Harden race fan-out and fix lint

[client] Drop DNS probes for passive health projection
[client] Add TTL-based refresh to mgmt DNS cache via handler chain (#5945 )
2026-04-24 10:22:35 -04:00 · 2026-04-23 18:20:55 +02:00 · 2026-04-23 13:34:23 +02:00 · 2026-04-22 15:10:14 +02:00 · 2026-04-22 10:35:22 +02:00 · 2026-04-21 23:06:52 +03:00
54 changed files with 4671 additions and 1034 deletions
--- a/client/firewall/firewalld/firewalld.go
+++ b/client/firewall/firewalld/firewalld.go
@@ -0,0 +1,11 @@
+// Package firewalld integrates with the firewalld daemon so NetBird can place
+// its wg interface into firewalld's "trusted" zone. This is required because
+// firewalld's nftables chains are created with NFT_CHAIN_OWNER on recent
+// versions, which returns EPERM to any other process that tries to insert
+// rules into them. The workaround mirrors what Tailscale does: let firewalld
+// itself add the accept rules to its own chains by trusting the interface.
+package firewalld
+
+// TrustedZone is the firewalld zone name used for interfaces whose traffic
+// should bypass firewalld filtering.
+const TrustedZone = "trusted"
--- a/client/firewall/firewalld/firewalld_linux.go
+++ b/client/firewall/firewalld/firewalld_linux.go
@@ -0,0 +1,260 @@
+//go:build linux
+
+package firewalld
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/godbus/dbus/v5"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	dbusDest      = "org.fedoraproject.FirewallD1"
+	dbusPath      = "/org/fedoraproject/FirewallD1"
+	dbusRootIface = "org.fedoraproject.FirewallD1"
+	dbusZoneIface = "org.fedoraproject.FirewallD1.zone"
+
+	errZoneAlreadySet = "ZONE_ALREADY_SET"
+	errAlreadyEnabled = "ALREADY_ENABLED"
+	errUnknownIface   = "UNKNOWN_INTERFACE"
+	errNotEnabled     = "NOT_ENABLED"
+
+	// callTimeout bounds each individual DBus or firewall-cmd invocation.
+	// A fresh context is created for each call so a slow DBus probe can't
+	// exhaust the deadline before the firewall-cmd fallback gets to run.
+	callTimeout = 3 * time.Second
+)
+
+var (
+	errDBusUnavailable = errors.New("firewalld dbus unavailable")
+
+	// trustLogOnce ensures the "added to trusted zone" message is logged at
+	// Info level only for the first successful add per process; repeat adds
+	// from other init paths are quieter.
+	trustLogOnce sync.Once
+
+	parentCtxMu sync.RWMutex
+	parentCtx   context.Context = context.Background()
+)
+
+// SetParentContext installs a parent context whose cancellation aborts any
+// in-flight TrustInterface call. It does not affect UntrustInterface, which
+// always uses a fresh Background-rooted timeout so cleanup can still run
+// during engine shutdown when the engine context is already cancelled.
+func SetParentContext(ctx context.Context) {
+	parentCtxMu.Lock()
+	parentCtx = ctx
+	parentCtxMu.Unlock()
+}
+
+func getParentContext() context.Context {
+	parentCtxMu.RLock()
+	defer parentCtxMu.RUnlock()
+	return parentCtx
+}
+
+// TrustInterface places iface into firewalld's trusted zone if firewalld is
+// running. It is idempotent and best-effort: errors are returned so callers
+// can log, but a non-running firewalld is not an error. Only the first
+// successful call per process logs at Info. Respects the parent context set
+// via SetParentContext so startup-time cancellation unblocks it.
+func TrustInterface(iface string) error {
+	parent := getParentContext()
+	if !isRunning(parent) {
+		return nil
+	}
+	if err := addTrusted(parent, iface); err != nil {
+		return fmt.Errorf("add %s to firewalld trusted zone: %w", iface, err)
+	}
+	trustLogOnce.Do(func() {
+		log.Infof("added %s to firewalld trusted zone", iface)
+	})
+	log.Debugf("firewalld: ensured %s is in trusted zone", iface)
+	return nil
+}
+
+// UntrustInterface removes iface from firewalld's trusted zone if firewalld
+// is running. Idempotent. Uses a Background-rooted timeout so it still runs
+// during shutdown after the engine context has been cancelled.
+func UntrustInterface(iface string) error {
+	if !isRunning(context.Background()) {
+		return nil
+	}
+	if err := removeTrusted(context.Background(), iface); err != nil {
+		return fmt.Errorf("remove %s from firewalld trusted zone: %w", iface, err)
+	}
+	return nil
+}
+
+func newCallContext(parent context.Context) (context.Context, context.CancelFunc) {
+	return context.WithTimeout(parent, callTimeout)
+}
+
+func isRunning(parent context.Context) bool {
+	ctx, cancel := newCallContext(parent)
+	ok, err := isRunningDBus(ctx)
+	cancel()
+	if err == nil {
+		return ok
+	}
+	if errors.Is(err, errDBusUnavailable) || errors.Is(err, context.DeadlineExceeded) {
+		ctx, cancel = newCallContext(parent)
+		defer cancel()
+		return isRunningCLI(ctx)
+	}
+	return false
+}
+
+func addTrusted(parent context.Context, iface string) error {
+	ctx, cancel := newCallContext(parent)
+	err := addDBus(ctx, iface)
+	cancel()
+	if err == nil {
+		return nil
+	}
+	if !errors.Is(err, errDBusUnavailable) {
+		log.Debugf("firewalld: dbus add failed, falling back to firewall-cmd: %v", err)
+	}
+	ctx, cancel = newCallContext(parent)
+	defer cancel()
+	return addCLI(ctx, iface)
+}
+
+func removeTrusted(parent context.Context, iface string) error {
+	ctx, cancel := newCallContext(parent)
+	err := removeDBus(ctx, iface)
+	cancel()
+	if err == nil {
+		return nil
+	}
+	if !errors.Is(err, errDBusUnavailable) {
+		log.Debugf("firewalld: dbus remove failed, falling back to firewall-cmd: %v", err)
+	}
+	ctx, cancel = newCallContext(parent)
+	defer cancel()
+	return removeCLI(ctx, iface)
+}
+
+func isRunningDBus(ctx context.Context) (bool, error) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false, fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	var zone string
+	if err := obj.CallWithContext(ctx, dbusRootIface+".getDefaultZone", 0).Store(&zone); err != nil {
+		return false, fmt.Errorf("firewalld getDefaultZone: %w", err)
+	}
+	return true, nil
+}
+
+func isRunningCLI(ctx context.Context) bool {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return false
+	}
+	return exec.CommandContext(ctx, "firewall-cmd", "--state").Run() == nil
+}
+
+func addDBus(ctx context.Context, iface string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	call := obj.CallWithContext(ctx, dbusZoneIface+".addInterface", 0, TrustedZone, iface)
+	if call.Err == nil {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errAlreadyEnabled) {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errZoneAlreadySet) {
+		move := obj.CallWithContext(ctx, dbusZoneIface+".changeZoneOfInterface", 0, TrustedZone, iface)
+		if move.Err != nil {
+			return fmt.Errorf("firewalld changeZoneOfInterface: %w", move.Err)
+		}
+		return nil
+	}
+
+	return fmt.Errorf("firewalld addInterface: %w", call.Err)
+}
+
+func removeDBus(ctx context.Context, iface string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
+	}
+	obj := conn.Object(dbusDest, dbusPath)
+
+	call := obj.CallWithContext(ctx, dbusZoneIface+".removeInterface", 0, TrustedZone, iface)
+	if call.Err == nil {
+		return nil
+	}
+
+	if dbusErrContains(call.Err, errUnknownIface) || dbusErrContains(call.Err, errNotEnabled) {
+		return nil
+	}
+
+	return fmt.Errorf("firewalld removeInterface: %w", call.Err)
+}
+
+func addCLI(ctx context.Context, iface string) error {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return fmt.Errorf("firewall-cmd not available: %w", err)
+	}
+
+	// --change-interface (no --permanent) binds the interface for the
+	// current runtime only; we do not want membership to persist across
+	// reboots because netbird re-asserts it on every startup.
+	out, err := exec.CommandContext(ctx,
+		"firewall-cmd", "--zone="+TrustedZone, "--change-interface="+iface,
+	).CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("firewall-cmd change-interface: %w: %s", err, strings.TrimSpace(string(out)))
+	}
+	return nil
+}
+
+func removeCLI(ctx context.Context, iface string) error {
+	if _, err := exec.LookPath("firewall-cmd"); err != nil {
+		return fmt.Errorf("firewall-cmd not available: %w", err)
+	}
+
+	out, err := exec.CommandContext(ctx,
+		"firewall-cmd", "--zone="+TrustedZone, "--remove-interface="+iface,
+	).CombinedOutput()
+	if err != nil {
+		msg := strings.TrimSpace(string(out))
+		if strings.Contains(msg, errUnknownIface) || strings.Contains(msg, errNotEnabled) {
+			return nil
+		}
+		return fmt.Errorf("firewall-cmd remove-interface: %w: %s", err, msg)
+	}
+	return nil
+}
+
+func dbusErrContains(err error, code string) bool {
+	if err == nil {
+		return false
+	}
+	var de dbus.Error
+	if errors.As(err, &de) {
+		for _, b := range de.Body {
+			if s, ok := b.(string); ok && strings.Contains(s, code) {
+				return true
+			}
+		}
+	}
+	return strings.Contains(err.Error(), code)
+}
--- a/client/firewall/firewalld/firewalld_linux_test.go
+++ b/client/firewall/firewalld/firewalld_linux_test.go
@@ -0,0 +1,49 @@
+//go:build linux
+
+package firewalld
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/godbus/dbus/v5"
+)
+
+func TestDBusErrContains(t *testing.T) {
+	tests := []struct {
+		name string
+		err  error
+		code string
+		want bool
+	}{
+		{"nil error", nil, errZoneAlreadySet, false},
+		{"plain error match", errors.New("ZONE_ALREADY_SET: wt0"), errZoneAlreadySet, true},
+		{"plain error miss", errors.New("something else"), errZoneAlreadySet, false},
+		{
+			"dbus.Error body match",
+			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"ZONE_ALREADY_SET: wt0"}},
+			errZoneAlreadySet,
+			true,
+		},
+		{
+			"dbus.Error body miss",
+			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"INVALID_INTERFACE"}},
+			errAlreadyEnabled,
+			false,
+		},
+		{
+			"dbus.Error non-string body falls back to Error()",
+			dbus.Error{Name: "x", Body: []any{123}},
+			"x",
+			true,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := dbusErrContains(tc.err, tc.code)
+			if got != tc.want {
+				t.Fatalf("dbusErrContains(%v, %q) = %v; want %v", tc.err, tc.code, got, tc.want)
+			}
+		})
+	}
+}
--- a/client/firewall/firewalld/firewalld_other.go
+++ b/client/firewall/firewalld/firewalld_other.go
@@ -0,0 +1,25 @@
+//go:build !linux
+
+package firewalld
+
+import "context"
+
+// SetParentContext is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func SetParentContext(context.Context) {
+	// intentionally empty: firewalld is a Linux-only daemon
+}
+
+// TrustInterface is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func TrustInterface(string) error {
+	// intentionally empty: firewalld is a Linux-only daemon
+	return nil
+}
+
+// UntrustInterface is a no-op on non-Linux platforms because firewalld only
+// runs on Linux.
+func UntrustInterface(string) error {
+	// intentionally empty: firewalld is a Linux-only daemon
+	return nil
+}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -86,6 +87,12 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}

+	// Trust after all fatal init steps so a later failure doesn't leave the
+	// interface in firewalld's trusted zone without a corresponding Close.
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -191,6 +198,12 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("reset router: %w", err))
 	}

+	// Appending to merr intentionally blocks DeleteState below so ShutdownState
+	// stays persisted and the crash-recovery path retries firewalld cleanup.
+	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
 	// attempt to delete state only if all other operations succeeded
 	if merr == nil {
 		if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
@@ -217,6 +230,11 @@ func (m *Manager) AllowNetbird() error {
 	if err != nil {
 		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
+
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	return nil
 }

--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -14,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -217,6 +218,10 @@ func (m *Manager) AllowNetbird() error {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}

+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	return nil
 }

--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -19,6 +19,7 @@ import (
 	"golang.org/x/sys/unix"

 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
@@ -40,6 +41,8 @@ const (
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"

+	firewalldTableName = "firewalld"
+
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
 	userDataAcceptInputRule      = "inputaccept"
@@ -133,6 +136,10 @@ func (r *router) Reset() error {
 		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}

+	if err := firewalld.UntrustInterface(r.wgIface.Name()); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
 	if err := r.removeNatPreroutingRules(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove filter prerouting rules: %w", err))
 	}
@@ -280,6 +287,10 @@ func (r *router) createContainers() error {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}

+	if err := firewalld.TrustInterface(r.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		log.Errorf("failed to refresh rules: %s", err)
 	}
@@ -1319,6 +1330,13 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}

+	// Skip firewalld-owned chains. Firewalld creates its chains with the
+	// NFT_CHAIN_OWNER flag, so inserting rules into them returns EPERM.
+	// We delegate acceptance to firewalld by trusting the interface instead.
+	if chain.Table.Name == firewalldTableName {
+		return false
+	}
+
 	// Skip all iptables-managed tables in the ip family
 	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
 		return false
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,6 +3,9 @@
 package uspfilter

 import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -16,6 +19,9 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
 	}
+	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to untrust interface in firewalld: %v", err)
+	}
 	return nil
 }

@@ -24,5 +30,8 @@ func (m *Manager) AllowNetbird() error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.AllowNetbird()
 	}
+	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
 	return nil
 }
--- a/client/firewall/uspfilter/common/iface.go
+++ b/client/firewall/uspfilter/common/iface.go
@@ -9,6 +9,7 @@ import (

 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
+	Name() string
 	SetFilter(device.PacketFilter) error
 	Address() wgaddr.Address
 	GetWGDevice() *wgdevice.Device
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -31,12 +31,20 @@ var logger = log.NewFromLogrus(logrus.StandardLogger())
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()

 type IFaceMock struct {
+	NameFunc        func() string
 	SetFilterFunc   func(device.PacketFilter) error
 	AddressFunc     func() wgaddr.Address
 	GetWGDeviceFunc func() *wgdevice.Device
 	GetDeviceFunc   func() *device.FilteredDevice
 }

+func (i *IFaceMock) Name() string {
+	if i.NameFunc == nil {
+		return "wgtest"
+	}
+	return i.NameFunc()
+}
+
 func (i *IFaceMock) GetWGDevice() *wgdevice.Device {
 	if i.GetWGDeviceFunc == nil {
 		return nil
--- a/client/iface/bind/ice_bind_test.go
+++ b/client/iface/bind/ice_bind_test.go
@@ -239,8 +239,12 @@ func TestICEBind_HandlesConcurrentMixedTraffic(t *testing.T) {
 		ipv6Count++
 	}

-	assert.Equal(t, packetsPerFamily, ipv4Count)
-	assert.Equal(t, packetsPerFamily, ipv6Count)
+	// Allow some UDP packet loss under load (e.g. FreeBSD/QEMU runners). The
+	// routing-correctness checks above are the real assertions; the counts
+	// are a sanity bound to catch a totally silent path.
+	minDelivered := packetsPerFamily * 80 / 100
+	assert.GreaterOrEqual(t, ipv4Count, minDelivered, "IPv4 delivery below threshold")
+	assert.GreaterOrEqual(t, ipv6Count, minDelivered, "IPv6 delivery below threshold")
 }

 func TestICEBind_DetectsAddressFamilyFromConnection(t *testing.T) {
--- a/client/internal/debug/upload_test.go
+++ b/client/internal/debug/upload_test.go
@@ -3,10 +3,12 @@ package debug
 import (
 	"context"
 	"errors"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
+	"time"

 	"github.com/stretchr/testify/require"

@@ -19,8 +21,10 @@ func TestUpload(t *testing.T) {
 		t.Skip("Skipping upload test on docker ci")
 	}
 	testDir := t.TempDir()
-	testURL := "http://localhost:8080"
+	addr := reserveLoopbackPort(t)
+	testURL := "http://" + addr
 	t.Setenv("SERVER_URL", testURL)
+	t.Setenv("SERVER_ADDRESS", addr)
 	t.Setenv("STORE_DIR", testDir)
 	srv := server.NewServer()
 	go func() {
@@ -33,6 +37,7 @@ func TestUpload(t *testing.T) {
 			t.Errorf("Failed to stop server: %v", err)
 		}
 	})
+	waitForServer(t, addr)

 	file := filepath.Join(t.TempDir(), "tmpfile")
 	fileContent := []byte("test file content")
@@ -47,3 +52,30 @@ func TestUpload(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, fileContent, createdFileContent)
 }
+
+// reserveLoopbackPort binds an ephemeral port on loopback to learn a free
+// address, then releases it so the server under test can rebind. The close/
+// rebind window is racy in theory; on loopback with a kernel-assigned port
+// it's essentially never contended in practice.
+func reserveLoopbackPort(t *testing.T) string {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	addr := l.Addr().String()
+	require.NoError(t, l.Close())
+	return addr
+}
+
+func waitForServer(t *testing.T, addr string) {
+	t.Helper()
+	deadline := time.Now().Add(5 * time.Second)
+	for time.Now().Before(deadline) {
+		c, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
+		if err == nil {
+			_ = c.Close()
+			return
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	t.Fatalf("server did not start listening on %s in time", addr)
+}
--- a/client/internal/dns/file_parser_unix.go
+++ b/client/internal/dns/file_parser_unix.go
@@ -13,6 +13,7 @@ import (

 const (
 	defaultResolvConfPath = "/etc/resolv.conf"
+	nsswitchConfPath      = "/etc/nsswitch.conf"
 )

 type resolvConf struct {
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -1,7 +1,10 @@
 package dns

 import (
+	"context"
 	"fmt"
+	"math"
+	"net"
 	"slices"
 	"strconv"
 	"strings"
@@ -192,6 +195,12 @@ func (c *HandlerChain) logHandlers() {
 }

 func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	c.dispatch(w, r, math.MaxInt)
+}
+
+// dispatch routes a DNS request through the chain, skipping handlers with
+// priority > maxPriority. Shared by ServeDNS and ResolveInternal.
+func (c *HandlerChain) dispatch(w dns.ResponseWriter, r *dns.Msg, maxPriority int) {
 	if len(r.Question) == 0 {
 		return
 	}
@@ -216,6 +225,9 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {

 	// Try handlers in priority order
 	for _, entry := range handlers {
+		if entry.Priority > maxPriority {
+			continue
+		}
 		if !c.isHandlerMatch(qname, entry) {
 			continue
 		}
@@ -273,6 +285,55 @@ func (c *HandlerChain) logResponse(logger *log.Entry, cw *ResponseWriterChain, q
 		cw.response.Len(), meta, time.Since(startTime))
 }

+// ResolveInternal runs an in-process DNS query against the chain, skipping any
+// handler with priority > maxPriority. Used by internal callers (e.g. the mgmt
+// cache refresher) that must bypass themselves to avoid loops. Honors ctx
+// cancellation; on ctx.Done the dispatch goroutine is left to drain on its own
+// (bounded by the invoked handler's internal timeout).
+func (c *HandlerChain) ResolveInternal(ctx context.Context, r *dns.Msg, maxPriority int) (*dns.Msg, error) {
+	if len(r.Question) == 0 {
+		return nil, fmt.Errorf("empty question")
+	}
+
+	base := &internalResponseWriter{}
+	done := make(chan struct{})
+	go func() {
+		c.dispatch(base, r, maxPriority)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+	case <-ctx.Done():
+		// Prefer a completed response if dispatch finished concurrently with cancellation.
+		select {
+		case <-done:
+		default:
+			return nil, fmt.Errorf("resolve %s: %w", strings.ToLower(r.Question[0].Name), ctx.Err())
+		}
+	}
+
+	if base.response == nil || base.response.Rcode == dns.RcodeRefused {
+		return nil, fmt.Errorf("no handler resolved %s at priority ≤ %d",
+			strings.ToLower(r.Question[0].Name), maxPriority)
+	}
+	return base.response, nil
+}
+
+// HasRootHandlerAtOrBelow reports whether any "." handler is registered at
+// priority ≤ maxPriority.
+func (c *HandlerChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	for _, h := range c.handlers {
+		if h.Pattern == "." && h.Priority <= maxPriority {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	switch {
 	case entry.Pattern == ".":
@@ -291,3 +352,36 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 		}
 	}
 }
+
+// internalResponseWriter captures a dns.Msg for in-process chain queries.
+type internalResponseWriter struct {
+	response *dns.Msg
+}
+
+func (w *internalResponseWriter) WriteMsg(m *dns.Msg) error { w.response = m; return nil }
+func (w *internalResponseWriter) LocalAddr() net.Addr       { return nil }
+func (w *internalResponseWriter) RemoteAddr() net.Addr      { return nil }
+
+// Write unpacks raw DNS bytes so handlers that call Write instead of WriteMsg
+// still surface their answer to ResolveInternal.
+func (w *internalResponseWriter) Write(p []byte) (int, error) {
+	msg := new(dns.Msg)
+	if err := msg.Unpack(p); err != nil {
+		return 0, err
+	}
+	w.response = msg
+	return len(p), nil
+}
+
+func (w *internalResponseWriter) Close() error      { return nil }
+func (w *internalResponseWriter) TsigStatus() error { return nil }
+
+// TsigTimersOnly is part of dns.ResponseWriter.
+func (w *internalResponseWriter) TsigTimersOnly(bool) {
+	// no-op: in-process queries carry no TSIG state.
+}
+
+// Hijack is part of dns.ResponseWriter.
+func (w *internalResponseWriter) Hijack() {
+	// no-op: in-process queries have no underlying connection to hand off.
+}
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -1,11 +1,15 @@
 package dns_test

 import (
+	"context"
+	"net"
 	"testing"
+	"time"

 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"

 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
@@ -1042,3 +1046,163 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 		})
 	}
 }
+
+// answeringHandler writes a fixed A record to ack the query. Used to verify
+// which handler ResolveInternal dispatches to.
+type answeringHandler struct {
+	name string
+	ip   string
+}
+
+func (h *answeringHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Answer = []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+		A:   net.ParseIP(h.ip).To4(),
+	}}
+	_ = w.WriteMsg(resp)
+}
+
+func (h *answeringHandler) String() string { return h.name }
+
+func TestHandlerChain_ResolveInternal_SkipsAboveMaxPriority(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+
+	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
+	low := &answeringHandler{name: "low", ip: "10.0.0.2"}
+
+	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
+	chain.AddHandler("example.com.", low, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp)
+	assert.Equal(t, 1, len(resp.Answer))
+	a, ok := resp.Answer[0].(*dns.A)
+	assert.True(t, ok)
+	assert.Equal(t, "10.0.0.2", a.A.String(), "should skip mgmtCache handler and resolve via upstream")
+}
+
+func TestHandlerChain_ResolveInternal_ErrorWhenNoMatch(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
+	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	_, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.Error(t, err, "no handler at or below maxPriority should error")
+}
+
+// rawWriteHandler packs a response and calls ResponseWriter.Write directly
+// (instead of WriteMsg), exercising the internalResponseWriter.Write path.
+type rawWriteHandler struct {
+	ip string
+}
+
+func (h *rawWriteHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	resp.Answer = []dns.RR{&dns.A{
+		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+		A:   net.ParseIP(h.ip).To4(),
+	}}
+	packed, err := resp.Pack()
+	if err != nil {
+		return
+	}
+	_, _ = w.Write(packed)
+}
+
+func TestHandlerChain_ResolveInternal_CapturesRawWrite(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	chain.AddHandler("example.com.", &rawWriteHandler{ip: "10.0.0.3"}, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
+	assert.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Len(t, resp.Answer, 1)
+	a, ok := resp.Answer[0].(*dns.A)
+	require.True(t, ok)
+	assert.Equal(t, "10.0.0.3", a.A.String(), "handlers calling Write(packed) must still surface their answer")
+}
+
+func TestHandlerChain_ResolveInternal_EmptyQuestion(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	_, err := chain.ResolveInternal(context.Background(), new(dns.Msg), nbdns.PriorityUpstream)
+	assert.Error(t, err)
+}
+
+// hangingHandler blocks indefinitely until closed, simulating a wedged upstream.
+type hangingHandler struct {
+	block chan struct{}
+}
+
+func (h *hangingHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	<-h.block
+	resp := &dns.Msg{}
+	resp.SetReply(r)
+	_ = w.WriteMsg(resp)
+}
+
+func (h *hangingHandler) String() string { return "hangingHandler" }
+
+func TestHandlerChain_ResolveInternal_HonorsContextTimeout(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	h := &hangingHandler{block: make(chan struct{})}
+	defer close(h.block)
+
+	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
+
+	r := new(dns.Msg)
+	r.SetQuestion("example.com.", dns.TypeA)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	start := time.Now()
+	_, err := chain.ResolveInternal(ctx, r, nbdns.PriorityUpstream)
+	elapsed := time.Since(start)
+
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, context.DeadlineExceeded)
+	assert.Less(t, elapsed, 500*time.Millisecond, "ResolveInternal must return shortly after ctx deadline")
+}
+
+func TestHandlerChain_HasRootHandlerAtOrBelow(t *testing.T) {
+	chain := nbdns.NewHandlerChain()
+	h := &answeringHandler{name: "h", ip: "10.0.0.1"}
+
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "empty chain")
+
+	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "non-root handler does not count")
+
+	chain.AddHandler(".", h, nbdns.PriorityMgmtCache)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler above threshold excluded")
+
+	chain.AddHandler(".", h, nbdns.PriorityDefault)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler at PriorityDefault included")
+
+	chain.RemoveHandler(".", nbdns.PriorityDefault)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
+
+	// Primary nsgroup case: root handler lands at PriorityUpstream.
+	chain.AddHandler(".", h, nbdns.PriorityUpstream)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityUpstream included")
+	chain.RemoveHandler(".", nbdns.PriorityUpstream)
+
+	// Fallback case: original /etc/resolv.conf entries land at PriorityFallback.
+	chain.AddHandler(".", h, nbdns.PriorityFallback)
+	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityFallback included")
+	chain.RemoveHandler(".", nbdns.PriorityFallback)
+	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
+}
--- a/client/internal/dns/host_unix.go
+++ b/client/internal/dns/host_unix.go
@@ -46,12 +46,12 @@ type restoreHostManager interface {
 }

 func newHostManager(wgInterface string) (hostManager, error) {
-	osManager, err := getOSDNSManagerType()
+	osManager, reason, err := getOSDNSManagerType()
 	if err != nil {
 		return nil, fmt.Errorf("get os dns manager type: %w", err)
 	}

-	log.Infof("System DNS manager discovered: %s", osManager)
+	log.Infof("System DNS manager discovered: %s (%s)", osManager, reason)
 	mgr, err := newHostManagerFromType(wgInterface, osManager)
 	// need to explicitly return nil mgr on error to avoid returning a non-nil interface containing a nil value
 	if err != nil {
@@ -74,17 +74,49 @@ func newHostManagerFromType(wgInterface string, osManager osManagerType) (restor
 	}
 }

