Quick Answer: DNS tunneling encodes internet traffic inside DNS queries. Since DNS is almost never blocked (it would break the internet), it works when VPNs, proxies, and Tor are all blocked. Install:
bash <(curl -sL https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/main/install.sh)— the interactive wizard handles everything.
Need a VPS? Get started with DigitalOcean ($200 free credit), Vultr, or RackNerd.
Why DNS Tunneling?
Every censorship bypass method can be blocked — VPNs, Tor, Shadowsocks, even VLESS+Reality. But DNS queries almost never get blocked, because blocking DNS would break the internet for everyone.
During total internet shutdowns in Iran and other countries, DNS queries often still work through ISP resolvers. DNS tunneling exploits this — it hides your internet traffic inside normal-looking DNS queries.
| Method | Blockable? | Speed |
|---|---|---|
| VPN (WireGuard) | Easy to detect and block | Fast |
| VLESS + Reality | Very hard to block | Fast |
| Tor | Detectable, often blocked | Slow |
| DNS Tunneling | Almost impossible to block | Slow (~42-63 KB/s) |
The tradeoff: DNS tunneling is slow (good enough for messaging, browsing, light use) but nearly unblockable.
How DNS Tunneling Works
Normal DNS:
Your phone: "What is the IP of google.com?"
DNS server: "It's 142.250.80.46"
DNS tunneling:
Your phone: "What is the IP of aGVsbG8gd29ybGQ.t.yourdomain.com?"
↑ encoded data hidden in subdomain
Your server: [decodes the data, fetches the real content, sends back as DNS response]
The Full Flow
1. Your phone (SlipNet app) encodes internet traffic as DNS queries
2. Queries look like normal DNS lookups: abc123.t.yourdomain.com
3. Queries travel through public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1)
4. Your server receives the queries via DNS delegation (NS records)
5. Server decodes the hidden data and forwards it to the real internet
6. Responses travel back the same way, encoded in DNS responses
Because the traffic looks like ordinary DNS resolution, it passes through censorship filters undetected.
DNS Delegation (How Your Server Receives the Queries)
You set NS records on your domain that point subdomains to your server:
NS record: t.yourdomain.com → ns.yourdomain.com
A record: ns.yourdomain.com → YOUR_SERVER_IP
When anyone queries anything.t.yourdomain.com, the global DNS system routes it directly to your server on port 53.
Tunnel Protocols
dnstm-setup supports 4 different tunnel transports, each with different characteristics:
Slipstream (Fastest)
Uses QUIC protocol tunneled through DNS with TLS encryption. Fastest DNS tunnel option at ~63 KB/s.
Best for: Most users. Start with this.
DNSTT (Classic)
The original DNS tunnel. Uses Noise protocol with Curve25519 key exchange. Well-tested and reliable at ~42 KB/s.
Best for: Fallback when Slipstream is blocked.
NoizDNS (DPI-Resistant)
A modified DNSTT fork with enhanced query encoding specifically designed to evade Deep Packet Inspection. Same speed as DNSTT (~42 KB/s) but harder to detect.
Best for: Heavy censorship environments where standard DNS tunnels get detected.
VayDNS (Optimized)
An optimized DNSTT fork with KCP/smux reliable sessions and auto-recovery. Reconnects automatically if the connection drops.
Best for: Unstable networks, frequent disconnections.
All Eight Tunnel Types
Each transport has two backends — SOCKS (for apps) and SSH (for per-user access):
| Tunnel | Subdomain | Transport | Backend | Speed |
|---|---|---|---|---|
| Slipstream + SOCKS | t.domain |
QUIC | SOCKS5 proxy | ~63 KB/s |
| Slipstream + SSH | s.domain |
QUIC | SSH tunnel | ~63 KB/s |
| DNSTT + SOCKS | d.domain |
Noise | SOCKS5 proxy | ~42 KB/s |
| DNSTT + SSH | ds.domain |
Noise | SSH tunnel | ~42 KB/s |
| NoizDNS + SOCKS | n.domain |
DPI-resistant | SOCKS5 proxy | ~42 KB/s |
| NoizDNS + SSH | z.domain |
DPI-resistant | SSH tunnel | ~42 KB/s |
| VayDNS + SOCKS | v.domain |
Optimized | SOCKS5 proxy | ~42 KB/s |
| VayDNS + SSH | vz.domain |
Optimized | SSH tunnel | ~42 KB/s |
Setup with dnstm-setup
dnstm-setup is an interactive wizard that automates the entire DNS tunnel deployment. One script sets up all tunnel types, DNS routing, SOCKS proxies, SSH users, and optionally an Xray backend.
Prerequisites
- A VPS running Ubuntu 20.04/22.04/24.04 or Debian
- A domain using Cloudflare DNS (free plan)
- Port 53 (UDP + TCP) open on your VPS
DNS Records (Cloudflare)
Set these before running the installer:
| Type | Name | Value | Proxy |
|---|---|---|---|
| A | ns |
Your server IP | OFF (grey cloud) |
| NS | t |
ns.yourdomain.com |
- |
| NS | d |
ns.yourdomain.com |
- |
| NS | s |
ns.yourdomain.com |
- |
| NS | ds |
ns.yourdomain.com |
- |
| NS | n |
ns.yourdomain.com |
- |
| NS | z |
ns.yourdomain.com |
- |
| NS | v |
ns.yourdomain.com |
- |
| NS | vz |
ns.yourdomain.com |
- |
Important: The A record for ns must have the orange cloud OFF (DNS only). NS records don't have a proxy toggle.
