Home / server / Questions / 120769
Accepted
matthew
Asked: 2010-03-10 07:29:02 +0800 CST

localhost in a DNS zone

  • 772

Our ISP also hosts our external DNS. By default they include an entry for localhost.

For example: localhost.example.com. 86400 IN A 127.0.0.1

When I've asked them to remove it they give me a hard time and say that it's just the way Bind works.

I've tried to do some research on why I might want to have that included but I couldn't find much. I did find at least one place that thought it be a possible XSS attack vector. It does appear to be fairly common so I did lookups on the top 20 website domains from alexa and most don't have such an entry but a couple do. A few others have an entry but instead of pointing to 127.0.0.1 they point to another a world route-able IP address.

So anyway, why would I want to have locahost in the zone for my domain? Are their any issues with not having it? Is there any kind of best practice concerning this? Is it indeed a default Bind thing that I'm not aware of?

Thanks

domain-name-system localhost

3 Answers

  1. Best Answer

    localhost.example.com is sometimes included on internal DNS servers to prevent "localhost" requests leaking out to the internet (for the case where John Smith types http://localhost/ in his browser & for whatever reason his resolver doesn't look in the hosts file, appends his search path (example.com) & starts asking name servers what that resolves to).

    You don't have to have a localhost entry (and if your ISP thinks that's "the way BIND works" they're either misguided or idiots: BIND serves what's in the zone file, and if they remove the localhost line it will stop serving that record). As a free example, localhost.google.com doesn't resolve, and I bet the NS for that domain is running BIND.

    The XSS vector is something I'd never thought of, but it is something of concern: having a localhost entry in your public DNS means any hacked machine could be "in your domain" (by running a webserver on 127.0.0.1) and potentially do all sorts of nasty things. Probably a good enough reason to get rid of the entry.

    • 15

  2. Assuming that your internal name resolution is handling name resolution properly, any DNS request for localhost should never go to your external DNS provider, and so this shouldn't be a problem at all.

    One reason why someone would do this, that I can think of off the top of my head, is if someone once used a web authoring tool that screwed up with a load of absolute references to http://localhost, but that assumes that your ISP was also hosting on their DNS boxes and is a long shot.

    However, RFC 1537 does specify:

    There has been extensive discussion about whether or not to append the local domain to it. The conclusion was that "localhost." would be the best solution; reasons given were:

    • "localhost" itself is used and expected to work on some systems.

    • translating 127.0.0.1 into "localhost.my_domain" can cause some software to connect to itself using the loopback interface when it didn't want to.

    Note that all domains that contain hosts should have a "localhost" A record in them.

    So strictly speaking it appears as though your ISP is correct to include localhost, but incorrect to use the fully-qualified name.

    • 4

  3. I'm not sure what the point would be...By default, the external address would be over-ridden by the hosts file, which nearly always maps localhost to 127.0.0.1.

    A default BIND zone file does include a localhost zone, though. Never really thought about it.

    • 0