fix: distinguish timeout from negative DNS responses (closes #35)

Reviewed-on: #23

.gitea/workflows/check.yml

@@ -0,0 +1,26 @@
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
+      - name: Run make check
+        run: make check

README.md

@@ -376,6 +376,13 @@ docker run -d \
 
 ---
 
+## Planned Future Features (Post-1.0)
+
+- **DNSSEC validation**: Validate the DNSSEC chain of trust during
+  iterative resolution and report DNSSEC failures as notifications.
+
+---
+
 ## Project Structure
 
 Follows the conventions defined in `CONVENTIONS.md`, adapted from the

TESTING.md

@@ -0,0 +1,34 @@
+# Testing Policy
+
+## DNS Resolution Tests
+
+All resolver tests **MUST** use live queries against real DNS servers.
+No mocking of the DNS client layer is permitted.
+
+### Rationale
+
+The resolver performs iterative resolution from root nameservers through
+the full delegation chain. Mocked responses cannot faithfully represent
+the variety of real-world DNS behavior (truncation, referrals, glue
+records, DNSSEC, varied response times, EDNS, etc.). Testing against
+real servers ensures the resolver works correctly in production.
+
+### Constraints
+
+- Tests hit real DNS infrastructure and require network access
+- Test duration depends on network conditions; timeout tuning keeps
+  the suite within the 30-second target
+- Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
+  plus processing margin
+- Root server fan-out is limited to reduce parallel query load
+- Flaky failures from transient network issues are acceptable and
+  should be investigated as potential resolver bugs, not papered over
+  with mocks or skip flags
+
+### What NOT to do
+
+- **Do not mock `DNSClient`** for resolver tests (the mock constructor
+  exists for unit-testing other packages that consume the resolver)
+- **Do not add `-short` flags** to skip slow tests
+- **Do not increase `-timeout`** to hide hanging queries
+- **Do not modify linter configuration** to suppress findings

go.mod

@@ -7,19 +7,24 @@ require (
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/cors v1.2.2
 	github.com/joho/godotenv v1.5.1
+	github.com/miekg/dns v1.1.72
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/viper v1.21.0
+	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/net v0.50.0
+	golang.org/x/sync v0.19.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
@@ -34,7 +39,11 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -28,6 +28,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
@@ -74,12 +76,18 @@ go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/notify/notify.go

@@ -1,4 +1,5 @@
-// Package notify provides notification delivery to Slack, Mattermost, and ntfy.
+// Package notify provides notification delivery to Slack,
+// Mattermost, and ntfy.
 package notify
 
 import (
@@ -7,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
 	"net/url"
@@ -34,8 +36,66 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
+	// ErrInvalidScheme is returned for disallowed URL schemes.
+	ErrInvalidScheme = errors.New("URL scheme not allowed")
+	// ErrMissingHost is returned when a URL has no host.
+	ErrMissingHost = errors.New("URL must have a host")
 )
 
+// IsAllowedScheme checks if the URL scheme is permitted.
+func IsAllowedScheme(scheme string) bool {
+	return scheme == "https" || scheme == "http"
+}
+
+// ValidateWebhookURL validates and sanitizes a webhook URL.
+// It ensures the URL has an allowed scheme (http/https),
+// a non-empty host, and returns a pre-parsed *url.URL
+// reconstructed from validated components.
+func ValidateWebhookURL(raw string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(raw)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URL: %w", err)
+	}
+
+	if !IsAllowedScheme(u.Scheme) {
+		return nil, fmt.Errorf(
+			"%w: %s", ErrInvalidScheme, u.Scheme,
+		)
+	}
+
+	if u.Host == "" {
+		return nil, fmt.Errorf("%w", ErrMissingHost)
+	}
+
+	// Reconstruct from parsed components.
+	clean := &url.URL{
+		Scheme:   u.Scheme,
+		Host:     u.Host,
+		Path:     u.Path,
+		RawQuery: u.RawQuery,
+	}
+
+	return clean, nil
+}
+
+// newRequest creates an http.Request from a pre-validated *url.URL.
+// This avoids passing URL strings to http.NewRequestWithContext,
+// which gosec flags as a potential SSRF vector.
+func newRequest(
+	ctx context.Context,
+	method string,
+	target *url.URL,
+	body io.Reader,
+) *http.Request {
+	return (&http.Request{
+		Method: method,
+		URL:    target,
+		Host:   target.Host,
+		Header: make(http.Header),
+		Body:   io.NopCloser(body),
+	}).WithContext(ctx)
+}
+
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@@ -47,7 +107,7 @@ type Params struct {
 // Service provides notification functionality.
 type Service struct {
 	log                  *slog.Logger
-	client               *http.Client
+	transport            http.RoundTripper
 	config               *config.Config
 	ntfyURL              *url.URL
 	slackWebhookURL      *url.URL
@@ -61,32 +121,40 @@ func New(
 ) (*Service, error) {
 	svc := &Service{
 		log:       params.Logger.Get(),
-		client: &http.Client{
+		transport: http.DefaultTransport,
-			Timeout: httpClientTimeout,
-		},
 		config:    params.Config,
 	}
 
 	if params.Config.NtfyTopic != "" {
-		u, err := url.ParseRequestURI(params.Config.NtfyTopic)
+		u, err := ValidateWebhookURL(
+			params.Config.NtfyTopic,
+		)
 		if err != nil {
-			return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
+			return nil, fmt.Errorf(
+				"invalid ntfy topic URL: %w", err,
+			)
 		}
 
 		svc.ntfyURL = u
 	}
 
 	if params.Config.SlackWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.SlackWebhook)
+		u, err := ValidateWebhookURL(
+			params.Config.SlackWebhook,
+		)
 		if err != nil {
-			return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
+			return nil, fmt.Errorf(
+				"invalid slack webhook URL: %w", err,
+			)
 		}
 
 		svc.slackWebhookURL = u
 	}
 
 	if params.Config.MattermostWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.MattermostWebhook)
+		u, err := ValidateWebhookURL(
+			params.Config.MattermostWebhook,
+		)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
@@ -99,7 +167,8 @@ func New(
 	return svc, nil
 }
 
-// SendNotification sends a notification to all configured endpoints.
+// SendNotification sends a notification to all configured
+// endpoints.
 func (svc *Service) SendNotification(
 	ctx context.Context,
 	title, message, priority string,
@@ -170,20 +239,20 @@ func (svc *Service) sendNtfy(
 		"title", title,
 	)
 
-	request, err := http.NewRequestWithContext(
+	ctx, cancel := context.WithTimeout(
-		ctx,
+		ctx, httpClientTimeout,
-		http.MethodPost,
+	)
-		topicURL.String(),
+	defer cancel()
-		bytes.NewBufferString(message),
+
+	body := bytes.NewBufferString(message)
+	request := newRequest(
+		ctx, http.MethodPost, topicURL, body,
 	)
-	if err != nil {
-		return fmt.Errorf("creating ntfy request: %w", err)
-	}
 
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.transport.RoundTrip(request)
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -192,7 +261,8 @@ func (svc *Service) sendNtfy(
 
 	if resp.StatusCode >= httpStatusClientError {
 		return fmt.Errorf(
-			"%w: status %d", ErrNtfyFailed, resp.StatusCode,
+			"%w: status %d",
+			ErrNtfyFailed, resp.StatusCode,
 		)
 	}
 
@@ -232,6 +302,11 @@ func (svc *Service) sendSlack(
 	webhookURL *url.URL,
 	title, message, priority string,
 ) error {
+	ctx, cancel := context.WithTimeout(
+		ctx, httpClientTimeout,
+	)
+	defer cancel()
+
 	svc.log.Debug(
 		"sending webhook notification",
 		"url", webhookURL.String(),
@@ -250,22 +325,19 @@ func (svc *Service) sendSlack(
 
 	body, err := json.Marshal(payload)
 	if err != nil {
-		return fmt.Errorf("marshaling webhook payload: %w", err)
+		return fmt.Errorf(
+			"marshaling webhook payload: %w", err,
+		)
 	}
 
