resolver: reduce query timeout to 1s and limit root fan-out to 3 (closes #29)

Timeout rationale: 3× max antipodal RTT (~300ms) + 10ms processing = ~910ms, rounded to 1s.
Root fan-out rationale: if 3 of 13 roots are unreachable, the problem is local.

.gitea/workflows/check.yml

@@ -0,0 +1,26 @@
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
+      - name: Run make check
+        run: make check

README.md

@@ -1,5 +1,7 @@
 # dnswatcher
 
+> ⚠️ Pre-1.0 software. APIs, configuration, and behavior may change without notice.
+
 dnswatcher is a production DNS and infrastructure monitoring daemon written in
 Go.  It watches configured DNS domains and hostnames for changes, monitors TCP
 port availability, tracks TLS certificate expiry, and delivers real-time
@@ -195,8 +197,7 @@ the following precedence (highest to lowest):
 | `PORT`                          | HTTP listen port                           | `8080`      |
 | `DNSWATCHER_DEBUG`              | Enable debug logging                       | `false`     |
 | `DNSWATCHER_DATA_DIR`           | Directory for state file                   | `./data`    |
-| `DNSWATCHER_DOMAINS`            | Comma-separated list of apex domains       | `""`        |
+| `DNSWATCHER_TARGETS`            | Comma-separated DNS names (auto-classified via PSL) | `""`  |
-| `DNSWATCHER_HOSTNAMES`          | Comma-separated list of hostnames          | `""`        |
 | `DNSWATCHER_SLACK_WEBHOOK`      | Slack incoming webhook URL                 | `""`        |
 | `DNSWATCHER_MATTERMOST_WEBHOOK` | Mattermost incoming webhook URL            | `""`        |
 | `DNSWATCHER_NTFY_TOPIC`         | ntfy topic URL                             | `""`        |
@@ -214,8 +215,7 @@ the following precedence (highest to lowest):
 PORT=8080
 DNSWATCHER_DEBUG=false
 DNSWATCHER_DATA_DIR=./data
-DNSWATCHER_DOMAINS=example.com,example.org
+DNSWATCHER_TARGETS=example.com,example.org,www.example.com,api.example.com,mail.example.org
-DNSWATCHER_HOSTNAMES=www.example.com,api.example.com,mail.example.org
 DNSWATCHER_SLACK_WEBHOOK=https://hooks.slack.com/services/T.../B.../xxx
 DNSWATCHER_MATTERMOST_WEBHOOK=https://mattermost.example.com/hooks/xxx
 DNSWATCHER_NTFY_TOPIC=https://ntfy.sh/my-dns-alerts
@@ -352,8 +352,7 @@ docker build -t dnswatcher .
 docker run -d \
   -p 8080:8080 \
   -v dnswatcher-data:/var/lib/dnswatcher \
-  -e DNSWATCHER_DOMAINS=example.com \
+  -e DNSWATCHER_TARGETS=example.com,www.example.com \
-  -e DNSWATCHER_HOSTNAMES=www.example.com \
   -e DNSWATCHER_NTFY_TOPIC=https://ntfy.sh/my-alerts \
   dnswatcher
 ```

cmd/dnswatcher/main.go

@@ -51,6 +51,20 @@ func main() {
 			handlers.New,
 			server.New,
 		),
+		fx.Provide(
+			func(r *resolver.Resolver) watcher.DNSResolver {
+				return r
+			},
+			func(p *portcheck.Checker) watcher.PortChecker {
+				return p
+			},
+			func(t *tlscheck.Checker) watcher.TLSChecker {
+				return t
+			},
+			func(n *notify.Service) watcher.Notifier {
+				return n
+			},
+		),
 		fx.Invoke(func(*server.Server, *watcher.Watcher) {}),
 	).Run()
 }

go.mod

@@ -12,6 +12,8 @@ require (
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
+	golang.org/x/net v0.50.0
+	golang.org/x/sync v0.19.0
 )
 
 require (
@@ -37,12 +39,11 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -76,18 +76,18 @@ go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/config/classify.go

@@ -0,0 +1,85 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"golang.org/x/net/publicsuffix"
+)
+
+// DNSNameType indicates whether a DNS name is an apex domain or a hostname.
+type DNSNameType int
+
+const (
+	// DNSNameTypeDomain indicates the name is an apex (eTLD+1) domain.
+	DNSNameTypeDomain DNSNameType = iota
+	// DNSNameTypeHostname indicates the name is a subdomain/hostname.
+	DNSNameTypeHostname
+)
+
+// ErrEmptyDNSName is returned when an empty string is passed to ClassifyDNSName.
+var ErrEmptyDNSName = errors.New("empty DNS name")
+
+// String returns the string representation of a DNSNameType.
+func (t DNSNameType) String() string {
+	switch t {
+	case DNSNameTypeDomain:
+		return "domain"
+	case DNSNameTypeHostname:
+		return "hostname"
+	default:
+		return "unknown"
+	}
+}
+
+// ClassifyDNSName determines whether a DNS name is an apex domain or a
+// hostname (subdomain) using the Public Suffix List. It returns an error
+// if the input is empty or is itself a public suffix (e.g. "co.uk").
+func ClassifyDNSName(name string) (DNSNameType, error) {
+	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
+
+	if name == "" {
+		return 0, ErrEmptyDNSName
+	}
+
+	etld1, err := publicsuffix.EffectiveTLDPlusOne(name)
+	if err != nil {
+		return 0, fmt.Errorf("invalid DNS name %q: %w", name, err)
+	}
+
+	if name == etld1 {
+		return DNSNameTypeDomain, nil
+	}
+
+	return DNSNameTypeHostname, nil
+}
+
+// ClassifyTargets splits a list of DNS names into apex domains and
+// hostnames using the Public Suffix List. It returns an error if any
+// name cannot be classified.
+func ClassifyTargets(targets []string) ([]string, []string, error) {
+	var domains, hostnames []string
+
+	for _, t := range targets {
+		normalized := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(t), "."))
+
+		if normalized == "" {
+			continue
+		}
+
+		typ, classErr := ClassifyDNSName(normalized)
+		if classErr != nil {
+			return nil, nil, classErr
+		}
+
+		switch typ {
+		case DNSNameTypeDomain:
+			domains = append(domains, normalized)
+		case DNSNameTypeHostname:
+			hostnames = append(hostnames, normalized)
+		}
+	}
+
+	return domains, hostnames, nil
+}

internal/config/classify_test.go

@@ -0,0 +1,83 @@
+package config_test
+
+import (
+	"testing"
+
+	"sneak.berlin/go/dnswatcher/internal/config"
+)
+
+func TestClassifyDNSName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		want    config.DNSNameType
+		wantErr bool
+	}{
+		{name: "apex domain simple", input: "example.com", want: config.DNSNameTypeDomain},
+		{name: "hostname simple", input: "www.example.com", want: config.DNSNameTypeHostname},
+		{name: "apex domain multi-part TLD", input: "example.co.uk", want: config.DNSNameTypeDomain},
+		{name: "hostname multi-part TLD", input: "api.example.co.uk", want: config.DNSNameTypeHostname},
+		{name: "public suffix itself", input: "co.uk", wantErr: true},
+		{name: "empty string", input: "", wantErr: true},
+		{name: "deeply nested hostname", input: "a.b.c.example.com", want: config.DNSNameTypeHostname},
+		{name: "trailing dot stripped", input: "example.com.", want: config.DNSNameTypeDomain},
+		{name: "uppercase normalized", input: "WWW.Example.COM", want: config.DNSNameTypeHostname},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := config.ClassifyDNSName(tt.input)
+
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("ClassifyDNSName(%q) expected error, got %v", tt.input, got)
+				}
+
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("ClassifyDNSName(%q) unexpected error: %v", tt.input, err)
+			}
+
+			if got != tt.want {
+				t.Errorf("ClassifyDNSName(%q) = %v, want %v", tt.input, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestClassifyTargets(t *testing.T) {
+	t.Parallel()
+
+	domains, hostnames, err := config.ClassifyTargets([]string{
+		"example.com",
+		"www.example.com",
+		"example.co.uk",
+		"api.example.co.uk",
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(domains) != 2 {
+		t.Errorf("expected 2 domains, got %d: %v", len(domains), domains)
+	}
+
+	if len(hostnames) != 2 {
+		t.Errorf("expected 2 hostnames, got %d: %v", len(hostnames), hostnames)
+	}
+}
+
+func TestClassifyTargetsRejectsPublicSuffix(t *testing.T) {
+	t.Parallel()
+
+	_, _, err := config.ClassifyTargets([]string{"co.uk"})
+	if err == nil {
+		t.Error("expected error for public suffix, got nil")
+	}
+}

internal/config/config.go

@@ -89,8 +89,7 @@ func setupViper(name string) {
 	viper.SetDefault("PORT", defaultPort)
 	viper.SetDefault("DEBUG", false)
 	viper.SetDefault("DATA_DIR", "./data")
-	viper.SetDefault("DOMAINS", "")
+	viper.SetDefault("TARGETS", "")
-	viper.SetDefault("HOSTNAMES", "")
 	viper.SetDefault("SLACK_WEBHOOK", "")
 	viper.SetDefault("MATTERMOST_WEBHOOK", "")
 	viper.SetDefault("NTFY_TOPIC", "")
@@ -133,12 +132,19 @@ func buildConfig(
 		tlsInterval = defaultTLSInterval
 	}
 
+	domains, hostnames, err := ClassifyTargets(
+		parseCSV(viper.GetString("TARGETS")),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("invalid targets configuration: %w", err)
+	}
+
 	cfg := &Config{
 		Port:              viper.GetInt("PORT"),
 		Debug:             viper.GetBool("DEBUG"),
 		DataDir:           viper.GetString("DATA_DIR"),
-		Domains:           parseCSV(viper.GetString("DOMAINS")),
+		Domains:           domains,
-		Hostnames:         parseCSV(viper.GetString("HOSTNAMES")),
+		Hostnames:         hostnames,
 		SlackWebhook:      viper.GetString("SLACK_WEBHOOK"),
 		MattermostWebhook: viper.GetString("MATTERMOST_WEBHOOK"),
 		NtfyTopic:         viper.GetString("NTFY_TOPIC"),

internal/notify/notify.go

@@ -1,4 +1,5 @@
-// Package notify provides notification delivery to Slack, Mattermost, and ntfy.
