Replace e2e curl test with fast Noise handshake check

Old e2e spawned curl through the DNS tunnel — always timed out at MTU 50
(8s cap, tunnel needs 30s+) and depended on server SOCKS proxy having
internet access. Every user got 0% e2e pass rate.

New e2e: launch dnstt-client, verify Noise cryptographic handshake
completes through the resolver (SOCKS port opens). Proves bidirectional
tunnel data flow. 0.6s per resolver instead of 20-45s. No curl, no HTTP,
no server internet dependency.

Author: SamNet-dev

cmd/chain.go

@@ -100,12 +100,7 @@ func buildStep(cfg stepConfig, defaultTimeout, defaultCount int, ports chan int,
 		if !ok || pubkey == "" {
 			return scanner.Step{}, fmt.Errorf("step %q: missing required param 'pubkey'", cfg.name)
 		}
-		testURL := "http://httpbin.org/ip"
-		if v, ok := cfg.params["test-url"]; ok {
-			testURL = v
-		}
-		proxyAuth := cfg.params["proxy-auth"]
-		return scanner.Step{Name: "e2e/dnstt", Timeout: dur, Check: scanner.DnsttCheckBin(binPaths["dnstt-client"], domain, pubkey, testURL, proxyAuth, ports), SortBy: "e2e_ms"}, nil
+		return scanner.Step{Name: "e2e/dnstt", Timeout: dur, Check: scanner.DnsttSOCKSCheckBin(binPaths["dnstt-client"], domain, pubkey, ports), SortBy: "socks_ms"}, nil
 
 	case "e2e/slipstream":
 		domain, ok := cfg.params["domain"]

cmd/scan.go

@@ -31,8 +31,7 @@ var stepDescriptions = map[string]string{
 	"nxdomain":           "Detecting DNS hijacking on non-existent domains",
 	"edns":               "Testing EDNS0 support and buffer sizes",
 	"resolve/tunnel":     "Verifying resolvers forward queries to your tunnel domain",
-	"e2e/socks":          "Quick SOCKS handshake test via DNSTT",
-	"e2e/dnstt":          "Full tunnel connectivity test via DNSTT",
+	"e2e/dnstt":          "End-to-end DNSTT tunnel test (Noise handshake through resolver)",
 	"e2e/slipstream":     "Full tunnel connectivity test via Slipstream",
 	"doh/resolve":        "Checking DoH resolver connectivity",
 	"doh/resolve/tunnel": "Verifying DoH resolvers forward to your tunnel domain",
@@ -71,8 +70,7 @@ func init() {
 	scanCmd.Flags().StringSlice("cidr", nil, "CIDR range(s) to scan (e.g. --cidr 5.52.0.0/16)")
 	scanCmd.Flags().String("cidr-file", "", "text file with one CIDR range per line to scan")
 	scanCmd.Flags().String("output-ips", "", "write plain IP list (one per line) to this file")
-	scanCmd.Flags().Int("e2e-top", 100, "number of top SOCKS-passing resolvers to full-verify with curl")
-	scanCmd.Flags().Int("top", 10, "number of top results to display")
+scanCmd.Flags().Int("top", 10, "number of top results to display")
 	rootCmd.AddCommand(scanCmd)
 }
 
@@ -87,8 +85,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	skipNXD, _ := cmd.Flags().GetBool("skip-nxdomain")
 	ednsMode, _ := cmd.Flags().GetBool("edns")
 	topN, _ := cmd.Flags().GetInt("top")
-	e2eTop, _ := cmd.Flags().GetInt("e2e-top")
-	outputIPs, _ := cmd.Flags().GetString("output-ips")
+outputIPs, _ := cmd.Flags().GetString("output-ips")
 