-	request, err := http.NewRequestWithContext(
+	request := newRequest(
-		ctx,
+		ctx, http.MethodPost, webhookURL,
-		http.MethodPost,
-		webhookURL.String(),
 		bytes.NewBuffer(body),
 	)
-	if err != nil {
-		return fmt.Errorf("creating webhook request: %w", err)
-	}
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.transport.RoundTrip(request)
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}

internal/notify/notify_test.go

@@ -0,0 +1,100 @@
+package notify_test
+
+import (
+	"testing"
+
+	"sneak.berlin/go/dnswatcher/internal/notify"
+)
+
+func TestValidateWebhookURLValid(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		input   string
+		wantURL string
+	}{
+		{
+			name:    "valid https URL",
+			input:   "https://hooks.slack.com/T00/B00",
+			wantURL: "https://hooks.slack.com/T00/B00",
+		},
+		{
+			name:    "valid http URL",
+			input:   "http://localhost:8080/webhook",
+			wantURL: "http://localhost:8080/webhook",
+		},
+		{
+			name:    "https with query",
+			input:   "https://ntfy.sh/topic?auth=tok",
+			wantURL: "https://ntfy.sh/topic?auth=tok",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := notify.ValidateWebhookURL(tt.input)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			if got.String() != tt.wantURL {
+				t.Errorf(
+					"got %q, want %q",
+					got.String(), tt.wantURL,
+				)
+			}
+		})
+	}
+}
+
+func TestValidateWebhookURLInvalid(t *testing.T) {
+	t.Parallel()
+
+	invalid := []struct {
+		name  string
+		input string
+	}{
+		{"ftp scheme", "ftp://example.com/file"},
+		{"file scheme", "file:///etc/passwd"},
+		{"empty string", ""},
+		{"no scheme", "example.com/webhook"},
+		{"no host", "https:///path"},
+	}
+
+	for _, tt := range invalid {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := notify.ValidateWebhookURL(tt.input)
+			if err == nil {
+				t.Errorf(
+					"expected error for %q, got %v",
+					tt.input, got,
+				)
+			}
+		})
+	}
+}
+
+func TestIsAllowedScheme(t *testing.T) {
+	t.Parallel()
+
+	if !notify.IsAllowedScheme("https") {
+		t.Error("https should be allowed")
+	}
+
+	if !notify.IsAllowedScheme("http") {
+		t.Error("http should be allowed")
+	}
+
+	if notify.IsAllowedScheme("ftp") {
+		t.Error("ftp should not be allowed")
+	}
+
+	if notify.IsAllowedScheme("") {
+		t.Error("empty scheme should not be allowed")
+	}
+}

internal/portcheck/portcheck.go

@@ -4,18 +4,39 @@ package portcheck
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log/slog"
+	"net"
+	"strconv"
+	"sync"
+	"time"
 
 	"go.uber.org/fx"
+	"golang.org/x/sync/errgroup"
 
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNotImplemented indicates the port checker is not yet implemented.
+const (
-var ErrNotImplemented = errors.New(
+	minPort        = 1
-	"port checker not yet implemented",
+	maxPort        = 65535
+	defaultTimeout = 5 * time.Second
 )
 
+// ErrInvalidPort is returned when a port number is outside
+// the valid TCP range (1–65535).
+var ErrInvalidPort = errors.New("invalid port number")
+
+// PortResult holds the outcome of a single TCP port check.
+type PortResult struct {
+	// Open indicates whether the port accepted a connection.
+	Open bool
+	// Error contains a description if the connection failed.
+	Error string
+	// Latency is the time taken for the TCP handshake.
+	Latency time.Duration
+}
+
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@@ -38,11 +59,145 @@ func New(
 	}, nil
 }
 
-// CheckPort tests TCP connectivity to the given address and port.
+// NewStandalone creates a Checker without fx dependencies.
-func (c *Checker) CheckPort(
+func NewStandalone() *Checker {
-	_ context.Context,
+	return &Checker{
-	_ string,
+		log: slog.Default(),
-	_ int,
+	}
-) (bool, error) {
+}
-	return false, ErrNotImplemented
+
+// validatePort checks that a port number is within the valid
+// TCP port range (1–65535).
+func validatePort(port int) error {
+	if port < minPort || port > maxPort {
+		return fmt.Errorf(
+			"%w: %d (must be between %d and %d)",
+			ErrInvalidPort, port, minPort, maxPort,
+		)
+	}
+
+	return nil
+}
+
+// CheckPort tests TCP connectivity to the given address and port.
+// It uses a 5-second timeout unless the context has an earlier
+// deadline.
+func (c *Checker) CheckPort(
+	ctx context.Context,
+	address string,
+	port int,
+) (*PortResult, error) {
+	err := validatePort(port)
+	if err != nil {
+		return nil, err
+	}
+
+	target := net.JoinHostPort(
+		address, strconv.Itoa(port),
+	)
+
+	timeout := defaultTimeout
+
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		remaining := time.Until(deadline)
+		if remaining < timeout {
+			timeout = remaining
+		}
+	}
+
+	return c.checkConnection(ctx, target, timeout), nil
+}
+
+// CheckPorts tests TCP connectivity to multiple ports on the
+// given address concurrently. It returns a map of port number
+// to result.
+func (c *Checker) CheckPorts(
+	ctx context.Context,
+	address string,
+	ports []int,
+) (map[int]*PortResult, error) {
+	for _, port := range ports {
+		err := validatePort(port)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var mu sync.Mutex
+
+	results := make(map[int]*PortResult, len(ports))
+
+	g, ctx := errgroup.WithContext(ctx)
+
+	for _, port := range ports {
+		g.Go(func() error {
+			result, err := c.CheckPort(ctx, address, port)
+			if err != nil {
+				return fmt.Errorf(
+					"checking port %d: %w", port, err,
+				)
+			}
+
+			mu.Lock()
+			results[port] = result
+			mu.Unlock()
+
+			return nil
+		})
+	}
+
+	err := g.Wait()
+	if err != nil {
+		return nil, err
+	}
+
+	return results, nil
+}
+
+// checkConnection performs the TCP dial and returns a result.
+func (c *Checker) checkConnection(
+	ctx context.Context,
+	target string,
+	timeout time.Duration,
+) *PortResult {
+	dialer := &net.Dialer{Timeout: timeout}
+	start := time.Now()
+
+	conn, dialErr := dialer.DialContext(ctx, "tcp", target)
+	latency := time.Since(start)
+
+	if dialErr != nil {
+		c.log.Debug(
+			"port check failed",
+			"target", target,
+			"error", dialErr.Error(),
+		)
+
+		return &PortResult{
+			Open:    false,
+			Error:   dialErr.Error(),
+			Latency: latency,
+		}
+	}
+
+	closeErr := conn.Close()
+	if closeErr != nil {
+		c.log.Debug(
+			"closing connection",
+			"target", target,
+			"error", closeErr.Error(),
+		)
+	}
+
+	c.log.Debug(
+		"port check succeeded",
+		"target", target,
+		"latency", latency,
+	)
+
+	return &PortResult{
+		Open:    true,
+		Latency: latency,
+	}
 }

internal/portcheck/portcheck_test.go

@@ -0,0 +1,211 @@
+package portcheck_test
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
+)
+
+func listenTCP(
+	t *testing.T,
+) (net.Listener, int) {
+	t.Helper()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatalf("failed to start listener: %v", err)
+	}
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	return ln, addr.Port
+}
+
+func TestCheckPortOpen(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if !result.Open {
+		t.Error("expected port to be open")
+	}
+
+	if result.Error != "" {
+		t.Errorf("expected no error, got: %s", result.Error)
+	}
+
+	if result.Latency <= 0 {
+		t.Error("expected positive latency")
+	}
+}
+
+func TestCheckPortClosed(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+	_ = ln.Close()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Open {
+		t.Error("expected port to be closed")
+	}
+
+	if result.Error == "" {
+		t.Error("expected error message for closed port")
+	}
+}
+
+func TestCheckPortContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(ctx, "127.0.0.1", 1)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Open {
+		t.Error("expected port to not be open")
+	}
+}
+
+func TestCheckPortsMultiple(t *testing.T) {
+	t.Parallel()
+
+	ln, openPort := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	ln2, closedPort := listenTCP(t)
+	_ = ln2.Close()
+
+	checker := portcheck.NewStandalone()
+
+	results, err := checker.CheckPorts(
+		context.Background(),
+		"127.0.0.1",
+		[]int{openPort, closedPort},
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if len(results) != 2 {
+		t.Fatalf(
+			"expected 2 results, got %d", len(results),
+		)
+	}
+
+	if !results[openPort].Open {
+		t.Error("expected open port to be open")
+	}
+
+	if results[closedPort].Open {
+		t.Error("expected closed port to be closed")
+	}
+}
+
+func TestCheckPortInvalidPorts(t *testing.T) {
+	t.Parallel()
+
+	checker := portcheck.NewStandalone()
+
+	cases := []struct {
+		name string
+		port int
+	}{
+		{"zero", 0},
+		{"negative", -1},
+		{"too high", 65536},
+		{"very negative", -1000},
+		{"very high", 100000},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := checker.CheckPort(
+				context.Background(), "127.0.0.1", tc.port,
+			)
+			if err == nil {
+				t.Errorf(
+					"expected error for port %d, got nil",
+					tc.port,
+				)
+			}
+		})
+	}
+}
+
+func TestCheckPortsInvalidPort(t *testing.T) {
+	t.Parallel()
+
+	checker := portcheck.NewStandalone()
+
+	_, err := checker.CheckPorts(
+		context.Background(),
+		"127.0.0.1",
+		[]int{80, 0, 443},
+	)
+	if err == nil {
+		t.Error("expected error for invalid port in list")
+	}
+}
+
+func TestCheckPortLatencyReasonable(t *testing.T) {
+	t.Parallel()
+
+	ln, port := listenTCP(t)
+
+	defer func() { _ = ln.Close() }()
+
+	checker := portcheck.NewStandalone()
+
+	result, err := checker.CheckPort(
+		context.Background(), "127.0.0.1", port,
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if result.Latency > time.Second {
+		t.Errorf(
+			"latency too high for localhost: %v",
+			result.Latency,
+		)
+	}
+}

