Add two-phase e2e: fast SOCKS check on all, full curl on top 100

SamNet-dev · SamNet-dev · commit 9f2a1775432a · 2026-03-16T17:12:37.000-05:00
Splits e2e into Phase 1 (SOCKS-only handshake check on all resolvers)
and Phase 2 (full curl verification on top 100). Dramatically faster
for large resolver lists on filtered networks like Iran.
diff --git a/cmd/scan.go b/cmd/scan.go
@@ -31,6 +31,7 @@ var stepDescriptions = map[string]string{
 	"nxdomain":           "Detecting DNS hijacking on non-existent domains",
 	"edns":               "Testing EDNS0 support and buffer sizes",
 	"resolve/tunnel":     "Verifying resolvers forward queries to your tunnel domain",
+	"e2e/socks":          "Quick SOCKS handshake test via DNSTT",
 	"e2e/dnstt":          "Full tunnel connectivity test via DNSTT",
 	"e2e/slipstream":     "Full tunnel connectivity test via Slipstream",
 	"doh/resolve":        "Checking DoH resolver connectivity",
@@ -69,6 +70,7 @@ func init() {
 	scanCmd.Flags().Int("query-size", 0, "cap dnstt-client upstream query size in bytes (0 = max, try 50-80 if e2e fails)")
 	scanCmd.Flags().StringSlice("cidr", nil, "CIDR range(s) to scan (e.g. --cidr 5.52.0.0/16)")
 	scanCmd.Flags().String("output-ips", "", "write plain IP list (one per line) to this file")
+	scanCmd.Flags().Int("e2e-top", 100, "number of top SOCKS-passing resolvers to full-verify with curl")
 	scanCmd.Flags().Int("top", 10, "number of top results to display")
 	rootCmd.AddCommand(scanCmd)
 }
@@ -84,6 +86,7 @@ func runScan(cmd *cobra.Command, args []string) error {
 	skipNXD, _ := cmd.Flags().GetBool("skip-nxdomain")
 	ednsMode, _ := cmd.Flags().GetBool("edns")
 	topN, _ := cmd.Flags().GetInt("top")
+	e2eTop, _ := cmd.Flags().GetInt("e2e-top")
 	outputIPs, _ := cmd.Flags().GetString("output-ips")
 
 	ednsSize, _ := cmd.Flags().GetInt("edns-size")
@@ -227,6 +230,13 @@ func runScan(cmd *cobra.Command, args []string) error {
 			})
 		}
 		if domain != "" && pubkey != "" {
+			// Phase 1: fast SOCKS-only check on ALL resolvers (Noise handshake only)
+			steps = append(steps, scanner.Step{
+				Name: "e2e/socks", Timeout: time.Duration(e2eTimeout) * time.Second,
+				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, domain, pubkey, ports), SortBy: "socks_ms",
+				Limit: e2eTop,
+			})
+			// Phase 2: full curl verification on top N from Phase 1
 			steps = append(steps, scanner.Step{
 				Name: "e2e/dnstt", Timeout: time.Duration(e2eTimeout) * time.Second,
 				Check: scanner.DnsttCheckBin(dnsttBin, domain, pubkey, testURL, proxyAuth, ports), SortBy: "e2e_ms",
diff --git a/internal/scanner/chain.go b/internal/scanner/chain.go
@@ -13,6 +13,7 @@ type Step struct {
 	Timeout time.Duration
 	Check   CheckFunc
 	SortBy  string
+	Limit   int // if > 0, only pass top N results to the next step
 }
 
 type StepResult struct {
@@ -117,6 +118,11 @@ func runChain(ctx context.Context, ips []string, workers int, steps []Step, newP
 				step.Name+":", sr.Tested, sr.Passed, sr.Failed, sr.Seconds)
 		}
 
+		// Apply limit: only pass top N to next step
+		if step.Limit > 0 && len(nextIPs) > step.Limit {
+			nextIPs = nextIPs[:step.Limit]
+		}
+
 		current = nextIPs
 	}
 
diff --git a/internal/scanner/e2e.go b/internal/scanner/e2e.go
@@ -254,6 +254,109 @@ func slipstreamCheck(bin, domain, certPath, testURL, proxyAuth string, ports cha
 	}
 }
 
