Phase 7: Testing & Validation

[sob]

Overview

Comprehensive testing of DNS resolver functionality, performance, security, and reliability.

Parent Issue: #1093

Tasks

• Create automated test suite
• Test standard DNS resolution
• Test DoH endpoint functionality
• Verify anonymous relay routing
• Perform DNS leak tests
• Benchmark query performance
• Test failover scenarios
• Validate DNSSEC signatures
• Test access control enforcement
• Perform load testing
• Execute chaos testing

Test Categories

Functional Testing

• DNS query types (A, AAAA, MX, TXT, etc.)
• DNSSEC validation
• Cache behavior
• Negative caching
• Forward zone handling

Performance Testing

• Query latency benchmarks
  • Target: <10ms p50 cached
  • Target: <50ms p99 uncached
• Throughput testing (10k+ qps)
• Cache hit rate (>80%)
• Memory usage under load

Security Testing

• Access control validation
• DNS leak testing
• Anonymization verification
• DoH TLS security scan
• DNSSEC chain validation

Reliability Testing

• Pod failure recovery
• Node failure handling
• Upstream failover
• Cache persistence
• Rolling update behavior

Test Tools

DNS Testing

# Standard DNS test
dig @dns-resolver.network A example.com

# DoH test  
curl -H 'content-type: application/dns-message' \
  --data-binary @query.bin \
  https://doh.${SECRET_DOMAIN}/dns-query

# Performance test
dnsperf -s dns-resolver.network -d queries.txt

# Leak test
dnsleak-test.sh

Load Testing

• Use dnsperf for load generation
• Target: 10,000 qps sustained
• Monitor resource usage
• Check cache effectiveness

Chaos Testing

• Kill random pods
• Simulate network partitions
• Fill cache to capacity
• Corrupt cache data

Acceptance Criteria

• All functional tests passing
• Performance meets defined SLOs
• No DNS leaks detected
• Failover completes <30 seconds
• Load tests stable at 10k qps
• Chaos tests recover automatically
• Security scans show no vulnerabilities
• Documentation of all test results