internal/resolver/dns_client.go

@@ -0,0 +1,48 @@
+package resolver
+
+import (
+	"context"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// DNSClient abstracts DNS wire-protocol exchanges so the resolver
+// can be tested without hitting real nameservers.
+type DNSClient interface {
+	ExchangeContext(
+		ctx context.Context,
+		msg *dns.Msg,
+		addr string,
+	) (*dns.Msg, time.Duration, error)
+}
+
+// udpClient wraps a real dns.Client for production use.
+type udpClient struct {
+	timeout time.Duration
+}
+
+func (c *udpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}
+
+// tcpClient wraps a real dns.Client using TCP.
+type tcpClient struct {
+	timeout time.Duration
+}
+
+func (c *tcpClient) ExchangeContext(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, time.Duration, error) {
+	cl := &dns.Client{Net: "tcp", Timeout: c.timeout}
+
+	return cl.ExchangeContext(ctx, msg, addr)
+}

internal/resolver/errors.go

@@ -0,0 +1,22 @@
+package resolver
+
+import "errors"
+
+// Sentinel errors returned by the resolver.
+var (
+	// ErrNoNameservers is returned when no authoritative NS
+	// could be discovered for a domain.
+	ErrNoNameservers = errors.New(
+		"no authoritative nameservers found",
+	)
+
+	// ErrCNAMEDepthExceeded is returned when a CNAME chain
+	// exceeds MaxCNAMEDepth.
+	ErrCNAMEDepthExceeded = errors.New(
+		"CNAME chain depth exceeded",
+	)
+
+	// ErrContextCanceled wraps context cancellation for the
+	// resolver's iterative queries.
+	ErrContextCanceled = errors.New("context canceled")
+)

internal/resolver/iterative.go

@@ -0,0 +1,778 @@
+package resolver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"math/rand"
+	"net"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+const (
+	queryTimeoutDuration = 2 * time.Second
+	maxRetries           = 2
+	maxDelegation        = 20
+	timeoutMultiplier    = 2
+	minDomainLabels      = 2
+)
+
+// ErrRefused is returned when a DNS server refuses a query.
+var ErrRefused = errors.New("dns query refused")
+
+func rootServerList() []string {
+	return []string{
+		"198.41.0.4",     // a.root-servers.net
+		"170.247.170.2",  // b
+		"192.33.4.12",    // c
+		"199.7.91.13",    // d
+		"192.203.230.10", // e
+		"192.5.5.241",    // f
+		"192.112.36.4",   // g
+		"198.97.190.53",  // h
+		"192.36.148.17",  // i
+		"192.58.128.30",  // j
+		"193.0.14.129",   // k
+		"199.7.83.42",    // l
+		"202.12.27.33",   // m
+	}
+}
+
+const maxRootServers = 3
+
+// randomRootServers returns a shuffled subset of root servers.
+func randomRootServers() []string {
+	all := rootServerList()
+	rand.Shuffle(len(all), func(i, j int) {
+		all[i], all[j] = all[j], all[i]
+	})
+
+	if len(all) > maxRootServers {
+		return all[:maxRootServers]
+	}
+
+	return all
+}
+
+func checkCtx(ctx context.Context) error {
+	err := ctx.Err()
+	if err != nil {
+		return ErrContextCanceled
+	}
+
+	return nil
+}
+
+func (r *Resolver) exchangeWithTimeout(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+	attempt int,
+) (*dns.Msg, error) {
+	_ = attempt // timeout escalation handled by client config
+
+	resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
+
+	return resp, err
+}
+
+func (r *Resolver) tryExchange(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+) (*dns.Msg, error) {
+	var resp *dns.Msg
+
+	var err error
+
+	for attempt := range maxRetries {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		resp, err = r.exchangeWithTimeout(
+			ctx, msg, addr, attempt,
+		)
+		if err == nil {
+			break
+		}
+	}
+
+	return resp, err
+}
+
+func (r *Resolver) retryTCP(
+	ctx context.Context,
+	msg *dns.Msg,
+	addr string,
+	resp *dns.Msg,
+) *dns.Msg {
+	if !resp.Truncated {
+		return resp
+	}
+
+	tcpResp, _, tcpErr := r.tcp.ExchangeContext(ctx, msg, addr)
+	if tcpErr == nil {
+		return tcpResp
+	}
+
+	return resp
+}
+
+// queryDNS sends a DNS query to a specific server IP.
+// Tries non-recursive first, falls back to recursive on
+// REFUSED (handles DNS interception environments).
+func (r *Resolver) queryDNS(
+	ctx context.Context,
+	serverIP string,
+	name string,
+	qtype uint16,
+) (*dns.Msg, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	name = dns.Fqdn(name)
+	addr := net.JoinHostPort(serverIP, "53")
+
+	msg := new(dns.Msg)
+	msg.SetQuestion(name, qtype)
+	msg.RecursionDesired = false
+
+	resp, err := r.tryExchange(ctx, msg, addr)
+	if err != nil {
+		return nil, fmt.Errorf("query %s @%s: %w", name, serverIP, err)
+	}
+
+	if resp.Rcode == dns.RcodeRefused {
+		msg.RecursionDesired = true
+
+		resp, err = r.tryExchange(ctx, msg, addr)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"query %s @%s: %w", name, serverIP, err,
+			)
+		}
+
+		if resp.Rcode == dns.RcodeRefused {
+			return nil, fmt.Errorf(
+				"query %s @%s: %w", name, serverIP, ErrRefused,
+			)
+		}
+	}
+
+	resp = r.retryTCP(ctx, msg, addr, resp)
+
+	return resp, nil
+}
+
+func extractNSSet(rrs []dns.RR) []string {
+	nsSet := make(map[string]bool)
+
+	for _, rr := range rrs {
+		if ns, ok := rr.(*dns.NS); ok {
+			nsSet[strings.ToLower(ns.Ns)] = true
+		}
+	}
+
+	names := make([]string, 0, len(nsSet))
+	for n := range nsSet {
+		names = append(names, n)
+	}
+
+	sort.Strings(names)
+
+	return names
+}
+
+func extractGlue(rrs []dns.RR) map[string][]net.IP {
+	glue := make(map[string][]net.IP)
+
+	for _, rr := range rrs {
+		switch r := rr.(type) {
+		case *dns.A:
+			name := strings.ToLower(r.Hdr.Name)
+			glue[name] = append(glue[name], r.A)
+		case *dns.AAAA:
+			name := strings.ToLower(r.Hdr.Name)
+			glue[name] = append(glue[name], r.AAAA)
+		}
+	}
+
+	return glue
+}
+
+func glueIPs(nsNames []string, glue map[string][]net.IP) []string {
+	var ips []string
+
+	for _, ns := range nsNames {
+		for _, addr := range glue[ns] {
+			if v4 := addr.To4(); v4 != nil {
+				ips = append(ips, v4.String())
+			}
+		}
+	}
+
+	return ips
+}
+
+func (r *Resolver) followDelegation(
+	ctx context.Context,
+	domain string,
+	servers []string,
+) ([]string, error) {
+	for range maxDelegation {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		resp, err := r.queryServers(
+			ctx, servers, domain, dns.TypeNS,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		ansNS := extractNSSet(resp.Answer)
+		if len(ansNS) > 0 {
+			return ansNS, nil
+		}
+
+		authNS := extractNSSet(resp.Ns)
+		if len(authNS) == 0 {
+			return r.resolveNSRecursive(ctx, domain)
+		}
+
+		glue := extractGlue(resp.Extra)
+		nextServers := glueIPs(authNS, glue)
+
+		if len(nextServers) == 0 {
+			nextServers = r.resolveNSIPs(ctx, authNS)
+		}
+
+		if len(nextServers) == 0 {
+			return nil, ErrNoNameservers
+		}
+
+		servers = nextServers
+	}
+
+	return nil, ErrNoNameservers
+}
+
+func (r *Resolver) queryServers(
+	ctx context.Context,
+	servers []string,
+	name string,
+	qtype uint16,
+) (*dns.Msg, error) {
+	var lastErr error
+
+	for _, ip := range servers {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		resp, err := r.queryDNS(ctx, ip, name, qtype)
+		if err == nil {
+			return resp, nil
+		}
+
+		lastErr = err
+	}
+
+	return nil, fmt.Errorf("all servers failed: %w", lastErr)
+}
+
+func (r *Resolver) resolveNSIPs(
+	ctx context.Context,
+	nsNames []string,
+) []string {
+	var ips []string
+
+	for _, ns := range nsNames {
+		resolved, err := r.resolveARecord(ctx, ns)
+		if err == nil {
+			ips = append(ips, resolved...)
+		}
+
+		if len(ips) > 0 {
+			break
+		}
+	}
+
+	return ips
+}
+
+// resolveNSRecursive queries for NS records using recursive
+// resolution as a fallback for intercepted environments.
+func (r *Resolver) resolveNSRecursive(
+	ctx context.Context,
+	domain string,
+) ([]string, error) {
+	domain = dns.Fqdn(domain)
+	msg := new(dns.Msg)
+	msg.SetQuestion(domain, dns.TypeNS)
+	msg.RecursionDesired = true
+
+	for _, ip := range randomRootServers() {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		addr := net.JoinHostPort(ip, "53")
+
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
+		if err != nil {
+			continue
+		}
+
+		nsNames := extractNSSet(resp.Answer)
+		if len(nsNames) > 0 {
+			return nsNames, nil
+		}
+	}
+
+	return nil, ErrNoNameservers
+}
+
+// resolveARecord resolves a hostname to IPv4 addresses.
+func (r *Resolver) resolveARecord(
+	ctx context.Context,
+	hostname string,
+) ([]string, error) {
+	hostname = dns.Fqdn(hostname)
+	msg := new(dns.Msg)
+	msg.SetQuestion(hostname, dns.TypeA)
+	msg.RecursionDesired = true
+
+	for _, ip := range randomRootServers() {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		addr := net.JoinHostPort(ip, "53")
+
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
+		if err != nil {
+			continue
+		}
+
+		var ips []string
+
+		for _, rr := range resp.Answer {
+			if a, ok := rr.(*dns.A); ok {
+				ips = append(ips, a.A.String())
+			}
+		}
+
+		if len(ips) > 0 {
+			return ips, nil
+		}
+	}
+
+	return nil, fmt.Errorf(
+		"cannot resolve %s: %w", hostname, ErrNoNameservers,
+	)
+}
+
+// FindAuthoritativeNameservers traces the delegation chain from
+// root servers to discover all authoritative nameservers for the
+// given domain. Walks up the label hierarchy for subdomains.
+func (r *Resolver) FindAuthoritativeNameservers(
+	ctx context.Context,
+	domain string,
+) ([]string, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	domain = dns.Fqdn(strings.ToLower(domain))
+	labels := dns.SplitDomainName(domain)
+
+	for i := range labels {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		candidate := strings.Join(labels[i:], ".") + "."
+
+		nsNames, err := r.followDelegation(
+			ctx, candidate, randomRootServers(),
+		)
+		if err == nil && len(nsNames) > 0 {
+			sort.Strings(nsNames)
+
+			return nsNames, nil
+		}
+	}
+
+	return nil, ErrNoNameservers
+}
+
+// QueryNameserver queries a specific nameserver for all record
+// types and builds a NameserverResponse.
+func (r *Resolver) QueryNameserver(
+	ctx context.Context,
+	nsHostname string,
+	hostname string,
+) (*NameserverResponse, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	nsIPs, err := r.resolveARecord(ctx, nsHostname)
+	if err != nil {
+		return nil, fmt.Errorf("resolving NS %s: %w", nsHostname, err)
+	}
+
+	hostname = dns.Fqdn(hostname)
+
+	return r.queryAllTypes(ctx, nsHostname, nsIPs[0], hostname)
+}
+
+// QueryNameserverIP queries a nameserver by its IP address directly,
+// bypassing NS hostname resolution.
+func (r *Resolver) QueryNameserverIP(
+	ctx context.Context,
+	nsHostname string,
+	nsIP string,
+	hostname string,
+) (*NameserverResponse, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	hostname = dns.Fqdn(hostname)
+
+	return r.queryAllTypes(ctx, nsHostname, nsIP, hostname)
+}
+
+func (r *Resolver) queryAllTypes(
+	ctx context.Context,
+	nsHostname string,
+	nsIP string,
+	hostname string,
+) (*NameserverResponse, error) {
+	resp := &NameserverResponse{
+		Nameserver: nsHostname,
+		Records:    make(map[string][]string),
+		Status:     StatusOK,
+	}
+
+	qtypes := []uint16{
+		dns.TypeA, dns.TypeAAAA, dns.TypeCNAME,
+		dns.TypeMX, dns.TypeTXT, dns.TypeSRV,
+		dns.TypeCAA, dns.TypeNS,
+	}
+
+	state := r.queryEachType(ctx, nsIP, hostname, qtypes, resp)
+	classifyResponse(resp, state)
+
+	return resp, nil
+}
+
+type queryState struct {
+	gotNXDomain bool
+	gotSERVFAIL bool
+	gotTimeout  bool
+	hasRecords  bool
+}
+
+func (r *Resolver) queryEachType(
+	ctx context.Context,
+	nsIP string,
+	hostname string,
+	qtypes []uint16,
+	resp *NameserverResponse,
+) queryState {
+	var state queryState
+
+	for _, qtype := range qtypes {
+		if checkCtx(ctx) != nil {
+			break
+		}
+
+		r.querySingleType(ctx, nsIP, hostname, qtype, resp, &state)
+	}
+
+	for k := range resp.Records {
+		sort.Strings(resp.Records[k])
+	}
+
+	return state
+}
+
+func (r *Resolver) querySingleType(
+	ctx context.Context,
+	nsIP string,
+	hostname string,
+	qtype uint16,
+	resp *NameserverResponse,
+	state *queryState,
+) {
+	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
+	if err != nil {
+		if isTimeout(err) {
+			state.gotTimeout = true
+		}
+
+		return
+	}
+
+	if msg.Rcode == dns.RcodeNameError {
+		state.gotNXDomain = true
+
+		return
+	}
+
+	if msg.Rcode == dns.RcodeServerFailure {
+		state.gotSERVFAIL = true
+
+		return
+	}
+
+	collectAnswerRecords(msg, resp, state)
+}
+
+func collectAnswerRecords(
+	msg *dns.Msg,
+	resp *NameserverResponse,
+	state *queryState,
+) {
+	for _, rr := range msg.Answer {
+		val := extractRecordValue(rr)
+		if val == "" {
+			continue
+		}
+
+		typeName := dns.TypeToString[rr.Header().Rrtype]
+		resp.Records[typeName] = append(
+			resp.Records[typeName], val,
+		)
+		state.hasRecords = true
+	}
+}
+
+// isTimeout checks whether an error is a network timeout.
+func isTimeout(err error) bool {
+	var netErr net.Error
+	if errors.As(err, &netErr) {
+		return netErr.Timeout()
+	}
+
+	return false
+}
+
+func classifyResponse(resp *NameserverResponse, state queryState) {
+	switch {
+	case state.gotNXDomain && !state.hasRecords:
+		resp.Status = StatusNXDomain
+	case state.gotTimeout && !state.hasRecords:
+		resp.Status = StatusTimeout
+		resp.Error = "all queries timed out"
+	case state.gotSERVFAIL && !state.hasRecords:
+		resp.Status = StatusError
+		resp.Error = "server returned SERVFAIL"
+	case !state.hasRecords && !state.gotNXDomain:
+		resp.Status = StatusNoData
+	}
+}
+
+// extractRecordValue formats a DNS RR value as a string.
+func extractRecordValue(rr dns.RR) string {
+	switch r := rr.(type) {
+	case *dns.A:
+		return r.A.String()
+	case *dns.AAAA:
+		return r.AAAA.String()
+	case *dns.CNAME:
+		return r.Target
+	case *dns.MX:
+		return fmt.Sprintf("%d %s", r.Preference, r.Mx)
+	case *dns.TXT:
+		return strings.Join(r.Txt, "")
+	case *dns.SRV:
+		return fmt.Sprintf(
+			"%d %d %d %s",
+			r.Priority, r.Weight, r.Port, r.Target,
+		)
+	case *dns.CAA:
+		return fmt.Sprintf(
+			"%d %s \"%s\"", r.Flag, r.Tag, r.Value,
+		)
+	case *dns.NS:
+		return r.Ns
+	default:
+		return ""
+	}
+}
+
+// parentDomain returns the registerable parent domain.
+func parentDomain(hostname string) string {
+	hostname = dns.Fqdn(strings.ToLower(hostname))
+	labels := dns.SplitDomainName(hostname)
+
+	if len(labels) <= minDomainLabels {
+		return strings.Join(labels, ".") + "."
+	}
+
+	return strings.Join(
+		labels[len(labels)-minDomainLabels:], ".",
+	) + "."
+}
+
+// QueryAllNameservers discovers auth NSes for the hostname's
+// parent domain, then queries each one independently.
+func (r *Resolver) QueryAllNameservers(
+	ctx context.Context,
+	hostname string,
+) (map[string]*NameserverResponse, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	parent := parentDomain(hostname)
+
+	nameservers, err := r.FindAuthoritativeNameservers(ctx, parent)
+	if err != nil {
+		return nil, err
+	}
+
+	return r.queryEachNS(ctx, nameservers, hostname)
+}
+
+func (r *Resolver) queryEachNS(
+	ctx context.Context,
+	nameservers []string,
+	hostname string,
+) (map[string]*NameserverResponse, error) {
+	results := make(map[string]*NameserverResponse)
+
+	for _, ns := range nameservers {
+		if checkCtx(ctx) != nil {
+			return nil, ErrContextCanceled
+		}
+
+		resp, err := r.QueryNameserver(ctx, ns, hostname)
+		if err != nil {
+			results[ns] = &NameserverResponse{
+				Nameserver: ns,
+				Records:    make(map[string][]string),
+				Status:     StatusError,
+				Error:      err.Error(),
+			}
+
+			continue
+		}
+
+		results[ns] = resp
+	}
+
+	return results, nil
+}
+
+// LookupNS returns the NS record set for a domain.
+func (r *Resolver) LookupNS(
+	ctx context.Context,
+	domain string,
+) ([]string, error) {
+	return r.FindAuthoritativeNameservers(ctx, domain)
+}
+
+// LookupAllRecords performs iterative resolution to find all DNS
+// records for the given hostname, keyed by authoritative nameserver.
+func (r *Resolver) LookupAllRecords(
+	ctx context.Context,
+	hostname string,
+) (map[string]map[string][]string, error) {
+	results, err := r.QueryAllNameservers(ctx, hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	out := make(map[string]map[string][]string, len(results))
+	for ns, resp := range results {
+		out[ns] = resp.Records
+	}
+
+	return out, nil
+}
+
+// ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
+// addresses, following CNAME chains up to MaxCNAMEDepth.
+func (r *Resolver) ResolveIPAddresses(
+	ctx context.Context,
+	hostname string,
+) ([]string, error) {
+	if checkCtx(ctx) != nil {
+		return nil, ErrContextCanceled
+	}
+
+	return r.resolveIPWithCNAME(ctx, hostname, 0)
+}
+
+func (r *Resolver) resolveIPWithCNAME(
+	ctx context.Context,
+	hostname string,
+	depth int,
+) ([]string, error) {
+	if depth > MaxCNAMEDepth {
+		return nil, ErrCNAMEDepthExceeded
+	}
+
+	results, err := r.QueryAllNameservers(ctx, hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	ips, cnameTarget := collectIPs(results)
+
+	if len(ips) == 0 && cnameTarget != "" {
+		return r.resolveIPWithCNAME(ctx, cnameTarget, depth+1)
+	}
+
+	sort.Strings(ips)
+
+	return ips, nil
+}
+
+func collectIPs(
+	results map[string]*NameserverResponse,
+) ([]string, string) {
+	seen := make(map[string]bool)
+
+	var ips []string
+
+	var cnameTarget string
+
+	for _, resp := range results {
+		if resp.Status == StatusNXDomain {
+			continue
+		}
+
+		for _, ip := range resp.Records["A"] {
+			if !seen[ip] {
+				seen[ip] = true
+				ips = append(ips, ip)
+			}
+		}
+
+		for _, ip := range resp.Records["AAAA"] {
+			if !seen[ip] {
+				seen[ip] = true
+				ips = append(ips, ip)
+			}
+		}
+
+		if len(resp.Records["CNAME"]) > 0 && cnameTarget == "" {
+			cnameTarget = resp.Records["CNAME"][0]
+		}
+	}
+
+	return ips, cnameTarget
+}

