fix: management/Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-11031045
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-11936905

.github/workflows/docs-ack.yml

@@ -16,19 +16,29 @@ jobs:
     steps:
       - name: Read PR body
         id: body
+        shell: bash
         run: |
-          BODY=$(jq -r '.pull_request.body // ""' "$GITHUB_EVENT_PATH")
-          echo "body<<EOF" >> $GITHUB_OUTPUT
-          echo "$BODY" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          BODY_B64=$(jq -r '.pull_request.body // "" | @base64' "$GITHUB_EVENT_PATH")
+          {
+            echo "body_b64=$BODY_B64"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Validate checkbox selection
         id: validate
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          if ! body="$(printf '%s' "$BODY_B64" | base64 -d)"; then
+            echo "::error::Failed to decode PR body from base64. Data may be corrupted or missing."
+            exit 1
+          fi
+
+          added_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*I added/updated documentation' | wc -l | tr -d '[:space:]' || true)
+          noneed_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*Documentation is \*\*not needed\*\*' | wc -l | tr -d '[:space:]' || true)
 
-          added_checked=$(printf "%s" "$body" | grep -E '^- \[x\] I added/updated documentation' -i | wc -l | tr -d ' ')
-          noneed_checked=$(printf "%s" "$body" | grep -E '^- \[x\] Documentation is \*\*not needed\*\*' -i | wc -l | tr -d ' ')
 
           if [ "$added_checked" -eq 1 ] && [ "$noneed_checked" -eq 1 ]; then
             echo "::error::Choose exactly one: either 'docs added' OR 'not needed'."
@@ -41,30 +51,35 @@ jobs:
           fi
 
           if [ "$added_checked" -eq 1 ]; then
-            echo "mode=added" >> $GITHUB_OUTPUT
+            echo "mode=added" >> "$GITHUB_OUTPUT"
           else
-            echo "mode=noneed" >> $GITHUB_OUTPUT
+            echo "mode=noneed" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Extract docs PR URL (when 'docs added')
         if: steps.validate.outputs.mode == 'added'
         id: extract
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          body="$(printf '%s' "$BODY_B64" | base64 -d)"
 
           # Strictly require HTTPS and that it's a PR in netbirdio/docs
-          # Examples accepted:
-          #   https://github.com/netbirdio/docs/pull/1234
-          url=$(printf "%s" "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)
+          # e.g., https://github.com/netbirdio/docs/pull/1234
+          url="$(printf '%s' "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)"
 
-          if [ -z "$url" ]; then
+          if [ -z "${url:-}" ]; then
             echo "::error::You checked 'docs added' but didn't include a valid HTTPS PR link to netbirdio/docs (e.g., https://github.com/netbirdio/docs/pull/1234)."
             exit 1
           fi
 
-          pr_number=$(echo "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')
-          echo "url=$url" >> $GITHUB_OUTPUT
-          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          pr_number="$(printf '%s' "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')"
+          {
+            echo "url=$url"
+            echo "pr_number=$pr_number"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Verify docs PR exists (and is open or merged)
         if: steps.validate.outputs.mode == 'added'

.github/workflows/golang-test-freebsd.yml

@@ -25,8 +25,7 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
-            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.23.12.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            

.github/workflows/golang-test-linux.yml

@@ -217,7 +217,7 @@ jobs:
           - arch: "386"
             raceFlag: ""
           - arch: "amd64"
-            raceFlag: ""
+            raceFlag: "-race"
     runs-on: ubuntu-22.04
     steps:
       - name: Install Go
@@ -382,6 +382,32 @@ jobs:
         store: [ 'sqlite', 'postgres' ]
     runs-on: ubuntu-22.04
     steps:
+      - name: Create Docker network
+        run: docker network create promnet
+
+      - name: Start Prometheus Pushgateway
+        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
+
+      - name: Start Prometheus (for Pushgateway forwarding)
+        run: |
+          echo '
+          global:
+            scrape_interval: 15s
+          scrape_configs:
+            - job_name: "pushgateway"
+              static_configs:
+                - targets: ["pushgateway:9091"]
+          remote_write:
+            - url: ${{ secrets.GRAFANA_URL }}
+              basic_auth:
+                username: ${{ secrets.GRAFANA_USER }}
+                password: ${{ secrets.GRAFANA_API_KEY }}
+          ' > prometheus.yml
+
+          docker run -d --name prometheus --network promnet \
+            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
+            -p 9090:9090 \
+            prom/prometheus
       - name: Install Go
         uses: actions/setup-go@v5
         with:
@@ -428,9 +454,10 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
           CI=true \
+          GIT_BRANCH=${{ github.ref_name }} \
           go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/...
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+          -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)
 
   api_benchmark:
     name: "Management / Benchmark (API)"
@@ -521,7 +548,7 @@ jobs:
             -run=^$ \
             -bench=. \
             -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/... ./shared/management/...
+            -timeout 20m ./management/server/http/...
 
   api_integration_test:
     name: "Management / Integration"
@@ -571,4 +598,4 @@ jobs:
           CI=true \
           go test -tags=integration \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/...
+          -timeout 20m ./management/server/http/...

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.22"
+  SIGN_PIPE_VER: "v0.0.23"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.github/workflows/test-infrastructure-files.yml

@@ -83,6 +83,15 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Setup MySQL privileges
+        if: matrix.store == 'mysql'
+        run: |
+          sleep 10
+          mysql -h 127.0.0.1 -u root -pmysqlroot -e "
+            GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'netbird'@'%';
+            FLUSH PRIVILEGES;
+          "
+
       - name: cp setup.env
         run: cp infrastructure_files/tests/setup.env infrastructure_files/
 

README.md

@@ -1,3 +1,4 @@
+
 <div align="center">
 <br/>
   <br/>
@@ -52,7 +53,7 @@
 
 ### Open Source Network Security in a Single Platform
 
-<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />
+https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
 
 ### NetBird on Lawrence Systems (Video)
 [![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

client/Dockerfile

@@ -18,7 +18,7 @@ ENV \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
 

client/android/client.go

@@ -4,6 +4,7 @@ package android
 
 import (
 	"context"
+	"os"
 	"slices"
 	"sync"
 
@@ -18,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/util/net"
+	"github.com/netbirdio/netbird/client/net"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -83,7 +84,8 @@ func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersi
 }
 
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
+func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
+	exportEnvList(envList)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -118,7 +120,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
 // In this case make no sense handle registration steps.
-func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
+func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
+	exportEnvList(envList)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -249,3 +252,14 @@ func (c *Client) SetConnectionListener(listener ConnectionListener) {
 func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
+
+func exportEnvList(list *EnvList) {
+	if list == nil {
+		return
+	}
+	for k, v := range list.AllItems() {
+		if err := os.Setenv(k, v); err != nil {
+			log.Errorf("could not set env variable %s: %v", k, err)
+		}
+	}
+}

client/android/env_list.go

@@ -0,0 +1,32 @@
+package android
+
+import "github.com/netbirdio/netbird/client/internal/peer"
+
+var (
+	// EnvKeyNBForceRelay Exported for Android java client
+	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
+)
+
+// EnvList wraps a Go map for export to Java
+type EnvList struct {
+	data map[string]string
+}
+
+// NewEnvList creates a new EnvList
+func NewEnvList() *EnvList {
+	return &EnvList{data: make(map[string]string)}
+}
+
+// Put adds a key-value pair
+func (el *EnvList) Put(key, value string) {
+	el.data[key] = value
+}
+
+// Get retrieves a value by key
+func (el *EnvList) Get(key string) string {
+	return el.data[key]
+}
+
+func (el *EnvList) AllItems() map[string]string {
+	return el.data
+}

client/android/login.go

@@ -33,6 +33,7 @@ type ErrListener interface {
 // the backend want to show an url for the user
 type URLOpener interface {
 	Open(string)
+	OnLoginSuccess()
 }
 
 // Auth can register or login new client
@@ -181,6 +182,11 @@ func (a *Auth) login(urlOpener URLOpener) error {
 
 	err = a.withBackOff(a.ctx, func() error {
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
+
+		if err == nil {
+			go urlOpener.OnLoginSuccess()
+		}
+
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			return nil
 		}

client/cmd/debug.go

@@ -33,7 +33,7 @@ var (
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
-	Long:  "Provides commands for debugging and logging control within the NetBird daemon.",
+	Long:  "Commands for debugging and logging within the NetBird daemon.",
 }
 
 var debugBundleCmd = &cobra.Command{

client/cmd/down.go

@@ -14,7 +14,8 @@ import (
 
 var downCmd = &cobra.Command{
 	Use:   "down",
-	Short: "down netbird connections",
+	Short: "Disconnect from the NetBird network",
+	Long:  "Disconnect the NetBird client from the network and management service. This will terminate all active connections with the remote peers.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 
@@ -26,7 +27,7 @@ var downCmd = &cobra.Command{
 			return err
 		}
 
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
 		defer cancel()
 
 		conn, err := DialClientGRPCServer(ctx, daemonAddr)

client/cmd/login.go

@@ -31,7 +31,8 @@ func init() {
 
 var loginCmd = &cobra.Command{
 	Use:   "login",
-	Short: "login to the NetBird Management Service (first run)",
+	Short: "Log in to the NetBird network",
+	Long:  "Log in to the NetBird network using a setup key or SSO",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setEnvAndFlags(cmd); err != nil {
 			return fmt.Errorf("set env and flags: %v", err)
@@ -226,7 +227,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 	}
 
 	// update host's static platform and system information
-	system.UpdateStaticInfo()
+	system.UpdateStaticInfoAsync()
 
 	configFilePath, err := activeProf.FilePath()
 	if err != nil {

client/cmd/logout.go

@@ -14,7 +14,8 @@ import (
 var logoutCmd = &cobra.Command{
 	Use:     "deregister",
 	Aliases: []string{"logout"},
-	Short:   "deregister from the NetBird Management Service and delete peer",
+	Short:   "Deregister from the NetBird management service and delete this peer",
+	Long:    "This command will deregister the current peer from the NetBird management service and all associated configuration. Use with caution as this will remove the peer from the network.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 

client/cmd/networks.go

@@ -15,7 +15,7 @@ var appendFlag bool
 var networksCMD = &cobra.Command{
 	Use:     "networks",
 	Aliases: []string{"routes"},
-	Short:   "Manage networks",
+	Short:   "Manage connections to NetBird Networks and Resources",
 	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
 }
 

client/cmd/profile.go

@@ -16,13 +16,13 @@ import (
 
 var profileCmd = &cobra.Command{
 	Use:   "profile",
-	Short: "manage NetBird profiles",
-	Long:  `Manage NetBird profiles, allowing you to list, switch, and remove profiles.`,
+	Short: "Manage NetBird client profiles",
+	Long:  `Commands to list, add, remove, and switch profiles. Profiles allow you to maintain different accounts in one client app.`,
 }
 
 var profileListCmd = &cobra.Command{
 	Use:     "list",
-	Short:   "list all profiles",
+	Short:   "List all profiles",
 	Long:    `List all available profiles in the NetBird client.`,
 	Aliases: []string{"ls"},
 	RunE:    listProfilesFunc,
@@ -30,7 +30,7 @@ var profileListCmd = &cobra.Command{
 
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
-	Short: "add a new profile",
+	Short: "Add a new profile",
 	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
@@ -38,16 +38,16 @@ var profileAddCmd = &cobra.Command{
 
 var profileRemoveCmd = &cobra.Command{
 	Use:   "remove <profile_name>",
-	Short: "remove a profile",
-	Long:  `Remove a profile from the NetBird client. The profile must not be active.`,
+	Short: "Remove a profile",
+	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
 	Use:   "select <profile_name>",
-	Short: "select a profile",
-	Long:  `Select a profile to be the active profile in the NetBird client. The profile must exist.`,
+	Short: "Select a profile",
+	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }

client/cmd/root.go

@@ -39,6 +39,7 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
+	mtuFlag                  = "mtu"
 )
 
 var (
@@ -72,7 +73,9 @@ var (
 	anonymizeFlag           bool
 	dnsRouteInterval        time.Duration
 	lazyConnEnabled         bool
+	mtu                     uint16
 	profilesDisabled        bool
+	updateSettingsDisabled  bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -228,7 +231,7 @@ func FlagNameToEnvVar(cmdFlag string, prefix string) string {
 
 // DialClientGRPCServer returns client connection to the daemon server.
 func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
+	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
 	defer cancel()
 
 	return grpc.DialContext(

client/cmd/root_test.go

@@ -54,6 +54,7 @@ func TestSetFlagsFromEnvVars(t *testing.T) {
 	cmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	cmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "Enable Rosenpass feature Rosenpass.")
 	cmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
+	cmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 
 	t.Setenv("NB_EXTERNAL_IP_MAP", "abc,dec")
 	t.Setenv("NB_INTERFACE_NAME", "test-name")

client/cmd/service.go

@@ -19,7 +19,7 @@ import (
 
 var serviceCmd = &cobra.Command{
 	Use:   "service",
-	Short: "manages NetBird service",
+	Short: "Manage the NetBird daemon service",
 }
 
 var (
@@ -42,7 +42,8 @@ func init() {
 	}
 
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
-	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile.")
+	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
+	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +

client/cmd/service_controller.go

@@ -27,7 +27,7 @@ func (p *program) Start(svc service.Service) error {
 	log.Info("starting NetBird service") //nolint
 
 	// Collect static system and platform information
-	system.UpdateStaticInfo()
+	system.UpdateStaticInfoAsync()
 
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -49,6 +49,14 @@ func buildServiceArguments() []string {
 		args = append(args, "--log-file", logFile)
 	}
 
+	if profilesDisabled {
+		args = append(args, "--disable-profiles")
+	}
+
+	if updateSettingsDisabled {
+		args = append(args, "--disable-update-settings")
+	}
+
 	return args
 }
 
@@ -99,7 +107,7 @@ func createServiceConfigForInstall() (*service.Config, error) {
 
 var installCmd = &cobra.Command{
 	Use:   "install",
-	Short: "installs NetBird service",
+	Short: "Install NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setupServiceCommand(cmd); err != nil {
 			return err

client/cmd/ssh.go

@@ -40,7 +40,7 @@ var sshCmd = &cobra.Command{
 
 		return nil
 	},
-	Short: "connect to a remote SSH server",
+	Short: "Connect to a remote SSH server",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 		SetFlagsFromEnvVars(cmd)

client/cmd/status.go

@@ -32,7 +32,8 @@ var (
 
 var statusCmd = &cobra.Command{
 	Use:   "status",
-	Short: "status of the Netbird Service",
+	Short: "Display NetBird client status",
+	Long:  "Display the current status of the NetBird client, including connection status, peer information, and network details.",
 	RunE:  statusFunc,
 }
 

client/cmd/testutil_test.go

@@ -9,32 +9,31 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
+	"google.golang.org/grpc"
 
+	"github.com/netbirdio/management-integrations/integrations"
+	clientProto "github.com/netbirdio/netbird/client/proto"
+	client "github.com/netbirdio/netbird/client/server"
+	"github.com/netbirdio/netbird/management/internals/server/config"
+	mgmt "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/peers"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
-
-	"github.com/netbirdio/netbird/util"
-
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/management-integrations/integrations"
-
-	clientProto "github.com/netbirdio/netbird/client/proto"
-	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	mgmt "github.com/netbirdio/netbird/management/server"
 	sigProto "github.com/netbirdio/netbird/shared/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
+	"github.com/netbirdio/netbird/util"
 )
 
 func startTestingServices(t *testing.T) string {
 	t.Helper()
-	config := &types.Config{}
+	config := &config.Config{}
 	_, err := util.ReadJson("../testdata/management.json", config)
 	if err != nil {
 		t.Fatal(err)
@@ -69,7 +68,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }
 
-func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *config.Config, testFile string) (*grpc.Server, net.Listener) {
 	t.Helper()
 
 	lis, err := net.Listen("tcp", ":0")
@@ -88,15 +87,21 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 	if err != nil {
 		return nil, nil
 	}
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
 
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
-	require.NoError(t, err)
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 
-	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
+	peersmanager := peers.NewManager(store, permissionsManagerMock)
+	settingsManagerMock := settings.NewMockManager(ctrl)
+
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
+
+	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
+	require.NoError(t, err)
+
+	settingsMockManager := settings.NewMockManager(ctrl)
+	groupsManager := groups.NewManagerMock()
 
 	settingsMockManager.EXPECT().
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
@@ -108,7 +113,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		t.Fatal(err)
 	}
 
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
+	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
 	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
@@ -134,7 +139,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false)
+		"", "", false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -53,7 +53,8 @@ var (
 
 	upCmd = &cobra.Command{
 		Use:   "up",
-		Short: "install, login and start NetBird client",
+		Short: "Connect to the NetBird network",
+		Long:  "Connect to the NetBird network using the provided setup key or SSO auth. This command will bring up the WireGuard interface, connect to the management server, and establish peer-to-peer connections with other peers in the network if required.",
 		RunE:  upFunc,
 	}
 )
@@ -62,6 +63,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
+	upCmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
 		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
@@ -228,7 +230,9 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	status, err := client.Status(ctx, &proto.StatusRequest{})
+	status, err := client.Status(ctx, &proto.StatusRequest{
+		WaitForReady: func() *bool { b := true; return &b }(),
+	})
 	if err != nil {
 		return fmt.Errorf("unable to get daemon status: %v", err)
 	}
@@ -356,6 +360,11 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.WireguardPort = &p
 	}
 