+// Package notify provides notification delivery to Slack,
+// Mattermost, and ntfy.
 package notify
 
 import (
@@ -7,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
 	"net/url"
@@ -34,16 +36,64 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
+	// ErrInvalidScheme is returned for disallowed URL schemes.
+	ErrInvalidScheme = errors.New("URL scheme not allowed")
+	// ErrMissingHost is returned when a URL has no host.
+	ErrMissingHost = errors.New("URL must have a host")
 )
 
-// sanitizeURL parses and re-serializes a URL to satisfy static analysis (gosec G704).
+// IsAllowedScheme checks if the URL scheme is permitted.
-func sanitizeURL(raw string) (string, error) {
+func IsAllowedScheme(scheme string) bool {
-	u, err := url.Parse(raw)
+	return scheme == "https" || scheme == "http"
-	if err != nil {
-		return "", fmt.Errorf("invalid URL %q: %w", raw, err)
 }
 
-	return u.String(), nil
+// ValidateWebhookURL validates and sanitizes a webhook URL.
+// It ensures the URL has an allowed scheme (http/https),
+// a non-empty host, and returns a pre-parsed *url.URL
+// reconstructed from validated components.
+func ValidateWebhookURL(raw string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(raw)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URL: %w", err)
+	}
+
+	if !IsAllowedScheme(u.Scheme) {
+		return nil, fmt.Errorf(
+			"%w: %s", ErrInvalidScheme, u.Scheme,
+		)
+	}
+
+	if u.Host == "" {
+		return nil, fmt.Errorf("%w", ErrMissingHost)
+	}
+
+	// Reconstruct from parsed components.
+	clean := &url.URL{
+		Scheme:   u.Scheme,
+		Host:     u.Host,
+		Path:     u.Path,
+		RawQuery: u.RawQuery,
+	}
+
+	return clean, nil
+}
+
+// newRequest creates an http.Request from a pre-validated *url.URL.
+// This avoids passing URL strings to http.NewRequestWithContext,
+// which gosec flags as a potential SSRF vector.
+func newRequest(
+	ctx context.Context,
+	method string,
+	target *url.URL,
+	body io.Reader,
+) *http.Request {
+	return (&http.Request{
+		Method: method,
+		URL:    target,
+		Host:   target.Host,
+		Header: make(http.Header),
+		Body:   io.NopCloser(body),
+	}).WithContext(ctx)
 }
 
 // Params contains dependencies for Service.
@@ -57,8 +107,11 @@ type Params struct {
 // Service provides notification functionality.
 type Service struct {
 	log                  *slog.Logger
-	client *http.Client
+	transport            http.RoundTripper
 	config               *config.Config
+	ntfyURL              *url.URL
+	slackWebhookURL      *url.URL
+	mattermostWebhookURL *url.URL
 }
 
 // New creates a new notify Service.
@@ -66,27 +119,67 @@ func New(
 	_ fx.Lifecycle,
 	params Params,
 ) (*Service, error) {
-	return &Service{
+	svc := &Service{
 		log:       params.Logger.Get(),
-		client: &http.Client{
+		transport: http.DefaultTransport,
-			Timeout: httpClientTimeout,
-		},
 		config:    params.Config,
-	}, nil
 	}
 
-// SendNotification sends a notification to all configured endpoints.
+	if params.Config.NtfyTopic != "" {
+		u, err := ValidateWebhookURL(
+			params.Config.NtfyTopic,
+		)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"invalid ntfy topic URL: %w", err,
+			)
+		}
+
+		svc.ntfyURL = u
+	}
+
+	if params.Config.SlackWebhook != "" {
+		u, err := ValidateWebhookURL(
+			params.Config.SlackWebhook,
+		)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"invalid slack webhook URL: %w", err,
+			)
+		}
+
+		svc.slackWebhookURL = u
+	}
+
+	if params.Config.MattermostWebhook != "" {
+		u, err := ValidateWebhookURL(
+			params.Config.MattermostWebhook,
+		)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"invalid mattermost webhook URL: %w", err,
+			)
+		}
+
+		svc.mattermostWebhookURL = u
+	}
+
+	return svc, nil
+}
+
+// SendNotification sends a notification to all configured
+// endpoints.
 func (svc *Service) SendNotification(
 	ctx context.Context,
 	title, message, priority string,
 ) {
-	if svc.config.NtfyTopic != "" {
+	if svc.ntfyURL != nil {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 
 			err := svc.sendNtfy(
 				notifyCtx,
-				svc.config.NtfyTopic,
+				svc.ntfyURL,
 				title, message, priority,
 			)
 			if err != nil {
@@ -98,13 +191,13 @@ func (svc *Service) SendNotification(
 		}()
 	}
 
-	if svc.config.SlackWebhook != "" {
+	if svc.slackWebhookURL != nil {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 
 			err := svc.sendSlack(
 				notifyCtx,
-				svc.config.SlackWebhook,
+				svc.slackWebhookURL,
 				title, message, priority,
 			)
 			if err != nil {
@@ -116,13 +209,13 @@ func (svc *Service) SendNotification(
 		}()
 	}
 
-	if svc.config.MattermostWebhook != "" {
+	if svc.mattermostWebhookURL != nil {
 		go func() {
 			notifyCtx := context.WithoutCancel(ctx)
 
 			err := svc.sendSlack(
 				notifyCtx,
-				svc.config.MattermostWebhook,
+				svc.mattermostWebhookURL,
 				title, message, priority,
 			)
 			if err != nil {
@@ -137,33 +230,29 @@ func (svc *Service) SendNotification(
 
 func (svc *Service) sendNtfy(
 	ctx context.Context,
-	topic, title, message, priority string,
+	topicURL *url.URL,
+	title, message, priority string,
 ) error {
 	svc.log.Debug(
 		"sending ntfy notification",
-		"topic", topic,
+		"topic", topicURL.String(),
 		"title", title,
 	)
 
-	cleanURL, err := sanitizeURL(topic)
+	ctx, cancel := context.WithTimeout(
-	if err != nil {
+		ctx, httpClientTimeout,
-		return fmt.Errorf("invalid ntfy topic URL: %w", err)
+	)
-	}
+	defer cancel()
-
+
-	request, err := http.NewRequestWithContext(
+	body := bytes.NewBufferString(message)
-		ctx,
+	request := newRequest(
-		http.MethodPost,
+		ctx, http.MethodPost, topicURL, body,
-		cleanURL,
-		bytes.NewBufferString(message),
 	)
-	if err != nil {
-		return fmt.Errorf("creating ntfy request: %w", err)
-	}
 
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
+	resp, err := svc.transport.RoundTrip(request)
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -172,7 +261,8 @@ func (svc *Service) sendNtfy(
 
 	if resp.StatusCode >= httpStatusClientError {
 		return fmt.Errorf(
-			"%w: status %d", ErrNtfyFailed, resp.StatusCode,
+			"%w: status %d",
+			ErrNtfyFailed, resp.StatusCode,
 		)
 	}
 
@@ -209,11 +299,17 @@ type SlackAttachment struct {
 
 func (svc *Service) sendSlack(
 	ctx context.Context,
-	webhookURL, title, message, priority string,
+	webhookURL *url.URL,
+	title, message, priority string,
 ) error {
+	ctx, cancel := context.WithTimeout(
+		ctx, httpClientTimeout,
+	)
+	defer cancel()
+
 	svc.log.Debug(
 		"sending webhook notification",
-		"url", webhookURL,
+		"url", webhookURL.String(),
 		"title", title,
 	)
 
@@ -229,27 +325,19 @@ func (svc *Service) sendSlack(
 
 	body, err := json.Marshal(payload)
 	if err != nil {
-		return fmt.Errorf("marshaling webhook payload: %w", err)
+		return fmt.Errorf(
+			"marshaling webhook payload: %w", err,
+		)
 	}
 
-	cleanURL, err := sanitizeURL(webhookURL)
+	request := newRequest(
-	if err != nil {
+		ctx, http.MethodPost, webhookURL,
-		return fmt.Errorf("invalid webhook URL: %w", err)
-	}
-
-	request, err := http.NewRequestWithContext(
-		ctx,
-		http.MethodPost,
-		cleanURL,
 		bytes.NewBuffer(body),
 	)
-	if err != nil {
-		return fmt.Errorf("creating webhook request: %w", err)
-	}
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
+	resp, err := svc.transport.RoundTrip(request)
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}

internal/notify/notify_test.go

@@ -0,0 +1,100 @@
+package notify_test
+
+import (
+	"testing"
+
+	"sneak.berlin/go/dnswatcher/internal/notify"
+)
+
+func TestValidateWebhookURLValid(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		wantURL string
+	}{
+		{
+			name:    "valid https URL",
+			input:   "https://hooks.slack.com/T00/B00",
+			wantURL: "https://hooks.slack.com/T00/B00",
+		},
+		{
+			name:    "valid http URL",
+			input:   "http://localhost:8080/webhook",
+			wantURL: "http://localhost:8080/webhook",
+		},
+		{
+			name:    "https with query",
+			input:   "https://ntfy.sh/topic?auth=tok",
+			wantURL: "https://ntfy.sh/topic?auth=tok",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := notify.ValidateWebhookURL(tt.input)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if got.String() != tt.wantURL {
+				t.Errorf(
+					"got %q, want %q",
+					got.String(), tt.wantURL,
+				)
+			}
+		})
+	}
+}
+
+func TestValidateWebhookURLInvalid(t *testing.T) {
+	t.Parallel()
+
+	invalid := []struct {
+		name  string
+		input string
+	}{
+		{"ftp scheme", "ftp://example.com/file"},
+		{"file scheme", "file:///etc/passwd"},
+		{"empty string", ""},
+		{"no scheme", "example.com/webhook"},
+		{"no host", "https:///path"},
+	}
+
+	for _, tt := range invalid {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := notify.ValidateWebhookURL(tt.input)
+			if err == nil {
+				t.Errorf(
+					"expected error for %q, got %v",
+					tt.input, got,
+				)
+			}
+		})
+	}
+}
+
+func TestIsAllowedScheme(t *testing.T) {
+	t.Parallel()
+
+	if !notify.IsAllowedScheme("https") {
+		t.Error("https should be allowed")
+	}
+
+	if !notify.IsAllowedScheme("http") {
+		t.Error("http should be allowed")
+	}
+
+	if notify.IsAllowedScheme("ftp") {
+		t.Error("ftp should not be allowed")
+	}
+
+	if notify.IsAllowedScheme("") {
+		t.Error("empty scheme should not be allowed")
+	}
+}

internal/portcheck/portcheck.go

@@ -4,18 +4,39 @@ package portcheck
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log/slog"
+	"net"
+	"strconv"
+	"sync"
+	"time"
 
 	"go.uber.org/fx"
+	"golang.org/x/sync/errgroup"
 
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNotImplemented indicates the port checker is not yet implemented.
