Merge f0a42c5a81 into b9d5e5ba0f

Squashed commit of the following:

commit 7f15bcb2a679dabb217ebfd46d280e6235070606
Merge: 0f2efaab9 c1ee2c7e5
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Apr 24 20:01:42 2024 +0300

    Merge branch 'master' into fix-i18n

commit 0f2efaab94fd79b49ea8fc72312392c833072f62
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Apr 24 19:54:35 2024 +0300

    client: imp i18n

CHANGELOG.md

@@ -34,6 +34,10 @@ NOTE: Add new changes BELOW THIS COMMENT.
 
 ### Fixed
 
+- Support for link-local subnets, i.e. `fe80::/16`, as client identifiers
+  ([#6312]).
+- Issues with QUIC and HTTP/3 upstreams on older Linux kernel versions
+  ([#6422]).
 - YouTube restricted mode is not enforced by HTTPS queries on Firefox.
 - Support for link-local subnets, i.e. `fe80::/16`, in the access settings
   ([#6192]).
@@ -49,6 +53,8 @@ NOTE: Add new changes BELOW THIS COMMENT.
 [#5345]: https://github.com/AdguardTeam/AdGuardHome/issues/5345
 [#5812]: https://github.com/AdguardTeam/AdGuardHome/issues/5812
 [#6192]: https://github.com/AdguardTeam/AdGuardHome/issues/6192
+[#6312]: https://github.com/AdguardTeam/AdGuardHome/issues/6312
+[#6422]: https://github.com/AdguardTeam/AdGuardHome/issues/6422
 [#6854]: https://github.com/AdguardTeam/AdGuardHome/issues/6854
 [#6875]: https://github.com/AdguardTeam/AdGuardHome/issues/6875
 [#6882]: https://github.com/AdguardTeam/AdGuardHome/issues/6882

client/src/__locales/en.json

@@ -13,14 +13,14 @@
     "fallback_dns_desc": "List of fallback DNS servers used when upstream DNS servers are not responding. The syntax is the same as in the main upstreams field above.",
     "fallback_dns_placeholder": "Enter one fallback DNS server per line",
     "local_ptr_title": "Private reverse DNS servers",
-    "local_ptr_desc": "The DNS servers that AdGuard Home uses for private PTR, SOA, and NS queries. The request is considered private if it asks for ARPA domain containing a subnet within private IP ranges, for example \"192.168.12.34\", and came from a client with private address. If not set, AdGuard Home uses the addresses of the default DNS resolvers of your OS except for the addresses of AdGuard Home itself.",
+    "local_ptr_desc": "DNS servers used by AdGuard Home for private PTR, SOA, and NS requests. A request is considered private if it asks for an ARPA domain containing a subnet within private IP ranges (such as \"192.168.12.34\") and comes from a client with a private IP address. If not set, the default DNS resolvers of your OS will be used, except for the AdGuard Home IP addresses.",
     "local_ptr_default_resolver": "By default, AdGuard Home uses the following reverse DNS resolvers: {{ip}}.",
     "local_ptr_no_default_resolver": "AdGuard Home could not determine suitable private reverse DNS resolvers for this system.",
     "local_ptr_placeholder": "Enter one IP address per line",
     "resolve_clients_title": "Enable reverse resolving of clients' IP addresses",
     "resolve_clients_desc": "Reversely resolve clients' IP addresses into their hostnames by sending PTR queries to corresponding resolvers (private DNS servers for local clients, upstream servers for clients with public IP addresses).",
     "use_private_ptr_resolvers_title": "Use private reverse DNS resolvers",
-    "use_private_ptr_resolvers_desc": "Resolve PTR, SOA, and NS requests for ARPA domains containing private addresses using private upstream servers, DHCP, /etc/hosts, and so on. If disabled, AdGuard Home responds with NXDOMAIN to all such queries.",
+    "use_private_ptr_resolvers_desc": "Resolve PTR, SOA, and NS requests for ARPA domains containing private IP addresses through private upstream servers, DHCP, /etc/hosts, etc. If disabled, AdGuard Home will respond to all such requests with NXDOMAIN.",
     "check_dhcp_servers": "Check for DHCP servers",
     "save_config": "Save configuration",
     "enabled_dhcp": "DHCP server enabled",

