
Changelog

v10.0.0 (February 18, 2026)

Major Release — Tunnel Suite - Adds a unified tunnel workflow (DNSTT/Slipstream/Paqet) across CLI, interactive menu, and Bubble Tea TUI.

🛰️ New Features

  • CLI: New dns-mns tunnel command group:
    • profile CRUD + validation + import/export (file/URL)
    • scan resolver scoring + test resolver health probes
    • status, logs, stop
    • health enable/disable/check with resolver auto-switch helpers
    • Transport commands: dnstt, slipstream, paqet
  • Interactive menu: Advanced Evasion Suite → Tunnel Suite
  • Bubble Tea TUI: New top-level Tunnels screen with profile/runtime actions
  • Guardrails: Single active tunnel runtime policy to prevent port conflicts
  • Profiles stored under the user config directory (~/.config/dns-mns/tunnel/)
  • JSON import/export for sharing profiles
  • Compatibility mapper for common upstream field naming (transport/mode/listen/remote/resolvers)

🧪 Testing and Reliability

  • Added tests for:
    • profile validation and compatibility parsing
    • adapter command builders (DNSTT/Slipstream/Paqet)
    • runner lifecycle (start/stop/log tail)
    • manager lifecycle and state persistence

📚 Documentation

  • Added a Tunnel Suite documentation page and updated CLI/TUI/evasion docs and README/USAGE to include the new workflows.

v9.0.2 (February 17, 2026)

Security & Maintenance Update - Fixes security issues and updates dependencies. Recommended for all users.

🔒 Security Fixes

  • Issue: Hysteria2 obfuscation used time.Now().UnixNano() for salt generation, which is not cryptographically secure
  • Impact: Predictable salt values could weaken the obfuscation security
  • Fix: Now uses crypto/rand for proper cryptographically secure random salt generation
  • Files: internal/hysteria2/hysteria2.go
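
Added example, not code from the DNS-MNS repository: a clock-derived salt beside a crypto/rand salt, plus a regression check that flags salts which decode to a recent timestamp. The 8-byte salt size, the exact pre-fix derivation, and all function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

const saltLen = 8 // assumed salt size for this example

// clockSalt shows the class of bug: the salt is only the clock reading, so
// anyone who knows roughly when it was made can narrow it down.
// The exact pre-fix derivation is not on the page; this shape is an assumption.
func clockSalt(now time.Time) []byte {
	s := make([]byte, saltLen)
	binary.BigEndian.PutUint64(s, uint64(now.UnixNano()))
	return s
}

// randomSalt draws the salt from the operating system CSPRNG.
func randomSalt() ([]byte, error) {
	s := make([]byte, saltLen)
	if _, err := rand.Read(s); err != nil {
		return nil, fmt.Errorf("generate salt: %w", err)
	}
	return s, nil
}

// looksClockDerived reports whether salt decodes to a nanosecond timestamp
// within window of now. A unit test can use it to catch a time-based salt
// creeping back in.
func looksClockDerived(salt []byte, now time.Time, window time.Duration) bool {
	if len(salt) != saltLen {
		return false
	}
	ts := time.Unix(0, int64(binary.BigEndian.Uint64(salt)))
	return !ts.Before(now.Add(-window)) && !ts.After(now.Add(window))
}

func main() {
	now := time.Now()
	weak := clockSalt(now)
	strong, err := randomSalt()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clock salt  %x clock-derived=%v\n", weak, looksClockDerived(weak, now, time.Minute))
	fmt.Printf("random salt %x clock-derived=%v\n", strong, looksClockDerived(strong, now, time.Minute))
}
```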

🔧 Bug Fixes

  • Issue: Context cancel function was discarded (_ = cancel), potentially causing resource leaks
  • Fix: Added cancel field to Proxy struct and properly call it during Stop()
  • Files: internal/singbox/singbox.go

📦 Dependency Updates

  • golang.org/x/crypto: v0.46.0 → v0.48.0
  • golang.org/x/net: v0.48.0 → v0.50.0
  • golang.org/x/sys: v0.39.0 → v0.41.0
  • golang.org/x/text: v0.32.0 → v0.34.0
  • github.com/AdguardTeam/golibs: v0.32.7 → v0.35.8
  • github.com/libdns/cloudflare: v0.2.2-0.202… → v0.2.2
  • github.com/libdns/alidns: v1.0.5 → v1.0.6
  • github.com/sagernet/gvisor: v0.0.0-202503… → v0.0.0-202508…
  • github.com/sagernet/netlink: Updated to latest
  • github.com/sagernet/nftables: Updated to latest
  • github.com/charmbracelet/colorprofile: v0.4.1 → v0.4.2
  • github.com/mattn/go-runewidth: v0.0.19 → v0.0.20
  • github.com/mdlayher/netlink: Updated to latest
  • github.com/klauspost/compress: v1.17.11 → v1.18.4
  • Plus additional indirect dependency updates

v9.0.0 (February 17, 2026)

Codebase Cleanup - Removed framework-only, library-only, and legacy features that were either incomplete, deceptive, or fully superseded.

🗑️ Removed Features

  • Reason: No real WireGuard tunnel was ever established. DNS queries resolved directly, bypassing the “proxy” entirely. This gave a false sense of security.
  • Files removed: internal/amneziawg/, docs/usage/amneziawg.mdx
  • Reason: Same as AmneziaWG — no real tunnel. The ShadowTLS protocol as a sing-box transport is preserved.
  • Files removed: internal/shadowtls/, docs/usage/shadowtls.mdx
  • Reason: HPKE encryption was never implemented. Queries were forwarded in plaintext through the relay, providing no privacy benefit.
  • Files removed: internal/odoh/, docs/usage/odoh.mdx
  • Reason: Never exposed as a CLI command. QUIC-based DNS is already covered by Hysteria2/sing-box.
  • Files removed: internal/doq/, docs/usage/doq.mdx
  • Reason: Complex DPI evasion engine that was never reachable from the CLI. TLS fragmentation modes (sni, half, chunked, random) are retained in internal/fragment/.
  • Files removed: internal/geneva/
  • Reason: Never reached CLI. Superseded by dns-mns proxy auto-fallback which already tests and selects the best protocol.
  • Files removed: internal/selector/
  • Reason: Incomplete TCP header parsing, never reached CLI, no clear path to completion.
  • Files removed: internal/phantun/
  • Reason: 54KB Bash script fully superseded by the Go binary in all capabilities. Maintenance burden with no unique value.
  • Files removed: dns-mns.sh, tests/bash/test_script.bats

📚 Documentation

  • Merged docs/usage/utls.mdx into docs/usage/dpi-evasion.mdx (uTLS is an internal detail, not a user command)
  • Cleaned all references to removed features from installation, contributing, and troubleshooting docs

v8.0.4 (February 16, 2026)

Web Dashboard Design Overhaul - Complete visual redesign of the DNS Leak Test web dashboard to match the TUI’s purple identity.

🎨 Web Dashboard Redesign

  • Change: Replaced the old gray/blue “Home Assistant” color scheme with a web-optimized purple palette inspired by the TUI’s “Purple Hair Palette”
  • Dark mode: Deep violet backgrounds (#0a0812, #110f1d), vibrant lavender accent (#a78bfa), high-contrast text (#f0ecf7)
  • Light mode: Soft purple-tinted whites (#f5f3fa), deep purple accent (#7c3aed), clean borders (#e0dae8)
  • Impact: Cohesive visual identity between TUI and web dashboard
  • Files: internal/leaktestdashboard/templates/dashboard.html, internal/leaktestdashboard/templates/report.html
  • Change: Replaced all emoji icons with clean inline Feather-style SVG icons
  • Icons: Shield (header), Globe (connection), Server (DNS resolvers), Network (IPv6), Video (WebRTC), BarChart (EDNS), Clock (history), Moon/Sun (theme toggle)
  • Impact: Professional appearance across all platforms with consistent rendering
  • Files: internal/leaktestdashboard/templates/dashboard.html
  • Status indicators: Replaced emoji badges with CSS dot indicators featuring glow effects
  • Score ring: Updated SVG progress circle with accent color gradient
  • Header: Sticky header with backdrop blur effect
  • Layout: Compact, information-dense design (~650 lines, down from ~1350)
  • Typography: JetBrains Mono for code/numbers, Inter for body text
  • Files: internal/leaktestdashboard/templates/dashboard.html, internal/leaktestdashboard/templates/report.html
  • Change: Matching redesign of the HTML export report template
  • Features: Same purple color system, clean key-value grid layout, updated recommendations section with purple accent
  • Size: ~320 lines (down from ~500)
  • Files: internal/leaktestdashboard/templates/report.html

v8.0.3 (February 16, 2026)

Dependency Updates & Maintenance - Keeping dependencies current for security and performance.

🔧 Dependency Updates

  • Change: Updated sing-box universal proxy platform to latest stable release
  • Impact: Bug fixes and improvements for VLESS/REALITY proxy support
  • Files: go.mod, go.sum
  • Change: Updated DNSCrypt client library to v2.4.0
  • Impact: Latest DNSCrypt protocol improvements and bug fixes
  • Files: go.mod, go.sum, internal/dnscrypt/
  • Change: Updated automatic HTTPS certificate management library
  • Impact: Improved ACME client support and certificate handling
  • Files: go.mod, go.sum
  • Change: Updated file system notification library
  • Impact: Better file watching performance and reliability
  • Files: go.mod, go.sum
  • Change: Updated Brotli compression library
  • Impact: Improved compression performance
  • Files: go.mod, go.sum
  • Change: Updated Cloudflare cryptographic library
  • Impact: Latest cryptographic primitives and security improvements
  • Files: go.mod, go.sum
  • AdguardTeam/golibs: v0.20.3 → v0.32.7
  • libdns/libdns: v1.1.0 → v1.1.1
  • mholt/acmez: v3.1.2 → v3.1.4
  • go.uber.org/zap: v1.27.0 → v1.27.1
  • golang.org/x/time: v0.9.0 → v0.11.0
  • klauspost/cpuid/v2: v2.2.10 → v2.3.0
  • gofrs/uuid/v5: v5.3.2 → v5.4.0
  • caddyserver/zerossl: v0.1.3 → v0.1.4

🧪 Test Fixes

  • Fix: Updated all test files to expect version 8.0.3
  • Files: internal/leaktestdashboard/dashboard_test.go, internal/app/app_test.go, internal/app/utility_test.go

v8.0.2 (February 16, 2026)

Full TUI Feature Parity - All CLI features are now accessible from the interactive TUI. The TUI is no longer considered incomplete.

🆕 TUI Feature Parity

  • Feature: Pressing Enter on any reachable result row in the benchmark results table now calls setter.SetDNS() to apply that server system-wide.
  • Shows: Spinner during application, then a confirmation (or error) result screen with server name, primary/secondary IPs, and latency stats.
  • Files: internal/app/benchmark.go
  • Feature: New TUI menu item 🩺 System Diagnostics runs diagnose.Run() and displays OS info, network interfaces, current DNS, permissions, and DNS capabilities.
  • Files: internal/app/app.go, internal/app/utility.go
  • Feature: New Settings action checks for updates via updater.CheckForUpdate(), shows current vs latest version and a download link if an update is available.
  • Files: internal/app/utility.go
  • Feature: New Encrypted DNS actions start and stop a local DNSCrypt proxy on 127.0.0.1:5356, using the first working provider from dnscrypt.GetWorkingProviders().
  • Files: internal/app/utility.go
  • Feature: New Security action checks commonly censored domains (Twitter, YouTube, Telegram, Instagram, Facebook, GitHub, Google, Cloudflare, Twitch) for poisoning/blocking status.
  • Files: internal/app/utility.go
  • Feature: New Encrypted DNS action checks DoH JSON API health for common domains (google.com, cloudflare.com, github.com, youtube.com) with latency display.
  • Files: internal/app/utility.go
  • Feature: New Advanced Evasion actions show informational setup guides for AmneziaWG and ShadowTLS protocols, including CLI commands.
  • Files: internal/app/utility.go

v8.0.1 (February 16, 2026)

Interactive TUI & UX Improvements - Introduces an experimental Bubble Tea-based terminal UI. The TUI is experimental and may change in future releases.

🆕 Interactive TUI (Experimental)

  • Feature: Full interactive terminal user interface built with Bubble Tea and Lipgloss.
  • Includes: Keyboard-navigable menu system, ASCII art banner, real-time screens for all features (dashboard, benchmark, recommendations, security, leak test, encrypted DNS, proxy, evasion, settings).
  • Status: Experimental. The TUI is functional but may receive significant changes in future versions.
  • Files: internal/app/app.go, internal/app/utility.go, internal/app/benchmark.go, internal/ui/components/, internal/ui/theme/

🔧 UX Improvements

  • Issue: Dashboard, benchmark results, leak test results, and help views were rendered in the top-left corner of the terminal.
  • Fix: All views now use lipgloss.Place() for proper horizontal and vertical centering within the terminal.
  • Files: internal/app/utility.go, internal/app/benchmark.go, internal/app/app.go, internal/dashboard/dashboard.go, internal/leaktestdashboard/dashboard.go
  • Issue: Dashboard snapshot required manual re-entry to refresh data.
  • Fix: Dashboard now auto-starts on entry and refreshes every 10 seconds for continuous real-time DNS health monitoring.
  • Files: internal/app/utility.go
  • Issue: Leak test notes text could overflow the terminal width, preventing horizontal centering.
  • Fix: Notes text is now wrapped to width - 16 to ensure proper centering on narrow terminals.
  • Files: internal/app/utility.go

v7.0.2 (February 15, 2026)

Security, Reliability & Release-Quality Update - Recommended for all users.

🔒 Security & Trustworthiness

  • Issue: ODoH code path still used an insecure placeholder instead of HPKE, while docs/changelog messaging implied full encryption.
  • Fix: Added explicit STUB/INSECURE warnings in code and runtime; aligned README/docs/changelog to state HPKE is not yet implemented.
  • Impact: Prevents false privacy assumptions; users are clearly warned not to rely on current ODoH path for confidentiality.
  • Files: internal/odoh/odoh.go, internal/odoh/odoh_test.go, docs/usage/odoh.mdx, README.md, docs/reference/changelog.mdx

🐛 Reliability Fixes

  • Issue: Stop() could wait on goroutines while holding p.mu, causing lock/wait deadlock with health-check path.
  • Fix: Refactored stop flow to release lock before wg.Wait() and re-acquire for final cleanup.
  • Files: internal/fallback/fallback.go
  • Issue: Response length prefix used Read() instead of io.ReadFull, allowing short-read parsing bugs.
  • Fix: Switched to io.ReadFull and added zero-length validation.
  • Files: internal/doq/doq.go
  • Issue: Multiple components used unguarded close(stopCh), causing panic on repeated stop/restart flows.
  • Fix: Added idempotent stop-channel guards and restart-safe reinitialization where applicable.
  • Files: internal/openwrt/mdns/resolver.go, internal/openwrt/vpn/monitor.go, internal/openwrt/multiwan/router.go, internal/openwrt/logging/logger.go, internal/openwrt/integration.go
  • Issue: Scheduler loop could race on mutable ticker pointer and panic on repeated close paths.
  • Fix: Reworked loop to use local ticker ownership, made stop close idempotent, and reinitialized stop channels on start.
  • Files: internal/openwrt/scheduler/scheduler.go
  • Issue: NewFromJSON ignored user JSON and synthesized defaults.
  • Fix: Added JSON validation and direct raw-config usage in startup path.
  • Files: internal/singbox/singbox.go
  • Issue: Health probe called TestConnection() on non-running temporary sing-box proxies.
  • Fix: Probe now checks only running instances and avoids invalid temporary probe path.
  • Files: internal/fallback/fallback.go

📚 Documentation & Release Process

  • Added explicit maturity labels (Framework Only, Library Only, Experimental) in README for partially integrated features.
  • Added release-time docs/runtime consistency script and Make target:
    • scripts/check-feature-consistency.sh
    • make check-features
  • Impact: Reduces drift between implementation status and public documentation.
  • Issue: runWithTimeout ignored timeout argument.
  • Fix: Implemented context-based command timeout handling.
  • Files: internal/diagnose/diagnose_linux.go

v7.0.1 (February 14, 2026)

Critical Security & Stability Release - All users must upgrade immediately.

🔒 Security Fixes

  • Issue: Global proxy variables accessed from multiple goroutines without synchronization
  • Impact: Nil pointer dereferences, inconsistent proxy state, crashes during start/stop
  • Fix: Added sync.RWMutex protection and thread-safe getter/setter functions
  • Files: cmd/dns-mns/main.go (40+ locations updated)
  • Issue: UDP/TCP DNS response write errors were silently ignored
  • Impact: Clients waiting indefinitely, silent packet loss, difficult debugging
  • Fix: Added proper error handling with OnError callback in all send functions
  • Files: internal/singbox/singbox.go, internal/amneziawg/amneziawg.go, internal/shadowtls/shadowtls.go

🚀 Improvements

  • AmneziaWG: Added prominent WARNING logs indicating framework-only implementation
  • ShadowTLS: Added prominent WARNING logs indicating framework-only implementation
  • Note: These proxies do NOT provide actual encrypted tunneling
  • Added comprehensive documentation about tunnel routing requirements
  • Clarified system configuration needed for proper DNS tunneling

v6.6.4 (February 14, 2026)

Security & Stability Release - All users are encouraged to upgrade immediately.

🔒 Security Fixes

  • Issue: TLS certificate verification was hardcoded to InsecureSkipVerify: true
  • Fix: Made InsecureSkipVerify configurable via ConnectionConfig.InsecureSkipVerify
  • Impact: Users can now control certificate verification behavior (defaults to secure)
  • File: internal/mikrotik/client.go

🐛 Stability Fixes

  • Issue: Potential panic when Stop() is called multiple times due to double-closing channel
  • Fix: Added nil-check and clear stopCertRefresh channel after closing
  • File: internal/dnscrypt/proxy.go
  • Issue: Inconsistent atomic value reads in singbox GetStatus()
  • Fix: Load all atomic values once for a consistent snapshot
  • File: internal/singbox/singbox.go
  • Issue: Potential short reads in TCP DNS handlers using conn.Read()
  • Fix: Use io.ReadFull() instead across singbox, amneziawg, and shadowtls
  • Files: internal/singbox/singbox.go, internal/amneziawg/amneziawg.go, internal/shadowtls/shadowtls.go
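
Added example, not code from the DNS-MNS repository: one Stop() that covers the double-close panic fixed here and the v7.0.2 fixes for unguarded close(stopCh) and for waiting on goroutines while holding the mutex. The Service type is hypothetical, and a per-run done channel stands in for the wg.Wait() the changelog mentions.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type Service struct { // hypothetical component with a periodic health check
	mu           sync.Mutex
	stopCh, done chan struct{} // nil while stopped; loop closes done on exit
	checks       int
}

func (s *Service) Start(interval time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.stopCh == nil { // not already running
		// Fresh channels on every start keep restart after Stop safe.
		s.stopCh, s.done = make(chan struct{}), make(chan struct{})
		go s.loop(s.stopCh, s.done, interval)
	}
}

func (s *Service) loop(stop <-chan struct{}, done chan<- struct{}, interval time.Duration) {
	defer close(done)
	ticker := time.NewTicker(interval) // owned by this goroutine only
	defer ticker.Stop()
	for {
		select {
		case <-stop:
			return
		case <-ticker.C:
			s.mu.Lock() // the health check takes the same lock as Stop
			s.checks++
			s.mu.Unlock()
		}
	}
}

func (s *Service) Stop() {
	s.mu.Lock()
	stop, done := s.stopCh, s.done
	s.stopCh, s.done = nil, nil // cleared under the lock: one caller closes
	s.mu.Unlock()               // released before waiting on the loop
	if stop != nil {            // nil on a repeated Stop: nothing to close
		close(stop)
		<-done
	}
}

func (s *Service) Checks() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.checks
}

func main() {
	s := &Service{}
	s.Start(time.Millisecond)
	time.Sleep(20 * time.Millisecond)
	s.Stop()
	s.Stop() // second call returns without a double close
	fmt.Println("health checks run:", s.Checks())
}
```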

🔧 Resource Management

  • Issue: Connection pool exhaustion in fallback transport
  • Fix: Added CloseIdleConnections() to cleanup idle connections
  • File: internal/fallback/transport.go
  • Issue: Goroutine panics could crash the entire application
  • Fix: Added recover() in all goroutine handlers
  • Files: internal/singbox/singbox.go, internal/amneziawg/amneziawg.go, internal/shadowtls/shadowtls.go

🛡️ Bounds Checking

  • Issue: Out-of-bounds read on malformed ClientHello packets
  • Fix: Changed minimum length check from 43 to 44 bytes
  • File: internal/fragment/fragment.go
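
Added example, not code from internal/fragment/fragment.go: why 43 bytes is one short when the session_id length byte is read. It assumes the buffer starts at the TLS record header, so record header (5) + handshake header (4) + client_version (2) + random (32) puts that byte at index 43. All names and the pre-fix shape are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Offsets assume the buffer starts at the TLS record header.
const (
	recordHdr    = 5  // content type (1) + version (2) + length (2)
	handshakeHdr = 4  // msg type (1) + length (3)
	versionLen   = 2  // client_version
	randomLen    = 32 // client random
	sidLenOff    = recordHdr + handshakeHdr + versionLen + randomLen // = 43
)

var ErrTruncated = errors.New("clienthello: truncated")
var ErrNotHello = errors.New("clienthello: not a handshake ClientHello")

// sessionID returns the session_id field, checking every length before it
// is used as an index.
func sessionID(rec []byte) ([]byte, error) {
	// rec[43] is read below, so the minimum length is 44 bytes, not 43.
	if len(rec) < sidLenOff+1 {
		return nil, ErrTruncated
	}
	if rec[0] != 0x16 || rec[recordHdr] != 0x01 {
		return nil, ErrNotHello
	}
	n := int(rec[sidLenOff])
	start := sidLenOff + 1
	if len(rec) < start+n { // declared session_id must fit in the buffer
		return nil, ErrTruncated
	}
	return rec[start : start+n], nil
}

// sessionIDLenPreFix keeps the off-by-one (assumed shape of the old check):
// a 43-byte buffer passes the guard and the read of rec[43] panics.
func sessionIDLenPreFix(rec []byte) (n int, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	if len(rec) < 43 {
		return 0, false
	}
	return int(rec[sidLenOff]), false
}

// sampleHello builds a constructed, zero-filled ClientHello prefix.
func sampleHello(total int) []byte {
	rec := make([]byte, total)
	rec[0], rec[recordHdr] = 0x16, 0x01
	return rec
}

func main() {
	_, panicked := sessionIDLenPreFix(sampleHello(43))
	_, err := sessionID(sampleHello(43))
	fmt.Printf("43 bytes: pre-fix panicked=%v, fixed err=%v\n", panicked, err)
}
```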

📝 Error Handling

  • Issue: DNS response write errors were silently ignored
  • Fix: Added proper error logging for WriteMsg() failures
  • File: internal/fallback/fallback.go
  • Issue: Zero-length DNS messages weren’t rejected
  • Fix: Added validation to reject msgLen == 0
  • Files: TCP handlers in singbox, amneziawg, shadowtls
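
Added example, not code from the DNS-MNS repository: a length-prefixed DNS-over-TCP read that combines the io.ReadFull change and the msgLen == 0 rejection from this release with the same short-read fix made in v7.0.2. The single-Read variant is an assumed shape of the old code; function names and the sample query bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"testing/iotest"
)

// ErrZeroLength rejects a frame whose length prefix is 0.
var ErrZeroLength = errors.New("dns/tcp: zero-length message")

// readFrame reads one DNS-over-TCP message: a 2-byte big-endian length
// followed by that many bytes (RFC 1035 section 4.2.2).
func readFrame(r io.Reader) ([]byte, error) {
	var prefix [2]byte
	// ReadFull keeps reading until both prefix bytes have arrived.
	if _, err := io.ReadFull(r, prefix[:]); err != nil {
		return nil, fmt.Errorf("read length prefix: %w", err)
	}
	msgLen := binary.BigEndian.Uint16(prefix[:])
	if msgLen == 0 {
		return nil, ErrZeroLength
	}
	msg := make([]byte, msgLen)
	if _, err := io.ReadFull(r, msg); err != nil {
		return nil, fmt.Errorf("read %d-byte message: %w", msgLen, err)
	}
	return msg, nil
}

// readFrameSingleRead is the assumed pre-fix shape: one Read per field.
func readFrameSingleRead(r io.Reader) ([]byte, error) {
	prefix := make([]byte, 2)
	if _, err := r.Read(prefix); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(prefix))
	n, err := r.Read(msg)
	return msg[:n], err
}

// frame prepends the length prefix to a message (constructed test input).
func frame(msg []byte) []byte {
	out := make([]byte, 2, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	return append(out, msg...)
}

// trickle delivers data one byte per Read, as a slow TCP peer may.
func trickle(data []byte) io.Reader {
	return iotest.OneByteReader(bytes.NewReader(data))
}

func main() {
	query := []byte{0xbe, 0xef, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0} // constructed DNS header
	weak, _ := readFrameSingleRead(trickle(frame(query)))
	good, err := readFrame(trickle(frame(query)))
	fmt.Printf("single Read: %d bytes; ReadFull: %d bytes, err=%v\n", len(weak), len(good), err)
	_, err = readFrame(bytes.NewReader([]byte{0, 0}))
	fmt.Println("zero-length frame:", err)
}
```

With one byte delivered per Read, the single-Read variant sees only the high byte of the prefix, takes the length as 0 and returns an empty message without an error.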

v6.6.3 (February 14, 2026)

🔧 Bug Fixes

  • Version Consistency: Fixed version mismatch between shell script (6.0.0) and binary (6.6.2) - now both report 6.6.2
  • Nil Pointer Protection: Added empty path check in runClearCommand to prevent potential nil pointer dereference
  • Race Condition Fix: Fixed concurrent write race condition in benchmark results slice
  • IP Validation: Enhanced IP validation in shell script to reject octets > 255 (e.g., 999.999.999.999)
  • Linux DNS Setter: Critical errors (systemd-resolved restart, nmcli operations) now properly return errors instead of silently failing
  • DoH JSON Resolver: Added fallback to Cloudflare, Google, and OpenDNS when primary resolver fails; fixed User-Agent version

v6.6.2 (February 14, 2026)

🔒 Security Fixes

  • Issue: EncryptQuery used trivial XOR obfuscation, not actual HPKE encryption
  • Status: HPKE encryption is still NOT implemented. The XOR placeholder remains. ODoH queries are forwarded through the relay in plaintext. A proper HPKE library (e.g. github.com/cisco/go-hpke) is required to complete this feature.
  • Impact: ODoH does NOT provide end-to-end encryption. Do not rely on it for privacy until HPKE integration is complete.
  • Issue: Module used standard crypto/tls instead of actual uTLS library
  • Fix: Added proper integration with github.com/metacubex/utls
  • Impact: TLS fingerprint spoofing now actually works
  • Issue: Write() method modified caller’s buffer directly in TLS fragmentation
  • Fix: Buffer is now copied before modification
  • Impact: Eliminates memory corruption and potential crashes

🔧 Functional Fixes

  • Sing-box DNS Routing: Fixed DNS queries bypassing the tunnel
  • macOS DNS Detection: Fixed pattern matching for scutil --dns output
  • DNSCrypt Certificate Refresh: Added auto-refresh every 24 hours
  • DNSCrypt Race Condition: Fixed shutdown race condition
  • MikroTik Validation: Now accepts hostname-based DNS servers
  • Recommendation Engine: Fixed division by zero crash

v6.6.1 (February 13, 2026)

🔧 Bug Fixes

  • Minor bug fixes and stability improvements

v6.6.0 (February 13, 2026)

🆕 New Features

MikroTik RouterOS Integration
  • Auto-detection of MikroTik routers on your network
  • DNS configuration directly on the router
  • DoH/DoT support for RouterOS 7+
  • Static DNS entry management
  • Backup and restore functionality
  • Secure API and API-SSL communication

v6.5.0

🆕 Passwall Integration

  • Cooperative Mode: DNS-MNS and Passwall work independently
  • Integrated Mode: DNS-MNS routes queries through Passwall
  • Override Mode: DNS-MNS takes over Passwall’s DNS
  • Auto-detection of Passwall installation
  • Gaming-optimized DNS recommendations

v6.2.0

🆕 Advanced Censorship Circumvention

  • DNS over QUIC (DoQ) - 95% effectiveness (RFC 9250)
  • Oblivious DoH (ODoH) - Maximum privacy with IP/query separation
  • Geneva Genetic Algorithm Engine - AI-discovered packet manipulation
  • JA3/JA4 Fingerprint Randomization - uTLS-based browser spoofing
  • Hysteria2 with Salamander - QUIC-based HTTP/3 proxy

v6.1.0

🆕 OpenWrt Router Support

  • Full support for OpenWrt routers
  • Upstream mode (recommended): Works alongside dnsmasq
  • Direct mode: Replaces dnsmasq on port 53
  • Static binaries for x86_64, MIPS, ARM, ARM64

v6.0.0

🆕 Groundbreaking Features

  • AmneziaWG - WireGuard with junk packet injection
  • ShadowTLS v4 - Hides proxy behind legitimate TLS
  • Smart Protocol Selector - Auto-selects best protocol
  • Phantun UDP-to-TCP - Enables UDP when blocked
  • Enhanced Censorship Diagnostics

Earlier Versions

See GitLab Releases for older changelogs.