tailcfg: ping request notes WIP

2021-05-06 10:23:45 -07:00
231 changed files with 4372 additions and 12529 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,36 @@
 name: Bug report
 about: Create a bug report
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''

 ---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -2,6 +2,25 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: 'needs-triage'
+labels: ''
 assignees: ''
+
 ---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.
--- a/.github/workflows/xe-experimental-vm-test.yml
+++ b/.github/workflows/xe-experimental-vm-test.yml
@@ -1,47 +0,0 @@
-name: "integration-vms"
-
-on:
-  # # NOTE(Xe): uncomment this region when testing the test
-  # pull_request:
-  #   branches: [ main ]
-  push:
-    branches: [ main ]
-  release:
-    types: [ created ]
-
-jobs:
-  experimental-linux-vm-test:
-    # To set up a new runner, see tstest/integration/vms/runner.nix
-    runs-on: [ self-hosted, linux, vm_integration_test ]
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v1
-
-      - name: Download VM Images
-        run: go test ./tstest/integration/vms -run-vm-tests -run=Download -timeout=60m -no-s3
-        env:
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -run-vm-tests
-        env:
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - uses: k0kubun/action-slack@v2.0.0
-        with:
-          payload: |
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'push'
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.11.0
+1.7.0
--- a/api.md
+++ b/api.md
@@ -471,16 +471,15 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ##### Parameters

 ###### Query Parameters
-`type` - can be 'user' or 'ipport'
-`previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
-The provided ACL is queried with this paramater to determine which rules match.
+`user` - A user's email. The provided ACL is queried with this user to determine which rules match.

 ###### POST Body
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)

 ##### Example
 ```
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFor=user1@example.com&type=user' \
+POST /api/v2/tailnet/example.com/acl/preiew
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl?user=user1@example.com' \
  -u "tskey-yourapikey123:" \
  --data-binary '// Example/default ACLs for unrestricted connections.
 {
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -11,36 +11,6 @@

 set -eu

-IFS=".$IFS" read -r major minor patch <VERSION.txt
-git_hash=$(git rev-parse HEAD)
-if ! git diff-index --quiet HEAD; then
-	git_hash="${git_hash}-dirty"
-fi
-base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
-change_count=$(git rev-list --count HEAD "^$base_hash")
-short_hash=$(echo "$git_hash" | cut -c1-9)
+eval $(./version/version.sh)

-if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
-	patch="$change_count"
-	change_suffix=""
-elif [ "$change_count" != "0" ]; then
-	change_suffix="-$change_count"
-else
-	change_suffix=""
-fi
-
-long_suffix="$change_suffix-t$short_hash"
-SHORT="$major.$minor.$patch"
-LONG="${SHORT}$long_suffix"
-GIT_HASH="$git_hash"
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_SHORT="$SHORT"
-VERSION_LONG="$LONG"
-VERSION_GIT_HASH="$GIT_HASH"
-EOF
-	exit 0
-fi
-
-exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -25,7 +25,7 @@

 set -eu

-eval $(./build_dist.sh shellvars)
+eval $(./version/version.sh)

 docker build \
  --build-arg VERSION_LONG=$VERSION_LONG \
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -24,7 +24,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
 )

 // TailscaledSocket is the tailscaled Unix socket.
@@ -257,39 +256,3 @@ func Logout(ctx context.Context) error {
 	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
 	return err
 }
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -246,9 +246,7 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 					writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 					writef("\t}")
 				} else if containsPointers(ft.Elem()) {
-					writef("\tfor k, v := range src.%s {", fname)
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
-					writef("\t}")
+					writef("\t\t" + `panic("TODO map value pointers")`)
 				} else {
 					writef("\tfor k, v := range src.%s {", fname)
 					writef("\t\tdst.%s[k] = v", fname)
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -12,6 +12,8 @@ import (
 	"errors"
 	"expvar"
 	"flag"
+	"fmt"
+	"html"
 	"io"
 	"io/ioutil"
 	"log"
@@ -33,6 +35,7 @@ import (
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/version"
 )

 var (
@@ -46,7 +49,6 @@ var (
 	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
 	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 )

 type config struct {
@@ -123,7 +125,6 @@ func main() {
 	letsEncrypt := tsweb.IsProd443(*addr)

 	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
-	s.SetVerifyClient(*verifyClients)

 	if *meshPSKFile != "" {
 		b, err := ioutil.ReadFile(*meshPSKFile)
@@ -142,7 +143,8 @@ func main() {
 	}
 	expvar.Publish("derp", s.ExpVar())

-	mux := http.NewServeMux()
+	// Create our own mux so we don't expose /debug/ stuff to the world.
+	mux := tsweb.NewMux(debugHandler(s))
 	mux.Handle("/derp", derphttp.Handler(s))
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -162,18 +164,6 @@ func main() {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	debug := tsweb.Debugger(mux)
-	debug.KV("TLS hostname", *hostname)
-	debug.KV("Mesh key", s.HasMeshKey())
-	debug.Handle("check", "Consistency check", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		err := s.ConsistencyCheck()
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-		} else {
-			io.WriteString(w, "derp.Server ConsistencyCheck okay")
-		}
-	}))
-	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

 	if *runSTUN {
 		go serveSTUN()
@@ -227,6 +217,39 @@ func main() {
 	}
 }

+func debugHandler(s *derp.Server) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.RequestURI == "/debug/check" {
+			err := s.ConsistencyCheck()
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+			} else {
+				io.WriteString(w, "derp.Server ConsistencyCheck okay")
+			}
+			return
+		}
+		f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+		f(`<html><body>
+<h1>DERP debug</h1>
+<ul>
+`)
+		f("<li><b>Hostname:</b> %v</li>\n", html.EscapeString(*hostname))
+		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
+		f("<li><b>Version:</b> %v</li>\n", html.EscapeString(version.Long))
+
+		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+   <li><a href="/debug/check">/debug/check</a> internal consistency check</li>
+<ul>
+</html>
+`)
+	})
+}
+
 func serveSTUN() {
 	pc, err := net.ListenPacket("udp", ":3478")
 	if err != nil {
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -112,13 +112,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+		if nodeIP.IP.Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.IP.String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+			return nodeIP.IP.String()
 		}
 	}
 	return ""
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -55,13 +55,9 @@ func main() {
 		log.Fatalf("Couldn't parse URL %q: %v", *goVarsURL, err)
 	}

-	mux := http.NewServeMux()
-	tsweb.Debugger(mux) // registers /debug/*
+	mux := tsweb.NewMux(http.HandlerFunc(debugHandler))
 	mux.Handle("/metrics", tsweb.Protected(proxy))
-	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, tsweb.HandlerOptions{
-		Quiet200s: true,
-		Logf:      log.Printf,
-	})))
+	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, log.Printf)))

 	ch := &certHolder{
 		hostname: *hostname,
@@ -171,3 +167,23 @@ func (c *certHolder) loadLocked() error {
 	c.loaded = time.Now()
 	return nil
 }
+
+// debugHandler serves a page with links to tsweb-managed debug URLs
+// at /debug/.
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+	f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+	f(`<html><body>
+<h1>microproxy debug</h1>
+<ul>
+`)
+	f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+	f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+	f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+<ul>
+</html>
+`)
+}
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -21,9 +21,6 @@ import (
 // into a map of filePathOnDisk -> filePathInPackage.
 func parseFiles(s string) (map[string]string, error) {
 	ret := map[string]string{}
-	if len(s) == 0 {
-		return ret, nil
-	}
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
--- a/cmd/tailscale/cli/auth-redirect.html
+++ b/cmd/tailscale/cli/auth-redirect.html
@@ -1,57 +0,0 @@
-<html>
-<head>
-	<title>Redirecting...</title>
-	<style>
-		html,
-		body {
-			height: 100%;
-		}
-
-		html {
-			background-color: rgb(249, 247, 246);
-			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-			line-height: 1.5;
-			-webkit-text-size-adjust: 100%;
-			-webkit-font-smoothing: antialiased;
-			-moz-osx-font-smoothing: grayscale;
-		}
-
-		body {
-			display: flex;
-			flex-direction: column;
-			align-items: center;
-			justify-content: center;
-		}
-
-		.spinner {
-			margin-bottom: 2rem;
-			border: 4px rgba(112, 110, 109, 0.5) solid;
-			border-left-color: transparent;
-			border-radius: 9999px;
-			width: 4rem;
-			height: 4rem;
-			-webkit-animation: spin 700ms linear infinite;
-      animation: spin 800ms linear infinite;
-		}
-
-		.label {
-			color: rgb(112, 110, 109);
-			padding-left: 0.4rem;
-		}
-
-		@-webkit-keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-
-		@keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-	</style>
-</head> <body>
-	<div class="spinner"></div>
-	<div class="label">Redirecting...</div>
-</body>
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -16,91 +16,126 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
 )

-// geese is a collection of gooses. It need not be complete.
-// But it should include anything handled specially (e.g. linux, windows)
-// and at least one thing that's not (darwin, freebsd).
-var geese = []string{"linux", "darwin", "windows", "freebsd"}
-
 // Test that checkForAccidentalSettingReverts's updateMaskedPrefsFromUpFlag can handle
 // all flags. This will panic if a new flag creeps in that's unhandled.
-//
-// Also, issue 1880: advertise-exit-node was being ignored. Verify that all flags cause an edit.
 func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			mp := new(ipn.MaskedPrefs)
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
-			got := mp.Pretty()
-			wantEmpty := preflessFlag(f.Name)
-			isEmpty := got == "MaskedPrefs{}"
-			if isEmpty != wantEmpty {
-				t.Errorf("flag %q created MaskedPrefs %s; want empty=%v", f.Name, got, wantEmpty)
-			}
-		})
-	}
+	mp := new(ipn.MaskedPrefs)
+	upFlagSet.VisitAll(func(f *flag.Flag) {
+		updateMaskedPrefsFromUpFlag(mp, f.Name)
+	})
 }

 func TestCheckForAccidentalSettingReverts(t *testing.T) {
+	f := func(flags ...string) map[string]bool {
+		m := make(map[string]bool)
+		for _, f := range flags {
+			m[f] = true
+		}
+		return m
+	}
 	tests := []struct {
 		name     string
-		flags    []string // argv to be parsed by FlagSet
+		flagSet  map[string]bool
 		curPrefs *ipn.Prefs
-
-		curExitNodeIP netaddr.IP
-		curUser       string // os.Getenv("USER") on the client side
-		goos          string // empty means "linux"
-
-		want string
+		curUser  string // os.Getenv("USER") on the client side
+		goos     string // empty means "linux"
+		mp       *ipn.MaskedPrefs
+		want     string
 	}{
 		{
-			name:  "bare_up_means_up",
-			flags: []string{},
+			name:    "bare_up_means_up",
+			flagSet: f(),
 			curPrefs: &ipn.Prefs{
 				ControlURL:  ipn.DefaultControlURL,
 				WantRunning: false,
 				Hostname:    "foo",
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					WantRunning: true,
+				},
+				WantRunningSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "losing_hostname",
-			flags: []string{"--accept-dns"},
+			name:    "losing_hostname",
+			flagSet: f("accept-dns"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				Hostname:         "foo",
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+				CorpDNS:     true,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					CorpDNS:     true,
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				CorpDNSSet:     true,
 			},
 			want: accidentalUpPrefix + " --accept-dns --hostname=foo",
 		},
 		{
-			name:  "hostname_changing_explicitly",
-			flags: []string{"--hostname=bar"},
+			name:    "hostname_changing_explicitly",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "bar",
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				HostnameSet:    true,
 			},
 			want: "",
 		},
 		{
-			name:  "hostname_changing_empty_explicitly",
-			flags: []string{"--hostname="},
+			name:    "hostname_changing_empty_explicitly",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
+				ControlURL:  ipn.DefaultControlURL,
+				WantRunning: false,
+				Hostname:    "foo",
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "",
+				},
+				ControlURLSet:  true,
+				WantRunningSet: true,
+				HostnameSet:    true,
+			},
+			want: "",
+		},
+		{
+			name:    "empty_slice_equals_nil_slice",
+			flagSet: f("hostname"),
+			curPrefs: &ipn.Prefs{
+				ControlURL:      ipn.DefaultControlURL,
+				AdvertiseRoutes: []netaddr.IPPrefix{},
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:      ipn.DefaultControlURL,
+					AdvertiseRoutes: nil,
+				},
+				ControlURLSet: true,
 			},
 			want: "",
 		},
@@ -108,322 +143,335 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			// Issue 1725: "tailscale up --authkey=..." (or other non-empty flags) works from
 			// a fresh server's initial prefs.
 			name:     "up_with_default_prefs",
-			flags:    []string{"--authkey=foosdlkfjskdljf"},
+			flagSet:  f("authkey"),
 			curPrefs: ipn.NewPrefs(),
-			want:     "",
+			mp: &ipn.MaskedPrefs{
+				Prefs:          *defaultPrefsFromUpArgs(t, "linux"),
+				WantRunningSet: true,
+			},
+			want: "",
 		},
 		{
-			name:  "implicit_operator_change",
-			flags: []string{"--hostname=foo"},
+			name:    "implicit_operator_change",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				OperatorUser:     "alice",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL:   ipn.DefaultControlURL,
+				OperatorUser: "alice",
 			},
 			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=foo --operator=alice",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+				},
+				ControlURLSet: true,
+			},
+			want: accidentalUpPrefix + " --hostname= --operator=alice",
 		},
 		{
-			name:  "implicit_operator_matches_shell_user",
-			flags: []string{"--hostname=foo"},
+			name:    "implicit_operator_matches_shell_user",
+			flagSet: f("hostname"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				OperatorUser:     "alice",
+				ControlURL:   ipn.DefaultControlURL,
+				OperatorUser: "alice",
 			},
 			curUser: "alice",
-			want:    "",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+				},
+				ControlURLSet: true,
+			},
+			want: "",
 		},
 		{
-			name:  "error_advertised_routes_exit_node_removed",
-			flags: []string{"--advertise-routes=10.0.42.0/24"},
+			name:    "error_advertised_routes_exit_node_removed",
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
 		},
 		{
-			name:  "advertised_routes_exit_node_removed_explicit",
-			flags: []string{"--advertise-routes=10.0.42.0/24", "--advertise-exit-node=false"},
+			name:    "advertised_routes_exit_node_removed",
+			flagSet: f("advertise-routes", "advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "advertised_routes_includes_the_0_routes", // but no --advertise-exit-node
-			flags: []string{"--advertise-routes=11.1.43.0/24,0.0.0.0/0,::/0"},
+			name:    "advertised_routes_includes_the_0_routes", // but no --advertise-exit-node
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("10.0.42.0/24"),
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 				},
 			},
-			want: "",
-		},
-		{
-			name:  "advertise_exit_node", // Issue 1859
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("11.1.43.0/24"),
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
 			},
 			want: "",
 		},
 		{
-			name:  "advertise_exit_node_over_existing_routes",
-			flags: []string{"--advertise-exit-node"},
+			name:    "advertised_routes_includes_only_one_0_route", // and no --advertise-exit-node
+			flagSet: f("advertise-routes"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
+				ControlURL: ipn.DefaultControlURL,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.42.0/24"),
+					netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					netaddr.MustParseIPPrefix("::/0"),
+				},
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("11.1.43.0/24"),
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
+			want: accidentalUpPrefix + " --advertise-routes=11.1.43.0/24,0.0.0.0/0 --advertise-exit-node",
+		},
+		{
+			name:    "advertise_exit_node", // Issue 1859
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
+			want: "",
+		},
+		{
+			name:    "advertise_exit_node_over_existing_routes",
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
 		},
 		{
-			name:  "advertise_exit_node_over_existing_routes_and_exit_node",
-			flags: []string{"--advertise-exit-node"},
+			name:    "advertise_exit_node_over_existing_routes_and_exit_node",
+			flagSet: f("advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ControlURL: ipn.DefaultControlURL,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("0.0.0.0/0"),
 					netaddr.MustParseIPPrefix("::/0"),
 					netaddr.MustParseIPPrefix("1.2.0.0/16"),
 				},
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+						netaddr.MustParseIPPrefix("::/0"),
+					},
+				},
+				// Note: without setting "AdvertiseRoutesSet", as
+				// updateMaskedPrefsFromUpFlag doesn't set that.
+			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
 		},
 		{
-			name:  "exit_node_clearing", // Issue 1777
-			flags: []string{"--exit-node="},
+			name:    "exit_node_clearing", // Issue 1777
+			flagSet: f("exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
+				ControlURL: ipn.DefaultControlURL,
 				ExitNodeID: "fooID",
 			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					ExitNodeIP: netaddr.IP{},
+				},
+				ExitNodeIPSet: true,
+			},
 			want: "",
 		},
 		{
-			name:  "remove_all_implicit",
-			flags: []string{"--force-reauth"},
+			name:    "remove_all_implicit",
+			flagSet: f("force-reauth"),
 			curPrefs: &ipn.Prefs{
 				WantRunning:      true,
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
 				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --force-reauth --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --hostname=myhostname --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "remove_all_implicit_except_hostname",
-			flags: []string{"--hostname=newhostname"},
-			curPrefs: &ipn.Prefs{
-				WantRunning:      true,
-				ControlURL:       ipn.DefaultControlURL,
-				RouteAll:         true,
-				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=newhostname --accept-dns=false --accept-routes --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "loggedout_is_implicit",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				LoggedOut:        true,
-				AllowSingleHosts: true,
 				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				ShieldsUp:        true,
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+				Hostname:         "myhostname",
+				ForceDaemon:      true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+				},
+				NetfilterMode: preftype.NetfilterNoDivert,
+				OperatorUser:  "alice",
 			},
-			want: "", // not an error. LoggedOut is implicit.
+			curUser: "eve",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+				},
+			},
+			want: accidentalUpPrefix + " --force-reauth --accept-routes --exit-node=100.64.5.6 --accept-dns --shields-up --advertise-tags=tag:foo,tag:bar --hostname=myhostname --unattended --advertise-routes=10.0.0.0/16 --netfilter-mode=nodivert --operator=alice",
+		},
+		{
+			name:    "remove_all_implicit_except_hostname",
+			flagSet: f("hostname"),
+			curPrefs: &ipn.Prefs{
+				WantRunning:      true,
+				ControlURL:       ipn.DefaultControlURL,
+				RouteAll:         true,
+				AllowSingleHosts: false,
+				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
+				CorpDNS:          true,
+				ShieldsUp:        true,
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+				Hostname:         "myhostname",
+				ForceDaemon:      true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+				},
+				NetfilterMode: preftype.NetfilterNoDivert,
+				OperatorUser:  "alice",
+			},
+			curUser: "eve",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL:  ipn.DefaultControlURL,
+					WantRunning: true,
+					Hostname:    "newhostname",
+				},
+				HostnameSet: true,
+			},
+			want: accidentalUpPrefix + " --hostname=newhostname --accept-routes --exit-node=100.64.5.6 --accept-dns --shields-up --advertise-tags=tag:foo,tag:bar --unattended --advertise-routes=10.0.0.0/16 --netfilter-mode=nodivert --operator=alice",
+		},
+		{
+			name:    "loggedout_is_implicit",
+			flagSet: f("advertise-exit-node"),
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+				LoggedOut:  true,
+			},
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("0.0.0.0/0"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
+			// not an error. LoggedOut is implicit.
+			want: "",
 		},
 		{
 			// Test that a pre-1.8 version of Tailscale with bogus NoSNAT pref
 			// values is able to enable exit nodes without warnings.
-			name:  "make_windows_exit_node",
-			flags: []string{"--advertise-exit-node"},
+			name:    "make_windows_exit_node",
+			flagSet: f("advertise-exit-node"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-
-				// And assume this no-op accidental pre-1.8 value:
-				NoSNAT: true,
+				ControlURL: ipn.DefaultControlURL,
+				NoSNAT:     true, // assume this no-op accidental pre-1.8 value
 			},
 			goos: "windows",
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					AdvertiseRoutes: []netaddr.IPPrefix{
+						netaddr.MustParseIPPrefix("192.168.0.0/16"),
+					},
+				},
+				AdvertiseRoutesSet: true,
+			},
 			want: "", // not an error
 		},
 		{
-			name:  "ignore_netfilter_change_non_linux",
-			flags: []string{"--accept-dns"},
+			name:    "ignore_netfilter_change_non_linux",
+			flagSet: f("accept-dns"),
 			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-
+				ControlURL:    ipn.DefaultControlURL,
 				NetfilterMode: preftype.NetfilterNoDivert, // we never had this bug, but pretend it got set non-zero on Windows somehow
 			},
 			goos: "windows",
-			want: "", // not an error
-		},
-		{
-			name:  "operator_losing_routes_step1", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
+			mp: &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					ControlURL: ipn.DefaultControlURL,
+					CorpDNS:    false,
 				},
-			},
-			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
-		},
-		{
-			name:  "operator_losing_routes_step2", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits", "--advertise-routes=1.2.0.0/16"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
-		},
-		{
-			name:  "errors_preserve_explicit_flags",
-			flags: []string{"--reset", "--force-reauth=false", "--authkey=secretrand"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-
-				Hostname: "foo",
-			},
-			want: accidentalUpPrefix + " --authkey=secretrand --force-reauth=false --reset --hostname=foo",
-		},
-		{
-			name:  "error_exit_node_omit_with_ip_pref",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
-		},
-		{
-			name:          "error_exit_node_omit_with_id_pref",
-			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeID: "some_stable_id",
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
-		},
-		{
-			name:  "ignore_login_server_synonym",
-			flags: []string{"--login-server=https://controlplane.tailscale.com"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
+				CorpDNSSet: true,
 			},
 			want: "", // not an error
 		},
-		{
-			name:  "ignore_login_server_synonym_on_other_change",
-			flags: []string{"--netfilter-mode=off"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          false,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			want: accidentalUpPrefix + " --netfilter-mode=off --accept-dns=false",
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -431,19 +479,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			if tt.goos != "" {
 				goos = tt.goos
 			}
-			var upArgs upArgsT
-			flagSet := newUpFlagSet(goos, &upArgs)
-			flagSet.Parse(tt.flags)
-			newPrefs, err := prefsFromUpArgs(upArgs, t.Logf, new(ipnstate.Status), goos)
-			if err != nil {
-				t.Fatal(err)
-			}
-			applyImplicitPrefs(newPrefs, tt.curPrefs, tt.curUser)
 			var got string
-			if err := checkForAccidentalSettingReverts(flagSet, tt.curPrefs, newPrefs, upCheckEnv{
-				goos:          goos,
-				curExitNodeIP: tt.curExitNodeIP,
-			}); err != nil {
+			if err := checkForAccidentalSettingReverts(tt.flagSet, tt.curPrefs, tt.mp, goos, tt.curUser); err != nil {
 				got = err.Error()
 			}
 			if strings.TrimSpace(got) != tt.want {
@@ -453,6 +490,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 	}
 }

+func defaultPrefsFromUpArgs(t testing.TB, goos string) *ipn.Prefs {
+	upArgs := upArgsFromOSArgs(goos)
+	prefs, err := prefsFromUpArgs(upArgs, logger.Discard, new(ipnstate.Status), "linux")
+	if err != nil {
+		t.Fatalf("defaultPrefsFromUpArgs: %v", err)
+	}
+	prefs.WantRunning = true
+	return prefs
+}
+
 func upArgsFromOSArgs(goos string, flagArgs ...string) (args upArgsT) {
 	fs := newUpFlagSet(goos, &args)
 	fs.Parse(flagArgs) // populates args
@@ -528,7 +575,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			args: upArgsT{
 				exitNodeIP: "foo",
 			},
-			wantErr: `invalid IP address "foo" for --exit-node: ParseIP("foo"): unable to parse IP`,
+			wantErr: `invalid IP address "foo" for --exit-node: unable to parse IP`,
 		},
 		{
 			name: "error_exit_node_allow_lan_without_exit_node",
@@ -648,17 +695,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 }

 func TestPrefFlagMapping(t *testing.T) {
-	prefHasFlag := map[string]bool{}
-	for _, pv := range prefsOfFlag {
-		for _, pref := range pv {
-			prefHasFlag[pref] = true
-		}
-	}
-
 	prefType := reflect.TypeOf(ipn.Prefs{})
 	for i := 0; i < prefType.NumField(); i++ {
 		prefName := prefType.Field(i).Name
-		if prefHasFlag[prefName] {
+		if _, ok := flagForPref[prefName]; ok {
 			continue
 		}
 		switch prefName {
@@ -676,15 +716,3 @@ func TestPrefFlagMapping(t *testing.T) {
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
 }
-
-func TestFlagAppliesToOS(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			if !flagAppliesToOS(f.Name, goos) {
-				t.Errorf("flagAppliesToOS(%q, %q) = false but found in %s set", f.Name, goos, goos)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -31,7 +31,6 @@ var debugCmd = &ffcli.Command{
 		fs.BoolVar(&debugArgs.goroutines, "daemon-goroutines", false, "If true, dump the tailscaled daemon's goroutines")
 		fs.BoolVar(&debugArgs.ipn, "ipn", false, "If true, subscribe to IPN notifications")
 		fs.BoolVar(&debugArgs.prefs, "prefs", false, "If true, dump active prefs")
-		fs.BoolVar(&debugArgs.derpMap, "derp", false, "If true, dump DERP map")
 		fs.BoolVar(&debugArgs.pretty, "pretty", false, "If true, pretty-print output (for --prefs)")
 		fs.BoolVar(&debugArgs.netMap, "netmap", true, "whether to include netmap in --ipn mode")
 		fs.BoolVar(&debugArgs.localCreds, "local-creds", false, "print how to connect to local tailscaled")
@@ -45,7 +44,6 @@ var debugArgs struct {
 	goroutines bool
 	ipn        bool
 	netMap     bool
-	derpMap    bool
 	file       string
 	prefs      bool
 	pretty     bool
@@ -89,18 +87,6 @@ func runDebug(ctx context.Context, args []string) error {
 		os.Stdout.Write(goroutines)
 		return nil
 	}
-	if debugArgs.derpMap {
-		dm, err := tailscale.CurrentDERPMap(ctx)
-		if err != nil {
-			return fmt.Errorf(
-				"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
-			)
-		}
-		enc := json.NewEncoder(os.Stdout)
-		enc.SetIndent("", "\t")
-		enc.Encode(dm)
-		return nil
-	}
 	if debugArgs.ipn {
 		c, bc, ctx, cancel := connect(ctx)
 		defer cancel()
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -74,6 +74,7 @@ func runCp(ctx context.Context, args []string) error {
 		return runCpTargets(ctx, args)
 	}
 	if len(args) < 2 {
+		//lint:ignore ST1005 no sorry need that colon at the end
 		return errors.New("usage: tailscale file cp <files...> <target>:")
 	}
 	files, target := args[:len(args)-1], args[len(args)-1]
@@ -96,12 +97,14 @@ func runCp(ctx context.Context, args []string) error {
 		return err
 	}

-	peerAPIBase, isOffline, err := discoverPeerAPIBase(ctx, ip)
+	peerAPIBase, lastSeen, isOffline, err := discoverPeerAPIBase(ctx, ip)
 	if err != nil {
 		return fmt.Errorf("can't send to %s: %v", target, err)
 	}
 	if isOffline {
 		fmt.Fprintf(os.Stderr, "# warning: %s is offline\n", target)
+	} else if !lastSeen.IsZero() && time.Since(lastSeen) > lastSeenOld {
+		fmt.Fprintf(os.Stderr, "# warning: %s last seen %v ago\n", target, time.Since(lastSeen).Round(time.Minute))
 	}

 	if len(files) > 1 {
@@ -179,26 +182,29 @@ func runCp(ctx context.Context, args []string) error {
 	return nil
 }

-func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, isOffline bool, err error) {
+func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSeen time.Time, isOffline bool, err error) {
 	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
-		return "", false, err
+		return "", time.Time{}, false, err
 	}
 	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
-		return "", false, err
+		return "", time.Time{}, false, err
 	}
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.IP() != ip {
+			if a.IP != ip {
 				continue
 			}
+			if n.LastSeen != nil {
+				lastSeen = *n.LastSeen
+			}
 			isOffline = n.Online != nil && !*n.Online
-			return ft.PeerAPIURL, isOffline, nil
+			return ft.PeerAPIURL, lastSeen, isOffline, nil
 		}
 	}
-	return "", false, fileTargetErrorDetail(ctx, ip)
+	return "", time.Time{}, false, fileTargetErrorDetail(ctx, ip)
 }

 // fileTargetErrorDetail returns a non-nil error saying why ip is an
@@ -268,6 +274,8 @@ func (r *slowReader) Read(p []byte) (n int, err error) {
 	return
 }

+const lastSeenOld = 20 * time.Minute
+
 func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
@@ -293,7 +301,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
+		fmt.Printf("%s\t%s%s\n", n.Addresses[0].IP, n.ComputedName, detail)
 	}
 	return nil
 }
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -9,18 +9,14 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
-	"io/ioutil"
 	"log"
-	"net/http"
 	"os"
 	"sort"
 	"strings"
 	"time"

 	"github.com/peterbourgon/ff/v2/ffcli"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
+	"tailscale.com/derp/derpmap"
 	"tailscale.com/net/netcheck"
 	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
@@ -63,13 +59,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(os.Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}

-	dm, err := tailscale.CurrentDERPMap(ctx)
-	if err != nil {
-		dm, err = prodDERPMap(ctx, http.DefaultClient)
-		if err != nil {
-			return err
-		}
-	}
+	dm := derpmap.Prod()
 	for {
 		t0 := time.Now()
 		report, err := c.GetReport(ctx, dm)
@@ -186,27 +176,3 @@ func portMapping(r *netcheck.Report) string {
 	}
 	return strings.Join(got, ", ")
 }
-
-func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
-	if err != nil {
-		return nil, fmt.Errorf("create prodDERPMap request: %w", err)
-	}
-	res, err := httpc.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
-	}
-	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
-	if err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
-	}
-	if res.StatusCode != 200 {
-		return nil, fmt.Errorf("fetch prodDERPMap: %v: %s", res.Status, b)
-	}
-	var derpMap tailcfg.DERPMap
-	if err = json.Unmarshal(b, &derpMap); err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap: %w", err)
-	}
-	return &derpMap, nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -139,9 +139,6 @@ func runPing(ctx context.Context, args []string) error {
 			if !anyPong {
 				return errors.New("no reply")
 			}
-			if pingArgs.untilDirect {
-				return errors.New("direct connection not established")
-			}
 			return nil
 		}
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -13,6 +13,7 @@ import (
 	"reflect"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"

@@ -164,10 +165,10 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		routes = append(routes, r)
 	}
 	sort.Slice(routes, func(i, j int) bool {
-		if routes[i].Bits() != routes[j].Bits() {
-			return routes[i].Bits() < routes[j].Bits()
+		if routes[i].Bits != routes[j].Bits {
+			return routes[i].Bits < routes[j].Bits
 		}
-		return routes[i].IP().Less(routes[j].IP())
+		return routes[i].IP.Less(routes[j].IP)
 	})

 	var exitNodeIP netaddr.IP
@@ -230,9 +231,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			if defaultNetfilterMode() != "off" {
-				warnf("netfilter=off; configure iptables yourself.")
-			}
+			warnf("netfilter=off; configure iptables yourself.")
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -268,7 +267,7 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	if distro.Get() == distro.Synology {
-		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}
@@ -296,13 +295,17 @@ func runUp(ctx context.Context, args []string) error {
 		return err
 	}

-	if !upArgs.reset {
-		applyImplicitPrefs(prefs, curPrefs, os.Getenv("USER"))
+	flagSet := map[string]bool{}
+	mp := new(ipn.MaskedPrefs)
+	mp.WantRunningSet = true
+	mp.Prefs = *prefs
+	upFlagSet.Visit(func(f *flag.Flag) {
+		updateMaskedPrefsFromUpFlag(mp, f.Name)
+		flagSet[f.Name] = true
+	})

-		if err := checkForAccidentalSettingReverts(upFlagSet, curPrefs, prefs, upCheckEnv{
-			goos:          runtime.GOOS,
-			curExitNodeIP: exitNodeIP(prefs, st),
-		}); err != nil {
+	if !upArgs.reset {
+		if err := checkForAccidentalSettingReverts(flagSet, curPrefs, mp, runtime.GOOS, os.Getenv("USER")); err != nil {
 			fatalf("%s", err)
 		}
 	}
@@ -314,7 +317,7 @@ func runUp(ctx context.Context, args []string) error {

 	// If we're already running and none of the flags require a
 	// restart, we can just do an EditPrefs call and change the
-	// prefs at runtime (e.g. changing hostname, changing
+	// prefs at runtime (e.g. changing hostname, changinged
 	// advertised tags, routes, etc)
 	justEdit := st.BackendState == ipn.Running.String() &&
 		!upArgs.forceReauth &&
@@ -322,13 +325,6 @@ func runUp(ctx context.Context, args []string) error {
 		upArgs.authKey == "" &&
 		!controlURLChanged
 	if justEdit {
-		mp := new(ipn.MaskedPrefs)
-		mp.WantRunningSet = true
-		mp.Prefs = *prefs
-		upFlagSet.Visit(func(f *flag.Flag) {
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
-		})
-
 		_, err := tailscale.EditPrefs(ctx, mp)
 		return err
 	}
@@ -336,7 +332,7 @@ func runUp(ctx context.Context, args []string) error {
 	// simpleUp is whether we're running a simple "tailscale up"
 	// to transition to running from a previously-logged-in but
 	// down state, without changing any settings.
-	simpleUp := upFlagSet.NFlag() == 0 &&
+	simpleUp := len(flagSet) == 0 &&
 		curPrefs.Persist != nil &&
 		curPrefs.Persist.LoginName != "" &&
 		st.BackendState != ipn.NeedsLogin.String()
@@ -468,20 +464,14 @@ func runUp(ctx context.Context, args []string) error {
 }

 var (
-	prefsOfFlag = map[string][]string{} // "exit-node" => ExitNodeIP, ExitNodeID
+	flagForPref = map[string]string{} // "ExitNodeIP" => "exit-node"
+	prefsOfFlag = map[string][]string{}
 )

 func init() {
-	// Both these have the same ipn.Pref:
-	addPrefFlagMapping("advertise-exit-node", "AdvertiseRoutes")
-	addPrefFlagMapping("advertise-routes", "AdvertiseRoutes")
-
-	// And this flag has two ipn.Prefs:
-	addPrefFlagMapping("exit-node", "ExitNodeIP", "ExitNodeID")
-
-	// The rest are 1:1:
 	addPrefFlagMapping("accept-dns", "CorpDNS")
 	addPrefFlagMapping("accept-routes", "RouteAll")
+	addPrefFlagMapping("advertise-routes", "AdvertiseRoutes")
 	addPrefFlagMapping("advertise-tags", "AdvertiseTags")
 	addPrefFlagMapping("host-routes", "AllowSingleHosts")
 	addPrefFlagMapping("hostname", "Hostname")
@@ -489,6 +479,7 @@ func init() {
 	addPrefFlagMapping("netfilter-mode", "NetfilterMode")
 	addPrefFlagMapping("shields-up", "ShieldsUp")
 	addPrefFlagMapping("snat-subnet-routes", "NoSNAT")
+	addPrefFlagMapping("exit-node", "ExitNodeIP", "ExitNodeID")
 	addPrefFlagMapping("exit-node-allow-lan-access", "ExitNodeAllowLANAccess")
 	addPrefFlagMapping("unattended", "ForceDaemon")
 	addPrefFlagMapping("operator", "OperatorUser")
@@ -498,6 +489,8 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 	prefsOfFlag[flagName] = prefNames
 	prefType := reflect.TypeOf(ipn.Prefs{})
 	for _, pref := range prefNames {
+		flagForPref[pref] = flagName
+
 		// Crash at runtime if there's a typo in the prefName.
 		if _, ok := prefType.FieldByName(pref); !ok {
 			panic(fmt.Sprintf("invalid ipn.Prefs field %q", pref))
@@ -505,27 +498,21 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 	}
 }

-// preflessFlag reports whether flagName is a flag that doesn't
-// correspond to an ipn.Pref.
-func preflessFlag(flagName string) bool {
-	switch flagName {
-	case "authkey", "force-reauth", "reset":
-		return true
-	}
-	return false
-}
-
 func updateMaskedPrefsFromUpFlag(mp *ipn.MaskedPrefs, flagName string) {
-	if preflessFlag(flagName) {
-		return
-	}
 	if prefs, ok := prefsOfFlag[flagName]; ok {
 		for _, pref := range prefs {
 			reflect.ValueOf(mp).Elem().FieldByName(pref + "Set").SetBool(true)
 		}
 		return
 	}
-	panic(fmt.Sprintf("internal error: unhandled flag %q", flagName))
+	switch flagName {
+	case "authkey", "force-reauth", "reset":
+		// Not pref-related flags.