-func getOSDNSManagerType() (osManagerType, error) {
+func getOSDNSManagerType() (osManagerType, string, error) {
+	resolved := isSystemdResolvedRunning()
+	nss := isLibnssResolveUsed()
+	stub := checkStub()
+
+	// Prefer systemd-resolved whenever it owns libc resolution, regardless of
+	// who wrote /etc/resolv.conf. File-mode rewrites do not affect lookups
+	// that go through nss-resolve, and in foreign mode they can loop back
+	// through resolved as an upstream.
+	if resolved && (nss || stub) {
+		return systemdManager, fmt.Sprintf("systemd-resolved active (nss-resolve=%t, stub=%t)", nss, stub), nil
+	}
+
+	mgr, reason, rejected, err := scanResolvConfHeader()
+	if err != nil {
+		return 0, "", err
+	}
+	if reason != "" {
+		return mgr, reason, nil
+	}
+
+	fallback := fmt.Sprintf("no manager matched (resolved=%t, nss-resolve=%t, stub=%t)", resolved, nss, stub)
+	if len(rejected) > 0 {
+		fallback += "; rejected: " + strings.Join(rejected, ", ")
+	}
+	return fileManager, fallback, nil
+}
+
+// scanResolvConfHeader walks /etc/resolv.conf header comments and returns the
+// matching manager. If reason is empty the caller should pick file mode and
+// use rejected for diagnostics.
+func scanResolvConfHeader() (osManagerType, string, []string, error) {
 	file, err := os.Open(defaultResolvConfPath)
 	if err != nil {
-		return 0, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
+		return 0, "", nil, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
 	}
 	defer func() {
-		if err := file.Close(); err != nil {
-			log.Errorf("close file %s: %s", defaultResolvConfPath, err)
+		if cerr := file.Close(); cerr != nil {
+			log.Errorf("close file %s: %s", defaultResolvConfPath, cerr)
 		}
 	}()

+	var rejected []string
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		text := scanner.Text()
@@ -92,41 +124,48 @@ func getOSDNSManagerType() (osManagerType, error) {
 			continue
 		}
 		if text[0] != '#' {
-			return fileManager, nil
+			break
 		}
-		if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
-			return netbirdManager, nil
-		}
-		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
-			return networkManager, nil
-		}
-		if strings.Contains(text, "systemd-resolved") && isSystemdResolvedRunning() {
-			if checkStub() {
-				return systemdManager, nil
-			} else {
-				return fileManager, nil
-			}
-		}
-		if strings.Contains(text, "resolvconf") {
-			if isSystemdResolveConfMode() {
-				return systemdManager, nil
-			}
-
-			return resolvConfManager, nil
+		if mgr, reason, rej := matchResolvConfHeader(text); reason != "" {
+			return mgr, reason, nil, nil
+		} else if rej != "" {
+			rejected = append(rejected, rej)
 		}
 	}
 	if err := scanner.Err(); err != nil && err != io.EOF {
-		return 0, fmt.Errorf("scan: %w", err)
+		return 0, "", nil, fmt.Errorf("scan: %w", err)
 	}
-
-	return fileManager, nil
+	return 0, "", rejected, nil
 }

-// checkStub checks if the stub resolver is disabled in systemd-resolved. If it is disabled, we fall back to file manager.
+// matchResolvConfHeader inspects a single comment line. Returns either a
+// definitive (manager, reason) or a non-empty rejected diagnostic.
+func matchResolvConfHeader(text string) (osManagerType, string, string) {
+	if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
+		return netbirdManager, "netbird-managed resolv.conf header detected", ""
+	}
+	if strings.Contains(text, "NetworkManager") {
+		if isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
+			return networkManager, "NetworkManager header + supported version on dbus", ""
+		}
+		return 0, "", "NetworkManager header (no dbus or unsupported version)"
+	}
+	if strings.Contains(text, "resolvconf") {
+		if isSystemdResolveConfMode() {
+			return systemdManager, "resolvconf header in systemd-resolved compatibility mode", ""
+		}
+		return resolvConfManager, "resolvconf header detected", ""
+	}
+	return 0, "", ""
+}
+
+// checkStub reports whether systemd-resolved's stub (127.0.0.53) is listed
+// in /etc/resolv.conf. On parse failure we assume it is, to avoid dropping
+// into file mode while resolved is active.
 func checkStub() bool {
 	rConf, err := parseDefaultResolvConf()
 	if err != nil {
-		log.Warnf("failed to parse resolv conf: %s", err)
+		log.Warnf("failed to parse resolv conf, assuming stub is active: %s", err)
 		return true
 	}

@@ -139,3 +178,36 @@ func checkStub() bool {

 	return false
 }
+
+// isLibnssResolveUsed reports whether nss-resolve is listed before dns on
+// the hosts: line of /etc/nsswitch.conf. When it is, libc lookups are
+// delegated to systemd-resolved regardless of /etc/resolv.conf.
+func isLibnssResolveUsed() bool {
+	bs, err := os.ReadFile(nsswitchConfPath)
+	if err != nil {
+		log.Debugf("read %s: %v", nsswitchConfPath, err)
+		return false
+	}
+	return parseNsswitchResolveAhead(bs)
+}
+
+func parseNsswitchResolveAhead(data []byte) bool {
+	for _, line := range strings.Split(string(data), "\n") {
+		if i := strings.IndexByte(line, '#'); i >= 0 {
+			line = line[:i]
+		}
+		fields := strings.Fields(line)
+		if len(fields) < 2 || fields[0] != "hosts:" {
+			continue
+		}
+		for _, module := range fields[1:] {
+			switch module {
+			case "dns":
+				return false
+			case "resolve":
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/client/internal/dns/host_unix_test.go
+++ b/client/internal/dns/host_unix_test.go
@@ -0,0 +1,76 @@
+//go:build (linux && !android) || freebsd
+
+package dns
+
+import "testing"
+
+func TestParseNsswitchResolveAhead(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want bool
+	}{
+		{
+			name: "resolve before dns with action token",
+			in:   "hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n",
+			want: true,
+		},
+		{
+			name: "dns before resolve",
+			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns resolve\n",
+			want: false,
+		},
+		{
+			name: "debian default with only dns",
+			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines\n",
+			want: false,
+		},
+		{
+			name: "neither resolve nor dns",
+			in:   "hosts: files myhostname\n",
+			want: false,
+		},
+		{
+			name: "no hosts line",
+			in:   "passwd: files systemd\ngroup: files systemd\n",
+			want: false,
+		},
+		{
+			name: "empty",
+			in:   "",
+			want: false,
+		},
+		{
+			name: "comments and blank lines ignored",
+			in:   "# comment\n\n# another\nhosts: resolve dns\n",
+			want: true,
+		},
+		{
+			name: "trailing inline comment",
+			in:   "hosts: resolve [!UNAVAIL=return] dns # fallback\n",
+			want: true,
+		},
+		{
+			name: "hosts token must be the first field",
+			in:   "  hosts: resolve dns\n",
+			want: true,
+		},
+		{
+			name: "other db line mentioning resolve is ignored",
+			in:   "networks: resolve\nhosts: dns\n",
+			want: false,
+		},
+		{
+			name: "only resolve, no dns",
+			in:   "hosts: files resolve\n",
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := parseNsswitchResolveAhead([]byte(tt.in)); got != tt.want {
+				t.Errorf("parseNsswitchResolveAhead() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -77,8 +77,6 @@ func (d *Resolver) ID() types.HandlerID {
 	return "local-resolver"
 }

-func (d *Resolver) ProbeAvailability(context.Context) {}
-
 // ServeDNS handles a DNS request
 func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	logger := log.WithFields(log.Fields{
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -2,40 +2,83 @@ package mgmt

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
-	"net/netip"
 	"net/url"
+	"os"
+	"slices"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/singleflight"

 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
+	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

-const dnsTimeout = 5 * time.Second
+const (
+	dnsTimeout     = 5 * time.Second
+	defaultTTL     = 300 * time.Second
+	refreshBackoff = 30 * time.Second

-// Resolver caches critical NetBird infrastructure domains
+	// envMgmtCacheTTL overrides defaultTTL for integration/dev testing.
+	envMgmtCacheTTL = "NB_MGMT_CACHE_TTL"
+)
+
+// ChainResolver lets the cache refresh stale entries through the DNS handler
+// chain instead of net.DefaultResolver, avoiding loopback when NetBird is the
+// system resolver.
+type ChainResolver interface {
+	ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error)
+	HasRootHandlerAtOrBelow(maxPriority int) bool
+}
+
+// cachedRecord holds DNS records plus timestamps used for TTL refresh.
+// records and cachedAt are set at construction and treated as immutable;
+// lastFailedRefresh and consecFailures are mutable and must be accessed under
+// Resolver.mutex.
+type cachedRecord struct {
+	records           []dns.RR
+	cachedAt          time.Time
+	lastFailedRefresh time.Time
+	consecFailures    int
+}
+
+// Resolver caches critical NetBird infrastructure domains.
+// records, refreshing, mgmtDomain and serverDomains are all guarded by mutex.
 type Resolver struct {
-	records       map[dns.Question][]dns.RR
+	records       map[dns.Question]*cachedRecord
 	mgmtDomain    *domain.Domain
 	serverDomains *dnsconfig.ServerDomains
 	mutex         sync.RWMutex
-}

-type ipsResponse struct {
-	ips []netip.Addr
-	err error
+	chain            ChainResolver
+	chainMaxPriority int
+	refreshGroup     singleflight.Group
+
+	// refreshing tracks questions whose refresh is running via the OS
+	// fallback path. A ServeDNS hit for a question in this map indicates
+	// the OS resolver routed the recursive query back to us (loop). Only
+	// the OS path arms this so chain-path refreshes don't produce false
+	// positives. The atomic bool is CAS-flipped once per refresh to
+	// throttle the warning log.
+	refreshing map[dns.Question]*atomic.Bool
+
+	cacheTTL time.Duration
 }

 // NewResolver creates a new management domains cache resolver.
 func NewResolver() *Resolver {
 	return &Resolver{
-		records: make(map[dns.Question][]dns.RR),
+		records:    make(map[dns.Question]*cachedRecord),
+		refreshing: make(map[dns.Question]*atomic.Bool),
+		cacheTTL:   resolveCacheTTL(),
 	}
 }

@@ -44,7 +87,19 @@ func (m *Resolver) String() string {
 	return "MgmtCacheResolver"
 }

-// ServeDNS implements dns.Handler interface.
+// SetChainResolver wires the handler chain used to refresh stale cache entries.
+// maxPriority caps which handlers may answer refresh queries (typically
+// PriorityUpstream, so upstream/default/fallback handlers are consulted and
+// mgmt/route/local handlers are skipped).
+func (m *Resolver) SetChainResolver(chain ChainResolver, maxPriority int) {
+	m.mutex.Lock()
+	m.chain = chain
+	m.chainMaxPriority = maxPriority
+	m.mutex.Unlock()
+}
+
+// ServeDNS serves cached A/AAAA records. Stale entries are returned
+// immediately and refreshed asynchronously (stale-while-revalidate).
 func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) == 0 {
 		m.continueToNext(w, r)
@@ -60,7 +115,14 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}

 	m.mutex.RLock()
-	records, found := m.records[question]
+	cached, found := m.records[question]
+	inflight := m.refreshing[question]
+	var shouldRefresh bool
+	if found {
+		stale := time.Since(cached.cachedAt) > m.cacheTTL
+		inBackoff := !cached.lastFailedRefresh.IsZero() && time.Since(cached.lastFailedRefresh) < refreshBackoff
+		shouldRefresh = stale && !inBackoff
+	}
 	m.mutex.RUnlock()

 	if !found {
@@ -68,12 +130,23 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}

+	if inflight != nil && inflight.CompareAndSwap(false, true) {
+		log.Warnf("mgmt cache: possible resolver loop for domain=%s: served stale while an OS-fallback refresh was inflight (if NetBird is the system resolver, the OS-path predicate is wrong)",
+			question.Name)
+	}
+
+	// Skip scheduling a refresh goroutine if one is already inflight for
+	// this question; singleflight would dedup anyway but skipping avoids
+	// a parked goroutine per stale hit under bursty load.
+	if shouldRefresh && inflight == nil {
+		m.scheduleRefresh(question, cached)
+	}
+
 	resp := &dns.Msg{}
 	resp.SetReply(r)
 	resp.Authoritative = false
 	resp.RecursionAvailable = true
-
-	resp.Answer = append(resp.Answer, records...)
+	resp.Answer = cloneRecordsWithTTL(cached.records, m.responseTTL(cached.cachedAt))

 	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)

@@ -98,101 +171,260 @@ func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }

-// AddDomain manually adds a domain to cache by resolving it.
+// AddDomain resolves a domain and stores its A/AAAA records in the cache.
+// A family that resolves NODATA (nil err, zero records) evicts any stale
+// entry for that qtype.
 func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))

 	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
 	defer cancel()

-	ips, err := lookupIPWithExtraTimeout(ctx, d)
-	if err != nil {
-		return err
+	aRecords, aaaaRecords, errA, errAAAA := m.lookupBoth(ctx, d, dnsName)
+
+	if errA != nil && errAAAA != nil {
+		return fmt.Errorf("resolve %s: %w", d.SafeString(), errors.Join(errA, errAAAA))
 	}

-	var aRecords, aaaaRecords []dns.RR
-	for _, ip := range ips {
-		if ip.Is4() {
-			rr := &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				A: ip.AsSlice(),
-			}
-			aRecords = append(aRecords, rr)
-		} else if ip.Is6() {
-			rr := &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   dnsName,
-					Rrtype: dns.TypeAAAA,
-					Class:  dns.ClassINET,
-					Ttl:    300,
-				},
-				AAAA: ip.AsSlice(),
-			}
-			aaaaRecords = append(aaaaRecords, rr)
+	if len(aRecords) == 0 && len(aaaaRecords) == 0 {
+		if err := errors.Join(errA, errAAAA); err != nil {
+			return fmt.Errorf("resolve %s: no A/AAAA records: %w", d.SafeString(), err)
 		}
+		return fmt.Errorf("resolve %s: no A/AAAA records", d.SafeString())
 	}

+	now := time.Now()
 	m.mutex.Lock()
+	defer m.mutex.Unlock()

-	if len(aRecords) > 0 {
-		aQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aQuestion] = aRecords
-	}
+	m.applyFamilyRecords(dnsName, dns.TypeA, aRecords, errA, now)
+	m.applyFamilyRecords(dnsName, dns.TypeAAAA, aaaaRecords, errAAAA, now)

-	if len(aaaaRecords) > 0 {
-		aaaaQuestion := dns.Question{
-			Name:   dnsName,
-			Qtype:  dns.TypeAAAA,
-			Qclass: dns.ClassINET,
-		}
-		m.records[aaaaQuestion] = aaaaRecords
-	}
-
-	m.mutex.Unlock()
-
-	log.Debugf("added domain=%s with %d A records and %d AAAA records",
+	log.Debugf("added/updated domain=%s with %d A records and %d AAAA records",
 		d.SafeString(), len(aRecords), len(aaaaRecords))

 	return nil
 }

-func lookupIPWithExtraTimeout(ctx context.Context, d domain.Domain) ([]netip.Addr, error) {
-	log.Infof("looking up IP for mgmt domain=%s", d.SafeString())
-	defer log.Infof("done looking up IP for mgmt domain=%s", d.SafeString())
-	resultChan := make(chan *ipsResponse, 1)
+// applyFamilyRecords writes records, evicts on NODATA, leaves the cache
+// untouched on error. Caller holds m.mutex.
+func (m *Resolver) applyFamilyRecords(dnsName string, qtype uint16, records []dns.RR, err error, now time.Time) {
+	q := dns.Question{Name: dnsName, Qtype: qtype, Qclass: dns.ClassINET}
+	switch {
+	case len(records) > 0:
+		m.records[q] = &cachedRecord{records: records, cachedAt: now}
+	case err == nil:
+		delete(m.records, q)
+	}
+}

-	go func() {
-		ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
-		resultChan <- &ipsResponse{
-			err: err,
-			ips: ips,
+// scheduleRefresh kicks off an async refresh. DoChan spawns one goroutine per
+// unique in-flight key; bursty stale hits share its channel. expected is the
+// cachedRecord pointer observed by the caller; the refresh only mutates the
+// cache if that pointer is still the one stored, so a stale in-flight refresh
+// can't clobber a newer entry written by AddDomain or a competing refresh.
+func (m *Resolver) scheduleRefresh(question dns.Question, expected *cachedRecord) {
+	key := question.Name + "|" + dns.TypeToString[question.Qtype]
+	_ = m.refreshGroup.DoChan(key, func() (any, error) {
+		return nil, m.refreshQuestion(question, expected)
+	})
+}
+
+// refreshQuestion replaces the cached records on success, or marks the entry
+// failed (arming the backoff) on failure. While this runs, ServeDNS can detect
+// a resolver loop by spotting a query for this same question arriving on us.
+// expected pins the cache entry observed at schedule time; mutations only apply
+// if m.records[question] still points at it.
+func (m *Resolver) refreshQuestion(question dns.Question, expected *cachedRecord) error {
+	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
+	defer cancel()
+
+	d, err := domain.FromString(strings.TrimSuffix(question.Name, "."))
+	if err != nil {
+		m.markRefreshFailed(question, expected)
+		return fmt.Errorf("parse domain: %w", err)
+	}
+
+	records, err := m.lookupRecords(ctx, d, question)
+	if err != nil {
+		fails := m.markRefreshFailed(question, expected)
+		logf := log.Warnf
+		if fails == 0 || fails > 1 {
+			logf = log.Debugf
 		}
-	}()
-
-	var resp *ipsResponse
-
-	select {
-	case <-time.After(dnsTimeout + time.Millisecond*500):
-		log.Warnf("timed out waiting for IP for mgmt domain=%s", d.SafeString())
-		return nil, fmt.Errorf("timed out waiting for ips to be available for domain %s", d.SafeString())
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case resp = <-resultChan:
+		logf("refresh mgmt cache domain=%s type=%s: %v (consecutive failures=%d)",
+			d.SafeString(), dns.TypeToString[question.Qtype], err, fails)
+		return err
 	}

-	if resp.err != nil {
-		return nil, fmt.Errorf("resolve domain %s: %w", d.SafeString(), resp.err)
+	// NOERROR/NODATA: family gone upstream, evict so we stop serving stale.
+	if len(records) == 0 {
+		m.mutex.Lock()
+		if m.records[question] == expected {
+			delete(m.records, question)
+			m.mutex.Unlock()
+			log.Infof("removed mgmt cache domain=%s type=%s: no records returned",
+				d.SafeString(), dns.TypeToString[question.Qtype])
+			return nil
+		}
+		m.mutex.Unlock()
+		log.Debugf("skipping refresh evict for domain=%s type=%s: entry changed during refresh",
+			d.SafeString(), dns.TypeToString[question.Qtype])
+		return nil
 	}
-	return resp.ips, nil
+
+	now := time.Now()
+	m.mutex.Lock()
+	if m.records[question] != expected {
+		m.mutex.Unlock()
+		log.Debugf("skipping refresh write for domain=%s type=%s: entry changed during refresh",
+			d.SafeString(), dns.TypeToString[question.Qtype])
+		return nil
+	}
+	m.records[question] = &cachedRecord{records: records, cachedAt: now}
+	m.mutex.Unlock()
+
+	log.Infof("refreshed mgmt cache domain=%s type=%s",
+		d.SafeString(), dns.TypeToString[question.Qtype])
+	return nil
+}
+
+func (m *Resolver) markRefreshing(question dns.Question) {
+	m.mutex.Lock()
+	m.refreshing[question] = &atomic.Bool{}
+	m.mutex.Unlock()
+}
+
+func (m *Resolver) clearRefreshing(question dns.Question) {
+	m.mutex.Lock()
+	delete(m.refreshing, question)
+	m.mutex.Unlock()
+}
+
+// markRefreshFailed arms the backoff and returns the new consecutive-failure
+// count so callers can downgrade subsequent failure logs to debug.
+func (m *Resolver) markRefreshFailed(question dns.Question, expected *cachedRecord) int {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	c, ok := m.records[question]
+	if !ok || c != expected {
+		return 0
+	}
+	c.lastFailedRefresh = time.Now()
+	c.consecFailures++
+	return c.consecFailures
+}
+
+// lookupBoth resolves A and AAAA via chain or OS. Per-family errors let
+// callers tell records, NODATA (nil err, no records), and failure apart.
+func (m *Resolver) lookupBoth(ctx context.Context, d domain.Domain, dnsName string) (aRecords, aaaaRecords []dns.RR, errA, errAAAA error) {
+	m.mutex.RLock()
+	chain := m.chain
+	maxPriority := m.chainMaxPriority
+	m.mutex.RUnlock()
+
+	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
+		aRecords, errA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeA)
+		aaaaRecords, errAAAA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeAAAA)
+		return
+	}
+
+	// TODO: drop once every supported OS registers a fallback resolver. Safe
+	// today: no root handler at priority ≤ PriorityUpstream means NetBird is
+	// not the system resolver, so net.DefaultResolver will not loop back.
+	aRecords, errA = m.osLookup(ctx, d, dnsName, dns.TypeA)
+	aaaaRecords, errAAAA = m.osLookup(ctx, d, dnsName, dns.TypeAAAA)
+	return
+}
+
+// lookupRecords resolves a single record type via chain or OS. The OS branch
+// arms the loop detector for the duration of its call so that ServeDNS can
+// spot the OS resolver routing the recursive query back to us.
+func (m *Resolver) lookupRecords(ctx context.Context, d domain.Domain, q dns.Question) ([]dns.RR, error) {
+	m.mutex.RLock()
+	chain := m.chain
+	maxPriority := m.chainMaxPriority
+	m.mutex.RUnlock()
+
+	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
+		return m.lookupViaChain(ctx, chain, maxPriority, q.Name, q.Qtype)
+	}
+
+	// TODO: drop once every supported OS registers a fallback resolver.
+	m.markRefreshing(q)
+	defer m.clearRefreshing(q)
+
+	return m.osLookup(ctx, d, q.Name, q.Qtype)
+}
+
+// lookupViaChain resolves via the handler chain and rewrites each RR to use
+// dnsName as owner and m.cacheTTL as TTL, so CNAME-backed domains don't cache
+// target-owned records or upstream TTLs. NODATA returns (nil, nil).
+func (m *Resolver) lookupViaChain(ctx context.Context, chain ChainResolver, maxPriority int, dnsName string, qtype uint16) ([]dns.RR, error) {
+	msg := &dns.Msg{}
+	msg.SetQuestion(dnsName, qtype)
+	msg.RecursionDesired = true
+
+	resp, err := chain.ResolveInternal(ctx, msg, maxPriority)
+	if err != nil {
+		return nil, fmt.Errorf("chain resolve: %w", err)
+	}
+	if resp == nil {
+		return nil, fmt.Errorf("chain resolve returned nil response")
+	}
+	if resp.Rcode != dns.RcodeSuccess {
+		return nil, fmt.Errorf("chain resolve rcode=%s", dns.RcodeToString[resp.Rcode])
+	}
+
+	ttl := uint32(m.cacheTTL.Seconds())
+	owners := cnameOwners(dnsName, resp.Answer)
+	var filtered []dns.RR
+	for _, rr := range resp.Answer {
+		h := rr.Header()
+		if h.Class != dns.ClassINET || h.Rrtype != qtype {
+			continue
+		}
+		if !owners[strings.ToLower(dns.Fqdn(h.Name))] {
+			continue
+		}
+		if cp := cloneIPRecord(rr, dnsName, ttl); cp != nil {
+			filtered = append(filtered, cp)
+		}
+	}
+	return filtered, nil
+}
+
+// osLookup resolves a single family via net.DefaultResolver using resutil,
+// which disambiguates NODATA from NXDOMAIN and Unmaps v4-mapped-v6. NODATA
+// returns (nil, nil).
+func (m *Resolver) osLookup(ctx context.Context, d domain.Domain, dnsName string, qtype uint16) ([]dns.RR, error) {
+	network := resutil.NetworkForQtype(qtype)
+	if network == "" {
+		return nil, fmt.Errorf("unsupported qtype %s", dns.TypeToString[qtype])
+	}
+
+	log.Infof("looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
+	defer log.Infof("done looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
+
+	result := resutil.LookupIP(ctx, net.DefaultResolver, network, d.PunycodeString(), qtype)
+	if result.Rcode == dns.RcodeSuccess {
+		return resutil.IPsToRRs(dnsName, result.IPs, uint32(m.cacheTTL.Seconds())), nil
+	}
+
+	if result.Err != nil {
+		return nil, fmt.Errorf("resolve %s type=%s: %w", d.SafeString(), dns.TypeToString[qtype], result.Err)
+	}
+	return nil, fmt.Errorf("resolve %s type=%s: rcode=%s", d.SafeString(), dns.TypeToString[qtype], dns.RcodeToString[result.Rcode])
+}
+
+// responseTTL returns the remaining cache lifetime in seconds (rounded up),
+// so downstream resolvers don't cache an answer for longer than we will.
+func (m *Resolver) responseTTL(cachedAt time.Time) uint32 {
+	remaining := m.cacheTTL - time.Since(cachedAt)
+	if remaining <= 0 {
+		return 0
+	}
+	return uint32((remaining + time.Second - 1) / time.Second)
 }

