Bump actions/checkout from 6.0.1 to 6.0.2

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8e8c483db8...de0fac2e45)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

Dockerfile

@@ -1,8 +1,4 @@
-# FROM golang:1.25-alpine AS builder
-FROM public.ecr.aws/docker/library/golang:1.25-alpine AS builder
-
-# Install git and ca-certificates
-RUN apk --no-cache add ca-certificates git tzdata
+FROM golang:1.25-alpine AS builder
 
 # Set the working directory inside the container
 WORKDIR /app
@@ -17,16 +13,21 @@ RUN go mod download
 COPY . .
 
 # Build the application
-ARG VERSION=dev
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.olmVersion=${VERSION}" -o /olm
+RUN CGO_ENABLED=0 GOOS=linux go build -o /olm
 
-FROM public.ecr.aws/docker/library/alpine:3.23 AS runner
+# Start a new stage from scratch
+FROM alpine:3.23 AS runner
 
-RUN apk --no-cache add ca-certificates tzdata iputils
+RUN apk --no-cache add ca-certificates
 
+# Copy the pre-built binary file from the previous stage and the entrypoint script
 COPY --from=builder /olm /usr/local/bin/
 COPY entrypoint.sh /
 
 RUN chmod +x /entrypoint.sh
+
+# Copy the entrypoint script
 ENTRYPOINT ["/entrypoint.sh"]
+
+# Command to run the executable
 CMD ["olm"]

Makefile

@@ -2,9 +2,6 @@
 
 all: local
 
-VERSION ?= dev
-LDFLAGS = -X main.olmVersion=$(VERSION)
-
 local:
 	CGO_ENABLED=0 go build -o ./bin/olm
 
@@ -46,25 +43,25 @@ go-build-release: \
     go-build-release-windows-amd64 \
 
 go-build-release-linux-arm64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/olm_linux_arm64
 
 go-build-release-linux-arm32-v7:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm32
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/olm_linux_arm32
 
 go-build-release-linux-arm32-v6:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_arm32v6
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/olm_linux_arm32v6
 
 go-build-release-linux-amd64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/olm_linux_amd64
 
 go-build-release-linux-riscv64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -ldflags "$(LDFLAGS)" -o bin/olm_linux_riscv64
+	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/olm_linux_riscv64
 
 go-build-release-darwin-arm64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/olm_darwin_arm64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/olm_darwin_arm64
 
 go-build-release-darwin-amd64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_darwin_amd64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/olm_darwin_amd64
 
 go-build-release-windows-amd64:
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/olm_windows_amd64.exe
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/olm_windows_amd64.exe

api/api.go

@@ -78,13 +78,6 @@ type MetadataChangeRequest struct {
 	Postures    map[string]any `json:"postures"`
 }
 
-// JITConnectionRequest defines the structure for a dynamic Just-In-Time connection request.
-// Either SiteID or ResourceID must be provided (but not necessarily both).
-type JITConnectionRequest struct {
-	Site     string `json:"site,omitempty"`
-	Resource string `json:"resource,omitempty"`
-}
-
 // API represents the HTTP server and its state
 type API struct {
 	addr       string
@@ -99,7 +92,6 @@ type API struct {
 	onExit           func() error
 	onRebind         func() error
 	onPowerMode      func(PowerModeRequest) error
-	onJITConnect     func(JITConnectionRequest) error
 
 	statusMu     sync.RWMutex
 	peerStatuses map[int]*PeerStatus
@@ -151,7 +143,6 @@ func (s *API) SetHandlers(
 	onExit func() error,
 	onRebind func() error,
 	onPowerMode func(PowerModeRequest) error,
-	onJITConnect func(JITConnectionRequest) error,
 ) {
 	s.onConnect = onConnect
 	s.onSwitchOrg = onSwitchOrg
@@ -160,7 +151,6 @@ func (s *API) SetHandlers(
 	s.onExit = onExit
 	s.onRebind = onRebind
 	s.onPowerMode = onPowerMode
-	s.onJITConnect = onJITConnect
 }
 
 // Start starts the HTTP server
@@ -179,7 +169,6 @@ func (s *API) Start() error {
 	mux.HandleFunc("/health", s.handleHealth)
 	mux.HandleFunc("/rebind", s.handleRebind)
 	mux.HandleFunc("/power-mode", s.handlePowerMode)
-	mux.HandleFunc("/jit-connect", s.handleJITConnect)
 
 	s.server = &http.Server{
 		Handler: mux,
@@ -283,6 +272,9 @@ func (s *API) SetConnectionStatus(isConnected bool) {
 
 	if isConnected {
 		s.connectedAt = time.Now()
+	} else {
+		// Clear peer statuses when disconnected
+		s.peerStatuses = make(map[int]*PeerStatus)
 	}
 }
 
@@ -644,54 +636,6 @@ func (s *API) handleRebind(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// handleJITConnect handles the /jit-connect endpoint.
-// It initiates a dynamic Just-In-Time connection to a site identified by either
-// a site or a resource. Exactly one of the two must be provided.
-func (s *API) handleJITConnect(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-
-	var req JITConnectionRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		http.Error(w, fmt.Sprintf("Invalid request body: %v", err), http.StatusBadRequest)
-		return
-	}
-
-	// Validate that exactly one of site or resource is provided
-	if req.Site == "" && req.Resource == "" {
-		http.Error(w, "Missing required field: either site or resource must be provided", http.StatusBadRequest)
-		return
-	}
-	if req.Site != "" && req.Resource != "" {
-		http.Error(w, "Ambiguous request: provide either site or resource, not both", http.StatusBadRequest)
-		return
-	}
-
-	if req.Site != "" {
-		logger.Info("Received JIT connection request via API: site=%s", req.Site)
-	} else {
-		logger.Info("Received JIT connection request via API: resource=%s", req.Resource)
-	}
-
-	if s.onJITConnect != nil {
-		if err := s.onJITConnect(req); err != nil {
-			http.Error(w, fmt.Sprintf("JIT connection failed: %v", err), http.StatusInternalServerError)
-			return
-		}
-	} else {
-		http.Error(w, "JIT connect handler not configured", http.StatusNotImplemented)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusAccepted)
-	_ = json.NewEncoder(w).Encode(map[string]string{
-		"status": "JIT connection request accepted",
-	})
-}
-
 // handlePowerMode handles the /power-mode endpoint
 // This allows changing the power mode between "normal" and "low"
 func (s *API) handlePowerMode(w http.ResponseWriter, r *http.Request) {

config.go

@@ -89,7 +89,6 @@ func DefaultConfig() *OlmConfig {
 		PingInterval:     "3s",
 		PingTimeout:      "5s",
 		DisableHolepunch: false,
-		OverrideDNS:      true,
 		TunnelDNS:        false,
 		// DoNotCreateNewClient: false,
 		sources: make(map[string]string),
@@ -325,9 +324,9 @@ func loadConfigFromCLI(config *OlmConfig, args []string) (bool, bool, error) {
 	serviceFlags.StringVar(&config.PingTimeout, "ping-timeout", config.PingTimeout, "Timeout for each ping")
 	serviceFlags.BoolVar(&config.EnableAPI, "enable-api", config.EnableAPI, "Enable API server for receiving connection requests")
 	serviceFlags.BoolVar(&config.DisableHolepunch, "disable-holepunch", config.DisableHolepunch, "Disable hole punching")
-	serviceFlags.BoolVar(&config.OverrideDNS, "override-dns", config.OverrideDNS, "When enabled, the client uses custom DNS servers to resolve internal resources and aliases. This overrides your system's default DNS settings. Queries that cannot be resolved as a Pangolin resource will be forwarded to your configured Upstream DNS Server. (default false)")
+	serviceFlags.BoolVar(&config.OverrideDNS, "override-dns", config.OverrideDNS, "Override system DNS settings")
 	serviceFlags.BoolVar(&config.DisableRelay, "disable-relay", config.DisableRelay, "Disable relay connections")
-	serviceFlags.BoolVar(&config.TunnelDNS, "tunnel-dns", config.TunnelDNS, "When enabled, DNS queries are routed through the tunnel for remote resolution. To ensure queries are tunneled correctly, you must define the DNS server as a Pangolin resource and enter its address as an Upstream DNS Server. (default false)")
+	serviceFlags.BoolVar(&config.TunnelDNS, "tunnel-dns", config.TunnelDNS, "Use tunnel for DNS traffic")
 	// serviceFlags.BoolVar(&config.DoNotCreateNewClient, "do-not-create-new-client", config.DoNotCreateNewClient, "Do not create new client")
 
 	version := serviceFlags.Bool("version", false, "Print the version")

dns/dns_proxy.go

@@ -45,11 +45,6 @@ type DNSProxy struct {
 	tunnelActivePorts map[uint16]bool
 	tunnelPortsLock   sync.Mutex
 
-	// jitHandler is called when a local record is resolved for a site that may not be
-	// connected yet, giving the caller a chance to initiate a JIT connection.
-	// It is invoked asynchronously so it never blocks DNS resolution.
-	jitHandler func(siteId int)
-
 	ctx    context.Context
 	cancel context.CancelFunc
 	wg     sync.WaitGroup
@@ -385,20 +380,10 @@ func (p *DNSProxy) handleDNSQuery(udpConn *gonet.UDPConn, queryData []byte, clie
 
 	// Check if we have local records for this query
 	var response *dns.Msg
-	if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA || question.Qtype == dns.TypePTR {
+	if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
 		response = p.checkLocalRecords(msg, question)
 	}
 
-	// If a local A/AAAA record was found, notify the JIT handler so that the owning
-	// site can be connected on-demand if it is not yet active.
-	if response != nil && p.jitHandler != nil &&
-		(question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA) {
-		if siteId, ok := p.recordStore.GetSiteIdForDomain(question.Name); ok && siteId != 0 {
-			handler := p.jitHandler
-			go handler(siteId)
-		}
-	}
-
 	// If no local records, forward to upstream
 	if response == nil {
 		logger.Debug("No local record for %s, forwarding upstream to %v", question.Name, p.upstreamDNS)
@@ -425,34 +410,6 @@ func (p *DNSProxy) handleDNSQuery(udpConn *gonet.UDPConn, queryData []byte, clie
 
 // checkLocalRecords checks if we have local records for the query
 func (p *DNSProxy) checkLocalRecords(query *dns.Msg, question dns.Question) *dns.Msg {
-	// Handle PTR queries
-	if question.Qtype == dns.TypePTR {
-		if ptrDomain, ok := p.recordStore.GetPTRRecord(question.Name); ok {
-			logger.Debug("Found local PTR record for %s -> %s", question.Name, ptrDomain)
-
-			// Create response message
-			response := new(dns.Msg)
-			response.SetReply(query)
-			response.Authoritative = true
-
-			// Add PTR answer record
-			rr := &dns.PTR{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypePTR,
-					Class:  dns.ClassINET,
-					Ttl:    300, // 5 minutes
-				},
-				Ptr: ptrDomain,
-			}
-			response.Answer = append(response.Answer, rr)
-
-			return response
-		}
-		return nil
-	}
-
-	// Handle A and AAAA queries
 	var recordType RecordType
 	if question.Qtype == dns.TypeA {
 		recordType = RecordTypeA
@@ -462,20 +419,19 @@ func (p *DNSProxy) checkLocalRecords(query *dns.Msg, question dns.Question) *dns
 		return nil
 	}
 
-	ips, exists := p.recordStore.GetRecords(question.Name, recordType)
-	if !exists {
-		// Domain not found in local records, forward to upstream
+	ips := p.recordStore.GetRecords(question.Name, recordType)
+	if len(ips) == 0 {
 		return nil
 	}
 
 	logger.Debug("Found %d local record(s) for %s", len(ips), question.Name)
 
-	// Create response message (NODATA if no records, otherwise with answers)
+	// Create response message
 	response := new(dns.Msg)
 	response.SetReply(query)
 	response.Authoritative = true
 
-	// Add answer records (loop is a no-op if ips is empty)
+	// Add answer records
 	for _, ip := range ips {
 		var rr dns.RR
 		if question.Qtype == dns.TypeA {
@@ -733,20 +689,11 @@ func (p *DNSProxy) runPacketSender() {
 	}
 }
 
-// SetJITHandler registers a callback that is invoked whenever a local DNS record is
-// resolved for an A or AAAA query. The siteId identifies which site owns the record.
-// The handler is called in its own goroutine so it must be safe to call concurrently.
-// Pass nil to disable JIT notifications.
-func (p *DNSProxy) SetJITHandler(handler func(siteId int)) {
-	p.jitHandler = handler
-}
-
 // AddDNSRecord adds a DNS record to the local store
 // domain should be a domain name (e.g., "example.com" or "example.com.")
 // ip should be a valid IPv4 or IPv6 address
-func (p *DNSProxy) AddDNSRecord(domain string, ip net.IP, siteId int) error {
-	logger.Debug("Adding dns record for domain %s with IP %s (siteId=%d)", domain, ip.String(), siteId)
-	return p.recordStore.AddRecord(domain, ip, siteId)
+func (p *DNSProxy) AddDNSRecord(domain string, ip net.IP) error {
+	return p.recordStore.AddRecord(domain, ip)
 }
 
 // RemoveDNSRecord removes a DNS record from the local store
@@ -755,9 +702,8 @@ func (p *DNSProxy) RemoveDNSRecord(domain string, ip net.IP) {
 	p.recordStore.RemoveRecord(domain, ip)
 }
 
