fix(system): disable ghw warnings to reduce log noise

Disable warnings from ghw library when retrieving chassis information.
These warnings are undesirable but recoverable errors that emit unnecessary
log messages. Using WithDisableWarnings() suppresses them while maintaining
functionality.

.github/workflows/ci.yml

@@ -9,18 +9,18 @@ jobs:
       fail-fast: false
       matrix:
         os: ["windows-latest", "ubuntu-latest", "macOS-latest"]
-        go: ["1.21.x"]
+        go: ["1.24.x"]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
-      - uses: WillAbides/setup-go-faster@v1.8.0
+      - uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go }}
       - run: "go test -race ./..."
-      - uses: dominikh/staticcheck-action@v1.2.0
+      - uses: dominikh/staticcheck-action@v1.4.0
         with:
-          version: "2023.1.2"
+          version: "2025.1.1"
           install-go: false
           cache-key: ${{ matrix.go }}

README.md

@@ -4,12 +4,12 @@
 [![Go Reference](https://pkg.go.dev/badge/github.com/Control-D-Inc/ctrld.svg)](https://pkg.go.dev/github.com/Control-D-Inc/ctrld)
 [![Go Report Card](https://goreportcard.com/badge/github.com/Control-D-Inc/ctrld)](https://goreportcard.com/report/github.com/Control-D-Inc/ctrld)
 
-![ctrld spash image](/docs/ctrldsplash.png)
+![ctrld splash image](/docs/ctrldsplash.png)
 
 A highly configurable DNS forwarding proxy with support for:
 - Multiple listeners for incoming queries
 - Multiple upstreams with fallbacks
-- Multiple network policy driven DNS query steering
+- Multiple network policy driven DNS query steering (via network cidr, MAC address or FQDN)
 - Policy driven domain based "split horizon" DNS with wildcard support
 - Integrations with common router vendors and firmware
 - LAN client discovery via DHCP, mDNS, ARP, NDP, hosts file parsing
@@ -35,13 +35,29 @@ All DNS protocols are supported, including:
 
 ## OS Support
 - Windows (386, amd64, arm)
-- Mac (amd64, arm64)
+- Windows Server (386, amd64)
+- MacOS (amd64, arm64)
 - Linux (386, amd64, arm, mips)
-- FreeBSD
-- Common routers (See Router Mode below)
+- FreeBSD (386, amd64, arm)
+- Common routers (See below)
+
+
+### Supported Routers
+You can run `ctrld` on any supported router. The list of supported routers and firmware includes:
+- Asus Merlin
+- DD-WRT
+- Firewalla
+- FreshTomato
+- GL.iNet
+- OpenWRT
+- pfSense / OPNsense
+- Synology 
+- Ubiquiti (UniFi, EdgeOS)
+
+`ctrld` will attempt to interface with dnsmasq (or Windows Server) whenever possible and set itself as the upstream, while running on port 5354. On FreeBSD based OSes, `ctrld` will terminate dnsmasq and unbound in order to be able to listen on port 53 directly.  
 
 # Install
-There are several ways to download and install `ctrld.
+There are several ways to download and install `ctrld`.
 
 ## Quick Install
 The simplest way to download and install `ctrld` is to use the following installer command on any UNIX-like platform:
@@ -50,14 +66,14 @@ The simplest way to download and install `ctrld` is to use the following install
 sh -c 'sh -c "$(curl -sL https://api.controld.com/dl)"'
 ```
 
-Windows user and prefer Powershell (who doesn't)? No problem, execute this command instead in administrative cmd:
+Windows user and prefer Powershell (who doesn't)? No problem, execute this command instead in administrative PowerShell:
 ```shell
-powershell -Command "(Invoke-WebRequest -Uri 'https://api.controld.com/dl' -UseBasicParsing).Content | Set-Content 'ctrld_install.bat'" && ctrld_install.bat
+(Invoke-WebRequest -Uri 'https://api.controld.com/dl/ps1' -UseBasicParsing).Content | Set-Content "$env:TEMPctrld_install.ps1"; Invoke-Expression "& '$env:TEMPctrld_install.ps1'"
 ```
 
 Or you can pull and run a Docker container from [Docker Hub](https://hub.docker.com/r/controldns/ctrld)
-```
-$ docker pull controldns/ctrld
+```shell
+docker run -d --name=ctrld -p 127.0.0.1:53:53/tcp -p 127.0.0.1:53:53/udp controldns/ctrld:latest
 ```
 
 ## Download Manually
@@ -67,20 +83,19 @@ Alternatively, if you know what you're doing you can download pre-compiled binar
 Lastly, you can build `ctrld` from source which requires `go1.21+`:
 
 ```shell
-$ go build ./cmd/ctrld
+go build ./cmd/ctrld
 ```
 
 or
 
 ```shell
-$ go install github.com/Control-D-Inc/ctrld/cmd/ctrld@latest
+go install github.com/Control-D-Inc/ctrld/cmd/ctrld@latest
 ```
 
 or 
 
-```
-$ docker build -t controldns/ctrld . -f docker/Dockerfile
-$ docker run -d --name=ctrld -p 53:53/tcp -p 53:53/udp controldns/ctrld --cd=RESOLVER_ID_GOES_HERE -vv
+```shell
+docker build -t controldns/ctrld . -f docker/Dockerfile
 ```
 
 
@@ -101,13 +116,16 @@ Usage:
 
 Available Commands:
   run         Run the DNS proxy server
-  service     Manage ctrld service
   start       Quick start service and configure DNS on interface
   stop        Quick stop service and remove DNS from interface
   restart     Restart the ctrld service
+  reload      Reload the ctrld service
   status      Show status of the ctrld service
   uninstall   Stop and uninstall the ctrld service
+  service     Manage ctrld service
   clients     Manage clients
+  upgrade     Upgrading ctrld to latest version
+  log         Manage runtime debug logs
 
 Flags:
   -h, --help            help for ctrld
@@ -119,81 +137,99 @@ Use "ctrld [command] --help" for more information about a command.
 ```
 
 ## Basic Run Mode
-To start the server with default configuration, simply run: `./ctrld run`. This will create a generic `ctrld.toml` file in the **working directory** and start the application in foreground. 
-1. Start the server
-  ```
-  $ sudo ./ctrld run
+This is the most basic way to run `ctrld`, in foreground mode. Unless you already have a config file, a default one will be generated. 
+
+### Command
+
+Windows (Admin Shell)
+  ```shell
+  ctrld.exe run
   ```
 
-2. Run a test query using a DNS client, for example, `dig`:
+Linux or Macos
+  ```shell
+  sudo ctrld run
+  ```
+
+You can then run a test query using a DNS client, for example, `dig`:
   ```
   $ dig verify.controld.com @127.0.0.1 +short
   api.controld.com.
   147.185.34.1
   ```
 
-If `verify.controld.com` resolves, you're successfully using the default Control D upstream. From here, you can start editing the config file and go nuts with it. To enforce a new config, restart the server. 
+If `verify.controld.com` resolves, you're successfully using the default Control D upstream. From here, you can start editing the config file that was generated. To enforce a new config, restart the server. 
 
 ## Service Mode
-To run the application in service mode on any Windows, MacOS, Linux distibution or supported router, simply run: `./ctrld start` as system/root user. This will create a generic `ctrld.toml` file in the **user home** directory (on Windows) or `/etc/controld/` (almost everywhere else), start the system service, and configure the listener on the default network interface. Service will start on OS boot.
+This mode will run the application as a background system service on any Windows, MacOS, Linux, FreeBSD distribution or supported router. This will create a generic `ctrld.toml` file in the **C:\ControlD** directory (on Windows) or `/etc/controld/` (almost everywhere else), start the system service, and **configure the listener on all physical network interface**. Service will start on OS boot.
 
-When Control D upstreams are used, `ctrld` willl [relay your network topology](https://docs.controld.com/docs/device-clients) to Control D (LAN IPs, MAC addresses, and hostnames), and you will be able to see your LAN devices in the web panel, view analytics and apply unique profiles to them. 
+When Control D upstreams are used on a router type device, `ctrld` will [relay your network topology](https://docs.controld.com/docs/device-clients) to Control D (LAN IPs, MAC addresses, and hostnames), and you will be able to see your LAN devices in the web panel, view analytics and apply unique profiles to them. 
 
-In order to stop the service, and restore your DNS to original state, simply run `./ctrld stop`. If you wish to stop and uninstall the service permanently, run `./ctrld uninstall`. 
+### Command
 
+Windows (Admin Shell)
+  ```shell
+  ctrld.exe start
+  ```
 
-### Supported Routers
-You can run `ctrld` on any supported router, which will function similarly to the Service Mode mentioned above. The list of supported routers and firmware includes:
-- Asus Merlin
-- DD-WRT
-- Firewalla
-- FreshTomato
-- GL.iNet
-- OpenWRT
-- pfSense / OPNsense
-- Synology 
-- Ubiquiti (UniFi, EdgeOS)
+Linux or Macos
+  ```
+  sudo ctrld start
+  ```
 
-`ctrld` will attempt to interface with dnsmasq whenever possible and set itself as the upstream, while running on port 5354. On FreeBSD based OSes, `ctrld` will terminate dnsmasq and unbound in order to be able to listen on port 53 directly.  
+If `ctrld` is not in your system path (you installed it manually), you will need to run the above commands from the directory where you installed `ctrld`. 
 
+In order to stop the service, and restore your DNS to original state, simply run `ctrld stop`. If you wish to stop and uninstall the service permanently, run `ctrld uninstall`. 
 
-### Control D Auto Configuration
-Application can be started with a specific resolver config, instead of the default one. Simply supply your Resolver ID with a `--cd` flag, when using the `run` (foreground) or `start` (service) modes. 
+## Unmanaged Service Mode
+This mode functions similarly to the "Service Mode" above except it will simply start a system service and the config defined listeners, but **will not make any changes to any network interfaces**. You can then set the `ctrld` listener(s) IP on the desired network interfaces manually. 
 
-The following command will start the application in foreground mode, using the free "p2" resolver, which blocks Ads & Trackers. 
+### Command
 
-```shell
-./ctrld run --cd p2
-```
+Windows (Admin Shell)
+  ```shell
+  ctrld.exe service start
+  ```
 
-Alternatively, you can use your own personal Control D Device resolver, and start the application in service mode. Your resolver ID is displayed on the "Show Resolvers" screen for the relevant Control D Device. 
-
-```shell
-./ctrld start --cd abcd1234
-```
-
-Once you run the above commands (in service mode only), the following things will happen:
-- You resolver configuration will be fetched from the API, and config file templated with the resolver data
-- Application will start as a service, and keep running (even after reboot) until you run the `stop` or `uninstall` sub-commands
-- Your default network interface will be updated to use the listener started by the service
-- All OS DNS queries will be sent to the listener
+Linux or Macos
+  ```shell
+  sudo ctrld service start
+  ```
 
 # Configuration
-See [Configuration Docs](docs/config.md).
+`ctrld` can be configured in variety of different ways, which include: API, local config file or via cli launch args. 
 
-## Example 
-- Start `listener.0` on 127.0.0.1:53
-- Accept queries from any source address
-- Send all queries to `upstream.0` via DoH protocol
+## API Based Auto Configuration
+Application can be started with a specific Control D resolver config, instead of the default one. Simply supply your Resolver ID with a `--cd` flag, when using the `start` (service) mode. In this mode, the application will automatically choose a non-conflicting IP and/or port and configure itself as the upstream to whatever process is running on port 53 (like dnsmasq or Windows DNS Server). This mode is used when the 1 liner installer command from the Control D onboarding guide is executed. 
 
-### Default Config
+The following command will use your own personal Control D Device resolver, and start the application in service mode. Your resolver ID is displayed on the "Show Resolvers" screen for the relevant Control D Endpoint. 
+
+Windows (Admin Shell)
+```shell
+ctrld.exe start --cd abcd1234
+```
+
+Linux or Macos
+```shell
+sudo ctrld start --cd abcd1234
+```
+
+Once you run the above command, the following things will happen:
+- You resolver configuration will be fetched from the API, and config file templated with the resolver data
+- Application will start as a service, and keep running (even after reboot) until you run the `stop` or `uninstall` sub-commands
+- All physical network interface will be updated to use the listener started by the service or dnsmasq upstream will be switched to `ctrld`
+- All DNS queries will be sent to the listener
+
+## Manual Configuration 
+`ctrld` is entirely config driven and can be configured in many different ways, please see [Configuration Docs](docs/config.md).
+
+### Example
 ```toml
 [listener]
 
   [listener.0]
-    ip = ""
-    port = 0
-    restricted = false
+    ip = '0.0.0.0'
+    port = 53
 
 [network]
 
@@ -201,10 +237,6 @@ See [Configuration Docs](docs/config.md).
     cidrs = ["0.0.0.0/0"]
     name = "Network 0"
 
-[service]
-  log_level = "info"
-  log_path = ""
-
 [upstream]
 