go.mod

@@ -3,7 +3,8 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.22.2
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.70.0
+	// TODO(a.garipov): Use a tagged version once released.
+	github.com/AdguardTeam/dnsproxy v0.70.1-0.20240424112457-69feed2dd25e
 	github.com/AdguardTeam/golibs v0.23.2
 	github.com/AdguardTeam/urlfilter v0.18.0
 	github.com/NYTimes/gziphandler v1.1.1
@@ -28,7 +29,8 @@ require (
 	// own code for that.  Perhaps, use gopacket.
 	github.com/mdlayher/raw v0.1.0
 	github.com/miekg/dns v1.1.58
-	github.com/quic-go/quic-go v0.42.0
+	// TODO(a.garipov): Use a tagged version once released.
+	github.com/quic-go/quic-go v0.42.1-0.20240424132812-713525777535
 	github.com/stretchr/testify v1.9.0
 	github.com/ti-mo/netfilter v0.5.1
 	go.etcd.io/bbolt v1.3.9

go.sum

@@ -1,5 +1,5 @@
-github.com/AdguardTeam/dnsproxy v0.70.0 h1:lwPQ+pfyCuorrP6RS90K628bRn8uvvTlnRyQuLKnf2o=
-github.com/AdguardTeam/dnsproxy v0.70.0/go.mod h1:zpA9eBxakSyjKC/bUac+UPSYTp/Q43aOmNlBV2/D6ug=
+github.com/AdguardTeam/dnsproxy v0.70.1-0.20240424112457-69feed2dd25e h1:ju0wprmCakjAOIuvKrmLU+hUFiStIsreWVk4JWmQPm0=
+github.com/AdguardTeam/dnsproxy v0.70.1-0.20240424112457-69feed2dd25e/go.mod h1:eWyFj9zVMdJ4tjHULulfFIXiu6GID/aVvewLVVXLXWE=
 github.com/AdguardTeam/golibs v0.23.2 h1:rMjYantwtQ39e8G4zBQ6ZLlm4s3XH30Bc9VxhoOHwao=
 github.com/AdguardTeam/golibs v0.23.2/go.mod h1:o9i55Sx6v7qogRQeqaBfmLbC/pZqeMBWi015U5PTDY0=
 github.com/AdguardTeam/urlfilter v0.18.0 h1:ZZzwODC/ADpjJSODxySrrUnt/fvOCfGFaCW6j+wsGfQ=
@@ -101,8 +101,8 @@ github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/quic-go v0.42.0 h1:uSfdap0eveIl8KXnipv9K7nlwZ5IqLlYOpJ58u5utpM=
-github.com/quic-go/quic-go v0.42.0/go.mod h1:132kz4kL3F9vxhW3CtQJLDVwcFe5wdWeJXXijhsO57M=
+github.com/quic-go/quic-go v0.42.1-0.20240424132812-713525777535 h1:63/XLGwhqZUU0L4DPWihJH9tyqwmvfaxNPjU9I/Av/M=
+github.com/quic-go/quic-go v0.42.1-0.20240424132812-713525777535/go.mod h1:132kz4kL3F9vxhW3CtQJLDVwcFe5wdWeJXXijhsO57M=
 github.com/shirou/gopsutil/v3 v3.23.7 h1:C+fHO8hfIppoJ1WdsVm1RoI0RwXoNdfTK7yWXV0wVj4=
 github.com/shirou/gopsutil/v3 v3.23.7/go.mod h1:c4gnmoRC0hQuaLqvxnx1//VXQ0Ms/X9UnJF8pddY5z4=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=

internal/client/index.go

@@ -197,8 +197,10 @@ func (ci *Index) findByIP(ip netip.Addr) (c *Persistent, found bool) {
 		return ci.uidToClient[uid], true
 	}
 
