Consolidate SNI-DNS check and tighten doctor

The runtime warning (warnSNIMismatch) and the diagnostic command
(doctor checkSecretHost) previously implemented the same SNI-DNS
check with different logic: the runtime path was tightened in #461
to require every detected IP family to match, but the doctor still
accepted any single match. The two now agree.

Changes:

- Extract the shared check into internal/cli/sni_check.go, returning
  the resolved addresses and a per-family match status.
- Rewrite warnSNIMismatch and checkSecretHost on top of the helper.
- Doctor output now reports the mismatched IP family (IPv4, IPv6, or
  both) and lists the server's public IP alongside the DNS result.
- getIP falls back through a short list of public-IP endpoints
  (ifconfig.co, icanhazip.com, ifconfig.me) instead of relying on
  a single third-party service.

internal/cli/doctor.go

 	)
 
 	tplODNSSNIMatch = template.Must(
-		template.New("").Parse("  ✅ IP address {{ .ip }} matches secret hostname {{ .hostname }}\n"),
+		template.New("").Parse("  ✅ Secret hostname {{ .hostname }} matches our public IP ({{ .our }}); resolved: {{ .resolved }}\n"),
 	)
 	tplEDNSSNIMatch = template.Must(
-		template.New("").Parse("  ❌ Hostname {{ .hostname }} {{ if .resolved }}is resolved to {{ .resolved }} addresses, not {{ if .ip4 }}{{ .ip4 }}{{ else }}{{ .ip6 }}{{ end }}{{ else }}cannot be resolved to any host{{ end }}\n"),
+		template.New("").Parse("  ❌ Secret hostname {{ .hostname }} resolves to {{ .resolved }} but our public IP is {{ .our }}{{ if .families }} (mismatched families: {{ .families }}){{ end }}\n"),
+	)
+	tplEDNSSNINoResolve = template.Must(
+		template.New("").Parse("  ❌ Secret hostname {{ .hostname }} cannot be resolved to any address\n"),
 	)
 
 	tplOFrontingDomain = template.Must(
 }
 
 func (d *Doctor) checkSecretHost(resolver *net.Resolver, ntw mtglib.Network) bool {
-	addresses, err := resolver.LookupIPAddr(context.Background(), d.conf.Secret.Host)
-	if err != nil {
+	res := runSNICheck(context.Background(), resolver, d.conf, ntw)
+
+	if res.ResolveErr != nil {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-			"description": fmt.Sprintf("cannot resolve DNS name of %s", d.conf.Secret.Host),
-			"error":       err,
+			"description": fmt.Sprintf("cannot resolve DNS name of %s", res.Host),
+			"error":       res.ResolveErr,
 		})
 		return false
 	}
 
-	ourIP4 := d.conf.PublicIPv4.Get(nil)
-	if ourIP4 == nil {
-		ourIP4 = getIP(ntw, "tcp4")
-	}
-
-	ourIP6 := d.conf.PublicIPv6.Get(nil)
-	if ourIP6 == nil {
-		ourIP6 = getIP(ntw, "tcp6")
-	}
-
-	if ourIP4 == nil && ourIP6 == nil {
+	if !res.Known() {
 		tplError.Execute(os.Stdout, map[string]any{ //nolint: errcheck
 			"description": "cannot detect public IP address",
 			"error":       errors.New("cannot detect automatically and public-ipv4/public-ipv6 are not set in config"),
 		return false
 	}
 
-	strAddresses := []string{}
-	for _, value := range addresses {
-		if (ourIP4 != nil && value.IP.String() == ourIP4.String()) ||
-			(ourIP6 != nil && value.IP.String() == ourIP6.String()) {
-			tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-				"ip":       value.IP,
-				"hostname": d.conf.Secret.Host,
-			})
-			return true
+	if len(res.Resolved) == 0 {
+		tplEDNSSNINoResolve.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+			"hostname": res.Host,
+		})
+		return false
+	}
+
+	resolved := make([]string, 0, len(res.Resolved))
+	for _, ip := range res.Resolved {
+		resolved = append(resolved, `"`+ip.String()+`"`)
+	}
+
+	our := ""
+	if res.OurIPv4 != nil {
+		our = res.OurIPv4.String()
+	}
+
+	if res.OurIPv6 != nil {
+		if our != "" {
+			our += "/"
 		}
 
