feat(gateway)!: remove hardcoded defaultResolvers for .eth and .crypto

remove implicit DNS-over-HTTPS resolvers that were difficult to
discover, override, or disable, improving user agency and configuration
transparency

- remove defaultResolvers map from gateway.NewDNSResolver
- NewDNSResolver(nil) now uses system DNS only (no implicit DoH)
- add autoconf.Client.ExpandDNSResolvers() convenience method for
  applications needing network-specific DNS resolver expansion
- update test to use .foo instead of .eth TLD

users needing DoH for non-ICANN TLDs should either pass explicit
resolvers or use autoconf.ExpandDNSResolvers() to merge network
defaults with custom resolvers

Closes #771
Closes #772

Author: lidel

CHANGELOG.md

@@ -25,6 +25,7 @@ The following emojis are used to highlight certain changes:
   - Added `Config.DiagnosticServiceURL` to configure a CID retrievability diagnostic service. When set, 504 Gateway Timeout errors show a "Check CID retrievability" button linking to the service with `?cid=<failed-cid>` [#1023](https://github.com/ipfs/boxo/pull/1023)
   - Improved 504 error pages with "Retry" button, diagnostic service integration, and clear indication when timeout occurs on sub-resource vs root CID [#1023](https://github.com/ipfs/boxo/pull/1023)
 - `gateway`: Added `Config.MaxRangeRequestFileSize` to protect against CDN issues with large file range requests. When set to a non-zero value, range requests for files larger than this limit return HTTP 501 Not Implemented with a suggestion to use verifiable block requests (`application/vnd.ipld.raw`) instead. This provides protection against Cloudflare's issue where range requests for files over 5GiB are silently ignored, causing excess bandwidth consumption and billing
+- `autoconf`: Added `Client.ExpandDNSResolvers()` convenience method for expanding DNS resolver maps with autoconf data ([#771](https://github.com/ipfs/boxo/issues/771), [#772](https://github.com/ipfs/boxo/issues/772))
 
 ### Changed
 
@@ -45,6 +46,14 @@ The following emojis are used to highlight certain changes:
 
 ### Removed
 
+- `gateway`: 🛠 Removed hardcoded `defaultResolvers` for `.eth` and `.crypto` TLDs from `gateway.NewDNSResolver` ([#771](https://github.com/ipfs/boxo/issues/771), [#772](https://github.com/ipfs/boxo/issues/772))
+  - This change removes implicit defaults that were difficult to discover, override, or disable, improving user agency and configuration transparency
+  - `NewDNSResolver(nil)` now uses system DNS only (no implicit DoH resolvers)
+  - Users needing DNS-over-HTTPS for non-ICANN TLDs should either:
+    - Pass explicit resolvers: `NewDNSResolver(map[string]string{"eth.": "https://dns.eth.limo/dns-query"})`
+    - Use `autoconf.ExpandDNSResolvers()` to merge network defaults with custom resolvers
+    - Use `autoconf.Client.ExpandDNSResolvers()` for convenience in long-running applications
+
 ### Fixed
 
 - `routing/http/client`:

autoconf/fetch.go

@@ -603,3 +603,32 @@ func calculateEffectiveRefreshInterval(userInterval time.Duration, cacheTTLSecon
 	serverTTL := time.Duration(cacheTTLSeconds) * time.Second
 	return min(serverTTL, userInterval)
 }
+
+// ExpandDNSResolvers expands DNS resolvers with "auto" placeholders using cached autoconf data.
+// This is a convenience method for applications that need to construct DNS resolvers.
+//
+// The customResolvers parameter is a map of domain patterns to DNS resolver URLs,
+// where values can be "auto" to use autoconf-provided resolvers. If nil or empty,
+// only autoconf resolvers will be returned.
+//
+// Returns a map ready to be passed to gateway.NewDNSResolver().
+//
+// Example:
+//
+//	client, _ := autoconf.NewClient()
+//
+//	// Apply all autoconf DNS resolvers
+//	resolvers := client.ExpandDNSResolvers(map[string]string{
+//	    ".": "auto",
+//	})
+//
+//	// Mix autoconf with custom resolvers
+//	resolvers = client.ExpandDNSResolvers(map[string]string{
+//	    "eth.": "auto",
+//	    "example.": "https://dns.example.com/dns-query",
+//	})
+//
+//	dnsResolver, _ := gateway.NewDNSResolver(resolvers)
+func (c *Client) ExpandDNSResolvers(customResolvers map[string]string) map[string]string {
+	return ExpandDNSResolvers(customResolvers, c.GetCached())
+}

gateway/dns.go

@@ -9,11 +9,6 @@ import (
 	madns "github.com/multiformats/go-multiaddr-dns"
 )
 
