Scanner Tab
Persian: Scanner Tab
The Scanner tab is where you find working DNS resolvers and save them as a VPN profile.
The scanner panel reshapes based on which VPN engine you pick:
- MasterDNS mode shows the MasterDNS Encryption Key field and the regular Start Scan button. The Scan DoH/DoT button is hidden because MasterDNS doesn't support encrypted transports.
- VayDNS mode shows the VayDNS Public Key field, the regular Start Scan button, and the additional Scan DoH/DoT button.
A small hint under the VPN Engine selector tells you what the current mode will scan.
A segmented control with two halves: MasterDNS and VayDNS. Click the half you want. The active half lifts visually with the mode's color (blue for MasterDNS, purple for VayDNS).
The NS-delegated subdomain pointing to your server. e.g. v.example.com
- MasterDNS Encryption Key — 32-character encryption key from `encrypt_key.txt` on the server. Shown as dots for privacy.
- VayDNS Public Key — 64-character hex public key from `server.pub` on the server.
A name for this configuration. A folder with this name is created next to the KevinNet app, containing the VPN config files and binary. You can have multiple profiles with different names.
| Option | What it controls | Recommended for Iran |
|---|---|---|
| Target | How many resolvers to find | 100 — more resolvers = more stable VPN |
| Concurrency | Simultaneous connections during scan | 80 — do not exceed 100 inside Iran |
| Timeout | How long to wait per resolver | 3s — Iranian networks are slow |
| Pool ×1000 | How many IPs to scan | 200 (= 200,000 IPs) |
- If you find fewer than 10 resolvers, increase Pool to 300 or 500
- Run the scan 2–3 times — each run picks a different random set of IPs
- Increasing Concurrency above 100 inside Iran causes silent failures and kernel panics on macOS Intel
The primary scan. Probes random Iranian IPs to find working UDP/53 resolvers. Works in both MasterDNS and VayDNS modes.
Phase 1 — Alive check. Quickly pings all IPs in the pool to find which ones are responding on port 53. Fast but shallow.
Phase 2 — 6-check scoring. Tests each alive resolver against 6 criteria:
- NS→A — does it resolve your NS record?
- TXT — does it handle TXT queries?
- RND — does it handle random subdomains?
- DPI — does it pass Iran's DPI?
- EDNS — does it support EDNS extensions?
- NXD — does it respond correctly to non-existent domains?
Phase 3 — Real E2E tunnel test. Connects the actual VPN binary through each resolver to your server. This is the real filter — only resolvers that can tunnel traffic through to your server pass.
If Phase 3 passes zero resolvers, the issue is usually:
- Server is down
- DNS not propagated yet (wait up to 48h)
- Wrong key
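To make the Phase 2 EDNS and NXD checks concrete, the following added example (not KevinNet's own code) builds a DNS query carrying an EDNS(0) OPT record and inspects a raw reply for the fields those two checks depend on. The pass criteria shown are an assumption, since the page does not document the scanner's exact logic, and the replies are constructed sample data rather than captured traffic.

```python
import struct

OPT = 41  # EDNS(0) pseudo-record type, RFC 6891

def build_query(name, txid, qtype=1, udp_size=1232):
    """DNS query with RD set and one EDNS(0) OPT record in the additional section."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Offset just past a domain name (labels or a 2-byte compression pointer)."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def inspect_response(msg, txid):
    """Extract RCODE, answer count and OPT presence from a raw DNS response."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    edns = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        edns |= rtype == OPT
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "answers": an, "edns": edns}

def nxd_ok(info):
    """Assumed NXD criterion: a made-up name yields NXDOMAIN (RCODE 3), no answers."""
    return info["rcode"] == 3 and info["answers"] == 0

def sample_reply(query, rcode, fake_a=None):
    """Constructed test data: an honest reply, or one that answers with fake_a."""
    txid, = struct.unpack("!H", query[:2])
    body = query[12:] if fake_a is None else query[12:-11]  # rewritten reply drops OPT
    if fake_a:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(fake_a)
    counts = (1, 0, 0, 1) if fake_a is None else (1, 1, 0, 0)
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, *counts) + body
```

A resolver that returns NOERROR with an address for a name that does not exist is rewriting answers, which is why it would fail the NXD check under this criterion.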
Only visible in VayDNS mode. Probes a curated list of public DNS-over-HTTPS (port 443) and DNS-over-TLS (port 853) endpoints to see which respond from your network.
Plain UDP/53 DNS traffic is what Iranian DPI fingerprints. DoH and DoT carry DNS inside TLS, looking like normal HTTPS traffic — much harder to identify as a tunnel. Use this when plain UDP scanning isn't producing usable resolvers.
- 25 well-known DoH endpoints (Cloudflare, Google, Quad9, AdGuard, Mullvad, etc.)
- 18 well-known DoT endpoints on host:853
The lists ship inside the app, and can be overridden by placing your own data/doh_endpoints.txt or data/dot_endpoints.txt next to the executable.
After the scan finishes, use the same "Save to VayDNS Profiles" button you'd use for a UDP scan. KevinNet detects whether the scan was UDP or DoH/DoT and creates the right profile automatically.
If the scan found both DoH and DoT endpoints, two separate profiles are created — one suffixed -DoH and one suffixed -DoT. Each has the right transport flag pre-set and all the working endpoints baked in.
A one-time guidance dialog appears the first time explaining this; it can be dismissed with a "Don't show again" checkbox.
- The Stop button activates so you can cancel
- The top bar buttons (Help, Theme toggle, Language) are disabled
- The VPN mode selector is disabled
- Clicking any locked button shows a toast: "Wait until the scan finishes"
This prevents accidental disruption of the running scan.
After scanning:
- 💾 Save to MasterDNS Profiles — shown in MasterDNS mode. Creates a MasterDNS profile from the UDP scan results.
- 💾 Save to VayDNS Profiles — shown in VayDNS mode. Handles UDP, DoH, and DoT scans automatically.
The VPN binary is copied into the output folder automatically when you save.
After any scan, the 📤 Export DNS List button activates regardless of which VPN mode is selected. It saves the found resolver IPs as a plain .txt file — one IP per line, with a header showing the date and total count.
Use this when you want to:
- Pipe the resolver list into another tool or script
- Archive results from multiple scans
- Share working resolvers without sharing an entire profile
Clicking 🗑 Clear disables the export button until the next scan.
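For the scripting and archiving uses listed above, this added example (not part of KevinNet) merges several exported lists and keeps only resolvers that appeared in at least `min_runs` scans. The exact header layout is not given on this page, so the parser skips every line that is not a bare IP address; the sample exports below are constructed and use documentation-range addresses.

```python
import ipaddress
from collections import Counter

# Constructed sample exports; the header wording is an assumption, not the real format.
RUN_A = "# constructed header: 2025-01-01, total 3\n192.0.2.10\n198.51.100.7\n203.0.113.5\n"
RUN_B = "# constructed header\n198.51.100.7\n192.0.2.10\n192.0.2.99\nnot-an-ip\n198.51.100.7\n"

def parse_export(text):
    """Return the unique, valid IPs of one exported list, in file order.

    Header lines, blanks and anything else that is not a bare IP are skipped.
    """
    seen = {}
    for line in text.splitlines():
        try:
            ip = ipaddress.ip_address(line.strip())
        except ValueError:
            continue
        seen.setdefault(str(ip), None)  # dict keeps insertion order, drops repeats
    return list(seen)

def _sort_key(ip):
    """Numeric ordering that also works when IPv4 and IPv6 are mixed."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))

def merge_exports(exports, min_runs=1):
    """Resolvers seen in at least min_runs exports, most frequently seen first."""
    hits = Counter(ip for text in exports for ip in parse_export(text))
    keep = [ip for ip, n in hits.items() if n >= min_runs]
    return sorted(keep, key=lambda ip: (-hits[ip], _sort_key(ip)))

if __name__ == "__main__":
    for ip in merge_exports([RUN_A, RUN_B], min_runs=2):
        print(ip)
```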
Right-click any resolver in the results list (or two-finger click / Ctrl-click on macOS) to get a context menu:
- Copy IP — copies just that one IP to clipboard
- Copy all IPs — copies the entire results list
- Open output folder — opens the folder where the saved profile lives, in your system file manager