go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/miekg/dns v1.1.50
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/quic-go/quic-go v0.33.0
+	github.com/quic-go/quic-go v0.35.1
 	github.com/stretchr/testify v1.8.2
 	golang.org/x/exp v0.0.0-20230306221820-f0f767cdffd6
 	golang.org/x/net v0.8.0
@@ -31,8 +31,8 @@ require (
 	github.com/onsi/ginkgo/v2 v2.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.2.1 // indirect
-	github.com/quic-go/qtls-go1-20 v0.1.1 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	golang.org/x/crypto v0.5.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/text v0.8.0 // indirect

go.sum

@@ -44,12 +44,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-19 v0.2.1 h1:aJcKNMkH5ASEJB9FXNeZCyTEIHU1J7MmHyz1Q1TSG1A=
-github.com/quic-go/qtls-go1-19 v0.2.1/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
-github.com/quic-go/qtls-go1-20 v0.1.1 h1:KbChDlg82d3IHqaj2bn6GfKRj84Per2VGf5XV3wSwQk=
-github.com/quic-go/qtls-go1-20 v0.1.1/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
-github.com/quic-go/quic-go v0.33.0 h1:ItNoTDN/Fm/zBlq769lLJc8ECe9gYaW40veHCCco7y0=
-github.com/quic-go/quic-go v0.33.0/go.mod h1:YMuhaAV9/jIu0XclDXwZPAsP/2Kgr5yMYhe9oxhhOFA=
+github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
+github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
+github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/quic-go/quic-go v0.35.1 h1:b0kzj6b/cQAf05cT0CkQubHM31wiA+xH3IBkxP62poo=
+github.com/quic-go/quic-go v0.35.1/go.mod h1:+4CVgVppm0FNjpG3UcX8Joi/frKOH7/ciD5yGcwOO1g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

proxy/proxy.go

@@ -64,28 +64,54 @@ type Proxy struct {
 	// See https://golang.org/pkg/sync/atomic/#pkg-note-BUG.
 	counter uint64
 
-	started bool // Started flag
+	// started indicates if the proxy has been started.
+	started bool
 
 	// Listeners
 	// --
 
-	udpListen         []*net.UDPConn       // UDP listen connections
-	tcpListen         []net.Listener       // TCP listeners
-	tlsListen         []net.Listener       // TLS listeners
-	quicListen        []quic.EarlyListener // QUIC listeners
-	httpsListen       []net.Listener       // HTTPS listeners
-	httpsServer       *http.Server         // HTTPS server instance
-	h3Listen          []quic.EarlyListener // HTTP/3 listeners
-	h3Server          *http3.Server        // HTTP/3 server instance
-	dnsCryptUDPListen []*net.UDPConn       // UDP listen connections for DNSCrypt
-	dnsCryptTCPListen []net.Listener       // TCP listeners for DNSCrypt
-	dnsCryptServer    *dnscrypt.Server     // DNSCrypt server instance
+	// udpListen are the listened UDP connections.
+	udpListen []*net.UDPConn
+
+	// tcpListen are the listened TCP connections.
+	tcpListen []net.Listener
+
+	// tlsListen are the listened TCP connections with TLS.
+	tlsListen []net.Listener
+
+	// quicListen are the listened QUIC connections.
+	quicListen []*quic.EarlyListener
+
+	// httpsListen are the listened HTTPS connections.
+	httpsListen []net.Listener
+
+	// h3Listen are the listened HTTP/3 connections.
+	h3Listen []*quic.EarlyListener
+
+	// httpsServer serves queries received over HTTPS.
+	httpsServer *http.Server
+
+	// h3Server serves queries received over HTTP/3.
+	h3Server *http3.Server
+
+	// dnsCryptUDPListen are the listened UDP connections for DNSCrypt.
+	dnsCryptUDPListen []*net.UDPConn
+
+	// dnsCryptTCPListen are the listened TCP connections for DNSCrypt.
+	dnsCryptTCPListen []net.Listener
+
+	// dnsCryptServer serves DNSCrypt queries.
+	dnsCryptServer *dnscrypt.Server
 