+	if cmd.Flag(mtuFlag).Changed {
+		m := int64(mtu)
+		req.Mtu = &m
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		req.NetworkMonitor = &networkMonitor
 	}
@@ -435,6 +444,13 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.WireguardPort = &p
 	}
 
+	if cmd.Flag(mtuFlag).Changed {
+		if err := iface.ValidateMTU(mtu); err != nil {
+			return nil, err
+		}
+		ic.MTU = &mtu
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		ic.NetworkMonitor = &networkMonitor
 	}
@@ -532,6 +548,14 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.WireguardPort = &wp
 	}
 
+	if cmd.Flag(mtuFlag).Changed {
+		if err := iface.ValidateMTU(mtu); err != nil {
+			return nil, err
+		}
+		m := int64(mtu)
+		loginRequest.Mtu = &m
+	}
+
 	if cmd.Flag(networkMonitorFlag).Changed {
 		loginRequest.NetworkMonitor = &networkMonitor
 	}

client/cmd/version.go

@@ -9,7 +9,7 @@ import (
 var (
 	versionCmd = &cobra.Command{
 		Use:   "version",
-		Short: "prints NetBird version",
+		Short: "Print the NetBird's client application version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
 			cmd.Println(version.NetbirdVersion())

client/embed/embed.go

@@ -135,7 +135,7 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
-	run := make(chan struct{}, 1)
+	run := make(chan struct{})
 	clientErr := make(chan error, 1)
 	go func() {
 		if err := client.Run(run); err != nil {

client/firewall/iptables/acl_linux.go

@@ -12,7 +12,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 const (
@@ -85,7 +85,7 @@ func (m *aclManager) AddPeerFiltering(
 ) ([]firewall.Rule, error) {
 	chain := chainNameInputRules
 
-	ipsetName = transformIPsetName(ipsetName, sPort, dPort)
+	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
 	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
 
 	mangleSpecs := slices.Clone(specs)
@@ -135,7 +135,14 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}
 
-	if err := m.iptablesClient.Append(tableFilter, chain, specs...); err != nil {
+	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	if action == firewall.ActionDrop {
+		// Insert at the beginning of the chain (position 1)
+		err = m.iptablesClient.Insert(tableFilter, chain, 1, specs...)
+	} else {
+		err = m.iptablesClient.Append(tableFilter, chain, specs...)
+	}
+	if err != nil {
 		return nil, err
 	}
 
@@ -388,17 +395,25 @@ func actionToStr(action firewall.Action) string {
 	return "DROP"
 }
 
-func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port) string {
-	switch {
-	case ipsetName == "":
+func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action firewall.Action) string {
+	if ipsetName == "" {
 		return ""
+	}
+
+	// Include action in the ipset name to prevent squashing rules with different actions
+	actionSuffix := ""
+	if action == firewall.ActionDrop {
+		actionSuffix = "-drop"
+	}
+
+	switch {
 	case sPort != nil && dPort != nil:
-		return ipsetName + "-sport-dport"
+		return ipsetName + "-sport-dport" + actionSuffix
 	case sPort != nil:
-		return ipsetName + "-sport"
+		return ipsetName + "-sport" + actionSuffix
 	case dPort != nil:
-		return ipsetName + "-dport"
+		return ipsetName + "-dport" + actionSuffix
 	default:
-		return ipsetName
+		return ipsetName + actionSuffix
 	}
 }

client/firewall/iptables/manager_linux_test.go

@@ -3,6 +3,7 @@ package iptables
 import (
 	"fmt"
 	"net/netip"
+	"strings"
 	"testing"
 	"time"
 
@@ -15,7 +16,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "lo"
+		return "wg-test"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -109,10 +110,84 @@ func TestIptablesManager(t *testing.T) {
 	})
 }
 
+func TestIptablesManagerDenyRules(t *testing.T) {
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	require.NoError(t, err)
+
+	manager, err := Create(ifaceMock)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+
+	defer func() {
+		err := manager.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	t.Run("add deny rule", func(t *testing.T) {
+		ip := netip.MustParseAddr("10.20.0.3")
+		port := &fw.Port{Values: []uint16{22}}
+
+		rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-ssh")
+		require.NoError(t, err, "failed to add deny rule")
+		require.NotEmpty(t, rule, "deny rule should not be empty")
+
+		// Verify the rule was added by checking iptables
+		for _, r := range rule {
+			rr := r.(*Rule)
+			checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
+		}
+	})
+
+	t.Run("deny rule precedence test", func(t *testing.T) {
+		ip := netip.MustParseAddr("10.20.0.4")
+		port := &fw.Port{Values: []uint16{80}}
+
+		// Add accept rule first
+		_, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "accept-http")
+		require.NoError(t, err, "failed to add accept rule")
+
+		// Add deny rule second for same IP/port - this should take precedence
+		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-http")
+		require.NoError(t, err, "failed to add deny rule")
+
+		// Inspect the actual iptables rules to verify deny rule comes before accept rule
+		rules, err := ipv4Client.List("filter", chainNameInputRules)
+		require.NoError(t, err, "failed to list iptables rules")
+
+		// Debug: print all rules
+		t.Logf("All iptables rules in chain %s:", chainNameInputRules)
+		for i, rule := range rules {
+			t.Logf("  [%d] %s", i, rule)
+		}
+
+		var denyRuleIndex, acceptRuleIndex int = -1, -1
+		for i, rule := range rules {
+			if strings.Contains(rule, "DROP") {
+				t.Logf("Found DROP rule at index %d: %s", i, rule)
+				if strings.Contains(rule, "deny-http") && strings.Contains(rule, "80") {
+					denyRuleIndex = i
+				}
+			}
+			if strings.Contains(rule, "ACCEPT") {
+				t.Logf("Found ACCEPT rule at index %d: %s", i, rule)
+				if strings.Contains(rule, "accept-http") && strings.Contains(rule, "80") {
+					acceptRuleIndex = i
+				}
+			}
+		}
+
+		require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in iptables")
+		require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in iptables")
+		require.Less(t, denyRuleIndex, acceptRuleIndex,
+			"deny rule should come before accept rule in iptables chain (deny at index %d, accept at index %d)",
+			denyRuleIndex, acceptRuleIndex)
+	})
+}
+
 func TestIptablesManagerIPSet(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
@@ -176,7 +251,7 @@ func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName strin
 func TestIptablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/iptables/router_linux.go

@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 // constants needed to manage and create iptable rules

client/firewall/iptables/router_linux_test.go

@@ -14,7 +14,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 func isIptablesSupported() bool {

client/firewall/nftables/acl_linux.go

@@ -16,7 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 const (
@@ -341,30 +341,38 @@ func (m *AclManager) addIOFiltering(
 	userData := []byte(ruleId)
 
 	chain := m.chainInputRules
-	nftRule := m.rConn.AddRule(&nftables.Rule{
+	rule := &nftables.Rule{
 		Table:    m.workTable,
 		Chain:    chain,
 		Exprs:    mainExpressions,
 		UserData: userData,
-	})
+	}
+
+	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	var nftRule *nftables.Rule
+	if action == firewall.ActionDrop {
+		nftRule = m.rConn.InsertRule(rule)
+	} else {
+		nftRule = m.rConn.AddRule(rule)
+	}
 
 	if err := m.rConn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}
 
-	rule := &Rule{
+	ruleStruct := &Rule{
 		nftRule:    nftRule,
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
 		ip:         ip,
 	}
-	m.rules[ruleId] = rule
+	m.rules[ruleId] = ruleStruct
 	if ipset != nil {
 		m.ipsetStore.AddReferenceToIpset(ipset.Name)
 	}
 
-	return rule, nil
+	return ruleStruct, nil
 }
 
 func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {

client/firewall/nftables/manager_linux_test.go

@@ -2,6 +2,7 @@ package nftables
 
 import (
 	"bytes"
+	"encoding/binary"
 	"fmt"
 	"net/netip"
 	"os/exec"
@@ -20,7 +21,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "lo"
+		return "wg-test"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -103,9 +104,8 @@ func TestNftablesManager(t *testing.T) {
 			Kind: expr.VerdictAccept,
 		},
 	}
-	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
-
-	expectedExprs2 := []expr.Any{
+	// Since DROP rules are inserted at position 0, the DROP rule comes first
+	expectedDropExprs := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
@@ -141,7 +141,12 @@ func TestNftablesManager(t *testing.T) {
 		},
 		&expr.Verdict{Kind: expr.VerdictDrop},
 	}
-	require.ElementsMatch(t, rules[1].Exprs, expectedExprs2, "expected the same expressions")
+
+	// Compare DROP rule at position 0 (inserted first due to InsertRule)
+	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedDropExprs)
+
+	// Compare connection tracking rule at position 1 (pushed down by DROP rule insertion)
+	compareExprsIgnoringCounters(t, rules[1].Exprs, expectedExprs1)
 
 	for _, r := range rule {
 		err = manager.DeletePeerRule(r)
@@ -160,10 +165,90 @@ func TestNftablesManager(t *testing.T) {
 	require.NoError(t, err, "failed to reset")
 }
 
+func TestNftablesManagerRuleOrder(t *testing.T) {
+	// This test verifies rule insertion order in nftables peer ACLs
+	// We add accept rule first, then deny rule to test ordering behavior
+	manager, err := Create(ifaceMock)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+
+	defer func() {
+		err = manager.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	ip := netip.MustParseAddr("100.96.0.2").Unmap()
+	testClient := &nftables.Conn{}
+
+	// Add accept rule first
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "accept-http")
+	require.NoError(t, err, "failed to add accept rule")
+
+	// Add deny rule second for the same traffic
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop, "deny-http")
+	require.NoError(t, err, "failed to add deny rule")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	require.NoError(t, err, "failed to get rules")
+
+	t.Logf("Found %d rules in nftables chain", len(rules))
+
+	// Find the accept and deny rules and verify deny comes before accept
+	var acceptRuleIndex, denyRuleIndex int = -1, -1
+	for i, rule := range rules {
+		hasAcceptHTTPSet := false
+		hasDenyHTTPSet := false
+		hasPort80 := false
+		var action string
+
+		for _, e := range rule.Exprs {
+			// Check for set lookup
+			if lookup, ok := e.(*expr.Lookup); ok {
+				if lookup.SetName == "accept-http" {
+					hasAcceptHTTPSet = true
+				} else if lookup.SetName == "deny-http" {
+					hasDenyHTTPSet = true
+				}
+			}
+			// Check for port 80
+			if cmp, ok := e.(*expr.Cmp); ok {
+				if cmp.Op == expr.CmpOpEq && len(cmp.Data) == 2 && binary.BigEndian.Uint16(cmp.Data) == 80 {
+					hasPort80 = true
+				}
+			}
+			// Check for verdict
+			if verdict, ok := e.(*expr.Verdict); ok {
+				if verdict.Kind == expr.VerdictAccept {
+					action = "ACCEPT"
+				} else if verdict.Kind == expr.VerdictDrop {
+					action = "DROP"
+				}
+			}
+		}
+
+		if hasAcceptHTTPSet && hasPort80 && action == "ACCEPT" {
+			t.Logf("Rule [%d]: accept-http set + Port 80 + ACCEPT", i)
+			acceptRuleIndex = i
+		} else if hasDenyHTTPSet && hasPort80 && action == "DROP" {
+			t.Logf("Rule [%d]: deny-http set + Port 80 + DROP", i)
+			denyRuleIndex = i
+		}
+	}
+
+	require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in nftables")
+	require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in nftables")
+	require.Less(t, denyRuleIndex, acceptRuleIndex,
+		"deny rule should come before accept rule in nftables chain (deny at index %d, accept at index %d)",
+		denyRuleIndex, acceptRuleIndex)
+}
+
 func TestNFtablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/nftables/router_linux.go

@@ -22,7 +22,7 @@ import (
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 const (

client/firewall/uspfilter/allow_netbird.go

@@ -18,6 +18,7 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/allow_netbird_windows.go

@@ -27,6 +27,7 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/filter.go

@@ -70,14 +70,13 @@ func (r RouteRules) Sort() {
 
 // Manager userspace firewall manager
 type Manager struct {
-	// outgoingRules is used for hooks only
-	outgoingRules map[netip.Addr]RuleSet
-	// incomingRules is used for filtering and hooks
-	incomingRules  map[netip.Addr]RuleSet
-	routeRules     RouteRules
-	decoders       sync.Pool
-	wgIface        common.IFaceMapper
-	nativeFirewall firewall.Manager
+	outgoingRules     map[netip.Addr]RuleSet
+	incomingDenyRules map[netip.Addr]RuleSet
+	incomingRules     map[netip.Addr]RuleSet
+	routeRules        RouteRules
+	decoders          sync.Pool
+	wgIface           common.IFaceMapper
+	nativeFirewall    firewall.Manager
 
 	mutex sync.RWMutex
 
@@ -186,6 +185,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		},
 		nativeFirewall:      nativeFirewall,
 		outgoingRules:       make(map[netip.Addr]RuleSet),
+		incomingDenyRules:   make(map[netip.Addr]RuleSet),
 		incomingRules:       make(map[netip.Addr]RuleSet),
 		wgIface:             iface,
 		localipmanager:      newLocalIPManager(),
@@ -417,10 +417,17 @@ func (m *Manager) AddPeerFiltering(
 	}
 
 	m.mutex.Lock()
-	if _, ok := m.incomingRules[r.ip]; !ok {
-		m.incomingRules[r.ip] = make(RuleSet)
+	var targetMap map[netip.Addr]RuleSet
+	if r.drop {
+		targetMap = m.incomingDenyRules
+	} else {
+		targetMap = m.incomingRules
 	}
-	m.incomingRules[r.ip][r.id] = r
+
+	if _, ok := targetMap[r.ip]; !ok {
+		targetMap[r.ip] = make(RuleSet)
+	}
+	targetMap[r.ip][r.id] = r
 	m.mutex.Unlock()
 	return []firewall.Rule{&r}, nil
 }
@@ -507,10 +514,24 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
 	}
 
-	if _, ok := m.incomingRules[r.ip][r.id]; !ok {
+	var sourceMap map[netip.Addr]RuleSet
+	if r.drop {
+		sourceMap = m.incomingDenyRules
+	} else {
+		sourceMap = m.incomingRules
+	}
+
+	if ruleset, ok := sourceMap[r.ip]; ok {
+		if _, exists := ruleset[r.id]; !exists {
+			return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
+		}
+		delete(ruleset, r.id)
+		if len(ruleset) == 0 {
+			delete(sourceMap, r.ip)
+		}
+	} else {
 		return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
 	}
-	delete(m.incomingRules[r.ip], r.id)
 
 	return nil
 }
@@ -572,7 +593,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// FilterOutBound filters outgoing packets
+// FilterOutbound filters outgoing packets
 func (m *Manager) FilterOutbound(packetData []byte, size int) bool {
 	return m.filterOutbound(packetData, size)
 }
@@ -761,7 +782,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 // handleLocalTraffic handles local traffic.
 // If it returns true, the packet should be dropped.
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
-	ruleID, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
+	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
 	if blocked {
 		_, pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
@@ -971,26 +992,28 @@ func (m *Manager) isSpecialICMP(d *decoder) bool {
 		icmpType == layers.ICMPv4TypeTimeExceeded
 }
 
-func (m *Manager) peerACLsBlock(srcIP netip.Addr, packetData []byte, rules map[netip.Addr]RuleSet, d *decoder) ([]byte, bool) {
+func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
+
 	if m.isSpecialICMP(d) {
 		return nil, false
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[srcIP], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingDenyRules[srcIP], d); ok {
 		return mgmtId, filter
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv4Unspecified()], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[srcIP], d); ok {
+		return mgmtId, filter
+	}
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv4Unspecified()], d); ok {
+		return mgmtId, filter
+	}
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv6Unspecified()], d); ok {
 		return mgmtId, filter
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv6Unspecified()], d); ok {
-		return mgmtId, filter
-	}
-
-	// Default policy: DROP ALL
 	return nil, true
 }
 
@@ -1013,6 +1036,7 @@ func portsMatch(rulePort *firewall.Port, packetPort uint16) bool {
 
 func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d *decoder) ([]byte, bool, bool) {
 	payloadLayer := d.decoded[1]
+
 	for _, rule := range rules {
 		if rule.matchByIP && ip.Compare(rule.ip) != 0 {
 			continue
@@ -1045,6 +1069,7 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}
 	}
+
 	return nil, false, false
 }
 
@@ -1116,6 +1141,7 @@ func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook fu
 
 	m.mutex.Lock()
 	if in {
+		// Incoming UDP hooks are stored in allow rules map
 		if _, ok := m.incomingRules[r.ip]; !ok {
 			m.incomingRules[r.ip] = make(map[string]PeerRule)
 		}
@@ -1136,6 +1162,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	// Check incoming hooks (stored in allow rules)
 	for _, arr := range m.incomingRules {
 		for _, r := range arr {
 			if r.id == hookID {
@@ -1144,6 +1171,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 			}
 		}
 	}
+	// Check outgoing hooks
 	for _, arr := range m.outgoingRules {
 		for _, r := range arr {
 			if r.id == hookID {

client/firewall/uspfilter/filter_filter_test.go

@@ -458,6 +458,31 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
+		{
+			name:            "Peer ACL - Drop rule should override accept all rule",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         22,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{22}},
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "Peer ACL - Drop all traffic from specific IP",
+			srcIP:           "100.10.0.99",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         80,
+			ruleIP:          "100.10.0.99",
+			ruleProto:       fw.ProtocolALL,
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
 	}
 
