fix: set 1s query timeout, use public resolvers instead of root servers for recursive queries

- Change queryTimeoutDuration from 5s to 1s per requirement that DNS
  queries complete in <10s total given <800ms RTT
- Fix resolveARecord and resolveNSRecursive to use public recursive
  resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) instead of root servers,
  which don't answer recursive queries (RD=1)

.dockerignore

@@ -1,6 +0,0 @@
-.git
-bin
-data
-.env
-.DS_Store
-*.exe

.editorconfig

@@ -1,15 +0,0 @@
-root = true
-
-[*]
-indent_style = space
-indent_size = 4
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-[*.go]
-indent_style = tab
-
-[Makefile]
-indent_style = tab

.gitea/workflows/check.yml

@@ -1,9 +1,26 @@
-name: check
+name: Check
-on: [push]
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-            # actions/checkout v4.2.2, 2026-02-28
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
-            - run: docker build .
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
+
+      - name: Run make check
+        run: make check

CLAUDE.md

@@ -0,0 +1,68 @@
+# Repository Rules
+
+Last Updated 2026-01-08
+
+These rules MUST be followed at all times, it is very important.
+
+* Never use `git add -A` - add specific changes to a deliberate commit. A
+  commit should contain one change. After each change, make a commit with a
+  good one-line summary.
+
+* NEVER modify the linter config without asking first.
+
+* NEVER modify tests to exclude special cases or otherwise get them to pass
+  without asking first. In almost all cases, the code should be changed,
+  NOT the tests. If you think the test needs to be changed, make your case
+  for that and ask for permission to proceed, then stop. You need explicit
+  user approval to modify existing tests. (You do not need user approval
+  for writing NEW tests.)
+
+* When linting, assume the linter config is CORRECT, and that each item
+  output by the linter is something that legitimately needs fixing in the
+  code.
+
+* When running tests, use `make test`.
+
+* Before commits, run `make check`. This runs `make lint` and `make test`
+  and `make check-fmt`. Any issues discovered MUST be resolved before
+  committing unless explicitly told otherwise.
+
+* When fixing a bug, write a failing test for the bug FIRST. Add
+  appropriate logging to the test to ensure it is written correctly. Commit
+  that. Then go about fixing the bug until the test passes (without
+  modifying the test further). Then commit that.
+
+* When adding a new feature, do the same - implement a test first (TDD). It
+  doesn't have to be super complex. Commit the test, then commit the
+  feature.
+
+* When adding a new feature, use a feature branch. When the feature is
+  completely finished and the code is up to standards (passes `make check`)
+  then and only then can the feature branch be merged into `main` and the
+  branch deleted.
+
+* Write godoc documentation comments for all exported types and functions as
+  you go along.
+
+* ALWAYS be consistent in naming. If you name something one thing in one
+  place, name it the EXACT SAME THING in another place.
+
+* Be descriptive and specific in naming. `wl` is bad;
+  `SourceHostWhitelist` is good. `ConnsPerHost` is bad;
+  `MaxConnectionsPerHost` is good.
+
+* This is not prototype or teaching code - this is designed for production.
+  Any security issues (such as denial of service) or other web
+  vulnerabilities are P1 bugs and must be added to TODO.md at the top.
+
+* As this is production code, no stubbing of implementations unless
+  specifically instructed. We need working implementations.
+
+* Avoid vendoring deps unless specifically instructed to.  NEVER commit
+  the vendor directory, NEVER commit compiled binaries.  If these
+  directories or files exist, add them to .gitignore (and commit the
+  .gitignore) if they are not already in there.  Keep the entire git
+  repository (with history) small - under 20MiB, unless you specifically
+  must commit larger files (e.g. test fixture example media files).  Only
+  OUR source code and immediately supporting files (such as test examples)
+  goes into the repo/history.

Dockerfile

@@ -1,13 +1,11 @@
 # Build stage
-# golang 1.25-alpine, 2026-02-28
+FROM golang:1.25-alpine AS builder
-FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 
-RUN apk add --no-cache git make gcc musl-dev binutils-gold
+RUN apk add --no-cache git make gcc musl-dev
 
-# golangci-lint v2.10.1
+# Install golangci-lint v2
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-# goimports v0.42.0
+RUN go install golang.org/x/tools/cmd/goimports@latest
-RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0
 
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -22,8 +20,7 @@ RUN make check
 RUN make build
 
 # Runtime stage
-# alpine 3.21, 2026-02-28
+FROM alpine:3.21
-FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 
 RUN apk add --no-cache ca-certificates tzdata
 

LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 sneak
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean docker hooks
+.PHONY: all build lint fmt test check clean
 
 BINARY := dnswatcher
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -17,26 +17,21 @@ fmt:
 	gofmt -s -w .
 	goimports -w .
 
-fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
-
 test:
-	go test -v -race -cover -timeout 30s ./...
+	go test -v -race -cover ./...
 
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
+	@echo "==> Checking formatting..."
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@echo "==> Running linter..."
+	golangci-lint run --config .golangci.yml ./...
+	@echo "==> Running tests..."
+	go test -v -race ./...
 	@echo "==> Building..."
 	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/dnswatcher
 	@echo "==> All checks passed!"
 
-docker:
-	docker build .
-
-hooks:
-	@printf '#!/bin/sh\nset -e\nmake check\n' > .git/hooks/pre-commit
-	@chmod +x .git/hooks/pre-commit
-	@echo "Pre-commit hook installed."
-
 clean:
 	rm -rf bin/

README.md

@@ -327,13 +327,10 @@ tracks reachability:
 
 ```sh
 make build      # Build binary to bin/dnswatcher
-make test       # Run tests with race detector and 30s timeout
+make test       # Run tests with race detector
 make lint       # Run golangci-lint
-make fmt        # Format code (writes)
+make fmt        # Format code
-make fmt-check  # Read-only format check
+make check      # Run all checks (format, lint, test, build)
-make check      # Run all checks (fmt-check, lint, test, build)
-make docker     # Build Docker image
-make hooks      # Install pre-commit hook
 make clean      # Remove build artifacts
 ```
 
@@ -388,17 +385,7 @@ docker run -d \
 
 ## Project Structure
 
-Follows the conventions defined in `REPO_POLICIES.md`, adapted from the
+Follows the conventions defined in `CONVENTIONS.md`, adapted from the
 [upaas](https://git.eeqj.de/sneak/upaas) project template.  Uses uber/fx
 for dependency injection, go-chi for HTTP routing, slog for logging, and
 Viper for configuration.
-
----
-
-## License
-
-MIT — see [LICENSE](LICENSE).
-
-## Author
-
-[@sneak](https://sneak.berlin)

