client/tailscale, cmd/tailscale/cli: plumb --socket through

Without this, `tailscale status` ignores the --socket flag on macOS and always talks to the IPNExtension, even if you wanted it to inspect a userspace tailscaled. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2021-03-30 09:23:08 -07:00
150 changed files with 3746 additions and 11542 deletions
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -1,48 +0,0 @@
-name: Linux race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Set up Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.16
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Run tests with -race flag on linux
-      run: go test -race ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -1,52 +0,0 @@
-name: Windows race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Install Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: 1.16.x
-
-    - name: Checkout code
-      uses: actions/checkout@v2
-
-    - name: Restore Cache
-      uses: actions/cache@v2
-      with:
-        path: ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
-
-    - name: Test with -race flag
-      run: go test -race ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/api.md
+++ b/api.md
@@ -367,11 +367,10 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"

 #### `POST /api/v2/tailnet/:tailnet/acl` - set ACL for a tailnet

-Sets the ACL for the given domain.
-HuJSON and JSON are both accepted inputs.
-An `If-Match` header can be set to avoid missed updates.
+Sets the ACL for the given tailnet. HuJSON and JSON are both accepted inputs. An `If-Match` header can be set to avoid missed updates.

-Returns the updated ACL in JSON or HuJSON according to the `Accept` header on success. Otherwise, errors are returned for incorrectly defined ACLs, ACLs with failing tests on attempted updates, and mismatched `If-Match` header and ETag.
+Returns error for invalid ACLs.
+Returns error if using an `If-Match` header and the ETag does not match.

 ##### Parameters

@@ -381,17 +380,7 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 `Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.

 ###### POST Body
-
-The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
-An ACL policy may contain the following top-level properties:
-
-* `Groups` - Static groups of users which can be used for ACL rules.
-* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
-* `ACLs` - Access control lists.
-* `TagOwners` - Defines who is allowed to use which tags.
-* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.
-
-See https://tailscale.com/kb/1018/acls for more information on those properties.
+ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)

 ##### Example
 ```
@@ -422,7 +411,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 }'
 ```

-Response:
+Response
 ```
 // Example/default ACLs for unrestricted connections.
 {
@@ -447,25 +436,9 @@ Response:
 }
 ```

-Failed test error response:
-```
-{
-    "message": "test(s) failed",
-    "data": [
-        {
-            "user": "user1@example.com",
-            "errors": [
-                "address \"user2@example.com:400\": want: Accept, got: Drop"
-            ]
-        }
-    ]
-}
-```
-
 <a name=tailnet-acl-preview-post></a>

 #### `POST /api/v2/tailnet/:tailnet/acl/preview` - preview rule matches on an ACL for a resource
-
 Determines what rules match for a user on an ACL without saving the ACL to the server.

 ##### Parameters
@@ -504,7 +477,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl?user=user1@exampl
 }'
 ```

-Response:
+Response
 ```
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package apitype contains types for the Tailscale local API.
-package apitype
-
-import "tailscale.com/tailcfg"
-
-// WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-type WhoIsResponse struct {
-	Node        *tailcfg.Node
-	UserProfile *tailcfg.UserProfile
-}
-
-// FileTarget is a node to which files can be sent, and the PeerAPI
-// URL base to do so via.
-type FileTarget struct {
-	Node *tailcfg.Node
-
-	// PeerAPI is the http://ip:port URL base of the node's peer API,
-	// without any path (not even a single slash).
-	PeerAPIURL string
-}
-
-type WaitingFile struct {
-	Name string
-	Size int64
-}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -6,24 +6,19 @@
 package tailscale

 import (
-	"bytes"
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"strconv"
-	"strings"

-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
 )

 // TailscaledSocket is the tailscaled Unix socket.
@@ -66,22 +61,9 @@ func DoLocalRequest(req *http.Request) (*http.Response, error) {
 	return tsClient.Do(req)
 }

-type errorJSON struct {
-	Error string
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+func WhoIs(ctx context.Context, remoteAddr string) (*tailcfg.WhoIsResponse, error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -90,49 +72,39 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 		return nil, err
 	}
 	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
+	slurp, _ := ioutil.ReadAll(res.Body)
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("HTTP %s: %s", res.Status, slurp)
 	}
-	if res.StatusCode != wantStatus {
-		err := fmt.Errorf("HTTP %s: %s (expected %v)", res.Status, slurp, wantStatus)
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func get200(ctx context.Context, path string) ([]byte, error) {
-	return send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
+	r := new(tailcfg.WhoIsResponse)
+	if err := json.Unmarshal(slurp, r); err != nil {
+		if max := 200; len(slurp) > max {
+			slurp = slurp[:max]
 		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", slurp)
 	}
 	return r, nil
 }

 // Goroutines returns a dump of the Tailscale daemon's current goroutines.
 func Goroutines(ctx context.Context) ([]byte, error) {
-	return get200(ctx, "/localapi/v0/goroutines")
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func BugReport(ctx context.Context, note string) (string, error) {
-	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/goroutines", nil)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	return strings.TrimSpace(string(body)), nil
+	res, err := DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+	return body, nil
 }

 // Status returns the Tailscale daemon's status.
@@ -146,113 +118,22 @@ func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
 }

 func status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := get200(ctx, "/localapi/v0/status"+queryString)
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/status"+queryString, nil)
 	if err != nil {
 		return nil, err
 	}
+	res, err := DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		body, _ := ioutil.ReadAll(res.Body)
+		return nil, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
 	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
+	if err := json.NewDecoder(res.Body).Decode(st); err != nil {
 		return nil, err
 	}
 	return st, nil
 }
-
-func WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := DoLocalRequest(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-func CheckIPForwarding(ctx context.Context) error {
-	body, err := get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func Logout(ctx context.Context) error {
-	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -18,7 +18,7 @@ import (
 	"strings"

 	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/tailcfg"
 )

 var (
@@ -107,7 +107,7 @@ type tmplData struct {
 	IP            string // "100.2.3.4"
 }

-func tailscaleIP(who *apitype.WhoIsResponse) string {
+func tailscaleIP(who *tailcfg.WhoIsResponse) string {
 	if who == nil {
 		return ""
 	}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -1,38 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/peterbourgon/ff/v2/ffcli"
-	"tailscale.com/client/tailscale"
-)
-
-var bugReportCmd = &ffcli.Command{
-	Name:       "bugreport",
-	Exec:       runBugReport,
-	ShortHelp:  "Print a shareable identifier to help diagnose issues",
-	ShortUsage: "bugreport [note]",
-}
-
-func runBugReport(ctx context.Context, args []string) error {
-	var note string
-	switch len(args) {
-	case 0:
-	case 1:
-		note = args[0]
-	default:
-		return errors.New("unknown argumets")
-	}
-	logMarker, err := tailscale.BugReport(ctx, note)
-	if err != nil {
-		return err
-	}
-	fmt.Println(logMarker)
-	return nil
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -15,7 +15,6 @@ import (
 	"os"
 	"os/signal"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"
 	"text/tabwriter"
@@ -25,44 +24,21 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/syncs"
 )

 // ActLikeCLI reports whether a GUI application should act like the
 // CLI based on os.Args, GOOS, the context the process is running in
 // (pty, parent PID), etc.
 func ActLikeCLI() bool {
-	// This function is only used on macOS.
-	if runtime.GOOS != "darwin" {
+	if len(os.Args) < 2 {
 		return false
 	}
-
-	// Escape hatch to let people force running the macOS
-	// GUI Tailscale binary as the CLI.
-	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_BE_CLI")); v {
+	switch os.Args[1] {
+	case "up", "down", "status", "netcheck", "ping", "version",
+		"debug",
+		"-V", "--version", "-h", "--help":
 		return true
 	}
-
-	// If our parent is launchd, we're definitely not
-	// being run as a CLI.
-	if os.Getppid() == 1 {
-		return false
-	}
-
-	// Looking at the environment of the GUI Tailscale app (ps eww
-	// $PID), empirically none of these environment variables are
-	// present. But all or some of these should be present with
-	// Terminal.all and bash or zsh.
-	for _, e := range []string{
-		"SHLVL",
-		"TERM",
-		"TERM_PROGRAM",
-		"PS1",
-	} {
-		if os.Getenv(e) != "" {
-			return true
-		}
-	}
 	return false
 }

@@ -88,7 +64,6 @@ change in the future.
 		Subcommands: []*ffcli.Command{
 			upCmd,
 			downCmd,
-			logoutCmd,
 			netcheckCmd,
 			ipCmd,
 			statusCmd,
@@ -96,7 +71,6 @@ change in the future.
 			versionCmd,
 			webCmd,
 			pushCmd,
-			bugReportCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -133,8 +107,6 @@ var rootArgs struct {
 	socket string
 }

-var gotSignal syncs.AtomicBool
-
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	c, err := safesocket.Connect(rootArgs.socket, 41112)
 	if err != nil {
@@ -152,14 +124,7 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 	go func() {
 		interrupt := make(chan os.Signal, 1)
 		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-		select {
-		case <-interrupt:
-		case <-ctx.Done():
-			// Context canceled elsewhere.
-			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
-			return
-		}
-		gotSignal.Set(true)
+		<-interrupt
 		c.Close()
 		cancel()
 	}()
@@ -177,9 +142,7 @@ func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
 			if ctx.Err() != nil {
 				return
 			}
-			if !gotSignal.Get() {
-				log.Printf("ReadMsg: %v\n", err)
-			}
+			log.Printf("ReadMsg: %v\n", err)
 			break
 		}
 		bc.GotNotifyMsg(msg)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -1,336 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"strings"
-	"testing"
-
-	"inet.af/netaddr"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/types/logger"
-	"tailscale.com/types/preftype"
-)
-
-// Test that checkForAccidentalSettingReverts's updateMaskedPrefsFromUpFlag can handle
-// all flags. This will panic if a new flag creeps in that's unhandled.
-func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
-	mp := new(ipn.MaskedPrefs)
-	upFlagSet.VisitAll(func(f *flag.Flag) {
-		updateMaskedPrefsFromUpFlag(mp, f.Name)
-	})
-}
-
-func TestCheckForAccidentalSettingReverts(t *testing.T) {
-	f := func(flags ...string) map[string]bool {
-		m := make(map[string]bool)
-		for _, f := range flags {
-			m[f] = true
-		}
-		return m
-	}
-	tests := []struct {
-		name     string
-		flagSet  map[string]bool
-		curPrefs *ipn.Prefs
-		mp       *ipn.MaskedPrefs
-		want     string
-	}{
-		{
-			name:    "bare_up_means_up",
-			flagSet: f(),
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-			},
-			mp: &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					WantRunning: true,
-				},
-				WantRunningSet: true,
-			},
-			want: "",
-		},
-		{
-			name:    "losing_hostname",
-			flagSet: f("accept-dns"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-				CorpDNS:     true,
-			},
-			mp: &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					ControlURL:  ipn.DefaultControlURL,
-					WantRunning: true,
-					CorpDNS:     true,
-				},
-				ControlURLSet:  true,
-				WantRunningSet: true,
-				CorpDNSSet:     true,
-			},
-			want: `'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; --hostname is not specified but its default value of "" differs from current value "foo"`,
-		},
-		{
-			name:    "hostname_changing_explicitly",
-			flagSet: f("hostname"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-			},
-			mp: &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					ControlURL:  ipn.DefaultControlURL,
-					WantRunning: true,
-					Hostname:    "bar",
-				},
-				ControlURLSet:  true,
-				WantRunningSet: true,
-				HostnameSet:    true,
-			},
-			want: "",
-		},
-		{
-			name:    "hostname_changing_empty_explicitly",
-			flagSet: f("hostname"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-			},
-			mp: &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					ControlURL:  ipn.DefaultControlURL,
-					WantRunning: true,
-					Hostname:    "",
-				},
-				ControlURLSet:  true,
-				WantRunningSet: true,
-				HostnameSet:    true,
-			},
-			want: "",
-		},
-		{
-			name:    "empty_slice_equals_nil_slice",
-			flagSet: f("hostname"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:      ipn.DefaultControlURL,
-				AdvertiseRoutes: []netaddr.IPPrefix{},
-			},
-			mp: &ipn.MaskedPrefs{
-				Prefs: ipn.Prefs{
-					ControlURL:      ipn.DefaultControlURL,
-					AdvertiseRoutes: nil,
-				},
-				ControlURLSet: true,
-			},
-			want: "",
-		},
-		{
-			// Issue 1725: "tailscale up --authkey=..." (or other non-empty flags) works from
-			// a fresh server's initial prefs.
-			name:     "up_with_default_prefs",
-			flagSet:  f("authkey"),
-			curPrefs: ipn.NewPrefs(),
-			mp: &ipn.MaskedPrefs{
-				Prefs:          *defaultPrefsFromUpArgs(t),
-				WantRunningSet: true,
-			},
-			want: "",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var got string
-			if err := checkForAccidentalSettingReverts(tt.flagSet, tt.curPrefs, tt.mp); err != nil {
-				got = err.Error()
-			}
-			if got != tt.want {
-				t.Errorf("unexpected result\n got: %s\nwant: %s\n", got, tt.want)
-			}
-		})
-	}
-}
-
-func defaultPrefsFromUpArgs(t testing.TB) *ipn.Prefs {
-	upFlagSet.Parse(nil) // populates upArgs
-	if upFlagSet.Lookup("netfilter-mode") == nil && upArgs.netfilterMode == "" {
-		// This flag is not compiled on on-Linux platforms,
-		// but prefsFromUpArgs requires it be populated.
-		upArgs.netfilterMode = defaultNetfilterMode()
-	}
-	prefs, err := prefsFromUpArgs(upArgs, logger.Discard, new(ipnstate.Status), "linux")
-	if err != nil {
-		t.Fatalf("defaultPrefsFromUpArgs: %v", err)
-	}
-	prefs.WantRunning = true
-	return prefs
-}
-
-func TestPrefsFromUpArgs(t *testing.T) {
-	tests := []struct {
-		name     string
-		args     upArgsT
-		goos     string           // runtime.GOOS; empty means linux
-		st       *ipnstate.Status // or nil
-		want     *ipn.Prefs
-		wantErr  string
-		wantWarn string
-	}{
-		{
-			name: "zero",
-			goos: "windows",
-			args: upArgsT{},
-			want: &ipn.Prefs{
-				WantRunning:   true,
-				NoSNAT:        true,
-				NetfilterMode: preftype.NetfilterOn, // silly, but default from ipn.NewPref currently
-			},
-		},
-		{
-			name: "error_advertise_route_invalid_ip",
-			args: upArgsT{
-				advertiseRoutes: "foo",
-			},
-			wantErr: `"foo" is not a valid IP address or CIDR prefix`,
-		},
-		{
-			name: "error_advertise_route_unmasked_bits",
-			args: upArgsT{
-				advertiseRoutes: "1.2.3.4/16",
-			},
-			wantErr: `1.2.3.4/16 has non-address bits set; expected 1.2.0.0/16`,
-		},
-		{
-			name: "error_exit_node_bad_ip",
-			args: upArgsT{
-				exitNodeIP: "foo",
-			},
-			wantErr: `invalid IP address "foo" for --exit-node: unable to parse IP`,
-		},
-		{
-			name: "error_exit_node_allow_lan_without_exit_node",
-			args: upArgsT{
-				exitNodeAllowLANAccess: true,
-			},
-			wantErr: `--exit-node-allow-lan-access can only be used with --exit-node`,
-		},
-		{
-			name: "error_tag_prefix",
-			args: upArgsT{
-				advertiseTags: "foo",
-			},
-			wantErr: `tag: "foo": tags must start with 'tag:'`,
-		},
-		{
-			name: "error_long_hostname",
-			args: upArgsT{
-				hostname: strings.Repeat("a", 300),
-			},
-			wantErr: `hostname too long: 300 bytes (max 256)`,
-		},
-		{
-			name: "error_linux_netfilter_empty",
-			args: upArgsT{
-				netfilterMode: "",
-			},
-			wantErr: `invalid value --netfilter-mode=""`,
-		},
-		{
-			name: "error_linux_netfilter_bogus",
-			args: upArgsT{
-				netfilterMode: "bogus",
-			},
-			wantErr: `invalid value --netfilter-mode="bogus"`,
-		},
-		{
-			name: "error_exit_node_ip_is_self_ip",
-			args: upArgsT{
-				exitNodeIP: "100.105.106.107",
-			},
-			st: &ipnstate.Status{
-				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
-			},
-			wantErr: `cannot use 100.105.106.107 as the exit node as it is a local IP address to this machine, did you mean --advertise-exit-node?`,
-		},
-		{
-			name: "warn_linux_netfilter_nodivert",
-			goos: "linux",
-			args: upArgsT{
-				netfilterMode: "nodivert",
-			},
-			wantWarn: "netfilter=nodivert; add iptables calls to ts-* chains manually.",
-			want: &ipn.Prefs{
-				WantRunning:   true,
-				NetfilterMode: preftype.NetfilterNoDivert,
-				NoSNAT:        true,
-			},
-		},
-		{
-			name: "warn_linux_netfilter_off",
-			goos: "linux",
-			args: upArgsT{
-				netfilterMode: "off",
-			},
-			wantWarn: "netfilter=off; configure iptables yourself.",
-			want: &ipn.Prefs{
-				WantRunning:   true,
-				NetfilterMode: preftype.NetfilterOff,
-				NoSNAT:        true,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var warnBuf bytes.Buffer
-			warnf := func(format string, a ...interface{}) {
-				fmt.Fprintf(&warnBuf, format, a...)
-			}
-			goos := tt.goos
-			if goos == "" {
-				goos = "linux"
-			}
-			st := tt.st
-			if st == nil {
-				st = new(ipnstate.Status)
-			}
-			got, err := prefsFromUpArgs(tt.args, warnf, st, goos)
-			gotErr := fmt.Sprint(err)
-			if tt.wantErr != "" {
-				if tt.wantErr != gotErr {
-					t.Errorf("wrong error.\n got error: %v\nwant error: %v\n", gotErr, tt.wantErr)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatal(err)
-			}
-			if tt.want == nil {
-				t.Fatal("tt.want is nil")
-			}
-			if !got.Equals(tt.want) {
-				jgot, _ := json.MarshalIndent(got, "", "\t")
-				jwant, _ := json.MarshalIndent(tt.want, "", "\t")
-				if bytes.Equal(jgot, jwant) {
-					t.Logf("prefs differ only in non-JSON-visible ways (nil/non-nil zero-length arrays)")
-				}
-				t.Errorf("wrong prefs\n got: %s\nwant: %s\n\ngot: %s\nwant: %s\n",
-					got.Pretty(), tt.want.Pretty(),
-					jgot, jwant,
-				)
-
-			}
-		})
-	}
-
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -6,21 +6,12 @@ package cli

 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"flag"
-	"fmt"
-	"io"
-	"log"
 	"os"
-	"runtime"
-	"strings"

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
 )

 var debugCmd = &ffcli.Command{
@@ -29,101 +20,24 @@ var debugCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := flag.NewFlagSet("debug", flag.ExitOnError)
 		fs.BoolVar(&debugArgs.goroutines, "daemon-goroutines", false, "If true, dump the tailscaled daemon's goroutines")
-		fs.BoolVar(&debugArgs.ipn, "ipn", false, "If true, subscribe to IPN notifications")
-		fs.BoolVar(&debugArgs.prefs, "prefs", false, "If true, dump active prefs")
-		fs.BoolVar(&debugArgs.pretty, "pretty", false, "If true, pretty-print output (for --prefs)")
-		fs.BoolVar(&debugArgs.netMap, "netmap", true, "whether to include netmap in --ipn mode")
-		fs.BoolVar(&debugArgs.localCreds, "local-creds", false, "print how to connect to local tailscaled")
-		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
 		return fs
 	})(),
 }

 var debugArgs struct {
-	localCreds bool
 	goroutines bool
-	ipn        bool
-	netMap     bool
-	file       string
-	prefs      bool
-	pretty     bool
 }

 func runDebug(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
-	if debugArgs.localCreds {
-		port, token, err := safesocket.LocalTCPPortAndToken()
-		if err == nil {
-			fmt.Printf("curl -u:%s http://localhost:%d/localapi/v0/status\n", token, port)
-			return nil
-		}
-		if runtime.GOOS == "windows" {
-			fmt.Printf("curl http://localhost:41112/localapi/v0/status\n")
-			return nil
-		}
-		fmt.Printf("curl --unix-socket %s http://foo/localapi/v0/status\n", paths.DefaultTailscaledSocket())
-		return nil
-	}
-	if debugArgs.prefs {
-		prefs, err := tailscale.GetPrefs(ctx)
-		if err != nil {
-			return err
-		}
-		if debugArgs.pretty {
-			fmt.Println(prefs.Pretty())
-		} else {
-			j, _ := json.MarshalIndent(prefs, "", "\t")
-			fmt.Println(string(j))
-		}
-		return nil
-	}
 	if debugArgs.goroutines {
 		goroutines, err := tailscale.Goroutines(ctx)
 		if err != nil {
 			return err
 		}
 		os.Stdout.Write(goroutines)
-		return nil
-	}
-	if debugArgs.ipn {
-		c, bc, ctx, cancel := connect(ctx)
-		defer cancel()
-
-		bc.SetNotifyCallback(func(n ipn.Notify) {
-			if !debugArgs.netMap {
-				n.NetMap = nil
-			}
-			j, _ := json.MarshalIndent(n, "", "\t")
-			fmt.Printf("%s\n", j)
-		})
-		bc.RequestEngineStatus()
-		pump(ctx, bc, c)
-		return errors.New("exit")
-	}
-	if debugArgs.file != "" {
-		if debugArgs.file == "get" {
-			wfs, err := tailscale.WaitingFiles(ctx)
-			if err != nil {
-				log.Fatal(err)
-			}
-			e := json.NewEncoder(os.Stdout)
-			e.SetIndent("", "\t")
-			e.Encode(wfs)
-			return nil
-		}
-		delete := strings.HasPrefix(debugArgs.file, "delete:")
-		if delete {
-			return tailscale.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
-		}
-		rc, size, err := tailscale.GetWaitingFile(ctx, debugArgs.file)
-		if err != nil {
-			return err
-		}
-		log.Printf("Size: %v\n", size)
-		io.Copy(os.Stdout, rc)
-		return nil
 	}
 	return nil
 }
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -8,7 +8,7 @@ import (
 	"context"
 	"fmt"
 	"log"
-	"os"
+	"time"

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
@@ -33,14 +33,34 @@ func runDown(ctx context.Context, args []string) error {
 		return fmt.Errorf("error fetching current status: %w", err)
 	}
 	if st.BackendState == "Stopped" {
-		fmt.Fprintf(os.Stderr, "Tailscale was already stopped.\n")
+		log.Printf("already stopped")
 		return nil
 	}
-	_, err = tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
-		Prefs: ipn.Prefs{
-			WantRunning: false,
-		},
-		WantRunningSet: true,
+	log.Printf("was in state %q", st.BackendState)
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	timer := time.AfterFunc(5*time.Second, func() {
+		log.Fatalf("timeout running stop")
 	})
-	return err
+	defer timer.Stop()
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.State != nil {
+			log.Printf("now in state %q", *n.State)
+			if *n.State == ipn.Stopped {
+				cancel()
+			}
+			return
+		}
+	})
+
+	bc.SetWantRunning(false)
+	pump(ctx, bc, c)
+
+	return nil
 }
--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -11,16 +11,13 @@ import (
 	"fmt"

 	"github.com/peterbourgon/ff/v2/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn/ipnstate"
 )

 var ipCmd = &ffcli.Command{
 	Name:       "ip",
-	ShortUsage: "ip [-4] [-6] [peername]",
-	ShortHelp:  "Show current Tailscale IP address(es)",
-	LongHelp:   "Shows the Tailscale IP address of the current machine without an argument. With an argument, it shows the IP of a named peer.",
+	ShortUsage: "ip [-4] [-6]",
+	ShortHelp:  "Show this machine's current Tailscale IP address(es)",
 	Exec:       runIP,
 	FlagSet: (func() *flag.FlagSet {
 		fs := flag.NewFlagSet("ip", flag.ExitOnError)
@@ -36,14 +33,9 @@ var ipArgs struct {
 }

 func runIP(ctx context.Context, args []string) error {
-	if len(args) > 1 {
+	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
-	var of string
-	if len(args) == 1 {
-		of = args[0]
-	}
-
 	v4, v6 := ipArgs.want4, ipArgs.want6
 	if v4 && v6 {
 		return errors.New("tailscale up -4 and -6 are mutually exclusive")
@@ -55,24 +47,11 @@ func runIP(ctx context.Context, args []string) error {
 	if err != nil {
 		return err
 	}
-	ips := st.TailscaleIPs
-	if of != "" {
-		ip, err := tailscaleIPFromArg(ctx, of)
-		if err != nil {
-			return err
-		}
-		peer, ok := peerMatchingIP(st, ip)
-		if !ok {
-			return fmt.Errorf("no peer found with IP %v", ip)
-		}
-		ips = peer.TailscaleIPs
-	}
-	if len(ips) == 0 {
+	if len(st.TailscaleIPs) == 0 {
 		return fmt.Errorf("no current Tailscale IPs; state: %v", st.BackendState)
 	}
-
 	match := false
-	for _, ip := range ips {
+	for _, ip := range st.TailscaleIPs {
 		if ip.Is4() && v4 || ip.Is6() && v6 {
 			match = true
 			fmt.Println(ip)
@@ -88,18 +67,3 @@ func runIP(ctx context.Context, args []string) error {
 	}
 	return nil
 }
-
-func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return
-	}
-	for _, ps = range st.Peer {
-		for _, pip := range ps.TailscaleIPs {
-			if ip == pip {
-				return ps, true
-			}
-		}
-	}
-	return nil, false
-}
--- a/cmd/tailscale/cli/logout.go
+++ b/cmd/tailscale/cli/logout.go
@@ -1,34 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"log"
-	"strings"
-
-	"github.com/peterbourgon/ff/v2/ffcli"
-	"tailscale.com/client/tailscale"
-)
-
-var logoutCmd = &ffcli.Command{
-	Name:       "logout",
-	ShortUsage: "logout [flags]",
-	ShortHelp:  "Disconnect from Tailscale and expire current node key",
-
-	LongHelp: strings.TrimSpace(`
-"tailscale logout" brings the network down and invalidates
-the current node key, forcing a future use of it to cause
-a reauthentication.
-`),
-	Exec: runLogout,
-}
-
-func runLogout(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		log.Fatalf("too many non-flag arguments: %q", args)
-	}
-	return tailscale.Logout(ctx)
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -154,10 +154,7 @@ func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, err er
 	}
 	for _, ps := range st.Peer {
 		if hostOrIP == dnsOrQuoteHostname(st, ps) || hostOrIP == ps.DNSName {
-			if len(ps.TailscaleIPs) == 0 {
-				return "", errors.New("node found but lacks an IP")
-			}
-			return ps.TailscaleIPs[0].String(), nil
+			return ps.TailAddr, nil
 		}
 	}

--- a/cmd/tailscale/cli/push.go
+++ b/cmd/tailscale/cli/push.go
@@ -13,17 +13,16 @@ import (
 	"io"
 	"log"
 	"mime"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
-	"strconv"
 	"time"
 	"unicode/utf8"

 	"github.com/peterbourgon/ff/v2/ffcli"
-	"golang.org/x/time/rate"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
 )

 var pushCmd = &ffcli.Command{
@@ -35,7 +34,6 @@ var pushCmd = &ffcli.Command{
 		fs := flag.NewFlagSet("push", flag.ExitOnError)
 		fs.StringVar(&pushArgs.name, "name", "", "alternate filename to use, especially useful when <file> is \"-\" (stdin)")
 		fs.BoolVar(&pushArgs.verbose, "verbose", false, "verbose output")
-		fs.BoolVar(&pushArgs.targets, "targets", false, "list possible push targets")
 		return fs
 	})(),
 }
@@ -43,15 +41,11 @@ var pushCmd = &ffcli.Command{
 var pushArgs struct {
 	name    string
 	verbose bool
-	targets bool
 }

 func runPush(ctx context.Context, args []string) error {
-	if pushArgs.targets {
-		return runPushTargets(ctx, args)
-	}
 	if len(args) != 2 || args[0] == "" {
-		return errors.New("usage: push <hostname-or-IP> <file>\n       push --targets")
+		return errors.New("usage: push <hostname-or-IP> <file>")
 	}
 	var ip string

@@ -61,18 +55,13 @@ func runPush(ctx context.Context, args []string) error {
 		return err
 	}

-	peerAPIBase, lastSeen, err := discoverPeerAPIBase(ctx, ip)
+	peerAPIPort, err := discoverPeerAPIPort(ctx, ip)
 	if err != nil {
 		return err
 	}

-	if !lastSeen.IsZero() && time.Since(lastSeen) > lastSeenOld {
-		fmt.Fprintf(os.Stderr, "# warning: %s last seen %v ago\n", hostOrIP, time.Since(lastSeen).Round(time.Minute))
-	}
-
 	var fileContents io.Reader
 	var name = pushArgs.name
-	var contentLength int64 = -1
 	if fileArg == "-" {
 		fileContents = os.Stdin
 		if name == "" {
@@ -87,30 +76,17 @@ func runPush(ctx context.Context, args []string) error {
 			return err
 		}
 		defer f.Close()
-		fi, err := f.Stat()
-		if err != nil {
-			return err
-		}
-		if fi.IsDir() {
-			return errors.New("directories not supported")
-		}
-		contentLength = fi.Size()
-		fileContents = io.LimitReader(f, contentLength)
+		fileContents = f
 		if name == "" {
 			name = fileArg
 		}
-
-		if slow, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_SLOW_PUSH")); slow {
-			fileContents = &slowReader{r: fileContents}
-		}
 	}

-	dstURL := peerAPIBase + "/v0/put/" + url.PathEscape(name)
+	dstURL := "http://" + net.JoinHostPort(ip, fmt.Sprint(peerAPIPort)) + "/v0/put/" + url.PathEscape(name)
 	req, err := http.NewRequestWithContext(ctx, "PUT", dstURL, fileContents)
 	if err != nil {
 		return err
 	}
-	req.ContentLength = contentLength
 	if pushArgs.verbose {
 		log.Printf("sending to %v ...", dstURL)
 	}
@@ -126,28 +102,51 @@ func runPush(ctx context.Context, args []string) error {
 	return errors.New(res.Status)
 }

-func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSeen time.Time, err error) {
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return "", time.Time{}, err
+func discoverPeerAPIPort(ctx context.Context, ip string) (port uint16, err error) {
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	prc := make(chan *ipnstate.PingResult, 2)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			prc <- pr
+		}
+	})
+	go pump(ctx, bc, c)
+
+	ticker := time.NewTicker(time.Second)
+	defer ticker.Stop()
+
+	discoPings := 0
+	timer := time.NewTimer(10 * time.Second)
+	defer timer.Stop()
+
+	sendPings := func() {
+		bc.Ping(ip, false)
+		bc.Ping(ip, true)
 	}
-	fts, err := tailscale.FileTargets(ctx)
-	if err != nil {
-		return "", time.Time{}, err
-	}
-	for _, ft := range fts {
-		n := ft.Node
-		for _, a := range n.Addresses {
-			if a.IP != ip {
-				continue
+	sendPings()
+	for {
+		select {
+		case <-ticker.C:
+			sendPings()
+		case <-timer.C:
+			return 0, fmt.Errorf("timeout contacting %v; it offline?", ip)
+		case pr := <-prc:
+			if p := pr.PeerAPIPort; p != 0 {
+				return p, nil
 			}
-			if n.LastSeen != nil {
-				lastSeen = *n.LastSeen
+			discoPings++
+			if discoPings == 3 {
+				return 0, fmt.Errorf("%v is online, but seems to be running an old Tailscale version", ip)
 			}
-			return ft.PeerAPIURL, lastSeen, nil
+		case <-ctx.Done():
+			return 0, ctx.Err()
 		}
 	}
-	return "", time.Time{}, errors.New("target seems to be running an old Tailscale version")
 }

 const maxSniff = 4 << 20
@@ -172,47 +171,3 @@ func pickStdinFilename() (name string, r io.Reader, err error) {
 	}
 	return "stdin" + ext(sniff), io.MultiReader(bytes.NewReader(sniff), os.Stdin), nil
 }
-
-type slowReader struct {
-	r  io.Reader
-	rl *rate.Limiter
-}
-
-func (r *slowReader) Read(p []byte) (n int, err error) {
-	const burst = 4 << 10
-	plen := len(p)
-	if plen > burst {
-		plen = burst
-	}
-	if r.rl == nil {
-		r.rl = rate.NewLimiter(rate.Limit(1<<10), burst)
-	}
-	n, err = r.r.Read(p[:plen])
-	r.rl.WaitN(context.Background(), n)
-	return
-}
-
-const lastSeenOld = 20 * time.Minute
-
-func runPushTargets(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("invalid arguments with --targets")
-	}
-	fts, err := tailscale.FileTargets(ctx)
-	if err != nil {
-		return err
-	}
-	for _, ft := range fts {
-		n := ft.Node
-		var ago string
-		if n.LastSeen == nil {
-			ago = "\tnode never seen"
-		} else {
-			if d := time.Since(*n.LastSeen); d > lastSeenOld {
-				ago = fmt.Sprintf("\tlast seen %v ago", d.Round(time.Minute))
-			}
-		}
-		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP, n.ComputedName, ago)
-	}
-	return nil
-}
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -18,7 +18,6 @@ import (

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"github.com/toqueteos/webbrowser"
-	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -107,24 +106,9 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

-	switch st.BackendState {
-	default:
-		fmt.Fprintf(os.Stderr, "unexpected state: %s\n", st.BackendState)
-		os.Exit(1)
-	case ipn.Stopped.String():
+	if st.BackendState == ipn.Stopped.String() {
 		fmt.Println("Tailscale is stopped.")
 		os.Exit(1)
-	case ipn.NeedsLogin.String():
-		fmt.Println("Logged out.")
-		if st.AuthURL != "" {
-			fmt.Printf("\nLog in at: %s\n", st.AuthURL)
-		}
-		os.Exit(1)
-	case ipn.NeedsMachineAuth.String():
-		fmt.Println("Machine is not yet authorized by tailnet admin.")
-		os.Exit(1)
-	case ipn.Running.String():
-		// Run below.
 	}

 	var buf bytes.Buffer
@@ -132,7 +116,7 @@ func runStatus(ctx context.Context, args []string) error {
 	printPS := func(ps *ipnstate.PeerStatus) {
 		active := peerActive(ps)
 		f("%-15s %-20s %-12s %-7s ",
-			firstIPString(ps.TailscaleIPs),
+			ps.TailAddr,
 			dnsOrQuoteHostname(st, ps),
 			ownerLogin(st, ps),
 			ps.OS,
@@ -217,10 +201,3 @@ func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	}
 	return u.LoginName
 }
-
-func firstIPString(v []netaddr.IP) string {
-	if len(v) == 0 {
-		return ""
-	}
-	return v[0].String()
-}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -5,27 +5,25 @@
 package cli

 import (
+	"bytes"
 	"context"
 	"errors"
 	"flag"
 	"fmt"
+	"log"
 	"os"
-	"reflect"
+	"os/exec"
 	"runtime"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"

-	"github.com/go-multierror/multierror"
 	"github.com/peterbourgon/ff/v2/ffcli"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
 	"tailscale.com/version/distro"
 )
@@ -33,56 +31,40 @@ import (
 var upCmd = &ffcli.Command{
 	Name:       "up",
 	ShortUsage: "up [flags]",
-	ShortHelp:  "Connect to Tailscale, logging in if needed",
+	ShortHelp:  "Connect to your Tailscale network",

 	LongHelp: strings.TrimSpace(`
 "tailscale up" connects this machine to your Tailscale network,
 triggering authentication if necessary.

-With no flags, "tailscale up" brings the network online without
-changing any settings. (That is, it's the opposite of "tailscale
-down").
-
-If flags are specified, the flags must be the complete set of desired
-settings. An error is returned if any setting would be changed as a
-result of an unspecified flag's default value, unless the --reset
-flag is also used.
+The flags passed to this command are specific to this machine. If you don't
+specify any flags, options are reset to their default.
 `),
-	FlagSet: upFlagSet,
-	Exec:    runUp,
+	FlagSet: (func() *flag.FlagSet {
+		upf := flag.NewFlagSet("up", flag.ExitOnError)
+		upf.StringVar(&upArgs.server, "login-server", "https://login.tailscale.com", "base URL of control server")
+		upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
+		upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
+		upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
+		upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale IP of the exit node for internet traffic")
+		upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
+		upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "ACL tags to request (comma-separated, e.g. \"tag:eng,tag:montreal,tag:ssh\")")
+		upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
+		upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
+		if runtime.GOOS == "linux" || isBSD(runtime.GOOS) {
+			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\")")
+			upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
+		}
+		if runtime.GOOS == "linux" {
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
+		}
+		return upf
+	})(),
+	Exec: runUp,
 }

-var upFlagSet = (func() *flag.FlagSet {
-	upf := flag.NewFlagSet("up", flag.ExitOnError)
-
-	upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
-	upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")
-
-	upf.StringVar(&upArgs.server, "login-server", ipn.DefaultControlURL, "base URL of control server")
-	upf.BoolVar(&upArgs.acceptRoutes, "accept-routes", false, "accept routes advertised by other Tailscale nodes")
-	upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
-	upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
-	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale IP of the exit node for internet traffic")
-	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
-	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
-	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
-	upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
-	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
-	upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\")")
-	upf.BoolVar(&upArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
-	if safesocket.PlatformUsesPeerCreds() {
-		upf.StringVar(&upArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
-	}
-	if runtime.GOOS == "linux" {
-		upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
-		upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
-	}
-	if runtime.GOOS == "windows" {
-		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
-	}
-	return upf
-})()
-
 func defaultNetfilterMode() string {
 	if distro.Get() == distro.Synology {
 		return "off"
@@ -90,45 +72,85 @@ func defaultNetfilterMode() string {
 	return "on"
 }

-type upArgsT struct {
-	reset                  bool
-	server                 string
-	acceptRoutes           bool
-	acceptDNS              bool
-	singleRoutes           bool
-	exitNodeIP             string
-	exitNodeAllowLANAccess bool
-	shieldsUp              bool
-	forceReauth            bool
-	forceDaemon            bool
-	advertiseRoutes        string
-	advertiseDefaultRoute  bool
-	advertiseTags          string
-	snat                   bool
-	netfilterMode          string
-	authKey                string
-	hostname               string
-	opUser                 string
+var upArgs struct {
+	server                string
+	acceptRoutes          bool
+	acceptDNS             bool
+	singleRoutes          bool
+	exitNodeIP            string
+	shieldsUp             bool
+	forceReauth           bool
+	advertiseRoutes       string
+	advertiseDefaultRoute bool
+	advertiseTags         string
+	snat                  bool
+	netfilterMode         string
+	authKey               string
+	hostname              string
 }

-var upArgs upArgsT
+func isBSD(s string) bool {
+	return s == "dragonfly" || s == "freebsd" || s == "netbsd" || s == "openbsd"
+}

 func warnf(format string, args ...interface{}) {
 	fmt.Printf("Warning: "+format+"\n", args...)
 }

+// checkIPForwarding prints warnings on linux if IP forwarding is not
+// enabled, or if we were unable to verify the state of IP forwarding.
+func checkIPForwarding() {
+	var key string
+
+	if runtime.GOOS == "linux" {
+		key = "net.ipv4.ip_forward"
+	} else if isBSD(runtime.GOOS) {
+		key = "net.inet.ip.forwarding"
+	} else {
+		return
+	}
+
+	bs, err := exec.Command("sysctl", "-n", key).Output()
+	if err != nil {
+		warnf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		return
+	}
+	on, err := strconv.ParseBool(string(bytes.TrimSpace(bs)))
+	if err != nil {
+		warnf("couldn't parse %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
+		return
+	}
+	if !on {
+		warnf("%s is disabled. Subnet routes won't work.", key)
+	}
+}
+
 var (
 	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
 	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )

-// prefsFromUpArgs returns the ipn.Prefs for the provided args.
-//
-// Note that the parameters upArgs and warnf are named intentionally
-// to shadow the globals to prevent accidental misuse of them. This
-// function exists for testing and should have no side effects or
-// outside interactions (e.g. no making Tailscale local API calls).
-func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
+func runUp(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+
+	if distro.Get() == distro.Synology {
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		if upArgs.advertiseRoutes != "" {
+			return errors.New("--advertise-routes is " + notSupported)
+		}
+		if upArgs.acceptRoutes {
+			return errors.New("--accept-routes is " + notSupported)
+		}
+		if upArgs.exitNodeIP != "" {
+			return errors.New("--exit-node is " + notSupported)
+		}
+		if upArgs.netfilterMode != "off" {
+			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
+		}
+	}
+
 	routeMap := map[netaddr.IPPrefix]bool{}
 	var default4, default6 bool
 	if upArgs.advertiseRoutes != "" {
@@ -136,10 +158,10 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		for _, s := range advroutes {
 			ipp, err := netaddr.ParseIPPrefix(s)
 			if err != nil {
-				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
+				fatalf("%q is not a valid IP address or CIDR prefix", s)
 			}
 			if ipp != ipp.Masked() {
-				return nil, fmt.Errorf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
+				fatalf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
 			}
 			if ipp == ipv4default {
 				default4 = true
@@ -149,15 +171,21 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			routeMap[ipp] = true
 		}
 		if default4 && !default6 {
-			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
+			fatalf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
 		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
+			fatalf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
 	if upArgs.advertiseDefaultRoute {
 		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
 		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
 	}
+	if len(routeMap) > 0 {
+		checkIPForwarding()
+		if isBSD(runtime.GOOS) {
+			warnf("Subnet routing and exit nodes only work with additional manual configuration on %v, and is not currently officially supported.", runtime.GOOS)
+		}
+	}
 	routes := make([]netaddr.IPPrefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
@@ -174,17 +202,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		var err error
 		exitNodeIP, err = netaddr.ParseIP(upArgs.exitNodeIP)
 		if err != nil {
-			return nil, fmt.Errorf("invalid IP address %q for --exit-node: %v", upArgs.exitNodeIP, err)
-		}
-	} else if upArgs.exitNodeAllowLANAccess {
-		return nil, fmt.Errorf("--exit-node-allow-lan-access can only be used with --exit-node")
-	}
-
-	if upArgs.exitNodeIP != "" {
-		for _, ip := range st.TailscaleIPs {
-			if exitNodeIP == ip {
-				return nil, fmt.Errorf("cannot use %s as the exit node as it is a local IP address to this machine, did you mean --advertise-exit-node?", upArgs.exitNodeIP)
-			}
+			fatalf("invalid IP address %q for --exit-node: %v", upArgs.exitNodeIP, err)
 		}
 	}

@@ -194,13 +212,13 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		for _, tag := range tags {
 			err := tailcfg.CheckTag(tag)
 			if err != nil {
-				return nil, fmt.Errorf("tag: %q: %s", tag, err)
+				fatalf("tag: %q: %s", tag, err)
 			}
 		}
 	}

 	if len(upArgs.hostname) > 256 {
-		return nil, fmt.Errorf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
+		fatalf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
 	}

 	prefs := ipn.NewPrefs()
@@ -208,7 +226,6 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.WantRunning = true
 	prefs.RouteAll = upArgs.acceptRoutes
 	prefs.ExitNodeIP = exitNodeIP
-	prefs.ExitNodeAllowLANAccess = upArgs.exitNodeAllowLANAccess
 	prefs.CorpDNS = upArgs.acceptDNS
 	prefs.AllowSingleHosts = upArgs.singleRoutes
 	prefs.ShieldsUp = upArgs.shieldsUp
@@ -216,10 +233,9 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.AdvertiseTags = tags
 	prefs.NoSNAT = !upArgs.snat
 	prefs.Hostname = upArgs.hostname
-	prefs.ForceDaemon = upArgs.forceDaemon
-	prefs.OperatorUser = upArgs.opUser
+	prefs.ForceDaemon = (runtime.GOOS == "windows")

-	if goos == "linux" {
+	if runtime.GOOS == "linux" {
 		switch upArgs.netfilterMode {
 		case "on":
 			prefs.NetfilterMode = preftype.NetfilterOn
@@ -230,343 +246,98 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			prefs.NetfilterMode = preftype.NetfilterOff
 			warnf("netfilter=off; configure iptables yourself.")
 		default:
-			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
-		}
-	}
-	return prefs, nil
-}
-
-func runUp(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		fatalf("too many non-flag arguments: %q", args)
-	}
-
-	st, err := tailscale.Status(ctx)
-	if err != nil {
-		fatalf("can't fetch status from tailscaled: %v", err)
-	}
-
-	if distro.Get() == distro.Synology {
-		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
-		if upArgs.acceptRoutes {
-			return errors.New("--accept-routes is " + notSupported)
-		}
-		if upArgs.exitNodeIP != "" {
-			return errors.New("--exit-node is " + notSupported)
-		}
-		if upArgs.netfilterMode != "off" {
-			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
+			fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
 		}
 	}

-	prefs, err := prefsFromUpArgs(upArgs, warnf, st, runtime.GOOS)
-	if err != nil {
-		fatalf("%s", err)
-	}
-
-	if len(prefs.AdvertiseRoutes) > 0 {
-		if err := tailscale.CheckIPForwarding(context.Background()); err != nil {
-			warnf("%v", err)
-		}
-	}
-
-	curPrefs, err := tailscale.GetPrefs(ctx)
-	if err != nil {
-		return err
-	}
-
-	flagSet := map[string]bool{}
-	mp := new(ipn.MaskedPrefs)
-	mp.WantRunningSet = true
-	mp.Prefs = *prefs
-	upFlagSet.Visit(func(f *flag.Flag) {
-		updateMaskedPrefsFromUpFlag(mp, f.Name)
-		flagSet[f.Name] = true
-	})
-
-	if !upArgs.reset {
-		if err := checkForAccidentalSettingReverts(flagSet, curPrefs, mp); err != nil {
-			fatalf("%s", err)
-		}
-	}
-
-	controlURLChanged := curPrefs.ControlURL != prefs.ControlURL
-	if controlURLChanged && st.BackendState == ipn.Running.String() && !upArgs.forceReauth {
-		fatalf("can't change --login-server without --force-reauth")
-	}
-
-	// If we're already running and none of the flags require a
-	// restart, we can just do an EditPrefs call and change the
-	// prefs at runtime (e.g. changing hostname, changinged
-	// advertised tags, routes, etc)
-	justEdit := st.BackendState == ipn.Running.String() &&
-		!upArgs.forceReauth &&
-		!upArgs.reset &&
-		upArgs.authKey == "" &&
-		!controlURLChanged
-	if justEdit {
-		_, err := tailscale.EditPrefs(ctx, mp)
-		return err
-	}
-
-	// simpleUp is whether we're running a simple "tailscale up"
-	// to transition to running from a previously-logged-in but
-	// down state, without changing any settings.
-	simpleUp := len(flagSet) == 0 && curPrefs.Persist != nil && curPrefs.Persist.LoginName != ""
-
-	// At this point we need to subscribe to the IPN bus to watch
-	// for state transitions and possible need to authenticate.
-	c, bc, pumpCtx, cancel := connect(ctx)
+	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

-	startingOrRunning := make(chan bool, 1) // gets value once starting or running
-	gotEngineUpdate := make(chan bool, 1)   // gets value upon an engine update
-	go pump(pumpCtx, bc, c)
+	if !prefs.ExitNodeIP.IsZero() {
+		st, err := tailscale.Status(ctx)
+		if err != nil {
+			fatalf("can't fetch status from tailscaled: %v", err)
+		}
+		for _, ip := range st.TailscaleIPs {
+			if prefs.ExitNodeIP == ip {
+				fatalf("cannot use %s as the exit node as it is a local IP address to this machine, did you mean --advertise-exit-node?", ip)
+			}
+		}
+	}

-	printed := !simpleUp
+	var printed bool
 	var loginOnce sync.Once
 	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }

-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if n.Engine != nil {
-			select {
-			case gotEngineUpdate <- true:
-			default:
+	bc.SetPrefs(prefs)
+
+	opts := ipn.Options{
+		StateKey: ipn.GlobalDaemonStateKey,
+		AuthKey:  upArgs.authKey,
+		Notify: func(n ipn.Notify) {
+			if n.ErrMessage != nil {
+				msg := *n.ErrMessage
+				if msg == ipn.ErrMsgPermissionDenied {
+					switch runtime.GOOS {
+					case "windows":
+						msg += " (Tailscale service in use by other user?)"
+					default:
+						msg += " (try 'sudo tailscale up [...]')"
+					}
+				}
+				fatalf("backend error: %v\n", msg)
 			}
-		}
-		if n.ErrMessage != nil {
-			msg := *n.ErrMessage
-			if msg == ipn.ErrMsgPermissionDenied {
-				switch runtime.GOOS {
-				case "windows":
-					msg += " (Tailscale service in use by other user?)"
-				default:
-					msg += " (try 'sudo tailscale up [...]')"
+			if s := n.State; s != nil {
+				switch *s {
+				case ipn.NeedsLogin:
+					printed = true
+					startLoginInteractive()
+				case ipn.NeedsMachineAuth:
+					printed = true
+					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
+				case ipn.Starting, ipn.Running:
+					// Done full authentication process
+					if printed {
+						// Only need to print an update if we printed the "please click" message earlier.
+						fmt.Fprintf(os.Stderr, "Success.\n")
+					}
+					cancel()
 				}
 			}
-			fatalf("backend error: %v\n", msg)
-		}
-		if s := n.State; s != nil {
-			switch *s {
-			case ipn.NeedsLogin:
-				printed = true
-				startLoginInteractive()
-			case ipn.NeedsMachineAuth:
-				printed = true
-				fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
-			case ipn.Starting, ipn.Running:
-				// Done full authentication process
-				if printed {
-					// Only need to print an update if we printed the "please click" message earlier.
-					fmt.Fprintf(os.Stderr, "Success.\n")
-				}
-				select {
-				case startingOrRunning <- true:
-				default:
-				}
-				cancel()
+			if url := n.BrowseToURL; url != nil {
+				fmt.Fprintf(os.Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
 			}
-		}
-		if url := n.BrowseToURL; url != nil {
-			printed = true
-			fmt.Fprintf(os.Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
-		}
-	})
-	// Wait for backend client to be connected so we know
-	// we're subscribed to updates. Otherwise we can miss
-	// an update upon its transition to running. Do so by causing some traffic
-	// back to the bus that we then wait on.
-	bc.RequestEngineStatus()
-	select {
-	case <-gotEngineUpdate:
-	case <-pumpCtx.Done():
-		return pumpCtx.Err()
+		},
 	}

-	// Special case: bare "tailscale up" means to just start
-	// running, if there's ever been a login.
-	if simpleUp {
-		_, err := tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
-			Prefs: ipn.Prefs{
-				WantRunning: true,
-			},
-			WantRunningSet: true,
-		})
-		if err != nil {
-			return err
-		}
-	} else {
-		bc.SetPrefs(prefs)
+	// On Windows, we still run in mostly the "legacy" way that
+	// predated the server's StateStore. That is, we send an empty
+	// StateKey and send the prefs directly. Although the Windows
+	// supports server mode, though, the transition to StateStore
+	// is only half complete. Only server mode uses it, and the
+	// Windows service (~tailscaled) is the one that computes the
+	// StateKey based on the connection identity. So for now, just
+	// do as the Windows GUI's always done:
+	if runtime.GOOS == "windows" {
+		// The Windows service will set this as needed based
+		// on our connection's identity.
+		opts.StateKey = ""
+		opts.Prefs = prefs
+	}

