From 84abf878f46d9ea0c51beff855464cfc037c4513 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Wed, 28 Jan 2026 22:58:54 +0000
Subject: [PATCH 01/14] fix(localdns): wait for resolv.conf update after
 networkctl reload to prevent race condition

---
 parts/linux/cloud-init/artifacts/localdns.sh  |  58 ++++++++++
 .../cloud-init/artifacts/localdns_spec.sh     | 108 ++++++++++++++++++
 2 files changed, 166 insertions(+)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 7f22a6518fb..4df56b6e821 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -388,6 +388,48 @@ add_iptable_rules_to_skip_conntrack_from_pods(){
     done
 }
 
+# Wait for DNS configuration to be applied after networkctl reload.
+# This function polls the resolv.conf to verify the expected DNS server is present.
+# Arguments:
+#   $1: expected_dns_ip - The DNS IP that should appear in resolv.conf.
+#   $2: should_contain - "true" if the IP should be present, "false" if it should be absent.
+#   $3: max_wait_seconds - Maximum time to wait for the change (default: 10).
+wait_for_dns_config_applied() {
+    local expected_dns_ip="$1"
+    local should_contain="$2"
+    local max_wait_seconds="${3:-10}"
+    local elapsed=0
+
+    echo "Waiting for DNS configuration to be applied (expecting ${expected_dns_ip} to be ${should_contain})..."
+
+    while [ "$elapsed" -lt "$max_wait_seconds" ]; do
+        # Get current DNS servers from resolv.conf.
+        local current_dns
+        current_dns=$(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')
+
+        if [ "$should_contain" = "true" ]; then
+            # Check if the expected DNS IP is present.
+            if echo "$current_dns" | grep -qw "$expected_dns_ip"; then
+                echo "DNS configuration applied successfully. Current DNS: ${current_dns}"
+                return 0
+            fi
+        else
+            # Check if the expected DNS IP is absent.
+            if ! echo "$current_dns" | grep -qw "$expected_dns_ip"; then
+                echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
+                return 0
+            fi
+        fi
+
+        sleep 1
+        elapsed=$((elapsed + 1))
+    done
+
+    echo "Timed out waiting for DNS configuration to be applied after ${max_wait_seconds} seconds."
+    echo "Expected ${expected_dns_ip} to be ${should_contain}, current DNS: $(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')"
+    return 1
+}
+
 # Disable DNS provided by DHCP and point the system at localdns.
 disable_dhcp_use_clusterlistener() {
     mkdir -p "${NETWORK_DROPIN_DIR}"
@@ -412,6 +454,14 @@ EOF
         echo "Failed to reload networkctl."
         return 1
     fi
+
+    # Wait for the DNS configuration to be applied.
+    # This ensures systemd-resolved has updated resolv.conf before we proceed.
+    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "true" 10; then
+        echo "Warning: DNS configuration may not have been fully applied."
+        return 1
+    fi
+
     return 0
 }
 
@@ -472,6 +522,14 @@ cleanup_iptables_and_dns() {
     fi
     echo "Reloading network configuration succeeded."
 
+    # Wait for the DNS configuration to be reverted.
+    # This ensures systemd-resolved has removed localdns from resolv.conf before we proceed.
+    # This is called both at startup (to clean up leftover state) and during shutdown.
+    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "false" 10; then
+        echo "Warning: DNS configuration may not have been fully reverted."
+        # Don't fail for this - the localdns IP might not have been configured previously.
+    fi
+
     return 0
 }
 
diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 374aee1233a..3f86b9186ff 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -1110,4 +1110,112 @@ EOF
             The status should be success
         End
     End
+
+
+# This section tests - wait_for_dns_config_applied
+# This function is defined in parts/linux/cloud-init/artifacts/localdns.sh file.
+#------------------------------------------------------------------------------------------------------------------------------------
+    Describe 'wait_for_dns_config_applied'
+        setup() {
+            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
+            TEST_DIR="/tmp/localdnstest"
+            RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
+            mkdir -p "$(dirname "$RESOLV_CONF")"
+        }
+        cleanup() {
+            rm -rf "$TEST_DIR"
+        }
+        BeforeEach 'setup'
+        AfterEach 'cleanup'
+
+        #------------------------- wait_for_dns_config_applied (should_contain=true) ----------------------------------
+        It 'should return success immediately if expected IP is present (should_contain=true)'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.10
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "true" 5
+            The status should be success
+            The stdout should include "DNS configuration applied successfully"
+            The stdout should include "Current DNS: 169.254.10.10"
+        End
+
+        It 'should return success if expected IP is present among multiple IPs (should_contain=true)'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 169.254.10.10
+nameserver 10.0.0.2
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "true" 5
+            The status should be success
+            The stdout should include "DNS configuration applied successfully"
+        End
+
+        It 'should timeout if expected IP is not present (should_contain=true)'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 10.0.0.2
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "true" 2
+            The status should be failure
+            The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
+            The stdout should include "Expected 169.254.10.10 to be true"
+        End
+
+        #------------------------- wait_for_dns_config_applied (should_contain=false) ---------------------------------
+        It 'should return success immediately if expected IP is absent (should_contain=false)'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 10.0.0.2
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "false" 5
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should timeout if expected IP is still present (should_contain=false)'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.10
+nameserver 10.0.0.1
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "false" 2
+            The status should be failure
+            The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
+            The stdout should include "Expected 169.254.10.10 to be false"
+        End
+
+        It 'should return success if resolv.conf is empty (should_contain=false)'
+            > "$RESOLV_CONF"
+            When run wait_for_dns_config_applied "169.254.10.10" "false" 5
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        #------------------------- wait_for_dns_config_applied (default timeout) --------------------------------------
+        It 'should use default timeout of 10 seconds when not specified'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+EOF
+            # Note: This test checks behavior but uses a short actual wait by having the condition pass immediately
+            When run wait_for_dns_config_applied "10.0.0.1" "true"
+            The status should be success
+            The stdout should include "DNS configuration applied successfully"
+        End
+
+        #------------------------- wait_for_dns_config_applied (edge cases) -------------------------------------------
+        It 'should handle resolv.conf not existing gracefully'
+            rm -f "$RESOLV_CONF"
+            When run wait_for_dns_config_applied "169.254.10.10" "false" 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should not match partial IP addresses'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.100
+EOF
+            When run wait_for_dns_config_applied "169.254.10.10" "true" 2
+            The status should be failure
+            The stdout should include "Timed out waiting for DNS configuration"
+        End
+    End
 End

