7 files changed, 729 insertions, 564 deletions
diff --git a/feature/taildrop/ext.go b/feature/taildrop/ext.go
index aee825ee7..1b4494699 100644
--- a/feature/taildrop/ext.go
+++ b/feature/taildrop/ext.go
@@ -73,6 +73,9 @@ type Extension struct {
 	// *.partial file to its final name on completion.
 	directFileRoot string
 
+	// FileOps abstracts platform-specific file operations needed for file transfers.
+	FileOps FileOps
+
 	nodeBackendForTest ipnext.NodeBackend // if non-nil, pretend we're this node state for tests
 
 	mu             sync.Mutex // Lock order: lb.mu > e.mu
@@ -85,6 +88,30 @@ type Extension struct {
 	outgoingFiles map[string]*ipn.OutgoingFile
 }
 
+// safDirectoryPrefix is used to determine if the directory is managed via SAF.
+const SafDirectoryPrefix = "content://"
+
+// PutMode controls how Manager.PutFile writes files to storage.
+//
+//	PutModeDirect    – write files directly to a filesystem path (default).
+//	PutModeAndroidSAF – use Android’s Storage Access Framework (SAF), where
+//	                      the OS manages the underlying directory permissions.
+type PutMode int
+
+const (
+	PutModeDirect PutMode = iota
+	PutModeAndroidSAF
+)
+
+// FileOps defines platform-specific file operations.
+type FileOps interface {
+	OpenFileWriter(filename string) (io.WriteCloser, string, error)
+
+	// RenamePartialFile finalizes a partial file.
+	// It returns the new SAF URI as a string and an error.
+	RenamePartialFile(partialUri, targetDirUri, targetName string) (string, error)
+}
+
 func (e *Extension) Name() string {
 	return "taildrop"
 }
@@ -149,12 +176,18 @@ func (e *Extension) onChangeProfile(profile ipn.LoginProfileView, _ ipn.PrefsVie
 	if fileRoot == "" {
 		e.logf("no Taildrop directory configured")
 	}
+	mode := PutModeDirect
+	if e.directFileRoot != "" && strings.HasPrefix(fileRoot, SafDirectoryPrefix) {
+		mode = PutModeAndroidSAF
+	}
 	e.setMgrLocked(managerOptions{
 		Logf:           e.logf,
 		Clock:          tstime.DefaultClock{Clock: e.sb.Clock()},
 		State:          e.stateStore,
 		Dir:            fileRoot,
 		DirectFileMode: isDirectFileMode,
+		FileOps:        e.FileOps,
+		Mode:           mode,
 		SendFileNotify: e.sendFileNotify,
 	}.New())
 }
diff --git a/feature/taildrop/paths.go b/feature/taildrop/paths.go
index 1129fbcfa..22d01160c 100644
--- a/feature/taildrop/paths.go
+++ b/feature/taildrop/paths.go
@@ -18,6 +18,12 @@ func (e *Extension) SetDirectFileRoot(root string) {
 	e.directFileRoot = root
 }
 
+// SetFileOps sets the platform specific file operations. This is used
+// to call Android's Storage Access Framework APIs.
+func (e *Extension) SetFileOps(fileOps FileOps) {
+	e.FileOps = fileOps
+}
+
 func (e *Extension) setPlatformDefaultDirectFileRoot() {
 	dg := distro.Get()
 
diff --git a/feature/taildrop/send.go b/feature/taildrop/send.go
index 98c3934bb..d2f061b44 100644
--- a/feature/taildrop/send.go
+++ b/feature/taildrop/send.go
@@ -5,7 +5,7 @@ package taildrop
 
 import (
 	"crypto/sha256"
-	"errors"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -82,126 +82,212 @@ func (m *manager) PutFile(id clientID, baseName string, r io.Reader, offset, len
 	case distro.Get() == distro.Unraid && !m.opts.DirectFileMode:
 		return 0, ErrNotAccessible
 	}
-	dstPath, err := joinDir(m.opts.Dir, baseName)
-	if err != nil {
-		return 0, err
-	}
 
-	redactAndLogError := func(action string, err error) error {
-		err = redactError(err)
-		m.opts.Logf("put %v error: %v", action, err)
-		return err
+	//Compute dstPath & avoid mid‑upload deletion
+	var dstPath string
+	if m.opts.Mode == PutModeDirect {
+		var err error
+		dstPath, err = joinDir(m.opts.Dir, baseName)
+		if err != nil {
+			return 0, err
+		}
+	} else {
+		// In SAF mode, we simply use the baseName as the destination "path"
+		// (the actual directory is managed by SAF).
+		dstPath = baseName
 	}
+	m.deleter.Remove(filepath.Base(dstPath)) // avoid deleting the partial file while receiving
 
 	// Check whether there is an in-progress transfer for the file.
-	partialPath := dstPath + id.partialSuffix()
-	inFileKey := incomingFileKey{id, baseName}
-	inFile, loaded := m.incomingFiles.LoadOrInit(inFileKey, func() *incomingFile {
-		inFile := &incomingFile{
+	partialFileKey := incomingFileKey{id, baseName}
+	inFile, loaded := m.incomingFiles.LoadOrInit(partialFileKey, func() *incomingFile {
+		return &incomingFile{
 			clock:          m.opts.Clock,
 			started:        m.opts.Clock.Now(),
 			size:           length,
 			sendFileNotify: m.opts.SendFileNotify,
 		}
-		if m.opts.DirectFileMode {
-			inFile.partialPath = partialPath
-			inFile.finalPath = dstPath
-		}
-		return inFile
 	})
 	if loaded {
 		return 0, ErrFileExists
 	}
-	defer m.incomingFiles.Delete(inFileKey)
-	m.deleter.Remove(filepath.Base(partialPath)) // avoid deleting the partial file while receiving
+	defer m.incomingFiles.Delete(partialFileKey)
 
-	// Create (if not already) the partial file with read-write permissions.
-	f, err := os.OpenFile(partialPath, os.O_CREATE|os.O_RDWR, 0666)
+	// Open writer & populate inFile paths
+	wc, partialPath, err := m.openWriterAndPaths(id, m.opts.Mode, inFile, baseName, dstPath, offset)
 	if err != nil {
-		return 0, redactAndLogError("Create", err)
+		return 0, m.redactAndLogError("Create", err)
 	}
 	defer func() {
-		f.Close() // best-effort to cleanup dangling file handles
+		wc.Close()
 		if err != nil {
 			m.deleter.Insert(filepath.Base(partialPath)) // mark partial file for eventual deletion
 		}
 	}()
-	inFile.w = f
 