 	// Upstream
 	// --
 
-	upstreamRttStats map[string]int // Map of upstream addresses and their rtt. Used to sort upstreams "from fast to slow"
-	rttLock          sync.Mutex     // Synchronizes access to the upstreamRttStats map
+	// upstreamRttStats is a map of upstream addresses and their rtt.  Used to
+	// sort upstreams by their latency.
+	upstreamRttStats map[string]int
+
+	// rttLock protects upstreamRttStats.
+	rttLock sync.Mutex
 
 	// DNS64 (in case dnsproxy works in a NAT64/DNS64 network)
 	// --
@@ -98,8 +124,11 @@ type Proxy struct {
 	// Ratelimit
 	// --
 
-	ratelimitBuckets *gocache.Cache // where the ratelimiters are stored, per IP
-	ratelimitLock    sync.Mutex     // Synchronizes access to ratelimitBuckets
+	// ratelimitBuckets is a storage for ratelimiters for individual IPs.
+	ratelimitBuckets *gocache.Cache
+
+	// ratelimitLock protects ratelimitBuckets.
+	ratelimitLock sync.Mutex
 
 	// proxyVerifier checks if the proxy is in the trusted list.
 	proxyVerifier netutil.SubnetSet
@@ -109,6 +138,7 @@ type Proxy struct {
 
 	// cache is used to cache requests.  It is disabled if nil.
 	cache *cache
+
 	// shortFlighter is used to resolve the expired cached requests without
 	// repetitions.
 	shortFlighter *optimisticResolver
@@ -116,14 +146,20 @@ type Proxy struct {
 	// FastestAddr module
 	// --
 
-	fastestAddr *fastip.FastestAddr // fastest-addr module
+	// fastestAddr finds the fastest IP address for the resolved domain.
+	fastestAddr *fastip.FastestAddr
 
 	// Other
 	// --
 
-	bytesPool    *sync.Pool // bytes pool to avoid unnecessary allocations when reading DNS packets
-	udpOOBSize   int        // size for received OOB data
-	sync.RWMutex            // protects parallel access to proxy structures
+	// bytesPool is a pool of byte slices used to read DNS packets.
+	bytesPool *sync.Pool
+
+	// udpOOBSize is the size of the out-of-band data for UDP connections.
+	udpOOBSize int
+
+	// RWMutex protects the whole proxy.
+	sync.RWMutex
 
 	// requestGoroutinesSema limits the number of simultaneous requests.
 	//
@@ -135,7 +171,8 @@ type Proxy struct {
 	// See also: https://github.com/AdguardTeam/AdGuardHome/issues/2242.
 	requestGoroutinesSema semaphore
 
-	Config // proxy configuration
+	// Config is the proxy configuration.
+	Config
 }
 
 // Init populates fields of p but does not start listeners.

proxy/server.go

@@ -60,7 +60,7 @@ func (p *Proxy) startListeners(ctx context.Context) error {
 	}
 
 	for _, l := range p.h3Listen {
-		go func(l quic.EarlyListener) { _ = p.h3Server.ServeListener(l) }(l)
+		go func(l *quic.EarlyListener) { _ = p.h3Server.ServeListener(l) }(l)
 	}
 
 	for _, l := range p.quicListen {

proxy/server_https_test.go

@@ -387,7 +387,7 @@ func createTestHTTPClient(dnsProxy *Proxy, caPem []byte, http3Enabled bool) (cli
 				cfg *quic.Config,
 			) (quic.EarlyConnection, error) {
 				addr := dnsProxy.Addr(ProtoHTTPS).String()
-				return quic.DialAddrEarlyContext(ctx, addr, tlsCfg, cfg)
+				return quic.DialAddrEarly(ctx, addr, tlsCfg, cfg)
 			},
 			TLSClientConfig:    tlsClientConfig,
 			QuicConfig:         &quic.Config{},

