Fix EDNS0 causing false NXDOMAIN and fix 12 scanner bugs

Root cause fix: queryRaw() unconditionally sets EDNS0 OPT on all DNS
queries. Some servers (e.g. dnstm) return NXDOMAIN instead of FORMERR
when they don't understand EDNS0. Refactored retry logic to strip EDNS0
on ANY non-success Rcode, with full fallback chain:
UDP+EDNS0 → UDP-EDNS0 → TCP+EDNS0 → TCP-EDNS0 → TCP ednsRetry.

Other fixes:
- cmd/scan.go: add --edns flag (opt-in), improve 0% diagnostic hints
- cmd/doh_tunnel.go: fix subcommand registration (was dohResolveCmd)
- check.go: fix PingCheck deadline calc, remove maxConsecFail early exit
- doh.go: fix port pool leak on Start() failure, add HTTP client timeouts
- e2e.go: fix port pool leak, consolidate defer (kill→wait→sleep→return)
- edns.go: handle FORMERR with EDNS0 retry
- input.go: deduplicate IPs, strip inline comments
- nxdomain.go: fix hijack detection, return metrics on both paths
- worker.go: buffer results channel to prevent goroutine leaks

Author: SamNet-dev

cmd/doh_tunnel.go

@@ -20,7 +20,7 @@ var dohTunnelCmd = &cobra.Command{
 func init() {
 	dohTunnelCmd.Flags().String("domain", "", "tunnel domain to check NS for")
 	dohTunnelCmd.MarkFlagRequired("domain")
-	dohResolveCmd.AddCommand(dohTunnelCmd)
+	dohCmd.AddCommand(dohTunnelCmd)
 }
 
 func runDoHTunnel(cmd *cobra.Command, args []string) error {

cmd/scan.go

@@ -39,7 +39,7 @@ var stepDescriptions = map[string]string{
 
 var scanCmd = &cobra.Command{
 	Use:   "scan",
-	Short: "Full scan pipeline: ping -> resolve -> nxdomain -> tunnel -> e2e",
+	Short: "Full scan pipeline: ping -> resolve -> nxdomain -> tunnel -> e2e (use --edns to add EDNS check)",
 	Long: `Run a complete resolver scan with all checks in sequence.
 This is the recommended way to find working resolvers for DNS tunneling.
 
@@ -63,6 +63,7 @@ func init() {
 	scanCmd.Flags().Bool("doh", false, "scan DoH resolvers instead of UDP")
 	scanCmd.Flags().Bool("skip-ping", false, "skip ICMP ping step")
 	scanCmd.Flags().Bool("skip-nxdomain", false, "skip NXDOMAIN hijack check")
+	scanCmd.Flags().Bool("edns", false, "include EDNS payload size check (filters resolvers that don't support EDNS)")
 	scanCmd.Flags().Int("top", 10, "number of top results to display")
 	rootCmd.AddCommand(scanCmd)
 }
@@ -76,6 +77,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	dohMode, _ := cmd.Flags().GetBool("doh")
 	skipPing, _ := cmd.Flags().GetBool("skip-ping")
 	skipNXD, _ := cmd.Flags().GetBool("skip-nxdomain")
+	ednsMode, _ := cmd.Flags().GetBool("edns")
 	topN, _ := cmd.Flags().GetInt("top")
 