 	// Record that we have started to receive at least one file.
 	// This is used by the deleter upon a cold-start to scan the directory
 	// for any files that need to be deleted.
-	if m.opts.State != nil {
-		if b, _ := m.opts.State.ReadState(ipn.TaildropReceivedKey); len(b) == 0 {
-			if err := m.opts.State.WriteState(ipn.TaildropReceivedKey, []byte{1}); err != nil {
-				m.opts.Logf("WriteState error: %v", err) // non-fatal error
+	if st := m.opts.State; st != nil {
+		if b, _ := st.ReadState(ipn.TaildropReceivedKey); len(b) == 0 {
+			if werr := st.WriteState(ipn.TaildropReceivedKey, []byte{1}); werr != nil {
+				m.opts.Logf("WriteState error: %v", werr) // non-fatal error
 			}
 		}
 	}
 
-	// A positive offset implies that we are resuming an existing file.
-	// Seek to the appropriate offset and truncate the file.
-	if offset != 0 {
-		currLength, err := f.Seek(0, io.SeekEnd)
-		if err != nil {
-			return 0, redactAndLogError("Seek", err)
-		}
-		if offset < 0 || offset > currLength {
-			return 0, redactAndLogError("Seek", err)
-		}
-		if _, err := f.Seek(offset, io.SeekStart); err != nil {
-			return 0, redactAndLogError("Seek", err)
-		}
-		if err := f.Truncate(offset); err != nil {
-			return 0, redactAndLogError("Truncate", err)
-		}
-	}
-
-	// Copy the contents of the file.
-	copyLength, err := io.Copy(inFile, r)
+	// Copy the contents of the file to the writer.
+	copyLength, err := io.Copy(wc, r)
 	if err != nil {
-		return 0, redactAndLogError("Copy", err)
+		return 0, m.redactAndLogError("Copy", err)
 	}
 	if length >= 0 && copyLength != length {
-		return 0, redactAndLogError("Copy", errors.New("copied an unexpected number of bytes"))
+		return 0, m.redactAndLogError("Copy", fmt.Errorf("copied %d bytes; expected %d", copyLength, length))
 	}
-	if err := f.Close(); err != nil {
-		return 0, redactAndLogError("Close", err)
+	if err := wc.Close(); err != nil {
+		return 0, m.redactAndLogError("Close", err)
 	}
+
 	fileLength := offset + copyLength
 
 	inFile.mu.Lock()
 	inFile.done = true
 	inFile.mu.Unlock()
 
-	// File has been successfully received, rename the partial file
-	// to the final destination filename. If a file of that name already exists,
-	// then try multiple times with variations of the filename.
-	computePartialSum := sync.OnceValues(func() ([sha256.Size]byte, error) {
-		return sha256File(partialPath)
-	})
-	maxRetries := 10
-	for ; maxRetries > 0; maxRetries-- {
+	// Finalize rename
+	switch m.opts.Mode {
+	case PutModeDirect:
+		var finalDst string
+		finalDst, err = m.finalizeDirect(inFile, partialPath, dstPath, fileLength)
+		if err != nil {
+			return 0, m.redactAndLogError("Rename", err)
+		}
+		inFile.finalPath = finalDst
+
+	case PutModeAndroidSAF:
+		if err = m.finalizeSAF(partialPath, baseName); err != nil {
+			return 0, m.redactAndLogError("Rename", err)
+		}
+	}
+
+	m.totalReceived.Add(1)
+	m.opts.SendFileNotify()
+	return fileLength, nil
+}
+
+// openWriterAndPaths opens the correct writer, seeks/truncates if needed,
+// and sets inFile.partialPath & inFile.finalPath for later cleanup/rename.
+func (m *manager) openWriterAndPaths(
+	id clientID,
+	mode PutMode,
+	inFile *incomingFile,
+	baseName string,
+	dstPath string,
+	offset int64,
+) (wc io.WriteCloser, partialPath string, err error) {
+	switch mode {
+
+	case PutModeDirect:
+		partialPath = dstPath + id.partialSuffix()
+		f, err := os.OpenFile(partialPath, os.O_CREATE|os.O_RDWR, 0o666)
+		if err != nil {
+			return nil, "", m.redactAndLogError("Create", err)
+		}
+		if offset != 0 {
+			curr, err := f.Seek(0, io.SeekEnd)
+			if err != nil {
+				f.Close()
+				return nil, "", m.redactAndLogError("Seek", err)
+			}
+			if offset < 0 || offset > curr {
+				f.Close()
+				return nil, "", m.redactAndLogError("Seek", fmt.Errorf("offset %d out of range", offset))
+			}
+			if _, err := f.Seek(offset, io.SeekStart); err != nil {
+				f.Close()
+				return nil, "", m.redactAndLogError("Seek", err)
+			}
+			if err := f.Truncate(offset); err != nil {
+				f.Close()
+				return nil, "", m.redactAndLogError("Truncate", err)
+			}
+		}
+		wc = f
+		inFile.partialPath = partialPath
+		inFile.finalPath = dstPath
+		return wc, partialPath, nil
+
+	case PutModeAndroidSAF:
+		if m.opts.FileOps == nil {
+			return nil, "", m.redactAndLogError("Create (SAF)", fmt.Errorf("missing FileOps"))
+		}
+		writer, uri, err := m.opts.FileOps.OpenFileWriter(baseName)
+		if err != nil {
+			return nil, "", m.redactAndLogError("Create (SAF)", fmt.Errorf("failed to open file for writing via SAF"))
+		}
+		if writer == nil || uri == "" {
+			return nil, "", fmt.Errorf("invalid SAF writer or URI")
+		}
+		// SAF mode does not support resuming, so enforce offset == 0.
+		if offset != 0 {
+			writer.Close()
+			return nil, "", m.redactAndLogError("Seek", fmt.Errorf("resuming is not supported in SAF mode"))
+		}
+		wc = writer
+		partialPath = uri
+		inFile.partialPath = uri
+		inFile.finalPath = baseName
+		return wc, partialPath, nil
+
+	default:
+		return nil, "", fmt.Errorf("unsupported PutMode: %v", mode)
+	}
+}
+
+// finalizeDirect atomically renames or dedups the partial file, retrying
+// under new names up to 10 times. It returns the final path that succeeded.
+func (m *manager) finalizeDirect(
+	inFile *incomingFile,
+	partialPath string,
+	initialDst string,
+	fileLength int64,
+) (string, error) {
+	var (
+		once       sync.Once
+		cachedSum  [sha256.Size]byte
+		cacheErr   error
+		computeSum = func() ([sha256.Size]byte, error) {
+			once.Do(func() { cachedSum, cacheErr = sha256File(partialPath) })
+			return cachedSum, cacheErr
+		}
+	)
+
+	dstPath := initialDst
+	const maxRetries = 10
+	for i := 0; i < maxRetries; i++ {
 		// Atomically rename the partial file as the destination file if it doesn't exist.
 		// Otherwise, it returns the length of the current destination file.
 		// The operation is atomic.
-		dstLength, err := func() (int64, error) {
+		lengthOnDisk, err := func() (int64, error) {
 			m.renameMu.Lock()
 			defer m.renameMu.Unlock()
-			switch fi, err := os.Stat(dstPath); {
-			case os.IsNotExist(err):
+			fi, statErr := os.Stat(dstPath)
+			if os.IsNotExist(statErr) {
+				// dst missing → rename partial into place
 				return -1, os.Rename(partialPath, dstPath)
-			case err != nil:
-				return -1, err
-			default:
-				return fi.Size(), nil
 			}
+			if statErr != nil {
+				return -1, statErr
+			}
+			return fi.Size(), nil
 		}()
 		if err != nil {
-			return 0, redactAndLogError("Rename", err)
+			return "", err
 		}
-		if dstLength < 0 {
-			break // we successfully renamed; so stop
+		if lengthOnDisk < 0 {
+			// successfully moved
+			inFile.finalPath = dstPath
+			return dstPath, nil
 		}
 
