Add DNS query function

README.md

@@ -73,6 +73,7 @@ Example:
 ```toml
 [daemon]
 # host = "localhost"  # default: "localhost" (use reverse proxy for public access)
+#                     # Use "0.0.0.0" for IPv4-only, "::" for IPv6-only (dual-stack depends on OS)
 # port = 8443  # default: 8443
 # log_level = "INFO"  # default: "INFO"
 # log_target = "stdout"  # default: "stdout", or "syslog", "file"
@@ -87,10 +88,13 @@ ssl_cert_file = "/etc/ddns-service/cert.pem"  # required if ssl = true
 ssl_key_file = "/etc/ddns-service/key.pem"  # required if ssl = true
 # proxy_header = ""  # default: "" (disabled), e.g. "X-Forwarded-For"
 # trusted_proxies = []  # default: [], e.g. ["127.0.0.1", "10.0.0.0/8"]
+# thread_pool_size = 10  # default: 10
+# request_timeout = 10  # default: 10 (seconds)
 
 [database]
 # backend = "sqlite"  # default: "sqlite", or "mariadb"
 path = "/var/lib/ddns-service/ddns.db"  # required for sqlite
+# pool_size = 5  # default: 5 (MariaDB connection pool size)
 
 [dns_service]
 # dns_server = "127.0.0.1"  # default: "127.0.0.1" (must be IP address)
@@ -276,6 +280,16 @@ ddns-service --daemon
 ddns-service --daemon --debug
 ```
 
+### Signals
+
+- **SIGHUP**: Reload configuration (all settings except database, host, port; SSL certs are reloaded)
+- **SIGTERM/SIGINT**: Graceful shutdown (waits up to 5 seconds for active requests)
+
+```bash
+# Reload config
+kill -HUP $(pidof ddns-service)
+```
+
 ## HTTP API
 
 ### Request

files/config.example.toml

@@ -1,5 +1,6 @@
 [daemon]
 # host = "localhost"  # default, use reverse proxy for public access!
+#                     # Use "0.0.0.0" for IPv4-only, "::" for IPv6-only (dual-stack depends on OS)
 # port = 8443  # default
 # log_level = "INFO"  # default
 # log_target = "stdout"  # default, "stdout", "syslog" or "file"
@@ -14,6 +15,8 @@ ssl_cert_file = "/etc/ddns-service/cert.pem"  # required if ssl = true
 ssl_key_file = "/etc/ddns-service/key.pem"  # required if ssl = true
 # proxy_header = ""  # default (disabled), header name e.g. "X-Forwarded-For"
 # trusted_proxies = []  # default, list of trusted proxy IPs/CIDRs
+# thread_pool_size = 10  # default, max concurrent request handlers
+# request_timeout = 10  # default, socket timeout in seconds
 
 [database]
 # backend = "sqlite"  # default, "sqlite", or "mariadb"
@@ -23,6 +26,7 @@ path = "/var/lib/ddns-service/ddns.db"  # required for sqlite
 # user = "ddns"  # required for mariadb
 # password = "secret"  # required for mariadb
 # database = "ddns"  # required for mariadb
+# pool_size = 5  # default, MariaDB connection pool size
 
 [dns_service]
 # dns_server = "127.0.0.1"  # default, must be IP address

files/ddns-service-openrc.initd

@@ -20,3 +20,9 @@ depend() {
 start_pre() {
 	checkpath --directory --owner ${USER}:${GROUP} --mode 0750 /var/lib/ddns-service
 }
+
+reload() {
+	ebegin "Reloading ${RC_SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}

src/ddns_service/__init__.py

@@ -15,20 +15,110 @@ __all__ = [
     "cleanup",
     "cli",
     "config",
+    "datetime_aware_utc",
+    "datetime_naive_utc",
     "datetime_str",
     "dns",
     "email",
     "logging",
     "main",
     "models",
+    "now_utc"
     "ratelimit",
     "server",
+    "STATUS_GOOD",
+    "STATUS_NOCHG",
+    "STATUS_BADAUTH",
+    "STATUS_NOHOST",
+    "STATUS_DNSERR",
+    "STATUS_ABUSE",
+    "STATUS_BADIP",
 ]
 
+# DynDNS-compatible response statuses
+STATUS_GOOD = "good"
+STATUS_NOCHG = "nochg"
+STATUS_BADAUTH = "badauth"
+STATUS_NOHOST = "nohost"
+STATUS_DNSERR = "dnserr"
+STATUS_ABUSE = "abuse"
+STATUS_BADIP = "badip"
+
 DATETIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"
 
+# Datetime convention:
+# All datetime objects in this codebase are timezone-aware.
+# - now_utc(): returns timezone-aware UTC datetime
+# - datetime_str(): converts naive UTC (adds tzinfo for formatting)
+#   or timezone-aware datetime to display string
+# - Database stores/returns naive datetimes (always UTC by convention)
+# - Database models automatically convert between naive/timezone-aware datetimes
+
+
+def now_utc():
+    """
+    Get current date and time in UTC.
+
+    Returns:
+        Timezone-aware datetime object in UTC.
+    """
+    return datetime.datetime.now(datetime.UTC)
+
+
+def datetime_naive_utc(dt):
+    """
+    Convert datetime to naive UTC datetime.
+
+    Args:
+        dt: Datetime object (naive UTC or timezone-aware or None).
+
+    Returns:
+        Naive datetime object in UTC or None if dt is not a datetime.
+    """
+    if not isinstance(dt, datetime.datetime):
+        return None
+
+    if not dt.tzinfo:
+        return dt
+
+    return dt.astimezone(datetime.UTC).replace(tzinfo=None)
+
+
+def datetime_aware_utc(dt):
+    """
+    Convert datetime to UTC datetime.
+
+    Args:
+        dt: Datetime object (naive UTC or timezone-aware or None).
+
+    Returns:
+        Timzone-aware datetime object in UTC or None if dt is not a datetime.
+    """
+    if not isinstance(dt, datetime.datetime):
+        return None
+
+    if not dt.tzinfo:
+        return dt.replace(tzinfo=datetime.UTC)
+
+    if dt.tzinfo == datetime.UTC:
+        return dt
+
+    return dt.astimezone(datetime.UTC)
+
 
 def datetime_str(dt, utc=False):
+    """
+    Convert datetime to display string.
+
+    Assumes naive datetimes are UTC per codebase convention.
+
+    Args:
+        dt: Datetime object (naive UTC or timezone-aware).
+        utc: If True, display in UTC; otherwise convert to local timezone.
+
+    Returns:
+        Formatted datetime string, or "Never" if dt is not a datetime.
+    """
     if not isinstance(dt, datetime.datetime):
         return "Never"
 
@@ -38,7 +128,3 @@ def datetime_str(dt, utc=False):
         return aware_dt.strftime(DATETIME_FORMAT)
     else:
         return aware_dt.astimezone().strftime(DATETIME_FORMAT)
-
-
-def utc_now():
-    return datetime.datetime.now(datetime.UTC).replace(tzinfo=None)

src/ddns_service/app.py

@@ -1,12 +1,13 @@
 """Application class - central dependency holder."""
 
