/main.go
+++ b/doh-server/main.go
@@ -25,14 +25,80 @@ package main

 import (
 	"flag"
+	"fmt"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
 )

+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	if os.IsExist(err) {
+		pidStr, err := os.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-server.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()

+	if *showVersion {
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
 	conf, err := loadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
@@ -42,9 +108,9 @@ func main() {
 		conf.Verbose = true
 	}

-	server := NewServer(conf)
-	err = server.Start()
+	server, err := NewServer(conf)
 	if err != nil {
 		log.Fatalln(err)
 	}
+	_ = server.Start()
 }
--- a/doh-server/parse_test.go
+++ b/doh-server/parse_test.go
@@ -0,0 +1,119 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestParseCIDR(t *testing.T) {
+	t.Parallel()
+	for _, ednsClientSubnet := range []string{
+		"2001:db8::/0",
+		"2001:db8::/56",
+		"2001:db8::/129",
+		"2001:db8::",
+
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1/33",
+		"127.0.0.1",
+
+		"::ffff:7f00:1/0",
+		"::ffff:7f00:1/120",
+		"::ffff:7f00:1",
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1",
+	} {
+		_, ip, ipNet, err := parseSubnet(ednsClientSubnet)
+		if err != nil {
+			t.Errorf("ecs:%s ip:[%v]  ipNet:[%v]  err:[%v]", ednsClientSubnet, ip, ipNet, err)
+		}
+	}
+}
+
+func TestParseInvalidCIDR(t *testing.T) {
+	t.Parallel()
+
+	for _, ip := range []string{
+		"test",
+		"test/0",
+		"test/24",
+		"test/34",
+		"test/56",
+		"test/129",
+	} {
+		_, _, _, err := parseSubnet(ip)
+		if err == nil {
+			t.Errorf("expected error for %q", ip)
+		}
+	}
+}
+
+func TestEdns0SubnetParseCIDR(t *testing.T) {
+	t.Parallel()
+	// init dns Msg
+	msg := new(dns.Msg)
+	msg.Id = dns.Id()
+	msg.SetQuestion(dns.Fqdn("example.com"), 1)
+
+	// init edns0Subnet
+	edns0Subnet := new(dns.EDNS0_SUBNET)
+	edns0Subnet.Code = dns.EDNS0SUBNET
+	edns0Subnet.SourceScope = 0
+
+	// init opt
+	opt := new(dns.OPT)
+	opt.Hdr.Name = "."
+	opt.Hdr.Rrtype = dns.TypeOPT
+	opt.SetUDPSize(dns.DefaultMsgSize)
+
+	opt.Option = append(opt.Option, edns0Subnet)
+	msg.Extra = append(msg.Extra, opt)
+
+	for _, subnet := range []string{"::ffff:7f00:1/120", "127.0.0.1/24"} {
+		var err error
+		edns0Subnet.Family, edns0Subnet.Address, edns0Subnet.SourceNetmask, err = parseSubnet(subnet)
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+		t.Log(msg.Pack())
+	}
+
+	// ------127.0.0.1/24-----
+	// [143 29 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start   0 41 16 0 0 0 0 0 0 11
+	// subnet start 0 8 0 7 0 1 24 0
+	// client subnet start 127 0 0]
+
+	// -----::ffff:7f00:1/120----
+	// [111 113 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start  0 41 16 0 0 0 0 0 0 23
+	// subnet start  0 8 0 19 0 2 120 0
+	// client subnet start 0 0 0 0 0 0 0 0 0 0 255 255 127 0 0]
+}
--- a/doh-server/server.go
+++ b/doh-server/server.go
@@ -24,6 +24,9 @@
 package main

 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"log"
 	"math/rand"
@@ -33,41 +36,73 @@ import (
 	"strings"
 	"time"