   [upstream.0]
@@ -213,28 +245,26 @@ See [Configuration Docs](docs/config.md).
     name = "Control D - Anti-Malware"
     timeout = 5000
     type = "doh"
-
-  [upstream.1]
-    bootstrap_ip = "76.76.2.11"
-    endpoint = "p2.freedns.controld.com"
-    name = "Control D - No Ads"
-    timeout = 3000
-    type = "doq"
-
 ```
 
-`ctrld` will pick a working config for `listener.0` then writing the default config to disk for the first run.
+The above basic config will:
+- Start listener on 0.0.0.0:53
+- Accept queries from any source address
+- Send all queries to `https://freedns.controld.com/p1` using DoH protocol
 
-## Advanced Configuration
-The above is the most basic example, which will work out of the box. If you're looking to do advanced configurations using policies, see [Configuration Docs](docs/config.md) for complete documentation of the config file.
+## CLI Args
+If you're unable to use a config file, `ctrld` can be be supplied with basic configuration via launch arguments, in [Ephemeral Mode](docs/ephemeral_mode.md).
 
-You can also supply configuration via launch argeuments, in [Ephemeral Mode](docs/ephemeral_mode.md).
+### Example
+```
+ctrld run --listen=127.0.0.1:53 --primary_upstream=https://freedns.controld.com/p2 --secondary_upstream=10.0.10.1:53 --domains=*.company.int,very-secure.local --log /path/to/log.log
+```
+
+The above will start a foreground process and:
+- Listen on `127.0.0.1:53` for DNS queries
+- Forward all queries to `https://freedns.controld.com/p2` using DoH protocol, while...
+- Excluding `*.company.int` and `very-secure.local` matching queries, that are forwarded to `10.0.10.1:53`
+- Write a debug log to `/path/to/log.log`
 
 ## Contributing
 See [Contribution Guideline](./docs/contributing.md)
-
-## Roadmap
-The following functionality is on the roadmap and will be available in future releases. 
-- DNS intercept mode
-- Direct listener mode
-- Support for more routers (let us know which ones)

client_info_darwin.go

@@ -0,0 +1,4 @@
+package ctrld
+
+// SelfDiscover reports whether ctrld should only do self discover.
+func SelfDiscover() bool { return true }

client_info_others.go

@@ -0,0 +1,6 @@
+//go:build !windows && !darwin
+
+package ctrld
+
+// SelfDiscover reports whether ctrld should only do self discover.
+func SelfDiscover() bool { return false }

client_info_windows.go

@@ -0,0 +1,18 @@
+package ctrld
+
+import (
+	"golang.org/x/sys/windows"
+)
+
+// isWindowsWorkStation reports whether ctrld was run on a Windows workstation machine.
+func isWindowsWorkStation() bool {
+	// From https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoexa
+	const VER_NT_WORKSTATION = 0x0000001
+	osvi := windows.RtlGetVersion()
+	return osvi.ProductType == VER_NT_WORKSTATION
+}
+
+// SelfDiscover reports whether ctrld should only do self discover.
+func SelfDiscover() bool {
+	return isWindowsWorkStation()
+}

cmd/cli/ad_others.go

@@ -0,0 +1,15 @@
+//go:build !windows
+
+package cli
+
+import (
+	"github.com/Control-D-Inc/ctrld"
+)
+
+// addExtraSplitDnsRule adds split DNS rule if present.
+func addExtraSplitDnsRule(_ *ctrld.Config) bool { return false }
+
+// getActiveDirectoryDomain returns AD domain name of this computer.
+func getActiveDirectoryDomain() (string, error) {
+	return "", nil
+}

cmd/cli/ad_windows.go

@@ -0,0 +1,74 @@
+package cli
+
+import (
+	"io"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/microsoft/wmi/pkg/base/host"
+	hh "github.com/microsoft/wmi/pkg/hardware/host"
+
+	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/system"
+)
+
+// addExtraSplitDnsRule adds split DNS rule for domain if it's part of active directory.
+func addExtraSplitDnsRule(cfg *ctrld.Config) bool {
+	domain, err := system.GetActiveDirectoryDomain()
+	if err != nil {
+		mainLog.Load().Debug().Msgf("unable to get active directory domain: %v", err)
+		return false
+	}
+	if domain == "" {
+		mainLog.Load().Debug().Msg("no active directory domain found")
+		return false
+	}
+	// Network rules are lowercase during toml config marshaling,
+	// lowercase the domain here too for consistency.
+	domain = strings.ToLower(domain)
+	domainRuleAdded := addSplitDnsRule(cfg, domain)
+	wildcardDomainRuleRuleAdded := addSplitDnsRule(cfg, "*."+strings.TrimPrefix(domain, "."))
+	return domainRuleAdded || wildcardDomainRuleRuleAdded
+}
+
+// addSplitDnsRule adds split-rule for given domain if there's no existed rule.
+// The return value indicates whether the split-rule was added or not.
+func addSplitDnsRule(cfg *ctrld.Config, domain string) bool {
+	for n, lc := range cfg.Listener {
+		if lc.Policy == nil {
+			lc.Policy = &ctrld.ListenerPolicyConfig{}
+		}
+		for _, rule := range lc.Policy.Rules {
+			if _, ok := rule[domain]; ok {
+				mainLog.Load().Debug().Msgf("split-rule %q already existed for listener.%s", domain, n)
+				return false
+			}
+		}
+		mainLog.Load().Debug().Msgf("adding split-rule %q for listener.%s", domain, n)
+		lc.Policy.Rules = append(lc.Policy.Rules, ctrld.Rule{domain: []string{}})
+	}
+	return true
+}
+
+// getActiveDirectoryDomain returns AD domain name of this computer.
+func getActiveDirectoryDomain() (string, error) {
+	log.SetOutput(io.Discard)
+	defer log.SetOutput(os.Stderr)
+	whost := host.NewWmiLocalHost()
+	cs, err := hh.GetComputerSystem(whost)
+	if cs != nil {
+		defer cs.Close()
+	}
+	if err != nil {
+		return "", err
+	}
+	pod, err := cs.GetPropertyPartOfDomain()
+	if err != nil {
+		return "", err
+	}
+	if pod {
+		return cs.GetPropertyDomain()
+	}
+	return "", nil
+}

cmd/cli/ad_windows_test.go

@@ -0,0 +1,73 @@
+package cli
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/system"
+	"github.com/Control-D-Inc/ctrld/testhelper"
+)
+
+func Test_getActiveDirectoryDomain(t *testing.T) {
+	start := time.Now()
+	domain, err := system.GetActiveDirectoryDomain()
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Using Windows API takes: %d", time.Since(start).Milliseconds())
+
+	start = time.Now()
+	domainPowershell, err := getActiveDirectoryDomainPowershell()
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Using Powershell takes: %d", time.Since(start).Milliseconds())
+
+	if domain != domainPowershell {
+		t.Fatalf("result mismatch, want: %v, got: %v", domainPowershell, domain)
+	}
+}
+
+func getActiveDirectoryDomainPowershell() (string, error) {
+	cmd := "$obj = Get-WmiObject Win32_ComputerSystem; if ($obj.PartOfDomain) { $obj.Domain }"
+	output, err := powershell(cmd)
+	if err != nil {
+		return "", fmt.Errorf("failed to get domain name: %w, output:\n\n%s", err, string(output))
+	}
+	return string(output), nil
+}
+
+func Test_addSplitDnsRule(t *testing.T) {
+	newCfg := func(domains ...string) *ctrld.Config {
+		cfg := testhelper.SampleConfig(t)
+		lc := cfg.Listener["0"]
+		for _, domain := range domains {
+			lc.Policy.Rules = append(lc.Policy.Rules, ctrld.Rule{domain: []string{}})
+		}
+		return cfg
+	}
+	tests := []struct {
+		name   string
+		cfg    *ctrld.Config
+		domain string
+		added  bool
+	}{
+		{"added", newCfg(), "example.com", true},
+		{"TLD existed", newCfg("example.com"), "*.example.com", true},
+		{"wildcard existed", newCfg("*.example.com"), "example.com", true},
+		{"not added TLD", newCfg("example.com", "*.example.com"), "example.com", false},
+		{"not added wildcard", newCfg("example.com", "*.example.com"), "*.example.com", false},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			added := addSplitDnsRule(tc.cfg, tc.domain)
+			assert.Equal(t, tc.added, added)
+		})
+	}
+}

cmd/cli/cgo.go

@@ -0,0 +1,5 @@
+//go:build cgo
+
+package cli
+
+const cgoEnabled = true

cmd/cli/cli_test.go

@@ -16,7 +16,7 @@ func Test_writeConfigFile(t *testing.T) {
 	_, err := os.Stat(configPath)
 	assert.True(t, os.IsNotExist(err))
 
-	assert.NoError(t, writeConfigFile())
+	assert.NoError(t, writeConfigFile(&cfg))
 
 	_, err = os.Stat(configPath)
 	require.NoError(t, err)

cmd/cli/control_client.go

@@ -25,6 +25,10 @@ func newControlClient(addr string) *controlClient {
 }
 
 func (c *controlClient) post(path string, data io.Reader) (*http.Response, error) {
+	// for log/send, set the timeout to 5 minutes
+	if path == sendLogsPath {
+		c.c.Timeout = time.Minute * 5
+	}
 	return c.c.Post("http://unix"+path, contentTypeJson, data)
 }
 

cmd/cli/control_server.go

@@ -3,6 +3,8 @@ package cli
 import (
 	"context"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"os"
@@ -11,10 +13,10 @@ import (
 	"time"
 
 	"github.com/kardianos/service"
-
 	dto "github.com/prometheus/client_model/go"
 
 	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/controld"
 )
 
 const (
@@ -25,8 +27,16 @@ const (
 	deactivationPath = "/deactivation"
 	cdPath           = "/cd"
 	ifacePath        = "/iface"
+	viewLogsPath     = "/log/view"
+	sendLogsPath     = "/log/send"
 )
 
+type ifaceResponse struct {
+	Name string `json:"name"`
+	All  bool   `json:"all"`
+	OK   bool   `json:"ok"`
+}
+
 type controlServer struct {
 	server *http.Server
 	mux    *http.ServeMux
@@ -69,33 +79,81 @@ func (s *controlServer) register(pattern string, handler http.Handler) {
 
 func (p *prog) registerControlServerHandler() {
 	p.cs.register(listClientsPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
+		mainLog.Load().Debug().Msg("handling list clients request")
+
 		clients := p.ciTable.ListClients()
+		mainLog.Load().Debug().Int("client_count", len(clients)).Msg("retrieved clients list")
+
 		sort.Slice(clients, func(i, j int) bool {
 			return clients[i].IP.Less(clients[j].IP)
 		})
-		if p.cfg.Service.MetricsQueryStats {
-			for _, client := range clients {
+		mainLog.Load().Debug().Msg("sorted clients by IP address")
+
+		if p.metricsQueryStats.Load() {
+			mainLog.Load().Debug().Msg("metrics query stats enabled, collecting query counts")
+
+			for idx, client := range clients {
+				mainLog.Load().Debug().
+					Int("index", idx).
+					Str("ip", client.IP.String()).
+					Str("mac", client.Mac).
+					Str("hostname", client.Hostname).
+					Msg("processing client metrics")
+
 				client.IncludeQueryCount = true
 				dm := &dto.Metric{}
+
+				if statsClientQueriesCount.MetricVec == nil {
+					mainLog.Load().Debug().
+						Str("client_ip", client.IP.String()).
+						Msg("skipping metrics collection: MetricVec is nil")
+					continue
+				}
+
 				m, err := statsClientQueriesCount.MetricVec.GetMetricWithLabelValues(
 					client.IP.String(),
 					client.Mac,
 					client.Hostname,
 				)
 				if err != nil {
-					mainLog.Load().Debug().Err(err).Msgf("could not get metrics for client: %v", client)
+					mainLog.Load().Debug().
+						Err(err).
+						Str("client_ip", client.IP.String()).
+						Str("mac", client.Mac).
+						Str("hostname", client.Hostname).
+						Msg("failed to get metrics for client")
 					continue
 				}
-				if err := m.Write(dm); err == nil {
+
+				if err := m.Write(dm); err == nil && dm.Counter != nil {
 					client.QueryCount = int64(dm.Counter.GetValue())
+					mainLog.Load().Debug().
+						Str("client_ip", client.IP.String()).
+						Int64("query_count", client.QueryCount).
+						Msg("successfully collected query count")
+				} else if err != nil {
+					mainLog.Load().Debug().
+						Err(err).
+						Str("client_ip", client.IP.String()).
+						Msg("failed to write metric")
 				}
 			}
+		} else {
+			mainLog.Load().Debug().Msg("metrics query stats disabled, skipping query counts")
 		}
 
 		if err := json.NewEncoder(w).Encode(&clients); err != nil {
+			mainLog.Load().Error().
+				Err(err).
+				Int("client_count", len(clients)).
+				Msg("failed to encode clients response")
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
+		mainLog.Load().Debug().
+			Int("client_count", len(clients)).
+			Msg("successfully sent clients list response")
 	}))
 	p.cs.register(startedPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
 		select {
@@ -152,8 +210,30 @@ func (p *prog) registerControlServerHandler() {
 		w.WriteHeader(http.StatusOK)
 	}))
 	p.cs.register(deactivationPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
-		// Non-cd mode or pin code not set, always allowing deactivation.
-		if cdUID == "" || deactivationPinNotSet() {
+		// Non-cd mode always allowing deactivation.
+		if cdUID == "" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
+		// Re-fetch pin code from API.
+		rcReq := &controld.ResolverConfigRequest{
+			RawUID:   cdUID,
+			Version:  rootCmd.Version,
+			Metadata: ctrld.SystemMetadata(context.Background()),
+		}
+		if rc, err := controld.FetchResolverConfig(rcReq, cdDev); rc != nil {
+			if rc.DeactivationPin != nil {
+				cdDeactivationPin.Store(*rc.DeactivationPin)
+			} else {
+				cdDeactivationPin.Store(defaultDeactivationPin)
+			}
+		} else {
+			mainLog.Load().Warn().Err(err).Msg("could not re-fetch deactivation pin code")
+		}
+
+		// If pin code not set, allowing deactivation.
+		if !deactivationPinSet() {
 			w.WriteHeader(http.StatusOK)
 			return
 		}
@@ -167,8 +247,12 @@ func (p *prog) registerControlServerHandler() {
 
 		code := http.StatusForbidden
 		switch req.Pin {
-		case cdDeactivationPin:
+		case cdDeactivationPin.Load():
 			code = http.StatusOK
+			select {
+			case p.pinCodeValidCh <- struct{}{}:
+			default:
+			}
 		case defaultDeactivationPin:
 			// If the pin code was set, but users do not provide --pin, return proper code to client.
 			code = http.StatusBadRequest
@@ -178,20 +262,82 @@ func (p *prog) registerControlServerHandler() {
 	p.cs.register(cdPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
 		if cdUID != "" {
 			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(cdUID))
 			return
 		}
 		w.WriteHeader(http.StatusBadRequest)
 	}))
 	p.cs.register(ifacePath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
+		res := &ifaceResponse{Name: iface}
 		// p.setDNS is only called when running as a service
 		if !service.Interactive() {
 			<-p.csSetDnsDone
 			if p.csSetDnsOk {
-				w.Write([]byte(iface))
-				return
+				res.Name = p.runningIface
+				res.All = p.requiredMultiNICsConfig
+				res.OK = true
 			}
 		}
-		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(res); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			http.Error(w, fmt.Sprintf("could not marshal iface data: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}))
+	p.cs.register(viewLogsPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
+		lr, err := p.logReader()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		defer lr.r.Close()
+		if lr.size == 0 {
+			w.WriteHeader(http.StatusMovedPermanently)
+			return
+		}
+		data, err := io.ReadAll(lr.r)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("could not read log: %v", err), http.StatusInternalServerError)
+			return
+		}
+		if err := json.NewEncoder(w).Encode(&logViewResponse{Data: string(data)}); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			http.Error(w, fmt.Sprintf("could not marshal log data: %v", err), http.StatusInternalServerError)
+			return
+		}
+	}))
+	p.cs.register(sendLogsPath, http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
+		if time.Since(p.internalLogSent) < logWriterSentInterval {
+			w.WriteHeader(http.StatusServiceUnavailable)
+			return
+		}
+		r, err := p.logReader()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		if r.size == 0 {
+			w.WriteHeader(http.StatusMovedPermanently)
+			return
+		}
+		req := &controld.LogsRequest{
+			UID:  cdUID,
+			Data: r.r,
+		}
+		mainLog.Load().Debug().Msg("sending log file to ControlD server")
+		resp := logSentResponse{Size: r.size}
+		if err := controld.SendLogs(req, cdDev); err != nil {
+			mainLog.Load().Error().Msgf("could not send log file to ControlD server: %v", err)
+			resp.Error = err.Error()
+			w.WriteHeader(http.StatusInternalServerError)
+		} else {
+			mainLog.Load().Debug().Msg("sending log file successfully")
+			w.WriteHeader(http.StatusOK)
+		}
+		if err := json.NewEncoder(w).Encode(&resp); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+		p.internalLogSent = time.Now()
 	}))
 }
 

cmd/cli/dns_proxy.go

@@ -8,7 +8,9 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"os/exec"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -16,13 +18,14 @@ import (
 
 	"github.com/miekg/dns"
 	"golang.org/x/sync/errgroup"
-	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netaddr"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsaddr"
 
 	"github.com/Control-D-Inc/ctrld"
+	"github.com/Control-D-Inc/ctrld/internal/controld"
 	"github.com/Control-D-Inc/ctrld/internal/dnscache"
 	ctrldnet "github.com/Control-D-Inc/ctrld/internal/net"
+	"github.com/Control-D-Inc/ctrld/internal/router"
 )
 
 const (
@@ -32,12 +35,15 @@ const (
 	// https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/dns-protocol.h;h=76ac66a8c28317e9c121a74ab5fd0e20f6237dc8;hb=HEAD#l81
 	// This is also dns.EDNS0LOCALSTART, but define our own constant here for clarification.
 	EDNS0_OPTION_MAC = 0xFDE9
+
+	// selfUninstallMaxQueries is number of REFUSED queries seen before checking for self-uninstallation.
+	selfUninstallMaxQueries = 32
 )
 
 var osUpstreamConfig = &ctrld.UpstreamConfig{
 	Name:    "OS resolver",
 	Type:    ctrld.ResolverTypeOS,
-	Timeout: 2000,
+	Timeout: 3000,
 }
 
 var privateUpstreamConfig = &ctrld.UpstreamConfig{
@@ -46,6 +52,12 @@ var privateUpstreamConfig = &ctrld.UpstreamConfig{
 	Timeout: 2000,
 }
 
+var localUpstreamConfig = &ctrld.UpstreamConfig{
+	Name:    "Local resolver",
+	Type:    ctrld.ResolverTypeLocal,
+	Timeout: 2000,
+}
+
 // proxyRequest contains data for proxying a DNS query to upstream.
 type proxyRequest struct {
 	msg            *dns.Msg
@@ -89,6 +101,7 @@ func (p *prog) serveDNS(listenerNum string) error {
 			_ = w.WriteMsg(answer)
 			return
 		}
+		listenerConfig := p.cfg.Listener[listenerNum]
 		reqId := requestID()
 		ctx := context.WithValue(context.Background(), ctrld.ReqIdCtxKey{}, reqId)
 		if !listenerConfig.AllowWanClients && isWanClient(w.RemoteAddr()) {
@@ -101,11 +114,18 @@ func (p *prog) serveDNS(listenerNum string) error {
 		go p.detectLoop(m)
 		q := m.Question[0]
 		domain := canonicalName(q.Name)
-		if domain == selfCheckInternalTestDomain {
+		switch {
+		case domain == "":
+			answer := new(dns.Msg)
+			answer.SetRcode(m, dns.RcodeFormatError)
+			_ = w.WriteMsg(answer)
+			return
+		case domain == selfCheckInternalTestDomain:
 			answer := resolveInternalDomainTestQuery(ctx, domain, m)
 			_ = w.WriteMsg(answer)
 			return
 		}
+
 		if _, ok := p.cacheFlushDomainsMap[domain]; ok && p.cache != nil {
 			p.cache.Purge()
 			ctrld.Log(ctx, mainLog.Load().Debug(), "received query %q, local cache is purged", domain)
@@ -143,6 +163,8 @@ func (p *prog) serveDNS(listenerNum string) error {
 				failoverRcodes: failoverRcode,
 				ufr:            ur,
 			})
+			go p.doSelfUninstall(pr.answer)
+
 			answer = pr.answer
 			rtt := time.Since(t)
 			ctrld.Log(ctx, mainLog.Load().Debug(), "received response of %d bytes in %s", answer.Len(), rtt)
@@ -160,6 +182,7 @@ func (p *prog) serveDNS(listenerNum string) error {
 		go func() {
 			p.WithLabelValuesInc(statsQueriesCount, labelValues...)
 			p.WithLabelValuesInc(statsClientQueriesCount, []string{ci.IP, ci.Mac, ci.Hostname}...)
+			p.forceFetchingAPI(domain)
 		}()
 		if err := w.WriteMsg(answer); err != nil {
 			ctrld.Log(ctx, mainLog.Load().Error().Err(err), "serveDNS: failed to send DNS response to client")
@@ -184,8 +207,8 @@ func (p *prog) serveDNS(listenerNum string) error {
 				return nil
 			})
 		}
-		// When we spawn a listener on 127.0.0.1, also spawn listeners on the RFC1918
-		// addresses of the machine. So ctrld could receive queries from LAN clients.
+		// When we spawn a listener on 127.0.0.1, also spawn listeners on the RFC1918 addresses of the machine
+		// if explicitly set via setting rfc1918 flag, so ctrld could receive queries from LAN clients.
 		if needRFC1918Listeners(listenerConfig) {
 			g.Go(func() error {
 				for _, addr := range ctrld.Rfc1918Addresses() {
@@ -402,9 +425,21 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 	upstreams := req.ufr.upstreams
 	serveStaleCache := p.cache != nil && p.cfg.Service.CacheServeStale
 	upstreamConfigs := p.upstreamConfigsFromUpstreamNumbers(upstreams)
+
 	if len(upstreamConfigs) == 0 {
 		upstreamConfigs = []*ctrld.UpstreamConfig{osUpstreamConfig}
 		upstreams = []string{upstreamOS}
+		// For OS resolver, local addresses are ignored to prevent possible looping.
+		// However, on Active Directory Domain Controller, where it has local DNS server
+		// running and listening on local addresses, these local addresses must be used
+		// as nameservers, so queries for ADDC could be resolved as expected.
+		if p.isAdDomainQuery(req.msg) {
+			ctrld.Log(ctx, mainLog.Load().Debug(),
+				"AD domain query detected for %s in domain %s",
+				req.msg.Question[0].Name, p.adDomain)
+			upstreamConfigs = []*ctrld.UpstreamConfig{localUpstreamConfig}
+			upstreams = []string{upstreamOSLocal}
+		}
 	}
 
 	res := &proxyResponse{}
@@ -420,6 +455,11 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 		ctrld.Log(ctx, mainLog.Load().Debug(), "%s, %s, %s -> %v", req.ufr.matchedPolicy, req.ufr.matchedNetwork, req.ufr.matchedRule, upstreams)
 	} else {
 		switch {
+		case isSrvLanLookup(req.msg):
+			upstreams = []string{upstreamOS}
+			upstreamConfigs = []*ctrld.UpstreamConfig{osUpstreamConfig}
+			ctx = ctrld.LanQueryCtx(ctx)
+			ctrld.Log(ctx, mainLog.Load().Debug(), "SRV record lookup, using upstreams: %v", upstreams)
 		case isPrivatePtrLookup(req.msg):
 			isLanOrPtrQuery = true
 			if answer := p.proxyPrivatePtrLookup(ctx, req.msg); answer != nil {
@@ -427,7 +467,8 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 				res.clientInfo = true
 				return res
 			}
-			upstreams, upstreamConfigs = p.upstreamsAndUpstreamConfigForLanAndPtr(upstreams, upstreamConfigs)
+			upstreams, upstreamConfigs = p.upstreamsAndUpstreamConfigForPtr(upstreams, upstreamConfigs)
+			ctx = ctrld.LanQueryCtx(ctx)
 			ctrld.Log(ctx, mainLog.Load().Debug(), "private PTR lookup, using upstreams: %v", upstreams)
 		case isLanHostnameQuery(req.msg):
 			isLanOrPtrQuery = true
@@ -436,7 +477,9 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 				res.clientInfo = true
 				return res
 			}
-			upstreams, upstreamConfigs = p.upstreamsAndUpstreamConfigForLanAndPtr(upstreams, upstreamConfigs)
+			upstreams = []string{upstreamOS}
+			upstreamConfigs = []*ctrld.UpstreamConfig{osUpstreamConfig}
+			ctx = ctrld.LanQueryCtx(ctx)
 			ctrld.Log(ctx, mainLog.Load().Debug(), "lan hostname lookup, using upstreams: %v", upstreams)
 		default:
 			ctrld.Log(ctx, mainLog.Load().Debug(), "no explicit policy matched, using default routing -> %v", upstreams)
@@ -451,7 +494,7 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 				continue
 			}
 			answer := cachedValue.Msg.Copy()
-			answer.SetRcode(req.msg, answer.Rcode)
+			ctrld.SetCacheReply(answer, req.msg, answer.Rcode)
 			now := time.Now()
 			if cachedValue.Expire.After(now) {
 				ctrld.Log(ctx, mainLog.Load().Debug(), "hit cached response")
@@ -463,58 +506,68 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 			staleAnswer = answer
 		}
 	}
-	resolve1 := func(n int, upstreamConfig *ctrld.UpstreamConfig, msg *dns.Msg) (*dns.Msg, error) {
-		ctrld.Log(ctx, mainLog.Load().Debug(), "sending query to %s: %s", upstreams[n], upstreamConfig.Name)
+	resolve1 := func(upstream string, upstreamConfig *ctrld.UpstreamConfig, msg *dns.Msg) (*dns.Msg, error) {
+		ctrld.Log(ctx, mainLog.Load().Debug(), "sending query to %s: %s", upstream, upstreamConfig.Name)
 		dnsResolver, err := ctrld.NewResolver(upstreamConfig)
 		if err != nil {
 			ctrld.Log(ctx, mainLog.Load().Error().Err(err), "failed to create resolver")
 			return nil, err
 		}
-		resolveCtx, cancel := context.WithCancel(ctx)
+		resolveCtx, cancel := upstreamConfig.Context(ctx)
 		defer cancel()
-		if upstreamConfig.Timeout > 0 {
-			timeoutCtx, cancel := context.WithTimeout(resolveCtx, time.Millisecond*time.Duration(upstreamConfig.Timeout))
-			defer cancel()
-			resolveCtx = timeoutCtx
-		}
 		return dnsResolver.Resolve(resolveCtx, msg)
 	}
-	resolve := func(n int, upstreamConfig *ctrld.UpstreamConfig, msg *dns.Msg) *dns.Msg {
+	resolve := func(upstream string, upstreamConfig *ctrld.UpstreamConfig, msg *dns.Msg) *dns.Msg {
 		if upstreamConfig.UpstreamSendClientInfo() && req.ci != nil {
 			ctrld.Log(ctx, mainLog.Load().Debug(), "including client info with the request")
 			ctx = context.WithValue(ctx, ctrld.ClientInfoCtxKey{}, req.ci)
 		}
-		answer, err := resolve1(n, upstreamConfig, msg)
+		answer, err := resolve1(upstream, upstreamConfig, msg)
+		// if we have an answer, we should reset the failure count
+		// we dont use reset here since we dont want to prevent failure counts from being incremented
+		if answer != nil {
+			p.um.mu.Lock()
+			p.um.failureReq[upstream] = 0
+			p.um.down[upstream] = false
+			p.um.mu.Unlock()
+			return answer
+		}
+
+		ctrld.Log(ctx, mainLog.Load().Error().Err(err), "failed to resolve query")
+
+		// increase failure count when there is no answer
+		// rehardless of what kind of error we get
+		p.um.increaseFailureCount(upstream)
+
 		if err != nil {
-			ctrld.Log(ctx, mainLog.Load().Error().Err(err), "failed to resolve query")
-			if errNetworkError(err) {
-				p.um.increaseFailureCount(upstreams[n])
-				if p.um.isDown(upstreams[n]) {
-					go p.um.checkUpstream(upstreams[n], upstreamConfig)
-				}
-			}
 			// For timeout error (i.e: context deadline exceed), force re-bootstrapping.
 			var e net.Error
 			if errors.As(err, &e) && e.Timeout() {
 				upstreamConfig.ReBootstrap()
 			}
-			return nil
+			// For network error, turn ipv6 off if enabled.
+			if ctrld.HasIPv6() && (errUrlNetworkError(err) || errNetworkError(err)) {
+				ctrld.DisableIPv6()
+			}
 		}
-		return answer
+
+		return nil
 	}
 	for n, upstreamConfig := range upstreamConfigs {
 		if upstreamConfig == nil {
 			continue
 		}
+		logger := mainLog.Load().Debug().
+			Str("upstream", upstreamConfig.String()).
+			Str("query", req.msg.Question[0].Name).
+			Bool("is_ad_query", p.isAdDomainQuery(req.msg)).
+			Bool("is_lan_query", isLanOrPtrQuery)
+
 		if p.isLoop(upstreamConfig) {
-			mainLog.Load().Warn().Msgf("dns loop detected, upstream: %q, endpoint: %q", upstreamConfig.Name, upstreamConfig.Endpoint)
+			ctrld.Log(ctx, logger, "DNS loop detected")
 			continue
 		}
-		if p.um.isDown(upstreams[n]) {
-			ctrld.Log(ctx, mainLog.Load().Warn(), "%s is down", upstreams[n])
-			continue
-		}
-		answer := resolve(n, upstreamConfig, req.msg)
+		answer := resolve(upstreams[n], upstreamConfig, req.msg)
 		if answer == nil {
 			if serveStaleCache && staleAnswer != nil {
 				ctrld.Log(ctx, mainLog.Load().Debug(), "serving stale cached response")
@@ -561,13 +614,50 @@ func (p *prog) proxy(ctx context.Context, req *proxyRequest) *proxyResponse {
 		return res
 	}
 	ctrld.Log(ctx, mainLog.Load().Error(), "all %v endpoints failed", upstreams)
+
+	// if we have no healthy upstreams, trigger recovery flow
+	if p.leakOnUpstreamFailure() {
+		if p.um.countHealthy(upstreams) == 0 {
+			p.recoveryCancelMu.Lock()
+			if p.recoveryCancel == nil {
+				var reason RecoveryReason
+				if upstreams[0] == upstreamOS {
+					reason = RecoveryReasonOSFailure
+				} else {
+					reason = RecoveryReasonRegularFailure
+				}
+				mainLog.Load().Debug().Msgf("No healthy upstreams, triggering recovery with reason: %v", reason)
+				go p.handleRecovery(reason)
+			} else {
+				mainLog.Load().Debug().Msg("Recovery already in progress; skipping duplicate trigger from down detection")
+			}
+			p.recoveryCancelMu.Unlock()
+		} else {
+			mainLog.Load().Debug().Msg("One upstream is down but at least one is healthy; skipping recovery trigger")
+		}
+
+		// attempt query to OS resolver while as a retry catch all
+		// we dont want this to happen if leakOnUpstreamFailure is false
+		if upstreams[0] != upstreamOS {
+			ctrld.Log(ctx, mainLog.Load().Debug(), "attempting query to OS resolver as a retry catch all")
+			answer := resolve(upstreamOS, osUpstreamConfig, req.msg)
+			if answer != nil {
+				ctrld.Log(ctx, mainLog.Load().Debug(), "OS resolver retry query successful")
+				res.answer = answer
+				res.upstream = osUpstreamConfig.Endpoint
+				return res
+			}
+			ctrld.Log(ctx, mainLog.Load().Debug(), "OS resolver retry query failed")
+		}
+	}
+
 	answer := new(dns.Msg)
 	answer.SetRcode(req.msg, dns.RcodeServerFailure)
 	res.answer = answer
 	return res
 }
 
-func (p *prog) upstreamsAndUpstreamConfigForLanAndPtr(upstreams []string, upstreamConfigs []*ctrld.UpstreamConfig) ([]string, []*ctrld.UpstreamConfig) {
+func (p *prog) upstreamsAndUpstreamConfigForPtr(upstreams []string, upstreamConfigs []*ctrld.UpstreamConfig) ([]string, []*ctrld.UpstreamConfig) {
 	if len(p.localUpstreams) > 0 {
 		tmp := make([]string, 0, len(p.localUpstreams)+len(upstreams))
 		tmp = append(tmp, p.localUpstreams...)
@@ -586,6 +676,14 @@ func (p *prog) upstreamConfigsFromUpstreamNumbers(upstreams []string) []*ctrld.U
 	return upstreamConfigs
 }
 
+func (p *prog) isAdDomainQuery(msg *dns.Msg) bool {
+	if p.adDomain == "" {
+		return false
+	}
+	cDomainName := canonicalName(msg.Question[0].Name)
+	return dns.IsSubDomain(p.adDomain, cDomainName)
+}
+
 // canonicalName returns canonical name from FQDN with "." trimmed.
 func canonicalName(fqdn string) string {
 	q := strings.TrimSpace(fqdn)
@@ -596,14 +694,15 @@ func canonicalName(fqdn string) string {
 	return q
 }
 
-// wildcardMatches reports whether string str matches the wildcard pattern.
+// wildcardMatches reports whether string str matches the wildcard pattern in case-insensitive manner.
 func wildcardMatches(wildcard, str string) bool {
 	// Wildcard match.
-	wildCardParts := strings.Split(wildcard, "*")
+	wildCardParts := strings.Split(strings.ToLower(wildcard), "*")
 	if len(wildCardParts) != 2 {
 		return false
 	}
 
+	str = strings.ToLower(str)
 	switch {
 	case len(wildCardParts[0]) > 0 && len(wildCardParts[1]) > 0:
 		// Domain must match both prefix and suffix.
@@ -811,7 +910,7 @@ func (p *prog) getClientInfo(remoteIP string, msg *dns.Msg) *ctrld.ClientInfo {
 	} else {
 		ci.Hostname = p.ciTable.LookupHostname(ci.IP, ci.Mac)
 	}
-	ci.Self = queryFromSelf(ci.IP)
+	ci.Self = p.queryFromSelf(ci.IP)
 	// If this is a query from self, but ci.IP is not loopback IP,
 	// try using hostname mapping for lookback IP if presents.
 	if ci.Self {
@@ -836,34 +935,117 @@ func (p *prog) spoofLoopbackIpInClientInfo(ci *ctrld.ClientInfo) {
 	}
 }
 
+// doSelfUninstall performs self-uninstall if these condition met:
+//
+// - There is only 1 ControlD upstream in-use.
+// - Number of refused queries seen so far equals to selfUninstallMaxQueries.
+// - The cdUID is deleted.
+func (p *prog) doSelfUninstall(answer *dns.Msg) {
+	if !p.canSelfUninstall.Load() || answer == nil || answer.Rcode != dns.RcodeRefused {
+		return
+	}
+
+	p.selfUninstallMu.Lock()
+	defer p.selfUninstallMu.Unlock()
+	if p.checkingSelfUninstall {
+		return
+	}
+
+	logger := mainLog.Load().With().Str("mode", "self-uninstall").Logger()
+	if p.refusedQueryCount > selfUninstallMaxQueries {
+		p.checkingSelfUninstall = true
+
+		req := &controld.ResolverConfigRequest{
+			RawUID:   cdUID,
+			Version:  rootCmd.Version,
+			Metadata: ctrld.SystemMetadata(context.Background()),
+		}
+		_, err := controld.FetchResolverConfig(req, cdDev)
+		logger.Debug().Msg("maximum number of refused queries reached, checking device status")
+		selfUninstallCheck(err, p, logger)
+
+		if err != nil {
+			logger.Warn().Err(err).Msg("could not fetch resolver config")
+		}
+		// Cool-of period to prevent abusing the API.
+		go p.selfUninstallCoolOfPeriod()
+		return
+	}
+	p.refusedQueryCount++
+}
+
+// selfUninstallCoolOfPeriod waits for 30 minutes before
+// calling API again for checking ControlD device status.
+func (p *prog) selfUninstallCoolOfPeriod() {
+	t := time.NewTimer(time.Minute * 30)
+	defer t.Stop()
+	<-t.C
+	p.selfUninstallMu.Lock()
+	p.checkingSelfUninstall = false
+	p.refusedQueryCount = 0
+	p.selfUninstallMu.Unlock()
+}
+
+// forceFetchingAPI sends signal to force syncing API config if run in cd mode,
+// and the domain == "cdUID.verify.controld.com"
+func (p *prog) forceFetchingAPI(domain string) {
+	if cdUID == "" {
+		return
+	}
+	resolverID, parent, _ := strings.Cut(domain, ".")
+	if resolverID != cdUID {
+		return
+	}
+	switch {
+	case cdDev && parent == "verify.controld.dev":
+		// match ControlD dev
+	case parent == "verify.controld.com":
+		// match ControlD
+	default:
+		return
+	}
+	_ = p.apiForceReloadGroup.DoChan("force_sync_api", func() (interface{}, error) {
+		p.apiForceReloadCh <- struct{}{}
+		// Wait here to prevent abusing API if we are flooded.
+		time.Sleep(timeDurationOrDefault(p.cfg.Service.ForceRefetchWaitTime, 30) * time.Second)
+		return nil, nil
+	})
+}
+
+// timeDurationOrDefault returns time duration value from n if not nil.
+// Otherwise, it returns time duration value defaultN.
+func timeDurationOrDefault(n *int, defaultN int) time.Duration {
+	if n != nil && *n > 0 {
+		return time.Duration(*n)
+	}
+	return time.Duration(defaultN)
+}
+
 // queryFromSelf reports whether the input IP is from device running ctrld.
-func queryFromSelf(ip string) bool {
+func (p *prog) queryFromSelf(ip string) bool {
+	if val, ok := p.queryFromSelfMap.Load(ip); ok {
+		return val.(bool)
+	}
 	netIP := netip.MustParseAddr(ip)
-	ifaces, err := interfaces.GetList()
+	regularIPs, loopbackIPs, err := netmon.LocalAddresses()
 	if err != nil {
-		mainLog.Load().Warn().Err(err).Msg("could not get interfaces list")
+		mainLog.Load().Warn().Err(err).Msg("could not get local addresses")
 		return false
 	}
-	for _, iface := range ifaces {
-		addrs, err := iface.Addrs()
-		if err != nil {
-			mainLog.Load().Warn().Err(err).Msgf("could not get interfaces addresses: %s", iface.Name)
-			continue
-		}
-		for _, a := range addrs {
-			switch v := a.(type) {
-			case *net.IPNet:
-				if pfx, ok := netaddr.FromStdIPNet(v); ok && pfx.Addr().Compare(netIP) == 0 {
-					return true
-				}
-			}
+	for _, localIP := range slices.Concat(regularIPs, loopbackIPs) {
+		if localIP.Compare(netIP) == 0 {
+			p.queryFromSelfMap.Store(ip, true)
+			return true
 		}
 	}
+	p.queryFromSelfMap.Store(ip, false)
 	return false
 }
 
+// needRFC1918Listeners reports whether ctrld need to spawn listener for RFC 1918 addresses.
+// This is helpful for non-desktop platforms to receive queries from LAN clients.
 func needRFC1918Listeners(lc *ctrld.ListenerConfig) bool {
-	return lc.IP == "127.0.0.1" && lc.Port == 53
+	return rfc1918 && lc.IP == "127.0.0.1" && lc.Port == 53
 }
 
 // ipFromARPA parses a FQDN arpa domain and return the IP address if valid.
@@ -931,10 +1113,25 @@ func isLanHostnameQuery(m *dns.Msg) bool {
 	default:
 		return false
 	}
-	name := strings.TrimSuffix(q.Name, ".")
+	return isLanHostname(q.Name)
+}
+
+// isSrvLanLookup reports whether DNS message is an SRV query of a LAN hostname.
+func isSrvLanLookup(m *dns.Msg) bool {
+	if m == nil || len(m.Question) == 0 {
+		return false
+	}
+	q := m.Question[0]
+	return q.Qtype == dns.TypeSRV && isLanHostname(q.Name)
+}
+
+// isLanHostname reports whether name is a LAN hostname.
+func isLanHostname(name string) bool {
+	name = strings.TrimSuffix(name, ".")
 	return !strings.Contains(name, ".") ||
 		strings.HasSuffix(name, ".domain") ||
-		strings.HasSuffix(name, ".lan")
+		strings.HasSuffix(name, ".lan") ||
+		strings.HasSuffix(name, ".local")
 }
 
 // isWanClient reports whether the input is a WAN address.
@@ -967,3 +1164,470 @@ func resolveInternalDomainTestQuery(ctx context.Context, domain string, m *dns.M
 	answer.SetReply(m)
 	return answer
 }
+
+// FlushDNSCache flushes the DNS cache on macOS.
+func FlushDNSCache() error {
+	// if not macOS, return
+	if runtime.GOOS != "darwin" {
+		return nil
+	}
+
+	// Flush the DNS cache via mDNSResponder.
+	// This is typically needed on modern macOS systems.
+	if out, err := exec.Command("killall", "-HUP", "mDNSResponder").CombinedOutput(); err != nil {
+		return fmt.Errorf("failed to flush mDNSResponder: %w, output: %s", err, string(out))
+	}
+
+	// Optionally, flush the directory services cache.
+	if out, err := exec.Command("dscacheutil", "-flushcache").CombinedOutput(); err != nil {
+		return fmt.Errorf("failed to flush dscacheutil: %w, output: %s", err, string(out))
+	}
+
+	return nil
+}
+
+// monitorNetworkChanges starts monitoring for network interface changes
+func (p *prog) monitorNetworkChanges() error {
+	mon, err := netmon.New(func(format string, args ...any) {
+		// Always fetch the latest logger (and inject the prefix)
+		mainLog.Load().Printf("netmon: "+format, args...)
+	})
+	if err != nil {
+		return fmt.Errorf("creating network monitor: %w", err)
+	}
+
+	mon.RegisterChangeCallback(func(delta *netmon.ChangeDelta) {
+		// Get map of valid interfaces
+		validIfaces := validInterfacesMap()
+
+		isMajorChange := mon.IsMajorChangeFrom(delta.Old, delta.New)
+
+		mainLog.Load().Debug().
+			Interface("old_state", delta.Old).
+			Interface("new_state", delta.New).
+			Bool("is_major_change", isMajorChange).
+			Msg("Network change detected")
+
+		changed := false
+		activeInterfaceExists := false
+		var changeIPs []netip.Prefix
+		// Check each valid interface for changes
+		for ifaceName := range validIfaces {
+			oldIface, oldExists := delta.Old.Interface[ifaceName]
+			newIface, newExists := delta.New.Interface[ifaceName]
+			if !newExists {
+				continue
+			}
+
+			oldIPs := delta.Old.InterfaceIPs[ifaceName]
+			newIPs := delta.New.InterfaceIPs[ifaceName]
+
+			// if a valid interface did not exist in old
+			// check that its up and has usable IPs
+			if !oldExists {
+				// The interface is new (was not present in the old state).
+				usableNewIPs := filterUsableIPs(newIPs)
+				if newIface.IsUp() && len(usableNewIPs) > 0 {
+					changed = true
+					changeIPs = usableNewIPs
+					mainLog.Load().Debug().
+						Str("interface", ifaceName).
+						Interface("new_ips", usableNewIPs).
+						Msg("Interface newly appeared (was not present in old state)")
+					break
+				}
+				continue
+			}
+
+			// Filter new IPs to only those that are usable.
+			usableNewIPs := filterUsableIPs(newIPs)
+
+			// Check if interface is up and has usable IPs.
+			if newIface.IsUp() && len(usableNewIPs) > 0 {
+				activeInterfaceExists = true
+			}
+
+			// Compare interface states and IPs (interfaceIPsEqual will itself filter the IPs).
+			if !interfaceStatesEqual(&oldIface, &newIface) || !interfaceIPsEqual(oldIPs, newIPs) {
+				if newIface.IsUp() && len(usableNewIPs) > 0 {
+					changed = true
+					changeIPs = usableNewIPs
+					mainLog.Load().Debug().
+						Str("interface", ifaceName).
+						Interface("old_ips", oldIPs).
+						Interface("new_ips", usableNewIPs).
+						Msg("Interface state or IPs changed")
+					break
+				}
+			}
+		}
+
+		// if the default route changed, set changed to true
+		if delta.New.DefaultRouteInterface != delta.Old.DefaultRouteInterface {
+			changed = true
+			mainLog.Load().Debug().Msgf("Default route changed from %s to %s", delta.Old.DefaultRouteInterface, delta.New.DefaultRouteInterface)
+		}
+
+		if !changed {
+			mainLog.Load().Debug().Msg("Ignoring interface change - no valid interfaces affected")
+			// check if the default IPs are still on an interface that is up
+			ValidateDefaultLocalIPsFromDelta(delta.New)
+			return
+		}
+
+		if !activeInterfaceExists {
+			mainLog.Load().Debug().Msg("No active interfaces found, skipping reinitialization")
+			return
+		}
+
+		// Get IPs from default route interface in new state
+		selfIP := defaultRouteIP()
+
+		// Ensure that selfIP is an IPv4 address.
+		// If defaultRouteIP mistakenly returns an IPv6 (such as a ULA), clear it
+		if ip := net.ParseIP(selfIP); ip != nil && ip.To4() == nil {
+			mainLog.Load().Debug().Msgf("defaultRouteIP returned a non-IPv4 address: %s, ignoring it", selfIP)
+			selfIP = ""
+		}
+		var ipv6 string
+
+		if delta.New.DefaultRouteInterface != "" {
+			mainLog.Load().Debug().Msgf("default route interface: %s, IPs: %v", delta.New.DefaultRouteInterface, delta.New.InterfaceIPs[delta.New.DefaultRouteInterface])
+			for _, ip := range delta.New.InterfaceIPs[delta.New.DefaultRouteInterface] {
+				ipAddr, _ := netip.ParsePrefix(ip.String())
+				addr := ipAddr.Addr()
+				if selfIP == "" && addr.Is4() {
+					mainLog.Load().Debug().Msgf("checking IP: %s", addr.String())
+					if !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
+						selfIP = addr.String()
+					}
+				}
+				if addr.Is6() && !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
+					ipv6 = addr.String()
+				}
+			}
+		} else {
+			// If no default route interface is set yet, use the changed IPs
+			mainLog.Load().Debug().Msgf("no default route interface found, using changed IPs: %v", changeIPs)
+			for _, ip := range changeIPs {
+				ipAddr, _ := netip.ParsePrefix(ip.String())
+				addr := ipAddr.Addr()
+				if selfIP == "" && addr.Is4() {
+					mainLog.Load().Debug().Msgf("checking IP: %s", addr.String())
+					if !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
+						selfIP = addr.String()
+					}
+				}
+				if addr.Is6() && !addr.IsLoopback() && !addr.IsLinkLocalUnicast() {
+					ipv6 = addr.String()
+				}
+			}
+		}
+
+		// Only set the IPv4 default if selfIP is a valid IPv4 address.
+		if ip := net.ParseIP(selfIP); ip != nil && ip.To4() != nil {
+			ctrld.SetDefaultLocalIPv4(ip)
+			if !isMobile() && p.ciTable != nil {
+				p.ciTable.SetSelfIP(selfIP)
+			}
+		}
+		if ip := net.ParseIP(ipv6); ip != nil {
+			ctrld.SetDefaultLocalIPv6(ip)
+		}
+		mainLog.Load().Debug().Msgf("Set default local IPv4: %s, IPv6: %s", selfIP, ipv6)
+
+		// we only trigger recovery flow for network changes on non router devices
+		if router.Name() == "" {
+			p.handleRecovery(RecoveryReasonNetworkChange)
+		}
+	})
+
+	mon.Start()
+	mainLog.Load().Debug().Msg("Network monitor started")
+	return nil
+}
+
+// interfaceStatesEqual compares two interface states
+func interfaceStatesEqual(a, b *netmon.Interface) bool {
+	if a == nil || b == nil {
+		return a == b
+	}
+	return a.IsUp() == b.IsUp()
+}
+
+// filterUsableIPs is a helper that returns only "usable" IP prefixes,
+// filtering out link-local, loopback, multicast, unspecified, broadcast, or CGNAT addresses.
+func filterUsableIPs(prefixes []netip.Prefix) []netip.Prefix {
+	var usable []netip.Prefix
+	for _, p := range prefixes {
+		addr := p.Addr()
+		if addr.IsLinkLocalUnicast() ||
+			addr.IsLoopback() ||
+			addr.IsMulticast() ||
+			addr.IsUnspecified() ||
+			addr.IsLinkLocalMulticast() ||
+			(addr.Is4() && addr.String() == "255.255.255.255") ||
+			tsaddr.CGNATRange().Contains(addr) {
+			continue
+		}
+		usable = append(usable, p)
+	}
+	return usable
+}
+
+// Modified interfaceIPsEqual compares only the usable (non-link local, non-loopback, etc.) IP addresses.
+func interfaceIPsEqual(a, b []netip.Prefix) bool {
+	aUsable := filterUsableIPs(a)
+	bUsable := filterUsableIPs(b)
+	if len(aUsable) != len(bUsable) {
+		return false
+	}
+
+	aMap := make(map[string]bool)
+	for _, ip := range aUsable {
+		aMap[ip.String()] = true
+	}
+	for _, ip := range bUsable {
+		if !aMap[ip.String()] {
+			return false
+		}
+	}
+	return true
+}
+
+// checkUpstreamOnce sends a test query to the specified upstream.
+// Returns nil if the upstream responds successfully.
+func (p *prog) checkUpstreamOnce(upstream string, uc *ctrld.UpstreamConfig) error {
+	mainLog.Load().Debug().Msgf("Starting check for upstream: %s", upstream)
+
+	resolver, err := ctrld.NewResolver(uc)
+	if err != nil {
+		mainLog.Load().Error().Err(err).Msgf("Failed to create resolver for upstream %s", upstream)
+		return err
+	}
+
+	timeout := 1000 * time.Millisecond
+	if uc.Timeout > 0 {
+		timeout = time.Millisecond * time.Duration(uc.Timeout)
+	}
+	mainLog.Load().Debug().Msgf("Timeout for upstream %s: %s", upstream, timeout)
+
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	uc.ReBootstrap()
+	mainLog.Load().Debug().Msgf("Rebootstrapping resolver for upstream: %s", upstream)
+
+	start := time.Now()
+	msg := uc.VerifyMsg()
+	_, err = resolver.Resolve(ctx, msg)
+	duration := time.Since(start)
+
+	if err != nil {
+		mainLog.Load().Error().Err(err).Msgf("Upstream %s check failed after %v", upstream, duration)
+	} else {
+		mainLog.Load().Debug().Msgf("Upstream %s responded successfully in %v", upstream, duration)
+	}
+	return err
+}
+
+// handleRecovery performs a unified recovery by removing DNS settings,
+// canceling existing recovery checks for network changes, but coalescing duplicate
+// upstream failure recoveries, waiting for recovery to complete (using a cancellable context without timeout),
+// and then re-applying the DNS settings.
+func (p *prog) handleRecovery(reason RecoveryReason) {
+	mainLog.Load().Debug().Msg("Starting recovery process: removing DNS settings")
+
+	// For network changes, cancel any existing recovery check because the network state has changed.
+	if reason == RecoveryReasonNetworkChange {
+		p.recoveryCancelMu.Lock()
+		if p.recoveryCancel != nil {
+			mainLog.Load().Debug().Msg("Cancelling existing recovery check (network change)")
+			p.recoveryCancel()
+			p.recoveryCancel = nil
+		}
+		p.recoveryCancelMu.Unlock()
+	} else {
+		// For upstream failures, if a recovery is already in progress, do nothing new.
+		p.recoveryCancelMu.Lock()
+		if p.recoveryCancel != nil {
+			mainLog.Load().Debug().Msg("Upstream recovery already in progress; skipping duplicate trigger")
+			p.recoveryCancelMu.Unlock()
+			return
+		}
+		p.recoveryCancelMu.Unlock()
+	}
+
+	// Create a new recovery context without a fixed timeout.
+	p.recoveryCancelMu.Lock()
+	recoveryCtx, cancel := context.WithCancel(context.Background())
+	p.recoveryCancel = cancel
+	p.recoveryCancelMu.Unlock()
+
+	// Immediately remove our DNS settings from the interface.
+	// set recoveryRunning to true to prevent watchdogs from putting the listener back on the interface
+	p.recoveryRunning.Store(true)
+	// we do not want to restore any static DNS settings
+	// we must try to get the DHCP values, any static DNS settings
+	// will be appended to nameservers from the saved interface values
