Gabi

I mean [here](https://github.com/firezone/firezone/blob/84cd1574ffbecf5ee5ac5decfe861503b72aaf41/rust/connlib/tunnel/src/dns.rs#L185-L195) we can add something like: ```rs message.answers_mut().iter().for_each(|a| a.set_ttl(1)); ```

> I think it's something more subtle than just not flushing the cache, because it replicated on Windows with the headless Client, and I see this line about flushing the...

> Okay. So it's not just "Flush when we connect", but "Flush when we connect, or when we add or remove routes"? Do we need to flush when we call...

> I really wish I could get this tested in CI but once again, can't do it with no portal and no mock portal 🤔 Once we have a REST...

> In which circumstances can the query type be `None`? Don't we bail out earlier there already? ah, yeah, somehow I thought that there was a case where we didn't,...

> > In which circumstances can the query type be `None`? Don't we bail out earlier there already? > > ah, yeah, somehow I thought that there was a case...

> Is `NXDOMAIN` actually the correct response here? Shouldn't we just return an empty response? If we get this far in the code, we know the domain, so why return...

> > > Is `NXDOMAIN` actually the correct response here? Shouldn't we just return an empty response? If we get this far in the code, we know the domain, so...

> > > > Is `NXDOMAIN` actually the correct response here? Shouldn't we just return an empty response? If we get this far in the code, we know the domain,...

> I wonder if this is the issue behind #5637. It would also break TXT too for headless clients doing Let's Encrypt validation for example. > > Maybe we should...