Add e2e preflight check: test dnstt-server before scanning

Before scanning thousands of resolvers, test tunnel connectivity via
known-good resolvers (all 18 from NS resolver list). If dnstt-server
is unreachable, warn immediately instead of scanning for 0 results.

Shows clear pass/fail in CLI pre-flight:
  ✔ Tunnel preflight: connected via 8.8.8.8
  ✘ Tunnel preflight: FAILED — dnstt-server may not be running

Author: SamNet-dev

cmd/scan.go

@@ -185,7 +185,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	}
 
 	printBanner(len(ips), dohMode, domain, steps)
-	printPreFlight(len(ips), domain, dnsttBin, slipstreamBin, steps)
+	printPreFlight(len(ips), domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin, steps)
 
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer stop()
@@ -215,7 +215,7 @@ func hline(left, fill, right string, width int) string {
 	return left + strings.Repeat(fill, width) + right
 }
 
-func printPreFlight(ipCount int, domain, dnsttBin, slipstreamBin string, steps []scanner.Step) {
+func printPreFlight(ipCount int, domain, pubkey, testURL, proxyAuth, dnsttBin, slipstreamBin string, steps []scanner.Step) {
 	if !isTTY() {
 		return
 	}
@@ -245,6 +245,21 @@ func printPreFlight(ipCount int, domain, dnsttBin, slipstreamBin string, steps [
 			fmt.Fprintf(w, "      %sdig NS %s @8.8.8.8  (or check your registrar/Cloudflare dashboard)%s\n", colorDim, domain, colorReset)
 		}
 	}
+	// Preflight e2e: test tunnel connectivity with a known-good resolver
+	if dnsttBin != "" && domain != "" && pubkey != "" {
+		fmt.Fprintf(w, "    %s…%s Tunnel preflight: testing dnstt-server connectivity...\n", colorDim, colorReset)
+		e2eTimeout := time.Duration(e2eTimeout) * time.Second
+		result := scanner.PreflightE2E(dnsttBin, domain, pubkey, testURL, proxyAuth, e2eTimeout)
+		if result.OK {
+			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2714%s Tunnel preflight: %sconnected via %s%s\n",
+				colorGreen, colorReset, colorGreen, result.Resolver, colorReset)
+		} else {
+			fmt.Fprintf(w, "\r\033[2K\033[A\033[2K    %s\u2718%s Tunnel preflight: %sFAILED — %s%s\n",
+				colorRed, colorReset, colorRed, result.Err, colorReset)
+			fmt.Fprintf(w, "      %sYour dnstt-server may not be running or is misconfigured.%s\n", colorDim, colorReset)
+			fmt.Fprintf(w, "      %sThe e2e step will likely produce 0 results.%s\n", colorDim, colorReset)
+		}
+	}
 	fmt.Fprintf(w, "\n")
 }
 

internal/scanner/e2e.go

@@ -361,3 +361,104 @@ func truncate(s string, maxLen int) string {
 	}
 	return s
 }
+
+// preflightResolvers are tried in order for the e2e preflight check.
+// Uses the same list as nsResolvers in dns.go for maximum coverage.
+var preflightResolvers = []string{
+	"8.8.8.8",         // Google
+	"1.1.1.1",         // Cloudflare
+	"9.9.9.9",         // Quad9
+	"208.67.222.222",  // OpenDNS
+	"76.76.2.0",       // ControlD
+	"94.140.14.14",    // AdGuard
+	"185.228.168.9",   // CleanBrowsing
+	"76.76.19.19",     // Alternate DNS
+	"149.112.112.112", // Quad9 secondary
+	"8.26.56.26",      // Comodo Secure
+	"156.154.70.1",    // Neustar/UltraDNS
+	"178.22.122.100",  // Shecan (Iran)
+	"185.51.200.2",    // DNS.sb (anycast)
+	"195.175.39.39",   // Turk Telekom (Turkey)
+	"80.80.80.80",     // Freenom/Level3 (Turkey/EU)
+	"217.218.127.127", // TCI (Iran)
+	"85.132.75.12",    // AzOnline (Azerbaijan)
+	"213.42.20.20",    // Etisalat DNS (UAE)
+}
+
+// PreflightE2EResult holds the outcome of a preflight e2e test.
+type PreflightE2EResult struct {
+	OK       bool
+	Resolver string // which resolver worked (or last tried)
+	Stderr   string // dnstt-client stderr on failure
+	Err      string // human-readable error
+}
+
+// PreflightE2E runs a single e2e tunnel test against known-good resolvers
+// to verify that the dnstt-server is reachable before scanning thousands of IPs.
+// It tries preflightResolvers in order and returns on the first success.
+func PreflightE2E(bin, domain, pubkey, testURL, proxyAuth string, timeout time.Duration) PreflightE2EResult {
+	if testURL == "" {
+		testURL = defaultTestURL
+	}
+	port := 29999 // dedicated port for preflight, outside normal pool range
+
+	for _, resolver := range preflightResolvers {
+		result := preflightSingle(bin, resolver, domain, pubkey, testURL, proxyAuth, port, timeout)
+		if result.OK {
+			return result
+		}
+	}
+
+	return PreflightE2EResult{
+		OK:  false,
+		Err: fmt.Sprintf("tunnel test failed via all preflight resolvers (%v) — dnstt-server may not be running or is misconfigured", preflightResolvers),
+	}
+}
+
+func preflightSingle(bin, resolver, domain, pubkey, testURL, proxyAuth string, port int, timeout time.Duration) PreflightE2EResult {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	var stderrBuf bytes.Buffer
+	cmd := execCommandContext(ctx, bin,
+		"-udp", net.JoinHostPort(resolver, "53"),
+		"-pubkey", pubkey,
+		domain,
+		fmt.Sprintf("127.0.0.1:%d", port))
+	cmd.Stdout = io.Discard
+	cmd.Stderr = &stderrBuf
+
+	if err := cmd.Start(); err != nil {
+		return PreflightE2EResult{Resolver: resolver, Err: fmt.Sprintf("cannot start %s: %v", bin, err)}
+	}
+
+	exited := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		close(exited)
+	}()
+
+	defer func() {
+		cmd.Process.Kill()
+		select {
+		case <-exited:
+		case <-time.After(2 * time.Second):
+		}
+	}()
+
+	if waitAndTestSOCKS(ctx, port, testURL, proxyAuth, exited, timeout) {
+		return PreflightE2EResult{OK: true, Resolver: resolver}
+	}
+
+	// Kill and wait to safely read stderr
+	cmd.Process.Kill()
+	select {
+	case <-exited:
+	case <-time.After(2 * time.Second):
+	}
+	stderr := strings.TrimSpace(stderrBuf.String())
+	if stderr != "" {
+		return PreflightE2EResult{Resolver: resolver, Stderr: truncate(stderr, 300), Err: "dnstt-client error: " + truncate(stderr, 200)}
+	}
+	return PreflightE2EResult{Resolver: resolver, Err: fmt.Sprintf("tunnel via %s: no HTTP response within %v", resolver, timeout)}
+}