-// GetDNSRecords returns all IP addresses for a domain and record type.
-// The second return value indicates whether the domain exists.
-func (p *DNSProxy) GetDNSRecords(domain string, recordType RecordType) ([]net.IP, bool) {
+// GetDNSRecords returns all IP addresses for a domain and record type
+func (p *DNSProxy) GetDNSRecords(domain string, recordType RecordType) []net.IP {
 	return p.recordStore.GetRecords(domain, recordType)
 }
 

dns/dns_proxy_test.go

@@ -1,178 +0,0 @@
-package dns
-
-import (
-	"net"
-	"testing"
-
-	"github.com/miekg/dns"
-)
-
-func TestCheckLocalRecordsNODATAForAAAA(t *testing.T) {
-	proxy := &DNSProxy{
-		recordStore: NewDNSRecordStore(),
-	}
-
-	// Add an A record for a domain (no AAAA record)
-	ip := net.ParseIP("10.0.0.1")
-	err := proxy.recordStore.AddRecord("myservice.internal", ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add A record: %v", err)
-	}
-
-	// Query AAAA for domain with only A record - should return NODATA
-	query := new(dns.Msg)
-	query.SetQuestion("myservice.internal.", dns.TypeAAAA)
-	response := proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected NODATA response, got nil (would forward to upstream)")
-	}
-	if response.Rcode != dns.RcodeSuccess {
-		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
-	}
-	if len(response.Answer) != 0 {
-		t.Errorf("Expected empty answer section for NODATA, got %d answers", len(response.Answer))
-	}
-	if !response.Authoritative {
-		t.Error("Expected response to be authoritative")
-	}
-
-	// Query A for same domain - should return the record
-	query = new(dns.Msg)
-	query.SetQuestion("myservice.internal.", dns.TypeA)
-	response = proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected response with A record, got nil")
-	}
-	if len(response.Answer) != 1 {
-		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
-	}
-	aRecord, ok := response.Answer[0].(*dns.A)
-	if !ok {
-		t.Fatal("Expected A record in answer")
-	}
-	if !aRecord.A.Equal(ip.To4()) {
-		t.Errorf("Expected IP %v, got %v", ip.To4(), aRecord.A)
-	}
-}
-
-func TestCheckLocalRecordsNODATAForA(t *testing.T) {
-	proxy := &DNSProxy{
-		recordStore: NewDNSRecordStore(),
-	}
-
-	// Add an AAAA record for a domain (no A record)
-	ip := net.ParseIP("2001:db8::1")
-	err := proxy.recordStore.AddRecord("ipv6only.internal", ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add AAAA record: %v", err)
-	}
-
-	// Query A for domain with only AAAA record - should return NODATA
-	query := new(dns.Msg)
-	query.SetQuestion("ipv6only.internal.", dns.TypeA)
-	response := proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected NODATA response, got nil")
-	}
-	if response.Rcode != dns.RcodeSuccess {
-		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
-	}
-	if len(response.Answer) != 0 {
-		t.Errorf("Expected empty answer section, got %d answers", len(response.Answer))
-	}
-	if !response.Authoritative {
-		t.Error("Expected response to be authoritative")
-	}
-
-	// Query AAAA for same domain - should return the record
-	query = new(dns.Msg)
-	query.SetQuestion("ipv6only.internal.", dns.TypeAAAA)
-	response = proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected response with AAAA record, got nil")
-	}
-	if len(response.Answer) != 1 {
-		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
-	}
-	aaaaRecord, ok := response.Answer[0].(*dns.AAAA)
-	if !ok {
-		t.Fatal("Expected AAAA record in answer")
-	}
-	if !aaaaRecord.AAAA.Equal(ip) {
-		t.Errorf("Expected IP %v, got %v", ip, aaaaRecord.AAAA)
-	}
-}
-
-func TestCheckLocalRecordsNonExistentDomain(t *testing.T) {
-	proxy := &DNSProxy{
-		recordStore: NewDNSRecordStore(),
-	}
-
-	// Add a record so the store isn't empty
-	err := proxy.recordStore.AddRecord("exists.internal", net.ParseIP("10.0.0.1"), 0)
-	if err != nil {
-		t.Fatalf("Failed to add record: %v", err)
-	}
-
-	// Query A for non-existent domain - should return nil (forward to upstream)
-	query := new(dns.Msg)
-	query.SetQuestion("unknown.internal.", dns.TypeA)
-	response := proxy.checkLocalRecords(query, query.Question[0])
-
-	if response != nil {
-		t.Error("Expected nil for non-existent domain, got response")
-	}
-
-	// Query AAAA for non-existent domain - should also return nil
-	query = new(dns.Msg)
-	query.SetQuestion("unknown.internal.", dns.TypeAAAA)
-	response = proxy.checkLocalRecords(query, query.Question[0])
-
-	if response != nil {
-		t.Error("Expected nil for non-existent domain, got response")
-	}
-}
-
-func TestCheckLocalRecordsNODATAWildcard(t *testing.T) {
-	proxy := &DNSProxy{
-		recordStore: NewDNSRecordStore(),
-	}
-
-	// Add a wildcard A record (no AAAA)
-	ip := net.ParseIP("10.0.0.1")
-	err := proxy.recordStore.AddRecord("*.wildcard.internal", ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add wildcard A record: %v", err)
-	}
-
-	// Query AAAA for wildcard-matched domain - should return NODATA
-	query := new(dns.Msg)
-	query.SetQuestion("host.wildcard.internal.", dns.TypeAAAA)
-	response := proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected NODATA response for wildcard match, got nil")
-	}
-	if response.Rcode != dns.RcodeSuccess {
-		t.Errorf("Expected Rcode NOERROR (0), got %d", response.Rcode)
-	}
-	if len(response.Answer) != 0 {
-		t.Errorf("Expected empty answer section, got %d answers", len(response.Answer))
-	}
-
-	// Query A for wildcard-matched domain - should return the record
-	query = new(dns.Msg)
-	query.SetQuestion("host.wildcard.internal.", dns.TypeA)
-	response = proxy.checkLocalRecords(query, query.Question[0])
-
-	if response == nil {
-		t.Fatal("Expected response with A record, got nil")
-	}
-	if len(response.Answer) != 1 {
-		t.Fatalf("Expected 1 answer, got %d", len(response.Answer))
-	}
-}

dns/dns_records.go

@@ -1,7 +1,6 @@
 package dns
 
 import (
-	"fmt"
 	"net"
 	"strings"
 	"sync"
@@ -15,31 +14,24 @@ type RecordType uint16
 const (
 	RecordTypeA    RecordType = RecordType(dns.TypeA)
 	RecordTypeAAAA RecordType = RecordType(dns.TypeAAAA)
-	RecordTypePTR  RecordType = RecordType(dns.TypePTR)
 )
 
-// recordSet holds A and AAAA records for a single domain or wildcard pattern
-type recordSet struct {
-	A      []net.IP
-	AAAA   []net.IP
-	SiteId int
-}
-
-// DNSRecordStore manages local DNS records for A, AAAA, and PTR queries.
-// Exact domains are stored in a map; wildcard patterns are in a separate map.
+// DNSRecordStore manages local DNS records for A and AAAA queries
 type DNSRecordStore struct {
-	mu         sync.RWMutex
-	exact      map[string]*recordSet // normalized FQDN -> A/AAAA records
-	wildcards  map[string]*recordSet // wildcard pattern -> A/AAAA records
-	ptrRecords map[string]string     // IP address string -> domain name
+	mu            sync.RWMutex
+	aRecords      map[string][]net.IP // domain -> list of IPv4 addresses
+	aaaaRecords   map[string][]net.IP // domain -> list of IPv6 addresses
+	aWildcards    map[string][]net.IP // wildcard pattern -> list of IPv4 addresses
+	aaaaWildcards map[string][]net.IP // wildcard pattern -> list of IPv6 addresses
 }
 
 // NewDNSRecordStore creates a new DNS record store
 func NewDNSRecordStore() *DNSRecordStore {
 	return &DNSRecordStore{
-		exact:      make(map[string]*recordSet),
-		wildcards:  make(map[string]*recordSet),
-		ptrRecords: make(map[string]string),
+		aRecords:      make(map[string][]net.IP),
+		aaaaRecords:   make(map[string][]net.IP),
+		aWildcards:    make(map[string][]net.IP),
+		aaaaWildcards: make(map[string][]net.IP),
 	}
 }
 
@@ -47,61 +39,7 @@ func NewDNSRecordStore() *DNSRecordStore {
 // domain should be in FQDN format (e.g., "example.com.")
 // domain can contain wildcards: * (0+ chars) and ? (exactly 1 char)
 // ip should be a valid IPv4 or IPv6 address
-// siteId is the site that owns this alias/domain
-// Automatically adds a corresponding PTR record for non-wildcard domains
-func (s *DNSRecordStore) AddRecord(domain string, ip net.IP, siteId int) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if len(domain) == 0 || domain[len(domain)-1] != '.' {
-		domain = domain + "."
-	}
-	domain = strings.ToLower(dns.Fqdn(domain))
-	isWildcard := strings.ContainsAny(domain, "*?")
-
-	isV4 := ip.To4() != nil
-	if !isV4 && ip.To16() == nil {
-		return &net.ParseError{Type: "IP address", Text: ip.String()}
-	}
-
-	// Choose the appropriate map based on whether this is a wildcard
-	m := s.exact
-	if isWildcard {
-		m = s.wildcards
-	}
-
-	if m[domain] == nil {
-		m[domain] = &recordSet{SiteId: siteId}
-	}
-	rs := m[domain]
-	if isV4 {
-		for _, existing := range rs.A {
-			if existing.Equal(ip) {
-				return nil
-			}
-		}
-		rs.A = append(rs.A, ip)
-	} else {
-		for _, existing := range rs.AAAA {
-			if existing.Equal(ip) {
-				return nil
-			}
-		}
-		rs.AAAA = append(rs.AAAA, ip)
-	}
-
-	// Add PTR record for non-wildcard domains
-	if !isWildcard {
-		s.ptrRecords[ip.String()] = domain
-	}
-	return nil
-}
-
-
-// AddPTRRecord adds a PTR record mapping an IP address to a domain name
-// ip should be a valid IPv4 or IPv6 address
-// domain should be in FQDN format (e.g., "example.com.")
-func (s *DNSRecordStore) AddPTRRecord(ip net.IP, domain string) error {
+func (s *DNSRecordStore) AddRecord(domain string, ip net.IP) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -110,182 +48,154 @@ func (s *DNSRecordStore) AddPTRRecord(ip net.IP, domain string) error {
 		domain = domain + "."
 	}
 
-	// Normalize domain to lowercase FQDN
-	domain = strings.ToLower(dns.Fqdn(domain))
+	// Normalize domain to lowercase
+	domain = dns.Fqdn(domain)
 
-	// Store PTR record using IP string as key
-	s.ptrRecords[ip.String()] = domain
+	// Check if domain contains wildcards
+	isWildcard := strings.ContainsAny(domain, "*?")
+
+	if ip.To4() != nil {
+		// IPv4 address
+		if isWildcard {
+			s.aWildcards[domain] = append(s.aWildcards[domain], ip)
+		} else {
+			s.aRecords[domain] = append(s.aRecords[domain], ip)
+		}
+	} else if ip.To16() != nil {
+		// IPv6 address
+		if isWildcard {
+			s.aaaaWildcards[domain] = append(s.aaaaWildcards[domain], ip)
+		} else {
+			s.aaaaRecords[domain] = append(s.aaaaRecords[domain], ip)
+		}
+	} else {
+		return &net.ParseError{Type: "IP address", Text: ip.String()}
+	}
 
 	return nil
 }
 
 // RemoveRecord removes a specific DNS record mapping
 // If ip is nil, removes all records for the domain (including wildcards)
-// Automatically removes corresponding PTR records for non-wildcard domains
 func (s *DNSRecordStore) RemoveRecord(domain string, ip net.IP) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
+	// Ensure domain ends with a dot (FQDN format)
 	if len(domain) == 0 || domain[len(domain)-1] != '.' {
 		domain = domain + "."
 	}
-	domain = strings.ToLower(dns.Fqdn(domain))
+
+	// Normalize domain to lowercase
+	domain = dns.Fqdn(domain)
+
+	// Check if domain contains wildcards
 	isWildcard := strings.ContainsAny(domain, "*?")
 
