Domain names that resolve to local addresses aren't blocked

[z87]

The local segment protection is bypassed by using a hostname that resolves to e.g. 127.0.0.1.

For testing purposes, a selection of such domains is available at https://gist.github.com/tinogomes/c425aa2a56d289f16a1f4fcb8a65ea65 but a real attacker would probably use their own, fresh domain to bypass blocklists.

[ACK-J]

Very clever, thank you for reporting it. I'll write a patch that checks the IP after resolving DNS

If desired, please provide a Monero address for a bounty