+	case "advertise-exit-node":
+		// This pref is a shorthand for advertise-routes.
+	default:
+		panic(fmt.Sprintf("internal error: unhandled flag %q", flagName))
+	}
 }

 const accidentalUpPrefix = "Error: changing settings via 'tailscale up' requires mentioning all\n" +
@@ -534,16 +521,9 @@ const accidentalUpPrefix = "Error: changing settings via 'tailscale up' requires
 	"all non-default settings:\n\n" +
 	"\ttailscale up"

-// upCheckEnv are extra parameters describing the environment as
-// needed by checkForAccidentalSettingReverts and friends.
-type upCheckEnv struct {
-	goos          string
-	curExitNodeIP netaddr.IP
-}
-
-// checkForAccidentalSettingReverts (the "up checker") checks for
-// people running "tailscale up" with a subset of the flags they
-// originally ran it with.
+// checkForAccidentalSettingReverts checks for people running
+// "tailscale up" with a subset of the flags they originally ran it
+// with.
 //
 // For example, in Tailscale 1.6 and prior, a user might've advertised
 // a tag, but later tried to change just one other setting and forgot
@@ -555,187 +535,178 @@ type upCheckEnv struct {
 //
 // mp is the mask of settings actually set, where mp.Prefs is the new
 // preferences to set, including any values set from implicit flags.
-func checkForAccidentalSettingReverts(flagSet *flag.FlagSet, curPrefs, newPrefs *ipn.Prefs, env upCheckEnv) error {
-	if curPrefs.ControlURL == "" {
-		// Don't validate things on initial "up" before a control URL has been set.
-		return nil
-	}
-
-	flagIsSet := map[string]bool{}
-	flagSet.Visit(func(f *flag.Flag) {
-		flagIsSet[f.Name] = true
-	})
-
-	if len(flagIsSet) == 0 {
+func checkForAccidentalSettingReverts(flagSet map[string]bool, curPrefs *ipn.Prefs, mp *ipn.MaskedPrefs, goos, curUser string) error {
+	if len(flagSet) == 0 {
 		// A bare "tailscale up" is a special case to just
 		// mean bringing the network up without any changes.
 		return nil
 	}
+	if curPrefs.ControlURL == "" {
+		// Don't validate things on initial "up" before a control URL has been set.
+		return nil
+	}
+	curWithExplicitEdits := curPrefs.Clone()
+	curWithExplicitEdits.ApplyEdits(mp)

-	// flagsCur is what flags we'd need to use to keep the exact
-	// settings as-is.
-	flagsCur := prefsToFlags(env, curPrefs)
-	flagsNew := prefsToFlags(env, newPrefs)
+	prefType := reflect.TypeOf(ipn.Prefs{})
+
+	// Explicit values (current + explicit edit):
+	ev := reflect.ValueOf(curWithExplicitEdits).Elem()
+	// Implicit values (what we'd get if we replaced everything with flag defaults):
+	iv := reflect.ValueOf(&mp.Prefs).Elem()

 	var missing []string
-	for flagName := range flagsCur {
-		valCur, valNew := flagsCur[flagName], flagsNew[flagName]
-		if flagIsSet[flagName] {
+	flagExplicitValue := map[string]interface{}{} // e.g. "accept-dns" => true (from flagSet)
+	for i := 0; i < prefType.NumField(); i++ {
+		prefName := prefType.Field(i).Name
+		// Persist is a legacy field used for storing keys, which
+		// probably should never have been part of Prefs. It's
+		// likely to migrate elsewhere eventually.
+		if prefName == "Persist" {
 			continue
 		}
-		if reflect.DeepEqual(valCur, valNew) {
+		// LoggedOut is a preference, but running the "up" command
+		// always implies that the user now prefers LoggedOut->false.
+		if prefName == "LoggedOut" {
 			continue
 		}
-		if flagName == "login-server" && isLoginServerSynonym(valCur) && isLoginServerSynonym(valNew) {
+		flagName, hasFlag := flagForPref[prefName]
+
+		// Special case for advertise-exit-node; which is a
+		// flag but doesn't have a corresponding pref.  The
+		// flag augments advertise-routes, so we have to infer
+		// the imaginary pref's current value from the routes.
+		if prefName == "AdvertiseRoutes" &&
+			hasExitNodeRoutes(curPrefs.AdvertiseRoutes) &&
+			!hasExitNodeRoutes(curWithExplicitEdits.AdvertiseRoutes) &&
+			!flagSet["advertise-exit-node"] {
+			missing = append(missing, "--advertise-exit-node")
+		}
+
+		if hasFlag && flagSet[flagName] {
+			flagExplicitValue[flagName] = ev.Field(i).Interface()
 			continue
 		}
-		missing = append(missing, fmtFlagValueArg(flagName, valCur))
+
+		if prefName == "AdvertiseRoutes" &&
+			(len(curPrefs.AdvertiseRoutes) == 0 ||
+				hasExitNodeRoutes(curPrefs.AdvertiseRoutes) && len(curPrefs.AdvertiseRoutes) == 2) &&
+			hasExitNodeRoutes(mp.Prefs.AdvertiseRoutes) &&
+			len(mp.Prefs.AdvertiseRoutes) == 2 &&
+			flagSet["advertise-exit-node"] {
+			continue
+		}
+
+		// Get explicit value and implicit value
+		ex, im := ev.Field(i), iv.Field(i)
+		switch ex.Kind() {
+		case reflect.String, reflect.Slice:
+			if ex.Kind() == reflect.Slice && ex.Len() == 0 && im.Len() == 0 {
+				// Treat nil and non-nil empty slices as equivalent.
+				continue
+			}
+		}
+		exi, imi := ex.Interface(), im.Interface()
+
+		if reflect.DeepEqual(exi, imi) {
+			continue
+		}
+		switch flagName {
+		case "operator":
+			if imi == "" && exi == curUser {
+				// Don't require setting operator if the current user matches
+				// the configured operator.
+				continue
+			}
+		case "snat-subnet-routes", "netfilter-mode":
+			if goos != "linux" {
+				// Issue 1833: we used to accidentally set the NoSNAT
+				// pref for non-Linux nodes. It only affects Linux, so
+				// ignore it if it changes. Likewise, ignore
+				// Linux-only netfilter-mode on non-Linux.
+				continue
+			}
+		}
+		switch flagName {
+		case "":
+			return fmt.Errorf("'tailscale up' without --reset requires all preferences with changing values to be explicitly mentioned; this command would change the value of flagless pref %q", prefName)
+		case "exit-node":
+			if prefName == "ExitNodeIP" {
+				missing = append(missing, fmtFlagValueArg("exit-node", fmtSettingVal(exi)))
+			}
+		case "advertise-routes":
+			routes := withoutExitNodes(exi.([]netaddr.IPPrefix))
+			missing = append(missing, fmtFlagValueArg("advertise-routes", fmtSettingVal(routes)))
+		default:
+			missing = append(missing, fmtFlagValueArg(flagName, fmtSettingVal(exi)))
+		}
 	}
 	if len(missing) == 0 {
 		return nil
 	}
-	sort.Strings(missing)
-
-	// Compute the stringification of the explicitly provided args in flagSet
-	// to prepend to the command to run.
-	var explicit []string
-	flagSet.Visit(func(f *flag.Flag) {
-		type isBool interface {
-			IsBoolFlag() bool
-		}
-		if ib, ok := f.Value.(isBool); ok && ib.IsBoolFlag() {
-			if f.Value.String() == "false" {
-				explicit = append(explicit, "--"+f.Name+"=false")
-			} else {
-				explicit = append(explicit, "--"+f.Name)
-			}
-		} else {
-			explicit = append(explicit, fmtFlagValueArg(f.Name, f.Value.String()))
-		}
-	})
-
 	var sb strings.Builder
 	sb.WriteString(accidentalUpPrefix)

-	for _, a := range append(explicit, missing...) {
+	var flagSetSorted []string
+	for f := range flagSet {
+		flagSetSorted = append(flagSetSorted, f)
+	}
+	sort.Strings(flagSetSorted)
+	for _, flagName := range flagSetSorted {
+		if ev, ok := flagExplicitValue[flagName]; ok {
+			fmt.Fprintf(&sb, " %s", fmtFlagValueArg(flagName, fmtSettingVal(ev)))
+		} else {
+			fmt.Fprintf(&sb, " --%s", flagName)
+		}
+	}
+	for _, a := range missing {
 		fmt.Fprintf(&sb, " %s", a)
 	}
 	sb.WriteString("\n\n")
 	return errors.New(sb.String())
 }

-// applyImplicitPrefs mutates prefs to add implicit preferences. Currently
-// this is just the operator user, which only needs to be set if it doesn't
-// match the current user.
-//
-// curUser is os.Getenv("USER"). It's pulled out for testability.
-func applyImplicitPrefs(prefs, oldPrefs *ipn.Prefs, curUser string) {
-	if prefs.OperatorUser == "" && oldPrefs.OperatorUser == curUser {
-		prefs.OperatorUser = oldPrefs.OperatorUser
-	}
-}
-
-func isLoginServerSynonym(val interface{}) bool {
-	return val == "https://login.tailscale.com" || val == "https://controlplane.tailscale.com"
-}
-
-func flagAppliesToOS(flag, goos string) bool {
-	switch flag {
-	case "netfilter-mode", "snat-subnet-routes":
-		return goos == "linux"
-	case "unattended":
-		return goos == "windows"
-	}
-	return true
-}
-
-func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interface{}) {
-	ret := make(map[string]interface{})
-
-	exitNodeIPStr := func() string {
-		if !prefs.ExitNodeIP.IsZero() {
-			return prefs.ExitNodeIP.String()
-		}
-		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
-			return ""
-		}
-		return env.curExitNodeIP.String()
-	}
-
-	fs := newUpFlagSet(env.goos, new(upArgsT) /* dummy */)
-	fs.VisitAll(func(f *flag.Flag) {
-		if preflessFlag(f.Name) {
-			return
-		}
-		set := func(v interface{}) {
-			if flagAppliesToOS(f.Name, env.goos) {
-				ret[f.Name] = v
-			} else {
-				ret[f.Name] = nil
-			}
-		}
-		switch f.Name {
-		default:
-			panic(fmt.Sprintf("unhandled flag %q", f.Name))
-		case "login-server":
-			set(prefs.ControlURL)
-		case "accept-routes":
-			set(prefs.RouteAll)
-		case "host-routes":
-			set(prefs.AllowSingleHosts)
-		case "accept-dns":
-			set(prefs.CorpDNS)
-		case "shields-up":
-			set(prefs.ShieldsUp)
-		case "exit-node":
-			set(exitNodeIPStr())
-		case "exit-node-allow-lan-access":
-			set(prefs.ExitNodeAllowLANAccess)
-		case "advertise-tags":
-			set(strings.Join(prefs.AdvertiseTags, ","))
-		case "hostname":
-			set(prefs.Hostname)
-		case "operator":
-			set(prefs.OperatorUser)
-		case "advertise-routes":
-			var sb strings.Builder
-			for i, r := range withoutExitNodes(prefs.AdvertiseRoutes) {
-				if i > 0 {
-					sb.WriteByte(',')
-				}
-				sb.WriteString(r.String())
-			}
-			set(sb.String())
-		case "advertise-exit-node":
-			set(hasExitNodeRoutes(prefs.AdvertiseRoutes))
-		case "snat-subnet-routes":
-			set(!prefs.NoSNAT)
-		case "netfilter-mode":
-			set(prefs.NetfilterMode.String())
-		case "unattended":
-			set(prefs.ForceDaemon)
-		}
-	})
-	return ret
-}
-
-func fmtFlagValueArg(flagName string, val interface{}) string {
-	if val == true {
+func fmtFlagValueArg(flagName, val string) string {
+	if val == "true" {
+		// TODO: check flagName's type to see if its Pref is of type bool
 		return "--" + flagName
 	}
 	if val == "" {
 		return "--" + flagName + "="
 	}
-	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
+	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(val))
+}
+
+func fmtSettingVal(v interface{}) string {
+	switch v := v.(type) {
+	case bool:
+		return strconv.FormatBool(v)
+	case string:
+		return v
+	case preftype.NetfilterMode:
+		return v.String()
+	case []string:
+		return strings.Join(v, ",")
+	case []netaddr.IPPrefix:
+		var sb strings.Builder
+		for i, r := range v {
+			if i > 0 {
+				sb.WriteByte(',')
+			}
+			sb.WriteString(r.String())
+		}
+		return sb.String()
+	}
+	return fmt.Sprint(v)
 }

 func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
-		if r.Bits() == 0 {
-			if r.IP().Is4() {
+		if r.Bits == 0 {
+			if r.IP.Is4() {
 				v4 = true
-			} else if r.IP().Is6() {
+			} else if r.IP.Is6() {
 				v6 = true
 			}
 		}
@@ -752,33 +723,9 @@ func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 	}
 	var out []netaddr.IPPrefix
 	for _, r := range rr {
-		if r.Bits() > 0 {
+		if r.Bits > 0 {
 			out = append(out, r)
 		}
 	}
 	return out
 }
-
-// exitNodeIP returns the exit node IP from p, using st to map
-// it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
-	if p == nil {
-		return
-	}
-	if !p.ExitNodeIP.IsZero() {
-		return p.ExitNodeIP
-	}
-	id := p.ExitNodeID
-	if id.IsZero() {
-		return
-	}
-	for _, p := range st.Peer {
-		if p.ID == id {
-			if len(p.TailscaleIPs) > 0 {
-				return p.TailscaleIPs[0]
-			}
-			break
-		}
-	}
-	return
-}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -9,15 +9,12 @@ import (
 	"context"
 	_ "embed"
 	"encoding/json"
-	"encoding/xml"
 	"flag"
 	"fmt"
 	"html/template"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/cgi"
-	"net/url"
 	"os/exec"
 	"runtime"
 	"strings"
@@ -27,7 +24,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )

@@ -37,9 +33,6 @@ var webHTML string
 //go:embed web.css
 var webCSS string

-//go:embed auth-redirect.html
-var authenticationRedirectHTML string
-
 var tmpl *template.Template

 func init() {
@@ -60,14 +53,6 @@ var webCmd = &ffcli.Command{
 	ShortUsage: "web [flags]",
 	ShortHelp:  "Run a web server for controlling Tailscale",

-	LongHelp: strings.TrimSpace(`
-"tailscale web" runs a webserver for controlling the Tailscale daemon.
-
-It's primarily intended for use on Synology, QNAP, and other
-NAS devices where a web interface is the natural place to control
-Tailscale, as opposed to a CLI or a native app.
-`),
-
 	FlagSet: (func() *flag.FlagSet {
 		webf := flag.NewFlagSet("web", flag.ExitOnError)
 		webf.StringVar(&webArgs.listen, "listen", "localhost:8088", "listen address; use port 0 for automatic")
@@ -97,114 +82,23 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }

-// authorize returns the name of the user accessing the web UI after verifying
-// whether the user has access to the web UI. The function will write the
-// error to the provided http.ResponseWriter.
-// Note: This is different from a tailscale user, and is typically the local
-// user on the node.
-func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
-	switch distro.Get() {
-	case distro.Synology:
-		user, err := synoAuthn()
+func auth() (string, error) {
+	if distro.Get() == distro.Synology {
+		cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+		out, err := cmd.CombinedOutput()
 		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
+			return "", fmt.Errorf("auth: %v: %s", err, out)
 		}
-		if err := authorizeSynology(user); err != nil {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	case distro.QNAP:
-		user, resp, err := qnapAuthn(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if resp.IsAdmin == 0 {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
+		return string(out), nil
 	}
+
 	return "", nil
 }

-// authorizeSynology checks whether the provided user has access to the web UI
-// by consulting the membership of the "administrators" group.
-func authorizeSynology(name string) error {
-	yes, err := groupmember.IsMemberOfGroup("administrators", name)
-	if err != nil {
-		return err
-	}
-	if !yes {
-		return fmt.Errorf("not a member of administrators group")
-	}
-	return nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err != nil {
-		return "", nil, err
-	}
-	query := url.Values{
-		"qtoken": []string{token.Value},
-		"user":   []string{user.Value},
-	}
-	u := url.URL{
-		Scheme:   r.URL.Scheme,
-		Host:     r.URL.Host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-	resp, err := http.Get(u.String())
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user.Value, authResp, nil
-}
-
-func synoAuthn() (string, error) {
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("auth: %v: %s", err, out)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-func authRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() == distro.Synology {
-		return synoTokenRedirect(w, r)
-	}
-	return false
-}
-
 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() != distro.Synology {
+		return false
+	}
 	if r.Header.Get("X-Syno-Token") != "" {
 		return false
 	}
@@ -238,13 +132,75 @@ req.send(null);
 </body></html>
 `

+const authenticationRedirectHTML = `
+<html>
+<head>
+	<title>Redirecting...</title>
+	<style>
+		html,
+		body {
+			height: 100%;
+		}
+
+		html {
+			background-color: rgb(249, 247, 246);
+			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+			line-height: 1.5;
+			-webkit-text-size-adjust: 100%;
+			-webkit-font-smoothing: antialiased;
+			-moz-osx-font-smoothing: grayscale;
+		}
+
+		body {
+			display: flex;
+			flex-direction: column;
+			align-items: center;
+			justify-content: center;
+		}
+
+		.spinner {
+			margin-bottom: 2rem;
+			border: 4px rgba(112, 110, 109, 0.5) solid;
+			border-left-color: transparent;
+			border-radius: 9999px;
+			width: 4rem;
+			height: 4rem;
+			-webkit-animation: spin 700ms linear infinite;
+      animation: spin 800ms linear infinite;
+		}
+
+		.label {
+			color: rgb(112, 110, 109);
+			padding-left: 0.4rem;
+		}
+
+		@-webkit-keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+
+		@keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+	</style>
+</head>
+<body>
+	<div class="spinner"></div>
+	<div class="label">Redirecting...</div>
+</body>
+`
+
 func webHandler(w http.ResponseWriter, r *http.Request) {
-	if authRedirect(w, r) {
+	if synoTokenRedirect(w, r) {
 		return
 	}

-	user, err := authorize(w, r)
+	user, err := auth()
 	if err != nil {
+		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}

@@ -258,8 +214,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			json.NewEncoder(w).Encode(mi{"error": err})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -268,7 +223,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	st, err := tailscale.Status(r.Context())
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, err.Error(), 500)
 		return
 	}

@@ -286,7 +241,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {

 	buf := new(bytes.Buffer)
 	if err := tmpl.Execute(buf, data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, err.Error(), 500)
 		return
 	}
 	w.Write(buf.Bytes())
@@ -365,10 +320,6 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()

-	<-pumpCtx.Done() // wait for authURL or complete failure
-	if authURL == "" && retErr == nil {
-		retErr = pumpCtx.Err()
-	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,7 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -15,13 +14,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn
-        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
        tailscale.com/derp                                           from tailscale.com/derp/derphttp
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
+        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/metrics                                        from tailscale.com/derp
@@ -49,14 +48,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
-        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
-        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
+   L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
@@ -119,14 +118,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        debug/macho                                                  from rsc.io/goversion/version
        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/cmd/tailscale/cli
-        encoding                                                     from encoding/json+
+        encoding                                                     from encoding/json
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from github.com/peterbourgon/ff/v2+
@@ -158,7 +156,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os                                                           from crypto/rand+
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
-        os/user                                                      from tailscale.com/util/groupmember
        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -11,8 +11,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"io"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/httptrace"
@@ -21,7 +19,7 @@ import (
 	"time"

 	"tailscale.com/derp/derphttp"
-	"tailscale.com/ipn"
+	"tailscale.com/derp/derpmap"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
@@ -133,26 +131,7 @@ func getURL(ctx context.Context, urlStr string) error {
 }

 func checkDerp(ctx context.Context, derpRegion string) error {
-	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
-	if err != nil {
-		return fmt.Errorf("create derp map request: %w", err)
-	}
-	res, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return fmt.Errorf("fetch derp map failed: %w", err)
-	}
-	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
-	if err != nil {
-		return fmt.Errorf("fetch derp map failed: %w", err)
-	}
-	if res.StatusCode != 200 {
-		return fmt.Errorf("fetch derp map: %v: %s", res.Status, b)
-	}
-	var dmap tailcfg.DERPMap
-	if err = json.Unmarshal(b, &dmap); err != nil {
-		return fmt.Errorf("fetch DERP map: %w", err)
-	}
+	dmap := derpmap.Prod()
 	getRegion := func() *tailcfg.DERPRegion {
 		for _, r := range dmap.Regions {
 			if r.RegionCode == derpRegion {
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,47 +1,43 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   W 💣 github.com/github/certstore                                  from tailscale.com/control/controlclient
        github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+   W    github.com/pkg/errors                                        from github.com/github/certstore
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
     💣 go4.org/intern                                               from inet.af/netaddr
-     💣 go4.org/mem                                                  from tailscale.com/derp+
+     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
-     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
-     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
-     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
-   W 💣 golang.zx2c4.com/wireguard/ipc/winpipe                       from golang.zx2c4.com/wireguard/ipc
-        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
-     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/control/controlclient+
-        inet.af/netstack/atomicbitops                                from inet.af/netstack/tcpip+
-     💣 inet.af/netstack/buffer                                      from inet.af/netstack/tcpip/stack
     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
        inet.af/netstack/linewriter                                  from inet.af/netstack/log
        inet.af/netstack/log                                         from inet.af/netstack/state+
@@ -50,7 +46,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 inet.af/netstack/state                                       from inet.af/netstack/tcpip+
        inet.af/netstack/state/wire                                  from inet.af/netstack/state
     💣 inet.af/netstack/sync                                        from inet.af/netstack/linewriter+
-        inet.af/netstack/tcpip                                       from inet.af/netstack/tcpip/adapters/gonet+
+     💣 inet.af/netstack/tcpip                                       from inet.af/netstack/tcpip/adapters/gonet+
        inet.af/netstack/tcpip/adapters/gonet                        from tailscale.com/wgengine/netstack
     💣 inet.af/netstack/tcpip/buffer                                from inet.af/netstack/tcpip/adapters/gonet+
        inet.af/netstack/tcpip/hash/jenkins                          from inet.af/netstack/tcpip/stack+
@@ -73,17 +69,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
-   W 💣 inet.af/wf                                                   from tailscale.com/wf
        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
+        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/disco                                          from tailscale.com/derp+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
@@ -108,8 +103,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/packet                                     from tailscale.com/wgengine+
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
-        tailscale.com/net/socks5                                     from tailscale.com/net/socks5/tssocks
-        tailscale.com/net/socks5/tssocks                             from tailscale.com/cmd/tailscaled
+        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn/ipnlocal+
@@ -117,10 +111,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
-        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver+
+        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
+   W 💣 tailscale.com/tempfork/wireguard-windows/firewall            from tailscale.com/cmd/tailscaled
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
@@ -133,14 +128,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
-        tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
-        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+   L    tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -149,19 +143,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
-   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
        tailscale.com/wgengine/monitor                               from tailscale.com/wgengine+
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -170,7 +163,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -178,15 +171,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
-        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/mdlayher/netlink+
-   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
@@ -228,7 +221,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        debug/elf                                                    from rsc.io/goversion/version
        debug/macho                                                  from rsc.io/goversion/version
        debug/pe                                                     from rsc.io/goversion/version
-        embed                                                        from tailscale.com/net/dns+
+   L    embed                                                        from tailscale.com/net/dns
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base64                                              from encoding/json+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -24,18 +24,22 @@ import (
 	"runtime/debug"
 	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 	"time"

 	"github.com/go-multierror/multierror"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/socks5/tssocks"
+	"tailscale.com/net/socks5"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/netmap"
 	"tailscale.com/util/osshare"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -224,11 +228,6 @@ func run() error {
 		if err != nil {
 			log.Fatalf("SOCKS5 listener: %v", err)
 		}
-		if strings.HasSuffix(args.socksAddr, ":0") {
-			// Log kernel-selected port number so integration tests
-			// can find it portably.
-			log.Printf("SOCKS5 listening on %v", socksListener.Addr())
-		}
 	}

 	e, useNetstack, err := createEngine(logf, linkMon)
@@ -244,7 +243,35 @@ func run() error {
 	}

 	if socksListener != nil {
-		srv := tssocks.NewServer(logger.WithPrefix(logf, "socks5: "), e, ns)
+		srv := &socks5.Server{
+			Logf: logger.WithPrefix(logf, "socks5: "),
+		}
+		var (
+			mu  sync.Mutex // guards the following field
+			dns netstack.DNSMap
+		)
+		e.AddNetworkMapCallback(func(nm *netmap.NetworkMap) {
+			mu.Lock()
+			defer mu.Unlock()
+			dns = netstack.DNSMapFromNetworkMap(nm)
+		})
+		useNetstackForIP := func(ip netaddr.IP) bool {
+			// TODO(bradfitz): this isn't exactly right.
+			// We should also support subnets when the
+			// prefs are configured as such.
+			return tsaddr.IsTailscaleIP(ip)
+		}
+		srv.Dialer = func(ctx context.Context, network, addr string) (net.Conn, error) {
+			ipp, err := dns.Resolve(ctx, addr)
+			if err != nil {
+				return nil, err
+			}
+			if ns != nil && useNetstackForIP(ipp.IP) {
+				return ns.DialContextTCP(ctx, addr)
+			}
+			var d net.Dialer
+			return d.DialContext(ctx, network, ipp.String())
+		}
 		go func() {
 			log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
 		}()
--- a/cmd/tailscaled/tailscaled.openrc
+++ b/cmd/tailscaled/tailscaled.openrc
@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-
-source /etc/default/tailscaled
-
-command="/usr/sbin/tailscaled"
-command_args="--state=/var/lib/tailscale/tailscaled.state --port=$PORT --socket=/var/run/tailscale/tailscaled.sock $FLAGS"
-command_background=true
-pidfile="/run/tailscaled.pid"
-start_stop_daemon_args="-1 /var/log/tailscaled.log -2 /var/log/tailscaled.log"
-
-depend() {
-    need net
-}
-
-start_pre() {
-    mkdir -p /var/run/tailscale
-    mkdir -p /var/lib/tailscale
-    $command --cleanup
-}
-
-stop_post() {
-    $command --cleanup
-}
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -2,7 +2,7 @@
 Description=Tailscale node agent
 Documentation=https://tailscale.com/kb/
 Wants=network-pre.target
-After=network-pre.target NetworkManager.service systemd-resolved.service
+After=network-pre.target

 [Service]
 EnvironmentFile=/etc/default/tailscaled
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -19,23 +19,22 @@ package main // import "tailscale.com/cmd/tailscaled"

 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"time"

 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
-	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
+	"tailscale.com/tempfork/wireguard-windows/firewall"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-	"tailscale.com/wf"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
@@ -128,6 +127,16 @@ func beFirewallKillswitch() bool {
 	log.SetFlags(0)
 	log.Printf("killswitch subprocess starting, tailscale GUID is %s", os.Args[2])

+	go func() {
+		b := make([]byte, 16)
+		for {
+			_, err := os.Stdin.Read(b)
+			if err != nil {
+				log.Fatalf("parent process died or requested exit, exiting (%v)", err)
+			}
+		}
+	}()
+
 	guid, err := windows.GUIDFromString(os.Args[2])
 	if err != nil {
 		log.Fatalf("invalid GUID %q: %v", os.Args[2], err)
@@ -135,29 +144,17 @@ func beFirewallKillswitch() bool {

 	luid, err := winipcfg.LUIDFromGUID(&guid)
 	if err != nil {
-		log.Fatalf("no interface with GUID %q: %v", guid, err)
+		log.Fatalf("no interface with GUID %q", guid)
 	}

+	noProtection := false
+	var dnsIPs []net.IP // unused in called code.
 	start := time.Now()
-	fw, err := wf.New(uint64(luid))
-	if err != nil {
-		log.Fatalf("failed to enable firewall: %v", err)
-	}
+	firewall.EnableFirewall(uint64(luid), noProtection, dnsIPs)
 	log.Printf("killswitch enabled, took %s", time.Since(start))

-	// Note(maisem): when local lan access toggled, tailscaled needs to
-	// inform the firewall to let local routes through. The set of routes
-	// is passed in via stdin encoded in json.
-	dcd := json.NewDecoder(os.Stdin)
-	for {
-		var routes []netaddr.IPPrefix
-		if err := dcd.Decode(&routes); err != nil {
-			log.Fatalf("parent process died or requested exit, exiting (%v)", err)
-		}
-		if err := fw.UpdatePermittedRoutes(routes); err != nil {
-			log.Fatalf("failed to update routes (%v)", err)
-		}
-	}
+	// Block until the monitor goroutine shuts us down.
+	select {}
 }

 func startIPNServer(ctx context.Context, logid string) error {
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -576,12 +576,9 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	c.logf("[v1] sendStatus: %s: %v", who, state)

 	var p *persist.Persist
-	var loginFin, logoutFin *empty.Message
+	var fin *empty.Message
 	if state == StateAuthenticated {
-		loginFin = new(empty.Message)
-	}
-	if state == StateNotAuthenticated {
-		logoutFin = new(empty.Message)
+		fin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -592,13 +589,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	new := Status{
-		LoginFinished:  loginFin,
-		LogoutFinished: logoutFin,
-		URL:            url,
-		Persist:        p,
-		NetMap:         nm,
-		Hostinfo:       hi,
-		State:          state,
+		LoginFinished: fin,
+		URL:           url,
+		Persist:       p,
+		NetMap:        nm,
+		Hostinfo:      hi,
+		State:         state,
 	}
 	if err != nil {
 		new.Err = err.Error()
@@ -716,9 +712,3 @@ func (c *Auto) TestOnlySetAuthKey(authkey string) {
 func (c *Auto) TestOnlyTimeNow() time.Time {
 	return c.timeNow()
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	return c.direct.SetDNS(ctx, req)
-}
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -74,7 +74,4 @@ type Client interface {
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
 	UpdateEndpoints(localPort uint16, endpoints []tailcfg.Endpoint)
-	// SetDNS sends the SetDNSRequest request to the control plane server,
-	// requesting a DNS record be created or updated.
-	SetDNS(context.Context, *tailcfg.SetDNSRequest) error
 }
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {

 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -32,7 +32,6 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/health"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -67,7 +66,6 @@ type Direct struct {
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
-	pinger                 Pinger

 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -80,7 +78,6 @@ type Direct struct {
 	endpoints     []tailcfg.Endpoint
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
-	lastPingURL   string // last PingRequest.URL received, for dup suppresion
 }

 type Options struct {
@@ -106,18 +103,6 @@ type Options struct {
 	// forwarding works and should not be double-checked by the
 	// controlclient package.
 	SkipIPForwardingCheck bool
-
-	// Pinger optionally specifies the Pinger to use to satisfy
-	// MapResponse.PingRequest queries from the control plane.
-	// If nil, PingRequest queries are not answered.
-	Pinger Pinger
-}
-
-// Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
-type Pinger interface {
-	// Ping is a request to start a discovery or TSMP ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
 }

 type Decompressor interface {
@@ -180,7 +165,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
-		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -354,7 +338,6 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key %s from %s", serverKey.HexString(), c.serverURL)

 		c.mu.Lock()
 		c.serverKey = serverKey
@@ -477,10 +460,10 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			request.NodeKey.ShortString())
 		return true, "", nil
 	}
-	if resp.Login.Provider != "" {
+	if persist.Provider == "" {
 		persist.Provider = resp.Login.Provider
 	}
-	if resp.Login.LoginName != "" {
+	if persist.LoginName == "" {
 		persist.LoginName = resp.Login.LoginName
 	}

@@ -777,25 +760,8 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			health.GotStreamedMapResponse()
 		}

-		fmt.Println("Before Ping", resp.PingRequest, c.isUniquePingRequest(resp.PingRequest))
-		fmt.Println("Peers :", resp.Peers, resp.PeersChanged, resp.PeersRemoved)
-		netmap := sess.netmapForResponse(&resp)
-		fmt.Println("Early Netmap : ", netmap.Peers)
-		if len(resp.PeersChanged) > 0 {
-			fmt.Printf("PEER INFO: %+v\n", resp.PeersChanged[0])
-		}
-		// if pr := resp.PingRequest; pr != nil && c.isUniquePingRequest(pr) {
-		// 	fmt.Println("Inside Ping")
-		// 	go answerPing(c.logf, c.httpc, pr)
-		// }
 		if pr := resp.PingRequest; pr != nil {
-			fmt.Println("Inside Ping")
 			go answerPing(c.logf, c.httpc, pr)
-			if len(netmap.Peers) > 0 {
-				fmt.Println("Start Custom Ping")
-				ip := netmap.Peers[0].Addresses[0].IP()
-				go c.CustomPing(&resp, ip)
-			}
 		}

 		if resp.KeepAlive {
@@ -836,12 +802,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			return errors.New("MapResponse lacked node")
 		}

-		fmt.Println("NETMAP PEERS : ", nm.Peers)
-		if len(nm.Peers) > 0 {
-			fmt.Printf("NETMAP PEER: %+v\n", nm.Peers[0].Addresses)
-		}
-		fmt.Println("NETMAP SELF : ", nm.SelfNode.Addresses)
-
 		// Temporarily (2020-06-29) support removing all but
 		// discovery-supporting nodes during development, for
 		// less noise.
@@ -1131,7 +1091,7 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 	localIPs := map[netaddr.IP]bool{}
 	for _, addrs := range state.InterfaceIPs {
 		for _, pfx := range addrs {
-			localIPs[pfx.IP()] = true
+			localIPs[pfx.IP] = true
 		}
 	}

@@ -1140,10 +1100,10 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 		// It's possible to advertise a route to one of the local
 		// machine's local IPs. IP forwarding isn't required for this
 		// to work, so we shouldn't warn for such exports.
-		if r.IsSingleIP() && localIPs[r.IP()] {
+		if r.IsSingleIP() && localIPs[r.IP] {
 			continue
 		}
-		if r.IP().Is4() {
+		if r.IP.Is4() {
 			v4Routes = true
 		} else {
 			v6Routes = true
@@ -1195,25 +1155,7 @@ func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool
 	return false
 }

-// isUniquePingRequest reports whether pr contains a new PingRequest.URL
-// not already handled, noting its value when returning true.
-func (c *Direct) isUniquePingRequest(pr *tailcfg.PingRequest) bool {
-	if pr == nil || pr.URL == "" {
-		// Bogus.
-		return false
-	}
-
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if pr.URL == c.lastPingURL {
-		return false
-	}
-	c.lastPingURL = pr.URL
-	return true
-}
-
 func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
-	fmt.Println("Running Ping")
 	if pr.URL == "" {
 		logf("invalid PingRequest with no URL")
 		return
@@ -1237,7 +1179,6 @@ func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	} else if pr.Log {
 		logf("answerPing complete to %v (after %v)", pr.URL, d)
 	}
-	fmt.Println("Ping Done")
 }

 func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<- struct{}, d time.Duration) error {
@@ -1270,63 +1211,3 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		}
 	}
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	c.mu.Lock()
-	serverKey := c.serverKey
-	c.mu.Unlock()
-
-	if serverKey.IsZero() {
-		return errors.New("zero serverKey")
-	}
-	machinePrivKey, err := c.getMachinePrivKey()
-	if err != nil {
-		return fmt.Errorf("getMachinePrivKey: %w", err)
-	}
-	if machinePrivKey.IsZero() {
-		return errors.New("getMachinePrivKey returned zero key")
-	}
-
-	bodyData, err := encode(req, &serverKey, &machinePrivKey)
-	if err != nil {
-		return err
-	}
-	body := bytes.NewReader(bodyData)
-
-	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().HexString())
-	hreq, err := http.NewRequestWithContext(ctx, "POST", u, body)
-	if err != nil {
-		return err
-	}
-	res, err := c.httpc.Do(hreq)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		msg, _ := ioutil.ReadAll(res.Body)
-		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
-	}
-	var setDNSRes struct{} // no fields yet
-	if err := decode(res, &setDNSRes, &serverKey, &machinePrivKey); err != nil {
-		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return fmt.Errorf("set-dns-response: %v", err)
-	}
-
-	return nil
-}
-
-// Run the ping suite from this client to another one
-// Send the ping results via http to the adminhttp handlers.