-	// Choose the appropriate map
-	m := s.exact
-	if isWildcard {
-		m = s.wildcards
-	}
-
-	rs := m[domain]
-	if rs == nil {
-		return
-	}
-
 	if ip == nil {
 		// Remove all records for this domain
-		if !isWildcard {
-			for _, ipAddr := range rs.A {
-				if ptrDomain, exists := s.ptrRecords[ipAddr.String()]; exists && ptrDomain == domain {
-					delete(s.ptrRecords, ipAddr.String())
-				}
-			}
-			for _, ipAddr := range rs.AAAA {
-				if ptrDomain, exists := s.ptrRecords[ipAddr.String()]; exists && ptrDomain == domain {
-					delete(s.ptrRecords, ipAddr.String())
-				}
-			}
+		if isWildcard {
+			delete(s.aWildcards, domain)
+			delete(s.aaaaWildcards, domain)
+		} else {
+			delete(s.aRecords, domain)
+			delete(s.aaaaRecords, domain)
 		}
-		delete(m, domain)
 		return
 	}
 
-	// Remove specific IP
 	if ip.To4() != nil {
-		rs.A = removeIP(rs.A, ip)
-		if !isWildcard {
-			if ptrDomain, exists := s.ptrRecords[ip.String()]; exists && ptrDomain == domain {
-				delete(s.ptrRecords, ip.String())
+		// Remove specific IPv4 address
+		if isWildcard {
+			if ips, ok := s.aWildcards[domain]; ok {
+				s.aWildcards[domain] = removeIP(ips, ip)
+				if len(s.aWildcards[domain]) == 0 {
+					delete(s.aWildcards, domain)
+				}
 			}
-		}
-	} else {
-		rs.AAAA = removeIP(rs.AAAA, ip)
-		if !isWildcard {
-			if ptrDomain, exists := s.ptrRecords[ip.String()]; exists && ptrDomain == domain {
-				delete(s.ptrRecords, ip.String())
-			}
-		}
-	}
-
-	// Clean up empty record sets
-	if len(rs.A) == 0 && len(rs.AAAA) == 0 {
-		delete(m, domain)
-	}
-}
-
-// RemovePTRRecord removes a PTR record for an IP address
-func (s *DNSRecordStore) RemovePTRRecord(ip net.IP) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	delete(s.ptrRecords, ip.String())
-}
-
-// GetSiteIdForDomain returns the siteId associated with the given domain.
-// It checks exact matches first, then wildcard patterns.
-// The second return value is false if the domain is not found in local records.
-func (s *DNSRecordStore) GetSiteIdForDomain(domain string) (int, bool) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	domain = strings.ToLower(dns.Fqdn(domain))
-
-	// Check exact match first
-	if rs, exists := s.exact[domain]; exists {
-		return rs.SiteId, true
-	}
-
-	// Check wildcard matches
-	for pattern, rs := range s.wildcards {
-		if matchWildcard(pattern, domain) {
-			return rs.SiteId, true
-		}
-	}
-
-	return 0, false
-}
-
-// GetRecords returns all IP addresses for a domain and record type.
-// The second return value indicates whether the domain exists at all
-// (true = domain exists, use NODATA if no records; false = NXDOMAIN).
-func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) ([]net.IP, bool) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	domain = strings.ToLower(dns.Fqdn(domain))
-
-	// Check exact match first
-	if rs, exists := s.exact[domain]; exists {
-		var ips []net.IP
-		if recordType == RecordTypeA {
-			ips = rs.A
 		} else {
-			ips = rs.AAAA
+			if ips, ok := s.aRecords[domain]; ok {
+				s.aRecords[domain] = removeIP(ips, ip)
+				if len(s.aRecords[domain]) == 0 {
+					delete(s.aRecords, domain)
+				}
+			}
 		}
-		if len(ips) > 0 {
-			out := make([]net.IP, len(ips))
-			copy(out, ips)
-			return out, true
+	} else if ip.To16() != nil {
+		// Remove specific IPv6 address
+		if isWildcard {
+			if ips, ok := s.aaaaWildcards[domain]; ok {
+				s.aaaaWildcards[domain] = removeIP(ips, ip)
+				if len(s.aaaaWildcards[domain]) == 0 {
+					delete(s.aaaaWildcards, domain)
+				}
+			}
+		} else {
+			if ips, ok := s.aaaaRecords[domain]; ok {
+				s.aaaaRecords[domain] = removeIP(ips, ip)
+				if len(s.aaaaRecords[domain]) == 0 {
+					delete(s.aaaaRecords, domain)
+				}
+			}
 		}
-		// Domain exists but no records of this type
-		return nil, true
 	}
+}
+
+// GetRecords returns all IP addresses for a domain and record type
+// First checks for exact matches, then checks wildcard patterns
+func (s *DNSRecordStore) GetRecords(domain string, recordType RecordType) []net.IP {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	// Normalize domain to lowercase FQDN
+	domain = dns.Fqdn(domain)
 
-	// Check wildcard matches
 	var records []net.IP
-	matched := false
-	for pattern, rs := range s.wildcards {
-		if !matchWildcard(pattern, domain) {
-			continue
+	switch recordType {
+	case RecordTypeA:
+		// Check exact match first
+		if ips, ok := s.aRecords[domain]; ok {
+			// Return a copy to prevent external modifications
+			records = make([]net.IP, len(ips))
+			copy(records, ips)
+			return records
 		}
-		matched = true
-		if recordType == RecordTypeA {
-			records = append(records, rs.A...)
-		} else {
-			records = append(records, rs.AAAA...)
+		// Check wildcard patterns
+		for pattern, ips := range s.aWildcards {
+			if matchWildcard(pattern, domain) {
+				records = append(records, ips...)
+			}
+		}
+		if len(records) > 0 {
+			// Return a copy
+			result := make([]net.IP, len(records))
+			copy(result, records)
+			return result
+		}
+
+	case RecordTypeAAAA:
+		// Check exact match first
+		if ips, ok := s.aaaaRecords[domain]; ok {
+			// Return a copy to prevent external modifications
+			records = make([]net.IP, len(ips))
+			copy(records, ips)
+			return records
+		}
+		// Check wildcard patterns
+		for pattern, ips := range s.aaaaWildcards {
+			if matchWildcard(pattern, domain) {
+				records = append(records, ips...)
+			}
+		}
+		if len(records) > 0 {
+			// Return a copy
+			result := make([]net.IP, len(records))
+			copy(result, records)
+			return result
 		}
 	}
 
-	if !matched {
-		return nil, false
-	}
-	if len(records) == 0 {
-		return nil, true
-	}
-	out := make([]net.IP, len(records))
-	copy(out, records)
-	return out, true
-}
-
-// GetPTRRecord returns the domain name for a PTR record query
-// domain should be in reverse DNS format (e.g., "1.0.0.127.in-addr.arpa.")
-func (s *DNSRecordStore) GetPTRRecord(domain string) (string, bool) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	// Convert reverse DNS format to IP address
-	ip := reverseDNSToIP(domain)
-	if ip == nil {
-		return "", false
-	}
-
-	// Look up the PTR record
-	if ptrDomain, ok := s.ptrRecords[ip.String()]; ok {
-		return ptrDomain, true
-	}
-
-	return "", false
+	return records
 }
 
 // HasRecord checks if a domain has any records of the specified type
@@ -294,56 +204,46 @@ func (s *DNSRecordStore) HasRecord(domain string, recordType RecordType) bool {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 
-	domain = strings.ToLower(dns.Fqdn(domain))
+	// Normalize domain to lowercase FQDN
+	domain = dns.Fqdn(domain)
 
-	// Check exact match
-	if rs, exists := s.exact[domain]; exists {
-		if recordType == RecordTypeA && len(rs.A) > 0 {
+	switch recordType {
+	case RecordTypeA:
+		// Check exact match
+		if _, ok := s.aRecords[domain]; ok {
 			return true
 		}
-		if recordType == RecordTypeAAAA && len(rs.AAAA) > 0 {
+		// Check wildcard patterns
+		for pattern := range s.aWildcards {
+			if matchWildcard(pattern, domain) {
+				return true
+			}
+		}
+	case RecordTypeAAAA:
+		// Check exact match
+		if _, ok := s.aaaaRecords[domain]; ok {
 			return true
 		}
+		// Check wildcard patterns
+		for pattern := range s.aaaaWildcards {
+			if matchWildcard(pattern, domain) {
+				return true
+			}
+		}
 	}
 
-	// Check wildcard matches
-	for pattern, rs := range s.wildcards {
-		if !matchWildcard(pattern, domain) {
-			continue
-		}
-		if recordType == RecordTypeA && len(rs.A) > 0 {
-			return true
-		}
-		if recordType == RecordTypeAAAA && len(rs.AAAA) > 0 {
-			return true
-		}
-	}
 	return false
 }
 
-// HasPTRRecord checks if a PTR record exists for the given reverse DNS domain
-func (s *DNSRecordStore) HasPTRRecord(domain string) bool {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	// Convert reverse DNS format to IP address
-	ip := reverseDNSToIP(domain)
-	if ip == nil {
-		return false
-	}
-
-	_, ok := s.ptrRecords[ip.String()]
-	return ok
-}
-
 // Clear removes all records from the store
 func (s *DNSRecordStore) Clear() {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	s.exact = make(map[string]*recordSet)
-	s.wildcards = make(map[string]*recordSet)
-	s.ptrRecords = make(map[string]string)
+	s.aRecords = make(map[string][]net.IP)
+	s.aaaaRecords = make(map[string][]net.IP)
+	s.aWildcards = make(map[string][]net.IP)
+	s.aaaaWildcards = make(map[string][]net.IP)
 }
 
 // removeIP is a helper function to remove a specific IP from a slice
@@ -423,75 +323,3 @@ func matchWildcardInternal(pattern, domain string, pi, di int) bool {
 
 	return matchWildcardInternal(pattern, domain, pi+1, di+1)
 }
-
-// reverseDNSToIP converts a reverse DNS query name to an IP address
-// Supports both IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) formats
-func reverseDNSToIP(domain string) net.IP {
-	// Normalize to lowercase and ensure FQDN
-	domain = strings.ToLower(dns.Fqdn(domain))
-
-	// Check for IPv4 reverse DNS (in-addr.arpa)
-	if strings.HasSuffix(domain, ".in-addr.arpa.") {
-		// Remove the suffix
-		ipPart := strings.TrimSuffix(domain, ".in-addr.arpa.")
-		// Split by dots and reverse
-		parts := strings.Split(ipPart, ".")
-		if len(parts) != 4 {
-			return nil
-		}
-		// Reverse the octets
-		reversed := make([]string, 4)
-		for i := 0; i < 4; i++ {
-			reversed[i] = parts[3-i]
-		}
-		// Parse as IP
-		return net.ParseIP(strings.Join(reversed, "."))
-	}
-
-	// Check for IPv6 reverse DNS (ip6.arpa)
-	if strings.HasSuffix(domain, ".ip6.arpa.") {
-		// Remove the suffix
-		ipPart := strings.TrimSuffix(domain, ".ip6.arpa.")
-		// Split by dots and reverse
-		parts := strings.Split(ipPart, ".")
-		if len(parts) != 32 {
-			return nil
-		}
-		// Reverse the nibbles and group into 16-bit hex values
-		reversed := make([]string, 32)
-		for i := 0; i < 32; i++ {
-			reversed[i] = parts[31-i]
-		}
-		// Join into IPv6 format (groups of 4 nibbles separated by colons)
-		var ipv6Parts []string
-		for i := 0; i < 32; i += 4 {
-			ipv6Parts = append(ipv6Parts, reversed[i]+reversed[i+1]+reversed[i+2]+reversed[i+3])
-		}
-		// Parse as IP
-		return net.ParseIP(strings.Join(ipv6Parts, ":"))
-	}
-
-	return nil
-}
-
-// IPToReverseDNS converts an IP address to reverse DNS format
-// Returns the domain name for PTR queries (e.g., "1.0.0.127.in-addr.arpa.")
-func IPToReverseDNS(ip net.IP) string {
-	if ip4 := ip.To4(); ip4 != nil {
-		// IPv4: reverse octets and append .in-addr.arpa.
-		return dns.Fqdn(fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa",
-			ip4[3], ip4[2], ip4[1], ip4[0]))
-	}
-
-	if ip6 := ip.To16(); ip6 != nil && ip.To4() == nil {
-		// IPv6: expand to 32 nibbles, reverse, and append .ip6.arpa.
-		var nibbles []string
-		for i := 15; i >= 0; i-- {
-			nibbles = append(nibbles, fmt.Sprintf("%x", ip6[i]&0x0f))
-			nibbles = append(nibbles, fmt.Sprintf("%x", ip6[i]>>4))
-		}
-		return dns.Fqdn(strings.Join(nibbles, ".") + ".ip6.arpa")
-	}
-
-	return ""
-}

dns/dns_records_test.go

@@ -170,47 +170,38 @@ func TestDNSRecordStoreWildcard(t *testing.T) {
 
 	// Add wildcard records
 	wildcardIP := net.ParseIP("10.0.0.1")
-	err := store.AddRecord("*.autoco.internal", wildcardIP, 0)
+	err := store.AddRecord("*.autoco.internal", wildcardIP)
 	if err != nil {
 		t.Fatalf("Failed to add wildcard record: %v", err)
 	}
 
 	// Add exact record
 	exactIP := net.ParseIP("10.0.0.2")
-	err = store.AddRecord("exact.autoco.internal", exactIP, 0)
+	err = store.AddRecord("exact.autoco.internal", exactIP)
 	if err != nil {
 		t.Fatalf("Failed to add exact record: %v", err)
 	}
 
 	// Test exact match takes precedence
-	ips, exists := store.GetRecords("exact.autoco.internal.", RecordTypeA)
-	if !exists {
-		t.Error("Expected domain to exist")
-	}
+	ips := store.GetRecords("exact.autoco.internal.", RecordTypeA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IP for exact match, got %d", len(ips))
 	}
-	if len(ips) > 0 && !ips[0].Equal(exactIP) {
+	if !ips[0].Equal(exactIP) {
 		t.Errorf("Expected exact IP %v, got %v", exactIP, ips[0])
 	}
 
 	// Test wildcard match
-	ips, exists = store.GetRecords("host.autoco.internal.", RecordTypeA)
-	if !exists {
-		t.Error("Expected wildcard match to exist")
-	}
+	ips = store.GetRecords("host.autoco.internal.", RecordTypeA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IP for wildcard match, got %d", len(ips))
 	}
-	if len(ips) > 0 && !ips[0].Equal(wildcardIP) {
+	if !ips[0].Equal(wildcardIP) {
 		t.Errorf("Expected wildcard IP %v, got %v", wildcardIP, ips[0])
 	}
 
 	// Test non-match (base domain)
-	ips, exists = store.GetRecords("autoco.internal.", RecordTypeA)
-	if exists {
-		t.Error("Expected base domain to not exist")
-	}
+	ips = store.GetRecords("autoco.internal.", RecordTypeA)
 	if len(ips) != 0 {
 		t.Errorf("Expected 0 IPs for base domain, got %d", len(ips))
 	}
@@ -221,16 +212,13 @@ func TestDNSRecordStoreComplexWildcard(t *testing.T) {
 