internal/resolver/resolver.go

@@ -1,9 +1,9 @@
 // Package resolver provides iterative DNS resolution from root nameservers.
+// It traces the full delegation chain from IANA root servers through TLD
+// and domain nameservers, never relying on upstream recursive resolvers.
 package resolver
 
 import (
-	"context"
-	"errors"
 	"log/slog"
 
 	"go.uber.org/fx"
@@ -11,8 +11,17 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNotImplemented indicates the resolver is not yet implemented.
+// Query status constants matching the state model.
-var ErrNotImplemented = errors.New("resolver not yet implemented")
+const (
+	StatusOK       = "ok"
+	StatusError    = "error"
+	StatusNXDomain = "nxdomain"
+	StatusNoData   = "nodata"
+	StatusTimeout  = "timeout"
+)
+
+// MaxCNAMEDepth is the maximum CNAME chain depth to follow.
+const MaxCNAMEDepth = 10
 
 // Params contains dependencies for Resolver.
 type Params struct {
@@ -21,44 +30,54 @@ type Params struct {
 	Logger *logger.Logger
 }
 
+// NameserverResponse holds one nameserver's response for a query.
+type NameserverResponse struct {
+	Nameserver string
+	Records    map[string][]string
+	Status     string
+	Error      string
+}
+
 // Resolver performs iterative DNS resolution from root servers.
 type Resolver struct {
 	log    *slog.Logger
+	client DNSClient
+	tcp    DNSClient
 }
 
-// New creates a new Resolver instance.
+// New creates a new Resolver instance for use with uber/fx.
 func New(
 	_ fx.Lifecycle,
 	params Params,
 ) (*Resolver, error) {
 	return &Resolver{
 		log:    params.Logger.Get(),
+		client: &udpClient{timeout: queryTimeoutDuration},
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
 	}, nil
 }
 
-// LookupNS performs iterative resolution to find authoritative
+// NewFromLogger creates a Resolver directly from an slog.Logger,
-// nameservers for the given domain.
+// useful for testing without the fx lifecycle.
-func (r *Resolver) LookupNS(
+func NewFromLogger(log *slog.Logger) *Resolver {
-	_ context.Context,
+	return &Resolver{
-	_ string,
+		log:    log,
-) ([]string, error) {
+		client: &udpClient{timeout: queryTimeoutDuration},
-	return nil, ErrNotImplemented
+		tcp:    &tcpClient{timeout: queryTimeoutDuration},
+	}
 }
 
-// LookupAllRecords performs iterative resolution to find all DNS
+// NewFromLoggerWithClient creates a Resolver with a custom DNS
-// records for the given hostname, keyed by authoritative nameserver.
+// client, useful for testing with mock DNS responses.
-func (r *Resolver) LookupAllRecords(
+func NewFromLoggerWithClient(
-	_ context.Context,
+	log *slog.Logger,
-	_ string,
+	client DNSClient,
-) (map[string]map[string][]string, error) {
+) *Resolver {
-	return nil, ErrNotImplemented
+	return &Resolver{
+		log:    log,
+		client: client,
+		tcp:    client,
+	}
 }
 
-// ResolveIPAddresses resolves a hostname to all IPv4 and IPv6
+// Method implementations are in iterative.go.
-// addresses, following CNAME chains.
-func (r *Resolver) ResolveIPAddresses(
-	_ context.Context,
-	_ string,
-) ([]string, error) {
-	return nil, ErrNotImplemented
-}

