config: add dnslink-gateway-domains #258
lidel opened this issue Apr 4, 2025 · 0 comments
Labels:
  • dif/medium: Prior experience is likely helpful
  • effort/days: Estimated to take multiple days, but less than a week
  • help wanted: Seeking public contribution on this issue
  • P2: Medium: Good to have, but can wait until someone steps up

Comments

@lidel (Member) commented Apr 4, 2025

Extracted from an internal Slack thread.

Right now (2025Q1, rainbow v1.12), Rainbow will resolve every DNSLink domain passed via Host header, which is not the best configuration for public HTTP servers.

We only have config options for path, subdomain, and trustless-only:

rainbow/main.go

Lines 120 to 137 in 1bf59f7

    &cli.StringSliceFlag{
        Name:    "gateway-domains",
        Value:   cli.NewStringSlice(),
        EnvVars: []string{"RAINBOW_GATEWAY_DOMAINS"},
        Usage:   "Domains with flat path gateway, no Origin isolation (comma-separated)",
    },
    &cli.StringSliceFlag{
        Name:    "subdomain-gateway-domains",
        Value:   cli.NewStringSlice(),
        EnvVars: []string{"RAINBOW_SUBDOMAIN_GATEWAY_DOMAINS"},
        Usage:   "Domains with subdomain-based Origin isolation (comma-separated)",
    },
    &cli.StringSliceFlag{
        Name:    "trustless-gateway-domains",
        Value:   cli.NewStringSlice(),
        EnvVars: []string{"RAINBOW_TRUSTLESS_GATEWAY_DOMAINS"},
        Usage:   "Domains limited to trustless, verifiable response types (comma-separated)",
    },

There is none for the DNSLink gateway (based on the Host HTTP header); instead we just handle every domain.

Proposed improvement

Add a new config option, dnslink-gateway-domains, which takes a list of FQDN domains, similar to subdomain-gateway-domains.

When set:

  • it would act as a safelist, ensuring only safelisted domains are allowed to be resolved when present in the Host header
  • refuse to resolve DNSLink for domains passed in the Host header UNLESS the domain ends with one of the names safelisted via dnslink-gateway-domains

Prior art from Kubo

Kubo has a global flag at Gateway.NoDNSLink which you can set to true, and then you can add your domain name to Gateway.PublicGateways and set Gateway.PublicGateways: NoDNSLink (for a specific domain name) to false, allowing DNSLink only on that hostname. See the "Hardened dnslink gateway" recipe at https://github.com/ipfs/kubo/blob/master/docs/config.md#gateway-recipes
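The safelist behaviour proposed above, as an added stand-alone example (not rainbow's code or part of the issue): the helper names, the "empty list keeps current behaviour" rule and the sample domains are assumptions. It matches on whole DNS labels rather than a bare string suffix, so a Host of `notdnslink.example.net` does not pass for a safelisted `dnslink.example.net`, and it normalises port, trailing dot and case before comparing.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// dnslinkAllowed is a hypothetical helper (not rainbow's code) implementing
// the proposed safelist: an empty safelist keeps today's behaviour (resolve
// every Host), otherwise the Host must equal a safelisted name or be a
// subdomain of one. Matching is on whole DNS labels, so "notexample.net"
// is NOT treated as "ending with" example.net the way a bare string-suffix
// check would.
func dnslinkAllowed(hostHeader string, safelist []string) bool {
	host := normalizeHost(hostHeader)
	if host == "" {
		return false // nothing to resolve
	}
	if len(safelist) == 0 {
		return true // flag not set: unchanged behaviour
	}
	for _, allowed := range safelist {
		allowed = normalizeHost(allowed)
		if allowed != "" && (host == allowed || strings.HasSuffix(host, "."+allowed)) {
			return true
		}
	}
	return false
}

// normalizeHost drops an optional :port, a trailing dot and letter case so
// that "Example.NET.:8080" and "example.net" compare equal.
func normalizeHost(h string) string {
	h = strings.TrimSpace(h)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

func main() {
	// Constructed sample configuration and Host header values (not real deployments).
	safelist := []string{"dnslink.example.net", "docs.example.org"}
	for _, h := range []string{"dnslink.example.net", "www.dnslink.example.net:443",
		"notdnslink.example.net", "other.example.com"} {
		fmt.Printf("%-30s allowed=%v\n", h, dnslinkAllowed(h, safelist))
	}
}
```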

@lidel added the dif/medium, effort/days, help wanted and P2 labels on Apr 4, 2025