diff --git a/internal/cmd/cmd.go b/internal/cmd/cmd.go
index f0a2a0b43..a9f505e02 100644
--- a/internal/cmd/cmd.go
+++ b/internal/cmd/cmd.go
@@ -77,7 +77,7 @@ func Main() {
 // runProxy starts and runs the proxy. l must not be nil.
 //
 // TODO(e.burkov): Move into separate dnssvc package.
-func runProxy(ctx context.Context, l *slog.Logger, options *configuration) (err error) {
+func runProxy(ctx context.Context, l *slog.Logger, conf *configuration) (err error) {
 var (
 buildVersion = version.Version()
 revision = version.Revision()
@@ -95,12 +95,12 @@ func runProxy(ctx context.Context, l *slog.Logger, options *configuration) (err
 )
 
 // Prepare the proxy server and its configuration.
- conf, err := createProxyConfig(ctx, l, options)
+ proxyConf, err := createProxyConfig(ctx, l, conf)
 if err != nil {
 return fmt.Errorf("configuring proxy: %w", err)
 }
 
- dnsProxy, err := proxy.New(conf)
+ dnsProxy, err := proxy.New(proxyConf)
 if err != nil {
 return fmt.Errorf("creating proxy: %w", err)
 }
diff --git a/internal/cmd/config.go b/internal/cmd/config.go
index d9aef0a81..c52a9d078 100644
--- a/internal/cmd/config.go
+++ b/internal/cmd/config.go
@@ -236,14 +236,14 @@ func parseConfig() (conf *configuration, exitCode int, err error) {
 
 // parseConfigFile fills options with the settings from file read by the given
 // path.
-func parseConfigFile(options *configuration, confPath string) (err error) {
+func parseConfigFile(conf *configuration, confPath string) (err error) {
 // #nosec G304 -- Trust the file path that is given in the args.
 b, err := os.ReadFile(confPath)
 if err != nil {
 return fmt.Errorf("reading file: %w", err)
 }
 
- err = yaml.Unmarshal(b, options)
+ err = yaml.Unmarshal(b, conf)
 if err != nil {
 return fmt.Errorf("unmarshalling file: %w", err)
 }
diff --git a/internal/cmd/proxy.go b/internal/cmd/proxy.go
index fbbc5a258..c8ccf6509 100644
--- a/internal/cmd/proxy.go
+++ b/internal/cmd/proxy.go
@@ -32,9 +32,9 @@ import (
 func createProxyConfig(
 ctx context.Context,
 l *slog.Logger,
- options *configuration,
-) (conf *proxy.Config, err error) {
- hostsFiles, err := options.hostsFiles(ctx, l)
+ conf *configuration,
+) (proxyConf *proxy.Config, err error) {
+ hostsFiles, err := conf.hostsFiles(ctx, l)
 if err != nil {
 // Don't wrap the error since it's informative enough as is.
 return nil, err
@@ -44,7 +44,7 @@ func createProxyConfig(
 Logger: l.With(slogutil.KeyPrefix, "default_handler"),
 // TODO(e.burkov): Use the configured message constructor.
 MessageConstructor: dnsmsg.DefaultMessageConstructor{},
- HaltIPv6: options.IPv6Disabled,
+ HaltIPv6: conf.IPv6Disabled,
 HostsFiles: hostsFiles,
 FileSystem: osutil.RootDirFS(),
 })
@@ -52,20 +52,20 @@ func createProxyConfig(
 return nil, fmt.Errorf("creating default handler: %w", err)
 }
 
- conf = &proxy.Config{
+ proxyConf = &proxy.Config{
 Logger: l.With(slogutil.KeyPrefix, proxy.LogPrefix),
 
