19

Our ISP also hosts our external DNS. By default they include an entry for localhost.

For example: localhost.example.com. 86400 IN A 127.0.0.1

When I've asked them to remove it they give me a hard time and say that it's just the way Bind works.

I've tried to do some research on why I might want to have that included but I couldn't find much. I did find at least one place that thought it could be a possible XSS attack vector. It does appear to be fairly common, so I did lookups on the top 20 website domains from Alexa and most don't have such an entry, but a couple do. A few others have an entry, but instead of pointing to 127.0.0.1 they point to a world-routable IP address.

So anyway, why would I want to have localhost in the zone for my domain? Are there any issues with not having it? Is there any kind of best practice concerning this? Is it indeed a default Bind thing that I'm not aware of?

Thanks

matthew

3 Answers

15

localhost.example.com is sometimes included on internal DNS servers to prevent "localhost" requests leaking out to the internet (for the case where John Smith types http://localhost/ in his browser & for whatever reason his resolver doesn't look in the hosts file, appends his search path (example.com) & starts asking name servers what that resolves to).

You don't have to have a localhost entry (and if your ISP thinks that's "the way BIND works" they're either misguided or idiots: BIND serves what's in the zone file, and if they remove the localhost line it will stop serving that record). As a free example, localhost.google.com doesn't resolve, and I bet the NS for that domain is running BIND.

The XSS vector is something I'd never thought of, but it is something of concern: having a localhost entry in your public DNS means any hacked machine could be "in your domain" (by running a webserver on 127.0.0.1) and potentially do all sorts of nasty things. Probably a good enough reason to get rid of the entry.

voretaq7
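As an added example (not code from the question or either answer), a small zone-file audit that finds "localhost" A/AAAA records like the one quoted in the question and reports whether each points at loopback or a world-routable address; the sample zone text is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample zone (not the ISP's real data); the first localhost
# record mirrors the entry quoted in the question, the second is routable.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@      86400 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400
@      86400 IN NS  ns1.example.com.
www    3600  IN A   192.0.2.10
localhost.example.com. 86400 IN A 127.0.0.1
localhost 86400 IN A 203.0.113.5   ; points outside the host
"""

# owner [ttl] [IN] (A|AAAA) rdata  -- only address records are of interest
RECORD_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)$")


def parse_address_records(zone_text):
    """Yield (owner_fqdn, rtype, rdata) for A/AAAA records, honouring $ORIGIN."""
    origin = "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # relative name: qualify it
        yield owner.lower(), rtype, rdata


def audit_localhost(zone_text):
    """Return (owner, rtype, rdata, verdict) for every 'localhost.*' record."""
    findings = []
    for owner, rtype, rdata in parse_address_records(zone_text):
        if owner.split(".")[0] != "localhost":
            continue
        try:
            verdict = "loopback" if ipaddress.ip_address(rdata).is_loopback else "routable"
        except ValueError:
            verdict = "unparseable"
        findings.append((owner, rtype, rdata, verdict))
    return findings
```

A "routable" verdict is the case the question noticed on some large sites; a "loopback" verdict is the record the top answer recommends removing from a public zone.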
4

Assuming that your internal name resolution is handling name resolution properly, any DNS request for localhost should never go to your external DNS provider, and so this shouldn't be a problem at all.

One reason why someone would do this, that I can think of off the top of my head, is if someone once used a web authoring tool that screwed up with a load of absolute references to http://localhost, but that assumes that your ISP was also hosting on their DNS boxes and is a long shot.

However, RFC 1537 does specify:

There has been extensive discussion about whether or not to append the local domain to it. The conclusion was that "localhost." would be the best solution; reasons given were:

  • "localhost" itself is used and expected to work on some systems.

  • translating 127.0.0.1 into "localhost.my_domain" can cause some software to connect to itself using the loopback interface when it didn't want to.

Note that all domains that contain hosts should have a "localhost" A record in them.

So strictly speaking it appears as though your ISP is correct to include localhost, but incorrect to use the fully-qualified name.

0

I'm not sure what the point would be...By default, the external address would be overridden by the hosts file, which nearly always maps localhost to 127.0.0.1.

A default BIND zone file does include a localhost zone, though. Never really thought about it.

Satanicpuppy