-// This is where we hopefully will run the ping suite similar to CLI
-func (c *Direct) CustomPing(mr *tailcfg.MapResponse, ip netaddr.IP) bool {
-	start := time.Now()
-	c.pinger.Ping(ip, true, func(res *ipnstate.PingResult) {
-		fmt.Printf("Callback Nodename : %v, NODEIP : %v, duration : %v\n", res.NodeName, res.NodeIP, res.LatencySeconds)
-		duration := time.Since(start)
-		fmt.Printf("Ping operation took %f seconds\n", duration.Seconds())
-	})
-	return true
-}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -86,7 +86,7 @@ func TestNewDirect(t *testing.T) {
 func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	for _, port := range ports {
 		ret = append(ret, tailcfg.Endpoint{
-			Addr: netaddr.IPPortFrom(netaddr.IP{}, port),
+			Addr: netaddr.IPPort{Port: port},
 		})
 	}
 	return
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -9,11 +9,13 @@ package controlclient
 import (
 	"bytes"
 	"fmt"
+	"io"
 	"io/ioutil"
+	"os"
 	"strings"
 	"syscall"

-	"tailscale.com/hostinfo"
+	"go4.org/mem"
 	"tailscale.com/util/lineread"
 	"tailscale.com/version/distro"
 )
@@ -54,11 +56,11 @@ func osVersionLinux() string {
 		}
 		attrBuf.WriteByte(byte(b))
 	}
-	if hostinfo.InContainer() {
+	if inContainer() {
 		attrBuf.WriteString("; container")
 	}
-	if env := hostinfo.GetEnvType(); env != "" {
-		fmt.Fprintf(&attrBuf, "; env=%s", env)
+	if inKnative() {
+		attrBuf.WriteString("; env=kn")
 	}
 	attr := attrBuf.String()

@@ -91,3 +93,31 @@ func osVersionLinux() string {
 	}
 	return fmt.Sprintf("Other%s", attr)
 }
+
+func inContainer() (ret bool) {
+	lineread.File("/proc/1/cgroup", func(line []byte) error {
+		if mem.Contains(mem.B(line), mem.S("/docker/")) ||
+			mem.Contains(mem.B(line), mem.S("/lxc/")) {
+			ret = true
+			return io.EOF // arbitrary non-nil error to stop loop
+		}
+		return nil
+	})
+	lineread.File("/proc/mounts", func(line []byte) error {
+		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
+			ret = true
+			return io.EOF
+		}
+		return nil
+	})
+	return
+}
+
+func inKnative() bool {
+	// https://cloud.google.com/run/docs/reference/container-contract#env-vars
+	if os.Getenv("K_REVISION") != "" && os.Getenv("K_CONFIGURATION") != "" &&
+		os.Getenv("K_SERVICE") != "" && os.Getenv("PORT") != "" {
+		return true
+	}
+	return false
+}
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -6,11 +6,8 @@ package controlclient

 import (
 	"log"
-	"os"
 	"sort"
-	"strconv"

-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
@@ -127,7 +124,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		nm.SelfNode = node
 		nm.Expiry = node.KeyExpiry
 		nm.Name = node.Name
-		nm.Addresses = filterSelfAddresses(node.Addresses)
+		nm.Addresses = node.Addresses
 		nm.User = node.User
 		nm.Hostinfo = node.Hostinfo
 		if node.MachineAuthorized {
@@ -283,19 +280,3 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	}
 	return v2
 }
-
-var debugSelfIPv6Only, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_SELF_V6_ONLY"))
-
-func filterSelfAddresses(in []netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
-	switch {
-	default:
-		return in
-	case debugSelfIPv6Only:
-		for _, a := range in {
-			if a.IP().Is6() {
-				ret = append(ret, a)
-			}
-		}
-		return ret
-	}
-}
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"sync"

-	"github.com/tailscale/certstore"
+	"github.com/github/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"
--- a/control/controlclient/status.go
+++ b/control/controlclient/status.go
@@ -64,12 +64,11 @@ func (s State) String() string {
 }

 type Status struct {
-	_              structs.Incomparable
-	LoginFinished  *empty.Message // nonempty when login finishes
-	LogoutFinished *empty.Message // nonempty when logout finishes
-	Err            string
-	URL            string             // interactive URL to visit to finish logging in
-	NetMap         *netmap.NetworkMap // server-pushed configuration
+	_             structs.Incomparable
+	LoginFinished *empty.Message // nonempty when login finishes
+	Err           string
+	URL           string             // interactive URL to visit to finish logging in
+	NetMap        *netmap.NetworkMap // server-pushed configuration

 	// The internal state should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
@@ -87,7 +86,6 @@ func (s *Status) Equal(s2 *Status) bool {
 	}
 	return s != nil && s2 != nil &&
 		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
-		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -20,24 +20,18 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
-	"math"
 	"math/big"
 	"math/rand"
-	"net/http"
 	"os"
-	"os/exec"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/sync/errgroup"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
 	"tailscale.com/metrics"
 	"tailscale.com/types/key"
@@ -126,11 +120,6 @@ type Server struct {
 	multiForwarderCreated    expvar.Int
 	multiForwarderDeleted    expvar.Int
 	removePktForwardOther    expvar.Int
-	avgQueueDuration         *uint64 // In milliseconds; accessed atomically
-
-	// verifyClients only accepts client connections to the DERP server if the clientKey is a
-	// known peer in the network, as specified by a running tailscaled's client's local api.
-	verifyClients bool

 	mu          sync.Mutex
 	closed      bool
@@ -149,9 +138,6 @@ type Server struct {
 	// because it includes intra-region forwarded packets as the
 	// src.
 	sentTo map[key.Public]map[key.Public]int64 // src => dst => dst's latest sclient.connNum
-
-	// maps from netaddr.IPPort to a client's public key
-	keyOfAddr map[netaddr.IPPort]key.Public
 }

 // PacketForwarder is something that can forward packets.
@@ -196,8 +182,6 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		memSys0:              ms.Sys,
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
-		avgQueueDuration:     new(uint64),
-		keyOfAddr:            map[netaddr.IPPort]key.Public{},
 	}
 	s.initMetacert()
 	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
@@ -219,13 +203,6 @@ func (s *Server) SetMeshKey(v string) {
 	s.meshKey = v
 }

-// SetVerifyClients sets whether this DERP server verifies clients through tailscaled.
-//
-// It must be called before serving begins.
-func (s *Server) SetVerifyClient(v bool) {
-	s.verifyClients = v
-}
-
 // HasMeshKey reports whether the server is configured with a mesh key.
 func (s *Server) HasMeshKey() bool { return s.meshKey != "" }

@@ -362,7 +339,6 @@ func (s *Server) registerClient(c *sclient) {
 	if _, ok := s.clientsMesh[c.key]; !ok {
 		s.clientsMesh[c.key] = nil // just for varz of total users in cluster
 	}
-	s.keyOfAddr[c.remoteIPPort] = c.key
 	s.curClients.Add(1)
 	s.broadcastPeerStateChangeLocked(c.key, true)
 }
@@ -397,8 +373,6 @@ func (s *Server) unregisterClient(c *sclient) {
 		delete(s.watchers, c)
 	}

-	delete(s.keyOfAddr, c.remoteIPPort)
-
 	s.curClients.Add(-1)
 	if c.preferred {
 		s.curHomeClients.Add(-1)
@@ -472,23 +446,20 @@ func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connN
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

-	remoteIPPort, _ := netaddr.ParseIPPort(remoteAddr)
-
 	c := &sclient{
-		connNum:      connNum,
-		s:            s,
-		key:          clientKey,
-		nc:           nc,
-		br:           br,
-		bw:           bw,
-		logf:         logger.WithPrefix(s.logf, fmt.Sprintf("derp client %v/%x: ", remoteAddr, clientKey)),
-		done:         ctx.Done(),
-		remoteAddr:   remoteAddr,
-		remoteIPPort: remoteIPPort,
-		connectedAt:  time.Now(),
-		sendQueue:    make(chan pkt, perClientSendQueueDepth),
-		peerGone:     make(chan key.Public),
-		canMesh:      clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
+		connNum:     connNum,
+		s:           s,
+		key:         clientKey,
+		nc:          nc,
+		br:          br,
+		bw:          bw,
+		logf:        logger.WithPrefix(s.logf, fmt.Sprintf("derp client %v/%x: ", remoteAddr, clientKey)),
+		done:        ctx.Done(),
+		remoteAddr:  remoteAddr,
+		connectedAt: time.Now(),
+		sendQueue:   make(chan pkt, perClientSendQueueDepth),
+		peerGone:    make(chan key.Public),
+		canMesh:     clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
 	}
 	if c.canMesh {
 		c.meshUpdate = make(chan struct{})
@@ -640,9 +611,8 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 	}

 	return c.sendPkt(dst, pkt{
-		bs:         contents,
-		enqueuedAt: time.Now(),
-		src:        srcKey,
+		bs:  contents,
+		src: srcKey,
 	})
 }

@@ -695,9 +665,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}

 	p := pkt{
-		bs:         contents,
-		enqueuedAt: time.Now(),
-		src:        c.key,
+		bs:  contents,
+		src: c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -727,7 +696,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		}

 		select {
-		case pkt := <-dst.sendQueue:
+		case <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
 			if verboseDropKeys[dstKey] {
@@ -736,7 +705,6 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
 				c.s.limitedLogf(msg)
 			}
-			c.recordQueueTime(pkt.enqueuedAt)
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -782,17 +750,8 @@ func (c *sclient) requestMeshUpdate() {
 }

 func (s *Server) verifyClient(clientKey key.Public, info *clientInfo) error {
-	if !s.verifyClients {
-		return nil
-	}
-	status, err := tailscale.Status(context.TODO())
-	if err != nil {
-		return fmt.Errorf("failed to query local tailscaled status: %w", err)
-	}
-	if _, exists := status.Peer[clientKey]; !exists {
-		return fmt.Errorf("client %v not in set of peers", clientKey)
-	}
-	// TODO(bradfitz): add policy for configurable bandwidth rate per client?
+	// TODO(crawshaw): implement policy constraints on who can use the DERP server
+	// TODO(bradfitz): ... and at what rate.
 	return nil
 }

@@ -926,19 +885,18 @@ func (s *Server) recvForwardPacket(br *bufio.Reader, frameLen uint32) (srcKey, d
 // (The "s" prefix is to more explicitly distinguish it from Client in derp_client.go)
 type sclient struct {
 	// Static after construction.
-	connNum      int64 // process-wide unique counter, incremented each Accept
-	s            *Server
-	nc           Conn
-	key          key.Public
-	info         clientInfo
-	logf         logger.Logf
-	done         <-chan struct{} // closed when connection closes
-	remoteAddr   string          // usually ip:port from net.Conn.RemoteAddr().String()
-	remoteIPPort netaddr.IPPort  // zero if remoteAddr is not ip:port.
-	sendQueue    chan pkt        // packets queued to this client; never closed
-	peerGone     chan key.Public // write request that a previous sender has disconnected (not used by mesh peers)
-	meshUpdate   chan struct{}   // write request to write peerStateChange
-	canMesh      bool            // clientInfo had correct mesh token for inter-region routing
+	connNum    int64 // process-wide unique counter, incremented each Accept
+	s          *Server
+	nc         Conn
+	key        key.Public
+	info       clientInfo
+	logf       logger.Logf
+	done       <-chan struct{} // closed when connection closes
+	remoteAddr string          // usually ip:port from net.Conn.RemoteAddr().String()
+	sendQueue  chan pkt        // packets queued to this client; never closed
+	peerGone   chan key.Public // write request that a previous sender has disconnected (not used by mesh peers)
+	meshUpdate chan struct{}   // write request to write peerStateChange
+	canMesh    bool            // clientInfo had correct mesh token for inter-region routing

 	// Owned by run, not thread-safe.
 	br          *bufio.Reader
@@ -969,13 +927,11 @@ type pkt struct {
 	// src is the who's the sender of the packet.
 	src key.Public

-	// enqueuedAt is when a packet was put onto a queue before it was sent,
-	// and is used for reporting metrics on the duration of packets in the queue.
-	enqueuedAt time.Time
-
 	// bs is the data packet bytes.
 	// The memory is owned by pkt.
 	bs []byte
+
+	// TODO(danderson): enqueue time, to measure queue latency?
 }

 func (c *sclient) setPreferred(v bool) {
@@ -1003,25 +959,6 @@ func (c *sclient) setPreferred(v bool) {
 	}
 }

-// expMovingAverage returns the new moving average given the previous average,
-// a new value, and an alpha decay factor.
-// https://en.wikipedia.org/wiki/Moving_average#Exponential_moving_average
-func expMovingAverage(prev, newValue, alpha float64) float64 {
-	return alpha*newValue + (1-alpha)*prev
-}
-
-// recordQueueTime updates the average queue duration metric after a packet has been sent.
-func (c *sclient) recordQueueTime(enqueuedAt time.Time) {
-	elapsed := float64(time.Since(enqueuedAt).Milliseconds())
-	for {
-		old := atomic.LoadUint64(c.s.avgQueueDuration)
-		newAvg := expMovingAverage(math.Float64frombits(old), elapsed, 0.1)
-		if atomic.CompareAndSwapUint64(c.s.avgQueueDuration, old, math.Float64bits(newAvg)) {
-			break
-		}
-	}
-}
-
 func (c *sclient) sendLoop(ctx context.Context) error {
 	defer func() {
 		// If the sender shuts down unilaterally due to an error, close so
@@ -1065,7 +1002,6 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
-			c.recordQueueTime(msg.enqueuedAt)
 			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
@@ -1089,7 +1025,6 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
-			c.recordQueueTime(msg.enqueuedAt)
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
@@ -1355,9 +1290,6 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
-	m.Set("average_queue_duration_ms", expvar.Func(func() interface{} {
-		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
-	}))
 	var expvarVersion expvar.String
 	expvarVersion.Set(version.Long)
 	m.Set("version", &expvarVersion)
@@ -1433,84 +1365,3 @@ func writePublicKey(bw *bufio.Writer, key *key.Public) error {
 	}
 	return nil
 }
-
-const minTimeBetweenLogs = 2 * time.Second
-
-// BytesSentRecv records the number of bytes that have been sent since the last traffic check
-// for a given process, as well as the public key of the process sending those bytes.
-type BytesSentRecv struct {
-	Sent uint64
-	Recv uint64
-	// Key is the public key of the client which sent/received these bytes.
-	Key key.Public
-}
-
-// parseSSOutput parses the output from the specific call to ss in ServeDebugTraffic.
-// Separated out for ease of testing.
-func parseSSOutput(raw string) map[netaddr.IPPort]BytesSentRecv {
-	newState := map[netaddr.IPPort]BytesSentRecv{}
-	// parse every 2 lines and get src and dst ips, and kv pairs
-	lines := strings.Split(raw, "\n")
-	for i := 0; i < len(lines); i += 2 {
-		ipInfo := strings.Fields(strings.TrimSpace(lines[i]))
-		if len(ipInfo) < 5 {
-			continue
-		}
-		src, err := netaddr.ParseIPPort(ipInfo[4])
-		if err != nil {
-			continue
-		}
-		stats := strings.Fields(strings.TrimSpace(lines[i+1]))
-		stat := BytesSentRecv{}
-		for _, s := range stats {
-			if strings.Contains(s, "bytes_sent") {
-				sent, err := strconv.Atoi(s[strings.Index(s, ":")+1:])
-				if err == nil {
-					stat.Sent = uint64(sent)
-				}
-			} else if strings.Contains(s, "bytes_received") {
-				recv, err := strconv.Atoi(s[strings.Index(s, ":")+1:])
-				if err == nil {
-					stat.Recv = uint64(recv)
-				}
-			}
-		}
-		newState[src] = stat
-	}
-	return newState
-}
-
-func (s *Server) ServeDebugTraffic(w http.ResponseWriter, r *http.Request) {
-	prevState := map[netaddr.IPPort]BytesSentRecv{}
-	enc := json.NewEncoder(w)
-	for r.Context().Err() == nil {
-		output, err := exec.Command("ss", "-i", "-H", "-t").Output()
-		if err != nil {
-			fmt.Fprintf(w, "ss failed: %v", err)
-			return
-		}
-		newState := parseSSOutput(string(output))
-		s.mu.Lock()
-		for k, next := range newState {
-			prev := prevState[k]
-			if prev.Sent < next.Sent || prev.Recv < next.Recv {
-				if pkey, ok := s.keyOfAddr[k]; ok {
-					next.Key = pkey
-					if err := enc.Encode(next); err != nil {
-						s.mu.Unlock()
-						return
-					}
-				}
-			}
-		}
-		s.mu.Unlock()
-		prevState = newState
-		if _, err := fmt.Fprintln(w); err != nil {
-			return
-		}
-		if f, ok := w.(http.Flusher); ok {
-			f.Flush()
-		}
-		time.Sleep(minTimeBetweenLogs)
-	}
-}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -948,14 +948,3 @@ func waitConnect(t testing.TB, c *Client) {
 		t.Fatalf("client first Recv was unexpected type %T", v)
 	}
 }
-
-func TestParseSSOutput(t *testing.T) {
-	contents, err := ioutil.ReadFile("testdata/example_ss.txt")
-	if err != nil {
-		t.Errorf("ioutil.Readfile(example_ss.txt) failed: %v", err)
-	}
-	seen := parseSSOutput(string(contents))
-	if len(seen) == 0 {
-		t.Errorf("parseSSOutput expected non-empty map")
-	}
-}
--- a/derp/derpmap/derpmap.go
+++ b/derp/derpmap/derpmap.go
@@ -0,0 +1,91 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package derpmap contains information about Tailscale.com's production DERP nodes.
+//
+// This package is only used by the "tailscale netcheck" command for debugging.
+// In normal operation the Tailscale nodes get this sent to them from the control
+// server.
+//
+// TODO: remove this package and make "tailscale netcheck" get the
+// list from the control server too.
+package derpmap
+
+import (
+	"fmt"
+	"strings"
+
+	"tailscale.com/tailcfg"
+)
+
+func derpNode(suffix, v4, v6 string) *tailcfg.DERPNode {
+	return &tailcfg.DERPNode{
+		Name:     suffix, // updated later
+		RegionID: 0,      // updated later
+		IPv4:     v4,
+		IPv6:     v6,
+	}
+}
+
+func derpRegion(id int, code, name string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
+	region := &tailcfg.DERPRegion{
+		RegionID:   id,
+		RegionName: name,
+		RegionCode: code,
+		Nodes:      nodes,
+	}
+	for _, n := range nodes {
+		n.Name = fmt.Sprintf("%d%s", id, n.Name)
+		n.RegionID = id
+		n.HostName = fmt.Sprintf("derp%s.tailscale.com", strings.TrimSuffix(n.Name, "a"))
+	}
+	return region
+}
+
+// Prod returns Tailscale's map of relay servers.
+//
+// This list is only used by cmd/tailscale's netcheck subcommand. In
+// normal operation the Tailscale nodes get this sent to them from the
+// control server.
+//
+// This list is subject to change and should not be relied on.
+func Prod() *tailcfg.DERPMap {
+	return &tailcfg.DERPMap{
+		Regions: map[int]*tailcfg.DERPRegion{
+			1: derpRegion(1, "nyc", "New York City",
+				derpNode("a", "159.89.225.99", "2604:a880:400:d1::828:b001"),
+			),
+			2: derpRegion(2, "sfo", "San Francisco",
+				derpNode("a", "167.172.206.31", "2604:a880:2:d1::c5:7001"),
+			),
+			3: derpRegion(3, "sin", "Singapore",
+				derpNode("a", "68.183.179.66", "2400:6180:0:d1::67d:8001"),
+			),
+			4: derpRegion(4, "fra", "Frankfurt",
+				derpNode("a", "167.172.182.26", "2a03:b0c0:3:e0::36e:9001"),
+			),
+			5: derpRegion(5, "syd", "Sydney",
+				derpNode("a", "103.43.75.49", "2001:19f0:5801:10b7:5400:2ff:feaa:284c"),
+			),
+			6: derpRegion(6, "blr", "Bangalore",
+				derpNode("a", "68.183.90.120", "2400:6180:100:d0::982:d001"),
+			),
+			7: derpRegion(7, "tok", "Tokyo",
+				derpNode("a", "167.179.89.145", "2401:c080:1000:467f:5400:2ff:feee:22aa"),
+			),
+			8: derpRegion(8, "lhr", "London",
+				derpNode("a", "167.71.139.179", "2a03:b0c0:1:e0::3cc:e001"),
+			),
+			9: derpRegion(9, "dfw", "Dallas",
+				derpNode("a", "207.148.3.137", "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"),
+			),
+			10: derpRegion(10, "sea", "Seattle",
+				derpNode("a", "137.220.36.168", "2001:19f0:8001:2d9:5400:2ff:feef:bbb1"),
+			),
+			11: derpRegion(11, "sao", "São Paulo",
+				derpNode("a", "18.230.97.74", "2600:1f1e:ee4:5611:ec5c:1736:d43b:a454"),
+			),
+		},
+	}
+}
--- a/derp/testdata/example_ss.txt
+++ b/derp/testdata/example_ss.txt
@@ -1,8 +0,0 @@
-ESTAB 0      0       10.255.1.11:35238  34.210.105.16:https
-         cubic wscale:7,7 rto:236 rtt:34.14/3.432 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:8 ssthresh:6 bytes_sent:38056577 bytes_retrans:2918 bytes_acked:38053660 bytes_received:6973211 segs_out:165090 segs_in:124227 data_segs_out:78018 data_segs_in:71645 send 2.71Mbps lastsnd:1156 lastrcv:1120 lastack:1120 pacing_rate 3.26Mbps delivery_rate 2.35Mbps delivered:78017 app_limited busy:2586132ms retrans:0/6 dsack_dups:4 reordering:5 reord_seen:15 rcv_rtt:126355 rcv_space:65780 rcv_ssthresh:541928 minrtt:26.632
-ESTAB 0      80     100.79.58.14:ssh    100.95.73.104:58145
-         cubic wscale:6,7 rto:224 rtt:23.051/2.03 ato:172 mss:1228 pmtu:1280 rcvmss:1228 advmss:1228 cwnd:10 ssthresh:94 bytes_sent:1591815 bytes_retrans:944 bytes_acked:1590791 bytes_received:158925 segs_out:8070 segs_in:8858 data_segs_out:7452 data_segs_in:3789 send 4.26Mbps lastsnd:4 lastrcv:4 lastack:4 pacing_rate 8.52Mbps delivery_rate 10.9Mbps delivered:7451 app_limited busy:61656ms unacked:2 retrans:0/10 dsack_dups:10 rcv_rtt:174712 rcv_space:65025 rcv_ssthresh:64296 minrtt:16.186                                   
-ESTAB 0      374     10.255.1.11:43254 167.172.206.31:https
-         cubic wscale:7,7 rto:224 rtt:22.55/1.941 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:6 ssthresh:4 bytes_sent:14594668 bytes_retrans:173314 bytes_acked:14420981 bytes_received:4207111 segs_out:80566 segs_in:70310 data_segs_out:24317 data_segs_in:20365 send 3.08Mbps lastsnd:4 lastrcv:4 lastack:4 pacing_rate 3.7Mbps delivery_rate 3.05Mbps delivered:24111 app_limited busy:184820ms unacked:2 retrans:0/185 dsack_dups:1 reord_seen:3 rcv_rtt:651.262 rcv_space:226657 rcv_ssthresh:1557136 minrtt:10.18           
-ESTAB 0      0       10.255.1.11:33036    3.121.18.47:https
-         cubic wscale:7,7 rto:372 rtt:168.408/2.044 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:10 bytes_sent:27500 bytes_acked:27501 bytes_received:1386524 segs_out:10990 segs_in:11037 data_segs_out:303 data_segs_in:3414 send 688kbps lastsnd:125776 lastrcv:9640 lastack:22760 pacing_rate 1.38Mbps delivery_rate 482kbps delivered:304 app_limited busy:43024ms rcv_rtt:3345.12 rcv_space:62431 rcv_ssthresh:760472 minrtt:168.867
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -147,9 +147,9 @@ const epLength = 16 + 2 // 16 byte IP address + 2 byte port
 func (m *CallMeMaybe) AppendMarshal(b []byte) []byte {
 	ret, p := appendMsgHeader(b, TypeCallMeMaybe, v0, epLength*len(m.MyNumber))
 	for _, ipp := range m.MyNumber {
-		a := ipp.IP().As16()
+		a := ipp.IP.As16()
 		copy(p[:], a[:])
-		binary.BigEndian.PutUint16(p[16:], ipp.Port())
+		binary.BigEndian.PutUint16(p[16:], ipp.Port)
 		p = p[epLength:]
 	}
 	return ret
@@ -164,9 +164,10 @@ func parseCallMeMaybe(ver uint8, p []byte) (m *CallMeMaybe, err error) {
 	for len(p) > 0 {
 		var a [16]byte
 		copy(a[:], p)
-		m.MyNumber = append(m.MyNumber, netaddr.IPPortFrom(
-			netaddr.IPFrom16(a),
-			binary.BigEndian.Uint16(p[16:18])))
+		m.MyNumber = append(m.MyNumber, netaddr.IPPort{
+			IP:   netaddr.IPFrom16(a),
+			Port: binary.BigEndian.Uint16(p[16:18]),
+		})
 		p = p[epLength:]
 	}
 	return m, nil
@@ -186,9 +187,9 @@ const pongLen = 12 + 16 + 2
 func (m *Pong) AppendMarshal(b []byte) []byte {
 	ret, d := appendMsgHeader(b, TypePong, v0, pongLen)
 	d = d[copy(d, m.TxID[:]):]
-	ip16 := m.Src.IP().As16()
+	ip16 := m.Src.IP.As16()
 	d = d[copy(d, ip16[:]):]
-	binary.BigEndian.PutUint16(d, m.Src.Port())
+	binary.BigEndian.PutUint16(d, m.Src.Port)
 	return ret
 }

@@ -200,10 +201,10 @@ func parsePong(ver uint8, p []byte) (m *Pong, err error) {
 	copy(m.TxID[:], p)
 	p = p[12:]

-	srcIP, _ := netaddr.FromStdIP(net.IP(p[:16]))
+	m.Src.IP, _ = netaddr.FromStdIP(net.IP(p[:16]))
 	p = p[16:]
-	port := binary.BigEndian.Uint16(p)
-	m.Src = netaddr.IPPortFrom(srcIP, port)
+
+	m.Src.Port = binary.BigEndian.Uint16(p)
 	return m, nil
 }

--- a/go.mod
+++ b/go.mod
@@ -3,47 +3,47 @@ module tailscale.com
 go 1.16

 require (
-	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/aws/aws-sdk-go v1.38.52
-	github.com/coreos/go-iptables v0.6.0
-	github.com/frankban/quicktest v1.13.0
-	github.com/gliderlabs/ssh v0.3.2
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
+	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
+	github.com/coreos/go-iptables v0.4.5
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/frankban/quicktest v1.12.1
+	github.com/github/certstore v0.1.0
+	github.com/gliderlabs/ssh v0.2.2
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.4
-	github.com/google/go-cmp v0.5.6
-	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
-	github.com/google/uuid v1.1.2
-	github.com/goreleaser/nfpm v1.10.3
-	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
+	github.com/go-ole/go-ole v1.2.4
+	github.com/godbus/dbus/v5 v5.0.3
+	github.com/google/go-cmp v0.5.5
+	github.com/goreleaser/nfpm v1.1.10
+	github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.12.2
+	github.com/klauspost/compress v1.10.10
 	github.com/kr/pty v1.1.8
-	github.com/mdlayher/netlink v1.4.1
-	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.42
-	github.com/pborman/getopt v1.1.0
+	github.com/mdlayher/netlink v1.3.2
+	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
+	github.com/miekg/dns v1.1.30
+	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/pkg/sftp v1.13.0
-	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
+	github.com/tailscale/wireguard-go v0.0.0-20210429195722-6cd106ab1339
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210525063256-abc453219eb5
+	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
+	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
-	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
-	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
-	golang.org/x/tools v0.1.2
-	golang.zx2c4.com/wireguard v0.0.0-20210525143454-64cb82f2b3f5
-	golang.zx2c4.com/wireguard/windows v0.3.15-0.20210525143335-94c0476d63e3
-	honnef.co/go/tools v0.1.4
-	inet.af/netaddr v0.0.0-20210602152128-50f8686885e3
-	inet.af/netstack v0.0.0-20210622165351-29b14ebc044e
-	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
-	inet.af/wf v0.0.0-20210516214145-a5343001b756
+	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57
+	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
+	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
+	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
+	gopkg.in/yaml.v2 v2.2.8 // indirect
+	honnef.co/go/tools v0.1.0
+	inet.af/netaddr v0.0.0-20210222205655-a1ec2b7b8c44
+	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
+	inet.af/peercred v0.0.0-20210302202138-56e694897155
 	rsc.io/goversion v1.2.0
 )
+
+replace github.com/github/certstore => github.com/cyolosecurity/certstore v0.0.0-20200922073901-ece7f1d353c2
--- a/go.sum
+++ b/go.sum
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -1,117 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package hostinfo answers questions about the host environment that Tailscale is
-// running on.
-//
-// TODO(bradfitz): move more of control/controlclient/hostinfo_* into this package.
-package hostinfo
-
-import (
-	"io"
-	"os"
-	"runtime"
-	"sync/atomic"
-
-	"go4.org/mem"
-	"tailscale.com/util/lineread"
-)
-
-// EnvType represents a known environment type.
-// The empty string, the default, means unknown.
-type EnvType string
-
-const (
-	KNative         = EnvType("kn")
-	AWSLambda       = EnvType("lm")
-	Heroku          = EnvType("hr")
-	AzureAppService = EnvType("az")
-)
-
-var envType atomic.Value // of EnvType
-
-func GetEnvType() EnvType {
-	if e, ok := envType.Load().(EnvType); ok {
-		return e
-	}
-	e := getEnvType()
-	envType.Store(e)
-	return e
-}
-
-func getEnvType() EnvType {
-	if inKnative() {
-		return KNative
-	}
-	if inAWSLambda() {
-		return AWSLambda
-	}
-	if inHerokuDyno() {
-		return Heroku
-	}
-	if inAzureAppService() {
-		return AzureAppService
-	}
-	return ""
-}
-
-// InContainer reports whether we're running in a container.
-func InContainer() bool {
-	if runtime.GOOS != "linux" {
-		return false
-	}
-	var ret bool
-	lineread.File("/proc/1/cgroup", func(line []byte) error {
-		if mem.Contains(mem.B(line), mem.S("/docker/")) ||
-			mem.Contains(mem.B(line), mem.S("/lxc/")) {
-			ret = true
-			return io.EOF // arbitrary non-nil error to stop loop
-		}
-		return nil
-	})
-	lineread.File("/proc/mounts", func(line []byte) error {
-		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
-			ret = true
-			return io.EOF
-		}
-		return nil
-	})
-	return ret
-}
-
-func inKnative() bool {
-	// https://cloud.google.com/run/docs/reference/container-contract#env-vars
-	if os.Getenv("K_REVISION") != "" && os.Getenv("K_CONFIGURATION") != "" &&
-		os.Getenv("K_SERVICE") != "" && os.Getenv("PORT") != "" {
-		return true
-	}
-	return false
-}
-
-func inAWSLambda() bool {
-	// https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
-	if os.Getenv("AWS_LAMBDA_FUNCTION_NAME") != "" &&
-		os.Getenv("AWS_LAMBDA_FUNCTION_VERSION") != "" &&
-		os.Getenv("AWS_LAMBDA_INITIALIZATION_TYPE") != "" &&
-		os.Getenv("AWS_LAMBDA_RUNTIME_API") != "" {
-		return true
-	}
-	return false
-}
-
-func inHerokuDyno() bool {
-	// https://devcenter.heroku.com/articles/dynos#local-environment-variables
-	if os.Getenv("PORT") != "" && os.Getenv("DYNO") != "" {
-		return true
-	}
-	return false
-}
-
-func inAzureAppService() bool {
-	if os.Getenv("APPSVC_RUN_ZIP") != "" && os.Getenv("WEBSITE_STACK") != "" &&
-		os.Getenv("WEBSITE_AUTH_AUTO_AAD") != "" {
-		return true
-	}
-	return false
-}
--- a/internal/deepprint/deepprint.go
+++ b/internal/deepprint/deepprint.go
@@ -0,0 +1,103 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package deepprint walks a Go value recursively, in a predictable
+// order, without looping, and prints each value out to a given
+// Writer, which is assumed to be a hash.Hash, as this package doesn't
+// format things nicely.
+//
+// This is intended as a lighter version of go-spew, etc. We don't need its
+// features when our writer is just a hash.
+package deepprint
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"reflect"
+)
+
+func Hash(v ...interface{}) string {
+	h := sha256.New()
+	Print(h, v)
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+// UpdateHash sets last to the hash of v and reports whether its value changed.
+func UpdateHash(last *string, v ...interface{}) (changed bool) {
+	sig := Hash(v)
+	if *last != sig {
+		*last = sig
+		return true
+	}
+	return false
+}
+
+func Print(w io.Writer, v ...interface{}) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
+}
+
+func print(w io.Writer, v reflect.Value, visited map[uintptr]bool) {
+	if !v.IsValid() {
+		return
+	}
+	switch v.Kind() {
+	default:
+		panic(fmt.Sprintf("unhandled kind %v for type %v", v.Kind(), v.Type()))
+	case reflect.Ptr:
+		ptr := v.Pointer()
+		if visited[ptr] {
+			return
+		}
+		visited[ptr] = true
+		print(w, v.Elem(), visited)
+		return
+	case reflect.Struct:
+		fmt.Fprintf(w, "struct{\n")
+		t := v.Type()
+		for i, n := 0, v.NumField(); i < n; i++ {
+			sf := t.Field(i)
+			fmt.Fprintf(w, "%s: ", sf.Name)
+			print(w, v.Field(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+	case reflect.Slice, reflect.Array:
+		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
+			fmt.Fprintf(w, "%q", v.Interface())
+			return
+		}
+		fmt.Fprintf(w, "[%d]{\n", v.Len())
+		for i, ln := 0, v.Len(); i < ln; i++ {
+			fmt.Fprintf(w, " [%d]: ", i)
+			print(w, v.Index(i), visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+	case reflect.Interface:
+		print(w, v.Elem(), visited)
+	case reflect.Map:
+		sm := newSortedMap(v)
+		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+		for i, k := range sm.Key {
+			print(w, k, visited)
+			fmt.Fprintf(w, ": ")
+			print(w, sm.Value[i], visited)
+			fmt.Fprintf(w, "\n")
+		}
+		fmt.Fprintf(w, "}\n")
+
+	case reflect.String:
+		fmt.Fprintf(w, "%s", v.String())
+	case reflect.Bool:
+		fmt.Fprintf(w, "%v", v.Bool())
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		fmt.Fprintf(w, "%v", v.Int())
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		fmt.Fprintf(w, "%v", v.Uint())
+	case reflect.Float32, reflect.Float64:
+		fmt.Fprintf(w, "%v", v.Float())
+	case reflect.Complex64, reflect.Complex128:
+		fmt.Fprintf(w, "%v", v.Complex())
+	}
+}
--- a/internal/deepprint/deepprint_test.go
+++ b/internal/deepprint/deepprint_test.go
@@ -0,0 +1,64 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package deepprint
+
+import (
+	"bytes"
+	"testing"
+
+	"inet.af/netaddr"
+	"tailscale.com/wgengine/router"
+	"tailscale.com/wgengine/wgcfg"
+)
+
+func TestDeepPrint(t *testing.T) {
+	// v contains the types of values we care about for our current callers.
+	// Mostly we're just testing that we don't panic on handled types.
+	v := getVal()
+
+	var buf bytes.Buffer
+	Print(&buf, v)
+	t.Logf("Got: %s", buf.Bytes())
+
+	hash1 := Hash(v)
+	t.Logf("hash: %v", hash1)
+	for i := 0; i < 20; i++ {
+		hash2 := Hash(getVal())
+		if hash1 != hash2 {
+			t.Error("second hash didn't match")
+		}
+	}
+}
+
+func getVal() []interface{} {
+	return []interface{}{
+		&wgcfg.Config{
+			Name:      "foo",
+			Addresses: []netaddr.IPPrefix{{Bits: 5, IP: netaddr.IPFrom16([16]byte{3: 3})}},
+			Peers: []wgcfg.Peer{
+				{
+					Endpoints: "foo:5",
+				},
+			},
+		},
+		&router.Config{
+			Routes: []netaddr.IPPrefix{
+				netaddr.MustParseIPPrefix("1.2.3.0/24"),
+				netaddr.MustParseIPPrefix("1234::/64"),
+			},
+		},
+		map[string]string{
+			"key1": "val1",
+			"key2": "val2",
+			"key3": "val3",
+			"key4": "val4",
+			"key5": "val5",
+			"key6": "val6",
+			"key7": "val7",
+			"key8": "val8",
+			"key9": "val9",
+		},
+	}
+}
--- a/internal/deepprint/fmtsort.go
+++ b/internal/deepprint/fmtsort.go
@@ -10,7 +10,7 @@

 // This is a slightly modified fork of Go's src/internal/fmtsort/sort.go

-package deephash
+package deepprint

 import (
 	"reflect"
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
+	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -43,14 +44,11 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -244,10 +242,10 @@ func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
 	// need updating to tweak default routes.
 	b.updateFilter(b.netMap, b.prefs)

-	if peerAPIListenAsync && b.netMap != nil && b.state == ipn.Running {
+	if runtime.GOOS == "windows" && b.netMap != nil && b.state == ipn.Running {
 		want := len(b.netMap.Addresses)
+		b.logf("linkChange: peerAPIListeners too low; trying again")
 		if len(b.peerAPIListeners) < want {
-			b.logf("linkChange: peerAPIListeners too low; trying again")
 			go b.initPeerAPIListener()
 		}
 	}
@@ -325,13 +323,9 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		s.AuthURL = b.authURLSticky
 		if b.netMap != nil {
 			s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
-			s.CertDomains = append([]string(nil), b.netMap.DNS.CertDomains...)