REPO_POLICIES.md

@@ -1,188 +0,0 @@
----
-title: Repository Policies
-last_modified: 2026-02-22
----
-
-This document covers repository structure, tooling, and workflow standards. Code
-style conventions are in separate documents:
-
-- [Code Styleguide](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE.md)
-  (general, bash, Docker)
-- [Go](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_GO.md)
-- [JavaScript](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_JS.md)
-- [Python](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_PYTHON.md)
-- [Go HTTP Server Conventions](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/GO_HTTP_SERVER_CONVENTIONS.md)
-
----
-
-- Cross-project documentation (such as this file) must include
-  `last_modified: YYYY-MM-DD` in the YAML front matter so it can be kept in sync
-  with the authoritative source as policies evolve.
-
-- **ALL external references must be pinned by cryptographic hash.** This
-  includes Docker base images, Go modules, npm packages, GitHub Actions, and
-  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
-  `:3.21`, etc.) are server-mutable and therefore remote code execution
-  vulnerabilities. The ONLY acceptable way to reference an external dependency
-  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
-  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
-  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
-  etc. Instead, download a specific release archive from GitHub, verify its hash
-  (hardcoded in the Dockerfile or script), and only then install. Unverified
-  install scripts are arbitrary remote code execution. This is the single most
-  important rule in this document. Double-check every external reference in
-  every file before committing. There are zero exceptions to this rule.
-
-- Every repo with software must have a root `Makefile` with these targets:
-  `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
-  `make check` (prereqs: `test`, `lint`, `fmt-check`), `make docker`, and
-  `make hooks` (installs pre-commit hook). A model Makefile is at
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.
-
-- Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
-  instead of invoking the underlying tools directly. The Makefile is the single
-  source of truth for how these operations are run.
-
-- The Makefile is authoritative documentation for how the repo is used. Beyond
-  the required targets above, it should have targets for every common operation:
-  running a local development server (`make run`, `make dev`), re-initializing
-  or migrating the database (`make db-reset`, `make migrate`), building
-  artifacts (`make build`), generating code, seeding data, or anything else a
-  developer would do regularly. If someone checks out the repo and types
-  `make<tab>`, they should see every meaningful operation available. A new
-  contributor should be able to understand the entire development workflow by
-  reading the Makefile.
-
-- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
-  as a build step so the build fails if the branch is not green. For non-server
-  repos, the Dockerfile should bring up a development environment and run
-  `make check`. For server repos, `make check` should run as an early build
-  stage before the final image is assembled.
-
-- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
-  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
-  a successful build implies all checks pass.
-
-- Use platform-standard formatters: `black` for Python, `prettier` for
-  JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
-  two exceptions: four-space indents (except Go), and `proseWrap: always` for
-  Markdown (hard-wrap at 80 columns). Documentation and writing repos (Markdown,
-  HTML, CSS) should also have `.prettierrc` and `.prettierignore`.
-
-- Pre-commit hook: `make check` if local testing is possible, otherwise
-  `make lint && make fmt-check`. The Makefile should provide a `make hooks`
-  target to install the pre-commit hook.
-
-- All repos with software must have tests that run via the platform-standard
-  test framework (`go test`, `pytest`, `jest`/`vitest`, etc.). If no meaningful
-  tests exist yet, add the most minimal test possible — e.g. importing the
-  module under test to verify it compiles/parses. There is no excuse for
-  `make test` to be a no-op.
-
-- `make test` must complete in under 20 seconds. Add a 30-second timeout in the
-  Makefile.
-
-- Docker builds must complete in under 5 minutes.
-
-- `make check` must not modify any files in the repo. Tests may use temporary
-  directories.
-
-- `main` must always pass `make check`, no exceptions.
-
-- Never commit secrets. `.env` files, credentials, API keys, and private keys
-  must be in `.gitignore`. No exceptions.
-
-- `.gitignore` should be comprehensive from the start: OS files (`.DS_Store`),
-  editor files (`.swp`, `*~`), language build artifacts, and `node_modules/`.
-  Fetch the standard `.gitignore` from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
-  a new repo.
-
-- Never use `git add -A` or `git add .`. Always stage files explicitly by name.
-
-- Never force-push to `main`.
-
-- Make all changes on a feature branch. You can do whatever you want on a
-  feature branch.
-
-- `.golangci.yml` is standardized and must _NEVER_ be modified by an agent, only
-  manually by the user. Fetch from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.golangci.yml`.
-
-- When pinning images or packages by hash, add a comment above the reference
-  with the version and date (YYYY-MM-DD).
-
-- Use `yarn`, not `npm`.
-
-- Write all dates as YYYY-MM-DD (ISO 8601).
-
-- Simple projects should be configured with environment variables.
-
-- Dockerized web services listen on port 8080 by default, overridable with
-  `PORT`.
-
-- `README.md` is the primary documentation. Required sections:
-    - **Description**: First line must include the project name, purpose,
-      category (web server, SPA, CLI tool, etc.), license, and author. Example:
-      "µPaaS is an MIT-licensed Go web application by @sneak that receives
-      git-frontend webhooks and deploys applications via Docker in realtime."
-    - **Getting Started**: Copy-pasteable install/usage code block.
-    - **Rationale**: Why does this exist?
-    - **Design**: How is the program structured?
-    - **TODO**: Update meticulously, even between commits. When planning, put
-      the todo list in the README so a new agent can pick up where the last one
-      left off.
-    - **License**: MIT, GPL, or WTFPL. Ask the user for new projects. Include a
-      `LICENSE` file in the repo root and a License section in the README.
-    - **Author**: [@sneak](https://sneak.berlin).
-
-- First commit of a new repo should contain only `README.md`.
-
-- Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy` before
-  committing.
-
-- Use SemVer.
-
-- Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary.
-  - `000_migration.sql` — contains ONLY the creation of the migrations tracking
-    table itself. Nothing else.
-  - `001_schema.sql` — the full application schema.
-  - **Pre-1.0.0:** never add additional migration files (002, 003, etc.). There
-    is no installed base to migrate. Edit `001_schema.sql` directly.
-  - **Post-1.0.0:** add new numbered migration files for each schema change.
-    Never edit existing migrations after release.
-
-- All repos should have an `.editorconfig` enforcing the project's indentation
-  settings.
-
-- Avoid putting files in the repo root unless necessary. Root should contain
-  only project-level config files (`README.md`, `Makefile`, `Dockerfile`,
-  `LICENSE`, `.gitignore`, `.editorconfig`, `REPO_POLICIES.md`, and
-  language-specific config). Everything else goes in a subdirectory. Canonical
-  subdirectory names:
-    - `bin/` — executable scripts and tools
-    - `cmd/` — Go command entrypoints
-    - `configs/` — configuration templates and examples
-    - `deploy/` — deployment manifests (k8s, compose, terraform)
-    - `docs/` — documentation and markdown (README.md stays in root)
-    - `internal/` — Go internal packages
-    - `internal/db/migrations/` — database migrations
-    - `pkg/` — Go library packages
-    - `share/` — systemd units, data files
-    - `static/` — static assets (images, fonts, etc.)
-    - `web/` — web frontend source
-
-- When setting up a new repo, files from the `prompts` repo may be used as
-  templates. Fetch them from
-  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<path>`.
-
-- New repos must contain at minimum:
-    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
-    - `LICENSE`, `REPO_POLICIES.md` (copy from the `prompts` repo)
-    - `Makefile`
-    - `Dockerfile`, `.dockerignore`
-    - `.gitea/workflows/check.yml`
-    - Go: `go.mod`, `go.sum`, `.golangci.yml`
-    - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
-    - Python: `pyproject.toml`