+import argon2
 import logging
 import threading
 
-import argon2
+from .config import load_config
-
 from .dns import DNSService
 from .email import EmailService
+from .logging import setup_logging
 from .models import create_tables, init_database
 from .ratelimit import BadLimiter, GoodLimiter
 
@@ -18,14 +19,16 @@ class Application:
     Holds configuration and all service instances.
     """
 
-    def __init__(self, config):
+    def __init__(self, config, config_path=None):
         """
         Initialize application with configuration.
 
         Args:
             config: Configuration dictionary from TOML file.
+            config_path: Path to configuration file (for reload).
         """
         self.config = config
+        self.config_path = config_path
         self.password_hasher = argon2.PasswordHasher()
         self.shutdown_event = threading.Event()
 
@@ -57,6 +60,39 @@ class Application:
         self.bad_limiter = BadLimiter(self.config)
         logging.info("Rate limiters initialized")
 
+    def reload_config(self):
+        """
+        Reload configuration from file.
+
+        Does not reload: database settings, host, port.
+        """
+        new_config = load_config(self.config_path)
+
+        # Preserve DB and bind settings
+        new_config["database"] = self.config["database"]
+        new_config["daemon"]["host"] = self.config["daemon"]["host"]
+        new_config["daemon"]["port"] = self.config["daemon"]["port"]
+
+        self.config = new_config
+
+        # Reconfigure logging
+        setup_logging(
+            level=self.config["daemon"]["log_level"],
+            target=self.config["daemon"]["log_target"],
+            syslog_socket=self.config["daemon"]["syslog_socket"],
+            syslog_facility=self.config["daemon"]["syslog_facility"],
+            log_file=self.config["daemon"]["log_file"],
+            log_file_size=self.config["daemon"]["log_file_size"],
+            log_versions=self.config["daemon"]["log_versions"],
+        )
+
+        # Re-init services
+        self.init_dns()
+        self.init_email()
+        self.init_rate_limiters()
+
+        logging.info("Configuration reloaded")
+
     def signal_shutdown(self):
         """Signal the application to shut down."""
         logging.info("Shutdown signaled")

src/ddns_service/cleanup.py

@@ -3,22 +3,23 @@
 import logging
 import threading
 
-from . import utc_now
+from . import now_utc
 from .models import Hostname, User
 from datetime import timedelta
 
 
-def cleanup_expired(app):
+def cleanup_expired(app, start_time=None):
     """
     Clean up expired hostnames and return count of cleaned entries.
 
     Args:
         app: Application instance with dns_service and email_service.
+        start_time: Timezone aware datetime object containg the start time of the cleanup thread.
 
     Returns:
         Number of expired hostnames processed.
     """
-    now = utc_now()
+    now = now_utc()
     expired_count = 0
 
     for hostname in Hostname.select().join(User).where(
@@ -30,12 +31,14 @@ def cleanup_expired(app):
         ipv6_expired = False
 
         if hostname.last_ipv4:
-            expiry_time = hostname.last_ipv4_update + timedelta(seconds=hostname.expiry_ttl)
+            last_update = max(hostname.last_ipv4_update, start_time)
+            expiry_time = last_update + timedelta(seconds=hostname.expiry_ttl)
             if now > expiry_time:
                 ipv4_expired = True
 
         if hostname.last_ipv6:
-            expiry_time = hostname.last_ipv6_update + timedelta(seconds=hostname.expiry_ttl)
+            last_update = max(hostname.last_ipv6_update, start_time)
+            expiry_time = last_update + timedelta(seconds=hostname.expiry_ttl)
             if now > expiry_time:
                 ipv6_expired = True
 
@@ -48,38 +51,43 @@ def cleanup_expired(app):
         if app.dns_service:
             if ipv4_expired:
                 logging.info(
-                    f"Host expired: hostname={hostname.hostname} zone={hostname.zone} "
+                    f"Cleanup: Host expired: hostname={hostname.hostname} zone={hostname.zone} "
-                    f"ip={hostname.last_ipv4}"
+                    f"ipv4={hostname.last_ipv4}"
                 )
                 try:
                     app.dns_service.delete_record(hostname.hostname, hostname.zone, "A")
                     ipv4_deleted = True
                 except Exception as e:
+                    logging.error(f"DNS error: {e}")
                     logging.error(
-                        f"DNS delete failed: hostname={hostname.hostname} "
+                        f"Cleanup failed: hostname={hostname.hostname} "
-                        f"zone={hostname.zone} type=A error={e}"
+                        f"zone={hostname.zone} type=A"
                     )
 
             if ipv6_expired:
                 logging.info(
-                    f"Host expired: hostname={hostname.hostname} zone={hostname.zone} "
+                    f"Cleanup: Host expired: hostname={hostname.hostname} zone={hostname.zone} "
-                    f"ip={hostname.last_ipv6}"
+                    f"ipv6={hostname.last_ipv6}"
                 )
                 try:
                     app.dns_service.delete_record(hostname.hostname, hostname.zone, "AAAA")
                     ipv6_deleted = True
                 except Exception as e:
+                    logging.error(f"DNS error: {e}")
                     logging.error(
-                        f"DNS delete failed: hostname={hostname.hostname} "
+                        f"Cleanup failed: hostname={hostname.hostname} "
-                        f"zone={hostname.zone} type=AAAA error={e}"
+                        f"zone={hostname.zone} type=AAAA"
                     )
 
+        if not (ipv4_deleted or ipv6_deleted):
+            continue
+
         if app.email_service:
             app.email_service.send_expiry_notification(
                 hostname.user.email,
                 hostname,
-                ipv4_expired,
+                ipv4_deleted,
-                ipv6_expired
+                ipv6_deleted
             )
 
         # Clear IP addresses only if DNS delete succeeded
@@ -88,7 +96,6 @@ def cleanup_expired(app):
         if ipv6_deleted:
             hostname.last_ipv6 = None
 