-		opts := ipn.Options{
-			StateKey: ipn.GlobalDaemonStateKey,
-			AuthKey:  upArgs.authKey,
-		}
-		// On Windows, we still run in mostly the "legacy" way that
-		// predated the server's StateStore. That is, we send an empty
-		// StateKey and send the prefs directly. Although the Windows
-		// supports server mode, though, the transition to StateStore
-		// is only half complete. Only server mode uses it, and the
-		// Windows service (~tailscaled) is the one that computes the
-		// StateKey based on the connection identity. So for now, just
-		// do as the Windows GUI's always done:
-		if runtime.GOOS == "windows" {
-			// The Windows service will set this as needed based
-			// on our connection's identity.
-			opts.StateKey = ""
-			opts.Prefs = prefs
-		}
-
-		bc.Start(opts)
+	// We still have to Start right now because it's the only way to
+	// set up notifications and whatnot. This causes a bunch of churn
+	// every time the CLI touches anything.
+	//
+	// TODO(danderson): redo the frontend/backend API to assume
+	// ephemeral frontends that read/modify/write state, once
+	// Windows/Mac state is moved into backend.
+	bc.Start(opts)
+	if upArgs.forceReauth {
+		printed = true
 		startLoginInteractive()
 	}
+	pump(ctx, bc, c)

-	select {
-	case <-startingOrRunning:
-		return nil
-	case <-pumpCtx.Done():
-		select {
-		case <-startingOrRunning:
-			return nil
-		default:
-		}
-		return pumpCtx.Err()
-	}
-}
-
-var (
-	flagForPref = map[string]string{} // "ExitNodeIP" => "exit-node"
-	prefsOfFlag = map[string][]string{}
-)
-
-func init() {
-	addPrefFlagMapping("accept-dns", "CorpDNS")
-	addPrefFlagMapping("accept-routes", "RouteAll")
-	addPrefFlagMapping("advertise-routes", "AdvertiseRoutes")
-	addPrefFlagMapping("advertise-tags", "AdvertiseTags")
-	addPrefFlagMapping("host-routes", "AllowSingleHosts")
-	addPrefFlagMapping("hostname", "Hostname")
-	addPrefFlagMapping("login-server", "ControlURL")
-	addPrefFlagMapping("netfilter-mode", "NetfilterMode")
-	addPrefFlagMapping("shields-up", "ShieldsUp")
-	addPrefFlagMapping("snat-subnet-routes", "NoSNAT")
-	addPrefFlagMapping("exit-node", "ExitNodeIP", "ExitNodeIP")
-	addPrefFlagMapping("exit-node-allow-lan-access", "ExitNodeAllowLANAccess")
-	addPrefFlagMapping("unattended", "ForceDaemon")
-	addPrefFlagMapping("operator", "OperatorUser")
-}
-
-func addPrefFlagMapping(flagName string, prefNames ...string) {
-	prefsOfFlag[flagName] = prefNames
-	prefType := reflect.TypeOf(ipn.Prefs{})
-	for _, pref := range prefNames {
-		flagForPref[pref] = flagName
-
-		// Crash at runtime if there's a typo in the prefName.
-		if _, ok := prefType.FieldByName(pref); !ok {
-			panic(fmt.Sprintf("invalid ipn.Prefs field %q", pref))
-		}
-	}
-}
-
-func updateMaskedPrefsFromUpFlag(mp *ipn.MaskedPrefs, flagName string) {
-	if prefs, ok := prefsOfFlag[flagName]; ok {
-		for _, pref := range prefs {
-			reflect.ValueOf(mp).Elem().FieldByName(pref + "Set").SetBool(true)
-		}
-		return
-	}
-	switch flagName {
-	case "authkey", "force-reauth", "reset":
-		// Not pref-related flags.
-	case "advertise-exit-node":
-		// This pref is a shorthand for advertise-routes.
-	default:
-		panic(fmt.Sprintf("internal error: unhandled flag %q", flagName))
-	}
-}
-
-// checkForAccidentalSettingReverts checks for people running
-// "tailscale up" with a subset of the flags they originally ran it
-// with.
-//
-// For example, in Tailscale 1.6 and prior, a user might've advertised
-// a tag, but later tried to change just one other setting and forgot
-// to mention the tag later and silently wiped it out. We now
-// require --reset to change preferences to flag default values when
-// the flag is not mentioned on the command line.
-//
-// curPrefs is what's currently active on the server.
-//
-// mp is the mask of settings actually set, where mp.Prefs is the new
-// preferences to set, including any values set from implicit flags.
-func checkForAccidentalSettingReverts(flagSet map[string]bool, curPrefs *ipn.Prefs, mp *ipn.MaskedPrefs) error {
-	if len(flagSet) == 0 {
-		// A bare "tailscale up" is a special case to just
-		// mean bringing the network up without any changes.
-		return nil
-	}
-	if curPrefs.ControlURL == "" {
-		// Don't validate things on initial "up" before a control URL has been set.
-		return nil
-	}
-	curWithExplicitEdits := curPrefs.Clone()
-	curWithExplicitEdits.ApplyEdits(mp)
-
-	prefType := reflect.TypeOf(ipn.Prefs{})
-
-	// Explicit values (current + explicit edit):
-	ev := reflect.ValueOf(curWithExplicitEdits).Elem()
-	// Implicit values (what we'd get if we replaced everything with flag defaults):
-	iv := reflect.ValueOf(&mp.Prefs).Elem()
-	var errs []error
-	var didExitNodeErr bool
-	for i := 0; i < prefType.NumField(); i++ {
-		prefName := prefType.Field(i).Name
-		if prefName == "Persist" {
-			continue
-		}
-		flagName, hasFlag := flagForPref[prefName]
-		if hasFlag && flagSet[flagName] {
-			continue
-		}
-		// Get explicit value and implicit value
-		ex, im := ev.Field(i), iv.Field(i)
-		switch ex.Kind() {
-		case reflect.String, reflect.Slice:
-			if ex.Kind() == reflect.Slice && ex.Len() == 0 && im.Len() == 0 {
-				// Treat nil and non-nil empty slices as equivalent.
-				continue
-			}
-		}
-		exi, imi := ex.Interface(), im.Interface()
-		if reflect.DeepEqual(exi, imi) {
-			continue
-		}
-		switch flagName {
-		case "":
-			errs = append(errs, fmt.Errorf("'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; this command would change the value of flagless pref %q", prefName))
-		case "exit-node":
-			if !didExitNodeErr {
-				didExitNodeErr = true
-				errs = append(errs, errors.New("'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; --exit-node is not specified but an exit node is currently configured"))
-			}
-		default:
-			errs = append(errs, fmt.Errorf("'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; --%s is not specified but its default value of %v differs from current value %v",
-				flagName, fmtSettingVal(imi), fmtSettingVal(exi)))
-		}
-	}
-	return multierror.New(errs)
-}
-
-func fmtSettingVal(v interface{}) string {
-	switch v := v.(type) {
-	case bool:
-		return strconv.FormatBool(v)
-	case string, preftype.NetfilterMode:
-		return fmt.Sprintf("%q", v)
-	case []string:
-		return strings.Join(v, ",")
-	}
-	return fmt.Sprint(v)
+	return nil
 }
--- a/cmd/tailscale/cli/web.css
+++ b/cmd/tailscale/cli/web.css
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -17,12 +17,10 @@ import (
 	"net/http/cgi"
 	"os/exec"
 	"runtime"
-	"strings"

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
 	"tailscale.com/version/distro"
 )
@@ -30,18 +28,9 @@ import (
 //go:embed web.html
 var webHTML string

-//go:embed web.css
-var webCSS string
-
-var tmpl *template.Template
-
-func init() {
-	tmpl = template.Must(template.New("web.html").Parse(webHTML))
-	template.Must(tmpl.New("web.css").Parse(webCSS))
-}
+var tmpl = template.Must(template.New("html").Parse(webHTML))

 type tmplData struct {
-	Profile      tailcfg.UserProfile
 	SynologyUser string
 	Status       string
 	DeviceName   string
@@ -128,67 +117,6 @@ req.send(null);
 </body></html>
 `

-const authenticationRedirectHTML = `
-<html>
-<head>
-	<title>Redirecting...</title>
-	<style>
-		html,
-		body {
-			height: 100%;
-		}
-
-		html {
-			background-color: rgb(249, 247, 246);
-			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-			line-height: 1.5;
-			-webkit-text-size-adjust: 100%;
-			-webkit-font-smoothing: antialiased;
-			-moz-osx-font-smoothing: grayscale;
-		}
-
-		body {
-			display: flex;
-			flex-direction: column;
-			align-items: center;
-			justify-content: center;
-		}
-
-		.spinner {
-			margin-bottom: 2rem;
-			border: 4px rgba(112, 110, 109, 0.5) solid;
-			border-left-color: transparent;
-			border-radius: 9999px;
-			width: 4rem;
-			height: 4rem;
-			-webkit-animation: spin 700ms linear infinite;
-      animation: spin 800ms linear infinite;
-		}
-
-		.label {
-			color: rgb(112, 110, 109);
-			padding-left: 0.4rem;
-		}
-
-		@-webkit-keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-
-		@keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-	</style>
-</head>
-<body>
-	<div class="spinner"></div>
-	<div class="label">Redirecting...</div>
-</body>
-`
-
 func webHandler(w http.ResponseWriter, r *http.Request) {
 	if synoTokenRedirect(w, r) {
 		return
@@ -200,11 +128,6 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if r.URL.Path == "/redirect" || r.URL.Path == "/redirect/" {
-		w.Write([]byte(authenticationRedirectHTML))
-		return
-	}
-
 	if r.Method == "POST" {
 		type mi map[string]interface{}
 		w.Header().Set("Content-Type", "application/json")
@@ -220,16 +143,12 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 	st, err := tailscale.Status(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), 500)
-		return
 	}

-	profile := st.User[st.Self.UserID]
-	deviceName := strings.Split(st.Self.DNSName, ".")[0]
 	data := tmplData{
 		SynologyUser: user,
-		Profile:      profile,
 		Status:       st.BackendState,
-		DeviceName:   deviceName,
+		DeviceName:   st.Self.DNSName,
 	}
 	if len(st.TailscaleIPs) != 0 {
 		data.IP = st.TailscaleIPs[0].String()
@@ -246,7 +165,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 // TODO(crawshaw): some of this is very similar to the code in 'tailscale up', can we share anything?
 func tailscaleUp(ctx context.Context) (authURL string, retErr error) {
 	prefs := ipn.NewPrefs()
-	prefs.ControlURL = ipn.DefaultControlURL
+	prefs.ControlURL = "https://login.tailscale.com"
 	prefs.WantRunning = true
 	prefs.CorpDNS = true
 	prefs.AllowSingleHosts = true
@@ -259,30 +178,30 @@ func tailscaleUp(ctx context.Context) (authURL string, retErr error) {
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if n.ErrMessage != nil {
-			msg := *n.ErrMessage
-			if msg == ipn.ErrMsgPermissionDenied {
-				switch runtime.GOOS {
-				case "windows":
-					msg += " (Tailscale service in use by other user?)"
-				default:
-					msg += " (try 'sudo tailscale up [...]')"
-				}
-			}
-			retErr = fmt.Errorf("backend error: %v", msg)
-			cancel()
-		} else if url := n.BrowseToURL; url != nil {
-			authURL = *url
-			cancel()
-		}
-	})
-
 	bc.SetPrefs(prefs)

-	bc.Start(ipn.Options{
+	opts := ipn.Options{
 		StateKey: ipn.GlobalDaemonStateKey,
-	})
+		Notify: func(n ipn.Notify) {
+			if n.ErrMessage != nil {
+				msg := *n.ErrMessage
+				if msg == ipn.ErrMsgPermissionDenied {
+					switch runtime.GOOS {
+					case "windows":
+						msg += " (Tailscale service in use by other user?)"
+					default:
+						msg += " (try 'sudo tailscale up [...]')"
+					}
+				}
+				retErr = fmt.Errorf("backend error: %v", msg)
+				cancel()
+			} else if url := n.BrowseToURL; url != nil {
+				authURL = *url
+				cancel()
+			}
+		},
+	}
+	bc.Start(opts)
 	bc.StartLoginInteractive()
 	pump(ctx, bc, c)

--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -1,150 +1,47 @@
 <!doctype html>
-<html class="bg-gray-50">
+<html><title>Tailscale Client</title><body>
+<h1>Tailscale</h1>
+<div style="float:right;">{{.SynologyUser}}</div>
+<table>
+<tr><th>Status:</th><td>{{.Status}}</td></tr>
+<tr><th>Device Name:</th><td>{{.DeviceName}}</td></tr>
+<tr><th>Tailscale IP:</th><td>{{.IP}}</td></tr>
+</table>

-<head>
-	<meta charset="utf-8" />
-	<meta name="viewport" content="width=device-width, initial-scale=1" />
-	<link rel="shortcut icon"
-		href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-	<title>Tailscale</title>
-	<style>{{template "web.css"}}</style>
-</head>
+<p><input id="login" type="button" value="Log in…"></p>

-<body class="py-14">
-	<main class="container max-w-lg mx-auto py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
-		<header class="flex justify-between items-center min-width-0 py-2 mb-8">
-			<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
-				class="flex-shrink-0 mr-4">
-				<circle opacity="0.2" cx="3.4" cy="3.25" r="2.7" fill="currentColor"></circle>
-				<circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
-				<circle opacity="0.2" cx="3.4" cy="19.5" r="2.7" fill="currentColor"></circle>
-				<circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-				<circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-				<circle opacity="0.2" cx="11.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-				<circle opacity="0.2" cx="19.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-				<circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-				<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-			</svg>
-			<div class="flex items-center justify-end space-x-2 w-2/3">
-				{{ with .Profile.LoginName }}
-				<div class="text-right truncate leading-4">
-					<h4 class="truncate">{{.}}</h4>
-					<a href="#" class="text-xs text-gray-500 hover:text-gray-700 js-loginButton">Switch account</a>
-				</div>
-				{{ end }}
-				<div class="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-					{{ with .Profile.ProfilePicURL }}
-					<div class="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-						style="background-image: url('{{.}}'); background-size: cover;"></div>
-					{{ else }}
-					<div class="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed"></div>
-					{{ end }}
-				</div>
-			</div>
-		</header>
-		{{ if .IP }}
-		<div
-			class="border border-gray-200 bg-gray-0 rounded-lg p-2 pl-3 pr-3 mb-8 width-full flex items-center justify-between">
-			<div class="flex items-center min-width-0">
-				<svg class="flex-shrink-0 text-gray-600 mr-3 ml-1" xmlns="http://www.w3.org/2000/svg" width="20" height="20"
-					viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
-					stroke-linejoin="round">
-					<rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-					<rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-					<line x1="6" y1="6" x2="6.01" y2="6"></line>
-					<line x1="6" y1="18" x2="6.01" y2="18"></line>
-				</svg>
-				<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
-			</div>
-			<h5>{{.IP}}</h5>
-		</div>
-		{{ end }}
-		{{ if or (eq .Status "NeedsLogin") (eq .Status "NoState") }}
-		{{ if .IP }}
-		<div class="mb-6">
-			<p class="text-gray-700">Your device's key has expired. Reauthenticate this device by logging in again, or <a
-					href="https://tailscale.com/kb/1028/key-expiry" class="link" target="_blank">learn more</a>.</p>
-		</div>
-		<a href="#" class="mb-4 js-loginButton" target="_blank">
-			<button class="button button-blue w-full">Reauthenticate</button>
-		</a>
-		{{ else }}
-		<div class="mb-6">
-			<h3 class="text-3xl font-semibold mb-3">Log in</h3>
-			<p class="text-gray-700">Get started by logging in to your Tailscale network. Or,&nbsp;learn&nbsp;more at <a
-					href="https://tailscale.com/" class="link" target="_blank">tailscale.com</a>.</p>
-		</div>
-		<a href="#" class="mb-4 js-loginButton" target="_blank">
-			<button class="button button-blue w-full">Log In</button>
-		</a>
-		{{ end }}
-		{{ else if eq .Status "NeedsMachineAuth" }}
-		<div class="mb-4">
-			This device is authorized, but needs approval from a network admin before it can connect to the network.
-		</div>
-		{{ else }}
-		<div class="mb-4">
-			<p>You are connected! Access this device over Tailscale using the device name or IP address above.</p>
-		</div>
-		<a href="#" class="mb-4 link font-medium js-loginButton" target="_blank">Reauthenticate</a>
-		{{ end }}
-	</main>
-	<script>
-		(function () {
-			let loginButtons = document.querySelectorAll(".js-loginButton");
-			let fetchingUrl = false;
+<script>
+login.onclick = function() {
+	const urlParams = new URLSearchParams(window.location.search);
+	const token = urlParams.get("SynoToken");

-			function handleClick(e) {
-				e.preventDefault();
+	var params = new URLSearchParams("up=true");
+	if (token) {
+		params.set("SynoToken", token)
+	}

-				if (fetchingUrl) {
-					return;
-				}
+	var req = new XMLHttpRequest();
+	const url = [location.protocol, '//', location.host, location.pathname, "?", params.toString()].join('');
+	req.overrideMimeType("application/json");
+	req.open("POST", url, true);
+	req.onload = function() {
+		var jsonResponse = JSON.parse(req.responseText);
+		const err = jsonResponse["error"];
+		if (err) {
+			document.body.innerText = err;
+			return
+		}
+		var url = jsonResponse["url"];
+		console.log("jsonResponse: ", jsonResponse);
+		if (url) {
+			document.location.href = url;
+		} else {
+			//location.reload();
+		}
+	};
+	req.send(null);
+}
+</script>

-				fetchingUrl = true;
-				const urlParams = new URLSearchParams(window.location.search);
-				const token = urlParams.get("SynoToken");
-				const nextParams = new URLSearchParams({ up: true });
-				if (token) {
-					nextParams.set("SynoToken", token)
-				}
-				const nextUrl = new URL(window.location);
-				nextUrl.search = nextParams.toString()
-				const url = nextUrl.toString();
-
-				const tab = window.open("/redirect", "_blank");
-
-				fetch(url, {
-					method: "POST",
-					headers: {
-						"Accept": "application/json",
-						"Content-Type": "application/json",
-					}
-				}).then(res => res.json()).then(res => {
-					fetchingUrl = false;
-					const err = res["error"];
-					if (err) {
-						throw new Error(err);
-					}
-					const url = res["url"];
-					if (url) {
-						authUrl = url;
-						tab.location = url;
-						tab.focus();
-					} else {
-						location.reload();
-					}
-				}).catch(err => {
-					tab.close();
-					alert("Failed to log in: " + err.message);
-				});
-			}
-
-			Array.from(loginButtons).forEach(el => {
-				el.addEventListener("click", handleClick);
-			})
-		})();
-	</script>
 </body>
-
 </html>
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -2,7 +2,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep

   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/go-multierror/multierror                          from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
@@ -15,13 +14,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
        tailscale.com/derp                                           from tailscale.com/derp/derphttp
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -22,7 +22,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
   W    github.com/pkg/errors                                        from github.com/github/certstore
     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
@@ -71,7 +70,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
@@ -93,7 +91,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/resolver                               from tailscale.com/wgengine+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -126,6 +123,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/pad32                                    from tailscale.com/wgengine/magicsock
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
@@ -164,7 +162,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from net/http+
+        golang.org/x/net/http/httpguts                               from net/http
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
@@ -178,8 +176,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
+   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
@@ -218,7 +215,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        debug/elf                                                    from rsc.io/goversion/version
        debug/macho                                                  from rsc.io/goversion/version
        debug/pe                                                     from rsc.io/goversion/version
-        embed                                                        from tailscale.com/net/dns
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
@@ -250,8 +246,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/ipn/localapi
-        net/http/internal                                            from net/http+
+        net/http/internal                                            from net/http
        net/http/pprof                                               from tailscale.com/cmd/tailscaled
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
--- a/cmd/tailscaled/install_darwin.go
+++ b/cmd/tailscaled/install_darwin.go
@@ -73,18 +73,9 @@ func uninstallSystemDaemonDarwin(args []string) (ret error) {
 		}
 	}

-	if err := os.Remove(sysPlist); err != nil {
-		if os.IsNotExist(err) {
-			err = nil
-		}
-		if ret == nil {
-			ret = err
-		}
-	}
-	if err := os.Remove(targetBin); err != nil {
-		if os.IsNotExist(err) {
-			err = nil
-		}
+	err = os.Remove(sysPlist)
+	if os.IsNotExist(err) {
+		err = nil
 		if ret == nil {
 			ret = err
 		}
@@ -102,9 +93,6 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		}
 	}()

-	// Best effort:
-	uninstallSystemDaemonDarwin(nil)
-
 	// Copy ourselves to /usr/local/bin/tailscaled.
 	if err := os.MkdirAll(filepath.Dir(targetBin), 0755); err != nil {
 		return err
@@ -139,6 +127,9 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}

+	// Best effort:
+	uninstallSystemDaemonDarwin(nil)
+
 	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
--- a/cmd/tailscaled/install_windows.go
+++ b/cmd/tailscaled/install_windows.go
@@ -1,119 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"time"
-
-	"golang.org/x/sys/windows"
-	"golang.org/x/sys/windows/svc"
-	"golang.org/x/sys/windows/svc/mgr"
-	"tailscale.com/logtail/backoff"
-	"tailscale.com/types/logger"
-)
-
-func init() {
-	installSystemDaemon = installSystemDaemonWindows
-	uninstallSystemDaemon = uninstallSystemDaemonWindows
-}
-
-func installSystemDaemonWindows(args []string) (err error) {
-	m, err := mgr.Connect()
-	if err != nil {
-		return fmt.Errorf("failed to connect to Windows service manager: %v", err)
-	}
-
-	service, err := m.OpenService(serviceName)
-	if err == nil {
-		service.Close()
-		return fmt.Errorf("service %q is already installed", serviceName)
-	}
-
-	// no such service; proceed to install the service.
-
-	exe, err := os.Executable()
-	if err != nil {
-		return err
-	}
-
-	c := mgr.Config{
-		ServiceType:  windows.SERVICE_WIN32_OWN_PROCESS,
-		StartType:    mgr.StartAutomatic,
-		ErrorControl: mgr.ErrorNormal,
-		DisplayName:  serviceName,
-		Description:  "Connects this computer to others on the Tailscale network.",
-	}
-
-	service, err = m.CreateService(serviceName, exe, c)
-	if err != nil {
-		return fmt.Errorf("failed to create %q service: %v", serviceName, err)
-	}
-	defer service.Close()
-
-	// Exponential backoff is often too aggressive, so use (mostly)
-	// squares instead.
-	ra := []mgr.RecoveryAction{
-		{mgr.ServiceRestart, 1 * time.Second},
-		{mgr.ServiceRestart, 2 * time.Second},
-		{mgr.ServiceRestart, 4 * time.Second},
-		{mgr.ServiceRestart, 9 * time.Second},
-		{mgr.ServiceRestart, 16 * time.Second},
-		{mgr.ServiceRestart, 25 * time.Second},
-		{mgr.ServiceRestart, 36 * time.Second},
-		{mgr.ServiceRestart, 49 * time.Second},
-		{mgr.ServiceRestart, 64 * time.Second},
-	}
-	const resetPeriodSecs = 60
-	err = service.SetRecoveryActions(ra, resetPeriodSecs)
-	if err != nil {
-		return fmt.Errorf("failed to set service recovery actions: %v", err)
-	}
-
-	return nil
-}
-
-func uninstallSystemDaemonWindows(args []string) (ret error) {
-	m, err := mgr.Connect()
-	if err != nil {
-		return fmt.Errorf("failed to connect to Windows service manager: %v", err)
-	}
-	defer m.Disconnect()
-
-	service, err := m.OpenService(serviceName)
-	if err != nil {
-		return fmt.Errorf("failed to open %q service: %v", serviceName, err)
-	}
-
-	st, err := service.Query()
-	if err != nil {
-		service.Close()
-		return fmt.Errorf("failed to query service state: %v", err)
-	}
-	if st.State != svc.Stopped {
-		service.Control(svc.Stop)
-	}
-	err = service.Delete()
-	service.Close()
-	if err != nil {
-		return fmt.Errorf("failed to delete service: %v", err)
-	}
-
-	bo := backoff.NewBackoff("uninstall", logger.Discard, 30*time.Second)
-	end := time.Now().Add(15 * time.Second)
-	for time.Until(end) > 0 {
-		service, err = m.OpenService(serviceName)
-		if err != nil {
-			// service is no longer openable; success!
-			break
-		}
-		service.Close()
-		bo.BackOff(context.Background(), errors.New("service not deleted"))
-	}
-	return nil
-}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -29,12 +29,9 @@ import (
 	"time"

 	"github.com/go-multierror/multierror"
-	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
-	"tailscale.com/net/dns"
 	"tailscale.com/net/socks5"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/types/flagtype"
@@ -195,7 +192,6 @@ func run() error {
 	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)

 	if args.cleanup {
-		dns.Cleanup(logf, args.tunname)
 		router.Cleanup(logf, args.tunname)
 		return nil
 	}
@@ -232,40 +228,44 @@ func run() error {
 	}

 	var ns *netstack.Impl
-	if useNetstack || wrapNetstack {
-		onlySubnets := wrapNetstack && !useNetstack
-		ns = mustStartNetstack(logf, e, onlySubnets)
+	if useNetstack {
+		tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
+		if !ok {
+			log.Fatalf("%T is not a wgengine.InternalsGetter", e)
+		}
+		ns, err = netstack.Create(logf, tunDev, e, magicConn)
+		if err != nil {
+			log.Fatalf("netstack.Create: %v", err)
+		}
+		if err := ns.Start(); err != nil {
+			log.Fatalf("failed to start netstack: %v", err)
+		}
 	}

 	if socksListener != nil {
 		srv := &socks5.Server{
 			Logf: logger.WithPrefix(logf, "socks5: "),
 		}
-		var (
-			mu  sync.Mutex // guards the following field
-			dns netstack.DNSMap
-		)
-		e.AddNetworkMapCallback(func(nm *netmap.NetworkMap) {
-			mu.Lock()
-			defer mu.Unlock()
-			dns = netstack.DNSMapFromNetworkMap(nm)
-		})
-		useNetstackForIP := func(ip netaddr.IP) bool {
-			// TODO(bradfitz): this isn't exactly right.
-			// We should also support subnets when the
-			// prefs are configured as such.
-			return tsaddr.IsTailscaleIP(ip)
-		}
-		srv.Dialer = func(ctx context.Context, network, addr string) (net.Conn, error) {
-			ipp, err := dns.Resolve(ctx, addr)
-			if err != nil {
-				return nil, err
-			}
-			if ns != nil && useNetstackForIP(ipp.IP) {
+		if useNetstack {
+			srv.Dialer = func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return ns.DialContextTCP(ctx, addr)
 			}
-			var d net.Dialer
-			return d.DialContext(ctx, network, ipp.String())
+		} else {
+			var mu sync.Mutex
+			var dns netstack.DNSMap
+			e.AddNetworkMapCallback(func(nm *netmap.NetworkMap) {
+				mu.Lock()
+				defer mu.Unlock()
+				dns = netstack.DNSMapFromNetworkMap(nm)
+			})
+			srv.Dialer = func(ctx context.Context, network, addr string) (net.Conn, error) {
+				ipp, err := dns.Resolve(ctx, addr)
+				if err != nil {
+					return nil, err
+				}
+				var d net.Dialer
+				return d.DialContext(ctx, network, ipp.String())
+			}
 		}
 		go func() {
 			log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
@@ -298,7 +298,8 @@ func run() error {
 		Port:               41112,
 		StatePath:          args.statepath,
 		AutostartStateKey:  globalStateKey,
-		SurviveDisconnects: runtime.GOOS != "windows",
+		LegacyConfigPath:   paths.LegacyConfigPath(),
+		SurviveDisconnects: true,
 		DebugMux:           debugMux,
 	}
 	err = ipnserver.Run(ctx, logf, pol.PublicID.String(), ipnserver.FixedEngine(e), opts)
@@ -311,16 +312,16 @@ func run() error {
 	return nil
 }

-func createEngine(logf logger.Logf, linkMon *monitor.Mon) (e wgengine.Engine, useNetstack bool, err error) {
+func createEngine(logf logger.Logf, linkMon *monitor.Mon) (e wgengine.Engine, isUserspace bool, err error) {
 	if args.tunname == "" {
 		return nil, false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		e, useNetstack, err = tryEngine(logf, linkMon, name)
+		e, isUserspace, err = tryEngine(logf, linkMon, name)
 		if err == nil {
-			return e, useNetstack, nil
+			return e, isUserspace, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
@@ -328,36 +329,14 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon) (e wgengine.Engine, us
 	return nil, false, multierror.New(errs)
 }

-var wrapNetstack = shouldWrapNetstack()
-
-func shouldWrapNetstack() bool {
-	if e := os.Getenv("TS_DEBUG_WRAP_NETSTACK"); e != "" {
-		v, err := strconv.ParseBool(e)
-		if err != nil {
-			log.Fatalf("invalid TS_DEBUG_WRAP_NETSTACK value: %v", err)
-		}
-		return v
-	}
-	if distro.Get() == distro.Synology {
-		return true
-	}
-	switch runtime.GOOS {
-	case "windows", "darwin":
-		// Enable on Windows and tailscaled-on-macOS (this doesn't
-		// affect the GUI clients).
-		return true
-	}
-	return false
-}
-
-func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.Engine, useNetstack bool, err error) {
+func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.Engine, isUserspace bool, err error) {
 	conf := wgengine.Config{
 		ListenPort:  args.port,
 		LinkMonitor: linkMon,
 	}
-	useNetstack = name == "userspace-networking"
-	if !useNetstack {
-		dev, devName, err := tstun.New(logf, name)
+	isUserspace = name == "userspace-networking"
+	if !isUserspace {
+		dev, err := tstun.New(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name)
 			return nil, false, err
@@ -368,21 +347,13 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 			dev.Close()
 			return nil, false, err
 		}
-		d, err := dns.NewOSConfigurator(logf, devName)
-		if err != nil {
-			return nil, false, err
-		}
-		conf.DNS = d
 		conf.Router = r
-		if wrapNetstack {
-			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
-		}
 	}
 	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return nil, useNetstack, err
+		return nil, isUserspace, err
 	}
-	return e, useNetstack, nil
+	return e, isUserspace, nil
 }

 func newDebugMux() *http.ServeMux {
@@ -404,18 +375,3 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 		log.Fatal(err)
 	}
 }
-
-func mustStartNetstack(logf logger.Logf, e wgengine.Engine, onlySubnets bool) *netstack.Impl {
-	tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		log.Fatalf("%T is not a wgengine.InternalsGetter", e)
-	}
-	ns, err := netstack.Create(logf, tunDev, e, magicConn, onlySubnets)
-	if err != nil {
-		log.Fatalf("netstack.Create: %v", err)
-	}
-	if err := ns.Start(); err != nil {
-		log.Fatalf("failed to start netstack: %v", err)
-	}
-	return ns
-}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -30,13 +30,11 @@ import (
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
-	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
 	"tailscale.com/tempfork/wireguard-windows/firewall"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )

@@ -159,120 +157,86 @@ func beFirewallKillswitch() bool {

 func startIPNServer(ctx context.Context, logid string) error {
 	var logf logger.Logf = log.Printf
+	var eng wgengine.Engine
+	var err error

-	getEngineRaw := func() (wgengine.Engine, error) {
-		dev, devName, err := tstun.New(logf, "Tailscale")
+	getEngine := func() (wgengine.Engine, error) {
+		dev, err := tstun.New(logf, "Tailscale")
 		if err != nil {
-			return nil, fmt.Errorf("TUN: %w", err)
+			return nil, err
 		}
 		r, err := router.New(logf, dev)
 		if err != nil {
 			dev.Close()
-			return nil, fmt.Errorf("Router: %w", err)
-		}
-		if wrapNetstack {
-			r = netstack.NewSubnetRouterWrapper(r)
-		}
-		d, err := dns.NewOSConfigurator(logf, devName)
-		if err != nil {
-			r.Close()
-			dev.Close()
-			return nil, fmt.Errorf("DNS: %w", err)
+			return nil, err
 		}
 		eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 			Tun:        dev,
 			Router:     r,
-			DNS:        d,
 			ListenPort: 41641,
 		})
 		if err != nil {
 			r.Close()
 			dev.Close()
-			return nil, fmt.Errorf("Engine: %w", err)
-		}
-		onlySubnets := true
-		if wrapNetstack {
-			mustStartNetstack(logf, eng, onlySubnets)
+			return nil, err
 		}
 		return wgengine.NewWatchdog(eng), nil
 	}

-	type engineOrError struct {
-		Engine wgengine.Engine
-		Err    error
-	}
-	engErrc := make(chan engineOrError)
-	t0 := time.Now()
-	go func() {
-		const ms = time.Millisecond
-		for try := 1; ; try++ {
-			logf("tailscaled: getting engine... (try %v)", try)
-			t1 := time.Now()
-			eng, err := getEngineRaw()
-			d, dt := time.Since(t1).Round(ms), time.Since(t1).Round(ms)
+	if msg := os.Getenv("TS_DEBUG_WIN_FAIL"); msg != "" {
+		err = fmt.Errorf("pretending to be a service failure: %v", msg)
+	} else {
+		// We have a bunch of bug reports of wgengine.NewUserspaceEngine returning a few different errors,
+		// all intermittently. A few times I (Brad) have also seen sporadic failures that simply
+		// restarting fixed. So try a few times.
+		for try := 1; try <= 5; try++ {
+			if try > 1 {
+				// Only sleep a bit. Don't do some massive backoff because
+				// the frontend GUI has a 30 second timeout on connecting to us,
+				// but even 5 seconds is too long for them to get any results.
+				// 5 tries * 1 second each seems fine.
+				time.Sleep(time.Second)
+			}
+			eng, err = getEngine()
 			if err != nil {
-				logf("tailscaled: engine fetch error (try %v) in %v (total %v, sysUptime %v): %v",
-					try, d, dt, windowsUptime().Round(time.Second), err)
-			} else {
-				if try > 1 {
-					logf("tailscaled: got engine on try %v in %v (total %v)", try, d, dt)
-				} else {
-					logf("tailscaled: got engine in %v", d)
-				}
+				logf("wgengine.NewUserspaceEngine: (try %v) %v", try, err)
+				continue
 			}
-			timer := time.NewTimer(5 * time.Second)
-			engErrc <- engineOrError{eng, err}
-			if err == nil {
-				timer.Stop()
-				return
+			if try > 1 {
+				logf("wgengine.NewUserspaceEngine: ended up working on try %v", try)
 			}
-			<-timer.C
+			break
 		}
-	}()
-
+	}
+	if err != nil {
+		// Log the error, but don't fatalf. We want to
+		// propagate the error message to the UI frontend. So
+		// we continue and tell the ipnserver to return that
+		// in a Notify message.
+		logf("wgengine.NewUserspaceEngine: %v", err)
+	}
 	opts := ipnserver.Options{
 		Port:               41112,
 		SurviveDisconnects: false,
 		StatePath:          args.statepath,
 	}
-
-	// getEngine is called by ipnserver to get the engine. It's
-	// not called concurrently and is not called again once it
-	// successfully returns an engine.
-	getEngine := func() (wgengine.Engine, error) {
-		if msg := os.Getenv("TS_DEBUG_WIN_FAIL"); msg != "" {
-			return nil, fmt.Errorf("pretending to be a service failure: %v", msg)
-		}
-		for {
-			res := <-engErrc
-			if res.Engine != nil {
-				return res.Engine, nil
+	if err != nil {
+		// Return nicer errors to users, annotated with logids, which helps
+		// when they file bugs.
+		rawGetEngine := getEngine // raw == without verbose logid-containing error
+		getEngine = func() (wgengine.Engine, error) {
+			eng, err := rawGetEngine()
+			if err != nil {
+				return nil, fmt.Errorf("wgengine.NewUserspaceEngine: %v\n\nlogid: %v", err, logid)
 			}
-			if time.Since(t0) < time.Minute || windowsUptime() < 10*time.Minute {
-				// Ignore errors during early boot. Windows 10 auto logs in the GUI
-				// way sooner than the networking stack components start up.
-				// So the network will fail for a bit (and require a few tries) while
-				// the GUI is still fine.
-				continue
-			}
-			// Return nicer errors to users, annotated with logids, which helps
-			// when they file bugs.
-			return nil, fmt.Errorf("%w\n\nlogid: %v", res.Err, logid)
+			return eng, nil
 		}
+	} else {
+		getEngine = ipnserver.FixedEngine(eng)
 	}
-	err := ipnserver.Run(ctx, logf, logid, getEngine, opts)
+	err = ipnserver.Run(ctx, logf, logid, getEngine, opts)
 	if err != nil {
 		logf("ipnserver.Run: %v", err)
 	}
 	return err
 }
-
-var (
-	kernel32           = windows.NewLazySystemDLL("kernel32.dll")
-	getTickCount64Proc = kernel32.NewProc("GetTickCount64")
-)
-
-func windowsUptime() time.Duration {
-	r, _, _ := getTickCount64Proc.Call()
-	return time.Duration(int64(r)) * time.Millisecond
-}
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -100,22 +100,11 @@ func (s Status) String() string {
 }

 type LoginGoal struct {
-	_               structs.Incomparable
-	wantLoggedIn    bool                 // true if we *want* to be logged in
-	token           *tailcfg.Oauth2Token // oauth token to use when logging in
-	flags           LoginFlags           // flags to use when logging in
-	url             string               // auth url that needs to be visited
-	loggedOutResult chan<- error
-}
-
-func (g *LoginGoal) sendLogoutError(err error) {
-	if g.loggedOutResult == nil {
-		return
-	}
-	select {
-	case g.loggedOutResult <- err:
-	default:
-	}
+	_            structs.Incomparable
+	wantLoggedIn bool                 // true if we *want* to be logged in
+	token        *tailcfg.Oauth2Token // oauth token to use when logging in
+	flags        LoginFlags           // flags to use when logging in
+	url          string               // auth url that needs to be visited
 }

 // Client connects to a tailcontrol server for a node.
@@ -374,7 +363,6 @@ func (c *Client) authRoutine() {

 		if !goal.wantLoggedIn {
 			err := c.direct.TryLogout(ctx)
-			goal.sendLogoutError(err)
 			if err != nil {
 				report(err, "TryLogout")
 				bo.BackOff(ctx, err)
@@ -414,10 +402,9 @@ func (c *Client) authRoutine() {
 				report(err, f)
 				bo.BackOff(ctx, err)
 				continue
-			}
-			if url != "" {
+			} else if url != "" {
 				if goal.url != "" {
-					err = fmt.Errorf("[unexpected] server required a new URL?")
+					err = fmt.Errorf("weird: server required a new url?")
 					report(err, "WaitLoginURL")
 				}

@@ -603,7 +590,6 @@ func (c *Client) AuthCantContinue() bool {
 	return !c.loggedIn && (c.loginGoal == nil || c.loginGoal.url != "")
 }

-// SetStatusFunc sets fn as the callback to run on any status change.
 func (c *Client) SetStatusFunc(fn func(Status)) {
 	c.mu.Lock()
 	c.statusFunc = fn
@@ -695,50 +681,19 @@ func (c *Client) Login(t *tailcfg.Oauth2Token, flags LoginFlags) {
 	c.cancelAuth()
 }

-func (c *Client) StartLogout() {
-	c.logf("client.StartLogout()")
+func (c *Client) Logout() {
+	c.logf("client.Logout()")

 	c.mu.Lock()
 	c.loginGoal = &LoginGoal{
 		wantLoggedIn: false,
 	}
 	c.mu.Unlock()
+
 	c.cancelAuth()
 }

-func (c *Client) Logout(ctx context.Context) error {
-	c.logf("client.Logout()")
-
-	errc := make(chan error, 1)
-
-	c.mu.Lock()
-	c.loginGoal = &LoginGoal{
-		wantLoggedIn:    false,
-		loggedOutResult: errc,
-	}
-	c.mu.Unlock()
-	c.cancelAuth()
-
-	timer := time.NewTimer(10 * time.Second)
-	defer timer.Stop()
-	select {
-	case err := <-errc:
-		return err
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-timer.C:
-		return context.DeadlineExceeded
-	}
-}
-
-// UpdateEndpoints sets the client's discovered endpoints and sends
-// them to the control server if they've changed.
-//
-// It does not retain the provided slice.
-//
-// The localPort field is unused except for integration tests in
-// another repo.
-func (c *Client) UpdateEndpoints(localPort uint16, endpoints []tailcfg.Endpoint) {
+func (c *Client) UpdateEndpoints(localPort uint16, endpoints []string) {
 	changed := c.direct.SetEndpoints(localPort, endpoints)
 	if changed {
 		c.sendNewMapRequest()
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -23,6 +23,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"runtime"
+	"sort"
 	"strconv"
 	"strings"
 	"sync"
@@ -45,9 +46,9 @@ import (
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
+	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/monitor"
 )

@@ -62,10 +63,9 @@ type Direct struct {
 	logf                   logger.Logf
 	linkMon                *monitor.Mon // or nil
 	discoPubKey            tailcfg.DiscoKey
-	getMachinePrivKey      func() (wgkey.Private, error)
+	machinePrivKey         wgkey.Private
 	debugFlags             []string
 	keepSharerAndUserSplit bool
-	skipIPForwardingCheck  bool

 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -75,34 +75,29 @@ type Direct struct {
 	expiry       *time.Time
 	// hostinfo is mutated in-place while mu is held.
 	hostinfo      *tailcfg.Hostinfo // always non-nil
-	endpoints     []tailcfg.Endpoint
+	endpoints     []string
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
 }

 type Options struct {
-	Persist              persist.Persist               // initial persistent data
-	GetMachinePrivateKey func() (wgkey.Private, error) // returns the machine key to use
-	ServerURL            string                        // URL of the tailcontrol server
-	AuthKey              string                        // optional node auth key for auto registration
-	TimeNow              func() time.Time              // time.Now implementation used by Client
-	Hostinfo             *tailcfg.Hostinfo             // non-nil passes ownership, nil means to use default using os.Hostname, etc
-	DiscoPublicKey       tailcfg.DiscoKey
-	NewDecompressor      func() (Decompressor, error)
-	KeepAlive            bool
-	Logf                 logger.Logf
-	HTTPTestClient       *http.Client // optional HTTP client to use (for tests only)
-	DebugFlags           []string     // debug settings to send to control
-	LinkMonitor          *monitor.Mon // optional link monitor
+	Persist           persist.Persist   // initial persistent data
+	MachinePrivateKey wgkey.Private     // the machine key to use
+	ServerURL         string            // URL of the tailcontrol server
+	AuthKey           string            // optional node auth key for auto registration
+	TimeNow           func() time.Time  // time.Now implementation used by Client
+	Hostinfo          *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	DiscoPublicKey    tailcfg.DiscoKey
+	NewDecompressor   func() (Decompressor, error)
+	KeepAlive         bool
+	Logf              logger.Logf
+	HTTPTestClient    *http.Client // optional HTTP client to use (for tests only)
+	DebugFlags        []string     // debug settings to send to control
+	LinkMonitor       *monitor.Mon // optional link monitor

 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
 	KeepSharerAndUserSplit bool
-
-	// SkipIPForwardingCheck declares that the host's IP
-	// forwarding works and should not be double-checked by the
-	// controlclient package.
-	SkipIPForwardingCheck bool
 }

 type Decompressor interface {
@@ -115,8 +110,8 @@ func NewDirect(opts Options) (*Direct, error) {
 	if opts.ServerURL == "" {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
-	if opts.GetMachinePrivateKey == nil {
-		return nil, errors.New("controlclient.New: no GetMachinePrivateKey specified")
+	if opts.MachinePrivateKey.IsZero() {
+		return nil, errors.New("controlclient.New: no MachinePrivateKey specified")
 	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
 	serverURL, err := url.Parse(opts.ServerURL)
@@ -143,7 +138,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), tr.TLSClientConfig)
+		tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
 		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
 		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
@@ -152,7 +147,7 @@ func NewDirect(opts Options) (*Direct, error) {

 	c := &Direct{
 		httpc:                  httpc,
-		getMachinePrivKey:      opts.GetMachinePrivateKey,
+		machinePrivKey:         opts.MachinePrivateKey,
 		serverURL:              opts.ServerURL,
 		timeNow:                opts.TimeNow,
 		logf:                   opts.Logf,
@@ -164,7 +159,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		debugFlags:             opts.DebugFlags,
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
-		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -178,7 +172,6 @@ var osVersion func() string // non-nil on some platforms

 func NewHostinfo() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
-	hostname = dnsname.FirstLabel(hostname)
 	var osv string
 	if osVersion != nil {
 		osv = osVersion()
@@ -261,50 +254,40 @@ const (
 func (c *Direct) TryLogout(ctx context.Context) error {
 	c.logf("direct.TryLogout()")

-	mustRegen, newURL, err := c.doLogin(ctx, loginOpt{Logout: true})
-	c.logf("TryLogout control response: mustRegen=%v, newURL=%v, err=%v", mustRegen, newURL, err)
-
 	c.mu.Lock()
-	c.persist = persist.Persist{}
-	c.mu.Unlock()
+	defer c.mu.Unlock()

-	return err
+	// TODO(crawshaw): Tell the server. This node key should be
+	// immediately invalidated.
+	//if !c.persist.PrivateNodeKey.IsZero() {
+	//}
+	c.persist = persist.Persist{}
+	return nil
 }

 func (c *Direct) TryLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags) (url string, err error) {
 	c.logf("direct.TryLogin(token=%v, flags=%v)", t != nil, flags)
-	return c.doLoginOrRegen(ctx, loginOpt{Token: t, Flags: flags})
+	return c.doLoginOrRegen(ctx, t, flags, false, "")
 }

-// WaitLoginURL sits in a long poll waiting for the user to authenticate at url.
-//
-// On success, newURL and err will both be nil.
-func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newURL string, err error) {
+func (c *Direct) WaitLoginURL(ctx context.Context, url string) (newUrl string, err error) {
 	c.logf("direct.WaitLoginURL")
-	return c.doLoginOrRegen(ctx, loginOpt{URL: url})
+	return c.doLoginOrRegen(ctx, nil, LoginDefault, false, url)
 }

-func (c *Direct) doLoginOrRegen(ctx context.Context, opt loginOpt) (newURL string, err error) {
-	mustRegen, url, err := c.doLogin(ctx, opt)
+func (c *Direct) doLoginOrRegen(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags, regen bool, url string) (newUrl string, err error) {
+	mustregen, url, err := c.doLogin(ctx, t, flags, regen, url)
 	if err != nil {
 		return url, err
 	}
-	if mustRegen {
-		opt.Regen = true
-		_, url, err = c.doLogin(ctx, opt)
+	if mustregen {
+		_, url, err = c.doLogin(ctx, t, flags, true, url)
 	}
+
 	return url, err
 }

-type loginOpt struct {
-	Token  *tailcfg.Oauth2Token
-	Flags  LoginFlags
-	Regen  bool
-	URL    string
-	Logout bool
-}
-
-func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
+func (c *Direct) doLogin(ctx context.Context, t *tailcfg.Oauth2Token, flags LoginFlags, regen bool, url string) (mustregen bool, newurl string, err error) {
 	c.mu.Lock()
 	persist := c.persist
 	tryingNewKey := c.tryingNewKey
@@ -315,35 +298,26 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()

-	machinePrivKey, err := c.getMachinePrivKey()
-	if err != nil {
-		return false, "", fmt.Errorf("getMachinePrivKey: %w", err)
-	}
-	if machinePrivKey.IsZero() {
-		return false, "", errors.New("getMachinePrivKey returned zero key")
+	if c.machinePrivKey.IsZero() {
+		return false, "", errors.New("controlclient.Direct requires a machine private key")
 	}

-	regen := opt.Regen
-	if opt.Logout {
-		c.logf("logging out...")
-	} else {
-		if expired {
-			c.logf("Old key expired -> regen=true")
-			systemd.Status("key expired; run 'tailscale up' to authenticate")
-			regen = true
-		}
-		if (opt.Flags & LoginInteractive) != 0 {
-			c.logf("LoginInteractive -> regen=true")
-			regen = true
-		}
+	if expired {
+		c.logf("Old key expired -> regen=true")
+		systemd.Status("key expired; run 'tailscale up' to authenticate")
+		regen = true
+	}
+	if (flags & LoginInteractive) != 0 {
+		c.logf("LoginInteractive -> regen=true")
+		regen = true
 	}

-	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
+	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, url != "")
 	if serverKey.IsZero() {
 		var err error
 		serverKey, err = loadServerKey(ctx, c.httpc, c.serverURL)
 		if err != nil {
-			return regen, opt.URL, err
+			return regen, url, err
 		}

 		c.mu.Lock()
@@ -352,21 +326,17 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}

 	var oldNodeKey wgkey.Key
-	switch {
-	case opt.Logout:
-		tryingNewKey = persist.PrivateNodeKey
-	case opt.URL != "":
-		// Nothing.
-	case regen || persist.PrivateNodeKey.IsZero():
+	if url != "" {
+	} else if regen || persist.PrivateNodeKey.IsZero() {
 		c.logf("Generating a new nodekey.")
 		persist.OldPrivateNodeKey = persist.PrivateNodeKey
 		key, err := wgkey.NewPrivate()
 		if err != nil {
 			c.logf("login keygen: %v", err)
-			return regen, opt.URL, err
+			return regen, url, err
 		}
 		tryingNewKey = key
-	default:
+	} else {
 		// Try refreshing the current key first
 		tryingNewKey = persist.PrivateNodeKey
 	}
@@ -375,14 +345,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	}

 	if tryingNewKey.IsZero() {
-		if opt.Logout {
-			return false, "", errors.New("no nodekey to log out")
-		}
 		log.Fatalf("tryingNewKey is empty, give up")
 	}
 	if backendLogID == "" {
 		err = errors.New("hostinfo: BackendLogID missing")
-		return regen, opt.URL, err
+		return regen, url, err
 	}
 	now := time.Now().Round(time.Second)
 	request := tailcfg.RegisterRequest{
@@ -390,20 +357,17 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		OldNodeKey: tailcfg.NodeKey(oldNodeKey),
 		NodeKey:    tailcfg.NodeKey(tryingNewKey.Public()),
 		Hostinfo:   hostinfo,
-		Followup:   opt.URL,
+		Followup:   url,
 		Timestamp:  &now,
 	}
-	if opt.Logout {
-		request.Expiry = time.Unix(123, 0) // far in the past
-	}
 	c.logf("RegisterReq: onode=%v node=%v fup=%v",
 		request.OldNodeKey.ShortString(),
-		request.NodeKey.ShortString(), opt.URL != "")
-	request.Auth.Oauth2Token = opt.Token
+		request.NodeKey.ShortString(), url != "")
+	request.Auth.Oauth2Token = t
 	request.Auth.Provider = persist.Provider
 	request.Auth.LoginName = persist.LoginName
 	request.Auth.AuthKey = authKey
-	err = signRegisterRequest(&request, c.serverURL, c.serverKey, machinePrivKey.Public())
+	err = signRegisterRequest(&request, c.serverURL, c.serverKey, c.machinePrivKey.Public())
 	if err != nil {
 		// If signing failed, clear all related fields
 		request.SignatureType = tailcfg.SignatureNone
@@ -417,44 +381,34 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			c.logf("RegisterReq sign error: %v", err)
 		}
 	}
-	if debugRegister {
-		j, _ := json.MarshalIndent(request, "", "\t")
-		c.logf("RegisterRequest: %s", j)
-	}
-
-	bodyData, err := encode(request, &serverKey, &machinePrivKey)
+	bodyData, err := encode(request, &serverKey, &c.machinePrivKey)
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, url, err
 	}
 	body := bytes.NewReader(bodyData)

