Remove preflight and NS checks — scan is the real test

Preflight e2e and NS delegation checks used external resolvers
(8.8.8.8, 1.1.1.1, etc.) that are all blocked in some areas. They always failed, showed misleading warnings, and added delay.
The scan itself tests every resolver directly. Removed 372
lines of dead code and updated docs to match.

Author: SamNet-dev

GUIDE.md

@@ -732,7 +732,7 @@ findns scan --domain t.example.com
 
 مراحل: `ping -> nxdomain -> resolve/tunnel`
 
-> **نکته مهم:** وقتی `--domain` تنظیم شود، مرحله `resolve` ساده (رکورد A برای google.com) رد می‌شود — دامنه‌های تانل رکورد A ندارند. findns مستقیم به `resolve/tunnel` (بررسی NS delegation) می‌رود.
+> **نکته مهم:** وقتی `--domain` تنظیم شود، مرحله `resolve` ساده (رکورد A برای google.com) رد می‌شود — دامنه‌های تانل رکورد A ندارند. findns مستقیم به `resolve/tunnel` می‌رود.
 
 > برای اضافه کردن تست EDNS payload size از فلگ `--edns` استفاده کنید. با این فلگ: `ping -> nxdomain -> edns -> resolve/tunnel`
 
@@ -1200,11 +1200,7 @@ findns scan -i resolvers.txt -o results.json \
 - pubkey باید دقیقاً همان کلیدی باشد که سرور DNSTT با آن اجرا شده
 - اگر pubkey اشتباه باشد، dnstt-client بدون پیام خطا فیل می‌شود
 
-**۶. preflight e2e و DoH fallback:**
-
-findns قبل از شروع تست e2e، یک "preflight" انجام می‌دهد — با یک resolver عمومی (Google, Cloudflare و ...) تست می‌کند تانل کار می‌کند. اگر DNS معمولی (UDP) مسدود باشد، به صورت خودکار از DoH fallback (آدرس‌های IP-based مثل `https://8.8.8.8/dns-query`) استفاده می‌کند. این یعنی حتی اگر تمام DNS مسدود باشد، preflight e2e همچنان کار می‌کند.
-
-**۷. تست دستی:**
+**۶. تست دستی:**
 
 </div>
 
@@ -1672,7 +1668,6 @@ findns به صورت کامل آفلاین کار می‌کند:
 - بدون `-o`: نتایج در `results.json` ذخیره می‌شود
 - فایل `_ips.txt` خودکار ساخته می‌شود
 - `fetch` اگر دانلود شکست بخورد، خودکار از لیست داخلی استفاده می‌کند
-- تست e2e preflight از DoH fallback (IP-based) استفاده می‌کند — حتی اگر DNS مسدود باشد
 
 ساده‌ترین دستور ممکن: `findns scan --domain t.example.com`
 

README.md

@@ -26,7 +26,6 @@ Supports both **UDP** and **DoH (DNS-over-HTTPS)** resolvers with end-to-end tun
 | 🌐 **CIDR Input** | Accept IP ranges like `185.51.200.0/24` — auto-expanded to individual hosts |
 | 🖥️ **Interactive TUI** | Full terminal UI with guided setup — no flags to remember |
 | 🔌 **Fully Offline** | Zero-config: auto-loads bundled resolvers, no `-i` or `-o` needed |
-| 🛡️ **DoH Preflight** | E2E preflight uses DoH fallback (IP-based URLs) to bypass UDP DNS blocking |
 
 ---
 
@@ -263,7 +262,7 @@ findns scan --domain t.example.com
 **UDP mode pipeline:** `ping → nxdomain → resolve/tunnel → e2e` (add `--edns` for EDNS payload check)
 **DoH mode pipeline:** `doh/resolve/tunnel → doh/e2e`
 
-> When `--domain` is set, the basic `resolve` step (A record for google.com) is skipped — tunnel domains have no A record, so findns goes straight to `resolve/tunnel` (NS delegation check).
+> When `--domain` is set, the basic `resolve` step (A record for google.com) is skipped — tunnel domains have no A record, so findns goes straight to `resolve/tunnel`.
 
