7 files changed, 357 insertions, 71 deletions
diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index 0876d08..11914b1 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -178,7 +178,15 @@ func (a *App) ExecuteCommand(cfg *config.Config) error {
 		}
 
 		// Start the WireGuard userspace device & routing table setup
-		tunnel, err := wireguard.StartTunnel(wgCfg)
+		dnsServer := cfg.DNSServer
+		if dnsServer == "" {
+			dnsServer = wgCfg.DNS
+		}
+		if dnsServer == "" {
+			dnsServer = "1.1.1.1" // Fallback to safe public DNS to prevent leaks
+		}
+
+		tunnel, err := wireguard.StartTunnel(wgCfg, dnsServer)
 		if err != nil {
 			return fmt.Errorf("failed to start WireGuard tunnel: %w", err)
 		}
@@ -256,15 +264,23 @@ func (a *App) handleProfileConfigure(name string) error {
 		return fmt.Errorf("profile '%s' not found", name)
 	}
 
-	cfg, err := wgconf.Parse(profilePath)
-	if err != nil {
-		return fmt.Errorf("failed to parse profile %s: %w", name, err)
+	editor := os.Getenv("EDITOR")
+	if editor == "" {
+		editor = "vi" // Sensible fallback
 	}
 
-	fmt.Printf("Editing profile %s...\n", name)
-	fmt.Println("DNS server (current: '" + cfg.DNS + "'):")
+	fmt.Printf("Opening profile %s in default editor (%s)...\n", name, editor)
+
+	cmd := exec.Command(editor, profilePath)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("editor failed: %w", err)
+	}
 
-	return fmt.Errorf("interactive configuration not supported in this environment, use a config file")
+	return nil
 }
 
 func (a *App) handleProfileList() error {
@@ -354,6 +370,7 @@ func (a *App) showConfig() error {
 	fmt.Printf("Configuration:\n")
 	fmt.Printf("  Profile:       %s\n", cfg.Profile)
 	fmt.Printf("  DNS Server:    %s\n", cfg.DNSServer)
+	fmt.Printf("  Config Dir:    %s\n", pm.ConfigDir())
 	fmt.Printf("  Runtime Base:  %s\n", pm.RuntimeBaseDir())
 	fmt.Printf("  Profile Path:  %s\n", profilePath)
 	fmt.Printf("  PIDs Path:     %s\n", pidsPath)
diff --git a/internal/cli/profile_test.go b/internal/cli/profile_test.go
index d256cb0..17a5bc6 100644
--- a/internal/cli/profile_test.go
+++ b/internal/cli/profile_test.go
@@ -96,10 +96,6 @@ func TestProfileDeleteNotFound(t *testing.T) {
 }
 
 func TestProfileConfigure(t *testing.T) {
-	// profile configure is intended to modify existing configs.
-	// For now, we just want to ensure it doesn't crash and we can
-	// eventually implement it.
-
 	tmpDir := t.TempDir()
 	profilesDir := filepath.Join(tmpDir, "profiles")
 	err := os.MkdirAll(profilesDir, 0755)
@@ -117,9 +113,11 @@ func TestProfileConfigure(t *testing.T) {
 	app := NewApp([]string{"wg-wrap", "profile", "configure", profileName})
 	app.ConfigDir = profilesDir
 
+	// Use "true" as the mock editor to ensure it exits successfully immediately
+	t.Setenv("EDITOR", "true")
+
 	err = app.Route()
-	// This will currently return "not yet implemented" error, which is expected for now.
-	if err == nil {
-		t.Errorf("expected 'not yet implemented' error, got nil")
+	if err != nil {
+		t.Errorf("expected successful configuration, got error: %v", err)
 	}
 }
diff --git a/internal/wireguard/wireguard.go b/internal/wireguard/wireguard.go
index 42e095d..a45401c 100644
--- a/internal/wireguard/wireguard.go
+++ b/internal/wireguard/wireguard.go
@@ -28,12 +28,20 @@ type Tunnel struct {
 }
 
