Fix NS delegation, improve e2e reliability, add preflight tunnel check

- Fix NS delegation: query parent zone authoritative nameservers instead
  of recursive resolvers (which return NXDOMAIN for subdomain delegations)
- Increase e2e timeout 10s → 20s, switch test URL HTTPS → HTTP
- Add preflight e2e check: test tunnel via 18 resolvers in parallel
  before scanning. First success wins — handles blocked resolvers.
- Improve error messages for blocked-resolver regions (Iran, etc.)

Author: SamNet-dev

GUIDE.md

@@ -811,7 +811,7 @@ findns scan -i doh-resolvers.txt -o results.json \
 | `--domain` | دامنه تانل (فعال‌سازی تست tunnel/edns) | — |
 | `--pubkey` | کلید عمومی سرور DNSTT (فعال‌سازی تست e2e) | — |
 | `--cert` | مسیر فایل گواهی Slipstream | — |
-| `--test-url` | آدرسی که از طریق تانل تست شود | `https://httpbin.org/ip` |
+| `--test-url` | آدرسی که از طریق تانل تست شود | `http://httpbin.org/ip` |
 | `--proxy-auth` | احراز هویت پروکسی SOCKS به صورت `user:pass` (برای تست e2e) | — |
 | `--doh` | حالت DoH به جای UDP | `false` |
 | `--skip-ping` | رد کردن مرحله ping (مفید اگر ICMP مسدود باشد) | `false` |
@@ -1201,7 +1201,7 @@ findns scan -i resolvers.txt -o results.json \
 dnstt-client -udp 8.8.8.8:53 -pubkey YOUR_KEY t.example.com 127.0.0.1:1080 &
 
 # صبر کنید 3 ثانیه، بعد:
-curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ip
+curl -x socks5h://127.0.0.1:1080 http://httpbin.org/ip
 
 # اگر جواب آمد = تانل کار می‌کند
 # اگر timeout شد = مشکل از سرور یا resolver
@@ -1314,7 +1314,7 @@ https://dns.quad9.net/dns-query
 | `--timeout` | `-t` | تایم‌اوت هر تلاش (ثانیه) | `3` |
 | `--count` | `-c` | تعداد تلاش برای هر IP | `3` |
 | `--workers` | — | تعداد workerهای موازی | `50` |
-| `--e2e-timeout` | — | تایم‌اوت تست‌های e2e (ثانیه) | `10` |
+| `--e2e-timeout` | — | تایم‌اوت تست‌های e2e (ثانیه) | `20` |
 | `--include-failed` | — | IPهای فیل‌شده از ورودی JSON را هم اسکن کن | `false` |
 
 **تنظیم workers:**

README.md

@@ -248,7 +248,7 @@ findns scan -i resolvers.txt -o results.json --domain t.example.com
 | `--domain` | Tunnel domain (enables tunnel/e2e steps) | — |
 | `--pubkey` | DNSTT server public key (enables e2e test) | — |
 | `--cert` | Slipstream cert path (enables Slipstream e2e) | — |
-| `--test-url` | URL to fetch through tunnel for e2e test | `https://httpbin.org/ip` |
+| `--test-url` | URL to fetch through tunnel for e2e test | `http://httpbin.org/ip` |
 | `--proxy-auth` | SOCKS proxy auth as `user:pass` (for e2e tests) | — |
 | `--doh` | Scan DoH resolvers instead of UDP | `false` |
 | `--edns` | Include EDNS payload size check | `false` |
@@ -481,7 +481,7 @@ Step format: `type:key=val,key=val`. Optional params: `count`, `timeout`.
 | `--timeout` | `-t` | Timeout per attempt (seconds) | 3 |
 | `--count` | `-c` | Attempts per IP/URL | 3 |
 | `--workers` | | Concurrent workers | 50 |
-| `--e2e-timeout` | | Timeout for e2e tests (seconds) | 10 |
+| `--e2e-timeout` | | Timeout for e2e tests (seconds) | 20 |
 | `--include-failed` | | Also scan failed entries from JSON input | false |
 
