From ab5c4247e515928535ab584ad7a49de8d7219d91 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Fri, 12 Jan 2024 10:58:03 +0100
Subject: [PATCH 01/20] Improve DNS-sanity check and ensure that it never
 reaches the cluster.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/resolved_linux.go | 25 +++++++----
 pkg/client/rootd/dns/server.go         | 57 ++++++++++++++++++++++----
 2 files changed, 66 insertions(+), 16 deletions(-)

diff --git a/pkg/client/rootd/dns/resolved_linux.go b/pkg/client/rootd/dns/resolved_linux.go
index 4c7c4f5d65..22ed1ce191 100644
--- a/pkg/client/rootd/dns/resolved_linux.go
+++ b/pkg/client/rootd/dns/resolved_linux.go
@@ -83,16 +83,23 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 		cmdC, cmdCancel := context.WithTimeout(c, 2*time.Second)
 		defer cmdCancel()
 		for cmdC.Err() == nil {
-			_, _ = net.DefaultResolver.LookupHost(cmdC, "jhfweoitnkgyeta."+tel2SubDomain)
-			if s.RequestCount() > 0 {
-				// The query went all way through. Start processing search paths systemd-resolved style
-				// and return nil for successful validation.
-				s.processSearchPaths(g, s.updateLinkDomains, dev)
-				return nil
-			}
-			s.flushDNS()
-			dtime.SleepWithContext(cmdC, 100*time.Millisecond)
+			go func() {
+				dlog.Debug(cmdC, "sanity-check lookup")
+				_, _ = net.DefaultResolver.LookupHost(cmdC, santiyCheck)
+				if s.RequestCount() > 0 {
+					cmdCancel()
+				}
+			}()
+			dtime.SleepWithContext(cmdC, 200*time.Millisecond)
+		}
+		<-cmdC.Done()
+		if s.RequestCount() > 0 {
+			// The query went all way through. Start processing search paths systemd-resolved style
+			// and return nil for successful validation.
+			s.processSearchPaths(g, s.updateLinkDomains, dev)
+			return nil
 		}
+		s.flushDNS()
 		dlog.Error(c, "resolver did not receive requests from systemd-resolved")
 		return errResolveDNotConfigured
 	})
diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index c4b1d7b0e7..82adecb62b 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -32,13 +32,20 @@ import (
 
 type Resolver func(context.Context, *dns.Question) (dnsproxy.RRs, int, error)
 
-// recursionCheck is a special host name in a well known namespace that isn't expected to exist. It
-// is used once for determining if the cluster's DNS resolver will call the Telepresence DNS resolver
-// recursively. This is common when the cluster is running on the local host (k3s in docker for instance).
-const recursionCheck = "tel2-recursion-check.kube-system."
-
-// defaultClusterDomain used unless traffic-manager reports otherwise.
-const defaultClusterDomain = "cluster.local."
+const (
+	// recursionCheck is a special host name in a well known namespace that isn't expected to exist. It
+	// is used once for determining if the cluster's DNS resolver will call the Telepresence DNS resolver
+	// recursively. This is common when the cluster is running on the local host (k3s in docker for instance).
+	recursionCheck = "tel2-recursion-check.kube-system."
+
+	// defaultClusterDomain used unless traffic-manager reports otherwise.
+	defaultClusterDomain = "cluster.local."
+
+	// sanityCheck is the query used when verifying that a DNS query reaches our DNS server. It should result
+	// in an increase of the requestCount but always yield an NXDOMAIN reply.
+	santiyCheck    = "jhfweoitnkgyeta." + tel2SubDomain
+	santiyCheckDot = santiyCheck + "."
+)
 
 type FallbackPool interface {
 	Exchange(context.Context, *dns.Client, *dns.Msg) (*dns.Msg, time.Duration, error)
@@ -702,6 +709,42 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}()
 
 	q := &r.Question[0]
+	atomic.AddInt64(&s.requestCount, 1)
+	if q.Name == santiyCheckDot {
+		msg := new(dns.Msg)
+		msg.SetRcode(r, dns.RcodeSuccess)
+		var rr dns.RR
+		switch q.Qtype {
+		case dns.TypeA:
+			rr = &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   q.Name,
+					Rrtype: q.Qtype,
+					Class:  q.Qclass,
+				},
+				A: localhostIPv4,
+			}
+		case dns.TypeAAAA:
+			rr = &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   q.Name,
+					Rrtype: q.Qtype,
+					Class:  q.Qclass,
+				},
+				AAAA: localhostIPv6,
+			}
+		default:
+			msg = new(dns.Msg)
+			msg.SetRcode(r, dns.RcodeNotImplemented)
+			return
+		}
+		msg.Answer = dnsproxy.RRs{rr}
+		msg.Authoritative = true
+		dlog.Debug(c, "sanity-check OK")
+		_ = w.WriteMsg(msg)
+		return
+	}
+
 	qts := dns.TypeToString[q.Qtype]
 	dlog.Debugf(c, "ServeDNS %5d %-6s %s", r.Id, qts, q.Name)
 

From c4e3af5d660882de3b75296b053641408027468e Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Fri, 12 Jan 2024 11:03:16 +0100
Subject: [PATCH 02/20] Remove search-path handling from the overriding
 DNS-resolver.

It's no longer used and will just collide with the search path used
by the cluster's own DNS-resolver.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go       | 40 +++------------
 pkg/client/rootd/dns/server_linux.go | 76 +---------------------------
 pkg/client/rootd/session.go          |  2 +-
 3 files changed, 8 insertions(+), 110 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index 82adecb62b..47d2ca0f50 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -99,10 +99,6 @@ type Server struct {
 	// Function that sends a lookup request to the traffic-manager
 	clusterLookup Resolver
 
-	// onlyNames is set to true when using a legacy traffic-manager incapable of
-	// using query types
-	onlyNames bool
-
 	error string
 
 	// ready is closed when the DNS server is fully configured
@@ -133,7 +129,7 @@ func (dv *cacheEntry) close() {
 }
 
 // NewServer returns a new dns.Server.
-func NewServer(config *rpc.DNSConfig, clusterLookup Resolver, onlyNames bool) *Server {
+func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 	if config == nil {
 		config = &rpc.DNSConfig{}
 	}
@@ -163,7 +159,6 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver, onlyNames bool) *S
 		searchPathCh:    make(chan []string, 5),
 		clusterDomain:   defaultClusterDomain,
 		clusterLookup:   clusterLookup,
-		onlyNames:       onlyNames,
 		ready:           make(chan struct{}),
 	}
 	if lt := config.LookupTimeout; lt != nil {
@@ -765,35 +760,12 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		_ = w.WriteMsg(msg)
 	}()
 
-	if s.onlyNames {
-		switch q.Qtype {
-		case dns.TypeA:
-			answer, rCode, err = s.cacheResolve(q)
-		case dns.TypeAAAA:
-			if atomic.LoadInt32(&s.recursive) == recursionDetected || q.Name == recursionCheck {
-				rCode = dns.RcodeNameError
-				break
-			}
-			q.Qtype = dns.TypeA
-			answer, rCode, err = s.cacheResolve(q)
-			q.Qtype = dns.TypeAAAA
-			if rCode == dns.RcodeSuccess {
-				// return EMPTY to indicate that dns.TypeA exists
-				answer = nil
-			}
-		default:
-			msg = new(dns.Msg)
-			msg.SetRcode(r, dns.RcodeNotImplemented)
-			return
-		}
-	} else {
-		if !dnsproxy.SupportedType(q.Qtype) {
-			msg = new(dns.Msg)
-			msg.SetRcode(r, dns.RcodeNotImplemented)
-			return
-		}
-		answer, rCode, err = s.cacheResolve(q)
+	if !dnsproxy.SupportedType(q.Qtype) {
+		msg = new(dns.Msg)
+		msg.SetRcode(r, dns.RcodeNotImplemented)
+		return
 	}
+	answer, rCode, err = s.cacheResolve(q)
 
 	if err == nil && rCode == dns.RcodeSuccess {
 		msg = new(dns.Msg)
diff --git a/pkg/client/rootd/dns/server_linux.go b/pkg/client/rootd/dns/server_linux.go
index 2d950ab5d8..5ba51430e0 100644
--- a/pkg/client/rootd/dns/server_linux.go
+++ b/pkg/client/rootd/dns/server_linux.go
@@ -10,13 +10,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/miekg/dns"
-
 	"github.com/datawire/dlib/dexec"
 	"github.com/datawire/dlib/dgroup"
 	"github.com/datawire/dlib/dlog"
 	"github.com/datawire/dlib/dtime"
-	"github.com/telepresenceio/telepresence/v2/pkg/dnsproxy"
 	"github.com/telepresenceio/telepresence/v2/pkg/forwarder"
 	"github.com/telepresenceio/telepresence/v2/pkg/iputil"
 	"github.com/telepresenceio/telepresence/v2/pkg/proc"
@@ -48,77 +45,6 @@ func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net
 	return err
 }
 
-// shouldApplySearch returns true if search path should be applied.
-func (s *Server) shouldApplySearch(query string) bool {
-	if len(s.search) == 0 {
-		return false
-	}
-
-	if query == "localhost." {
-		return false
-	}
-
-	// Don't apply search paths to the kubernetes zone
-	if strings.HasSuffix(query, "."+s.clusterDomain) {
-		return false
-	}
-
-	// Don't apply search paths if one is already there
-	for _, s := range s.search {
-		if strings.HasSuffix(query, s) {
-			return false
-		}
-	}
-
-	// Don't apply search path to namespaces or "svc".
-	query = query[:len(query)-1]
-	if lastDot := strings.LastIndexByte(query, '.'); lastDot >= 0 {
-		tld := query[lastDot+1:]
-		if _, ok := s.namespaces[tld]; ok || tld == "svc" {
-			return false
-		}
-	}
-	return true
-}
-
-// resolveInSearch is only used by the overriding resolver. It is needed because unlike other resolvers, this
-// resolver does not hook into a DNS system that handles search paths prior to the arrival of the request.
-//
-// TODO: With the DNS lookups now being done in the cluster, there's only one reason left to have a search path,
-// and that's the local-only intercepts which means that using search-paths really should be limited to that
-// use-case.
-func (s *Server) resolveInSearch(c context.Context, q *dns.Question) (dnsproxy.RRs, int, error) {
-	query := strings.ToLower(q.Name)
-
-	// Drop all known search path suffixes before sending the query to the cluster. The
-	// cluster has its own DNS resolver and its own set of search paths.
-	query = strings.TrimSuffix(query, tel2SubDomainDot)
-	for _, sfx := range s.dropSuffixes {
-		query = strings.TrimSuffix(query, sfx)
-	}
-
-	s.RLock()
-	if !s.shouldDoClusterLookup(query) {
-		s.RUnlock()
-		return nil, dns.RcodeNameError, nil
-	}
-	applySearch := s.shouldApplySearch(query)
-	s.RUnlock()
-
-	if applySearch {
-		origQuery := q.Name
-		for _, sp := range s.search {
-			q.Name = query + sp
-			if rrs, rCode, err := s.resolveInCluster(c, q); err != nil || len(rrs) > 0 {
-				q.Name = origQuery
-				return rrs, rCode, err
-			}
-		}
-		q.Name = origQuery
-	}
-	return s.resolveInCluster(c, q)
-}
-
 func (s *Server) runOverridingServer(c context.Context, dev vif.Device) error {
 	if s.localIP == nil {
 		rf, err := readResolveFile("/etc/resolv.conf")
@@ -186,7 +112,7 @@ func (s *Server) runOverridingServer(c context.Context, dev vif.Device) error {
 			s.flushDNS()
 			return nil
 		}, dev)
-		return s.Run(c, serverStarted, listeners, pool, s.resolveInSearch)
+		return s.Run(c, serverStarted, listeners, pool, s.resolveInCluster)
 	})
 
 	if proc.RunningInContainer() {
diff --git a/pkg/client/rootd/session.go b/pkg/client/rootd/session.go
index 6024ec290b..0ab2d486df 100644
--- a/pkg/client/rootd/session.go
+++ b/pkg/client/rootd/session.go
@@ -363,7 +363,7 @@ func newSession(c context.Context, mi *rpc.OutboundInfo, mc connector.ManagerPro
 		config:                  cfg,
 		done:                    make(chan struct{}),
 	}
-	s.dnsServer = dns.NewServer(mi.Dns, s.clusterLookup, false)
+	s.dnsServer = dns.NewServer(mi.Dns, s.clusterLookup)
 	s.SetSearchPath(c, nil, nil)
 	dlog.Infof(c, "also-proxy subnets %v", as)
 	dlog.Infof(c, "never-proxy subnets %v", ns)

From 3b38ebe7aeb99dc49dba905a7fbe0cf2a54eac03 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Fri, 12 Jan 2024 13:23:00 +0100
Subject: [PATCH 03/20] Fix correct DNS response when A exists but AAAA
 doesn't, or vice-versa.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go | 47 +++++++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 9 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index 47d2ca0f50..df6b3edf16 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -276,17 +276,24 @@ func (s *Server) resolveInCluster(c context.Context, q *dns.Question) (result dn
 		// But it does, so I need this in order to be
 		// productive at home.  We should really
 		// root-cause this, because it's weird.
+		hdr := dns.RR_Header{
+			Name:   q.Name,
+			Rrtype: q.Qtype,
+			Class:  q.Qclass,
+		}
 		switch q.Qtype {
 		case dns.TypeA:
 			return dnsproxy.RRs{&dns.A{
-				Hdr: dns.RR_Header{},
+				Hdr: hdr,
 				A:   localhostIPv4,
 			}}, dns.RcodeSuccess, nil
 		case dns.TypeAAAA:
 			return dnsproxy.RRs{&dns.AAAA{
-				Hdr:  dns.RR_Header{},
+				Hdr:  hdr,
 				AAAA: localhostIPv6,
 			}}, dns.RcodeSuccess, nil
+		default:
+			return nil, dns.RcodeNameError, nil
 		}
 	}
 
@@ -299,9 +306,28 @@ func (s *Server) resolveInCluster(c context.Context, q *dns.Question) (result dn
 	defer cancel()
 
 	result, rCode, err = s.clusterLookup(c, q)
+	if err != nil || rCode != dns.RcodeSuccess {
+		// For A and AAAA queries, we check if we have a successful counterpart in the cache. If we
+		// do, then this query must return NOERROR EMPTY
+		ck := cacheKey{name: q.Name, qType: dns.TypeNone}
+		switch q.Qtype {
+		case dns.TypeA:
+			ck.qType = dns.TypeAAAA
+		case dns.TypeAAAA:
+			ck.qType = dns.TypeA
+		}
+		if ck.qType != dns.TypeNone {
+			if ce, ok := s.cache.Load(ck); ok && !ce.expired() {
+				err = nil
+				rCode = dns.RcodeSuccess
+			}
+		}
+	}
 	if err != nil {
+		dlog.Debugf(c, "clusterLookup returned error: %v", err)
 		return nil, rCode, client.CheckTimeout(c, err)
 	}
+
 	// Keep the TTLs of requests resolved in the cluster low. We
 	// cache them locally anyway, but our cache is flushed when things are
 	// intercepted or the namespaces change.
@@ -560,12 +586,17 @@ func (s *Server) resolveThruCache(q *dns.Question) (dnsproxy.RRs, int, error) {
 		}
 		<-oldDv.wait
 		if !oldDv.expired() {
-			copyQType := q.Qtype
-			// If answer is a mapping, the copy type should be a CNAME.
-			if len(oldDv.answer) == 1 && oldDv.answer[0].Header().Rrtype == dns.TypeCNAME {
-				copyQType = dns.TypeCNAME
+			qTypes := []uint16{q.Qtype}
+			if q.Qtype != dns.TypeCNAME {
+				// Allow additional CNAME records if they are present.
+				for _, rr := range oldDv.answer {
+					if rr.Header().Rrtype == dns.TypeCNAME {
+						qTypes = append(qTypes, dns.TypeCNAME)
+						break
+					}
+				}
 			}
-			return copyRRs(oldDv.answer, []uint16{copyQType}), oldDv.rCode, nil
+			return copyRRs(oldDv.answer, qTypes), oldDv.rCode, nil
 		}
 		s.cache.Store(key, newDv)
 	}
@@ -743,8 +774,6 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	qts := dns.TypeToString[q.Qtype]
 	dlog.Debugf(c, "ServeDNS %5d %-6s %s", r.Id, qts, q.Name)
 
-	atomic.AddInt64(&s.requestCount, 1)
-
 	var err error
 	var rCode int
 	var answer dnsproxy.RRs