 	// Add complex wildcard pattern
 	ip1 := net.ParseIP("10.0.0.1")
-	err := store.AddRecord("*.host-0?.autoco.internal", ip1, 0)
+	err := store.AddRecord("*.host-0?.autoco.internal", ip1)
 	if err != nil {
 		t.Fatalf("Failed to add wildcard record: %v", err)
 	}
 
 	// Test matching domain
-	ips, exists := store.GetRecords("sub.host-01.autoco.internal.", RecordTypeA)
-	if !exists {
-		t.Error("Expected complex wildcard match to exist")
-	}
+	ips := store.GetRecords("sub.host-01.autoco.internal.", RecordTypeA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IP for complex wildcard match, got %d", len(ips))
 	}
@@ -239,19 +227,13 @@ func TestDNSRecordStoreComplexWildcard(t *testing.T) {
 	}
 
 	// Test non-matching domain (missing prefix)
-	ips, exists = store.GetRecords("host-01.autoco.internal.", RecordTypeA)
-	if exists {
-		t.Error("Expected domain without prefix to not exist")
-	}
+	ips = store.GetRecords("host-01.autoco.internal.", RecordTypeA)
 	if len(ips) != 0 {
 		t.Errorf("Expected 0 IPs for domain without prefix, got %d", len(ips))
 	}
 
 	// Test non-matching domain (wrong ? position)
-	ips, exists = store.GetRecords("sub.host-012.autoco.internal.", RecordTypeA)
-	if exists {
-		t.Error("Expected domain with wrong ? match to not exist")
-	}
+	ips = store.GetRecords("sub.host-012.autoco.internal.", RecordTypeA)
 	if len(ips) != 0 {
 		t.Errorf("Expected 0 IPs for domain with wrong ? match, got %d", len(ips))
 	}
@@ -262,16 +244,13 @@ func TestDNSRecordStoreRemoveWildcard(t *testing.T) {
 
 	// Add wildcard record
 	ip := net.ParseIP("10.0.0.1")
-	err := store.AddRecord("*.autoco.internal", ip, 0)
+	err := store.AddRecord("*.autoco.internal", ip)
 	if err != nil {
 		t.Fatalf("Failed to add wildcard record: %v", err)
 	}
 
 	// Verify it exists
-	ips, exists := store.GetRecords("host.autoco.internal.", RecordTypeA)
-	if !exists {
-		t.Error("Expected domain to exist before removal")
-	}
+	ips := store.GetRecords("host.autoco.internal.", RecordTypeA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IP before removal, got %d", len(ips))
 	}
@@ -280,10 +259,7 @@ func TestDNSRecordStoreRemoveWildcard(t *testing.T) {
 	store.RemoveRecord("*.autoco.internal", nil)
 
 	// Verify it's gone
-	ips, exists = store.GetRecords("host.autoco.internal.", RecordTypeA)
-	if exists {
-		t.Error("Expected domain to not exist after removal")
-	}
+	ips = store.GetRecords("host.autoco.internal.", RecordTypeA)
 	if len(ips) != 0 {
 		t.Errorf("Expected 0 IPs after removal, got %d", len(ips))
 	}
@@ -297,36 +273,36 @@ func TestDNSRecordStoreMultipleWildcards(t *testing.T) {
 	ip2 := net.ParseIP("10.0.0.2")
 	ip3 := net.ParseIP("10.0.0.3")
 
-	err := store.AddRecord("*.prod.autoco.internal", ip1, 0)
+	err := store.AddRecord("*.prod.autoco.internal", ip1)
 	if err != nil {
 		t.Fatalf("Failed to add first wildcard: %v", err)
 	}
 
-	err = store.AddRecord("*.dev.autoco.internal", ip2, 0)
+	err = store.AddRecord("*.dev.autoco.internal", ip2)
 	if err != nil {
 		t.Fatalf("Failed to add second wildcard: %v", err)
 	}
 
 	// Add a broader wildcard that matches both
-	err = store.AddRecord("*.autoco.internal", ip3, 0)
+	err = store.AddRecord("*.autoco.internal", ip3)
 	if err != nil {
 		t.Fatalf("Failed to add third wildcard: %v", err)
 	}
 
 	// Test domain matching only the prod pattern and the broad pattern
-	ips, _ := store.GetRecords("host.prod.autoco.internal.", RecordTypeA)
+	ips := store.GetRecords("host.prod.autoco.internal.", RecordTypeA)
 	if len(ips) != 2 {
 		t.Errorf("Expected 2 IPs (prod + broad), got %d", len(ips))
 	}
 
 	// Test domain matching only the dev pattern and the broad pattern
-	ips, _ = store.GetRecords("service.dev.autoco.internal.", RecordTypeA)
+	ips = store.GetRecords("service.dev.autoco.internal.", RecordTypeA)
 	if len(ips) != 2 {
 		t.Errorf("Expected 2 IPs (dev + broad), got %d", len(ips))
 	}
 
 	// Test domain matching only the broad pattern
-	ips, _ = store.GetRecords("host.test.autoco.internal.", RecordTypeA)
+	ips = store.GetRecords("host.test.autoco.internal.", RecordTypeA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IP (broad only), got %d", len(ips))
 	}
@@ -337,13 +313,13 @@ func TestDNSRecordStoreIPv6Wildcard(t *testing.T) {
 
 	// Add IPv6 wildcard record
 	ip := net.ParseIP("2001:db8::1")
-	err := store.AddRecord("*.autoco.internal", ip, 0)
+	err := store.AddRecord("*.autoco.internal", ip)
 	if err != nil {
 		t.Fatalf("Failed to add IPv6 wildcard record: %v", err)
 	}
 
 	// Test wildcard match for IPv6
-	ips, _ := store.GetRecords("host.autoco.internal.", RecordTypeAAAA)
+	ips := store.GetRecords("host.autoco.internal.", RecordTypeAAAA)
 	if len(ips) != 1 {
 		t.Errorf("Expected 1 IPv6 for wildcard match, got %d", len(ips))
 	}
@@ -357,7 +333,7 @@ func TestHasRecordWildcard(t *testing.T) {
 
