{"id":50818352,"url":"https://github.com/mrvcoder/dns-tunnel-kit","last_synced_at":"2026-06-13T11:33:51.622Z","repository":{"id":359944700,"uuid":"1248111185","full_name":"mrvcoder/dns-tunnel-kit","owner":"mrvcoder","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-24T08:24:07.000Z","size":8009,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-24T09:26:50.916Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrvcoder.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-24T07:43:03.000Z","updated_at":"2026-05-24T08:24:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mrvcoder/dns-tunnel-kit","commit_stats":null,"previous_names":["mrvcoder/dns-tunnel-kit"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mrvcoder/dns-tunnel-kit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrvcoder%2Fdns-tunnel-kit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrvcoder%2Fdns-tunnel-kit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrvcoder%2Fdns-tunnel-kit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrvcoder%2Fdns-tunnel-kit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mrvcoder","download_url":"https://codeload.github.com/mrvcoder/dns-tunnel-kit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrvcoder%2Fdns-tunnel-kit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34283390,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-13T11:33:49.775Z","updated_at":"2026-06-13T11:33:51.610Z","avatar_url":"https://github.com/mrvcoder.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🌐 DNS Tunnel Kit\n\nBypass DNS-based internet censorship using **five independent DNS tunnel methods** — MasterDnsVPN, Slipstream, dnstt, VayDNS, and StormDNS — all managed by a single setup script.\n\n\u003e **Credits:** [github.com/mrvcoder](https://github.com/mrvcoder)\n\n---\n\n## 🏗 Architecture\n\n```\n                            ┌─────────────────────────────────────────────┐\n  Client (Iran)             │  Frankfurt Server :53                       │\n  ─────────────             │                                             │\n  MasterDnsVPN client  ───▶ │  dnstm DNS Router                           │\n  SlipNet (Slipstream) ───▶ │    ├─ a.yourdomain.com → MasterDnsVPN :5312 │\n  dnstt-client         ───▶ │    ├─ b.yourdomain.com → Slipstream   :5310 │\n  VayDNS client        ───▶ │    ├─ c.yourdomain.com → dnstt        :5313 │\n  StormDNS client      ───▶ │    ├─ d.yourdomain.com → VayDNS       :5314 │\n                            │    └─ e.yourdomain.com → StormDNS     :5315 │\n                            └─────────────────────────────────────────────┘\n```\n\n| Tunnel | Default Domain | Protocol | Encryption | SOCKS5 |\n|---|---|---|---|---|\n| **MasterDnsVPN** | `a.yourdomain.com` | Custom DNS + ARQ | ChaCha20 | built-in |\n| **Slipstream** | `b.yourdomain.com` | DNS → SOCKS5 | TLS passthrough | microsocks |\n| **dnstt** | `c.yourdomain.com` | DNS TXT encoding | Noise protocol | microsocks (no-auth) |\n| **VayDNS** | `d.yourdomain.com` | DNS TXT + KCP + smux | Noise + uTLS | microsocks |\n| **StormDNS** | `e.yourdomain.com` | DNS + ARQ + multi-resolver | ChaCha20 (default) | built-in |\n\nAll five run simultaneously on the same server, each on a different subdomain.\n\n---\n\n## 📦 Binary install policy\n\n`setup.sh` resolves every binary in this order:\n\n1. **Already on `$PATH`** — leave it alone.\n2. **Latest GitHub release** — try the upstream `releases/latest/download/...` URL and verify the file is a real ELF.\n3. **Vendored `bin/\u003cname\u003e`** — fall back to the snapshot shipped in this repo.\n4. Warn and continue (the per-tunnel setup decides whether to abort).\n\nThat way users always pick up upstream fixes by default, but the kit still works offline / behind a firewall using the pinned `bin/` snapshot.