Merge pull request #276 from Control-D-Inc/release-branch-v1.4.9

Release branch v1.4.9
fix(system): disable ghw warnings to reduce log noise
2026-02-03 22:18:39 +00:00 · 2026-01-13 21:41:48 +07:00 · 2026-01-09 15:10:29 +07:00 · 2025-12-18 17:10:43 +07:00 · 2025-12-18 17:10:43 +07:00 · 2025-12-18 17:10:43 +07:00
41 changed files with 770 additions and 215 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,18 +9,18 @@ jobs:
      fail-fast: false
      matrix:
        os: ["windows-latest", "ubuntu-latest", "macOS-latest"]
-        go: ["1.23.x"]
+        go: ["1.24.x"]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
-      - uses: WillAbides/setup-go-faster@v1.8.0
+      - uses: actions/setup-go@v6
        with:
          go-version: ${{ matrix.go }}
      - run: "go test -race ./..."
-      - uses: dominikh/staticcheck-action@v1.3.1
+      - uses: dominikh/staticcheck-action@v1.4.0
        with:
-          version: "2024.1.1"
+          version: "2025.1.1"
          install-go: false
          cache-key: ${{ matrix.go }}
--- a/cmd/cli/ad_windows.go
+++ b/cmd/cli/ad_windows.go
@@ -10,11 +10,12 @@ import (
 	hh "github.com/microsoft/wmi/pkg/hardware/host"

 	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/system"
 )

 // addExtraSplitDnsRule adds split DNS rule for domain if it's part of active directory.
 func addExtraSplitDnsRule(cfg *ctrld.Config) bool {
-	domain, err := getActiveDirectoryDomain()
+	domain, err := system.GetActiveDirectoryDomain()
 	if err != nil {
 		mainLog.Load().Debug().Msgf("unable to get active directory domain: %v", err)
 		return false
--- a/cmd/cli/ad_windows_test.go
+++ b/cmd/cli/ad_windows_test.go
@@ -5,14 +5,16 @@ import (
 	"testing"
 	"time"

-	"github.com/Control-D-Inc/ctrld"
-	"github.com/Control-D-Inc/ctrld/testhelper"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/system"
+	"github.com/Control-D-Inc/ctrld/testhelper"
 )

 func Test_getActiveDirectoryDomain(t *testing.T) {
 	start := time.Now()
-	domain, err := getActiveDirectoryDomain()
+	domain, err := system.GetActiveDirectoryDomain()
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/cmd/cli/cli.go
+++ b/cmd/cli/cli.go
@@ -178,7 +178,15 @@ func RunMobile(appConfig *AppConfig, appCallback *AppCallback, stopCh chan struc
 	noConfigStart = false
 	homedir = appConfig.HomeDir
 	verbose = appConfig.Verbose
-	cdUID = appConfig.CdUID
+	if appConfig.ProvisionID != "" {
+		cdOrg = appConfig.ProvisionID
+	}
+	if appConfig.CustomHostname != "" {
+		customHostname = appConfig.CustomHostname
+	}
+	if appConfig.CdUID != "" {
+		cdUID = appConfig.CdUID
+	}
 	cdUpstreamProto = appConfig.UpstreamProto
 	logPath = appConfig.LogPath
 	run(appCallback, stopCh)
@@ -274,7 +282,7 @@ func run(appCallback *AppCallback, stopCh chan struct{}) {
 	}
 	p.mu.Unlock()

-	processLogAndCacheFlags()
+	processLogAndCacheFlags(v, &cfg)

 	// Log config do not have thing to validate, so it's safe to init log here,
 	// so it's able to log information in processCDFlags.
@@ -334,7 +342,7 @@ func run(appCallback *AppCallback, stopCh chan struct{}) {
 	updated := updateListenerConfig(&cfg, notifyExitToLogServer)

 	if cdUID != "" {
-		processLogAndCacheFlags()
+		processLogAndCacheFlags(v, &cfg)
 	}

 	if updated {
@@ -634,13 +642,19 @@ func processCDFlags(cfg *ctrld.Config) (*controld.ResolverConfig, error) {
 	logger.Info().Msgf("fetching Controld D configuration from API: %s", cdUID)
 	bo := backoff.NewBackoff("processCDFlags", logf, 30*time.Second)
 	bo.LogLongerThan = 30 * time.Second
+
 	ctx := context.Background()
-	resolverConfig, err := controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev)
+	req := &controld.ResolverConfigRequest{
+		RawUID:   cdUID,
+		Version:  rootCmd.Version,
+		Metadata: ctrld.SystemMetadata(ctx),
+	}
+	resolverConfig, err := controld.FetchResolverConfig(req, cdDev)
 	for {
 		if errUrlNetworkError(err) {
 			bo.BackOff(ctx, err)
 			logger.Warn().Msg("could not fetch resolver using bootstrap DNS, retrying...")
-			resolverConfig, err = controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev)
+			resolverConfig, err = controld.FetchResolverConfig(req, cdDev)
 			continue
 		}
 		break
@@ -772,7 +786,8 @@ func processListenFlag() {
 	})
 }

-func processLogAndCacheFlags() {
+// processLogAndCacheFlags processes log and cache related flags
+func processLogAndCacheFlags(v *viper.Viper, cfg *ctrld.Config) {
 	if logPath != "" {
 		cfg.Service.LogPath = logPath
 	}
@@ -1507,7 +1522,12 @@ func cdUIDFromProvToken() string {
 	if customHostname != "" && !validHostname(customHostname) {
 		mainLog.Load().Fatal().Msgf("invalid custom hostname: %q", customHostname)
 	}
-	req := &controld.UtilityOrgRequest{ProvToken: cdOrg, Hostname: customHostname}
+
+	req := &controld.UtilityOrgRequest{
+		ProvToken: cdOrg,
+		Hostname:  customHostname,
+		Metadata:  ctrld.SystemMetadata(context.Background()),
+	}
 	// Process provision token if provided.
 	resolverConfig, err := controld.FetchResolverUID(req, rootCmd.Version, cdDev)
 	if err != nil {
@@ -1848,7 +1868,12 @@ func runningIface(s service.Service) *ifaceResponse {

 // doValidateCdRemoteConfig fetches and validates custom config for cdUID.
 func doValidateCdRemoteConfig(cdUID string, fatal bool) error {
-	rc, err := controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev)
+	req := &controld.ResolverConfigRequest{
+		RawUID:   cdUID,
+		Version:  rootCmd.Version,
+		Metadata: ctrld.SystemMetadata(context.Background()),
+	}
+	rc, err := controld.FetchResolverConfig(req, cdDev)
 	if err != nil {
 		logger := mainLog.Load().Fatal()
 		if !fatal {
--- a/cmd/cli/commands.go
+++ b/cmd/cli/commands.go
@@ -189,6 +189,7 @@ func initRunCmd() *cobra.Command {
 	runCmd.Flags().StringVarP(&iface, "iface", "", "", `Update DNS setting for iface, "auto" means the default interface gateway`)
 	_ = runCmd.Flags().MarkHidden("iface")
 	runCmd.Flags().StringVarP(&cdUpstreamProto, "proto", "", ctrld.ResolverTypeDOH, `Control D upstream type, either "doh" or "doh3"`)
+	runCmd.Flags().BoolVarP(&rfc1918, "rfc1918", "", false, "Listen on RFC1918 addresses when 127.0.0.1 is the only listener")

 	runCmd.FParseErrWhitelist = cobra.FParseErrWhitelist{UnknownFlags: true}
 	rootCmd.AddCommand(runCmd)
@@ -531,6 +532,7 @@ NOTE: running "ctrld start" without any arguments will start already installed c
 	startCmd.Flags().BoolVarP(&skipSelfChecks, "skip_self_checks", "", false, `Skip self checks after installing ctrld service`)
 	startCmd.Flags().BoolVarP(&startOnly, "start_only", "", false, "Do not install new service")
 	_ = startCmd.Flags().MarkHidden("start_only")
+	startCmd.Flags().BoolVarP(&rfc1918, "rfc1918", "", false, "Listen on RFC1918 addresses when 127.0.0.1 is the only listener")

 	routerCmd := &cobra.Command{
 		Use: "setup",
--- a/cmd/cli/control_server.go
+++ b/cmd/cli/control_server.go
@@ -217,7 +217,12 @@ func (p *prog) registerControlServerHandler() {
 		}