 ---
@@ -876,7 +876,7 @@ findns tui
 | `--domain` | دامنه تانل (فعال‌سازی تست تانل/e2e) | — |
 | `--pubkey` | کلید عمومی سرور DNSTT (فعال‌سازی تست e2e) | — |
 | `--cert` | مسیر گواهی Slipstream (فعال‌سازی تست Slipstream) | — |
-| `--test-url` | آدرس برای تست اتصال e2e | `https://httpbin.org/ip` |
+| `--test-url` | آدرس برای تست اتصال e2e | `http://httpbin.org/ip` |
 | `--proxy-auth` | احراز هویت پروکسی SOCKS به صورت `user:pass` (برای تست e2e) | — |
 | `--doh` | اسکن DoH به جای UDP | `false` |
 | `--edns` | فعال‌سازی تست سایز EDNS payload | `false` |
@@ -1164,7 +1164,7 @@ findns chain -i doh-resolvers.txt -o result.json \
 | `--timeout` | `-t` | تایم‌اوت هر تلاش (ثانیه) | 3 |
 | `--count` | `-c` | تعداد تلاش برای هر IP/URL | 3 |
 | `--workers` | | تعداد workerهای موازی | 50 |
-| `--e2e-timeout` | | تایم‌اوت تست‌های e2e (ثانیه) | 10 |
+| `--e2e-timeout` | | تایم‌اوت تست‌های e2e (ثانیه) | 20 |
 | `--include-failed` | | اسکن IPهای فیل‌شده از ورودی JSON | false |
 
 ---

cmd/chain.go

@@ -100,7 +100,7 @@ func buildStep(cfg stepConfig, defaultTimeout, defaultCount int, ports chan int,
 		if !ok || pubkey == "" {
 			return scanner.Step{}, fmt.Errorf("step %q: missing required param 'pubkey'", cfg.name)
 		}
-		testURL := "https://httpbin.org/ip"
+		testURL := "http://httpbin.org/ip"
 		if v, ok := cfg.params["test-url"]; ok {
 			testURL = v
 		}
@@ -113,7 +113,7 @@ func buildStep(cfg stepConfig, defaultTimeout, defaultCount int, ports chan int,
 			return scanner.Step{}, fmt.Errorf("step %q: missing required param 'domain'", cfg.name)
 		}
 		cert := cfg.params["cert"]
-		testURL := "https://httpbin.org/ip"
+		testURL := "http://httpbin.org/ip"
 		if v, ok := cfg.params["test-url"]; ok {
 			testURL = v
 		}
@@ -153,7 +153,7 @@ func buildStep(cfg stepConfig, defaultTimeout, defaultCount int, ports chan int,
 		if !ok || pubkey == "" {
 			return scanner.Step{}, fmt.Errorf("step %q: missing required param 'pubkey'", cfg.name)
 		}
-		testURL := "https://httpbin.org/ip"
+		testURL := "http://httpbin.org/ip"
 		if v, ok := cfg.params["test-url"]; ok {
 			testURL = v
 		}

cmd/doh_e2e.go

@@ -20,7 +20,7 @@ var dohE2ECmd = &cobra.Command{
 func init() {
 	dohE2ECmd.Flags().String("domain", "", "DNSTT tunnel domain")
 	dohE2ECmd.Flags().String("pubkey", "", "DNSTT server public key")
-	dohE2ECmd.Flags().String("test-url", "https://httpbin.org/ip", "URL to fetch through tunnel")
+	dohE2ECmd.Flags().String("test-url", "http://httpbin.org/ip", "URL to fetch through tunnel")
 	dohE2ECmd.Flags().String("proxy-auth", "", "SOCKS proxy auth as user:pass")
 	dohE2ECmd.MarkFlagRequired("domain")
 	dohE2ECmd.MarkFlagRequired("pubkey")

cmd/e2e_dnstt.go

@@ -20,7 +20,7 @@ var e2eDnsttCmd = &cobra.Command{
 func init() {
 	e2eDnsttCmd.Flags().String("domain", "", "DNSTT tunnel domain")
 	e2eDnsttCmd.Flags().String("pubkey", "", "DNSTT server public key")
-	e2eDnsttCmd.Flags().String("test-url", "https://httpbin.org/ip", "URL to fetch through tunnel")
+	e2eDnsttCmd.Flags().String("test-url", "http://httpbin.org/ip", "URL to fetch through tunnel")
 	e2eDnsttCmd.Flags().String("proxy-auth", "", "SOCKS proxy auth as user:pass")
 	e2eDnsttCmd.MarkFlagRequired("domain")
 	e2eDnsttCmd.MarkFlagRequired("pubkey")