- RatelimitSubnetLenIPv4: options.RatelimitSubnetLenIPv4,
- RatelimitSubnetLenIPv6: options.RatelimitSubnetLenIPv6,
-
- Ratelimit: options.Ratelimit,
- CacheEnabled: options.Cache,
- CacheSizeBytes: options.CacheSizeBytes,
- CacheMinTTL: options.CacheMinTTL,
- CacheMaxTTL: options.CacheMaxTTL,
- CacheOptimistic: options.CacheOptimistic,
- RefuseAny: options.RefuseAny,
- HTTP3: options.HTTP3,
+ RatelimitSubnetLenIPv4: conf.RatelimitSubnetLenIPv4,
+ RatelimitSubnetLenIPv6: conf.RatelimitSubnetLenIPv6,
+
+ Ratelimit: conf.Ratelimit,
+ CacheEnabled: conf.Cache,
+ CacheSizeBytes: conf.CacheSizeBytes,
+ CacheMinTTL: conf.CacheMinTTL,
+ CacheMaxTTL: conf.CacheMaxTTL,
+ CacheOptimistic: conf.CacheOptimistic,
+ RefuseAny: conf.RefuseAny,
+ HTTP3: conf.HTTP3,
 // TODO(e.burkov): The following CIDRs are aimed to match any address.
 // This is not quite proper approach to be used by default so think
 // about configuring it.
@@ -73,35 +73,35 @@ func createProxyConfig(
 netip.MustParsePrefix("0.0.0.0/0"),
 netip.MustParsePrefix("::0/0"),
 },
- EnableEDNSClientSubnet: options.EnableEDNSSubnet,
- UDPBufferSize: options.UDPBufferSize,
- HTTPSServerName: options.HTTPSServerName,
- MaxGoroutines: options.MaxGoRoutines,
- UsePrivateRDNS: options.UsePrivateRDNS,
+ EnableEDNSClientSubnet: conf.EnableEDNSSubnet,
+ UDPBufferSize: conf.UDPBufferSize,
+ HTTPSServerName: conf.HTTPSServerName,
+ MaxGoroutines: conf.MaxGoRoutines,
+ UsePrivateRDNS: conf.UsePrivateRDNS,
 PrivateSubnets: netutil.SubnetSetFunc(netutil.IsLocallyServed),
 RequestHandler: reqHdlr.HandleRequest,
 }
 
- if uiStr := options.HTTPSUserinfo; uiStr != "" {
+ if uiStr := conf.HTTPSUserinfo; uiStr != "" {
 user, pass, ok := strings.Cut(uiStr, ":")
 if ok {
- conf.Userinfo = url.UserPassword(user, pass)
+ proxyConf.Userinfo = url.UserPassword(user, pass)
 } else {
- conf.Userinfo = url.User(user)
+ proxyConf.Userinfo = url.User(user)
 }
 }
 
- options.initBogusNXDomain(ctx, l, conf)
+ conf.initBogusNXDomain(ctx, l, proxyConf)
 
 var errs []error
- errs = append(errs, options.initUpstreams(ctx, l, conf))
- errs = append(errs, options.initEDNS(ctx, l, conf))
- errs = append(errs, options.initTLSConfig(conf))
- errs = append(errs, options.initDNSCryptConfig(conf))
- errs = append(errs, options.initListenAddrs(conf))
- errs = append(errs, options.initSubnets(conf))
-
- return conf, errors.Join(errs...)
+ errs = append(errs, conf.initUpstreams(ctx, l, proxyConf))
+ errs = append(errs, conf.initEDNS(ctx, l, proxyConf))
+ errs = append(errs, conf.initTLSConfig(proxyConf))
+ errs = append(errs, conf.initDNSCryptConfig(proxyConf))
+ errs = append(errs, conf.initListenAddrs(proxyConf))
+ errs = append(errs, conf.initSubnets(proxyConf))
+
+ return proxyConf, errors.Join(errs...)
 }
 
 // isEmpty returns false if uc contains at least a single upstream. uc must not
@@ -380,47 +380,47 @@ func (conf *configuration) initListenAddrs(config *proxy.Config) (err error) {
 }
 
 // initTLSListenAddrs sets up proxy configuration TLS listen addresses.
-func initTLSListenAddrs(config *proxy.Config, options *configuration, addrs []netip.Addr) {
- if config.TLSConfig == nil {
+func initTLSListenAddrs(proxyConf *proxy.Config, conf *configuration, addrs []netip.Addr) {
+ if proxyConf.TLSConfig == nil {
 return
 }
 
 for _, ip := range addrs {
- for _, port := range options.TLSListenPorts {
+ for _, port := range conf.TLSListenPorts {
 a := net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
- config.TLSListenAddr = append(config.TLSListenAddr, a)
+ proxyConf.TLSListenAddr = append(proxyConf.TLSListenAddr, a)
 }
 