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -468,13 +493,11 @@ func TestPeerACLFiltering(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-
 			if tc.ruleAction == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
+				// add general accept rule for the same IP to test drop rule precedence
 				rules, err := manager.AddPeerFiltering(
 					nil,
-					net.ParseIP("0.0.0.0"),
+					net.ParseIP(tc.ruleIP),
 					fw.ProtocolALL,
 					nil,
 					nil,

client/firewall/uspfilter/filter_test.go

@@ -136,9 +136,22 @@ func TestManagerDeleteRule(t *testing.T) {
 		return
 	}
 
+	// Check rules exist in appropriate maps
 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip][r.ID()]; !ok {
-			t.Errorf("rule2 is not in the incomingRules")
+		peerRule, ok := r.(*PeerRule)
+		if !ok {
+			t.Errorf("rule should be a PeerRule")
+			continue
+		}
+		// Check if rule exists in deny or allow maps based on action
+		var found bool
+		if peerRule.drop {
+			_, found = m.incomingDenyRules[ip][r.ID()]
+		} else {
+			_, found = m.incomingRules[ip][r.ID()]
+		}
+		if !found {
+			t.Errorf("rule2 is not in the expected rules map")
 		}
 	}
 
@@ -150,9 +163,22 @@ func TestManagerDeleteRule(t *testing.T) {
 		}
 	}
 
+	// Check rules are removed from appropriate maps
 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip][r.ID()]; ok {
-			t.Errorf("rule2 is not in the incomingRules")
+		peerRule, ok := r.(*PeerRule)
+		if !ok {
+			t.Errorf("rule should be a PeerRule")
+			continue
+		}
+		// Check if rule is removed from deny or allow maps based on action
+		var found bool
+		if peerRule.drop {
+			_, found = m.incomingDenyRules[ip][r.ID()]
+		} else {
+			_, found = m.incomingRules[ip][r.ID()]
+		}
+		if found {
+			t.Errorf("rule2 should be removed from the rules map")
 		}
 	}
 }
@@ -196,16 +222,17 @@ func TestAddUDPPacketHook(t *testing.T) {
 
 			var addedRule PeerRule
 			if tt.in {
+				// Incoming UDP hooks are stored in allow rules map
 				if len(manager.incomingRules[tt.ip]) != 1 {
-					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules))
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.incomingRules[tt.ip] {
 					addedRule = rule
 				}
 			} else {
-				if len(manager.outgoingRules) != 1 {
-					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules))
+				if len(manager.outgoingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.outgoingRules[tt.ip] {
@@ -261,8 +288,8 @@ func TestManagerReset(t *testing.T) {
 		return
 	}
 
-	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
-		t.Errorf("rules is not empty")
+	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 || len(m.incomingDenyRules) != 0 {
+		t.Errorf("rules are not empty")
 	}
 }
 

client/firewall/uspfilter/tracer.go

@@ -314,7 +314,7 @@ func (m *Manager) buildConntrackStateMessage(d *decoder) string {
 func (m *Manager) handleLocalDelivery(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	trace.AddResult(StageRouting, "Packet destined for local delivery", true)
 
-	ruleId, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
+	ruleId, blocked := m.peerACLsBlock(srcIP, d, packetData)
 
 	strRuleId := "<no id>"
 	if ruleId != nil {

client/grpc/dialer.go

@@ -20,8 +20,9 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
 
+	nbnet "github.com/netbirdio/netbird/client/net"
+
 	"github.com/netbirdio/netbird/util/embeddedroots"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 func WithCustomDialer() grpc.DialOption {
@@ -57,7 +58,7 @@ func Backoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(b, ctx)
 }
 
-func CreateConnection(addr string, tlsEnabled bool) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	if tlsEnabled {
 		certPool, err := x509.SystemCertPool()
@@ -71,7 +72,7 @@ func CreateConnection(addr string, tlsEnabled bool) (*grpc.ClientConn, error) {
 		}))
 	}
 
-	connCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 
 	conn, err := grpc.DialContext(

client/iface/bind/control.go

@@ -3,7 +3,7 @@ package bind
 import (
 	wireguard "golang.zx2c4.com/wireguard/conn"
 
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 // TODO: This is most likely obsolete since the control fns should be called by the wrapped udpconn (ice_bind.go)

client/iface/bind/ice_bind.go

@@ -8,15 +8,16 @@ import (
 	"runtime"
 	"sync"
 
-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 type RecvMessage struct {
@@ -44,7 +45,7 @@ type ICEBind struct {
 	RecvChan chan RecvMessage
 
 	transportNet transport.Net
-	filterFn     FilterFn
+	filterFn     udpmux.FilterFn
 	endpoints    map[netip.Addr]net.Conn
 	endpointsMu  sync.Mutex
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
@@ -54,12 +55,13 @@ type ICEBind struct {
 	closed       bool
 
 	muUDPMux         sync.Mutex
-	udpMux           *UniversalUDPMuxDefault
+	udpMux           *udpmux.UniversalUDPMuxDefault
 	address          wgaddr.Address
+	mtu              uint16
 	activityRecorder *ActivityRecorder
 }
 
-func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
@@ -69,6 +71,7 @@ func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Ad
 		endpoints:        make(map[netip.Addr]net.Conn),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		mtu:              mtu,
 		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
@@ -80,6 +83,10 @@ func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Ad
 	return ib
 }
 
+func (s *ICEBind) MTU() uint16 {
+	return s.mtu
+}
+
 func (s *ICEBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 	s.closed = false
 	s.closedChanMu.Lock()
@@ -109,7 +116,7 @@ func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
+func (s *ICEBind) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 	if s.udpMux == nil {
@@ -152,12 +159,13 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = NewUniversalUDPMuxDefault(
-		UniversalUDPMuxParams{
+	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
+		udpmux.UniversalUDPMuxParams{
 			UDPConn:   nbnet.WrapPacketConn(conn),
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
+			MTU:       s.mtu,
 		},
 	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {

client/iface/bind/udp_mux_ios.go

@@ -1,7 +0,0 @@
-//go:build ios
-
-package bind
-
-func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
-	// iOS doesn't support nbnet hooks, so this is a no-op
-}

client/iface/bufsize/bufsize.go

@@ -0,0 +1,9 @@
+package bufsize
+
+const (
+	// WGBufferOverhead represents the additional buffer space needed beyond MTU
+	// for WireGuard packet encapsulation (WG header + UDP + IP + safety margin)
+	// Original hardcoded buffers were 1500, default MTU is 1280, so overhead = 220
+	// TODO: Calculate this properly based on actual protocol overhead instead of using hardcoded difference
+	WGBufferOverhead = 220
+)

client/iface/configurer/usp.go

@@ -17,8 +17,8 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/monotime"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -394,6 +394,13 @@ func toLastHandshake(stringVar string) (time.Time, error) {
 	if err != nil {
 		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
 	}
+
+	// If sec is 0 (Unix epoch), return zero time instead
+	// This indicates no handshake has occurred
+	if sec == 0 {
+		return time.Time{}, nil
+	}
+
 	return time.Unix(sec, 0), nil
 }
 
@@ -402,7 +409,7 @@ func toBytes(s string) (int64, error) {
 }
 
 func getFwmark() int {
-	if nbnet.AdvancedRouting() {
+	if nbnet.AdvancedRouting() && runtime.GOOS == "linux" {
 		return nbnet.ControlPlaneMark
 	}
 	return 0

client/iface/device.go

@@ -7,16 +7,17 @@ import (
 
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create() (device.WGConfigurer, error)
-	Up() (*bind.UniversalUDPMuxDefault, error)
+	Up() (*udpmux.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
+	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/device/device_android.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -21,7 +22,7 @@ type WGTunDevice struct {
 	address    wgaddr.Address
 	port       int
 	key        string
-	mtu        int
+	mtu        uint16
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
 	disableDNS bool
@@ -29,11 +30,11 @@ type WGTunDevice struct {
 	name           string
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *bind.UniversalUDPMuxDefault
+	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -58,7 +59,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}
 
-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
@@ -88,7 +89,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	}
 	return t.configurer, nil
 }
-func (t *WGTunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *WGTunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -137,6 +138,10 @@ func (t *WGTunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *WGTunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }

client/iface/device/device_darwin.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -21,16 +22,16 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *bind.UniversalUDPMuxDefault
+	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -42,7 +43,7 @@ func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu
 }
 
 func (t *TunDevice) Create() (WGConfigurer, error) {
-	tunDevice, err := tun.CreateTUN(t.name, t.mtu)
+	tunDevice, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -71,7 +72,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -111,6 +112,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_ios.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -22,21 +23,23 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
+	mtu     uint16
 	iceBind *bind.ICEBind
 	tunFd   int
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *bind.UniversalUDPMuxDefault
+	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, iceBind *bind.ICEBind, tunFd int) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
 		key:     key,
+		mtu:     mtu,
 		iceBind: iceBind,
 		tunFd:   tunFd,
 	}
@@ -81,7 +84,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -125,6 +128,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
 	// todo implement
 	return nil

client/iface/device/device_kernel_unix.go

@@ -12,11 +12,11 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/sharedsock"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type TunKernelDevice struct {
@@ -24,19 +24,19 @@ type TunKernelDevice struct {
 	address      wgaddr.Address
 	wgPort       int
 	key          string
-	mtu          int
+	mtu          uint16
 	ctx          context.Context
 	ctxCancel    context.CancelFunc
 	transportNet transport.Net
 
 	link       *wgLink
 	udpMuxConn net.PacketConn
-	udpMux     *bind.UniversalUDPMuxDefault
+	udpMux     *udpmux.UniversalUDPMuxDefault
 
-	filterFn bind.FilterFn
+	filterFn udpmux.FilterFn
 }
 
-func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, transportNet transport.Net) *TunKernelDevice {
+func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &TunKernelDevice{
 		ctx:          ctx,
@@ -66,7 +66,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	// TODO: do a MTU discovery
 	log.Debugf("setting MTU: %d interface: %s", t.mtu, t.name)
 
-	if err := link.setMTU(t.mtu); err != nil {
+	if err := link.setMTU(int(t.mtu)); err != nil {
 		return nil, fmt.Errorf("set mtu: %w", err)
 	}
 
@@ -79,7 +79,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	return configurer, nil
 }
 
-func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	if t.udpMux != nil {
 		return t.udpMux, nil
 	}
@@ -96,23 +96,19 @@ func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter())
+	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter(), t.mtu)
 	if err != nil {
 		return nil, err
 	}
 
-	var udpConn net.PacketConn = rawSock
-	if !nbnet.AdvancedRouting() {
-		udpConn = nbnet.WrapPacketConn(rawSock)
-	}
-
-	bindParams := bind.UniversalUDPMuxParams{
-		UDPConn:   udpConn,
+	bindParams := udpmux.UniversalUDPMuxParams{
+		UDPConn:   nbnet.WrapPacketConn(rawSock),
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
+		MTU:       t.mtu,
 	}
-	mux := bind.NewUniversalUDPMuxDefault(bindParams)
+	mux := udpmux.NewUniversalUDPMuxDefault(bindParams)
 	go mux.ReadFromConn(t.ctx)
 	t.udpMuxConn = rawSock
 	t.udpMux = mux
@@ -158,6 +154,10 @@ func (t *TunKernelDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *TunKernelDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunKernelDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack.go

@@ -1,6 +1,3 @@
-//go:build !android
-// +build !android
-
 package device
 
 import (
@@ -13,8 +10,9 @@ import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 type TunNetstackDevice struct {
@@ -22,20 +20,20 @@ type TunNetstackDevice struct {
 	address       wgaddr.Address
 	port          int
 	key           string
-	mtu           int
+	mtu           uint16
 	listenAddress string
 	iceBind       *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
 	nsTun          *nbnetstack.NetStackTun
-	udpMux         *bind.UniversalUDPMuxDefault
+	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -47,7 +45,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 	}
 }
 
-func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
+func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
@@ -57,7 +55,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	}
 
 	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {
@@ -83,7 +81,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -125,6 +123,10 @@ func (t *TunNetstackDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *TunNetstackDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunNetstackDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack_android.go

@@ -0,0 +1,7 @@
+//go:build android
+
+package device
+
+func (t *TunNetstackDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
+	return t.create()
+}

client/iface/device/device_netstack_generic.go

@@ -0,0 +1,7 @@
+//go:build !android
+
+package device
+
+func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
+	return t.create()
+}

client/iface/device/device_usp_unix.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -20,16 +21,16 @@ type USPDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *bind.UniversalUDPMuxDefault
+	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *USPDevice {
+func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
 	log.Infof("using userspace bind mode")
 
 	return &USPDevice{
@@ -44,9 +45,9 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu
 
 func (t *USPDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
-	tunIface, err := tun.CreateTUN(t.name, t.mtu)
+	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
 	if err != nil {
-		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, t.mtu, err)
+		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, int(t.mtu), err)
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
 	t.filteredDevice = newDeviceFilter(tunIface)
@@ -74,7 +75,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *USPDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -118,6 +119,10 @@ func (t *USPDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *USPDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *USPDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_windows.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -23,17 +24,17 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     int
+	mtu     uint16
 	iceBind *bind.ICEBind
 
 	device          *device.Device
 	nativeTunDevice *tun.NativeTun
 	filteredDevice  *FilteredDevice
-	udpMux          *bind.UniversalUDPMuxDefault
+	udpMux          *udpmux.UniversalUDPMuxDefault
 	configurer      WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -59,7 +60,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, err
 	}
 	log.Info("create tun interface")
-	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, t.mtu)
+	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, int(t.mtu))
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -104,7 +105,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -144,6 +145,10 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
+func (t *TunDevice) MTU() uint16 {
+	return t.mtu
+}
+
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device_android.go

@@ -5,16 +5,17 @@ import (
 
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create(routes []string, dns string, searchDomains []string) (device.WGConfigurer, error)
-	Up() (*bind.UniversalUDPMuxDefault, error)
+	Up() (*udpmux.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
+	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/iface.go

@@ -16,9 +16,9 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	"github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/monotime"
@@ -26,6 +26,8 @@ import (
 
 const (
 	DefaultMTU         = 1280
+	MinMTU             = 576
+	MaxMTU             = 8192
 	DefaultWgPort      = 51820
 	WgInterfaceDefault = configurer.WgInterfaceDefault
 )
@@ -35,6 +37,17 @@ var (
 	ErrIfaceNotFound = fmt.Errorf("wireguard interface not found")
 )
 
+// ValidateMTU validates that MTU is within acceptable range
+func ValidateMTU(mtu uint16) error {
+	if mtu < MinMTU {
+		return fmt.Errorf("MTU %d below minimum (%d bytes)", mtu, MinMTU)
+	}
+	if mtu > MaxMTU {
+		return fmt.Errorf("MTU %d exceeds maximum supported size (%d bytes)", mtu, MaxMTU)
+	}
+	return nil
+}
+
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	Free() error
@@ -45,10 +58,10 @@ type WGIFaceOpts struct {
 	Address      string
 	WGPort       int
 	WGPrivKey    string
-	MTU          int
+	MTU          uint16
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
-	FilterFn     bind.FilterFn
+	FilterFn     udpmux.FilterFn
 	DisableDNS   bool
 }
 
@@ -82,6 +95,10 @@ func (w *WGIface) Address() wgaddr.Address {
 	return w.tun.WgAddress()
 }
 
+func (w *WGIface) MTU() uint16 {
+	return w.tun.MTU()
+}
+
 // ToInterface returns the net.Interface for the Wireguard interface
 func (r *WGIface) ToInterface() *net.Interface {
 	name := r.tun.DeviceName()
@@ -97,7 +114,7 @@ func (r *WGIface) ToInterface() *net.Interface {
 
 // Up configures a Wireguard interface
 // The interface must exist before calling this method (e.g. call interface.Create() before)
-func (w *WGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
+func (w *WGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 

client/iface/iface_new_android.go

@@ -3,6 +3,7 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
@@ -14,7 +15,16 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+
+	if netstack.IsEnabled() {
+		wgIFace := &WGIface{
+			userspaceBind:  true,
+			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
+			wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
+		}
+		return wgIFace, nil
+	}
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,

client/iface/iface_new_darwin.go

@@ -17,7 +17,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {

client/iface/iface_new_ios.go

@@ -16,10 +16,10 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}

client/iface/iface_new_unix.go

@@ -22,7 +22,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{}
 
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
 		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
@@ -31,11 +31,11 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	if device.WireGuardModuleIsLoaded() {
 		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort)
+		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
 		return wgIFace, nil
 	}
 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
 		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)

client/iface/iface_new_windows.go

@@ -14,7 +14,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {

client/iface/udpmux/conn.go

@@ -1,4 +1,4 @@
-package bind
+package udpmux
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements
@@ -16,11 +16,12 @@ import (
 )
 
 type udpMuxedConnParams struct {
-	Mux       *UDPMuxDefault
-	AddrPool  *sync.Pool
-	Key       string
-	LocalAddr net.Addr
-	Logger    logging.LeveledLogger
+	Mux         *SingleSocketUDPMux
+	AddrPool    *sync.Pool
+	Key         string
+	LocalAddr   net.Addr
+	Logger      logging.LeveledLogger
+	CandidateID string
 }
 
 // udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
@@ -119,6 +120,10 @@ func (c *udpMuxedConn) Close() error {
 	return err
 }
 
+func (c *udpMuxedConn) GetCandidateID() string {
+	return c.params.CandidateID
+}
+
 func (c *udpMuxedConn) isClosed() bool {
 	select {
 	case <-c.closedChan:

client/iface/udpmux/doc.go

@@ -0,0 +1,64 @@
+// Package udpmux provides a custom implementation of a UDP multiplexer
+// that allows multiple logical ICE connections to share a single underlying
+// UDP socket. This is based on Pion's ICE library, with modifications for
+// NetBird's requirements.
+//
+// # Background
+//
+// In WebRTC and NAT traversal scenarios, ICE (Interactive Connectivity
+// Establishment) is responsible for discovering candidate network paths
+// and maintaining connectivity between peers. Each ICE connection
+// normally requires a dedicated UDP socket. However, using one socket
+// per candidate can be inefficient and difficult to manage.
+//
+// This package introduces SingleSocketUDPMux, which allows multiple ICE
+// candidate connections (muxed connections) to share a single UDP socket.
+// It handles demultiplexing of packets based on ICE ufrag values, STUN
+// attributes, and candidate IDs.
+//
+// # Usage
+//
+// The typical flow is:
+//
+//  1. Create a UDP socket (net.PacketConn).
+//  2. Construct Params with the socket and optional logger/net stack.
+//  3. Call NewSingleSocketUDPMux(params).
+//  4. For each ICE candidate ufrag, call GetConn(ufrag, addr, candidateID)
+//     to obtain a logical PacketConn.
+//  5. Use the returned PacketConn just like a normal UDP connection.
+//
+// # STUN Message Routing Logic
+//
+//		When a STUN packet arrives, the mux decides which connection should
+//		receive it using this routing logic:
+//
+//		Primary Routing: Candidate Pair ID
+//		  - Extract the candidate pair ID from the STUN message using
+//		    ice.CandidatePairIDFromSTUN(msg)
+//	   - The target candidate is the locally generated candidate that
+//	     corresponds to the connection that should handle this STUN message
+//		  - If found, use the target candidate ID to lookup the specific
+//		    connection in candidateConnMap
+//		  - Route the message directly to that connection
+//
+//		Fallback Routing: Broadcasting
+//		  When candidate pair ID is not available or lookup fails:
+//		  - Collect connections from addressMap based on source address
+//		  - Find connection using username attribute (ufrag) from STUN message
+//		  - Remove duplicate connections from the list
+//		  - Send the STUN message to all collected connections
+//
+// # Peer Reflexive Candidate Discovery
+//
+//	When a remote peer sends a STUN message from an unknown source address
+//	(from a candidate that has not been exchanged via signal), the ICE
+//	library will:
+//	  - Generate a new peer reflexive candidate for this source address
+//	  - Extract or assign a candidate ID based on the STUN message attributes
+//	  - Create a mapping between the new peer reflexive candidate ID and
+//	    the appropriate local connection
+//
+//	This discovery mechanism ensures that STUN messages from newly discovered
+//	peer reflexive candidates can be properly routed to the correct local
+//	connection without requiring fallback broadcasting.
+package udpmux

client/iface/udpmux/mux.go

@@ -1,4 +1,4 @@
-package bind
+package udpmux
 
 import (
 	"fmt"
@@ -8,9 +8,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/pion/ice/v3"
+	"github.com/pion/ice/v4"
 	"github.com/pion/logging"
-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
@@ -22,9 +22,9 @@ import (
 
 const receiveMTU = 8192
 
-// UDPMuxDefault is an implementation of the interface
-type UDPMuxDefault struct {
-	params UDPMuxParams
+// SingleSocketUDPMux is an implementation of the interface
+type SingleSocketUDPMux struct {
+	params Params
 
 	closedChan chan struct{}
 	closeOnce  sync.Once
@@ -32,6 +32,9 @@ type UDPMuxDefault struct {
 	// connsIPv4 and connsIPv6 are maps of all udpMuxedConn indexed by ufrag|network|candidateType
 	connsIPv4, connsIPv6 map[string]*udpMuxedConn
 
+	// candidateConnMap maps local candidate IDs to their corresponding connection.
+	candidateConnMap map[string]*udpMuxedConn
+
 	addressMapMu sync.RWMutex
 	addressMap   map[string][]*udpMuxedConn
 
@@ -46,8 +49,8 @@ type UDPMuxDefault struct {
 
 const maxAddrSize = 512
 
-// UDPMuxParams are parameters for UDPMux.
-type UDPMuxParams struct {
+// Params are parameters for UDPMux.
+type Params struct {
 	Logger  logging.LeveledLogger
 	UDPConn net.PacketConn
 
@@ -147,18 +150,19 @@ func isZeros(ip net.IP) bool {
 	return true
 }
 
-// NewUDPMuxDefault creates an implementation of UDPMux
-func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
+// NewSingleSocketUDPMux creates an implementation of UDPMux
+func NewSingleSocketUDPMux(params Params) *SingleSocketUDPMux {
 	if params.Logger == nil {
 		params.Logger = getLogger()
 	}
 
-	mux := &UDPMuxDefault{
-		addressMap: map[string][]*udpMuxedConn{},
-		params:     params,
-		connsIPv4:  make(map[string]*udpMuxedConn),
-		connsIPv6:  make(map[string]*udpMuxedConn),
-		closedChan: make(chan struct{}, 1),
+	mux := &SingleSocketUDPMux{
+		addressMap:       map[string][]*udpMuxedConn{},
+		params:           params,
+		connsIPv4:        make(map[string]*udpMuxedConn),
+		connsIPv6:        make(map[string]*udpMuxedConn),
+		candidateConnMap: make(map[string]*udpMuxedConn),
+		closedChan:       make(chan struct{}, 1),
 		pool: &sync.Pool{
 			New: func() interface{} {
 				// big enough buffer to fit both packet and address
@@ -171,15 +175,15 @@ func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 	return mux
 }
 
-func (m *UDPMuxDefault) updateLocalAddresses() {
+func (m *SingleSocketUDPMux) updateLocalAddresses() {
 	var localAddrsForUnspecified []net.Addr
 	if addr, ok := m.params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
 		m.params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", m.params.UDPConn.LocalAddr())
 	} else if ok && addr.IP.IsUnspecified() {
 		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
 		// it will break the applications that are already using unspecified UDP connection
-		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
-		m.params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
+		// with SingleSocketUDPMux, so print a warn log and create a local address list for mux.
+		m.params.Logger.Warn("SingleSocketUDPMux should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
 		var networks []ice.NetworkType
 		switch {
 
@@ -216,13 +220,13 @@ func (m *UDPMuxDefault) updateLocalAddresses() {
 	m.mu.Unlock()
 }
 
-// LocalAddr returns the listening address of this UDPMuxDefault
-func (m *UDPMuxDefault) LocalAddr() net.Addr {
+// LocalAddr returns the listening address of this SingleSocketUDPMux
+func (m *SingleSocketUDPMux) LocalAddr() net.Addr {
 	return m.params.UDPConn.LocalAddr()
 }
 
 // GetListenAddresses returns the list of addresses that this mux is listening on
-func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
+func (m *SingleSocketUDPMux) GetListenAddresses() []net.Addr {
 	m.updateLocalAddresses()
 
 	m.mu.Lock()
@@ -236,7 +240,7 @@ func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
 
 // GetConn returns a PacketConn given the connection's ufrag and network address
 // creates the connection if an existing one can't be found
-func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, error) {
+func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID string) (net.PacketConn, error) {
 	// don't check addr for mux using unspecified address
 	m.mu.Lock()
 	lenLocalAddrs := len(m.localAddrsForUnspecified)
@@ -260,12 +264,14 @@ func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, er
 		return conn, nil
 	}
 
-	c := m.createMuxedConn(ufrag)
+	c := m.createMuxedConn(ufrag, candidateID)
 	go func() {
 		<-c.CloseChannel()
 		m.RemoveConnByUfrag(ufrag)
 	}()
 
+	m.candidateConnMap[candidateID] = c
+
 	if isIPv6 {
 		m.connsIPv6[ufrag] = c
 	} else {
@@ -276,7 +282,7 @@ func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, er
 }
 
 // RemoveConnByUfrag stops and removes the muxed packet connection
-func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
+func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
 	removedConns := make([]*udpMuxedConn, 0, 2)
 
 	// Keep lock section small to avoid deadlock with conn lock
@@ -284,10 +290,12 @@ func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
 	if c, ok := m.connsIPv4[ufrag]; ok {
 		delete(m.connsIPv4, ufrag)
 		removedConns = append(removedConns, c)
+		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	if c, ok := m.connsIPv6[ufrag]; ok {
 		delete(m.connsIPv6, ufrag)
 		removedConns = append(removedConns, c)
+		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	m.mu.Unlock()
 
@@ -314,7 +322,7 @@ func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
 }
 
 // IsClosed returns true if the mux had been closed
-func (m *UDPMuxDefault) IsClosed() bool {
+func (m *SingleSocketUDPMux) IsClosed() bool {
 	select {
 	case <-m.closedChan:
 		return true
@@ -324,7 +332,7 @@ func (m *UDPMuxDefault) IsClosed() bool {
 }
 
 // Close the mux, no further connections could be created
-func (m *UDPMuxDefault) Close() error {
+func (m *SingleSocketUDPMux) Close() error {
 	var err error
 	m.closeOnce.Do(func() {
 		m.mu.Lock()
@@ -347,11 +355,11 @@ func (m *UDPMuxDefault) Close() error {
 	return err
 }
 
-func (m *UDPMuxDefault) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
+func (m *SingleSocketUDPMux) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
 	return m.params.UDPConn.WriteTo(buf, rAddr)
 }
 
-func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
+func (m *SingleSocketUDPMux) registerConnForAddress(conn *udpMuxedConn, addr string) {
 	if m.IsClosed() {
 		return
 	}
@@ -368,81 +376,109 @@ func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string)
 	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
 }
 
-func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
+func (m *SingleSocketUDPMux) createMuxedConn(key string, candidateID string) *udpMuxedConn {
 	c := newUDPMuxedConn(&udpMuxedConnParams{
-		Mux:       m,
-		Key:       key,
-		AddrPool:  m.pool,
-		LocalAddr: m.LocalAddr(),
-		Logger:    m.params.Logger,
+		Mux:         m,
+		Key:         key,
+		AddrPool:    m.pool,
+		LocalAddr:   m.LocalAddr(),
+		Logger:      m.params.Logger,
+		CandidateID: candidateID,
 	})
 	return c
 }
 
 // HandleSTUNMessage handles STUN packets and forwards them to underlying pion/ice library
-func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
-
+func (m *SingleSocketUDPMux) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
 	remoteAddr, ok := addr.(*net.UDPAddr)
 	if !ok {
 		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
 	}
 
-	// If we have already seen this address dispatch to the appropriate destination
-	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
-	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
-	// We will then forward STUN packets to each of these connections.
-	m.addressMapMu.RLock()
+	// Try to route to specific candidate connection first
+	if conn := m.findCandidateConnection(msg); conn != nil {
+		return conn.writePacket(msg.Raw, remoteAddr)
+	}
+
+	// Fallback: route to all possible connections
+	return m.forwardToAllConnections(msg, addr, remoteAddr)
+}
+
+// findCandidateConnection attempts to find the specific connection for a STUN message
+func (m *SingleSocketUDPMux) findCandidateConnection(msg *stun.Message) *udpMuxedConn {
+	candidatePairID, ok, err := ice.CandidatePairIDFromSTUN(msg)
+	if err != nil {
+		return nil
+	} else if !ok {
+		return nil
+	}
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	conn, exists := m.candidateConnMap[candidatePairID.TargetCandidateID()]
+	if !exists {
+		return nil
+	}
+	return conn
+}
+
+// forwardToAllConnections forwards STUN message to all relevant connections
+func (m *SingleSocketUDPMux) forwardToAllConnections(msg *stun.Message, addr net.Addr, remoteAddr *net.UDPAddr) error {
 	var destinationConnList []*udpMuxedConn
+
+	// Add connections from address map
+	m.addressMapMu.RLock()
 	if storedConns, ok := m.addressMap[addr.String()]; ok {
 		destinationConnList = append(destinationConnList, storedConns...)
 	}
 	m.addressMapMu.RUnlock()
 
-	var isIPv6 bool
-	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {
-		isIPv6 = true
+	if conn, ok := m.findConnectionByUsername(msg, addr); ok {
+		// If we have already seen this address dispatch to the appropriate destination
+		// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
+		// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
+		// We will then forward STUN packets to each of these connections.
+		if !m.connectionExists(conn, destinationConnList) {
+			destinationConnList = append(destinationConnList, conn)
+		}
 	}
 
-	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
-	// However, we can take a username attribute from the STUN message which contains ufrag.
-	// We can use ufrag to identify the destination conn to route packet to.
-	attr, stunAttrErr := msg.Get(stun.AttrUsername)
-	if stunAttrErr == nil {
-		ufrag := strings.Split(string(attr), ":")[0]
-
-		m.mu.Lock()
-		destinationConn := m.connsIPv4[ufrag]
-		if isIPv6 {
-			destinationConn = m.connsIPv6[ufrag]
-		}
-
-		if destinationConn != nil {
-			exists := false
-			for _, conn := range destinationConnList {
-				if conn.params.Key == destinationConn.params.Key {
-					exists = true
-					break
-				}
-			}
-			if !exists {
-				destinationConnList = append(destinationConnList, destinationConn)
-			}
-		}
-		m.mu.Unlock()
-	}
-
-	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
-	// It will be discarded by the further ICE candidate logic if so.
+	// Forward to all found connections
 	for _, conn := range destinationConnList {
 		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
 			log.Errorf("could not write packet: %v", err)
 		}
 	}
-
 	return nil
 }
 
-func (m *UDPMuxDefault) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
+// findConnectionByUsername finds connection using username attribute from STUN message
+func (m *SingleSocketUDPMux) findConnectionByUsername(msg *stun.Message, addr net.Addr) (*udpMuxedConn, bool) {
+	attr, err := msg.Get(stun.AttrUsername)
+	if err != nil {
+		return nil, false
+	}
+
+	ufrag := strings.Split(string(attr), ":")[0]
+	isIPv6 := isIPv6Address(addr)
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	return m.getConn(ufrag, isIPv6)
+}
+
+// connectionExists checks if a connection already exists in the list
+func (m *SingleSocketUDPMux) connectionExists(target *udpMuxedConn, conns []*udpMuxedConn) bool {
+	for _, conn := range conns {
+		if conn.params.Key == target.params.Key {
+			return true
+		}
+	}
+	return false
+}
+
+func (m *SingleSocketUDPMux) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
 	if isIPv6 {
 		val, ok = m.connsIPv6[ufrag]
 	} else {
@@ -451,6 +487,13 @@ func (m *UDPMuxDefault) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, o
 	return
 }
 
+func isIPv6Address(addr net.Addr) bool {
+	if udpAddr, ok := addr.(*net.UDPAddr); ok {
+		return udpAddr.IP.To4() == nil
+	}
+	return false
+}
+
 type bufferHolder struct {
 	buf []byte
 }

client/iface/udpmux/mux_generic.go

@@ -1,12 +1,12 @@
 //go:build !ios
 
-package bind
+package udpmux
 
 import (
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
+func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
 	// Kernel mode: direct nbnet.PacketConn (SharedSocket wrapped with nbnet)
 	if conn, ok := m.params.UDPConn.(*nbnet.PacketConn); ok {
 		conn.RemoveAddress(addr)

client/iface/udpmux/mux_ios.go

@@ -0,0 +1,7 @@
+//go:build ios
+
+package udpmux
+
+func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
+	// iOS doesn't support nbnet hooks, so this is a no-op
+}

client/iface/udpmux/universal.go

@@ -1,4 +1,4 @@
-package bind
+package udpmux
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements.
@@ -15,9 +15,10 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/pion/logging"
-	"github.com/pion/stun/v2"
+	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -28,7 +29,7 @@ type FilterFn func(address netip.Addr) (bool, netip.Prefix, error)
 // UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
 // It then passes packets to the UDPMux that does the actual connection muxing.
 type UniversalUDPMuxDefault struct {
-	*UDPMuxDefault
+	*SingleSocketUDPMux
 	params UniversalUDPMuxParams
 
 	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
@@ -44,6 +45,7 @@ type UniversalUDPMuxParams struct {
 	Net                   transport.Net
 	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
+	MTU                   uint16
 }
 
 // NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
@@ -70,12 +72,12 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		address:    params.WGAddress,
 	}
 
-	udpMuxParams := UDPMuxParams{
+	udpMuxParams := Params{
 		Logger:  params.Logger,
 		UDPConn: m.params.UDPConn,
 		Net:     m.params.Net,
 	}
-	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
+	m.SingleSocketUDPMux = NewSingleSocketUDPMux(udpMuxParams)
 
 	return m
 }
@@ -84,7 +86,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 // just ignore other packets printing an warning message.
 // It is a blocking method, consider running in a go routine.
 func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
-	buf := make([]byte, 1500)
+	buf := make([]byte, m.params.MTU+bufsize.WGBufferOverhead)
 	for {
 		select {
 		case <-ctx.Done():
@@ -209,8 +211,8 @@ func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time
 
 // GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
 // and return a unique connection per server.
-func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr) (net.PacketConn, error) {
-	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr)
+func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr, candidateID string) (net.PacketConn, error) {
+	return m.SingleSocketUDPMux.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr, candidateID)
 }
 
 // HandleSTUNMessage discovers STUN packets that carry a XOR mapped address from a STUN server.
@@ -231,7 +233,7 @@ func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.A
 		}
 		return nil
 	}
-	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
+	return m.SingleSocketUDPMux.HandleSTUNMessage(msg, addr)
 }
 
 // isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.

client/iface/wgproxy/bind/proxy.go

@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
@@ -135,7 +136,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()
 
 	for {
-		buf := make([]byte, 1500)
+		buf := make([]byte, p.Bind.MTU()+bufsize.WGBufferOverhead)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {

client/iface/wgproxy/ebpf/proxy.go

@@ -17,9 +17,10 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 const (
@@ -29,6 +30,7 @@ const (
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
+	mtu               uint16
 
 	ebpfManager   ebpfMgr.Manager
 	turnConnStore map[uint16]net.Conn
@@ -43,10 +45,11 @@ type WGEBPFProxy struct {
 }
 
 // NewWGEBPFProxy create new WGEBPFProxy instance
-func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
+func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
+		mtu:               mtu,
 		ebpfManager:       ebpf.GetEbpfManagerInstance(),
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
@@ -138,7 +141,7 @@ func (p *WGEBPFProxy) Free() error {
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for p.ctx.Err() == nil {
 		if err := p.readAndForwardPacket(buf); err != nil {
 			if p.ctx.Err() != nil {

client/iface/wgproxy/ebpf/proxy_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestWGEBPFProxy_connStore(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)
 
 	p, _ := wgProxy.storeTurnConn(nil)
 	if p != 1 {
@@ -27,7 +27,7 @@ func TestWGEBPFProxy_connStore(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)
 
 	_, _ = wgProxy.storeTurnConn(nil)
 	wgProxy.lastUsedPort = 65535
@@ -43,7 +43,7 @@ func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_maxConn(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1)
+	wgProxy := NewWGEBPFProxy(1, 1280)
 
 	for i := 0; i < 65535; i++ {
 		_, _ = wgProxy.storeTurnConn(nil)

client/iface/wgproxy/ebpf/wrapper.go

@@ -12,6 +12,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
@@ -103,7 +104,7 @@ func (e *ProxyWrapper) CloseConn() error {
 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
 	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))
 
-	buf := make([]byte, 1500)
+	buf := make([]byte, p.WgeBPFProxy.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {

client/iface/wgproxy/factory_kernel.go

@@ -11,16 +11,18 @@ import (
 
 type KernelFactory struct {
 	wgPort int
+	mtu    uint16
 
 	ebpfProxy *ebpf.WGEBPFProxy
 }
 
-func NewKernelFactory(wgPort int) *KernelFactory {
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 	f := &KernelFactory{
 		wgPort: wgPort,
+		mtu:    mtu,
 	}
 
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort)
+	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
@@ -33,7 +35,7 @@ func NewKernelFactory(wgPort int) *KernelFactory {
 
 func (w *KernelFactory) GetProxy() Proxy {
 	if w.ebpfProxy == nil {
-		return udpProxy.NewWGUDPProxy(w.wgPort)
+		return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
 	}
 
 	return ebpf.NewProxyWrapper(w.ebpfProxy)

client/iface/wgproxy/factory_kernel_freebsd.go

@@ -9,19 +9,21 @@ import (
 // KernelFactory todo: check eBPF support on FreeBSD
 type KernelFactory struct {
 	wgPort int
+	mtu    uint16
 }
 
-func NewKernelFactory(wgPort int) *KernelFactory {
+func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 	f := &KernelFactory{
 		wgPort: wgPort,
+		mtu:    mtu,
 	}
 
 	return f
 }
 
 func (w *KernelFactory) GetProxy() Proxy {
-	return udpProxy.NewWGUDPProxy(w.wgPort)
+	return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
 }
 
 func (w *KernelFactory) Free() error {

client/iface/wgproxy/proxy_linux_test.go

@@ -16,7 +16,7 @@ func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
 	}
 	ctx := context.Background()
 
-	ebpfProxy := ebpf.NewWGEBPFProxy(51831)
+	ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %s", err)
 	}

client/iface/wgproxy/proxy_test.go

@@ -84,12 +84,12 @@ func TestProxyCloseByRemoteConn(t *testing.T) {
 	}{
 		{
 			name:  "userspace proxy",
-			proxy: udpProxy.NewWGUDPProxy(51830),
+			proxy: udpProxy.NewWGUDPProxy(51830, 1280),
 		},
 	}
 
 	if runtime.GOOS == "linux" && os.Getenv("GITHUB_ACTIONS") != "true" {
-		ebpfProxy := ebpf.NewWGEBPFProxy(51831)
+		ebpfProxy := ebpf.NewWGEBPFProxy(51831, 1280)
 		if err := ebpfProxy.Listen(); err != nil {
 			t.Fatalf("failed to initialize ebpf proxy: %s", err)
 		}

client/iface/wgproxy/udp/proxy.go

@@ -12,12 +12,14 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	cerrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
 // WGUDPProxy proxies
 type WGUDPProxy struct {
 	localWGListenPort int
+	mtu               uint16
 
 	remoteConn net.Conn
 	localConn  net.Conn
@@ -34,10 +36,11 @@ type WGUDPProxy struct {
 }
 
 // NewWGUDPProxy instantiate a UDP based WireGuard proxy. This is not a thread safe implementation
-func NewWGUDPProxy(wgPort int) *WGUDPProxy {
+func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 	log.Debugf("Initializing new user space proxy with port %d", wgPort)
 	p := &WGUDPProxy{
 		localWGListenPort: wgPort,
+		mtu:               mtu,
 		closeListener:     listener.NewCloseListener(),
 	}
 	return p
@@ -144,7 +147,7 @@ func (p *WGUDPProxy) proxyToRemote(ctx context.Context) {
 		}
 	}()
 
-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for ctx.Err() == nil {
 		n, err := p.localConn.Read(buf)
 		if err != nil {
@@ -179,7 +182,7 @@ func (p *WGUDPProxy) proxyToLocal(ctx context.Context) {
 		}
 	}()
 
-	buf := make([]byte, 1500)
+	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
 	for {
 		n, err := p.remoteConnRead(ctx, buf)
 		if err != nil {

client/internal/auth/device_flow_test.go

@@ -3,15 +3,17 @@ package auth
 import (
 	"context"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
 )
 
 type mockHTTPClient struct {

client/internal/connect.go

@@ -18,6 +18,7 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -33,7 +34,7 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -244,7 +245,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.statusRecorder.MarkSignalConnected()
 
 		relayURLs, token := parseRelayInfo(loginResp)
-		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String())
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
 		if len(relayURLs) > 0 {
 			if token != nil {
@@ -259,14 +268,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 		}
 
-		peerConfig := loginResp.GetPeerConfig()
-
-		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
-		if err != nil {
-			log.Error(err)
-			return wrapErr(err)
-		}
-
 		checks := loginResp.GetChecks()
 
 		c.engineMutex.Lock()
@@ -274,7 +275,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engineMutex.Unlock()
 
-		if err := c.engine.Start(); err != nil {
+		if err := c.engine.Start(loginResp.GetNetbirdConfig(), c.config.ManagementURL); err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}
@@ -283,10 +284,8 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		state.Set(StatusConnected)
 
 		if runningChan != nil {
-			select {
-			case runningChan <- struct{}{}:
-			default:
-			}
+			close(runningChan)
+			runningChan = nil
 		}
 
 		<-engineCtx.Done()
@@ -444,6 +443,8 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		BlockInbound:        config.BlockInbound,
 
 		LazyConnectionEnabled: config.LazyConnectionEnabled,
+
+		MTU: selectMTU(config.MTU, peerConfig.Mtu),
 	}
 
 	if config.PreSharedKey != "" {
@@ -466,6 +467,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 	return engineConf, nil
 }
 
+func selectMTU(localMTU uint16, peerMTU int32) uint16 {
+	var finalMTU uint16 = iface.DefaultMTU
+	if localMTU > 0 {
+		finalMTU = localMTU
+	} else if peerMTU > 0 {
+		finalMTU = uint16(peerMTU)
+	}
+
+	// Set global DNS MTU
+	dns.SetCurrentMTU(finalMTU)
+
+	return finalMTU
+}
+
 // connectToSignal creates Signal Service client and established a connection
 func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
 	var sigTLSEnabled bool

client/internal/dns/config/domains.go

@@ -0,0 +1,201 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"net/url"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/shared/management/domain"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+var (
+	ErrEmptyURL     = errors.New("empty URL")
+	ErrEmptyHost    = errors.New("empty host")
+	ErrIPNotAllowed = errors.New("IP address not allowed")
+)
+
+// ServerDomains represents the management server domains extracted from NetBird configuration
+type ServerDomains struct {
+	Signal domain.Domain
+	Relay  []domain.Domain
+	Flow   domain.Domain
+	Stuns  []domain.Domain
+	Turns  []domain.Domain
+}
+
+// ExtractFromNetbirdConfig extracts domain information from NetBird protobuf configuration
+func ExtractFromNetbirdConfig(config *mgmProto.NetbirdConfig) ServerDomains {
+	if config == nil {
+		return ServerDomains{}
+	}
+
+	domains := ServerDomains{}
+
+	domains.Signal = extractSignalDomain(config)
+	domains.Relay = extractRelayDomains(config)
+	domains.Flow = extractFlowDomain(config)
+	domains.Stuns = extractStunDomains(config)
+	domains.Turns = extractTurnDomains(config)
+
+	return domains
+}
+
+// ExtractValidDomain extracts a valid domain from a URL, filtering out IP addresses
+func ExtractValidDomain(rawURL string) (domain.Domain, error) {
+	if rawURL == "" {
+		return "", ErrEmptyURL
+	}
+
+	parsedURL, err := url.Parse(rawURL)
+	if err == nil {
+		if domain, err := extractFromParsedURL(parsedURL); err != nil || domain != "" {
+			return domain, err
+		}
+	}
+
+	return extractFromRawString(rawURL)
+}
+
+// extractFromParsedURL handles domain extraction from successfully parsed URLs
+func extractFromParsedURL(parsedURL *url.URL) (domain.Domain, error) {
+	if parsedURL.Hostname() != "" {
+		return extractDomainFromHost(parsedURL.Hostname())
+	}
+
+	if parsedURL.Opaque == "" || parsedURL.Scheme == "" {
+		return "", nil
+	}
+
+	// Handle URLs with opaque content (e.g., stun:host:port)
+	if strings.Contains(parsedURL.Scheme, ".") {
+		// This is likely "domain.com:port" being parsed as scheme:opaque
+		reconstructed := parsedURL.Scheme + ":" + parsedURL.Opaque
+		if host, _, err := net.SplitHostPort(reconstructed); err == nil {
+			return extractDomainFromHost(host)
+		}
+		return extractDomainFromHost(parsedURL.Scheme)
+	}
+
+	// Valid scheme with opaque content (e.g., stun:host:port)
+	host := parsedURL.Opaque
+	if queryIndex := strings.Index(host, "?"); queryIndex > 0 {
+		host = host[:queryIndex]
+	}
+
+	if hostOnly, _, err := net.SplitHostPort(host); err == nil {
+		return extractDomainFromHost(hostOnly)
+	}
+
+	return extractDomainFromHost(host)
+}
+
+// extractFromRawString handles domain extraction when URL parsing fails or returns no results
+func extractFromRawString(rawURL string) (domain.Domain, error) {
+	if host, _, err := net.SplitHostPort(rawURL); err == nil {
+		return extractDomainFromHost(host)
+	}
+
+	return extractDomainFromHost(rawURL)
+}
+
+// extractDomainFromHost extracts domain from a host string, filtering out IP addresses
+func extractDomainFromHost(host string) (domain.Domain, error) {
+	if host == "" {
+		return "", ErrEmptyHost
+	}
+
+	if _, err := netip.ParseAddr(host); err == nil {
+		return "", fmt.Errorf("%w: %s", ErrIPNotAllowed, host)
+	}
+
+	d, err := domain.FromString(host)
+	if err != nil {
+		return "", fmt.Errorf("invalid domain: %v", err)
+	}
+
+	return d, nil
+}
+
+// extractSingleDomain extracts a single domain from a URL with error logging
+func extractSingleDomain(url, serviceType string) domain.Domain {
+	if url == "" {
+		return ""
+	}
+
+	d, err := ExtractValidDomain(url)
+	if err != nil {
+		log.Debugf("Skipping %s: %v", serviceType, err)
+		return ""
+	}
+
+	return d
+}
+
+// extractMultipleDomains extracts multiple domains from URLs with error logging
+func extractMultipleDomains(urls []string, serviceType string) []domain.Domain {
+	var domains []domain.Domain
+	for _, url := range urls {
+		if url == "" {
+			continue
+		}
+		d, err := ExtractValidDomain(url)
+		if err != nil {
+			log.Debugf("Skipping %s: %v", serviceType, err)
+			continue
+		}
+		domains = append(domains, d)
+	}
+	return domains
+}
+
+// extractSignalDomain extracts the signal domain from NetBird configuration.
+func extractSignalDomain(config *mgmProto.NetbirdConfig) domain.Domain {
+	if config.Signal != nil {
+		return extractSingleDomain(config.Signal.Uri, "signal")
+	}
+	return ""
+}
+
+// extractRelayDomains extracts relay server domains from NetBird configuration.
+func extractRelayDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	if config.Relay != nil {
+		return extractMultipleDomains(config.Relay.Urls, "relay")
+	}
+	return nil
+}
+
+// extractFlowDomain extracts the traffic flow domain from NetBird configuration.
+func extractFlowDomain(config *mgmProto.NetbirdConfig) domain.Domain {
+	if config.Flow != nil {
+		return extractSingleDomain(config.Flow.Url, "flow")
+	}
+	return ""
+}
+
+// extractStunDomains extracts STUN server domains from NetBird configuration.
+func extractStunDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	var urls []string
+	for _, stun := range config.Stuns {
+		if stun != nil && stun.Uri != "" {
+			urls = append(urls, stun.Uri)
+		}
+	}
+	return extractMultipleDomains(urls, "STUN")
+}
+
+// extractTurnDomains extracts TURN server domains from NetBird configuration.
+func extractTurnDomains(config *mgmProto.NetbirdConfig) []domain.Domain {
+	var urls []string
+	for _, turn := range config.Turns {
+		if turn != nil && turn.HostConfig != nil && turn.HostConfig.Uri != "" {
+			urls = append(urls, turn.HostConfig.Uri)
+		}
+	}
+	return extractMultipleDomains(urls, "TURN")
+}

