[client] Fix netstack upstream dns and add wasm debug methods (#4648)

client/internal/connect.go

@@ -420,6 +420,19 @@ func (c *ConnectClient) GetLatestSyncResponse() (*mgmProto.SyncResponse, error)
 	return syncResponse, nil
 }
 
+// SetLogLevel sets the log level for the firewall manager if the engine is running.
+func (c *ConnectClient) SetLogLevel(level log.Level) {
+	engine := c.Engine()
+	if engine == nil {
+		return
+	}
+
+	fwManager := engine.GetFirewallManager()
+	if fwManager != nil {
+		fwManager.SetLogLevel(level)
+	}
+}
+
 // Status returns the current client status
 func (c *ConnectClient) Status() StatusType {
 	if c == nil {

client/internal/dns/server.go

@@ -631,9 +631,7 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 
 	handler, err := newUpstreamResolver(
 		s.ctx,
-		s.wgInterface.Name(),
-		s.wgInterface.Address().IP,
-		s.wgInterface.Address().Network,
+		s.wgInterface,
 		s.statusRecorder,
 		s.hostsDNSHolder,
 		nbdns.RootZone,
@@ -743,9 +741,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		log.Debugf("creating handler for domain=%s with priority=%d", domainGroup.domain, priority)
 		handler, err := newUpstreamResolver(
 			s.ctx,
-			s.wgInterface.Name(),
-			s.wgInterface.Address().IP,
-			s.wgInterface.Address().Network,
+			s.wgInterface,
 			s.statusRecorder,
 			s.hostsDNSHolder,
 			domainGroup.domain,
@@ -926,9 +922,7 @@ func (s *DefaultServer) addHostRootZone() {
 
 	handler, err := newUpstreamResolver(
 		s.ctx,
-		s.wgInterface.Name(),
-		s.wgInterface.Address().IP,
-		s.wgInterface.Address().Network,
+		s.wgInterface,
 		s.statusRecorder,
 		s.hostsDNSHolder,
 		nbdns.RootZone,

client/internal/dns/server_test.go

@@ -15,6 +15,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
@@ -81,6 +82,10 @@ func (w *mocWGIface) GetStats(_ string) (configurer.WGStats, error) {
 	return configurer.WGStats{}, nil
 }
 
+func (w *mocWGIface) GetNet() *netstack.Net {
+	return nil
+}
+
 var zoneRecords = []nbdns.SimpleRecord{
 	{
 		Name:  "peera.netbird.cloud",

client/internal/dns/upstream.go

@@ -18,6 +18,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
@@ -418,6 +419,56 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	return rm, t, nil
 }
 
+// ExchangeWithNetstack performs a DNS exchange using netstack for dialing.
+// This is needed when netstack is enabled to reach peer IPs through the tunnel.
+func ExchangeWithNetstack(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream string) (*dns.Msg, error) {
+	reply, err := netstackExchange(ctx, nsNet, r, upstream, "udp")
+	if err != nil {
+		return nil, err
+	}
+
+	// If response is truncated, retry with TCP
+	if reply != nil && reply.MsgHdr.Truncated {
+		log.Tracef("udp response for domain=%s type=%v class=%v is truncated, trying TCP",
+			r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+		return netstackExchange(ctx, nsNet, r, upstream, "tcp")
+	}
+
+	return reply, nil
+}
+
+func netstackExchange(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream, network string) (*dns.Msg, error) {
+	conn, err := nsNet.DialContext(ctx, network, upstream)
+	if err != nil {
+		return nil, fmt.Errorf("with %s: %w", network, err)
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Debugf("failed to close DNS connection: %v", err)
+		}
+	}()
+
+	if deadline, ok := ctx.Deadline(); ok {
+		if err := conn.SetDeadline(deadline); err != nil {
+			return nil, fmt.Errorf("set deadline: %w", err)
+		}
+	}
+
+	dnsConn := &dns.Conn{Conn: conn}
+
+	if err := dnsConn.WriteMsg(r); err != nil {
+		return nil, fmt.Errorf("write %s message: %w", network, err)
+	}
+
+	reply, err := dnsConn.ReadMsg()
+	if err != nil {
+		return nil, fmt.Errorf("read %s message: %w", network, err)
+	}
+
+	return reply, nil
+}
+
+
 // FormatPeerStatus formats peer connection status information for debugging DNS timeouts
 func FormatPeerStatus(peerState *peer.State) string {
 	isConnected := peerState.ConnStatus == peer.StatusConnected