 	// Add wildcard record
 	ip := net.ParseIP("10.0.0.1")
-	err := store.AddRecord("*.autoco.internal", ip, 0)
+	err := store.AddRecord("*.autoco.internal", ip)
 	if err != nil {
 		t.Fatalf("Failed to add wildcard record: %v", err)
 	}
@@ -372,517 +348,3 @@ func TestHasRecordWildcard(t *testing.T) {
 		t.Error("Expected HasRecord to return false for base domain")
 	}
 }
-
-func TestDNSRecordStoreCaseInsensitive(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add record with mixed case
-	ip := net.ParseIP("10.0.0.1")
-	err := store.AddRecord("MyHost.AutoCo.Internal", ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add mixed case record: %v", err)
-	}
-
-	// Test lookup with different cases
-	testCases := []string{
-		"myhost.autoco.internal.",
-		"MYHOST.AUTOCO.INTERNAL.",
-		"MyHost.AutoCo.Internal.",
-		"mYhOsT.aUtOcO.iNtErNaL.",
-	}
-
-	for _, domain := range testCases {
-		ips, _ := store.GetRecords(domain, RecordTypeA)
-		if len(ips) != 1 {
-			t.Errorf("Expected 1 IP for domain %q, got %d", domain, len(ips))
-		}
-		if len(ips) > 0 && !ips[0].Equal(ip) {
-			t.Errorf("Expected IP %v for domain %q, got %v", ip, domain, ips[0])
-		}
-	}
-
-	// Test wildcard with mixed case
-	wildcardIP := net.ParseIP("10.0.0.2")
-	err = store.AddRecord("*.Example.Com", wildcardIP, 0)
-	if err != nil {
-		t.Fatalf("Failed to add mixed case wildcard: %v", err)
-	}
-
-	wildcardTestCases := []string{
-		"host.example.com.",
-		"HOST.EXAMPLE.COM.",
-		"Host.Example.Com.",
-		"HoSt.ExAmPlE.CoM.",
-	}
-
-	for _, domain := range wildcardTestCases {
-		ips, _ := store.GetRecords(domain, RecordTypeA)
-		if len(ips) != 1 {
-			t.Errorf("Expected 1 IP for wildcard domain %q, got %d", domain, len(ips))
-		}
-		if len(ips) > 0 && !ips[0].Equal(wildcardIP) {
-			t.Errorf("Expected IP %v for wildcard domain %q, got %v", wildcardIP, domain, ips[0])
-		}
-	}
-
-	// Test removal with different case
-	store.RemoveRecord("MYHOST.AUTOCO.INTERNAL", nil)
-	ips, _ := store.GetRecords("myhost.autoco.internal.", RecordTypeA)
-	if len(ips) != 0 {
-		t.Errorf("Expected 0 IPs after removal, got %d", len(ips))
-	}
-
-	// Test HasRecord with different case
-	if !store.HasRecord("HOST.EXAMPLE.COM.", RecordTypeA) {
-		t.Error("Expected HasRecord to return true for mixed case wildcard match")
-	}
-}
-
-func TestPTRRecordIPv4(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add PTR record for IPv4
-	ip := net.ParseIP("192.168.1.1")
-	domain := "host.example.com."
-	err := store.AddPTRRecord(ip, domain)
-	if err != nil {
-		t.Fatalf("Failed to add PTR record: %v", err)
-	}
-
-	// Test reverse DNS lookup
-	reverseDomain := "1.1.168.192.in-addr.arpa."
-	result, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected PTR record to be found")
-	}
-	if result != domain {
-		t.Errorf("Expected domain %q, got %q", domain, result)
-	}
-
-	// Test HasPTRRecord
-	if !store.HasPTRRecord(reverseDomain) {
-		t.Error("Expected HasPTRRecord to return true")
-	}
-
-	// Test non-existent PTR record
-	_, ok = store.GetPTRRecord("2.1.168.192.in-addr.arpa.")
-	if ok {
-		t.Error("Expected PTR record not to be found for different IP")
-	}
-}
-
-func TestPTRRecordIPv6(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add PTR record for IPv6
-	ip := net.ParseIP("2001:db8::1")
-	domain := "ipv6host.example.com."
-	err := store.AddPTRRecord(ip, domain)
-	if err != nil {
-		t.Fatalf("Failed to add PTR record: %v", err)
-	}
-
-	// Test reverse DNS lookup
-	// 2001:db8::1 = 2001:0db8:0000:0000:0000:0000:0000:0001
-	// Reverse: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-	reverseDomain := "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
-	result, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected IPv6 PTR record to be found")
-	}
-	if result != domain {
-		t.Errorf("Expected domain %q, got %q", domain, result)
-	}
-
-	// Test HasPTRRecord
-	if !store.HasPTRRecord(reverseDomain) {
-		t.Error("Expected HasPTRRecord to return true for IPv6")
-	}
-}
-
-func TestRemovePTRRecord(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add PTR record
-	ip := net.ParseIP("10.0.0.1")
-	domain := "test.example.com."
-	err := store.AddPTRRecord(ip, domain)
-	if err != nil {
-		t.Fatalf("Failed to add PTR record: %v", err)
-	}
-
-	// Verify it exists
-	reverseDomain := "1.0.0.10.in-addr.arpa."
-	_, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected PTR record to exist before removal")
-	}
-
-	// Remove PTR record
-	store.RemovePTRRecord(ip)
-
-	// Verify it's gone
-	_, ok = store.GetPTRRecord(reverseDomain)
-	if ok {
-		t.Error("Expected PTR record to be removed")
-	}
-
-	// Test HasPTRRecord after removal
-	if store.HasPTRRecord(reverseDomain) {
-		t.Error("Expected HasPTRRecord to return false after removal")
-	}
-}
-
-func TestIPToReverseDNS(t *testing.T) {
-	tests := []struct {
-		name     string
-		ip       string
-		expected string
-	}{
-		{
-			name:     "IPv4 simple",
-			ip:       "192.168.1.1",
-			expected: "1.1.168.192.in-addr.arpa.",
-		},
-		{
-			name:     "IPv4 localhost",
-			ip:       "127.0.0.1",
-			expected: "1.0.0.127.in-addr.arpa.",
-		},
-		{
-			name:     "IPv4 with zeros",
-			ip:       "10.0.0.1",
-			expected: "1.0.0.10.in-addr.arpa.",
-		},
-		{
-			name:     "IPv6 simple",
-			ip:       "2001:db8::1",
-			expected: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.",
-		},
-		{
-			name:     "IPv6 localhost",
-			ip:       "::1",
-			expected: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ip := net.ParseIP(tt.ip)
-			if ip == nil {
-				t.Fatalf("Failed to parse IP: %s", tt.ip)
-			}
-			result := IPToReverseDNS(ip)
-			if result != tt.expected {
-				t.Errorf("IPToReverseDNS(%s) = %q, want %q", tt.ip, result, tt.expected)
-			}
-		})
-	}
-}
-
-func TestReverseDNSToIP(t *testing.T) {
-	tests := []struct {
-		name        string
-		reverseDNS  string
-		expectedIP  string
-		shouldMatch bool
-	}{
-		{
-			name:        "IPv4 simple",
-			reverseDNS:  "1.1.168.192.in-addr.arpa.",
-			expectedIP:  "192.168.1.1",
-			shouldMatch: true,
-		},
-		{
-			name:        "IPv4 localhost",
-			reverseDNS:  "1.0.0.127.in-addr.arpa.",
-			expectedIP:  "127.0.0.1",
-			shouldMatch: true,
-		},
-		{
-			name:        "IPv6 simple",
-			reverseDNS:  "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.",
-			expectedIP:  "2001:db8::1",
-			shouldMatch: true,
-		},
-		{
-			name:        "Invalid IPv4 format",
-			reverseDNS:  "1.1.168.in-addr.arpa.",
-			expectedIP:  "",
-			shouldMatch: false,
-		},
-		{
-			name:        "Invalid IPv6 format",
-			reverseDNS:  "1.0.0.0.ip6.arpa.",
-			expectedIP:  "",
-			shouldMatch: false,
-		},
-		{
-			name:        "Not a reverse DNS domain",
-			reverseDNS:  "example.com.",
-			expectedIP:  "",
-			shouldMatch: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := reverseDNSToIP(tt.reverseDNS)
-			if tt.shouldMatch {
-				if result == nil {
-					t.Errorf("reverseDNSToIP(%q) returned nil, expected IP", tt.reverseDNS)
-					return
-				}
-				expectedIP := net.ParseIP(tt.expectedIP)
-				if !result.Equal(expectedIP) {
-					t.Errorf("reverseDNSToIP(%q) = %v, want %v", tt.reverseDNS, result, expectedIP)
-				}
-			} else {
-				if result != nil {
-					t.Errorf("reverseDNSToIP(%q) = %v, expected nil", tt.reverseDNS, result)
-				}
-			}
-		})
-	}
-}
-
-func TestPTRRecordCaseInsensitive(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add PTR record with mixed case domain
-	ip := net.ParseIP("192.168.1.1")
-	domain := "MyHost.Example.Com"
-	err := store.AddPTRRecord(ip, domain)
-	if err != nil {
-		t.Fatalf("Failed to add PTR record: %v", err)
-	}
-
-	// Test lookup with different cases in reverse DNS format
-	reverseDomain := "1.1.168.192.in-addr.arpa."
-	result, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected PTR record to be found")
-	}
-	// Domain should be normalized to lowercase
-	if result != "myhost.example.com." {
-		t.Errorf("Expected normalized domain %q, got %q", "myhost.example.com.", result)
-	}
-
-	// Test with uppercase reverse DNS
-	reverseDomainUpper := "1.1.168.192.IN-ADDR.ARPA."
-	result, ok = store.GetPTRRecord(reverseDomainUpper)
-	if !ok {
-		t.Error("Expected PTR record to be found with uppercase reverse DNS")
-	}
-	if result != "myhost.example.com." {
-		t.Errorf("Expected normalized domain %q, got %q", "myhost.example.com.", result)
-	}
-}
-
-func TestClearPTRRecords(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add some PTR records
-	ip1 := net.ParseIP("192.168.1.1")
-	ip2 := net.ParseIP("192.168.1.2")
-	store.AddPTRRecord(ip1, "host1.example.com.")
-	store.AddPTRRecord(ip2, "host2.example.com.")
-
-	// Add some A records too
-	store.AddRecord("test.example.com.", net.ParseIP("10.0.0.1"), 0)
-
-	// Verify PTR records exist
-	if !store.HasPTRRecord("1.1.168.192.in-addr.arpa.") {
-		t.Error("Expected PTR record to exist before clear")
-	}
-
-	// Clear all records
-	store.Clear()
-
-	// Verify PTR records are gone
-	if store.HasPTRRecord("1.1.168.192.in-addr.arpa.") {
-		t.Error("Expected PTR record to be cleared")
-	}
-	if store.HasPTRRecord("2.1.168.192.in-addr.arpa.") {
-		t.Error("Expected PTR record to be cleared")
-	}
-
-	// Verify A records are also gone
-	if store.HasRecord("test.example.com.", RecordTypeA) {
-		t.Error("Expected A record to be cleared")
-	}
-}
-
-func TestAutomaticPTRRecordOnAdd(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add an A record - should automatically add PTR record
-	domain := "host.example.com."
-	ip := net.ParseIP("192.168.1.100")
-	err := store.AddRecord(domain, ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add A record: %v", err)
-	}
-
-	// Verify PTR record was automatically created
-	reverseDomain := "100.1.168.192.in-addr.arpa."
-	result, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected PTR record to be automatically created")
-	}
-	if result != domain {
-		t.Errorf("Expected PTR to point to %q, got %q", domain, result)
-	}
-
-	// Add AAAA record - should also automatically add PTR record
-	domain6 := "ipv6host.example.com."
-	ip6 := net.ParseIP("2001:db8::1")
-	err = store.AddRecord(domain6, ip6, 0)
-	if err != nil {
-		t.Fatalf("Failed to add AAAA record: %v", err)
-	}
-
-	// Verify IPv6 PTR record was automatically created
-	reverseDomain6 := "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
-	result6, ok := store.GetPTRRecord(reverseDomain6)
-	if !ok {
-		t.Error("Expected IPv6 PTR record to be automatically created")
-	}
-	if result6 != domain6 {
-		t.Errorf("Expected PTR to point to %q, got %q", domain6, result6)
-	}
-}
-
-func TestAutomaticPTRRecordOnRemove(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add an A record (with automatic PTR)
-	domain := "host.example.com."
-	ip := net.ParseIP("192.168.1.100")
-	store.AddRecord(domain, ip, 0)
-
-	// Verify PTR exists
-	reverseDomain := "100.1.168.192.in-addr.arpa."
-	if !store.HasPTRRecord(reverseDomain) {
-		t.Error("Expected PTR record to exist after adding A record")
-	}
-
-	// Remove the A record
-	store.RemoveRecord(domain, ip)
-
-	// Verify PTR was automatically removed
-	if store.HasPTRRecord(reverseDomain) {
-		t.Error("Expected PTR record to be automatically removed")
-	}
-
-	// Verify A record is also gone
-	ips, _ := store.GetRecords(domain, RecordTypeA)
-	if len(ips) != 0 {
-		t.Errorf("Expected A record to be removed, got %d records", len(ips))
-	}
-}
-
-func TestAutomaticPTRRecordOnRemoveAll(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add multiple IPs for the same domain
-	domain := "host.example.com."
-	ip1 := net.ParseIP("192.168.1.100")
-	ip2 := net.ParseIP("192.168.1.101")
-	store.AddRecord(domain, ip1, 0)
-	store.AddRecord(domain, ip2, 0)
-
-	// Verify both PTR records exist
-	reverseDomain1 := "100.1.168.192.in-addr.arpa."
-	reverseDomain2 := "101.1.168.192.in-addr.arpa."
-	if !store.HasPTRRecord(reverseDomain1) {
-		t.Error("Expected first PTR record to exist")
-	}
-	if !store.HasPTRRecord(reverseDomain2) {
-		t.Error("Expected second PTR record to exist")
-	}
-
-	// Remove all records for the domain
-	store.RemoveRecord(domain, nil)
-
-	// Verify both PTR records were removed
-	if store.HasPTRRecord(reverseDomain1) {
-		t.Error("Expected first PTR record to be removed")
-	}
-	if store.HasPTRRecord(reverseDomain2) {
-		t.Error("Expected second PTR record to be removed")
-	}
-}
-
-func TestNoPTRForWildcardRecords(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add wildcard record - should NOT create PTR record
-	domain := "*.example.com."
-	ip := net.ParseIP("192.168.1.100")
-	err := store.AddRecord(domain, ip, 0)
-	if err != nil {
-		t.Fatalf("Failed to add wildcard record: %v", err)
-	}
-
-	// Verify no PTR record was created
-	reverseDomain := "100.1.168.192.in-addr.arpa."
-	_, ok := store.GetPTRRecord(reverseDomain)
-	if ok {
-		t.Error("Expected no PTR record for wildcard domain")
-	}
-
-	// Verify wildcard A record exists
-	if !store.HasRecord("host.example.com.", RecordTypeA) {
-		t.Error("Expected wildcard A record to exist")
-	}
-}
-
-func TestPTRRecordOverwrite(t *testing.T) {
-	store := NewDNSRecordStore()
-
-	// Add first domain with IP
-	domain1 := "host1.example.com."
-	ip := net.ParseIP("192.168.1.100")
-	store.AddRecord(domain1, ip, 0)
-
-	// Verify PTR points to first domain
-	reverseDomain := "100.1.168.192.in-addr.arpa."
-	result, ok := store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Fatal("Expected PTR record to exist")
-	}
-	if result != domain1 {
-		t.Errorf("Expected PTR to point to %q, got %q", domain1, result)
-	}
-
-	// Add second domain with same IP - should overwrite PTR
-	domain2 := "host2.example.com."
-	store.AddRecord(domain2, ip, 0)
-
-	// Verify PTR now points to second domain (last one added)
-	result, ok = store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Fatal("Expected PTR record to still exist")
-	}
-	if result != domain2 {
-		t.Errorf("Expected PTR to point to %q (overwritten), got %q", domain2, result)
-	}
-
-	// Remove first domain - PTR should remain pointing to second domain
-	store.RemoveRecord(domain1, ip)
-	result, ok = store.GetPTRRecord(reverseDomain)
-	if !ok {
-		t.Error("Expected PTR record to still exist after removing first domain")
-	}
-	if result != domain2 {
-		t.Errorf("Expected PTR to still point to %q, got %q", domain2, result)
-	}
-
-	// Remove second domain - PTR should now be gone
-	store.RemoveRecord(domain2, ip)
-	_, ok = store.GetPTRRecord(reverseDomain)
-	if ok {
-		t.Error("Expected PTR record to be removed after removing second domain")
-	}
-}

go.mod

@@ -1,14 +1,14 @@
 module github.com/fosrl/olm
 
-go 1.25.0
+go 1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
-	github.com/fosrl/newt v1.10.3
+	github.com/fosrl/newt v1.9.0
 	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gorilla/websocket v1.5.3
 	github.com/miekg/dns v1.1.70
-	golang.org/x/sys v0.41.0
+	golang.org/x/sys v0.40.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
@@ -20,13 +20,13 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 )

go.sum

@@ -1,7 +1,7 @@
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/fosrl/newt v1.10.3 h1:JO9gFK9LP/w2EeDIn4wU+jKggAFPo06hX5hxFSETqcw=
-github.com/fosrl/newt v1.10.3/go.mod h1:iYuuCAG7iabheiogMOX87r61uQN31S39nKxMKRuLS+s=
+github.com/fosrl/newt v1.9.0 h1:66eJMo6fA+YcBTbddxTfNJXNQo1WWKzmn6zPRP5kSDE=
+github.com/fosrl/newt v1.9.0/go.mod h1:d1+yYMnKqg4oLqAM9zdbjthjj2FQEVouiACjqU468ck=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -16,24 +16,24 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=

main.go

@@ -13,8 +13,6 @@ import (
 	olmpkg "github.com/fosrl/olm/olm"
 )
 
-var olmVersion = "version_replaceme"
-
 func main() {
 	// Check if we're running as a Windows service
 	if isWindowsService() {
@@ -192,6 +190,7 @@ func runOlmMainWithArgs(ctx context.Context, cancel context.CancelFunc, signalCt
 		os.Exit(0)
 	}
 
+	olmVersion := "version_replaceme"
 	if showVersion {
 		fmt.Println("Olm version " + olmVersion)
 		os.Exit(0)

olm.iss

@@ -32,7 +32,7 @@ DefaultGroupName={#MyAppName}
 DisableProgramGroupPage=yes
 ; Uncomment the following line to run in non administrative install mode (install for current user only).
 ;PrivilegesRequired=lowest
-OutputBaseFilename=olm_windows_installer
+OutputBaseFilename=mysetup
 SolidCompression=yes
 WizardStyle=modern
 ; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed
@@ -78,7 +78,7 @@ begin
     Result := True;
     exit;
   end;
-  
+
   // Perform a case-insensitive check to see if the path is already present.
   // We add semicolons to prevent partial matches (e.g., matching C:\App in C:\App2).
   if Pos(';' + UpperCase(Path) + ';', ';' + UpperCase(OrigPath) + ';') > 0 then
@@ -109,7 +109,7 @@ begin
     PathList.Delimiter := ';';
     PathList.StrictDelimiter := True;
     PathList.DelimitedText := OrigPath;
-    
+
     // Find and remove the matching entry (case-insensitive)
     for I := PathList.Count - 1 downto 0 do
     begin
@@ -119,10 +119,10 @@ begin
         PathList.Delete(I);
       end;
     end;
-    
+
     // Reconstruct the PATH
     NewPath := PathList.DelimitedText;
-    
+
     // Write the new PATH back to the registry
     if RegWriteExpandStringValue(HKEY_LOCAL_MACHINE,
       'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
@@ -145,8 +145,8 @@ begin
     // Get the application installation path
     AppPath := ExpandConstant('{app}');
     Log('Removing PATH entry for: ' + AppPath);
-    
+
     // Remove only our path entry from the system PATH
     RemovePathEntry(AppPath);
   end;
-end;
+end;

olm/connect.go

@@ -7,7 +7,6 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"time"
 
 	"github.com/fosrl/newt/logger"
 	"github.com/fosrl/newt/network"
@@ -37,7 +36,7 @@ func (o *Olm) handleConnect(msg websocket.WSMessage) {
 
 	var wgData WgData
 
-	if o.registered {
+	if o.connected {
 		logger.Info("Already connected. Ignoring new connection request.")
 		return
 	}
@@ -169,25 +168,20 @@ func (o *Olm) handleConnect(msg websocket.WSMessage) {
 		SharedBind:    o.sharedBind,
 		WSClient:      o.websocket,
 		APIServer:     o.apiServer,
-		PublicDNS:     o.tunnelConfig.PublicDNS,
 	})
 
 	for i := range wgData.Sites {
 		site := wgData.Sites[i]
-
-		if site.PublicKey != "" {
-			var siteEndpoint string
-			// here we are going to take the relay endpoint if it exists which means we requested a relay for this peer
-			if site.RelayEndpoint != "" {
-				siteEndpoint = site.RelayEndpoint
-			} else {
-				siteEndpoint = site.Endpoint
-			}
-
-			o.apiServer.AddPeerStatus(site.SiteId, site.Name, false, 0, siteEndpoint, false)
+		var siteEndpoint string
+		// here we are going to take the relay endpoint if it exists which means we requested a relay for this peer
+		if site.RelayEndpoint != "" {
+			siteEndpoint = site.RelayEndpoint
+		} else {
+			siteEndpoint = site.Endpoint
 		}
 