-	"../json-dns"
 	"github.com/gorilla/handlers"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )

 type Server struct {
-	conf      *config
-	udpClient *dns.Client
-	tcpClient *dns.Client
-	servemux  *http.ServeMux
+	conf         *config
+	udpClient    *dns.Client
+	tcpClient    *dns.Client
+	tcpClientTLS *dns.Client
+	servemux     *http.ServeMux
 }

 type DNSRequest struct {
-	request    *dns.Msg
-	response   *dns.Msg
-	isTailored bool
-	errcode    int
-	errtext    string
+	request         *dns.Msg
+	response        *dns.Msg
+	currentUpstream string
+	errtext         string
+	errcode         int
+	transactionID   uint16
+	isTailored      bool
 }

-func NewServer(conf *config) (s *Server) {
-	s = &Server{
+func NewServer(conf *config) (*Server, error) {
+	timeout := time.Duration(conf.Timeout) * time.Second
+	s := &Server{
 		conf: conf,
 		udpClient: &dns.Client{
 			Net:     "udp",
-			Timeout: time.Duration(conf.Timeout) * time.Second,
+			UDPSize: dns.DefaultMsgSize,
+			Timeout: timeout,
 		},
 		tcpClient: &dns.Client{
 			Net:     "tcp",
-			Timeout: time.Duration(conf.Timeout) * time.Second,
+			Timeout: timeout,
+		},
+		tcpClientTLS: &dns.Client{
+			Net:     "tcp-tls",
+			Timeout: timeout,
 		},
 		servemux: http.NewServeMux(),
 	}
+	if conf.LocalAddr != "" {
+		udpLocalAddr, err := net.ResolveUDPAddr("udp", conf.LocalAddr)
+		if err != nil {
+			return nil, err
+		}
+		tcpLocalAddr, err := net.ResolveTCPAddr("tcp", conf.LocalAddr)
+		if err != nil {
+			return nil, err
+		}
+		s.udpClient.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: udpLocalAddr,
+		}
+		s.tcpClient.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: tcpLocalAddr,
+		}
+		s.tcpClientTLS.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: tcpLocalAddr,
+		}
+	}
 	s.servemux.HandleFunc(conf.Path, s.handlerFunc)
-	return
+	return s, nil
 }

 func (s *Server) Start() error {
@@ -75,20 +110,106 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
-	if s.conf.Cert != "" || s.conf.Key != "" {
-		return http.ListenAndServeTLS(s.conf.Listen, s.conf.Cert, s.conf.Key, servemux)
+
+	var clientCAPool *x509.CertPool
+	if s.conf.TLSClientAuth {
+		if s.conf.TLSClientAuthCA != "" {
+			clientCA, err := os.ReadFile(s.conf.TLSClientAuthCA)
+			if err != nil {
+				log.Fatalf("Reading certificate for client authentication has failed: %v", err)
+			}
+			clientCAPool = x509.NewCertPool()
+			clientCAPool.AppendCertsFromPEM(clientCA)
+			log.Println("Certificate loaded for client TLS authentication")
+		} else {
+			log.Fatalln("TLS client authentication requires both tls_client_auth and tls_client_auth_ca, exiting.")
+		}
 	}
-	return http.ListenAndServe(s.conf.Listen, servemux)
+
+	results := make(chan error, len(s.conf.Listen))
+	for _, addr := range s.conf.Listen {
+		go func(addr string) {
+			var err error
+			if s.conf.Cert != "" || s.conf.Key != "" {
+				if clientCAPool != nil {
+					srvtls := &http.Server{
+						Handler: servemux,
+						Addr:    addr,
+						TLSConfig: &tls.Config{
+							ClientCAs:  clientCAPool,
+							ClientAuth: tls.RequireAndVerifyClientCert,
+							GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
+								c, err := tls.LoadX509KeyPair(s.conf.Cert, s.conf.Key)
+								if err != nil {
+									fmt.Printf("Error loading server certificate key pair: %v\n", err)
+									return nil, err
+								}
+								return &c, nil
+							},
+						},
+					}
+					err = srvtls.ListenAndServeTLS("", "")
+				} else {
+					err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+				}
+			} else {
+				err = http.ListenAndServe(addr, servemux)
+			}
+			if err != nil {
+				log.Println(err)
+			}
+			results <- err
+		}(addr)
+	}
+	// wait for all handlers
+	for i := 0; i < cap(results); i++ {
+		err := <-results
+		if err != nil {
+			return err
+		}
+	}
+	close(results)
+	return nil
 }

