fcarraldo 2 hours ago

Neat. One issue I’ve encountered with lookup-based rules is the latency of updating the client’s name caches when records become stale. How do you handle that here, or does it need to be done in L7?

dangoodmanUT 2 hours ago | parent

For looking up the IP or whether you are permitted for some host?

For the former you don't, it's just DNS. The local DNS server respects TTL, and is no more expensive than a normal DNS lookup. It just proxies it to take the resolved IPs and push them into the eBPF map.

For the latter, the default expectation is that you push the rules to the "Attachment", typically in the "SyncAck". If you need to make updates, you push down deltas (add/remove rule).

You _can_ do dynamic DNS resolution, and there you'll be paying either 1x or ~2x DNS depending on whether your control plane already knows the IPs.
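The mechanism described in the reply (a local DNS proxy that honours TTLs, pushes resolved IPs into an eBPF map, and receives host rules as add/remove deltas) is small enough to model end to end. The following Python is an added illustration written for this thread, not code from the project being discussed: the eBPF map is stood in for by a plain dict, the DNS response is constructed in the block itself, and the `AllowMap`, `apply_delta` and `observe_response` names are assumptions chosen here. The point it shows is the one fcarraldo asked about: an IP learned from a response is only honoured until its TTL runs out, and removing a host rule drops the IPs that rule had admitted.

```python
import struct
from dataclasses import dataclass, field


def build_dns_response(qname: str, answers: list[tuple[str, int]], txid: int = 0x1234) -> bytes:
    """Construct a minimal wire-format DNS response carrying only A records.
    This exists to fabricate a sample message for the example; it is constructed data."""
    def encode_name(name: str) -> bytes:
        out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
        return out + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = b""
    for ip, ttl in answers:
        body += b"\xc0\x0c"  # compression pointer to the question name at offset 12
        body += struct.pack("!HHIH", 1, 1, ttl, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + question + body


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: follow it, but resume after the 2-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes) -> tuple[str, list[tuple[str, int]]]:
    """Return the queried name and every (ipv4, ttl) A record in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, qname, records = 12, "", []
    for _ in range(qdcount):
        qname, offset = parse_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = parse_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((".".join(str(b) for b in rdata), ttl))
    return qname, records


@dataclass
class AllowMap:
    """Stand-in for the eBPF map (an assumption of this example): the host rules pushed
    by the control plane, plus each resolved IP -> (host, absolute expiry time)."""
    allowed_hosts: set = field(default_factory=set)
    ip_entries: dict = field(default_factory=dict)

    def apply_delta(self, op: str, host: str) -> None:
        """Apply one add/remove rule delta. Removing a host evicts the IPs it admitted."""
        if op == "add":
            self.allowed_hosts.add(host)
        elif op == "remove":
            self.allowed_hosts.discard(host)
            self.ip_entries = {ip: e for ip, e in self.ip_entries.items() if e[0] != host}
        else:
            raise ValueError(f"unknown delta op {op!r}")

    def observe_response(self, msg: bytes, now: int) -> int:
        """What the DNS proxy does: push resolved IPs of a permitted host into the map,
        each stamped with the record's own TTL. Returns the number of IPs inserted."""
        qname, records = parse_a_records(msg)
        if qname not in self.allowed_hosts:
            return 0
        for ip, ttl in records:
            self.ip_entries[ip] = (qname, now + ttl)
        return len(records)

    def is_allowed(self, ip: str, now: int) -> bool:
        """Data-path check: a stale (TTL-expired) entry is evicted and treated as absent."""
        entry = self.ip_entries.get(ip)
        if entry is None:
            return False
        if now >= entry[1]:
            del self.ip_entries[ip]
            return False
        return True


def demo() -> dict:
    """Walk the lifecycle: rule push, DNS observation, TTL expiry, rule removal."""
    amap = AllowMap()
    amap.apply_delta("add", "api.example.com")
    msg = build_dns_response("api.example.com", [("192.0.2.10", 60), ("192.0.2.11", 5)])
    inserted = amap.observe_response(msg, now=1000)
    ignored = amap.observe_response(build_dns_response("other.example.net", [("198.51.100.7", 300)]), now=1000)
    fresh = amap.is_allowed("192.0.2.10", now=1000)
    short_ttl_expired = amap.is_allowed("192.0.2.11", now=1006)
    long_ttl_valid = amap.is_allowed("192.0.2.10", now=1006)
    amap.apply_delta("remove", "api.example.com")
    after_removal = amap.is_allowed("192.0.2.10", now=1006)
    return {"inserted": inserted, "ignored": ignored, "fresh": fresh,
            "short_ttl_expired": short_ttl_expired, "long_ttl_valid": long_ttl_valid,
            "after_removal": after_removal}
```

`now` is passed explicitly rather than read from the clock so the TTL behaviour is deterministic; in a real proxy it would be the time the response was seen. Note that the 5-second record is admitted at t=1000 and refused at t=1006 without any control-plane involvement, which is the "it's just DNS" property the reply describes, while the host rule itself only changes when a delta arrives.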