 | Flag | Description | Default |
 |------|-------------|---------|
@@ -635,7 +634,6 @@ MIT
 | 🌐 **ورودی CIDR** | رنج آی‌پی مثل `185.51.200.0/24` را می‌خواند و به صورت خودکار باز می‌کند |
 | 🖥️ **رابط کاربری ترمینال (TUI)** | رابط تعاملی کامل — بدون نیاز به حفظ فلگ‌ها |
 | 🔌 **کاملاً آفلاین** | بدون تنظیم: resolverهای داخلی خودکار بارگذاری می‌شوند، نیازی به `-i` یا `-o` نیست |
-| 🛡️ **DoH Preflight** | تست e2e از DoH fallback (آدرس‌های IP-based) برای دور زدن مسدودسازی DNS استفاده می‌کند |
 
 ---
 
@@ -917,7 +915,7 @@ findns tui
 **حالت UDP:** `ping → nxdomain → resolve/tunnel → e2e` (با `--edns` مرحله EDNS اضافه می‌شود)
 **حالت DoH:** `doh/resolve/tunnel → doh/e2e`
 
-> وقتی `--domain` تنظیم شود، مرحله `resolve` ساده (رکورد A برای google.com) رد می‌شود — دامنه‌های تانل رکورد A ندارند، بنابراین findns مستقیم به `resolve/tunnel` (بررسی NS delegation) می‌رود.
+> وقتی `--domain` تنظیم شود، مرحله `resolve` ساده (رکورد A برای google.com) رد می‌شود — دامنه‌های تانل رکورد A ندارند، بنابراین findns مستقیم به `resolve/tunnel` می‌رود.
 
 | فلگ | توضیح | پیش‌فرض |
 |-----|-------|---------|

cmd/scan.go

@@ -198,7 +198,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	}
 
 	printBanner(len(ips), dohMode, domain, steps)
-	printPreFlight(len(ips), domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin, steps)
+	printPreFlight(len(ips), domain, dnsttBin, slipstreamBin, steps)
 
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer stop()
@@ -241,53 +241,23 @@ func hline(left, fill, right string, width int) string {
 	return left + strings.Repeat(fill, width) + right
 }
 
