DNS Tunneling Guide: Bypass Any Firewall Using DNS (dnstm-setup)

7 min read
Advanced DNS Tunneling Censorship Proxy Guide

Prerequisites

  • A VPS with root access
  • A domain name using Cloudflare DNS
  • Port 53 open on your VPS

Quick Answer: DNS tunneling encodes internet traffic inside DNS queries. Since DNS is almost never blocked (it would break the internet), it works when VPNs, proxies, and Tor are all blocked. Install: bash <(curl -sL https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/main/install.sh) — the interactive wizard handles everything.

Need a VPS? Get started with DigitalOcean ($200 free credit), Vultr, or RackNerd.


Why DNS Tunneling?

Every censorship bypass method can be blocked — VPNs, Tor, Shadowsocks, even VLESS+Reality. But DNS queries almost never get blocked, because blocking DNS would break the internet for everyone.

During total internet shutdowns in Iran and other countries, DNS queries often still work through ISP resolvers. DNS tunneling exploits this — it hides your internet traffic inside normal-looking DNS queries.

Method Blockable? Speed
VPN (WireGuard) Easy to detect and block Fast
VLESS + Reality Very hard to block Fast
Tor Detectable, often blocked Slow
DNS Tunneling Almost impossible to block Slow (~42-63 KB/s)

The tradeoff: DNS tunneling is slow (good enough for messaging, browsing, light use) but nearly unblockable.


How DNS Tunneling Works

Normal DNS:

Your phone: "What is the IP of google.com?"
DNS server: "It's 142.250.80.46"

DNS tunneling:

Your phone: "What is the IP of aGVsbG8gd29ybGQ.t.yourdomain.com?"
                                ↑ encoded data hidden in subdomain
Your server: [decodes the data, fetches the real content, sends back as DNS response]

The Full Flow

1. Your phone (SlipNet app) encodes internet traffic as DNS queries
2. Queries look like normal DNS lookups: abc123.t.yourdomain.com
3. Queries travel through public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1)
4. Your server receives the queries via DNS delegation (NS records)
5. Server decodes the hidden data and forwards it to the real internet
6. Responses travel back the same way, encoded in DNS responses

Because the traffic looks like ordinary DNS resolution, it passes through censorship filters undetected.

DNS Delegation (How Your Server Receives the Queries)

You set NS records on your domain that point subdomains to your server:

NS record: t.yourdomain.com → ns.yourdomain.com
A record:  ns.yourdomain.com → YOUR_SERVER_IP

When anyone queries anything.t.yourdomain.com, the global DNS system routes it directly to your server on port 53.


Tunnel Protocols

dnstm-setup supports 4 different tunnel transports, each with different characteristics:

Slipstream (Fastest)

Uses QUIC protocol tunneled through DNS with TLS encryption. Fastest DNS tunnel option at ~63 KB/s.

Best for: Most users. Start with this.

DNSTT (Classic)

The original DNS tunnel. Uses Noise protocol with Curve25519 key exchange. Well-tested and reliable at ~42 KB/s.

Best for: Fallback when Slipstream is blocked.

NoizDNS (DPI-Resistant)

A modified DNSTT fork with enhanced query encoding specifically designed to evade Deep Packet Inspection. Same speed as DNSTT (~42 KB/s) but harder to detect.

Best for: Heavy censorship environments where standard DNS tunnels get detected.

VayDNS (Optimized)

An optimized DNSTT fork with KCP/smux reliable sessions and auto-recovery. Reconnects automatically if the connection drops.

Best for: Unstable networks, frequent disconnections.

All Eight Tunnel Types

Each transport has two backends — SOCKS (for apps) and SSH (for per-user access):

Tunnel Subdomain Transport Backend Speed
Slipstream + SOCKS t.domain QUIC SOCKS5 proxy ~63 KB/s
Slipstream + SSH s.domain QUIC SSH tunnel ~63 KB/s
DNSTT + SOCKS d.domain Noise SOCKS5 proxy ~42 KB/s
DNSTT + SSH ds.domain Noise SSH tunnel ~42 KB/s
NoizDNS + SOCKS n.domain DPI-resistant SOCKS5 proxy ~42 KB/s
NoizDNS + SSH z.domain DPI-resistant SSH tunnel ~42 KB/s
VayDNS + SOCKS v.domain Optimized SOCKS5 proxy ~42 KB/s
VayDNS + SSH vz.domain Optimized SSH tunnel ~42 KB/s

Setup with dnstm-setup

dnstm-setup is an interactive wizard that automates the entire DNS tunnel deployment. One script sets up all tunnel types, DNS routing, SOCKS proxies, SSH users, and optionally an Xray backend.