 		// Avoid the final rename if a destination file has the same contents.
@@ -209,33 +295,59 @@ func (m *manager) PutFile(id clientID, baseName string, r io.Reader, offset, len
 		// Note: this is best effort and copying files from iOS from the Media Library
 		// results in processing on the iOS side which means the size and shas of the
 		// same file can be different.
-		if dstLength == fileLength {
-			partialSum, err := computePartialSum()
+		if lengthOnDisk == fileLength {
+			partSum, err := computeSum()
 			if err != nil {
-				return 0, redactAndLogError("Rename", err)
+				return "", err
 			}
 			dstSum, err := sha256File(dstPath)
 			if err != nil {
-				return 0, redactAndLogError("Rename", err)
+				return "", err
 			}
-			if dstSum == partialSum {
+			if partSum == dstSum {
+				// same content → drop the partial
 				if err := os.Remove(partialPath); err != nil {
-					return 0, redactAndLogError("Remove", err)
+					return "", err
 				}
-				break // we successfully found a content match; so stop
+				inFile.finalPath = dstPath
+				return dstPath, nil
 			}
 		}
 
 		// Choose a new destination filename and try again.
 		dstPath = nextFilename(dstPath)
-		inFile.finalPath = dstPath
 	}
-	if maxRetries <= 0 {
-		return 0, errors.New("too many retries trying to rename partial file")
+
+	return "", fmt.Errorf("too many retries trying to rename a partial file %q", initialDst)
+}
+
+// finalizeSAF retries RenamePartialFile up to 10 times, generating a new
+// name on each failure until the SAF URI changes.
+func (m *manager) finalizeSAF(
+	partialPath, finalName string,
+) error {
+	if m.opts.FileOps == nil {
+		return fmt.Errorf("missing FileOps for SAF finalize")
 	}
-	m.totalReceived.Add(1)
-	m.opts.SendFileNotify()
-	return fileLength, nil
+	const maxTries = 10
+	name := finalName
+	for i := 0; i < maxTries; i++ {
+		newURI, err := m.opts.FileOps.RenamePartialFile(partialPath, m.opts.Dir, name)
+		if err != nil {
+			return err
+		}
+		if newURI != "" && newURI != name {
+			return nil
+		}
+		name = nextFilename(name)
+	}
+	return fmt.Errorf("failed to finalize SAF file after %d retries", maxTries)
+}
+
+func (m *manager) redactAndLogError(stage string, err error) error {
+	err = redactError(err)
+	m.opts.Logf("put %s error: %v", stage, err)
+	return err
 }
 
 func sha256File(file string) (out [sha256.Size]byte, err error) {
diff --git a/feature/taildrop/taildrop.go b/feature/taildrop/taildrop.go
index 2e5c94861..2dfa415bb 100644
--- a/feature/taildrop/taildrop.go
+++ b/feature/taildrop/taildrop.go
@@ -91,6 +91,10 @@ type managerOptions struct {
 	// copy them out, and then delete them.
 	DirectFileMode bool
 
+	FileOps FileOps
+
+	Mode PutMode
+
 	// SendFileNotify is called periodically while a file is actively
 	// receiving the contents for the file. There is a final call
 	// to the function when reception completes.
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index e8ff05b37..5d6433002 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1450,66 +1450,6 @@ func (b *LocalBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
 	return b.currentNode().PeerCaps(src)
 }
 
-// AppendMatchingPeers returns base with all peers that match pred appended.
-//
-// It acquires b.mu to read the netmap but releases it before calling pred.
-func (nb *nodeBackend) AppendMatchingPeers(base []tailcfg.NodeView, pred func(tailcfg.NodeView) bool) []tailcfg.NodeView {
-	var peers []tailcfg.NodeView
-
-	nb.mu.Lock()
-	if nb.netMap != nil {
-		// All fields on b.netMap are immutable, so this is
-		// safe to copy and use outside the lock.
-		peers = nb.netMap.Peers
-	}
-	nb.mu.Unlock()
-
-	ret := base
-	for _, peer := range peers {
-		// The peers in b.netMap don't contain updates made via
-		// UpdateNetmapDelta. So only use PeerView in b.netMap for its NodeID,
-		// and then look up the latest copy in b.peers which is updated in
-		// response to UpdateNetmapDelta edits.
-		nb.mu.Lock()
-		peer, ok := nb.peers[peer.ID()]
-		nb.mu.Unlock()
-		if ok && pred(peer) {
-			ret = append(ret, peer)
-		}
-	}
-	return ret
-}
-
-// PeerCaps returns the capabilities that remote src IP has to
-// ths current node.
-func (nb *nodeBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	return nb.peerCapsLocked(src)
-}
-
-func (nb *nodeBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
-	if nb.netMap == nil {
-		return nil
-	}
-	filt := nb.filterAtomic.Load()
-	if filt == nil {
-		return nil
-	}
-	addrs := nb.netMap.GetAddresses()
-	for i := range addrs.Len() {
-		a := addrs.At(i)
-		if !a.IsSingleIP() {
-			continue
-		}
-		dst := a.Addr()
-		if dst.BitLen() == src.BitLen() { // match on family
-			return filt.CapsWithValues(src, dst)
-		}
-	}
-	return nil
-}
-
 func (b *LocalBackend) GetFilterForTest() *filter.Filter {
 	if !testenv.InTest() {
 		panic("GetFilterForTest called outside of test")
@@ -2025,20 +1965,6 @@ func (b *LocalBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bo
 	return true
 }
 
-func (nb *nodeBackend) netMapWithPeers() *netmap.NetworkMap {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	if nb.netMap == nil {
-		return nil
-	}
-	nm := ptr.To(*nb.netMap) // shallow clone
-	nm.Peers = slicesx.MapValues(nb.peers)
-	slices.SortFunc(nm.Peers, func(a, b tailcfg.NodeView) int {
-		return cmp.Compare(a.ID(), b.ID())
-	})
-	return nm
-}
-
 // mutationsAreWorthyOfTellingIPNBus reports whether any mutation type in muts is
 // worthy of spamming the IPN bus (the Windows & Mac GUIs, basically) to tell them
 // about the update.
@@ -2069,37 +1995,6 @@ func (b *LocalBackend) pickNewAutoExitNode() {
 	b.send(ipn.Notify{Prefs: &newPrefs})
 }
 
