Filter DNS fallback upstreams matching our server IP to prevent loops

Clean up legacy 32-bit and HKCU registry entries on Windows install (#6176 )
Avoid context cancellation in cancelPeerRoutines (#6175 )
2026-05-28 19:49:54 +00:00 · 2026-05-17 15:49:31 +02:00 · 2026-05-16 16:52:57 +02:00 · 2026-05-16 16:29:01 +02:00 · 2026-05-16 15:51:48 +02:00 · 2026-05-15 19:13:44 +02:00
46 changed files with 996 additions and 1850 deletions
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -92,9 +92,6 @@ linters:
      - linters:
          - unused
        path: client/firewall/iptables/rule\.go
-      - linters:
-          - unused
-        path: client/internal/dns/dnsfw/(types|syscall|zsyscall)_windows.*\.go
      - linters:
          - gosec
          - mirror
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -43,16 +43,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
-	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -336,7 +336,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -357,7 +357,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"

 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"

-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
    DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
    DetailPrint "Autostart not enabled by user"
 ${EndIf}

@@ -299,11 +307,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`

-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64

 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -45,8 +45,11 @@ netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Detailed system routing table in tabular format including destination, gateway, interface, metrics, and protocol information, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
-iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
-nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
+iptables.txt: Anonymized iptables (IPv4) rules with packet counters, if --system-info flag was provided.
+ip6tables.txt: Anonymized ip6tables (IPv6) rules with packet counters, if --system-info flag was provided.
+ipset.txt: Anonymized ipset list output, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters across all families (ip, ip6, inet, etc.), if --system-info flag was provided.
+sysctls.txt: Forwarding, reverse-path filter, source-validation, and conntrack accounting sysctl values that the NetBird client may read or modify, if --system-info flag was provided (Linux only).
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
@@ -165,22 +168,33 @@ The config.txt file contains anonymized configuration information of the NetBird
 Other non-sensitive configuration options are included without anonymization.

 Firewall Rules (Linux only)
-The bundle includes two separate firewall rule files:
+The bundle includes the following firewall-related files:

 iptables.txt:
- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
+- IPv4 iptables ruleset with packet counters using 'iptables-save' and 'iptables -v -n -L'
 - Includes all tables (filter, nat, mangle, raw, security)
 - Shows packet and byte counters for each rule
 - All IP addresses are anonymized
 - Chain names, table names, and other non-sensitive information remain unchanged

+ip6tables.txt:
+- IPv6 ip6tables ruleset with packet counters using 'ip6tables-save' and 'ip6tables -v -n -L'
+- Same table coverage and anonymization as iptables.txt
+- Omitted when ip6tables is not installed or no IPv6 rules are present
+
+ipset.txt:
+- Output of 'ipset list' (family-agnostic)
+- IP addresses are anonymized; set names and types remain unchanged
+
 nftables.txt:
- Complete nftables ruleset obtained via 'nft -a list ruleset'
+- Complete nftables ruleset across all families (ip, ip6, inet, arp, bridge, netdev) via 'nft -a list ruleset'
 - Includes rule handle numbers and packet counters
- All tables, chains, and rules are included
- Shows packet and byte counters for each rule
- All IP addresses are anonymized
- Chain names, table names, and other non-sensitive information remain unchanged
+- All IP addresses are anonymized; chain/table names remain unchanged
+
+sysctls.txt:
+- Forwarding (IPv4 + IPv6, global and per-interface), reverse-path filter, source-validation, conntrack accounting, and TCP-related sysctls that netbird may read or modify
+- Per-interface keys are enumerated from /proc/sys/net/ipv{4,6}/conf
+- Interface names anonymized when --anonymize is set

 IP Rules (Linux only)
 The ip_rules.txt file contains detailed IP routing rule information:
@@ -412,6 +426,10 @@ func (g *BundleGenerator) addSystemInfo() {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}

+	if err := g.addSysctls(); err != nil {
+		log.Errorf("failed to add sysctls to debug bundle: %v", err)
+	}
+
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}
--- a/client/internal/debug/debug_linux.go
+++ b/client/internal/debug/debug_linux.go
@@ -124,15 +124,18 @@ func getSystemdLogs(serviceName string) (string, error) {
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
-	iptablesRules, err := collectIPTablesRules()
+	g.addIPTablesRulesToBundle("iptables-save", "iptables", "iptables.txt")
+	g.addIPTablesRulesToBundle("ip6tables-save", "ip6tables", "ip6tables.txt")
+
+	ipsetOutput, err := collectIPSets()
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules: %v", err)
+		log.Warnf("Failed to collect ipset information: %v", err)
 	} else {
 		if g.anonymize {
-			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
+			ipsetOutput = g.anonymizer.AnonymizeString(ipsetOutput)
 		}
-		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
-			log.Warnf("Failed to add iptables rules to bundle: %v", err)
+		if err := g.addFileToZip(strings.NewReader(ipsetOutput), "ipset.txt"); err != nil {
+			log.Warnf("Failed to add ipset output to bundle: %v", err)
 		}
 	}

@@ -151,44 +154,65 @@ func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }

-// collectIPTablesRules collects rules using both iptables-save and verbose listing
-func collectIPTablesRules() (string, error) {
-	var builder strings.Builder
-
-	saveOutput, err := collectIPTablesSave()
+// addIPTablesRulesToBundle collects iptables/ip6tables rules and writes them to the bundle.
+func (g *BundleGenerator) addIPTablesRulesToBundle(saveBin, listBin, filename string) {
+	rules, err := collectIPTablesRules(saveBin, listBin)
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
-	} else {
-		builder.WriteString("=== iptables-save output ===\n")
+		log.Warnf("Failed to collect %s rules: %v", listBin, err)
+		return
+	}
+	if g.anonymize {
+		rules = g.anonymizer.AnonymizeString(rules)
+	}
+	if err := g.addFileToZip(strings.NewReader(rules), filename); err != nil {
+		log.Warnf("Failed to add %s rules to bundle: %v", listBin, err)
+	}
+}
+
+// collectIPTablesRules collects rules using both <saveBin> and verbose listing via <listBin>.
+// Returns an error when neither command produced any output (e.g. the binary is missing),
+// so the caller can skip writing an empty file.
+func collectIPTablesRules(saveBin, listBin string) (string, error) {
+	var builder strings.Builder
+	var collected bool
+	var firstErr error
+
+	saveOutput, err := runCommand(saveBin)
+	switch {
+	case err != nil:
+		firstErr = err
+		log.Warnf("Failed to collect %s output: %v", saveBin, err)
+	case strings.TrimSpace(saveOutput) == "":
+		log.Debugf("%s produced no output, skipping", saveBin)
+	default:
+		builder.WriteString(fmt.Sprintf("=== %s output ===\n", saveBin))
 		builder.WriteString(saveOutput)
 		builder.WriteString("\n")
+		collected = true
 	}

-	ipsetOutput, err := collectIPSets()
-	if err != nil {
-		log.Warnf("Failed to collect ipset information: %v", err)
-	} else {
-		builder.WriteString("=== ipset list output ===\n")
-		builder.WriteString(ipsetOutput)
-		builder.WriteString("\n")
-	}
-
-	builder.WriteString("=== iptables -v -n -L output ===\n")
+	listHeader := fmt.Sprintf("=== %s -v -n -L output ===\n", listBin)
+	builder.WriteString(listHeader)

 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
-
 	for _, table := range tables {
-		builder.WriteString(fmt.Sprintf("*%s\n", table))
-
-		stats, err := getTableStatistics(table)
+		stats, err := runCommand(listBin, "-v", "-n", "-L", "-t", table)
 		if err != nil {
-			log.Warnf("Failed to get statistics for table %s: %v", table, err)
+			if firstErr == nil {
+				firstErr = err
+			}
+			log.Warnf("Failed to get %s statistics for table %s: %v", listBin, table, err)
 			continue
 		}
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		builder.WriteString(stats)
 		builder.WriteString("\n")
+		collected = true
 	}

+	if !collected {
+		return "", fmt.Errorf("collect %s rules: %w", listBin, firstErr)
+	}
 	return builder.String(), nil
 }

@@ -214,34 +238,15 @@ func collectIPSets() (string, error) {
 	return ipsets, nil
 }

-// collectIPTablesSave uses iptables-save to get rule definitions
-func collectIPTablesSave() (string, error) {
-	cmd := exec.Command("iptables-save")
+// runCommand executes a command and returns its stdout, wrapping stderr in the error on failure.
+func runCommand(name string, args ...string) (string, error) {
+	cmd := exec.Command(name, args...)
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr

 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
-	}
-
-	rules := stdout.String()
-	if strings.TrimSpace(rules) == "" {
-		return "", fmt.Errorf("no iptables rules found")
-	}
-
-	return rules, nil
-}
-
-// getTableStatistics gets verbose statistics for an entire table using iptables command
-func getTableStatistics(table string) (string, error) {
-	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
+		return "", fmt.Errorf("execute %s: %w (stderr: %s)", name, err, stderr.String())
 	}