cmd/e2e_slipstream.go

@@ -20,7 +20,7 @@ var e2eSlipstreamCmd = &cobra.Command{
 func init() {
 	e2eSlipstreamCmd.Flags().String("domain", "", "Slipstream tunnel domain")
 	e2eSlipstreamCmd.Flags().String("cert", "", "path to Slipstream certificate for cert pinning (optional)")
-	e2eSlipstreamCmd.Flags().String("test-url", "https://httpbin.org/ip", "URL to fetch through tunnel")
+	e2eSlipstreamCmd.Flags().String("test-url", "http://httpbin.org/ip", "URL to fetch through tunnel")
 	e2eSlipstreamCmd.Flags().String("proxy-auth", "", "SOCKS proxy auth as user:pass")
 	e2eSlipstreamCmd.MarkFlagRequired("domain")
 	e2eCmd.AddCommand(e2eSlipstreamCmd)

cmd/root.go

@@ -45,7 +45,7 @@ func init() {
 	rootCmd.PersistentFlags().IntVar(&workers, "workers", 50, "concurrent workers")
 	rootCmd.PersistentFlags().IntVarP(&timeout, "timeout", "t", 3, "timeout per attempt in seconds")
 	rootCmd.PersistentFlags().IntVarP(&count, "count", "c", 3, "number of attempts per IP for ping/resolve checks")
-	rootCmd.PersistentFlags().IntVar(&e2eTimeout, "e2e-timeout", 10, "timeout for e2e tunnel tests in seconds")
+	rootCmd.PersistentFlags().IntVar(&e2eTimeout, "e2e-timeout", 20, "timeout for e2e tunnel tests in seconds")
 	rootCmd.SilenceUsage = true
 }
 

cmd/scan.go

@@ -58,7 +58,7 @@ func init() {
 	scanCmd.Flags().String("domain", "", "tunnel domain (required for tunnel/edns/e2e steps)")
 	scanCmd.Flags().String("pubkey", "", "DNSTT public key (enables e2e test)")
 	scanCmd.Flags().String("cert", "", "Slipstream cert path (enables slipstream e2e test)")
-	scanCmd.Flags().String("test-url", "https://httpbin.org/ip", "URL to test through tunnel")
+	scanCmd.Flags().String("test-url", "http://httpbin.org/ip", "URL to test through tunnel")
 	scanCmd.Flags().String("proxy-auth", "", "SOCKS proxy auth as user:pass (for e2e tests)")
 	scanCmd.Flags().Bool("doh", false, "scan DoH resolvers instead of UDP")
 	scanCmd.Flags().Bool("skip-ping", false, "skip ICMP ping step")
@@ -185,7 +185,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	}
 
 	printBanner(len(ips), dohMode, domain, steps)
-	printPreFlight(len(ips), domain, dnsttBin, slipstreamBin, steps)
+	printPreFlight(len(ips), domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin, steps)
 
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer stop()
@@ -215,7 +215,7 @@ func hline(left, fill, right string, width int) string {
 	return left + strings.Repeat(fill, width) + right
 }
 
-func printPreFlight(ipCount int, domain, dnsttBin, slipstreamBin string, steps []scanner.Step) {
+func printPreFlight(ipCount int, domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin string, steps []scanner.Step) {
 	if !isTTY() {
 		return
 	}
@@ -242,7 +242,22 @@ func printPreFlight(ipCount int, domain, dnsttBin, slipstreamBin string, steps [
 			fmt.Fprintf(w, "    %s\u2718%s Domain: %s%s%s — %sNS delegation NOT found!%s\n",
 				colorRed, colorReset, colorCyan, domain, colorReset, colorRed, colorReset)
 			fmt.Fprintf(w, "      %sTunnel/e2e steps will likely fail. Verify your DNS setup:%s\n", colorDim, colorReset)
-			fmt.Fprintf(w, "      %snslookup -type=NS %s 8.8.8.8%s\n", colorDim, domain, colorReset)
+			fmt.Fprintf(w, "      %sdig NS %s @8.8.8.8  (or check your registrar/Cloudflare dashboard)%s\n", colorDim, domain, colorReset)
+		}
+	}
+	// Preflight e2e: test tunnel connectivity with a known-good resolver
+	if dnsttBin != "" && domain != "" && pubkey != "" {
+		fmt.Fprintf(w, "    %s…%s Tunnel preflight: testing dnstt-server connectivity...\n", colorDim, colorReset)
+		preflightTimeout := time.Duration(e2eTimeout) * time.Second
+		result := scanner.PreflightE2E(dnsttBin, domain, pubkey, testURL, proxyAuth, preflightTimeout)
+		if result.OK {
+			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2714%s Tunnel preflight: %sconnected via %s%s\n",
+				colorGreen, colorReset, colorGreen, result.Resolver, colorReset)
+		} else {
+			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2718%s Tunnel preflight: %sFAILED — %s%s\n",
+				colorRed, colorReset, colorRed, result.Err, colorReset)
+			fmt.Fprintf(w, "      %sYour dnstt-server may not be running or is misconfigured.%s\n", colorDim, colorReset)
+			fmt.Fprintf(w, "      %sThe e2e step will likely produce 0 results.%s\n", colorDim, colorReset)
 		}
 	}
 	fmt.Fprintf(w, "\n")

internal/scanner/dns.go

@@ -3,6 +3,7 @@ package scanner
 import (
 	"context"
 	"net"
+	"strings"
 	"time"
 