+const (
-var ErrNotImplemented = errors.New(
+	minPort        = 1
-	"port checker not yet implemented",
+	maxPort        = 65535
+	defaultTimeout = 5 * time.Second
 )
 
+// ErrInvalidPort is returned when a port number is outside
+// the valid TCP range (1–65535).
+var ErrInvalidPort = errors.New("invalid port number")
+
+// PortResult holds the outcome of a single TCP port check.
+type PortResult struct {
+	// Open indicates whether the port accepted a connection.
+	Open bool
+	// Error contains a description if the connection failed.
+	Error string
+	// Latency is the time taken for the TCP handshake.
+	Latency time.Duration
+}
+
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@@ -38,11 +59,145 @@ func New(
 	}, nil
 }
 
-// CheckPort tests TCP connectivity to the given address and port.
+// NewStandalone creates a Checker without fx dependencies.
-func (c *Checker) CheckPort(
+func NewStandalone() *Checker {
-	_ context.Context,
+	return &Checker{
-	_ string,
+		log: slog.Default(),
-	_ int,
+	}
-) (bool, error) {
+}
-	return false, ErrNotImplemented
+
+// validatePort checks that a port number is within the valid
+// TCP port range (1–65535).
+func validatePort(port int) error {
+	if port < minPort || port > maxPort {
+		return fmt.Errorf(
+			"%w: %d (must be between %d and %d)",
+			ErrInvalidPort, port, minPort, maxPort,
+		)
+	}
+
+	return nil
+}
+
+// CheckPort tests TCP connectivity to the given address and port.
+// It uses a 5-second timeout unless the context has an earlier
+// deadline.
+func (c *Checker) CheckPort(
+	ctx context.Context,
+	address string,
+	port int,
+) (*PortResult, error) {
+	err := validatePort(port)
+	if err != nil {
+		return nil, err
+	}
+
+	target := net.JoinHostPort(
+		address, strconv.Itoa(port),
+	)
+
+	timeout := defaultTimeout
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		remaining := time.Until(deadline)
+		if remaining < timeout {
+			timeout = remaining
+		}
+	}
+
+	return c.checkConnection(ctx, target, timeout), nil
+}
+
+// CheckPorts tests TCP connectivity to multiple ports on the
+// given address concurrently. It returns a map of port number
+// to result.
+func (c *Checker) CheckPorts(
+	ctx context.Context,
+	address string,
+	ports []int,
+) (map[int]*PortResult, error) {
+	for _, port := range ports {
+		err := validatePort(port)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var mu sync.Mutex
+
+	results := make(map[int]*PortResult, len(ports))
+
+	g, ctx := errgroup.WithContext(ctx)
+
+	for _, port := range ports {
+		g.Go(func() error {
+			result, err := c.CheckPort(ctx, address, port)
+			if err != nil {
+				return fmt.Errorf(
+					"checking port %d: %w", port, err,
+				)
+			}
+
+			mu.Lock()
+			results[port] = result
+			mu.Unlock()
+
+			return nil
+		})
+	}
+
+	err := g.Wait()
+	if err != nil {
+		return nil, err
+	}
+
+	return results, nil
+}
+
+// checkConnection performs the TCP dial and returns a result.
+func (c *Checker) checkConnection(
+	ctx context.Context,
+	target string,
+	timeout time.Duration,
+) *PortResult {
+	dialer := &net.Dialer{Timeout: timeout}
+	start := time.Now()
+
+	conn, dialErr := dialer.DialContext(ctx, "tcp", target)
+	latency := time.Since(start)
+
+	if dialErr != nil {
+		c.log.Debug(
+			"port check failed",
+			"target", target,
+			"error", dialErr.Error(),
+		)
+
+		return &PortResult{
+			Open:    false,
+			Error:   dialErr.Error(),
+			Latency: latency,
+		}
+	}
+
+	closeErr := conn.Close()
+	if closeErr != nil {
+		c.log.Debug(
+			"closing connection",
+			"target", target,
+			"error", closeErr.Error(),
+		)
+	}
+
+	c.log.Debug(
+		"port check succeeded",
+		"target", target,
+		"latency", latency,
+	)
+
+	return &PortResult{
+		Open:    true,
+		Latency: latency,
+	}
 }

internal/portcheck/portcheck_test.go

@@ -0,0 +1,211 @@
+package portcheck_test
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
+)
+
+func listenTCP(
+	t *testing.T,
+) (net.Listener, int) {
+	t.Helper()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatalf("failed to start listener: %v", err)
+	}
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	return ln, addr.Port
+}
+
+func TestCheckPortOpen(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if !result.Open {
+		t.Error("expected port to be open")
+	}
+
+	if result.Error != "" {
+		t.Errorf("expected no error, got: %s", result.Error)
+	}
+
+	if result.Latency <= 0 {
+		t.Error("expected positive latency")
+	}
+}
+
+func TestCheckPortClosed(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+	_ = ln.Close()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Open {
+		t.Error("expected port to be closed")
+	}
+
+	if result.Error == "" {
+		t.Error("expected error message for closed port")
+	}
+}
+
+func TestCheckPortContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(ctx, "127.0.0.1", 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Open {
+		t.Error("expected port to not be open")
+	}
+}
+
+func TestCheckPortsMultiple(t *testing.T) {
+	t.Parallel()
+
+	ln, openPort := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	ln2, closedPort := listenTCP(t)
+	_ = ln2.Close()
+
+	checker := portcheck.NewStandalone()
+
+	results, err := checker.CheckPorts(
+		context.Background(),
+		"127.0.0.1",
+		[]int{openPort, closedPort},
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(results) != 2 {
+		t.Fatalf(
+			"expected 2 results, got %d", len(results),
+		)
+	}
+
+	if !results[openPort].Open {
+		t.Error("expected open port to be open")
+	}
+
+	if results[closedPort].Open {
+		t.Error("expected closed port to be closed")
+	}
+}
+
+func TestCheckPortInvalidPorts(t *testing.T) {
+	t.Parallel()
+
+	checker := portcheck.NewStandalone()
+
+	cases := []struct {
+		name string
+		port int
+	}{
+		{"zero", 0},
+		{"negative", -1},
+		{"too high", 65536},
+		{"very negative", -1000},
+		{"very high", 100000},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := checker.CheckPort(
+				context.Background(), "127.0.0.1", tc.port,
+			)
+			if err == nil {
+				t.Errorf(
+					"expected error for port %d, got nil",
+					tc.port,
+				)
+			}
+		})
+	}
+}
+
+func TestCheckPortsInvalidPort(t *testing.T) {
+	t.Parallel()
+
+	checker := portcheck.NewStandalone()
+
+	_, err := checker.CheckPorts(
+		context.Background(),
+		"127.0.0.1",
+		[]int{80, 0, 443},
+	)
+	if err == nil {
+		t.Error("expected error for invalid port in list")
+	}
+}
+
+func TestCheckPortLatencyReasonable(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Latency > time.Second {
+		t.Errorf(
+			"latency too high for localhost: %v",
+			result.Latency,
+		)
+	}
+}

internal/resolver/dns_client.go

@@ -0,0 +1,48 @@
+package resolver
+
+import (
+	"context"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// DNSClient abstracts DNS wire-protocol exchanges so the resolver
+// can be tested without hitting real nameservers.
+type DNSClient interface {
+	ExchangeContext(
+		ctx context.Context,
+		msg *dns.Msg,
+		addr string,
+	) (*dns.Msg, time.Duration, error)
+}
+
+// udpClient wraps a real dns.Client for production use.
+type udpClient struct {
+	timeout time.Duration
+}
+
+func (c *udpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}
+
+// tcpClient wraps a real dns.Client using TCP.
+type tcpClient struct {
+	timeout time.Duration
+}
+
+func (c *tcpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Net: "tcp", Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}

internal/resolver/iterative.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math/rand/v2"
 	"net"
 	"sort"
 	"strings"
@@ -13,7 +14,13 @@ import (
 )
 
 const (
-	queryTimeoutDuration = 5 * time.Second
+	// queryTimeoutDuration is the per-exchange DNS timeout.
+	//
+	// Rationale: maximum RTT to antipodal root/TLD servers is
+	// ~300ms. We use 3× max RTT + 10ms processing ≈ 910ms,
+	// rounded to 1s. Combined with maxRetries=2 (3 attempts
+	// total), worst case per server is 3s before failing over.