 	return stdout.String(), nil
@@ -804,3 +809,91 @@ func formatSetKeyType(keyType nftables.SetDatatype) string {
 		return fmt.Sprintf("type-%v", keyType)
 	}
 }
+
+// addSysctls collects forwarding and netbird-managed sysctl values and writes them to the bundle.
+func (g *BundleGenerator) addSysctls() error {
+	log.Info("Collecting sysctls")
+	content := collectSysctls()
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+	if err := g.addFileToZip(strings.NewReader(content), "sysctls.txt"); err != nil {
+		return fmt.Errorf("add sysctls to bundle: %w", err)
+	}
+	return nil
+}
+
+// collectSysctls reads every sysctl that the netbird client may modify, plus
+// global IPv4/IPv6 forwarding, and returns a formatted dump grouped by topic.
+// Per-interface values are enumerated by listing /proc/sys/net/ipv{4,6}/conf.
+func collectSysctls() string {
+	var builder strings.Builder
+
+	writeSysctlGroup(&builder, "forwarding", []string{
+		"net.ipv4.ip_forward",
+		"net.ipv6.conf.all.forwarding",
+		"net.ipv6.conf.default.forwarding",
+	})
+	writeSysctlGroup(&builder, "ipv4 per-interface forwarding", listInterfaceSysctls("ipv4", "forwarding"))
+	writeSysctlGroup(&builder, "ipv6 per-interface forwarding", listInterfaceSysctls("ipv6", "forwarding"))
+	writeSysctlGroup(&builder, "rp_filter", append(
+		[]string{"net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"},
+		listInterfaceSysctls("ipv4", "rp_filter")...,
+	))
+	writeSysctlGroup(&builder, "src_valid_mark", append(
+		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
+		listInterfaceSysctls("ipv4", "src_valid_mark")...,
+	))
+	writeSysctlGroup(&builder, "conntrack", []string{
+		"net.netfilter.nf_conntrack_acct",
+		"net.netfilter.nf_conntrack_tcp_loose",
+	})
+	writeSysctlGroup(&builder, "tcp", []string{
+		"net.ipv4.tcp_tw_reuse",
+	})
+
+	return builder.String()
+}
+
+func writeSysctlGroup(builder *strings.Builder, title string, keys []string) {
+	builder.WriteString(fmt.Sprintf("=== %s ===\n", title))
+	for _, key := range keys {
+		value, err := readSysctl(key)
+		if err != nil {
+			builder.WriteString(fmt.Sprintf("%s = <error: %v>\n", key, err))
+			continue
+		}
+		builder.WriteString(fmt.Sprintf("%s = %s\n", key, value))
+	}
+	builder.WriteString("\n")
+}
+
+// listInterfaceSysctls returns net.ipvX.conf.<iface>.<leaf> keys for every
+// interface present in /proc/sys/net/ipvX/conf, skipping "all" and "default"
+// (callers add those explicitly so they appear first).
+func listInterfaceSysctls(family, leaf string) []string {
+	dir := fmt.Sprintf("/proc/sys/net/%s/conf", family)
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil
+	}
+	var keys []string
+	for _, e := range entries {
+		name := e.Name()
+		if name == "all" || name == "default" {
+			continue
+		}
+		keys = append(keys, fmt.Sprintf("net.%s.conf.%s.%s", family, name, leaf))
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func readSysctl(key string) (string, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	value, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(value)), nil
+}
--- a/client/internal/debug/debug_nonlinux.go
+++ b/client/internal/debug/debug_nonlinux.go
@@ -17,3 +17,8 @@ func (g *BundleGenerator) addIPRules() error {
 	// IP rules are only supported on Linux
 	return nil
 }
+
+func (g *BundleGenerator) addSysctls() error {
+	// Sysctl collection is only supported on Linux
+	return nil
+}
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -1,63 +0,0 @@
-package dnsfw
-
-import (
-	"os"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// EnvDisable disables the DNS firewall entirely when set to a truthy value.
-	EnvDisable = "NB_DISABLE_DNS_FIREWALL"
-	// EnvPorts overrides the comma-separated list of remote ports to block.
-	// Empty disables the firewall.
-	EnvPorts = "NB_DNS_FIREWALL_PORTS"
-	// EnvStrict enables strict mode: permit DNS only to the virtual DNS IP
-	// and the netbird daemon. Default mode also permits anything on the
-	// netbird tunnel interface, which is safer if NRPT is silently ignored
-	// by Windows but lets apps reach custom DNS servers via the tunnel.
-	EnvStrict = "NB_DNS_FIREWALL_STRICT"
-)
-
-// defaultBlockedPorts are the well-known DNS ports we block for non-netbird
-// processes: 53 (plain DNS) and 853 (DNS-over-TLS).
-var defaultBlockedPorts = []uint16{53, 853}
-
-// blockedPorts returns the effective port list, honoring env overrides.
-// A nil return means the firewall should not be installed.
-func blockedPorts() []uint16 {
-	if disabled, _ := strconv.ParseBool(os.Getenv(EnvDisable)); disabled {
-		log.Infof("dns firewall disabled via %s", EnvDisable)
-		return nil
-	}
-
-	override, ok := os.LookupEnv(EnvPorts)
-	if !ok {
-		return defaultBlockedPorts
-	}
-
-	var ports []uint16
-	for _, raw := range strings.Split(override, ",") {
-		raw = strings.TrimSpace(raw)
-		if raw == "" {
-			continue
-		}
-		port, err := strconv.ParseUint(raw, 10, 16)
-		if err != nil {
-			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
-			continue
-		}
-		if port == 0 {
-			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
-			continue
-		}
-		ports = append(ports, uint16(port))
-	}
-	if len(ports) == 0 {
-		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
-		return nil
-	}
-	return ports
-}
--- a/client/internal/dns/dnsfw/config_test.go
+++ b/client/internal/dns/dnsfw/config_test.go
@@ -1,39 +0,0 @@
-package dnsfw
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestBlockedPorts(t *testing.T) {
-	tests := []struct {
-		name     string
-		disable  string
-		ports    string
-		setPorts bool
-		want     []uint16
-	}{
-		{name: "default", want: defaultBlockedPorts},
-		{name: "disabled", disable: "true", want: nil},
-		{name: "disabled false keeps default", disable: "false", want: defaultBlockedPorts},
-		{name: "override single port", ports: "53", setPorts: true, want: []uint16{53}},
-		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
-		{name: "override empty disables", ports: "", setPorts: true, want: nil},
-		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvDisable, tc.disable)
-			if tc.setPorts {
-				t.Setenv(EnvPorts, tc.ports)
-			}
-			got := blockedPorts()
-			if !reflect.DeepEqual(got, tc.want) {
-				t.Fatalf("blockedPorts() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
--- a/client/internal/dns/dnsfw/dnsfw.go
+++ b/client/internal/dns/dnsfw/dnsfw.go
@@ -1,16 +0,0 @@
-// Package dnsfw blocks DNS traffic from non-netbird processes when netbird is
-// managing the host's DNS, so that resolvers running on apps or libraries
-// outside netbird cannot bypass the configured DNS path.
-//
-// Implementation is Windows-only (uses WFP). On other platforms New returns
-// a no-op manager.
-package dnsfw
-
-import "net/netip"
-
-// Manager controls the per-tunnel DNS firewall. Both methods must be safe
-// to call multiple times.
-type Manager interface {
-	Enable(ifaceGUID string, virtualDNSIP netip.Addr) error
-	Disable() error
-}
--- a/client/internal/dns/dnsfw/dnsfw_other.go
+++ b/client/internal/dns/dnsfw/dnsfw_other.go
@@ -1,15 +0,0 @@
-//go:build !windows
-
-package dnsfw
-
-import "net/netip"
-
-type noopManager struct{}
-
-func (noopManager) Enable(string, netip.Addr) error { return nil }
-func (noopManager) Disable() error                  { return nil }
-
-// New returns a no-op manager on non-Windows platforms.
-func New() Manager {
-	return noopManager{}
-}
--- a/client/internal/dns/dnsfw/dnsfw_windows.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows.go
@@ -1,144 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"fmt"
-	"net/netip"
-	"os"
-	"strconv"
-	"sync"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-)
-
-var (
-	modIphlpapi                    = windows.NewLazyDLL("iphlpapi.dll")
-	procConvertInterfaceGuidToLuid = modIphlpapi.NewProc("ConvertInterfaceGuidToLuid")
-)
-
-type windowsManager struct {
-	mu sync.Mutex
-	// session is the WFP engine handle. Zero when disabled.
-	session uintptr
-}
-
-// Enable installs the dns firewall. Strict mode propagates failures;
-// non-strict mode logs and returns nil so partial protection is preserved.
-func (m *windowsManager) Enable(ifaceGUID string, virtualDNSIP netip.Addr) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	ports := blockedPorts()
-	if len(ports) == 0 {
-		return nil
-	}
-
-	if m.session != 0 {
-		if err := m.disableLocked(); err != nil {
-			return fmt.Errorf("reset existing dns firewall session: %w", err)
-		}
-	}
-
-	strict := strictMode()
-
-	luid, err := luidFromGUID(ifaceGUID)
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve tun luid from guid %s: %w", ifaceGUID, err))
-	}
-
-	exe, err := os.Executable()
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve daemon executable path: %w", err))
-	}
-
-	cfg := installConfig{
-		tunLUID:      luid,
-		daemonExe:    exe,
-		blockedPorts: ports,
-		strict:       strict,
-		virtualDNSIP: virtualDNSIP,
-	}
-	// session==0 signals a hard failure; non-zero with non-nil err is a partial install.
-	session, installErr := installFilters(cfg)
-	if session == 0 {
-		return m.failOrLog(strict, fmt.Errorf("install dns firewall filters: %w", installErr))
-	}
-
-	if installErr != nil && strict {
-		_ = closeSession(session)
-		return fmt.Errorf("strict dns firewall: partial install: %w", installErr)
-	}
-
-	m.session = session
-	log.Infof("dns firewall installed: iface=%s daemon=%s ports=%v strict=%v virtual_dns=%s",
-		ifaceGUID, exe, ports, strict, virtualDNSIP)
-	if installErr != nil {
-		log.Warnf("dns firewall partially installed (some filters failed): %v", installErr)
-	}
-	return nil
-}
-
-func (m *windowsManager) Disable() error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	return m.disableLocked()
-}
-
-func (m *windowsManager) disableLocked() error {
-	if m.session == 0 {
-		return nil
-	}
-	session := m.session
-	m.session = 0
-	if err := closeSession(session); err != nil {
-		return fmt.Errorf("close wfp session: %w", err)
-	}
-	log.Info("dns firewall removed")
-	return nil
-}
-
-// failOrLog returns err unchanged in strict mode. In non-strict mode the
-// error is logged and nil is returned.
-func (m *windowsManager) failOrLog(strict bool, err error) error {
-	if strict {
-		return err
-	}
-	log.Errorf("dns firewall: %v", err)
-	return nil
-}
-
-// New returns a Windows DNS firewall manager backed by WFP.
-func New() Manager {
-	return &windowsManager{}
-}
-
-// strictMode reports whether strict mode is enabled via env.
-func strictMode() bool {
-	v, _ := strconv.ParseBool(os.Getenv(EnvStrict))
-	return v
-}
-
-// luidFromGUID converts a Windows interface GUID string to its LUID.
-func luidFromGUID(ifaceGUID string) (luid uint64, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in luidFromGUID: %v", r)
-		}
-	}()
-
-	guid, err := windows.GUIDFromString(ifaceGUID)
-	if err != nil {
-		return 0, fmt.Errorf("parse guid: %w", err)
-	}
-	rc, _, _ := procConvertInterfaceGuidToLuid.Call(
-		uintptr(unsafe.Pointer(&guid)),
-		uintptr(unsafe.Pointer(&luid)),
-	)
-	if rc != 0 {
-		return 0, fmt.Errorf("ConvertInterfaceGuidToLuid returned %d", rc)
-	}
-	return luid, nil
-}
--- a/client/internal/dns/dnsfw/dnsfw_windows_test.go
+++ b/client/internal/dns/dnsfw/dnsfw_windows_test.go
@@ -1,72 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"net/netip"
-	"os"
-	"testing"
-)
-
-func TestStrictMode(t *testing.T) {
-	tests := []struct {
-		name string
-		val  string
-		set  bool
-		want bool
-	}{
-		{name: "unset", want: false},
-		{name: "true", val: "true", set: true, want: true},
-		{name: "1", val: "1", set: true, want: true},
-		{name: "false", val: "false", set: true, want: false},
-		{name: "invalid is false", val: "garbage", set: true, want: false},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvStrict, tc.val)
-			if !tc.set {
-				os.Unsetenv(EnvStrict)
-			}
-			if got := strictMode(); got != tc.want {
-				t.Fatalf("strictMode() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestWindowsManagerDisableIdempotent(t *testing.T) {
-	m := &windowsManager{}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("first Disable on fresh manager: %v", err)
-	}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("second Disable on fresh manager: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session should remain zero, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenDisabledByEnv(t *testing.T) {
-	t.Setenv(EnvDisable, "true")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when firewall disabled by env: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when env disables firewall, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenPortsEmpty(t *testing.T) {
-	t.Setenv(EnvPorts, "")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when ports list is empty: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when ports list is empty, got %d", m.session)
-	}
-}
--- a/client/internal/dns/dnsfw/helpers_windows.go
+++ b/client/internal/dns/dnsfw/helpers_windows.go
@@ -1,53 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/helpers.go.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"runtime"
-	"syscall"
-
-	"golang.org/x/sys/windows"
-)
-
-func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
-	namePtr, err := windows.UTF16PtrFromString(name)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	descriptionPtr, err := windows.UTF16PtrFromString(description)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	return &wtFwpmDisplayData0{
-		name:        namePtr,
-		description: descriptionPtr,
-	}, nil
-}
-
-func filterWeight(weight uint8) wtFwpValue0 {
-	return wtFwpValue0{
-		_type: cFWP_UINT8,
-		value: uintptr(weight),
-	}
-}
-
-func wrapErr(err error) error {
-	var errno syscall.Errno
-	if !errors.As(err, &errno) {
-		return err
-	}
-	_, file, line, ok := runtime.Caller(1)
-	if !ok {
-		return fmt.Errorf("wfp error at unknown location: %w", err)
-	}
-	return fmt.Errorf("wfp error at %s:%d: %w", file, line, err)
-}
--- a/client/internal/dns/dnsfw/rules_windows.go
+++ b/client/internal/dns/dnsfw/rules_windows.go
@@ -1,249 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Filter installers adapted from wireguard-windows tunnel/firewall/rules.go.
- * The block-DNS approach (port 53 + UDP/TCP) matches what wireguard-windows
- * uses for its kill-switch DNS leak protection. We extend it with a
- * configurable port set so we also cover :853 (DoT) and any future ports.
- */
-
-package dnsfw
-
-import (
-	"encoding/binary"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// Filters install at outbound ALE_AUTH_CONNECT layers only; inbound replies
-// follow the authorized outbound flow.
-
-// permitTunInterface installs a permit filter for any traffic whose local
-// interface is the netbird tunnel.
-func permitTunInterface(session uintptr, base *baseObjects, weight uint8, ifLUID uint64) error {
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_LOCAL_INTERFACE,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT64,
-			value: uintptr(unsafe.Pointer(&ifLUID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird tunnel")
-}
-
-// permitDaemonByAppID installs a permit filter matching the netbird daemon
-// executable by App-ID. App-ID alone is sufficient because netbird.exe is a
-// dedicated binary.
-func permitDaemonByAppID(session uintptr, base *baseObjects, daemonExe string, weight uint8) error {
-	appID, err := daemonAppID(daemonExe)
-	if err != nil {
-		return err
-	}
-	defer fwpmFreeMemory0(unsafe.Pointer(&appID))
-
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_ALE_APP_ID,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_BYTE_BLOB_TYPE,
-			value: uintptr(unsafe.Pointer(appID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird daemon")
-}
-
-// permitVirtualDNSIP installs a permit filter for DNS-port traffic destined
