Allow apex only, not subdomains

Presently adding to the allowlist allows any `*.input`.

It would be good to allow resolving only the apex or specified input, and not subdomains.

Example use case:

• Allow sentry.io for pricing, docs, etc.
• Allow employer.sentry.io for viewing issues with a site you work on
• Block everything else *.sentry.io

To remain backwards-compatible and disambiguate the input, a FQDN (`sentry.io.`), which is presently not parsed as a valid input, could be taken to mean the exact input, no wildcard.