diff --git a/rust/connlib/tunnel/src/client.rs b/rust/connlib/tunnel/src/client.rs
index b1c21665c..3eb6c96c4 100644
--- a/rust/connlib/tunnel/src/client.rs
+++ b/rust/connlib/tunnel/src/client.rs
@@ -32,6 +32,10 @@ use std::time::Duration;
 use tokio::time::Instant;
 use webrtc::ice_transport::ice_candidate::RTCIceCandidate;
+// Using str here because Ipv4/6Network doesn't support `const` 🙃
+const IPV4_RESOURCES: &str = "100.96.0.0/11";
+const IPV6_RESOURCES: &str = "fd00:2021:1111:8000::/107";
+
 #[derive(Debug, Clone, Hash, PartialEq, Eq)]
 pub struct DnsResource {
     pub id: ResourceId,
@@ -117,7 +121,17 @@ where
         self.device.store(Some(device.clone()));
         self.no_device_waker.wake();
+        // TODO: the requirement for the DNS_SENTINEL means you NEED ipv4 stack
+        // we are trying to support ipv4 and ipv6, so we should have an ipv6 dns sentinel
+        // alternative.
         self.add_route(DNS_SENTINEL.into()).await?;
+        // Note: I'm just assuming this needs to succeed since we already require ipv4 stack due to the dns sentinel
+        // TODO: change me when we don't require ipv4
+        self.add_route(IPV4_RESOURCES.parse().unwrap()).await?;
+
+        if let Err(e) = self.add_route(IPV6_RESOURCES.parse().unwrap()).await {
+            tracing::warn!(err = ?e, "ipv6 not supported");
+        }
         self.callbacks.on_tunnel_ready()?;
@@ -595,8 +609,8 @@ impl Default for ClientState {
             dns_strategy: Default::default(),
             // TODO: decide ip ranges
             ip_provider: IpProvider::new(
-                "100.96.0.0/11".parse().unwrap(),
-                "fd00:2021:1111:8000::/107".parse().unwrap(),
+                IPV4_RESOURCES.parse().unwrap(),
+                IPV6_RESOURCES.parse().unwrap(),
             ),
             dns_resources_internal_ips: Default::default(),
             dns_resources: Default::default(),
diff --git a/rust/connlib/tunnel/src/control_protocol/client.rs b/rust/connlib/tunnel/src/control_protocol/client.rs
index 6b8963b59..6807452f6 100644
--- a/rust/connlib/tunnel/src/control_protocol/client.rs
+++ b/rust/connlib/tunnel/src/control_protocol/client.rs
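Review bot: `IPV4_RESOURCES` and `IPV6_RESOURCES` are only validated when they are `parse().unwrap()`ed at runtime, in the `add_route` calls of the hunk at +121 and in `IpProvider::new` at +609, so a typo in either literal becomes a panic during tunnel setup rather than a test failure. A small unit test next to the constants pins that down, e.g. `#[test] fn resource_ranges_parse() { IPV4_RESOURCES.parse::<Ipv4Network>().unwrap(); IPV6_RESOURCES.parse::<Ipv6Network>().unwrap(); }`; the comment names the `Ipv4Network`/`Ipv6Network` types, but whether they are in scope in this file under those names is not visible here.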
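Review bot: A failed `add_route` for `IPV6_RESOURCES` is only logged, but nothing records that the v6 resource range is unroutable: `IpProvider::new` in the hunk at +609 still hands out addresses from that prefix and the change in `control_protocol/client.rs` still answers AAAA queries with them, so on a host without IPv6 support DNS resources would likely resolve to addresses that never reach the tunnel. Consider remembering the outcome on the client state and skipping the AAAA answer (or the v6 allocation) when the route is missing; whether such a field already exists is not visible in this diff. The warning would also be more useful with the prefix in it, e.g. `tracing::warn!(err = ?e, prefix = IPV6_RESOURCES, "failed to add ipv6 resource route; ipv6 resources will be unreachable");`. The enclosing function starts and ends outside the hunk.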
@@ -272,33 +272,33 @@ where
             })
             .collect();
-        let dev = Arc::clone(self);
-        let ips = addrs.clone();
-        let resource = resource_description.clone();
-        tokio::spawn(async move {
-            for ip in &ips {
-                if let Err(e) = dev.add_route((*ip).into()).await {
-                    tracing::error!(err = ?e, "add route failed");
-                }
-            }
+        role_state
+            .dns_resources_internal_ips
+            .insert(resource_description.clone(), addrs.clone());
-            if let Some(device) = dev.device.load().as_ref() {
-                let mut role_state = dev.role_state.lock();
-                send_dns_answer(&mut role_state, Rtype::Aaaa, device, &resource, &ips);
-                send_dns_answer(&mut role_state, Rtype::A, device, &resource, &ips);
-            }
-
-            dev.role_state
-                .lock()
-                .dns_resources_internal_ips
-                .insert(resource, ips);
-        });
-
-        let ips: Vec = addrs.into_iter().map(Into::into).collect();
+        let ips: Vec = addrs.iter().copied().map(Into::into).collect();
         for ip in &ips {
             peer.add_allowed_ip(*ip);
         }
+        if let Some(device) = self.device.load().as_ref() {
+            send_dns_answer(
+                &mut role_state,
+                Rtype::Aaaa,
+                device,
+                &resource_description,
+                &addrs,
+            );
+
+            send_dns_answer(
+                &mut role_state,
+                Rtype::A,
+                device,
+                &resource_description,
+                &addrs,
+            );
+        }
+
         Ok(ips)
     }
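Review bot: The two `send_dns_answer` calls at the end of the hunk are identical except for the record type; a loop `for rtype in [Rtype::Aaaa, Rtype::A] { send_dns_answer(&mut role_state, rtype, device, &resource_description, &addrs); }` says the same in three lines and keeps the two argument lists from drifting apart. With the spawned task gone, these sends now run while the `role_state` guard (acquired before the hunk starts) is held, which is fine as long as `send_dns_answer` does no blocking work; that is not visible here. When `self.device.load()` is `None` the internal IPs are recorded but no answer is sent, as before; a short comment such as `// No device yet: only record the IPs; the DNS answer is sent once a device exists.` would tell the next reader whether the pending query is answered elsewhere or deliberately dropped. The enclosing function starts before the hunk.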