Interactive DNS Tunnel Setup Wizard — automated server deployment for unrestricted internet access.

Deploys dnstm DNS tunnel servers with Slipstream, DNSTT, NoizDNS, and VayDNS protocols. Designed to help people in restricted regions stay connected to the free internet.

📑 Table of Contents

• 🆕 What's New in v1.4
• 🔍 How DNS Tunneling Works
• 🏗️ Architecture
• 📦 What Gets Installed
• ✅ Prerequisites
• 🚀 Quick Start
• 📋 Setup Steps Explained
• 🌍 DNS Records Guide
• ⌨️ Usage
• ❓ In-TUI Help System
• 📱 Client Apps
• 🛠️ Management Commands
• 👤 SSH Tunnel User Management
• 🔐 SOCKS Proxy Authentication
• 🔌 Xray Backend Integration
• 🗑️ Uninstall
• 📖 Manual Setup Guide
• 🔧 Troubleshooting
• 🙏 Acknowledgments
• 🔗 Related Projects
• 📖 Documentation & Guides
• 💖 Donate
• 📄 License
• 👤 Author
• 📖 راهنمای فارسی

🆕 What's New in v1.4

⚡ VayDNS Tunnels (Optimized)

Two new tunnel types — VayDNS + SOCKS (v subdomain) and VayDNS + SSH (vz subdomain). VayDNS is an optimized fork of DNSTT by net2share with KCP/smux sessions, auto-recovery, and a leaner wire protocol. Runs in -dnstt-compat mode for backwards compatibility with existing SlipNet clients.

• Up to 8 tunnels (Slipstream + DNSTT + NoizDNS + VayDNS, each with SOCKS and SSH)
• Zero extra configuration — VayDNS binary is downloaded automatically during setup
• Graceful degradation — if the download fails, the script continues with other tunnel types
• Transport option 4 in --add-tunnel TUI
• --monitor — new command for live tunnel stats (CPU, memory, uptime, connections)
• --diag — new command for comprehensive tunnel diagnostics

🔌 Xray Backend Integration (Optional)

New optional feature to connect an existing 3x-ui panel (or raw Xray) to a DNS tunnel. Accessible via --add-xray or management menu option 8. This gives users modern proxy protocols tunneled through DNS:

• Auto-detects 3x-ui (native or Docker) — or installs it for you (full panel or headless mode)
• 4 protocols: VLESS, Shadowsocks (chacha20-ietf-poly1305), VMess, Trojan
• Internal-only inbound on 127.0.0.1 — not exposed to the internet, only reachable through the DNSTT tunnel
• Generates client configs — SlipNet URL for the tunnel + client URI for Nekobox/v2rayNG
• Compatible with any V2Ray client that supports proxy chaining (Nekobox, v2rayNG, Shadowrocket, Clash, etc.)

Other Improvements

• 9 DNS records (was 5) — NS records for NoizDNS (n, z) and VayDNS (v, vz) subdomains
• --add-domain now creates NoizDNS and VayDNS tunnels for backup domains too
• --add-tunnel now offers 4 transport choices: Slipstream, DNSTT, NoizDNS, VayDNS
• --manage (TUI option 9) adds Change DNSTT MTU — update MTU on existing DNSTT tunnels without recreating them
• --status displays all tunnel info and SlipNet URLs including VayDNS
• --remove-tunnel properly cleans up Xray, NoizDNS, and VayDNS service overrides
• Security hardening — SQL injection prevention, cookie jar cleanup, restrictive file permissions, URL-safe base64 encoding
• Portable code — no grep -P (Perl regex), no python3 dependency, pure bash URL encoding

🔍 How DNS Tunneling Works

DNS (Domain Name System) is the internet's phone book — every device on the planet needs it to work. DNS tunneling encodes your internet traffic inside DNS queries and responses.

💡 Why DNS? Censors can block VPNs, Tor, and direct connections, but they almost never block DNS because doing so would break the internet for everyone. Even during total internet shutdowns, DNS queries often still work through ISP resolvers.

