@fanboynz/network-scanner 2.0.66 → 3.0.0

package/lib/nettools.js

@@ -3,7 +3,14 @@
  * Provides domain analysis capabilities with proper timeout handling, custom whois servers, and retry logic
  */
 
-const { exec, execSync } = require('child_process');
+// execFile (no shell) for whois/dig invocations -- arguments are passed
+// directly to the executable as an argv array, so shell metacharacters in
+// config-supplied hostnames or server names CANNOT execute commands. The
+// prior `exec(string)` approach interpolated tainted values into a shell
+// string protected only by double-quoting, which doesn't stop $()/backticks.
+// execSync is retained ONLY for the version-probe helpers below, where
+// commands are constant string literals with no user-controlled inputs.
+const { execFile, execSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const { formatLogMessage, messageColors } = require('./colorize');
@@ -17,19 +24,68 @@ let whoisServerCycleIndex = 0;
 // DNS records don't change based on what terms you're searching for,
 // so we cache the raw dig output and let each handler check its own terms against it
 const globalDigResultCache = new Map();
-const GLOBAL_DIG_CACHE_TTL = 50400000; // 14 hours (persisted to disk between runs)
-const GLOBAL_DIG_CACHE_MAX = 1000;
+const GLOBAL_DIG_CACHE_TTL = 72000000; // 20 hours (persisted to disk between runs)
+const GLOBAL_DIG_CACHE_MAX = 2000;
 
 // Global whois result cache — shared across ALL handler instances and processUrl calls
 // Whois data is per root domain and doesn't change based on search terms
 const globalWhoisResultCache = new Map();
-const GLOBAL_WHOIS_CACHE_TTL = 50400000; // 14 hours (persisted to disk between runs)
-const GLOBAL_WHOIS_CACHE_MAX = 1000;
+const GLOBAL_WHOIS_CACHE_TTL = 72000000; // 20 hours (persisted to disk between runs)
+const GLOBAL_WHOIS_CACHE_MAX = 2000;
 
 // Persistent disk cache file paths
 const DIG_CACHE_FILE = path.join(__dirname, '..', '.digcache');
 const WHOIS_CACHE_FILE = path.join(__dirname, '..', '.whoiscache');
 
