Releases: SamNet-dev/dnstm-setup

v1.4.0 — VayDNS Tunnels, Monitoring & Diagnostics

03 Apr 15:41

What's New

⚡ VayDNS Tunnel Support

VayDNS is an optimized fork of DNSTT by net2share with KCP/smux reliable sessions, auto-recovery, and a leaner wire protocol. Runs in -dnstt-compat mode for backwards compatibility with existing SlipNet clients.

  • 2 new tunnels: vay1 (SOCKS on v subdomain) and vay-ssh (SSH on vz subdomain)
  • Up to 8 tunnels total (Slipstream + DNSTT + NoizDNS + VayDNS, each with SOCKS and SSH)
  • Transport option 4 in --add-tunnel TUI
  • Binary downloaded automatically during setup; graceful fallback if unavailable
  • Simpler service override than NoizDNS — supports -udp directly, no PT mode needed
  • Full integration: --status, --monitor, --diag, --add-domain, --remove-tunnel, --uninstall

📈 --monitor Command

Live tunnel usage monitoring:

  • Per-tunnel process stats (PID, CPU%, memory, uptime)
  • Active SOCKS/SSH/DNS connection counts
  • Total memory usage
  • Recent journalctl logs
  • Optimized: ~3 forks per tunnel, cached ss output

sudo bash dnstm-setup.sh --monitor
# Live monitoring:
watch -n 5 sudo bash dnstm-setup.sh --monitor

🔍 --diag Command

Comprehensive tunnel diagnostics with issue counting and fix hints:

  • Binary validation (dnstm, dnstt-server -udp flag, noizdns-server/vaydns-server ELF check)
  • Service status with journal log snippets on failure
  • NoizDNS/VayDNS drop-in override and PT env var checks
  • Config.json transport/MTU analysis with high-MTU warnings
  • Port 53 binding, SSH localhost reachability, UFW/iptables rules
  • Public/private key file presence per tunnel
  • External DNS resolution test
  • systemd-resolved conflict detection

sudo bash dnstm-setup.sh --diag

Bug Fixes

--status Hangs (Fixes #31)

  • dnstm tunnel share had no timeout — could hang indefinitely when DNS/domain config is missing
  • Added timeout --kill-after=3 10 to all dnstm subcommand calls in the status path

Empty SlipNet URLs in --status (Fixes #32)

  • When dnstm tunnel list doesn't include domains in its table output, slipnet:// URLs were silently skipped
  • Added fallback to read tunnel domains from /etc/dnstm/config.json via jq or python3

SSH User Management Hangs (Fixes #33)

  • sshtun-user commands were missing </dev/null stdin redirect, causing TTY blocking
  • All sshtun-user calls (list, create, show, update, delete, configure) now have </dev/null and timeout --kill-after=3
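The pattern behind the #31 and #33 fixes, as an added example that is not taken from dnstm-setup.sh: detach stdin and bound the runtime of every helper call, then classify the exit code. `run_bounded` and `describe_rc` are hypothetical names; GNU coreutils `timeout` is assumed, and the 3-second grace period mirrors the `--kill-after=3` noted above.

```shell
#!/usr/bin/env bash
# Added example; run_bounded and describe_rc are hypothetical helpers,
# not functions from dnstm-setup.sh. Assumes GNU coreutils timeout.

# Usage: run_bounded <seconds> <command> [args...]
#  - stdin is /dev/null, so a tool that tries to prompt gets EOF
#    instead of blocking on the terminal
#  - TERM is sent after <seconds>; KILL follows 3 s later if the
#    process ignores TERM
run_bounded() {
    local limit="$1"
    shift
    timeout --kill-after=3 "$limit" "$@" </dev/null
}

# Translate timeout's exit codes into text a status screen can show.
describe_rc() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timed out" ;;                 # TERM was enough
        137) echo "killed after ignoring TERM" ;; # 128 + SIGKILL
        *)   echo "failed (rc=$1)" ;;
    esac
}

# Constructed demo: a command that would wait on stdin, and one that overruns.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    run_bounded 10 cat;     echo "cat:   $(describe_rc $?)"
    run_bounded 1 sleep 5;  echo "sleep: $(describe_rc $?)"
fi
```
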

Other Improvements

  • 9 DNS records (was 7) — 2 new NS records for VayDNS subdomains (v, vz)
  • --add-domain creates VayDNS tunnels for backup domains
  • --add-tunnel offers 4 transport choices: Slipstream, DNSTT, NoizDNS, VayDNS
  • --remove-tunnel cleans up VayDNS service overrides
  • --uninstall removes vaydns-server binary and drop-in files
  • SSH user management generates VayDNS SSH share URLs
  • Help text lists all 10 components (was 6)

Upgrade

curl -fsSL -o dnstm-setup.sh https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/master/dnstm-setup.sh
sudo bash dnstm-setup.sh

Existing setups will continue to work. VayDNS tunnels are created automatically on fresh installs or when running --add-domain. To add VayDNS to an existing server, use --add-tunnel and select transport 4.

v1.3.1 — Update TUI, SSH MAC fix, DNS/Xray hardening

19 Mar 16:36

What's New

Update from TUI

  • New option 10) Update script in the management menu
  • --update flag for CLI usage
  • Auto-detects new versions, downloads, validates, and restarts

SSH MAC Compatibility

  • Fix for Bitvise and older SSH clients failing with no match for method mac algo
  • Adds non-ETM SHA2 MACs as fallbacks while keeping ETM preferred
  • Fixes #19

DNS Safety (never locks users out)

  • EXIT trap auto-fixes DNS if script crashes mid-operation
  • resolv.conf backed up and locked with chattr +i
  • Fallback nameservers written if DNS breaks after disabling stub listener

3x-ui / Xray Backend

  • Credentials set via x-ui setting binary (handles bcrypt hashing in v2.0+)
  • Panel port set via binary, not just sqlite3
  • Login probing validates JSON responses (not HTML error pages)
  • Fixes #18

microsocks GLIBC

  • Proactive GLIBC compatibility check right after dnstm install
  • Waits for dpkg lock (unattended-upgrades) before installing build tools

NoizDNS

  • Binaries self-hosted as GitHub release assets for reliability
  • Binary validation uses file command instead of unreliable -help flag

sshd_config Safety

  • Backed up before sshtun-user configure
  • Validated with sshd -t after modification
  • Auto-rollback if validation fails
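The backup, validate, rollback sequence listed above, as an added example that is not the script's own code. `safe_edit` is a hypothetical helper; the validator defaults to `sshd -t -f <file>` and can be swapped for any command that takes the file path as its last argument.

```shell
#!/usr/bin/env bash
# Added example; safe_edit is a hypothetical helper, not part of dnstm-setup.sh.
# Usage: safe_edit <config-file> <edit-snippet> [validator...]
#   edit-snippet: shell code that modifies "$CFG" in place
#   validator:    command run as `validator... <config-file>`; non-zero
#                 exit means the config is bad (default: sshd -t -f)
# Returns 0 if the edit was kept, 1 if it was rolled back, 2 if no
# backup could be made (in which case the file is never touched).
safe_edit() {
    local cfg="$1" edit="$2" backup
    shift 2
    [ "$#" -gt 0 ] || set -- sshd -t -f

    backup="$(mktemp "${cfg}.bak.XXXXXX")" || return 2
    # -p keeps mode, owner and timestamps so a rollback is exact.
    cp -p -- "$cfg" "$backup" || { rm -f -- "$backup"; return 2; }

    # A failed edit is handled the same way as a failed validation.
    if CFG="$cfg" sh -c "$edit" && "$@" "$cfg" >/dev/null 2>&1; then
        rm -f -- "$backup"
        return 0
    fi

    # Roll back by copying over the existing file, then drop the backup.
    cp -p -- "$backup" "$cfg" && rm -f -- "$backup"
    return 1
}
```

With the default validator, sshd must be able to read its host keys, so run it as root on the server being changed.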

NoizDNS Server Binaries v1.0

19 Mar 15:05

NoizDNS (DPI-resistant DNSTT fork) server binaries for bundled distribution.

v1.3 — NoizDNS + Xray Backend

16 Mar 17:44

What's New in v1.3

🛡️ NoizDNS Tunnels (DPI-Resistant)

Two new tunnel types added to the main setup — 6 tunnels instead of 4:

  • NoizDNS + SOCKS (n subdomain) — DPI-resistant DNS tunnel for SOCKS proxy
  • NoizDNS + SSH (z subdomain) — DPI-resistant DNS tunnel for SSH tunneling

NoizDNS is a DPI-resistant fork of DNSTT by anonvector (same author as SlipNet) that uses alternative DNS query encoding to evade Deep Packet Inspection. The server auto-detects both standard DNSTT and NoizDNS clients. In SlipNet, select NoizDNS as the tunnel type for n and z subdomains.

  • Zero extra configuration — binary downloaded automatically during setup
  • Graceful degradation — if download fails, creates 4 standard tunnels and continues
  • Works on all architectures (amd64, arm64, arm, 386)

🔌 Xray Backend Integration (Optional)

New optional feature to connect an existing 3x-ui panel (or raw Xray) to a DNS tunnel:

sudo bash dnstm-setup.sh --add-xray
# Or via management menu: --manage → option 8

  • Auto-detects 3x-ui (native or Docker) — or installs it for you (full panel or headless)
  • 4 protocols: VLESS, Shadowsocks, VMess, Trojan
  • Internal-only inbound on 127.0.0.1 — only reachable through the DNSTT tunnel
  • Generates client configs — SlipNet URL + client URI for Nekobox/v2rayNG/Shadowrocket
  • Compatible with any V2Ray/Xray client that supports proxy chaining

Other Improvements

  • 7 DNS records (was 5) — 2 new NS records for NoizDNS subdomains
  • --add-domain now creates NoizDNS tunnels for backup domains
  • --status displays NoizDNS tunnel info and SlipNet URLs
  • --remove-tunnel properly cleans up Xray and NoizDNS service overrides
  • Security — SQL injection prevention, cookie jar cleanup, restrictive file permissions, bcrypt password detection
  • Portable — no grep -P, no python3, pure bash

Full Tunnel Setup (v1.3)

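| Tunnel    | Subdomain | Transport               | Backend |
|-----------|-----------|-------------------------|---------|
| slip1     | t         | Slipstream (QUIC)       | SOCKS   |
| dnstt1    | d         | DNSTT (Noise)           | SOCKS   |
| noiz1     | n         | NoizDNS (DPI-resistant) | SOCKS   |
| slip-ssh  | s         | Slipstream (QUIC)       | SSH     |
| dnstt-ssh | ds        | DNSTT (Noise)           | SSH     |
| noiz-ssh  | z         | NoizDNS (DPI-resistant) | SSH     |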