AdguardTeam
diff --git a/‎README.md‎
Lines changed: 4 additions & 0 deletions b/‎README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎internal/cmd/args.go‎
Lines changed: 65 additions & 49 deletions b/‎internal/cmd/args.go‎
Lines changed: 65 additions & 49 deletions
diff --git a/‎internal/cmd/config.go‎
Lines changed: 18 additions & 8 deletions b/‎internal/cmd/config.go‎
Lines changed: 18 additions & 8 deletions
diff --git a/‎internal/cmd/proxy.go‎
Lines changed: 10 additions & 8 deletions b/‎internal/cmd/proxy.go‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎proxy/cache.go‎
Lines changed: 54 additions & 23 deletions b/‎proxy/cache.go‎
Lines changed: 54 additions & 23 deletions
@@ -99,6 +99,10 @@ Usage of ./dnsproxy:
         Listening addresses.
   --max-go-routines=uint
         Set the maximum number of go routines. A zero value will not not set a maximum.
+  --optimistic-answers-ttl
+        Default TTL value for expired DNS entries in optimistic cache.  Default: 30s
+  --optimistic-max-age
+        Period of time after which entries are removed from optimistic cache in human-readable form. Default: 12h.
   --output=path/-o path
         Path to the log file.
   --pending-requests-enabled
 
@@ -42,6 +42,8 @@ const (
 	timeoutIdx
 	cacheMinTTLIdx
 	cacheMaxTTLIdx
+	cacheOptimisticAnswerTTLIdx
+	cacheOptimisticMaxAgeIdx
 	cacheSizeBytesIdx
 	ratelimitIdx
 	ratelimitSubnetLenIPv4Idx
@@ -247,6 +249,18 @@ var commandLineOptions = []*commandLineOption{
 		short:       "",
 		valueType:   "uint32",
 	},
+	cacheOptimisticAnswerTTLIdx: {
+		description: "Default TTL value for expired answers from optimistic cache",
+		long:        "optimistic-answers-ttl",
+		short:       "",
+		valueType:   "duration",
+	},
+	cacheOptimisticMaxAgeIdx: {
+		description: "Period of time after which entries are removed from the optimistic cache",
+		long:        "optimistic-max-age",
+		short:       "",
+		valueType:   "duration",
+	},
 	cacheSizeBytesIdx: {
 		description: "Cache size (in bytes). Default: 64k.",
 		long:        "cache-size",
@@ -399,55 +413,57 @@ func parseCmdLineOptions(conf *configuration) (err error) {
 