-        if ipv4_deleted or ipv6_deleted:
         hostname.save()
         expired_count += 1
 
@@ -113,10 +120,11 @@ class ExpiredRecordsCleanupThread(threading.Thread):
     def run(self):
         """Run the cleanup loop."""
         logging.info(f"Expired records cleanup thread started: interval={self.interval}s")
+        start_time = now_utc()
 
         while not self.stop_event.wait(self.interval):
             try:
-                count = cleanup_expired(self.app)
+                count = cleanup_expired(self.app, start_time)
                 if count > 0:
                     logging.info(f"Expired records cleanup completed: count={count}")
             except Exception as e:

src/ddns_service/cli.py

@@ -1,18 +1,19 @@
 """CLI commands for user and hostname management."""
 
 import getpass
-import logging
 
 from . import datetime_str
 from .cleanup import cleanup_expired
+from .dns import encode_dnsname
 from .models import (
+    DatabaseError,
     DoesNotExist,
+    EncodingError,
     get_hostname,
     get_user,
     Hostname,
     User,
 )
-from .dns import encode_dnsname, EncodingError
 
 
 def cmd_user_list(args, app):
@@ -166,24 +167,8 @@ def cmd_hostname_list(args, app):
 def cmd_hostname_add(args, app):
     """Add a hostname."""
     username = args.username
-    config = app.config
 
-    # Validate and encode hostname/zone
     try:
-        hostname_str = encode_dnsname(args.hostname)
-        zone = encode_dnsname(args.zone)
-    except EncodingError as e:
-        print(f"Error: {e}")
-        return 1
-
-    # Get TTLs from args or config defaults
-    dns_ttl = args.dns_ttl
-    if dns_ttl is None:
-        dns_ttl = config["defaults"]["dns_ttl"]
-    expiry_ttl = args.expiry_ttl
-    if expiry_ttl is None:
-        expiry_ttl = config["defaults"]["expiry_ttl"]
-
         # Get user
         try:
             user = get_user(username)
@@ -192,40 +177,59 @@ def cmd_hostname_add(args, app):
             return 1
 
         # Check if hostname+zone exists
-    if Hostname.select().where(
+        try:
-        (Hostname.hostname == hostname_str) & (Hostname.zone == zone)
+            hostname = get_hostname(args.hostname, args.zone)
-    ).exists():
+            print(f"Error: Hostname '{hostname.hostname}' in zone '{hostname.zone}' exists.")
-        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' exists.")
             return 1
+        except EncodingError as e:
+            print(f"Error: {e}")
+            return 1
+        except DoesNotExist:
+            pass
+
+        # Get TTLs from args or config defaults
+        config = app.config
+
+        dns_ttl = args.dns_ttl
+        if dns_ttl is None:
+            dns_ttl = config["defaults"]["dns_ttl"]
+        expiry_ttl = args.expiry_ttl
+        if expiry_ttl is None:
+            expiry_ttl = config["defaults"]["expiry_ttl"]
 
         # Create hostname
-    Hostname.create(
+        hostname = Hostname.create(
             user=user,
-        hostname=hostname_str,
+            hostname=args.hostname,
-        zone=zone,
+            zone=args.zone,
             dns_ttl=dns_ttl,
             expiry_ttl=expiry_ttl
         )
-    print(f"Hostname '{hostname_str}' added for user '{username}'.")
+        print(
+            f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' added "
+            f"for user '{username}'."
+        )
+    except DatabaseError as e:
+        print(f"Database error: {e}")
+        return 1
+
     return 0
 
 
 def cmd_hostname_delete(args, app):
     """Delete a hostname."""
-    # Validate and encode hostname and zone
     try:
-        hostname_str = encode_dnsname(args.hostname)
+        try:
+            hostname = get_hostname(args.hostname, args.zone)
+        except DoesNotExist:
+            hostname = encode_dnsname(args.hostname)
             zone = encode_dnsname(args.zone)
+            print(f"Error: Hostname '{hostname}' in zone '{zone}' not found.")
+            return 1
         except EncodingError as e:
             print(f"Error: {e}")
             return 1
 
-    try:
-        hostname = get_hostname(hostname_str, zone)
-    except DoesNotExist:
-        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' not found.")
-        return 1
-
         # Delete DNS records if active
         if hostname.last_ipv4 or hostname.last_ipv6:
             # Initialize DNS service if not already
@@ -233,45 +237,50 @@ def cmd_hostname_delete(args, app):
                 try:
                     app.init_dns()
                 except Exception as e:
-                logging.warning(f"DNS init failed: {e}")
+                    print(f"DNS init failed: {e}")
+                    return 1
 
-        if app.dns_service:
             if hostname.last_ipv4:
                 try:
                     app.dns_service.delete_record(
                         hostname.hostname, hostname.zone, "A"
                     )
                 except Exception as e:
-                    logging.warning(f"DNS delete failed: type=A error={e}")
+                    print(f"DNS delete failed: type=A error={e}")
+                    return 1
+
             if hostname.last_ipv6:
                 try:
                     app.dns_service.delete_record(
                         hostname.hostname, hostname.zone, "AAAA"
                     )
                 except Exception as e:
-                    logging.warning(f"DNS delete failed: type=AAAA error={e}")
+                    print(f"DNS delete failed: type=AAAA error={e}")
+                    return 1
 
         hostname.delete_instance()
-    print(f"Hostname '{hostname_str}' in zone '{zone}' deleted.")
+        print(f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' deleted.")
+    except DatabaseError as e:
+        print(f"Database error: {e}")
+        return 1
+
     return 0
 
 
 def cmd_hostname_modify(args, app):
     """Modify hostname settings."""
-    # Validate and encode hostname and zone
     try:
-        hostname_str = encode_dnsname(args.hostname)
+        try:
+            hostname = get_hostname(args.hostname, args.zone)
+        except DoesNotExist:
+            hostname = encode_dnsname(args.hostname)
             zone = encode_dnsname(args.zone)
+            print(f"Error: Hostname '{hostname}' in zone '{zone}' not found.")
+            return 1
         except EncodingError as e:
             print(f"Error: {e}")
             return 1
 