-		// we still call this to add the aliases for jit lookup but we just do that then pass inside. need to skip the above so we dont add to the api
+		o.apiServer.AddPeerStatus(site.SiteId, site.Name, false, 0, siteEndpoint, false)
+
 		if err := o.peerManager.AddPeer(site); err != nil {
 			logger.Error("Failed to add peer: %v", err)
 			return
@@ -202,36 +196,6 @@ func (o *Olm) handleConnect(msg websocket.WSMessage) {
 		logger.Error("Failed to start DNS proxy: %v", err)
 	}
 
-	// Register JIT handler: when the DNS proxy resolves a local record, check whether
-	// the owning site is already connected and, if not, initiate a JIT connection.
-	o.dnsProxy.SetJITHandler(func(siteId int) {
-		if o.peerManager == nil || o.websocket == nil {
-			return
-		}
-
-		// Site already has an active peer connection - nothing to do.
-		if _, exists := o.peerManager.GetPeer(siteId); exists {
-			return
-		}
-
-		o.peerSendMu.Lock()
-		defer o.peerSendMu.Unlock()
-
-		// A JIT request for this site is already in-flight - avoid duplicate sends.
-		if _, pending := o.jitPendingSites[siteId]; pending {
-			return
-		}
-
-		chainId := generateChainId()
-		logger.Info("DNS-triggered JIT connect for site %d (chainId=%s)", siteId, chainId)
-		stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/init", map[string]interface{}{
-			"siteId":  siteId,
-			"chainId": chainId,
-		}, 2*time.Second, 10)
-		o.stopPeerInits[chainId] = stopFunc
-		o.jitPendingSites[siteId] = chainId
-	})
-
 	if o.tunnelConfig.OverrideDNS {
 		// Set up DNS override to use our DNS proxy
 		if err := dnsOverride.SetupDNSOverride(o.tunnelConfig.InterfaceName, o.dnsProxy.GetProxyIP()); err != nil {
@@ -244,7 +208,7 @@ func (o *Olm) handleConnect(msg websocket.WSMessage) {
 
 	o.apiServer.SetRegistered(true)
 
-	o.registered = true
+	o.connected = true
 
 	// Start ping monitor now that we are registered and connected
 	o.websocket.StartPingMonitor()
@@ -309,12 +273,6 @@ func (o *Olm) handleTerminate(msg websocket.WSMessage) {
 			logger.Error("Error unmarshaling terminate error data: %v", err)
 		} else {
 			logger.Info("Terminate reason (code: %s): %s", errorData.Code, errorData.Message)
-
-			if errorData.Code == "TERMINATED_INACTIVITY" {
-				logger.Info("Ignoring...")
-				return
-			}
-
 			// Set the olm error in the API server so it can be exposed via status
 			o.apiServer.SetOlmError(errorData.Code, errorData.Message)
 		}

olm/data.go

@@ -2,7 +2,6 @@ package olm
 
 import (
 	"encoding/json"
-	"fmt"
 	"time"
 
 	"github.com/fosrl/newt/holepunch"
@@ -158,7 +157,7 @@ func (o *Olm) handleWgPeerUpdateData(msg websocket.WSMessage) {
 func (o *Olm) handleSync(msg websocket.WSMessage) {
 	logger.Debug("Received sync message: %v", msg.Data)
 
-	if !o.registered {
+	if !o.connected {
 		logger.Warn("Not connected, ignoring sync request")
 		return
 	}
@@ -221,7 +220,6 @@ func (o *Olm) handleSync(msg websocket.WSMessage) {
 			logger.Info("Sync: Adding new peer for site %d", siteId)
 
 			o.holePunchManager.TriggerHolePunch()
-			o.holePunchManager.ResetServerHolepunchInterval() // start sending immediately again so we fill in the endpoint on the cloud
 
 			// // TODO: do we need to send the message to the cloud to add the peer that way?
 			// if err := o.peerManager.AddPeer(expectedSite); err != nil {
@@ -232,17 +230,9 @@ func (o *Olm) handleSync(msg websocket.WSMessage) {
 
 			// add the peer via the server
 			// this is important because newt needs to get triggered as well to add the peer once the hp is complete
-			chainId := fmt.Sprintf("sync-%d", expectedSite.SiteId)
-			o.peerSendMu.Lock()
-			if stop, ok := o.stopPeerSends[chainId]; ok {
-				stop()
-			}
-			stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
-				"siteId":  expectedSite.SiteId,
-				"chainId": chainId,
-			}, 2*time.Second, 10)
-			o.stopPeerSends[chainId] = stopFunc
-			o.peerSendMu.Unlock()
+			o.stopPeerSend, _ = o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
+				"siteId": expectedSite.SiteId,
+			}, 1*time.Second, 10)
 
 		} else {
 			// Existing peer - check if update is needed

olm/olm.go

@@ -2,14 +2,13 @@ package olm
 
 import (
 	"context"
-	"crypto/rand"
-	"encoding/hex"
 	"fmt"
 	"net"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/fosrl/newt/bind"
@@ -33,7 +32,7 @@ type Olm struct {
 	privateKey wgtypes.Key
 	logFile    *os.File
 
-	registered    bool
+	connected     bool
 	tunnelRunning bool
 
 	uapiListener net.Listener
@@ -67,10 +66,7 @@ type Olm struct {
 	stopRegister   func()
 	updateRegister func(newData any)
 
-	stopPeerSends  map[string]func()
-	stopPeerInits  map[string]func()
-	jitPendingSites map[int]string // siteId -> chainId for in-flight JIT requests
-	peerSendMu    sync.Mutex
+	stopPeerSend func()
 
 	// WaitGroup to track tunnel lifecycle
 	tunnelWg sync.WaitGroup
@@ -116,18 +112,11 @@ func (o *Olm) initTunnelInfo(clientID string) error {
 	logger.Info("Created shared UDP socket on port %d (refcount: %d)", sourcePort, sharedBind.GetRefCount())
 
 	// Create the holepunch manager
-	o.holePunchManager = holepunch.NewManager(sharedBind, clientID, "olm", privateKey.PublicKey().String(), o.tunnelConfig.PublicDNS)
+	o.holePunchManager = holepunch.NewManager(sharedBind, clientID, "olm", privateKey.PublicKey().String())
 
 	return nil
 }
 
-// generateChainId generates a random chain ID for tracking peer sender lifecycles.
-func generateChainId() string {
-	b := make([]byte, 8)
-	_, _ = rand.Read(b)
-	return hex.EncodeToString(b)
-}
-
 func Init(ctx context.Context, config OlmConfig) (*Olm, error) {
 	logger.GetLogger().SetLevel(util.ParseLogLevel(config.LogLevel))
 
@@ -178,13 +167,10 @@ func Init(ctx context.Context, config OlmConfig) (*Olm, error) {
 	apiServer.SetAgent(config.Agent)
 
 	newOlm := &Olm{
-		logFile:       logFile,
-		olmCtx:        ctx,
-		apiServer:     apiServer,
-		olmConfig:     config,
-		stopPeerSends:   make(map[string]func()),
-		stopPeerInits:   make(map[string]func()),
-		jitPendingSites: make(map[int]string),
+		logFile:   logFile,
+		olmCtx:    ctx,
+		apiServer: apiServer,
+		olmConfig: config,
 	}
 
 	newOlm.registerAPICallbacks()
@@ -237,7 +223,7 @@ func (o *Olm) registerAPICallbacks() {
 				tunnelConfig.MTU = 1420
 			}
 			if req.DNS == "" {
-				tunnelConfig.DNS = "8.8.8.8"
+				tunnelConfig.DNS = "9.9.9.9"
 			}
 			// DNSProxyIP has no default - it must be provided if DNS proxy is desired
 			// UpstreamDNS defaults to 8.8.8.8 if not provided
@@ -299,21 +285,6 @@ func (o *Olm) registerAPICallbacks() {
 			logger.Info("Processing power mode change request via API: mode=%s", req.Mode)
 			return o.SetPowerMode(req.Mode)
 		},
-		func(req api.JITConnectionRequest) error {
-			logger.Info("Processing JIT connect request via API: site=%s resource=%s", req.Site, req.Resource)
-
-			chainId := generateChainId()
-			o.peerSendMu.Lock()
-			stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/init", map[string]interface{}{
-				"siteId":     req.Site,
-				"resourceId": req.Resource,
-				"chainId":    chainId,
-			}, 2*time.Second, 10)
-			o.stopPeerInits[chainId] = stopFunc
-			o.peerSendMu.Unlock()
-
-			return nil
-		},
 	)
 }
 
@@ -322,23 +293,16 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 		logger.Info("Tunnel already running")
 		return
 	}
-
+	
 	// debug print out the whole config
 	logger.Debug("Starting tunnel with config: %+v", config)
 
 	o.tunnelRunning = true // Also set it here in case it is called externally
 	o.tunnelConfig = config
 
-	// TODO: we are hardcoding this for now but we should really pull it from the current config of the system
-	if o.tunnelConfig.DNS != "" {
-		o.tunnelConfig.PublicDNS = []string{o.tunnelConfig.DNS + ":53"}
-	} else {
-		o.tunnelConfig.PublicDNS = []string{"8.8.8.8:53"}
-	}
-
 	// Reset terminated status when tunnel starts
 	o.apiServer.SetTerminated(false)
-
+	
 	fingerprint := config.InitialFingerprint
 	if fingerprint == nil {
 		fingerprint = make(map[string]any)
@@ -350,7 +314,7 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 	}
 
 	o.SetFingerprint(fingerprint)
-	o.SetPostures(postures)
+	o.SetPostures(postures)	
 
 	// Create a cancellable context for this tunnel process
 	tunnelCtx, cancel := context.WithCancel(o.olmCtx)
@@ -375,6 +339,7 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 		config.OrgID,
 		config.Endpoint,
 		30*time.Second, // 30 seconds
+		config.PingTimeoutDuration,
 		websocket.WithPingDataProvider(func() map[string]any {
 			o.metaMu.Lock()
 			defer o.metaMu.Unlock()
@@ -414,7 +379,6 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 
 	// Handler for peer handshake - adds exit node to holepunch rotation and notifies server
 	o.websocket.RegisterHandler("olm/wg/peer/holepunch/site/add", o.handleWgPeerHolepunchAddSite)
-	o.websocket.RegisterHandler("olm/wg/peer/chain/cancel", o.handleCancelChain)
 	o.websocket.RegisterHandler("olm/sync", o.handleSync)
 
 	o.websocket.OnConnect(func() error {
@@ -422,10 +386,10 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 
 		o.apiServer.SetConnectionStatus(true)
 
-		if o.registered {
+		if o.connected {
 			o.websocket.StartPingMonitor()
-
-			logger.Debug("Already registered, skipping registration")
+			
+			logger.Debug("Already connected, skipping registration")
 			return nil
 		}
 
@@ -457,7 +421,7 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 				"userToken":   userToken,
 				"fingerprint": o.fingerprint,
 				"postures":    o.postures,
-			}, 2*time.Second, 10)
+			}, 1*time.Second, 10)
 
 			// Invoke onRegistered callback if configured
 			if o.olmConfig.OnRegistered != nil {
@@ -554,23 +518,6 @@ func (o *Olm) Close() {
 		o.stopRegister = nil
 	}
 
-	// Stop all pending peer init and send senders before closing websocket
-	o.peerSendMu.Lock()
-	for _, stop := range o.stopPeerInits {
-		if stop != nil {
-			stop()
-		}
-	}
-	o.stopPeerInits = make(map[string]func())
-	for _, stop := range o.stopPeerSends {
-		if stop != nil {
-			stop()
-		}
-	}
-	o.stopPeerSends = make(map[string]func())
-	o.jitPendingSites = make(map[int]string)
-	o.peerSendMu.Unlock()
-
 	// send a disconnect message to the cloud to show disconnected
 	if o.websocket != nil {
 		o.websocket.SendMessage("olm/disconnecting", map[string]any{})
@@ -629,7 +576,7 @@ func (o *Olm) Close() {
 		// If we never created a device from the FD, close it explicitly
 		// This can happen if tunnel is stopped during registration before handleConnect
 		logger.Debug("Closing unused TUN file descriptor %d", o.tunnelConfig.FileDescriptorTun)
-		if err := closeFD(o.tunnelConfig.FileDescriptorTun); err != nil {
+		if err := syscall.Close(int(o.tunnelConfig.FileDescriptorTun)); err != nil {
 			logger.Error("Failed to close TUN file descriptor: %v", err)
 		} else {
 			logger.Info("Closed unused TUN file descriptor")
@@ -668,7 +615,7 @@ func (o *Olm) StopTunnel() error {
 	}
 
 	// Reset the running state BEFORE cleanup to prevent callbacks from accessing nil pointers
-	o.registered = false
+	o.connected = false
 	o.tunnelRunning = false
 
 	// Cancel the tunnel context if it exists
@@ -792,6 +739,9 @@ func (o *Olm) SetPowerMode(mode string) error {
 
 		logger.Info("Switching to low power mode")
 