 		}
 	})
 	sb.MutateSelfStatus(func(ss *ipnstate.PeerStatus) {
-		if b.netMap != nil && b.netMap.SelfNode != nil {
-			ss.ID = b.netMap.SelfNode.StableID
-		}
 		for _, pln := range b.peerAPIListeners {
 			ss.PeerAPIURL = append(ss.PeerAPIURL, pln.urlStr)
 		}
@@ -359,19 +353,18 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 		var tailAddr4 string
 		var tailscaleIPs = make([]netaddr.IP, 0, len(p.Addresses))
 		for _, addr := range p.Addresses {
-			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP()) {
-				if addr.IP().Is4() && tailAddr4 == "" {
+			if addr.IsSingleIP() && tsaddr.IsTailscaleIP(addr.IP) {
+				if addr.IP.Is4() && tailAddr4 == "" {
 					// The peer struct previously only allowed a single
 					// Tailscale IP address. For compatibility for a few releases starting
 					// with 1.8, keep it pulled out as IPv4-only for a bit.
-					tailAddr4 = addr.IP().String()
+					tailAddr4 = addr.IP.String()
 				}
-				tailscaleIPs = append(tailscaleIPs, addr.IP())
+				tailscaleIPs = append(tailscaleIPs, addr.IP)
 			}
 		}
 		sb.AddPeer(key.Public(p.Key), &ipnstate.PeerStatus{
 			InNetworkMap:       true,
-			ID:                 p.StableID,
 			UserID:             p.User,
 			TailAddrDeprecated: tailAddr4,
 			TailscaleIPs:       tailscaleIPs,
@@ -393,10 +386,10 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 func (b *LocalBackend) WhoIs(ipp netaddr.IPPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	n, ok = b.nodeByAddr[ipp.IP()]
+	n, ok = b.nodeByAddr[ipp.IP]
 	if !ok {
 		var ip netaddr.IP
-		if ipp.Port() != 0 {
+		if ipp.Port != 0 {
 			ip, ok = b.e.WhoIsIPPort(ipp)
 		}
 		if !ok {
@@ -437,15 +430,14 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 		return
 	}
-
-	b.mu.Lock()
-	wasBlocked := b.blocked
-	b.mu.Unlock()
-
-	if st.LoginFinished != nil && wasBlocked {
+	if st.LoginFinished != nil {
 		// Auth completed, unblock the engine
 		b.blockEngineUpdates(false)
 		b.authReconfig()
+		b.EditPrefs(&ipn.MaskedPrefs{
+			LoggedOutSet: true,
+			Prefs:        ipn.Prefs{LoggedOut: false},
+		})
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
 	}

@@ -454,13 +446,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// Lock b once and do only the things that require locking.
 	b.mu.Lock()

-	if st.LogoutFinished != nil {
-		// Since we're logged out now, our netmap cache is invalid.
-		// Since st.NetMap==nil means "netmap is unchanged", there is
-		// no other way to represent this change.
-		b.setNetMapLocked(nil)
-	}
-
 	prefs := b.prefs
 	stateKey := b.stateKey
 	netMap := b.netMap
@@ -491,15 +476,11 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		b.authURL = st.URL
 		b.authURLSticky = st.URL
 	}
-	if wasBlocked && st.LoginFinished != nil {
-		// Interactive login finished successfully (URL visited).
-		// After an interactive login, the user always wants
-		// WantRunning.
-		if !b.prefs.WantRunning || b.prefs.LoggedOut {
+	if b.state == ipn.NeedsLogin {
+		if !b.prefs.WantRunning {
 			prefsChanged = true
 		}
 		b.prefs.WantRunning = true
-		b.prefs.LoggedOut = false
 	}
 	// Prefs will be written out; this is not safe unless locked or cloned.
 	if prefsChanged {
@@ -562,7 +543,7 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged

 	for _, peer := range nm.Peers {
 		for _, addr := range peer.Addresses {
-			if !addr.IsSingleIP() || addr.IP() != b.prefs.ExitNodeIP {
+			if !addr.IsSingleIP() || addr.IP != b.prefs.ExitNodeIP {
 				continue
 			}
 			// Found the node being referenced, upgrade prefs to
@@ -581,18 +562,10 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged
 func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 	if err != nil {
 		b.logf("wgengine status error: %v", err)
-
-		b.statusLock.Lock()
-		b.statusChanged.Broadcast()
-		b.statusLock.Unlock()
 		return
 	}
 	if s == nil {
 		b.logf("[unexpected] non-error wgengine update with status=nil: %v", s)
-
-		b.statusLock.Lock()
-		b.statusChanged.Broadcast()
-		b.statusLock.Unlock()
 		return
 	}

@@ -658,12 +631,6 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
-// TODO(apenwarr): we shouldn't need this.
-//  The state machine is now nearly clean enough where it can accept a new
-//  connection while in any state, not just Running, and on any platform.
-//  We'd want to add a few more tests to state_test.go to ensure this continues
-//  to work as expected.
-//
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {
 	// Options has 5 fields; check all of them:
@@ -717,7 +684,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		b.send(ipn.Notify{
 			State:         &state,
 			NetMap:        nm,
-			Prefs:         b.prefs,
 			LoginFinished: new(empty.Message),
 		})
 		return nil
@@ -838,7 +804,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
 		LinkMonitor:          b.e.GetLinkMonitor(),
-		Pinger:               b.e,

 		// Don't warn about broken Linux IP forwading when
 		// netstack is being used.
@@ -909,7 +874,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 	}
 	if prefs != nil {
 		for _, r := range prefs.AdvertiseRoutes {
-			if r.Bits() == 0 {
+			if r.Bits == 0 {
 				// When offering a default route to the world, we
 				// filter out locally reachable LANs, so that the
 				// default route effectively appears to be a "guest
@@ -931,10 +896,10 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 			}
 		}
 	}
-	localNets, _ := localNetsB.IPSet()
-	logNets, _ := logNetsB.IPSet()
+	localNets := localNetsB.IPSet()
+	logNets := logNetsB.IPSet()

-	changed := deephash.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
+	changed := deepprint.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
 		return
 	}
@@ -977,20 +942,19 @@ var removeFromDefaultRoute = []netaddr.IPPrefix{
 func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 	var b netaddr.IPSetBuilder
 	if err := interfaces.ForeachInterfaceAddress(func(_ interfaces.Interface, pfx netaddr.IPPrefix) {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return
 		}
 		if pfx.IsSingleIP() {
 			return
 		}
-		hostIPs = append(hostIPs, pfx.IP())
+		hostIPs = append(hostIPs, pfx.IP)
 		b.AddPrefix(pfx)
 	}); err != nil {
 		return nil, nil, err
 	}

-	ipSet, _ := b.IPSet()
-	return ipSet, hostIPs, nil
+	return b.IPSet(), hostIPs, nil
 }

 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
@@ -1021,7 +985,7 @@ func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
 	for _, pfx := range removeFromDefaultRoute {
 		b.RemovePrefix(pfx)
 	}
-	return b.IPSet()
+	return b.IPSet(), nil
 }

 // dnsCIDRsEqual determines whether two CIDR lists are equal
@@ -1713,64 +1677,9 @@ func (b *LocalBackend) authReconfig() {

 	rcfg := b.routerConfig(cfg, uc)

-	dcfg := dns.Config{
-		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
-		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-	}
-
-	// Populate MagicDNS records. We do this unconditionally so that
-	// quad-100 can always respond to MagicDNS queries, even if the OS
-	// isn't configured to make MagicDNS resolution truly
-	// magic. Details in
-	// https://github.com/tailscale/tailscale/issues/1886.
-	set := func(name string, addrs []netaddr.IPPrefix) {
-		if len(addrs) == 0 || name == "" {
-			return
-		}
-		fqdn, err := dnsname.ToFQDN(name)
-		if err != nil {
-			return // TODO: propagate error?
-		}
-		var ips []netaddr.IP
-		for _, addr := range addrs {
-			// Remove IPv6 addresses for now, as we don't
-			// guarantee that the peer node actually can speak
-			// IPv6 correctly.
-			//
-			// https://github.com/tailscale/tailscale/issues/1152
-			// tracks adding the right capability reporting to
-			// enable AAAA in MagicDNS.
-			if addr.IP().Is6() {
-				continue
-			}
-			ips = append(ips, addr.IP())
-		}
-		dcfg.Hosts[fqdn] = ips
-	}
-	set(nm.Name, nm.Addresses)
-	for _, peer := range nm.Peers {
-		set(peer.Name, peer.Addresses)
-	}
-	for _, rec := range nm.DNS.ExtraRecords {
-		switch rec.Type {
-		case "", "A", "AAAA":
-			// Treat these all the same for now: infer from the value
-		default:
-			// TODO: more
-			continue
-		}
-		ip, err := netaddr.ParseIP(rec.Value)
-		if err != nil {
-			// Ignore.
-			continue
-		}
-		fqdn, err := dnsname.ToFQDN(rec.Name)
-		if err != nil {
-			continue
-		}
-		dcfg.Hosts[fqdn] = append(dcfg.Hosts[fqdn], ip)
-	}
+	var dcfg dns.Config

+	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1784,6 +1693,9 @@ func (b *LocalBackend) authReconfig() {
 		}

 		addDefault(nm.DNS.Resolvers)
+		if len(nm.DNS.Routes) > 0 {
+			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
+		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1805,9 +1717,36 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
+		set := func(name string, addrs []netaddr.IPPrefix) {
+			if len(addrs) == 0 || name == "" {
+				return
+			}
+			fqdn, err := dnsname.ToFQDN(name)
+			if err != nil {
+				return // TODO: propagate error?
+			}
+			var ips []netaddr.IP
+			for _, addr := range addrs {
+				// Remove IPv6 addresses for now, as we don't
+				// guarantee that the peer node actually can speak
+				// IPv6 correctly.
+				//
+				// https://github.com/tailscale/tailscale/issues/1152
+				// tracks adding the right capability reporting to
+				// enable AAAA in MagicDNS.
+				if addr.IP.Is6() {
+					continue
+				}
+				ips = append(ips, addr.IP)
+			}
+			dcfg.Hosts[fqdn] = ips
+		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			for _, dom := range magicDNSRootDomains(nm) {
-				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
+			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
+			set(nm.Name, nm.Addresses)
+			for _, peer := range nm.Peers {
+				set(peer.Name, peer.Addresses)
 			}
 		}

@@ -1831,7 +1770,7 @@ func (b *LocalBackend) authReconfig() {
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
-		case len(dcfg.Routes) == 0:
+		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
@@ -1839,7 +1778,7 @@ func (b *LocalBackend) authReconfig() {
 		}
 	}

-	err = b.e.Reconfig(cfg, rcfg, &dcfg, nm.Debug)
+	err = b.e.Reconfig(cfg, rcfg, &dcfg)
 	if err == wgengine.ErrNoChanges {
 		return
 	}
@@ -1853,15 +1792,17 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 	if err != nil {
 		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)
 	}
-	return netaddr.IPPortFrom(ip, 53), nil
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: 53,
+	}, nil
 }

 // tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
 func tailscaleVarRoot() string {
-	switch runtime.GOOS {
-	case "ios", "android":
-		dir, _ := paths.AppSharedDir.Load().(string)
+	if runtime.GOOS == "ios" {
+		dir, _ := paths.IOSSharedDir.Load().(string)
 		return dir
 	}
 	stateFile := paths.DefaultTailscaledStateFile()
@@ -1905,30 +1846,14 @@ func (b *LocalBackend) closePeerAPIListenersLocked() {
 	b.peerAPIListeners = nil
 }

-// peerAPIListenAsync is whether the operating system requires that we
-// retry listening on the peerAPI ip/port for whatever reason.
-//
-// On Windows, see Issue 1620.
-// On Android, see Issue 1960.
-const peerAPIListenAsync = runtime.GOOS == "windows" || runtime.GOOS == "android"
-
 func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()

-	if b.netMap == nil {
-		// We're called from authReconfig which checks that
-		// netMap is non-nil, but if a concurrent Logout,
-		// ResetForClientDisconnect, or Start happens when its
-		// mutex was released, the netMap could be
-		// nil'ed out (Issue 1996). Bail out early here if so.
-		return
-	}
-
 	if len(b.netMap.Addresses) == len(b.peerAPIListeners) {
 		allSame := true
 		for i, pln := range b.peerAPIListeners {
-			if pln.ip != b.netMap.Addresses[i].IP() {
+			if pln.ip != b.netMap.Addresses[i].IP {
 				allSame = false
 				break
 			}
@@ -1973,20 +1898,21 @@ func (b *LocalBackend) initPeerAPIListener() {
 		var err error
 		skipListen := i > 0 && isNetstack
 		if !skipListen {
-			ln, err = ps.listen(a.IP(), b.prevIfState)
+			ln, err = ps.listen(a.IP, b.prevIfState)
 			if err != nil {
-				if peerAPIListenAsync {
-					// Expected. But we fix it later in linkChange
+				if runtime.GOOS == "windows" {
+					// Expected for now. See Issue 1620.
+					// But we fix it later in linkChange
 					// ("peerAPIListeners too low").
 					continue
 				}
-				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP(), err)
+				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP, err)
 				continue
 			}
 		}
 		pln := &peerAPIListener{
 			ps: ps,
-			ip: a.IP(),
+			ip: a.IP,
 			ln: ln, // nil for 2nd+ on netstack
 			lb: b,
 		}
@@ -1995,7 +1921,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 		} else {
 			pln.port = ln.Addr().(*net.TCPAddr).Port
 		}
-		pln.urlStr = "http://" + net.JoinHostPort(a.IP().String(), strconv.Itoa(pln.port))
+		pln.urlStr = "http://" + net.JoinHostPort(a.IP.String(), strconv.Itoa(pln.port))
 		b.logf("peerapi: serving on %s", pln.urlStr)
 		go pln.serve()
 		b.peerAPIListeners = append(b.peerAPIListeners, pln)
@@ -2046,14 +1972,14 @@ func peerRoutes(peers []wgcfg.Peer, cgnatThreshold int) (routes []netaddr.IPPref
 		for _, aip := range peer.AllowedIPs {
 			aip = unmapIPPrefix(aip)
 			// Only add the Tailscale IPv6 ULA once, if we see anybody using part of it.
-			if aip.IP().Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP()) {
+			if aip.IP.Is6() && aip.IsSingleIP() && tsULA.Contains(aip.IP) {
 				if !didULA {
 					didULA = true
 					routes = append(routes, tsULA)
 				}
 				continue
 			}
-			if aip.IsSingleIP() && cgNAT.Contains(aip.IP()) {
+			if aip.IsSingleIP() && cgNAT.Contains(aip.IP) {
 				cgNATIPs = append(cgNATIPs, aip)
 			} else {
 				routes = append(routes, aip)
@@ -2079,11 +2005,6 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}

-	if distro.Get() == distro.Synology {
-		// Issue 1995: we don't use iptables on Synology.
-		rs.NetfilterMode = preftype.NetfilterOff
-	}
-
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
@@ -2109,7 +2030,7 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		if !default6 {
 			rs.Routes = append(rs.Routes, ipv6Default)
 		}
-		if runtime.GOOS == "linux" || runtime.GOOS == "darwin" || runtime.GOOS == "windows" {
+		if runtime.GOOS == "linux" {
 			// Only allow local lan access on linux machines for now.
 			ips, _, err := interfaceRoutes()
 			if err != nil {
@@ -2125,13 +2046,16 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		}
 	}

-	rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	rs.Routes = append(rs.Routes, netaddr.IPPrefix{
+		IP:   tsaddr.TailscaleServiceIP(),
+		Bits: 32,
+	})

 	return rs
 }

 func unmapIPPrefix(ipp netaddr.IPPrefix) netaddr.IPPrefix {
-	return netaddr.IPPrefixFrom(ipp.IP().Unmap(), ipp.Bits())
+	return netaddr.IPPrefix{IP: ipp.IP.Unmap(), Bits: ipp.Bits}
 }

 func unmapIPPrefixes(ippsList ...[]netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
@@ -2185,8 +2109,8 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 	if oldState == newState {
 		return
 	}
-	b.logf("Switching ipn state %v -> %v (WantRunning=%v, nm=%v)",
-		oldState, newState, prefs.WantRunning, netMap != nil)
+	b.logf("Switching ipn state %v -> %v (WantRunning=%v)",
+		oldState, newState, prefs.WantRunning)
 	health.SetIPNState(newState.String(), prefs.WantRunning)
 	b.send(ipn.Notify{State: &newState})

@@ -2200,7 +2124,7 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 		b.blockEngineUpdates(true)
 		fallthrough
 	case ipn.Stopped:
-		err := b.e.Reconfig(&wgcfg.Config{}, &router.Config{}, &dns.Config{}, nil)
+		err := b.e.Reconfig(&wgcfg.Config{}, &router.Config{}, &dns.Config{})
 		if err != nil {
 			b.logf("Reconfig(down): %v", err)
 		}
@@ -2214,8 +2138,8 @@ func (b *LocalBackend) enterState(newState ipn.State) {
 		b.e.RequestStatus()
 	case ipn.Running:
 		var addrs []string
-		for _, addr := range netMap.Addresses {
-			addrs = append(addrs, addr.IP().String())
+		for _, addr := range b.netMap.Addresses {
+			addrs = append(addrs, addr.IP.String())
 		}
 		systemd.Status("Connected; %s; %s", activeLogin, strings.Join(addrs, " "))
 	default:
@@ -2242,14 +2166,13 @@ func (b *LocalBackend) nextState() ipn.State {
 		cc          = b.cc
 		netMap      = b.netMap
 		state       = b.state
-		blocked     = b.blocked
 		wantRunning = b.prefs.WantRunning
 		loggedOut   = b.prefs.LoggedOut
 	)
 	b.mu.Unlock()

 	switch {
-	case !wantRunning && !loggedOut && !blocked && b.hasNodeKey():
+	case !wantRunning && !loggedOut && b.hasNodeKey():
 		return ipn.Stopped
 	case netMap == nil:
 		if cc.AuthCantContinue() || loggedOut {
@@ -2320,7 +2243,7 @@ func (b *LocalBackend) stateMachine() {
 // a status update that predates the "I've shut down" update.
 func (b *LocalBackend) stopEngineAndWait() {
 	b.logf("stopEngineAndWait...")
-	b.e.Reconfig(&wgcfg.Config{}, &router.Config{}, &dns.Config{}, nil)
+	b.e.Reconfig(&wgcfg.Config{}, &router.Config{}, &dns.Config{})
 	b.requestEngineStatusAndWait()
 	b.logf("stopEngineAndWait: done.")
 }
@@ -2377,6 +2300,7 @@ func (b *LocalBackend) LogoutSync(ctx context.Context) error {
 func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 	b.mu.Lock()
 	cc := b.cc
+	b.setNetMapLocked(nil)
 	b.mu.Unlock()

 	b.EditPrefs(&ipn.MaskedPrefs{
@@ -2403,6 +2327,10 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		cc.StartLogout()
 	}

+	b.mu.Lock()
+	b.setNetMapLocked(nil)
+	b.mu.Unlock()
+
 	b.stateMachine()
 	return err
 }
@@ -2478,7 +2406,7 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	addNode := func(n *tailcfg.Node) {
 		for _, ipp := range n.Addresses {
 			if ipp.IsSingleIP() {
-				b.nodeByAddr[ipp.IP()] = n
+				b.nodeByAddr[ipp.IP] = n
 			}
 		}
 	}
@@ -2604,42 +2532,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

-// SetDNS adds a DNS record for the given domain name & TXT record
-// value.
-//
-// It's meant for use with dns-01 ACME (LetsEncrypt) challenges.
-//
-// This is the low-level interface. Other layers will provide more
-// friendly options to get HTTPS certs.
-func (b *LocalBackend) SetDNS(ctx context.Context, name, value string) error {
-	req := &tailcfg.SetDNSRequest{
-		Version: 1,
-		Type:    "TXT",
-		Name:    name,
-		Value:   value,
-	}
-
-	b.mu.Lock()
-	cc := b.cc
-	if prefs := b.prefs; prefs != nil {
-		req.NodeKey = tailcfg.NodeKey(prefs.Persist.PrivateNodeKey.Public())
-	}
-	b.mu.Unlock()
-	if cc == nil {
-		return errors.New("not connected")
-	}
-	if req.NodeKey.IsZero() {
-		return errors.New("no nodekey")
-	}
-	if name == "" {
-		return errors.New("missing 'name'")
-	}
-	if value == "" {
-		return errors.New("missing 'value'")
-	}
-	return cc.SetDNS(ctx, req)
-}
-
 func (b *LocalBackend) registerIncomingFile(inf *incomingFile, active bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -2666,9 +2558,9 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 			continue
 		}
 		switch {
-		case a.IP().Is4():
+		case a.IP.Is4():
 			have4 = true
-		case a.IP().Is6():
+		case a.IP.Is6():
 			have6 = true
 		}
 	}
@@ -2684,11 +2576,11 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {
 	var ipp netaddr.IPPort
 	switch {
 	case have4 && p4 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is4), p4)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is4), Port: p4}
 	case have6 && p6 != 0:
-		ipp = netaddr.IPPortFrom(nodeIP(peer, netaddr.IP.Is6), p6)
+		ipp = netaddr.IPPort{IP: nodeIP(peer, netaddr.IP.Is6), Port: p6}
 	}
-	if ipp.IP().IsZero() {
+	if ipp.IP.IsZero() {
 		return ""
 	}
 	return fmt.Sprintf("http://%v", ipp)
@@ -2696,8 +2588,8 @@ func peerAPIBase(nm *netmap.NetworkMap, peer *tailcfg.Node) string {

 func nodeIP(n *tailcfg.Node, pred func(netaddr.IP) bool) netaddr.IP {
 	for _, a := range n.Addresses {
-		if a.IsSingleIP() && pred(a.IP()) {
-			return a.IP()
+		if a.IsSingleIP() && pred(a.IP) {
+			return a.IP
 		}
 	}
 	return netaddr.IP{}
@@ -2712,6 +2604,7 @@ func (b *LocalBackend) CheckIPForwarding() error {
 		return nil
 	}
 	if isBSD(runtime.GOOS) {
+		//lint:ignore ST1005 output to users as is
 		return fmt.Errorf("Subnet routing and exit nodes only work with additional manual configuration on %v, and is not currently officially supported.", runtime.GOOS)
 	}

@@ -2728,13 +2621,16 @@ func (b *LocalBackend) CheckIPForwarding() error {
 	for _, key := range keys {
 		bs, err := exec.Command("sysctl", "-n", key).Output()
 		if err != nil {
+			//lint:ignore ST1005 output to users as is
 			return fmt.Errorf("couldn't check %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
 		}
 		on, err := strconv.ParseBool(string(bytes.TrimSpace(bs)))
 		if err != nil {
+			//lint:ignore ST1005 output to users as is
 			return fmt.Errorf("couldn't parse %s (%v).\nSubnet routes won't work without IP forwarding.", key, err)
 		}
 		if !on {
+			//lint:ignore ST1005 output to users as is
 			return fmt.Errorf("%s is disabled. Subnet routes won't work.", key)
 		}
 	}
@@ -2753,13 +2649,3 @@ func (b *LocalBackend) PeerDialControlFunc() func(network, address string, c sys
 	}
 	return nil
 }
-
-// DERPMap returns the current DERPMap in use, or nil if not connected.
-func (b *LocalBackend) DERPMap() *tailcfg.DERPMap {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.netMap == nil {
-		return nil
-	}
-	return b.netMap.DERPMap
-}
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -171,7 +171,7 @@ func TestShrinkDefaultRoute(t *testing.T) {
 			out: []string{
 				"fe80::1",
 				"ff00::1",
-				tsaddr.TailscaleULARange().IP().String(),
+				tsaddr.TailscaleULARange().IP.String(),
 			},
 			localIPFn: func(ip netaddr.IP) bool { return !inRemove(ip) && ip.Is6() },
 		},
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -510,7 +510,7 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 <body>
 <h1>Hello, %s (%v)</h1>
 This is my Tailscale device. Your device is %v.
-`, html.EscapeString(who), h.remoteAddr.IP(), html.EscapeString(h.peerNode.ComputedName))
+`, html.EscapeString(who), h.remoteAddr.IP, html.EscapeString(h.peerNode.ComputedName))

 	if h.isSelf {
 		fmt.Fprintf(w, "<p>You are the owner of this node.\n")
--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -2,19 +2,21 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,ts_macext ios,ts_macext
+// +build darwin,redo ios,redo

 package ipnlocal

 import (
 	"errors"
 	"fmt"
+	"log"
 	"net"
+	"strings"
 	"syscall"

+	"golang.org/x/sys/unix"
 	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netns"
 )

 func init() {
@@ -30,7 +32,29 @@ func initListenConfigNetworkExtension(nc *net.ListenConfig, ip netaddr.IP, st *i
 	if !ok {
 		return fmt.Errorf("no interface with name %q", tunIfName)
 	}
-	return netns.SetListenConfigInterfaceIndex(nc, tunIf.Index)
+	nc.Control = func(network, address string, c syscall.RawConn) error {
+		var sockErr error
+		err := c.Control(func(fd uintptr) {
+			sockErr = bindIf(fd, network, address, tunIf.Index)
+			log.Printf("peerapi: bind(%q, %q) on index %v = %v", network, address, tunIf.Index, sockErr)
+		})
+		if err != nil {
+			return err
+		}
+		return sockErr
+	}
+	return nil
+}
+
+func bindIf(fd uintptr, network, address string, ifIndex int) error {
+	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
+	proto := unix.IPPROTO_IP
+	opt := unix.IP_BOUND_IF
+	if v6 {
+		proto = unix.IPPROTO_IPV6
+		opt = unix.IPV6_BOUND_IF
+	}
+	return unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
 }

 func peerDialControlFuncNetworkExtension(b *LocalBackend) func(network, address string, c syscall.RawConn) error {
@@ -44,12 +68,17 @@ func peerDialControlFuncNetworkExtension(b *LocalBackend) func(network, address
 			index = tunIf.Index
 		}
 	}
-	var lc net.ListenConfig
-	netns.SetListenConfigInterfaceIndex(&lc, index)
 	return func(network, address string, c syscall.RawConn) error {
 		if index == -1 {
 			return errors.New("failed to find TUN interface to bind to")
 		}
-		return lc.Control(network, address, c)
+		var sockErr error
+		err := c.Control(func(fd uintptr) {
+			sockErr = bindIf(fd, network, address, index)
+		})
+		if err != nil {
+			return err
+		}
+		return sockErr
 	}
 }
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -140,8 +140,6 @@ func (cc *mockControl) send(err error, url string, loginFinished bool, nm *netma
 		}
 		if loginFinished {
 			s.LoginFinished = &empty.Message{}
-		} else if url == "" && err == nil && nm == nil {
-			s.LogoutFinished = &empty.Message{}
 		}
 		cc.statusFunc(s)
 	}
@@ -248,10 +246,6 @@ func (cc *mockControl) UpdateEndpoints(localPort uint16, endpoints []tailcfg.End
 	cc.called("UpdateEndpoints")
 }

-func (*mockControl) SetDNS(context.Context, *tailcfg.SetDNSRequest) error {
-	panic("unexpected SetDNS call")
-}
-
 // A very precise test of the sequence of function calls generated by
 // ipnlocal.Local into its controlclient instance, and the events it
 // produces upstream into the UI.
@@ -374,11 +368,13 @@ func TestStateMachine(t *testing.T) {
 	{
 		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"Login"})
 		notifies.drain(0)
-		// Note: WantRunning isn't true yet. It'll switch to true
-		// after a successful login finishes.
-		// (This behaviour is needed so that b.Login() won't
-		// start connecting to an old account right away, if one
-		// exists when you launch another login.)
+		// BUG: this should immediately set WantRunning to true.
+		// Users don't log in if they don't want to also connect.
+		// (Generally, we're inconsistent about who is supposed to
+		// update Prefs at what time. But the overall philosophy is:
+		// update it when the user's intent changes. This is clearly
+		// at the time the user *requests* Login, not at the time
+		// the login finishes.)
 	}

 	// Attempted non-interactive login with no key; indicate that
@@ -388,16 +384,18 @@ func TestStateMachine(t *testing.T) {
 	url1 := "http://localhost:1/1"
 	cc.send(nil, url1, false, nil)
 	{
-		c.Assert(cc.getCalls(), qt.DeepEquals, []string{})
+		c.Assert(cc.getCalls(), qt.HasLen, 0)

 		// ...but backend eats that notification, because the user
 		// didn't explicitly request interactive login yet, and
 		// we're already in NeedsLogin state.
 		nn := notifies.drain(1)

+		// Trying to log in automatically sets WantRunning.
+		// BUG: that should have happened right after Login().
 		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 	}

 	// Now we'll try an interactive login.
@@ -453,12 +451,11 @@ func TestStateMachine(t *testing.T) {
 	// same time.
 	// The backend should propagate this upward for the UI.
 	t.Logf("\n\nLoginFinished")
-	notifies.expect(3)
+	notifies.expect(2)
 	cc.setAuthBlocked(false)
-	cc.persist.LoginName = "user1"
 	cc.send(nil, "", true, &netmap.NetworkMap{})
 	{
-		nn := notifies.drain(3)
+		nn := notifies.drain(2)
 		// BUG: still too soon for UpdateEndpoints.
 		//
 		// Arguably it makes sense to unpause now, since the machine
@@ -471,12 +468,15 @@ func TestStateMachine(t *testing.T) {
 		// it's visible in the logs)
 		c.Assert([]string{"unpause", "UpdateEndpoints"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user1")
-		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[2].State)
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[1].State)
 	}

+	// TODO: check that the logged-in username propagates from control
+	// through to the UI notifications. I think it's used as a hint
+	// for future logins, to pre-fill the username box? Not really sure
+	// how it works.
+
 	// Pretend that the administrator has authorized our machine.
 	t.Logf("\n\nMachineAuthorized")
 	notifies.expect(1)
@@ -554,7 +554,10 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
-		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		// BUG: Prefs should be sent too, or the UI could end up in
+		// a bad state. (iOS, the only current user of this feature,
+		// probably wouldn't notice because it happens to not display
+		// any prefs. Maybe exit nodes will look weird?)
 	}

 	// undo the state hack above.
@@ -566,13 +569,14 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		c.Assert([]string{"pause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
+		// BUG: now is not the time to unpause.
+		c.Assert([]string{"unpause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
-		c.Assert(ipn.Stopped, qt.Equals, b.State())
+		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Let's make the logout succeed.
@@ -582,69 +586,72 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", false, nil)
 	{
 		nn := notifies.drain(1)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: WantRunning should be false after manual logout.
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// A second logout should do nothing, since the prefs haven't changed.
 	t.Logf("\n\nLogout2 (async)")
-	notifies.expect(0)
+	notifies.expect(1)
 	b.Logout()
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		// BUG: the backend has already called StartLogout, and we're
 		// still logged out. So it shouldn't call it again.
 		c.Assert([]string{"StartLogout"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		// BUG: Prefs should not change here. Already logged out.
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Let's acknowledge the second logout too.
 	t.Logf("\n\nLogout2 (async) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: second logout shouldn't cause WantRunning->true !!
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Try the synchronous logout feature.
 	t.Logf("\n\nLogout3 (sync)")
-	notifies.expect(0)
+	notifies.expect(1)
 	b.LogoutSync(context.Background())
 	// NOTE: This returns as soon as cc.Logout() returns, which is okay
 	// I guess, since that's supposed to be synchronous.
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert([]string{"Logout"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

 	// Generate the third logout event.
 	t.Logf("\n\nLogout3 (sync) - succeed")
-	notifies.expect(0)
+	notifies.expect(1)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		notifies.drain(0)
+		nn := notifies.drain(1)
 		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(cc.getCalls(), qt.HasLen, 0)
-		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
-		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
+		// BUG: third logout shouldn't cause WantRunning->true !!
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

@@ -662,6 +669,10 @@ func TestStateMachine(t *testing.T) {
 	// happens if the user exits and restarts while logged out.
 	// Note that it's explicitly okay to call b.Start() over and over
 	// again, every time the frontend reconnects.
+	//
+	// BUG: WantRunning is true here (because of the bug above).
+	//  We'll have to adjust the following test's expectations if we
+	//  fix that.

 	// TODO: test user switching between statekeys.

@@ -680,7 +691,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
-		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
+		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}
@@ -692,20 +703,16 @@ func TestStateMachine(t *testing.T) {
 	t.Logf("\n\nLoginFinished3")
 	notifies.expect(3)
 	cc.setAuthBlocked(false)
-	cc.persist.LoginName = "user2"
 	cc.send(nil, "", true, &netmap.NetworkMap{
 		MachineStatus: tailcfg.MachineAuthorized,
 	})
 	{
 		nn := notifies.drain(3)
 		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user2")
-		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[1].Prefs.WantRunning, qt.IsTrue)
+		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
 	}

@@ -766,63 +773,6 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 	}

-	// Disconnect.
-	t.Logf("\n\nStop")
-	notifies.expect(2)
-	b.EditPrefs(&ipn.MaskedPrefs{
-		WantRunningSet: true,
-		Prefs:          ipn.Prefs{WantRunning: false},
-	})
-	{
-		nn := notifies.drain(2)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
-	}
-
-	// We want to try logging in as a different user, while Stopped.
-	// First, start the login process (without logging out first).
-	t.Logf("\n\nLoginDifferent")
-	notifies.expect(2)
-	b.StartLoginInteractive()
-	url3 := "http://localhost:1/3"
-	cc.send(nil, url3, false, nil)
-	{
-		nn := notifies.drain(2)
-		// It might seem like WantRunning should switch to true here,
-		// but that would be risky since we already have a valid
-		// user account. It might try to reconnect to the old account
-		// before the new one is ready. So no change yet.
-		c.Assert([]string{"Login", "unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].BrowseToURL, qt.Not(qt.IsNil))
-		c.Assert(nn[1].State, qt.Not(qt.IsNil))
-		c.Assert(*nn[0].BrowseToURL, qt.Equals, url3)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
-	}
-
-	// Now, let's say the interactive login completed, using a different
-	// user account than before.
-	t.Logf("\n\nLoginDifferent URL visited")
-	notifies.expect(3)
-	cc.persist.LoginName = "user3"
-	cc.send(nil, "", true, &netmap.NetworkMap{
-		MachineStatus: tailcfg.MachineAuthorized,
-	})
-	{
-		nn := notifies.drain(3)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
-		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(nn[2].State, qt.Not(qt.IsNil))
-		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user3")
-		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
-		c.Assert(nn[1].Prefs.WantRunning, qt.IsTrue)
-		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
-	}
-
 	// The last test case is the most common one: restarting when both
 	// logged in and WantRunning.
 	t.Logf("\n\nStart5")
@@ -843,18 +793,17 @@ func TestStateMachine(t *testing.T) {

 	// Control server accepts our valid key from before.
 	t.Logf("\n\nLoginFinished5")
-	notifies.expect(1)
+	notifies.expect(2)
 	cc.setAuthBlocked(false)
 	cc.send(nil, "", true, &netmap.NetworkMap{
 		MachineStatus: tailcfg.MachineAuthorized,
 	})
 	{
-		nn := notifies.drain(1)
+		nn := notifies.drain(2)
 		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		// NOTE: No LoginFinished message since no interactive
-		// login was needed.
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
+		c.Assert(ipn.Starting, qt.Equals, *nn[1].State)
 		// NOTE: No prefs change this time. WantRunning stays true.
 		// We were in Starting in the first place, so that doesn't
 		// change either.