 // PopulateFromConfig extracts and caches domains from the client configuration.
@@ -224,19 +456,12 @@ func (m *Resolver) RemoveDomain(d domain.Domain) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	aQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aQuestion)
-
-	aaaaQuestion := dns.Question{
-		Name:   dnsName,
-		Qtype:  dns.TypeAAAA,
-		Qclass: dns.ClassINET,
-	}
-	delete(m.records, aaaaQuestion)
+	qA := dns.Question{Name: dnsName, Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	qAAAA := dns.Question{Name: dnsName, Qtype: dns.TypeAAAA, Qclass: dns.ClassINET}
+	delete(m.records, qA)
+	delete(m.records, qAAAA)
+	delete(m.refreshing, qA)
+	delete(m.refreshing, qAAAA)

 	log.Debugf("removed domain=%s from cache", d.SafeString())
 	return nil
@@ -394,3 +619,73 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve

 	return domains
 }
+
+// cloneIPRecord returns a deep copy of rr retargeted to owner with ttl. Non
+// A/AAAA records return nil.
+func cloneIPRecord(rr dns.RR, owner string, ttl uint32) dns.RR {
+	switch r := rr.(type) {
+	case *dns.A:
+		cp := *r
+		cp.Hdr.Name = owner
+		cp.Hdr.Ttl = ttl
+		cp.A = slices.Clone(r.A)
+		return &cp
+	case *dns.AAAA:
+		cp := *r
+		cp.Hdr.Name = owner
+		cp.Hdr.Ttl = ttl
+		cp.AAAA = slices.Clone(r.AAAA)
+		return &cp
+	}
+	return nil
+}
+
+// cloneRecordsWithTTL clones A/AAAA records preserving their owner and
+// stamping ttl so the response shares no memory with the cached slice.
+func cloneRecordsWithTTL(records []dns.RR, ttl uint32) []dns.RR {
+	out := make([]dns.RR, 0, len(records))
+	for _, rr := range records {
+		if cp := cloneIPRecord(rr, rr.Header().Name, ttl); cp != nil {
+			out = append(out, cp)
+		}
+	}
+	return out
+}
+
+// cnameOwners returns dnsName plus every target reachable by following CNAMEs
+// in answer, iterating until fixed point so out-of-order chains resolve.
+func cnameOwners(dnsName string, answer []dns.RR) map[string]bool {
+	owners := map[string]bool{dnsName: true}
+	for {
+		added := false
+		for _, rr := range answer {
+			cname, ok := rr.(*dns.CNAME)
+			if !ok {
+				continue
+			}
+			name := strings.ToLower(dns.Fqdn(cname.Hdr.Name))
+			if !owners[name] {
+				continue
+			}
+			target := strings.ToLower(dns.Fqdn(cname.Target))
+			if !owners[target] {
+				owners[target] = true
+				added = true
+			}
+		}
+		if !added {
+			return owners
+		}
+	}
+}
+
+// resolveCacheTTL reads the cache TTL override env var; invalid or empty
+// values fall back to defaultTTL. Called once per Resolver from NewResolver.
+func resolveCacheTTL() time.Duration {
+	if v := os.Getenv(envMgmtCacheTTL); v != "" {
+		if d, err := time.ParseDuration(v); err == nil && d > 0 {
+			return d
+		}
+	}
+	return defaultTTL
+}
--- a/client/internal/dns/mgmt/mgmt_refresh_test.go
+++ b/client/internal/dns/mgmt/mgmt_refresh_test.go
@@ -0,0 +1,408 @@
+package mgmt
+
+import (
+	"context"
+	"errors"
+	"net"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/dns/test"
+	"github.com/netbirdio/netbird/shared/management/domain"
+)
+
+type fakeChain struct {
+	mu       sync.Mutex
+	calls    map[string]int
+	answers  map[string][]dns.RR
+	err      error
+	hasRoot  bool
+	onLookup func()
+}
+
+func newFakeChain() *fakeChain {
+	return &fakeChain{
+		calls:   map[string]int{},
+		answers: map[string][]dns.RR{},
+		hasRoot: true,
+	}
+}
+
+func (f *fakeChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.hasRoot
+}
+
+func (f *fakeChain) ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error) {
+	f.mu.Lock()
+	q := msg.Question[0]
+	key := q.Name + "|" + dns.TypeToString[q.Qtype]
+	f.calls[key]++
+	answers := f.answers[key]
+	err := f.err
+	onLookup := f.onLookup
+	f.mu.Unlock()
+
+	if onLookup != nil {
+		onLookup()
+	}
+	if err != nil {
+		return nil, err
+	}
+	resp := &dns.Msg{}
+	resp.SetReply(msg)
+	resp.Answer = answers
+	return resp, nil
+}
+
+func (f *fakeChain) setAnswer(name string, qtype uint16, ip string) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	key := name + "|" + dns.TypeToString[qtype]
+	hdr := dns.RR_Header{Name: name, Rrtype: qtype, Class: dns.ClassINET, Ttl: 60}
+	switch qtype {
+	case dns.TypeA:
+		f.answers[key] = []dns.RR{&dns.A{Hdr: hdr, A: net.ParseIP(ip).To4()}}
+	case dns.TypeAAAA:
+		f.answers[key] = []dns.RR{&dns.AAAA{Hdr: hdr, AAAA: net.ParseIP(ip).To16()}}
+	}
+}
+
+func (f *fakeChain) callCount(name string, qtype uint16) int {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.calls[name+"|"+dns.TypeToString[qtype]]
+}
+
+// waitFor polls the predicate until it returns true or the deadline passes.
+func waitFor(t *testing.T, d time.Duration, fn func() bool) {
+	t.Helper()
+	deadline := time.Now().Add(d)
+	for time.Now().Before(deadline) {
+		if fn() {
+			return
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	t.Fatalf("condition not met within %s", d)
+}
+
+func queryA(t *testing.T, r *Resolver, name string) *dns.Msg {
+	t.Helper()
+	msg := new(dns.Msg)
+	msg.SetQuestion(name, dns.TypeA)
+	w := &test.MockResponseWriter{}
+	r.ServeDNS(w, msg)
+	return w.GetLastResponse()
+}
+
+func firstA(t *testing.T, resp *dns.Msg) string {
+	t.Helper()
+	require.NotNil(t, resp)
+	require.Greater(t, len(resp.Answer), 0, "expected at least one answer")
+	a, ok := resp.Answer[0].(*dns.A)
+	require.True(t, ok, "expected A record")
+	return a.A.String()
+}
+
+func TestResolver_CacheTTLGatesRefresh(t *testing.T) {
+	// Same cached entry age, different cacheTTL values: the shorter TTL must
+	// trigger a background refresh, the longer one must not. Proves that the
+	// per-Resolver cacheTTL field actually drives the stale decision.
+	cachedAt := time.Now().Add(-100 * time.Millisecond)
+
+	newRec := func() *cachedRecord {
+		return &cachedRecord{
+			records: []dns.RR{&dns.A{
+				Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+				A:   net.ParseIP("10.0.0.1").To4(),
+			}},
+			cachedAt: cachedAt,
+		}
+	}
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+
+	t.Run("short TTL treats entry as stale and refreshes", func(t *testing.T) {
+		r := NewResolver()
+		r.cacheTTL = 10 * time.Millisecond
+		chain := newFakeChain()
+		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
+		r.SetChainResolver(chain, 50)
+		r.records[q] = newRec()
+
+		resp := queryA(t, r, q.Name)
+		assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
+
+		waitFor(t, time.Second, func() bool {
+			return chain.callCount(q.Name, dns.TypeA) >= 1
+		})
+	})
+
+	t.Run("long TTL keeps entry fresh and skips refresh", func(t *testing.T) {
+		r := NewResolver()
+		r.cacheTTL = time.Hour
+		chain := newFakeChain()
+		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
+		r.SetChainResolver(chain, 50)
+		r.records[q] = newRec()
+
+		resp := queryA(t, r, q.Name)
+		assert.Equal(t, "10.0.0.1", firstA(t, resp))
+
+		time.Sleep(50 * time.Millisecond)
+		assert.Equal(t, 0, chain.callCount(q.Name, dns.TypeA), "fresh entry must not trigger refresh")
+	})
+}
+
+func TestResolver_ServeFresh_NoRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	r.records[dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(), // fresh
+	}
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp))
+
+	time.Sleep(20 * time.Millisecond)
+	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA), "fresh entry must not trigger refresh")
+}
+
+func TestResolver_StaleTriggersAsyncRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL), // stale
+	}
+
+	// First query: serves stale immediately.
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
+
+	waitFor(t, time.Second, func() bool {
+		return chain.callCount("mgmt.example.com.", dns.TypeA) >= 1
+	})
+
+	// Next query should now return the refreshed IP.
+	waitFor(t, time.Second, func() bool {
+		resp := queryA(t, r, "mgmt.example.com.")
+		return resp != nil && len(resp.Answer) > 0 && firstA(t, resp) == "10.0.0.2"
+	})
+}
+
+func TestResolver_ConcurrentStaleHitsCollapseRefresh(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+
+	var inflight atomic.Int32
+	var maxInflight atomic.Int32
+	chain.onLookup = func() {
+		cur := inflight.Add(1)
+		defer inflight.Add(-1)
+		for {
+			prev := maxInflight.Load()
+			if cur <= prev || maxInflight.CompareAndSwap(prev, cur) {
+				break
+			}
+		}
+		time.Sleep(50 * time.Millisecond) // hold inflight long enough to collide
+	}
+
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL),
+	}
+
+	var wg sync.WaitGroup
+	for i := 0; i < 50; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			queryA(t, r, "mgmt.example.com.")
+		}()
+	}
+	wg.Wait()
+
+	waitFor(t, 2*time.Second, func() bool {
+		return inflight.Load() == 0
+	})
+
+	calls := chain.callCount("mgmt.example.com.", dns.TypeA)
+	assert.LessOrEqual(t, calls, 2, "singleflight must collapse concurrent refreshes (got %d)", calls)
+	assert.Equal(t, int32(1), maxInflight.Load(), "only one refresh should run concurrently")
+}
+
+func TestResolver_RefreshFailureArmsBackoff(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.err = errors.New("boom")
+	r.SetChainResolver(chain, 50)
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now().Add(-2 * defaultTTL),
+	}
+
+	// First stale hit triggers a refresh attempt that fails.
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry served while refresh fails")
+
+	waitFor(t, time.Second, func() bool {
+		return chain.callCount("mgmt.example.com.", dns.TypeA) == 1
+	})
+	waitFor(t, time.Second, func() bool {
+		r.mutex.RLock()
+		defer r.mutex.RUnlock()
+		c, ok := r.records[q]
+		return ok && !c.lastFailedRefresh.IsZero()
+	})
+
+	// Subsequent stale hits within backoff window should not schedule more refreshes.
+	for i := 0; i < 10; i++ {
+		queryA(t, r, "mgmt.example.com.")
+	}
+	time.Sleep(50 * time.Millisecond)
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA), "backoff must suppress further refreshes")
+}
+
+func TestResolver_NoRootHandler_SkipsChain(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.hasRoot = false
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	r.SetChainResolver(chain, 50)
+
+	// With hasRoot=false the chain must not be consulted. Use a short
+	// deadline so the OS fallback returns quickly without waiting on a
+	// real network call in CI.
+	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
+	defer cancel()
+	_, _, _, _ = r.lookupBoth(ctx, domain.Domain("mgmt.example.com"), "mgmt.example.com.")
+
+	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA),
+		"chain must not be used when no root handler is registered at the bound priority")
+}
+
+func TestResolver_ServeDuringRefreshSetsLoopFlag(t *testing.T) {
+	// ServeDNS being invoked for a question while a refresh for that question
+	// is inflight indicates a resolver loop (OS resolver sent the recursive
+	// query back to us). The inflightRefresh.loopLoggedOnce flag must be set.
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	// Simulate an inflight refresh.
+	r.markRefreshing(q)
+	defer r.clearRefreshing(q)
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must still be served to avoid breaking external queries")
+
+	r.mutex.RLock()
+	inflight := r.refreshing[q]
+	r.mutex.RUnlock()
+	require.NotNil(t, inflight)
+	assert.True(t, inflight.Load(), "loop flag must be set once a ServeDNS during refresh was observed")
+}
+
+func TestResolver_LoopFlagOnlyTrippedOncePerRefresh(t *testing.T) {
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	r.markRefreshing(q)
+	defer r.clearRefreshing(q)
+
+	// Multiple ServeDNS calls during the same refresh must not re-set the flag
+	// (CompareAndSwap from false -> true returns true only on the first call).
+	for range 5 {
+		queryA(t, r, "mgmt.example.com.")
+	}
+
+	r.mutex.RLock()
+	inflight := r.refreshing[q]
+	r.mutex.RUnlock()
+	assert.True(t, inflight.Load())
+}
+
+func TestResolver_NoLoopFlagWhenNotRefreshing(t *testing.T) {
+	r := NewResolver()
+
+	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
+	r.records[q] = &cachedRecord{
+		records: []dns.RR{&dns.A{
+			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
+			A:   net.ParseIP("10.0.0.1").To4(),
+		}},
+		cachedAt: time.Now(),
+	}
+
+	queryA(t, r, "mgmt.example.com.")
+
+	r.mutex.RLock()
+	_, ok := r.refreshing[q]
+	r.mutex.RUnlock()
+	assert.False(t, ok, "no refresh inflight means no loop tracking")
+}
+
+func TestResolver_AddDomain_UsesChainWhenRootRegistered(t *testing.T) {
+	r := NewResolver()
+	chain := newFakeChain()
+	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
+	chain.setAnswer("mgmt.example.com.", dns.TypeAAAA, "fd00::2")
+	r.SetChainResolver(chain, 50)
+
+	require.NoError(t, r.AddDomain(context.Background(), domain.Domain("mgmt.example.com")))
+
+	resp := queryA(t, r, "mgmt.example.com.")
+	assert.Equal(t, "10.0.0.2", firstA(t, resp))
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA))
+	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeAAAA))
+}
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strings"
 	"testing"
+	"time"

 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -23,6 +24,60 @@ func TestResolver_NewResolver(t *testing.T) {
 	assert.False(t, resolver.MatchSubdomains())
 }

+func TestResolveCacheTTL(t *testing.T) {
+	tests := []struct {
+		name  string
+		value string
+		want  time.Duration
+	}{
+		{"unset falls back to default", "", defaultTTL},
+		{"valid duration", "45s", 45 * time.Second},
+		{"valid minutes", "2m", 2 * time.Minute},
+		{"malformed falls back to default", "not-a-duration", defaultTTL},
+		{"zero falls back to default", "0s", defaultTTL},
+		{"negative falls back to default", "-5s", defaultTTL},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv(envMgmtCacheTTL, tc.value)
+			got := resolveCacheTTL()
+			assert.Equal(t, tc.want, got, "parsed TTL should match")
+		})
+	}
+}
+
+func TestNewResolver_CacheTTLFromEnv(t *testing.T) {
+	t.Setenv(envMgmtCacheTTL, "7s")
+	r := NewResolver()
+	assert.Equal(t, 7*time.Second, r.cacheTTL, "NewResolver should evaluate cacheTTL once from env")
+}
+
+func TestResolver_ResponseTTL(t *testing.T) {
+	now := time.Now()
+	tests := []struct {
+		name     string
+		cacheTTL time.Duration
+		cachedAt time.Time
+		wantMin  uint32
+		wantMax  uint32
+	}{
+		{"fresh entry returns full TTL", 60 * time.Second, now, 59, 60},
+		{"half-aged entry returns half TTL", 60 * time.Second, now.Add(-30 * time.Second), 29, 31},
+		{"expired entry returns zero", 60 * time.Second, now.Add(-61 * time.Second), 0, 0},
+		{"exactly expired returns zero", 10 * time.Second, now.Add(-10 * time.Second), 0, 0},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			r := &Resolver{cacheTTL: tc.cacheTTL}
+			got := r.responseTTL(tc.cachedAt)
+			assert.GreaterOrEqual(t, got, tc.wantMin, "remaining TTL should be >= wantMin")
+			assert.LessOrEqual(t, got, tc.wantMax, "remaining TTL should be <= wantMax")
+		})
+	}
+}
+
 func TestResolver_ExtractDomainFromURL(t *testing.T) {
 	tests := []struct {
 		name        string
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -9,6 +9,7 @@ import (

 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

@@ -70,10 +71,6 @@ func (m *MockServer) SearchDomains() []string {
 	return make([]string, 0)
 }

-// ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
-func (m *MockServer) ProbeAvailability() {
-}
-
 func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 	if m.UpdateServerConfigFunc != nil {
 		return m.UpdateServerConfigFunc(domains)
@@ -85,8 +82,8 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }

-// SetRouteChecker mock implementation of SetRouteChecker from Server interface
-func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
+// SetRouteSources mock implementation of SetRouteSources from Server interface
+func (m *MockServer) SetRouteSources(selected, active func() route.HAMap) {
 	// Mock implementation - no-op
 }

--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -6,11 +6,10 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
-	"os"
-	"runtime"
-	"strconv"
+	"slices"
 	"strings"
 	"sync"
+	"time"

 	"github.com/miekg/dns"
 	"github.com/mitchellh/hashstructure/v2"
@@ -25,11 +24,31 @@ import (
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

-const envSkipDNSProbe = "NB_SKIP_DNS_PROBE"
+const (
+	// healthLookback must exceed the upstream query timeout so one
+	// query per refresh cycle is enough to keep a group marked healthy.
+	healthLookback               = 60 * time.Second
+	nsGroupHealthRefreshInterval = 10 * time.Second
+	// defaultWarningDelayBase is the starting grace window before a
+	// "Nameserver group unreachable" event fires for a group that's
+	// never been healthy and only has overlay upstreams with no
+	// Connected peer. Per-server and overridable; see warningDelayFor.
+	defaultWarningDelayBase = 30 * time.Second
+	// warningDelayBonusCap caps the route-count bonus added to the
+	// base grace window. See warningDelayFor.
+	warningDelayBonusCap = 30 * time.Second
+)
+
+// errNoUsableNameservers signals that a merged-domain group has no usable
+// upstream servers. Callers should skip the group without treating it as a
+// build failure.
+var errNoUsableNameservers = errors.New("no usable nameservers")

 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
 type ReadyListener interface {
@@ -54,10 +73,9 @@ type Server interface {
 	UpdateDNSServer(serial uint64, update nbdns.Config) error
 	OnUpdatedHostDNSServer(addrs []netip.AddrPort)
 	SearchDomains() []string
-	ProbeAvailability()
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
-	SetRouteChecker(func(netip.Addr) bool)
+	SetRouteSources(selected, active func() route.HAMap)
 	SetFirewall(Firewall)
 }

@@ -66,6 +84,47 @@ type nsGroupsByDomain struct {
 	groups []*nbdns.NameServerGroup
 }

+// nsGroupID identifies a nameserver group by the tuple (server list, domain
+// list) so config updates produce stable IDs across recomputations.
+type nsGroupID string
+
+// nsHealthSnapshot is the input to projectNSGroupHealth, captured under
+// s.mux so projection runs lock-free.
+type nsHealthSnapshot struct {
+	groups   []*nbdns.NameServerGroup
+	merged   map[netip.AddrPort]UpstreamHealth
+	selected route.HAMap
+	active   route.HAMap
+}
+
+// nsGroupProj holds per-group state for the emission rules.
+type nsGroupProj struct {
+	// unhealthySince is the start of the current Unhealthy streak,
+	// zero when the group is not currently Unhealthy.
+	unhealthySince time.Time
+	// everHealthy is sticky: once the group has been Healthy at least
+	// once this session, subsequent failures skip warningDelay.
+	everHealthy bool
+	// warningActive tracks whether we've already published a warning
+	// for the current streak, so recovery emits iff a warning did.
+	warningActive bool
+}
+
+// nsGroupVerdict is the outcome of evaluateNSGroupHealth.
+type nsGroupVerdict int
+
+const (
+	// nsVerdictUndecided means no upstream has a fresh observation
+	// (startup before first query, or records aged past healthLookback).
+	nsVerdictUndecided nsGroupVerdict = iota
+	// nsVerdictHealthy means at least one upstream's most-recent
+	// in-lookback observation is a success.
+	nsVerdictHealthy
+	// nsVerdictUnhealthy means at least one upstream has a recent
+	// failure and none has a fresher success.
+	nsVerdictUnhealthy
+)
+
 // hostManagerWithOriginalNS extends the basic hostManager interface
 type hostManagerWithOriginalNS interface {
 	hostManager
@@ -106,20 +165,35 @@ type DefaultServer struct {

 	statusRecorder *peer.Status
 	stateManager   *statemanager.Manager
-	routeMatch     func(netip.Addr) bool
+	// selectedRoutes returns admin-enabled client routes.
+	selectedRoutes func() route.HAMap
+	// activeRoutes returns the subset whose peer is in StatusConnected.
+	activeRoutes func() route.HAMap

-	probeMu     sync.Mutex
-	probeCancel context.CancelFunc
-	probeWg     sync.WaitGroup
+	nsGroups        []*nbdns.NameServerGroup
+	healthProjectMu sync.Mutex
+	// nsGroupProj is the per-group state used by the emission rules.
+	// Accessed only under healthProjectMu.
+	nsGroupProj map[nsGroupID]*nsGroupProj
+	// warningDelayBase is the base grace window for health projection.
+	// Set at construction, mutated only by tests. Read by the
+	// refresher goroutine so never change it while one is running.
+	warningDelayBase time.Duration
+	// healthRefresh is buffered=1; writers coalesce, senders never block.
+	// See refreshHealth for the lock-order rationale.
+	healthRefresh chan struct{}
 }

 type handlerWithStop interface {
 	dns.Handler
 	Stop()
-	ProbeAvailability(context.Context)
 	ID() types.HandlerID
 }

+type upstreamHealthReporter interface {
+	UpstreamHealth() map[netip.AddrPort]UpstreamHealth
+}
+
 type handlerWrapper struct {
 	domain   string
 	handler  handlerWithStop
@@ -212,6 +286,7 @@ func newDefaultServer(
 	ctx, stop := context.WithCancel(ctx)

 	mgmtCacheResolver := mgmt.NewResolver()
+	mgmtCacheResolver.SetChainResolver(handlerChain, PriorityUpstream)

 	defaultServer := &DefaultServer{
 		ctx:               ctx,
@@ -229,6 +304,8 @@ func newDefaultServer(
 		hostManager:       &noopHostConfigurator{},
 		mgmtCacheResolver: mgmtCacheResolver,
 		currentConfigHash: ^uint64(0), // Initialize to max uint64 to ensure first config is always applied
+		warningDelayBase:  defaultWarningDelayBase,
+		healthRefresh:     make(chan struct{}, 1),
 	}

 	// register with root zone, handler chain takes care of the routing
@@ -237,12 +314,26 @@ func newDefaultServer(
 	return defaultServer
 }

-// SetRouteChecker sets the function used by upstream resolvers to determine
-// whether an IP is routed through the tunnel.
-func (s *DefaultServer) SetRouteChecker(f func(netip.Addr) bool) {
+// SetRouteSources wires the route-manager accessors used by health
+// projection to classify each upstream for emission timing.
+func (s *DefaultServer) SetRouteSources(selected, active func() route.HAMap) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
-	s.routeMatch = f
+	s.selectedRoutes = selected
+	s.activeRoutes = active
+
+	// Permanent / iOS constructors build the root handler before the
+	// engine wires route sources, so its selectedRoutes callback would
+	// otherwise remain nil and overlay upstreams would be classified
+	// as public. Propagate the new accessors to existing handlers.
+	type routeSettable interface {
+		setSelectedRoutes(func() route.HAMap)
+	}
+	for _, entry := range s.dnsMuxMap {
+		if h, ok := entry.handler.(routeSettable); ok {
+			h.setSelectedRoutes(selected)
+		}
+	}
 }

 // RegisterHandler registers a handler for the given domains with the given priority.
@@ -255,7 +346,6 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler

 	// TODO: This will take over zones for non-wildcard domains, for which we might not have a handler in the chain
 	for _, domain := range domains {
-		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
 	if !s.batchMode {
@@ -356,6 +446,8 @@ func (s *DefaultServer) Initialize() (err error) {

 	s.stateManager.RegisterState(&ShutdownState{})

+	s.startHealthRefresher()
+
 	// Keep using noop host manager if dns off requested or running in netstack mode.
 	// Netstack mode currently doesn't have a way to receive DNS requests.
 	// TODO: Use listener on localhost in netstack mode when running as root.
@@ -393,13 +485,7 @@ func (s *DefaultServer) SetFirewall(fw Firewall) {

 // Stop stops the server
 func (s *DefaultServer) Stop() {
-	s.probeMu.Lock()
-	if s.probeCancel != nil {
-		s.probeCancel()
-	}
 	s.ctxCancel()
-	s.probeMu.Unlock()
-	s.probeWg.Wait()
 	s.shutdownWg.Wait()

 	s.mux.Lock()
@@ -410,6 +496,13 @@ func (s *DefaultServer) Stop() {
 	}

 	maps.Clear(s.extraDomains)
+
+	// Clear health projection state so a subsequent Start doesn't
+	// inherit sticky flags (notably everHealthy) that would bypass
+	// the grace window during the next peer handshake.
+	s.healthProjectMu.Lock()
+	s.nsGroupProj = nil
+	s.healthProjectMu.Unlock()
 }

 func (s *DefaultServer) disableDNS() (retErr error) {
@@ -445,7 +538,6 @@ func (s *DefaultServer) disableDNS() (retErr error) {
 func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []netip.AddrPort) {
 	s.hostsDNSHolder.set(hostsDnsList)

-	// Check if there's any root handler
 	var hasRootHandler bool
 	for _, handler := range s.dnsMuxMap {
 		if handler.domain == nbdns.RootZone {
@@ -519,69 +611,6 @@ func (s *DefaultServer) SearchDomains() []string {
 	return searchDomains
 }

-// ProbeAvailability tests each upstream group's servers for availability
-// and deactivates the group if no server responds.
-// If a previous probe is still running, it will be cancelled before starting a new one.
-func (s *DefaultServer) ProbeAvailability() {
-	if val := os.Getenv(envSkipDNSProbe); val != "" {
-		skipProbe, err := strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", envSkipDNSProbe, err)
-		}
-		if skipProbe {
-			log.Infof("skipping DNS probe due to %s", envSkipDNSProbe)
-			return
-		}
-	}
-
-	s.probeMu.Lock()
-
-	// don't start probes on a stopped server
-	if s.ctx.Err() != nil {
-		s.probeMu.Unlock()
-		return
-	}
-
-	// cancel any running probe
-	if s.probeCancel != nil {
-		s.probeCancel()
-		s.probeCancel = nil
-	}
-
-	// wait for the previous probe goroutines to finish while holding
-	// the mutex so no other caller can start a new probe concurrently
-	s.probeWg.Wait()
-
-	// start a new probe
-	probeCtx, probeCancel := context.WithCancel(s.ctx)
-	s.probeCancel = probeCancel
-
-	s.probeWg.Add(1)
-	defer s.probeWg.Done()
-
-	// Snapshot handlers under s.mux to avoid racing with updateMux/dnsMuxMap writers.
-	s.mux.Lock()
-	handlers := make([]handlerWithStop, 0, len(s.dnsMuxMap))
-	for _, mux := range s.dnsMuxMap {
-		handlers = append(handlers, mux.handler)
-	}
-	s.mux.Unlock()
-
-	var wg sync.WaitGroup
-	for _, handler := range handlers {
-		wg.Add(1)
-		go func(h handlerWithStop) {
-			defer wg.Done()
-			h.ProbeAvailability(probeCtx)
-		}(handler)
-	}
-
-	s.probeMu.Unlock()
-
-	wg.Wait()
-	probeCancel()
-}
-
 func (s *DefaultServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -774,19 +803,17 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 		log.Errorf("failed to create upstream resolver for original nameservers: %v", err)
 		return
 	}
-	handler.routeMatch = s.routeMatch
+	handler.selectedRoutes = s.selectedRoutes

+	var servers []netip.AddrPort
 	for _, ns := range originalNameservers {
 		if ns == config.ServerIP {
 			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, config.ServerIP)
 			continue
 		}
-
-		addrPort := netip.AddrPortFrom(ns, DefaultPort)
-		handler.upstreamServers = append(handler.upstreamServers, addrPort)
+		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
 	}
-	handler.deactivate = func(error) { /* always active */ }
-	handler.reactivate = func() { /* always active */ }
+	handler.addRace(servers)

 	s.registerHandler([]string{nbdns.RootZone}, handler, PriorityFallback)
 }
@@ -846,100 +873,99 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 	groupedNS := groupNSGroupsByDomain(nameServerGroups)

 	for _, domainGroup := range groupedNS {
-		basePriority := PriorityUpstream
+		priority := PriorityUpstream
 		if domainGroup.domain == nbdns.RootZone {
-			basePriority = PriorityDefault
+			priority = PriorityDefault
 		}

-		updates, err := s.createHandlersForDomainGroup(domainGroup, basePriority)
+		update, err := s.buildMergedDomainHandler(domainGroup, priority)
 		if err != nil {
+			if errors.Is(err, errNoUsableNameservers) {
+				log.Errorf("no usable nameservers for domain=%s", domainGroup.domain)
+				continue
+			}
 			return nil, err
 		}
-		muxUpdates = append(muxUpdates, updates...)
+		muxUpdates = append(muxUpdates, *update)
 	}

 	return muxUpdates, nil
 }

-func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomain, basePriority int) ([]handlerWrapper, error) {
-	var muxUpdates []handlerWrapper
+// buildMergedDomainHandler merges every nameserver group that targets the
+// same domain into one handler whose inner groups are raced in parallel.
+func (s *DefaultServer) buildMergedDomainHandler(domainGroup nsGroupsByDomain, priority int) (*handlerWrapper, error) {
+	handler, err := newUpstreamResolver(
+		s.ctx,
+		s.wgInterface,
+		s.statusRecorder,
+		s.hostsDNSHolder,
+		domain.Domain(domainGroup.domain),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("create upstream resolver: %v", err)
+	}
+	handler.selectedRoutes = s.selectedRoutes