 		// Re-fetch pin code from API.
-		if rc, err := controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev); rc != nil {
+		rcReq := &controld.ResolverConfigRequest{
+			RawUID:   cdUID,
+			Version:  rootCmd.Version,
+			Metadata: ctrld.SystemMetadata(context.Background()),
+		}
+		if rc, err := controld.FetchResolverConfig(rcReq, cdDev); rc != nil {
 			if rc.DeactivationPin != nil {
 				cdDeactivationPin.Store(*rc.DeactivationPin)
 			} else {
--- a/cmd/cli/dns_proxy.go
+++ b/cmd/cli/dns_proxy.go
@@ -84,13 +84,7 @@ type upstreamForResult struct {
 	srcAddr        string
 }

-func (p *prog) serveDNS(mainCtx context.Context, listenerNum string) error {
-	// Start network monitoring
-	if err := p.monitorNetworkChanges(mainCtx); err != nil {
-		mainLog.Load().Error().Err(err).Msg("Failed to start network monitoring")
-		// Don't return here as we still want DNS service to run
-	}
-
+func (p *prog) serveDNS(listenerNum string) error {
 	listenerConfig := p.cfg.Listener[listenerNum]
 	// make sure ip is allocated
 	if allocErr := p.allocateIP(listenerConfig.IP); allocErr != nil {
@@ -213,8 +207,8 @@ func (p *prog) serveDNS(mainCtx context.Context, listenerNum string) error {
 				return nil
 			})
 		}
-		// When we spawn a listener on 127.0.0.1, also spawn listeners on the RFC1918
-		// addresses of the machine. So ctrld could receive queries from LAN clients.
+		// When we spawn a listener on 127.0.0.1, also spawn listeners on the RFC1918 addresses of the machine
+		// if explicitly set via setting rfc1918 flag, so ctrld could receive queries from LAN clients.
 		if needRFC1918Listeners(listenerConfig) {
 			g.Go(func() error {
 				for _, addr := range ctrld.Rfc1918Addresses() {
@@ -960,7 +954,13 @@ func (p *prog) doSelfUninstall(answer *dns.Msg) {
 	logger := mainLog.Load().With().Str("mode", "self-uninstall").Logger()
 	if p.refusedQueryCount > selfUninstallMaxQueries {
 		p.checkingSelfUninstall = true
-		_, err := controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev)
+
+		req := &controld.ResolverConfigRequest{
+			RawUID:   cdUID,
+			Version:  rootCmd.Version,
+			Metadata: ctrld.SystemMetadata(context.Background()),
+		}
+		_, err := controld.FetchResolverConfig(req, cdDev)
 		logger.Debug().Msg("maximum number of refused queries reached, checking device status")
 		selfUninstallCheck(err, p, logger)

@@ -1045,7 +1045,7 @@ func (p *prog) queryFromSelf(ip string) bool {
 // needRFC1918Listeners reports whether ctrld need to spawn listener for RFC 1918 addresses.
 // This is helpful for non-desktop platforms to receive queries from LAN clients.
 func needRFC1918Listeners(lc *ctrld.ListenerConfig) bool {
-	return lc.IP == "127.0.0.1" && lc.Port == 53 && !ctrld.IsDesktopPlatform()
+	return rfc1918 && lc.IP == "127.0.0.1" && lc.Port == 53
 }

 // ipFromARPA parses a FQDN arpa domain and return the IP address if valid.
@@ -1187,7 +1187,7 @@ func FlushDNSCache() error {
 }

 // monitorNetworkChanges starts monitoring for network interface changes
-func (p *prog) monitorNetworkChanges(ctx context.Context) error {
+func (p *prog) monitorNetworkChanges() error {
 	mon, err := netmon.New(func(format string, args ...any) {
 		// Always fetch the latest logger (and inject the prefix)
 		mainLog.Load().Printf("netmon: "+format, args...)
@@ -1406,9 +1406,6 @@ func (p *prog) checkUpstreamOnce(upstream string, uc *ctrld.UpstreamConfig) erro
 		return err
 	}

-	msg := new(dns.Msg)
-	msg.SetQuestion(".", dns.TypeNS)
-
 	timeout := 1000 * time.Millisecond
 	if uc.Timeout > 0 {
 		timeout = time.Millisecond * time.Duration(uc.Timeout)
@@ -1422,6 +1419,7 @@ func (p *prog) checkUpstreamOnce(upstream string, uc *ctrld.UpstreamConfig) erro
 	mainLog.Load().Debug().Msgf("Rebootstrapping resolver for upstream: %s", upstream)

 	start := time.Now()
+	msg := uc.VerifyMsg()
 	_, err = resolver.Resolve(ctx, msg)
 	duration := time.Since(start)

--- a/cmd/cli/library.go
+++ b/cmd/cli/library.go
@@ -18,11 +18,13 @@ type AppCallback struct {

 // AppConfig allows overwriting ctrld cli flags from mobile platforms.
 type AppConfig struct {
-	CdUID         string
-	HomeDir       string
-	UpstreamProto string
-	Verbose       int
-	LogPath       string
+	CdUID          string
+	ProvisionID    string
+	CustomHostname string
+	HomeDir        string
+	UpstreamProto  string
+	Verbose        int
+	LogPath        string
 }

 const (
--- a/cmd/cli/main.go
+++ b/cmd/cli/main.go
@@ -39,6 +39,7 @@ var (
 	skipSelfChecks    bool
 	cleanup           bool
 	startOnly         bool
+	rfc1918           bool

 	mainLog       atomic.Pointer[zerolog.Logger]
 	consoleWriter zerolog.ConsoleWriter
--- a/cmd/cli/os_linux.go
+++ b/cmd/cli/os_linux.go
@@ -72,7 +72,15 @@ func setDNS(iface *net.Interface, nameservers []string) error {
 		SearchDomains: []dnsname.FQDN{},
 	}
 	if sds, err := searchDomains(); err == nil {
-		osConfig.SearchDomains = sds
+		// Filter the root domain, since it's not allowed by systemd.
+		// See https://github.com/systemd/systemd/issues/9515
+		filteredSds := slices.DeleteFunc(sds, func(s dnsname.FQDN) bool {
+			return s == "" || s == "."
+		})
+		if len(filteredSds) != len(sds) {
+			mainLog.Load().Debug().Msg(`Removed root domain "." from search domains list`)
+		}
+		osConfig.SearchDomains = filteredSds
 	} else {
 		mainLog.Load().Debug().Err(err).Msg("failed to get search domains list")
 	}
--- a/cmd/cli/prog.go
+++ b/cmd/cli/prog.go
@@ -213,7 +213,8 @@ func (p *prog) runWait() {
 				continue
 			}
 			if cdUID != "" {
-				if rc, err := processCDFlags(newCfg); err != nil {
+				rc, err := processCDFlags(newCfg)
+				if err != nil {
 					logger.Err(err).Msg("could not fetch ControlD config")
 					waitOldRunDone()
 					continue
@@ -225,6 +226,10 @@ func (p *prog) runWait() {
 			}
 		}

+		// Though the log configuration could not be changed during reloading, we still need to
+		// process the current flags here, so runtime internal logs can be used correctly.
+		processLogAndCacheFlags(v, newCfg)
+
 		waitOldRunDone()

 		p.mu.Lock()
@@ -320,7 +325,12 @@ func (p *prog) apiConfigReload() {
 	}

 	doReloadApiConfig := func(forced bool, logger zerolog.Logger) {
-		resolverConfig, err := controld.FetchResolverConfig(cdUID, rootCmd.Version, cdDev)
+		req := &controld.ResolverConfigRequest{
+			RawUID:   cdUID,
+			Version:  rootCmd.Version,
+			Metadata: ctrld.SystemMetadata(context.Background()),
+		}
+		resolverConfig, err := controld.FetchResolverConfig(req, cdDev)
 		selfUninstallCheck(err, p, logger)
 		if err != nil {
 			logger.Warn().Err(err).Msg("could not fetch resolver config")
@@ -530,6 +540,15 @@ func (p *prog) run(reload bool, reloadCh chan struct{}) {
 		go p.watchLinkState(ctx)
 	}