+	ipWithoutZone := ip.WithZone("")
 	ci.subnetToUID.Range(func(pref netip.Prefix, id UID) (cont bool) {
-		if pref.Contains(ip) {
+		// Remove zone before checking because prefixes strip zones.
+		if pref.Contains(ipWithoutZone) {
 			uid, found = id, true
 
 			return false
@@ -214,6 +216,26 @@ func (ci *Index) findByIP(ip netip.Addr) (c *Persistent, found bool) {
 	return nil, false
 }
 
+// FindByIPWithoutZone finds a persistent client by IP address without zone.  It
+// strips the IPv6 zone index from the stored IP addresses before comparing,
+// because querylog entries don't have it.  See TODO on [querylog.logEntry.IP].
+//
+// Note that multiple clients can have the same IP address with different zones.
+// Therefore, the result of this method is indeterminate.
+func (ci *Index) FindByIPWithoutZone(ip netip.Addr) (c *Persistent) {
+	if (ip == netip.Addr{}) {
+		return nil
+	}
+
+	for addr, uid := range ci.ipToUID {
+		if addr.WithZone("") == ip {
+			return ci.uidToClient[uid]
+		}
+	}
+
+	return nil
+}
+
 // find finds persistent client by MAC.
 func (ci *Index) findByMAC(mac net.HardwareAddr) (c *Persistent, found bool) {
 	k := macToKey(mac)

internal/client/index_internal_test.go

@@ -35,27 +35,49 @@ func TestClientIndex(t *testing.T) {
 
 		cliID  = "client-id"
 		cliMAC = "11:11:11:11:11:11"
+
+		linkLocalIP     = "fe80::abcd:abcd:abcd:ab%eth0"
+		linkLocalSubnet = "fe80::/16"
 	)
 
-	clients := []*Persistent{{
-		Name: "client1",
-		IPs: []netip.Addr{
-			netip.MustParseAddr(cliIP1),
-			netip.MustParseAddr(cliIPv6),
-		},
-	}, {
-		Name:    "client2",
-		IPs:     []netip.Addr{netip.MustParseAddr(cliIP2)},
-		Subnets: []netip.Prefix{netip.MustParsePrefix(cliSubnet)},
-	}, {
-		Name: "client_with_mac",
-		MACs: []net.HardwareAddr{mustParseMAC(cliMAC)},
-	}, {
-		Name:      "client_with_id",
-		ClientIDs: []string{cliID},
-	}}
+	var (
+		clientWithBothFams = &Persistent{
+			Name: "client1",
+			IPs: []netip.Addr{
+				netip.MustParseAddr(cliIP1),
+				netip.MustParseAddr(cliIPv6),
+			},
+		}
 
-	ci := newIDIndex(clients)
+		clientWithSubnet = &Persistent{
+			Name:    "client2",
+			IPs:     []netip.Addr{netip.MustParseAddr(cliIP2)},
+			Subnets: []netip.Prefix{netip.MustParsePrefix(cliSubnet)},
+		}
+
+		clientWithMAC = &Persistent{
+			Name: "client_with_mac",
+			MACs: []net.HardwareAddr{mustParseMAC(cliMAC)},
+		}
+
+		clientWithID = &Persistent{
+			Name:      "client_with_id",
+			ClientIDs: []string{cliID},
+		}
+
+		clientLinkLocal = &Persistent{
+			Name:    "client_link_local",
+			Subnets: []netip.Prefix{netip.MustParsePrefix(linkLocalSubnet)},
+		}
+	)
+
+	ci := newIDIndex([]*Persistent{
+		clientWithBothFams,
+		clientWithSubnet,
+		clientWithMAC,
+		clientWithID,
+		clientLinkLocal,
+	})
 
