Autarch/CHANGELOG.md

# AUTARCH Changelog

---

## v2.2.0 — 2026-03-03

### Full Arsenal Expansion — 16 New Modules

Phase 2 complete. 16 new security modules with full CLI, Flask routes, and web UI templates.

#### Offense
- **WiFi Auditing** (`/wifi/`) — aircrack-ng integration: monitor mode, AP scanning, deauth attacks, WPA handshake capture/crack, WPS Pixie-Dust, rogue AP detection, packet capture
- **API Fuzzer** (`/api-fuzzer/`) — OpenAPI/Swagger discovery, parameter fuzzing (SQLi/XSS/traversal/type confusion), auth bypass & IDOR testing, rate limit probing, GraphQL introspection attacks
- **Cloud Security Scanner** (`/cloud/`) — S3/GCS/Azure blob enumeration, exposed service scanning, IMDS metadata SSRF checks, cloud subdomain enumeration
- **C2 Framework** (`/c2/`) — multi-session agent management, Python/PowerShell/Bash payloads, HTTP/HTTPS/DNS beaconing, file transfer, SOCKS pivoting, listener management
- **Web Application Scanner** (`/webscan/`) — directory bruteforce, subdomain enum, SQLi/XSS detection, header analysis, tech fingerprinting, SSL/TLS audit, crawler

#### Defense
- **Threat Intel Feed** (`/threat-intel/`) — IOC management (IP/domain/hash/URL), STIX/CSV/JSON feed ingestion, VirusTotal & AbuseIPDB API lookups, network correlation, blocklist export (iptables/nginx/snort)
- **Log Correlator** (`/logs/`) — multi-format log parsing (syslog/Apache/JSON), 10 built-in detection rules (SSH brute force, SQLi, XSS, path traversal), threshold alerting, custom rules, timeline view

#### Counter
- **Steganography** (`/stego/`) — LSB image encoding (PNG/BMP), audio steganography (WAV), document whitespace encoding (zero-width chars), AES-256 pre-encryption, chi-square & RS statistical detection
- **Anti-Forensics** (`/anti-forensics/`) — multi-pass secure file/directory deletion, free space wiping, timestamp manipulation (set/clone/randomize), log clearing, shell history scrubbing, EXIF & PDF metadata stripping

#### Analyze
- **Password Toolkit** (`/passwords/`) — hash identification & cracking (hashcat/john integration), secure password generation, credential spray testing (SSH/FTP/SMB/HTTP), wordlist management, policy auditing
- **Network Topology Mapper** (`/netmap/`) — ARP/ICMP/TCP host discovery, service enumeration, OS fingerprinting, SVG topology visualization, subnet grouping, scan diffing
- **Reporting Engine** (`/reports/`) — structured pentest reports, CVSS-scored findings, auto-population from scans & dossiers, PDF/HTML/Markdown export, compliance mapping (OWASP/NIST/CIS)
- **BLE Scanner** (`/ble/`) — BLE advertisement scanning via bleak, service & characteristic enumeration, read/write operations, known vulnerability database, RSSI proximity tracking
- **Forensics Toolkit** (`/forensics/`) — disk imaging (dd + hash verification), file carving by magic bytes (15 types), EXIF metadata extraction, filesystem timeline builder, chain of custody logging
- **RFID/NFC Tools** (`/rfid/`) — Proxmark3 integration (LF/HF search, EM410x read/clone/sim, MIFARE dump/clone), libnfc NFC scanning, card database, default MIFARE keys
- **Malware Sandbox** (`/sandbox/`) — sample submission (file upload or path), static analysis (strings, PE/ELF parsing, YARA-like indicators, risk scoring), Docker-based dynamic analysis with behavior logging

### Build System
- All 16 modules wired into `web/app.py` (blueprint registration), `base.html` (sidebar navigation), `autarch_public.spec` and `setup_msi.py` (hidden imports)
- Sidebar organized by category: Defense, Offense, Counter, Analyze