client/internal/dns/upstream_android.go

@@ -23,9 +23,7 @@ type upstreamResolver struct {
 // first time, and we need to wait for a while to start to use again the proper DNS resolver.
 func newUpstreamResolver(
 	ctx context.Context,
-	_ string,
-	_ netip.Addr,
-	_ netip.Prefix,
+	_ WGIface,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
 	domain string,

client/internal/dns/upstream_general.go

@@ -5,22 +5,23 @@ package dns
 import (
 	"context"
 	"net/netip"
+	"runtime"
 	"time"
 
 	"github.com/miekg/dns"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
 )
 
 type upstreamResolver struct {
 	*upstreamResolverBase
+	nsNet *netstack.Net
 }
 
 func newUpstreamResolver(
 	ctx context.Context,
-	_ string,
-	_ netip.Addr,
-	_ netip.Prefix,
+	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,
@@ -28,12 +29,23 @@ func newUpstreamResolver(
 	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
 	nonIOS := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
+		nsNet:                wgIface.GetNet(),
 	}
 	upstreamResolverBase.upstreamClient = nonIOS
 	return nonIOS, nil
 }
 
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+	// TODO: Check if upstream DNS server is routed through a peer before using netstack.
+	// Similar to iOS logic, we should determine if the DNS server is reachable directly
+	// or needs to go through the tunnel, and only use netstack when necessary.
+	// For now, only use netstack on JS platform where direct access is not possible.
+	if u.nsNet != nil && runtime.GOOS == "js" {
+		start := time.Now()
+		reply, err := ExchangeWithNetstack(ctx, u.nsNet, r, upstream)
+		return reply, time.Since(start), err
+	}
+
 	client := &dns.Client{
 		Timeout: ClientTimeout,
 	}

client/internal/dns/upstream_ios.go

@@ -26,9 +26,7 @@ type upstreamResolverIOS struct {
 
 func newUpstreamResolver(
 	ctx context.Context,
-	interfaceName string,
-	ip netip.Addr,
-	net netip.Prefix,
+	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
 	domain string,
@@ -37,9 +35,9 @@ func newUpstreamResolver(
 
 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
-		lIP:                  ip,
-		lNet:                 net,
-		interfaceName:        interfaceName,
+		lIP:                  wgIface.Address().IP,
+		lNet:                 wgIface.Address().Network,
+		interfaceName:        wgIface.Name(),
 	}
 	ios.upstreamClient = ios
 

client/internal/dns/upstream_test.go

@@ -2,13 +2,17 @@ package dns
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/miekg/dns"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 
@@ -58,7 +62,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", netip.Addr{}, netip.Prefix{}, nil, nil, ".")
+			resolver, _ := newUpstreamResolver(ctx, &mockNetstackProvider{}, nil, nil, ".")
 			// Convert test servers to netip.AddrPort
 			var servers []netip.AddrPort
 			for _, server := range testCase.InputServers {
@@ -112,6 +116,19 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	}
 }
 
+type mockNetstackProvider struct{}
+
+func (m *mockNetstackProvider) Name() string                      { return "mock" }
+func (m *mockNetstackProvider) Address() wgaddr.Address           { return wgaddr.Address{} }
+func (m *mockNetstackProvider) ToInterface() *net.Interface       { return nil }
+func (m *mockNetstackProvider) IsUserspaceBind() bool             { return false }
+func (m *mockNetstackProvider) GetFilter() device.PacketFilter    { return nil }
+func (m *mockNetstackProvider) GetDevice() *device.FilteredDevice { return nil }
+func (m *mockNetstackProvider) GetNet() *netstack.Net             { return nil }
+func (m *mockNetstackProvider) GetInterfaceGUIDString() (string, error) {
+	return "", nil
+}
+
 type mockUpstreamResolver struct {
 	r   *dns.Msg
 	rtt time.Duration

client/internal/dns/wgiface.go

@@ -5,6 +5,8 @@ package dns
 import (
 	"net"
 