How it works:

1. 📱 Your phone (running SlipNet) encodes internet traffic as DNS queries
2. 🔒 These queries look like normal DNS lookups (e.g., abc123.t.yourdomain.com)
3. 🌍 The queries travel through public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, etc.)
4. 🖥️ Your server receives the queries, decodes the hidden data, and forwards it to the real internet
5. ↩️ Responses travel back the same way, encoded inside DNS responses

Because the traffic looks like ordinary DNS resolution, it passes through filters undetected.

🏗️ Architecture

  📱 Phone (SlipNet App)
     |
     | DNS queries (encoded traffic)
     v
  🌍 Public DNS Resolver (8.8.8.8 / 1.1.1.1 / 9.9.9.9)
     |
     | DNS delegation (NS records point to your server)
     v
  🖥️ Your Server — Port 53
     |
     v
  🔀 DNS Router (multiplexes port 53)
     |
     +---> t.domain ---> Slipstream ---> microsocks (SOCKS5) ---> 🌐 Internet
     |                    (QUIC + TLS)
     |
     +---> d.domain ---> DNSTT --------> microsocks (SOCKS5) ---> 🌐 Internet
     |                    (Noise + Curve25519)
     |
     +---> s.domain ---> Slipstream ---> SSH Tunnel ------------> 🌐 Internet
     |                    (QUIC + TLS)   (port forwarding)
     |
     +---> ds.domain --> DNSTT --------> SSH Tunnel ------------> 🌐 Internet
     |                    (Noise + Curve25519) (port forwarding)
     |
     +---> n.domain ---> NoizDNS ------> microsocks (SOCKS5) ---> 🌐 Internet
     |                    (DPI-resistant DNSTT fork)
     |
     +---> z.domain ---> NoizDNS ------> SSH Tunnel ------------> 🌐 Internet
     |                    (DPI-resistant)   (port forwarding)
     |
     +---> v.domain ---> VayDNS -------> microsocks (SOCKS5) ---> 🌐 Internet
     |                    (optimized DNSTT, KCP/smux)
     |
     +---> vz.domain --> VayDNS -------> SSH Tunnel ------------> 🌐 Internet
     |                    (optimized)      (port forwarding)
     |
     +---> x.domain ---> DNSTT --------> Xray (VLESS/SS/VMess/Trojan) -> 🌐 Internet
                          (Noise + Curve25519) (optional, via --add-xray)

🔗 How DNS Delegation Works

When someone queries t.yourdomain.com, the global DNS system follows this chain:

1. Client asks its resolver: "What is xyz.t.yourdomain.com?"
2. Resolver asks Cloudflare (your domain's nameserver): "What is t.yourdomain.com?"
3. Cloudflare sees the NS record: "For t.yourdomain.com, ask ns.yourdomain.com"
4. Cloudflare sees the A record: "ns.yourdomain.com is at <your server IP>"
5. Resolver sends the query directly to your server on port 53
6. Your server's DNS Router receives it and routes to the correct tunnel

This is why you need both an A record (telling the internet where your server is) and NS records (delegating subdomains to your server).

📦 What Gets Installed

🚇 Eight Tunnel Types

🧦 SOCKS backend: Optionally secured with SOCKS5 username/password authentication. Without auth, anyone who knows the domain can connect.

🔑 SSH backend: Requires username + password. Provides per-user access control. The SSH user is restricted — even if credentials leak, no one can access your server.

🛡️ NoizDNS: A DPI-resistant fork of DNSTT by anonvector (same author as SlipNet). Uses alternative DNS query encoding designed to evade Deep Packet Inspection systems in heavily censored networks. In SlipNet, select NoizDNS as the tunnel type for n and z subdomains.

⚡ VayDNS: An optimized fork of DNSTT by net2share with KCP/smux reliable sessions, auto-recovery on connection failure, and a leaner wire protocol. Runs in -dnstt-compat mode so existing SlipNet/DNSTT clients work. In SlipNet, select DNSTT as the tunnel type for v and vz subdomains.