From 6c4bf72a69d7d8d1a192438fc49ee18efd299464 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Thu, 29 Jan 2026 20:46:08 +0000
Subject: [PATCH 02/14] update the tests

---
 .../cloud-init/artifacts/localdns_spec.sh     | 103 +++++++++++++++++-
 1 file changed, 100 insertions(+), 3 deletions(-)

diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 3f86b9186ff..873282b8ced 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -631,25 +631,34 @@ EOF
 #------------------------------------------------------------------------------------------------------------------------------------
     Describe 'disable_dhcp_use_clusterlistener'
         setup() {
-            NETWORK_DROPIN_DIR="/tmp/test-systemd-network"
+            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
+
+            TEST_DIR="/tmp/test-disable-dhcp-$$"
+            NETWORK_DROPIN_DIR="${TEST_DIR}/systemd-network"
             NETWORK_DROPIN_FILE="${NETWORK_DROPIN_DIR}/10-localdns.conf"
             LOCALDNS_NODE_LISTENER_IP="169.254.10.10"
 
-            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
+            # Setup RESOLV_CONF for wait_for_dns_config_applied (must be after Include)
+            mkdir -p "${TEST_DIR}/run/systemd/resolve"
+            RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
         }
         cleanup() {
-            rm -rf "$NETWORK_DROPIN_DIR"
+            rm -rf "$TEST_DIR"
         }
         BeforeEach 'setup'
         AfterEach 'cleanup'
         #------------------------- disable_dhcp_use_clusterlistener -------------------------------------------------
             It 'should update network configuration and reload networkctl'
+                # Pre-populate resolv.conf with expected IP so wait succeeds immediately
+                echo "nameserver 169.254.10.10" > "$RESOLV_CONF"
                 NETWORKCTL_RELOAD_CMD="true"
                 When call disable_dhcp_use_clusterlistener
                 The status should be success
                 The file "${NETWORK_DROPIN_FILE}" should be exist
                 The contents of file "${NETWORK_DROPIN_FILE}" should include "UseDNS=false"
                 The contents of file "${NETWORK_DROPIN_FILE}" should include "DNS=169.254.10.10"
+                The stdout should include "DNS configuration applied successfully"
+                The contents of file "${RESOLV_CONF}" should include "nameserver 169.254.10.10"
             End
 
             It 'should fail if networkctl reload fails'
@@ -803,6 +812,88 @@ EOF
     End
 
 
+# This section tests - async networkctl reload behavior with wait_for_dns_config_applied
+# These tests verify that cleanup_iptables_and_dns properly waits for resolv.conf to be updated
+#------------------------------------------------------------------------------------------------------------------------------------
+    Describe 'cleanup_iptables_and_dns_with_async_resolv_update'
+        setup() {
+            # Mock iptables to return no rules (must be defined before Include)
+            iptables() {
+                case "$1" in
+                    "-w")
+                        if [ "$2" = "-t" ] && [ "$3" = "raw" ] && [ "$4" = "-L" ]; then
+                            echo "Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)"
+                            echo "Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)"
+                        fi
+                        ;;
+                esac
+                return 0
+            }
+
+            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
+
+            TEST_DIR="/tmp/localdns-async-test-$$"
+            mkdir -p "${TEST_DIR}/run/systemd/resolve"
+            mkdir -p "${TEST_DIR}/network.d"
+
+            # Set RESOLV_CONF AFTER including the script to override the default
+            RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
+            NETWORK_DROPIN_FILE="${TEST_DIR}/test-network-dropin.conf"
+            DEFAULT_ROUTE_INTERFACE="eth0"
+            NETWORK_FILE="/etc/systemd/network/eth0.network"
+            NETWORK_DROPIN_DIR="${TEST_DIR}/network.d"
+        }
+        cleanup() {
+            rm -rf "$TEST_DIR"
+        }
+        BeforeEach 'setup'
+        AfterEach 'cleanup'
+
+        It 'should wait for resolv.conf update after networkctl reload (simulating async behavior)'
+            # Setup resolv.conf with localdns IP present
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.10
+nameserver 10.0.0.1
+EOF
+            touch "$NETWORK_DROPIN_FILE"
+
+            # Create a script that simulates async update
+            ASYNC_SCRIPT="${TEST_DIR}/async_update.sh"
+            cat > "$ASYNC_SCRIPT" <<SCRIPT
+#!/bin/bash
+sleep 2
+echo "nameserver 10.0.0.1" > "$RESOLV_CONF"
+SCRIPT
+            chmod +x "$ASYNC_SCRIPT"
+
+            # networkctl reload triggers async update and returns immediately
+            NETWORKCTL_RELOAD_CMD="$ASYNC_SCRIPT &"
+
+            When call cleanup_iptables_and_dns
+            The status should be success
+            The stdout should include "Waiting for DNS configuration to be applied"
+            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "Current DNS: 10.0.0.1"
+        End
+
+        It 'should handle immediate resolv.conf update (no delay)'
+            # Setup resolv.conf without localdns IP (already in expected state)
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 10.0.0.2
+EOF
+
+            touch "$NETWORK_DROPIN_FILE"
+            NETWORKCTL_RELOAD_CMD="true"
+
+            When call cleanup_iptables_and_dns
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
+        End
+    End
+
+
 # This section tests - cleanup_localdns_configs
 # These functions is defined in parts/linux/cloud-init/artifacts/localdns.sh file.
 #------------------------------------------------------------------------------------------------------------------------------------
@@ -1148,6 +1239,7 @@ EOF
             When run wait_for_dns_config_applied "169.254.10.10" "true" 5
             The status should be success
             The stdout should include "DNS configuration applied successfully"
+            The stdout should include "Current DNS: 10.0.0.1 169.254.10.10 10.0.0.2"
         End
 