+	"golang.zx2c4.com/wireguard/tun/netstack"
+
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -17,4 +19,5 @@ type WGIface interface {
 	IsUserspaceBind() bool
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
+	GetNet() *netstack.Net
 }

client/internal/dns/wgiface_windows.go

@@ -1,6 +1,8 @@
 package dns
 
 import (
+	"golang.zx2c4.com/wireguard/tun/netstack"
+
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -12,5 +14,6 @@ type WGIface interface {
 	IsUserspaceBind() bool
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
+	GetNet() *netstack.Net
 	GetInterfaceGUIDString() (string, error)
 }

client/internal/engine.go

@@ -1748,22 +1748,26 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	}
 
 	e.syncMsgMux.Unlock()
-	var results []relay.ProbeResult
-	if waitForResult {
-		results = e.probeStunTurn.ProbeAllWaitResult(e.ctx, stuns, turns)
-	} else {
-		results = e.probeStunTurn.ProbeAll(e.ctx, stuns, turns)
-	}
-	e.statusRecorder.UpdateRelayStates(results)
 
+	// Skip STUN/TURN probing for JS/WASM as it's not available
 	relayHealthy := true
-	for _, res := range results {
-		if res.Err != nil {
-			relayHealthy = false
-			break
+	if runtime.GOOS != "js" {
+		var results []relay.ProbeResult
+		if waitForResult {
+			results = e.probeStunTurn.ProbeAllWaitResult(e.ctx, stuns, turns)
+		} else {
+			results = e.probeStunTurn.ProbeAll(e.ctx, stuns, turns)
 		}
+		e.statusRecorder.UpdateRelayStates(results)
+
+		for _, res := range results {
+			if res.Err != nil {
+				relayHealthy = false
+				break
+			}
+		}
+		log.Debugf("relay health check: healthy=%t", relayHealthy)
 	}
-	log.Debugf("relay health check: healthy=%t", relayHealthy)
 
 	allHealthy := signalHealthy && managementHealthy && relayHealthy
 	log.Debugf("all health checks completed: healthy=%t", allHealthy)

client/internal/peer/status.go

@@ -14,6 +14,7 @@ import (
 	"golang.org/x/exp/maps"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -158,6 +159,7 @@ type FullStatus struct {
 	NSGroupStates         []NSGroupState
 	NumOfForwardingRules  int
 	LazyConnectionEnabled bool
+	Events                []*proto.SystemEvent
 }
 
 type StatusChangeSubscription struct {
@@ -981,6 +983,7 @@ func (d *Status) GetFullStatus() FullStatus {
 	}
 
 	fullStatus.Peers = append(fullStatus.Peers, d.offlinePeers...)
+	fullStatus.Events = d.GetEventHistory()
 	return fullStatus
 }
 
