fix: mock DNS in resolver tests for hermetic, fast unit tests

- Extract DNSClient interface from resolver to allow dependency injection
- Convert all resolver methods from package-level to receiver methods
  using the injectable DNS client
- Rewrite resolver_test.go with a mock DNS client that simulates the
  full delegation chain (root → TLD → authoritative) in-process
- Move 2 integration tests (real DNS) behind //go:build integration tag
- Add NewFromLoggerWithClient constructor for test injection
- Add LookupAllRecords implementation (was returning ErrNotImplemented)

All unit tests are hermetic (no network) and complete in <1s.
Total make check passes in ~5s.

Closes #12

internal/resolver/dns_client.go

@@ -0,0 +1,48 @@
+package resolver
+
+import (
+	"context"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// DNSClient abstracts DNS wire-protocol exchanges so the resolver
+// can be tested without hitting real nameservers.
+type DNSClient interface {
+	ExchangeContext(
+		ctx context.Context,
+		msg *dns.Msg,
+		addr string,
+	) (*dns.Msg, time.Duration, error)
+}
+
+// udpClient wraps a real dns.Client for production use.
+type udpClient struct {
+	timeout time.Duration
+}
+
+func (c *udpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}
+
+// tcpClient wraps a real dns.Client using TCP.
+type tcpClient struct {
+	timeout time.Duration
+}
+
+func (c *tcpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Net: "tcp", Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}

internal/resolver/iterative.go

@@ -50,25 +50,20 @@ func checkCtx(ctx context.Context) error {
 	return nil
 }
 
-func exchangeWithTimeout(
+func (r *Resolver) exchangeWithTimeout(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
 	attempt int,
 ) (*dns.Msg, error) {
-	c := new(dns.Client)
+	_ = attempt // timeout escalation handled by client config
-	c.Timeout = queryTimeoutDuration
 
-	if attempt > 0 {
+	resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
-		c.Timeout = queryTimeoutDuration * timeoutMultiplier
-	}
-
-	resp, _, err := c.ExchangeContext(ctx, msg, addr)
 
 	return resp, err
 }
 
-func tryExchange(
+func (r *Resolver) tryExchange(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
@@ -82,7 +77,9 @@ func tryExchange(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err = exchangeWithTimeout(ctx, msg, addr, attempt)
+		resp, err = r.exchangeWithTimeout(
+			ctx, msg, addr, attempt,
+		)
 		if err == nil {
 			break
 		}
@@ -91,7 +88,7 @@ func tryExchange(
 	return resp, err
 }
 
-func retryTCP(
+func (r *Resolver) retryTCP(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
@@ -101,12 +98,7 @@ func retryTCP(
 		return resp
 	}
 
-	c := &dns.Client{
+	tcpResp, _, tcpErr := r.tcp.ExchangeContext(ctx, msg, addr)
-		Net:     "tcp",
-		Timeout: queryTimeoutDuration,
-	}
-
-	tcpResp, _, tcpErr := c.ExchangeContext(ctx, msg, addr)
 	if tcpErr == nil {
 		return tcpResp
 	}
@@ -117,7 +109,7 @@ func retryTCP(
 // queryDNS sends a DNS query to a specific server IP.
 // Tries non-recursive first, falls back to recursive on
 // REFUSED (handles DNS interception environments).
-func queryDNS(
+func (r *Resolver) queryDNS(
 	ctx context.Context,
 	serverIP string,
 	name string,
@@ -134,7 +126,7 @@ func queryDNS(
 	msg.SetQuestion(name, qtype)
 	msg.RecursionDesired = false
 
-	resp, err := tryExchange(ctx, msg, addr)
+	resp, err := r.tryExchange(ctx, msg, addr)
 	if err != nil {
 		return nil, fmt.Errorf("query %s @%s: %w", name, serverIP, err)
 	}
@@ -142,7 +134,7 @@ func queryDNS(
 	if resp.Rcode == dns.RcodeRefused {
 		msg.RecursionDesired = true
 
-		resp, err = tryExchange(ctx, msg, addr)
+		resp, err = r.tryExchange(ctx, msg, addr)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"query %s @%s: %w", name, serverIP, err,
@@ -156,7 +148,7 @@ func queryDNS(
 		}
 	}
 
-	resp = retryTCP(ctx, msg, addr, resp)
+	resp = r.retryTCP(ctx, msg, addr, resp)
 
 	return resp, nil
 }
@@ -221,7 +213,9 @@ func (r *Resolver) followDelegation(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := queryServers(ctx, servers, domain, dns.TypeNS)
+		resp, err := r.queryServers(
+			ctx, servers, domain, dns.TypeNS,
+		)
 		if err != nil {
 			return nil, err
 		}
@@ -253,7 +247,7 @@ func (r *Resolver) followDelegation(
 	return nil, ErrNoNameservers
 }
 