Prerequisites

  1. A VPS running Ubuntu 20.04/22.04/24.04 or Debian
  2. A domain using Cloudflare DNS (free plan)
  3. Port 53 (UDP + TCP) open on your VPS

DNS Records (Cloudflare)

Set these before running the installer:

Type Name Value Proxy
A ns Your server IP OFF (grey cloud)
NS t ns.yourdomain.com -
NS d ns.yourdomain.com -
NS s ns.yourdomain.com -
NS ds ns.yourdomain.com -
NS n ns.yourdomain.com -
NS z ns.yourdomain.com -
NS v ns.yourdomain.com -
NS vz ns.yourdomain.com -

Important: The A record for ns must have the orange cloud OFF (DNS only). NS records don't have a proxy toggle.

Install

bash <(curl -sL https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/main/install.sh)

The interactive wizard walks you through:

  1. Enter your domain name
  2. Confirm DNS records are set
  3. Choose which tunnel types to enable
  4. Optionally set up SSH users and SOCKS authentication
  5. Optionally integrate Xray backend (VLESS/Shadowsocks/VMess/Trojan via DNS tunnel)

After Installation

# Check tunnel status
dnstm --status

# Monitor live stats
dnstm --monitor

# Run diagnostics
dnstm --diag

# Add another domain
dnstm --add-domain

# Add a tunnel type
dnstm --add-tunnel

# Manage SSH users
dnstm --manage

Client Setup

SlipNet App (Recommended)

SlipNet is the official client app for DNS tunnels. Available for Android.

  1. Install SlipNet from the download link provided by dnstm --status
  2. Enter your tunnel domain
  3. Select tunnel type (Slipstream, DNSTT, NoizDNS, or VayDNS)
  4. Connect

SlipNet creates a local VPN that routes all phone traffic through the DNS tunnel.

Manual Client (Desktop)

For desktop, you need the DNSTT client binary:

# Download DNSTT client
# Connect to your tunnel
./dnstt-client -dns 8.8.8.8 -domain d.yourdomain.com -pubkey YOUR_PUBLIC_KEY 127.0.0.1:1080

This creates a SOCKS5 proxy at 127.0.0.1:1080. Configure your browser to use it.


Xray Backend Integration

dnstm-setup can optionally connect an Xray (3X-UI) backend to a DNS tunnel. This gives you modern proxy protocols (VLESS, Shadowsocks, VMess, Trojan) tunneled through DNS:

Phone → DNS Tunnel → Your Server → Xray (VLESS/SS/VMess/Trojan) → Internet
dnstm --add-xray

The wizard:

  1. Auto-detects existing 3X-UI installation (native or Docker)
  2. Or installs it for you (full panel or headless mode)
  3. Creates an internal-only inbound on 127.0.0.1 (not exposed to internet)
  4. Generates client configs for Nekobox, v2rayNG, Shadowrocket

This means you get the unblockability of DNS tunneling with the protocol support of Xray.


Management

# Full status with SlipNet URLs
dnstm --status

# Live monitoring (CPU, memory, connections)
dnstm --monitor

# Diagnostics
dnstm --diag

# Add SSH tunnel user
dnstm --add-user

# Remove a tunnel
dnstm --remove-tunnel

# Add SOCKS authentication
dnstm --socks-auth

# Interactive management menu
dnstm --manage

# Uninstall everything
dnstm --uninstall

DNS Tunneling vs Other Methods

DNS Tunnel VLESS+Reality WireGuard VPN Tor
Blockable? Almost impossible Very hard Easy Moderate
Speed Slow (42-63 KB/s) Fast Fastest Slow
Use case Last resort, total shutdown Primary bypass Privacy, speed Anonymity
Requires Domain + DNS setup VPS + 3X-UI VPS + WireGuard Nothing (but bridges)
Detection Extremely hard Very hard Easy by DPI Moderate

When to Use DNS Tunneling

  • VPN and proxy connections are completely blocked
  • During internet shutdowns (DNS often still works)
  • As a last-resort fallback alongside other methods
  • In environments with the most aggressive DPI

When NOT to Use DNS Tunneling

  • Speed matters (streaming, downloads, video calls)
  • Simpler methods work (try VLESS+Reality first)
  • You need high bandwidth

Troubleshooting

# Check if port 53 is open
ss -ulnp | grep :53

# Check if DNS queries reach your server
tcpdump -i any port 53 -n

# Run full diagnostics
dnstm --diag

# Check service status
systemctl status dnstm-router
systemctl status dnstm-slip
systemctl status dnstm-dnstt
Problem Fix
Tunnel doesn't connect Check NS records point to ns.yourdomain.com
DNS queries not reaching server Port 53 blocked by VPS provider — contact support
Slow speeds Normal for DNS tunneling. Try Slipstream (fastest)
Connection drops Use VayDNS (auto-recovery)
DPI blocking the tunnel Switch to NoizDNS

Security Notes

  • Set up SOCKS5 authentication — without it, anyone who guesses your domain can use your tunnel
  • Use SSH backend for per-user access control
  • The DNS tunnel itself is encrypted (Noise/TLS), but the SOCKS proxy runs locally
  • Use fortify to harden your server after setup

Related Guides

Related Tools