localhost considered harmful
Saturday, January 19, 2008
localhost considered harmful
Tavis Ormandy has posted a potential security exposure with DNS entries for "localhost" in zone files on Bugtraq. While the impact of this exposure seems minimal, I would rather err on the side of caution, and this should be fairly easy to fix.
"localhost" DNS records in a domain should not be confused with the ".localhost" TLD defined in RFC 2606 Reserved Top Level DNS Names, and should be configured on nameservers. I haven't been able to find a requirement in the RFCs to have a "localhost" entry in a domain, nor can I think of a compelling reason for keeping the entry as long as nameservers for a domain are properly configured to handle queries for "localhost.".
RFC 1912 Common DNS Errors explains how to configure the localhost and 0.0.127.in-addr.arpa zones:
and recommends to not define "localhost" with the domain name appended.
Thoughts on removing "localhost" from zones, anyone?
"localhost" DNS records in a domain should not be confused with the ".localhost" TLD defined in RFC 2606 Reserved Top Level DNS Names, and should be configured on nameservers. I haven't been able to find a requirement in the RFCs to have a "localhost" entry in a domain, nor can I think of a compelling reason for keeping the entry as long as nameservers for a domain are properly configured to handle queries for "localhost.".
RFC 1912 Common DNS Errors explains how to configure the localhost and 0.0.127.in-addr.arpa zones:
The "localhost" address is a "special" address which always refers to
the local host. It should contain the following line:
localhost. IN A 127.0.0.1
The "127.0" file should contain the line:
1 PTR localhost.
and recommends to not define "localhost" with the domain name appended.
Thoughts on removing "localhost" from zones, anyone?
Labels: security, technology