+// DnsttSOCKSCheckBin is a fast e2e check: it only verifies that dnstt-client
+// opens the SOCKS port (i.e. the Noise handshake completes). No curl/HTTP test.
+// This is much faster than the full e2e check and suitable for testing all resolvers.
+func DnsttSOCKSCheckBin(bin, domain, pubkey string, ports chan int) CheckFunc {
+	var diagOnce atomic.Bool
+
+	return func(ip string, timeout time.Duration) (bool, Metrics) {
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+
+		var port int
+		select {
+		case port = <-ports:
+		case <-ctx.Done():
+			return false, nil
+		}
+
+		start := time.Now()
+
+		var stderrBuf bytes.Buffer
+		args := []string{
+			"-udp", net.JoinHostPort(ip, "53"),
+			"-pubkey", pubkey,
+		}
+		if DnsttMTU > 0 {
+			args = append(args, "-mtu", strconv.Itoa(DnsttMTU))
+		}
+		args = append(args, domain, fmt.Sprintf("127.0.0.1:%d", port))
+		cmd := execCommandContext(ctx, bin, args...)
+		cmd.Stdout = io.Discard
+		cmd.Stderr = &stderrBuf
+		if err := cmd.Start(); err != nil {
+			ports <- port
+			if diagOnce.CompareAndSwap(false, true) {
+				setDiag("e2e/socks: cannot start %s: %v", bin, err)
+			}
+			return false, nil
+		}
+
+		exited := make(chan struct{})
+		go func() {
+			cmd.Wait()
+			close(exited)
+		}()
+
+		defer func() {
+			cmd.Process.Kill()
+			select {
+			case <-exited:
+			case <-time.After(2 * time.Second):
+			}
+			time.Sleep(300 * time.Millisecond)
+			ports <- port
+		}()
+
+		// Just wait for SOCKS port to accept a TCP connection
+		addr := fmt.Sprintf("127.0.0.1:%d", port)
+		for {
+			select {
+			case <-ctx.Done():
+				if diagOnce.CompareAndSwap(false, true) {
+					cmd.Process.Kill()
+					select {
+					case <-exited:
+					case <-time.After(2 * time.Second):
+					}
+					stderr := strings.TrimSpace(stderrBuf.String())
+					if stderr != "" {
+						setDiag("e2e/socks first failure (ip=%s): dnstt-client stderr: %s", ip, truncate(stderr, 300))
+					} else {
+						setDiag("e2e/socks first failure (ip=%s): SOCKS port did not open within %v", ip, timeout)
+					}
+				}
+				return false, nil
+			case <-exited:
+				if diagOnce.CompareAndSwap(false, true) {
+					stderr := strings.TrimSpace(stderrBuf.String())
+					if stderr != "" {
+						setDiag("e2e/socks first failure (ip=%s): dnstt-client exited early: %s", ip, truncate(stderr, 300))
+					} else {
+						setDiag("e2e/socks first failure (ip=%s): dnstt-client exited early with no stderr", ip)
+					}
+				}
+				return false, nil
+			default:
+			}
+			conn, err := net.DialTimeout("tcp", addr, 500*time.Millisecond)
+			if err == nil {
+				conn.Close()
+				ms := roundMs(float64(time.Since(start).Microseconds()) / 1000.0)
+				return true, Metrics{"socks_ms": ms}
+			}
+			select {
+			case <-ctx.Done():
+				return false, nil
+			case <-exited:
+				return false, nil
+			case <-time.After(300 * time.Millisecond):
+			}
+		}
+	}
+}
+
 func nullDevice() string {
 	if runtime.GOOS == "windows" {
 		return "NUL"
diff --git a/internal/tui/screen_running.go b/internal/tui/screen_running.go
@@ -118,6 +118,13 @@ func buildSteps(cfg ScanConfig) ([]scanner.Step, error) {
 			})
 		}
 		if cfg.Domain != "" && cfg.Pubkey != "" {
+			// Phase 1: fast SOCKS-only check on ALL resolvers
+			steps = append(steps, scanner.Step{
+				Name: "e2e/socks", Timeout: e2eDur,
+				Check: scanner.DnsttSOCKSCheckBin(dnsttBin, cfg.Domain, cfg.Pubkey, ports), SortBy: "socks_ms",
+				Limit: 100,
+			})
+			// Phase 2: full curl verification on top 100
 			steps = append(steps, scanner.Step{
 				Name: "e2e/dnstt", Timeout: e2eDur,
 				Check: scanner.DnsttCheckBin(dnsttBin, cfg.Domain, cfg.Pubkey, cfg.TestURL, cfg.ProxyAuth, ports), SortBy: "e2e_ms",

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ type Step struct {`
`13`	`13`	`Timeout time.Duration`
`14`	`14`	`Check CheckFunc`
`15`	`15`	`SortBy string`
	`16`	`+ Limit int // if > 0, only pass top N results to the next step`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`type StepResult struct {`
`@@ -117,6 +118,11 @@ func runChain(ctx context.Context, ips []string, workers int, steps []Step, newP`
`117`	`118`	`step.Name+":", sr.Tested, sr.Passed, sr.Failed, sr.Seconds)`
`118`	`119`	`}`
`119`	`120`
	`121`	`+ // Apply limit: only pass top N to next step`
	`122`	`+ if step.Limit > 0 && len(nextIPs) > step.Limit {`
	`123`	`+ nextIPs = nextIPs[:step.Limit]`
	`124`	`+ }`
	`125`	`+`
`120`	`126`	`current = nextIPs`
`121`	`127`	`}`
`122`	`128`