+		// Mark as disconnected so we re-register on reconnect
+		o.connected = false
+
 		// Update API server connection status
 		if o.apiServer != nil {
 			o.apiServer.SetConnectionStatus(false)

olm/olm_unix.go

@@ -1,10 +0,0 @@
-//go:build !windows
-
-package olm
-
-import "syscall"
-
-// closeFD closes a file descriptor in a platform-specific way
-func closeFD(fd uint32) error {
-	return syscall.Close(int(fd))
-}

olm/olm_windows.go

@@ -1,10 +0,0 @@
-//go:build windows
-
-package olm
-
-import "syscall"
-
-// closeFD closes a file descriptor in a platform-specific way
-func closeFD(fd uint32) error {
-	return syscall.Close(syscall.Handle(fd))
-}

olm/peer.go

@@ -20,9 +20,9 @@ func (o *Olm) handleWgPeerAdd(msg websocket.WSMessage) {
 		return
 	}
 
-	if o.peerManager == nil {
-		logger.Debug("Ignoring add-peer message: peerManager is nil (shutdown in progress)")
-		return
+	if o.stopPeerSend != nil {
+		o.stopPeerSend()
+		o.stopPeerSend = nil
 	}
 
 	jsonData, err := json.Marshal(msg.Data)
@@ -31,45 +31,20 @@ func (o *Olm) handleWgPeerAdd(msg websocket.WSMessage) {
 		return
 	}
 
-	var siteConfigMsg struct {
-		peers.SiteConfig
-		ChainId string `json:"chainId"`
-	}
-	if err := json.Unmarshal(jsonData, &siteConfigMsg); err != nil {
+	var siteConfig peers.SiteConfig
+	if err := json.Unmarshal(jsonData, &siteConfig); err != nil {
 		logger.Error("Error unmarshaling add data: %v", err)
 		return
 	}
 
-	if siteConfigMsg.ChainId != "" {
-		o.peerSendMu.Lock()
-		if stop, ok := o.stopPeerSends[siteConfigMsg.ChainId]; ok {
-			stop()
-			delete(o.stopPeerSends, siteConfigMsg.ChainId)
-		}
-		o.peerSendMu.Unlock()
-	} else {
-		// stop all of the stopPeerSends
-		o.peerSendMu.Lock()
-		for _, stop := range o.stopPeerSends {
-			stop()
-		}
-		o.stopPeerSends = make(map[string]func())
-		o.peerSendMu.Unlock()
-	}
-
-	if siteConfigMsg.PublicKey == "" {
-		logger.Warn("Skipping add-peer for site %d (%s): no public key available (site may not be connected)", siteConfigMsg.SiteId, siteConfigMsg.Name)
-		return
-	}
-
 	_ = o.holePunchManager.TriggerHolePunch() // Trigger immediate hole punch attempt so that if the peer decides to relay we have already punched close to when we need it
 
-	if err := o.peerManager.AddPeer(siteConfigMsg.SiteConfig); err != nil {
+	if err := o.peerManager.AddPeer(siteConfig); err != nil {
 		logger.Error("Failed to add peer: %v", err)
 		return
 	}
 
-	logger.Info("Successfully added peer for site %d", siteConfigMsg.SiteId)
+	logger.Info("Successfully added peer for site %d", siteConfig.SiteId)
 }
 
 func (o *Olm) handleWgPeerRemove(msg websocket.WSMessage) {
@@ -81,11 +56,6 @@ func (o *Olm) handleWgPeerRemove(msg websocket.WSMessage) {
 		return
 	}
 
-	if o.peerManager == nil {
-		logger.Debug("Ignoring remove-peer message: peerManager is nil (shutdown in progress)")
-		return
-	}
-
 	jsonData, err := json.Marshal(msg.Data)
 	if err != nil {
 		logger.Error("Error marshaling data: %v", err)
@@ -123,11 +93,6 @@ func (o *Olm) handleWgPeerUpdate(msg websocket.WSMessage) {
 		return
 	}
 
-	if o.peerManager == nil {
-		logger.Debug("Ignoring update-peer message: peerManager is nil (shutdown in progress)")
-		return
-	}
-
 	jsonData, err := json.Marshal(msg.Data)
 	if err != nil {
 		logger.Error("Error marshaling data: %v", err)
@@ -199,21 +164,13 @@ func (o *Olm) handleWgPeerRelay(msg websocket.WSMessage) {
 		return
 	}
 
-	var relayData struct {
-		peers.RelayPeerData
-		ChainId string `json:"chainId"`
-	}
+	var relayData peers.RelayPeerData
 	if err := json.Unmarshal(jsonData, &relayData); err != nil {
 		logger.Error("Error unmarshaling relay data: %v", err)
 		return
 	}
 
-	if monitor := o.peerManager.GetPeerMonitor(); monitor != nil {
-		monitor.CancelRelaySend(relayData.ChainId)
-	}
-
-	primaryRelay, err := util.ResolveDomainUpstream(relayData.RelayEndpoint, o.tunnelConfig.PublicDNS)
-
+	primaryRelay, err := util.ResolveDomain(relayData.RelayEndpoint)
 	if err != nil {
 		logger.Error("Failed to resolve primary relay endpoint: %v", err)
 		return
@@ -240,21 +197,13 @@ func (o *Olm) handleWgPeerUnrelay(msg websocket.WSMessage) {
 		return
 	}
 
-	var relayData struct {
-		peers.UnRelayPeerData
-		ChainId string `json:"chainId"`
-	}
+	var relayData peers.UnRelayPeerData
 	if err := json.Unmarshal(jsonData, &relayData); err != nil {
 		logger.Error("Error unmarshaling relay data: %v", err)
 		return
 	}
 
-	if monitor := o.peerManager.GetPeerMonitor(); monitor != nil {
-		monitor.CancelRelaySend(relayData.ChainId)
-	}
-
-	primaryRelay, err := util.ResolveDomainUpstream(relayData.Endpoint, o.tunnelConfig.PublicDNS)
-
+	primaryRelay, err := util.ResolveDomain(relayData.Endpoint)
 	if err != nil {
 		logger.Warn("Failed to resolve primary relay endpoint: %v", err)
 	}
@@ -281,8 +230,7 @@ func (o *Olm) handleWgPeerHolepunchAddSite(msg websocket.WSMessage) {
 	}
 
 	var handshakeData struct {
-		SiteId   int    `json:"siteId"`
-		ChainId  string `json:"chainId"`
+		SiteId   int `json:"siteId"`
 		ExitNode struct {
 			PublicKey string `json:"publicKey"`
 			Endpoint  string `json:"endpoint"`
@@ -295,27 +243,6 @@ func (o *Olm) handleWgPeerHolepunchAddSite(msg websocket.WSMessage) {
 		return
 	}
 
-	// Stop the peer init sender for this chain, if any
-	if handshakeData.ChainId != "" {
-		o.peerSendMu.Lock()
-		if stop, ok := o.stopPeerInits[handshakeData.ChainId]; ok {
-			stop()
-			delete(o.stopPeerInits, handshakeData.ChainId)
-		}
-		// If this chain was initiated by a DNS-triggered JIT request, clear the
-		// pending entry so the site can be re-triggered if needed in the future.
-		delete(o.jitPendingSites, handshakeData.SiteId)
-		o.peerSendMu.Unlock()
-	} else {
-		// Stop all of the stopPeerInits
-		o.peerSendMu.Lock()
-		for _, stop := range o.stopPeerInits {
-			stop()
-		}
-		o.stopPeerInits = make(map[string]func())
-		o.peerSendMu.Unlock()
-	}
-
 	// Get existing peer from PeerManager
 	_, exists := o.peerManager.GetPeer(handshakeData.SiteId)
 	if exists {
@@ -346,72 +273,10 @@ func (o *Olm) handleWgPeerHolepunchAddSite(msg websocket.WSMessage) {
 	o.holePunchManager.TriggerHolePunch()             // Trigger immediate hole punch attempt
 	o.holePunchManager.ResetServerHolepunchInterval() // start sending immediately again so we fill in the endpoint on the cloud
 
-	// Send handshake acknowledgment back to server with retry, keyed by chainId
-	chainId := handshakeData.ChainId
-	if chainId == "" {
-		chainId = generateChainId()
-	}
-	o.peerSendMu.Lock()
-	stopFunc, _ := o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
-		"siteId":  handshakeData.SiteId,
-		"chainId": chainId,
-	}, 2*time.Second, 10)
-	o.stopPeerSends[chainId] = stopFunc
-	o.peerSendMu.Unlock()
+	// Send handshake acknowledgment back to server with retry
+	o.stopPeerSend, _ = o.websocket.SendMessageInterval("olm/wg/server/peer/add", map[string]interface{}{
+		"siteId": handshakeData.SiteId,
+	}, 1*time.Second, 10)
 
 	logger.Info("Initiated handshake for site %d with exit node %s", handshakeData.SiteId, handshakeData.ExitNode.Endpoint)
 }
-
-func (o *Olm) handleCancelChain(msg websocket.WSMessage) {
-	logger.Debug("Received cancel-chain message: %v", msg.Data)
-
-	jsonData, err := json.Marshal(msg.Data)
-	if err != nil {
-		logger.Error("Error marshaling cancel-chain data: %v", err)
-		return
-	}
-
-	var cancelData struct {
-		ChainId string `json:"chainId"`
-	}
-	if err := json.Unmarshal(jsonData, &cancelData); err != nil {
-		logger.Error("Error unmarshaling cancel-chain data: %v", err)
-		return
-	}
-
-	if cancelData.ChainId == "" {
-		logger.Warn("Received cancel-chain message with no chainId")
-		return
-	}
-
-	o.peerSendMu.Lock()
-	defer o.peerSendMu.Unlock()
-
-	found := false
-
-	if stop, ok := o.stopPeerInits[cancelData.ChainId]; ok {
-		stop()
-		delete(o.stopPeerInits, cancelData.ChainId)
-		found = true
-	}
-	// If this chain was a DNS-triggered JIT request, clear the pending entry so
-	// the site can be re-triggered on the next DNS lookup.
-	for siteId, chainId := range o.jitPendingSites {
-		if chainId == cancelData.ChainId {
-			delete(o.jitPendingSites, siteId)
-			break
-		}
-	}
-
-	if stop, ok := o.stopPeerSends[cancelData.ChainId]; ok {
-		stop()
-		delete(o.stopPeerSends, cancelData.ChainId)
-		found = true
-	}
-
-	if found {
-		logger.Info("Cancelled chain %s", cancelData.ChainId)
-	} else {
-		logger.Warn("Cancel-chain: no active sender found for chain %s", cancelData.ChainId)
-	}
-}

olm/types.go

@@ -61,7 +61,6 @@ type TunnelConfig struct {
 	MTU           int
 	DNS           string
 	UpstreamDNS   []string
-	PublicDNS   []string
 	InterfaceName string
 
 	// Advanced

peers/manager.go

@@ -32,8 +32,7 @@ type PeerManagerConfig struct {
 	SharedBind *bind.SharedBind
 	// WSClient is optional - if nil, relay messages won't be sent
 	WSClient  *websocket.Client
-	APIServer   *api.API
-	PublicDNS []string
+	APIServer *api.API
 }
 
 type PeerManager struct {
@@ -51,8 +50,7 @@ type PeerManager struct {
 	// key is the CIDR string, value is a set of siteIds that want this IP
 	allowedIPClaims map[string]map[int]bool
 	APIServer       *api.API
-	publicDNS     []string
-
+	
 	PersistentKeepalive int
 }
 
@@ -67,7 +65,6 @@ func NewPeerManager(config PeerManagerConfig) *PeerManager {
 		allowedIPOwners: make(map[string]int),
 		allowedIPClaims: make(map[string]map[int]bool),
 		APIServer:       config.APIServer,
-		publicDNS:     config.PublicDNS,
 	}
 
 	// Create the peer monitor
@@ -77,7 +74,6 @@ func NewPeerManager(config PeerManagerConfig) *PeerManager {
 		config.LocalIP,
 		config.SharedBind,
 		config.APIServer,
-		config.PublicDNS,
 	)
 
 	return pm
@@ -110,19 +106,6 @@ func (pm *PeerManager) GetAllPeers() []SiteConfig {
 func (pm *PeerManager) AddPeer(siteConfig SiteConfig) error {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
-	
-	for _, alias := range siteConfig.Aliases {
-		address := net.ParseIP(alias.AliasAddress)
-		if address == nil {
-			continue
-		}
-		pm.dnsProxy.AddDNSRecord(alias.Alias, address, siteConfig.SiteId)
-	}
-	
-	if siteConfig.PublicKey == "" {
-		logger.Debug("Skip adding site %d because no pub key", siteConfig.SiteId)
-		return nil
-	}
 
 	// build the allowed IPs list from the remote subnets and aliases and add them to the peer
 	allowedIPs := make([]string, 0, len(siteConfig.RemoteSubnets)+len(siteConfig.Aliases))
@@ -146,7 +129,7 @@ func (pm *PeerManager) AddPeer(siteConfig SiteConfig) error {
 	wgConfig := siteConfig
 	wgConfig.AllowedIps = ownedIPs
 
-	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
+	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive); err != nil {
 		return err
 	}
 
@@ -156,7 +139,14 @@ func (pm *PeerManager) AddPeer(siteConfig SiteConfig) error {
 	if err := network.AddRoutes(siteConfig.RemoteSubnets, pm.interfaceName); err != nil {
 		logger.Error("Failed to add routes for remote subnets: %v", err)
 	}
-	
+	for _, alias := range siteConfig.Aliases {
+		address := net.ParseIP(alias.AliasAddress)
+		if address == nil {
+			continue
+		}
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
+	}
+
 	monitorAddress := strings.Split(siteConfig.ServerIP, "/")[0]
 	monitorPeer := net.JoinHostPort(monitorAddress, strconv.Itoa(int(siteConfig.ServerPort+1))) // +1 for the monitor port
 
