privileges abuse with page-diagnostics-dns
my user has
page-diagnostics-dns privilege which provides DNS lookups
but also allowed the user to create an alias
"Created from Diagnostics-> DNS Lookup".
But now the user cannot see this alias nor has any way to remove it
(because needs page-firewall-aliases privilege).
I'd suggest that capability to do DNS lookups diagnostics shouldn't
also allow addition of aliases.