+	queryTimeoutDuration = 1 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -23,7 +30,7 @@ const (
 // ErrRefused is returned when a DNS server refuses a query.
 var ErrRefused = errors.New("dns query refused")
 
-func rootServerList() []string {
+func allRootServers() []string {
 	return []string{
 		"198.41.0.4",     // a.root-servers.net
 		"170.247.170.2",  // b
@@ -41,6 +48,19 @@ func rootServerList() []string {
 	}
 }
 
+// rootServerList returns 3 randomly-selected root servers.
+// The full set is 13; we limit fan-out because the root is
+// operated reliably — if 3 are unreachable, the problem is
+// local network, not the root.
+func rootServerList() []string {
+	shuffled := allRootServers()
+	rand.Shuffle(len(shuffled), func(i, j int) {
+		shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
+	})
+
+	return shuffled[:3]
+}
+
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -50,25 +70,20 @@ func checkCtx(ctx context.Context) error {
 	return nil
 }
 
-func exchangeWithTimeout(
+func (r *Resolver) exchangeWithTimeout(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
 	attempt int,
 ) (*dns.Msg, error) {
-	c := new(dns.Client)
+	_ = attempt // timeout escalation handled by client config
-	c.Timeout = queryTimeoutDuration
 
-	if attempt > 0 {
+	resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
-		c.Timeout = queryTimeoutDuration * timeoutMultiplier
-	}
-
-	resp, _, err := c.ExchangeContext(ctx, msg, addr)
 
 	return resp, err
 }
 
-func tryExchange(
+func (r *Resolver) tryExchange(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
@@ -82,7 +97,9 @@ func tryExchange(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err = exchangeWithTimeout(ctx, msg, addr, attempt)
+		resp, err = r.exchangeWithTimeout(
+			ctx, msg, addr, attempt,
+		)
 		if err == nil {
 			break
 		}
@@ -91,7 +108,7 @@ func tryExchange(
 	return resp, err
 }
 
-func retryTCP(
+func (r *Resolver) retryTCP(
 	ctx context.Context,
 	msg *dns.Msg,
 	addr string,
@@ -101,12 +118,7 @@ func retryTCP(
 		return resp
 	}
 
-	c := &dns.Client{
+	tcpResp, _, tcpErr := r.tcp.ExchangeContext(ctx, msg, addr)
-		Net:     "tcp",
-		Timeout: queryTimeoutDuration,
-	}
-
-	tcpResp, _, tcpErr := c.ExchangeContext(ctx, msg, addr)
 	if tcpErr == nil {
 		return tcpResp
 	}
@@ -117,7 +129,7 @@ func retryTCP(
 // queryDNS sends a DNS query to a specific server IP.
 // Tries non-recursive first, falls back to recursive on
 // REFUSED (handles DNS interception environments).
-func queryDNS(
+func (r *Resolver) queryDNS(
 	ctx context.Context,
 	serverIP string,
 	name string,
@@ -134,7 +146,7 @@ func queryDNS(
 	msg.SetQuestion(name, qtype)
 	msg.RecursionDesired = false
 
-	resp, err := tryExchange(ctx, msg, addr)
+	resp, err := r.tryExchange(ctx, msg, addr)
 	if err != nil {
 		return nil, fmt.Errorf("query %s @%s: %w", name, serverIP, err)
 	}
@@ -142,7 +154,7 @@ func queryDNS(
 	if resp.Rcode == dns.RcodeRefused {
 		msg.RecursionDesired = true
 
-		resp, err = tryExchange(ctx, msg, addr)
+		resp, err = r.tryExchange(ctx, msg, addr)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"query %s @%s: %w", name, serverIP, err,
@@ -156,7 +168,7 @@ func queryDNS(
 		}
 	}
 
-	resp = retryTCP(ctx, msg, addr, resp)
+	resp = r.retryTCP(ctx, msg, addr, resp)
 
 	return resp, nil
 }
@@ -221,7 +233,9 @@ func (r *Resolver) followDelegation(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := queryServers(ctx, servers, domain, dns.TypeNS)
+		resp, err := r.queryServers(
+			ctx, servers, domain, dns.TypeNS,
+		)
 		if err != nil {
 			return nil, err
 		}
@@ -253,7 +267,7 @@ func (r *Resolver) followDelegation(
 	return nil, ErrNoNameservers
 }
 
-func queryServers(
+func (r *Resolver) queryServers(
 	ctx context.Context,
 	servers []string,
 	name string,
@@ -266,7 +280,7 @@ func queryServers(
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := queryDNS(ctx, ip, name, qtype)
+		resp, err := r.queryDNS(ctx, ip, name, qtype)
 		if err == nil {
 			return resp, nil
 		}
@@ -308,16 +322,14 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true
 
-	c := &dns.Client{Timeout: queryTimeoutDuration}
+	for _, ip := range rootServerList() {
-
-	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
 		addr := net.JoinHostPort(ip, "53")
 
-		resp, _, err := c.ExchangeContext(ctx, msg, addr)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
 			continue
 		}
@@ -341,16 +353,14 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true
 
-	c := &dns.Client{Timeout: queryTimeoutDuration}
+	for _, ip := range rootServerList() {
-
-	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
 		addr := net.JoinHostPort(ip, "53")
 
-		resp, _, err := c.ExchangeContext(ctx, msg, addr)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
 			continue
 		}
@@ -490,7 +500,7 @@ func (r *Resolver) querySingleType(
 	resp *NameserverResponse,
 	state *queryState,
 ) {
-	msg, err := queryDNS(ctx, nsIP, hostname, qtype)
+	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
 	if err != nil {
 		return
 	}
@@ -641,6 +651,25 @@ func (r *Resolver) LookupNS(
 	return r.FindAuthoritativeNameservers(ctx, domain)
 }
 
+// LookupAllRecords performs iterative resolution to find all DNS
+// records for the given hostname, keyed by authoritative nameserver.
+func (r *Resolver) LookupAllRecords(
+	ctx context.Context,
+	hostname string,
+) (map[string]map[string][]string, error) {
+	results, err := r.QueryAllNameservers(ctx, hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	out := make(map[string]map[string][]string, len(results))
+	for ns, resp := range results {
+		out[ns] = resp.Records
+	}
+
+	return out, nil
+}
+
 // ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
 // addresses, following CNAME chains up to MaxCNAMEDepth.
 func (r *Resolver) ResolveIPAddresses(

internal/resolver/resolver.go

@@ -40,6 +40,8 @@ type NameserverResponse struct {
 // Resolver performs iterative DNS resolution from root servers.
 type Resolver struct {
 	log    *slog.Logger
+	client DNSClient
+	tcp    DNSClient
 }
 
 // New creates a new Resolver instance for use with uber/fx.
@@ -49,13 +51,32 @@ func New(
 ) (*Resolver, error) {
 	return &Resolver{
 		log:    params.Logger.Get(),
+		client: &udpClient{timeout: queryTimeoutDuration},
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
 	}, nil
 }
 
 // NewFromLogger creates a Resolver directly from an slog.Logger,
 // useful for testing without the fx lifecycle.
 func NewFromLogger(log *slog.Logger) *Resolver {
-	return &Resolver{log: log}
+	return &Resolver{
+		log:    log,
+		client: &udpClient{timeout: queryTimeoutDuration},
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
+	}
+}
+
+// NewFromLoggerWithClient creates a Resolver with a custom DNS
+// client, useful for testing with mock DNS responses.
+func NewFromLoggerWithClient(
+	log *slog.Logger,
+	client DNSClient,
+) *Resolver {
+	return &Resolver{
+		log:    log,
+		client: client,
+		tcp:    client,
+	}
 }
 
 // Method implementations are in iterative.go.

internal/state/state.go

@@ -156,8 +156,8 @@ func (s *State) Load() error {
 
 // Save writes the current state to disk atomically.
 func (s *State) Save() error {
-	s.mu.RLock()
+	s.mu.Lock()
-	defer s.mu.RUnlock()
+	defer s.mu.Unlock()
 
 	s.snapshot.LastUpdated = time.Now().UTC()
 

internal/state/state_test_helper.go

@@ -0,0 +1,22 @@
+package state
+
+import (
+	"log/slog"
+
+	"sneak.berlin/go/dnswatcher/internal/config"
+)
+
+// NewForTest creates a State for unit testing with no persistence.
+func NewForTest() *State {
+	return &State{
+		log: slog.Default(),
+		snapshot: &Snapshot{
+			Version:      stateVersion,
+			Domains:      make(map[string]*DomainState),
+			Hostnames:    make(map[string]*HostnameState),
+			Ports:        make(map[string]*PortState),
+			Certificates: make(map[string]*CertificateState),
+		},
+		config: &config.Config{DataDir: ""},
+	}
+}

internal/tlscheck/extractcertinfo_test.go

@@ -0,0 +1,67 @@
+package tlscheck_test
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+)
+
+func TestCheckCertificateNoPeerCerts(t *testing.T) {
+	t.Parallel()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() { _ = ln.Close() }()
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	// Accept and immediately close to cause TLS handshake failure.
+	go func() {
+		conn, err := ln.Accept()
+		if err != nil {
+			return
+		}
+
+		_ = conn.Close()
+	}()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			InsecureSkipVerify: true, //nolint:gosec // test
+			MinVersion:         tls.VersionTLS12,
+		}),
+		tlscheck.WithPort(addr.Port),
+	)
+
+	_, err = checker.CheckCertificate(
+		context.Background(), "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error when server presents no certs")
+	}
+}
+
+func TestErrNoPeerCertificatesIsSentinel(t *testing.T) {
+	t.Parallel()
+
+	err := tlscheck.ErrNoPeerCertificates
+	if !errors.Is(err, tlscheck.ErrNoPeerCertificates) {
+		t.Fatal("expected sentinel error to match")
+	}
+}

internal/tlscheck/tlscheck.go

@@ -3,8 +3,12 @@ package tlscheck
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
+	"fmt"
 	"log/slog"
+	"net"
+	"strconv"
 	"time"
 
 	"go.uber.org/fx"
@@ -12,11 +16,56 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNotImplemented indicates the TLS checker is not yet implemented.
