Comment 15 for bug 490317

ceg (ceg) wrote :

Actually right, resolving at each startup makes the firewall vulnerable to DNS spoofing.

OTOH, it's a nice feature to be able to write down domain names.

So, the two stages may be improved.
The lower-stage firehol start/stop scripts could always just dump/restore the rules (resolved IPs), to make sure the firewall is up even on resolve errors.
The stage-two script (when an interface comes up) rechecks whether the config file (possibly containing domains) still creates the same rules (with IPs).
If there are differences, notify/warn the admin if the config file has not been changed.
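The two-stage scheme proposed in the comment above, as an added example that is not part of this bug thread and not firehol's own code. It is a file-based simulation: "restore" and "apply" copy a rule file into a state directory instead of calling iptables-restore, the config format (`ACTION HOST PORT`) is invented for the example, and DNS answers come from a constructed `name ip` lookup table so the script runs offline. The interesting part is stage 2: it regenerates the rules from the config, compares them with the last dump, and only warns (keeping the dumped rules) when the config checksum is unchanged but the resolved IPs differ.

```shell
#!/bin/sh
# Added example, not firehol's code: simulation of the two-stage firewall
# bring-up. $STATE/rules.dump is the last known-good rule set (resolved IPs),
# $STATE/active stands in for the kernel's live rules, $STATE/config.cksum
# records which config version produced the dump.

# resolve_host NAME TABLE: print the IP for NAME from a constructed "name ip"
# table (stand-in for DNS); fail when there is no entry, like a resolver error.
resolve_host() {
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }' "$2"
}

# generate_rules CONFIG TABLE OUT: turn "ACTION HOST PORT" config lines into
# sorted "ACTION IP PORT" rules in OUT. Any resolve failure aborts the whole
# set, so a half-resolved rule set is never applied.
generate_rules() {
    : > "$3"
    while read -r action host port; do
        case "$action" in ''|'#'*) continue ;; esac
        ip=$(resolve_host "$host" "$2") || { echo "cannot resolve $host" >&2; return 1; }
        printf '%s %s %s\n' "$action" "$ip" "$port" >> "$3"
    done < "$1"
    sort -o "$3" "$3"
}

# stage1_start STATE: boot-time path. Restore the last dump without touching
# DNS at all. Returns 1 when there is no dump yet (first boot).
stage1_start() {
    [ -f "$1/rules.dump" ] || return 1
    cp "$1/rules.dump" "$1/active"
}

# stage2_recheck CONFIG TABLE STATE: interface-up path. Return codes:
#   0  rules applied (config changed / first run) or confirmed identical
#   2  resolver error: the restored rules are kept
#   3  config unchanged but resolved rules differ from the dump: warn, keep dump
stage2_recheck() {
    cfg=$1; table=$2; st=$3
    new_sum=$(cksum < "$cfg" | cut -d' ' -f1)
    old_sum=$(cat "$st/config.cksum" 2>/dev/null || :)
    if ! generate_rules "$cfg" "$table" "$st/candidate"; then
        echo "WARN: resolver error, keeping previously dumped rules" >&2
        return 2
    fi
    if [ "$new_sum" != "$old_sum" ] || [ ! -f "$st/rules.dump" ]; then
        # The admin edited the config (or this is the first run): new rules
        # are expected, so apply them and refresh the dump.
        cp "$st/candidate" "$st/active"
        cp "$st/candidate" "$st/rules.dump"
        printf '%s\n' "$new_sum" > "$st/config.cksum"
        return 0
    fi
    if ! cmp -s "$st/candidate" "$st/rules.dump"; then
        echo "WARN: config unchanged but resolved rules differ from the dump:" >&2
        diff "$st/rules.dump" "$st/candidate" >&2
        return 3
    fi
    return 0
}

# demo: constructed config and DNS table, then boot / interface-up, followed by
# a later boot where DNS answers differently (spoofed or legitimately changed).
demo() {
    d=$(mktemp -d); mkdir "$d/state"
    printf 'accept mirror.example.test 443\naccept backup.example.test 22\n' > "$d/fw.conf"
    printf 'mirror.example.test 192.0.2.10\nbackup.example.test 198.51.100.7\n' > "$d/dns"
    rc=0; stage1_start "$d/state" || rc=$?;                     echo "first boot, no dump: rc=$rc"
    rc=0; stage2_recheck "$d/fw.conf" "$d/dns" "$d/state" || rc=$?; echo "initial apply: rc=$rc"
    printf 'mirror.example.test 203.0.113.9\nbackup.example.test 198.51.100.7\n' > "$d/dns"
    rc=0; stage1_start "$d/state" || rc=$?;                     echo "restore dump: rc=$rc"
    rc=0; stage2_recheck "$d/fw.conf" "$d/dns" "$d/state" || rc=$?; echo "recheck after DNS change: rc=$rc"
    rm -rf "$d"
}
demo
```

In a real deployment `stage1_start` would be `iptables-restore < rules.dump` and the apply step would be firehol itself followed by `iptables-save > rules.dump`; the checksum-versus-dump comparison is what distinguishes an expected change (admin edited the config) from an unexpected one (same config, different answers from DNS), which is exactly the case the comment wants reported to the admin rather than silently applied.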