client/internal/dns/config/domains_test.go

@@ -0,0 +1,213 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestExtractValidDomain(t *testing.T) {
+	tests := []struct {
+		name        string
+		url         string
+		expected    string
+		expectError bool
+	}{
+		{
+			name:     "HTTPS URL with port",
+			url:      "https://api.netbird.io:443",
+			expected: "api.netbird.io",
+		},
+		{
+			name:     "HTTP URL without port",
+			url:      "http://signal.example.com",
+			expected: "signal.example.com",
+		},
+		{
+			name:     "Host with port (no scheme)",
+			url:      "signal.netbird.io:443",
+			expected: "signal.netbird.io",
+		},
+		{
+			name:     "STUN URL",
+			url:      "stun:stun.netbird.io:443",
+			expected: "stun.netbird.io",
+		},
+		{
+			name:     "STUN URL with different port",
+			url:      "stun:stun.netbird.io:5555",
+			expected: "stun.netbird.io",
+		},
+		{
+			name:     "TURNS URL with query params",
+			url:      "turns:turn.netbird.io:443?transport=tcp",
+			expected: "turn.netbird.io",
+		},
+		{
+			name:     "TURN URL",
+			url:      "turn:turn.example.com:3478",
+			expected: "turn.example.com",
+		},
+		{
+			name:     "REL URL",
+			url:      "rel://relay.example.com:443",
+			expected: "relay.example.com",
+		},
+		{
+			name:     "RELS URL",
+			url:      "rels://relay.netbird.io:443",
+			expected: "relay.netbird.io",
+		},
+		{
+			name:     "Raw hostname",
+			url:      "example.org",
+			expected: "example.org",
+		},
+		{
+			name:        "IP address should be rejected",
+			url:         "192.168.1.1",
+			expectError: true,
+		},
+		{
+			name:        "IP address with port should be rejected",
+			url:         "192.168.1.1:443",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 address should be rejected",
+			url:         "2001:db8::1",
+			expectError: true,
+		},
+		{
+			name:        "HTTP URL with IPv4 should be rejected",
+			url:         "http://192.168.1.1:8080",
+			expectError: true,
+		},
+		{
+			name:        "HTTPS URL with IPv4 should be rejected",
+			url:         "https://10.0.0.1:443",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL with IPv4 should be rejected",
+			url:         "stun:192.168.1.1:3478",
+			expectError: true,
+		},
+		{
+			name:        "TURN URL with IPv4 should be rejected",
+			url:         "turn:10.0.0.1:3478",
+			expectError: true,
+		},
+		{
+			name:        "TURNS URL with IPv4 should be rejected",
+			url:         "turns:172.16.0.1:5349",
+			expectError: true,
+		},
+		{
+			name:        "HTTP URL with IPv6 should be rejected",
+			url:         "http://[2001:db8::1]:8080",
+			expectError: true,
+		},
+		{
+			name:        "HTTPS URL with IPv6 should be rejected",
+			url:         "https://[::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL with IPv6 should be rejected",
+			url:         "stun:[2001:db8::1]:3478",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 with port should be rejected",
+			url:         "[2001:db8::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "Localhost IPv4 should be rejected",
+			url:         "127.0.0.1:8080",
+			expectError: true,
+		},
+		{
+			name:        "Localhost IPv6 should be rejected",
+			url:         "[::1]:443",
+			expectError: true,
+		},
+		{
+			name:        "REL URL with IPv4 should be rejected",
+			url:         "rel://192.168.1.1:443",
+			expectError: true,
+		},
+		{
+			name:        "RELS URL with IPv4 should be rejected",
+			url:         "rels://10.0.0.1:443",
+			expectError: true,
+		},
+		{
+			name:        "Empty URL",
+			url:         "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := ExtractValidDomain(tt.url)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected error for URL: %s", tt.url)
+			} else {
+				assert.NoError(t, err, "Unexpected error for URL: %s", tt.url)
+				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for URL: %s", tt.url)
+			}
+		})
+	}
+}
+
+func TestExtractDomainFromHost(t *testing.T) {
+	tests := []struct {
+		name        string
+		host        string
+		expected    string
+		expectError bool
+	}{
+		{
+			name:     "Valid domain",
+			host:     "example.com",
+			expected: "example.com",
+		},
+		{
+			name:     "Subdomain",
+			host:     "api.example.com",
+			expected: "api.example.com",
+		},
+		{
+			name:        "IPv4 address",
+			host:        "192.168.1.1",
+			expectError: true,
+		},
+		{
+			name:        "IPv6 address",
+			host:        "2001:db8::1",
+			expectError: true,
+		},
+		{
+			name:        "Empty host",
+			host:        "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := extractDomainFromHost(tt.host)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected error for host: %s", tt.host)
+			} else {
+				assert.NoError(t, err, "Unexpected error for host: %s", tt.host)
+				assert.Equal(t, tt.expected, result.SafeString(), "Domain mismatch for host: %s", tt.host)
+			}
+		})
+	}
+}

client/internal/dns/file_parser_unix_test.go

@@ -176,4 +176,3 @@ nameserver 192.168.0.1
 		t.Errorf("unexpected resolv.conf content: %v", cfg)
 	}
 }
-

client/internal/dns/handler_chain.go

@@ -11,11 +11,12 @@ import (
 )
 
 const (
-	PriorityLocal    = 100
-	PriorityDNSRoute = 75
-	PriorityUpstream = 50
-	PriorityDefault  = 1
-	PriorityFallback = -100
+	PriorityMgmtCache = 150
+	PriorityLocal     = 100
+	PriorityDNSRoute  = 75
+	PriorityUpstream  = 50
+	PriorityDefault   = 1
+	PriorityFallback  = -100
 )
 
 type SubdomainMatcher interface {
@@ -182,7 +183,10 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 			// If handler wants to continue, try next handler
 			if chainWriter.shouldContinue {
-				log.Tracef("handler requested continue to next handler for domain=%s", qname)
+				// Only log continue for non-management cache handlers to reduce noise
+				if entry.Priority != PriorityMgmtCache {
+					log.Tracef("handler requested continue to next handler for domain=%s", qname)
+				}
 				continue
 			}
 			return

client/internal/dns/host_darwin.go

@@ -166,9 +166,10 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 
 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
-		err := s.recordSystemDNSSettings(true)
-		log.Errorf("Unable to get system DNS configuration")
-		return err
+		if err := s.recordSystemDNSSettings(true); err != nil {
+			log.Errorf("Unable to get system DNS configuration")
+			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
+		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
 	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {

client/internal/dns/host_windows.go

@@ -64,9 +64,10 @@ const (
 )
 
 type registryConfigurator struct {
-	guid       string
-	routingAll bool
-	gpo        bool
+	guid           string
+	routingAll     bool
+	gpo            bool
+	nrptEntryCount int
 }
 
 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -177,7 +178,11 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}
 
-	if err := stateManager.UpdateState(&ShutdownState{Guid: r.guid, GPO: r.gpo}); err != nil {
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
 		log.Errorf("failed to update shutdown state: %s", err)
 	}
 
@@ -193,13 +198,24 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	}
 
 	if len(matchDomains) != 0 {
-		if err := r.addDNSMatchPolicy(matchDomains, config.ServerIP); err != nil {
+		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
+		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		if err := r.removeDNSMatchPolicies(); err != nil {
 			return fmt.Errorf("remove dns match policies: %w", err)
 		}
+		r.nrptEntryCount = 0
+	}
+
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
 	}
 
 	if err := r.updateSearchDomains(searchDomains); err != nil {
@@ -220,28 +236,36 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 	return nil
 }
 
-func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) error {
+func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
-	if r.gpo {
-		if err := r.configureDNSPolicy(gpoDnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure GPO DNS policy: %w", err)
+	for i, domain := range domains {
+
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(dnsPolicyConfigMatchPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
 
+		if r.gpo {
+			if err := r.configureDNSPolicy(gpoDnsPolicyConfigMatchPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
+			}
+		}
+
+		log.Debugf("added NRPT entry for domain: %s", domain)
+	}
+
+	if r.gpo {
 		if err := refreshGroupPolicy(); err != nil {
 			log.Warnf("failed to refresh group policy: %v", err)
 		}
-	} else {
-		if err := r.configureDNSPolicy(dnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure local DNS policy: %w", err)
-		}
 	}
 
-	log.Infof("added %d match domains. Domain list: %s", len(domains), domains)
-	return nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }
 
-// configureDNSPolicy handles the actual configuration of a DNS policy at the specified path
 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
 	if err := removeRegistryKeyFromDNSPolicyConfig(policyPath); err != nil {
 		return fmt.Errorf("remove existing dns policy: %w", err)
@@ -374,12 +398,27 @@ func (r *registryConfigurator) restoreHostDNS() error {
 
 func (r *registryConfigurator) removeDNSMatchPolicies() error {
 	var merr *multierror.Error
+
+	// Try to remove the base entries (for backward compatibility)
 	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove local registry key: %w", err))
+		merr = multierror.Append(merr, fmt.Errorf("remove local base entry: %w", err))
 	}
 
 	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove GPO registry key: %w", err))
+		merr = multierror.Append(merr, fmt.Errorf("remove GPO base entry: %w", err))
+	}
+
+	for i := 0; i < r.nrptEntryCount; i++ {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+
+		if err := removeRegistryKeyFromDNSPolicyConfig(localPath); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove local entry %d: %w", i, err))
+		}
+
+		if err := removeRegistryKeyFromDNSPolicyConfig(gpoPath); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove GPO entry %d: %w", i, err))
+		}
 	}
 
 	if err := refreshGroupPolicy(); err != nil {

client/internal/dns/local/local.go

@@ -34,7 +34,7 @@ func (d *Resolver) MatchSubdomains() bool {
 
 // String returns a string representation of the local resolver
 func (d *Resolver) String() string {
-	return fmt.Sprintf("local resolver [%d records]", len(d.records))
+	return fmt.Sprintf("LocalResolver [%d records]", len(d.records))
 }
 
 func (d *Resolver) Stop() {}

client/internal/dns/mgmt/mgmt.go

@@ -0,0 +1,360 @@
+package mgmt
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+const dnsTimeout = 5 * time.Second
+
+// Resolver caches critical NetBird infrastructure domains
+type Resolver struct {
+	records       map[dns.Question][]dns.RR
+	mgmtDomain    *domain.Domain
+	serverDomains *dnsconfig.ServerDomains
+	mutex         sync.RWMutex
+}
+
+// NewResolver creates a new management domains cache resolver.
+func NewResolver() *Resolver {
+	return &Resolver{
+		records: make(map[dns.Question][]dns.RR),
+	}
+}
+
+// String returns a string representation of the resolver.
+func (m *Resolver) String() string {
+	return "MgmtCacheResolver"
+}
+
+// ServeDNS implements dns.Handler interface.
+func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) == 0 {
+		m.continueToNext(w, r)
+		return
+	}
+
+	question := r.Question[0]
+	question.Name = strings.ToLower(dns.Fqdn(question.Name))
+
+	if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA {
+		m.continueToNext(w, r)
+		return
+	}
+
+	m.mutex.RLock()
+	records, found := m.records[question]
+	m.mutex.RUnlock()
+
+	if !found {
+		m.continueToNext(w, r)
+		return
+	}
+
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Authoritative = false
+	resp.RecursionAvailable = true
+
+	resp.Answer = append(resp.Answer, records...)
+
+	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)
+
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write response: %v", err)
+	}
+}
+
+// MatchSubdomains returns false since this resolver only handles exact domain matches
+// for NetBird infrastructure domains (signal, relay, flow, etc.), not their subdomains.
+func (m *Resolver) MatchSubdomains() bool {
+	return false
+}
+
+// continueToNext signals the handler chain to continue to the next handler.
+func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetRcode(r, dns.RcodeNameError)
+	resp.MsgHdr.Zero = true
+	if err := w.WriteMsg(resp); err != nil {
+		log.Errorf("failed to write continue signal: %v", err)
+	}
+}
+
+// AddDomain manually adds a domain to cache by resolving it.
+func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
+	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
+
+	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
+	defer cancel()
+
+	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
+	if err != nil {
+		return fmt.Errorf("resolve domain %s: %w", d.SafeString(), err)
+	}
+
+	var aRecords, aaaaRecords []dns.RR
+	for _, ip := range ips {
+		if ip.Is4() {
+			rr := &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				A: ip.AsSlice(),
+			}
+			aRecords = append(aRecords, rr)
+		} else if ip.Is6() {
+			rr := &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				AAAA: ip.AsSlice(),
+			}
+			aaaaRecords = append(aaaaRecords, rr)
+		}
+	}
+
+	m.mutex.Lock()
+
+	if len(aRecords) > 0 {
+		aQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aQuestion] = aRecords
+	}
+
+	if len(aaaaRecords) > 0 {
+		aaaaQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aaaaQuestion] = aaaaRecords
+	}
+
+	m.mutex.Unlock()
+
+	log.Debugf("added domain=%s with %d A records and %d AAAA records",
+		d.SafeString(), len(aRecords), len(aaaaRecords))
+
+	return nil
+}
+
+// PopulateFromConfig extracts and caches domains from the client configuration.
+func (m *Resolver) PopulateFromConfig(ctx context.Context, mgmtURL *url.URL) error {
+	if mgmtURL == nil {
+		return nil
+	}
+
+	d, err := dnsconfig.ExtractValidDomain(mgmtURL.String())
+	if err != nil {
+		return fmt.Errorf("extract domain from URL: %w", err)
+	}
+
+	m.mutex.Lock()
+	m.mgmtDomain = &d
+	m.mutex.Unlock()
+
+	if err := m.AddDomain(ctx, d); err != nil {
+		return fmt.Errorf("add domain: %w", err)
+	}
+
+	return nil
+}
+
+// RemoveDomain removes a domain from the cache.
+func (m *Resolver) RemoveDomain(d domain.Domain) error {
+	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
+
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	aQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aQuestion)
+
+	aaaaQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeAAAA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aaaaQuestion)
+
+	log.Debugf("removed domain=%s from cache", d.SafeString())
+	return nil
+}
+
+// GetCachedDomains returns a list of all cached domains.
+func (m *Resolver) GetCachedDomains() domain.List {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	domainSet := make(map[domain.Domain]struct{})
+	for question := range m.records {
+		domainName := strings.TrimSuffix(question.Name, ".")
+		domainSet[domain.Domain(domainName)] = struct{}{}
+	}
+
+	domains := make(domain.List, 0, len(domainSet))
+	for d := range domainSet {
+		domains = append(domains, d)
+	}
+
+	return domains
+}
+
+// UpdateFromServerDomains updates the cache with server domains from network configuration.
+// It merges new domains with existing ones, replacing entire domain types when updated.
+// Empty updates are ignored to prevent clearing infrastructure domains during partial updates.
+func (m *Resolver) UpdateFromServerDomains(ctx context.Context, serverDomains dnsconfig.ServerDomains) (domain.List, error) {
+	newDomains := m.extractDomainsFromServerDomains(serverDomains)
+	var removedDomains domain.List
+
+	if len(newDomains) > 0 {
+		m.mutex.Lock()
+		if m.serverDomains == nil {
+			m.serverDomains = &dnsconfig.ServerDomains{}
+		}
+		updatedServerDomains := m.mergeServerDomains(*m.serverDomains, serverDomains)
+		m.serverDomains = &updatedServerDomains
+		m.mutex.Unlock()
+
+		allDomains := m.extractDomainsFromServerDomains(updatedServerDomains)
+		currentDomains := m.GetCachedDomains()
+		removedDomains = m.removeStaleDomains(currentDomains, allDomains)
+	}
+
+	m.addNewDomains(ctx, newDomains)
+
+	return removedDomains, nil
+}
+
+// removeStaleDomains removes cached domains not present in the target domain list.
+// Management domains are preserved and never removed during server domain updates.
+func (m *Resolver) removeStaleDomains(currentDomains, newDomains domain.List) domain.List {
+	var removedDomains domain.List
+
+	for _, currentDomain := range currentDomains {
+		if m.isDomainInList(currentDomain, newDomains) {
+			continue
+		}
+
+		if m.isManagementDomain(currentDomain) {
+			continue
+		}
+
+		removedDomains = append(removedDomains, currentDomain)
+		if err := m.RemoveDomain(currentDomain); err != nil {
+			log.Warnf("failed to remove domain=%s: %v", currentDomain.SafeString(), err)
+		}
+	}
+
+	return removedDomains
+}
+
+// mergeServerDomains merges new server domains with existing ones.
+// When a domain type is provided in the new domains, it completely replaces that type.
+func (m *Resolver) mergeServerDomains(existing, incoming dnsconfig.ServerDomains) dnsconfig.ServerDomains {
+	merged := existing
+
+	if incoming.Signal != "" {
+		merged.Signal = incoming.Signal
+	}
+	if len(incoming.Relay) > 0 {
+		merged.Relay = incoming.Relay
+	}
+	if incoming.Flow != "" {
+		merged.Flow = incoming.Flow
+	}
+	if len(incoming.Stuns) > 0 {
+		merged.Stuns = incoming.Stuns
+	}
+	if len(incoming.Turns) > 0 {
+		merged.Turns = incoming.Turns
+	}
+
+	return merged
+}
+
+// isDomainInList checks if domain exists in the list
+func (m *Resolver) isDomainInList(domain domain.Domain, list domain.List) bool {
+	for _, d := range list {
+		if domain.SafeString() == d.SafeString() {
+			return true
+		}
+	}
+	return false
+}
+
+// isManagementDomain checks if domain is the protected management domain
+func (m *Resolver) isManagementDomain(domain domain.Domain) bool {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	return m.mgmtDomain != nil && domain == *m.mgmtDomain
+}
+
+// addNewDomains resolves and caches all domains from the update
+func (m *Resolver) addNewDomains(ctx context.Context, newDomains domain.List) {
+	for _, newDomain := range newDomains {
+		if err := m.AddDomain(ctx, newDomain); err != nil {
+			log.Warnf("failed to add/update domain=%s: %v", newDomain.SafeString(), err)
+		} else {
+			log.Debugf("added/updated management cache domain=%s", newDomain.SafeString())
+		}
+	}
+}
+
+func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.ServerDomains) domain.List {
+	var domains domain.List
+
+	if serverDomains.Signal != "" {
+		domains = append(domains, serverDomains.Signal)
+	}
+
+	for _, relay := range serverDomains.Relay {
+		if relay != "" {
+			domains = append(domains, relay)
+		}
+	}
+
+	if serverDomains.Flow != "" {
+		domains = append(domains, serverDomains.Flow)
+	}
+
+	for _, stun := range serverDomains.Stuns {
+		if stun != "" {
+			domains = append(domains, stun)
+		}
+	}
+
+	for _, turn := range serverDomains.Turns {
+		if turn != "" {
+			domains = append(domains, turn)
+		}
+	}
+
+	return domains
+}