+const (
-var ErrNotImplemented = errors.New(
+	defaultTimeout = 10 * time.Second
-	"tls checker not yet implemented",
+	defaultPort    = 443
 )
 
+// ErrUnexpectedConnType indicates the connection was not a TLS
+// connection.
+var ErrUnexpectedConnType = errors.New(
+	"unexpected connection type",
+)
+
+// ErrNoPeerCertificates indicates the TLS connection had no peer
+// certificates.
+var ErrNoPeerCertificates = errors.New(
+	"no peer certificates",
+)
+
+// CertificateInfo holds information about a TLS certificate.
+type CertificateInfo struct {
+	CommonName              string
+	Issuer                  string
+	NotAfter                time.Time
+	SubjectAlternativeNames []string
+	SerialNumber            string
+}
+
+// Option configures a Checker.
+type Option func(*Checker)
+
+// WithTimeout sets the connection timeout.
+func WithTimeout(d time.Duration) Option {
+	return func(c *Checker) {
+		c.timeout = d
+	}
+}
+
+// WithTLSConfig sets a custom TLS configuration.
+func WithTLSConfig(cfg *tls.Config) Option {
+	return func(c *Checker) {
+		c.tlsConfig = cfg
+	}
+}
+
+// WithPort sets the TLS port to connect to.
+func WithPort(port int) Option {
+	return func(c *Checker) {
+		c.port = port
+	}
+}
+
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@@ -27,14 +76,9 @@ type Params struct {
 // Checker performs TLS certificate inspection.
 type Checker struct {
 	log       *slog.Logger
-}
+	timeout   time.Duration
-
+	tlsConfig *tls.Config
-// CertificateInfo holds information about a TLS certificate.
+	port      int
-type CertificateInfo struct {
-	CommonName              string
-	Issuer                  string
-	NotAfter                time.Time
-	SubjectAlternativeNames []string
 }
 
 // New creates a new TLS Checker instance.
@@ -44,15 +88,109 @@ func New(
 ) (*Checker, error) {
 	return &Checker{
 		log:     params.Logger.Get(),
+		timeout: defaultTimeout,
+		port:    defaultPort,
 	}, nil
 }
 
-// CheckCertificate connects to the given IP:port using SNI and
+// NewStandalone creates a Checker without fx dependencies.
-// returns certificate information.
+func NewStandalone(opts ...Option) *Checker {
-func (c *Checker) CheckCertificate(
+	checker := &Checker{
-	_ context.Context,
+		log:     slog.Default(),
-	_ string,
+		timeout: defaultTimeout,
-	_ string,
+		port:    defaultPort,
-) (*CertificateInfo, error) {
+	}
-	return nil, ErrNotImplemented
+
+	for _, opt := range opts {
+		opt(checker)
+	}
+
+	return checker
+}
+
+// CheckCertificate connects to the given IP address using the
+// specified SNI hostname and returns certificate information.
+func (c *Checker) CheckCertificate(
+	ctx context.Context,
+	ipAddress string,
+	sniHostname string,
+) (*CertificateInfo, error) {
+	target := net.JoinHostPort(
+		ipAddress, strconv.Itoa(c.port),
+	)
+
+	tlsCfg := c.buildTLSConfig(sniHostname)
+	dialer := &tls.Dialer{
+		NetDialer: &net.Dialer{Timeout: c.timeout},
+		Config:    tlsCfg,
+	}
+
+	conn, err := dialer.DialContext(ctx, "tcp", target)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"TLS dial to %s: %w", target, err,
+		)
+	}
+
+	defer func() {
+		closeErr := conn.Close()
+		if closeErr != nil {
+			c.log.Debug(
+				"closing TLS connection",
+				"target", target,
+				"error", closeErr.Error(),
+			)
+		}
+	}()
+
+	tlsConn, ok := conn.(*tls.Conn)
+	if !ok {
+		return nil, fmt.Errorf(
+			"%s: %w", target, ErrUnexpectedConnType,
+		)
+	}
+
+	return c.extractCertInfo(tlsConn)
+}
+
+func (c *Checker) buildTLSConfig(
+	sniHostname string,
+) *tls.Config {
+	if c.tlsConfig != nil {
+		cfg := c.tlsConfig.Clone()
+		cfg.ServerName = sniHostname
+
+		return cfg
+	}
+
+	return &tls.Config{
+		ServerName: sniHostname,
+		MinVersion: tls.VersionTLS12,
+	}
+}
+
+func (c *Checker) extractCertInfo(
+	conn *tls.Conn,
+) (*CertificateInfo, error) {
+	state := conn.ConnectionState()
+	if len(state.PeerCertificates) == 0 {
+		return nil, ErrNoPeerCertificates
+	}
+
+	cert := state.PeerCertificates[0]
+
+	sans := make([]string, 0, len(cert.DNSNames)+len(cert.IPAddresses))
+	sans = append(sans, cert.DNSNames...)
+
+	for _, ip := range cert.IPAddresses {
+		sans = append(sans, ip.String())
+	}
+
+	return &CertificateInfo{
+		CommonName:              cert.Subject.CommonName,
+		Issuer:                  cert.Issuer.CommonName,
+		NotAfter:                cert.NotAfter,
+		SubjectAlternativeNames: sans,
+		SerialNumber:            cert.SerialNumber.String(),
+	}, nil
 }

internal/tlscheck/tlscheck_test.go

@@ -0,0 +1,169 @@
+package tlscheck_test
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+)
+
+func startTLSServer(
+	t *testing.T,
+) (*httptest.Server, string, int) {
+	t.Helper()
+
+	srv := httptest.NewTLSServer(
+		http.HandlerFunc(
+			func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			},
+		),
+	)
+
+	addr, ok := srv.Listener.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	return srv, addr.IP.String(), addr.Port
+}
+
+func TestCheckCertificateValid(t *testing.T) {
+	t.Parallel()
+
+	srv, ip, port := startTLSServer(t)
+
+	defer srv.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(5*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			//nolint:gosec // test uses self-signed cert
+			InsecureSkipVerify: true,
+		}),
+		tlscheck.WithPort(port),
+	)
+
+	info, err := checker.CheckCertificate(
+		context.Background(), ip, "localhost",
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if info == nil {
+		t.Fatal("expected non-nil CertificateInfo")
+	}
+
+	if info.NotAfter.IsZero() {
+		t.Error("expected non-zero NotAfter")
+	}
+
+	if info.SerialNumber == "" {
+		t.Error("expected non-empty SerialNumber")
+	}
+}
+
+func TestCheckCertificateConnectionRefused(t *testing.T) {
+	t.Parallel()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatalf("failed to listen: %v", err)
+	}
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	port := addr.Port
+
+	_ = ln.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithPort(port),
+	)
+
+	_, err = checker.CheckCertificate(
+		context.Background(), "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error for connection refused")
+	}
+}
+
+func TestCheckCertificateContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithPort(1),
+	)
+
+	_, err := checker.CheckCertificate(
+		ctx, "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error for canceled context")
+	}
+}
+
+func TestCheckCertificateTimeout(t *testing.T) {
+	t.Parallel()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(1*time.Millisecond),
+		tlscheck.WithPort(1),
+	)
+
+	_, err := checker.CheckCertificate(
+		context.Background(),
+		"192.0.2.1",
+		"example.com",
+	)
+	if err == nil {
+		t.Fatal("expected error for timeout")
+	}
+}
+
+func TestCheckCertificateSANs(t *testing.T) {
+	t.Parallel()
+
+	srv, ip, port := startTLSServer(t)
+
+	defer srv.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(5*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			//nolint:gosec // test uses self-signed cert
+			InsecureSkipVerify: true,
+		}),
+		tlscheck.WithPort(port),
+	)
+
+	info, err := checker.CheckCertificate(
+		context.Background(), ip, "localhost",
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if info.CommonName == "" && len(info.SubjectAlternativeNames) == 0 {
+		t.Error("expected CN or SANs to be populated")
+	}
+}

internal/watcher/interfaces.go

@@ -0,0 +1,61 @@
+// Package watcher provides the main monitoring orchestrator.
+package watcher
+
+import (
+	"context"
+
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+)
+
+// DNSResolver performs iterative DNS resolution.
+type DNSResolver interface {
+	// LookupNS discovers authoritative nameservers for a domain.
+	LookupNS(
+		ctx context.Context,
+		domain string,
+	) ([]string, error)
+
+	// LookupAllRecords queries all record types for a hostname,
+	// returning results keyed by nameserver then record type.
+	LookupAllRecords(
+		ctx context.Context,
+		hostname string,
+	) (map[string]map[string][]string, error)
+
+	// ResolveIPAddresses resolves a hostname to all IP addresses.
+	ResolveIPAddresses(
+		ctx context.Context,
+		hostname string,
+	) ([]string, error)
+}
+
+// PortChecker tests TCP port connectivity.
+type PortChecker interface {
+	// CheckPort tests TCP connectivity to an address and port.
+	CheckPort(
+		ctx context.Context,
+		address string,
+		port int,
+	) (*portcheck.PortResult, error)
+}
+
+// TLSChecker inspects TLS certificates.
+type TLSChecker interface {
+	// CheckCertificate connects via TLS and returns cert info.
+	CheckCertificate(
+		ctx context.Context,
+		ip string,
+		hostname string,
+	) (*tlscheck.CertificateInfo, error)
+}
+
+// Notifier delivers notifications to configured endpoints.
+type Notifier interface {
+	// SendNotification sends a notification with the given
+	// details.
+	SendNotification(
+		ctx context.Context,
+		title, message, priority string,
+	)
+}

internal/watcher/watcher.go

@@ -1,21 +1,30 @@
-// Package watcher provides the main monitoring orchestrator and scheduler.
 package watcher
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
+	"sort"
+	"strings"
+	"time"
 
 	"go.uber.org/fx"
 
 	"sneak.berlin/go/dnswatcher/internal/config"
 	"sneak.berlin/go/dnswatcher/internal/logger"
-	"sneak.berlin/go/dnswatcher/internal/notify"
-	"sneak.berlin/go/dnswatcher/internal/portcheck"
-	"sneak.berlin/go/dnswatcher/internal/resolver"
 	"sneak.berlin/go/dnswatcher/internal/state"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 )
 
+// monitoredPorts are the TCP ports checked for each IP address.