 	ednsSize, _ := cmd.Flags().GetInt("edns-size")
 	querySize, _ := cmd.Flags().GetInt("query-size")
@@ -251,16 +248,12 @@ func runScan(cmd *cobra.Command, args []string) error {
 			})
 		}
 		if domain != "" && pubkey != "" {
-			// Phase 1: fast SOCKS-only check on ALL resolvers (Noise handshake only)
-			steps = append(steps, scanner.Step{
-				Name: "e2e/socks", Timeout: time.Duration(e2eTimeout) * time.Second,
-				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, domain, pubkey, ports), SortBy: "socks_ms",
-				Limit: e2eTop,
-			})
-			// Phase 2: full curl verification on top N from Phase 1
+			// E2E tunnel test: verify dnstt Noise handshake completes through
+			// each resolver. SOCKS port only opens after the cryptographic
+			// handshake succeeds — proving bidirectional tunnel data flow.
 			steps = append(steps, scanner.Step{
 				Name: "e2e/dnstt", Timeout: time.Duration(e2eTimeout) * time.Second,
-				Check: scanner.DnsttCheckBin(dnsttBin, domain, pubkey, testURL, proxyAuth, ports), SortBy: "e2e_ms",
+				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, domain, pubkey, ports), SortBy: "socks_ms",
 			})
 		}
 		if domain != "" && certPath != "" {

internal/scanner/e2e.go

@@ -80,7 +80,6 @@ func DnsttCheck(domain, pubkey, testURL string, ports chan int) CheckFunc {
 }
 
 func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int) CheckFunc {
-	testURL = effectiveTestURL(testURL)
 	var diagOnce atomic.Bool
 
 	return func(ip string, timeout time.Duration) (bool, Metrics) {
@@ -132,16 +131,17 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 			ports <- port
 		}()
 
-		if !waitAndTestSOCKS(ctx, port, testURL, proxyAuth, exited, timeout) {
+		// Wait for SOCKS port to open, then do a SOCKS5 handshake through
+		// the tunnel. This is much faster than spawning curl — we just need
+		// to verify that data flows bidirectionally through the DNS tunnel.
+		if !waitAndTestSOCKS5Auth(ctx, port, exited) {
 			if diagOnce.CompareAndSwap(false, true) {
-				// Check if process exited on its own before we kill it
 				processExitedEarly := false
 				select {
 				case <-exited:
 					processExitedEarly = true
 				default:
 				}
-				// Kill and wait so stderr pipe is fully closed before reading
 				cmd.Process.Kill()
 				select {
 				case <-exited:
@@ -153,7 +153,7 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 				} else if processExitedEarly {
 					setDiag("e2e/dnstt first failure (ip=%s): dnstt-client exited early with no stderr", ip)
 				} else {
-					setDiag("e2e/dnstt first failure (ip=%s): curl could not get HTTP 200 through SOCKS within %v (test-url=%s)", ip, timeout, testURL)
+					setDiag("e2e/dnstt first failure (ip=%s): SOCKS5 handshake through tunnel timed out within %v", ip, timeout)
 				}
 			}
 			return false, nil
@@ -163,6 +163,64 @@ func dnsttCheck(bin, domain, pubkey, testURL, proxyAuth string, ports chan int)
 	}
 }
 