 func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Server", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
-	w.Header().Set("X-Powered-By", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
+	ctx := r.Context()
+
+	if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+		if strings.ContainsRune(realIP, ':') {
+			r.RemoteAddr = "[" + realIP + "]:0"
+		} else {
+			r.RemoteAddr = realIP + ":0"
+		}
+		_, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			r.RemoteAddr = realIP
+		}
+	}
+
+	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Max-Age", "3600")
+	w.Header().Set("Server", USER_AGENT)
+	w.Header().Set("X-Powered-By", USER_AGENT)
+
+	if r.Method == "OPTIONS" {
+		w.Header().Set("Content-Length", "0")
+		return
+	}

 	if r.Form == nil {
 		const maxMemory = 32 << 20 // 32 MB
 		r.ParseMultipartForm(maxMemory)
 	}
+
+	for _, header := range s.conf.DebugHTTPHeaders {
+		if value := r.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
+		}
+	}
+
 	contentType := r.Header.Get("Content-Type")
 	if ct := r.FormValue("ct"); ct != "" {
 		contentType = ct
@@ -96,68 +217,84 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	if contentType == "" {
 		// Guess request Content-Type based on other parameters
 		if r.FormValue("name") != "" {
-			contentType = "application/x-www-form-urlencoded"
+			contentType = "application/dns-json"
 		} else if r.FormValue("dns") != "" {
-			contentType = "application/dns-udpwireformat"
+			contentType = "application/dns-message"
 		}
 	}
 	var responseType string
 	for _, responseCandidate := range strings.Split(r.Header.Get("Accept"), ",") {
-		responseCandidate = strings.ToLower(strings.SplitN(responseCandidate, ";", 2)[0])
+		responseCandidate = strings.SplitN(responseCandidate, ";", 2)[0]
 		if responseCandidate == "application/json" {
 			responseType = "application/json"
 			break
 		} else if responseCandidate == "application/dns-udpwireformat" {
-			responseType = "application/dns-udpwireformat"
+			responseType = "application/dns-message"
+			break
+		} else if responseCandidate == "application/dns-message" {
+			responseType = "application/dns-message"
 			break
 		}
 	}
 	if responseType == "" {
 		// Guess response Content-Type based on request Content-Type
-		if contentType == "application/x-www-form-urlencoded" {
+		if contentType == "application/dns-json" {
 			responseType = "application/json"
+		} else if contentType == "application/dns-message" {
+			responseType = "application/dns-message"
 		} else if contentType == "application/dns-udpwireformat" {
-			responseType = "application/dns-udpwireformat"
+			responseType = "application/dns-message"
 		}
 	}

 	var req *DNSRequest
-	if contentType == "application/x-www-form-urlencoded" {
-		req = s.parseRequestGoogle(w, r)
+	if contentType == "application/dns-json" {
+		req = s.parseRequestGoogle(ctx, w, r)
+	} else if contentType == "application/dns-message" {
+		req = s.parseRequestIETF(ctx, w, r)
 	} else if contentType == "application/dns-udpwireformat" {
-		req = s.parseRequestIETF(w, r)
+		req = s.parseRequestIETF(ctx, w, r)
 	} else {
-		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		jsondns.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		return
+	}
+	if req.errcode == 444 {
 		return
 	}
 	if req.errcode != 0 {
-		jsonDNS.FormatError(w, req.errtext, req.errcode)
+		jsondns.FormatError(w, req.errtext, req.errcode)
 		return
 	}