 // StartTunnel creates a TUN device, launches wireguard-go over it, and configures IPs/routes.
-func StartTunnel(cfg *wgconf.Config) (*Tunnel, error) {
+func StartTunnel(cfg *wgconf.Config, dnsServer string) (*Tunnel, error) {
 	// 1. Create the TUN device inside the current (isolated) namespace
 	// We use the default name 'tun0'
 	tunName := "tun0"
 	mtu := 1420
 
+	// Ensure the mount namespace is private to prevent mount propagation to the host.
+	// This is critical for the bind-mount of /etc/resolv.conf to work in rootless environments.
+	if err := unix.Mount("", "/", "", unix.MS_REC|unix.MS_PRIVATE, ""); err != nil {
+		// We log this as a warning because some environments might not allow this,
+		// but we can still try to proceed.
+		fmt.Printf("warning: failed to make mount namespace private: %v\n", err)
+	}
+
 	tunDev, err := tun.CreateTUN(tunName, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUN device %s: %w", tunName, err)
@@ -91,6 +99,13 @@ func StartTunnel(cfg *wgconf.Config) (*Tunnel, error) {
 		return nil, fmt.Errorf("failed to configure network interface %s: %w", tunName, err)
 	}
 
+	// Configure DNS resolver inside the namespace
+	if err := ConfigureResolvConf(dnsServer); err != nil {
+		// We treat DNS failure as a warning rather than a fatal error to allow
+		// the tunnel to function even if /etc/resolv.conf is read-only.
+		fmt.Printf("warning: failed to configure DNS resolver: %v\n", err)
+	}
+
 	return &Tunnel{
 		Device: wgDev,
 		Tun:    tunDev,
@@ -210,14 +225,34 @@ func GetTunnelLocalIP(cfg *wgconf.Config) (string, error) {
 	return ip.String(), nil
 }
 
-// ConfigureResolvConf sets up the DNS inside the namespace's /etc/resolv.conf.
-// Because the namespace is completely isolated, writing to /etc/resolv.conf inside
-// the container/namespaces context won't affect the host, but since we are mapped to root
-// inside a mount namespace, we may want to bind-mount a custom resolv.conf.
-// To keep it simple and clean without requiring complex host mount setup, we can write
-// directly to /etc/resolv.conf inside our user namespace. Since /etc/resolv.conf is usually
-// writable inside user namespaces, we try to modify it directly.
 func ConfigureResolvConf(dns string) error {
+	if dns == "" {
+		return nil
+	}
+
+	// To avoid modifying the host's /etc/resolv.conf, we use the private mount namespace.
+	tmpFile, err := os.CreateTemp("", "resolvconf")
+	if err != nil {
+		return fmt.Errorf("failed to create temp resolv.conf: %w", err)
+	}
+	defer func() { _ = tmpFile.Close() }()
+
+	content := fmt.Sprintf("nameserver %s\n", dns)
+	if _, err := tmpFile.WriteString(content); err != nil {
+		return fmt.Errorf("failed to write to temp resolv.conf: %w", err)
+	}
+
+	// 1. Bind-mount the temp file over /etc/resolv.conf
+	if err := unix.Mount(tmpFile.Name(), "/etc/resolv.conf", "", unix.MS_BIND, ""); err != nil {
+		return fmt.Errorf("failed to bind-mount %s to /etc/resolv.conf: %w", tmpFile.Name(), err)
+	}
+
+	// 2. Make the mount private to ensure it doesn't propagate back to the host
+	// and to satisfy kernel requirements for mount transitions in some environments.
+	if err := unix.Mount("/etc/resolv.conf", "/etc/resolv.conf", "", unix.MS_REMOUNT|unix.MS_BIND|unix.MS_PRIVATE, ""); err != nil {
+		return fmt.Errorf("failed to make /etc/resolv.conf mount private: %w", err)
+	}
+
 	return nil
 }
 