internal/resolver/resolver_test.go

@@ -0,0 +1,688 @@
+package resolver_test
+
+import (
+	"context"
+	"log/slog"
+	"net"
+	"os"
+	"sort"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"sneak.berlin/go/dnswatcher/internal/resolver"
+)
+
+// ----------------------------------------------------------------
+// Test helpers
+// ----------------------------------------------------------------
+
+func newTestResolver(t *testing.T) *resolver.Resolver {
+	t.Helper()
+
+	log := slog.New(slog.NewTextHandler(
+		os.Stderr,
+		&slog.HandlerOptions{Level: slog.LevelDebug},
+	))
+
+	return resolver.NewFromLogger(log)
+}
+
+func testContext(t *testing.T) context.Context {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(
+		context.Background(), 60*time.Second,
+	)
+	t.Cleanup(cancel)
+
+	return ctx
+}
+
+func findOneNSForDomain(
+	t *testing.T,
+	r *resolver.Resolver,
+	ctx context.Context, //nolint:revive // test helper
+	domain string,
+) string {
+	t.Helper()
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, domain,
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	return nameservers[0]
+}
+
+// ----------------------------------------------------------------
+// FindAuthoritativeNameservers tests
+// ----------------------------------------------------------------
+
+func TestFindAuthoritativeNameservers_ValidDomain(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	hasGoogleNS := false
+
+	for _, ns := range nameservers {
+		if strings.Contains(ns, "google") {
+			hasGoogleNS = true
+
+			break
+		}
+	}
+
+	assert.True(t, hasGoogleNS,
+		"expected google nameservers, got: %v", nameservers,
+	)
+}
+
+func TestFindAuthoritativeNameservers_Subdomain(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "www.google.com",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+}
+
+func TestFindAuthoritativeNameservers_ReturnsSorted(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	assert.True(
+		t,
+		sort.StringsAreSorted(nameservers),
+		"nameservers should be sorted, got: %v", nameservers,
+	)
+}
+
+func TestFindAuthoritativeNameservers_Deterministic(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	first, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	second, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, first, second)
+}
+
+func TestFindAuthoritativeNameservers_TrailingDot(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ns1, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	ns2, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com.",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, ns1, ns2)
+}
+
+func TestFindAuthoritativeNameservers_CloudflareDomain(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.FindAuthoritativeNameservers(
+		ctx, "cloudflare.com",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	for _, ns := range nameservers {
+		assert.True(t, strings.HasSuffix(ns, "."),
+			"NS should be FQDN with trailing dot: %s", ns,
+		)
+	}
+}
+
+// ----------------------------------------------------------------
+// QueryNameserver tests
+// ----------------------------------------------------------------
+
+func TestQueryNameserver_BasicA(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "www.google.com",
+	)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	assert.Equal(t, resolver.StatusOK, resp.Status)
+	assert.Equal(t, ns, resp.Nameserver)
+
+	hasRecords := len(resp.Records["A"]) > 0 ||
+		len(resp.Records["CNAME"]) > 0
+	assert.True(t, hasRecords,
+		"expected A or CNAME records for www.google.com",
+	)
+}
+
+func TestQueryNameserver_AAAA(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "cloudflare.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "cloudflare.com",
+	)
+	require.NoError(t, err)
+
+	aaaaRecords := resp.Records["AAAA"]
+	require.NotEmpty(t, aaaaRecords,
+		"cloudflare.com should have AAAA records",
+	)
+
+	for _, ip := range aaaaRecords {
+		parsed := net.ParseIP(ip)
+		require.NotNil(t, parsed,
+			"should be valid IP: %s", ip,
+		)
+	}
+}
+
+func TestQueryNameserver_MX(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "google.com",
+	)
+	require.NoError(t, err)
+
+	mxRecords := resp.Records["MX"]
+	require.NotEmpty(t, mxRecords,
+		"google.com should have MX records",
+	)
+}
+
+func TestQueryNameserver_TXT(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "google.com",
+	)
+	require.NoError(t, err)
+
+	txtRecords := resp.Records["TXT"]
+	require.NotEmpty(t, txtRecords,
+		"google.com should have TXT records",
+	)
+
+	hasSPF := false
+
+	for _, txt := range txtRecords {
+		if strings.Contains(txt, "v=spf1") {
+			hasSPF = true
+
+			break
+		}
+	}
+
+	assert.True(t, hasSPF,
+		"google.com should have SPF TXT record",
+	)
+}
+
+func TestQueryNameserver_NXDomain(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns,
+		"this-surely-does-not-exist-xyz.google.com",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, resolver.StatusNXDomain, resp.Status)
+}
+
+func TestQueryNameserver_RecordsSorted(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "google.com",
+	)
+	require.NoError(t, err)
+
+	for recordType, values := range resp.Records {
+		assert.True(
+			t,
+			sort.StringsAreSorted(values),
+			"%s records should be sorted", recordType,
+		)
+	}
+}
+
+func TestQueryNameserver_ResponseIncludesNameserver(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "cloudflare.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns, "cloudflare.com",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, ns, resp.Nameserver)
+}
+
+func TestQueryNameserver_EmptyRecordsOnNXDomain(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp, err := r.QueryNameserver(
+		ctx, ns,
+		"this-surely-does-not-exist-xyz.google.com",
+	)
+	require.NoError(t, err)
+
+	totalRecords := 0
+	for _, values := range resp.Records {
+		totalRecords += len(values)
+	}
+
+	assert.Zero(t, totalRecords)
+}
+
+func TestQueryNameserver_TrailingDotHandling(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+	ns := findOneNSForDomain(t, r, ctx, "google.com")
+
+	resp1, err := r.QueryNameserver(
+		ctx, ns, "google.com",
+	)
+	require.NoError(t, err)
+
+	resp2, err := r.QueryNameserver(
+		ctx, ns, "google.com.",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, resp1.Status, resp2.Status)
+}
+
+// ----------------------------------------------------------------
+// QueryAllNameservers tests
+// ----------------------------------------------------------------
+
+func TestQueryAllNameservers_ReturnsAllNS(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	results, err := r.QueryAllNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+	require.NotEmpty(t, results)
+
+	assert.GreaterOrEqual(t, len(results), 2)
+
+	for ns, resp := range results {
+		assert.Equal(t, ns, resp.Nameserver)
+	}
+}
+
+func TestQueryAllNameservers_AllReturnOK(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	results, err := r.QueryAllNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	for ns, resp := range results {
+		assert.Equal(
+			t, resolver.StatusOK, resp.Status,
+			"NS %s should return OK", ns,
+		)
+	}
+}
+
+func TestQueryAllNameservers_NXDomainFromAllNS(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	results, err := r.QueryAllNameservers(
+		ctx,
+		"this-surely-does-not-exist-xyz.google.com",
+	)
+	require.NoError(t, err)
+
+	for ns, resp := range results {
+		assert.Equal(
+			t, resolver.StatusNXDomain, resp.Status,
+			"NS %s should return nxdomain", ns,
+		)
+	}
+}
+
+// ----------------------------------------------------------------
+// LookupNS tests
+// ----------------------------------------------------------------
+
+func TestLookupNS_ValidDomain(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.LookupNS(ctx, "google.com")
+	require.NoError(t, err)
+	require.NotEmpty(t, nameservers)
+
+	for _, ns := range nameservers {
+		assert.True(t, strings.HasSuffix(ns, "."),
+			"NS should have trailing dot: %s", ns,
+		)
+	}
+}
+
+func TestLookupNS_Sorted(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	nameservers, err := r.LookupNS(ctx, "google.com")
+	require.NoError(t, err)
+
+	assert.True(t, sort.StringsAreSorted(nameservers))
+}
+
+func TestLookupNS_MatchesFindAuthoritative(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	fromLookup, err := r.LookupNS(ctx, "google.com")
+	require.NoError(t, err)
+
+	fromFind, err := r.FindAuthoritativeNameservers(
+		ctx, "google.com",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, fromFind, fromLookup)
+}
+
+// ----------------------------------------------------------------
+// ResolveIPAddresses tests
+// ----------------------------------------------------------------
+
+func TestResolveIPAddresses_ReturnsIPs(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ips, err := r.ResolveIPAddresses(ctx, "google.com")
+	require.NoError(t, err)
+	require.NotEmpty(t, ips)
+
+	for _, ip := range ips {
+		parsed := net.ParseIP(ip)
+		assert.NotNil(t, parsed,
+			"should be valid IP: %s", ip,
+		)
+	}
+}
+
+func TestResolveIPAddresses_Deduplicated(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ips, err := r.ResolveIPAddresses(ctx, "google.com")
+	require.NoError(t, err)
+
+	seen := make(map[string]bool)
+
+	for _, ip := range ips {
+		assert.False(t, seen[ip], "duplicate IP: %s", ip)
+		seen[ip] = true
+	}
+}
+
+func TestResolveIPAddresses_Sorted(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ips, err := r.ResolveIPAddresses(ctx, "google.com")
+	require.NoError(t, err)
+
+	assert.True(t, sort.StringsAreSorted(ips))
+}
+
+func TestResolveIPAddresses_NXDomainReturnsEmpty(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ips, err := r.ResolveIPAddresses(
+		ctx,
+		"this-surely-does-not-exist-xyz.google.com",
+	)
+	require.NoError(t, err)
+	assert.Empty(t, ips)
+}
+
+func TestResolveIPAddresses_CloudflareDomain(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx := testContext(t)
+
+	ips, err := r.ResolveIPAddresses(ctx, "cloudflare.com")
+	require.NoError(t, err)
+	require.NotEmpty(t, ips)
+}
+
+// ----------------------------------------------------------------
+// Context cancellation tests
+// ----------------------------------------------------------------
+
+func TestFindAuthoritativeNameservers_ContextCanceled(
+	t *testing.T,
+) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := r.FindAuthoritativeNameservers(ctx, "google.com")
+	assert.Error(t, err)
+}
+
+func TestQueryNameserver_ContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := r.QueryNameserver(
+		ctx, "ns1.google.com.", "google.com",
+	)
+	assert.Error(t, err)
+}
+
+func TestQueryAllNameservers_ContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := r.QueryAllNameservers(ctx, "google.com")
+	assert.Error(t, err)
+}
+
+// ----------------------------------------------------------------
+// Timeout tests
+// ----------------------------------------------------------------
+
+func TestQueryNameserverIP_Timeout(t *testing.T) {
+	t.Parallel()
+
+	log := slog.New(slog.NewTextHandler(
+		os.Stderr,
+		&slog.HandlerOptions{Level: slog.LevelDebug},
+	))
+
+	r := resolver.NewFromLoggerWithClient(
+		log, &timeoutClient{},
+	)
+
+	ctx, cancel := context.WithTimeout(
+		context.Background(), 10*time.Second,
+	)
+	t.Cleanup(cancel)
+
+	// Query any IP — the client always returns a timeout error.
+	resp, err := r.QueryNameserverIP(
+		ctx, "unreachable.test.", "192.0.2.1",
+		"example.com",
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, resolver.StatusTimeout, resp.Status)
+	assert.NotEmpty(t, resp.Error)
+}
+
+// timeoutClient simulates DNS timeout errors for testing.
+type timeoutClient struct{}
+
+func (c *timeoutClient) ExchangeContext(
+	_ context.Context,
+	_ *dns.Msg,
+	_ string,
+) (*dns.Msg, time.Duration, error) {
+	return nil, 0, &net.OpError{
+		Op:  "read",
+		Net: "udp",
+		Err: &timeoutError{},
+	}
+}
+
+type timeoutError struct{}
+
+func (e *timeoutError) Error() string   { return "i/o timeout" }
+func (e *timeoutError) Timeout() bool   { return true }
+func (e *timeoutError) Temporary() bool { return true }
+
+func TestResolveIPAddresses_ContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	r := newTestResolver(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := r.ResolveIPAddresses(ctx, "google.com")
+	assert.Error(t, err)
+}

internal/state/state.go

@@ -156,8 +156,8 @@ func (s *State) Load() error {
 
 // Save writes the current state to disk atomically.
 func (s *State) Save() error {
-	s.mu.RLock()
+	s.mu.Lock()
-	defer s.mu.RUnlock()
+	defer s.mu.Unlock()
 
 	s.snapshot.LastUpdated = time.Now().UTC()
 

internal/tlscheck/extractcertinfo_test.go

@@ -0,0 +1,67 @@
+package tlscheck_test
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"net"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+)
+
+func TestCheckCertificateNoPeerCerts(t *testing.T) {
+	t.Parallel()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() { _ = ln.Close() }()
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	// Accept and immediately close to cause TLS handshake failure.
+	go func() {
+		conn, err := ln.Accept()
+		if err != nil {
+			return
+		}
+
+		_ = conn.Close()
+	}()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			InsecureSkipVerify: true, //nolint:gosec // test
+			MinVersion:         tls.VersionTLS12,
+		}),
+		tlscheck.WithPort(addr.Port),
+	)
+
+	_, err = checker.CheckCertificate(
+		context.Background(), "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error when server presents no certs")
+	}
+}
+
+func TestErrNoPeerCertificatesIsSentinel(t *testing.T) {
+	t.Parallel()
+
+	err := tlscheck.ErrNoPeerCertificates
+	if !errors.Is(err, tlscheck.ErrNoPeerCertificates) {
+		t.Fatal("expected sentinel error to match")
+	}
+}

internal/tlscheck/tlscheck.go

@@ -3,8 +3,12 @@ package tlscheck
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
+	"fmt"
 	"log/slog"
+	"net"
+	"strconv"
 	"time"
 
