diff --git a/cmd/cli/dns_proxy.go b/cmd/cli/dns_proxy.go
index b00a355..ad65209 100644
--- a/cmd/cli/dns_proxy.go
+++ b/cmd/cli/dns_proxy.go
@@ -1419,14 +1419,39 @@ func interfaceIPsEqual(a, b []netip.Prefix) bool {
 		return false
 	}
 
-	// Create maps for easier comparison
-	aMap := make(map[netip.Prefix]bool)
-	for _, ip := range a {
-		aMap[ip] = true
+	isUsableIP := func(ip netip.Prefix) bool {
+		addr := ip.Addr()
+		return !addr.IsLinkLocalUnicast() && // fe80::/10
+			!addr.IsLoopback() && // 127.0.0.1/8, ::1
+			!addr.IsMulticast() && // 224.0.0.0/4, ff00::/8
+			!addr.IsUnspecified() && // 0.0.0.0, ::
+			!addr.IsLinkLocalMulticast() && // 224.0.0.0/24
+			!(addr.Is4() && addr.String() == "255.255.255.255") && // broadcast
+			!tsaddr.CGNATRange().Contains(addr) // 100.64.0.0/10 CGNAT
 	}
 
+	// Filter and create maps for comparison
+	aMap := make(map[netip.Prefix]bool)
+	for _, ip := range a {
+		if isUsableIP(ip) {
+			aMap[ip] = true
+		}
+	}
+
+	bMap := make(map[netip.Prefix]bool)
 	for _, ip := range b {
-		if !aMap[ip] {
+		if isUsableIP(ip) {
+			bMap[ip] = true
+		}
+	}
+
+	// Compare the filtered IP sets
+	if len(aMap) != len(bMap) {
+		return false
+	}
+
+	for ip := range aMap {
+		if !bMap[ip] {
 			return false
 		}
 	}