Cap dynamic egress rule TTL at five minutes

The existing minTTL clamp prevents rule churn from very short
DNS TTLs. Add a symmetric maxTTL clamp (default 5 min) so a very
long advertised TTL does not leave a dynamically-allowed IP in
the rule set for hours or days. Bounds exposure if an upstream
zone returns rogue long-lived answers, and keeps the working set
of dynamic rules pegged to recent resolutions.

Exposed via functional options (WithMinTTL, WithMaxTTL) on
NewDNSInterceptor. The constructor signature gains a variadic
opts parameter — backwards compatible for existing callers.

WithMaxTTL(0) disables the cap; WithMinTTL(0) preserves the
default. Test uses a 5ms max to keep the clamp provable in a
real-time unit test without making the suite slow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: JAORMX

net/egress/interceptor.go

@@ -16,6 +16,13 @@ const (
 	// if the DNS response has a shorter TTL. This prevents excessive
 	// rule churn from very short TTLs.
 	defaultMinTTL = 60 * time.Second
+
+	// defaultMaxTTL is the maximum TTL applied to dynamic rules, even
+	// if the DNS response advertises a longer TTL. This bounds how long
+	// a resolved IP remains allowed — useful if an upstream server
+	// returns very long TTLs, and as belt-and-suspenders against a
+	// compromised zone returning long-lived rogue answers.
+	defaultMaxTTL = 5 * time.Minute
 )
 
 // DNSInterceptor intercepts DNS traffic at the relay level to enforce
@@ -25,21 +32,47 @@ type DNSInterceptor struct {
 	policy       *Policy
 	dynamicRules *firewall.DynamicRules
 	minTTL       time.Duration
+	maxTTL       time.Duration
 	gatewayIP    [4]byte
 }
 
+// DNSInterceptorOption customizes a DNSInterceptor.
+type DNSInterceptorOption func(*DNSInterceptor)
+
+// WithMinTTL sets the minimum TTL applied to dynamic rules. A zero or
+// negative value leaves the default in place.
+func WithMinTTL(d time.Duration) DNSInterceptorOption {
+	return func(i *DNSInterceptor) {
+		if d > 0 {
+			i.minTTL = d
+		}
+	}
+}
+
+// WithMaxTTL sets the maximum TTL applied to dynamic rules. A zero or
+// negative value disables the cap (any TTL is accepted).
+func WithMaxTTL(d time.Duration) DNSInterceptorOption {
+	return func(i *DNSInterceptor) { i.maxTTL = d }
+}
+
 // NewDNSInterceptor creates an interceptor with the given policy, dynamic
 // rule set, and gateway IP. Only DNS responses from the gateway are
 // snooped to prevent spoofed responses from creating dynamic rules.
-// Dynamic rules created from DNS responses will have at least minTTL
-// duration (use 0 for the default of 60 seconds).
-func NewDNSInterceptor(policy *Policy, dr *firewall.DynamicRules, gatewayIP [4]byte) *DNSInterceptor {
-	return &DNSInterceptor{
+//
+// By default, dynamic rules are clamped to minTTL=60s and maxTTL=5m;
+// override via WithMinTTL / WithMaxTTL.
+func NewDNSInterceptor(policy *Policy, dr *firewall.DynamicRules, gatewayIP [4]byte, opts ...DNSInterceptorOption) *DNSInterceptor {
+	i := &DNSInterceptor{
 		policy:       policy,
 		dynamicRules: dr,
 		minTTL:       defaultMinTTL,
+		maxTTL:       defaultMaxTTL,
 		gatewayIP:    gatewayIP,
 	}
+	for _, o := range opts {
+		o(i)
+	}
+	return i
 }
 
 // HandleEgress processes an outbound DNS query frame. If the queried
@@ -118,6 +151,9 @@ func (d *DNSInterceptor) HandleIngress(frame []byte, hdr *firewall.PacketHeader)
 	if ttl < d.minTTL {
 		ttl = d.minTTL
 	}
+	if d.maxTTL > 0 && ttl > d.maxTTL {
+		ttl = d.maxTTL
+	}
 
 	ports, proto := d.policy.HostPorts(qname)
 

net/egress/interceptor_test.go

@@ -7,6 +7,7 @@ import (
 	"encoding/binary"
 	"net"
 	"testing"
+	"time"
 
 	mdns "github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -304,6 +305,37 @@ func TestDNSInterceptor_ResponseFromNonGateway_Ignored(t *testing.T) {
 		"DNS responses from non-gateway sources must not create dynamic rules")
 }
 
+func TestDNSInterceptor_ClampsTTLAtMaximum(t *testing.T) {
+	t.Parallel()
+
+	policy := NewPolicy([]HostSpec{{Name: "example.com"}})
+	dr := firewall.NewDynamicRules()
+	interceptor := NewDNSInterceptor(policy, dr, testDstIP,
+		WithMinTTL(1*time.Microsecond),
+		WithMaxTTL(5*time.Millisecond),
+	)
+
+	// Response advertises TTL = 1 hour; should be clamped to 5 ms.
+	ips := []net.IP{net.ParseIP("1.2.3.4")}
+	frame := buildDNSResponseFrame(testDstMAC, testSrcMAC, testDstIP, testSrcIP, 12345, "example.com", ips, 3600)
+	hdr := firewall.ParseHeaders(frame)
+
+	interceptor.HandleIngress(frame, hdr)
+
+	probe := &firewall.PacketHeader{
+		DstIP:    [4]byte{1, 2, 3, 4},
+		Protocol: 6,
+		DstPort:  443,
+	}
+	_, ok := dr.Match(firewall.Egress, probe)
+	require.True(t, ok, "rule should be live immediately after ingress")
+
+	// Give the clamp time to elapse; the rule must no longer match.
+	time.Sleep(25 * time.Millisecond)
+	_, ok = dr.Match(firewall.Egress, probe)
+	assert.False(t, ok, "rule should have expired past maxTTL clamp")
+}
+
 func TestDNSInterceptor_ExplicitProtocol_SingleRule(t *testing.T) {
 	t.Parallel()