From 51cce0347bbaf845c63957827553c78963a08376 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Tue, 21 Apr 2026 17:35:59 +0300
Subject: [PATCH] test(odoh): integration-verify relay_ip/target_ip override
 wiring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Suite 8 now ends with a config using RFC 5737 TEST-NET-1 IPs as
relay_ip/target_ip, started briefly so the bootstrap resolver logs its
override map. Asserts both host=IP pairs land in that map — closing the
gap flagged on PR #126 (zero-plain-DNS-leak for ODoH endpoints was only
unit-tested).

Also: NumaResolver::new now logs the override map at INFO when non-empty,
so operators can verify their ODoH bootstrap without needing DEBUG level.
---
 src/bootstrap_resolver.rs | 11 ++++++++++
 tests/integration.sh      | 46 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/src/bootstrap_resolver.rs b/src/bootstrap_resolver.rs
index 1cf5c2e..94b03ea 100644
--- a/src/bootstrap_resolver.rs
+++ b/src/bootstrap_resolver.rs
@@ -70,6 +70,17 @@ impl NumaResolver {
             ips.join(", "),
             source
         );
+        if !overrides.is_empty() {
+            let mut pairs: Vec<String> = overrides
+                .iter()
+                .flat_map(|(host, ips)| ips.iter().map(move |ip| format!("{}={}", host, ip)))
+                .collect();
+            pairs.sort();
+            info!(
+                "bootstrap resolver: host overrides (skip DNS, connect direct): {}",
+                pairs.join(", ")
+            );
+        }
         Self {
             bootstrap,
             overrides,
diff --git a/tests/integration.sh b/tests/integration.sh
index 77b874f..1773c11 100755
--- a/tests/integration.sh
+++ b/tests/integration.sh
@@ -975,6 +975,52 @@ check "Same-host relay+target rejected at startup" \
     "same host" \
     "$STARTUP_OUT"
 
+# relay_ip / target_ip must land in the bootstrap resolver's override map,
+# so reqwest connects direct to the configured IPs instead of resolving the
+# hostnames via plain DNS (ODoH's zero-plain-DNS-leak property). Using
+# RFC 5737 TEST-NET-1 IPs — never routable, so the OdohConfigCache won't
+# actually connect, but the override-map wiring is visible in the startup log.
+cat > "$CONFIG" << 'CONF'
+[server]
+bind_addr = "127.0.0.1:5354"
+api_port = 5381
+
+[upstream]
+mode = "odoh"
+relay = "https://odoh-relay.example.com/proxy"
+target = "https://odoh-target.example.org/dns-query"
+relay_ip = "192.0.2.1"
+target_ip = "192.0.2.2"
+
+[cache]
+max_entries = 10000
+
+[blocking]
+enabled = false
+
+[proxy]
+enabled = false
+CONF
+
+RUST_LOG=info "$BINARY" "$CONFIG" > "$LOG" 2>&1 &
+NUMA_PID=$!
+for _ in $(seq 1 30); do
+    curl -sf "http://127.0.0.1:$API_PORT/health" >/dev/null 2>&1 && break
+    sleep 0.1
+done
+
+OVERRIDE_LOG=$(grep 'bootstrap resolver: host overrides' "$LOG" || true)
+check "relay_ip wired into bootstrap override map" \
+    "odoh-relay.example.com=192.0.2.1" \
+    "$OVERRIDE_LOG"
+check "target_ip wired into bootstrap override map" \
+    "odoh-target.example.org=192.0.2.2" \
+    "$OVERRIDE_LOG"
+
+kill "$NUMA_PID" 2>/dev/null || true
+wait "$NUMA_PID" 2>/dev/null || true
+sleep 1
+
 fi  # end Suite 8
 
 # ---- Suite 9: Numa's own ODoH relay (--relay-mode) ----