[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1512":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":8,"language":10,"languages":8,"totalLinesOfCode":8,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":8,"rankLanguage":8,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":8,"pushedAt":8,"updatedAt":25,"readmeContent":26,"aiSummary":27,"trendingCount":15,"starSnapshotCount":15,"syncStatus":28,"lastSyncTime":29,"discoverSource":30},1512,"StormDNS","nullroute1970\u002FStormDNS","nullroute1970",null,"https:\u002F\u002Ft.me\u002Fnulllroute1970","Go",448,53,1,11,0,6,132,18,5.2,"MIT License",false,"main",true,[],"2026-06-12 02:00:29","# StormDNS Project 🔐\n\n## | [نسخه فارسی](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Fblob\u002Fmain\u002FREADME_FA.MD) | [English Version](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Fblob\u002Fmain\u002FREADME.MD) |\n\n📢 **Telegram Channel:** [https:\u002F\u002Ft.me\u002Fnulllroute1970](https:\u002F\u002Ft.me\u002Fnulllroute1970)\n\n**StormDNS** is a free internet access application built for people living under heavy censorship — especially in Iran and other firewalled countries. It tunnels TCP traffic through DNS queries and responses, allowing users to bypass deep packet inspection, internet filters, and nation-level firewalls without relying on blocked VPN protocols.\n\nWhile it shares a high-level goal with tools such as DNSTT or SlipStream, StormDNS follows a fundamentally different structure and implementation approach: it is engineered specifically for real-world censored networks rather than laboratory conditions. Every design decision — from its lightweight custom protocol to its multipath resolver architecture — is driven by one goal: keeping people connected even when their government actively tries to cut them off.\n\n### 📊 StormDNS Compared with Similar Projects\n\n| Feature | SlipStream | DNSTT | StormDNS |\n| :--- | :--- | :--- | :--- |\n| Protocol type | Advanced DNS tunnel | Classic DNS tunnel | Advanced DNS tunnel \u002F VPN |\n| Transport protocol | QUIC | KCP + Noise | Custom protocol + ARQ |\n| Transport header overhead | 🟠 ~24B | 🔴 ~59B | 🟢 ~5–7B (≈88% lower than DNSTT, ≈71% lower than SlipStream) |\n| Encryption style | TLS 1.3 (inside QUIC) | Noise (Curve25519) | AES \u002F ChaCha20 \u002F XOR (if XOR is used: lightweight with lower security and no extra overhead) |\n| Architecture | Unified (QUIC handles everything) | Multi-layered (KCP + SMUX + Noise) | Lightweight custom design optimized for DNS |\n| Performance (speed) | 🟡 High (up to ~5× faster than DNSTT) | 🔴 Medium | 🟢 Works well in very poor conditions; faster than others in the same situation |\n| Stability under packet loss | 🟡 Good | 🟠 Medium | 🟢 Very high (Multipath + ARQ) |\n| Multi-resolver support | Yes (multipath) | ❌ | Yes — advanced (multi-resolver + duplication) |\n| Resilience under heavy censorship | Good | Medium | Very strong (a core project goal) |\n| Setup complexity | Medium | Simple | Simple by default, but highly configurable and therefore a bit more advanced |\n| SOCKS5 support | Yes | Yes | Optimized for SOCKS5 \u002F SOCKS4 |\n| Shadowsocks support | ✅ | ❌ | Indirectly: TCP Forwarding mode can carry TCP-based protocols |\n| Real multipath | Yes (QUIC multipath) | ❌ | Yes (multi-resolver + duplication) |\n| Adaptive routing | Limited | ❌ | Advanced (latency\u002Floss based) |\n| Design goal | High speed and efficiency | Simplicity and stability | Surviving the harshest networks — stability, speed, and efficiency |\n| Implementation language | Rust | Go | Python and Go |\n| Built-in balancer | 🔴 | ❌ | 🟢 (4 built-in balancing modes) |\n| Duplication system | ❌ | ❌ | Yes — increases traffic to improve reliability (configurable) |\n| MTU tolerance | Better than DNSTT | - | Works even with very small MTU because protocol overhead is very low |\n| Failover system | ❌ | ❌ | ✅ |\n| Download speed 10MB (Local) | 🟡 0.978s | 🔴 2.492s | 🟢 0.270s |\n| Upload speed 10MB (Local) | 🟡 3.249s | 🔴 16.207s | 🟢 1.746s |\n| Resolver health checks and auto-disable | ❌ | ❌ | ✅ |\n| Background reactivation of healthy resolvers | ❌ | ❌ | ✅ |\n| Local DNS service on client (to reduce DNS hijacking) | ❌ | ❌ | ✅ (with strong DNS caching) |\n| DNS resolving through SOCKS5 | ❌ | ❌ | ✅ (with DNS caching) |\n| Fine-grained professional configuration | 🟠 | 🟠 | 🟢 Almost every subsystem is configurable |\n| No external helper software required | ❌ | ❌ | 🟢 No extra software is required; if needed, you can still combine it with SOCKS or tools such as Shadowsocks or OpenVPN |\n\n---\n\n### ❌ Disclaimer\n\nStormDNS is provided as a free tool to help people access the open internet.\n\n- **Provided without warranty:** This software is provided “AS-IS”, without any express or implied warranty, including merchantability, fitness for a particular purpose, or non-infringement.\n- **Limitation of liability:** The developers and contributors of this project accept no responsibility for any direct, indirect, incidental, consequential, or other damages arising from the use of this software or the inability to use it.\n- **User responsibility:** Using this project outside test environments may disrupt or damage network behavior. The user alone is responsible for all consequences of installation, configuration, and use.\n- **Legal compliance:** Using this project to bypass local laws may result in civil or criminal consequences. Please review the laws and regulations of your country before use. The developers accept no responsibility for violations of local, national, or international laws by users.\n- **License terms:** Use, copying, distribution, or modification of this software is governed by the license in the `LICENSE` file of this repository. Any use outside those terms is prohibited.\n\n---\n\n## Announcement and Support Channel 📢\n\nFor the latest news, releases, and project updates, follow our Telegram channel: [Telegram Channel](https:\u002F\u002Ft.me\u002Fnulllroute1970)\n\n---\n\n### If you like this project, please support it by starring it on GitHub (⭐). It helps the project get discovered.\n\n---\n\n### Optional Financial Support 💸\n\n- TON network:\n\n`UQDfjVk2UdpiMg-bsxqoLa0O_icuaF20D-wWJgIJwK1Ha2Ul`\n\n- USDT Tron (TRC20):\n\n`TR8ibZGKutPKoDm5nMbHFwGPFBuMKwjG6j`\n\n- USDT BNB Smart Chain (BEP20):\n\n`0x8c45d6bae8a5a572b2a776779fe0bcae3d3f9107`\n\nEvery contribution and every piece of feedback is appreciated. Support directly helps ongoing development and improvement.\n\n---\n\n## Key Features and Advantages ✨\n\nA brief overview of the main capabilities of StormDNS:\n\n- **Censorship resistance and harsh-network survivability:** 🛡️ Designed to work on filtered networks, unstable links, and strict MTU environments.\n- **Lightweight custom protocol:** 🔄 Uses a custom protocol with retransmission logic to reduce overhead and increase usable DNS payload.\n- **Multipath and packet duplication:** 📡 Sends traffic through multiple paths and supports selective duplication to increase delivery probability on unstable networks.\n- **Smart resolver selection and health checks:** ⚡ Selects resolvers based on quality and health, and manages problematic resolvers automatically.\n- **MTU discovery and synchronization:** 🧰 Detects the practical MTU of working paths and aligns around it to reduce fragmentation and improve stability.\n- **SOCKS5 \u002F SOCKS4 support and optimization:** 🧦 Optimized local proxy handling for common applications.\n- **Packed control blocks and lower control overhead:** 📦 Groups ACK\u002Fcontrol traffic together to reduce control chatter.\n- **Optional compression and request packing:** 🗜️ Reduces request counts and improves efficiency under small-MTU conditions.\n- **Flexible encryption:** 🔐 Supports multiple encryption methods to balance speed and security.\n- **Optional client-side local DNS and caching:** 📛 Can expose a local DNS service, reduce latency, and limit hijacking opportunities.\n- **Scalable resource control:** ⚙️ Can run on small servers or be tuned for heavier loads.\n\nThis list is only a high-level summary. The related sections below explain each area in more detail.