         It 'should timeout if expected IP is not present (should_contain=true)'
@@ -1159,6 +1251,7 @@ EOF
             The status should be failure
             The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
             The stdout should include "Expected 169.254.10.10 to be true"
+            The stdout should include "current DNS: 10.0.0.1 10.0.0.2"
         End
 
         #------------------------- wait_for_dns_config_applied (should_contain=false) ---------------------------------
@@ -1170,6 +1263,7 @@ EOF
             When run wait_for_dns_config_applied "169.254.10.10" "false" 5
             The status should be success
             The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
         End
 
         It 'should timeout if expected IP is still present (should_contain=false)'
@@ -1181,6 +1275,7 @@ EOF
             The status should be failure
             The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
             The stdout should include "Expected 169.254.10.10 to be false"
+            The stdout should include "current DNS: 169.254.10.10 10.0.0.1"
         End
 
         It 'should return success if resolv.conf is empty (should_contain=false)'
@@ -1199,6 +1294,7 @@ EOF
             When run wait_for_dns_config_applied "10.0.0.1" "true"
             The status should be success
             The stdout should include "DNS configuration applied successfully"
+            The stdout should include "Current DNS: 10.0.0.1"
         End
 
         #------------------------- wait_for_dns_config_applied (edge cases) -------------------------------------------
@@ -1216,6 +1312,7 @@ EOF
             When run wait_for_dns_config_applied "169.254.10.10" "true" 2
             The status should be failure
             The stdout should include "Timed out waiting for DNS configuration"
+            The stdout should include "current DNS: 169.254.10.100"
         End
     End
 End

From cc368b3f8080f2935288670024b11e784730a4a8 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Thu, 29 Jan 2026 21:20:29 +0000
Subject: [PATCH 03/14] fix(localdns): change Warning to Error for DNS config
 timeout messages

Update log messages to use Error: prefix when wait_for_dns_config_applied fails, since these are failure conditions (return 1), not warnings. Updated corresponding test assertion.
---
 parts/linux/cloud-init/artifacts/localdns.sh  |  6 ++--
 .../cloud-init/artifacts/localdns_spec.sh     | 34 +++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 4df56b6e821..52b80396378 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -458,7 +458,7 @@ EOF
     # Wait for the DNS configuration to be applied.
     # This ensures systemd-resolved has updated resolv.conf before we proceed.
     if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "true" 10; then
-        echo "Warning: DNS configuration may not have been fully applied."
+        echo "Error: DNS configuration was not applied within timeout."
         return 1
     fi
 
@@ -526,8 +526,8 @@ cleanup_iptables_and_dns() {
     # This ensures systemd-resolved has removed localdns from resolv.conf before we proceed.
     # This is called both at startup (to clean up leftover state) and during shutdown.
     if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "false" 10; then
-        echo "Warning: DNS configuration may not have been fully reverted."
-        # Don't fail for this - the localdns IP might not have been configured previously.
+        echo "Error: DNS configuration was not reverted within timeout."
+        return 1
     fi
 
     return 0
diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 873282b8ced..395c32a5891 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -668,6 +668,40 @@ EOF
                 The output should include "Failed to reload networkctl."
             End
 
+            It 'should fail if wait_for_dns_config_applied times out'
+                # resolv.conf has a different DNS IP, simulating the race condition
+                # where networkctl reload succeeds but systemd-resolved hasn't updated resolv.conf yet
+                echo "nameserver 168.63.129.16" > "$RESOLV_CONF"
+                NETWORKCTL_RELOAD_CMD="true"
+                # Override disable_dhcp_use_clusterlistener to use a short timeout for testing
+                disable_dhcp_use_clusterlistener() {
+                    mkdir -p "${NETWORK_DROPIN_DIR}"
+                    verify_network_dropin_dir || return 1
+                    cat > "${NETWORK_DROPIN_FILE}" <<EOF
+[Network]
+DNS=${LOCALDNS_NODE_LISTENER_IP}
+[DHCP]
+UseDNS=false
+EOF
+                    chmod -R ugo+rX "${NETWORK_DROPIN_DIR}"
+                    eval "$NETWORKCTL_RELOAD_CMD"
+                    if [ "$?" -ne 0 ]; then
+                        echo "Failed to reload networkctl."
+                        return 1
+                    fi
+                    # Use a 2-second timeout for testing
+                    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "true" 2; then
+                        echo "Error: DNS configuration was not applied within timeout."
+                        return 1
+                    fi
+                    return 0
+                }
+                When call disable_dhcp_use_clusterlistener
+                The status should be failure
+                The output should include "Timed out waiting for DNS configuration"
+                The output should include "Error: DNS configuration was not applied within timeout."
+            End
+
     End
 
 

From 5367380725620bc255410c111741ec6f44ec54e9 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Thu, 29 Jan 2026 22:00:41 +0000
Subject: [PATCH 04/14] changed grep -qw to -qF s.t. IP addresses are matched
 literally instead of being interpreted as regex wildcards

---
 parts/linux/cloud-init/artifacts/localdns.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 52b80396378..e6f726ac40b 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -409,13 +409,13 @@ wait_for_dns_config_applied() {
 
         if [ "$should_contain" = "true" ]; then
             # Check if the expected DNS IP is present.
-            if echo "$current_dns" | grep -qw "$expected_dns_ip"; then
+            if echo "$current_dns" | grep -qF "$expected_dns_ip"; then
                 echo "DNS configuration applied successfully. Current DNS: ${current_dns}"
                 return 0
             fi
         else
             # Check if the expected DNS IP is absent.
-            if ! echo "$current_dns" | grep -qw "$expected_dns_ip"; then
+            if ! echo "$current_dns" | grep -qF "$expected_dns_ip"; then
                 echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
                 return 0
             fi

From 0de2f598059539b9bec87e6276149eb3f8ee5c7c Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Thu, 29 Jan 2026 22:11:49 +0000
Subject: [PATCH 05/14] fix: use grep -qwF to avoid partial IP matches and
 regex issues