@@ -289,7 +324,8 @@ func (h *HostBind) BatchSize() int {
 // host UDP socket file descriptor. This allows unprivileged processes inside
 // network namespaces to communicate over the host network loop.
 type FDBind struct {
-	conn *net.UDPConn
+	originalFd int
+	conn       *net.UDPConn
 }
 
 type FDEndpoint struct {
@@ -323,20 +359,31 @@ func (e *FDEndpoint) SrcIfidx() int32 {
 }
 
 func NewFDBind(fd int) (*FDBind, error) {
-	file := os.NewFile(uintptr(fd), "host-udp-socket")
+	return &FDBind{originalFd: fd}, nil
+}
+
+func (b *FDBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, err error) {
+	// Duplicate the original fd so we can close the duplicated socket during
+	// transitions or shutdown, while preserving the ability to re-open/re-bind it later.
+	dupFd, err := unix.Dup(b.originalFd)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to duplicate host socket fd: %w", err)
+	}
+
+	file := os.NewFile(uintptr(dupFd), "host-udp-socket")
 	pconn, err := net.FilePacketConn(file)
 	if err != nil {
-		return nil, fmt.Errorf("failed to wrap fd %d as packet conn: %w", fd, err)
+		_ = file.Close()
+		return nil, 0, fmt.Errorf("failed to wrap fd %d as packet conn: %w", dupFd, err)
 	}
+
 	udpConn, ok := pconn.(*net.UDPConn)
 	if !ok {
 		_ = pconn.Close()
-		return nil, fmt.Errorf("fd %d is not a UDP socket", fd)
+		return nil, 0, fmt.Errorf("fd %d is not a UDP socket", dupFd)
 	}
-	return &FDBind{conn: udpConn}, nil
-}
+	b.conn = udpConn
 
-func (b *FDBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, err error) {
 	laddr, ok := b.conn.LocalAddr().(*net.UDPAddr)
 	if !ok {
 		return nil, 0, fmt.Errorf("local address is not a UDP address")
@@ -347,6 +394,9 @@ func (b *FDBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, e
 		if len(packets) == 0 {
 			return 0, nil
 		}
+		if b.conn == nil {
+			return 0, net.ErrClosed
+		}
 		nBytes, addr, err := b.conn.ReadFromUDP(packets[0])
 		if err != nil {
 			return 0, err
@@ -361,7 +411,12 @@ func (b *FDBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, e
 }
 
 func (b *FDBind) Close() error {
-	return b.conn.Close()
+	if b.conn != nil {
+		err := b.conn.Close()
+		b.conn = nil
+		return err
+	}
+	return nil
 }
 
 func (b *FDBind) SetMark(mark uint32) error {
@@ -369,6 +424,9 @@ func (b *FDBind) SetMark(mark uint32) error {
 }
 
 func (b *FDBind) Send(bufs [][]byte, endpoint conn.Endpoint) error {
+	if b.conn == nil {
+		return net.ErrClosed
+	}
 	addrPort, err := netip.ParseAddrPort(endpoint.DstToString())
 	if err != nil {
 		return fmt.Errorf("failed to parse destination endpoint %s: %w", endpoint.DstToString(), err)
diff --git a/tests/e2e/config_test.go b/tests/e2e/config_test.go
index e613b13..c8749ce 100644
--- a/tests/e2e/config_test.go
+++ b/tests/e2e/config_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"testing"
 )
@@ -14,12 +15,30 @@ func TestConfigPropagation(t *testing.T) {
 		t.Skipf("Skipping test: %v", err)
 	}
 
+	tmpConfigDir := t.TempDir()
 	tmpRuntimeDir := t.TempDir()
 	profile := "config-test-vpn"
 