-func (nb *nodeBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bool) {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	if nb.netMap == nil || len(nb.peers) == 0 {
-		return false
-	}
-
-	// Locally cloned mutable nodes, to avoid calling AsStruct (clone)
-	// multiple times on a node if it's mutated multiple times in this
-	// call (e.g. its endpoints + online status both change)
-	var mutableNodes map[tailcfg.NodeID]*tailcfg.Node
-
-	for _, m := range muts {
-		n, ok := mutableNodes[m.NodeIDBeingMutated()]
-		if !ok {
-			nv, ok := nb.peers[m.NodeIDBeingMutated()]
-			if !ok {
-				// TODO(bradfitz): unexpected metric?
-				return false
-			}
-			n = nv.AsStruct()
-			mak.Set(&mutableNodes, nv.ID(), n)
-		}
-		m.Apply(n)
-	}
-	for nid, n := range mutableNodes {
-		nb.peers[nid] = n.View()
-	}
-	return true
-}
-
 // setExitNodeID updates prefs to reference an exit node by ID, rather
 // than by IP. It returns whether prefs was mutated.
 func setExitNodeID(prefs *ipn.Prefs, nm *netmap.NetworkMap) (prefsChanged bool) {
@@ -2256,16 +2151,6 @@ func (b *LocalBackend) PeersForTest() []tailcfg.NodeView {
 	return b.currentNode().PeersForTest()
 }
 
-func (nb *nodeBackend) PeersForTest() []tailcfg.NodeView {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	ret := slicesx.MapValues(nb.peers)
-	slices.SortFunc(ret, func(a, b tailcfg.NodeView) int {
-		return cmp.Compare(a.ID(), b.ID())
-	})
-	return ret
-}
-
 func (b *LocalBackend) getNewControlClientFuncLocked() clientGen {
 	if b.ccGen == nil {
 		// Initialize it rather than just returning the
@@ -2832,10 +2717,6 @@ func (b *LocalBackend) setFilter(f *filter.Filter) {
 	b.e.SetFilter(f)
 }
 
-func (nb *nodeBackend) setFilter(f *filter.Filter) {
-	nb.filterAtomic.Store(f)
-}
-
 var removeFromDefaultRoute = []netip.Prefix{
 	// RFC1918 LAN ranges
 	netip.MustParsePrefix("192.168.0.0/16"),
@@ -4773,12 +4654,6 @@ func (b *LocalBackend) NetMap() *netmap.NetworkMap {
 	return b.currentNode().NetMap()
 }
 
-func (nb *nodeBackend) NetMap() *netmap.NetworkMap {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	return nb.netMap
-}
-
 func (b *LocalBackend) isEngineBlocked() bool {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -5017,201 +4892,6 @@ func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs
 	return false
 }
 
-func (nb *nodeBackend) dnsConfigForNetmap(prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	return dnsConfigForNetmap(nb.netMap, nb.peers, prefs, selfExpired, logf, versionOS)
-}
-
-// dnsConfigForNetmap returns a *dns.Config for the given netmap,
-// prefs, client OS version, and cloud hosting environment.
-//
-// The versionOS is a Tailscale-style version ("iOS", "macOS") and not
-// a runtime.GOOS.
-func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
-	if nm == nil {
-		return nil
-	}
-
-	// If the current node's key is expired, then we don't program any DNS
-	// configuration into the operating system. This ensures that if the
-	// DNS configuration specifies a DNS server that is only reachable over
-	// Tailscale, we don't break connectivity for the user.
-	//
-	// TODO(andrew-d): this also stops returning anything from quad-100; we
-	// could do the same thing as having "CorpDNS: false" and keep that but
-	// not program the OS?
-	if selfExpired {
-		return &dns.Config{}
-	}
-
-	dcfg := &dns.Config{
-		Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
-		Hosts:  map[dnsname.FQDN][]netip.Addr{},
-	}
-
-	// selfV6Only is whether we only have IPv6 addresses ourselves.
-	selfV6Only := nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs6) &&
-		!nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs4)
-	dcfg.OnlyIPv6 = selfV6Only
-
-	wantAAAA := nm.AllCaps.Contains(tailcfg.NodeAttrMagicDNSPeerAAAA)
-
-	// Populate MagicDNS records. We do this unconditionally so that
-	// quad-100 can always respond to MagicDNS queries, even if the OS
-	// isn't configured to make MagicDNS resolution truly
-	// magic. Details in
-	// https://github.com/tailscale/tailscale/issues/1886.
-	set := func(name string, addrs views.Slice[netip.Prefix]) {
-		if addrs.Len() == 0 || name == "" {
-			return
-		}
-		fqdn, err := dnsname.ToFQDN(name)
-		if err != nil {
-			return // TODO: propagate error?
-		}
-		var have4 bool
-		for _, addr := range addrs.All() {
-			if addr.Addr().Is4() {
-				have4 = true
-				break
-			}
-		}
-		var ips []netip.Addr
-		for _, addr := range addrs.All() {
-			if selfV6Only {
-				if addr.Addr().Is6() {
-					ips = append(ips, addr.Addr())
-				}
-				continue
-			}
-			// If this node has an IPv4 address, then
-			// remove peers' IPv6 addresses for now, as we
-			// don't guarantee that the peer node actually
-			// can speak IPv6 correctly.
-			//
-			// https://github.com/tailscale/tailscale/issues/1152
-			// tracks adding the right capability reporting to
-			// enable AAAA in MagicDNS.
-			if addr.Addr().Is6() && have4 && !wantAAAA {
-				continue
-			}
-			ips = append(ips, addr.Addr())
-		}
-		dcfg.Hosts[fqdn] = ips
-	}
-	set(nm.Name, nm.GetAddresses())
-	for _, peer := range peers {
-		set(peer.Name(), peer.Addresses())
-	}
-	for _, rec := range nm.DNS.ExtraRecords {
-		switch rec.Type {
-		case "", "A", "AAAA":
-			// Treat these all the same for now: infer from the value
-		default:
-			// TODO: more
-			continue
-		}
-		ip, err := netip.ParseAddr(rec.Value)
-		if err != nil {
-			// Ignore.
-			continue
-		}
-		fqdn, err := dnsname.ToFQDN(rec.Name)
-		if err != nil {
-			continue
-		}
-		dcfg.Hosts[fqdn] = append(dcfg.Hosts[fqdn], ip)
-	}
-
-	if !prefs.CorpDNS() {
-		return dcfg
-	}
-
-	for _, dom := range nm.DNS.Domains {
-		fqdn, err := dnsname.ToFQDN(dom)
-		if err != nil {
-			logf("[unexpected] non-FQDN search domain %q", dom)
-		}
-		dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
-	}
-	if nm.DNS.Proxied { // actually means "enable MagicDNS"
-		for _, dom := range magicDNSRootDomains(nm) {
-			dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
-		}
-	}
-
-	addDefault := func(resolvers []*dnstype.Resolver) {
-		dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, resolvers...)
-	}
-
-	// If we're using an exit node and that exit node is new enough (1.19.x+)
-	// to run a DoH DNS proxy, then send all our DNS traffic through it.
-	if dohURL, ok := exitNodeCanProxyDNS(nm, peers, prefs.ExitNodeID()); ok {
-		addDefault([]*dnstype.Resolver{{Addr: dohURL}})
-		return dcfg
-	}
-
-	// If the user has set default resolvers ("override local DNS"), prefer to
-	// use those resolvers as the default, otherwise if there are WireGuard exit
-	// node resolvers, use those as the default.
-	if len(nm.DNS.Resolvers) > 0 {
-		addDefault(nm.DNS.Resolvers)
-	} else {
-		if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
-			addDefault(resolvers)
-		}
-	}
-
-	for suffix, resolvers := range nm.DNS.Routes {
-		fqdn, err := dnsname.ToFQDN(suffix)
-		if err != nil {
-			logf("[unexpected] non-FQDN route suffix %q", suffix)
-		}
-
-		// Create map entry even if len(resolvers) == 0; Issue 2706.
-		// This lets the control plane send ExtraRecords for which we
-		// can authoritatively answer "name not exists" for when the
-		// control plane also sends this explicit but empty route
-		// making it as something we handle.
-		//
-		// While we're already populating it, might as well size the
-		// slice appropriately.
-		// Per #9498 the exact requirements of nil vs empty slice remain
-		// unclear, this is a haunted graveyard to be resolved.
-		dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
-		dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], resolvers...)
-	}
-
-	// Set FallbackResolvers as the default resolvers in the
-	// scenarios that can't handle a purely split-DNS config. See
-	// https://github.com/tailscale/tailscale/issues/1743 for
-	// details.
-	switch {
-	case len(dcfg.DefaultResolvers) != 0:
-		// Default resolvers already set.
-	case !prefs.ExitNodeID().IsZero():
-		// When using an exit node, we send all DNS traffic to the exit node, so
-		// we don't need a fallback resolver.
-		//
-		// However, if the exit node is too old to run a DoH DNS proxy, then we
-		// need to use a fallback resolver as it's very likely the LAN resolvers
-		// will become unreachable.
-		//
-		// This is especially important on Apple OSes, where
-		// adding the default route to the tunnel interface makes
-		// it "primary", and we MUST provide VPN-sourced DNS
-		// settings or we break all DNS resolution.
-		//
-		// https://github.com/tailscale/tailscale/issues/1713
-		addDefault(nm.DNS.FallbackResolvers)
-	case len(dcfg.Routes) == 0:
-		// No settings requiring split DNS, no problem.
-	}
-
-	return dcfg
-}
-
 // SetTCPHandlerForFunnelFlow sets the TCP handler for Funnel flows.
 // It should only be called before the LocalBackend is used.
 func (b *LocalBackend) SetTCPHandlerForFunnelFlow(h func(src netip.AddrPort, dstPort uint16) (handler func(net.Conn))) {
@@ -6124,14 +5804,6 @@ func (b *LocalBackend) setAutoExitNodeIDLockedOnEntry(unlock unlockOnce) (newPre
 	return newPrefs
 }
 