+	p.resetDNS(false, false)
+
+	// For an OS failure, reinitialize OS resolver nameservers immediately.
+	if reason == RecoveryReasonOSFailure {
+		mainLog.Load().Debug().Msg("OS resolver failure detected; reinitializing OS resolver nameservers")
+		ns := ctrld.InitializeOsResolver(true)
+		if len(ns) == 0 {
+			mainLog.Load().Warn().Msg("No nameservers found for OS resolver; using existing values")
+		} else {
+			mainLog.Load().Info().Msgf("Reinitialized OS resolver with nameservers: %v", ns)
+		}
+	}
+
+	// Build upstream map based on the recovery reason.
+	upstreams := p.buildRecoveryUpstreams(reason)
+
+	// Wait indefinitely until one of the upstreams recovers.
+	recovered, err := p.waitForUpstreamRecovery(recoveryCtx, upstreams)
+	if err != nil {
+		mainLog.Load().Error().Err(err).Msg("Recovery canceled; DNS settings remain removed")
+		p.recoveryCancelMu.Lock()
+		p.recoveryCancel = nil
+		p.recoveryCancelMu.Unlock()
+		return
+	}
+	mainLog.Load().Info().Msgf("Upstream %q recovered; re-applying DNS settings", recovered)
+
+	// reset the upstream failure count and down state
+	p.um.reset(recovered)
+
+	// For network changes we also reinitialize the OS resolver.
+	if reason == RecoveryReasonNetworkChange {
+		ns := ctrld.InitializeOsResolver(true)
+		if len(ns) == 0 {
+			mainLog.Load().Warn().Msg("No nameservers found for OS resolver during network-change recovery; using existing values")
+		} else {
+			mainLog.Load().Info().Msgf("Reinitialized OS resolver with nameservers: %v", ns)
+		}
+	}
+
+	// Apply our DNS settings back and log the interface state.
+	p.setDNS()
+	p.logInterfacesState()
+
+	// allow watchdogs to put the listener back on the interface if its changed for any reason
+	p.recoveryRunning.Store(false)
+
+	// Clear the recovery cancellation for a clean slate.
+	p.recoveryCancelMu.Lock()
+	p.recoveryCancel = nil
+	p.recoveryCancelMu.Unlock()
+}
+
+// waitForUpstreamRecovery checks the provided upstreams concurrently until one recovers.
+// It returns the name of the recovered upstream or an error if the check times out.
+func (p *prog) waitForUpstreamRecovery(ctx context.Context, upstreams map[string]*ctrld.UpstreamConfig) (string, error) {
+	recoveredCh := make(chan string, 1)
+	var wg sync.WaitGroup
+
+	mainLog.Load().Debug().Msgf("Starting upstream recovery check for %d upstreams", len(upstreams))
+
+	for name, uc := range upstreams {
+		wg.Add(1)
+		go func(name string, uc *ctrld.UpstreamConfig) {
+			defer wg.Done()
+			mainLog.Load().Debug().Msgf("Starting recovery check loop for upstream: %s", name)
+			attempts := 0
+			for {
+				select {
+				case <-ctx.Done():
+					mainLog.Load().Debug().Msgf("Context canceled for upstream %s", name)
+					return
+				default:
+					attempts++
+					// checkUpstreamOnce will reset any failure counters on success.
+					if err := p.checkUpstreamOnce(name, uc); err == nil {
+						mainLog.Load().Debug().Msgf("Upstream %s recovered successfully", name)
+						select {
+						case recoveredCh <- name:
+							mainLog.Load().Debug().Msgf("Sent recovery notification for upstream %s", name)
+						default:
+							mainLog.Load().Debug().Msg("Recovery channel full, another upstream already recovered")
+						}
+						return
+					}
+					mainLog.Load().Debug().Msgf("Upstream %s check failed, sleeping before retry", name)
+					time.Sleep(checkUpstreamBackoffSleep)
+
+					// if this is the upstreamOS and it's the 3rd attempt (or multiple of 3),
+					// we should try to reinit the OS resolver to ensure we can recover
+					if name == upstreamOS && attempts%3 == 0 {
+						mainLog.Load().Debug().Msgf("UpstreamOS check failed on attempt %d, reinitializing OS resolver", attempts)
+						ns := ctrld.InitializeOsResolver(true)
+						if len(ns) == 0 {
+							mainLog.Load().Warn().Msg("No nameservers found for OS resolver; using existing values")
+						} else {
+							mainLog.Load().Info().Msgf("Reinitialized OS resolver with nameservers: %v", ns)
+						}
+					}
+				}
+			}
+		}(name, uc)
+	}
+
+	var recovered string
+	select {
+	case recovered = <-recoveredCh:
+	case <-ctx.Done():
+		return "", ctx.Err()
+	}
+	wg.Wait()
+	return recovered, nil
+}
+
+// buildRecoveryUpstreams constructs the map of upstream configurations to test.
+// For OS failures we supply the manual OS resolver upstream configuration.
+// For network change or regular failure we use the upstreams defined in p.cfg (ignoring OS).
+func (p *prog) buildRecoveryUpstreams(reason RecoveryReason) map[string]*ctrld.UpstreamConfig {
+	upstreams := make(map[string]*ctrld.UpstreamConfig)
+	switch reason {
+	case RecoveryReasonOSFailure:
+		upstreams[upstreamOS] = osUpstreamConfig
+	case RecoveryReasonNetworkChange, RecoveryReasonRegularFailure:
+		// Use all configured upstreams except any OS type.
+		for k, uc := range p.cfg.Upstream {
+			if uc.Type != ctrld.ResolverTypeOS {
+				upstreams[upstreamPrefix+k] = uc
+			}
+		}
+	}
+	return upstreams
+}
+
+// ValidateDefaultLocalIPsFromDelta checks if the default local IPv4 and IPv6 stored
+// are still present in the new network state (provided by delta.New).
+// If a stored default IP is no longer active, it resets that default (sets it to nil)
+// so that it won't be used in subsequent custom dialer contexts.
+func ValidateDefaultLocalIPsFromDelta(newState *netmon.State) {
+	currentIPv4 := ctrld.GetDefaultLocalIPv4()
+	currentIPv6 := ctrld.GetDefaultLocalIPv6()
+
+	// Build a map of active IP addresses from the new state.
+	activeIPs := make(map[string]bool)
+	for _, prefixes := range newState.InterfaceIPs {
+		for _, prefix := range prefixes {
+			activeIPs[prefix.Addr().String()] = true
+		}
+	}
+
+	// Check if the default IPv4 is still active.
+	if currentIPv4 != nil && !activeIPs[currentIPv4.String()] {
+		mainLog.Load().Debug().Msgf("DefaultLocalIPv4 %s is no longer active in the new state. Resetting.", currentIPv4)
+		ctrld.SetDefaultLocalIPv4(nil)
+	}
+
+	// Check if the default IPv6 is still active.
+	if currentIPv6 != nil && !activeIPs[currentIPv6.String()] {
+		mainLog.Load().Debug().Msgf("DefaultLocalIPv6 %s is no longer active in the new state. Resetting.", currentIPv6)
+		ctrld.SetDefaultLocalIPv6(nil)
+	}
+}

cmd/cli/dns_proxy_test.go

@@ -30,6 +30,7 @@ func Test_wildcardMatches(t *testing.T) {
 		{"domain - suffix not match other", "suffix.*", "suffix1.windscribe.com", false},
 		{"domain - both", "suffix.*.windscribe.com", "suffix.anything.windscribe.com", true},
 		{"domain - both not match", "suffix.*.windscribe.com", "suffix1.suffix.windscribe.com", false},
+		{"domain - case-insensitive", "*.WINDSCRIBE.com", "anything.windscribe.com", true},
 		{"mac - prefix", "*:98:05:b4:2b", "d4:67:98:05:b4:2b", true},
 		{"mac - prefix not match other s", "*:98:05:b4:2b", "0d:ba:54:09:94:2c", false},
 		{"mac - prefix not match s in name", "*:98:05:b4:2b", "e4:67:97:05:b4:2b", false},
@@ -74,6 +75,7 @@ func Test_canonicalName(t *testing.T) {
 
 func Test_prog_upstreamFor(t *testing.T) {
 	cfg := testhelper.SampleConfig(t)
+	cfg.Service.LeakOnUpstreamFailure = func(v bool) *bool { return &v }(false)
 	p := &prog{cfg: cfg}
 	p.um = newUpstreamMonitor(p.cfg)
 	p.lanLoopGuard = newLoopGuard()
@@ -364,6 +366,9 @@ func Test_isLanHostnameQuery(t *testing.T) {
 		{"A not LAN", newDnsMsgWithHostname("example.com", dns.TypeA), false},
 		{"AAAA not LAN", newDnsMsgWithHostname("example.com", dns.TypeAAAA), false},
 		{"Not A or AAAA", newDnsMsgWithHostname("foo", dns.TypeTXT), false},
+		{".domain", newDnsMsgWithHostname("foo.domain", dns.TypeA), true},
+		{".lan", newDnsMsgWithHostname("foo.lan", dns.TypeA), true},
+		{".local", newDnsMsgWithHostname("foo.local", dns.TypeA), true},
 	}
 	for _, tc := range tests {
 		tc := tc
@@ -413,6 +418,27 @@ func Test_isPrivatePtrLookup(t *testing.T) {
 	}
 }
 
+func Test_isSrvLanLookup(t *testing.T) {
+	tests := []struct {
+		name        string
+		msg         *dns.Msg
+		isSrvLookup bool
+	}{
+		{"SRV LAN", newDnsMsgWithHostname("foo", dns.TypeSRV), true},
+		{"Not SRV", newDnsMsgWithHostname("foo", dns.TypeNone), false},
+		{"Not SRV LAN", newDnsMsgWithHostname("controld.com", dns.TypeSRV), false},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := isSrvLanLookup(tc.msg); tc.isSrvLookup != got {
+				t.Errorf("unexpected result, want: %v, got: %v", tc.isSrvLookup, got)
+			}
+		})
+	}
+}
+
 func Test_isWanClient(t *testing.T) {
 	tests := []struct {
 		name        string

cmd/cli/hostname.go

@@ -0,0 +1,14 @@
+package cli
+
+import "regexp"
+
+// validHostname reports whether hostname is a valid hostname.
+// A valid hostname contains 3 -> 64 characters and conform to RFC1123.
+func validHostname(hostname string) bool {
+	hostnameLen := len(hostname)
+	if hostnameLen < 3 || hostnameLen > 64 {
+		return false
+	}
+	validHostnameRfc1123 := regexp.MustCompile(`^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$`)
+	return validHostnameRfc1123.MatchString(hostname)
+}

cmd/cli/hostname_test.go

@@ -0,0 +1,35 @@
+package cli
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_validHostname(t *testing.T) {
+	tests := []struct {
+		name     string
+		hostname string
+		valid    bool
+	}{
+		{"localhost", "localhost", true},
+		{"localdomain", "localhost.localdomain", true},
+		{"localhost6", "localhost6.localdomain6", true},
+		{"ip6", "ip6-localhost", true},
+		{"non-domain", "controld", true},
+		{"domain", "controld.com", true},
+		{"empty", "", false},
+		{"min length", "fo", false},
+		{"max length", strings.Repeat("a", 65), false},
+		{"special char", "foo!", false},
+		{"non-ascii", "fooΩ", false},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.hostname, func(t *testing.T) {
+			t.Parallel()
+			assert.True(t, validHostname(tc.hostname) == tc.valid)
+		})
+	}
+}

cmd/cli/library.go

@@ -1,5 +1,12 @@
 package cli
 
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+)
+
 // AppCallback provides hooks for injecting certain functionalities
 // from mobile platforms to main ctrld cli.
 type AppCallback struct {
@@ -11,9 +18,78 @@ type AppCallback struct {
 
 // AppConfig allows overwriting ctrld cli flags from mobile platforms.
 type AppConfig struct {
-	CdUID         string
-	HomeDir       string
-	UpstreamProto string
-	Verbose       int
-	LogPath       string
+	CdUID          string
+	ProvisionID    string
+	CustomHostname string
+	HomeDir        string
+	UpstreamProto  string
+	Verbose        int
+	LogPath        string
+}
+
+const (
+	defaultHTTPTimeout = 30 * time.Second
+	defaultMaxRetries  = 3
+	downloadServerIp   = "23.171.240.151"
+)
+
+// httpClientWithFallback returns an HTTP client configured with timeout and IPv4 fallback
+func httpClientWithFallback(timeout time.Duration) *http.Client {
+	return &http.Client{
+		Timeout: timeout,
+		Transport: &http.Transport{
+			// Prefer IPv4 over IPv6
+			DialContext: (&net.Dialer{
+				Timeout:       10 * time.Second,
+				KeepAlive:     30 * time.Second,
+				FallbackDelay: 1 * time.Millisecond, // Very small delay to prefer IPv4
+			}).DialContext,
+		},
+	}
+}
+
+// doWithRetry performs an HTTP request with retries
+func doWithRetry(req *http.Request, maxRetries int, ip string) (*http.Response, error) {
+	var lastErr error
+	client := httpClientWithFallback(defaultHTTPTimeout)
+	var ipReq *http.Request
+	if ip != "" {
+		ipReq = req.Clone(req.Context())
+		ipReq.Host = ip
+		ipReq.URL.Host = ip
+	}
+	for attempt := 0; attempt < maxRetries; attempt++ {
+		if attempt > 0 {
+			time.Sleep(time.Second * time.Duration(attempt+1)) // Exponential backoff
+		}
+
+		resp, err := client.Do(req)
+		if err == nil {
+			return resp, nil
+		}
+		if ipReq != nil {
+			mainLog.Load().Warn().Err(err).Msgf("dial to %q failed", req.Host)
+			mainLog.Load().Warn().Msgf("fallback to direct IP to download prod version: %q", ip)
+			resp, err = client.Do(ipReq)
+			if err == nil {
+				return resp, nil
+			}
+		}
+
+		lastErr = err
+		mainLog.Load().Debug().Err(err).
+			Str("method", req.Method).
+			Str("url", req.URL.String()).
+			Msgf("HTTP request attempt %d/%d failed", attempt+1, maxRetries)
+	}
+	return nil, fmt.Errorf("failed after %d attempts to %s %s: %v", maxRetries, req.Method, req.URL, lastErr)
+}
+
+// Helper for making GET requests with retries
+func getWithRetry(url string, ip string) (*http.Response, error) {
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return doWithRetry(req, defaultMaxRetries, ip)
 }

cmd/cli/log_writer.go

@@ -0,0 +1,204 @@
+package cli
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+
+	"github.com/Control-D-Inc/ctrld"
+)
+
+const (
+	logWriterSize          = 1024 * 1024 * 5 // 5 MB
+	logWriterSmallSize     = 1024 * 1024 * 1 // 1 MB
+	logWriterInitialSize   = 32 * 1024       // 32 KB
+	logWriterSentInterval  = time.Minute
+	logWriterInitEndMarker = "\n\n=== INIT_END ===\n\n"
+	logWriterLogEndMarker  = "\n\n=== LOG_END ===\n\n"
+)
+
+type logViewResponse struct {
+	Data string `json:"data"`
+}
+
+type logSentResponse struct {
+	Size  int64  `json:"size"`
+	Error string `json:"error"`
+}
+
+type logReader struct {
+	r    io.ReadCloser
+	size int64
+}
+
+// logWriter is an internal buffer to keep track of runtime log when no logging is enabled.
+type logWriter struct {
+	mu   sync.Mutex
+	buf  bytes.Buffer
+	size int
+}
+
+// newLogWriter creates an internal log writer.
+func newLogWriter() *logWriter {
+	return newLogWriterWithSize(logWriterSize)
+}
+
+// newSmallLogWriter creates an internal log writer with small buffer size.
+func newSmallLogWriter() *logWriter {
+	return newLogWriterWithSize(logWriterSmallSize)
+}
+
+// newLogWriterWithSize creates an internal log writer with a given buffer size.
+func newLogWriterWithSize(size int) *logWriter {
+	lw := &logWriter{size: size}
+	return lw
+}
+
+func (lw *logWriter) Write(p []byte) (int, error) {
+	lw.mu.Lock()
+	defer lw.mu.Unlock()
+
+	// If writing p causes overflows, discard old data.
+	if lw.buf.Len()+len(p) > lw.size {
+		buf := lw.buf.Bytes()
+		haveEndMarker := false
+		// If there's init end marker already, preserve the data til the marker.
+		if idx := bytes.LastIndex(buf, []byte(logWriterInitEndMarker)); idx >= 0 {
+			buf = buf[:idx+len(logWriterInitEndMarker)]
+			haveEndMarker = true
+		} else {
+			// Otherwise, preserve the initial size data.
+			buf = buf[:logWriterInitialSize]
+			if idx := bytes.LastIndex(buf, []byte("\n")); idx != -1 {
+				buf = buf[:idx]
+			}
+		}
+		lw.buf.Reset()
+		lw.buf.Write(buf)
+		if !haveEndMarker {
+			lw.buf.WriteString(logWriterInitEndMarker) // indicate that the log was truncated.
+		}
+	}
+	// If p is bigger than buffer size, truncate p by half until its size is smaller.
+	for len(p)+lw.buf.Len() > lw.size {
+		p = p[len(p)/2:]
+	}
+	return lw.buf.Write(p)
+}
+
+// initLogging initializes global logging setup.
+func (p *prog) initLogging(backup bool) {
+	zerolog.TimeFieldFormat = time.RFC3339 + ".000"
+	logWriters := initLoggingWithBackup(backup)
+
+	// Initializing internal logging after global logging.
+	p.initInternalLogging(logWriters)
+}
+
+// initInternalLogging performs internal logging if there's no log enabled.
+func (p *prog) initInternalLogging(writers []io.Writer) {
+	if !p.needInternalLogging() {
+		return
+	}
+	p.initInternalLogWriterOnce.Do(func() {
+		mainLog.Load().Notice().Msg("internal logging enabled")
+		p.internalLogWriter = newLogWriter()
+		p.internalLogSent = time.Now().Add(-logWriterSentInterval)
+		p.internalWarnLogWriter = newSmallLogWriter()
+	})
+	p.mu.Lock()
+	lw := p.internalLogWriter
+	wlw := p.internalWarnLogWriter
+	p.mu.Unlock()
+	// If ctrld was run without explicit verbose level,
+	// run the internal logging at debug level, so we could
+	// have enough information for troubleshooting.
+	if verbose == 0 {
+		for i := range writers {
+			w := &zerolog.FilteredLevelWriter{
+				Writer: zerolog.LevelWriterAdapter{Writer: writers[i]},
+				Level:  zerolog.NoticeLevel,
+			}
+			writers[i] = w
+		}
+		zerolog.SetGlobalLevel(zerolog.DebugLevel)
+	}
+	writers = append(writers, lw)
+	writers = append(writers, &zerolog.FilteredLevelWriter{
+		Writer: zerolog.LevelWriterAdapter{Writer: wlw},
+		Level:  zerolog.WarnLevel,
+	})
+	multi := zerolog.MultiLevelWriter(writers...)
+	l := mainLog.Load().Output(multi).With().Logger()
+	mainLog.Store(&l)
+	ctrld.ProxyLogger.Store(&l)
+}
+
+// needInternalLogging reports whether prog needs to run internal logging.
+func (p *prog) needInternalLogging() bool {
+	// Do not run in non-cd mode.
+	if cdUID == "" {
+		return false
+	}
+	// Do not run if there's already log file.
+	if p.cfg.Service.LogPath != "" {
+		return false
+	}
+	return true
+}
+
+func (p *prog) logReader() (*logReader, error) {
+	if p.needInternalLogging() {
+		p.mu.Lock()
+		lw := p.internalLogWriter
+		wlw := p.internalWarnLogWriter
+		p.mu.Unlock()
+		if lw == nil {
+			return nil, errors.New("nil internal log writer")
+		}
+		if wlw == nil {
+			return nil, errors.New("nil internal warn log writer")
+		}
+		// Normal log content.
+		lw.mu.Lock()
+		lwReader := bytes.NewReader(lw.buf.Bytes())
+		lwSize := lw.buf.Len()
+		lw.mu.Unlock()
+		// Warn log content.
+		wlw.mu.Lock()
+		wlwReader := bytes.NewReader(wlw.buf.Bytes())
+		wlwSize := wlw.buf.Len()
+		wlw.mu.Unlock()
+		reader := io.MultiReader(lwReader, bytes.NewReader([]byte(logWriterLogEndMarker)), wlwReader)
+		lr := &logReader{r: io.NopCloser(reader)}
+		lr.size = int64(lwSize + wlwSize)
+		if lr.size == 0 {
+			return nil, errors.New("internal log is empty")
+		}
+		return lr, nil
+	}
+	if p.cfg.Service.LogPath == "" {
+		return &logReader{r: io.NopCloser(strings.NewReader(""))}, nil
+	}
+	f, err := os.Open(normalizeLogFilePath(p.cfg.Service.LogPath))
+	if err != nil {
+		return nil, err
+	}
+	lr := &logReader{r: f}
+	if st, err := f.Stat(); err == nil {
+		lr.size = st.Size()
+	} else {
+		return nil, fmt.Errorf("f.Stat: %w", err)
+	}
+	if lr.size == 0 {
+		return nil, errors.New("log file is empty")
+	}
+	return lr, nil
+}

cmd/cli/log_writer_test.go

@@ -0,0 +1,85 @@
+package cli
+
+import (
+	"strings"
+	"sync"
+	"testing"
+)
+
+func Test_logWriter_Write(t *testing.T) {
+	size := 64 * 1024
+	lw := &logWriter{size: size}
+	lw.buf.Grow(lw.size)
+	data := strings.Repeat("A", size)
+	lw.Write([]byte(data))
+	if lw.buf.String() != data {
+		t.Fatalf("unexpected buf content: %v", lw.buf.String())
+	}
+	newData := "B"
+	halfData := strings.Repeat("A", len(data)/2) + logWriterInitEndMarker
+	lw.Write([]byte(newData))
+	if lw.buf.String() != halfData+newData {
+		t.Fatalf("unexpected new buf content: %v", lw.buf.String())
+	}
+
+	bigData := strings.Repeat("B", 256*1024)
+	expected := halfData + strings.Repeat("B", 16*1024)
+	lw.Write([]byte(bigData))
+	if lw.buf.String() != expected {
+		t.Fatalf("unexpected big buf content: %v", lw.buf.String())
+	}
+}
+
+func Test_logWriter_ConcurrentWrite(t *testing.T) {
+	size := 64 * 1024
+	lw := &logWriter{size: size}
+	n := 10
+	var wg sync.WaitGroup
+	wg.Add(n)
+	for i := 0; i < n; i++ {
+		go func() {
+			defer wg.Done()
+			lw.Write([]byte(strings.Repeat("A", i)))
+		}()
+	}
+	wg.Wait()
+	if lw.buf.Len() > lw.size {
+		t.Fatalf("unexpected buf size: %v, content: %q", lw.buf.Len(), lw.buf.String())
+	}
+}
+
+func Test_logWriter_MarkerInitEnd(t *testing.T) {
+	size := 64 * 1024
+	lw := &logWriter{size: size}
+	lw.buf.Grow(lw.size)
+
+	paddingSize := 10
+	// Writing half of the size, minus len(end marker) and padding size.
+	dataSize := size/2 - len(logWriterInitEndMarker) - paddingSize
+	data := strings.Repeat("A", dataSize)
+	// Inserting newline for making partial init data
+	data += "\n"
+	// Filling left over buffer to make the log full.
+	// The data length: len(end marker) + padding size - 1 (for newline above) + size/2
+	data += strings.Repeat("A", len(logWriterInitEndMarker)+paddingSize-1+(size/2))
+	lw.Write([]byte(data))
+	if lw.buf.String() != data {
+		t.Fatalf("unexpected buf content: %v", lw.buf.String())
+	}
+	lw.Write([]byte("B"))
+	lw.Write([]byte(strings.Repeat("B", 256*1024)))
+	firstIdx := strings.Index(lw.buf.String(), logWriterInitEndMarker)
+	lastIdx := strings.LastIndex(lw.buf.String(), logWriterInitEndMarker)
+	// Check if init end marker present.
+	if firstIdx == -1 || lastIdx == -1 {
+		t.Fatalf("missing init end marker: %s", lw.buf.String())
+	}
+	// Check if init end marker appears only once.
+	if firstIdx != lastIdx {
+		t.Fatalf("log init end marker appears more than once: %s", lw.buf.String())
+	}
+	// Ensure that we have the correct init log data.
+	if !strings.Contains(lw.buf.String(), strings.Repeat("A", dataSize)+logWriterInitEndMarker) {
+		t.Fatalf("unexpected log content: %s", lw.buf.String())
+	}
+}

cmd/cli/main.go

@@ -29,6 +29,7 @@ var (
 	silent            bool
 	cdUID             string
 	cdOrg             string
+	customHostname    string
 	cdDev             bool
 	iface             string
 	ifaceStartStop    string
@@ -36,6 +37,9 @@ var (
 	cdUpstreamProto   string
 	deactivationPin   int64
 	skipSelfChecks    bool
+	cleanup           bool
+	startOnly         bool
+	rfc1918           bool
 
 	mainLog       atomic.Pointer[zerolog.Logger]
 	consoleWriter zerolog.ConsoleWriter
@@ -43,9 +47,10 @@ var (
 )
 
 const (
-	cdUidFlagName   = "cd"
-	cdOrgFlagName   = "cd-org"
-	nextdnsFlagName = "nextdns"
+	cdUidFlagName          = "cd"
+	cdOrgFlagName          = "cd-org"
+	customHostnameFlagName = "custom-hostname"
+	nextdnsFlagName        = "nextdns"
 )
 
 func init() {
@@ -84,22 +89,33 @@ func initConsoleLogging() {
 	multi := zerolog.MultiLevelWriter(consoleWriter)
 	l := mainLog.Load().Output(multi).With().Timestamp().Logger()
 	mainLog.Store(&l)
+
 	switch {
 	case silent:
 		zerolog.SetGlobalLevel(zerolog.NoLevel)
 	case verbose == 1:
+		ctrld.ProxyLogger.Store(&l)
 		zerolog.SetGlobalLevel(zerolog.InfoLevel)
 	case verbose > 1:
+		ctrld.ProxyLogger.Store(&l)
 		zerolog.SetGlobalLevel(zerolog.DebugLevel)
 	default:
 		zerolog.SetGlobalLevel(zerolog.NoticeLevel)
 	}
 }
 
-// initLogging initializes global logging setup.
-func initLogging() {
+// initInteractiveLogging is like initLogging, but the ProxyLogger is discarded
+// to be used for all interactive commands.
+//
+// Current log file config will also be ignored.
+func initInteractiveLogging() {
+	old := cfg.Service.LogPath
+	cfg.Service.LogPath = ""
 	zerolog.TimeFieldFormat = time.RFC3339 + ".000"
-	initLoggingWithBackup(true)
+	initLoggingWithBackup(false)
+	cfg.Service.LogPath = old
+	l := zerolog.New(io.Discard)
+	ctrld.ProxyLogger.Store(&l)
 }
 
 // initLoggingWithBackup initializes log setup base on current config.
@@ -108,8 +124,8 @@ func initLogging() {
 // This is only used in runCmd for special handling in case of logging config
 // change in cd mode. Without special reason, the caller should use initLogging
 // wrapper instead of calling this function directly.
-func initLoggingWithBackup(doBackup bool) {
-	writers := []io.Writer{io.Discard}
+func initLoggingWithBackup(doBackup bool) []io.Writer {
+	var writers []io.Writer
 	if logFilePath := normalizeLogFilePath(cfg.Service.LogPath); logFilePath != "" {
 		// Create parent directory if necessary.
 		if err := os.MkdirAll(filepath.Dir(logFilePath), 0750); err != nil {
@@ -121,14 +137,14 @@ func initLoggingWithBackup(doBackup bool) {
 		flags := os.O_CREATE | os.O_RDWR | os.O_APPEND
 		if doBackup {
 			// Backup old log file with .1 suffix.
-			if err := os.Rename(logFilePath, logFilePath+".1"); err != nil && !os.IsNotExist(err) {
+			if err := os.Rename(logFilePath, logFilePath+oldLogSuffix); err != nil && !os.IsNotExist(err) {
 				mainLog.Load().Error().Msgf("could not backup old log file: %v", err)
 			} else {
 				// Backup was created, set flags for truncating old log file.
 				flags = os.O_CREATE | os.O_RDWR
 			}
 		}
-		logFile, err := os.OpenFile(logFilePath, flags, os.FileMode(0o600))
+		logFile, err := openLogFile(logFilePath, flags)
 		if err != nil {
 			mainLog.Load().Error().Msgf("failed to create log file: %v", err)
 			os.Exit(1)
@@ -147,21 +163,22 @@ func initLoggingWithBackup(doBackup bool) {
 	switch {
 	case silent:
 		zerolog.SetGlobalLevel(zerolog.NoLevel)
-		return
+		return writers
 	case verbose == 1:
 		logLevel = "info"
 	case verbose > 1:
 		logLevel = "debug"
 	}
 	if logLevel == "" {
-		return
+		return writers
 	}
 	level, err := zerolog.ParseLevel(logLevel)
 	if err != nil {
 		mainLog.Load().Warn().Err(err).Msg("could not set log level")
-		return
+		return writers
 	}
 	zerolog.SetGlobalLevel(level)
+	return writers
 }
 
 func initCache() {

cmd/cli/metrics.go

@@ -107,7 +107,7 @@ func (p *prog) runMetricsServer(ctx context.Context, reloadCh chan struct{}) {
 
 	reg := prometheus.NewRegistry()
 	// Register queries count stats if enabled.
-	if cfg.Service.MetricsQueryStats {
+	if p.metricsQueryStats.Load() {
 		reg.MustRegister(statsQueriesCount)
 		reg.MustRegister(statsClientQueriesCount)
 	}

cmd/cli/net.go

@@ -1,34 +0,0 @@
-package cli
-
-import "strings"
-
-// Copied from https://gist.github.com/Ultraporing/fe52981f678be6831f747c206a4861cb
-
-// Mac Address parts to look for, and identify non-physical devices. There may be more, update me!
-var macAddrPartsToFilter = []string{
-	"00:03:FF",       // Microsoft Hyper-V, Virtual Server, Virtual PC
-	"0A:00:27",       // VirtualBox
-	"00:00:00:00:00", // Teredo Tunneling Pseudo-Interface
-	"00:50:56",       // VMware ESX 3, Server, Workstation, Player
-	"00:1C:14",       // VMware ESX 3, Server, Workstation, Player
-	"00:0C:29",       // VMware ESX 3, Server, Workstation, Player
-	"00:05:69",       // VMware ESX 3, Server, Workstation, Player
-	"00:1C:42",       // Microsoft Hyper-V, Virtual Server, Virtual PC
-	"00:0F:4B",       // Virtual Iron 4
-	"00:16:3E",       // Red Hat Xen, Oracle VM, XenSource, Novell Xen
-	"08:00:27",       // Sun xVM VirtualBox
-	"7A:79",          // Hamachi
-}
-
-// Filters the possible physical interface address by comparing it to known popular VM Software addresses
-// and Teredo Tunneling Pseudo-Interface.
-//
-//lint:ignore U1000 use in net_windows.go
-func isPhysicalInterface(addr string) bool {
-	for _, macPart := range macAddrPartsToFilter {
-		if strings.HasPrefix(strings.ToLower(addr), strings.ToLower(macPart)) {
-			return false
-		}
-	}
-	return true
-}

cmd/cli/net_darwin.go

@@ -9,17 +9,18 @@ import (
 	"strings"
 )
 
-func patchNetIfaceName(iface *net.Interface) error {
+func patchNetIfaceName(iface *net.Interface) (bool, error) {
 	b, err := exec.Command("networksetup", "-listnetworkserviceorder").Output()
 	if err != nil {
-		return err
+		return false, err
 	}
 
+	patched := false
 	if name := networkServiceName(iface.Name, bytes.NewReader(b)); name != "" {
+		patched = true
 		iface.Name = name
-		mainLog.Load().Debug().Str("network_service", name).Msg("found network service name for interface")
 	}
-	return nil
+	return patched, nil
 }
 
 func networkServiceName(ifaceName string, r io.Reader) string {
@@ -43,20 +44,33 @@ func networkServiceName(ifaceName string, r io.Reader) string {
 	return ""
 }
 
-// validInterface reports whether the *net.Interface is a valid one, which includes:
-//
-// - en0: physical wireless
-// - en1: Thunderbolt 1
-// - en2: Thunderbolt 2
-// - en3: Thunderbolt 3
-// - en4: Thunderbolt 4
-//
-// For full list, see: https://unix.stackexchange.com/questions/603506/what-are-these-ifconfig-interfaces-on-macos
-func validInterface(iface *net.Interface) bool {
-	switch iface.Name {
-	case "en0", "en1", "en2", "en3", "en4":
-		return true
-	default:
-		return false
-	}
+// validInterface reports whether the *net.Interface is a valid one.
+func validInterface(iface *net.Interface, validIfacesMap map[string]struct{}) bool {
+	_, ok := validIfacesMap[iface.Name]
+	return ok
+}
+
+// validInterfacesMap returns a set of all valid hardware ports.
+func validInterfacesMap() map[string]struct{} {
+	b, err := exec.Command("networksetup", "-listallhardwareports").Output()
+	if err != nil {
+		return nil
+	}
+	return parseListAllHardwarePorts(bytes.NewReader(b))
+}
+
+// parseListAllHardwarePorts parses output of "networksetup -listallhardwareports"
+// and returns map presents all hardware ports.
+func parseListAllHardwarePorts(r io.Reader) map[string]struct{} {
+	m := make(map[string]struct{})
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := scanner.Text()
+		after, ok := strings.CutPrefix(line, "Device: ")
+		if !ok {
+			continue
+		}
+		m[after] = struct{}{}
+	}
+	return m
 }

cmd/cli/net_linux.go

@@ -0,0 +1,52 @@
+package cli
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"strings"
+
+	"tailscale.com/net/netmon"
+)
+
+func patchNetIfaceName(iface *net.Interface) (bool, error) { return true, nil }
+
+// validInterface reports whether the *net.Interface is a valid one.
+// Only non-virtual interfaces are considered valid.
+func validInterface(iface *net.Interface, validIfacesMap map[string]struct{}) bool {
+	_, ok := validIfacesMap[iface.Name]
+	return ok
+}
+
+// validInterfacesMap returns a set containing non virtual interfaces.
+func validInterfacesMap() map[string]struct{} {
+	m := make(map[string]struct{})
+	vis := virtualInterfaces()
+	netmon.ForeachInterface(func(i netmon.Interface, prefixes []netip.Prefix) {
+		if _, existed := vis[i.Name]; existed {
+			return
+		}
+		m[i.Name] = struct{}{}
+	})
+	// Fallback to default route interface if found nothing.
+	if len(m) == 0 {
+		defaultRoute, err := netmon.DefaultRoute()
+		if err != nil {
+			return m
+		}
+		m[defaultRoute.InterfaceName] = struct{}{}
+	}
+	return m
+}
+
+// virtualInterfaces returns a map of virtual interfaces on current machine.
+func virtualInterfaces() map[string]struct{} {
+	s := make(map[string]struct{})
+	entries, _ := os.ReadDir("/sys/devices/virtual/net")
+	for _, entry := range entries {
+		if entry.IsDir() {
+			s[strings.TrimSpace(entry.Name())] = struct{}{}
+		}
+	}
+	return s
+}

cmd/cli/net_others.go

@@ -1,9 +1,22 @@
-//go:build !darwin && !windows
+//go:build !darwin && !windows && !linux
 
 package cli
 
-import "net"
+import (
+	"net"
 
-func patchNetIfaceName(iface *net.Interface) error { return nil }
+	"tailscale.com/net/netmon"
+)
 
-func validInterface(iface *net.Interface) bool { return true }
+func patchNetIfaceName(iface *net.Interface) (bool, error) { return true, nil }
+
+func validInterface(iface *net.Interface, validIfacesMap map[string]struct{}) bool { return true }
+
+// validInterfacesMap returns a set containing only default route interfaces.
+func validInterfacesMap() map[string]struct{} {
+	defaultRoute, err := netmon.DefaultRoute()
+	if err != nil {
+		return nil
+	}
+	return map[string]struct{}{defaultRoute.InterfaceName: {}}
+}

cmd/cli/net_windows.go

@@ -1,21 +1,93 @@
 package cli
 
 import (
+	"io"
+	"log"
 	"net"
+	"os"
+
+	"github.com/microsoft/wmi/pkg/base/host"
+	"github.com/microsoft/wmi/pkg/base/instance"
+	"github.com/microsoft/wmi/pkg/base/query"
+	"github.com/microsoft/wmi/pkg/constant"
+	"github.com/microsoft/wmi/pkg/hardware/network/netadapter"
 )
 
-func patchNetIfaceName(iface *net.Interface) error {
-	return nil
+func patchNetIfaceName(iface *net.Interface) (bool, error) {
+	return true, nil
 }
 
 // validInterface reports whether the *net.Interface is a valid one.
 // On Windows, only physical interfaces are considered valid.
-func validInterface(iface *net.Interface) bool {
-	if iface == nil {
-		return false
-	}
-	if isPhysicalInterface(iface.HardwareAddr.String()) {
-		return true
-	}
-	return false
+func validInterface(iface *net.Interface, validIfacesMap map[string]struct{}) bool {
+	_, ok := validIfacesMap[iface.Name]
+	return ok
+}
+
+// validInterfacesMap returns a set of all physical interfaces.
+func validInterfacesMap() map[string]struct{} {
+	m := make(map[string]struct{})
+	for _, ifaceName := range validInterfaces() {
+		m[ifaceName] = struct{}{}
+	}
+	return m
+}
+
+// validInterfaces returns a list of all physical interfaces.
+func validInterfaces() []string {
+	log.SetOutput(io.Discard)
+	defer log.SetOutput(os.Stderr)
+	whost := host.NewWmiLocalHost()
+	q := query.NewWmiQuery("MSFT_NetAdapter")
+	instances, err := instance.GetWmiInstancesFromHost(whost, string(constant.StadardCimV2), q)
+	if instances != nil {
+		defer instances.Close()
+	}
+	if err != nil {
+		mainLog.Load().Warn().Err(err).Msg("failed to get wmi network adapter")
+		return nil
+	}
+	var adapters []string
+	for _, i := range instances {
+		adapter, err := netadapter.NewNetworkAdapter(i)
+		if err != nil {
+			mainLog.Load().Warn().Err(err).Msg("failed to get network adapter")
+			continue
+		}
+
+		name, err := adapter.GetPropertyName()
+		if err != nil {
+			mainLog.Load().Warn().Err(err).Msg("failed to get interface name")
+			continue
+		}
+
+		// From: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/hh968170(v=vs.85)
+		//
+		// "Indicates if a connector is present on the network adapter. This value is set to TRUE
+		// if this is a physical adapter or FALSE if this is not a physical adapter."
+		physical, err := adapter.GetPropertyConnectorPresent()
+		if err != nil {
+			mainLog.Load().Debug().Str("method", "validInterfaces").Str("interface", name).Msg("failed to get network adapter connector present property")
+			continue
+		}
+		if !physical {
+			mainLog.Load().Debug().Str("method", "validInterfaces").Str("interface", name).Msg("skipping non-physical adapter")
+			continue
+		}
+
+		// Check if it's a hardware interface. Checking only for connector present is not enough
+		// because some interfaces are not physical but have a connector.
+		hardware, err := adapter.GetPropertyHardwareInterface()
+		if err != nil {
+			mainLog.Load().Debug().Str("method", "validInterfaces").Str("interface", name).Msg("failed to get network adapter hardware interface property")
+			continue
+		}
+		if !hardware {
+			mainLog.Load().Debug().Str("method", "validInterfaces").Str("interface", name).Msg("skipping non-hardware interface")
+			continue
+		}
+
+		adapters = append(adapters, name)
+	}
+	return adapters
 }

cmd/cli/net_windows_test.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"bufio"
+	"bytes"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+)
+
+func Test_validInterfaces(t *testing.T) {
+	verbose = 3
+	initConsoleLogging()
+	start := time.Now()
+	ifaces := validInterfaces()
+	t.Logf("Using Windows API takes: %d", time.Since(start).Milliseconds())
+
+	start = time.Now()
+	ifacesPowershell := validInterfacesPowershell()
+	t.Logf("Using Powershell takes: %d", time.Since(start).Milliseconds())
+
+	slices.Sort(ifaces)
+	slices.Sort(ifacesPowershell)
+	if !slices.Equal(ifaces, ifacesPowershell) {
+		t.Fatalf("result mismatch, want: %v, got: %v", ifacesPowershell, ifaces)
+	}
+}
+
+func validInterfacesPowershell() []string {
+	out, err := powershell("Get-NetAdapter -Physical | Select-Object -ExpandProperty Name")
+	if err != nil {
+		return nil
+	}
+	var res []string
+	scanner := bufio.NewScanner(bytes.NewReader(out))
+	for scanner.Scan() {
+		ifaceName := strings.TrimSpace(scanner.Text())
+		res = append(res, ifaceName)
+	}
+	return res
+}

cmd/cli/nocgo.go

@@ -0,0 +1,5 @@
+//go:build !cgo
+
+package cli
+
+const cgoEnabled = false

cmd/cli/os_darwin.go

@@ -47,6 +47,9 @@ func setDnsIgnoreUnusableInterface(iface *net.Interface, nameservers []string) e
 // networksetup -setdnsservers Wi-Fi 8.8.8.8 1.1.1.1
 // TODO(cuonglm): use system API
 func setDNS(iface *net.Interface, nameservers []string) error {
+	// Note that networksetup won't modify search domains settings,
+	// This assignment is just a placeholder to silent linter.
+	_ = searchDomains
 	cmd := "networksetup"
 	args := []string{"-setdnsservers", iface.Name}
 	args = append(args, nameservers...)
@@ -70,11 +73,6 @@ func resetDnsIgnoreUnusableInterface(iface *net.Interface) error {
 
 // TODO(cuonglm): use system API
 func resetDNS(iface *net.Interface) error {
-	if ns := savedStaticNameservers(iface); len(ns) > 0 {
-		if err := setDNS(iface, ns); err == nil {
-			return nil
-		}
-	}
 	cmd := "networksetup"
 	args := []string{"-setdnsservers", iface.Name, "empty"}
 	if out, err := exec.Command(cmd, args...).CombinedOutput(); err != nil {
@@ -83,8 +81,17 @@ func resetDNS(iface *net.Interface) error {
 	return nil
 }
 
+// restoreDNS restores the DNS settings of the given interface.
+// this should only be executed upon turning off the ctrld service.
+func restoreDNS(iface *net.Interface) (err error) {
+	if ns := savedStaticNameservers(iface); len(ns) > 0 {
+		err = setDNS(iface, ns)
+	}
+	return err
+}
+
 func currentDNS(_ *net.Interface) []string {
-	return resolvconffile.NameServers("")
+	return resolvconffile.NameServers()
 }
 
 // currentStaticDNS returns the current static DNS settings of given interface.

cmd/cli/os_freebsd.go

@@ -5,6 +5,10 @@ import (
 	"net/netip"
 	"os/exec"
 
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/health"
+	"tailscale.com/util/dnsname"
+
 	"github.com/Control-D-Inc/ctrld/internal/dns"
 	"github.com/Control-D-Inc/ctrld/internal/resolvconffile"
 )
@@ -36,7 +40,7 @@ func setDnsIgnoreUnusableInterface(iface *net.Interface, nameservers []string) e
 
 // set the dns server for the provided network interface
 func setDNS(iface *net.Interface, nameservers []string) error {
-	r, err := dns.NewOSConfigurator(logf, iface.Name)
+	r, err := dns.NewOSConfigurator(logf, &health.Tracker{}, &controlknobs.Knobs{}, iface.Name)
 	if err != nil {
 		mainLog.Load().Error().Err(err).Msg("failed to create DNS OS configurator")
 		return err
@@ -47,7 +51,17 @@ func setDNS(iface *net.Interface, nameservers []string) error {
 		ns = append(ns, netip.MustParseAddr(nameserver))
 	}
 
-	if err := r.SetDNS(dns.OSConfig{Nameservers: ns}); err != nil {
+	osConfig := dns.OSConfig{
+		Nameservers:   ns,
+		SearchDomains: []dnsname.FQDN{},
+	}
+	if sds, err := searchDomains(); err == nil {
+		osConfig.SearchDomains = sds
+	} else {
+		mainLog.Load().Debug().Err(err).Msg("failed to get search domains list")
+	}
+
+	if err := r.SetDNS(osConfig); err != nil {
 		mainLog.Load().Error().Err(err).Msg("failed to set DNS")
 		return err
 	}
@@ -60,7 +74,7 @@ func resetDnsIgnoreUnusableInterface(iface *net.Interface) error {
 }
 
 func resetDNS(iface *net.Interface) error {
-	r, err := dns.NewOSConfigurator(logf, iface.Name)
+	r, err := dns.NewOSConfigurator(logf, &health.Tracker{}, &controlknobs.Knobs{}, iface.Name)
 	if err != nil {
 		mainLog.Load().Error().Err(err).Msg("failed to create DNS OS configurator")
 		return err
@@ -73,8 +87,14 @@ func resetDNS(iface *net.Interface) error {
 	return nil
 }
 
+// restoreDNS restores the DNS settings of the given interface.
+// this should only be executed upon turning off the ctrld service.
+func restoreDNS(iface *net.Interface) (err error) {
+	return err
+}
+
 func currentDNS(_ *net.Interface) []string {
-	return resolvconffile.NameServers("")
+	return resolvconffile.NameServers()
 }
 
 // currentStaticDNS returns the current static DNS settings of given interface.

cmd/cli/os_linux.go

@@ -17,6 +17,8 @@ import (
 	"github.com/insomniacslk/dhcp/dhcpv4/nclient4"
 	"github.com/insomniacslk/dhcp/dhcpv6"
 	"github.com/insomniacslk/dhcp/dhcpv6/client6"
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/health"
 	"tailscale.com/util/dnsname"
 
 	"github.com/Control-D-Inc/ctrld/internal/dns"
@@ -24,6 +26,8 @@ import (
 	"github.com/Control-D-Inc/ctrld/internal/resolvconffile"
 )
 
+const resolvConfBackupFailedMsg = "open /etc/resolv.pre-ctrld-backup.conf: read-only file system"
+
 // allocate loopback ip
 // sudo ip a add 127.0.0.2/24 dev lo
 func allocateIP(ip string) error {
@@ -52,7 +56,7 @@ func setDnsIgnoreUnusableInterface(iface *net.Interface, nameservers []string) e
 }
 
 func setDNS(iface *net.Interface, nameservers []string) error {
-	r, err := dns.NewOSConfigurator(logf, iface.Name)
+	r, err := dns.NewOSConfigurator(logf, &health.Tracker{}, &controlknobs.Knobs{}, iface.Name)
 	if err != nil {
 		mainLog.Load().Error().Err(err).Msg("failed to create DNS OS configurator")
 		return err
@@ -67,35 +71,39 @@ func setDNS(iface *net.Interface, nameservers []string) error {
 		Nameservers:   ns,
 		SearchDomains: []dnsname.FQDN{},
 	}
+	if sds, err := searchDomains(); err == nil {
+		// Filter the root domain, since it's not allowed by systemd.
+		// See https://github.com/systemd/systemd/issues/9515
+		filteredSds := slices.DeleteFunc(sds, func(s dnsname.FQDN) bool {
+			return s == "" || s == "."
+		})
+		if len(filteredSds) != len(sds) {
+			mainLog.Load().Debug().Msg(`Removed root domain "." from search domains list`)
+		}
+		osConfig.SearchDomains = filteredSds
+	} else {
+		mainLog.Load().Debug().Err(err).Msg("failed to get search domains list")
+	}
 	trySystemdResolve := false
-	for i := 0; i < maxSetDNSAttempts; i++ {
-		if err := r.SetDNS(osConfig); err != nil {
-			if strings.Contains(err.Error(), "Rejected send message") &&
-				strings.Contains(err.Error(), "org.freedesktop.network1.Manager") {
-				mainLog.Load().Warn().Msg("Interfaces are managed by systemd-networkd, switch to systemd-resolve for setting DNS")
-				trySystemdResolve = true
-				break
-			}
-			// This error happens on read-only file system, which causes ctrld failed to create backup
-			// for /etc/resolv.conf file. It is ok, because the DNS is still set anyway, and restore
-			// DNS will fallback to use DHCP if there's no backup /etc/resolv.conf file.
-			// The error format is controlled by us, so checking for error string is fine.
-			// See: ../../internal/dns/direct.go:L278
-			if r.Mode() == "direct" && strings.Contains(err.Error(), resolvConfBackupFailedMsg) {
-				return nil
-			}
-			return err
+	if err := r.SetDNS(osConfig); err != nil {
+		if strings.Contains(err.Error(), "Rejected send message") &&
+			strings.Contains(err.Error(), "org.freedesktop.network1.Manager") {
+			mainLog.Load().Warn().Msg("Interfaces are managed by systemd-networkd, switch to systemd-resolve for setting DNS")
+			trySystemdResolve = true
+			goto systemdResolve
 		}
-		if useSystemdResolved {
-			if out, err := exec.Command("systemctl", "restart", "systemd-resolved").CombinedOutput(); err != nil {
-				mainLog.Load().Warn().Err(err).Msgf("could not restart systemd-resolved: %s", string(out))
-			}
-		}
-		currentNS := currentDNS(iface)
-		if isSubSet(nameservers, currentNS) {
+		// This error happens on read-only file system, which causes ctrld failed to create backup
+		// for /etc/resolv.conf file. It is ok, because the DNS is still set anyway, and restore
+		// DNS will fallback to use DHCP if there's no backup /etc/resolv.conf file.
+		// The error format is controlled by us, so checking for error string is fine.
+		// See: ../../internal/dns/direct.go:L278
+		if r.Mode() == "direct" && strings.Contains(err.Error(), resolvConfBackupFailedMsg) {
 			return nil
 		}
+		return err
 	}
+
+systemdResolve:
 	if trySystemdResolve {
 		// Stop systemd-networkd and retry setting DNS.
 		if out, err := exec.Command("systemctl", "stop", "systemd-networkd").CombinedOutput(); err != nil {
@@ -115,8 +123,8 @@ func setDNS(iface *net.Interface, nameservers []string) error {
 			}
 			time.Sleep(time.Second)
 		}
+		mainLog.Load().Debug().Msg("DNS was not set for some reason")
 	}
-	mainLog.Load().Debug().Msg("DNS was not set for some reason")
 	return nil
 }
 
@@ -134,7 +142,7 @@ func resetDNS(iface *net.Interface) (err error) {
 		if exe, _ := exec.LookPath("/lib/systemd/systemd-networkd"); exe != "" {
 			_ = exec.Command("systemctl", "start", "systemd-networkd").Run()
 		}
-		if r, oerr := dns.NewOSConfigurator(logf, iface.Name); oerr == nil {
+		if r, oerr := dns.NewOSConfigurator(logf, &health.Tracker{}, &controlknobs.Knobs{}, iface.Name); oerr == nil {
 			_ = r.SetDNS(dns.OSConfig{})
 			if err := r.Close(); err != nil {
 				mainLog.Load().Error().Err(err).Msg("failed to rollback DNS setting")
@@ -165,6 +173,7 @@ func resetDNS(iface *net.Interface) (err error) {
 	}
 
 	// TODO(cuonglm): handle DHCPv6 properly.
+	mainLog.Load().Debug().Msg("checking for IPv6 availability")
 	if ctrldnet.IPv6Available(ctx) {
 		c := client6.NewClient()
 		conversation, err := c.Exchange(iface.Name)
@@ -184,6 +193,8 @@ func resetDNS(iface *net.Interface) (err error) {
 				}
 			}
 		}
+	} else {
+		mainLog.Load().Debug().Msg("IPv6 is not available")
 	}
 
 	return ignoringEINTR(func() error {
@@ -191,8 +202,15 @@ func resetDNS(iface *net.Interface) (err error) {
 	})
 }
 
+// restoreDNS restores the DNS settings of the given interface.
+// this should only be executed upon turning off the ctrld service.
+func restoreDNS(iface *net.Interface) (err error) {
+	return err
+}
+
 func currentDNS(iface *net.Interface) []string {
-	for _, fn := range []getDNS{getDNSByResolvectl, getDNSBySystemdResolved, getDNSByNmcli, resolvconffile.NameServers} {
+	resolvconfFunc := func(_ string) []string { return resolvconffile.NameServers() }
+	for _, fn := range []getDNS{getDNSByResolvectl, getDNSBySystemdResolved, getDNSByNmcli, resolvconfFunc} {
 		if ns := fn(iface.Name); len(ns) > 0 {
 			return ns
 		}

cmd/cli/os_windows.go

@@ -1,24 +1,27 @@
 package cli
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
-	"strconv"
+	"slices"
 	"strings"
 	"sync"
 
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 
 	ctrldnet "github.com/Control-D-Inc/ctrld/internal/net"
 )
 
 const (
-	forwardersFilename       = ".forwarders.txt"
-	v4InterfaceKeyPathFormat = `HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\`
-	v6InterfaceKeyPathFormat = `HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\`
+	v4InterfaceKeyPathFormat = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\`
+	v6InterfaceKeyPathFormat = `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\`
 )
 
 var (
@@ -39,25 +42,80 @@ func setDNS(iface *net.Interface, nameservers []string) error {
 	setDNSOnce.Do(func() {
 		// If there's a Dns server running, that means we are on AD with Dns feature enabled.
 		// Configuring the Dns server to forward queries to ctrld instead.
-		if windowsHasLocalDnsServerRunning() {
-			file := absHomeDir(forwardersFilename)
-			oldForwardersContent, _ := os.ReadFile(file)
-			if err := os.WriteFile(file, []byte(strings.Join(nameservers, ",")), 0600); err != nil {