 	flags := flag.NewFlagSet(cmdName, flag.ContinueOnError)
 	for i, fieldPtr := range []any{
-		configPathIdx:             &conf.ConfigPath,
-		logOutputIdx:              &conf.LogOutput,
-		tlsCertPathIdx:            &conf.TLSCertPath,
-		tlsKeyPathIdx:             &conf.TLSKeyPath,
-		httpsServerNameIdx:        &conf.HTTPSServerName,
-		httpsUserinfoIdx:          &conf.HTTPSUserinfo,
-		dnsCryptConfigPathIdx:     &conf.DNSCryptConfigPath,
-		ednsAddrIdx:               &conf.EDNSAddr,
-		upstreamModeIdx:           &conf.UpstreamMode,
-		listenAddrsIdx:            &conf.ListenAddrs,
-		listenPortsIdx:            &conf.ListenPorts,
-		httpsListenPortsIdx:       &conf.HTTPSListenPorts,
-		tlsListenPortsIdx:         &conf.TLSListenPorts,
-		quicListenPortsIdx:        &conf.QUICListenPorts,
-		dnsCryptListenPortsIdx:    &conf.DNSCryptListenPorts,
-		upstreamsIdx:              &conf.Upstreams,
-		bootstrapDNSIdx:           &conf.BootstrapDNS,
-		fallbacksIdx:              &conf.Fallbacks,
-		privateRDNSUpstreamsIdx:   &conf.PrivateRDNSUpstreams,
-		dns64PrefixIdx:            &conf.DNS64Prefix,
-		privateSubnetsIdx:         &conf.PrivateSubnets,
-		bogusNXDomainIdx:          &conf.BogusNXDomain,
-		hostsFilesIdx:             &conf.HostsFiles,
-		timeoutIdx:                &conf.Timeout,
-		cacheMinTTLIdx:            &conf.CacheMinTTL,
-		cacheMaxTTLIdx:            &conf.CacheMaxTTL,
-		cacheSizeBytesIdx:         &conf.CacheSizeBytes,
-		ratelimitIdx:              &conf.Ratelimit,
-		ratelimitSubnetLenIPv4Idx: &conf.RatelimitSubnetLenIPv4,
-		ratelimitSubnetLenIPv6Idx: &conf.RatelimitSubnetLenIPv6,
-		udpBufferSizeIdx:          &conf.UDPBufferSize,
-		maxGoRoutinesIdx:          &conf.MaxGoRoutines,
-		tlsMinVersionIdx:          &conf.TLSMinVersion,
-		tlsMaxVersionIdx:          &conf.TLSMaxVersion,
-		helpIdx:                   &conf.help,
-		hostsFileEnabledIdx:       &conf.HostsFileEnabled,
-		pprofIdx:                  &conf.Pprof,
-		versionIdx:                &conf.Version,
-		verboseIdx:                &conf.Verbose,
-		insecureIdx:               &conf.Insecure,
-		ipv6DisabledIdx:           &conf.IPv6Disabled,
-		http3Idx:                  &conf.HTTP3,
-		cacheOptimisticIdx:        &conf.CacheOptimistic,
-		cacheIdx:                  &conf.Cache,
-		refuseAnyIdx:              &conf.RefuseAny,
-		enableEDNSSubnetIdx:       &conf.EnableEDNSSubnet,
-		pendingRequestsEnabledIdx: &conf.PendingRequestsEnabled,
-		dns64Idx:                  &conf.DNS64,
-		usePrivateRDNSIdx:         &conf.UsePrivateRDNS,
+		configPathIdx:               &conf.ConfigPath,
+		logOutputIdx:                &conf.LogOutput,
+		tlsCertPathIdx:              &conf.TLSCertPath,
+		tlsKeyPathIdx:               &conf.TLSKeyPath,
+		httpsServerNameIdx:          &conf.HTTPSServerName,
+		httpsUserinfoIdx:            &conf.HTTPSUserinfo,
+		dnsCryptConfigPathIdx:       &conf.DNSCryptConfigPath,
+		ednsAddrIdx:                 &conf.EDNSAddr,
+		upstreamModeIdx:             &conf.UpstreamMode,
+		listenAddrsIdx:              &conf.ListenAddrs,
+		listenPortsIdx:              &conf.ListenPorts,
+		httpsListenPortsIdx:         &conf.HTTPSListenPorts,
+		tlsListenPortsIdx:           &conf.TLSListenPorts,
+		quicListenPortsIdx:          &conf.QUICListenPorts,
+		dnsCryptListenPortsIdx:      &conf.DNSCryptListenPorts,
+		upstreamsIdx:                &conf.Upstreams,
+		bootstrapDNSIdx:             &conf.BootstrapDNS,
+		fallbacksIdx:                &conf.Fallbacks,
+		privateRDNSUpstreamsIdx:     &conf.PrivateRDNSUpstreams,
+		dns64PrefixIdx:              &conf.DNS64Prefix,
+		privateSubnetsIdx:           &conf.PrivateSubnets,
+		bogusNXDomainIdx:            &conf.BogusNXDomain,
+		hostsFilesIdx:               &conf.HostsFiles,
+		timeoutIdx:                  &conf.Timeout,
+		cacheMinTTLIdx:              &conf.CacheMinTTL,
+		cacheMaxTTLIdx:              &conf.CacheMaxTTL,
+		cacheOptimisticAnswerTTLIdx: &conf.CacheOptimisticAnswerTTL,
+		cacheOptimisticMaxAgeIdx:    &conf.CacheOptimisticMaxAge,
+		cacheSizeBytesIdx:           &conf.CacheSizeBytes,
+		ratelimitIdx:                &conf.Ratelimit,
+		ratelimitSubnetLenIPv4Idx:   &conf.RatelimitSubnetLenIPv4,
+		ratelimitSubnetLenIPv6Idx:   &conf.RatelimitSubnetLenIPv6,
+		udpBufferSizeIdx:            &conf.UDPBufferSize,
+		maxGoRoutinesIdx:            &conf.MaxGoRoutines,
+		tlsMinVersionIdx:            &conf.TLSMinVersion,
+		tlsMaxVersionIdx:            &conf.TLSMaxVersion,
+		helpIdx:                     &conf.help,
+		hostsFileEnabledIdx:         &conf.HostsFileEnabled,
+		pprofIdx:                    &conf.Pprof,
+		versionIdx:                  &conf.Version,
+		verboseIdx:                  &conf.Verbose,
+		insecureIdx:                 &conf.Insecure,
+		ipv6DisabledIdx:             &conf.IPv6Disabled,
+		http3Idx:                    &conf.HTTP3,
+		cacheOptimisticIdx:          &conf.CacheOptimistic,
+		cacheIdx:                    &conf.Cache,
+		refuseAnyIdx:                &conf.RefuseAny,
+		enableEDNSSubnetIdx:         &conf.EnableEDNSSubnet,
+		pendingRequestsEnabledIdx:   &conf.PendingRequestsEnabled,
+		dns64Idx:                    &conf.DNS64,
+		usePrivateRDNSIdx:           &conf.UsePrivateRDNS,
 	} {
 		addOption(flags, fieldPtr, commandLineOptions[i])
 	}
 