+// Index of hostnames known to resolve, populated as a side effect of
+// positive dig/whois cache writes AND cache hits. nwss.js's DNS pre-check
+// reads this via domainKnownToResolve() so it can skip its own resolve4
+// call on hosts that dig or whois have already proven live within the
+// 20-hour TTL window. Populating on cache HITS (not just writes) handles
+// the --dns-cache disk-load case where entries arrive without going
+// through the in-process write path. Stale entries -- hostname in Set but
+// the dig/whois entry has since been evicted -- are harmless: worst case
+// is one wasted pre-check next time the hostname comes through.
+const knownResolvedHostnames = new Set();
+const MAX_RESOLVED_HOSTNAMES = 5000;
+
+function markResolved(hostname) {
+  if (!hostname) return;
+  if (knownResolvedHostnames.size >= MAX_RESOLVED_HOSTNAMES) {
+    // FIFO eviction -- Set iteration order is insertion order.
+    knownResolvedHostnames.delete(knownResolvedHostnames.values().next().value);
+  }
+  knownResolvedHostnames.add(hostname);
+}
+
+/**
+ * Returns true if dig or whois has produced a verifiable-positive result
+ * for this hostname during the current process lifetime. nwss.js's DNS
+ * pre-check uses this to skip resolve4 calls on hosts we already know
+ * are live. False does NOT mean "unresolvable" -- it means "we have no
+ * recent evidence either way; do the pre-check".
+ */
+function domainKnownToResolve(hostname) {
+  return knownResolvedHostnames.has(hostname);
+}
+
+// Dig responses with success:true can still represent NXDOMAIN -- the dig
+// COMMAND succeeded but the DNS RESPONSE is "no such name". The output
+// string is the only reliable signal. NOERROR + non-zero answer count =
+// the hostname genuinely resolved.
+function digOutputIndicatesResolution(output) {
+  if (!output) return false;
+  if (!output.includes('status: NOERROR')) return false;
+  // ANSWER: 0 means NOERROR but no records of the requested type -- the
+  // hostname exists at this label but doesn't have THIS record type.
+  // For our purposes (proving the name is live) that's still useful, but
+  // strictly "domain has nameservers and returned authoritative empty"
+  // is weaker than "domain returned an actual A/AAAA". Conservative
+  // choice: require non-zero answer count.
+  if (/ANSWER:\s*0\b/.test(output)) return false;
+  return true;
+}
+
 /**
  * Load persistent cache from disk into in-memory Map
  * Skips expired entries and enforces max size
@@ -39,6 +95,18 @@ const WHOIS_CACHE_FILE = path.join(__dirname, '..', '.whoiscache');
  * @param {number} maxSize - Maximum cache entries
  */
 function loadDiskCache(filePath, cache, ttl, maxSize) {
+  // Also clean up any stray .tmp files from a prior interrupted save.
+  // The atomic-write path (saveDiskCache below) writes to `${filePath}.tmp`
+  // then renames; a process killed mid-write leaves the .tmp behind. The
+  // real file remains intact (rename is atomic), so we just sweep the
+  // stray on load.
+  try {
+    const tmpPath = filePath + '.tmp';
+    if (fs.existsSync(tmpPath)) {
+      try { fs.unlinkSync(tmpPath); } catch {}
+    }
+  } catch {}
+
   try {
     if (!fs.existsSync(filePath)) return;
     const data = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
@@ -51,8 +119,13 @@ function loadDiskCache(filePath, cache, ttl, maxSize) {
         loaded++;
       }
     }
-  } catch {
-    // Corrupt or unreadable cache file — delete and start fresh
+  } catch (err) {
+    // Corrupt or unreadable cache file — delete and start fresh.
+    // Surface the event so the user knows they lost their warm cache;
+    // previously this was a silent reset, which made "why did my dns
+    // cache stop helping?" hard to diagnose.
+    // eslint-disable-next-line no-console
+    console.warn(`${messageColors.highlight('[dns-cache]')} ${path.basename(filePath)} was unreadable (${err.message}); starting fresh`);
     try { fs.unlinkSync(filePath); } catch {}
   }
 }
@@ -78,11 +151,12 @@ function saveDiskCache(filePath, cache, ttl, maxSize) {
       }
     }
 
-    // If over max, keep only the newest entries. Drop the pretty-print —
-    // saveDiskCache runs on the synchronous 'exit' handler when --dns-cache
-    // is set, so any work here directly delays scan exit. Compact JSON is
-    // several times faster on multi-megabyte caches and the file is not
-    // intended for human reading.
+    // Build the final payload (with trimming if over cap). Compact JSON
+    // -- saveDiskCache runs on the synchronous 'exit' handler when
+    // --dns-cache is set, so any work here directly delays scan exit.
+    // Several times faster than pretty-print on multi-megabyte caches
+    // and the file is not intended for human reading.
+    let payload;
     if (count > maxSize) {
       const sorted = Object.entries(entries)
         .sort((a, b) => b[1].timestamp - a[1].timestamp)
@@ -91,12 +165,28 @@ function saveDiskCache(filePath, cache, ttl, maxSize) {
       for (const [key, entry] of sorted) {
         trimmed[key] = entry;
       }
-      fs.writeFileSync(filePath, JSON.stringify(trimmed));
+      payload = JSON.stringify(trimmed);
     } else {
-      fs.writeFileSync(filePath, JSON.stringify(entries));
+      payload = JSON.stringify(entries);
     }
+
+    // Atomic write: writeFileSync to a sibling .tmp path, then rename.
+    // If the process is killed mid-write (SIGKILL, OOM, power loss) the
+    // .tmp is left as garbage but the real filePath is either complete
+    // or absent -- never half-written. loadDiskCache sweeps stray .tmp
+    // files on next startup.
+    // Matches the pattern already used in lib/adblock-rust.js per the
+    // CLAUDE.md convention. We deliberately omit the pid suffix used
+    // there because saveDiskCache only ever runs from the single 'exit'
+    // handler -- no concurrent-process race to disambiguate.
+    const tmpPath = filePath + '.tmp';
+    fs.writeFileSync(tmpPath, payload);
+    fs.renameSync(tmpPath, filePath);
   } catch {
-    // Disk write failed — non-fatal, in-memory cache still works
+    // Disk write failed -- non-fatal, in-memory cache still works.
+    // Best-effort cleanup of any stray tmp file from this attempt so
+    // it doesn't accumulate over repeated failures.
+    try { fs.unlinkSync(filePath + '.tmp'); } catch {}
   }
 }
 