proxy/server_quic.go

@@ -82,7 +82,7 @@ func (p *Proxy) createQUICListeners() error {
 // quicPacketLoop listens for incoming QUIC packets.
 //
 // See also the comment on Proxy.requestGoroutinesSema.
-func (p *Proxy) quicPacketLoop(l quic.EarlyListener, requestGoroutinesSema semaphore) {
+func (p *Proxy) quicPacketLoop(l *quic.EarlyListener, requestGoroutinesSema semaphore) {
 	log.Info("Entering the DNS-over-QUIC listener loop on %s", l.Addr())
 	for {
 		conn, err := l.Accept(context.Background())
@@ -374,9 +374,7 @@ func newServerQUICConfig() (conf *quic.Config) {
 		MaxIncomingUniStreams:    math.MaxUint16,
 		RequireAddressValidation: v.requiresValidation,
 		// Enable 0-RTT by default for all connections on the server-side.
-		Allow0RTT: func(net.Addr) (ok bool) {
-			return true
-		},
+		Allow0RTT: true,
 	}
 }
 

proxy/server_quic_test.go

@@ -38,7 +38,7 @@ func TestQuicProxy(t *testing.T) {
 	addr := dnsProxy.Addr(ProtoQUIC)
 
 	// Open a QUIC connection.
-	conn, err := quic.DialAddrEarly(addr.String(), tlsConfig, nil)
+	conn, err := quic.DialAddrEarly(context.Background(), addr.String(), tlsConfig, nil)
 	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, func() (err error) {
 		return conn.CloseWithError(DoQCodeNoError, "")
@@ -95,7 +95,7 @@ func TestQuicProxy_largePackets(t *testing.T) {
 	addr := dnsProxy.Addr(ProtoQUIC)
 
 	// Open a QUIC connection.
-	conn, err := quic.DialAddrEarly(addr.String(), tlsConfig, nil)
+	conn, err := quic.DialAddrEarly(context.Background(), addr.String(), tlsConfig, nil)
 	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, func() (err error) {
 		return conn.CloseWithError(DoQCodeNoError, "")

proxyutil/dns.go

+// Package proxyutil contains helper functions that are used in all other
+// dnsproxy packages.
 package proxyutil
 
 import (
 	"encoding/binary"
-	"fmt"
-	"io"
 	"net"
 
-	"github.com/AdguardTeam/golibs/errors"
 	"github.com/miekg/dns"
 )
 
-// ErrTooLarge means that a DNS message is larger than 64KiB.
-//
-// Deprecated: This constant is deprecated and will be removed in a future
-// release.
-const ErrTooLarge errors.Error = "dns message is too large"
-
-// DNSSize returns if buffer size *advertised* in the requests OPT record.
-// Or when the request was over TCP, we return the maximum allowed size of 64K.
-//
-// Deprecated: This function is deprecated and will be removed in a future
-// release.
-func DNSSize(isUDP bool, r *dns.Msg) int {
-	var size uint16
-	if o := r.IsEdns0(); o != nil {
-		size = o.UDPSize()
-	}
-
-	if !isUDP {
-		return dns.MaxMsgSize
-	}
-
-	if size < dns.MinMsgSize {
-		return dns.MinMsgSize
-	}
-
-	// normalize size
-	return int(size)
-}
-
-// ReadPrefixed reads a DNS message with a 2-byte prefix containing message
-// length from conn.
-//
-// Deprecated: This function is deprecated and will be removed in a future
-// release.
-func ReadPrefixed(conn net.Conn) ([]byte, error) {
-	l := make([]byte, 2)
-	_, err := conn.Read(l)
-	if err != nil {
-		return nil, fmt.Errorf("reading len: %w", err)
-	}
-
-	packetLen := binary.BigEndian.Uint16(l)
-	if packetLen > dns.MaxMsgSize {
-		return nil, ErrTooLarge
-	}
-
-	buf := make([]byte, packetLen)
-	_, err = io.ReadFull(conn, buf)
-	if err != nil {
-		return nil, fmt.Errorf("reading msg: %w", err)
-	}
-
-	return buf, nil
-}
-
-// WritePrefixed writes a DNS message to a TCP connection it first writes
-// a 2-byte prefix followed by the message itself.
-//
-// Deprecated: This function is deprecated and will be removed in a future
-// release.
-func WritePrefixed(b []byte, conn net.Conn) error {
-	l := make([]byte, 2)
-	binary.BigEndian.PutUint16(l, uint16(len(b)))
-	_, err := (&net.Buffers{l, b}).WriteTo(conn)
-
-	return err
-}
-
 // AddPrefix adds a 2-byte prefix with the DNS message length.
 func AddPrefix(b []byte) (m []byte) {
 	m = make([]byte, 2+len(b))
@@ -86,3 +17,17 @@ func AddPrefix(b []byte) (m []byte) {
 
