diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index b868b21..6c5afaa 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -28,8 +28,6 @@ import (
 
 var ErrUserRateLimitExceeded = errors.New("rate limit exceeded: 10 certificates per user per 24 hours")
 
-var keyCache *lru.Cache[string, tls.Certificate]
-
 // TLSConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
 func TLSConfig(mainDomainSuffix string,
 	giteaClient *gitea.Client,
@@ -40,6 +38,12 @@ func TLSConfig(mainDomainSuffix string,
 	noDNS01 bool,
 	rawDomain string,
 ) *tls.Config {
+
+	keyCache, err := lru.New[string, tls.Certificate](32)
+	if err != nil {
+		panic(err) // This should only happen if 32 < 0 at the time of writing, which should be reason enough to panic.
+	}
+
 	return &tls.Config{
 		// check DNS name & get certificate from Let's Encrypt
 		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -109,14 +113,6 @@ func TLSConfig(mainDomainSuffix string,
 				}
 			}
 
-			if keyCache == nil {
-				var err error
-				keyCache, err = lru.New[string, tls.Certificate](4096)
-				if err != nil {
-					panic(err) // This should only happen if 4096 < 0 at the time of writing, which should be reason enough to panic.
-				}
-			}
-
 			if tlsCertificate, ok := keyCache.Get(domain); ok {
 				// we can use an existing certificate object
 				return &tlsCertificate, nil
diff --git a/server/dns/dns.go b/server/dns/dns.go
index f05f73e..f6ce4bb 100644
--- a/server/dns/dns.go
+++ b/server/dns/dns.go
@@ -5,19 +5,14 @@ import (
 	"strings"
 	"time"
 
-	lru "github.com/hashicorp/golang-lru/v2"
+	"github.com/hashicorp/golang-lru/v2/expirable"
 )
 
-type lookupCacheEntry struct {
-	cachedName string
-	timestamp  time.Time
-}
+const lookupCacheValidity = 30 * time.Second
+const defaultPagesRepo = "pages"
 
-var lookupCacheValidity = 30 * time.Second
-
-var lookupCache *lru.Cache[string, lookupCacheEntry]
-
-var defaultPagesRepo = "pages"
+// TODO(): refactor to not use global variables
+var lookupCache *expirable.LRU[string, string] = expirable.NewLRU[string, string](4096, nil, lookupCacheValidity)
 
 // GetTargetFromDNS searches for CNAME or TXT entries on the request domain ending with MainDomainSuffix.
 // If everything is fine, it returns the target data.
@@ -26,14 +21,8 @@ func GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch string) (targ
 	var cname string
 	var err error
 
-	if lookupCache == nil {
-		lookupCache, err = lru.New[string, lookupCacheEntry](4096)
-		if err != nil {
-			panic(err) // This should only happen if 4096 < 0 at the time of writing, which should be reason enough to panic.
-		}
-	}
-	if entry, ok := lookupCache.Get(domain); ok && time.Now().Before(entry.timestamp.Add(lookupCacheValidity)) {
-		cname = entry.cachedName
+	if entry, ok := lookupCache.Get(domain); ok {
+		cname = entry
 	} else {
 		cname, err = net.LookupCNAME(domain)
 		cname = strings.TrimSuffix(cname, ".")
@@ -51,10 +40,7 @@ func GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch string) (targ
 				}
 			}
 		}
-		_ = lookupCache.Add(domain, lookupCacheEntry{
-			cname,
-			time.Now(),
-		})
+		_ = lookupCache.Add(domain, cname)
 	}
 	if cname == "" {
 		return