[client] Replace iOS DNS IsPrivate heuristic with route manager check (#5694)

lixmal · web-flow · commit 145d82f322e9 · 2026-03-26T18:11:05.000+08:00
diff --git a/client/internal/dns/mock_server.go b/client/internal/dns/mock_server.go
@@ -85,6 +85,11 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
 
+// SetRouteChecker mock implementation of SetRouteChecker from Server interface
+func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
+	// Mock implementation - no-op
+}
+
 // BeginBatch mock implementation of BeginBatch from Server interface
 func (m *MockServer) BeginBatch() {
 	// Mock implementation - no-op
diff --git a/client/internal/dns/server.go b/client/internal/dns/server.go
@@ -57,6 +57,7 @@ type Server interface {
 	ProbeAvailability()
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
+	SetRouteChecker(func(netip.Addr) bool)
 }
 
 type nsGroupsByDomain struct {
@@ -104,6 +105,7 @@ type DefaultServer struct {
 
 	statusRecorder *peer.Status
 	stateManager   *statemanager.Manager
+	routeMatch     func(netip.Addr) bool
 
 	probeMu     sync.Mutex
 	probeCancel context.CancelFunc
@@ -229,6 +231,14 @@ func newDefaultServer(
 	return defaultServer
 }
 
+// SetRouteChecker sets the function used by upstream resolvers to determine
+// whether an IP is routed through the tunnel.
+func (s *DefaultServer) SetRouteChecker(f func(netip.Addr) bool) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	s.routeMatch = f
+}
+
 // RegisterHandler registers a handler for the given domains with the given priority.
 // Any previously registered handler for the same domain and priority will be replaced.
 func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler, priority int) {
@@ -743,6 +753,7 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 		log.Errorf("failed to create upstream resolver for original nameservers: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch
 
 	for _, ns := range originalNameservers {
 		if ns == config.ServerIP {
@@ -852,6 +863,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		if err != nil {
 			return nil, fmt.Errorf("create upstream resolver: %v", err)
 		}
+		handler.routeMatch = s.routeMatch
 
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
@@ -1036,6 +1048,7 @@ func (s *DefaultServer) addHostRootZone() {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
+	handler.routeMatch = s.routeMatch
 
 	handler.upstreamServers = maps.Keys(hostDNSServers)
 	handler.deactivate = func(error) {}
diff --git a/client/internal/dns/upstream.go b/client/internal/dns/upstream.go
@@ -70,6 +70,7 @@ type upstreamResolverBase struct {
 	deactivate     func(error)
 	reactivate     func()
 	statusRecorder *peer.Status
+	routeMatch     func(netip.Addr) bool
 }
 
 type upstreamFailure struct {
diff --git a/client/internal/dns/upstream_ios.go b/client/internal/dns/upstream_ios.go
@@ -65,11 +65,13 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	} else {
 		upstreamIP = upstreamIP.Unmap()
 	}
-	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
-		log.Debugf("using private client to query upstream: %s", upstream)
+	needsPrivate := u.lNet.Contains(upstreamIP) ||
+		(u.routeMatch != nil && u.routeMatch(upstreamIP))
+	if needsPrivate {
+		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
 		client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)
 		if err != nil {
-			return nil, 0, fmt.Errorf("error while creating private client: %s", err)
+			return nil, 0, fmt.Errorf("create private client: %s", err)
 		}
 	}
 
diff --git a/client/internal/engine.go b/client/internal/engine.go
@@ -499,6 +499,17 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
+	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
+		for _, routes := range e.routeManager.GetClientRoutes() {
+			for _, r := range routes {
+				if r.Network.Contains(ip) {
+					return true
+				}
+			}
+		}
+		return false
+	})
+
 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ type upstreamResolverBase struct {`
`70`	`70`	`deactivate func(error)`
`71`	`71`	`reactivate func()`
`72`	`72`	`statusRecorder *peer.Status`
	`73`	`+ routeMatch func(netip.Addr) bool`
`73`	`74`	`}`
`74`	`75`
`75`	`76`	`type upstreamFailure struct {`
Original file line number	Diff line number	Diff line change
`@@ -65,11 +65,13 @@ func (u upstreamResolverIOS) exchange(ctx context.Context, upstream string, r `
`65`	`65`	`} else {`
`66`	`66`	`upstreamIP = upstreamIP.Unmap()`
`67`	`67`	`}`
`68`		`- if u.lNet.Contains(upstreamIP) \|\| upstreamIP.IsPrivate() {`
`69`		`- log.Debugf("using private client to query upstream: %s", upstream)`
	`68`	`+ needsPrivate := u.lNet.Contains(upstreamIP) \|\|`
	`69`	`+ (u.routeMatch != nil && u.routeMatch(upstreamIP))`
	`70`	`+ if needsPrivate {`
	`71`	`+ log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)`
`70`	`72`	`client, err = GetClientPrivate(u.lIP, u.interfaceName, timeout)`
`71`	`73`	`if err != nil {`
`72`		`- return nil, 0, fmt.Errorf("error while creating private client: %s", err)`
	`74`	`+ return nil, 0, fmt.Errorf("create private client: %s", err)`
`73`	`75`	`}`
`74`	`76`	`}`
`75`	`77`