-    try:
-        hostname = get_hostname(hostname_str, zone)
-    except DoesNotExist:
-        print(f"Error: Hostname '{hostname_str}' in zone '{zone}' not found.")
-        return 1
-
         # Get new TTLs
         dns_ttl = args.dns_ttl if args.dns_ttl is not None else hostname.dns_ttl
         expiry_ttl = args.expiry_ttl if args.expiry_ttl is not None else hostname.expiry_ttl
@@ -280,9 +289,13 @@ def cmd_hostname_modify(args, app):
         hostname.expiry_ttl = expiry_ttl
         hostname.save()
         print(
-        f"Hostname '{hostname_str}' updated: "
+            f"Hostname '{hostname.hostname}' in zone '{hostname.zone}' updated: "
             f"dns_ttl={dns_ttl}, expiry_ttl={expiry_ttl}"
         )
+    except DatabaseError as e:
+        print(f"Database error: {e}")
+        return 1
+
     return 0
 
 
@@ -293,11 +306,20 @@ def cmd_cleanup(args, app):
         try:
             app.init_dns()
         except Exception as e:
-            logging.warning(f"DNS init failed: {e}")
+            print(f"DNS init failed: {e}")
+            return 1
 
     if app.email_service is None:
         app.init_email()
 
+    try:
         count = cleanup_expired(app)
         print(f"Cleanup complete: {count} expired hostname(s) processed.")
+    except DatabaseError as e:
+        print(f"Database error: {e}")
+        return 1
+    except Exception as e:
+        print(f"Error: {e}")
+        return 1
+
     return 0

src/ddns_service/config.py

@@ -141,9 +141,12 @@ def load_config(config_path):
     cfg["daemon"].setdefault("ssl", False)
     cfg["daemon"].setdefault("proxy_header", "")
     cfg["daemon"].setdefault("trusted_proxies", [])
+    cfg["daemon"].setdefault("thread_pool_size", 10)
+    cfg["daemon"].setdefault("request_timeout", 10)
 
     cfg.setdefault("database", {})
     cfg["database"].setdefault("backend", "sqlite")
+    cfg["database"].setdefault("pool_size", 5)
 
     cfg.setdefault("dns_service", {})
     cfg["dns_service"].setdefault("dns_server", "127.0.0.1")

src/ddns_service/dns.py

@@ -10,6 +10,7 @@ import dns.name
 import dns.query
 import dns.rcode
 import dns.rdatatype
+import dns.resolver
 import dns.tsigkeyring
 import dns.update
 
@@ -37,6 +38,12 @@ def encode_dnsname(hostname):
 
     Raises:
         EncodingError: If hostname is invalid.
+
+    Example:
+        >>> encode_dnsname("münchen")
+        'xn--mnchen-3ya'
+        >>> encode_dnsname("example.com.")
+        'example.com'
     """
     hostname = hostname.lower().strip()
 
@@ -84,6 +91,24 @@ def encode_dnsname(hostname):
 
 
 def detect_ip_type(ip):
+    """
+    Detect IP address type and normalize.
+
+    Args:
+        ip: IP address string.
+
+    Returns:
+        Tuple of (record_type, normalized_ip).
+
+    Raises:
+        ValueError: If IP address is invalid.
+
+    Example:
+        >>> detect_ip_type("192.168.1.1")
+        ('A', '192.168.1.1')
+        >>> detect_ip_type("2001:db8::1")
+        ('AAAA', '2001:db8::1')
+    """
     try:
         addr = ipaddress.ip_address(ip)
         if isinstance(addr, ipaddress.IPv4Address):
@@ -127,6 +152,16 @@ def parse_bind_key_file(path):
 
     Raises:
         DNSError: If parsing fails.
+
+    Example:
+        Key file contents::
+
+            key "ddns-key." {
+                algorithm hmac-sha256;
+                secret "base64secret==";
+            };
+
+        >>> keyring, algo = parse_bind_key_file("/etc/bind/ddns.key")
     """
     if not path:
         return None, None
@@ -319,18 +354,54 @@ class DNSService:
             return hostname[:-len(zone_suffix)]
         return hostname
 
+    def query_record(self, hostname, zone, record_type):
+        """
+        Check if DNS record exists.
+
+        Args:
+            hostname: Hostname (without zone suffix).
+            zone: DNS zone name.
+            record_type: Record type string (A or AAAA).
+
+        Returns:
+            IP address string if record exists, None otherwise.
+        """
+        fqdn = f"{self._get_relative_name(hostname, zone)}.{zone}"
+        if not fqdn.endswith("."):
+            fqdn += "."
+        try:
+            resolver = dns.resolver.Resolver()
+            resolver.nameservers = [self.server]
+            resolver.port = self.port
+            resolver.lifetime = self.timeout
+            answers = resolver.resolve(fqdn, record_type)
+            return str(answers[0]) if answers else None
+        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
+                dns.resolver.NoNameservers):
+            return None
+        except Exception as e:
+            logging.warning(
+                f"DNS query failed: hostname={hostname} zone={zone} "
+                f"type={record_type}: {e}"
+            )
+            return None
+
     def update_record(self, hostname, zone, ip, ttl):
         """
         Update a DNS record for the given hostname.
 
         Args:
-            hostname: Fully qualified hostname.
+            hostname: Hostname (without zone suffix).
             zone: DNS zone name.
             ip: IP address to set.
             ttl: DNS record TTL.
 
         Raises:
             DNSError: If update fails.
+
+        Example:
+            >>> dns_service.update_record("myhost", "example.com", "192.168.1.1", 60)
+            >>> dns_service.update_record("myhost", "example.com", "2001:db8::1", 60)
         """
         try:
             record_type, normalized_ip = detect_ip_type(ip)

src/ddns_service/email.py

@@ -76,11 +76,10 @@ class EmailService:
             smtp_host = self.config["smtp_host"]
             smtp_port = self.config["smtp_port"]
 
-            server = smtplib.SMTP(smtp_host, smtp_port)
+            with smtplib.SMTP(smtp_host, smtp_port) as server:
                 if self.config.get("smtp_starttls", False):
                     server.starttls()
 
-            try:
                 if self.config.get("smtp_user"):
                     server.login(
                         self.config["smtp_user"],
@@ -89,8 +88,6 @@ class EmailService:
                 server.sendmail(msg["From"], [to], msg.as_string())
                 logging.info(f"Email sent: to={to} subject={subject}")
                 return True
-            finally:
-                server.quit()
 
         except Exception as e:
             logging.error(f"Email send failed: to={to} error={e}")

src/ddns_service/main.py

@@ -153,7 +153,7 @@ def main():
             )
 