From 4ec63798f02ef4a7feb4a5ed55130aca253792dd Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 13:15:43 +0100
Subject: [PATCH 04/20] Use the name "routes" instead of "namespaces" for DNS
 routes.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/resolved_linux.go |  6 +++---
 pkg/client/rootd/dns/server.go         | 17 ++++++++++++-----
 pkg/client/rootd/dns/server_darwin.go  | 10 +++++-----
 pkg/client/rootd/dns/server_linux.go   |  6 +++---
 pkg/client/rootd/dns/server_windows.go |  6 +++---
 5 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/pkg/client/rootd/dns/resolved_linux.go b/pkg/client/rootd/dns/resolved_linux.go
index 22ed1ce191..347b43680b 100644
--- a/pkg/client/rootd/dns/resolved_linux.go
+++ b/pkg/client/rootd/dns/resolved_linux.go
@@ -107,13 +107,13 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 }
 
 func (s *Server) updateLinkDomains(c context.Context, paths []string, dev vif.Device) error {
-	namespaces := make(map[string]struct{})
+	routes := make(map[string]struct{})
 	search := make([]string, 0)
 	for i, path := range paths {
 		if strings.ContainsRune(path, '.') {
 			search = append(search, path)
 		} else {
-			namespaces[path] = struct{}{}
+			routes[path] = struct{}{}
 			// Turn namespace into a route
 			paths[i] = "~" + path
 		}
@@ -125,7 +125,7 @@ func (s *Server) updateLinkDomains(c context.Context, paths []string, dev vif.De
 	s.Lock()
 	paths = append(paths, "~"+s.clusterDomain, tel2SubDomainDot+s.clusterDomain)
 
-	s.namespaces = namespaces
+	s.routes = routes
 	s.search = search
 	s.Unlock()
 
diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index df6b3edf16..e3e5187021 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -73,10 +73,17 @@ type Server struct {
 	cacheResolve func(*dns.Question) (dnsproxy.RRs, int, error)
 	dropSuffixes []string //nolint:unused // only used on linux
 
-	// Namespaces, accessible using <service-name>.<namespace-name>
-	namespaces map[string]struct{}
-	domains    map[string]struct{}
-	search     []string
+	// routes are typically namespaces, accessible using <service-name>.<namespace-name>.
+	routes map[string]struct{}
+
+	// search are appended to a query to form new names that are then dispatched to the
+	// DNS resolver. The act of appending is not performed by this server, but rather
+	// by the system's DNS resolver before calling on this server.
+	search []string
+
+	// domains contains the sum of the include-suffixes and routes. It is currently only
+	// used by the darwin resolver to keep track of files to add or remove.
+	domains map[string]struct{}
 
 	// searchPathCh receives requests to change the search path.
 	searchPathCh chan []string
@@ -147,7 +154,7 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 	}
 	s := &Server{
 		cache:           xsync.NewMapOf[cacheKey, *cacheEntry](),
-		namespaces:      make(map[string]struct{}),
+		routes:          make(map[string]struct{}),
 		domains:         make(map[string]struct{}),
 		excludes:        config.Excludes,
 		excludeSuffixes: config.ExcludeSuffixes,
diff --git a/pkg/client/rootd/dns/server_darwin.go b/pkg/client/rootd/dns/server_darwin.go
index 3e081ef9d1..dd7c649af1 100644
--- a/pkg/client/rootd/dns/server_darwin.go
+++ b/pkg/client/rootd/dns/server_darwin.go
@@ -140,19 +140,19 @@ func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolve
 	}
 
 	// paths that contain a dot are search paths, the ones that don't are namespaces.
-	namespaces := make(map[string]struct{})
+	routes := make(map[string]struct{})
 	search := make([]string, 0)
 	for _, path := range paths {
 		if strings.ContainsRune(path, '.') {
 			search = append(search, path)
 		} else if path != "" {
-			namespaces[path] = struct{}{}
+			routes[path] = struct{}{}
 		}
 	}
 
 	// All namespaces and include suffixes become domains
-	domains := make(map[string]struct{}, len(namespaces)+len(s.includeSuffixes))
-	maps.Merge(domains, namespaces)
+	domains := make(map[string]struct{}, len(routes)+len(s.includeSuffixes))
+	maps.Merge(domains, routes)
 	for _, sfx := range s.includeSuffixes {
 		domains[strings.TrimPrefix(sfx, ".")] = struct{}{}
 	}
@@ -180,7 +180,7 @@ func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolve
 	search = append([]string{tel2SubDomainDot + s.clusterDomain}, search...)
 
 	s.search = search
-	s.namespaces = namespaces
+	s.routes = routes
 	s.domains = domains
 
 	for _, domain := range removals {
diff --git a/pkg/client/rootd/dns/server_linux.go b/pkg/client/rootd/dns/server_linux.go
index 5ba51430e0..573a32367a 100644
--- a/pkg/client/rootd/dns/server_linux.go
+++ b/pkg/client/rootd/dns/server_linux.go
@@ -96,17 +96,17 @@ func (s *Server) runOverridingServer(c context.Context, dev vif.Device) error {
 		defer close(serverDone)
 		// Server will close the listener, so no need to close it here.
 		s.processSearchPaths(g, func(c context.Context, paths []string, _ vif.Device) error {
-			namespaces := make(map[string]struct{})
+			routes := make(map[string]struct{})
 			search := make([]string, 0)
 			for _, path := range paths {
 				if strings.ContainsRune(path, '.') {
 					search = append(search, path)
 				} else if path != "" {
-					namespaces[path] = struct{}{}
+					routes[path] = struct{}{}
 				}
 			}
 			s.Lock()
-			s.namespaces = namespaces
+			s.routes = routes
 			s.search = search
 			s.Unlock()
 			s.flushDNS()
diff --git a/pkg/client/rootd/dns/server_windows.go b/pkg/client/rootd/dns/server_windows.go
index 66e0c86d3d..22fd18b993 100644
--- a/pkg/client/rootd/dns/server_windows.go
+++ b/pkg/client/rootd/dns/server_windows.go
@@ -43,7 +43,7 @@ func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net
 }
 
 func (s *Server) updateRouterDNS(c context.Context, paths []string, dev vif.Device) error {
-	namespaces := make(map[string]struct{})
+	routes := make(map[string]struct{})
 	search := []string{
 		tel2SubDomain + "." + s.clusterDomain,
 	}
@@ -52,11 +52,11 @@ func (s *Server) updateRouterDNS(c context.Context, paths []string, dev vif.Devi
 		if strings.ContainsRune(path, '.') {
 			search = append(search, path)
 		} else if path != "" {
-			namespaces[path] = struct{}{}
+			routes[path] = struct{}{}
 		}
 	}
 	s.Lock()
-	s.namespaces = namespaces
+	s.routes = routes
 	s.search = search
 	err := dev.SetDNS(c, s.clusterDomain, s.remoteIP, search)
 	s.Unlock()

From b48a4efe6ded64e8b7fde87ca46a61031db4f082 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 13:32:29 +0100
Subject: [PATCH 05/20] Simplify the flow of calls during DNS resolution.

Gets rid of a reassignment of function pointer which wasn't concurrency
protected.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go | 67 +++++++++++-----------------------
 1 file changed, 22 insertions(+), 45 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index e3e5187021..2781d8f024 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -69,8 +69,7 @@ type Server struct {
 	resolve      Resolver
 	requestCount int64
 	cache        *xsync.MapOf[cacheKey, *cacheEntry]
-	recursive    int32 // one of the recursionXXX constants declared above (unique type avoided because it just gets messy with the atomic calls)
-	cacheResolve func(*dns.Question) (dnsproxy.RRs, int, error)
+	recursive    int32    // one of the recursionXXX constants declared above (unique type avoided because it just gets messy with the atomic calls)
 	dropSuffixes []string //nolint:unused // only used on linux
 
 	// routes are typically namespaces, accessible using <service-name>.<namespace-name>.
@@ -171,7 +170,6 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 	if lt := config.LookupTimeout; lt != nil {
 		s.lookupTimeout = lt.AsDuration()
 	}
-	s.cacheResolve = s.resolveWithRecursionCheck
 	return s
 }
 
@@ -580,15 +578,17 @@ type cacheKey struct {
 	qType uint16
 }
 
-// resolveThruCache resolves the given query by first performing a cache lookup. If a cached
-// entry is found that hasn't expired, it's returned. If not, this function will call
-// resolveQuery() to resolve and store in the case.
-func (s *Server) resolveThruCache(q *dns.Question) (dnsproxy.RRs, int, error) {
+// resolveWithRecursionCheck is a special version of resolveThruCache which is only used until the
+// recursionCheck query has completed, and it has been determined whether a query that is propagated
+// to the cluster will recurse back to this resolver or not.
+func (s *Server) resolveWithRecursionCheck(q *dns.Question) (dnsproxy.RRs, int, error) {
 	newDv := &cacheEntry{wait: make(chan struct{}), created: time.Now()}
 	key := cacheKey{name: q.Name, qType: q.Qtype}
 	if oldDv, loaded := s.cache.LoadOrStore(key, newDv); loaded {
-		if atomic.LoadInt32(&s.recursive) == recursionDetected && atomic.LoadInt32(&oldDv.currentQType) == int32(q.Qtype) {
-			// We have to assume that this is a recursion from the cluster.
+		if strings.HasPrefix(q.Name, recursionCheck) {
+			atomic.StoreInt32(&s.recursive, recursionDetected)
+		}
+		if atomic.LoadInt32(&s.recursive) == recursionDetected {
 			return nil, dns.RcodeNameError, nil
 		}
 		<-oldDv.wait
@@ -607,7 +607,17 @@ func (s *Server) resolveThruCache(q *dns.Question) (dnsproxy.RRs, int, error) {
 		}
 		s.cache.Store(key, newDv)
 	}
-	return s.resolveQuery(q, newDv)
+
+	answer, rCode, err := s.resolveQuery(q, newDv)
+	if strings.HasPrefix(q.Name, recursionCheck) {
+		if atomic.LoadInt32(&s.recursive) == recursionDetected {
+			dlog.Debug(s.ctx, "DNS resolver is recursive")
+		} else {
+			atomic.StoreInt32(&s.recursive, recursionNotDetected)
+			dlog.Debug(s.ctx, "DNS resolver is not recursive")
+		}
+	}
+	return answer, rCode, err
 }
 
 func (s *Server) resolveThruCacheWithUnqualifiedHostName(q *dns.Question) (dnsproxy.RRs, int, error) {
@@ -626,7 +636,7 @@ func (s *Server) resolveThruCacheWithUnqualifiedHostName(q *dns.Question) (dnspr
 		q.Name = uhm
 	}
 
-	rrs, rCode, err := s.resolveThruCache(q)
+	rrs, rCode, err := s.resolveWithRecursionCheck(q)
 
 	// Restore the original query name which was stripped before, or the response won't be formed correctly.
 	if uhm != "" {
@@ -639,39 +649,6 @@ func (s *Server) resolveThruCacheWithUnqualifiedHostName(q *dns.Question) (dnspr
 	return rrs, rCode, err
 }
 
-// resolveWithRecursionCheck is a special version of resolveThruCache which is only used until the
-// recursionCheck query has completed, and it has been determined whether a query that is propagated
-// to the cluster will recurse back to this resolver or not.
-func (s *Server) resolveWithRecursionCheck(q *dns.Question) (dnsproxy.RRs, int, error) {
-	newDv := &cacheEntry{wait: make(chan struct{}), created: time.Now()}
-	key := cacheKey{name: q.Name, qType: q.Qtype}
-	if oldDv, loaded := s.cache.LoadOrStore(key, newDv); loaded {
-		if strings.HasPrefix(q.Name, recursionCheck) {
-			atomic.StoreInt32(&s.recursive, recursionDetected)
-		}
-		if atomic.LoadInt32(&s.recursive) == recursionDetected {
-			return nil, dns.RcodeNameError, nil
-		}
-		<-oldDv.wait
-		if !oldDv.expired() {
-			return copyRRs(oldDv.answer, []uint16{q.Qtype}), oldDv.rCode, nil
-		}
-		s.cache.Store(key, newDv)
-	}
-
-	answer, rCode, err := s.resolveQuery(q, newDv)
-	if strings.HasPrefix(q.Name, recursionCheck) {
-		if atomic.LoadInt32(&s.recursive) == recursionDetected {
-			dlog.Debug(s.ctx, "DNS resolver is recursive")
-		} else {
-			atomic.StoreInt32(&s.recursive, recursionNotDetected)
-			dlog.Debug(s.ctx, "DNS resolver is not recursive")
-		}
-		s.cacheResolve = s.resolveThruCacheWithUnqualifiedHostName
-	}
-	return answer, rCode, err
-}
-
 // dfs is a func that implements the fmt.Stringer interface. Used in log statements to ensure
 // that the function isn't evaluated until the log output is formatted (which will happen only
 // if the given loglevel is enabled).
@@ -801,7 +778,7 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		msg.SetRcode(r, dns.RcodeNotImplemented)
 		return
 	}
-	answer, rCode, err = s.cacheResolve(q)
+	answer, rCode, err = s.resolveThruCacheWithUnqualifiedHostName(q)
 
 	if err == nil && rCode == dns.RcodeSuccess {
 		msg = new(dns.Msg)

From 187a6d28b05edc4cf43a6bf07a3710ffd6de9511 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 13:37:37 +0100
Subject: [PATCH 06/20] Use an exported constant for DNS
 DefaultExcludeSuffixes.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index 2781d8f024..dd7891f854 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -61,6 +61,15 @@ const (
 	recursionTestInProgress
 )
 
+//nolint:gochecknoglobals // constant
+var DefaultExcludeSuffixes = []string{
+	".com",
+	".io",
+	".net",
+	".org",
+	".ru",
+}
+
 // Server is a DNS server which implements the github.com/miekg/dns Handler interface.
 type Server struct {
 	sync.RWMutex
@@ -140,13 +149,7 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 		config = &rpc.DNSConfig{}
 	}
 	if len(config.ExcludeSuffixes) == 0 {
-		config.ExcludeSuffixes = []string{
-			".com",
-			".io",
-			".net",
-			".org",
-			".ru",
-		}
+		config.ExcludeSuffixes = DefaultExcludeSuffixes
 	}
 	if config.LookupTimeout.AsDuration() <= 0 {
 		config.LookupTimeout = durationpb.New(8 * time.Second)

From 49a0878d467e37f37d9d2aeac632d06d3730c019 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 13:49:05 +0100
Subject: [PATCH 07/20] Let clusters LookupIP return NXNAME when it finds zero
 IPs or errors

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/session.go | 14 ++++++++++++--
 pkg/dnsproxy/lookup.go      | 11 +++++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/pkg/client/rootd/session.go b/pkg/client/rootd/session.go
index 0ab2d486df..81c10ee663 100644
--- a/pkg/client/rootd/session.go
+++ b/pkg/client/rootd/session.go
@@ -383,10 +383,20 @@ func (s *Session) clusterLookup(ctx context.Context, q *dns2.Question) (dnsproxy
 	})
 	if err != nil {
 		s.dnsFailures++
-		return nil, dns2.RcodeServerFailure, err
+		rCode := dns2.RcodeServerFailure
+		switch status.Code(err) {
+		case codes.Unavailable, codes.DeadlineExceeded:
+			rCode = dns2.RcodeNameError
+			err = nil
+		}
+		return nil, rCode, err
 	}
 	answer, rCode, err := dnsproxy.FromRPC(r)
-	if err == nil && len(s.localTranslationSubnets) > 0 {
+	if err != nil {
+		s.dnsFailures++
+		return nil, dns2.RcodeServerFailure, err
+	}
+	if len(s.localTranslationSubnets) > 0 {
 		for _, rr := range answer {
 			switch rr := rr.(type) {
 			case *dns2.A:
diff --git a/pkg/dnsproxy/lookup.go b/pkg/dnsproxy/lookup.go
index d8521d1c05..4a3daded45 100644
--- a/pkg/dnsproxy/lookup.go
+++ b/pkg/dnsproxy/lookup.go
@@ -170,6 +170,13 @@ func lookupIP(ctx context.Context, network, qName string, r *net.Resolver) ([]ne
 		dlog.Errorf(ctx, "LookupIP failed, trying LookupIP %q", qName)
 		ips, err = r.LookupIP(ctx, network, qName)
 	}
+	if err == nil && len(ips) == 0 {
+		err = &net.DNSError{
+			Err:        "no such host",
+			Name:       name,
+			IsNotFound: true,
+		}
+	}
 	return ips, err
 }
 
@@ -180,9 +187,9 @@ func makeError(err error) (RRs, int, error) {
 		case dnsErr.IsNotFound:
 			return nil, dns.RcodeNameError, nil
 		case dnsErr.IsTemporary:
-			return nil, dns.RcodeServerFailure, status.Error(codes.Unavailable, dnsErr.Error())
+			return nil, dns.RcodeNameError, status.Error(codes.Unavailable, dnsErr.Error())
 		case dnsErr.IsTimeout:
-			return nil, dns.RcodeServerFailure, status.Error(codes.DeadlineExceeded, dnsErr.Error())
+			return nil, dns.RcodeNameError, status.Error(codes.DeadlineExceeded, dnsErr.Error())
 		}
 	}
 	return nil, dns.RcodeServerFailure, status.Error(codes.Internal, err.Error())

From ca316141c06a86f995d5b55b7cf17d668f1d494e Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 13:50:29 +0100
Subject: [PATCH 08/20] An intercept no longer changes DNS, so there's no point
 to wait for it.

