diff --git a/Dockerfile b/Dockerfile
index 42e4ad7..b5f009e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s"
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain stable && \
     export PATH="$HOME/.cargo/bin:$PATH" && \
-    echo "Compiling encrypted-dns version 0.3.17" && \
+    echo "Compiling encrypted-dns version 0.3.18" && \
     cargo install encrypted-dns && \
     mkdir -p /opt/encrypted-dns/sbin && \
     mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index acb877d..a1347b9 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -83,6 +83,13 @@ cache_ttl_max = 86400
 cache_ttl_error = 600
 
 
+## DNS cache: to avoid bursts of traffic for popular queries when an
+## RRSET expires, hold a TTL received from an upstream server for
+## `client_ttl_holdon` seconds before decreasing it in client responses.
+
+client_ttl_holdon = 60
+
+
 ## Run as a background process
 
 daemonize = false