\n\n---\n\n# Setup and Getting Started 🧑‍💻\n\n## Section 1: 🖥️ Server Setup\n\n### Section 1.1: 🌐 Domain Setup and Preparation (Prerequisite)\n\nTo receive DNS requests directly on your server, you must delegate a subdomain to it. In short, create two records: one `A` record that points to your server IP, and one `NS` record that delegates the tunnel subdomain to that A record.\n\n#### Step 1.1.1: 🅰️ Create an A Record (Server Address)\n\n- **Type:** `A`\n- **Name:** a short name such as `ns`\n- **Value:** your server IPv4 address\n\n> Example: `ns.example.com -> 1.2.3.4`\n\n> Cloudflare note: if the domain uses Cloudflare, open the `DNS` page and click the cloud icon next to the `A` record so it becomes gray (`DNS only`). It must not remain proxied.\n\n#### Step 1.1.2: 🏷️ Create an NS Record (Delegate the Subdomain)\n\n- **Type:** `NS`\n- **Name:** the tunnel subdomain, for example `v`\n- **Value \u002F Target:** `ns.example.com`\n\n> Example: `v.example.com -> ns.example.com`\n\n> Cloudflare note: add the `NS` record normally. Cloudflare does not proxy NS records, but make sure the `ns` A record is already set to `DNS only`.\n\n#### Section 1.1.3: 💡 A Short Note About MTU\n\nShorter domain names leave more space for actual data inside each DNS request. For better throughput, keep names short. If you use Cloudflare, still keep the relevant records in `DNS only` mode.\n\n---\n\n### Section 1.2: 🐧 Quick Linux Server Installation\n\n#### Step 1.2.1: Automatic Installation (Script)\n\nIf you want to deploy the server on Linux, the easiest method is the automatic installer script. Run this command on the server:\n\n```bash\nbash \u003C(curl -Ls https:\u002F\u002Fraw.githubusercontent.com\u002Fnullroute1970\u002FStormDNS\u002Fmain\u002Fserver_linux_install.sh)\n```\n\nThe script handles installation and configuration automatically. When it finishes, the server starts and the **encryption key** is shown in the terminal log and also written to `encrypt_key.txt` next to the executable. Keep this key safe.\n\n##### Installer command-line options\n\nThe installer also accepts the following options, which can be passed directly through the same `bash \u003C(curl ...)` command:\n\n| Option | Description |\n| --- | --- |\n| `-v \u003CVERSION>`, `--version \u003CVERSION>` | Install a specific StormDNS release tag (e.g. `v1.2.3`) instead of the latest release. |\n| `-u`, `--uninstall` | Uninstall StormDNS: stop and remove the `stormdns` systemd service, drop the kernel\u002Flimit tunings, and clean up the binary, `server_config.toml`, and `encrypt_key.txt` in the current directory. |\n| `-h`, `--help` | Show usage help and exit. |\n\nExamples:\n\n```bash\n# Install a specific release version:\nbash \u003C(curl -Ls https:\u002F\u002Fraw.githubusercontent.com\u002Fnullroute1970\u002FStormDNS\u002Fmain\u002Fserver_linux_install.sh) --version v1.2.3\n\n# Uninstall StormDNS (run from the same directory used during installation):\nbash \u003C(curl -Ls https:\u002F\u002Fraw.githubusercontent.com\u002Fnullroute1970\u002FStormDNS\u002Fmain\u002Fserver_linux_install.sh) --uninstall\n```\n\n> Note: For uninstall, run the command from the same working directory where StormDNS was originally installed so the script can locate the binary, config file, and encryption key.\n\n#### Step 1.2.2: Important Notes After Installation\n\n- During installation, you will be asked for a domain. It must be the same delegated subdomain you configured in the `NS` record, for example `v.example.com`.\n- After creating DNS records, wait for propagation. This may take from a few minutes to several hours, and in some cases up to 48 hours depending on TTL and the DNS provider.\n- To verify the DNS setup, you can use tools such as `dig` or `nslookup`, for example `dig v.example.com NS` or `nslookup -type=ns v.example.com`. For a direct query to the new nameserver: `dig @ns.example.com v.example.com A`.\n- If the server firewall is enabled, allow UDP port 53. Example for `ufw`:\n\n```bash\nsudo ufw allow 53\u002Fudp\nsudo ufw reload\n```\n\nFor `firewalld`:\n\n```bash\nsudo firewall-cmd --add-port=53\u002Fudp --permanent\nsudo firewall-cmd --reload\n```\n\n- If port `53` is already occupied by another service, such as `systemd-resolved`, see the troubleshooting section “Fixing Port 53 Already in Use”.\n- The encryption key (`encrypt_key.txt`) is shown after installation. Copy it and store it safely because the client needs it to connect.\n\n---\n\n## Section 2: 🚀 Installation and Launch (Client and Server)\n\nYou can install and run this project in two ways:\n\n1. Use the prebuilt binaries (recommended for most users)\n2. Run directly from source with **Go** (recommended for developers)\n\n---\n\n### Section 2.1: Use Prebuilt Releases (✅ Recommended)\n\nFor convenience, prebuilt client and server binaries are published in the release page. Download the correct archive for your operating system and extract it.\n\n> 💡 **Note:** Release archives usually include the binary plus sample configuration files.\n\n#### Client Download Links 📥\n\n| Operating System | Architecture | Suitable For | Direct Download |\n| :--- | :--- | :--- | :--- |\n| Windows 🪟 | `AMD64` (64-bit) | Windows 10 and 11 | [Download Windows Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Windows_AMD64.zip) |\n| Windows 🪟 | `x86` (32-bit) | Older 32-bit Windows systems | [Download Windows x86 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Windows_X86.zip) |\n| Windows 🪟 | `ARM64` | Windows on ARM devices | [Download Windows ARM64 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Windows_ARM64.zip) |\n| macOS 🍎 | `ARM64` | Apple Silicon Macs (M1 \u002F M2 \u002F M3) | [Download macOS Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_MacOS_ARM64.zip) |\n| macOS 🍎 | `AMD64` | Intel Macs | [Download macOS Intel Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_MacOS_AMD64.zip) |\n| Linux 🐧 | `AMD64` (64-bit) | Modern distributions (Ubuntu 22.04+, Debian 12+) | [Download Linux Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_AMD64.zip) |\n| Linux 🐧 | `x86` (32-bit) | Older 32-bit Linux systems | [Download Linux x86 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_X86.zip) |\n| Linux (Legacy) 🐧 | `AMD64` (64-bit) | Older distributions (Ubuntu 20.04, Debian 11) | [Download Linux Legacy Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux-Legacy_AMD64.zip) |\n| Linux (Legacy) 🐧 | `ARM64` | Older ARM64 Linux systems that need broader compatibility | [Download Linux Legacy ARM64 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux-Legacy_ARM64.zip) |\n| Linux (ARM) 🐧 | `ARM64` | ARM servers, Raspberry Pi, and similar boards | [Download Linux ARM Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_ARM64.zip) |\n| Linux (ARM) 🐧 | `ARMv7` | 32-bit ARM boards and older embedded Linux devices | [Download Linux ARMv7 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_ARMV7.zip) |\n| Linux (ARM) 🐧 | `ARMv6` | Older ARM boards and lightweight Linux devices | [Download Linux ARMv6 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_ARMV6.zip) |\n| Linux (ARM) 🐧 | `ARMv5` | Very old ARM devices and embedded Linux systems | [Download Linux ARMv5 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_ARMV5.zip) |\n| Linux 🐧 | `RISCV64` | RISC-V Linux boards and servers | [Download Linux RISCV64 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_RISCV64.zip) |\n| Linux (MIPS) 🐧 | `MIPS` | Big-endian MIPS Linux and router platforms | [Download Linux MIPS Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_MIPS.zip) |\n| Linux (MIPS) 🐧 | `MIPSLE` | Little-endian MIPS Linux and router platforms | [Download Linux MIPSLE Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_MIPSLE.zip) |\n| Linux (MIPS) 🐧 | `MIPS64` | 64-bit big-endian MIPS Linux systems | [Download Linux MIPS64 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_MIPS64.zip) |\n| Linux (MIPS) 🐧 | `MIPS64LE` | 64-bit little-endian MIPS Linux systems | [Download Linux MIPS64LE Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Linux_MIPS64LE.zip) |\n| Termux \u002F Android 📱 | `ARM64` | Modern Android phones running Termux | [Download Termux ARM64 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Termux_ARM64.zip) |\n| Termux \u002F Android 📱 | `ARMv7` | Older Android phones running 32-bit Termux environments | [Download Termux ARMv7 Client ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Client_Termux_ARMV7.zip) |\n\n#### Server Download Links 📤\n\n*(Use these if you do not want the automated Linux installer.)