✅ Prerequisites

Before running the script, you need:

1. 🖥️ A VPS (Virtual Private Server)

• Running Ubuntu or Debian (tested on Ubuntu 20.04 / 22.04 / 24.04)
• Root access (SSH as root or sudo)
• Public IPv4 address
• Port 53 (UDP + TCP) open in any external firewall / hosting provider panel

2. 🌐 A Domain

• Any domain works (cheap TLDs like .live, .xyz are fine)
• The domain must use Cloudflare DNS (free plan) to manage records
• You can buy domains from Namecheap, Cloudflare Registrar, or any registrar

3. 📥 curl

• Usually pre-installed on Ubuntu/Debian
• If missing, the script will offer to install it for you

🚀 Quick Start

SSH into your server as root, then:

curl -fsSL -o dnstm-setup.sh https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/master/dnstm-setup.sh
sudo bash dnstm-setup.sh

💡 Tip: Press h at any prompt for detailed help on that step.

Add a Backup Domain

Already set up? Add another domain to the same server as a fallback:

sudo bash dnstm-setup.sh --add-domain

This creates a new set of tunnels on the same server with a different domain. If one domain gets blocked, the other still works.

📋 Setup Steps Explained

The wizard has 12 steps. Here's what each one does:

🌍 DNS Records Guide

Create these records in your Cloudflare dashboard:

Record 1 — A Record (Address)

☝️ This tells the internet: "ns.yourdomain.com is at this IP address."

Records 2-9 — NS Records (Delegation)

☝️ These tell the internet: "For queries about t/d/n/v/s/ds/z/vz.yourdomain.com, ask ns.yourdomain.com (your server)."

⚠️ Common Mistakes

⌨️ Usage

# 🚀 Run the interactive setup wizard (first time)
sudo bash dnstm-setup.sh

# 🎛️ Post-setup management menu (all actions in one place)
sudo bash dnstm-setup.sh --manage

# 🔧 Set custom DNSTT MTU (default: 1232, range: 512-1400)
sudo bash dnstm-setup.sh --mtu 1200

# 🌐 Add a backup domain with custom MTU
sudo bash dnstm-setup.sh --add-domain --mtu 1200

# 🚇 Add a single tunnel (interactive — Slipstream, DNSTT, NoizDNS, or VayDNS)
sudo bash dnstm-setup.sh --add-tunnel

# 🔌 Connect existing Xray panel (3x-ui) via DNS tunnel
sudo bash dnstm-setup.sh --add-xray

# 🔒 Apply security hardening to all services
sudo bash dnstm-setup.sh --harden

# ❌ Remove a specific tunnel (interactive picker)
sudo bash dnstm-setup.sh --remove-tunnel
# Or specify the tag directly
sudo bash dnstm-setup.sh --remove-tunnel slip1

# 👤 Manage SSH tunnel users (add, list, update, delete)
sudo bash dnstm-setup.sh --users

# 📊 Show all tunnels, credentials, and share URLs
sudo bash dnstm-setup.sh --status

# 📈 Monitor tunnel usage (CPU, memory, connections, logs)
sudo bash dnstm-setup.sh --monitor

# 🔍 Run tunnel diagnostics (binaries, services, ports, config)
sudo bash dnstm-setup.sh --diag

# 🗑️ Remove ALL installed components (nuclear option)
sudo bash dnstm-setup.sh --uninstall

# ❓ Show help (no root needed)
bash dnstm-setup.sh --help

# ℹ️ Show project information (no root needed)
bash dnstm-setup.sh --about

❓ In-TUI Help System

Press h at any prompt during the interactive setup to open the help menu:

  ┌──────────────────────────────────────────────────────────┐
  │ Help — Pick a Topic                                      │
  └──────────────────────────────────────────────────────────┘

  1  Domains & DNS Basics
  2  DNS Records (Cloudflare Setup)
  3  Port 53 & systemd-resolved
  4  dnstm — DNS Tunnel Manager
  5  SSH Tunnel Users
  6  Architecture & How It Works

  ────────────────────────────────────────
  7  About

  Pick a topic (1-7) or Enter to go back:

Each topic gives deep explanations of how things work, why each step is needed, and what the terminology means. Browse multiple topics and return to the setup prompt when ready.

📱 Client Apps

🤖 Android — SlipNet

SlipNet supports both Slipstream and DNSTT tunnels.