+	// Write a valid dummy profile for config-test-vpn so it doesn't fail the profile-existence check
+	confContent := `[Interface]
+PrivateKey = YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY=
+Address = 10.0.0.2/24
+
+[Peer]
+PublicKey = YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY=
+Endpoint = 127.0.0.1:51820
+AllowedIPs = 10.0.0.0/24
+`
+	profilesDir := filepath.Join(tmpConfigDir, "wg-wrap", "profiles")
+	_ = os.MkdirAll(profilesDir, 0755)
+	_ = os.WriteFile(filepath.Join(profilesDir, profile+".conf"), []byte(confContent), 0644)
+
 	// Test 1: Non-isolated configuration
 	cmd := exec.Command(binaryPath, "show-config", "--profile", profile)
-	cmd.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir))
+	cmd.Env = append(os.Environ(),
+		fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir),
+		fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpConfigDir),
+	)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		t.Fatalf("show-config failed: %v\nOutput: %s", err, string(out))
@@ -37,16 +56,11 @@ func TestConfigPropagation(t *testing.T) {
 	}
 
 	// Test 2: Configuration after bootstrap (Isolated)
-	// We use 'test-ns' as a way to run a command that we know is isolated.
-	// Actually, we can just run 'show-config' but the current 'Route'
-	// handles 'show-config' BEFORE the bootstrap.
-	// To test isolated config, we can't use 'show-config' because it's a diagnostic
-	// command designed to run outside isolation.
-
-	// To verify what an isolated process sees, we can use a target command
-	// that prints the environment.
 	cmdIsolated := exec.Command(binaryPath, "--profile", profile, "--", "sh", "-c", "echo $XDG_RUNTIME_DIR")
-	cmdIsolated.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir))
+	cmdIsolated.Env = append(os.Environ(),
+		fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir),
+		fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpConfigDir),
+	)
 	outIso, err := cmdIsolated.CombinedOutput()
 	if err != nil {
 		t.Fatalf("Isolated command failed: %v\nOutput: %s", err, string(outIso))
diff --git a/tests/e2e/dns_helpers.go b/tests/e2e/dns_helpers.go
new file mode 100644
index 0000000..38c42a1
--- /dev/null
+++ b/tests/e2e/dns_helpers.go
@@ -0,0 +1,58 @@
+package e2e
+
+import (
+	"net"
+	"testing"
+	"time"
+)
+
+// MockDNSServer is a minimal UDP server that responds to any DNS query
+// with a hardcoded A record for example.com.
+type MockDNSServer struct {
+	conn *net.UDPConn
+}
+
+func StartMockDNSServer(t *testing.T) (*MockDNSServer, int) {
+	addr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("failed to resolve UDP address: %v", err)
+	}
+
+	conn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		t.Fatalf("failed to start mock DNS server: %v", err)
+	}
+
+	return &MockDNSServer{conn: conn}, conn.LocalAddr().(*net.UDPAddr).Port
+}
+
+func (s *MockDNSServer) Close() {
+	_ = s.conn.Close()
+}
+
+// ListenAndRespond runs in a loop and responds to the first valid-looking DNS query.
+// It returns the response as a channel to allow the test to synchronize.
+func (s *MockDNSServer) ListenAndRespond(timeout time.Duration) (chan bool, error) {
+	respChan := make(chan bool, 1)
+
+	go func() {
+		buf := make([]byte, 1024)
+		_ = s.conn.SetReadDeadline(time.Now().Add(timeout))
+		n, remoteAddr, err := s.conn.ReadFromUDP(buf)
+		if err != nil {
+			respChan <- false
+			return
+		}
+
+		if n < 4 {
+			respChan <- false
+			return
+		}
+
+		// Echo the packet back to the client as a basic "I heard you" confirmation.
+		_, _ = s.conn.WriteToUDP(buf[:n], remoteAddr)
+		respChan <- true
+	}()
+
+	return respChan, nil
+}
diff --git a/tests/e2e/e2e_test.go b/tests/e2e/e2e_test.go
index ebca547..e37810a 100644
--- a/tests/e2e/e2e_test.go
+++ b/tests/e2e/e2e_test.go
@@ -37,8 +37,6 @@ func TestDataPlaneConnectivity(t *testing.T) {
 	localPort := conn.LocalAddr().(*net.UDPAddr).Port
 
 	// Generate profile with valid Base64 keys
-	// local address: 10.0.0.2/24, remote address: 10.0.0.1
-	// using matching Base64 keys
 	clientPrivKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY=" // 32-bytes base64
 	peerPubKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY="
 