@@ -280,7 +270,7 @@ func (pm *PeerManager) RemovePeer(siteId int) error {
 			ownedIPs := pm.getOwnedAllowedIPs(promotedPeerId)
 			wgConfig := promotedPeer
 			wgConfig.AllowedIps = ownedIPs
-			if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
+			if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive); err != nil {
 				logger.Error("Failed to update promoted peer %d: %v", promotedPeerId, err)
 			}
 		}
@@ -356,7 +346,7 @@ func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig) error {
 	wgConfig := siteConfig
 	wgConfig.AllowedIps = ownedIPs
 
-	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
+	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive); err != nil {
 		return err
 	}
 
@@ -366,7 +356,7 @@ func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig) error {
 			promotedOwnedIPs := pm.getOwnedAllowedIPs(promotedPeerId)
 			promotedWgConfig := promotedPeer
 			promotedWgConfig.AllowedIps = promotedOwnedIPs
-			if err := ConfigurePeer(pm.device, promotedWgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
+			if err := ConfigurePeer(pm.device, promotedWgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive); err != nil {
 				logger.Error("Failed to update promoted peer %d: %v", promotedPeerId, err)
 			}
 		}
@@ -443,7 +433,7 @@ func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig) error {
 		if address == nil {
 			continue
 		}
-		pm.dnsProxy.AddDNSRecord(alias.Alias, address, siteConfig.SiteId)
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
 	}
 
 	pm.peerMonitor.UpdateHolepunchEndpoint(siteConfig.SiteId, siteConfig.Endpoint)
@@ -723,7 +713,7 @@ func (pm *PeerManager) AddAlias(siteId int, alias Alias) error {
 
 	address := net.ParseIP(alias.AliasAddress)
 	if address != nil {
-		pm.dnsProxy.AddDNSRecord(alias.Alias, address, siteId)
+		pm.dnsProxy.AddDNSRecord(alias.Alias, address)
 	}
 
 	// Add an allowed IP for the alias

peers/monitor/monitor.go

@@ -2,8 +2,6 @@ package monitor
 
 import (
 	"context"
-	"crypto/rand"
-	"encoding/hex"
 	"fmt"
 	"net"
 	"net/netip"
@@ -33,14 +31,9 @@ type PeerMonitor struct {
 	monitors    map[int]*Client
 	mutex       sync.Mutex
 	running     bool
-	timeout     time.Duration
+	timeout         time.Duration
 	maxAttempts int
 	wsClient    *websocket.Client
-	publicDNS []string
-
-	// Relay sender tracking
-	relaySends  map[string]func()
-	relaySendMu sync.Mutex
 
 	// Netstack fields
 	middleDev   *middleDevice.MiddleDevice
@@ -54,13 +47,13 @@ type PeerMonitor struct {
 	nsWg        sync.WaitGroup
 
 	// Holepunch testing fields
-	sharedBind          *bind.SharedBind
-	holepunchTester     *holepunch.HolepunchTester
-	holepunchTimeout    time.Duration
-	holepunchEndpoints  map[int]string // siteID -> endpoint for holepunch testing
-	holepunchStatus     map[int]bool   // siteID -> connected status
-	holepunchStopChan   chan struct{}
-	holepunchUpdateChan chan struct{}
+	sharedBind         *bind.SharedBind
+	holepunchTester    *holepunch.HolepunchTester
+	holepunchTimeout   time.Duration
+	holepunchEndpoints map[int]string // siteID -> endpoint for holepunch testing
+	holepunchStatus    map[int]bool   // siteID -> connected status
+	holepunchStopChan    chan struct{}
+	holepunchUpdateChan  chan struct{}
 
 	// Relay tracking fields
 	relayedPeers         map[int]bool // siteID -> whether the peer is currently relayed
@@ -89,13 +82,7 @@ type PeerMonitor struct {
 }
 
 // NewPeerMonitor creates a new peer monitor with the given callback
-func generateChainId() string {
-	b := make([]byte, 8)
-	_, _ = rand.Read(b)
-	return hex.EncodeToString(b)
-}
-
-func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDevice, localIP string, sharedBind *bind.SharedBind, apiServer *api.API, publicDNS []string) *PeerMonitor {
+func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDevice, localIP string, sharedBind *bind.SharedBind, apiServer *api.API) *PeerMonitor {
 	ctx, cancel := context.WithCancel(context.Background())
 	pm := &PeerMonitor{
 		monitors:             make(map[int]*Client),
@@ -104,7 +91,6 @@ func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDe
 		wsClient:             wsClient,
 		middleDev:            middleDev,
 		localIP:              localIP,
-		publicDNS:          publicDNS,
 		activePorts:          make(map[uint16]bool),
 		nsCtx:                ctx,
 		nsCancel:             cancel,
@@ -113,7 +99,6 @@ func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDe
 		holepunchEndpoints:   make(map[int]string),
 		holepunchStatus:      make(map[int]bool),
 		relayedPeers:         make(map[int]bool),
-		relaySends:           make(map[string]func()),
 		holepunchMaxAttempts: 3, // Trigger relay after 3 consecutive failures
 		holepunchFailures:    make(map[int]int),
 		// Rapid initial test settings: complete within ~1.5 seconds
@@ -139,7 +124,7 @@ func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDe
 
 	// Initialize holepunch tester if sharedBind is available
 	if sharedBind != nil {
-		pm.holepunchTester = holepunch.NewHolepunchTester(sharedBind, publicDNS)
+		pm.holepunchTester = holepunch.NewHolepunchTester(sharedBind)
 	}
 
 	return pm
@@ -411,23 +396,20 @@ func (pm *PeerMonitor) handleConnectionStatusChange(siteID int, status Connectio
 	}
 }
 
-// sendRelay sends a relay message to the server with retry, keyed by chainId
+// sendRelay sends a relay message to the server
 func (pm *PeerMonitor) sendRelay(siteID int) error {
 	if pm.wsClient == nil {
 		return fmt.Errorf("websocket client is nil")
 	}
 
-	chainId := generateChainId()
-	stopFunc, _ := pm.wsClient.SendMessageInterval("olm/wg/relay", map[string]interface{}{
-		"siteId":  siteID,
-		"chainId": chainId,
-	}, 2*time.Second, 10)
-
-	pm.relaySendMu.Lock()
-	pm.relaySends[chainId] = stopFunc
-	pm.relaySendMu.Unlock()
-
-	logger.Info("Sent relay message for site %d (chain %s)", siteID, chainId)
+	err := pm.wsClient.SendMessage("olm/wg/relay", map[string]interface{}{
+		"siteId": siteID,
+	})
+	if err != nil {
+		logger.Error("Failed to send registration message: %v", err)
+		return err
+	}
+	logger.Info("Sent relay message")
 	return nil
 }
 
@@ -437,52 +419,23 @@ func (pm *PeerMonitor) RequestRelay(siteID int) error {
 	return pm.sendRelay(siteID)
 }
 
-// sendUnRelay sends an unrelay message to the server with retry, keyed by chainId
+// sendUnRelay sends an unrelay message to the server
 func (pm *PeerMonitor) sendUnRelay(siteID int) error {
 	if pm.wsClient == nil {
 		return fmt.Errorf("websocket client is nil")
 	}
 
-	chainId := generateChainId()
-	stopFunc, _ := pm.wsClient.SendMessageInterval("olm/wg/unrelay", map[string]interface{}{
-		"siteId":  siteID,
-		"chainId": chainId,
-	}, 2*time.Second, 10)
-
-	pm.relaySendMu.Lock()
-	pm.relaySends[chainId] = stopFunc
-	pm.relaySendMu.Unlock()
-
-	logger.Info("Sent unrelay message for site %d (chain %s)", siteID, chainId)
+	err := pm.wsClient.SendMessage("olm/wg/unrelay", map[string]interface{}{
+		"siteId": siteID,
+	})
+	if err != nil {
+		logger.Error("Failed to send registration message: %v", err)
+		return err
+	}
+	logger.Info("Sent unrelay message")
 	return nil
 }
 
-// CancelRelaySend stops the interval sender for the given chainId, if one exists.
-// If chainId is empty, all active relay senders are stopped.
-func (pm *PeerMonitor) CancelRelaySend(chainId string) {
-	pm.relaySendMu.Lock()
-	defer pm.relaySendMu.Unlock()
-
-	if chainId == "" {
-		for id, stop := range pm.relaySends {
-			if stop != nil {
-				stop()
-			}
-			delete(pm.relaySends, id)
-		}
-		logger.Info("Cancelled all relay senders")
-		return
-	}
-
-	if stop, ok := pm.relaySends[chainId]; ok {
-		stop()
-		delete(pm.relaySends, chainId)
-		logger.Info("Cancelled relay sender for chain %s", chainId)
-	} else {
-		logger.Warn("CancelRelaySend: no active sender for chain %s", chainId)
-	}
-}
-
 // Stop stops monitoring all peers
 func (pm *PeerMonitor) Stop() {
 	// Stop holepunch monitor first (outside of mutex to avoid deadlock)
@@ -581,7 +534,7 @@ func (pm *PeerMonitor) runHolepunchMonitor() {
 			pm.holepunchCurrentInterval = pm.holepunchMinInterval
 			currentInterval := pm.holepunchCurrentInterval
 			pm.mutex.Unlock()
-
+			
 			timer.Reset(currentInterval)
 			logger.Debug("Holepunch monitor interval updated, reset to %v", currentInterval)
 		case <-timer.C:
@@ -724,16 +677,6 @@ func (pm *PeerMonitor) Close() {
 	// Stop holepunch monitor first (outside of mutex to avoid deadlock)
 	pm.stopHolepunchMonitor()
 
-	// Stop all pending relay senders
-	pm.relaySendMu.Lock()
-	for chainId, stop := range pm.relaySends {
-		if stop != nil {
-			stop()
-		}
-		delete(pm.relaySends, chainId)
-	}
-	pm.relaySendMu.Unlock()
-
 	pm.mutex.Lock()
 	defer pm.mutex.Unlock()
 

peers/peer.go

@@ -11,14 +11,14 @@ import (
 )
 
 // ConfigurePeer sets up or updates a peer within the WireGuard device
-func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, relay bool, persistentKeepalive int, publicDNS []string) error {
+func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, relay bool, persistentKeepalive int) error {
 	var endpoint string
 	if relay && siteConfig.RelayEndpoint != "" {
 		endpoint = formatEndpoint(siteConfig.RelayEndpoint)
 	} else {
 		endpoint = formatEndpoint(siteConfig.Endpoint)
 	}
-	siteHost, err := util.ResolveDomainUpstream(endpoint, publicDNS)
+	siteHost, err := util.ResolveDomain(endpoint)
 	if err != nil {
 		return fmt.Errorf("failed to resolve endpoint for site %d: %v", siteConfig.SiteId, err)
 	}

websocket/client.go

@@ -2,7 +2,6 @@ package websocket
 
 import (
 	"bytes"
-	"compress/gzip"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
@@ -83,6 +82,7 @@ type Client struct {
 	isDisconnected    bool // Flag to track if client is intentionally disconnected
 	reconnectMux      sync.RWMutex
 	pingInterval      time.Duration
+	pingTimeout       time.Duration
 	onConnect         func() error
 	onTokenUpdate     func(token string, exitNodes []ExitNode)
 	onAuthError       func(statusCode int, message string) // Callback for auth errors
@@ -158,7 +158,7 @@ func (c *Client) OnAuthError(callback func(statusCode int, message string)) {
 }
 
 // NewClient creates a new websocket client
-func NewClient(ID, secret, userToken, orgId, endpoint string, pingInterval time.Duration, opts ...ClientOption) (*Client, error) {
+func NewClient(ID, secret, userToken, orgId, endpoint string, pingInterval time.Duration, pingTimeout time.Duration, opts ...ClientOption) (*Client, error) {
 	config := &Config{
 		ID:        ID,
 		Secret:    secret,
@@ -175,6 +175,7 @@ func NewClient(ID, secret, userToken, orgId, endpoint string, pingInterval time.
 		reconnectInterval: 3 * time.Second,
 		isConnected:       false,
 		pingInterval:      pingInterval,
+		pingTimeout:       pingTimeout,
 		clientType:        "olm",
 		pingDone:          make(chan struct{}),
 	}
@@ -387,7 +388,6 @@ func (c *Client) getToken() (string, []ExitNode, error) {
 	tokenData := map[string]interface{}{
 		"olmId":  c.config.ID,
 		"secret": c.config.Secret,
-		"userToken": c.config.UserToken,
 		"orgId":  c.config.OrgID,
 	}
 	jsonData, err := json.Marshal(tokenData)
@@ -802,7 +802,8 @@ func (c *Client) readPumpWithDisconnectDetection() {
 		case <-c.done:
 			return
 		default:
-			messageType, p, err := c.conn.ReadMessage()
+			var msg WSMessage
+			err := c.conn.ReadJSON(&msg)
 			if err != nil {
 				// Check if we're shutting down or explicitly disconnected before logging error
 				select {
@@ -827,30 +828,6 @@ func (c *Client) readPumpWithDisconnectDetection() {
 				}
 			}
 
-			// Decompress binary frames (gzip-compressed JSON)
-			var data []byte
-			if messageType == websocket.BinaryMessage {
-				gr, gzErr := gzip.NewReader(bytes.NewReader(p))
-				if gzErr != nil {
-					logger.Error("websocket: failed to create gzip reader: %v", gzErr)
-					continue
-				}
-				data, gzErr = io.ReadAll(gr)
-				gr.Close()
-				if gzErr != nil {
-					logger.Error("websocket: failed to decompress message: %v", gzErr)
-					continue
-				}
-			} else {
-				data = p
-			}
-
-			var msg WSMessage
-			if err = json.Unmarshal(data, &msg); err != nil {
-				logger.Error("websocket: failed to parse message: %v", err)
-				continue
-			}
-
 			// Update config version from incoming message
 			c.setConfigVersion(msg.ConfigVersion)