📥 Download: https://github.com/anonvector/SlipNet/releases

🍎 iOS — HTTP Injector

HTTP Injector supports DNSTT tunnels (the d subdomain). Slipstream is not supported on iOS.

📥 Download: App Store

⚠️ iOS users can only use the DNSTT tunnel (d subdomain). Slipstream tunnels (t/s) are Android-only via SlipNet.

📊 Platform Support

🔗 Share URLs

The setup generates two types of share URLs for easy client configuration:

• dnst:// URLs are generated by dnstm tunnel share and contain JSON-encoded tunnel config
• slipnet:// URLs are generated by the setup script and contain all fields SlipNet needs (domain, resolver, public key, SSH credentials)
• HTTP Injector (iOS) does not support URL import — configure manually using the settings above

💡 The easiest way to set up a client is to copy a slipnet:// link from the server summary and open it on your Android phone — SlipNet will import everything automatically.

🌍 Recommended DNS Resolvers

💡 Try different resolvers if one doesn't work in your region. Some ISPs may block specific resolvers.

🛠️ Management Commands

After setup, manage your tunnels with these commands:

# 🎛️ Interactive management menu (all actions below in one menu)
sudo bash dnstm-setup.sh --manage

# 📊 Show everything: tunnels, credentials, share URLs (all in one)
sudo bash dnstm-setup.sh --status

# 🚇 Add a single tunnel (interactive — pick Slipstream/DNSTT/NoizDNS/VayDNS, backend, domain, tag)
sudo bash dnstm-setup.sh --add-tunnel

# 🔌 Add Xray backend (connect existing 3x-ui panel via DNS tunnel)
sudo bash dnstm-setup.sh --add-xray

# ❌ Remove a specific tunnel (interactive picker or pass tag directly)
sudo bash dnstm-setup.sh --remove-tunnel
sudo bash dnstm-setup.sh --remove-tunnel slip1

# 📋 View all tunnels and their status
dnstm tunnel list

# 🔗 Generate share URLs for a tunnel
# dnst:// URLs (for dnstc CLI client):
dnstm tunnel share -t slip1
dnstm tunnel share -t dnstt-ssh --user tunnel --password secret
# slipnet:// URLs (for SlipNet Android app) are generated automatically
# in the setup summary — tap the link on your phone to import the profile

# 📊 Check DNS Router status
dnstm router status

# 📜 View DNS Router logs
dnstm router logs

# 🔍 View logs for a specific tunnel
dnstm tunnel logs --tag slip1
dnstm tunnel logs --tag dnstt1
dnstm tunnel logs --tag slip-ssh

# ⏹️ Stop / ▶️ Start a specific tunnel
dnstm tunnel stop --tag slip1
dnstm tunnel start --tag slip1

# 🔀 Stop / Start the DNS Router
dnstm router stop
dnstm router start

# 🧪 Test the SOCKS proxy locally (check port with: ss -tlnp | grep microsocks)
# Without authentication:
curl --socks5 127.0.0.1:<MICROSOCKS_PORT> https://api.ipify.org
# With SOCKS5 authentication:
curl --socks5-basic --proxy socks5://127.0.0.1:<MICROSOCKS_PORT> --proxy-user user:pass https://api.ipify.org

👤 SSH Tunnel User Management

Manage SSH tunnel users after setup with the built-in user management TUI:

sudo bash dnstm-setup.sh --users

This opens an interactive menu:

What are SSH tunnel users? These are restricted system users that can only create SSH tunnels (SOCKS proxy, port forwarding) — they have no shell access and cannot run commands on your server. They're required for the SSH-based tunnels (s and ds subdomains).

If sshtun-user is not installed, the script will automatically download and configure it on first run.

🔐 SOCKS Proxy Authentication

During setup (Step 9), the wizard asks whether to enable SOCKS5 authentication on the microsocks proxy. This controls access to the SOCKS tunnels (t and d subdomains).

With Authentication (Recommended)

When enabled, microsocks requires a username and password for every SOCKS5 connection. This means:

• Only clients with the correct credentials can use the tunnel
• The slipnet:// share URLs automatically include the credentials (clients auto-configure)
• The authMode field in SlipNet is set to 1 (username/password)

Authentication is configured via dnstm backend auth (requires dnstm v0.6.8+).