-	for i, nsGroup := range domainGroup.groups {
-		// Decrement priority by handler index (0, 1, 2, ...) to avoid conflicts
-		priority := basePriority - i
-
-		// Check if we're about to overlap with the next priority tier
-		if s.leaksPriority(domainGroup, basePriority, priority) {
-			break
-		}
-
-		log.Debugf("creating handler for domain=%s with priority=%d", domainGroup.domain, priority)
-		handler, err := newUpstreamResolver(
-			s.ctx,
-			s.wgInterface,
-			s.statusRecorder,
-			s.hostsDNSHolder,
-			domainGroup.domain,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("create upstream resolver: %v", err)
-		}
-		handler.routeMatch = s.routeMatch
-
-		for _, ns := range nsGroup.NameServers {
-			if ns.NSType != nbdns.UDPNameServerType {
-				log.Warnf("skipping nameserver %s with type %s, this peer supports only %s",
-					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
-				continue
-			}
-
-			if ns.IP == s.service.RuntimeIP() {
-				log.Warnf("skipping nameserver %s as it matches our DNS server IP, preventing potential loop", ns.IP)
-				continue
-			}
-
-			handler.upstreamServers = append(handler.upstreamServers, ns.AddrPort())
-		}
-
-		if len(handler.upstreamServers) == 0 {
-			handler.Stop()
-			log.Errorf("received a nameserver group with an invalid nameserver list")
+	for _, nsGroup := range domainGroup.groups {
+		servers := s.filterNameServers(nsGroup.NameServers)
+		if len(servers) == 0 {
+			log.Warnf("nameserver group for domain=%s yielded no usable servers, skipping", domainGroup.domain)
 			continue
 		}
-
-		// when upstream fails to resolve domain several times over all it servers
-		// it will calls this hook to exclude self from the configuration and
-		// reapply DNS settings, but it not touch the original configuration and serial number
-		// because it is temporal deactivation until next try
-		//
-		// after some period defined by upstream it tries to reactivate self by calling this hook
-		// everything we need here is just to re-apply current configuration because it already
-		// contains this upstream settings (temporal deactivation not removed it)
-		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler, priority)
-
-		muxUpdates = append(muxUpdates, handlerWrapper{
-			domain:   domainGroup.domain,
-			handler:  handler,
-			priority: priority,
-		})
+		handler.addRace(servers)
 	}

-	return muxUpdates, nil
+	if len(handler.upstreamServers) == 0 {
+		handler.Stop()
+		return nil, errNoUsableNameservers
+	}
+
+	log.Debugf("creating merged handler for domain=%s with %d group(s) priority=%d", domainGroup.domain, len(handler.upstreamServers), priority)
+
+	return &handlerWrapper{
+		domain:   domainGroup.domain,
+		handler:  handler,
+		priority: priority,
+	}, nil
 }

-func (s *DefaultServer) leaksPriority(domainGroup nsGroupsByDomain, basePriority int, priority int) bool {
-	if basePriority == PriorityUpstream && priority <= PriorityDefault {
-		log.Warnf("too many handlers for domain=%s, would overlap with default priority tier (diff=%d). Skipping remaining handlers",
-			domainGroup.domain, PriorityUpstream-PriorityDefault)
-		return true
-	}
-	if basePriority == PriorityDefault && priority <= PriorityFallback {
-		log.Warnf("too many handlers for domain=%s, would overlap with fallback priority tier (diff=%d). Skipping remaining handlers",
-			domainGroup.domain, PriorityDefault-PriorityFallback)
-		return true
+func (s *DefaultServer) filterNameServers(nameServers []nbdns.NameServer) []netip.AddrPort {
+	var out []netip.AddrPort
+	for _, ns := range nameServers {
+		if ns.NSType != nbdns.UDPNameServerType {
+			log.Warnf("skipping nameserver %s with type %s, this peer supports only %s",
+				ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
+			continue
+		}
+		if ns.IP == s.service.RuntimeIP() {
+			log.Warnf("skipping nameserver %s as it matches our DNS server IP, preventing potential loop", ns.IP)
+			continue
+		}
+		out = append(out, ns.AddrPort())
 	}
+	return out
+}

-	return false
+// usableNameServers returns the subset of nameServers the handler would
+// actually query. Matches filterNameServers without the warning logs, so
+// it's safe to call on every health-projection tick.
+func (s *DefaultServer) usableNameServers(nameServers []nbdns.NameServer) []netip.AddrPort {
+	var runtimeIP netip.Addr
+	if s.service != nil {
+		runtimeIP = s.service.RuntimeIP()
+	}
+	var out []netip.AddrPort
+	for _, ns := range nameServers {
+		if ns.NSType != nbdns.UDPNameServerType {
+			continue
+		}
+		if runtimeIP.IsValid() && ns.IP == runtimeIP {
+			continue
+		}
+		out = append(out, ns.AddrPort())
+	}
+	return out
 }

 func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
@@ -973,84 +999,6 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }

-// upstreamCallbacks returns two functions, the first one is used to deactivate
-// the upstream resolver from the configuration, the second one is used to
-// reactivate it. Not allowed to call reactivate before deactivate.
-func (s *DefaultServer) upstreamCallbacks(
-	nsGroup *nbdns.NameServerGroup,
-	handler dns.Handler,
-	priority int,
-) (deactivate func(error), reactivate func()) {
-	var removeIndex map[string]int
-	deactivate = func(err error) {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Info("Temporarily deactivating nameservers group due to timeout")
-
-		removeIndex = make(map[string]int)
-		for _, domain := range nsGroup.Domains {
-			removeIndex[domain] = -1
-		}
-		if nsGroup.Primary {
-			removeIndex[nbdns.RootZone] = -1
-			s.currentConfig.RouteAll = false
-			s.deregisterHandler([]string{nbdns.RootZone}, priority)
-		}
-
-		for i, item := range s.currentConfig.Domains {
-			if _, found := removeIndex[item.Domain]; found {
-				s.currentConfig.Domains[i].Disabled = true
-				s.deregisterHandler([]string{item.Domain}, priority)
-				removeIndex[item.Domain] = i
-			}
-		}
-
-		// Always apply host config when nameserver goes down, regardless of batch mode
-		s.applyHostConfig()
-
-		go func() {
-			if err := s.stateManager.PersistState(s.ctx); err != nil {
-				l.Errorf("Failed to persist dns state: %v", err)
-			}
-		}()
-
-		if runtime.GOOS == "android" && nsGroup.Primary && len(s.hostsDNSHolder.get()) > 0 {
-			s.addHostRootZone()
-		}
-
-		s.updateNSState(nsGroup, err, false)
-	}
-
-	reactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		for domain, i := range removeIndex {
-			if i == -1 || i >= len(s.currentConfig.Domains) || s.currentConfig.Domains[i].Domain != domain {
-				continue
-			}
-			s.currentConfig.Domains[i].Disabled = false
-			s.registerHandler([]string{domain}, handler, priority)
-		}
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Debug("reactivate temporary disabled nameserver group")
-
-		if nsGroup.Primary {
-			s.currentConfig.RouteAll = true
-			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
-		}
-
-		// Always apply host config when nameserver reactivates, regardless of batch mode
-		s.applyHostConfig()
-
-		s.updateNSState(nsGroup, nil, true)
-	}
-	return
-}
-
 func (s *DefaultServer) addHostRootZone() {
 	hostDNSServers := s.hostsDNSHolder.get()
 	if len(hostDNSServers) == 0 {
@@ -1069,56 +1017,354 @@ func (s *DefaultServer) addHostRootZone() {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
-	handler.routeMatch = s.routeMatch
+	handler.selectedRoutes = s.selectedRoutes

-	handler.upstreamServers = maps.Keys(hostDNSServers)
-	handler.deactivate = func(error) {}
-	handler.reactivate = func() {}
+	handler.addRace(maps.Keys(hostDNSServers))

 	s.registerHandler([]string{nbdns.RootZone}, handler, PriorityDefault)
 }

+// updateNSGroupStates records the new group set and pokes the refresher.
+// Must hold s.mux; projection runs async (see refreshHealth for why).
 func (s *DefaultServer) updateNSGroupStates(groups []*nbdns.NameServerGroup) {
-	var states []peer.NSGroupState
+	s.nsGroups = groups
+	select {
+	case s.healthRefresh <- struct{}{}:
+	default:
+	}
+}

-	for _, group := range groups {
-		var servers []netip.AddrPort
-		for _, ns := range group.NameServers {
-			servers = append(servers, ns.AddrPort())
+// refreshHealth runs one projection cycle. Must not be called while
+// holding s.mux: the route callbacks re-enter routemanager's lock.
+func (s *DefaultServer) refreshHealth() {
+	s.mux.Lock()
+	groups := s.nsGroups
+	merged := s.collectUpstreamHealth()
+	selFn := s.selectedRoutes
+	actFn := s.activeRoutes
+	s.mux.Unlock()
+
+	var selected, active route.HAMap
+	if selFn != nil {
+		selected = selFn()
+	}
+	if actFn != nil {
+		active = actFn()
+	}
+
+	s.projectNSGroupHealth(nsHealthSnapshot{
+		groups:   groups,
+		merged:   merged,
+		selected: selected,
+		active:   active,
+	})
+}
+
+// projectNSGroupHealth applies the emission rules to the snapshot and
+// publishes the resulting NSGroupStates. Serialized by healthProjectMu,
+// lock-free wrt s.mux.
+//
+// Rules:
+//   - Healthy: emit recovery iff warningActive; set everHealthy.
+//   - Unhealthy: stamp unhealthySince on streak start; emit warning
+//     iff any of immediate / everHealthy / elapsed >= effective delay.
+//   - Undecided: no-op.
+//
+// "Immediate" means the group has at least one upstream that's public
+// or overlay+Connected: no peer-startup race to wait out.
+func (s *DefaultServer) projectNSGroupHealth(snap nsHealthSnapshot) {
+	if s.statusRecorder == nil {
+		return
+	}
+
+	s.healthProjectMu.Lock()
+	defer s.healthProjectMu.Unlock()
+
+	if s.nsGroupProj == nil {
+		s.nsGroupProj = make(map[nsGroupID]*nsGroupProj)
+	}
+
+	now := time.Now()
+	delay := s.warningDelay(haMapRouteCount(snap.selected))
+	states := make([]peer.NSGroupState, 0, len(snap.groups))
+	seen := make(map[nsGroupID]struct{}, len(snap.groups))
+	for _, group := range snap.groups {
+		servers := s.usableNameServers(group.NameServers)
+		if len(servers) == 0 {
+			continue
+		}
+		verdict, groupErr := evaluateNSGroupHealth(snap.merged, servers, now)
+		id := generateGroupKey(group)
+		seen[id] = struct{}{}
+
+		immediate := s.groupHasImmediateUpstream(servers, snap)
+
+		p, known := s.nsGroupProj[id]
+		if !known {
+			p = &nsGroupProj{}
+			s.nsGroupProj[id] = p
 		}

-		state := peer.NSGroupState{
-			ID:      generateGroupKey(group),
+		enabled := true
+		switch verdict {
+		case nsVerdictHealthy:
+			enabled = s.projectHealthy(p, servers)
+		case nsVerdictUnhealthy:
+			enabled = s.projectUnhealthy(p, servers, immediate, now, delay)
+		case nsVerdictUndecided:
+			// Stay Available until evidence says otherwise, unless a
+			// warning is already active for this group. Also clear any
+			// prior Unhealthy streak so a later Unhealthy verdict starts
+			// a fresh grace window rather than inheriting a stale one.
+			p.unhealthySince = time.Time{}
+			enabled = !p.warningActive
+			groupErr = nil
+		}
+
+		states = append(states, peer.NSGroupState{
+			ID:      string(id),
 			Servers: servers,
 			Domains: group.Domains,
-			// The probe will determine the state, default enabled
-			Enabled: true,
-			Error:   nil,
-		}
-		states = append(states, state)
+			Enabled: enabled,
+			Error:   groupErr,
+		})
 	}
-	s.statusRecorder.UpdateDNSStates(states)
-}
-
-func (s *DefaultServer) updateNSState(nsGroup *nbdns.NameServerGroup, err error, enabled bool) {
-	states := s.statusRecorder.GetDNSStates()
-	id := generateGroupKey(nsGroup)
-	for i, state := range states {
-		if state.ID == id {
-			states[i].Enabled = enabled
-			states[i].Error = err
-			break
+	for id := range s.nsGroupProj {
+		if _, ok := seen[id]; !ok {
+			delete(s.nsGroupProj, id)
 		}
 	}
 	s.statusRecorder.UpdateDNSStates(states)
 }

-func generateGroupKey(nsGroup *nbdns.NameServerGroup) string {
-	var servers []string
+// projectHealthy records a healthy tick on p and publishes a recovery
+// event iff a warning was active for the current streak. Returns the
+// Enabled flag to record in NSGroupState.
+func (s *DefaultServer) projectHealthy(p *nsGroupProj, servers []netip.AddrPort) bool {
+	p.everHealthy = true
+	p.unhealthySince = time.Time{}
+	if !p.warningActive {
+		return true
+	}
+	log.Debugf("DNS health: group [%s] recovered, emitting event", joinAddrPorts(servers))
+	s.statusRecorder.PublishEvent(
+		proto.SystemEvent_INFO,
+		proto.SystemEvent_DNS,
+		"Nameserver group recovered",
+		"DNS servers are reachable again.",
+		map[string]string{"upstreams": joinAddrPorts(servers)},
+	)
+	p.warningActive = false
+	return true
+}
+
+// projectUnhealthy records an unhealthy tick on p, publishes the
+// warning when the emission rules fire, and returns the Enabled flag
+// to record in NSGroupState.
+func (s *DefaultServer) projectUnhealthy(p *nsGroupProj, servers []netip.AddrPort, immediate bool, now time.Time, delay time.Duration) bool {
+	streakStart := p.unhealthySince.IsZero()
+	if streakStart {
+		p.unhealthySince = now
+	}
+	reason := unhealthyEmitReason(immediate, p.everHealthy, now.Sub(p.unhealthySince), delay)
+	switch {
+	case reason != "" && !p.warningActive:
+		log.Debugf("DNS health: group [%s] unreachable, emitting event (reason=%s)", joinAddrPorts(servers), reason)
+		s.statusRecorder.PublishEvent(
+			proto.SystemEvent_WARNING,
+			proto.SystemEvent_DNS,
+			"Nameserver group unreachable",
+			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
+			map[string]string{"upstreams": joinAddrPorts(servers)},
+		)
+		p.warningActive = true
+	case streakStart && reason == "":
+		// One line per streak, not per tick.
+		log.Debugf("DNS health: group [%s] unreachable but holding warning for up to %v (overlay-routed, no connected peer)", joinAddrPorts(servers), delay)
+	}
+	return false
+}
+
+// warningDelay returns the grace window for the given selected-route
+// count. Scales gently: +1s per 100 routes, capped by
+// warningDelayBonusCap. Parallel handshakes mean handshake time grows
+// much slower than route count, so linear scaling would overcorrect.
+//
+// TODO: revisit the scaling curve with real-world data — the current
+// values are a reasonable starting point, not a measured fit.
+func (s *DefaultServer) warningDelay(routeCount int) time.Duration {
+	bonus := time.Duration(routeCount/100) * time.Second
+	if bonus > warningDelayBonusCap {
+		bonus = warningDelayBonusCap
+	}
+	return s.warningDelayBase + bonus
+}
+
+// groupHasImmediateUpstream reports whether the group has at least one
+// upstream in a classification that bypasses the grace window: public
+// (outside the overlay range and not routed), or overlay/routed with a
+// Connected peer.
+//
+// TODO(ipv6): include the v6 overlay prefix once it's plumbed in.
+func (s *DefaultServer) groupHasImmediateUpstream(servers []netip.AddrPort, snap nsHealthSnapshot) bool {
+	var overlayV4 netip.Prefix
+	if s.wgInterface != nil {
+		overlayV4 = s.wgInterface.Address().Network
+	}
+	for _, srv := range servers {
+		addr := srv.Addr().Unmap()
+		overlay := overlayV4.IsValid() && overlayV4.Contains(addr)
+		selMatched, selDynamic := haMapContains(snap.selected, addr)
+		// Treat an unknown (dynamic selected route) as possibly routed:
+		// the upstream might reach through a dynamic route whose Network
+		// hasn't resolved yet, and classifying as public would bypass
+		// the startup grace window.
+		routed := selMatched || selDynamic
+		if !overlay && !routed {
+			return true
+		}
+		if actMatched, _ := haMapContains(snap.active, addr); actMatched {
+			return true
+		}
+	}
+	return false
+}
+
+// collectUpstreamHealth merges health snapshots across handlers, keeping
+// the most recent success and failure per upstream when an address appears
+// in more than one handler.
+func (s *DefaultServer) collectUpstreamHealth() map[netip.AddrPort]UpstreamHealth {
+	merged := make(map[netip.AddrPort]UpstreamHealth)
+	for _, entry := range s.dnsMuxMap {
+		reporter, ok := entry.handler.(upstreamHealthReporter)
+		if !ok {
+			continue
+		}
+		for addr, h := range reporter.UpstreamHealth() {
+			existing, have := merged[addr]
+			if !have {
+				merged[addr] = h
+				continue
+			}
+			if h.LastOk.After(existing.LastOk) {
+				existing.LastOk = h.LastOk
+			}
+			if h.LastFail.After(existing.LastFail) {
+				existing.LastFail = h.LastFail
+				existing.LastErr = h.LastErr
+			}
+			merged[addr] = existing
+		}
+	}
+	return merged
+}
+
+func (s *DefaultServer) startHealthRefresher() {
+	s.shutdownWg.Add(1)
+	go func() {
+		defer s.shutdownWg.Done()
+		ticker := time.NewTicker(nsGroupHealthRefreshInterval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-s.ctx.Done():
+				return
+			case <-ticker.C:
+			case <-s.healthRefresh:
+			}
+			s.refreshHealth()
+		}
+	}()
+}
+
+// evaluateNSGroupHealth decides a group's verdict from query records
+// alone. Per upstream, the most-recent-in-lookback observation wins.
+// Group is Healthy if any upstream is fresh-working, Unhealthy if any
+// is fresh-broken with no fresh-working sibling, Undecided otherwise.
+func evaluateNSGroupHealth(merged map[netip.AddrPort]UpstreamHealth, servers []netip.AddrPort, now time.Time) (nsGroupVerdict, error) {
+	anyWorking := false
+	anyBroken := false
+	var mostRecentFail time.Time
+	var mostRecentErr string
+
+	for _, srv := range servers {
+		h, ok := merged[srv]
+		if !ok {
+			continue
+		}
+		switch classifyUpstreamHealth(h, now) {
+		case upstreamFresh:
+			anyWorking = true
+		case upstreamBroken:
+			anyBroken = true
+			if h.LastFail.After(mostRecentFail) {
+				mostRecentFail = h.LastFail
+				mostRecentErr = h.LastErr
+			}
+		}
+	}
+
+	if anyWorking {
+		return nsVerdictHealthy, nil
+	}
+	if anyBroken {
+		if mostRecentErr == "" {
+			return nsVerdictUnhealthy, nil
+		}
+		return nsVerdictUnhealthy, errors.New(mostRecentErr)
+	}
+	return nsVerdictUndecided, nil
+}
+
+// upstreamClassification is the per-upstream verdict within healthLookback.
+type upstreamClassification int
+
+const (
+	upstreamStale upstreamClassification = iota
+	upstreamFresh
+	upstreamBroken
+)
+
+// classifyUpstreamHealth compares the last ok and last fail timestamps
+// against healthLookback and returns which one (if any) counts. Fresh
+// wins when both are in-window and ok is newer; broken otherwise.
+func classifyUpstreamHealth(h UpstreamHealth, now time.Time) upstreamClassification {
+	okRecent := !h.LastOk.IsZero() && now.Sub(h.LastOk) <= healthLookback
+	failRecent := !h.LastFail.IsZero() && now.Sub(h.LastFail) <= healthLookback
+	switch {
+	case okRecent && failRecent:
+		if h.LastOk.After(h.LastFail) {
+			return upstreamFresh
+		}
+		return upstreamBroken
+	case okRecent:
+		return upstreamFresh
+	case failRecent:
+		return upstreamBroken
+	}
+	return upstreamStale
+}
+
+func joinAddrPorts(servers []netip.AddrPort) string {
+	parts := make([]string, 0, len(servers))
+	for _, s := range servers {
+		parts = append(parts, s.String())
+	}
+	return strings.Join(parts, ", ")
+}
+
+// generateGroupKey returns a stable identity for an NS group so health
+// state (everHealthy / warningActive) survives reorderings in the
+// configured nameserver or domain lists.
+func generateGroupKey(nsGroup *nbdns.NameServerGroup) nsGroupID {
+	servers := make([]string, 0, len(nsGroup.NameServers))
 	for _, ns := range nsGroup.NameServers {
 		servers = append(servers, ns.AddrPort().String())
 	}
-	return fmt.Sprintf("%v_%v", servers, nsGroup.Domains)
+	slices.Sort(servers)
+	domains := slices.Clone(nsGroup.Domains)
+	slices.Sort(domains)
+	return nsGroupID(fmt.Sprintf("%v_%v", servers, domains))
 }

 // groupNSGroupsByDomain groups nameserver groups by their match domains
@@ -1160,6 +1406,21 @@ func toZone(d domain.Domain) domain.Domain {
 	)
 }

+// unhealthyEmitReason returns the tag of the rule that fires the
+// warning now, or "" if the group is still inside its grace window.
+func unhealthyEmitReason(immediate, everHealthy bool, elapsed, delay time.Duration) string {
+	switch {
+	case immediate:
+		return "immediate"
+	case everHealthy:
+		return "ever-healthy"
+	case elapsed >= delay:
+		return "grace-elapsed"
+	default:
+		return ""
+	}
+}
+
 // PopulateManagementDomain populates the DNS cache with management domain
 func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	if s.mgmtCacheResolver != nil {
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
 	"testing"
 	"time"

@@ -15,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

@@ -31,8 +31,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

@@ -101,16 +103,17 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }

-func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamResolverBase {
+func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolverBase {
 	var srvs []netip.AddrPort
 	for _, srv := range servers {
 		srvs = append(srvs, srv.AddrPort())
 	}
-	return &upstreamResolverBase{
-		domain:          domain,
-		upstreamServers: srvs,
-		cancel:          func() {},
+	u := &upstreamResolverBase{
+		domain: domain.Domain(d),
+		cancel: func() {},
 	}
+	u.addRace(srvs)
+	return u
 }

 func TestUpdateDNSServer(t *testing.T) {
@@ -653,73 +656,6 @@ func TestDNSServerStartStop(t *testing.T) {
 	}
 }

-func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
-	hostManager := &mockHostConfigurator{}
-	server := DefaultServer{
-		ctx:           context.Background(),
-		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: local.NewResolver(),
-		handlerChain:  NewHandlerChain(),
-		hostManager:   hostManager,
-		currentConfig: HostDNSConfig{
-			Domains: []DomainConfig{
-				{false, "domain0", false},
-				{false, "domain1", false},
-				{false, "domain2", false},
-			},
-		},
-		statusRecorder: peer.NewRecorder("mgm"),
-	}
-
-	var domainsUpdate string
-	hostManager.applyDNSConfigFunc = func(config HostDNSConfig, statemanager *statemanager.Manager) error {
-		domains := []string{}
-		for _, item := range config.Domains {
-			if item.Disabled {
-				continue
-			}
-			domains = append(domains, item.Domain)
-		}
-		domainsUpdate = strings.Join(domains, ",")
-		return nil
-	}
-
-	deactivate, reactivate := server.upstreamCallbacks(&nbdns.NameServerGroup{
-		Domains: []string{"domain1"},
-		NameServers: []nbdns.NameServer{
-			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
-		},
-	}, nil, 0)
-
-	deactivate(nil)
-	expected := "domain0,domain2"
-	domains := []string{}
-	for _, item := range server.currentConfig.Domains {
-		if item.Disabled {
-			continue
-		}
-		domains = append(domains, item.Domain)
-	}
-	got := strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, got)
-	}
-
-	reactivate()
-	expected = "domain0,domain1,domain2"
-	domains = []string{}
-	for _, item := range server.currentConfig.Domains {
-		if item.Disabled {
-			continue
-		}
-		domains = append(domains, item.Domain)
-	}
-	got = strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, domainsUpdate)
-	}
-}
-
 func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
@@ -1065,7 +1001,6 @@ type mockHandler struct {

 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
 func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) ProbeAvailability(context.Context)     {}
 func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }

 type mockService struct{}
@@ -2085,6 +2020,598 @@ func TestLocalResolverPriorityConstants(t *testing.T) {
 	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
 }