@@ -104,9 +194,57 @@ function saveDiskCache(filePath, cache, ttl, maxSize) {
 const pendingDigLookups = new Map();
 const pendingWhoisLookups = new Map();
 
-// DNS cache statistics
+/**
+ * Enforce a hard size cap on the dig/whois global caches. Evicts expired
+ * entries first; if the cache is still over cap after that (i.e. every
+ * remaining entry is within its TTL but there are simply too many),
+ * deletes the oldest entries by timestamp until size <= max. Without the
+ * second pass the caches could grow unbounded on scans of many unique
+ * hostnames whose entries hadn't expired yet.
+ *
+ * @param {Map} cache - cache Map to prune
+ * @param {number} maxSize - desired hard cap
+ * @param {number} ttl - TTL in ms; entries older than this are evicted first
+ * @returns {{expired: number, overflow: number}} eviction counts
+ */
+function enforceCacheCap(cache, maxSize, ttl) {
+  if (cache.size <= maxSize) return { expired: 0, overflow: 0 };
+  const now = Date.now();
+  let expired = 0;
+  for (const [key, entry] of cache.entries()) {
+    if (now - entry.timestamp > ttl) {
+      cache.delete(key);
+      expired++;
+    }
+  }
+  let overflow = 0;
+  if (cache.size > maxSize) {
+    // Snapshot timestamps and sort ascending, evict the oldest few.
+    const byAge = Array.from(cache.entries())
+      .sort((a, b) => a[1].timestamp - b[1].timestamp);
+    const toDrop = cache.size - maxSize;
+    for (let i = 0; i < toDrop; i++) {
+      cache.delete(byAge[i][0]);
+      overflow++;
+    }
+  }
+  return { expired, overflow };
+}
+
+// DNS cache statistics. freshDig / freshWhois are sample lists for
+// end-of-scan visibility; capped at MAX_FRESH_LIST entries (FIFO) so
+// they can't grow unbounded on scans with thousands of unique fresh
+// lookups. digMisses/whoisMisses retain the full count, so callers
+// who want totals can read those; freshDig/freshWhois are intended as
+// "show me which domains" diagnostic samples.
+const MAX_FRESH_LIST = 1000;
 const dnsCacheStats = { digHits: 0, digMisses: 0, whoisHits: 0, whoisMisses: 0, freshDig: [], freshWhois: [] };
 
+function pushFreshSample(arr, item) {
+  if (arr.length >= MAX_FRESH_LIST) arr.shift();
+  arr.push(item);
+}
+
 /**
  * Get DNS cache statistics for end-of-scan reporting
  * @returns {Object} Cache hit/miss counts and fresh domain lists
@@ -119,14 +257,46 @@ function getDnsCacheStats() {
 let diskCacheEnabled = false;
 
 /**
- * Enable persistent disk caching for dig/whois results
- * Call this when --dns-cache flag is set
+ * Enable persistent disk caching for dig/whois results.
+ * Call this when --dns-cache flag is set. Idempotent — repeated calls
+ * are no-ops, which prevents double-loading the cache files and double-
+ * registering the 'exit' handler that flushes them on shutdown.
  */
 function enableDiskCache() {
+  if (diskCacheEnabled) return;
   diskCacheEnabled = true;
   loadDiskCache(DIG_CACHE_FILE, globalDigResultCache, GLOBAL_DIG_CACHE_TTL, GLOBAL_DIG_CACHE_MAX);
   loadDiskCache(WHOIS_CACHE_FILE, globalWhoisResultCache, GLOBAL_WHOIS_CACHE_TTL, GLOBAL_WHOIS_CACHE_MAX);
 