*\n\n| Operating System | Architecture | Suitable For | Direct Download |\n| :--- | :--- | :--- | :--- |\n| Windows 🪟 | `AMD64` (64-bit) | Windows Server, Windows 10 and 11 | [Download Windows Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Windows_AMD64.zip) |\n| Windows 🪟 | `x86` (32-bit) | Older 32-bit Windows systems | [Download Windows x86 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Windows_X86.zip) |\n| Windows 🪟 | `ARM64` | Windows on ARM devices | [Download Windows ARM64 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Windows_ARM64.zip) |\n| Linux 🐧 | `AMD64` (64-bit) | Ubuntu 22.04+, Debian 12+ servers | [Download Linux Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_AMD64.zip) |\n| Linux 🐧 | `x86` (32-bit) | Older 32-bit Linux systems | [Download Linux x86 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_X86.zip) |\n| Linux (Legacy) 🐧 | `AMD64` (64-bit) | Older servers (Ubuntu 20.04, Debian 11) | [Download Linux Legacy Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux-Legacy_AMD64.zip) |\n| Linux (Legacy) 🐧 | `ARM64` | Older ARM64 Linux systems that need broader compatibility | [Download Linux Legacy ARM64 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux-Legacy_ARM64.zip) |\n| Linux (ARM) 🐧 | `ARM64` | ARM servers | [Download Linux ARM Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_ARM64.zip) |\n| Linux (ARM) 🐧 | `ARMv7` | 32-bit ARM servers and embedded Linux devices | [Download Linux ARMv7 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_ARMV7.zip) |\n| Linux (ARM) 🐧 | `ARMv6` | Older ARM boards and lightweight Linux devices | [Download Linux ARMv6 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_ARMV6.zip) |\n| Linux (ARM) 🐧 | `ARMv5` | Very old ARM devices and embedded Linux systems | [Download Linux ARMv5 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_ARMV5.zip) |\n| Linux 🐧 | `RISCV64` | RISC-V Linux boards and servers | [Download Linux RISCV64 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_RISCV64.zip) |\n| Linux (MIPS) 🐧 | `MIPS` | Big-endian MIPS Linux and router platforms | [Download Linux MIPS Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_MIPS.zip) |\n| Linux (MIPS) 🐧 | `MIPSLE` | Little-endian MIPS Linux and router platforms | [Download Linux MIPSLE Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_MIPSLE.zip) |\n| Linux (MIPS) 🐧 | `MIPS64` | 64-bit big-endian MIPS Linux systems | [Download Linux MIPS64 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_MIPS64.zip) |\n| Linux (MIPS) 🐧 | `MIPS64LE` | 64-bit little-endian MIPS Linux systems | [Download Linux MIPS64LE Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Linux_MIPS64LE.zip) |\n| macOS 🍎 | `ARM64` | Apple Silicon Macs | [Download macOS Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_MacOS_ARM64.zip) |\n| macOS 🍎 | `AMD64` | Intel Macs | [Download macOS Intel Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_MacOS_AMD64.zip) |\n| Termux \u002F Android 📱 | `ARM64` | Modern Android \u002F Termux environments | [Download Termux ARM64 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Termux_ARM64.zip) |\n| Termux \u002F Android 📱 | `ARMv7` | Older Android \u002F 32-bit Termux environments | [Download Termux ARMv7 Server ⬇️](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Freleases\u002Flatest\u002Fdownload\u002FStormDNS_Server_Termux_ARMV7.zip) |\n\n---\n\n### Section 2.2: 🪟 Preparing and Running the Client on Windows\n\n- After downloading the Windows package, extract it.\n- Open `client_config.toml` with a text editor such as Notepad.\n- Replace the default values with your real domain, encryption key, and resolver list.\n- Run the client executable.\n- Configure your browser or app to use the local SOCKS5 proxy at `127.0.0.1:18000` unless you changed the defaults.\n\n---\n\n### Section 2.3: 🐧 Preparing and Running on Linux \u002F macOS\n\nAfter downloading the package on Linux:\n\n```bash\nsudo apt update\nsudo apt install unzip nano\n```\n\nExtract the archive:\n\n```bash\nunzip StormDNS_Client_Linux_AMD64.zip\nls\n```\n\nGive execute permission if needed:\n\n```bash\nchmod +x StormDNS_Client_Linux_AMD64\nchmod +x StormDNS_Server_Linux_AMD64\n```\n\nEdit the configuration:\n\n```bash\nnano client_config.toml\nnano server_config.toml\n```\n\nThen run:\n\n```bash\n.\u002FStormDNS_Client_Linux_AMD64\n.\u002FStormDNS_Server_Linux_AMD64\n```\n\n---\n\n### Section 2.4: 🧑‍💻 Run Directly from Source (Go)\n\n> ⚠️ This section is intended for developers or users who want to run the current Go source directly.\n\n#### Prerequisite\n\n- Go `1.24` or newer\n\n#### Build from source\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS.git\ncd StormDNS\n\ngo build -o stormdns-client .\u002Fcmd\u002Fclient\ngo build -o stormdns-server .\u002Fcmd\u002Fserver\n```\n\nOn Windows:\n\n```powershell\ngit clone https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS.git\ncd StormDNS\n\ngo build -o stormdns-client.exe .\\cmd\\client\ngo build -o stormdns-server.exe .\\cmd\\server\n```\n\n#### Create config files\n\nOn Linux and macOS:\n\n```bash\ncp client_config.toml.simple client_config.toml\ncp server_config.toml.simple server_config.toml\ncp client_resolvers.simple client_resolvers.txt\n```\n\nOn Windows:\n\n```powershell\nCopy-Item client_config.toml.simple client_config.toml\nCopy-Item server_config.toml.simple server_config.toml\nCopy-Item client_resolvers.simple client_resolvers.txt\n```\n\n#### Run the server and client\n\n```bash\n.\u002Fstormdns-server -config server_config.toml\n.\u002Fstormdns-client -config client_config.toml\n```\n\nOn Windows:\n\n```powershell\n.\\stormdns-server.exe -config server_config.toml\n.\\stormdns-client.exe -config client_config.toml\n```\n\n#### Command-line parameters\n\nBoth binaries support these arguments:\n\n| Parameter | Description |\n| :--- | :--- |\n| `-config` | Path to the configuration file |\n| `-log` | Optional path to a log file |\n| `-version` | Print version and exit |\n\nExample:\n\n```bash\n.\u002Fstormdns-server -config server_config.toml -log server.log\n.\u002Fstormdns-client -config client_config.toml -log client.log\n```\n\n---\n\n# Section 3: Configuration Files and Structure 🛠️\n\n## Section 3.1: Important Project Files 📂\n\n| File | Purpose |\n| :--- | :--- |\n| `client_config.toml` | Main client configuration |\n| `server_config.toml` | Main server configuration |\n| `client_resolvers.txt` | Resolver list |\n| `encrypt_key.txt` | Shared server-side encryption key |\n| `client_config.toml.simple` | Full sample client config for the current Go version |\n| `server_config.toml.simple` | Full sample server config for the current Go version |\n\nAccepted formats in `client_resolvers.txt`:\n\n- `IP`\n- `IP:PORT`\n- `CIDR`\n- `CIDR:PORT`\n\nExample:\n\n```text\n8.8.8.8\n1.1.1.1:53\n9.9.9.0\u002F24\n208.67.222.0\u002F24:5353\n```\n\n---\n\n## Section 3.2: Quick Client Checklist 🚀\n\nThese items are required on the client:\n\n1. **`ENCRYPTION_KEY`** must match the content of the server’s `encrypt_key.txt`\n2. **`DOMAINS`** must match the server domain\n3. **`client_resolvers.txt`** must contain working resolvers\n4. For normal use, keep **`PROTOCOL_TYPE = \"SOCKS5\"`**\n\n---\n\n## Section 3.3: Quick Server Checklist ⚙️\n\nThese settings are critical on the server:\n\n1. Set **`DOMAIN`** to your delegated tunnel domain\n2. **`DATA_ENCRYPTION_METHOD`** must match the client\n3. **`ENCRYPTION_KEY_FILE`** defines the path to the server key file\n4. If you want direct outbound connections, keep **`USE_EXTERNAL_SOCKS5 = false`**\n5. If you want to chain through an upstream SOCKS5 proxy, set `USE_EXTERNAL_SOCKS5 = true` and fill `FORWARD_IP` \u002F `FORWARD_PORT`\n\n---\n\n## Section 3.4: 📘 Client Configuration Variables (`client_config.toml`)\n\n### 3.4.1) 🧭 Tunnel Identity and Security\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `PROTOCOL_TYPE` | `\"SOCKS5\"` | `\"SOCKS5\"` or `\"TCP\"` | Chooses the local service mode exposed by the client.