Historically, the Telepresence DNS would not find single-label service
names until an intercept was active, and code was in place to verify
that this DNS-change took place. Now, with a connection tied to a
specific namespace, this no longer happens and the wait is therefore
pointless.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/userd/trafficmgr/intercept.go | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/pkg/client/userd/trafficmgr/intercept.go b/pkg/client/userd/trafficmgr/intercept.go
index 011b01b470..7d83839fc8 100644
--- a/pkg/client/userd/trafficmgr/intercept.go
+++ b/pkg/client/userd/trafficmgr/intercept.go
@@ -18,7 +18,6 @@ import (
 
 	"github.com/datawire/dlib/dgroup"
 	"github.com/datawire/dlib/dlog"
-	"github.com/datawire/dlib/dtime"
 	"github.com/telepresenceio/telepresence/rpc/v2/common"
 	rpc "github.com/telepresenceio/telepresence/rpc/v2/connector"
 	"github.com/telepresenceio/telepresence/rpc/v2/daemon"
@@ -28,7 +27,6 @@ import (
 	"github.com/telepresenceio/telepresence/v2/pkg/client/docker"
 	"github.com/telepresenceio/telepresence/v2/pkg/client/remotefs"
 	"github.com/telepresenceio/telepresence/v2/pkg/client/userd"
-	"github.com/telepresenceio/telepresence/v2/pkg/dnsproxy"
 	"github.com/telepresenceio/telepresence/v2/pkg/errcat"
 	"github.com/telepresenceio/telepresence/v2/pkg/forwarder"
 	"github.com/telepresenceio/telepresence/v2/pkg/iputil"
@@ -641,9 +639,6 @@ func (s *session) AddIntercept(c context.Context, ir *rpc.CreateInterceptRequest
 				continue
 			}
 			result.InterceptInfo = ii
-			if !waitForDNS(c, spec.ServiceName) {
-				dlog.Warningf(c, "DNS cannot resolve name of intercepted %q service", spec.ServiceName)
-			}
 			select {
 			case <-c.Done():
 				return InterceptError(common.InterceptError_FAILED_TO_ESTABLISH, client.CheckTimeout(c, c.Err()))
@@ -666,21 +661,6 @@ func (s *session) InterceptEpilog(context.Context, *rpc.CreateInterceptRequest,
 	return nil
 }
 
-func waitForDNS(c context.Context, host string) bool {
-	c, cancel := context.WithTimeout(c, 12*time.Second)
-	defer cancel()
-	for c.Err() == nil {
-		dtime.SleepWithContext(c, 200*time.Millisecond)
-		dlog.Debugf(c, "Attempting to resolve DNS for %s", host)
-		ips := dnsproxy.TimedExternalLookup(c, host, 5*time.Second)
-		if len(ips) > 0 {
-			dlog.Debugf(c, "Attempt succeeded, DNS for %s is %v", host, ips)
-			return true
-		}
-	}
-	return false
-}
-
 // RemoveIntercept removes one intercept by name.
 func (s *session) RemoveIntercept(c context.Context, name string) error {
 	dlog.Debugf(c, "Removing intercept %s", name)

From ed464d764c84a94af1335b250c070193b9f9f07d Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:07:44 +0100
Subject: [PATCH 09/20] Unify handling of search paths for all OSes.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/resolved_linux.go | 42 +++++++++++-----------
 pkg/client/rootd/dns/server.go         | 49 +++++++++++++-------------
 pkg/client/rootd/dns/server_darwin.go  | 35 +++++-------------
 pkg/client/rootd/dns/server_linux.go   | 20 +++--------
 pkg/client/rootd/dns/server_windows.go | 24 ++++---------
 5 files changed, 68 insertions(+), 102 deletions(-)

diff --git a/pkg/client/rootd/dns/resolved_linux.go b/pkg/client/rootd/dns/resolved_linux.go
index 347b43680b..971cb8caed 100644
--- a/pkg/client/rootd/dns/resolved_linux.go
+++ b/pkg/client/rootd/dns/resolved_linux.go
@@ -64,8 +64,11 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 		// Some installation have default DNS configured with ~. routing path.
 		// If two interfaces with DefaultRoute: yes present, the one with the
 		// routing key used and SanityCheck fails. Hence, tel2SubDomain
-		// must be used as a routing key.
-		if err = s.updateLinkDomains(c, []string{tel2SubDomain}, dev); err != nil {
+		// must be used as a route.
+		s.Lock()
+		s.routes = map[string]struct{}{tel2SubDomain: {}}
+		s.Unlock()
+		if err = s.updateLinkDomains(c, dev); err != nil {
 			dlog.Error(c, err)
 			initDone <- struct{}{}
 			return errResolveDNotConfigured
@@ -106,27 +109,26 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 	return g.Wait()
 }
 
-func (s *Server) updateLinkDomains(c context.Context, paths []string, dev vif.Device) error {
-	routes := make(map[string]struct{})
-	search := make([]string, 0)
-	for i, path := range paths {
-		if strings.ContainsRune(path, '.') {
-			search = append(search, path)
-		} else {
-			routes[path] = struct{}{}
-			// Turn namespace into a route
-			paths[i] = "~" + path
-		}
+func (s *Server) updateLinkDomains(c context.Context, dev vif.Device) error {
+	s.Lock()
+	paths := make([]string, len(s.routes)+len(s.search)+len(s.includeSuffixes)+1)
+
+	// Namespaces are copied verbatim. Entries that aren't prefixed with "~" are considered search path entries.
+	copy(paths, s.search)
+	i := len(s.search)
+	for ns := range s.routes {
+		paths[i] = "~" + ns
+		i++
 	}
+
+	// Include-suffixes are routes, i.e. in contrast to search paths, they are never appended to the name, but
+	// used as a filter that will direct queries for names ending with them to this resolver. Routes must be
+	// prefixed with "~".
 	for _, sfx := range s.includeSuffixes {
-		paths = append(paths, "~"+strings.TrimPrefix(sfx, "."))
+		paths[i] = "~" + strings.TrimPrefix(sfx, ".")
+		i++
 	}
-
-	s.Lock()
-	paths = append(paths, "~"+s.clusterDomain, tel2SubDomainDot+s.clusterDomain)
-
-	s.routes = routes
-	s.search = search
+	paths[i] = "~" + s.clusterDomain
 	s.Unlock()
 
 	if err := dbus.SetLinkDomains(dcontext.HardContext(c), int(dev.Index()), paths...); err != nil {
diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index dd7891f854..dd52a68a00 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -488,23 +488,10 @@ func newLocalUDPListener(c context.Context) (net.PacketConn, error) {
 	return lc.ListenPacket(c, "udp", "127.0.0.1:0")
 }
 
-func (s *Server) processSearchPaths(g *dgroup.Group, processor func(context.Context, []string, vif.Device) error, dev vif.Device) {
-	g.Go("RecursionCheck", func(c context.Context) error {
-		if dev != nil {
-			s.RLock()
-			_ = dev.SetDNS(c, s.clusterDomain, s.remoteIP, []string{tel2SubDomain})
-			s.RUnlock()
-		}
-		if runtime.GOOS == "windows" {
-			// Give the DNS setting some time to take effect.
-			dtime.SleepWithContext(c, 500*time.Millisecond)
-		}
-		s.performRecursionCheck(c)
-		return nil
-	})
-
+func (s *Server) processSearchPaths(g *dgroup.Group, processor func(context.Context, vif.Device) error, dev vif.Device) {
 	g.Go("SearchPaths", func(c context.Context) error {
-		var prevPaths []string
+		s.performRecursionCheck(c)
+		prevPaths := s.search
 		unchanged := func(paths []string) bool {
 			if len(paths) != len(prevPaths) {
 				return false
@@ -522,18 +509,32 @@ func (s *Server) processSearchPaths(g *dgroup.Group, processor func(context.Cont
 			case <-c.Done():
 				return nil
 			case paths := <-s.searchPathCh:
-				if len(s.searchPathCh) > 0 {
-					// Only interested in the last one
+				// Only interested in the last one, and only if it differs
+				if len(s.searchPathCh) > 0 || unchanged(paths) {
 					continue
 				}
-				if !unchanged(paths) {
-					dlog.Debugf(c, "%v -> %v", prevPaths, paths)
-					prevPaths = make([]string, len(paths))
-					copy(prevPaths, paths)
-					if err := processor(c, paths, dev); err != nil {
-						return err
+
+				dlog.Debugf(c, "%v -> %v", prevPaths, paths)
+				prevPaths = make([]string, len(paths))
+				copy(prevPaths, paths)
+
+				routes := make(map[string]struct{})
+				search := make([]string, 0)
+				for _, path := range paths {
+					if path == tel2SubDomain || strings.ContainsRune(path, '.') {
+						search = append(search, path)
+					} else if path != "" {
+						routes[path] = struct{}{}
 					}
 				}
+				s.Lock()
+				s.routes = routes
+				s.search = search
+				s.Unlock()
+
+				if err := processor(c, dev); err != nil {
+					return err
+				}
 			}
 		}
 	})
diff --git a/pkg/client/rootd/dns/server_darwin.go b/pkg/client/rootd/dns/server_darwin.go
index dd7c649af1..04123c9d54 100644
--- a/pkg/client/rootd/dns/server_darwin.go
+++ b/pkg/client/rootd/dns/server_darwin.go
@@ -105,8 +105,8 @@ func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net
 	// Start local DNS server
 	g := dgroup.NewGroup(c, dgroup.GroupConfig{})
 	g.Go("Server", func(c context.Context) error {
-		s.processSearchPaths(g, func(c context.Context, paths []string, _ vif.Device) error {
-			return s.updateResolverFiles(c, resolverDirName, resolverFileName, dnsAddr, paths)
+		s.processSearchPaths(g, func(c context.Context, _ vif.Device) error {
+			return s.updateResolverFiles(c, resolverDirName, resolverFileName, dnsAddr)
 		}, dev)
 		// Server will close the listener, so no need to close it here.
 		return s.Run(c, make(chan struct{}), []net.PacketConn{listener}, nil, s.resolveInCluster)
@@ -132,34 +132,22 @@ func (s *Server) removeResolverFiles(c context.Context, resolverDirName string)
 	return nil
 }
 
-func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolverFileName string, dnsAddr *net.UDPAddr, paths []string) error {
-	dlog.Infof(c, "setting search paths %s", strings.Join(paths, " "))
+func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolverFileName string, dnsAddr *net.UDPAddr) error {
 	rf, err := readResolveFile(resolverFileName)
 	if err != nil {
 		return err
 	}
+	s.Lock()
+	defer s.Unlock()
 
-	// paths that contain a dot are search paths, the ones that don't are namespaces.
-	routes := make(map[string]struct{})
-	search := make([]string, 0)
-	for _, path := range paths {
-		if strings.ContainsRune(path, '.') {
-			search = append(search, path)
-		} else if path != "" {
-			routes[path] = struct{}{}
-		}
-	}
+	// All routes and include suffixes become domains
 
-	// All namespaces and include suffixes become domains
-	domains := make(map[string]struct{}, len(routes)+len(s.includeSuffixes))
-	maps.Merge(domains, routes)
+	domains := make(map[string]struct{}, len(s.routes)+len(s.includeSuffixes))
+	maps.Merge(domains, s.routes)
 	for _, sfx := range s.includeSuffixes {
 		domains[strings.TrimPrefix(sfx, ".")] = struct{}{}
 	}
 
-	s.Lock()
-	defer s.Unlock()
-
 	// On Darwin, we provide resolution of NAME.NAMESPACE by adding one domain
 	// for each namespace in its own domain file under /etc/resolver. Each file
 	// is named "telepresence.<domain>.local"
@@ -176,11 +164,6 @@ func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolve
 			additions = append(additions, domain)
 		}
 	}
-
-	search = append([]string{tel2SubDomainDot + s.clusterDomain}, search...)
-
-	s.search = search
-	s.routes = routes
 	s.domains = domains
 
 	for _, domain := range removals {
@@ -203,7 +186,7 @@ func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolve
 		}
 	}
 
-	rf.setSearchPaths(search...)
+	rf.setSearchPaths(s.search...)
 
 	// Versions prior to Big Sur will not trigger an update unless the resolver file
 	// is removed and recreated.
diff --git a/pkg/client/rootd/dns/server_linux.go b/pkg/client/rootd/dns/server_linux.go
index 573a32367a..eea0d92fbf 100644
--- a/pkg/client/rootd/dns/server_linux.go
+++ b/pkg/client/rootd/dns/server_linux.go
@@ -23,7 +23,10 @@ import (
 
 const (
 	maxRecursionTestRetries = 10
-	recursionTestTimeout    = 500 * time.Millisecond
+
+	// We use a fairly short delay here because if DNS recursion is a thing, then the cluster's DNS-server
+	// has access to the caller host's network, so it runs locally in a Docker container or similar.
+	recursionTestTimeout = 200 * time.Millisecond
 )
 
 var errResolveDNotConfigured = errors.New("resolved not configured")
@@ -95,20 +98,7 @@ func (s *Server) runOverridingServer(c context.Context, dev vif.Device) error {
 	g.Go("Server", func(c context.Context) error {
 		defer close(serverDone)
 		// Server will close the listener, so no need to close it here.
-		s.processSearchPaths(g, func(c context.Context, paths []string, _ vif.Device) error {
-			routes := make(map[string]struct{})
-			search := make([]string, 0)
-			for _, path := range paths {
-				if strings.ContainsRune(path, '.') {
-					search = append(search, path)
-				} else if path != "" {
-					routes[path] = struct{}{}
-				}
-			}
-			s.Lock()
-			s.routes = routes
-			s.search = search
-			s.Unlock()
+		s.processSearchPaths(g, func(c context.Context, _ vif.Device) error {
 			s.flushDNS()
 			return nil
 		}, dev)
diff --git a/pkg/client/rootd/dns/server_windows.go b/pkg/client/rootd/dns/server_windows.go
index 22fd18b993..080891c1db 100644
--- a/pkg/client/rootd/dns/server_windows.go
+++ b/pkg/client/rootd/dns/server_windows.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"strings"
 	"time"
 
 	"github.com/datawire/dlib/dgroup"
@@ -33,32 +32,23 @@ func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net
 		// No need to close listener. It's closed by the dns server.
 		defer func() {
 			c, cancel := context.WithTimeout(context.WithoutCancel(c), 5*time.Second)
+			s.Lock()
 			_ = dev.SetDNS(c, s.clusterDomain, s.remoteIP, nil)
+			s.Unlock()
 			cancel()
 		}()
+		if err := s.updateRouterDNS(c, dev); err != nil {
+			return err
+		}
 		s.processSearchPaths(g, s.updateRouterDNS, dev)
 		return s.Run(c, make(chan struct{}), []net.PacketConn{listener}, nil, s.resolveInCluster)
 	})
 	return g.Wait()
 }
 
-func (s *Server) updateRouterDNS(c context.Context, paths []string, dev vif.Device) error {
-	routes := make(map[string]struct{})
-	search := []string{
-		tel2SubDomain + "." + s.clusterDomain,
-	}
-
-	for _, path := range paths {
-		if strings.ContainsRune(path, '.') {
-			search = append(search, path)
-		} else if path != "" {
-			routes[path] = struct{}{}
-		}
-	}
+func (s *Server) updateRouterDNS(c context.Context, dev vif.Device) error {
 	s.Lock()
-	s.routes = routes
-	s.search = search
-	err := dev.SetDNS(c, s.clusterDomain, s.remoteIP, search)
+	err := dev.SetDNS(c, s.clusterDomain, s.remoteIP, s.search)
 	s.Unlock()
 	s.flushDNS()
 	if err != nil {

From 9a0320489201812f22934fe58e70d2ae6c40a41a Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:13:19 +0100
Subject: [PATCH 10/20] Ensure that iptables-legacy is imported to the
 telepresence client image

Also adds logging to IP-tables command used by overriding DNS resolver.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 build-aux/docker/images/Dockerfile.client | 4 +++-
 pkg/client/rootd/dns/server_linux.go      | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/build-aux/docker/images/Dockerfile.client b/build-aux/docker/images/Dockerfile.client
index 87b41b7ca8..87064d0d90 100644
--- a/build-aux/docker/images/Dockerfile.client
+++ b/build-aux/docker/images/Dockerfile.client
@@ -41,7 +41,9 @@ RUN setcap 'cap_net_bind_service+ep' /usr/local/bin/telepresence
 # The telepresence target is the one that gets published. It aims to be a small as possible.
 FROM alpine as telepresence
 
-RUN apk add --no-cache ca-certificates iptables bash
+RUN apk add --no-cache ca-certificates iptables iptables-legacy bash
+RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
+RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
 
 # the telepresence binary
 COPY --from=telepresence-build /usr/local/bin/telepresence /usr/local/bin
diff --git a/pkg/client/rootd/dns/server_linux.go b/pkg/client/rootd/dns/server_linux.go
index eea0d92fbf..f5f0d95366 100644
--- a/pkg/client/rootd/dns/server_linux.go
+++ b/pkg/client/rootd/dns/server_linux.go
@@ -239,7 +239,7 @@ func runNatTableCmd(c context.Context, args ...string) error {
 	// want to leave things in a half-cleaned-up state.
 	args = append([]string{"-t", "nat"}, args...)
 	cmd := dexec.CommandContext(c, "iptables", args...)
-	cmd.DisableLogging = true
+	cmd.DisableLogging = dlog.MaxLogLevel(c) < dlog.LogLevelDebug
 	dlog.Debug(c, shellquote.ShellString("iptables", args))
 	return cmd.Run()
 }

From bc7cb29fd3e67de8ca5bfaafb9bdad2bba103d70 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:16:46 +0100
Subject: [PATCH 11/20] Improve DNS-servers handling of recursion and the
 tel2-search domain.

Rewrites part of the logic to make it more consistent. The tel2-search
domain is now caught early on and removed so that the remaining logic
can safely disregard it. More states were added to the recursion
detection logic to make it more reliable.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go      | 662 +++++++++++++++-------------
 pkg/client/rootd/dns/server_test.go |  71 ++-
 2 files changed, 404 insertions(+), 329 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index dd52a68a00..e5b85627de 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"runtime"
 	"slices"
 	"strings"
 	"sync"
@@ -33,11 +32,6 @@ import (
 type Resolver func(context.Context, *dns.Question) (dnsproxy.RRs, int, error)
 
 const (
-	// recursionCheck is a special host name in a well known namespace that isn't expected to exist. It
-	// is used once for determining if the cluster's DNS resolver will call the Telepresence DNS resolver
-	// recursively. This is common when the cluster is running on the local host (k3s in docker for instance).
-	recursionCheck = "tel2-recursion-check.kube-system."
-
 	// defaultClusterDomain used unless traffic-manager reports otherwise.
 	defaultClusterDomain = "cluster.local."
 
@@ -45,6 +39,10 @@ const (
 	// in an increase of the requestCount but always yield an NXDOMAIN reply.
 	santiyCheck    = "jhfweoitnkgyeta." + tel2SubDomain
 	santiyCheckDot = santiyCheck + "."
+
+	// dnsTTL is the number of seconds that a found DNS record should be allowed to live in the callers cache. We
+	// keep this low to avoid such caching.
+	dnsTTL = 4
 )
 
 type FallbackPool interface {
@@ -56,9 +54,10 @@ type FallbackPool interface {
 
 const (
 	_ = int32(iota)
+	recursionQueryNotYetReceived
+	recursionQueryReceived
 	recursionNotDetected
 	recursionDetected
-	recursionTestInProgress
 )
 
 //nolint:gochecknoglobals // constant
@@ -199,71 +198,89 @@ var (
 	localhostIPv6 = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1} //nolint:gochecknoglobals // constant
 )
 
-func (s *Server) tel2SubDomainHostname(query string) string {
-	// Has to be trimmed since value for an unqualified hostname can be :
-	// - <hostname>.tel2-search.cluster.local
-	s.RLock()
-	uqHostSuffix := "." + tel2SubDomainDot + s.clusterDomain
-	s.RUnlock()
-	if strings.HasSuffix(query, uqHostSuffix) {
-		return strings.TrimSuffix(query, uqHostSuffix) + "."
-	}
-	return ""
-}
-
 func (s *Server) shouldDoClusterLookup(query string) bool {
+	name := query[:len(query)-1] // skip last dot
 	if strings.HasPrefix(query, wpadDot) {
 		// Reject "wpad.*"
+		dlog.Debugf(s.ctx, `Cluster DNS excluded by exclude-prefix "wpad." for name %q`, name)
 		return false
 	}
 
-	if strings.HasSuffix(query, "."+s.clusterDomain) && strings.Count(query, ".") < 4 {
-		// Reject "<label>.cluster.local."
+	if s.isExcluded(name) {
+		// Reject any host explicitly added to the exclude list.
+		dlog.Debugf(s.ctx, "Cluster DNS explicitly excluded for name %q", name)
 		return false
 	}
 
-	if s.isExcluded(query) {
-		// Reject any host explicitly added to the exclude list.
-		return false
+	if !strings.ContainsRune(name, '.') {
+		// Single label names are always included.
+		dlog.Debugf(s.ctx, "Cluster DNS included for single label name %q", name)
+		return true
 	}
 
-	query = query[:len(query)-1] // skip last dot
+	// Skip configured exclude-suffixes unless also matched by an include-suffix
+	// that is longer (i.e. more specific).
+	for _, es := range s.excludeSuffixes {
+		if strings.HasSuffix(name, es) {
+			// Exclude unless more specific include.
+			for _, is := range s.includeSuffixes {
+				if len(is) >= len(es) && strings.HasSuffix(name, is) {
+					dlog.Debugf(s.ctx,
+						"Cluster DNS included by include-suffix %q (overriding exclude-suffix %q) for name %q", is, es, name)
+					return true
+				}
+			}
+			dlog.Debugf(s.ctx, "Cluster DNS excluded by exclude-suffix %q for name %q", es, name)
+			return false
+		}
+	}
 
-	if strings.Contains(query, "."+tel2SubDomainDot) {
-		// Reject "xxx.tel2-search.xxx" (we know it doesn't end with tel2SubDomain because we just removed the last dot)
-		// Addresses like that can come into existence if the daemon runs in a docker container
-		// with --dns-search tel2-search and docker in turn uses a DNS server from a VPN that
-		// applies search paths to multi-label names.
-		// Example when using Tailscape: hello.default.tel2-search.tailbfa9e.ts.net.
-		return false
+	// Always include configured search paths
+	for _, sfx := range s.search {
+		if strings.HasSuffix(name, sfx) {
+			dlog.Debugf(s.ctx, "Cluster DNS included by search %q of name %q", sfx, name)
+			return true
+		}
 	}
 
-	// Always include configured includeSuffixes
-	for _, sfx := range s.includeSuffixes {
-		if strings.HasSuffix(query, sfx) {
+	// Always include configured routes
+	for sfx := range s.routes {
+		if strings.HasSuffix(name, sfx) {
+			dlog.Debugf(s.ctx, "Cluster DNS included by namespace %q of name %q", sfx, name)
 			return true
 		}
 	}
 
-	// Skip configured excludeSuffixes
-	for _, sfx := range s.excludeSuffixes {
-		if strings.HasSuffix(query, sfx) {
-			return false
+	// Always include queries for the cluster domain.
+	if strings.HasSuffix(query, "."+s.clusterDomain) {
+		dlog.Debugf(s.ctx, "Cluster DNS included by cluster domain %q of name %q", s.clusterDomain, name)
+		return true
+	}
+
+	// Always include configured includeSuffixes
+	for _, sfx := range s.includeSuffixes {
+		if strings.HasSuffix(name, sfx) {
+			dlog.Debugf(s.ctx,
+				"Cluster DNS included by include-suffix %q for name %q", sfx, name)
+			return true
 		}
 	}
-	return true
+
+	// Pass any queries for the cluster domain.
+	dlog.Debugf(s.ctx, "Cluster DNS excluded for name %q. No inclusion rule was matched", name)
+	return false
 }
 
-func (s *Server) isExcluded(query string) bool {
-	qLen := len(query)
-	if slice.Contains(s.excludes, query[:qLen-1]) {
+func (s *Server) isExcluded(name string) bool {
+	if slice.Contains(s.excludes, name) {
 		return true
 	}
 
 	// When intercepting, this function will potentially receive the hostname of any search param, so their
 	// unqualified hostname should be evaluated too.
+	qLen := len(name)
 	for _, sp := range s.search {
-		if strings.HasSuffix(query, sp) && slice.Contains(s.excludes, query[:qLen-len(sp)-1]) {
+		if strings.HasSuffix(name, "."+sp) && slice.Contains(s.excludes, name[:qLen-len(sp)-1]) {
 			return true
 		}
 	}
@@ -271,11 +288,7 @@ func (s *Server) isExcluded(query string) bool {
 }
 
 func (s *Server) resolveInCluster(c context.Context, q *dns.Question) (result dnsproxy.RRs, rCode int, err error) {
-	origQuery := q.Name
-	query := strings.ToLower(origQuery)
-	query = strings.TrimSuffix(query, tel2SubDomainDot)
-	q.Name = query
-
+	query := q.Name
 	if query == "localhost." {
 		// BUG(lukeshu): I have no idea why a lookup
 		// for localhost even makes it to here on my
@@ -314,25 +327,7 @@ func (s *Server) resolveInCluster(c context.Context, q *dns.Question) (result dn
 	defer cancel()
 
 	result, rCode, err = s.clusterLookup(c, q)
-	if err != nil || rCode != dns.RcodeSuccess {
-		// For A and AAAA queries, we check if we have a successful counterpart in the cache. If we
-		// do, then this query must return NOERROR EMPTY
-		ck := cacheKey{name: q.Name, qType: dns.TypeNone}
-		switch q.Qtype {
-		case dns.TypeA:
-			ck.qType = dns.TypeAAAA
-		case dns.TypeAAAA:
-			ck.qType = dns.TypeA
-		}
-		if ck.qType != dns.TypeNone {
-			if ce, ok := s.cache.Load(ck); ok && !ce.expired() {
-				err = nil
-				rCode = dns.RcodeSuccess
-			}
-		}
-	}
 	if err != nil {
-		dlog.Debugf(c, "clusterLookup returned error: %v", err)
 		return nil, rCode, client.CheckTimeout(c, err)
 	}
 
@@ -341,22 +336,12 @@ func (s *Server) resolveInCluster(c context.Context, q *dns.Question) (result dn
 	// intercepted or the namespaces change.
 	for _, rr := range result {
 		if h := rr.Header(); h != nil {
-			if h.Name == query {
-				h.Name = origQuery
-			}
 			h.Ttl = dnsTTL
 		}
 	}
 	return result, rCode, nil
 }
 
-func (s *Server) resolveMappingAlias(query string) (string, bool) {
-	s.RLock()
-	a, ok := s.mappings[query]
-	s.RUnlock()
-	return a, ok
-}
-
 func (s *Server) GetConfig() *rpc.DNSConfig {
 	s.RLock()
 	c := rpc.DNSConfig{
@@ -404,15 +389,21 @@ func (s *Server) SetClusterDNS(dns *manager.DNS, remoteIP net.IP) {
 		s.remoteIP = remoteIP
 	}
 	if dns != nil {
+		if slices.Equal(s.excludeSuffixes, DefaultExcludeSuffixes) && len(dns.ExcludeSuffixes) > 0 {
+			s.excludeSuffixes = dns.ExcludeSuffixes
+		}
+		if len(s.includeSuffixes) == 0 {
+			s.includeSuffixes = dns.IncludeSuffixes
+		}
 		s.clusterDomain = dns.ClusterDomain
-		s.excludeSuffixes = slice.AppendUnique(s.excludeSuffixes, dns.ExcludeSuffixes...)
-		s.includeSuffixes = slice.AppendUnique(s.includeSuffixes, dns.IncludeSuffixes...)
 	}
 	s.Unlock()
 }
 
 // SetSearchPath updates the DNS search path used by the resolver.
 func (s *Server) SetSearchPath(ctx context.Context, paths, namespaces []string) {
+	allPaths := make([]string, 0, len(paths)+len(namespaces)+1)
+	allPaths = append(allPaths, tel2SubDomain)
 	if len(namespaces) > 0 {
 		// Provide direct access to intercepted namespaces
 		s.RLock()
@@ -420,12 +411,12 @@ func (s *Server) SetSearchPath(ctx context.Context, paths, namespaces []string)
 			paths = append(paths, ns+".svc."+s.clusterDomain)
 		}
 		s.RUnlock()
-		paths = append(paths, tel2SubDomain)
 	}
+	allPaths = append(allPaths, paths...)
 
 	select {
 	case <-ctx.Done():
-	case s.searchPathCh <- paths:
+	case s.searchPathCh <- allPaths:
 	}
 }
 
@@ -470,14 +461,10 @@ func mappingsMap(mappings []*rpc.DNSMapping) map[string]string {
 func (s *Server) SetMappings(mappings []*rpc.DNSMapping) {
 	mm := mappingsMap(mappings)
 	s.Lock()
-	oldMappings := s.mappings
 	s.mappings = mm
 	s.Unlock()
 
-	// Flush old and the mappings.
-	for n := range oldMappings {
-		s.purgeRecordsFromCache(n)
-	}
+	// Flush the mappings.
 	for n := range mm {
 		s.purgeRecordsFromCache(n)
 	}
@@ -582,17 +569,89 @@ type cacheKey struct {
 	qType uint16
 }
 
-// resolveWithRecursionCheck is a special version of resolveThruCache which is only used until the
-// recursionCheck query has completed, and it has been determined whether a query that is propagated
-// to the cluster will recurse back to this resolver or not.
+func (c *cacheKey) String() string {
+	return fmt.Sprintf("%s %s", dns.TypeToString[c.qType], c.name)
+}
+
+const (
+	// recursionCheck is a special host name in a well known namespace that isn't expected to exist. It
+	// is used once for determining if the cluster's DNS resolver will call the Telepresence DNS resolver
+	// recursively. This is common when the cluster is running on the local host (k3s in docker for instance).
+	//
+	// The check is performed using the following steps.
+	// 1. A lookup is made for "tel-recursion-check
+	// 2. When our DNS-resolver receives this lookup, it modifies the name to "tel2-recursion-check.kube-system."
+	//    and sends that on to the cluster.
+	// 3. If our DNS-resolver now encounters a query for the "tel2-recursion-check.kube-system.", then we know
+	//    that a recursion took place.
+	// 4. If no request for "tel2-recursion-check.kube-system." is received, then it's assumed that the resolver
+	//    is not recursive.
+	recursionCheck  = "tel2-recursion-check."
+	recursionCheck2 = "tel2-recursion-check.kube-system."
+)
+
 func (s *Server) resolveWithRecursionCheck(q *dns.Question) (dnsproxy.RRs, int, error) {
-	newDv := &cacheEntry{wait: make(chan struct{}), created: time.Now()}
-	key := cacheKey{name: q.Name, qType: q.Qtype}
-	if oldDv, loaded := s.cache.LoadOrStore(key, newDv); loaded {
-		if strings.HasPrefix(q.Name, recursionCheck) {
-			atomic.StoreInt32(&s.recursive, recursionDetected)
+	if strings.HasPrefix(q.Name, recursionCheck) {
+		if strings.HasPrefix(q.Name, recursionCheck2) {
+			if atomic.CompareAndSwapInt32(&s.recursive, recursionQueryReceived, recursionDetected) {
+				dlog.Debug(s.ctx, "DNS resolver is recursive")
+			}
+			return nil, dns.RcodeNameError, nil
+		}
+
+		if atomic.CompareAndSwapInt32(&s.recursive, recursionQueryNotYetReceived, recursionQueryReceived) {
+			tc, cancel := context.WithTimeout(s.ctx, recursionTestTimeout)
+			go func() {
+				defer cancel()
+				nq := *q // by value copy
+				nq.Name = recursionCheck2
+				_, _, _ = s.resolveInCluster(s.ctx, &nq) // We really don't care about the reply here.
+			}()
+			<-tc.Done()
+
+			// When we've gotten the reply from the cluster, we know if recursion did occur.
+			if atomic.CompareAndSwapInt32(&s.recursive, recursionQueryReceived, recursionNotDetected) {
+				dlog.Debug(s.ctx, "DNS resolver is not recursive")
+			}
+		}
+		return localHostReply(q), dns.RcodeSuccess, nil
+	}
+
+	answer, rCode, err := s.resolveThruCache(q)
+	if err != nil || rCode != dns.RcodeSuccess {
+		// For A and AAAA queries, we check if we have a successful counterpart in the cache. If we
+		// do, then this query must return NOERROR EMPTY
+		ck := cacheKey{name: q.Name, qType: dns.TypeNone}
+		switch q.Qtype {
+		case dns.TypeA:
+			ck.qType = dns.TypeAAAA
+		case dns.TypeAAAA:
+			ck.qType = dns.TypeA
+		}
+		if ck.qType != dns.TypeNone {
+			if ce, ok := s.cache.Load(ck); ok {
+				<-ce.wait
+				if !ce.expired() && ce.rCode == dns.RcodeSuccess && atomic.LoadInt32(&ce.currentQType) == int32(ck.qType) {
+					dlog.Debugf(s.ctx, "found counterpart for %s %s", dns.TypeToString[uint16(ce.currentQType)], ce.answer)
+					err = nil
+					rCode = dns.RcodeSuccess
+				}
+			}
 		}
-		if atomic.LoadInt32(&s.recursive) == recursionDetected {
+	}
+	return answer, rCode, err
+}
+
+// resolveThruCache resolves the given query by first performing a cache lookup. If a cached
+// entry is found that hasn't expired, it's returned. If not, this function will call
+// resolveQuery() to resolve and store in the case.
+func (s *Server) resolveThruCache(q *dns.Question) (answer dnsproxy.RRs, rCode int, err error) {
+	dv := &cacheEntry{wait: make(chan struct{}), created: time.Now()}
+	key := cacheKey{name: q.Name, qType: q.Qtype}
+	if oldDv, loaded := s.cache.LoadOrStore(key, dv); loaded {
+		if atomic.LoadInt32(&s.recursive) == recursionDetected && atomic.LoadInt32(&oldDv.currentQType) == int32(q.Qtype) {
+			// We have to assume that this is a recursion from the cluster.
+			dlog.Debugf(s.ctx, "returning error for query %q: assumed to be recursive", key.String())
 			return nil, dns.RcodeNameError, nil
 		}
 		<-oldDv.wait
@@ -609,48 +668,26 @@ func (s *Server) resolveWithRecursionCheck(q *dns.Question) (dnsproxy.RRs, int,
 			}
 			return copyRRs(oldDv.answer, qTypes), oldDv.rCode, nil
 		}
-		s.cache.Store(key, newDv)
+		s.cache.Store(key, dv)
 	}
 