+// TestBuildUpstreamHandler_MergesGroupsPerDomain verifies that multiple
+// admin-defined nameserver groups targeting the same domain collapse into a
+// single handler with each group preserved as a sequential inner list.
+func TestBuildUpstreamHandler_MergesGroupsPerDomain(t *testing.T) {
+	wgInterface := &mocWGIface{}
+	service := NewServiceViaMemory(wgInterface)
+	server := &DefaultServer{
+		ctx:           context.Background(),
+		wgInterface:   wgInterface,
+		service:       service,
+		localResolver: local.NewResolver(),
+		handlerChain:  NewHandlerChain(),
+		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
+	}
+
+	groups := []*nbdns.NameServerGroup{
+		{
+			NameServers: []nbdns.NameServer{
+				{IP: netip.MustParseAddr("192.0.2.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+			},
+			Domains: []string{"example.com"},
+		},
+		{
+			NameServers: []nbdns.NameServer{
+				{IP: netip.MustParseAddr("192.0.2.2"), NSType: nbdns.UDPNameServerType, Port: 53},
+				{IP: netip.MustParseAddr("192.0.2.3"), NSType: nbdns.UDPNameServerType, Port: 53},
+			},
+			Domains: []string{"example.com"},
+		},
+	}
+
+	muxUpdates, err := server.buildUpstreamHandlerUpdate(groups)
+	require.NoError(t, err)
+	require.Len(t, muxUpdates, 1, "same-domain groups should merge into one handler")
+	assert.Equal(t, "example.com", muxUpdates[0].domain)
+	assert.Equal(t, PriorityUpstream, muxUpdates[0].priority)
+
+	handler := muxUpdates[0].handler.(*upstreamResolver)
+	require.Len(t, handler.upstreamServers, 2, "handler should have two groups")
+	assert.Equal(t, upstreamRace{netip.MustParseAddrPort("192.0.2.1:53")}, handler.upstreamServers[0])
+	assert.Equal(t, upstreamRace{
+		netip.MustParseAddrPort("192.0.2.2:53"),
+		netip.MustParseAddrPort("192.0.2.3:53"),
+	}, handler.upstreamServers[1])
+}
+
+// TestEvaluateNSGroupHealth covers the records-only verdict. The gate
+// (overlay route selected-but-no-active-peer) is intentionally NOT an
+// input to the evaluator anymore: the verdict drives the Enabled flag,
+// which must always reflect what we actually observed. Gate-aware event
+// suppression is tested separately in the projection test.
+//
+// Matrix per upstream: {no record, fresh Ok, fresh Fail, stale Fail,
+// stale Ok, Ok newer than Fail, Fail newer than Ok}.
+// Group verdict: any fresh-working → Healthy; any fresh-broken with no
+// fresh-working → Unhealthy; otherwise Undecided.
+func TestEvaluateNSGroupHealth(t *testing.T) {
+	now := time.Now()
+	a := netip.MustParseAddrPort("192.0.2.1:53")
+	b := netip.MustParseAddrPort("192.0.2.2:53")
+
+	recentOk := UpstreamHealth{LastOk: now.Add(-2 * time.Second)}
+	recentFail := UpstreamHealth{LastFail: now.Add(-1 * time.Second), LastErr: "timeout"}
+	staleOk := UpstreamHealth{LastOk: now.Add(-10 * time.Minute)}
+	staleFail := UpstreamHealth{LastFail: now.Add(-10 * time.Minute), LastErr: "timeout"}
+	okThenFail := UpstreamHealth{
+		LastOk:   now.Add(-10 * time.Second),
+		LastFail: now.Add(-1 * time.Second),
+		LastErr:  "timeout",
+	}
+	failThenOk := UpstreamHealth{
+		LastOk:   now.Add(-1 * time.Second),
+		LastFail: now.Add(-10 * time.Second),
+		LastErr:  "timeout",
+	}
+
+	tests := []struct {
+		name         string
+		health       map[netip.AddrPort]UpstreamHealth
+		servers      []netip.AddrPort
+		wantVerdict  nsGroupVerdict
+		wantErrSubst string
+	}{
+		{
+			name:        "no record, undecided",
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:        "fresh success, healthy",
+			health:      map[netip.AddrPort]UpstreamHealth{a: recentOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name:         "fresh failure, unhealthy",
+			health:       map[netip.AddrPort]UpstreamHealth{a: recentFail},
+			servers:      []netip.AddrPort{a},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name:        "only stale success, undecided",
+			health:      map[netip.AddrPort]UpstreamHealth{a: staleOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:        "only stale failure, undecided",
+			health:      map[netip.AddrPort]UpstreamHealth{a: staleFail},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:         "both fresh, fail newer, unhealthy",
+			health:       map[netip.AddrPort]UpstreamHealth{a: okThenFail},
+			servers:      []netip.AddrPort{a},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name:        "both fresh, ok newer, healthy",
+			health:      map[netip.AddrPort]UpstreamHealth{a: failThenOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name: "two upstreams, one success wins",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: recentFail,
+				b: recentOk,
+			},
+			servers:     []netip.AddrPort{a, b},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name: "two upstreams, one fail one unseen, unhealthy",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: recentFail,
+			},
+			servers:      []netip.AddrPort{a, b},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name: "two upstreams, all recent failures, unhealthy",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: {LastFail: now.Add(-5 * time.Second), LastErr: "timeout"},
+				b: {LastFail: now.Add(-1 * time.Second), LastErr: "SERVFAIL"},
+			},
+			servers:      []netip.AddrPort{a, b},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "SERVFAIL",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			verdict, err := evaluateNSGroupHealth(tc.health, tc.servers, now)
+			assert.Equal(t, tc.wantVerdict, verdict, "verdict mismatch")
+			if tc.wantErrSubst != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.wantErrSubst)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+// healthStubHandler is a minimal dnsMuxMap entry that exposes a fixed
+// UpstreamHealth snapshot, letting tests drive recomputeNSGroupStates
+// without spinning up real handlers.
+type healthStubHandler struct {
+	health map[netip.AddrPort]UpstreamHealth
+}
+
+func (h *healthStubHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
+func (h *healthStubHandler) Stop()                                 {}
+func (h *healthStubHandler) ID() types.HandlerID                   { return "health-stub" }
+func (h *healthStubHandler) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
+	return h.health
+}
+
+// TestProjection_SteadyStateIsSilent guards against duplicate events:
+// while a group stays Unhealthy tick after tick, only the first
+// Unhealthy transition may emit. Same for staying Healthy.
+func TestProjection_SteadyStateIsSilent(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "first fail emits warning")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.tick()
+	fx.expectNoEvent("staying unhealthy must not re-emit")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "recovery on transition")
+
+	fx.tick()
+	fx.tick()
+	fx.expectNoEvent("staying healthy must not re-emit")
+}
+
+// projTestFixture is the common setup for the projection tests: a
+// single-upstream group whose route classification the test can flip by
+// assigning to selected/active. Callers drive failures/successes by
+// mutating stub.health and calling refreshHealth.
+type projTestFixture struct {
+	t        *testing.T
+	recorder *peer.Status
+	events   <-chan *proto.SystemEvent
+	server   *DefaultServer
+	stub     *healthStubHandler
+	group    *nbdns.NameServerGroup
+	srv      netip.AddrPort
+	selected route.HAMap
+	active   route.HAMap
+}
+
+func newProjTestFixture(t *testing.T) *projTestFixture {
+	t.Helper()
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+
+	srv := netip.MustParseAddrPort("100.64.0.1:53")
+	fx := &projTestFixture{
+		t:        t,
+		recorder: recorder,
+		events:   sub.Events(),
+		stub:     &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{}},
+		srv:      srv,
+		group: &nbdns.NameServerGroup{
+			Domains:     []string{"example.com"},
+			NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
+		},
+	}
+	fx.server = &DefaultServer{
+		ctx:              context.Background(),
+		wgInterface:      &mocWGIface{},
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return fx.selected },
+		activeRoutes:     func() route.HAMap { return fx.active },
+		warningDelayBase: defaultWarningDelayBase,
+	}
+	fx.server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}
+
+	fx.server.mux.Lock()
+	fx.server.updateNSGroupStates([]*nbdns.NameServerGroup{fx.group})
+	fx.server.mux.Unlock()
+	return fx
+}
+
+func (f *projTestFixture) setHealth(h UpstreamHealth) {
+	f.stub.health = map[netip.AddrPort]UpstreamHealth{f.srv: h}
+}
+
+func (f *projTestFixture) tick() []peer.NSGroupState {
+	f.server.refreshHealth()
+	return f.recorder.GetDNSStates()
+}
+
+func (f *projTestFixture) expectNoEvent(why string) {
+	f.t.Helper()
+	select {
+	case evt := <-f.events:
+		f.t.Fatalf("unexpected event (%s): %+v", why, evt)
+	case <-time.After(100 * time.Millisecond):
+	}
+}
+
+func (f *projTestFixture) expectEvent(substr, why string) *proto.SystemEvent {
+	f.t.Helper()
+	select {
+	case evt := <-f.events:
+		assert.Contains(f.t, evt.Message, substr, why)
+		return evt
+	case <-time.After(time.Second):
+		f.t.Fatalf("expected event (%s) with %q", why, substr)
+		return nil
+	}
+}
+
+var overlayNetForTest = netip.MustParsePrefix("100.64.0.0/16")
+var overlayMapForTest = route.HAMap{"overlay": {{Network: overlayNetForTest}}}
+
+// TestProjection_PublicFailEmitsImmediately covers rule 1: an upstream
+// that is not inside any selected route (public DNS) fires the warning
+// on the first Unhealthy tick, no grace period.
+func TestProjection_PublicFailEmitsImmediately(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled)
+	fx.expectEvent("unreachable", "public DNS failure")
+}
+
+// TestProjection_OverlayConnectedFailEmitsImmediately covers rule 2:
+// the upstream is inside a selected route AND the route has a Connected
+// peer. Tunnel is up, failure is real, emit immediately.
+func TestProjection_OverlayConnectedFailEmitsImmediately(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled)
+	fx.expectEvent("unreachable", "overlay + connected failure")
+}
+
+// TestProjection_OverlayNotConnectedDelaysWarning covers rule 3: the
+// upstream is routed but no peer is Connected (Connecting/Idle/missing).
+// First tick: Unhealthy display, no warning. After the grace window
+// elapses with no recovery, the warning fires.
+func TestProjection_OverlayNotConnectedDelaysWarning(t *testing.T) {
+	grace := 50 * time.Millisecond
+	fx := newProjTestFixture(t)
+	fx.server.warningDelayBase = grace
+	fx.selected = overlayMapForTest
+	// active stays nil: routed but not connected.
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled, "display must reflect failure even during grace window")
+	fx.expectNoEvent("first fail tick within grace window")
+
+	time.Sleep(grace + 10*time.Millisecond)
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "warning after grace window")
+}
+
+// TestProjection_OverlayAddrNoRouteDelaysWarning covers an upstream
+// whose address is inside the WireGuard overlay range but is not
+// covered by any selected route (peer-to-peer DNS without an explicit
+// route). Until a peer reports Connected for that address, startup
+// failures must be held just like the routed case.
+func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+
+	overlayPeer := netip.MustParseAddrPort("100.66.100.5:53")
+	server := &DefaultServer{
+		ctx:              context.Background(),
+		wgInterface:      &mocWGIface{},
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return nil },
+		activeRoutes:     func() route.HAMap { return nil },
+		warningDelayBase: 50 * time.Millisecond,
+	}
+	group := &nbdns.NameServerGroup{
+		Domains:     []string{"example.com"},
+		NameServers: []nbdns.NameServer{{IP: overlayPeer.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlayPeer.Port())}},
+	}
+	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{
+		overlayPeer: {LastFail: time.Now(), LastErr: "timeout"},
+	}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	select {
+	case evt := <-sub.Events():
+		t.Fatalf("unexpected event during grace window: %+v", evt)
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	time.Sleep(60 * time.Millisecond)
+	stub.health = map[netip.AddrPort]UpstreamHealth{overlayPeer: {LastFail: time.Now(), LastErr: "timeout"}}
+	server.refreshHealth()
+
+	select {
+	case evt := <-sub.Events():
+		assert.Contains(t, evt.Message, "unreachable")
+	case <-time.After(time.Second):
+		t.Fatal("expected warning after grace window")
+	}
+}
+
+// TestProjection_StopClearsHealthState verifies that Stop wipes the
+// per-group projection state so a subsequent Start doesn't inherit
+// sticky flags (notably everHealthy) that would bypass the grace
+// window during the next peer handshake.
+func TestProjection_StopClearsHealthState(t *testing.T) {
+	wgIface := &mocWGIface{}
+	server := &DefaultServer{
+		ctx:               context.Background(),
+		wgInterface:       wgIface,
+		service:           NewServiceViaMemory(wgIface),
+		hostManager:       &noopHostConfigurator{},
+		extraDomains:      map[domain.Domain]int{},
+		dnsMuxMap:         make(registeredHandlerMap),
+		statusRecorder:    peer.NewRecorder("mgm"),
+		selectedRoutes:    func() route.HAMap { return nil },
+		activeRoutes:      func() route.HAMap { return nil },
+		warningDelayBase:  defaultWarningDelayBase,
+		currentConfigHash: ^uint64(0),
+	}
+	server.ctx, server.ctxCancel = context.WithCancel(context.Background())
+
+	srv := netip.MustParseAddrPort("8.8.8.8:53")
+	group := &nbdns.NameServerGroup{
+		Domains:     []string{"example.com"},
+		NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
+	}
+	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{srv: {LastOk: time.Now()}}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	server.healthProjectMu.Lock()
+	p, ok := server.nsGroupProj[generateGroupKey(group)]
+	server.healthProjectMu.Unlock()
+	require.True(t, ok, "projection state should exist after tick")
+	require.True(t, p.everHealthy, "tick with success must set everHealthy")
+
+	server.Stop()
+
+	server.healthProjectMu.Lock()
+	cleared := server.nsGroupProj == nil
+	server.healthProjectMu.Unlock()
+	assert.True(t, cleared, "Stop must clear nsGroupProj")
+}
+
+// TestProjection_OverlayRecoversDuringGrace covers the happy path of
+// rule 3: startup failures while the peer is handshaking, then the peer
+// comes up and a query succeeds before the grace window elapses. No
+// warning should ever have fired, and no recovery either.
+func TestProjection_OverlayRecoversDuringGrace(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.server.warningDelayBase = 200 * time.Millisecond
+	fx.selected = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectNoEvent("fail within grace, warning suppressed")
+
+	fx.active = overlayMapForTest
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.True(t, states[0].Enabled)
+	fx.expectNoEvent("recovery without prior warning must not emit")
+}
+
+// TestProjection_RecoveryOnlyAfterWarning enforces the invariant the
+// whole design leans on: recovery events only appear when a warning
+// event was actually emitted for the current streak. A Healthy verdict
+// without a prior warning is silent, so the user never sees "recovered"
+// out of thin air.
+func TestProjection_RecoveryOnlyAfterWarning(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.True(t, states[0].Enabled)
+	fx.expectNoEvent("first healthy tick should not recover anything")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "public fail emits immediately")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "recovery follows real warning")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "second cycle warning")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "second cycle recovery")
+}
+
+// TestProjection_EverHealthyOverridesDelay covers rule 4: once a group
+// has ever been Healthy, subsequent failures skip the grace window even
+// if classification says "routed + not connected". The system has
+// proved it can work, so any new failure is real.
+func TestProjection_EverHealthyOverridesDelay(t *testing.T) {
+	fx := newProjTestFixture(t)
+	// Large base so any emission must come from the everHealthy bypass, not elapsed time.
+	fx.server.warningDelayBase = time.Hour
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	// Establish "ever healthy".
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectNoEvent("first healthy tick")
+
+	// Peer drops. Query fails. Routed + not connected → normally grace,
+	// but everHealthy flag bypasses it.
+	fx.active = nil
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "failure after ever-healthy must be immediate")
+}
+
+// TestProjection_ReconnectBlipEmitsPair covers the explicit tradeoff
+// from the design discussion: once a group has been healthy, a brief
+// reconnect that produces a failing tick will fire warning + recovery.
+// This is by design: user-visible blips are accurate signal, not noise.
+func TestProjection_ReconnectBlipEmitsPair(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "blip warning")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "blip recovery")
+}
+
+// TestProjection_MixedGroupEmitsImmediately covers the multi-upstream
+// rule: a group with at least one public upstream is in the "immediate"
+// category regardless of the other upstreams' routing, because the
+// public one has no peer-startup excuse. Prevents public-DNS failures
+// from being hidden behind a routed sibling.
+func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+	events := sub.Events()
+
+	public := netip.MustParseAddrPort("8.8.8.8:53")
+	overlay := netip.MustParseAddrPort("100.64.0.1:53")
+	overlayMap := route.HAMap{"overlay": {{Network: netip.MustParsePrefix("100.64.0.0/16")}}}
+
+	server := &DefaultServer{
+		ctx:              context.Background(),
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return overlayMap },
+		activeRoutes:     func() route.HAMap { return nil },
+		warningDelayBase: time.Hour,
+	}
+	group := &nbdns.NameServerGroup{
+		Domains: []string{"example.com"},
+		NameServers: []nbdns.NameServer{
+			{IP: public.Addr(), NSType: nbdns.UDPNameServerType, Port: int(public.Port())},
+			{IP: overlay.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlay.Port())},
+		},
+	}
+	stub := &healthStubHandler{
+		health: map[netip.AddrPort]UpstreamHealth{
+			public:  {LastFail: time.Now(), LastErr: "servfail"},
+			overlay: {LastFail: time.Now(), LastErr: "timeout"},
+		},
+	}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	select {
+	case evt := <-events:
+		assert.Contains(t, evt.Message, "unreachable")
+	case <-time.After(time.Second):
+		t.Fatal("expected immediate warning because group contains a public upstream")
+	}
+}
+
 func TestDNSLoopPrevention(t *testing.T) {
 	wgInterface := &mocWGIface{}
 	service := NewServiceViaMemory(wgInterface)
@@ -2183,17 +2710,18 @@ func TestDNSLoopPrevention(t *testing.T) {

 			if tt.expectedHandlers > 0 {
 				handler := muxUpdates[0].handler.(*upstreamResolver)
-				assert.Len(t, handler.upstreamServers, len(tt.expectedServers))
+				flat := handler.flatUpstreams()
+				assert.Len(t, flat, len(tt.expectedServers))

 				if tt.shouldFilterOwnIP {
-					for _, upstream := range handler.upstreamServers {
+					for _, upstream := range flat {
 						assert.NotEqual(t, dnsServerIP, upstream.Addr())
 					}
 				}

 				for _, expected := range tt.expectedServers {
 					found := false
-					for _, upstream := range handler.upstreamServers {
+					for _, upstream := range flat {
 						if upstream.Addr() == expected {
 							found = true
 							break
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -1,3 +1,32 @@
+// Package dns implements the client-side DNS stack: listener/service on the
+// peer's tunnel address, handler chain that routes questions by domain and
+// priority, and upstream resolvers that forward what remains to configured
+// nameservers.
+//
+// # Upstream resolution and the race model
+//
+// When two or more nameserver groups target the same domain, DefaultServer
+// merges them into one upstream handler whose state is:
+//
+//	upstreamResolverBase
+//	  └── upstreamServers []upstreamRace   // one entry per source NS group
+//	        └── []netip.AddrPort           // primary, fallback, ...
+//
+// Each source nameserver group contributes one upstreamRace. Within a race
+// upstreams are tried in order: the next is used only on failure (timeout,
+// SERVFAIL, REFUSED, no response). NXDOMAIN is a valid answer and stops
+// the walk. When more than one race exists, ServeDNS fans out one
+// goroutine per race and returns the first valid answer, cancelling the
+// rest. A handler with a single race skips the fan-out.
+//
+// # Health projection
+//
+// Query outcomes are recorded per-upstream in UpstreamHealth. The server
+// periodically merges these snapshots across handlers and projects them
+// into peer.NSGroupState. There is no active probing: a group is marked
+// unhealthy only when every seen upstream has a recent failure and none
+// has a recent success. Healthy→unhealthy fires a single
+// SystemEvent_WARNING; steady-state refreshes do not duplicate it.
 package dns

 import (
@@ -11,11 +40,8 @@ import (
 	"slices"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

-	"github.com/cenkalti/backoff/v4"
-	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
@@ -24,7 +50,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )

 var currentMTU uint16 = iface.DefaultMTU
@@ -39,15 +66,17 @@ const (
 	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
 	ClientTimeout = 5 * time.Second

-	reactivatePeriod = 30 * time.Second
-	probeTimeout     = 2 * time.Second
-
 	// ipv6HeaderSize + udpHeaderSize, used to derive the maximum DNS UDP
 	// payload from the tunnel MTU.
 	ipUDPHeaderSize = 60 + 8
-)

-const testRecord = "com."
+	// raceMaxTotalTimeout caps the combined time spent walking all upstreams
+	// within one race, so a slow primary can't eat the whole race budget.
+	raceMaxTotalTimeout = 5 * time.Second
+	// raceMinPerUpstreamTimeout is the floor applied when dividing
+	// raceMaxTotalTimeout across upstreams within a race.
+	raceMinPerUpstreamTimeout = 2 * time.Second
+)

 const (
 	protoUDP = "udp"
@@ -56,6 +85,68 @@ const (

 type dnsProtocolKey struct{}

+type upstreamProtocolKey struct{}
+
+// upstreamProtocolResult holds the protocol used for the upstream exchange.
+// Stored as a pointer in context so the exchange function can set it.
+type upstreamProtocolResult struct {
+	protocol string
+}
+
+type upstreamClient interface {
+	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+type UpstreamResolver interface {
+	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
+	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+// upstreamRace is an ordered list of upstreams derived from one configured
+// nameserver group. Order matters: the first upstream is tried first, the
+// second only on failure, and so on. Multiple upstreamRace values coexist
+// inside one resolver when overlapping nameserver groups target the same
+// domain; those races run in parallel and the first valid answer wins.
+type upstreamRace []netip.AddrPort
+
+// UpstreamHealth is the last query-path outcome for a single upstream,
+// consumed by nameserver-group status projection.
+type UpstreamHealth struct {
+	LastOk   time.Time
+	LastFail time.Time
+	LastErr  string
+}
+
+type upstreamResolverBase struct {
+	ctx             context.Context
+	cancel          context.CancelFunc
+	upstreamClient  upstreamClient
+	upstreamServers []upstreamRace
+	domain          domain.Domain
+	upstreamTimeout time.Duration
+
+	healthMu sync.RWMutex
+	health   map[netip.AddrPort]*UpstreamHealth
+
+	statusRecorder *peer.Status
+	// selectedRoutes returns the current set of client routes the admin
+	// has enabled. Called lazily from the query hot path when an upstream
+	// might need a tunnel-bound client (iOS) and from health projection.
+	selectedRoutes func() route.HAMap
+}
+
+type upstreamFailure struct {
+	upstream netip.AddrPort
+	reason   string
+}
+
+type raceResult struct {
+	msg      *dns.Msg
+	upstream netip.AddrPort
+	protocol string
+	failures []upstreamFailure
+}
+
 // contextWithDNSProtocol stores the inbound DNS protocol ("udp" or "tcp") in context.
 func contextWithDNSProtocol(ctx context.Context, network string) context.Context {
 	return context.WithValue(ctx, dnsProtocolKey{}, network)
@@ -72,16 +163,8 @@ func dnsProtocolFromContext(ctx context.Context) string {
 	return ""
 }

-type upstreamProtocolKey struct{}
-
-// upstreamProtocolResult holds the protocol used for the upstream exchange.
-// Stored as a pointer in context so the exchange function can set it.
-type upstreamProtocolResult struct {
-	protocol string
-}
-
-// contextWithupstreamProtocolResult stores a mutable result holder in the context.
-func contextWithupstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
+// contextWithUpstreamProtocolResult stores a mutable result holder in the context.
+func contextWithUpstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
 	r := &upstreamProtocolResult{}
 	return context.WithValue(ctx, upstreamProtocolKey{}, r), r
 }
@@ -96,67 +179,37 @@ func setUpstreamProtocol(ctx context.Context, protocol string) {
 	}
 }

-type upstreamClient interface {
-	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-type UpstreamResolver interface {
-	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
-	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-type upstreamResolverBase struct {
-	ctx              context.Context
-	cancel           context.CancelFunc
-	upstreamClient   upstreamClient
-	upstreamServers  []netip.AddrPort
-	domain           string
-	disabled         bool
-	successCount     atomic.Int32
-	mutex            sync.Mutex
-	reactivatePeriod time.Duration
-	upstreamTimeout  time.Duration
-	wg               sync.WaitGroup
-
-	deactivate     func(error)
-	reactivate     func()
-	statusRecorder *peer.Status
-	routeMatch     func(netip.Addr) bool
-}
-
-type upstreamFailure struct {
-	upstream netip.AddrPort
-	reason   string
-}
-
-func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, domain string) *upstreamResolverBase {
+func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d domain.Domain) *upstreamResolverBase {
 	ctx, cancel := context.WithCancel(ctx)

 	return &upstreamResolverBase{
-		ctx:              ctx,
-		cancel:           cancel,
-		domain:           domain,
-		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		statusRecorder:   statusRecorder,
+		ctx:             ctx,
+		cancel:          cancel,
+		domain:          d,
+		upstreamTimeout: UpstreamTimeout,
+		statusRecorder:  statusRecorder,
 	}
 }

 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("Upstream %s", u.upstreamServers)
+	return fmt.Sprintf("Upstream %s", u.flatUpstreams())
 }

-// ID returns the unique handler ID
+// ID returns the unique handler ID. Race groupings and within-race
+// ordering are both part of the identity: [[A,B]] and [[A],[B]] query
+// the same servers but with different semantics (serial fallback vs
+// parallel race), so their handlers must not collide.
 func (u *upstreamResolverBase) ID() types.HandlerID {
-	servers := slices.Clone(u.upstreamServers)
-	slices.SortFunc(servers, func(a, b netip.AddrPort) int { return a.Compare(b) })
-
 	hash := sha256.New()
-	hash.Write([]byte(u.domain + ":"))
-	for _, s := range servers {
-		hash.Write([]byte(s.String()))
-		hash.Write([]byte("|"))
+	hash.Write([]byte(u.domain.PunycodeString() + ":"))
+	for _, race := range u.upstreamServers {
+		hash.Write([]byte("["))
+		for _, s := range race {
+			hash.Write([]byte(s.String()))
+			hash.Write([]byte("|"))
+		}
+		hash.Write([]byte("]"))
 	}
 	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
@@ -166,13 +219,31 @@ func (u *upstreamResolverBase) MatchSubdomains() bool {
 }

 func (u *upstreamResolverBase) Stop() {
-	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
+	log.Debugf("stopping serving DNS for upstreams %s", u.flatUpstreams())
 	u.cancel()
+}

-	u.mutex.Lock()
-	u.wg.Wait()
-	u.mutex.Unlock()
+// flatUpstreams is for logging and ID hashing only, not for dispatch.
+func (u *upstreamResolverBase) flatUpstreams() []netip.AddrPort {
+	var out []netip.AddrPort
+	for _, g := range u.upstreamServers {
+		out = append(out, g...)
+	}
+	return out
+}

+// setSelectedRoutes swaps the accessor used to classify overlay-routed
+// upstreams. Called when route sources are wired after the handler was
+// built (permanent / iOS constructors).
+func (u *upstreamResolverBase) setSelectedRoutes(selected func() route.HAMap) {
+	u.selectedRoutes = selected
+}
+
+func (u *upstreamResolverBase) addRace(servers []netip.AddrPort) {
+	if len(servers) == 0 {
+		return
+	}
+	u.upstreamServers = append(u.upstreamServers, slices.Clone(servers))
 }

 // ServeDNS handles a DNS request
@@ -214,59 +285,172 @@ func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 }

 func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) (bool, []upstreamFailure) {
-	timeout := u.upstreamTimeout
-	if len(u.upstreamServers) > 1 {
-		maxTotal := 5 * time.Second
-		minPerUpstream := 2 * time.Second
-		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
-		if scaledTimeout > minPerUpstream {
-			timeout = scaledTimeout
-		} else {
-			timeout = minPerUpstream
-		}
+	groups := u.upstreamServers
+	switch len(groups) {
+	case 0:
+		return false, nil
+	case 1:
+		return u.tryOnlyRace(ctx, w, r, groups[0], logger)
+	default:
+		return u.raceAll(ctx, w, r, groups, logger)
+	}
+}
+
+func (u *upstreamResolverBase) tryOnlyRace(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, group upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
+	res := u.tryRace(ctx, r, group)
+	if res.msg == nil {
+		return false, res.failures
+	}
+	u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
+	return true, res.failures
+}
+
+// raceAll runs one worker per group in parallel, taking the first valid
+// answer and cancelling the rest.
+func (u *upstreamResolverBase) raceAll(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, groups []upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
+	raceCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// Buffer sized to len(groups) so workers never block on send, even
+	// after the coordinator has returned.
+	results := make(chan raceResult, len(groups))
+	for _, g := range groups {
+		// tryRace clones the request per attempt, so workers never share
+		// a *dns.Msg and concurrent EDNS0 mutations can't race.
+		go func(g upstreamRace) {
+			results <- u.tryRace(raceCtx, r, g)
+		}(g)
 	}

 	var failures []upstreamFailure
-	for _, upstream := range u.upstreamServers {
-		if failure := u.queryUpstream(ctx, w, r, upstream, timeout, logger); failure != nil {
-			failures = append(failures, *failure)
-		} else {
-			return true, failures
+	for range groups {
+		select {
+		case res := <-results:
+			failures = append(failures, res.failures...)
+			if res.msg != nil {
+				u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
+				return true, failures
+			}
+		case <-ctx.Done():
+			return false, failures
 		}
 	}
 	return false, failures
 }