-// for the in-tunnel virtual DNS IP. Used in strict mode in lieu of
-// permitTunInterface.
-func permitVirtualDNSIP(session uintptr, base *baseObjects, ip netip.Addr, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := permitDNSToHost(session, base, ip, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit %s:%d: %w", ip, port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func permitDNSToHost(session uintptr, base *baseObjects, ip netip.Addr, port uint16, weight uint8) error {
-	if !ip.IsValid() {
-		return fmt.Errorf("invalid address")
-	}
-
-	var addrCond wtFwpmFilterCondition0
-	var layer windows.GUID
-	// v6 backing must outlive fwpmFilterAdd0; keep it on this stack frame.
-	var v6 wtFwpByteArray16
-
-	if ip.Is4() {
-		v4 := ip.As4()
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT32,
-				value: uintptr(binary.BigEndian.Uint32(v4[:])),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
-	} else {
-		v6 = wtFwpByteArray16{byteArray16: ip.As16()}
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_BYTE_ARRAY16_TYPE,
-				value: uintptr(unsafe.Pointer(&v6)),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
-	}
-
-	conditions := [2]wtFwpmFilterCondition0{
-		addrCond,
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-	}
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	display, err := createWtFwpmDisplayData0(fmt.Sprintf("Permit DNS to %s:%d", ip, port), "")
-	if err != nil {
-		return wrapErr(err)
-	}
-	filter.displayData = *display
-	filter.layerKey = layer
-
-	var filterID uint64
-	if err := fwpmFilterAdd0(session, &filter, 0, &filterID); err != nil {
-		return wrapErr(err)
-	}
-	_ = v6
-	return nil
-}
-
-// blockDNSPorts installs a deny filter for outbound traffic to each of the
-// given remote ports over UDP or TCP. Per-port and per-layer failures are
-// accumulated; partial coverage is preferred over zero coverage.
-func blockDNSPorts(session uintptr, base *baseObjects, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := blockDNSPort(session, base, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("block port %d: %w", port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8) error {
-	conditions := [3]wtFwpmFilterCondition0{
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_UDP),
-			},
-		},
-		// Repeat the IP_PROTOCOL condition for logical OR with TCP.
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_TCP),
-			},
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
-	}
-
-	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
-}
-
-// addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
-// connect layers. v4 and v6 are installed independently: failure on one
-// layer does not abort the other, and the accumulated errors are returned.
-// Partial coverage is preferred over zero coverage.
-func addOutboundFilters(session uintptr, filter *wtFwpmFilter0, name string) error {
-	layers := [...]struct {
-		layer windows.GUID
-		label string
-	}{
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V4, name + " (IPv4)"},
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V6, name + " (IPv6)"},
-	}
-
-	var merr *multierror.Error
-	for _, l := range layers {
-		display, err := createWtFwpmDisplayData0(l.label, "")
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-			continue
-		}
-		filter.displayData = *display
-		filter.layerKey = l.layer
-
-		var filterID uint64
-		if err := fwpmFilterAdd0(session, filter, 0, &filterID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
--- a/client/internal/dns/dnsfw/session_windows.go
+++ b/client/internal/dns/dnsfw/session_windows.go
@@ -1,177 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Session lifecycle and the high-level Install/Close entry points adapted
- * from wireguard-windows tunnel/firewall.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// installConfig is the input to installFilters.
-type installConfig struct {
-	tunLUID      uint64
-	daemonExe    string
-	blockedPorts []uint16
-	// strict, when true, narrows the carve-out from "anything on tun" to
-	// "DNS only to virtualDNSIP". virtualDNSIP must be valid in this case.
-	strict       bool
-	virtualDNSIP netip.Addr
-}
-
-// baseObjects holds the GUIDs of the WFP provider and sublayer registered
-// for our session. Both are randomly generated per session.
-type baseObjects struct {
-	provider windows.GUID
-	filters  windows.GUID
-}
-
-// installFilters opens a dynamic WFP session and installs the netbird DNS
-// firewall filters. Returns a zero session on hard failure (session create,
-// base objects); a non-zero session with a non-nil error is a partial install
-// (some per-filter installs failed) and is safe to close.
-func installFilters(cfg installConfig) (session uintptr, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			// Dynamic session: kernel will clean up on process exit even
-			// if we leave the handle dangling here.
-			err = fmt.Errorf("panic in installFilters: %v", r)
-		}
-	}()
-
-	if len(cfg.blockedPorts) == 0 {
-		return 0, errors.New("dns firewall: no blocked ports configured")
-	}
-	if cfg.strict && !cfg.virtualDNSIP.IsValid() {
-		return 0, errors.New("dns firewall: strict mode requires a valid virtual DNS IP")
-	}
-
-	session, err = createSession()
-	if err != nil {
-		return 0, err
-	}
-
-	base, err := registerBaseObjects(session)
-	if err != nil {
-		_ = fwpmEngineClose0(session)
-		return 0, fmt.Errorf("register base objects: %w", err)
-	}
-
-	var merr *multierror.Error
-	if cfg.strict {
-		if err := permitVirtualDNSIP(session, base, cfg.virtualDNSIP, cfg.blockedPorts, 15); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit virtual dns: %w", err))
-		}
-	} else {
-		if err := permitTunInterface(session, base, 15, cfg.tunLUID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit tun interface: %w", err))
-		}
-	}
-	if err := permitDaemonByAppID(session, base, cfg.daemonExe, 14); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("permit netbird daemon: %w", err))
-	}
-	if err := blockDNSPorts(session, base, cfg.blockedPorts, 10); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("block dns ports: %w", err))
-	}
-
-	return session, nberrors.FormatErrorOrNil(merr)
-}
-
-// closeSession tears down a WFP session previously opened by installFilters.
-// All filters owned by the session are removed.
-func closeSession(session uintptr) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in closeSession: %v", r)
-		}
-	}()
-
-	if session == 0 {
-		return nil
-	}
-	if err := fwpmEngineClose0(session); err != nil {
-		return wrapErr(err)
-	}
-	return nil
-}
-
-func createSession() (uintptr, error) {
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall dynamic session")
-	if err != nil {
-		return 0, wrapErr(err)
-	}
-	session := wtFwpmSession0{
-		displayData:          *displayData,
-		flags:                cFWPM_SESSION_FLAG_DYNAMIC,
-		txnWaitTimeoutInMSec: windows.INFINITE,
-	}
-	var handle uintptr
-	if err := fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&handle)); err != nil {
-		return 0, wrapErr(err)
-	}
-	return handle, nil
-}
-
-func registerBaseObjects(session uintptr) (*baseObjects, error) {
-	bo := &baseObjects{}
-	var err error
-	if bo.provider, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-	if bo.filters, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall provider")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	provider := wtFwpmProvider0{
-		providerKey: bo.provider,
-		displayData: *displayData,
-	}
-	if err := fwpmProviderAdd0(session, &provider, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	subDisplay, err := createWtFwpmDisplayData0("NetBird DNS firewall filters", "Permit and block filters")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	sublayer := wtFwpmSublayer0{
-		subLayerKey: bo.filters,
-		displayData: *subDisplay,
-		providerKey: &bo.provider,
-		weight:      ^uint16(0),
-	}
-	if err := fwpmSubLayerAdd0(session, &sublayer, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-	return bo, nil
-}
-
-// daemonAppID returns the WFP App-ID byte blob for the given executable path.
-func daemonAppID(path string) (*wtFwpByteBlob, error) {
-	pathPtr, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	var appID *wtFwpByteBlob
-	if err := fwpmGetAppIdFromFileName0(pathPtr, unsafe.Pointer(&appID)); err != nil {
-		return nil, wrapErr(err)
-	}
-	return appID, nil
-}
--- a/client/internal/dns/dnsfw/syscall_windows.go
+++ b/client/internal/dns/dnsfw/syscall_windows.go
@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
- */
-
-package dnsfw
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineopen0
-//sys	fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmEngineOpen0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineclose0
-//sys	fwpmEngineClose0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmEngineClose0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmsublayeradd0
-//sys	fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmSubLayerAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmgetappidfromfilename0
-//sys	fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmGetAppIdFromFileName0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfreememory0
-//sys	fwpmFreeMemory0(p unsafe.Pointer) = fwpuclnt.FwpmFreeMemory0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfilteradd0
-//sys	fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) [failretval!=0] = fwpuclnt.FwpmFilterAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/Fwpmu/nf-fwpmu-fwpmtransactionbegin0
-//sys	fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionBegin0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactioncommit0
-//sys	fwpmTransactionCommit0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionCommit0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactionabort0
-//sys	fwpmTransactionAbort0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionAbort0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
-//sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0
--- a/client/internal/dns/dnsfw/types_windows.go
+++ b/client/internal/dns/dnsfw/types_windows.go
@@ -1,414 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	anysizeArray = 1 // ANYSIZE_ARRAY defined in winnt.h
-
-	wtFwpBitmapArray64_Size = 8
-
-	wtFwpByteArray16_Size = 16
-
-	wtFwpByteArray6_Size = 6
-
-	wtFwpmAction0_Size              = 20
-	wtFwpmAction0_filterType_Offset = 4
-
-	wtFwpV4AddrAndMask_Size        = 8
-	wtFwpV4AddrAndMask_mask_Offset = 4
-
-	wtFwpV6AddrAndMask_Size                = 17
-	wtFwpV6AddrAndMask_prefixLength_Offset = 16
-)
-
-type wtFwpActionFlag uint32
-
-const (
-	cFWP_ACTION_FLAG_TERMINATING     wtFwpActionFlag = 0x00001000
-	cFWP_ACTION_FLAG_NON_TERMINATING wtFwpActionFlag = 0x00002000
-	cFWP_ACTION_FLAG_CALLOUT         wtFwpActionFlag = 0x00004000
-)
-
-// FWP_ACTION_TYPE defined in fwptypes.h
-type wtFwpActionType uint32
-
-const (
-	cFWP_ACTION_BLOCK               wtFwpActionType = wtFwpActionType(0x00000001 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_PERMIT              wtFwpActionType = wtFwpActionType(0x00000002 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_TERMINATING wtFwpActionType = wtFwpActionType(0x00000003 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_INSPECTION  wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_CALLOUT_UNKNOWN     wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
-	cFWP_ACTION_CONTINUE            wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_NONE                wtFwpActionType = 0x00000007
-	cFWP_ACTION_NONE_NO_MATCH       wtFwpActionType = 0x00000008
-	cFWP_ACTION_BITMAP_INDEX_SET    wtFwpActionType = 0x00000009
-)
-
-// FWP_BYTE_BLOB defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_blob_)
-type wtFwpByteBlob struct {
-	size uint32
-	data *uint8
-}
-
-// FWP_MATCH_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_match_type_)
-type wtFwpMatchType uint32
-
-const (
-	cFWP_MATCH_EQUAL                  wtFwpMatchType = 0
-	cFWP_MATCH_GREATER                wtFwpMatchType = cFWP_MATCH_EQUAL + 1
-	cFWP_MATCH_LESS                   wtFwpMatchType = cFWP_MATCH_GREATER + 1
-	cFWP_MATCH_GREATER_OR_EQUAL       wtFwpMatchType = cFWP_MATCH_LESS + 1
-	cFWP_MATCH_LESS_OR_EQUAL          wtFwpMatchType = cFWP_MATCH_GREATER_OR_EQUAL + 1
-	cFWP_MATCH_RANGE                  wtFwpMatchType = cFWP_MATCH_LESS_OR_EQUAL + 1
-	cFWP_MATCH_FLAGS_ALL_SET          wtFwpMatchType = cFWP_MATCH_RANGE + 1
-	cFWP_MATCH_FLAGS_ANY_SET          wtFwpMatchType = cFWP_MATCH_FLAGS_ALL_SET + 1
-	cFWP_MATCH_FLAGS_NONE_SET         wtFwpMatchType = cFWP_MATCH_FLAGS_ANY_SET + 1
-	cFWP_MATCH_EQUAL_CASE_INSENSITIVE wtFwpMatchType = cFWP_MATCH_FLAGS_NONE_SET + 1
-	cFWP_MATCH_NOT_EQUAL              wtFwpMatchType = cFWP_MATCH_EQUAL_CASE_INSENSITIVE + 1
-	cFWP_MATCH_PREFIX                 wtFwpMatchType = cFWP_MATCH_NOT_EQUAL + 1
-	cFWP_MATCH_NOT_PREFIX             wtFwpMatchType = cFWP_MATCH_PREFIX + 1
-	cFWP_MATCH_TYPE_MAX               wtFwpMatchType = cFWP_MATCH_NOT_PREFIX + 1
-)
-
-// FWPM_ACTION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_action0_)
-type wtFwpmAction0 struct {
-	_type      wtFwpActionType
-	filterType windows.GUID // Windows type: GUID
-}
-
-// Defined in fwpmu.h. 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-var cFWPM_CONDITION_IP_LOCAL_INTERFACE = windows.GUID{
-	Data1: 0x4cd62a49,
-	Data2: 0x59c3,
-	Data3: 0x4969,
-	Data4: [8]byte{0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4},
-}
-
-// Defined in fwpmu.h. b235ae9a-1d64-49b8-a44c-5ff3d9095045
-var cFWPM_CONDITION_IP_REMOTE_ADDRESS = windows.GUID{
-	Data1: 0xb235ae9a,
-	Data2: 0x1d64,
-	Data3: 0x49b8,
-	Data4: [8]byte{0xa4, 0x4c, 0x5f, 0xf3, 0xd9, 0x09, 0x50, 0x45},
-}
-
-// Defined in fwpmu.h. 3971ef2b-623e-4f9a-8cb1-6e79b806b9a7
-var cFWPM_CONDITION_IP_PROTOCOL = windows.GUID{
-	Data1: 0x3971ef2b,
-	Data2: 0x623e,
-	Data3: 0x4f9a,
-	Data4: [8]byte{0x8c, 0xb1, 0x6e, 0x79, 0xb8, 0x06, 0xb9, 0xa7},
-}
-
-// Defined in fwpmu.h. 0c1ba1af-5765-453f-af22-a8f791ac775b
-var cFWPM_CONDITION_IP_LOCAL_PORT = windows.GUID{
-	Data1: 0x0c1ba1af,
-	Data2: 0x5765,
-	Data3: 0x453f,
-	Data4: [8]byte{0xaf, 0x22, 0xa8, 0xf7, 0x91, 0xac, 0x77, 0x5b},
-}
-
-// Defined in fwpmu.h. c35a604d-d22b-4e1a-91b4-68f674ee674b
-var cFWPM_CONDITION_IP_REMOTE_PORT = windows.GUID{
-	Data1: 0xc35a604d,
-	Data2: 0xd22b,
-	Data3: 0x4e1a,
-	Data4: [8]byte{0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b},
-}
-
-// Defined in fwpmu.h. d78e1e87-8644-4ea5-9437-d809ecefc971
-var cFWPM_CONDITION_ALE_APP_ID = windows.GUID{
-	Data1: 0xd78e1e87,
-	Data2: 0x8644,
-	Data3: 0x4ea5,
-	Data4: [8]byte{0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71},
-}
-
-// af043a0a-b34d-4f86-979c-c90371af6e66
-var cFWPM_CONDITION_ALE_USER_ID = windows.GUID{
-	Data1: 0xaf043a0a,
-	Data2: 0xb34d,
-	Data3: 0x4f86,
-	Data4: [8]byte{0x97, 0x9c, 0xc9, 0x03, 0x71, 0xaf, 0x6e, 0x66},
-}
-
-// d9ee00de-c1ef-4617-bfe3-ffd8f5a08957
-var cFWPM_CONDITION_IP_LOCAL_ADDRESS = windows.GUID{
-	Data1: 0xd9ee00de,
-	Data2: 0xc1ef,
-	Data3: 0x4617,
-	Data4: [8]byte{0xbf, 0xe3, 0xff, 0xd8, 0xf5, 0xa0, 0x89, 0x57},
-}
-
-var (
-	cFWPM_CONDITION_ICMP_TYPE = cFWPM_CONDITION_IP_LOCAL_PORT
-	cFWPM_CONDITION_ICMP_CODE = cFWPM_CONDITION_IP_REMOTE_PORT
-)
-
-// 7bc43cbf-37ba-45f1-b74a-82ff518eeb10
-var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
-	Data1: 0x7bc43cbf,
-	Data2: 0x37ba,
-	Data3: 0x45f1,
-	Data4: [8]byte{0xb7, 0x4a, 0x82, 0xff, 0x51, 0x8e, 0xeb, 0x10},
-}
-
-type wtFwpmL2Flags uint32
-
-const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
-
-var cFWPM_CONDITION_FLAGS = windows.GUID{
-	Data1: 0x632ce23b,
-	Data2: 0x5167,
-	Data3: 0x435c,
-	Data4: [8]byte{0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c},
-}
-
-type wtFwpmFlags uint32