-	answer, rCode, err := s.resolveQuery(q, newDv)
-	if strings.HasPrefix(q.Name, recursionCheck) {
-		if atomic.LoadInt32(&s.recursive) == recursionDetected {
-			dlog.Debug(s.ctx, "DNS resolver is recursive")
+	atomic.StoreInt32(&dv.currentQType, int32(q.Qtype))
+	defer func() {
+		if rCode != dns.RcodeSuccess {
+			s.cache.Delete(key) // Don't cache unless the lookup succeeded.
 		} else {
-			atomic.StoreInt32(&s.recursive, recursionNotDetected)
-			dlog.Debug(s.ctx, "DNS resolver is not recursive")
-		}
-	}
-	return answer, rCode, err
-}
+			dv.answer = answer
+			dv.rCode = rCode
 
-func (s *Server) resolveThruCacheWithUnqualifiedHostName(q *dns.Question) (dnsproxy.RRs, int, error) {
-	// Only DNS aliases result in queries belonging to the tel2-search subdomain, which isn't a real one, so we
-	// strip so we can process it later
-	// Example:
-	//	 my-alias.tel2-search.cluster.local -> my-alias.
-	//
-	// Other unqualified hostname generally refer to a specific subdomain associated with an intercept running in
-	// a namespace, so they won't be stripped.
-	// Example:
-	//	 my-svc.blue.cluster.local -> <empty>
-	uhm := s.tel2SubDomainHostname(q.Name)
-	originalName := q.Name
-	if uhm != "" {
-		q.Name = uhm
-	}
-
-	rrs, rCode, err := s.resolveWithRecursionCheck(q)
-
-	// Restore the original query name which was stripped before, or the response won't be formed correctly.
-	if uhm != "" {
-		q.Name = originalName
-		if len(rrs) > 0 {
-			rrs[0].Header().Name = originalName
+			// Return a result for the correct query type. The result will be nil (nxdomain) if nothing was found. It might
+			// also be empty if no RRs were found for the given query type and that is OK.
+			// See https://datatracker.ietf.org/doc/html/rfc4074#section-3
+			answer = copyRRs(answer, []uint16{q.Qtype})
 		}
-	}
-
-	return rrs, rCode, err
+		atomic.StoreInt32(&dv.currentQType, int32(dns.TypeNone))
+		dv.close()
+	}()
+	return s.resolve(s.ctx, q)
 }
 
 // dfs is a func that implements the fmt.Stringer interface. Used in log statements to ensure
@@ -663,130 +700,175 @@ func (d dfs) String() string {
 }
 
 func (s *Server) performRecursionCheck(c context.Context) {
-	defer close(s.ready)
-	defer dlog.Debug(c, "Recursion check finished")
-	var rc string
-	if runtime.GOOS != "darwin" {
-		rc = recursionCheck + tel2SubDomain
-	} else {
-		s.RLock()
-		rc = recursionCheck + s.clusterDomain
-		s.RUnlock()
+	s.Lock()
+	if _, ok := s.routes["kube-system"]; !ok {
+		s.routes["kube-system"] = struct{}{}
+		nl := len(s.routes)
+		defer func() {
+			s.Lock()
+			if nl == len(s.routes) {
+				delete(s.routes, "kube-system")
+			}
+			s.Unlock()
+		}()
 	}
+	s.Unlock()
+	defer func() {
+		dlog.Debug(c, "Recursion check finished")
+		close(s.ready)
+	}()
+	rc := recursionCheck + tel2SubDomain
 	dlog.Debugf(c, "Performing initial recursion check with %s", rc)
 	i := 0
-	atomic.StoreInt32(&s.recursive, recursionTestInProgress)
-	for ; i < maxRecursionTestRetries && atomic.LoadInt32(&s.recursive) == recursionTestInProgress; i++ {
-		// Recursion is typically very fast (all on the same host) so let's
-		// use short timeouts
-		if i > 0 {
-			dlog.Debug(c, "retrying recursion check")
-		}
-		tc, cancel := context.WithTimeout(c, recursionTestTimeout)
-		_, err := net.DefaultResolver.LookupIP(tc, "ip4", rc)
-		cancel()
-		if err != nil {
-			if derr, ok := err.(*net.DNSError); ok {
-				if atomic.LoadInt32(&s.recursive) != recursionTestInProgress {
-					if derr.IsTimeout || derr.IsNotFound {
-						return
-					}
-				}
-				if derr.IsTimeout {
-					dtime.SleepWithContext(c, 200*time.Millisecond)
-					continue
-				}
-			}
-			dlog.Errorf(c, "unexpected error during recursion check: %v", err)
-		}
-		if atomic.LoadInt32(&s.recursive) != recursionTestInProgress {
-			return
-		}
-		// Check didn't hit our resolver. Try again
-		dtime.SleepWithContext(c, 100*time.Millisecond)
+	atomic.StoreInt32(&s.recursive, recursionQueryNotYetReceived)
+	for ; c.Err() == nil && i < maxRecursionTestRetries && atomic.LoadInt32(&s.recursive) == recursionQueryNotYetReceived; i++ {
+		go func() {
+			_, _ = net.DefaultResolver.LookupIP(c, "ip4", rc)
+		}()
+		time.Sleep(500 * time.Millisecond)
 	}
 	if i == maxRecursionTestRetries {
+		msg := "DNS doesn't seem to work properly"
+		dlog.Error(c, msg)
 		s.Lock()
-		s.error = "DNS doesn't seem to work properly"
+		s.error = msg
 		s.Unlock()
+		return
+	}
+	// Await result
+	for c.Err() == nil {
+		rc := atomic.LoadInt32(&s.recursive)
+		if rc == recursionDetected || rc == recursionNotDetected {
+			break
+		}
+		dtime.SleepWithContext(c, 10*time.Millisecond)
+	}
+}
+
+func localHostReply(q *dns.Question) dnsproxy.RRs {
+	switch q.Qtype {
+	case dns.TypeA:
+		return dnsproxy.RRs{&dns.A{
+			Hdr: dns.RR_Header{
+				Name:   q.Name,
+				Rrtype: q.Qtype,
+				Class:  q.Qclass,
+			},
+			A: localhostIPv4,
+		}}
+	case dns.TypeAAAA:
+		return dnsproxy.RRs{&dns.AAAA{
+			Hdr: dns.RR_Header{
+				Name:   q.Name,
+				Rrtype: q.Qtype,
+				Class:  q.Qclass,
+			},
+			AAAA: localhostIPv6,
+		}}
+	default:
+		return nil
 	}
 }
 
 // ServeDNS is an implementation of github.com/miekg/dns Handler.ServeDNS.
 func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	c := s.ctx
+	atomic.AddInt64(&s.requestCount, 1)
+
+	q := &r.Question[0]
+	qts := dns.TypeToString[q.Qtype]
+	dlog.Debugf(c, "ServeDNS %5d %-6s %s", r.Id, qts, q.Name)
+
+	msg := new(dns.Msg)
+	var pfx dfs = func() string { return "" }
+	var txt dfs = func() string { return "" }
+	var rct dfs = func() string { return dns.RcodeToString[msg.Rcode] }
+
 	defer func() {
+		dlog.Debugf(c, "%s%5d %-6s %s -> %s %s", pfx, r.Id, qts, q.Name, rct, txt)
+		_ = w.WriteMsg(msg)
+
 		// Closing the response tells the DNS service to terminate
 		if c.Err() != nil {
 			_ = w.Close()
 		}
 	}()
 
-	q := &r.Question[0]
-	atomic.AddInt64(&s.requestCount, 1)
+	// The sanity-check query is sent during the configuration phase of the DNS server and then
+	// never again. It must reply with localhost.
+	//
+	// NOTE! The sanity-check will always use the tel2-search subdomain, so the check made here
+	//       must be made before the tel2-search is removed.
 	if q.Name == santiyCheckDot {
-		msg := new(dns.Msg)
-		msg.SetRcode(r, dns.RcodeSuccess)
-		var rr dns.RR
-		switch q.Qtype {
-		case dns.TypeA:
-			rr = &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   q.Name,
-					Rrtype: q.Qtype,
-					Class:  q.Qclass,
-				},
-				A: localhostIPv4,
-			}
-		case dns.TypeAAAA:
-			rr = &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   q.Name,
-					Rrtype: q.Qtype,
-					Class:  q.Qclass,
-				},
-				AAAA: localhostIPv6,
-			}
-		default:
-			msg = new(dns.Msg)
+		answer := localHostReply(q)
+		if answer == nil {
 			msg.SetRcode(r, dns.RcodeNotImplemented)
 			return
 		}
-		msg.Answer = dnsproxy.RRs{rr}
+		msg.SetReply(r)
+		msg.Answer = answer
 		msg.Authoritative = true
+		txt = func() string { return answer.String() }
 		dlog.Debug(c, "sanity-check OK")
-		_ = w.WriteMsg(msg)
 		return
 	}
 
-	qts := dns.TypeToString[q.Qtype]
-	dlog.Debugf(c, "ServeDNS %5d %-6s %s", r.Id, qts, q.Name)
-
-	var err error
-	var rCode int
-	var answer dnsproxy.RRs
-
-	var pfx dfs = func() string { return "" }
-	var txt dfs = func() string { return "" }
-	var rct dfs = func() string { return dns.RcodeToString[rCode] }
-
-	var msg *dns.Msg
+	if !dnsproxy.SupportedType(q.Qtype) {
+		msg.SetRcode(r, dns.RcodeNotImplemented)
+		return
+	}
 
+	// We make changes to the query name, so we better restore it prior to writing an
+	// answer back, or the caller will get confused.
+	origName := q.Name
+	q.Name = strings.ToLower(origName)
 	defer func() {
-		dlog.Debugf(c, "%s%5d %-6s %s -> %s %s", pfx, r.Id, qts, q.Name, rct, txt)
-		_ = w.WriteMsg(msg)
+		qs := msg.Question
+		if len(qs) > 0 {
+			mq := &qs[0] // Important to use a pointer here. We don't want to change a by-value copied struct.
+			if mq.Name == q.Name {
+				mq.Name = origName
+			}
+		}
+		for _, rr := range msg.Answer {
+			h := rr.Header()
+			if h.Name == q.Name {
+				h.Name = origName
+			}
+		}
+		q.Name = origName
 	}()
 
-	if !dnsproxy.SupportedType(q.Qtype) {
-		msg = new(dns.Msg)
-		msg.SetRcode(r, dns.RcodeNotImplemented)
-		return
+	// The tel2SubDomain serves one purpose and one purpose alone. It's there to coerce the
+	// system DNS resolver to direct requests to this resolver. The system configuration to
+	// make this happen vary depending on OS, but the purpose is always the same. Given that,
+	// the first step in the resolution is to remove this domain-suffix if it exists.
+	if strings.Contains(q.Name, tel2SubDomainDot) {
+		strippedName := strings.TrimSuffix(q.Name, tel2SubDomainDot)
+		if strippedName == q.Name {
+			// This is a bogus name because it has some domain after
+			// the tel2-search domain. Should normally never happen, but
+			// will happen if someone queries for the tel2-search domain
+			// as a single label name.
+			msg.SetRcode(r, dns.RcodeNameError)
+			return
+		}
+		q.Name = strippedName
+	}
+
+	// try and resolve any mappings before consulting the cache, so that mapping hits don't
+	// end up in the cache.
+	answer, rCode, err := s.resolveMapping(q)
+	if err == errNoMapping {
+		answer, rCode, err = s.resolveWithRecursionCheck(q)
 	}
-	answer, rCode, err = s.resolveThruCacheWithUnqualifiedHostName(q)
 
 	if err == nil && rCode == dns.RcodeSuccess {
-		msg = new(dns.Msg)
-		msg.SetRcode(r, rCode)
+		if rCode != dns.RcodeSuccess {
+			msg.SetRcode(r, rCode)
+		} else {
+			msg.SetReply(r)
+		}
 		msg.Answer = answer
 		msg.Authoritative = true
 		// mac dns seems to fallback if you don't
@@ -803,7 +885,7 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	s.RLock()
 	cd := s.clusterDomain
 	s.RUnlock()
-	if s.fallbackPool == nil || strings.HasPrefix(q.Name, recursionCheck) || strings.HasSuffix(q.Name, cd) {
+	if s.fallbackPool == nil || strings.HasPrefix(q.Name, recursionCheck2) || strings.HasSuffix(q.Name, cd) {
 		if err == nil {
 			rCode = dns.RcodeNameError
 		} else {
@@ -814,125 +896,87 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 				txt = err.Error
 			}
 		}
-		msg = new(dns.Msg)
 		msg.SetRcode(r, rCode)
 		return
 	}
 
 	pfx = func() string { return fmt.Sprintf("(%s) ", s.fallbackPool.RemoteAddr()) }
 	dc := &dns.Client{Net: "udp", Timeout: s.lookupTimeout}
-	msg, _, err = s.fallbackPool.Exchange(c, dc, r)
+	var poolMsg *dns.Msg
+	poolMsg, _, err = s.fallbackPool.Exchange(c, dc, r)
 	if err != nil {
-		msg = new(dns.Msg)
 		rCode = dns.RcodeServerFailure
 		txt = err.Error
-		if err, ok := err.(net.Error); ok {
+		if netErr, ok := err.(net.Error); ok {
 			switch {
-			case err.Timeout():
+			case netErr.Timeout():
 				txt = func() string { return "timeout" }
-			case err.Temporary(): //nolint:staticcheck // err.Temporary is deprecated
+			case netErr.Temporary(): //nolint:staticcheck // err.Temporary is deprecated
 				rCode = dns.RcodeRefused
 			default:
 			}
 		}
 		msg.SetRcode(r, rCode)
 	} else {
-		rCode = msg.Rcode
+		msg = poolMsg
 		txt = func() string { return dnsproxy.RRs(msg.Answer).String() }
-		// When the fallback fails an AAAA, we must look for a successful A, and vice versa. If a hit of
-		// the other type is found, then the returned value must be EMPTY here instead of an NXNAME
-		if rCode == dns.RcodeNameError {
-			var counterType uint16
-			switch q.Qtype {
-			case dns.TypeA:
-				counterType = dns.TypeAAAA
-			case dns.TypeAAAA:
-				counterType = dns.TypeA
-			default:
-				return
-			}
-			if _, ok := s.cache.Load(cacheKey{name: q.Name, qType: counterType}); ok {
-				rCode = dns.RcodeSuccess
-				msg.Rcode = rCode
-				msg.Answer = []dns.RR{}
-				txt = func() string { return "EMPTY" }
-			}
-		}
 	}
 }
 
-// dnsTTL is the number of seconds that a found DNS record should be allowed to live in the callers cache. We
-// keep this low to avoid such caching.
-const dnsTTL = 4
-
-func (s *Server) resolveQuery(q *dns.Question, dv *cacheEntry) (answer dnsproxy.RRs, rCode int, err error) {
-	atomic.StoreInt32(&dv.currentQType, int32(q.Qtype))
-	defer func() {
-		if rCode != dns.RcodeSuccess {
-			s.cache.Delete(cacheKey{name: q.Name, qType: q.Qtype}) // Don't cache unless the lookup succeeded.
-		}
-		atomic.StoreInt32(&dv.currentQType, int32(dns.TypeNone))
-		dv.close()
-	}()
+var errNoMapping = errors.New("no mapping") //nolint:gochecknoglobals // constant
 
+func (s *Server) resolveMapping(q *dns.Question) (dnsproxy.RRs, int, error) {
 	switch q.Qtype {
 	case dns.TypeA, dns.TypeAAAA, dns.TypeCNAME:
-		if mappingAlias, ok := s.resolveMappingAlias(q.Name); ok {
-			if ip := iputil.Parse(mappingAlias); ip != nil {
-				// The name resolves to an A or AAAA record known by this DNS server.
-				var rr dns.RR
-				if len(ip) == 4 {
-					rr = &dns.A{
-						Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: dnsTTL},
-						A:   ip,
-					}
-				} else {
-					rr = &dns.AAAA{
-						Hdr:  dns.RR_Header{Name: q.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: dnsTTL},
-						AAAA: ip,
-					}
-				}
-				dv.answer = dnsproxy.RRs{rr}
-				dv.rCode = dns.RcodeSuccess
-				return copyRRs(dv.answer, []uint16{q.Qtype}), dv.rCode, nil
-			}
+	default:
+		return nil, dns.RcodeNameError, errNoMapping
+	}
 