TESTING.md

@@ -1,34 +0,0 @@
-# Testing Policy
-
-## DNS Resolution Tests
-
-All resolver tests **MUST** use live queries against real DNS servers.
-No mocking of the DNS client layer is permitted.
-
-### Rationale
-
-The resolver performs iterative resolution from root nameservers through
-the full delegation chain. Mocked responses cannot faithfully represent
-the variety of real-world DNS behavior (truncation, referrals, glue
-records, DNSSEC, varied response times, EDNS, etc.). Testing against
-real servers ensures the resolver works correctly in production.
-
-### Constraints
-
-- Tests hit real DNS infrastructure and require network access
-- Test duration depends on network conditions; timeout tuning keeps
-  the suite within the 30-second target
-- Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
-  plus processing margin
-- Root server fan-out is limited to reduce parallel query load
-- Flaky failures from transient network issues are acceptable and
-  should be investigated as potential resolver bugs, not papered over
-  with mocks or skip flags
-
-### What NOT to do
-
-- **Do not mock `DNSClient`** for resolver tests (the mock constructor
-  exists for unit-testing other packages that consume the resolver)
-- **Do not add `-short` flags** to skip slow tests
-- **Do not increase `-timeout`** to hide hanging queries
-- **Do not modify linter configuration** to suppress findings

internal/resolver/errors.go

@@ -4,6 +4,11 @@ import "errors"
 
 // Sentinel errors returned by the resolver.
 var (
+	// ErrNotImplemented indicates a method is stubbed out.
+	ErrNotImplemented = errors.New(
+		"resolver not yet implemented",
+	)
+
 	// ErrNoNameservers is returned when no authoritative NS
 	// could be discovered for a domain.
 	ErrNoNameservers = errors.New(

internal/resolver/iterative.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"sort"
 	"strings"
@@ -14,7 +13,7 @@ import (
 )
 
 const (
-	queryTimeoutDuration = 2 * time.Second
+	queryTimeoutDuration = 1 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -42,22 +41,6 @@ func rootServerList() []string {
 	}
 }
 
-const maxRootServers = 3
-
-// randomRootServers returns a shuffled subset of root servers.
-func randomRootServers() []string {
-	all := rootServerList()
-	rand.Shuffle(len(all), func(i, j int) {
-		all[i], all[j] = all[j], all[i]
-	})
-
-	if len(all) > maxRootServers {
-		return all[:maxRootServers]
-	}
-
-	return all
-}
-
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -308,8 +291,17 @@ func (r *Resolver) resolveNSIPs(
 	return ips
 }
 