-	u := fmt.Sprintf("%s/machine/%s", c.serverURL, machinePrivKey.Public().HexString())
+	u := fmt.Sprintf("%s/machine/%s", c.serverURL, c.machinePrivKey.Public().HexString())
 	req, err := http.NewRequest("POST", u, body)
 	if err != nil {
-		return regen, opt.URL, err
+		return regen, url, err
 	}
 	req = req.WithContext(ctx)

 	res, err := c.httpc.Do(req)
 	if err != nil {
-		return regen, opt.URL, fmt.Errorf("register request: %v", err)
+		return regen, url, fmt.Errorf("register request: %v", err)
 	}
 	if res.StatusCode != 200 {
 		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
-		return regen, opt.URL, fmt.Errorf("register request: http %d: %.200s",
+		return regen, url, fmt.Errorf("register request: http %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	resp := tailcfg.RegisterResponse{}
-	if err := decode(res, &resp, &serverKey, &machinePrivKey); err != nil {
-		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return regen, opt.URL, fmt.Errorf("register request: %v", err)
+	if err := decode(res, &resp, &serverKey, &c.machinePrivKey); err != nil {
+		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, c.machinePrivKey.Public(), err)
+		return regen, url, fmt.Errorf("register request: %v", err)
 	}
-	if debugRegister {
-		j, _ := json.MarshalIndent(resp, "", "\t")
-		c.logf("RegisterResponse: %s", j)
-	}
-
 	// Log without PII:
 	c.logf("RegisterReq: got response; nodeKeyExpired=%v, machineAuthorized=%v; authURL=%v",
 		resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
@@ -506,7 +460,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	return false, resp.AuthURL, nil
 }

-func sameEndpoints(a, b []tailcfg.Endpoint) bool {
+func sameStrings(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
 	}
@@ -522,19 +476,15 @@ func sameEndpoints(a, b []tailcfg.Endpoint) bool {
 // whether they've changed.
 //
 // It does not retain the provided slice.
-func (c *Direct) newEndpoints(localPort uint16, endpoints []tailcfg.Endpoint) (changed bool) {
+func (c *Direct) newEndpoints(localPort uint16, endpoints []string) (changed bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()

 	// Nothing new?
-	if c.localPort == localPort && sameEndpoints(c.endpoints, endpoints) {
+	if c.localPort == localPort && sameStrings(c.endpoints, endpoints) {
 		return false // unchanged
 	}
-	var epStrs []string
-	for _, ep := range endpoints {
-		epStrs = append(epStrs, ep.Addr.String())
-	}
-	c.logf("client.newEndpoints(%v, %v)", localPort, epStrs)
+	c.logf("client.newEndpoints(%v, %v)", localPort, endpoints)
 	c.localPort = localPort
 	c.endpoints = append(c.endpoints[:0], endpoints...)
 	if len(endpoints) > 0 {
@@ -546,7 +496,7 @@ func (c *Direct) newEndpoints(localPort uint16, endpoints []tailcfg.Endpoint) (c
 // SetEndpoints updates the list of locally advertised endpoints.
 // It won't be replicated to the server until a *fresh* call to PollNetMap().
 // You don't need to restart PollNetMap if we return changed==false.
-func (c *Direct) SetEndpoints(localPort uint16, endpoints []tailcfg.Endpoint) (changed bool) {
+func (c *Direct) SetEndpoints(localPort uint16, endpoints []string) (changed bool) {
 	// (no log message on function entry, because it clutters the logs
 	//  if endpoints haven't changed. newEndpoints() will log it.)
 	return c.newEndpoints(localPort, endpoints)
@@ -579,23 +529,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	hostinfo := c.hostinfo.Clone()
 	backendLogID := hostinfo.BackendLogID
 	localPort := c.localPort
-	var epStrs []string
-	var epTypes []tailcfg.EndpointType
-	for _, ep := range c.endpoints {
-		epStrs = append(epStrs, ep.Addr.String())
-		epTypes = append(epTypes, ep.Type)
-	}
+	ep := append([]string(nil), c.endpoints...)
 	everEndpoints := c.everEndpoints
 	c.mu.Unlock()

-	machinePrivKey, err := c.getMachinePrivKey()
-	if err != nil {
-		return fmt.Errorf("getMachinePrivKey: %w", err)
-	}
-	if machinePrivKey.IsZero() {
-		return errors.New("getMachinePrivKey returned zero key")
-	}
-
 	if persist.PrivateNodeKey.IsZero() {
 		return errors.New("privateNodeKey is zero")
 	}
@@ -604,7 +541,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	}

 	allowStream := maxPolls != 1
-	c.logf("[v1] PollNetMap: stream=%v :%v ep=%v", allowStream, localPort, epStrs)
+	c.logf("[v1] PollNetMap: stream=%v :%v ep=%v", allowStream, localPort, ep)

 	vlogf := logger.Discard
 	if Debug.NetMap {
@@ -614,20 +551,18 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	}

 	request := &tailcfg.MapRequest{
-		Version:       tailcfg.CurrentMapRequestVersion,
-		KeepAlive:     c.keepAlive,
-		NodeKey:       tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
-		DiscoKey:      c.discoPubKey,
-		Endpoints:     epStrs,
-		EndpointTypes: epTypes,
-		Stream:        allowStream,
-		Hostinfo:      hostinfo,
-		DebugFlags:    c.debugFlags,
-		OmitPeers:     cb == nil,
+		Version:    tailcfg.CurrentMapRequestVersion,
+		KeepAlive:  c.keepAlive,
+		NodeKey:    tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
+		DiscoKey:   c.discoPubKey,
+		Endpoints:  ep,
+		Stream:     allowStream,
+		Hostinfo:   hostinfo,
+		DebugFlags: c.debugFlags,
+		OmitPeers:  cb == nil,
 	}
 	var extraDebugFlags []string
-	if hostinfo != nil && c.linkMon != nil && !c.skipIPForwardingCheck &&
-		ipForwardingBroken(hostinfo.RoutableIPs, c.linkMon.InterfaceState()) {
+	if hostinfo != nil && c.linkMon != nil && ipForwardingBroken(hostinfo.RoutableIPs, c.linkMon.InterfaceState()) {
 		extraDebugFlags = append(extraDebugFlags, "warn-ip-forwarding-off")
 	}
 	if health.RouterHealth() != nil {
@@ -651,11 +586,11 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	// TODO(bradfitz): we skip this optimization in tests, though,
 	// because the e2e tests are currently hyperspecific about the
 	// ordering of things. The e2e tests need love.
-	if len(epStrs) == 0 && !everEndpoints && !inTest() {
+	if len(ep) == 0 && !everEndpoints && !inTest() {
 		request.ReadOnly = true
 	}

-	bodyData, err := encode(request, &serverKey, &machinePrivKey)
+	bodyData, err := encode(request, &serverKey, &c.machinePrivKey)
 	if err != nil {
 		vlogf("netmap: encode: %v", err)
 		return err
@@ -664,7 +599,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

-	machinePubKey := tailcfg.MachineKey(machinePrivKey.Public())
+	machinePubKey := tailcfg.MachineKey(c.machinePrivKey.Public())
 	t0 := time.Now()
 	u := fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.HexString())

@@ -727,11 +662,10 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		}
 	}()

-	sess := newMapSession(persist.PrivateNodeKey)
-	sess.logf = c.logf
-	sess.vlogf = vlogf
-	sess.machinePubKey = machinePubKey
-	sess.keepSharerAndUserSplit = c.keepSharerAndUserSplit
+	var lastDERPMap *tailcfg.DERPMap
+	var lastUserProfile = map[tailcfg.UserID]tailcfg.UserProfile{}
+	var lastParsedPacketFilter []filter.Match
+	var collectServices bool

 	// If allowStream, then the server will use an HTTP long poll to
 	// return incremental results. There is always one response right
@@ -740,6 +674,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	// the same format before just closing the connection.
 	// We can use this same read loop either way.
 	var msg []byte
+	var previousPeers []*tailcfg.Node // for delta-purposes
 	for i := 0; i < maxPolls || maxPolls < 0; i++ {
 		vlogf("netmap: starting size read after %v (poll %v)", time.Since(t0).Round(time.Millisecond), i)
 		var siz [4]byte
@@ -757,7 +692,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		vlogf("netmap: read body after %v", time.Since(t0).Round(time.Millisecond))

 		var resp tailcfg.MapResponse
-		if err := c.decodeMsg(msg, &resp, &machinePrivKey); err != nil {
+		if err := c.decodeMsg(msg, &resp); err != nil {
 			vlogf("netmap: decode error: %v")
 			return err
 		}
@@ -786,6 +721,16 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			continue
 		}

+		undeltaPeers(&resp, previousPeers)
+		previousPeers = cloneNodes(resp.Peers) // defensive/lazy clone, since this escapes to who knows where
+		for _, up := range resp.UserProfiles {
+			lastUserProfile[up.ID] = up
+		}
+
+		if resp.DERPMap != nil {
+			vlogf("netmap: new map contains DERP map")
+			lastDERPMap = resp.DERPMap
+		}
 		if resp.Debug != nil {
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
@@ -796,34 +741,17 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			setControlAtomic(&controlUseDERPRoute, resp.Debug.DERPRoute)
 			setControlAtomic(&controlTrimWGConfig, resp.Debug.TrimWGConfig)
 		}
-
-		nm := sess.netmapForResponse(&resp)
-		if nm.SelfNode == nil {
-			c.logf("MapResponse lacked node")
-			return errors.New("MapResponse lacked node")
-		}
-
 		// Temporarily (2020-06-29) support removing all but
 		// discovery-supporting nodes during development, for
 		// less noise.
 		if Debug.OnlyDisco {
-			anyOld, numDisco := false, 0
-			for _, p := range nm.Peers {
-				if p.DiscoKey.IsZero() {
-					anyOld = true
-				} else {
-					numDisco++
+			filtered := resp.Peers[:0]
+			for _, p := range resp.Peers {
+				if !p.DiscoKey.IsZero() {
+					filtered = append(filtered, p)
 				}
 			}
-			if anyOld {
-				filtered := make([]*tailcfg.Node, 0, numDisco)
-				for _, p := range nm.Peers {
-					if !p.DiscoKey.IsZero() {
-						filtered = append(filtered, p)
-					}
-				}
-				nm.Peers = filtered
-			}
+			resp.Peers = filtered
 		}
 		if Debug.StripEndpoints {
 			for _, p := range resp.Peers {
@@ -833,8 +761,13 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 				p.Endpoints = []string{"127.9.9.9:456"}
 			}
 		}
-		if Debug.StripCaps {
-			nm.SelfNode.Capabilities = nil
+
+		if pf := resp.PacketFilter; pf != nil {
+			lastParsedPacketFilter = c.parsePacketFilter(pf)
+		}
+
+		if v, ok := resp.CollectServices.Get(); ok {
+			collectServices = v
 		}

 		// Get latest localPort. This might've changed if
@@ -842,9 +775,67 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		// the end-to-end test.
 		// TODO(bradfitz): remove the NetworkMap.LocalPort field entirely.
 		c.mu.Lock()
-		nm.LocalPort = c.localPort
+		localPort = c.localPort
 		c.mu.Unlock()

+		nm := &netmap.NetworkMap{
+			SelfNode:        resp.Node,
+			NodeKey:         tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
+			PrivateKey:      persist.PrivateNodeKey,
+			MachineKey:      machinePubKey,
+			Expiry:          resp.Node.KeyExpiry,
+			Name:            resp.Node.Name,
+			Addresses:       resp.Node.Addresses,
+			Peers:           resp.Peers,
+			LocalPort:       localPort,
+			User:            resp.Node.User,
+			UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
+			Domain:          resp.Domain,
+			DNS:             resp.DNSConfig,
+			Hostinfo:        resp.Node.Hostinfo,
+			PacketFilter:    lastParsedPacketFilter,
+			CollectServices: collectServices,
+			DERPMap:         lastDERPMap,
+			Debug:           resp.Debug,
+		}
+		addUserProfile := func(userID tailcfg.UserID) {
+			if _, dup := nm.UserProfiles[userID]; dup {
+				// Already populated it from a previous peer.
+				return
+			}
+			if up, ok := lastUserProfile[userID]; ok {
+				nm.UserProfiles[userID] = up
+			}
+		}
+		addUserProfile(nm.User)
+		magicDNSSuffix := nm.MagicDNSSuffix()
+		nm.SelfNode.InitDisplayNames(magicDNSSuffix)
+		for _, peer := range resp.Peers {
+			peer.InitDisplayNames(magicDNSSuffix)
+			if !peer.Sharer.IsZero() {
+				if c.keepSharerAndUserSplit {
+					addUserProfile(peer.Sharer)
+				} else {
+					peer.User = peer.Sharer
+				}
+			}
+			addUserProfile(peer.User)
+		}
+		if resp.Node.MachineAuthorized {
+			nm.MachineStatus = tailcfg.MachineAuthorized
+		} else {
+			nm.MachineStatus = tailcfg.MachineUnauthorized
+		}
+		if len(resp.DNS) > 0 {
+			nm.DNS.Nameservers = resp.DNS
+		}
+		if len(resp.SearchPaths) > 0 {
+			nm.DNS.Domains = resp.SearchPaths
+		}
+		if Debug.ProxyDNS {
+			nm.DNS.Proxied = true
+		}
+
 		// Printing the netmap can be extremely verbose, but is very
 		// handy for debugging. Let's limit how often we do it.
 		// Code elsewhere prints netmap diffs every time, so this
@@ -880,19 +871,16 @@ func decode(res *http.Response, v interface{}, serverKey *wgkey.Key, mkey *wgkey
 	return decodeMsg(msg, v, serverKey, mkey)
 }

-var (
-	debugMap, _      = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
-	debugRegister, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_REGISTER"))
-)
+var debugMap, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))

 var jsonEscapedZero = []byte(`\u0000`)

-func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey *wgkey.Private) error {
+func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 	c.mu.Lock()
 	serverKey := c.serverKey
 	c.mu.Unlock()

-	decrypted, err := decryptMsg(msg, &serverKey, machinePrivKey)
+	decrypted, err := decryptMsg(msg, &serverKey, &c.machinePrivKey)
 	if err != nil {
 		return err
 	}
@@ -926,8 +914,8 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey *wgkey.Priv

 }

-func decodeMsg(msg []byte, v interface{}, serverKey *wgkey.Key, machinePrivKey *wgkey.Private) error {
-	decrypted, err := decryptMsg(msg, serverKey, machinePrivKey)
+func decodeMsg(msg []byte, v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) error {
+	decrypted, err := decryptMsg(msg, serverKey, mkey)
 	if err != nil {
 		return err
 	}
@@ -1010,7 +998,6 @@ type debug struct {
 	OnlyDisco      bool
 	Disco          bool
 	StripEndpoints bool // strip endpoints from control (only use disco messages)
-	StripCaps      bool // strip all local node's control-provided capabilities
 }

 func initDebug() debug {
@@ -1019,7 +1006,6 @@ func initDebug() debug {
 		NetMap:         envBool("TS_DEBUG_NETMAP"),
 		ProxyDNS:       envBool("TS_DEBUG_PROXY_DNS"),
 		StripEndpoints: envBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envBool("TS_DEBUG_STRIP_CAPS"),
 		OnlyDisco:      use == "only",
 		Disco:          use == "only" || use == "" || envBool("TS_DEBUG_USE_DISCO"),
 	}
@@ -1037,7 +1023,117 @@ func envBool(k string) bool {
 	return v
 }

-var clockNow = time.Now
+// undeltaPeers updates mapRes.Peers to be complete based on the provided previous peer list
+// and the PeersRemoved and PeersChanged fields in mapRes.
+// It then also nils out the delta fields.
+func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
+	if len(mapRes.Peers) > 0 {
+		// Not delta encoded.
+		if !nodesSorted(mapRes.Peers) {
+			log.Printf("netmap: undeltaPeers: MapResponse.Peers not sorted; sorting")
+			sortNodes(mapRes.Peers)
+		}
+		return
+	}
+
+	var removed map[tailcfg.NodeID]bool
+	if pr := mapRes.PeersRemoved; len(pr) > 0 {
+		removed = make(map[tailcfg.NodeID]bool, len(pr))
+		for _, id := range pr {
+			removed[id] = true
+		}
+	}
+	changed := mapRes.PeersChanged
+
+	if len(removed) == 0 && len(changed) == 0 {
+		// No changes fast path.
+		mapRes.Peers = prev
+		return
+	}
+
+	if !nodesSorted(changed) {
+		log.Printf("netmap: undeltaPeers: MapResponse.PeersChanged not sorted; sorting")
+		sortNodes(changed)
+	}
+	if !nodesSorted(prev) {
+		// Internal error (unrelated to the network) if we get here.
+		log.Printf("netmap: undeltaPeers: [unexpected] prev not sorted; sorting")
+		sortNodes(prev)
+	}
+
+	newFull := make([]*tailcfg.Node, 0, len(prev)-len(removed))
+	for len(prev) > 0 && len(changed) > 0 {
+		pID := prev[0].ID
+		cID := changed[0].ID
+		if removed[pID] {
+			prev = prev[1:]
+			continue
+		}
+		switch {
+		case pID < cID:
+			newFull = append(newFull, prev[0])
+			prev = prev[1:]
+		case pID == cID:
+			newFull = append(newFull, changed[0])
+			prev, changed = prev[1:], changed[1:]
+		case cID < pID:
+			newFull = append(newFull, changed[0])
+			changed = changed[1:]
+		}
+	}
+	newFull = append(newFull, changed...)
+	for _, n := range prev {
+		if !removed[n.ID] {
+			newFull = append(newFull, n)
+		}
+	}
+	sortNodes(newFull)
+
+	if mapRes.PeerSeenChange != nil {
+		peerByID := make(map[tailcfg.NodeID]*tailcfg.Node, len(newFull))
+		for _, n := range newFull {
+			peerByID[n.ID] = n
+		}
+		now := time.Now()
+		for nodeID, seen := range mapRes.PeerSeenChange {
+			if n, ok := peerByID[nodeID]; ok {
+				if seen {
+					n.LastSeen = &now
+				} else {
+					n.LastSeen = nil
+				}
+			}
+		}
+	}
+
+	mapRes.Peers = newFull
+	mapRes.PeersChanged = nil
+	mapRes.PeersRemoved = nil
+}
+
+func nodesSorted(v []*tailcfg.Node) bool {
+	for i, n := range v {
+		if i > 0 && n.ID <= v[i-1].ID {
+			return false
+		}
+	}
+	return true
+}
+
+func sortNodes(v []*tailcfg.Node) {
+	sort.Slice(v, func(i, j int) bool { return v[i].ID < v[j].ID })
+}
+
+func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
+	if v1 == nil {
+		return nil
+	}
+	v2 := make([]*tailcfg.Node, len(v1))
+	for i, n := range v1 {
+		v2[i] = n.Clone()
+	}
+	return v2
+}

 // opt.Bool configs from control.
 var (
@@ -1070,11 +1166,6 @@ func TrimWGConfig() opt.Bool {
 // and will definitely not work for the routes provided.
 //
 // It should not return false positives.
-//
-// TODO(bradfitz): merge this code into LocalBackend.CheckIPForwarding
-// and change controlclient.Options.SkipIPForwardingCheck into a
-// func([]netaddr.IPPrefix) error signature instead. Then we only have
-// one copy of this code.
 func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool {
 	if len(routes) == 0 {
 		// Nothing to route, so no need to warn.
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -6,13 +6,94 @@ package controlclient

 import (
 	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
 	"testing"

-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 )

+func TestUndeltaPeers(t *testing.T) {
+	n := func(id tailcfg.NodeID, name string) *tailcfg.Node {
+		return &tailcfg.Node{ID: id, Name: name}
+	}
+	peers := func(nv ...*tailcfg.Node) []*tailcfg.Node { return nv }
+	tests := []struct {
+		name   string
+		mapRes *tailcfg.MapResponse
+		prev   []*tailcfg.Node
+		want   []*tailcfg.Node
+	}{
+		{
+			name: "full_peers",
+			mapRes: &tailcfg.MapResponse{
+				Peers: peers(n(1, "foo"), n(2, "bar")),
+			},
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "full_peers_ignores_deltas",
+			mapRes: &tailcfg.MapResponse{
+				Peers:        peers(n(1, "foo"), n(2, "bar")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo"), n(2, "bar")),
+		},
+		{
+			name: "add_and_update",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(0, "zero"), n(2, "bar2"), n(3, "three")),
+			},
+			want: peers(n(0, "zero"), n(1, "foo"), n(2, "bar2"), n(3, "three")),
+		},
+		{
+			name: "remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersRemoved: []tailcfg.NodeID{1},
+			},
+			want: peers(n(2, "bar")),
+		},
+		{
+			name: "add_and_remove",
+			prev: peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChanged: peers(n(1, "foo2")),
+				PeersRemoved: []tailcfg.NodeID{2},
+			},
+			want: peers(n(1, "foo2")),
+		},
+		{
+			name:   "unchanged",
+			prev:   peers(n(1, "foo"), n(2, "bar")),
+			mapRes: &tailcfg.MapResponse{},
+			want:   peers(n(1, "foo"), n(2, "bar")),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			undeltaPeers(tt.mapRes, tt.prev)
+			if !reflect.DeepEqual(tt.mapRes.Peers, tt.want) {
+				t.Errorf("wrong results\n got: %s\nwant: %s", formatNodes(tt.mapRes.Peers), formatNodes(tt.want))
+			}
+		})
+	}
+}
+
+func formatNodes(nodes []*tailcfg.Node) string {
+	var sb strings.Builder
+	for i, n := range nodes {
+		if i > 0 {
+			sb.WriteString(", ")
+		}
+		fmt.Fprintf(&sb, "(%d, %q)", n.ID, n.Name)
+	}
+	return sb.String()
+}
+
 func TestNewDirect(t *testing.T) {
 	hi := NewHostinfo()
 	ni := tailcfg.NetInfo{LinkType: "wired"}
@@ -22,13 +103,7 @@ func TestNewDirect(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	opts := Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (wgkey.Private, error) {
-			return key, nil
-		},
-	}
+	opts := Options{ServerURL: "https://example.com", MachinePrivateKey: key, Hostinfo: hi}
 	c, err := NewDirect(opts)
 	if err != nil {
 		t.Fatal(err)
@@ -63,7 +138,7 @@ func TestNewDirect(t *testing.T) {
 		t.Errorf("c.SetHostinfo(hi) want true got %v", changed)
 	}

-	endpoints := fakeEndpoints(1, 2, 3)
+	endpoints := []string{"1", "2", "3"}
 	changed = c.newEndpoints(12, endpoints)
 	if !changed {
 		t.Errorf("c.newEndpoints(12) want true got %v", changed)
@@ -76,22 +151,13 @@ func TestNewDirect(t *testing.T) {
 	if !changed {
 		t.Errorf("c.newEndpoints(13) want true got %v", changed)
 	}
-	endpoints = fakeEndpoints(4, 5, 6)
+	endpoints = []string{"4", "5", "6"}
 	changed = c.newEndpoints(13, endpoints)
 	if !changed {
 		t.Errorf("c.newEndpoints(13) want true got %v", changed)
 	}
 }

-func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
-	for _, port := range ports {
-		ret = append(ret, tailcfg.Endpoint{
-			Addr: netaddr.IPPort{Port: port},
-		})
-	}
-	return
-}
-
 func TestNewHostinfo(t *testing.T) {
 	hi := NewHostinfo()
 	if hi == nil {
--- a/control/controlclient/filter.go
+++ b/control/controlclient/filter.go
@@ -0,0 +1,20 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"tailscale.com/tailcfg"
+	"tailscale.com/wgengine/filter"
+)
+
+// Parse a backward-compatible FilterRule used by control's wire
+// format, producing the most current filter format.
+func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) []filter.Match {
+	mm, err := filter.MatchesFromFilterRules(pf)
+	if err != nil {
+		c.logf("parsePacketFilter: %s\n", err)
+	}
+	return mm
+}
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"os"
 	"strings"
 	"syscall"

@@ -59,9 +58,6 @@ func osVersionLinux() string {
 	if inContainer() {
 		attrBuf.WriteString("; container")
 	}
-	if inKnative() {
-		attrBuf.WriteString("; env=kn")
-	}
 	attr := attrBuf.String()

 	id := m["ID"]
@@ -103,21 +99,5 @@ func inContainer() (ret bool) {
 		}
 		return nil
 	})
-	lineread.File("/proc/mounts", func(line []byte) error {
-		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
-			ret = true
-			return io.EOF
-		}
-		return nil
-	})
 	return
 }
-
-func inKnative() bool {
-	// https://cloud.google.com/run/docs/reference/container-contract#env-vars
-	if os.Getenv("K_REVISION") != "" && os.Getenv("K_CONFIGURATION") != "" &&
-		os.Getenv("K_SERVICE") != "" && os.Getenv("PORT") != "" {
-		return true
-	}
-	return false
-}
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -1,282 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package controlclient
-
-import (
-	"log"
-	"sort"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
-	"tailscale.com/types/netmap"
-	"tailscale.com/types/wgkey"
-	"tailscale.com/wgengine/filter"
-)
-
-// mapSession holds the state over a long-polled "map" request to the
-// control plane.
-//
-// It accepts incremental tailcfg.MapResponse values to
-// netMapForResponse and returns fully inflated NetworkMaps, filling
-// in the omitted data implicit from prior MapResponse values from
-// within the same session (the same long-poll HTTP response to the
-// one MapRequest).
-type mapSession struct {
-	// Immutable fields.
-	privateNodeKey         wgkey.Private
-	logf                   logger.Logf
-	vlogf                  logger.Logf
-	machinePubKey          tailcfg.MachineKey
-	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
-
-	// Fields storing state over the the coards of multiple MapResponses.
-	lastNode               *tailcfg.Node
-	lastDNSConfig          *tailcfg.DNSConfig
-	lastDERPMap            *tailcfg.DERPMap
-	lastUserProfile        map[tailcfg.UserID]tailcfg.UserProfile
-	lastParsedPacketFilter []filter.Match
-	collectServices        bool
-	previousPeers          []*tailcfg.Node // for delta-purposes
-	lastDomain             string
-
-	// netMapBuilding is non-nil during a netmapForResponse call,
-	// containing the value to be returned, once fully populated.
-	netMapBuilding *netmap.NetworkMap
-}
-
-func newMapSession(privateNodeKey wgkey.Private) *mapSession {
-	ms := &mapSession{
-		privateNodeKey:  privateNodeKey,
-		logf:            logger.Discard,
-		vlogf:           logger.Discard,
-		lastDNSConfig:   new(tailcfg.DNSConfig),
-		lastUserProfile: map[tailcfg.UserID]tailcfg.UserProfile{},
-	}
-	return ms
-}
-
-func (ms *mapSession) addUserProfile(userID tailcfg.UserID) {
-	nm := ms.netMapBuilding
-	if _, dup := nm.UserProfiles[userID]; dup {
-		// Already populated it from a previous peer.
-		return
-	}
-	if up, ok := ms.lastUserProfile[userID]; ok {
-		nm.UserProfiles[userID] = up
-	}
-}
-
-// netmapForResponse returns a fully populated NetworkMap from a full
-// or incremental MapResponse within the session, filling in omitted
-// information from prior MapResponse values.
-func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.NetworkMap {
-	undeltaPeers(resp, ms.previousPeers)
-
-	ms.previousPeers = cloneNodes(resp.Peers) // defensive/lazy clone, since this escapes to who knows where
-	for _, up := range resp.UserProfiles {
-		ms.lastUserProfile[up.ID] = up
-	}
-
-	if resp.DERPMap != nil {
-		ms.vlogf("netmap: new map contains DERP map")
-		ms.lastDERPMap = resp.DERPMap
-	}
-
-	if pf := resp.PacketFilter; pf != nil {
-		var err error
-		ms.lastParsedPacketFilter, err = filter.MatchesFromFilterRules(pf)
-		if err != nil {
-			ms.logf("parsePacketFilter: %v", err)
-		}
-	}
-	if c := resp.DNSConfig; c != nil {
-		ms.lastDNSConfig = c
-	}
-
-	if v, ok := resp.CollectServices.Get(); ok {
-		ms.collectServices = v
-	}
-	if resp.Domain != "" {
-		ms.lastDomain = resp.Domain
-	}
-
-	nm := &netmap.NetworkMap{
-		NodeKey:         tailcfg.NodeKey(ms.privateNodeKey.Public()),
-		PrivateKey:      ms.privateNodeKey,
-		MachineKey:      ms.machinePubKey,
-		Peers:           resp.Peers,
-		UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
-		Domain:          ms.lastDomain,
-		DNS:             *ms.lastDNSConfig,
-		PacketFilter:    ms.lastParsedPacketFilter,
-		CollectServices: ms.collectServices,
-		DERPMap:         ms.lastDERPMap,
-		Debug:           resp.Debug,
-	}
-	ms.netMapBuilding = nm
-
-	if resp.Node != nil {
-		ms.lastNode = resp.Node
-	}
-	if node := ms.lastNode.Clone(); node != nil {
-		nm.SelfNode = node
-		nm.Expiry = node.KeyExpiry
-		nm.Name = node.Name
-		nm.Addresses = node.Addresses
-		nm.User = node.User
-		nm.Hostinfo = node.Hostinfo
-		if node.MachineAuthorized {
-			nm.MachineStatus = tailcfg.MachineAuthorized
-		} else {
-			nm.MachineStatus = tailcfg.MachineUnauthorized
-		}
-	}
-
-	ms.addUserProfile(nm.User)
-	magicDNSSuffix := nm.MagicDNSSuffix()
-	if nm.SelfNode != nil {
-		nm.SelfNode.InitDisplayNames(magicDNSSuffix)
-	}
-	for _, peer := range resp.Peers {
-		peer.InitDisplayNames(magicDNSSuffix)
-		if !peer.Sharer.IsZero() {
-			if ms.keepSharerAndUserSplit {
-				ms.addUserProfile(peer.Sharer)
-			} else {
-				peer.User = peer.Sharer
-			}
-		}
-		ms.addUserProfile(peer.User)
-	}
-	if len(resp.DNS) > 0 {
-		nm.DNS.Nameservers = resp.DNS
-	}
-	if len(resp.SearchPaths) > 0 {
-		nm.DNS.Domains = resp.SearchPaths
-	}
-	if Debug.ProxyDNS {
-		nm.DNS.Proxied = true
-	}
-	ms.netMapBuilding = nil
-	return nm
-}
-
-// undeltaPeers updates mapRes.Peers to be complete based on the
-// provided previous peer list and the PeersRemoved and PeersChanged
-// fields in mapRes, as well as the PeerSeenChange and OnlineChange
-// maps.
-//
-// It then also nils out the delta fields.
-func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
-	if len(mapRes.Peers) > 0 {
-		// Not delta encoded.
-		if !nodesSorted(mapRes.Peers) {
-			log.Printf("netmap: undeltaPeers: MapResponse.Peers not sorted; sorting")
-			sortNodes(mapRes.Peers)
-		}
-		return
-	}
-
-	var removed map[tailcfg.NodeID]bool
-	if pr := mapRes.PeersRemoved; len(pr) > 0 {
-		removed = make(map[tailcfg.NodeID]bool, len(pr))
-		for _, id := range pr {
-			removed[id] = true
-		}
-	}
-	changed := mapRes.PeersChanged
-
-	if !nodesSorted(changed) {
-		log.Printf("netmap: undeltaPeers: MapResponse.PeersChanged not sorted; sorting")
-		sortNodes(changed)
-	}
-	if !nodesSorted(prev) {
-		// Internal error (unrelated to the network) if we get here.
-		log.Printf("netmap: undeltaPeers: [unexpected] prev not sorted; sorting")
-		sortNodes(prev)
-	}
-
-	newFull := prev
-	if len(removed) > 0 || len(changed) > 0 {
-		newFull = make([]*tailcfg.Node, 0, len(prev)-len(removed))
-		for len(prev) > 0 && len(changed) > 0 {
-			pID := prev[0].ID
-			cID := changed[0].ID
-			if removed[pID] {
-				prev = prev[1:]
-				continue
-			}
-			switch {
-			case pID < cID:
-				newFull = append(newFull, prev[0])
-				prev = prev[1:]
-			case pID == cID:
-				newFull = append(newFull, changed[0])
-				prev, changed = prev[1:], changed[1:]
-			case cID < pID:
-				newFull = append(newFull, changed[0])
-				changed = changed[1:]
-			}
-		}
-		newFull = append(newFull, changed...)
-		for _, n := range prev {
-			if !removed[n.ID] {
-				newFull = append(newFull, n)
-			}
-		}
-		sortNodes(newFull)
-	}
-
-	if len(mapRes.PeerSeenChange) != 0 || len(mapRes.OnlineChange) != 0 {
-		peerByID := make(map[tailcfg.NodeID]*tailcfg.Node, len(newFull))
-		for _, n := range newFull {
-			peerByID[n.ID] = n
-		}
-		now := clockNow()
-		for nodeID, seen := range mapRes.PeerSeenChange {
-			if n, ok := peerByID[nodeID]; ok {
-				if seen {
-					n.LastSeen = &now
-				} else {
-					n.LastSeen = nil
-				}
-			}
-		}
-		for nodeID, online := range mapRes.OnlineChange {
-			if n, ok := peerByID[nodeID]; ok {
-				online := online
-				n.Online = &online
-			}
-		}
-	}
-
-	mapRes.Peers = newFull
-	mapRes.PeersChanged = nil
-	mapRes.PeersRemoved = nil
-}
-
-func nodesSorted(v []*tailcfg.Node) bool {
-	for i, n := range v {
-		if i > 0 && n.ID <= v[i-1].ID {
-			return false
-		}
-	}
-	return true
-}
-
-func sortNodes(v []*tailcfg.Node) {
-	sort.Slice(v, func(i, j int) bool { return v[i].ID < v[j].ID })
-}
-
-func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
-	if v1 == nil {
-		return nil
-	}
-	v2 := make([]*tailcfg.Node, len(v1))
-	for i, n := range v1 {
-		v2[i] = n.Clone()
-	}
-	return v2
-}
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -1,311 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package controlclient
-
-import (
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"strings"
-	"testing"
-	"time"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/netmap"
-	"tailscale.com/types/wgkey"
-)
-
-func TestUndeltaPeers(t *testing.T) {
-	defer func(old func() time.Time) { clockNow = old }(clockNow)
-
-	var curTime time.Time
-	clockNow = func() time.Time {
-		return curTime
-	}
-	online := func(v bool) func(*tailcfg.Node) {
-		return func(n *tailcfg.Node) {
-			n.Online = &v
-		}
-	}
-	seenAt := func(t time.Time) func(*tailcfg.Node) {
-		return func(n *tailcfg.Node) {
-			n.LastSeen = &t
-		}
-	}
-	n := func(id tailcfg.NodeID, name string, mod ...func(*tailcfg.Node)) *tailcfg.Node {
-		n := &tailcfg.Node{ID: id, Name: name}
-		for _, f := range mod {
-			f(n)
-		}
-		return n
-	}
-	peers := func(nv ...*tailcfg.Node) []*tailcfg.Node { return nv }
-	tests := []struct {
-		name    string
-		mapRes  *tailcfg.MapResponse
-		curTime time.Time
-		prev    []*tailcfg.Node
-		want    []*tailcfg.Node
-	}{
-		{
-			name: "full_peers",
-			mapRes: &tailcfg.MapResponse{
-				Peers: peers(n(1, "foo"), n(2, "bar")),
-			},
-			want: peers(n(1, "foo"), n(2, "bar")),
-		},
-		{
-			name: "full_peers_ignores_deltas",
-			mapRes: &tailcfg.MapResponse{
-				Peers:        peers(n(1, "foo"), n(2, "bar")),
-				PeersRemoved: []tailcfg.NodeID{2},
-			},
-			want: peers(n(1, "foo"), n(2, "bar")),
-		},
-		{
-			name: "add_and_update",
-			prev: peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChanged: peers(n(0, "zero"), n(2, "bar2"), n(3, "three")),
-			},
-			want: peers(n(0, "zero"), n(1, "foo"), n(2, "bar2"), n(3, "three")),
-		},
-		{
-			name: "remove",
-			prev: peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{
-				PeersRemoved: []tailcfg.NodeID{1},
-			},
-			want: peers(n(2, "bar")),
-		},
-		{
-			name: "add_and_remove",
-			prev: peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{
-				PeersChanged: peers(n(1, "foo2")),
-				PeersRemoved: []tailcfg.NodeID{2},
-			},
-			want: peers(n(1, "foo2")),
-		},
-		{
-			name:   "unchanged",
-			prev:   peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{},
-			want:   peers(n(1, "foo"), n(2, "bar")),
-		},
-		{
-			name: "online_change",
-			prev: peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{
-				OnlineChange: map[tailcfg.NodeID]bool{
-					1: true,
-				},
-			},
-			want: peers(
-				n(1, "foo", online(true)),
-				n(2, "bar"),
-			),
-		},
-		{
-			name: "online_change_offline",
-			prev: peers(n(1, "foo"), n(2, "bar")),
-			mapRes: &tailcfg.MapResponse{
-				OnlineChange: map[tailcfg.NodeID]bool{
-					1: false,
-					2: true,
-				},
-			},
-			want: peers(
-				n(1, "foo", online(false)),
-				n(2, "bar", online(true)),
-			),
-		},
-		{
-			name:    "peer_seen_at",
-			prev:    peers(n(1, "foo", seenAt(time.Unix(111, 0))), n(2, "bar")),
-			curTime: time.Unix(123, 0),
-			mapRes: &tailcfg.MapResponse{
-				PeerSeenChange: map[tailcfg.NodeID]bool{
-					1: false,
-					2: true,
-				},
-			},
-			want: peers(
-				n(1, "foo"),
-				n(2, "bar", seenAt(time.Unix(123, 0))),
-			),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if !tt.curTime.IsZero() {
-				curTime = tt.curTime
-			}
-			undeltaPeers(tt.mapRes, tt.prev)
-			if !reflect.DeepEqual(tt.mapRes.Peers, tt.want) {
-				t.Errorf("wrong results\n got: %s\nwant: %s", formatNodes(tt.mapRes.Peers), formatNodes(tt.want))
-			}
-		})
-	}
-}
-
-func formatNodes(nodes []*tailcfg.Node) string {
-	var sb strings.Builder
-	for i, n := range nodes {
-		if i > 0 {
-			sb.WriteString(", ")
-		}
-		var extra string
-		if n.Online != nil {
-			extra += fmt.Sprintf(", online=%v", *n.Online)
-		}
-		if n.LastSeen != nil {
-			extra += fmt.Sprintf(", lastSeen=%v", n.LastSeen.Unix())
-		}
-		fmt.Fprintf(&sb, "(%d, %q%s)", n.ID, n.Name, extra)
-	}
-	return sb.String()
-}
-
-func newTestMapSession(t *testing.T) *mapSession {
-	k, err := wgkey.NewPrivate()
-	if err != nil {
-		t.Fatal(err)
-	}
-	return newMapSession(k)
-}
-
-func TestNetmapForResponse(t *testing.T) {
-	t.Run("implicit_packetfilter", func(t *testing.T) {
-		somePacketFilter := []tailcfg.FilterRule{
-			{
-				SrcIPs: []string{"*"},
-				DstPorts: []tailcfg.NetPortRange{
-					{IP: "10.2.3.4", Ports: tailcfg.PortRange{First: 22, Last: 22}},
-				},
-			},
-		}
-		ms := newTestMapSession(t)
-		nm1 := ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:         new(tailcfg.Node),
-			PacketFilter: somePacketFilter,
-		})
-		if len(nm1.PacketFilter) == 0 {
-			t.Fatalf("zero length PacketFilter")
-		}
-		nm2 := ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:         new(tailcfg.Node),
-			PacketFilter: nil, // testing that the server can omit this.
-		})
-		if len(nm1.PacketFilter) == 0 {
-			t.Fatalf("zero length PacketFilter in 2nd netmap")
-		}
-		if !reflect.DeepEqual(nm1.PacketFilter, nm2.PacketFilter) {
-			t.Error("packet filters differ")
-		}
-	})
-	t.Run("implicit_dnsconfig", func(t *testing.T) {
-		someDNSConfig := &tailcfg.DNSConfig{Domains: []string{"foo", "bar"}}
-		ms := newTestMapSession(t)
-		nm1 := ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:      new(tailcfg.Node),
-			DNSConfig: someDNSConfig,
-		})
-		if !reflect.DeepEqual(nm1.DNS, *someDNSConfig) {
-			t.Fatalf("1st DNS wrong")
-		}
-		nm2 := ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:      new(tailcfg.Node),
-			DNSConfig: nil, // implict
-		})
-		if !reflect.DeepEqual(nm2.DNS, *someDNSConfig) {
-			t.Fatalf("2nd DNS wrong")
-		}
-	})
-	t.Run("collect_services", func(t *testing.T) {
-		ms := newTestMapSession(t)
-		var nm *netmap.NetworkMap
-		wantCollect := func(v bool) {
-			t.Helper()
-			if nm.CollectServices != v {
-				t.Errorf("netmap.CollectServices = %v; want %v", nm.CollectServices, v)
-			}
-		}
-
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node: new(tailcfg.Node),
-		})
-		wantCollect(false)
-
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:            new(tailcfg.Node),
-			CollectServices: "false",
-		})
-		wantCollect(false)
-
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:            new(tailcfg.Node),
-			CollectServices: "true",
-		})
-		wantCollect(true)
-
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:            new(tailcfg.Node),
-			CollectServices: "",
-		})
-		wantCollect(true)
-	})
-	t.Run("implicit_domain", func(t *testing.T) {
-		ms := newTestMapSession(t)
-		var nm *netmap.NetworkMap
-		want := func(v string) {
-			t.Helper()
-			if nm.Domain != v {
-				t.Errorf("netmap.Domain = %q; want %q", nm.Domain, v)
-			}
-		}
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node:   new(tailcfg.Node),
-			Domain: "foo.com",
-		})
-		want("foo.com")
-
-		nm = ms.netmapForResponse(&tailcfg.MapResponse{
-			Node: new(tailcfg.Node),
-		})
-		want("foo.com")
-	})
-	t.Run("implicit_node", func(t *testing.T) {
-		someNode := &tailcfg.Node{
-			Name: "foo",
-		}
-		wantNode := &tailcfg.Node{
-			Name:                 "foo",
-			ComputedName:         "foo",
-			ComputedNameWithHost: "foo",
-		}
-		ms := newTestMapSession(t)
-
-		nm1 := ms.netmapForResponse(&tailcfg.MapResponse{
-			Node: someNode,
-		})
-		if nm1.SelfNode == nil {
-			t.Fatal("nil Node in 1st netmap")
-		}
-		if !reflect.DeepEqual(nm1.SelfNode, wantNode) {
-			j, _ := json.Marshal(nm1.SelfNode)
-			t.Errorf("Node mismatch in 1st netmap; got: %s", j)
-		}
-
-		nm2 := ms.netmapForResponse(&tailcfg.MapResponse{})
-		if nm2.SelfNode == nil {
-			t.Fatal("nil Node in 1st netmap")
-		}
-		if !reflect.DeepEqual(nm2.SelfNode, wantNode) {
-			j, _ := json.Marshal(nm2.SelfNode)
-			t.Errorf("Node mismatch in 2nd netmap; got: %s", j)
-		}
-	})
-}
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -51,46 +51,6 @@ var (
 	errBadRequest = errors.New("malformed request")
 )

-func isSupportedCertificate(cert *x509.Certificate) bool {
-	return cert.PublicKeyAlgorithm == x509.RSA
-}
-
-func isSubjectInChain(subject string, chain []*x509.Certificate) bool {
-	if len(chain) == 0 || chain[0] == nil {
-		return false
-	}
-
-	for _, c := range chain {
-		if c == nil {
-			continue
-		}
-		if c.Subject.String() == subject {
-			return true
-		}
-	}
-
-	return false
-}
-
-func selectIdentityFromSlice(subject string, ids []certstore.Identity) (certstore.Identity, []*x509.Certificate) {
-	for _, id := range ids {
-		chain, err := id.CertificateChain()
-		if err != nil {
-			continue
-		}
-
-		if !isSupportedCertificate(chain[0]) {
-			continue
-		}
-
-		if isSubjectInChain(subject, chain) {
-			return id, chain
-		}
-	}
-
-	return nil, nil
-}
-
 // findIdentity locates an identity from the Windows or Darwin certificate
 // store. It returns the first certificate with a matching Subject anywhere in
 // its certificate chain, so it is possible to search for the leaf certificate,
@@ -104,7 +64,26 @@ func findIdentity(subject string, st certstore.Store) (certstore.Identity, []*x5
 		return nil, nil, err
 	}

-	selected, chain := selectIdentityFromSlice(subject, ids)
+	var selected certstore.Identity
+	var chain []*x509.Certificate
+
+	for _, id := range ids {
+		chain, err = id.CertificateChain()
+		if err != nil {
+			continue
+		}
+
+		if chain[0].PublicKeyAlgorithm != x509.RSA {
+			continue
+		}
+
+		for _, c := range chain {
+			if c.Subject.String() == subject {
+				selected = id
+				break
+			}
+		}
+	}

 	for _, id := range ids {
 		if id != selected {
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -409,7 +409,7 @@ func TestSendFreeze(t *testing.T) {
 	for i := 0; i < cap(errCh); i++ {
 		err := <-errCh
 		if err != nil {
-			if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
+			if errors.Is(err, io.EOF) {
 				continue
 			}
 			t.Error(err)
--- a/disco/disco_fuzzer.go
+++ b/disco/disco_fuzzer.go
@@ -1,18 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-// +build gofuzz
-
-package disco
-
-func Fuzz(data []byte) int {
-	m, _ := Parse(data)
-
-	newBytes := m.AppendMarshal(data)
-	parsedMarshall, _ := Parse(newBytes)
-
-	if m != parsedMarshall {
-		panic("Parsing error")
-	}
-	return 1
-}
--- a/go.mod
+++ b/go.mod
@@ -24,14 +24,14 @@ require (
 	github.com/peterbourgon/ff/v2 v2.0.0
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210419202603-b32acd8f0292
+	github.com/tailscale/wireguard-go v0.0.0-20210327173134-f6a42a1646a0
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
 	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
 	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57
+	golang.org/x/sys v0.0.0-20210317225723-c4fcb01b228e
 	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
--- a/go.sum
+++ b/go.sum
@@ -123,24 +123,6 @@ github.com/tailscale/wireguard-go v0.0.0-20210324165952-2963b66bc23a h1:tQ7Y0ALS
 github.com/tailscale/wireguard-go v0.0.0-20210324165952-2963b66bc23a/go.mod h1:6t0OVdJwFOKFnvaHaVMKG6GznWaHqkmiR2n3kH0t924=
 github.com/tailscale/wireguard-go v0.0.0-20210327173134-f6a42a1646a0 h1:7KFBvUmm3TW/K+bAN22D7M6xSSoY/39s+PajaNBGrLw=
 github.com/tailscale/wireguard-go v0.0.0-20210327173134-f6a42a1646a0/go.mod h1:6t0OVdJwFOKFnvaHaVMKG6GznWaHqkmiR2n3kH0t924=
-github.com/tailscale/wireguard-go v0.0.0-20210330185929-1689f2635004 h1:GNEPNdNHsYe5zhoR/0z2Pl/a9zXbr0IySmHV6PhCrzI=
-github.com/tailscale/wireguard-go v0.0.0-20210330185929-1689f2635004/go.mod h1:6t0OVdJwFOKFnvaHaVMKG6GznWaHqkmiR2n3kH0t924=
-github.com/tailscale/wireguard-go v0.0.0-20210330200845-4914b4a944c4 h1:7Y0H5NzrV3fwHeDrUXDFcTy8QNbAEDwr+qHyOfX4VyE=
-github.com/tailscale/wireguard-go v0.0.0-20210330200845-4914b4a944c4/go.mod h1:6t0OVdJwFOKFnvaHaVMKG6GznWaHqkmiR2n3kH0t924=
-github.com/tailscale/wireguard-go v0.0.0-20210401164443-2d6878b6b30d h1:zbDBqtYvc492gcRL5BB7AO5Aed+aVht2jbYg8SKoMYs=
-github.com/tailscale/wireguard-go v0.0.0-20210401164443-2d6878b6b30d/go.mod h1:6t0OVdJwFOKFnvaHaVMKG6GznWaHqkmiR2n3kH0t924=
-github.com/tailscale/wireguard-go v0.0.0-20210401172819-1aca620a8afb h1:6TGRROCOrjTKbt1ucBTZaDMBeScG6yVEXEjuabOiBzU=
-github.com/tailscale/wireguard-go v0.0.0-20210401172819-1aca620a8afb/go.mod h1:jy12FSeiDLRvS7VQvSoiaqH9WtpapbrC8YSzyZ7fUAk=
-github.com/tailscale/wireguard-go v0.0.0-20210401194826-bb7bc2f24083 h1:e3k65apTVs7NM6mhQ1c94XISLe+2gdizPfRdsImNL8Y=
-github.com/tailscale/wireguard-go v0.0.0-20210401194826-bb7bc2f24083/go.mod h1:jy12FSeiDLRvS7VQvSoiaqH9WtpapbrC8YSzyZ7fUAk=
-github.com/tailscale/wireguard-go v0.0.0-20210402173217-0a47c6e64d15 h1:13GZsTKbCmPGwDBurcSXT+ssYID2IfcX0MfsvhaaagY=
-github.com/tailscale/wireguard-go v0.0.0-20210402173217-0a47c6e64d15/go.mod h1:jy12FSeiDLRvS7VQvSoiaqH9WtpapbrC8YSzyZ7fUAk=
-github.com/tailscale/wireguard-go v0.0.0-20210402193818-fc309421dd43 h1:SRUknVD6AHsxfghv0By9SFjQ8dhn8K8gIFwxf3OEPyU=
-github.com/tailscale/wireguard-go v0.0.0-20210402193818-fc309421dd43/go.mod h1:g3WdWX37upLnDT8STKFWhvA34Gwrt4hIpnWR3HGufpM=
-github.com/tailscale/wireguard-go v0.0.0-20210403171604-17614717a9b5 h1:FegsXWjtyhCxpB8bBSL1kLzagtV+e7BaX07phMM8uQM=
-github.com/tailscale/wireguard-go v0.0.0-20210403171604-17614717a9b5/go.mod h1:ys4yUmhKncXy1jWP34qUHKipRjl322VVhxoh1Rkfo7c=
-github.com/tailscale/wireguard-go v0.0.0-20210419202603-b32acd8f0292 h1:rKgYi0k3TNqEz5f7sc6zNeufZcnxm1Efd6bb39cGGkY=
-github.com/tailscale/wireguard-go v0.0.0-20210419202603-b32acd8f0292/go.mod h1:ys4yUmhKncXy1jWP34qUHKipRjl322VVhxoh1Rkfo7c=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
@@ -224,10 +206,6 @@ golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210317225723-c4fcb01b228e h1:XNp2Flc/1eWQGk5BLzqTAN7fQIwIbfyVTuVxXxZh73M=
 golang.org/x/sys v0.0.0-20210317225723-c4fcb01b228e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210402192133-700132347e07 h1:4k6HsQjxj6hVMsI2Vf0yKlzt5lXxZsMW1q0zaq2k8zY=
-golang.org/x/sys v0.0.0-20210402192133-700132347e07/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210317153231-de623e64d2a6 h1:EC6+IGYTjPpRfv9a2b/6Puw0W+hLtAhkV1tPsXhutqs=
--- a/health/health.go
+++ b/health/health.go
@@ -49,9 +49,6 @@ const (
 	// SysRouter is the name the wgengine/router subsystem.
 	SysRouter = Subsystem("router")

