diff --git a/Dockerfile b/Dockerfile index be5c07e..ea05a66 100644 --- a/Dockerfile +++ b/Dockerfile @@ -105,11 +105,13 @@ RUN <<-"EOF" bash -ex ln -sf /root/antizapret/doall.sh /usr/bin/doall - /root/antizapret/doall.sh - rm -frv /tmp/* EOF -COPY rootfs /rootfs +COPY rootfs/etc/openvpn /etc/openvpn-default + +RUN <<-"EOF" bash -ex + (STAGE_1=true STAGE_2=true STAGE_3=false /root/antizapret/doall.sh) +EOF ENTRYPOINT ["/init.sh"] diff --git a/rootfs/etc/knot-resolver/knot-aliases-alt.conf b/rootfs/etc/knot-resolver/knot-aliases-alt.conf index 4d0d150..9015241 100644 --- a/rootfs/etc/knot-resolver/knot-aliases-alt.conf +++ b/rootfs/etc/knot-resolver/knot-aliases-alt.conf @@ -1,2 +1,4 @@ -- Dummy file. Filled by antizapret script. blocked_hosts = {} +regex_blocked = '^$' +regex_allowed = '^$' \ No newline at end of file diff --git a/rootfs/etc/knot-resolver/kresd.conf b/rootfs/etc/knot-resolver/kresd.conf index a1d2df9..8898e63 100644 --- a/rootfs/etc/knot-resolver/kresd.conf +++ b/rootfs/etc/knot-resolver/kresd.conf @@ -43,6 +43,30 @@ local dns_ru = os.getenv('DNS_RU') -- if not dns then dns = '127.0.0.11' end -- if not dns_ru then dns = '77.88.8.8' end +policy.add( + function (_, query) + local command = string.format( + "(echo '%s' | grep -Eq '%s' && echo 'allowed') || (echo '%s' | grep -Eq '%s' && echo 'blocked')", + kres.dname2str(query.sname), + regex_allowed, + kres.dname2str(query.sname), + regex_blocked + ) + local handle = io.popen(command) + local result = handle:read("*line") + handle:close() + + if result == 'blocked' then + return policy.STUB({'127.0.0.4'}) + elseif result == 'allowed' then + return policy.FORWARD({dns}) + end + + -- filter did not match, continue with next filter + return nil + end +) + -- Forward blocked domains to dnsmap policy.add( policy.suffix( diff --git a/rootfs/init.sh b/rootfs/init.sh index 316c1ad..f8be660 100755 --- a/rootfs/init.sh +++ b/rootfs/init.sh 
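Review bot: In rootfs/etc/knot-resolver/kresd.conf the new policy function passes `kres.dname2str(query.sname)` into a shell command through `string.format` and `io.popen`, so a name chosen by whoever sends the query is parsed by `/bin/sh`. Wrapping it in `'%s'` is not shell escaping, and a quote character in the name or in `regex_allowed`/`regex_blocked` ends the quoted string. The rule also starts a shell and up to two `grep` processes for every query, synchronously inside the resolver, so a burst of lookups can stall it. Matching inside Lua (for example `policy.pattern`, or suffix lists generated at build time) would remove the shell altogether. As a minimum, bind the name to a local and refuse anything outside hostname characters before the command is built, `if not name:match('^[%w%._%-]+$') then return nil end`, and check `handle` for nil before `handle:read`.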
@@ -33,9 +33,9 @@ ln -sf /etc/default/antizapret /etc/profile.d/antizapret.sh # populating directories with files -cp -rv --update=none /rootfs/etc/openvpn/* /etc/openvpn +cp -rv --update=none /etc/openvpn-default/* /etc/openvpn -for file in $(echo {exclude,include}-{ips,hosts}-custom.txt); do +for file in $(echo {exclude,include}-{ips,hosts,regex}-custom.txt); do path=/root/antizapret/config/custom/$file [ ! -f $path ] && touch $path done diff --git a/rootfs/root/antizapret/build_regex.sh b/rootfs/root/antizapret/build_regex.sh new file mode 100755 index 0000000..dfa6850 --- /dev/null +++ b/rootfs/root/antizapret/build_regex.sh @@ -0,0 +1,23 @@ +#!/bin/bash -e + + +HERE="$(dirname "$(readlink -f "${0}")")" +cd "$HERE" + + +for file in config/custom/{include,exclude}-regex-custom.txt; do + if [[ "$file" =~ include ]]; then + type="blocked" + else + type="allowed" + fi + + #regex_allowed + #regex_blocked + if [ "$(cat "$file" | wc -l)" -gt 0 ]; then + echo "regex_$type = '($(sed -E '/^(#.*)?[[:space:]]*$/d' "$file" | tr '\n' '|' | xargs))'" >> result/knot-aliases-alt.conf + else + echo "regex_$type = '^$'" >> result/knot-aliases-alt.conf + fi +done + diff --git a/rootfs/root/antizapret/config/custom/exclude-regex-custom.txt b/rootfs/root/antizapret/config/custom/exclude-regex-custom.txt new file mode 100644 index 0000000..e69de29 diff --git a/rootfs/root/antizapret/config/custom/include-regex-custom.txt b/rootfs/root/antizapret/config/custom/include-regex-custom.txt new file mode 100644 index 0000000..e69de29 diff --git a/rootfs/root/antizapret/doall.sh b/rootfs/root/antizapret/doall.sh index 7b62867..cc05b12 100755 --- a/rootfs/root/antizapret/doall.sh +++ b/rootfs/root/antizapret/doall.sh @@ -67,6 +67,7 @@ if [[ $FORCE == true ]]; then echo 'Force update detected!' ./update.sh ./parse.sh + ./build_regex.sh ./process.sh exit fi 
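Review bot: In rootfs/root/antizapret/build_regex.sh the generated alternation can end up matching every name, because `tr '\n' '|'` leaves a trailing `|` and a file holding only comments passes the `wc -l` test and yields `()`. With GNU grep an empty alternative or empty group matches any input, so every query would be classified by whichever list is non-empty. `xargs` also strips backslashes and quotes from the patterns, so `\.` reaches kresd as `.`, and a single quote in a pattern ends the Lua string literal the value is written into. Joining with `paste -sd'|'`, testing the filtered text instead of the line count, rejecting `'` and doubling backslashes for the Lua literal addresses these. The `-e` in the shebang is lost when the script is run as `bash build_regex.sh`, so `set -e` in the body is safer.

```shell
for file in config/custom/{include,exclude}-regex-custom.txt; do
    # … unchanged: type="blocked" / type="allowed" selection …

    # paste joins the lines with '|' and adds no trailing separator
    patterns="$(sed -E '/^(#.*)?[[:space:]]*$/d' "$file" | paste -sd'|' -)"
    if [[ "$patterns" == *"'"* ]]; then
        echo "single quote is not allowed in $file" >&2
        exit 1
    fi
    # backslashes must be doubled to survive the Lua quoted string
    patterns="${patterns//\\/\\\\}"
    if [[ -n "$patterns" ]]; then
        printf "regex_%s = '(%s)'\n" "$type" "$patterns" >> result/knot-aliases-alt.conf
    else
        echo "regex_$type = '^$'" >> result/knot-aliases-alt.conf
    fi
done
```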
@@ -89,8 +90,11 @@ done if ! diff_hashes; then create_hash > /root/.hash; STAGE_2=true; fi -[[ $STAGE_1 == true ]] && ./update.sh +[[ $STAGE_1 == true ]] && (echo "run update.sh" && ./update.sh || exit 1) -[[ $STAGE_2 == true ]] && ./parse.sh || echo 'Nothing to do.' +[[ $STAGE_2 == true ]] && (echo "run parse.sh" && ./parse.sh && echo "run build_regex.sh" && ./build_regex.sh || exit 2) -[[ $STAGE_3 == true ]] && ./process.sh 2> /dev/null +[[ $STAGE_3 == true ]] && (echo "run process.sh" && ./process.sh 2> /dev/null || exit 3) + +echo "Kresd rules updated" +exit 0 \ No newline at end of file diff --git a/rootfs/root/dnsmap/proxy.py b/rootfs/root/dnsmap/proxy.py index 26bb065..e88e9cd 100755 --- a/rootfs/root/dnsmap/proxy.py +++ b/rootfs/root/dnsmap/proxy.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env -S python3 -u # -*- coding: utf-8 -*- from __future__ import print_function diff --git a/rootfs/root/patches/parse.patch b/rootfs/root/patches/parse.patch index 651f18f..1de2b65 100644 --- a/rootfs/root/patches/parse.patch +++ b/rootfs/root/patches/parse.patch @@ -23,7 +23,7 @@ -sort -u config/exclude-ips-{dist,custom}.txt > temp/exclude-ips.txt -sort -u config/include-hosts-{dist,custom}.txt > temp/include-hosts.txt -sort -u config/include-ips-{dist,custom}.txt > temp/include-ips.txt -+for file in config/custom/*-custom.txt; do ++for file in config/custom/{include,exclude}-{hosts,ips}-custom.txt; do + basename=$(basename $file | sed 's|-custom.txt||') + sort -u $file config/${basename}-dist.txt > temp/${basename}.txt +done
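Review bot: In the second rootfs/root/antizapret/doall.sh hunk the `exit 1`/`exit 2`/`exit 3` calls sit inside `( … )`, so they end only the subshell. Unless errexit is enabled earlier in the file (not visible in this hunk), a failed `update.sh`, `parse.sh` or `build_regex.sh` still falls through to `echo "Kresd rules updated"` and `exit 0`, and the Docker build step would pass with stale or missing rules. An `if` block keeps the exit in the main shell, e.g. `if [[ $STAGE_1 == true ]]; then echo "run update.sh"; ./update.sh || exit 1; fi`, repeated for stages 2 and 3. The success message is also printed when no stage ran, where the old code printed 'Nothing to do.'.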