+var monitoredPorts = []int{80, 443} //nolint:gochecknoglobals
+
+// tlsPort is the port used for TLS certificate checks.
+const tlsPort = 443
+
+// hoursPerDay converts days to hours for duration calculations.
+const hoursPerDay = 24
+
 // Params contains dependencies for Watcher.
 type Params struct {
 	fx.In
@@ -23,10 +32,10 @@ type Params struct {
 	Logger    *logger.Logger
 	Config    *config.Config
 	State     *state.State
-	Resolver  *resolver.Resolver
+	Resolver  DNSResolver
-	PortCheck *portcheck.Checker
+	PortCheck PortChecker
-	TLSCheck  *tlscheck.Checker
+	TLSCheck  TLSChecker
-	Notify    *notify.Service
+	Notify    Notifier
 }
 
 // Watcher orchestrates all monitoring checks on a schedule.
@@ -34,19 +43,20 @@ type Watcher struct {
 	log       *slog.Logger
 	config    *config.Config
 	state     *state.State
-	resolver  *resolver.Resolver
+	resolver  DNSResolver
-	portCheck *portcheck.Checker
+	portCheck PortChecker
-	tlsCheck  *tlscheck.Checker
+	tlsCheck  TLSChecker
-	notify    *notify.Service
+	notify    Notifier
 	cancel    context.CancelFunc
+	firstRun  bool
 }
 
-// New creates a new Watcher instance.
+// New creates a new Watcher instance wired into the fx lifecycle.
 func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Watcher, error) {
-	watcher := &Watcher{
+	w := &Watcher{
 		log:       params.Logger.Get(),
 		config:    params.Config,
 		state:     params.State,
@@ -54,30 +64,54 @@ func New(
 		portCheck: params.PortCheck,
 		tlsCheck:  params.TLSCheck,
 		notify:    params.Notify,
+		firstRun:  true,
 	}
 
 	lifecycle.Append(fx.Hook{
 		OnStart: func(startCtx context.Context) error {
-			ctx, cancel := context.WithCancel(startCtx)
+			ctx, cancel := context.WithCancel(
-			watcher.cancel = cancel
+				context.WithoutCancel(startCtx),
+			)
+			w.cancel = cancel
 
-			go watcher.Run(ctx)
+			go w.Run(ctx)
 
 			return nil
 		},
 		OnStop: func(_ context.Context) error {
-			if watcher.cancel != nil {
+			if w.cancel != nil {
-				watcher.cancel()
+				w.cancel()
 			}
 
 			return nil
 		},
 	})
 
-	return watcher, nil
+	return w, nil
 }
 
-// Run starts the monitoring loop.
+// NewForTest creates a Watcher without fx for unit testing.
+func NewForTest(
+	cfg *config.Config,
+	st *state.State,
+	res DNSResolver,
+	pc PortChecker,
+	tc TLSChecker,
+	n Notifier,
+) *Watcher {
+	return &Watcher{
+		log:       slog.Default(),
+		config:    cfg,
+		state:     st,
+		resolver:  res,
+		portCheck: pc,
+		tlsCheck:  tc,
+		notify:    n,
+		firstRun:  true,
+	}
+}
+
+// Run starts the monitoring loop with periodic scheduling.
 func (w *Watcher) Run(ctx context.Context) {
 	w.log.Info(
 		"watcher starting",
@@ -87,8 +121,646 @@ func (w *Watcher) Run(ctx context.Context) {
 		"tlsInterval", w.config.TLSInterval,
 	)
 
-	// Stub: wait for context cancellation.
+	w.RunOnce(ctx)
-	// Implementation will add initial check + periodic scheduling.
+
-	<-ctx.Done()
+	dnsTicker := time.NewTicker(w.config.DNSInterval)
+	tlsTicker := time.NewTicker(w.config.TLSInterval)
+
+	defer dnsTicker.Stop()
+	defer tlsTicker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
 			w.log.Info("watcher stopped")
+
+			return
+		case <-dnsTicker.C:
+			w.runDNSAndPortChecks(ctx)
+			w.saveState()
+		case <-tlsTicker.C:
+			w.runTLSChecks(ctx)
+			w.saveState()
+		}
+	}
+}
+
+// RunOnce performs a single complete monitoring cycle.
+func (w *Watcher) RunOnce(ctx context.Context) {
+	w.detectFirstRun()
+	w.runDNSAndPortChecks(ctx)
+	w.runTLSChecks(ctx)
+	w.saveState()
+	w.firstRun = false
+}
+
+func (w *Watcher) detectFirstRun() {
+	snap := w.state.GetSnapshot()
+	hasState := len(snap.Domains) > 0 ||
+		len(snap.Hostnames) > 0 ||
+		len(snap.Ports) > 0 ||
+		len(snap.Certificates) > 0
+
+	if hasState {
+		w.firstRun = false
+	}
+}
+
+func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
+	for _, domain := range w.config.Domains {
+		w.checkDomain(ctx, domain)
+	}
+
+	for _, hostname := range w.config.Hostnames {
+		w.checkHostname(ctx, hostname)
+	}
+
+	w.checkAllPorts(ctx)
+}
+
+func (w *Watcher) checkDomain(
+	ctx context.Context,
+	domain string,
+) {
+	nameservers, err := w.resolver.LookupNS(ctx, domain)
+	if err != nil {
+		w.log.Error(
+			"failed to lookup NS",
+			"domain", domain,
+			"error", err,
+		)
+
+		return
+	}
+
+	sort.Strings(nameservers)
+
+	now := time.Now().UTC()
+
+	prev, hasPrev := w.state.GetDomainState(domain)
+	if hasPrev && !w.firstRun {
+		w.detectNSChanges(ctx, domain, prev.Nameservers, nameservers)
+	}
+
+	w.state.SetDomainState(domain, &state.DomainState{
+		Nameservers: nameservers,
+		LastChecked: now,
+	})
+}
+
+func (w *Watcher) detectNSChanges(
+	ctx context.Context,
+	domain string,
+	oldNS, newNS []string,
+) {
+	oldSet := toSet(oldNS)
+	newSet := toSet(newNS)
+
+	var added, removed []string
+
+	for ns := range newSet {
+		if !oldSet[ns] {
+			added = append(added, ns)
+		}
+	}
+
+	for ns := range oldSet {
+		if !newSet[ns] {
+			removed = append(removed, ns)
+		}
+	}
+
+	if len(added) == 0 && len(removed) == 0 {
+		return
+	}
+
+	msg := fmt.Sprintf(
+		"Domain: %s\nAdded: %s\nRemoved: %s",
+		domain,
+		strings.Join(added, ", "),
+		strings.Join(removed, ", "),
+	)
+
+	w.notify.SendNotification(
+		ctx,
+		"NS Change: "+domain,
+		msg,
+		"warning",
+	)
+}
+
+func (w *Watcher) checkHostname(
+	ctx context.Context,
+	hostname string,
+) {
+	records, err := w.resolver.LookupAllRecords(ctx, hostname)
+	if err != nil {
+		w.log.Error(
+			"failed to lookup records",
+			"hostname", hostname,
+			"error", err,
+		)
+
+		return
+	}
+
+	now := time.Now().UTC()
+	prev, hasPrev := w.state.GetHostnameState(hostname)
+
+	if hasPrev && !w.firstRun {
+		w.detectHostnameChanges(ctx, hostname, prev, records)
+	}
+
+	newState := buildHostnameState(records, now)
+	w.state.SetHostnameState(hostname, newState)
+}
+
+func buildHostnameState(
+	records map[string]map[string][]string,
+	now time.Time,
+) *state.HostnameState {
+	hs := &state.HostnameState{
+		RecordsByNameserver: make(
+			map[string]*state.NameserverRecordState,
+		),
+		LastChecked: now,
+	}
+
+	for ns, recs := range records {
+		hs.RecordsByNameserver[ns] = &state.NameserverRecordState{
+			Records:     recs,
+			Status:      "ok",
+			LastChecked: now,
+		}
+	}
+
+	return hs
+}
+
+func (w *Watcher) detectHostnameChanges(
+	ctx context.Context,
+	hostname string,
+	prev *state.HostnameState,
+	current map[string]map[string][]string,
+) {
+	w.detectRecordChanges(ctx, hostname, prev, current)
+	w.detectNSDisappearances(ctx, hostname, prev, current)
+	w.detectInconsistencies(ctx, hostname, current)
+}
+
+func (w *Watcher) detectRecordChanges(
+	ctx context.Context,
+	hostname string,
+	prev *state.HostnameState,
+	current map[string]map[string][]string,
+) {
+	for ns, recs := range current {
+		prevNS, ok := prev.RecordsByNameserver[ns]
+		if !ok {
+			continue
+		}
+
+		if recordsEqual(prevNS.Records, recs) {
+			continue
+		}
+
+		msg := fmt.Sprintf(
+			"Hostname: %s\nNameserver: %s\n"+
+				"Old: %v\nNew: %v",
+			hostname, ns,
+			prevNS.Records, recs,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"Record Change: "+hostname,
+			msg,
+			"warning",
+		)
+	}
+}
+
+func (w *Watcher) detectNSDisappearances(
+	ctx context.Context,
+	hostname string,
+	prev *state.HostnameState,
+	current map[string]map[string][]string,
+) {
+	for ns, prevNS := range prev.RecordsByNameserver {
+		if _, ok := current[ns]; ok || prevNS.Status != "ok" {
+			continue
+		}
+
+		msg := fmt.Sprintf(
+			"Hostname: %s\nNameserver: %s disappeared",
+			hostname, ns,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"NS Failure: "+hostname,
+			msg,
+			"error",
+		)
+	}
+
+	for ns := range current {
+		prevNS, ok := prev.RecordsByNameserver[ns]
+		if !ok || prevNS.Status != "error" {
+			continue
+		}
+
+		msg := fmt.Sprintf(