- for _, port := range options.HTTPSListenPorts {
+ for _, port := range conf.HTTPSListenPorts {
 a := net.TCPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
- config.HTTPSListenAddr = append(config.HTTPSListenAddr, a)
+ proxyConf.HTTPSListenAddr = append(proxyConf.HTTPSListenAddr, a)
 }
 
- for _, port := range options.QUICListenPorts {
+ for _, port := range conf.QUICListenPorts {
 a := net.UDPAddrFromAddrPort(netip.AddrPortFrom(ip, uint16(port)))
- config.QUICListenAddr = append(config.QUICListenAddr, a)
+ proxyConf.QUICListenAddr = append(proxyConf.QUICListenAddr, a)
 }
 }
 }
 
 // initDNSCryptListenAddrs sets up proxy configuration DNSCrypt listen
 // addresses.
-func initDNSCryptListenAddrs(config *proxy.Config, options *configuration, addrs []netip.Addr) {
- if config.DNSCryptResolverCert == nil || config.DNSCryptProviderName == "" {
+func initDNSCryptListenAddrs(proxyConf *proxy.Config, conf *configuration, addrs []netip.Addr) {
+ if proxyConf.DNSCryptResolverCert == nil || proxyConf.DNSCryptProviderName == "" {
 return
 }
 
- for _, port := range options.DNSCryptListenPorts {
+ for _, port := range conf.DNSCryptListenPorts {
 p := uint16(port)
 for _, ip := range addrs {
 addrPort := netip.AddrPortFrom(ip, p)
 
 tcp := net.TCPAddrFromAddrPort(addrPort)
- config.DNSCryptTCPListenAddr = append(config.DNSCryptTCPListenAddr, tcp)
+ proxyConf.DNSCryptTCPListenAddr = append(proxyConf.DNSCryptTCPListenAddr, tcp)
 
 udp := net.UDPAddrFromAddrPort(addrPort)
- config.DNSCryptUDPListenAddr = append(config.DNSCryptUDPListenAddr, udp)
+ proxyConf.DNSCryptUDPListenAddr = append(proxyConf.DNSCryptUDPListenAddr, udp)
 }
 }
 }
diff --git a/internal/cmd/tls.go b/internal/cmd/tls.go
index 2dbcfcb0e..c001d1206 100644
--- a/internal/cmd/tls.go
+++ b/internal/cmd/tls.go
@@ -9,12 +9,12 @@ import (
 // NewTLSConfig returns the TLS config that includes a certificate. Use it for
 // server TLS configuration or for a client certificate. If caPath is empty,
 // system CAs will be used.
-func newTLSConfig(options *configuration) (c *tls.Config, err error) {
+func newTLSConfig(conf *configuration) (c *tls.Config, err error) {
 // Set default TLS min/max versions
 tlsMinVersion := tls.VersionTLS10
 tlsMaxVersion := tls.VersionTLS13
- switch options.TLSMinVersion {
+ switch conf.TLSMinVersion {
 case 1.1:
 tlsMinVersion = tls.VersionTLS11
 case 1.2:
@@ -23,7 +23,7 @@ func newTLSConfig(options *configuration) (c *tls.Config, err error) {
 tlsMinVersion = tls.VersionTLS13
 }
 
- switch options.TLSMaxVersion {
+ switch conf.TLSMaxVersion {
 case 1.0:
 tlsMaxVersion = tls.VersionTLS10
 case 1.1:
@@ -32,7 +32,7 @@ func newTLSConfig(options *configuration) (c *tls.Config, err error) {
 tlsMaxVersion = tls.VersionTLS12
 }
 
- cert, err := loadX509KeyPair(options.TLSCertPath, options.TLSKeyPath)
+ cert, err := loadX509KeyPair(conf.TLSCertPath, conf.TLSKeyPath)
 if err != nil {
 return nil, fmt.Errorf("loading TLS cert: %s", err)
 }