# NordVPN macOS DNS Design

## Goal

Keep NordVPN DNS while connected on macOS, but only apply it to active physical services so the WireGuard backend does not break Tailscale or other virtual interfaces.

## Behavior

- Keep the generated WireGuard config free of `DNS = ...`
- During `connect` on macOS:
  - detect active physical network services
  - snapshot current DNS/search-domain settings
  - set NordVPN DNS only on those physical services
- During `disconnect`:
  - restore the saved DNS/search-domain settings
- During failed `connect` after DNS changes:
  - restore DNS before returning the error

## DNS Values

- IPv4 primary: `103.86.96.100`
- IPv4 secondary: `103.86.99.100`
- No IPv6 DNS for now

## Service Selection

Include only enabled physical services from `networksetup`.

Exclude names matching:

- Tailscale
- Bridge
- Thunderbolt Bridge
- Loopback
- VPN
- utun

## Persistence

- Save DNS snapshot under `~/.nordvpn-client`
- Overwrite on each successful connect
- Clear after successful disconnect restore

## Verification

- Unit tests for service selection and DNS snapshot/restore helpers
- Direct logic/config tests
- Avoid live connect tests from this session unless explicitly requested because they can drop connectivity
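
The service selection and snapshot/restore helpers described above, sketched in Python as an added example (not the project's own code). The function names, the case-insensitive substring matching of excluded names, and the snapshot dictionary layout are assumptions; the sample `networksetup` output is constructed. The helpers only build argument lists, so they can be unit tested without touching live DNS settings.

```python
# Name fragments the design excludes. Assumption: case-insensitive substring match.
EXCLUDE = ("tailscale", "bridge", "thunderbolt bridge", "loopback", "vpn", "utun")
NORD_DNS = ["103.86.96.100", "103.86.99.100"]  # IPv4 only, per the design

def select_services(listing):
    """Pick enabled, non-excluded services from `networksetup -listallnetworkservices`."""
    picked = []
    for line in listing.splitlines():
        name = line.strip()
        # Skip blanks, the explanatory header line, and disabled services (leading '*').
        if not name or name.startswith("An asterisk") or name.startswith("*"):
            continue
        if any(fragment in name.lower() for fragment in EXCLUDE):
            continue
        picked.append(name)
    return picked

def parse_values(output):
    """Parse `-getdnsservers` / `-getsearchdomains` output into a list.

    networksetup prints "There aren't any ..." when nothing is set manually;
    that is recorded as an empty list, not as a value to write back.
    """
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    if not lines or lines[0].startswith("There aren't any"):
        return []
    return lines

def set_commands(services):
    """Argument lists that apply NordVPN DNS to the selected services only."""
    return [["networksetup", "-setdnsservers", s, *NORD_DNS] for s in services]

def restore_commands(snapshot):
    """snapshot: {service: {"dns": [...], "search": [...]}} (hypothetical layout).

    An empty saved list is restored with the literal `empty`, which clears the
    manual setting so the service falls back to DHCP-provided values.
    """
    cmds = []
    for svc, saved in snapshot.items():
        cmds.append(["networksetup", "-setdnsservers", svc, *(saved["dns"] or ["empty"])])
        cmds.append(["networksetup", "-setsearchdomains", svc, *(saved["search"] or ["empty"])])
    return cmds

# Constructed sample listing, not captured from a real machine.
SAMPLE_LISTING = """An asterisk (*) denotes that a network service is disabled.
Wi-Fi
USB 10/100/1000 LAN
*Ethernet Adaptor (en4)
Thunderbolt Bridge
Tailscale
Work VPN
"""
```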