@@ -107,6 +107,14 @@ type configuration struct {
 	// greater.
 	CacheMaxTTL uint32 `yaml:"cache-max-ttl"`
 
+	// CacheOptimisticAnswerTTL is the default TTL for expired cached responses
+	// in seconds.
+	CacheOptimisticAnswerTTL timeutil.Duration `yaml:"optimistic-answers-ttl"`
+
+	// CacheOptimisticMaxAge is the maximum time entries remain in the cache
+	// when cache is optimistic.
+	CacheOptimisticMaxAge timeutil.Duration `yaml:"optimistic-max-age"`
+
 	// CacheSizeBytes is the cache size in bytes.  Default is 64k.
 	CacheSizeBytes int `yaml:"cache-size"`
 
@@ -198,14 +206,16 @@ type configuration struct {
 // no options have been parsed, it returns a suitable exit code and an error.
 func parseConfig() (conf *configuration, exitCode int, err error) {
 	conf = &configuration{
-		HTTPSServerName:        "dnsproxy",
-		UpstreamMode:           string(proxy.UpstreamModeLoadBalance),
-		CacheSizeBytes:         64 * 1024,
-		Timeout:                timeutil.Duration(10 * time.Second),
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 56,
-		HostsFileEnabled:       true,
-		PendingRequestsEnabled: true,
+		HTTPSServerName:          "dnsproxy",
+		UpstreamMode:             string(proxy.UpstreamModeLoadBalance),
+		CacheSizeBytes:           64 * 1024,
+		Timeout:                  timeutil.Duration(10 * time.Second),
+		CacheOptimisticAnswerTTL: timeutil.Duration(30 * time.Second),
+		CacheOptimisticMaxAge:    timeutil.Duration(12 * time.Hour),
+		RatelimitSubnetLenIPv4:   24,
+		RatelimitSubnetLenIPv6:   56,
+		HostsFileEnabled:         true,
+		PendingRequestsEnabled:   true,
 	}
 
 	err = parseCmdLineOptions(conf)
 