+	if !reload {
+		go func() {
+			// Start network monitoring
+			if err := p.monitorNetworkChanges(); err != nil {
+				mainLog.Load().Error().Err(err).Msg("Failed to start network monitoring")
+			}
+		}()
+	}
+
 	for listenerNum := range p.cfg.Listener {
 		p.cfg.Listener[listenerNum].Init()
 		if !reload {
@@ -541,7 +560,7 @@ func (p *prog) run(reload bool, reloadCh chan struct{}) {
 				}
 				addr := net.JoinHostPort(listenerConfig.IP, strconv.Itoa(listenerConfig.Port))
 				mainLog.Load().Info().Msgf("starting DNS server on listener.%s: %s", listenerNum, addr)
-				if err := p.serveDNS(ctx, listenerNum); err != nil {
+				if err := p.serveDNS(listenerNum); err != nil {
 					mainLog.Load().Fatal().Err(err).Msgf("unable to start dns proxy on listener.%s", listenerNum)
 				}
 				mainLog.Load().Debug().Msgf("end of serveDNS listener.%s: %s", listenerNum, addr)
--- a/cmd/ctrld_library/main.go
+++ b/cmd/ctrld_library/main.go
@@ -28,15 +28,17 @@ type AppCallback interface {
 // Start configures utility with config.toml from provided directory.
 // This function will block until Stop is called
 // Check port availability prior to calling it.
-func (c *Controller) Start(CdUID string, HomeDir string, UpstreamProto string, logLevel int, logPath string) {
+func (c *Controller) Start(CdUID string, ProvisionID string, CustomHostname string, HomeDir string, UpstreamProto string, logLevel int, logPath string) {
 	if c.stopCh == nil {
 		c.stopCh = make(chan struct{})
 		c.Config = cli.AppConfig{
-			CdUID:         CdUID,
-			HomeDir:       HomeDir,
-			UpstreamProto: UpstreamProto,
-			Verbose:       logLevel,
-			LogPath:       logPath,
+			CdUID:          CdUID,
+			ProvisionID:    ProvisionID,
+			CustomHostname: CustomHostname,
+			HomeDir:        HomeDir,
+			UpstreamProto:  UpstreamProto,
+			Verbose:        logLevel,
+			LogPath:        logPath,
 		}
 		appCallback := mapCallback(c.AppCallback)
 		cli.RunMobile(&c.Config, &appCallback, c.stopCh)
--- a/config.go
+++ b/config.go
@@ -358,6 +358,15 @@ func (uc *UpstreamConfig) Init() {
 	}
 }

+// VerifyMsg creates and returns a new DNS message could be used for testing upstream health.
+func (uc *UpstreamConfig) VerifyMsg() *dns.Msg {
+	msg := new(dns.Msg)
+	msg.RecursionDesired = true
+	msg.SetQuestion(".", dns.TypeNS)
+	msg.SetEdns0(4096, false) // ensure handling of large DNS response
+	return msg
+}
+
 // VerifyDomain returns the domain name that could be resolved by the upstream endpoint.
 // It returns empty for non-ControlD upstream endpoint.
 func (uc *UpstreamConfig) VerifyDomain() string {
--- a/config_quic.go
+++ b/config_quic.go
@@ -36,7 +36,7 @@ func (uc *UpstreamConfig) setupDOH3Transport() {
 func (uc *UpstreamConfig) newDOH3Transport(addrs []string) http.RoundTripper {
 	rt := &http3.Transport{}
 	rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool}
-	rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+	rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 		_, port, _ := net.SplitHostPort(addr)
 		// if we have a bootstrap ip set, use it to avoid DNS lookup
 		if uc.BootstrapIP != "" {
@@ -96,14 +96,14 @@ func (uc *UpstreamConfig) doh3Transport(dnsType uint16) http.RoundTripper {
 //   - quic dialer is different with net.Dialer
 //   - simplification for quic free version
 type parallelDialerResult struct {
-	conn quic.EarlyConnection
+	conn *quic.Conn
 	err  error
 }

 type quicParallelDialer struct{}

 // Dial performs parallel dialing to the given address list.
-func (d *quicParallelDialer) Dial(ctx context.Context, addrs []string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+func (d *quicParallelDialer) Dial(ctx context.Context, addrs []string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 	if len(addrs) == 0 {
 		return nil, errors.New("empty addresses")
 	}
--- a/docs/known-issues.md
+++ b/docs/known-issues.md
@@ -0,0 +1,42 @@
+# Known Issues
+
+This document outlines known issues with ctrld and their current status, workarounds, and recommendations.
+
+## macOS (Darwin) Issues
+
+### Self-Upgrade Issue on Darwin 15.5
+
+**Issue**: ctrld self-upgrading functionality may not work on macOS Darwin 15.5.
+
+**Status**: Under investigation
+
+**Description**: Users on macOS Darwin 15.5 may experience issues when ctrld attempts to perform automatic self-upgrades. The upgrade process would be triggered, but ctrld won't be upgraded.
+
+**Workarounds**:
+1. **Recommended**: Upgrade your macOS system to Darwin 15.6 or later, which has been tested and verified to work correctly with ctrld self-upgrade functionality.
+2. **Alternative**: Run `ctrld upgrade prod` directly to manually upgrade ctrld to the latest version on Darwin 15.5.
+
+**Affected Versions**: ctrld v1.4.2 and later on macOS Darwin 15.5
+
+**Last Updated**: 05/09/2025
+
+---
+
+## Contributing to Known Issues
+
+If you encounter an issue not listed here, please:
+
+1. Check the [GitHub Issues](https://github.com/Control-D-Inc/ctrld/issues) to see if it's already reported
+2. If not reported, create a new issue with:
+   - Detailed description of the problem
+   - Steps to reproduce
+   - Expected vs actual behavior
+   - System information (OS, version, architecture)
+   - ctrld version
+
+## Issue Status Legend
+
+- **Under investigation**: Issue is confirmed and being analyzed
+- **Workaround available**: Temporary solution exists while permanent fix is developed
+- **Fixed**: Issue has been resolved in a specific version
+- **Won't fix**: Issue is acknowledged but will not be addressed due to technical limitations or design decisions
--- a/docs/runtime-internal-logging.md
+++ b/docs/runtime-internal-logging.md
@@ -0,0 +1,46 @@
+# Runtime Internal Logging
+
+When no logging is configured (i.e., `log_path` is not set), ctrld automatically enables an internal logging system. This system stores logs in memory to provide troubleshooting information when problems occur.
+
+## Purpose
+
+The runtime internal logging system is designed primarily for **ctrld developers**, not end users. It captures detailed diagnostic information that can be useful for troubleshooting issues when they arise, especially in production environments where explicit logging may not be configured.
+
+## When It's Enabled
+
+Internal logging is automatically enabled when:
+
+- ctrld is running in Control D mode (i.e., `--cd` flag is provided)
+- No log file is configured (i.e., `log_path` is empty or not set)
+
+If a log file is explicitly configured via `log_path`, internal logging will **not** be enabled, as the configured log file serves the logging purpose.
+
+## How It Works
+
+The internal logging system:
+
+- Stores logs in **in-memory buffers** (not written to disk)
+- Captures logs at **debug level** for normal operations and **warn level** for warnings
+- Maintains separate buffers for normal logs and warning logs
+- Automatically manages buffer size to prevent unbounded memory growth
+- Preserves initialization logs even when buffers overflow
+
+## Configuration
+
+**Important**: The `log_level` configuration option does **not** affect the internal logging system. Internal logging always operates at debug level for normal logs and warn level for warnings, regardless of the `log_level` setting in the configuration file.
+
+The `log_level` setting only affects:
+- Console output (when running interactively)
+- File-based logging (when `log_path` is configured)
+
+## Accessing Internal Logs
+
+Internal logs can be accessed through the control server API endpoints. This functionality is intended for developers and support personnel who need to diagnose issues.
+
+## Notes
+
+- Internal logging is **not** a replacement for proper log file configuration in production environments
+- For production deployments, it is recommended to configure `log_path` to enable persistent file-based logging
+- Internal logs are stored in memory and will be lost if the process terminates unexpectedly
+- The internal logging system is automatically disabled when explicit logging is configured
+
--- a/doh.go
+++ b/doh.go
@@ -122,11 +122,6 @@ func (r *dohResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, erro
 	}
 	if err != nil {
 		err = wrapUrlError(err)
-		if r.isDoH3 {
-			if closer, ok := c.Transport.(io.Closer); ok {
-				closer.Close()
-			}
-		}
 		return nil, fmt.Errorf("could not perform request: %w", err)
 	}
 	defer resp.Body.Close()
--- a/doq_test.go
+++ b/doq_test.go
@@ -142,7 +142,7 @@ func (s *testQUICServer) serve(t *testing.T) {
 }

 // handleConnection manages an individual QUIC connection by accepting and handling incoming streams in separate goroutines.
-func (s *testQUICServer) handleConnection(t *testing.T, conn quic.Connection) {
+func (s *testQUICServer) handleConnection(t *testing.T, conn *quic.Conn) {
 	for {
 		stream, err := conn.AcceptStream(context.Background())
 		if err != nil {
@@ -154,7 +154,7 @@ func (s *testQUICServer) handleConnection(t *testing.T, conn quic.Connection) {
 }