-			cnameRRs := dnsproxy.RRs{&dns.CNAME{
-				Hdr:    dns.RR_Header{Name: q.Name, Rrtype: dns.TypeCNAME, Class: dns.ClassINET, Ttl: dnsTTL},
-				Target: mappingAlias,
-			}}
+	s.RLock()
+	mappingAlias, ok := s.mappings[q.Name]
+	s.RUnlock()
 
-			if q.Qtype == dns.TypeCNAME {
-				// A query for the CNAME must only return the CNAME.
-				answer = cnameRRs
-				rCode = dns.RcodeSuccess
-			} else {
-				// A query for an A or AAAA must resolve the CNAME and then return both the result and the
-				// CNAME that resolved to it.
-				answer, rCode, err = s.resolve(s.ctx, &dns.Question{
-					Name:   mappingAlias,
-					Qtype:  q.Qtype,
-					Qclass: q.Qclass,
-				})
-				if err != nil || dv.rCode != dns.RcodeSuccess {
-					return cnameRRs, dv.rCode, err
-				}
-				answer = copyRRs(answer, []uint16{q.Qtype})
-				answer = append(cnameRRs, answer...)
-			}
-			return answer, rCode, nil
+	if !ok {
+		return nil, dns.RcodeNameError, errNoMapping
+	}
+	if ip := iputil.Parse(mappingAlias); ip != nil {
+		// The name resolves to an A or AAAA record known by this DNS server.
+		var rrs dnsproxy.RRs
+		if q.Qtype == dns.TypeA && len(ip) == 4 {
+			rrs = dnsproxy.RRs{&dns.A{
+				Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: dnsTTL},
+				A:   ip,
+			}}
+		} else if q.Qtype == dns.TypeAAAA && len(ip) == 16 {
+			rrs = dnsproxy.RRs{&dns.AAAA{
+				Hdr:  dns.RR_Header{Name: q.Name, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: dnsTTL},
+				AAAA: ip,
+			}}
 		}
+		return rrs, dns.RcodeSuccess, nil
 	}
 
-	dv.answer, dv.rCode, err = s.resolve(s.ctx, q)
-	if err != nil || dv.rCode != dns.RcodeSuccess {
-		return nil, dv.rCode, err
+	cnameRRs := dnsproxy.RRs{&dns.CNAME{
+		Hdr:    dns.RR_Header{Name: q.Name, Rrtype: dns.TypeCNAME, Class: dns.ClassINET, Ttl: dnsTTL},
+		Target: mappingAlias,
+	}}
+
+	if q.Qtype == dns.TypeCNAME {
+		// A query for the CNAME must only return the CNAME.
+		return cnameRRs, dns.RcodeSuccess, nil
 	}
 
-	// Return a result for the correct query type. The result will be nil (nxdomain) if nothing was found. It might
-	// also be empty if no RRs were found for the given query type and that is OK.
-	// See https://datatracker.ietf.org/doc/html/rfc4074#section-3
-	return copyRRs(dv.answer, []uint16{q.Qtype}), dv.rCode, err
+	// A query for an A or AAAA must resolve the CNAME and then return both the result and the
+	// CNAME that resolved to it.
+	answer, rCode, err := s.resolveWithRecursionCheck(&dns.Question{
+		Name:   mappingAlias,
+		Qtype:  q.Qtype,
+		Qclass: q.Qclass,
+	})
+	if err == nil {
+		answer = append(cnameRRs, answer...)
+	}
+	return answer, rCode, err
 }
 
 // Run starts the DNS server(s) and waits for them to end.
diff --git a/pkg/client/rootd/dns/server_test.go b/pkg/client/rootd/dns/server_test.go
index a5121c1cb7..507409e065 100644
--- a/pkg/client/rootd/dns/server_test.go
+++ b/pkg/client/rootd/dns/server_test.go
@@ -27,29 +27,60 @@ func (s *suiteServer) SetupSuite() {
 func (s *suiteServer) TestSetMappings() {
 	// given
 	entry := &cacheEntry{wait: make(chan struct{}), created: time.Now()}
-	toDeleteARecordKey := cacheKey{name: "echo-easy-alias.", qType: dns.TypeA}
-	toDelete4ARecordKey := cacheKey{name: "echo-easy-alias.", qType: dns.TypeAAAA}
-	toKeepARecordKey := cacheKey{name: "echo-easy.blue.svc.cluster.local.", qType: dns.TypeA}
+	aliasKeyA := cacheKey{name: "echo-easy-alias.", qType: dns.TypeA}
+	aliasKeyAAAA := cacheKey{name: "echo-easy-alias.", qType: dns.TypeAAAA}
+	aliasedToKeyA := cacheKey{name: "echo-easy.blue.svc.cluster.local.", qType: dns.TypeA}
+	aliasedToKeyAAAA := cacheKey{name: "echo-easy.blue.svc.cluster.local.", qType: dns.TypeA}
 
-	s.server.cache.Store(toDeleteARecordKey, entry)
-	s.server.cache.Store(toDelete4ARecordKey, entry)
-	s.server.cache.Store(toKeepARecordKey, entry)
+	s.server.cache.Store(aliasKeyA, entry)
+	s.server.cache.Store(aliasKeyAAAA, entry)
+	s.server.cache.Store(aliasedToKeyA, entry)
+	s.server.cache.Store(aliasedToKeyAAAA, entry)
+
+	s.server.mappings = map[string]string{}
 
-	s.server.mappings = map[string]string{
+	// when
+	s.server.SetMappings([]*rpc.DNSMapping{
+		{
+			Name:     "echo-easy-alias",
+			AliasFor: "echo-easy.blue.svc.cluster.local",
+		},
+	})
+
+	// then
+	_, exists := s.server.cache.Load(aliasKeyA)
+	s.False(exists, "Mapping's A record wasn't purged")
+	_, exists = s.server.cache.Load(aliasKeyAAAA)
+	s.False(exists, "Mapping's AAAA record wasn't purged")
+	_, exists = s.server.cache.Load(aliasedToKeyA)
+	s.True(exists, "Service's A record was purged")
+	_, exists = s.server.cache.Load(aliasedToKeyAAAA)
+	s.True(exists, "Service's AAAA record was purged")
+
+	s.Equal(s.server.mappings, map[string]string{
 		"echo-easy-alias.": "echo-easy.blue.svc.cluster.local.",
-	}
+	})
+
+	// given
+	s.server.cache.Store(aliasKeyA, entry)
+	s.server.cache.Store(aliasKeyAAAA, entry)
 
 	// when
 	s.server.SetMappings([]*rpc.DNSMapping{})
 
 	// then
-	_, exists := s.server.cache.Load(toDeleteARecordKey)
-	s.False(exists, "Mapping's A record was purged")
-	_, exists = s.server.cache.Load(toDelete4ARecordKey)
-	s.False(exists, "Mapping's AAAA record was purged")
-	_, exists = s.server.cache.Load(toKeepARecordKey)
-	s.Truef(exists, "Service's A record wasn't purged")
+	// mappings are empty
 	s.Empty(s.server.mappings)
+
+	// nothing is purged when clearing the mappings because mappings never make it to the cache
+	_, exists = s.server.cache.Load(aliasKeyA)
+	s.True(exists, "Mapping's A record was purged")
+	_, exists = s.server.cache.Load(aliasKeyAAAA)
+	s.True(exists, "Mapping's AAAA record was purged")
+	_, exists = s.server.cache.Load(aliasedToKeyA)
+	s.True(exists, "Service's A record was purged")
+	_, exists = s.server.cache.Load(aliasedToKeyAAAA)
+	s.True(exists, "Service's AAAA record was purged")
 }
 
 func (s *suiteServer) TestSetExcludes() {
@@ -85,15 +116,15 @@ func (s *suiteServer) TestIsExcluded() {
 		"echo-easy",
 	}
 	s.server.search = []string{
-		tel2SubDomainDot + "cluster.local.",
-		"blue.svc.cluster.local.",
+		tel2SubDomainDot + "cluster.local",
+		"blue.svc.cluster.local",
 	}
 
 	// when & then
-	assert.True(s.T(), s.server.isExcluded("echo-easy."))
-	assert.True(s.T(), s.server.isExcluded("echo-easy.tel2-search.cluster.local."))
-	assert.True(s.T(), s.server.isExcluded("echo-easy.blue.svc.cluster.local."))
-	assert.False(s.T(), s.server.isExcluded("something-else."))
+	assert.True(s.T(), s.server.isExcluded("echo-easy"))
+	assert.True(s.T(), s.server.isExcluded("echo-easy.tel2-search.cluster.local"))
+	assert.True(s.T(), s.server.isExcluded("echo-easy.blue.svc.cluster.local"))
+	assert.False(s.T(), s.server.isExcluded("something-else"))
 }
 
 func TestServerTestSuite(t *testing.T) {

From 0e22e24a992d70e92e589a07aab3840317a59a0c Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:17:29 +0100
Subject: [PATCH 12/20] Add integration tests for the DNS suffix logic.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 integration_test/kubeconfig_extension_test.go | 200 +++++++++++++++---
 1 file changed, 167 insertions(+), 33 deletions(-)

diff --git a/integration_test/kubeconfig_extension_test.go b/integration_test/kubeconfig_extension_test.go
index 2915f76a6a..987e8b5e6f 100644
--- a/integration_test/kubeconfig_extension_test.go
+++ b/integration_test/kubeconfig_extension_test.go
@@ -3,7 +3,9 @@ package integration_test
 import (
 	"bufio"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/url"
 	"os"
@@ -18,6 +20,8 @@ import (
 	"github.com/datawire/dlib/dlog"
 	"github.com/datawire/dlib/dtime"
 	"github.com/telepresenceio/telepresence/v2/integration_test/itest"
+	"github.com/telepresenceio/telepresence/v2/pkg/client"
+	"github.com/telepresenceio/telepresence/v2/pkg/client/rootd/dns"
 	"github.com/telepresenceio/telepresence/v2/pkg/filelocation"
 	"github.com/telepresenceio/telepresence/v2/pkg/iputil"
 	"github.com/telepresenceio/telepresence/v2/pkg/routing"
@@ -210,45 +214,175 @@ func (s *notConnectedSuite) Test_ConflictingProxies() {
 	}
 }
 
-func (s *notConnectedSuite) Test_DNSIncludes() {
-	ctx := s.Context()
+func (s *notConnectedSuite) Test_DNSSuffixRules() {
+	const randomName = "zwslkjsdf"
+	const randomDomain = ".xnrqj"
+	tests := []struct {
+		name             string
+		domainName       string
+		includeSuffixes  []string
+		excludeSuffixes  []string
+		wantedLogEntry   []string
+		mustHaveWanted   bool
+		unwantedLogEntry []string
+	}{
+		{
+			"default-exclude-com",
+			randomName + ".com",
+			nil,
+			nil,
+			[]string{
+				`Cluster DNS excluded by exclude-suffix ".com" for name "` + randomName + `.com"`,
+			},
+			false,
+			[]string{
+				`Lookup A "` + randomName + `.com`,
+			},
+		},
+		{
+			"default-exclude-random-domain",
+			randomName + randomDomain,
+			nil,
+			nil,
+			[]string{
+				`Cluster DNS excluded for name "` + randomName + randomDomain + `". No inclusion rule was matched`,
+			},
+			false,
+			[]string{
+				`Lookup A "` + randomName + randomDomain,
+			},
+		},
+		{
+			"include-random-domain",
+			randomName + randomDomain,
+			[]string{randomDomain},
+			dns.DefaultExcludeSuffixes,
+			[]string{
+				`Cluster DNS included by include-suffix "` + randomDomain + `" for name "` + randomName + randomDomain,
+				`Lookup A "` + randomName + randomDomain,
+			},
+			true,
+			nil,
+		},
+		{
+			"equally specific include overrides exclude",
+			randomName + ".org",
+			[]string{".org"},
+			dns.DefaultExcludeSuffixes,
+			[]string{
+				`Cluster DNS included by include-suffix ".org" (overriding exclude-suffix ".org") for name "` + randomName + `.org"`,
+				`Lookup A "` + randomName + `.org."`,
+			},
+			true,
+			nil,
+		},
+		{
+			"more specific include overrides exclude",
+			randomName + ".my-domain.org",
+			[]string{".my-domain.org"},
+			dns.DefaultExcludeSuffixes,
+			[]string{
+				`Cluster DNS included by include-suffix ".my-domain.org" (overriding exclude-suffix ".org") for name "` + randomName + `.my-domain.org"`,
+				`Lookup A "` + randomName + `.my-domain.org."`,
+			},
+			true,
+			nil,
+		},
+		{
+			"more specific exclude overrides include",
+			randomName + ".my-domain.org",
+			[]string{".org"},
+			[]string{".com", ".my-domain.org"},
+			[]string{
+				`Cluster DNS excluded by exclude-suffix ".my-domain.org" for name "` + randomName + `.my-domain.org"`,
+			},
+			true,
+			[]string{
+				`Lookup A "` + randomName + `.my-domain.org."`,
+			},
+		},
+	}
+	logFile := filepath.Join(filelocation.AppUserLogDir(s.Context()), "daemon.log")
 
-	ctx = itest.WithKubeConfigExtension(ctx, func(cluster *api.Cluster) map[string]any {
-		return map[string]any{"dns": map[string][]string{"include-suffixes": {".org"}}}
-	})
-	require := s.Require()
-	logFile := filepath.Join(filelocation.AppUserLogDir(ctx), "daemon.log")
+	for _, tt := range tests {
+		tt := tt
+		s.Run(tt.name, func() {
+			ctx := itest.WithKubeConfigExtension(s.Context(), func(cluster *api.Cluster) map[string]any {
+				return map[string]any{
+					"dns": map[string][]string{
+						"exclude-suffixes": tt.excludeSuffixes,
+						"include-suffixes": tt.includeSuffixes,
+					},
+				}
+			})
+			require := s.Require()
 
-	s.TelepresenceConnect(ctx, "--context", "extra")
-	defer itest.TelepresenceDisconnectOk(ctx)
+			s.TelepresenceConnect(ctx, "--context", "extra")
+			defer itest.TelepresenceDisconnectOk(ctx)
 
-	// Check that config view -c includes the includeSuffixes
-	stdout := itest.TelepresenceOk(ctx, "config", "view", "--client-only")
-	require.Contains(stdout, "    includeSuffixes:\n        - .org")
+			// Check that config view -c includes the includeSuffixes
+			var cfg client.SessionConfig
+			stdout := itest.TelepresenceOk(ctx, "config", "view", "--client-only", "--output", "json")
+			require.NoError(json.Unmarshal([]byte(stdout), &cfg))
+			require.Equal(cfg.DNS.ExcludeSuffixes, tt.excludeSuffixes)
+			require.Equal(cfg.DNS.IncludeSuffixes, tt.includeSuffixes)
 
-	retryCount := 0
-	s.Eventually(func() bool {
-		// Test with ".org" suffix that was added as an include-suffix
-		host := fmt.Sprintf("zwslkjsdf-%d.org", retryCount)
-		short, cancel := context.WithTimeout(ctx, 20*time.Millisecond)
-		defer cancel()
-		_, _ = net.DefaultResolver.LookupIPAddr(short, host)
+			rootLog, err := os.Open(logFile)
+			require.NoError(err)
+			defer rootLog.Close()
 
-		// Give query time to reach telepresence and produce a log entry
-		dtime.SleepWithContext(ctx, 100*time.Millisecond)
+			// Figure out where the current end of the logfile is. This must be done before any
+			// of the tests run because the queries that the DNS resolver receives are dependent
+			// on how the system's DNS resolver handle search paths and caching.
+			st, err := rootLog.Stat()
+			s.Require().NoError(err)
+			pos := st.Size()
 
-		rootLog, err := os.Open(logFile)
-		require.NoError(err)
-		defer rootLog.Close()
+			short, cancel := context.WithTimeout(ctx, 20*time.Millisecond)
+			defer cancel()
+			_, _ = net.DefaultResolver.LookupIPAddr(short, tt.domainName)
 
-		scanFor := fmt.Sprintf(`Lookup A "%s."`, host)
-		scn := bufio.NewScanner(rootLog)
-		for scn.Scan() {
-			if strings.Contains(scn.Text(), scanFor) {
-				return true
+			// Give query time to reach telepresence and produce a log entry
+			dtime.SleepWithContext(ctx, 100*time.Millisecond)
+
+			for _, wl := range tt.wantedLogEntry {
+				_, err = rootLog.Seek(pos, io.SeekStart)
+				require.NoError(err)
+				scn := bufio.NewScanner(rootLog)
+				found := false
+
+				// mustHaveWanted caters for cases where the default behavior from the system's resolver
+				// is to not send unwanted queries to our resolver at all (based on search and routes).
+				// It is forced to true for inclusion tests.
+				mustHaveWanted := tt.mustHaveWanted
+				for scn.Scan() {
+					txt := scn.Text()
+					if strings.Contains(txt, wl) {
+						found = true
+						break
+					}
+					if !mustHaveWanted {
+						if strings.Contains(txt, " ServeDNS ") && strings.Contains(txt, tt.domainName) {
+							mustHaveWanted = true
+						}
+					}
+				}
+				s.Truef(found || !mustHaveWanted, "Unable to find %q", wl)
 			}
-		}
-		retryCount++
-		return false
-	}, 30*time.Second, time.Second, "daemon.log does not contain expected LookupHost entry")
+
+			for _, wl := range tt.unwantedLogEntry {
+				_, err = rootLog.Seek(pos, io.SeekStart)
+				require.NoError(err)
+				scn := bufio.NewScanner(rootLog)
+				found := false
+				for scn.Scan() {
+					if strings.Contains(scn.Text(), wl) {
+						found = true
+						break
+					}
+				}
+				s.Falsef(found, "Found unwanted %q", wl)
+			}
+		})
+	}
 }

From 038942a9cd4aeebfcef4a194caeaad345591c3dd Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Tue, 16 Jan 2024 23:01:49 +0100
Subject: [PATCH 13/20] Removing intercept from exclude test. It's not supposed
 to work.