 	return m
 }
+
+// IPFromRR returns the IP address from rr if any.
+func IPFromRR(rr dns.RR) (ip net.IP) {
+	switch rr := rr.(type) {
+	case *dns.A:
+		ip = rr.A.To4()
+	case *dns.AAAA:
+		ip = rr.AAAA
+	default:
+		// Go on.
+	}
+
+	return ip
+}

proxyutil/helpers.go

-// Package proxyutil contains helper functions that are used
-// in all other dnsproxy packages
-package proxyutil
-
-import (
-	"bytes"
-	"net"
-
-	"github.com/AdguardTeam/golibs/netutil"
-	"github.com/miekg/dns"
-)
-
-// IPFromRR returns the IP address from rr if any.
-func IPFromRR(rr dns.RR) (ip net.IP) {
-	switch rr := rr.(type) {
-	case *dns.A:
-		ip = rr.A.To4()
-	case *dns.AAAA:
-		ip = rr.AAAA
-	default:
-		// Go on.
-	}
-
-	return ip
-}
-
-// ContainsIP returns true if any of nets contains ip.
-//
-// Deprecated: This function is deprecated and will be removed in a future
-// release.
-func ContainsIP(nets []*net.IPNet, ip net.IP) (ok bool) {
-	if netutil.ValidateIP(ip) != nil {
-		return false
-	}
-
-	for _, n := range nets {
-		if n.Contains(ip) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// AppendIPAddrs appends the IP addresses got from dns.RR to the specified array
-//
-// Deprecated: This function is deprecated and will be removed in a future
-// release.
-func AppendIPAddrs(ipAddrs *[]net.IPAddr, answers []dns.RR) {
-	for _, ans := range answers {
-		if a, ok := ans.(*dns.A); ok {
-			ip := net.IPAddr{IP: a.A}
-			*ipAddrs = append(*ipAddrs, ip)
-		} else if a, ok := ans.(*dns.AAAA); ok {
-			ip := net.IPAddr{IP: a.AAAA}
-			*ipAddrs = append(*ipAddrs, ip)
-		}
-	}
-}
-
-// SortIPAddrs sorts the specified IP addresses array
-// IPv4 addresses go first, then IPv6 addresses
-//
-// Deprecated: This function is deprecated.  Packages in module dnsproxy should
-// use internal/netutil.SortIPAddrs instead.
-func SortIPAddrs(ipAddrs []net.IPAddr) []net.IPAddr {
-	l := len(ipAddrs)
-	if l <= 1 {
-		return ipAddrs
-	}
-
-	// Very simple bubble sort
-	arrLen := len(ipAddrs)
-	var buf net.IPAddr
-	swapCnt := 0
-
-	for i := 0; i < arrLen; {
-		if i+1 != arrLen && compareIPAddrs(ipAddrs[i], ipAddrs[i+1]) > 0 {
-			buf = ipAddrs[i]
-			ipAddrs[i] = ipAddrs[i+1]
-			ipAddrs[i+1] = buf
-			swapCnt = 1
-		}
-		i++
-		if i == arrLen && swapCnt == 1 {
-			swapCnt = 0
-			i = 0
-		}
-	}
-
-	return ipAddrs
-}
-
-func compareIPAddrs(a, b net.IPAddr) int {
-	l4 := a.IP.To4()
-	r4 := b.IP.To4()
-	if l4 != nil && r4 == nil {
-		return -1 // IPv4 addresses first
-	} else if l4 == nil && r4 != nil {
-		return 1 // IPv4 addresses first
-	}
-	return bytes.Compare(a.IP, b.IP)
-}

