From 674888e564899e518bc10fdc4f079051556d11ea Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Sat, 11 Jan 2025 18:04:34 -0800 Subject: [PATCH] lanscaping: make CLI compile Change-Id: I7a564535a1e4f2e2fe34400cf6b190c76ef3105b Signed-off-by: Brad Fitzpatrick --- Makefile | 1 + client/tailscale/localclient.go | 48 ------ cmd/tailscale/cli/cli.go | 2 - cmd/tailscale/cli/debug.go | 15 -- cmd/tailscale/cli/dns-query.go | 163 ------------------- cmd/tailscale/cli/dns-status.go | 242 ---------------------------- cmd/tailscale/cli/dns.go | 49 ------ cmd/tailscale/cli/netcheck.go | 4 +- cmd/tailscale/cli/status.go | 39 +---- cmd/tailscale/cli/syspolicy.go | 110 ------------- cmd/tailscale/depaware-minlinux.txt | 11 +- 11 files changed, 7 insertions(+), 677 deletions(-) delete mode 100644 cmd/tailscale/cli/dns-query.go delete mode 100644 cmd/tailscale/cli/dns-status.go delete mode 100644 cmd/tailscale/cli/dns.go delete mode 100644 cmd/tailscale/cli/syspolicy.go diff --git a/Makefile b/Makefile index ce168b419..a0b71ec17 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,7 @@ MIN_OMITS ?= ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completio min: ./tool/go build -o $$HOME/bin/tailscaled.min -ldflags "-w -s" --tags=${MIN_OMITS} ./cmd/tailscaled GOOS=linux ./tool/go build -o $$HOME/bin/tailscaled.minlinux -ldflags "-w -s" --tags=${MIN_OMITS} ./cmd/tailscaled + GOOS=linux ./tool/go build -o $$HOME/bin/tailscale.minlinux -ldflags "-w -s" --tags=${MIN_OMITS} ./cmd/tailscale ls -l $$HOME/bin/tailscaled.min{,linux} updatemindeps: min diff --git a/client/tailscale/localclient.go b/client/tailscale/localclient.go index cbd6a107b..4897e6a6a 100644 --- a/client/tailscale/localclient.go +++ b/client/tailscale/localclient.go 
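Review bot: In the Makefile `min` target, the `ls -l $$HOME/bin/tailscaled.min{,linux}` line after the added build step still lists only the two daemon binaries, so `make min` never prints the size of the new `tailscale.minlinux` CLI binary. If that listing is how binary size is tracked on this branch, extend it, e.g. `ls -l $$HOME/bin/tailscaled.min{,linux} $$HOME/bin/tailscale.minlinux`. The added line builds only a `GOOS=linux` CLI; whether a host-OS `tailscale.min` is wanted to mirror `tailscaled.min` cannot be told from this hunk.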
@@ -29,16 +29,13 @@ import ( "go4.org/mem" "tailscale.com/client/tailscale/apitype" "tailscale.com/drive" - "tailscale.com/envknob" "tailscale.com/ipn" "tailscale.com/ipn/ipnstate" "tailscale.com/net/netutil" "tailscale.com/paths" "tailscale.com/safesocket" "tailscale.com/tailcfg" - "tailscale.com/types/dnstype" "tailscale.com/types/key" - "tailscale.com/util/syspolicy/setting" ) // defaultLocalClient is the default LocalClient when using the legacy @@ -143,9 +140,6 @@ func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) { res, err := lc.DoLocalRequest(req) if err == nil { - if server := res.Header.Get("Tailscale-Version"); server != "" && server != envknob.IPCVersion() && onVersionMismatch != nil { - onVersionMismatch(envknob.IPCVersion(), server) - } if res.StatusCode == 403 { all, _ := io.ReadAll(res.Body) return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))} 
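Review bot: In `doLocalRequestNiceError` the `Tailscale-Version` response header is no longer compared with the client's own version, so a CLI talking to a tailscaled of a different version now proceeds without any warning. The `onVersionMismatch` hook that the removed lines called is declared outside this hunk; if it and any setter for it remain, they are now dead and a registered handler is never invoked. Either remove the hook together with the check, or leave a comment at this spot such as `// lanscaping: client/daemon version skew is intentionally not checked here` so the omission is visibly deliberate. The function body continues outside the hunk.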
@@ -824,33 +818,6 @@ func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn return decodeJSON[*ipn.Prefs](body) } -// GetEffectivePolicy returns the effective policy for the specified scope. -func (lc *LocalClient) GetEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) { - scopeID, err := scope.MarshalText() - if err != nil { - return nil, err - } - body, err := lc.get200(ctx, "/localapi/v0/policy/"+string(scopeID)) - if err != nil { - return nil, err - } - return decodeJSON[*setting.Snapshot](body) -} - -// ReloadEffectivePolicy reloads the effective policy for the specified scope -// by reading and merging policy settings from all applicable policy sources. -func (lc *LocalClient) ReloadEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) { - scopeID, err := scope.MarshalText() - if err != nil { - return nil, err - } - body, err := lc.send(ctx, "POST", "/localapi/v0/policy/"+string(scopeID), 200, http.NoBody) - if err != nil { - return nil, err - } - return decodeJSON[*setting.Snapshot](body) -} - // GetDNSOSConfig returns the system DNS configuration for the current device. // That is, it returns the DNS configuration that the system would use if Tailscale weren't being used. func (lc *LocalClient) GetDNSOSConfig(ctx context.Context) (*apitype.DNSOSConfig, error) { 
@@ -865,21 +832,6 @@ func (lc *LocalClient) GetDNSOSConfig(ctx context.Context) (*apitype.DNSOSConfig return &osCfg, nil } -// QueryDNS executes a DNS query for a name (`google.com.`) and query type (`CNAME`). -// It returns the raw DNS response bytes and the resolvers that were used to answer the query -// (often just one, but can be more if we raced multiple resolvers). -func (lc *LocalClient) QueryDNS(ctx context.Context, name string, queryType string) (bytes []byte, resolvers []*dnstype.Resolver, err error) { - body, err := lc.get200(ctx, fmt.Sprintf("/localapi/v0/dns-query?name=%s&type=%s", url.QueryEscape(name), queryType)) - if err != nil { - return nil, nil, err - } - var res apitype.DNSQueryResponse - if err := json.Unmarshal(body, &res); err != nil { - return nil, nil, fmt.Errorf("invalid query response: %w", err) - } - return res.Bytes, res.Resolvers, nil -} - // StartLoginInteractive starts an interactive login. func (lc *LocalClient) StartLoginInteractive(ctx context.Context) error { _, err := lc.send(ctx, "POST", "/localapi/v0/login-interactive", http.StatusNoContent, nil) diff --git a/cmd/tailscale/cli/cli.go b/cmd/tailscale/cli/cli.go index e9cf4aba1..aa4d2678e 100644 --- a/cmd/tailscale/cli/cli.go +++ b/cmd/tailscale/cli/cli.go @@ -190,10 +190,8 @@ change in the future. logoutCmd, switchCmd, configureCmd, - syspolicyCmd, netcheckCmd, ipCmd, - dnsCmd, statusCmd, metricsCmd, pingCmd, diff --git a/cmd/tailscale/cli/debug.go b/cmd/tailscale/cli/debug.go index 04b343e76..f54323f42 100644 --- a/cmd/tailscale/cli/debug.go +++ b/cmd/tailscale/cli/debug.go @@ -830,7 +830,6 @@ func runTS2021(ctx context.Context, args []string) error { log.Printf("tshttpproxy.ProxyFromEnvironment = (%v, %v)", proxy, err) } machinePrivate := key.NewMachine() - var dialer net.Dialer var keys struct { PublicKey key.MachinePublic 
@@ -858,19 +857,6 @@ func runTS2021(ctx context.Context, args []string) error { log.Printf("got public key: %v", keys.PublicKey) } - dialFunc := func(ctx context.Context, network, address string) (net.Conn, error) { - log.Printf("Dial(%q, %q) ...", network, address) - c, err := dialer.DialContext(ctx, network, address) - if err != nil { - // skip logging context cancellation errors - if !errors.Is(err, context.Canceled) { - log.Printf("Dial(%q, %q) = %v", network, address, err) - } - } else { - log.Printf("Dial(%q, %q) = %v / %v", network, address, c.LocalAddr(), c.RemoteAddr()) - } - return c, err - } var logf logger.Logf if ts2021Args.verbose { logf = log.Printf @@ -888,7 +874,6 @@ func runTS2021(ctx context.Context, args []string) error { MachineKey: machinePrivate, ControlKey: keys.PublicKey, ProtocolVersion: uint16(ts2021Args.version), - Dialer: dialFunc, Logf: logf, NetMon: netMon, } diff --git a/cmd/tailscale/cli/dns-query.go b/cmd/tailscale/cli/dns-query.go deleted file mode 100644 index da2d9d2a5..000000000 --- a/cmd/tailscale/cli/dns-query.go +++ /dev/null 
@@ -1,163 +0,0 @@ -// Copyright (c) Tailscale Inc & AUTHORS -// SPDX-License-Identifier: BSD-3-Clause - -package cli - -import ( - "context" - "flag" - "fmt" - "net/netip" - "os" - "text/tabwriter" - - "golang.org/x/net/dns/dnsmessage" - "tailscale.com/types/dnstype" -) - -func runDNSQuery(ctx context.Context, args []string) error { - if len(args) < 1 { - return flag.ErrHelp - } - name := args[0] - queryType := "A" - if len(args) >= 2 { - queryType = args[1] - } - fmt.Printf("DNS query for %q (%s) using internal resolver:\n", name, queryType) - fmt.Println() - bytes, resolvers, err := localClient.QueryDNS(ctx, name, queryType) - if err != nil { - fmt.Printf("failed to query DNS: %v\n", err) - return nil - } - - if len(resolvers) == 1 { - fmt.Printf("Forwarding to resolver: %v\n", makeResolverString(*resolvers[0])) - } else { - fmt.Println("Multiple resolvers available:") - for _, r := range resolvers { - fmt.Printf(" - %v\n", makeResolverString(*r)) - } - } - fmt.Println() - var p dnsmessage.Parser - header, err := p.Start(bytes) - if err != nil { - fmt.Printf("failed to parse DNS response: %v\n", err) - return err - } - fmt.Printf("Response code: %v\n", header.RCode.String()) - fmt.Println() - p.SkipAllQuestions() - if header.RCode != dnsmessage.RCodeSuccess { - fmt.Println("No answers were returned.") - return nil - } - answers, err := p.AllAnswers() - if err != nil { - fmt.Printf("failed to parse DNS answers: %v\n", err) - return err - } - if len(answers) == 0 { - fmt.Println(" (no answers found)") - } - - w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0) - fmt.Fprintln(w, "Name\tTTL\tClass\tType\tBody") - fmt.Fprintln(w, "----\t---\t-----\t----\t----") - for _, a := range answers { - fmt.Fprintf(w, "%s\t%d\t%s\t%s\t%s\n", a.Header.Name.String(), a.Header.TTL, a.Header.Class.String(), a.Header.Type.String(), makeAnswerBody(a)) - } - w.Flush() - - fmt.Println() - return nil -} - -// makeAnswerBody returns a string with the DNS answer body in a human-readable 
format. -func makeAnswerBody(a dnsmessage.Resource) string { - switch a.Header.Type { - case dnsmessage.TypeA: - return makeABody(a.Body) - case dnsmessage.TypeAAAA: - return makeAAAABody(a.Body) - case dnsmessage.TypeCNAME: - return makeCNAMEBody(a.Body) - case dnsmessage.TypeMX: - return makeMXBody(a.Body) - case dnsmessage.TypeNS: - return makeNSBody(a.Body) - case dnsmessage.TypeOPT: - return makeOPTBody(a.Body) - case dnsmessage.TypePTR: - return makePTRBody(a.Body) - case dnsmessage.TypeSRV: - return makeSRVBody(a.Body) - case dnsmessage.TypeTXT: - return makeTXTBody(a.Body) - default: - return a.Body.GoString() - } -} - -func makeABody(a dnsmessage.ResourceBody) string { - if a, ok := a.(*dnsmessage.AResource); ok { - return netip.AddrFrom4(a.A).String() - } - return "" -} -func makeAAAABody(aaaa dnsmessage.ResourceBody) string { - if a, ok := aaaa.(*dnsmessage.AAAAResource); ok { - return netip.AddrFrom16(a.AAAA).String() - } - return "" -} -func makeCNAMEBody(cname dnsmessage.ResourceBody) string { - if c, ok := cname.(*dnsmessage.CNAMEResource); ok { - return c.CNAME.String() - } - return "" -} -func makeMXBody(mx dnsmessage.ResourceBody) string { - if m, ok := mx.(*dnsmessage.MXResource); ok { - return fmt.Sprintf("%s (Priority=%d)", m.MX, m.Pref) - } - return "" -} -func makeNSBody(ns dnsmessage.ResourceBody) string { - if n, ok := ns.(*dnsmessage.NSResource); ok { - return n.NS.String() - } - return "" -} -func makeOPTBody(opt dnsmessage.ResourceBody) string { - if o, ok := opt.(*dnsmessage.OPTResource); ok { - return o.GoString() - } - return "" -} -func makePTRBody(ptr dnsmessage.ResourceBody) string { - if p, ok := ptr.(*dnsmessage.PTRResource); ok { - return p.PTR.String() - } - return "" -} -func makeSRVBody(srv dnsmessage.ResourceBody) string { - if s, ok := srv.(*dnsmessage.SRVResource); ok { - return fmt.Sprintf("Target=%s, Port=%d, Priority=%d, Weight=%d", s.Target.String(), s.Port, s.Priority, s.Weight) - } - return "" -} -func 
makeTXTBody(txt dnsmessage.ResourceBody) string { - if t, ok := txt.(*dnsmessage.TXTResource); ok { - return fmt.Sprintf("%q", t.TXT) - } - return "" -} -func makeResolverString(r dnstype.Resolver) string { - if len(r.BootstrapResolution) > 0 { - return fmt.Sprintf("%s (bootstrap: %v)", r.Addr, r.BootstrapResolution) - } - return fmt.Sprintf("%s", r.Addr) -} diff --git a/cmd/tailscale/cli/dns-status.go b/cmd/tailscale/cli/dns-status.go deleted file mode 100644 index e487c66bc..000000000 --- a/cmd/tailscale/cli/dns-status.go +++ /dev/null 
@@ -1,242 +0,0 @@ -// Copyright (c) Tailscale Inc & AUTHORS -// SPDX-License-Identifier: BSD-3-Clause - -package cli - -import ( - "context" - "fmt" - "maps" - "slices" - "strings" - - "tailscale.com/ipn" - "tailscale.com/types/netmap" -) - -// dnsStatusArgs are the arguments for the "dns status" subcommand. -var dnsStatusArgs struct { - all bool -} - -func runDNSStatus(ctx context.Context, args []string) error { - all := dnsStatusArgs.all - s, err := localClient.Status(ctx) - if err != nil { - return err - } - - prefs, err := localClient.GetPrefs(ctx) - if err != nil { - return err - } - enabledStr := "disabled.\n\n(Run 'tailscale set --accept-dns=true' to start sending DNS queries to the Tailscale DNS resolver)" - if prefs.CorpDNS { - enabledStr = "enabled.\n\nTailscale is configured to handle DNS queries on this device.\nRun 'tailscale set --accept-dns=false' to revert to your system default DNS resolver." - } - fmt.Print("\n") - fmt.Println("=== 'Use Tailscale DNS' status ===") - fmt.Print("\n") - fmt.Printf("Tailscale DNS: %s\n", enabledStr) - fmt.Print("\n") - fmt.Println("=== MagicDNS configuration ===") - fmt.Print("\n") - fmt.Println("This is the DNS configuration provided by the coordination server to this device.") - fmt.Print("\n") - if s.CurrentTailnet == nil { - fmt.Println("No tailnet information available; make sure you're logged in to a tailnet.") - return nil - } else if s.CurrentTailnet.MagicDNSEnabled { - fmt.Printf("MagicDNS: enabled tailnet-wide (suffix = %s)", s.CurrentTailnet.MagicDNSSuffix) - fmt.Print("\n\n") - fmt.Printf("Other devices in your tailnet can reach this device at %s\n", s.Self.DNSName) - } else { - fmt.Printf("MagicDNS: disabled tailnet-wide.\n") - } - fmt.Print("\n") - - netMap, err := fetchNetMap() - if err != nil { - fmt.Printf("Failed to fetch network map: %v\n", err) - return err - } - dnsConfig := netMap.DNS - fmt.Println("Resolvers (in preference order):") - if len(dnsConfig.Resolvers) == 0 { - fmt.Println(" (no 
resolvers configured, system default will be used: see 'System DNS configuration' below)") - } - for _, r := range dnsConfig.Resolvers { - fmt.Printf(" - %v", r.Addr) - if r.BootstrapResolution != nil { - fmt.Printf(" (bootstrap: %v)", r.BootstrapResolution) - } - fmt.Print("\n") - } - fmt.Print("\n") - fmt.Println("Split DNS Routes:") - if len(dnsConfig.Routes) == 0 { - fmt.Println(" (no routes configured: split DNS disabled)") - } - for _, k := range slices.Sorted(maps.Keys(dnsConfig.Routes)) { - v := dnsConfig.Routes[k] - for _, r := range v { - fmt.Printf(" - %-30s -> %v", k, r.Addr) - if r.BootstrapResolution != nil { - fmt.Printf(" (bootstrap: %v)", r.BootstrapResolution) - } - fmt.Print("\n") - } - } - fmt.Print("\n") - if all { - fmt.Println("Fallback Resolvers:") - if len(dnsConfig.FallbackResolvers) == 0 { - fmt.Println(" (no fallback resolvers configured)") - } - for i, r := range dnsConfig.FallbackResolvers { - fmt.Printf(" %d: %v\n", i, r) - } - fmt.Print("\n") - } - fmt.Println("Search Domains:") - if len(dnsConfig.Domains) == 0 { - fmt.Println(" (no search domains configured)") - } - domains := dnsConfig.Domains - slices.Sort(domains) - for _, r := range domains { - fmt.Printf(" - %v\n", r) - } - fmt.Print("\n") - if all { - fmt.Println("Nameservers IP Addresses:") - if len(dnsConfig.Nameservers) == 0 { - fmt.Println(" (none were provided)") - } - for _, r := range dnsConfig.Nameservers { - fmt.Printf(" - %v\n", r) - } - fmt.Print("\n") - fmt.Println("Certificate Domains:") - if len(dnsConfig.CertDomains) == 0 { - fmt.Println(" (no certificate domains are configured)") - } - for _, r := range dnsConfig.CertDomains { - fmt.Printf(" - %v\n", r) - } - fmt.Print("\n") - fmt.Println("Additional DNS Records:") - if len(dnsConfig.ExtraRecords) == 0 { - fmt.Println(" (no extra records are configured)") - } - for _, er := range dnsConfig.ExtraRecords { - if er.Type == "" { - fmt.Printf(" - %-50s -> %v\n", er.Name, er.Value) - } else { - fmt.Printf(" - [%s] 
%-50s -> %v\n", er.Type, er.Name, er.Value) - } - } - fmt.Print("\n") - fmt.Println("Filtered suffixes when forwarding DNS queries as an exit node:") - if len(dnsConfig.ExitNodeFilteredSet) == 0 { - fmt.Println(" (no suffixes are filtered)") - } - for _, s := range dnsConfig.ExitNodeFilteredSet { - fmt.Printf(" - %s\n", s) - } - fmt.Print("\n") - } - - fmt.Println("=== System DNS configuration ===") - fmt.Print("\n") - fmt.Println("This is the DNS configuration that Tailscale believes your operating system is using.\nTailscale may use this configuration if 'Override Local DNS' is disabled in the admin console,\nor if no resolvers are provided by the coordination server.") - fmt.Print("\n") - osCfg, err := localClient.GetDNSOSConfig(ctx) - if err != nil { - if strings.Contains(err.Error(), "not supported") { - // avoids showing the HTTP error code which would be odd here - fmt.Println(" (reading the system DNS configuration is not supported on this platform)") - } else { - fmt.Printf(" (failed to read system DNS configuration: %v)\n", err) - } - } else if osCfg == nil { - fmt.Println(" (no OS DNS configuration available)") - } else { - fmt.Println("Nameservers:") - if len(osCfg.Nameservers) == 0 { - fmt.Println(" (no nameservers found, DNS queries might fail\nunless the coordination server is providing a nameserver)") - } - for _, ns := range osCfg.Nameservers { - fmt.Printf(" - %v\n", ns) - } - fmt.Print("\n") - fmt.Println("Search domains:") - if len(osCfg.SearchDomains) == 0 { - fmt.Println(" (no search domains found)") - } - for _, sd := range osCfg.SearchDomains { - fmt.Printf(" - %v\n", sd) - } - if all { - fmt.Print("\n") - fmt.Println("Match domains:") - if len(osCfg.MatchDomains) == 0 { - fmt.Println(" (no match domains found)") - } - for _, md := range osCfg.MatchDomains { - fmt.Printf(" - %v\n", md) - } - } - } - fmt.Print("\n") - fmt.Println("[this is a preliminary version of this command; the output format may change in the future]") - return nil -} - 
-func fetchNetMap() (netMap *netmap.NetworkMap, err error) { - w, err := localClient.WatchIPNBus(context.Background(), ipn.NotifyInitialNetMap) - if err != nil { - return nil, err - } - defer w.Close() - notify, err := w.Next() - if err != nil { - return nil, err - } - if notify.NetMap == nil { - return nil, fmt.Errorf("no network map yet available, please try again later") - } - return notify.NetMap, nil -} - -func dnsStatusLongHelp() string { - return `The 'tailscale dns status' subcommand prints the current DNS status and configuration, including: - -- Whether the built-in DNS forwarder is enabled. -- The MagicDNS configuration provided by the coordination server. -- Details on which resolver(s) Tailscale believes the system is using by default. - -The --all flag can be used to output advanced debugging information, including fallback resolvers, nameservers, certificate domains, extra records, and the exit node filtered set. - -=== Contents of the MagicDNS configuration === - -The MagicDNS configuration is provided by the coordination server to the client and includes the following components: - -- MagicDNS enablement status: Indicates whether MagicDNS is enabled across the entire tailnet. - -- MagicDNS Suffix: The DNS suffix used for devices within your tailnet. - -- DNS Name: The DNS name that other devices in the tailnet can use to reach this device. - -- Resolvers: The preferred DNS resolver(s) to be used for resolving queries, in order of preference. If no resolvers are listed here, the system defaults are used. - -- Split DNS Routes: Custom DNS resolvers may be used to resolve hostnames in specific domains, this is also known as a 'Split DNS' configuration. The mapping of domains to their respective resolvers is provided here. - -- Certificate Domains: The DNS names for which the coordination server will assist in provisioning TLS certificates. 
- -- Extra Records: Additional DNS records that the coordination server might provide to the internal DNS resolver. - -- Exit Node Filtered Set: DNS suffixes that the node, when acting as an exit node DNS proxy, will not answer. - -For more information about the DNS functionality built into Tailscale, refer to https://tailscale.com/kb/1054/dns.` -} diff --git a/cmd/tailscale/cli/dns.go b/cmd/tailscale/cli/dns.go deleted file mode 100644 index 042ce1a94..000000000 --- a/cmd/tailscale/cli/dns.go +++ /dev/null 
@@ -1,49 +0,0 @@ -// Copyright (c) Tailscale Inc & AUTHORS -// SPDX-License-Identifier: BSD-3-Clause - -package cli - -import ( - "flag" - - "github.com/peterbourgon/ff/v3/ffcli" -) - -var dnsCmd = &ffcli.Command{ - Name: "dns", - ShortHelp: "Diagnose the internal DNS forwarder", - LongHelp: dnsCmdLongHelp(), - ShortUsage: "tailscale dns [flags]", - UsageFunc: usageFuncNoDefaultValues, - Subcommands: []*ffcli.Command{ - { - Name: "status", - ShortUsage: "tailscale dns status [--all]", - Exec: runDNSStatus, - ShortHelp: "Prints the current DNS status and configuration", - LongHelp: dnsStatusLongHelp(), - FlagSet: (func() *flag.FlagSet { - fs := newFlagSet("status") - fs.BoolVar(&dnsStatusArgs.all, "all", false, "outputs advanced debugging information (fallback resolvers, nameservers, cert domains, extra records, and exit node filtered set)") - return fs - })(), - }, - { - Name: "query", - ShortUsage: "tailscale dns query [a|aaaa|cname|mx|ns|opt|ptr|srv|txt]", - Exec: runDNSQuery, - ShortHelp: "Perform a DNS query", - LongHelp: "The 'tailscale dns query' subcommand performs a DNS query for the specified name using the internal DNS forwarder (100.100.100.100).\n\nIt also provides information about the resolver(s) used to resolve the query.", - }, - - // TODO: implement `tailscale log` here - - // The above work is tracked in https://github.com/tailscale/tailscale/issues/13326 - }, -} - -func dnsCmdLongHelp() string { - return `The 'tailscale dns' subcommand provides tools for diagnosing the internal DNS forwarder (100.100.100.100). - -For more information about the DNS functionality built into Tailscale, refer to https://tailscale.com/kb/1054/dns.` -} diff --git a/cmd/tailscale/cli/netcheck.go b/cmd/tailscale/cli/netcheck.go index 312475ece..4085c7057 100644 --- a/cmd/tailscale/cli/netcheck.go +++ b/cmd/tailscale/cli/netcheck.go 
@@ -59,9 +59,7 @@ func runNetcheck(ctx context.Context, args []string) error { defer pm.Close() c := &netcheck.Client{ - NetMon: netMon, - PortMapper: pm, - UseDNSCache: false, // always resolve, don't cache + NetMon: netMon, } if netcheckArgs.verbose { c.Logf = logger.WithPrefix(log.Printf, "netcheck: ") diff --git a/cmd/tailscale/cli/status.go b/cmd/tailscale/cli/status.go index e4dccc247..0a411a6b9 100644 --- a/cmd/tailscale/cli/status.go +++ b/cmd/tailscale/cli/status.go @@ -12,24 +12,21 @@ import ( "flag" "fmt" "net" - "net/http" "net/netip" "os" "strconv" "strings" "github.com/peterbourgon/ff/v3/ffcli" - "github.com/toqueteos/webbrowser" "golang.org/x/net/idna" "tailscale.com/ipn" "tailscale.com/ipn/ipnstate" - "tailscale.com/net/netmon" "tailscale.com/util/dnsname" ) var statusCmd = &ffcli.Command{ Name: "status", - ShortUsage: "tailscale status [--active] [--web] [--json]", + ShortUsage: "tailscale status [--active] [--json]", ShortHelp: "Show state of tailscaled and its connections", LongHelp: strings.TrimSpace(` @@ -50,7 +47,6 @@ https://github.com/tailscale/tailscale/blob/main/ipn/ipnstate/ipnstate.go FlagSet: (func() *flag.FlagSet { fs := newFlagSet("status") fs.BoolVar(&statusArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)") - fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status") fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)") fs.BoolVar(&statusArgs.self, "self", true, "show status of local machine") fs.BoolVar(&statusArgs.peers, "peers", true, "show status of peers") 
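Review bot: `runNetcheck` still owns a port mapper (the context line `defer pm.Close()` is unchanged), but the new `netcheck.Client` literal no longer receives it, so `pm` is built and closed without being used by the client, and the report presumably loses its port-mapping probe results. If that is intended for the minimal build, drop the `pm` construction (outside this hunk) along with the field; otherwise keep `PortMapper: pm`. The removed `UseDNSCache: false, // always resolve, don't cache` was also the only statement of the caching intent; if the field still exists, a comment such as `// UseDNSCache left at its zero value: always resolve` keeps that visible. The function starts and ends outside the hunk.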
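Review bot: Removing `--web` from `tailscale status` leaves web-mode remnants behind: the `--active` help string kept in this hunk still ends with `(not applicable to web mode)`, and the following `statusArgs` hunk keeps the `listen` and `browser` fields with their `in web mode` comments. If the `--listen` and `--browser` flags are still registered outside the visible lines, they are now accepted and silently ignored, which misleads anyone scripting against the CLI. Trim the help text to `"filter output to only peers with active sessions"` and remove the two fields and their flag registrations in the same change. The `FlagSet` closure and the struct both extend outside the hunks.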
@@ -62,7 +58,6 @@ https://github.com/tailscale/tailscale/blob/main/ipn/ipnstate/ipnstate.go var statusArgs struct { json bool // JSON output mode - web bool // run webserver listen string // in web mode, webserver address to listen on, empty means auto browser bool // in web mode, whether to open browser active bool // in CLI mode, filter output to only peers with active sessions @@ -97,38 +92,6 @@ func runStatus(ctx context.Context, args []string) error { printf("%s", j) return nil } - if statusArgs.web { - ln, err := net.Listen("tcp", statusArgs.listen) - if err != nil { - return err - } - statusURL := netmon.HTTPOfListener(ln) - printf("Serving Tailscale status at %v ...\n", statusURL) - go func() { - <-ctx.Done() - ln.Close() - }() - if statusArgs.browser { - go webbrowser.Open(statusURL) - } - err = http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.RequestURI != "/" { - http.NotFound(w, r) - return - } - st, err := localClient.Status(ctx) - if err != nil { - http.Error(w, err.Error(), 500) - return - } - w.Header().Set("Content-Type", "text/html; charset=utf-8") - st.WriteHTML(w) - })) - if ctx.Err() != nil { - return ctx.Err() - } - return err - } printHealth := func() { printf("# Health check:\n") diff --git a/cmd/tailscale/cli/syspolicy.go b/cmd/tailscale/cli/syspolicy.go deleted file mode 100644 index 0e903db39..000000000 --- a/cmd/tailscale/cli/syspolicy.go +++ /dev/null 
@@ -1,110 +0,0 @@ -// Copyright (c) Tailscale Inc & AUTHORS -// SPDX-License-Identifier: BSD-3-Clause - -package cli - -import ( - "context" - "encoding/json" - "flag" - "fmt" - "os" - "slices" - "text/tabwriter" - - "github.com/peterbourgon/ff/v3/ffcli" - "tailscale.com/util/syspolicy/setting" -) - -var syspolicyArgs struct { - json bool // JSON output mode -} - -var syspolicyCmd = &ffcli.Command{ - Name: "syspolicy", - ShortHelp: "Diagnose the MDM and system policy configuration", - LongHelp: "The 'tailscale syspolicy' command provides tools for diagnosing the MDM and system policy configuration.", - ShortUsage: "tailscale syspolicy ", - UsageFunc: usageFuncNoDefaultValues, - Subcommands: []*ffcli.Command{ - { - Name: "list", - ShortUsage: "tailscale syspolicy list", - Exec: runSysPolicyList, - ShortHelp: "Prints effective policy settings", - LongHelp: "The 'tailscale syspolicy list' subcommand displays the effective policy settings and their sources (e.g., MDM or environment variables).", - FlagSet: (func() *flag.FlagSet { - fs := newFlagSet("syspolicy list") - fs.BoolVar(&syspolicyArgs.json, "json", false, "output in JSON format") - return fs - })(), - }, - { - Name: "reload", - ShortUsage: "tailscale syspolicy reload", - Exec: runSysPolicyReload, - ShortHelp: "Forces a reload of policy settings, even if no changes are detected, and prints the result", - LongHelp: "The 'tailscale syspolicy reload' subcommand forces a reload of policy settings, even if no changes are detected, and prints the result.", - FlagSet: (func() *flag.FlagSet { - fs := newFlagSet("syspolicy reload") - fs.BoolVar(&syspolicyArgs.json, "json", false, "output in JSON format") - return fs - })(), - }, - }, -} - -func runSysPolicyList(ctx context.Context, args []string) error { - policy, err := localClient.GetEffectivePolicy(ctx, setting.DefaultScope()) - if err != nil { - return err - } - printPolicySettings(policy) - return nil - -} - -func runSysPolicyReload(ctx context.Context, args 
[]string) error { - policy, err := localClient.ReloadEffectivePolicy(ctx, setting.DefaultScope()) - if err != nil { - return err - } - printPolicySettings(policy) - return nil -} - -func printPolicySettings(policy *setting.Snapshot) { - if syspolicyArgs.json { - json, err := json.MarshalIndent(policy, "", "\t") - if err != nil { - errf("syspolicy marshalling error: %v", err) - } else { - outln(string(json)) - } - return - } - if policy.Len() == 0 { - outln("No policy settings") - return - } - - w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0) - fmt.Fprintln(w, "Name\tOrigin\tValue\tError") - fmt.Fprintln(w, "----\t------\t-----\t-----") - for _, k := range slices.Sorted(policy.Keys()) { - setting, _ := policy.GetSetting(k) - var origin string - if o := setting.Origin(); o != nil { - origin = o.String() - } - if err := setting.Error(); err != nil { - fmt.Fprintf(w, "%s\t%s\t\t{%v}\n", k, origin, err) - } else { - fmt.Fprintf(w, "%s\t%s\t%v\t\n", k, origin, setting.Value()) - } - } - w.Flush() - - fmt.Println() - return -} diff --git a/cmd/tailscale/depaware-minlinux.txt b/cmd/tailscale/depaware-minlinux.txt index d640f3aa4..a8f62babe 100644 --- a/cmd/tailscale/depaware-minlinux.txt +++ b/cmd/tailscale/depaware-minlinux.txt @@ -23,7 +23,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep github.com/tailscale/goupnp/soap from github.com/tailscale/goupnp+ github.com/tailscale/goupnp/ssdp from github.com/tailscale/goupnp github.com/tailscale/web-client-prebuilt from tailscale.com/client/web - github.com/toqueteos/webbrowser from tailscale.com/cmd/tailscale/cli 💣 go4.org/mem from tailscale.com/client/tailscale+ go4.org/netipx from tailscale.com/net/tsaddr software.sslmate.com/src/go-pkcs12 from tailscale.com/cmd/tailscale/cli 
@@ -43,7 +42,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep tailscale.com/control/controlhttp/controlhttpcommon from tailscale.com/control/controlhttp tailscale.com/control/controlknobs from tailscale.com/net/portmapper tailscale.com/drive from tailscale.com/client/tailscale+ - tailscale.com/envknob from tailscale.com/client/tailscale+ + tailscale.com/envknob from tailscale.com/client/web+ tailscale.com/envknob/featureknob from tailscale.com/client/web tailscale.com/health from tailscale.com/control/controlhttp+ tailscale.com/health/healthmsg from tailscale.com/cmd/tailscale/cli @@ -75,13 +74,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep tailscale.com/tstime from tailscale.com/control/controlhttp tailscale.com/tstime/mono from tailscale.com/tstime/rate tailscale.com/tstime/rate from tailscale.com/cmd/tailscale/cli - tailscale.com/types/dnstype from tailscale.com/client/tailscale+ tailscale.com/types/empty from tailscale.com/ipn tailscale.com/types/ipproto from tailscale.com/ipn+ tailscale.com/types/key from tailscale.com/client/tailscale+ tailscale.com/types/lazy from tailscale.com/version tailscale.com/types/logger from tailscale.com/client/web+ - tailscale.com/types/netmap from tailscale.com/cmd/tailscale/cli+ + tailscale.com/types/netmap from tailscale.com/ipn tailscale.com/types/nettype from tailscale.com/net/netcheck+ tailscale.com/types/opt from tailscale.com/client/tailscale+ tailscale.com/types/persist from tailscale.com/ipn 
@@ -104,7 +102,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep tailscale.com/util/quarantine from tailscale.com/cmd/tailscale/cli tailscale.com/util/set from tailscale.com/health+ tailscale.com/util/slicesx from tailscale.com/cmd/tailscale/cli+ - tailscale.com/util/syspolicy/setting from tailscale.com/client/tailscale+ tailscale.com/util/testenv from tailscale.com/cmd/tailscale/cli tailscale.com/util/truncate from tailscale.com/cmd/tailscale/cli tailscale.com/util/vizerror from tailscale.com/tailcfg+ @@ -125,7 +122,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep golang.org/x/crypto/pbkdf2 from software.sslmate.com/src/go-pkcs12 golang.org/x/crypto/salsa20/salsa from golang.org/x/crypto/nacl/box+ golang.org/x/crypto/sha3 from crypto/internal/mlkem768+ - golang.org/x/net/dns/dnsmessage from net+ + golang.org/x/net/dns/dnsmessage from net golang.org/x/net/http/httpguts from golang.org/x/net/http2+ golang.org/x/net/http/httpproxy from net/http+ golang.org/x/net/http2 from tailscale.com/cmd/tailscale/cli+ @@ -221,7 +218,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep net/textproto from golang.org/x/net/http/httpguts+ net/url from crypto/x509+ os from crypto/rand+ - os/exec from github.com/toqueteos/webbrowser+ + os/exec from net/http/cgi+ os/signal from tailscale.com/cmd/tailscale/cli os/user from archive/tar+ path from archive/tar+