Fix tunnel check failing all resolvers on subdomain delegations

SamNet-dev · SamNet-dev · commit f44dd09ec4fc · 2026-03-05T22:07:27.000-06:00
QueryNS only checked the Answer section for NS records, but for
subdomain delegations (e.g. t.example.com) most resolvers return
NS records in the Authority section. Now checks both.
diff --git a/internal/scanner/dns.go b/internal/scanner/dns.go
@@ -40,11 +40,20 @@ func QueryNS(resolver, domain string, timeout time.Duration) ([]string, bool) {
 		return nil, false
 	}
 	var hosts []string
+	// Check Answer section first
 	for _, ans := range r.Answer {
 		if ns, ok := ans.(*dns.NS); ok {
 			hosts = append(hosts, ns.Ns)
 		}
 	}
+	// For subdomain delegations, NS records are often in the Authority section
+	if len(hosts) == 0 {
+		for _, ans := range r.Ns {
+			if ns, ok := ans.(*dns.NS); ok {
+				hosts = append(hosts, ns.Ns)
+			}
+		}
+	}
 	if len(hosts) == 0 {
 		return nil, false
 	}
diff --git a/internal/scanner/doh.go b/internal/scanner/doh.go
@@ -83,11 +83,20 @@ func QueryDoHNS(resolverURL, domain string, timeout time.Duration) ([]string, bo
 		return nil, false
 	}
 	var hosts []string
+	// Check Answer section first
 	for _, ans := range r.Answer {
 		if ns, ok := ans.(*dns.NS); ok {
 			hosts = append(hosts, ns.Ns)
 		}
 	}
+	// For subdomain delegations, NS records are often in the Authority section
+	if len(hosts) == 0 {
+		for _, ans := range r.Ns {
+			if ns, ok := ans.(*dns.NS); ok {
+				hosts = append(hosts, ns.Ns)
+			}
+		}
+	}
 	if len(hosts) == 0 {
 		return nil, false
 	}

Original file line number	Diff line number	Diff line change
`@@ -40,11 +40,20 @@ func QueryNS(resolver, domain string, timeout time.Duration) ([]string, bool) {`
`40`	`40`	`return nil, false`
`41`	`41`	`}`
`42`	`42`	`var hosts []string`
	`43`	`+ // Check Answer section first`
`43`	`44`	`for _, ans := range r.Answer {`
`44`	`45`	`if ns, ok := ans.(*dns.NS); ok {`
`45`	`46`	`hosts = append(hosts, ns.Ns)`
`46`	`47`	`}`
`47`	`48`	`}`
	`49`	`+ // For subdomain delegations, NS records are often in the Authority section`
	`50`	`+ if len(hosts) == 0 {`
	`51`	`+ for _, ans := range r.Ns {`
	`52`	`+ if ns, ok := ans.(*dns.NS); ok {`
	`53`	`+ hosts = append(hosts, ns.Ns)`
	`54`	`+ }`
	`55`	`+ }`
	`56`	`+ }`
`48`	`57`	`if len(hosts) == 0 {`
`49`	`58`	`return nil, false`
`50`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,11 +83,20 @@ func QueryDoHNS(resolverURL, domain string, timeout time.Duration) ([]string, bo`
`83`	`83`	`return nil, false`
`84`	`84`	`}`
`85`	`85`	`var hosts []string`
	`86`	`+ // Check Answer section first`
`86`	`87`	`for _, ans := range r.Answer {`
`87`	`88`	`if ns, ok := ans.(*dns.NS); ok {`
`88`	`89`	`hosts = append(hosts, ns.Ns)`
`89`	`90`	`}`
`90`	`91`	`}`
	`92`	`+ // For subdomain delegations, NS records are often in the Authority section`
	`93`	`+ if len(hosts) == 0 {`
	`94`	`+ for _, ans := range r.Ns {`
	`95`	`+ if ns, ok := ans.(*dns.NS); ok {`
	`96`	`+ hosts = append(hosts, ns.Ns)`
	`97`	`+ }`
	`98`	`+ }`
	`99`	`+ }`
`91`	`100`	`if len(hosts) == 0 {`
`92`	`101`	`return nil, false`
`93`	`102`	`}`