\n\n| Binary | Vendored fallback (`bin/`) | Upstream source |\n|---|---|---|\n| `dnstm` | ✅ | [github.com/net2share/dnstm](https://github.com/net2share/dnstm/releases/latest) |\n| `slipstream-server` | ✅ | [github.com/endpositive/slipstream](https://github.com/endpositive/slipstream/releases/latest) |\n| `dnstt-server` | ✅ (also used as the fallback for `dnstt-server-noizdns`) | upstream of NoizDNS variant: [github.com/anonvector/noizdns-deploy](https://github.com/anonvector/noizdns-deploy/releases/latest) |\n| `microsocks` | ✅ (and source-build is a last resort) | [github.com/rofl0r/microsocks](https://github.com/rofl0r/microsocks/releases/latest) |\n| `vaydns-server` | ✅ | [github.com/net2share/vaydns](https://github.com/net2share/vaydns/releases/latest) |\n| `stormdns-server` | optional (drop a binary at `bin/stormdns-server` to enable offline install) | [github.com/nullroute1970/StormDNS](https://github.com/nullroute1970/StormDNS/releases/latest) |\n\n\u003e **MasterDnsVPN** is downloaded separately by `setup.sh` (legacy and modern variants) from  \n\u003e [github.com/masterking32/MasterDnsVPN/releases](https://github.com/masterking32/MasterDnsVPN/releases/latest).\n\nSet `FORCE_BUNDLED=1` to skip the upstream check and install straight from `bin/` — useful when you want reproducible builds or your server can't reach GitHub.\n\n```bash\nsudo FORCE_BUNDLED=1 bash setup.sh install\n```\n\n---\n\n## 🚀 Quick Start\n\n### Full Server Setup\n\n```bash\ngit clone https://github.com/mrvcoder/dns-tunnel-kit\ncd dns-tunnel-kit\n\n# Install everything: MasterDnsVPN + Slipstream + dnstt + VayDNS + StormDNS + dnstm router\nsudo bash setup.sh install\n```\n\n### Individual Tunnels\n\n```bash\nsudo bash setup.sh masterdnsvpn   # MasterDnsVPN only\nsudo bash setup.sh slipstream     # Slipstream only\nsudo bash setup.sh dnstt          # dnstt only\nsudo bash setup.sh vaydns         # VayDNS only\nsudo bash setup.sh stormdns       # StormDNS only\nsudo bash setup.sh dnstm          # dnstm DNS router only\n```\n\n### Custom Domains\n\nOverride domains via environment variables:\n\n```bash\nsudo MDNS_DOMAIN=tunnel1.example.com \\\n     SLIP_DOMAIN=tunnel2.example.com \\\n     DNSTT_DOMAIN=tunnel3.example.com \\\n     VAYDNS_DOMAIN=tunnel4.example.com \\\n     STORMDNS_DOMAIN=tunnel5.example.com \\\n     bash setup.sh install\n```\n\n### Cloudflare DNS auto-provisioning\n\nIf your tunnel domains are on a Cloudflare-managed zone, the installer can\ncreate the NS delegations for you. Provide credentials and the wizard will\nask whether to enable it; the `cloudflare-dns` mode can also be run on its\nown at any time.\n\n```bash\n# Scoped API token (preferred — Zone:DNS:Edit + Zone:Zone:Read on the zone)\nsudo CF_API_TOKEN=cf_xxx bash setup.sh install\n\n# Or the legacy global API key + account email\nsudo CF_EMAIL=you@example.com CF_API_KEY=xxxxxxxx bash setup.sh install\n\n# Provision DNS only (idempotent — safe to re-run)\nsudo CF_API_TOKEN=cf_xxx bash setup.sh cloudflare-dns \\\n     a.example.com b.example.com c.example.com\n```\n\nFor every tunnel subdomain, the script creates:\n\n```\n\u003cCF_NS_GLUE_LABEL\u003e.\u003capex\u003e   A   \u003cSERVER_IP\u003e          # one shared NS glue per zone\n\u003ctunnel-subdomain\u003e          NS  \u003cCF_NS_GLUE_LABEL\u003e.\u003capex\u003e\n```\n\n`CF_NS_GLUE_LABEL` defaults to `dns` (so `dns.example.com`), `CF_RECORD_TTL`\ndefaults to `60`. Tunnel domains across multiple Cloudflare zones are handled\nin one pass.