proxyutil/helpers_test.go

-package proxyutil
-
-import (
-	"net"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestSortIPAddrs(t *testing.T) {
-	ipAddrs := []net.IPAddr{}
-	ipAddrs = append(ipAddrs, net.IPAddr{IP: net.ParseIP("94.140.14.16").To4()})
-	ipAddrs = append(ipAddrs, net.IPAddr{IP: net.ParseIP("2a10:50c0::bad1:ff")})
-	ipAddrs = append(ipAddrs, net.IPAddr{IP: net.ParseIP("94.140.14.15")})
-	ipAddrs = append(ipAddrs, net.IPAddr{IP: net.ParseIP("2a10:50c0::bad2:ff")})
-
-	ipAddrs = SortIPAddrs(ipAddrs)
-
-	assert.Equal(t, ipAddrs[0].String(), "94.140.14.15")
-	assert.Equal(t, ipAddrs[1].String(), "94.140.14.16")
-	assert.Equal(t, ipAddrs[2].String(), "2a10:50c0::bad1:ff")
-	assert.Equal(t, ipAddrs[3].String(), "2a10:50c0::bad2:ff")
-}

proxyutil/udp.go

-package proxyutil
-
-import (
-	"net"
-
-	proxynetutil "github.com/AdguardTeam/dnsproxy/internal/netutil"
-)
-
-// UDPGetOOBSize returns maximum size of the received OOB data.
-//
-// Deprecated: This function is deprecated.  Packages in module dnsproxy should
-// use internal/netutil.UDPGetOOBSize instead.
-func UDPGetOOBSize() (oobSize int) {
-	return proxynetutil.UDPGetOOBSize()
-}
-
-// UDPSetOptions sets flag options on a UDP socket to be able to receive the
-// necessary OOB data.
-//
-// Deprecated: This function is deprecated.  Packages in module dnsproxy should
-// use internal/netutil.UDPSetOptions instead.
-func UDPSetOptions(c *net.UDPConn) (err error) {
-	return proxynetutil.UDPSetOptions(c)
-}
-
-// UDPRead udpRead reads the message from c using buf receives payload of size
-// udpOOBSize from the UDP socket.  It returns the number of bytes copied into
-// buf, the number of bytes copied with OOB and the source address of the
-// message.
-//
-// Deprecated: This function is deprecated.  Packages in module dnsproxy should
-// use internal/netutil.UDPRead instead.
-func UDPRead(
-	c *net.UDPConn,
-	buf []byte,
-	udpOOBSize int,
-) (n int, localIP net.IP, remoteAddr *net.UDPAddr, err error) {
-	return proxynetutil.UDPRead(c, buf, udpOOBSize)
-}
-
-// UDPWrite writes the data to the remoteAddr using conn.
-//
-// Deprecated: This function is deprecated.  Packages in module dnsproxy should
-// use internal/netutil.UDPWrite instead.
-func UDPWrite(
-	data []byte,
-	conn *net.UDPConn,
-	remoteAddr *net.UDPAddr,
-	localIP net.IP,
-) (n int, err error) {
-	return proxynetutil.UDPWrite(data, conn, remoteAddr, localIP)
-}

upstream/upstream.go

@@ -3,6 +3,7 @@
 package upstream
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -21,6 +22,7 @@ import (
 	"github.com/ameshkov/dnscrypt/v2"
 	"github.com/ameshkov/dnsstamps"
 	"github.com/miekg/dns"
+	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/logging"
 )
 
@@ -38,6 +40,14 @@ type Upstream interface {
 	io.Closer
 }
 
+// QUICTraceFunc is a function that returns a [logging.ConnectionTracer]
+// specific for a given role and connection ID.
+type QUICTraceFunc func(
+	ctx context.Context,
+	role logging.Perspective,
+	connID quic.ConnectionID,
+) (tracer logging.ConnectionTracer)
+
 // Options for AddressToUpstream func.  With these options we can configure the
 // upstream properties.
 type Options struct {
@@ -72,9 +82,9 @@ type Options struct {
 	// Upstream.Exchange method returns any error caused by it.
 	VerifyDNSCryptCertificate func(cert *dnscrypt.Cert) error
 
-	// QUICTracer is an optional object that allows tracing every QUIC
+	// QUICTracer is an optional callback that allows tracing every QUIC
 	// connection and logging every packet that goes through.
-	QUICTracer logging.Tracer
+	QUICTracer QUICTraceFunc
 