-	var err error
-	req.response, err = s.doDNSQuery(req.request)
+	req = s.patchRootRD(req)
+
+	err := s.doDNSQuery(ctx, req)
 	if err != nil {
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
+		jsondns.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
 	}

 	if responseType == "application/json" {
-		s.generateResponseGoogle(w, r, req)
-	} else if responseType == "application/dns-udpwireformat" {
-		s.generateResponseIETF(w, r, req)
+		s.generateResponseGoogle(ctx, w, r, req)
+	} else if responseType == "application/dns-message" {
+		s.generateResponseIETF(ctx, w, r, req)
 	} else {
 		panic("Unknown response Content-Type")
 	}
 }

 func (s *Server) findClientIP(r *http.Request) net.IP {
+	noEcs := r.URL.Query().Get("no_ecs")
+	if strings.EqualFold(noEcs, "true") {
+		return nil
+	}
+
 	XForwardedFor := r.Header.Get("X-Forwarded-For")
 	if XForwardedFor != "" {
 		for _, addr := range strings.Split(XForwardedFor, ",") {
 			addr = strings.TrimSpace(addr)
 			ip := net.ParseIP(addr)
-			if jsonDNS.IsGlobalIP(ip) {
+			if jsondns.IsGlobalIP(ip) {
 				return ip
 			}
 		}
@@ -166,37 +303,80 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	if XRealIP != "" {
 		addr := strings.TrimSpace(XRealIP)
 		ip := net.ParseIP(addr)
-		if jsonDNS.IsGlobalIP(ip) {
+		if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 			return ip
 		}
 	}
+
 	remoteAddr, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		return nil
 	}
-	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
+	ip := remoteAddr.IP
+	if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 		return ip
 	}
 	return nil
 }

-func (s *Server) doDNSQuery(msg *dns.Msg) (resp *dns.Msg, err error) {
+// Workaround a bug causing Unbound to refuse returning anything about the root.
+func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
+	for _, question := range req.request.Question {
+		if question.Name == "." {
+			req.request.RecursionDesired = true
+		}
+	}
+	return req
+}
+
+// Return the position index for the question of qtype from a DNS msg, otherwise return -1.
+func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
+	for i, question := range msg.Question {
+		if question.Qtype == qtype {
+			return i
+		}
+	}
+	return -1
+}
+
+func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (err error) {
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
-		server := s.conf.Upstream[rand.Intn(numServers)]
-		if !s.conf.TCPOnly {
-			resp, _, err = s.udpClient.Exchange(msg, server)
-			if err == dns.ErrTruncated {
-				log.Println(err)
-				resp, _, err = s.tcpClient.Exchange(msg, server)
+		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
+
+		upstream, t := addressAndType(req.currentUpstream)
+
+		switch t {
+		default:
+			log.Printf("invalid DNS type %q in upstream %q", t, upstream)
+			return &configError{"invalid DNS type"}
+		// Use DNS-over-TLS (DoT) if configured to do so
+		case "tcp-tls":
+			req.response, _, err = s.tcpClientTLS.ExchangeContext(ctx, req.request, upstream)
+		case "tcp", "udp":
+			// Use TCP if always configured to or if the Query type dictates it (AXFR)
+			if t == "tcp" || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
+				req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+			} else {
+				req.response, _, err = s.udpClient.ExchangeContext(ctx, req.request, upstream)
+				if err == nil && req.response != nil && req.response.Truncated {
+					log.Println(err)
+					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+				}
+
+				// Retry with TCP if this was an IXFR request, and we only received an SOA
+				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
+					(len(req.response.Answer) == 1) &&
+					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
+					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+				}
 			}
-		} else {
-			resp, _, err = s.tcpClient.Exchange(msg, server)
 		}
+
 		if err == nil {
-			return
+			return nil
 		}
-		log.Println(err)
+		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return
+	return err
 }
--- a/doh-server/version.go
+++ b/doh-server/version.go
@@ -0,0 +1,29 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+const (
+	VERSION    = "2.3.6"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+)
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,20 @@
+module github.com/m13253/dns-over-https/v2
+
+go 1.20
+
+require (
+	github.com/BurntSushi/toml v1.4.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc
+	github.com/miekg/dns v1.1.61
+	golang.org/x/net v0.27.0
+)
+
+require (
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,26 @@
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc h1:RhT2pjLo3EVRmldbEcBdeRA7CGPWsNEJC+Y/N1aXQbg=
+github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
+github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs=
+github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/json-dns/error.go
+++ b/json-dns/error.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */

-package jsonDNS
+package jsondns

 import (
 	"encoding/json"
@@ -38,11 +38,11 @@ type dnsError struct {

 func FormatError(w http.ResponseWriter, comment string, errcode int) {
 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
-	errJson := dnsError{
+	errJSON := dnsError{
 		Status:  dns.RcodeServerFailure,
 		Comment: comment,
 	}
-	errStr, err := json.Marshal(errJson)
+	errStr, err := json.Marshal(errJSON)
 	if err != nil {
 		log.Fatalln(err)
 	}
--- a/json-dns/globalip.go
+++ b/json-dns/globalip.go
@@ -21,109 +21,110 @@
   DEALINGS IN THE SOFTWARE.
 */

-package jsonDNS
+package jsondns

 import (
 	"net"
+
+	"github.com/infobloxopen/go-trees/iptree"
 )

-// RFC6890
-var localIPv4Nets = []net.IPNet{
-	// This host on this network
-	net.IPNet{
-		net.IP{0, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{10, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Shared Address Space
-	net.IPNet{
-		net.IP{100, 64, 0, 0},
-		net.IPMask{255, 192, 0, 0},
-	},
-	// Loopback
-	net.IPNet{
-		net.IP{127, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Link Local
-	net.IPNet{
-		net.IP{169, 254, 0, 0},
-		net.IPMask{255, 255, 0, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{172, 16, 0, 0},
-		net.IPMask{255, 240, 0, 0},
-	},
-	// DS-Lite
-	net.IPNet{
-		net.IP{192, 0, 0, 0},
-		net.IPMask{255, 255, 255, 248},
-	},
-	// 6to4 Relay Anycast
-	net.IPNet{
-		net.IP{192, 88, 99, 0},
-		net.IPMask{255, 255, 255, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{192, 168, 0, 0},
-		net.IPMask{255, 255, 0, 0},
-	},
-	// Reserved for Future Use & Limited Broadcast
-	net.IPNet{
-		net.IP{240, 0, 0, 0},
-		net.IPMask{240, 0, 0, 0},
-	},
-}
+var defaultFilter *iptree.Tree

-// RFC6890
-var localIPv6Nets = []net.IPNet{
+func init() {
+	defaultFilter = iptree.NewTree()
+
+	// RFC6890
+	// This host on this network
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{10, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Shared Address Space
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{100, 64, 0, 0},
+		Mask: net.IPMask{255, 192, 0, 0},
+	}, struct{}{})
+
+	// Loopback
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{127, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Link Local
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{169, 254, 0, 0},
+		Mask: net.IPMask{255, 255, 0, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{172, 16, 0, 0},
+		Mask: net.IPMask{255, 240, 0, 0},
+	}, struct{}{})
+
+	// DS-Lite
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 0, 0, 0},
+		Mask: net.IPMask{255, 255, 255, 248},
+	}, struct{}{})
+
+	// 6to4 Relay Anycast
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 88, 99, 0},
+		Mask: net.IPMask{255, 255, 255, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 168, 0, 0},
+		Mask: net.IPMask{255, 255, 0, 0},
+	}, struct{}{})
+
+	// Reserved for Future Use & Limited Broadcast
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{240, 0, 0, 0},
+		Mask: net.IPMask{240, 0, 0, 0},
+	}, struct{}{})
+
+	// RFC6890
 	// Unspecified & Loopback Address
-	net.IPNet{
-		net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
+	}, struct{}{})
+
 	// Discard-Only Prefix
-	net.IPNet{
-		net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
+
 	// Unique-Local
-	net.IPNet{
-		net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
+
 	// Linked-Scoped Unicast
-	net.IPNet{
-		net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
 }