\u003Cbr>`SOCKS5` is the default and recommended mode for normal use.\u003Cbr>`TCP` is useful when you want to forward traffic to one fixed remote target instead of giving applications a SOCKS proxy. |\n| `DOMAINS` | `[\"v.example.com\"]` | Non-empty list of strings | These are the tunnel domains used to build DNS requests.\u003Cbr>Every domain here must belong to the same tunnel you configured on the server.\u003Cbr>If this list is wrong, the client may build valid DNS queries that the server will simply ignore. |\n| `DATA_ENCRYPTION_METHOD` | `1` | `0..5` | Must match the server.\u003Cbr>`0=None`, `1=XOR`, `2=ChaCha20`, `3=AES-128-GCM`, `4=AES-192-GCM`, `5=AES-256-GCM`.\u003Cbr>XOR is lightweight but weaker. AEAD modes are stronger but have more overhead. |\n| `ENCRYPTION_KEY` | `\"\"` | String | Shared secret used by the client codec.\u003Cbr>This must be exactly the same as the server-side encryption key.\u003Cbr>If the key is wrong, packets may be parsed as garbage and the tunnel will not work. |\n\n### 3.4.2) 🧦 Local Proxy\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `LISTEN_IP` | `\"127.0.0.1\"` | Valid IP string | Address where the client listens for local proxy users.\u003Cbr>Use `127.0.0.1` for normal local-only usage.\u003Cbr>If some applications prefer IPv6 localhost on your system, using `localhost` can be a better local-only choice.\u003Cbr>Use `0.0.0.0` only if you want to share the proxy on the network and understand the security implications. |\n| `LISTEN_PORT` | `18000` | `0..65535` | Port for the local proxy.\u003Cbr>Your applications must use this port to send traffic into the tunnel. |\n| `SOCKS5_AUTH` | `false` | `true\u002Ffalse` | Enables username\u002Fpassword authentication on the local SOCKS5 proxy.\u003Cbr>If you bind to `0.0.0.0`, enabling this is strongly recommended. |\n| `SOCKS5_USER` | `\"master_dns_vpn\"` | Up to 255 bytes | Username for the local SOCKS5 proxy.\u003Cbr>Used only if `SOCKS5_AUTH=true`. |\n| `SOCKS5_PASS` | `\"master_dns_vpn\"` | Up to 255 bytes | Password for the local SOCKS5 proxy.\u003Cbr>Used only if `SOCKS5_AUTH=true`. |\n\n### 3.4.3) 📛 Local DNS\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `LOCAL_DNS_ENABLED` | `false` | `true\u002Ffalse` | If enabled, the client exposes a local DNS service and can resolve DNS through the tunnel.\u003Cbr>This is useful for reducing DNS hijacking or when you want applications to use the tunnel for DNS as well. |\n| `LOCAL_DNS_IP` | `\"127.0.0.1\"` | Valid IP string | Bind address for the local DNS listener. |\n| `LOCAL_DNS_PORT` | `53` | `0..65535` | Port of the local DNS service.\u003Cbr>Port `53` is standard, but on some systems it may already be used by another service. |\n| `LOCAL_DNS_CACHE_MAX_RECORDS` | `5000` | If `\u003C1`, fallback applies | Maximum number of local DNS cache records.\u003Cbr>A larger value reduces repeated DNS lookups but uses more memory. |\n| `LOCAL_DNS_CACHE_TTL_SECONDS` | `28800.0` | If `\u003C=0`, fallback applies | How long successful DNS records stay in the local cache. |\n| `LOCAL_DNS_PENDING_TIMEOUT_SECONDS` | `300.0` | If `\u003C=0`, fallback applies | If a local DNS query is in progress, follower queries can wait for it instead of launching another upstream request.\u003Cbr>This value defines how long they may wait. |\n| `LOCAL_DNS_CACHE_PERSIST_TO_FILE` | `true` | `true\u002Ffalse` | If enabled, the local DNS cache can be written to disk for reuse between runs. |\n| `LOCAL_DNS_CACHE_FLUSH_INTERVAL_SECONDS` | `60.0` | If `\u003C=0`, fallback applies | How often the persisted local DNS cache is flushed to disk. |\n| `DNS_RESPONSE_FRAGMENT_TIMEOUT_SECONDS` | `10.0` | If `\u003C=0`, fallback applies | How long the client waits for missing DNS tunnel response fragments before giving up. |\n\n### 3.4.4) ⚡ Resolver Selection, Duplication, Health, and Failover\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `RESOLVER_BALANCING_STRATEGY` | `0` | `0..4` | Chooses how resolvers are selected.\u003Cbr>`0\u002F2` = Round Robin, `1` = Random, `3` = Least Loss, `4` = Lowest Latency.\u003Cbr>Loss\u002Flatency modes become useful after the client gathers runtime statistics. |\n| `UPLOAD_PACKET_DUPLICATION_COUNT` | `2` | clamp to `[1, 8]` | Duplication count for **upload data** packets only (`STREAM_DATA`, `STREAM_RESEND`).\u003Cbr>These carry bulk bytes from the client to the internet, so each duplicate directly multiplies upload bandwidth usage.\u003Cbr>On upload-limited links (e.g., typical Iranian ISP conditions) keep this low (`1`–`2`). |\n| `DOWNLOAD_PACKET_DUPLICATION_COUNT` | `7` | clamp to `[1, 8]` | Duplication count for **download-support** packets only (`STREAM_DATA_ACK`, `STREAM_DATA_NACK`).\u003Cbr>These are small acknowledgements that protect traffic you are *receiving*.\u003Cbr>Duplicating them costs almost no upload bandwidth but significantly improves download reliability on lossy paths; values of `4`–`7` are reasonable on bad networks. |\n| `UPLOAD_SETUP_PACKET_DUPLICATION_COUNT` | `3` | clamp to `[UPLOAD_PACKET_DUPLICATION_COUNT, 8]` | Duplication count for **upload setup** packets (`STREAM_SYN`, `SOCKS5_SYN`).\u003Cbr>Small per-packet cost but critical for the time-to-first-byte of new connections. |\n| `DOWNLOAD_SETUP_PACKET_DUPLICATION_COUNT` | `8` | clamp to `[DOWNLOAD_PACKET_DUPLICATION_COUNT, 8]` | Duplication count for **download setup \u002F control** packets (`PACKED_CONTROL_BLOCKS`, `STREAM_CLOSE_READ`, `STREAM_CLOSE_WRITE`).\u003Cbr>Small packets whose loss would otherwise stall teardown\u002Fcontrol; safe to keep high (`4`–`8`). |\n| `STREAM_RESOLVER_FAILOVER_RESEND_THRESHOLD` | `2` | If `\u003C1`, fallback applies | If a stream accumulates repeated resend pressure on the same preferred resolver, the client may fail over that stream to another resolver.\u003Cbr>This threshold controls how quickly that happens. |\n| `STREAM_RESOLVER_FAILOVER_COOLDOWN` | `1.0` | If `\u003C=0`, fallback applies | Minimum delay between two failovers for the same stream.\u003Cbr>This prevents unstable oscillation between resolvers. |\n| `RECHECK_INACTIVE_SERVERS_ENABLED` | `true` | `true\u002Ffalse` | Enables background rechecks for currently disabled or unhealthy resolvers.\u003Cbr>If disabled, once a resolver becomes unusable, it will stay disabled until restart or manual rebuild. |\n| `RECHECK_INACTIVE_INTERVAL_SECONDS` | `1800.0` | If `\u003C=0`, fallback applies | Base interval used for rechecking inactive resolvers in the background. |\n| `RECHECK_SERVER_INTERVAL_SECONDS` | `2.0` | If `\u003C=0`, fallback applies | Shorter retry interval used for resolvers disabled during runtime health logic.\u003Cbr>This makes recently bad resolvers come back faster if they recover. |\n| `RECHECK_BATCH_SIZE` | `30` | If `\u003C1`, fallback to `1` | Maximum number of resolver rechecks launched in one pass.\u003Cbr>Higher values reactivate resolvers faster but use more background work. |\n| `AUTO_DISABLE_TIMEOUT_SERVERS` | `true` | `true\u002Ffalse` | Enables automatic disabling of resolvers that keep timing out and show no successful activity. |\n| `AUTO_DISABLE_TIMEOUT_WINDOW_SECONDS` | `180.0` | If `\u003C=0`, fallback applies | Time window used to decide whether a resolver is “timeout only”.\u003Cbr>If all observations in this window are timeouts, it may be disabled. |\n| `AUTO_DISABLE_MIN_OBSERVATIONS` | `3` | minimum `1` | Number of timeout observations required before auto-disable can trigger. |\n| `AUTO_DISABLE_CHECK_INTERVAL_SECONDS` | `3.0` | If `\u003C=0`, fallback applies | How often the health loop evaluates timeout-only resolvers for auto-disable. |\n| `BASE_ENCODE_DATA` | `false` | `true\u002Ffalse` | If enabled, payloads are encoded in a base-safe format before tunneling.