-				mainLog.Load().Warn().Err(err).Msg("could not save forwarders settings")
+		if hasLocalDnsServerRunning() {
+			mainLog.Load().Debug().Msg("Local DNS server detected, configuring forwarders")
+
+			file := absHomeDir(windowsForwardersFilename)
+			mainLog.Load().Debug().Msgf("Using forwarders file: %s", file)
+
+			oldForwardersContent, err := os.ReadFile(file)
+			if err != nil {
+				mainLog.Load().Debug().Err(err).Msg("Could not read existing forwarders file")
+			} else {
+				mainLog.Load().Debug().Msgf("Existing forwarders content: %s", string(oldForwardersContent))
 			}
+
+			hasLocalIPv6Listener := needLocalIPv6Listener()
+			mainLog.Load().Debug().Bool("has_ipv6_listener", hasLocalIPv6Listener).Msg("IPv6 listener status")
+
+			forwarders := slices.DeleteFunc(slices.Clone(nameservers), func(s string) bool {
+				if !hasLocalIPv6Listener {
+					return false
+				}
+				return s == "::1"
+			})
+			mainLog.Load().Debug().Strs("forwarders", forwarders).Msg("Filtered forwarders list")
+
+			if err := os.WriteFile(file, []byte(strings.Join(forwarders, ",")), 0600); err != nil {
+				mainLog.Load().Warn().Err(err).Msg("could not save forwarders settings")
+			} else {
+				mainLog.Load().Debug().Msg("Successfully wrote new forwarders file")
+			}
+
 			oldForwarders := strings.Split(string(oldForwardersContent), ",")
-			if err := addDnsServerForwarders(nameservers, oldForwarders); err != nil {
+			mainLog.Load().Debug().Strs("old_forwarders", oldForwarders).Msg("Previous forwarders")
+
+			if err := addDnsServerForwarders(forwarders, oldForwarders); err != nil {
 				mainLog.Load().Warn().Err(err).Msg("could not set forwarders settings")
+			} else {
+				mainLog.Load().Debug().Msg("Successfully configured DNS server forwarders")
 			}
 		}
 	})
-	primaryDNS := nameservers[0]
-	if err := setPrimaryDNS(iface, primaryDNS, true); err != nil {
-		return err
+	luid, err := winipcfg.LUIDFromIndex(uint32(iface.Index))
+	if err != nil {
+		return fmt.Errorf("setDNS: %w", err)
 	}
-	if len(nameservers) > 1 {
-		secondaryDNS := nameservers[1]
-		_ = addSecondaryDNS(iface, secondaryDNS)
+	var (
+		serversV4 []netip.Addr
+		serversV6 []netip.Addr
+	)
+	for _, ns := range nameservers {
+		if addr, err := netip.ParseAddr(ns); err == nil {
+			if addr.Is4() {
+				serversV4 = append(serversV4, addr)
+			} else {
+				serversV6 = append(serversV6, addr)
+			}
+		}
+	}
+
+	// Note that Windows won't modify the current search domains if passing nil to luid.SetDNS function.
+	// searchDomains is still implemented for Windows just in case Windows API changes in future versions.
+	_ = searchDomains
+
+	if len(serversV4) == 0 && len(serversV6) == 0 {
+		return errors.New("invalid DNS nameservers")
+	}
+	if len(serversV4) > 0 {
+		if err := luid.SetDNS(windows.AF_INET, serversV4, nil); err != nil {
+			return fmt.Errorf("could not set DNS ipv4: %w", err)
+		}
+	}
+	if len(serversV6) > 0 {
+		if err := luid.SetDNS(windows.AF_INET6, serversV6, nil); err != nil {
+			return fmt.Errorf("could not set DNS ipv6: %w", err)
+		}
 	}
 	return nil
 }
@@ -71,8 +129,8 @@ func resetDnsIgnoreUnusableInterface(iface *net.Interface) error {
 func resetDNS(iface *net.Interface) error {
 	resetDNSOnce.Do(func() {
 		// See corresponding comment in setDNS.
-		if windowsHasLocalDnsServerRunning() {
-			file := absHomeDir(forwardersFilename)
+		if hasLocalDnsServerRunning() {
+			file := absHomeDir(windowsForwardersFilename)
 			content, err := os.ReadFile(file)
 			if err != nil {
 				mainLog.Load().Error().Err(err).Msg("could not read forwarders settings")
@@ -86,18 +144,23 @@ func resetDNS(iface *net.Interface) error {
 		}
 	})
 
-	// Restoring ipv6 first.
-	if ctrldnet.SupportsIPv6ListenLocal() {
-		if output, err := netsh("interface", "ipv6", "set", "dnsserver", strconv.Itoa(iface.Index), "dhcp"); err != nil {
-			mainLog.Load().Warn().Err(err).Msgf("failed to reset ipv6 DNS: %s", string(output))
-		}
-	}
-	// Restoring ipv4 DHCP.
-	output, err := netsh("interface", "ipv4", "set", "dnsserver", strconv.Itoa(iface.Index), "dhcp")
+	luid, err := winipcfg.LUIDFromIndex(uint32(iface.Index))
 	if err != nil {
-		return fmt.Errorf("%s: %w", string(output), err)
+		return fmt.Errorf("resetDNS: %w", err)
 	}
-	// If there's static DNS saved, restoring it.
+	// Restoring DHCP settings.
+	if err := luid.SetDNS(windows.AF_INET, nil, nil); err != nil {
+		return fmt.Errorf("could not reset DNS ipv4: %w", err)
+	}
+	if err := luid.SetDNS(windows.AF_INET6, nil, nil); err != nil {
+		return fmt.Errorf("could not reset DNS ipv6: %w", err)
+	}
+	return nil
+}
+
+// restoreDNS restores the DNS settings of the given interface.
+// this should only be executed upon turning off the ctrld service.
+func restoreDNS(iface *net.Interface) (err error) {
 	if nss := savedStaticNameservers(iface); len(nss) > 0 {
 		v4ns := make([]string, 0, 2)
 		v6ns := make([]string, 0, 2)
@@ -109,56 +172,36 @@ func resetDNS(iface *net.Interface) error {
 			}
 		}
 
-		for _, ns := range [][]string{v4ns, v6ns} {
-			if len(ns) == 0 {
-				continue
+		luid, err := winipcfg.LUIDFromIndex(uint32(iface.Index))
+		if err != nil {
+			return fmt.Errorf("restoreDNS: %w", err)
+		}
+
+		if len(v4ns) > 0 {
+			mainLog.Load().Debug().Msgf("restoring IPv4 static DNS for interface %q: %v", iface.Name, v4ns)
+			if err := setDNS(iface, v4ns); err != nil {
+				return fmt.Errorf("restoreDNS (IPv4): %w", err)
 			}
-			primaryDNS := ns[0]
-			if err := setPrimaryDNS(iface, primaryDNS, false); err != nil {
-				return err
+		} else {
+			mainLog.Load().Debug().Msgf("restoring IPv4 DHCP for interface %q", iface.Name)
+			if err := luid.SetDNS(windows.AF_INET, nil, nil); err != nil {
+				return fmt.Errorf("restoreDNS (IPv4 clear): %w", err)
 			}
-			if len(ns) > 1 {
-				secondaryDNS := ns[1]
-				_ = addSecondaryDNS(iface, secondaryDNS)
+		}
+
+		if len(v6ns) > 0 {
+			mainLog.Load().Debug().Msgf("restoring IPv6 static DNS for interface %q: %v", iface.Name, v6ns)
+			if err := setDNS(iface, v6ns); err != nil {
+				return fmt.Errorf("restoreDNS (IPv6): %w", err)
+			}
+		} else {
+			mainLog.Load().Debug().Msgf("restoring IPv6 DHCP for interface %q", iface.Name)
+			if err := luid.SetDNS(windows.AF_INET6, nil, nil); err != nil {
+				return fmt.Errorf("restoreDNS (IPv6 clear): %w", err)
 			}
 		}
 	}
-	return nil
-}
-
-func setPrimaryDNS(iface *net.Interface, dns string, disablev6 bool) error {
-	ipVer := "ipv4"
-	if ctrldnet.IsIPv6(dns) {
-		ipVer = "ipv6"
-	}
-	idx := strconv.Itoa(iface.Index)
-	output, err := netsh("interface", ipVer, "set", "dnsserver", idx, "static", dns)
-	if err != nil {
-		mainLog.Load().Error().Err(err).Msgf("failed to set primary DNS: %s", string(output))
-		return err
-	}
-	if disablev6 && ipVer == "ipv4" && ctrldnet.SupportsIPv6ListenLocal() {
-		// Disable IPv6 DNS, so the query will be fallback to IPv4.
-		_, _ = netsh("interface", "ipv6", "set", "dnsserver", idx, "static", "::1", "primary")
-	}
-
-	return nil
-}
-
-func addSecondaryDNS(iface *net.Interface, dns string) error {
-	ipVer := "ipv4"
-	if ctrldnet.IsIPv6(dns) {
-		ipVer = "ipv6"
-	}
-	output, err := netsh("interface", ipVer, "add", "dns", strconv.Itoa(iface.Index), dns, "index=2")
-	if err != nil {
-		mainLog.Load().Warn().Err(err).Msgf("failed to add secondary DNS: %s", string(output))
-	}
-	return nil
-}
-
-func netsh(args ...string) ([]byte, error) {
-	return exec.Command("netsh", args...).Output()
+	return err
 }
 
 func currentDNS(iface *net.Interface) []string {
@@ -179,35 +222,69 @@ func currentDNS(iface *net.Interface) []string {
 	return ns
 }
 
-// currentStaticDNS returns the current static DNS settings of given interface.
+// currentStaticDNS checks both the IPv4 and IPv6 paths for static DNS values using keys
+// like "NameServer" and "ProfileNameServer".
 func currentStaticDNS(iface *net.Interface) ([]string, error) {
 	luid, err := winipcfg.LUIDFromIndex(uint32(iface.Index))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("fallback winipcfg.LUIDFromIndex: %w", err)
 	}
 	guid, err := luid.GUID()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("fallback luid.GUID: %w", err)
 	}
+
 	var ns []string
-	for _, path := range []string{v4InterfaceKeyPathFormat, v6InterfaceKeyPathFormat} {
+	keyPaths := []string{v4InterfaceKeyPathFormat, v6InterfaceKeyPathFormat}
+	for _, path := range keyPaths {
 		interfaceKeyPath := path + guid.String()
-		found := false
-		for _, key := range []string{"NameServer", "ProfileNameServer"} {
-			if found {
-				continue
-			}
-			cmd := fmt.Sprintf(`Get-ItemPropertyValue -Path "%s" -Name "%s"`, interfaceKeyPath, key)
-			out, err := powershell(cmd)
-			if err == nil && len(out) > 0 {
-				found = true
-				ns = append(ns, strings.Split(string(out), ",")...)
-			}
+		k, err := registry.OpenKey(registry.LOCAL_MACHINE, interfaceKeyPath, registry.QUERY_VALUE)
+		if err != nil {
+			mainLog.Load().Debug().Err(err).Msgf("failed to open registry key %q for interface %q; trying next key", interfaceKeyPath, iface.Name)
+			continue
 		}
+		func() {
+			defer k.Close()
+			for _, keyName := range []string{"NameServer", "ProfileNameServer"} {
+				value, _, err := k.GetStringValue(keyName)
+				if err != nil && !errors.Is(err, registry.ErrNotExist) {
+					mainLog.Load().Debug().Err(err).Msgf("error reading %s registry key", keyName)
+					continue
+				}
+				if len(value) > 0 {
+					mainLog.Load().Debug().Msgf("found static DNS for interface %q: %s", iface.Name, value)
+					parsed := parseDNSServers(value)
+					for _, pns := range parsed {
+						if !slices.Contains(ns, pns) {
+							ns = append(ns, pns)
+						}
+					}
+				}
+			}
+		}()
+	}
+	if len(ns) == 0 {
+		mainLog.Load().Debug().Msgf("no static DNS values found for interface %q", iface.Name)
 	}
 	return ns, nil
 }
 
+// parseDNSServers splits a DNS server string that may be comma- or space-separated,
+// and trims any extraneous whitespace or null characters.
+func parseDNSServers(val string) []string {
+	fields := strings.FieldsFunc(val, func(r rune) bool {
+		return r == ' ' || r == ','
+	})
+	var servers []string
+	for _, f := range fields {
+		trimmed := strings.TrimSpace(f)
+		if len(trimmed) > 0 {
+			servers = append(servers, trimmed)
+		}
+	}
+	return servers
+}
+
 // addDnsServerForwarders adds given nameservers to DNS server forwarders list,
 // and also removing old forwarders if provided.
 func addDnsServerForwarders(nameservers, old []string) error {
@@ -247,3 +324,9 @@ func removeDnsServerForwarders(nameservers []string) error {
 	}
 	return nil
 }
+
+// powershell runs the given powershell command.
+func powershell(cmd string) ([]byte, error) {
+	out, err := exec.Command("powershell", "-Command", cmd).CombinedOutput()
+	return bytes.TrimSpace(out), err
+}

cmd/cli/os_windows_test.go

@@ -0,0 +1,68 @@
+package cli
+
+import (
+	"fmt"
+	"net"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+)
+
+func Test_currentStaticDNS(t *testing.T) {
+	iface, err := net.InterfaceByName(defaultIfaceName())
+	if err != nil {
+		t.Fatal(err)
+	}
+	start := time.Now()
+	staticDns, err := currentStaticDNS(iface)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Using Windows API takes: %d", time.Since(start).Milliseconds())
+
+	start = time.Now()
+	staticDnsPowershell, err := currentStaticDnsPowershell(iface)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Using Powershell takes: %d", time.Since(start).Milliseconds())
+
+	slices.Sort(staticDns)
+	slices.Sort(staticDnsPowershell)
+	if !slices.Equal(staticDns, staticDnsPowershell) {
+		t.Fatalf("result mismatch, want: %v, got: %v", staticDnsPowershell, staticDns)
+	}
+}
+
+func currentStaticDnsPowershell(iface *net.Interface) ([]string, error) {
+	luid, err := winipcfg.LUIDFromIndex(uint32(iface.Index))
+	if err != nil {
+		return nil, err
+	}
+	guid, err := luid.GUID()
+	if err != nil {
+		return nil, err
+	}
+	var ns []string
+	for _, path := range []string{"HKLM:\\" + v4InterfaceKeyPathFormat, "HKLM:\\" + v6InterfaceKeyPathFormat} {
+		interfaceKeyPath := path + guid.String()
+		found := false
+		for _, key := range []string{"NameServer", "ProfileNameServer"} {
+			if found {
+				continue
+			}
+			cmd := fmt.Sprintf(`Get-ItemPropertyValue -Path "%s" -Name "%s"`, interfaceKeyPath, key)
+			out, err := powershell(cmd)
+			if err == nil && len(out) > 0 {
+				found = true
+				for _, e := range strings.Split(string(out), ",") {
+					ns = append(ns, strings.TrimRight(e, "\x00"))
+				}
+			}
+		}
+	}
+	return ns, nil
+}

cmd/cli/prog_linux.go

@@ -10,11 +10,11 @@ import (
 
 	"github.com/kardianos/service"
 
-	"github.com/Control-D-Inc/ctrld/internal/dns"
+	"github.com/Control-D-Inc/ctrld/internal/router"
 )
 
 func init() {
-	if r, err := dns.NewOSConfigurator(func(format string, args ...any) {}, "lo"); err == nil {
+	if r, err := newLoopbackOSConfigurator(); err == nil {
 		useSystemdResolved = r.Mode() == "systemd-resolved"
 	}
 	// Disable quic-go's ECN support by default, see https://github.com/quic-go/quic-go/issues/3911
@@ -37,6 +37,9 @@ func setDependencies(svc *service.Config) {
 			svc.Dependencies = append(svc.Dependencies, "Wants=systemd-networkd-wait-online.service")
 		}
 	}
+	if routerDeps := router.ServiceDependencies(); len(routerDeps) > 0 {
+		svc.Dependencies = append(svc.Dependencies, routerDeps...)
+	}
 }
 
 func setWorkingDirectory(svc *service.Config, dir string) {

cmd/cli/prog_others.go

@@ -1,4 +1,4 @@
-//go:build !linux && !freebsd && !darwin
+//go:build !linux && !freebsd && !darwin && !windows
 
 package cli
 

cmd/cli/prog_test.go

@@ -0,0 +1,273 @@
+package cli
+
+import (
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/Control-D-Inc/ctrld"
+)
+
+func Test_prog_dnsWatchdogEnabled(t *testing.T) {
+	p := &prog{cfg: &ctrld.Config{}}
+
+	// Default value is true.
+	assert.True(t, p.dnsWatchdogEnabled())
+
+	tests := []struct {
+		name    string
+		enabled bool
+	}{
+		{"enabled", true},
+		{"disabled", false},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			p.cfg.Service.DnsWatchdogEnabled = &tc.enabled
+			assert.Equal(t, tc.enabled, p.dnsWatchdogEnabled())
+		})
+	}
+}
+
+func Test_prog_dnsWatchdogInterval(t *testing.T) {
+	p := &prog{cfg: &ctrld.Config{}}
+
+	// Default value is 20s.
+	assert.Equal(t, dnsWatchdogDefaultInterval, p.dnsWatchdogDuration())
+
+	tests := []struct {
+		name     string
+		duration time.Duration
+		expected time.Duration
+	}{
+		{"valid", time.Minute, time.Minute},
+		{"zero", 0, dnsWatchdogDefaultInterval},
+		{"nagative", time.Duration(-1 * time.Minute), dnsWatchdogDefaultInterval},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			p.cfg.Service.DnsWatchdogInvterval = &tc.duration
+			assert.Equal(t, tc.expected, p.dnsWatchdogDuration())
+		})
+	}
+}
+
+func Test_shouldUpgrade(t *testing.T) {
+	// Helper function to create a version
+	makeVersion := func(v string) *semver.Version {
+		ver, err := semver.NewVersion(v)
+		if err != nil {
+			t.Fatalf("failed to create version %s: %v", v, err)
+		}
+		return ver
+	}
+
+	tests := []struct {
+		name           string
+		versionTarget  string
+		currentVersion *semver.Version
+		shouldUpgrade  bool
+		description    string
+	}{
+		{
+			name:           "empty version target",
+			versionTarget:  "",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should skip upgrade when version target is empty",
+		},
+		{
+			name:           "invalid version target",
+			versionTarget:  "invalid-version",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should skip upgrade when version target is invalid",
+		},
+		{
+			name:           "same version",
+			versionTarget:  "v1.0.0",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should skip upgrade when target version equals current version",
+		},
+		{
+			name:           "older version",
+			versionTarget:  "v1.0.0",
+			currentVersion: makeVersion("v1.1.0"),
+			shouldUpgrade:  false,
+			description:    "should skip upgrade when target version is older than current version",
+		},
+		{
+			name:           "patch upgrade allowed",
+			versionTarget:  "v1.0.1",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  true,
+			description:    "should allow patch version upgrade within same major version",
+		},
+		{
+			name:           "minor upgrade allowed",
+			versionTarget:  "v1.1.0",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  true,
+			description:    "should allow minor version upgrade within same major version",
+		},
+		{
+			name:           "major upgrade blocked",
+			versionTarget:  "v2.0.0",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should block major version upgrade",
+		},
+		{
+			name:           "major downgrade blocked",
+			versionTarget:  "v1.0.0",
+			currentVersion: makeVersion("v2.0.0"),
+			shouldUpgrade:  false,
+			description:    "should block major version downgrade",
+		},
+		{
+			name:           "version without v prefix",
+			versionTarget:  "1.0.1",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  true,
+			description:    "should handle version target without v prefix",
+		},
+		{
+			name:           "complex version upgrade allowed",
+			versionTarget:  "v1.5.3",
+			currentVersion: makeVersion("v1.4.2"),
+			shouldUpgrade:  true,
+			description:    "should allow complex version upgrade within same major version",
+		},
+		{
+			name:           "complex major upgrade blocked",
+			versionTarget:  "v3.1.0",
+			currentVersion: makeVersion("v2.5.3"),
+			shouldUpgrade:  false,
+			description:    "should block complex major version upgrade",
+		},
+		{
+			name:           "pre-release version upgrade allowed",
+			versionTarget:  "v1.0.1-beta.1",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  true,
+			description:    "should allow pre-release version upgrade within same major version",
+		},
+		{
+			name:           "pre-release major upgrade blocked",
+			versionTarget:  "v2.0.0-alpha.1",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should block pre-release major version upgrade",
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Create test logger
+			testLogger := zerolog.New(zerolog.NewTestWriter(t)).With().Logger()
+
+			// Call the function and capture the result
+			result := shouldUpgrade(tc.versionTarget, tc.currentVersion, &testLogger)
+
+			// Assert the expected result
+			assert.Equal(t, tc.shouldUpgrade, result, tc.description)
+		})
+	}
+}
+
+func Test_selfUpgradeCheck(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("skipped due to Windows file locking issue on Github Action runners")
+	}
+
+	// Helper function to create a version
+	makeVersion := func(v string) *semver.Version {
+		ver, err := semver.NewVersion(v)
+		if err != nil {
+			t.Fatalf("failed to create version %s: %v", v, err)
+		}
+		return ver
+	}
+
+	tests := []struct {
+		name           string
+		versionTarget  string
+		currentVersion *semver.Version
+		shouldUpgrade  bool
+		description    string
+	}{
+		{
+			name:           "upgrade allowed",
+			versionTarget:  "v1.0.1",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  true,
+			description:    "should allow upgrade and attempt to perform it",
+		},
+		{
+			name:           "upgrade blocked",
+			versionTarget:  "v2.0.0",
+			currentVersion: makeVersion("v1.0.0"),
+			shouldUpgrade:  false,
+			description:    "should block upgrade and not attempt to perform it",
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Create test logger
+			testLogger := zerolog.New(zerolog.NewTestWriter(t)).With().Logger()
+
+			// Call the function and capture the result
+			result := selfUpgradeCheck(tc.versionTarget, tc.currentVersion, &testLogger)
+
+			// Assert the expected result
+			assert.Equal(t, tc.shouldUpgrade, result, tc.description)
+		})
+	}
+}
+
+func Test_performUpgrade(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("skipped due to Windows file locking issue on Github Action runners")
+	}
+
+	tests := []struct {
+		name           string
+		versionTarget  string
+		expectedResult bool
+		description    string
+	}{
+		{
+			name:           "valid version target",
+			versionTarget:  "v1.0.1",
+			expectedResult: true,
+			description:    "should attempt to perform upgrade with valid version target",
+		},
+		{
+			name:           "empty version target",
+			versionTarget:  "",
+			expectedResult: true,
+			description:    "should attempt to perform upgrade even with empty version target",
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Call the function and capture the result
+			result := performUpgrade(tc.versionTarget)
+			assert.Equal(t, tc.expectedResult, result, tc.description)
+		})
+	}
+}

cmd/cli/prog_windows.go

@@ -0,0 +1,14 @@
+package cli
+
+import "github.com/kardianos/service"
+
+func setDependencies(svc *service.Config) {
+	if hasLocalDnsServerRunning() {
+		svc.Dependencies = []string{"DNS"}
+	}
+}
+
+func setWorkingDirectory(svc *service.Config, dir string) {
+	// WorkingDirectory is not supported on Windows.
+	svc.WorkingDirectory = dir
+}

cmd/cli/prometheus.go

@@ -51,7 +51,7 @@ var statsClientQueriesCount = prometheus.NewCounterVec(prometheus.CounterOpts{
 
 // WithLabelValuesInc increases prometheus counter by 1 if query stats is enabled.
 func (p *prog) WithLabelValuesInc(c *prometheus.CounterVec, lvs ...string) {
-	if p.cfg.Service.MetricsQueryStats {
+	if p.metricsQueryStats.Load() {
 		c.WithLabelValues(lvs...).Inc()
 	}
 }

cmd/cli/resolvconf.go

@@ -3,20 +3,47 @@ package cli
 import (
 	"net"
 	"net/netip"
+	"os"
 	"path/filepath"
+	"strings"
+	"time"
 
 	"github.com/fsnotify/fsnotify"
 )
 
-const (
-	resolvConfPath            = "/etc/resolv.conf"
-	resolvConfBackupFailedMsg = "open /etc/resolv.pre-ctrld-backup.conf: read-only file system"
-)
+// parseResolvConfNameservers reads the resolv.conf file and returns the nameservers found.
+// Returns nil if no nameservers are found.
+func (p *prog) parseResolvConfNameservers(path string) ([]string, error) {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the file for "nameserver" lines
+	var currentNS []string
+	lines := strings.Split(string(content), "\n")
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if strings.HasPrefix(trimmed, "nameserver") {
+			parts := strings.Fields(trimmed)
+			if len(parts) >= 2 {
+				currentNS = append(currentNS, parts[1])
+			}
+		}
+	}
+
+	return currentNS, nil
+}
 
 // watchResolvConf watches any changes to /etc/resolv.conf file,
 // and reverting to the original config set by ctrld.
-func watchResolvConf(iface *net.Interface, ns []netip.Addr, setDnsFn func(iface *net.Interface, ns []netip.Addr) error) {
-	mainLog.Load().Debug().Msg("start watching /etc/resolv.conf file")
+func (p *prog) watchResolvConf(iface *net.Interface, ns []netip.Addr, setDnsFn func(iface *net.Interface, ns []netip.Addr) error) {
+	resolvConfPath := "/etc/resolv.conf"
+	// Evaluating symbolics link to watch the target file that /etc/resolv.conf point to.
+	if rp, _ := filepath.EvalSymlinks(resolvConfPath); rp != "" {
+		resolvConfPath = rp
+	}
+	mainLog.Load().Debug().Msgf("start watching %s file", resolvConfPath)
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		mainLog.Load().Warn().Err(err).Msg("could not create watcher for /etc/resolv.conf")
@@ -28,13 +55,21 @@ func watchResolvConf(iface *net.Interface, ns []netip.Addr, setDnsFn func(iface
 	// see: https://github.com/fsnotify/fsnotify#watching-a-file-doesnt-work-well
 	watchDir := filepath.Dir(resolvConfPath)
 	if err := watcher.Add(watchDir); err != nil {
-		mainLog.Load().Warn().Err(err).Msg("could not add /etc/resolv.conf to watcher list")
+		mainLog.Load().Warn().Err(err).Msgf("could not add %s to watcher list", watchDir)
 		return
 	}
 
 	for {
 		select {
+		case <-p.dnsWatcherStopCh:
+			return
+		case <-p.stopCh:
+			mainLog.Load().Debug().Msgf("stopping watcher for %s", resolvConfPath)
+			return
 		case event, ok := <-watcher.Events:
+			if p.recoveryRunning.Load() {
+				return
+			}
 			if !ok {
 				return
 			}
@@ -42,17 +77,81 @@ func watchResolvConf(iface *net.Interface, ns []netip.Addr, setDnsFn func(iface
 				continue
 			}
 			if event.Has(fsnotify.Write) || event.Has(fsnotify.Create) {
-				mainLog.Load().Debug().Msg("/etc/resolv.conf changes detected, reverting to ctrld setting")
-				if err := watcher.Remove(watchDir); err != nil {
-					mainLog.Load().Error().Err(err).Msg("failed to pause watcher")
-					continue
+				mainLog.Load().Debug().Msgf("/etc/resolv.conf changes detected, reading changes...")
+
+				// Convert expected nameservers to strings for comparison
+				expectedNS := make([]string, len(ns))
+				for i, addr := range ns {
+					expectedNS[i] = addr.String()
 				}
-				if err := setDnsFn(iface, ns); err != nil {
-					mainLog.Load().Error().Err(err).Msg("failed to revert /etc/resolv.conf changes")
+
+				var foundNS []string
+				var err error
+
+				maxRetries := 1
+				for retry := 0; retry < maxRetries; retry++ {
+					foundNS, err = p.parseResolvConfNameservers(resolvConfPath)
+					if err != nil {
+						mainLog.Load().Error().Err(err).Msg("failed to read resolv.conf content")
+						break
+					}
+
+					// If we found nameservers, break out of retry loop
+					if len(foundNS) > 0 {
+						break
+					}
+
+					// Only retry if we found no nameservers
+					if retry < maxRetries-1 {
+						mainLog.Load().Debug().Msgf("resolv.conf has no nameserver entries, retry %d/%d in 2 seconds", retry+1, maxRetries)
+						select {
+						case <-p.stopCh:
+							return
+						case <-p.dnsWatcherStopCh:
+							return
+						case <-time.After(2 * time.Second):
+							continue
+						}
+					} else {
+						mainLog.Load().Debug().Msg("resolv.conf remained empty after all retries")
+					}
 				}
-				if err := watcher.Add(watchDir); err != nil {
-					mainLog.Load().Error().Err(err).Msg("failed to continue running watcher")
-					return
+
+				// If we found nameservers, check if they match what we expect
+				if len(foundNS) > 0 {
+					// Check if the nameservers match exactly what we expect
+					matches := len(foundNS) == len(expectedNS)
+					if matches {
+						for i := range foundNS {
+							if foundNS[i] != expectedNS[i] {
+								matches = false
+								break
+							}
+						}
+					}
+
+					mainLog.Load().Debug().
+						Strs("found", foundNS).
+						Strs("expected", expectedNS).
+						Bool("matches", matches).
+						Msg("checking nameservers")
+
+					// Only revert if the nameservers don't match
+					if !matches {
+						if err := watcher.Remove(watchDir); err != nil {
+							mainLog.Load().Error().Err(err).Msg("failed to pause watcher")
+							continue
+						}
+
+						if err := setDnsFn(iface, ns); err != nil {
+							mainLog.Load().Error().Err(err).Msg("failed to revert /etc/resolv.conf changes")
+						}
+
+						if err := watcher.Add(watchDir); err != nil {
+							mainLog.Load().Error().Err(err).Msg("failed to continue running watcher")
+							return
+						}
+					}
 				}
 			}
 		case err, ok := <-watcher.Errors:

cmd/cli/resolvconf_darwin.go

@@ -3,15 +3,44 @@ package cli
 import (
 	"net"
 	"net/netip"
+	"os"
+	"slices"
+
+	"github.com/Control-D-Inc/ctrld/internal/dns/resolvconffile"
 )
 
+const resolvConfPath = "/etc/resolv.conf"
+
 // setResolvConf sets the content of resolv.conf file using the given nameservers list.
 func setResolvConf(iface *net.Interface, ns []netip.Addr) error {
 	servers := make([]string, len(ns))
 	for i := range ns {
 		servers[i] = ns[i].String()
 	}
-	return setDNS(iface, servers)
+	if err := setDNS(iface, servers); err != nil {
+		return err
+	}
+	slices.Sort(servers)
+	curNs := currentDNS(iface)
+	slices.Sort(curNs)
+	if !slices.Equal(curNs, servers) {
+		c, err := resolvconffile.ParseFile(resolvConfPath)
+		if err != nil {
+			return err
+		}
+		c.Nameservers = ns
+		f, err := os.Create(resolvConfPath)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		if err := c.Write(f); err != nil {
+			return err
+		}
+		return f.Close()
+	}
+	return nil
 }
 
 // shouldWatchResolvconf reports whether ctrld should watch changes to resolv.conf file with given OS configurator.

cmd/cli/resolvconf_not_darwin_unix.go

@@ -6,14 +6,16 @@ import (
 	"net"
 	"net/netip"
 
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/health"
 	"tailscale.com/util/dnsname"
 
 	"github.com/Control-D-Inc/ctrld/internal/dns"
 )
 
-// setResolvConf sets the content of resolv.conf file using the given nameservers list.
+// setResolvConf sets the content of the resolv.conf file using the given nameservers list.
 func setResolvConf(iface *net.Interface, ns []netip.Addr) error {
-	r, err := dns.NewOSConfigurator(func(format string, args ...any) {}, "lo") // interface name does not matter.
+	r, err := newLoopbackOSConfigurator()
 	if err != nil {
 		return err
 	}
@@ -22,12 +24,17 @@ func setResolvConf(iface *net.Interface, ns []netip.Addr) error {
 		Nameservers:   ns,
 		SearchDomains: []dnsname.FQDN{},
 	}
+	if sds, err := searchDomains(); err == nil {
+		oc.SearchDomains = sds
+	} else {
+		mainLog.Load().Debug().Err(err).Msg("failed to get search domains list when reverting resolv.conf file")
+	}
 	return r.SetDNS(oc)
 }
 
 // shouldWatchResolvconf reports whether ctrld should watch changes to resolv.conf file with given OS configurator.
 func shouldWatchResolvconf() bool {
-	r, err := dns.NewOSConfigurator(func(format string, args ...any) {}, "lo") // interface name does not matter.
+	r, err := newLoopbackOSConfigurator()
 	if err != nil {
 		return false
 	}
@@ -38,3 +45,8 @@ func shouldWatchResolvconf() bool {
 		return false
 	}
 }
+
+// newLoopbackOSConfigurator creates an OSConfigurator for DNS management using the "lo" interface.
+func newLoopbackOSConfigurator() (dns.OSConfigurator, error) {
+	return dns.NewOSConfigurator(noopLogf, &health.Tracker{}, &controlknobs.Knobs{}, "lo")
+}

cmd/cli/search_domains_unix.go

@@ -0,0 +1,14 @@
+//go:build unix
+
+package cli
+
+import (
+	"tailscale.com/util/dnsname"
+
+	"github.com/Control-D-Inc/ctrld/internal/resolvconffile"
+)
+
+// searchDomains returns the current search domains config.
+func searchDomains() ([]dnsname.FQDN, error) {
+	return resolvconffile.SearchDomains()
+}

cmd/cli/search_domains_windows.go

@@ -0,0 +1,43 @@
+package cli
+
+import (
+	"fmt"
+	"syscall"
+
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"tailscale.com/util/dnsname"
+)
+
+// searchDomains returns the current search domains config.
+func searchDomains() ([]dnsname.FQDN, error) {
+	flags := winipcfg.GAAFlagIncludeGateways |
+		winipcfg.GAAFlagIncludePrefix
+
+	aas, err := winipcfg.GetAdaptersAddresses(syscall.AF_UNSPEC, flags)
+	if err != nil {
+		return nil, fmt.Errorf("winipcfg.GetAdaptersAddresses: %w", err)
+	}
+
+	var sds []dnsname.FQDN
+	for _, aa := range aas {
+		if aa.OperStatus != winipcfg.IfOperStatusUp {
+			continue
+		}
+
+		// Skip if software loopback or other non-physical types
+		// This is to avoid the "Loopback Pseudo-Interface 1" issue we see on windows
+		if aa.IfType == winipcfg.IfTypeSoftwareLoopback {
+			continue
+		}
+
+		for a := aa.FirstDNSSuffix; a != nil; a = a.Next {
+			d, err := dnsname.ToFQDN(a.String())
+			if err != nil {
+				mainLog.Load().Debug().Err(err).Msgf("failed to parse domain: %s", a.String())
+				continue
+			}
+			sds = append(sds, d)
+		}
+	}
+	return sds, nil
+}

cmd/cli/self_delete_others.go

@@ -0,0 +1,7 @@
+//go:build !windows
+
+package cli
+
+var supportedSelfDelete = true
+
+func selfDeleteExe() error { return nil }

cmd/cli/self_delete_windows.go

@@ -0,0 +1,134 @@
+// Copied from https://github.com/secur30nly/go-self-delete
+// with modification to suitable for ctrld usage.
+
+/*
+   License: MIT Licence
+
+   References:
+       - https://github.com/LloydLabs/delete-self-poc
+       - https://twitter.com/jonasLyk/status/1350401461985955840
+*/
+
+package cli
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var supportedSelfDelete = false
+
+type FILE_RENAME_INFO struct {
+	Union struct {
+		ReplaceIfExists bool
+		Flags           uint32
+	}
+	RootDirectory  windows.Handle
+	FileNameLength uint32
+	FileName       [1]uint16
+}
+
+type FILE_DISPOSITION_INFO struct {
+	DeleteFile bool
+}
+
+func dsOpenHandle(pwPath *uint16) (windows.Handle, error) {
+	handle, err := windows.CreateFile(
+		pwPath,
+		windows.DELETE,
+		0,
+		nil,
+		windows.OPEN_EXISTING,
+		windows.FILE_ATTRIBUTE_NORMAL,
+		0,
+	)
+
+	if err != nil {
+		return 0, err
+	}
+
+	return handle, nil
+}
+
+func dsRenameHandle(hHandle windows.Handle) error {
+	var fRename FILE_RENAME_INFO
+	DS_STREAM_RENAME, err := windows.UTF16FromString(":deadbeef")
+
+	if err != nil {
+		return err
+	}
+
+	lpwStream := &DS_STREAM_RENAME[0]
+	fRename.FileNameLength = uint32(unsafe.Sizeof(lpwStream))
+
+	windows.NewLazyDLL("kernel32.dll").NewProc("RtlCopyMemory").Call(
+		uintptr(unsafe.Pointer(&fRename.FileName[0])),
+		uintptr(unsafe.Pointer(lpwStream)),
+		unsafe.Sizeof(lpwStream),
+	)
+
+	err = windows.SetFileInformationByHandle(
+		hHandle,
+		windows.FileRenameInfo,
+		(*byte)(unsafe.Pointer(&fRename)),
+		uint32(unsafe.Sizeof(fRename)+unsafe.Sizeof(lpwStream)),
+	)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func dsDepositeHandle(hHandle windows.Handle) error {
+	var fDelete FILE_DISPOSITION_INFO
+	fDelete.DeleteFile = true
+
+	err := windows.SetFileInformationByHandle(
+		hHandle,
+		windows.FileDispositionInfo,
+		(*byte)(unsafe.Pointer(&fDelete)),
+		uint32(unsafe.Sizeof(fDelete)),
+	)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func selfDeleteExe() error {
+	var wcPath [windows.MAX_PATH + 1]uint16
+	var hCurrent windows.Handle
+
+	_, err := windows.GetModuleFileName(0, &wcPath[0], windows.MAX_PATH)
+	if err != nil {
+		return err
+	}
+
+	hCurrent, err = dsOpenHandle(&wcPath[0])
+	if err != nil || hCurrent == windows.InvalidHandle {
+		return err
+	}
+
+	if err := dsRenameHandle(hCurrent); err != nil {
+		_ = windows.CloseHandle(hCurrent)
+		return err
+	}
+	_ = windows.CloseHandle(hCurrent)
+
+	hCurrent, err = dsOpenHandle(&wcPath[0])
+	if err != nil || hCurrent == windows.InvalidHandle {
+		return err
+	}
+
+	if err := dsDepositeHandle(hCurrent); err != nil {
+		_ = windows.CloseHandle(hCurrent)
+		return err
+	}
+
+	return windows.CloseHandle(hCurrent)
+}

cmd/cli/self_kill_others.go

@@ -0,0 +1,16 @@
+//go:build !unix
+
+package cli
+
+import (
+	"os"
+
+	"github.com/rs/zerolog"
+)
+
+func selfUninstall(p *prog, logger zerolog.Logger) {
+	if uninstallInvalidCdUID(p, logger, false) {
+		logger.Warn().Msgf("service was uninstalled because device %q does not exist", cdUID)
+		os.Exit(0)
+	}
+}

cmd/cli/self_kill_unix.go

@@ -0,0 +1,45 @@
+//go:build unix
+
+package cli
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"syscall"
+
+	"github.com/rs/zerolog"
+)
+
+func selfUninstall(p *prog, logger zerolog.Logger) {
+	if runtime.GOOS == "linux" {
+		selfUninstallLinux(p, logger)
+	}
+
+	bin, err := os.Executable()
+	if err != nil {
+		logger.Fatal().Err(err).Msg("could not determine executable")
+	}
+	args := []string{"uninstall"}
+	if deactivationPinSet() {
+		args = append(args, fmt.Sprintf("--pin=%d", cdDeactivationPin.Load()))
+	}
+	cmd := exec.Command(bin, args...)
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+	if err := cmd.Start(); err != nil {
+		logger.Fatal().Err(err).Msg("could not start self uninstall command")
+	}
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	logger.Warn().Msgf("service was uninstalled because device %q does not exist", cdUID)
+	_ = cmd.Wait()
+	os.Exit(0)
+}
+
+func selfUninstallLinux(p *prog, logger zerolog.Logger) {
+	if uninstallInvalidCdUID(p, logger, true) {
+		logger.Warn().Msgf("service was uninstalled because device %q does not exist", cdUID)
+		os.Exit(0)
+	}
+}

cmd/cli/self_upgrade_others.go

@@ -0,0 +1,12 @@
+//go:build !windows
+
+package cli
+
+import (
+	"syscall"
+)
+
+// sysProcAttrForDetachedChildProcess returns *syscall.SysProcAttr instance for running a detached child command.
+func sysProcAttrForDetachedChildProcess() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{Setsid: true}
+}

cmd/cli/self_upgrade_windows.go

@@ -0,0 +1,18 @@
+package cli
+
+import (
+	"syscall"
+)
+
+// From: https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags?redirectedfrom=MSDN
+
+// SYSCALL_CREATE_NO_WINDOW set flag to run process without a console window.
+const SYSCALL_CREATE_NO_WINDOW = 0x08000000
+
+// sysProcAttrForDetachedChildProcess returns *syscall.SysProcAttr instance for running self-upgrade command.
+func sysProcAttrForDetachedChildProcess() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP | SYSCALL_CREATE_NO_WINDOW,
+		HideWindow:    true,
+	}
+}

cmd/cli/service.go

@@ -4,12 +4,16 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
+	"runtime"
 
+	"github.com/coreos/go-systemd/v22/unit"
 	"github.com/kardianos/service"
 
 	"github.com/Control-D-Inc/ctrld/internal/router"
+	"github.com/Control-D-Inc/ctrld/internal/router/openwrt"
 )
 
 // newService wraps service.New call to return service.Service
@@ -28,6 +32,9 @@ func newService(i service.Interface, c *service.Config) (service.Service, error)
 		return &sysV{s}, nil
 	case s.Platform() == "linux-systemd":
 		return &systemd{s}, nil
+	case s.Platform() == "darwin-launchd":
+		return newLaunchd(s), nil
+
 	}
 	return s, nil
 }
@@ -113,7 +120,7 @@ func (s *procd) Status() (service.Status, error) {
 	return service.StatusRunning, nil
 }
 
-// procd wraps a service.Service, and provide status command to
+// systemd wraps a service.Service, and provide status command to
 // report the status correctly.
 type systemd struct {
 	service.Service
@@ -127,20 +134,101 @@ func (s *systemd) Status() (service.Status, error) {
 	return s.Service.Status()
 }
 
+func (s *systemd) Start() error {
+	const systemdUnitFile = "/etc/systemd/system/ctrld.service"
+	f, err := os.Open(systemdUnitFile)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	if opts, change := ensureSystemdKillMode(f); change {
+		mode := os.FileMode(0644)
+		buf, err := io.ReadAll(unit.Serialize(opts))
+		if err != nil {
+			return err
+		}
+		if err := os.WriteFile(systemdUnitFile, buf, mode); err != nil {
+			return err
+		}
+		if out, err := exec.Command("systemctl", "daemon-reload").CombinedOutput(); err != nil {
+			return fmt.Errorf("systemctl daemon-reload failed: %w\n%s", err, string(out))
+		}
+		mainLog.Load().Debug().Msg("set KillMode=process successfully")
+	}
+	return s.Service.Start()
+}
+
+// ensureSystemdKillMode ensure systemd unit file is configured with KillMode=process.
+// This is necessary for running self-upgrade flow.
+func ensureSystemdKillMode(r io.Reader) (opts []*unit.UnitOption, change bool) {
+	opts, err := unit.DeserializeOptions(r)
+	if err != nil {
+		mainLog.Load().Error().Err(err).Msg("failed to deserialize options")
+		return
+	}
+	change = true
+	needKillModeOpt := true
+	killModeOpt := unit.NewUnitOption("Service", "KillMode", "process")
+	for _, opt := range opts {
+		if opt.Match(killModeOpt) {
+			needKillModeOpt = false
+			change = false
+			break
+		}
+		if opt.Section == killModeOpt.Section && opt.Name == killModeOpt.Name {
+			opt.Value = killModeOpt.Value
+			needKillModeOpt = false
+			break
+		}
+	}
+	if needKillModeOpt {
+		opts = append(opts, killModeOpt)
+	}
+	return opts, change
+}
+
+func newLaunchd(s service.Service) *launchd {
+	return &launchd{
+		Service:      s,
+		statusErrMsg: "Permission denied",
+	}
+}
+
+// launchd wraps a service.Service, and provide status command to
+// report the status correctly when not running as root on Darwin.
+//
+// TODO: remove this wrapper once https://github.com/kardianos/service/issues/400 fixed.
+type launchd struct {
+	service.Service
+	statusErrMsg string
+}
+
+func (l *launchd) Status() (service.Status, error) {
+	if os.Geteuid() != 0 {
+		return service.StatusUnknown, errors.New(l.statusErrMsg)
+	}
+	return l.Service.Status()
+}
+
 type task struct {
 	f            func() error
 	abortOnError bool
+	Name         string
 }
 
 func doTasks(tasks []task) bool {
-	var prevErr error
 	for _, task := range tasks {
+		mainLog.Load().Debug().Msgf("Running task %s", task.Name)
 		if err := task.f(); err != nil {
 			if task.abortOnError {
-				mainLog.Load().Error().Msg(errors.Join(prevErr, err).Error())
+				mainLog.Load().Error().Msgf("error running task %s: %v", task.Name, err)
 				return false
 			}
-			prevErr = err
+			// if this is darwin stop command, dont print debug
+			// since launchctl complains on every start
+			if runtime.GOOS != "darwin" || task.Name != "Stop" {
+				mainLog.Load().Debug().Msgf("error running task %s: %v", task.Name, err)
+			}
 		}
 	}
 	return true
@@ -161,6 +249,13 @@ func checkHasElevatedPrivilege() {
 func unixSystemVServiceStatus() (service.Status, error) {
 	out, err := exec.Command("/etc/init.d/ctrld", "status").CombinedOutput()
 	if err != nil {
+		// Specific case for openwrt >= 24.10, it returns non-success code
+		// for above status command, which may not right.
+		if router.Name() == openwrt.Name {
+			if string(bytes.ToLower(bytes.TrimSpace(out))) == "inactive" {
+				return service.StatusStopped, nil
+			}
+		}
 		return service.StatusUnknown, nil
 	}
 

cmd/cli/service_others.go

@@ -9,3 +9,14 @@ import (
 func hasElevatedPrivilege() (bool, error) {
 	return os.Geteuid() == 0, nil
 }
+
+func openLogFile(path string, flags int) (*os.File, error) {
+	return os.OpenFile(path, flags, os.FileMode(0o600))
+}
+
+// hasLocalDnsServerRunning reports whether we are on Windows and having Dns server running.
+func hasLocalDnsServerRunning() bool { return false }
+
+func ConfigureWindowsServiceFailureActions(serviceName string) error { return nil }
+
+func isRunningOnDomainControllerWindows() (bool, int) { return false, 0 }

cmd/cli/service_test.go

@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"strings"
+	"testing"
+)
+
+func Test_ensureSystemdKillMode(t *testing.T) {
+	tests := []struct {
+		name       string
+		unitFile   string
+		wantChange bool
+	}{
+		{"no KillMode", "[Service]\nExecStart=/bin/sleep 1", true},
+		{"not KillMode=process", "[Service]\nExecStart=/bin/sleep 1\nKillMode=mixed", true},
+		{"KillMode=process", "[Service]\nExecStart=/bin/sleep 1\nKillMode=process", false},
+		{"invalid unit file", "[Service\nExecStart=/bin/sleep 1\nKillMode=process", false},
+	}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if _, change := ensureSystemdKillMode(strings.NewReader(tc.unitFile)); tc.wantChange != change {
+				t.Errorf("ensureSystemdKillMode(%q) = %v, want %v", tc.unitFile, change, tc.wantChange)
+			}
+		})
+	}
+}

cmd/cli/service_windows.go

@@ -1,6 +1,22 @@
 package cli
 
-import "golang.org/x/sys/windows"
+import (
+	"os"
+	"reflect"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/microsoft/wmi/pkg/base/host"
+	"github.com/microsoft/wmi/pkg/base/instance"
+	"github.com/microsoft/wmi/pkg/base/query"
+	"github.com/microsoft/wmi/pkg/constant"
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/svc/mgr"
+)
 
 func hasElevatedPrivilege() (bool, error) {
 	var sid *windows.SID
@@ -22,3 +38,190 @@ func hasElevatedPrivilege() (bool, error) {
 	token := windows.Token(0)
 	return token.IsMember(sid)
 }
+
+// ConfigureWindowsServiceFailureActions checks if the given service
+// has the correct failure actions configured, and updates them if not.
+func ConfigureWindowsServiceFailureActions(serviceName string) error {
+	if runtime.GOOS != "windows" {
+		return nil // no-op on non-Windows
+	}
+
+	m, err := mgr.Connect()
+	if err != nil {
+		return err
+	}
+	defer m.Disconnect()
+
+	s, err := m.OpenService(serviceName)
+	if err != nil {
+		return err
+	}
+	defer s.Close()
+
+	// 1. Retrieve the current config
+	cfg, err := s.Config()
+	if err != nil {
+		return err
+	}
+
+	// 2. Update the Description
+	cfg.Description = "A highly configurable, multi-protocol DNS forwarding proxy"
+
+	// 3. Apply the updated config
+	if err := s.UpdateConfig(cfg); err != nil {
+		return err
+	}
+
+	// Then proceed with existing actions, e.g. setting failure actions
+	actions := []mgr.RecoveryAction{
+		{Type: mgr.ServiceRestart, Delay: time.Second * 5}, // 5 seconds
+		{Type: mgr.ServiceRestart, Delay: time.Second * 5}, // 5 seconds
+		{Type: mgr.ServiceRestart, Delay: time.Second * 5}, // 5 seconds
+	}
+
+	// Set the recovery actions (3 restarts, reset period = 120).
+	err = s.SetRecoveryActions(actions, 120)
+	if err != nil {
+		return err
+	}
+
+	// Ensure that failure actions are NOT triggered on user-initiated stops.
+	var failureActionsFlag windows.SERVICE_FAILURE_ACTIONS_FLAG
+	failureActionsFlag.FailureActionsOnNonCrashFailures = 0
+
+	if err := windows.ChangeServiceConfig2(
+		s.Handle,
+		windows.SERVICE_CONFIG_FAILURE_ACTIONS_FLAG,
+		(*byte)(unsafe.Pointer(&failureActionsFlag)),
+	); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func openLogFile(path string, mode int) (*os.File, error) {
+	if len(path) == 0 {
+		return nil, &os.PathError{Path: path, Op: "open", Err: syscall.ERROR_FILE_NOT_FOUND}
+	}
+
+	pathP, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, err
+	}
+	var access uint32
+	switch mode & (os.O_RDONLY | os.O_WRONLY | os.O_RDWR) {
+	case os.O_RDONLY:
+		access = windows.GENERIC_READ
+	case os.O_WRONLY:
+		access = windows.GENERIC_WRITE
+	case os.O_RDWR:
+		access = windows.GENERIC_READ | windows.GENERIC_WRITE
+	}
+	if mode&os.O_CREATE != 0 {
+		access |= windows.GENERIC_WRITE
+	}
+	if mode&os.O_APPEND != 0 {
+		access &^= windows.GENERIC_WRITE
+		access |= windows.FILE_APPEND_DATA
+	}
+
+	shareMode := uint32(syscall.FILE_SHARE_READ | syscall.FILE_SHARE_WRITE | syscall.FILE_SHARE_DELETE)
+
+	var sa *syscall.SecurityAttributes
+
+	var createMode uint32
+	switch {
+	case mode&(os.O_CREATE|os.O_EXCL) == (os.O_CREATE | os.O_EXCL):
+		createMode = windows.CREATE_NEW
+	case mode&(os.O_CREATE|os.O_TRUNC) == (os.O_CREATE | os.O_TRUNC):
+		createMode = windows.CREATE_ALWAYS
+	case mode&os.O_CREATE == os.O_CREATE:
+		createMode = windows.OPEN_ALWAYS
+	case mode&os.O_TRUNC == os.O_TRUNC:
+		createMode = windows.TRUNCATE_EXISTING
+	default:
+		createMode = windows.OPEN_EXISTING
+	}
+
+	handle, err := syscall.CreateFile(pathP, access, shareMode, sa, createMode, syscall.FILE_ATTRIBUTE_NORMAL, 0)