 // handleStream processes a single QUIC stream, reads DNS messages, generates a response, and sends it back to the client.
-func (s *testQUICServer) handleStream(t *testing.T, stream quic.Stream) {
+func (s *testQUICServer) handleStream(t *testing.T, stream *quic.Stream) {
 	defer stream.Close()

 	// Read length (2 bytes)
--- a/go.mod
+++ b/go.mod
@@ -1,12 +1,11 @@
 module github.com/Control-D-Inc/ctrld

-go 1.23.0
-
-toolchain go1.23.7
+go 1.24

 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/ameshkov/dnsstamps v1.0.3
+	github.com/brunogui0812/sysprofiler v0.5.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf
 	github.com/docker/go-units v0.5.0
@@ -17,6 +16,7 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.1
 	github.com/illarion/gonotify/v2 v2.0.3
 	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
+	github.com/jaypipes/ghw v0.21.0
 	github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.1
@@ -29,16 +29,16 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.5.0
 	github.com/prometheus/prom2json v1.3.3
-	github.com/quic-go/quic-go v0.48.2
+	github.com/quic-go/quic-go v0.57.1
 	github.com/rs/zerolog v1.28.0
-	github.com/spf13/cobra v1.8.1
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.16.0
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	golang.org/x/net v0.38.0
-	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/net v0.43.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.35.0
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	tailscale.com v1.74.0
 )
@@ -54,13 +54,13 @@ require (
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/groob/plist v0.0.0-20200425180238-0f631f258c01 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jaypipes/pcidb v1.1.1 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -74,32 +74,33 @@ require (
 	github.com/mdlayher/packet v1.1.2 // indirect
 	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/spakin/awk v1.0.0 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.uber.org/mock v0.4.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 // indirect
 )

 replace github.com/mr-karan/doggo => github.com/Windscribe/doggo v0.0.0-20220919152748-2c118fc391f8
--- a/go.sum
+++ b/go.sum
@@ -50,6 +50,8 @@ github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1O
 github.com/ameshkov/dnsstamps v1.0.3/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/brunogui0812/sysprofiler v0.5.0 h1:AUekplOKG/VKH6sPSBRxsKOA9Uv5OsI8qolXM73dXPU=
+github.com/brunogui0812/sysprofiler v0.5.0/go.mod h1:lLd7gvylgd4nsTSC8exq1YY6qhLWXkgnalxjVzdlbEM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -64,7 +66,7 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf h1:40DHYsri+d1bnroFDU2FQAeq68f3kAlOzlQ93kCf26Q=
 github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf/go.mod h1:G45410zMgmnSjLVKCq4f6GpbYAzoP2plX9rPwgx6C24=
@@ -91,8 +93,7 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A=
@@ -103,8 +104,6 @@ github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/j
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ=
 github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
@@ -162,8 +161,6 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -171,6 +168,8 @@ github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/groob/plist v0.0.0-20200425180238-0f631f258c01 h1:0T3XGXebqLj7zSVLng9wX9axQzTEnvj/h6eT7iLfUas=
+github.com/groob/plist v0.0.0-20200425180238-0f631f258c01/go.mod h1:itkABA+w2cw7x5nYUS/pLRef6ludkZKOigbROmCTaFw=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
@@ -187,8 +186,13 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/jaypipes/ghw v0.21.0 h1:ClG2xWtYY0c1ud9jZYwVGdSgfCI7AbmZmZyw3S5HHz8=
+github.com/jaypipes/ghw v0.21.0/go.mod h1:GPrvwbtPoxYUenr74+nAnWbardIZq600vJDD5HnPsPE=
+github.com/jaypipes/pcidb v1.1.1 h1:QmPhpsbmmnCwZmHeYAATxEaoRuiMAJusKYkUncMC0ro=
+github.com/jaypipes/pcidb v1.1.1/go.mod h1:x27LT2krrUgjf875KxQXKB0Ha/YXLdZRVmw6hH0G7g8=
 github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c h1:kbTQ8oGf+BVFvt/fM+ECI+NbZDCqoi0vtZTfB2p2hrI=
 github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c/go.mod h1:k6+89xKz7BSMJ+DzIerBdtpEUeTlBMugO/hcVSzahog=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
@@ -242,10 +246,6 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
-github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
-github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
-github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
 github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
@@ -269,10 +269,10 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/prometheus/prom2json v1.3.3 h1:IYfSMiZ7sSOfliBoo89PcufjWO4eAR0gznGcETyaUgo=
 github.com/prometheus/prom2json v1.3.3/go.mod h1:Pv4yIPktEkK7btWsrUTWDDDrnpUrAELaOCj+oFwlgmc=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE=
-github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.57.1 h1:25KAAR9QR8KZrCZRThWMKVAwGoiHIrNbT72ULHTuI10=
+github.com/quic-go/quic-go v0.57.1/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -284,16 +284,18 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spakin/awk v1.0.0 h1:5ulBVgJhdN3XoFGNVv/MOHOIUfPVPvMCIlLH6O6ZqU4=
+github.com/spakin/awk v1.0.0/go.mod h1:e7FnxcIEcRqdKwStPYWonox4n9DpharWk+3nnn1IqJs=
 github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
 github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -309,8 +311,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
@@ -324,14 +326,16 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
@@ -346,8 +350,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -383,8 +387,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -417,8 +421,8 @@ golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -438,8 +442,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -449,6 +453,7 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -488,8 +493,8 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -500,13 +505,13 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -554,8 +559,8 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -671,6 +676,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 h1:eeH1AIcPvSc0Z25ThsYF+Xoqbn0CI/YnXVYoTLFdGQw=
+howett.net/plist v1.0.2-0.20250314012144-ee69052608d9/go.mod h1:fyFX5Hj5tP1Mpk8obqA9MZgXT416Q5711SDT7dQLTLk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/internal/clientinfo/dhcp_lease_files.go
+++ b/internal/clientinfo/dhcp_lease_files.go
@@ -16,4 +16,5 @@ var clientInfoFiles = map[string]ctrld.LeaseFileFormat{
 	"/var/dhcpd/var/db/dhcpd.leases":           ctrld.IscDhcpd, // Pfsense
 	"/home/pi/.router/run/dhcp/dnsmasq.leases": ctrld.Dnsmasq,  // Firewalla
 	"/var/lib/kea/dhcp4.leases":                ctrld.KeaDHCP4, // Pfsense
+	"/var/db/dnsmasq.leases":                   ctrld.Dnsmasq,  // OPNsense
 }
--- a/internal/clientinfo/mdns.go
+++ b/internal/clientinfo/mdns.go
@@ -74,7 +74,6 @@ func (m *mdns) lookupIPByHostname(name string, v6 bool) string {
 		if value == name {
 			if addr, err := netip.ParseAddr(key.(string)); err == nil && addr.Is6() == v6 {
 				ip = addr.String()
-				//lint:ignore S1008 This is used for readable.
 				if addr.IsLoopback() { // Continue searching if this is loopback address.
 					return true
 				}
--- a/internal/clientinfo/ptr_lookup.go
+++ b/internal/clientinfo/ptr_lookup.go
@@ -104,7 +104,6 @@ func (p *ptrDiscover) lookupIPByHostname(name string, v6 bool) string {
 		if value == name {
 			if addr, err := netip.ParseAddr(key.(string)); err == nil && addr.Is6() == v6 {
 				ip = addr.String()
-				//lint:ignore S1008 This is used for readable.
 				if addr.IsLoopback() { // Continue searching if this is loopback address.
 					return true
 				}
@@ -120,8 +119,7 @@ func (p *ptrDiscover) lookupIPByHostname(name string, v6 bool) string {
 // is reachable, set p.serverDown to false, so p.lookupHostname can continue working.
 func (p *ptrDiscover) checkServer() {
 	bo := backoff.NewBackoff("ptrDiscover", func(format string, args ...any) {}, time.Minute*5)
-	m := new(dns.Msg)
-	m.SetQuestion(".", dns.TypeNS)
+	m := (&ctrld.UpstreamConfig{}).VerifyMsg()
 	ping := func() error {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 		defer cancel()
--- a/internal/controld/config.go
+++ b/internal/controld/config.go
@@ -71,14 +71,23 @@ func (u ErrorResponse) Error() string {
 }

 type utilityRequest struct {
-	UID      string `json:"uid"`
-	ClientID string `json:"client_id,omitempty"`
+	UID      string            `json:"uid"`
+	ClientID string            `json:"client_id,omitempty"`
+	Metadata map[string]string `json:"metadata"`
 }