---

## v2.1.0 — 2026-03-03

### DNS-over-TLS (DoT) & DNS-over-HTTPS (DoH)

- **Full DoT implementation** — encrypted DNS queries over TLS (port 853) with certificate validation
- **Full DoH implementation** — encrypted DNS queries over HTTPS (RFC 8484, wire-format POST)
- **Auto-detection** for known encrypted providers:
  - Google DNS (`8.8.8.8`, `8.8.4.4`) — DoT via `dns.google`, DoH via `https://dns.google/dns-query`
  - Cloudflare (`1.1.1.1`, `1.0.0.1`) — DoT via `one.one.one.one`, DoH via `https://cloudflare-dns.com/dns-query`
  - Quad9 (`9.9.9.9`, `149.112.112.112`) — DoT via `dns.quad9.net`, DoH via `https://dns.quad9.net/dns-query`
  - OpenDNS (`208.67.222.222`, `208.67.220.220`) — DoT/DoH via `dns.opendns.com`
  - AdGuard (`94.140.14.14`, `94.140.15.15`) — DoT/DoH via `dns.adguard-dns.com`
- **Priority chain**: DoH > DoT > Plain DNS — auto-fallback on failure
- **Encryption test tool** in the Nameserver UI — live test DoT/DoH/Plain against any server with latency reporting
- **Toggle controls** — enable/disable DoT and DoH independently via UI or API
- **API endpoints**: `GET/POST /api/encryption`, `POST /api/encryption/test`

### Hosts File Support

- **Hosts-file parser** — `/etc/hosts` style hostname resolution served via DNS
- **Resolution priority**: Hosts file entries checked before zones and cache for fastest local resolution
- **CRUD operations** — add, remove, search individual host entries via UI or API
- **Bulk import** — paste hosts-file format text or load from a file path (e.g., `/etc/hosts`, `C:\Windows\System32\drivers\etc\hosts`)
- **System hosts loader** — one-click button to load the OS hosts file
- **Export** — download current hosts database in standard hosts-file format
- **PTR reverse lookup** — hosts entries support reverse DNS (in-addr.arpa) queries
- **Alias support** — multiple hostnames per IP, matching on primary hostname or any alias
- **Hosts tab** in Nameserver UI — full management table with search, inline add, import/export
- **API endpoints**: `GET/POST/DELETE /api/hosts`, `POST /api/hosts/import`, `GET /api/hosts/export`

### EZ Intranet Domain (One-Click Local DNS)

- **One-click intranet domain creation** in the Nameserver UI
- **Auto network detection** — discovers local IP, hostname, gateway, subnet via socket/ARP
- **Host discovery** — scans ARP table for all devices on the network with reverse DNS lookup
- **Editable DNS names** — auto-suggests names for discovered hosts, fully editable before deployment
- **Custom hosts** — add arbitrary hosts not found by network scan
- **Deployment creates**:
  - Forward DNS zone with SOA + NS records
  - A records for server, hostname, and all selected/custom hosts
  - Hosts-file entries for instant resolution
  - Reverse DNS zone (PTR records) for reverse lookups
- **Client configuration** — shows copy-paste instructions for Windows (`netsh`) and Linux (`resolv.conf`/`systemd-resolved`)
- **Router DHCP hint** — advises setting the DNS server IP in router DHCP for automatic network-wide deployment
- **API endpoint**: `POST /dns/ez-intranet`

### Full Configuration UI

Expanded the Config tab from 5 fields to 18 fields across 5 categories:

- **Network** — DNS listen address, API listen address, upstream forwarder servers
- **Cache & Performance** — cache TTL, negative cache TTL (NXDOMAIN), SERVFAIL cache TTL, query log max entries, max UDP response size, rate limit (queries/sec/IP), prefetch toggle
- **Security** — query logging, refuse ANY queries (anti-amplification), minimal responses (hide server info), zone transfer ACL (AXFR/IXFR whitelist)
- **Encryption** — DoH enable/disable, DoT enable/disable with priority explanation
- **Hosts** — hosts file path, auto-load on startup toggle

All settings are live-editable from the dashboard and propagated to the running server without restart.