+	if err != nil {
+		return nil, &os.PathError{Path: path, Op: "open", Err: err}
+	}
+
+	return os.NewFile(uintptr(handle), path), nil
+}
+
+const processEntrySize = uint32(unsafe.Sizeof(windows.ProcessEntry32{}))
+
+// hasLocalDnsServerRunning reports whether we are on Windows and having Dns server running.
+func hasLocalDnsServerRunning() bool {
+	h, e := windows.CreateToolhelp32Snapshot(windows.TH32CS_SNAPPROCESS, 0)
+	if e != nil {
+		return false
+	}
+	p := windows.ProcessEntry32{Size: processEntrySize}
+	for {
+		e := windows.Process32Next(h, &p)
+		if e != nil {
+			return false
+		}
+		if strings.ToLower(windows.UTF16ToString(p.ExeFile[:])) == "dns.exe" {
+			return true
+		}
+	}
+}
+
+func isRunningOnDomainControllerWindows() (bool, int) {
+	whost := host.NewWmiLocalHost()
+	q := query.NewWmiQuery("Win32_ComputerSystem")
+	instances, err := instance.GetWmiInstancesFromHost(whost, string(constant.CimV2), q)
+	if err != nil {
+		mainLog.Load().Debug().Err(err).Msg("WMI query failed")
+		return false, 0
+	}
+	if instances == nil {
+		mainLog.Load().Debug().Msg("WMI query returned nil instances")
+		return false, 0
+	}
+	defer instances.Close()
+
+	if len(instances) == 0 {
+		mainLog.Load().Debug().Msg("no rows returned from Win32_ComputerSystem")
+		return false, 0
+	}
+
+	val, err := instances[0].GetProperty("DomainRole")
+	if err != nil {
+		mainLog.Load().Debug().Err(err).Msg("failed to get DomainRole property")
+		return false, 0
+	}
+	if val == nil {
+		mainLog.Load().Debug().Msg("DomainRole property is nil")
+		return false, 0
+	}
+
+	// Safely handle varied types: string or integer
+	var roleInt int
+	switch v := val.(type) {
+	case string:
+		// "4", "5", etc.
+		parsed, parseErr := strconv.Atoi(v)
+		if parseErr != nil {
+			mainLog.Load().Debug().Err(parseErr).Msgf("failed to parse DomainRole value %q", v)
+			return false, 0
+		}
+		roleInt = parsed
+	case int8, int16, int32, int64:
+		roleInt = int(reflect.ValueOf(v).Int())
+	case uint8, uint16, uint32, uint64:
+		roleInt = int(reflect.ValueOf(v).Uint())
+	default:
+		mainLog.Load().Debug().Msgf("unexpected DomainRole type: %T value=%v", v, v)
+		return false, 0
+	}
+
+	// Check if role indicates a domain controller
+	isDC := roleInt == BackupDomainController || roleInt == PrimaryDomainController
+	return isDC, roleInt
+}

cmd/cli/service_windows_test.go

@@ -0,0 +1,25 @@
+package cli
+
+import (
+	"testing"
+	"time"
+)
+
+func Test_hasLocalDnsServerRunning(t *testing.T) {
+	start := time.Now()
+	hasDns := hasLocalDnsServerRunning()
+	t.Logf("Using Windows API takes: %d", time.Since(start).Milliseconds())
+
+	start = time.Now()
+	hasDnsPowershell := hasLocalDnsServerRunningPowershell()
+	t.Logf("Using Powershell takes: %d", time.Since(start).Milliseconds())
+
+	if hasDns != hasDnsPowershell {
+		t.Fatalf("result mismatch, want: %v, got: %v", hasDnsPowershell, hasDns)
+	}
+}
+
+func hasLocalDnsServerRunningPowershell() bool {
+	_, err := powershell("Get-Process -Name DNS")
+	return err == nil
+}

cmd/cli/upstream_monitor.go

@@ -1,18 +1,15 @@
 package cli
 
 import (
-	"context"
 	"sync"
 	"time"
 
-	"github.com/miekg/dns"
-
 	"github.com/Control-D-Inc/ctrld"
 )
 
 const (
 	// maxFailureRequest is the maximum failed queries allowed before an upstream is marked as down.
-	maxFailureRequest = 100
+	maxFailureRequest = 50
 	// checkUpstreamBackoffSleep is the time interval between each upstream checks.
 	checkUpstreamBackoffSleep = 2 * time.Second
 )
@@ -21,18 +18,24 @@ const (
 type upstreamMonitor struct {
 	cfg *ctrld.Config
 
-	mu         sync.Mutex
+	mu         sync.RWMutex
 	checking   map[string]bool
 	down       map[string]bool
 	failureReq map[string]uint64
+	recovered  map[string]bool
+
+	// failureTimerActive tracks if a timer is already running for a given upstream.
+	failureTimerActive map[string]bool
 }
 
 func newUpstreamMonitor(cfg *ctrld.Config) *upstreamMonitor {
 	um := &upstreamMonitor{
-		cfg:        cfg,
-		checking:   make(map[string]bool),
-		down:       make(map[string]bool),
-		failureReq: make(map[string]uint64),
+		cfg:                cfg,
+		checking:           make(map[string]bool),
+		down:               make(map[string]bool),
+		failureReq:         make(map[string]uint64),
+		recovered:          make(map[string]bool),
+		failureTimerActive: make(map[string]bool),
 	}
 	for n := range cfg.Upstream {
 		upstream := upstreamPrefix + n
@@ -42,14 +45,47 @@ func newUpstreamMonitor(cfg *ctrld.Config) *upstreamMonitor {
 	return um
 }
 
-// increaseFailureCount increase failed queries count for an upstream by 1.
+// increaseFailureCount increases failed queries count for an upstream by 1 and logs debug information.
+// It uses a timer to debounce failure detection, ensuring that an upstream is marked as down
+// within 10 seconds if failures persist, without spawning duplicate goroutines.
 func (um *upstreamMonitor) increaseFailureCount(upstream string) {
 	um.mu.Lock()
 	defer um.mu.Unlock()
 
+	if um.recovered[upstream] {
+		mainLog.Load().Debug().Msgf("upstream %q is recovered, skipping failure count increase", upstream)
+		return
+	}
+
 	um.failureReq[upstream] += 1
 	failedCount := um.failureReq[upstream]
-	um.down[upstream] = failedCount >= maxFailureRequest
+
+	// Log the updated failure count.
+	mainLog.Load().Debug().Msgf("upstream %q failure count updated to %d", upstream, failedCount)
+
+	// If this is the first failure and no timer is running, start a 10-second timer.
+	if failedCount == 1 && !um.failureTimerActive[upstream] {
+		um.failureTimerActive[upstream] = true
+		go func(upstream string) {
+			time.Sleep(10 * time.Second)
+			um.mu.Lock()
+			defer um.mu.Unlock()
+			// If no success occurred during the 10-second window (i.e. counter remains > 0)
+			// and the upstream is not in a recovered state, mark it as down.
+			if um.failureReq[upstream] > 0 && !um.recovered[upstream] {
+				um.down[upstream] = true
+				mainLog.Load().Warn().Msgf("upstream %q marked as down after 10 seconds (failure count: %d)", upstream, um.failureReq[upstream])
+			}
+			// Reset the timer flag so that a new timer can be spawned if needed.
+			um.failureTimerActive[upstream] = false
+		}(upstream)
+	}
+
+	// If the failure count quickly reaches the threshold, mark the upstream as down immediately.
+	if failedCount >= maxFailureRequest {
+		um.down[upstream] = true
+		mainLog.Load().Warn().Msgf("upstream %q marked as down immediately (failure count: %d)", upstream, failedCount)
+	}
 }
 
 // isDown reports whether the given upstream is being marked as down.
@@ -63,50 +99,28 @@ func (um *upstreamMonitor) isDown(upstream string) bool {
 // reset marks an upstream as up and set failed queries counter to zero.
 func (um *upstreamMonitor) reset(upstream string) {
 	um.mu.Lock()
-	defer um.mu.Unlock()
-
 	um.failureReq[upstream] = 0
 	um.down[upstream] = false
-}
-
-// checkUpstream checks the given upstream status, periodically sending query to upstream
-// until successfully. An upstream status/counter will be reset once it becomes reachable.
-func (um *upstreamMonitor) checkUpstream(upstream string, uc *ctrld.UpstreamConfig) {
-	um.mu.Lock()
-	isChecking := um.checking[upstream]
-	if isChecking {
-		um.mu.Unlock()
-		return
-	}
-	um.checking[upstream] = true
+	um.recovered[upstream] = true
 	um.mu.Unlock()
-	defer func() {
+	go func() {
+		// debounce the recovery to avoid incrementing failure counts already in flight
+		time.Sleep(1 * time.Second)
 		um.mu.Lock()
-		um.checking[upstream] = false
+		um.recovered[upstream] = false
 		um.mu.Unlock()
 	}()
-
-	resolver, err := ctrld.NewResolver(uc)
-	if err != nil {
-		mainLog.Load().Warn().Err(err).Msg("could not check upstream")
-		return
-	}
-	msg := new(dns.Msg)
-	msg.SetQuestion(".", dns.TypeNS)
-
-	check := func() error {
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-		defer cancel()
-		uc.ReBootstrap()
-		_, err := resolver.Resolve(ctx, msg)
-		return err
-	}
-	for {
-		if err := check(); err == nil {
-			mainLog.Load().Debug().Msgf("upstream %q is online", uc.Endpoint)
-			um.reset(upstream)
-			return
-		}
-		time.Sleep(checkUpstreamBackoffSleep)
-	}
+}
+
+// countHealthy returns the number of upstreams in the provided map that are considered healthy.
+func (um *upstreamMonitor) countHealthy(upstreams []string) int {
+	var count int
+	um.mu.RLock()
+	for _, upstream := range upstreams {
+		if !um.down[upstream] {
+			count++
+		}
+	}
+	um.mu.RUnlock()
+	return count
 }

cmd/ctrld/main.go

@@ -1,7 +1,13 @@
 package main
 
-import "github.com/Control-D-Inc/ctrld/cmd/cli"
+import (
+	"os"
+
+	"github.com/Control-D-Inc/ctrld/cmd/cli"
+)
 
 func main() {
 	cli.Main()
+	// make sure we exit with 0 if there are no errors
+	os.Exit(0)
 }

cmd/ctrld_library/main.go

@@ -28,15 +28,17 @@ type AppCallback interface {
 // Start configures utility with config.toml from provided directory.
 // This function will block until Stop is called
 // Check port availability prior to calling it.
-func (c *Controller) Start(CdUID string, HomeDir string, UpstreamProto string, logLevel int, logPath string) {
+func (c *Controller) Start(CdUID string, ProvisionID string, CustomHostname string, HomeDir string, UpstreamProto string, logLevel int, logPath string) {
 	if c.stopCh == nil {
 		c.stopCh = make(chan struct{})
 		c.Config = cli.AppConfig{
-			CdUID:         CdUID,
-			HomeDir:       HomeDir,
-			UpstreamProto: UpstreamProto,
-			Verbose:       logLevel,
-			LogPath:       logPath,
+			CdUID:          CdUID,
+			ProvisionID:    ProvisionID,
+			CustomHostname: CustomHostname,
+			HomeDir:        HomeDir,
+			UpstreamProto:  UpstreamProto,
+			Verbose:        logLevel,
+			LogPath:        logPath,
 		}
 		appCallback := mapCallback(c.AppCallback)
 		cli.RunMobile(&c.Config, &appCallback, c.stopCh)

config.go

@@ -7,6 +7,7 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"errors"
+	"fmt"
 	"io"
 	"math/rand"
 	"net"
@@ -22,9 +23,11 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/ameshkov/dnsstamps"
 	"github.com/go-playground/validator/v10"
 	"github.com/miekg/dns"
 	"github.com/spf13/viper"
+	"golang.org/x/net/http2"
 	"golang.org/x/sync/singleflight"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/tsaddr"
@@ -50,14 +53,36 @@ const (
 	FreeDnsDomain = "freedns.controld.com"
 	// FreeDNSBoostrapIP is the IP address of freedns.controld.com.
 	FreeDNSBoostrapIP = "76.76.2.11"
+	// FreeDNSBoostrapIPv6 is the IPv6 address of freedns.controld.com.
+	FreeDNSBoostrapIPv6 = "2606:1a40::11"
 	// PremiumDnsDomain is the domain name of premium ControlD service.
 	PremiumDnsDomain = "dns.controld.com"
 	// PremiumDNSBoostrapIP is the IP address of dns.controld.com.
 	PremiumDNSBoostrapIP = "76.76.2.22"
+	// PremiumDNSBoostrapIPv6 is the IPv6 address of dns.controld.com.
+	PremiumDNSBoostrapIPv6 = "2606:1a40::22"
+
+	// freeDnsDomainDev is the domain name of free ControlD service on dev env.
+	freeDnsDomainDev = "freedns.controld.dev"
+	// freeDNSBoostrapIP is the IP address of freedns.controld.dev.
+	freeDNSBoostrapIP = "176.125.239.11"
+	// freeDNSBoostrapIPv6 is the IPv6 address of freedns.controld.com.
+	freeDNSBoostrapIPv6 = "2606:1a40:f000::11"
+	// premiumDnsDomainDev is the domain name of premium ControlD service on dev env.
+	premiumDnsDomainDev = "dns.controld.dev"
+	// premiumDNSBoostrapIP is the IP address of dns.controld.dev.
+	premiumDNSBoostrapIP = "176.125.239.22"
+	// premiumDNSBoostrapIPv6 is the IPv6 address of dns.controld.dev.
+	premiumDNSBoostrapIPv6 = "2606:1a40:f000::22"
 
 	controlDComDomain = "controld.com"
 	controlDNetDomain = "controld.net"
 	controlDDevDomain = "controld.dev"
+
+	endpointPrefixHTTPS = "https://"
+	endpointPrefixQUIC  = "quic://"
+	endpointPrefixH3    = "h3://"
+	endpointPrefixSdns  = "sdns://"
 )
 
 var (
@@ -188,27 +213,32 @@ func (c *Config) FirstUpstream() *UpstreamConfig {
 
 // ServiceConfig specifies the general ctrld config.
 type ServiceConfig struct {
-	LogLevel                string   `mapstructure:"log_level" toml:"log_level,omitempty"`
-	LogPath                 string   `mapstructure:"log_path" toml:"log_path,omitempty"`
-	CacheEnable             bool     `mapstructure:"cache_enable" toml:"cache_enable,omitempty"`
-	CacheSize               int      `mapstructure:"cache_size" toml:"cache_size,omitempty"`
-	CacheTTLOverride        int      `mapstructure:"cache_ttl_override" toml:"cache_ttl_override,omitempty"`
-	CacheServeStale         bool     `mapstructure:"cache_serve_stale" toml:"cache_serve_stale,omitempty"`
-	CacheFlushDomains       []string `mapstructure:"cache_flush_domains" toml:"cache_flush_domains" validate:"max=256"`
-	MaxConcurrentRequests   *int     `mapstructure:"max_concurrent_requests" toml:"max_concurrent_requests,omitempty" validate:"omitempty,gte=0"`
-	DHCPLeaseFile           string   `mapstructure:"dhcp_lease_file_path" toml:"dhcp_lease_file_path" validate:"omitempty,file"`
-	DHCPLeaseFileFormat     string   `mapstructure:"dhcp_lease_file_format" toml:"dhcp_lease_file_format" validate:"required_unless=DHCPLeaseFile '',omitempty,oneof=dnsmasq isc-dhcp"`
-	DiscoverMDNS            *bool    `mapstructure:"discover_mdns" toml:"discover_mdns,omitempty"`
-	DiscoverARP             *bool    `mapstructure:"discover_arp" toml:"discover_arp,omitempty"`
-	DiscoverDHCP            *bool    `mapstructure:"discover_dhcp" toml:"discover_dhcp,omitempty"`
-	DiscoverPtr             *bool    `mapstructure:"discover_ptr" toml:"discover_ptr,omitempty"`
-	DiscoverHosts           *bool    `mapstructure:"discover_hosts" toml:"discover_hosts,omitempty"`
-	DiscoverRefreshInterval int      `mapstructure:"discover_refresh_interval" toml:"discover_refresh_interval,omitempty"`
-	ClientIDPref            string   `mapstructure:"client_id_preference" toml:"client_id_preference,omitempty" validate:"omitempty,oneof=host mac"`
-	MetricsQueryStats       bool     `mapstructure:"metrics_query_stats" toml:"metrics_query_stats,omitempty"`
-	MetricsListener         string   `mapstructure:"metrics_listener" toml:"metrics_listener,omitempty"`
-	Daemon                  bool     `mapstructure:"-" toml:"-"`
-	AllocateIP              bool     `mapstructure:"-" toml:"-"`
+	LogLevel                string         `mapstructure:"log_level" toml:"log_level,omitempty"`
+	LogPath                 string         `mapstructure:"log_path" toml:"log_path,omitempty"`
+	CacheEnable             bool           `mapstructure:"cache_enable" toml:"cache_enable,omitempty"`
+	CacheSize               int            `mapstructure:"cache_size" toml:"cache_size,omitempty"`
+	CacheTTLOverride        int            `mapstructure:"cache_ttl_override" toml:"cache_ttl_override,omitempty"`
+	CacheServeStale         bool           `mapstructure:"cache_serve_stale" toml:"cache_serve_stale,omitempty"`
+	CacheFlushDomains       []string       `mapstructure:"cache_flush_domains" toml:"cache_flush_domains" validate:"max=256"`
+	MaxConcurrentRequests   *int           `mapstructure:"max_concurrent_requests" toml:"max_concurrent_requests,omitempty" validate:"omitempty,gte=0"`
+	DHCPLeaseFile           string         `mapstructure:"dhcp_lease_file_path" toml:"dhcp_lease_file_path" validate:"omitempty,file"`
+	DHCPLeaseFileFormat     string         `mapstructure:"dhcp_lease_file_format" toml:"dhcp_lease_file_format" validate:"required_unless=DHCPLeaseFile '',omitempty,oneof=dnsmasq isc-dhcp kea-dhcp4"`
+	DiscoverMDNS            *bool          `mapstructure:"discover_mdns" toml:"discover_mdns,omitempty"`
+	DiscoverARP             *bool          `mapstructure:"discover_arp" toml:"discover_arp,omitempty"`
+	DiscoverDHCP            *bool          `mapstructure:"discover_dhcp" toml:"discover_dhcp,omitempty"`
+	DiscoverPtr             *bool          `mapstructure:"discover_ptr" toml:"discover_ptr,omitempty"`
+	DiscoverHosts           *bool          `mapstructure:"discover_hosts" toml:"discover_hosts,omitempty"`
+	DiscoverRefreshInterval int            `mapstructure:"discover_refresh_interval" toml:"discover_refresh_interval,omitempty"`
+	ClientIDPref            string         `mapstructure:"client_id_preference" toml:"client_id_preference,omitempty" validate:"omitempty,oneof=host mac"`
+	MetricsQueryStats       bool           `mapstructure:"metrics_query_stats" toml:"metrics_query_stats,omitempty"`
+	MetricsListener         string         `mapstructure:"metrics_listener" toml:"metrics_listener,omitempty"`
+	DnsWatchdogEnabled      *bool          `mapstructure:"dns_watchdog_enabled" toml:"dns_watchdog_enabled,omitempty"`
+	DnsWatchdogInvterval    *time.Duration `mapstructure:"dns_watchdog_interval" toml:"dns_watchdog_interval,omitempty"`
+	RefetchTime             *int           `mapstructure:"refetch_time" toml:"refetch_time,omitempty"`
+	ForceRefetchWaitTime    *int           `mapstructure:"force_refetch_wait_time" toml:"force_refetch_wait_time,omitempty"`
+	LeakOnUpstreamFailure   *bool          `mapstructure:"leak_on_upstream_failure" toml:"leak_on_upstream_failure,omitempty"`
+	Daemon                  bool           `mapstructure:"-" toml:"-"`
+	AllocateIP              bool           `mapstructure:"-" toml:"-"`
 }
 
 // NetworkConfig specifies configuration for networks where ctrld will handle requests.
@@ -221,7 +251,7 @@ type NetworkConfig struct {
 // UpstreamConfig specifies configuration for upstreams that ctrld will forward requests to.
 type UpstreamConfig struct {
 	Name        string `mapstructure:"name" toml:"name,omitempty"`
-	Type        string `mapstructure:"type" toml:"type,omitempty" validate:"oneof=doh doh3 dot doq os legacy"`
+	Type        string `mapstructure:"type" toml:"type,omitempty" validate:"oneof=doh doh3 dot doq os legacy sdns ''"`
 	Endpoint    string `mapstructure:"endpoint" toml:"endpoint,omitempty"`
 	BootstrapIP string `mapstructure:"bootstrap_ip" toml:"bootstrap_ip,omitempty"`
 	Domain      string `mapstructure:"-" toml:"-"`
@@ -248,6 +278,7 @@ type UpstreamConfig struct {
 	http3RoundTripper6 http.RoundTripper
 	certPool           *x509.CertPool
 	u                  *url.URL
+	fallbackOnce       sync.Once
 	uid                string
 }
 
@@ -295,10 +326,13 @@ type Rule map[string][]string
 
 // Init initialized necessary values for an UpstreamConfig.
 func (uc *UpstreamConfig) Init() {
+	if err := uc.initDnsStamps(); err != nil {
+		ProxyLogger.Load().Fatal().Err(err).Msg("invalid DNS Stamps")
+	}
 	uc.initDoHScheme()
 	uc.uid = upstreamUID()
 	if u, err := url.Parse(uc.Endpoint); err == nil {
-		uc.Domain = u.Host
+		uc.Domain = u.Hostname()
 		switch uc.Type {
 		case ResolverTypeDOH, ResolverTypeDOH3:
 			uc.u = u
@@ -316,7 +350,7 @@ func (uc *UpstreamConfig) Init() {
 		}
 	}
 	if uc.IPStack == "" {
-		if uc.isControlD() {
+		if uc.IsControlD() {
 			uc.IPStack = IpStackSplit
 		} else {
 			uc.IPStack = IpStackBoth
@@ -324,6 +358,15 @@ func (uc *UpstreamConfig) Init() {
 	}
 }
 
+// VerifyMsg creates and returns a new DNS message could be used for testing upstream health.
+func (uc *UpstreamConfig) VerifyMsg() *dns.Msg {
+	msg := new(dns.Msg)
+	msg.RecursionDesired = true
+	msg.SetQuestion(".", dns.TypeNS)
+	msg.SetEdns0(4096, false) // ensure handling of large DNS response
+	return msg
+}
+
 // VerifyDomain returns the domain name that could be resolved by the upstream endpoint.
 // It returns empty for non-ControlD upstream endpoint.
 func (uc *UpstreamConfig) VerifyDomain() string {
@@ -354,7 +397,7 @@ func (uc *UpstreamConfig) UpstreamSendClientInfo() bool {
 	}
 	switch uc.Type {
 	case ResolverTypeDOH, ResolverTypeDOH3:
-		if uc.isControlD() || uc.isNextDNS() {
+		if uc.IsControlD() || uc.isNextDNS() {
 			return true
 		}
 	}
@@ -368,7 +411,7 @@ func (uc *UpstreamConfig) IsDiscoverable() bool {
 		return *uc.Discoverable
 	}
 	switch uc.Type {
-	case ResolverTypeOS, ResolverTypeLegacy, ResolverTypePrivate:
+	case ResolverTypeOS, ResolverTypeLegacy, ResolverTypePrivate, ResolverTypeLocal:
 		if ip, err := netip.ParseAddr(uc.Domain); err == nil {
 			return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || tsaddr.CGNATRange().Contains(ip)
 		}
@@ -386,12 +429,6 @@ func (uc *UpstreamConfig) SetCertPool(cp *x509.CertPool) {
 	uc.certPool = cp
 }
 
-// SetupBootstrapIP manually find all available IPs of the upstream.
-// The first usable IP will be used as bootstrap IP of the upstream.
-func (uc *UpstreamConfig) SetupBootstrapIP() {
-	uc.setupBootstrapIP(true)
-}
-
 // UID returns the unique identifier of the upstream.
 func (uc *UpstreamConfig) UID() string {
 	return uc.uid
@@ -399,11 +436,19 @@ func (uc *UpstreamConfig) UID() string {
 
 // SetupBootstrapIP manually find all available IPs of the upstream.
 // The first usable IP will be used as bootstrap IP of the upstream.
-func (uc *UpstreamConfig) setupBootstrapIP(withBootstrapDNS bool) {
+// The upstream domain will be looked up using following orders:
+//
+// - Current system DNS settings.
+// - Direct IPs table for ControlD upstreams.
+// - ControlD Bootstrap DNS 76.76.2.22
+//
+// The setup process will block until there's usable IPs found.
+func (uc *UpstreamConfig) SetupBootstrapIP() {
 	b := backoff.NewBackoff("setupBootstrapIP", func(format string, args ...any) {}, 10*time.Second)
-	isControlD := uc.isControlD()
+	isControlD := uc.IsControlD()
+	nss := initDefaultOsResolver()
 	for {
-		uc.bootstrapIPs = lookupIP(uc.Domain, uc.Timeout, withBootstrapDNS)
+		uc.bootstrapIPs = lookupIP(uc.Domain, uc.Timeout, nss)
 		// For ControlD upstream, the bootstrap IPs could not be RFC 1918 addresses,
 		// filtering them out here to prevent weird behavior.
 		if isControlD {
@@ -416,6 +461,15 @@ func (uc *UpstreamConfig) setupBootstrapIP(withBootstrapDNS bool) {
 				}
 			}
 			uc.bootstrapIPs = uc.bootstrapIPs[:n]
+			if len(uc.bootstrapIPs) == 0 {
+				uc.bootstrapIPs = bootstrapIPsFromControlDDomain(uc.Domain)
+				ProxyLogger.Load().Warn().Msgf("no record found for %q, lookup from direct IP table", uc.Domain)
+			}
+		}
+		if len(uc.bootstrapIPs) == 0 {
+			ProxyLogger.Load().Warn().Msgf("no record found for %q, using bootstrap server: %s", uc.Domain, PremiumDNSBoostrapIP)
+			uc.bootstrapIPs = lookupIP(uc.Domain, uc.Timeout, []string{net.JoinHostPort(PremiumDNSBoostrapIP, "53")})
+
 		}
 		if len(uc.bootstrapIPs) > 0 {
 			break
@@ -442,7 +496,7 @@ func (uc *UpstreamConfig) ReBootstrap() {
 	}
 	_, _, _ = uc.g.Do("ReBootstrap", func() (any, error) {
 		if uc.rebootstrap.CompareAndSwap(false, true) {
-			ProxyLogger.Load().Debug().Msg("re-bootstrapping upstream ip")
+			ProxyLogger.Load().Debug().Msgf("re-bootstrapping upstream ip for %v", uc)
 		}
 		return true, nil
 	})
@@ -469,7 +523,7 @@ func (uc *UpstreamConfig) setupDOHTransport() {
 		uc.transport = uc.newDOHTransport(uc.bootstrapIPs6)
 	case IpStackSplit:
 		uc.transport4 = uc.newDOHTransport(uc.bootstrapIPs4)
-		if hasIPv6() {
+		if HasIPv6() {
 			uc.transport6 = uc.newDOHTransport(uc.bootstrapIPs6)
 		} else {
 			uc.transport6 = uc.transport4
@@ -486,6 +540,13 @@ func (uc *UpstreamConfig) newDOHTransport(addrs []string) *http.Transport {
 		ClientSessionCache: tls.NewLRUClientSessionCache(0),
 	}
 
+	// Prevent bad tcp connection hanging the requests for too long.
+	// See: https://github.com/golang/go/issues/36026
+	if t2, err := http2.ConfigureTransports(transport); err == nil {
+		t2.ReadIdleTimeout = 10 * time.Second
+		t2.PingTimeout = 5 * time.Second
+	}
+
 	dialerTimeoutMs := 2000
 	if uc.Timeout > 0 && uc.Timeout < dialerTimeoutMs {
 		dialerTimeoutMs = uc.Timeout
@@ -506,7 +567,7 @@ func (uc *UpstreamConfig) newDOHTransport(addrs []string) *http.Transport {
 		for i := range addrs {
 			dialAddrs[i] = net.JoinHostPort(addrs[i], port)
 		}
-		conn, err := pd.DialContext(ctx, network, dialAddrs)
+		conn, err := pd.DialContext(ctx, network, dialAddrs, ProxyLogger.Load())
 		if err != nil {
 			return nil, err
 		}
@@ -521,7 +582,10 @@ func (uc *UpstreamConfig) newDOHTransport(addrs []string) *http.Transport {
 
 // Ping warms up the connection to DoH/DoH3 upstream.
 func (uc *UpstreamConfig) Ping() {
-	_ = uc.ping()
+	if err := uc.ping(); err != nil {
+		ProxyLogger.Load().Debug().Err(err).Msgf("upstream ping failed: %s", uc.Endpoint)
+		_ = uc.FallbackToDirectIP()
+	}
 }
 
 // ErrorPing is like Ping, but return an error if any.
@@ -558,7 +622,6 @@ func (uc *UpstreamConfig) ping() error {
 	for _, typ := range []uint16{dns.TypeA, dns.TypeAAAA} {
 		switch uc.Type {
 		case ResolverTypeDOH:
-
 			if err := ping(uc.dohTransport(typ)); err != nil {
 				return err
 			}
@@ -572,7 +635,8 @@ func (uc *UpstreamConfig) ping() error {
 	return nil
 }
 
-func (uc *UpstreamConfig) isControlD() bool {
+// IsControlD reports whether this is a ControlD upstream.
+func (uc *UpstreamConfig) IsControlD() bool {
 	domain := uc.Domain
 	if domain == "" {
 		if u, err := url.Parse(uc.Endpoint); err == nil {
@@ -631,7 +695,7 @@ func (uc *UpstreamConfig) bootstrapIPForDNSType(dnsType uint16) string {
 		case dns.TypeA:
 			return pick(uc.bootstrapIPs4)
 		default:
-			if hasIPv6() {
+			if HasIPv6() {
 				return pick(uc.bootstrapIPs6)
 			}
 			return pick(uc.bootstrapIPs4)
@@ -653,7 +717,7 @@ func (uc *UpstreamConfig) netForDNSType(dnsType uint16) (string, string) {
 		case dns.TypeA:
 			return "tcp4-tls", "udp4"
 		default:
-			if hasIPv6() {
+			if HasIPv6() {
 				return "tcp6-tls", "udp6"
 			}
 			return "tcp4-tls", "udp4"
@@ -664,16 +728,102 @@ func (uc *UpstreamConfig) netForDNSType(dnsType uint16) (string, string) {
 
 // initDoHScheme initializes the endpoint scheme for DoH/DoH3 upstream if not present.
 func (uc *UpstreamConfig) initDoHScheme() {
+	if strings.HasPrefix(uc.Endpoint, endpointPrefixH3) && uc.Type == "" {
+		uc.Type = ResolverTypeDOH3
+	}
 	switch uc.Type {
-	case ResolverTypeDOH, ResolverTypeDOH3:
+	case ResolverTypeDOH:
+	case ResolverTypeDOH3:
+		if after, found := strings.CutPrefix(uc.Endpoint, endpointPrefixH3); found {
+			uc.Endpoint = endpointPrefixHTTPS + after
+		}
 	default:
 		return
 	}
-	if !strings.HasPrefix(uc.Endpoint, "https://") {
-		uc.Endpoint = "https://" + uc.Endpoint
+	if !strings.HasPrefix(uc.Endpoint, endpointPrefixHTTPS) {
+		uc.Endpoint = endpointPrefixHTTPS + uc.Endpoint
 	}
 }
 
+// initDnsStamps initializes upstream config based on encoded DNS Stamps Endpoint.
+func (uc *UpstreamConfig) initDnsStamps() error {
+	if strings.HasPrefix(uc.Endpoint, endpointPrefixSdns) && uc.Type == "" {
+		uc.Type = ResolverTypeSDNS
+	}
+	if uc.Type != ResolverTypeSDNS {
+		return nil
+	}
+	sdns, err := dnsstamps.NewServerStampFromString(uc.Endpoint)
+	if err != nil {
+		return err
+	}
+	ip, port, _ := net.SplitHostPort(sdns.ServerAddrStr)
+	providerName, port2, _ := net.SplitHostPort(sdns.ProviderName)
+	if port2 != "" {
+		port = port2
+	}
+	if providerName == "" {
+		providerName = sdns.ProviderName
+	}
+	switch sdns.Proto {
+	case dnsstamps.StampProtoTypeDoH:
+		uc.Type = ResolverTypeDOH
+		host := sdns.ProviderName
+		if port != "" && port != defaultPortFor(uc.Type) {
+			host = net.JoinHostPort(providerName, port)
+		}
+		uc.Endpoint = "https://" + host + sdns.Path
+	case dnsstamps.StampProtoTypeTLS:
+		uc.Type = ResolverTypeDOT
+		uc.Endpoint = net.JoinHostPort(providerName, port)
+	case dnsstamps.StampProtoTypeDoQ:
+		uc.Type = ResolverTypeDOQ
+		uc.Endpoint = net.JoinHostPort(providerName, port)
+	case dnsstamps.StampProtoTypePlain:
+		uc.Type = ResolverTypeLegacy
+		uc.Endpoint = sdns.ServerAddrStr
+	default:
+		return fmt.Errorf("unsupported stamp protocol %q", sdns.Proto)
+	}
+	uc.BootstrapIP = ip
+	return nil
+}
+
+// Context returns a new context with timeout set from upstream config.
+func (uc *UpstreamConfig) Context(ctx context.Context) (context.Context, context.CancelFunc) {
+	if uc.Timeout > 0 {
+		return context.WithTimeout(ctx, time.Millisecond*time.Duration(uc.Timeout))
+	}
+	return context.WithCancel(ctx)
+}
+
+// FallbackToDirectIP changes ControlD upstream endpoint to use direct IP instead of domain.
+func (uc *UpstreamConfig) FallbackToDirectIP() bool {
+	if !uc.IsControlD() {
+		return false
+	}
+	if uc.u == nil || uc.Domain == "" {
+		return false
+	}
+
+	done := false
+	uc.fallbackOnce.Do(func() {
+		var ip string
+		switch {
+		case dns.IsSubDomain(PremiumDnsDomain, uc.Domain):
+			ip = PremiumDNSBoostrapIP
+		case dns.IsSubDomain(FreeDnsDomain, uc.Domain):
+			ip = FreeDNSBoostrapIP
+		default:
+			return
+		}
+		ProxyLogger.Load().Warn().Msgf("using direct IP for %q: %s", uc.Endpoint, ip)
+		uc.u.Host = ip
+		done = true
+	})
+	return done
+}
+
 // Init initialized necessary values for an ListenerConfig.
 func (lc *ListenerConfig) Init() {
 	if lc.Policy != nil {
@@ -726,6 +876,23 @@ func upstreamConfigStructLevelValidation(sl validator.StructLevel) {
 		return
 	}
 
+	// Empty type is ok only for endpoints starts with "h3://" and "sdns://".
+	if uc.Type == "" && !strings.HasPrefix(uc.Endpoint, endpointPrefixH3) && !strings.HasPrefix(uc.Endpoint, endpointPrefixSdns) {
+		sl.ReportError(uc.Endpoint, "type", "type", "oneof", "doh doh3 dot doq os legacy sdns")
+		return
+	}
+
+	// initDoHScheme/initDnsStamps may change upstreams information,
+	// so restoring changed values after validation to keep original one.
+	defer func(ep, typ string) {
+		uc.Endpoint = ep
+		uc.Type = typ
+	}(uc.Endpoint, uc.Type)
+
+	if err := uc.initDnsStamps(); err != nil {
+		sl.ReportError(uc.Endpoint, "endpoint", "Endpoint", "http_url", "")
+		return
+	}
 	uc.initDoHScheme()
 	// DoH/DoH3 requires endpoint is an HTTP url.
 	if uc.Type == ResolverTypeDOH || uc.Type == ResolverTypeDOH3 {
@@ -755,13 +922,19 @@ func defaultPortFor(typ string) string {
 // - If endpoint is an IP address ->  ResolverTypeLegacy
 // - If endpoint starts with "https://" -> ResolverTypeDOH
 // - If endpoint starts with "quic://" -> ResolverTypeDOQ
+// - If endpoint starts with "h3://" -> ResolverTypeDOH3
+// - If endpoint starts with "sdns://" -> ResolverTypeSDNS
 // - For anything else -> ResolverTypeDOT
 func ResolverTypeFromEndpoint(endpoint string) string {
 	switch {
-	case strings.HasPrefix(endpoint, "https://"):
+	case strings.HasPrefix(endpoint, endpointPrefixHTTPS):
 		return ResolverTypeDOH
-	case strings.HasPrefix(endpoint, "quic://"):
+	case strings.HasPrefix(endpoint, endpointPrefixQUIC):
 		return ResolverTypeDOQ
+	case strings.HasPrefix(endpoint, endpointPrefixH3):
+		return ResolverTypeDOH3
+	case strings.HasPrefix(endpoint, endpointPrefixSdns):
+		return ResolverTypeSDNS
 	}
 	host := endpoint
 	if strings.Contains(endpoint, ":") {
@@ -788,3 +961,27 @@ func upstreamUID() string {
 		return hex.EncodeToString(b)
 	}
 }
+
+// String returns a string representation of the UpstreamConfig for logging.
+func (uc *UpstreamConfig) String() string {
+	if uc == nil {
+		return "<nil>"
+	}
+	return fmt.Sprintf("{name: %q, type: %q, endpoint: %q, bootstrap_ip: %q, domain: %q, ip_stack: %q}",
+		uc.Name, uc.Type, uc.Endpoint, uc.BootstrapIP, uc.Domain, uc.IPStack)
+}
+
+// bootstrapIPsFromControlDDomain returns bootstrap IPs for ControlD domain.
+func bootstrapIPsFromControlDDomain(domain string) []string {
+	switch {
+	case dns.IsSubDomain(PremiumDnsDomain, domain):
+		return []string{PremiumDNSBoostrapIP, PremiumDNSBoostrapIPv6}
+	case dns.IsSubDomain(FreeDnsDomain, domain):
+		return []string{FreeDNSBoostrapIP, FreeDNSBoostrapIPv6}
+	case dns.IsSubDomain(premiumDnsDomainDev, domain):
+		return []string{premiumDNSBoostrapIP, premiumDNSBoostrapIPv6}
+	case dns.IsSubDomain(freeDnsDomainDev, domain):
+		return []string{freeDNSBoostrapIP, freeDNSBoostrapIPv6}
+	}
+	return nil
+}

config_internal_test.go

@@ -8,24 +8,49 @@ import (
 )
 
 func TestUpstreamConfig_SetupBootstrapIP(t *testing.T) {
-	uc := &UpstreamConfig{
-		Name:     "test",
-		Type:     ResolverTypeDOH,
-		Endpoint: "https://freedns.controld.com/p2",
-		Timeout:  5000,
+	tests := []struct {
+		name string
+		uc   *UpstreamConfig
+	}{
+		{
+			name: "doh/doh3",
+			uc: &UpstreamConfig{
+				Name:     "doh",
+				Type:     ResolverTypeDOH,
+				Endpoint: "https://freedns.controld.com/p2",
+				Timeout:  5000,
+			},
+		},
+		{
+			name: "doq/dot",
+			uc: &UpstreamConfig{
+				Name:     "dot",
+				Type:     ResolverTypeDOT,
+				Endpoint: "p2.freedns.controld.com",
+				Timeout:  5000,
+			},
+		},
 	}
-	uc.Init()
-	uc.setupBootstrapIP(false)
-	if len(uc.bootstrapIPs) == 0 {
-		t.Log(nameservers())
-		t.Fatal("could not bootstrap ip without bootstrap DNS")
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Enable parallel tests once https://github.com/microsoft/wmi/issues/165 fixed.
+			// t.Parallel()
+			tc.uc.Init()
+			tc.uc.SetupBootstrapIP()
+			if len(tc.uc.bootstrapIPs) == 0 {
+				t.Log(defaultNameservers())
+				t.Fatalf("could not bootstrap ip: %s", tc.uc.String())
+			}
+		})
 	}
-	t.Log(uc)
+
 }
 
 func TestUpstreamConfig_Init(t *testing.T) {
 	u1, _ := url.Parse("https://example.com")
 	u2, _ := url.Parse("https://example.com?k=v")
+	u3, _ := url.Parse("https://freedns.controld.com/p1")
 	tests := []struct {
 		name     string
 		uc       *UpstreamConfig
@@ -178,6 +203,152 @@ func TestUpstreamConfig_Init(t *testing.T) {
 				u:              u2,
 			},
 		},
+		{
+			"h3",
+			&UpstreamConfig{
+				Name:        "doh3",
+				Type:        "doh3",
+				Endpoint:    "h3://example.com",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+			},
+			&UpstreamConfig{
+				Name:        "doh3",
+				Type:        "doh3",
+				Endpoint:    "https://example.com",
+				BootstrapIP: "",
+				Domain:      "example.com",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+				u:           u1,
+			},
+		},
+		{
+			"h3 without type",
+			&UpstreamConfig{
+				Name:        "doh3",
+				Endpoint:    "h3://example.com",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+			},
+			&UpstreamConfig{
+				Name:        "doh3",
+				Type:        "doh3",
+				Endpoint:    "https://example.com",
+				BootstrapIP: "",
+				Domain:      "example.com",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+				u:           u1,
+			},
+		},
+		{
+			"sdns -> doh",
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "sdns",
+				Endpoint:    "sdns://AgMAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29tAy9wMQ",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "doh",
+				Endpoint:    "https://freedns.controld.com/p1",
+				BootstrapIP: "76.76.2.11",
+				Domain:      "freedns.controld.com",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+				u:           u3,
+			},
+		},
+		{
+			"sdns -> dot",
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "sdns",
+				Endpoint:    "sdns://AwcAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29t",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "dot",
+				Endpoint:    "freedns.controld.com:843",
+				BootstrapIP: "76.76.2.11",
+				Domain:      "freedns.controld.com",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+		},
+		{
+			"sdns -> doq",
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "sdns",
+				Endpoint:    "sdns://BAcAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29t",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "doq",
+				Endpoint:    "freedns.controld.com:784",
+				BootstrapIP: "76.76.2.11",
+				Domain:      "freedns.controld.com",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+		},
+		{
+			"sdns -> legacy",
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "sdns",
+				Endpoint:    "sdns://AAcAAAAAAAAACjc2Ljc2LjIuMTE",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "legacy",
+				Endpoint:    "76.76.2.11:53",
+				BootstrapIP: "76.76.2.11",
+				Domain:      "76.76.2.11",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+		},
+		{
+			"sdns without type",
+			&UpstreamConfig{
+				Name:        "sdns",
+				Endpoint:    "sdns://AAcAAAAAAAAACjc2Ljc2LjIuMTE",
+				BootstrapIP: "",
+				Domain:      "",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+			&UpstreamConfig{
+				Name:        "sdns",
+				Type:        "legacy",
+				Endpoint:    "76.76.2.11:53",
+				BootstrapIP: "76.76.2.11",
+				Domain:      "76.76.2.11",
+				Timeout:     0,
+				IPStack:     IpStackBoth,
+			},
+		},
 	}
 
 	for _, tc := range tests {

config_quic.go

@@ -24,7 +24,7 @@ func (uc *UpstreamConfig) setupDOH3Transport() {
 		uc.http3RoundTripper = uc.newDOH3Transport(uc.bootstrapIPs6)
 	case IpStackSplit:
 		uc.http3RoundTripper4 = uc.newDOH3Transport(uc.bootstrapIPs4)
-		if hasIPv6() {
+		if HasIPv6() {
 			uc.http3RoundTripper6 = uc.newDOH3Transport(uc.bootstrapIPs6)
 		} else {
 			uc.http3RoundTripper6 = uc.http3RoundTripper4
@@ -34,9 +34,9 @@ func (uc *UpstreamConfig) setupDOH3Transport() {
 }
 
 func (uc *UpstreamConfig) newDOH3Transport(addrs []string) http.RoundTripper {
-	rt := &http3.RoundTripper{}
+	rt := &http3.Transport{}
 	rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool}
-	rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+	rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 		_, port, _ := net.SplitHostPort(addr)
 		// if we have a bootstrap ip set, use it to avoid DNS lookup
 		if uc.BootstrapIP != "" {
@@ -64,7 +64,7 @@ func (uc *UpstreamConfig) newDOH3Transport(addrs []string) http.RoundTripper {
 		ProxyLogger.Load().Debug().Msgf("sending doh3 request to: %s", conn.RemoteAddr())
 		return conn, err
 	}
-	runtime.SetFinalizer(rt, func(rt *http3.RoundTripper) {
+	runtime.SetFinalizer(rt, func(rt *http3.Transport) {
 		rt.CloseIdleConnections()
 	})
 	return rt
@@ -96,14 +96,14 @@ func (uc *UpstreamConfig) doh3Transport(dnsType uint16) http.RoundTripper {
 //   - quic dialer is different with net.Dialer
 //   - simplification for quic free version
 type parallelDialerResult struct {
-	conn quic.EarlyConnection
+	conn *quic.Conn
 	err  error
 }
 
 type quicParallelDialer struct{}
 
 // Dial performs parallel dialing to the given address list.
-func (d *quicParallelDialer) Dial(ctx context.Context, addrs []string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+func (d *quicParallelDialer) Dial(ctx context.Context, addrs []string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 	if len(addrs) == 0 {
 		return nil, errors.New("empty addresses")
 	}

config_test.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/go-playground/validator/v10"
 	"github.com/spf13/viper"
@@ -22,6 +23,8 @@ func TestLoadConfig(t *testing.T) {
 
 	assert.Equal(t, "info", cfg.Service.LogLevel)
 	assert.Equal(t, "/path/to/log.log", cfg.Service.LogPath)
+	assert.Equal(t, false, *cfg.Service.DnsWatchdogEnabled)
+	assert.Equal(t, time.Duration(20*time.Second), *cfg.Service.DnsWatchdogInvterval)
 
 	assert.Len(t, cfg.Network, 2)
 	assert.Contains(t, cfg.Network, "0")
@@ -104,7 +107,11 @@ func TestConfigValidation(t *testing.T) {
 		{"invalid doh/doh3 endpoint", configWithInvalidDoHEndpoint(t), true},
 		{"invalid client id pref", configWithInvalidClientIDPref(t), true},
 		{"doh endpoint without scheme", dohUpstreamEndpointWithoutScheme(t), false},
+		{"doh endpoint without type", dohUpstreamEndpointWithoutType(t), true},
+		{"doh3 endpoint without type", doh3UpstreamEndpointWithoutType(t), false},
+		{"sdns endpoint without type", sdnsUpstreamEndpointWithoutType(t), false},
 		{"maximum number of flush cache domains", configWithInvalidFlushCacheDomain(t), true},
+		{"kea dhcp4 format", configWithDhcp4KeaFormat(t), false},
 	}
 
 	for _, tc := range tests {
@@ -124,6 +131,21 @@ func TestConfigValidation(t *testing.T) {
 	}
 }
 
+func TestConfigValidationDoNotChangeEndpoint(t *testing.T) {
+	cfg := configWithInvalidDoHEndpoint(t)
+	endpointMap := map[string]struct{}{}
+	for _, uc := range cfg.Upstream {
+		endpointMap[uc.Endpoint] = struct{}{}
+	}
+	validate := validator.New()
+	_ = ctrld.ValidateConfig(validate, cfg)
+	for _, uc := range cfg.Upstream {
+		if _, ok := endpointMap[uc.Endpoint]; !ok {
+			t.Fatalf("expected endpoint '%s' to exist", uc.Endpoint)
+		}
+	}
+}
+
 func TestConfigDiscoverOverride(t *testing.T) {
 	v := viper.NewWithOptions(viper.KeyDelimiter("::"))
 	ctrld.InitConfig(v, "test_config_discover_override")
@@ -176,6 +198,27 @@ func dohUpstreamEndpointWithoutScheme(t *testing.T) *ctrld.Config {
 	return cfg
 }
 
+func dohUpstreamEndpointWithoutType(t *testing.T) *ctrld.Config {
+	cfg := defaultConfig(t)
+	cfg.Upstream["0"].Endpoint = "https://freedns.controld.com/p1"
+	cfg.Upstream["0"].Type = ""
+	return cfg
+}
+
+func doh3UpstreamEndpointWithoutType(t *testing.T) *ctrld.Config {
+	cfg := defaultConfig(t)
+	cfg.Upstream["0"].Endpoint = "h3://freedns.controld.com/p1"
+	cfg.Upstream["0"].Type = ""
+	return cfg
+}
+
+func sdnsUpstreamEndpointWithoutType(t *testing.T) *ctrld.Config {
+	cfg := defaultConfig(t)
+	cfg.Upstream["0"].Endpoint = "sdns://AgMAAAAAAAAACjc2Ljc2LjIuMTEAFGZyZWVkbnMuY29udHJvbGQuY29tAy9wMQ"
+	cfg.Upstream["0"].Type = ""
+	return cfg
+}
+
 func invalidUpstreamTimeout(t *testing.T) *ctrld.Config {
 	cfg := defaultConfig(t)
 	cfg.Upstream["0"].Timeout = -1
@@ -265,6 +308,12 @@ func configWithInvalidLeaseFileFormat(t *testing.T) *ctrld.Config {
 	return cfg
 }
 
+func configWithDhcp4KeaFormat(t *testing.T) *ctrld.Config {
+	cfg := defaultConfig(t)
+	cfg.Service.DHCPLeaseFileFormat = "kea-dhcp4"
+	return cfg
+}
+
 func configWithInvalidDoHEndpoint(t *testing.T) *ctrld.Config {
 	cfg := defaultConfig(t)
 	cfg.Upstream["0"].Endpoint = "/1.1.1.1"

desktop_darwin.go

@@ -0,0 +1,7 @@
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return true
+}

desktop_others.go

@@ -0,0 +1,9 @@
+//go:build !windows && !darwin
+
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return false
+}

desktop_windows.go

@@ -0,0 +1,7 @@
+package ctrld
+
+// IsDesktopPlatform indicates if ctrld is running on a desktop platform,
+// currently defined as macOS or Windows workstation.
+func IsDesktopPlatform() bool {
+	return isWindowsWorkStation()
+}

dns.go

@@ -0,0 +1,30 @@
+package ctrld
+
+import (
+	"github.com/miekg/dns"
+)
+
+// SetCacheReply extracts and stores the necessary data from the message for a cached answer.
+func SetCacheReply(answer, msg *dns.Msg, code int) {
+	answer.SetRcode(msg, code)
+	cCookie := getEdns0Cookie(msg.IsEdns0())
+	sCookie := getEdns0Cookie(answer.IsEdns0())
+	if cCookie != nil && sCookie != nil {
+		// Client cookie is fixed size 8 bytes, Server cookie is variable size 8 -> 32 bytes.
+		// See https://datatracker.ietf.org/doc/html/rfc7873#section-4
+		sCookie.Cookie = cCookie.Cookie[:16] + sCookie.Cookie[16:]
+	}
+}
+
+// getEdns0Cookie returns Edns0 cookie from *dns.OPT if present.
+func getEdns0Cookie(opt *dns.OPT) *dns.EDNS0_COOKIE {
+	if opt == nil {
+		return nil
+	}
+	for _, o := range opt.Option {
+		if e, ok := o.(*dns.EDNS0_COOKIE); ok {
+			return e
+		}
+	}
+	return nil
+}

docker/Dockerfile.debug

@@ -8,7 +8,7 @@
 # - Non-cgo ctrld binary.
 #
 # CI_COMMIT_TAG is used to set the version of ctrld binary.
-FROM golang:1.20-bullseye as base
+FROM golang:bullseye as base
 
 WORKDIR /app
 

docs/config.md

@@ -166,7 +166,6 @@ before serving the query.
 
 ### max_concurrent_requests
 The number of concurrent requests that will be handled, must be a non-negative integer. 
-Tweaking this value depends on the capacity of your system.
 
 - Type: number
 - Required: no
@@ -179,6 +178,8 @@ Perform LAN client discovery using mDNS. This will spawn a listener on port 5353
 - Required: no
 - Default: true
 
+This config is ignored, and always set to `false` on Windows Desktop and Macos.
+
 ### discover_arp
 Perform LAN client discovery using ARP.  
 
@@ -186,6 +187,8 @@ Perform LAN client discovery using ARP.
 - Required: no
 - Default: true
 
+This config is ignored, and always set to `false` on Windows Desktop and Macos.
+
 ### discover_dhcp
 Perform LAN client discovery using DHCP leases files. Common file locations are auto-discovered.  
 
@@ -193,6 +196,8 @@ Perform LAN client discovery using DHCP leases files. Common file locations are
 - Required: no
 - Default: true
 
+This config is ignored, and always set to `false` on Windows Desktop and Macos.
+
 ### discover_ptr
 Perform LAN client discovery using PTR queries.  
 
@@ -200,6 +205,8 @@ Perform LAN client discovery using PTR queries.
 - Required: no
 - Default: true
 
+This config is ignored, and always set to `false` on Windows Desktop and Macos.
+
 ### discover_hosts
 Perform LAN client discovery using hosts file.
 
@@ -207,6 +214,8 @@ Perform LAN client discovery using hosts file.
 - Required: no
 - Default: true
 
+This config is ignored, and always set to `false` on Windows Desktop and Macos.
+
 ### discover_refresh_interval
 Time in seconds between each discovery refresh loop to update new client information data. 
 The default value is 120 seconds, lower this value to make the discovery process run more aggressively.
@@ -252,6 +261,40 @@ Specifying the `ip` and `port` of the Prometheus metrics server. The Prometheus
 - Required: no
 - Default: ""
 
+### dns_watchdog_enabled
+Watches all physical interfaces for DNS changes and reverts them to ctrld's settings.The DNS watchdog process only runs on Windows and MacOS.
+
+- Type: boolean
+- Required: no
+- Default: true
+
+### dns_watchdog_interval
+Time duration between each DNS watchdog iteration.
+
+A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix,
+such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+
+If the time duration is non-positive, default value will be used.
+
+- Type: time duration string
+- Required: no
+- Default: 20s
+
+### refetch_time
+Time in seconds between each iteration that reloads custom config from the API.
+
+The value must be a positive number, any invalid value will be ignored and default value will be used.
+- Type: number
+- Required: no
+- Default: 3600
+
+### leak_on_upstream_failure
+If a remote upstream fails to resolve a query or is unreachable, `ctrld` will forward the queries to the default DNS resolver on the network. If failures persist, `ctrld` will remove itself from all networking interfaces until connectivity is restored. 
+
+- Type: boolean
+- Required: no
+- Default: true on Windows, MacOS and non-router Linux.
+
 ## Upstream
 The `[upstream]` section specifies the DNS upstream servers that `ctrld` will forward DNS requests to.
 
@@ -495,6 +538,15 @@ rules = [
 ]
 ```
 