 	// InsecureSkipVerify disables verifying the server's certificate.
 	InsecureSkipVerify bool

upstream/upstream_doh.go

@@ -539,7 +539,7 @@ func (p *dnsOverHTTPS) createTransportH3(
 			tlsCfg *tls.Config,
 			cfg *quic.Config,
 		) (c quic.EarlyConnection, err error) {
-			c, err = quic.DialAddrEarlyContext(ctx, addr, tlsCfg, cfg)
+			c, err = quic.DialAddrEarly(ctx, addr, tlsCfg, cfg)
 			return c, err
 		},
 		DisableCompression: true,
@@ -630,7 +630,7 @@ func (p *dnsOverHTTPS) probeQUIC(addr string, tlsConfig *tls.Config, ch chan err
 	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(timeout))
 	defer cancel()
 
-	conn, err := quic.DialAddrEarlyContext(ctx, addr, tlsConfig, p.getQUICConfig())
+	conn, err := quic.DialAddrEarly(ctx, addr, tlsConfig, p.getQUICConfig())
 	if err != nil {
 		ch <- fmt.Errorf("opening QUIC connection to %s: %w", p.addr, err)
 		return

upstream/upstream_doh_test.go

@@ -277,7 +277,7 @@ func TestUpstreamDoH_0RTT(t *testing.T) {
 	address := fmt.Sprintf("h3://%s/dns-query", srv.addr)
 	u, err := AddressToUpstream(address, &Options{
 		InsecureSkipVerify: true,
-		QUICTracer:         tracer,
+		QUICTracer:         tracer.TracerForConnection,
 	})
 	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, u.Close)
@@ -344,7 +344,7 @@ type testDoHServer struct {
 	serverH3 *http3.Server
 
 	// listenerH3 that's used to serve HTTP/3.
-	listenerH3 quic.EarlyListener
+	listenerH3 *quic.EarlyListener
 }
 
 // Shutdown stops the DoH server.
@@ -407,7 +407,7 @@ func startDoHServer(
 	tcpAddr = tcpListen.Addr().(*net.TCPAddr)
 
 	var serverH3 *http3.Server
-	var listenerH3 quic.EarlyListener
+	var listenerH3 *quic.EarlyListener
 
 	if opts.http3Enabled {
 		tlsConfigH3 := tlsConfig.Clone()
@@ -433,9 +433,7 @@ func startDoHServer(
 			RequireAddressValidation: func(net.Addr) (ok bool) {
 				return true
 			},
-			Allow0RTT: func(net.Addr) (ok bool) {
-				return true
-			},
+			Allow0RTT: true,
 		}
 		listenerH3, err = quic.ListenAddrEarly(udpAddr.String(), tlsConfigH3, quicConfig)
 		require.NoError(t, err)

upstream/upstream_quic.go

@@ -358,7 +358,7 @@ func (p *dnsOverQUIC) openConnection() (conn quic.Connection, err error) {
 	ctx, cancel := p.withDeadline(context.Background())
 	defer cancel()
 
-	conn, err = quic.DialAddrEarlyContext(ctx, addr, p.tlsConf.Clone(), p.getQUICConfig())
+	conn, err = quic.DialAddrEarly(ctx, addr, p.tlsConf.Clone(), p.getQUICConfig())
 	if err != nil {
 		return nil, fmt.Errorf("opening quic connection to %s: %w", p.addr, err)
 	}

upstream/upstream_quic_test.go

@@ -124,7 +124,7 @@ func TestUpstreamDoQ_0RTT(t *testing.T) {
 	address := fmt.Sprintf("quic://%s", srv.addr)
 	u, err := AddressToUpstream(address, &Options{
 		InsecureSkipVerify: true,
-		QUICTracer:         tracer,
+		QUICTracer:         tracer.TracerForConnection,
 	})
 	require.NoError(t, err)
 	testutil.CleanupAndRequireSuccess(t, u.Close)
@@ -176,7 +176,7 @@ type testDoQServer struct {
 	rootCAs *x509.CertPool
 
 	// listener is the QUIC connections listener.
-	listener quic.EarlyListener
+	listener *quic.EarlyListener
 }
 
 // Shutdown stops the test server.
@@ -264,9 +264,7 @@ func startDoQServer(t *testing.T, port int) (s *testDoQServer) {
 			RequireAddressValidation: func(net.Addr) (ok bool) {
 				return false
 			},
-			Allow0RTT: func(net.Addr) (ok bool) {
-				return true
-			},
+			Allow0RTT: true,
 		},
 	)
 	require.NoError(t, err)