-func printPreFlight(ipCount int, domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin string, steps []scanner.Step) {
+func printPreFlight(ipCount int, domain, dnsttBin, slipstreamBin string, steps []scanner.Step) {
 	if !isTTY() {
 		return
 	}
 	w := os.Stderr
 	fmt.Fprintf(w, "  %sPre-flight:%s\n", colorBold, colorReset)
-	fmt.Fprintf(w, "    %s\u2714%s %d resolvers loaded\n", colorGreen, colorReset, ipCount)
-	fmt.Fprintf(w, "    %s\u2714%s %d workers\n", colorGreen, colorReset, workers)
-	fmt.Fprintf(w, "    %s\u2714%s %d scan steps configured\n", colorGreen, colorReset, len(steps))
+	fmt.Fprintf(w, "    %s✔%s %d resolvers loaded\n", colorGreen, colorReset, ipCount)
+	fmt.Fprintf(w, "    %s✔%s %d workers\n", colorGreen, colorReset, workers)
+	fmt.Fprintf(w, "    %s✔%s %d scan steps configured\n", colorGreen, colorReset, len(steps))
 	if dnsttBin != "" {
-		fmt.Fprintf(w, "    %s\u2714%s dnstt-client: %s%s%s\n", colorGreen, colorReset, colorDim, dnsttBin, colorReset)
+		fmt.Fprintf(w, "    %s✔%s dnstt-client: %s%s%s\n", colorGreen, colorReset, colorDim, dnsttBin, colorReset)
 	}
 	if slipstreamBin != "" {
-		fmt.Fprintf(w, "    %s\u2714%s slipstream-client: %s%s%s\n", colorGreen, colorReset, colorDim, slipstreamBin, colorReset)
+		fmt.Fprintf(w, "    %s✔%s slipstream-client: %s%s%s\n", colorGreen, colorReset, colorDim, slipstreamBin, colorReset)
 	}
 	if domain != "" {
-		nsHosts, nsOK := scanner.QueryNSMulti(domain, 5*time.Second)
-		if nsOK && len(nsHosts) > 0 {
-			fmt.Fprintf(w, "    %s\u2714%s Domain: %s%s%s — NS delegation verified\n",
-				colorGreen, colorReset, colorCyan, domain, colorReset)
-			for _, ns := range nsHosts {
-				fmt.Fprintf(w, "        %s%s%s\n", colorDim, ns, colorReset)
-			}
-		} else {
-			fmt.Fprintf(w, "    %s⚠%s Domain: %s%s%s — %scould not verify NS delegation (DNS may be blocked)%s\n",
-				colorYellow, colorReset, colorCyan, domain, colorReset, colorYellow, colorReset)
-			fmt.Fprintf(w, "      %sThis is normal on filtered networks — scan will continue anyway%s\n", colorDim, colorReset)
-		}
-	}
-	// Preflight e2e: test tunnel connectivity with a known-good resolver
-	if dnsttBin != "" && domain != "" && pubkey != "" {
-		fmt.Fprintf(w, "    %s…%s Tunnel preflight: testing dnstt-server connectivity...\n", colorDim, colorReset)
-		preflightTimeout := time.Duration(e2eTimeout) * time.Second
-		result := scanner.PreflightE2E(dnsttBin, domain, pubkey, testURL, proxyAuth, preflightTimeout)
-		if result.OK {
-			via := result.Resolver
-			if result.DoH {
-				via += " (DoH)"
-			}
-			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2714%s Tunnel preflight: %sconnected via %s%s\n",
-				colorGreen, colorReset, colorGreen, via, colorReset)
-		} else {
-			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2718%s Tunnel preflight: %sFAILED — %s%s\n",
-				colorRed, colorReset, colorRed, result.Err, colorReset)
-			fmt.Fprintf(w, "      %sYour dnstt-server may not be running or is misconfigured.%s\n", colorDim, colorReset)
-			fmt.Fprintf(w, "      %sThe e2e step will likely produce 0 results.%s\n", colorDim, colorReset)
-		}
+		fmt.Fprintf(w, "    %s✔%s Domain: %s%s%s\n", colorGreen, colorReset, colorCyan, domain, colorReset)
 	}
 	fmt.Fprintf(w, "\n")
 }

internal/scanner/dns.go

@@ -114,57 +114,6 @@ func QueryA(resolver, domain string, timeout time.Duration) bool {
 	return len(r.Answer) > 0
 }
 
-// nsResolvers is the list of public DNS resolvers used for NS delegation checks.
-// Multiple are needed because some may be blocked or unreachable in certain regions.
-var nsResolvers = []string{
-	// Global providers
-	"8.8.8.8",         // Google
-	"1.1.1.1",         // Cloudflare
-	"9.9.9.9",         // Quad9
-	"208.67.222.222",  // OpenDNS
-	"76.76.2.0",       // ControlD
-	"94.140.14.14",    // AdGuard
-	"185.228.168.9",   // CleanBrowsing
-	"76.76.19.19",     // Alternate DNS
-	"149.112.112.112", // Quad9 secondary
-	"8.26.56.26",      // Comodo Secure
-	"156.154.70.1",    // Neustar/UltraDNS
-	// Regional (Middle East / Central Asia)
-	"178.22.122.100",  // Shecan (Iran)
-	"185.51.200.2",    // DNS.sb (anycast, good in ME)
-	"195.175.39.39",   // Turk Telekom (Turkey)
-	"80.80.80.80",     // Freenom/Level3 (Turkey/EU)
-	"217.218.127.127", // TCI (Iran)
-	// Regional (Caucasus / nearby)
-	"85.132.75.12",    // AzOnline (Azerbaijan)
-	"213.42.20.20",    // Etisalat DNS (UAE)
-}
-
-// QueryNSMulti tries all resolvers in parallel and returns the first successful result.
-// Overall deadline is the per-resolver timeout (first responder wins).
-func QueryNSMulti(domain string, timeout time.Duration) ([]string, bool) {
-	type nsResult struct {
-		hosts []string
-		ok    bool
-	}
-	ch := make(chan nsResult, len(nsResolvers))
-	for _, resolver := range nsResolvers {
-		go func(r string) {
-			hosts, ok := QueryNS(r, domain, timeout)
-			ch <- nsResult{hosts, ok && len(hosts) > 0}
-		}(resolver)
-	}
-	failures := 0
-	for range nsResolvers {
-		res := <-ch
-		if res.ok {
-			return res.hosts, true
-		}
-		failures++
-	}
-	return nil, false
-}
-
 func QueryNS(resolver, domain string, timeout time.Duration) ([]string, bool) {
 	// Strategy 1: direct NS query — works when the recursive resolver returns
 	// the delegation NS in Answer or Authority.

