After 18 years of hosts files on Windows, I was surprised to see this in Windows 7 build 7100:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
Does anyone know why this change was introduced? I'm sure there has to be some kind of reasoning.
And, perhaps more relevantly, are there any other important DNS-related changes in Windows 7? It scares me a little bit to think that something as fundamental as localhost name resolution has changed... makes me think there are other subtle but important changes to the DNS stack in Win7.
I checked with a developer on the Windows team, and the actual answer is much more innocuous than the other answers to this post :)
At some point in the future, as the world transitions from IPv4 to IPv6, IPv4 will eventually be disabled/uninstalled by companies that want to simplify network management in their environments.
With Windows Vista, when IPv4 was uninstalled and IPv6 was enabled, a DNS query for an A (IPv4) address resulted in the IPv4 loopback (which came from the hosts file). This of course caused problems when IPv4 was not installed. The fix was to move the always-present IPv4 and IPv6 loopback entries from the hosts file into the DNS resolver, where they could be independently disabled.
-Sean
Windows 7 introduces (optional) support for DNSSEC validation. The controls can be found under "Name Resolution Policy" in the "Local Group Policy" plugin (c:\windows\system32\gpedit.msc). Unfortunately, it doesn't (AFAIK) support RFC 5155 NSEC3 records, which many large zone operators (including .com) will be using when they go live with DNSSEC over the next couple of years.

Given that more and more applications on Windows are using IP to talk back to themselves, likely including a number of Windows services, I could see someone changing localhost to point somewhere else as being an interesting attack vector. My guess is it was changed as part of Microsoft's SDL.
I can see this also being an attempt to shore up their security. By "fixing" localhost to always point to the loopback, they can avoid DNS poisoning attacks, which are starting to show up in the wild.
I do agree though, it is a bit disturbing on some levels...
I would be curious to know if one can redefine localhost in DNS itself though. The use of clear text files to manage these settings could have never been considered to be a security best practice. It seems to me that Microsoft's new security measures go beyond preventing root access and delves more deeply into nuanced vulnerabilities. I am not sure how much one can stay a step ahead of motivated black hats, regardless.
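As an added example (not code from any answer on this page), here is a small Python audit for the concern raised in the answers above: it parses a hosts file, skips the commented-out loopback lines that Windows 7 ships, flags any line that maps localhost to a non-loopback address, and separately checks what the live system resolver returns for localhost so a hijack that lives in DNS rather than in the hosts file is also caught. The sample hosts text is constructed for this example, and the function names are my own.

```python
import ipaddress
import socket

# Constructed sample (not a real captured file): a Windows 7 style hosts file
# whose loopback lines are commented out, plus one hostile line that sends
# "localhost" traffic off-box.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.0.2.44    localhost    # hostile: localhost now resolves off-box
10.0.0.5      intranet.example   intranet
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Comment-only lines (including the commented-out loopback entries that
    Windows 7 ships) are skipped, inline comments are stripped, and every
    name on a line maps to that line's address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; ignore the line
        for name in fields[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def hijacked_localhost(entries):
    """Hosts-file entries that map localhost to a non-loopback address."""
    return [(ip, name) for ip, name in entries
            if name == "localhost"
            and not ipaddress.ip_address(ip).is_loopback]


def check_resolved(addresses):
    """Given the addresses a resolver returned for 'localhost', return the
    ones that are not loopback (an empty list means the resolver is sane)."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_loopback]


def resolve_localhost():
    """Ask the system resolver (hosts file and/or DNS, in whatever order the
    OS uses) what 'localhost' maps to; returns deduplicated addresses."""
    seen = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for *_, sockaddr in socket.getaddrinfo("localhost", None, family):
                if sockaddr[0] not in seen:
                    seen.append(sockaddr[0])
        except socket.gaierror:
            pass  # address family not available on this host
    return seen


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("hosts-file entries:", entries)
    print("hijacked localhost lines:", hijacked_localhost(entries))
    live = resolve_localhost()
    print("resolver says localhost ->", live,
          "non-loopback:", check_resolved(live))
```

Running it against the sample flags the 192.0.2.44 line; running `resolve_localhost()` on a real machine shows whether the resolver itself still answers with loopback, which is the check that matters once the hosts entries are gone.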
I think it has something to do with Microsoft implementing RFC 3484 for destination IP address selection. This is an IPv6 feature back-ported to IPv4 and affects Vista/Server 2008 and above. This change breaks round robin DNS, so even if this doesn't answer your question, it's definitely a major DNS change to know about.
More info at the Microsoft Enterprise Networking blog.
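To make the round-robin remark concrete, here is an added Python illustration (not from the answer above or from Microsoft) of RFC 3484 Rule 9, "longest matching prefix": the client ranks the A records it received by how many leading bits each shares with its own source address, so whatever order the DNS server rotates the answers into, the same "closest" address wins. RFC 6724, which obsoleted RFC 3484, limits Rule 9 to IPv6 for this reason. The client and server addresses are constructed for this example.

```python
import ipaddress


def common_prefix_len(a, b):
    """Number of leading bits shared by two addresses of the same family."""
    diff = int(a) ^ int(b)
    return a.max_prefixlen - diff.bit_length()


def rfc3484_rule9_sort(source, destinations):
    """Order destinations by RFC 3484 Rule 9: longest prefix match with the
    source address first. Ties keep their incoming (DNS) order because
    Python's sort is stable, so only ties are still round-robin."""
    src = ipaddress.ip_address(source)
    dests = [ipaddress.ip_address(d) for d in destinations]
    ranked = sorted(dests, key=lambda d: common_prefix_len(src, d),
                    reverse=True)
    return [str(d) for d in ranked]


def first_choice(source, destinations):
    """The address a Rule 9 client connects to first."""
    return rfc3484_rule9_sort(source, destinations)[0]


# Constructed example: a name with three A records served round-robin, and a
# client that happens to sit in the same /24 as one of the servers.
RR_ANSWERS = ["10.0.2.20", "10.0.1.10", "10.0.3.30"]
CLIENT = "10.0.1.77"

if __name__ == "__main__":
    # Rotate the answer order the way a round-robin DNS server would and
    # observe that the client's pick never changes.
    for i in range(len(RR_ANSWERS)):
        rotated = RR_ANSWERS[i:] + RR_ANSWERS[:i]
        print(rotated, "->", first_choice(CLIENT, rotated))
```

With the client at 10.0.1.77, the server 10.0.1.10 shares 25 leading bits with it while the other two share only 22, so it is chosen on every rotation; the load-spreading the DNS operator intended never happens from that client's point of view.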