There are a few things to think about yes, I actually post in the fleet guide parts of it that it should be considered before posting. the dns rebind issue but that should be controlled by host header validation, CSRF, same-site cookies etc. Internal topology disclosure — real. but we dont post it. You can do the same in Cloudflare for example.

Basically any DNS provider allows this (plus anybody can buy a domain and run their own DNS server).

The defense against this has to happen either on the resource you want to protect or in the browser.