-	// SysDNS is the name of the net/dns subsystem.
-	SysDNS = Subsystem("dns")
-
 	// SysNetworkCategory is the name of the subsystem that sets
 	// the Windows network adapter's "category" (public, private, domain).
 	// If it's unhealthy, the Windows firewall rules won't match.
@@ -83,18 +80,12 @@ func RegisterWatcher(cb func(key Subsystem, err error)) (unregister func()) {
 	}
 }

-// SetRouterHealth sets the state of the wgengine/router.Router.
+// SetRouter sets the state of the wgengine/router.Router.
 func SetRouterHealth(err error) { set(SysRouter, err) }

 // RouterHealth returns the wgengine/router.Router error state.
 func RouterHealth() error { return get(SysRouter) }

-// SetDNSHealth sets the state of the net/dns.Manager
-func SetDNSHealth(err error) { set(SysDNS, err) }
-
-// DNSHealth returns the net/dns.Manager error state.
-func DNSHealth() error { return get(SysDNS) }
-
 // SetNetworkCategoryHealth sets the state of setting the network adaptor's category.
 // This only applies on Windows.
 func SetNetworkCategoryHealth(err error) { set(SysNetworkCategory, err) }
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"

 	"inet.af/netaddr"
+	"tailscale.com/net/dns"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 )
@@ -35,8 +36,9 @@ func TestDeepPrint(t *testing.T) {
 func getVal() []interface{} {
 	return []interface{}{
 		&wgcfg.Config{
-			Name:      "foo",
-			Addresses: []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
+			Name:       "foo",
+			Addresses:  []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
+			ListenPort: 5,
 			Peers: []wgcfg.Peer{
 				{
 					Endpoints: "foo:5",
@@ -44,9 +46,9 @@ func getVal() []interface{} {
 			},
 		},
 		&router.Config{
-			Routes: []netaddr.IPPrefix{
-				netaddr.MustParseIPPrefix("1.2.3.0/24"),
-				netaddr.MustParseIPPrefix("1234::/64"),
+			DNS: dns.Config{
+				Nameservers: []netaddr.IP{netaddr.IPv4(8, 8, 8, 8)},
+				Domains:     []string{"tailscale.net"},
 			},
 		},
 		map[string]string{
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -5,6 +5,7 @@
 package ipn

 import (
+	"net/http"
 	"time"

 	"tailscale.com/ipn/ipnstate"
@@ -67,18 +68,6 @@ type Notify struct {
 	BackendLogID  *string            // public logtail id used by backend
 	PingResult    *ipnstate.PingResult

-	// FilesWaiting if non-nil means that files are buffered in
-	// the Tailscale daemon and ready for local transfer to the
-	// user's preferred storage location.
-	FilesWaiting *empty.Message `json:",omitempty"`
-
-	// IncomingFiles, if non-nil, specifies which files are in the
-	// process of being received. A nil IncomingFiles means this
-	// Notify should not update the state of file transfers. A non-nil
-	// but empty IncomingFiles means that no files are in the middle
-	// of being transferred.
-	IncomingFiles []PartialFile `json:",omitempty"`
-
 	// LocalTCPPort, if non-nil, informs the UI frontend which
 	// (non-zero) localhost TCP port it's listening on.
 	// This is currently only used by Tailscale when run in the
@@ -88,24 +77,6 @@ type Notify struct {
 	// type is mirrored in xcode/Shared/IPN.swift
 }

-// PartialFile represents an in-progress file transfer.
-type PartialFile struct {
-	Name         string    // e.g. "foo.jpg"
-	Started      time.Time // time transfer started
-	DeclaredSize int64     // or -1 if unknown
-	Received     int64     // bytes copied thus far
-
-	// PartialPath is set non-empty in "direct" file mode to the
-	// in-progress '*.partial' file's path when the peerapi isn't
-	// being used; see LocalBackend.SetDirectFileRoot.
-	PartialPath string `json:",omitempty"`
-
-	// Done is set in "direct" mode when the partial file has been
-	// closed and is ready for the caller to rename away the
-	// ".partial" suffix.
-	Done bool `json:",omitempty"`
-}
-
 // StateKey is an opaque identifier for a set of LocalBackend state
 // (preferences, private keys, etc.).
 //
@@ -141,6 +112,19 @@ type Options struct {
 	// AuthKey is an optional node auth key used to authorize a
 	// new node key without user interaction.
 	AuthKey string
+	// LegacyConfigPath optionally specifies the old-style relaynode
+	// relay.conf location. If both LegacyConfigPath and StateKey are
+	// specified and the requested state doesn't exist in the backend
+	// store, the backend migrates the config from LegacyConfigPath.
+	//
+	// TODO(danderson): remove some time after the transition to
+	// tailscaled is done.
+	LegacyConfigPath string
+	// Notify is called when backend events happen.
+	Notify func(Notify) `json:"-"`
+	// HTTPTestClient is an optional HTTP client to pass to controlclient
+	// (for tests only).
+	HTTPTestClient *http.Client
 }

 // Backend is the interface between Tailscale frontends
@@ -149,9 +133,6 @@ type Options struct {
 // (It has nothing to do with the interface between the backends
 // and the cloud control plane.)
 type Backend interface {
-	// SetNotifyCallback sets the callback to be called on updates
-	// from the backend to the client.
-	SetNotifyCallback(func(Notify))
 	// Start starts or restarts the backend, typically when a
 	// frontend client connects.
 	Start(Options) error
@@ -168,6 +149,9 @@ type Backend interface {
 	// WantRunning. This may cause the wireguard engine to
 	// reconfigure or stop.
 	SetPrefs(*Prefs)
+	// SetWantRunning is like SetPrefs but sets only the
+	// WantRunning field.
+	SetWantRunning(wantRunning bool)
 	// RequestEngineStatus polls for an update from the wireguard
 	// engine. Only needed if you want to display byte
 	// counts. Connection events are emitted automatically without
--- a/ipn/fake_test.go
+++ b/ipn/fake_test.go
@@ -5,6 +5,7 @@
 package ipn

 import (
+	"log"
 	"time"

 	"tailscale.com/ipn/ipnstate"
@@ -19,29 +20,19 @@ type FakeBackend struct {
 }

 func (b *FakeBackend) Start(opts Options) error {
-	b.serverURL = opts.Prefs.ControlURLOrDefault()
-	if b.notify == nil {
-		panic("FakeBackend.Start: SetNotifyCallback not called")
+	b.serverURL = opts.Prefs.ControlURL
+	if opts.Notify == nil {
+		log.Fatalf("FakeBackend.Start: opts.Notify is nil\n")
 	}
+	b.notify = opts.Notify
+	b.notify(Notify{Prefs: opts.Prefs})
 	nl := NeedsLogin
-	if b.notify != nil {
-		b.notify(Notify{Prefs: opts.Prefs})
-		b.notify(Notify{State: &nl})
-	}
+	b.notify(Notify{State: &nl})
 	return nil
 }

-func (b *FakeBackend) SetNotifyCallback(notify func(Notify)) {
-	if notify == nil {
-		panic("FakeBackend.SetNotifyCallback: notify is nil")
-	}
-	b.notify = notify
-}
-
 func (b *FakeBackend) newState(s State) {
-	if b.notify != nil {
-		b.notify(Notify{State: &s})
-	}
+	b.notify(Notify{State: &s})
 	if s == Running {
 		b.live = true
 	} else {
@@ -51,9 +42,7 @@ func (b *FakeBackend) newState(s State) {

 func (b *FakeBackend) StartLoginInteractive() {
 	u := b.serverURL + "/this/is/fake"
-	if b.notify != nil {
-		b.notify(Notify{BrowseToURL: &u})
-	}
+	b.notify(Notify{BrowseToURL: &u})
 	b.login()
 }

@@ -65,14 +54,10 @@ func (b *FakeBackend) login() {
 	b.newState(NeedsMachineAuth)
 	b.newState(Stopped)
 	// TODO(apenwarr): Fill in a more interesting netmap here.
-	if b.notify != nil {
-		b.notify(Notify{NetMap: &netmap.NetworkMap{}})
-	}
+	b.notify(Notify{NetMap: &netmap.NetworkMap{}})
 	b.newState(Starting)
 	// TODO(apenwarr): Fill in a more interesting status.
-	if b.notify != nil {
-		b.notify(Notify{Engine: &EngineStatus{}})
-	}
+	b.notify(Notify{Engine: &EngineStatus{}})
 	b.newState(Running)
 }

@@ -85,9 +70,7 @@ func (b *FakeBackend) SetPrefs(new *Prefs) {
 		panic("FakeBackend.SetPrefs got nil prefs")
 	}

-	if b.notify != nil {
-		b.notify(Notify{Prefs: new.Clone()})
-	}
+	b.notify(Notify{Prefs: new.Clone()})
 	if new.WantRunning && !b.live {
 		b.newState(Starting)
 		b.newState(Running)
@@ -96,20 +79,18 @@ func (b *FakeBackend) SetPrefs(new *Prefs) {
 	}
 }

+func (b *FakeBackend) SetWantRunning(v bool) {
+	b.SetPrefs(&Prefs{WantRunning: v})
+}
+
 func (b *FakeBackend) RequestEngineStatus() {
-	if b.notify != nil {
-		b.notify(Notify{Engine: &EngineStatus{}})
-	}
+	b.notify(Notify{Engine: &EngineStatus{}})
 }

 func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
-	if b.notify != nil {
-		b.notify(Notify{NetMap: &netmap.NetworkMap{}})
-	}
+	b.notify(Notify{NetMap: &netmap.NetworkMap{}})
 }

 func (b *FakeBackend) Ping(ip string, useTSMP bool) {
-	if b.notify != nil {
-		b.notify(Notify{PingResult: &ipnstate.PingResult{}})
-	}
+	b.notify(Notify{PingResult: &ipnstate.PingResult{}})
 }
--- a/ipn/handle.go
+++ b/ipn/handle.go
@@ -15,26 +15,25 @@ import (
 )

 type Handle struct {
-	b    Backend
-	logf logger.Logf
+	frontendLogID string
+	b             Backend
+	xnotify       func(Notify)
+	logf          logger.Logf

 	// Mutex protects everything below
 	mu                sync.Mutex
-	xnotify           func(Notify)
-	frontendLogID     string
 	netmapCache       *netmap.NetworkMap
 	engineStatusCache EngineStatus
 	stateCache        State
 	prefsCache        *Prefs
 }

-func NewHandle(b Backend, logf logger.Logf, notify func(Notify), opts Options) (*Handle, error) {
+func NewHandle(b Backend, logf logger.Logf, opts Options) (*Handle, error) {
 	h := &Handle{
 		b:    b,
 		logf: logf,
 	}

-	h.SetNotifyCallback(notify)
 	err := h.Start(opts)
 	if err != nil {
 		return nil, err
@@ -43,25 +42,18 @@ func NewHandle(b Backend, logf logger.Logf, notify func(Notify), opts Options) (
 	return h, nil
 }

-func (h *Handle) SetNotifyCallback(notify func(Notify)) {
-	h.mu.Lock()
-	h.xnotify = notify
-	h.mu.Unlock()
-
-	h.b.SetNotifyCallback(h.notify)
-}
-
 func (h *Handle) Start(opts Options) error {
-	h.mu.Lock()
 	h.frontendLogID = opts.FrontendLogID
+	h.xnotify = opts.Notify
 	h.netmapCache = nil
 	h.engineStatusCache = EngineStatus{}
 	h.stateCache = NoState
 	if opts.Prefs != nil {
 		h.prefsCache = opts.Prefs.Clone()
 	}
-	h.mu.Unlock()
-	return h.b.Start(opts)
+	xopts := opts
+	xopts.Notify = h.notify
+	return h.b.Start(xopts)
 }

 func (h *Handle) Reset() {
@@ -156,7 +148,7 @@ func (h *Handle) Expiry() time.Time {
 }

 func (h *Handle) AdminPageURL() string {
-	return h.prefsCache.ControlURLOrDefault() + "/admin/machines"
+	return h.prefsCache.ControlURL + "/admin/machines"
 }

 func (h *Handle) StartLoginInteractive() {
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -291,131 +291,3 @@ func TestPeerRoutes(t *testing.T) {
 	}

 }
-
-func TestPeerAPIBase(t *testing.T) {
-	tests := []struct {
-		name string
-		nm   *netmap.NetworkMap
-		peer *tailcfg.Node
-		want string
-	}{
-		{
-			name: "nil_netmap",
-			peer: new(tailcfg.Node),
-			want: "",
-		},
-		{
-			name: "nil_peer",
-			nm:   new(netmap.NetworkMap),
-			want: "",
-		},
-		{
-			name: "self_only_4_them_both",
-			nm: &netmap.NetworkMap{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.1/32"),
-				},
-			},
-			peer: &tailcfg.Node{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.2/32"),
-					netaddr.MustParseIPPrefix("fe70::2/128"),
-				},
-				Hostinfo: tailcfg.Hostinfo{
-					Services: []tailcfg.Service{
-						{Proto: "peerapi4", Port: 444},
-						{Proto: "peerapi6", Port: 666},
-					},
-				},
-			},
-			want: "http://100.64.1.2:444",
-		},
-		{
-			name: "self_only_6_them_both",
-			nm: &netmap.NetworkMap{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("fe70::1/128"),
-				},
-			},
-			peer: &tailcfg.Node{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.2/32"),
-					netaddr.MustParseIPPrefix("fe70::2/128"),
-				},
-				Hostinfo: tailcfg.Hostinfo{
-					Services: []tailcfg.Service{
-						{Proto: "peerapi4", Port: 444},
-						{Proto: "peerapi6", Port: 666},
-					},
-				},
-			},
-			want: "http://[fe70::2]:666",
-		},
-		{
-			name: "self_both_them_only_4",
-			nm: &netmap.NetworkMap{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.1/32"),
-					netaddr.MustParseIPPrefix("fe70::1/128"),
-				},
-			},
-			peer: &tailcfg.Node{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.2/32"),
-					netaddr.MustParseIPPrefix("fe70::2/128"),
-				},
-				Hostinfo: tailcfg.Hostinfo{
-					Services: []tailcfg.Service{
-						{Proto: "peerapi4", Port: 444},
-					},
-				},
-			},
-			want: "http://100.64.1.2:444",
-		},
-		{
-			name: "self_both_them_only_6",
-			nm: &netmap.NetworkMap{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.1/32"),
-					netaddr.MustParseIPPrefix("fe70::1/128"),
-				},
-			},
-			peer: &tailcfg.Node{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.2/32"),
-					netaddr.MustParseIPPrefix("fe70::2/128"),
-				},
-				Hostinfo: tailcfg.Hostinfo{
-					Services: []tailcfg.Service{
-						{Proto: "peerapi6", Port: 666},
-					},
-				},
-			},
-			want: "http://[fe70::2]:666",
-		},
-		{
-			name: "self_both_them_no_peerapi_service",
-			nm: &netmap.NetworkMap{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.1/32"),
-					netaddr.MustParseIPPrefix("fe70::1/128"),
-				},
-			},
-			peer: &tailcfg.Node{
-				Addresses: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.64.1.2/32"),
-					netaddr.MustParseIPPrefix("fe70::2/128"),
-				},
-			},
-			want: "",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := peerAPIBase(tt.nm, tt.peer)
-			if got != tt.want {
-				t.Errorf("got %q; want %q", got, tt.want)
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -82,6 +82,7 @@ func TestLocalLogLines(t *testing.T) {
 			LastHandshake: time.Now(),
 			NodeKey:       tailcfg.NodeKey(key.NewPrivate()),
 		}},
+		LocalAddrs: []string{"idk an address"},
 	}
 	lb.mu.Lock()
 	lb.parseWgStatusLocked(status)
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -20,198 +20,19 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"sync"
-	"time"
-	"unicode"
-	"unicode/utf8"

 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
-	"tailscale.com/wgengine"
 )

 var initListenConfig func(*net.ListenConfig, netaddr.IP, *interfaces.State, string) error

 type peerAPIServer struct {
-	b          *LocalBackend
-	rootDir    string
-	tunName    string
-	selfNode   *tailcfg.Node
-	knownEmpty syncs.AtomicBool
-
-	// directFileMode is whether we're writing files directly to a
-	// download directory (as *.partial files), rather than making
-	// the frontend retrieve it over localapi HTTP and write it
-	// somewhere itself. This is used on GUI macOS version.
-	directFileMode bool
-}
-
-const partialSuffix = ".partial"
-
-func validFilenameRune(r rune) bool {
-	switch r {
-	case '/':
-		return false
-	case '\\', ':', '*', '"', '<', '>', '|':
-		// Invalid stuff on Windows, but we reject them everywhere
-		// for now.
-		// TODO(bradfitz): figure out a better plan. We initially just
-		// wrote things to disk URL path-escaped, but that's gross
-		// when debugging, and just moves the problem to callers.
-		// So now we put the UTF-8 filenames on disk directly as
-		// sent.
-		return false
-	}
-	return unicode.IsPrint(r)
-}
-
-func (s *peerAPIServer) diskPath(baseName string) (fullPath string, ok bool) {
-	if !utf8.ValidString(baseName) {
-		return "", false
-	}
-	if strings.TrimSpace(baseName) != baseName {
-		return "", false
-	}
-	if len(baseName) > 255 {
-		return "", false
-	}
-	// TODO: validate unicode normalization form too? Varies by platform.
-	clean := path.Clean(baseName)
-	if clean != baseName ||
-		clean == "." || clean == ".." ||
-		strings.HasSuffix(clean, partialSuffix) {
-		return "", false
-	}
-	for _, r := range baseName {
-		if !validFilenameRune(r) {
-			return "", false
-		}
-	}
-	return filepath.Join(s.rootDir, baseName), true
-}
-
-// hasFilesWaiting reports whether any files are buffered in the
-// tailscaled daemon storage.
-func (s *peerAPIServer) hasFilesWaiting() bool {
-	if s.rootDir == "" || s.directFileMode {
-		return false
-	}
-	if s.knownEmpty.Get() {
-		// Optimization: this is usually empty, so avoid opening
-		// the directory and checking. We can't cache the actual
-		// has-files-or-not values as the macOS/iOS client might
-		// in the future use+delete the files directly. So only
-		// keep this negative cache.
-		return false
-	}
-	f, err := os.Open(s.rootDir)
-	if err != nil {
-		return false
-	}
-	defer f.Close()
-	for {
-		des, err := f.ReadDir(10)
-		for _, de := range des {
-			if strings.HasSuffix(de.Name(), partialSuffix) {
-				continue
-			}
-			if de.Type().IsRegular() {
-				return true
-			}
-		}
-		if err == io.EOF {
-			s.knownEmpty.Set(true)
-		}
-		if err != nil {
-			break
-		}
-	}
-	return false
-}
-
-func (s *peerAPIServer) WaitingFiles() (ret []apitype.WaitingFile, err error) {
-	if s.rootDir == "" {
-		return nil, errors.New("peerapi disabled; no storage configured")
-	}
-	if s.directFileMode {
-		return nil, nil
-	}
-	f, err := os.Open(s.rootDir)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	for {
-		des, err := f.ReadDir(10)
-		for _, de := range des {
-			name := de.Name()
-			if strings.HasSuffix(name, partialSuffix) {
-				continue
-			}
-			if de.Type().IsRegular() {
-				fi, err := de.Info()
-				if err != nil {
-					continue
-				}
-				ret = append(ret, apitype.WaitingFile{
-					Name: filepath.Base(name),
-					Size: fi.Size(),
-				})
-			}
-		}
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, err
-		}
-	}
-	return ret, nil
-}
-
-func (s *peerAPIServer) DeleteFile(baseName string) error {
-	if s.rootDir == "" {
-		return errors.New("peerapi disabled; no storage configured")
-	}
-	if s.directFileMode {
-		return errors.New("deletes not allowed in direct mode")
-	}
-	path, ok := s.diskPath(baseName)
-	if !ok {
-		return errors.New("bad filename")
-	}
-	err := os.Remove(path)
-	if err != nil && !os.IsNotExist(err) {
-		return err
-	}
-	return nil
-}
-
-func (s *peerAPIServer) OpenFile(baseName string) (rc io.ReadCloser, size int64, err error) {
-	if s.rootDir == "" {
-		return nil, 0, errors.New("peerapi disabled; no storage configured")
-	}
-	if s.directFileMode {
-		return nil, 0, errors.New("opens not allowed in direct mode")
-	}
-	path, ok := s.diskPath(baseName)
-	if !ok {
-		return nil, 0, errors.New("bad filename")
-	}
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, 0, err
-	}
-	fi, err := f.Stat()
-	if err != nil {
-		f.Close()
-		return nil, 0, err
-	}
-	return f, fi.Size(), nil
+	b        *LocalBackend
+	rootDir  string
+	tunName  string
+	selfNode *tailcfg.Node
 }

 func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net.Listener, err error) {
@@ -230,10 +51,6 @@ func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net
 		}
 	}

-	if wgengine.IsNetstack(s.b.e) {
-		ipStr = ""
-	}
-
 	tcp4or6 := "tcp4"
 	if ip.Is6() {
 		tcp4or6 = "tcp6"
@@ -262,32 +79,22 @@ func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net
 }

 type peerAPIListener struct {
-	ps *peerAPIServer
-	ip netaddr.IP
-	lb *LocalBackend
-
-	// ln is the Listener. It can be nil in netstack mode if there are more than
-	// 1 local addresses (e.g. both an IPv4 and IPv6). When it's nil, port
-	// and urlStr are still populated.
-	ln net.Listener
-
-	// urlStr is the base URL to access the peer API (http://ip:port/).
+	ps     *peerAPIServer
+	ip     netaddr.IP
+	ln     net.Listener
+	lb     *LocalBackend
 	urlStr string
-	// port is just the port of urlStr.
-	port int
 }

-func (pln *peerAPIListener) Close() error {
-	if pln.ln != nil {
-		return pln.ln.Close()
+func (pln *peerAPIListener) Port() int {
+	ta, ok := pln.ln.Addr().(*net.TCPAddr)
+	if !ok {
+		return 0
 	}
-	return nil
+	return ta.Port
 }

 func (pln *peerAPIListener) serve() {
-	if pln.ln == nil {
-		return
-	}
 	defer pln.ln.Close()
 	logf := pln.lb.logf
 	for {
@@ -323,6 +130,7 @@ func (pln *peerAPIListener) serve() {
 			remoteAddr: ipp,
 			peerNode:   peerNode,
 			peerUser:   peerUser,
+			lb:         pln.lb,
 		}
 		httpServer := &http.Server{
 			Handler: h,
@@ -356,6 +164,7 @@ type peerAPIHandler struct {
 	isSelf     bool                // whether peerNode is owned by same user as this node
 	peerNode   *tailcfg.Node       // peerNode is who's making the request
 	peerUser   tailcfg.UserProfile // profile of peerNode
+	lb         *LocalBackend
 }

 func (h *peerAPIHandler) logf(format string, a ...interface{}) {
@@ -364,7 +173,7 @@ func (h *peerAPIHandler) logf(format string, a ...interface{}) {

 func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if strings.HasPrefix(r.URL.Path, "/v0/put/") {
-		h.handlePeerPut(w, r)
+		h.put(w, r)
 		return
 	}
 	who := h.peerUser.DisplayName
@@ -380,108 +189,26 @@ This is my Tailscale device. Your device is %v.
 	}
 }

-type incomingFile struct {
-	name        string // "foo.jpg"
-	started     time.Time
-	size        int64     // or -1 if unknown; never 0
-	w           io.Writer // underlying writer
-	ph          *peerAPIHandler
-	partialPath string // non-empty in direct mode
-
-	mu         sync.Mutex
-	copied     int64
-	done       bool
-	lastNotify time.Time
-}
-
-func (f *incomingFile) markAndNotifyDone() {
-	f.mu.Lock()
-	f.done = true
-	f.mu.Unlock()
-	b := f.ph.ps.b
-	b.sendFileNotify()
-}
-
-func (f *incomingFile) Write(p []byte) (n int, err error) {
-	n, err = f.w.Write(p)
-
-	b := f.ph.ps.b
-	var needNotify bool
-	defer func() {
-		if needNotify {
-			b.sendFileNotify()
-		}
-	}()
-	if n > 0 {
-		f.mu.Lock()
-		defer f.mu.Unlock()
-		f.copied += int64(n)
-		now := time.Now()
-		if f.lastNotify.IsZero() || now.Sub(f.lastNotify) > time.Second {
-			f.lastNotify = now
-			needNotify = true
-		}
-	}
-	return n, err
-}
-
-func (f *incomingFile) PartialFile() ipn.PartialFile {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	return ipn.PartialFile{
-		Name:         f.name,
-		Started:      f.started,
-		DeclaredSize: f.size,
-		Received:     f.copied,
-		PartialPath:  f.partialPath,
-		Done:         f.done,
-	}
-}
-
-func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
+func (h *peerAPIHandler) put(w http.ResponseWriter, r *http.Request) {
 	if !h.isSelf {
 		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
-	if !h.ps.b.hasCapFileSharing() {
-		http.Error(w, "file sharing not enabled by Tailscale admin", http.StatusForbidden)
-		return
-	}
 	if r.Method != "PUT" {
-		http.Error(w, "expected method PUT", http.StatusMethodNotAllowed)
+		http.Error(w, "not method PUT", http.StatusMethodNotAllowed)
 		return
 	}
 	if h.ps.rootDir == "" {
 		http.Error(w, "no rootdir", http.StatusInternalServerError)
 		return
 	}
-	rawPath := r.URL.EscapedPath()
-	suffix := strings.TrimPrefix(rawPath, "/v0/put/")
-	if suffix == rawPath {
-		http.Error(w, "misconfigured internals", 500)
+	name := path.Base(r.URL.Path)
+	if name == "." || name == "/" {
+		http.Error(w, "bad filename", http.StatusForbidden)
 		return
 	}
-	if suffix == "" {
-		http.Error(w, "empty filename", 400)
-		return
-	}
-	if strings.Contains(suffix, "/") {
-		http.Error(w, "directories not supported", 400)
-		return
-	}
-	baseName, err := url.PathUnescape(suffix)
-	if err != nil {
-		http.Error(w, "bad path encoding", 400)
-		return
-	}
-	dstFile, ok := h.ps.diskPath(baseName)
-	if !ok {
-		http.Error(w, "bad filename", 400)
-		return
-	}
-	if h.ps.directFileMode {
-		dstFile += partialSuffix
-	}
+	fileBase := strings.ReplaceAll(url.PathEscape(name), ":", "%3a")
+	dstFile := filepath.Join(h.ps.rootDir, fileBase)
 	f, err := os.Create(dstFile)
 	if err != nil {
 		h.logf("put Create error: %v", err)
@@ -494,57 +221,23 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 			os.Remove(dstFile)
 		}
 	}()
-	var finalSize int64
-	var inFile *incomingFile
-	if r.ContentLength != 0 {
-		inFile = &incomingFile{
-			name:    baseName,
-			started: time.Now(),
-			size:    r.ContentLength,
-			w:       f,
-			ph:      h,
-		}
-		if h.ps.directFileMode {
-			inFile.partialPath = dstFile
-		}
-		h.ps.b.registerIncomingFile(inFile, true)
-		defer h.ps.b.registerIncomingFile(inFile, false)
-		n, err := io.Copy(inFile, r.Body)
-		if err != nil {
-			f.Close()
-			h.logf("put Copy error: %v", err)
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-		finalSize = n
+	n, err := io.Copy(f, r.Body)
+	if err != nil {
+		f.Close()
+		h.logf("put Copy error: %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	if err := f.Close(); err != nil {
 		h.logf("put Close error: %v", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	if h.ps.directFileMode {
-		if inFile != nil { // non-zero length; TODO: notify even for zero length
-			inFile.markAndNotifyDone()
-		}
-	}

-	h.logf("put of %s from %v/%v", approxSize(finalSize), h.remoteAddr.IP, h.peerNode.ComputedName)
+	h.logf("put(%q): %d bytes from %v/%v", name, n, h.remoteAddr.IP, h.peerNode.ComputedName)

 	// TODO: set modtime
 	// TODO: some real response
 	success = true
 	io.WriteString(w, "{}\n")
-	h.ps.knownEmpty.Set(false)
-	h.ps.b.sendFileNotify()
-}
-
-func approxSize(n int64) string {
-	if n <= 1<<10 {
-		return "<=1KB"
-	}
-	if n <= 1<<20 {
-		return "<=1MB"
-	}
-	return fmt.Sprintf("~%dMB", n/1<<20)
 }
--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -7,7 +7,6 @@
 package ipnlocal

 import (
-	"errors"
 	"fmt"
 	"log"
 	"net"
@@ -21,7 +20,6 @@ import (

 func init() {
 	initListenConfig = initListenConfigNetworkExtension
-	peerDialControlFunc = peerDialControlFuncNetworkExtension
 }

 // initListenConfigNetworkExtension configures nc for listening on IP
@@ -35,7 +33,16 @@ func initListenConfigNetworkExtension(nc *net.ListenConfig, ip netaddr.IP, st *i
 	nc.Control = func(network, address string, c syscall.RawConn) error {
 		var sockErr error
 		err := c.Control(func(fd uintptr) {
-			sockErr = bindIf(fd, network, address, tunIf.Index)
+
+			v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
+			proto := unix.IPPROTO_IP
+			opt := unix.IP_BOUND_IF
+			if v6 {
+				proto = unix.IPPROTO_IPV6
+				opt = unix.IPV6_BOUND_IF
+			}
+
+			sockErr = unix.SetsockoptInt(int(fd), proto, opt, tunIf.Index)
 			log.Printf("peerapi: bind(%q, %q) on index %v = %v", network, address, tunIf.Index, sockErr)
 		})
 		if err != nil {
@@ -45,40 +52,3 @@ func initListenConfigNetworkExtension(nc *net.ListenConfig, ip netaddr.IP, st *i
 	}
 	return nil
 }
-
-func bindIf(fd uintptr, network, address string, ifIndex int) error {
-	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
-	proto := unix.IPPROTO_IP
-	opt := unix.IP_BOUND_IF
-	if v6 {
-		proto = unix.IPPROTO_IPV6
-		opt = unix.IPV6_BOUND_IF
-	}
-	return unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
-}
-
-func peerDialControlFuncNetworkExtension(b *LocalBackend) func(network, address string, c syscall.RawConn) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	st := b.prevIfState
-	pas := b.peerAPIServer
-	index := -1
-	if st != nil && pas != nil && pas.tunName != "" {
-		if tunIf, ok := st.Interface[pas.tunName]; ok {
-			index = tunIf.Index
-		}
-	}
-	return func(network, address string, c syscall.RawConn) error {
-		if index == -1 {
-			return errors.New("failed to find TUN interface to bind to")
-		}
-		var sockErr error
-		err := c.Control(func(fd uintptr) {
-			sockErr = bindIf(fd, network, address, index)
-		})
-		if err != nil {
-			return err
-		}
-		return sockErr
-	}
-}
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -1,424 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipnlocal
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"io/fs"
-	"io/ioutil"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/netmap"
-)
-
-type peerAPITestEnv struct {
-	ph     *peerAPIHandler
-	rr     *httptest.ResponseRecorder
-	logBuf bytes.Buffer
-}
-
-func (e *peerAPITestEnv) logf(format string, a ...interface{}) {
-	fmt.Fprintf(&e.logBuf, format, a...)
-}
-
-type check func(*testing.T, *peerAPITestEnv)
-
-func checks(vv ...check) []check { return vv }
-
-func httpStatus(wantStatus int) check {
-	return func(t *testing.T, e *peerAPITestEnv) {
-		if res := e.rr.Result(); res.StatusCode != wantStatus {
-			t.Errorf("HTTP response code = %v; want %v", res.Status, wantStatus)
-		}
-	}
-}
-
-func bodyContains(sub string) check {
-	return func(t *testing.T, e *peerAPITestEnv) {
-		if body := e.rr.Body.String(); !strings.Contains(body, sub) {
-			t.Errorf("HTTP response body does not contain %q; got: %s", sub, body)
-		}
-	}
-}
-
-func bodyNotContains(sub string) check {
-	return func(t *testing.T, e *peerAPITestEnv) {
-		if body := e.rr.Body.String(); strings.Contains(body, sub) {
-			t.Errorf("HTTP response body unexpectedly contains %q; got: %s", sub, body)
-		}
-	}
-}
-
-func fileHasSize(name string, size int) check {
-	return func(t *testing.T, e *peerAPITestEnv) {
-		root := e.ph.ps.rootDir
-		if root == "" {
-			t.Errorf("no rootdir; can't check whether %q has size %v", name, size)
-			return
-		}
-		path := filepath.Join(root, name)
-		if fi, err := os.Stat(path); err != nil {
-			t.Errorf("fileHasSize(%q, %v): %v", name, size, err)
-		} else if fi.Size() != int64(size) {
-			t.Errorf("file %q has size %v; want %v", name, fi.Size(), size)
-		}
-	}
-}
-
-func fileHasContents(name string, want string) check {
-	return func(t *testing.T, e *peerAPITestEnv) {
-		root := e.ph.ps.rootDir
-		if root == "" {
-			t.Errorf("no rootdir; can't check contents of %q", name)
-			return
-		}
-		path := filepath.Join(root, name)
-		got, err := ioutil.ReadFile(path)
-		if err != nil {
-			t.Errorf("fileHasContents: %v", err)
-			return
-		}
-		if string(got) != want {
-			t.Errorf("file contents = %q; want %q", got, want)
-		}
-	}
-}
-
-func hexAll(v string) string {
-	var sb strings.Builder
-	for i := 0; i < len(v); i++ {
-		fmt.Fprintf(&sb, "%%%02x", v[i])
-	}
-	return sb.String()
-}
-
-func TestHandlePeerPut(t *testing.T) {
-	tests := []struct {
-		name       string
-		isSelf     bool // the peer sending the request is owned by us
-		capSharing bool // self node has file sharing capabilty
-		omitRoot   bool // don't configure
-		req        *http.Request
-		checks     []check
-	}{
-		{
-			name:       "not_peer_api",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("GET", "/", nil),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("This is my Tailscale device."),
-				bodyContains("You are the owner of this node."),
-			),
-		},
-		{
-			name:       "not_peer_api_not_owner",
-			isSelf:     false,
-			capSharing: true,
-			req:        httptest.NewRequest("GET", "/", nil),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("This is my Tailscale device."),
-				bodyNotContains("You are the owner of this node."),
-			),
-		},
-		{
-			name:       "reject_non_owner_put",
-			isSelf:     false,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
-			checks: checks(
-				httpStatus(http.StatusForbidden),
-				bodyContains("not owner"),
-			),
-		},
-		{
-			name:       "owner_without_cap",
-			isSelf:     true,
-			capSharing: false,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
-			checks: checks(
-				httpStatus(http.StatusForbidden),
-				bodyContains("file sharing not enabled by Tailscale admin"),
-			),
-		},
-		{
-			name:       "owner_with_cap_no_rootdir",
-			omitRoot:   true,
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
-			checks: checks(
-				httpStatus(http.StatusInternalServerError),
-				bodyContains("no rootdir"),
-			),
-		},
-		{
-			name:       "bad_method",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("POST", "/v0/put/foo", nil),
-			checks: checks(
-				httpStatus(405),
-				bodyContains("expected method PUT"),
-			),
-		},
-		{
-			name:       "put_zero_length",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("{}"),
-				fileHasSize("foo", 0),
-				fileHasContents("foo", ""),
-			),
-		},
-		{
-			name:       "put_non_zero_length_content_length",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents")),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("{}"),
-				fileHasSize("foo", len("contents")),
-				fileHasContents("foo", "contents"),
-			),
-		},
-		{
-			name:       "put_non_zero_length_chunked",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo", struct{ io.Reader }{strings.NewReader("contents")}),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("{}"),
-				fileHasSize("foo", len("contents")),
-				fileHasContents("foo", "contents"),
-			),
-		},
-		{
-			name:       "bad_filename_partial",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo.partial", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_dot",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/.", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_empty",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("empty filename"),
-			),
-		},
-		{
-			name:       "bad_filename_slash",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/foo/bar", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("directories not supported"),
-			),
-		},
-		{
-			name:       "bad_filename_encoded_dot",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("."), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_encoded_slash",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("/"), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_encoded_backslash",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("\\"), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_encoded_dotdot",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll(".."), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "bad_filename_encoded_dotdot_out",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("foo/../../../../../etc/passwd"), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "put_spaces_and_caps",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("Foo Bar.dat"), strings.NewReader("baz")),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("{}"),
-				fileHasContents("Foo Bar.dat", "baz"),
-			),
-		},
-		{
-			name:       "put_unicode",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("Томас и его друзья.mp3"), strings.NewReader("главный озорник")),
-			checks: checks(
-				httpStatus(200),
-				bodyContains("{}"),
-				fileHasContents("Томас и его друзья.mp3", "главный озорник"),
-			),
-		},
-		{
-			name:       "put_invalid_utf8",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+(hexAll("😜")[:3]), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "put_invalid_null",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/%00", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "put_invalid_non_printable",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/%01", nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "put_invalid_colon",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll("nul:"), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-		{
-			name:       "put_invalid_surrounding_whitespace",
-			isSelf:     true,
-			capSharing: true,
-			req:        httptest.NewRequest("PUT", "/v0/put/"+hexAll(" foo "), nil),
-			checks: checks(
-				httpStatus(400),
-				bodyContains("bad filename"),
-			),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var caps []string
-			if tt.capSharing {
-				caps = append(caps, tailcfg.CapabilityFileSharing)
-			}
-			var e peerAPITestEnv
-			lb := &LocalBackend{
-				netMap: &netmap.NetworkMap{
-					SelfNode: &tailcfg.Node{
-						Capabilities: caps,
-					},
-				},
-				logf: e.logf,
-			}
-			e.ph = &peerAPIHandler{
-				isSelf: tt.isSelf,
-				peerNode: &tailcfg.Node{
-					ComputedName: "some-peer-name",
-				},
-				ps: &peerAPIServer{
-					b: lb,
-				},
-			}
-			var rootDir string
-			if !tt.omitRoot {
-				rootDir = t.TempDir()
-				e.ph.ps.rootDir = rootDir
-			}
-			e.rr = httptest.NewRecorder()
-			e.ph.ServeHTTP(e.rr, tt.req)
-			for _, f := range tt.checks {
-				f(t, &e)
-			}
-			if t.Failed() && rootDir != "" {
-				t.Logf("Contents of %s:", rootDir)
-				des, _ := fs.ReadDir(os.DirFS(rootDir), ".")
-				for _, de := range des {
-					fi, err := de.Info()
-					if err != nil {
-						t.Log(err)
-					} else {
-						t.Logf("  %v %5d %s", fi.Mode(), fi.Size(), de.Name())
-					}
-				}
-			}
-		})
-	}
-}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -63,6 +63,16 @@ type Options struct {
 	// waits for a frontend to start it.
 	AutostartStateKey ipn.StateKey

+	// LegacyConfigPath optionally specifies the old-style relaynode
+	// relay.conf location. If both LegacyConfigPath and
+	// AutostartStateKey are specified and the requested state doesn't
+	// exist in the backend store, the backend migrates the config
+	// from LegacyConfigPath.
+	//
+	// TODO(danderson): remove some time after the transition to
+	// tailscaled is done.
+	LegacyConfigPath string
+
 	// SurviveDisconnects specifies how the server reacts to its
 	// frontend disconnecting. If true, the server keeps running on
 	// its existing state, and accepts new frontend connections. If
@@ -87,9 +97,8 @@ type Options struct {
 // server is an IPN backend and its set of 0 or more active connections
 // talking to an IPN backend.
 type server struct {
-	b            *ipnlocal.LocalBackend
-	logf         logger.Logf
-	backendLogID string
+	b    *ipnlocal.LocalBackend
+	logf logger.Logf
 	// resetOnZero is whether to call bs.Reset on transition from
 	// 1->0 connections.  That is, this is whether the backend is
 	// being run in "client mode" that requires an active GUI
@@ -287,7 +296,7 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	defer s.removeAndCloseConn(c)
 	logf("[v1] incoming control connection")

-	if isReadonlyConn(ci, s.b.OperatorUserID(), logf) {
+	if isReadonlyConn(ci, logf) {
 		ctx = ipn.ReadonlyContextOf(ctx)
 	}

@@ -313,7 +322,7 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	}
 }

-func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool {
+func isReadonlyConn(ci connIdentity, logf logger.Logf) bool {
 	if runtime.GOOS == "windows" {
 		// Windows doesn't need/use this mechanism, at least yet. It
 		// has a different last-user-wins auth model.
@@ -342,10 +351,6 @@ func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool
 		logf("connection from userid %v; connection from non-root user matching daemon has access", uid)
 		return rw
 	}
-	if operatorUID != "" && uid == operatorUID {
-		logf("connection from userid %v; is configured operator", uid)
-		return rw
-	}
 	var adminGroupID string
 	switch runtime.GOOS {
 	case "darwin":
@@ -439,7 +444,7 @@ func (s *server) localAPIPermissions(ci connIdentity) (read, write bool) {
 		return false, false
 	}
 	if ci.IsUnixSock {
-		return true, !isReadonlyConn(ci, s.b.OperatorUserID(), logger.Discard)
+		return true, !isReadonlyConn(ci, logger.Discard)
 	}
 	return false, false
 }
@@ -476,7 +481,9 @@ func (s *server) addConn(c net.Conn, isHTTP bool) (ci connIdentity, err error) {
 	defer func() {
 		if doReset {
 			s.logf("identity changed; resetting server")
-			s.b.ResetForClientDisconnect()
+			s.bsMu.Lock()
+			s.bs.Reset(context.TODO())
+			s.bsMu.Unlock()
 		}
 	}()

@@ -526,7 +533,9 @@ func (s *server) removeAndCloseConn(c net.Conn) {
 			s.logf("client disconnected; staying alive in server mode")
 		} else {
 			s.logf("client disconnected; stopping server")
-			s.b.ResetForClientDisconnect()
+			s.bsMu.Lock()
+			s.bs.Reset(context.TODO())
+			s.bsMu.Unlock()
 		}
 	}
 	c.Close()
@@ -592,7 +601,6 @@ func (s *server) writeToClients(b []byte) {
 // Run runs a Tailscale backend service.
 // The getEngine func is called repeatedly, once per connection, until it returns an engine successfully.
 func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (wgengine.Engine, error), opts Options) error {
-	getEngine = getEngineUntilItWorksWrapper(getEngine)
 	runDone := make(chan struct{})
 	defer close(runDone)

@@ -602,9 +610,8 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	}

 	server := &server{
-		backendLogID: logid,
-		logf:         logf,
-		resetOnZero:  !opts.SurviveDisconnects,
+		logf:        logf,
+		resetOnZero: !opts.SurviveDisconnects,
 	}

 	// When the context is closed or when we return, whichever is first, close our listner
@@ -653,6 +660,46 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	eng, err := getEngine()
 	if err != nil {
 		logf("ipnserver: initial getEngine call: %v", err)
+
+		// Issue 1187: on Windows, in unattended mode,
+		// sometimes we try 5 times and fail to create the
+		// engine before the system's ready. Hack until the
+		// bug if fixed properly: if we're running in
+		// unattended mode on Windows, keep trying forever,
+		// waiting for the machine to be ready (networking to
+		// come up?) and then dial our own safesocket TCP
+		// listener to wake up the usual mechanism that lets
+		// us surface getEngine errors to UI clients. (We
+		// don't want to just call getEngine in a loop without
+		// the listener.Accept, as we do want to handle client
+		// connections so we can tell them about errors)
+
+		bootRaceWaitForEngine, bootRaceWaitForEngineCancel := context.WithTimeout(context.Background(), time.Minute)
+		if runtime.GOOS == "windows" && opts.AutostartStateKey != "" {
+			logf("ipnserver: in unattended mode, waiting for engine availability")
+			getEngine = getEngineUntilItWorksWrapper(getEngine)
+			// Wait for it to be ready.
+			go func() {
+				defer bootRaceWaitForEngineCancel()
+				t0 := time.Now()
+				for {
+					time.Sleep(10 * time.Second)
+					if _, err := getEngine(); err != nil {
+						logf("ipnserver: unattended mode engine load: %v", err)
+						continue
+					}
+					c, err := net.Dial("tcp", listen.Addr().String())
+					logf("ipnserver: engine created after %v; waking up Accept: Dial error: %v", time.Since(t0).Round(time.Second), err)
+					if err == nil {
+						c.Close()
+					}
+					break
+				}
+			}()
+		} else {
+			bootRaceWaitForEngineCancel()
+		}
+
 		for i := 1; ctx.Err() == nil; i++ {
 			c, err := listen.Accept()
 			if err != nil {
@@ -660,6 +707,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 				bo.BackOff(ctx, err)
 				continue
 			}
+			<-bootRaceWaitForEngine.Done()
 			logf("ipnserver: try%d: trying getEngine again...", i)
 			eng, err = getEngine()
 			if err == nil {
@@ -704,7 +752,10 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		server.bs.GotCommand(context.TODO(), &ipn.Command{
 			Version: version.Long,
 			Start: &ipn.StartArgs{
-				Opts: ipn.Options{StateKey: opts.AutostartStateKey},
+				Opts: ipn.Options{
+					StateKey:         opts.AutostartStateKey,
+					LegacyConfigPath: opts.LegacyConfigPath,
+				},
 			},
 		})
 	}
@@ -931,7 +982,7 @@ func (psc *protoSwitchConn) Close() error {
 }

 func (s *server) localhostHandler(ci connIdentity) http.Handler {
-	lah := localapi.NewHandler(s.b, s.logf, s.backendLogID)
+	lah := localapi.NewHandler(s.b)
 	lah.PermitRead, lah.PermitWrite = s.localAPIPermissions(ci)

 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -71,8 +71,7 @@ type PeerStatus struct {
 	OS        string // HostInfo.OS
 	UserID    tailcfg.UserID

-	TailAddrDeprecated string       `json:"TailAddr"` // Tailscale IP
-	TailscaleIPs       []netaddr.IP // Tailscale IP(s) assigned to this node
+	TailAddr string // Tailscale IP

 	// Endpoints:
 	Addrs   []string
@@ -88,8 +87,7 @@ type PeerStatus struct {
 	KeepAlive     bool
 	ExitNode      bool // true if this is the currently selected exit node.