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -6,9 +6,7 @@ package ipnserver

 import (
 	"bufio"
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -24,6 +22,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"

@@ -40,11 +39,9 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/groupmember"
 	"tailscale.com/util/pidowner"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 )

@@ -148,7 +145,7 @@ func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
 	if err != nil {
 		return ci, fmt.Errorf("parsing local remote: %w", err)
 	}
-	if !la.IP().IsLoopback() || !ra.IP().IsLoopback() {
+	if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
 		return ci, errors.New("non-loopback connection")
 	}
 	tab, err := netstat.Get()
@@ -254,7 +251,8 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 			return
 		}
 		defer c.Close()
-		bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, s.logf))
+		serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+		bs := ipn.NewBackendServer(logf, nil, serverToClient)
 		_, occupied := err.(inUseOtherUserError)
 		if occupied {
 			bs.SendInUseOtherUserErrorMessage(err.Error())
@@ -348,32 +346,51 @@ func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool
 		logf("connection from userid %v; is configured operator", uid)
 		return rw
 	}
-	if yes, err := isLocalAdmin(uid); err != nil {
-		logf("connection from userid %v; read-only; %v", uid, err)
+	var adminGroupID string
+	switch runtime.GOOS {
+	case "darwin":
+		adminGroupID = darwinAdminGroupID()
+	default:
+		logf("connection from userid %v; read-only", uid)
 		return ro
-	} else if yes {
-		logf("connection from userid %v; is local admin, has access", uid)
-		return rw
+	}
+	if adminGroupID == "" {
+		logf("connection from userid %v; no system admin group found, read-only", uid)
+		return ro
+	}
+	u, err := user.LookupId(uid)
+	if err != nil {
+		logf("connection from userid %v; failed to look up user; read-only", uid)
+		return ro
+	}
+	gids, err := u.GroupIds()
+	if err != nil {
+		logf("connection from userid %v; failed to look up groups; read-only", uid)
+		return ro
+	}
+	for _, gid := range gids {
+		if gid == adminGroupID {
+			logf("connection from userid %v; is local admin, has access", uid)
+			return rw
+		}
 	}
 	logf("connection from userid %v; read-only", uid)
 	return ro
 }

-func isLocalAdmin(uid string) (bool, error) {
-	u, err := user.LookupId(uid)
+var darwinAdminGroupIDCache atomic.Value // of string
+
+func darwinAdminGroupID() string {
+	s, _ := darwinAdminGroupIDCache.Load().(string)
+	if s != "" {
+		return s
+	}
+	g, err := user.LookupGroup("admin")
 	if err != nil {
-		return false, err
+		return ""
 	}
-	var adminGroup string
-	switch {
-	case runtime.GOOS == "darwin":
-		adminGroup = "admin"
-	case distro.Get() == distro.QNAP:
-		adminGroup = "administrators"
-	default:
-		return false, fmt.Errorf("no system admin group found")
-	}
-	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
+	darwinAdminGroupIDCache.Store(g.Gid)
+	return g.Gid
 }

 // inUseOtherUserError is the error type for when the server is in use
@@ -397,10 +414,12 @@ func (s *server) checkConnIdentityLocked(ci connIdentity) error {
 			break
 		}
 		if ci.UserID != active.UserID {
+			//lint:ignore ST1005 we want to capitalize Tailscale here
 			return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s, pid %d", active.User.Username, active.Pid)}
 		}
 	}
 	if su := s.serverModeUser; su != nil && ci.UserID != su.Uid {
+		//lint:ignore ST1005 we want to capitalize Tailscale here
 		return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s", su.Username)}
 	}
 	return nil
@@ -548,9 +567,7 @@ func (s *server) setServerModeUserLocked() {
 	}
 }

-var jsonEscapedZero = []byte(`\u0000`)
-
-func (s *server) writeToClients(n ipn.Notify) {
+func (s *server) writeToClients(b []byte) {
 	inServerMode := s.b.InServerMode()

 	s.mu.Lock()
@@ -567,17 +584,8 @@ func (s *server) writeToClients(n ipn.Notify) {
 		}
 	}

-	if len(s.clients) == 0 {
-		// Common case (at least on busy servers): nobody
-		// connected (no GUI, etc), so return before
-		// serializing JSON.
-		return
-	}
-
-	if b, ok := marshalNotify(n, s.logf); ok {
-		for c := range s.clients {
-			ipn.WriteMsg(c, b)
-		}
+	for c := range s.clients {
+		ipn.WriteMsg(c, b)
 	}
 }

@@ -663,7 +671,8 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 			errMsg := err.Error()
 			go func() {
 				defer c.Close()
-				bs := ipn.NewBackendServer(logf, nil, jsonNotifier(c, logf))
+				serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+				bs := ipn.NewBackendServer(logf, nil, serverToClient)
 				bs.SendErrorMessage(errMsg)
 				time.Sleep(time.Second)
 			}()
@@ -953,25 +962,3 @@ func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
 	}
 	return 0
 }
-
-// jsonNotifier returns a notify-writer func that writes ipn.Notify
-// messages to w.
-func jsonNotifier(w io.Writer, logf logger.Logf) func(ipn.Notify) {
-	return func(n ipn.Notify) {
-		if b, ok := marshalNotify(n, logf); ok {
-			ipn.WriteMsg(w, b)
-		}
-	}
-}
-
-func marshalNotify(n ipn.Notify, logf logger.Logf) (b []byte, ok bool) {
-	b, err := json.Marshal(n)
-	if err != nil {
-		logf("ipnserver: [unexpected] error serializing JSON: %v", err)
-		return nil, false
-	}
-	if bytes.Contains(b, jsonEscapedZero) {
-		logf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
-	}
-	return b, true
-}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -45,13 +45,6 @@ type Status struct {
 	// has MagicDNS enabled.
 	MagicDNSSuffix string

-	// CertDomains are the set of DNS names for which the control
-	// plane server will assist with provisioning TLS
-	// certificates. See SetDNSRequest for dns-01 ACME challenges
-	// for e.g. LetsEncrypt. These names are FQDNs without
-	// trailing periods, and without any "_acme-challenge." prefix.
-	CertDomains []string
-
 	Peer map[key.Public]*PeerStatus
 	User map[tailcfg.UserID]tailcfg.UserProfile
 }
@@ -72,7 +65,6 @@ type PeerStatusLite struct {
 }

 type PeerStatus struct {
-	ID        tailcfg.StableNodeID
 	PublicKey key.Public
 	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
 	DNSName   string
@@ -211,9 +203,6 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 		return
 	}

-	if v := st.ID; v != "" {
-		e.ID = v
-	}
 	if v := st.HostName; v != "" {
 		e.HostName = v
 	}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -100,10 +100,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveBugReport(w, r)
 	case "/localapi/v0/file-targets":
 		h.serveFileTargets(w, r)
-	case "/localapi/v0/set-dns":
-		h.serveSetDNS(w, r)
-	case "/localapi/v0/derpmap":
-		h.serveDERPMap(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -386,36 +382,6 @@ func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	rp.ServeHTTP(w, outReq)
 }

-func (h *Handler) serveSetDNS(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "want POST", 400)
-		return
-	}
-	ctx := r.Context()
-	err := h.b.SetDNS(ctx, r.FormValue("name"), r.FormValue("value"))
-	if err != nil {
-		writeErrorJSON(w, err)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(struct{}{})
-}
-
-func (h *Handler) serveDERPMap(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "GET" {
-		http.Error(w, "want GET", 400)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	e := json.NewEncoder(w)
-	e.SetIndent("", "\t")
-	e.Encode(h.b.DERPMap())
-}
-
 var dialPeerTransportOnce struct {
 	sync.Once
 	v *http.Transport
@@ -424,7 +390,7 @@ var dialPeerTransportOnce struct {
 func getDialPeerTransport(b *ipnlocal.LocalBackend) *http.Transport {
 	dialPeerTransportOnce.Do(func() {
 		t := http.DefaultTransport.(*http.Transport).Clone()
-		t.Dial = nil
+		t.Dial = nil //lint:ignore SA1019 yes I know I'm setting it to nil defensively
 		dialer := net.Dialer{
 			Timeout:   30 * time.Second,
 			KeepAlive: 30 * time.Second,
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -88,9 +88,9 @@ type Command struct {

 type BackendServer struct {
 	logf          logger.Logf
-	b             Backend      // the Backend we are serving up
-	sendNotifyMsg func(Notify) // send a notification message
-	GotQuit       bool         // a Quit command was received
+	b             Backend              // the Backend we are serving up
+	sendNotifyMsg func(jsonMsg []byte) // send a notification message
+	GotQuit       bool                 // a Quit command was received
 }

 // NewBackendServer creates a new BackendServer using b.
@@ -98,15 +98,13 @@ type BackendServer struct {
 // If sendNotifyMsg is non-nil, it additionally sets the Backend's
 // notification callback to call the func with ipn.Notify messages in
 // JSON form. If nil, it does not change the notification callback.
-func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *BackendServer {
+func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte)) *BackendServer {
 	bs := &BackendServer{
 		logf:          logf,
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	// b may be nil if the BackendServer is being created just to
-	// encapsulate and send an error message.
-	if sendNotifyMsg != nil && b != nil {
+	if sendNotifyMsg != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs
@@ -117,7 +115,14 @@ func (bs *BackendServer) send(n Notify) {
 		return
 	}
 	n.Version = version.Long
-	bs.sendNotifyMsg(n)
+	b, err := json.Marshal(n)
+	if err != nil {
+		log.Fatalf("Failed json.Marshal(notify): %v\n%#v", err, n)
+	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
+	}
+	bs.sendNotifyMsg(b)
 }

 func (bs *BackendServer) SendErrorMessage(msg string) {
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -7,7 +7,6 @@ package ipn
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"testing"
 	"time"

@@ -75,11 +74,7 @@ func TestClientServer(t *testing.T) {
 			bc.GotNotifyMsg(b)
 		}
 	}()
-	serverToClient := func(n Notify) {
-		b, err := json.Marshal(n)
-		if err != nil {
-			panic(err.Error())
-		}
+	serverToClient := func(b []byte) {
 		serverToClientCh <- append([]byte{}, b...)
 	}
 	clientToServer := func(b []byte) {
@@ -187,17 +182,3 @@ func TestClientServer(t *testing.T) {
 	})
 	flushUntil(Running)
 }
-
-func TestNilBackend(t *testing.T) {
-	var called *Notify
-	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
-		called = &n
-	})
-	bs.SendErrorMessage("Danger, Will Robinson!")
-	if called == nil {
-		t.Errorf("expect callback to be called, wasn't")
-	}
-	if called.ErrMessage == nil || *called.ErrMessage != "Danger, Will Robinson!" {
-		t.Errorf("callback got wrong error: %v", called.ErrMessage)
-	}
-}
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -28,7 +28,7 @@ import (
 // DefaultControlURL returns the URL base of the control plane
 // ("coordination server") for use when no explicit one is configured.
 // The default control plane is the hosted version run by Tailscale.com.
-const DefaultControlURL = "https://controlplane.tailscale.com"
+const DefaultControlURL = "https://login.tailscale.com"

 // Prefs are the user modifiable settings of the Tailscale node agent.
 type Prefs struct {
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -92,13 +92,13 @@ func TestPrefsEqual(t *testing.T) {
 		},

 		{
-			&Prefs{ControlURL: "https://controlplane.tailscale.com"},
+			&Prefs{ControlURL: "https://login.tailscale.com"},
 			&Prefs{ControlURL: "https://login.private.co"},
 			false,
 		},
 		{
-			&Prefs{ControlURL: "https://controlplane.tailscale.com"},
-			&Prefs{ControlURL: "https://controlplane.tailscale.com"},
+			&Prefs{ControlURL: "https://login.tailscale.com"},
+			&Prefs{ControlURL: "https://login.tailscale.com"},
 			true,
 		},

@@ -324,7 +324,7 @@ func TestBasicPrefs(t *testing.T) {
 	tstest.PanicOnLog()

 	p := Prefs{
-		ControlURL: "https://controlplane.tailscale.com",
+		ControlURL: "https://login.tailscale.com",
 	}
 	checkPrefs(t, p)
 }
@@ -336,7 +336,7 @@ func TestPrefsPersist(t *testing.T) {
 		LoginName: "test@example.com",
 	}
 	p := Prefs{
-		ControlURL: "https://controlplane.tailscale.com",
+		ControlURL: "https://login.tailscale.com",
 		CorpDNS:    true,
 		Persist:    &c,
 	}
--- a/logtail/filch/filch.go
+++ b/logtail/filch/filch.go
@@ -15,6 +15,7 @@ import (
 	"sync"
 )

+//lint:ignore U1000 work around false positive: https://github.com/dominikh/go-tools/issues/983
 var stderrFD = 2 // a variable for testing

 type Options struct {
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"os"
 	"strconv"
-	"sync/atomic"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -73,7 +72,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	}
 	l := &Logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    int64(cfg.StderrLevel),
+		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -104,7 +103,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 // logging facilities and uploading to a log server.
 type Logger struct {
 	stderr         io.Writer
-	stderrLevel    int64 // accessed atomically
+	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -126,8 +125,10 @@ type Logger struct {
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
 func (l *Logger) SetVerbosityLevel(level int) {
-	atomic.StoreInt64(&l.stderrLevel, int64(level))
+	l.stderrLevel = level
 }

 // SetLinkMonitor sets the optional the link monitor.
@@ -513,7 +514,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
+	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -22,26 +22,27 @@ type Config struct {
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
-	// A Routes entry with no resolvers means the route should be
-	// authoritatively answered using the contents of Hosts.
 	Routes map[dnsname.FQDN][]netaddr.IPPort
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally by
-	// 100.100.100.100 without leaving the machine.
-	// Adding an entry to Hosts merely creates the record. If you want
-	// it to resolve, you also need to add appropriate routes to
-	// Routes.
+	// Queries matching entries in Hosts are resolved locally without
+	// recursing off-machine.
 	Hosts map[dnsname.FQDN][]netaddr.IP
+	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
+	// for which the in-process Tailscale resolver is authoritative.
+	// Queries for names within AuthoritativeSuffixes can only be
+	// fulfilled by entries in Hosts. Queries with no match in Hosts
+	// return NXDOMAIN.
+	AuthoritativeSuffixes []dnsname.FQDN
 }

 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes()
+	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
 }

 func (c Config) hasRoutes() bool {
@@ -51,7 +52,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes()
+	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
 }

 func (c Config) hasDefaultResolvers() bool {
@@ -62,28 +63,44 @@ func (c Config) hasDefaultResolvers() bool {
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
 func (c Config) singleResolverSet() []netaddr.IPPort {
-	var (
-		prev            []netaddr.IPPort
-		prevInitialized bool
-	)
+	var first []netaddr.IPPort
 	for _, resolvers := range c.Routes {
-		if !prevInitialized {
-			prev = resolvers
-			prevInitialized = true
+		if first == nil {
+			first = resolvers
 			continue
 		}
-		if !sameIPPorts(prev, resolvers) {
+		if !sameIPPorts(first, resolvers) {
 			return nil
 		}
 	}
-	return prev
+	return first
 }

-// matchDomains returns the list of match suffixes needed by Routes.
+// hasHosts reports whether c requires resolution of MagicDNS hosts or
+// domains.
+func (c Config) hasHosts() bool {
+	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
+}
+
+// matchDomains returns the list of match suffixes needed by Routes,
+// AuthoritativeSuffixes. Hosts is not considered as we assume that
+// they're covered by AuthoritativeSuffixes for now.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes))
-	for suffix := range c.Routes {
+	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
+	seen := map[dnsname.FQDN]bool{}
+	for _, suffix := range c.AuthoritativeSuffixes {
+		if seen[suffix] {
+			continue
+		}
 		ret = append(ret, suffix)
+		seen[suffix] = true
+	}
+	for suffix := range c.Routes {
+		if seen[suffix] {
+			continue
+		}
+		ret = append(ret, suffix)
+		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
--- a/net/dns/direct.go
+++ b/net/dns/direct.go
@@ -2,22 +2,23 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+// +build linux freebsd openbsd
+
 package dns

 import (
 	"bufio"
 	"bytes"
-	"crypto/rand"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"runtime"
 	"strings"

 	"inet.af/netaddr"
+	"tailscale.com/atomicfile"
 	"tailscale.com/util/dnsname"
 )

@@ -76,17 +77,21 @@ func readResolv(r io.Reader) (config OSConfig, err error) {
 	return config, nil
 }

-func (m directManager) readResolvFile(path string) (OSConfig, error) {
-	b, err := m.fs.ReadFile(path)
+func readResolvFile(path string) (OSConfig, error) {
+	var config OSConfig
+
+	f, err := os.Open(path)
 	if err != nil {
-		return OSConfig{}, err
+		return config, err
 	}
-	return readResolv(bytes.NewReader(b))
+	defer f.Close()
+
+	return readResolv(f)
 }

 // readResolvConf reads DNS configuration from /etc/resolv.conf.
-func (m directManager) readResolvConf() (OSConfig, error) {
-	return m.readResolvFile(resolvConf)
+func readResolvConf() (OSConfig, error) {
+	return readResolvFile(resolvConf)
 }

 // resolvOwner returns the apparent owner of the resolv.conf
@@ -138,39 +143,33 @@ func isResolvedRunning() bool {
 	return err == nil
 }

-// directManager is an OSConfigurator which replaces /etc/resolv.conf with a file
+// directManager is a managerImpl which replaces /etc/resolv.conf with a file
 // generated from the given configuration, creating a backup of its old state.
 //
 // This way of configuring DNS is precarious, since it does not react
 // to the disappearance of the Tailscale interface.
 // The caller must call Down before program shutdown
 // or as cleanup if the program terminates unexpectedly.
-type directManager struct {
-	fs wholeFileFS
-}
+type directManager struct{}

-func newDirectManager() directManager {
-	return directManager{fs: directFS{}}
-}
-
-func newDirectManagerOnFS(fs wholeFileFS) directManager {
-	return directManager{fs: fs}
+func newDirectManager() (directManager, error) {
+	return directManager{}, nil
 }

 // ownedByTailscale reports whether /etc/resolv.conf seems to be a
 // tailscale-managed file.
 func (m directManager) ownedByTailscale() (bool, error) {
-	isRegular, err := m.fs.Stat(resolvConf)
+	st, err := os.Stat(resolvConf)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return false, nil
 		}
 		return false, err
 	}
-	if !isRegular {
+	if !st.Mode().IsRegular() {
 		return false, nil
 	}
-	bs, err := m.fs.ReadFile(resolvConf)
+	bs, err := ioutil.ReadFile(resolvConf)
 	if err != nil {
 		return false, err
 	}
@@ -183,11 +182,11 @@ func (m directManager) ownedByTailscale() (bool, error) {
 // backupConfig creates or updates a backup of /etc/resolv.conf, if
 // resolv.conf does not currently contain a Tailscale-managed config.
 func (m directManager) backupConfig() error {
-	if _, err := m.fs.Stat(resolvConf); err != nil {
+	if _, err := os.Stat(resolvConf); err != nil {
 		if os.IsNotExist(err) {
 			// No resolv.conf, nothing to back up. Also get rid of any
 			// existing backup file, to avoid restoring something old.
-			m.fs.Remove(backupConf)
+			os.Remove(backupConf)
 			return nil
 		}
 		return err
@@ -201,11 +200,11 @@ func (m directManager) backupConfig() error {
 		return nil
 	}

-	return m.fs.Rename(resolvConf, backupConf)
+	return os.Rename(resolvConf, backupConf)
 }

 func (m directManager) restoreBackup() error {
-	if _, err := m.fs.Stat(backupConf); err != nil {
+	if _, err := os.Stat(backupConf); err != nil {
 		if os.IsNotExist(err) {
 			// No backup, nothing we can do.
 			return nil
@@ -216,7 +215,7 @@ func (m directManager) restoreBackup() error {
 	if err != nil {
 		return err
 	}
-	if _, err := m.fs.Stat(resolvConf); err != nil && !os.IsNotExist(err) {
+	if _, err := os.Stat(resolvConf); err != nil && !os.IsNotExist(err) {
 		return err
 	}
 	resolvConfExists := !os.IsNotExist(err)
@@ -224,12 +223,12 @@ func (m directManager) restoreBackup() error {
 	if resolvConfExists && !owned {
 		// There's already a non-tailscale config in place, get rid of
 		// our backup.
-		m.fs.Remove(backupConf)
+		os.Remove(backupConf)
 		return nil
 	}

 	// We own resolv.conf, and a backup exists.
-	if err := m.fs.Rename(backupConf, resolvConf); err != nil {
+	if err := os.Rename(backupConf, resolvConf); err != nil {
 		return err
 	}

@@ -248,7 +247,7 @@ func (m directManager) SetDNS(config OSConfig) error {

 		buf := new(bytes.Buffer)
 		writeResolvConf(buf, config.Nameservers, config.SearchDomains)
-		if err := atomicWriteFile(m.fs, resolvConf, buf.Bytes(), 0644); err != nil {
+		if err := atomicfile.WriteFile(resolvConf, buf.Bytes(), 0644); err != nil {
 			return err
 		}
 	}
@@ -280,7 +279,7 @@ func (m directManager) GetBaseConfig() (OSConfig, error) {
 		fileToRead = backupConf
 	}

-	return m.readResolvFile(fileToRead)
+	return readResolvFile(fileToRead)
 }

 func (m directManager) Close() error {
@@ -288,9 +287,9 @@ func (m directManager) Close() error {
 	// to it, but then we stopped because /etc/resolv.conf being a
 	// symlink to surprising places breaks snaps and other sandboxing
 	// things. Clean it up if it's still there.
-	m.fs.Remove("/etc/resolv.tailscale.conf")
+	os.Remove("/etc/resolv.tailscale.conf")

-	if _, err := m.fs.Stat(backupConf); err != nil {
+	if _, err := os.Stat(backupConf); err != nil {
 		if os.IsNotExist(err) {
 			// No backup, nothing we can do.
 			return nil
@@ -301,7 +300,7 @@ func (m directManager) Close() error {
 	if err != nil {
 		return err
 	}
-	_, err = m.fs.Stat(resolvConf)
+	_, err = os.Stat(resolvConf)
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}
@@ -310,12 +309,12 @@ func (m directManager) Close() error {
 	if resolvConfExists && !owned {
 		// There's already a non-tailscale config in place, get rid of
 		// our backup.
-		m.fs.Remove(backupConf)
+		os.Remove(backupConf)
 		return nil
 	}

 	// We own resolv.conf, and a backup exists.
-	if err := m.fs.Rename(backupConf, resolvConf); err != nil {
+	if err := os.Rename(backupConf, resolvConf); err != nil {
 		return err
 	}

@@ -325,63 +324,3 @@ func (m directManager) Close() error {

 	return nil
 }
-
-func atomicWriteFile(fs wholeFileFS, filename string, data []byte, perm os.FileMode) error {
-	var randBytes [12]byte
-	if _, err := rand.Read(randBytes[:]); err != nil {
-		return fmt.Errorf("atomicWriteFile: %w", err)
-	}
-
-	tmpName := fmt.Sprintf("%s.%x.tmp", filename, randBytes[:])
-	defer fs.Remove(tmpName)
-
-	if err := fs.WriteFile(tmpName, data, perm); err != nil {
-		return fmt.Errorf("atomicWriteFile: %w", err)
-	}
-	return fs.Rename(tmpName, filename)
-}
-
-// wholeFileFS is a high-level file system abstraction designed just for use
-// by directManager, with the goal that it is easy to implement over wsl.exe.
-//
-// All name parameters are absolute paths.
-type wholeFileFS interface {
-	Stat(name string) (isRegular bool, err error)
-	Rename(oldName, newName string) error
-	Remove(name string) error
-	ReadFile(name string) ([]byte, error)
-	WriteFile(name string, contents []byte, perm os.FileMode) error
-}
-
-// directFS is a wholeFileFS implemented directly on the OS.
-type directFS struct {
-	// prefix is file path prefix.
-	//
-	// All name parameters are absolute paths so this is typically a
-	// testing temporary directory like "/tmp".
-	prefix string
-}
-
-func (fs directFS) path(name string) string { return filepath.Join(fs.prefix, name) }
-
-func (fs directFS) Stat(name string) (isRegular bool, err error) {
-	fi, err := os.Stat(fs.path(name))
-	if err != nil {
-		return false, err
-	}
-	return fi.Mode().IsRegular(), nil
-}
-
-func (fs directFS) Rename(oldName, newName string) error {
-	return os.Rename(fs.path(oldName), fs.path(newName))
-}
-
-func (fs directFS) Remove(name string) error { return os.Remove(fs.path(name)) }
-
-func (fs directFS) ReadFile(name string) ([]byte, error) {
-	return ioutil.ReadFile(fs.path(name))
-}
-
-func (fs directFS) WriteFile(name string, contents []byte, perm os.FileMode) error {
-	return ioutil.WriteFile(fs.path(name), contents, perm)
-}
--- a/net/dns/direct_test.go
+++ b/net/dns/direct_test.go
@@ -1,83 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"inet.af/netaddr"
-	"tailscale.com/util/dnsname"
-)
-
-func TestSetDNS(t *testing.T) {
-	const orig = "nameserver 9.9.9.9 # orig"
-	tmp := t.TempDir()
-	resolvPath := filepath.Join(tmp, "etc", "resolv.conf")
-	backupPath := filepath.Join(tmp, "etc", "resolv.pre-tailscale-backup.conf")
-
-	if err := os.MkdirAll(filepath.Dir(resolvPath), 0777); err != nil {
-		t.Fatal(err)
-	}
-	if err := ioutil.WriteFile(resolvPath, []byte(orig), 0644); err != nil {
-		t.Fatal(err)
-	}
-
-	readFile := func(t *testing.T, path string) string {
-		t.Helper()
-		b, err := ioutil.ReadFile(path)
-		if err != nil {
-			t.Fatal(err)
-		}
-		return string(b)
-	}
-	assertBaseState := func(t *testing.T) {
-		if got := readFile(t, resolvPath); got != orig {
-			t.Fatalf("resolv.conf:\n%s, want:\n%s", got, orig)
-		}
-		if _, err := os.Stat(backupPath); !os.IsNotExist(err) {
-			t.Fatalf("resolv.conf backup: want it to be gone but: %v", err)
-		}
-	}
-
-	m := directManager{fs: directFS{prefix: tmp}}
-	if err := m.SetDNS(OSConfig{
-		Nameservers:   []netaddr.IP{netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("8.8.4.4")},
-		SearchDomains: []dnsname.FQDN{"ts.net.", "ts-dns.test."},
-		MatchDomains:  []dnsname.FQDN{"ignored."},
-	}); err != nil {
-		t.Fatal(err)
-	}
-	want := `# resolv.conf(5) file generated by tailscale
-# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN
-
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-search ts.net ts-dns.test
-`
-	if got := readFile(t, resolvPath); got != want {
-		t.Fatalf("resolv.conf:\n%s, want:\n%s", got, want)
-	}
-	if got := readFile(t, backupPath); got != orig {
-		t.Fatalf("resolv.conf backup:\n%s, want:\n%s", got, orig)
-	}
-
-	// Test that a nil OSConfig cleans up resolv.conf.
-	if err := m.SetDNS(OSConfig{}); err != nil {
-		t.Fatal(err)
-	}
-	assertBaseState(t)
-
-	// Test that Close cleans up resolv.conf.
-	if err := m.SetDNS(OSConfig{Nameservers: []netaddr.IP{netaddr.MustParseIP("8.8.8.8")}}); err != nil {
-		t.Fatal(err)
-	}
-	if err := m.Close(); err != nil {
-		t.Fatal(err)
-	}
-	assertBaseState(t)
-}
--- a/net/dns/ini.go
+++ b/net/dns/ini.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"regexp"
-	"strings"
-)
-
-// parseIni parses a basic .ini file, used for wsl.conf.
-func parseIni(data string) map[string]map[string]string {
-	sectionRE := regexp.MustCompile(`^\[([^]]+)\]`)
-	kvRE := regexp.MustCompile(`^\s*(\w+)\s*=\s*([^#]*)`)
-
-	ini := map[string]map[string]string{}
-	var section string
-	for _, line := range strings.Split(data, "\n") {
-		if res := sectionRE.FindStringSubmatch(line); len(res) > 1 {
-			section = res[1]
-			ini[section] = map[string]string{}
-		} else if res := kvRE.FindStringSubmatch(line); len(res) > 2 {
-			k, v := strings.TrimSpace(res[1]), strings.TrimSpace(res[2])
-			ini[section][k] = v
-		}
-	}
-	return ini
-}
--- a/net/dns/ini_test.go
+++ b/net/dns/ini_test.go
@@ -1,37 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestParseIni(t *testing.T) {
-	var tests = []struct {
-		src  string
-		want map[string]map[string]string
-	}{
-		{
-			src: `# appended wsl.conf file
-[automount]
-	enabled = true
-	root=/mnt/
-# added by tailscale
-[network] # trailing comment
-generateResolvConf = false  # trailing comment`,
-			want: map[string]map[string]string{
-				"automount": map[string]string{"enabled": "true", "root": "/mnt/"},
-				"network":   map[string]string{"generateResolvConf": "false"},
-			},
-		},
-	}
-	for _, test := range tests {
-		got := parseIni(test.src)
-		if !reflect.DeepEqual(got, test.want) {
-			t.Errorf("for:\n%s\ngot:  %v\nwant: %v", test.src, got, test.want)
-		}
-	}
-}
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -6,6 +6,7 @@ package dns

 import (
 	"runtime"
+	"strings"
 	"time"

 	"inet.af/netaddr"
@@ -20,6 +21,8 @@ import (
 // the lint exception is necessary and on others it is not,
 // and plain ignore complains if the exception is unnecessary.

+//lint:file-ignore U1000 reconfigTimeout is used on some platforms but not others
+
 // reconfigTimeout is the time interval within which Manager.{Up,Down} should complete.
 //
 // This is particularly useful because certain conditions can cause indefinite hangs
@@ -38,11 +41,11 @@ type Manager struct {
 }

 // NewManagers created a new manager from the given config.
-func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon, linkSel resolver.ForwardLinkSelector) *Manager {
+func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon) *Manager {
 	logf = logger.WithPrefix(logf, "dns: ")
 	m := &Manager{
 		logf:     logf,
-		resolver: resolver.New(logf, linkMon, linkSel),
+		resolver: resolver.New(logf, linkMon),
 		os:       oscfg,
 	}
 	m.logf("using %T", m.os)
@@ -72,40 +75,40 @@ func (m *Manager) Set(cfg Config) error {

 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
-	// The internal resolver always gets MagicDNS hosts and
-	// authoritative suffixes, even if we don't propagate MagicDNS to
-	// the OS.
-	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]netaddr.IPPort{} // assigned conditionally to rcfg.Routes below.
-	for suffix, resolvers := range cfg.Routes {
-		if len(resolvers) == 0 {
-			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
-		} else {
-			routes[suffix] = resolvers
-		}
-	}
-	// Similarly, the OS always gets search paths.
-	ocfg.SearchDomains = cfg.SearchDomains
-
+func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg.Routes = routes
-		rcfg.Routes["."] = cfg.DefaultResolvers
-		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+		rcfg := resolver.Config{
+			Routes: map[dnsname.FQDN][]netaddr.IPPort{
+				".": cfg.DefaultResolvers,
+			},
+			Hosts:        cfg.Hosts,
+			LocalDomains: cfg.AuthoritativeSuffixes,
+		}
+		for suffix, resolvers := range cfg.Routes {
+			rcfg.Routes[suffix] = resolvers
+		}
+		ocfg := OSConfig{
+			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+			SearchDomains: cfg.SearchDomains,
+		}
 		return rcfg, ocfg, nil
 	}

@@ -113,6 +116,8 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
+	var rcfg resolver.Config
+	var ocfg OSConfig

 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -130,19 +135,35 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+
+	// The windows check is for
+	// . See also below
+	// for further routing workarounds there.
+	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
-		ocfg.MatchDomains = cfg.matchDomains()
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
+			SearchDomains: cfg.SearchDomains,
+			MatchDomains:  cfg.matchDomains(),
+		}, nil
 	}

 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg.Routes = routes
-	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+	rcfg = resolver.Config{
+		Hosts:        cfg.Hosts,
+		LocalDomains: cfg.AuthoritativeSuffixes,
+		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
+	}
+	for suffix, resolvers := range cfg.Routes {
+		rcfg.Routes[suffix] = resolvers
+	}
+	ocfg = OSConfig{
+		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+		SearchDomains: cfg.SearchDomains,
+	}

 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -152,7 +173,28 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			return resolver.Config{}, OSConfig{}, err
+			// Temporary hack to make OSes where split-DNS isn't fully
+			// implemented yet not completely crap out, but instead
+			// fall back to quad-9 as a hardcoded "backup resolver".
+			//
+			// This codepath currently only triggers when opted into
+			// the split-DNS feature server side, and when at least
+			// one search domain is something within tailscale.com, so
+			// we don't accidentally leak unstable user DNS queries to
+			// quad-9 if we accidentally go down this codepath.
+			canUseHack := false
+			for _, dom := range cfg.SearchDomains {
+				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
+					canUseHack = true
+					break
+				}
+			}
+			if !canUseHack {
+				return resolver.Config{}, OSConfig{}, err
+			}
+			bcfg = OSConfig{
+				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
+			}
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -169,7 +211,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 	ret = make([]netaddr.IP, 0, len(ipps))
 	for _, ipp := range ipps {
-		ret = append(ret, ipp.IP())
+		ret = append(ret, ipp.IP)
 	}
 	return ret
 }
@@ -177,7 +219,7 @@ func toIPsOnly(ipps []netaddr.IPPort) (ret []netaddr.IP) {
 func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
 	ret = make([]netaddr.IPPort, 0, len(ips))
 	for _, ip := range ips {
-		ret = append(ret, netaddr.IPPortFrom(ip, 53))
+		ret = append(ret, netaddr.IPPort{IP: ip, Port: 53})
 	}
 	return ret
 }
@@ -207,7 +249,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, nil)
+	dns := NewManager(logf, oscfg, nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}
--- a/net/dns/manager_freebsd.go
+++ b/net/dns/manager_freebsd.go
@@ -15,7 +15,7 @@ import (
 func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
 	bs, err := ioutil.ReadFile("/etc/resolv.conf")
 	if os.IsNotExist(err) {
-		return newDirectManager(), nil
+		return newDirectManager()
 	}
 	if err != nil {
 		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
@@ -25,6 +25,6 @@ func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
 	case "resolvconf":
 		return newResolvconfManager(logf)
 	default:
-		return newDirectManager(), nil
+		return newDirectManager()
 	}
 }
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -5,6 +5,7 @@
 package dns

 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -14,7 +15,6 @@ import (
 	"time"

 	"github.com/godbus/dbus/v5"
-	"inet.af/netaddr"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cmpver"
 )
@@ -42,7 +42,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	bs, err := ioutil.ReadFile("/etc/resolv.conf")
 	if os.IsNotExist(err) {
 		dbg("rc", "missing")
-		return newDirectManager(), nil
+		return newDirectManager()
 	}
 	if err != nil {
 		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
@@ -51,27 +51,18 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	switch resolvOwner(bs) {
 	case "systemd-resolved":
 		dbg("rc", "resolved")
-		// Some systems, for reasons known only to them, have a
-		// resolv.conf that has the word "systemd-resolved" in its
-		// header, but doesn't actually point to resolved. We mustn't
-		// try to program resolved in that case.
-		// https://github.com/tailscale/tailscale/issues/2136
-		if err := resolvedIsActuallyResolver(); err != nil {
-			dbg("resolved", "not-in-use")
-			return newDirectManager(), nil
-		}
 		if err := dbusPing("org.freedesktop.resolve1", "/org/freedesktop/resolve1"); err != nil {
 			dbg("resolved", "no")
-			return newDirectManager(), nil
+			return newDirectManager()
 		}
 		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
 			dbg("nm", "no")
-			return newResolvedManager(logf, interfaceName)
+			return newResolvedManager(logf)
 		}
 		dbg("nm", "yes")
 		if err := nmIsUsingResolved(); err != nil {
 			dbg("nm-resolved", "no")
-			return newResolvedManager(logf, interfaceName)
+			return newResolvedManager(logf)
 		}
 		dbg("nm-resolved", "yes")

@@ -88,69 +79,109 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		// "unmanaged" interfaces - meaning NM 1.26.6 and later
 		// actively ignore DNS configuration we give it. So, for those
 		// NM versions, we can and must use resolved directly.
-		//
-		// Even more fun, even-older versions of NM won't let us set
-		// DNS settings if the interface isn't managed by NM, with a
-		// hard failure on DBus requests. Empirically, NM 1.22 does
-		// this. Based on the versions popular distros shipped, we
-		// conservatively decree that only 1.26.0 through 1.26.5 are
-		// "safe" to use for our purposes. This roughly matches
-		// distros released in the latter half of 2020.