 	if outputFile == "" {
@@ -153,10 +155,12 @@ func runScan(cmd *cobra.Command, args []string) error {
 			})
 		}
 		if domain != "" {
-			steps = append(steps, scanner.Step{
-				Name: "edns", Timeout: dur,
-				Check: scanner.EDNSCheck(domain, count), SortBy: "edns_max",
-			})
+			if ednsMode {
+				steps = append(steps, scanner.Step{
+					Name: "edns", Timeout: dur,
+					Check: scanner.EDNSCheck(domain, count), SortBy: "edns_max",
+				})
+			}
 			steps = append(steps, scanner.Step{
 				Name: "resolve/tunnel", Timeout: dur,
 				Check: scanner.TunnelCheck(domain, count), SortBy: "resolve_ms",
@@ -320,9 +324,11 @@ func printSummary(report scanner.ChainReport, topN int, totalTime time.Duration,
 				switch step.Name {
 				case "resolve/tunnel", "doh/resolve/tunnel":
 					fmt.Fprintf(w, "\n  %s\u26a0 Hint: resolve/tunnel had 0%% pass rate.%s\n", colorYellow, colorReset)
-					fmt.Fprintf(w, "  %sThis usually means your tunnel domain's NS delegation is not set up correctly.%s\n", colorDim, colorReset)
-					fmt.Fprintf(w, "  %sVerify with: nslookup -type=NS <your-domain> 8.8.8.8%s\n", colorDim, colorReset)
-					fmt.Fprintf(w, "  %sYou need NS + glue A records pointing to your DNSTT server.%s\n", colorDim, colorReset)
+					fmt.Fprintf(w, "  %sPossible causes:%s\n", colorDim, colorReset)
+					fmt.Fprintf(w, "  %s  1. NS delegation not set up: nslookup -type=NS <your-domain> 8.8.8.8%s\n", colorDim, colorReset)
+					fmt.Fprintf(w, "  %s     You need NS + glue A records pointing to your server.%s\n", colorDim, colorReset)
+					fmt.Fprintf(w, "  %s  2. Server returns NXDOMAIN: delegation works but dnstt-server/dnstm is misconfigured.%s\n", colorDim, colorReset)
+					fmt.Fprintf(w, "  %s     Check: cat /etc/dnstm/config.json  |  journalctl -u dnstm-dnsrouter -n 20%s\n", colorDim, colorReset)
 					fmt.Fprintf(w, "  %sSee: https://github.com/SamNet-dev/findns/blob/main/GUIDE.md#-تنظیم-دامنه-تانل-مهم--قبل-از-اسکن-بخوانید%s\n", colorDim, colorReset)
 				case "ping":
 					fmt.Fprintf(w, "\n  %s\u26a0 Hint: ping had 0%% pass rate. Try --skip-ping (ICMP may be blocked).%s\n", colorYellow, colorReset)

internal/scanner/check.go

@@ -11,8 +11,6 @@ import (
 	"time"
 )
 
-const maxConsecFail = 3
-
 // Regex for Linux/macOS: "rtt min/avg/max/mdev = 4.123/5.456/6.789/..."
 var pingAvgRegex = regexp.MustCompile(`= [\d.]+/([\d.]+)/`)
 
@@ -59,7 +57,7 @@ func PingCheck(count int) CheckFunc {
 		if secs < 1 {
 			secs = 1
 		}
-		deadline := count + secs
+		deadline := count*secs + 2
 		ctx, cancel := context.WithTimeout(context.Background(), time.Duration(deadline+2)*time.Second)
 		defer cancel()
 
@@ -77,19 +75,12 @@ func PingCheck(count int) CheckFunc {
 func ResolveCheck(domain string, count int) CheckFunc {
 	return func(ip string, timeout time.Duration) (bool, Metrics) {
 		var successes []float64
-		var consecFail int
 
 		for i := 0; i < count; i++ {
 			start := time.Now()
 			if QueryA(ip, domain, timeout) {
 				ms := float64(time.Since(start).Microseconds()) / 1000.0
 				successes = append(successes, ms)
-				consecFail = 0
-			} else {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 			}
 		}
 
@@ -108,34 +99,24 @@ func ResolveCheck(domain string, count int) CheckFunc {
 func TunnelCheck(domain string, count int) CheckFunc {
 	return func(ip string, timeout time.Duration) (bool, Metrics) {
 		var successes []float64
-		var consecFail int
 
 		for i := 0; i < count; i++ {
 			start := time.Now()
 
 			// Step 1: Query NS for the tunnel domain
 			hosts, ok := QueryNS(ip, domain, timeout)
 			if !ok || len(hosts) == 0 {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 				continue
 			}
 
 			// Step 2: Resolve the first NS hostname to verify glue record
 			nsHost := strings.TrimRight(hosts[0], ".")
 			if !QueryA(ip, nsHost, timeout) {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 				continue
 			}
 
 			ms := float64(time.Since(start).Microseconds()) / 1000.0
 			successes = append(successes, ms)
-			consecFail = 0
 		}
 
 		if len(successes) == 0 {

internal/scanner/dns.go

@@ -22,30 +22,73 @@ func queryRaw(resolver, domain string, qtype uint16, timeout time.Duration) (*dn
 	c.Net = "udp"
 	c.Timeout = timeout
 