@@ -58,14 +58,16 @@ func createProxyConfig(
 		RatelimitSubnetLenIPv4: conf.RatelimitSubnetLenIPv4,
 		RatelimitSubnetLenIPv6: conf.RatelimitSubnetLenIPv6,
 
-		Ratelimit:       conf.Ratelimit,
-		CacheEnabled:    conf.Cache,
-		CacheSizeBytes:  conf.CacheSizeBytes,
-		CacheMinTTL:     conf.CacheMinTTL,
-		CacheMaxTTL:     conf.CacheMaxTTL,
-		CacheOptimistic: conf.CacheOptimistic,
-		RefuseAny:       conf.RefuseAny,
-		HTTP3:           conf.HTTP3,
+		Ratelimit:                conf.Ratelimit,
+		CacheEnabled:             conf.Cache,
+		CacheSizeBytes:           conf.CacheSizeBytes,
+		CacheMinTTL:              conf.CacheMinTTL,
+		CacheMaxTTL:              conf.CacheMaxTTL,
+		CacheOptimisticAnswerTTL: uint32(time.Duration(conf.CacheOptimisticAnswerTTL).Seconds()),
+		CacheOptimisticMaxAge:    uint32(time.Duration(conf.CacheOptimisticMaxAge).Seconds()),
+		CacheOptimistic:          conf.CacheOptimistic,
+		RefuseAny:                conf.RefuseAny,
+		HTTP3:                    conf.HTTP3,
 		// TODO(e.burkov):  The following CIDRs are aimed to match any address.
 		// This is not quite proper approach to be used by default so think
 		// about configuring it.
 
@@ -39,20 +39,22 @@ type cache struct {
 	// optimistic defines if the cache should return expired items and resolve
 	// those again.
 	optimistic bool
+
+	// optimisticTTL is the default TTL for expired cached responses in seconds.
+	optimisticTTL uint32
+
+	// optimisticMaxAge is the maximum time entries remain in the cache when
+	// cache is optimistic.
+	optimisticMaxAge uint32
 }
 
 // cacheItem is a single cache entry.  It's a helper type to aggregate the
 // item-specific logic.
 type cacheItem struct {
-	// m contains the cached response.
-	m *dns.Msg
-
-	// u contains an address of the upstream which resolved m.
-	u string
-
-	// ttl is the time-to-live value for the item.  Should be set before calling
-	// [cacheItem.pack].
-	ttl uint32
+	createdTime time.Time
+	m           *dns.Msg
+	u           string
+	ttl         uint32
 }
 
 // respToItem converts the pair of the response and upstream resolved the one
@@ -69,9 +71,10 @@ func (c *cache) respToItem(m *dns.Msg, u upstream.Upstream, l *slog.Logger) (ite
 	}
 
 	return &cacheItem{
-		m:   m,
-		u:   upsAddr,
-		ttl: ttl,
+		m:           m,
+		u:           upsAddr,
+		ttl:         ttl,
+		createdTime: time.Now(),
 	}
 }
 
@@ -82,9 +85,12 @@ const (
 	// expTimeSz is the exact length of byte slice capable to store the
 	// expiration time the response.  It's essentially the size of a uint32.
 	expTimeSz = 4
+	// createdTimeSz is the exact length of byte slice capable to store the
+	// creation time.  It's essentially the size of a uint32.
+	createdTimeSz = 4
 
 	// minPackedLen is the minimum length of the packed cacheItem.
-	minPackedLen = expTimeSz + packedMsgLenSz
+	minPackedLen = expTimeSz + createdTimeSz + packedMsgLenSz
 )
 
 // pack converts the ci into bytes slice.
@@ -96,8 +102,11 @@ func (ci *cacheItem) pack() (packed []byte) {
 	// Put expiration time.
 	binary.BigEndian.PutUint32(packed, uint32(time.Now().Unix())+ci.ttl)
 
