Open richvdh opened 5 years ago
I don't think this is an issue. If I want to have my own matrix server on my corporate LAN, then I would probably like it not to be internet reachable; my contoso.com would point to a LAN IP, which is a legitimate use.
What you fear is the case of an adversary who knows a GET URL inside a network that could pose problems if called wrongly. I'd say this is out of scope for synapse to handle, as synapse is not responsible for the security of another's page. Furthermore, the result of the GET stays in the hands of the server, not the attacker.
The blacklist in case of a bad domain abuser seems way more than enough
Further to #3953: It's possible to get synapse to make arbitrary GET requests on the local network by returning a 302 from the .well-known/matrix/server endpoint. It's not obvious if this can be abused, but it seems like a loophole that should be closed in the interests of security.
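The loophole is that a blocklist applied only to the first URL says nothing about where a redirect sends the request. Below is an added example (not Synapse's code) of a redirect-aware fetcher that resolves and checks every hop, including the Location target, before connecting; the blocklist, the hostnames and the fetch/resolver stand-ins are constructed for the example.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit
# Constructed blocklist of non-routable ranges (an assumption for this example,
# not taken from Synapse's configuration).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

class BlockedDestination(Exception): pass

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)

def check_host(host, resolver):
    # Resolve before connecting, so a public name that points at a LAN
    # address is refused just like a literal LAN address.
    for a in resolver(host):
        if is_blocked(a):
            raise BlockedDestination(f"{host} resolves to blocked address {a}")

def fetch_checked(url, fetch, resolver, max_redirects=5):
    # Follow redirects by hand so every hop, not just the first URL,
    # passes through check_host(). fetch(url) -> (status, headers, body).
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise BlockedDestination(f"refusing to fetch {url}")
        check_host(parts.hostname, resolver)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # handles relative Location
            continue
        return status, body
    raise BlockedDestination("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (hypothetical hosts).
FAKE_DNS = {"good.example": ["203.0.113.20"], "contoso.example": ["203.0.113.10"],
            "intranet.example": ["10.0.0.5"]}
FAKE_WEB = {
    "https://good.example/.well-known/matrix/server":
        (200, {}, b'{"m.server": "good.example:8448"}'),
    "https://contoso.example/.well-known/matrix/server":
        (302, {"Location": "http://intranet.example:8080/admin/"}, b""),
    "http://intranet.example:8080/admin/": (200, {}, b"internal-only"),
}
def lookup_well_known(server_name):
    return fetch_checked(f"https://{server_name}/.well-known/matrix/server",
                         FAKE_WEB.__getitem__, FAKE_DNS.__getitem__)
```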