-func (nb *nodeBackend) SetNetMap(nm *netmap.NetworkMap) {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	nb.netMap = nm
-	nb.updateNodeByAddrLocked()
-	nb.updatePeersLocked()
-}
-
 // setNetMapLocked updates the LocalBackend state to reflect the newly
 // received nm. If nm is nil, it resets all configuration as though
 // Tailscale is turned off.
@@ -6206,67 +5878,6 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	b.driveNotifyCurrentSharesLocked()
 }
 
-func (nb *nodeBackend) updateNodeByAddrLocked() {
-	nm := nb.netMap
-	if nm == nil {
-		nb.nodeByAddr = nil
-		return
-	}
-
-	// Update the nodeByAddr index.
-	if nb.nodeByAddr == nil {
-		nb.nodeByAddr = map[netip.Addr]tailcfg.NodeID{}
-	}
-	// First pass, mark everything unwanted.
-	for k := range nb.nodeByAddr {
-		nb.nodeByAddr[k] = 0
-	}
-	addNode := func(n tailcfg.NodeView) {
-		for _, ipp := range n.Addresses().All() {
-			if ipp.IsSingleIP() {
-				nb.nodeByAddr[ipp.Addr()] = n.ID()
-			}
-		}
-	}
-	if nm.SelfNode.Valid() {
-		addNode(nm.SelfNode)
-	}
-	for _, p := range nm.Peers {
-		addNode(p)
-	}
-	// Third pass, actually delete the unwanted items.
-	for k, v := range nb.nodeByAddr {
-		if v == 0 {
-			delete(nb.nodeByAddr, k)
-		}
-	}
-}
-
-func (nb *nodeBackend) updatePeersLocked() {
-	nm := nb.netMap
-	if nm == nil {
-		nb.peers = nil
-		return
-	}
-
-	// First pass, mark everything unwanted.
-	for k := range nb.peers {
-		nb.peers[k] = tailcfg.NodeView{}
-	}
-
-	// Second pass, add everything wanted.
-	for _, p := range nm.Peers {
-		mak.Set(&nb.peers, p.ID(), p)
-	}
-
-	// Third pass, remove deleted things.
-	for k, v := range nb.peers {
-		if !v.Valid() {
-			delete(nb.peers, k)
-		}
-	}
-}
-
 // responseBodyWrapper wraps an io.ReadCloser and stores
 // the number of bytesRead.
 type responseBodyWrapper struct {
@@ -6647,27 +6258,6 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey key.MachinePublic, nodeK
 	return mk, nk
 }
 
-// PeerHasCap reports whether the peer contains the given capability string,
-// with any value(s).
-func (nb *nodeBackend) PeerHasCap(peer tailcfg.NodeView, wantCap tailcfg.PeerCapability) bool {
-	if !peer.Valid() {
-		return false
-	}
-
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	for _, ap := range peer.Addresses().All() {
-		if nb.peerHasCapLocked(ap.Addr(), wantCap) {
-			return true
-		}
-	}
-	return false
-}
-
-func (nb *nodeBackend) peerHasCapLocked(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
-	return nb.peerCapsLocked(addr).HasCapability(wantCap)
-}
-
 // SetDNS adds a DNS record for the given domain name & TXT record
 // value.
 //
@@ -6717,70 +6307,6 @@ func peerAPIPorts(peer tailcfg.NodeView) (p4, p6 uint16) {
 	return
 }
 
