Extracted from internal slack thread

Right now (2025Q1, rainbow v1.12), Rainbow will resolve every DNSLink domain passed via Host header, which is not the best configuration for public HTTP servers.

We only have config options for path, subdomain, and trustless-only:

There is none for DNSLink gateway (based on the Host HTTP header), and instead we just handle every domain.

Proposed improvement

Add a new config dnslink-gateway-domains, which takes a list of FQDN domains, similar to subdomain-gateway-domains.

When set:

• it would act as safelist, ensuring only safelisted domains are allowed to be resolved when present in Host header
• refuse to resolve DNSLink for domains passed in Host header UNLESS the domain ends with one of names safelisted via dnslink-gateway-domains

Prior art from Kubo

Kubo has global flag at Gateway.NoDNSLink which you can set to true, and then you can add your domain name to Gateway.PublicGateways and set Gateway.PublicGateways: NoDNSLink (for specific domain name) to false, allowing dnslink only on that hostname. See "Hardened dnslink gateway" recipe at https://github.com/ipfs/kubo/blob/master/docs/config.md#gateway-recipes