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
+	// Use a deadline so all retries share a generous overall budget
+	deadline := time.Now().Add(timeout * 2)
 
+	remaining := func() time.Duration {
+		d := time.Until(deadline)
+		if d < 500*time.Millisecond {
+			return 500 * time.Millisecond
+		}
+		return d
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), remaining())
 	r, _, err := c.ExchangeContext(ctx, m, addr)
+	cancel()
 
-	// If EDNS0 caused FORMERR, retry without it
-	if err == nil && r != nil && r.Rcode == dns.RcodeFormatError {
-		m.Extra = nil // strip EDNS0 OPT record
-		r, _, err = c.ExchangeContext(ctx, m, addr)
+	// ednsRetry strips the EDNS0 OPT record and retries the query.
+	// Returns true if the retry produced a better response.
+	ednsRetry := func() bool {
+		savedExtra := m.Extra
+		m.Extra = nil
+		ctx, cancel = context.WithTimeout(context.Background(), remaining())
+		r2, _, err2 := c.ExchangeContext(ctx, m, addr)
+		cancel()
+		if err2 == nil && r2 != nil {
+			r, err = r2, nil
+			return true // EDNS0 was the problem; keep it stripped
+		}
+		m.Extra = savedExtra // retry didn't help; restore
+		return false
+	}
+
+	// If EDNS0 caused an error response, retry without it.
+	// Some servers (e.g. dnstm) return NXDOMAIN instead of FORMERR
+	// when they don't understand the OPT record.
+	if err == nil && r != nil && r.Rcode != dns.RcodeSuccess {
+		ednsRetry()
 	}
 
 	// If UDP failed entirely, try TCP before giving up
 	if err != nil || r == nil {
 		c.Net = "tcp"
+		ctx, cancel = context.WithTimeout(context.Background(), remaining())
 		r, _, err = c.ExchangeContext(ctx, m, addr)
+		cancel()
 		if err != nil || r == nil {
-			return nil, false
+			// TCP with EDNS0 also failed; last resort: TCP without EDNS0
+			m.Extra = nil
+			ctx, cancel = context.WithTimeout(context.Background(), remaining())
+			r, _, err = c.ExchangeContext(ctx, m, addr)
+			cancel()
+			if err != nil || r == nil {
+				return nil, false
+			}
+		}
+		// TCP succeeded but got error Rcode; try without EDNS0
+		// Skip if EDNS0 was already stripped (m.Extra is nil from line 71)
+		if r != nil && r.Rcode != dns.RcodeSuccess && len(m.Extra) > 0 {
+			ednsRetry()
 		}
 	}
 
 	// Retry over TCP if response was truncated
 	if r.Truncated {
 		c.Net = "tcp"
+		ctx, cancel = context.WithTimeout(context.Background(), remaining())
 		r, _, err = c.ExchangeContext(ctx, m, addr)
+		cancel()
 		if err != nil || r == nil {
 			return nil, false
 		}

internal/scanner/doh.go

@@ -14,9 +14,12 @@ import (
 
 var dohHTTPClient = &http.Client{
 	Transport: &http.Transport{
-		TLSClientConfig:     &tls.Config{InsecureSkipVerify: false},
-		MaxIdleConnsPerHost: 2,
-		IdleConnTimeout:     30 * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: false},
+		MaxIdleConnsPerHost:   10,
+		MaxConnsPerHost:       10,
+		IdleConnTimeout:       30 * time.Second,
+		TLSHandshakeTimeout:  10 * time.Second,
+		ResponseHeaderTimeout: 10 * time.Second,
 	},
 }
 
@@ -114,19 +117,12 @@ func QueryDoHNS(resolverURL, domain string, timeout time.Duration) ([]string, bo
 func DoHResolveCheck(domain string, count int) CheckFunc {
 	return func(url string, timeout time.Duration) (bool, Metrics) {
 		var successes []float64
-		var consecFail int
 
 		for i := 0; i < count; i++ {
 			start := time.Now()
 			if QueryDoHA(url, domain, timeout) {
 				ms := float64(time.Since(start).Microseconds()) / 1000.0
 				successes = append(successes, ms)
-				consecFail = 0
-			} else {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 			}
 		}
 