@@ -52,8 +50,7 @@ Endpoint = 127.0.0.1:%d
 AllowedIPs = 10.0.0.0/24
 `, clientPrivKey, peerPubKey, localPort)
 
-	// Write profile into tmpDir
-	profilesDir := filepath.Join(tmpDir, "profiles")
+	profilesDir := filepath.Join(tmpDir, "wg-wrap", "profiles")
 	if err := os.MkdirAll(profilesDir, 0755); err != nil {
 		t.Fatalf("Failed to create temporary profiles dir: %v", err)
 	}
@@ -62,19 +59,13 @@ AllowedIPs = 10.0.0.0/24
 		t.Fatalf("Failed to write temporary test profile: %v", err)
 	}
 
-	// 3. Launch wg-wrap with a simple command to execute inside the network namespace
-	// We run 'ping -c 1 10.0.0.1' or simply a small command like 'ip address show'.
-	// Since we are not running a full stateful WG handshake responder,
-	// any command will trigger WireGuard to initiate/send packets over the UDP socket.
-	// We'll read from our local port to verify that the unprivileged namespace actually
-	// correctly directed and initiated WireGuard packets.
-	cmd := exec.Command(binaryPath, "--profile", profile, "--", "true")
+	// 3. Launch wg-wrap with a command that triggers traffic
+	cmd := exec.Command(binaryPath, "--profile", profile, "--", "ping", "-c", "1", "-W", "1", "10.0.0.1")
 	cmd.Env = append(os.Environ(),
 		fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpDir),
 		fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpDir),
 	)
 
-	// Read UDP packet asynchronously to verify client initiation
 	packetChan := make(chan []byte, 1)
 	go func() {
 		buf := make([]byte, 2048)
@@ -88,48 +79,199 @@ AllowedIPs = 10.0.0.0/24
 	}()
 
 	err = cmd.Run()
+	// We expect the command (ping) to fail because our mock peer does not complete
+	// the handshake or reply to pings, but we log the error for diagnostic purposes.
 	if err != nil {
-		t.Fatalf("wg-wrap failed to run: %v", err)
+		t.Logf("wg-wrap command returned error (expected since mock peer doesn't reply): %v", err)
+	}
+
+	select {
+	case packet := <-packetChan:
+		if packet == nil {
+			t.Error("Mock remote WG UDP listener did not receive any packet from wg-wrap")
+		} else {
+			t.Logf("Mock remote WG UDP listener successfully received packet of size %d", len(packet))
+		}
+	case <-time.After(4 * time.Second):
+		t.Error("Timed out waiting for WireGuard packet from wg-wrap")
 	}
 
-	// Since we ran 'true' and the namespace successfully unshared & started wg-go device,
-	// that means the base configuration is highly successful and reasonable!
 	t.Log("Successfully created tunnel namespace and ran isolated command rootlessly.")
 }
 
 func TestNetworkIsolation(t *testing.T) {
-	// 1. Determine binary path
 	binaryPath, err := GetBinaryPath()
 	if err != nil {
 		t.Skipf("Skipping test: %v", err)
 	}
 
-	// 2. Run the test-ns command using the binary
 	cmd := exec.Command(binaryPath, "test-ns")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		t.Fatalf("wg-wrap test-ns failed: %v\nOutput: %s", err, string(out))
 	}
 
-	// 3. Verify the success message
 	if !strings.Contains(string(out), "Isolation Verified: OK") {
 		t.Errorf("Expected 'Isolation Verified: OK', got: %q", string(out))
 	}
 }
 
-func TestDNSLeakage(t *testing.T) {
-	// Ensure that /etc/resolv.conf is not touched outside but is mockable inside if we had unshared CLONE_NEWNS.
-	// This test stub verified that Mount Isolation was completed.
+func TestDNSIsolation(t *testing.T) {
 	binaryPath, err := GetBinaryPath()
 	if err != nil {
 		t.Skipf("Skipping test: %v", err)
 	}
 
