
config: add `dnslink-gateway-domains`

Open lidel opened this issue 9 months ago • 0 comments

Extracted from an internal Slack thread

Right now (2025Q1, rainbow v1.12), Rainbow will resolve every DNSLink domain passed via the Host header, which is not the best configuration for public HTTP servers.

We only have config options for path, subdomain, and trustless-only: https://github.com/ipfs/rainbow/blob/1bf59f710821432bbb28c5ffe98d4028087e5c7e/main.go#L120-L137

There is none for the DNSLink gateway (based on the Host HTTP header); instead we just handle every domain.

Proposed improvement

Add a new config `dnslink-gateway-domains`, which takes a list of FQDN domains, similar to `subdomain-gateway-domains`.

When set:

  • it would act as a safelist, ensuring only safelisted domains are allowed to be resolved when present in the Host header
  • refuse to resolve DNSLink for domains passed in the Host header UNLESS the domain ends with one of the names safelisted via `dnslink-gateway-domains`

Prior art from Kubo

Kubo has a global flag, `Gateway.NoDNSLink`, which you can set to `true`; then you can add your domain name to `Gateway.PublicGateways` and set `Gateway.PublicGateways: NoDNSLink` (for that specific domain name) to `false`, allowing DNSLink only on that hostname. See the "Hardened dnslink gateway" recipe at https://github.com/ipfs/kubo/blob/master/docs/config.md#gateway-recipes

lidel Apr 04 '25 15:04
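The safelist check the proposal describes, written out as an added Go example; this is not Rainbow's code, and `normalizeHost`, `dnslinkAllowed` and `dnslinkGate` are hypothetical names. It assumes an empty safelist keeps today's resolve-everything behaviour, that a refused host gets a 403 (the issue does not specify a status), and it matches on a label boundary (exact name or subdomain) rather than a raw string suffix, which is a stricter reading of "ends with" chosen so that a safelist entry of `example.org` does not also admit `evil-example.org`. The sample Host values in `main` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// normalizeHost reduces a Host header value to a bare, lowercase FQDN:
// the port is dropped, a trailing dot is removed and case is folded, so
// "DOCS.Example.COM.:8080" and "docs.example.com" compare equal.
func normalizeHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.TrimSuffix(host, ".")
	return strings.ToLower(host)
}

// dnslinkAllowed reports whether DNSLink resolution is permitted for host.
// An empty safelist means the option is unset and every domain is resolved
// (current behaviour). Otherwise host must equal a safelisted name or be a
// subdomain of one; the comparison is made on a label boundary (".entry"),
// which is what keeps lookalikes such as "evil-example.org" out.
func dnslinkAllowed(host string, safelist []string) bool {
	if len(safelist) == 0 {
		return true
	}
	h := normalizeHost(host)
	if h == "" {
		return false
	}
	for _, entry := range safelist {
		e := normalizeHost(entry)
		if e == "" {
			continue
		}
		if h == e || strings.HasSuffix(h, "."+e) {
			return true
		}
	}
	return false
}

// dnslinkGate wraps a handler and refuses DNSLink resolution for Host
// values outside the safelist. Returning 403 is this example's choice.
func dnslinkGate(safelist []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !dnslinkAllowed(r.Host, safelist) {
			http.Error(w, "DNSLink gateway is not enabled for this host", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	safelist := []string{"docs.example.com", "example.org"}
	// Constructed sample Host values, including a lookalike that a naive
	// strings.HasSuffix(host, entry) check would wrongly accept.
	for _, h := range []string{
		"docs.example.com",
		"DOCS.EXAMPLE.COM.:8080",
		"wiki.example.org",
		"evil-example.org",
		"attacker.example",
	} {
		fmt.Printf("%-25s allowed=%v\n", h, dnslinkAllowed(h, safelist))
	}
}
```

Normalising the Host value before comparison matters in practice: clients legitimately send a port and mixed case, and a trailing dot is a valid FQDN spelling, so a check that compares the raw header would either reject real traffic or, if written as a plain suffix test, admit names the operator never listed.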