diff --git a/rust/connlib/tunnel/proptest-regressions/tests.txt b/rust/connlib/tunnel/proptest-regressions/tests.txt
index f8c1e87b9..43690da50 100644
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -56,3 +56,4 @@ cc 28573ca2841022e1aa40737c1fda4f870807aeba41f79949a3bfa37a6cab0080 # shrinks to
 cc cd529437ca42deb6fe43a3c3480aba20611ad23f3c1da91f4b4b19c8e9977edd # shrinks to (initial_state, transitions, seen_counter) = (ReferenceState { now: Instant { tv_sec: 34709, tv_nsec: 101922579 }, utc_now: 2024-07-19T08:54:07.235770589Z, client: Host { inner: RefClient { id: ClientId(00000000-0000-0000-0000-000000000000), key: PrivateKey("0000000000000000000000000000000000000000000000000000000000000000"), known_hosts: {}, tunnel_ip4: 100.64.0.1, tunnel_ip6: fd00:2021:1111::, system_dns_resolvers: [0.0.0.0], upstream_dns_resolvers: [], cidr_resources: {}, dns_resources: {}, dns_records: {}, connected_cidr_resources: {}, connected_dns_resources: {}, expected_icmp_handshakes: {}, expected_dns_handshakes: [] }, ip4: Some(203.0.113.1), ip6: None, old_ports: {0}, default_port: 1, allocated_ports: {(1, V4)} }, gateways: {GatewayId(00000000-0000-0000-0000-000000000001): Host { inner: RefGateway { key: PrivateKey("0000000000000000000000000000000000000000000000000000000000000002") }, ip4: Some(203.0.113.2), ip6: Some(2001:db80::1), old_ports: {0}, default_port: 1, allocated_ports: {(1, V4), (1, V6)} }, GatewayId(00000000-0000-0000-0000-000000000000): Host { inner: RefGateway { key: PrivateKey("0000000000000000000000000000000000000000000000000000000000000001") }, ip4: Some(203.0.113.13), ip6: Some(2001:db80::), old_ports: {0}, default_port: 1, allocated_ports: {(1, V4), (1, V6)} }}, relays: {RelayId(59a7486f-9a8a-a1d2-c64c-abfaf3f6a2c6): Host { inner: 15006124509890167122, ip4: Some(203.0.113.12), ip6: Some(2001:db80::19), old_ports: {0}, default_port: 3478, allocated_ports: {(3478, V4), (3478, V6)} }}, portal: StubPortal { gateways_by_site: {SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5): {GatewayId(00000000-0000-0000-0000-000000000001)}, SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c): {GatewayId(00000000-0000-0000-0000-000000000000)}}, sites_by_resource: {ResourceId(ade4473c-d7a4-57a1-0a0a-9f5f7e6e6018): SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), ResourceId(cc182650-b93c-aa71-c01c-24b19b8cb471): SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), ResourceId(c87ffcbe-d0b7-6934-bed8-7df2a64f25a0): SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), ResourceId(cebf5e3e-4155-0756-cb22-41381ca938a9): SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), ResourceId(5debe9f5-1ffe-bb3e-c62d-4d32059ef45d): SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac): SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), ResourceId(50593d69-0bc2-dd50-d37f-4c3aee9dfb47): SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), ResourceId(78321dd6-2f50-f746-0cdb-66bade5561b0): SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), ResourceId(48edbf7d-db4e-bcae-7727-f6fcfe61d332): SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5)}, cidr_resources: {ResourceId(ade4473c-d7a4-57a1-0a0a-9f5f7e6e6018): ResourceDescriptionCidr { id: ResourceId(ade4473c-d7a4-57a1-0a0a-9f5f7e6e6018), address: V6(Ipv6Network { network_address: ::ffff:178.120.78.128, netmask: 122 }), name: "lfiahh", address_description: Some("mrmruidpxi"), sites: [Site { id: SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), name: "ubdbsyz" }] }, ResourceId(c87ffcbe-d0b7-6934-bed8-7df2a64f25a0): ResourceDescriptionCidr { id: ResourceId(c87ffcbe-d0b7-6934-bed8-7df2a64f25a0), address: V4(Ipv4Network { network_address: 135.222.169.18, netmask: 31 }), name: "gtzawwzgj", address_description: Some("ieyedhvtey"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] }, ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac): ResourceDescriptionCidr { id: ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac), address: V4(Ipv4Network { network_address: 218.74.119.192, netmask: 27 }), name: "uvokwm", address_description: Some("ajaamit"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] }, ResourceId(48edbf7d-db4e-bcae-7727-f6fcfe61d332): ResourceDescriptionCidr { id: ResourceId(48edbf7d-db4e-bcae-7727-f6fcfe61d332), address: V6(Ipv6Network { network_address: ::ffff:127.0.0.0, netmask: 121 }), name: "ksse", address_description: None, sites: [Site { id: SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), name: "ubdbsyz" }] }, ResourceId(5debe9f5-1ffe-bb3e-c62d-4d32059ef45d): ResourceDescriptionCidr { id: ResourceId(5debe9f5-1ffe-bb3e-c62d-4d32059ef45d), address: V6(Ipv6Network { network_address: ::ffff:169.166.125.160, netmask: 124 }), name: "hkcshlmxa", address_description: Some("lhrzhv"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] }, ResourceId(50593d69-0bc2-dd50-d37f-4c3aee9dfb47): ResourceDescriptionCidr { id: ResourceId(50593d69-0bc2-dd50-d37f-4c3aee9dfb47), address: V6(Ipv6Network { network_address: ::ffff:169.201.73.64, netmask: 126 }), name: "cpwyl", address_description: Some("aifqq"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] }, ResourceId(cc182650-b93c-aa71-c01c-24b19b8cb471): ResourceDescriptionCidr { id: ResourceId(cc182650-b93c-aa71-c01c-24b19b8cb471), address: V6(Ipv6Network { network_address: 960f:8852:4b92:568a:74d2:f183:208d:91f0, netmask: 125 }), name: "atwhznn", address_description: Some("enmyotvco"), sites: [Site { id: SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), name: "ubdbsyz" }] }, ResourceId(cebf5e3e-4155-0756-cb22-41381ca938a9): ResourceDescriptionCidr { id: ResourceId(cebf5e3e-4155-0756-cb22-41381ca938a9), address: V6(Ipv6Network { network_address: bab3:aa90:eb20:ce8:577b:c715:307:f280, netmask: 121 }), name: "rfgnw", address_description: None, sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] }}, dns_resources: {ResourceId(78321dd6-2f50-f746-0cdb-66bade5561b0): ResourceDescriptionDns { id: ResourceId(78321dd6-2f50-f746-0cdb-66bade5561b0), address: "hqmjr.xzk", name: "luvxonqf", address_description: Some("qgejhkvy"), sites: [Site { id: SiteId(829ca82c-5fef-1150-37a8-47c64f5f1ac5), name: "ubdbsyz" }] }}, gateway_selector: Selector { rng: TestRng { rng: ChaCha(ChaCha20Rng { rng: BlockRng { core: ChaChaXCore {}, result_len: 64, index: 64 } }) }, bias_increment: 0 } }, global_dns_records: {Name(fvcqs.pudu.): {205.204.194.141, 180.103.165.165, 141.68.249.218, 44d2:15cb:ea4f:ab9e:9a3c:5818:be6b:2d57}, Name(hqmjr.xzk.): {198.51.100.1}}, network: RoutingTable { routes: {(V4(Ipv4Network { network_address: 203.0.113.1, netmask: 32 }), Client(ClientId(00000000-0000-0000-0000-000000000000))), (V4(Ipv4Network { network_address: 203.0.113.2, netmask: 32 }), Gateway(GatewayId(00000000-0000-0000-0000-000000000001))), (V4(Ipv4Network { network_address: 203.0.113.12, netmask: 32 }), Relay(RelayId(59a7486f-9a8a-a1d2-c64c-abfaf3f6a2c6))), (V4(Ipv4Network { network_address: 203.0.113.13, netmask: 32 }), Gateway(GatewayId(00000000-0000-0000-0000-000000000000))), (V6(Ipv6Network { network_address: 2001:db80::, netmask: 128 }), Gateway(GatewayId(00000000-0000-0000-0000-000000000000))), (V6(Ipv6Network { network_address: 2001:db80::1, netmask: 128 }), Gateway(GatewayId(00000000-0000-0000-0000-000000000001))), (V6(Ipv6Network { network_address: 2001:db80::19, netmask: 128 }), Relay(RelayId(59a7486f-9a8a-a1d2-c64c-abfaf3f6a2c6)))} } }, [ActivateResource(Cidr(ResourceDescriptionCidr { id: ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac), address: V4(Ipv4Network { network_address: 218.74.119.192, netmask: 27 }), name: "uvokwm", address_description: Some("ajaamit"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] })), SendICMPPacketToCidrResource { src: 100.64.0.1, dst: 218.74.119.192, seq: 0, identifier: 0 }, DeactivateResource(ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac)), ActivateResource(Cidr(ResourceDescriptionCidr { id: ResourceId(cebf5e3e-4155-0756-cb22-41381ca938a9), address: V6(Ipv6Network { network_address: bab3:aa90:eb20:ce8:577b:c715:307:f280, netmask: 121 }), name: "rfgnw", address_description: None, sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] })), SendICMPPacketToCidrResource { src: fd00:2021:1111::, dst: bab3:aa90:eb20:ce8:577b:c715:307:f280, seq: 0, identifier: 0 }, ActivateResource(Cidr(ResourceDescriptionCidr { id: ResourceId(1185b4d0-bdbc-0da6-b529-32ade22168ac), address: V4(Ipv4Network { network_address: 218.74.119.192, netmask: 27 }), name: "uvokwm", address_description: Some("ajaamit"), sites: [Site { id: SiteId(a3377dbf-7b90-599c-51c5-b7f06f40171c), name: "tgjq" }] })), SendICMPPacketToCidrResource { src: 100.64.0.1, dst: 218.74.119.192, seq: 0, identifier: 0 }, SendICMPPacketToCidrResource { src: 100.64.0.1, dst: 218.74.119.192, seq: 0, identifier: 0 }], None)
 cc f5a8e8fd890e576f208bcedf184f15be1163a70eb75c090bef33874973abc440
 cc 03e85f5a4bc1e4d3eb44e2853e66e5ea9f89bb98f0d5a05bd5e9baa1b18def4f # shrinks to (initial_state, transitions, seen_counter) = (ReferenceState { now: Instant { tv_sec: 53253, tv_nsec: 940862355 }, utc_now: 2024-07-19T14:03:12.074710495Z, client: Host { inner: RefClient { id: ClientId(00000000-0000-0000-0000-000000000000), key: PrivateKey("0000000000000000000000000000000000000000000000000000000000000000"), known_hosts: {}, tunnel_ip4: 100.64.0.1, tunnel_ip6: fd00:2021:1111::, system_dns_resolvers: [0.0.0.0], upstream_dns_resolvers: [IpPort(IpDnsServer { address: 0.0.0.0:53 }), IpPort(IpDnsServer { address: [e44c:d620:c1e9:e326:361d:e6ad:1caf:25a2]:53 }), IpPort(IpDnsServer { address: [6603:13c5:6335:3984:4e59:6b0b:62a3:f068]:53 })], cidr_resources: {}, dns_resources: {}, dns_records: {}, connected_cidr_resources: {}, connected_dns_resources: {}, expected_icmp_handshakes: {}, expected_dns_handshakes: [] }, ip4: None, ip6: Some(2001:db80::7), old_ports: {0}, default_port: 46113, allocated_ports: {(46113, V6)} }, gateways: {GatewayId(dc30baba-eed8-0817-ec08-9af76ec6a705): Host { inner: RefGateway { key: PrivateKey("14afc0f1981355fe5efc1fc7986568a6f8eac259b7344c17a3be9a6a15cfaa44") }, ip4: Some(203.0.113.61), ip6: Some(2001:db80::29), old_ports: {0}, default_port: 47760, allocated_ports: {(47760, V4), (47760, V6)} }, GatewayId(351b6669-2ecc-d4ef-bfdb-ae7e67335f0f): Host { inner: RefGateway { key: PrivateKey("91e26f9b93c82a52358a25bfa38be88daeeb005ee76dbee1ee0eb670d3187fd0") }, ip4: Some(203.0.113.53), ip6: None, old_ports: {0}, default_port: 52416, allocated_ports: {(52416, V4)} }, GatewayId(986cb888-7e70-963c-2424-716987ce2b63): Host { inner: RefGateway { key: PrivateKey("46337def7696c2d69a86e69c37b9b5fc5a66a041665452bfb6871683f1c8623d") }, ip4: None, ip6: Some(2001:db80::45), old_ports: {0}, default_port: 44026, allocated_ports: {(44026, V6)} }}, relays: {RelayId(75d67559-7bfa-5a63-6a27-0e61219b0911): Host { inner: 17233114666030775146, ip4: Some(203.0.113.86), ip6: Some(2001:db80::8), old_ports: {0}, default_port: 3478, allocated_ports: {(3478, V4), (3478, V6)} }, RelayId(db5e85e5-c0d4-5ba8-5f2e-7edd8a257295): Host { inner: 10133780386335438457, ip4: Some(203.0.113.55), ip6: Some(2001:db80::24), old_ports: {0}, default_port: 3478, allocated_ports: {(3478, V6), (3478, V4)} }}, portal: StubPortal { gateways_by_site: {SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e): {GatewayId(986cb888-7e70-963c-2424-716987ce2b63), GatewayId(dc30baba-eed8-0817-ec08-9af76ec6a705)}, SiteId(7d5bb747-fd32-ce19-9627-48579bc60347): {GatewayId(351b6669-2ecc-d4ef-bfdb-ae7e67335f0f)}}, sites_by_resource: {ResourceId(a5d7c295-c083-f35c-a7a6-bca3dc945df6): SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e), ResourceId(00de7415-e811-9256-e3a0-c5f5c1c17575): SiteId(7d5bb747-fd32-ce19-9627-48579bc60347), ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9): SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e)}, cidr_resources: {ResourceId(00de7415-e811-9256-e3a0-c5f5c1c17575): ResourceDescriptionCidr { id: ResourceId(00de7415-e811-9256-e3a0-c5f5c1c17575), address: V4(Ipv4Network { network_address: 127.0.0.0, netmask: 26 }), name: "pvwdyrsutv", address_description: None, sites: [Site { id: SiteId(7d5bb747-fd32-ce19-9627-48579bc60347), name: "miyzapusu" }] }}, dns_resources: {ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9): ResourceDescriptionDns { id: ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9), address: "tcdg.soggv", name: "xguldtdm", address_description: Some("cnrzwdta"), sites: [Site { id: SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e), name: "opkgdiwul" }] }, ResourceId(a5d7c295-c083-f35c-a7a6-bca3dc945df6): ResourceDescriptionDns { id: ResourceId(a5d7c295-c083-f35c-a7a6-bca3dc945df6), address: "wotdd.nsc", name: "gamlub", address_description: Some("fnig"), sites: [Site { id: SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e), name: "opkgdiwul" }] }}, gateway_selector: Selector { rng: TestRng { rng: ChaCha(ChaCha20Rng { rng: BlockRng { core: ChaChaXCore {}, result_len: 64, index: 64 } }) }, bias_increment: 0 } }, global_dns_records: {Name(gmvtch.micn.csycux.): {166.54.78.5, 89.218.96.4, a9b4:c51b:847:baa0:3d37:b7a7:7a41:a758, ::ffff:80.139.91.47}, Name(wotdd.nsc.): {198.51.100.89, 2001:db80::1d, 2001:db80::b, 2001:db80::41, 2001:db80::7}, Name(fauky.ojbl.): {32.237.235.35, ::ffff:127.0.0.1, 217.177.40.0}, Name(tcdg.soggv.): {198.51.100.101, 2001:db80::12}}, network: RoutingTable { routes: {(V4(Ipv4Network { network_address: 203.0.113.53, netmask: 32 }), Gateway(GatewayId(351b6669-2ecc-d4ef-bfdb-ae7e67335f0f))), (V4(Ipv4Network { network_address: 203.0.113.55, netmask: 32 }), Relay(RelayId(db5e85e5-c0d4-5ba8-5f2e-7edd8a257295))), (V4(Ipv4Network { network_address: 203.0.113.61, netmask: 32 }), Gateway(GatewayId(dc30baba-eed8-0817-ec08-9af76ec6a705))), (V4(Ipv4Network { network_address: 203.0.113.86, netmask: 32 }), Relay(RelayId(75d67559-7bfa-5a63-6a27-0e61219b0911))), (V6(Ipv6Network { network_address: 2001:db80::7, netmask: 128 }), Client(ClientId(00000000-0000-0000-0000-000000000000))), (V6(Ipv6Network { network_address: 2001:db80::8, netmask: 128 }), Relay(RelayId(75d67559-7bfa-5a63-6a27-0e61219b0911))), (V6(Ipv6Network { network_address: 2001:db80::24, netmask: 128 }), Relay(RelayId(db5e85e5-c0d4-5ba8-5f2e-7edd8a257295))), (V6(Ipv6Network { network_address: 2001:db80::29, netmask: 128 }), Gateway(GatewayId(dc30baba-eed8-0817-ec08-9af76ec6a705))), (V6(Ipv6Network { network_address: 2001:db80::45, netmask: 128 }), Gateway(GatewayId(986cb888-7e70-963c-2424-716987ce2b63)))} } }, [ActivateResource(Dns(ResourceDescriptionDns { id: ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9), address: "tcdg.soggv", name: "xguldtdm", address_description: Some("cnrzwdta"), sites: [Site { id: SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e), name: "opkgdiwul" }] })), SendDnsQuery { domain: Name(tcdg.soggv.), r_type: A, query_id: 52671, dns_server: [6603:13c5:6335:3984:4e59:6b0b:62a3:f068]:53 }, SendICMPPacketToDnsResource { src: 100.64.0.1, dst: Name(tcdg.soggv.), seq: 0, identifier: 0 }, DeactivateResource(ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9)), ActivateResource(Dns(ResourceDescriptionDns { id: ResourceId(96ec6dae-6a4b-b22c-e885-7e69b42d6bb9), address: "tcdg.soggv", name: "xguldtdm", address_description: Some("cnrzwdta"), sites: [Site { id: SiteId(dd8656de-e47d-c26a-c47c-313176f5d05e), name: "opkgdiwul" }] })), SendDnsQuery { domain: Name(tcdg.soggv.), r_type: AAAA, query_id: 36641, dns_server: [e44c:d620:c1e9:e326:361d:e6ad:1caf:25a2]:53 }, SendICMPPacketToDnsResource { src: fd00:2021:1111::, dst: Name(tcdg.soggv.), seq: 0, identifier: 0 }], None)
+cc 547a1c29e31d0e03c3d9645dd7d644cf6ee24d4118333efae50c6a0d7e2dd1e6 # shrinks to (initial_state, transitions, seen_counter) = (ReferenceState { now: Instant { tv_sec: 294166, tv_nsec: 684186989 }, utc_now: 2024-07-20T03:30:33.641354967Z, client: Host { inner: RefClient { id: ClientId(00000000-0000-0000-0000-000000000000), key: PrivateKey("0000000000000000000000000000000000000000000000000000000000000000"), known_hosts: {}, tunnel_ip4: 100.64.0.1, tunnel_ip6: fd00:2021:1111::, system_dns_resolvers: [127.0.0.1], upstream_dns_resolvers: [], cidr_resources: {}, dns_resources: {}, dns_records: {}, connected_cidr_resources: {}, connected_dns_resources: {}, expected_icmp_handshakes: {}, expected_dns_handshakes: [] }, ip4: Some(203.0.113.41), ip6: None, old_ports: {0}, default_port: 51234, allocated_ports: {(51234, V4)} }, gateways: {GatewayId(29009c2e-c7bb-b747-2f2a-35b6a061e4ba): Host { inner: RefGateway { key: PrivateKey("5e8e55c90177c08697e3bd5b7217c7034717dcc22deec7cd5d724a56474b88c4") }, ip4: Some(203.0.113.97), ip6: Some(2001:db80::18), old_ports: {0}, default_port: 30743, allocated_ports: {(30743, V4), (30743, V6)} }, GatewayId(bec0b567-d5c2-abae-d198-b4e40558eb5d): Host { inner: RefGateway { key: PrivateKey("a861b5319dd811adf29a182e6ae6d441ea99b2da3de1f5d854323491d8791f75") }, ip4: Some(203.0.113.50), ip6: None, old_ports: {0}, default_port: 61420, allocated_ports: {(61420, V4)} }}, relays: {RelayId(f8821991-8760-432e-774e-9e9f10601a2d): Host { inner: 3060437218861478241, ip4: Some(203.0.113.76), ip6: Some(2001:db80::13), old_ports: {0}, default_port: 3478, allocated_ports: {(3478, V4), (3478, V6)} }, RelayId(15d626e3-4273-0112-ae12-b10d68e45670): Host { inner: 7324147672620279826, ip4: Some(203.0.113.6), ip6: Some(2001:db80::35), old_ports: {0}, default_port: 3478, allocated_ports: {(3478, V4), (3478, V6)} }}, portal: StubPortal { gateways_by_site: {SiteId(926baf76-74f7-9f10-33ce-ecc193225045): {GatewayId(bec0b567-d5c2-abae-d198-b4e40558eb5d), GatewayId(29009c2e-c7bb-b747-2f2a-35b6a061e4ba)}}, sites_by_resource: {ResourceId(4fb7cd6e-426f-9447-4874-63227a86bb1c): SiteId(926baf76-74f7-9f10-33ce-ecc193225045), ResourceId(95628b17-9f45-57b7-773c-ca1f9ba51b0d): SiteId(926baf76-74f7-9f10-33ce-ecc193225045), ResourceId(bde971c9-7a7d-2bb8-e4ed-4aabb9cd7046): SiteId(926baf76-74f7-9f10-33ce-ecc193225045), ResourceId(b28854b5-f5b3-fc05-f825-f199d538e2fd): SiteId(926baf76-74f7-9f10-33ce-ecc193225045), ResourceId(f61fd3bf-823e-0c47-bee7-3f2a566cd7c7): SiteId(926baf76-74f7-9f10-33ce-ecc193225045)}, cidr_resources: {ResourceId(f61fd3bf-823e-0c47-bee7-3f2a566cd7c7): ResourceDescriptionCidr { id: ResourceId(f61fd3bf-823e-0c47-bee7-3f2a566cd7c7), address: V6(Ipv6Network { network_address: f423:16f2:a47:2104:8706:c6b0:512b:d8a0, netmask: 124 }), name: "djwqojp", address_description: None, sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] }, ResourceId(4fb7cd6e-426f-9447-4874-63227a86bb1c): ResourceDescriptionCidr { id: ResourceId(4fb7cd6e-426f-9447-4874-63227a86bb1c), address: V6(Ipv6Network { network_address: ::ffff:64.186.64.56, netmask: 125 }), name: "ieybqj", address_description: Some("rxykuo"), sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] }, ResourceId(bde971c9-7a7d-2bb8-e4ed-4aabb9cd7046): ResourceDescriptionCidr { id: ResourceId(bde971c9-7a7d-2bb8-e4ed-4aabb9cd7046), address: V4(Ipv4Network { network_address: 127.0.0.0, netmask: 28 }), name: "cwagxmyay", address_description: None, sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] }, ResourceId(b28854b5-f5b3-fc05-f825-f199d538e2fd): ResourceDescriptionCidr { id: ResourceId(b28854b5-f5b3-fc05-f825-f199d538e2fd), address: V6(Ipv6Network { network_address: 183:10ea:2b4:e15:75ff:3012:18b7:e0d0, netmask: 124 }), name: "hnhmn", address_description: None, sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] }}, dns_resources: {ResourceId(95628b17-9f45-57b7-773c-ca1f9ba51b0d): ResourceDescriptionDns { id: ResourceId(95628b17-9f45-57b7-773c-ca1f9ba51b0d), address: "?.spspt.yxil.ycym", name: "fmumrt", address_description: Some("wwrfj"), sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] }}, gateway_selector: Selector { rng: TestRng { rng: ChaCha(ChaCha20Rng { rng: BlockRng { core: ChaChaXCore {}, result_len: 64, index: 64 } }) }, bias_increment: 0 } }, global_dns_records: {Name(nme.ectfdn.nxom.): {140d:e0d6:a055:84bd:6a07:ac77:e087:192a, 127.0.0.1, 59.107.216.84, 217.110.117.58}, Name(ynhth.vtdg.qzbhqk.): {b24d:5587:4408:336a:deab:790a:8959:889d, ::ffff:127.0.0.1}, Name(krsmtn.unzrvv.): {79.222.225.84, 127.0.0.1}, Name(drcf.spspt.yxil.ycym.): {198.51.100.134, 198.51.100.80}, Name(stvij.spspt.yxil.ycym.): {2001:db80::2, 2001:db80::aa, 2001:db80::d6}}, network: RoutingTable { routes: {(V4(Ipv4Network { network_address: 203.0.113.6, netmask: 32 }), Relay(RelayId(15d626e3-4273-0112-ae12-b10d68e45670))), (V4(Ipv4Network { network_address: 203.0.113.41, netmask: 32 }), Client(ClientId(00000000-0000-0000-0000-000000000000))), (V4(Ipv4Network { network_address: 203.0.113.50, netmask: 32 }), Gateway(GatewayId(bec0b567-d5c2-abae-d198-b4e40558eb5d))), (V4(Ipv4Network { network_address: 203.0.113.76, netmask: 32 }), Relay(RelayId(f8821991-8760-432e-774e-9e9f10601a2d))), (V4(Ipv4Network { network_address: 203.0.113.97, netmask: 32 }), Gateway(GatewayId(29009c2e-c7bb-b747-2f2a-35b6a061e4ba))), (V6(Ipv6Network { network_address: 2001:db80::13, netmask: 128 }), Relay(RelayId(f8821991-8760-432e-774e-9e9f10601a2d))), (V6(Ipv6Network { network_address: 2001:db80::18, netmask: 128 }), Gateway(GatewayId(29009c2e-c7bb-b747-2f2a-35b6a061e4ba))), (V6(Ipv6Network { network_address: 2001:db80::35, netmask: 128 }), Relay(RelayId(15d626e3-4273-0112-ae12-b10d68e45670)))} } }, [ActivateResource(Cidr(ResourceDescriptionCidr { id: ResourceId(bde971c9-7a7d-2bb8-e4ed-4aabb9cd7046), address: V4(Ipv4Network { network_address: 127.0.0.0, netmask: 28 }), name: "cwagxmyay", address_description: None, sites: [Site { id: SiteId(926baf76-74f7-9f10-33ce-ecc193225045), name: "autpi" }] })), SendDnsQuery { domain: Name(nme.ectfdn.nxom.), r_type: A, query_id: 0, dns_server: 127.0.0.1:53 }], None)
diff --git a/rust/connlib/tunnel/src/client.rs b/rust/connlib/tunnel/src/client.rs
index dcd77b4a0..32987ce65 100644
--- a/rust/connlib/tunnel/src/client.rs
+++ b/rust/connlib/tunnel/src/client.rs
@@ -583,6 +583,14 @@ impl ClientState {
         })));
     }
 
+    fn is_upstream_set_by_the_portal(&self) -> bool {
+        let Some(interface) = &self.interface_config else {
+            return false;
+        };
+
+        !interface.upstream_dns.is_empty()
+    }
+
     /// Attempt to handle the given packet as a DNS packet.
     ///
     /// Returns `Ok` if the packet is in fact a DNS query with an optional response to send back.
@@ -599,13 +607,14 @@ impl ClientState {
             Some(dns::ResolveStrategy::ForwardQuery(query)) => {
                 // There's an edge case here, where the resolver's ip has been resolved before as
                 // a dns resource... we will ignore that weird case for now.
-                // Assuming a single upstream dns until #3123 lands
                 if let Some(upstream_dns) = self.dns_mapping.get_by_left(&query.query.destination())
                 {
                     let ip = upstream_dns.ip();
 
                     // In case the DNS server is a CIDR resource, it needs to go through the tunnel.
-                    if self.cidr_resources.longest_match(ip).is_some() {
+                    if self.is_upstream_set_by_the_portal()
+                        && self.cidr_resources.longest_match(ip).is_some()
+                    {
                         return Err((packet, ip));
                     }
                 }
diff --git a/rust/connlib/tunnel/src/tests/reference.rs b/rust/connlib/tunnel/src/tests/reference.rs
index abdc6f07b..ee954b962 100644
--- a/rust/connlib/tunnel/src/tests/reference.rs
+++ b/rust/connlib/tunnel/src/tests/reference.rs
@@ -323,6 +323,7 @@ impl ReferenceStateMachine for ReferenceState {
             {
                 Some(resource)
                     if !state.client.inner().is_connected_to_cidr(resource)
+                        && !state.client.inner().upstream_dns_resolvers.is_empty()
                         && !state.client.inner().is_known_host(&domain.to_string()) =>
                 {
                     state