-// peerAPIURL returns an HTTP URL for the peer's peerapi service,
-// without a trailing slash.
-//
-// If ip or port is the zero value then it returns the empty string.
-func peerAPIURL(ip netip.Addr, port uint16) string {
-	if port == 0 || !ip.IsValid() {
-		return ""
-	}
-	return fmt.Sprintf("http://%v", netip.AddrPortFrom(ip, port))
-}
-
-func (nb *nodeBackend) PeerHasPeerAPI(p tailcfg.NodeView) bool {
-	return nb.PeerAPIBase(p) != ""
-}
-
-// PeerAPIBase returns the "http://ip:port" URL base to reach peer's PeerAPI,
-// or the empty string if the peer is invalid or doesn't support PeerAPI.
-func (nb *nodeBackend) PeerAPIBase(p tailcfg.NodeView) string {
-	nb.mu.Lock()
-	nm := nb.netMap
-	nb.mu.Unlock()
-	return peerAPIBase(nm, p)
-}
-
-// peerAPIBase returns the "http://ip:port" URL base to reach peer's peerAPI.
-// It returns the empty string if the peer doesn't support the peerapi
-// or there's no matching address family based on the netmap's own addresses.
-func peerAPIBase(nm *netmap.NetworkMap, peer tailcfg.NodeView) string {
-	if nm == nil || !peer.Valid() || !peer.Hostinfo().Valid() {
-		return ""
-	}
-
-	var have4, have6 bool
-	addrs := nm.GetAddresses()
-	for _, a := range addrs.All() {
-		if !a.IsSingleIP() {
-			continue
-		}
-		switch {
-		case a.Addr().Is4():
-			have4 = true
-		case a.Addr().Is6():
-			have6 = true
-		}
-	}
-	p4, p6 := peerAPIPorts(peer)
-	switch {
-	case have4 && p4 != 0:
-		return peerAPIURL(nodeIP(peer, netip.Addr.Is4), p4)
-	case have6 && p6 != 0:
-		return peerAPIURL(nodeIP(peer, netip.Addr.Is6), p6)
-	}
-	return ""
-}
-
-func nodeIP(n tailcfg.NodeView, pred func(netip.Addr) bool) netip.Addr {
-	for _, pfx := range n.Addresses().All() {
-		if pfx.IsSingleIP() && pred(pfx.Addr()) {
-			return pfx.Addr()
-		}
-	}
-	return netip.Addr{}
-}
-
 func (b *LocalBackend) CheckIPForwarding() error {
 	if b.sys.IsNetstackRouter() {
 		return nil
@@ -6978,12 +6504,6 @@ func exitNodeCanProxyDNS(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg
 	return "", false
 }
 
-func (nb *nodeBackend) exitNodeCanProxyDNS(exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	return exitNodeCanProxyDNS(nb.netMap, nb.peers, exitNodeID)
-}
-
 // wireguardExitNodeDNSResolvers returns the DNS resolvers to use for a
 // WireGuard-only exit node, if it has resolver addresses.
 func wireguardExitNodeDNSResolvers(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, exitNodeID tailcfg.StableNodeID) ([]*dnstype.Resolver, bool) {
diff --git a/ipn/ipnlocal/node_backend.go b/ipn/ipnlocal/node_backend.go
index fe4973723..fb77f38eb 100644
--- a/ipn/ipnlocal/node_backend.go
+++ b/ipn/ipnlocal/node_backend.go
@@ -4,16 +4,25 @@
 package ipnlocal
 
 import (
+	"cmp"
 	"net/netip"
+	"slices"
 	"sync"
 	"sync/atomic"
 
 	"go4.org/netipx"
 	"tailscale.com/ipn"
+	"tailscale.com/net/dns"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
+	"tailscale.com/types/ptr"
+	"tailscale.com/types/views"
+	"tailscale.com/util/dnsname"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/slicesx"
 	"tailscale.com/wgengine/filter"
 )
@@ -201,6 +210,239 @@ func (nb *nodeBackend) Peers() []tailcfg.NodeView {
 	return slicesx.MapValues(nb.peers)
 }
 
