Add --query-size flag to cap dnstt-client upstream DNS query size

Fixes e2e failures on filtered networks that block large DNS queries.
Adds Query Size field to TUI config screen and CLI flags parser.

Author: SamNet-dev

cmd/scan.go

@@ -66,6 +66,7 @@ func init() {
 	scanCmd.Flags().Bool("skip-nxdomain", false, "skip NXDOMAIN hijack check")
 	scanCmd.Flags().Bool("edns", false, "include EDNS payload size check (filters resolvers that don't support EDNS)")
 	scanCmd.Flags().Int("edns-size", 1232, "EDNS0 UDP payload size in bytes (default 1232, lower if fragmented)")
+	scanCmd.Flags().Int("query-size", 0, "cap dnstt-client upstream query size in bytes (0 = max, try 50-80 if e2e fails)")
 	scanCmd.Flags().StringSlice("cidr", nil, "CIDR range(s) to scan (e.g. --cidr 5.52.0.0/16)")
 	scanCmd.Flags().String("output-ips", "", "write plain IP list (one per line) to this file")
 	scanCmd.Flags().Int("top", 10, "number of top results to display")
@@ -86,8 +87,14 @@ func runScan(cmd *cobra.Command, args []string) error {
 	outputIPs, _ := cmd.Flags().GetString("output-ips")
 
 	ednsSize, _ := cmd.Flags().GetInt("edns-size")
+	querySize, _ := cmd.Flags().GetInt("query-size")
 	cidrRanges, _ := cmd.Flags().GetStringSlice("cidr")
 
+	// Apply query size (dnstt-client MTU)
+	if querySize > 0 {
+		scanner.DnsttMTU = querySize
+	}
+
 	// Apply EDNS buffer size
 	if ednsSize > 0 && ednsSize <= 65535 {
 		scanner.EDNSBufSize = uint16(ednsSize)

internal/scanner/doh.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -202,11 +203,15 @@ func dohDnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan in
 		start := time.Now()
 
 		var stderrBuf bytes.Buffer
-		cmd := execCommandContext(ctx, bin,
+		args := []string{
 			"-doh", url,
 			"-pubkey", pubkey,
-			domain,
-			fmt.Sprintf("127.0.0.1:%d", port))
+		}
+		if DnsttMTU > 0 {
+			args = append(args, "-mtu", strconv.Itoa(DnsttMTU))
+		}
+		args = append(args, domain, fmt.Sprintf("127.0.0.1:%d", port))
+		cmd := execCommandContext(ctx, bin, args...)
 		cmd.Stdout = io.Discard
 		cmd.Stderr = &stderrBuf
 		if err := cmd.Start(); err != nil {

internal/scanner/e2e.go

@@ -17,6 +17,10 @@ import (
 
 const defaultTestURL = "http://httpbin.org/ip"
 
+// DnsttMTU caps the upstream DNS query payload size (dnstt-client -mtu flag).
+// 0 means use dnstt-client's default (maximum capacity).
+var DnsttMTU int
+
 func PortPool(base, count int) chan int {
 	ch := make(chan int, count)
 	for i := 0; i < count; i++ {
@@ -93,11 +97,15 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 		start := time.Now()
 
 		var stderrBuf bytes.Buffer
-		cmd := execCommandContext(ctx, bin,
+		args := []string{
 			"-udp", net.JoinHostPort(ip, "53"),
 			"-pubkey", pubkey,
-			domain,
-			fmt.Sprintf("127.0.0.1:%d", port))
+		}
+		if DnsttMTU > 0 {
+			args = append(args, "-mtu", strconv.Itoa(DnsttMTU))
+		}
+		args = append(args, domain, fmt.Sprintf("127.0.0.1:%d", port))
+		cmd := execCommandContext(ctx, bin, args...)
 		cmd.Stdout = io.Discard
 		cmd.Stderr = &stderrBuf
 		if err := cmd.Start(); err != nil {