-		strAddresses = append(strAddresses, `"`+value.IP.String()+`"`)
+		our += res.OurIPv6.String()
+	}
+
+	if res.OK() {
+		tplODNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
+			"hostname": res.Host,
+			"resolved": strings.Join(resolved, ", "),
+			"our":      our,
+		})
+		return true
+	}
+
+	mismatched := []string{}
+
+	if res.OurIPv4 != nil && !res.IPv4Match {
+		mismatched = append(mismatched, "IPv4")
+	}
+
+	if res.OurIPv6 != nil && !res.IPv6Match {
+		mismatched = append(mismatched, "IPv6")
 	}
 
 	tplEDNSSNIMatch.Execute(os.Stdout, map[string]any{ //nolint: errcheck
-		"hostname": d.conf.Secret.Host,
-		"resolved": strings.Join(strAddresses, ", "),
-		"ip4":      ourIP4,
-		"ip6":      ourIP6,
+		"hostname": res.Host,
+		"resolved": strings.Join(resolved, ", "),
+		"our":      our,
+		"families": strings.Join(mismatched, ", "),
 	})
 
 	return false

internal/cli/run_proxy.go

 }
 
 func warnSNIMismatch(conf *config.Config, ntw mtglib.Network, log mtglib.Logger) {
-	host := conf.Secret.Host
-	if host == "" {
+	if conf.Secret.Host == "" {
 		return
 	}
 
-	addresses, err := net.DefaultResolver.LookupIPAddr(context.Background(), host)
-	if err != nil {
-		log.BindStr("hostname", host).
-			WarningError("SNI-DNS check: cannot resolve secret hostname", err)
-		return
-	}
+	res := runSNICheck(context.Background(), net.DefaultResolver, conf, ntw)
 
-	ourIP4 := conf.PublicIPv4.Get(nil)
-	if ourIP4 == nil {
-		ourIP4 = getIP(ntw, "tcp4")
-	}
-
-	ourIP6 := conf.PublicIPv6.Get(nil)
-	if ourIP6 == nil {
-		ourIP6 = getIP(ntw, "tcp6")
+	if res.ResolveErr != nil {
+		log.BindStr("hostname", res.Host).
+			WarningError("SNI-DNS check: cannot resolve secret hostname", res.ResolveErr)
+		return
 	}
 
-	if ourIP4 == nil && ourIP6 == nil {
+	if !res.Known() {
 		log.Warning("SNI-DNS check: cannot detect public IP address; set public-ipv4/public-ipv6 in config or run 'mtg doctor'")
 		return
 	}
 
-	v4Match := ourIP4 == nil
-	v6Match := ourIP6 == nil
-
-	for _, addr := range addresses {
-		if ourIP4 != nil && addr.IP.String() == ourIP4.String() {
-			v4Match = true
-		}
-
-		if ourIP6 != nil && addr.IP.String() == ourIP6.String() {
-			v6Match = true
-		}
-	}
-
-	if v4Match && v6Match {
+	if res.OK() {
 		return
 	}
 
-	resolved := make([]string, 0, len(addresses))
-	for _, addr := range addresses {
-		resolved = append(resolved, addr.IP.String())
+	resolved := make([]string, 0, len(res.Resolved))
+	for _, ip := range res.Resolved {
+		resolved = append(resolved, ip.String())
 	}
 
 	our := ""
-	if ourIP4 != nil {
-		our = ourIP4.String()
+	if res.OurIPv4 != nil {
+		our = res.OurIPv4.String()
 	}
 
-	if ourIP6 != nil {
+	if res.OurIPv6 != nil {
 		if our != "" {
 			our += "/"
 		}
 
-		our += ourIP6.String()
+		our += res.OurIPv6.String()
 	}
 
-	entry := log.BindStr("hostname", host).
+	entry := log.BindStr("hostname", res.Host).
 		BindStr("resolved", strings.Join(resolved, ", ")).
 		BindStr("public_ip", our)
 
-	if ourIP4 != nil {
-		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", v4Match))
+	if res.OurIPv4 != nil {
+		entry = entry.BindStr("ipv4_match", fmt.Sprintf("%t", res.IPv4Match))
 	}
 