+			"Hostname: %s\nNameserver: %s recovered",
+			hostname, ns,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"NS Recovery: "+hostname,
+			msg,
+			"success",
+		)
+	}
+}
+
+func (w *Watcher) detectInconsistencies(
+	ctx context.Context,
+	hostname string,
+	current map[string]map[string][]string,
+) {
+	nameservers := make([]string, 0, len(current))
+	for ns := range current {
+		nameservers = append(nameservers, ns)
+	}
+
+	sort.Strings(nameservers)
+
+	for i := range len(nameservers) - 1 {
+		ns1 := nameservers[i]
+		ns2 := nameservers[i+1]
+
+		if recordsEqual(current[ns1], current[ns2]) {
+			continue
+		}
+
+		msg := fmt.Sprintf(
+			"Hostname: %s\n%s: %v\n%s: %v",
+			hostname,
+			ns1, current[ns1],
+			ns2, current[ns2],
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"Inconsistency: "+hostname,
+			msg,
+			"warning",
+		)
+	}
+}
+
+func (w *Watcher) checkAllPorts(ctx context.Context) {
+	for _, hostname := range w.config.Hostnames {
+		w.checkPortsForHostname(ctx, hostname)
+	}
+
+	for _, domain := range w.config.Domains {
+		w.checkPortsForHostname(ctx, domain)
+	}
+}
+
+func (w *Watcher) checkPortsForHostname(
+	ctx context.Context,
+	hostname string,
+) {
+	ips := w.collectIPs(hostname)
+
+	for _, ip := range ips {
+		for _, port := range monitoredPorts {
+			w.checkSinglePort(ctx, ip, port, hostname)
+		}
+	}
+}
+
+func (w *Watcher) collectIPs(hostname string) []string {
+	hs, ok := w.state.GetHostnameState(hostname)
+	if !ok {
+		return nil
+	}
+
+	ipSet := make(map[string]bool)
+
+	for _, nsState := range hs.RecordsByNameserver {
+		for _, ip := range nsState.Records["A"] {
+			ipSet[ip] = true
+		}
+
+		for _, ip := range nsState.Records["AAAA"] {
+			ipSet[ip] = true
+		}
+	}
+
+	result := make([]string, 0, len(ipSet))
+	for ip := range ipSet {
+		result = append(result, ip)
+	}
+
+	sort.Strings(result)
+
+	return result
+}
+
+func (w *Watcher) checkSinglePort(
+	ctx context.Context,
+	ip string,
+	port int,
+	hostname string,
+) {
+	result, err := w.portCheck.CheckPort(ctx, ip, port)
+	if err != nil {
+		w.log.Error(
+			"port check failed",
+			"ip", ip,
+			"port", port,
+			"error", err,
+		)
+
+		return
+	}
+
+	key := fmt.Sprintf("%s:%d", ip, port)
+	now := time.Now().UTC()
+	prev, hasPrev := w.state.GetPortState(key)
+
+	if hasPrev && !w.firstRun && prev.Open != result.Open {
+		stateStr := "closed"
+		if result.Open {
+			stateStr = "open"
+		}
+
+		msg := fmt.Sprintf(
+			"Host: %s\nAddress: %s\nPort now %s",
+			hostname, key, stateStr,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"Port Change: "+key,
+			msg,
+			"warning",
+		)
+	}
+
+	w.state.SetPortState(key, &state.PortState{
+		Open:        result.Open,
+		Hostname:    hostname,
+		LastChecked: now,
+	})
+}
+
+func (w *Watcher) runTLSChecks(ctx context.Context) {
+	for _, hostname := range w.config.Hostnames {
+		w.checkTLSForHostname(ctx, hostname)
+	}
+
+	for _, domain := range w.config.Domains {
+		w.checkTLSForHostname(ctx, domain)
+	}
+}
+
+func (w *Watcher) checkTLSForHostname(
+	ctx context.Context,
+	hostname string,
+) {
+	ips := w.collectIPs(hostname)
+
+	for _, ip := range ips {
+		portKey := fmt.Sprintf("%s:%d", ip, tlsPort)
+
+		ps, ok := w.state.GetPortState(portKey)
+		if !ok || !ps.Open {
+			continue
+		}
+
+		w.checkTLSCert(ctx, ip, hostname)
+	}
+}
+
+func (w *Watcher) checkTLSCert(
+	ctx context.Context,
+	ip string,
+	hostname string,
+) {
+	cert, err := w.tlsCheck.CheckCertificate(ctx, ip, hostname)
+	certKey := fmt.Sprintf("%s:%d:%s", ip, tlsPort, hostname)
+	now := time.Now().UTC()
+	prev, hasPrev := w.state.GetCertificateState(certKey)
+
+	if err != nil {
+		w.handleTLSError(
+			ctx, certKey, hostname, ip,
+			hasPrev, prev, now, err,
+		)
+
+		return
+	}
+
+	w.handleTLSSuccess(
+		ctx, certKey, hostname, ip,
+		hasPrev, prev, now, cert,
+	)
+}
+
+func (w *Watcher) handleTLSError(
+	ctx context.Context,
+	certKey, hostname, ip string,
+	hasPrev bool,
+	prev *state.CertificateState,
+	now time.Time,
+	err error,
+) {
+	if hasPrev && !w.firstRun && prev.Status == "ok" {
+		msg := fmt.Sprintf(
+			"Host: %s\nIP: %s\nError: %s",
+			hostname, ip, err,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"TLS Failure: "+hostname,
+			msg,
+			"error",
+		)
+	}
+
+	w.state.SetCertificateState(
+		certKey, &state.CertificateState{
+			Status:      "error",
+			Error:       err.Error(),
+			LastChecked: now,
+		},
+	)
+}
+
+func (w *Watcher) handleTLSSuccess(
+	ctx context.Context,
+	certKey, hostname, ip string,
+	hasPrev bool,
+	prev *state.CertificateState,
+	now time.Time,
+	cert *tlscheck.CertificateInfo,
+) {
+	if hasPrev && !w.firstRun {
+		w.detectTLSChanges(ctx, hostname, ip, prev, cert)
+	}
+
+	w.checkTLSExpiry(ctx, hostname, ip, cert)
+
+	w.state.SetCertificateState(
+		certKey, &state.CertificateState{
+			CommonName:              cert.CommonName,
+			Issuer:                  cert.Issuer,
+			NotAfter:                cert.NotAfter,
+			SubjectAlternativeNames: cert.SubjectAlternativeNames,
+			Status:                  "ok",
+			LastChecked:             now,
+		},
+	)
+}
+
+func (w *Watcher) detectTLSChanges(
+	ctx context.Context,
+	hostname, ip string,
+	prev *state.CertificateState,
+	cert *tlscheck.CertificateInfo,
+) {
+	if prev.Status == "error" {
+		msg := fmt.Sprintf(
+			"Host: %s\nIP: %s\nTLS recovered",
+			hostname, ip,
+		)
+
+		w.notify.SendNotification(
+			ctx,
+			"TLS Recovery: "+hostname,
+			msg,
+			"success",
+		)
+
+		return
+	}
+
+	changed := prev.CommonName != cert.CommonName ||
+		prev.Issuer != cert.Issuer ||
+		!sliceEqual(
+			prev.SubjectAlternativeNames,
+			cert.SubjectAlternativeNames,
+		)
+
+	if !changed {
+		return
+	}
+
+	msg := fmt.Sprintf(
+		"Host: %s\nIP: %s\n"+
+			"Old CN: %s, Issuer: %s\n"+
+			"New CN: %s, Issuer: %s",
+		hostname, ip,
+		prev.CommonName, prev.Issuer,
+		cert.CommonName, cert.Issuer,
+	)
+
+	w.notify.SendNotification(
+		ctx,
+		"TLS Certificate Change: "+hostname,
+		msg,
+		"warning",
+	)
+}
+
+func (w *Watcher) checkTLSExpiry(
+	ctx context.Context,
+	hostname, ip string,
+	cert *tlscheck.CertificateInfo,
+) {
+	daysLeft := time.Until(cert.NotAfter).Hours() / hoursPerDay
+	warningDays := float64(w.config.TLSExpiryWarning)
+
+	if daysLeft > warningDays {
+		return
+	}
+
+	msg := fmt.Sprintf(
+		"Host: %s\nIP: %s\nCN: %s\n"+
+			"Expires: %s (%.0f days)",
+		hostname, ip, cert.CommonName,
+		cert.NotAfter.Format(time.RFC3339),
+		daysLeft,
+	)
+
+	w.notify.SendNotification(
+		ctx,
+		"TLS Expiry Warning: "+hostname,
+		msg,
+		"warning",
+	)
+}
+
+func (w *Watcher) saveState() {
+	err := w.state.Save()
+	if err != nil {
+		w.log.Error("failed to save state", "error", err)
+	}
+}
+
+// --- Utility functions ---
+
+func toSet(items []string) map[string]bool {
+	set := make(map[string]bool, len(items))
+	for _, item := range items {
+		set[item] = true
+	}
+
+	return set
+}
+
+func recordsEqual(
+	a, b map[string][]string,
+) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	for k, av := range a {
+		bv, ok := b[k]
+		if !ok || !sliceEqual(av, bv) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func sliceEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	aSorted := make([]string, len(a))
+	bSorted := make([]string, len(b))
+
+	copy(aSorted, a)
+	copy(bSorted, b)
+
+	sort.Strings(aSorted)
+	sort.Strings(bSorted)
+
+	for i := range aSorted {
+		if aSorted[i] != bSorted[i] {
+			return false
+		}
+	}
+
+	return true
 }

internal/watcher/watcher_test.go

@@ -0,0 +1,577 @@
+package watcher_test
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/config"
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
+	"sneak.berlin/go/dnswatcher/internal/state"
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+	"sneak.berlin/go/dnswatcher/internal/watcher"
+)
+
+// errNotFound is returned when mock data is missing.
