fix: resolve NXDOMAIN test failures and gosec G704 SSRF finding

- Change NXDOMAIN test domain from sneak.cloud (wildcard) to google.com
  which returns proper NXDOMAIN responses
- Use domain-specific NS lookup for NXDOMAIN tests via findOneNSForDomain
- Increase query timeout to 60s to accommodate iterative resolution
- Add #nosec G704 annotations for webhook URLs from application config

internal/notify/notify.go

@@ -163,7 +163,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -249,7 +249,7 @@ func (svc *Service) sendSlack(
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}