### Go DNS Server Changes

- **`server/resolver.go`** — added `QueryUpstreamDoT()`, `QueryUpstreamDoH()`, `queryUpstreamEncrypted()`, `GetEncryptionStatus()` with TLS 1.2+ minimum, HTTP/2 for DoH, proper SNI for DoT
- **`server/hosts.go`** — new file: `HostsStore` with `LoadFile()`, `LoadFromText()`, `Add()`, `Remove()`, `Lookup()`, `Export()`, PTR support
- **`server/dns.go`** — integrated hosts lookup before zone lookup in query handler; added `GetHosts()`, `GetEncryptionStatus()`, `SetEncryption()`, `GetResolver()`
- **`config/config.go`** — added `HostsFile`, `HostsAutoLoad`, `QueryLogMax`, `NegativeCacheTTL`, `PrefetchEnabled`, `ServFailCacheTTL`
- **`api/router.go`** — added 5 new endpoint groups: hosts CRUD, hosts import/export, encryption status/toggle, encryption test, full config expansion
- **`main.go`** — version bump to 2.1.0

### Web Dashboard Changes

- **`web/templates/dns_nameserver.html`** — added 3 new tabs: Encryption, Hosts, EZ Intranet (13 tabs total)
- **`web/templates/dns_service.html`** — expanded Config tab with all 18 settings in categorized layout
- **`web/routes/dns_service.py`** — added 8 new routes: hosts CRUD, hosts import/export, encryption status/toggle/test, EZ intranet deploy

---

## v2.0.0 — 2026-03-03

### Go DNS/Nameserver Service

- **Full recursive DNS resolver** from IANA root hints — no upstream dependency
- **13 root server** iterative resolution with delegation chain following
- **CNAME chain following** across zone boundaries
- **Authoritative zone hosting** with JSON-backed zone storage
- **Record types**: A, AAAA, CNAME, MX, TXT, NS, SRV, PTR, SOA
- **DNSSEC toggle** per zone
- **DNS caching** with configurable TTL and automatic cleanup
- **Query logging** with ring buffer (configurable size)
- **Analytics**: top domains, query type distribution, per-client query counts
- **Blocklist**: exact match + wildcard parent domain matching, bulk import (hosts-file format)
- **Conditional forwarding**: zone-specific upstream server rules
- **Root health check**: concurrent ping of all 13 IANA root servers with latency measurement
- **Benchmark tool**: multi-domain latency testing with min/avg/max statistics
- **Zone import/export**: BIND zone file format support
- **Zone cloning**: duplicate zone with all records
- **Bulk record operations**: add multiple records in a single request
- **Mail record auto-setup**: one-click MX + SPF + DKIM + DMARC creation
- **Security hardening**: refuse ANY (anti-amplification), minimal responses, AXFR/IXFR blocking, rate limiting, max UDP size (1232 bytes for safe MTU)
- **REST API**: 30+ endpoints with token auth and CORS

### Nameserver Web UI (10 tabs)

- **Query** — DNS query tester against local NS or system resolver
- **Query Log** — auto-refreshing query history with filtering
- **Analytics** — top domains (bar charts), query type distribution, client stats, NS cache viewer
- **Cache** — searchable cache viewer with per-entry and full flush
- **Blocklist** — add/remove/search domains, bulk import in hosts-file format
- **Forwarding** — conditional forwarding rule management
- **Root Health** — concurrent check of all 13 root servers with latency bars
- **Benchmark** — multi-domain latency testing with visual results
- **Delegation** — NS delegation record generator with glue record instructions
- **Build** — Go binary compilation controls and instructions

### DNS Zone Manager Web UI (7 tabs)

- **Zones** — create/delete/clone zones
- **Records** — full CRUD with bulk add (JSON), filtering by type/search, column sorting
- **EZ-Local** — network auto-scan intranet domain setup with ARP host discovery
- **Reverse Proxy** — DDNS, nginx/Caddy/Apache config generation, UPnP port forwarding
- **Import/Export** — BIND zone file backup/restore with inline editor
- **Templates** — quick-setup for web server, mail server, PTR, subdomain delegation
- **Config** — full server configuration panel