     # Create application instance
-    app = Application(config)
+    app = Application(config, config_path)
 
     # Initialize database
     try:

src/ddns_service/models.py

@@ -2,22 +2,46 @@
 
 import logging
 import os
+import time
 
-from . import utc_now
+from . import datetime_naive_utc, datetime_aware_utc, now_utc
+from .dns import encode_dnsname, EncodingError
 from peewee import (
     AutoField,
     CharField,
+    DatabaseProxy,
+    Model,
     DateTimeField,
     DoesNotExist,
+    fn,
     ForeignKeyField,
     IntegerField,
-    Model,
-    MySQLDatabase,
     SqliteDatabase,
+    PeeweeException as DatabaseError,
 )
+from playhouse.pool import PooledMySQLDatabase
 
-# Database instance (initialized later)
+
-db = SqliteDatabase(None)
+# Re-export PeeweeException as DatabseException, DoesNotExist and
+# EncodingError for convenience
+__all__ = [
+    'db',
+    'DATABASE_VERSION',
+    'User',
+    'Hostname',
+    'Version',
+    'init_database',
+    'create_tables',
+    'get_user',
+    'get_hostname',
+    'get_hostname_for_user',
+    'DoesNotExist',
+    'EncodingError',
+    'DatabaseError',
+]
+
+# Database proxy (initialized later with actual backend)
+db = DatabaseProxy()
 
 # Current database schema version
 DATABASE_VERSION = 2
@@ -42,12 +66,34 @@ MIGRATION_COLUMN_MAPS = {
 }
 
 
+class DateTimeFieldUTC(DateTimeField):
+    def db_value(self, value):
+        if value:
+            value = datetime_naive_utc(value)
+        return super().db_value(value)
+
+    def python_value(self, value):
+        value = super().python_value(value)
+        if value:
+            return datetime_aware_utc(value)
+
+
 class BaseModel(Model):
-    """Base model with database binding."""
+    """Base model with database binding and save retry."""
 
     class Meta:
         database = db
 
+    def save(self, *args, max_retries=3, retry_delay=0.1, **kwargs):
+        """Save with retry on DatabaseError (exponential backoff)."""
+        for attempt in range(max_retries):
+            try:
+                return super().save(*args, **kwargs)
+            except DatabaseError:
+                if attempt == max_retries - 1:
+                    raise
+                time.sleep(retry_delay * (2 ** attempt))
+
 
 class User(BaseModel):
     """User model for authentication."""
@@ -56,7 +102,7 @@ class User(BaseModel):
     username = CharField(max_length=64, unique=True)
     password_hash = CharField(max_length=128)
     email = CharField(max_length=255)
-    created_at = DateTimeField(default=utc_now)
+    created_at = DateTimeFieldUTC(default=now_utc)
 
     class Meta:
         table_name = "users"
@@ -72,9 +118,9 @@ class Hostname(BaseModel):
     dns_ttl = IntegerField()
     expiry_ttl = IntegerField()
     last_ipv4 = CharField(max_length=15, null=True)
-    last_ipv4_update = DateTimeField(null=True)
+    last_ipv4_update = DateTimeFieldUTC(null=True)
     last_ipv6 = CharField(max_length=45, null=True)
-    last_ipv6_update = DateTimeField(null=True)
+    last_ipv6_update = DateTimeFieldUTC(null=True)
 
     class Meta:
         table_name = "hostnames"
@@ -109,7 +155,6 @@ def init_database(config: dict):
     Raises:
         ValueError: If unknown database backend.
     """
-    global db
 
     backend = config["database"].get("backend", "sqlite")
 
@@ -118,21 +163,23 @@ def init_database(config: dict):
         db_dir = os.path.dirname(db_path)
         if db_dir:
             os.makedirs(db_dir, exist_ok=True)
-        db.init(db_path)
+        actual_db = SqliteDatabase(db_path, pragmas={
+            'journal_mode': 'wal',
+            'busy_timeout': 5000,
+        })
+        db.initialize(actual_db)
         logging.debug(f"Database backend: SQLite path={db_path}")
 
     elif backend == "mariadb":
-        db = MySQLDatabase(
+        actual_db = PooledMySQLDatabase(
             config["database"]["database"],
             host=config["database"].get("host", "localhost"),
             port=config["database"].get("port", 3306),
             user=config["database"]["user"],
             password=config["database"]["password"],
+            max_connections=config["database"].get("pool_size", 5),
         )
-        # Re-bind models to new database
+        db.initialize(actual_db)
-        User._meta.database = db
-        Hostname._meta.database = db
-        Version._meta.database = db
         db_name = config['database']['database']
         logging.debug(f"Database backend: MariaDB db={db_name}")
 
@@ -248,7 +295,7 @@ def create_tables():
     logging.debug("Database tables created")
 
 
-def get_user(username: str):
+def get_user(username: str) -> User:
     """
     Get user by username.
 
@@ -260,11 +307,16 @@ def get_user(username: str):
 
     Raises:
         DoesNotExist: If user not found.
+
+    Example:
+        >>> user = get_user("alice")
+        >>> print(user.email)
+        'alice@example.com'
     """
     return User.get(User.username == username)
 
 
-def get_hostname(hostname, zone):
+def get_hostname(hostname: str, zone: str) -> Hostname:
     """
     Get hostname by name and zone.
 
@@ -277,9 +329,16 @@ def get_hostname(hostname, zone):
 
     Raises:
         DoesNotExist: If hostname not found.
+        EncodingError: If hostname or zone is invalid.
+
+    Example:
+        >>> host = get_hostname("myhost", "example.com")
+        >>> print(host.last_ipv4)
+        '192.168.1.1'
     """
     return Hostname.get(
-        (Hostname.hostname == hostname) & (Hostname.zone == zone)
+        (Hostname.hostname == encode_dnsname(hostname)) &
+        (Hostname.zone == encode_dnsname(zone))
     )
 
 
@@ -288,7 +347,7 @@ def get_hostname_for_user(hostname: str, user: User):
     Get hostname owned by specific user.
 
     Args:
-        hostname: Hostname to look up.
+        hostname: Hostname to look up (FQDN).
         user: User who should own the hostname.
 