---
 parts/linux/cloud-init/artifacts/localdns.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index e6f726ac40b..d4ee5e6b6e2 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -409,13 +409,14 @@ wait_for_dns_config_applied() {
 
         if [ "$should_contain" = "true" ]; then
             # Check if the expected DNS IP is present.
-            if echo "$current_dns" | grep -qF "$expected_dns_ip"; then
+            # Use word boundary matching (-w) with fixed string (-F) to avoid partial IP matches.
+            if echo "$current_dns" | grep -qwF "$expected_dns_ip"; then
                 echo "DNS configuration applied successfully. Current DNS: ${current_dns}"
                 return 0
             fi
         else
             # Check if the expected DNS IP is absent.
-            if ! echo "$current_dns" | grep -qF "$expected_dns_ip"; then
+            if ! echo "$current_dns" | grep -qwF "$expected_dns_ip"; then
                 echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
                 return 0
             fi

From 84634abc5380dbe45c6707df679510294cab89cd Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 19:32:35 +0000
Subject: [PATCH 06/14] simplify logic + cleanup

---
 parts/linux/cloud-init/artifacts/localdns.sh  |  62 ++---
 .../cloud-init/artifacts/localdns_spec.sh     | 220 +++---------------
 2 files changed, 52 insertions(+), 230 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index d4ee5e6b6e2..907e6cee93a 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -388,46 +388,31 @@ add_iptable_rules_to_skip_conntrack_from_pods(){
     done
 }
 
-# Wait for DNS configuration to be applied after networkctl reload.
-# This function polls the resolv.conf to verify the expected DNS server is present.
+# Wait for localdns IP to be removed from resolv.conf after networkctl reload.
 # Arguments:
-#   $1: expected_dns_ip - The DNS IP that should appear in resolv.conf.
-#   $2: should_contain - "true" if the IP should be present, "false" if it should be absent.
-#   $3: max_wait_seconds - Maximum time to wait for the change (default: 10).
-wait_for_dns_config_applied() {
-    local expected_dns_ip="$1"
-    local should_contain="$2"
-    local max_wait_seconds="${3:-10}"
+#   $1: max_wait_seconds - Maximum time to wait for the change (default: 5).
+wait_for_localdns_removed_from_resolv_conf() {
+    local max_wait_seconds="${1:-5}"
     local elapsed=0
 
-    echo "Waiting for DNS configuration to be applied (expecting ${expected_dns_ip} to be ${should_contain})..."
+    echo "Waiting for localdns (${LOCALDNS_NODE_LISTENER_IP}) to be removed from resolv.conf..."
 
     while [ "$elapsed" -lt "$max_wait_seconds" ]; do
-        # Get current DNS servers from resolv.conf.
         local current_dns
         current_dns=$(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')
 
-        if [ "$should_contain" = "true" ]; then
-            # Check if the expected DNS IP is present.
-            # Use word boundary matching (-w) with fixed string (-F) to avoid partial IP matches.
-            if echo "$current_dns" | grep -qwF "$expected_dns_ip"; then
-                echo "DNS configuration applied successfully. Current DNS: ${current_dns}"
-                return 0
-            fi
-        else
-            # Check if the expected DNS IP is absent.
-            if ! echo "$current_dns" | grep -qwF "$expected_dns_ip"; then
-                echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
-                return 0
-            fi
+        # Use word boundary matching (-w) with fixed string (-F) to avoid partial IP matches.
+        if ! echo "$current_dns" | grep -qwF "$LOCALDNS_NODE_LISTENER_IP"; then
+            echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
+            return 0
         fi
 
         sleep 1
         elapsed=$((elapsed + 1))
     done
 
-    echo "Timed out waiting for DNS configuration to be applied after ${max_wait_seconds} seconds."
-    echo "Expected ${expected_dns_ip} to be ${should_contain}, current DNS: $(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')"
+    echo "Timed out waiting for localdns to be removed from resolv.conf after ${max_wait_seconds} seconds."
+    echo "Current DNS: $(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')"
     return 1
 }
 
@@ -455,14 +440,6 @@ EOF
         echo "Failed to reload networkctl."
         return 1
     fi
-
-    # Wait for the DNS configuration to be applied.
-    # This ensures systemd-resolved has updated resolv.conf before we proceed.
-    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "true" 10; then
-        echo "Error: DNS configuration was not applied within timeout."
-        return 1
-    fi
-
     return 0
 }
 
@@ -522,15 +499,6 @@ cleanup_iptables_and_dns() {
         return 1
     fi
     echo "Reloading network configuration succeeded."
-
-    # Wait for the DNS configuration to be reverted.
-    # This ensures systemd-resolved has removed localdns from resolv.conf before we proceed.
-    # This is called both at startup (to clean up leftover state) and during shutdown.
-    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "false" 10; then
-        echo "Error: DNS configuration was not reverted within timeout."
-        return 1
-    fi
-
     return 0
 }
 
@@ -680,6 +648,14 @@ initialize_network_variables || exit $ERR_LOCALDNS_FAIL
 # ---------------------------------------------------------------------------------------------------------------------
 cleanup_iptables_and_dns || exit $ERR_LOCALDNS_FAIL
 
+# Wait for the DNS configuration to be reverted.
+# This ensures systemd-resolved has removed localdns from resolv.conf before we proceed.
+# This is called both at startup (to clean up leftover state) and during shutdown.
+if ! wait_for_localdns_removed_from_resolv_conf 5; then
+    echo "Error: DNS configuration was not reverted within timeout."
+    exit $ERR_LOCALDNS_FAIL
+fi
+
 # Replace AzureDNSIP in corefile with VNET DNS ServerIPs.
 # ---------------------------------------------------------------------------------------------------------------------
 replace_azurednsip_in_corefile || exit $ERR_LOCALDNS_FAIL
diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 395c32a5891..6d7b25871f5 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -631,34 +631,25 @@ EOF
 #------------------------------------------------------------------------------------------------------------------------------------
     Describe 'disable_dhcp_use_clusterlistener'
         setup() {
-            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
-
-            TEST_DIR="/tmp/test-disable-dhcp-$$"
-            NETWORK_DROPIN_DIR="${TEST_DIR}/systemd-network"
+            NETWORK_DROPIN_DIR="/tmp/test-systemd-network"
             NETWORK_DROPIN_FILE="${NETWORK_DROPIN_DIR}/10-localdns.conf"
             LOCALDNS_NODE_LISTENER_IP="169.254.10.10"
 