\u003Cbr>This usually reduces payload efficiency, but can help in strict resolver environments. |\n\n> **Tip — upload-limited links (e.g., Iran):** Since upload bandwidth is multiplied by `UPLOAD_PACKET_DUPLICATION_COUNT` but ACK duplication is practically free, a good profile is:\n> ```toml\n> UPLOAD_PACKET_DUPLICATION_COUNT         = 1   # or 2\n> DOWNLOAD_PACKET_DUPLICATION_COUNT       = 5   # 4..7\n> UPLOAD_SETUP_PACKET_DUPLICATION_COUNT   = 3   # 2..4\n> DOWNLOAD_SETUP_PACKET_DUPLICATION_COUNT = 6   # 4..8\n> ```\n> This keeps upload bandwidth low while still aggressively protecting download reliability and connection setup.\n\n### 3.4.5) 🗜️ Compression\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `UPLOAD_COMPRESSION_TYPE` | `0` | `0..3` | `0=OFF`, `1=ZSTD`, `2=LZ4`, `3=ZLIB`.\u003Cbr>Controls client-side compression for outgoing payloads. |\n| `DOWNLOAD_COMPRESSION_TYPE` | `0` | `0..3` | Compression type expected or preferred for server-to-client payloads. |\n| `COMPRESSION_MIN_SIZE` | `120` | If invalid, fallback applies | Minimum payload size before compression is attempted.\u003Cbr>Very small packets often grow instead of shrinking, so this avoids pointless compression work. |\n\n### 3.4.6) 🧪 MTU Discovery and Initial Testing\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `MIN_UPLOAD_MTU` | `40` | positive integer | Smallest upload MTU the client accepts during resolver testing. |\n| `MIN_DOWNLOAD_MTU` | `100` | positive integer | Smallest download MTU the client accepts during resolver testing. |\n| `MAX_UPLOAD_MTU` | `64` | positive integer | Upper bound for upload MTU testing. |\n| `MAX_DOWNLOAD_MTU` | `140` | positive integer | Upper bound for download MTU testing. |\n| `MTU_TEST_RETRIES_RESOLVERS` | `3` | if invalid, fallback applies | Number of retries for each MTU probe when `STARTUP_MODE = \"resolvers\"` (full scan from `client_resolvers.txt`). |\n| `MTU_TEST_TIMEOUT_RESOLVERS` | `2.0` | if invalid, fallback applies | Timeout for a single MTU probe when `STARTUP_MODE = \"resolvers\"`. |\n| `MTU_TEST_PARALLELISM_RESOLVERS` | `100` | if invalid, fallback applies | Number of resolvers tested in parallel during MTU scanning when `STARTUP_MODE = \"resolvers\"`.\u003Cbr>Higher values scan faster but use more CPU\u002Fnetwork and may produce more noisy failures. |\n| `MTU_TEST_RETRIES_LOGS` | `5` | if invalid, fallback applies | Number of retries for each MTU probe when `STARTUP_MODE = \"logs\"` (fast start from cached log entries). |\n| `MTU_TEST_TIMEOUT_LOGS` | `2.0` | if invalid, fallback applies | Timeout for a single MTU probe when `STARTUP_MODE = \"logs\"`. |\n| `MTU_TEST_PARALLELISM_LOGS` | `32` | if invalid, fallback applies | Number of resolvers tested in parallel during MTU scanning when `STARTUP_MODE = \"logs\"`. |\n\n### 3.4.7) 🧵 Runtime Workers, Queues, and Timers\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `RX_TX_WORKERS` | `4` | if invalid, fallback applies | Number of shared runtime workers used for both UDP tunnel reads and writes. |\n| `TUNNEL_PROCESS_WORKERS` | `4` | if invalid, fallback applies | Number of workers processing tunnel packets after read. |\n| `TUNNEL_PACKET_TIMEOUT_SECONDS` | `8.0` | if invalid, fallback applies | Overall timeout for tunnel packet handling. |\n| `DISPATCHER_IDLE_POLL_INTERVAL_SECONDS` | `0.020` | if invalid, fallback applies | When there is nothing to send, the dispatcher sleeps for this interval before polling again. |\n| `TX_CHANNEL_SIZE` | `2048` | if invalid, fallback applies | Capacity of the outgoing tunnel packet channel. |\n| `RX_CHANNEL_SIZE` | `2048` | if invalid, fallback applies | Capacity of the incoming tunnel packet channel. |\n| `RESOLVER_UDP_CONNECTION_POOL_SIZE` | `64` | if invalid, fallback applies | Number of reusable UDP sockets kept per resolver label. |\n| `STREAM_QUEUE_INITIAL_CAPACITY` | `128` | if invalid, fallback applies | Initial queue capacity for per-stream client transmit queues. |\n| `ORPHAN_QUEUE_INITIAL_CAPACITY` | `32` | if invalid, fallback applies | Initial capacity for the orphan control queue. |\n| `DNS_RESPONSE_FRAGMENT_STORE_CAPACITY` | `256` | if invalid, fallback applies | Capacity of the client-side DNS response fragment store. |\n| `SOCKS_UDP_ASSOCIATE_READ_TIMEOUT_SECONDS` | `30.0` | if invalid, fallback applies | Read timeout for SOCKS UDP associate mode. |\n| `CLIENT_TERMINAL_STREAM_RETENTION_SECONDS` | `45.0` | if invalid, fallback applies | How long terminal streams remain in client bookkeeping before full cleanup. |\n| `CLIENT_CANCELLED_SETUP_RETENTION_SECONDS` | `120.0` | if invalid, fallback applies | Retention time for setup streams cancelled before completion. |\n| `SESSION_INIT_RETRY_BASE_SECONDS` | `1.0` | if invalid, fallback applies | Base delay for session-init retries. |\n| `SESSION_INIT_RETRY_STEP_SECONDS` | `1.0` | if invalid, fallback applies | Step increment used in the retry schedule. |\n| `SESSION_INIT_RETRY_LINEAR_AFTER` | `5` | if invalid, fallback applies | After this many retries, the retry backoff becomes more linear. |\n| `SESSION_INIT_RETRY_MAX_SECONDS` | `60.0` | if invalid, fallback applies | Maximum retry delay for session initialization. |\n| `SESSION_INIT_BUSY_RETRY_INTERVAL_SECONDS` | `60.0` | if invalid, fallback applies | Retry delay when the server explicitly responds with `SESSION_BUSY`. |\n\n### 3.4.8) 📡 Ping \u002F Keepalive\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `PING_AGGRESSIVE_INTERVAL_SECONDS` | `0.300` | positive number | Fastest ping interval used in the hottest activity state. |\n| `PING_LAZY_INTERVAL_SECONDS` | `1.0` | positive number | Normal operating ping interval. |\n| `PING_COOLDOWN_INTERVAL_SECONDS` | `3.0` | positive number | Ping interval during cooldown. |\n| `PING_COLD_INTERVAL_SECONDS` | `30.0` | positive number | Ping interval when the session is cold\u002Fmostly idle. |\n| `PING_WARM_THRESHOLD_SECONDS` | `5.0` | positive number | Threshold after which the session is treated as warm. |\n| `PING_COOL_THRESHOLD_SECONDS` | `10.0` | positive number | Threshold after which the session is treated as cooling down. |\n| `PING_COLD_THRESHOLD_SECONDS` | `20.0` | positive number | Threshold after which the session is treated as cold. |\n| `PING_WATCHDOG_TIMEOUT_SECONDS` | `300.0` | clamped to `[10, 3600]`, `0` disables | If the client is actively sending non-ping traffic but receives no server response for this many seconds, the session is force-restarted. The timer starts only after all resolvers have been scanned and the session is fully operational. This recovers the \"zombie\" tunnel state where all resolvers silently drop packets and no server-initiated reset ever arrives. |\n\n### 3.4.9) 🔄 ARQ and Packet Packing\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `MAX_PACKETS_PER_BATCH` | `8` | if invalid, fallback applies | Maximum number of control items the client tries to batch in one packet turn. |\n| `ARQ_WINDOW_SIZE` | `2000` | valid positive range | ARQ send\u002Freceive window size per stream. |\n| `ARQ_INITIAL_RTO_SECONDS` | `1.0` | clamped in code | Initial retransmission timeout for data packets. |\n| `ARQ_MAX_RTO_SECONDS` | `8.0` | clamped in code | Maximum retransmission timeout for data packets. |\n| `ARQ_CONTROL_INITIAL_RTO_SECONDS` | `1.0` | clamped in code | Initial retransmission timeout for control packets. |\n| `ARQ_CONTROL_MAX_RTO_SECONDS` | `8.0` | clamped in code | Maximum retransmission timeout for control packets. |\n| `ARQ_MAX_CONTROL_RETRIES` | `80` | clamped in code | Maximum number of retries for control packets. |\n| `ARQ_INACTIVITY_TIMEOUT_SECONDS` | `1800.0` | clamped in code | Stream inactivity timeout. |\n| `ARQ_DATA_PACKET_TTL_SECONDS` | `1800.0` | clamped in code | TTL for data packets before they are abandoned. |\n| `ARQ_CONTROL_PACKET_TTL_SECONDS` | `900.0` | clamped in code | TTL for control packets. |\n| `ARQ_MAX_DATA_RETRIES` | `800` | clamped in code | Maximum retries for data packets. |\n| `ARQ_DATA_NACK_MAX_GAP` | `0` | clamped in code | Maximum gap size for NACK generation when packets arrive out of order. |\n| `ARQ_DATA_NACK_INITIAL_DELAY_SECONDS` | `0.4` | clamped in code | Initial delay before sending a NACK for missing data packets. Controls how eagerly the system requests retransmissions. |\n| `ARQ_DATA_NACK_REPEAT_SECONDS` | `2.0` | clamped in code | Minimum interval before repeating a NACK for the same missing sequence. |\n| `ARQ_TERMINAL_DRAIN_TIMEOUT_SECONDS` | `90.0` | clamped in code | After a stream becomes terminal, how long the client waits for queue drain. |\n| `ARQ_TERMINAL_ACK_WAIT_TIMEOUT_SECONDS` | `60.0` | clamped in code | How long the client waits for the final terminal ACK. |\n\n### 3.4.10) 🪵 Logging\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `LOG_LEVEL` | `\"INFO\"` | usually `DEBUG`, `INFO`, `WARN`, `ERROR` | Controls client log verbosity.