using domain names in the allow list
jpvlerbe opened this issue · 1 comment
Thanks for the awesome proxy service.
The documentation of the allow list only mentions IP addresses. Would it work as well with domain names?
In CNTLM it works, but at boot the domain names get translated to IP addresses. So in some sense the difficulty of using IP addresses remains. In a DHCP environment the IP addresses of the devices will change but their domain names will not. So in that case a reboot of cntlm would be required to renew the IP addresses for the list of domains.
So I was wondering what px allows and what would be needed to support this.
Px also simply checks IP addresses, and --allow can specify subnets if that helps.
We could resolve hostnames at startup but again it won't adapt to IP changes at runtime. We would need to flush and resolve again after some X seconds. We could piggyback on --proxyreload.
Alternatively, on every connection to Px, if the IP is not in the allow list, we would have to do a reverse lookup to see if it matches any domains. If DNS is cached locally, it should be fast after the first resolution and get refreshed as per TTL.
I somewhat prefer the first option since we don't add a runtime cost, but really speaking, no one is going to add 100 domain names and will likely prefer subnets anyway. For a couple of domains (which could have multiple associated IPs each), the cost of lookup would only be once per IP per timeout.
Open to feedback.
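A sketch of the first option discussed above, as an added example that is not Px's own code: an allow list that accepts IP literals, subnets and hostnames, forward-resolves the hostnames, and re-resolves them once the cached addresses are older than a timeout, so a renumbered DHCP client is picked up without restarting the proxy. Forward resolution is used rather than a PTR lookup on the connecting IP, because the reverse zone for a client address is controlled by whoever owns that address space, not by the proxy operator. The class and function names (`AllowList`, `system_resolver`, `demo`), the `ttl` parameter, and the pluggable `resolver`/`clock` arguments are assumptions made here; the resolver and clock are injectable only so that the constructed scenario in `demo()` runs offline with fake DNS data.

```python
"""Allow list with IP literals, subnets and hostnames (example, not Px code).

Hostnames are forward-resolved (A/AAAA) and the resulting addresses are
cached for `ttl` seconds; the next check after the cache goes stale
triggers exactly one re-resolution, so the lookup cost is bounded to
once per timeout regardless of how many clients connect.
"""
import ipaddress
import socket
import time
from typing import Callable, Iterable, List


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname to all of its IPv4/IPv6 addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


class AllowList:
    def __init__(self, entries: Iterable[str], ttl: float = 300.0,
                 resolver: Callable[[str], List[str]] = system_resolver,
                 clock: Callable[[], float] = time.monotonic):
        self.networks = []      # static entries: IP literals become /32 or /128
        self.hostnames = []     # dynamic entries: resolved on demand
        self.ttl = ttl
        self.resolver = resolver          # injectable so tests need no real DNS
        self.clock = clock                # injectable so tests need no real time
        self._resolved = set()
        self._expires_at = float("-inf")  # force a resolution on first use
        for entry in entries:
            entry = entry.strip()
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.hostnames.append(entry)

    def refresh(self) -> int:
        """Re-resolve every hostname; returns the number of addresses now cached.

        A name that fails to resolve contributes nothing this round: stale
        addresses are dropped rather than kept, so a client does not remain
        allowed on the strength of an address it no longer holds (fail closed).
        """
        addrs = set()
        for name in self.hostnames:
            for a in self.resolver(name):
                try:
                    addrs.add(ipaddress.ip_address(a))
                except ValueError:
                    continue  # ignore anything that is not an address
        self._resolved = addrs
        self._expires_at = self.clock() + self.ttl
        return len(addrs)

    def is_allowed(self, client_ip: str) -> bool:
        """Decide whether a connecting client address is permitted."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # never allow something that is not an IP address
        if any(ip in net for net in self.networks):
            return True   # static entries never need DNS
        if self.clock() >= self._expires_at:
            self.refresh()  # at most once per ttl, whichever client triggers it
        return ip in self._resolved


def demo() -> dict:
    """Constructed scenario (fake DNS, fake clock): a DHCP client that renumbers."""
    table = {"laptop.lan": ["192.168.1.23"]}   # constructed, not real DNS data
    now = [1000.0]
    al = AllowList(["10.0.0.0/8", "192.168.2.5", "laptop.lan"], ttl=60,
                   resolver=lambda name: list(table.get(name, [])),
                   clock=lambda: now[0])
    out = {}
    out["subnet"] = al.is_allowed("10.1.2.3")
    out["literal"] = al.is_allowed("192.168.2.5")
    out["host_before"] = al.is_allowed("192.168.1.23")
    table["laptop.lan"] = ["192.168.1.77"]          # DHCP hands out a new lease
    out["old_ip_within_ttl"] = al.is_allowed("192.168.1.23")  # still cached
    out["new_ip_within_ttl"] = al.is_allowed("192.168.1.77")  # not yet re-resolved
    now[0] += 61                                    # cache is now stale
    out["new_ip_after_ttl"] = al.is_allowed("192.168.1.77")   # re-resolved
    out["old_ip_after_ttl"] = al.is_allowed("192.168.1.23")   # dropped
    out["garbage"] = al.is_allowed("not-an-ip")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Within the timeout the old address stays allowed and the new one is rejected, which is the trade-off the comment above describes: a shorter `ttl` narrows that window at the cost of more frequent lookups. Hooking `refresh()` to a reload signal such as the one behind --proxyreload would let an operator force the re-resolution early.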