### Gone Fishing Mail Server Enhancements

- **Landing pages** — 4 built-in phishing templates (Office 365, Google, Generic, VPN) + custom HTML editor
- **Credential capture** — form POST interception on unauthenticated endpoints with IP/UA/referer logging
- **DKIM signing** — OpenSSL RSA 2048-bit keypair generation and DNS record instructions
- **DNS auto-setup** — automatic MX/SPF/DKIM/DMARC record creation via DNS service integration
- **Email evasion** — Unicode homoglyphs (30% swap), zero-width character insertion (15%), HTML entity encoding (20%)
- **Header manipulation** — random X-Mailer, X-Priority, custom headers, spoofed Received chain generation
- **CSV import/export** — bulk target import and credential capture export
- **Campaign management** — per-campaign tracking, export, and capture association

### IP Capture & Redirect Service

- **Stealthy link tracking** — fast 302 redirect with IP/UA/headers capture
- **Realistic URL disguise** — article-style paths that look like real news URLs
- **GeoIP lookup** on captured IPs
- **Dossier integration** — add captures to existing OSINT dossiers
- **Management UI** — create/manage links, view captures with filtering, export

### SYN Flood Module

- **TCP SYN flood** attack tool with configurable parameters
- **Multi-threaded** packet generation
- **Port targeting** — single port, range, or random
- **Source IP spoofing** options
v2.2.0 — Full arsenal expansion: 16 new security modules Add WiFi Audit, API Fuzzer, Cloud Scanner, Threat Intel, Log Correlator, Steganography, Anti-Forensics, BLE Scanner, Forensics, RFID/NFC, Malware Sandbox, Password Toolkit, Web Scanner, Report Engine, Net Mapper, and C2 Framework. Each module includes CLI interface, Flask routes, and web UI template. Also includes Go DNS server source + binary, IP Capture service, SYN Flood, Gone Fishing mail server, and hack hijack modules from v2.0 work. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 05:16:31 -08:00			`# AUTARCH Changelog`

			`---`

			`## v2.2.0 — 2026-03-03`

			`### Full Arsenal Expansion — 16 New Modules`

			`Phase 2 complete. 16 new security modules with full CLI, Flask routes, and web UI templates.`

			`#### Offense`
			- WiFi Auditing (`/wifi/`) — aircrack-ng integration: monitor mode, AP scanning, deauth attacks, WPA handshake capture/crack, WPS Pixie-Dust, rogue AP detection, packet capture
			- API Fuzzer (`/api-fuzzer/`) — OpenAPI/Swagger discovery, parameter fuzzing (SQLi/XSS/traversal/type confusion), auth bypass & IDOR testing, rate limit probing, GraphQL introspection attacks
			- Cloud Security Scanner (`/cloud/`) — S3/GCS/Azure blob enumeration, exposed service scanning, IMDS metadata SSRF checks, cloud subdomain enumeration
			- C2 Framework (`/c2/`) — multi-session agent management, Python/PowerShell/Bash payloads, HTTP/HTTPS/DNS beaconing, file transfer, SOCKS pivoting, listener management
			- Web Application Scanner (`/webscan/`) — directory bruteforce, subdomain enum, SQLi/XSS detection, header analysis, tech fingerprinting, SSL/TLS audit, crawler

			`#### Defense`
			- Threat Intel Feed (`/threat-intel/`) — IOC management (IP/domain/hash/URL), STIX/CSV/JSON feed ingestion, VirusTotal & AbuseIPDB API lookups, network correlation, blocklist export (iptables/nginx/snort)
			- Log Correlator (`/logs/`) — multi-format log parsing (syslog/Apache/JSON), 10 built-in detection rules (SSH brute force, SQLi, XSS, path traversal), threshold alerting, custom rules, timeline view