 // UtilityOrgRequest contains request data for calling Org API.
 type UtilityOrgRequest struct {
-	ProvToken string `json:"prov_token"`
-	Hostname  string `json:"hostname"`
+	ProvToken string            `json:"prov_token"`
+	Hostname  string            `json:"hostname"`
+	Metadata  map[string]string `json:"metadata"`
+}
+
+// ResolverConfigRequest contains request data for fetching resolver config.
+type ResolverConfigRequest struct {
+	RawUID   string
+	Version  string
+	Metadata map[string]string
 }

 // LogsRequest contains request data for sending runtime logs to API.
@@ -88,26 +97,30 @@ type LogsRequest struct {
 }

 // FetchResolverConfig fetch Control D config for given uid.
-func FetchResolverConfig(rawUID, version string, cdDev bool) (*ResolverConfig, error) {
-	uid, clientID := ParseRawUID(rawUID)
-	req := utilityRequest{UID: uid}
-	if clientID != "" {
-		req.ClientID = clientID
+func FetchResolverConfig(req *ResolverConfigRequest, cdDev bool) (*ResolverConfig, error) {
+	uid, clientID := ParseRawUID(req.RawUID)
+	uReq := utilityRequest{
+		UID:      uid,
+		Metadata: req.Metadata,
 	}
-	body, _ := json.Marshal(req)
-	return postUtilityAPI(version, cdDev, false, bytes.NewReader(body))
+	if clientID != "" {
+		uReq.ClientID = clientID
+	}
+	body, _ := json.Marshal(uReq)
+	return postUtilityAPI(req.Version, cdDev, false, bytes.NewReader(body))
 }

-// FetchResolverUID fetch resolver uid from provision token.
+// FetchResolverUID fetch resolver uid from a given request.
 func FetchResolverUID(req *UtilityOrgRequest, version string, cdDev bool) (*ResolverConfig, error) {
 	if req == nil {
 		return nil, errors.New("invalid request")
 	}
-	hostname := req.Hostname
-	if hostname == "" {
-		hostname, _ = os.Hostname()
+	if req.Hostname == "" {
+		hostname, _ := os.Hostname()
+		req.Hostname = hostname
 	}
-	body, _ := json.Marshal(UtilityOrgRequest{ProvToken: req.ProvToken, Hostname: hostname})
+
+	body, _ := json.Marshal(req)
 	return postUtilityAPI(version, cdDev, false, bytes.NewReader(body))
 }

--- a/internal/controld/controld_test.go
+++ b/internal/controld/controld_test.go
@@ -3,10 +3,13 @@
 package controld

 import (
+	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/Control-D-Inc/ctrld"
 )

 func TestFetchResolverConfig(t *testing.T) {
@@ -20,11 +23,18 @@ func TestFetchResolverConfig(t *testing.T) {
 		{"valid dev", "p2", true, false},
 		{"invalid uid", "abcd1234", false, true},
 	}
+
+	ctx := context.Background()
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			got, err := FetchResolverConfig(tc.uid, "dev-test", tc.dev)
+			req := &ResolverConfigRequest{
+				RawUID:   tc.uid,
+				Version:  "dev-test",
+				Metadata: ctrld.SystemMetadata(ctx),
+			}
+			got, err := FetchResolverConfig(ctx, req, tc.dev)
 			require.False(t, (err != nil) != tc.wantErr, err)
 			if !tc.wantErr {
 				assert.NotEmpty(t, got.DOH)
--- a/internal/system/chassis_darwin.go
+++ b/internal/system/chassis_darwin.go
@@ -0,0 +1,25 @@
+package system
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/brunogui0812/sysprofiler"
+)
+
+// GetChassisInfo retrieves hardware information including machine model type and vendor from the system profiler.
+func GetChassisInfo() (*ChassisInfo, error) {
+	hardwares, err := sysprofiler.Hardware()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get hardware info: %w", err)
+	}
+	if len(hardwares) == 0 {
+		return nil, errors.New("no hardware info found")
+	}
+	hardware := hardwares[0]
+	info := &ChassisInfo{
+		Type:   hardware.MachineModel,
+		Vendor: "Apple Inc.",
+	}
+	return info, nil
+}
--- a/internal/system/chassis_others.go
+++ b/internal/system/chassis_others.go
@@ -0,0 +1,20 @@
+//go:build !darwin
+
+package system
+
+import "github.com/jaypipes/ghw"
+
+// GetChassisInfo retrieves hardware information including machine model type and vendor from the system profiler.
+func GetChassisInfo() (*ChassisInfo, error) {
+	// Disable warnings from ghw, since these are undesirable but recoverable errors.
+	// With warnings enabled, ghw will emit unnecessary log messages.
+	chassis, err := ghw.Chassis(ghw.WithDisableWarnings())
+	if err != nil {
+		return nil, err
+	}
+	info := &ChassisInfo{
+		Type:   chassis.TypeDescription,
+		Vendor: chassis.Vendor,
+	}
+	return info, nil
+}
--- a/internal/system/metadata.go
+++ b/internal/system/metadata.go
@@ -0,0 +1,7 @@
+package system
+
+// ChassisInfo represents the structural framework of a device, specifying its type and manufacturer information.
+type ChassisInfo struct {
+	Type   string
+	Vendor string
+}
--- a/internal/system/metadata_others.go
+++ b/internal/system/metadata_others.go
@@ -0,0 +1,8 @@
+//go:build !windows
+
+package system
+
+// GetActiveDirectoryDomain returns AD domain name of this computer.
+func GetActiveDirectoryDomain() (string, error) {
+	return "", nil
+}
--- a/internal/system/metadata_windows.go
+++ b/internal/system/metadata_windows.go
@@ -0,0 +1,74 @@
+package system
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"strings"
+	"unsafe"
+
+	"github.com/microsoft/wmi/pkg/base/host"
+	hh "github.com/microsoft/wmi/pkg/hardware/host"
+	"golang.org/x/sys/windows"
+)
+
+// GetActiveDirectoryDomain returns AD domain name of this computer.
+func GetActiveDirectoryDomain() (string, error) {
+	log.SetOutput(io.Discard)
+	defer log.SetOutput(os.Stderr)
+
+	// 1) Check environment variable
+	envDomain := os.Getenv("USERDNSDOMAIN")
+	if envDomain != "" {
+		return strings.TrimSpace(envDomain), nil
+	}
+
+	// 2) Query WMI via the microsoft/wmi library
+	whost := host.NewWmiLocalHost()
+	cs, err := hh.GetComputerSystem(whost)
+	if cs != nil {
+		defer cs.Close()
+	}
+	if err != nil {
+		return "", err
+	}
+	pod, err := cs.GetPropertyPartOfDomain()
+	if err != nil {
+		return "", err
+	}
+	if pod {
+		domainVal, err := cs.GetPropertyDomain()
+		if err != nil {
+			return "", fmt.Errorf("failed to get domain property: %w", err)
+		}
+		domainName := strings.TrimSpace(fmt.Sprintf("%v", domainVal))
+		if domainName == "" {
+			return "", errors.New("machine does not appear to have a domain set")
+		}
+		return domainName, nil
+	}
+	return "", nil
+}
+
+// DomainJoinedStatus returns the domain joined status of the current computer.
+//
+// NETSETUP_JOIN_STATUS constants from Microsoft Windows API
+// See: https://learn.microsoft.com/en-us/windows/win32/api/lmjoin/ne-lmjoin-netsetup_join_status
+//
+// NetSetupUnknownStatus         uint32 = 0 // The status is unknown
+// NetSetupUnjoined              uint32 = 1 // The computer is not joined to a domain or workgroup
+// NetSetupWorkgroupName         uint32 = 2 // The computer is joined to a workgroup
+// NetSetupDomainName            uint32 = 3 // The computer is joined to a domain
+func DomainJoinedStatus() (uint32, error) {
+	var domain *uint16
+	var status uint32
+
+	if err := windows.NetGetJoinInformation(nil, &domain, &status); err != nil {
+		return 0, fmt.Errorf("failed to get domain join status: %w", err)
+	}
+	defer windows.NetApiBufferFree((*byte)(unsafe.Pointer(domain)))
+
+	return status, nil
+}
--- a/metadata.go
+++ b/metadata.go
@@ -0,0 +1,78 @@
+package ctrld
+
+import (
+	"context"
+	"os"
+	"os/user"
+
+	"github.com/cuonglm/osinfo"
+
+	"github.com/Control-D-Inc/ctrld/internal/system"
+)
+
+const (
+	metadataOsKey                = "os"
+	metadataChassisTypeKey       = "chassis_type"
+	metadataChassisVendorKey     = "chassis_vendor"
+	metadataUsernameKey          = "username"
+	metadataDomainOrWorkgroupKey = "domain_or_workgroup"
+	metadataDomainKey            = "domain"
+)
+
+var (
+	chassisType   string
+	chassisVendor string
+)
+
+// SystemMetadata collects system and user-related SystemMetadata and returns it as a map.
+func SystemMetadata(ctx context.Context) map[string]string {
+	m := make(map[string]string)
+	oi := osinfo.New()
+	m[metadataOsKey] = oi.String()
+	if chassisType == "" && chassisVendor == "" {
+		if ci, err := system.GetChassisInfo(); err == nil {
+			chassisType, chassisVendor = ci.Type, ci.Vendor
+		}
+	}
+	m[metadataChassisTypeKey] = chassisType
+	m[metadataChassisVendorKey] = chassisVendor
+	m[metadataUsernameKey] = currentLoginUser(ctx)
+	m[metadataDomainOrWorkgroupKey] = partOfDomainOrWorkgroup(ctx)
+	domain, err := system.GetActiveDirectoryDomain()
+	if err != nil {
+		ProxyLogger.Load().Debug().Err(err).Msg("Failed to get active directory domain name")
+	}
+	m[metadataDomainKey] = domain
+
+	return m
+}
+
+// currentLoginUser attempts to find the actual login user, even if the process is running as root.
+func currentLoginUser(ctx context.Context) string {
+	// 1. Check SUDO_USER: This is the most reliable way to find the original user
+	// when a script is run via 'sudo'.
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		return sudoUser
+	}
+
+	// 2. Check general user login variables. LOGNAME is often preferred over USER.
+	if logName := os.Getenv("LOGNAME"); logName != "" {
+		return logName
+	}
+
+	// 3. Fallback to USER variable.
+	if userEnv := os.Getenv("USER"); userEnv != "" {
+		return userEnv
+	}
+
+	// 4. Final fallback: Use the standard library function to get the *effective* user.
+	// This will return "root" if the process is running as root.
+	currentUser, err := user.Current()
+	if err != nil {
+		// Handle error gracefully, returning a placeholder
+		ProxyLogger.Load().Debug().Err(err).Msg("Failed to get current user")
+		return "unknown"
+	}
+
+	return currentUser.Username
+}
--- a/metadata_others.go
+++ b/metadata_others.go
@@ -0,0 +1,10 @@
+//go:build !windows
+
+package ctrld
+
+import "context"
+
+// partOfDomainOrWorkgroup checks if the computer is part of a domain or workgroup and returns "true" or "false".
+func partOfDomainOrWorkgroup(ctx context.Context) string {
+	return "false"
+}
--- a/metadata_test.go
+++ b/metadata_test.go
@@ -0,0 +1,11 @@
+package ctrld
+
+import (
+	"context"
+	"testing"
+)
+
+func Test_metadata(t *testing.T) {
+	m := SystemMetadata(context.Background())
+	t.Logf("metadata: %v", m)
+}
--- a/metadata_windows.go
+++ b/metadata_windows.go
@@ -0,0 +1,22 @@
+package ctrld
+
+import (
+	"context"
+
+	"github.com/Control-D-Inc/ctrld/internal/system"
+)
+
+// partOfDomainOrWorkgroup checks if the computer is part of a domain or workgroup and returns "true" or "false".
+func partOfDomainOrWorkgroup(ctx context.Context) string {
+	status, err := system.DomainJoinedStatus()
+	if err != nil {
+		ProxyLogger.Load().Debug().Err(err).Msg("Failed to get domain join status")
+		return "false"
+	}
+	switch status {
+	case 2, 3:
+		return "true"
+	default:
+		return "false"
+	}
+}
--- a/nameservers_linux.go
+++ b/nameservers_linux.go
@@ -5,9 +5,12 @@ import (
 	"bytes"
 	"encoding/hex"
 	"net"
+	"net/netip"
 	"os"
 	"strings"