@@ -146,17 +142,12 @@ func DoHResolveCheck(domain string, count int) CheckFunc {
 func DoHTunnelCheck(domain string, count int) CheckFunc {
 	return func(url string, timeout time.Duration) (bool, Metrics) {
 		var successes []float64
-		var consecFail int
 
 		for i := 0; i < count; i++ {
 			start := time.Now()
 
 			hosts, ok := QueryDoHNS(url, domain, timeout)
 			if !ok || len(hosts) == 0 {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 				continue
 			}
 
@@ -166,16 +157,11 @@ func DoHTunnelCheck(domain string, count int) CheckFunc {
 				nsHost = nsHost[:last]
 			}
 			if !QueryDoHA(url, nsHost, timeout) {
-				consecFail++
-				if consecFail >= maxConsecFail {
-					return false, nil
-				}
 				continue
 			}
 
 			ms := float64(time.Since(start).Microseconds()) / 1000.0
 			successes = append(successes, ms)
-			consecFail = 0
 		}
 
 		if len(successes) == 0 {
@@ -211,7 +197,6 @@ func dohDnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan in
 		case <-ctx.Done():
 			return false, nil
 		}
-		defer func() { ports <- port }()
 
 		start := time.Now()
 
@@ -223,12 +208,15 @@ func dohDnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan in
 		cmd.Stdout = io.Discard
 		cmd.Stderr = io.Discard
 		if err := cmd.Start(); err != nil {
+			ports <- port
 			return false, nil
 		}
+		// Kill process and wait for cleanup BEFORE returning port
 		defer func() {
 			cmd.Process.Kill()
 			cmd.Wait()
-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(300 * time.Millisecond)
+			ports <- port
 		}()
 
 		// Wait for subprocess to start, but cap at 1/3 of timeout

internal/scanner/e2e.go

@@ -43,7 +43,6 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 		case <-ctx.Done():
 			return false, nil
 		}
-		defer func() { ports <- port }()
 
 		start := time.Now()
 
@@ -55,13 +54,15 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 		cmd.Stdout = io.Discard
 		cmd.Stderr = io.Discard
 		if err := cmd.Start(); err != nil {
+			ports <- port
 			return false, nil
 		}
+		// Kill process and wait for cleanup BEFORE returning port
 		defer func() {
 			cmd.Process.Kill()
 			cmd.Wait()
-			// Brief pause so OS can release the port before it's reused
-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(300 * time.Millisecond)
+			ports <- port
 		}()
 
 		// Wait for subprocess to start, but cap at 1/3 of timeout
@@ -103,7 +104,6 @@ func slipstreamCheck(bin, domain, certPath, testURL, proxyAuth string, ports cha
 		case <-ctx.Done():
 			return false, nil
 		}
-		defer func() { ports <- port }()
 
 		start := time.Now()
 
@@ -119,12 +119,15 @@ func slipstreamCheck(bin, domain, certPath, testURL, proxyAuth string, ports cha
 		cmd.Stdout = io.Discard
 		cmd.Stderr = io.Discard
 		if err := cmd.Start(); err != nil {
+			ports <- port
 			return false, nil
 		}
+		// Kill process and wait for cleanup BEFORE returning port
 		defer func() {
 			cmd.Process.Kill()
 			cmd.Wait()
-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(300 * time.Millisecond)
+			ports <- port
 		}()
 
 		// Wait for subprocess to start, but cap at 1/3 of timeout

internal/scanner/edns.go

@@ -55,14 +55,26 @@ func testEDNSPayload(resolver, domain string, payload uint16, timeout time.Durat
 		c.Net = "udp"
 		c.Timeout = timeout
 
+		addr := net.JoinHostPort(resolver, "53")
 		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		r, _, err := c.ExchangeContext(ctx, m, net.JoinHostPort(resolver, "53"))
-		cancel()
+		r, _, err := c.ExchangeContext(ctx, m, addr)
 
 		if err != nil || r == nil {
+			cancel()
 			continue
 		}
 
+		// If EDNS0 caused FORMERR, retry without it
+		if r.Rcode == dns.RcodeFormatError {
+			m.Extra = nil
+			r, _, err = c.ExchangeContext(ctx, m, addr)
+			if err != nil || r == nil {
+				cancel()
+				continue
+			}
+		}
+		cancel()
+
 		// NOERROR or NXDOMAIN both count as "resolver handled it"
 		if r.Rcode == dns.RcodeSuccess || r.Rcode == dns.RcodeNameError {
 			successes++