-            # Setup RESOLV_CONF for wait_for_dns_config_applied (must be after Include)
-            mkdir -p "${TEST_DIR}/run/systemd/resolve"
-            RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
+            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
         }
         cleanup() {
-            rm -rf "$TEST_DIR"
+            rm -rf "$NETWORK_DROPIN_DIR"
         }
         BeforeEach 'setup'
         AfterEach 'cleanup'
         #------------------------- disable_dhcp_use_clusterlistener -------------------------------------------------
             It 'should update network configuration and reload networkctl'
-                # Pre-populate resolv.conf with expected IP so wait succeeds immediately
-                echo "nameserver 169.254.10.10" > "$RESOLV_CONF"
                 NETWORKCTL_RELOAD_CMD="true"
                 When call disable_dhcp_use_clusterlistener
                 The status should be success
                 The file "${NETWORK_DROPIN_FILE}" should be exist
                 The contents of file "${NETWORK_DROPIN_FILE}" should include "UseDNS=false"
                 The contents of file "${NETWORK_DROPIN_FILE}" should include "DNS=169.254.10.10"
-                The stdout should include "DNS configuration applied successfully"
-                The contents of file "${RESOLV_CONF}" should include "nameserver 169.254.10.10"
             End
 
             It 'should fail if networkctl reload fails'
@@ -668,40 +659,6 @@ EOF
                 The output should include "Failed to reload networkctl."
             End
 
-            It 'should fail if wait_for_dns_config_applied times out'
-                # resolv.conf has a different DNS IP, simulating the race condition
-                # where networkctl reload succeeds but systemd-resolved hasn't updated resolv.conf yet
-                echo "nameserver 168.63.129.16" > "$RESOLV_CONF"
-                NETWORKCTL_RELOAD_CMD="true"
-                # Override disable_dhcp_use_clusterlistener to use a short timeout for testing
-                disable_dhcp_use_clusterlistener() {
-                    mkdir -p "${NETWORK_DROPIN_DIR}"
-                    verify_network_dropin_dir || return 1
-                    cat > "${NETWORK_DROPIN_FILE}" <<EOF
-[Network]
-DNS=${LOCALDNS_NODE_LISTENER_IP}
-[DHCP]
-UseDNS=false
-EOF
-                    chmod -R ugo+rX "${NETWORK_DROPIN_DIR}"
-                    eval "$NETWORKCTL_RELOAD_CMD"
-                    if [ "$?" -ne 0 ]; then
-                        echo "Failed to reload networkctl."
-                        return 1
-                    fi
-                    # Use a 2-second timeout for testing
-                    if ! wait_for_dns_config_applied "${LOCALDNS_NODE_LISTENER_IP}" "true" 2; then
-                        echo "Error: DNS configuration was not applied within timeout."
-                        return 1
-                    fi
-                    return 0
-                }
-                When call disable_dhcp_use_clusterlistener
-                The status should be failure
-                The output should include "Timed out waiting for DNS configuration"
-                The output should include "Error: DNS configuration was not applied within timeout."
-            End
-
     End
 
 
@@ -846,88 +803,6 @@ EOF
     End
 
 
-# This section tests - async networkctl reload behavior with wait_for_dns_config_applied
-# These tests verify that cleanup_iptables_and_dns properly waits for resolv.conf to be updated
-#------------------------------------------------------------------------------------------------------------------------------------
-    Describe 'cleanup_iptables_and_dns_with_async_resolv_update'
-        setup() {
-            # Mock iptables to return no rules (must be defined before Include)
-            iptables() {
-                case "$1" in
-                    "-w")
-                        if [ "$2" = "-t" ] && [ "$3" = "raw" ] && [ "$4" = "-L" ]; then
-                            echo "Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)"
-                            echo "Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)"
-                        fi
-                        ;;
-                esac
-                return 0
-            }
-
-            Include "./parts/linux/cloud-init/artifacts/localdns.sh"
-
-            TEST_DIR="/tmp/localdns-async-test-$$"
-            mkdir -p "${TEST_DIR}/run/systemd/resolve"
-            mkdir -p "${TEST_DIR}/network.d"
-
-            # Set RESOLV_CONF AFTER including the script to override the default
-            RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
-            NETWORK_DROPIN_FILE="${TEST_DIR}/test-network-dropin.conf"
-            DEFAULT_ROUTE_INTERFACE="eth0"
-            NETWORK_FILE="/etc/systemd/network/eth0.network"
-            NETWORK_DROPIN_DIR="${TEST_DIR}/network.d"
-        }
-        cleanup() {
-            rm -rf "$TEST_DIR"
-        }
-        BeforeEach 'setup'
-        AfterEach 'cleanup'
-
-        It 'should wait for resolv.conf update after networkctl reload (simulating async behavior)'
-            # Setup resolv.conf with localdns IP present
-            cat > "$RESOLV_CONF" <<EOF
-nameserver 169.254.10.10
-nameserver 10.0.0.1
-EOF
-            touch "$NETWORK_DROPIN_FILE"
-
-            # Create a script that simulates async update
-            ASYNC_SCRIPT="${TEST_DIR}/async_update.sh"
-            cat > "$ASYNC_SCRIPT" <<SCRIPT
-#!/bin/bash
-sleep 2
-echo "nameserver 10.0.0.1" > "$RESOLV_CONF"
-SCRIPT
-            chmod +x "$ASYNC_SCRIPT"
-
-            # networkctl reload triggers async update and returns immediately
-            NETWORKCTL_RELOAD_CMD="$ASYNC_SCRIPT &"
-
-            When call cleanup_iptables_and_dns
-            The status should be success
-            The stdout should include "Waiting for DNS configuration to be applied"
-            The stdout should include "DNS configuration reverted successfully"
-            The stdout should include "Current DNS: 10.0.0.1"
-        End
-
-        It 'should handle immediate resolv.conf update (no delay)'
-            # Setup resolv.conf without localdns IP (already in expected state)
-            cat > "$RESOLV_CONF" <<EOF
-nameserver 10.0.0.1
-nameserver 10.0.0.2
-EOF
-
-            touch "$NETWORK_DROPIN_FILE"
-            NETWORKCTL_RELOAD_CMD="true"
-
-            When call cleanup_iptables_and_dns
-            The status should be success
-            The stdout should include "DNS configuration reverted successfully"
-            The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
-        End
-    End
-
-
 # This section tests - cleanup_localdns_configs
 # These functions is defined in parts/linux/cloud-init/artifacts/localdns.sh file.
 #------------------------------------------------------------------------------------------------------------------------------------
@@ -1237,13 +1112,13 @@ EOF
     End
 