-	PeerAPIURL   []string
-	Capabilities []string `json:",omitempty"`
+	PeerAPIURL []string

 	// ShareeNode indicates this node exists in the netmap because
 	// it's owned by a shared-to user and that node might connect
@@ -215,11 +213,8 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if v := st.UserID; v != 0 {
 		e.UserID = v
 	}
-	if v := st.TailAddrDeprecated; v != "" {
-		e.TailAddrDeprecated = v
-	}
-	if v := st.TailscaleIPs; v != nil {
-		e.TailscaleIPs = v
+	if v := st.TailAddr; v != "" {
+		e.TailAddr = v
 	}
 	if v := st.OS; v != "" {
 		e.OS = st.OS
@@ -348,17 +343,13 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 			hostNameHTML = "<br>" + html.EscapeString(hostName)
 		}

-		var tailAddr string
-		if len(ps.TailscaleIPs) > 0 {
-			tailAddr = ps.TailscaleIPs[0].String()
-		}
 		f("<tr><td>%s</td><td class=acenter>%s</td>"+
 			"<td><b>%s</b>%s<div class=\"tailaddr\">%s</div></td><td class=\"acenter owner\">%s</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td><td class=\"aright\">%v</td>",
 			ps.PublicKey.ShortString(),
 			osEmoji(ps.OS),
 			html.EscapeString(dnsName),
 			hostNameHTML,
-			tailAddr,
+			ps.TailAddr,
 			html.EscapeString(owner),
 			ps.RxBytes,
 			ps.TxBytes,
@@ -446,9 +437,5 @@ func sortKey(ps *PeerStatus) string {
 	if ps.HostName != "" {
 		return ps.HostName
 	}
-	// TODO(bradfitz): add PeerStatus.Less and avoid these allocs in a Less func.
-	if len(ps.TailscaleIPs) > 0 {
-		return ps.TailscaleIPs[0].String()
-	}
-	return string(ps.PublicKey[:])
+	return ps.TailAddr
 }
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -6,40 +6,20 @@
 package localapi

 import (
-	"crypto/rand"
-	"encoding/hex"
 	"encoding/json"
-	"errors"
-	"fmt"
 	"io"
-	"net"
 	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"reflect"
 	"runtime"
 	"strconv"
-	"strings"
-	"sync"
-	"time"

 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 )

-func randHex(n int) string {
-	b := make([]byte, n)
-	rand.Read(b)
-	return hex.EncodeToString(b)
-}
-
-func NewHandler(b *ipnlocal.LocalBackend, logf logger.Logf, logID string) *Handler {
-	return &Handler{b: b, logf: logf, backendLogID: logID}
+func NewHandler(b *ipnlocal.LocalBackend) *Handler {
+	return &Handler{b: b}
 }

 type Handler struct {
@@ -54,9 +34,7 @@ type Handler struct {
 	// PermitWrite is whether mutating HTTP handlers are allowed.
 	PermitWrite bool

-	b            *ipnlocal.LocalBackend
-	logf         logger.Logf
-	backendLogID string
+	b *ipnlocal.LocalBackend
 }

 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -75,14 +53,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/files/") {
-		h.serveFiles(w, r)
-		return
-	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/file-put/") {
-		h.serveFilePut(w, r)
-		return
-	}
 	switch r.URL.Path {
 	case "/localapi/v0/whois":
 		h.serveWhoIs(w, r)
@@ -90,38 +60,11 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveGoroutines(w, r)
 	case "/localapi/v0/status":
 		h.serveStatus(w, r)
-	case "/localapi/v0/logout":
-		h.serveLogout(w, r)
-	case "/localapi/v0/prefs":
-		h.servePrefs(w, r)
-	case "/localapi/v0/check-ip-forwarding":
-		h.serveCheckIPForwarding(w, r)
-	case "/localapi/v0/bugreport":
-		h.serveBugReport(w, r)
-	case "/localapi/v0/file-targets":
-		h.serveFileTargets(w, r)
-	case "/":
-		io.WriteString(w, "tailscaled\n")
 	default:
-		http.Error(w, "404 not found", 404)
+		io.WriteString(w, "tailscaled\n")
 	}
 }

-func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "bugreport access denied", http.StatusForbidden)
-		return
-	}
-
-	logMarker := fmt.Sprintf("BUG-%v-%v-%v", h.backendLogID, time.Now().UTC().Format("20060102150405Z"), randHex(8))
-	h.logf("user bugreport: %s", logMarker)
-	if note := r.FormValue("note"); len(note) > 0 {
-		h.logf("user bugreport note: %s", note)
-	}
-	w.Header().Set("Content-Type", "text/plain")
-	fmt.Fprintln(w, logMarker)
-}
-
 func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "whois access denied", http.StatusForbidden)
@@ -145,7 +88,7 @@ func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "no match for IP:port", 404)
 		return
 	}
-	res := &apitype.WhoIsResponse{
+	res := &tailcfg.WhoIsResponse{
 		Node:        n,
 		UserProfile: &u,
 	}
@@ -171,23 +114,6 @@ func (h *Handler) serveGoroutines(w http.ResponseWriter, r *http.Request) {
 	w.Write(buf)
 }

-func (h *Handler) serveCheckIPForwarding(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "IP forwarding check access denied", http.StatusForbidden)
-		return
-	}
-	var warning string
-	if err := h.b.CheckIPForwarding(); err != nil {
-		warning = err.Error()
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(struct {
-		Warning string
-	}{
-		Warning: warning,
-	})
-}
-
 func (h *Handler) serveStatus(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "status access denied", http.StatusForbidden)
@@ -205,203 +131,6 @@ func (h *Handler) serveStatus(w http.ResponseWriter, r *http.Request) {
 	e.Encode(st)
 }

-func (h *Handler) serveLogout(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "logout access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "want POST", 400)
-		return
-	}
-	err := h.b.LogoutSync(r.Context())
-	if err == nil {
-		w.WriteHeader(http.StatusNoContent)
-		return
-	}
-	http.Error(w, err.Error(), 500)
-}
-
-func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "prefs access denied", http.StatusForbidden)
-		return
-	}
-	var prefs *ipn.Prefs
-	switch r.Method {
-	case "PATCH":
-		if !h.PermitWrite {
-			http.Error(w, "prefs write access denied", http.StatusForbidden)
-			return
-		}
-		mp := new(ipn.MaskedPrefs)
-		if err := json.NewDecoder(r.Body).Decode(mp); err != nil {
-			http.Error(w, err.Error(), 400)
-			return
-		}
-		var err error
-		prefs, err = h.b.EditPrefs(mp)
-		if err != nil {
-			http.Error(w, err.Error(), 400)
-			return
-		}
-	case "GET", "HEAD":
-		prefs = h.b.Prefs()
-	default:
-		http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	e := json.NewEncoder(w)
-	e.SetIndent("", "\t")
-	e.Encode(prefs)
-}
-
-func (h *Handler) serveFiles(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "file access denied", http.StatusForbidden)
-		return
-	}
-	suffix := strings.TrimPrefix(r.URL.Path, "/localapi/v0/files/")
-	if suffix == "" {
-		if r.Method != "GET" {
-			http.Error(w, "want GET to list files", 400)
-			return
-		}
-		wfs, err := h.b.WaitingFiles()
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(wfs)
-		return
-	}
-	name, err := url.PathUnescape(suffix)
-	if err != nil {
-		http.Error(w, "bad filename", 400)
-		return
-	}
-	if r.Method == "DELETE" {
-		if err := h.b.DeleteFile(name); err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		w.WriteHeader(http.StatusNoContent)
-		return
-	}
-	rc, size, err := h.b.OpenFile(name)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-	defer rc.Close()
-	w.Header().Set("Content-Length", fmt.Sprint(size))
-	io.Copy(w, rc)
-}
-
-func writeErrorJSON(w http.ResponseWriter, err error) {
-	if err == nil {
-		err = errors.New("unexpected nil error")
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(500)
-	type E struct {
-		Error string `json:"error"`
-	}
-	json.NewEncoder(w).Encode(E{err.Error()})
-}
-
-func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitRead {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "GET" {
-		http.Error(w, "want GET to list targets", 400)
-		return
-	}
-	fts, err := h.b.FileTargets()
-	if err != nil {
-		writeErrorJSON(w, err)
-		return
-	}
-	makeNonNil(&fts)
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(fts)
-}
-
-func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "file access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "PUT" {
-		http.Error(w, "want PUT to put file", 400)
-		return
-	}
-	fts, err := h.b.FileTargets()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-
-	upath := strings.TrimPrefix(r.URL.EscapedPath(), "/localapi/v0/file-put/")
-	slash := strings.Index(upath, "/")
-	if slash == -1 {
-		http.Error(w, "bogus URL", 400)
-		return
-	}
-	stableID, filenameEscaped := tailcfg.StableNodeID(upath[:slash]), upath[slash+1:]
-
-	var ft *apitype.FileTarget
-	for _, x := range fts {
-		if x.Node.StableID == stableID {
-			ft = x
-			break
-		}
-	}
-	if ft == nil {
-		http.Error(w, "node not found", 404)
-		return
-	}
-	dstURL, err := url.Parse(ft.PeerAPIURL)
-	if err != nil {
-		http.Error(w, "bogus peer URL", 500)
-		return
-	}
-	outReq, err := http.NewRequestWithContext(r.Context(), "PUT", "http://peer/v0/put/"+filenameEscaped, r.Body)
-	if err != nil {
-		http.Error(w, "bogus outreq", 500)
-		return
-	}
-	outReq.ContentLength = r.ContentLength
-
-	rp := httputil.NewSingleHostReverseProxy(dstURL)
-	rp.Transport = getDialPeerTransport(h.b)
-	rp.ServeHTTP(w, outReq)
-}
-
-var dialPeerTransportOnce struct {
-	sync.Once
-	v *http.Transport
-}
-
-func getDialPeerTransport(b *ipnlocal.LocalBackend) *http.Transport {
-	dialPeerTransportOnce.Do(func() {
-		t := http.DefaultTransport.(*http.Transport).Clone()
-		t.Dial = nil //lint:ignore SA1019 yes I know I'm setting it to nil defensively
-		dialer := net.Dialer{
-			Timeout:   30 * time.Second,
-			KeepAlive: 30 * time.Second,
-			Control:   b.PeerDialControlFunc(),
-		}
-		t.DialContext = dialer.DialContext
-		dialPeerTransportOnce.v = t
-	})
-	return dialPeerTransportOnce.v
-}
-
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def
@@ -412,30 +141,3 @@ func defBool(a string, def bool) bool {
 	}
 	return v
 }
-
-// makeNonNil takes a pointer to a Go data structure
-// (currently only a slice or a map) and makes sure it's non-nil for
-// JSON serialization. (In particular, JavaScript clients usually want
-// the field to be defined after they decode the JSON.)
-func makeNonNil(ptr interface{}) {
-	if ptr == nil {
-		panic("nil interface")
-	}
-	rv := reflect.ValueOf(ptr)
-	if rv.Kind() != reflect.Ptr {
-		panic(fmt.Sprintf("kind %v, not Ptr", rv.Kind()))
-	}
-	if rv.Pointer() == 0 {
-		panic("nil pointer")
-	}
-	rv = rv.Elem()
-	if rv.Pointer() != 0 {
-		return
-	}
-	switch rv.Type().Kind() {
-	case reflect.Slice:
-		rv.Set(reflect.MakeSlice(rv.Type(), 0, 0))
-	case reflect.Map:
-		rv.Set(reflect.MakeMap(rv.Type()))
-	}
-}
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -80,6 +80,7 @@ type Command struct {
 	Login                 *tailcfg.Oauth2Token
 	Logout                *NoArgs
 	SetPrefs              *SetPrefsArgs
+	SetWantRunning        *bool
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
 	FakeExpireAfter       *FakeExpireAfterArgs
@@ -94,13 +95,11 @@ type BackendServer struct {
 }

 func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte)) *BackendServer {
-	bs := &BackendServer{
+	return &BackendServer{
 		logf:          logf,
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	b.SetNotifyCallback(bs.send)
-	return bs
 }

 func (bs *BackendServer) send(n Notify) {
@@ -143,6 +142,11 @@ func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
 	return bs.GotCommand(ctx, cmd)
 }

+func (bs *BackendServer) GotFakeCommand(ctx context.Context, cmd *Command) error {
+	cmd.Version = version.Long
+	return bs.GotCommand(ctx, cmd)
+}
+
 // ErrMsgPermissionDenied is the Notify.ErrMessage value used an
 // operation was done from a user/context that didn't have permission.
 const ErrMsgPermissionDenied = "permission denied"
@@ -186,6 +190,7 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 		return errors.New("Quit command received")
 	} else if c := cmd.Start; c != nil {
 		opts := c.Opts
+		opts.Notify = bs.send
 		return bs.b.Start(opts)
 	} else if c := cmd.StartLoginInteractive; c != nil {
 		bs.b.StartLoginInteractive()
@@ -199,6 +204,9 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
+	} else if c := cmd.SetWantRunning; c != nil {
+		bs.b.SetWantRunning(*c)
+		return nil
 	} else if c := cmd.FakeExpireAfter; c != nil {
 		bs.b.FakeExpireAfter(c.Duration)
 		return nil
@@ -206,6 +214,12 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	return fmt.Errorf("BackendServer.Do: no command specified")
 }

+func (bs *BackendServer) Reset(ctx context.Context) error {
+	// Tell the backend we got a Logout command, which will cause it
+	// to forget all its authentication information.
+	return bs.GotFakeCommand(ctx, &Command{Logout: &NoArgs{}})
+}
+
 type BackendClient struct {
 	logf           logger.Logf
 	sendCommandMsg func(jsonb []byte)
@@ -233,7 +247,7 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 	}
 	n := Notify{}
 	if err := json.Unmarshal(b, &n); err != nil {
-		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d, %#q): %v", len(b), b, err)
+		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d)\n%#v", len(b), string(b))
 	}
 	if n.Version != version.Long && !bc.AllowVersionSkew {
 		vs := fmt.Sprintf("GotNotify: Version mismatch! frontend=%#v backend=%#v",
@@ -273,6 +287,8 @@ func (bc *BackendClient) Quit() error {
 }

 func (bc *BackendClient) Start(opts Options) error {
+	bc.notify = opts.Notify
+	opts.Notify = nil // server can't call our function pointer
 	bc.send(Command{Start: &StartArgs{Opts: opts}})
 	return nil // remote Start() errors must be handled remotely
 }
@@ -312,6 +328,10 @@ func (bc *BackendClient) Ping(ip string, useTSMP bool) {
 	}})
 }

+func (bc *BackendClient) SetWantRunning(v bool) {
+	bc.send(Command{SetWantRunning: &v})
+}
+
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20

--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -90,11 +90,13 @@ func TestClientServer(t *testing.T) {
 	bc = NewBackendClient(clogf, clientToServer)

 	ch := make(chan Notify, 256)
-	notify := func(n Notify) { ch <- n }
-	h, err := NewHandle(bc, clogf, notify, Options{
+	h, err := NewHandle(bc, clogf, Options{
 		Prefs: &Prefs{
 			ControlURL: "http://example.com/fake",
 		},
+		Notify: func(n Notify) {
+			ch <- n
+		},
 	})
 	if err != nil {
 		t.Fatalf("NewHandle error: %v\n", err)
--- a/ipn/policy/policy.go
+++ b/ipn/policy/policy.go
@@ -6,17 +6,12 @@
 // shared between the node client & control server.
 package policy

-import (
-	"tailscale.com/tailcfg"
-)
+import "tailscale.com/tailcfg"

 // IsInterestingService reports whether service s on the given operating
 // system (a version.OS value) is an interesting enough port to report
 // to our peer nodes for discovery purposes.
 func IsInterestingService(s tailcfg.Service, os string) bool {
-	if s.Proto == "peerapi4" || s.Proto == "peerapi6" {
-		return true
-	}
 	if s.Proto != tailcfg.TCP {
 		return false
 	}
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -12,7 +12,6 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"reflect"
 	"runtime"
 	"strings"

@@ -25,18 +24,9 @@ import (

 //go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go

-// DefaultControlURL returns the URL base of the control plane
-// ("coordination server") for use when no explicit one is configured.
-// The default control plane is the hosted version run by Tailscale.com.
-const DefaultControlURL = "https://login.tailscale.com"
-
 // Prefs are the user modifiable settings of the Tailscale node agent.
 type Prefs struct {
 	// ControlURL is the URL of the control server to use.
-	//
-	// If empty, the default for new installs, DefaultControlURL
-	// is used. It's set non-empty once the daemon has been started
-	// for the first time.
 	ControlURL string

 	// RouteAll specifies whether to accept subnets advertised by
@@ -75,10 +65,6 @@ type Prefs struct {
 	ExitNodeID tailcfg.StableNodeID
 	ExitNodeIP netaddr.IP

-	// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
-	// routed directly or via the exit node.
-	ExitNodeAllowLANAccess bool
-
 	// CorpDNS specifies whether to install the Tailscale network's
 	// DNS configuration, if it exists.
 	CorpDNS bool
@@ -153,10 +139,6 @@ type Prefs struct {
 	// Tailscale, if at all.
 	NetfilterMode preftype.NetfilterMode

-	// OperatorUser is the local machine user name who is allowed to
-	// operate tailscaled without being root or using sudo.
-	OperatorUser string `json:",omitempty"`
-
 	// The Persist field is named 'Config' in the file for backward
 	// compatibility with earlier versions.
 	// TODO(apenwarr): We should move this out of here, it's not a pref.
@@ -165,75 +147,6 @@ type Prefs struct {
 	Persist *persist.Persist `json:"Config"`
 }

-// MaskedPrefs is a Prefs with an associated bitmask of which fields are set.
-type MaskedPrefs struct {
-	Prefs
-
-	ControlURLSet             bool `json:",omitempty"`
-	RouteAllSet               bool `json:",omitempty"`
-	AllowSingleHostsSet       bool `json:",omitempty"`
-	ExitNodeIDSet             bool `json:",omitempty"`
-	ExitNodeIPSet             bool `json:",omitempty"`
-	ExitNodeAllowLANAccessSet bool `json:",omitempty"`
-	CorpDNSSet                bool `json:",omitempty"`
-	WantRunningSet            bool `json:",omitempty"`
-	ShieldsUpSet              bool `json:",omitempty"`
-	AdvertiseTagsSet          bool `json:",omitempty"`
-	HostnameSet               bool `json:",omitempty"`
-	OSVersionSet              bool `json:",omitempty"`
-	DeviceModelSet            bool `json:",omitempty"`
-	NotepadURLsSet            bool `json:",omitempty"`
-	ForceDaemonSet            bool `json:",omitempty"`
-	AdvertiseRoutesSet        bool `json:",omitempty"`
-	NoSNATSet                 bool `json:",omitempty"`
-	NetfilterModeSet          bool `json:",omitempty"`
-	OperatorUserSet           bool `json:",omitempty"`
-}
-
-// ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs
-// Set field that's true.
-func (p *Prefs) ApplyEdits(m *MaskedPrefs) {
-	if p == nil {
-		panic("can't edit nil Prefs")
-	}
-	pv := reflect.ValueOf(p).Elem()
-	mv := reflect.ValueOf(m).Elem()
-	mpv := reflect.ValueOf(&m.Prefs).Elem()
-	fields := mv.NumField()
-	for i := 1; i < fields; i++ {
-		if mv.Field(i).Bool() {
-			newFieldValue := mpv.Field(i - 1)
-			pv.Field(i - 1).Set(newFieldValue)
-		}
-	}
-}
-
-func (m *MaskedPrefs) Pretty() string {
-	if m == nil {
-		return "MaskedPrefs{<nil>}"
-	}
-	var sb strings.Builder
-	sb.WriteString("MaskedPrefs{")
-	mv := reflect.ValueOf(m).Elem()
-	mt := mv.Type()
-	mpv := reflect.ValueOf(&m.Prefs).Elem()
-	first := true
-	for i := 1; i < mt.NumField(); i++ {
-		name := mt.Field(i).Name
-		if mv.Field(i).Bool() {
-			if !first {
-				sb.WriteString(" ")
-			}
-			first = false
-			fmt.Fprintf(&sb, "%s=%#v",
-				strings.TrimSuffix(name, "Set"),
-				mpv.Field(i-1).Interface())
-		}
-	}
-	sb.WriteString("}")
-	return sb.String()
-}
-
 // IsEmpty reports whether p is nil or pointing to a Prefs zero value.
 func (p *Prefs) IsEmpty() bool { return p == nil || p.Equals(&Prefs{}) }

@@ -256,9 +169,9 @@ func (p *Prefs) pretty(goos string) string {
 		sb.WriteString("shields=true ")
 	}
 	if !p.ExitNodeIP.IsZero() {
-		fmt.Fprintf(&sb, "exit=%v lan=%t ", p.ExitNodeIP, p.ExitNodeAllowLANAccess)
+		fmt.Fprintf(&sb, "exit=%v ", p.ExitNodeIP)
 	} else if !p.ExitNodeID.IsZero() {
-		fmt.Fprintf(&sb, "exit=%v lan=%t ", p.ExitNodeID, p.ExitNodeAllowLANAccess)
+		fmt.Fprintf(&sb, "exit=%v ", p.ExitNodeID)
 	}
 	if len(p.AdvertiseRoutes) > 0 || goos == "linux" {
 		fmt.Fprintf(&sb, "routes=%v ", p.AdvertiseRoutes)
@@ -272,15 +185,9 @@ func (p *Prefs) pretty(goos string) string {
 	if goos == "linux" {
 		fmt.Fprintf(&sb, "nf=%v ", p.NetfilterMode)
 	}
-	if p.ControlURL != "" && p.ControlURL != DefaultControlURL {
+	if p.ControlURL != "" && p.ControlURL != "https://login.tailscale.com" {
 		fmt.Fprintf(&sb, "url=%q ", p.ControlURL)
 	}
-	if p.Hostname != "" {
-		fmt.Fprintf(&sb, "host=%q ", p.Hostname)
-	}
-	if p.OperatorUser != "" {
-		fmt.Fprintf(&sb, "op=%q ", p.OperatorUser)
-	}
 	if p.Persist != nil {
 		sb.WriteString(p.Persist.Pretty())
 	} else {
@@ -312,14 +219,12 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.AllowSingleHosts == p2.AllowSingleHosts &&
 		p.ExitNodeID == p2.ExitNodeID &&
 		p.ExitNodeIP == p2.ExitNodeIP &&
-		p.ExitNodeAllowLANAccess == p2.ExitNodeAllowLANAccess &&
 		p.CorpDNS == p2.CorpDNS &&
 		p.WantRunning == p2.WantRunning &&
 		p.NotepadURLs == p2.NotepadURLs &&
 		p.ShieldsUp == p2.ShieldsUp &&
 		p.NoSNAT == p2.NoSNAT &&
 		p.NetfilterMode == p2.NetfilterMode &&
-		p.OperatorUser == p2.OperatorUser &&
 		p.Hostname == p2.Hostname &&
 		p.OSVersion == p2.OSVersion &&
 		p.DeviceModel == p2.DeviceModel &&
@@ -353,36 +258,20 @@ func compareStrings(a, b []string) bool {
 	return true
 }

-// NewPrefs returns the default preferences to use.
 func NewPrefs() *Prefs {
-	// Provide default values for options which might be missing
-	// from the json data for any reason. The json can still
-	// override them to false.
 	return &Prefs{
-		// ControlURL is explicitly not set to signal that
-		// it's not yet configured, which relaxes the CLI "up"
-		// safety net features. It will get set to DefaultControlURL
-		// on first up. Or, if not, DefaultControlURL will be used
-		// later anyway.
-		ControlURL: "",
-
+		// Provide default values for options which might be missing
+		// from the json data for any reason. The json can still
+		// override them to false.
+		ControlURL:       "https://login.tailscale.com",
 		RouteAll:         true,
 		AllowSingleHosts: true,
 		CorpDNS:          true,
-		WantRunning:      false,
+		WantRunning:      true,
 		NetfilterMode:    preftype.NetfilterOn,
 	}
 }

-// ControlURLOrDefault returns the coordination server's URL base.
-// If not configured, DefaultControlURL is returned instead.
-func (p *Prefs) ControlURLOrDefault() string {
-	if p.ControlURL != "" {
-		return p.ControlURL
-	}
-	return DefaultControlURL
-}
-
 // PrefsFromBytes deserializes Prefs from a JSON blob. If
 // enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
 // are forced on.
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -33,24 +33,22 @@ func (src *Prefs) Clone() *Prefs {
 // A compilation failure here means this code must be regenerated, with command:
 //   tailscale.com/cmd/cloner -type Prefs
 var _PrefsNeedsRegeneration = Prefs(struct {
-	ControlURL             string
-	RouteAll               bool
-	AllowSingleHosts       bool
-	ExitNodeID             tailcfg.StableNodeID
-	ExitNodeIP             netaddr.IP
-	ExitNodeAllowLANAccess bool
-	CorpDNS                bool
-	WantRunning            bool
-	ShieldsUp              bool
-	AdvertiseTags          []string
-	Hostname               string
-	OSVersion              string
-	DeviceModel            string
-	NotepadURLs            bool
-	ForceDaemon            bool
-	AdvertiseRoutes        []netaddr.IPPrefix
-	NoSNAT                 bool
-	NetfilterMode          preftype.NetfilterMode
-	OperatorUser           string
-	Persist                *persist.Persist
+	ControlURL       string
+	RouteAll         bool
+	AllowSingleHosts bool
+	ExitNodeID       tailcfg.StableNodeID
+	ExitNodeIP       netaddr.IP
+	CorpDNS          bool
+	WantRunning      bool
+	ShieldsUp        bool
+	AdvertiseTags    []string
+	Hostname         string
+	OSVersion        string
+	DeviceModel      string
+	NotepadURLs      bool
+	ForceDaemon      bool
+	AdvertiseRoutes  []netaddr.IPPrefix
+	NoSNAT           bool
+	NetfilterMode    preftype.NetfilterMode
+	Persist          *persist.Persist
 }{})
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -5,13 +5,11 @@
 package ipn

 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"reflect"
-	"strings"
 	"testing"
 	"time"

@@ -33,28 +31,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 func TestPrefsEqual(t *testing.T) {
 	tstest.PanicOnLog()

-	prefsHandles := []string{
-		"ControlURL",
-		"RouteAll",
-		"AllowSingleHosts",
-		"ExitNodeID",
-		"ExitNodeIP",
-		"ExitNodeAllowLANAccess",
-		"CorpDNS",
-		"WantRunning",
-		"ShieldsUp",
-		"AdvertiseTags",
-		"Hostname",
-		"OSVersion",
-		"DeviceModel",
-		"NotepadURLs",
-		"ForceDaemon",
-		"AdvertiseRoutes",
-		"NoSNAT",
-		"NetfilterMode",
-		"OperatorUser",
-		"Persist",
-	}
+	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "ExitNodeID", "ExitNodeIP", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "ForceDaemon", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) {
 		t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, prefsHandles)
@@ -145,17 +122,6 @@ func TestPrefsEqual(t *testing.T) {
 			true,
 		},

-		{
-			&Prefs{},
-			&Prefs{ExitNodeAllowLANAccess: true},
-			false,
-		},
-		{
-			&Prefs{ExitNodeAllowLANAccess: true},
-			&Prefs{ExitNodeAllowLANAccess: true},
-			true,
-		},
-
 		{
 			&Prefs{CorpDNS: true},
 			&Prefs{CorpDNS: false},
@@ -416,36 +382,14 @@ func TestPrefsPretty(t *testing.T) {
 				ExitNodeIP: netaddr.MustParseIP("1.2.3.4"),
 			},
 			"linux",
-			`Prefs{ra=false mesh=false dns=false want=false exit=1.2.3.4 lan=false routes=[] nf=off Persist=nil}`,
+			`Prefs{ra=false mesh=false dns=false want=false exit=1.2.3.4 routes=[] nf=off Persist=nil}`,
 		},
 		{
 			Prefs{
 				ExitNodeID: tailcfg.StableNodeID("myNodeABC"),
 			},
 			"linux",
-			`Prefs{ra=false mesh=false dns=false want=false exit=myNodeABC lan=false routes=[] nf=off Persist=nil}`,
-		},
-		{
-			Prefs{
-				ExitNodeID:             tailcfg.StableNodeID("myNodeABC"),
-				ExitNodeAllowLANAccess: true,
-			},
-			"linux",
-			`Prefs{ra=false mesh=false dns=false want=false exit=myNodeABC lan=true routes=[] nf=off Persist=nil}`,
-		},
-		{
-			Prefs{
-				ExitNodeAllowLANAccess: true,
-			},
-			"linux",
-			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist=nil}`,
-		},
-		{
-			Prefs{
-				Hostname: "foo",
-			},
-			"linux",
-			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off host="foo" Persist=nil}`,
+			`Prefs{ra=false mesh=false dns=false want=false exit=myNodeABC routes=[] nf=off Persist=nil}`,
 		},
 	}
 	for i, tt := range tests {
@@ -488,146 +432,3 @@ func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
 	}
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }
-
-func TestMaskedPrefsFields(t *testing.T) {
-	have := map[string]bool{}
-	for _, f := range fieldsOf(reflect.TypeOf(Prefs{})) {
-		if f == "Persist" {
-			// This one can't be edited.
-			continue
-		}
-		have[f] = true
-	}
-	for _, f := range fieldsOf(reflect.TypeOf(MaskedPrefs{})) {
-		if f == "Prefs" {
-			continue
-		}
-		if !strings.HasSuffix(f, "Set") {
-			t.Errorf("unexpected non-/Set$/ field %q", f)
-			continue
-		}
-		bare := strings.TrimSuffix(f, "Set")
-		_, ok := have[bare]
-		if !ok {
-			t.Errorf("no corresponding Prefs.%s field for MaskedPrefs.%s", bare, f)
-			continue
-		}
-		delete(have, bare)
-	}
-	for f := range have {
-		t.Errorf("missing MaskedPrefs.%sSet for Prefs.%s", f, f)
-	}
-
-	// And also make sure they line up in the right order, which
-	// ApplyEdits assumes.
-	pt := reflect.TypeOf(Prefs{})
-	mt := reflect.TypeOf(MaskedPrefs{})
-	for i := 0; i < mt.NumField(); i++ {
-		name := mt.Field(i).Name
-		if i == 0 {
-			if name != "Prefs" {
-				t.Errorf("first field of MaskedPrefs should be Prefs")
-			}
-			continue
-		}
-		prefName := pt.Field(i - 1).Name
-		if prefName+"Set" != name {
-			t.Errorf("MaskedField[%d] = %s; want %sSet", i-1, name, prefName)
-		}
-	}
-}
-
-func TestPrefsApplyEdits(t *testing.T) {
-	tests := []struct {
-		name  string
-		prefs *Prefs
-		edit  *MaskedPrefs
-		want  *Prefs
-	}{
-		{
-			name: "no_change",
-			prefs: &Prefs{
-				Hostname: "foo",
-			},
-			edit: &MaskedPrefs{},
-			want: &Prefs{
-				Hostname: "foo",
-			},
-		},
-		{
-			name: "set1_decoy1",
-			prefs: &Prefs{
-				Hostname: "foo",
-			},
-			edit: &MaskedPrefs{
-				Prefs: Prefs{
-					Hostname:    "bar",
-					DeviceModel: "ignore-this", // not set
-				},
-				HostnameSet: true,
-			},
-			want: &Prefs{
-				Hostname: "bar",
-			},
-		},
-		{
-			name:  "set_several",
-			prefs: &Prefs{},
-			edit: &MaskedPrefs{
-				Prefs: Prefs{
-					Hostname:    "bar",
-					DeviceModel: "galaxybrain",
-				},
-				HostnameSet:    true,
-				DeviceModelSet: true,
-			},
-			want: &Prefs{
-				Hostname:    "bar",
-				DeviceModel: "galaxybrain",
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := tt.prefs.Clone()
-			got.ApplyEdits(tt.edit)
-			if !got.Equals(tt.want) {
-				gotj, _ := json.Marshal(got)
-				wantj, _ := json.Marshal(tt.want)
-				t.Errorf("fail.\n got: %s\nwant: %s\n", gotj, wantj)
-			}
-		})
-	}
-}
-
-func TestMaskedPrefsPretty(t *testing.T) {
-	tests := []struct {
-		m    *MaskedPrefs
-		want string
-	}{
-		{
-			m:    &MaskedPrefs{},
-			want: "MaskedPrefs{}",
-		},
-		{
-			m: &MaskedPrefs{
-				Prefs: Prefs{
-					Hostname:         "bar",
-					DeviceModel:      "galaxybrain",
-					AllowSingleHosts: true,
-					RouteAll:         false,
-				},
-				RouteAllSet:    true,
-				HostnameSet:    true,
-				DeviceModelSet: true,
-			},
-			want: `MaskedPrefs{RouteAll=false Hostname="bar" DeviceModel="galaxybrain"}`,
-		},
-	}
-	for i, tt := range tests {
-		got := tt.m.Pretty()
-		if got != tt.want {
-			t.Errorf("%d.\n got: %#q\nwant: %#q\n", i, got, tt.want)
-		}
-	}
-}
--- a/logtail/id.go
+++ b/logtail/id.go
@@ -121,17 +121,14 @@ func (id PublicID) MarshalText() ([]byte, error) {
 }

 func (id *PublicID) UnmarshalText(s []byte) error {
-	if len(s) != len(id)*2 {
-		return fmt.Errorf("logtail.PublicID.UnmarshalText: invalid hex length: %d", len(s))
+	b, err := hex.DecodeString(string(s))
+	if err != nil {
+		return fmt.Errorf("logtail.PublicID.UnmarshalText: %v", err)
 	}
-	for i := range id {
-		a, ok1 := fromHexChar(s[i*2+0])
-		b, ok2 := fromHexChar(s[i*2+1])
-		if !ok1 || !ok2 {
-			return errors.New("invalid hex character")
-		}
-		id[i] = (a << 4) | b
+	if len(b) != len(id) {
+		return fmt.Errorf("logtail.PublicID.UnmarshalText: invalid hex length: %d", len(b))
 	}
+	copy(id[:], b)
 	return nil
 }

--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -303,26 +303,3 @@ func TestParseAndRemoveLogLevel(t *testing.T) {
 		}
 	}
 }
-
-func TestPublicIDUnmarshalText(t *testing.T) {
-	const hexStr = "6c60a9e0e7af57170bb1347b2d477e4cbc27d4571a4923b21651456f931e3d55"
-	x := []byte(hexStr)
-
-	var id PublicID
-	if err := id.UnmarshalText(x); err != nil {
-		t.Fatal(err)
-	}
-	if id.String() != hexStr {
-		t.Errorf("String = %q; want %q", id.String(), hexStr)
-	}
-
-	n := int(testing.AllocsPerRun(1000, func() {
-		var id PublicID
-		if err := id.UnmarshalText(x); err != nil {
-			t.Fatal(err)
-		}
-	}))
-	if n != 0 {
-		t.Errorf("allocs = %v; want 0", n)
-	}
-}
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -5,119 +5,73 @@
 package dns

 import (
-	"sort"
-
 	"inet.af/netaddr"
-	"tailscale.com/util/dnsname"
+
+	"tailscale.com/types/logger"
 )

-// Config is a DNS configuration.
+// Config is the set of parameters that uniquely determine
+// the state to which a manager should bring system DNS settings.
 type Config struct {
-	// DefaultResolvers are the DNS resolvers to use for DNS names
-	// which aren't covered by more specific per-domain routes below.
-	// If empty, the OS's default resolvers (the ones that predate
-	// Tailscale altering the configuration) are used.
-	DefaultResolvers []netaddr.IPPort
-	// Routes maps a DNS suffix to the resolvers that should be used
-	// for queries that fall within that suffix.
-	// If a query doesn't match any entry in Routes, the
-	// DefaultResolvers are used.
-	Routes map[dnsname.FQDN][]netaddr.IPPort
-	// SearchDomains are DNS suffixes to try when expanding
-	// single-label queries.
-	SearchDomains []dnsname.FQDN
-	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
-	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally without
-	// recursing off-machine.
-	Hosts map[dnsname.FQDN][]netaddr.IP
-	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
-	// for which the in-process Tailscale resolver is authoritative.
-	// Queries for names within AuthoritativeSuffixes can only be
-	// fulfilled by entries in Hosts. Queries with no match in Hosts
-	// return NXDOMAIN.
-	AuthoritativeSuffixes []dnsname.FQDN
+	// Nameservers are the IP addresses of the nameservers to use.
+	Nameservers []netaddr.IP
+	// Domains are the search domains to use.
+	Domains []string
+	// PerDomain indicates whether it is preferred to use Nameservers
+	// only for DNS queries for subdomains of Domains.
+	// Note that Nameservers may still be applied to all queries
+	// if the manager does not support per-domain settings.
+	PerDomain bool
+	// Proxied indicates whether DNS requests are proxied through a dns.Resolver.
+	// This enables MagicDNS.
+	Proxied bool
 }

-// needsAnyResolvers reports whether c requires a resolver to be set
-// at the OS level.
-func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
-}
-
-func (c Config) hasRoutes() bool {
-	return len(c.Routes) > 0
-}
-
-// hasDefaultResolversOnly reports whether the only resolvers in c are
-// DefaultResolvers.
-func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
-}
-
-func (c Config) hasDefaultResolvers() bool {
-	return len(c.DefaultResolvers) > 0
-}
-
-// singleResolverSet returns the resolvers used by c.Routes if all
-// routes use the same resolvers, or nil if multiple sets of resolvers
-// are specified.
-func (c Config) singleResolverSet() []netaddr.IPPort {
-	var first []netaddr.IPPort
-	for _, resolvers := range c.Routes {
-		if first == nil {
-			first = resolvers
-			continue
-		}
-		if !sameIPPorts(first, resolvers) {
-			return nil
-		}
-	}
-	return first
-}
-
-// hasHosts reports whether c requires resolution of MagicDNS hosts or
-// domains.
-func (c Config) hasHosts() bool {
-	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
-}
-
-// matchDomains returns the list of match suffixes needed by Routes,
-// AuthoritativeSuffixes. Hosts is not considered as we assume that
-// they're covered by AuthoritativeSuffixes for now.
-func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
-	seen := map[dnsname.FQDN]bool{}
-	for _, suffix := range c.AuthoritativeSuffixes {
-		if seen[suffix] {
-			continue
-		}
-		ret = append(ret, suffix)
-		seen[suffix] = true
-	}
-	for suffix := range c.Routes {
-		if seen[suffix] {
-			continue
-		}
-		ret = append(ret, suffix)
-		seen[suffix] = true
-	}
-	sort.Slice(ret, func(i, j int) bool {
-		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
-	})
-	return ret
-}
-
-func sameIPPorts(a, b []netaddr.IPPort) bool {
-	if len(a) != len(b) {
+// Equal determines whether its argument and receiver
+// represent equivalent DNS configurations (then DNS reconfig is a no-op).
+func (lhs Config) Equal(rhs Config) bool {
+	if lhs.Proxied != rhs.Proxied || lhs.PerDomain != rhs.PerDomain {
 		return false
 	}

-	for i := range a {
-		if a[i] != b[i] {
+	if len(lhs.Nameservers) != len(rhs.Nameservers) {
+		return false
+	}
+
+	if len(lhs.Domains) != len(rhs.Domains) {
+		return false
+	}
+
+	// With how we perform resolution order shouldn't matter,
+	// but it is unlikely that we will encounter different orders.
+	for i, server := range lhs.Nameservers {
+		if rhs.Nameservers[i] != server {
+			return false
+		}
+	}
+
+	// The order of domains, on the other hand, is significant.
+	for i, domain := range lhs.Domains {
+		if rhs.Domains[i] != domain {
 			return false
 		}
 	}

 	return true
 }
+
+// ManagerConfig is the set of parameters from which
+// a manager implementation is chosen and initialized.
+type ManagerConfig struct {
+	// Logf is the logger for the manager to use.
+	// It is wrapped with a "dns: " prefix.
+	Logf logger.Logf
+	// InterfaceName is the name of the interface with which DNS settings should be associated.
+	InterfaceName string
+	// Cleanup indicates that the manager is created for cleanup only.
+	// A no-op manager will be instantiated if the system needs no cleanup.
+	Cleanup bool
+	// PerDomain indicates that a manager capable of per-domain configuration is preferred.
+	// Certain managers are per-domain only; they will not be considered if this is false.
+	PerDomain bool
+}
--- a/net/dns/debian_resolvconf.go
+++ b/net/dns/debian_resolvconf.go
@@ -1,184 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"bufio"
-	"bytes"
-	_ "embed"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"path/filepath"
-
-	"tailscale.com/atomicfile"
-	"tailscale.com/types/logger"
-)
-
-//go:embed resolvconf-workaround.sh
-var workaroundScript []byte
-
-// resolvconfConfigName is the name of the config submitted to
-// resolvconf.
-// The name starts with 'tun' in order to match the hardcoded
-// interface order in debian resolvconf, which will place this
-// configuration ahead of regular network links. In theory, this
-// doesn't matter because we then fix things up to ensure our config
-// is the only one in use, but in case that fails, this will make our
-// configuration slightly preferred.
-// The 'inet' suffix has no specific meaning, but conventionally
-// resolvconf implementations encourage adding a suffix roughly
-// indicating where the config came from, and "inet" is the "none of
-// the above" value (rather than, say, "ppp" or "dhcp").
-const resolvconfConfigName = "tun-tailscale.inet"
-
-// resolvconfLibcHookPath is the directory containing libc update
-// scripts, which are run by Debian resolvconf when /etc/resolv.conf
-// has been updated.
-const resolvconfLibcHookPath = "/etc/resolvconf/update-libc.d"
-
-// resolvconfHookPath is the name of the libc hook script we install
-// to force Tailscale's DNS config to take effect.
-var resolvconfHookPath = filepath.Join(resolvconfLibcHookPath, "tailscale")
-
-// resolvconfManager manages DNS configuration using the Debian
-// implementation of the `resolvconf` program, written by Thomas Hood.
-type resolvconfManager struct {
-	logf            logger.Logf
-	listRecordsPath string
-	interfacesDir   string
-	scriptInstalled bool // libc update script has been installed
-}
-
-func newDebianResolvconfManager(logf logger.Logf) (*resolvconfManager, error) {
-	ret := &resolvconfManager{
-		logf:            logf,
-		listRecordsPath: "/lib/resolvconf/list-records",
-		interfacesDir:   "/etc/resolvconf/run/interface", // panic fallback if nothing seems to work
-	}
-
-	if _, err := os.Stat(ret.listRecordsPath); os.IsNotExist(err) {
-		// This might be a Debian system from before the big /usr
-		// merge, try /usr instead.
-		ret.listRecordsPath = "/usr" + ret.listRecordsPath
-	}
-	// The runtime directory is currently (2020-04) canonically
-	// /etc/resolvconf/run, but the manpage is making noise about
-	// switching to /run/resolvconf and dropping the /etc path. So,
-	// let's probe the possible directories and use the first one
-	// that works.
-	for _, path := range []string{
-		"/etc/resolvconf/run/interface",
-		"/run/resolvconf/interface",
-		"/var/run/resolvconf/interface",
-	} {
-		if _, err := os.Stat(path); err == nil {
-			ret.interfacesDir = path
-			break
-		}
-	}
-	if ret.interfacesDir == "" {
-		// None of the paths seem to work, use the canonical location
-		// that the current manpage says to use.
-		ret.interfacesDir = "/etc/resolvconf/run/interfaces"
-	}
-
-	return ret, nil
-}
-
-func (m *resolvconfManager) deleteTailscaleConfig() error {
-	cmd := exec.Command("resolvconf", "-d", resolvconfConfigName)
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("running %s: %s", cmd, out)
-	}
-	return nil
-}
-
-func (m *resolvconfManager) SetDNS(config OSConfig) error {
-	if !m.scriptInstalled {
-		m.logf("injecting resolvconf workaround script")
-		if err := os.MkdirAll(resolvconfLibcHookPath, 0755); err != nil {
-			return err
-		}
-		if err := atomicfile.WriteFile(resolvconfHookPath, workaroundScript, 0755); err != nil {
-			return err
-		}
-		m.scriptInstalled = true
-	}
-
-	if config.IsZero() {
-		if err := m.deleteTailscaleConfig(); err != nil {
-			return err
-		}
-	} else {
-		stdin := new(bytes.Buffer)
-		writeResolvConf(stdin, config.Nameservers, config.SearchDomains) // dns_direct.go
-
-		// This resolvconf implementation doesn't support exclusive
-		// mode or interface priorities, so it will end up blending
-		// our configuration with other sources. However, this will
-		// get fixed up by the script we injected above.
-		cmd := exec.Command("resolvconf", "-a", resolvconfConfigName)
-		cmd.Stdin = stdin
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("running %s: %s", cmd, out)
-		}
-	}
-
-	return nil
-}
-
-func (m *resolvconfManager) SupportsSplitDNS() bool {
-	return false
-}
-
-func (m *resolvconfManager) GetBaseConfig() (OSConfig, error) {
-	var bs bytes.Buffer
-
-	cmd := exec.Command(m.listRecordsPath)
-	// list-records assumes it's being run with CWD set to the
-	// interfaces runtime dir, and returns nonsense otherwise.
-	cmd.Dir = m.interfacesDir
-	cmd.Stdout = &bs
-	if err := cmd.Run(); err != nil {
-		return OSConfig{}, err
-	}
-
-	var conf bytes.Buffer
-	sc := bufio.NewScanner(&bs)
-	for sc.Scan() {
-		if sc.Text() == resolvconfConfigName {
-			continue
-		}
-		bs, err := ioutil.ReadFile(filepath.Join(m.interfacesDir, sc.Text()))
-		if err != nil {
-			if os.IsNotExist(err) {
-				// Probably raced with a deletion, that's okay.
-				continue
-			}
-			return OSConfig{}, err
-		}
-		conf.Write(bs)
-		conf.WriteByte('\n')
-	}
-
-	return readResolv(&conf)
-}
-
-func (m *resolvconfManager) Close() error {
-	if err := m.deleteTailscaleConfig(); err != nil {
-		return err
-	}
-
-	if m.scriptInstalled {
-		m.logf("removing resolvconf workaround script")
-		os.Remove(resolvconfHookPath) // Best-effort
-	}
-
-	return nil
-}
--- a/net/dns/direct.go
+++ b/net/dns/direct.go
@@ -2,11 +2,14 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+// +build linux freebsd openbsd
+
 package dns

 import (
 	"bufio"
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -17,16 +20,16 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/atomicfile"
-	"tailscale.com/util/dnsname"
 )

 const (
+	tsConf     = "/etc/resolv.tailscale.conf"
 	backupConf = "/etc/resolv.pre-tailscale-backup.conf"
 	resolvConf = "/etc/resolv.conf"
 )

 // writeResolvConf writes DNS configuration in resolv.conf format to the given writer.
-func writeResolvConf(w io.Writer, servers []netaddr.IP, domains []dnsname.FQDN) {
+func writeResolvConf(w io.Writer, servers []netaddr.IP, domains []string) {
 	io.WriteString(w, "# resolv.conf(5) file generated by tailscale\n")
 	io.WriteString(w, "# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN\n\n")
 	for _, ns := range servers {
@@ -38,14 +41,22 @@ func writeResolvConf(w io.Writer, servers []netaddr.IP, domains []dnsname.FQDN)
 		io.WriteString(w, "search")
 		for _, domain := range domains {
 			io.WriteString(w, " ")
-			io.WriteString(w, domain.WithoutTrailingDot())
+			io.WriteString(w, domain)
 		}
 		io.WriteString(w, "\n")
 	}
 }

-func readResolv(r io.Reader) (config OSConfig, err error) {
-	scanner := bufio.NewScanner(r)
+// readResolvConf reads DNS configuration from /etc/resolv.conf.
+func readResolvConf() (Config, error) {
+	var config Config
+
+	f, err := os.Open("/etc/resolv.conf")
+	if err != nil {
+		return config, err
+	}
+
+	scanner := bufio.NewScanner(f)
 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())

@@ -54,7 +65,7 @@ func readResolv(r io.Reader) (config OSConfig, err error) {
 			nameserver = strings.TrimSpace(nameserver)
 			ip, err := netaddr.ParseIP(nameserver)
 			if err != nil {
-				return OSConfig{}, err
+				return config, err
 			}
 			config.Nameservers = append(config.Nameservers, ip)
 			continue
@@ -63,11 +74,7 @@ func readResolv(r io.Reader) (config OSConfig, err error) {
 		if strings.HasPrefix(line, "search") {
 			domain := strings.TrimPrefix(line, "search")
 			domain = strings.TrimSpace(domain)
-			fqdn, err := dnsname.ToFQDN(domain)
-			if err != nil {
-				return OSConfig{}, fmt.Errorf("parsing search domains %q: %w", line, err)
-			}
-			config.SearchDomains = append(config.SearchDomains, fqdn)
+			config.Domains = append(config.Domains, domain)
 			continue
 		}
 	}
@@ -75,53 +82,6 @@ func readResolv(r io.Reader) (config OSConfig, err error) {
 	return config, nil
 }

-func readResolvFile(path string) (OSConfig, error) {
-	var config OSConfig
-
-	f, err := os.Open(path)
-	if err != nil {
-		return config, err
-	}
-	defer f.Close()
-
-	return readResolv(f)
-}
-
-// readResolvConf reads DNS configuration from /etc/resolv.conf.
-func readResolvConf() (OSConfig, error) {
-	return readResolvFile(resolvConf)
-}
-
-// resolvOwner returns the apparent owner of the resolv.conf
-// configuration in bs - one of "resolvconf", "systemd-resolved" or
-// "NetworkManager", or "" if no known owner was found.
-func resolvOwner(bs []byte) string {
-	b := bytes.NewBuffer(bs)
-	for {
-		line, err := b.ReadString('\n')
-		if err != nil {
-			return ""
-		}
-		line = strings.TrimSpace(line)
-		if line == "" {
-			continue
-		}
-		if line[0] != '#' {
-			// First non-empty, non-comment line. Assume the owner
-			// isn't hiding further down.
-			return ""
-		}
-
-		if strings.Contains(line, "systemd-resolved") {
-			return "systemd-resolved"
-		} else if strings.Contains(line, "NetworkManager") {
-			return "NetworkManager"
-		} else if strings.Contains(line, "resolvconf") {
-			return "resolvconf"
-		}
-	}
-}
-
 // isResolvedRunning reports whether systemd-resolved is running on the system,
 // even if it is not managing the system DNS settings.
 func isResolvedRunning() bool {
@@ -150,169 +110,46 @@ func isResolvedRunning() bool {
 // or as cleanup if the program terminates unexpectedly.
 type directManager struct{}

-func newDirectManager() (directManager, error) {
-	return directManager{}, nil
+func newDirectManager(mconfig ManagerConfig) managerImpl {
+	return directManager{}
 }

-// ownedByTailscale reports whether /etc/resolv.conf seems to be a
-// tailscale-managed file.
-func (m directManager) ownedByTailscale() (bool, error) {
-	st, err := os.Stat(resolvConf)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return false, nil
-		}
-		return false, err
-	}
-	if !st.Mode().IsRegular() {
-		return false, nil
-	}
-	bs, err := ioutil.ReadFile(resolvConf)
-	if err != nil {
-		return false, err
-	}
-	if bytes.Contains(bs, []byte("generated by tailscale")) {
-		return true, nil
-	}
-	return false, nil
-}
-
-// backupConfig creates or updates a backup of /etc/resolv.conf, if
-// resolv.conf does not currently contain a Tailscale-managed config.
-func (m directManager) backupConfig() error {
-	if _, err := os.Stat(resolvConf); err != nil {
-		if os.IsNotExist(err) {
-			// No resolv.conf, nothing to back up. Also get rid of any
-			// existing backup file, to avoid restoring something old.
-			os.Remove(backupConf)
-			return nil
-		}
+// Up implements managerImpl.
+func (m directManager) Up(config Config) error {
+	// Write the tsConf file.
+	buf := new(bytes.Buffer)
+	writeResolvConf(buf, config.Nameservers, config.Domains)
+	if err := atomicfile.WriteFile(tsConf, buf.Bytes(), 0644); err != nil {
 		return err
 	}

-	owned, err := m.ownedByTailscale()
-	if err != nil {
-		return err
-	}
-	if owned {
-		return nil
-	}
-
-	return os.Rename(resolvConf, backupConf)
-}
-
-func (m directManager) restoreBackup() error {
-	if _, err := os.Stat(backupConf); err != nil {
-		if os.IsNotExist(err) {
-			// No backup, nothing we can do.
-			return nil
-		}
-		return err
-	}
-	owned, err := m.ownedByTailscale()
-	if err != nil {
-		return err
-	}
-	if _, err := os.Stat(resolvConf); err != nil && !os.IsNotExist(err) {
-		return err
-	}
-	resolvConfExists := !os.IsNotExist(err)
-
-	if resolvConfExists && !owned {
-		// There's already a non-tailscale config in place, get rid of
-		// our backup.
+	if linkPath, err := os.Readlink(resolvConf); err != nil {
+		// Remove any old backup that may exist.
 		os.Remove(backupConf)
-		return nil
-	}

-	// We own resolv.conf, and a backup exists.
-	if err := os.Rename(backupConf, resolvConf); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m directManager) SetDNS(config OSConfig) error {
-	if config.IsZero() {
-		if err := m.restoreBackup(); err != nil {
+		// Backup the existing /etc/resolv.conf file.
+		contents, err := ioutil.ReadFile(resolvConf)
+		// If the original did not exist, still back up an empty file.
+		// The presence of a backup file is the way we know that Up ran.
+		if err != nil && !errors.Is(err, os.ErrNotExist) {
+			return err
+		}
+		if err := atomicfile.WriteFile(backupConf, contents, 0644); err != nil {
+			return err
+		}
+	} else if linkPath != tsConf {
+		// Backup the existing symlink.
+		os.Remove(backupConf)
+		if err := os.Symlink(linkPath, backupConf); err != nil {
 			return err
 		}
 	} else {
-		if err := m.backupConfig(); err != nil {
-			return err
-		}
-
-		buf := new(bytes.Buffer)
-		writeResolvConf(buf, config.Nameservers, config.SearchDomains)
-		if err := atomicfile.WriteFile(resolvConf, buf.Bytes(), 0644); err != nil {
-			return err
-		}
-	}
-
-	// We might have taken over a configuration managed by resolved,
-	// in which case it will notice this on restart and gracefully
-	// start using our configuration. This shouldn't happen because we
-	// try to manage DNS through resolved when it's around, but as a
-	// best-effort fallback if we messed up the detection, try to
-	// restart resolved to make the system configuration consistent.
-	if isResolvedRunning() {
-		exec.Command("systemctl", "restart", "systemd-resolved.service").Run()
-	}
-
-	return nil
-}
-
-func (m directManager) SupportsSplitDNS() bool {
-	return false
-}
-
-func (m directManager) GetBaseConfig() (OSConfig, error) {
-	owned, err := m.ownedByTailscale()
-	if err != nil {
-		return OSConfig{}, err
-	}
-	fileToRead := resolvConf
-	if owned {
-		fileToRead = backupConf
-	}
-
-	return readResolvFile(fileToRead)
-}
-
-func (m directManager) Close() error {
-	// We used to keep a file for the tailscale config and symlinked
-	// to it, but then we stopped because /etc/resolv.conf being a
-	// symlink to surprising places breaks snaps and other sandboxing
-	// things. Clean it up if it's still there.
-	os.Remove("/etc/resolv.tailscale.conf")
-
-	if _, err := os.Stat(backupConf); err != nil {
-		if os.IsNotExist(err) {
-			// No backup, nothing we can do.
-			return nil
-		}
-		return err
-	}
-	owned, err := m.ownedByTailscale()
-	if err != nil {
-		return err
-	}
-	_, err = os.Stat(resolvConf)
-	if err != nil && !os.IsNotExist(err) {
-		return err
-	}
-	resolvConfExists := !os.IsNotExist(err)
-
-	if resolvConfExists && !owned {
-		// There's already a non-tailscale config in place, get rid of
-		// our backup.
-		os.Remove(backupConf)
+		// Nothing to do, resolvConf already points to tsConf.
 		return nil
 	}

-	// We own resolv.conf, and a backup exists.
-	if err := os.Rename(backupConf, resolvConf); err != nil {
+	os.Remove(resolvConf)
+	if err := os.Symlink(tsConf, resolvConf); err != nil {
 		return err
 	}

@@ -322,3 +159,30 @@ func (m directManager) Close() error {

 	return nil
 }
+
+// Down implements managerImpl.
+func (m directManager) Down() error {
+	if _, err := os.Stat(backupConf); err != nil {
+		// If the backup file does not exist, then Up never ran successfully.
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	if ln, err := os.Readlink(resolvConf); err != nil {
+		return err
+	} else if ln != tsConf {
+		return fmt.Errorf("resolv.conf is not a symlink to %s", tsConf)
+	}
+	if err := os.Rename(backupConf, resolvConf); err != nil {
+		return err
+	}
+	os.Remove(tsConf)
+
+	if isResolvedRunning() {
+		exec.Command("systemctl", "restart", "systemd-resolved.service").Run() // Best-effort.
+	}
+
+	return nil
+}
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package resolver
+package dns

 import (
 	"bytes"
@@ -17,11 +17,10 @@ import (
 	"sync"
 	"time"