\n\n---\n\n## 🛠 All Modes\n\n```\nsetup.sh install         Full setup (all five tunnels + dnstm router)\nsetup.sh masterdnsvpn    Install / update MasterDnsVPN only\nsetup.sh slipstream      Install Slipstream only\nsetup.sh dnstt           Install dnstt only\nsetup.sh vaydns          Install VayDNS only\nsetup.sh stormdns        Install StormDNS only\nsetup.sh dnstm           Install dnstm DNS router only\nsetup.sh client-config   Print client configs for all tunnels\nsetup.sh status          Show all service status\nsetup.sh middle-proxy    Set up Iranian VPS DNS multiplexer (dnsmasq)\nsetup.sh cloudflare-dns  Provision NS delegations on Cloudflare\n```\n\n---\n\n## 📱 Client Setup\n\n### 🔵 MasterDnsVPN (`a.yourdomain.com`)\n\n1. Download client: [MasterDnsVPN Releases](https://github.com/masterking32/MasterDnsVPN/releases/latest)\n2. Get your encryption key from the server: `cat /opt/masterdnsvpn/encrypt_key.txt`\n3. Create `client_config.toml`:\n\n```toml\nSOCKS5_HOST = \"127.0.0.1\"\nSOCKS5_PORT = 1080\n\nDOMAINS = [\"a.yourdomain.com\"]\nDATA_ENCRYPTION_METHOD = 2   # 2 = ChaCha20\nENCRYPT_KEY = \"\u003cyour-key\u003e\"\n\nARQ_WINDOW_SIZE = 256\nARQ_INITIAL_RTO = 0.4\nARQ_MAX_RTO     = 1.2\n\nPROTOCOL_TYPE = \"SOCKS5\"\nLOG_LEVEL     = \"INFO\"\n```\n\n4. Scan for best DNS resolvers, then start:\n```bash\n./MasterDnsVPN_Client --scan\n./MasterDnsVPN_Client\n```\n\n5. SOCKS5 proxy at `127.0.0.1:1080`\n\n---\n\n### 🟢 Slipstream (`b.yourdomain.com`)\n\nUse [SlipNet Android app](https://github.com/mrvcoder/SlipNet) with profile:\n\n| Setting | Value |\n|---|---|\n| Type | `SLIPSTREAM_SOCKS` |\n| Domain | `b.yourdomain.com` |\n| Cert | copy `/etc/dnstm/tunnels/slip-socks/cert.pem` from server |\n\n\u003e **Note:** Slipstream runs in pure SOCKS passthrough mode — no SSH credentials are needed.\n\n---\n\n### 🟡 dnstt (`c.yourdomain.com`)\n\nCompatible clients: `dnstt-client`, NoizDNS client, SlipNet (NoizDNS profile type).\n\n\u003e The server runs `dnstt-server-noizdns` which supports both standard `dnstt-client` connections AND NoizDNS-obfuscated clients simultaneously.\n\n1. Get pubkey from server: `cat /opt/dnstt/server.pub`\n2. Run dnstt-client:\n\n```bash\n./dnstt-client \\\n  -doh https://dns.google/dns-query \\\n  -pubkey-file server.pub \\\n  c.yourdomain.com 127.0.0.1:1080\n```\n\n3. SOCKS5 proxy at `127.0.0.1:1080`\n\n---\n\n### 🔴 VayDNS (`d.yourdomain.com`)\n\nVayDNS is a modern DNS tunnel using **Noise protocol encryption** + **KCP/smux transport** + **uTLS fingerprinting** (Chrome 120 by default). It provides better performance and obfuscation than standard dnstt.\n\nCompatible clients: [SlipNet Android app](https://github.com/mrvcoder/SlipNet) (VayDNS profile), `vaydns-client` CLI.\n\n1. Get pubkey from server:\n```bash\ncat /opt/vaydns/server.pub\n```\n\n2. **SlipNet (Android)** — create a new profile:\n\n| Setting | Value |\n|---|---|\n| Type | `VAYDNS` |\n| Domain | `d.yourdomain.com` |\n| Public Key | `\u003cpubkey from server.pub\u003e` |\n\n3. **CLI client** (Linux x86_64 or ARM64):\n```bash\n# Download pre-built binary (Linux x86_64)\ncurl -L https://github.com/mrvcoder/dns-tunnel-kit/releases/latest/download/vaydns-client-linux-amd64 \\\n  -o vaydns-client \u0026\u0026 chmod +x vaydns-client\n\n./vaydns-client \\\n  -udp YOUR_SERVER_IP:53 \\\n  -pubkey \u003cpubkey\u003e \\\n  -domain d.yourdomain.com \\\n  -listen 127.0.0.1:1080\n```\n\n4. Test:\n```bash\ncurl -x socks5://127.0.0.1:1080 https://ifconfig.me\n```\n\nShould return your server's IP if the tunnel is working.\n\n\u003e **Note:** VayDNS uses the same authenticated microsocks backend as Slipstream on the server side. The Noise encryption + uTLS fingerprinting makes it resistant to deep packet inspection. The server is started with `-dnstt-compat` so SlipNet's DNSTT/NoizDNS clients can connect directly.\n\n\u003e **SlipNet share URI:** `setup.sh client-config` prints a ready-to-paste `slipnet://…` URI for dnstt, NoizDNS, and VayDNS profiles (v24 schema).