diff --git a/resolver/resolve.go b/resolver/resolve.go
index ebdf0c8f..c9fb2436 100644
--- a/resolver/resolve.go
+++ b/resolver/resolve.go
@@ -45,6 +45,12 @@ var (
 	ErrNoCompliance = fmt.Errorf("%w: no compliant resolvers for this query", ErrBlocked)
 )
 
+const (
+	minTTL     = 60           // 1 Minute
+	minMDnsTTL = 60           // 1 Minute
+	maxTTL     = 24 * 60 * 60 // 24 hours
+)
+
 // BlockedUpstreamError is returned when a DNS request
 // has been blocked by the upstream server.
 type BlockedUpstreamError struct {
@@ -326,7 +332,7 @@ resolveLoop:
 	// cache if enabled
 	if !q.NoCaching {
 		// persist to database
-		rrCache.Clean(600)
+		rrCache.Clean(minTTL)
 		err = rrCache.Save()
 		if err != nil {
 			log.Warningf("resolver: failed to cache RR for %s%s: %s", q.FQDN, q.QType.String(), err)
diff --git a/resolver/resolver-mdns.go b/resolver/resolver-mdns.go
index c8525637..5a6b552e 100644
--- a/resolver/resolver-mdns.go
+++ b/resolver/resolver-mdns.go
@@ -276,7 +276,7 @@ func handleMDNSMessages(ctx context.Context, messages chan *dns.Msg) error {
 
 			var questionID string
 			if saveFullRequest {
-				rrCache.Clean(60)
+				rrCache.Clean(minMDnsTTL)
 				err := rrCache.Save()
 				if err != nil {
 					log.Warningf("resolver: failed to cache RR %s: %s", rrCache.Domain, err)
@@ -304,7 +304,7 @@ func handleMDNSMessages(ctx context.Context, messages chan *dns.Msg) error {
 					Server:      mDNSResolver.Server,
 					ServerScope: mDNSResolver.ServerIPScope,
 				}
-				rrCache.Clean(60)
+				rrCache.Clean(minMDnsTTL)
 				err := rrCache.Save()
 				if err != nil {
 					log.Warningf("resolver: failed to cache RR %s: %s", rrCache.Domain, err)
diff --git a/resolver/resolver-tcp.go b/resolver/resolver-tcp.go
index 3e84d942..c9f40dcb 100644
--- a/resolver/resolver-tcp.go
+++ b/resolver/resolver-tcp.go
@@ -419,7 +419,7 @@ func (mgr *tcpResolverConnMgr) handleQueryResponse(conn *dns.Conn, msg *dns.Msg)
 
 	// persist to database
 	rrCache := inFlight.MakeCacheRecord(msg)
-	rrCache.Clean(600)
+	rrCache.Clean(minTTL)
 	err := rrCache.Save()
 	if err != nil {
 		log.Warningf(
diff --git a/resolver/rrcache.go b/resolver/rrcache.go
index a794598d..21edf428 100644
--- a/resolver/rrcache.go
+++ b/resolver/rrcache.go
@@ -72,9 +72,12 @@ func (rrCache *RRCache) Clean(minExpires uint32) {
 		header.Ttl = 17
 	}
 
-	// TTL must be at least minExpires
-	if lowestTTL < minExpires {
+	// TTL range limits
+	switch {
+	case lowestTTL < minExpires:
 		lowestTTL = minExpires
+	case lowestTTL > maxTTL:
+		lowestTTL = maxTTL
 	}
 
 	// shorten caching