From b95815c9cc158a562b2cd5e5923184780d4f455f Mon Sep 17 00:00:00 2001
From: Administrator
Date: Sun, 20 Jul 2025 16:15:02 +0200
Subject: [PATCH 1/2] limit TTL in handleIPQuery according RFC 1035
---
 proxy/dns/dns.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/proxy/dns/dns.go b/proxy/dns/dns.go
index 1971cf74622..6fcf91efd0a 100644
--- a/proxy/dns/dns.go
+++ b/proxy/dns/dns.go
@@ -251,7 +251,16 @@ func (h *Handler) handleIPQuery(id uint16, qType dnsmessage.Type, domain string,
 var ttl uint32 = 600
 if h.config.OverrideResponseTtl {
- ttl = h.config.ResponseTtl
+ // RFC 1035: TTL 32-Bit unsigned Integer, 0 .. 4294967295
+ const maxTTL uint32 = 4294967295
+ const minTTL uint32 = 0
+ if h.config.ResponseTtl > maxTTL {
+ ttl = maxTTL
+ } else if h.config.ResponseTtl < minTTL {
+ ttl = minTTL
+ } else {
+ ttl = h.config.ResponseTtl
+ }
 }
 switch qType {
From 3c58f65d4739b860be2318762b23ec3bfbac5f76 Mon Sep 17 00:00:00 2001
From: Administrator
Date: Sun, 20 Jul 2025 16:20:44 +0200
Subject: [PATCH 2/2] Backporting Response TTL Configuration from v5 to v4 fixes: #3381
---
 infra/conf/v4/dns_proxy.go | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/infra/conf/v4/dns_proxy.go b/infra/conf/v4/dns_proxy.go
index 38f20b21b78..3b9875fdfa9 100644
--- a/infra/conf/v4/dns_proxy.go
+++ b/infra/conf/v4/dns_proxy.go
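Review bot: The clamp added inside the `OverrideResponseTtl` branch can never fire: the removed line assigned `h.config.ResponseTtl` straight into a `uint32`, so the field is presumably `uint32` itself, and a `uint32` is never `> 4294967295` or `< 0` (staticcheck reports such comparisons as always false). The effective behaviour is still `ttl = h.config.ResponseTtl`, so an operator-supplied value up to 2^32-1 reaches clients unchanged. If a bound is intended, RFC 2181 section 8 limits TTLs to 2^31-1 and tells receivers to treat larger values as zero, so a meaningful cap would be `const maxTTL uint32 = 1<<31 - 1` followed by `ttl = h.config.ResponseTtl` and `if ttl > maxTTL { ttl = maxTTL }`. The body of handleIPQuery starts and ends outside the hunk.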
@@ -9,22 +9,26 @@ import (
 )
 type DNSOutboundConfig struct {
- Network cfgcommon.Network `json:"network"`
- Address *cfgcommon.Address `json:"address"`
- Port uint16 `json:"port"`
- UserLevel uint32 `json:"userLevel"`
+ Network cfgcommon.Network `json:"network"`
+ Address *cfgcommon.Address `json:"address"`
+ Port uint16 `json:"port"`
+ UserLevel uint32 `json:"userLevel"`
+ OverrideResponseTtl bool `json:"overrideresponseTtl"`
+ ResponseTtl uint32 `json:"responseTtl"`
 }
 func (c *DNSOutboundConfig) Build() (proto.Message, error) {
- config := &dns.Config{
- Server: &net.Endpoint{
- Network: c.Network.Build(),
- Port: uint32(c.Port),
- },
- UserLevel: c.UserLevel,
- }
- if c.Address != nil {
- config.Server.Address = c.Address.Build()
- }
- return config, nil
+ config := &dns.Config{
+ Server: &net.Endpoint{
+ Network: c.Network.Build(),
+ Port: uint32(c.Port),
+ },
+ UserLevel: c.UserLevel,
+ OverrideResponseTtl: c.OverrideResponseTtl,
+ ResponseTtl: c.ResponseTtl,
+ }
+ if c.Address != nil {
+ config.Server.Address = c.Address.Build()
+ }
+ return config, nil
 }
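Review bot: The new tag `json:"overrideresponseTtl"` on `OverrideResponseTtl` breaks the lowerCamelCase used by its neighbours (`userLevel`, `responseTtl`); `json:"overrideResponseTtl"` would match them, and if the config loader matches keys case-sensitively the current spelling is the only one accepted, so the choice should be deliberate. `Build` copies `ResponseTtl` into `dns.Config` without any range check, so whatever bound the DNS handler is meant to enforce has to hold there; a doc comment on the two fields, e.g. `// ResponseTtl is the TTL in seconds written into answers when OverrideResponseTtl is true.`, would make that contract visible. The unchanged lines of `Build` appear as removed and re-added, which suggests an indentation-only change; running gofmt before committing would probably reduce that part of the hunk to the two new assignments.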