-// resolveNSRecursive queries for NS records using recursive
+// publicResolvers returns well-known public recursive DNS resolvers.
-// resolution as a fallback for intercepted environments.
+func publicResolvers() []string {
+	return []string{
+		"1.1.1.1", // Cloudflare
+		"8.8.8.8", // Google
+		"9.9.9.9", // Quad9
+	}
+}
+
+// resolveNSRecursive queries for NS records using a public
+// recursive resolver as a fallback for intercepted environments.
 func (r *Resolver) resolveNSRecursive(
 	ctx context.Context,
 	domain string,
@@ -319,7 +311,7 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true
 
-	for _, ip := range randomRootServers() {
+	for _, ip := range publicResolvers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -340,7 +332,8 @@ func (r *Resolver) resolveNSRecursive(
 	return nil, ErrNoNameservers
 }
 
-// resolveARecord resolves a hostname to IPv4 addresses.
+// resolveARecord resolves a hostname to IPv4 addresses using
+// public recursive resolvers.
 func (r *Resolver) resolveARecord(
 	ctx context.Context,
 	hostname string,
@@ -350,7 +343,7 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true
 
-	for _, ip := range randomRootServers() {
+	for _, ip := range publicResolvers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -402,7 +395,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."
 
 		nsNames, err := r.followDelegation(
-			ctx, candidate, randomRootServers(),
+			ctx, candidate, rootServerList(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)
@@ -435,23 +428,6 @@ func (r *Resolver) QueryNameserver(
 	return r.queryAllTypes(ctx, nsHostname, nsIPs[0], hostname)
 }
 
-// QueryNameserverIP queries a nameserver by its IP address directly,
-// bypassing NS hostname resolution.
-func (r *Resolver) QueryNameserverIP(
-	ctx context.Context,
-	nsHostname string,
-	nsIP string,
-	hostname string,
-) (*NameserverResponse, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
-	hostname = dns.Fqdn(hostname)
-
-	return r.queryAllTypes(ctx, nsHostname, nsIP, hostname)
-}
-
 func (r *Resolver) queryAllTypes(
 	ctx context.Context,
 	nsHostname string,
@@ -479,7 +455,6 @@ func (r *Resolver) queryAllTypes(
 type queryState struct {
 	gotNXDomain bool
 	gotSERVFAIL bool
-	gotTimeout  bool
 	hasRecords  bool
 }
 
@@ -517,10 +492,6 @@ func (r *Resolver) querySingleType(
 ) {
 	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
 	if err != nil {
-		if isTimeout(err) {
-			state.gotTimeout = true
-		}
-
 		return
 	}
 
@@ -558,26 +529,12 @@ func collectAnswerRecords(
 	}
 }
 
-// isTimeout checks whether an error is a network timeout.
-func isTimeout(err error) bool {
-	var netErr net.Error
-	if errors.As(err, &netErr) {
-		return netErr.Timeout()
-	}
-
-	return false
-}
-
 func classifyResponse(resp *NameserverResponse, state queryState) {
 	switch {
 	case state.gotNXDomain && !state.hasRecords:
 		resp.Status = StatusNXDomain
-	case state.gotTimeout && !state.hasRecords:
-		resp.Status = StatusTimeout
-		resp.Error = "all queries timed out"
 	case state.gotSERVFAIL && !state.hasRecords:
 		resp.Status = StatusError
-		resp.Error = "server returned SERVFAIL"
 	case !state.hasRecords && !state.gotNXDomain:
 		resp.Status = StatusNoData
 	}

internal/resolver/resolver.go

@@ -17,7 +17,6 @@ const (
 	StatusError    = "error"
 	StatusNXDomain = "nxdomain"
 	StatusNoData   = "nodata"
-	StatusTimeout  = "timeout"
 )
 
 // MaxCNAMEDepth is the maximum CNAME chain depth to follow.

internal/resolver/resolver_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -623,59 +622,6 @@ func TestQueryAllNameservers_ContextCanceled(t *testing.T) {
 	assert.Error(t, err)
 }
 
