Diffstat (limited to 'net')
| -rw-r--r-- | net/dnscache/dnscache.go | 27 | ||||
| -rw-r--r-- | net/netmon/state.go | 11 | ||||
| -rw-r--r-- | net/netns/netns.go | 2 | ||||
| -rw-r--r-- | net/tlsdial/tlsdial.go | 56 |
4 files changed, 3 insertions, 93 deletions
diff --git a/net/dnscache/dnscache.go b/net/dnscache/dnscache.go
index d60e92f0b..3974b1320 100644
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -21,7 +21,6 @@ import (
 "tailscale.com/envknob"
 "tailscale.com/net/netx"
 "tailscale.com/types/logger"
- "tailscale.com/util/cloudenv"
 "tailscale.com/util/singleflight"
 "tailscale.com/util/slicesx"
 "tailscale.com/util/testenv"
@@ -135,26 +134,6 @@ func (r *Resolver) dlogf(format string, args ...any) {
 }
 }
 
-// cloudHostResolver returns a Resolver for the current cloud hosting environment.
-// It currently only supports Google Cloud.
-func (r *Resolver) cloudHostResolver() (v *net.Resolver, ok bool) {
- switch runtime.GOOS {
- case "android", "ios", "darwin":
- return nil, false
- }
- ip := cloudenv.Get().ResolverIP()
- if ip == "" {
- return nil, false
- }
- return &net.Resolver{
- PreferGo: true,
- Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
- var d net.Dialer
- return d.DialContext(ctx, network, net.JoinHostPort(ip, "53"))
- },
- }, true
-}
-
 func (r *Resolver) ttl() time.Duration {
 if r.TTL > 0 {
 return r.TTL
@@ -296,12 +275,6 @@ func (r *Resolver) lookupIP(ctx context.Context, host string) (ip, ip6 netip.Add
 } else {
 ips, err = r.fwd().LookupNetIP(lookupCtx, "ip", host)
 }
- if err != nil || len(ips) == 0 {
- if resolver, ok := r.cloudHostResolver(); ok {
- r.dlogf("resolving %q via cloud resolver", host)
- ips, err = resolver.LookupNetIP(lookupCtx, "ip", host)
- }
- }
 if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil {
 lookupCtx, lookupCancel := context.WithTimeout(ctx, 30*time.Second)
 defer lookupCancel()
diff --git a/net/netmon/state.go b/net/netmon/state.go
index bd0960768..82d941fa0 100644
--- a/net/netmon/state.go
+++ b/net/netmon/state.go
@@ -7,7 +7,6 @@ import (
 "bytes"
 "fmt"
 "net"
- "net/http"
 "net/netip"
 "runtime"
 "slices"
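Review bot: Deleting cloudHostResolver removes the only use of `runtime` that is visible in dnscache.go; unless runtime.GOOS is referenced elsewhere in the file, the import is now unused and the package will not compile, since the import hunk drops only cloudenv. The lookupIP hunk also leaves a forward-resolver failure with nothing to fall back to when LookupIPFallback is nil, which is a behaviour change for cloud hosts that previously reached the metadata resolver. A one-line comment at that point would make the intent explicit, e.g. `// No cloud-metadata resolver fallback: only LookupIPFallback (if set) is consulted.` lookupIP begins and ends outside the hunk.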
@@ -18,7 +17,6 @@ import (
 "tailscale.com/hostinfo"
 "tailscale.com/net/netaddr"
 "tailscale.com/net/tsaddr"
- "tailscale.com/net/tshttpproxy"
 "tailscale.com/util/mak"
 )
 
@@ -154,7 +152,7 @@ func (i Interface) Addrs() ([]net.Addr, error) {
 if i.AltAddrs != nil {
 return i.AltAddrs, nil
 }
- return i.Interface.Addrs()
+ return nil, nil
 }
 
 // ForeachInterfaceAddress is a wrapper for GetList, then
@@ -502,13 +500,6 @@ func getState(optTSInterfaceName string) (*State, error) {
 }
 
 if s.AnyInterfaceUp() {
- req, err := http.NewRequest("GET", LoginEndpointForProxyDetermination, nil)
- if err != nil {
- return nil, err
- }
- if u, err := tshttpproxy.ProxyFromEnvironment(req); err == nil && u != nil {
- s.HTTPProxy = u.String()
- }
 if getPAC != nil {
 s.PAC = getPAC()
 }
diff --git a/net/netns/netns.go b/net/netns/netns.go
index a473506fa..742e9167a 100644
--- a/net/netns/netns.go
+++ b/net/netns/netns.go
@@ -90,7 +90,7 @@ func FromDialer(logf logger.Logf, netMon *netmon.Monitor, d *net.Dialer) Dialer
 if disabled.Load() {
 return d
 }
- d.Control = control(logf, netMon)
+ //d.Control = control(logf, netMon)
 if wrapDialer != nil {
 return wrapDialer(d)
 }
diff --git a/net/tlsdial/tlsdial.go b/net/tlsdial/tlsdial.go
index 80f3bfc06..770900b24 100644
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -28,10 +28,8 @@ import (
 "tailscale.com/derp/derpconst"
 "tailscale.com/envknob"
- "tailscale.com/health"
 "tailscale.com/hostinfo"
 "tailscale.com/net/bakedroots"
- "tailscale.com/net/tlsdial/blockblame"
 )
 
 var counterFallbackOK int32 // atomic
 
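Review bot: `return nil, nil` makes Addrs report success with zero addresses whenever AltAddrs is unset, so ForeachInterfaceAddress (named in the trailing context line) and any other caller silently sees an interface with no addresses rather than an error it can act on. If enumeration is meant to be disabled, return something distinguishable, e.g. `return nil, fmt.Errorf("netmon: address enumeration disabled for %q", i.Name)` (fmt is imported per the first hunk; i.Name assumes the embedded net.Interface is still present), or at minimum add a comment stating why the stub exists. The getState hunk has the same shape: s.HTTPProxy is now never populated but the field presumably still exists, so anything comparing or displaying it sees an empty string with no indication that proxy detection was removed.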
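Review bot: Commenting out `d.Control = control(logf, netMon)` leaves dead code in FromDialer and, if control is what installs the per-socket binding or marking that keeps outgoing dials off the tunnel (its name and the netMon argument suggest so, but its body is not on the page), every dialer returned here now behaves like a plain net.Dialer, which is a routing change that should be deliberate and visible rather than hidden behind `//`. Either delete the line and document the replacement mechanism in a comment, or keep the assignment; `logf` and `netMon` are now unused parameters, which Go accepts but a reader will take as a bug. The early return on `disabled.Load()` above already provides the opt-out path, so an explicit disable should go through it rather than a commented-out line.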
@@ -49,16 +47,6 @@ var debug = envknob.RegisterBool("TS_DEBUG_TLS_DIAL")
 // Headscale, etc.
 var tlsdialWarningPrinted sync.Map // map[string]bool
 
-var mitmBlockWarnable = health.Register(&health.Warnable{
- Code: "blockblame-mitm-detected",
- Title: "Network may be blocking Tailscale",
- Text: func(args health.Args) string {
- return fmt.Sprintf("Network equipment from %q may be blocking Tailscale traffic on this network. Connect to another network, or contact your network administrator for assistance.", args["manufacturer"])
- },
- Severity: health.SeverityMedium,
- ImpactsConnectivity: true,
-})
-
 // Config returns a tls.Config for connecting to a server that
 // uses system roots for validation but, if those fail, also tries
 // the baked-in LetsEncrypt roots as a fallback validation method.
@@ -66,7 +54,7 @@ var mitmBlockWarnable = health.Register(&health.Warnable{
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
 // If ht is non-nil, it's used to report health errors.
-func Config(ht *health.Tracker, base *tls.Config) *tls.Config {
+func Config(ht any, base *tls.Config) *tls.Config {
 var conf *tls.Config
 if base == nil {
 conf = new(tls.Config)
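Review bot: The doc sentence kept as context, `// If ht is non-nil, it's used to report health errors.`, is no longer true: `ht any` is not used in any hunk that remains (its only visible use was the deferred block removed further down), so callers reading the doc will keep passing a tracker and expecting reports that never arrive. Replace the sentence with `// ht is ignored; it is accepted only to keep existing call sites compiling.` and consider naming the parameter `_ any` so the compiler states the same thing. If `fmt` and `log` were only used by the removed warnable and callback, they are now unused imports in tlsdial.go, since the import hunk removes only health and blockblame; confirm with a build.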
@@ -109,48 +97,6 @@ func Config(ht *health.Tracker, base *tls.Config) *tls.Config {
 return nil
 }
 
- // Perform some health checks on this certificate before we do
- // any verification.
- var cert *x509.Certificate
- var selfSignedIssuer string
- if certs := cs.PeerCertificates; len(certs) > 0 {
- cert = certs[0]
- if certIsSelfSigned(cert) {
- selfSignedIssuer = cert.Issuer.String()
- }
- }
- if ht != nil {
- defer func() {
- if retErr != nil && cert != nil {
- // Is it a MITM SSL certificate from a well-known network appliance manufacturer?
- // Show a dedicated warning.
- m, ok := blockblame.VerifyCertificate(cert)
- if ok {
- log.Printf("tlsdial: server cert seen while dialing %q looks like %q equipment (could be blocking Tailscale)", dialedHost, m.Name)
- ht.SetUnhealthy(mitmBlockWarnable, health.Args{"manufacturer": m.Name})
- } else {
- ht.SetHealthy(mitmBlockWarnable)
- }
- } else {
- ht.SetHealthy(mitmBlockWarnable)
- }
- if retErr != nil && selfSignedIssuer != "" {
- // Self-signed certs are never valid.
- //
- // TODO(bradfitz): plumb down the selfSignedIssuer as a
- // structured health warning argument.
- ht.SetTLSConnectionError(cs.ServerName, fmt.Errorf("likely intercepted connection; certificate is self-signed by %v", selfSignedIssuer))
- } else {
- // Ensure we clear any error state for this ServerName.
- ht.SetTLSConnectionError(cs.ServerName, nil)
- if selfSignedIssuer != "" {
- // Log the self-signed issuer, but don't treat it as an error.
- log.Printf("tlsdial: warning: server cert for %q passed x509 validation but is self-signed by %q", dialedHost, selfSignedIssuer)
- }
- }
- }()
- }
-
 // First try doing x509 verification with the system's
 // root CA pool.
 opts := x509.VerifyOptions{
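Review bot: With the deferred block gone, a dial that fails because the server presented a self-signed leaf (the usual sign of an intercepting proxy) now surfaces only as the generic x509 error from the verification that follows, and nothing on the page replaces that diagnostic; the removed log line was the only operator-visible hint. The health-tracker plumbing can go, but the self-signed check and a log line do not depend on it and are worth keeping, as sketched below. `retErr`, `dialedHost` and `certIsSelfSigned` are referenced by the removed lines, so they should still be in scope if nothing else in the file changed; `log` must still be imported for this to build. The enclosing verification callback begins and ends outside the hunk.
```go
	// … unchanged: preceding lines of the callback …

	// Keep a log-only signal for an intercepted connection: a self-signed
	// leaf never passes verification, and the bare x509 error does not say why.
	var selfSignedIssuer string
	if certs := cs.PeerCertificates; len(certs) > 0 && certIsSelfSigned(certs[0]) {
		selfSignedIssuer = certs[0].Issuer.String()
	}
	defer func() {
		if retErr != nil && selfSignedIssuer != "" {
			log.Printf("tlsdial: server cert for %q is self-signed by %q; connection is likely intercepted", dialedHost, selfSignedIssuer)
		}
	}()

	// … unchanged: x509 verification with system roots, then baked roots …
```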