-	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/logtail/backoff"
+	"tailscale.com/net/netns"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
 )

 // headerBytes is the number of bytes in a DNS message header.
@@ -101,17 +100,12 @@ func getTxID(packet []byte) txid {
 	return (txid(hash) << 32) | txid(dnsid)
 }

-type route struct {
-	suffix    dnsname.FQDN
-	resolvers []netaddr.IPPort
-}
-
 // forwarder forwards DNS packets to a number of upstream nameservers.
 type forwarder struct {
 	logf logger.Logf

 	// responses is a channel by which responses are returned.
-	responses chan packet
+	responses chan Packet
 	// closed signals all goroutines to stop.
 	closed chan struct{}
 	// wg signals when all goroutines have stopped.
@@ -122,32 +116,35 @@ type forwarder struct {
 	conns []*fwdConn

 	mu sync.Mutex
-	// routes are per-suffix resolvers to use.
-	routes []route                   // most specific routes first
-	txMap  map[txid]forwardingRecord // txids to in-flight requests
+	// upstreams are the nameserver addresses that should be used for forwarding.
+	upstreams []net.Addr
+	// txMap maps DNS txids to active forwarding records.
+	txMap map[txid]forwardingRecord
 }

 func init() {
 	rand.Seed(time.Now().UnixNano())
 }

-func newForwarder(logf logger.Logf, responses chan packet) *forwarder {
-	ret := &forwarder{
+func newForwarder(logf logger.Logf, responses chan Packet) *forwarder {
+	return &forwarder{
 		logf:      logger.WithPrefix(logf, "forward: "),
 		responses: responses,
 		closed:    make(chan struct{}),
 		conns:     make([]*fwdConn, connCount),
 		txMap:     make(map[txid]forwardingRecord),
 	}
+}

-	ret.wg.Add(connCount + 1)
-	for idx := range ret.conns {
-		ret.conns[idx] = newFwdConn(ret.logf, idx)
-		go ret.recv(ret.conns[idx])
+func (f *forwarder) Start() error {
+	f.wg.Add(connCount + 1)
+	for idx := range f.conns {
+		f.conns[idx] = newFwdConn(f.logf, idx)
+		go f.recv(f.conns[idx])
 	}
-	go ret.cleanMap()
+	go f.cleanMap()

-	return ret
+	return nil
 }

 func (f *forwarder) Close() {
@@ -174,14 +171,14 @@ func (f *forwarder) rebindFromNetworkChange() {
 	}
 }

-func (f *forwarder) setRoutes(routes []route) {
+func (f *forwarder) setUpstreams(upstreams []net.Addr) {
 	f.mu.Lock()
-	f.routes = routes
+	f.upstreams = upstreams
 	f.mu.Unlock()
 }

 // send sends packet to dst. It is best effort.
-func (f *forwarder) send(packet []byte, dst netaddr.IPPort) {
+func (f *forwarder) send(packet []byte, dst net.Addr) {
 	connIdx := rand.Intn(connCount)
 	conn := f.conns[connIdx]
 	conn.send(packet, dst)
@@ -221,11 +218,14 @@ func (f *forwarder) recv(conn *fwdConn) {

 		f.mu.Unlock()

-		pkt := packet{out, record.src}
+		packet := Packet{
+			Payload: out,
+			Addr:    record.src,
+		}
 		select {
 		case <-f.closed:
 			return
-		case f.responses <- pkt:
+		case f.responses <- packet:
 			// continue
 		}
 	}
@@ -258,39 +258,25 @@ func (f *forwarder) cleanMap() {
 }

 // forward forwards the query to all upstream nameservers and returns the first response.
-func (f *forwarder) forward(query packet) error {
-	domain, err := nameFromQuery(query.bs)
-	if err != nil {
-		return err
-	}
-
-	txid := getTxID(query.bs)
+func (f *forwarder) forward(query Packet) error {
+	txid := getTxID(query.Payload)

 	f.mu.Lock()
-	routes := f.routes
-	f.mu.Unlock()

-	var resolvers []netaddr.IPPort
-	for _, route := range routes {
-		if route.suffix != "." && !route.suffix.Contains(domain) {
-			continue
-		}
-		resolvers = route.resolvers
-		break
-	}
-	if len(resolvers) == 0 {
+	upstreams := f.upstreams
+	if len(upstreams) == 0 {
+		f.mu.Unlock()
 		return errNoUpstreams
 	}
-
-	f.mu.Lock()
 	f.txMap[txid] = forwardingRecord{
-		src:       query.addr,
+		src:       query.Addr,
 		createdAt: time.Now(),
 	}
+
 	f.mu.Unlock()

-	for _, resolver := range resolvers {
-		f.send(query.bs, resolver)
+	for _, upstream := range upstreams {
+		f.send(query.Payload, upstream)
 	}

 	return nil
@@ -326,7 +312,7 @@ func newFwdConn(logf logger.Logf, idx int) *fwdConn {

 // send sends packet to dst using c's connection.
 // It is best effort. It is UDP, after all. Failures are logged.
-func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
+func (c *fwdConn) send(packet []byte, dst net.Addr) {
 	var b *backoff.Backoff // lazily initialized, since it is not needed in the common case
 	backOff := func(err error) {
 		if b == nil {
@@ -352,9 +338,8 @@ func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
 		}
 		c.mu.Unlock()

-		a := dst.UDPAddr()
 		c.wg.Add(1)
-		_, err := conn.WriteTo(packet, a)
+		_, err := conn.WriteTo(packet, dst)
 		c.wg.Done()
 		if err == nil {
 			// Success
@@ -452,7 +437,7 @@ func (c *fwdConn) read(out []byte) int {
 func (c *fwdConn) reconnectLocked() {
 	c.closeConnLocked()
 	// Make a new connection.
-	conn, err := net.ListenPacket("udp", "")
+	conn, err := netns.Listener().ListenPacket(context.Background(), "udp", "")
 	if err != nil {
 		c.logf("ListenPacket failed: %v", err)
 	} else {
@@ -487,24 +472,3 @@ func (c *fwdConn) close() {
 	// Unblock any remaining readers.
 	c.change.Broadcast()
 }
-
-// nameFromQuery extracts the normalized query name from bs.
-func nameFromQuery(bs []byte) (dnsname.FQDN, error) {
-	var parser dns.Parser
-
-	hdr, err := parser.Start(bs)
-	if err != nil {
-		return "", err
-	}
-	if hdr.Response {
-		return "", errNotQuery
-	}
-
-	q, err := parser.Question()
-	if err != nil {
-		return "", err
-	}
-
-	n := q.Name.Data[:q.Name.Length]
-	return dnsname.ToFQDN(rawNameToLower(n))
-}
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -5,15 +5,9 @@
 package dns

 import (
-	"strings"
 	"time"

-	"inet.af/netaddr"
-	"tailscale.com/net/dns/resolver"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
-	"tailscale.com/wgengine/monitor"
 )

 // We use file-ignore below instead of ignore because on some platforms,
@@ -29,206 +23,78 @@ import (
 // Such operations should be wrapped in a timeout context.
 const reconfigTimeout = time.Second

+type managerImpl interface {
+	// Up updates system DNS settings to match the given configuration.
+	Up(Config) error
+	// Down undoes the effects of Up.
+	// It is idempotent and performs no action if Up has never been called.
+	Down() error
+}
+
 // Manager manages system DNS settings.
 type Manager struct {
 	logf logger.Logf

-	resolver *resolver.Resolver
-	os       OSConfigurator
+	impl managerImpl

-	config Config
+	config  Config
+	mconfig ManagerConfig
 }

 // NewManagers created a new manager from the given config.
-func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon) *Manager {
-	logf = logger.WithPrefix(logf, "dns: ")
+func NewManager(mconfig ManagerConfig) *Manager {
+	mconfig.Logf = logger.WithPrefix(mconfig.Logf, "dns: ")
 	m := &Manager{
-		logf:     logf,
-		resolver: resolver.New(logf, linkMon),
-		os:       oscfg,
+		logf: mconfig.Logf,
+		impl: newManager(mconfig),
+
+		config:  Config{PerDomain: mconfig.PerDomain},
+		mconfig: mconfig,
 	}
-	m.logf("using %T", m.os)
+
+	m.logf("using %T", m.impl)
 	return m
 }

-func (m *Manager) Set(cfg Config) error {
-	m.logf("Set: %+v", cfg)
+func (m *Manager) Set(config Config) error {
+	if config.Equal(m.config) {
+		return nil
+	}

-	rcfg, ocfg, err := m.compileConfig(cfg)
-	if err != nil {
+	m.logf("Set: %+v", config)
+
+	if len(config.Nameservers) == 0 {
+		err := m.impl.Down()
+		// If we save the config, we will not retry next time. Only do this on success.
+		if err == nil {
+			m.config = config
+		}
 		return err
 	}

-	m.logf("Resolvercfg: %+v", rcfg)
-	m.logf("OScfg: %+v", ocfg)
-
-	if err := m.resolver.SetConfig(rcfg); err != nil {
-		return err
-	}
-	if err := m.os.SetDNS(ocfg); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// compileConfig converts cfg into a quad-100 resolver configuration
-// and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
-	// Deal with trivial configs first.
-	switch {
-	case !cfg.needsOSResolver():
-		// Set search domains, but nothing else. This also covers the
-		// case where cfg is entirely zero, in which case these
-		// configs clear all Tailscale DNS settings.
-		return resolver.Config{}, OSConfig{
-			SearchDomains: cfg.SearchDomains,
-		}, nil
-	case cfg.hasDefaultResolversOnly():
-		// Trivial CorpDNS configuration, just override the OS
-		// resolver.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
-			SearchDomains: cfg.SearchDomains,
-		}, nil
-	case cfg.hasDefaultResolvers():
-		// Default resolvers plus other stuff always ends up proxying
-		// through quad-100.
-		rcfg := resolver.Config{
-			Routes: map[dnsname.FQDN][]netaddr.IPPort{
-				".": cfg.DefaultResolvers,
-			},
-			Hosts:        cfg.Hosts,
-			LocalDomains: cfg.AuthoritativeSuffixes,
+	// Switching to and from per-domain mode may require a change of manager.
+	if config.PerDomain != m.config.PerDomain {
+		if err := m.impl.Down(); err != nil {
+			return err
 		}
-		for suffix, resolvers := range cfg.Routes {
-			rcfg.Routes[suffix] = resolvers
-		}
-		ocfg := OSConfig{
-			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-			SearchDomains: cfg.SearchDomains,
-		}
-		return rcfg, ocfg, nil
+		m.mconfig.PerDomain = config.PerDomain
+		m.impl = newManager(m.mconfig)
+		m.logf("switched to %T", m.impl)
 	}

-	// From this point on, we're figuring out split DNS
-	// configurations. The possible cases don't return directly any
-	// more, because as a final step we have to handle the case where
-	// the OS can't do split DNS.
-	var rcfg resolver.Config
-	var ocfg OSConfig
-
-	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() {
-		// Split DNS configuration requested, where all split domains
-		// go to the same resolvers. We can let the OS do it.
-		return resolver.Config{}, OSConfig{
-			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
-			SearchDomains: cfg.SearchDomains,
-			MatchDomains:  cfg.matchDomains(),
-		}, nil
+	err := m.impl.Up(config)
+	// If we save the config, we will not retry next time. Only do this on success.
+	if err == nil {
+		m.config = config
 	}

-	// Split DNS configuration with either multiple upstream routes,
-	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
-	// split-DNS. Install a split config pointing at quad-100.
-	rcfg = resolver.Config{
-		Hosts:        cfg.Hosts,
-		LocalDomains: cfg.AuthoritativeSuffixes,
-		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
-	}
-	for suffix, resolvers := range cfg.Routes {
-		rcfg.Routes[suffix] = resolvers
-	}
-	ocfg = OSConfig{
-		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
-		SearchDomains: cfg.SearchDomains,
-	}
-
-	// If the OS can't do native split-dns, read out the underlying
-	// resolver config and blend it into our config.
-	if m.os.SupportsSplitDNS() {
-		ocfg.MatchDomains = cfg.matchDomains()
-	} else {
-		bcfg, err := m.os.GetBaseConfig()
-		if err != nil {
-			// Temporary hack to make OSes where split-DNS isn't fully
-			// implemented yet not completely crap out, but instead
-			// fall back to quad-9 as a hardcoded "backup resolver".
-			//
-			// This codepath currently only triggers when opted into
-			// the split-DNS feature server side, and when at least
-			// one search domain is something within tailscale.com, so
-			// we don't accidentally leak unstable user DNS queries to
-			// quad-9 if we accidentally go down this codepath.
-			canUseHack := false
-			for _, dom := range cfg.SearchDomains {
-				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
-					canUseHack = true
-					break
-				}
-			}
-			if !canUseHack {
-				return resolver.Config{}, OSConfig{}, err
-			}
-			bcfg = OSConfig{
-				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
-			}
-		}
-		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
-		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
-	}
-
-	return rcfg, ocfg, nil
+	return err
 }

-// toIPsOnly returns only the IP portion of ipps.
-// TODO: this discards port information on the assumption that we're
-// always pointing at port 53.
-// https://github.com/tailscale/tailscale/issues/1666 tracks making
-// that not true, if we ever want to.
-func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
-	ret = make([]netaddr.IP, 0, len(ipps))
-	for _, ipp := range ipps {
-		ret = append(ret, ipp.IP)
-	}
-	return ret
-}
-
-func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
-	ret = make([]netaddr.IPPort, 0, len(ips))
-	for _, ip := range ips {
-		ret = append(ret, netaddr.IPPort{IP: ip, Port: 53})
-	}
-	return ret
-}
-
-func (m *Manager) EnqueueRequest(bs []byte, from netaddr.IPPort) error {
-	return m.resolver.EnqueueRequest(bs, from)
-}
-
-func (m *Manager) NextResponse() ([]byte, netaddr.IPPort, error) {
-	return m.resolver.NextResponse()
+func (m *Manager) Up() error {
+	return m.impl.Up(m.config)
 }

 func (m *Manager) Down() error {
-	if err := m.os.Close(); err != nil {
-		return err
-	}
-	m.resolver.Close()
-	return nil
-}
-
-// Cleanup restores the system DNS configuration to its original state
-// in case the Tailscale daemon terminated without closing the router.
-// No other state needs to be instantiated before this runs.
-func Cleanup(logf logger.Logf, interfaceName string) {
-	oscfg, err := NewOSConfigurator(logf, interfaceName)
-	if err != nil {
-		logf("creating dns cleanup: %v", err)
-		return
-	}
-	dns := NewManager(logf, oscfg, nil)
-	if err := dns.Down(); err != nil {
-		logf("dns down: %v", err)
-	}
+	return m.impl.Down()
 }
--- a/net/dns/manager_default.go
+++ b/net/dns/manager_default.go
@@ -6,11 +6,9 @@

 package dns

-import "tailscale.com/types/logger"
-
-func NewOSConfigurator(logger.Logf, string) (OSConfigurator, error) {
+func newManager(mconfig ManagerConfig) managerImpl {
 	// TODO(dmytro): on darwin, we should use a macOS-specific method such as scutil.
 	// This is currently not implemented. Editing /etc/resolv.conf does not work,
 	// as most applications use the system resolver, which disregards it.
-	return NewNoopManager()
+	return newNoopManager(mconfig)
 }
--- a/net/dns/manager_freebsd.go
+++ b/net/dns/manager_freebsd.go
@@ -4,27 +4,11 @@

 package dns

-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-
-	"tailscale.com/types/logger"
-)
-
-func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
-	bs, err := ioutil.ReadFile("/etc/resolv.conf")
-	if os.IsNotExist(err) {
-		return newDirectManager()
-	}
-	if err != nil {
-		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
-	}
-
-	switch resolvOwner(bs) {
-	case "resolvconf":
-		return newResolvconfManager(logf)
+func newManager(mconfig ManagerConfig) managerImpl {
+	switch {
+	case isResolvconfActive():
+		return newResolvconfManager(mconfig)
 	default:
-		return newDirectManager()
+		return newDirectManager(mconfig)
 	}
 }
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -4,170 +4,24 @@

 package dns

-import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"time"
-
-	"github.com/godbus/dbus/v5"
-	"tailscale.com/types/logger"
-)
-
-type kv struct {
-	k, v string
-}
-
-func (kv kv) String() string {
-	return fmt.Sprintf("%s=%s", kv.k, kv.v)
-}
-
-func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurator, err error) {
-	var debug []kv
-	dbg := func(k, v string) {
-		debug = append(debug, kv{k, v})
-	}
-	defer func() {
-		if ret != nil {
-			dbg("ret", fmt.Sprintf("%T", ret))
+func newManager(mconfig ManagerConfig) managerImpl {
+	switch {
+	// systemd-resolved should only activate per-domain.
+	case isResolvedActive() && mconfig.PerDomain:
+		if mconfig.Cleanup {
+			return newNoopManager(mconfig)
+		} else {
+			return newResolvedManager(mconfig)
 		}
-		logf("dns: %v", debug)
-	}()
-
-	bs, err := ioutil.ReadFile("/etc/resolv.conf")
-	if os.IsNotExist(err) {
-		dbg("rc", "missing")
-		return newDirectManager()
-	}
-	if err != nil {
-		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
-	}
-
-	switch resolvOwner(bs) {
-	case "systemd-resolved":
-		dbg("rc", "resolved")
-		if err := dbusPing("org.freedesktop.resolve1", "/org/freedesktop/resolve1"); err != nil {
-			dbg("resolved", "no")
-			return newDirectManager()
+	case isNMActive():
+		if mconfig.Cleanup {
+			return newNoopManager(mconfig)
+		} else {
+			return newNMManager(mconfig)
 		}
-		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
-			dbg("nm", "no")
-			return newResolvedManager(logf)
-		}
-		dbg("nm", "yes")
-		if err := nmIsUsingResolved(); err != nil {
-			dbg("nm-resolved", "no")
-			return newResolvedManager(logf)
-		}
-		dbg("nm-resolved", "yes")
-		return newNMManager(interfaceName)
-	case "resolvconf":
-		dbg("rc", "resolvconf")
-		if err := resolvconfSourceIsNM(bs); err == nil {
-			dbg("src-is-nm", "yes")
-			if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err == nil {
-				dbg("nm", "yes")
-				return newNMManager(interfaceName)
-			}
-			dbg("nm", "no")
-		}
-		dbg("src-is-nm", "no")
-		if _, err := exec.LookPath("resolvconf"); err != nil {
-			dbg("resolvconf", "no")
-			return newDirectManager()
-		}
-		dbg("resolvconf", "yes")
-		return newResolvconfManager(logf)
-	case "NetworkManager":
-		dbg("rc", "nm")
-		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
-			dbg("nm", "no")
-			return newDirectManager()
-		}
-		dbg("nm", "yes")
-		return newNMManager(interfaceName)
+	case isResolvconfActive():
+		return newResolvconfManager(mconfig)
 	default:
-		dbg("rc", "unknown")
-		return newDirectManager()
+		return newDirectManager(mconfig)
 	}
 }
-
-func resolvconfSourceIsNM(resolvDotConf []byte) error {
-	b := bytes.NewBuffer(resolvDotConf)
-	cfg, err := readResolv(b)
-	if err != nil {
-		return fmt.Errorf("parsing /etc/resolv.conf: %w", err)
-	}
-
-	var (
-		paths = []string{
-			"/etc/resolvconf/run/interface/NetworkManager",
-			"/run/resolvconf/interface/NetworkManager",
-			"/var/run/resolvconf/interface/NetworkManager",
-			"/run/resolvconf/interfaces/NetworkManager",
-			"/var/run/resolvconf/interfaces/NetworkManager",
-		}
-		nmCfg OSConfig
-		found bool
-	)
-	for _, path := range paths {
-		nmCfg, err = readResolvFile(path)
-		if os.IsNotExist(err) {
-			continue
-		} else if err != nil {
-			return err
-		}
-		found = true
-		break
-	}
-	if !found {
-		return errors.New("NetworkManager resolvconf snippet not found")
-	}
-
-	if !nmCfg.Equal(cfg) {
-		return errors.New("NetworkManager config not applied by resolvconf")
-	}
-
-	return nil
-}
-
-func nmIsUsingResolved() error {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		// DBus probably not running.
-		return err
-	}
-
-	nm := conn.Object("org.freedesktop.NetworkManager", dbus.ObjectPath("/org/freedesktop/NetworkManager/DnsManager"))
-	v, err := nm.GetProperty("org.freedesktop.NetworkManager.DnsManager.Mode")
-	if err != nil {
-		return fmt.Errorf("getting NM mode: %w", err)
-	}
-	mode, ok := v.Value().(string)
-	if !ok {
-		return fmt.Errorf("unexpected type %T for NM DNS mode", v.Value())
-	}
-	if mode != "systemd-resolved" {
-		return errors.New("NetworkManager is not using systemd-resolved for DNS")
-	}
-	return nil
-}
-
-func dbusPing(name, objectPath string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		// DBus probably not running.
-		return err
-	}
-
-	obj := conn.Object(name, dbus.ObjectPath(objectPath))
-	call := obj.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0)
-	return call.Err
-}
--- a/net/dns/manager_openbsd.go
+++ b/net/dns/manager_openbsd.go
@@ -4,8 +4,6 @@

 package dns

-import "tailscale.com/types/logger"
-
-func NewOSConfigurator(logger.Logf, string) (OSConfigurator, error) {
-	return newDirectManager()
+func newManager(mconfig ManagerConfig) managerImpl {
+	return newDirectManager(mconfig)
 }
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -1,440 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
-	"inet.af/netaddr"
-	"tailscale.com/net/dns/resolver"
-	"tailscale.com/util/dnsname"
-)
-
-type fakeOSConfigurator struct {
-	SplitDNS   bool
-	BaseConfig OSConfig
-
-	OSConfig       OSConfig
-	ResolverConfig resolver.Config
-}
-
-func (c *fakeOSConfigurator) SetDNS(cfg OSConfig) error {
-	if !c.SplitDNS && len(cfg.MatchDomains) > 0 {
-		panic("split DNS config passed to non-split OSConfigurator")
-	}
-	c.OSConfig = cfg
-	return nil
-}
-
-func (c *fakeOSConfigurator) SetResolver(cfg resolver.Config) {
-	c.ResolverConfig = cfg
-}
-
-func (c *fakeOSConfigurator) SupportsSplitDNS() bool {
-	return c.SplitDNS
-}
-
-func (c *fakeOSConfigurator) GetBaseConfig() (OSConfig, error) {
-	return c.BaseConfig, nil
-}
-
-func (c *fakeOSConfigurator) Close() error { return nil }
-
-func TestManager(t *testing.T) {
-	// Note: these tests assume that it's safe to switch the
-	// OSConfigurator's split-dns support on and off between Set
-	// calls. Empirically this is currently true, because we reprobe
-	// the support every time we generate configs. It would be
-	// reasonable to make this unsupported as well, in which case
-	// these tests will need tweaking.
-	tests := []struct {
-		name  string
-		in    Config
-		split bool
-		bs    OSConfig
-		os    OSConfig
-		rs    resolver.Config
-	}{
-		{
-			name: "empty",
-		},
-		{
-			name: "search-only",
-			in: Config{
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			os: OSConfig{
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-		},
-		{
-			name: "corp",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("1.1.1.1", "9.9.9.9"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-		},
-		{
-			name: "corp-split",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("1.1.1.1", "9.9.9.9"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-		},
-		{
-			name: "corp-magic",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-		{
-			name: "corp-magic-split",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-		{
-			name: "corp-routes",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				Routes:           upstreams("corp.com", "2.2.2.2:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					".", "1.1.1.1:53", "9.9.9.9:53",
-					"corp.com.", "2.2.2.2:53"),
-			},
-		},
-		{
-			name: "corp-routes-split",
-			in: Config{
-				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
-				Routes:           upstreams("corp.com", "2.2.2.2:53"),
-				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					".", "1.1.1.1:53", "9.9.9.9:53",
-					"corp.com.", "2.2.2.2:53"),
-			},
-		},
-		{
-			name: "routes",
-			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2:53"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			bs: OSConfig{
-				Nameservers:   mustIPs("8.8.8.8"),
-				SearchDomains: fqdns("coffee.shop"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					".", "8.8.8.8:53",
-					"corp.com.", "2.2.2.2:53"),
-			},
-		},
-		{
-			name: "routes-split",
-			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2:53"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("2.2.2.2"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-				MatchDomains:  fqdns("corp.com"),
-			},
-		},
-		{
-			name: "routes-multi",
-			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"bigco.net", "3.3.3.3:53"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			bs: OSConfig{
-				Nameservers:   mustIPs("8.8.8.8"),
-				SearchDomains: fqdns("coffee.shop"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					".", "8.8.8.8:53",
-					"corp.com.", "2.2.2.2:53",
-					"bigco.net.", "3.3.3.3:53"),
-			},
-		},
-		{
-			name: "routes-multi-split",
-			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"bigco.net", "3.3.3.3:53"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-				MatchDomains:  fqdns("bigco.net", "corp.com"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					"corp.com.", "2.2.2.2:53",
-					"bigco.net.", "3.3.3.3:53"),
-			},
-		},
-		{
-			name: "magic",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
-			},
-			bs: OSConfig{
-				Nameservers:   mustIPs("8.8.8.8"),
-				SearchDomains: fqdns("coffee.shop"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(".", "8.8.8.8:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-		{
-			name: "magic-split",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-				MatchDomains:  fqdns("ts.com"),
-			},
-			rs: resolver.Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-		{
-			name: "routes-magic",
-			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
-			},
-			bs: OSConfig{
-				Nameservers:   mustIPs("8.8.8.8"),
-				SearchDomains: fqdns("coffee.shop"),
-			},
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams(
-					"corp.com.", "2.2.2.2:53",
-					".", "8.8.8.8:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-		{
-			name: "routes-magic-split",
-			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				AuthoritativeSuffixes: fqdns("ts.com"),
-				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
-			},
-			split: true,
-			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
-				MatchDomains:  fqdns("corp.com", "ts.com"),
-			},
-			rs: resolver.Config{
-				Routes: upstreams("corp.com.", "2.2.2.2:53"),
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-				LocalDomains: fqdns("ts.com."),
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			f := fakeOSConfigurator{
-				SplitDNS:   test.split,
-				BaseConfig: test.bs,
-			}
-			m := NewManager(t.Logf, &f, nil)
-			m.resolver.TestOnlySetHook(f.SetResolver)
-
-			if err := m.Set(test.in); err != nil {
-				t.Fatalf("m.Set: %v", err)
-			}
-			tr := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-			if diff := cmp.Diff(f.OSConfig, test.os, tr, cmpopts.EquateEmpty()); diff != "" {
-				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
-			}
-			if diff := cmp.Diff(f.ResolverConfig, test.rs, tr, cmpopts.EquateEmpty()); diff != "" {
-				t.Errorf("wrong resolver.Config (-got+want)\n%s", diff)
-			}
-		})
-	}
-}
-
-func mustIPs(strs ...string) (ret []netaddr.IP) {
-	for _, s := range strs {
-		ret = append(ret, netaddr.MustParseIP(s))
-	}
-	return ret
-}
-
-func mustIPPs(strs ...string) (ret []netaddr.IPPort) {
-	for _, s := range strs {
-		ret = append(ret, netaddr.MustParseIPPort(s))
-	}
-	return ret
-}
-
-func fqdns(strs ...string) (ret []dnsname.FQDN) {
-	for _, s := range strs {
-		fqdn, err := dnsname.ToFQDN(s)
-		if err != nil {
-			panic(err)
-		}
-		ret = append(ret, fqdn)
-	}
-	return ret
-}
-
-func hosts(strs ...string) (ret map[dnsname.FQDN][]netaddr.IP) {
-	var key dnsname.FQDN
-	ret = map[dnsname.FQDN][]netaddr.IP{}
-	for _, s := range strs {
-		if ip, err := netaddr.ParseIP(s); err == nil {
-			if key == "" {
-				panic("IP provided before name")
-			}
-			ret[key] = append(ret[key], ip)
-		} else {
-			fqdn, err := dnsname.ToFQDN(s)
-			if err != nil {
-				panic(err)
-			}
-			key = fqdn
-		}
-	}
-	return ret
-}
-
-func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
-	var key dnsname.FQDN
-	ret = map[dnsname.FQDN][]netaddr.IPPort{}
-	for _, s := range strs {
-		if ipp, err := netaddr.ParseIPPort(s); err == nil {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = append(ret[key], ipp)
-		} else {
-			fqdn, err := dnsname.ToFQDN(s)
-			if err != nil {
-				panic(err)
-			}
-			key = fqdn
-		}
-	}
-	return ret
-}
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@@ -5,58 +5,31 @@
 package dns

 import (
-	"errors"
 	"fmt"
 	"os/exec"
 	"strings"
 	"syscall"
 	"time"

-	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
-	"inet.af/netaddr"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
 )

 const (
 	ipv4RegBase = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`
 	ipv6RegBase = `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters`
-
-	// the GUID is randomly generated. At present, Tailscale installs
-	// zero or one NRPT rules, so hardcoding a single GUID everywhere
-	// is fine.
-	nrptBase        = `SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DnsPolicyConfig\{5abe529b-675b-4486-8459-25a634dacc23}`
-	nrptOverrideDNS = 0x8 // bitmask value for "use the provided override DNS resolvers"
-
-	versionKey = `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
 )

 type windowsManager struct {
-	logf      logger.Logf
-	guid      string
-	nrptWorks bool
+	logf logger.Logf
+	guid string
 }

-func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator, error) {
-	ret := windowsManager{
-		logf:      logf,
-		guid:      interfaceName,
-		nrptWorks: !isWindows7(),
+func newManager(mconfig ManagerConfig) managerImpl {
+	return windowsManager{
+		logf: mconfig.Logf,
+		guid: mconfig.InterfaceName,
 	}
-
-	// Best-effort: if our NRPT rule exists, try to delete it. Unlike
-	// per-interface configuration, NRPT rules survive the unclean
-	// termination of the Tailscale process, and depending on the
-	// rule, it may prevent us from reaching login.tailscale.com to
-	// boot up. The bootstrap resolver logic will save us, but it
-	// slows down start-up a bunch.
-	if ret.nrptWorks {
-		ret.delKey(nrptBase)
-	}
-
-	return ret, nil
 }

 // keyOpenTimeout is how long we wait for a registry key to
@@ -65,86 +38,37 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator,
 // can end up racing with that.
 const keyOpenTimeout = 20 * time.Second

-func (m windowsManager) openKey(path string) (registry.Key, error) {
+func setRegistryString(path, name, value string) error {
 	key, err := openKeyWait(registry.LOCAL_MACHINE, path, registry.SET_VALUE, keyOpenTimeout)
 	if err != nil {
-		return 0, fmt.Errorf("opening %s: %w", path, err)
-	}
-	return key, nil
-}
-
-func (m windowsManager) ifPath(basePath string) string {
-	return fmt.Sprintf(`%s\Interfaces\%s`, basePath, m.guid)
-}
-
-func (m windowsManager) delKey(path string) error {
-	if err := registry.DeleteKey(registry.LOCAL_MACHINE, path); err != nil && err != registry.ErrNotExist {
-		return err
-	}
-	return nil
-}
-
-func delValue(key registry.Key, name string) error {
-	if err := key.DeleteValue(name); err != nil && err != registry.ErrNotExist {
-		return err
-	}
-	return nil
-}
-
-// setSplitDNS configures an NRPT (Name Resolution Policy Table) rule
-// to resolve queries for domains using resolvers, rather than the
-// system's "primary" resolver.
-//
-// If no resolvers are provided, the Tailscale NRPT rule is deleted.
-func (m windowsManager) setSplitDNS(resolvers []netaddr.IP, domains []dnsname.FQDN) error {
-	if len(resolvers) == 0 {
-		return m.delKey(nrptBase)
-	}
-
-	servers := make([]string, 0, len(resolvers))
-	for _, resolver := range resolvers {
-		servers = append(servers, resolver.String())
-	}
-	doms := make([]string, 0, len(domains))
-	for _, domain := range domains {
-		// NRPT rules must have a leading dot, which is not usual for
-		// DNS search paths.
-		doms = append(doms, "."+domain.WithoutTrailingDot())
-	}
-
-	// CreateKey is actually open-or-create, which suits us fine.
-	key, _, err := registry.CreateKey(registry.LOCAL_MACHINE, nrptBase, registry.SET_VALUE)
-	if err != nil {
-		return fmt.Errorf("opening %s: %w", nrptBase, err)
+		return fmt.Errorf("opening %s: %w", path, err)
 	}
 	defer key.Close()
-	if err := key.SetDWordValue("Version", 1); err != nil {
-		return err
-	}
-	if err := key.SetStringsValue("Name", doms); err != nil {
-		return err
-	}
-	if err := key.SetStringValue("GenericDNSServers", strings.Join(servers, "; ")); err != nil {
-		return err
-	}
-	if err := key.SetDWordValue("ConfigOptions", nrptOverrideDNS); err != nil {
-		return err
-	}

+	err = key.SetStringValue(name, value)
+	if err != nil {
+		return fmt.Errorf("setting %s[%s]: %w", path, name, err)
+	}
 	return nil
 }

-// setPrimaryDNS sets the given resolvers and domains as the Tailscale
-// interface's DNS configuration.
-// If resolvers is non-empty, those resolvers become the system's
-// "primary" resolvers.
-// domains can be set without resolvers, which just contributes new
-// paths to the global DNS search list.
-func (m windowsManager) setPrimaryDNS(resolvers []netaddr.IP, domains []dnsname.FQDN) error {
+func (m windowsManager) setNameservers(basePath string, nameservers []string) error {
+	path := fmt.Sprintf(`%s\Interfaces\%s`, basePath, m.guid)
+	value := strings.Join(nameservers, ",")
+	return setRegistryString(path, "NameServer", value)
+}
+
+func (m windowsManager) setDomains(basePath string, domains []string) error {
+	path := fmt.Sprintf(`%s\Interfaces\%s`, basePath, m.guid)
+	value := strings.Join(domains, ",")
+	return setRegistryString(path, "SearchList", value)
+}
+
+func (m windowsManager) Up(config Config) error {
 	var ipsv4 []string
 	var ipsv6 []string

-	for _, ip := range resolvers {
+	for _, ip := range config.Nameservers {
 		if ip.Is4() {
 			ipsv4 = append(ipsv4, ip.String())
 		} else {
@@ -152,111 +76,19 @@ func (m windowsManager) setPrimaryDNS(resolvers []netaddr.IP, domains []dnsname.
 		}
 	}

-	domStrs := make([]string, 0, len(domains))
-	for _, dom := range domains {
-		domStrs = append(domStrs, dom.WithoutTrailingDot())
-	}
-
-	key4, err := m.openKey(m.ifPath(ipv4RegBase))
-	if err != nil {
+	if err := m.setNameservers(ipv4RegBase, ipsv4); err != nil {
 		return err
 	}
-	defer key4.Close()
-
-	if len(ipsv4) == 0 {
-		if err := delValue(key4, "NameServer"); err != nil {
-			return err
-		}
-	} else if err := key4.SetStringValue("NameServer", strings.Join(ipsv4, ",")); err != nil {
+	if err := m.setDomains(ipv4RegBase, config.Domains); err != nil {
 		return err
 	}

-	if len(domains) == 0 {
-		if err := delValue(key4, "SearchList"); err != nil {
-			return err
-		}
-	} else if err := key4.SetStringValue("SearchList", strings.Join(domStrs, ",")); err != nil {
+	if err := m.setNameservers(ipv6RegBase, ipsv6); err != nil {
 		return err
 	}
-
-	key6, err := m.openKey(m.ifPath(ipv6RegBase))
-	if err != nil {
+	if err := m.setDomains(ipv6RegBase, config.Domains); err != nil {
 		return err
 	}
-	defer key6.Close()
-
-	if len(ipsv6) == 0 {
-		if err := delValue(key6, "NameServer"); err != nil {
-			return err
-		}
-	} else if err := key6.SetStringValue("NameServer", strings.Join(ipsv6, ",")); err != nil {
-		return err
-	}
-
-	if len(domains) == 0 {
-		if err := delValue(key6, "SearchList"); err != nil {
-			return err
-		}
-	} else if err := key6.SetStringValue("SearchList", strings.Join(domStrs, ",")); err != nil {
-		return err
-	}
-
-	// Disable LLMNR on the Tailscale interface. We don't do
-	// multicast, and we certainly don't do LLMNR, so it's pointless
-	// to make Windows try it.
-	if err := key4.SetDWordValue("EnableMulticast", 0); err != nil {
-		return err
-	}
-	if err := key6.SetDWordValue("EnableMulticast", 0); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (m windowsManager) SetDNS(cfg OSConfig) error {
-	// We can configure Windows DNS in one of two ways:
-	//
-	//  - In primary DNS mode, we set the NameServer and SearchList
-	//    registry keys on our interface. Because our interface metric
-	//    is very low, this turns us into the one and only "primary"
-	//    resolver for the OS, i.e. all queries flow to the
-	//    resolver(s) we specify.
-	//  - In split DNS mode, we set the Domain registry key on our
-	//    interface (which adds that domain to the global search list,
-	//    but does not contribute other DNS configuration from the
-	//    interface), and configure an NRPT (Name Resolution Policy
-	//    Table) rule to route queries for our suffixes to the
-	//    provided resolver.
-	//
-	// When switching modes, we delete all the configuration related
-	// to the other mode, so these two are an XOR.
-	//
-	// Windows actually supports much more advanced configurations as
-	// well, with arbitrary routing of hosts and suffixes to arbitrary
-	// resolvers. However, we use it in a "simple" split domain
-	// configuration only, routing one set of things to the "split"
-	// resolver and the rest to the primary.
-
-	if len(cfg.MatchDomains) == 0 {
-		if err := m.setSplitDNS(nil, nil); err != nil {
-			return err
-		}
-		if err := m.setPrimaryDNS(cfg.Nameservers, cfg.SearchDomains); err != nil {
-			return err
-		}
-	} else if !m.nrptWorks {
-		return errors.New("cannot set per-domain resolvers on Windows 7")
-	} else {
-		if err := m.setSplitDNS(cfg.Nameservers, cfg.MatchDomains); err != nil {
-			return err
-		}
-		// Still set search domains on the interface, since NRPT only
-		// handles query routing and not search domain expansion.
-		if err := m.setPrimaryDNS(nil, cfg.SearchDomains); err != nil {
-			return err
-		}
-	}

 	// Force DNS re-registration in Active Directory. What we actually
 	// care about is that this command invokes the undocumented hidden
@@ -265,134 +97,22 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {
 	// effect.
 	//
 	// This command can take a few seconds to run, so run it async, best effort.
-	//
-	// After re-registering DNS, also flush the DNS cache to clear out
-	// any cached split-horizon queries that are no longer the correct
-	// answer.
 	go func() {
 		t0 := time.Now()
 		m.logf("running ipconfig /registerdns ...")
 		cmd := exec.Command("ipconfig", "/registerdns")
 		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
-		err := cmd.Run()
 		d := time.Since(t0).Round(time.Millisecond)
-		if err != nil {
+		if err := cmd.Run(); err != nil {
 			m.logf("error running ipconfig /registerdns after %v: %v", d, err)
 		} else {
 			m.logf("ran ipconfig /registerdns in %v", d)
 		}
-
-		t0 = time.Now()
-		m.logf("running ipconfig /registerdns ...")
-		cmd = exec.Command("ipconfig", "/flushdns")
-		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
-		err = cmd.Run()
-		d = time.Since(t0).Round(time.Millisecond)
-		if err != nil {
-			m.logf("error running ipconfig /flushdns after %v: %v", d, err)
-		} else {
-			m.logf("ran ipconfig /flushdns in %v", d)
-		}
 	}()

 	return nil
 }

-func (m windowsManager) SupportsSplitDNS() bool {
-	return m.nrptWorks
-}
-
-func (m windowsManager) Close() error {
-	return m.SetDNS(OSConfig{})
-}
-
-func (m windowsManager) GetBaseConfig() (OSConfig, error) {
-	resolvers, err := m.getBasePrimaryResolver()
-	if err != nil {
-		return OSConfig{}, err
-	}
-	return OSConfig{
-		Nameservers: resolvers,
-		// Don't return any search domains here, because even Windows
-		// 7 correctly handles blending search domains from multiple
-		// sources, and any search domains we add here will get tacked
-		// onto the Tailscale config unnecessarily.
-	}, nil
-}
-
-// getBasePrimaryResolver returns a guess of the non-Tailscale primary
-// resolver on the system.
-// It's used on Windows 7 to emulate split DNS by trying to figure out
-// what the "previous" primary resolver was. It might be wrong, or
-// incomplete.
-func (m windowsManager) getBasePrimaryResolver() (resolvers []netaddr.IP, err error) {
-	tsGUID, err := windows.GUIDFromString(m.guid)
-	if err != nil {
-		return nil, err
-	}
-	tsLUID, err := winipcfg.LUIDFromGUID(&tsGUID)
-	if err != nil {
-		return nil, err
-	}
-	ifrows, err := winipcfg.GetIPInterfaceTable(windows.AF_INET)
-	if err == windows.ERROR_NOT_FOUND {
-		// IPv4 seems disabled, try to get interface metrics from IPv6 instead.
-		ifrows, err = winipcfg.GetIPInterfaceTable(windows.AF_INET6)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		primary winipcfg.LUID
-		best    = ^uint32(0)
-	)
-	for _, row := range ifrows {
-		if !row.Connected {
-			continue
-		}
-		if row.InterfaceLUID == tsLUID {
-			continue
-		}
-		if row.Metric < best {
-			primary = row.InterfaceLUID
-			best = row.Metric
-		}
-	}
-	if primary == 0 {
-		// No resolvers set outside of Tailscale.
-		return nil, nil
-	}
-
-	ips, err := primary.DNS()
-	if err != nil {
-		return nil, err
-	}
-	for _, stdip := range ips {
-		if ip, ok := netaddr.FromStdIP(stdip); ok {
-			resolvers = append(resolvers, ip)
-		}
-	}
-
-	return resolvers, nil
-}
-
-func isWindows7() bool {
-	key, err := registry.OpenKey(registry.LOCAL_MACHINE, versionKey, registry.READ)
-	if err != nil {
-		// Fail safe, assume Windows 7.
-		return true
-	}
-	ver, _, err := key.GetStringValue("CurrentVersion")
-	if err != nil {
-		return true
-	}
-	// Careful to not assume anything about version numbers beyond
-	// 6.3, Microsoft deprecated this registry key and locked its
-	// value to what it was in Windows 8.1. We can only use this to
-	// probe for versions before that. Good thing we only need Windows
-	// 7 (so far).
-	//
-	// And yes, Windows 7 is version 6.1. Don't ask.
-	return ver == "6.1"
+func (m windowsManager) Down() error {
+	return m.Up(Config{Nameservers: nil, Domains: nil})
 }
--- a/net/dns/map.go
+++ b/net/dns/map.go
@@ -0,0 +1,160 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dns
+
+import (
+	"sort"
+	"strings"
+
+	"inet.af/netaddr"
+)
+
+// Map is all the data Resolver needs to resolve DNS queries within the Tailscale network.
+type Map struct {
+	// nameToIP is a mapping of Tailscale domain names to their IP addresses.
+	// For example, monitoring.tailscale.us -> 100.64.0.1.
+	nameToIP map[string]netaddr.IP
+	// ipToName is the inverse of nameToIP.
+	ipToName map[netaddr.IP]string
+	// names are the keys of nameToIP in sorted order.
+	names []string
+	// rootDomains are the domains whose subdomains should always
+	// be resolved locally to prevent leakage of sensitive names.
+	rootDomains []string // e.g. "user.provider.beta.tailscale.net."
+}
+
+// NewMap returns a new Map with name to address mapping given by nameToIP.
+//
+// rootDomains are the domains whose subdomains should always be
+// resolved locally to prevent leakage of sensitive names. They should
+// end in a period ("user-foo.tailscale.net.").
+func NewMap(initNameToIP map[string]netaddr.IP, rootDomains []string) *Map {
+	// TODO(dmytro): we have to allocate names and ipToName, but nameToIP can be avoided.
+	// It is here because control sends us names not in canonical form. Change this.
+	names := make([]string, 0, len(initNameToIP))
+	nameToIP := make(map[string]netaddr.IP, len(initNameToIP))
+	ipToName := make(map[netaddr.IP]string, len(initNameToIP))
+
+	for name, ip := range initNameToIP {
+		if len(name) == 0 {
+			// Nothing useful can be done with empty names.
+			continue
+		}
+		if name[len(name)-1] != '.' {
+			name += "."
+		}
+		names = append(names, name)
+		nameToIP[name] = ip
+		ipToName[ip] = name
+	}
+	sort.Strings(names)
+
+	return &Map{
+		nameToIP: nameToIP,
+		ipToName: ipToName,
+		names:    names,
+
+		rootDomains: rootDomains,
+	}
+}
+
+func printSingleNameIP(buf *strings.Builder, name string, ip netaddr.IP) {
+	buf.WriteString(name)
+	buf.WriteByte('\t')
+	buf.WriteString(ip.String())
+	buf.WriteByte('\n')
+}
+
+func (m *Map) Pretty() string {
+	buf := new(strings.Builder)
+	for _, name := range m.names {
+		printSingleNameIP(buf, name, m.nameToIP[name])
+	}
+	return buf.String()
+}
+
+func (m *Map) PrettyDiffFrom(old *Map) string {
+	var (
+		oldNameToIP map[string]netaddr.IP
+		newNameToIP map[string]netaddr.IP
+		oldNames    []string
+		newNames    []string
+	)
+	if old != nil {
+		oldNameToIP = old.nameToIP
+		oldNames = old.names
+	}
+	if m != nil {
+		newNameToIP = m.nameToIP
+		newNames = m.names
+	}
+
+	buf := new(strings.Builder)
+	space := func() bool {
+		return buf.Len() < (1 << 10)
+	}
+
+	for len(oldNames) > 0 && len(newNames) > 0 {
+		var name string
+
+		newName, oldName := newNames[0], oldNames[0]
+		switch {
+		case oldName < newName:
+			name = oldName
+			oldNames = oldNames[1:]
+		case oldName > newName:
+			name = newName
+			newNames = newNames[1:]
+		case oldNames[0] == newNames[0]:
+			name = oldNames[0]
+			oldNames = oldNames[1:]
+			newNames = newNames[1:]
+		}
+		if !space() {
+			continue
+		}
+
+		ipOld, inOld := oldNameToIP[name]
+		ipNew, inNew := newNameToIP[name]
+		switch {
+		case !inOld:
+			buf.WriteByte('+')
+			printSingleNameIP(buf, name, ipNew)
+		case !inNew:
+			buf.WriteByte('-')
+			printSingleNameIP(buf, name, ipOld)
+		case ipOld != ipNew:
+			buf.WriteByte('-')
+			printSingleNameIP(buf, name, ipOld)
+			buf.WriteByte('+')
+			printSingleNameIP(buf, name, ipNew)
+		}
+	}
+
+	for _, name := range oldNames {
+		if !space() {
+			break
+		}
+		if _, ok := newNameToIP[name]; !ok {
+			buf.WriteByte('-')
+			printSingleNameIP(buf, name, oldNameToIP[name])
+		}
+	}
+
+	for _, name := range newNames {
+		if !space() {
+			break
+		}
+		if _, ok := oldNameToIP[name]; !ok {
+			buf.WriteByte('+')
+			printSingleNameIP(buf, name, newNameToIP[name])
+		}
+	}
+	if !space() {
+		buf.WriteString("... [truncated]\n")
+	}
+
+	return buf.String()
+}
--- a/net/dns/map_test.go
+++ b/net/dns/map_test.go
@@ -0,0 +1,156 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dns
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"inet.af/netaddr"
+)
+
+func TestPretty(t *testing.T) {
+	tests := []struct {
+		name string
+		dmap *Map
+		want string
+	}{
+		{"empty", NewMap(nil, nil), ""},
+		{
+			"single",
+			NewMap(map[string]netaddr.IP{
+				"hello.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+			}, nil),
+			"hello.ipn.dev.\t100.101.102.103\n",
+		},
+		{
+			"multiple",
+			NewMap(map[string]netaddr.IP{
+				"test1.domain.":     netaddr.IPv4(100, 101, 102, 103),
+				"test2.sub.domain.": netaddr.IPv4(100, 99, 9, 1),
+			}, nil),
+			"test1.domain.\t100.101.102.103\ntest2.sub.domain.\t100.99.9.1\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.dmap.Pretty()
+			if tt.want != got {
+				t.Errorf("want %v; got %v", tt.want, got)
+			}
+		})
+	}
+}
+
+func TestPrettyDiffFrom(t *testing.T) {
+	tests := []struct {
+		name string
+		map1 *Map
+		map2 *Map
+		want string
+	}{
+		{
+			"from_empty",
+			nil,
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			"+test1.ipn.dev.\t100.101.102.103\n+test2.ipn.dev.\t100.103.102.101\n",
+		},
+		{
+			"equal",
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			NewMap(map[string]netaddr.IP{
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+			}, nil),
+			"",
+		},
+		{
+			"changed_ip",
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			NewMap(map[string]netaddr.IP{
+				"test2.ipn.dev.": netaddr.IPv4(100, 104, 102, 101),
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+			}, nil),
+			"-test2.ipn.dev.\t100.103.102.101\n+test2.ipn.dev.\t100.104.102.101\n",
+		},
+		{
+			"new_domain",
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			NewMap(map[string]netaddr.IP{
+				"test3.ipn.dev.": netaddr.IPv4(100, 105, 106, 107),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+			}, nil),
+			"+test3.ipn.dev.\t100.105.106.107\n",
+		},
+		{
+			"gone_domain",
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+			}, nil),
+			"-test2.ipn.dev.\t100.103.102.101\n",
+		},
+		{
+			"mixed",
+			NewMap(map[string]netaddr.IP{
+				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
+				"test4.ipn.dev.": netaddr.IPv4(100, 107, 106, 105),
+				"test5.ipn.dev.": netaddr.IPv4(100, 64, 1, 1),
+				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
+			}, nil),
+			NewMap(map[string]netaddr.IP{
+				"test2.ipn.dev.": netaddr.IPv4(100, 104, 102, 101),
+				"test1.ipn.dev.": netaddr.IPv4(100, 100, 101, 102),
+				"test3.ipn.dev.": netaddr.IPv4(100, 64, 1, 1),
+			}, nil),
+			"-test1.ipn.dev.\t100.101.102.103\n+test1.ipn.dev.\t100.100.101.102\n" +
+				"-test2.ipn.dev.\t100.103.102.101\n+test2.ipn.dev.\t100.104.102.101\n" +
+				"+test3.ipn.dev.\t100.64.1.1\n-test4.ipn.dev.\t100.107.106.105\n-test5.ipn.dev.\t100.64.1.1\n",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.map2.PrettyDiffFrom(tt.map1)
+			if tt.want != got {
+				t.Errorf("want %v; got %v", tt.want, got)
+			}
+		})
+	}
+
+	t.Run("truncated", func(t *testing.T) {
+		small := NewMap(nil, nil)
+		m := map[string]netaddr.IP{}
+		for i := 0; i < 5000; i++ {
+			m[fmt.Sprintf("host%d.ipn.dev.", i)] = netaddr.IPv4(100, 64, 1, 1)
+		}
+		veryBig := NewMap(m, nil)
+		diff := veryBig.PrettyDiffFrom(small)
+		if len(diff) > 3<<10 {
+			t.Errorf("pretty diff too large: %d bytes", len(diff))
+		}
+		if !strings.Contains(diff, "truncated") {
+			t.Errorf("big diff not truncated")
+		}
+	})
+}
--- a/net/dns/resolver/neterr_darwin.go
+++ b/net/dns/resolver/neterr_darwin.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package resolver
+package dns

 import (
 	"errors"
--- a/net/dns/resolver/neterr_other.go
+++ b/net/dns/resolver/neterr_other.go
@@ -4,7 +4,7 @@