-		//
-		// In a perfect world, we'd avoid this by replacing
-		// configuration out from under NM entirely (e.g. using
-		// directManager to overwrite resolv.conf), but in a world
-		// where resolved runs, we need to get correct configuration
-		// into resolved regardless of what's in resolv.conf (because
-		// resolved can also be queried over dbus, or via an NSS
-		// module that bypasses /etc/resolv.conf). Given that we must
-		// get correct configuration into resolved, we have no choice
-		// but to use NM, and accept the loss of IPv6 configuration
-		// that comes with it (see
-		// https://github.com/tailscale/tailscale/issues/1699,
-		// https://github.com/tailscale/tailscale/pull/1945)
-		safe, err := nmVersionBetween("1.26.0", "1.26.5")
+		old, err := nmVersionOlderThan("1.26.6")
 		if err != nil {
 			// Failed to figure out NM's version, can't make a correct
 			// decision.
 			return nil, fmt.Errorf("checking NetworkManager version: %v", err)
 		}
-		if safe {
-			dbg("nm-safe", "yes")
+		if old {
+			dbg("nm-old", "yes")
 			return newNMManager(interfaceName)
 		}
-		dbg("nm-safe", "no")
-		return newResolvedManager(logf, interfaceName)
+		dbg("nm-old", "no")
+		return newResolvedManager(logf)
 	case "resolvconf":
 		dbg("rc", "resolvconf")
+		if err := resolvconfSourceIsNM(bs); err == nil {
+			dbg("src-is-nm", "yes")
+			if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err == nil {
+				dbg("nm", "yes")
+				old, err := nmVersionOlderThan("1.26.6")
+				if err != nil {
+					return nil, fmt.Errorf("checking NetworkManager version: %v", err)
+				}
+				if old {
+					dbg("nm-old", "yes")
+					return newNMManager(interfaceName)
+				} else {
+					dbg("nm-old", "no")
+				}
+			} else {
+				dbg("nm", "no")
+			}
+		} else {
+			dbg("src-is-nm", "no")
+		}
 		if _, err := exec.LookPath("resolvconf"); err != nil {
 			dbg("resolvconf", "no")
-			return newDirectManager(), nil
+			return newDirectManager()
 		}
 		dbg("resolvconf", "yes")
 		return newResolvconfManager(logf)
 	case "NetworkManager":
-		// You'd think we would use newNMManager somewhere in
-		// here. However, as explained in
-		// https://github.com/tailscale/tailscale/issues/1699 , using
-		// NetworkManager for DNS configuration carries with it the
-		// cost of losing IPv6 configuration on the Tailscale network
-		// interface. So, when we can avoid it, we bypass
-		// NetworkManager by replacing resolv.conf directly.
-		//
-		// If you ever try to put NMManager back here, keep in mind
-		// that versions >=1.26.6 will ignore DNS configuration
-		// anyway, so you still need a fallback path that uses
-		// directManager.
 		dbg("rc", "nm")
-		return newDirectManager(), nil
+		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
+			dbg("nm", "no")
+			return newDirectManager()
+		}
+		dbg("nm", "yes")
+		old, err := nmVersionOlderThan("1.26.6")
+		if err != nil {
+			return nil, fmt.Errorf("checking NetworkManager version: %v", err)
+		}
+		if old {
+			dbg("nm-old", "yes")
+			return newNMManager(interfaceName)
+		}
+		dbg("nm-old", "no")
+		return newDirectManager()
 	default:
 		dbg("rc", "unknown")
-		return newDirectManager(), nil
+		return newDirectManager()
 	}
 }

-func nmVersionBetween(first, last string) (bool, error) {
+func resolvconfSourceIsNM(resolvDotConf []byte) error {
+	b := bytes.NewBuffer(resolvDotConf)
+	cfg, err := readResolv(b)
+	if err != nil {
+		return fmt.Errorf("parsing /etc/resolv.conf: %w", err)
+	}
+
+	var (
+		paths = []string{
+			"/etc/resolvconf/run/interface/NetworkManager",
+			"/run/resolvconf/interface/NetworkManager",
+			"/var/run/resolvconf/interface/NetworkManager",
+			"/run/resolvconf/interfaces/NetworkManager",
+			"/var/run/resolvconf/interfaces/NetworkManager",
+		}
+		nmCfg OSConfig
+		found bool
+	)
+	for _, path := range paths {
+		nmCfg, err = readResolvFile(path)
+		if os.IsNotExist(err) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		found = true
+		break
+	}
+	if !found {
+		return errors.New("NetworkManager resolvconf snippet not found")
+	}
+
+	if !nmCfg.Equal(cfg) {
+		return errors.New("NetworkManager config not applied by resolvconf")
+	}
+
+	return nil
+}
+
+func nmVersionOlderThan(want string) (bool, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
 		// DBus probably not running.
@@ -168,8 +199,7 @@ func nmVersionBetween(first, last string) (bool, error) {
 		return false, fmt.Errorf("unexpected type %T for NM version", v.Value())
 	}

-	outside := cmpver.Compare(version, first) < 0 || cmpver.Compare(version, last) > 0
-	return !outside, nil
+	return cmpver.Compare(version, want) < 0, nil
 }

 func nmIsUsingResolved() error {
@@ -194,17 +224,6 @@ func nmIsUsingResolved() error {
 	return nil
 }

-func resolvedIsActuallyResolver() error {
-	cfg, err := newDirectManager().readResolvConf()
-	if err != nil {
-		return err
-	}
-	if len(cfg.Nameservers) != 1 || cfg.Nameservers[0] != netaddr.IPv4(127, 0, 0, 53) {
-		return errors.New("resolv.conf doesn't point to systemd-resolved")
-	}
-	return nil
-}
-
 func dbusPing(name, objectPath string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
--- a/net/dns/manager_openbsd.go
+++ b/net/dns/manager_openbsd.go
@@ -7,5 +7,5 @@ package dns
 import "tailscale.com/types/logger"

 func NewOSConfigurator(logger.Logf, string) (OSConfigurator, error) {
-	return newDirectManager(), nil
+	return newDirectManager()
 }
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -76,20 +76,6 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
-		{
-			// Regression test for https://github.com/tailscale/tailscale/issues/1886
-			name: "hosts-only",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-			rs: resolver.Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-		},
 		{
 			name: "corp",
 			in: Config{
@@ -118,10 +104,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			os: OSConfig{
 				Nameservers:   mustIPs("100.100.100.100"),
@@ -140,10 +126,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			split: true,
 			os: OSConfig{
@@ -275,8 +261,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -300,8 +286,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -319,11 +305,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -346,13 +333,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -376,18 +362,17 @@ func TestManager(t *testing.T) {
 				SplitDNS:   test.split,
 				BaseConfig: test.bs,
 			}
-			m := NewManager(t.Logf, &f, nil, nil)
+			m := NewManager(t.Logf, &f, nil)
 			m.resolver.TestOnlySetHook(f.SetResolver)

 			if err := m.Set(test.in); err != nil {
 				t.Fatalf("m.Set: %v", err)
 			}
-			trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-			trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string { return ipp.String() })
-			if diff := cmp.Diff(f.OSConfig, test.os, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			tr := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
+			if diff := cmp.Diff(f.OSConfig, test.os, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
 			}
-			if diff := cmp.Diff(f.ResolverConfig, test.rs, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
+			if diff := cmp.Diff(f.ResolverConfig, test.rs, tr, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong resolver.Config (-got+want)\n%s", diff)
 			}
 		})
@@ -443,12 +428,7 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
 	var key dnsname.FQDN
 	ret = map[dnsname.FQDN][]netaddr.IPPort{}
 	for _, s := range strs {
-		if s == "" {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = nil
-		} else if ipp, err := netaddr.ParseIPPort(s); err == nil {
+		if ipp, err := netaddr.ParseIPPort(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@@ -35,18 +35,16 @@ const (
 )

 type windowsManager struct {
-	logf       logger.Logf
-	guid       string
-	nrptWorks  bool
-	wslManager *wslManager
+	logf      logger.Logf
+	guid      string
+	nrptWorks bool
 }

 func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator, error) {
 	ret := windowsManager{
-		logf:       logf,
-		guid:       interfaceName,
-		nrptWorks:  isWindows10OrBetter(),
-		wslManager: newWSLManager(logf),
+		logf:      logf,
+		guid:      interfaceName,
+		nrptWorks: !isWindows7(),
 	}

 	// Best-effort: if our NRPT rule exists, try to delete it. Unlike
@@ -59,13 +57,6 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator,
 		ret.delKey(nrptBase)
 	}

-	// Log WSL status once at startup.
-	if distros, err := wslDistros(); err != nil {
-		logf("WSL: could not list distributions: %v", err)
-	} else {
-		logf("WSL: found %d distributions", len(distros))
-	}
-
 	return ret, nil
 }

@@ -305,16 +296,6 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {
 		}
 	}()

-	// On initial setup of WSL, the restart caused by --shutdown is slow,
-	// so we do it out-of-line.
-	go func() {
-		if err := m.wslManager.SetDNS(cfg); err != nil {
-			m.logf("WSL SetDNS: %v", err) // continue
-		} else {
-			m.logf("WSL SetDNS: success")
-		}
-	}()
-
 	return nil
 }

@@ -426,16 +407,22 @@ var siteLocalResolvers = []netaddr.IP{
 	netaddr.MustParseIP("fec0:0:0:ffff::3"),
 }

-func isWindows10OrBetter() bool {
+func isWindows7() bool {
 	key, err := registry.OpenKey(registry.LOCAL_MACHINE, versionKey, registry.READ)
 	if err != nil {
-		// Fail safe, assume old Windows.
-		return false
+		// Fail safe, assume Windows 7.
+		return true
 	}
-	// This key above only exists in Windows 10 and above. Its mere
-	// presence is good enough.
-	if _, _, err := key.GetIntegerValue("CurrentMajorVersionNumber"); err != nil {
-		return false
+	ver, _, err := key.GetStringValue("CurrentVersion")
+	if err != nil {
+		return true
 	}
-	return true
+	// Careful to not assume anything about version numbers beyond
+	// 6.3, Microsoft deprecated this registry key and locked its
+	// value to what it was in Windows 8.1. We can only use this to
+	// probe for versions before that. Good thing we only need Windows
+	// 7 (so far).
+	//
+	// And yes, Windows 7 is version 6.1. Don't ask.
+	return ver == "6.1"
 }
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -4,6 +4,8 @@

 // +build linux

+//lint:file-ignore U1000 refactoring, temporarily unused code.
+
 package dns

 import (
@@ -173,12 +175,9 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 		search = append(search, "~.")
 	}

-	// Ideally we would like to disable LLMNR and mdns on the
-	// interface here, but older NetworkManagers don't understand
-	// those settings and choke on them, so we don't. Both LLMNR and
-	// mdns will fail since tailscale0 doesn't do multicast, so it's
-	// effectively fine. We used to try and enforce LLMNR and mdns
-	// settings here, but that led to #1870.
+	general := settings["connection"]
+	general["llmnr"] = dbus.MakeVariant(0)
+	general["mdns"] = dbus.MakeVariant(0)

 	ipv4Map := settings["ipv4"]
 	ipv4Map["dns"] = dbus.MakeVariant(dnsv4)
@@ -248,7 +247,7 @@ func (m *nmManager) trySet(ctx context.Context, config OSConfig) error {
 	}

 	if call := device.CallWithContext(ctx, "org.freedesktop.NetworkManager.Device.Reapply", 0, settings, version, uint32(0)); call.Err != nil {
-		return fmt.Errorf("reapply: %w", call.Err)
+		return fmt.Errorf("reapply: %w", err)
 	}

 	return nil
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -4,17 +4,19 @@

 // +build linux

+//lint:file-ignore U1000 refactoring, temporarily unused code.
+
 package dns

 import (
 	"context"
 	"errors"
 	"fmt"
-	"net"

 	"github.com/godbus/dbus/v5"
 	"golang.org/x/sys/unix"
 	"inet.af/netaddr"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )
@@ -67,7 +69,7 @@ func isResolvedActive() bool {
 		return false
 	}

-	config, err := newDirectManager().readResolvConf()
+	config, err := readResolvConf()
 	if err != nil {
 		return false
 	}
@@ -80,35 +82,39 @@ func isResolvedActive() bool {
 	return false
 }

-// resolvedManager is an OSConfigurator which uses the systemd-resolved DBus API.
+// resolvedManager uses the systemd-resolved DBus API.
 type resolvedManager struct {
 	logf     logger.Logf
-	ifidx    int
 	resolved dbus.BusObject
 }

-func newResolvedManager(logf logger.Logf, interfaceName string) (*resolvedManager, error) {
+func newResolvedManager(logf logger.Logf) (*resolvedManager, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
 		return nil, err
 	}

-	iface, err := net.InterfaceByName(interfaceName)
-	if err != nil {
-		return nil, err
-	}
-
 	return &resolvedManager{
 		logf:     logf,
-		ifidx:    iface.Index,
 		resolved: conn.Object("org.freedesktop.resolve1", dbus.ObjectPath("/org/freedesktop/resolve1")),
 	}, nil
 }

+// Up implements managerImpl.
 func (m *resolvedManager) SetDNS(config OSConfig) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

+	// In principle, we could persist this in the manager struct
+	// if we knew that interface indices are persistent. This does not seem to be the case.
+	_, iface, err := interfaces.Tailscale()
+	if err != nil {
+		return fmt.Errorf("getting interface index: %w", err)
+	}
+	if iface == nil {
+		return errNotReady
+	}
+
 	var linkNameservers = make([]resolvedLinkNameserver, len(config.Nameservers))
 	for i, server := range config.Nameservers {
 		ip := server.As16()
@@ -125,9 +131,9 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 		}
 	}

-	err := m.resolved.CallWithContext(
+	err = m.resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDNS", 0,
-		m.ifidx, linkNameservers,
+		iface.Index, linkNameservers,
 	).Store()
 	if err != nil {
 		return fmt.Errorf("setLinkDNS: %w", err)
@@ -168,13 +174,13 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {

 	err = m.resolved.CallWithContext(
 		ctx, "org.freedesktop.resolve1.Manager.SetLinkDomains", 0,
-		m.ifidx, linkDomains,
+		iface.Index, linkDomains,
 	).Store()
 	if err != nil {
 		return fmt.Errorf("setLinkDomains: %w", err)
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDefaultRoute", 0, m.ifidx, len(config.MatchDomains) == 0); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDefaultRoute", 0, iface.Index, len(config.MatchDomains) == 0); call.Err != nil {
 		return fmt.Errorf("setLinkDefaultRoute: %w", err)
 	}

@@ -183,22 +189,22 @@ func (m *resolvedManager) SetDNS(config OSConfig) error {
 	// or something).

 	// Disable LLMNR, we don't do multicast.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkLLMNR", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkLLMNR", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable LLMNR: %v", call.Err)
 	}

 	// Disable mdns.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkMulticastDNS", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkMulticastDNS", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable mdns: %v", call.Err)
 	}

 	// We don't support dnssec consistently right now, force it off to
 	// avoid partial failures when we split DNS internally.
-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSSEC", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSSEC", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable DNSSEC: %v", call.Err)
 	}

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSOverTLS", 0, m.ifidx, "no"); call.Err != nil {
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.SetLinkDNSOverTLS", 0, iface.Index, "no"); call.Err != nil {
 		m.logf("[v1] failed to disable DoT: %v", call.Err)
 	}

@@ -221,7 +227,15 @@ func (m *resolvedManager) Close() error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
 	defer cancel()

-	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0, m.ifidx); call.Err != nil {
+	_, iface, err := interfaces.Tailscale()
+	if err != nil {
+		return fmt.Errorf("getting interface index: %w", err)
+	}
+	if iface == nil {
+		return errNotReady
+	}
+
+	if call := m.resolved.CallWithContext(ctx, "org.freedesktop.resolve1.Manager.RevertLink", 0, iface.Index); call.Err != nil {
 		return fmt.Errorf("RevertLink: %w", call.Err)
 	}

--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -9,8 +9,8 @@ import (
 	"context"
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"hash/crc32"
-	"io"
 	"math/rand"
 	"net"
 	"sync"
@@ -18,21 +18,31 @@ import (

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
+	"tailscale.com/logtail/backoff"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/wgengine/monitor"
 )

 // headerBytes is the number of bytes in a DNS message header.
 const headerBytes = 12

+// connCount is the number of UDP connections to use for forwarding.
+const connCount = 32
+
 const (
+	// cleanupInterval is the interval between purged of timed-out entries from txMap.
+	cleanupInterval = 30 * time.Second
 	// responseTimeout is the maximal amount of time to wait for a DNS response.
 	responseTimeout = 5 * time.Second
 )

 var errNoUpstreams = errors.New("upstream nameservers not set")

+type forwardingRecord struct {
+	src       netaddr.IPPort
+	createdAt time.Time
+}
+
 // txid identifies a DNS transaction.
 //
 // As the standard DNS Request ID is only 16 bits, we extend it:
@@ -88,218 +98,160 @@ func getTxID(packet []byte) txid {
 	return (txid(hash) << 32) | txid(dnsid)
 }

-// clampEDNSSize attempts to limit the maximum EDNS response size. This is not
-// an exhaustive solution, instead only easy cases are currently handled in the
-// interest of speed and reduced complexity. Only OPT records at the very end of
-// the message with no option codes are addressed.
-// TODO: handle more situations if we discover that they happen often
-func clampEDNSSize(packet []byte, maxSize uint16) {
-	// optFixedBytes is the size of an OPT record with no option codes.
-	const optFixedBytes = 11
-	const edns0Version = 0
-
-	if len(packet) < headerBytes+optFixedBytes {
-		return
-	}
-
-	arCount := binary.BigEndian.Uint16(packet[10:12])
-	if arCount == 0 {
-		// OPT shows up in an AR, so there must be no OPT
-		return
-	}
-
-	opt := packet[len(packet)-optFixedBytes:]
-
-	if opt[0] != 0 {
-		// OPT NAME must be 0 (root domain)
-		return
-	}
-	if dns.Type(binary.BigEndian.Uint16(opt[1:3])) != dns.TypeOPT {
-		// Not an OPT record
-		return
-	}
-	requestedSize := binary.BigEndian.Uint16(opt[3:5])
-	// Ignore extended RCODE in opt[5]
-	if opt[6] != edns0Version {
-		// Be conservative and don't touch unknown versions.
-		return
-	}
-	// Ignore flags in opt[7:9]
-	if binary.BigEndian.Uint16(opt[10:12]) != 0 {
-		// RDLEN must be 0 (no variable length data). We're at the end of the
-		// packet so this should be 0 anyway)..
-		return
-	}
-
-	if requestedSize <= maxSize {
-		return
-	}
-
-	// Clamp the maximum size
-	binary.BigEndian.PutUint16(opt[3:5], maxSize)
-}
-
 type route struct {
-	Suffix    dnsname.FQDN
-	Resolvers []netaddr.IPPort
+	suffix    dnsname.FQDN
+	resolvers []netaddr.IPPort
 }

 // forwarder forwards DNS packets to a number of upstream nameservers.
 type forwarder struct {
-	logf    logger.Logf
-	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector
-
-	ctx       context.Context    // good until Close
-	ctxCancel context.CancelFunc // closes ctx
+	logf logger.Logf

 	// responses is a channel by which responses are returned.
 	responses chan packet
+	// closed signals all goroutines to stop.
+	closed chan struct{}
+	// wg signals when all goroutines have stopped.
+	wg sync.WaitGroup

-	mu sync.Mutex // guards following
+	// conns are the UDP connections used for forwarding.
+	// A random one is selected for each request, regardless of the target upstream.
+	conns []*fwdConn

-	// routes are per-suffix resolvers to use, with
-	// the most specific routes first.
-	routes []route
+	mu sync.Mutex
+	// routes are per-suffix resolvers to use.
+	routes []route                   // most specific routes first
+	txMap  map[txid]forwardingRecord // txids to in-flight requests
 }

 func init() {
 	rand.Seed(time.Now().UnixNano())
 }

-func newForwarder(logf logger.Logf, responses chan packet, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *forwarder {
-	f := &forwarder{
+func newForwarder(logf logger.Logf, responses chan packet) *forwarder {
+	ret := &forwarder{
 		logf:      logger.WithPrefix(logf, "forward: "),
-		linkMon:   linkMon,
-		linkSel:   linkSel,
 		responses: responses,
+		closed:    make(chan struct{}),
+		conns:     make([]*fwdConn, connCount),
+		txMap:     make(map[txid]forwardingRecord),
 	}
-	f.ctx, f.ctxCancel = context.WithCancel(context.Background())
-	return f
+
+	ret.wg.Add(connCount + 1)
+	for idx := range ret.conns {
+		ret.conns[idx] = newFwdConn(ret.logf, idx)
+		go ret.recv(ret.conns[idx])
+	}
+	go ret.cleanMap()
+
+	return ret
 }

-func (f *forwarder) Close() error {
-	f.ctxCancel()
-	return nil
+func (f *forwarder) Close() {
+	select {
+	case <-f.closed:
+		return
+	default:
+		// continue
+	}
+	close(f.closed)
+
+	for _, conn := range f.conns {
+		conn.close()
+	}
+
+	f.wg.Wait()
+}
+
+func (f *forwarder) rebindFromNetworkChange() {
+	for _, c := range f.conns {
+		c.mu.Lock()
+		c.reconnectLocked()
+		c.mu.Unlock()
+	}
 }

 func (f *forwarder) setRoutes(routes []route) {
 	f.mu.Lock()
-	defer f.mu.Unlock()
 	f.routes = routes
-}
-
-var stdNetPacketListener packetListener = new(net.ListenConfig)
-
-type packetListener interface {
-	ListenPacket(ctx context.Context, network, address string) (net.PacketConn, error)
-}
-
-func (f *forwarder) packetListener(ip netaddr.IP) (packetListener, error) {
-	if f.linkSel == nil || initListenConfig == nil {
-		return stdNetPacketListener, nil
-	}
-	linkName := f.linkSel.PickLink(ip)
-	if linkName == "" {
-		return stdNetPacketListener, nil
-	}
-	lc := new(net.ListenConfig)
-	if err := initListenConfig(lc, f.linkMon, linkName); err != nil {
-		return nil, err
-	}
-	return lc, nil
+	f.mu.Unlock()
 }

 // send sends packet to dst. It is best effort.
-//
-// send expects the reply to have the same txid as txidOut.
-//
-// The provided closeOnCtxDone lets send register values to Close if
-// the caller's ctx expires. This avoids send from allocating its own
-// waiting goroutine to interrupt the ReadFrom, as memory is tight on
-// iOS and we want the number of pending DNS lookups to be bursty
-// without too much associated goroutine/memory cost.
-func (f *forwarder) send(ctx context.Context, txidOut txid, closeOnCtxDone *closePool, packet []byte, dst netaddr.IPPort) ([]byte, error) {
-	// TODO(bradfitz): if dst.IP is 8.8.8.8 or 8.8.4.4 or 1.1.1.1, etc, or
-	// something dynamically probed earlier to support DoH or DoT,
-	// do that here instead.
-
-	ln, err := f.packetListener(dst.IP())
-	if err != nil {
-		return nil, err
-	}
-	conn, err := ln.ListenPacket(ctx, "udp", ":0")
-	if err != nil {
-		f.logf("ListenPacket failed: %v", err)
-		return nil, err
-	}
-	defer conn.Close()
-
-	closeOnCtxDone.Add(conn)
-	defer closeOnCtxDone.Remove(conn)
-
-	if _, err := conn.WriteTo(packet, dst.UDPAddr()); err != nil {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
-		return nil, err
-	}
-
-	// The 1 extra byte is to detect packet truncation.
-	out := make([]byte, maxResponseBytes+1)
-	n, _, err := conn.ReadFrom(out)
-	if err != nil {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
-		if packetWasTruncated(err) {
-			err = nil
-		} else {
-			return nil, err
-		}
-	}
-	truncated := n > maxResponseBytes
-	if truncated {
-		n = maxResponseBytes
-	}
-	if n < headerBytes {
-		f.logf("recv: packet too small (%d bytes)", n)
-	}
-	out = out[:n]
-	txid := getTxID(out)
-	if txid != txidOut {
-		return nil, errors.New("txid doesn't match")
-	}
-
-	if truncated {
-		const dnsFlagTruncated = 0x200
-		flags := binary.BigEndian.Uint16(out[2:4])
-		flags |= dnsFlagTruncated
-		binary.BigEndian.PutUint16(out[2:4], flags)
-
-		// TODO(#2067): Remove any incomplete records? RFC 1035 section 6.2
-		// states that truncation should head drop so that the authority
-		// section can be preserved if possible. However, the UDP read with
-		// a too-small buffer has already dropped the end, so that's the
-		// best we can do.
-	}
-
-	clampEDNSSize(out, maxResponseBytes)
-
-	return out, nil
+func (f *forwarder) send(packet []byte, dst netaddr.IPPort) {
+	connIdx := rand.Intn(connCount)
+	conn := f.conns[connIdx]
+	conn.send(packet, dst)
 }

-// resolvers returns the resolvers to use for domain.
-func (f *forwarder) resolvers(domain dnsname.FQDN) []netaddr.IPPort {
-	f.mu.Lock()
-	routes := f.routes
-	f.mu.Unlock()
-	for _, route := range routes {
-		if route.Suffix == "." || route.Suffix.Contains(domain) {
-			return route.Resolvers
+func (f *forwarder) recv(conn *fwdConn) {
+	defer f.wg.Done()
+
+	for {
+		select {
+		case <-f.closed:
+			return
+		default:
+		}
+		out := make([]byte, maxResponseBytes)
+		n := conn.read(out)
+		if n == 0 {
+			continue
+		}
+		if n < headerBytes {
+			f.logf("recv: packet too small (%d bytes)", n)
+		}
+
+		out = out[:n]
+		txid := getTxID(out)
+
+		f.mu.Lock()
+
+		record, found := f.txMap[txid]
+		// At most one nameserver will return a response:
+		// the first one to do so will delete txid from the map.
+		if !found {
+			f.mu.Unlock()
+			continue
+		}
+		delete(f.txMap, txid)
+
+		f.mu.Unlock()
+
+		pkt := packet{out, record.src}
+		select {
+		case <-f.closed:
+			return
+		case f.responses <- pkt:
+			// continue
 		}
 	}
-	return nil
+}
+
+// cleanMap periodically deletes timed-out forwarding records from f.txMap to bound growth.
+func (f *forwarder) cleanMap() {
+	defer f.wg.Done()
+
+	t := time.NewTicker(cleanupInterval)
+	defer t.Stop()
+
+	var now time.Time
+	for {
+		select {
+		case <-f.closed:
+			return
+		case now = <-t.C:
+			// continue
+		}
+
+		f.mu.Lock()
+		for k, v := range f.txMap {
+			if now.Sub(v.createdAt) > responseTimeout {
+				delete(f.txMap, k)
+			}
+		}
+		f.mu.Unlock()
+	}
 }

 // forward forwards the query to all upstream nameservers and returns the first response.
@@ -310,62 +262,218 @@ func (f *forwarder) forward(query packet) error {
 	}

 	txid := getTxID(query.bs)
-	clampEDNSSize(query.bs, maxResponseBytes)

-	resolvers := f.resolvers(domain)
+	f.mu.Lock()
+	routes := f.routes
+	f.mu.Unlock()
+
+	var resolvers []netaddr.IPPort
+	for _, route := range routes {
+		if route.suffix != "." && !route.suffix.Contains(domain) {
+			continue
+		}
+		resolvers = route.resolvers
+		break
+	}
 	if len(resolvers) == 0 {
 		return errNoUpstreams
 	}

-	closeOnCtxDone := new(closePool)
-	defer closeOnCtxDone.Close()
+	f.mu.Lock()
+	f.txMap[txid] = forwardingRecord{
+		src:       query.addr,
+		createdAt: time.Now(),
+	}
+	f.mu.Unlock()

-	ctx, cancel := context.WithTimeout(f.ctx, responseTimeout)
-	defer cancel()
-
-	resc := make(chan []byte, 1)
-	var (
-		mu       sync.Mutex
-		firstErr error
-	)
-
-	for _, ipp := range resolvers {
-		go func(ipp netaddr.IPPort) {
-			resb, err := f.send(ctx, txid, closeOnCtxDone, query.bs, ipp)
-			if err != nil {
-				mu.Lock()
-				defer mu.Unlock()
-				if firstErr == nil {
-					firstErr = err
-				}
-				return
-			}
-			select {
-			case resc <- resb:
-			default:
-			}
-		}(ipp)
+	for _, resolver := range resolvers {
+		f.send(query.bs, resolver)
 	}

-	select {
-	case v := <-resc:
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case f.responses <- packet{v, query.addr}:
-			return nil
+	return nil
+}
+
+// A fwdConn manages a single connection used to forward DNS requests.
+// Net link changes can cause a *net.UDPConn to become permanently unusable, particularly on macOS.
+// fwdConn detects such situations and transparently creates new connections.
+type fwdConn struct {
+	// logf allows a fwdConn to log.
+	logf logger.Logf
+
+	// change allows calls to read to block until a the network connection has been replaced.
+	change *sync.Cond
+
+	// mu protects fields that follow it; it is also change's Locker.
+	mu sync.Mutex
+	// closed tracks whether fwdConn has been permanently closed.
+	closed bool
+	// conn is the current active connection.
+	conn net.PacketConn
+}
+
+func newFwdConn(logf logger.Logf, idx int) *fwdConn {
+	c := new(fwdConn)
+	c.logf = logger.WithPrefix(logf, fmt.Sprintf("fwdConn %d: ", idx))
+	c.change = sync.NewCond(&c.mu)
+	// c.conn is created lazily in send
+	return c
+}
+
+// send sends packet to dst using c's connection.
+// It is best effort. It is UDP, after all. Failures are logged.
+func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
+	var b *backoff.Backoff // lazily initialized, since it is not needed in the common case
+	backOff := func(err error) {
+		if b == nil {
+			b = backoff.NewBackoff("dns-fwdConn-send", c.logf, 30*time.Second)
 		}
-	case <-ctx.Done():
-		mu.Lock()
-		defer mu.Unlock()
-		if firstErr != nil {
-			return firstErr
+		b.BackOff(context.Background(), err)
+	}
+
+	for {
+		// Gather the current connection.
+		// We can't hold the lock while we call WriteTo.
+		c.mu.Lock()
+		conn := c.conn
+		closed := c.closed
+		if closed {
+			c.mu.Unlock()
+			return
 		}
-		return ctx.Err()
+		if conn == nil {
+			c.reconnectLocked()
+			c.mu.Unlock()
+			continue
+		}
+		c.mu.Unlock()
+
+		_, err := conn.WriteTo(packet, dst.UDPAddr())
+		if err == nil {
+			// Success
+			return
+		}
+		if errors.Is(err, net.ErrClosed) {
+			// We intentionally closed this connection.
+			// It has been replaced by a new connection. Try again.
+			continue
+		}
+		// Something else went wrong.
+		// We have three choices here: try again, give up, or create a new connection.
+		var opErr *net.OpError
+		if !errors.As(err, &opErr) {
+			// Weird. All errors from the net package should be *net.OpError. Bail.
+			c.logf("send: non-*net.OpErr %v (%T)", err, err)
+			return
+		}
+		if opErr.Temporary() || opErr.Timeout() {
+			// I doubt that either of these can happen (this is UDP),
+			// but go ahead and try again.
+			backOff(err)
+			continue
+		}
+		if networkIsDown(err) {
+			// Fail.
+			c.logf("send: network is down")
+			return
+		}
+		if networkIsUnreachable(err) {
+			// This can be caused by a link change.
+			// Replace the existing connection with a new one.
+			c.mu.Lock()
+			// It's possible that multiple senders discovered simultaneously
+			// that the network is unreachable. Avoid reconnecting multiple times:
+			// Only reconnect if the current connection is the one that we
+			// discovered to be problematic.
+			if c.conn == conn {
+				backOff(err)
+				c.reconnectLocked()
+			}
+			c.mu.Unlock()
+			// Try again with our new network connection.
+			continue
+		}
+		// Unrecognized error. Fail.
+		c.logf("send: unrecognized error: %v", err)
+		return
 	}
 }

-var initListenConfig func(_ *net.ListenConfig, _ *monitor.Mon, tunName string) error
+// read waits for a response from c's connection.
+// It returns the number of bytes read, which may be 0
+// in case of an error or a closed connection.
+func (c *fwdConn) read(out []byte) int {
+	for {
+		// Gather the current connection.
+		// We can't hold the lock while we call ReadFrom.
+		c.mu.Lock()
+		conn := c.conn
+		closed := c.closed
+		if closed {
+			c.mu.Unlock()
+			return 0
+		}
+		if conn == nil {
+			// There is no current connection.
+			// Wait for the connection to change, then try again.
+			c.change.Wait()
+			c.mu.Unlock()
+			continue
+		}
+		c.mu.Unlock()
+
+		n, _, err := conn.ReadFrom(out)
+		if err == nil {
+			// Success.
+			return n
+		}
+		if errors.Is(err, net.ErrClosed) {
+			// We intentionally closed this connection.
+			// It has been replaced by a new connection. Try again.
+			continue
+		}
+
+		c.logf("read: unrecognized error: %v", err)
+		return 0
+	}
+}
+
+// reconnectLocked replaces the current connection with a new one.
+// c.mu must be locked.
+func (c *fwdConn) reconnectLocked() {
+	c.closeConnLocked()
+	// Make a new connection.
+	conn, err := net.ListenPacket("udp", "")
+	if err != nil {
+		c.logf("ListenPacket failed: %v", err)
+	} else {
+		c.conn = conn
+	}
+	// Broadcast that a new connection is available.
+	c.change.Broadcast()
+}
+
+// closeCurrentConn closes the current connection.
+// c.mu must be locked.
+func (c *fwdConn) closeConnLocked() {
+	if c.conn == nil {
+		return
+	}
+	c.conn.Close() // unblocks all readers/writers, they'll pick up the next connection.
+	c.conn = nil
+}
+
+// close permanently closes c.
+func (c *fwdConn) close() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed {
+		return
+	}
+	c.closed = true
+	c.closeConnLocked()
+	// Unblock any remaining readers.
+	c.change.Broadcast()
+}

 // nameFromQuery extracts the normalized query name from bs.
 func nameFromQuery(bs []byte) (dnsname.FQDN, error) {
@@ -387,48 +495,3 @@ func nameFromQuery(bs []byte) (dnsname.FQDN, error) {
 	n := q.Name.Data[:q.Name.Length]
 	return dnsname.ToFQDN(rawNameToLower(n))
 }
-
-// closePool is a dynamic set of io.Closers to close as a group.
-// It's intended to be Closed at most once.
-//
-// The zero value is ready for use.
-type closePool struct {
-	mu     sync.Mutex
-	m      map[io.Closer]bool
-	closed bool
-}
-
-func (p *closePool) Add(c io.Closer) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.closed {
-		c.Close()
-		return
-	}
-	if p.m == nil {
-		p.m = map[io.Closer]bool{}
-	}
-	p.m[c] = true
-}
-
-func (p *closePool) Remove(c io.Closer) {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.closed {
-		return
-	}
-	delete(p.m, c)
-}
-
-func (p *closePool) Close() error {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.closed {
-		return nil
-	}
-	p.closed = true
-	for c := range p.m {
-		c.Close()
-	}
-	return nil
-}
--- a/net/dns/resolver/macios_ext.go
+++ b/net/dns/resolver/macios_ext.go
@@ -1,27 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin,ts_macext ios,ts_macext
-
-package resolver
-
-import (
-	"errors"
-	"net"
-
-	"tailscale.com/net/netns"
-	"tailscale.com/wgengine/monitor"
-)
-
-func init() {
-	initListenConfig = initListenConfigNetworkExtension
-}
-
-func initListenConfigNetworkExtension(nc *net.ListenConfig, mon *monitor.Mon, tunName string) error {
-	nif, ok := mon.InterfaceState().Interface[tunName]
-	if !ok {
-		return errors.New("utun not found")
-	}
-	return netns.SetListenConfigInterfaceIndex(nc, nif.Interface.Index)
-}
--- a/net/dns/resolver/neterr_darwin.go
+++ b/net/dns/resolver/neterr_darwin.go
@@ -23,8 +23,3 @@ func networkIsDown(err error) bool {
 func networkIsUnreachable(err error) bool {
 	return errors.Is(err, networkUnreachable)
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }
--- a/net/dns/resolver/neterr_other.go
+++ b/net/dns/resolver/neterr_other.go
@@ -8,8 +8,3 @@ package resolver

 func networkIsDown(err error) bool        { return false }
 func networkIsUnreachable(err error) bool { return false }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }
--- a/net/dns/resolver/neterr_windows.go
+++ b/net/dns/resolver/neterr_windows.go
@@ -5,7 +5,6 @@
 package resolver

 import (
-	"errors"
 	"net"
 	"os"

@@ -28,16 +27,3 @@ func networkIsUnreachable(err error) bool {
 	// difference between down and unreachable? Add comments.
 	return false
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. On Windows, Go's UDP RecvFrom
-// calls WSARecvFrom which returns the WSAEMSGSIZE error code when the received
-// datagram is larger than the provided buffer. When that happens, both a valid
-// size and an error are returned (as per the partial fix for golang/go#14074).
