DNS checks now always complete before port or TLS checks begin,
ensuring those checks use freshly resolved IP addresses instead of
potentially stale ones from a previous cycle.
Changes:
- Extract runDNSChecks() from runDNSAndPortChecks() so DNS resolution
can be invoked independently
- Run DNS before TLS on the TLS ticker (previously TLS ran alone with
whatever IPs were in state from the last DNS cycle, up to 12h stale)
- RunOnce uses explicit 3-phase ordering: DNS → ports → TLS
- Add TestDNSRunsBeforePortAndTLSChecks to verify fresh IPs propagate
- Update README monitoring lifecycle to document DNS-first ordering
closes #58
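
The ordering problem described in this commit message, as an added Go example that is not the project's own code: a TLS tick that reuses cached IPs probes the old address after a record change, while a DNS-first tick probes the new one. `Monitor`, `refreshDNS` (standing in for the role of `runDNSChecks()`), the tick functions, the host name and the addresses are all hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Resolver and Checker are hypothetical stand-ins for a DNS lookup and a TLS probe.
type Resolver func(host string) []string
type Checker func(ip string)

// Monitor caches the last resolved IPs per host between check cycles.
type Monitor struct {
	resolve Resolver
	ips     map[string][]string
}

// refreshDNS plays the role of an independently callable DNS phase.
func (m *Monitor) refreshDNS(host string) { m.ips[host] = m.resolve(host) }

// tlsTickCached probes whatever IPs are already in state (the old behaviour).
func (m *Monitor) tlsTickCached(host string, check Checker) {
	for _, ip := range m.ips[host] {
		check(ip)
	}
}

// tlsTickDNSFirst resolves first, then probes (the ordering the commit describes).
func (m *Monitor) tlsTickDNSFirst(host string, check Checker) {
	m.refreshDNS(host)
	m.tlsTickCached(host, check)
}

// Simulate returns the IPs each variant probes after the DNS record changes.
func Simulate() (cached, fresh []string) {
	record := "192.0.2.10" // constructed sample address (TEST-NET-1)
	m := &Monitor{
		resolve: func(string) []string { return []string{record} },
		ips:     map[string][]string{},
	}
	m.refreshDNS("example.test") // earlier DNS cycle fills the state
	record = "192.0.2.20"        // record moves before the next TLS tick
	m.tlsTickCached("example.test", func(ip string) { cached = append(cached, ip) })
	m.tlsTickDNSFirst("example.test", func(ip string) { fresh = append(fresh, ip) })
	return cached, fresh
}

func main() {
	cached, fresh := Simulate()
	fmt.Println("cached tick probed:", cached, "DNS-first tick probed:", fresh)
}
```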