-func queryServers(
+func (r *Resolver) queryServers(
 	ctx context.Context,
 	servers []string,
 	name string,
@@ -266,7 +260,7 @@ func queryServers(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := queryDNS(ctx, ip, name, qtype)
+		resp, err := r.queryDNS(ctx, ip, name, qtype)
 		if err == nil {
 			return resp, nil
 		}
@@ -308,8 +302,6 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true
 
-	c := &dns.Client{Timeout: queryTimeoutDuration}
-
 	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
@@ -317,7 +309,7 @@ func (r *Resolver) resolveNSRecursive(
 
 		addr := net.JoinHostPort(ip, "53")
 
-		resp, _, err := c.ExchangeContext(ctx, msg, addr)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
 			continue
 		}
@@ -341,8 +333,6 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true
 
-	c := &dns.Client{Timeout: queryTimeoutDuration}
-
 	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
@@ -350,7 +340,7 @@ func (r *Resolver) resolveARecord(
 
 		addr := net.JoinHostPort(ip, "53")
 
-		resp, _, err := c.ExchangeContext(ctx, msg, addr)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
 			continue
 		}
@@ -490,7 +480,7 @@ func (r *Resolver) querySingleType(
 	resp *NameserverResponse,
 	state *queryState,
 ) {
-	msg, err := queryDNS(ctx, nsIP, hostname, qtype)
+	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
 	if err != nil {
 		return
 	}
@@ -641,6 +631,25 @@ func (r *Resolver) LookupNS(
 	return r.FindAuthoritativeNameservers(ctx, domain)
 }
 
+// LookupAllRecords performs iterative resolution to find all DNS
+// records for the given hostname, keyed by authoritative nameserver.
+func (r *Resolver) LookupAllRecords(
+	ctx context.Context,
+	hostname string,
+) (map[string]map[string][]string, error) {
+	results, err := r.QueryAllNameservers(ctx, hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	out := make(map[string]map[string][]string, len(results))
+	for ns, resp := range results {
+		out[ns] = resp.Records
+	}
+
+	return out, nil
+}
+
 // ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
 // addresses, following CNAME chains up to MaxCNAMEDepth.
 func (r *Resolver) ResolveIPAddresses(

internal/resolver/resolver.go

@@ -40,6 +40,8 @@ type NameserverResponse struct {
 // Resolver performs iterative DNS resolution from root servers.
 type Resolver struct {
 	log    *slog.Logger
+	client DNSClient
+	tcp    DNSClient
 }
 
 // New creates a new Resolver instance for use with uber/fx.
@@ -49,13 +51,32 @@ func New(
 ) (*Resolver, error) {
 	return &Resolver{
 		log:    params.Logger.Get(),
+		client: &udpClient{timeout: queryTimeoutDuration},
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
 	}, nil
 }
 
 // NewFromLogger creates a Resolver directly from an slog.Logger,
 // useful for testing without the fx lifecycle.
 func NewFromLogger(log *slog.Logger) *Resolver {
-	return &Resolver{log: log}
+	return &Resolver{
+		log:    log,
+		client: &udpClient{timeout: queryTimeoutDuration},
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
+	}
+}
+
+// NewFromLoggerWithClient creates a Resolver with a custom DNS
+// client, useful for testing with mock DNS responses.
+func NewFromLoggerWithClient(
+	log *slog.Logger,
+	client DNSClient,
+) *Resolver {
+	return &Resolver{
+		log:    log,
+		client: client,
+		tcp:    client,
+	}
 }
 
 // Method implementations are in iterative.go.

internal/resolver/resolver_integration_test.go

@@ -0,0 +1,85 @@
+//go:build integration
+
+package resolver_test
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"sneak.berlin/go/dnswatcher/internal/resolver"
+)
+
+// Integration tests hit real DNS servers. Run with:
+//   go test -tags integration -timeout 60s ./internal/resolver/
+
+func newIntegrationResolver(t *testing.T) *resolver.Resolver {
+	t.Helper()
+
+	log := slog.New(slog.NewTextHandler(
+		os.Stderr,
+		&slog.HandlerOptions{Level: slog.LevelDebug},
+	))
+
+	return resolver.NewFromLogger(log)
+}
+
+func TestIntegration_FindAuthoritativeNameservers(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newIntegrationResolver(t)
+
+	ctx, cancel := context.WithTimeout(
+		context.Background(), 30*time.Second,
+	)
+	defer cancel()
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "example.com",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	t.Logf("example.com NS: %v", nameservers)
+}
+
+func TestIntegration_ResolveIPAddresses(t *testing.T) {
+	t.Parallel()
+
+	r := newIntegrationResolver(t)
+
+	ctx, cancel := context.WithTimeout(
+		context.Background(), 30*time.Second,
+	)
+	defer cancel()
+
+	// sneak.cloud is on Cloudflare
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "sneak.cloud",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	hasCloudflare := false
+
+	for _, ns := range nameservers {
+		if strings.Contains(ns, "cloudflare") {
+			hasCloudflare = true
+
+			break
+		}
+	}
+
+	assert.True(t, hasCloudflare,
+		"sneak.cloud should be on Cloudflare, got: %v",
+		nameservers,
+	)
+}