     Returns:
@@ -296,22 +355,14 @@ def get_hostname_for_user(hostname: str, user: User):
 
     Raises:
         DoesNotExist: If hostname not found or not owned by user.
+        EncodingError: If hostname is invalid.
+
+    Example:
+        >>> user = get_user("alice")
+        >>> host = get_hostname_for_user("myhost.example.com", user)
     """
-    fqdn = Hostname.hostname + '.' + Hostname.zone
+    fqdn = fn.Concat(Hostname.hostname, '.', Hostname.zone)
-    return Hostname.get((fqdn == hostname) & (Hostname.user == user))
+    return Hostname.get(
-
+        (fqdn == encode_dnsname(hostname)) &
-
+        (Hostname.user == user)
-# Re-export DoesNotExist for convenience
+    )
-__all__ = [
-    'db',
-    'DATABASE_VERSION',
-    'User',
-    'Hostname',
-    'Version',
-    'init_database',
-    'create_tables',
-    'get_user',
-    'get_hostname',
-    'get_hostname_for_user',
-    'DoesNotExist',
-]

src/ddns_service/ratelimit.py

@@ -85,11 +85,11 @@ class GoodLimiter(BaseLimiter):
         Args:
             config: Full configuration dictionary.
         """
-        rl = config.get("rate_limit", {})
+        rl = config["rate_limit"]
         super().__init__(
-            rl.get("good_window_seconds", 60),
+            rl["good_window_seconds"],
-            rl.get("good_max_requests", 30),
+            rl["good_max_requests"],
-            rl.get("enabled", False),
+            rl["enabled"],
             False,
         )
 
@@ -104,10 +104,10 @@ class BadLimiter(BaseLimiter):
         Args:
             config: Full configuration dictionary.
         """
-        rl = config.get("rate_limit", {})
+        rl = config["rate_limit"]
         super().__init__(
-            rl.get("bad_window_seconds", 60),
+            rl["bad_window_seconds"],
-            rl.get("bad_max_requests", 5),
+            rl["bad_max_requests"],
-            rl.get("enabled", False),
+            rl["enabled"],
             True,
         )

src/ddns_service/server.py

@@ -8,17 +8,34 @@ import json
 import logging
 import signal
 import ssl
+import threading
+
+from . import (
+    now_utc,
+    datetime_str,
+    STATUS_GOOD,
+    STATUS_NOCHG,
+    STATUS_BADAUTH,
+    STATUS_NOHOST,
+    STATUS_DNSERR,
+    STATUS_ABUSE,
+    STATUS_BADIP,
+)
+from .cleanup import ExpiredRecordsCleanupThread, RateLimitCleanupThread
+from .dns import detect_ip_type
+from .logging import clear_txn_id, set_txn_id
+from .models import (
+    DatabaseError,
+    DoesNotExist,
+    EncodingError,
+    get_hostname_for_user,
+    get_user
+)
+from argon2.exceptions import VerifyMismatchError
+from concurrent.futures import ThreadPoolExecutor
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 from urllib.parse import parse_qs, urlparse
 
-import argon2
-
-from . import datetime_str, utc_now
-from .cleanup import ExpiredRecordsCleanupThread, RateLimitCleanupThread
-from .logging import clear_txn_id, set_txn_id
-from .models import DoesNotExist, get_hostname_for_user, get_user
-from .dns import detect_ip_type, encode_dnsname, EncodingError
-
 
 def extract_param(params, aliases):
     """Extract first matching param from query params."""
@@ -64,7 +81,7 @@ def _is_trusted_proxy(client_ip, trusted_networks):
 
 
 class DDNSServer(ThreadingHTTPServer):
-    """HTTP server with Application instance."""
+    """HTTP server with Application instance and thread pool."""
 
     def __init__(self, app, address):
         """
@@ -79,8 +96,71 @@ class DDNSServer(ThreadingHTTPServer):
         self.trusted_networks = _parse_trusted_proxies(
             app.config["daemon"].get("trusted_proxies", [])
         )
+        self.pool_size = app.config["daemon"]["thread_pool_size"]
+        self.request_timeout = app.config["daemon"]["request_timeout"]
+        self.executor = ThreadPoolExecutor(max_workers=self.pool_size)
+        self.active_requests = 0
+        self.requests_lock = threading.Lock()
+        self.requests_done = threading.Condition(self.requests_lock)
         super().__init__(address, DDNSRequestHandler)
 
+    def process_request(self, request, client_address):
+        """Submit request to thread pool."""
+        with self.requests_lock:
+            self.active_requests += 1
+        request.settimeout(self.request_timeout)
+        self.executor.submit(self._handle_request_wrapper, request, client_address)
+
+    def _handle_request_wrapper(self, request, client_address):
+        """Wrap request handling to track active requests."""
+        try:
+            self.process_request_thread(request, client_address)
+        finally:
+            with self.requests_lock:
+                self.active_requests -= 1
+                if self.active_requests == 0:
+                    self.requests_done.notify_all()
+
+    def wait_for_requests(self, timeout=5):
+        """Wait for active requests to complete."""
+        with self.requests_lock:
+            if self.active_requests > 0:
+                logging.info(f"Waiting for {self.active_requests} active request(s)")
+                self.requests_done.wait(timeout=timeout)
+                if self.active_requests > 0:
+                    logging.warning(
+                        f"Shutdown timeout, {self.active_requests} request(s) still active"
+                    )
+
+    def server_close(self):
+        """Shutdown thread pool and close server."""
+        self.executor.shutdown(wait=True)
+        super().server_close()
+
+
+class DDNSError(Exception):
+    def __init__(self, message, status, **kwargs):
+        super().__init__(self, message)
+        self.message = message
+        self.status = status
+        self.kwargs = kwargs
+
+    def __str__(self):
+        if not self.kwargs:
+            return self.message
+
+        string = f"{self.message}:"
+        for key, value in self.kwargs.items():
+            string += f" {key}={value}"
+
+        return string
+
+
+class DDNSClientError(DDNSError):
+    def __init__(self, message, code, status, **kwargs):
+        super().__init__(message, status, **kwargs)
+        self.code = code
+
 
 class DDNSRequestHandler(BaseHTTPRequestHandler):
     """HTTP request handler for DDNS updates."""
@@ -161,39 +241,55 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
     def do_GET(self):
         """Handle GET requests."""
         set_txn_id()
-        try:
-            self._handle_get_request()
-        finally:
-            clear_txn_id()
-
-    def _handle_get_request(self):
-        """Handle GET request logic."""
         try:
             client_ip = self.get_client_ip()
         except ProxyHeaderError as e:
             logging.error(f"Proxy header error: {e}")
-            self.send_response_body(400, "Bad Request")
+            self.respond(400, "Bad Request")
             return
 
-        # Bad rate limit check
+        try:
+            self._handle_get_request(client_ip)
+        except DDNSClientError as e:
             if self.app.bad_limiter:
-            blocked, retry_at = self.app.bad_limiter.is_blocked(client_ip)
+                self.app.bad_limiter.record(client_ip)
-            if blocked:
+            logging.warning(e)
-                logging.warning(
+            self.respond(e.code, e.status)
-                    f"Rate limited (bad): client={client_ip}, "
+        except DDNSError as e:
-                    f"retry_at={datetime_str(retry_at)}")
+            logging.error(e)
-                self.respond(429, "abuse")
+            self.respond(500, e.status)
-                return
+        except DatabaseError as e:
+            logging.error(f"Database error: {e}")
+            self.respond(500, "Internal Server Error")
+        except Exception as e:
+            logging.exception(f"Uncaught exception: {e}")
+            self.respond(500, "Internal Server Error")
+        finally:
+            clear_txn_id()
 