			`#### Counter`
			- Steganography (`/stego/`) — LSB image encoding (PNG/BMP), audio steganography (WAV), document whitespace encoding (zero-width chars), AES-256 pre-encryption, chi-square & RS statistical detection
			- Anti-Forensics (`/anti-forensics/`) — multi-pass secure file/directory deletion, free space wiping, timestamp manipulation (set/clone/randomize), log clearing, shell history scrubbing, EXIF & PDF metadata stripping

			`#### Analyze`
			- Password Toolkit (`/passwords/`) — hash identification & cracking (hashcat/john integration), secure password generation, credential spray testing (SSH/FTP/SMB/HTTP), wordlist management, policy auditing
			- Network Topology Mapper (`/netmap/`) — ARP/ICMP/TCP host discovery, service enumeration, OS fingerprinting, SVG topology visualization, subnet grouping, scan diffing
			- Reporting Engine (`/reports/`) — structured pentest reports, CVSS-scored findings, auto-population from scans & dossiers, PDF/HTML/Markdown export, compliance mapping (OWASP/NIST/CIS)
			- BLE Scanner (`/ble/`) — BLE advertisement scanning via bleak, service & characteristic enumeration, read/write operations, known vulnerability database, RSSI proximity tracking
			- Forensics Toolkit (`/forensics/`) — disk imaging (dd + hash verification), file carving by magic bytes (15 types), EXIF metadata extraction, filesystem timeline builder, chain of custody logging
			- RFID/NFC Tools (`/rfid/`) — Proxmark3 integration (LF/HF search, EM410x read/clone/sim, MIFARE dump/clone), libnfc NFC scanning, card database, default MIFARE keys
			- Malware Sandbox (`/sandbox/`) — sample submission (file upload or path), static analysis (strings, PE/ELF parsing, YARA-like indicators, risk scoring), Docker-based dynamic analysis with behavior logging

			`### Build System`
			- All 16 modules wired into `web/app.py` (blueprint registration), `base.html` (sidebar navigation), `autarch_public.spec` and `setup_msi.py` (hidden imports)
			`- Sidebar organized by category: Defense, Offense, Counter, Analyze`

			`---`

			`## v2.1.0 — 2026-03-03`

			`### DNS-over-TLS (DoT) & DNS-over-HTTPS (DoH)`

			`- Full DoT implementation — encrypted DNS queries over TLS (port 853) with certificate validation`
			`- Full DoH implementation — encrypted DNS queries over HTTPS (RFC 8484, wire-format POST)`
			`- Auto-detection for known encrypted providers:`
			- Google DNS (`8.8.8.8`, `8.8.4.4`) — DoT via `dns.google`, DoH via `https://dns.google/dns-query`
			- Cloudflare (`1.1.1.1`, `1.0.0.1`) — DoT via `one.one.one.one`, DoH via `https://cloudflare-dns.com/dns-query`
			- Quad9 (`9.9.9.9`, `149.112.112.112`) — DoT via `dns.quad9.net`, DoH via `https://dns.quad9.net/dns-query`
			- OpenDNS (`208.67.222.222`, `208.67.220.220`) — DoT/DoH via `dns.opendns.com`
			- AdGuard (`94.140.14.14`, `94.140.15.15`) — DoT/DoH via `dns.adguard-dns.com`
			`- Priority chain: DoH > DoT > Plain DNS — auto-fallback on failure`
			`- Encryption test tool in the Nameserver UI — live test DoT/DoH/Plain against any server with latency reporting`
			`- Toggle controls — enable/disable DoT and DoH independently via UI or API`
			- API endpoints: `GET/POST /api/encryption`, `POST /api/encryption/test`