+If there is no explicitly defined rules, LAN queries will be handled solely by the OS resolver.
+
+These following domains are considered LAN queries:
+
+- Queries does not have dot `.` in domain name, like `machine1`, `example`, ... (1)
+- Queries have domain ends with: `.domain`, `.lan`, `.local`.                   (2)
+- All `SRV` queries of LAN hostname (1) + (2).
+- `PTR` queries with private IPs.
+
 ---
 
 Note that the order of matching preference:
@@ -528,6 +580,12 @@ And within each policy, the rules are processed from top to bottom.
 - Required: no
 - Default: []
 
+---
+
+Note that the domain comparisons are done in case in-sensitive manner following [RFC 1034](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1)
+
+---
+
 ### macs:
 `macs` is the list of mac rules within the policy. Mac address value is case-insensitive.
 

docs/known-issues.md

@@ -0,0 +1,42 @@
+# Known Issues
+
+This document outlines known issues with ctrld and their current status, workarounds, and recommendations.
+
+## macOS (Darwin) Issues
+
+### Self-Upgrade Issue on Darwin 15.5
+
+**Issue**: ctrld self-upgrading functionality may not work on macOS Darwin 15.5.
+
+**Status**: Under investigation
+
+**Description**: Users on macOS Darwin 15.5 may experience issues when ctrld attempts to perform automatic self-upgrades. The upgrade process would be triggered, but ctrld won't be upgraded.
+
+**Workarounds**:
+1. **Recommended**: Upgrade your macOS system to Darwin 15.6 or later, which has been tested and verified to work correctly with ctrld self-upgrade functionality.
+2. **Alternative**: Run `ctrld upgrade prod` directly to manually upgrade ctrld to the latest version on Darwin 15.5.
+
+**Affected Versions**: ctrld v1.4.2 and later on macOS Darwin 15.5
+
+**Last Updated**: 05/09/2025
+
+---
+
+## Contributing to Known Issues
+
+If you encounter an issue not listed here, please:
+
+1. Check the [GitHub Issues](https://github.com/Control-D-Inc/ctrld/issues) to see if it's already reported
+2. If not reported, create a new issue with:
+   - Detailed description of the problem
+   - Steps to reproduce
+   - Expected vs actual behavior
+   - System information (OS, version, architecture)
+   - ctrld version
+
+## Issue Status Legend
+
+- **Under investigation**: Issue is confirmed and being analyzed
+- **Workaround available**: Temporary solution exists while permanent fix is developed
+- **Fixed**: Issue has been resolved in a specific version
+- **Won't fix**: Issue is acknowledged but will not be addressed due to technical limitations or design decisions

docs/runtime-internal-logging.md

@@ -0,0 +1,46 @@
+# Runtime Internal Logging
+
+When no logging is configured (i.e., `log_path` is not set), ctrld automatically enables an internal logging system. This system stores logs in memory to provide troubleshooting information when problems occur.
+
+## Purpose
+
+The runtime internal logging system is designed primarily for **ctrld developers**, not end users. It captures detailed diagnostic information that can be useful for troubleshooting issues when they arise, especially in production environments where explicit logging may not be configured.
+
+## When It's Enabled
+
+Internal logging is automatically enabled when:
+
+- ctrld is running in Control D mode (i.e., `--cd` flag is provided)
+- No log file is configured (i.e., `log_path` is empty or not set)
+
+If a log file is explicitly configured via `log_path`, internal logging will **not** be enabled, as the configured log file serves the logging purpose.
+
+## How It Works
+
+The internal logging system:
+
+- Stores logs in **in-memory buffers** (not written to disk)
+- Captures logs at **debug level** for normal operations and **warn level** for warnings
+- Maintains separate buffers for normal logs and warning logs
+- Automatically manages buffer size to prevent unbounded memory growth
+- Preserves initialization logs even when buffers overflow
+
+## Configuration
+
+**Important**: The `log_level` configuration option does **not** affect the internal logging system. Internal logging always operates at debug level for normal logs and warn level for warnings, regardless of the `log_level` setting in the configuration file.
+
+The `log_level` setting only affects:
+- Console output (when running interactively)
+- File-based logging (when `log_path` is configured)
+
+## Accessing Internal Logs
+
+Internal logs can be accessed through the control server API endpoints. This functionality is intended for developers and support personnel who need to diagnose issues.
+
+## Notes
+
+- Internal logging is **not** a replacement for proper log file configuration in production environments
+- For production deployments, it is recommended to configure `log_path` to enable persistent file-based logging
+- Internal logs are stored in memory and will be lost if the process terminates unexpectedly
+- The internal logging system is automatically disabled when explicit logging is configured
+

doh.go

@@ -2,6 +2,7 @@ package ctrld
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -113,12 +114,14 @@ func (r *dohResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, erro
 		c.Transport = transport
 	}
 	resp, err := c.Do(req)
+	if err != nil && r.uc.FallbackToDirectIP() {
+		retryCtx, cancel := r.uc.Context(context.WithoutCancel(ctx))
+		defer cancel()
+		Log(ctx, ProxyLogger.Load().Warn().Err(err), "retrying request after fallback to direct ip")
+		resp, err = c.Do(req.Clone(retryCtx))
+	}
 	if err != nil {
-		if r.isDoH3 {
-			if closer, ok := c.Transport.(io.Closer); ok {
-				closer.Close()
-			}
-		}
+		err = wrapUrlError(err)
 		return nil, fmt.Errorf("could not perform request: %w", err)
 	}
 	defer resp.Body.Close()
@@ -147,7 +150,7 @@ func addHeader(ctx context.Context, req *http.Request, uc *UpstreamConfig) {
 		if ci, ok := ctx.Value(ClientInfoCtxKey{}).(*ClientInfo); ok && ci != nil {
 			printed = ci.Mac != "" || ci.IP != "" || ci.Hostname != ""
 			switch {
-			case uc.isControlD():
+			case uc.IsControlD():
 				dohHeader = newControlDHeaders(ci)
 			case uc.isNextDNS():
 				dohHeader = newNextDNSHeaders(ci)
@@ -202,3 +205,52 @@ func newNextDNSHeaders(ci *ClientInfo) http.Header {
 	}
 	return header
 }
+
+// wrapCertificateVerificationError wraps a certificate verification error with additional context about the certificate issuer.
+// It extracts information like the issuer, organization, and subject from the certificate for a more descriptive error output.
+// If no certificate-related information is available, it simply returns the original error unmodified.
+func wrapCertificateVerificationError(err error) error {
+	var tlsErr *tls.CertificateVerificationError
+	if errors.As(err, &tlsErr) {
+		if len(tlsErr.UnverifiedCertificates) > 0 {
+			cert := tlsErr.UnverifiedCertificates[0]
+			// Extract a more user-friendly issuer name
+			var issuer string
+			var organization string
+			if len(cert.Issuer.Organization) > 0 {
+				organization = cert.Issuer.Organization[0]
+				issuer = organization
+			} else if cert.Issuer.CommonName != "" {
+				issuer = cert.Issuer.CommonName
+			} else {
+				issuer = cert.Issuer.String()
+			}
+
+			// Get the organization from the subject field as well
+			if len(cert.Subject.Organization) > 0 {
+				organization = cert.Subject.Organization[0]
+			}
+
+			// Extract the subject information
+			subjectCN := cert.Subject.CommonName
+			if subjectCN == "" && len(cert.Subject.Organization) > 0 {
+				subjectCN = cert.Subject.Organization[0]
+			}
+			return fmt.Errorf("%w: %s, %s, %s", tlsErr, subjectCN, organization, issuer)
+		}
+	}
+	return err
+}
+
+// wrapUrlError inspects and wraps a URL error, focusing on certificate verification errors for detailed context.
+func wrapUrlError(err error) error {
+	var urlErr *url.Error
+	if errors.As(err, &urlErr) {
+		var tlsErr *tls.CertificateVerificationError
+		if errors.As(urlErr.Err, &tlsErr) {
+			urlErr.Err = wrapCertificateVerificationError(tlsErr)
+			return urlErr
+		}
+	}
+	return err
+}

doh_test.go

@@ -1,8 +1,22 @@
 package ctrld
 
 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
 	"runtime"
+	"strings"
 	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/quic-go/quic-go/http3"
 )
 
 func Test_dohOsHeaderValue(t *testing.T) {
@@ -21,3 +35,232 @@ func Test_dohOsHeaderValue(t *testing.T) {
 		t.Fatalf("missing decoding value for: %q", runtime.GOOS)
 	}
 }
+
+func Test_wrapUrlError(t *testing.T) {
+	tests := []struct {
+		name    string
+		err     error
+		wantErr string
+	}{
+		{
+			name:    "No wrapping for non-URL errors",
+			err:     errors.New("plain error"),
+			wantErr: "plain error",
+		},
+		{
+			name: "URL error without TLS error",
+			err: &url.Error{
+				Op:  "Get",
+				URL: "https://example.com",
+				Err: errors.New("underlying error"),
+			},
+			wantErr: "Get \"https://example.com\": underlying error",
+		},
+		{
+			name: "TLS error with missing unverified certificate data",
+			err: &url.Error{
+				Op:  "Get",
+				URL: "https://example.com",
+				Err: &tls.CertificateVerificationError{
+					UnverifiedCertificates: nil,
+					Err:                    &x509.UnknownAuthorityError{},
+				},
+			},
+			wantErr: `Get "https://example.com": tls: failed to verify certificate: x509: certificate signed by unknown authority`,
+		},
+		{
+			name: "TLS error with valid certificate data",
+			err: &url.Error{
+				Op:  "Get",
+				URL: "https://example.com",
+				Err: &tls.CertificateVerificationError{
+					UnverifiedCertificates: []*x509.Certificate{
+						{
+							Subject: pkix.Name{
+								CommonName:   "BadSubjectCN",
+								Organization: []string{"BadSubjectOrg"},
+							},
+							Issuer: pkix.Name{
+								CommonName:   "BadIssuerCN",
+								Organization: []string{"BadIssuerOrg"},
+							},
+						},
+					},
+					Err: &x509.UnknownAuthorityError{},
+				},
+			},
+			wantErr: `Get "https://example.com": tls: failed to verify certificate: x509: certificate signed by unknown authority: BadSubjectCN, BadSubjectOrg, BadIssuerOrg`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotErr := wrapUrlError(tt.err)
+			if gotErr.Error() != tt.wantErr {
+				t.Errorf("wrapCertificateVerificationError() error = %v, want %v", gotErr, tt.wantErr)
+			}
+		})
+	}
+}
+
+func Test_ClientCertificateVerificationError(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/dns-message")
+	})
+	tlsServer, cert := testTLSServer(t, handler)
+	tlsServerUrl, err := url.Parse(tlsServer.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	quicServer := newTestQUICServer(t)
+	http3Server := newTestHTTP3Server(t, handler)
+
+	tests := []struct {
+		name string
+		uc   *UpstreamConfig
+	}{
+		{
+			"doh",
+			&UpstreamConfig{
+				Name:     "doh",
+				Type:     ResolverTypeDOH,
+				Endpoint: tlsServer.URL,
+				Timeout:  1000,
+			},
+		},
+		{
+			"doh3",
+			&UpstreamConfig{
+				Name:     "doh3",
+				Type:     ResolverTypeDOH3,
+				Endpoint: http3Server.addr,
+				Timeout:  5000,
+			},
+		},
+		{
+			"doq",
+			&UpstreamConfig{
+				Name:     "doq",
+				Type:     ResolverTypeDOQ,
+				Endpoint: quicServer.addr,
+				Timeout:  5000,
+			},
+		},
+		{
+			"dot",
+			&UpstreamConfig{
+				Name:     "dot",
+				Type:     ResolverTypeDOT,
+				Endpoint: net.JoinHostPort(tlsServerUrl.Hostname(), tlsServerUrl.Port()),
+				Timeout:  1000,
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			tc.uc.Init()
+			tc.uc.SetupBootstrapIP()
+			r, err := NewResolver(tc.uc)
+			if err != nil {
+				t.Fatal(err)
+			}
+			msg := new(dns.Msg)
+			msg.SetQuestion("verify.controld.com.", dns.TypeA)
+			msg.RecursionDesired = true
+			_, err = r.Resolve(context.Background(), msg)
+			// Verify the error contains the expected certificate information
+			if err == nil {
+				t.Fatal("expected certificate verification error, got nil")
+			}
+
+			// You can check the error contains information about the test certificate
+			if !strings.Contains(err.Error(), cert.Issuer.CommonName) {
+				t.Fatalf("error should contain issuer information %q, got: %v", cert.Issuer.CommonName, err)
+			}
+		})
+	}
+}
+
+// testTLSServer creates an HTTPS test server with a self-signed certificate
+// returns the server and its certificate for verification testing
+// testTLSServer creates an HTTPS test server with a self-signed certificate
+func testTLSServer(t *testing.T, handler http.Handler) (*httptest.Server, *x509.Certificate) {
+	t.Helper()
+
+	testCert := generateTestCertificate(t)
+
+	// Create a test server
+	server := httptest.NewUnstartedServer(handler)
+	server.TLS = &tls.Config{
+		Certificates: []tls.Certificate{testCert.tlsCert},
+	}
+	server.StartTLS()
+
+	// Add cleanup
+	t.Cleanup(server.Close)
+
+	return server, testCert.cert
+}
+
+// testHTTP3Server represents a structure for an HTTP/3 test server with its server instance, TLS certificate, and address.
+type testHTTP3Server struct {
+	server *http3.Server
+	cert   *x509.Certificate
+	addr   string
+}
+
+// newTestHTTP3Server creates and starts a test HTTP/3 server with a given handler and returns the server instance.
+func newTestHTTP3Server(t *testing.T, handler http.Handler) *testHTTP3Server {
+	t.Helper()
+
+	testCert := generateTestCertificate(t)
+
+	// First create a listener to get the actual port
+	udpAddr := &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 0}
+	udpConn, err := net.ListenUDP("udp", udpAddr)
+	if err != nil {
+		t.Fatalf("failed to create UDP listener: %v", err)
+	}
+
+	// Get the actual address
+	actualAddr := udpConn.LocalAddr().String()
+
+	// Create TLS config
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{testCert.tlsCert},
+		NextProtos:   []string{"h3"}, // HTTP/3 protocol identifier
+	}
+
+	// Create HTTP/3 server
+	server := &http3.Server{
+		Handler:   handler,
+		TLSConfig: tlsConfig,
+	}
+
+	// Start the server with the existing UDP connection
+	go func() {
+		if err := server.Serve(udpConn); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Logf("HTTP/3 server error: %v", err)
+		}
+	}()
+
+	h3Server := &testHTTP3Server{
+		server: server,
+		cert:   testCert.cert,
+		addr:   actualAddr,
+	}
+
+	// Add cleanup
+	t.Cleanup(func() {
+		server.Close()
+		udpConn.Close()
+	})
+
+	// Wait a bit for the server to be ready
+	time.Sleep(100 * time.Millisecond)
+
+	return h3Server
+}

doq.go

@@ -43,7 +43,7 @@ func resolve(ctx context.Context, msg *dns.Msg, endpoint string, tlsConfig *tls.
 			continue
 		}
 		if err != nil {
-			return nil, err
+			return nil, wrapCertificateVerificationError(err)
 		}
 		return answer, nil
 	}

doq_quic_free.go

@@ -1,18 +0,0 @@
-//go:build qf
-
-package ctrld
-
-import (
-	"context"
-	"errors"
-
-	"github.com/miekg/dns"
-)
-
-type doqResolver struct {
-	uc *UpstreamConfig
-}
-
-func (r *doqResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, error) {
-	return nil, errors.New("DoQ is not supported")
-}

doq_test.go

@@ -0,0 +1,223 @@
+// test_helpers.go
+package ctrld
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/quic-go/quic-go"
+)
+
+// testCertificate represents a test certificate with its components
+type testCertificate struct {
+	cert     *x509.Certificate
+	tlsCert  tls.Certificate
+	template *x509.Certificate
+}
+
+// generateTestCertificate creates a self-signed certificate for testing
+func generateTestCertificate(t *testing.T) *testCertificate {
+	t.Helper()
+
+	// Generate private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("failed to generate private key: %v", err)
+	}
+
+	// Create certificate template
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Test Org"},
+			CommonName:   "Test CA",
+		},
+		Issuer: pkix.Name{
+			Organization: []string{"Test Issuer Org"},
+			CommonName:   "Test Issuer CA",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		DNSNames:              []string{"localhost"},
+	}
+
+	// Create certificate
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		t.Fatalf("failed to create certificate: %v", err)
+	}
+
+	cert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+
+	// Create TLS certificate
+	tlsCert := tls.Certificate{
+		Certificate: [][]byte{derBytes},
+		PrivateKey:  privateKey,
+	}
+
+	return &testCertificate{
+		cert:     cert,
+		tlsCert:  tlsCert,
+		template: template,
+	}
+}
+
+// testQUICServer is a structure representing a test QUIC server for handling connections and streams.
+// listener is the QUIC listener used to accept incoming connections.
+// cert is the x509 certificate used by the server for authentication.
+// addr is the address on which the test server is running.
+type testQUICServer struct {
+	listener *quic.Listener
+	cert     *x509.Certificate
+	addr     string
+}
+
+// newTestQUICServer creates and initializes a test QUIC server with TLS configuration and starts accepting connections.
+func newTestQUICServer(t *testing.T) *testQUICServer {
+	t.Helper()
+
+	testCert := generateTestCertificate(t)
+
+	// Create TLS config
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{testCert.tlsCert},
+		NextProtos:   []string{"doq"},
+	}
+
+	// Create QUIC listener
+	listener, err := quic.ListenAddr("127.0.0.1:0", tlsConfig, nil)
+	if err != nil {
+		t.Fatalf("failed to create QUIC listener: %v", err)
+	}
+
+	server := &testQUICServer{
+		listener: listener,
+		cert:     testCert.cert,
+		addr:     listener.Addr().String(),
+	}
+
+	// Start handling connections
+	go server.serve(t)
+
+	// Add cleanup
+	t.Cleanup(func() {
+		listener.Close()
+	})
+
+	return server
+}
+
+// serve handles incoming connections on the QUIC listener and delegates them to connection handlers in separate goroutines.
+func (s *testQUICServer) serve(t *testing.T) {
+	for {
+		conn, err := s.listener.Accept(context.Background())
+		if err != nil {
+			// Check if the error is due to the listener being closed
+			if strings.Contains(err.Error(), "server closed") {
+				return
+			}
+			t.Logf("failed to accept connection: %v", err)
+			continue
+		}
+
+		go s.handleConnection(t, conn)
+	}
+}
+
+// handleConnection manages an individual QUIC connection by accepting and handling incoming streams in separate goroutines.
+func (s *testQUICServer) handleConnection(t *testing.T, conn *quic.Conn) {
+	for {
+		stream, err := conn.AcceptStream(context.Background())
+		if err != nil {
+			return
+		}
+
+		go s.handleStream(t, stream)
+	}
+}
+
+// handleStream processes a single QUIC stream, reads DNS messages, generates a response, and sends it back to the client.
+func (s *testQUICServer) handleStream(t *testing.T, stream *quic.Stream) {
+	defer stream.Close()
+
+	// Read length (2 bytes)
+	lenBuf := make([]byte, 2)
+	_, err := stream.Read(lenBuf)
+	if err != nil {
+		t.Logf("failed to read message length: %v", err)
+		return
+	}
+	msgLen := uint16(lenBuf[0])<<8 | uint16(lenBuf[1])
+
+	// Read message
+	msgBuf := make([]byte, msgLen)
+	_, err = stream.Read(msgBuf)
+	if err != nil {
+		t.Logf("failed to read message: %v", err)
+		return
+	}
+
+	// Parse DNS message
+	msg := new(dns.Msg)
+	if err := msg.Unpack(msgBuf); err != nil {
+		t.Logf("failed to unpack DNS message: %v", err)
+		return
+	}
+
+	// Create response
+	response := new(dns.Msg)
+	response.SetReply(msg)
+	response.Authoritative = true
+
+	// Add a test answer
+	if len(msg.Question) > 0 && msg.Question[0].Qtype == dns.TypeA {
+		response.Answer = append(response.Answer, &dns.A{
+			Hdr: dns.RR_Header{
+				Name:   msg.Question[0].Name,
+				Rrtype: dns.TypeA,
+				Class:  dns.ClassINET,
+				Ttl:    300,
+			},
+			A: net.ParseIP("192.0.2.1"), // TEST-NET-1 address
+		})
+	}
+
+	// Pack response
+	respBytes, err := response.Pack()
+	if err != nil {
+		t.Logf("failed to pack response: %v", err)
+		return
+	}
+
+	// Write length
+	respLen := uint16(len(respBytes))
+	_, err = stream.Write([]byte{byte(respLen >> 8), byte(respLen & 0xFF)})
+	if err != nil {
+		t.Logf("failed to write response length: %v", err)
+		return
+	}
+
+	// Write response
+	_, err = stream.Write(respBytes)
+	if err != nil {
+		t.Logf("failed to write response: %v", err)
+		return
+	}
+}

dot.go

@@ -18,12 +18,11 @@ func (r *dotResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, erro
 	// dns.controld.dev first. By using a dialer with custom resolver,
 	// we ensure that we can always resolve the bootstrap domain
 	// regardless of the machine DNS status.
-	dialer := newDialer(net.JoinHostPort(bootstrapDNS, "53"))
+	dialer := newDialer(net.JoinHostPort(controldPublicDns, "53"))
 	dnsTyp := uint16(0)
 	if msg != nil && len(msg.Question) > 0 {
 		dnsTyp = msg.Question[0].Qtype
 	}
-
 	tcpNet, _ := r.uc.netForDNSType(dnsTyp)
 	dnsClient := &dns.Client{
 		Net:       tcpNet,
@@ -39,5 +38,5 @@ func (r *dotResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, erro
 	}
 
 	answer, _, err := dnsClient.ExchangeContext(ctx, msg, endpoint)
-	return answer, err
+	return answer, wrapCertificateVerificationError(err)
 }

go.mod

@@ -1,97 +1,108 @@
 module github.com/Control-D-Inc/ctrld
 
-go 1.21
+go 1.24
 
 require (
-	github.com/Masterminds/semver v1.5.0
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/ameshkov/dnsstamps v1.0.3
+	github.com/brunogui0812/sysprofiler v0.5.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf
-	github.com/frankban/quicktest v1.14.5
-	github.com/fsnotify/fsnotify v1.6.0
+	github.com/docker/go-units v0.5.0
+	github.com/frankban/quicktest v1.14.6
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-playground/validator/v10 v10.11.1
-	github.com/godbus/dbus/v5 v5.1.0
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466
 	github.com/hashicorp/golang-lru/v2 v2.0.1
-	github.com/illarion/gonotify v1.0.1
-	github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16
+	github.com/illarion/gonotify/v2 v2.0.3
+	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2
+	github.com/jaypipes/ghw v0.21.0
 	github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/kardianos/service v1.2.1
 	github.com/mdlayher/ndp v1.0.1
-	github.com/miekg/dns v1.1.55
+	github.com/microsoft/wmi v0.24.5
+	github.com/miekg/dns v1.1.58
 	github.com/minio/selfupdate v0.6.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/pelletier/go-toml/v2 v2.0.8
-	github.com/prometheus/client_golang v1.15.1
-	github.com/prometheus/client_model v0.4.0
+	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_model v0.5.0
 	github.com/prometheus/prom2json v1.3.3
-	github.com/quic-go/quic-go v0.42.0
+	github.com/quic-go/quic-go v0.57.1
 	github.com/rs/zerolog v1.28.0
-	github.com/spf13/cobra v1.7.0
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.16.0
-	github.com/stretchr/testify v1.8.3
+	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	golang.org/x/net v0.23.0
-	golang.org/x/sync v0.2.0
-	golang.org/x/sys v0.18.0
+	golang.org/x/net v0.43.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.35.0
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	tailscale.com v1.44.0
+	tailscale.com v1.74.0
 )
 
 require (
 	aead.dev/minisign v0.2.0 // indirect
-	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
+	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/groob/plist v0.0.0-20200425180238-0f631f258c01 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.3.2 // indirect
+	github.com/jaypipes/pcidb v1.1.1 // indirect
+	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.18 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065 // indirect
-	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/packet v1.1.2 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
-	github.com/pierrec/lz4/v4 v4.1.17 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
-	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/spakin/awk v1.0.0 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
-	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
+	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.uber.org/mock v0.4.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect
-	golang.org/x/mod v0.11.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 // indirect
 )
 
 replace github.com/mr-karan/doggo => github.com/Windscribe/doggo v0.0.0-20220919152748-2c118fc391f8
 