Install
bash <(curl -sL https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/main/install.sh)
The interactive wizard walks you through:
- Enter your domain name
- Confirm DNS records are set
- Choose which tunnel types to enable
- Optionally set up SSH users and SOCKS authentication
- Optionally integrate Xray backend (VLESS/Shadowsocks/VMess/Trojan via DNS tunnel)
After Installation
# Check tunnel status
dnstm --status
# Monitor live stats
dnstm --monitor
# Run diagnostics
dnstm --diag
# Add another domain
dnstm --add-domain
# Add a tunnel type
dnstm --add-tunnel
# Manage SSH users
dnstm --manage
Client Setup
SlipNet App (Recommended)
SlipNet is the official client app for DNS tunnels. Available for Android.
- Install SlipNet from the download link provided by
dnstm --status - Enter your tunnel domain
- Select tunnel type (Slipstream, DNSTT, NoizDNS, or VayDNS)
- Connect
SlipNet creates a local VPN that routes all phone traffic through the DNS tunnel.
Manual Client (Desktop)
For desktop, you need the DNSTT client binary:
# Download DNSTT client
# Connect to your tunnel
./dnstt-client -dns 8.8.8.8 -domain d.yourdomain.com -pubkey YOUR_PUBLIC_KEY 127.0.0.1:1080
This creates a SOCKS5 proxy at 127.0.0.1:1080. Configure your browser to use it.
Xray Backend Integration
dnstm-setup can optionally connect an Xray (3X-UI) backend to a DNS tunnel. This gives you modern proxy protocols (VLESS, Shadowsocks, VMess, Trojan) tunneled through DNS:
Phone → DNS Tunnel → Your Server → Xray (VLESS/SS/VMess/Trojan) → Internet
dnstm --add-xray
The wizard:
- Auto-detects existing 3X-UI installation (native or Docker)
- Or installs it for you (full panel or headless mode)
- Creates an internal-only inbound on
127.0.0.1(not exposed to internet) - Generates client configs for Nekobox, v2rayNG, Shadowrocket
This means you get the unblockability of DNS tunneling with the protocol support of Xray.
Management
# Full status with SlipNet URLs
dnstm --status
# Live monitoring (CPU, memory, connections)
dnstm --monitor
# Diagnostics
dnstm --diag
# Add SSH tunnel user
dnstm --add-user
# Remove a tunnel
dnstm --remove-tunnel
# Add SOCKS authentication
dnstm --socks-auth
# Interactive management menu
dnstm --manage
# Uninstall everything
dnstm --uninstall
DNS Tunneling vs Other Methods
| DNS Tunnel | VLESS+Reality | WireGuard VPN | Tor | |
|---|---|---|---|---|
| Blockable? | Almost impossible | Very hard | Easy | Moderate |
| Speed | Slow (42-63 KB/s) | Fast | Fastest | Slow |
| Use case | Last resort, total shutdown | Primary bypass | Privacy, speed | Anonymity |
| Requires | Domain + DNS setup | VPS + 3X-UI | VPS + WireGuard | Nothing (but bridges) |
| Detection | Extremely hard | Very hard | Easy by DPI | Moderate |
When to Use DNS Tunneling
- VPN and proxy connections are completely blocked
- During internet shutdowns (DNS often still works)
- As a last-resort fallback alongside other methods
- In environments with the most aggressive DPI
When NOT to Use DNS Tunneling
- Speed matters (streaming, downloads, video calls)
- Simpler methods work (try VLESS+Reality first)
- You need high bandwidth
Troubleshooting
# Check if port 53 is open
ss -ulnp | grep :53
# Check if DNS queries reach your server
tcpdump -i any port 53 -n
# Run full diagnostics
dnstm --diag
# Check service status
systemctl status dnstm-router
systemctl status dnstm-slip
systemctl status dnstm-dnstt
| Problem | Fix |
|---|---|
| Tunnel doesn't connect | Check NS records point to ns.yourdomain.com |
| DNS queries not reaching server | Port 53 blocked by VPS provider — contact support |
| Slow speeds | Normal for DNS tunneling. Try Slipstream (fastest) |
| Connection drops | Use VayDNS (auto-recovery) |
| DPI blocking the tunnel | Switch to NoizDNS |
Security Notes
- Set up SOCKS5 authentication — without it, anyone who guesses your domain can use your tunnel
- Use SSH backend for per-user access control
- The DNS tunnel itself is encrypted (Noise/TLS), but the SOCKS proxy runs locally
- Use fortify to harden your server after setup
Related Guides
- Bypass Internet Censorship — every bypass method compared
- Complete DNS Guide — how DNS works
- Tor Explained — another censorship bypass method
- 3X-UI Panel Setup — Xray backend for DNS tunnels
- Complete Self-Hosting Guide — VPS setup basics
- Server Hardening Guide — secure your tunnel server
- Cloudflare Setup — DNS record management
Related Tools
- DNS Toolbox — verify your NS records
- Port Scanner — check if port 53 is open
- VPN Leak Test — verify tunnel is working
- What's My IP — confirm your IP changed
- findns — scan for working DNS resolvers for tunneling