+	"tailscale.com/net/netmon"
+
 	"github.com/Control-D-Inc/ctrld/internal/dns/resolvconffile"
 )

@@ -128,3 +131,25 @@ func virtualInterfaces() set {
 	}
 	return s
 }
+
+// validInterfacesMap returns a set containing non virtual interfaces.
+// TODO: deduplicated with cmd/cli/net_linux.go in v2.
+func validInterfaces() set {
+	m := make(map[string]struct{})
+	vis := virtualInterfaces()
+	netmon.ForeachInterface(func(i netmon.Interface, prefixes []netip.Prefix) {
+		if _, existed := vis[i.Name]; existed {
+			return
+		}
+		m[i.Name] = struct{}{}
+	})
+	// Fallback to default route interface if found nothing.
+	if len(m) == 0 {
+		defaultRoute, err := netmon.DefaultRoute()
+		if err != nil {
+			return m
+		}
+		m[defaultRoute.InterfaceName] = struct{}{}
+	}
+	return m
+}
--- a/nameservers_windows.go
+++ b/nameservers_windows.go
@@ -20,23 +20,22 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/net/netmon"
+
+	"github.com/Control-D-Inc/ctrld/internal/system"
 )

 const (
-	maxDNSAdapterRetries                 = 5
-	retryDelayDNSAdapter                 = 1 * time.Second
-	defaultDNSAdapterTimeout             = 10 * time.Second
-	minDNSServers                        = 1 // Minimum number of DNS servers we want to find
-	NetSetupUnknown               uint32 = 0
-	NetSetupWorkgroup             uint32 = 1
-	NetSetupDomain                uint32 = 2
-	NetSetupCloudDomain           uint32 = 3
-	DS_FORCE_REDISCOVERY                 = 0x00000001
-	DS_DIRECTORY_SERVICE_REQUIRED        = 0x00000010
-	DS_BACKGROUND_ONLY                   = 0x00000100
-	DS_IP_REQUIRED                       = 0x00000200
-	DS_IS_DNS_NAME                       = 0x00020000
-	DS_RETURN_DNS_NAME                   = 0x40000000
+	maxDNSAdapterRetries     = 5
+	retryDelayDNSAdapter     = 1 * time.Second
+	defaultDNSAdapterTimeout = 10 * time.Second
+	minDNSServers            = 1 // Minimum number of DNS servers we want to find
+
+	DS_FORCE_REDISCOVERY          = 0x00000001
+	DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010
+	DS_BACKGROUND_ONLY            = 0x00000100
+	DS_IP_REQUIRED                = 0x00000200
+	DS_IS_DNS_NAME                = 0x00020000
+	DS_RETURN_DNS_NAME            = 0x40000000
 )

 type DomainControllerInfo struct {
@@ -131,7 +130,7 @@ func getDNSServers(ctx context.Context) ([]string, error) {
 	var dcServers []string
 	isDomain := checkDomainJoined()
 	if isDomain {
-		domainName, err := getLocalADDomain()
+		domainName, err := system.GetActiveDirectoryDomain()
 		if err != nil {
 			Log(context.Background(), logger.Debug(),
 				"Failed to get local AD domain: %v", err)
@@ -158,7 +157,7 @@ func getDNSServers(ctx context.Context) ([]string, error) {
 					0,                                    // DomainGuid - not needed
 					0,                                    // SiteName - not needed
 					uintptr(flags),                       // Flags
-					uintptr(unsafe.Pointer(&info))) // DomainControllerInfo - output
+					uintptr(unsafe.Pointer(&info)))       // DomainControllerInfo - output

 				if ret != 0 {
 					switch ret {
@@ -340,74 +339,18 @@ func currentNameserversFromResolvconf() []string {
 func checkDomainJoined() bool {
 	logger := *ProxyLogger.Load()