 func IsGlobalIP(ip net.IP) bool {
 	if ip == nil {
 		return false
 	}
-	if ipv4 := ip.To4(); len(ipv4) == net.IPv4len {
-		for _, ipnet := range localIPv4Nets {
-			if ipnet.Contains(ip) {
-				return false
-			}
-		}
-		return true
-	}
-	if len(ip) == net.IPv6len {
-		for _, ipnet := range localIPv6Nets {
-			if ipnet.Contains(ip) {
-				return false
-			}
-		}
-		return true
-	}
-	return true
+	_, contained := defaultFilter.GetByIP(ip)
+	return !contained
 }
--- a/json-dns/globalip_test.go
+++ b/json-dns/globalip_test.go
@@ -0,0 +1,34 @@
+package jsondns
+
+import (
+	"fmt"
+	"net"
+)
+
+func ExampleIsGlobalIP() {
+	fmt.Println(IsGlobalIP(net.ParseIP("127.0.0.1")))
+	fmt.Println(IsGlobalIP(net.IP{192, 168, 1, 1}))
+	fmt.Println(IsGlobalIP(net.ParseIP("8.8.8.8")))
+	fmt.Println(IsGlobalIP(net.IP{8, 8, 4, 4}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::1")))
+	fmt.Println(IsGlobalIP(net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}))
+	fmt.Println(IsGlobalIP(net.ParseIP("2001:4860:4860::8888")))
+	fmt.Println(IsGlobalIP(net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x44}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:127.0.0.1")))
+	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 192, 168, 1, 1}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:808:808")))
+	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 8, 8, 4, 4}))
+	// Output:
+	// false
+	// false
+	// true
+	// true
+	// false
+	// false
+	// true
+	// true
+	// false
+	// false
+	// true
+	// true
+}
--- a/json-dns/marshal.go
+++ b/json-dns/marshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */

-package jsonDNS
+package jsondns

 import (
 	"net"
@@ -90,7 +90,7 @@ func Marshal(msg *dns.Msg) *Response {
 					} else if ipv4 := clientAddress.To4(); ipv4 != nil {
 						clientAddress = ipv4
 					}
-					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.Itoa(int(edns0.SourceScope))
+					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.FormatUint(uint64(edns0.SourceScope), 10)
 				}
 			}
 			continue
--- a/json-dns/response.go
+++ b/json-dns/response.go
@@ -21,12 +21,32 @@
   DEALINGS IN THE SOFTWARE.
 */

-package jsonDNS
+package jsondns

 import (
+	"encoding/json"
 	"time"
 )