+func (nb *nodeBackend) PeersForTest() []tailcfg.NodeView {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	ret := slicesx.MapValues(nb.peers)
+	slices.SortFunc(ret, func(a, b tailcfg.NodeView) int {
+		return cmp.Compare(a.ID(), b.ID())
+	})
+	return ret
+}
+
+// AppendMatchingPeers returns base with all peers that match pred appended.
+//
+// It acquires b.mu to read the netmap but releases it before calling pred.
+func (nb *nodeBackend) AppendMatchingPeers(base []tailcfg.NodeView, pred func(tailcfg.NodeView) bool) []tailcfg.NodeView {
+	var peers []tailcfg.NodeView
+
+	nb.mu.Lock()
+	if nb.netMap != nil {
+		// All fields on b.netMap are immutable, so this is
+		// safe to copy and use outside the lock.
+		peers = nb.netMap.Peers
+	}
+	nb.mu.Unlock()
+
+	ret := base
+	for _, peer := range peers {
+		// The peers in b.netMap don't contain updates made via
+		// UpdateNetmapDelta. So only use PeerView in b.netMap for its NodeID,
+		// and then look up the latest copy in b.peers which is updated in
+		// response to UpdateNetmapDelta edits.
+		nb.mu.Lock()
+		peer, ok := nb.peers[peer.ID()]
+		nb.mu.Unlock()
+		if ok && pred(peer) {
+			ret = append(ret, peer)
+		}
+	}
+	return ret
+}
+
+// PeerCaps returns the capabilities that remote src IP has to
+// ths current node.
+func (nb *nodeBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return nb.peerCapsLocked(src)
+}
+
+func (nb *nodeBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
+	if nb.netMap == nil {
+		return nil
+	}
+	filt := nb.filterAtomic.Load()
+	if filt == nil {
+		return nil
+	}
+	addrs := nb.netMap.GetAddresses()
+	for i := range addrs.Len() {
+		a := addrs.At(i)
+		if !a.IsSingleIP() {
+			continue
+		}
+		dst := a.Addr()
+		if dst.BitLen() == src.BitLen() { // match on family
+			return filt.CapsWithValues(src, dst)
+		}
+	}
+	return nil
+}
+
+// PeerHasCap reports whether the peer contains the given capability string,
+// with any value(s).
+func (nb *nodeBackend) PeerHasCap(peer tailcfg.NodeView, wantCap tailcfg.PeerCapability) bool {
+	if !peer.Valid() {
+		return false
+	}
+
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	for _, ap := range peer.Addresses().All() {
+		if nb.peerHasCapLocked(ap.Addr(), wantCap) {
+			return true
+		}
+	}
+	return false
+}
+
+func (nb *nodeBackend) peerHasCapLocked(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
+	return nb.peerCapsLocked(addr).HasCapability(wantCap)
+}
+
+func (nb *nodeBackend) PeerHasPeerAPI(p tailcfg.NodeView) bool {
+	return nb.PeerAPIBase(p) != ""
+}
+
+// PeerAPIBase returns the "http://ip:port" URL base to reach peer's PeerAPI,
+// or the empty string if the peer is invalid or doesn't support PeerAPI.
+func (nb *nodeBackend) PeerAPIBase(p tailcfg.NodeView) string {
+	nb.mu.Lock()
+	nm := nb.netMap
+	nb.mu.Unlock()
+	return peerAPIBase(nm, p)
+}
+
+func nodeIP(n tailcfg.NodeView, pred func(netip.Addr) bool) netip.Addr {
+	for _, pfx := range n.Addresses().All() {
+		if pfx.IsSingleIP() && pred(pfx.Addr()) {
+			return pfx.Addr()
+		}
+	}
+	return netip.Addr{}
+}
+
+func (nb *nodeBackend) NetMap() *netmap.NetworkMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return nb.netMap
+}
+
+func (nb *nodeBackend) netMapWithPeers() *netmap.NetworkMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
+		return nil
+	}
+	nm := ptr.To(*nb.netMap) // shallow clone
+	nm.Peers = slicesx.MapValues(nb.peers)
+	slices.SortFunc(nm.Peers, func(a, b tailcfg.NodeView) int {
+		return cmp.Compare(a.ID(), b.ID())
+	})
+	return nm
+}
+
+func (nb *nodeBackend) SetNetMap(nm *netmap.NetworkMap) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	nb.netMap = nm
+	nb.updateNodeByAddrLocked()
+	nb.updatePeersLocked()
+}
+
+func (nb *nodeBackend) updateNodeByAddrLocked() {
+	nm := nb.netMap
+	if nm == nil {
+		nb.nodeByAddr = nil
+		return
+	}
+
+	// Update the nodeByAddr index.
+	if nb.nodeByAddr == nil {
+		nb.nodeByAddr = map[netip.Addr]tailcfg.NodeID{}
+	}
+	// First pass, mark everything unwanted.
+	for k := range nb.nodeByAddr {
+		nb.nodeByAddr[k] = 0
+	}
+	addNode := func(n tailcfg.NodeView) {
+		for _, ipp := range n.Addresses().All() {
+			if ipp.IsSingleIP() {
+				nb.nodeByAddr[ipp.Addr()] = n.ID()
+			}
+		}
+	}
+	if nm.SelfNode.Valid() {
+		addNode(nm.SelfNode)
+	}
+	for _, p := range nm.Peers {
+		addNode(p)
+	}
+	// Third pass, actually delete the unwanted items.
+	for k, v := range nb.nodeByAddr {
+		if v == 0 {
+			delete(nb.nodeByAddr, k)
+		}
+	}
+}
+
+func (nb *nodeBackend) updatePeersLocked() {
+	nm := nb.netMap
+	if nm == nil {
+		nb.peers = nil
+		return
+	}
+
+	// First pass, mark everything unwanted.
+	for k := range nb.peers {
+		nb.peers[k] = tailcfg.NodeView{}
+	}
+
+	// Second pass, add everything wanted.
+	for _, p := range nm.Peers {
+		mak.Set(&nb.peers, p.ID(), p)
+	}
+
+	// Third pass, remove deleted things.
+	for k, v := range nb.peers {
+		if !v.Valid() {
+			delete(nb.peers, k)
+		}
+	}
+}
+
+func (nb *nodeBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil || len(nb.peers) == 0 {
+		return false
+	}
+
+	// Locally cloned mutable nodes, to avoid calling AsStruct (clone)
+	// multiple times on a node if it's mutated multiple times in this
+	// call (e.g. its endpoints + online status both change)
+	var mutableNodes map[tailcfg.NodeID]*tailcfg.Node
+
+	for _, m := range muts {
+		n, ok := mutableNodes[m.NodeIDBeingMutated()]
+		if !ok {
+			nv, ok := nb.peers[m.NodeIDBeingMutated()]
+			if !ok {
+				// TODO(bradfitz): unexpected metric?
+				return false
+			}
+			n = nv.AsStruct()
+			mak.Set(&mutableNodes, nv.ID(), n)
+		}
+		m.Apply(n)
+	}
+	for nid, n := range mutableNodes {
+		nb.peers[nid] = n.View()
+	}
+	return true
+}
+
 // unlockedNodesPermitted reports whether any peer with theUnsignedPeerAPIOnly bool set true has any of its allowed IPs
 // in the specified packet filter.
 //
@@ -216,3 +458,208 @@ func (nb *nodeBackend) unlockedNodesPermitted(packetFilter []filter.Match) bool
 func (nb *nodeBackend) filter() *filter.Filter {
 	return nb.filterAtomic.Load()
 }
+
+func (nb *nodeBackend) setFilter(f *filter.Filter) {
+	nb.filterAtomic.Store(f)
+}
+
+func (nb *nodeBackend) dnsConfigForNetmap(prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return dnsConfigForNetmap(nb.netMap, nb.peers, prefs, selfExpired, logf, versionOS)
+}
+
+func (nb *nodeBackend) exitNodeCanProxyDNS(exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return exitNodeCanProxyDNS(nb.netMap, nb.peers, exitNodeID)
+}
+
+// dnsConfigForNetmap returns a *dns.Config for the given netmap,
+// prefs, client OS version, and cloud hosting environment.
+//
+// The versionOS is a Tailscale-style version ("iOS", "macOS") and not
+// a runtime.GOOS.
+func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
+	if nm == nil {
+		return nil
+	}
+
+	// If the current node's key is expired, then we don't program any DNS
+	// configuration into the operating system. This ensures that if the
+	// DNS configuration specifies a DNS server that is only reachable over
+	// Tailscale, we don't break connectivity for the user.
+	//
+	// TODO(andrew-d): this also stops returning anything from quad-100; we
+	// could do the same thing as having "CorpDNS: false" and keep that but
+	// not program the OS?
+	if selfExpired {
+		return &dns.Config{}
+	}
+
+	dcfg := &dns.Config{
+		Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+		Hosts:  map[dnsname.FQDN][]netip.Addr{},
+	}
+
+	// selfV6Only is whether we only have IPv6 addresses ourselves.
+	selfV6Only := nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs6) &&
+		!nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs4)
+	dcfg.OnlyIPv6 = selfV6Only
+
+	wantAAAA := nm.AllCaps.Contains(tailcfg.NodeAttrMagicDNSPeerAAAA)
+
+	// Populate MagicDNS records. We do this unconditionally so that
+	// quad-100 can always respond to MagicDNS queries, even if the OS
+	// isn't configured to make MagicDNS resolution truly
+	// magic. Details in
+	// https://github.com/tailscale/tailscale/issues/1886.
+	set := func(name string, addrs views.Slice[netip.Prefix]) {
+		if addrs.Len() == 0 || name == "" {
+			return
+		}
+		fqdn, err := dnsname.ToFQDN(name)
+		if err != nil {
+			return // TODO: propagate error?
+		}
+		var have4 bool
+		for _, addr := range addrs.All() {
+			if addr.Addr().Is4() {
+				have4 = true
+				break
+			}
+		}
+		var ips []netip.Addr
+		for _, addr := range addrs.All() {
+			if selfV6Only {
+				if addr.Addr().Is6() {
+					ips = append(ips, addr.Addr())
+				}
+				continue
+			}
+			// If this node has an IPv4 address, then
+			// remove peers' IPv6 addresses for now, as we
+			// don't guarantee that the peer node actually
+			// can speak IPv6 correctly.
+			//
+			// https://github.com/tailscale/tailscale/issues/1152
+			// tracks adding the right capability reporting to
+			// enable AAAA in MagicDNS.
+			if addr.Addr().Is6() && have4 && !wantAAAA {
+				continue
+			}
+			ips = append(ips, addr.Addr())
+		}
+		dcfg.Hosts[fqdn] = ips
+	}
+	set(nm.Name, nm.GetAddresses())
+	for _, peer := range peers {
+		set(peer.Name(), peer.Addresses())
+	}
+	for _, rec := range nm.DNS.ExtraRecords {
+		switch rec.Type {
+		case "", "A", "AAAA":
+			// Treat these all the same for now: infer from the value
+		default:
+			// TODO: more
+			continue
+		}
+		ip, err := netip.ParseAddr(rec.Value)
+		if err != nil {
+			// Ignore.
+			continue
+		}
+		fqdn, err := dnsname.ToFQDN(rec.Name)
+		if err != nil {
+			continue
+		}
+		dcfg.Hosts[fqdn] = append(dcfg.Hosts[fqdn], ip)
+	}
+
+	if !prefs.CorpDNS() {
+		return dcfg
+	}
+
+	for _, dom := range nm.DNS.Domains {
+		fqdn, err := dnsname.ToFQDN(dom)
+		if err != nil {
+			logf("[unexpected] non-FQDN search domain %q", dom)
+		}
+		dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
+	}
+	if nm.DNS.Proxied { // actually means "enable MagicDNS"
+		for _, dom := range magicDNSRootDomains(nm) {
+			dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+		}
+	}
+
+	addDefault := func(resolvers []*dnstype.Resolver) {
+		dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, resolvers...)
+	}
+
+	// If we're using an exit node and that exit node is new enough (1.19.x+)
+	// to run a DoH DNS proxy, then send all our DNS traffic through it.
+	if dohURL, ok := exitNodeCanProxyDNS(nm, peers, prefs.ExitNodeID()); ok {
+		addDefault([]*dnstype.Resolver{{Addr: dohURL}})
+		return dcfg
+	}
+
+	// If the user has set default resolvers ("override local DNS"), prefer to
+	// use those resolvers as the default, otherwise if there are WireGuard exit
+	// node resolvers, use those as the default.
+	if len(nm.DNS.Resolvers) > 0 {
+		addDefault(nm.DNS.Resolvers)
+	} else {
+		if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
+			addDefault(resolvers)
+		}
+	}
+
+	for suffix, resolvers := range nm.DNS.Routes {
+		fqdn, err := dnsname.ToFQDN(suffix)
+		if err != nil {
+			logf("[unexpected] non-FQDN route suffix %q", suffix)
+		}
+
+		// Create map entry even if len(resolvers) == 0; Issue 2706.
+		// This lets the control plane send ExtraRecords for which we
+		// can authoritatively answer "name not exists" for when the
+		// control plane also sends this explicit but empty route
+		// making it as something we handle.
+		//
+		// While we're already populating it, might as well size the
+		// slice appropriately.
+		// Per #9498 the exact requirements of nil vs empty slice remain
+		// unclear, this is a haunted graveyard to be resolved.
+		dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
+		dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], resolvers...)
+	}
+
+	// Set FallbackResolvers as the default resolvers in the
+	// scenarios that can't handle a purely split-DNS config. See
+	// https://github.com/tailscale/tailscale/issues/1743 for
+	// details.
+	switch {
+	case len(dcfg.DefaultResolvers) != 0:
+		// Default resolvers already set.
+	case !prefs.ExitNodeID().IsZero():
+		// When using an exit node, we send all DNS traffic to the exit node, so
+		// we don't need a fallback resolver.
+		//
+		// However, if the exit node is too old to run a DoH DNS proxy, then we
+		// need to use a fallback resolver as it's very likely the LAN resolvers
+		// will become unreachable.
+		//
+		// This is especially important on Apple OSes, where
+		// adding the default route to the tunnel interface makes
+		// it "primary", and we MUST provide VPN-sourced DNS
+		// settings or we break all DNS resolution.
+		//
+		// https://github.com/tailscale/tailscale/issues/1713
+		addDefault(nm.DNS.FallbackResolvers)
+	case len(dcfg.Routes) == 0:
+		// No settings requiring split DNS, no problem.
+	}
+
+	return dcfg
+}
diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
index 675623f33..84aaecf7e 100644
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -36,6 +36,7 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/netmap"
 	"tailscale.com/types/views"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/httpm"
@@ -1094,6 +1095,48 @@ func parseDriveFileExtensionForLog(path string) string {
 	return fileExt
 }
 