-	var domain *uint16
-	var status uint32
-
-	err := windows.NetGetJoinInformation(nil, &domain, &status)
+	status, err := system.DomainJoinedStatus()
 	if err != nil {
-		Log(context.Background(), logger.Debug(),
-			"Failed to get domain join status: %v", err)
+		logger.Debug().Msgf("Failed to get domain joined status: %v", err)
 		return false
 	}
-	defer windows.NetApiBufferFree((*byte)(unsafe.Pointer(domain)))
-
-	domainName := windows.UTF16PtrToString(domain)
-	Log(context.Background(), logger.Debug(),
-		"Domain join status: domain=%s status=%d (Unknown=0, Workgroup=1, Domain=2, CloudDomain=3)",
-		domainName, status)
-
-	// Consider domain or cloud domain as domain-joined
-	isDomain := status == NetSetupDomain || status == NetSetupCloudDomain
-	Log(context.Background(), logger.Debug(),
-		"Is domain joined? status=%d, traditional=%v, cloud=%v, result=%v",
-		status,
-		status == NetSetupDomain,
-		status == NetSetupCloudDomain,
-		isDomain)
+	isDomain := status == syscall.NetSetupDomainName
+	logger.Debug().Msg("Domain join status: (UnknownStatus=0, Unjoined=1, WorkgroupName=2, DomainName=3)")
+	logger.Debug().Msgf("Is domain joined? status=%d, result=%v", status, isDomain)

 	return isDomain
 }

-// getLocalADDomain uses Microsoft's WMI wrappers (github.com/microsoft/wmi/pkg/*)
-// to query the Domain field from Win32_ComputerSystem instead of a direct go-ole call.
-func getLocalADDomain() (string, error) {
-	log.SetOutput(io.Discard)
-	defer log.SetOutput(os.Stderr)
-	// 1) Check environment variable
-	envDomain := os.Getenv("USERDNSDOMAIN")
-	if envDomain != "" {
-		return strings.TrimSpace(envDomain), nil
-	}
-
-	// 2) Query WMI via the microsoft/wmi library
-	whost := host.NewWmiLocalHost()
-	q := query.NewWmiQuery("Win32_ComputerSystem")
-	instances, err := instance.GetWmiInstancesFromHost(whost, string(constant.CimV2), q)
-	if instances != nil {
-		defer instances.Close()
-	}
-	if err != nil {
-		return "", fmt.Errorf("WMI query failed: %v", err)
-	}
-
-	// If no results, return an error
-	if len(instances) == 0 {
-		return "", fmt.Errorf("no rows returned from Win32_ComputerSystem")
-	}
-
-	// We only care about the first row
-	domainVal, err := instances[0].GetProperty("Domain")
-	if err != nil {
-		return "", fmt.Errorf("machine does not appear to have a domain set: %v", err)
-	}
-
-	domainName := strings.TrimSpace(fmt.Sprintf("%v", domainVal))
-	if domainName == "" {
-		return "", fmt.Errorf("machine does not appear to have a domain set")
-	}
-	return domainName, nil
-}
-
 // validInterfaces returns a list of all physical interfaces.
 // this is a duplicate of what is in net_windows.go, we should
 // clean this up so there is only one version
--- a/net_darwin.go
+++ b/net_darwin.go
@@ -0,0 +1,35 @@
+package ctrld
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"os/exec"
+	"strings"
+)
+
+// validInterfaces returns a set of all valid hardware ports.
+// TODO: deduplicated with cmd/cli/net_darwin.go in v2.
+func validInterfaces() map[string]struct{} {
+	b, err := exec.Command("networksetup", "-listallhardwareports").Output()
+	if err != nil {
+		return nil
+	}
+	return parseListAllHardwarePorts(bytes.NewReader(b))
+}
+
+// parseListAllHardwarePorts parses output of "networksetup -listallhardwareports"
+// and returns map presents all hardware ports.
+func parseListAllHardwarePorts(r io.Reader) map[string]struct{} {
+	m := make(map[string]struct{})
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := scanner.Text()
+		after, ok := strings.CutPrefix(line, "Device: ")
+		if !ok {
+			continue
+		}
+		m[after] = struct{}{}
+	}
+	return m
+}
--- a/cmd/cli/net_darwin_test.go
+++ b/cmd/cli/net_darwin_test.go
@@ -1,4 +1,4 @@
-package cli
+package ctrld

 import (
 	"maps"
--- a/net_others.go
+++ b/net_others.go
@@ -0,0 +1,15 @@
+//go:build !darwin && !windows && !linux
+
+package ctrld
+
+import "tailscale.com/net/netmon"
+
+// validInterfaces returns a set containing only default route interfaces.
+// TODO: deuplicated with cmd/cli/net_others.go in v2.
+func validInterfaces() map[string]struct{} {
+	defaultRoute, err := netmon.DefaultRoute()
+	if err != nil {
+		return nil
+	}
+	return map[string]struct{}{defaultRoute.InterfaceName: {}}
+}
--- a/resolver.go
+++ b/resolver.go
@@ -729,10 +729,15 @@ func newResolverWithNameserver(nameservers []string) *osResolver {
 	return r
 }

-// Rfc1918Addresses returns the list of local interfaces private IP addresses
+// Rfc1918Addresses returns the list of local physical interfaces private IP addresses
 func Rfc1918Addresses() []string {
+	vis := validInterfaces()
 	var res []string
 	netmon.ForeachInterface(func(i netmon.Interface, prefixes []netip.Prefix) {
+		// Skip virtual interfaces.
+		if _, existed := vis[i.Name]; !existed {
+			return
+		}
 		addrs, _ := i.Addrs()
 		for _, addr := range addrs {
 			ipNet, ok := addr.(*net.IPNet)
--- a/resolver_test.go
+++ b/resolver_test.go
@@ -282,6 +282,35 @@ func Test_Edns0_CacheReply(t *testing.T) {
 	}
 }

+// https://github.com/Control-D-Inc/ctrld/issues/255
+func Test_legacyResolverWithBigExtraSection(t *testing.T) {
+	lanPC, err := net.ListenPacket("udp", "127.0.0.1:0") // 127.0.0.1 is considered LAN (loopback)
+	if err != nil {
+		t.Fatalf("failed to listen on LAN address: %v", err)
+	}
+	lanServer, lanAddr, err := runLocalPacketConnTestServer(t, lanPC, bigExtraSectionHandler())
+	if err != nil {
+		t.Fatalf("failed to run LAN test server: %v", err)
+	}
+	defer lanServer.Shutdown()
+
+	uc := &UpstreamConfig{
+		Name:     "Legacy",
+		Type:     ResolverTypeLegacy,
+		Endpoint: lanAddr,
+	}
+	uc.Init()
+	r, err := NewResolver(uc)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = r.Resolve(context.Background(), uc.VerifyMsg())
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func Test_upstreamTypeFromEndpoint(t *testing.T) {
 	tests := []struct {
 		name         string
@@ -370,6 +399,68 @@ func countHandler(call *atomic.Int64) dns.HandlerFunc {
 	}
 }

