Fix resolve/tunnel failing on valid setups: use TXT query instead of NS

NS queries return empty on most dnstt/dnstm setups because the
authoritative server doesn't serve NS records. Query a random subdomain
TXT record instead, which is what dnstt-client actually does.

Fixes #1

Author: SamNet-dev

internal/scanner/check.go

@@ -7,8 +7,9 @@ import (
 	"regexp"
 	"runtime"
 	"strconv"
-	"strings"
 	"time"
+
+	"github.com/miekg/dns"
 )
 
 // Regex for Linux/macOS: "rtt min/avg/max/mdev = 4.123/5.456/6.789/..."
@@ -103,15 +104,16 @@ func TunnelCheck(domain string, count int) CheckFunc {
 		for i := 0; i < count; i++ {
 			start := time.Now()
 
-			// Step 1: Query NS for the tunnel domain
-			hosts, ok := QueryNS(ip, domain, timeout)
-			if !ok || len(hosts) == 0 {
+			// Query a random subdomain TXT record — same as what dnstt-client does.
+			// If the resolver forwards it to the authoritative server, the tunnel works.
+			// NS queries fail on most setups because dnstt-server/dnstm don't serve NS records.
+			qname := fmt.Sprintf("tun-%s.%s", randLabel(8), domain)
+			r, ok := queryRaw(ip, qname, dns.TypeTXT, timeout)
+			if !ok || r == nil {
 				continue
 			}
-
-			// Step 2: Resolve the first NS hostname to verify glue record
-			nsHost := strings.TrimRight(hosts[0], ".")
-			if !QueryA(ip, nsHost, timeout) {
+			// SERVFAIL/REFUSED = resolver can't reach the authoritative server
+			if r.Rcode == dns.RcodeServerFailure || r.Rcode == dns.RcodeRefused {
 				continue
 			}
 

internal/scanner/doh.go

@@ -138,25 +138,21 @@ func DoHResolveCheck(domain string, count int) CheckFunc {
 	}
 }
 
-// DoHTunnelCheck tests NS delegation via DoH resolver.
+// DoHTunnelCheck tests if a DoH resolver can forward queries to the tunnel domain.
 func DoHTunnelCheck(domain string, count int) CheckFunc {
 	return func(url string, timeout time.Duration) (bool, Metrics) {
 		var successes []float64
 
 		for i := 0; i < count; i++ {
 			start := time.Now()
 
-			hosts, ok := QueryDoHNS(url, domain, timeout)
-			if !ok || len(hosts) == 0 {
+			// Query a random subdomain TXT record — same as what dnstt-client does.
+			qname := fmt.Sprintf("tun-%s.%s", randLabel(8), domain)
+			r, ok := queryDoHRaw(url, qname, dns.TypeTXT, timeout)
+			if !ok || r == nil {
 				continue
 			}
-
-			// Verify glue record via same DoH resolver
-			nsHost := hosts[0]
-			if last := len(nsHost) - 1; last >= 0 && nsHost[last] == '.' {
-				nsHost = nsHost[:last]
-			}
-			if !QueryDoHA(url, nsHost, timeout) {
+			if r.Rcode == dns.RcodeServerFailure || r.Rcode == dns.RcodeRefused {
 				continue
 			}