• Program: Recursor
• Issue type: Feature request

Short description

Domains that are going to start some abusive campaign can preemptively increase their TTL.
While it is expected that end-user systems will honor this value to some degree (at least until reset/reboot of some kind), DNS server operator should expunge them as soon as they are not trusted anymore (i.e. appear in RPZ blocklist).

Usecase

After reloading rpzFile() (didn't test rpzPrimary() as it's harder to predict what domain to query ahead, needs setting up some testbed) with newly policied domains, Recursor still responds with cached values if it happens that such domain was queried beforehand.

This means that a single DNS client that asks for a domain before it gets blacklisted causes all future clients to get that response until TTL expires, effectively circumventing policing and e.g. allowing to keep spreading some malware.

Wiping entire cache unconditionally (rec_control wipe-cache $) seems to be overkill, as the rpzFile() can be loaded every 5 minutes, the same goes for artificially reducing max-cache-ttl from default 24h to something like 15 minutes.

I would expect RPZ entries to be iterated and automatically removed from the cache.
Ideally the dnsdist standing before should be somehow notified as well...