Fix DNS resolution for VPN and private network configurations

PR #167 introduced DNS filtering that excluded all private IP addresses
(10.x, 172.16-31.x, 192.168.x, fc00::/7) assuming they would be
unreachable from QEMU's slirp networking. However, this breaks VPN
scenarios where private DNS servers are actually reachable.

This change removes the overly aggressive private IP filtering, now
only filtering out localhost and link-local addresses. Private network
DNS servers are allowed through since they may be reachable (e.g., via
VPN or air-gapped networks). If they're actually unreachable, DNS will
fail naturally, which is better than prematurely filtering them out.

Also downgraded the fallback warning from WARN to debug level since
falling back to public DNS is a normal case, not an error condition.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: gursewak1997 <gursmangat@gmail.com>

Author: gursewak1997

crates/kit/src/run_ephemeral.rs

@@ -326,23 +326,23 @@ fn read_host_dns_servers() -> Option<Vec<String>> {
             Ok(content) => {
                 let dns_servers = parse_resolv_conf(&content);
 
-                // Filter out localhost, link-local, and private network addresses
-                // QEMU runs in user networking mode (slirp) inside a container, which cannot
-                // reach private network addresses (10.x.x.x, 172.16-31.x.x, 192.168.x.x for IPv4,
-                // fc00::/7 ULA for IPv6). These are often VPN-only DNS servers that won't work.
-                // We'll fall back to public DNS (8.8.8.8, 1.1.1.1) which is more reliable.
+                // Filter out localhost and link-local addresses only
+                // Private network addresses (10.x, 172.16-31.x, 192.168.x, fc00::/7) are allowed
+                // because they may be reachable from the container/VM (e.g., VPN DNS servers).
+                // If they're unreachable, DNS will fail naturally, but filtering them out
+                // prematurely causes issues with VPN configurations and air-gapped environments.
                 let filtered_servers: Vec<String> = dns_servers
                     .into_iter()
                     .filter(|s| {
                         // Try parsing as IPv4 first
                         if let Ok(ip) = s.parse::<std::net::Ipv4Addr>() {
-                            // Reject loopback, link-local, and private addresses
-                            !ip.is_loopback() && !ip.is_link_local() && !ip.is_private()
+                            // Reject loopback and link-local addresses only
+                            !ip.is_loopback() && !ip.is_link_local()
                         } else if let Ok(ip) = s.parse::<std::net::Ipv6Addr>() {
-                            // Reject loopback (::1), link-local (fe80::/10), ULA (fc00::/7), and multicast
-                            !ip.is_loopback() && !ip.is_multicast()
+                            // Reject loopback (::1), link-local (fe80::/10), and multicast
+                            !ip.is_loopback()
+                                && !ip.is_multicast()
                                 && !(ip.segments()[0] & 0xffc0 == 0xfe80) // link-local fe80::/10
-                                && !(ip.segments()[0] & 0xfe00 == 0xfc00) // ULA fc00::/7 (private)
                         } else {
                             false // Reject invalid addresses
                         }
@@ -586,9 +586,9 @@ fn prepare_run_command_with_temp(
     // which would otherwise contain unreachable bridge DNS servers (e.g., 169.254.1.1).
     // Using --dns properly configures /etc/resolv.conf in the container.
     let host_dns_servers = read_host_dns_servers().or_else(|| {
-        // Fallback to public DNS if no usable DNS found in system configuration
-        // This ensures DNS works even when host has broken/unreachable DNS config
-        warn!("No usable DNS servers found in system configuration, falling back to public DNS (8.8.8.8, 1.1.1.1). This may not work in air-gapped environments.");
+        // Fallback to public DNS if no DNS servers found in system configuration
+        // This ensures DNS works in most cases, but may fail in air-gapped or VPN-only environments
+        debug!("No DNS servers found in system configuration, falling back to public DNS (8.8.8.8, 1.1.1.1)");
         Some(vec!["8.8.8.8".to_string(), "1.1.1.1".to_string()])
     });