@@ -1181,3 +1184,97 @@ type EventSubscription struct {
 func (s *EventSubscription) Events() <-chan *proto.SystemEvent {
 	return s.events
 }
+
+// ToProto converts FullStatus to proto.FullStatus.
+func (fs FullStatus) ToProto() *proto.FullStatus {
+	pbFullStatus := proto.FullStatus{
+		ManagementState: &proto.ManagementState{},
+		SignalState:     &proto.SignalState{},
+		LocalPeerState:  &proto.LocalPeerState{},
+		Peers:           []*proto.PeerState{},
+	}
+
+	pbFullStatus.ManagementState.URL = fs.ManagementState.URL
+	pbFullStatus.ManagementState.Connected = fs.ManagementState.Connected
+	if err := fs.ManagementState.Error; err != nil {
+		pbFullStatus.ManagementState.Error = err.Error()
+	}
+
+	pbFullStatus.SignalState.URL = fs.SignalState.URL
+	pbFullStatus.SignalState.Connected = fs.SignalState.Connected
+	if err := fs.SignalState.Error; err != nil {
+		pbFullStatus.SignalState.Error = err.Error()
+	}
+
+	pbFullStatus.LocalPeerState.IP = fs.LocalPeerState.IP
+	pbFullStatus.LocalPeerState.PubKey = fs.LocalPeerState.PubKey
+	pbFullStatus.LocalPeerState.KernelInterface = fs.LocalPeerState.KernelInterface
+	pbFullStatus.LocalPeerState.Fqdn = fs.LocalPeerState.FQDN
+	pbFullStatus.LocalPeerState.RosenpassPermissive = fs.RosenpassState.Permissive
+	pbFullStatus.LocalPeerState.RosenpassEnabled = fs.RosenpassState.Enabled
+	pbFullStatus.NumberOfForwardingRules = int32(fs.NumOfForwardingRules)
+	pbFullStatus.LazyConnectionEnabled = fs.LazyConnectionEnabled
+
+	pbFullStatus.LocalPeerState.Networks = maps.Keys(fs.LocalPeerState.Routes)
+
+	for _, peerState := range fs.Peers {
+		networks := maps.Keys(peerState.GetRoutes())
+
+		pbPeerState := &proto.PeerState{
+			IP:                         peerState.IP,
+			PubKey:                     peerState.PubKey,
+			ConnStatus:                 peerState.ConnStatus.String(),
+			ConnStatusUpdate:           timestamppb.New(peerState.ConnStatusUpdate),
+			Relayed:                    peerState.Relayed,
+			LocalIceCandidateType:      peerState.LocalIceCandidateType,
+			RemoteIceCandidateType:     peerState.RemoteIceCandidateType,
+			LocalIceCandidateEndpoint:  peerState.LocalIceCandidateEndpoint,
+			RemoteIceCandidateEndpoint: peerState.RemoteIceCandidateEndpoint,
+			RelayAddress:               peerState.RelayServerAddress,
+			Fqdn:                       peerState.FQDN,
+			LastWireguardHandshake:     timestamppb.New(peerState.LastWireguardHandshake),
+			BytesRx:                    peerState.BytesRx,
+			BytesTx:                    peerState.BytesTx,
+			RosenpassEnabled:           peerState.RosenpassEnabled,
+			Networks:                   networks,
+			Latency:                    durationpb.New(peerState.Latency),
+			SshHostKey:                 peerState.SSHHostKey,
+		}
+		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
+	}
+
+	for _, relayState := range fs.Relays {
+		pbRelayState := &proto.RelayState{
+			URI:       relayState.URI,
+			Available: relayState.Err == nil,
+		}
+		if err := relayState.Err; err != nil {
+			pbRelayState.Error = err.Error()
+		}
+		pbFullStatus.Relays = append(pbFullStatus.Relays, pbRelayState)
+	}
+
+	for _, dnsState := range fs.NSGroupStates {
+		var err string
+		if dnsState.Error != nil {
+			err = dnsState.Error.Error()
+		}
+
+		var servers []string
+		for _, server := range dnsState.Servers {
+			servers = append(servers, server.String())
+		}
+
+		pbDnsState := &proto.NSGroupState{
+			Servers: servers,
+			Domains: dnsState.Domains,
+			Enabled: dnsState.Enabled,
+			Error:   err,
+		}
+		pbFullStatus.DnsServers = append(pbFullStatus.DnsServers, pbDnsState)
+	}
+
+	pbFullStatus.Events = fs.Events
+
+	return &pbFullStatus
+}

client/internal/routemanager/dnsinterceptor/handler.go

@@ -17,13 +17,13 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/fakeip"
+	iface "github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -38,11 +38,6 @@ type internalDNATer interface {
 	AddInternalDNATMapping(netip.Addr, netip.Addr) error
 }
 
-type wgInterface interface {
-	Name() string
-	Address() wgaddr.Address
-}
-
 type DnsInterceptor struct {
 	mu                   sync.RWMutex
 	route                *route.Route
@@ -52,7 +47,7 @@ type DnsInterceptor struct {
 	dnsServer            nbdns.Server
 	currentPeerKey       string
 	interceptedDomains   domainMap
-	wgInterface          wgInterface
+	wgInterface          iface.WGIface
 	peerStore            *peerstore.Store
 	firewall             firewall.Manager
 	fakeIPManager        *fakeip.Manager
@@ -250,12 +245,6 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
-	client, err := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), dnsTimeout)
-	if err != nil {
-		d.writeDNSError(w, r, logger, fmt.Sprintf("create DNS client: %v", err))
-		return
-	}
-
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
@@ -264,20 +253,8 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()
 
-	startTime := time.Now()
-	reply, _, err := nbdns.ExchangeWithFallback(ctx, client, r, upstream)
-	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
-			elapsed := time.Since(startTime)
-			peerInfo := d.debugPeerTimeout(upstreamIP, peerKey)
-			logger.Errorf("peer DNS timeout after %v (timeout=%v) for domain=%s to peer %s (%s)%s - error: %v",
-				elapsed.Truncate(time.Millisecond), dnsTimeout, r.Question[0].Name, upstreamIP.String(), peerKey, peerInfo, err)
-		} else {
-			logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
-		}
-		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
-			logger.Errorf("failed writing DNS response: %v", err)
-		}
+	reply := d.queryUpstreamDNS(ctx, w, r, upstream, upstreamIP, peerKey, logger)
+	if reply == nil {
 		return
 	}
 
@@ -586,6 +563,44 @@ func determinePrefixChanges(oldPrefixes, newPrefixes []netip.Prefix) (toAdd, toR
 	return
 }
 
+// queryUpstreamDNS queries the upstream DNS server using netstack if available, otherwise uses regular client.
+// Returns the DNS reply on success, or nil on error (error responses are written internally).
+func (d *DnsInterceptor) queryUpstreamDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, upstream string, upstreamIP netip.Addr, peerKey string, logger *log.Entry) *dns.Msg {
+	startTime := time.Now()
+
+	nsNet := d.wgInterface.GetNet()
+	var reply *dns.Msg
+	var err error
+
+	if nsNet != nil {
+		reply, err = nbdns.ExchangeWithNetstack(ctx, nsNet, r, upstream)
+	} else {
+		client, clientErr := nbdns.GetClientPrivate(d.wgInterface.Address().IP, d.wgInterface.Name(), dnsTimeout)
+		if clientErr != nil {
+			d.writeDNSError(w, r, logger, fmt.Sprintf("create DNS client: %v", clientErr))
+			return nil
+		}
+		reply, _, err = nbdns.ExchangeWithFallback(ctx, client, r, upstream)
+	}
+
+	if err == nil {
+		return reply
+	}
+
+	if errors.Is(err, context.DeadlineExceeded) {
+		elapsed := time.Since(startTime)
+		peerInfo := d.debugPeerTimeout(upstreamIP, peerKey)
+		logger.Errorf("peer DNS timeout after %v (timeout=%v) for domain=%s to peer %s (%s)%s - error: %v",
+			elapsed.Truncate(time.Millisecond), dnsTimeout, r.Question[0].Name, upstreamIP.String(), peerKey, peerInfo, err)
+	} else {
+		logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
+	}
+	if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {
+		logger.Errorf("failed writing DNS response: %v", err)
+	}
+	return nil
+}
+
 func (d *DnsInterceptor) debugPeerTimeout(peerIP netip.Addr, peerKey string) string {
 	if d.statusRecorder == nil {
 		return ""

client/internal/routemanager/iface/iface_common.go

@@ -4,6 +4,8 @@ import (
 	"net"
 	"net/netip"
 
+	"golang.zx2c4.com/wireguard/tun/netstack"
+
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -18,4 +20,5 @@ type wgIfaceBase interface {
 	IsUserspaceBind() bool
 	GetFilter() device.PacketFilter
 	GetDevice() *device.FilteredDevice
+	GetNet() *netstack.Net
 }