\n\n---\n\n### ⚡ StormDNS (`e.yourdomain.com`)\n\nStormDNS is a DNS-over-UDP/53 tunnel tuned for **hostile, lossy networks** — ARQ + multi-resolver load-balancing + MTU discovery + packet packing. Encryption is ChaCha20 (default; XOR/AES-GCM available) with auto-generated server key. In **SOCKS5 mode** (the kit's default) the server picks the destination per client request — no backend microsocks needed.\n\nCompatible clients: StormDNS client CLI ([releases](https://github.com/nullroute1970/StormDNS/releases/latest)), [WhiteDNS Android app](https://github.com/iampedii/WhiteDNS) (StormDNS backend).\n\n1. Get the auto-generated encryption key from the server (created on first run):\n```bash\ncat /opt/stormdns/encrypt_key.txt\n```\n\n2. **CLI client** — edit `client_config.toml`:\n```toml\nDOMAINS = [\"e.yourdomain.com\"]\nPROTOCOL_TYPE = \"SOCKS5\"\nDATA_ENCRYPTION_METHOD = 2   # ChaCha20 — match server\nENCRYPT_KEY = \"\u003ckey from encrypt_key.txt\u003e\"\nSOCKS5_HOST = \"127.0.0.1\"\nSOCKS5_PORT = 1080\n# RESOLVERS: any open public resolvers, e.g. 1.1.1.1, 8.8.8.8\n```\n\n3. Run the client, then point your app at `socks5://127.0.0.1:1080`. Test:\n```bash\ncurl -x socks5://127.0.0.1:1080 https://ifconfig.me\n```\n\n\u003e **Note:** StormDNS treats packet loss, rate limits, and resolver flapping as normal operating conditions — better than dnstt for marginal Iranian links.\n\n---\n\n## 🔧 Services\n\n| Service | Tunnel | Internal Port |\n|---|---|---|\n| `masterdnsvpn.service` | MasterDnsVPN | UDP 5312 |\n| `dnstm-slip-socks.service` | Slipstream | UDP 5310 |\n| `microsocks-slip-public.service` | Slipstream SOCKS5 backend | TCP 58077 |\n| `microsocks.service` | Private SOCKS5 backend | TCP 58076 |\n| `dnstm-dnstt.service` | dnstt | UDP 5313 |\n| `microsocks-noauth.service` | dnstt SOCKS5 backend (no-auth) | TCP 58078 |\n| `vaydns-server.service` | VayDNS | UDP 5314 |\n| `stormdns.service` | StormDNS | UDP 5315 |\n| `dnstm-dnsrouter.service` | DNS Router (all tunnels) | UDP 53 |\n\n---\n\n## ✅ Check Status\n\n```bash\nsudo bash setup.sh status\n```\n\n---\n\n## 🌍 Middle Proxy (Iranian VPS)\n\nFor users inside Iran who need a local DNS relay:\n\n```bash\nsudo bash setup.sh middle-proxy\n```\n\nInstalls `dnsmasq` rules forwarding all five tunnel domains to public DNS resolvers. Point clients' DNS to this VPS IP.\n\n---\n\n## 📋 DNS Delegation\n\nEach tunnel domain needs NS records pointing to the server.  \nAdd these DNS records at your registrar / Cloudflare:\n\n```\na.yourdomain.com  NS  ns1.a.yourdomain.com\nns1.a.yourdomain.com  A  YOUR_SERVER_IP\n\nb.yourdomain.com  NS  ns1.b.yourdomain.com\nns1.b.yourdomain.com  A  YOUR_SERVER_IP\n\nc.yourdomain.com  NS  ns1.c.yourdomain.com\nns1.c.yourdomain.com  A  YOUR_SERVER_IP\n\nd.yourdomain.com  NS  ns1.d.yourdomain.com\nns1.d.yourdomain.com  A  YOUR_SERVER_IP\n\ne.yourdomain.com  NS  ns1.e.yourdomain.com\nns1.e.yourdomain.com  A  YOUR_SERVER_IP\n```\n\n---\n\n## 🆚 Tunnel Comparison\n\n| | MasterDnsVPN | Slipstream | dnstt | VayDNS | StormDNS |\n|---|---|---|---|---|---|\n| **Encryption** | ChaCha20 | TLS | Noise | Noise + uTLS | ChaCha20 / AES-GCM |\n| **Transport** | ARQ/UDP | TCP-over-DNS | KCP+smux | KCP+smux | ARQ + multi-resolver |\n| **DPI resistance** | Medium | Medium | Medium | High (uTLS Chrome fingerprint) | Medium (plain UDP/53) |\n| **Speed** | Fast | Medium | Medium | Medium-Fast | Tuned for lossy links |\n| **Client** | MasterDnsVPN | SlipNet | dnstt-client / SlipNet | SlipNet / vaydns-client | StormDNS CLI / WhiteDNS |\n| **SOCKS5 auth** | Optional | Passthrough | No | Optional | No (client picks dest) |\n\n---\n\n## 📄 License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrvcoder%2Fdns-tunnel-kit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrvcoder%2Fdns-tunnel-kit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrvcoder%2Fdns-tunnel-kit/lists"}