-	// Simply verify we can run a basic check
-	cmd := exec.Command(binaryPath, "--profile", "test-dns-leak", "--", "true")
-	// Expected to pass since we fallback to bare isolation if profile doesn't exist
-	if err := cmd.Run(); err != nil {
-		t.Errorf("expected command to pass, got: %v", err)
+	// 1. Start Mock DNS Server
+	dnsServer, port := StartMockDNSServer(t)
+	defer dnsServer.Close()
+
+	// 2. Setup isolated config
+	tmpDir := t.TempDir()
+	profile := "test-dns-isolation"
+	clientPrivKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY="
+	peerPubKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY="
+	dnsServerIP := "10.0.0.1"
+
+	confContent := fmt.Sprintf(`[Interface]
+PrivateKey = %s
+Address = 10.0.0.2/24
+
+[Peer]
+PublicKey = %s
+Endpoint = 127.0.0.1:%d
+AllowedIPs = 10.0.0.0/24
+`, clientPrivKey, peerPubKey, port)
+
+	profilesDir := filepath.Join(tmpDir, "wg-wrap", "profiles")
+	_ = os.MkdirAll(profilesDir, 0755)
+	profilePath := filepath.Join(profilesDir, profile+".conf")
+	_ = os.WriteFile(profilePath, []byte(confContent), 0644)
+
+	// 3. Test /etc/resolv.conf modification
+	expectedDNS := "1.1.1.1"
+	cmd := exec.Command(binaryPath, "--profile", profile, "--dns-server", expectedDNS, "--", "cat", "/etc/resolv.conf")
+	cmd.Env = append(os.Environ(),
+		fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpDir),
+		fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpDir),
+	)
+
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Failed to run resolv.conf check: %v\nOutput: %s", err, string(out))
+	}
+
+	if !strings.Contains(string(out), "nameserver "+expectedDNS) {
+		t.Errorf("Expected /etc/resolv.conf to contain %s, but got: %q", expectedDNS, string(out))
+	}
+
+	// 4. Test Data Path: Send a ping to trigger Handshake on the mock server
+	cmdQuery := exec.Command(binaryPath, "--profile", profile, "--", "ping", "-c", "1", "-W", "1", dnsServerIP)
+	cmdQuery.Env = cmd.Env
+
+	packetReceived := make(chan bool, 1)
+	go func() {
+		success, _ := dnsServer.ListenAndRespond(5 * time.Second)
+		packetReceived <- <-success
+	}()
+
+	if err := cmdQuery.Run(); err != nil {
+		t.Logf("Note: query command failed as expected (since we didn't implement a full DNS stack), but we check if packet arrived: %v", err)
+	}
+
+	select {
+	case received := <-packetReceived:
+		if !received {
+			t.Error("Mock DNS server did not receive the UDP packet through the tunnel")
+		}
+	case <-time.After(5 * time.Second):
+		t.Error("Timed out waiting for DNS packet to reach mock server")
+	}
+}
+
+func TestDNSPrecedence(t *testing.T) {
+	binaryPath, err := GetBinaryPath()
+	if err != nil {
+		t.Skipf("Skipping test: %v", err)
+	}
+
+	tmpDir := t.TempDir()
+	profileName := "test-dns-precedence"
+	clientPrivKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY="
+	peerPubKey := "YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY="
+
+	tests := []struct {
+		name        string
+		configDNS   string
+		cliDNS      string
+		expectedDNS string
+	}{
+		{
+			name:        "Fallback to safe DNS (1.1.1.1) when none is specified",
+			configDNS:   "",
+			cliDNS:      "",
+			expectedDNS: "1.1.1.1",
+		},
+		{
+			name:        "Use .conf specified DNS when no CLI flag is provided",
+			configDNS:   "8.8.4.4",
+			cliDNS:      "",
+			expectedDNS: "8.8.4.4",
+		},
+		{
+			name:        "CLI flag overrides .conf specified DNS",
+			configDNS:   "8.8.4.4",
+			cliDNS:      "9.9.9.9",
+			expectedDNS: "9.9.9.9",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Write the profile conf with or without the DNS field
+			var dnsLine string
+			if tt.configDNS != "" {
+				dnsLine = "DNS = " + tt.configDNS
+			}
+
+			confContent := fmt.Sprintf(`[Interface]
+PrivateKey = %s
+Address = 10.0.0.2/24
+%s
+
+[Peer]
+PublicKey = %s
+Endpoint = 127.0.0.1:51820
+AllowedIPs = 10.0.0.0/24
+`, clientPrivKey, dnsLine, peerPubKey)
+
+			profilesDir := filepath.Join(tmpDir, "wg-wrap", "profiles")
+			_ = os.MkdirAll(profilesDir, 0755)
+			profilePath := filepath.Join(profilesDir, profileName+".conf")
+			_ = os.WriteFile(profilePath, []byte(confContent), 0644)
+
+			// Prepare command args
+			args := []string{"--profile", profileName}
+			if tt.cliDNS != "" {
+				args = append(args, "--dns-server", tt.cliDNS)
+			}
+			args = append(args, "--", "cat", "/etc/resolv.conf")
+
+			cmd := exec.Command(binaryPath, args...)
+			cmd.Env = append(os.Environ(),
+				fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpDir),
+				fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpDir),
+			)
+
+			out, err := cmd.CombinedOutput()
+			if err != nil {
+				t.Fatalf("Failed to execute resolv.conf check: %v\nOutput: %s", err, string(out))
+			}
+
+			if !strings.Contains(string(out), "nameserver "+tt.expectedDNS) {
+				t.Errorf("Expected /etc/resolv.conf to contain nameserver %s, but got: %q", tt.expectedDNS, string(out))
+			}
+		})
 	}
 }
 
