diff --git a/control/control_plane.go b/control/control_plane.go
index 5828060..29885d3 100644
--- a/control/control_plane.go
+++ b/control/control_plane.go
@@ -194,12 +194,15 @@ func NewControlPlane(
 		}
 	}()
 
-	/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.
-	// Bind to LAN
-	if len(global.LanInterface) > 0 {
+	if len(global.LanInterface) > 0 || len(global.WanInterface) > 0 {
 		if err = core.setupRoutingPolicy(); err != nil {
 			return nil, err
 		}
+	}
+
+	/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.
+	// Bind to LAN
+	if len(global.LanInterface) > 0 {
 		if global.AutoConfigKernelParameter {
 			_ = SetIpv4forward("1")
 		}
diff --git a/docs/en/README.md b/docs/en/README.md
index 44cde1b..8d99411 100644
--- a/docs/en/README.md
+++ b/docs/en/README.md
@@ -195,7 +195,7 @@ group {
 
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
 routing {
-  pname(NetworkManager) -> direct
+  pname(NetworkManager, systemd-resolved, dnsmasq) -> must_direct
   dip(224.0.0.0/3, 'ff00::/8') -> direct
 
   ### Write your rules below.
diff --git a/example.dae b/example.dae
index fd62d7d..ab08dd1 100644
--- a/example.dae
+++ b/example.dae
@@ -202,6 +202,9 @@ routing {
     # WAN.
     pname(NetworkManager) -> direct
 
+    # Bypass DNS stubs. We want to bypass their DNS requests, thus use 'must'.
+    pname(systemd-resolved, dnsmasq) -> must_direct
+
     # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
     # forwarded by the proxy.
     # "dip" means destination IP.