DNS lookup for domain names in API IP whitelist

CatX

I noticed there's a feature that lets us limit API requests to specific whitelisted IPs.

It would be nice if this also supported domain names. This could work by doing DNS lookups on the domain names to resolve them into IP addresses. The resulting IP addresses would then get added to the whitelist.

This feature would be useful for those of us with non-static IPs, for example if we're making API requests from at home and our ISP does not offer static IP addresses. Currently the only options are to either manually change the whitelist each time the IP changes, or to simply not use the IP whitelist.

Thanks for reading this! 🙂

z64

CatX Just curious, do you know of any other platforms that offer this? The closest thing is that I know some platforms support adding domains for CORS protection, but that is for the use-case of scripts running in the browser, not general network protection.

CatX

z64
I'm not aware of any platform that does this, no. However, I don't think it's an unreasonable thing to add as it's not uncommon for hobbyists to selfhost. It shouldn't require much code to add either.

z64

CatX I think the concern that comes to mind is DNS takeover. But this area of security is not my fortee - so I would be looking to understand what other services offer in the way of security that users would find practical for us to add. We added the IP whitelist since we could do it for free, basically.

We should consider it in context with other options. For example, some means of signed request verification is another way, or having some kind of automated leasing of shorter lived tokens... etc...

I imagine it depends too on what kinds of things users build with our APIs; some might justify some security mechanisms over others...

CatX

I think for a hobbyist type application, the likelihood of a DNS takeover just to abuse someone's Kagi account is slim to none. For anything demanding higher security, dynamic IPs would realistically not be a concern, they'd be renting a server space somewhere and thus have a static IP. This argument does bring up another point worth considering; for a hobbyist-type usecase, is it overkill to limit by IP? Do we need that level of security?

My concern here is the potential of someone using up tokens and automatically charging my account, and me having to pay for that. Perhaps like you said there are better ways of preventing this?