+// peerAPIURL returns an HTTP URL for the peer's peerapi service,
+// without a trailing slash.
+//
+// If ip or port is the zero value then it returns the empty string.
+func peerAPIURL(ip netip.Addr, port uint16) string {
+	if port == 0 || !ip.IsValid() {
+		return ""
+	}
+	return fmt.Sprintf("http://%v", netip.AddrPortFrom(ip, port))
+}
+
+// peerAPIBase returns the "http://ip:port" URL base to reach peer's peerAPI.
+// It returns the empty string if the peer doesn't support the peerapi
+// or there's no matching address family based on the netmap's own addresses.
+func peerAPIBase(nm *netmap.NetworkMap, peer tailcfg.NodeView) string {
+	if nm == nil || !peer.Valid() || !peer.Hostinfo().Valid() {
+		return ""
+	}
+
+	var have4, have6 bool
+	addrs := nm.GetAddresses()
+	for _, a := range addrs.All() {
+		if !a.IsSingleIP() {
+			continue
+		}
+		switch {
+		case a.Addr().Is4():
+			have4 = true
+		case a.Addr().Is6():
+			have6 = true
+		}
+	}
+	p4, p6 := peerAPIPorts(peer)
+	switch {
+	case have4 && p4 != 0:
+		return peerAPIURL(nodeIP(peer, netip.Addr.Is4), p4)
+	case have6 && p6 != 0:
+		return peerAPIURL(nodeIP(peer, netip.Addr.Is6), p6)
+	}
+	return ""
+}
+
 // newFakePeerAPIListener creates a new net.Listener that acts like
 // it's listening on the provided IP address and on TCP port 1.
 //