			`### Hosts File Support`

			- Hosts-file parser — `/etc/hosts` style hostname resolution served via DNS
			`- Resolution priority: Hosts file entries checked before zones and cache for fastest local resolution`
			`- CRUD operations — add, remove, search individual host entries via UI or API`
			- Bulk import — paste hosts-file format text or load from a file path (e.g., `/etc/hosts`, `C:\Windows\System32\drivers\etc\hosts`)
			`- System hosts loader — one-click button to load the OS hosts file`
			`- Export — download current hosts database in standard hosts-file format`
			`- PTR reverse lookup — hosts entries support reverse DNS (in-addr.arpa) queries`
			`- Alias support — multiple hostnames per IP, matching on primary hostname or any alias`
			`- Hosts tab in Nameserver UI — full management table with search, inline add, import/export`
			- API endpoints: `GET/POST/DELETE /api/hosts`, `POST /api/hosts/import`, `GET /api/hosts/export`

			`### EZ Intranet Domain (One-Click Local DNS)`

			`- One-click intranet domain creation in the Nameserver UI`
			`- Auto network detection — discovers local IP, hostname, gateway, subnet via socket/ARP`
			`- Host discovery — scans ARP table for all devices on the network with reverse DNS lookup`
			`- Editable DNS names — auto-suggests names for discovered hosts, fully editable before deployment`
			`- Custom hosts — add arbitrary hosts not found by network scan`
			`- Deployment creates:`
			`- Forward DNS zone with SOA + NS records`
			`- A records for server, hostname, and all selected/custom hosts`
			`- Hosts-file entries for instant resolution`
			`- Reverse DNS zone (PTR records) for reverse lookups`
			- Client configuration — shows copy-paste instructions for Windows (`netsh`) and Linux (`resolv.conf`/`systemd-resolved`)
			`- Router DHCP hint — advises setting the DNS server IP in router DHCP for automatic network-wide deployment`
			- API endpoint: `POST /dns/ez-intranet`

			`### Full Configuration UI`

			`Expanded the Config tab from 5 fields to 18 fields across 5 categories:`

			`- Network — DNS listen address, API listen address, upstream forwarder servers`
			`- Cache & Performance — cache TTL, negative cache TTL (NXDOMAIN), SERVFAIL cache TTL, query log max entries, max UDP response size, rate limit (queries/sec/IP), prefetch toggle`
			`- Security — query logging, refuse ANY queries (anti-amplification), minimal responses (hide server info), zone transfer ACL (AXFR/IXFR whitelist)`
			`- Encryption — DoH enable/disable, DoT enable/disable with priority explanation`
			`- Hosts — hosts file path, auto-load on startup toggle`

			`All settings are live-editable from the dashboard and propagated to the running server without restart.`

			`### Go DNS Server Changes`

			- `server/resolver.go` — added `QueryUpstreamDoT()`, `QueryUpstreamDoH()`, `queryUpstreamEncrypted()`, `GetEncryptionStatus()` with TLS 1.2+ minimum, HTTP/2 for DoH, proper SNI for DoT
			- `server/hosts.go` — new file: `HostsStore` with `LoadFile()`, `LoadFromText()`, `Add()`, `Remove()`, `Lookup()`, `Export()`, PTR support
			- `server/dns.go` — integrated hosts lookup before zone lookup in query handler; added `GetHosts()`, `GetEncryptionStatus()`, `SetEncryption()`, `GetResolver()`
			- `config/config.go` — added `HostsFile`, `HostsAutoLoad`, `QueryLogMax`, `NegativeCacheTTL`, `PrefetchEnabled`, `ServFailCacheTTL`
			- `api/router.go` — added 5 new endpoint groups: hosts CRUD, hosts import/export, encryption status/toggle, encryption test, full config expansion
			- `main.go` — version bump to 2.1.0

			`### Web Dashboard Changes`

			- `web/templates/dns_nameserver.html` — added 3 new tabs: Encryption, Hosts, EZ Intranet (13 tabs total)
			- `web/templates/dns_service.html` — expanded Config tab with all 18 settings in categorized layout
			- `web/routes/dns_service.py` — added 8 new routes: hosts CRUD, hosts import/export, encryption status/toggle/test, EZ intranet deploy

			`---`

			`## v2.0.0 — 2026-03-03`

			`### Go DNS/Nameserver Service`

			`- Full recursive DNS resolver from IANA root hints — no upstream dependency`
			`- 13 root server iterative resolution with delegation chain following`
			`- CNAME chain following across zone boundaries`
			`- Authoritative zone hosting with JSON-backed zone storage`
			`- Record types: A, AAAA, CNAME, MX, TXT, NS, SRV, PTR, SOA`
			`- DNSSEC toggle per zone`
			`- DNS caching with configurable TTL and automatic cleanup`
			`- Query logging with ring buffer (configurable size)`
			`- Analytics: top domains, query type distribution, per-client query counts`
			`- Blocklist: exact match + wildcard parent domain matching, bulk import (hosts-file format)`
			`- Conditional forwarding: zone-specific upstream server rules`
			`- Root health check: concurrent ping of all 13 IANA root servers with latency measurement`
			`- Benchmark tool: multi-domain latency testing with min/avg/max statistics`
			`- Zone import/export: BIND zone file format support`
			`- Zone cloning: duplicate zone with all records`
			`- Bulk record operations: add multiple records in a single request`
			`- Mail record auto-setup: one-click MX + SPF + DKIM + DMARC creation`
			`- Security hardening: refuse ANY (anti-amplification), minimal responses, AXFR/IXFR blocking, rate limiting, max UDP size (1232 bytes for safe MTU)`
			`- REST API: 30+ endpoints with token auth and CORS`

			`### Nameserver Web UI (10 tabs)`

			`- Query — DNS query tester against local NS or system resolver`
			`- Query Log — auto-refreshing query history with filtering`
			`- Analytics — top domains (bar charts), query type distribution, client stats, NS cache viewer`
			`- Cache — searchable cache viewer with per-entry and full flush`
			`- Blocklist — add/remove/search domains, bulk import in hosts-file format`
			`- Forwarding — conditional forwarding rule management`
			`- Root Health — concurrent check of all 13 root servers with latency bars`
			`- Benchmark — multi-domain latency testing with visual results`
			`- Delegation — NS delegation record generator with glue record instructions`
			`- Build — Go binary compilation controls and instructions`

			`### DNS Zone Manager Web UI (7 tabs)`

			`- Zones — create/delete/clone zones`
			`- Records — full CRUD with bulk add (JSON), filtering by type/search, column sorting`
			`- EZ-Local — network auto-scan intranet domain setup with ARP host discovery`
			`- Reverse Proxy — DDNS, nginx/Caddy/Apache config generation, UPnP port forwarding`
			`- Import/Export — BIND zone file backup/restore with inline editor`
			`- Templates — quick-setup for web server, mail server, PTR, subdomain delegation`
			`- Config — full server configuration panel`

			`### Gone Fishing Mail Server Enhancements`

			`- Landing pages — 4 built-in phishing templates (Office 365, Google, Generic, VPN) + custom HTML editor`
			`- Credential capture — form POST interception on unauthenticated endpoints with IP/UA/referer logging`
			`- DKIM signing — OpenSSL RSA 2048-bit keypair generation and DNS record instructions`
			`- DNS auto-setup — automatic MX/SPF/DKIM/DMARC record creation via DNS service integration`
			`- Email evasion — Unicode homoglyphs (30% swap), zero-width character insertion (15%), HTML entity encoding (20%)`
			`- Header manipulation — random X-Mailer, X-Priority, custom headers, spoofed Received chain generation`
			`- CSV import/export — bulk target import and credential capture export`
			`- Campaign management — per-campaign tracking, export, and capture association`

			`### IP Capture & Redirect Service`

			`- Stealthy link tracking — fast 302 redirect with IP/UA/headers capture`
			`- Realistic URL disguise — article-style paths that look like real news URLs`
			`- GeoIP lookup on captured IPs`
			`- Dossier integration — add captures to existing OSINT dossiers`
			`- Management UI — create/manage links, view captures with filtering, export`

			`### SYN Flood Module`

			`- TCP SYN flood attack tool with configurable parameters`
			`- Multi-threaded packet generation`
			`- Port targeting — single port, range, or random`
			`- Source IP spoofing options`