+  // Warm knownResolvedHostnames from disk-loaded entries so the very
+  // first URL per cached domain also skips the c-ares pre-check (instead
+  // of waiting for the cache-hit handler to fire later in the URL's
+  // pipeline). Entries written by older versions of this module lack the
+  // `hostname` field -- they're skipped here and fall back to lazy
+  // on-hit population. Same positive-resolution gates apply as the live
+  // write/hit paths (dig: NOERROR + non-zero answers; whois: success).
+  let digWarm = 0;
+  let whoisWarm = 0;
+  for (const entry of globalDigResultCache.values()) {
+    if (entry.hostname && entry.result && entry.result.success &&
+        digOutputIndicatesResolution(entry.result.output)) {
+      markResolved(entry.hostname);
+      digWarm++;
+    }
+  }
+  for (const entry of globalWhoisResultCache.values()) {
+    if (entry.hostname && entry.result && entry.result.success) {
+      markResolved(entry.hostname);
+      whoisWarm++;
+    }
+  }
+  // Debug log only if anything was actually warmed; silent on fresh
+  // installs / empty disk caches.
+  if (digWarm > 0 || whoisWarm > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`${messageColors.highlight('[dns-cache]')} Warmed resolved-hostnames index from disk: ${digWarm} dig + ${whoisWarm} whois entries`);
+  }
+
   // Save caches to disk once on process exit instead of per-lookup. The
   // 'exit' handler fires synchronously regardless of how the process exits
   // (normal completion, signal, uncaught exception), so a separate signal
@@ -203,25 +373,36 @@ function validateDigAvailability() {
 }
 
 /**
- * Executes a command with proper timeout handling
- * @param {string} command - Command to execute
+ * Spawn a process with execFile (no shell) and a hard timeout. Arguments
+ * are passed directly as argv -- shell metacharacters in any element
+ * cannot execute commands. Replaces the prior exec(string)-based helper
+ * whose double-quote-only protection failed against $()/backticks.
+ *
+ * @param {string} cmd - Executable name or path
+ * @param {string[]} args - Argument vector (each element a separate arg)
  * @param {number} timeout - Timeout in milliseconds
- * @returns {Promise<Object>} Promise that resolves with stdout/stderr or rejects on timeout/error
+ * @returns {Promise<{stdout:string, stderr:string}>} -- rejects on timeout/error
  */
-function execWithTimeout(command, timeout = 10000) {
+function execFileWithTimeout(cmd, args, timeout = 10000) {
   return new Promise((resolve, reject) => {
-    const child = exec(command, { encoding: 'utf8' }, (error, stdout, stderr) => {
+    // Hoisted before the callbacks that reference it. Previously `const
+    // timer = setTimeout(...)` was declared after the exec callback /
+    // 'error' listener that both did `if (timer) clearTimeout(timer)` —
+    // worked in practice because exec defers callbacks via nextTick, but
+    // structurally fragile (a synchronous exec failure would TDZ-throw).
+    let timer = null;
+
+    const child = execFile(cmd, args, { encoding: 'utf8' }, (error, stdout, stderr) => {
       if (timer) clearTimeout(timer);
-      
+
       if (error) {
         reject(error);
       } else {
         resolve({ stdout, stderr });
       }
     });
-    
-    // Set up timeout
-    const timer = setTimeout(() => {
+
+    timer = setTimeout(() => {
       child.kill('SIGTERM');
 
       // Force kill after 2 seconds if SIGTERM doesn't work. unref() so this
@@ -235,9 +416,9 @@ function execWithTimeout(command, timeout = 10000) {
       }, 2000);
       killTimer.unref();
 