-replace github.com/rs/zerolog => github.com/Windscribe/zerolog v0.0.0-20230503170159-e6aa153233be
+replace github.com/rs/zerolog => github.com/Windscribe/zerolog v0.0.0-20241206130353-cc6e8ef5397c

go.sum

@@ -40,50 +40,62 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
-github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Windscribe/zerolog v0.0.0-20230503170159-e6aa153233be h1:qBKVRi7Mom5heOkyZ+NCIu9HZBiNCsRqrRe5t9pooik=
-github.com/Windscribe/zerolog v0.0.0-20230503170159-e6aa153233be/go.mod h1:/tk+P47gFdPXq4QYjvCmT5/Gsug2nagsFWBWhAiSi1w=
-github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
-github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
+github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Windscribe/zerolog v0.0.0-20241206130353-cc6e8ef5397c h1:UqFsxmwiCh/DBvwJB0m7KQ2QFDd6DdUkosznfMppdhE=
+github.com/Windscribe/zerolog v0.0.0-20241206130353-cc6e8ef5397c/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
+github.com/ameshkov/dnsstamps v1.0.3/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/brunogui0812/sysprofiler v0.5.0 h1:AUekplOKG/VKH6sPSBRxsKOA9Uv5OsI8qolXM73dXPU=
+github.com/brunogui0812/sysprofiler v0.5.0/go.mod h1:lLd7gvylgd4nsTSC8exq1YY6qhLWXkgnalxjVzdlbEM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ=
-github.com/cilium/ebpf v0.10.0/go.mod h1:DPiVdY/kT534dgc9ERmvP8mWA+9gvwgKfRvk4nNWnoE=
+github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
+github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf h1:40DHYsri+d1bnroFDU2FQAeq68f3kAlOzlQ93kCf26Q=
 github.com/cuonglm/osinfo v0.0.0-20230921071424-e0e1b1e0bbbf/go.mod h1:G45410zMgmnSjLVKCq4f6GpbYAzoP2plX9rPwgx6C24=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
-github.com/frankban/quicktest v1.14.5/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
+github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
@@ -92,11 +104,9 @@ github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/j
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ=
 github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
-github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -122,9 +132,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -136,9 +145,9 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -152,13 +161,15 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/groob/plist v0.0.0-20200425180238-0f631f258c01 h1:0T3XGXebqLj7zSVLng9wX9axQzTEnvj/h6eT7iLfUas=
+github.com/groob/plist v0.0.0-20200425180238-0f631f258c01/go.mod h1:itkABA+w2cw7x5nYUS/pLRef6ludkZKOigbROmCTaFw=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
@@ -169,19 +180,24 @@ github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwsoio=
-github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE=
+github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
+github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16 h1:+aAGyK41KRn8jbF2Q7PLL0Sxwg6dShGcQSeCC7nZQ8E=
-github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16/go.mod h1:IKrnDWs3/Mqq5n0lI+RxA2sB7MvN/vbMBP3ehXg65UI=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
+github.com/jaypipes/ghw v0.21.0 h1:ClG2xWtYY0c1ud9jZYwVGdSgfCI7AbmZmZyw3S5HHz8=
+github.com/jaypipes/ghw v0.21.0/go.mod h1:GPrvwbtPoxYUenr74+nAnWbardIZq600vJDD5HnPsPE=
+github.com/jaypipes/pcidb v1.1.1 h1:QmPhpsbmmnCwZmHeYAATxEaoRuiMAJusKYkUncMC0ro=
+github.com/jaypipes/pcidb v1.1.1/go.mod h1:x27LT2krrUgjf875KxQXKB0Ha/YXLdZRVmw6hH0G7g8=
 github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c h1:kbTQ8oGf+BVFvt/fM+ECI+NbZDCqoi0vtZTfB2p2hrI=
 github.com/jaytaylor/go-hostsfile v0.0.0-20220426042432-61485ac1fa6c/go.mod h1:k6+89xKz7BSMJ+DzIerBdtpEUeTlBMugO/hcVSzahog=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.3.2 h1:dcn0uWkfxycEEyNy0IGfx3GrhQ38LH7odjxAghimsVI=
-github.com/jsimonetti/rtnetlink v1.3.2/go.mod h1:BBu4jZCpTjP6Gk0/wfrO8qcqymnN3g0hoFqObRmUo6U=
+github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
+github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kardianos/service v1.2.1 h1:AYndMsehS+ywIS6RB9KOlcXzteWUzxgMgBymJD7+BYk=
@@ -201,66 +217,62 @@ github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
 github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
-github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7 h1:lez6TS6aAau+8wXUP3G9I3TGlmPFEq2CTxBaRqY6AGE=
-github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
 github.com/mdlayher/ndp v1.0.1 h1:+yAD79/BWyFlvAoeG5ncPS0ItlHP/eVbH7bQ6/+LVA4=
 github.com/mdlayher/ndp v1.0.1/go.mod h1:rf3wKaWhAYJEXFKpgF8kQ2AxypxVbfNcZbqoAo6fVzk=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065 h1:aFkJ6lx4FPip+S+Uw4aTegFMct9shDvP+79PsSxpm3w=
-github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
-github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/mdlayher/packet v1.1.2 h1:3Up1NG6LZrsgDVn6X4L9Ge/iyRyxFEFD9o6Pr3Q1nQY=
+github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU+x0kew4=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
+github.com/microsoft/wmi v0.24.5 h1:NT+WqhjKbEcg3ldmDsRMarWgHGkpeW+gMopSCfON0kM=
+github.com/microsoft/wmi v0.24.5/go.mod h1:1zbdSF0A+5OwTUII5p3hN7/K6KF2m3o27pSG6Y51VU8=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
 github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
-github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
-github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
-github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
 github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
-github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
-github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
+github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/prometheus/prom2json v1.3.3 h1:IYfSMiZ7sSOfliBoo89PcufjWO4eAR0gznGcETyaUgo=
 github.com/prometheus/prom2json v1.3.3/go.mod h1:Pv4yIPktEkK7btWsrUTWDDDrnpUrAELaOCj+oFwlgmc=
-github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
-github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/quic-go v0.42.0 h1:uSfdap0eveIl8KXnipv9K7nlwZ5IqLlYOpJ58u5utpM=
-github.com/quic-go/quic-go v0.42.0/go.mod h1:132kz4kL3F9vxhW3CtQJLDVwcFe5wdWeJXXijhsO57M=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.57.1 h1:25KAAR9QR8KZrCZRThWMKVAwGoiHIrNbT72ULHTuI10=
+github.com/quic-go/quic-go v0.57.1/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -268,26 +280,29 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
-github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spakin/awk v1.0.0 h1:5ulBVgJhdN3XoFGNVv/MOHOIUfPVPvMCIlLH6O6ZqU4=
+github.com/spakin/awk v1.0.0/go.mod h1:e7FnxcIEcRqdKwStPYWonox4n9DpharWk+3nnn1IqJs=
 github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
 github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
-github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
-github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
+github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -295,12 +310,13 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 h1:YcojQL98T/OO+rybuzn2+5KrD5dBwXIvYBvQ2cD3Avg=
-github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
+github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -310,16 +326,20 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -330,8 +350,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -342,8 +362,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
-golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -367,15 +387,14 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -402,8 +421,8 @@ golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -423,19 +442,18 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -467,16 +485,16 @@ golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -487,13 +505,13 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -541,8 +559,8 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -637,8 +655,6 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -660,8 +676,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 h1:eeH1AIcPvSc0Z25ThsYF+Xoqbn0CI/YnXVYoTLFdGQw=
+howett.net/plist v1.0.2-0.20250314012144-ee69052608d9/go.mod h1:fyFX5Hj5tP1Mpk8obqA9MZgXT416Q5711SDT7dQLTLk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-tailscale.com v1.44.0 h1:MPos9n30kJvdyfL52045gVFyNg93K+bwgDsr8gqKq2o=
-tailscale.com v1.44.0/go.mod h1:+iYwTdeHyVJuNDu42Zafwihq1Uqfh+pW7pRaY1GD328=
+tailscale.com v1.74.0 h1:J+vRN9o3D4wCqZBiwvDg9kZpQag2mG4Xz5RXNpmV3KE=
+tailscale.com v1.74.0/go.mod h1:3iACpCONQ4lauDXvwfoGlwNCpfbVxjdc2j6G9EuFOW8=

internal/clientinfo/client_info.go

@@ -77,6 +77,7 @@ type Table struct {
 	hostnameResolvers []HostnameResolver
 	refreshers        []refresher
 	initOnce          sync.Once
+	stopOnce          sync.Once
 	refreshInterval   int
 
 	dhcp           *dhcp
@@ -90,7 +91,9 @@ type Table struct {
 	vni            *virtualNetworkIface
 	svcCfg         ctrld.ServiceConfig
 	quitCh         chan struct{}
+	stopCh         chan struct{}
 	selfIP         string
+	selfIPLock     sync.RWMutex
 	cdUID          string
 	ptrNameservers []string
 }
@@ -103,6 +106,7 @@ func NewTable(cfg *ctrld.Config, selfIP, cdUID string, ns []string) *Table {
 	return &Table{
 		svcCfg:          cfg.Service,
 		quitCh:          make(chan struct{}),
+		stopCh:          make(chan struct{}),
 		selfIP:          selfIP,
 		cdUID:           cdUID,
 		ptrNameservers:  ns,
@@ -120,33 +124,80 @@ func (t *Table) AddLeaseFile(name string, format ctrld.LeaseFileFormat) {
 // RefreshLoop runs all the refresher to update new client info data.
 func (t *Table) RefreshLoop(ctx context.Context) {
 	timer := time.NewTicker(time.Second * time.Duration(t.refreshInterval))
-	defer timer.Stop()
+	defer func() {
+		timer.Stop()
+		close(t.quitCh)
+	}()
 	for {
 		select {
 		case <-timer.C:
-			for _, r := range t.refreshers {
-				_ = r.refresh()
-			}
+			t.Refresh()
+		case <-t.stopCh:
+			return
 		case <-ctx.Done():
-			close(t.quitCh)
 			return
 		}
 	}
 }
 
+// Init initializes all client info discovers.
 func (t *Table) Init() {
 	t.initOnce.Do(t.init)
 }
 
+// Refresh forces all discovers to retrieve new data.
+func (t *Table) Refresh() {
+	for _, r := range t.refreshers {
+		_ = r.refresh()
+	}
+}
+
+// Stop stops all the discovers.
+// It blocks until all the discovers done.
+func (t *Table) Stop() {
+	t.stopOnce.Do(func() {
+		close(t.stopCh)
+	})
+	<-t.quitCh
+}
+
+// SelfIP returns the selfIP value of the Table in a thread-safe manner.
+func (t *Table) SelfIP() string {
+	t.selfIPLock.RLock()
+	defer t.selfIPLock.RUnlock()
+	return t.selfIP
+}
+
+// SetSelfIP sets the selfIP value of the Table in a thread-safe manner.
+func (t *Table) SetSelfIP(ip string) {
+	t.selfIPLock.Lock()
+	defer t.selfIPLock.Unlock()
+	t.selfIP = ip
+	t.dhcp.selfIP = t.selfIP
+	t.dhcp.addSelf()
+}
+
+// initSelfDiscover initializes necessary client metadata for self query.
+func (t *Table) initSelfDiscover() {
+	t.dhcp = &dhcp{selfIP: t.selfIP}
+	t.dhcp.addSelf()
+	t.ipResolvers = append(t.ipResolvers, t.dhcp)
+	t.macResolvers = append(t.macResolvers, t.dhcp)
+	t.hostnameResolvers = append(t.hostnameResolvers, t.dhcp)
+}
+
 func (t *Table) init() {
 	// Custom client ID presents, use it as the only source.
 	if _, clientID := controld.ParseRawUID(t.cdUID); clientID != "" {
-		ctrld.ProxyLogger.Load().Debug().Msg("start self discovery")
-		t.dhcp = &dhcp{selfIP: t.selfIP}
-		t.dhcp.addSelf()
-		t.ipResolvers = append(t.ipResolvers, t.dhcp)
-		t.macResolvers = append(t.macResolvers, t.dhcp)
-		t.hostnameResolvers = append(t.hostnameResolvers, t.dhcp)
+		ctrld.ProxyLogger.Load().Debug().Msg("start self discovery with custom client id")
+		t.initSelfDiscover()
+		return
+	}
+
+	// If we are running on platforms that should only do self discover, use it as the only source, too.
+	if ctrld.SelfDiscover() {
+		ctrld.ProxyLogger.Load().Debug().Msg("start self discovery on desktop platforms")
+		t.initSelfDiscover()
 		return
 	}
 
@@ -168,11 +219,10 @@ func (t *Table) init() {
 		}
 		for platform, discover := range discovers {
 			if err := discover.refresh(); err != nil {
-				ctrld.ProxyLogger.Load().Error().Err(err).Msgf("could not init %s discover", platform)
-			} else {
-				t.hostnameResolvers = append(t.hostnameResolvers, discover)
-				t.refreshers = append(t.refreshers, discover)
+				ctrld.ProxyLogger.Load().Warn().Err(err).Msgf("failed to init %s discover", platform)
 			}
+			t.hostnameResolvers = append(t.hostnameResolvers, discover)
+			t.refreshers = append(t.refreshers, discover)
 		}
 	}
 	// Hosts file mapping.
@@ -381,22 +431,30 @@ func (t *Table) lookupHostnameAll(ip, mac string) []*hostnameEntry {
 
 // ListClients returns list of clients discovered by ctrld.
 func (t *Table) ListClients() []*Client {
-	for _, r := range t.refreshers {
-		_ = r.refresh()
-	}
+	t.Refresh()
 	ipMap := make(map[string]*Client)
 	il := []ipLister{t.dhcp, t.arp, t.ndp, t.ptr, t.mdns, t.vni}
+
 	for _, ir := range il {
+		if ir == nil {
+			continue
+		}
+
 		for _, ip := range ir.List() {
-			c, ok := ipMap[ip]
-			if !ok {
-				c = &Client{
-					IP:     netip.MustParseAddr(ip),
-					Source: map[string]struct{}{ir.String(): {}},
+			// Validate IP before using MustParseAddr
+			if addr, err := netip.ParseAddr(ip); err == nil {
+				c, ok := ipMap[ip]
+				if !ok {
+					c = &Client{
+						IP:     addr,
+						Source: map[string]struct{}{},
+					}
+					ipMap[ip] = c
+				}
+				// Safely get source name
+				if src := ir.String(); src != "" {
+					c.Source[src] = struct{}{}
 				}
-				ipMap[ip] = c
-			} else {
-				c.Source[ir.String()] = struct{}{}
 			}
 		}
 	}

internal/clientinfo/dhcp.go

@@ -13,8 +13,9 @@ import (
 	"strings"
 	"sync"
 
+	"tailscale.com/net/netmon"
+
 	"github.com/fsnotify/fsnotify"
-	"tailscale.com/net/interfaces"
 	"tailscale.com/util/lineread"
 
 	"github.com/Control-D-Inc/ctrld"
@@ -356,7 +357,7 @@ func (d *dhcp) addSelf() {
 	d.ip2name.Store(ipV4Loopback, hostname)
 	d.ip2name.Store(ipv6Loopback, hostname)
 	found := false
-	interfaces.ForeachInterface(func(i interfaces.Interface, prefixes []netip.Prefix) {
+	netmon.ForeachInterface(func(i netmon.Interface, prefixes []netip.Prefix) {
 		mac := i.HardwareAddr.String()
 		// Skip loopback interfaces, info was stored above.
 		if mac == "" {

internal/clientinfo/dhcp_lease_files.go

@@ -16,4 +16,5 @@ var clientInfoFiles = map[string]ctrld.LeaseFileFormat{
 	"/var/dhcpd/var/db/dhcpd.leases":           ctrld.IscDhcpd, // Pfsense
 	"/home/pi/.router/run/dhcp/dnsmasq.leases": ctrld.Dnsmasq,  // Firewalla
 	"/var/lib/kea/dhcp4.leases":                ctrld.KeaDHCP4, // Pfsense
+	"/var/db/dnsmasq.leases":                   ctrld.Dnsmasq,  // OPNsense
 }

internal/clientinfo/mdns.go

@@ -74,7 +74,6 @@ func (m *mdns) lookupIPByHostname(name string, v6 bool) string {
 		if value == name {
 			if addr, err := netip.ParseAddr(key.(string)); err == nil && addr.Is6() == v6 {
 				ip = addr.String()
-				//lint:ignore S1008 This is used for readable.
 				if addr.IsLoopback() { // Continue searching if this is loopback address.
 					return true
 				}
@@ -92,6 +91,11 @@ func (m *mdns) init(quitCh chan struct{}) error {
 		return err
 	}
 
+	// Check if IPv6 is available once and use the result for the rest of the function.
+	ctrld.ProxyLogger.Load().Debug().Msgf("checking for IPv6 availability in mdns init")
+	ipv6 := ctrldnet.IPv6Available(context.Background())
+	ctrld.ProxyLogger.Load().Debug().Msgf("IPv6 is %v in mdns init", ipv6)
+
 	v4ConnList := make([]*net.UDPConn, 0, len(ifaces))
 	v6ConnList := make([]*net.UDPConn, 0, len(ifaces))
 	for _, iface := range ifaces {
@@ -102,7 +106,8 @@ func (m *mdns) init(quitCh chan struct{}) error {
 			v4ConnList = append(v4ConnList, conn)
 			go m.readLoop(conn)
 		}
-		if ctrldnet.IPv6Available(context.Background()) {
+
+		if ipv6 {
 			if conn, err := net.ListenMulticastUDP("udp6", &iface, mdnsV6Addr); err == nil {
 				v6ConnList = append(v6ConnList, conn)
 				go m.readLoop(conn)
@@ -122,8 +127,8 @@ func (m *mdns) probeLoop(conns []*net.UDPConn, remoteAddr net.Addr, quitCh chan
 	bo := backoff.NewBackoff("mdns probe", func(format string, args ...any) {}, time.Second*30)
 	for {
 		err := m.probe(conns, remoteAddr)
-		if isErrNetUnreachableOrInvalid(err) {
-			ctrld.ProxyLogger.Load().Warn().Msgf("stop probing %q: network unreachable or invalid", remoteAddr)
+		if shouldStopProbing(err) {
+			ctrld.ProxyLogger.Load().Warn().Msgf("stop probing %q: %v", remoteAddr, err)
 			break
 		}
 		if err != nil {
@@ -165,7 +170,7 @@ func (m *mdns) readLoop(conn *net.UDPConn) {
 		}
 
 		var ip, name string
-		rrs := make([]dns.RR, 0, len(msg.Answer)+len(msg.Extra))
+		var rrs []dns.RR
 		rrs = append(rrs, msg.Answer...)
 		rrs = append(rrs, msg.Extra...)
 		for _, rr := range rrs {
@@ -273,10 +278,14 @@ func multicastInterfaces() ([]net.Interface, error) {
 	return interfaces, nil
 }
 
-func isErrNetUnreachableOrInvalid(err error) bool {
+// shouldStopProbing reports whether ctrld should stop probing mdns.
+func shouldStopProbing(err error) bool {
 	var se *os.SyscallError
 	if errors.As(err, &se) {
-		return se.Err == syscall.ENETUNREACH || se.Err == syscall.EINVAL
+		switch se.Err {
+		case syscall.ENETUNREACH, syscall.EINVAL, syscall.EPERM:
+			return true
+		}
 	}
 	return false
 }

internal/clientinfo/mdns_services.go

@@ -67,4 +67,16 @@ var services = [...]string{
 
 	// Merlin
 	"_alexa._tcp",
+
+	// Newer Android TV devices
+	"_androidtvremote2._tcp.local.",
+
+	// https://esphome.io/
+	"_esphomelib._tcp.local.",
+
+	// https://www.home-assistant.io/
+	"_home-assistant._tcp.local.",
+
+	// https://kno.wled.ge/
+	"_wled._tcp.local.",
 }

internal/clientinfo/ptr_lookup.go

@@ -104,7 +104,6 @@ func (p *ptrDiscover) lookupIPByHostname(name string, v6 bool) string {
 		if value == name {
 			if addr, err := netip.ParseAddr(key.(string)); err == nil && addr.Is6() == v6 {
 				ip = addr.String()
-				//lint:ignore S1008 This is used for readable.
 				if addr.IsLoopback() { // Continue searching if this is loopback address.
 					return true
 				}
@@ -120,8 +119,7 @@ func (p *ptrDiscover) lookupIPByHostname(name string, v6 bool) string {
 // is reachable, set p.serverDown to false, so p.lookupHostname can continue working.
 func (p *ptrDiscover) checkServer() {
 	bo := backoff.NewBackoff("ptrDiscover", func(format string, args ...any) {}, time.Minute*5)
-	m := new(dns.Msg)
-	m.SetQuestion(".", dns.TypeNS)
+	m := (&ctrld.UpstreamConfig{}).VerifyMsg()
 	ping := func() error {
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 		defer cancel()

internal/clientinfo/ubios.go

@@ -3,6 +3,7 @@ package clientinfo
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os/exec"
 	"strings"
@@ -44,9 +45,9 @@ func (u *ubiosDiscover) refreshDevices() error {
 	cmd := exec.Command("/usr/bin/mongo", "localhost:27117/ace", "--quiet", "--eval", `
 		DBQuery.shellBatchSize = 256;
 		db.user.find({name: {$exists: true, $ne: ""}}, {_id:0, mac:1, name:1});`)
-	b, err := cmd.Output()
+	b, err := cmd.CombinedOutput()
 	if err != nil {
-		return err
+		return fmt.Errorf("out: %s, err: %w", string(b), err)
 	}
 	return u.storeDevices(bytes.NewReader(b))
 }

internal/controld/config.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -23,17 +24,28 @@ import (
 
 const (
 	apiDomainCom       = "api.controld.com"
+	apiDomainComIPv4   = "147.185.34.1"
+	apiDomainComIPv6   = "2606:1a40:3::1"
 	apiDomainDev       = "api.controld.dev"
-	resolverDataURLCom = "https://api.controld.com/utility"
-	resolverDataURLDev = "https://api.controld.dev/utility"
-	InvalidConfigCode  = 40401
+	apiDomainDevIPv4   = "23.171.240.84"
+	apiURLCom          = "https://api.controld.com"
+	apiURLDev          = "https://api.controld.dev"
+	resolverDataURLCom = apiURLCom + "/utility"
+	resolverDataURLDev = apiURLDev + "/utility"
+	logURLCom          = apiURLCom + "/logs"
+	logURLDev          = apiURLDev + "/logs"
+	InvalidConfigCode  = 40402
+	defaultTimeout     = 20 * time.Second
+	sendLogTimeout     = 300 * time.Second
 )
 
 // ResolverConfig represents Control D resolver data.
 type ResolverConfig struct {
 	DOH   string `json:"doh"`
 	Ctrld struct {
-		CustomConfig string `json:"custom_config"`
+		CustomConfig     string `json:"custom_config"`
+		CustomLastUpdate int64  `json:"custom_last_update"`
+		VersionTarget    string `json:"version_target"`
 	} `json:"ctrld"`
 	Exclude         []string `json:"exclude"`
 	UID             string   `json:"uid"`
@@ -47,46 +59,83 @@ type utilityResponse struct {
 	} `json:"body"`
 }
 
-type UtilityErrorResponse struct {
+type ErrorResponse struct {
 	ErrorField struct {
 		Message string `json:"message"`
 		Code    int    `json:"code"`
 	} `json:"error"`
 }
 
-func (u UtilityErrorResponse) Error() string {
+func (u ErrorResponse) Error() string {
 	return u.ErrorField.Message
 }
 
 type utilityRequest struct {
-	UID      string `json:"uid"`
-	ClientID string `json:"client_id,omitempty"`
+	UID      string            `json:"uid"`
+	ClientID string            `json:"client_id,omitempty"`
+	Metadata map[string]string `json:"metadata"`
 }
 
-type utilityOrgRequest struct {
-	ProvToken string `json:"prov_token"`
-	Hostname  string `json:"hostname"`
+// UtilityOrgRequest contains request data for calling Org API.
+type UtilityOrgRequest struct {
+	ProvToken string            `json:"prov_token"`
+	Hostname  string            `json:"hostname"`
+	Metadata  map[string]string `json:"metadata"`
+}
+
+// ResolverConfigRequest contains request data for fetching resolver config.
+type ResolverConfigRequest struct {
+	RawUID   string
+	Version  string
+	Metadata map[string]string
+}
+
+// LogsRequest contains request data for sending runtime logs to API.
+type LogsRequest struct {
+	UID  string        `json:"uid"`
+	Data io.ReadCloser `json:"-"`
 }
 
 // FetchResolverConfig fetch Control D config for given uid.
-func FetchResolverConfig(rawUID, version string, cdDev bool) (*ResolverConfig, error) {
+func FetchResolverConfig(req *ResolverConfigRequest, cdDev bool) (*ResolverConfig, error) {
+	uid, clientID := ParseRawUID(req.RawUID)
+	uReq := utilityRequest{
+		UID:      uid,
+		Metadata: req.Metadata,
+	}
+	if clientID != "" {
+		uReq.ClientID = clientID
+	}
+	body, _ := json.Marshal(uReq)
+	return postUtilityAPI(req.Version, cdDev, false, bytes.NewReader(body))
+}
+
+// FetchResolverUID fetch resolver uid from a given request.
+func FetchResolverUID(req *UtilityOrgRequest, version string, cdDev bool) (*ResolverConfig, error) {
+	if req == nil {
+		return nil, errors.New("invalid request")
+	}
+	if req.Hostname == "" {
+		hostname, _ := os.Hostname()
+		req.Hostname = hostname
+	}
+
+	body, _ := json.Marshal(req)
+	return postUtilityAPI(version, cdDev, false, bytes.NewReader(body))
+}
+
+// UpdateCustomLastFailed calls API to mark custom config is bad.
+func UpdateCustomLastFailed(rawUID, version string, cdDev, lastUpdatedFailed bool) (*ResolverConfig, error) {
 	uid, clientID := ParseRawUID(rawUID)
 	req := utilityRequest{UID: uid}
 	if clientID != "" {
 		req.ClientID = clientID
 	}
 	body, _ := json.Marshal(req)
-	return postUtilityAPI(version, cdDev, bytes.NewReader(body))
+	return postUtilityAPI(version, cdDev, true, bytes.NewReader(body))
 }
 
-// FetchResolverUID fetch resolver uid from provision token.
-func FetchResolverUID(pt, version string, cdDev bool) (*ResolverConfig, error) {
-	hostname, _ := os.Hostname()
-	body, _ := json.Marshal(utilityOrgRequest{ProvToken: pt, Hostname: hostname})
-	return postUtilityAPI(version, cdDev, bytes.NewReader(body))
-}
-
-func postUtilityAPI(version string, cdDev bool, body io.Reader) (*ResolverConfig, error) {
+func postUtilityAPI(version string, cdDev, lastUpdatedFailed bool, body io.Reader) (*ResolverConfig, error) {
 	apiUrl := resolverDataURLCom
 	if cdDev {
 		apiUrl = resolverDataURLDev
@@ -98,44 +147,24 @@ func postUtilityAPI(version string, cdDev bool, body io.Reader) (*ResolverConfig
 	q := req.URL.Query()
 	q.Set("platform", "ctrld")
 	q.Set("version", version)
+	if lastUpdatedFailed {
+		q.Set("custom_last_failed", "1")
+	}
 	req.URL.RawQuery = q.Encode()
 	req.Header.Add("Content-Type", "application/json")
-	transport := http.DefaultTransport.(*http.Transport).Clone()
-	transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		apiDomain := apiDomainCom
-		if cdDev {
-			apiDomain = apiDomainDev
-		}
-		ips := ctrld.LookupIP(apiDomain)
-		if len(ips) == 0 {
-			ctrld.ProxyLogger.Load().Warn().Msgf("No IPs found for %s, connecting to %s", apiDomain, addr)
-			return ctrldnet.Dialer.DialContext(ctx, network, addr)
-		}
-		ctrld.ProxyLogger.Load().Debug().Msgf("API IPs: %v", ips)
-		_, port, _ := net.SplitHostPort(addr)
-		addrs := make([]string, len(ips))
-		for i := range ips {
-			addrs[i] = net.JoinHostPort(ips[i], port)
-		}
-		d := &ctrldnet.ParallelDialer{}
-		return d.DialContext(ctx, network, addrs)
-	}
-
-	if router.Name() == ddwrt.Name || runtime.GOOS == "android" {
-		transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool()}
-	}
-	client := http.Client{
-		Timeout:   10 * time.Second,
+	transport := apiTransport(cdDev)
+	client := &http.Client{
+		Timeout:   defaultTimeout,
 		Transport: transport,
 	}
-	resp, err := client.Do(req)
+	resp, err := doWithFallback(client, req, apiServerIP(cdDev))
 	if err != nil {
-		return nil, fmt.Errorf("client.Do: %w", err)
+		return nil, fmt.Errorf("postUtilityAPI client.Do: %w", err)
 	}
 	defer resp.Body.Close()
 	d := json.NewDecoder(resp.Body)
 	if resp.StatusCode != http.StatusOK {
-		errResp := &UtilityErrorResponse{}
+		errResp := &ErrorResponse{}
 		if err := d.Decode(errResp); err != nil {
 			return nil, err
 		}
@@ -149,6 +178,43 @@ func postUtilityAPI(version string, cdDev bool, body io.Reader) (*ResolverConfig
 	return &ur.Body.Resolver, nil
 }
 
+// SendLogs sends runtime log to ControlD API.
+func SendLogs(lr *LogsRequest, cdDev bool) error {
+	defer lr.Data.Close()
+	apiUrl := logURLCom
+	if cdDev {
+		apiUrl = logURLDev
+	}
+	req, err := http.NewRequest("POST", apiUrl, lr.Data)
+	if err != nil {
+		return fmt.Errorf("http.NewRequest: %w", err)
+	}
+	q := req.URL.Query()
+	q.Set("uid", lr.UID)
+	req.URL.RawQuery = q.Encode()
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	transport := apiTransport(cdDev)
+	client := &http.Client{
+		Timeout:   sendLogTimeout,
+		Transport: transport,
+	}
+	resp, err := doWithFallback(client, req, apiServerIP(cdDev))
+	if err != nil {
+		return fmt.Errorf("SendLogs client.Do: %w", err)
+	}
+	defer resp.Body.Close()
+	d := json.NewDecoder(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		errResp := &ErrorResponse{}
+		if err := d.Decode(errResp); err != nil {
+			return err
+		}
+		return errResp
+	}
+	_, _ = io.Copy(io.Discard, resp.Body)
+	return nil
+}
+
 // ParseRawUID parse the input raw UID, returning real UID and ClientID.
 // The raw UID can have 2 forms:
 //
@@ -158,3 +224,94 @@ func ParseRawUID(rawUID string) (string, string) {
 	uid, clientID, _ := strings.Cut(rawUID, "/")
 	return uid, clientID
 }
+
+// apiTransport returns an HTTP transport for connecting to ControlD API endpoint.
+func apiTransport(cdDev bool) *http.Transport {
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+		apiDomain := apiDomainCom
+		apiIpsV4 := []string{apiDomainComIPv4}
+		apiIpsV6 := []string{apiDomainComIPv6}
+		apiIPs := []string{apiDomainComIPv4, apiDomainComIPv6}
+		if cdDev {
+			apiDomain = apiDomainDev
+			apiIpsV4 = []string{apiDomainDevIPv4}
+			apiIpsV6 = []string{}
+			apiIPs = []string{apiDomainDevIPv4}
+		}
+
+		ips := ctrld.LookupIP(apiDomain)
+		if len(ips) == 0 {
+			ctrld.ProxyLogger.Load().Warn().Msgf("No IPs found for %s, use direct IPs: %v", apiDomain, apiIPs)
+			ips = apiIPs
+		}
+
+		// Separate IPv4 and IPv6 addresses
+		var ipv4s, ipv6s []string
+		for _, ip := range ips {
+			if strings.Contains(ip, ":") {
+				ipv6s = append(ipv6s, ip)
+			} else {
+				ipv4s = append(ipv4s, ip)
+			}
+		}
+
+		dial := func(ctx context.Context, network string, addrs []string) (net.Conn, error) {
+			d := &ctrldnet.ParallelDialer{}
+			return d.DialContext(ctx, network, addrs, ctrld.ProxyLogger.Load())
+		}
+		_, port, _ := net.SplitHostPort(addr)
+
+		// Try IPv4 first
+		if len(ipv4s) > 0 {
+			if conn, err := dial(ctx, "tcp4", addrsFromPort(ipv4s, port)); err == nil {
+				return conn, nil
+			}
+		}
+		// Fallback to direct IPv4
+		if conn, err := dial(ctx, "tcp4", addrsFromPort(apiIpsV4, port)); err == nil {
+			return conn, nil
+		}
+
+		// Fallback to IPv6 if available
+		if len(ipv6s) > 0 {
+			if conn, err := dial(ctx, "tcp6", addrsFromPort(ipv6s, port)); err == nil {
+				return conn, nil
+			}
+		}
+		// Fallback to direct IPv6
+		return dial(ctx, "tcp6", addrsFromPort(apiIpsV6, port))
+	}
+	if router.Name() == ddwrt.Name || runtime.GOOS == "android" {
+		transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool()}
+	}
+	return transport
+}
+
+func addrsFromPort(ips []string, port string) []string {
+	addrs := make([]string, len(ips))
+	for i, ip := range ips {
+		addrs[i] = net.JoinHostPort(ip, port)
+	}
+	return addrs
+}
+
+func doWithFallback(client *http.Client, req *http.Request, apiIp string) (*http.Response, error) {
+	resp, err := client.Do(req)
+	if err != nil {
+		ctrld.ProxyLogger.Load().Warn().Err(err).Msgf("failed to send request, fallback to direct IP: %s", apiIp)
+		ipReq := req.Clone(req.Context())
+		ipReq.Host = apiIp
+		ipReq.URL.Host = apiIp
+		resp, err = client.Do(ipReq)
+	}
+	return resp, err
+}
+
+// apiServerIP returns the direct IP to connect to API server.
+func apiServerIP(cdDev bool) string {
+	if cdDev {
+		return apiDomainDevIPv4
+	}
+	return apiDomainComIPv4
+}

internal/controld/controld_test.go

@@ -3,10 +3,13 @@
 package controld
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/Control-D-Inc/ctrld"
 )
 
 func TestFetchResolverConfig(t *testing.T) {
@@ -20,11 +23,18 @@ func TestFetchResolverConfig(t *testing.T) {
 		{"valid dev", "p2", true, false},
 		{"invalid uid", "abcd1234", false, true},
 	}
+
+	ctx := context.Background()
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			got, err := FetchResolverConfig(tc.uid, "dev-test", tc.dev)
+			req := &ResolverConfigRequest{
+				RawUID:   tc.uid,
+				Version:  "dev-test",
+				Metadata: ctrld.SystemMetadata(ctx),
+			}
+			got, err := FetchResolverConfig(ctx, req, tc.dev)
 			require.False(t, (err != nil) != tc.wantErr, err)
 			if !tc.wantErr {
 				assert.NotEmpty(t, got.DOH)

internal/dns/README.md

@@ -1,2 +1,2 @@
-This is a fork of https://pkg.go.dev/tailscale.com@v1.34.2/net/dns with modification
+This is a fork of https://pkg.go.dev/tailscale.com@v1.74.0/net/dns with modification
 to fit ctrld use case.

internal/dns/debian_resolvconf.go

@@ -1,12 +1,12 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build linux || freebsd || openbsd
 
 package dns
 
 import (
+	"bufio"
 	"bytes"
 	_ "embed"
 	"fmt"
@@ -33,7 +33,7 @@ var workaroundScript []byte
 // resolvconf implementations encourage adding a suffix roughly
 // indicating where the config came from, and "inet" is the "none of
 // the above" value (rather than, say, "ppp" or "dhcp").
-const resolvconfConfigName = "ctrld.inet"
+const resolvconfConfigName = "tun-ctrld.inet"
 
 // resolvconfLibcHookPath is the directory containing libc update
 // scripts, which are run by Debian resolvconf when /etc/resolv.conf
@@ -53,8 +53,6 @@ type resolvconfManager struct {
 	scriptInstalled bool // libc update script has been installed
 }
 