-// ----------------------------------------------------------------
-// Timeout tests
-// ----------------------------------------------------------------
-
-func TestQueryNameserverIP_Timeout(t *testing.T) {
-	t.Parallel()
-
-	log := slog.New(slog.NewTextHandler(
-		os.Stderr,
-		&slog.HandlerOptions{Level: slog.LevelDebug},
-	))
-
-	r := resolver.NewFromLoggerWithClient(
-		log, &timeoutClient{},
-	)
-
-	ctx, cancel := context.WithTimeout(
-		context.Background(), 10*time.Second,
-	)
-	t.Cleanup(cancel)
-
-	// Query any IP — the client always returns a timeout error.
-	resp, err := r.QueryNameserverIP(
-		ctx, "unreachable.test.", "192.0.2.1",
-		"example.com",
-	)
-	require.NoError(t, err)
-
-	assert.Equal(t, resolver.StatusTimeout, resp.Status)
-	assert.NotEmpty(t, resp.Error)
-}
-
-// timeoutClient simulates DNS timeout errors for testing.
-type timeoutClient struct{}
-
-func (c *timeoutClient) ExchangeContext(
-	_ context.Context,
-	_ *dns.Msg,
-	_ string,
-) (*dns.Msg, time.Duration, error) {
-	return nil, 0, &net.OpError{
-		Op:  "read",
-		Net: "udp",
-		Err: &timeoutError{},
-	}
-}
-
-type timeoutError struct{}
-
-func (e *timeoutError) Error() string   { return "i/o timeout" }
-func (e *timeoutError) Timeout() bool   { return true }
-func (e *timeoutError) Temporary() bool { return true }
-
 func TestResolveIPAddresses_ContextCanceled(t *testing.T) {
 	t.Parallel()
 

internal/watcher/watcher.go

@@ -6,7 +6,6 @@ import (
 	"log/slog"
 	"sort"
 	"strings"
-	"sync"
 	"time"
 
 	"go.uber.org/fx"
@@ -50,8 +49,6 @@ type Watcher struct {
 	notify    Notifier
 	cancel    context.CancelFunc
 	firstRun  bool
-	expiryNotifiedMu sync.Mutex
-	expiryNotified   map[string]time.Time
 }
 
 // New creates a new Watcher instance wired into the fx lifecycle.
@@ -68,7 +65,6 @@ func New(
 		tlsCheck:  params.TLSCheck,
 		notify:    params.Notify,
 		firstRun:  true,
-		expiryNotified: make(map[string]time.Time),
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -112,7 +108,6 @@ func NewForTest(
 		tlsCheck:  tc,
 		notify:    n,
 		firstRun:  true,
-		expiryNotified: make(map[string]time.Time),
 	}
 }
 
@@ -211,28 +206,6 @@ func (w *Watcher) checkDomain(
 		Nameservers: nameservers,
 		LastChecked: now,
 	})
-
-	// Also look up A/AAAA records for the apex domain so that
-	// port and TLS checks (which read HostnameState) can find
-	// the domain's IP addresses.
-	records, err := w.resolver.LookupAllRecords(ctx, domain)
-	if err != nil {
-		w.log.Error(
-			"failed to lookup records for domain",
-			"domain", domain,
-			"error", err,
-		)
-
-		return
-	}
-
-	prevHS, hasPrevHS := w.state.GetHostnameState(domain)
-	if hasPrevHS && !w.firstRun {
-		w.detectHostnameChanges(ctx, domain, prevHS, records)
-	}
-
-	newState := buildHostnameState(records, now)
-	w.state.SetHostnameState(domain, newState)
 }
 
 func (w *Watcher) detectNSChanges(
@@ -718,22 +691,6 @@ func (w *Watcher) checkTLSExpiry(
 		return
 	}
 
-	// Deduplicate expiry warnings: don't re-notify for the same
-	// hostname within the TLS check interval.
-	dedupKey := fmt.Sprintf("expiry:%s:%s", hostname, ip)
-
-	w.expiryNotifiedMu.Lock()
-
-	lastNotified, seen := w.expiryNotified[dedupKey]
-	if seen && time.Since(lastNotified) < w.config.TLSInterval {
-		w.expiryNotifiedMu.Unlock()
-
-		return
-	}
-
-	w.expiryNotified[dedupKey] = time.Now()
-	w.expiryNotifiedMu.Unlock()
-
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\nCN: %s\n"+
 			"Expires: %s (%.0f days)",

internal/watcher/watcher_test.go

@@ -273,10 +273,6 @@ func setupBaselineMocks(deps *testDeps) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
-	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"93.184.216.34"}},
-		"ns2.example.com.": {"A": {"93.184.216.34"}},
-	}
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
@@ -294,14 +290,6 @@ func setupBaselineMocks(deps *testDeps) {
 			"www.example.com",
 		},
 	}
-	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"example.com",
-		},
-	}
 }
 
 func assertNoNotifications(
@@ -334,74 +322,14 @@ func assertStatePopulated(
 		)
 	}
 