 	testCases := []struct {
 		want *Persistent
@@ -64,19 +86,23 @@ func TestClientIndex(t *testing.T) {
 	}{{
 		name: "ipv4_ipv6",
 		ids:  []string{cliIP1, cliIPv6},
-		want: clients[0],
+		want: clientWithBothFams,
 	}, {
 		name: "ipv4_subnet",
 		ids:  []string{cliIP2, cliSubnetIP},
-		want: clients[1],
+		want: clientWithSubnet,
 	}, {
 		name: "mac",
 		ids:  []string{cliMAC},
-		want: clients[2],
+		want: clientWithMAC,
 	}, {
 		name: "client_id",
 		ids:  []string{cliID},
-		want: clients[3],
+		want: clientWithID,
+	}, {
+		name: "client_link_local_subnet",
+		ids:  []string{linkLocalIP},
+		want: clientLinkLocal,
 	}}
 
 	for _, tc := range testCases {
@@ -221,3 +247,52 @@ func TestMACToKey(t *testing.T) {
 		_ = macToKey(mac)
 	})
 }
+
+func TestIndex_FindByIPWithoutZone(t *testing.T) {
+	var (
+		ip         = netip.MustParseAddr("fe80::a098:7654:32ef:ff1")
+		ipWithZone = netip.MustParseAddr("fe80::1ff:fe23:4567:890a%eth2")
+	)
+
+	var (
+		clientNoZone = &Persistent{
+			Name: "client",
+			IPs:  []netip.Addr{ip},
+		}
+
+		clientWithZone = &Persistent{
+			Name: "client_with_zone",
+			IPs:  []netip.Addr{ipWithZone},
+		}
+	)
+
+	ci := newIDIndex([]*Persistent{
+		clientNoZone,
+		clientWithZone,
+	})
+
+	testCases := []struct {
+		ip   netip.Addr
+		want *Persistent
+		name string
+	}{{
+		name: "without_zone",
+		ip:   ip,
+		want: clientNoZone,
+	}, {
+		name: "with_zone",
+		ip:   ipWithZone,
+		want: clientWithZone,
+	}, {
+		name: "zero_address",
+		ip:   netip.Addr{},
+		want: nil,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			c := ci.FindByIPWithoutZone(tc.ip.WithZone(""))
+			require.Equal(t, tc.want, c)
+		})
+	}
+}

internal/dnsforward/beforerequest.go

@@ -18,7 +18,7 @@ var _ proxy.BeforeRequestHandler = (*Server)(nil)
 // including logs.  It performs access checks and puts the client ID, if there
 // is one, into the server's cache.
 //
-// TODO(e.burkov):  Write tests.
+// TODO(d.kolyshev): Extract to separate package.
 func (s *Server) HandleBefore(
 	_ *proxy.Proxy,
 	pctx *proxy.DNSContext,