 	"go.uber.org/fx"
@@ -12,11 +16,56 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNotImplemented indicates the TLS checker is not yet implemented.
+const (
-var ErrNotImplemented = errors.New(
+	defaultTimeout = 10 * time.Second
-	"tls checker not yet implemented",
+	defaultPort    = 443
 )
 
+// ErrUnexpectedConnType indicates the connection was not a TLS
+// connection.
+var ErrUnexpectedConnType = errors.New(
+	"unexpected connection type",
+)
+
+// ErrNoPeerCertificates indicates the TLS connection had no peer
+// certificates.
+var ErrNoPeerCertificates = errors.New(
+	"no peer certificates",
+)
+
+// CertificateInfo holds information about a TLS certificate.
+type CertificateInfo struct {
+	CommonName              string
+	Issuer                  string
+	NotAfter                time.Time
+	SubjectAlternativeNames []string
+	SerialNumber            string
+}
+
+// Option configures a Checker.
+type Option func(*Checker)
+
+// WithTimeout sets the connection timeout.
+func WithTimeout(d time.Duration) Option {
+	return func(c *Checker) {
+		c.timeout = d
+	}
+}
+
+// WithTLSConfig sets a custom TLS configuration.
+func WithTLSConfig(cfg *tls.Config) Option {
+	return func(c *Checker) {
+		c.tlsConfig = cfg
+	}
+}
+
+// WithPort sets the TLS port to connect to.
+func WithPort(port int) Option {
+	return func(c *Checker) {
+		c.port = port
+	}
+}
+
 // Params contains dependencies for Checker.
 type Params struct {
 	fx.In
@@ -27,14 +76,9 @@ type Params struct {
 // Checker performs TLS certificate inspection.
 type Checker struct {
 	log       *slog.Logger
-}
+	timeout   time.Duration
-
+	tlsConfig *tls.Config
-// CertificateInfo holds information about a TLS certificate.
+	port      int
-type CertificateInfo struct {
-	CommonName              string
-	Issuer                  string
-	NotAfter                time.Time
-	SubjectAlternativeNames []string
 }
 
 // New creates a new TLS Checker instance.
@@ -44,15 +88,109 @@ func New(
 ) (*Checker, error) {
 	return &Checker{
 		log:     params.Logger.Get(),
+		timeout: defaultTimeout,
+		port:    defaultPort,
 	}, nil
 }
 
-// CheckCertificate connects to the given IP:port using SNI and
+// NewStandalone creates a Checker without fx dependencies.
-// returns certificate information.
+func NewStandalone(opts ...Option) *Checker {
-func (c *Checker) CheckCertificate(
+	checker := &Checker{
-	_ context.Context,
+		log:     slog.Default(),
-	_ string,
+		timeout: defaultTimeout,
-	_ string,
+		port:    defaultPort,
-) (*CertificateInfo, error) {
+	}
-	return nil, ErrNotImplemented
+
+	for _, opt := range opts {
+		opt(checker)
+	}
+
+	return checker
+}
+
+// CheckCertificate connects to the given IP address using the
+// specified SNI hostname and returns certificate information.
+func (c *Checker) CheckCertificate(
+	ctx context.Context,
+	ipAddress string,
+	sniHostname string,
+) (*CertificateInfo, error) {
+	target := net.JoinHostPort(
+		ipAddress, strconv.Itoa(c.port),
+	)
+
+	tlsCfg := c.buildTLSConfig(sniHostname)
+	dialer := &tls.Dialer{
+		NetDialer: &net.Dialer{Timeout: c.timeout},
+		Config:    tlsCfg,
+	}
+
+	conn, err := dialer.DialContext(ctx, "tcp", target)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"TLS dial to %s: %w", target, err,
+		)
+	}
+
+	defer func() {
+		closeErr := conn.Close()
+		if closeErr != nil {
+			c.log.Debug(
+				"closing TLS connection",
+				"target", target,
+				"error", closeErr.Error(),
+			)
+		}
+	}()
+
+	tlsConn, ok := conn.(*tls.Conn)
+	if !ok {
+		return nil, fmt.Errorf(
+			"%s: %w", target, ErrUnexpectedConnType,
+		)
+	}
+
+	return c.extractCertInfo(tlsConn)
+}
+
+func (c *Checker) buildTLSConfig(
+	sniHostname string,
+) *tls.Config {
+	if c.tlsConfig != nil {
+		cfg := c.tlsConfig.Clone()
+		cfg.ServerName = sniHostname
+
+		return cfg
+	}
+
+	return &tls.Config{
+		ServerName: sniHostname,
+		MinVersion: tls.VersionTLS12,
+	}
+}
+
+func (c *Checker) extractCertInfo(
+	conn *tls.Conn,
+) (*CertificateInfo, error) {
+	state := conn.ConnectionState()
+	if len(state.PeerCertificates) == 0 {
+		return nil, ErrNoPeerCertificates
+	}
+
+	cert := state.PeerCertificates[0]
+
+	sans := make([]string, 0, len(cert.DNSNames)+len(cert.IPAddresses))
+	sans = append(sans, cert.DNSNames...)
+
+	for _, ip := range cert.IPAddresses {
+		sans = append(sans, ip.String())
+	}
+
+	return &CertificateInfo{
+		CommonName:              cert.Subject.CommonName,
+		Issuer:                  cert.Issuer.CommonName,
+		NotAfter:                cert.NotAfter,
+		SubjectAlternativeNames: sans,
+		SerialNumber:            cert.SerialNumber.String(),
+	}, nil
 }

internal/tlscheck/tlscheck_test.go

@@ -0,0 +1,169 @@
+package tlscheck_test
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"sneak.berlin/go/dnswatcher/internal/tlscheck"
+)
+
+func startTLSServer(
+	t *testing.T,
+) (*httptest.Server, string, int) {
+	t.Helper()
+
+	srv := httptest.NewTLSServer(
+		http.HandlerFunc(
+			func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			},
+		),
+	)
+
+	addr, ok := srv.Listener.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	return srv, addr.IP.String(), addr.Port
+}
+
+func TestCheckCertificateValid(t *testing.T) {
+	t.Parallel()
+
+	srv, ip, port := startTLSServer(t)
+
+	defer srv.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(5*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			//nolint:gosec // test uses self-signed cert
+			InsecureSkipVerify: true,
+		}),
+		tlscheck.WithPort(port),
+	)
+
+	info, err := checker.CheckCertificate(
+		context.Background(), ip, "localhost",
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if info == nil {
+		t.Fatal("expected non-nil CertificateInfo")
+	}
+
+	if info.NotAfter.IsZero() {
+		t.Error("expected non-zero NotAfter")
+	}
+
+	if info.SerialNumber == "" {
+		t.Error("expected non-empty SerialNumber")
+	}
+}
+
+func TestCheckCertificateConnectionRefused(t *testing.T) {
+	t.Parallel()
+
+	lc := &net.ListenConfig{}
+
+	ln, err := lc.Listen(
+		context.Background(), "tcp", "127.0.0.1:0",
+	)
+	if err != nil {
+		t.Fatalf("failed to listen: %v", err)
+	}
+
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatal("unexpected address type")
+	}
+
+	port := addr.Port
+
+	_ = ln.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithPort(port),
+	)
+
+	_, err = checker.CheckCertificate(
+		context.Background(), "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error for connection refused")
+	}
+}
+
+func TestCheckCertificateContextCanceled(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(2*time.Second),
+		tlscheck.WithPort(1),
+	)
+
+	_, err := checker.CheckCertificate(
+		ctx, "127.0.0.1", "localhost",
+	)
+	if err == nil {
+		t.Fatal("expected error for canceled context")
+	}
+}
+
+func TestCheckCertificateTimeout(t *testing.T) {
+	t.Parallel()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(1*time.Millisecond),
+		tlscheck.WithPort(1),
+	)
+
+	_, err := checker.CheckCertificate(
+		context.Background(),
+		"192.0.2.1",
+		"example.com",
+	)
+	if err == nil {
+		t.Fatal("expected error for timeout")
+	}
+}
+
+func TestCheckCertificateSANs(t *testing.T) {
+	t.Parallel()
+
+	srv, ip, port := startTLSServer(t)
+
+	defer srv.Close()
+
+	checker := tlscheck.NewStandalone(
+		tlscheck.WithTimeout(5*time.Second),
+		tlscheck.WithTLSConfig(&tls.Config{
+			//nolint:gosec // test uses self-signed cert
+			InsecureSkipVerify: true,
+		}),
+		tlscheck.WithPort(port),
+	)
+
+	info, err := checker.CheckCertificate(
+		context.Background(), ip, "localhost",
+	)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if info.CommonName == "" && len(info.SubjectAlternativeNames) == 0 {
+		t.Error("expected CN or SANs to be populated")
+	}
+}

internal/watcher/interfaces.go

@@ -4,6 +4,7 @@ package watcher
 import (
 	"context"
 
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 )
 
@@ -36,7 +37,7 @@ type PortChecker interface {
 		ctx context.Context,
 		address string,
 		port int,
-	) (bool, error)
+	) (*portcheck.PortResult, error)
 }
 