\u003Cbr>`INFO` is usually enough for normal operation.\u003Cbr>Use `DEBUG` when investigating resolver health, failover, ARQ, or packet paths. |\n\n---\n\n## Section 3.5: 📖 Server Configuration (`server_config.toml`)\n\n> ℹ️ Note: the sample server config contains a key named `CONFIG_VERSION`, but the current Go code does not read it into `ServerConfig`. For that reason it is not included in the table below and has no effect on real server behavior.\n\n### 3.5.1) 🌐 Tunnel Policy and Protocol Acceptance\n\n| Parameter | Sample Value in `server_config.toml.simple` | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `DOMAIN` | `[\"v.domain.com\"]` | list of strings | Domain or domains that this server treats as belonging to its tunnel.\u003Cbr>They must match the client `DOMAINS`, otherwise tunnel packets will not be recognized correctly. |\n| `PROTOCOL_TYPE` | `\"SOCKS5\"` | only `\"SOCKS5\"` or `\"TCP\"` | Determines what kind of setup the server accepts for new streams.\u003Cbr>In `SOCKS5` mode, the server expects `PACKET_SOCKS5_SYN` and takes the target from the client payload.\u003Cbr>In `TCP` mode, setup happens through `PACKET_STREAM_SYN` and the server connects to `FORWARD_IP:FORWARD_PORT`. |\n| `MIN_VPN_LABEL_LENGTH` | not shown in sample | if `\u003C=0`, fallback to `3` | Minimum tunnel data label length.\u003Cbr>This helps avoid confusing ordinary DNS queries with tunnel queries.\u003Cbr>If this parameter is missing from your old README or config, it is worth adding because the code supports it. |\n| `SUPPORTED_UPLOAD_COMPRESSION_TYPES` | `[0, 1, 2, 3]` | valid compression IDs only | Compression modes the server allows clients to request for upload traffic. |\n| `SUPPORTED_DOWNLOAD_COMPRESSION_TYPES` | `[0, 1, 2, 3]` | valid compression IDs only | Same idea for download traffic from server to client. |\n\n### 3.5.2) 📥 UDP Listener and Front-Door Capacity\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `UDP_HOST` | `\"0.0.0.0\"` | if empty, this value is used | Address where the DNS server binds.\u003Cbr>`0.0.0.0` means listen on all interfaces. |\n| `UDP_PORT` | `53` | `1..65535` | UDP port used by the server.\u003Cbr>In most deployments this should remain `53` so resolvers can query it directly. |\n| `UDP_READERS` | `2` | auto-default if `\u003C=0` | Number of goroutines reading directly from the UDP socket.\u003Cbr>A larger number may help on very busy servers, but beyond a point it only increases context switching. |\n| `DNS_REQUEST_WORKERS` | `4` | auto-default if `\u003C=0` | Number of workers that take requests from the front-door queue and pass them into the session\u002Fdecode layer. |\n| `MAX_CONCURRENT_REQUESTS` | `4096` | fallback if `\u003C=0` | Capacity of the incoming request queue.\u003Cbr>If this queue fills up, packets are dropped and the server emits rate-limited overload logs. |\n| `SOCKET_BUFFER_SIZE` | `4194304` | fallback if `\u003C=0` | Operating-system socket buffer size request for the UDP listener.\u003Cbr>This matters for heavy bursts of incoming traffic. |\n| `MAX_PACKET_SIZE` | `65535` | fallback if `\u003C=0` | Size of the largest packet buffer that the packet pool allocates. |\n| `DROP_LOG_INTERVAL_SECONDS` | `2.0` | fallback if `\u003C=0` | Minimum interval between repeated overload\u002Fdrop logs, to avoid log spam during pressure. |\n\n### 3.5.3) 🧠 Deferred Session Runtime\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `DEFERRED_SESSION_WORKERS` | `2` | clamped up to `128` | Number of deferred-session workers.\u003Cbr>These workers handle ordering-sensitive and setup-heavy tasks such as stream setup, SOCKS connect, and some DNS assembly tasks.\u003Cbr>Too few can slow down stream setup; too many can create unnecessary contention. |\n| `DEFERRED_SESSION_QUEUE_LIMIT` | `2048` | clamped to `256..14336` | Queue capacity for deferred-session work.\u003Cbr>If it fills up, new setup or deferred tasks may be rejected. |\n| `SESSION_ORPHAN_QUEUE_INITIAL_CAPACITY` | `128` | clamped to `4..4096` | Initial capacity of the per-session orphan control queue. |\n| `STREAM_QUEUE_INITIAL_CAPACITY` | `256` | clamped to `8..65536` | Initial capacity of each stream queue on the server. |\n| `DNS_FRAGMENT_STORE_CAPACITY` | `512` | clamped to `16..16384` | Capacity used to hold DNS tunnel fragments while waiting for full assembly. |\n| `SOCKS5_FRAGMENT_STORE_CAPACITY` | `1024` | clamped to `16..16384` | Capacity used to hold fragmented SOCKS5 setup payloads. |\n\n### 3.5.4) 🍪 Session \u002F Stream Lifecycle and Invalid Cookie Tracking\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `INVALID_COOKIE_WINDOW_SECONDS` | `2.0` | fallback if `\u003C=0` | Time window used to count invalid-cookie errors.\u003Cbr>This helps the server detect broken sessions or clients repeatedly using a wrong cookie. |\n| `INVALID_COOKIE_ERROR_THRESHOLD` | `10` | fallback if `\u003C=0` | If invalid-cookie errors reach this threshold inside the window above, the server responds more aggressively. |\n| `SESSION_TIMEOUT_SECONDS` | `300.0` | fallback if `\u003C=0` | If a session has no activity for this long, the server times it out and cleans it up. |\n| `SESSION_CLEANUP_INTERVAL_SECONDS` | `30.0` | fallback if `\u003C=0` | How often the periodic session cleanup loop runs. |\n| `CLOSED_SESSION_RETENTION_SECONDS` | `600.0` | fallback if `\u003C=0` | How long closed-session metadata is kept so late packets can still be recognized. |\n| `SESSION_INIT_REUSE_TTL_SECONDS` | `600.0` | clamp to `1..86400` seconds | How long session-init signatures are kept for reuse and simple replay protection. |\n| `RECENTLY_CLOSED_STREAM_TTL_SECONDS` | `600.0` | clamp to `1..86400` seconds | How long recently closed streams remain in the “recently closed” table so late SYN packets do not revive them. |\n| `RECENTLY_CLOSED_STREAM_CAP` | `2000` | clamp to `1..1000000` | Maximum number of recently closed stream entries the server keeps. |\n| `TERMINAL_STREAM_RETENTION_SECONDS` | `45.0` | clamp to `1..86400` seconds | How long terminal streams remain before final sweeping. |\n\n### 3.5.5) 📛 DNS Tunnel Upstream\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `DNS_UPSTREAM_SERVERS` | `[\"1.1.1.1:53\", \"1.0.0.1:53\"]` | fallback if empty | When the client sends a real DNS request through the tunnel, the server forwards it to these upstream resolvers.\u003Cbr>This section is only for DNS-over-tunnel, not for the tunnel transport itself. |\n| `DNS_UPSTREAM_TIMEOUT` | `4.0` | fallback if `\u003C=0` | Timeout for each exchange with the real DNS upstream. |\n| `DNS_INFLIGHT_WAIT_TIMEOUT_SECONDS` | `60.0` | clamp to `0.1..120` seconds | If several identical DNS queries arrive at the same time, only one upstream lookup is performed and the rest wait as followers.\u003Cbr>This value controls how long followers wait for the main lookup result. |\n| `DNS_FRAGMENT_ASSEMBLY_TIMEOUT` | `300.0` | fallback if `\u003C=0` | How long the server waits for all fragments of a tunneled DNS query to arrive. |\n| `DNS_CACHE_MAX_RECORDS` | `50000` | fallback if `\u003C1` | Maximum size of the server’s internal DNS cache for tunneled DNS queries. |\n| `DNS_CACHE_TTL_SECONDS` | `300.0` | fallback if `\u003C=0` | TTL of the server-side internal DNS cache. |\n\n### 3.5.6) 🌐 Forwarding and External SOCKS\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `SOCKS_CONNECT_TIMEOUT` | `120.0` | fallback if `\u003C=0` | Timeout for the server’s outbound connection to the final target or to an external SOCKS5 server.\u003Cbr>The sample shows a higher value, but the real code fallback is `8` seconds. |\n| `USE_EXTERNAL_SOCKS5` | `false` | `true\u002Ffalse` | If `true`, the server sends outbound traffic through an external SOCKS5 server instead of connecting directly.