Merge pull request 'Reduce DNS query timeout and limit root server fan-out (closes #29 )' (#30 ) from fix/reduce-dns-timeout-and-root-fanout into main

Reviewed-on: #30
Merge pull request 'doc: add TESTING.md — real DNS only, no mocks' (#34 ) from doc/testing-policy into main
2026-02-28 12:07:20 +01:00 · 2026-02-28 12:06:57 +01:00 · 2026-02-22 04:28:47 -08:00 · 2026-02-22 03:35:16 -08:00
2 changed files with 58 additions and 17 deletions
--- a/TESTING.md
+++ b/TESTING.md
@@ -0,0 +1,34 @@
+# Testing Policy
+
+## DNS Resolution Tests
+
+All resolver tests **MUST** use live queries against real DNS servers.
+No mocking of the DNS client layer is permitted.
+
+### Rationale
+
+The resolver performs iterative resolution from root nameservers through
+the full delegation chain. Mocked responses cannot faithfully represent
+the variety of real-world DNS behavior (truncation, referrals, glue
+records, DNSSEC, varied response times, EDNS, etc.). Testing against
+real servers ensures the resolver works correctly in production.
+
+### Constraints
+
+- Tests hit real DNS infrastructure and require network access
+- Test duration depends on network conditions; timeout tuning keeps
+  the suite within the 30-second target
+- Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
+  plus processing margin
+- Root server fan-out is limited to reduce parallel query load
+- Flaky failures from transient network issues are acceptable and
+  should be investigated as potential resolver bugs, not papered over
+  with mocks or skip flags
+
+### What NOT to do
+
+- **Do not mock `DNSClient`** for resolver tests (the mock constructor
+  exists for unit-testing other packages that consume the resolver)
+- **Do not add `-short` flags** to skip slow tests
+- **Do not increase `-timeout`** to hide hanging queries
+- **Do not modify linter configuration** to suppress findings
--- a/internal/resolver/iterative.go
+++ b/internal/resolver/iterative.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math/rand"
 	"net"
 	"sort"
 	"strings"
@@ -13,7 +14,7 @@ import (
 )

 const (
-	queryTimeoutDuration = 700 * time.Millisecond
+	queryTimeoutDuration = 2 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -41,6 +42,22 @@ func rootServerList() []string {
 	}
 }

+const maxRootServers = 3
+
+// randomRootServers returns a shuffled subset of root servers.
+func randomRootServers() []string {
+	all := rootServerList()
+	rand.Shuffle(len(all), func(i, j int) {
+		all[i], all[j] = all[j], all[i]
+	})
+
+	if len(all) > maxRootServers {
+		return all[:maxRootServers]
+	}
+
+	return all
+}
+
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -291,17 +308,8 @@ func (r *Resolver) resolveNSIPs(
 	return ips
 }

-// publicResolvers returns well-known public recursive DNS resolvers.
-func publicResolvers() []string {
-	return []string{
-		"1.1.1.1", // Cloudflare
-		"8.8.8.8", // Google
-		"9.9.9.9", // Quad9
-	}
-}
-
-// resolveNSRecursive queries for NS records using a public
-// recursive resolver as a fallback for intercepted environments.
+// resolveNSRecursive queries for NS records using recursive
+// resolution as a fallback for intercepted environments.
 func (r *Resolver) resolveNSRecursive(
 	ctx context.Context,
 	domain string,
@@ -311,7 +319,7 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true

-	for _, ip := range publicResolvers() {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -332,8 +340,7 @@ func (r *Resolver) resolveNSRecursive(
 	return nil, ErrNoNameservers
 }

-// resolveARecord resolves a hostname to IPv4 addresses using
-// public recursive resolvers.
+// resolveARecord resolves a hostname to IPv4 addresses.
 func (r *Resolver) resolveARecord(
 	ctx context.Context,
 	hostname string,
@@ -343,7 +350,7 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true

-	for _, ip := range publicResolvers() {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -395,7 +402,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."

 		nsNames, err := r.followDelegation(
-			ctx, candidate, rootServerList(),
+			ctx, candidate, randomRootServers(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)
Author	SHA1	Message	Date
Jeffrey Paul	5ab217bfd2	Merge pull request 'Reduce DNS query timeout and limit root server fan-out (closes #29 )' (#30 ) from fix/reduce-dns-timeout-and-root-fanout into main Some checks failed Check / check (push) Has been cancelled Details Reviewed-on: #30	2026-02-28 12:07:20 +01:00
Jeffrey Paul	518a2cc42e	Merge pull request 'doc: add TESTING.md — real DNS only, no mocks' (#34 ) from doc/testing-policy into main Some checks failed Check / check (push) Has been cancelled Details Reviewed-on: #34	2026-02-28 12:06:57 +01:00
user	4cb81aac24	doc: add testing policy — real DNS only, no mocks Some checks failed Check / check (pull_request) Failing after 5m24s Details Documents the project testing philosophy: all resolver tests must use live DNS queries. Mocking the DNS client layer is not permitted. Includes rationale and anti-patterns to avoid.	2026-02-22 04:28:47 -08:00
user	203b581704	Reduce DNS query timeout to 2s and limit root server fan-out to 3 Some checks failed Check / check (pull_request) Failing after 5m57s Details - Reduce queryTimeoutDuration from 5s to 2s - Add randomRootServers() that shuffles and picks 3 root servers - Replace all rootServerList() call sites with randomRootServers() - Keep maxRetries = 2 Closes #29	2026-02-22 03:35:16 -08:00