Without Authentication

When disabled, the proxy is open — anyone who can resolve the DNS tunnel domain can connect. Security relies solely on the domain being secret.

Changing Auth After Setup

To add or change authentication:

sudo dnstm backend auth -t socks -u youruser -p yourpassword

To remove authentication:

sudo dnstm backend auth -t socks --disable

Note: When adding a backup domain with --add-domain, the script auto-detects existing SOCKS authentication via dnstm backend status and includes the credentials in the generated share URLs.

🔌 Xray Backend Integration

Optional feature — connect an existing Xray panel (3x-ui) to a DNSTT tunnel for modern proxy protocol support.

If you already have a 3x-ui panel running on your server, this feature lets you route DNS tunnel traffic through Xray. Instead of the default microsocks (SOCKS5) backend, users get access to VLESS, Shadowsocks, VMess, or Trojan protocols — all tunneled through DNS.

How It Works

  📱 Phone
     |
     +-- SlipNet app -------> DNSTT tunnel (DNS queries on port 53)
     |   (transport layer)        |
     |                            v
     +-- Nekobox/v2rayNG --> 🖥️ Server: DNSTT decodes traffic
         (proxy protocol)        |
                                 v
                            Xray inbound (127.0.0.1 only)
                                 |
                                 v
                            🌐 Free Internet

Key points:

• SlipNet handles the DNSTT tunnel (transport — how traffic reaches the server through DNS)
• Nekobox/v2rayNG handles the proxy protocol (VLESS/SS/VMess/Trojan — what runs inside the tunnel)
• The Xray inbound listens on 127.0.0.1 only — it is not exposed to the internet, only reachable through the DNSTT tunnel
• Your existing 3x-ui panel manages the inbound — you can see it in the dashboard

Supported Protocols

Usage

Via CLI:

# Add Xray backend (auto-detects 3x-ui, creates inbound + DNSTT tunnel)
sudo bash dnstm-setup.sh --add-xray

# Optionally set DNSTT MTU (works in any order)
sudo bash dnstm-setup.sh --add-xray --mtu 1100
sudo bash dnstm-setup.sh --mtu 1100 --add-xray

Via Management Menu:

sudo bash dnstm-setup.sh --manage
# Select option 8 → Xray backend

What the Script Does

1. Auto-detects Xray installation (3x-ui panel or raw Xray binary)
2. If not found, offers to install:
   • Full panel (3x-ui) — web dashboard with user management, traffic stats, custom admin credentials and port
   • Headless (Xray only) — lightweight, no web panel, config.json managed directly
3. Reads/sets credentials for the panel (or generates them for headless mode)
4. Creates a new inbound on 127.0.0.1 (your chosen protocol: VLESS/SS/VMess/Trojan)
5. Creates a DNSTT tunnel with subdomain x.yourdomain.com
6. Overrides the tunnel upstream to point at the Xray inbound (instead of microsocks)
7. Generates a SlipNet URL (for the tunnel) and a client URI (for the proxy protocol)

Installation Modes

When installing 3x-ui, you choose:

• Admin username (default: admin)
• Admin password (default: password)
• Panel web port (default: 2053)

Required DNS Record

After running --add-xray, add this record in Cloudflare:

This delegates x.yourdomain.com to your server, just like the other tunnel subdomains.

Removing an Xray Tunnel

sudo bash dnstm-setup.sh --remove-tunnel xray1

This removes the DNSTT tunnel, the systemd service override, and the tunnel config file. The Xray inbound itself is not removed automatically:

• Panel mode (3x-ui): Delete the inbound from the 3x-ui web dashboard
• Headless mode: Edit /usr/local/etc/xray/config.json and remove the inbound entry manually

Prerequisites

• dnstm-setup must be already configured (run the full setup first)
• curl and jq are required (jq is auto-installed if missing)
• 3x-ui is optional — if not installed, the script offers to install it for you (full panel or headless)

🗑️ Uninstall

To remove everything installed by this script:

sudo bash dnstm-setup.sh --uninstall

Removes:

• ✅ All dnstm tunnels and the DNS Router
• ✅ dnstm binary and /etc/dnstm configuration (including Xray tunnel configs)
• ✅ sshtun-user binary (if installed)
• ✅ microsocks service
• ✅ Xray and NoizDNS systemd service overrides
• ✅ NoizDNS server binary

Not removed (must be done manually):

• ⚠️ Xray/3x-ui panel — only DNSTT tunnel configs are cleaned up, the panel is untouched
• ⚠️ Xray inbounds created via --add-xray — remove them from the 3x-ui dashboard
• ⚠️ DNS records in Cloudflare — delete them from your dashboard
• ⚠️ systemd-resolved — re-enable with:

  chattr -i /etc/resolv.conf 2>/dev/null
  rm /etc/resolv.conf && ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  systemctl unmask systemd-resolved.socket systemd-resolved.service
  systemctl enable systemd-resolved && systemctl start systemd-resolved
  

📖 Manual Setup Guide

If you prefer to set things up manually step by step (without this script), follow the complete manual guide:

📝 Complete Guide to Setting Up a DNS Tunnel (Farsi)

🔧 Troubleshooting

# Check what's using port 53
ss -ulnp | grep -E ':53\b'

# If systemd-resolved is still there, force it (stop socket too!)
systemctl stop systemd-resolved.socket systemd-resolved.service
systemctl disable systemd-resolved.socket systemd-resolved.service
systemctl mask systemd-resolved.socket systemd-resolved.service
pkill -9 systemd-resolve
# Fix resolv.conf (remove symlink, write real file, lock it)
chattr -i /etc/resolv.conf 2>/dev/null; rm -f /etc/resolv.conf
echo "nameserver 8.8.8.8" > /etc/resolv.conf
chattr +i /etc/resolv.conf

# Check tunnel status
dnstm tunnel list

# Check logs for errors
dnstm tunnel logs --tag slip1
dnstm router logs

# Try restarting
dnstm router stop
dnstm router start
dnstm tunnel start --tag slip1

# Check if microsocks is running
systemctl status microsocks

# Restart it
systemctl restart microsocks

# Test locally (check port with: ss -tlnp | grep microsocks)
curl --socks5 127.0.0.1:<MICROSOCKS_PORT> https://api.ipify.org

🙏 Acknowledgments

This project builds on the incredible work of these open-source projects:

Thank you to David Fifield and EndPositive for making internet freedom possible through their research and open-source contributions. 🫡

🔗 Related Projects

📖 Documentation & Guides

For detailed tutorials and related tools, visit SamNet:

• Complete DNS Tunneling Guide — Full walkthrough: how DNS tunneling works, all 8 tunnel types, setup, client configuration, Xray integration, and troubleshooting
• Every Way to Bypass Internet Censorship — DNS tunneling compared to VPN, Tor, VLESS+Reality, and other methods
• Complete DNS Guide — How DNS works, record types, caching, security, and DNS tunneling explained
• Fortify — Server Security Hardener — Harden your DNS tunnel server after setup
• 3X-UI Panel Setup — Set up the Xray backend for DNS tunnel integration
• Cloudflare Setup Guide — DNS record management for your tunnel domain
• Server Hardening Guide — Secure your VPS
• VPN Leak Test — Verify your tunnel is hiding your IP
• DNS Toolbox — Check your NS records are set correctly
• Port Scanner — Verify port 53 is open

💖 Donate

If this project helps you or someone you know access the free internet, consider supporting continued development:

👉 samnet.dev/donate

📄 License

MIT

👤 Author

Made By SamNet Technologies — Saman

🔗 https://github.com/SamNet-dev

  📱 گوشی (اپلیکیشن SlipNet)
     |
     | درخواست‌های DNS (ترافیک رمزگذاری شده)
     v
  🌍 DNS Resolver عمومی (8.8.8.8 / 1.1.1.1)
     |
     v
  🖥️ سرور شما — پورت 53
     |
     v
  🔀 DNS Router (مالتی‌پلکسر)
     |
     +---> t.domain  ---> Slipstream ---> microsocks (SOCKS5) ---> 🌐 اینترنت
     +---> d.domain  ---> DNSTT --------> microsocks (SOCKS5) ---> 🌐 اینترنت
     +---> n.domain  ---> NoizDNS ------> microsocks (SOCKS5) ---> 🌐 اینترنت (مقاوم DPI)
     +---> s.domain  ---> Slip+SSH -----> تانل SSH --------------> 🌐 اینترنت
     +---> ds.domain --> DNSTT+SSH ----> تانل SSH --------------> 🌐 اینترنت
     +---> z.domain  ---> NoizDNS+SSH --> تانل SSH --------------> 🌐 اینترنت (مقاوم DPI)
     +---> x.domain  ---> DNSTT --------> Xray (VLESS/SS/VMess/Trojan) -> 🌐 اینترنت
                          (اختیاری، با --add-xray)

curl -fsSL -o dnstm-setup.sh https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/master/dnstm-setup.sh
sudo bash dnstm-setup.sh

sudo bash dnstm-setup.sh --add-domain

sudo bash dnstm-setup.sh --users

# 🎛️ منوی مدیریت تعاملی (تمام عملیات در یک منو)
sudo bash dnstm-setup.sh --manage

# 📊 نمایش همه چیز: تانل‌ها، اطلاعات احراز هویت، لینک‌های اشتراک‌گذاری
sudo bash dnstm-setup.sh --status

# 🚇 افزودن یک تانل (تعاملی — انتخاب پروتکل، بک‌اند، دامنه)
sudo bash dnstm-setup.sh --add-tunnel

# 🔌 اتصال پنل Xray (3x-ui) به تانل DNS (اختیاری)
sudo bash dnstm-setup.sh --add-xray

# ❌ حذف یک تانل خاص (تعاملی یا مستقیم)
sudo bash dnstm-setup.sh --remove-tunnel
sudo bash dnstm-setup.sh --remove-tunnel slip1

# 📋 نمایش تمام تانل‌ها و وضعیت آنها
dnstm tunnel list

# 🔗 ایجاد لینک اشتراک‌گذاری (dnst:// برای dnstc)
dnstm tunnel share -t slip1
dnstm tunnel share -t dnstt-ssh --user tunnel --password secret
# لینک‌های slipnet:// برای اپ SlipNet خودکار در خلاصه نصب نمایش داده می‌شوند
# — لینک رو تو گوشی اندروید باز کنید تا پروفایل وارد SlipNet بشه

# 📊 بررسی وضعیت روتر
dnstm router status

# 📜 مشاهده لاگ‌های روتر
dnstm router logs

# 🔍 مشاهده لاگ تانل خاص
dnstm tunnel logs --tag slip1
dnstm tunnel logs --tag dnstt1
dnstm tunnel logs --tag slip-ssh

# ⏹️ توقف / ▶️ شروع یک تانل
dnstm tunnel stop --tag slip1
dnstm tunnel start --tag slip1

# 🔀 توقف / شروع روتر DNS
dnstm router stop
dnstm router start

# 🧪 تست پروکسی SOCKS (بررسی پورت: ss -tlnp | grep microsocks)
# بدون احراز هویت:
curl --socks5 127.0.0.1:<MICROSOCKS_PORT> https://api.ipify.org
# با احراز هویت SOCKS5:
curl --socks5-basic --proxy socks5://127.0.0.1:<MICROSOCKS_PORT> --proxy-user user:pass https://api.ipify.org

sudo bash dnstm-setup.sh --users

ss -ulnp | grep -E ':53\b'
systemctl stop systemd-resolved.socket systemd-resolved.service
systemctl mask systemd-resolved.socket systemd-resolved.service
pkill -9 systemd-resolve
chattr -i /etc/resolv.conf 2>/dev/null; rm -f /etc/resolv.conf
echo "nameserver 8.8.8.8" > /etc/resolv.conf
chattr +i /etc/resolv.conf

dnstm tunnel list
dnstm tunnel logs --tag slip1
dnstm router logs

sudo bash dnstm-setup.sh --uninstall

chattr -i /etc/resolv.conf 2>/dev/null
rm /etc/resolv.conf && ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
systemctl unmask systemd-resolved.socket systemd-resolved.service
systemctl enable systemd-resolved && systemctl start systemd-resolved