 
-# This section tests - wait_for_dns_config_applied
+# This section tests - wait_for_localdns_removed_from_resolv_conf
 # This function is defined in parts/linux/cloud-init/artifacts/localdns.sh file.
 #------------------------------------------------------------------------------------------------------------------------------------
-    Describe 'wait_for_dns_config_applied'
+    Describe 'wait_for_localdns_removed_from_resolv_conf'
         setup() {
             Include "./parts/linux/cloud-init/artifacts/localdns.sh"
-            TEST_DIR="/tmp/localdnstest"
+            TEST_DIR="/tmp/localdnstest-$$"
             RESOLV_CONF="${TEST_DIR}/run/systemd/resolve/resolv.conf"
             mkdir -p "$(dirname "$RESOLV_CONF")"
         }
@@ -1253,88 +1128,48 @@ EOF
         BeforeEach 'setup'
         AfterEach 'cleanup'
 
-        #------------------------- wait_for_dns_config_applied (should_contain=true) ----------------------------------
-        It 'should return success immediately if expected IP is present (should_contain=true)'
-            cat > "$RESOLV_CONF" <<EOF
-nameserver 169.254.10.10
-EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "true" 5
-            The status should be success
-            The stdout should include "DNS configuration applied successfully"
-            The stdout should include "Current DNS: 169.254.10.10"
-        End
-
-        It 'should return success if expected IP is present among multiple IPs (should_contain=true)'
+        #------------------------- wait_for_localdns_removed_from_resolv_conf ------------------------------------------
+        It 'should return success immediately if localdns IP is absent'
             cat > "$RESOLV_CONF" <<EOF
 nameserver 10.0.0.1
-nameserver 169.254.10.10
 nameserver 10.0.0.2
 EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "true" 5
-            The status should be success
-            The stdout should include "DNS configuration applied successfully"
-            The stdout should include "Current DNS: 10.0.0.1 169.254.10.10 10.0.0.2"
-        End
-
-        It 'should timeout if expected IP is not present (should_contain=true)'
-            cat > "$RESOLV_CONF" <<EOF
-nameserver 10.0.0.1
-nameserver 10.0.0.2
-EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "true" 2
-            The status should be failure
-            The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
-            The stdout should include "Expected 169.254.10.10 to be true"
-            The stdout should include "current DNS: 10.0.0.1 10.0.0.2"
-        End
-
-        #------------------------- wait_for_dns_config_applied (should_contain=false) ---------------------------------
-        It 'should return success immediately if expected IP is absent (should_contain=false)'
-            cat > "$RESOLV_CONF" <<EOF
-nameserver 10.0.0.1
-nameserver 10.0.0.2
-EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "false" 5
+            When run wait_for_localdns_removed_from_resolv_conf 5
             The status should be success
             The stdout should include "DNS configuration reverted successfully"
             The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
         End
 
-        It 'should timeout if expected IP is still present (should_contain=false)'
+        It 'should timeout if localdns IP is still present'
             cat > "$RESOLV_CONF" <<EOF
 nameserver 169.254.10.10
 nameserver 10.0.0.1
 EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "false" 2
+            When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be failure
-            The stdout should include "Timed out waiting for DNS configuration to be applied after 2 seconds"
-            The stdout should include "Expected 169.254.10.10 to be false"
-            The stdout should include "current DNS: 169.254.10.10 10.0.0.1"
+            The stdout should include "Timed out waiting for localdns to be removed from resolv.conf after 2 seconds"
+            The stdout should include "Current DNS:"
         End
 
-        It 'should return success if resolv.conf is empty (should_contain=false)'
+        It 'should return success if resolv.conf is empty'
             > "$RESOLV_CONF"
-            When run wait_for_dns_config_applied "169.254.10.10" "false" 5
+            When run wait_for_localdns_removed_from_resolv_conf 5
             The status should be success
             The stdout should include "DNS configuration reverted successfully"
         End
 
-        #------------------------- wait_for_dns_config_applied (default timeout) --------------------------------------
-        It 'should use default timeout of 10 seconds when not specified'
+        It 'should use default timeout of 5 seconds when not specified'
             cat > "$RESOLV_CONF" <<EOF
 nameserver 10.0.0.1
 EOF
-            # Note: This test checks behavior but uses a short actual wait by having the condition pass immediately
-            When run wait_for_dns_config_applied "10.0.0.1" "true"
+            When run wait_for_localdns_removed_from_resolv_conf
             The status should be success
-            The stdout should include "DNS configuration applied successfully"
-            The stdout should include "Current DNS: 10.0.0.1"
+            The stdout should include "DNS configuration reverted successfully"
         End
 
-        #------------------------- wait_for_dns_config_applied (edge cases) -------------------------------------------
         It 'should handle resolv.conf not existing gracefully'
             rm -f "$RESOLV_CONF"
-            When run wait_for_dns_config_applied "169.254.10.10" "false" 2
+            When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
             The stdout should include "DNS configuration reverted successfully"
         End
@@ -1343,10 +1178,21 @@ EOF
             cat > "$RESOLV_CONF" <<EOF
 nameserver 169.254.10.100
 EOF
-            When run wait_for_dns_config_applied "169.254.10.10" "true" 2
+            # 169.254.10.100 should NOT match 169.254.10.10
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should detect localdns IP among multiple nameservers'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 169.254.10.10
+nameserver 10.0.0.2
+EOF
+            When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be failure
-            The stdout should include "Timed out waiting for DNS configuration"
-            The stdout should include "current DNS: 169.254.10.100"
+            The stdout should include "Timed out waiting for localdns to be removed"
         End
     End
 End