-// queryUpstream queries a single upstream server. Returns nil on success, or failure info to try next upstream.
-func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) *upstreamFailure {
-	var rm *dns.Msg
-	var t time.Duration
-	var err error
-
-	var startTime time.Time
-	var upstreamProto *upstreamProtocolResult
-	func() {
-		ctx, cancel := context.WithTimeout(parentCtx, timeout)
+func (u *upstreamResolverBase) tryRace(ctx context.Context, r *dns.Msg, group upstreamRace) raceResult {
+	timeout := u.upstreamTimeout
+	if len(group) > 1 {
+		// Cap the whole walk at raceMaxTotalTimeout: per-upstream timeouts
+		// still honor raceMinPerUpstreamTimeout as a floor for correctness
+		// on slow links, but the outer context ensures the combined walk
+		// cannot exceed the cap regardless of group size.
+		timeout = max(raceMaxTotalTimeout/time.Duration(len(group)), raceMinPerUpstreamTimeout)
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, raceMaxTotalTimeout)
 		defer cancel()
-		ctx, upstreamProto = contextWithupstreamProtocolResult(ctx)
-		startTime = time.Now()
-		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
-	}()
+	}
+
+	var failures []upstreamFailure
+	for _, upstream := range group {
+		if ctx.Err() != nil {
+			return raceResult{failures: failures}
+		}
+		// Clone the request per attempt: the exchange path mutates EDNS0
+		// options in-place, so reusing the same *dns.Msg across sequential
+		// upstreams would carry those mutations (e.g. a reduced UDP size)
+		// into the next attempt.
+		msg, proto, failure := u.queryUpstream(ctx, r.Copy(), upstream, timeout)
+		if failure != nil {
+			failures = append(failures, *failure)
+			continue
+		}
+		return raceResult{msg: msg, upstream: upstream, protocol: proto, failures: failures}
+	}
+	return raceResult{failures: failures}
+}
+
+func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration) (*dns.Msg, string, *upstreamFailure) {
+	ctx, cancel := context.WithTimeout(parentCtx, timeout)
+	defer cancel()
+	ctx, upstreamProto := contextWithUpstreamProtocolResult(ctx)
+
+	startTime := time.Now()
+	rm, _, err := u.upstreamClient.exchange(ctx, upstream.String(), r)

 	if err != nil {
-		return u.handleUpstreamError(err, upstream, startTime)
+		// A parent cancellation (e.g., another race won and the coordinator
+		// cancelled the losers) is not an upstream failure. Check both the
+		// error chain and the parent context: a transport may surface the
+		// cancellation as a read/deadline error rather than context.Canceled.
+		if errors.Is(err, context.Canceled) || errors.Is(parentCtx.Err(), context.Canceled) {
+			return nil, "", &upstreamFailure{upstream: upstream, reason: "canceled"}
+		}
+		failure := u.handleUpstreamError(err, upstream, startTime)
+		u.markUpstreamFail(upstream, failure.reason)
+		return nil, "", failure
 	}

 	if rm == nil || !rm.Response {
-		return &upstreamFailure{upstream: upstream, reason: "no response"}
+		u.markUpstreamFail(upstream, "no response")
+		return nil, "", &upstreamFailure{upstream: upstream, reason: "no response"}
 	}

 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
-		return &upstreamFailure{upstream: upstream, reason: dns.RcodeToString[rm.Rcode]}
+		reason := dns.RcodeToString[rm.Rcode]
+		u.markUpstreamFail(upstream, reason)
+		return nil, "", &upstreamFailure{upstream: upstream, reason: reason}
 	}

-	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
-	return nil
+	u.markUpstreamOk(upstream)
+
+	proto := ""
+	if upstreamProto != nil {
+		proto = upstreamProto.protocol
+	}
+	return rm, proto, nil
+}
+
+// healthEntry returns the mutable health record for addr, lazily creating
+// the map and the entry. Caller must hold u.healthMu.
+func (u *upstreamResolverBase) healthEntry(addr netip.AddrPort) *UpstreamHealth {
+	if u.health == nil {
+		u.health = make(map[netip.AddrPort]*UpstreamHealth)
+	}
+	h := u.health[addr]
+	if h == nil {
+		h = &UpstreamHealth{}
+		u.health[addr] = h
+	}
+	return h
+}
+
+func (u *upstreamResolverBase) markUpstreamOk(addr netip.AddrPort) {
+	u.healthMu.Lock()
+	defer u.healthMu.Unlock()
+	h := u.healthEntry(addr)
+	h.LastOk = time.Now()
+	h.LastFail = time.Time{}
+	h.LastErr = ""
+}
+
+func (u *upstreamResolverBase) markUpstreamFail(addr netip.AddrPort, reason string) {
+	u.healthMu.Lock()
+	defer u.healthMu.Unlock()
+	h := u.healthEntry(addr)
+	h.LastFail = time.Now()
+	h.LastErr = reason
+}
+
+// UpstreamHealth returns a snapshot of per-upstream query outcomes.
+func (u *upstreamResolverBase) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
+	u.healthMu.RLock()
+	defer u.healthMu.RUnlock()
+	out := make(map[netip.AddrPort]UpstreamHealth, len(u.health))
+	for k, v := range u.health {
+		out[k] = *v
+	}
+	return out
 }

 func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, startTime time.Time) *upstreamFailure {
@@ -282,12 +466,23 @@ func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.Add
 	return &upstreamFailure{upstream: upstream, reason: reason}
 }

-func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, upstreamProto *upstreamProtocolResult, logger *log.Entry) bool {
-	u.successCount.Add(1)
+func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
+	if u.statusRecorder == nil {
+		return ""
+	}

+	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+	if peerInfo == nil {
+		return ""
+	}
+
+	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+}
+
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, proto string, logger *log.Entry) {
 	resutil.SetMeta(w, "upstream", upstream.String())
-	if upstreamProto != nil && upstreamProto.protocol != "" {
-		resutil.SetMeta(w, "upstream_protocol", upstreamProto.protocol)
+	if proto != "" {
+		resutil.SetMeta(w, "upstream_protocol", proto)
 	}

 	// Clear Zero bit from external responses to prevent upstream servers from
@@ -296,14 +491,11 @@ func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dn

 	if err := w.WriteMsg(rm); err != nil {
 		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
-		return true
 	}
-
-	return true
 }

 func (u *upstreamResolverBase) logUpstreamFailures(domain string, failures []upstreamFailure, succeeded bool, logger *log.Entry) {
-	totalUpstreams := len(u.upstreamServers)
+	totalUpstreams := len(u.flatUpstreams())
 	failedCount := len(failures)
 	failureSummary := formatFailures(failures)

@@ -330,119 +522,6 @@ func formatFailures(failures []upstreamFailure) string {
 	return strings.Join(parts, ", ")
 }

-// ProbeAvailability tests all upstream servers simultaneously and
-// disables the resolver if none work
-func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
-
-	// avoid probe if upstreams could resolve at least one query
-	if u.successCount.Load() > 0 {
-		return
-	}
-
-	var success bool
-	var mu sync.Mutex
-	var wg sync.WaitGroup
-
-	var errs *multierror.Error
-	for _, upstream := range u.upstreamServers {
-		wg.Add(1)
-		go func(upstream netip.AddrPort) {
-			defer wg.Done()
-			err := u.testNameserver(u.ctx, ctx, upstream, 500*time.Millisecond)
-			if err != nil {
-				mu.Lock()
-				errs = multierror.Append(errs, err)
-				mu.Unlock()
-				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
-				return
-			}
-
-			mu.Lock()
-			success = true
-			mu.Unlock()
-		}(upstream)
-	}
-
-	wg.Wait()
-
-	select {
-	case <-ctx.Done():
-		return
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
-	// didn't find a working upstream server, let's disable and try later
-	if !success {
-		u.disable(errs.ErrorOrNil())
-
-		if u.statusRecorder == nil {
-			return
-		}
-
-		u.statusRecorder.PublishEvent(
-			proto.SystemEvent_WARNING,
-			proto.SystemEvent_DNS,
-			"All upstream servers failed (probe failed)",
-			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-			map[string]string{"upstreams": u.upstreamServersString()},
-		)
-	}
-}
-
-// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
-func (u *upstreamResolverBase) waitUntilResponse() {
-	exponentialBackOff := &backoff.ExponentialBackOff{
-		InitialInterval:     500 * time.Millisecond,
-		RandomizationFactor: 0.5,
-		Multiplier:          1.1,
-		MaxInterval:         u.reactivatePeriod,
-		MaxElapsedTime:      0,
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	operation := func() error {
-		select {
-		case <-u.ctx.Done():
-			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServersString()))
-		default:
-		}
-
-		for _, upstream := range u.upstreamServers {
-			if err := u.testNameserver(u.ctx, nil, upstream, probeTimeout); err != nil {
-				log.Tracef("upstream check for %s: %s", upstream, err)
-			} else {
-				// at least one upstream server is available, stop probing
-				return nil
-			}
-		}
-
-		log.Tracef("checking connectivity with upstreams %s failed. Retrying in %s", u.upstreamServersString(), exponentialBackOff.NextBackOff())
-		return fmt.Errorf("upstream check call error")
-	}
-
-	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
-	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
-		} else {
-			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
-		}
-		return
-	}
-
-	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
-	u.successCount.Add(1)
-	u.reactivate()
-	u.mutex.Lock()
-	u.disabled = false
-	u.mutex.Unlock()
-}
-
 // isTimeout returns true if the given error is a network timeout error.
 //
 // Copied from k8s.io/apimachinery/pkg/util/net.IsTimeout
@@ -454,45 +533,6 @@ func isTimeout(err error) bool {
 	return false
 }

-func (u *upstreamResolverBase) disable(err error) {
-	if u.disabled {
-		return
-	}
-
-	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
-	u.successCount.Store(0)
-	u.deactivate(err)
-	u.disabled = true
-	u.wg.Add(1)
-	go func() {
-		defer u.wg.Done()
-		u.waitUntilResponse()
-	}()
-}
-
-func (u *upstreamResolverBase) upstreamServersString() string {
-	var servers []string
-	for _, server := range u.upstreamServers {
-		servers = append(servers, server.String())
-	}
-	return strings.Join(servers, ", ")
-}
-
-func (u *upstreamResolverBase) testNameserver(baseCtx context.Context, externalCtx context.Context, server netip.AddrPort, timeout time.Duration) error {
-	mergedCtx, cancel := context.WithTimeout(baseCtx, timeout)
-	defer cancel()
-
-	if externalCtx != nil {
-		stop2 := context.AfterFunc(externalCtx, cancel)
-		defer stop2()
-	}
-
-	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)
-
-	_, _, err := u.upstreamClient.exchange(mergedCtx, server.String(), r)
-	return err
-}
-
 // clientUDPMaxSize returns the maximum UDP response size the client accepts.
 func clientUDPMaxSize(r *dns.Msg) int {
 	if opt := r.IsEdns0(); opt != nil {
@@ -504,13 +544,10 @@ func clientUDPMaxSize(r *dns.Msg) int {
 // ExchangeWithFallback exchanges a DNS message with the upstream server.
 // It first tries to use UDP, and if it is truncated, it falls back to TCP.
 // If the inbound request came over TCP (via context), it skips the UDP attempt.
-// If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// If the request came in over TCP, go straight to TCP upstream.
 	if dnsProtocolFromContext(ctx) == protoTCP {
-		tcpClient := *client
-		tcpClient.Net = protoTCP
-		rm, t, err := tcpClient.ExchangeContext(ctx, r, upstream)
+		rm, t, err := toTCPClient(client).ExchangeContext(ctx, r, upstream)
 		if err != nil {
 			return nil, t, fmt.Errorf("with tcp: %w", err)
 		}
@@ -530,18 +567,7 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 		opt.SetUDPSize(maxUDPPayload)
 	}

-	var (
-		rm  *dns.Msg
-		t   time.Duration
-		err error
-	)
-
-	if ctx == nil {
-		rm, t, err = client.Exchange(r, upstream)
-	} else {
-		rm, t, err = client.ExchangeContext(ctx, r, upstream)
-	}
-
+	rm, t, err := client.ExchangeContext(ctx, r, upstream)
 	if err != nil {
 		return nil, t, fmt.Errorf("with udp: %w", err)
 	}
@@ -555,15 +581,7 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	// data than the client's buffer, we could truncate locally and skip
 	// the TCP retry.

-	tcpClient := *client
-	tcpClient.Net = protoTCP
-
-	if ctx == nil {
-		rm, t, err = tcpClient.Exchange(r, upstream)
-	} else {
-		rm, t, err = tcpClient.ExchangeContext(ctx, r, upstream)
-	}
-
+	rm, t, err = toTCPClient(client).ExchangeContext(ctx, r, upstream)
 	if err != nil {
 		return nil, t, fmt.Errorf("with tcp: %w", err)
 	}
@@ -577,6 +595,25 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	return rm, t, nil
 }

+// toTCPClient returns a copy of c configured for TCP. If c's Dialer has a
+// *net.UDPAddr bound as LocalAddr (iOS does this to keep the source IP on
+// the tunnel interface), it is converted to the equivalent *net.TCPAddr
+// so net.Dialer doesn't reject the TCP dial with "mismatched local
+// address type".
+func toTCPClient(c *dns.Client) *dns.Client {
+	tcp := *c
+	tcp.Net = protoTCP
+	if tcp.Dialer == nil {
+		return &tcp
+	}
+	d := *tcp.Dialer
+	if ua, ok := d.LocalAddr.(*net.UDPAddr); ok {
+		d.LocalAddr = &net.TCPAddr{IP: ua.IP, Port: ua.Port, Zone: ua.Zone}
+	}
+	tcp.Dialer = &d
+	return &tcp
+}
+
 // ExchangeWithNetstack performs a DNS exchange using netstack for dialing.
 // This is needed when netstack is enabled to reach peer IPs through the tunnel.
 func ExchangeWithNetstack(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream string) (*dns.Msg, error) {
@@ -718,15 +755,36 @@ func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
 	return bestMatch
 }

-func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
-	if u.statusRecorder == nil {
-		return ""
+// haMapRouteCount returns the total number of routes across all HA
+// groups in the map. route.HAMap is keyed by HAUniqueID with slices of
+// routes per key, so len(hm) is the number of HA groups, not routes.
+func haMapRouteCount(hm route.HAMap) int {
+	total := 0
+	for _, routes := range hm {
+		total += len(routes)
 	}
-
-	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
-	if peerInfo == nil {
-		return ""
-	}
-
-	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+	return total
+}
+
+// haMapContains checks whether ip is covered by any concrete prefix in
+// the HA map. haveDynamic is reported separately: dynamic (domain-based)
+// routes carry a placeholder Network that can't be prefix-checked, so we
+// can't know at this point whether ip is reached through one. Callers
+// decide how to interpret the unknown: health projection treats it as
+// "possibly routed" to avoid emitting false-positive warnings during
+// startup, while iOS dial selection requires a concrete match before
+// binding to the tunnel.
+func haMapContains(hm route.HAMap, ip netip.Addr) (matched, haveDynamic bool) {
+	for _, routes := range hm {
+		for _, r := range routes {
+			if r.IsDynamic() {
+				haveDynamic = true
+				continue
+			}
+			if r.Network.Contains(ip) {
+				return true, haveDynamic
+			}
+		}
+	}
+	return false, haveDynamic
 }
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -11,6 +11,7 @@ import (

 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbnet "github.com/netbirdio/netbird/client/net"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolver struct {
@@ -26,9 +27,9 @@ func newUpstreamResolver(
 	_ WGIface,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
 	c := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		hostsDNSHolder:       hostsDNSHolder,
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -12,6 +12,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolver struct {
@@ -24,9 +25,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
 	nonIOS := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		nsNet:                wgIface.GetNet(),
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -15,6 +15,7 @@ import (
 	"golang.org/x/sys/unix"

 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )

 type upstreamResolverIOS struct {
@@ -29,9 +30,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolverIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)

 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
@@ -65,8 +66,14 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	} else {
 		upstreamIP = upstreamIP.Unmap()
 	}
-	needsPrivate := u.lNet.Contains(upstreamIP) ||
-		(u.routeMatch != nil && u.routeMatch(upstreamIP))
+	var routed bool
+	if u.selectedRoutes != nil {
+		// Only a concrete prefix match binds to the tunnel: dialing
+		// through a private client for an upstream we can't prove is
+		// routed would break public resolvers.
+		routed, _ = haMapContains(u.selectedRoutes(), upstreamIP)
+	}
+	needsPrivate := u.lNet.Contains(upstreamIP) || routed
 	if needsPrivate {
 		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
@@ -75,8 +82,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		}
 	}

-	// Cannot use client.ExchangeContext because it overwrites our Dialer
-	return ExchangeWithFallback(nil, client, r, upstream)
+	return ExchangeWithFallback(ctx, client, r, upstream)
 }

 // GetClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"strings"
+	"sync/atomic"
 	"testing"
 	"time"

@@ -73,7 +74,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 					servers = append(servers, netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()))
 				}
 			}
-			resolver.upstreamServers = servers
+			resolver.addRace(servers)
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
 				cancel()
@@ -132,20 +133,10 @@ func (m *mockNetstackProvider) GetInterfaceGUIDString() (string, error) {
 	return "", nil
 }

-type mockUpstreamResolver struct {
-	r   *dns.Msg
-	rtt time.Duration
-	err error
-}
-
-// exchange mock implementation of exchange from upstreamResolver
-func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
-	return c.r, c.rtt, c.err
-}
-
 type mockUpstreamResponse struct {
-	msg *dns.Msg
-	err error
+	msg   *dns.Msg
+	err   error
+	delay time.Duration
 }

 type mockUpstreamResolverPerServer struct {
@@ -153,63 +144,19 @@ type mockUpstreamResolverPerServer struct {
 	rtt       time.Duration
 }

-func (c mockUpstreamResolverPerServer) exchange(_ context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
-	if r, ok := c.responses[upstream]; ok {
-		return r.msg, c.rtt, r.err
+func (c mockUpstreamResolverPerServer) exchange(ctx context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
+	r, ok := c.responses[upstream]
+	if !ok {
+		return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
 	}
-	return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
-}
-
-func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
-	mockClient := &mockUpstreamResolver{
-		err: dns.ErrTime,
-		r:   new(dns.Msg),
-		rtt: time.Millisecond,
-	}
-
-	resolver := &upstreamResolverBase{
-		ctx:              context.TODO(),
-		upstreamClient:   mockClient,
-		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: time.Microsecond * 100,
-	}
-	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
-	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
-
-	failed := false
-	resolver.deactivate = func(error) {
-		failed = true
-		// After deactivation, make the mock client work again
-		mockClient.err = nil
-	}
-
-	reactivated := false
-	resolver.reactivate = func() {
-		reactivated = true
-	}
-
-	resolver.ProbeAvailability(context.TODO())
-
-	if !failed {
-		t.Errorf("expected that resolving was deactivated")
-		return
-	}
-
-	if !resolver.disabled {
-		t.Errorf("resolver should be Disabled")
-		return
-	}
-
-	time.Sleep(time.Millisecond * 200)
-
-	if !reactivated {
-		t.Errorf("expected that resolving was reactivated")
-		return
-	}
-
-	if resolver.disabled {
-		t.Errorf("should be enabled")
+	if r.delay > 0 {
+		select {
+		case <-time.After(r.delay):
+		case <-ctx.Done():
+			return nil, c.rtt, ctx.Err()
+		}
 	}
+	return r.msg, c.rtt, r.err
 }

 func TestUpstreamResolver_Failover(t *testing.T) {
@@ -339,9 +286,9 @@ func TestUpstreamResolver_Failover(t *testing.T) {
 			resolver := &upstreamResolverBase{
 				ctx:             ctx,
 				upstreamClient:  trackingClient,
-				upstreamServers: []netip.AddrPort{upstream1, upstream2},
 				upstreamTimeout: UpstreamTimeout,
 			}
+			resolver.addRace([]netip.AddrPort{upstream1, upstream2})

 			var responseMSG *dns.Msg
 			responseWriter := &test.MockResponseWriter{
@@ -421,9 +368,9 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	resolver := &upstreamResolverBase{
 		ctx:             ctx,
 		upstreamClient:  mockClient,
-		upstreamServers: []netip.AddrPort{upstream},
 		upstreamTimeout: UpstreamTimeout,
 	}
+	resolver.addRace([]netip.AddrPort{upstream})

 	var responseMSG *dns.Msg
 	responseWriter := &test.MockResponseWriter{
@@ -440,6 +387,136 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode, "single upstream SERVFAIL should return SERVFAIL")
 }

+// TestUpstreamResolver_RaceAcrossGroups covers two nameserver groups
+// configured for the same domain, with one broken group. The merge+race
+// path should answer as fast as the working group and not pay the timeout
+// of the broken one on every query.
+func TestUpstreamResolver_RaceAcrossGroups(t *testing.T) {
+	broken := netip.MustParseAddrPort("192.0.2.1:53")
+	working := netip.MustParseAddrPort("192.0.2.2:53")
+	successAnswer := "192.0.2.100"
+	timeoutErr := &net.OpError{Op: "read", Err: fmt.Errorf("i/o timeout")}
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			// Force the broken upstream to only unblock via timeout /
+			// cancellation so the assertion below can't pass if races
+			// were run serially.
+			broken.String():  {err: timeoutErr, delay: 500 * time.Millisecond},
+			working.String(): {msg: buildMockResponse(dns.RcodeSuccess, successAnswer)},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: 250 * time.Millisecond,
+	}
+	resolver.addRace([]netip.AddrPort{broken})
+	resolver.addRace([]netip.AddrPort{working})
+
+	var responseMSG *dns.Msg
+	responseWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			responseMSG = m
+			return nil
+		},
+	}
+
+	inputMSG := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
+	start := time.Now()
+	resolver.ServeDNS(responseWriter, inputMSG)
+	elapsed := time.Since(start)
+
+	require.NotNil(t, responseMSG, "should write a response")
+	assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode)
+	require.NotEmpty(t, responseMSG.Answer)
+	assert.Contains(t, responseMSG.Answer[0].String(), successAnswer)
+	// Working group answers in a single RTT; the broken group's
+	// timeout (100ms) must not block the response.
+	assert.Less(t, elapsed, 100*time.Millisecond, "race must not wait for broken group's timeout")
+}
+
+// TestUpstreamResolver_AllGroupsFail checks that when every group fails the
+// resolver returns SERVFAIL rather than leaking a partial response.
+func TestUpstreamResolver_AllGroupsFail(t *testing.T) {
+	a := netip.MustParseAddrPort("192.0.2.1:53")
+	b := netip.MustParseAddrPort("192.0.2.2:53")
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			a.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+			b.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: UpstreamTimeout,
+	}
+	resolver.addRace([]netip.AddrPort{a})
+	resolver.addRace([]netip.AddrPort{b})
+
+	var responseMSG *dns.Msg
+	responseWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			responseMSG = m
+			return nil
+		},
+	}
+
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
+	require.NotNil(t, responseMSG)
+	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode)
+}
+
+// TestUpstreamResolver_HealthTracking verifies that query-path results are
+// recorded into per-upstream health, which is what projects back to
+// NSGroupState for status reporting.
+func TestUpstreamResolver_HealthTracking(t *testing.T) {
+	ok := netip.MustParseAddrPort("192.0.2.10:53")
+	bad := netip.MustParseAddrPort("192.0.2.11:53")
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			ok.String():  {msg: buildMockResponse(dns.RcodeSuccess, "192.0.2.100")},
+			bad.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: UpstreamTimeout,
+	}
+	resolver.addRace([]netip.AddrPort{ok, bad})
+
+	responseWriter := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { return nil }}
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
+
+	health := resolver.UpstreamHealth()
+	require.Contains(t, health, ok)
+	assert.False(t, health[ok].LastOk.IsZero(), "ok upstream should have LastOk set")
+	assert.Empty(t, health[ok].LastErr)
+
+	// bad upstream was never tried because ok answered first; its health
+	// should remain unset.
+	assert.NotContains(t, health, bad, "sibling upstream should not be queried when primary answers")
+}
+
 func TestFormatFailures(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -665,10 +742,10 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	// Verify that a client EDNS0 larger than our MTU-derived limit gets
 	// capped in the outgoing request so the upstream doesn't send a
 	// response larger than our read buffer.
-	var receivedUDPSize uint16
+	var receivedUDPSize atomic.Uint32
 	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
 		if opt := r.IsEdns0(); opt != nil {
-			receivedUDPSize = opt.UDPSize()
+			receivedUDPSize.Store(uint32(opt.UDPSize()))
 		}
 		m := new(dns.Msg)
 		m.SetReply(r)
@@ -699,7 +776,7 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	require.NotNil(t, rm)

 	expectedMax := uint16(currentMTU - ipUDPHeaderSize)
-	assert.Equal(t, expectedMax, receivedUDPSize,
+	assert.Equal(t, expectedMax, uint16(receivedUDPSize.Load()),
 		"upstream should see capped EDNS0, not the client's 4096")
 }

--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -26,6 +26,7 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -503,16 +504,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

-	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
-		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
-			for _, r := range routes {
-				if r.Network.Contains(ip) {
-					return true
-				}
-			}
-		}
-		return false
-	})
+	e.dnsServer.SetRouteSources(e.routeManager.GetSelectedClientRoutes, e.routeManager.GetActiveClientRoutes)

 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
@@ -570,7 +562,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.connMgr.Start(e.ctx)

 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
-	e.srWatcher.Start()
+	e.srWatcher.Start(peer.IsForceRelayed())

 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
@@ -604,6 +596,8 @@ func (e *Engine) createFirewall() error {
 		return nil
 	}

+	firewalld.SetParentContext(e.ctx)
+
 	var err error
 	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil {
@@ -1333,9 +1327,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {

 	e.networkSerial = serial

-	// Test received (upstream) servers for availability right away instead of upon usage.
-	// If no server of a server group responds this will disable the respective handler and retry later.
-	go e.dnsServer.ProbeAvailability()
 	return nil
 }

--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -185,17 +185,20 @@ func (conn *Conn) Open(engineCtx context.Context) error {

 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)

-	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
-	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
-	if err != nil {
-		return err
+	forceRelay := IsForceRelayed()
+	if !forceRelay {
+		relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
+		workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
+		if err != nil {
+			return err
+		}
+		conn.workerICE = workerICE
 	}
-	conn.workerICE = workerICE

 	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)

 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
-	if !isForceRelayed() {
+	if !forceRelay {
 		conn.handshaker.AddICEListener(conn.workerICE.OnNewOffer)
 	}

@@ -251,7 +254,9 @@ func (conn *Conn) Close(signalToRemote bool) {
 		conn.wgWatcherCancel()
 	}
 	conn.workerRelay.CloseConn()
-	conn.workerICE.Close()
+	if conn.workerICE != nil {
+		conn.workerICE.Close()
+	}

 	if conn.wgProxyRelay != nil {
 		err := conn.wgProxyRelay.CloseConn()
@@ -294,7 +299,9 @@ func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) {
 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
 func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
 	conn.dumpState.RemoteCandidate()
-	conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
+	if conn.workerICE != nil {
+		conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
+	}
 }

 // SetOnConnected sets a handler function to be triggered by Conn when a new connection to a remote peer established
@@ -712,33 +719,35 @@ func (conn *Conn) evalStatus() ConnStatus {
 	return StatusConnecting
 }

-func (conn *Conn) isConnectedOnAllWay() (connected bool) {
-	// would be better to protect this with a mutex, but it could cause deadlock with Close function
-
+// isConnectedOnAllWay evaluates the overall connection status based on ICE and Relay transports.
+//
+// The result is a tri-state:
+//   - ConnStatusConnected:          all available transports are up
+//   - ConnStatusPartiallyConnected: relay is up but ICE is still pending/reconnecting
+//   - ConnStatusDisconnected:       no working transport
+func (conn *Conn) isConnectedOnAllWay() (status guard.ConnStatus) {
 	defer func() {
-		if !connected {
+		if status == guard.ConnStatusDisconnected {
 			conn.logTraceConnState()
 		}
 	}()

-	// For JS platform: only relay connection is supported
-	if runtime.GOOS == "js" {
-		return conn.statusRelay.Get() == worker.StatusConnected
+	iceWorkerCreated := conn.workerICE != nil
+
+	var iceInProgress bool
+	if iceWorkerCreated {
+		iceInProgress = conn.workerICE.InProgress()
 	}