client/internal/dns/mgmt/mgmt_test.go

@@ -0,0 +1,416 @@
+package mgmt
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+func TestResolver_NewResolver(t *testing.T) {
+	resolver := NewResolver()
+
+	assert.NotNil(t, resolver)
+	assert.NotNil(t, resolver.records)
+	assert.False(t, resolver.MatchSubdomains())
+}
+
+func TestResolver_ExtractDomainFromURL(t *testing.T) {
+	tests := []struct {
+		name        string
+		urlStr      string
+		expectedDom string
+		expectError bool
+	}{
+		{
+			name:        "HTTPS URL with port",
+			urlStr:      "https://api.netbird.io:443",
+			expectedDom: "api.netbird.io",
+			expectError: false,
+		},
+		{
+			name:        "HTTP URL without port",
+			urlStr:      "http://signal.example.com",
+			expectedDom: "signal.example.com",
+			expectError: false,
+		},
+		{
+			name:        "URL with path",
+			urlStr:      "https://relay.netbird.io/status",
+			expectedDom: "relay.netbird.io",
+			expectError: false,
+		},
+		{
+			name:        "Invalid URL",
+			urlStr:      "not-a-valid-url",
+			expectedDom: "not-a-valid-url",
+			expectError: false,
+		},
+		{
+			name:        "Empty URL",
+			urlStr:      "",
+			expectedDom: "",
+			expectError: true,
+		},
+		{
+			name:        "STUN URL",
+			urlStr:      "stun:stun.example.com:3478",
+			expectedDom: "stun.example.com",
+			expectError: false,
+		},
+		{
+			name:        "TURN URL",
+			urlStr:      "turn:turn.example.com:3478",
+			expectedDom: "turn.example.com",
+			expectError: false,
+		},
+		{
+			name:        "REL URL",
+			urlStr:      "rel://relay.example.com:443",
+			expectedDom: "relay.example.com",
+			expectError: false,
+		},
+		{
+			name:        "RELS URL",
+			urlStr:      "rels://relay.example.com:443",
+			expectedDom: "relay.example.com",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var parsedURL *url.URL
+			var err error
+
+			if tt.urlStr != "" {
+				parsedURL, err = url.Parse(tt.urlStr)
+				if err != nil && !tt.expectError {
+					t.Fatalf("Failed to parse URL: %v", err)
+				}
+			}
+
+			domain, err := extractDomainFromURL(parsedURL)
+
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expectedDom, domain.SafeString())
+			}
+		})
+	}
+}
+
+func TestResolver_PopulateFromConfig(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := NewResolver()
+
+	// Test with IP address - should return error since IP addresses are rejected
+	mgmtURL, _ := url.Parse("https://127.0.0.1")
+
+	err := resolver.PopulateFromConfig(ctx, mgmtURL)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, dnsconfig.ErrIPNotAllowed)
+
+	// No domains should be cached when using IP addresses
+	domains := resolver.GetCachedDomains()
+	assert.Equal(t, 0, len(domains), "No domains should be cached when using IP addresses")
+}
+
+func TestResolver_ServeDNS(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Add a test domain to the cache - use example.org which is reserved for testing
+	testDomain, err := domain.FromString("example.org")
+	if err != nil {
+		t.Fatalf("Failed to create domain: %v", err)
+	}
+	err = resolver.AddDomain(ctx, testDomain)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Test A record query for cached domain
+	t.Run("Cached domain A record", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		req := new(dns.Msg)
+		req.SetQuestion("example.org.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
+		assert.True(t, len(capturedMsg.Answer) > 0, "Should have at least one answer")
+	})
+
+	// Test uncached domain signals to continue to next handler
+	t.Run("Uncached domain signals continue to next handler", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		req := new(dns.Msg)
+		req.SetQuestion("unknown.example.com.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
+		// Zero flag set to true signals the handler chain to continue to next handler
+		assert.True(t, capturedMsg.MsgHdr.Zero, "Zero flag should be set to signal continuation to next handler")
+		assert.Empty(t, capturedMsg.Answer, "Should have no answers for uncached domain")
+	})
+
+	// Test that subdomains of cached domains are NOT resolved
+	t.Run("Subdomains of cached domains are not resolved", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		// Query for a subdomain of our cached domain
+		req := new(dns.Msg)
+		req.SetQuestion("sub.example.org.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeNameError, capturedMsg.Rcode)
+		assert.True(t, capturedMsg.MsgHdr.Zero, "Should signal continuation to next handler for subdomains")
+		assert.Empty(t, capturedMsg.Answer, "Should have no answers for subdomains")
+	})
+
+	// Test case-insensitive matching
+	t.Run("Case-insensitive domain matching", func(t *testing.T) {
+		var capturedMsg *dns.Msg
+		mockWriter := &test.MockResponseWriter{
+			WriteMsgFunc: func(m *dns.Msg) error {
+				capturedMsg = m
+				return nil
+			},
+		}
+
+		// Query with different casing
+		req := new(dns.Msg)
+		req.SetQuestion("EXAMPLE.ORG.", dns.TypeA)
+
+		resolver.ServeDNS(mockWriter, req)
+
+		assert.NotNil(t, capturedMsg)
+		assert.Equal(t, dns.RcodeSuccess, capturedMsg.Rcode)
+		assert.True(t, len(capturedMsg.Answer) > 0, "Should resolve regardless of case")
+	})
+}
+
+func TestResolver_GetCachedDomains(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	testDomain, err := domain.FromString("example.org")
+	if err != nil {
+		t.Fatalf("Failed to create domain: %v", err)
+	}
+	err = resolver.AddDomain(ctx, testDomain)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	cachedDomains := resolver.GetCachedDomains()
+
+	assert.Equal(t, 1, len(cachedDomains), "Should return exactly one domain for single added domain")
+	assert.Equal(t, testDomain.SafeString(), cachedDomains[0].SafeString(), "Cached domain should match original")
+	assert.False(t, strings.HasSuffix(cachedDomains[0].PunycodeString(), "."), "Domain should not have trailing dot")
+}
+
+func TestResolver_ManagementDomainProtection(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	mgmtURL, _ := url.Parse("https://example.org")
+	err := resolver.PopulateFromConfig(ctx, mgmtURL)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	initialDomains := resolver.GetCachedDomains()
+	if len(initialDomains) == 0 {
+		t.Skip("Management domain failed to resolve, skipping test")
+	}
+	assert.Equal(t, 1, len(initialDomains), "Should have management domain cached")
+	assert.Equal(t, "example.org", initialDomains[0].SafeString())
+
+	serverDomains := dnsconfig.ServerDomains{
+		Signal: "google.com",
+		Relay:  []domain.Domain{"cloudflare.com"},
+	}
+
+	_, err = resolver.UpdateFromServerDomains(ctx, serverDomains)
+	if err != nil {
+		t.Logf("Server domains update failed: %v", err)
+	}
+
+	finalDomains := resolver.GetCachedDomains()
+
+	managementStillCached := false
+	for _, d := range finalDomains {
+		if d.SafeString() == "example.org" {
+			managementStillCached = true
+			break
+		}
+	}
+	assert.True(t, managementStillCached, "Management domain should never be removed")
+}
+
+// extractDomainFromURL extracts a domain from a URL - test helper function
+func extractDomainFromURL(u *url.URL) (domain.Domain, error) {
+	if u == nil {
+		return "", fmt.Errorf("URL is nil")
+	}
+	return dnsconfig.ExtractValidDomain(u.String())
+}
+
+func TestResolver_EmptyUpdateDoesNotRemoveDomains(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Verify domains were added
+	cachedDomains := resolver.GetCachedDomains()
+	assert.Len(t, cachedDomains, 3)
+
+	// Update with empty ServerDomains (simulating partial network map update)
+	emptyDomains := dnsconfig.ServerDomains{}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, emptyDomains)
+	assert.NoError(t, err)
+
+	// Verify no domains were removed
+	assert.Len(t, removedDomains, 0, "No domains should be removed when update is empty")
+
+	// Verify all original domains are still cached
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 3, "All original domains should still be cached")
+}
+
+func TestResolver_PartialUpdateReplacesOnlyUpdatedTypes(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial complete domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+	assert.Len(t, resolver.GetCachedDomains(), 3)
+
+	// Update with partial ServerDomains (only signal domain - this should replace signal but preserve stun/turn)
+	partialDomains := dnsconfig.ServerDomains{
+		Signal: "github.com",
+	}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	// Should remove only the old signal domain
+	assert.Len(t, removedDomains, 1, "Should remove only the old signal domain")
+	assert.Equal(t, "example.org", removedDomains[0].SafeString())
+
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 3, "Should have new signal plus preserved stun/turn domains")
+
+	domainStrings := make([]string, len(finalDomains))
+	for i, d := range finalDomains {
+		domainStrings[i] = d.SafeString()
+	}
+	assert.Contains(t, domainStrings, "github.com")
+	assert.Contains(t, domainStrings, "google.com")
+	assert.Contains(t, domainStrings, "cloudflare.com")
+	assert.NotContains(t, domainStrings, "example.org")
+}
+
+func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
+	resolver := NewResolver()
+	ctx := context.Background()
+
+	// Set up initial complete domains using resolvable domains
+	initialDomains := dnsconfig.ServerDomains{
+		Signal: "example.org",
+		Stuns:  []domain.Domain{"google.com"},
+		Turns:  []domain.Domain{"cloudflare.com"},
+	}
+
+	// Add initial domains
+	_, err := resolver.UpdateFromServerDomains(ctx, initialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+	assert.Len(t, resolver.GetCachedDomains(), 3)
+
+	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
+	partialDomains := dnsconfig.ServerDomains{
+		Flow: "github.com",
+	}
+	removedDomains, err := resolver.UpdateFromServerDomains(ctx, partialDomains)
+	if err != nil {
+		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
+	}
+
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")
+
+	finalDomains := resolver.GetCachedDomains()
+	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")
+
+	domainStrings := make([]string, len(finalDomains))
+	for i, d := range finalDomains {
+		domainStrings[i] = d.SafeString()
+	}
+	assert.Contains(t, domainStrings, "example.org")
+	assert.Contains(t, domainStrings, "google.com")
+	assert.Contains(t, domainStrings, "cloudflare.com")
+	assert.Contains(t, domainStrings, "github.com")
+}

client/internal/dns/mock_server.go

@@ -3,20 +3,23 @@ package dns
 import (
 	"fmt"
 	"net/netip"
+	"net/url"
 
 	"github.com/miekg/dns"
 
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 // MockServer is the mock instance of a dns server
 type MockServer struct {
-	InitializeFunc        func() error
-	StopFunc              func()
-	UpdateDNSServerFunc   func(serial uint64, update nbdns.Config) error
-	RegisterHandlerFunc   func(domain.List, dns.Handler, int)
-	DeregisterHandlerFunc func(domain.List, int)
+	InitializeFunc         func() error
+	StopFunc               func()
+	UpdateDNSServerFunc    func(serial uint64, update nbdns.Config) error
+	RegisterHandlerFunc    func(domain.List, dns.Handler, int)
+	DeregisterHandlerFunc  func(domain.List, int)
+	UpdateServerConfigFunc func(domains dnsconfig.ServerDomains) error
 }
 
 func (m *MockServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -70,3 +73,14 @@ func (m *MockServer) SearchDomains() []string {
 // ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
 func (m *MockServer) ProbeAvailability() {
 }
+
+func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
+	if m.UpdateServerConfigFunc != nil {
+		return m.UpdateServerConfigFunc(domains)
+	}
+	return nil
+}
+
+func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
+	return nil
+}

client/internal/dns/server.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"net/url"
 	"runtime"
 	"strings"
 	"sync"
@@ -15,7 +16,9 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/iface/netstack"
+	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dns/local"
+	"github.com/netbirdio/netbird/client/internal/dns/mgmt"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -45,6 +48,8 @@ type Server interface {
 	OnUpdatedHostDNSServer(addrs []netip.AddrPort)
 	SearchDomains() []string
 	ProbeAvailability()
+	UpdateServerConfig(domains dnsconfig.ServerDomains) error
+	PopulateManagementDomain(mgmtURL *url.URL) error
 }
 
 type nsGroupsByDomain struct {
@@ -77,6 +82,8 @@ type DefaultServer struct {
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
 
+	mgmtCacheResolver *mgmt.Resolver
+
 	// permanent related properties
 	permanent      bool
 	hostsDNSHolder *hostsDNSHolder
@@ -104,18 +111,20 @@ type handlerWrapper struct {
 
 type registeredHandlerMap map[types.HandlerID]handlerWrapper
 
+// DefaultServerConfig holds configuration parameters for NewDefaultServer
+type DefaultServerConfig struct {
+	WgInterface    WGIface
+	CustomAddress  string
+	StatusRecorder *peer.Status
+	StateManager   *statemanager.Manager
+	DisableSys     bool
+}
+
 // NewDefaultServer returns a new dns server
-func NewDefaultServer(
-	ctx context.Context,
-	wgInterface WGIface,
-	customAddress string,
-	statusRecorder *peer.Status,
-	stateManager *statemanager.Manager,
-	disableSys bool,
-) (*DefaultServer, error) {
+func NewDefaultServer(ctx context.Context, config DefaultServerConfig) (*DefaultServer, error) {
 	var addrPort *netip.AddrPort
-	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
+	if config.CustomAddress != "" {
+		parsedAddrPort, err := netip.ParseAddrPort(config.CustomAddress)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
 		}
@@ -123,13 +132,14 @@ func NewDefaultServer(
 	}
 
 	var dnsService service
-	if wgInterface.IsUserspaceBind() {
-		dnsService = NewServiceViaMemory(wgInterface)
+	if config.WgInterface.IsUserspaceBind() {
+		dnsService = NewServiceViaMemory(config.WgInterface)
 	} else {
-		dnsService = newServiceViaListener(wgInterface, addrPort)
+		dnsService = newServiceViaListener(config.WgInterface, addrPort)
 	}
 
-	return newDefaultServer(ctx, wgInterface, dnsService, statusRecorder, stateManager, disableSys), nil
+	server := newDefaultServer(ctx, config.WgInterface, dnsService, config.StatusRecorder, config.StateManager, config.DisableSys)
+	return server, nil
 }
 
 // NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
@@ -178,20 +188,24 @@ func newDefaultServer(
 ) *DefaultServer {
 	handlerChain := NewHandlerChain()
 	ctx, stop := context.WithCancel(ctx)
+
+	mgmtCacheResolver := mgmt.NewResolver()
+
 	defaultServer := &DefaultServer{
-		ctx:            ctx,
-		ctxCancel:      stop,
-		disableSys:     disableSys,
-		service:        dnsService,
-		handlerChain:   handlerChain,
-		extraDomains:   make(map[domain.Domain]int),
-		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver:  local.NewResolver(),
-		wgInterface:    wgInterface,
-		statusRecorder: statusRecorder,
-		stateManager:   stateManager,
-		hostsDNSHolder: newHostsDNSHolder(),
-		hostManager:    &noopHostConfigurator{},
+		ctx:               ctx,
+		ctxCancel:         stop,
+		disableSys:        disableSys,
+		service:           dnsService,
+		handlerChain:      handlerChain,
+		extraDomains:      make(map[domain.Domain]int),
+		dnsMuxMap:         make(registeredHandlerMap),
+		localResolver:     local.NewResolver(),
+		wgInterface:       wgInterface,
+		statusRecorder:    statusRecorder,
+		stateManager:      stateManager,
+		hostsDNSHolder:    newHostsDNSHolder(),
+		hostManager:       &noopHostConfigurator{},
+		mgmtCacheResolver: mgmtCacheResolver,
 	}
 
 	// register with root zone, handler chain takes care of the routing
@@ -217,7 +231,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 }
 
 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
-	log.Debugf("registering handler %s with priority %d", handler, priority)
+	log.Debugf("registering handler %s with priority %d for %v", handler, priority, domains)
 
 	for _, domain := range domains {
 		if domain == "" {
@@ -246,7 +260,7 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 }
 
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
-	log.Debugf("deregistering handler %v with priority %d", domains, priority)
+	log.Debugf("deregistering handler with priority %d for %v", priority, domains)
 
 	for _, domain := range domains {
 		if domain == "" {
@@ -432,6 +446,29 @@ func (s *DefaultServer) ProbeAvailability() {
 	wg.Wait()
 }
 
+func (s *DefaultServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	if s.mgmtCacheResolver != nil {
+		removedDomains, err := s.mgmtCacheResolver.UpdateFromServerDomains(s.ctx, domains)
+		if err != nil {
+			return fmt.Errorf("update management cache resolver: %w", err)
+		}
+
+		if len(removedDomains) > 0 {
+			s.deregisterHandler(removedDomains.ToPunycodeList(), PriorityMgmtCache)
+		}
+
+		newDomains := s.mgmtCacheResolver.GetCachedDomains()
+		if len(newDomains) > 0 {
+			s.registerHandler(newDomains.ToPunycodeList(), s.mgmtCacheResolver, PriorityMgmtCache)
+		}
+	}
+
+	return nil
+}
+
 func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	// is the service should be Disabled, we stop the listener or fake resolver
 	if update.ServiceEnable {
@@ -695,6 +732,12 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
 				continue
 			}
+
+			if ns.IP == s.service.RuntimeIP() {
+				log.Warnf("skipping nameserver %s as it matches our DNS server IP, preventing potential loop", ns.IP)
+				continue
+			}
+
 			handler.upstreamServers = append(handler.upstreamServers, ns.AddrPort())
 		}
 
@@ -955,3 +998,11 @@ func toZone(d domain.Domain) domain.Domain {
 		),
 	)
 }
+
+// PopulateManagementDomain populates the DNS cache with management domain
+func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
+	if s.mgmtCacheResolver != nil {
+		return s.mgmtCacheResolver.PopulateFromConfig(s.ctx, mgmtURL)
+	}
+	return nil
+}

client/internal/dns/server_test.go

@@ -363,7 +363,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+				WgInterface:    wgIface,
+				CustomAddress:  "",
+				StatusRecorder: peer.NewRecorder("mgm"),
+				StateManager:   nil,
+				DisableSys:     false,
+			})
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -473,7 +479,13 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}
 