-// If the WSAEMSGSIZE error is returned, then we ignore the error to get
-// semantics similar to the POSIX operating systems. One caveat is that it
-// appears that the source address is not returned when WSAEMSGSIZE occurs, but
-// we do not currently look at the source address.
-func packetWasTruncated(err error) bool {
-	return errors.Is(err, windows.WSAEMSGSIZE)
-}
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -9,39 +9,26 @@ package resolver
 import (
 	"encoding/hex"
 	"errors"
-	"runtime"
 	"sort"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/monitor"
 )

-// maxResponseBytes is the maximum size of a response from a Resolver. The
-// actual buffer size will be one larger than this so that we can detect
-// truncation in a platform-agnostic way.
-const maxResponseBytes = 4095
+// maxResponseBytes is the maximum size of a response from a Resolver.
+const maxResponseBytes = 512

-// maxActiveQueries returns the maximal number of DNS requests that be
-// can running.
+// queueSize is the maximal number of DNS requests that can await polling.
 // If EnqueueRequest is called when this many requests are already pending,
 // the request will be dropped to avoid blocking the caller.
-func maxActiveQueries() int32 {
-	if runtime.GOOS == "ios" {
-		// For memory paranoia reasons on iOS, match the
-		// historical Tailscale 1.x..1.8 behavior for now
-		// (just before the 1.10 release).
-		return 64
-	}
-	// But for other platforms, allow more burstiness:
-	return 256
-}
+const queueSize = 64

 // defaultTTL is the TTL of all responses from Resolver.
 const defaultTTL = 600 * time.Second
@@ -86,12 +73,13 @@ type Config struct {
 type Resolver struct {
 	logf               logger.Logf
 	linkMon            *monitor.Mon     // or nil
+	unregLinkMon       func()           // or nil
 	saveConfigForTests func(cfg Config) // used in tests to capture resolver config
 	// forwarder forwards requests to upstream nameservers.
 	forwarder *forwarder

-	activeQueriesAtomic int32 // number of DNS queries in flight
-
+	// queue is a buffered channel holding DNS requests queued for resolution.
+	queue chan packet
 	// responses is an unbuffered channel to which responses are returned.
 	responses chan packet
 	// errors is an unbuffered channel to which errors are returned.
@@ -108,26 +96,27 @@ type Resolver struct {
 	ipToHost     map[netaddr.IP]dnsname.FQDN
 }

-type ForwardLinkSelector interface {
-	// PickLink returns which network device should be used to query
-	// the DNS server at the given IP.
-	// The empty string means to use an unspecified default.
-	PickLink(netaddr.IP) (linkName string)
-}
-
 // New returns a new resolver.
 // linkMon optionally specifies a link monitor to use for socket rebinding.
-func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector) *Resolver {
+func New(logf logger.Logf, linkMon *monitor.Mon) *Resolver {
 	r := &Resolver{
 		logf:      logger.WithPrefix(logf, "dns: "),
 		linkMon:   linkMon,
+		queue:     make(chan packet, queueSize),
 		responses: make(chan packet),
 		errors:    make(chan error),
 		closed:    make(chan struct{}),
 		hostToIP:  map[dnsname.FQDN][]netaddr.IP{},
 		ipToHost:  map[netaddr.IP]dnsname.FQDN{},
 	}
-	r.forwarder = newForwarder(r.logf, r.responses, linkMon, linkSel)
+	r.forwarder = newForwarder(r.logf, r.responses)
+	if r.linkMon != nil {
+		r.unregLinkMon = r.linkMon.RegisterChangeCallback(r.onLinkMonitorChange)
+	}
+
+	r.wg.Add(1)
+	go r.poll()
+
 	return r
 }

@@ -149,13 +138,13 @@ func (r *Resolver) SetConfig(cfg Config) error {

 	for suffix, ips := range cfg.Routes {
 		routes = append(routes, route{
-			Suffix:    suffix,
-			Resolvers: ips,
+			suffix:    suffix,
+			resolvers: ips,
 		})
 	}
 	// Sort from longest prefix to shortest.
 	sort.Slice(routes, func(i, j int) bool {
-		return routes[i].Suffix.NumLabels() > routes[j].Suffix.NumLabels()
+		return routes[i].suffix.NumLabels() > routes[j].suffix.NumLabels()
 	})

 	r.forwarder.setRoutes(routes)
@@ -179,7 +168,19 @@ func (r *Resolver) Close() {
 	}
 	close(r.closed)

+	if r.unregLinkMon != nil {
+		r.unregLinkMon()
+	}
+
 	r.forwarder.Close()
+	r.wg.Wait()
+}
+
+func (r *Resolver) onLinkMonitorChange(changed bool, state *interfaces.State) {
+	if !changed {
+		return
+	}
+	r.forwarder.rebindFromNetworkChange()
 }

 // EnqueueRequest places the given DNS request in the resolver's queue.
@@ -189,14 +190,11 @@ func (r *Resolver) EnqueueRequest(bs []byte, from netaddr.IPPort) error {
 	select {
 	case <-r.closed:
 		return ErrClosed
+	case r.queue <- packet{bs, from}:
+		return nil
 	default:
-	}
-	if n := atomic.AddInt32(&r.activeQueriesAtomic, 1); n > maxActiveQueries() {
-		atomic.AddInt32(&r.activeQueriesAtomic, -1)
 		return errFullQueue
 	}
-	go r.handleQuery(packet{bs, from})
-	return nil
 }

 // NextResponse returns a DNS response to a previously enqueued request.
@@ -291,34 +289,53 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 // resolveReverse returns the unique domain name that maps to the given address.
 func (r *Resolver) resolveLocalReverse(ip netaddr.IP) (dnsname.FQDN, dns.RCode) {
 	r.mu.Lock()
-	defer r.mu.Unlock()
-	name, ok := r.ipToHost[ip]
-	if !ok {
+	ips := r.ipToHost
+	r.mu.Unlock()
+
+	name, found := ips[ip]
+	if !found {
 		return "", dns.RCodeNameError
 	}
 	return name, dns.RCodeSuccess
 }

-func (r *Resolver) handleQuery(pkt packet) {
-	defer atomic.AddInt32(&r.activeQueriesAtomic, -1)
+func (r *Resolver) poll() {
+	defer r.wg.Done()

-	out, err := r.respond(pkt.bs)
-	if err == errNotOurName {
-		err = r.forwarder.forward(pkt)
-		if err == nil {
-			// forward will send response into r.responses, nothing to do.
+	var pkt packet
+	for {
+		select {
+		case <-r.closed:
 			return
+		case pkt = <-r.queue:
+			// continue
 		}
-	}
-	if err != nil {
-		select {
-		case <-r.closed:
-		case r.errors <- err:
+
+		out, err := r.respond(pkt.bs)
+
+		if err == errNotOurName {
+			err = r.forwarder.forward(pkt)
+			if err == nil {
+				// forward will send response into r.responses, nothing to do.
+				continue
+			}
 		}
-	} else {
-		select {
-		case <-r.closed:
-		case r.responses <- packet{out, pkt.addr}:
+
+		if err != nil {
+			select {
+			case <-r.closed:
+				return
+			case r.errors <- err:
+				// continue
+			}
+		} else {
+			pkt.bs = out
+			select {
+			case <-r.closed:
+				return
+			case r.responses <- pkt:
+				// continue
+			}
 		}
 	}
 }
@@ -332,44 +349,28 @@ type response struct {
 	IP netaddr.IP
 }

-var dnsParserPool = &sync.Pool{
-	New: func() interface{} {
-		return new(dnsParser)
-	},
-}
-
-// dnsParser parses DNS queries using x/net/dns/dnsmessage.
-// These structs are pooled with dnsParserPool.
-type dnsParser struct {
-	Header   dns.Header
-	Question dns.Question
-
-	parser dns.Parser
-}
-
-func (p *dnsParser) response() *response {
-	return &response{Header: p.Header, Question: p.Question}
-}
-
-// zeroParser clears parser so it doesn't retain its most recently
-// parsed DNS query's []byte while it's sitting in a sync.Pool.
-// It's not useful to keep anyway: the next Start will do the same.
-func (p *dnsParser) zeroParser() { p.parser = dns.Parser{} }
-
-// parseQuery parses the query in given packet into p.Header and
-// p.Question.
-func (p *dnsParser) parseQuery(query []byte) error {
-	defer p.zeroParser()
+// parseQuery parses the query in given packet into a response struct.
+// if the parse is successful, resp.Name contains the normalized name being queried.
+// TODO: stuffing the query name in resp.Name temporarily is a hack. Clean it up.
+func parseQuery(query []byte, resp *response) error {
+	var parser dns.Parser
 	var err error
-	p.Header, err = p.parser.Start(query)
+
+	resp.Header, err = parser.Start(query)
 	if err != nil {
 		return err
 	}
-	if p.Header.Response {
+
+	if resp.Header.Response {
 		return errNotQuery
 	}
-	p.Question, err = p.parser.Question()
-	return err
+
+	resp.Question, err = parser.Question()
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

 // marshalARecord serializes an A record into an active builder.
@@ -621,13 +622,12 @@ func (r *Resolver) respondReverse(query []byte, name dnsname.FQDN, resp *respons
 // respond returns a DNS response to query if it can be resolved locally.
 // Otherwise, it returns errNotOurName.
 func (r *Resolver) respond(query []byte) ([]byte, error) {
-	parser := dnsParserPool.Get().(*dnsParser)
-	defer dnsParserPool.Put(parser)
+	resp := new(response)

 	// ParseQuery is sufficiently fast to run on every DNS packet.
 	// This is considerably simpler than extracting the name by hand
 	// to shave off microseconds in case of delegation.
-	err := parser.parseQuery(query)
+	err := parseQuery(query, resp)
 	// We will not return this error: it is the sender's fault.
 	if err != nil {
 		if errors.Is(err, dns.ErrSectionDone) {
@@ -635,15 +635,13 @@ func (r *Resolver) respond(query []byte) ([]byte, error) {
 		} else {
 			r.logf("parseQuery(%02x): %v", query, err)
 		}
-		resp := parser.response()
 		resp.Header.RCode = dns.RCodeFormatError
 		return marshalResponse(resp)
 	}
-	rawName := parser.Question.Name.Data[:parser.Question.Name.Length]
+	rawName := resp.Question.Name.Data[:resp.Question.Name.Length]
 	name, err := dnsname.ToFQDN(rawNameToLower(rawName))
 	if err != nil {
 		// DNS packet unexpectedly contains an invalid FQDN.
-		resp := parser.response()
 		resp.Header.RCode = dns.RCodeFormatError
 		return marshalResponse(resp)
 	}
@@ -651,17 +649,15 @@ func (r *Resolver) respond(query []byte) ([]byte, error) {
 	// Always try to handle reverse lookups; delegate inside when not found.
 	// This way, queries for existent nodes do not leak,
 	// but we behave gracefully if non-Tailscale nodes exist in CGNATRange.
-	if parser.Question.Type == dns.TypePTR {
-		return r.respondReverse(query, name, parser.response())
+	if resp.Question.Type == dns.TypePTR {
+		return r.respondReverse(query, name, resp)
 	}

-	ip, rcode := r.resolveLocal(name, parser.Question.Type)
-	if rcode == dns.RCodeRefused {
-		return nil, errNotOurName // sentinel error return value: it requests forwarding
+	resp.IP, resp.Header.RCode = r.resolveLocal(name, resp.Question.Type)
+	// This return code is special: it requests forwarding.
+	if resp.Header.RCode == dns.RCodeRefused {
+		return nil, errNotOurName
 	}

-	resp := parser.response()
-	resp.Header.RCode = rcode
-	resp.IP = ip
 	return marshalResponse(resp)
 }
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -66,60 +66,6 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }

-// resolveToTXT returns a handler function which responds to queries of type TXT
-// it receives with the strings in txts.
-func resolveToTXT(txts []string, ednsMaxSize uint16) dns.HandlerFunc {
-	return func(w dns.ResponseWriter, req *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(req)
-
-		if len(req.Question) != 1 {
-			panic("not a single-question request")
-		}
-		question := req.Question[0]
-
-		if question.Qtype != dns.TypeTXT {
-			w.WriteMsg(m)
-			return
-		}
-
-		ans := &dns.TXT{
-			Hdr: dns.RR_Header{
-				Name:   question.Name,
-				Rrtype: dns.TypeTXT,
-				Class:  dns.ClassINET,
-			},
-			Txt: txts,
-		}
-
-		m.Answer = append(m.Answer, ans)
-
-		queryInfo := &dns.TXT{
-			Hdr: dns.RR_Header{
-				Name:   "query-info.test.",
-				Rrtype: dns.TypeTXT,
-				Class:  dns.ClassINET,
-			},
-		}
-
-		if edns := req.IsEdns0(); edns == nil {
-			queryInfo.Txt = []string{"EDNS=false"}
-		} else {
-			queryInfo.Txt = []string{"EDNS=true", fmt.Sprintf("maxSize=%v", edns.UDPSize())}
-		}
-
-		m.Extra = append(m.Extra, queryInfo)
-
-		if ednsMaxSize > 0 {
-			m.SetEdns0(ednsMaxSize, false)
-		}
-
-		if err := w.WriteMsg(m); err != nil {
-			panic(err)
-		}
-	}
-}
-
 var resolveToNXDOMAIN = dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetRcode(req, dns.RcodeNameError)
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -6,21 +6,14 @@ package resolver

 import (
 	"bytes"
-	"encoding/hex"
 	"errors"
-	"fmt"
-	"math/rand"
 	"net"
-	"runtime"
-	"strconv"
-	"strings"
 	"testing"

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/tstest"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/wgengine/monitor"
 )

 var testipv4 = netaddr.MustParseIP("1.2.3.4")
@@ -34,9 +27,7 @@ var dnsCfg = Config{
 	LocalDomains: []dnsname.FQDN{"ipn.dev."},
 }

-const noEdns = 0
-
-func dnspacket(domain dnsname.FQDN, tp dns.Type, ednsSize uint16) []byte {
+func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {
 	var dnsHeader dns.Header
 	question := dns.Question{
 		Name:  dns.MustNewName(domain.WithTrailingDot()),
@@ -45,44 +36,17 @@ func dnspacket(domain dnsname.FQDN, tp dns.Type, ednsSize uint16) []byte {
 	}

 	builder := dns.NewBuilder(nil, dnsHeader)
-	if err := builder.StartQuestions(); err != nil {
-		panic(err)
-	}
-	if err := builder.Question(question); err != nil {
-		panic(err)
-	}
-
-	if ednsSize != noEdns {
-		if err := builder.StartAdditionals(); err != nil {
-			panic(err)
-		}
-
-		ednsHeader := dns.ResourceHeader{
-			Name:  dns.MustNewName("."),
-			Type:  dns.TypeOPT,
-			Class: dns.Class(ednsSize),
-		}
-
-		if err := builder.OPTResource(ednsHeader, dns.OPTResource{}); err != nil {
-			panic(err)
-		}
-	}
-
+	builder.StartQuestions()
+	builder.Question(question)
 	payload, _ := builder.Finish()

 	return payload
 }

 type dnsResponse struct {
-	ip               netaddr.IP
-	txt              []string
-	name             dnsname.FQDN
-	rcode            dns.RCode
-	truncated        bool
-	requestEdns      bool
-	requestEdnsSize  uint16
-	responseEdns     bool
-	responseEdnsSize uint16
+	ip    netaddr.IP
+	name  dnsname.FQDN
+	rcode dns.RCode
 }

 func unpackResponse(payload []byte) (dnsResponse, error) {
@@ -103,122 +67,47 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 		return response, nil
 	}

-	response.truncated = h.Truncated
-	if response.truncated {
-		// TODO(#2067): Ideally, answer processing should still succeed when
-		// dealing with a truncated message, but currently when we truncate
-		// a packet, it's caused by the buffer being too small and usually that
-		// means the data runs out mid-record. dns.Parser does not like it when
-		// that happens. We can improve this by trimming off incomplete records.
-		return response, nil
-	}
-
 	err = parser.SkipAllQuestions()
 	if err != nil {
 		return response, err
 	}

-	for {
-		ah, err := parser.AnswerHeader()
-		if err == dns.ErrSectionDone {
-			break
-		}
-		if err != nil {
-			return response, err
-		}
-
-		switch ah.Type {
-		case dns.TypeA:
-			res, err := parser.AResource()
-			if err != nil {
-				return response, err
-			}
-			response.ip = netaddr.IPv4(res.A[0], res.A[1], res.A[2], res.A[3])
-		case dns.TypeAAAA:
-			res, err := parser.AAAAResource()
-			if err != nil {
-				return response, err
-			}
-			response.ip = netaddr.IPv6Raw(res.AAAA)
-		case dns.TypeTXT:
-			res, err := parser.TXTResource()
-			if err != nil {
-				return response, err
-			}
-			response.txt = res.TXT
-		case dns.TypeNS:
-			res, err := parser.NSResource()
-			if err != nil {
-				return response, err
-			}
-			response.name, err = dnsname.ToFQDN(res.NS.String())
-			if err != nil {
-				return response, err
-			}
-		default:
-			return response, errors.New("type not in {A, AAAA, NS}")
-		}
-	}
-
-	err = parser.SkipAllAuthorities()
+	ah, err := parser.AnswerHeader()
 	if err != nil {
 		return response, err
 	}

-	for {
-		ah, err := parser.AdditionalHeader()
-		if err == dns.ErrSectionDone {
-			break
-		}
+	switch ah.Type {
+	case dns.TypeA:
+		res, err := parser.AResource()
 		if err != nil {
 			return response, err
 		}
-
-		switch ah.Type {
-		case dns.TypeOPT:
-			_, err := parser.OPTResource()
-			if err != nil {
-				return response, err
-			}
-			response.responseEdns = true
-			response.responseEdnsSize = uint16(ah.Class)
-		case dns.TypeTXT:
-			res, err := parser.TXTResource()
-			if err != nil {
-				return response, err
-			}
-			switch ah.Name.String() {
-			case "query-info.test.":
-				for _, msg := range res.TXT {
-					s := strings.SplitN(msg, "=", 2)
-					if len(s) != 2 {
-						continue
-					}
-					switch s[0] {
-					case "EDNS":
-						response.requestEdns, err = strconv.ParseBool(s[1])
-						if err != nil {
-							return response, err
-						}
-					case "maxSize":
-						sz, err := strconv.ParseUint(s[1], 10, 16)
-						if err != nil {
-							return response, err
-						}
-						response.requestEdnsSize = uint16(sz)
-					}
-				}
-			}
+		response.ip = netaddr.IPv4(res.A[0], res.A[1], res.A[2], res.A[3])
+	case dns.TypeAAAA:
+		res, err := parser.AAAAResource()
+		if err != nil {
+			return response, err
 		}
+		response.ip = netaddr.IPv6Raw(res.AAAA)
+	case dns.TypeNS:
+		res, err := parser.NSResource()
+		if err != nil {
+			return response, err
+		}
+		response.name, err = dnsname.ToFQDN(res.NS.String())
+		if err != nil {
+			return response, err
+		}
+	default:
+		return response, errors.New("type not in {A, AAAA, NS}")
 	}

 	return response, nil
 }

 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
-	if err := r.EnqueueRequest(query, netaddr.IPPort{}); err != nil {
-		return nil, fmt.Errorf("EnqueueRequest: %w", err)
-	}
+	r.EnqueueRequest(query, netaddr.IPPort{})
 	payload, _, err := r.NextResponse()
 	return payload, err
 }
@@ -301,12 +190,8 @@ func TestRDNSNameToIPv6(t *testing.T) {
 	}
 }

-func newResolver(t testing.TB) *Resolver {
-	return New(t.Logf, nil /* no link monitor */, nil /* no link selector */)
-}
-
 func TestResolveLocal(t *testing.T) {
-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	r.SetConfig(dnsCfg)
@@ -346,7 +231,7 @@ func TestResolveLocal(t *testing.T) {
 }

 func TestResolveLocalReverse(t *testing.T) {
-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	r.SetConfig(dnsCfg)
@@ -384,32 +269,6 @@ func ipv6Works() bool {
 	return true
 }

-func generateTXT(size int, source rand.Source) []string {
-	const sizePerTXT = 120
-
-	if size%2 != 0 {
-		panic("even lengths only")
-	}
-
-	rng := rand.New(source)
-
-	txts := make([]string, 0, size/sizePerTXT+1)
-
-	raw := make([]byte, sizePerTXT/2)
-
-	rem := size
-	for ; rem > sizePerTXT; rem -= sizePerTXT {
-		rng.Read(raw)
-		txts = append(txts, hex.EncodeToString(raw))
-	}
-	if rem > 0 {
-		rng.Read(raw[:rem/2])
-		txts = append(txts, hex.EncodeToString(raw[:rem/2]))
-	}
-
-	return txts
-}
-
 func TestDelegate(t *testing.T) {
 	tstest.ResourceCheck(t)

@@ -417,43 +276,16 @@ func TestDelegate(t *testing.T) {
 		t.Skip("skipping test that requires localhost IPv6")
 	}

-	randSource := rand.NewSource(4)
-
-	// smallTXT does not require EDNS
-	smallTXT := generateTXT(300, randSource)
-
-	// medTXT and largeTXT are responses that require EDNS but we would like to
-	// support these sizes of response without truncation because they are
-	// moderately common.
-	medTXT := generateTXT(1200, randSource)
-	largeTXT := generateTXT(3900, randSource)
-
-	// xlargeTXT is slightly above the maximum response size that we support,
-	// so there should be truncation.
-	xlargeTXT := generateTXT(5000, randSource)
-
-	// hugeTXT is significantly larger than any typical MTU and will require
-	// significant fragmentation. For buffer management reasons, we do not
-	// intend to handle responses this large, so there should be truncation.
-	hugeTXT := generateTXT(64000, randSource)
-
-	records := []interface{}{
-		"test.site.",
-		resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN,
-		"small.txt.", resolveToTXT(smallTXT, noEdns),
-		"smalledns.txt.", resolveToTXT(smallTXT, 512),
-		"med.txt.", resolveToTXT(medTXT, 1500),
-		"large.txt.", resolveToTXT(largeTXT, maxResponseBytes),
-		"xlarge.txt.", resolveToTXT(xlargeTXT, 8000),
-		"huge.txt.", resolveToTXT(hugeTXT, 65527),
-	}
-	v4server := serveDNS(t, "127.0.0.1:0", records...)
+	v4server := serveDNS(t, "127.0.0.1:0",
+		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v4server.Shutdown()
-	v6server := serveDNS(t, "[::1]:0", records...)
+	v6server := serveDNS(t, "[::1]:0",
+		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v6server.Shutdown()

-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	cfg := dnsCfg
@@ -472,92 +304,28 @@ func TestDelegate(t *testing.T) {
 	}{
 		{
 			"ipv4",
-			dnspacket("test.site.", dns.TypeA, noEdns),
+			dnspacket("test.site.", dns.TypeA),
 			dnsResponse{ip: testipv4, rcode: dns.RCodeSuccess},
 		},
 		{
 			"ipv6",
-			dnspacket("test.site.", dns.TypeAAAA, noEdns),
+			dnspacket("test.site.", dns.TypeAAAA),
 			dnsResponse{ip: testipv6, rcode: dns.RCodeSuccess},
 		},
 		{
 			"ns",
-			dnspacket("test.site.", dns.TypeNS, noEdns),
+			dnspacket("test.site.", dns.TypeNS),
 			dnsResponse{name: "dns.test.site.", rcode: dns.RCodeSuccess},
 		},
 		{
 			"nxdomain",
-			dnspacket("nxdomain.site.", dns.TypeA, noEdns),
+			dnspacket("nxdomain.site.", dns.TypeA),
 			dnsResponse{rcode: dns.RCodeNameError},
 		},
-		{
-			"smalltxt",
-			dnspacket("small.txt.", dns.TypeTXT, 8000),
-			dnsResponse{txt: smallTXT, rcode: dns.RCodeSuccess, requestEdns: true, requestEdnsSize: maxResponseBytes},
-		},
-		{
-			"smalltxtedns",
-			dnspacket("smalledns.txt.", dns.TypeTXT, 512),
-			dnsResponse{
-				txt:              smallTXT,
-				rcode:            dns.RCodeSuccess,
-				requestEdns:      true,
-				requestEdnsSize:  512,
-				responseEdns:     true,
-				responseEdnsSize: 512,
-			},
-		},
-		{
-			"medtxt",
-			dnspacket("med.txt.", dns.TypeTXT, 2000),
-			dnsResponse{
-				txt:              medTXT,
-				rcode:            dns.RCodeSuccess,
-				requestEdns:      true,
-				requestEdnsSize:  2000,
-				responseEdns:     true,
-				responseEdnsSize: 1500,
-			},
-		},
-		{
-			"largetxt",
-			dnspacket("large.txt.", dns.TypeTXT, maxResponseBytes),
-			dnsResponse{
-				txt:              largeTXT,
-				rcode:            dns.RCodeSuccess,
-				requestEdns:      true,
-				requestEdnsSize:  maxResponseBytes,
-				responseEdns:     true,
-				responseEdnsSize: maxResponseBytes,
-			},
-		},
-		{
-			"xlargetxt",
-			dnspacket("xlarge.txt.", dns.TypeTXT, 8000),
-			dnsResponse{
-				rcode:     dns.RCodeSuccess,
-				truncated: true,
-				// request/response EDNS fields will be unset because of
-				// they were truncated away
-			},
-		},
-		{
-			"hugetxt",
-			dnspacket("huge.txt.", dns.TypeTXT, 8000),
-			dnsResponse{
-				rcode:     dns.RCodeSuccess,
-				truncated: true,
-				// request/response EDNS fields will be unset because of
-				// they were truncated away
-			},
-		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.title, func(t *testing.T) {
-			if tt.title == "hugetxt" && runtime.GOOS == "darwin" {
-				t.Skip("known to not work on macOS: https://github.com/tailscale/tailscale/issues/2229")
-			}
 			payload, err := syncRespond(r, tt.query)
 			if err != nil {
 				t.Errorf("err = %v; want nil", err)
@@ -577,27 +345,6 @@ func TestDelegate(t *testing.T) {
 			if response.name != tt.response.name {
 				t.Errorf("name = %v; want %v", response.name, tt.response.name)
 			}
-			if len(response.txt) != len(tt.response.txt) {
-				t.Errorf("%v txt records, want %v txt records", len(response.txt), len(tt.response.txt))
-			} else {
-				for i := range response.txt {
-					if response.txt[i] != tt.response.txt[i] {
-						t.Errorf("txt record %v is %s, want %s", i, response.txt[i], tt.response.txt[i])
-					}
-				}
-			}
-			if response.requestEdns != tt.response.requestEdns {
-				t.Errorf("requestEdns = %v; want %v", response.requestEdns, tt.response.requestEdns)
-			}
-			if response.requestEdnsSize != tt.response.requestEdnsSize {
-				t.Errorf("requestEdnsSize = %v; want %v", response.requestEdnsSize, tt.response.requestEdnsSize)
-			}
-			if response.responseEdns != tt.response.responseEdns {
-				t.Errorf("responseEdns = %v; want %v", response.requestEdns, tt.response.requestEdns)
-			}
-			if response.responseEdnsSize != tt.response.responseEdnsSize {
-				t.Errorf("responseEdnsSize = %v; want %v", response.responseEdnsSize, tt.response.responseEdnsSize)
-			}
 		})
 	}
 }
@@ -613,7 +360,7 @@ func TestDelegateSplitRoute(t *testing.T) {
 		"test.other.", resolveToIP(test4, test6, "dns.other."))
 	defer server2.Shutdown()

-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	cfg := dnsCfg
@@ -630,12 +377,12 @@ func TestDelegateSplitRoute(t *testing.T) {
 	}{
 		{
 			"general",
-			dnspacket("test.site.", dns.TypeA, noEdns),
+			dnspacket("test.site.", dns.TypeA),
 			dnsResponse{ip: testipv4, rcode: dns.RCodeSuccess},
 		},
 		{
 			"override",
-			dnspacket("test.other.", dns.TypeA, noEdns),
+			dnspacket("test.other.", dns.TypeA),
 			dnsResponse{ip: test4, rcode: dns.RCodeSuccess},
 		},
 	}
@@ -670,7 +417,7 @@ func TestDelegateCollision(t *testing.T) {
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
 	defer server.Shutdown()

-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	cfg := dnsCfg
@@ -686,13 +433,13 @@ func TestDelegateCollision(t *testing.T) {
 		qtype dns.Type
 		addr  netaddr.IPPort
 	}{
-		{"test.site.", dns.TypeA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1001)},
-		{"test.site.", dns.TypeAAAA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1002)},
+		{"test.site.", dns.TypeA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1001}},
+		{"test.site.", dns.TypeAAAA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1002}},
 	}

 	// packets will have the same dns txid.
 	for _, p := range packets {
-		payload := dnspacket(p.qname, p.qtype, noEdns)
+		payload := dnspacket(p.qname, p.qtype)
 		err := r.EnqueueRequest(payload, p.addr)
 		if err != nil {
 			t.Error(err)
@@ -884,7 +631,7 @@ var emptyResponse = []byte{
 }

 func TestFull(t *testing.T) {
-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()

 	r.SetConfig(dnsCfg)
@@ -895,15 +642,15 @@ func TestFull(t *testing.T) {
 		request  []byte
 		response []byte
 	}{
-		{"all", dnspacket("test1.ipn.dev.", dns.TypeALL, noEdns), allResponse},
-		{"ipv4", dnspacket("test1.ipn.dev.", dns.TypeA, noEdns), ipv4Response},
-		{"ipv6", dnspacket("test2.ipn.dev.", dns.TypeAAAA, noEdns), ipv6Response},
-		{"no-ipv6", dnspacket("test1.ipn.dev.", dns.TypeAAAA, noEdns), emptyResponse},
-		{"upper", dnspacket("TEST1.IPN.DEV.", dns.TypeA, noEdns), ipv4UppercaseResponse},
-		{"ptr4", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR, noEdns), ptrResponse},
+		{"all", dnspacket("test1.ipn.dev.", dns.TypeALL), allResponse},
+		{"ipv4", dnspacket("test1.ipn.dev.", dns.TypeA), ipv4Response},
+		{"ipv6", dnspacket("test2.ipn.dev.", dns.TypeAAAA), ipv6Response},
+		{"no-ipv6", dnspacket("test1.ipn.dev.", dns.TypeAAAA), emptyResponse},
+		{"upper", dnspacket("TEST1.IPN.DEV.", dns.TypeA), ipv4UppercaseResponse},
+		{"ptr4", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), ptrResponse},
 		{"ptr6", dnspacket("f.0.e.0.d.0.c.0.b.0.a.0.9.0.8.0.7.0.6.0.5.0.4.0.3.0.2.0.1.0.0.0.ip6.arpa.",
-			dns.TypePTR, noEdns), ptrResponse6},
-		{"nxdomain", dnspacket("test3.ipn.dev.", dns.TypeA, noEdns), nxdomainResponse},
+			dns.TypePTR), ptrResponse6},
+		{"nxdomain", dnspacket("test3.ipn.dev.", dns.TypeA), nxdomainResponse},
 	}

 	for _, tt := range tests {
@@ -920,7 +667,7 @@ func TestFull(t *testing.T) {
 }

 func TestAllocs(t *testing.T) {
-	r := newResolver(t)
+	r := New(t.Logf, nil)
 	defer r.Close()
 	r.SetConfig(dnsCfg)

@@ -932,9 +679,9 @@ func TestAllocs(t *testing.T) {
 		want  int
 	}{
 		// Name lowercasing and response slice created by dns.NewBuilder.
-		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA, noEdns), 2},
+		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA), 2},
 		// 3 extra allocs in rdnsNameToIPv4 and one in marshalPTRRecord (dns.NewName).
-		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR, noEdns), 5},
+		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), 5},
 	}

 	for _, tt := range tests {
@@ -974,7 +721,7 @@ func BenchmarkFull(b *testing.B) {
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
 	defer server.Shutdown()

-	r := newResolver(b)
+	r := New(b.Logf, nil)
 	defer r.Close()

 	cfg := dnsCfg
@@ -988,9 +735,9 @@ func BenchmarkFull(b *testing.B) {
 		name    string
 		request []byte
 	}{
-		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA, noEdns)},
-		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR, noEdns)},
-		{"delegated", dnspacket("test.site.", dns.TypeA, noEdns)},
+		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA)},
+		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR)},
+		{"delegated", dnspacket("test.site.", dns.TypeA)},
 	}

 	for _, tt := range tests {
@@ -1011,58 +758,3 @@ func TestMarshalResponseFormatError(t *testing.T) {
 	}
 	t.Logf("response: %q", v)
 }
-
-func TestForwardLinkSelection(t *testing.T) {
-	old := initListenConfig
-	defer func() { initListenConfig = old }()
-
-	configCall := make(chan string, 1)
-	initListenConfig = func(nc *net.ListenConfig, mon *monitor.Mon, tunName string) error {
-		select {
-		case configCall <- tunName:
-			return nil
-		default:
-			t.Error("buffer full")
-			return errors.New("buffer full")
-		}
-	}
-
-	// specialIP is some IP we pretend that our link selector
-	// routes differently.
-	specialIP := netaddr.IPv4(1, 2, 3, 4)
-
-	fwd := newForwarder(t.Logf, nil, nil, linkSelFunc(func(ip netaddr.IP) string {
-		if ip == netaddr.IPv4(1, 2, 3, 4) {
-			return "special"
-		}
-		return ""
-	}))
-
-	// Test non-special IP.
-	if got, err := fwd.packetListener(netaddr.IP{}); err != nil {
-		t.Fatal(err)
-	} else if got != stdNetPacketListener {
-		t.Errorf("for IP zero value, didn't get expected packet listener")
-	}
-	select {
-	case v := <-configCall:
-		t.Errorf("unexpected ListenConfig call, with tunName %q", v)
-	default:
-	}
-
-	// Test that our special IP generates a call to initListenConfig.
-	if got, err := fwd.packetListener(specialIP); err != nil {
-		t.Fatal(err)
-	} else if got == stdNetPacketListener {
-		t.Errorf("special IP returned std packet listener; expected unique one")
-	}
-	if v, ok := <-configCall; !ok {
-		t.Errorf("didn't get ListenConfig call")
-	} else if v != "special" {
-		t.Errorf("got tunName %q; want 'special'", v)
-	}
-}
-
-type linkSelFunc func(ip netaddr.IP) string
-
-func (f linkSelFunc) PickLink(ip netaddr.IP) string { return f(ip) }
--- a/net/dns/wsl_windows.go
+++ b/net/dns/wsl_windows.go
@@ -1,254 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"bytes"
-	"fmt"
-	"os"
-	"os/exec"
-	"os/user"
-	"strings"
-	"syscall"
-	"unicode/utf16"
-
-	"golang.org/x/sys/windows"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/winutil"
-)
-
-// wslDistros reports the names of the installed WSL2 linux distributions.
-func wslDistros() ([]string, error) {
-	b, err := wslCombinedOutput(exec.Command("wsl.exe", "-l"))
-	if err != nil {
-		return nil, fmt.Errorf("%v: %q", err, string(b))
-	}
-
-	// The first line of output is a WSL header. E.g.
-	//
-	//	C:\tsdev>wsl.exe -l
-	//	Windows Subsystem for Linux Distributions:
-	//	Ubuntu-20.04 (Default)
-	//
-	// We can skip it by passing '-q', but here we put it to work.
-	// It turns out wsl.exe -l is broken, and outputs UTF-16 names
-	// that nothing can read. (Try `wsl.exe -l | more`.)
-	// So we look at the header to see if it's UTF-16.
-	// If so, we run the rest through a UTF-16 parser.
