We need to have another look at this, especially after #4215 , which changes where the IP blacklist check is done, and is potentially vulnerable to an attack where a super low TTL or no DNS caching can have the check pass on a non whitelisted IP and then the request be made to a refetched DNS query which has a blacklisted IP.