-      reject(new Error(`Command timeout after ${timeout}ms: ${command}`));
+      reject(new Error(`Command timeout after ${timeout}ms: ${cmd} ${args.join(' ')}`));
     }, timeout);
-    
+
     // Handle child process errors
     child.on('error', (err) => {
       if (timer) clearTimeout(timer);
@@ -344,19 +525,24 @@ async function whoisLookup(domain = '', timeout = 10000, whoisServer = '', debug
   try {
     // Clean domain (remove protocol, path, etc)
     cleanDomain = domain.replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/:\d+$/, '');
-    
+
     // Select whois server if provided
     selectedServer = selectWhoisServer(whoisServer);
-    
-    // Build whois command
+
+    // Build whois argv. Pass each token as a separate argv element --
+    // execFile does NOT spawn a shell, so neither cleanDomain nor
+    // selectedServer can inject commands no matter what they contain.
+    // The leading `--` is preserved so dashes in `cleanDomain` don't get
+    // re-interpreted as flags by the whois binary itself.
+    let whoisArgs;
     if (selectedServer) {
-      // Use custom whois server with -h flag
-      whoisCommand = `whois -h "${selectedServer}" -- "${cleanDomain}"`;
+      whoisArgs = ['-h', selectedServer, '--', cleanDomain];
     } else {
-      // Use default whois behavior
-      whoisCommand = `whois -- "${cleanDomain}"`;
+      whoisArgs = ['--', cleanDomain];
     }
-       
+    // Kept as a display string for debug logging only -- never executed.
+    whoisCommand = `whois ${whoisArgs.join(' ')}`;
+
     if (debugMode) {
       if (logFunc) {
         logFunc(`${messageColors.highlight('[whois]')} Starting lookup for ${cleanDomain} (timeout: ${timeout}ms)`);
@@ -366,8 +552,8 @@ async function whoisLookup(domain = '', timeout = 10000, whoisServer = '', debug
         console.log(formatLogMessage('debug', `${messageColors.highlight('[whois]')} Command: ${whoisCommand}`));
       }
     }
-    
-    const { stdout, stderr } = await execWithTimeout(whoisCommand, timeout);
+
+    const { stdout, stderr } = await execFileWithTimeout('whois', whoisArgs, timeout);
     const duration = Date.now() - startTime;
     
     if (stderr && stderr.trim()) {
@@ -772,9 +958,11 @@ async function digLookup(domain = '', recordType = 'A', timeout = 5000) {
   try {
     // Clean domain
     const cleanDomain = domain.replace(/^https?:\/\//, '').replace(/\/.*$/, '').replace(/:\d+$/, '');
-    
-    // Single dig command — full output contains everything including the short answers
-    const { stdout: fullOutput, stderr } = await execWithTimeout(`dig "${cleanDomain}" ${recordType}`, timeout);
+
+    // Single dig command — full output contains everything including short
+    // answers. execFile (no shell) so cleanDomain / recordType can contain
+    // any chars without injection risk.
+    const { stdout: fullOutput, stderr } = await execFileWithTimeout('dig', [cleanDomain, recordType], timeout);
     
     if (stderr && stderr.trim()) {
       return {
@@ -928,7 +1116,14 @@ function createNetToolsHandler(config) {
     dumpUrls,
     matchedUrlsLogFile,
     forceDebug,
-    fs
+    fs,
+    // ignoreDomains guard: callers pass the live ignoreDomains list + matcher
+    // so a domain that became ignored AFTER the request fired (e.g. via
+    // ignoreDomainsByUrl on a sibling request, or _dynamicallyIgnoredDomains)
+    // doesn't slip into matchedDomains during the async whois/dig window.
+    // Both default to no-op so older callers without the kwargs still work.
+    ignoreDomains = null,
+    matchesIgnoreDomain = null
   } = config;
   
   const hasWhois = whoisTerms && Array.isArray(whoisTerms) && whoisTerms.length > 0;
@@ -1123,6 +1318,11 @@ function createNetToolsHandler(config) {
               originalTimestamp: cachedEntry.timestamp
             });
             dnsCacheStats.whoisHits++;
+            // Warm the resolved-hostnames index from disk-loaded entries.
+            // Cached whois entries are pre-filtered for network errors at
+            // write time, so every cached entry implies the domain has a
+            // registrar record -- strong resolution signal.
+            markResolved(whoisRootDomain);
           } else {
             // Cache expired, remove it
             globalWhoisResultCache.delete(whoisCacheKey);
@@ -1169,12 +1369,18 @@ function createNetToolsHandler(config) {
                    !whoisResult.error.toLowerCase().includes('connection') &&
                    !whoisResult.error.toLowerCase().includes('network'))) {
 