internal/scanner/e2e.go

@@ -362,156 +362,3 @@ func truncate(s string, maxLen int) string {
 	return s
 }
 
-// preflightResolver describes a single resolver for the preflight check.
-type preflightResolver struct {
-	addr string // IP for UDP, URL for DoH
-	doh  bool   // true = use -doh flag instead of -udp
-	name string // human-readable label
-}
-
-// preflightResolvers: UDP resolvers tried first (fast path), then DoH fallbacks.
-// DoH goes over HTTPS (port 443) which is almost never blocked, even in Iran.
-var preflightResolvers = []preflightResolver{
-	// UDP resolvers — fast path
-	{"8.8.8.8", false, "Google"},
-	{"1.1.1.1", false, "Cloudflare"},
-	{"9.9.9.9", false, "Quad9"},
-	{"208.67.222.222", false, "OpenDNS"},
-	{"76.76.2.0", false, "ControlD"},
-	{"94.140.14.14", false, "AdGuard"},
-	{"185.228.168.9", false, "CleanBrowsing"},
-	{"76.76.19.19", false, "Alternate DNS"},
-	{"149.112.112.112", false, "Quad9 secondary"},
-	{"8.26.56.26", false, "Comodo Secure"},
-	{"156.154.70.1", false, "Neustar/UltraDNS"},
-	{"178.22.122.100", false, "Shecan (Iran)"},
-	{"185.51.200.2", false, "DNS.sb (anycast)"},
-	{"195.175.39.39", false, "Turk Telekom"},
-	{"80.80.80.80", false, "Freenom/Level3"},
-	{"217.218.127.127", false, "TCI (Iran)"},
-	{"85.132.75.12", false, "AzOnline (Azerbaijan)"},
-	{"213.42.20.20", false, "Etisalat DNS (UAE)"},
-	// DoH fallbacks — bypass UDP blocking entirely (port 443)
-	// IP-based URLs avoid needing DNS to resolve the DoH server itself
-	{"https://8.8.8.8/dns-query", true, "Google DoH"},
-	{"https://1.1.1.1/dns-query", true, "Cloudflare DoH"},
-	{"https://9.9.9.9:5053/dns-query", true, "Quad9 DoH"},
-}
-
-// PreflightE2EResult holds the outcome of a preflight e2e test.
-type PreflightE2EResult struct {
-	OK       bool
-	Resolver string // which resolver worked (or last tried)
-	DoH      bool   // true if connected via DoH
-	Stderr   string // dnstt-client stderr on failure
-	Err      string // human-readable error
-}
-
-// PreflightE2E runs e2e tunnel tests against multiple resolvers in parallel.
-// Returns as soon as any one resolver succeeds. If all fail within the timeout,
-// returns an error. This handles blocked resolvers (e.g. Google in Iran) by
-// racing them — whichever resolver is reachable responds first.
-func PreflightE2E(bin, domain, pubkey, testURL, proxyAuth string, timeout time.Duration) PreflightE2EResult {
-	return PreflightE2EContext(context.Background(), bin, domain, pubkey, testURL, proxyAuth, timeout)
-}
-
-// PreflightE2EContext is like PreflightE2E but accepts a parent context for cancellation.
-func PreflightE2EContext(parent context.Context, bin, domain, pubkey, testURL, proxyAuth string, timeout time.Duration) PreflightE2EResult {
-	if testURL == "" {
-		testURL = defaultTestURL
-	}
-
-	// Each parallel test needs its own port