internal/tui/screen_config.go

@@ -23,6 +23,7 @@ const (
 	txtTimeout
 	txtCount
 	txtEDNSSize
+	txtQuerySize
 	txtE2ETimeout
 	numTextInputs
 )
@@ -40,6 +41,7 @@ const (
 	fSkipNXD
 	fEDNS
 	fEDNSSize
+	fQuerySize
 	fE2E       // toggle: enables/disables e2e section
 	fPubkey    // e2e fields below
 	fCert
@@ -69,6 +71,7 @@ var allFields = []fieldDef{
 	{fSkipNXD, "Skip NXDOMAIN", "", "Skip NXDOMAIN hijack detection. Checks if resolver fakes responses.", -1},
 	{fEDNS, "EDNS Check", "", "Test EDNS0 payload size support. Important for DNS tunneling throughput.", -1},
 	{fEDNSSize, "EDNS Size", "", "EDNS0 UDP payload size in bytes. Larger = better throughput, lower if fragmented.", txtEDNSSize},
+	{fQuerySize, "Query Size", "", "Cap upstream DNS query payload size (dnstt -mtu). 0 = max. Try 50-80 if e2e fails on filtered networks.", txtQuerySize},
 	{fE2E, "E2E Testing", "E2E (end-to-end tunnel test)", "Enable end-to-end tunnel tests. Requires tunnel client binaries.", -1},
 	{fPubkey, "Pubkey", "", "Hex public key for dnstt. Requires dnstt-client in PATH.", txtPubkey},
 	{fCert, "Cert", "", "Path to slipstream TLS cert. Requires slipstream-client in PATH.", txtCert},
@@ -143,6 +146,11 @@ func initConfigInputs() []textinput.Model {
 	inputs[txtEDNSSize].SetValue("1232")
 	inputs[txtEDNSSize].CharLimit = 4
 
+	inputs[txtQuerySize] = textinput.New()
+	inputs[txtQuerySize].Placeholder = "0 (max)"
+	inputs[txtQuerySize].SetValue("0")
+	inputs[txtQuerySize].CharLimit = 4
+
 	inputs[txtE2ETimeout] = textinput.New()
 	inputs[txtE2ETimeout].Placeholder = "15"
 	inputs[txtE2ETimeout].SetValue("15")
@@ -286,6 +294,9 @@ func applyConfig(m Model) (Model, tea.Cmd) {
 	if v, err := strconv.Atoi(m.configInputs[txtEDNSSize].Value()); err == nil && v > 0 {
 		m.config.EDNSSize = v
 	}
+	if v, err := strconv.Atoi(m.configInputs[txtQuerySize].Value()); err == nil && v >= 0 {
+		m.config.QuerySize = v
+	}
 	if v, err := strconv.Atoi(m.configInputs[txtE2ETimeout].Value()); err == nil && v > 0 {
 		m.config.E2ETimeout = v
 	}

internal/tui/screen_running.go

@@ -138,6 +138,8 @@ func launchScan(ctx context.Context, ips []string, cfg ScanConfig, steps []scann
 	if cfg.EDNSSize > 0 {
 		scanner.EDNSBufSize = uint16(cfg.EDNSSize)
 	}
+	// Apply query size cap (dnstt-client MTU)
+	scanner.DnsttMTU = cfg.QuerySize
 
 	if len(steps) == 0 {
 		doneCh <- scanDoneMsg{err: fmt.Errorf("no scan steps configured")}

internal/tui/screen_welcome.go

@@ -151,6 +151,12 @@ func parseCLIFlags(m *Model, raw string) {
 				m.configInputs[txtEDNSSize].SetValue(next)
 				i++
 			}
+		case "--query-size":
+			if next != "" {
+				fmt.Sscanf(next, "%d", &m.config.QuerySize)
+				m.configInputs[txtQuerySize].SetValue(next)
+				i++
+			}
 		case "--e2e":
 			m.config.E2E = true
 		case "--doh":

internal/tui/tui.go

@@ -31,6 +31,7 @@ type ScanConfig struct {
 	Count        int
 	E2ETimeout   int
 	EDNSSize     int
+	QuerySize    int
 	SkipPing     bool
 	SkipNXDomain bool
 	EDNS         bool
@@ -125,6 +126,7 @@ func NewModelWithConfig(cfg ScanConfig) Model {
 	inputs[txtTimeout].SetValue(fmt.Sprintf("%d", cfg.Timeout))
 	inputs[txtCount].SetValue(fmt.Sprintf("%d", cfg.Count))
 	inputs[txtEDNSSize].SetValue(fmt.Sprintf("%d", cfg.EDNSSize))
+	inputs[txtQuerySize].SetValue(fmt.Sprintf("%d", cfg.QuerySize))
 	inputs[txtE2ETimeout].SetValue(fmt.Sprintf("%d", cfg.E2ETimeout))
 
 	return Model{