 	"github.com/miekg/dns"
@@ -152,27 +153,102 @@ func QueryNSMulti(domain string, timeout time.Duration) ([]string, bool) {
 }
 
 func QueryNS(resolver, domain string, timeout time.Duration) ([]string, bool) {
+	// Strategy 1: direct NS query — works when the recursive resolver returns
+	// the delegation NS in Answer or Authority.
 	r, ok := queryRaw(resolver, domain, dns.TypeNS, timeout)
-	if !ok {
+	if ok {
+		var hosts []string
+		for _, ans := range r.Answer {
+			if ns, ok := ans.(*dns.NS); ok {
+				hosts = append(hosts, ns.Ns)
+			}
+		}
+		if len(hosts) == 0 {
+			for _, ans := range r.Ns {
+				if ns, ok := ans.(*dns.NS); ok {
+					hosts = append(hosts, ns.Ns)
+				}
+			}
+		}
+		if len(hosts) > 0 {
+			return hosts, true
+		}
+	}
+
+	// Strategy 2: query the parent zone's authoritative nameservers directly.
+	// For "t.example.com", find NS of "example.com", then ask those servers
+	// for NS of "t.example.com".  This is how subdomain delegation actually
+	// works in the DNS hierarchy.
+	parent := parentZone(domain)
+	if parent == "" {
 		return nil, false
 	}
-	var hosts []string
-	// Check Answer section first
-	for _, ans := range r.Answer {
+	// Get parent zone NS from the resolver
+	pr, pok := queryRaw(resolver, parent, dns.TypeNS, timeout)
+	if !pok {
+		return nil, false
+	}
+	var parentNS []string
+	for _, ans := range pr.Answer {
 		if ns, ok := ans.(*dns.NS); ok {
-			hosts = append(hosts, ns.Ns)
+			parentNS = append(parentNS, ns.Ns)
 		}
 	}
-	// For subdomain delegations, NS records are often in the Authority section
-	if len(hosts) == 0 {
-		for _, ans := range r.Ns {
+	if len(parentNS) == 0 {
+		return nil, false
+	}
+
+	// Resolve the first parent NS to an IP and query it directly
+	for _, nsHost := range parentNS {
+		nsHost = strings.TrimSuffix(nsHost, ".")
+		// Resolve the NS hostname to an IP via the same resolver
+		ar, aok := queryRaw(resolver, nsHost, dns.TypeA, timeout)
+		if !aok {
+			continue
+		}
+		var nsIP string
+		for _, ans := range ar.Answer {
+			if a, ok := ans.(*dns.A); ok {
+				nsIP = a.A.String()
+				break
+			}
+		}
+		if nsIP == "" {
+			continue
+		}
+		// Ask the parent's authoritative NS for the subdomain's NS records
+		dr, dok := queryRaw(nsIP, domain, dns.TypeNS, timeout)
+		if !dok {
+			continue
+		}
+		var hosts []string
+		for _, ans := range dr.Answer {
 			if ns, ok := ans.(*dns.NS); ok {
 				hosts = append(hosts, ns.Ns)
 			}
 		}
+		if len(hosts) == 0 {
+			for _, ans := range dr.Ns {
+				if ns, ok := ans.(*dns.NS); ok {
+					hosts = append(hosts, ns.Ns)
+				}
+			}
+		}
+		if len(hosts) > 0 {
+			return hosts, true
+		}
 	}
-	if len(hosts) == 0 {
-		return nil, false
+	return nil, false
+}
+
+// parentZone returns the parent zone of a domain.
+// e.g. "t.example.com" → "example.com", "example.com" → "com"
+// Returns "" if the domain has no parent (is a TLD or empty).
+func parentZone(domain string) string {
+	domain = strings.TrimSuffix(domain, ".")
+	parts := strings.SplitN(domain, ".", 2)
+	if len(parts) < 2 || parts[1] == "" {
+		return ""
 	}
-	return hosts, true
+	return parts[1]
 }