An attempt to intercept an excluded service is not supposed to work. The
intercept will fail to retrieve the DNS for the service.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 integration_test/uhn_dns_test.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/integration_test/uhn_dns_test.go b/integration_test/uhn_dns_test.go
index da8f4bf38c..149ae06b22 100644
--- a/integration_test/uhn_dns_test.go
+++ b/integration_test/uhn_dns_test.go
@@ -3,7 +3,6 @@ package integration_test
 import (
 	"fmt"
 	"net"
-	"strconv"
 	"time"
 
 	"github.com/stretchr/testify/assert"
@@ -56,7 +55,6 @@ func (s *unqualifiedHostNameDNSSuite) Test_UHNExcludes() {
 
 	// when
 	s.TelepresenceConnect(ctx, "--context", "extra")
-	itest.TelepresenceOk(ctx, "intercept", serviceName, "--port", strconv.Itoa(port))
 
 	// then
 	for _, excluded := range excludes {

From c9d6f9bff32e6e6847e21317205b33cc9f942f15 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 06:52:09 +0100
Subject: [PATCH 14/20] Restore DNS dropSuffixes and use that for the
 tel2-search too.

The `dropSuffixes` is a list of suffixes to drop before processing the
query. Historically, this was used by the overriding resolver to drop
suffixes added from `/etc/resolv.conf`, because those suffixes are
intended for the fallback only. This list can also contain the
"tel2-search" domain because it should be treated the same way.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/resolved_linux.go |  9 +----
 pkg/client/rootd/dns/server.go         | 49 ++++++++++++++++++--------
 pkg/client/rootd/dns/server_linux.go   | 12 +++++--
 3 files changed, 46 insertions(+), 24 deletions(-)

diff --git a/pkg/client/rootd/dns/resolved_linux.go b/pkg/client/rootd/dns/resolved_linux.go
index 971cb8caed..248498beee 100644
--- a/pkg/client/rootd/dns/resolved_linux.go
+++ b/pkg/client/rootd/dns/resolved_linux.go
@@ -61,13 +61,6 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 			}
 			// No need to close listeners here. They are closed by the dnsServer
 		}()
-		// Some installation have default DNS configured with ~. routing path.
-		// If two interfaces with DefaultRoute: yes present, the one with the
-		// routing key used and SanityCheck fails. Hence, tel2SubDomain
-		// must be used as a route.
-		s.Lock()
-		s.routes = map[string]struct{}{tel2SubDomain: {}}
-		s.Unlock()
 		if err = s.updateLinkDomains(c, dev); err != nil {
 			dlog.Error(c, err)
 			initDone <- struct{}{}
@@ -111,7 +104,7 @@ func (s *Server) tryResolveD(c context.Context, dev vif.Device, configureDNS fun
 
 func (s *Server) updateLinkDomains(c context.Context, dev vif.Device) error {
 	s.Lock()
-	paths := make([]string, len(s.routes)+len(s.search)+len(s.includeSuffixes)+1)
+	paths := make([]string, len(s.search)+len(s.routes)+len(s.includeSuffixes)+1)
 
 	// Namespaces are copied verbatim. Entries that aren't prefixed with "~" are considered search path entries.
 	copy(paths, s.search)
diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index e5b85627de..966a94b4ef 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -77,8 +77,12 @@ type Server struct {
 	resolve      Resolver
 	requestCount int64
 	cache        *xsync.MapOf[cacheKey, *cacheEntry]
-	recursive    int32    // one of the recursionXXX constants declared above (unique type avoided because it just gets messy with the atomic calls)
-	dropSuffixes []string //nolint:unused // only used on linux
+	recursive    int32 // one of the recursionXXX constants declared above (unique type avoided because it just gets messy with the atomic calls)
+
+	// Suffixes to immediately drop from the query before processing. This list will always contain the tel2Search domain.
+	// The overriding resolver will also add the search path found in /etc/resolv.conf, because that search path is not
+	// intended for this resolver and will get reapplied when passing things on to the fallback resolver.
+	dropSuffixes []string
 
 	// routes are typically namespaces, accessible using <service-name>.<namespace-name>.
 	routes map[string]struct{}
@@ -163,7 +167,8 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 		mappings:        mappingsMap(config.Mappings),
 		localIP:         config.LocalIp,
 		remoteIP:        config.RemoteIp,
-		search:          []string{""},
+		dropSuffixes:    []string{tel2SubDomainDot},
+		search:          []string{tel2SubDomain},
 		searchPathCh:    make(chan []string, 5),
 		clusterDomain:   defaultClusterDomain,
 		clusterLookup:   clusterLookup,
@@ -843,17 +848,28 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	// system DNS resolver to direct requests to this resolver. The system configuration to
 	// make this happen vary depending on OS, but the purpose is always the same. Given that,
 	// the first step in the resolution is to remove this domain-suffix if it exists.
-	if strings.Contains(q.Name, tel2SubDomainDot) {
-		strippedName := strings.TrimSuffix(q.Name, tel2SubDomainDot)
-		if strippedName == q.Name {
-			// This is a bogus name because it has some domain after
-			// the tel2-search domain. Should normally never happen, but
-			// will happen if someone queries for the tel2-search domain
-			// as a single label name.
-			msg.SetRcode(r, dns.RcodeNameError)
-			return
+	ln := len(q.Name)
+	for _, dropSuffix := range s.dropSuffixes {
+		if strings.HasSuffix(q.Name, dropSuffix) {
+			// Remove the suffix and ensure that the name still ends
+			// with a dot after the removal. If it doesn't, then this
+			// was not really a domain suffix but rather a partial
+			// domain name.
+			n := q.Name[:ln-len(dropSuffix)]
+			if last := len(n) - 1; last > 0 && n[last] == '.' {
+				q.Name = n
+				break
+			}
 		}
-		q.Name = strippedName
+	}
+
+	if strings.Contains(q.Name, tel2SubDomainDot) {
+		// This is a bogus name because it has some domain after
+		// the tel2-search domain. Should normally never happen, but
+		// will happen if someone queries for the tel2-search domain
+		// as a single label name.
+		msg.SetRcode(r, dns.RcodeNameError)
+		return
 	}
 
 	// try and resolve any mappings before consulting the cache, so that mapping hits don't
@@ -885,7 +901,10 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	s.RLock()
 	cd := s.clusterDomain
 	s.RUnlock()
-	if s.fallbackPool == nil || strings.HasPrefix(q.Name, recursionCheck2) || strings.HasSuffix(q.Name, cd) {
+	if s.fallbackPool == nil ||
+		strings.HasPrefix(q.Name, recursionCheck2) ||
+		strings.HasSuffix(q.Name, cd) ||
+		strings.HasSuffix(origName, tel2SubDomainDot) {
 		if err == nil {
 			rCode = dns.RcodeNameError
 		} else {
@@ -900,6 +919,8 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
+	// Use original query name when sending things to the fallback resolver.
+	q.Name = origName
 	pfx = func() string { return fmt.Sprintf("(%s) ", s.fallbackPool.RemoteAddr()) }
 	dc := &dns.Client{Net: "udp", Timeout: s.lookupTimeout}
 	var poolMsg *dns.Msg
diff --git a/pkg/client/rootd/dns/server_linux.go b/pkg/client/rootd/dns/server_linux.go
index f5f0d95366..e0cf2057ad 100644
--- a/pkg/client/rootd/dns/server_linux.go
+++ b/pkg/client/rootd/dns/server_linux.go
@@ -61,10 +61,18 @@ func (s *Server) runOverridingServer(c context.Context, dev vif.Device) error {
 			dlog.Infof(c, "Automatically set -dns=%s", ip)
 		}
 
-		// The search entries in /etc/resolv.conf is not intended for this resolver so
+		// The search entries in /etc/resolv.conf are not intended for this resolver so
 		// ensure that we strip them off when we send queries to the cluster.
 		for _, sp := range rf.search {
-			s.dropSuffixes = append(s.dropSuffixes, sp+".")
+			if len(sp) > 0 {
+				if sp[0] == '.' {
+					sp = sp[1:]
+				}
+				if sp[len(sp)-1] != '.' {
+					sp += "."
+				}
+				s.dropSuffixes = append(s.dropSuffixes, strings.ToLower(sp))
+			}
 		}
 	}
 	if s.localIP == nil {

From a682c7b7aeb2abafc2fd80c7f596756d92df1f3a Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:22:56 +0100
Subject: [PATCH 15/20] Ensure that the DNS resolver uses lowercase names
 everywhere.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server.go | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/pkg/client/rootd/dns/server.go b/pkg/client/rootd/dns/server.go
index 966a94b4ef..0fb5643ea8 100644
--- a/pkg/client/rootd/dns/server.go
+++ b/pkg/client/rootd/dns/server.go
@@ -146,6 +146,13 @@ func (dv *cacheEntry) close() {
 	}
 }
 
+func sliceToLower(ss []string) []string {
+	for i, s := range ss {
+		ss[i] = strings.ToLower(s)
+	}
+	return ss
+}
+
 // NewServer returns a new dns.Server.
 func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 	if config == nil {
@@ -161,9 +168,9 @@ func NewServer(config *rpc.DNSConfig, clusterLookup Resolver) *Server {
 		cache:           xsync.NewMapOf[cacheKey, *cacheEntry](),
 		routes:          make(map[string]struct{}),
 		domains:         make(map[string]struct{}),
-		excludes:        config.Excludes,
-		excludeSuffixes: config.ExcludeSuffixes,
-		includeSuffixes: config.IncludeSuffixes,
+		excludes:        sliceToLower(config.Excludes),
+		excludeSuffixes: sliceToLower(config.ExcludeSuffixes),
+		includeSuffixes: sliceToLower(config.IncludeSuffixes),
 		mappings:        mappingsMap(config.Mappings),
 		localIP:         config.LocalIp,
 		remoteIP:        config.RemoteIp,
@@ -395,12 +402,12 @@ func (s *Server) SetClusterDNS(dns *manager.DNS, remoteIP net.IP) {
 	}
 	if dns != nil {
 		if slices.Equal(s.excludeSuffixes, DefaultExcludeSuffixes) && len(dns.ExcludeSuffixes) > 0 {
-			s.excludeSuffixes = dns.ExcludeSuffixes
+			s.excludeSuffixes = sliceToLower(dns.ExcludeSuffixes)
 		}
 		if len(s.includeSuffixes) == 0 {
-			s.includeSuffixes = dns.IncludeSuffixes
+			s.includeSuffixes = sliceToLower(dns.IncludeSuffixes)
 		}
-		s.clusterDomain = dns.ClusterDomain
+		s.clusterDomain = strings.ToLower(dns.ClusterDomain)
 	}
 	s.Unlock()
 }
@@ -437,6 +444,9 @@ func (s *Server) purgeRecordsFromCache(keyName string) {
 
 // SetExcludes sets the excludes list in the config.
 func (s *Server) SetExcludes(excludes []string) {
+	for i, e := range excludes {
+		excludes[i] = strings.ToLower(e)
+	}
 	s.Lock()
 	oldExcludes := s.excludes
 	s.excludes = excludes
@@ -455,7 +465,7 @@ func mappingsMap(mappings []*rpc.DNSMapping) map[string]string {
 			if ip := iputil.Parse(al); ip == nil {
 				al += "."
 			}
-			mm[m.Name+"."] = al
+			mm[strings.ToLower(m.Name+".")] = strings.ToLower(al)
 		}
 		return mm
 	}
@@ -513,6 +523,7 @@ func (s *Server) processSearchPaths(g *dgroup.Group, processor func(context.Cont
 				routes := make(map[string]struct{})
 				search := make([]string, 0)
 				for _, path := range paths {
+					path = strings.ToLower(path)
 					if path == tel2SubDomain || strings.ContainsRune(path, '.') {
 						search = append(search, path)
 					} else if path != "" {
@@ -826,7 +837,6 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	// We make changes to the query name, so we better restore it prior to writing an
 	// answer back, or the caller will get confused.
 	origName := q.Name
-	q.Name = strings.ToLower(origName)
 	defer func() {
 		qs := msg.Question
 		if len(qs) > 0 {
@@ -844,6 +854,9 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		q.Name = origName
 	}()
 
+	// We're all about lowercase in here
+	q.Name = strings.ToLower(origName)
+
 	// The tel2SubDomain serves one purpose and one purpose alone. It's there to coerce the
 	// system DNS resolver to direct requests to this resolver. The system configuration to
 	// make this happen vary depending on OS, but the purpose is always the same. Given that,

From 1a35c0a90e3f6e3200b6a515d32ae2b23fc4ec43 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 14:23:46 +0100
Subject: [PATCH 16/20] Fix glitch in telepresence config view command.

The command reported an error when no traffic-manager was installed. Now
it will instead report the client config.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/cli/cmd/config.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/client/cli/cmd/config.go b/pkg/client/cli/cmd/config.go
index 4ff151f21f..64f1a302a4 100644
--- a/pkg/client/cli/cmd/config.go
+++ b/pkg/client/cli/cmd/config.go
@@ -42,9 +42,19 @@ func configView() *cobra.Command {
 func runConfigView(cmd *cobra.Command, _ []string) error {
 	var cfg client.SessionConfig
 	clientOnly, _ := cmd.Flags().GetBool("client-only")
+	if !clientOnly {
+		cmd.Annotations = map[string]string{
+			ann.Session: ann.Required,
+		}
+		if err := connect.InitCommand(cmd); err != nil {
+			// Unable to establish a session, so try to convey the local config instead. It
+			// may be helpful in diagnosing the problem.
+			cmd.Annotations = map[string]string{}
+			clientOnly = true
+		}
+	}
+
 	if clientOnly {
-		// Unable to establish a session, so try to convey the local config instead. It
-		// may be helpful in diagnosing the problem.
 		if err := connect.InitCommand(cmd); err != nil {
 			return err
 		}

From 29f64df7f87ac1e3afad5a4a20fa6f5b685952da Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 17:15:01 +0100
Subject: [PATCH 17/20] Disable traffic-manager's metriton reporting during
 integration testing

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 charts/telepresence/templates/deployment.yaml |  4 +++
 charts/telepresence/values.yaml               |  3 ++
 integration_test/itest/cluster.go             | 29 ++++++++++---------
 integration_test/itest/context.go             |  2 +-
 4 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/charts/telepresence/templates/deployment.yaml b/charts/telepresence/templates/deployment.yaml
index aca9ad7dd6..c49bbab722 100644
--- a/charts/telepresence/templates/deployment.yaml
+++ b/charts/telepresence/templates/deployment.yaml
@@ -182,6 +182,10 @@ spec:
             value: "{{ join " " . }}"
           {{- end }}
           {{- end }}
+          {{- if not .metritonEnabled }}  # 0 is false
+          - name: SCOUT_DISABLE
+            value: "1"
+          {{- end }}
         {{- /*
         Client configuration
         */}}
diff --git a/charts/telepresence/values.yaml b/charts/telepresence/values.yaml
index d87aec25af..d8330d43d7 100644
--- a/charts/telepresence/values.yaml
+++ b/charts/telepresence/values.yaml
@@ -96,6 +96,9 @@ grpc:
 # podCIDRs is the verbatim list of CIDRs used when the podCIDRStrategy is set to environment
 podCIDRs: []
 
+# Enable/disable metriton reporting to ambassador
+metritonEnabled: true
+
 # podCIDRStrategy controls what strategy the traffic-manager will use for finding out what
 # CIDRs the cluster is using for its pods. Valid values are:
 #
diff --git a/integration_test/itest/cluster.go b/integration_test/itest/cluster.go
index 71e4b405c4..205ffe3edb 100644
--- a/integration_test/itest/cluster.go
+++ b/integration_test/itest/cluster.go
@@ -59,7 +59,7 @@ type Cluster interface {
 	CompatVersion() string
 	Executable() string
 	GeneralError() error
-	GlobalEnv() dos.MapEnv
+	GlobalEnv(context.Context) dos.MapEnv
 	AgentVersion(context.Context) string
 	Initialize(context.Context) context.Context
 	InstallTrafficManager(ctx context.Context, values map[string]string) error
@@ -372,12 +372,13 @@ func (s *cluster) withBasicConfig(c context.Context, t *testing.T) context.Conte
 	return c
 }
 