 // +build !darwin,!windows

-package resolver
+package dns

 func networkIsDown(err error) bool        { return false }
 func networkIsUnreachable(err error) bool { return false }
--- a/net/dns/resolver/neterr_windows.go
+++ b/net/dns/resolver/neterr_windows.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package resolver
+package dns

 import (
 	"net"
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -4,72 +4,70 @@

 // +build linux

-//lint:file-ignore U1000 refactoring, temporarily unused code.
-
 package dns

 import (
+	"bufio"
+	"bytes"
 	"context"
 	"fmt"
-	"sort"
-	"time"
+	"os"
+	"os/exec"

 	"github.com/godbus/dbus/v5"
-	"inet.af/netaddr"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/endian"
 )

-const (
-	highestPriority = int32(-1 << 31)
-	mediumPriority  = int32(1)   // Highest priority that doesn't hard-override
-	lowerPriority   = int32(200) // lower than all builtin auto priorities
-)
+// isNMActive determines if NetworkManager is currently managing system DNS settings.
+func isNMActive() bool {
+	// This is somewhat tricky because NetworkManager supports a number
+	// of DNS configuration modes. In all cases, we expect it to be installed
+	// and /etc/resolv.conf to contain a mention of NetworkManager in the comments.
+	_, err := exec.LookPath("NetworkManager")
+	if err != nil {
+		return false
+	}
+
+	f, err := os.Open("/etc/resolv.conf")
+	if err != nil {
+		return false
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		// Look for the word "NetworkManager" until comments end.
+		if len(line) > 0 && line[0] != '#' {
+			return false
+		}
+		if bytes.Contains(line, []byte("NetworkManager")) {
+			return true
+		}
+	}
+	return false
+}

 // nmManager uses the NetworkManager DBus API.
 type nmManager struct {
 	interfaceName string
-	manager       dbus.BusObject
-	dnsManager    dbus.BusObject
 }

-func newNMManager(interfaceName string) (*nmManager, error) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return nil, err
+func newNMManager(mconfig ManagerConfig) managerImpl {
+	return nmManager{
+		interfaceName: mconfig.InterfaceName,
 	}
-
-	return &nmManager{
-		interfaceName: interfaceName,
-		manager:       conn.Object("org.freedesktop.NetworkManager", dbus.ObjectPath("/org/freedesktop/NetworkManager")),
-		dnsManager:    conn.Object("org.freedesktop.NetworkManager", dbus.ObjectPath("/org/freedesktop/NetworkManager/DnsManager")),
-	}, nil
 }

 type nmConnectionSettings map[string]map[string]dbus.Variant

-func (m *nmManager) SetDNS(config OSConfig) error {
+// Up implements managerImpl.
+func (m nmManager) Up(config Config) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

-	// NetworkManager only lets you set DNS settings on "active"
-	// connections, which requires an assigned IP address. This got
-	// configured before the DNS manager was invoked, but it might
-	// take a little time for the netlink notifications to propagate
-	// up. So, keep retrying for the duration of the reconfigTimeout.
-	var err error
-	for ctx.Err() == nil {
-		err = m.trySet(ctx, config)
-		if err == nil {
-			break
-		}
-		time.Sleep(10 * time.Millisecond)
-	}
-
-	return err
-}
-
-func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
+	// conn is a shared connection whose lifecycle is managed by the dbus package.
+	// We should not interfere with that by closing it.
 	conn, err := dbus.SystemBus()
 	if err != nil {
 		return fmt.Errorf("connecting to system bus: %w", err)
@@ -137,79 +135,43 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 		}
 	}

-	seen := map[dnsname.FQDN]bool{}
-	var search []string
-	for _, dom := range config.SearchDomains {
-		if seen[dom] {
-			continue
-		}
-		seen[dom] = true
-		search = append(search, dom.WithTrailingDot())
-	}
-	for _, dom := range config.MatchDomains {
-		if seen[dom] {
-			continue
-		}
-		seen[dom] = true
-		search = append(search, "~"+dom.WithTrailingDot())
-	}
-	if len(config.MatchDomains) == 0 {
-		// Non-split routing requested, add an all-domains match.
-		search = append(search, "~.")
-	}
-
-	general := settings["connection"]
-	general["llmnr"] = dbus.MakeVariant(0)
-	general["mdns"] = dbus.MakeVariant(0)
-
 	ipv4Map := settings["ipv4"]
 	ipv4Map["dns"] = dbus.MakeVariant(dnsv4)
-	ipv4Map["dns-search"] = dbus.MakeVariant(search)
+	ipv4Map["dns-search"] = dbus.MakeVariant(config.Domains)
 	// We should only request priority if we have nameservers to set.
 	if len(dnsv4) == 0 {
-		ipv4Map["dns-priority"] = dbus.MakeVariant(lowerPriority)
-	} else if len(config.MatchDomains) > 0 {
-		// Set a fairly high priority, but don't override all other
-		// configs when in split-DNS mode.
-		ipv4Map["dns-priority"] = dbus.MakeVariant(mediumPriority)
+		ipv4Map["dns-priority"] = dbus.MakeVariant(100)
 	} else {
-		// Negative priority means only the settings from the most
-		// negative connection get used. The way this mixes with
-		// per-domain routing is unclear, but it _seems_ that the
-		// priority applies after routing has found possible
-		// candidates for a resolution.
-		ipv4Map["dns-priority"] = dbus.MakeVariant(highestPriority)
+		// dns-priority = -1 ensures that we have priority
+		// over other interfaces, except those exploiting this same trick.
+		// Ref: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92.
+		ipv4Map["dns-priority"] = dbus.MakeVariant(-1)
 	}
+	// In principle, we should not need set this to true,
+	// as our interface does not configure any automatic DNS settings (presumably via DHCP).
+	// All the same, better to be safe.
+	ipv4Map["ignore-auto-dns"] = dbus.MakeVariant(true)

 	ipv6Map := settings["ipv6"]
-	// In IPv6 settings, you're only allowed to provide additional
-	// static DNS settings in "auto" (SLAAC) or "manual" mode. In
-	// "manual" mode you also have to specify IP addresses, so we use
-	// "auto".
-	//
-	// NM actually documents that to set just DNS servers, you should
-	// use "auto" mode and then set ignore auto routes and DNS, which
-	// basically means "autoconfigure but ignore any autoconfiguration
-	// results you might get". As a safety, we also say that
-	// NetworkManager should never try to make us the default route
-	// (none of its business anyway, we handle our own default
-	// routing).
+	// This is a hack.
+	// Methods "disabled", "ignore", "link-local" (IPv6 default) prevent us from setting DNS.
+	// It seems that our only recourse is "manual" or "auto".
+	// "manual" requires addresses, so we use "auto", which will assign us a random IPv6 /64.
 	ipv6Map["method"] = dbus.MakeVariant("auto")
-	ipv6Map["ignore-auto-routes"] = dbus.MakeVariant(true)
-	ipv6Map["ignore-auto-dns"] = dbus.MakeVariant(true)
+	// Our IPv6 config is a fake, so it should never become the default route.
 	ipv6Map["never-default"] = dbus.MakeVariant(true)
+	// Moreover, we should ignore all autoconfigured routes (hopefully none), as they are bogus.
+	ipv6Map["ignore-auto-routes"] = dbus.MakeVariant(true)

+	// Finally, set the actual DNS config.
 	ipv6Map["dns"] = dbus.MakeVariant(dnsv6)
-	ipv6Map["dns-search"] = dbus.MakeVariant(search)
+	ipv6Map["dns-search"] = dbus.MakeVariant(config.Domains)
 	if len(dnsv6) == 0 {
-		ipv6Map["dns-priority"] = dbus.MakeVariant(lowerPriority)
-	} else if len(config.MatchDomains) > 0 {
-		// Set a fairly high priority, but don't override all other
-		// configs when in split-DNS mode.
-		ipv6Map["dns-priority"] = dbus.MakeVariant(mediumPriority)
+		ipv6Map["dns-priority"] = dbus.MakeVariant(100)
 	} else {
-		ipv6Map["dns-priority"] = dbus.MakeVariant(highestPriority)
+		ipv6Map["dns-priority"] = dbus.MakeVariant(-1)
 	}
+	ipv6Map["ignore-auto-dns"] = dbus.MakeVariant(true)

 	// deprecatedProperties are the properties in interface settings
 	// that are deprecated by NetworkManager.
@@ -226,134 +188,18 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 		delete(ipv6Map, property)
 	}

-	if call := device.CallWithContext(ctx, "org.freedesktop.NetworkManager.Device.Reapply", 0, settings, version, uint32(0)); call.Err != nil {
+	err = device.CallWithContext(
+		ctx, "org.freedesktop.NetworkManager.Device.Reapply", 0,
+		settings, version, uint32(0),
+	).Store()
+	if err != nil {
 		return fmt.Errorf("reapply: %w", err)
 	}

 	return nil
 }

-func (m *nmManager) SupportsSplitDNS() bool {
-	var mode string
-	v, err := m.dnsManager.GetProperty("org.freedesktop.NetworkManager.DnsManager.Mode")
-	if err != nil {
-		return false
-	}
-	mode, ok := v.Value().(string)
-	if !ok {
-		return false
-	}
-
-	// Per NM's documentation, it only does split-DNS when it's
-	// programming dnsmasq or systemd-resolved. All other modes are
-	// primary-only.
-	return mode == "dnsmasq" || mode == "systemd-resolved"
-}
-
-func (m *nmManager) GetBaseConfig() (OSConfig, error) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return OSConfig{}, err
-	}
-
-	nm := conn.Object("org.freedesktop.NetworkManager", dbus.ObjectPath("/org/freedesktop/NetworkManager/DnsManager"))
-	v, err := nm.GetProperty("org.freedesktop.NetworkManager.DnsManager.Configuration")
-	if err != nil {
-		return OSConfig{}, err
-	}
-	cfgs, ok := v.Value().([]map[string]dbus.Variant)
-	if !ok {
-		return OSConfig{}, fmt.Errorf("unexpected NM config type %T", v.Value())
-	}
-
-	if len(cfgs) == 0 {
-		return OSConfig{}, nil
-	}
-
-	type dnsPrio struct {
-		resolvers []netaddr.IP
-		domains   []string
-		priority  int32
-	}
-	order := make([]dnsPrio, 0, len(cfgs)-1)
-
-	for _, cfg := range cfgs {
-		if name, ok := cfg["interface"]; ok {
-			if s, ok := name.Value().(string); ok && s == m.interfaceName {
-				// Config for the taislcale interface, skip.
-				continue
-			}
-		}
-
-		var p dnsPrio
-
-		if v, ok := cfg["nameservers"]; ok {
-			if ips, ok := v.Value().([]string); ok {
-				for _, s := range ips {
-					ip, err := netaddr.ParseIP(s)
-					if err != nil {
-						// hmm, what do? Shouldn't really happen.
-						continue
-					}
-					p.resolvers = append(p.resolvers, ip)
-				}
-			}
-		}
-		if v, ok := cfg["domains"]; ok {
-			if domains, ok := v.Value().([]string); ok {
-				p.domains = domains
-			}
-		}
-		if v, ok := cfg["priority"]; ok {
-			if prio, ok := v.Value().(int32); ok {
-				p.priority = prio
-			}
-		}
-
-		order = append(order, p)
-	}
-
-	sort.Slice(order, func(i, j int) bool {
-		return order[i].priority < order[j].priority
-	})
-
-	var (
-		ret           OSConfig
-		seenResolvers = map[netaddr.IP]bool{}
-		seenSearch    = map[string]bool{}
-	)
-
-	for _, cfg := range order {
-		for _, resolver := range cfg.resolvers {
-			if seenResolvers[resolver] {
-				continue
-			}
-			ret.Nameservers = append(ret.Nameservers, resolver)
-			seenResolvers[resolver] = true
-		}
-		for _, dom := range cfg.domains {
-			if seenSearch[dom] {
-				continue
-			}
-			fqdn, err := dnsname.ToFQDN(dom)
-			if err != nil {
-				continue
-			}
-			ret.SearchDomains = append(ret.SearchDomains, fqdn)
-			seenSearch[dom] = true
-		}
-		if cfg.priority < 0 {
-			// exclusive configurations preempt all other
-			// configurations, so we're done.
-			break
-		}
-	}
-
-	return ret, nil
-}
-
-func (m *nmManager) Close() error {
-	// No need to do anything on close, NetworkManager will delete our
-	// settings when the tailscale interface goes away.
-	return nil
+// Down implements managerImpl.
+func (m nmManager) Down() error {
+	return m.Up(Config{Nameservers: nil, Domains: nil})
 }
--- a/net/dns/noop.go
+++ b/net/dns/noop.go
@@ -6,13 +6,12 @@ package dns

 type noopManager struct{}

-func (m noopManager) SetDNS(OSConfig) error  { return nil }
-func (m noopManager) SupportsSplitDNS() bool { return false }
-func (m noopManager) Close() error           { return nil }
-func (m noopManager) GetBaseConfig() (OSConfig, error) {
-	return OSConfig{}, ErrGetBaseConfigNotSupported
-}
+// Up implements managerImpl.
+func (m noopManager) Up(Config) error { return nil }

-func NewNoopManager() (noopManager, error) {
-	return noopManager{}, nil
+// Down implements managerImpl.
+func (m noopManager) Down() error { return nil }
+
+func newNoopManager(mconfig ManagerConfig) managerImpl {
+	return noopManager{}
 }
--- a/net/dns/openresolv.go
+++ b/net/dns/openresolv.go
@@ -1,92 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"bytes"
-	"fmt"
-	"os/exec"
-	"strings"
-)
-
-// openresolvManager manages DNS configuration using the openresolv
-// implementation of the `resolvconf` program.
-type openresolvManager struct{}
-
-func newOpenresolvManager() (openresolvManager, error) {
-	return openresolvManager{}, nil
-}
-
-func (m openresolvManager) deleteTailscaleConfig() error {
-	cmd := exec.Command("resolvconf", "-f", "-d", "tailscale")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("running %s: %s", cmd, out)
-	}
-	return nil
-}
-
-func (m openresolvManager) SetDNS(config OSConfig) error {
-	if config.IsZero() {
-		return m.deleteTailscaleConfig()
-	}
-
-	var stdin bytes.Buffer
-	writeResolvConf(&stdin, config.Nameservers, config.SearchDomains)
-
-	cmd := exec.Command("resolvconf", "-m", "0", "-x", "-a", "tailscale")
-	cmd.Stdin = &stdin
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("running %s: %s", cmd, out)
-	}
-	return nil
-}
-
-func (m openresolvManager) SupportsSplitDNS() bool {
-	return false
-}
-
-func (m openresolvManager) GetBaseConfig() (OSConfig, error) {
-	// List the names of all config snippets openresolv is aware
-	// of. Snippets get listed in priority order (most to least),
-	// which we'll exploit later.
-	bs, err := exec.Command("resolvconf", "-i").CombinedOutput()
-	if err != nil {
-		return OSConfig{}, err
-	}
-
-	// Remove the "tailscale" snippet from the list.
-	args := []string{"-l"}
-	for _, f := range strings.Split(strings.TrimSpace(string(bs)), " ") {
-		if f == "tailscale" {
-			continue
-		}
-		args = append(args, f)
-	}
-
-	// List all resolvconf snippets except our own, and parse that as
-	// a resolv.conf. This effectively generates a blended config of
-	// "everyone except tailscale", which is what would be in use if
-	// tailscale hadn't set exclusive mode.
-	//
-	// Note that this is not _entirely_ true. To be perfectly correct,
-	// we should be looking for other interfaces marked exclusive that
-	// predated tailscale, and stick to only those. However, in
-	// practice, openresolv uses are generally quite limited, and boil
-	// down to 1-2 DHCP leases, for which the correct outcome is a
-	// blended config like the one we produce here.
-	var buf bytes.Buffer
-	cmd := exec.Command("resolvconf", args...)
-	cmd.Stdout = &buf
-	if err := cmd.Run(); err != nil {
-		return OSConfig{}, err
-	}
-	return readResolv(&buf)
-}
-
-func (m openresolvManager) Close() error {
-	return m.deleteTailscaleConfig()
-}
--- a/net/dns/osconfig.go
+++ b/net/dns/osconfig.go
@@ -1,92 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"errors"
-
-	"inet.af/netaddr"
-	"tailscale.com/util/dnsname"
-)
-
-// An OSConfigurator applies DNS settings to the operating system.
-type OSConfigurator interface {
-	// SetDNS updates the OS's DNS configuration to match cfg.
-	// If cfg is the zero value, all Tailscale-related DNS
-	// configuration is removed.
-	// SetDNS must not be called after Close.
-	SetDNS(cfg OSConfig) error
-	// SupportsSplitDNS reports whether the configurator is capable of
-	// installing a resolver only for specific DNS suffixes. If false,
-	// the configurator can only set a global resolver.
-	SupportsSplitDNS() bool
-	// GetBaseConfig returns the OS's "base" configuration, i.e. the
-	// resolver settings the OS would use without Tailscale
-	// contributing any configuration.
-	// GetBaseConfig must return the tailscale-free base config even
-	// after SetDNS has been called to set a Tailscale configuration.
-	// Only works when SupportsSplitDNS=false.
-
-	// Implementations that don't support getting the base config must
-	// return ErrGetBaseConfigNotSupported.
-	GetBaseConfig() (OSConfig, error)
-	// Close removes Tailscale-related DNS configuration from the OS.
-	Close() error
-}
-
-// OSConfig is an OS DNS configuration.
-type OSConfig struct {
-	// Nameservers are the IP addresses of the nameservers to use.
-	Nameservers []netaddr.IP
-	// SearchDomains are the domain suffixes to use when expanding
-	// single-label name queries. SearchDomains is additive to
-	// whatever non-Tailscale search domains the OS has.
-	SearchDomains []dnsname.FQDN
-	// MatchDomains are the DNS suffixes for which Nameservers should
-	// be used. If empty, Nameservers is installed as the "primary" resolver.
-	// A non-empty MatchDomains requests a "split DNS" configuration
-	// from the OS, which will only work with OSConfigurators that
-	// report SupportsSplitDNS()=true.
-	MatchDomains []dnsname.FQDN
-}
-
-func (o OSConfig) IsZero() bool {
-	return len(o.Nameservers) == 0 && len(o.SearchDomains) == 0 && len(o.MatchDomains) == 0
-}
-
-func (a OSConfig) Equal(b OSConfig) bool {
-	if len(a.Nameservers) != len(b.Nameservers) {
-		return false
-	}
-	if len(a.SearchDomains) != len(b.SearchDomains) {
-		return false
-	}
-	if len(a.MatchDomains) != len(b.MatchDomains) {
-		return false
-	}
-
-	for i := range a.Nameservers {
-		if a.Nameservers[i] != b.Nameservers[i] {
-			return false
-		}
-	}
-	for i := range a.SearchDomains {
-		if a.SearchDomains[i] != b.SearchDomains[i] {
-			return false
-		}
-	}
-	for i := range a.MatchDomains {
-		if a.MatchDomains[i] != b.MatchDomains[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-// ErrGetBaseConfigNotSupported is the error
-// OSConfigurator.GetBaseConfig returns when the OSConfigurator
-// doesn't support reading the underlying configuration out of the OS.
-var ErrGetBaseConfigNotSupported = errors.New("getting OS base config is not supported")
--- a/net/dns/resolvconf-workaround.sh
+++ b/net/dns/resolvconf-workaround.sh
@@ -1,63 +0,0 @@
-#!/bin/sh
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-#
-# This script is a workaround for a vpn-unfriendly behavior of the
-# original resolvconf by Thomas Hood. Unlike the `openresolv`
-# implementation (whose binary is also called resolvconf,
-# confusingly), the original resolvconf lacks a way to specify
-# "exclusive mode" for a provider configuration. In practice, this
-# means that if Tailscale wants to install a DNS configuration, that
-# config will get "blended" with the configs from other sources,
-# rather than override those other sources.
-#
-# This script gets installed at /etc/resolvconf/update-libc.d, which
-# is a directory of hook scripts that get run after resolvconf's libc
-# helper has finished rewriting /etc/resolv.conf. It's meant to notify
-# consumers of resolv.conf of a new configuration.
-#
-# Instead, we use that hook mechanism to reach into resolvconf's
-# stuff, and rewrite the libc-generated resolv.conf to exclusively
-# contain Tailscale's configuration - effectively implementing
-# exclusive mode ourselves in post-production.
-
-set -e
-
-if [ -n "$TAILSCALE_RESOLVCONF_HOOK_LOOP" ]; then
-	# Hook script being invoked by itself, skip.
-	exit 0
-fi
-
-if [ ! -f tun-tailscale.inet ]; then
-	# Tailscale isn't trying to manage DNS, do nothing.
-	exit 0
-fi
-
-if ! grep resolvconf /etc/resolv.conf >/dev/null; then
-	# resolvconf isn't managing /etc/resolv.conf, do nothing.
-	exit 0
-fi
-
-# Write out a modified /etc/resolv.conf containing just our config.
-(
-	if [ -f /etc/resolvconf/resolv.conf.d/head ]; then
-		cat /etc/resolvconf/resolv.conf.d/head
-	fi
-	echo "# Tailscale workaround applied to set exclusive DNS configuration."
-	cat tun-tailscale.inet
-	if [ -f /etc/resolvconf/resolv.conf.d/base ]; then
-		# Keep options and sortlist, discard other base things since
-		# they're the things we're trying to override.
-		grep -e 'sortlist ' -e 'options ' /etc/resolvconf/resolv.conf.d/base || true
-	fi
-	if [ -f /etc/resolvconf/resolv.conf.d/tail ]; then
-		cat /etc/resolvconf/resolv.conf.d/tail
-	fi
-) >/etc/resolv.conf
-
-if [ -d /etc/resolvconf/update-libc.d ] ; then
-	# Re-notify libc watchers that we've changed resolv.conf again.
-	export TAILSCALE_RESOLVCONF_HOOK_LOOP=1
-	exec run-parts /etc/resolvconf/update-libc.d
-fi
--- a/net/dns/resolvconf.go
+++ b/net/dns/resolvconf.go
@@ -1,27 +1,157 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+// +build linux freebsd
+
 package dns

 import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
 	"os/exec"
-
-	"tailscale.com/types/logger"
 )

-func newResolvconfManager(logf logger.Logf) (OSConfigurator, error) {
-	_, err := exec.Command("resolvconf", "--version").CombinedOutput()
+// isResolvconfActive indicates whether the system appears to be using resolvconf.
+// If this is true, then directManager should be avoided:
+// resolvconf has exclusive ownership of /etc/resolv.conf.
+func isResolvconfActive() bool {
+	// Sanity-check first: if there is no resolvconf binary, then this is fruitless.
+	//
+	// However, this binary may be a shim like the one systemd-resolved provides.
+	// Such a shim may not behave as expected: in particular, systemd-resolved
+	// does not seem to respect the exclusive mode -x, saying:
+	//   -x            Send DNS traffic preferably over this interface
+	// whereas e.g. openresolv sends DNS traffix _exclusively_ over that interface,
+	// or not at all (in case of another exclusive-mode request later in time).
+	//
+	// Moreover, resolvconf may be installed but unused, in which case we should
+	// not use it either, lest we clobber existing configuration.
+	//
+	// To handle all the above correctly, we scan the comments in /etc/resolv.conf
+	// to ensure that it was generated by a resolvconf implementation.
+	_, err := exec.LookPath("resolvconf")
 	if err != nil {
-		if exitErr, ok := err.(*exec.ExitError); ok && exitErr.ExitCode() == 99 {
-			// Debian resolvconf doesn't understand --version, and
-			// exits with a specific error code.
-			return newDebianResolvconfManager(logf)
+		return false
+	}
+
+	f, err := os.Open("/etc/resolv.conf")
+	if err != nil {
+		return false
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+		// Look for the word "resolvconf" until comments end.
+		if len(line) > 0 && line[0] != '#' {
+			return false
+		}
+		if bytes.Contains(line, []byte("resolvconf")) {
+			return true
 		}
 	}
-	// If --version works, or we got some surprising error while
-	// probing, use openresolv. It's the more common implementation,
-	// so in cases where we can't figure things out, it's the least
-	// likely to misbehave.
-	return newOpenresolvManager()
+	return false
+}
+
+// resolvconfImpl enumerates supported implementations of the resolvconf CLI.
+type resolvconfImpl uint8
+
+const (
+	// resolvconfOpenresolv is the implementation packaged as "openresolv" on Ubuntu.
+	// It supports exclusive mode and interface metrics.
+	resolvconfOpenresolv resolvconfImpl = iota
+	// resolvconfLegacy is the implementation by Thomas Hood packaged as "resolvconf" on Ubuntu.
+	// It does not support exclusive mode or interface metrics.
+	resolvconfLegacy
+)
+
+func (impl resolvconfImpl) String() string {
+	switch impl {
+	case resolvconfOpenresolv:
+		return "openresolv"
+	case resolvconfLegacy:
+		return "legacy"
+	default:
+		return "unknown"
+	}
+}
+
+// getResolvconfImpl returns the implementation of resolvconf that appears to be in use.
+func getResolvconfImpl() resolvconfImpl {
+	err := exec.Command("resolvconf", "-v").Run()
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			// Thomas Hood's resolvconf has a minimal flag set
+			// and exits with code 99 when passed an unknown flag.
+			if exitErr.ExitCode() == 99 {
+				return resolvconfLegacy
+			}
+		}
+	}
+	return resolvconfOpenresolv
+}
+
+type resolvconfManager struct {
+	impl resolvconfImpl
+}
+
+func newResolvconfManager(mconfig ManagerConfig) managerImpl {
+	impl := getResolvconfImpl()
+	mconfig.Logf("resolvconf implementation is %s", impl)
+
+	return resolvconfManager{
+		impl: impl,
+	}
+}
+
+// resolvconfConfigName is the name of the config submitted to resolvconf.
+// It has this form to match the "tun*" rule in interface-order
+// when running resolvconfLegacy, hopefully placing our config first.
+const resolvconfConfigName = "tun-tailscale.inet"
+
+// Up implements managerImpl.
+func (m resolvconfManager) Up(config Config) error {
+	stdin := new(bytes.Buffer)
+	writeResolvConf(stdin, config.Nameservers, config.Domains) // dns_direct.go
+
+	var cmd *exec.Cmd
+	switch m.impl {
+	case resolvconfOpenresolv:
+		// Request maximal priority (metric 0) and exclusive mode.
+		cmd = exec.Command("resolvconf", "-m", "0", "-x", "-a", resolvconfConfigName)
+	case resolvconfLegacy:
+		// This does not quite give us the desired behavior (queries leak),
+		// but there is nothing else we can do without messing with other interfaces' settings.
+		cmd = exec.Command("resolvconf", "-a", resolvconfConfigName)
+	}
+	cmd.Stdin = stdin
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("running %s: %s", cmd, out)
+	}
+
+	return nil
+}
+
+// Down implements managerImpl.
+func (m resolvconfManager) Down() error {
+	var cmd *exec.Cmd
+	switch m.impl {
+	case resolvconfOpenresolv:
+		cmd = exec.Command("resolvconf", "-f", "-d", resolvconfConfigName)
+	case resolvconfLegacy:
+		// resolvconfLegacy lacks the -f flag.
+		// Instead, it succeeds even when the config does not exist.
+		cmd = exec.Command("resolvconf", "-d", resolvconfConfigName)
+	}
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("running %s: %s", cmd, out)
+	}
+
+	return nil
 }
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -4,21 +4,18 @@

 // +build linux

-//lint:file-ignore U1000 refactoring, temporarily unused code.
-
 package dns

 import (
 	"context"
 	"errors"
 	"fmt"
+	"os/exec"

 	"github.com/godbus/dbus/v5"
 	"golang.org/x/sys/unix"
 	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/dnsname"
 )

 // resolvedListenAddr is the listen address of the resolved stub resolver.
@@ -52,20 +49,15 @@ type resolvedLinkDomain struct {

 // isResolvedActive determines if resolved is currently managing system DNS settings.
 func isResolvedActive() bool {
-	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
-	defer cancel()
-
-	conn, err := dbus.SystemBus()
+	// systemd-resolved is never installed without systemd.
+	_, err := exec.LookPath("systemctl")
 	if err != nil {
-		// Probably no DBus on the system, or we're not allowed to use
-		// it. Cannot control resolved.
 		return false
 	}

-	rd := conn.Object("org.freedesktop.resolve1", dbus.ObjectPath("/org/freedesktop/resolve1"))
-	call := rd.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0)
-	if call.Err != nil {
-		// Can't talk to resolved.
+	// is-active exits with code 3 if the service is not active.
+	err = exec.Command("systemctl", "is-active", "systemd-resolved").Run()
+	if err != nil {
 		return false
 	}

@@ -83,28 +75,29 @@ func isResolvedActive() bool {
 }

 // resolvedManager uses the systemd-resolved DBus API.
-type resolvedManager struct {
-	logf     logger.Logf
-	resolved dbus.BusObject
-}
+type resolvedManager struct{}

-func newResolvedManager(logf logger.Logf) (*resolvedManager, error) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return nil, err
-	}
-
-	return &resolvedManager{
-		logf:     logf,
-		resolved: conn.Object("org.freedesktop.resolve1", dbus.ObjectPath("/org/freedesktop/resolve1")),
-	}, nil
+func newResolvedManager(mconfig ManagerConfig) managerImpl {
+	return resolvedManager{}
 }

 // Up implements managerImpl.
-func (m *resolvedManager) SetDNS(config OSConfig) error {
+func (m resolvedManager) Up(config Config) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

+	// conn is a shared connection whose lifecycle is managed by the dbus package.
+	// We should not interfere with that by closing it.
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connecting to system bus: %w", err)
+	}
+
+	resolved := conn.Object(
+		"org.freedesktop.resolve1",
+		dbus.ObjectPath("/org/freedesktop/resolve1"),
+	)
+
 	// In principle, we could persist this in the manager struct
 	// if we knew that interface indices are persistent. This does not seem to be the case.
 	_, iface, err := interfaces.Tailscale()
@@ -131,7 +124,7 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 		}
 	}

-	err = m.resolved.CallWithContext(
+	err = resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDNS", 0,
 		iface.Index, linkNameservers,
 	).Store()
@@ -139,40 +132,15 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 		return fmt.Errorf("setLinkDNS: %w", err)
 	}

-	linkDomains := make([]resolvedLinkDomain, 0, len(config.SearchDomains)+len(config.MatchDomains))
-	seenDomains := map[dnsname.FQDN]bool{}
-	for _, domain := range config.SearchDomains {
-		if seenDomains[domain] {
-			continue
-		}
-		seenDomains[domain] = true
-		linkDomains = append(linkDomains, resolvedLinkDomain{
-			Domain:      domain.WithTrailingDot(),
+	var linkDomains = make([]resolvedLinkDomain, len(config.Domains))
+	for i, domain := range config.Domains {
+		linkDomains[i] = resolvedLinkDomain{
+			Domain:      domain,
 			RoutingOnly: false,
-		})
-	}
-	for _, domain := range config.MatchDomains {
-		if seenDomains[domain] {
-			// Search domains act as both search and match in
-			// resolved, so it's correct to skip.
-			continue
 		}
-		seenDomains[domain] = true
-		linkDomains = append(linkDomains, resolvedLinkDomain{
-			Domain:      domain.WithTrailingDot(),
-			RoutingOnly: true,
-		})
-	}
-	if len(config.MatchDomains) == 0 && len(config.Nameservers) > 0 {
-		// Caller requested full DNS interception, install a
-		// routing-only root domain.
-		linkDomains = append(linkDomains, resolvedLinkDomain{
-			Domain:      ".",
-			RoutingOnly: true,
-		})
 	}

-	err = m.resolved.CallWithContext(
+	err = resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDomains", 0,
 		iface.Index, linkDomains,
 	).Store()
@@ -180,53 +148,26 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 		return fmt.Errorf("setLinkDomains: %w", err)
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDefaultRoute", 0, iface.Index, len(config.MatchDomains) == 0); call.Err != nil {
-		return fmt.Errorf("setLinkDefaultRoute: %w", err)
-	}
-
-	// Some best-effort setting of things, but resolved should do the
-	// right thing if these fail (e.g. a really old resolved version
-	// or something).
-
-	// Disable LLMNR, we don't do multicast.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkLLMNR", 0, iface.Index, "no"); call.Err != nil {
-		m.logf("[v1] failed to disable LLMNR: %v", call.Err)
-	}
-
-	// Disable mdns.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkMulticastDNS", 0, iface.Index, "no"); call.Err != nil {
-		m.logf("[v1] failed to disable mdns: %v", call.Err)
-	}
-
-	// We don't support dnssec consistently right now, force it off to
-	// avoid partial failures when we split DNS internally.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSSEC", 0, iface.Index, "no"); call.Err != nil {
-		m.logf("[v1] failed to disable DNSSEC: %v", call.Err)
-	}
-
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSOverTLS", 0, iface.Index, "no"); call.Err != nil {
-		m.logf("[v1] failed to disable DoT: %v", call.Err)
-	}
-
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.FlushCaches", 0); call.Err != nil {
-		m.logf("failed to flush resolved DNS cache: %v", call.Err)
-	}
-
 	return nil
 }

-func (m *resolvedManager) SupportsSplitDNS() bool {
-	return true
-}
-
-func (m *resolvedManager) GetBaseConfig() (OSConfig, error) {
-	return OSConfig{}, ErrGetBaseConfigNotSupported
-}
-
-func (m *resolvedManager) Close() error {
+// Down implements managerImpl.
+func (m resolvedManager) Down() error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

+	// conn is a shared connection whose lifecycle is managed by the dbus package.
+	// We should not interfere with that by closing it.
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return fmt.Errorf("connecting to system bus: %w", err)
+	}
+
+	resolved := conn.Object(
+		"org.freedesktop.resolve1",
+		dbus.ObjectPath("/org/freedesktop/resolve1"),
+	)
+
 	_, iface, err := interfaces.Tailscale()
 	if err != nil {
 		return fmt.Errorf("getting interface index: %w", err)
@@ -235,8 +176,12 @@ func (m *resolvedManager) Close() error {
 		return errNotReady
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0, iface.Index); call.Err != nil {
-		return fmt.Errorf("RevertLink: %w", call.Err)
+	err = resolved.CallWithContext(
+		ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0,
+		iface.Index,
+	).Store()
+	if err != nil {
+		return fmt.Errorf("RevertLink: %w", err)
 	}

 	return nil
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -2,14 +2,14 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Package resolver implements a stub DNS resolver that can also serve
-// records out of an internal local zone.
-package resolver
+// Package dns provides a Resolver capable of resolving
+// domains on a Tailscale network.
+package dns

 import (
 	"encoding/hex"
 	"errors"
-	"sort"
+	"net"
 	"strings"
 	"sync"
 	"time"
@@ -37,33 +37,22 @@ const defaultTTL = 600 * time.Second
 var ErrClosed = errors.New("closed")

 var (
-	errFullQueue  = errors.New("request queue full")
-	errNotQuery   = errors.New("not a DNS query")
-	errNotOurName = errors.New("not a Tailscale DNS name")
+	errFullQueue      = errors.New("request queue full")
+	errMapNotSet      = errors.New("domain map not set")
+	errNotForwarding  = errors.New("forwarding disabled")
+	errNotImplemented = errors.New("query type not implemented")
+	errNotQuery       = errors.New("not a DNS query")
+	errNotOurName     = errors.New("not a Tailscale DNS name")
 )

-type packet struct {
-	bs   []byte
-	addr netaddr.IPPort // src for a request, dst for a response
-}
-
-// Config is a resolver configuration.
-// Given a Config, queries are resolved in the following order:
-// If the query is an exact match for an entry in LocalHosts, return that.
-// Else if the query suffix matches an entry in LocalDomains, return NXDOMAIN.
-// Else forward the query to the most specific matching entry in Routes.
-// Else return SERVFAIL.
-type Config struct {
-	// Routes is a map of DNS name suffix to the resolvers to use for
-	// queries within that suffix.
-	// Queries only match the most specific suffix.
-	// To register a "default route", add an entry for ".".
-	Routes map[dnsname.FQDN][]netaddr.IPPort
-	// LocalHosts is a map of FQDNs to corresponding IPs.
-	Hosts map[dnsname.FQDN][]netaddr.IP
-	// LocalDomains is a list of DNS name suffixes that should not be
-	// routed to upstream resolvers.
-	LocalDomains []dnsname.FQDN
+// Packet represents a DNS payload together with the address of its origin.
+type Packet struct {
+	// Payload is the application layer DNS payload.
+	// Resolver assumes ownership of the request payload when it is enqueued
+	// and cedes ownership of the response payload when it is returned from NextResponse.
+	Payload []byte
+	// Addr is the source address for a request and the destination address for a response.
+	Addr netaddr.IPPort
 }

 // Resolver is a DNS resolver for nodes on the Tailscale network,
@@ -71,17 +60,16 @@ type Config struct {
 // If it is asked to resolve a domain that is not of that form,
 // it delegates to upstream nameservers if any are set.
 type Resolver struct {
-	logf               logger.Logf
-	linkMon            *monitor.Mon     // or nil
-	unregLinkMon       func()           // or nil
-	saveConfigForTests func(cfg Config) // used in tests to capture resolver config
+	logf         logger.Logf
+	linkMon      *monitor.Mon // or nil
+	unregLinkMon func()       // or nil
 	// forwarder forwards requests to upstream nameservers.
 	forwarder *forwarder

 	// queue is a buffered channel holding DNS requests queued for resolution.
-	queue chan packet
+	queue chan Packet
 	// responses is an unbuffered channel to which responses are returned.
-	responses chan packet
+	responses chan Packet
 	// errors is an unbuffered channel to which errors are returned.
 	errors chan error
 	// closed signals all goroutines to stop.
@@ -90,70 +78,56 @@ type Resolver struct {
 	wg sync.WaitGroup

 	// mu guards the following fields from being updated while used.
-	mu           sync.Mutex
-	localDomains []dnsname.FQDN
-	hostToIP     map[dnsname.FQDN][]netaddr.IP
-	ipToHost     map[netaddr.IP]dnsname.FQDN
+	mu sync.Mutex
+	// dnsMap is the map most recently received from the control server.
+	dnsMap *Map
 }

-// New returns a new resolver.
-// linkMon optionally specifies a link monitor to use for socket rebinding.
-func New(logf logger.Logf, linkMon *monitor.Mon) *Resolver {
+// ResolverConfig is the set of configuration options for a Resolver.
+type ResolverConfig struct {
+	// Logf is the logger to use throughout the Resolver.
+	Logf logger.Logf
+	// Forward determines whether the resolver will forward packets to
+	// nameservers set with SetUpstreams if the domain name is not of a Tailscale node.
+	Forward bool
+	// LinkMonitor optionally provides a link monitor to use to rebind
+	// connections on link changes.
+	// If nil, rebinds are not performend.
+	LinkMonitor *monitor.Mon
+}
+
+// NewResolver constructs a resolver associated with the given root domain.
+// The root domain must be in canonical form (with a trailing period).
+func NewResolver(config ResolverConfig) *Resolver {
 	r := &Resolver{
-		logf:      logger.WithPrefix(logf, "dns: "),
-		linkMon:   linkMon,
-		queue:     make(chan packet, queueSize),
-		responses: make(chan packet),
+		logf:      logger.WithPrefix(config.Logf, "dns: "),
+		linkMon:   config.LinkMonitor,
+		queue:     make(chan Packet, queueSize),
+		responses: make(chan Packet),
 		errors:    make(chan error),
 		closed:    make(chan struct{}),
-		hostToIP:  map[dnsname.FQDN][]netaddr.IP{},
-		ipToHost:  map[netaddr.IP]dnsname.FQDN{},
 	}
-	r.forwarder = newForwarder(r.logf, r.responses)
+
+	if config.Forward {
+		r.forwarder = newForwarder(r.logf, r.responses)
+	}
 	if r.linkMon != nil {
 		r.unregLinkMon = r.linkMon.RegisterChangeCallback(r.onLinkMonitorChange)
 	}

+	return r
+}
+
+func (r *Resolver) Start() error {
+	if r.forwarder != nil {
+		if err := r.forwarder.Start(); err != nil {
+			return err
+		}
+	}
+
 	r.wg.Add(1)
 	go r.poll()

-	return r
-}
-
-func (r *Resolver) TestOnlySetHook(hook func(Config)) { r.saveConfigForTests = hook }
-
-func (r *Resolver) SetConfig(cfg Config) error {
-	if r.saveConfigForTests != nil {
-		r.saveConfigForTests(cfg)
-	}
-
-	routes := make([]route, 0, len(cfg.Routes))
-	reverse := make(map[netaddr.IP]dnsname.FQDN, len(cfg.Hosts))
-
-	for host, ips := range cfg.Hosts {
-		for _, ip := range ips {
-			reverse[ip] = host
-		}
-	}
-
-	for suffix, ips := range cfg.Routes {
-		routes = append(routes, route{
-			suffix:    suffix,
-			resolvers: ips,
-		})
-	}
-	// Sort from longest prefix to shortest.
-	sort.Slice(routes, func(i, j int) bool {
-		return routes[i].suffix.NumLabels() > routes[j].suffix.NumLabels()
-	})
-
-	r.forwarder.setRoutes(routes)
-
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.localDomains = cfg.LocalDomains
-	r.hostToIP = cfg.Hosts
-	r.ipToHost = reverse
 	return nil
 }

@@ -172,7 +146,10 @@ func (r *Resolver) Close() {
 		r.unregLinkMon()
 	}

-	r.forwarder.Close()
+	if r.forwarder != nil {
+		r.forwarder.Close()
+	}
+
 	r.wg.Wait()
 }

@@ -180,17 +157,37 @@ func (r *Resolver) onLinkMonitorChange(changed bool, state *interfaces.State) {
 	if !changed {
 		return
 	}
-	r.forwarder.rebindFromNetworkChange()
+	if r.forwarder != nil {
+		r.forwarder.rebindFromNetworkChange()
+	}
+}
+
+// SetMap sets the resolver's DNS map, taking ownership of it.
+func (r *Resolver) SetMap(m *Map) {
+	r.mu.Lock()
+	oldMap := r.dnsMap
+	r.dnsMap = m
+	r.mu.Unlock()
+	r.logf("map diff:\n%s", m.PrettyDiffFrom(oldMap))
+}
+
+// SetUpstreams sets the addresses of the resolver's
+// upstream nameservers, taking ownership of the argument.
+func (r *Resolver) SetUpstreams(upstreams []net.Addr) {
+	if r.forwarder != nil {
+		r.forwarder.setUpstreams(upstreams)
+	}
+	r.logf("set upstreams: %v", upstreams)
 }

 // EnqueueRequest places the given DNS request in the resolver's queue.
 // It takes ownership of the payload and does not block.
 // If the queue is full, the request will be dropped and an error will be returned.
-func (r *Resolver) EnqueueRequest(bs []byte, from netaddr.IPPort) error {
+func (r *Resolver) EnqueueRequest(request Packet) error {
 	select {
 	case <-r.closed:
 		return ErrClosed
-	case r.queue <- packet{bs, from}:
+	case r.queue <- request:
 		return nil
 	default:
 		return errFullQueue
@@ -199,80 +196,73 @@ func (r *Resolver) EnqueueRequest(bs []byte, from netaddr.IPPort) error {

 // NextResponse returns a DNS response to a previously enqueued request.
 // It blocks until a response is available and gives up ownership of the response payload.
-func (r *Resolver) NextResponse() (packet []byte, to netaddr.IPPort, err error) {
+func (r *Resolver) NextResponse() (Packet, error) {
 	select {
 	case <-r.closed:
-		return nil, netaddr.IPPort{}, ErrClosed
+		return Packet{}, ErrClosed
 	case resp := <-r.responses:
-		return resp.bs, resp.addr, nil
+		return resp, nil
 	case err := <-r.errors:
-		return nil, netaddr.IPPort{}, err
+		return Packet{}, err
 	}
 }

-// resolveLocal returns an IP for the given domain, if domain is in
-// the local hosts map and has an IP corresponding to the requested
-// typ (A, AAAA, ALL).
-// Returns dns.RCodeRefused to indicate that the local map is not
-// authoritative for domain.
-func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP, dns.RCode) {
-	// Reject .onion domains per RFC 7686.
-	if dnsname.HasSuffix(domain.WithoutTrailingDot(), ".onion") {
-		return netaddr.IP{}, dns.RCodeNameError
-	}
-
+// Resolve maps a given domain name to the IP address of the host that owns it,
+// if the IP address conforms to the DNS resource type given by tp (one of A, AAAA, ALL).
+// The domain name must be in canonical form (with a trailing period).
+func (r *Resolver) Resolve(domain string, tp dns.Type) (netaddr.IP, dns.RCode, error) {
 	r.mu.Lock()
-	hosts := r.hostToIP
-	localDomains := r.localDomains
+	dnsMap := r.dnsMap
 	r.mu.Unlock()

-	addrs, found := hosts[domain]
-	if !found {
-		for _, suffix := range localDomains {
-			if suffix.Contains(domain) {
-				// We are authoritative for the queried domain.
-				return netaddr.IP{}, dns.RCodeNameError
-			}
+	if dnsMap == nil {
+		return netaddr.IP{}, dns.RCodeServerFailure, errMapNotSet
+	}
+
+	// Reject .onion domains per RFC 7686.
+	if dnsname.HasSuffix(domain, ".onion") {
+		return netaddr.IP{}, dns.RCodeNameError, nil
+	}
+
+	anyHasSuffix := false
+	for _, suffix := range dnsMap.rootDomains {
+		if dnsname.HasSuffix(domain, suffix) {
+			anyHasSuffix = true
+			break
 		}
-		// Not authoritative, signal that forwarding is advisable.
-		return netaddr.IP{}, dns.RCodeRefused
+	}
+	addr, found := dnsMap.nameToIP[domain]
+	if !found {
+		if !anyHasSuffix {
+			return netaddr.IP{}, dns.RCodeRefused, nil
+		}
+		return netaddr.IP{}, dns.RCodeNameError, nil
 	}

 	// Refactoring note: this must happen after we check suffixes,
 	// otherwise we will respond with NOTIMP to requests that should be forwarded.
-	//
-	// DNS semantics subtlety: when a DNS name exists, but no records
-	// are available for the requested record type, we must return
-	// RCodeSuccess with no data, not NXDOMAIN.
-	switch typ {
+	switch tp {
 	case dns.TypeA:
-		for _, ip := range addrs {
-			if ip.Is4() {
-				return ip, dns.RCodeSuccess
-			}
+		if !addr.Is4() {
+			return netaddr.IP{}, dns.RCodeSuccess, nil
 		}
-		return netaddr.IP{}, dns.RCodeSuccess
+		return addr, dns.RCodeSuccess, nil
 	case dns.TypeAAAA:
-		for _, ip := range addrs {
-			if ip.Is6() {
-				return ip, dns.RCodeSuccess
-			}
+		if !addr.Is6() {
+			return netaddr.IP{}, dns.RCodeSuccess, nil
 		}
-		return netaddr.IP{}, dns.RCodeSuccess
+		return addr, dns.RCodeSuccess, nil
 	case dns.TypeALL:
 		// Answer with whatever we've got.
 		// It could be IPv4, IPv6, or a zero addr.
 		// TODO: Return all available resolutions (A and AAAA, if we have them).
-		if len(addrs) == 0 {
-			return netaddr.IP{}, dns.RCodeSuccess
-		}
-		return addrs[0], dns.RCodeSuccess
+		return addr, dns.RCodeSuccess, nil

 	// Leave some some record types explicitly unimplemented.
 	// These types relate to recursive resolution or special
-	// DNS semantics and might be implemented in the future.
+	// DNS sematics and might be implemented in the future.
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
-		return netaddr.IP{}, dns.RCodeNotImplemented
+		return netaddr.IP{}, dns.RCodeNotImplemented, errNotImplemented

 	// For everything except for the few types above that are explictly not implemented, return no records.
 	// This is what other DNS systems do: always return NOERROR
@@ -281,43 +271,51 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 	//   dig -t TYPE9824 example.com
 	// and note that NOERROR is returned, despite that record type being made up.
 	default:
-		// The name exists, but no records exist of the requested type.
-		return netaddr.IP{}, dns.RCodeSuccess
+		// no records exist of this type
+		return netaddr.IP{}, dns.RCodeSuccess, nil
 	}
 }

-// resolveReverse returns the unique domain name that maps to the given address.
-func (r *Resolver) resolveLocalReverse(ip netaddr.IP) (dnsname.FQDN, dns.RCode) {
+// ResolveReverse returns the unique domain name that maps to the given address.
+// The returned domain name is in canonical form (with a trailing period).
+func (r *Resolver) ResolveReverse(ip netaddr.IP) (string, dns.RCode, error) {
 	r.mu.Lock()
-	ips := r.ipToHost
+	dnsMap := r.dnsMap
 	r.mu.Unlock()

-	name, found := ips[ip]
-	if !found {
-		return "", dns.RCodeNameError
+	if dnsMap == nil {
+		return "", dns.RCodeServerFailure, errMapNotSet
 	}
-	return name, dns.RCodeSuccess
+	name, found := dnsMap.ipToName[ip]
+	if !found {
+		return "", dns.RCodeNameError, nil
+	}
+	return name, dns.RCodeSuccess, nil
 }

 func (r *Resolver) poll() {
 	defer r.wg.Done()

-	var pkt packet
+	var packet Packet
 	for {
 		select {
 		case <-r.closed:
 			return
-		case pkt = <-r.queue:
+		case packet = <-r.queue:
 			// continue
 		}

-		out, err := r.respond(pkt.bs)
+		out, err := r.respond(packet.Payload)

 		if err == errNotOurName {
-			err = r.forwarder.forward(pkt)
-			if err == nil {
-				// forward will send response into r.responses, nothing to do.
-				continue
+			if r.forwarder != nil {
+				err = r.forwarder.forward(packet)
+				if err == nil {
+					// forward will send response into r.responses, nothing to do.
+					continue
+				}
+			} else {
+				err = errNotForwarding
 			}
 		}

@@ -329,11 +327,11 @@ func (r *Resolver) poll() {
 				// continue
 			}
 		} else {
-			pkt.bs = out
+			packet.Payload = out
 			select {
 			case <-r.closed:
 				return
-			case r.responses <- pkt:
+			case r.responses <- packet:
 				// continue
 			}
 		}
@@ -344,14 +342,12 @@ type response struct {
 	Header   dns.Header
 	Question dns.Question
 	// Name is the response to a PTR query.
-	Name dnsname.FQDN
+	Name string
 	// IP is the response to an A, AAAA, or ALL query.
 	IP netaddr.IP
 }

 // parseQuery parses the query in given packet into a response struct.
-// if the parse is successful, resp.Name contains the normalized name being queried.
-// TODO: stuffing the query name in resp.Name temporarily is a hack. Clean it up.
 func parseQuery(query []byte, resp *response) error {
 	var parser dns.Parser
 	var err error
@@ -407,7 +403,7 @@ func marshalAAAARecord(name dns.Name, ip netaddr.IP, builder *dns.Builder) error

 // marshalPTRRecord serializes a PTR record into an active builder.
 // The caller may continue using the builder following the call.
-func marshalPTRRecord(queryName dns.Name, name dnsname.FQDN, builder *dns.Builder) error {
+func marshalPTRRecord(queryName dns.Name, name string, builder *dns.Builder) error {
 	var answer dns.PTRResource
 	var err error

@@ -417,7 +413,7 @@ func marshalPTRRecord(queryName dns.Name, name dnsname.FQDN, builder *dns.Builde
 		Class: dns.ClassINET,
 		TTL:   uint32(defaultTTL / time.Second),
 	}
-	answer.PTR, err = dns.NewName(name.WithTrailingDot())
+	answer.PTR, err = dns.NewName(name)
 	if err != nil {
 		return err
 	}
@@ -490,13 +486,12 @@ const (
 //   r._dns-sd._udp.<domain>.
 //  dr._dns-sd._udp.<domain>.
 //  lb._dns-sd._udp.<domain>.
-func hasRDNSBonjourPrefix(name dnsname.FQDN) bool {
+func hasRDNSBonjourPrefix(s string) bool {
 	// Even the shortest name containing a Bonjour prefix is long,
 	// so check length (cheap) and bail early if possible.
-	if len(name) < len("*._dns-sd._udp.0.0.0.0.in-addr.arpa.") {
+	if len(s) < len("*._dns-sd._udp.0.0.0.0.in-addr.arpa.") {
 		return false
 	}
-	s := name.WithTrailingDot()
 	dot := strings.IndexByte(s, '.')
 	if dot == -1 {
 		return false // shouldn't happen
@@ -531,9 +526,9 @@ func rawNameToLower(name []byte) string {
 //   4.3.2.1.in-addr.arpa
 // is transformed to
 //   1.2.3.4
-func rdnsNameToIPv4(name dnsname.FQDN) (ip netaddr.IP, ok bool) {
-	s := strings.TrimSuffix(name.WithTrailingDot(), rdnsv4Suffix)
-	ip, err := netaddr.ParseIP(s)
+func rdnsNameToIPv4(name string) (ip netaddr.IP, ok bool) {
+	name = strings.TrimSuffix(name, rdnsv4Suffix)
+	ip, err := netaddr.ParseIP(string(name))
 	if err != nil {
 		return netaddr.IP{}, false
 	}
@@ -550,21 +545,21 @@ func rdnsNameToIPv4(name dnsname.FQDN) (ip netaddr.IP, ok bool) {
 //   b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 // is transformed to
 //   2001:db8::567:89ab
-func rdnsNameToIPv6(name dnsname.FQDN) (ip netaddr.IP, ok bool) {
+func rdnsNameToIPv6(name string) (ip netaddr.IP, ok bool) {
 	var b [32]byte
 	var ipb [16]byte

-	s := strings.TrimSuffix(name.WithTrailingDot(), rdnsv6Suffix)
+	name = strings.TrimSuffix(name, rdnsv6Suffix)
 	// 32 nibbles and 31 dots between them.
-	if len(s) != 63 {
+	if len(name) != 63 {
 		return netaddr.IP{}, false
 	}

 	// Dots and hex digits alternate.
 	prevDot := true
 	// i ranges over name backward; j ranges over b forward.
-	for i, j := len(s)-1, 0; i >= 0; i-- {
-		thisDot := (s[i] == '.')
+	for i, j := len(name)-1, 0; i >= 0; i-- {
+		thisDot := (name[i] == '.')
 		if prevDot == thisDot {
 			return netaddr.IP{}, false
 		}
@@ -573,7 +568,7 @@ func rdnsNameToIPv6(name dnsname.FQDN) (ip netaddr.IP, ok bool) {
 		if !thisDot {
 			// This is safe assuming alternation.
 			// We do not check that non-dots are hex digits: hex.Decode below will do that.
-			b[j] = s[i]
+			b[j] = name[i]
 			j++
 		}
 	}
@@ -588,7 +583,7 @@ func rdnsNameToIPv6(name dnsname.FQDN) (ip netaddr.IP, ok bool) {

 // respondReverse returns a DNS response to a PTR query.
 // It is assumed that resp.Question is populated by respond before this is called.
-func (r *Resolver) respondReverse(query []byte, name dnsname.FQDN, resp *response) ([]byte, error) {
+func (r *Resolver) respondReverse(query []byte, name string, resp *response) ([]byte, error) {
 	if hasRDNSBonjourPrefix(name) {
 		return nil, errNotOurName
 	}
@@ -596,9 +591,9 @@ func (r *Resolver) respondReverse(query []byte, name dnsname.FQDN, resp *respons
 	var ip netaddr.IP
 	var ok bool
 	switch {
-	case strings.HasSuffix(name.WithTrailingDot(), rdnsv4Suffix):
+	case strings.HasSuffix(name, rdnsv4Suffix):
 		ip, ok = rdnsNameToIPv4(name)
-	case strings.HasSuffix(name.WithTrailingDot(), rdnsv6Suffix):
+	case strings.HasSuffix(name, rdnsv6Suffix):
 		ip, ok = rdnsNameToIPv6(name)
 	default:
 		return nil, errNotOurName
@@ -611,7 +606,11 @@ func (r *Resolver) respondReverse(query []byte, name dnsname.FQDN, resp *respons
 		return nil, errNotOurName
 	}

-	resp.Name, resp.Header.RCode = r.resolveLocalReverse(ip)
+	var err error
+	resp.Name, resp.Header.RCode, err = r.ResolveReverse(ip)
+	if err != nil {
+		r.logf("resolving rdns: %v", ip, err)
+	}
 	if resp.Header.RCode == dns.RCodeNameError {
 		return nil, errNotOurName
 	}
@@ -639,12 +638,7 @@ func (r *Resolver) respond(query []byte) ([]byte, error) {
 		return marshalResponse(resp)
 	}
 	rawName := resp.Question.Name.Data[:resp.Question.Name.Length]
-	name, err := dnsname.ToFQDN(rawNameToLower(rawName))
-	if err != nil {
-		// DNS packet unexpectedly contains an invalid FQDN.
-		resp.Header.RCode = dns.RCodeFormatError
-		return marshalResponse(resp)
-	}
+	name := rawNameToLower(rawName)

 	// Always try to handle reverse lookups; delegate inside when not found.
 	// This way, queries for existent nodes do not leak,
@@ -653,11 +647,16 @@ func (r *Resolver) respond(query []byte) ([]byte, error) {
 		return r.respondReverse(query, name, resp)
 	}

-	resp.IP, resp.Header.RCode = r.resolveLocal(name, resp.Question.Type)
+	resp.IP, resp.Header.RCode, err = r.Resolve(name, resp.Question.Type)
 	// This return code is special: it requests forwarding.
 	if resp.Header.RCode == dns.RCodeRefused {
 		return nil, errNotOurName
 	}

+	// We will not return this error: it is the sender's fault.
+	if err != nil {
+		r.logf("resolving: %v", err)
+	}
+
 	return marshalResponse(resp)
 }
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -2,10 +2,10 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package resolver
+package dns

 import (
-	"fmt"
+	"log"
 	"testing"

 	"github.com/miekg/dns"
@@ -16,6 +16,8 @@ import (
 // that depends on github.com/miekg/dns
 // from the rest, which only depends on dnsmessage.