internal/dnsforward/beforerequest_internal_test.go

@@ -0,0 +1,299 @@
+package dnsforward
+
+import (
+	"crypto/tls"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtest"
+	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	blockedHost      = "blockedhost.org"
+	testFQDN         = "example.org."
+	dnsClientTimeout = 200 * time.Millisecond
+)
+
+func TestServer_HandleBefore_tls(t *testing.T) {
+	t.Parallel()
+
+	const clientID = "client-1"
+
+	testCases := []struct {
+		clientSrvName     string
+		name              string
+		host              string
+		allowedClients    []string
+		disallowedClients []string
+		blockedHosts      []string
+		wantRCode         int
+	}{{
+		clientSrvName:     tlsServerName,
+		name:              "allow_all",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeSuccess,
+	}, {
+		clientSrvName:     "%" + "." + tlsServerName,
+		name:              "invalid_client_id",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeServerFailure,
+	}, {
+		clientSrvName:     clientID + "." + tlsServerName,
+		name:              "allowed_client_allowed",
+		host:              testFQDN,
+		allowedClients:    []string{clientID},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeSuccess,
+	}, {
+		clientSrvName:     "client-2." + tlsServerName,
+		name:              "allowed_client_rejected",
+		host:              testFQDN,
+		allowedClients:    []string{clientID},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeRefused,
+	}, {
+		clientSrvName:     tlsServerName,
+		name:              "disallowed_client_allowed",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{clientID},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeSuccess,
+	}, {
+		clientSrvName:     clientID + "." + tlsServerName,
+		name:              "disallowed_client_rejected",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{clientID},
+		blockedHosts:      []string{},
+		wantRCode:         dns.RcodeRefused,
+	}, {
+		clientSrvName:     tlsServerName,
+		name:              "blocked_hosts_allowed",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{blockedHost},
+		wantRCode:         dns.RcodeSuccess,
+	}, {
+		clientSrvName:     tlsServerName,
+		name:              "blocked_hosts_rejected",
+		host:              dns.Fqdn(blockedHost),
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{blockedHost},
+		wantRCode:         dns.RcodeRefused,
+	}}
+
+	localAns := []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{
+			Name:     testFQDN,
+			Rrtype:   dns.TypeA,
+			Class:    dns.ClassINET,
+			Ttl:      3600,
+			Rdlength: 4,
+		},
+		A: net.IP{1, 2, 3, 4},
+	}}
+	localUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		resp := (&dns.Msg{}).SetReply(req)
+		resp.Answer = localAns
+
+		require.NoError(t, w.WriteMsg(resp))
+	})
+	localUpsAddr := aghtest.StartLocalhostUpstream(t, localUpsHdlr).String()
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			s, _ := createTestTLS(t, TLSConfig{
+				TLSListenAddrs: []*net.TCPAddr{{}},
+				ServerName:     tlsServerName,
+			})
+
+			s.conf.UpstreamDNS = []string{localUpsAddr}
+
+			s.conf.AllowedClients = tc.allowedClients
+			s.conf.DisallowedClients = tc.disallowedClients
+			s.conf.BlockedHosts = tc.blockedHosts
+
+			err := s.Prepare(&s.conf)
+			require.NoError(t, err)
+
+			startDeferStop(t, s)
+
+			tlsConfig := &tls.Config{
+				InsecureSkipVerify: true,
+				ServerName:         tc.clientSrvName,
+			}
+
+			client := &dns.Client{
+				Net:       "tcp-tls",
+				TLSConfig: tlsConfig,
+				Timeout:   dnsClientTimeout,
+			}
+
+			req := createTestMessage(tc.host)
+			addr := s.dnsProxy.Addr(proxy.ProtoTLS).String()
+
+			reply, _, err := client.Exchange(req, addr)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.wantRCode, reply.Rcode)
+			if tc.wantRCode == dns.RcodeSuccess {
+				assert.Equal(t, localAns, reply.Answer)
+			} else {
+				assert.Empty(t, reply.Answer)
+			}
+		})
+	}
+}
+
+func TestServer_HandleBefore_udp(t *testing.T) {
+	t.Parallel()
+
+	const (
+		clientIPv4 = "127.0.0.1"
+		clientIPv6 = "::1"
+	)
+
+	clientIPs := []string{clientIPv4, clientIPv6}
+
+	testCases := []struct {
+		name              string
+		host              string
+		allowedClients    []string
+		disallowedClients []string
+		blockedHosts      []string
+		wantTimeout       bool
+	}{{
+		name:              "allow_all",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantTimeout:       false,
+	}, {
+		name:              "allowed_client_allowed",
+		host:              testFQDN,
+		allowedClients:    clientIPs,
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantTimeout:       false,
+	}, {
+		name:              "allowed_client_rejected",
+		host:              testFQDN,
+		allowedClients:    []string{"1:2:3::4"},
+		disallowedClients: []string{},
+		blockedHosts:      []string{},
+		wantTimeout:       true,
+	}, {
+		name:              "disallowed_client_allowed",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{"1:2:3::4"},
+		blockedHosts:      []string{},
+		wantTimeout:       false,
+	}, {
+		name:              "disallowed_client_rejected",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: clientIPs,
+		blockedHosts:      []string{},
+		wantTimeout:       true,
+	}, {
+		name:              "blocked_hosts_allowed",
+		host:              testFQDN,
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{blockedHost},
+		wantTimeout:       false,
+	}, {
+		name:              "blocked_hosts_rejected",
+		host:              dns.Fqdn(blockedHost),
+		allowedClients:    []string{},
+		disallowedClients: []string{},
+		blockedHosts:      []string{blockedHost},
+		wantTimeout:       true,
+	}}
+
+	localAns := []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{
+			Name:     testFQDN,
+			Rrtype:   dns.TypeA,
+			Class:    dns.ClassINET,
+			Ttl:      3600,
+			Rdlength: 4,
+		},
+		A: net.IP{1, 2, 3, 4},
+	}}
+	localUpsHdlr := dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+		resp := (&dns.Msg{}).SetReply(req)
+		resp.Answer = localAns
+
+		require.NoError(t, w.WriteMsg(resp))
+	})
+	localUpsAddr := aghtest.StartLocalhostUpstream(t, localUpsHdlr).String()
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			s := createTestServer(t, &filtering.Config{
+				BlockingMode: filtering.BlockingModeDefault,
+			}, ServerConfig{
+				UDPListenAddrs: []*net.UDPAddr{{}},
+				TCPListenAddrs: []*net.TCPAddr{{}},
+				Config: Config{
+					AllowedClients:    tc.allowedClients,
+					DisallowedClients: tc.disallowedClients,
+					BlockedHosts:      tc.blockedHosts,
+					UpstreamDNS:       []string{localUpsAddr},
+					UpstreamMode:      UpstreamModeLoadBalance,
+					EDNSClientSubnet:  &EDNSClientSubnet{Enabled: false},
+				},
+				ServePlainDNS: true,
+			})
+
+			startDeferStop(t, s)
+
+			client := &dns.Client{
+				Net:     "udp",
+				Timeout: dnsClientTimeout,
+			}
+
+			req := createTestMessage(tc.host)
+			addr := s.dnsProxy.Addr(proxy.ProtoUDP).String()
+
+			reply, _, err := client.Exchange(req, addr)
+			if tc.wantTimeout {
+				wantErr := &net.OpError{}
+				require.ErrorAs(t, err, &wantErr)
+				assert.True(t, wantErr.Timeout())
+
+				assert.Nil(t, reply)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, reply)
+
+				assert.Equal(t, dns.RcodeSuccess, reply.Rcode)
+				assert.Equal(t, localAns, reply.Answer)
+			}
+		})
+	}
+}