-	// For non-JS platforms: check ICE connection status
-	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
-		return false
-	}
-
-	// If relay is supported with peer, it must also be connected
-	if conn.workerRelay.IsRelayConnectionSupportedWithPeer() {
-		if conn.statusRelay.Get() == worker.StatusDisconnected {
-			return false
-		}
-	}
-
-	return true
+	return evalConnStatus(connStatusInputs{
+		forceRelay:          IsForceRelayed(),
+		peerUsesRelay:       conn.workerRelay.IsRelayConnectionSupportedWithPeer(),
+		relayConnected:      conn.statusRelay.Get() == worker.StatusConnected,
+		remoteSupportsICE:   conn.handshaker.RemoteICESupported(),
+		iceWorkerCreated:    iceWorkerCreated,
+		iceStatusConnecting: conn.statusICE.Get() != worker.StatusDisconnected,
+		iceInProgress:       iceInProgress,
+	})
 }

 func (conn *Conn) enableWgWatcherIfNeeded(enabledTime time.Time) {
@@ -926,3 +935,43 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+func evalConnStatus(in connStatusInputs) guard.ConnStatus {
+	// "Relay up and needed" — the peer uses relay and the transport is connected.
+	relayUsedAndUp := in.peerUsesRelay && in.relayConnected
+
+	// Force-relay mode: ICE never runs. Relay is the only transport and must be up.
+	if in.forceRelay {
+		return boolToConnStatus(relayUsedAndUp)
+	}
+
+	// Remote peer doesn't support ICE, or we haven't created the worker yet:
+	// relay is the only possible transport.
+	if !in.remoteSupportsICE || !in.iceWorkerCreated {
+		return boolToConnStatus(relayUsedAndUp)
+	}
+
+	// ICE counts as "up" when the status is anything other than Disconnected, OR
+	// when a negotiation is currently in progress (so we don't spam offers while one is in flight).
+	iceUp := in.iceStatusConnecting || in.iceInProgress
+
+	// Relay side is acceptable if the peer doesn't rely on relay, or relay is connected.
+	relayOK := !in.peerUsesRelay || in.relayConnected
+
+	switch {
+	case iceUp && relayOK:
+		return guard.ConnStatusConnected
+	case relayUsedAndUp:
+		// Relay is up but ICE is down — partially connected.
+		return guard.ConnStatusPartiallyConnected
+	default:
+		return guard.ConnStatusDisconnected
+	}
+}
+
+func boolToConnStatus(connected bool) guard.ConnStatus {
+	if connected {
+		return guard.ConnStatusConnected
+	}
+	return guard.ConnStatusDisconnected
+}
--- a/client/internal/peer/conn_status.go
+++ b/client/internal/peer/conn_status.go
@@ -13,6 +13,20 @@ const (
 	StatusConnected
 )

+// connStatusInputs is the primitive-valued snapshot of the state that drives the
+// tri-state connection classification. Extracted so the decision logic can be unit-tested
+// without constructing full Worker/Handshaker objects.
+type connStatusInputs struct {
+	forceRelay          bool // NB_FORCE_RELAY or JS/WASM
+	peerUsesRelay       bool // remote peer advertises relay support AND local has relay
+	relayConnected      bool // statusRelay reports Connected (independent of whether peer uses relay)
+	remoteSupportsICE   bool // remote peer sent ICE credentials
+	iceWorkerCreated    bool // local WorkerICE exists (false in force-relay mode)
+	iceStatusConnecting bool // statusICE is anything other than Disconnected
+	iceInProgress       bool // a negotiation is currently in flight
+}
+
+
 // ConnStatus describe the status of a peer's connection
 type ConnStatus int32

--- a/client/internal/peer/conn_status_eval_test.go
+++ b/client/internal/peer/conn_status_eval_test.go
@@ -0,0 +1,201 @@
+package peer
+
+import (
+	"testing"
+
+	"github.com/netbirdio/netbird/client/internal/peer/guard"
+)
+
+func TestEvalConnStatus_ForceRelay(t *testing.T) {
+	tests := []struct {
+		name string
+		in   connStatusInputs
+		want guard.ConnStatus
+	}{
+		{
+			name: "force relay, peer uses relay, relay up",
+			in: connStatusInputs{
+				forceRelay:     true,
+				peerUsesRelay:  true,
+				relayConnected: true,
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "force relay, peer uses relay, relay down",
+			in: connStatusInputs{
+				forceRelay:     true,
+				peerUsesRelay:  true,
+				relayConnected: false,
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+		{
+			name: "force relay, peer does NOT use relay - disconnected forever",
+			in: connStatusInputs{
+				forceRelay:     true,
+				peerUsesRelay:  false,
+				relayConnected: true,
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := evalConnStatus(tc.in); got != tc.want {
+				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestEvalConnStatus_ICEUnavailable(t *testing.T) {
+	tests := []struct {
+		name string
+		in   connStatusInputs
+		want guard.ConnStatus
+	}{
+		{
+			name: "remote does not support ICE, peer uses relay, relay up",
+			in: connStatusInputs{
+				peerUsesRelay:     true,
+				relayConnected:    true,
+				remoteSupportsICE: false,
+				iceWorkerCreated:  true,
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "remote does not support ICE, peer uses relay, relay down",
+			in: connStatusInputs{
+				peerUsesRelay:     true,
+				relayConnected:    false,
+				remoteSupportsICE: false,
+				iceWorkerCreated:  true,
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+		{
+			name: "ICE worker not yet created, relay up",
+			in: connStatusInputs{
+				peerUsesRelay:     true,
+				relayConnected:    true,
+				remoteSupportsICE: true,
+				iceWorkerCreated:  false,
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "remote does not support ICE, peer does not use relay",
+			in: connStatusInputs{
+				peerUsesRelay:     false,
+				relayConnected:    false,
+				remoteSupportsICE: false,
+				iceWorkerCreated:  true,
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := evalConnStatus(tc.in); got != tc.want {
+				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestEvalConnStatus_FullyAvailable(t *testing.T) {
+	base := connStatusInputs{
+		remoteSupportsICE: true,
+		iceWorkerCreated:  true,
+	}
+
+	tests := []struct {
+		name    string
+		mutator func(*connStatusInputs)
+		want    guard.ConnStatus
+	}{
+		{
+			name: "ICE connected, relay connected, peer uses relay",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = true
+				in.relayConnected = true
+				in.iceStatusConnecting = true
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "ICE connected, peer does NOT use relay",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = false
+				in.relayConnected = false
+				in.iceStatusConnecting = true
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "ICE InProgress only, peer does NOT use relay",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = false
+				in.iceStatusConnecting = false
+				in.iceInProgress = true
+			},
+			want: guard.ConnStatusConnected,
+		},
+		{
+			name: "ICE down, relay up, peer uses relay -> partial",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = true
+				in.relayConnected = true
+				in.iceStatusConnecting = false
+				in.iceInProgress = false
+			},
+			want: guard.ConnStatusPartiallyConnected,
+		},
+		{
+			name: "ICE down, peer does NOT use relay -> disconnected",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = false
+				in.relayConnected = false
+				in.iceStatusConnecting = false
+				in.iceInProgress = false
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+		{
+			name: "ICE up, peer uses relay but relay down -> partial (relay required, ICE ignored)",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = true
+				in.relayConnected = false
+				in.iceStatusConnecting = true
+			},
+			// relayOK = false (peer uses relay but it's down), iceUp = true
+			// first switch arm fails (relayOK false), relayUsedAndUp = false (relay down),
+			// falls into default: Disconnected.
+			want: guard.ConnStatusDisconnected,
+		},
+		{
+			name: "ICE down, relay up but peer does not use relay -> disconnected",
+			mutator: func(in *connStatusInputs) {
+				in.peerUsesRelay = false
+				in.relayConnected = true // not actually used since peer doesn't rely on it
+				in.iceStatusConnecting = false
+				in.iceInProgress = false
+			},
+			want: guard.ConnStatusDisconnected,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			in := base
+			tc.mutator(&in)
+			if got := evalConnStatus(in); got != tc.want {
+				t.Fatalf("evalConnStatus = %v, want %v (inputs: %+v)", got, tc.want, in)
+			}
+		})
+	}
+}
--- a/client/internal/peer/env.go
+++ b/client/internal/peer/env.go
@@ -10,7 +10,7 @@ const (
 	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
 )

-func isForceRelayed() bool {
+func IsForceRelayed() bool {
 	if runtime.GOOS == "js" {
 		return true
 	}
--- a/client/internal/peer/guard/guard.go
+++ b/client/internal/peer/guard/guard.go
@@ -8,7 +8,19 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-type isConnectedFunc func() bool
+// ConnStatus represents the connection state as seen by the guard.
+type ConnStatus int
+
+const (
+	// ConnStatusDisconnected means neither ICE nor Relay is connected.
+	ConnStatusDisconnected ConnStatus = iota
+	// ConnStatusPartiallyConnected means Relay is connected but ICE is not.
+	ConnStatusPartiallyConnected
+	// ConnStatusConnected means all required connections are established.
+	ConnStatusConnected
+)
+
+type connStatusFunc func() ConnStatus

 // Guard is responsible for the reconnection logic.
 // It will trigger to send an offer to the peer then has connection issues.
@@ -20,14 +32,14 @@ type isConnectedFunc func() bool
 // - ICE candidate changes
 type Guard struct {
 	log                     *log.Entry
-	isConnectedOnAllWay     isConnectedFunc
+	isConnectedOnAllWay     connStatusFunc
 	timeout                 time.Duration
 	srWatcher               *SRWatcher
 	relayedConnDisconnected chan struct{}
 	iCEConnDisconnected     chan struct{}
 }

-func NewGuard(log *log.Entry, isConnectedFn isConnectedFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
+func NewGuard(log *log.Entry, isConnectedFn connStatusFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
 	return &Guard{
 		log:                     log,
 		isConnectedOnAllWay:     isConnectedFn,
@@ -57,8 +69,17 @@ func (g *Guard) SetICEConnDisconnected() {
 	}
 }

-// reconnectLoopWithRetry periodically check the connection status.
-// Try to send offer while the P2P is not established or while the Relay is not connected if is it supported
+// reconnectLoopWithRetry periodically checks the connection status and sends offers to re-establish connectivity.
+//
+// Behavior depends on the connection state reported by isConnectedOnAllWay:
+//   - Connected: no action, the peer is fully reachable.
+//   - Disconnected (neither ICE nor Relay): retries aggressively with exponential backoff (800ms doubling
+//     up to timeout), never gives up. This ensures rapid recovery when the peer has no connectivity at all.
+//   - PartiallyConnected (Relay up, ICE not): retries up to 3 times with exponential backoff, then switches
+//     to one attempt per hour. This limits signaling traffic when relay already provides connectivity.
+//
+// External events (relay/ICE disconnect, signal/relay reconnect, candidate changes) reset the retry
+// counter and backoff ticker, giving ICE a fresh chance after network conditions change.
 func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 	srReconnectedChan := g.srWatcher.NewListener()
 	defer g.srWatcher.RemoveListener(srReconnectedChan)
@@ -68,36 +89,47 @@ func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {

 	tickerChannel := ticker.C

+	iceState := &iceRetryState{log: g.log}
+	defer iceState.reset()
+
 	for {
 		select {
-		case t := <-tickerChannel:
-			if t.IsZero() {
-				g.log.Infof("retry timed out, stop periodic offer sending")
-				// after backoff timeout the ticker.C will be closed. We need to a dummy channel to avoid loop
-				tickerChannel = make(<-chan time.Time)
-				continue
+		case <-tickerChannel:
+			switch g.isConnectedOnAllWay() {
+			case ConnStatusConnected:
+				// all good, nothing to do
+			case ConnStatusDisconnected:
+				callback()
+			case ConnStatusPartiallyConnected:
+				if iceState.shouldRetry() {
+					callback()
+				} else {
+					iceState.enterHourlyMode()
+					ticker.Stop()
+					tickerChannel = iceState.hourlyC()
+				}
 			}

-			if !g.isConnectedOnAllWay() {
-				callback()
-			}
 		case <-g.relayedConnDisconnected:
 			g.log.Debugf("Relay connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.prepareExponentTicker(ctx)
+			ticker = g.newReconnectTicker(ctx)
 			tickerChannel = ticker.C
+			iceState.reset()

 		case <-g.iCEConnDisconnected:
 			g.log.Debugf("ICE connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.prepareExponentTicker(ctx)
+			ticker = g.newReconnectTicker(ctx)
 			tickerChannel = ticker.C
+			iceState.reset()

 		case <-srReconnectedChan:
 			g.log.Debugf("has network changes, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.prepareExponentTicker(ctx)
+			ticker = g.newReconnectTicker(ctx)
 			tickerChannel = ticker.C
+			iceState.reset()

 		case <-ctx.Done():
 			g.log.Debugf("context is done, stop reconnect loop")
@@ -120,7 +152,7 @@ func (g *Guard) initialTicker(ctx context.Context) *backoff.Ticker {
 	return backoff.NewTicker(bo)
 }

-func (g *Guard) prepareExponentTicker(ctx context.Context) *backoff.Ticker {
+func (g *Guard) newReconnectTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
 		RandomizationFactor: 0.1,
--- a/client/internal/peer/guard/ice_retry_state.go
+++ b/client/internal/peer/guard/ice_retry_state.go
@@ -0,0 +1,61 @@
+package guard
+
+import (
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// maxICERetries is the maximum number of ICE offer attempts when relay is connected
+	maxICERetries = 3
+	// iceRetryInterval is the periodic retry interval after ICE retries are exhausted
+	iceRetryInterval = 1 * time.Hour
+)
+
+// iceRetryState tracks the limited ICE retry attempts when relay is already connected.
+// After maxICERetries attempts it switches to a periodic hourly retry.
+type iceRetryState struct {
+	log     *log.Entry
+	retries int
+	hourly  *time.Ticker
+}
+
+func (s *iceRetryState) reset() {
+	s.retries = 0
+	if s.hourly != nil {
+		s.hourly.Stop()
+		s.hourly = nil
+	}
+}
+
+// shouldRetry reports whether the caller should send another ICE offer on this tick.
+// Returns false when the per-cycle retry budget is exhausted and the caller must switch
+// to the hourly ticker via enterHourlyMode + hourlyC.
+func (s *iceRetryState) shouldRetry() bool {
+	if s.hourly != nil {
+		s.log.Debugf("hourly ICE retry attempt")
+		return true
+	}
+
+	s.retries++
+	if s.retries <= maxICERetries {
+		s.log.Debugf("ICE retry attempt %d/%d", s.retries, maxICERetries)
+		return true
+	}
+
+	return false
+}
+
+// enterHourlyMode starts the hourly retry ticker. Must be called after shouldRetry returns false.
+func (s *iceRetryState) enterHourlyMode() {
+	s.log.Infof("ICE retries exhausted (%d/%d), switching to hourly retry", maxICERetries, maxICERetries)
+	s.hourly = time.NewTicker(iceRetryInterval)
+}
+
+func (s *iceRetryState) hourlyC() <-chan time.Time {
+	if s.hourly == nil {
+		return nil
+	}
+	return s.hourly.C
+}
--- a/client/internal/peer/guard/ice_retry_state_test.go
+++ b/client/internal/peer/guard/ice_retry_state_test.go
@@ -0,0 +1,103 @@
+package guard
+
+import (
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func newTestRetryState() *iceRetryState {
+	return &iceRetryState{log: log.NewEntry(log.StandardLogger())}
+}
+
+func TestICERetryState_AllowsInitialBudget(t *testing.T) {
+	s := newTestRetryState()
+
+	for i := 1; i <= maxICERetries; i++ {
+		if !s.shouldRetry() {
+			t.Fatalf("shouldRetry returned false on attempt %d, want true (budget = %d)", i, maxICERetries)
+		}
+	}
+}
+
+func TestICERetryState_ExhaustsAfterBudget(t *testing.T) {
+	s := newTestRetryState()
+
+	for i := 0; i < maxICERetries; i++ {
+		_ = s.shouldRetry()
+	}
+
+	if s.shouldRetry() {
+		t.Fatalf("shouldRetry returned true after budget exhausted, want false")
+	}
+}
+
+func TestICERetryState_HourlyCNilBeforeEnterHourlyMode(t *testing.T) {
+	s := newTestRetryState()
+
+	if s.hourlyC() != nil {
+		t.Fatalf("hourlyC returned non-nil channel before enterHourlyMode")
+	}
+}
+
+func TestICERetryState_EnterHourlyModeArmsTicker(t *testing.T) {
+	s := newTestRetryState()
+	for i := 0; i < maxICERetries+1; i++ {
+		_ = s.shouldRetry()
+	}
+
+	s.enterHourlyMode()
+	defer s.reset()
+
+	if s.hourlyC() == nil {
+		t.Fatalf("hourlyC returned nil after enterHourlyMode")
+	}
+}
+
+func TestICERetryState_ShouldRetryTrueInHourlyMode(t *testing.T) {
+	s := newTestRetryState()
+	s.enterHourlyMode()
+	defer s.reset()
+
+	if !s.shouldRetry() {
+		t.Fatalf("shouldRetry returned false in hourly mode, want true")
+	}
+
+	// Subsequent calls also return true — we keep retrying on each hourly tick.
+	if !s.shouldRetry() {
+		t.Fatalf("second shouldRetry returned false in hourly mode, want true")
+	}
+}
+
+func TestICERetryState_ResetRestoresBudget(t *testing.T) {
+	s := newTestRetryState()
+	for i := 0; i < maxICERetries+1; i++ {
+		_ = s.shouldRetry()
+	}
+	s.enterHourlyMode()
+
+	s.reset()
+
+	if s.hourlyC() != nil {
+		t.Fatalf("hourlyC returned non-nil channel after reset")
+	}
+	if s.retries != 0 {
+		t.Fatalf("retries = %d after reset, want 0", s.retries)
+	}
+
+	for i := 1; i <= maxICERetries; i++ {
+		if !s.shouldRetry() {
+			t.Fatalf("shouldRetry returned false on attempt %d after reset, want true", i)
+		}
+	}
+}
+
+func TestICERetryState_ResetIsIdempotent(t *testing.T) {
+	s := newTestRetryState()
+	s.reset()
+	s.reset() // second call must not panic or re-stop a nil ticker
+
+	if s.hourlyC() != nil {
+		t.Fatalf("hourlyC non-nil after double reset")
+	}
+}
--- a/client/internal/peer/guard/sr_watcher.go
+++ b/client/internal/peer/guard/sr_watcher.go
@@ -39,7 +39,7 @@ func NewSRWatcher(signalClient chNotifier, relayManager chNotifier, iFaceDiscove
 	return srw
 }

-func (w *SRWatcher) Start() {
+func (w *SRWatcher) Start(disableICEMonitor bool) {
 	w.mu.Lock()
 	defer w.mu.Unlock()

@@ -50,8 +50,10 @@ func (w *SRWatcher) Start() {
 	ctx, cancel := context.WithCancel(context.Background())
 	w.cancelIceMonitor = cancel

-	iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
-	go iceMonitor.Start(ctx, w.onICEChanged)
+	if !disableICEMonitor {
+		iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
+		go iceMonitor.Start(ctx, w.onICEChanged)
+	}
 	w.signalClient.SetOnReconnectedListener(w.onReconnected)
 	w.relayManager.SetOnReconnectedListener(w.onReconnected)

--- a/client/internal/peer/handshaker.go
+++ b/client/internal/peer/handshaker.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"sync"
+	"sync/atomic"

 	log "github.com/sirupsen/logrus"

@@ -43,6 +44,10 @@ type OfferAnswer struct {
 	SessionID *ICESessionID
 }

+func (o *OfferAnswer) hasICECredentials() bool {
+	return o.IceCredentials.UFrag != "" && o.IceCredentials.Pwd != ""
+}
+
 type Handshaker struct {
 	mu            sync.Mutex
 	log           *log.Entry
@@ -59,6 +64,10 @@ type Handshaker struct {
 	relayListener *AsyncOfferListener
 	iceListener   func(remoteOfferAnswer *OfferAnswer)

+	// remoteICESupported tracks whether the remote peer includes ICE credentials in its offers/answers.
+	// When false, the local side skips ICE listener dispatch and suppresses ICE credentials in responses.
+	remoteICESupported atomic.Bool
+
 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
@@ -66,7 +75,7 @@ type Handshaker struct {
 }

 func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
-	return &Handshaker{
+	h := &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
@@ -76,6 +85,13 @@ func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *W
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
+	// assume remote supports ICE until we learn otherwise from received offers
+	h.remoteICESupported.Store(ice != nil)
+	return h
+}
+
+func (h *Handshaker) RemoteICESupported() bool {
+	return h.remoteICESupported.Load()
 }

 func (h *Handshaker) AddRelayListener(offer func(remoteOfferAnswer *OfferAnswer)) {
@@ -90,18 +106,20 @@ func (h *Handshaker) Listen(ctx context.Context) {
 	for {
 		select {
 		case remoteOfferAnswer := <-h.remoteOffersCh:
-			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())

 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}

+			h.updateRemoteICEState(&remoteOfferAnswer)
+
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}

-			if h.iceListener != nil {
+			if h.iceListener != nil && h.RemoteICESupported() {
 				h.iceListener(&remoteOfferAnswer)
 			}

@@ -110,18 +128,20 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				continue
 			}
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
-			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())

 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}

+			h.updateRemoteICEState(&remoteOfferAnswer)
+
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}

-			if h.iceListener != nil {
+			if h.iceListener != nil && h.RemoteICESupported() {
 				h.iceListener(&remoteOfferAnswer)
 			}
 		case <-ctx.Done():
@@ -183,15 +203,18 @@ func (h *Handshaker) sendAnswer() error {
 }

 func (h *Handshaker) buildOfferAnswer() OfferAnswer {
-	uFrag, pwd := h.ice.GetLocalUserCredentials()
-	sid := h.ice.SessionID()
 	answer := OfferAnswer{
-		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
 		RosenpassAddr:   h.config.RosenpassConfig.Addr,
-		SessionID:       &sid,
+	}
+
+	if h.ice != nil && h.RemoteICESupported() {
+		uFrag, pwd := h.ice.GetLocalUserCredentials()
+		sid := h.ice.SessionID()
+		answer.IceCredentials = IceCredentials{uFrag, pwd}
+		answer.SessionID = &sid
 	}

 	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
@@ -200,3 +223,18 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {

 	return answer
 }
+
+func (h *Handshaker) updateRemoteICEState(offer *OfferAnswer) {
+	hasICE := offer.hasICECredentials()
+	prev := h.remoteICESupported.Swap(hasICE)
+	if prev != hasICE {
+		if hasICE {
+			h.log.Infof("remote peer started sending ICE credentials")
+		} else {
+			h.log.Infof("remote peer stopped sending ICE credentials")
+			if h.ice != nil {
+				h.ice.Close()
+			}
+		}
+	}
+}
--- a/client/internal/peer/signaler.go
+++ b/client/internal/peer/signaler.go
@@ -46,9 +46,13 @@ func (s *Signaler) Ready() bool {

 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
-	sessionIDBytes, err := offerAnswer.SessionID.Bytes()
-	if err != nil {
-		log.Warnf("failed to get session ID bytes: %v", err)
+	var sessionIDBytes []byte
+	if offerAnswer.SessionID != nil {
+		var err error
+		sessionIDBytes, err = offerAnswer.SessionID.Bytes()
+		if err != nil {
+			log.Warnf("failed to get session ID bytes: %v", err)
+		}
 	}
 	msg, err := signal.MarshalCredential(
 		s.wgPrivateKey,
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -53,6 +53,7 @@ type Manager interface {
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
 	GetSelectedClientRoutes() route.HAMap
+	GetActiveClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -477,6 +478,39 @@ func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
 	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
 }

+// GetActiveClientRoutes returns the subset of selected client routes
+// that are currently reachable: the route's peer is Connected and is
+// the one actively carrying the route (not just an HA sibling).
+func (m *DefaultManager) GetActiveClientRoutes() route.HAMap {
+	m.mux.Lock()
+	selected := m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
+	recorder := m.statusRecorder
+	m.mux.Unlock()
+
+	if recorder == nil {
+		return selected
+	}
+
+	out := make(route.HAMap, len(selected))
+	for id, routes := range selected {
+		for _, r := range routes {
+			st, err := recorder.GetPeer(r.Peer)
+			if err != nil {
+				continue
+			}
+			if st.ConnStatus != peer.StatusConnected {
+				continue
+			}
+			if _, hasRoute := st.GetRoutes()[r.Network.String()]; !hasRoute {
+				continue
+			}
+			out[id] = routes
+			break
+		}
+	}
+	return out
+}
+
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -19,6 +19,7 @@ type MockManager struct {
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
 	GetSelectedClientRoutesFunc  func() route.HAMap
+	GetActiveClientRoutesFunc    func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -78,6 +79,14 @@ func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
 	return nil
 }

+// GetActiveClientRoutes mock implementation of GetActiveClientRoutes from the Manager interface
+func (m *MockManager) GetActiveClientRoutes() route.HAMap {
+	if m.GetActiveClientRoutesFunc != nil {
+		return m.GetActiveClientRoutesFunc()
+	}
+	return nil
+}
+
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {
--- a/combined/config.yaml.example
+++ b/combined/config.yaml.example
@@ -119,6 +119,8 @@ server:

  # Reverse proxy settings (optional)
  # reverseProxy:
-  #   trustedHTTPProxies: []
-  #   trustedHTTPProxiesCount: 0
-  #   trustedPeers: []
+  #   trustedHTTPProxies: []           # CIDRs of trusted reverse proxies (e.g. ["10.0.0.0/8"])
+  #   trustedHTTPProxiesCount: 0       # Number of trusted proxies in front of the server (alternative to trustedHTTPProxies)
+  #   trustedPeers: []                 # CIDRs of trusted peer networks (e.g. ["100.64.0.0/10"])
+  #   accessLogRetentionDays: 7        # Days to retain HTTP access logs. 0 (or unset) defaults to 7. Negative values disable cleanup (logs kept indefinitely).
+  #   accessLogCleanupIntervalHours: 24 # How often (in hours) to run the access-log cleanup job. 0 (or unset) is treated as "not set" and defaults to 24 hours; cleanup remains enabled. To disable cleanup, set accessLogRetentionDays to a negative value.
--- a/flow/client/client_test.go
+++ b/flow/client/client_test.go
@@ -457,6 +457,18 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {

 	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
 	require.NoError(t, err)
+
+	// Cleanups run LIFO: the goroutine-drain registered here runs after Close below,
+	// which is when Receive has actually returned. Without this, the Receive goroutine
+	// can outlive the test and call t.Logf after teardown, panicking.
+	receiveDone := make(chan struct{})
+	t.Cleanup(func() {
+		select {
+		case <-receiveDone:
+		case <-time.After(2 * time.Second):
+			t.Error("Receive goroutine did not exit after Close")
+		}
+	})
 	t.Cleanup(func() {
 		err := client.Close()
 		assert.NoError(t, err, "failed to close flow")
@@ -468,6 +480,7 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
 	receivedAfterReconnect := make(chan struct{})

 	go func() {
+		defer close(receiveDone)
 		err := client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
 			if msg.IsInitiator || len(msg.EventId) == 0 {
 				return nil
--- a/go.mod
+++ b/go.mod
@@ -323,3 +323,5 @@ replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184
 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944

 replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0
+
+replace github.com/mailru/easyjson => github.com/netbirdio/easyjson v0.9.0
--- a/go.sum
+++ b/go.sum
@@ -400,8 +400,6 @@ github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tA
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
@@ -449,6 +447,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
 github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
+github.com/netbirdio/easyjson v0.9.0 h1:6Nw2lghSVuy8RSkAYDhDv1thBVEmfVbKZnV7T7Z6Aus=
+github.com/netbirdio/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -472,7 +472,7 @@ start_services_and_show_instructions() {
      if [[ "$ENABLE_CROWDSEC" == "true" ]]; then
        echo "Registering CrowdSec bouncer..."
        local cs_retries=0
-        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status >/dev/null 2>&1; do
+        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli lapi status >/dev/null 2>&1; do
          cs_retries=$((cs_retries + 1))
          if [[ $cs_retries -ge 30 ]]; then
            echo "WARNING: CrowdSec did not become ready. Skipping CrowdSec setup." > /dev/stderr
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -12,6 +12,7 @@ import (
 	"go.opentelemetry.io/otel/metric"