+                // `hostname` field is backwards-compat additive (see dig
+                // write site for details).
                 globalWhoisResultCache.set(whoisCacheKey, {
                   result: whoisResult,
-                timestamp: now
+                timestamp: now,
+                hostname: whoisRootDomain
               });
               dnsCacheStats.whoisMisses++;
-              dnsCacheStats.freshWhois.push(whoisRootDomain);
+              pushFreshSample(dnsCacheStats.freshWhois, whoisRootDomain);
+              // Only mark resolved on actual whois success -- a cached
+              // "not found" / "no match" failure shouldn't claim resolution.
+              if (whoisResult.success) markResolved(whoisRootDomain);
 
               if (forceDebug) {
                 const cacheType = whoisResult.success ? 'successful' : 'failed';
@@ -1332,18 +1538,14 @@ function createNetToolsHandler(config) {
           }
         }
         
-        // Periodic whois cache cleanup to prevent memory leaks
-        if (globalWhoisResultCache.size > GLOBAL_WHOIS_CACHE_MAX) {
-          const now = Date.now();
-          let cleanedCount = 0;
-          for (const [key, entry] of globalWhoisResultCache.entries()) {
-            if (now - entry.timestamp > GLOBAL_WHOIS_CACHE_TTL) {
-              globalWhoisResultCache.delete(key);
-              cleanedCount++;
-            }
-          }
-          if (forceDebug && cleanedCount > 0) {
-            logToConsoleAndFile(`${messageColors.highlight('[whois-cache]')} Cleaned ${cleanedCount} expired entries, cache size: ${globalWhoisResultCache.size}`);
+        // Periodic whois cache cleanup. enforceCacheCap evicts expired
+        // entries first; if still over MAX (all entries still within TTL
+        // but too many), evicts the oldest by timestamp so the cap is
+        // strictly enforced.
+        {
+          const ev = enforceCacheCap(globalWhoisResultCache, GLOBAL_WHOIS_CACHE_MAX, GLOBAL_WHOIS_CACHE_TTL);
+          if (forceDebug && (ev.expired + ev.overflow) > 0) {
+            logToConsoleAndFile(`${messageColors.highlight('[whois-cache]')} Pruned ${ev.expired} expired + ${ev.overflow} overflow entries, cache size: ${globalWhoisResultCache.size}`);
           }
         }
       }
@@ -1374,6 +1576,11 @@ function createNetToolsHandler(config) {
               }
               digResult = cachedEntry.result;
               dnsCacheStats.digHits++;
+              // Warm the resolved-hostnames index from disk-loaded entries.
+              // No-op if already present.
+              if (digResult.success && digOutputIndicatesResolution(digResult.output)) {
+                markResolved(digDomain);
+              }
             } else {
               // Cache expired, remove it
               globalDigResultCache.delete(digCacheKey);
@@ -1397,13 +1604,23 @@ function createNetToolsHandler(config) {
                 pendingDigLookups.delete(digCacheKey);
               }
 
-              // Cache the result for future use
+              // Cache the result for future use. `hostname` field is
+              // backwards-compat additive: old code reading new cache
+              // ignores it; new code reading old cache (no field) falls
+              // back to lazy on-hit population in the cache-hit branch.
               globalDigResultCache.set(digCacheKey, {
                 result: digResult,
-                timestamp: now
+                timestamp: now,
+                hostname: digDomain
               });
               dnsCacheStats.digMisses++;
-              dnsCacheStats.freshDig.push(`${digDomain} (${digRecordType})`);
+              pushFreshSample(dnsCacheStats.freshDig, `${digDomain} (${digRecordType})`);
+              // Index hostname IF dig actually proved resolution -- NXDOMAIN
+              // responses arrive as success:true with NXDOMAIN in the body,
+              // so digOutputIndicatesResolution is the real gate.
+              if (digResult.success && digOutputIndicatesResolution(digResult.output)) {
+                markResolved(digDomain);
+              }
 
               if (forceDebug && digResult.success) {
                 logToConsoleAndFile(`${messageColors.highlight('[dig-cache]')} Cached new result for ${digDomain} (${digRecordType})`);
@@ -1475,18 +1692,11 @@ function createNetToolsHandler(config) {
           }
         }
         