-var _ OSConfigurator = (*resolvconfManager)(nil)
-
 func newDebianResolvconfManager(logf logger.Logf) (*resolvconfManager, error) {
 	ret := &resolvconfManager{
 		logf:            logf,
@@ -135,6 +133,43 @@ func (m *resolvconfManager) SetDNS(config OSConfig) error {
 	return nil
 }
 
+func (m *resolvconfManager) SupportsSplitDNS() bool {
+	return false
+}
+
+func (m *resolvconfManager) GetBaseConfig() (OSConfig, error) {
+	var bs bytes.Buffer
+
+	cmd := exec.Command(m.listRecordsPath)
+	// list-records assumes it's being run with CWD set to the
+	// interfaces runtime dir, and returns nonsense otherwise.
+	cmd.Dir = m.interfacesDir
+	cmd.Stdout = &bs
+	if err := cmd.Run(); err != nil {
+		return OSConfig{}, err
+	}
+
+	var conf bytes.Buffer
+	sc := bufio.NewScanner(&bs)
+	for sc.Scan() {
+		if sc.Text() == resolvconfConfigName {
+			continue
+		}
+		bs, err := os.ReadFile(filepath.Join(m.interfacesDir, sc.Text()))
+		if err != nil {
+			if os.IsNotExist(err) {
+				// Probably raced with a deletion, that's okay.
+				continue
+			}
+			return OSConfig{}, err
+		}
+		conf.Write(bs)
+		conf.WriteByte('\n')
+	}
+
+	return readResolv(&conf)
+}
+
 func (m *resolvconfManager) Close() error {
 	if err := m.deleteCtrldConfig(); err != nil {
 		return err

internal/dns/direct.go

@@ -1,9 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//lint:file-ignore U1000 Ignore, this file is forked from upstream code.
-//lint:file-ignore ST1005 Ignore, this file is forked from upstream code.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
@@ -20,11 +16,13 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 	"sync"
 	"time"
 
 	"tailscale.com/health"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/version/distro"
@@ -32,11 +30,6 @@ import (
 	"github.com/Control-D-Inc/ctrld/internal/dns/resolvconffile"
 )
 
-const (
-	backupConf = "/etc/resolv.pre-ctrld-backup.conf"
-	resolvConf = "/etc/resolv.conf"
-)
-
 // writeResolvConf writes DNS configuration in resolv.conf format to the given writer.
 func writeResolvConf(w io.Writer, servers []netip.Addr, domains []dnsname.FQDN) error {
 	c := &resolvconffile.Config{
@@ -60,6 +53,8 @@ func readResolv(r io.Reader) (OSConfig, error) {
 // resolvOwner returns the apparent owner of the resolv.conf
 // configuration in bs - one of "resolvconf", "systemd-resolved" or
 // "NetworkManager", or "" if no known owner was found.
+//
+//lint:ignore U1000 used in linux and freebsd code
 func resolvOwner(bs []byte) string {
 	likely := ""
 	b := bytes.NewBuffer(bs)
@@ -123,8 +118,9 @@ func restartResolved() error {
 // The caller must call Down before program shutdown
 // or as cleanup if the program terminates unexpectedly.
 type directManager struct {
-	logf logger.Logf
-	fs   wholeFileFS
+	logf   logger.Logf
+	health *health.Tracker
+	fs     wholeFileFS
 	// renameBroken is set if fs.Rename to or from /etc/resolv.conf
 	// fails. This can happen in some container runtimes, where
 	// /etc/resolv.conf is bind-mounted from outside the container,
@@ -140,19 +136,22 @@ type directManager struct {
 	ctx      context.Context    // valid until Close
 	ctxClose context.CancelFunc // closes ctx
 
-	mu               sync.Mutex
-	wantResolvConf   []byte // if non-nil, what we expect /etc/resolv.conf to contain
+	mu             sync.Mutex
+	wantResolvConf []byte // if non-nil, what we expect /etc/resolv.conf to contain
+	//lint:ignore U1000 used in direct_linux.go
 	lastWarnContents []byte // last resolv.conf contents that we warned about
 }
 
-func newDirectManager(logf logger.Logf) *directManager {
-	return newDirectManagerOnFS(logf, directFS{})
+//lint:ignore U1000 used in manager_{freebsd,openbsd}.go
+func newDirectManager(logf logger.Logf, health *health.Tracker) *directManager {
+	return newDirectManagerOnFS(logf, health, directFS{})
 }
 
-func newDirectManagerOnFS(logf logger.Logf, fs wholeFileFS) *directManager {
+func newDirectManagerOnFS(logf logger.Logf, health *health.Tracker, fs wholeFileFS) *directManager {
 	ctx, cancel := context.WithCancel(context.Background())
 	m := &directManager{
 		logf:     logf,
+		health:   health,
 		fs:       fs,
 		ctx:      ctx,
 		ctxClose: cancel,
@@ -193,13 +192,13 @@ func (m *directManager) ownedByCtrld() (bool, error) {
 }
 
 // backupConfig creates or updates a backup of /etc/resolv.conf, if
-// resolv.conf does not currently contain a Tailscale-managed config.
+// resolv.conf does not currently contain a ctrld-managed config.
 func (m *directManager) backupConfig() error {
 	if _, err := m.fs.Stat(resolvConf); err != nil {
 		if os.IsNotExist(err) {
 			// No resolv.conf, nothing to back up. Also get rid of any
 			// existing backup file, to avoid restoring something old.
-			_ = m.fs.Remove(backupConf)
+			m.fs.Remove(backupConf)
 			return nil
 		}
 		return err
@@ -237,7 +236,7 @@ func (m *directManager) restoreBackup() (restored bool, err error) {
 	if resolvConfExists && !owned {
 		// There's already a non-ctrld config in place, get rid of
 		// our backup.
-		_ = m.fs.Remove(backupConf)
+		m.fs.Remove(backupConf)
 		return false, nil
 	}
 
@@ -278,6 +277,14 @@ func (m *directManager) rename(old, new string) error {
 		return fmt.Errorf("writing to %q in rename of %q: %w", new, old, err)
 	}
 
+	// Explicitly set the permissions on the new file. This ensures that
+	// if we have a umask set which prevents creating world-readable files,
+	// the file will still have the correct permissions once it's renamed
+	// into place. See #12609.
+	if err := m.fs.Chmod(new, 0644); err != nil {
+		return fmt.Errorf("chmod %q in rename of %q: %w", new, old, err)
+	}
+
 	if err := m.fs.Remove(old); err != nil {
 		err2 := m.fs.Truncate(old)
 		if err2 != nil {
@@ -298,53 +305,6 @@ func (m *directManager) setWant(want []byte) {
 	m.wantResolvConf = want
 }
 
-var warnTrample = health.NewWarnable()
-
-// checkForFileTrample checks whether /etc/resolv.conf has been trampled
-// by another program on the system. (e.g. a DHCP client)
-func (m *directManager) checkForFileTrample() {
-	m.mu.Lock()
-	want := m.wantResolvConf
-	lastWarn := m.lastWarnContents
-	m.mu.Unlock()
-
-	if want == nil {
-		return
-	}
-
-	cur, err := m.fs.ReadFile(resolvConf)
-	if err != nil {
-		m.logf("trample: read error: %v", err)
-		return
-	}
-	if bytes.Equal(cur, want) {
-		warnTrample.Set(nil)
-		if lastWarn != nil {
-			m.mu.Lock()
-			m.lastWarnContents = nil
-			m.mu.Unlock()
-			m.logf("trample: resolv.conf again matches expected content")
-		}
-		return
-	}
-	if bytes.Equal(cur, lastWarn) {
-		// We already logged about this, so not worth doing it again.
-		return
-	}
-
-	m.mu.Lock()
-	m.lastWarnContents = cur
-	m.mu.Unlock()
-
-	show := cur
-	if len(show) > 1024 {
-		show = show[:1024]
-	}
-	m.logf("trample: resolv.conf changed from what we expected. did some other program interfere? current contents: %q", show)
-	//lint:ignore ST1005 This error is for human.
-	warnTrample.Set(errors.New("Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight"))
-}
-
 func (m *directManager) SetDNS(config OSConfig) (err error) {
 	defer func() {
 		if err != nil && errors.Is(err, fs.ErrPermission) && runtime.GOOS == "linux" &&
@@ -370,7 +330,7 @@ func (m *directManager) SetDNS(config OSConfig) (err error) {
 		}
 
 		buf := new(bytes.Buffer)
-		_ = writeResolvConf(buf, config.Nameservers, config.SearchDomains)
+		writeResolvConf(buf, config.Nameservers, config.SearchDomains)
 		if err := m.atomicWriteFile(m.fs, resolvConf, buf.Bytes(), 0644); err != nil {
 			return err
 		}
@@ -411,12 +371,57 @@ func (m *directManager) SetDNS(config OSConfig) (err error) {
 	return nil
 }
 
+func (m *directManager) SupportsSplitDNS() bool {
+	return false
+}
+
+func (m *directManager) GetBaseConfig() (OSConfig, error) {
+	owned, err := m.ownedByCtrld()
+	if err != nil {
+		return OSConfig{}, err
+	}
+	fileToRead := resolvConf
+	if owned {
+		fileToRead = backupConf
+	}
+
+	oscfg, err := m.readResolvFile(fileToRead)
+	if err != nil {
+		return OSConfig{}, err
+	}
+
+	// On some systems, the backup configuration file is actually a
+	// symbolic link to something owned by another DNS service (commonly,
+	// resolved). Thus, it can be updated out from underneath us to contain
+	// the Tailscale service IP, which results in an infinite loop of us
+	// trying to send traffic to resolved, which sends back to us, and so
+	// on. To solve this, drop the Tailscale service IP from the base
+	// configuration; we do this in all situations since there's
+	// essentially no world where we want to forward to ourselves.
+	//
+	// See: https://github.com/tailscale/tailscale/issues/7816
+	var removed bool
+	oscfg.Nameservers = slices.DeleteFunc(oscfg.Nameservers, func(ip netip.Addr) bool {
+		if ip == tsaddr.TailscaleServiceIP() || ip == tsaddr.TailscaleServiceIPv6() {
+			removed = true
+			return true
+		}
+		return false
+	})
+	if removed {
+		m.logf("[v1] dropped Tailscale IP from base config that was a symlink")
+	}
+	return oscfg, nil
+}
+
 func (m *directManager) Close() error {
-	// We used to keep a file for the ctrld config and symlinked
+	m.ctxClose()
+
+	// We used to keep a file for the tailscale config and symlinked
 	// to it, but then we stopped because /etc/resolv.conf being a
 	// symlink to surprising places breaks snaps and other sandboxing
 	// things. Clean it up if it's still there.
-	_ = m.fs.Remove("/etc/resolv.ctrld.conf")
+	m.fs.Remove("/etc/resolv.ctrld.conf")
 
 	if _, err := m.fs.Stat(backupConf); err != nil {
 		if os.IsNotExist(err) {
@@ -436,9 +441,9 @@ func (m *directManager) Close() error {
 	resolvConfExists := !os.IsNotExist(err)
 
 	if resolvConfExists && !owned {
-		// There's already a non-ctrld config in place, get rid of
+		// There's already a non-tailscale config in place, get rid of
 		// our backup.
-		_ = m.fs.Remove(backupConf)
+		m.fs.Remove(backupConf)
 		return nil
 	}
 
@@ -475,6 +480,14 @@ func (m *directManager) atomicWriteFile(fs wholeFileFS, filename string, data []
 	if err := fs.WriteFile(tmpName, data, perm); err != nil {
 		return fmt.Errorf("atomicWriteFile: %w", err)
 	}
+	// Explicitly set the permissions on the temporary file before renaming
+	// it. This ensures that if we have a umask set which prevents creating
+	// world-readable files, the file will still have the correct
+	// permissions once it's renamed into place. See #12609.
+	if err := fs.Chmod(tmpName, perm); err != nil {
+		return fmt.Errorf("atomicWriteFile: Chmod: %w", err)
+	}
+
 	return m.rename(tmpName, filename)
 }
 
@@ -483,10 +496,11 @@ func (m *directManager) atomicWriteFile(fs wholeFileFS, filename string, data []
 //
 // All name parameters are absolute paths.
 type wholeFileFS interface {
-	Stat(name string) (isRegular bool, err error)
-	Rename(oldName, newName string) error
-	Remove(name string) error
+	Chmod(name string, mode os.FileMode) error
 	ReadFile(name string) ([]byte, error)
+	Remove(name string) error
+	Rename(oldName, newName string) error
+	Stat(name string) (isRegular bool, err error)
 	Truncate(name string) error
 	WriteFile(name string, contents []byte, perm os.FileMode) error
 }
@@ -510,6 +524,10 @@ func (fs directFS) Stat(name string) (isRegular bool, err error) {
 	return fi.Mode().IsRegular(), nil
 }
 
+func (fs directFS) Chmod(name string, mode os.FileMode) error {
+	return os.Chmod(fs.path(name), mode)
+}
+
 func (fs directFS) Rename(oldName, newName string) error {
 	return os.Rename(fs.path(oldName), fs.path(newName))
 }

internal/dns/direct_linux.go

@@ -1,26 +1,26 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
 import (
+	"bytes"
 	"context"
 
-	"github.com/illarion/gonotify"
+	"github.com/illarion/gonotify/v2"
+	"tailscale.com/health"
 )
 
 func (m *directManager) runFileWatcher() {
-	in, err := gonotify.NewInotify()
+	ctx, cancel := context.WithCancel(m.ctx)
+	defer cancel()
+	in, err := gonotify.NewInotify(ctx)
 	if err != nil {
 		// Oh well, we tried. This is all best effort for now, to
 		// surface warnings to users.
 		m.logf("dns: inotify new: %v", err)
 		return
 	}
-	ctx, cancel := context.WithCancel(m.ctx)
-	defer cancel()
-	go m.closeInotifyOnDone(ctx, in)
 
 	const events = gonotify.IN_ATTRIB |
 		gonotify.IN_CLOSE_WRITE |
@@ -56,7 +56,53 @@ func (m *directManager) runFileWatcher() {
 	}
 }
 
-func (m *directManager) closeInotifyOnDone(ctx context.Context, in *gonotify.Inotify) {
-	<-ctx.Done()
-	_ = in.Close()
+var resolvTrampleWarnable = health.Register(&health.Warnable{
+	Code:     "ctrld-resolv-conf-overwritten",
+	Severity: health.SeverityMedium,
+	Title:    "Linux DNS configuration issue",
+	Text:     health.StaticMessage("Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight"),
+})
+
+// checkForFileTrample checks whether /etc/resolv.conf has been trampled
+// by another program on the system. (e.g. a DHCP client)
+func (m *directManager) checkForFileTrample() {
+	m.mu.Lock()
+	want := m.wantResolvConf
+	lastWarn := m.lastWarnContents
+	m.mu.Unlock()
+
+	if want == nil {
+		return
+	}
+
+	cur, err := m.fs.ReadFile(resolvConf)
+	if err != nil {
+		m.logf("trample: read error: %v", err)
+		return
+	}
+	if bytes.Equal(cur, want) {
+		m.health.SetHealthy(resolvTrampleWarnable)
+		if lastWarn != nil {
+			m.mu.Lock()
+			m.lastWarnContents = nil
+			m.mu.Unlock()
+			m.logf("trample: resolv.conf again matches expected content")
+		}
+		return
+	}
+	if bytes.Equal(cur, lastWarn) {
+		// We already logged about this, so not worth doing it again.
+		return
+	}
+
+	m.mu.Lock()
+	m.lastWarnContents = cur
+	m.mu.Unlock()
+
+	show := cur
+	if len(show) > 1024 {
+		show = show[:1024]
+	}
+	m.logf("trample: resolv.conf changed from what we expected. did some other program interfere? current contents: %q", show)
+	m.health.SetUnhealthy(resolvTrampleWarnable, nil)
 }

internal/dns/direct_notlinux.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build !linux
 

internal/dns/direct_test.go

@@ -1,10 +1,10 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -79,7 +79,10 @@ func testDirect(t *testing.T, fs wholeFileFS) {
 		}
 	}
 
-	m := directManager{logf: t.Logf, fs: fs}
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	m := directManager{logf: t.Logf, fs: fs, ctx: ctx, ctxClose: cancel}
 	if err := m.SetDNS(OSConfig{
 		Nameservers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("8.8.4.4")},
 		SearchDomains: []dnsname.FQDN{"controld.com."},
@@ -121,7 +124,7 @@ type brokenRemoveFS struct {
 	directFS
 }
 
-func (b brokenRemoveFS) Rename(_, _ string) error {
+func (b brokenRemoveFS) Rename(old, new string) error {
 	return errors.New("nyaaah I'm a silly container!")
 }
 
@@ -178,12 +181,12 @@ func TestReadResolve(t *testing.T) {
 				SearchDomains: []dnsname.FQDN{"controld.com."},
 			},
 		},
-		{in: `search controld.com # typo`,
+		{in: `search controld.com # comment`,
 			want: OSConfig{
 				SearchDomains: []dnsname.FQDN{"controld.com."},
 			},
 		},
-		{in: `searchcontrold.com`, wantErr: true},
+		{in: `searchctrld.com`, wantErr: true},
 		{in: `search`, wantErr: true},
 	}
 

internal/dns/manager_freebsd.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
@@ -8,13 +7,18 @@ import (
 	"fmt"
 	"os"
 
+	"tailscale.com/control/controlknobs"
+	"tailscale.com/health"
 	"tailscale.com/types/logger"
 )
 
-func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
+// NewOSConfigurator creates a new OS configurator.
+//
+// The health tracker may be nil; the knobs may be nil and are ignored on this platform.
+func NewOSConfigurator(logf logger.Logf, health *health.Tracker, _ *controlknobs.Knobs, _ string) (OSConfigurator, error) {
 	bs, err := os.ReadFile("/etc/resolv.conf")
 	if os.IsNotExist(err) {
-		return newDirectManager(logf), nil
+		return newDirectManager(logf, health), nil
 	}
 	if err != nil {
 		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
@@ -24,16 +28,16 @@ func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
 	case "resolvconf":
 		switch resolvconfStyle() {
 		case "":
-			return newDirectManager(logf), nil
+			return newDirectManager(logf, health), nil
 		case "debian":
 			return newDebianResolvconfManager(logf)
 		case "openresolv":
-			return newOpenresolvManager()
+			return newOpenresolvManager(logf)
 		default:
 			logf("[unexpected] got unknown flavor of resolvconf %q, falling back to direct manager", resolvconfStyle())
-			return newDirectManager(logf), nil
+			return newDirectManager(logf, health), nil
 		}
 	default:
-		return newDirectManager(logf), nil
+		return newDirectManager(logf, health), nil
 	}
 }

internal/dns/manager_linux.go

@@ -1,8 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//lint:file-ignore U1000 Ignore this file, it's a copy.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
@@ -17,6 +14,7 @@ import (
 	"time"
 
 	"github.com/godbus/dbus/v5"
+	"tailscale.com/control/controlknobs"
 	"tailscale.com/health"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/types/logger"
@@ -38,7 +36,10 @@ func (kv kv) String() string {
 
 var publishOnce sync.Once
 
-func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurator, err error) {
+// NewOSConfigurator created a new OS configurator.
+//
+// The health tracker may be nil; the knobs may be nil and are ignored on this platform.
+func NewOSConfigurator(logf logger.Logf, health *health.Tracker, _ *controlknobs.Knobs, interfaceName string) (ret OSConfigurator, err error) {
 	env := newOSConfigEnv{
 		fs:                directFS{},
 		dbusPing:          dbusPing,
@@ -47,7 +48,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		nmVersionBetween:  nmVersionBetween,
 		resolvconfStyle:   resolvconfStyle,
 	}
-	mode, err := dnsMode(logf, env)
+	mode, err := dnsMode(logf, health, env)
 	if err != nil {
 		return nil, err
 	}
@@ -59,18 +60,18 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	logf("dns: using %q mode", mode)
 	switch mode {
 	case "direct":
-		return newDirectManagerOnFS(logf, env.fs), nil
+		return newDirectManagerOnFS(logf, health, env.fs), nil
 	case "systemd-resolved":
-		return newResolvedManager(logf, interfaceName)
+		return newResolvedManager(logf, health, interfaceName)
 	case "network-manager":
 		return newNMManager(interfaceName)
 	case "debian-resolvconf":
 		return newDebianResolvconfManager(logf)
 	case "openresolv":
-		return newOpenresolvManager()
+		return newOpenresolvManager(logf)
 	default:
 		logf("[unexpected] detected unknown DNS mode %q, using direct manager as last resort", mode)
-		return newDirectManagerOnFS(logf, env.fs), nil
+		return newDirectManagerOnFS(logf, health, env.fs), nil
 	}
 }
 
@@ -84,7 +85,7 @@ type newOSConfigEnv struct {
 	resolvconfStyle   func() string
 }
 
-func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
+func dnsMode(logf logger.Logf, health *health.Tracker, env newOSConfigEnv) (ret string, err error) {
 	var debug []kv
 	dbg := func(k, v string) {
 		debug = append(debug, kv{k, v})
@@ -145,7 +146,7 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 		// header, but doesn't actually point to resolved. We mustn't
 		// try to program resolved in that case.
 		// https://github.com/tailscale/tailscale/issues/2136
-		if err := resolvedIsActuallyResolver(bs); err != nil {
+		if err := resolvedIsActuallyResolver(logf, env, dbg, bs); err != nil {
 			logf("dns: resolvedIsActuallyResolver error: %v", err)
 			dbg("resolved", "not-in-use")
 			return "direct", nil
@@ -231,7 +232,7 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 		dbg("rc", "nm")
 		// Sometimes, NetworkManager owns the configuration but points
 		// it at systemd-resolved.
-		if err := resolvedIsActuallyResolver(bs); err != nil {
+		if err := resolvedIsActuallyResolver(logf, env, dbg, bs); err != nil {
 			logf("dns: resolvedIsActuallyResolver error: %v", err)
 			dbg("resolved", "not-in-use")
 			// You'd think we would use newNMManager here. However, as
@@ -271,6 +272,14 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 			dbg("nm-safe", "yes")
 			return "network-manager", nil
 		}
+		if err := env.nmIsUsingResolved(); err != nil {
+			// If systemd-resolved is not running at all, then we don't have any
+			// other choice: we take direct control of DNS.
+			dbg("nm-resolved", "no")
+			return "direct", nil
+		}
+
+		//lint:ignore SA1019 upstream code still use it.
 		health.SetDNSManagerHealth(errors.New("systemd-resolved and NetworkManager are wired together incorrectly; MagicDNS will probably not work. For more info, see https://tailscale.com/s/resolved-nm"))
 		dbg("nm-safe", "no")
 		return "systemd-resolved", nil
@@ -324,14 +333,23 @@ func nmIsUsingResolved() error {
 	return nil
 }
 
-// resolvedIsActuallyResolver reports whether the given resolv.conf
-// bytes describe a configuration where systemd-resolved (127.0.0.53)
-// is the only configured nameserver.
+// resolvedIsActuallyResolver reports whether the system is using
+// systemd-resolved as the resolver. There are two different ways to
+// use systemd-resolved:
+//   - libnss_resolve, which requires adding `resolve` to the "hosts:"
+//     line in /etc/nsswitch.conf
+//   - setting the only nameserver configured in `resolv.conf` to
+//     systemd-resolved IP (127.0.0.53)
 //
 // Returns an error if the configuration is something other than
 // exclusively systemd-resolved, or nil if the config is only
 // systemd-resolved.
-func resolvedIsActuallyResolver(bs []byte) error {
+func resolvedIsActuallyResolver(logf logger.Logf, env newOSConfigEnv, dbg func(k, v string), bs []byte) error {
+	if err := isLibnssResolveUsed(env); err == nil {
+		dbg("resolved", "nss")
+		return nil
+	}
+
 	cfg, err := readResolv(bytes.NewBuffer(bs))
 	if err != nil {
 		return err
@@ -348,9 +366,34 @@ func resolvedIsActuallyResolver(bs []byte) error {
 			return fmt.Errorf("resolv.conf doesn't point to systemd-resolved; points to %v", cfg.Nameservers)
 		}
 	}
+	dbg("resolved", "file")
 	return nil
 }
 
+// isLibnssResolveUsed reports whether libnss_resolve is used
+// for resolving names. Returns nil if it is, and an error otherwise.
+func isLibnssResolveUsed(env newOSConfigEnv) error {
+	bs, err := env.fs.ReadFile("/etc/nsswitch.conf")
+	if err != nil {
+		return fmt.Errorf("reading /etc/resolv.conf: %w", err)
+	}
+	for _, line := range strings.Split(string(bs), "\n") {
+		fields := strings.Fields(line)
+		if len(fields) < 2 || fields[0] != "hosts:" {
+			continue
+		}
+		for _, module := range fields[1:] {
+			if module == "dns" {
+				return fmt.Errorf("dns with a higher priority than libnss_resolve")
+			}
+			if module == "resolve" {
+				return nil
+			}
+		}
+	}
+	return fmt.Errorf("libnss_resolve not used")
+}
+
 func dbusPing(name, objectPath string) error {
 	conn, err := dbus.SystemBus()
 	if err != nil {

internal/dns/manager_linux_test.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package dns
 
@@ -71,7 +70,7 @@ func TestLinuxDNSMode(t *testing.T) {
 		{
 			name:    "resolved_alone_without_ping",
 			env:     env(resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53")),
-			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved nm=no resolv-conf-mode=error ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved resolved=file nm=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -79,16 +78,46 @@ func TestLinuxDNSMode(t *testing.T) {
 			env: env(
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
+		{
+			name: "resolved_and_nsswitch_resolve",
+			env: env(
+				resolvDotConf("# Managed by systemd-resolved", "nameserver 1.1.1.1"),
+				resolvedRunning(),
+				nsswitchDotConf("hosts: files resolve [!UNAVAIL=return] dns"),
+			),
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=nss nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			want:    "systemd-resolved",
+		},
+		{
+			name: "resolved_and_nsswitch_dns",
+			env: env(
+				resolvDotConf("# Managed by systemd-resolved", "nameserver 1.1.1.1"),
+				resolvedRunning(),
+				nsswitchDotConf("hosts: files dns resolve [!UNAVAIL=return]"),
+			),
+			wantLog: "dns: resolvedIsActuallyResolver error: resolv.conf doesn't point to systemd-resolved; points to [1.1.1.1]\ndns: [resolved-ping=yes rc=resolved resolved=not-in-use ret=direct]",
+			want:    "direct",
+		},
+		{
+			name: "resolved_and_nsswitch_none",
+			env: env(
+				resolvDotConf("# Managed by systemd-resolved", "nameserver 1.1.1.1"),
+				resolvedRunning(),
+				nsswitchDotConf("hosts:"),
+			),
+			wantLog: "dns: resolvedIsActuallyResolver error: resolv.conf doesn't point to systemd-resolved; points to [1.1.1.1]\ndns: [resolved-ping=yes rc=resolved resolved=not-in-use ret=direct]",
+			want:    "direct",
+		},
 		{
 			name: "resolved_and_networkmanager_not_using_resolved",
 			env: env(
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.2.3", false)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=yes nm-resolved=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -97,7 +126,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.26.2", true)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=yes ret=network-manager]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=yes nm-resolved=yes nm-safe=yes ret=network-manager]",
 			want:    "network-manager",
 		},
 		{
@@ -106,7 +135,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.27.0", true)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -115,7 +144,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedRunning(),
 				nmRunning("1.22.0", true)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=yes nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		// Regression tests for extreme corner cases below.
@@ -141,7 +170,7 @@ func TestLinuxDNSMode(t *testing.T) {
 					"nameserver 127.0.0.53",
 					"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -156,7 +185,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"# run \"systemd-resolve --status\" to see details about the actual nameservers.",
 				"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -171,7 +200,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"# 127.0.0.53 is the systemd-resolved stub resolver.",
 				"# run \"systemd-resolve --status\" to see details about the actual nameservers.",
 				"nameserver 127.0.0.53")),
-			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved nm=no resolv-conf-mode=error ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=resolved resolved=file nm=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -183,7 +212,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"options edns0 trust-ad"),
 				resolvedRunning(),
 				nmRunning("1.32.12", true)),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm resolved=file nm-resolved=yes nm-safe=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -194,7 +223,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"nameserver 127.0.0.53",
 				"options edns0 trust-ad"),
 				nmRunning("1.32.12", true)),
-			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=nm nm-resolved=yes nm-safe=no resolv-conf-mode=error ret=systemd-resolved]",
+			wantLog: "dns: ResolvConfMode error: dbus property not found\ndns: [rc=nm resolved=file nm-resolved=yes nm-safe=no resolv-conf-mode=error ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -206,7 +235,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"options edns0 trust-ad"),
 				resolvedRunning(),
 				nmRunning("1.26.3", true)),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm-safe=yes ret=network-manager]",
+			wantLog: "dns: [resolved-ping=yes rc=nm resolved=file nm-resolved=yes nm-safe=yes ret=network-manager]",
 			want:    "network-manager",
 		},
 		{
@@ -217,7 +246,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"nameserver 127.0.0.53",
 				"options edns0 trust-ad"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm resolved=file nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -228,7 +257,7 @@ func TestLinuxDNSMode(t *testing.T) {
 				"search lan",
 				"nameserver 127.0.0.53"),
 				resolvedRunning()),
-			wantLog: "dns: [resolved-ping=yes rc=nm nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=nm resolved=file nm-resolved=yes nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
 		{
@@ -238,14 +267,26 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf("# Managed by systemd-resolved", "nameserver 127.0.0.53"),
 				resolvedDbusProperty(),
 			)),
-			wantLog: "dns: [resolved-ping=yes rc=resolved nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
+			wantLog: "dns: [resolved-ping=yes rc=resolved resolved=file nm=no resolv-conf-mode=fortests ret=systemd-resolved]",
 			want:    "systemd-resolved",
 		},
+		{
+			// regression test for https://github.com/tailscale/tailscale/issues/9687
+			name: "networkmanager_endeavouros",
+			env: env(resolvDotConf(
+				"# Generated by NetworkManager",
+				"search example.com localdomain",
+				"nameserver 10.0.0.1"),
+				nmRunning("1.44.2", false)),
+			wantLog: "dns: resolvedIsActuallyResolver error: resolv.conf doesn't point to systemd-resolved; points to [10.0.0.1]\n" +
+				"dns: [rc=nm resolved=not-in-use ret=direct]",
+			want: "direct",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var logBuf tstest.MemLogger
-			got, err := dnsMode(logBuf.Logf, tt.env)
+			got, err := dnsMode(logBuf.Logf, nil, tt.env)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -272,8 +313,9 @@ func (m memFS) Stat(name string) (isRegular bool, err error) {
 	return false, nil
 }
 
-func (m memFS) Rename(_, _ string) error { panic("TODO") }
-func (m memFS) Remove(_ string) error    { panic("TODO") }
+func (m memFS) Chmod(name string, mode os.FileMode) error { panic("TODO") }
+func (m memFS) Rename(oldName, newName string) error      { panic("TODO") }
+func (m memFS) Remove(name string) error                  { panic("TODO") }
 func (m memFS) ReadFile(name string) ([]byte, error) {
 	v, ok := m[name]
 	if !ok {
@@ -297,7 +339,7 @@ func (m memFS) Truncate(name string) error {
 	return nil
 }
 
-func (m memFS) WriteFile(name string, contents []byte, _ os.FileMode) error {
+func (m memFS) WriteFile(name string, contents []byte, perm os.FileMode) error {
 	m[name] = string(contents)
 	return nil
 }
@@ -381,6 +423,12 @@ func resolvDotConf(ss ...string) envOption {
 	})
 }
 
+func nsswitchDotConf(ss ...string) envOption {
+	return envOpt(func(b *envBuilder) {
+		b.fs["/etc/nsswitch.conf"] = strings.Join(ss, "\n")
+	})
+}
+
 // resolvedRunning returns an option that makes resolved reply to a dbusPing
 // and the ResolvConfMode property.
 func resolvedRunning() envOption {

internal/dns/nm.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build linux
 
@@ -11,6 +10,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"sort"
 	"time"
 
 	"github.com/godbus/dbus/v5"
@@ -24,6 +24,13 @@ const (
 	lowerPriority   = int32(200) // lower than all builtin auto priorities
 )
 
+// reconfigTimeout is the time interval within which Manager.{Up,Down} should complete.
+//
+// This is particularly useful because certain conditions can cause indefinite hangs
+// (such as improper dbus auth followed by contextless dbus.Object.Call).
+// Such operations should be wrapped in a timeout context.
+const reconfigTimeout = time.Second
+
 // nmManager uses the NetworkManager DBus API.
 type nmManager struct {
 	interfaceName string
@@ -31,8 +38,6 @@ type nmManager struct {
 	dnsManager    dbus.BusObject
 }
 
-var _ OSConfigurator = (*nmManager)(nil)
-
 func newNMManager(interfaceName string) (*nmManager, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
@@ -141,18 +146,17 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	// tell it explicitly to keep it. Read out the current interface
 	// settings and mirror them out to NetworkManager.
 	var addrs6 []map[string]any
-	if netIface, err := net.InterfaceByName(m.interfaceName); err == nil {
-		if addrs, err := netIface.Addrs(); err == nil {
-			for _, a := range addrs {
-				if ipnet, ok := a.(*net.IPNet); ok {
-					nip, ok := netip.AddrFromSlice(ipnet.IP)
-					nip = nip.Unmap()
-					if ok && nip.Is6() {
-						addrs6 = append(addrs6, map[string]any{
-							"address": nip.String(),
-							"prefix":  uint32(128),
-						})
-					}
+	if tsIf, err := net.InterfaceByName(m.interfaceName); err == nil {
+		addrs, _ := tsIf.Addrs()
+		for _, a := range addrs {
+			if ipnet, ok := a.(*net.IPNet); ok {
+				nip, ok := netip.AddrFromSlice(ipnet.IP)
+				nip = nip.Unmap()
+				if ok && nip.Is6() {
+					addrs6 = append(addrs6, map[string]any{
+						"address": nip.String(),
+						"prefix":  uint32(128),
+					})
 				}
 			}
 		}
@@ -260,6 +264,125 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	return nil
 }
 
+func (m *nmManager) SupportsSplitDNS() bool {
+	var mode string
+	v, err := m.dnsManager.GetProperty("org.freedesktop.NetworkManager.DnsManager.Mode")
+	if err != nil {
+		return false
+	}
+	mode, ok := v.Value().(string)
+	if !ok {
+		return false
+	}
+
+	// Per NM's documentation, it only does split-DNS when it's
+	// programming dnsmasq or systemd-resolved. All other modes are
+	// primary-only.
+	return mode == "dnsmasq" || mode == "systemd-resolved"
+}
+
+func (m *nmManager) GetBaseConfig() (OSConfig, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return OSConfig{}, err
+	}
+
+	nm := conn.Object("org.freedesktop.NetworkManager", dbus.ObjectPath("/org/freedesktop/NetworkManager/DnsManager"))
+	v, err := nm.GetProperty("org.freedesktop.NetworkManager.DnsManager.Configuration")
+	if err != nil {
+		return OSConfig{}, err
+	}
+	cfgs, ok := v.Value().([]map[string]dbus.Variant)
+	if !ok {
+		return OSConfig{}, fmt.Errorf("unexpected NM config type %T", v.Value())
+	}
+
+	if len(cfgs) == 0 {
+		return OSConfig{}, nil
+	}
+
+	type dnsPrio struct {
+		resolvers []netip.Addr
+		domains   []string
+		priority  int32
+	}
+	order := make([]dnsPrio, 0, len(cfgs)-1)
+
+	for _, cfg := range cfgs {
+		if name, ok := cfg["interface"]; ok {
+			if s, ok := name.Value().(string); ok && s == m.interfaceName {
+				// Config for the tailscale interface, skip.
+				continue
+			}
+		}
+
+		var p dnsPrio
+
+		if v, ok := cfg["nameservers"]; ok {
+			if ips, ok := v.Value().([]string); ok {
+				for _, s := range ips {
+					ip, err := netip.ParseAddr(s)
+					if err != nil {
+						// hmm, what do? Shouldn't really happen.
+						continue
+					}
+					p.resolvers = append(p.resolvers, ip)
+				}
+			}
+		}
+		if v, ok := cfg["domains"]; ok {
+			if domains, ok := v.Value().([]string); ok {
+				p.domains = domains
+			}
+		}
+		if v, ok := cfg["priority"]; ok {
+			if prio, ok := v.Value().(int32); ok {
+				p.priority = prio
+			}
+		}
+
+		order = append(order, p)
+	}
+
+	sort.Slice(order, func(i, j int) bool {
+		return order[i].priority < order[j].priority
+	})
+
+	var (
+		ret           OSConfig
+		seenResolvers = map[netip.Addr]bool{}
+		seenSearch    = map[string]bool{}
+	)
+
+	for _, cfg := range order {
+		for _, resolver := range cfg.resolvers {
+			if seenResolvers[resolver] {
+				continue
+			}
+			ret.Nameservers = append(ret.Nameservers, resolver)
+			seenResolvers[resolver] = true
+		}
+		for _, dom := range cfg.domains {
+			if seenSearch[dom] {
+				continue
+			}
+			fqdn, err := dnsname.ToFQDN(dom)
+			if err != nil {
+				continue
+			}
+			ret.SearchDomains = append(ret.SearchDomains, fqdn)
+			seenSearch[dom] = true
+		}
+		if cfg.priority < 0 {
+			// exclusive configurations preempt all other
+			// configurations, so we're done.
+			break
+		}
+	}
+
+	return ret, nil
+}
+
 func (m *nmManager) Close() error {
 	// No need to do anything on close, NetworkManager will delete our
 	// settings when the tailscale interface goes away.

internal/dns/openresolv.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build linux || freebsd || openbsd
 
@@ -10,22 +9,41 @@ import (
 	"bytes"
 	"fmt"
 	"os/exec"
+	"strings"
+
+	"tailscale.com/types/logger"
 )
 
 // openresolvManager manages DNS configuration using the openresolv
 // implementation of the `resolvconf` program.
-type openresolvManager struct{}
+type openresolvManager struct {
+	logf logger.Logf
+}
 
-var _ OSConfigurator = (*openresolvManager)(nil)
+func newOpenresolvManager(logf logger.Logf) (openresolvManager, error) {
+	return openresolvManager{logf}, nil
+}
 
-func newOpenresolvManager() (openresolvManager, error) {
-	return openresolvManager{}, nil
+func (m openresolvManager) logCmdErr(cmd *exec.Cmd, err error) {
+	if err == nil {
+		return
+	}
+
+	commandStr := fmt.Sprintf("path=%q args=%q", cmd.Path, cmd.Args)
+	exerr, ok := err.(*exec.ExitError)
+	if !ok {
+		m.logf("error running command %s: %v", commandStr, err)
+		return
+	}
+
+	m.logf("error running command %s stderr=%q exitCode=%d: %v", commandStr, exerr.Stderr, exerr.ExitCode(), err)
 }
 
 func (m openresolvManager) deleteTailscaleConfig() error {
 	cmd := exec.Command("resolvconf", "-f", "-d", "ctrld")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
+		m.logCmdErr(cmd, err)
 		return fmt.Errorf("running %s: %s", cmd, out)
 	}
 	return nil
@@ -43,11 +61,55 @@ func (m openresolvManager) SetDNS(config OSConfig) error {
 	cmd.Stdin = &stdin
 	out, err := cmd.CombinedOutput()
 	if err != nil {
+		m.logCmdErr(cmd, err)
 		return fmt.Errorf("running %s: %s", cmd, out)
 	}
 	return nil
 }
 
+func (m openresolvManager) SupportsSplitDNS() bool {
+	return false
+}
+
+func (m openresolvManager) GetBaseConfig() (OSConfig, error) {
+	// List the names of all config snippets openresolv is aware
+	// of. Snippets get listed in priority order (most to least),
+	// which we'll exploit later.
+	bs, err := exec.Command("resolvconf", "-i").CombinedOutput()
+	if err != nil {
+		return OSConfig{}, err
+	}
+
+	// Remove the "tailscale" snippet from the list.
+	args := []string{"-l"}
+	for _, f := range strings.Split(strings.TrimSpace(string(bs)), " ") {
+		if f == "tailscale" {
+			continue
+		}
+		args = append(args, f)
+	}
+
+	// List all resolvconf snippets except our own, and parse that as
+	// a resolv.conf. This effectively generates a blended config of
+	// "everyone except tailscale", which is what would be in use if
+	// tailscale hadn't set exclusive mode.
+	//
+	// Note that this is not _entirely_ true. To be perfectly correct,
+	// we should be looking for other interfaces marked exclusive that
+	// predated tailscale, and stick to only those. However, in
+	// practice, openresolv uses are generally quite limited, and boil
+	// down to 1-2 DHCP leases, for which the correct outcome is a
+	// blended config like the one we produce here.
+	var buf bytes.Buffer
+	cmd := exec.Command("resolvconf", args...)
+	cmd.Stdout = &buf
+	if err := cmd.Run(); err != nil {
+		m.logCmdErr(cmd, err)
+		return OSConfig{}, err
+	}
+	return readResolv(&buf)
+}
+
 func (m openresolvManager) Close() error {
 	return m.deleteTailscaleConfig()
 }