-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", peer.NewRecorder("mgm"), nil, false)
+	dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+		WgInterface:    wgIface,
+		CustomAddress:  "",
+		StatusRecorder: peer.NewRecorder("mgm"),
+		StateManager:   nil,
+		DisableSys:     false,
+	})
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
@@ -575,7 +587,13 @@ func TestDNSServerStartStop(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, peer.NewRecorder("mgm"), nil, false)
+			dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{
+				WgInterface:    &mocWGIface{},
+				CustomAddress:  testCase.addrPort,
+				StatusRecorder: peer.NewRecorder("mgm"),
+				StateManager:   nil,
+				DisableSys:     false,
+			})
 			if err != nil {
 				t.Fatalf("%v", err)
 			}
@@ -2056,3 +2074,124 @@ func TestLocalResolverPriorityConstants(t *testing.T) {
 	assert.Equal(t, PriorityLocal, localMuxUpdates[0].priority, "Local handler should use PriorityLocal")
 	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
 }
+
+func TestDNSLoopPrevention(t *testing.T) {
+	wgInterface := &mocWGIface{}
+	service := NewServiceViaMemory(wgInterface)
+	dnsServerIP := service.RuntimeIP()
+
+	server := &DefaultServer{
+		ctx:           context.Background(),
+		wgInterface:   wgInterface,
+		service:       service,
+		localResolver: local.NewResolver(),
+		handlerChain:  NewHandlerChain(),
+		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
+	}
+
+	tests := []struct {
+		name              string
+		nsGroups          []*nbdns.NameServerGroup
+		expectedHandlers  int
+		expectedServers   []netip.Addr
+		shouldFilterOwnIP bool
+	}{
+		{
+			name: "FilterOwnDNSServerIP",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: true,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: true,
+		},
+		{
+			name: "AllServersFiltered",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: false,
+					NameServers: []nbdns.NameServer{
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{"example.com"},
+				},
+			},
+			expectedHandlers:  0,
+			expectedServers:   []netip.Addr{},
+			shouldFilterOwnIP: true,
+		},
+		{
+			name: "MixedServersWithOwnIP",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: false,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53}, // duplicate
+					},
+					Domains: []string{"test.com"},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: true,
+		},
+		{
+			name: "NoOwnIPInList",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: true,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			muxUpdates, err := server.buildUpstreamHandlerUpdate(tt.nsGroups)
+			assert.NoError(t, err)
+			assert.Len(t, muxUpdates, tt.expectedHandlers)
+
+			if tt.expectedHandlers > 0 {
+				handler := muxUpdates[0].handler.(*upstreamResolver)
+				assert.Len(t, handler.upstreamServers, len(tt.expectedServers))
+
+				if tt.shouldFilterOwnIP {
+					for _, upstream := range handler.upstreamServers {
+						assert.NotEqual(t, dnsServerIP, upstream.Addr())
+					}
+				}
+
+				for _, expected := range tt.expectedServers {
+					found := false
+					for _, upstream := range handler.upstreamServers {
+						if upstream.Addr() == expected {
+							found = true
+							break
+						}
+					}
+					assert.True(t, found, "Expected server %s not found", expected)
+				}
+			}
+		})
+	}
+}

client/internal/dns/service_memory.go

@@ -10,7 +10,7 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 type ServiceViaMemory struct {

client/internal/dns/unclean_shutdown_windows.go

@@ -5,8 +5,9 @@ import (
 )
 
 type ShutdownState struct {
-	Guid string
-	GPO  bool
+	Guid           string
+	GPO            bool
+	NRPTEntryCount int
 }
 
 func (s *ShutdownState) Name() string {
@@ -15,8 +16,9 @@ func (s *ShutdownState) Name() string {
 
 func (s *ShutdownState) Cleanup() error {
 	manager := &registryConfigurator{
-		guid: s.Guid,
-		gpo:  s.GPO,
+		guid:           s.Guid,
+		gpo:            s.GPO,
+		nrptEntryCount: s.NRPTEntryCount,
 	}
 
 	if err := manager.restoreUncleanShutdownDNS(); err != nil {

client/internal/dns/upstream.go

@@ -26,10 +26,18 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-const (
-	UpstreamTimeout = 15 * time.Second
+var currentMTU uint16 = iface.DefaultMTU
+
+func SetCurrentMTU(mtu uint16) {
+	currentMTU = mtu
+}
+
+const (
+	UpstreamTimeout = 4 * time.Second
+	// ClientTimeout is the timeout for the dns.Client.
+	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
+	ClientTimeout = 5 * time.Second
 
-	failsTillDeact   = int32(5)
 	reactivatePeriod = 30 * time.Second
 	probeTimeout     = 2 * time.Second
 )
@@ -52,9 +60,7 @@ type upstreamResolverBase struct {
 	upstreamServers  []netip.AddrPort
 	domain           string
 	disabled         bool
-	failsCount       atomic.Int32
 	successCount     atomic.Int32
-	failsTillDeact   int32
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration
@@ -73,14 +79,13 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d
 		domain:           domain,
 		upstreamTimeout:  UpstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
 		statusRecorder:   statusRecorder,
 	}
 }
 
 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("upstream %s", u.upstreamServers)
+	return fmt.Sprintf("Upstream %s", u.upstreamServers)
 }
 
 // ID returns the unique handler ID
@@ -110,58 +115,102 @@ func (u *upstreamResolverBase) Stop() {
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	requestID := GenerateRequestID()
 	logger := log.WithField("request_id", requestID)
-	var err error
-	defer func() {
-		u.checkUpstreamFails(err)
-	}()
 
 	logger.Tracef("received upstream question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+
+	u.prepareRequest(r)
+
+	if u.ctx.Err() != nil {
+		logger.Tracef("%s has been stopped", u)
+		return
+	}
+
+	if u.tryUpstreamServers(w, r, logger) {
+		return
+	}
+
+	u.writeErrorResponse(w, r, logger)
+}
+
+func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 	if r.Extra == nil {
 		r.MsgHdr.AuthenticatedData = true
 	}
+}
 
-	select {
-	case <-u.ctx.Done():
-		logger.Tracef("%s has been stopped", u)
-		return
-	default:
+func (u *upstreamResolverBase) tryUpstreamServers(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) bool {
+	timeout := u.upstreamTimeout
+	if len(u.upstreamServers) > 1 {
+		maxTotal := 5 * time.Second
+		minPerUpstream := 2 * time.Second
+		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
+		if scaledTimeout > minPerUpstream {
+			timeout = scaledTimeout
+		} else {
+			timeout = minPerUpstream
+		}
 	}
 
 	for _, upstream := range u.upstreamServers {
-		var rm *dns.Msg
-		var t time.Duration
-
-		func() {
-			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-			defer cancel()
-			rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
-		}()
-
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) || isTimeout(err) {
-				logger.Warnf("upstream %s timed out for question domain=%s", upstream, r.Question[0].Name)
-				continue
-			}
-			logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, r.Question[0].Name, err)
-			continue
+		if u.queryUpstream(w, r, upstream, timeout, logger) {
+			return true
 		}
+	}
+	return false
+}
 
-		if rm == nil || !rm.Response {
-			logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
-			continue
-		}
+func (u *upstreamResolverBase) queryUpstream(w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) bool {
+	var rm *dns.Msg
+	var t time.Duration
+	var err error
 
-		u.successCount.Add(1)
-		logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, r.Question[0].Name)
+	var startTime time.Time
+	func() {
+		ctx, cancel := context.WithTimeout(u.ctx, timeout)
+		defer cancel()
+		startTime = time.Now()
+		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
+	}()
 
-		if err = w.WriteMsg(rm); err != nil {
-			logger.Errorf("failed to write DNS response for question domain=%s: %s", r.Question[0].Name, err)
-		}
-		// count the fails only if they happen sequentially
-		u.failsCount.Store(0)
+	if err != nil {
+		u.handleUpstreamError(err, upstream, r.Question[0].Name, startTime, timeout, logger)
+		return false
+	}
+
+	if rm == nil || !rm.Response {
+		logger.Warnf("no response from upstream %s for question domain=%s", upstream, r.Question[0].Name)
+		return false
+	}
+
+	return u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, logger)
+}
+
+func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, domain string, startTime time.Time, timeout time.Duration, logger *log.Entry) {
+	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
+		logger.Warnf("failed to query upstream %s for question domain=%s: %s", upstream, domain, err)
 		return
 	}
-	u.failsCount.Add(1)
+
+	elapsed := time.Since(startTime)
+	timeoutMsg := fmt.Sprintf("upstream %s timed out for question domain=%s after %v (timeout=%v)", upstream, domain, elapsed.Truncate(time.Millisecond), timeout)
+	if peerInfo := u.debugUpstreamTimeout(upstream); peerInfo != "" {
+		timeoutMsg += " " + peerInfo
+	}
+	timeoutMsg += fmt.Sprintf(" - error: %v", err)
+	logger.Warnf(timeoutMsg)
+}
+
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, logger *log.Entry) bool {
+	u.successCount.Add(1)
+	logger.Tracef("took %s to query the upstream %s for question domain=%s", t, upstream, domain)
+
+	if err := w.WriteMsg(rm); err != nil {
+		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
+	}
+	return true
+}
+
+func (u *upstreamResolverBase) writeErrorResponse(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) {
 	logger.Errorf("all queries to the %s failed for question domain=%s", u, r.Question[0].Name)
 
 	m := new(dns.Msg)
@@ -171,41 +220,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }
 
-// checkUpstreamFails counts fails and disables or enables upstream resolving
-//
-// If fails count is greater that failsTillDeact, upstream resolving
-// will be disabled for reactivatePeriod, after that time period fails counter
-// will be reset and upstream will be reactivated.
-func (u *upstreamResolverBase) checkUpstreamFails(err error) {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
-
-	if u.failsCount.Load() < u.failsTillDeact || u.disabled {
-		return
-	}
-
-	select {
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
-	u.disable(err)
-
-	if u.statusRecorder == nil {
-		return
-	}
-
-	u.statusRecorder.PublishEvent(
-		proto.SystemEvent_WARNING,
-		proto.SystemEvent_DNS,
-		"All upstream servers failed (fail count exceeded)",
-		"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-		map[string]string{"upstreams": u.upstreamServersString()},
-		// TODO add domain meta
-	)
-}
-
 // ProbeAvailability tests all upstream servers simultaneously and
 // disables the resolver if none work
 func (u *upstreamResolverBase) ProbeAvailability() {
@@ -218,8 +232,8 @@ func (u *upstreamResolverBase) ProbeAvailability() {
 	default:
 	}
 
-	// avoid probe if upstreams could resolve at least one query and fails count is less than failsTillDeact
-	if u.successCount.Load() > 0 && u.failsCount.Load() < u.failsTillDeact {
+	// avoid probe if upstreams could resolve at least one query
+	if u.successCount.Load() > 0 {
 		return
 	}
 
@@ -306,7 +320,6 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 	}
 
 	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
-	u.failsCount.Store(0)
 	u.successCount.Add(1)
 	u.reactivate()
 	u.disabled = false
@@ -358,8 +371,8 @@ func (u *upstreamResolverBase) testNameserver(server netip.AddrPort, timeout tim
 // If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// MTU - ip + udp headers
-	// Note: this could be sent out on an interface that is not ours, but our MTU should always be lower.
-	client.UDPSize = iface.DefaultMTU - (60 + 8)
+	// Note: this could be sent out on an interface that is not ours, but higher MTU settings could break truncation handling.
+	client.UDPSize = uint16(currentMTU - (60 + 8))
 
 	var (
 		rm  *dns.Msg
@@ -410,3 +423,80 @@ func GenerateRequestID() string {
 	}
 	return hex.EncodeToString(bytes)
 }
+
+// FormatPeerStatus formats peer connection status information for debugging DNS timeouts
+func FormatPeerStatus(peerState *peer.State) string {
+	isConnected := peerState.ConnStatus == peer.StatusConnected
+	hasRecentHandshake := !peerState.LastWireguardHandshake.IsZero() &&
+		time.Since(peerState.LastWireguardHandshake) < 3*time.Minute
+
+	statusInfo := fmt.Sprintf("%s:%s", peerState.FQDN, peerState.IP)
+
+	switch {
+	case !isConnected:
+		statusInfo += " DISCONNECTED"
+	case !hasRecentHandshake:
+		statusInfo += " NO_RECENT_HANDSHAKE"
+	default:
+		statusInfo += " connected"
+	}
+
+	if !peerState.LastWireguardHandshake.IsZero() {
+		timeSinceHandshake := time.Since(peerState.LastWireguardHandshake)
+		statusInfo += fmt.Sprintf(" last_handshake=%v_ago", timeSinceHandshake.Truncate(time.Second))
+	} else {
+		statusInfo += " no_handshake"
+	}
+
+	if peerState.Relayed {
+		statusInfo += " via_relay"
+	}
+
+	if peerState.Latency > 0 {
+		statusInfo += fmt.Sprintf(" latency=%v", peerState.Latency)
+	}
+
+	return statusInfo
+}
+
+// findPeerForIP finds which peer handles the given IP address
+func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
+	if statusRecorder == nil {
+		return nil
+	}
+
+	fullStatus := statusRecorder.GetFullStatus()
+	var bestMatch *peer.State
+	var bestPrefixLen int
+
+	for _, peerState := range fullStatus.Peers {
+		routes := peerState.GetRoutes()
+		for route := range routes {
+			prefix, err := netip.ParsePrefix(route)
+			if err != nil {
+				continue
+			}
+
+			if prefix.Contains(ip) && prefix.Bits() > bestPrefixLen {
+				peerStateCopy := peerState
+				bestMatch = &peerStateCopy
+				bestPrefixLen = prefix.Bits()
+			}
+		}
+	}
+
+	return bestMatch
+}
+
+func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
+	if u.statusRecorder == nil {
+		return ""
+	}
+
+	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+	if peerInfo == nil {
+		return ""
+	}
+
+	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+}

client/internal/dns/upstream_android.go

@@ -10,7 +10,7 @@ import (
 	"github.com/miekg/dns"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
-	nbnet "github.com/netbirdio/netbird/util/net"
+	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
 type upstreamResolver struct {
@@ -50,7 +50,9 @@ func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns
 }
 
 func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{}
+	upstreamExchangeClient := &dns.Client{
+		Timeout: ClientTimeout,
+	}
 	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
 
@@ -72,10 +74,11 @@ func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream stri
 	}
 
 	upstreamExchangeClient := &dns.Client{
-		Dialer: dialer,
+		Dialer:  dialer,
+		Timeout: timeout,
 	}
 
-	return upstreamExchangeClient.Exchange(r, upstream)
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
 
 func (u *upstreamResolver) isLocalResolver(upstream string) bool {

client/internal/dns/upstream_general.go

@@ -34,7 +34,10 @@ func newUpstreamResolver(
 }
 
 func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	return ExchangeWithFallback(ctx, &dns.Client{}, r, upstream)
+	client := &dns.Client{
+		Timeout: ClientTimeout,
+	}
+	return ExchangeWithFallback(ctx, client, r, upstream)
 }
 
 func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Duration) (*dns.Client, error) {

client/internal/dns/upstream_ios.go

@@ -47,7 +47,9 @@ func newUpstreamResolver(
 }
 
 func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	client := &dns.Client{}
+	client := &dns.Client{
+		Timeout: ClientTimeout,
+	}
 	upstreamHost, _, err := net.SplitHostPort(upstream)
 	if err != nil {
 		return nil, 0, fmt.Errorf("error while parsing upstream host: %s", err)
@@ -110,7 +112,8 @@ func GetClientPrivate(ip netip.Addr, interfaceName string, dialTimeout time.Dura
 		},
 	}
 	client := &dns.Client{
-		Dialer: dialer,
+		Dialer:  dialer,
+		Timeout: dialTimeout,
 	}
 	return client, nil
 }

client/internal/dns/upstream_test.go

@@ -124,29 +124,26 @@ func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg)
 }
 
 func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
+	mockClient := &mockUpstreamResolver{
+		err: dns.ErrTime,
+		r:   new(dns.Msg),
+		rtt: time.Millisecond,
+	}
+
 	resolver := &upstreamResolverBase{
-		ctx: context.TODO(),
-		upstreamClient: &mockUpstreamResolver{
-			err: nil,
-			r:   new(dns.Msg),
-			rtt: time.Millisecond,
-		},
+		ctx:              context.TODO(),
+		upstreamClient:   mockClient,
 		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
+		reactivatePeriod: time.Microsecond * 100,
 	}
 	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
 	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
-	resolver.failsTillDeact = 0
-	resolver.reactivatePeriod = time.Microsecond * 100
-
-	responseWriter := &test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error { return nil },
-	}
 
 	failed := false
 	resolver.deactivate = func(error) {
 		failed = true
+		// After deactivation, make the mock client work again
+		mockClient.err = nil
 	}
 
 	reactivated := false
@@ -154,7 +151,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		reactivated = true
 	}
 
-	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA))
+	resolver.ProbeAvailability()
 
 	if !failed {
 		t.Errorf("expected that resolving was deactivated")
@@ -173,11 +170,6 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		return
 	}
 
-	if resolver.failsCount.Load() != 0 {
-		t.Errorf("fails count after reactivation should be 0")
-		return
-	}
-
 	if resolver.disabled {
 		t.Errorf("should be enabled")
 	}