-var defaultResolvers = map[string]string{
-	"eth.":    "https://dns.eth.limo/dns-query",
-	"crypto.": "https://resolver.unstoppable.io/dns-query",
-}
-
 func newResolver(url string, opts ...doh.Option) (madns.BasicResolver, error) {
 	if !strings.HasPrefix(url, "https://") && !strings.HasPrefix(url, "http://") {
 		return nil, fmt.Errorf("invalid DoH resolver URL: %s", url)
@@ -22,13 +17,18 @@ func newResolver(url string, opts ...doh.Option) (madns.BasicResolver, error) {
 	return doh.NewResolver(url, opts...)
 }
 
-// NewDNSResolver creates a new DNS resolver based on the default resolvers and
-// the provided resolvers.
+// NewDNSResolver creates a new DNS resolver based on the provided resolvers.
 //
 // The argument 'resolvers' is a map of [FQDNs] to URLs for custom DNS resolution.
 // URLs starting with "https://" indicate [DoH] endpoints. Support for other resolver
 // types may be added in the future.
 //
+// If 'resolvers' is nil or empty, the default system DNS resolver will be used.
+//
+// To use network-specific DNS resolvers (e.g., for .eth or other non-ICANN TLDs),
+// use [boxo/autoconf.ExpandDNSResolvers] to merge autoconf-provided resolvers with
+// custom resolvers before calling this function.
+//
 // Example:
 //   - Custom resolver for ENS:          "eth." → "https://eth.link/dns-query"
 //   - Override the default OS resolver: "."    → "https://doh.applied-privacy.net/query"
@@ -39,17 +39,15 @@ func NewDNSResolver(resolvers map[string]string, dohOpts ...doh.Option) (*madns.
 	var opts []madns.Option
 	var err error
 
-	domains := make(map[string]struct{})           // to track overridden default resolvers
 	rslvrs := make(map[string]madns.BasicResolver) // to reuse resolvers for the same URL
 
 	for domain, url := range resolvers {
 		if domain != "." && !dns.IsFqdn(domain) {
 			return nil, fmt.Errorf("invalid domain %s; must be FQDN", domain)
 		}
 
-		domains[domain] = struct{}{}
 		if url == "" {
-			// allow overriding of implicit defaults with the default resolver
+			// allow clearing resolver for a domain
 			continue
 		}
 
@@ -69,24 +67,5 @@ func NewDNSResolver(resolvers map[string]string, dohOpts ...doh.Option) (*madns.
 		}
 	}
 
-	// fill in defaults if not overridden by the user
-	for domain, url := range defaultResolvers {
-		_, ok := domains[domain]
-		if ok {
-			continue
-		}
-
-		rslv, ok := rslvrs[url]
-		if !ok {
-			rslv, err = newResolver(url)
-			if err != nil {
-				return nil, fmt.Errorf("bad resolver for %s: %w", domain, err)
-			}
-			rslvrs[url] = rslv
-		}
-
-		opts = append(opts, madns.WithDomainResolver(domain, rslv))
-	}
-
 	return madns.NewResolver(opts...)
 }

gateway/dns_test.go

@@ -41,7 +41,7 @@ func TestAddNewDNSResolver(t *testing.T) {
 	require.Equal(t, dnslinkValue, res[0])
 }
 
-func TestOverrideDNSDefaults(t *testing.T) {
+func TestCustomDNSResolver(t *testing.T) {
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -50,7 +50,7 @@ func TestOverrideDNSDefaults(t *testing.T) {
 	require.NoError(t, err)
 	defer l.Close()
 
-	dnslinkName := "dnslink-test.eth"
+	dnslinkName := "dnslink-test.foo"
 	dnslinkValue := "dnslink=/ipfs/bafkqaaa"
 
 	go func() {
@@ -59,7 +59,7 @@ func TestOverrideDNSDefaults(t *testing.T) {
 
 	listenAddr := l.Addr().(*net.TCPAddr)
 	r, err := NewDNSResolver(map[string]string{
-		"eth.": fmt.Sprintf("http://%s:%d", listenAddr.IP, listenAddr.Port),
+		"foo.": fmt.Sprintf("http://%s:%d", listenAddr.IP, listenAddr.Port),
 	})
 	require.NoError(t, err)