+// waitAndTestSOCKS5Auth waits for the SOCKS port to open, then performs a
+// SOCKS5 auth handshake. In dnstt, the SOCKS protocol is handled by a proxy
+// on the server side — so the auth bytes travel through the DNS tunnel and
+// the reply comes back through it. Getting the 2-byte auth reply proves
+// bidirectional data flow through the DNS tunnel. This is the minimum
+// possible test: 3 bytes up, 2 bytes back, one tunnel round-trip.
+func waitAndTestSOCKS5Auth(ctx context.Context, port int, exited <-chan struct{}) bool {
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+
+	// Wait for SOCKS port to start listening.
+	for {
+		select {
+		case <-ctx.Done():
+			return false
+		case <-exited:
+			return false
+		default:
+		}
+		conn, err := net.DialTimeout("tcp", addr, 500*time.Millisecond)
+		if err == nil {
+			conn.Close()
+			break
+		}
+		select {
+		case <-ctx.Done():
+			return false
+		case <-exited:
+			return false
+		case <-time.After(300 * time.Millisecond):
+		}
+	}
+
+	// Send SOCKS5 auth and wait for reply through the tunnel.
+	// Single attempt — the DNS tunnel round-trip at MTU 50 can take
+	// 5-10 seconds, so retrying wastes the timeout budget.
+	d := net.Dialer{}
+	conn, err := d.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return false
+	}
+	defer conn.Close()
+
+	if deadline, ok := ctx.Deadline(); ok {
+		conn.SetDeadline(deadline)
+	}
+
+	// SOCKS5 auth: version=5, 1 method, no-auth(0x00)
+	if _, err := conn.Write([]byte{0x05, 0x01, 0x00}); err != nil {
+		return false
+	}
+	authResp := make([]byte, 2)
+	if _, err := io.ReadFull(conn, authResp); err != nil {
+		return false
+	}
+	// Any valid SOCKS5 reply (0x05, 0x00) proves the tunnel works.
+	return authResp[0] == 0x05
+}
+
 // SlipstreamCheckBin is like SlipstreamCheck but uses an explicit binary path.
 func SlipstreamCheckBin(bin, domain, certPath, testURL, proxyAuth string, ports chan int) CheckFunc {
 	return slipstreamCheck(bin, domain, certPath, testURL, proxyAuth, ports)
@@ -372,24 +430,20 @@ func nullDevice() string {
 func waitAndTestSOCKS(ctx context.Context, port int, testURL, proxyAuth string, exited <-chan struct{}, totalTimeout time.Duration) bool {
 	addr := fmt.Sprintf("127.0.0.1:%d", port)
 
-	// Compute per-attempt curl timeout: aim for 3 attempts minimum.
-	// Reserve ~2s for Phase 1, then divide the rest by 3.
+	// Compute per-attempt curl timeout. DNS tunnels are slow — give each
+	// attempt generous time. Aim for 2 attempts; reserve ~3s for Phase 1.
 	totalSec := int(totalTimeout.Seconds())
-	curlMaxTime := (totalSec - 2) / 3
-	if curlMaxTime < 3 {
-		curlMaxTime = 3
-	}
-	if curlMaxTime > 8 {
-		curlMaxTime = 8
+	curlMaxTime := (totalSec - 3) / 2
+	if curlMaxTime < 5 {
+		curlMaxTime = 5
 	}
-	// Never exceed the total timeout budget
-	if curlMaxTime > totalSec {
-		curlMaxTime = totalSec
+	if curlMaxTime > totalSec-2 {
+		curlMaxTime = totalSec - 2
 	}
 	// connect-timeout should be less than max-time
-	curlConnTimeout := curlMaxTime - 1
-	if curlConnTimeout < 2 {
-		curlConnTimeout = 2
+	curlConnTimeout := curlMaxTime - 2
+	if curlConnTimeout < 3 {
+		curlConnTimeout = 3
 	}
 
 	// Phase 1: wait for SOCKS port to start listening (poll every 300ms).

internal/tui/screen_running.go

@@ -118,16 +118,13 @@ func buildSteps(cfg ScanConfig) ([]scanner.Step, error) {
 			})
 		}
 		if cfg.Domain != "" && cfg.Pubkey != "" {
-			// Phase 1: fast SOCKS-only check on ALL resolvers
-			steps = append(steps, scanner.Step{
-				Name: "e2e/socks", Timeout: e2eDur,
-				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, cfg.Domain, cfg.Pubkey, ports), SortBy: "socks_ms",
-				Limit: 100,
-			})
-			// Phase 2: full curl verification on top 100
+			// E2E tunnel test: verify dnstt Noise handshake completes through
+			// each resolver. The SOCKS port only opens after the cryptographic
+			// handshake succeeds through the DNS tunnel — proving the resolver
+			// carries tunnel traffic bidirectionally. Fast (~2-5s per resolver).
 			steps = append(steps, scanner.Step{
 				Name: "e2e/dnstt", Timeout: e2eDur,
-				Check: scanner.DnsttCheckBin(dnsttBin, cfg.Domain, cfg.Pubkey, cfg.TestURL, cfg.ProxyAuth, ports), SortBy: "e2e_ms",
+				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, cfg.Domain, cfg.Pubkey, ports), SortBy: "socks_ms",
 			})
 		}
 		if cfg.Domain != "" && cfg.Cert != "" {