-	//
-	// https://github.com/microsoft/WSL/issues/4607
-	var output string
-	if bytes.HasPrefix(b, []byte("W\x00i\x00n\x00d\x00o\x00w\x00s\x00")) {
-		output, err = decodeUTF16(b)
-		if err != nil {
-			return nil, fmt.Errorf("failed to decode wsl.exe -l output %q: %v", b, err)
-		}
-	} else {
-		output = string(b)
-	}
-	lines := strings.Split(output, "\n")
-	if len(lines) < 1 {
-		return nil, nil
-	}
-	lines = lines[1:] // drop "Windows Subsystem For Linux" header
-
-	var distros []string
-	for _, name := range lines {
-		name = strings.TrimSpace(name)
-		name = strings.TrimSuffix(name, " (Default)")
-		if name == "" {
-			continue
-		}
-		distros = append(distros, name)
-	}
-	return distros, nil
-}
-
-func decodeUTF16(b []byte) (string, error) {
-	if len(b) == 0 {
-		return "", nil
-	} else if len(b)%2 != 0 {
-		return "", fmt.Errorf("decodeUTF16: invalid length %d", len(b))
-	}
-	var u16 []uint16
-	for i := 0; i < len(b); i += 2 {
-		u16 = append(u16, uint16(b[i])+(uint16(b[i+1])<<8))
-	}
-	return string(utf16.Decode(u16)), nil
-}
-
-// wslManager is a DNS manager for WSL2 linux distributions.
-// It configures /etc/wsl.conf and /etc/resolv.conf.
-type wslManager struct {
-	logf logger.Logf
-}
-
-func newWSLManager(logf logger.Logf) *wslManager {
-	m := &wslManager{
-		logf: logf,
-	}
-	return m
-}
-
-func (wm *wslManager) SetDNS(cfg OSConfig) error {
-	distros, err := wslDistros()
-	if err != nil {
-		return err
-	} else if len(distros) == 0 {
-		return nil
-	}
-	managers := make(map[string]directManager)
-	for _, distro := range distros {
-		managers[distro] = newDirectManagerOnFS(wslFS{
-			user:   "root",
-			distro: distro,
-		})
-	}
-
-	if !cfg.IsZero() {
-		if wm.setWSLConf(managers) {
-			// What's this? So glad you asked.
-			//
-			// WSL2 writes the /etc/resolv.conf.
-			// It is aggressive about it. Every time you execute wsl.exe,
-			// it writes it. (Opening a terminal is done by running wsl.exe.)
-			// You can turn this off using /etc/wsl.conf! But: this wsl.conf
-			// file is only parsed when the VM boots up. To do that, we
-			// have to shut down WSL2.
-			//
-			// So we do it here, before we call wsl.exe to write resolv.conf.
-			if b, err := wslCombinedOutput(wslCommand("--shutdown")); err != nil {
-				wm.logf("WSL SetDNS shutdown: %v: %s", err, b)
-			}
-		}
-	}
-
-	for distro, m := range managers {
-		if err := m.SetDNS(cfg); err != nil {
-			wm.logf("WSL(%q) SetDNS: %v", distro, err)
-		}
-	}
-	return nil
-}
-
-const wslConf = "/etc/wsl.conf"
-const wslConfSection = `# added by tailscale
-[network]
-generateResolvConf = false
-`
-
-// setWSLConf attempts to disable generateResolvConf in each WSL2 linux.
-// If any are changed, it reports true.
-func (wm *wslManager) setWSLConf(managers map[string]directManager) (changed bool) {
-	for distro, m := range managers {
-		b, err := m.fs.ReadFile(wslConf)
-		if err != nil && !os.IsNotExist(err) {
-			wm.logf("WSL(%q) wsl.conf: read: %v", distro, err)
-			continue
-		}
-		ini := parseIni(string(b))
-		if v := ini["network"]["generateResolvConf"]; v == "" {
-			b = append(b, wslConfSection...)
-			if err := m.fs.WriteFile(wslConf, b, 0644); err != nil {
-				wm.logf("WSL(%q) wsl.conf: write: %v", distro, err)
-				continue
-			}
-			changed = true
-		}
-	}
-	return changed
-}
-
-func (m *wslManager) SupportsSplitDNS() bool { return false }
-func (m *wslManager) Close() error           { return m.SetDNS(OSConfig{}) }
-
-// wslFS is a pinholeFS implemented on top of wsl.exe.
-//
-// We access WSL2 file systems via wsl.exe instead of \\wsl$\ because
-// the netpath appears to operate as the standard user, not root.
-type wslFS struct {
-	user   string
-	distro string
-}
-
-func (fs wslFS) Stat(name string) (isRegular bool, err error) {
-	err = wslRun(fs.cmd("test", "-f", name))
-	if ee, _ := err.(*exec.ExitError); ee != nil {
-		if ee.ExitCode() == 1 {
-			return false, os.ErrNotExist
-		}
-		return false, err
-	}
-	return true, nil
-}
-
-func (fs wslFS) Rename(oldName, newName string) error {
-	return wslRun(fs.cmd("mv", "--", oldName, newName))
-}
-func (fs wslFS) Remove(name string) error { return wslRun(fs.cmd("rm", "--", name)) }
-
-func (fs wslFS) ReadFile(name string) ([]byte, error) {
-	b, err := wslCombinedOutput(fs.cmd("cat", "--", name))
-	if ee, _ := err.(*exec.ExitError); ee != nil && ee.ExitCode() == 1 {
-		return nil, os.ErrNotExist
-	}
-	return b, err
-}
-
-func (fs wslFS) WriteFile(name string, contents []byte, perm os.FileMode) error {
-	cmd := fs.cmd("tee", "--", name)
-	cmd.Stdin = bytes.NewReader(contents)
-	cmd.Stdout = nil
-	if err := wslRun(cmd); err != nil {
-		return err
-	}
-	return wslRun(fs.cmd("chmod", "--", fmt.Sprintf("%04o", perm), name))
-}
-
-func (fs wslFS) cmd(args ...string) *exec.Cmd {
-	cmd := wslCommand("-u", fs.user, "-d", fs.distro, "-e")
-	cmd.Args = append(cmd.Args, args...)
-	return cmd
-}
-
-func wslCommand(args ...string) *exec.Cmd {
-	cmd := exec.Command("wsl.exe", args...)
-	return cmd
-}
-
-func wslCombinedOutput(cmd *exec.Cmd) ([]byte, error) {
-	buf := new(bytes.Buffer)
-	cmd.Stdout = buf
-	cmd.Stderr = buf
-	err := wslRun(cmd)
-	return buf.Bytes(), err
-}
-
-func wslRun(cmd *exec.Cmd) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("wslRun(%v): %w", cmd.Args, err)
-		}
-	}()
-
-	var token windows.Token
-	if u, err := user.Current(); err == nil && u.Name == "SYSTEM" {
-		// We need to switch user to run wsl.exe.
-		// https://github.com/microsoft/WSL/issues/4803
-		sessionID := winutil.WTSGetActiveConsoleSessionId()
-		if sessionID != 0xFFFFFFFF {
-			if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
-				return err
-			}
-			defer token.Close()
-		}
-	}
-
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Token:      syscall.Token(token),
-		HideWindow: true,
-	}
-	return cmd.Run()
-}
--- a/net/dnsfallback/dns-fallback-servers.json
+++ b/net/dnsfallback/dns-fallback-servers.json
@@ -1,179 +0,0 @@
-{
-	"Regions": {
-		"1": {
-			"RegionID": 1,
-			"RegionCode": "r1",
-			"RegionName": "r1",
-			"Nodes": [
-				{
-					"Name": "1a",
-					"RegionID": 1,
-					"HostName": "derp1.tailscale.com",
-					"IPv4": "159.89.225.99",
-					"IPv6": "2604:a880:400:d1::828:b001"
-				},
-				{
-					"Name": "1b",
-					"RegionID": 1,
-					"HostName": "derp1b.tailscale.com",
-					"IPv4": "45.55.35.93",
-					"IPv6": "2604:a880:800:a1::f:2001"
-				}
-			]
-		},
-		"10": {
-			"RegionID": 10,
-			"RegionCode": "r10",
-			"RegionName": "r10",
-			"Nodes": [
-				{
-					"Name": "10a",
-					"RegionID": 10,
-					"HostName": "derp10.tailscale.com",
-					"IPv4": "137.220.36.168",
-					"IPv6": "2001:19f0:8001:2d9:5400:2ff:feef:bbb1"
-				}
-			]
-		},
-		"11": {
-			"RegionID": 11,
-			"RegionCode": "r11",
-			"RegionName": "r11",
-			"Nodes": [
-				{
-					"Name": "11a",
-					"RegionID": 11,
-					"HostName": "derp11.tailscale.com",
-					"IPv4": "18.230.97.74",
-					"IPv6": "2600:1f1e:ee4:5611:ec5c:1736:d43b:a454"
-				}
-			]
-		},
-		"2": {
-			"RegionID": 2,
-			"RegionCode": "r2",
-			"RegionName": "r2",
-			"Nodes": [
-				{
-					"Name": "2a",
-					"RegionID": 2,
-					"HostName": "derp2.tailscale.com",
-					"IPv4": "167.172.206.31",
-					"IPv6": "2604:a880:2:d1::c5:7001"
-				},
-				{
-					"Name": "2b",
-					"RegionID": 2,
-					"HostName": "derp2b.tailscale.com",
-					"IPv4": "64.227.106.23",
-					"IPv6": "2604:a880:4:1d0::29:9000"
-				}
-			]
-		},
-		"3": {
-			"RegionID": 3,
-			"RegionCode": "r3",
-			"RegionName": "r3",
-			"Nodes": [
-				{
-					"Name": "3a",
-					"RegionID": 3,
-					"HostName": "derp3.tailscale.com",
-					"IPv4": "68.183.179.66",
-					"IPv6": "2400:6180:0:d1::67d:8001"
-				}
-			]
-		},
-		"4": {
-			"RegionID": 4,
-			"RegionCode": "r4",
-			"RegionName": "r4",
-			"Nodes": [
-				{
-					"Name": "4a",
-					"RegionID": 4,
-					"HostName": "derp4.tailscale.com",
-					"IPv4": "167.172.182.26",
-					"IPv6": "2a03:b0c0:3:e0::36e:9001"
-				},
-				{
-					"Name": "4b",
-					"RegionID": 4,
-					"HostName": "derp4b.tailscale.com",
-					"IPv4": "157.230.25.0",
-					"IPv6": "2a03:b0c0:3:e0::58f:3001"
-				}
-			]
-		},
-		"5": {
-			"RegionID": 5,
-			"RegionCode": "r5",
-			"RegionName": "r5",
-			"Nodes": [
-				{
-					"Name": "5a",
-					"RegionID": 5,
-					"HostName": "derp5.tailscale.com",
-					"IPv4": "103.43.75.49",
-					"IPv6": "2001:19f0:5801:10b7:5400:2ff:feaa:284c"
-				}
-			]
-		},
-		"6": {
-			"RegionID": 6,
-			"RegionCode": "r6",
-			"RegionName": "r6",
-			"Nodes": [
-				{
-					"Name": "6a",
-					"RegionID": 6,
-					"HostName": "derp6.tailscale.com",
-					"IPv4": "68.183.90.120",
-					"IPv6": "2400:6180:100:d0::982:d001"
-				}
-			]
-		},
-		"7": {
-			"RegionID": 7,
-			"RegionCode": "r7",
-			"RegionName": "r7",
-			"Nodes": [
-				{
-					"Name": "7a",
-					"RegionID": 7,
-					"HostName": "derp7.tailscale.com",
-					"IPv4": "167.179.89.145",
-					"IPv6": "2401:c080:1000:467f:5400:2ff:feee:22aa"
-				}
-			]
-		},
-		"8": {
-			"RegionID": 8,
-			"RegionCode": "r8",
-			"RegionName": "r8",
-			"Nodes": [
-				{
-					"Name": "8a",
-					"RegionID": 8,
-					"HostName": "derp8.tailscale.com",
-					"IPv4": "167.71.139.179",
-					"IPv6": "2a03:b0c0:1:e0::3cc:e001"
-				}
-			]
-		},
-		"9": {
-			"RegionID": 9,
-			"RegionCode": "r9",
-			"RegionName": "r9",
-			"Nodes": [
-				{
-					"Name": "9a",
-					"RegionID": 9,
-					"HostName": "derp9.tailscale.com",
-					"IPv4": "207.148.3.137",
-					"IPv6": "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"
-				}
-			]
-		}
-	}
-}
--- a/net/dnsfallback/dnsfallback.go
+++ b/net/dnsfallback/dnsfallback.go
@@ -2,15 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:generate go run update-dns-fallbacks.go
-
 // Package dnsfallback contains a DNS fallback mechanism
 // for starting up Tailscale when the system DNS is broken or otherwise unavailable.
 package dnsfallback

 import (
 	"context"
-	_ "embed"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -22,9 +19,9 @@ import (
 	"time"

 	"inet.af/netaddr"
+	"tailscale.com/derp/derpmap"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/tailcfg"
 )

 func Lookup(ctx context.Context, host string) ([]netaddr.IP, error) {
@@ -33,7 +30,7 @@ func Lookup(ctx context.Context, host string) ([]netaddr.IP, error) {
 		ip      netaddr.IP
 	}

-	dm := getDERPMap()
+	dm := derpmap.Prod()
 	var cands4, cands6 []nameIP
 	for _, dr := range dm.Regions {
 		for _, n := range dr.Nodes {
@@ -87,7 +84,7 @@ func Lookup(ctx context.Context, host string) ([]netaddr.IP, error) {
 }

 // serverName and serverIP of are, say, "derpN.tailscale.com".
-// queryName is the name being sought (e.g. "controlplane.tailscale.com"), passed as hint.
+// queryName is the name being sought (e.g. "login.tailscale.com"), passed as hint.
 func bootstrapDNSMap(ctx context.Context, serverName string, serverIP netaddr.IP, queryName string) (dnsMap, error) {
 	dialer := netns.NewDialer()
 	tr := http.DefaultTransport.(*http.Transport).Clone()
@@ -118,22 +115,3 @@ func bootstrapDNSMap(ctx context.Context, serverName string, serverIP netaddr.IP
 // dnsMap is the JSON type returned by the DERP /bootstrap-dns handler:
 // https://derp10.tailscale.com/bootstrap-dns
 type dnsMap map[string][]netaddr.IP
-
-// getDERPMap returns some DERP map. The DERP servers also run a fallback
-// DNS server.
-func getDERPMap() *tailcfg.DERPMap {
-	// TODO(bradfitz): try to read the last known DERP map from disk,
-	// at say /var/lib/tailscale/derpmap.txt and write it when it changes,
-	// and read it here.
-	// But ultimately the fallback will be to use a copy baked into the binary,
-	// which is this part:
-
-	dm := new(tailcfg.DERPMap)
-	if err := json.Unmarshal(staticDERPMapJSON, dm); err != nil {
-		panic(err)
-	}
-	return dm
-}
-
-//go:embed dns-fallback-servers.json
-var staticDERPMapJSON []byte
--- a/net/dnsfallback/dnsfallback_test.go
+++ b/net/dnsfallback/dnsfallback_test.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dnsfallback
-
-import "testing"
-
-func TestGetDERPMap(t *testing.T) {
-	dm := getDERPMap()
-	if dm == nil {
-		t.Fatal("nil")
-	}
-	if len(dm.Regions) == 0 {
-		t.Fatal("no regions")
-	}
-}
--- a/net/dnsfallback/update-dns-fallbacks.go
+++ b/net/dnsfallback/update-dns-fallbacks.go
@@ -1,47 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build ignore
-
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-
-	"tailscale.com/tailcfg"
-)
-
-func main() {
-	res, err := http.Get("https://login.tailscale.com/derpmap/default")
-	if err != nil {
-		log.Fatal(err)
-	}
-	if res.StatusCode != 200 {
-		res.Write(os.Stderr)
-		os.Exit(1)
-	}
-	dm := new(tailcfg.DERPMap)
-	if err := json.NewDecoder(res.Body).Decode(dm); err != nil {
-		log.Fatal(err)
-	}
-	for rid, r := range dm.Regions {
-		// Names misleading to check into git, as this is a
-		// static snapshot and doesn't reflect the live DERP
-		// map.
-		r.RegionCode = fmt.Sprintf("r%d", rid)
-		r.RegionName = r.RegionCode
-	}
-	out, err := json.MarshalIndent(dm, "", "\t")
-	if err != nil {
-		log.Fatal(err)
-	}
-	if err := ioutil.WriteFile("dns-fallback-servers.json", out, 0644); err != nil {
-		log.Fatal(err)
-	}
-}
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -15,14 +15,13 @@ import (
 	"strings"

 	"inet.af/netaddr"
-	"tailscale.com/hostinfo"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tshttpproxy"
 )

 // LoginEndpointForProxyDetermination is the URL used for testing
 // which HTTP proxy the system should use.
-var LoginEndpointForProxyDetermination = "https://controlplane.tailscale.com/"
+var LoginEndpointForProxyDetermination = "https://login.tailscale.com/"

 // Tailscale returns the current machine's Tailscale interface, if any.
 // If none is found, all zero values are returned.
@@ -82,16 +81,13 @@ func isProblematicInterface(nif *net.Interface) bool {
 }

 // LocalAddresses returns the machine's IP addresses, separated by
-// whether they're loopback addresses. If there are no regular addresses
-// it will return any IPv4 linklocal or IPv6 unique local addresses because we
-// know of environments where these are used with NAT to provide connectivity.
+// whether they're loopback addresses.
 func LocalAddresses() (regular, loopback []netaddr.IP, err error) {
 	// TODO(crawshaw): don't serve interface addresses that we are routing
 	ifaces, err := net.Interfaces()
 	if err != nil {
 		return nil, nil, err
 	}
-	var regular4, regular6, linklocal4, ula6 []netaddr.IP
 	for i := range ifaces {
 		iface := &ifaces[i]
 		if !isUp(iface) || isProblematicInterface(iface) {
@@ -121,44 +117,17 @@ func LocalAddresses() (regular, loopback []netaddr.IP, err error) {
 				if tsaddr.IsTailscaleIP(ip) {
 					continue
 				}
+				if ip.IsLinkLocalUnicast() {
+					continue
+				}
 				if ip.IsLoopback() || ifcIsLoopback {
 					loopback = append(loopback, ip)
-				} else if ip.IsLinkLocalUnicast() {
-					if ip.Is4() {
-						linklocal4 = append(linklocal4, ip)
-					}
-
-					// We know of no cases where the IPv6 fe80:: addresses
-					// are used to provide WAN connectivity. It is also very
-					// common for users to have no IPv6 WAN connectivity,
-					// but their OS supports IPv6 so they have an fe80::
-					// address. We don't want to report all of those
-					// IPv6 LL to Control.
-				} else if ip.Is6() && tsaddr.IsULA(ip) {
-					// Google Cloud Run uses NAT with IPv6 Unique
-					// Local Addresses to provide IPv6 connectivity.
-					ula6 = append(ula6, ip)
 				} else {
-					if ip.Is4() {
-						regular4 = append(regular4, ip)
-					} else {
-						regular6 = append(regular6, ip)
-					}
+					regular = append(regular, ip)
 				}
 			}
 		}
 	}
-	if len(regular4) == 0 && len(regular6) == 0 {
-		// if we have no usable IP addresses then be willing to accept
-		// addresses we otherwise wouldn't, like:
-		//   + 169.254.x.x (AWS Lambda uses NAT with these)
-		//   + IPv6 ULA (Google Cloud Run uses these with address translation)
-		if hostinfo.GetEnvType() == hostinfo.AWSLambda {
-			regular4 = linklocal4
-		}
-		regular6 = ula6
-	}
-	regular = append(regular4, regular6...)
 	sortIPs(regular)
 	sortIPs(loopback)
 	return regular, loopback, nil
@@ -226,7 +195,7 @@ func ForeachInterface(fn func(Interface, []netaddr.IPPrefix)) error {
 			}
 		}
 		sort.Slice(pfxs, func(i, j int) bool {
-			return pfxs[i].IP().Less(pfxs[j].IP())
+			return pfxs[i].IP.Less(pfxs[j].IP)
 		})
 		fn(Interface{iface}, pfxs)
 	}
@@ -244,9 +213,9 @@ type State struct {
 	InterfaceIPs map[string][]netaddr.IPPrefix
 	Interface    map[string]Interface

-	// HaveV6 is whether this machine has an IPv6 Global or Unique Local Address
-	// which might provide connectivity on a non-Tailscale interface that's up.
-	HaveV6 bool
+	// HaveV6Global is whether this machine has an IPv6 global address
+	// on some non-Tailscale interface that's up.
+	HaveV6Global bool

 	// HaveV4 is whether the machine has some non-localhost,
 	// non-link-local IPv4 address on a non-Tailscale interface that's up.
@@ -295,7 +264,7 @@ func (s *State) String() string {
 			fmt.Fprintf(&sb, "%s:[", ifName)
 			needSpace := false
 			for _, pfx := range s.InterfaceIPs[ifName] {
-				if !isInterestingIP(pfx.IP()) {
+				if !isInterestingIP(pfx.IP) {
 					continue
 				}
 				if needSpace {
@@ -320,7 +289,7 @@ func (s *State) String() string {
 	if s.PAC != "" {
 		fmt.Fprintf(&sb, " pac=%s", s.PAC)
 	}
-	fmt.Fprintf(&sb, " v4=%v v6=%v}", s.HaveV4, s.HaveV6)
+	fmt.Fprintf(&sb, " v4=%v v6global=%v}", s.HaveV4, s.HaveV6Global)
 	return sb.String()
 }

@@ -333,7 +302,7 @@ func (s *State) EqualFiltered(s2 *State, filter func(i Interface, ips []netaddr.
 	if s == nil || s2 == nil {
 		return false
 	}
-	if s.HaveV6 != s2.HaveV6 ||
+	if s.HaveV6Global != s2.HaveV6Global ||
 		s.HaveV4 != s2.HaveV4 ||
 		s.IsExpensive != s2.IsExpensive ||
 		s.DefaultRouteInterface != s2.DefaultRouteInterface ||
@@ -393,12 +362,12 @@ func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }

 // AnyInterfaceUp reports whether any interface seems like it has Internet access.
 func (s *State) AnyInterfaceUp() bool {
-	return s != nil && (s.HaveV4 || s.HaveV6)
+	return s != nil && (s.HaveV4 || s.HaveV6Global)
 }

 func hasTailscaleIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if tsaddr.IsTailscaleIP(pfx.IP()) {
+		if tsaddr.IsTailscaleIP(pfx.IP) {
 			return true
 		}
 	}
@@ -438,11 +407,11 @@ func GetState() (*State, error) {
 			return
 		}
 		for _, pfx := range pfxs {
-			if pfx.IP().IsLoopback() {
+			if pfx.IP.IsLoopback() || pfx.IP.IsLinkLocalUnicast() {
 				continue
 			}
-			s.HaveV6 = s.HaveV6 || isUsableV6(pfx.IP())
-			s.HaveV4 = s.HaveV4 || isUsableV4(pfx.IP())
+			s.HaveV6Global = s.HaveV6Global || isGlobalV6(pfx.IP)
+			s.HaveV4 = s.HaveV4 || pfx.IP.Is4()
 		}
 	}); err != nil {
 		return nil, err
@@ -478,7 +447,7 @@ func HTTPOfListener(ln net.Listener) string {
 	var goodIP string
 	var privateIP string
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if isPrivateIP(ip) {
 			if privateIP == "" {
 				privateIP = ip.String()
@@ -515,7 +484,7 @@ func LikelyHomeRouterIP() (gateway, myIP netaddr.IP, ok bool) {
 		return
 	}
 	ForeachInterfaceAddress(func(i Interface, pfx netaddr.IPPrefix) {
-		ip := pfx.IP()
+		ip := pfx.IP
 		if !i.IsUp() || ip.IsZero() || !myIP.IsZero() {
 			return
 		}
@@ -534,25 +503,7 @@ func isPrivateIP(ip netaddr.IP) bool {
 	return private1.Contains(ip) || private2.Contains(ip) || private3.Contains(ip)
 }

-// isUsableV4 reports whether ip is a usable IPv4 address which could
-// conceivably be used to get Internet connectivity. Globally routable and
-// private IPv4 addresses are always Usable, and link local 169.254.x.x
-// addresses are in some environments.
-func isUsableV4(ip netaddr.IP) bool {
-	if !ip.Is4() || ip.IsLoopback() {
-		return false
-	}
-	if ip.IsLinkLocalUnicast() {
-		return hostinfo.GetEnvType() == hostinfo.AWSLambda
-	}
-	return true
-}
-
-// isUsableV6 reports whether ip is a usable IPv6 address which could
-// conceivably be used to get Internet connectivity. Globally routable
-// IPv6 addresses are always Usable, and Unique Local Addresses
-// (fc00::/7) are in some environments used with address translation.
-func isUsableV6(ip netaddr.IP) bool {
+func isGlobalV6(ip netaddr.IP) bool {
 	return v6Global1.Contains(ip) ||
 		(tsaddr.IsULA(ip) && !tsaddr.TailscaleULARange().Contains(ip))
 }
@@ -577,7 +528,7 @@ var (
 // isInterestingIP.
 func anyInterestingIP(pfxs []netaddr.IPPrefix) bool {
 	for _, pfx := range pfxs {
-		if isInterestingIP(pfx.IP()) {
+		if isInterestingIP(pfx.IP) {
 			return true
 		}
 	}
--- a/net/interfaces/interfaces_darwin.go
+++ b/net/interfaces/interfaces_darwin.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net"
 	"syscall"
+	"time"

 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
@@ -28,9 +29,32 @@ func DefaultRouteInterface() (string, error) {
 	return iface.Name, nil
 }

-// fetchRoutingTable calls route.FetchRIB, fetching NET_RT_DUMP2.
+// fetchRoutingTable is a retry loop around route.FetchRIB, fetching NET_RT_DUMP2.
+//
+// The retry loop is due to a bug in the BSDs (or Go?). See
+// https://github.com/tailscale/tailscale/issues/1345
 func fetchRoutingTable() (rib []byte, err error) {
-	return route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+	fails := 0
+	for {
+		rib, err := route.FetchRIB(syscall.AF_UNSPEC, syscall.NET_RT_DUMP2, 0)
+		if err == nil {
+			return rib, nil
+		}
+		fails++
+		if fails < 10 {
+			// Empirically, 1 retry is enough. In a long
+			// stress test while toggling wifi on & off, I
+			// only saw a few occurrences of 2 and one 3.
+			// So 10 should be more plenty.
+			if fails > 5 {
+				time.Sleep(5 * time.Millisecond)
+			}
+			continue
+		}
+		if err != nil {
+			return nil, fmt.Errorf("route.FetchRIB: %w", err)
+		}
+	}
 }

 func DefaultRouteInterfaceIndex() (int, error) {
--- a/net/interfaces/interfaces_default_route_test.go
+++ b/net/interfaces/interfaces_default_route_test.go
@@ -2,11 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build linux darwin,!ts_macext
+// +build linux,!redo

 package interfaces

 import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
 )

@@ -19,3 +23,64 @@ func TestDefaultRouteInterface(t *testing.T) {
 	}
 	t.Logf("got %q", v)
 }
+
+// test the specific /proc/net/route path as found on Google Cloud Run instances
+func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "CloudRun")
+	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
+		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
+		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
+	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "eth1" {
+		t.Fatalf("got %s, want eth1", got)
+	}
+}
+
+// we read chunks of /proc/net/route at a time, test that files longer than the chunk
+// size can be handled.
+func TestExtremelyLongProcNetRoute(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "VeryLong")
+	f, err := os.Create(procNetRoutePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for n := 0; n <= 1000; n++ {
+		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
+		_, err := f.Write([]byte(line))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "tokenring1" {
+		t.Fatalf("got %q, want tokenring1", got)
+	}
+}
--- a/net/interfaces/interfaces_linux_test.go
+++ b/net/interfaces/interfaces_linux_test.go
@@ -4,74 +4,7 @@

 package interfaces

-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// test the specific /proc/net/route path as found on Google Cloud Run instances
-func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "CloudRun")
-	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
-		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
-		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
-	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "eth1" {
-		t.Fatalf("got %s, want eth1", got)
-	}
-}
-
-// we read chunks of /proc/net/route at a time, test that files longer than the chunk
-// size can be handled.
-func TestExtremelyLongProcNetRoute(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "VeryLong")
-	f, err := os.Create(procNetRoutePath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for n := 0; n <= 1000; n++ {
-		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
-		_, err := f.Write([]byte(line))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "tokenring1" {
-		t.Fatalf("got %q, want tokenring1", got)
-	}
-}
+import "testing"

 func BenchmarkDefaultRouteInterface(b *testing.B) {
 	b.ReportAllocs()
--- a/net/interfaces/interfaces_test.go
+++ b/net/interfaces/interfaces_test.go
@@ -46,7 +46,7 @@ func TestLikelyHomeRouterIP(t *testing.T) {
 	t.Logf("myIP = %v; gw = %v", my, gw)
 }

-func TestIsUsableV6(t *testing.T) {
+func TestIsGlobalV6(t *testing.T) {
 	tests := []struct {
 		name string
 		ip   string
@@ -61,8 +61,8 @@ func TestIsUsableV6(t *testing.T) {
 	}

 	for _, test := range tests {
-		if got := isUsableV6(netaddr.MustParseIP(test.ip)); got != test.want {
-			t.Errorf("isUsableV6(%s) = %v, want %v", test.name, got, test.want)
+		if got := isGlobalV6(netaddr.MustParseIP(test.ip)); got != test.want {
+			t.Errorf("isGlobalV6(%s) = %v, want %v", test.name, got, test.want)
 		}
 	}
 }
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -336,7 +336,7 @@ func makeProbePlan(dm *tailcfg.DERPMap, ifState *interfaces.State, last *Report)
 	if last == nil || len(last.RegionLatency) == 0 {
 		return makeProbePlanInitial(dm, ifState)
 	}
-	have6if := ifState.HaveV6
+	have6if := ifState.HaveV6Global
 	have4if := ifState.HaveV4
 	plan = make(probePlan)
 	if !have4if && !have6if {
@@ -425,7 +425,7 @@ func makeProbePlanInitial(dm *tailcfg.DERPMap, ifState *interfaces.State) (plan
 			if ifState.HaveV4 && nodeMight4(n) {
 				p4 = append(p4, probe{delay: delay, node: n.Name, proto: probeIPv4})
 			}
-			if ifState.HaveV6 && nodeMight6(n) {
+			if ifState.HaveV6Global && nodeMight6(n) {
 				p6 = append(p6, probe{delay: delay, node: n.Name, proto: probeIPv6})
 			}
 		}
@@ -625,7 +625,7 @@ func (rs *reportState) stopTimers() {
 func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort, d time.Duration) {
 	var ipPortStr string
 	if ipp != (netaddr.IPPort{}) {
-		ipPortStr = net.JoinHostPort(ipp.IP().String(), fmt.Sprint(ipp.Port()))
+		ipPortStr = net.JoinHostPort(ipp.IP.String(), fmt.Sprint(ipp.Port))
 	}

 	rs.mu.Lock()
@@ -650,13 +650,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	}

 	switch {
-	case ipp.IP().Is6():
+	case ipp.IP.Is6():
 		updateLatency(ret.RegionV6Latency, node.RegionID, d)
 		ret.IPv6 = true
 		ret.GlobalV6 = ipPortStr
 		// TODO: track MappingVariesByDestIP for IPv6
 		// too? Would be sad if so, but who knows.
-	case ipp.IP().Is4():
+	case ipp.IP.Is4():
 		updateLatency(ret.RegionV4Latency, node.RegionID, d)
 		ret.IPv4 = true
 		if rs.gotEP4 == "" {
@@ -808,7 +808,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 		go c.readPackets(ctx, u4)
 	}

-	if ifState.HaveV6 {
+	if ifState.HaveV6Global {
 		if f := c.GetSTUNConn6; f != nil {
 			rs.pc6 = f()
 		} else {
@@ -1172,7 +1172,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 		if proto == probeIPv6 && ip.Is4() {
 			return nil
 		}
-		return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+		return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 	}

 	switch proto {
@@ -1182,7 +1182,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is4() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	case probeIPv6:
 		if n.IPv6 != "" {
@@ -1190,7 +1190,7 @@ func (c *Client) nodeAddr(ctx context.Context, n *tailcfg.DERPNode, proto probeP
 			if !ip.Is6() {
 				return nil
 			}
-			return netaddr.IPPortFrom(ip, uint16(port)).UDPAddr()
+			return netaddr.IPPort{IP: ip, Port: uint16(port)}.UDPAddr()
 		}
 	default:
 		return nil
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -443,8 +443,8 @@ func TestMakeProbePlan(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ifState := &interfaces.State{
-				HaveV6: tt.have6if,
-				HaveV4: !tt.no4,
+				HaveV6Global: tt.have6if,
+				HaveV4:       !tt.no4,
 			}
 			got := makeProbePlan(tt.dm, ifState, tt.last)
 			if !reflect.DeepEqual(got, tt.want) {
--- a/net/netns/netns_android.go
+++ b/net/netns/netns_android.go
@@ -1,64 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build android
-
-package netns
-
-import (
-	"fmt"
-	"sync"
-	"syscall"
-)
-
-var (
-	androidProtectFuncMu sync.Mutex
-	androidProtectFunc   func(fd int) error
-)
-
-// SetAndroidProtectFunc register a func that Android provides that JNI calls into
-// https://developer.android.com/reference/android/net/VpnService#protect(int)
-// which is documented as:
-//
-// "Protect a socket from VPN connections. After protecting, data sent
-// through this socket will go directly to the underlying network, so
-// its traffic will not be forwarded through the VPN. This method is
-// useful if some connections need to be kept outside of VPN. For
-// example, a VPN tunnel should protect itself if its destination is
-// covered by VPN routes. Otherwise its outgoing packets will be sent
-// back to the VPN interface and cause an infinite loop. This method
-// will fail if the application is not prepared or is revoked."
-//
-// A nil func disables the use the hook.
-//
-// This indirection is necessary because this is the supported, stable
-// interface to use on Android, and doing the sockopts to set the
-// fwmark return errors on Android. The actual implementation of
-// VpnService.protect ends up doing an IPC to another process on
-// Android, asking for the fwmark to be set.
-func SetAndroidProtectFunc(f func(fd int) error) {
-	androidProtectFuncMu.Lock()
-	defer androidProtectFuncMu.Unlock()
-	androidProtectFunc = f
-}
-
-// control marks c as necessary to dial in a separate network namespace.
-//
-// It's intentionally the same signature as net.Dialer.Control
-// and net.ListenConfig.Control.
-func control(network, address string, c syscall.RawConn) error {
-	var sockErr error
-	err := c.Control(func(fd uintptr) {
-		androidProtectFuncMu.Lock()
-		f := androidProtectFunc
-		androidProtectFuncMu.Unlock()
-		if f != nil {
-			sockErr = f(int(fd))
-		}
-	})
-	if err != nil {
-		return fmt.Errorf("RawConn.Control on %T: %w", c, err)
-	}
-	return sockErr
-}
--- a/net/netns/netns_darwin_tailscaled.go
+++ b/net/netns/netns_darwin_tailscaled.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build darwin,!ts_macext
+// +build darwin,!redo

 package netns

--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build !linux,!windows,!darwin darwin,ts_macext
+// +build !linux,!windows,!darwin darwin,redo

 package netns

--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -2,8 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build linux,!android
-
 package netns

 import (
--- a/net/netns/netns_macios.go
+++ b/net/netns/netns_macios.go
@@ -1,53 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin ios
-
-package netns
-
-import (
-	"errors"
-	"log"
-	"net"
-	"strings"
-	"syscall"
-
-	"golang.org/x/sys/unix"
-)
-
-// SetListenConfigInterfaceIndex sets lc.Control such that sockets are bound
-// to the provided interface index.
-func SetListenConfigInterfaceIndex(lc *net.ListenConfig, ifIndex int) error {
-	if lc == nil {
-		return errors.New("nil ListenConfig")
-	}
-	if lc.Control != nil {
-		return errors.New("ListenConfig.Control already set")
-	}
-	lc.Control = func(network, address string, c syscall.RawConn) error {
-		var sockErr error
-		err := c.Control(func(fd uintptr) {
-			sockErr = bindInterface(fd, network, address, ifIndex)
-			if sockErr != nil {
-				log.Printf("netns: bind(%q, %q) on index %v: %v", network, address, ifIndex, sockErr)
-			}
-		})
-		if err != nil {
-			return err
-		}
-		return sockErr
-	}
-	return nil
-}
-
-func bindInterface(fd uintptr, network, address string, ifIndex int) error {
-	v6 := strings.Contains(address, "]:") || strings.HasSuffix(network, "6") // hacky test for v6
-	proto := unix.IPPROTO_IP
-	opt := unix.IP_BOUND_IF
-	if v6 {
-		proto = unix.IPPROTO_IPV6
-		opt = unix.IPV6_BOUND_IF
-	}
-	return unix.SetsockoptInt(int(fd), proto, opt, ifIndex)
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .11.0
 .7.0