 	"github.com/netbirdio/management-integrations/integrations"
+
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -87,17 +88,14 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {

 		switch authType {
 		case "bearer":
-			request, err := m.checkJWTFromRequest(r, authHeader)
-			if err != nil {
+			if err := m.checkJWTFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Errorf("Error when validating JWT: %s", err.Error())
 				util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "token invalid"), w)
 				return
 			}
-
-			h.ServeHTTP(w, request)
+			h.ServeHTTP(w, r)
 		case "token":
-			request, err := m.checkPATFromRequest(r, authHeader)
-			if err != nil {
+			if err := m.checkPATFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Debugf("Error when validating PAT: %s", err.Error())
 				// Check if it's a status error, otherwise default to Unauthorized
 				if _, ok := status.FromError(err); !ok {
@@ -106,7 +104,7 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 				util.WriteError(r.Context(), err, w)
 				return
 			}
-			h.ServeHTTP(w, request)
+			h.ServeHTTP(w, r)
 		default:
 			util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "no valid authentication provided"), w)
 			return
@@ -115,19 +113,19 @@ func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 }

 // CheckJWTFromRequest checks if the JWT is valid
-func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []string) (*http.Request, error) {
+func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromJWTRequest(authHeaderParts)

 	// If an error occurs, call the error handler and return an error
 	if err != nil {
-		return r, fmt.Errorf("error extracting token: %w", err)
+		return fmt.Errorf("error extracting token: %w", err)
 	}

 	ctx := r.Context()

 	userAuth, validatedToken, err := m.authManager.ValidateAndParseToken(ctx, token)
 	if err != nil {
-		return r, err
+		return err
 	}

 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
@@ -143,7 +141,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
 	accountId, _, err := m.ensureAccount(ctx, userAuth)
 	if err != nil {
-		return r, err
+		return err
 	}

 	if userAuth.AccountId != accountId {
@@ -153,7 +151,7 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []

 	userAuth, err = m.authManager.EnsureUserAccessByJWTGroups(ctx, userAuth, validatedToken)
 	if err != nil {
-		return r, err
+		return err
 	}

 	err = m.syncUserJWTGroups(ctx, userAuth)
@@ -164,17 +162,19 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	_, err = m.getUserFromUserAuth(ctx, userAuth)
 	if err != nil {
 		log.WithContext(ctx).Errorf("HTTP server failed to update user from user auth: %s", err)
-		return r, err
+		return err
 	}

-	return nbcontext.SetUserAuthInRequest(r, userAuth), nil
+	// propagates ctx change to upstream middleware
+	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
+	return nil
 }

 // CheckPATFromRequest checks if the PAT is valid
-func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []string) (*http.Request, error) {
+func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromPATRequest(authHeaderParts)
 	if err != nil {
-		return r, fmt.Errorf("error extracting token: %w", err)
+		return fmt.Errorf("error extracting token: %w", err)
 	}

 	if m.patUsageTracker != nil {
@@ -183,22 +183,22 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []

 	if m.rateLimiter != nil && !isTerraformRequest(r) {
 		if !m.rateLimiter.Allow(token) {
-			return r, status.Errorf(status.TooManyRequests, "too many requests")
+			return status.Errorf(status.TooManyRequests, "too many requests")
 		}
 	}

 	ctx := r.Context()
 	user, pat, accDomain, accCategory, err := m.authManager.GetPATInfo(ctx, token)
 	if err != nil {
-		return r, fmt.Errorf("invalid Token: %w", err)
+		return fmt.Errorf("invalid Token: %w", err)
 	}
 	if time.Now().After(pat.GetExpirationDate()) {
-		return r, fmt.Errorf("token expired")
+		return fmt.Errorf("token expired")
 	}

 	err = m.authManager.MarkPATUsed(ctx, pat.ID)
 	if err != nil {
-		return r, err
+		return err
 	}

 	userAuth := auth.UserAuth{
@@ -216,7 +216,9 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 		}
 	}

-	return nbcontext.SetUserAuthInRequest(r, userAuth), nil
+	// propagates ctx change to upstream middleware
+	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
+	return nil
 }

 func isTerraformRequest(r *http.Request) bool {
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -5,6 +5,7 @@ import (
 	_ "embed"

 	"github.com/rs/xid"
+	"github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
@@ -46,25 +47,40 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	var isUpdate = policy.ID != ""
 	var updateAccountPeers bool
 	var action = activity.PolicyAdded
+	var unchanged bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err = validatePolicy(ctx, transaction, accountID, policy); err != nil {
-			return err
-		}
-
-		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, accountID, policy, isUpdate)
+		existingPolicy, err := validatePolicy(ctx, transaction, accountID, policy)
 		if err != nil {
 			return err
 		}

-		saveFunc := transaction.CreatePolicy
 		if isUpdate {
-			action = activity.PolicyUpdated
-			saveFunc = transaction.SavePolicy
-		}
+			if policy.Equal(existingPolicy) {
+				logrus.WithContext(ctx).Tracef("policy update skipped because equal to stored one - policy id %s", policy.ID)
+				unchanged = true
+				return nil
+			}

-		if err = saveFunc(ctx, policy); err != nil {
-			return err
+			action = activity.PolicyUpdated
+
+			updateAccountPeers, err = arePolicyChangesAffectPeersWithExisting(ctx, transaction, policy, existingPolicy)
+			if err != nil {
+				return err
+			}
+
+			if err = transaction.SavePolicy(ctx, policy); err != nil {
+				return err
+			}
+		} else {
+			updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
+			if err != nil {
+				return err
+			}
+
+			if err = transaction.CreatePolicy(ctx, policy); err != nil {
+				return err
+			}
 		}

 		return transaction.IncrementNetworkSerial(ctx, accountID)
@@ -73,6 +89,10 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 		return nil, err
 	}

+	if unchanged {
+		return policy, nil
+	}
+
 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())

 	if updateAccountPeers {
@@ -101,7 +121,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 			return err
 		}

-		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, accountID, policy, false)
+		updateAccountPeers, err = arePolicyChangesAffectPeers(ctx, transaction, policy)
 		if err != nil {
 			return err
 		}
@@ -138,34 +158,37 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
 	return am.Store.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
 }

-// arePolicyChangesAffectPeers checks if changes to a policy will affect any associated peers.
-func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy, isUpdate bool) (bool, error) {
-	if isUpdate {
-		existingPolicy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
-		if err != nil {
-			return false, err
-		}
-
-		if !policy.Enabled && !existingPolicy.Enabled {
-			return false, nil
-		}
-
-		for _, rule := range existingPolicy.Rules {
-			if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
-				return true, nil
-			}
-		}
-
-		hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
-		if err != nil {
-			return false, err
-		}
-
-		if hasPeers {
+// arePolicyChangesAffectPeers checks if a policy (being created or deleted) will affect any associated peers.
+func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, policy *types.Policy) (bool, error) {
+	for _, rule := range policy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
 			return true, nil
 		}
 	}

+	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
+}
+
+func arePolicyChangesAffectPeersWithExisting(ctx context.Context, transaction store.Store, policy *types.Policy, existingPolicy *types.Policy) (bool, error) {
+	if !policy.Enabled && !existingPolicy.Enabled {
+		return false, nil
+	}
+
+	for _, rule := range existingPolicy.Rules {
+		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
+			return true, nil
+		}
+	}
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, existingPolicy.RuleGroups())
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
 	for _, rule := range policy.Rules {
 		if rule.SourceResource.Type != "" || rule.DestinationResource.Type != "" {
 			return true, nil
@@ -175,12 +198,15 @@ func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, a
 	return anyGroupHasPeersOrResources(ctx, transaction, policy.AccountID, policy.RuleGroups())
 }

-// validatePolicy validates the policy and its rules.
-func validatePolicy(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy) error {
+// validatePolicy validates the policy and its rules. For updates it returns
+// the existing policy loaded from the store so callers can avoid a second read.
+func validatePolicy(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy) (*types.Policy, error) {
+	var existingPolicy *types.Policy
 	if policy.ID != "" {
-		existingPolicy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
+		var err error
+		existingPolicy, err = transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
 		if err != nil {
-			return err
+			return nil, err
 		}

 		// TODO: Refactor to support multiple rules per policy
@@ -191,7 +217,7 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri

 		for _, rule := range policy.Rules {
 			if rule.ID != "" && !existingRuleIDs[rule.ID] {
-				return status.Errorf(status.InvalidArgument, "invalid rule ID: %s", rule.ID)
+				return nil, status.Errorf(status.InvalidArgument, "invalid rule ID: %s", rule.ID)
 			}
 		}
 	} else {
@@ -201,12 +227,12 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri

 	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, policy.RuleGroups())
 	if err != nil {
-		return err
+		return nil, err
 	}

 	postureChecks, err := transaction.GetPostureChecksByIDs(ctx, store.LockingStrengthNone, accountID, policy.SourcePostureChecks)
 	if err != nil {
-		return err
+		return nil, err
 	}

 	for i, rule := range policy.Rules {
@@ -225,7 +251,7 @@ func validatePolicy(ctx context.Context, transaction store.Store, accountID stri
 		policy.SourcePostureChecks = getValidPostureCheckIDs(postureChecks, policy.SourcePostureChecks)
 	}

-	return nil
+	return existingPolicy, nil
 }

 // getValidPostureCheckIDs filters and returns only the valid posture check IDs from the provided list.
--- a/management/server/telemetry/http_api_metrics.go
+++ b/management/server/telemetry/http_api_metrics.go
@@ -193,20 +193,12 @@ func (m *HTTPMiddleware) Handler(h http.Handler) http.Handler {
 			}
 		})

-		h.ServeHTTP(w, r.WithContext(ctx))
+		// Hold on to req so auth's in-place ctx update is visible after ServeHTTP.
+		req := r.WithContext(ctx)
+		h.ServeHTTP(w, req)
 		close(handlerDone)

-		userAuth, err := nbContext.GetUserAuthFromContext(r.Context())
-		if err == nil {
-			if userAuth.AccountId != "" {
-				//nolint
-				ctx = context.WithValue(ctx, nbContext.AccountIDKey, userAuth.AccountId)
-			}
-			if userAuth.UserId != "" {
-				//nolint
-				ctx = context.WithValue(ctx, nbContext.UserIDKey, userAuth.UserId)
-			}
-		}
+		ctx = req.Context()

 		if w.Status() > 399 {
 			log.WithContext(ctx).Errorf("HTTP response %v: %v %v status %v", reqID, r.Method, r.URL, w.Status())
--- a/management/server/types/policy.go
+++ b/management/server/types/policy.go
@@ -93,6 +93,44 @@ func (p *Policy) Copy() *Policy {
 	return c
 }

+func (p *Policy) Equal(other *Policy) bool {
+	if p == nil || other == nil {
+		return p == other
+	}
+
+	if p.ID != other.ID ||
+		p.AccountID != other.AccountID ||
+		p.Name != other.Name ||
+		p.Description != other.Description ||
+		p.Enabled != other.Enabled {
+		return false
+	}
+
+	if !stringSlicesEqualUnordered(p.SourcePostureChecks, other.SourcePostureChecks) {
+		return false
+	}
+
+	if len(p.Rules) != len(other.Rules) {
+		return false
+	}
+
+	otherRules := make(map[string]*PolicyRule, len(other.Rules))
+	for _, r := range other.Rules {
+		otherRules[r.ID] = r
+	}
+	for _, r := range p.Rules {
+		otherRule, ok := otherRules[r.ID]
+		if !ok {
+			return false
+		}
+		if !r.Equal(otherRule) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // EventMeta returns activity event meta related to this policy
 func (p *Policy) EventMeta() map[string]any {
 	return map[string]any{"name": p.Name}
--- a/management/server/types/policy_test.go
+++ b/management/server/types/policy_test.go
@@ -0,0 +1,193 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyEqual_SameRulesDifferentOrder(t *testing.T) {
+	a := &Policy{
+		ID:        "pol1",
+		AccountID: "acc1",
+		Name:      "test",
+		Enabled:   true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+			{ID: "r2", PolicyID: "pol1", Ports: []string{"443"}},
+		},
+	}
+	b := &Policy{
+		ID:        "pol1",
+		AccountID: "acc1",
+		Name:      "test",
+		Enabled:   true,
+		Rules: []*PolicyRule{
+			{ID: "r2", PolicyID: "pol1", Ports: []string{"443"}},
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentRules(t *testing.T) {
+	a := &Policy{
+		ID:      "pol1",
+		Enabled: true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"80"}},
+		},
+	}
+	b := &Policy{
+		ID:      "pol1",
+		Enabled: true,
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1", Ports: []string{"443"}},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentRuleCount(t *testing.T) {
+	a := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+		},
+	}
+	b := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+			{ID: "r2", PolicyID: "pol1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_PostureChecksDifferentOrder(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc3", "pc1", "pc2"},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc2", "pc3"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentPostureChecks(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc2"},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		SourcePostureChecks: []string{"pc1", "pc3"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_DifferentScalarFields(t *testing.T) {
+	base := Policy{
+		ID:          "pol1",
+		AccountID:   "acc1",
+		Name:        "test",
+		Description: "desc",
+		Enabled:     true,
+	}
+
+	other := base
+	other.Name = "changed"
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Enabled = false
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Description = "changed"
+	assert.False(t, base.Equal(&other))
+}
+
+func TestPolicyEqual_NilCases(t *testing.T) {
+	var a *Policy
+	var b *Policy
+	assert.True(t, a.Equal(b))
+
+	a = &Policy{ID: "pol1"}
+	assert.False(t, a.Equal(nil))
+}
+
+func TestPolicyEqual_RulesMismatchByID(t *testing.T) {
+	a := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r1", PolicyID: "pol1"},
+		},
+	}
+	b := &Policy{
+		ID: "pol1",
+		Rules: []*PolicyRule{
+			{ID: "r2", PolicyID: "pol1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyEqual_FullScenario(t *testing.T) {
+	a := &Policy{
+		ID:                  "pol1",
+		AccountID:           "acc1",
+		Name:                "Web Access",
+		Description:         "Allow web access",
+		Enabled:             true,
+		SourcePostureChecks: []string{"pc2", "pc1"},
+		Rules: []*PolicyRule{
+			{
+				ID:            "r1",
+				PolicyID:      "pol1",
+				Name:          "HTTP",
+				Enabled:       true,
+				Action:        PolicyTrafficActionAccept,
+				Protocol:      PolicyRuleProtocolTCP,
+				Bidirectional: true,
+				Sources:       []string{"g2", "g1"},
+				Destinations:  []string{"g4", "g3"},
+				Ports:         []string{"443", "80", "8080"},
+				PortRanges: []RulePortRange{
+					{Start: 8000, End: 9000},
+					{Start: 80, End: 80},
+				},
+			},
+		},
+	}
+	b := &Policy{
+		ID:                  "pol1",
+		AccountID:           "acc1",
+		Name:                "Web Access",
+		Description:         "Allow web access",
+		Enabled:             true,
+		SourcePostureChecks: []string{"pc1", "pc2"},
+		Rules: []*PolicyRule{
+			{
+				ID:            "r1",
+				PolicyID:      "pol1",
+				Name:          "HTTP",
+				Enabled:       true,
+				Action:        PolicyTrafficActionAccept,
+				Protocol:      PolicyRuleProtocolTCP,
+				Bidirectional: true,
+				Sources:       []string{"g1", "g2"},
+				Destinations:  []string{"g3", "g4"},
+				Ports:         []string{"80", "8080", "443"},
+				PortRanges: []RulePortRange{
+					{Start: 80, End: 80},
+					{Start: 8000, End: 9000},
+				},
+			},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
--- a/management/server/types/policyrule.go
+++ b/management/server/types/policyrule.go
@@ -1,6 +1,8 @@
 package types

 import (
+	"slices"
+
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -118,3 +120,106 @@ func (pm *PolicyRule) Copy() *PolicyRule {
 	}
 	return rule
 }
+
+func (pm *PolicyRule) Equal(other *PolicyRule) bool {
+	if pm == nil || other == nil {
+		return pm == other
+	}
+
+	if pm.ID != other.ID ||
+		pm.PolicyID != other.PolicyID ||
+		pm.Name != other.Name ||
+		pm.Description != other.Description ||
+		pm.Enabled != other.Enabled ||
+		pm.Action != other.Action ||
+		pm.Bidirectional != other.Bidirectional ||
+		pm.Protocol != other.Protocol ||
+		pm.SourceResource != other.SourceResource ||
+		pm.DestinationResource != other.DestinationResource ||
+		pm.AuthorizedUser != other.AuthorizedUser {
+		return false
+	}
+
+	if !stringSlicesEqualUnordered(pm.Sources, other.Sources) {
+		return false
+	}
+	if !stringSlicesEqualUnordered(pm.Destinations, other.Destinations) {
+		return false
+	}
+	if !stringSlicesEqualUnordered(pm.Ports, other.Ports) {
+		return false
+	}
+	if !portRangeSlicesEqualUnordered(pm.PortRanges, other.PortRanges) {
+		return false
+	}
+	if !authorizedGroupsEqual(pm.AuthorizedGroups, other.AuthorizedGroups) {
+		return false
+	}
+
+	return true
+}
+
+func stringSlicesEqualUnordered(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	sorted1 := make([]string, len(a))
+	sorted2 := make([]string, len(b))
+	copy(sorted1, a)
+	copy(sorted2, b)
+	slices.Sort(sorted1)
+	slices.Sort(sorted2)
+	return slices.Equal(sorted1, sorted2)
+}
+
+func portRangeSlicesEqualUnordered(a, b []RulePortRange) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if len(a) == 0 {
+		return true
+	}
+	cmp := func(x, y RulePortRange) int {
+		if x.Start != y.Start {
+			if x.Start < y.Start {
+				return -1
+			}
+			return 1
+		}
+		if x.End != y.End {
+			if x.End < y.End {
+				return -1
+			}
+			return 1
+		}
+		return 0
+	}
+	sorted1 := make([]RulePortRange, len(a))
+	sorted2 := make([]RulePortRange, len(b))
+	copy(sorted1, a)
+	copy(sorted2, b)
+	slices.SortFunc(sorted1, cmp)
+	slices.SortFunc(sorted2, cmp)
+	return slices.EqualFunc(sorted1, sorted2, func(x, y RulePortRange) bool {
+		return x.Start == y.Start && x.End == y.End
+	})
+}
+
+func authorizedGroupsEqual(a, b map[string][]string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for k, va := range a {
+		vb, ok := b[k]
+		if !ok {
+			return false
+		}
+		if !stringSlicesEqualUnordered(va, vb) {
+			return false
+		}
+	}
+	return true
+}
--- a/management/server/types/policyrule_test.go
+++ b/management/server/types/policyrule_test.go
@@ -0,0 +1,194 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyRuleEqual_SamePortsDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "80", "22"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"22", "443", "80"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentPorts(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "80"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{"443", "22"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_SourcesDestinationsDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:           "rule1",
+		PolicyID:     "pol1",
+		Sources:      []string{"g1", "g2", "g3"},
+		Destinations: []string{"g4", "g5"},
+	}
+	b := &PolicyRule{
+		ID:           "rule1",
+		PolicyID:     "pol1",
+		Sources:      []string{"g3", "g1", "g2"},
+		Destinations: []string{"g5", "g4"},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentSources(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Sources:  []string{"g1", "g2"},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Sources:  []string{"g1", "g3"},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_PortRangesDifferentOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 8000, End: 9000},
+			{Start: 80, End: 80},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 80},
+			{Start: 8000, End: 9000},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentPortRanges(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 80},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		PortRanges: []RulePortRange{
+			{Start: 80, End: 443},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_AuthorizedGroupsDifferentValueOrder(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u1", "u2", "u3"},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u3", "u1", "u2"},
+		},
+	}
+	assert.True(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentAuthorizedGroups(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g1": {"u1"},
+		},
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		AuthorizedGroups: map[string][]string{
+			"g2": {"u1"},
+		},
+	}
+	assert.False(t, a.Equal(b))
+}
+
+func TestPolicyRuleEqual_DifferentScalarFields(t *testing.T) {
+	base := PolicyRule{
+		ID:            "rule1",
+		PolicyID:      "pol1",
+		Name:          "test",
+		Description:   "desc",
+		Enabled:       true,
+		Action:        PolicyTrafficActionAccept,
+		Bidirectional: true,
+		Protocol:      PolicyRuleProtocolTCP,
+	}
+
+	other := base
+	other.Name = "changed"
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Enabled = false
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Action = PolicyTrafficActionDrop
+	assert.False(t, base.Equal(&other))
+
+	other = base
+	other.Protocol = PolicyRuleProtocolUDP
+	assert.False(t, base.Equal(&other))
+}
+
+func TestPolicyRuleEqual_NilCases(t *testing.T) {
+	var a *PolicyRule
+	var b *PolicyRule
+	assert.True(t, a.Equal(b))
+
+	a = &PolicyRule{ID: "rule1"}
+	assert.False(t, a.Equal(nil))
+}
+
+func TestPolicyRuleEqual_EmptySlices(t *testing.T) {
+	a := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    []string{},
+		Sources:  nil,
+	}
+	b := &PolicyRule{
+		ID:       "rule1",
+		PolicyID: "pol1",
+		Ports:    nil,
+		Sources:  []string{},
+	}
+	assert.True(t, a.Equal(b))
+}
+
Author	SHA1	Message	Date
Viktor Liu	d0f9d80c3a	Harden race fan-out and fix lint	2026-04-23 18:20:55 +02:00
Viktor Liu	c102592735	[client] Drop DNS probes for passive health projection	2026-04-23 13:34:23 +02:00
Viktor Liu	801de8c68d	[client] Add TTL-based refresh to mgmt DNS cache via handler chain (#5945 )	2026-04-22 15:10:14 +02:00
Viktor Liu	a822a33240	[self-hosted] Use cscli lapi status for CrowdSec readiness in installer (#5949 )	2026-04-22 10:35:22 +02:00
Bethuel Mmbaga	57b23c5b25	[management] Propagate context changes to upstream middleware (#5956 )	2026-04-21 23:06:52 +03:00
Zoltan Papp	1165058fad	[client] fix port collision in TestUpload (#5950 ) * [debug] fix port collision in TestUpload TestUpload hardcoded :8080, so it failed deterministically when anything was already on that port and collided across concurrent test runs. Bind a :0 listener in the test to get a kernel-assigned free port, and add Server.Serve so tests can hand the listener in without reaching into unexported state. * [debug] drop test-only Server.Serve, use SERVER_ADDRESS env The previous commit added a Server.Serve method on the upload-server, used only by TestUpload. That left production with an unused function. Reserve an ephemeral loopback port in the test, release it, and pass the address through SERVER_ADDRESS (which the server already reads). A small wait helper ensures the server is accepting connections before the upload runs, so the close/rebind gap does not cause a false failure.	2026-04-21 19:07:20 +02:00
Zoltan Papp	703353d354	[flow] fix goroutine leak in TestReceive_ProtocolErrorStreamReconnect (#5951 ) The Receive goroutine could outlive the test and call t.Logf after teardown, panicking with "Log in goroutine after ... has completed". Register a cleanup that waits for the goroutine to exit; ordering is LIFO so it runs after client.Close, which is what unblocks Receive.	2026-04-21 19:06:47 +02:00
Zoltan Papp	2fb50aef6b	[client] allow UDP packet loss in TestICEBind_HandlesConcurrentMixedTraffic (#5953 ) The test writes 500 packets per family and asserted exact-count delivery within a 5s window, even though its own comment says "Some packet loss is acceptable for UDP". On FreeBSD/QEMU runners the writer loops cannot always finish all 500 before the 5s deadline closes the readers (we have seen 411/500 in CI). The real assertion of this test is the routing check — IPv4 peer only gets v4- packets, IPv6 peer only gets v6- packets — which remains strict. Replace the exact-count assertions with a >=80% delivery threshold so runner speed variance no longer causes false failures.	2026-04-21 19:05:58 +02:00
Vlad	eb3aa96257	[management] check policy for changes before actual db update (#5405 )	2026-04-21 18:37:04 +02:00
Viktor Liu	064ec1c832	[client] Trust wg interface in firewalld to bypass owner-flagged chains (#5928 )	2026-04-21 17:57:16 +02:00
Viktor Liu	75e408f51c	[client] Prefer systemd-resolved stub over file mode regardless of resolv.conf header (#5935 )	2026-04-21 17:56:56 +02:00
Zoltan Papp	5a89e6621b	[client] Supress ICE signaling (#5820 ) * [client] Suppress ICE signaling and periodic offers in force-relay mode When NB_FORCE_RELAY is enabled, skip WorkerICE creation entirely, suppress ICE credentials in offer/answer messages, disable the periodic ICE candidate monitor, and fix isConnectedOnAllWay to only check relay status so the guard stops sending unnecessary offers. * [client] Dynamically suppress ICE based on remote peer's offer credentials Track whether the remote peer includes ICE credentials in its offers/answers. When remote stops sending ICE credentials, skip ICE listener dispatch, suppress ICE credentials in responses, and exclude ICE from the guard connectivity check. When remote resumes sending ICE credentials, re-enable all ICE behavior. * [client] Fix nil SessionID panic and force ICE teardown on relay-only transition Fix nil pointer dereference in signalOfferAnswer when SessionID is nil (relay-only offers). Close stale ICE agent immediately when remote peer stops sending ICE credentials to avoid traffic black-hole during the ICE disconnect timeout. * [client] Add relay-only fallback check when ICE is unavailable Ensure the relay connection is supported with the peer when ICE is disabled to prevent connectivity issues. * [client] Add tri-state connection status to guard for smarter ICE retry (#5828) * [client] Add tri-state connection status to guard for smarter ICE retry Refactor isConnectedOnAllWay to return a ConnStatus enum (Connected, Disconnected, PartiallyConnected) instead of a boolean. When relay is up but ICE is not (PartiallyConnected), limit ICE offers to 3 retries with exponential backoff then fall back to hourly attempts, reducing unnecessary signaling traffic. Fully disconnected peers continue to retry aggressively. External events (relay/ICE disconnect, signal/relay reconnect) reset retry state to give ICE a fresh chance. * [client] Clarify guard ICE retry state and trace log trigger Split iceRetryState.attempt into shouldRetry (pure predicate) and enterHourlyMode (explicit state transition) so the caller in reconnectLoopWithRetry reads top-to-bottom. Restore the original trace-log behavior in isConnectedOnAllWay so it only logs on full disconnection, not on the new PartiallyConnected state. * [client] Extract pure evalConnStatus and add unit tests Split isConnectedOnAllWay into a thin method that snapshots state and a pure evalConnStatus helper that takes a connStatusInputs struct, so the tri-state decision logic can be exercised without constructing full Worker or Handshaker objects. Add table-driven tests covering force-relay, ICE-unavailable and fully-available code paths, plus unit tests for iceRetryState budget/hourly transitions and reset. * [client] Improve grammar in logs and refactor ICE credential checks	2026-04-21 15:52:08 +02:00
Misha Bragin	06dfa9d4a5	[management] replace mailru/easyjson with netbirdio/easyjson fork (#5938 )	2026-04-21 13:59:35 +02:00
Misha Bragin	45d9ee52c0	[self-hosted] add reverse proxy retention fields to combined YAML (#5930 )	2026-04-21 10:21:11 +02:00