-func (s *cluster) GlobalEnv() dos.MapEnv {
+func (s *cluster) GlobalEnv(ctx context.Context) dos.MapEnv {
 	globalEnv := dos.MapEnv{
 		"KUBECONFIG": s.kubeConfig,
 	}
 	yes := struct{}{}
 	includeEnv := map[string]struct{}{
+		"SCOUT_DISABLE":             yes,
 		"HOME":                      yes,
 		"PATH":                      yes,
 		"LOGNAME":                   yes,
@@ -403,7 +404,7 @@ func (s *cluster) GlobalEnv() dos.MapEnv {
 		includeEnv["USERNAME"] = yes
 		includeEnv["windir"] = yes
 	}
-	for _, env := range os.Environ() {
+	for _, env := range dos.Environ(ctx) {
 		if eqIdx := strings.IndexByte(env, '='); eqIdx > 0 {
 			key := env[:eqIdx]
 			if _, ok := includeEnv[key]; ok {
@@ -633,16 +634,18 @@ func (s *cluster) TelepresenceHelmInstall(ctx context.Context, upgrade bool, set
 	}
 	nsl := nss.UniqueList()
 	vx := struct {
-		LogLevel    string  `json:"logLevel"`
-		Image       *Image  `json:"image,omitempty"`
-		Agent       *xAgent `json:"agent,omitempty"`
-		ClientRbac  xRbac   `json:"clientRbac"`
-		ManagerRbac xRbac   `json:"managerRbac"`
-		Client      xClient `json:"client"`
+		LogLevel        string  `json:"logLevel"`
+		MetritonEnabled bool    `json:"metritonEnabled"`
+		Image           *Image  `json:"image,omitempty"`
+		Agent           *xAgent `json:"agent,omitempty"`
+		ClientRbac      xRbac   `json:"clientRbac"`
+		ManagerRbac     xRbac   `json:"managerRbac"`
+		Client          xClient `json:"client"`
 	}{
-		LogLevel: "debug",
-		Image:    GetImage(ctx),
-		Agent:    agent,
+		LogLevel:        "debug",
+		MetritonEnabled: false,
+		Image:           GetImage(ctx),
+		Agent:           agent,
 		ClientRbac: xRbac{
 			Create:     true,
 			Namespaced: len(nss.ManagedNamespaces) > 0,
@@ -775,7 +778,7 @@ func Command(ctx context.Context, executable string, args ...string) *dexec.Cmd
 }
 
 func EnvironMap(ctx context.Context) dos.MapEnv {
-	env := GetGlobalHarness(ctx).GlobalEnv()
+	env := GetGlobalHarness(ctx).GlobalEnv(ctx)
 	maps.Merge(env, getEnv(ctx))
 	return env
 }
diff --git a/integration_test/itest/context.go b/integration_test/itest/context.go
index 3f641832e7..a4dff5382d 100644
--- a/integration_test/itest/context.go
+++ b/integration_test/itest/context.go
@@ -175,7 +175,7 @@ func GetUser(ctx context.Context) string {
 
 func LookupEnv(ctx context.Context, key string) (value string, ok bool) {
 	if value, ok = getEnv(ctx)[key]; !ok {
-		value, ok = GetGlobalHarness(ctx).GlobalEnv()[key]
+		value, ok = GetGlobalHarness(ctx).GlobalEnv(ctx)[key]
 	}
 	return
 }

From 1af82d4ebd72c26af48844c77023d3f17438d215 Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 23:24:21 +0100
Subject: [PATCH 18/20] Disable root-daemon's metriton reporting when
 SCOUT_DISABLE=1

The root daemon starts without environments being passed on from the
caller (passing them requires special permissions), so it is not
possible to disable the metriton reporter by just setting
`SCOUT_DISABLE=1` in the environment.

This commit adds a boolean flag `--disable-metriton` to the daemon. The
CLI passes this flag when `SCOUT_DISABLE=1` variable is set, so that the
daemon can set it too.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/cli/connect/daemon.go |  3 +++
 pkg/client/rootd/service.go      | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/pkg/client/cli/connect/daemon.go b/pkg/client/cli/connect/daemon.go
index 80a419462a..5a8d30338b 100644
--- a/pkg/client/cli/connect/daemon.go
+++ b/pkg/client/cli/connect/daemon.go
@@ -47,6 +47,9 @@ func launchDaemon(ctx context.Context, cr *daemon.Request) error {
 	if cr != nil && cr.RootDaemonProfilingPort > 0 {
 		args = append(args, "--pprof", strconv.Itoa(int(cr.RootDaemonProfilingPort)))
 	}
+	if os.Getenv("SCOUT_DISABLE") == "1" {
+		args = append(args, "--disable-metriton")
+	}
 	args = append(args, logDir, filelocation.AppUserConfigDir(ctx))
 	return proc.StartInBackgroundAsRoot(ctx, args...)
 }
diff --git a/pkg/client/rootd/service.go b/pkg/client/rootd/service.go
index b35df4b83c..f4feae700c 100644
--- a/pkg/client/rootd/service.go
+++ b/pkg/client/rootd/service.go
@@ -53,9 +53,10 @@ func GetNewServiceFunc(ctx context.Context) NewServiceFunc {
 }
 
 const (
-	ProcessName = "daemon"
-	titleName   = "Daemon"
-	pprofFlag   = "pprof"
+	ProcessName         = "daemon"
+	titleName           = "Daemon"
+	pprofFlag           = "pprof"
+	metritonDisableFlag = "disable-metriton"
 )
 
 func help() string {
@@ -118,6 +119,7 @@ func Command() *cobra.Command {
 	}
 	flags := cmd.Flags()
 	flags.Uint16(pprofFlag, 0, "start pprof server on the given port")
+	flags.Bool(metritonDisableFlag, false, "disable metriton reporting")
 	return cmd
 }
 
@@ -462,6 +464,9 @@ func run(cmd *cobra.Command, args []string) error {
 			}
 		}()
 	}
+	if disableMetriton, _ := flags.GetBool(metritonDisableFlag); disableMetriton {
+		_ = os.Setenv("SCOUT_DISABLE", "1")
+	}
 
 	c = dgroup.WithGoroutineName(c, "/"+ProcessName)
 	c, err = logging.InitContext(c, ProcessName, logging.RotateDaily, true)

From f251f3fd1d6c7b510a75b1cc74c2982461fb1d8f Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Wed, 17 Jan 2024 23:28:03 +0100
Subject: [PATCH 19/20] Fix correct generation of files under /etc/resolver for
 darwin systems.

This commit simplifies how files are generated under `/etc/resolver`, so
that one file per DNS-route is generate without a `search`, and one
file per DNS-search is generated with a `search`.

If the `search` is suffixed with an existing file generated for a
`route`, then that file will receive the `search`.

Files are no longer suffixed with `.local` because there's really no
reason to do that.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 pkg/client/rootd/dns/server_darwin.go | 150 ++++++++++++--------------
 1 file changed, 66 insertions(+), 84 deletions(-)

diff --git a/pkg/client/rootd/dns/server_darwin.go b/pkg/client/rootd/dns/server_darwin.go
index 04123c9d54..a7122e7fc7 100644
--- a/pkg/client/rootd/dns/server_darwin.go
+++ b/pkg/client/rootd/dns/server_darwin.go
@@ -6,12 +6,12 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
 	"github.com/datawire/dlib/dgroup"
 	"github.com/datawire/dlib/dlog"
-	"github.com/telepresenceio/telepresence/v2/pkg/maps"
 	"github.com/telepresenceio/telepresence/v2/pkg/vif"
 )
 
@@ -20,15 +20,15 @@ const (
 	recursionTestTimeout    = 500 * time.Millisecond
 )
 
-func (r *resolveFile) setSearchPaths(paths ...string) {
-	ps := make([]string, 0, len(paths)+1)
-	for _, p := range paths {
-		p = strings.TrimSuffix(p, ".")
-		if len(p) > 0 && p != r.domain {
-			ps = append(ps, p)
-		}
+func (r *resolveFile) equals(o *resolveFile) bool {
+	if r == nil || o == nil {
+		return r == o
 	}
-	r.search = ps
+	return r.port == o.port &&
+		r.domain == o.domain &&
+		slices.Equal(r.nameservers, o.nameservers) &&
+		slices.Equal(r.search, o.search) &&
+		slices.Equal(r.options, o.options)
 }
 
 func (r *resolveFile) write(fileName string) error {
@@ -49,7 +49,6 @@ func (r *resolveFile) write(fileName string) error {
 // or, if not on a Mac, follow this link: https://www.manpagez.com/man/5/resolver/
 func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net.IP, *net.UDPAddr)) error {
 	resolverDirName := filepath.Join("/etc", "resolver")
-	resolverFileName := filepath.Join(resolverDirName, "telepresence.local")
 
 	listener, err := newLocalUDPListener(c)
 	if err != nil {
@@ -71,42 +70,19 @@ func (s *Server) Worker(c context.Context, dev vif.Device, configureDNS func(net
 		return err
 	}
 
-	s.RLock()
-	kubernetesZone := s.clusterDomain
-	s.RUnlock()
-	if kubernetesZone == "" {
-		kubernetesZone = "cluster.local."
-	}
-
-	kubernetesZone = kubernetesZone[:len(kubernetesZone)-1] // strip trailing dot
-	rf := resolveFile{
-		port:        dnsAddr.Port,
-		domain:      kubernetesZone,
-		nameservers: []string{dnsAddr.IP.String()},
-		search:      []string{tel2SubDomainDot + kubernetesZone},
-	}
-
-	if err = rf.write(resolverFileName); err != nil {
-		return err
-	}
-	dlog.Infof(c, "Generated new %s", resolverFileName)
-
 	defer func() {
-		// Remove the main resolver file
-		_ = os.Remove(resolverFileName)
-
-		// Remove each namespace resolver file
-		for domain := range s.domains {
-			_ = os.Remove(domainResolverFile(resolverDirName, domain))
-		}
+		_ = s.removeResolverFiles(c, resolverDirName)
 		s.flushDNS()
 	}()
 
 	// Start local DNS server
 	g := dgroup.NewGroup(c, dgroup.GroupConfig{})
 	g.Go("Server", func(c context.Context) error {
+		if err := s.updateResolverFiles(c, resolverDirName, dnsAddr); err != nil {
+			return err
+		}
 		s.processSearchPaths(g, func(c context.Context, _ vif.Device) error {
-			return s.updateResolverFiles(c, resolverDirName, resolverFileName, dnsAddr)
+			return s.updateResolverFiles(c, resolverDirName, dnsAddr)
 		}, dev)
 		// Server will close the listener, so no need to close it here.
 		return s.Run(c, make(chan struct{}), []net.PacketConn{listener}, nil, s.resolveInCluster)
@@ -132,72 +108,78 @@ func (s *Server) removeResolverFiles(c context.Context, resolverDirName string)
 	return nil
 }
 
-func (s *Server) updateResolverFiles(c context.Context, resolverDirName, resolverFileName string, dnsAddr *net.UDPAddr) error {
-	rf, err := readResolveFile(resolverFileName)
-	if err != nil {
-		return err
-	}
+func (s *Server) updateResolverFiles(c context.Context, resolverDirName string, dnsAddr *net.UDPAddr) error {
 	s.Lock()
 	defer s.Unlock()
 
-	// All routes and include suffixes become domains
+	nameservers := []string{dnsAddr.IP.String()}
+	port := dnsAddr.Port
+	newDomainResolveFile := func(domain string) *resolveFile {
+		return &resolveFile{
+			port:        port,
+			domain:      domain,
+			nameservers: nameservers,
+		}
+	}
 
-	domains := make(map[string]struct{}, len(s.routes)+len(s.includeSuffixes))
-	maps.Merge(domains, s.routes)
+	// All routes and include suffixes become domains
+	domains := make(map[string]*resolveFile, len(s.routes)+len(s.includeSuffixes))
+	for route := range s.routes {
+		domains[route] = newDomainResolveFile(route)
+	}
 	for _, sfx := range s.includeSuffixes {
-		domains[strings.TrimPrefix(sfx, ".")] = struct{}{}
+		sfx = strings.TrimPrefix(sfx, ".")
+		domains[sfx] = newDomainResolveFile(sfx)
+	}
+	clusterDomain := strings.TrimSuffix(s.clusterDomain, ".")
+	domains[clusterDomain] = newDomainResolveFile(clusterDomain)
+	domains[tel2SubDomain] = newDomainResolveFile(tel2SubDomain)
+
+nextSearch:
+	for _, search := range s.search {
+		search = strings.TrimSuffix(search, ".")
+		if df, ok := domains[search]; ok {
+			df.search = append(df.search, search)
+			continue
+		}
+		for domain, df := range domains {
+			if strings.HasSuffix(search, "."+domain) {
+				df.search = append(df.search, search)
+				continue nextSearch
+			}
+		}
 	}
 
-	// On Darwin, we provide resolution of NAME.NAMESPACE by adding one domain
-	// for each namespace in its own domain file under /etc/resolver. Each file
-	// is named "telepresence.<domain>.local"
-	var removals []string
-	var additions []string
-
 	for domain := range s.domains {
 		if _, ok := domains[domain]; !ok {
-			removals = append(removals, domain)
-		}
-	}
-	for domain := range domains {
-		if _, ok := s.domains[domain]; !ok {
-			additions = append(additions, domain)
+			nsFile := domainResolverFile(resolverDirName, domain)
+			dlog.Infof(c, "Removing %s", nsFile)
+			if err := os.Remove(nsFile); err != nil {
+				dlog.Error(c, err)
+			}
+			delete(s.domains, domain)
 		}
 	}
-	s.domains = domains
 
-	for _, domain := range removals {
+	for domain, rf := range domains {
 		nsFile := domainResolverFile(resolverDirName, domain)
-		dlog.Infof(c, "Removing %s", nsFile)
-		if err = os.Remove(nsFile); err != nil {
-			dlog.Error(c, err)
-		}
-	}
-	for _, domain := range additions {
-		df := resolveFile{
-			port:        dnsAddr.Port,
-			domain:      domain,
-			nameservers: []string{dnsAddr.IP.String()},
+		if _, ok := s.domains[domain]; ok {
+			if oldRf, err := readResolveFile(nsFile); err != nil && rf.equals(oldRf) {
+				continue
+			}
+			dlog.Infof(c, "Regenerating %s", nsFile)
+		} else {
+			s.domains[domain] = struct{}{}
+			dlog.Infof(c, "Generating %s", nsFile)
 		}
-		nsFile := domainResolverFile(resolverDirName, domain)
-		dlog.Infof(c, "Generated new %s", nsFile)
-		if err = df.write(nsFile); err != nil {
+		if err := rf.write(nsFile); err != nil {
 			dlog.Error(c, err)
 		}
 	}
-
-	rf.setSearchPaths(s.search...)
-
-	// Versions prior to Big Sur will not trigger an update unless the resolver file
-	// is removed and recreated.
-	_ = os.Remove(resolverFileName)
-	if err = rf.write(resolverFileName); err != nil {
-		return err
-	}
 	s.flushDNS()
 	return nil
 }
 
 func domainResolverFile(resolverDirName, domain string) string {
-	return filepath.Join(resolverDirName, "telepresence."+domain+".local")
+	return filepath.Join(resolverDirName, "telepresence."+domain)
 }

From 82b6446ed33f974e5f8e87fcd6eeee636317feae Mon Sep 17 00:00:00 2001
From: Thomas Hallgren <thomas@datawire.io>
Date: Thu, 18 Jan 2024 22:46:04 +0100
Subject: [PATCH 20/20] Skip the DNS suffix-rule test on linux-arm64.

The current runner appends search paths to multi-labeled names. The
systemd-resolved DNS-resolver shouldn't do that so something is
misconfigured.

Signed-off-by: Thomas Hallgren <thomas@datawire.io>
---
 integration_test/kubeconfig_extension_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/integration_test/kubeconfig_extension_test.go b/integration_test/kubeconfig_extension_test.go
index 987e8b5e6f..beeb812554 100644
--- a/integration_test/kubeconfig_extension_test.go
+++ b/integration_test/kubeconfig_extension_test.go
@@ -11,6 +11,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"runtime"
 	"strconv"
 	"strings"
 	"time"
@@ -215,6 +216,10 @@ func (s *notConnectedSuite) Test_ConflictingProxies() {
 }
 
 func (s *notConnectedSuite) Test_DNSSuffixRules() {
+	if s.IsCI() && runtime.GOOS == "linux" && runtime.GOARCH == "arm64" {
+		s.T().Skip("The DNS on the linux-arm64 GitHub runner is not configured correctly")
+	}
+
 	const randomName = "zwslkjsdf"
 	const randomDomain = ".xnrqj"
 	tests := []struct {