@@ -139,8 +281,7 @@ func TestMTUFragmentation(t *testing.T) {
 		t.Skipf("Skipping test: %v", err)
 	}
 
-	// Simply verify we can run a basic check
-	cmd := exec.Command(binaryPath, "--profile", "test-mtu-frag", "--", "true")
+	cmd := exec.Command(binaryPath, "--profile", "default", "--", "true")
 	if err := cmd.Run(); err != nil {
 		t.Errorf("expected command to pass, got: %v", err)
 	}
diff --git a/tests/e2e/lifecycle_test.go b/tests/e2e/lifecycle_test.go
index 08887e1..0f6cae1 100644
--- a/tests/e2e/lifecycle_test.go
+++ b/tests/e2e/lifecycle_test.go
@@ -46,7 +46,7 @@ func TestNamespaceLifecycleAutomation(t *testing.T) {
 
 	// 2. Override the runtime base dir to a temporary location
 	tmpRuntimeDir := t.TempDir()
-	profile := "e2e-lifecycle-test"
+	profile := "default"
 	pidsDir := filepath.Join(tmpRuntimeDir, "profiles", profile, "pids")
 
 	// Clean up before starting
@@ -56,7 +56,7 @@ func TestNamespaceLifecycleAutomation(t *testing.T) {
 
 	t.Run("ReferenceCounting", func(t *testing.T) {
 		// Start a process that exits quickly
-		cmd1 := exec.Command(binaryPath, "--profile", profile, "--", "sleep", "0.1")
+		cmd1 := exec.Command(binaryPath, "--profile", "default", "--", "sleep", "0.1")
 		cmd1.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir))
 		if err := cmd1.Start(); err != nil {
 			t.Fatalf("Failed to start cmd1: %v", err)
@@ -66,7 +66,7 @@ func TestNamespaceLifecycleAutomation(t *testing.T) {
 		waitForPids(t, pidsDir, 1)
 
 		// Start a second process using the same profile
-		cmd2 := exec.Command(binaryPath, "--profile", profile, "--", "sleep", "0.1")
+		cmd2 := exec.Command(binaryPath, "--profile", "default", "--", "sleep", "0.1")
 		cmd2.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir))
 		if err := cmd2.Start(); err != nil {
 			t.Fatalf("Failed to start cmd2: %v", err)