internal/dnsforward/stats.go

@@ -130,7 +130,7 @@ func (s *Server) logQuery(dctx *dnsContext, ip net.IP, processingTime time.Durat
 	s.queryLog.Add(p)
 }
 
-// updatesStats writes the request into statistics.
+// updateStats writes the request into statistics.
 func (s *Server) updateStats(dctx *dnsContext, clientIP string, processingTime time.Duration) {
 	pctx := dctx.proxyCtx
 

internal/home/clients.go

@@ -412,7 +412,11 @@ func (clients *clientsContainer) clientOrArtificial(
 	}()
 
 	cli, ok := clients.find(id)
-	if ok {
+	if !ok {
+		cli = clients.clientIndex.FindByIPWithoutZone(ip)
+	}
+
+	if cli != nil {
 		return &querylog.Client{
 			Name:           cli.Name,
 			IgnoreQueryLog: cli.IgnoreQueryLog,

internal/home/service.go

@@ -306,7 +306,7 @@ func handleServiceStatusCommand(s service.Service) {
 	}
 }
 
-// handleServiceStatusCommand handles service "install" command
+// handleServiceInstallCommand handles service "install" command
 func handleServiceInstallCommand(s service.Service) {
 	err := svcAction(s, "install")
 	if err != nil {
@@ -340,7 +340,7 @@ AdGuard Home is now available at the following addresses:`)
 	}
 }
 
-// handleServiceStatusCommand handles service "uninstall" command
+// handleServiceUninstallCommand handles service "uninstall" command
 func handleServiceUninstallCommand(s service.Service) {
 	if aghos.IsOpenWrt() {
 		// On OpenWrt it is important to run disable command first

internal/querylog/entry.go

@@ -31,6 +31,7 @@ type logEntry struct {
 	Answer     []byte `json:",omitempty"`
 	OrigAnswer []byte `json:",omitempty"`
 
+	// TODO(s.chzhen):  Use netip.Addr.
 	IP net.IP `json:"IP"`
 
 	Result filtering.Result