 // TLSChecker inspects TLS certificates.

internal/watcher/watcher.go

@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
 	"go.uber.org/fx"
@@ -49,6 +50,8 @@ type Watcher struct {
 	notify           Notifier
 	cancel           context.CancelFunc
 	firstRun         bool
+	expiryNotifiedMu sync.Mutex
+	expiryNotified   map[string]time.Time
 }
 
 // New creates a new Watcher instance wired into the fx lifecycle.
@@ -65,6 +68,7 @@ func New(
 		tlsCheck:       params.TLSCheck,
 		notify:         params.Notify,
 		firstRun:       true,
+		expiryNotified: make(map[string]time.Time),
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -108,6 +112,7 @@ func NewForTest(
 		tlsCheck:       tc,
 		notify:         n,
 		firstRun:       true,
+		expiryNotified: make(map[string]time.Time),
 	}
 }
 
@@ -206,6 +211,28 @@ func (w *Watcher) checkDomain(
 		Nameservers: nameservers,
 		LastChecked: now,
 	})
+
+	// Also look up A/AAAA records for the apex domain so that
+	// port and TLS checks (which read HostnameState) can find
+	// the domain's IP addresses.
+	records, err := w.resolver.LookupAllRecords(ctx, domain)
+	if err != nil {
+		w.log.Error(
+			"failed to lookup records for domain",
+			"domain", domain,
+			"error", err,
+		)
+
+		return
+	}
+
+	prevHS, hasPrevHS := w.state.GetHostnameState(domain)
+	if hasPrevHS && !w.firstRun {
+		w.detectHostnameChanges(ctx, domain, prevHS, records)
+	}
+
+	newState := buildHostnameState(records, now)
+	w.state.SetHostnameState(domain, newState)
 }
 
 func (w *Watcher) detectNSChanges(
@@ -477,7 +504,7 @@ func (w *Watcher) checkSinglePort(
 	port int,
 	hostname string,
 ) {
-	open, err := w.portCheck.CheckPort(ctx, ip, port)
+	result, err := w.portCheck.CheckPort(ctx, ip, port)
 	if err != nil {
 		w.log.Error(
 			"port check failed",
@@ -493,9 +520,9 @@ func (w *Watcher) checkSinglePort(
 	now := time.Now().UTC()
 	prev, hasPrev := w.state.GetPortState(key)
 
-	if hasPrev && !w.firstRun && prev.Open != open {
+	if hasPrev && !w.firstRun && prev.Open != result.Open {
 		stateStr := "closed"
-		if open {
+		if result.Open {
 			stateStr = "open"
 		}
 
@@ -513,7 +540,7 @@ func (w *Watcher) checkSinglePort(
 	}
 
 	w.state.SetPortState(key, &state.PortState{
-		Open:        open,
+		Open:        result.Open,
 		Hostname:    hostname,
 		LastChecked: now,
 	})
@@ -691,6 +718,22 @@ func (w *Watcher) checkTLSExpiry(
 		return
 	}
 
+	// Deduplicate expiry warnings: don't re-notify for the same
+	// hostname within the TLS check interval.
+	dedupKey := fmt.Sprintf("expiry:%s:%s", hostname, ip)
+
+	w.expiryNotifiedMu.Lock()
+
+	lastNotified, seen := w.expiryNotified[dedupKey]
+	if seen && time.Since(lastNotified) < w.config.TLSInterval {
+		w.expiryNotifiedMu.Unlock()
+
+		return
+	}
+
+	w.expiryNotified[dedupKey] = time.Now()
+	w.expiryNotifiedMu.Unlock()
+
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\nCN: %s\n"+
 			"Expires: %s (%.0f days)",

internal/watcher/watcher_test.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"sneak.berlin/go/dnswatcher/internal/config"
+	"sneak.berlin/go/dnswatcher/internal/portcheck"
 	"sneak.berlin/go/dnswatcher/internal/state"
 	"sneak.berlin/go/dnswatcher/internal/tlscheck"
 	"sneak.berlin/go/dnswatcher/internal/watcher"
@@ -109,24 +110,20 @@ func (m *mockPortChecker) CheckPort(
 	_ context.Context,
 	address string,
 	port int,
-) (bool, error) {
+) (*portcheck.PortResult, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
 	m.calls++
 
 	if m.err != nil {
-		return false, m.err
+		return nil, m.err
 	}
 
 	key := fmt.Sprintf("%s:%d", address, port)
-	open, ok := m.results[key]
+	open := m.results[key]
 
-	if !ok {
+	return &portcheck.PortResult{Open: open}, nil
-		return false, nil
-	}
-
-	return open, nil
 }
 
 type mockTLSChecker struct {
@@ -276,6 +273,10 @@ func setupBaselineMocks(deps *testDeps) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+		"ns2.example.com.": {"A": {"93.184.216.34"}},
+	}
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
@@ -293,6 +294,14 @@ func setupBaselineMocks(deps *testDeps) {
 			"www.example.com",
 		},
 	}
+	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"example.com",
+		},
+	}
 }
 
 func assertNoNotifications(
@@ -325,14 +334,74 @@ func assertStatePopulated(
 		)
 	}
 
-	if len(snap.Hostnames) != 1 {
+	// Hostnames includes both explicit hostnames and domains
+	// (domains now also get hostname state for port/TLS checks).
+	if len(snap.Hostnames) < 1 {
 		t.Errorf(
-			"expected 1 hostname in state, got %d",
+			"expected at least 1 hostname in state, got %d",
 			len(snap.Hostnames),
 		)
 	}
 }
 
+func TestDomainPortAndTLSChecks(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Domains = []string{"example.com"}
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.nsRecords["example.com"] = []string{
+		"ns1.example.com.",
+	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"93.184.216.34"}},
+	}
+	deps.portChecker.results["93.184.216.34:80"] = true
+	deps.portChecker.results["93.184.216.34:443"] = true
+	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"example.com",
+		},
+	}
+
+	w.RunOnce(t.Context())
+
+	snap := deps.state.GetSnapshot()
+
+	// Domain should have port state populated
+	if len(snap.Ports) == 0 {
+		t.Error("expected port state for domain, got none")
+	}
+
+	// Domain should have certificate state populated
+	if len(snap.Certificates) == 0 {
+		t.Error("expected certificate state for domain, got none")
+	}
+
+	// Verify port checker was actually called
+	deps.portChecker.mu.Lock()
+	calls := deps.portChecker.calls
+	deps.portChecker.mu.Unlock()
+
+	if calls == 0 {
+		t.Error("expected port checker to be called for domain")
+	}
+
+	// Verify TLS checker was actually called
+	deps.tlsChecker.mu.Lock()
+	tlsCalls := deps.tlsChecker.calls
+	deps.tlsChecker.mu.Unlock()
+
+	if tlsCalls == 0 {
+		t.Error("expected TLS checker to be called for domain")
+	}
+}
+
 func TestNSChangeDetection(t *testing.T) {
 	t.Parallel()
 
@@ -345,6 +414,12 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+		"ns2.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.portChecker.results["1.2.3.4:80"] = false
+	deps.portChecker.results["1.2.3.4:443"] = false
 
 	ctx := t.Context()
 	w.RunOnce(ctx)
@@ -354,6 +429,10 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns3.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+		"ns3.example.com.": {"A": {"1.2.3.4"}},
+	}
 	deps.resolver.mu.Unlock()
 
 	w.RunOnce(ctx)
@@ -509,6 +588,61 @@ func TestTLSExpiryWarning(t *testing.T) {
 	}
 }
 
+func TestTLSExpiryWarningDedup(t *testing.T) {
+	t.Parallel()
+
+	cfg := defaultTestConfig(t)
+	cfg.Hostnames = []string{"www.example.com"}
+	cfg.TLSInterval = 24 * time.Hour
+
+	w, deps := newTestWatcher(t, cfg)
+
+	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.resolver.ipAddresses["www.example.com"] = []string{
+		"1.2.3.4",
+	}
+	deps.portChecker.results["1.2.3.4:80"] = true
+	deps.portChecker.results["1.2.3.4:443"] = true
+	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
+		CommonName: "www.example.com",
+		Issuer:     "DigiCert",
+		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
+		SubjectAlternativeNames: []string{
+			"www.example.com",
+		},
+	}
+
+	ctx := t.Context()
+
+	// First run = baseline, no notifications
+	w.RunOnce(ctx)
+
+	// Second run should fire one expiry warning
+	w.RunOnce(ctx)
+
+	// Third run should NOT fire another warning (dedup)
+	w.RunOnce(ctx)
+
+	notifications := deps.notifier.getNotifications()
+
+	expiryCount := 0
+
+	for _, n := range notifications {
+		if n.Title == "TLS Expiry Warning: www.example.com" {
+			expiryCount++
+		}
+	}
+
+	if expiryCount != 1 {
+		t.Errorf(
+			"expected exactly 1 expiry warning (dedup), got %d",
+			expiryCount,
+		)
+	}
+}
+
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()
 
@@ -522,6 +656,11 @@ func TestGracefulShutdown(t *testing.T) {
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
+	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
+		"ns1.example.com.": {"A": {"1.2.3.4"}},
+	}
+	deps.portChecker.results["1.2.3.4:80"] = false
+	deps.portChecker.results["1.2.3.4:443"] = false
 
 	ctx, cancel := context.WithCancel(t.Context())