+	// Put creation time.
+	binary.BigEndian.PutUint32(packed[expTimeSz:], uint32(ci.createdTime.Unix()))
+
 	// Put the length of the packed message.
-	binary.BigEndian.PutUint16(packed[expTimeSz:], uint16(pmLen))
+	binary.BigEndian.PutUint16(packed[expTimeSz+createdTimeSz:], uint16(pmLen))
 
 	// Put the packed message itself.
 	packed = append(packed, pm...)
@@ -108,9 +117,6 @@ func (ci *cacheItem) pack() (packed []byte) {
 	return packed
 }
 
-// optimisticTTL is the default TTL for expired cached responses in seconds.
-const optimisticTTL = 10
-
 // unpackItem converts the data into cacheItem using req as a request message.
 // expired is true if the item exists but expired.  The expired cached items are
 // only returned if c is optimistic.  req must not be nil.
@@ -121,14 +127,15 @@ func (c *cache) unpackItem(data []byte, req *dns.Msg) (ci *cacheItem, expired bo
 
 	b := bytes.NewBuffer(data)
 	expire := int64(binary.BigEndian.Uint32(b.Next(expTimeSz)))
+	createdTime := time.Unix(int64(binary.BigEndian.Uint32(b.Next(createdTimeSz))), 0)
 	now := time.Now().Unix()
 	var ttl uint32
 	if expired = expire <= now; expired {
 		if !c.optimistic {
 			return nil, expired
 		}
 
-		ttl = optimisticTTL
+		ttl = c.optimisticTTL
 	} else {
 		ttl = uint32(expire - now)
 	}
@@ -158,8 +165,9 @@ func (c *cache) unpackItem(data []byte, req *dns.Msg) (ci *cacheItem, expired bo
 	filterMsg(res, m, req.AuthenticatedData, doBit, ttl)
 
 	return &cacheItem{
-		m: res,
-		u: string(b.Next(b.Len())),
+		m:           res,
+		u:           string(b.Next(b.Len())),
+		createdTime: createdTime,
 	}, expired
 }
 
@@ -173,18 +181,31 @@ func (p *Proxy) initCache() {
 
 	size := p.CacheSizeBytes
 	p.logger.Info("cache enabled", "size", size)
-
-	p.cache = newCache(size, p.EnableEDNSClientSubnet, p.CacheOptimistic)
+	p.cache = newCache(
+		size,
+		p.CacheOptimisticAnswerTTL,
+		p.CacheOptimisticMaxAge,
+		p.EnableEDNSClientSubnet,
+		p.CacheOptimistic,
+	)
 	p.shortFlighter = newOptimisticResolver(p)
 }
 
 // newCache returns a properly initialized cache.  logger must not be nil.
-func newCache(size int, withECS, optimistic bool) (c *cache) {
+func newCache(
+	size int,
+	optimisticTTL,
+	optimisticMaxAge uint32,
+	withECS,
+	optimistic bool,
+) (c *cache) {
 	c = &cache{
 		itemsLock:           &sync.RWMutex{},
 		itemsWithSubnetLock: &sync.RWMutex{},
 		items:               createCache(size),
 		optimistic:          optimistic,
+		optimisticTTL:       optimisticTTL,
+		optimisticMaxAge:    optimisticMaxAge,
 	}
 
 	if withECS {
@@ -215,9 +236,19 @@ func (c *cache) get(req *dns.Msg) (ci *cacheItem, expired bool, key []byte) {
 		c.items.Del(key)
 	}
 
+	if c.isOptimisticExpired(ci) {
+		c.items.Del(key)
+
+		return nil, false, key
+	}
+
 	return ci, expired, key
 }
 
+func (c *cache) isOptimisticExpired(ci *cacheItem) (expired bool) {
+	return c.optimistic && uint32(time.Since(ci.createdTime).Seconds()) > ci.ttl+c.optimisticMaxAge
+}
+
 // getWithSubnet returns cached item for the req if it's found by n.  expired
 // is true if the item's TTL is expired.  k is the resulting key for req.  It's
 // returned to avoid recalculating it afterwards.