+type QuestionList []Question
+
+func (ql *QuestionList) UnmarshalJSON(b []byte) error {
+	// Fix variant question response in Response.Question
+	//
+	// Solution taken from:
+	//	https://engineering.bitnami.com/articles/dealing-with-json-with-non-homogeneous-types-in-go.html
+	//	https://archive.is/NU4zR
+	if len(b) > 0 && b[0] == '[' {
+		return json.Unmarshal(b, (*[]Question)(ql))
+	}
+	var q Question
+	if err := json.Unmarshal(b, &q); err != nil {
+		return err
+	}
+	*ql = []Question{q}
+	return nil
+}
+
 type Response struct {
 	// Standard DNS response code (32 bit integer)
 	Status uint32 `json:"Status"`
@@ -40,13 +60,13 @@ type Response struct {
 	// FIXME: We don't have DNSSEC yet! This bit is not reliable!
 	AD bool `json:"AD"`
 	// Whether the client asked to disable DNSSEC
-	CD               bool       `json:"CD"`
-	Question         []Question `json:"Question"`
-	Answer           []RR       `json:"Answer,omitempty"`
-	Authority        []RR       `json:"Authority,omitempty"`
-	Additional       []RR       `json:"Additional,omitempty"`
-	Comment          string     `json:"Comment,omitempty"`
-	EdnsClientSubnet string     `json:"edns_client_subnet,omitempty"`
+	CD               bool         `json:"CD"`
+	Question         QuestionList `json:"Question"`
+	Answer           []RR         `json:"Answer,omitempty"`
+	Authority        []RR         `json:"Authority,omitempty"`
+	Additional       []RR         `json:"Additional,omitempty"`
+	Comment          string       `json:"Comment,omitempty"`
+	EdnsClientSubnet string       `json:"edns_client_subnet,omitempty"`
 	// Least time-to-live
 	HaveTTL         bool      `json:"-"`
 	LeastTTL        uint32    `json:"-"`
--- a/json-dns/unmarshal.go
+++ b/json-dns/unmarshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */

-package jsonDNS
+package jsondns

 import (
 	"fmt"
@@ -38,7 +38,7 @@ func PrepareReply(req *dns.Msg) *dns.Msg {
 	reply := new(dns.Msg)
 	reply.Id = req.Id
 	reply.Response = true
-	reply.Opcode = reply.Opcode
+	reply.Opcode = req.Opcode
 	reply.RecursionDesired = req.RecursionDesired
 	reply.RecursionAvailable = req.RecursionDesired
 	reply.CheckingDisabled = req.CheckingDisabled
@@ -119,7 +119,7 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 			if ednsClientFamily == 1 {
 				ednsClientNetmask = 24
 			} else {
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 		}
 		edns0Subnet := new(dns.EDNS0_SUBNET)
--- a/launchd/Makefile
+++ b/launchd/Makefile
@@ -0,0 +1,16 @@
+.PHONY: install uninstall
+
+PREFIX = /usr/local
+LAUNCHD_DIR = /Library/LaunchDaemons
+
+install:
+	mkdir -p "$(DESTDIR)$(LAUNCHD_DIR)"
+	install -m0644 doh-client.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist"
+	install -m0644 doh-server.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"
+	@echo
+	@echo 'Note:'
+	@echo '    Use "sudo launchctl load $(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" to start doh-client,'
+	@echo '    use "sudo launchctl load -w $(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist" to enable doh-server.'
+
+uninstall:
+	rm -f "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"
--- a/launchd/doh-client.plist
+++ b/launchd/doh-client.plist
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.client</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-logger</string>
+			<string>doh-client</string>
+			<string>/usr/local/bin/doh-client</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-client.conf</string>
+		</array>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>
--- a/launchd/doh-server.plist
+++ b/launchd/doh-server.plist
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.server</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-logger</string>
+			<string>doh-server</string>
+			<string>/usr/local/bin/doh-server</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-server.conf</string>
+		</array>
+		<key>Disabled</key>
+		<true/>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>
--- a/systemd/Makefile
+++ b/systemd/Makefile
@@ -1,6 +1,5 @@
 .PHONY: install uninstall

-PREFIX = /usr/local
 SYSTEMD_DIR = /usr/lib/systemd
 SYSTEMD_UNIT_DIR = $(SYSTEMD_DIR)/system

--- a/systemd/doh-client.service
+++ b/systemd/doh-client.service
@@ -12,7 +12,7 @@ LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
-User=nobody
+DynamicUser=yes

 [Install]
 WantedBy=multi-user.target
--- a/systemd/doh-server.service
+++ b/systemd/doh-server.service
@@ -10,7 +10,7 @@ LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
-User=nobody
+DynamicUser=yes

 [Install]
 WantedBy=multi-user.target