-	basePort := 29900
-	total := len(preflightResolvers)
-	results := make(chan PreflightE2EResult, total)
-
-	ctx, cancel := context.WithTimeout(parent, timeout)
-	defer cancel()
-
-	for i, res := range preflightResolvers {
-		go func(r preflightResolver, port int) {
-			result := preflightSingle(ctx, bin, r, domain, pubkey, testURL, proxyAuth, port, timeout)
-			results <- result
-		}(res, basePort+i)
-	}
-
-	// Wait for first success or all failures
-	failures := 0
-	for {
-		select {
-		case r := <-results:
-			if r.OK {
-				cancel() // stop remaining goroutines
-				return r
-			}
-			failures++
-			if failures >= total {
-				return PreflightE2EResult{
-					OK:  false,
-					Err: "tunnel test failed via all resolvers (UDP + DoH) — dnstt-server may not be running, or your network blocks all DNS paths",
-				}
-			}
-		case <-ctx.Done():
-			return PreflightE2EResult{
-				OK:  false,
-				Err: "tunnel preflight timed out — dnstt-server may not be running, or resolvers are blocked in your region",
-			}
-		}
-	}
-}
-
-func preflightSingle(parent context.Context, bin string, res preflightResolver, domain, pubkey, testURL, proxyAuth string, port int, timeout time.Duration) PreflightE2EResult {
-	ctx, cancel := context.WithTimeout(parent, timeout)
-	defer cancel()
-
-	label := res.name
-	if label == "" {
-		label = res.addr
-	}
-
-	// Build dnstt-client args: -doh URL or -udp IP:53
-	var args []string
-	if res.doh {
-		args = []string{"-doh", res.addr, "-pubkey", pubkey, domain, fmt.Sprintf("127.0.0.1:%d", port)}
-	} else {
-		args = []string{"-udp", net.JoinHostPort(res.addr, "53"), "-pubkey", pubkey, domain, fmt.Sprintf("127.0.0.1:%d", port)}
-	}
-
-	var stderrBuf bytes.Buffer
-	cmd := execCommandContext(ctx, bin, args...)
-	cmd.Stdout = io.Discard
-	cmd.Stderr = &stderrBuf
-
-	if err := cmd.Start(); err != nil {
-		return PreflightE2EResult{Resolver: label, DoH: res.doh, Err: fmt.Sprintf("cannot start %s: %v", bin, err)}
-	}
-
-	exited := make(chan struct{})
-	go func() {
-		cmd.Wait()
-		close(exited)
-	}()
-
-	// cleanup: kill process and wait for exit before returning
-	cleanup := func() {
-		cmd.Process.Kill()
-		select {
-		case <-exited:
-		case <-time.After(2 * time.Second):
-		}
-	}
-
-	if waitAndTestSOCKS(ctx, port, testURL, proxyAuth, exited, timeout) {
-		cleanup()
-		return PreflightE2EResult{OK: true, Resolver: label, DoH: res.doh}
-	}
-
-	// Kill and wait to safely read stderr
-	cleanup()
-	stderr := strings.TrimSpace(stderrBuf.String())
-	if stderr != "" {
-		return PreflightE2EResult{Resolver: label, DoH: res.doh, Stderr: truncate(stderr, 300), Err: "dnstt-client error: " + truncate(stderr, 200)}
-	}
-	return PreflightE2EResult{Resolver: label, DoH: res.doh, Err: fmt.Sprintf("tunnel via %s: no HTTP response within %v", label, timeout)}
-}