\u003Cbr>This is mainly useful for chaining or hiding server egress. |\n| `SOCKS5_AUTH` | `false` | `true\u002Ffalse` | Whether the external SOCKS5 server requires username\u002Fpassword authentication. |\n| `SOCKS5_USER` | `\"admin\"` | up to 255 bytes | Username for the external SOCKS5 server. |\n| `SOCKS5_PASS` | `\"123456\"` | up to 255 bytes | Password for the external SOCKS5 server.\u003Cbr>If auth is enabled and username\u002Fpassword are invalid, the config becomes invalid. |\n| `FORWARD_IP` | `\"\"` | string | In `TCP` mode, this is the fixed outbound target.\u003Cbr>In `SOCKS5` mode with `USE_EXTERNAL_SOCKS5=true`, this is the address of the upstream SOCKS5 server itself. |\n| `FORWARD_PORT` | `0` | `0..65535` | Port of the endpoint above.\u003Cbr>If `USE_EXTERNAL_SOCKS5=true`, this must be a valid non-zero value. |\n\n### 3.5.7) 🔐 Security\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `DATA_ENCRYPTION_METHOD` | `1` | `0..5` | Must match the client.\u003Cbr>If an invalid value is supplied, the current code normalizes it back to `1`. |\n| `ENCRYPTION_KEY_FILE` | `\"encrypt_key.txt\"` | relative or absolute path | Path to the server encryption key file.\u003Cbr>If it is relative, it is resolved relative to the config directory.\u003Cbr>If it is empty, the fallback is `encrypt_key.txt`. |\n\n### 3.5.8) 🔄 ARQ, Packing, and Control TTLs\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `MAX_PACKETS_PER_BATCH` | `10` | fallback if `\u003C1` | Maximum number of control blocks the server tries to pack into one response.\u003Cbr>Important note: if the value is invalid, the real code fallback is `20`. |\n| `PACKET_BLOCK_CONTROL_DUPLICATION` | `1` | clamp to `1..16` | How many extra turns the last packed control block should be repeated.\u003Cbr>`1` effectively means duplication is off.\u003Cbr>This is useful on lossy links so critical ACK\u002Fclose data arrives more reliably. |\n| `STREAM_SETUP_ACK_TTL_SECONDS` | `400.0` | clamp to `1..86400` seconds | TTL of ACK packets related to stream setup. |\n| `STREAM_RESULT_PACKET_TTL_SECONDS` | `300.0` | clamp to `1..86400` seconds | TTL of result packets such as connect success\u002Ffailure that must reach the client. |\n| `STREAM_FAILURE_PACKET_TTL_SECONDS` | `120.0` | clamp to `1..86400` seconds | TTL of failure packets for setup or outbound errors. |\n| `ARQ_WINDOW_SIZE` | `600` | clamp to `1..16384` | ARQ window size per stream on the server. |\n| `ARQ_INITIAL_RTO_SECONDS` | `1` | clamp to `0.05..60` seconds | Initial retransmission timeout for data packets. |\n| `ARQ_MAX_RTO_SECONDS` | `5.0` | clamp to `[ARQ_INITIAL_RTO_SECONDS, 120]` | Maximum retransmission timeout for data packets. |\n| `ARQ_CONTROL_INITIAL_RTO_SECONDS` | `0.5` | clamp to `0.05..60` seconds | Initial retransmission timeout for control packets. |\n| `ARQ_CONTROL_MAX_RTO_SECONDS` | `3.0` | clamp to `[ARQ_CONTROL_INITIAL_RTO_SECONDS, 120]` | Maximum retransmission timeout for control packets. |\n| `ARQ_MAX_CONTROL_RETRIES` | `300` | clamp to `5..5000` | Maximum retries for control packets. |\n| `ARQ_INACTIVITY_TIMEOUT_SECONDS` | `1800.0` | clamp to `30..86400` seconds | Inactivity timeout for streams. |\n| `ARQ_DATA_PACKET_TTL_SECONDS` | `2400.0` | clamp to `30..86400` seconds | TTL for data packets. |\n| `ARQ_CONTROL_PACKET_TTL_SECONDS` | `1200.0` | clamp to `30..86400` seconds | TTL for control packets. |\n| `ARQ_MAX_DATA_RETRIES` | `1200` | clamp to `60..100000` | Maximum retries for data packets. |\n| `ARQ_DATA_NACK_MAX_GAP` | not shown in sample | clamp to `0..32` | If out-of-order packets arrive, this controls how large a missing gap may be reported with NACK.\u003Cbr>This exists in code and was missing in older README versions. |\n| `ARQ_DATA_NACK_INITIAL_DELAY_SECONDS` | `0.4` | clamped in code | Initial delay before sending a NACK for missing data packets. Controls how eagerly the system requests retransmissions. |\n| `ARQ_DATA_NACK_REPEAT_SECONDS` | not shown in sample | clamp to `0.1..30` seconds | For a missing sequence, this defines how soon a repeated NACK may be issued again.\u003Cbr>This is active in code and should be documented. |\n| `ARQ_TERMINAL_DRAIN_TIMEOUT_SECONDS` | `120.0` | clamp to `10..3600` seconds | After a stream becomes terminal, how long the server waits for queues to drain. |\n| `ARQ_TERMINAL_ACK_WAIT_TIMEOUT_SECONDS` | `90.0` | clamp to `5..3600` seconds | After terminal close, how long the server waits for the final ACK. |\n\n### 3.5.9) 🪵 Logging\n\n| Parameter | Sample Value | Allowed Values \u002F Real Behavior | Full Explanation |\n| :--- | :--- | :--- | :--- |\n| `LOG_LEVEL` | `\"INFO\"` | usually `DEBUG`, `INFO`, `WARN`, `ERROR` | Server log level.\u003Cbr>For normal production usage, `INFO` is usually enough.\u003Cbr>For deep investigation of sessions, deferred workers, or ARQ behavior, temporarily use `DEBUG`. |\n\n---\n\n## Section 3.6: 🧪 Testing, Finding, and Scanning Resolvers\n\nFinding suitable resolvers is one of the most important parts of any DNS tunnel project. In this project, the client can automatically find healthy resolvers and test their MTU.\nYou can use this client feature to discover healthy resolvers, test your own resolvers, or scan resolver ranges.\nJust place all IPs line by line into `client_resolvers.txt`.\n\nThen back up your current `client_config.toml`, open it with a text editor, and replace the following values with these suggested ones:\n\n- Lower the MTU ceiling so you find all servers that really behave as DNS servers, and make Min and Max equal to speed up scanning by avoiding automatic binary-search style probing.\n\n```toml\nMIN_UPLOAD_MTU=30\nMIN_DOWNLOAD_MTU=40\nMAX_UPLOAD_MTU=30\nMAX_DOWNLOAD_MTU=40\n```\n\n- Increase the number of parallel resolver checks (this section assumes a full `STARTUP_MODE = \"resolvers\"` scan):\n\n```toml\nMTU_TEST_PARALLELISM_RESOLVERS = 200\n```\n\n- Reduce retries and timeout to speed up the scan. With these settings you may miss some slightly slower but still healthy resolvers, so increase them if you want more accurate results.\n\n```toml\nMTU_TEST_RETRIES_RESOLVERS = 1\nMTU_TEST_TIMEOUT_RESOLVERS = 1.0\n```\n\n> ⚠️ **Important note:** You must already have a server running and must place its key and domain into `client_config.toml` before doing this. Otherwise the client cannot perform MTU tests correctly and will likely mark all resolvers invalid.\n\nNow run the program and wait for the tests to finish. After the process completes, close the program. You will find the saved resolver list in the `logs\u002F` folder as a `resolver_cache_\u003Ctimestamp>.log` file. Each line contains the resolver IP, port, domain, and MTU values. You can copy the IPs from this file into your `client_resolvers.txt` for the next run.\n\nAfter that, return to your previous settings and use the healthy resolvers you discovered for the best performance.\n\n---\n\n## Section 3.7: ⚡ Better MTU Understanding and Practical Fast Tuning\n\nThis project depends heavily on a suitable MTU. If you set the MTU too high:\n\n- more resolvers fail\n- startup becomes longer\n- fragmentation and loss increase\n\nIf you set it too low:\n\n- speed decreases\n- but stability improves\n\n### Practical suggestion\n\n1. Start with the sample config.\n2. Let the client test resolvers.\n3. Review the MTU results and the number of valid resolvers.\n4. If quality is poor, lower `MIN_UPLOAD_MTU` and `MIN_DOWNLOAD_MTU` slightly.\n5. If you want faster startup, narrow the `MIN\u002FMAX` MTU range and bring them closer together.\n\n---\n\n## Section 4: Mobile Usage Guide (Android and iPhone) 📱\n\nSince there is currently no official Android or iOS application published directly by us, you can still use the tunnel on mobile with one of these methods. You can also use Android clients built by other developers that are introduced in Section 5.1.\n\n### Method 1: Share the proxy from your computer 📶\n\n1. Set `LISTEN_IP` to `0.0.0.0`\n2. Run the client on your computer\n3. Put your phone and computer on the same network\n4. Configure a **SOCKS5** proxy on the phone using the computer IP and `LISTEN_PORT`\n\n### Method 2: Run the client on an intermediate server 🏗️\n\n1. Run the main server on the final destination\n2. Run the client on an intermediate server\n3. Set `LISTEN_IP` to `0.0.0.0`\n4. Connect the phone to the SOCKS5 proxy on that intermediate server\n\n### Method 3: Combine it with other panels or services 🛠️\n\nIf you already have another panel or service on a server, you can point its outbound path to the local SOCKS5 of the StormDNS client and use it as the exit path.