+    def _handle_get_request(self, client_ip):
+        """Handle GET request logic."""
         # Parse URL
         parsed = urlparse(self.path)
 
         # Find matching endpoint
         endpoint = self.app.config["_endpoint_map"].get(parsed.path)
         if endpoint is None:
-            self.send_response_body(404, "Not Found")
+            self.respond(404, "Not Found")
             return
 
+        # Bad rate limit check
+        if self.app.bad_limiter:
+            blocked, retry_at = self.app.bad_limiter.is_blocked(client_ip)
+            if blocked:
+                raise DDNSClientError(
+                    "Rate limited (bad requests)",
+                    429,
+                    STATUS_ABUSE,
+                    client=client_ip,
+                    retry_at=datetime_str(retry_at)
+                )
+
         # Parse query parameters
         params = parse_qs(parsed.query)
 
@@ -204,85 +300,33 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
             password = extract_param(params, endpoint["params"]["password"])
 
         if not username or not password:
-            logging.warning(f"Auth failed: client={client_ip} user=anonymous")
+            raise DDNSClientError(
-            self._handle_bad_request(client_ip, 401, "badauth")
+                "Auth failed",
-            return
+                401,
-
+                STATUS_BADAUTH,
-        # Validate credentials
+                client_ip
-        try:
+            )
-            user = get_user(username)
-            self.app.password_hasher.verify(user.password_hash, password)
-        except (DoesNotExist, argon2.exceptions.VerifyMismatchError):
-            logging.warning(f"Auth failed: client={client_ip} user={username}")
-            self._handle_bad_request(client_ip, 401, "badauth")
-            return
 
         # Get hostname parameter
         hostname_param = extract_param(params, endpoint["params"]["hostname"])
         if not hostname_param:
-            logging.warning(f"Missing hostname: client={client_ip} user={username}")
+            raise DDNSClientError(
-            self._handle_bad_request(client_ip, 400, "nohost")
+                "Missing hostname",
-            return
+                400,
+                STATUS_NOHOST,
+                client=client_ip,
+                username=username
+            )
 
-        # Validate and encode hostname
+        # Validate credentials
-        try:
+        user = self._authenticate(client_ip, username, password)
-            hostname_param = encode_dnsname(hostname_param)
-        except EncodingError:
-            logging.warning(
-                f"Invalid hostname: client={client_ip}, "
-                f"hostname={hostname_param}")
-            self._handle_bad_request(client_ip, 400, "nohost")
-            return
 
         # Check hostname ownership
-        try:
+        hostname = self._check_permissions(client_ip, user, hostname_param)
-            hostname = get_hostname_for_user(hostname_param, user)
-        except DoesNotExist:
-            logging.warning(
-                f"Access denied: client={client_ip} user={username} "
-                f"hostname={hostname_param}"
-            )
-            self._handle_bad_request(client_ip, 403, "nohost")
-            return
-
-        # Good rate limit check
-        if self.app.good_limiter:
-            blocked, retry_at = self.app.good_limiter.is_blocked(client_ip)
-            if blocked:
-                logging.warning(
-                    f"Rate limited: client={client_ip}, "
-                    f"retry_at={datetime_str(retry_at)}")
-                self.respond(429, "abuse")
-                return
-
-        # Record good request
-        if self.app.good_limiter:
-            self.app.good_limiter.record(client_ip)
-
-        # Determine IPs to update
-        result = self._process_ip_update(hostname, params, endpoint, client_ip)
-        if result:
-            code, status, *kwargs = result
-            if kwargs:
-                self.respond(code, status, **kwargs[0])
-            else:
-                self.respond(code, status)
-
-    def _handle_bad_request(self, client_ip, code, status):
-        """Handle bad request and record in rate limiter."""
-        if self.app.bad_limiter:
-            self.app.bad_limiter.record(client_ip)
-        self.respond(code, status)
-
-    def _process_ip_update(self, hostname, params, endpoint, client_ip):
-        """Process IP update for hostname."""
-        myip = extract_param(params, endpoint["params"]["ipv4"])
-        myip6 = extract_param(params, endpoint["params"]["ipv6"])
-
-        ipv4 = None
-        ipv6 = None
 
         # Process myip parameter
+        ipv4 = None
+        myip = extract_param(params, endpoint["params"]["ipv4"])
         if myip:
             try:
                 rtype, myip = detect_ip_type(myip)
@@ -291,31 +335,126 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                 else:
                     ipv6 = myip
             except ValueError:
-                return (400, "badip")
+                raise DDNSClientError(
+                    "Bad IP address",
+                    400,
+                    STATUS_BADIP,
+                    client=client_ip,
+                    username=username,
+                    hostname=hostname.hostname,
+                    zone=hostname.zone,
+                    ip=myip
+                )
 
         # Process myip6 parameter
+        ipv6 = None
+        myip6 = extract_param(params, endpoint["params"]["ipv6"])
         if myip6:
             try:
                 rtype, myip6 = detect_ip_type(myip6)
                 if rtype == "AAAA":
                     ipv6 = myip6
                 else:
-                    return (400, "badip")
+                    raise ValueError
             except ValueError:
-                return (400, "badip")
+                raise DDNSClientError(
+                    "Bad IP address",
+                    400,
+                    STATUS_BADIP,
+                    client=client_ip,
+                    username=username,
+                    hostname=hostname.hostname,
+                    zone=hostname.zone,
+                    ipv6=myip6
+                )
 
         # Auto-detect from client IP if no params
         if ipv4 is None and ipv6 is None:
-            try:
             rtype, ip = detect_ip_type(client_ip)
             if rtype == "A":
                 ipv4 = ip
             else:
                 ipv6 = ip
-            except ValueError:
-                return (400, "badip")
 