-	// Hostnames includes both explicit hostnames and domains
+	if len(snap.Hostnames) != 1 {
-	// (domains now also get hostname state for port/TLS checks).
-	if len(snap.Hostnames) < 1 {
 		t.Errorf(
-			"expected at least 1 hostname in state, got %d",
+			"expected 1 hostname in state, got %d",
 			len(snap.Hostnames),
 		)
 	}
 }
 
-func TestDomainPortAndTLSChecks(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Domains = []string{"example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.nsRecords["example.com"] = []string{
-		"ns1.example.com.",
-	}
-	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"93.184.216.34"}},
-	}
-	deps.portChecker.results["93.184.216.34:80"] = true
-	deps.portChecker.results["93.184.216.34:443"] = true
-	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"example.com",
-		},
-	}
-
-	w.RunOnce(t.Context())
-
-	snap := deps.state.GetSnapshot()
-
-	// Domain should have port state populated
-	if len(snap.Ports) == 0 {
-		t.Error("expected port state for domain, got none")
-	}
-
-	// Domain should have certificate state populated
-	if len(snap.Certificates) == 0 {
-		t.Error("expected certificate state for domain, got none")
-	}
-
-	// Verify port checker was actually called
-	deps.portChecker.mu.Lock()
-	calls := deps.portChecker.calls
-	deps.portChecker.mu.Unlock()
-
-	if calls == 0 {
-		t.Error("expected port checker to be called for domain")
-	}
-
-	// Verify TLS checker was actually called
-	deps.tlsChecker.mu.Lock()
-	tlsCalls := deps.tlsChecker.calls
-	deps.tlsChecker.mu.Unlock()
-
-	if tlsCalls == 0 {
-		t.Error("expected TLS checker to be called for domain")
-	}
-}
-
 func TestNSChangeDetection(t *testing.T) {
 	t.Parallel()
 
@@ -414,12 +342,6 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
-	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-		"ns2.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.portChecker.results["1.2.3.4:80"] = false
-	deps.portChecker.results["1.2.3.4:443"] = false
 
 	ctx := t.Context()
 	w.RunOnce(ctx)
@@ -429,10 +351,6 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns3.example.com.",
 	}
-	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-		"ns3.example.com.": {"A": {"1.2.3.4"}},
-	}
 	deps.resolver.mu.Unlock()
 
 	w.RunOnce(ctx)
@@ -588,61 +506,6 @@ func TestTLSExpiryWarning(t *testing.T) {
 	}
 }
 
-func TestTLSExpiryWarningDedup(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-	cfg.TLSInterval = 24 * time.Hour
-
-	w, deps := newTestWatcher(t, cfg)
-
-	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.resolver.ipAddresses["www.example.com"] = []string{
-		"1.2.3.4",
-	}
-	deps.portChecker.results["1.2.3.4:80"] = true
-	deps.portChecker.results["1.2.3.4:443"] = true
-	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
-		CommonName: "www.example.com",
-		Issuer:     "DigiCert",
-		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{
-			"www.example.com",
-		},
-	}
-
-	ctx := t.Context()
-
-	// First run = baseline, no notifications
-	w.RunOnce(ctx)
-
-	// Second run should fire one expiry warning
-	w.RunOnce(ctx)
-
-	// Third run should NOT fire another warning (dedup)
-	w.RunOnce(ctx)
-
-	notifications := deps.notifier.getNotifications()
-
-	expiryCount := 0
-
-	for _, n := range notifications {
-		if n.Title == "TLS Expiry Warning: www.example.com" {
-			expiryCount++
-		}
-	}
-
-	if expiryCount != 1 {
-		t.Errorf(
-			"expected exactly 1 expiry warning (dedup), got %d",
-			expiryCount,
-		)
-	}
-}
-
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()
 
@@ -656,11 +519,6 @@ func TestGracefulShutdown(t *testing.T) {
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
-	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {"1.2.3.4"}},
-	}
-	deps.portChecker.results["1.2.3.4:80"] = false
-	deps.portChecker.results["1.2.3.4:443"] = false
 
 	ctx, cancel := context.WithCancel(t.Context())