+func mustRR(s string) dns.RR {
+	r, err := dns.NewRR(s)
+	if err != nil {
+		panic(err)
+	}
+	return r
+}
+
+func bigExtraSectionHandler() dns.HandlerFunc {
+	return func(w dns.ResponseWriter, msg *dns.Msg) {
+		m := &dns.Msg{
+			Answer: []dns.RR{
+				mustRR(".			7149	IN	NS	m.root-servers.net."),
+				mustRR(".			7149	IN	NS	c.root-servers.net."),
+				mustRR(".			7149	IN	NS	e.root-servers.net."),
+				mustRR(".			7149	IN	NS	j.root-servers.net."),
+				mustRR(".			7149	IN	NS	g.root-servers.net."),
+				mustRR(".			7149	IN	NS	k.root-servers.net."),
+				mustRR(".			7149	IN	NS	l.root-servers.net."),
+				mustRR(".			7149	IN	NS	d.root-servers.net."),
+				mustRR(".			7149	IN	NS	h.root-servers.net."),
+				mustRR(".			7149	IN	NS	b.root-servers.net."),
+				mustRR(".			7149	IN	NS	a.root-servers.net."),
+				mustRR(".			7149	IN	NS	f.root-servers.net."),
+				mustRR(".			7149	IN	NS	i.root-servers.net."),
+			},
+			Extra: []dns.RR{
+				mustRR("m.root-servers.net.	656	IN	A	202.12.27.33"),
+				mustRR("m.root-servers.net.	656	IN	AAAA	2001:dc3::35"),
+				mustRR("c.root-servers.net.	656	IN	A	192.33.4.12"),
+				mustRR("c.root-servers.net.	656	IN	AAAA	2001:500:2::c"),
+				mustRR("e.root-servers.net.	656	IN	A	192.203.230.10"),
+				mustRR("e.root-servers.net.	656	IN	AAAA	2001:500:a8::e"),
+				mustRR("j.root-servers.net.	656	IN	A	192.58.128.30"),
+				mustRR("j.root-servers.net.	656	IN	AAAA	2001:503:c27::2:30"),
+				mustRR("g.root-servers.net.	656	IN	A	192.112.36.4"),
+				mustRR("g.root-servers.net.	656	IN	AAAA	2001:500:12::d0d"),
+				mustRR("k.root-servers.net.	656	IN	A	193.0.14.129"),
+				mustRR("k.root-servers.net.	656	IN	AAAA	2001:7fd::1"),
+				mustRR("l.root-servers.net.	656	IN	A	199.7.83.42"),
+				mustRR("l.root-servers.net.	656	IN	AAAA	2001:500:9f::42"),
+				mustRR("d.root-servers.net.	656	IN	A	199.7.91.13"),
+				mustRR("d.root-servers.net.	656	IN	AAAA	2001:500:2d::d"),
+				mustRR("h.root-servers.net.	656	IN	A	198.97.190.53"),
+				mustRR("h.root-servers.net.	656	IN	AAAA	2001:500:1::53"),
+				mustRR("b.root-servers.net.	656	IN	A	170.247.170.2"),
+				mustRR("b.root-servers.net.	656	IN	AAAA	2801:1b8:10::b"),
+				mustRR("a.root-servers.net.	656	IN	A	198.41.0.4"),
+				mustRR("a.root-servers.net.	656	IN	AAAA	2001:503:ba3e::2:30"),
+				mustRR("f.root-servers.net.	656	IN	A	192.5.5.241"),
+				mustRR("f.root-servers.net.	656	IN	AAAA	2001:500:2f::f"),
+				mustRR("i.root-servers.net.	656	IN	A	192.36.148.17"),
+				mustRR("i.root-servers.net.	656	IN	AAAA	2001:7fe::53"),
+			},
+		}
+
+		m.Compress = true
+		m.SetReply(msg)
+		w.WriteMsg(m)
+	}
+}
+
 func generateEdns0ClientCookie() string {
 	cookie := make([]byte, 8)
 	if _, err := rand.Read(cookie); err != nil {
Author	SHA1	Message	Date
Cuong Manh Le	d0341497d1	Merge pull request #276 from Control-D-Inc/release-branch-v1.4.9 Release branch v1.4.9	2026-01-13 21:41:48 +07:00
Cuong Manh Le	27c5be43c2	fix(system): disable ghw warnings to reduce log noise Disable warnings from ghw library when retrieving chassis information. These warnings are undesirable but recoverable errors that emit unnecessary log messages. Using WithDisableWarnings() suppresses them while maintaining functionality.	2026-01-09 15:10:29 +07:00
Cuong Manh Le	3beffd0dc8	.github/workflows: temporary use actions/setup-go Since WillAbides/setup-go-faster failed with macOS-latest. See: https://github.com/WillAbides/setup-go-faster/issues/37	2025-12-18 17:10:43 +07:00
Cuong Manh Le	1f9c586444	docs: add documentation for runtime internal logging	2025-12-18 17:10:43 +07:00
Cuong Manh Le	a92e1ca024	Upgrade quic-go to v0.57.1	2025-12-18 17:10:43 +07:00
Cuong Manh Le	705df72110	fix: remove incorrect transport close on DoH3 error Remove the transport Close() call from DoH3 error handling path. The transport is shared and reused across requests, and closing it on error would break subsequent requests. The transport lifecycle is already properly managed by the http.Client and the finalizer set in newDOH3Transport().	2025-12-18 17:10:43 +07:00
Cuong Manh Le	22122c45b2	Including system metadata when posting to utility API	2025-12-18 17:10:39 +07:00
Cuong Manh Le	57a9bb9fab	Merge pull request #268 from Control-D-Inc/release-branch-v1.4.8 Release branch v1.4.8	2025-12-02 21:39:38 +07:00
Cuong Manh Le	78ea2d6361	.github/workflows: upgrade staticcheck-action to v1.4.0 While at it, also bump go version to 1.24	2025-11-12 15:22:01 +07:00
Cuong Manh Le	df3cf7ef62	Upgrade quic-go to v0.56.0	2025-11-12 15:15:16 +07:00
Cuong Manh Le	80e652b8d9	fix: ensure log and cache flags are processed during reload During reload operations, log and cache flags were not being processed, which prevented runtime internal logs from working correctly. To fix this, processLogAndCacheFlags was refactored to accept explicit viper and config parameters instead of relying on global state, enabling it to be called during reload with the new configuration. This ensures that log and cache settings are properly applied when the service reloads its configuration.	2025-11-12 15:15:05 +07:00
Cuong Manh Le	091c7edb19	Fix: Filter root domain from search domains on Linux Remove empty and root domain (".") entries from search domains list to prevent systemd-resolved errors. This addresses the issue where systemd doesn't allow root domain in search domains configuration. The filtering ensures only valid search domains are passed to systemd-resolved, preventing DNS operation failures.	2025-11-12 15:14:40 +07:00
Cuong Manh Le	6c550b1d74	Upgrade quic-go to v0.55.0 While at it, also bump required go version to 1.24	2025-11-12 15:14:26 +07:00
Cuong Manh Le	3ca559e5a4	Merge pull request #264 from Control-D-Inc/release-branch-v1.4.7 Release branch v1.4.7	2025-10-07 01:02:39 +07:00
Cuong Manh Le	0e3f764299	feat: add --rfc1918 flag for explicit LAN client support Make RFC1918 listener spawning opt-in via --rfc1918 flag instead of automatic behavior. This allows users to explicitly control when ctrld listens on private network addresses to receive DNS queries from LAN clients, improving security and configurability. Refactor network interface detection to better distinguish between physical and virtual interfaces, ensuring only real hardware interfaces are used for RFC1918 address binding.	2025-09-25 16:45:56 +07:00
Cuong Manh Le	e52402eb0c	Upgrade quic-go to v0.54.0	2025-09-25 16:45:05 +07:00
Cuong Manh Le	2133f31854	docs: add known issues documentation for Darwin 15.5 upgrade issue Documents the self-upgrade issue on macOS Darwin 15.5 affecting ctrld v1.4.2+ and provides workarounds for affected users.	2025-09-25 16:44:54 +07:00
Ginder Singh	a198a5cd65	start mobile library with provision id and custom hostname.	2025-09-25 16:44:39 +07:00
Cuong Manh Le	eb2b231bd2	Merge pull request #254 from Control-D-Inc/release-branch-v1.4.6 Release branch v1.4.6	2025-08-22 04:08:56 +07:00
Jared Quick	7af29cfbc0	Add OPNsense new lease file Signed-off-by: Jared Quick <jared.quick@salesforce.com>	2025-08-20 18:19:35 +07:00
Cuong Manh Le	ce1a165348	.github/workflows: bump go version to 1.24.x	2025-08-15 23:33:23 +07:00
Cuong Manh Le	fd48e6d795	fix: ensure upstream health checks can handle large DNS responses - Add UpstreamConfig.VerifyMsg() method with proper EDNS0 support - Replace hardcoded DNS messages in health checks with standardized verification method - Set EDNS0 buffer size to 4096 bytes to handle large DNS responses - Add test case for legacy resolver with extensive extra sections	2025-08-15 22:55:47 +07:00
Cuong Manh Le	d71d1341b6	refactor(prog): move network monitoring outside listener loop Move the network monitoring goroutine initialization outside the listener loop to prevent it from being started multiple times. Previously, the network monitoring was started once per listener during first run, which was unnecessary and could lead to multiple monitoring instances. The change ensures network monitoring is started only once per program execution cycle, improving efficiency and preventing potential resource waste from duplicate monitoring goroutines. - Extract network monitoring goroutine from listener loop - Start network monitoring once per run cycle instead of per listener - Maintain same functionality while improving resource usage	2025-08-12 16:49:05 +07:00
Cuong Manh Le	21855df4af	fix: correct Windows API constants to fix domain join detection The function was incorrectly identifying domain-joined status due to wrong constant values, potentially causing false negatives for domain-joined machines.	2025-08-12 16:48:10 +07:00
Cuong Manh Le	66e2d3a40a	refactor: move network monitoring to separate goroutine - Move network monitoring initialization out of serveDNS() function - Start network monitoring in a separate goroutine during program startup - Remove context parameter from monitorNetworkChanges() as it's not used - Simplify serveDNS() function signature by removing unused context parameter - Ensure network monitoring starts only once during initial run, not on reload This change improves separation of concerns by isolating network monitoring from DNS serving logic, and prevents potential issues with multiple monitoring goroutines if starting multiple listeners.	2025-08-12 16:46:57 +07:00
Cuong Manh Le	26257cf24a	Merge pull request #250 from Control-D-Inc/release-branch-v1.4.5 Release branch v1.4.5	2025-07-25 04:06:24 +07:00