-        // Periodic dig cache cleanup to prevent memory leaks
-        if (globalDigResultCache.size > GLOBAL_DIG_CACHE_MAX) {
-          const now = Date.now();
-          let cleanedCount = 0;
-          for (const [key, entry] of globalDigResultCache.entries()) {
-            if (now - entry.timestamp > GLOBAL_DIG_CACHE_TTL) {
-              globalDigResultCache.delete(key);
-              cleanedCount++;
-            }
-          }
-          if (forceDebug && cleanedCount > 0) {
-            logToConsoleAndFile(`${messageColors.highlight('[dig-cache]')} Cleaned ${cleanedCount} expired entries, cache size: ${globalDigResultCache.size}`);
+        // Periodic dig cache cleanup. Same enforce-cap pattern as whois.
+        {
+          const ev = enforceCacheCap(globalDigResultCache, GLOBAL_DIG_CACHE_MAX, GLOBAL_DIG_CACHE_TTL);
+          if (forceDebug && (ev.expired + ev.overflow) > 0) {
+            logToConsoleAndFile(`${messageColors.highlight('[dig-cache]')} Pruned ${ev.expired} expired + ${ev.overflow} overflow entries, cache size: ${globalDigResultCache.size}`);
           }
         }
       }
@@ -1532,7 +1742,14 @@ function createNetToolsHandler(config) {
           }
           // No need to add to matched domains
         } else {
-          if (typeof addMatchedDomain === 'function') {
+          // Re-check ignoreDomains right before adding — the async whois/dig
+          // window may have classified this domain as ignored since the
+          // request-time gate ran. Mirrors curl.js/grep.js/searchstring.js.
+          if (typeof matchesIgnoreDomain === 'function' && matchesIgnoreDomain(domain, ignoreDomains)) {
+            if (forceDebug) {
+              logToConsoleAndFile(`${messageColors.highlight('[nettools]')} Skipping ${domain}: now in ignoreDomains (post-whois/dig)`);
+            }
+          } else if (typeof addMatchedDomain === 'function') {
             addMatchedDomain(domain, null, fullSubdomain);
           } else {
             matchedDomains.add(domain);
@@ -1581,22 +1798,27 @@ function createNetToolsHandler(config) {
   };
 }
 
+// Public surface kept narrow on purpose -- only what nwss.js actually
+// imports (verified via repo-wide grep). Internal helpers
+// (whoisLookup, whoisLookupWithRetry, digLookup, checkWhoisTerms,
+// checkWhoisTermsOr, checkDigTerms, checkDigTermsOr, selectWhoisServer,
+// getCommonWhoisServers, suggestWhoisServers, execFileWithTimeout,
+// markResolved, digOutputIndicatesResolution, loadDiskCache,
+// saveDiskCache, enforceCacheCap, stripAnsiColors) stay as module-local
+// functions -- move back to module.exports only if a new external
+// consumer appears. The dropped `execWithTimeout` was also the
+// "// Export for testing" entry; there's no test suite, so the export
+// was load-bearing for nothing.
 module.exports = {
-  validateWhoisAvailability,
-  validateDigAvailability,
-  whoisLookup,
-  whoisLookupWithRetry,
-  digLookup,
-  checkWhoisTerms,
-  checkWhoisTermsOr,
-  checkDigTerms,
-  checkDigTermsOr,
   createNetToolsHandler,
   createEnhancedDryRunCallback,
-  selectWhoisServer,
-  getCommonWhoisServers,
-  suggestWhoisServers,
-  execWithTimeout, // Export for testing
+  validateWhoisAvailability,
+  validateDigAvailability,
   enableDiskCache,
-  getDnsCacheStats
+  getDnsCacheStats,
+  // Resolved-hostnames index for the DNS pre-check optimization.
+  // nwss.js's per-task pre-check consults this BEFORE calling resolve4
+  // so hosts already proven live by dig or whois (within their 20h
+  // cache TTL) skip the c-ares call entirely.
+  domainKnownToResolve
 };