\n\n### ⚠️ Important Security Notes for Mobile\n\n- If `LISTEN_IP = \"0.0.0.0\"`, enable SOCKS5 authentication or make sure your network is trusted. Otherwise anyone on that network can use your tunnel. Using username\u002Fpassword on Internet-facing SOCKS5 is strongly recommended.\n- You can also change the default `LISTEN_PORT` so it is less exposed to automated scans.\n- If devices cannot connect, check the system firewall.\n\n---\n\n## Section 5: Side Notes and Extra Information 🖥️\n\n### Section 5.1: Community Projects Related to StormDNS 🧩\n\nIn this section, we introduce a few projects related to StormDNS that have been developed by other people. They may be useful for practical use, inspiration, or experimentation. Please note that these projects are independent from StormDNS itself and may behave differently or include their own additional features and design choices.\n\nIf you use these projects or benefit from their ideas, please consider supporting their developers by starring their GitHub repositories. If you encounter issues or have suggestions, it is best to open an issue or, if possible, contribute with a pull request to those projects directly.\n\nYou can review these related projects here:\n\n- [MDV HN Edition Android Client](https:\u002F\u002Fgithub.com\u002FHidden-Node\u002FStormDNS-AndroidClient)\n  An Android application built around StormDNS that allows connecting to StormDNS servers from a phone. This project is developed independently by Hidden Node.\n\n- [StormDNS GG Android Client](https:\u002F\u002Fgithub.com\u002FRevocGG\u002FStormDNS-AndroidGG)\n  Another Android client built around StormDNS. This project is developed independently by RevocGG.\n\n- [Persian Config Builder for StormDNS](https:\u002F\u002Fgithub.com\u002Fdatacoder-io\u002FStormDNS-ConfigMaker) - [Web Config Builder](https:\u002F\u002Fdatacoder-io.github.io\u002FStormDNS-ConfigMaker)\n  A tool that helps create StormDNS configuration files with Persian explanations and a guided interface. This project is developed independently by datacoder-io.\n\n---\n\n### Section 5.2: Fixing Port 53 Already in Use (Linux Server) 🛑\n\nOn most Linux distributions, port `53` is already occupied by `systemd-resolved`. If the server does not start:\n\n```bash\nsudo nano \u002Fetc\u002Fsystemd\u002Fresolved.conf\n```\n\nSet this value:\n\n```text\nDNSStubListener=no\n```\n\nThen:\n\n```bash\nsudo systemctl restart systemd-resolved\n```\n\n> ⚠️ **Important warning:** You cannot run multiple DNS tunnel projects at the same time on the same server on port `53`.\n\n---\n\n## Section 6: 🛠️ System Architecture and How It Works\n\n**StormDNS** combines Session Multiplexing, Resolver Balancing, Packet Duplication, a custom ARQ layer, and a Deferred Session Runtime on top of UDP\u002FDNS to avoid the usual limitations of ordinary tunnels.\n\n### Section 6.1: 🌐 High-Level Architecture Diagram\n\n```mermaid\ngraph TD\n    subgraph Client_Side [\"🖥️ User Device (Client)\"]\n        App[\"📱 Applications (Browser, Telegram, etc.)\"]\n        Proxy[\"🧦 Local SOCKS5 \u002F TCP Proxy\"]\n        LDNS[\"📛 Local DNS (Optional)\"]\n        ResolverRuntime[\"⚡ Balancer + Duplication + Resolver Health\"]\n        ClientARQ[\"🔄 ARQ + Session\u002FStream Runtime\"]\n    end\n\n    subgraph DNS_Network [\"🌐 Public DNS Network\"]\n        R1[\"📡 Resolver 1\"]\n        R2[\"📡 Resolver 2\"]\n        RN[\"📡 Resolver N\"]\n    end\n\n    subgraph Server_Side [\"🖥️ Remote Server\"]\n        UDP[\"📥 UDP Listener + Request Workers\"]\n        Sessions[\"🧠 Session Store + Deferred Workers\"]\n        ServerARQ[\"🔄 Server ARQ + Packed Control Blocks\"]\n        DNSUp[\"📛 DNS Upstream \u002F Cache\"]\n        Out[\"🌐 Direct Dial or External SOCKS5\"]\n    end\n\n    App --> Proxy\n    App --> LDNS\n    Proxy --> ClientARQ\n    LDNS --> ClientARQ\n    ClientARQ --> ResolverRuntime\n    ResolverRuntime --> R1\n    ResolverRuntime --> R2\n    ResolverRuntime --> RN\n    R1 --> UDP\n    R2 --> UDP\n    RN --> UDP\n    UDP --> Sessions\n    Sessions --> ServerARQ\n    Sessions --> DNSUp\n    ServerARQ --> Out\n    DNSUp --> UDP\n```\n\n### Section 6.2: 🔄 Packet Lifecycle and Flow\n\n```mermaid\nsequenceDiagram\n    participant App as 📱 User App\n    participant Client as 🖥️ Client\n    participant DNS as 📡 Resolvers\n    participant Server as 🖥️ Server\n    participant Target as 🌐 Final Target\n\n    App->>Client: Create SOCKS5 \u002F TCP connection\n    Note over Client: Build Session\u002FStream\u003Cbr\u002F>Encrypt, ARQ, choose resolver\n    Client->>DNS: Send DNS query with duplication and balancing\n    DNS->>Server: Deliver query to the server NS\n    Note over Server: Checksum \u002F Cookie \u002F Session lookup\u003Cbr\u002F>Deferred setup \u002F ARQ \u002F Queueing\n    Server->>Target: Direct dial or external SOCKS5\n    Target-->>Server: Return target response\n    Note over Server: Put data into ARQ\u003Cbr\u002F>Build ACKs and packed control blocks\n    Server-->>DNS: DNS response\n    DNS-->>Client: DNS reply\n    Note over Client: ARQ reorder \u002F ACK consume \u002F deliver to app\n    Client-->>App: Ordered clean data\n```\n\n### Section 6.3: 🧠 Core Concepts Used by the System\n\n| Concept | Description |\n| :--- | :--- |\n| **Session** | One overall connection between client and server |\n| **Stream** | One independent logical connection carried inside a session |\n| **Resolver Runtime** | Resolver selection, duplication, health tracking, auto-disable, and recheck |\n| **ARQ** | Ordering, ACK, retransmission, timeout, and terminal handling |\n| **Deferred Session Runtime** | Ordering-sensitive tasks such as setup, DNS query handling, and sensitive packet flows |\n| **Packed Control Blocks** | Multiple small ACK or control packets packed into one block |\n| **Synced MTU** | The shared MTU chosen across the healthy resolver pool |\n\n---\n\n## Section 7: ⚙️ Advanced Technical Notes\n\n- ⚡ **Direct connect or external SOCKS5:** If `USE_EXTERNAL_SOCKS5 = false`, the server connects directly to the target. If `true`, it chains through an external SOCKS5 proxy. In general usage you usually do not need an external SOCKS5 server, so this can stay disabled.\n- 🧠 **Per-stream resolver failover:** If a stream gets stuck on a weak resolver, its preferred resolver can move to another one.\n- 📦 **Repeated packed control blocks:** The server can repeat the last packed control block for extra turns so important ACK\u002Fclose packets have a better chance to survive on lossy links.\n- 🔒 **Server-side key generation:** If `encrypt_key.txt` does not exist, the server creates it during startup.\n\n---\n\n## 🤝 Contributing\n\nWe welcome all contributions. If you have an idea, bug report, or performance improvement, please open an Issue or Pull Request.\n\n[Issues](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Fissues)\n\n[Pull Requests](https:\u002F\u002Fgithub.com\u002Fnullroute1970\u002FStormDNS\u002Fpulls)\n\n---\n\n## 📄 License\n\nThis project is published under the **MIT** license. For more details, see the `LICENSE` file.\n\n---\n\n## 👨‍💻 Developer\n\nDeveloped with ❤️ by: [**nullroute1970**](https:\u002F\u002Fgithub.com\u002Fnullroute1970)\n\n---\n\n## 🍴 Fork\n\nThis project is a fork of [**MasterDnsVPN**](https:\u002F\u002Fgithub.com\u002Fmasterking32\u002FMasterDnsVPN) — Release [v2026.04.05.191930-7757d2d](https:\u002F\u002Fgithub.com\u002Fmasterking32\u002FMasterDnsVPN\u002Freleases\u002Ftag\u002Fv2026.04.05.191930-7757d2d) by [masterking32](https:\u002F\u002Fgithub.com\u002Fmasterking32).\n","StormDNS 是一个为生活在重度网络审查环境下的人们设计的免费互联网访问应用，尤其适用于伊朗等防火墙国家。其核心功能是通过DNS查询和响应来隧道传输TCP流量，帮助用户绕过深度包检测、互联网过滤器以及国家级防火墙，而无需依赖被封锁的VPN协议。StormDNS采用了轻量级自定义协议与多路径解析架构，旨在即使在极端审查条件下也能保持连接稳定。该工具特别适合需要在高审查环境下保持互联网访问自由度的场景使用，如新闻报道、学术研究和个人隐私保护等。",2,"2026-06-11 02:44:22","CREATED_QUERY"]