-        now = utc_now()
+        # Process notify_change parameter
+        notify_change = extract_param(params, endpoint["params"]["notify_change"])
+        notify_change = notify_change.lower() in ["1", "y", "yes", "on", "true"] \
+            if notify_change else False
+
+        # Good rate limit check
+        if self.app.good_limiter:
+            blocked, retry_at = self.app.good_limiter.is_blocked(client_ip)
+            if blocked:
+                raise DDNSClientError(
+                    "Rate limited (good requests)",
+                    429,
+                    STATUS_ABUSE,
+                    client=client_ip,
+                    username=username,
+                    retry_at=datetime_str(retry_at)
+                )
+
+        # Record good request
+        if self.app.good_limiter:
+            self.app.good_limiter.record(client_ip)
+
+        # Process update request
+        self._process_ip_update(
+            client_ip,
+            user,
+            hostname,
+            ipv4,
+            ipv6,
+            notify_change
+        )
+
+    def _authenticate(self, client_ip, username, password):
+        try:
+            try:
+                user = get_user(username)
+            except DoesNotExist:
+                # User does not exist, Hash fake password to prevent time-based attacks
+                self.app.password_hasher.hash("FAKE-PASSWORD")
+                raise DoesNotExist
+
+            self.app.password_hasher.verify(user.password_hash, password)
+        except (DoesNotExist, VerifyMismatchError):
+            raise DDNSClientError(
+                "Auth failed",
+                401,
+                STATUS_BADAUTH,
+                client=client_ip,
+                username=username
+            )
+
+        return user
+
+    def _check_permissions(self, client_ip, user, hostname_param):
+        # Check hostname ownership
+        code = None
+
+        try:
+            hostname = get_hostname_for_user(hostname_param, user)
+        except DoesNotExist:
+            code = 403
+        except EncodingError:
+            code = 400
+
+        if code:
+            raise DDNSClientError(
+                "Access denied",
+                code,
+                STATUS_NOHOST,
+                client=client_ip,
+                username=user.username,
+                hostname=hostname_param
+            )
+
+        return hostname
+
+    def _process_ip_update(self, client_ip, user, hostname, ipv4, ipv6, notify_change):
+        """Process IP update for hostname."""
+        now = now_utc()
 
         ipv4_changed = False
         ipv6_changed = False
@@ -334,11 +473,15 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                     ipv4_changed = True
                 except Exception as e:
                     hostname.save()
-                    logging.error(
+                    logging.error(f"DNS error: {e}")
-                        f"DNS update failed: client={client_ip} hostname={hostname.hostname} "
+                    raise DDNSError(
-                        f"zone={hostname.zone} ipv4={ipv4} error={e}"
+                        "Update failed",
+                        STATUS_DNSERR,
+                        client=client_ip,
+                        hostname=hostname.hostname,
+                        zone=hostname.zone,
+                        ipv4=ipv4
                     )
-                    return (500, "dnserr")
 
         if ipv6:
             hostname.last_ipv6_update = now
@@ -355,19 +498,19 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                     ipv6_changed = True
                 except Exception as e:
                     hostname.save()
-                    logging.error(
+                    logging.error(f"DNS error: {e}")
-                        f"DNS update failed: client={client_ip} hostname={hostname.hostname} "
+                    raise DDNSError(
-                        f"zone={hostname.zone} ipv6={ipv6} error={e}"
+                        "Update failed",
+                        STATUS_DNSERR,
+                        client=client_ip,
+                        hostname=hostname.hostname,
+                        zone=hostname.zone,
+                        ipv6=ipv6
                     )
-                    return (500, "dnserr")
 
         # Update database
         hostname.save()
 
-        notify_change_val = extract_param(params, endpoint["params"]["notify_change"])
-        notify_change = notify_change_val.lower() not in ["0", "n", "no", "off"] \
-            if notify_change_val else False
-
         changed_addrs = ""
         if ipv4_changed:
             changed_addrs += f" ipv4={ipv4}"
@@ -379,10 +522,13 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
                 f"No change: client={client_ip} hostname={hostname.hostname} "
                 f"zone={hostname.zone}{changed_addrs} notify_change={str(notify_change).lower()}"
             )
-            return (
+            self.respond(
-                200, "nochg",
+                200,
-                {"ipv4": hostname.last_ipv4, "ipv6": hostname.last_ipv6}
+                STATUS_NOCHG,
+                ipv4=hostname.last_ipv4,
+                ipv6=hostname.last_ipv6
             )
+            return
 
         logging.info(
             f"Updated: client={client_ip} hostname={hostname.hostname} "
@@ -400,9 +546,11 @@ class DDNSRequestHandler(BaseHTTPRequestHandler):
             except Exception as e:
                 logging.error(f"Sending change notification error: {e}")
 
-        return (
+        self.respond(
-            200, "good",
+            200,
-            {"ipv4": hostname.last_ipv4, "ipv6": hostname.last_ipv6}
+            STATUS_GOOD,
+            ipv4=hostname.last_ipv4,
+            ipv6=hostname.last_ipv6
         )
 
 
@@ -440,14 +588,39 @@ def run_daemon(app):
     expired_cleanup_thread = ExpiredRecordsCleanupThread(app)
     expired_cleanup_thread.start()
 
-
     # Setup signal handlers
     def signal_handler(signum, frame):
         logging.info(f"Signal received: {signum}, shutting down")
         app.signal_shutdown()
 
+    def sighup_handler(signum, frame):
+        logging.info("SIGHUP received, reloading configuration")
+        try:
+            app.reload_config()
+
+            # Update server attributes
+            server.proxy_header = app.config["daemon"].get("proxy_header", "")
+            server.trusted_networks = _parse_trusted_proxies(
+                app.config["daemon"].get("trusted_proxies", [])
+            )
+
+            # Reload SSL if enabled
+            if app.config["daemon"]["ssl"]:
+                new_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+                new_context.load_cert_chain(
+                    app.config["daemon"]["ssl_cert_file"],
+                    app.config["daemon"]["ssl_key_file"]
+                )
+                # Note: existing connections use old cert, new connections use new
+                server.socket = new_context.wrap_socket(
+                    server.socket.detach(), server_side=True
+                )
+        except Exception as e:
+            logging.error(f"Config reload failed: {e}")
+
     signal.signal(signal.SIGTERM, signal_handler)
     signal.signal(signal.SIGINT, signal_handler)
+    signal.signal(signal.SIGHUP, sighup_handler)
 
     paths = ", ".join(ep["path"] for ep in config["endpoints"])
     logging.info(f"Daemon started: {proto}://{host}:{port} endpoints=[{paths}]")
@@ -457,6 +630,9 @@ def run_daemon(app):
     while not app.is_shutting_down():
         server.handle_request()
 
+    # Graceful shutdown - wait for active requests
+    server.wait_for_requests(5)
+
     # Cleanup
     expired_cleanup_thread.stop()
     ratelimit_cleanup_thread.stop()