-
-const cFWP_CONDITION_FLAG_IS_LOOPBACK wtFwpmFlags = 0x00000001
-
-// Defined in fwpmtypes.h
-type wtFwpmFilterFlags uint32
-
-const (
-	cFWPM_FILTER_FLAG_NONE                                wtFwpmFilterFlags = 0x00000000
-	cFWPM_FILTER_FLAG_PERSISTENT                          wtFwpmFilterFlags = 0x00000001
-	cFWPM_FILTER_FLAG_BOOTTIME                            wtFwpmFilterFlags = 0x00000002
-	cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT                wtFwpmFilterFlags = 0x00000004
-	cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT                  wtFwpmFilterFlags = 0x00000008
-	cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED      wtFwpmFilterFlags = 0x00000010
-	cFWPM_FILTER_FLAG_DISABLED                            wtFwpmFilterFlags = 0x00000020
-	cFWPM_FILTER_FLAG_INDEXED                             wtFwpmFilterFlags = 0x00000040
-	cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT wtFwpmFilterFlags = 0x00000080
-	cFWPM_FILTER_FLAG_SYSTEMOS_ONLY                       wtFwpmFilterFlags = 0x00000100
-	cFWPM_FILTER_FLAG_GAMEOS_ONLY                         wtFwpmFilterFlags = 0x00000200
-	cFWPM_FILTER_FLAG_SILENT_MODE                         wtFwpmFilterFlags = 0x00000400
-	cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE           wtFwpmFilterFlags = 0x00000800
-)
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V4 (c38d57d1-05a7-4c33-904f-7fbceee60e82) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V4 = windows.GUID{
-	Data1: 0xc38d57d1,
-	Data2: 0x05a7,
-	Data3: 0x4c33,
-	Data4: [8]byte{0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82},
-}
-
-// e1cd9fe7-f4b5-4273-96c0-592e487b8650
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = windows.GUID{
-	Data1: 0xe1cd9fe7,
-	Data2: 0xf4b5,
-	Data3: 0x4273,
-	Data4: [8]byte{0x96, 0xc0, 0x59, 0x2e, 0x48, 0x7b, 0x86, 0x50},
-}
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V6 (4a72393b-319f-44bc-84c3-ba54dcb3b6b4) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V6 = windows.GUID{
-	Data1: 0x4a72393b,
-	Data2: 0x319f,
-	Data3: 0x44bc,
-	Data4: [8]byte{0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4},
-}
-
-// a3b42c97-9f04-4672-b87e-cee9c483257f
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = windows.GUID{
-	Data1: 0xa3b42c97,
-	Data2: 0x9f04,
-	Data3: 0x4672,
-	Data4: [8]byte{0xb8, 0x7e, 0xce, 0xe9, 0xc4, 0x83, 0x25, 0x7f},
-}
-
-// 94c44912-9d6f-4ebf-b995-05ab8a088d1b
-var cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0x94c44912,
-	Data2: 0x9d6f,
-	Data3: 0x4ebf,
-	Data4: [8]byte{0xb9, 0x95, 0x05, 0xab, 0x8a, 0x08, 0x8d, 0x1b},
-}
-
-// d4220bd3-62ce-4f08-ae88-b56e8526df50
-var cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0xd4220bd3,
-	Data2: 0x62ce,
-	Data3: 0x4f08,
-	Data4: [8]byte{0xae, 0x88, 0xb5, 0x6e, 0x85, 0x26, 0xdf, 0x50},
-}
-
-// FWP_BITMAP_ARRAY64 defined in fwtypes.h
-type wtFwpBitmapArray64 struct {
-	bitmapArray64 [8]uint8 // Windows type: [8]UINT8
-}
-
-// FWP_BYTE_ARRAY6 defined in fwtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array6_)
-type wtFwpByteArray6 struct {
-	byteArray6 [6]uint8 // Windows type: [6]UINT8
-}
-
-// FWP_BYTE_ARRAY16 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array16_)
-type wtFwpByteArray16 struct {
-	byteArray16 [16]uint8 // Windows type [16]UINT8
-}
-
-// FWP_CONDITION_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_condition_value0).
-type wtFwpConditionValue0 wtFwpValue0
-
-// FWP_DATA_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_data_type_)
-type wtFwpDataType uint
-
-const (
-	cFWP_EMPTY                         wtFwpDataType = 0
-	cFWP_UINT8                         wtFwpDataType = cFWP_EMPTY + 1
-	cFWP_UINT16                        wtFwpDataType = cFWP_UINT8 + 1
-	cFWP_UINT32                        wtFwpDataType = cFWP_UINT16 + 1
-	cFWP_UINT64                        wtFwpDataType = cFWP_UINT32 + 1
-	cFWP_INT8                          wtFwpDataType = cFWP_UINT64 + 1
-	cFWP_INT16                         wtFwpDataType = cFWP_INT8 + 1
-	cFWP_INT32                         wtFwpDataType = cFWP_INT16 + 1
-	cFWP_INT64                         wtFwpDataType = cFWP_INT32 + 1
-	cFWP_FLOAT                         wtFwpDataType = cFWP_INT64 + 1
-	cFWP_DOUBLE                        wtFwpDataType = cFWP_FLOAT + 1
-	cFWP_BYTE_ARRAY16_TYPE             wtFwpDataType = cFWP_DOUBLE + 1
-	cFWP_BYTE_BLOB_TYPE                wtFwpDataType = cFWP_BYTE_ARRAY16_TYPE + 1
-	cFWP_SID                           wtFwpDataType = cFWP_BYTE_BLOB_TYPE + 1
-	cFWP_SECURITY_DESCRIPTOR_TYPE      wtFwpDataType = cFWP_SID + 1
-	cFWP_TOKEN_INFORMATION_TYPE        wtFwpDataType = cFWP_SECURITY_DESCRIPTOR_TYPE + 1
-	cFWP_TOKEN_ACCESS_INFORMATION_TYPE wtFwpDataType = cFWP_TOKEN_INFORMATION_TYPE + 1
-	cFWP_UNICODE_STRING_TYPE           wtFwpDataType = cFWP_TOKEN_ACCESS_INFORMATION_TYPE + 1
-	cFWP_BYTE_ARRAY6_TYPE              wtFwpDataType = cFWP_UNICODE_STRING_TYPE + 1
-	cFWP_BITMAP_INDEX_TYPE             wtFwpDataType = cFWP_BYTE_ARRAY6_TYPE + 1
-	cFWP_BITMAP_ARRAY64_TYPE           wtFwpDataType = cFWP_BITMAP_INDEX_TYPE + 1
-	cFWP_SINGLE_DATA_TYPE_MAX          wtFwpDataType = 0xff
-	cFWP_V4_ADDR_MASK                  wtFwpDataType = cFWP_SINGLE_DATA_TYPE_MAX + 1
-	cFWP_V6_ADDR_MASK                  wtFwpDataType = cFWP_V4_ADDR_MASK + 1
-	cFWP_RANGE_TYPE                    wtFwpDataType = cFWP_V6_ADDR_MASK + 1
-	cFWP_DATA_TYPE_MAX                 wtFwpDataType = cFWP_RANGE_TYPE + 1
-)
-
-// FWP_V4_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v4_addr_and_mask).
-type wtFwpV4AddrAndMask struct {
-	addr uint32
-	mask uint32
-}
-
-// FWP_V6_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v6_addr_and_mask).
-type wtFwpV6AddrAndMask struct {
-	addr         [16]uint8
-	prefixLength uint8
-}
-
-// FWP_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_value0_)
-type wtFwpValue0 struct {
-	_type wtFwpDataType
-	value uintptr
-}
-
-// FWPM_DISPLAY_DATA0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwpm_display_data0).
-type wtFwpmDisplayData0 struct {
-	name        *uint16 // Windows type: *wchar_t
-	description *uint16 // Windows type: *wchar_t
-}
-
-// FWPM_FILTER_CONDITION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0).
-type wtFwpmFilterCondition0 struct {
-	fieldKey       windows.GUID // Windows type: GUID
-	matchType      wtFwpMatchType
-	conditionValue wtFwpConditionValue0
-}
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0_)
-type wtFwpProvider0 struct {
-	providerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16 // Windows type: *wchar_t
-}
-
-type wtFwpmSessionFlagsValue uint32
-
-const (
-	cFWPM_SESSION_FLAG_DYNAMIC wtFwpmSessionFlagsValue = 0x00000001 // FWPM_SESSION_FLAG_DYNAMIC defined in fwpmtypes.h
-)
-
-// FWPM_SESSION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_session0).
-type wtFwpmSession0 struct {
-	sessionKey           windows.GUID // Windows type: GUID
-	displayData          wtFwpmDisplayData0
-	flags                wtFwpmSessionFlagsValue // Windows type UINT32
-	txnWaitTimeoutInMSec uint32
-	processId            uint32 // Windows type: DWORD
-	sid                  *windows.SID
-	username             *uint16 // Windows type: *wchar_t
-	kernelMode           uint8   // Windows type: BOOL
-}
-
-type wtFwpmSublayerFlags uint32
-
-const (
-	cFWPM_SUBLAYER_FLAG_PERSISTENT wtFwpmSublayerFlags = 0x00000001 // FWPM_SUBLAYER_FLAG_PERSISTENT defined in fwpmtypes.h
-)
-
-// FWPM_SUBLAYER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_sublayer0_)
-type wtFwpmSublayer0 struct {
-	subLayerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        wtFwpmSublayerFlags
-	providerKey  *windows.GUID // Windows type: *GUID
-	providerData wtFwpByteBlob
-	weight       uint16
-}
-
-// Defined in rpcdce.h
-type wtRpcCAuthN uint32
-
-const (
-	cRPC_C_AUTHN_NONE    wtRpcCAuthN = 0
-	cRPC_C_AUTHN_WINNT   wtRpcCAuthN = 10
-	cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
-)
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/sv-se/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0).
-type wtFwpmProvider0 struct {
-	providerKey  windows.GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16
-}
-
-type wtIPProto uint32
-
-const (
-	cIPPROTO_ICMP   wtIPProto = 1
-	cIPPROTO_ICMPV6 wtIPProto = 58
-	cIPPROTO_TCP    wtIPProto = 6
-	cIPPROTO_UDP    wtIPProto = 17
-)
-
-const (
-	cFWP_ACTRL_MATCH_FILTER = 1
-)
--- a/client/internal/dns/dnsfw/types_windows_32.go
+++ b/client/internal/dns/dnsfw/types_windows_32.go
@@ -1,92 +0,0 @@
-//go:build windows && (386 || arm)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 8
-	wtFwpByteBlob_data_Offset = 4
-
-	wtFwpConditionValue0_Size         = 8
-	wtFwpConditionValue0_uint8_Offset = 4
-
-	wtFwpmDisplayData0_Size               = 8
-	wtFwpmDisplayData0_description_Offset = 4
-
-	wtFwpmFilter0_Size                       = 152
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 24
-	wtFwpmFilter0_providerKey_Offset         = 28
-	wtFwpmFilter0_providerData_Offset        = 32
-	wtFwpmFilter0_layerKey_Offset            = 40
-	wtFwpmFilter0_subLayerKey_Offset         = 56
-	wtFwpmFilter0_weight_Offset              = 72
-	wtFwpmFilter0_numFilterConditions_Offset = 80
-	wtFwpmFilter0_filterCondition_Offset     = 84
-	wtFwpmFilter0_action_Offset              = 88
-	wtFwpmFilter0_providerContextKey_Offset  = 112
-	wtFwpmFilter0_reserved_Offset            = 128
-	wtFwpmFilter0_filterID_Offset            = 136
-	wtFwpmFilter0_effectiveWeight_Offset     = 144
-
-	wtFwpmFilterCondition0_Size                  = 28
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 20
-
-	wtFwpmSession0_Size                        = 48
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 24
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
-	wtFwpmSession0_processId_Offset            = 32
-	wtFwpmSession0_sid_Offset                  = 36
-	wtFwpmSession0_username_Offset             = 40
-	wtFwpmSession0_kernelMode_Offset           = 44
-
-	wtFwpmSublayer0_Size                = 44
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 24
-	wtFwpmSublayer0_providerKey_Offset  = 28
-	wtFwpmSublayer0_providerData_Offset = 32
-	wtFwpmSublayer0_weight_Offset       = 40
-
-	wtFwpProvider0_Size                = 40
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 24
-	wtFwpProvider0_providerData_Offset = 28
-	wtFwpProvider0_serviceName_Offset  = 36
-
-	wtFwpTokenInformation_Size = 16
-
-	wtFwpValue0_Size         = 8
-	wtFwpValue0_value_Offset = 4
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags
-	providerKey         *windows.GUID // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	offset2             [4]byte       // Layout correction field
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}
--- a/client/internal/dns/dnsfw/types_windows_64.go
+++ b/client/internal/dns/dnsfw/types_windows_64.go
@@ -1,89 +0,0 @@
-//go:build windows && (amd64 || arm64)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 16
-	wtFwpByteBlob_data_Offset = 8
-
-	wtFwpConditionValue0_Size         = 16
-	wtFwpConditionValue0_uint8_Offset = 8
-
-	wtFwpmDisplayData0_Size               = 16
-	wtFwpmDisplayData0_description_Offset = 8
-
-	wtFwpmFilter0_Size                       = 200
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 32
-	wtFwpmFilter0_providerKey_Offset         = 40
-	wtFwpmFilter0_providerData_Offset        = 48
-	wtFwpmFilter0_layerKey_Offset            = 64
-	wtFwpmFilter0_subLayerKey_Offset         = 80
-	wtFwpmFilter0_weight_Offset              = 96
-	wtFwpmFilter0_numFilterConditions_Offset = 112
-	wtFwpmFilter0_filterCondition_Offset     = 120
-	wtFwpmFilter0_action_Offset              = 128
-	wtFwpmFilter0_providerContextKey_Offset  = 152
-	wtFwpmFilter0_reserved_Offset            = 168
-	wtFwpmFilter0_filterID_Offset            = 176
-	wtFwpmFilter0_effectiveWeight_Offset     = 184
-
-	wtFwpmFilterCondition0_Size                  = 40
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 24
-
-	wtFwpmSession0_Size                        = 72
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 32
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
-	wtFwpmSession0_processId_Offset            = 40
-	wtFwpmSession0_sid_Offset                  = 48
-	wtFwpmSession0_username_Offset             = 56
-	wtFwpmSession0_kernelMode_Offset           = 64
-
-	wtFwpmSublayer0_Size                = 72
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 32
-	wtFwpmSublayer0_providerKey_Offset  = 40
-	wtFwpmSublayer0_providerData_Offset = 48
-	wtFwpmSublayer0_weight_Offset       = 64
-
-	wtFwpProvider0_Size                = 64
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 32
-	wtFwpProvider0_providerData_Offset = 40
-	wtFwpProvider0_serviceName_Offset  = 56
-
-	wtFwpValue0_Size         = 16
-	wtFwpValue0_value_Offset = 8
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags // Windows type: UINT32
-	providerKey         *windows.GUID     // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}
--- a/client/internal/dns/dnsfw/zsyscall_windows.go
+++ b/client/internal/dns/dnsfw/zsyscall_windows.go
@@ -1,130 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package dnsfw
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-	errERROR_EINVAL     error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return errERROR_EINVAL
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
-
-	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
-	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
-	procFwpmFilterAdd0            = modfwpuclnt.NewProc("FwpmFilterAdd0")
-	procFwpmFreeMemory0           = modfwpuclnt.NewProc("FwpmFreeMemory0")
-	procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
-	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
-	procFwpmSubLayerAdd0          = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
-	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
-	procFwpmTransactionBegin0     = modfwpuclnt.NewProc("FwpmTransactionBegin0")
-	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
-)
-
-func fwpmEngineClose0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmEngineClose0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmEngineOpen0.Addr(), 5, uintptr(unsafe.Pointer(serverName)), uintptr(authnService), uintptr(unsafe.Pointer(authIdentity)), uintptr(unsafe.Pointer(session)), uintptr(engineHandle), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmFilterAdd0.Addr(), 4, uintptr(engineHandle), uintptr(unsafe.Pointer(filter)), uintptr(sd), uintptr(unsafe.Pointer(id)), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFreeMemory0(p unsafe.Pointer) {
-	syscall.Syscall(procFwpmFreeMemory0.Addr(), 1, uintptr(p), 0, 0)
-	return
-}
-
-func fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmGetAppIdFromFileName0.Addr(), 2, uintptr(unsafe.Pointer(fileName)), uintptr(appID), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmProviderAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(provider)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmSubLayerAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(subLayer)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionAbort0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionAbort0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionBegin0.Addr(), 2, uintptr(engineHandle), uintptr(flags), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionCommit0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionCommit0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -17,7 +17,6 @@ import (
 	"golang.org/x/sys/windows/registry"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -75,7 +74,6 @@ type registryConfigurator struct {
 	routingAll      bool
 	gpo             bool
 	nrptEntryCount  int
-	dnsFirewall     dnsfw.Manager
 	origNameservers []netip.Addr
 }

@@ -96,9 +94,8 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}

 	configurator := &registryConfigurator{
-		guid:        guid,
-		gpo:         useGPO,
-		dnsFirewall: dnsfw.New(),
+		guid: guid,
+		gpo:  useGPO,
 	}

 	origNameservers, err := configurator.captureOriginalNameservers()
@@ -279,8 +276,16 @@ func (r *registryConfigurator) disableWINSForInterface() error {
 }

 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
-	if err := r.applyRouteAll(config); err != nil {
-		return err
+	if config.RouteAll {
+		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+			return fmt.Errorf("add dns setup: %w", err)
+		}
+	} else if r.routingAll {
+		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+			return fmt.Errorf("delete interface registry key property: %w", err)
+		}
+		r.routingAll = false
+		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

 	r.updateState(stateManager)
@@ -296,13 +301,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}

-	// In RouteAll mode, install an NRPT root-zone rule so the system DNS client
-	// steers every query to the NetBird resolver even if the per-interface
-	// NameServer setting is bypassed or overridden by another adapter.
-	if config.RouteAll {
-		matchDomains = append(matchDomains, ".")
-	}
-
 	if err := r.removeDNSMatchPolicies(); err != nil {
 		log.Errorf("cleanup old dns match policies: %s", err)
 	}
@@ -329,35 +327,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }

-func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
-	if config.RouteAll {
-		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
-			return fmt.Errorf("dns firewall: %w", err)
-		}
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
-			if dErr := r.dnsFirewall.Disable(); dErr != nil {
-				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
-			}
-			return nberrors.FormatErrorOrNil(merr)
-		}
-		return nil
-	}
-
-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-	if !r.routingAll {
-		return nil
-	}
-	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-		return fmt.Errorf("delete interface registry key property: %w", err)
-	}
-	r.routingAll = false
-	log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
-	return nil
-}
-
 func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
 	if err := stateManager.UpdateState(&ShutdownState{
 		Guid:           r.guid,
@@ -544,10 +513,6 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}

-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-
 	go r.flushDNSCache()

 	return nil
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -8,8 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows/registry"
-
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 )

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
@@ -36,9 +34,8 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	}()

 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}

 	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
@@ -137,9 +134,8 @@ func TestNRPTDomainBatching(t *testing.T) {
 	}()

 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}

 	testCases := []struct {
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -772,13 +772,24 @@ func (s *DefaultServer) applyHostConfig() {
 // context is released rather than leaked until GC.
 func (s *DefaultServer) registerFallback() {
 	originalNameservers := s.hostManager.getOriginalNameservers()
-	if len(originalNameservers) == 0 {
+
+	serverIP := s.service.RuntimeIP()
+	var servers []netip.AddrPort
+	for _, ns := range originalNameservers {
+		if ns == serverIP {
+			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, serverIP)
+			continue
+		}
+		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
+	}
+
+	if len(servers) == 0 {
 		log.Debugf("no fallback upstreams to register; clearing PriorityFallback handler")
 		s.clearFallback()
 		return
 	}

-	log.Infof("registering original nameservers %v as upstream handlers with priority %d", originalNameservers, PriorityFallback)
+	log.Infof("registering original nameservers %v as upstream handlers with priority %d", servers, PriorityFallback)

 	handler, err := newUpstreamResolver(
 		s.ctx,
@@ -792,11 +803,6 @@ func (s *DefaultServer) registerFallback() {
 		return
 	}
 	handler.selectedRoutes = s.selectedRoutes
-
-	var servers []netip.AddrPort
-	for _, ns := range originalNameservers {
-		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
-	}
 	handler.addRace(servers)

 	prev := s.fallbackHandler
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -738,7 +738,10 @@ func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeI
 }

 func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
-	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
+	if len(routes) == 0 {
+		return false
+	}
+	return route.IsV4DefaultRoute(routes[0].Network) || route.IsV6DefaultRoute(routes[0].Network)
 }

 func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
+	"strings"
 	"sync"

 	"github.com/hashicorp/go-multierror"
@@ -12,10 +13,6 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

-const (
-	exitNodeCIDR = "0.0.0.0/0"
-)
-
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
@@ -124,13 +121,7 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	if rs.deselectAll {
-		return false
-	}
-
-	_, deselected := rs.deselectedRoutes[routeID]
-	isSelected := !deselected
-	return isSelected
+	return rs.isSelectedLocked(routeID)
 }

 // FilterSelected removes unselected routes from the provided map.
@@ -144,23 +135,22 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {

 	filtered := route.HAMap{}
 	for id, rt := range routes {
-		netID := id.NetID()
-		_, deselected := rs.deselectedRoutes[netID]
-		if !deselected {
+		if !rs.isDeselectedLocked(id.NetID()) {
 			filtered[id] = rt
 		}
 	}
 	return filtered
 }

-// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this route.
+// Intended for exit-node code paths: a v6 exit-node pair (e.g. "MyExit-v6") with no explicit state of
+// its own inherits its v4 base's state, so legacy persisted selections that predate v6 pairing
+// transparently apply to the synthesized v6 entry.
 func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()

-	_, selected := rs.selectedRoutes[routeID]
-	_, deselected := rs.deselectedRoutes[routeID]
-	return selected || deselected
+	return rs.hasUserSelectionForRouteLocked(rs.effectiveNetID(routeID))
 }

 func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
@@ -174,7 +164,7 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	filtered := make(route.HAMap, len(routes))
 	for id, rt := range routes {
 		netID := id.NetID()
-		if rs.isDeselected(netID) {
+		if rs.isDeselectedLocked(netID) {
 			continue
 		}

@@ -189,13 +179,48 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	return filtered
 }

-func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
+// effectiveNetID returns the v4 base for a "-v6" exit pair entry that has no explicit
+// state of its own, so selections made on the v4 entry govern the v6 entry automatically.
+// Only call this from exit-node-specific code paths: applying it to a non-exit "-v6" route
+// would make it inherit unrelated v4 state. Must be called with rs.mu held.
+func (rs *RouteSelector) effectiveNetID(id route.NetID) route.NetID {
+	name := string(id)
+	if !strings.HasSuffix(name, route.V6ExitSuffix) {
+		return id
+	}
+	if _, ok := rs.selectedRoutes[id]; ok {
+		return id
+	}
+	if _, ok := rs.deselectedRoutes[id]; ok {
+		return id
+	}
+	return route.NetID(strings.TrimSuffix(name, route.V6ExitSuffix))
+}
+
+func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
+	if rs.deselectAll {
+		return false
+	}
+	_, deselected := rs.deselectedRoutes[routeID]
+	return !deselected
+}
+
+func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
+	if rs.deselectAll {
+		return true
+	}
 	_, deselected := rs.deselectedRoutes[netID]
-	return deselected || rs.deselectAll
+	return deselected
+}
+
+func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
 }

 func isExitNode(rt []*route.Route) bool {
-	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
+	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
 }

 func (rs *RouteSelector) applyExitNodeFilter(
@@ -204,26 +229,23 @@ func (rs *RouteSelector) applyExitNodeFilter(
 	rt []*route.Route,
 	out route.HAMap,
 ) {
-
-	if rs.hasUserSelections() {
-		// user made explicit selects/deselects
-		if rs.IsSelected(netID) {
+	// Exit-node path: apply the v4/v6 pair mirror so a deselect on the v4 base also
+	// drops the synthesized v6 entry that lacks its own explicit state.
+	effective := rs.effectiveNetID(netID)
+	if rs.hasUserSelectionForRouteLocked(effective) {
+		if rs.isSelectedLocked(effective) {
 			out[id] = rt
 		}
 		return
 	}

-	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
+	// no explicit selection for this route: defer to management's SkipAutoApply flag
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }

-func (rs *RouteSelector) hasUserSelections() bool {
-	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
-}
-
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -330,6 +330,137 @@ func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
 	assert.Len(t, filtered, 0) // No routes should be selected
 }

+// TestRouteSelector_V6ExitPairInherits covers the v4/v6 exit-node pair selection
+// mirror. The mirror is scoped to exit-node code paths: HasUserSelectionForRoute
+// and FilterSelectedExitNodes resolve a "-v6" entry without explicit state to its
+// v4 base, so legacy persisted selections that predate v6 pairing transparently
+// apply to the synthesized v6 entry. General lookups (IsSelected, FilterSelected)
+// stay literal so unrelated routes named "*-v6" don't inherit unrelated state.
+func TestRouteSelector_V6ExitPairInherits(t *testing.T) {
+	all := []route.NetID{"exit1", "exit1-v6", "exit2", "exit2-v6", "corp", "corp-v6"}
+
+	t.Run("HasUserSelectionForRoute mirrors deselected v4 base", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 pair sees v4 base's user selection")
+
+		// unrelated v6 with no v4 base touched is unaffected
+		assert.False(t, rs.HasUserSelectionForRoute("exit2-v6"))
+	})
+
+	t.Run("IsSelected stays literal for non-exit lookups", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
+
+		// A non-exit route literally named "corp-v6" must not inherit "corp"'s state
+		// via the mirror; the mirror only applies in exit-node code paths.
+		assert.False(t, rs.IsSelected("corp"))
+		assert.True(t, rs.IsSelected("corp-v6"), "non-exit *-v6 routes must not inherit unrelated v4 state")
+	})
+
+	t.Run("explicit v6 state overrides v4 base in filter", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1-v6"}, true, all))
+
+		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
+		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
+		routes := route.HAMap{
+			"exit1|0.0.0.0/0": {v4Route},
+			"exit1-v6|::/0":   {v6Route},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.NotContains(t, filtered, route.HAUniqueID("exit1|0.0.0.0/0"))
+		assert.Contains(t, filtered, route.HAUniqueID("exit1-v6|::/0"), "explicit v6 select wins over v4 base")
+	})
+
+	t.Run("non-v6-suffix routes unaffected", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		// A route literally named "exit1-something" must not pair-resolve.
+		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
+	})
+
+	t.Run("filter v6 paired with deselected v4 base", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
+
+		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
+		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
+		routes := route.HAMap{
+			"exit1|0.0.0.0/0": {v4Route},
+			"exit1-v6|::/0":   {v6Route},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.Empty(t, filtered, "deselecting v4 base must also drop the v6 pair")
+	})
+
+	t.Run("non-exit *-v6 routes pass through FilterSelectedExitNodes", func(t *testing.T) {
+		rs := routeselector.NewRouteSelector()
+		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
+
+		// A non-default-route entry named "corp-v6" is not an exit node and
+		// must not be skipped because its v4 base "corp" is deselected.
+		corpV6 := &route.Route{NetID: "corp-v6", Network: netip.MustParsePrefix("10.0.0.0/8")}
+		routes := route.HAMap{
+			"corp-v6|10.0.0.0/8": {corpV6},
+		}
+
+		filtered := rs.FilterSelectedExitNodes(routes)
+		assert.Contains(t, filtered, route.HAUniqueID("corp-v6|10.0.0.0/8"),
+			"non-exit *-v6 routes must not inherit unrelated v4 state in FilterSelectedExitNodes")
+	})
+}
+
+// TestRouteSelector_SkipAutoApplyPerRoute verifies that management's
+// SkipAutoApply flag governs each untouched route independently, even when
+// the user has explicit selections on other routes.
+func TestRouteSelector_SkipAutoApplyPerRoute(t *testing.T) {
+	autoApplied := &route.Route{
+		NetID:         "Auto",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		SkipAutoApply: false,
+	}
+	skipApply := &route.Route{
+		NetID:         "Skip",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		SkipAutoApply: true,
+	}
+	routes := route.HAMap{
+		"Auto|0.0.0.0/0": {autoApplied},
+		"Skip|0.0.0.0/0": {skipApply},
+	}
+
+	rs := routeselector.NewRouteSelector()
+	// User makes an unrelated explicit selection elsewhere.
+	require.NoError(t, rs.DeselectRoutes([]route.NetID{"Unrelated"}, []route.NetID{"Auto", "Skip", "Unrelated"}))
+
+	filtered := rs.FilterSelectedExitNodes(routes)
+	assert.Contains(t, filtered, route.HAUniqueID("Auto|0.0.0.0/0"), "AutoApply route should be included")
+	assert.NotContains(t, filtered, route.HAUniqueID("Skip|0.0.0.0/0"), "SkipAutoApply route should be excluded without explicit user selection")
+}
+
+// TestRouteSelector_V6ExitIsExitNode verifies that ::/0 routes are recognized
+// as exit nodes by the selector's filter path.
+func TestRouteSelector_V6ExitIsExitNode(t *testing.T) {
+	v6Exit := &route.Route{
+		NetID:         "V6Only",
+		Network:       netip.MustParsePrefix("::/0"),
+		SkipAutoApply: true,
+	}
+	routes := route.HAMap{
+		"V6Only|::/0": {v6Exit},
+	}
+
+	rs := routeselector.NewRouteSelector()
+	filtered := rs.FilterSelectedExitNodes(routes)
+	assert.Empty(t, filtered, "::/0 should be treated as an exit node and respect SkipAutoApply")
+}
+
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -64,6 +64,13 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>

 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,10 +83,28 @@
 			</Directory>
 		</StandardDirectory>

+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>

 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
--- a/client/ui/network.go
+++ b/client/ui/network.go
@@ -193,7 +193,15 @@ func getOverlappingNetworks(routes []*proto.Network) []*proto.Network {
 }

 func isDefaultRoute(routeRange string) bool {
-	return routeRange == "0.0.0.0/0" || routeRange == "::/0"
+	// routeRange is the merged display string from the daemon, e.g. "0.0.0.0/0",
+	// "::/0", or "0.0.0.0/0, ::/0" when a v4 exit node has a paired v6 entry.
+	for _, part := range strings.Split(routeRange, ",") {
+		switch strings.TrimSpace(part) {
+		case "0.0.0.0/0", "::/0":
+			return true
+		}
+	}
+	return false
 }

 func getExitNodeNetworks(routes []*proto.Network) []*proto.Network {
--- a/management/internals/modules/reverseproxy/domain/manager/manager.go
+++ b/management/internals/modules/reverseproxy/domain/manager/manager.go
@@ -304,10 +304,27 @@ func (m Manager) getClusterAllowList(ctx context.Context, accountID string) ([]s
 	if err != nil {
 		return nil, fmt.Errorf("get BYOP cluster addresses: %w", err)
 	}
-	if len(byopAddresses) > 0 {
-		return byopAddresses, nil
+	publicAddresses, err := m.proxyManager.GetActiveClusterAddresses(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("get public cluster addresses: %w", err)
 	}
-	return m.proxyManager.GetActiveClusterAddresses(ctx)
+	seen := make(map[string]struct{}, len(byopAddresses)+len(publicAddresses))
+	merged := make([]string, 0, len(byopAddresses)+len(publicAddresses))
+	for _, addr := range byopAddresses {
+		if _, ok := seen[addr]; ok {
+			continue
+		}
+		seen[addr] = struct{}{}
+		merged = append(merged, addr)
+	}
+	for _, addr := range publicAddresses {
+		if _, ok := seen[addr]; ok {
+			continue
+		}
+		seen[addr] = struct{}{}
+		merged = append(merged, addr)
+	}
+	return merged, nil
 }

 func extractClusterFromCustomDomains(serviceDomain string, customDomains []*domain.Domain) (string, bool) {
--- a/management/internals/modules/reverseproxy/domain/manager/manager_test.go
+++ b/management/internals/modules/reverseproxy/domain/manager/manager_test.go
@@ -40,22 +40,37 @@ func (m *mockProxyManager) ClusterSupportsCrowdSec(_ context.Context, _ string)
 	return nil
 }

-func TestGetClusterAllowList_BYOPProxy(t *testing.T) {
+func TestGetClusterAllowList_BYOPMergedWithPublic(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, accID string) ([]string, error) {
 			assert.Equal(t, "acc-123", accID)
 			return []string{"byop.example.com"}, nil
 		},
 		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			t.Fatal("should not call GetActiveClusterAddresses when BYOP addresses exist")
-			return nil, nil
+			return []string{"eu.proxy.netbird.io"}, nil
 		},
 	}

 	mgr := Manager{proxyManager: pm}
 	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
 	require.NoError(t, err)
-	assert.Equal(t, []string{"byop.example.com"}, result)
+	assert.Equal(t, []string{"byop.example.com", "eu.proxy.netbird.io"}, result)
+}
+
+func TestGetClusterAllowList_DeduplicatesBYOPAndPublic(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"shared.example.com", "byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return []string{"shared.example.com", "eu.proxy.netbird.io"}, nil
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.NoError(t, err)
+	assert.Equal(t, []string{"shared.example.com", "byop.example.com", "eu.proxy.netbird.io"}, result)
 }

 func TestGetClusterAllowList_NoBYOP_FallbackToShared(t *testing.T) {
@@ -79,10 +94,6 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
 			return nil, errors.New("db error")
 		},
-		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			t.Fatal("should not call GetActiveClusterAddresses when BYOP lookup fails")
-			return nil, nil
-		},
 	}

 	mgr := Manager{proxyManager: pm}
@@ -92,6 +103,23 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 	assert.Contains(t, err.Error(), "BYOP cluster addresses")
 }

+func TestGetClusterAllowList_PublicError_ReturnsError(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return nil, errors.New("db error")
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.Error(t, err)
+	assert.Nil(t, result)
+	assert.Contains(t, err.Error(), "public cluster addresses")
+}
+
 func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
@@ -108,3 +136,19 @@ func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	assert.Equal(t, []string{"eu.proxy.netbird.io"}, result)
 }

+func TestGetClusterAllowList_PublicEmpty_BYOPOnly(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return nil, nil
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.NoError(t, err)
+	assert.Equal(t, []string{"byop.example.com"}, result)
+}
+
--- a/management/internals/modules/reverseproxy/service/manager/manager.go
+++ b/management/internals/modules/reverseproxy/service/manager/manager.go
@@ -306,6 +306,10 @@ func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, clus
 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)

+	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
+		return err
+	}
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -321,10 +325,6 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			return err
 		}

-		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
-			return err
-		}
-
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -435,6 +435,10 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)

+	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
+		return err
+	}
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
@@ -448,10 +452,6 @@ func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, pee
 			return err
 		}

-		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
-			return err
-		}
-
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -552,10 +552,22 @@ func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, se
 	svcForCaps.ProxyCluster = effectiveCluster
 	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)

+	if err := validateTargetReferences(ctx, m.store, accountID, service.Targets); err != nil {
+		return nil, err
+	}
+
+	// Validate subdomain requirement *before* the transaction: the underlying
+	// capability lookup talks to the main DB pool, and SQLite's single-connection
+	// pool would self-deadlock if this ran while the tx already held the only
+	// connection.
+	if err := m.validateSubdomainRequirement(ctx, service.Domain, effectiveCluster); err != nil {
+		return nil, err
+	}
+
 	var updateInfo serviceUpdateInfo

 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts, effectiveCluster)
 	})

 	return &updateInfo, err
@@ -585,7 +597,7 @@ func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string,
 	return existing.ProxyCluster, nil
 }

-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool, effectiveCluster string) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
@@ -603,17 +615,13 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	updateInfo.domainChanged = existingService.Domain != service.Domain

 	if updateInfo.domainChanged {
-		if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
+		if err := m.handleDomainChange(ctx, transaction, service, effectiveCluster); err != nil {
 			return err
 		}
 	} else {
 		service.ProxyCluster = existingService.ProxyCluster
 	}

-	if err := m.validateSubdomainRequirement(ctx, service.Domain, service.ProxyCluster); err != nil {
-		return err
-	}
-
 	m.preserveExistingAuthSecrets(service, existingService)
 	if err := validateHeaderAuthValues(service.Auth.HeaderAuths); err != nil {
 		return err
@@ -628,9 +636,6 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {
 		return err
 	}
-	if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-		return err
-	}
 	if err := transaction.UpdateService(ctx, service); err != nil {
 		return fmt.Errorf("update service: %w", err)
 	}
@@ -638,20 +643,18 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	return nil
 }

-func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, svc *service.Service) error {
+// handleDomainChange validates the new domain is free inside the transaction
+// and applies the pre-resolved cluster (computed outside the tx by
+// resolveEffectiveCluster). It must NOT call clusterDeriver here: that talks
+// to the main DB pool and would self-deadlock under SQLite (max_open_conns=1)
+// because the transaction already holds the only connection.
+func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, svc *service.Service, effectiveCluster string) error {
 	if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, svc.ID); err != nil {
 		return err
 	}
-
-	if m.clusterDeriver != nil {
-		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
-		} else {
-			svc.ProxyCluster = newCluster
-		}
+	if effectiveCluster != "" {
+		svc.ProxyCluster = effectiveCluster
 	}
-
 	return nil
 }

--- a/management/internals/modules/reverseproxy/service/service.go
+++ b/management/internals/modules/reverseproxy/service/service.go
@@ -381,13 +381,14 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 		}

 		// HTTP/HTTPS: build full URL
+		hostNoBrackets := strings.TrimSuffix(strings.TrimPrefix(target.Host, "["), "]")
 		targetURL := url.URL{
 			Scheme: target.Protocol,
-			Host:   target.Host,
+			Host:   bracketIPv6Host(hostNoBrackets),
 			Path:   "/",
 		}
 		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
-			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.FormatUint(uint64(target.Port), 10))
+			targetURL.Host = net.JoinHostPort(hostNoBrackets, strconv.FormatUint(uint64(target.Port), 10))
 		}

 		path := "/"
@@ -405,6 +406,19 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 	return pathMappings
 }

+// bracketIPv6Host wraps host in square brackets when it is an IPv6 literal, as
+// required for the Host field of net/url.URL (RFC 3986 §3.2.2). v4-mapped IPv6
+// addresses are bracketed too since their textual form contains colons.
+func bracketIPv6Host(host string) string {
+	if strings.HasPrefix(host, "[") {
+		return host
+	}
+	if addr, err := netip.ParseAddr(host); err == nil && addr.Is6() {
+		return "[" + host + "]"
+	}
+	return host
+}
+
 func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
 	switch op {
 	case Create:
--- a/management/internals/modules/reverseproxy/service/service_test.go
+++ b/management/internals/modules/reverseproxy/service/service_test.go
@@ -351,6 +351,83 @@ func TestToProtoMapping_PortInTargetURL(t *testing.T) {
 			port:       80,
 			wantTarget: "https://10.0.0.1:80/",
 		},
+		{
+			name:       "domain host without port is unchanged",
+			protocol:   "http",
+			host:       "example.com",
+			port:       0,
+			wantTarget: "http://example.com/",
+		},
+		{
+			name:       "domain host with non-default port is unchanged",
+			protocol:   "http",
+			host:       "example.com",
+			port:       8080,
+			wantTarget: "http://example.com:8080/",
+		},
+		{
+			name:       "ipv6 host without port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       0,
+			wantTarget: "http://[fb00:cafe:1::3]/",
+		},
+		{
+			name:       "ipv6 host with default port omits port and brackets host",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       80,
+			wantTarget: "http://[fb00:cafe:1::3]/",
+		},
+		{
+			name:       "ipv6 host with non-default port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       8080,
+			wantTarget: "http://[fb00:cafe:1::3]:8080/",
+		},
+		{
+			name:       "ipv6 loopback without port is bracketed",
+			protocol:   "http",
+			host:       "::1",
+			port:       0,
+			wantTarget: "http://[::1]/",
+		},
+		{
+			name:       "ipv6 host with 5-digit port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe::1",
+			port:       18080,
+			wantTarget: "http://[fb00:cafe::1]:18080/",
+		},
+		{
+			name:       "pre-bracketed ipv6 without port stays single-bracketed",
+			protocol:   "http",
+			host:       "[fb00:cafe::1]",
+			port:       0,
+			wantTarget: "http://[fb00:cafe::1]/",
+		},
+		{
+			name:       "pre-bracketed ipv6 with port is not double-bracketed",
+			protocol:   "http",
+			host:       "[fb00:cafe::1]",
+			port:       8080,
+			wantTarget: "http://[fb00:cafe::1]:8080/",
+		},
+		{
+			name:       "v4-mapped ipv6 host without port is bracketed",
+			protocol:   "http",
+			host:       "::ffff:10.0.0.1",
+			port:       0,
+			wantTarget: "http://[::ffff:10.0.0.1]/",
+		},
+		{
+			name:       "full-form 8-group ipv6 without port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1:0:0:0:0:3",
+			port:       0,
+			wantTarget: "http://[fb00:cafe:1:0:0:0:0:3]/",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/management/internals/shared/grpc/proxy.go
+++ b/management/internals/shared/grpc/proxy.go
@@ -394,6 +394,13 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		if end > len(mappings) {
 			end = len(mappings)
 		}
+		for _, m := range mappings[i:end] {
+			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
+			if err != nil {
+				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
+			}
+			m.AuthToken = token
+		}
 		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
 			Mapping:             mappings[i:end],
 			InitialSyncComplete: end == len(mappings),
@@ -425,18 +432,14 @@ func (s *ProxyServiceServer) snapshotServiceMappings(ctx context.Context, conn *
 		return nil, fmt.Errorf("get services from store: %w", err)
 	}

+	oidcCfg := s.GetOIDCValidationConfig()
 	var mappings []*proto.ProxyMapping
 	for _, service := range services {
 		if !service.Enabled || service.ProxyCluster == "" || service.ProxyCluster != conn.address {
 			continue
 		}

-		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, s.proxyTokenTTL())
-		if err != nil {
-			return nil, fmt.Errorf("generate auth token for service %s: %w", service.ID, err)
-		}
-
-		m := service.ToProtoMapping(rpservice.Create, token, s.GetOIDCValidationConfig())
+		m := service.ToProtoMapping(rpservice.Create, "", oidcCfg)
 		if !proxyAcceptsMapping(conn, m) {
 			continue
 		}
--- a/management/internals/shared/grpc/proxy_snapshot_test.go
+++ b/management/internals/shared/grpc/proxy_snapshot_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"testing"
+	"time"

 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -172,3 +173,55 @@ func TestSendSnapshot_EmptySnapshot(t *testing.T) {
 	assert.Empty(t, stream.messages[0].Mapping)
 	assert.True(t, stream.messages[0].InitialSyncComplete)
 }
+
+type hookingStream struct {
+	grpc.ServerStream
+	onSend func(*proto.GetMappingUpdateResponse)
+}
+
+func (s *hookingStream) Send(m *proto.GetMappingUpdateResponse) error {
+	if s.onSend != nil {
+		s.onSend(m)
+	}
+	return nil
+}
+
+func (s *hookingStream) Context() context.Context     { return context.Background() }
+func (s *hookingStream) SetHeader(metadata.MD) error  { return nil }
+func (s *hookingStream) SendHeader(metadata.MD) error { return nil }
+func (s *hookingStream) SetTrailer(metadata.MD)       {}
+func (s *hookingStream) SendMsg(any) error            { return nil }
+func (s *hookingStream) RecvMsg(any) error            { return nil }
+
+func TestSendSnapshot_TokensRemainValidUnderSlowSend(t *testing.T) {
+	const cluster = "cluster.example.com"
+	const batchSize = 2
+	const totalServices = 6
+	const ttl = 100 * time.Millisecond
+	const sendDelay = 200 * time.Millisecond
+
+	ctrl := gomock.NewController(t)
+	mgr := rpservice.NewMockManager(ctrl)
+	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
+
+	s := newSnapshotTestServer(t, batchSize)
+	s.serviceManager = mgr
+	s.tokenTTL = ttl
+
+	var validateErrs []error
+	stream := &hookingStream{
+		onSend: func(resp *proto.GetMappingUpdateResponse) {
+			for _, m := range resp.Mapping {
+				if err := s.tokenStore.ValidateAndConsume(m.AuthToken, m.AccountId, m.Id); err != nil {
+					validateErrs = append(validateErrs, fmt.Errorf("svc %s: %w", m.Id, err))
+				}
+			}
+			time.Sleep(sendDelay)
+		},
+	}
+	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
+
+	require.NoError(t, s.sendSnapshot(context.Background(), conn))
+	require.Empty(t, validateErrs,
+		"tokens must remain valid even when batches are sent slowly: lazy per-batch generation guarantees freshness")
+}
--- a/management/internals/shared/grpc/server.go
+++ b/management/internals/shared/grpc/server.go
@@ -522,10 +522,11 @@ func (s *Server) sendJob(ctx context.Context, peerKey wgtypes.Key, job *job.Even
 }

 func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
-	unlock := s.acquirePeerLockByUID(ctx, peer.Key)
+	uncanceledCTX := context.WithoutCancel(ctx)
+	unlock := s.acquirePeerLockByUID(uncanceledCTX, peer.Key)
 	defer unlock()

-	s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, streamStartTime)
+	s.cancelPeerRoutinesWithoutLock(uncanceledCTX, accountID, peer, streamStartTime)
 }

 func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
--- a/management/internals/shared/grpc/validate_session_test.go
+++ b/management/internals/shared/grpc/validate_session_test.go
@@ -326,17 +326,25 @@ func (m *testValidateSessionServiceManager) GetActiveClusters(_ context.Context,
 	return nil, nil
 }

+func (m *testValidateSessionServiceManager) DeleteAccountCluster(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
 type testValidateSessionProxyManager struct{}

-func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _ string, _ *string, _ *proxy.Capabilities) error {
+func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _, _ string, _ *string, _ *proxy.Capabilities) (*proxy.Proxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _, _ string) error {
 	return nil
 }

-func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _ string) error {
+func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _ *proxy.Proxy) error {
 	return nil
 }

-func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _, _, _ string) error {
+func (m *testValidateSessionProxyManager) DeleteAccountCluster(_ context.Context, _, _ string) error {
 	return nil
 }

--- a/management/server/account.go
+++ b/management/server/account.go
@@ -291,10 +291,15 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		return nil, status.NewPermissionDeniedError()
 	}

+	// Canonicalize the incoming range so a caller-supplied prefix with host bits
+	// (e.g. 100.64.1.1/16) compares equal to the masked form stored on network.Net.
+	newSettings.NetworkRange = newSettings.NetworkRange.Masked()
+
 	var oldSettings *types.Settings
 	var updateAccountPeers bool
 	var groupChangesAffectPeers bool
 	var reloadReverseProxy bool
+	var effectiveOldNetworkRange netip.Prefix

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var groupsUpdated bool
@@ -308,6 +313,16 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			return err
 		}

+		// No lock: the transaction already holds Settings(Update), and network.Net is
+		// only mutated by reallocateAccountPeerIPs, which is reachable only through
+		// this same code path. A Share lock here would extend an unnecessary row lock
+		// and complicate ordering against updatePeerIPv6InTransaction.
+		network, err := transaction.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
+		if err != nil {
+			return fmt.Errorf("get account network: %w", err)
+		}
+		effectiveOldNetworkRange = prefixFromIPNet(network.Net)
+
 		if oldSettings.Extra != nil && newSettings.Extra != nil &&
 			oldSettings.Extra.PeerApprovalEnabled && !newSettings.Extra.PeerApprovalEnabled {
 			approvedCount, err := transaction.ApproveAccountPeers(ctx, accountID)
@@ -321,7 +336,7 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			}
 		}

-		if oldSettings.NetworkRange != newSettings.NetworkRange {
+		if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
@@ -396,9 +411,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountDNSDomainUpdated, eventMeta)
 	}
-	if oldSettings.NetworkRange != newSettings.NetworkRange {
+	if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
 		eventMeta := map[string]any{
-			"old_network_range": oldSettings.NetworkRange.String(),
+			"old_network_range": effectiveOldNetworkRange.String(),
 			"new_network_range": newSettings.NetworkRange.String(),
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountNetworkRangeUpdated, eventMeta)
@@ -443,6 +458,22 @@ func ipv6SettingsChanged(old, updated *types.Settings) bool {
 	return !slices.Equal(oldGroups, newGroups)
 }

+// prefixFromIPNet returns the overlay prefix actually allocated on the account
+// network, or an invalid prefix if none is set. Settings.NetworkRange is a
+// user-facing override that is empty on legacy accounts, so the effective
+// range must be read from network.Net to compare against an incoming update.
+func prefixFromIPNet(ipNet net.IPNet) netip.Prefix {
+	if ipNet.IP == nil {
+		return netip.Prefix{}
+	}
+	addr, ok := netip.AddrFromSlice(ipNet.IP)
+	if !ok {
+		return netip.Prefix{}
+	}
+	ones, _ := ipNet.Mask.Size()
+	return netip.PrefixFrom(addr.Unmap(), ones)
+}
+
 func (am *DefaultAccountManager) validateSettingsUpdate(ctx context.Context, transaction store.Store, newSettings, oldSettings *types.Settings, userID, accountID string) error {
 	halfYearLimit := 180 * 24 * time.Hour
 	if newSettings.PeerLoginExpiration > halfYearLimit {
@@ -2487,6 +2518,18 @@ func (am *DefaultAccountManager) buildIPv6AllowedPeers(ctx context.Context, tran
 			allowedPeers[peerID] = struct{}{}
 		}
 	}
+
+	// Embedded proxy peers sit outside regular group membership but must
+	// participate in any v6-enabled overlay to reach v6-only peers.
+	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
+	if err != nil {
+		return nil, fmt.Errorf("get peers: %w", err)
+	}
+	for _, p := range peers {
+		if p.ProxyMeta.Embedded {
+			allowedPeers[p.ID] = struct{}{}
+		}
+	}
 	return allowedPeers, nil
 }

--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -3970,6 +3970,96 @@ func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangeChange(t *testi
 	}
 }

+// TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved guards against
+// peer IP reallocation when a settings update carries the network range that is already
+// in use. Legacy accounts have Settings.NetworkRange unset in the DB while network.Net
+// holds the actual allocated overlay; the dashboard backfills the GET response from
+// network.Net and echoes the value back on PUT, so the diff must be against the
+// effective range to avoid renumbering every peer on an unrelated settings change.
+func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved(t *testing.T) {
+	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
+	ctx := context.Background()
+
+	settings, err := manager.Store.GetAccountSettings(ctx, store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+	require.False(t, settings.NetworkRange.IsValid(), "precondition: new accounts leave Settings.NetworkRange unset")
+
+	network, err := manager.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+	require.NotNil(t, network.Net.IP, "precondition: network.Net should be allocated")
+	addr, ok := netip.AddrFromSlice(network.Net.IP)
+	require.True(t, ok)
+	ones, _ := network.Net.Mask.Size()
+	effective := netip.PrefixFrom(addr.Unmap(), ones)
+	require.True(t, effective.IsValid())
+
+	before := map[string]netip.Addr{peer1.ID: peer1.IP, peer2.ID: peer2.IP, peer3.ID: peer3.IP}
+
+	// Round-trip the effective range as if the dashboard echoed back the GET-backfilled value.
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               effective,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err := manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	require.Len(t, peers, len(before))
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when range matches effective", p.ID)
+	}
+
+	// Carrying the same range with host bits set must also be a no-op once canonicalized.
+	hostBitsForm := netip.PrefixFrom(peer1.IP, ones)
+	require.NotEqual(t, effective, hostBitsForm, "precondition: host-bit form should differ before masking")
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               hostBitsForm,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change for host-bit-set equivalent range", p.ID)
+	}
+
+	// Omitting NetworkRange (invalid prefix) must also be a no-op.
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when NetworkRange omitted", p.ID)
+	}
+
+	// Sanity: an actually different range still triggers reallocation.
+	newRange := netip.MustParsePrefix("100.99.0.0/16")
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               newRange,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.True(t, newRange.Contains(p.IP), "peer %s should be in new range %s, got %s", p.ID, newRange, p.IP)
+		assert.NotEqual(t, before[p.ID], p.IP, "peer %s IP should change on real range update", p.ID)
+	}
+}
+
 func TestDefaultAccountManager_UpdateAccountSettings_IPv6EnabledGroups(t *testing.T) {
 	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
 	ctx := context.Background()
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -762,16 +762,19 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		newPeer.IP = freeIP

 		if len(settings.IPv6EnabledGroups) > 0 && network.NetV6.IP != nil {
-			var allGroupID string
-			if !peer.ProxyMeta.Embedded {
-				allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, "All")
-				if err != nil {
-					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
-				} else {
+			// Embedded proxy peers are not group members but participate in any
+			// IPv6-enabled overlay so reverse-proxy traffic reaches v6-only peers.
+			allocate := peer.ProxyMeta.Embedded
+			if !allocate {
+				var allGroupID string
+				if allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, types.GroupAllName); err == nil {
 					allGroupID = allGroup.ID
+				} else {
+					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
 				}
+				allocate = peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID)
 			}
-			if peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID) {
+			if allocate {
 				v6Prefix, err := netip.ParsePrefix(network.NetV6.String())
 				if err != nil {
 					return nil, nil, nil, fmt.Errorf("parse IPv6 prefix: %w", err)
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"net/url"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -2794,12 +2795,27 @@ func NewSqliteStore(ctx context.Context, dataDir string, metrics telemetry.AppMe
 		connStr = filepath.Join(dataDir, filePath)
 	}

-	// Append query parameters: user-provided take precedence, otherwise default to cache=shared on non-Windows
-	if hasQuery {
-		connStr += "?" + query
-	} else if runtime.GOOS != "windows" {
+	// Compose query parameters. User-provided ?_busy_timeout (or its mattn alias
+	// ?_timeout) overrides our default; otherwise inject 30s so SQLite waits at
+	// most that long on a lock instead of blocking the only Go-side connection.
+	// mattn/go-sqlite3 applies PRAGMA from the DSN on every fresh connection, so
+	// the value survives ConnMaxIdleTime/ConnMaxLifetime recycling. cache=shared
+	// stays the default on non-Windows for the same reason as before.
+	parsed, _ := url.ParseQuery(query)
+	var defaults []string
+	if parsed.Get("_busy_timeout") == "" && parsed.Get("_timeout") == "" {
+		defaults = append(defaults, "_busy_timeout=30000")
+	}
+	if !hasQuery && runtime.GOOS != "windows" {
 		// To avoid `The process cannot access the file because it is being used by another process` on Windows
-		connStr += "?cache=shared"
+		defaults = append(defaults, "cache=shared")
+	}
+	parts := defaults
+	if hasQuery {
+		parts = append(parts, query)
+	}
+	if len(parts) > 0 {
+		connStr += "?" + strings.Join(parts, "&")
 	}

 	db, err := gorm.Open(sqlite.Open(connStr), getGormConfig())
@@ -3402,7 +3418,7 @@ func (s *SqlStore) IncrementNetworkSerial(ctx context.Context, accountId string)
 }

 func (s *SqlStore) ExecuteInTransaction(ctx context.Context, operation func(store Store) error) error {
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), s.transactionTimeout)
+	timeoutCtx, cancel := context.WithTimeout(ctx, s.transactionTimeout)
 	defer cancel()

 	startTime := time.Now()
--- a/management/server/store/sql_store_test.go
+++ b/management/server/store/sql_store_test.go
@@ -4592,3 +4592,55 @@ func TestSqlStore_DeleteZoneDNSRecords(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, 0, len(remainingRecords))
 }
+
+// TestNewSqliteStore_BusyTimeoutApplied opens a fresh SQLite store and verifies
+// that the _busy_timeout DSN parameter took effect at the driver level. Without
+// this, lock contention on the single SQLite connection waits indefinitely on
+// the Go side and can be hidden behind the 5-minute transactionTimeout.
+func TestNewSqliteStore_BusyTimeoutApplied(t *testing.T) {
+	dir := t.TempDir()
+	store, err := NewSqliteStore(context.Background(), dir, nil, true)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = store.Close(context.Background())
+	})
+
+	sqlDB, err := store.db.DB()
+	require.NoError(t, err)
+	row := sqlDB.QueryRow("PRAGMA busy_timeout")
+	var busyTimeout int
+	require.NoError(t, row.Scan(&busyTimeout))
+	assert.Equal(t, 30000, busyTimeout, "SQLite busy_timeout must be set via DSN so it survives connection recycling")
+}
+
+// TestNewSqliteStore_BusyTimeoutRespectsUserOverride confirms that an operator
+// passing _busy_timeout or its mattn alias _timeout via NB_STORE_ENGINE_SQLITE_FILE
+// wins over our 30s default. This guards the DSN merge logic in NewSqliteStore.
+func TestNewSqliteStore_BusyTimeoutRespectsUserOverride(t *testing.T) {
+	cases := []struct {
+		name     string
+		envFile  string
+		expected int
+	}{
+		{name: "explicit _busy_timeout wins", envFile: "store.db?_busy_timeout=5000", expected: 5000},
+		{name: "alias _timeout wins", envFile: "store.db?_timeout=7000", expected: 7000},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv("NB_STORE_ENGINE_SQLITE_FILE", tc.envFile)
+			dir := t.TempDir()
+			store, err := NewSqliteStore(context.Background(), dir, nil, true)
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				_ = store.Close(context.Background())
+			})
+
+			sqlDB, err := store.db.DB()
+			require.NoError(t, err)
+			row := sqlDB.QueryRow("PRAGMA busy_timeout")
+			var busyTimeout int
+			require.NoError(t, row.Scan(&busyTimeout))
+			assert.Equal(t, tc.expected, busyTimeout)
+		})
+	}
+}
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -598,28 +598,21 @@ func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	return groupList
 }

-// PeerIPv6Allowed reports whether the given peer is in any of the account's IPv6 enabled groups.
+// PeerIPv6Allowed reports whether the given peer participates in the IPv6 overlay.
 // Returns false if IPv6 is disabled or no groups are configured.
 func (a *Account) PeerIPv6Allowed(peerID string) bool {
-	if len(a.Settings.IPv6EnabledGroups) == 0 {
-		return false
-	}
-
-	for _, groupID := range a.Settings.IPv6EnabledGroups {
-		group, ok := a.Groups[groupID]
-		if !ok {
-			continue
-		}
-		if slices.Contains(group.Peers, peerID) {
-			return true
-		}
-	}
-	return false
+	_, ok := a.peerIPv6AllowedSet()[peerID]
+	return ok
 }

-// peerIPv6AllowedSet returns a set of peer IDs that belong to any IPv6-enabled group.
+// peerIPv6AllowedSet returns the set of peer IDs that participate in the IPv6 overlay:
+// members of any IPv6-enabled group, plus every embedded proxy peer (which sit outside
+// regular group membership but must reach v6-enabled peers).
 func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 	result := make(map[string]struct{})
+	if len(a.Settings.IPv6EnabledGroups) == 0 {
+		return result
+	}
 	for _, groupID := range a.Settings.IPv6EnabledGroups {
 		group, ok := a.Groups[groupID]
 		if !ok {
@@ -629,6 +622,11 @@ func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 			result[peerID] = struct{}{}
 		}
 	}
+	for id, p := range a.Peers {
+		if p != nil && p.ProxyMeta.Embedded {
+			result[id] = struct{}{}
+		}
+	}
 	return result
 }

--- a/management/server/types/group.go
+++ b/management/server/types/group.go
@@ -92,9 +92,12 @@ func (g *Group) HasPeers() bool {
 	return len(g.Peers) > 0
 }

+// GroupAllName is the reserved name of the default group that contains every peer in an account.
+const GroupAllName = "All"
+
 // IsGroupAll checks if the group is a default "All" group.
 func (g *Group) IsGroupAll() bool {
-	return g.Name == "All"
+	return g.Name == GroupAllName
 }

 // AddPeer adds peerID to Peers if not present, returning true if added.
--- a/management/server/types/ipv6_groups_test.go
+++ b/management/server/types/ipv6_groups_test.go
@@ -232,3 +232,33 @@ func TestIPv6RecalculationOnGroupChange(t *testing.T) {
 		assert.True(t, account.PeerIPv6Allowed("peer3"), "peer3 now in infra")
 	})
 }
+
+func TestPeerIPv6AllowedEmbeddedProxy(t *testing.T) {
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peer1": {ID: "peer1"},
+			"proxy": {ID: "proxy", ProxyMeta: nbpeer.ProxyMeta{Embedded: true, Cluster: "netbird.test"}},
+		},
+		Groups: map[string]*Group{
+			"group-devs": {ID: "group-devs", Peers: []string{"peer1"}},
+		},
+		Settings: &Settings{},
+	}
+
+	t.Run("embedded proxy allowed when any v6 group exists, without group membership", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		assert.True(t, account.PeerIPv6Allowed("proxy"), "embedded proxy participates in v6 overlay")
+		assert.True(t, account.PeerIPv6Allowed("peer1"), "regular peer in enabled group still allowed")
+	})
+
+	t.Run("embedded proxy denied when no v6 group enabled", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = nil
+		assert.False(t, account.PeerIPv6Allowed("proxy"), "v6 disabled account-wide denies embedded proxies too")
+	})
+
+	t.Run("non-embedded peer outside any enabled group is not pulled in", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		account.Peers["lonely"] = &nbpeer.Peer{ID: "lonely"}
+		assert.False(t, account.PeerIPv6Allowed("lonely"), "embedded-proxy bypass must not leak to regular peers")
+	})
+}
Author	SHA1	Message	Date
Viktor Liu	94a8b7325e	Filter DNS fallback upstreams matching our server IP to prevent loops	2026-05-17 15:49:31 +02:00
Viktor Liu	3f91f49277	Clean up legacy 32-bit and HKCU registry entries on Windows install (#6176 )	2026-05-16 16:52:57 +02:00
Maycon Santos	347c5bf317	Avoid context cancellation in `cancelPeerRoutines` (#6175 ) When closing go routines and handling peer disconnect, we should avoid canceling the flow due to parent gRPC context cancellation. This change triggers disconnection handling with a context that is not bound to the parent gRPC cancellation.	2026-05-16 16:29:01 +02:00
Viktor Liu	22e2519d71	[management] Avoid peer IP reallocation when account settings update preserves the network range (#6173 )	2026-05-16 15:51:48 +02:00
Vlad	e916f12cca	[proxy] auth token generation on mapping (#6157 ) * [management / proxy] auth token generation on mapping * fix tests	2026-05-15 19:13:44 +02:00
Viktor Liu	9ed2e2a5b4	[client] Drop DNS probes for passive health projection (#5971 )	2026-05-15 17:07:38 +02:00
Viktor Liu	2ccae7ec47	[client] Mirror v4 exit selection onto v6 pair and honour SkipAutoApply per route (#6150 )	2026-05-15 16:58:47 +02:00
Viktor Liu	07e5450117	[management] Bracket IPv6 reverse-proxy target hosts when building URL Host field (#6141 )	2026-05-14 16:42:40 +02:00
Viktor Liu	3f914090cb	[client] Bracket IPv6 in embed listeners, expand debug bundle (#6134 )	2026-05-14 16:22:53 +02:00
Viktor Liu	ea9fab4396	[management] Allocate and preserve IPv6 overlay addresses for embedded proxy peers (#6132 )	2026-05-14 16:05:33 +02:00
Vlad	77b479286e	[management] fix offline statuses for public proxy clusters (#6133 )	2026-05-14 13:27:50 +02:00
Maycon Santos	ab2a8794e7	[client] Add short flags for status command options (#6137 ) * [client] Add short flags for status command options * uppercase filters	2026-05-14 12:30:42 +02:00