diff --git a/README.md b/README.md index 6728a70..981cadd 100755 --- a/README.md +++ b/README.md @@ -16,17 +16,17 @@ Just flash and forget. - DNS server address is 127.0.0.1:53 for ipv4 and [::1]:53 for ipv6 - If you use AfWall, you can write this enter custom script ``` - iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53 - iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53 - ip6tables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:53 - ip6tables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:53 + iptables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53 + iptables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53 + ip6tables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:53 + ip6tables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:53 ``` and this shutdown script ``` - iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53 - iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53 - ip6tables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:53 - ip6tables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:53 + iptables -t nat -D OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53 + iptables -t nat -D OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53 + ip6tables -t nat -D OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:53 + ip6tables -t nat -D OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:53 ``` ## Configuration (post-installing) 
@@ -34,6 +34,9 @@ Just flash and forget. - For more detailed configuration please refer to [official documentation](https://github.com/jedisct1/dnscrypt-proxy/wiki/Basic-dnscrypt-proxy.toml-editing) ## Changelog +### v2.5.0 +- Update binary files to 2.0.16 +- add exception for cloudflare fallback resolver. ### v2.4.0 - Update binary files to 2.0.14 ### v2.3.0 diff --git a/binary/dnscrypt-proxy-arm b/binary/dnscrypt-proxy-arm index 27f01f6..87d3799 100755 Binary files a/binary/dnscrypt-proxy-arm and b/binary/dnscrypt-proxy-arm differ diff --git a/binary/dnscrypt-proxy-arm64 b/binary/dnscrypt-proxy-arm64 index 06abc7d..3822a26 100755 Binary files a/binary/dnscrypt-proxy-arm64 and b/binary/dnscrypt-proxy-arm64 differ diff --git a/binary/dnscrypt-proxy-x86 b/binary/dnscrypt-proxy-x86 index 7b4886c..3e795c2 100755 Binary files a/binary/dnscrypt-proxy-x86 and b/binary/dnscrypt-proxy-x86 differ diff --git a/binary/dnscrypt-proxy-x86_64 b/binary/dnscrypt-proxy-x86_64 index 2cb0431..9d5fadd 100755 Binary files a/binary/dnscrypt-proxy-x86_64 and b/binary/dnscrypt-proxy-x86_64 differ diff --git a/changelog.md b/changelog.md index 43d2777..2c9f514 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,8 @@ # Changelog +## Changelog +### v2.5.0 +- Update binary files to 2.0.16 +- add exception for cloudflare fallback resolver. ## v2.4.0 * Update binary files to 2.0.14 ## v2.3.0 diff --git a/common/service.sh b/common/service.sh index bc62022..644ab5d 100755 --- a/common/service.sh +++ b/common/service.sh 
@@ -12,10 +12,10 @@ for i in 1 2 3 4 5 6 7 8 9 10 11 12; do then $MODDIR/system/xbin/dnscrypt-proxy -config $MODDIR/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml & sleep 15 - iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5354 - iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5354 - ip6tables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:5354 - ip6tables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:5354 + iptables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:5354 + iptables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:5354 + ip6tables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:5354 + ip6tables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:5354 break; else sleep 5 diff --git a/config.sh b/config.sh index b899d09..fb9fd78 100755 --- a/config.sh +++ b/config.sh @@ -44,7 +44,7 @@ print_modname() { ui_print " DNSCrypt-Proxy2 " ui_print " Magisk Module " ui_print "*******************************" - ui_print " v2.3.0 " + ui_print " v2.5.0 " ui_print " bluemeda " ui_print "*******************************" } diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml index c0a092b..df84952 100644 --- a/config/example-dnscrypt-proxy.toml +++ b/config/example-dnscrypt-proxy.toml @@ -27,7 +27,7 @@ ## The proxy will automatically pick the fastest, working servers from the list. ## Remove the leading # first to enable this; lines starting with # are ignored. -# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] +# server_names = ['cloudflare', 'google'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. 
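Review bot: The two `ip6tables` rules added here carry `! -d 1.1.1.1`, an IPv4 literal; ip6tables is expected to reject it as an unresolvable host, so neither IPv6 redirect would be installed and port-53 traffic over IPv6 would leave the device without passing through the proxy. The fallback resolver set in this commit is IPv4 only, so the IPv6 rules can stay as they were: `ip6tables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:5354` and its udp twin. The README's AfWall custom and shutdown scripts repeat the same pattern, and the `-D` form there would fail the same way. Separately, the IPv4 exemption matches on destination only, so any app on the device can send cleartext DNS to 1.1.1.1:53 around the proxy; that deserves a comment above the rules. The enclosing `for` loop starts and ends outside the hunk.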
@@ -41,6 +41,18 @@ listen_addresses = ['127.0.0.1:53', '[::1]:53'] max_clients = 250 +## Switch to a non-privileged system user after listening sockets have been created. +## Two processes will be running. +## The first one will keep root privileges, but is only a supervisor, that does nothing +## except create the sockets, manage the service, and restart it if it crashes. +## The second process is the service itself, and that one will always run as a different +## user. +## Note (1): this feature is currently unsupported on Windows. +## Note (2): this feature is not compatible with systemd socket activation. + +# user_name = 'nobody' + + ## Require servers (from static + remote sources) to satisfy specific properties # Use servers reachable over IPv4 @@ -77,6 +89,14 @@ require_nofilter = true force_tcp = false +## HTTP / SOCKS proxy +## Uncomment the following line to route all TCP connections to a local Tor node +## Tor doesn't support UDP, so set `force_tcp` to `true` as well. + +# proxy = "socks5://127.0.0.1:9050" + + + ## How long a DNS query will wait for a response, in milliseconds timeout = 2500 @@ -154,7 +174,7 @@ cert_refresh_delay = 240 ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. -fallback_resolver = '9.9.9.9:53' +fallback_resolver = '1.1.1.1:53' ## Never let dnscrypt-proxy try to use the system DNS settings; @@ -172,6 +192,13 @@ ignore_system_dns = false netprobe_timeout = 30 +## Offline mode - Do not use any remote encrypted servers. +## The proxy will remain fully functional to respond to queries that +## plugins can handle directly (forwarding, cloaking, ...) + +# offline_mode = false + + ## Automatic log files rotation # Maximum log files size in MB
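Review bot: `fallback_resolver = '1.1.1.1:53'` is now coupled to the hard-coded `! -d 1.1.1.1` exemption in common/service.sh, and nothing in the example config says so. A user who picks a different fallback address would have those port-53 queries DNAT'd back to the proxy itself, so the fallback would presumably never answer. I would add a comment above the key, for example `## NOTE: common/service.sh exempts only 1.1.1.1 from the port-53 redirect; change both together.` The same comment could mention that queries to the fallback resolver are plain, unencrypted DNS.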