+var dnsHandleFunc = dns.HandleFunc
+
 // resolveToIP returns a handler function which responds
 // to queries of type A it receives with an A record containing ipv4,
 // to queries of type AAAA with an AAAA record containing ipv6,
@@ -66,38 +68,28 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }

-var resolveToNXDOMAIN = dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
+func resolveToNXDOMAIN(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetRcode(req, dns.RcodeNameError)
 	w.WriteMsg(m)
-})
+}
+
+func serveDNS(tb testing.TB, addr string) (*dns.Server, chan error) {
+	server := &dns.Server{Addr: addr, Net: "udp"}

-func serveDNS(tb testing.TB, addr string, records ...interface{}) *dns.Server {
-	if len(records)%2 != 0 {
-		panic("must have an even number of record values")
-	}
-	mux := dns.NewServeMux()
-	for i := 0; i < len(records); i += 2 {
-		name := records[i].(string)
-		handler := records[i+1].(dns.Handler)
-		mux.Handle(name, handler)
-	}
 	waitch := make(chan struct{})
-	server := &dns.Server{
-		Addr:              addr,
-		Net:               "udp",
-		Handler:           mux,
-		NotifyStartedFunc: func() { close(waitch) },
-		ReusePort:         true,
-	}
+	server.NotifyStartedFunc = func() { close(waitch) }

+	errch := make(chan error, 1)
 	go func() {
 		err := server.ListenAndServe()
 		if err != nil {
-			panic(fmt.Sprintf("ListenAndServe(%q): %v", addr, err))
+			log.Printf("ListenAndServe(%q): %v", addr, err)
 		}
+		errch <- err
+		close(errch)
 	}()

 	<-waitch
-	return server
+	return server, errch
 }
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -2,35 +2,40 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package resolver
+package dns

 import (
 	"bytes"
 	"errors"
 	"net"
+	"sync"
 	"testing"

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/tstest"
-	"tailscale.com/util/dnsname"
 )

-var testipv4 = netaddr.MustParseIP("1.2.3.4")
-var testipv6 = netaddr.MustParseIP("0001:0203:0405:0607:0809:0a0b:0c0d:0e0f")
+var testipv4 = netaddr.IPv4(1, 2, 3, 4)
+var testipv6 = netaddr.IPv6Raw([16]byte{
+	0x00, 0x01, 0x02, 0x03,
+	0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b,
+	0x0c, 0x0d, 0x0e, 0x0f,
+})

-var dnsCfg = Config{
-	Hosts: map[dnsname.FQDN][]netaddr.IP{
-		"test1.ipn.dev.": []netaddr.IP{testipv4},
-		"test2.ipn.dev.": []netaddr.IP{testipv6},
+var dnsMap = NewMap(
+	map[string]netaddr.IP{
+		"test1.ipn.dev.": testipv4,
+		"test2.ipn.dev.": testipv6,
 	},
-	LocalDomains: []dnsname.FQDN{"ipn.dev."},
-}
+	[]string{"ipn.dev."},
+)

-func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {
+func dnspacket(domain string, tp dns.Type) []byte {
 	var dnsHeader dns.Header
 	question := dns.Question{
-		Name:  dns.MustNewName(domain.WithTrailingDot()),
+		Name:  dns.MustNewName(domain),
 		Type:  tp,
 		Class: dns.ClassINET,
 	}
@@ -45,7 +50,7 @@ func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {

 type dnsResponse struct {
 	ip    netaddr.IP
-	name  dnsname.FQDN
+	name  string
 	rcode dns.RCode
 }

@@ -95,10 +100,7 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 		if err != nil {
 			return response, err
 		}
-		response.name, err = dnsname.ToFQDN(res.NS.String())
-		if err != nil {
-			return response, err
-		}
+		response.name = res.NS.String()
 	default:
 		return response, errors.New("type not in {A, AAAA, NS}")
 	}
@@ -107,9 +109,10 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 }

 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
-	r.EnqueueRequest(query, netaddr.IPPort{})
-	payload, _, err := r.NextResponse()
-	return payload, err
+	request := Packet{Payload: query}
+	r.EnqueueRequest(request)
+	resp, err := r.NextResponse()
+	return resp.Payload, err
 }

 func mustIP(str string) netaddr.IP {
@@ -123,7 +126,7 @@ func mustIP(str string) netaddr.IP {
 func TestRDNSNameToIPv4(t *testing.T) {
 	tests := []struct {
 		name   string
-		input  dnsname.FQDN
+		input  string
 		wantIP netaddr.IP
 		wantOK bool
 	}{
@@ -148,7 +151,7 @@ func TestRDNSNameToIPv4(t *testing.T) {
 func TestRDNSNameToIPv6(t *testing.T) {
 	tests := []struct {
 		name   string
-		input  dnsname.FQDN
+		input  string
 		wantIP netaddr.IP
 		wantOK bool
 	}{
@@ -190,15 +193,18 @@ func TestRDNSNameToIPv6(t *testing.T) {
 	}
 }

-func TestResolveLocal(t *testing.T) {
-	r := New(t.Logf, nil)
-	defer r.Close()
+func TestResolve(t *testing.T) {
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+	r.SetMap(dnsMap)

-	r.SetConfig(dnsCfg)
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
 		name  string
-		qname dnsname.FQDN
+		qname string
 		qtype dns.Type
 		ip    netaddr.IP
 		code  dns.RCode
@@ -218,7 +224,10 @@ func TestResolveLocal(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ip, code := r.resolveLocal(tt.qname, tt.qtype)
+			ip, code, err := r.Resolve(tt.qname, tt.qtype)
+			if err != nil {
+				t.Errorf("err = %v; want nil", err)
+			}
 			if code != tt.code {
 				t.Errorf("code = %v; want %v", code, tt.code)
 			}
@@ -230,16 +239,19 @@ func TestResolveLocal(t *testing.T) {
 	}
 }

-func TestResolveLocalReverse(t *testing.T) {
-	r := New(t.Logf, nil)
-	defer r.Close()
+func TestResolveReverse(t *testing.T) {
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+	r.SetMap(dnsMap)

-	r.SetConfig(dnsCfg)
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
 		name string
 		ip   netaddr.IP
-		want dnsname.FQDN
+		want string
 		code dns.RCode
 	}{
 		{"ipv4", testipv4, "test1.ipn.dev.", dns.RCodeSuccess},
@@ -249,7 +261,10 @@ func TestResolveLocalReverse(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			name, code := r.resolveLocalReverse(tt.ip)
+			name, code, err := r.ResolveReverse(tt.ip)
+			if err != nil {
+				t.Errorf("err = %v; want nil", err)
+			}
 			if code != tt.code {
 				t.Errorf("code = %v; want %v", code, tt.code)
 			}
@@ -276,26 +291,44 @@ func TestDelegate(t *testing.T) {
 		t.Skip("skipping test that requires localhost IPv6")
 	}

-	v4server := serveDNS(t, "127.0.0.1:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN)
-	defer v4server.Shutdown()
-	v6server := serveDNS(t, "[::1]:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN)
-	defer v6server.Shutdown()
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+	dnsHandleFunc("nxdomain.site.", resolveToNXDOMAIN)

-	r := New(t.Logf, nil)
-	defer r.Close()
+	v4server, v4errch := serveDNS(t, "127.0.0.1:0")
+	v6server, v6errch := serveDNS(t, "[::1]:0")

-	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{
-		".": {
-			netaddr.MustParseIPPort(v4server.PacketConn.LocalAddr().String()),
-			netaddr.MustParseIPPort(v6server.PacketConn.LocalAddr().String()),
-		},
+	defer func() {
+		if err := <-v4errch; err != nil {
+			t.Errorf("v4 server error: %v", err)
+		}
+		if err := <-v6errch; err != nil {
+			t.Errorf("v6 server error: %v", err)
+		}
+	}()
+	if v4server != nil {
+		defer v4server.Shutdown()
 	}
-	r.SetConfig(cfg)
+	if v6server != nil {
+		defer v6server.Shutdown()
+	}
+
+	if v4server == nil || v6server == nil {
+		// There is an error in at least one of the channels
+		// and we cannot proceed; return to see it.
+		return
+	}
+
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+	r.SetUpstreams([]net.Addr{
+		v4server.PacketConn.LocalAddr(),
+		v6server.PacketConn.LocalAddr(),
+	})
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
 		title    string
@@ -349,87 +382,32 @@ func TestDelegate(t *testing.T) {
 	}
 }

-func TestDelegateSplitRoute(t *testing.T) {
-	test4 := netaddr.MustParseIP("2.3.4.5")
-	test6 := netaddr.MustParseIP("ff::1")
-
-	server1 := serveDNS(t, "127.0.0.1:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
-	defer server1.Shutdown()
-	server2 := serveDNS(t, "127.0.0.1:0",
-		"test.other.", resolveToIP(test4, test6, "dns.other."))
-	defer server2.Shutdown()
-
-	r := New(t.Logf, nil)
-	defer r.Close()
-
-	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{
-		".":      {netaddr.MustParseIPPort(server1.PacketConn.LocalAddr().String())},
-		"other.": {netaddr.MustParseIPPort(server2.PacketConn.LocalAddr().String())},
-	}
-	r.SetConfig(cfg)
-
-	tests := []struct {
-		title    string
-		query    []byte
-		response dnsResponse
-	}{
-		{
-			"general",
-			dnspacket("test.site.", dns.TypeA),
-			dnsResponse{ip: testipv4, rcode: dns.RCodeSuccess},
-		},
-		{
-			"override",
-			dnspacket("test.other.", dns.TypeA),
-			dnsResponse{ip: test4, rcode: dns.RCodeSuccess},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.title, func(t *testing.T) {
-			payload, err := syncRespond(r, tt.query)
-			if err != nil {
-				t.Errorf("err = %v; want nil", err)
-				return
-			}
-			response, err := unpackResponse(payload)
-			if err != nil {
-				t.Errorf("extract: err = %v; want nil (in %x)", err, payload)
-				return
-			}
-			if response.rcode != tt.response.rcode {
-				t.Errorf("rcode = %v; want %v", response.rcode, tt.response.rcode)
-			}
-			if response.ip != tt.response.ip {
-				t.Errorf("ip = %v; want %v", response.ip, tt.response.ip)
-			}
-			if response.name != tt.response.name {
-				t.Errorf("name = %v; want %v", response.name, tt.response.name)
-			}
-		})
-	}
-}
-
 func TestDelegateCollision(t *testing.T) {
-	server := serveDNS(t, "127.0.0.1:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+
+	server, errch := serveDNS(t, "127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			t.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
 	defer server.Shutdown()

-	r := New(t.Logf, nil)
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+	r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
 	defer r.Close()

-	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{
-		".": {
-			netaddr.MustParseIPPort(server.PacketConn.LocalAddr().String()),
-		},
-	}
-	r.SetConfig(cfg)
-
 	packets := []struct {
-		qname dnsname.FQDN
+		qname string
 		qtype dns.Type
 		addr  netaddr.IPPort
 	}{
@@ -440,20 +418,21 @@ func TestDelegateCollision(t *testing.T) {
 	// packets will have the same dns txid.
 	for _, p := range packets {
 		payload := dnspacket(p.qname, p.qtype)
-		err := r.EnqueueRequest(payload, p.addr)
+		req := Packet{Payload: payload, Addr: p.addr}
+		err := r.EnqueueRequest(req)
 		if err != nil {
 			t.Error(err)
 		}
 	}

 	// Despite the txid collision, the answer(s) should still match the query.
-	resp, addr, err := r.NextResponse()
+	resp, err := r.NextResponse()
 	if err != nil {
 		t.Error(err)
 	}

 	var p dns.Parser
-	_, err = p.Start(resp)
+	_, err = p.Start(resp.Payload)
 	if err != nil {
 		t.Error(err)
 	}
@@ -477,12 +456,72 @@ func TestDelegateCollision(t *testing.T) {
 	}

 	for _, p := range packets {
-		if p.qtype == wantType && p.addr != addr {
-			t.Errorf("addr = %v; want %v", addr, p.addr)
+		if p.qtype == wantType && p.addr != resp.Addr {
+			t.Errorf("addr = %v; want %v", resp.Addr, p.addr)
 		}
 	}
 }

+func TestConcurrentSetMap(t *testing.T) {
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()
+
+	// This is purely to ensure that Resolve does not race with SetMap.
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		r.SetMap(dnsMap)
+	}()
+	go func() {
+		defer wg.Done()
+		r.Resolve("test1.ipn.dev", dns.TypeA)
+	}()
+	wg.Wait()
+}
+
+func TestConcurrentSetUpstreams(t *testing.T) {
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+
+	server, errch := serveDNS(t, "127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			t.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
+	defer server.Shutdown()
+
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()
+
+	packet := dnspacket("test.site.", dns.TypeA)
+	// This is purely to ensure that delegation does not race with SetUpstreams.
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})
+	}()
+	go func() {
+		defer wg.Done()
+		syncRespond(r, packet)
+	}()
+	wg.Wait()
+}
+
 var allResponse = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
@@ -631,10 +670,13 @@ var emptyResponse = []byte{
 }

 func TestFull(t *testing.T) {
-	r := New(t.Logf, nil)
-	defer r.Close()
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+	r.SetMap(dnsMap)

-	r.SetConfig(dnsCfg)
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	// One full packet and one error packet
 	tests := []struct {
@@ -647,8 +689,8 @@ func TestFull(t *testing.T) {
 		{"ipv6", dnspacket("test2.ipn.dev.", dns.TypeAAAA), ipv6Response},
 		{"no-ipv6", dnspacket("test1.ipn.dev.", dns.TypeAAAA), emptyResponse},
 		{"upper", dnspacket("TEST1.IPN.DEV.", dns.TypeA), ipv4UppercaseResponse},
-		{"ptr4", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), ptrResponse},
-		{"ptr6", dnspacket("f.0.e.0.d.0.c.0.b.0.a.0.9.0.8.0.7.0.6.0.5.0.4.0.3.0.2.0.1.0.0.0.ip6.arpa.",
+		{"ptr", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), ptrResponse},
+		{"ptr", dnspacket("f.0.e.0.d.0.c.0.b.0.a.0.9.0.8.0.7.0.6.0.5.0.4.0.3.0.2.0.1.0.0.0.ip6.arpa.",
 			dns.TypePTR), ptrResponse6},
 		{"nxdomain", dnspacket("test3.ipn.dev.", dns.TypeA), nxdomainResponse},
 	}
@@ -667,9 +709,13 @@ func TestFull(t *testing.T) {
 }

 func TestAllocs(t *testing.T) {
-	r := New(t.Logf, nil)
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+	r.SetMap(dnsMap)
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
 	defer r.Close()
-	r.SetConfig(dnsCfg)

 	// It is seemingly pointless to test allocs in the delegate path,
 	// as dialer.Dial -> Read -> Write alone comprise 12 allocs.
@@ -696,7 +742,7 @@ func TestAllocs(t *testing.T) {

 func TestTrimRDNSBonjourPrefix(t *testing.T) {
 	tests := []struct {
-		in   dnsname.FQDN
+		in   string
 		want bool
 	}{
 		{"b._dns-sd._udp.0.10.20.172.in-addr.arpa.", true},
@@ -706,6 +752,7 @@ func TestTrimRDNSBonjourPrefix(t *testing.T) {
 		{"lb._dns-sd._udp.0.10.20.172.in-addr.arpa.", true},
 		{"qq._dns-sd._udp.0.10.20.172.in-addr.arpa.", false},
 		{"0.10.20.172.in-addr.arpa.", false},
+		{"i-have-no-dot", false},
 	}

 	for _, test := range tests {
@@ -717,19 +764,28 @@ func TestTrimRDNSBonjourPrefix(t *testing.T) {
 }

 func BenchmarkFull(b *testing.B) {
-	server := serveDNS(b, "127.0.0.1:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+
+	server, errch := serveDNS(b, "127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			b.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
 	defer server.Shutdown()

-	r := New(b.Logf, nil)
-	defer r.Close()
+	r := NewResolver(ResolverConfig{Logf: b.Logf, Forward: true})
+	r.SetMap(dnsMap)
+	r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})

-	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{
-		".": {
-			netaddr.MustParseIPPort(server.PacketConn.LocalAddr().String()),
-		},
+	if err := r.Start(); err != nil {
+		b.Fatalf("start: %v", err)
 	}
+	defer r.Close()

 	tests := []struct {
 		name    string
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -500,8 +500,7 @@ func isPrivateIP(ip netaddr.IP) bool {
 }

 func isGlobalV6(ip netaddr.IP) bool {
-	return v6Global1.Contains(ip) ||
-		(tsaddr.IsULA(ip) && !tsaddr.TailscaleULARange().Contains(ip))
+	return v6Global1.Contains(ip)
 }

 func mustCIDR(s string) netaddr.IPPrefix {
--- a/net/interfaces/interfaces_default_route_test.go
+++ b/net/interfaces/interfaces_default_route_test.go
@@ -2,85 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build linux,!redo
+// +build linux darwin,!redo

 package interfaces

-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-)
+import "testing"

 func TestDefaultRouteInterface(t *testing.T) {
-	// tests /proc/net/route on the local system, cannot make an assertion about
-	// the correct interface name, but good as a sanity check.
 	v, err := DefaultRouteInterface()
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Logf("got %q", v)
 }
-
-// test the specific /proc/net/route path as found on Google Cloud Run instances
-func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "CloudRun")
-	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
-		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
-		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
-	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "eth1" {
-		t.Fatalf("got %s, want eth1", got)
-	}
-}
-
-// we read chunks of /proc/net/route at a time, test that files longer than the chunk
-// size can be handled.
-func TestExtremelyLongProcNetRoute(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "VeryLong")
-	f, err := os.Create(procNetRoutePath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for n := 0; n <= 1000; n++ {
-		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
-		_, err := f.Write([]byte(line))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "tokenring1" {
-		t.Fatalf("got %q, want tokenring1", got)
-	}
-}
--- a/net/interfaces/interfaces_linux.go
+++ b/net/interfaces/interfaces_linux.go
@@ -8,7 +8,6 @@ import (
 	"bufio"
 	"bytes"
 	"errors"
-	"fmt"
 	"io"
 	"log"
 	"os"
@@ -136,20 +135,18 @@ func DefaultRouteInterface() (string, error) {
 }

 var zeroRouteBytes = []byte("00000000")
-var procNetRoutePath = "/proc/net/route"

-func defaultRouteInterfaceProcNetInternal(bufsize int) (string, error) {
-	f, err := os.Open(procNetRoutePath)
+func defaultRouteInterfaceProcNet() (string, error) {
+	f, err := os.Open("/proc/net/route")
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
-
-	br := bufio.NewReaderSize(f, bufsize)
+	br := bufio.NewReaderSize(f, 128)
 	for {
 		line, err := br.ReadSlice('\n')
 		if err == io.EOF {
-			return "", fmt.Errorf("no default routes found: %w", err)
+			break
 		}
 		if err != nil {
 			return "", err
@@ -171,28 +168,9 @@ func defaultRouteInterfaceProcNetInternal(bufsize int) (string, error) {
 			return ifc, nil // interface name
 		}
 	}
-}

-// returns string interface name and an error.
-// io.EOF: full route table processed, no default route found.
-// other io error: something went wrong reading the route file.
-func defaultRouteInterfaceProcNet() (string, error) {
-	rc, err := defaultRouteInterfaceProcNetInternal(128)
-	if rc == "" && (errors.Is(err, io.EOF) || err == nil) {
-		// https://github.com/google/gvisor/issues/5732
-		// On a regular Linux kernel you can read the first 128 bytes of /proc/net/route,
-		// then come back later to read the next 128 bytes and so on.
-		//
-		// In Google Cloud Run, where /proc/net/route comes from gVisor, you have to
-		// read it all at once. If you read only the first few bytes then the second
-		// read returns 0 bytes no matter how much originally appeared to be in the file.
-		//
-		// At the time of this writing (Mar 2021) Google Cloud Run has eth0 and eth1
-		// with a 384 byte /proc/net/route. We allocate a large buffer to ensure we'll
-		// read it all in one call.
-		return defaultRouteInterfaceProcNetInternal(4096)
-	}
-	return rc, err
+	return "", errors.New("no default routes found")
+
 }

 // defaultRouteInterfaceAndroidIPRoute tries to find the machine's default route interface name
--- a/net/interfaces/interfaces_test.go
+++ b/net/interfaces/interfaces_test.go
@@ -7,8 +7,6 @@ package interfaces
 import (
 	"encoding/json"
 	"testing"
-
-	"inet.af/netaddr"
 )

 func TestGetState(t *testing.T) {
@@ -45,24 +43,3 @@ func TestLikelyHomeRouterIP(t *testing.T) {
 	}
 	t.Logf("myIP = %v; gw = %v", my, gw)
 }
-
-func TestIsGlobalV6(t *testing.T) {
-	tests := []struct {
-		name string
-		ip   string
-		want bool
-	}{
-		{"first ULA", "fc00::1", true},
-		{"Tailscale", "fd7a:115c:a1e0::1", false},
-		{"Cloud Run", "fddf:3978:feb1:d745::1", true},
-		{"zeros", "0000:0000:0000:0000:0000:0000:0000:0000", false},
-		{"Link Local", "fe80::1", false},
-		{"Global", "2602::1", true},
-	}
-
-	for _, test := range tests {
-		if got := isGlobalV6(netaddr.MustParseIP(test.ip)); got != test.want {
-			t.Errorf("isGlobalV6(%s) = %v, want %v", test.name, got, test.want)
-		}
-	}
-}
--- a/net/nettest/conn.go
+++ b/net/nettest/conn.go
@@ -5,13 +5,21 @@
 package nettest

 import (
-	"net"
+	"io"
 	"time"
 )

-// Conn is a net.Conn that can additionally have its reads and writes blocked and unblocked.
+// Conn is a bi-directional in-memory stream that looks like a TCP net.Conn.
 type Conn interface {
-	net.Conn
+	io.Reader
+	io.Writer
+	io.Closer
+
+	// The *Deadline methods follow the semantics of net.Conn.
+
+	SetDeadline(t time.Time) error
+	SetReadDeadline(t time.Time) error
+	SetWriteDeadline(t time.Time) error

 	// SetReadBlock blocks or unblocks the Read method of this Conn.
 	// It reports an error if the existing value matches the new value,
@@ -32,37 +40,24 @@ func NewConn(name string, maxBuf int) (Conn, Conn) {
 	return &connHalf{r: r, w: w}, &connHalf{r: w, w: r}
 }

-type connAddr string
-
-func (a connAddr) Network() string { return "mem" }
-func (a connAddr) String() string  { return string(a) }
-
 type connHalf struct {
 	r, w *Pipe
 }

-func (c *connHalf) LocalAddr() net.Addr {
-	return connAddr(c.r.name)
-}
-
-func (c *connHalf) RemoteAddr() net.Addr {
-	return connAddr(c.w.name)
-}
-
 func (c *connHalf) Read(b []byte) (n int, err error) {
 	return c.r.Read(b)
 }
 func (c *connHalf) Write(b []byte) (n int, err error) {
 	return c.w.Write(b)
 }
-
 func (c *connHalf) Close() error {
-	if err := c.w.Close(); err != nil {
-		return err
+	err1 := c.r.Close()
+	err2 := c.w.Close()
+	if err1 != nil {
+		return err1
 	}
-	return c.r.Close()
+	return err2
 }
-
 func (c *connHalf) SetDeadline(t time.Time) error {
 	err1 := c.SetReadDeadline(t)
 	err2 := c.SetWriteDeadline(t)
@@ -77,7 +72,6 @@ func (c *connHalf) SetReadDeadline(t time.Time) error {
 func (c *connHalf) SetWriteDeadline(t time.Time) error {
 	return c.w.SetWriteDeadline(t)
 }
-
 func (c *connHalf) SetReadBlock(b bool) error {
 	if b {
 		return c.r.Block()
--- a/net/nettest/conn_test.go
+++ b/net/nettest/conn_test.go
@@ -1,22 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package nettest
-
-import (
-	"net"
-	"testing"
-
-	"golang.org/x/net/nettest"
-)
-
-func TestConn(t *testing.T) {
-	nettest.TestConn(t, func() (c1 net.Conn, c2 net.Conn, stop func(), err error) {
-		c1, c2 = NewConn("test", bufferSize)
-		return c1, c2, func() {
-			c1.Close()
-			c2.Close()
-		}, nil
-	})
-}
--- a/net/nettest/listener.go
+++ b/net/nettest/listener.go
@@ -1,83 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package nettest
-
-import (
-	"context"
-	"net"
-	"strings"
-	"sync"
-)
-
-const (
-	bufferSize = 256 * 1024
-)
-
-// Listener is a net.Listener using using NewConn to create pairs of network
-// connections connected in memory using a buffered pipe. It also provides a
-// Dial method to establish new connections.
-type Listener struct {
-	addr      connAddr
-	ch        chan Conn
-	closeOnce sync.Once
-	closed    chan struct{}
-}
-
-// Listen returns a new Listener for the provided address.
-func Listen(addr string) *Listener {
-	return &Listener{
-		addr:   connAddr(addr),
-		ch:     make(chan Conn),
-		closed: make(chan struct{}),
-	}
-}
-
-// Addr implements net.Listener.Addr.
-func (l *Listener) Addr() net.Addr {
-	return l.addr
-}
-
-// Close closes the pipe listener.
-func (l *Listener) Close() error {
-	l.closeOnce.Do(func() {
-		close(l.closed)
-	})
-	return nil
-}
-
-// Accept blocks until a new connection is available or the listener is closed.
-func (l *Listener) Accept() (net.Conn, error) {
-	select {
-	case c := <-l.ch:
-		return c, nil
-	case <-l.closed:
-		return nil, net.ErrClosed
-	}
-}
-
-// Dial connects to the listener using the provided context.
-// The provided Context must be non-nil. If the context expires before the
-// connection is complete, an error is returned. Once successfully connected
-// any expiration of the context will not affect the connection.
-func (l *Listener) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
-	if !strings.HasSuffix(network, "tcp") {
-		return nil, net.UnknownNetworkError(network)
-	}
-	if connAddr(addr) != l.addr {
-		return nil, &net.AddrError{
-			Err:  "invalid address",
-			Addr: addr,
-		}
-	}
-	c, s := NewConn(addr, bufferSize)
-	select {
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	case <-l.closed:
-		return nil, net.ErrClosed
-	case l.ch <- s:
-		return c, nil
-	}
-}
--- a/net/nettest/listener_test.go
+++ b/net/nettest/listener_test.go
@@ -1,34 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package nettest
-
-import (
-	"context"
-	"testing"
-)
-
-func TestListener(t *testing.T) {
-	l := Listen("srv.local")
-	defer l.Close()
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			t.Error(err)
-			return
-		}
-		defer c.Close()
-	}()
-
-	if c, err := l.Dial(context.Background(), "tcp", "invalid"); err == nil {
-		c.Close()
-		t.Fatalf("dial to invalid address succeeded")
-	}
-	c, err := l.Dial(context.Background(), "tcp", "srv.local")
-	if err != nil {
-		t.Fatalf("dial failed: %v", err)
-		return
-	}
-	c.Close()
-}
--- a/net/nettest/pipe.go
+++ b/net/nettest/pipe.go
@@ -5,13 +5,11 @@
 package nettest

 import (
-	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
-	"net"
-	"os"
 	"sync"
 	"time"
 )
@@ -22,12 +20,13 @@ const debugPipe = false
 type Pipe struct {
 	name   string
 	maxBuf int
-	mu     sync.Mutex
-	cnd    *sync.Cond
+	rCh    chan struct{}
+	wCh    chan struct{}

-	blocked          bool
+	mu               sync.Mutex
 	closed           bool
-	buf              bytes.Buffer
+	blocked          bool
+	buf              []byte
 	readTimeout      time.Time
 	writeTimeout     time.Time
 	cancelReadTimer  func()
@@ -36,42 +35,21 @@ type Pipe struct {

 // NewPipe creates a Pipe with a buffer size fixed at maxBuf.
 func NewPipe(name string, maxBuf int) *Pipe {
-	p := &Pipe{
+	return &Pipe{
 		name:   name,
 		maxBuf: maxBuf,
+		rCh:    make(chan struct{}, 1),
+		wCh:    make(chan struct{}, 1),
 	}
-	p.cnd = sync.NewCond(&p.mu)
-	return p
 }

-// readOrBlock attempts to read from the buffer, if the buffer is empty and
-// the connection hasn't been closed it will block until there is a change.
-func (p *Pipe) readOrBlock(b []byte) (int, error) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if !p.readTimeout.IsZero() && !time.Now().Before(p.readTimeout) {
-		return 0, os.ErrDeadlineExceeded
-	}
-	if p.blocked {
-		p.cnd.Wait()
-		return 0, nil
-	}
-
-	n, err := p.buf.Read(b)
-	// err will either be nil or io.EOF.
-	if err == io.EOF {
-		if p.closed {
-			return n, err
-		}
-		// Wait for something to change.
-		p.cnd.Wait()
-	}
-	return n, nil
-}
+var (
+	ErrTimeout      = errors.New("timeout")
+	ErrReadTimeout  = fmt.Errorf("read %w", ErrTimeout)
+	ErrWriteTimeout = fmt.Errorf("write %w", ErrTimeout)
+)

 // Read implements io.Reader.
-// Once the buffer is drained (i.e. after Close), subsequent calls will
-// return io.EOF.
 func (p *Pipe) Read(b []byte) (n int, err error) {
 	if debugPipe {
 		orig := b
@@ -79,48 +57,35 @@ func (p *Pipe) Read(b []byte) (n int, err error) {
 			log.Printf("Pipe(%q).Read( %q) n=%d, err=%v", p.name, string(orig[:n]), n, err)
 		}()
 	}
-	for n == 0 {
-		n2, err := p.readOrBlock(b)
-		if err != nil {
-			return n2, err
+	for {
+		p.mu.Lock()
+		closed := p.closed
+		timedout := !p.readTimeout.IsZero() && !time.Now().Before(p.readTimeout)
+		blocked := p.blocked
+		if !closed && !timedout && len(p.buf) > 0 {
+			n2 := copy(b, p.buf)
+			p.buf = p.buf[n2:]
+			b = b[n2:]
+			n += n2
 		}
-		n += n2
-	}
-	p.cnd.Signal()
-	return n, nil
-}
+		p.mu.Unlock()

-// writeOrBlock attempts to write to the buffer, if the buffer is full it will
-// block until there is a change.
-func (p *Pipe) writeOrBlock(b []byte) (int, error) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.closed {
-		return 0, net.ErrClosed
+		if closed {
+			return 0, fmt.Errorf("nettest.Pipe(%q): closed: %w", p.name, io.EOF)
+		}
+		if timedout {
+			return 0, fmt.Errorf("nettest.Pipe(%q): %w", p.name, ErrReadTimeout)
+		}
+		if blocked {
+			<-p.rCh
+			continue
+		}
+		if n > 0 {
+			p.signalWrite()
+			return n, nil
+		}
+		<-p.rCh
 	}
-	if !p.writeTimeout.IsZero() && !time.Now().Before(p.writeTimeout) {
-		return 0, os.ErrDeadlineExceeded
-	}
-	if p.blocked {
-		p.cnd.Wait()
-		return 0, nil
-	}
-
-	// Optimistically we want to write the entire slice.
-	n := len(b)
-	if limit := p.maxBuf - p.buf.Len(); limit < n {
-		// However, we don't have enough capacity to write everything.
-		n = limit
-	}
-	if n == 0 {
-		// Wait for something to change.
-		p.cnd.Wait()
-		return 0, nil
-	}
-
-	p.buf.Write(b[:n])
-	p.cnd.Signal()
-	return n, nil
 }

 // Write implements io.Writer.
@@ -131,23 +96,47 @@ func (p *Pipe) Write(b []byte) (n int, err error) {
 			log.Printf("Pipe(%q).Write(%q) n=%d, err=%v", p.name, string(orig), n, err)
 		}()
 	}
-	for len(b) > 0 {
-		n2, err := p.writeOrBlock(b)
-		if err != nil {
-			return n + n2, err
+	for {
+		p.mu.Lock()
+		closed := p.closed
+		timedout := !p.writeTimeout.IsZero() && !time.Now().Before(p.writeTimeout)
+		blocked := p.blocked
+		if !closed && !timedout {
+			n2 := len(b)
+			if limit := p.maxBuf - len(p.buf); limit < n2 {
+				n2 = limit
+			}
+			p.buf = append(p.buf, b[:n2]...)
+			b = b[n2:]
+			n += n2
 		}
-		n += n2
-		b = b[n2:]
+		p.mu.Unlock()
+
+		if closed {
+			return n, fmt.Errorf("nettest.Pipe(%q): closed: %w", p.name, io.EOF)
+		}
+		if timedout {
+			return n, fmt.Errorf("nettest.Pipe(%q): %w", p.name, ErrWriteTimeout)
+		}
+		if blocked {
+			<-p.wCh
+			continue
+		}
+		if n > 0 {
+			p.signalRead()
+		}
+		if len(b) == 0 {
+			return n, nil
+		}
+		<-p.wCh
 	}
-	return n, nil
 }

-// Close closes the pipe.
+// Close implements io.Closer.
 func (p *Pipe) Close() error {
 	p.mu.Lock()
-	defer p.mu.Unlock()
+	closed := p.closed
 	p.closed = true
-	p.blocked = false
 	if p.cancelWriteTimer != nil {
 		p.cancelWriteTimer()
 		p.cancelWriteTimer = nil
@@ -156,65 +145,77 @@ func (p *Pipe) Close() error {
 		p.cancelReadTimer()
 		p.cancelReadTimer = nil
 	}
-	p.cnd.Broadcast()
+	p.mu.Unlock()

+	if closed {
+		return fmt.Errorf("nettest.Pipe(%q).Close: already closed", p.name)
+	}
+
+	p.signalRead()
+	p.signalWrite()
 	return nil
 }

-func (p *Pipe) deadlineTimer(t time.Time) func() {
-	if t.IsZero() {
-		return nil
-	}
-	if t.Before(time.Now()) {
-		p.cnd.Broadcast()
-		return nil
-	}
-	ctx, cancel := context.WithDeadline(context.Background(), t)
-	go func() {
-		<-ctx.Done()
-		if ctx.Err() == context.DeadlineExceeded {
-			p.cnd.Broadcast()
-		}
-	}()
-	return cancel
-}
-
 // SetReadDeadline sets the deadline for future Read calls.
 func (p *Pipe) SetReadDeadline(t time.Time) error {
 	p.mu.Lock()
-	defer p.mu.Unlock()
 	p.readTimeout = t
-	// If we already have a deadline, cancel it and create a new one.
 	if p.cancelReadTimer != nil {
 		p.cancelReadTimer()
 		p.cancelReadTimer = nil
 	}
-	p.cancelReadTimer = p.deadlineTimer(t)
+	if d := time.Until(t); !t.IsZero() && d > 0 {
+		ctx, cancel := context.WithCancel(context.Background())
+		p.cancelReadTimer = cancel
+		go func() {
+			t := time.NewTimer(d)
+			defer t.Stop()
+			select {
+			case <-t.C:
+				p.signalRead()
+			case <-ctx.Done():
+			}
+		}()
+	}
+	p.mu.Unlock()
+
+	p.signalRead()
 	return nil
 }

 // SetWriteDeadline sets the deadline for future Write calls.
 func (p *Pipe) SetWriteDeadline(t time.Time) error {
 	p.mu.Lock()
-	defer p.mu.Unlock()
 	p.writeTimeout = t
-	// If we already have a deadline, cancel it and create a new one.
 	if p.cancelWriteTimer != nil {
 		p.cancelWriteTimer()
 		p.cancelWriteTimer = nil
 	}
-	p.cancelWriteTimer = p.deadlineTimer(t)
+	if d := time.Until(t); !t.IsZero() && d > 0 {
+		ctx, cancel := context.WithCancel(context.Background())
+		p.cancelWriteTimer = cancel
+		go func() {
+			t := time.NewTimer(d)
+			defer t.Stop()
+			select {
+			case <-t.C:
+				p.signalWrite()
+			case <-ctx.Done():
+			}
+		}()
+	}
+	p.mu.Unlock()
+
+	p.signalWrite()
 	return nil
 }

-// Block will cause all calls to Read and Write to block until they either
-// timeout, are unblocked or the pipe is closed.
 func (p *Pipe) Block() error {
 	p.mu.Lock()
-	defer p.mu.Unlock()
 	closed := p.closed
 	blocked := p.blocked
 	p.blocked = true
+	p.mu.Unlock()

 	if closed {
 		return fmt.Errorf("nettest.Pipe(%q).Block: closed", p.name)
@@ -222,17 +223,17 @@ func (p *Pipe) Block() error {
 	if blocked {
 		return fmt.Errorf("nettest.Pipe(%q).Block: already blocked", p.name)
 	}
-	p.cnd.Broadcast()
+	p.signalRead()
+	p.signalWrite()
 	return nil
 }

-// Unblock will cause all blocked Read/Write calls to continue execution.
 func (p *Pipe) Unblock() error {
 	p.mu.Lock()
-	defer p.mu.Unlock()
 	closed := p.closed
 	blocked := p.blocked
 	p.blocked = false
+	p.mu.Unlock()

 	if closed {
 		return fmt.Errorf("nettest.Pipe(%q).Block: closed", p.name)
@@ -240,6 +241,21 @@ func (p *Pipe) Unblock() error {
 	if !blocked {
 		return fmt.Errorf("nettest.Pipe(%q).Block: already unblocked", p.name)
 	}
-	p.cnd.Broadcast()
+	p.signalRead()
+	p.signalWrite()
 	return nil
 }
+
+func (p *Pipe) signalRead() {
+	select {
+	case p.rCh <- struct{}{}:
+	default:
+	}
+}
+
+func (p *Pipe) signalWrite() {
+	select {
+	case p.wCh <- struct{}{}:
+	default:
+	}
+}
--- a/net/nettest/pipe_test.go
+++ b/net/nettest/pipe_test.go
@@ -7,7 +7,6 @@ package nettest
 import (
 	"errors"
 	"fmt"
-	"os"
 	"testing"
 	"time"
 )
@@ -36,7 +35,7 @@ func TestPipeTimeout(t *testing.T) {
 		p := NewPipe("p1", 1<<16)
 		p.SetWriteDeadline(time.Now().Add(-1 * time.Second))
 		n, err := p.Write([]byte{'h'})
-		if !errors.Is(err, os.ErrDeadlineExceeded) {
+		if !errors.Is(err, ErrWriteTimeout) || !errors.Is(err, ErrTimeout) {
 			t.Errorf("missing write timeout got err: %v", err)
 		}
 		if n != 0 {
@@ -50,7 +49,7 @@ func TestPipeTimeout(t *testing.T) {
 		p.SetReadDeadline(time.Now().Add(-1 * time.Second))
 		b := make([]byte, 1)
 		n, err := p.Read(b)
-		if !errors.Is(err, os.ErrDeadlineExceeded) {
+		if !errors.Is(err, ErrReadTimeout) || !errors.Is(err, ErrTimeout) {
 			t.Errorf("missing read timeout got err: %v", err)
 		}
 		if n != 0 {
@@ -66,7 +65,7 @@ func TestPipeTimeout(t *testing.T) {
 		if err := p.Block(); err != nil {
 			t.Fatal(err)
 		}
-		if _, err := p.Write([]byte{'h'}); !errors.Is(err, os.ErrDeadlineExceeded) {
+		if _, err := p.Write([]byte{'h'}); !errors.Is(err, ErrWriteTimeout) {
 			t.Fatalf("want write timeout got: %v", err)
 		}
 	})
@@ -81,7 +80,7 @@ func TestPipeTimeout(t *testing.T) {
 		if err := p.Block(); err != nil {
 			t.Fatal(err)
 		}
-		if _, err := p.Read(b); !errors.Is(err, os.ErrDeadlineExceeded) {
+		if _, err := p.Read(b); !errors.Is(err, ErrReadTimeout) {
 			t.Fatalf("want read timeout got: %v", err)
 		}
 	})
--- a/net/stun/stun_fuzzer.go
+++ b/net/stun/stun_fuzzer.go
@@ -1,13 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-// +build gofuzz
-
-package stun
-
-func FuzzStunParser(data []byte) int {
-	_, _, _, _ = ParseResponse(data)
-
-	_, _ = ParseBindingRequest(data)
-	return 1
-}
--- a/net/tsaddr/tsaddr.go
+++ b/net/tsaddr/tsaddr.go
@@ -33,9 +33,7 @@ func CGNATRange() netaddr.IPPrefix {
 var (
 	cgnatRange   oncePrefix
 	ulaRange     oncePrefix
-	tsUlaRange   oncePrefix
 	ula4To6Range oncePrefix
-	ulaEph6Range oncePrefix
 )

 // TailscaleServiceIP returns the listen address of services
@@ -59,8 +57,8 @@ func IsTailscaleIP(ip netaddr.IP) bool {
 // TailscaleULARange returns the IPv6 Unique Local Address range that
 // is the superset range that Tailscale assigns out of.
 func TailscaleULARange() netaddr.IPPrefix {
-	tsUlaRange.Do(func() { mustPrefix(&tsUlaRange.v, "fd7a:115c:a1e0::/48") })
-	return tsUlaRange.v
+	ulaRange.Do(func() { mustPrefix(&ulaRange.v, "fd7a:115c:a1e0::/48") })
+	return ulaRange.v
 }

 // Tailscale4To6Range returns the subset of TailscaleULARange used for
@@ -73,17 +71,6 @@ func Tailscale4To6Range() netaddr.IPPrefix {
 	return ula4To6Range.v
 }

-// TailscaleEphemeral6Range returns the subset of TailscaleULARange
-// used for ephemeral IPv6-only Tailscale nodes.
-func TailscaleEphemeral6Range() netaddr.IPPrefix {
-	// This IP range has no significance, beyond being a subset of
-	// TailscaleULARange. The bits from /48 to /64 were picked at
-	// random, with the only criterion being to not be the conflict
-	// with the Tailscale4To6Range above.
-	ulaEph6Range.Do(func() { mustPrefix(&ulaEph6Range.v, "fd7a:115c:a1e0:efe3::/64") })
-	return ulaEph6Range.v
-}
-
 // Tailscale4To6Placeholder returns an IP address that can be used as
 // a source IP when one is required, but a netmap didn't provide
 // any. This address never gets allocated by the 4-to-6 algorithm in
@@ -108,11 +95,6 @@ func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
 	return netaddr.IPFrom16(ret)
 }

-func IsULA(ip netaddr.IP) bool {
-	ulaRange.Do(func() { mustPrefix(&ulaRange.v, "fc00::/7") })
-	return ulaRange.v.Contains(ip)
-}
-
 func mustPrefix(v *netaddr.IPPrefix, prefix string) {
 	var err error
 	*v, err = netaddr.ParseIPPrefix(prefix)
--- a/net/tsaddr/tsaddr_test.go
+++ b/net/tsaddr/tsaddr_test.go
@@ -42,25 +42,3 @@ func TestCGNATRange(t *testing.T) {
 		t.Errorf("got %q; want %q", got, want)
 	}
 }
-
-func TestIsUla(t *testing.T) {
-	tests := []struct {
-		name string
-		ip   string
-		want bool
-	}{
-		{"first ULA", "fc00::1", true},
-		{"not ULA", "fb00::1", false},
-		{"Tailscale", "fd7a:115c:a1e0::1", true},
-		{"Cloud Run", "fddf:3978:feb1:d745::1", true},
-		{"zeros", "0000:0000:0000:0000:0000:0000:0000:0000", false},
-		{"Link Local", "fe80::1", false},
-		{"Global", "2602::1", false},
-	}
-
-	for _, test := range tests {
-		if got := IsULA(netaddr.MustParseIP(test.ip)); got != test.want {
-			t.Errorf("IsULA(%s) = %v, want %v", test.name, got, test.want)
-		}
-	}
-}
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -28,23 +28,16 @@ import (
 // discovery.
 const minimalMTU = 1280

-// New returns a tun.Device for the requested device name, along with
-// the OS-dependent name that was allocated to the device.
-func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
+// New returns a tun.Device for the requested device name.
+func New(logf logger.Logf, tunName string) (tun.Device, error) {
 	dev, err := tun.CreateTUN(tunName, minimalMTU)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 	if err := waitInterfaceUp(dev, 90*time.Second, logf); err != nil {
-		dev.Close()
-		return nil, "", err
+		return nil, err
 	}
-	name, err := interfaceName(dev)
-	if err != nil {
-		dev.Close()
-		return nil, "", err
-	}
-	return dev, name, nil
+	return dev, nil
 }

 // Diagnose tries to explain a tuntap device creation failure.
--- a/Show More
+++ b/Show More