From 5b86ad4e2bbdd0499911e1560ba2acca32fdccfb Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 20:07:31 +0000
Subject: [PATCH 07/14] add more tests

---
 .../cloud-init/artifacts/localdns_spec.sh     | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 6d7b25871f5..7158f84f145 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -1194,5 +1194,71 @@ EOF
             The status should be failure
             The stdout should include "Timed out waiting for localdns to be removed"
         End
+
+        It 'should succeed when localdns IP is removed during wait (async removal)'
+            # Start with localdns IP present
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.10
+nameserver 10.0.0.1
+EOF
+            # Create background process that removes localdns IP after 2 seconds
+            (sleep 2 && echo "nameserver 10.0.0.1" > "$RESOLV_CONF") &
+            When run wait_for_localdns_removed_from_resolv_conf 5
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should ignore commented lines in resolv.conf'
+            cat > "$RESOLV_CONF" <<EOF
+# nameserver 169.254.10.10
+nameserver 10.0.0.1
+# This is a comment
+nameserver 10.0.0.2
+EOF
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should timeout when only localdns IP is present'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 169.254.10.10
+EOF
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be failure
+            The stdout should include "Timed out waiting for localdns to be removed"
+        End
+
+        It 'should handle IPv6 nameservers mixed with IPv4'
+            cat > "$RESOLV_CONF" <<EOF
+nameserver 10.0.0.1
+nameserver 2001:4860:4860::8888
+nameserver 10.0.0.2
+EOF
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
+
+        It 'should handle resolv.conf with search and options directives'
+            cat > "$RESOLV_CONF" <<EOF
+search example.com local
+nameserver 10.0.0.1
+nameserver 10.0.0.2
+options timeout:2 attempts:3
+EOF
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
+        End
+
+        It 'should handle whitespace variations in resolv.conf'
+            # Use tabs and extra spaces
+            printf "nameserver\t10.0.0.1\nnameserver   10.0.0.2\n" > "$RESOLV_CONF"
+            When run wait_for_localdns_removed_from_resolv_conf 2
+            The status should be success
+            The stdout should include "DNS configuration reverted successfully"
+        End
     End
 End

From cddb423024844275bf36772c63faf42cc1471ba1 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 13:46:59 -0800
Subject: [PATCH 08/14] Update parts/linux/cloud-init/artifacts/localdns.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 parts/linux/cloud-init/artifacts/localdns.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 907e6cee93a..d57a336dfe9 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -648,9 +648,9 @@ initialize_network_variables || exit $ERR_LOCALDNS_FAIL
 # ---------------------------------------------------------------------------------------------------------------------
 cleanup_iptables_and_dns || exit $ERR_LOCALDNS_FAIL
 
-# Wait for the DNS configuration to be reverted.
-# This ensures systemd-resolved has removed localdns from resolv.conf before we proceed.
-# This is called both at startup (to clean up leftover state) and during shutdown.
+# During startup, wait for the DNS configuration to be fully reverted.
+# This ensures systemd-resolved has removed localdns from resolv.conf before we read upstream DNS servers.
+# Note: the shutdown path does not invoke this wait; it only calls cleanup_iptables_and_dns.
 if ! wait_for_localdns_removed_from_resolv_conf 5; then
     echo "Error: DNS configuration was not reverted within timeout."
     exit $ERR_LOCALDNS_FAIL

From 9d922f7f9029d531d13d919ebe2968b88bea15cf Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 21:48:52 +0000
Subject: [PATCH 09/14] github comments

---
 parts/linux/cloud-init/artifacts/localdns.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index d57a336dfe9..5774b52a154 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -499,6 +499,7 @@ cleanup_iptables_and_dns() {
         return 1
     fi
     echo "Reloading network configuration succeeded."
+
     return 0
 }
 

From 2a1df235d3fbfe522b08da44722514c832aa4bcd Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 22:30:41 +0000
Subject: [PATCH 10/14] revert -> refresh

---
 parts/linux/cloud-init/artifacts/localdns.sh  |  4 ++--
 .../cloud-init/artifacts/localdns_spec.sh     | 20 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 5774b52a154..f601d950856 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -649,11 +649,11 @@ initialize_network_variables || exit $ERR_LOCALDNS_FAIL
 # ---------------------------------------------------------------------------------------------------------------------
 cleanup_iptables_and_dns || exit $ERR_LOCALDNS_FAIL
 
-# During startup, wait for the DNS configuration to be fully reverted.
+# During startup, wait for the DNS configuration to be fully refreshed.
 # This ensures systemd-resolved has removed localdns from resolv.conf before we read upstream DNS servers.
 # Note: the shutdown path does not invoke this wait; it only calls cleanup_iptables_and_dns.
 if ! wait_for_localdns_removed_from_resolv_conf 5; then
-    echo "Error: DNS configuration was not reverted within timeout."
+    echo "Error: DNS configuration was not refreshed within timeout."
     exit $ERR_LOCALDNS_FAIL
 fi
 
diff --git a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
index 7158f84f145..95a5c555364 100644
--- a/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/localdns_spec.sh
@@ -1136,7 +1136,7 @@ nameserver 10.0.0.2
 EOF
             When run wait_for_localdns_removed_from_resolv_conf 5
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
             The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
         End
 
@@ -1155,7 +1155,7 @@ EOF
             > "$RESOLV_CONF"
             When run wait_for_localdns_removed_from_resolv_conf 5
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should use default timeout of 5 seconds when not specified'
@@ -1164,14 +1164,14 @@ nameserver 10.0.0.1
 EOF
             When run wait_for_localdns_removed_from_resolv_conf
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should handle resolv.conf not existing gracefully'
             rm -f "$RESOLV_CONF"
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should not match partial IP addresses'
@@ -1181,7 +1181,7 @@ EOF
             # 169.254.10.100 should NOT match 169.254.10.10
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should detect localdns IP among multiple nameservers'
@@ -1205,7 +1205,7 @@ EOF
             (sleep 2 && echo "nameserver 10.0.0.1" > "$RESOLV_CONF") &
             When run wait_for_localdns_removed_from_resolv_conf 5
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should ignore commented lines in resolv.conf'
@@ -1217,7 +1217,7 @@ nameserver 10.0.0.2
 EOF
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should timeout when only localdns IP is present'
@@ -1237,7 +1237,7 @@ nameserver 10.0.0.2
 EOF
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
 
