Saturday, January 19, 2008

 

localhost considered harmful

Tavis Ormandy has posted a potential security exposure with DNS entries for "localhost" in zone files on Bugtraq. While the impact of this exposure seems minimal, I would rather err on the side of caution, and this should be fairly easy to fix.

"localhost" DNS records in a domain should not be confused with the ".localhost" TLD defined in RFC 2606 Reserved Top Level DNS Names, and should be configured on nameservers. I haven't been able to find a requirement in the RFCs to have a "localhost" entry in a domain, nor can I think of a compelling reason for keeping the entry as long as nameservers for a domain are properly configured to handle queries for "localhost.".

RFC 1912 Common DNS Errors explains how to configure the localhost and 0.0.127.in-addr.arpa zones:

The "localhost" address is a "special" address which always refers to
the local host. It should contain the following line:

localhost. IN A 127.0.0.1

The "127.0" file should contain the line:
1 PTR localhost.

and recommends to not define "localhost" with the domain name appended.

Thoughts on removing "localhost" from zones, anyone?

Labels: ,

Comments: Post a Comment

Subscribe to Post Comments [Atom]










Page tools



Archives