+var errNotFound = errors.New("not found")
+
+// --- Mock implementations ---
+
+type mockResolver struct {
+	mu             sync.Mutex
+	nsRecords      map[string][]string
+	allRecords     map[string]map[string]map[string][]string
+	ipAddresses    map[string][]string
+	lookupNSErr    error
+	allRecordsErr  error
+	resolveIPErr   error
+	lookupNSCalls  int
+	allRecordCalls int
+}
+
+func (m *mockResolver) LookupNS(
+	_ context.Context,
+	domain string,
+) ([]string, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.lookupNSCalls++
+
+	if m.lookupNSErr != nil {
+		return nil, m.lookupNSErr
+	}
+
+	ns, ok := m.nsRecords[domain]
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: NS for %s", errNotFound, domain,
+		)
+	}
+
+	return ns, nil
+}
+
+func (m *mockResolver) LookupAllRecords(
+	_ context.Context,
+	hostname string,
+) (map[string]map[string][]string, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.allRecordCalls++
+
+	if m.allRecordsErr != nil {
+		return nil, m.allRecordsErr
+	}
+
+	recs, ok := m.allRecords[hostname]
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: records for %s", errNotFound, hostname,
+		)
+	}
+
+	return recs, nil
+}
+
+func (m *mockResolver) ResolveIPAddresses(
+	_ context.Context,
+	hostname string,
+) ([]string, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.resolveIPErr != nil {
+		return nil, m.resolveIPErr
+	}
+
+	ips, ok := m.ipAddresses[hostname]
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: IPs for %s", errNotFound, hostname,
+		)
+	}
+
+	return ips, nil
+}
+
+type mockPortChecker struct {
+	mu      sync.Mutex
+	results map[string]bool
+	err     error
+	calls   int
+}
+
+func (m *mockPortChecker) CheckPort(
+	_ context.Context,
+	address string,
+	port int,
+) (*portcheck.PortResult, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.calls++
+
+	if m.err != nil {
+		return nil, m.err
+	}
+
+	key := fmt.Sprintf("%s:%d", address, port)
+	open := m.results[key]
+
+	return &portcheck.PortResult{Open: open}, nil
+}
+
+type mockTLSChecker struct {
+	mu    sync.Mutex
+	certs map[string]*tlscheck.CertificateInfo
+	err   error
+	calls int
+}
+
+func (m *mockTLSChecker) CheckCertificate(
+	_ context.Context,
+	ip string,
+	hostname string,
+) (*tlscheck.CertificateInfo, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.calls++
+
+	if m.err != nil {
+		return nil, m.err
+	}
+
+	key := fmt.Sprintf("%s:%s", ip, hostname)
+	cert, ok := m.certs[key]
+
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: cert for %s", errNotFound, key,
+		)
+	}
+
+	return cert, nil
+}
+
+type notification struct {
+	Title    string
+	Message  string
+	Priority string
+}
+
+type mockNotifier struct {
+	mu            sync.Mutex
+	notifications []notification
+}
+
+func (m *mockNotifier) SendNotification(
+	_ context.Context,
+	title, message, priority string,
+) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.notifications = append(m.notifications, notification{
+		Title:    title,
+		Message:  message,
+		Priority: priority,
+	})
+}
+
+func (m *mockNotifier) getNotifications() []notification {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	result := make([]notification, len(m.notifications))
+	copy(result, m.notifications)
+
+	return result
+}
+
+// --- Helper to build a Watcher for testing ---
+
+type testDeps struct {
+	resolver    *mockResolver
+	portChecker *mockPortChecker
+	tlsChecker  *mockTLSChecker
+	notifier    *mockNotifier
+	state       *state.State
+	config      *config.Config
+}
+
+func newTestWatcher(
+	t *testing.T,
+	cfg *config.Config,
+) (*watcher.Watcher, *testDeps) {
+	t.Helper()
+
+	deps := &testDeps{
+		resolver: &mockResolver{
+			nsRecords:   make(map[string][]string),
+			allRecords:  make(map[string]map[string]map[string][]string),
+			ipAddresses: make(map[string][]string),
+		},
+		portChecker: &mockPortChecker{
+			results: make(map[string]bool),
+		},
+		tlsChecker: &mockTLSChecker{
+			certs: make(map[string]*tlscheck.CertificateInfo),
+		},
+		notifier: &mockNotifier{},
+		config:   cfg,
+	}
+
+	deps.state = state.NewForTest()
+
+	w := watcher.NewForTest(
+		deps.config,
+		deps.state,
+		deps.resolver,
+		deps.portChecker,
+		deps.tlsChecker,
+		deps.notifier,
+	)
+
+	return w, deps
+}
+
+func defaultTestConfig(t *testing.T) *config.Config {
+	t.Helper()
+
+	return &config.Config{
+		DNSInterval:      time.Hour,
+		TLSInterval:      12 * time.Hour,
+		TLSExpiryWarning: 7,
+		DataDir:          t.TempDir(),
+	}
+}
+
+func TestFirstRunBaseline(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Domains = []string{"example.com"}
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+	setupBaselineMocks(deps)
+
+	w.RunOnce(t.Context())
+
+	assertNoNotifications(t, deps)
+	assertStatePopulated(t, deps)
+}
+
+func setupBaselineMocks(deps *testDeps) {
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+		"ns2.example.com.",
+	}
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+		"ns2.example.com.": {"A": {"93.184.216.34"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"93.184.216.34",
+	}
+	deps.portChecker.results["93.184.216.34:80"] = true
+	deps.portChecker.results["93.184.216.34:443"] = true
+	deps.tlsChecker.certs["93.184.216.34:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+}
+
+func assertNoNotifications(
+	t *testing.T,
+	deps *testDeps,
+) {
+	t.Helper()
+
+	notifications := deps.notifier.getNotifications()
+	if len(notifications) != 0 {
+		t.Errorf(
+			"expected 0 notifications on first run, got %d",
+			len(notifications),
+		)
+	}
+}
+
+func assertStatePopulated(
+	t *testing.T,
+	deps *testDeps,
+) {
+	t.Helper()
+
+	snap := deps.state.GetSnapshot()
+
+	if len(snap.Domains) != 1 {
+		t.Errorf(
+			"expected 1 domain in state, got %d",
+			len(snap.Domains),
+		)
+	}
+
+	if len(snap.Hostnames) != 1 {
+		t.Errorf(
+			"expected 1 hostname in state, got %d",
+			len(snap.Hostnames),
+		)
+	}
+}
+
+func TestNSChangeDetection(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Domains = []string{"example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+		"ns2.example.com.",
+	}
+
+	ctx := t.Context()
+	w.RunOnce(ctx)
+
+	deps.resolver.mu.Lock()
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+		"ns3.example.com.",
+	}
+	deps.resolver.mu.Unlock()
+
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+	if len(notifications) == 0 {
+		t.Error("expected notification for NS change")
+	}
+
+	found := false
+
+	for _, n := range notifications {
+		if n.Priority == "warning" {
+			found = true
+		}
+	}
+
+	if !found {
+		t.Error("expected warning-priority NS change notification")
+	}
+}
+
+func TestRecordChangeDetection(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"93.184.216.34",
+	}
+	deps.portChecker.results["93.184.216.34:80"] = false
+	deps.portChecker.results["93.184.216.34:443"] = false
+
+	ctx := t.Context()
+	w.RunOnce(ctx)
+
+	deps.resolver.mu.Lock()
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.35"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"93.184.216.35",
+	}
+	deps.resolver.mu.Unlock()
+
+	deps.portChecker.mu.Lock()
+	deps.portChecker.results["93.184.216.35:80"] = false
+	deps.portChecker.results["93.184.216.35:443"] = false
+	deps.portChecker.mu.Unlock()
+
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+	if len(notifications) == 0 {
+		t.Error("expected notification for record change")
+	}
+}
+
+func TestPortStateChange(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = true
+	deps.portChecker.results["1.2.3.4:443"] = true
+	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+
+	ctx := t.Context()
+	w.RunOnce(ctx)
+
+	deps.portChecker.mu.Lock()
+	deps.portChecker.results["1.2.3.4:443"] = false
+	deps.portChecker.mu.Unlock()
+
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+	if len(notifications) == 0 {
+		t.Error("expected notification for port state change")
+	}
+}
+
+func TestTLSExpiryWarning(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = true
+	deps.portChecker.results["1.2.3.4:443"] = true
+	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+
+	ctx := t.Context()
+
+	// First run = baseline
+	w.RunOnce(ctx)
+
+	// Second run should warn about expiry
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+
+	found := false
+
+	for _, n := range notifications {
+		if n.Priority == "warning" {
+			found = true
+		}
+	}
+
+	if !found {
+		t.Errorf(
+			"expected expiry warning, got: %v",
+			notifications,
+		)
+	}
+}
+
+func TestGracefulShutdown(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Domains = []string{"example.com"}
+	cfg.DNSInterval = 100 * time.Millisecond
+	cfg.TLSInterval = 100 * time.Millisecond
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+
+	done := make(chan struct{})
+
+	go func() {
+		w.Run(ctx)
+		close(done)
+	}()
+
+	time.Sleep(250 * time.Millisecond)
+	cancel()
+
+	select {
+	case <-done:
+		// Shut down cleanly
+	case <-time.After(5 * time.Second):
+		t.Error("watcher did not shut down within timeout")
+	}
+}
+
+func TestNSFailureAndRecovery(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+		"ns2.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = false
+	deps.portChecker.results["1.2.3.4:443"] = false
+
+	ctx := t.Context()
+
+	w.RunOnce(ctx)
+
+	deps.resolver.mu.Lock()
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.mu.Unlock()
+
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+	if len(notifications) == 0 {
+		t.Error("expected notification for NS disappearance")
+	}
+}