         It 'should handle resolv.conf with search and options directives'
@@ -1249,7 +1249,7 @@ options timeout:2 attempts:3
 EOF
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
             The stdout should include "Current DNS: 10.0.0.1 10.0.0.2"
         End
 
@@ -1258,7 +1258,7 @@ EOF
             printf "nameserver\t10.0.0.1\nnameserver   10.0.0.2\n" > "$RESOLV_CONF"
             When run wait_for_localdns_removed_from_resolv_conf 2
             The status should be success
-            The stdout should include "DNS configuration reverted successfully"
+            The stdout should include "DNS configuration refreshed successfully"
         End
     End
 End

From e5d4effc0626f72c1e3c8de89a7cf375dcd338a9 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 22:33:22 +0000
Subject: [PATCH 11/14] update the explanation why the
 wait_for_localdns_removed_from_resolv_conf after shutdown

---
 parts/linux/cloud-init/artifacts/localdns.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index f601d950856..ae8a88424a2 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -651,7 +651,12 @@ cleanup_iptables_and_dns || exit $ERR_LOCALDNS_FAIL
 
 # During startup, wait for the DNS configuration to be fully refreshed.
 # This ensures systemd-resolved has removed localdns from resolv.conf before we read upstream DNS servers.
-# Note: the shutdown path does not invoke this wait; it only calls cleanup_iptables_and_dns.
+# The wait is necessary because networkctl reload is async - there's a delay before systemd-resolved
+# updates /run/systemd/resolve/resolv.conf. The next step (replace_azurednsip_in_corefile) reads
+# resolv.conf to get upstream DNS servers. Without this wait, we might still see 169.254.10.10
+# (localdns IP) as a nameserver, which would create a circular dependency in the corefile.
+# Note: the shutdown path does not need this wait because it doesn't read from resolv.conf afterward -
+# it just cleans up and exits, so systemd-resolved can complete the update asynchronously.
 if ! wait_for_localdns_removed_from_resolv_conf 5; then
     echo "Error: DNS configuration was not refreshed within timeout."
     exit $ERR_LOCALDNS_FAIL

From 57ed26c16718b88b89320a3b72ab505c78cc74e9 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Fri, 30 Jan 2026 22:39:40 +0000
Subject: [PATCH 12/14] reverted -> refreshed

---
 parts/linux/cloud-init/artifacts/localdns.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index ae8a88424a2..8f0566b0c94 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -403,7 +403,7 @@ wait_for_localdns_removed_from_resolv_conf() {
 
         # Use word boundary matching (-w) with fixed string (-F) to avoid partial IP matches.
         if ! echo "$current_dns" | grep -qwF "$LOCALDNS_NODE_LISTENER_IP"; then
-            echo "DNS configuration reverted successfully. Current DNS: ${current_dns}"
+            echo "DNS configuration refreshed successfully. Current DNS: ${current_dns}"
             return 0
         fi
 

From 91f37b031ea0c9a6ba79e1eadc84f11af18756b4 Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Mon, 2 Feb 2026 17:43:42 +0000
Subject: [PATCH 13/14] fix(localdns): use 250ms polling for faster resolv.conf
 update detection

---
 parts/linux/cloud-init/artifacts/localdns.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 8f0566b0c94..0a3a249bac3 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -393,11 +393,13 @@ add_iptable_rules_to_skip_conntrack_from_pods(){
 #   $1: max_wait_seconds - Maximum time to wait for the change (default: 5).
 wait_for_localdns_removed_from_resolv_conf() {
     local max_wait_seconds="${1:-5}"
-    local elapsed=0
+    local sleep_interval=0.25
+    local max_iterations=$((max_wait_seconds * 4))  # 4 iterations per second with 0.25s sleep
+    local iteration=0
 
     echo "Waiting for localdns (${LOCALDNS_NODE_LISTENER_IP}) to be removed from resolv.conf..."
 
-    while [ "$elapsed" -lt "$max_wait_seconds" ]; do
+    while [ "$iteration" -lt "$max_iterations" ]; do
         local current_dns
         current_dns=$(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')
 
@@ -407,8 +409,8 @@ wait_for_localdns_removed_from_resolv_conf() {
             return 0
         fi
 
-        sleep 1
-        elapsed=$((elapsed + 1))
+        sleep $sleep_interval
+        iteration=$((iteration + 1))
     done
 
     echo "Timed out waiting for localdns to be removed from resolv.conf after ${max_wait_seconds} seconds."

From c47014073d9ab71be6314ce13453761bf650642b Mon Sep 17 00:00:00 2001
From: Saewon Kwak <23280628+saewoni@users.noreply.github.com>
Date: Mon, 2 Feb 2026 18:22:14 +0000
Subject: [PATCH 14/14] use here-string instead of echo at line 406

---
 parts/linux/cloud-init/artifacts/localdns.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parts/linux/cloud-init/artifacts/localdns.sh b/parts/linux/cloud-init/artifacts/localdns.sh
index 0a3a249bac3..f05e8c3837c 100644
--- a/parts/linux/cloud-init/artifacts/localdns.sh
+++ b/parts/linux/cloud-init/artifacts/localdns.sh
@@ -404,7 +404,7 @@ wait_for_localdns_removed_from_resolv_conf() {
         current_dns=$(awk '/^nameserver/ {print $2}' "$RESOLV_CONF" 2>/dev/null | paste -sd' ')
 
         # Use word boundary matching (-w) with fixed string (-F) to avoid partial IP matches.
-        if ! echo "$current_dns" | grep -qwF "$LOCALDNS_NODE_LISTENER_IP"; then
+        if ! grep -qwF "$LOCALDNS_NODE_LISTENER_IP" <<< "$current_dns"; then
             echo "DNS configuration refreshed successfully. Current DNS: ${current_dns}"
             return 0
         fi