CRITICAL: Port and TLS checks for apex domains silently do nothing #19

Open
opened 2026-02-20 13:49:42 +01:00 by clawbot · 0 comments
Collaborator

Bug

checkAllPorts() and runTLSChecks() both iterate over w.config.Domains and call collectIPs(domain). However, collectIPs reads from GetHostnameState(hostname), which only returns state set by checkHostname(). Domains go through checkDomain() which sets DomainState (nameservers only), never HostnameState.

```go
func (w *Watcher) checkAllPorts(ctx context.Context) {
    // ...
    for _, domain := range w.config.Domains {
        w.checkPortsForHostname(ctx, domain)  // calls collectIPs
    }
}

func (w *Watcher) collectIPs(hostname string) []string {
    hs, ok := w.state.GetHostnameState(hostname)  // always false for domains!
    if !ok {
        return nil  // silently returns nothing
    }
    // ...
}
```

Impact

If a user configures example.com as a target (an apex domain), DNS NS monitoring works, but port monitoring and TLS certificate monitoring are silently skipped. No error is logged.

Fix

Either:

  1. Resolve A/AAAA records for domains too (treating them also as hostnames for IP-level checks), or
  2. Remove domains from the port/TLS check loops if they are intentionally NS-only, and document this behavior, or
  3. Unify the domain/hostname distinction so all targets get full monitoring.
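Added example, not dnswatcher's own code: a minimal stand-in that shows the silent-skip path from the report beside fix option 1 (resolving A/AAAA for targets that have no HostnameState and surfacing lookup failures). The Watcher type, its field names and the fakeLookup resolver are assumptions so that it runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
)

// Watcher stands in for the project's type (hypothetical); resolve is injected so this runs offline.
type Watcher struct {
	HostnameState map[string][]string // hostname -> IPs, set by checkHostname only
	resolve       func(context.Context, string) ([]net.IPAddr, error) // e.g. net.DefaultResolver.LookupIPAddr
}
// collectIPsBuggy mirrors the report: a target missing from HostnameState (every
// apex domain) yields nil with no error, so port/TLS checks silently skip it.
func (w *Watcher) collectIPsBuggy(host string) []string {
	return w.HostnameState[host]
}
// collectIPsFixed is fix option 1: resolve A/AAAA for targets without HostnameState and surface failures.
func (w *Watcher) collectIPsFixed(ctx context.Context, host string) ([]string, error) {
	if ips, ok := w.HostnameState[host]; ok {
		return ips, nil
	}
	addrs, err := w.resolve(ctx, host)
	if err != nil {
		return nil, fmt.Errorf("collectIPs %q: %w", host, err)
	}
	ips := make([]string, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, a.IP.String())
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("collectIPs %q: no A/AAAA records", host)
	}
	return ips, nil
}

// fakeLookup is a constructed resolver: example.com has A+AAAA, anything else is NXDOMAIN.
func fakeLookup(_ context.Context, host string) ([]net.IPAddr, error) {
	if host == "example.com" {
		return []net.IPAddr{{IP: net.ParseIP("192.0.2.10")}, {IP: net.ParseIP("2001:db8::10")}}, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	w := &Watcher{resolve: fakeLookup} // empty HostnameState: example.com is an apex domain
	ips, err := w.collectIPsFixed(context.Background(), "example.com")
	fmt.Printf("buggy=%v fixed=%v err=%v\n", w.collectIPsBuggy("example.com"), ips, err)
}
```

A monitoring target that yields no IPs and no error is the condition to alert on; the fixed path makes that an error a caller can log.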
Reference: sneak/dnswatcher#19