-	if ourIP6 != nil {
-		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", v6Match))
+	if res.OurIPv6 != nil {
+		entry = entry.BindStr("ipv6_match", fmt.Sprintf("%t", res.IPv6Match))
 	}
 
 	entry.Warning("SNI-DNS mismatch: secret hostname does not resolve to this server's public IP. " +

internal/cli/sni_check.go

+package cli
+
+import (
+	"context"
+	"net"
+
+	"github.com/9seconds/mtg/v2/internal/config"
+	"github.com/9seconds/mtg/v2/mtglib"
+)
+
+// sniCheckResult captures the outcome of comparing the secret hostname's DNS
+// records with this server's public IP addresses.
+//
+// IPv4Match/IPv6Match are true when either a matching record was found, or
+// when the corresponding public IP could not be detected — in which case
+// there is nothing to compare against.
+type sniCheckResult struct {
+	Host       string
+	Resolved   []net.IP
+	OurIPv4    net.IP
+	OurIPv6    net.IP
+	IPv4Match  bool
+	IPv6Match  bool
+	ResolveErr error
+}
+
+// Known reports whether at least one public IP family was detected.
+func (r sniCheckResult) Known() bool {
+	return r.OurIPv4 != nil || r.OurIPv6 != nil
+}
+
+// OK reports whether every detected public IP family matches a resolved
+// record. A partial match (one family matches, another does not) is not OK.
+func (r sniCheckResult) OK() bool {
+	return r.ResolveErr == nil && r.IPv4Match && r.IPv6Match
+}
+
+// runSNICheck resolves conf.Secret.Host and compares the result with the
+// server's public IPv4 and IPv6. Public IPs come from config first and fall
+// back to on-the-fly detection via ntw.
+func runSNICheck(ctx context.Context,
+	resolver *net.Resolver,
+	conf *config.Config,
+	ntw mtglib.Network,
+) sniCheckResult {
+	res := sniCheckResult{Host: conf.Secret.Host}
+
+	if res.Host == "" {
+		res.IPv4Match = true
+		res.IPv6Match = true
+
+		return res
+	}
+
+	addrs, err := resolver.LookupIPAddr(ctx, res.Host)
+	if err != nil {
+		res.ResolveErr = err
+
+		return res
+	}
+
+	res.Resolved = make([]net.IP, 0, len(addrs))
+	for _, a := range addrs {
+		res.Resolved = append(res.Resolved, a.IP)
+	}
+
+	res.OurIPv4 = conf.PublicIPv4.Get(nil)
+	if res.OurIPv4 == nil {
+		res.OurIPv4 = getIP(ntw, "tcp4")
+	}
+
+	res.OurIPv6 = conf.PublicIPv6.Get(nil)
+	if res.OurIPv6 == nil {
+		res.OurIPv6 = getIP(ntw, "tcp6")
+	}
+
+	res.IPv4Match = res.OurIPv4 == nil
+	res.IPv6Match = res.OurIPv6 == nil
+
+	for _, ip := range res.Resolved {
+		if res.OurIPv4 != nil && ip.String() == res.OurIPv4.String() {
+			res.IPv4Match = true
+		}
+
+		if res.OurIPv6 != nil && ip.String() == res.OurIPv6.String() {
+			res.IPv6Match = true
+		}
+	}
+
+	return res
+}

internal/cli/utils.go

 	"github.com/9seconds/mtg/v2/mtglib"
 )
 
+// publicIPEndpoints are tried in order. Each must return the client's public
+// IP as a single address in the plain-text response body.
+var publicIPEndpoints = []string{
+	"https://ifconfig.co",
+	"https://icanhazip.com",
+	"https://ifconfig.me",
+}
+
 func getIP(ntw mtglib.Network, protocol string) net.IP {
 	dialer := ntw.NativeDialer()
 	client := ntw.MakeHTTPClient(func(ctx context.Context, network, address string) (essentials.Conn, error) {
 		return essentials.WrapNetConn(conn), err
 	})
 
-	req, err := http.NewRequest(http.MethodGet, "https://ifconfig.co", nil) //nolint: noctx
-	if err != nil {
-		panic(err)
+	for _, endpoint := range publicIPEndpoints {
+		if ip := fetchPublicIP(client, endpoint); ip != nil {
+			return ip
+		}
 	}
 
-	req.Header.Add("Accept", "text/plain")
+	return nil
+}
 
-	resp, err := client.Do(req)
+func fetchPublicIP(client *http.Client, endpoint string) net.IP {
+	req, err := http.NewRequest(http.MethodGet, endpoint, nil) //nolint: noctx
 	if err != nil {
 		return nil
 	}
 
-	if resp.StatusCode != http.StatusOK {
+	req.Header.Set("Accept", "text/plain")
+	req.Header.Set("User-Agent", "curl/8")
+
+	resp, err := client.Do(req)
+	if err != nil {
 		return nil
 	}
 
 		resp.Body.Close()              //nolint: errcheck
 	}()
 
+	if resp.StatusCode != http.StatusOK {
+		return nil
+	}
+
 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil