Our ISP also hosts our external DNS. By default they include an entry for localhost.
For example:
localhost.example.com. 86400 IN A 127.0.0.1
When I've asked them to remove it they give me a hard time and say that it's just the way Bind works.
I've tried to do some research on why I might want to have that included but I couldn't find much. I did find at least one place that thought it be a possible XSS attack vector. It does appear to be fairly common so I did lookups on the top 20 website domains from alexa and most don't have such an entry but a couple do. A few others have an entry but instead of pointing to 127.0.0.1 they point to another a world route-able IP address.
So anyway, why would I want to have locahost in the zone for my domain? Are their any issues with not having it? Is there any kind of best practice concerning this? Is it indeed a default Bind thing that I'm not aware of?
Thanks
Best Answer
localhost.example.comis sometimes included on internal DNS servers to prevent "localhost" requests leaking out to the internet (for the case where John Smith typeshttp://localhost/in his browser & for whatever reason his resolver doesn't look in the hosts file, appends his search path (example.com) & starts asking name servers what that resolves to).You don't have to have a localhost entry (and if your ISP thinks that's "the way BIND works" they're either misguided or idiots: BIND serves what's in the zone file, and if they remove the
localhostline it will stop serving that record). As a free example,localhost.google.comdoesn't resolve, and I bet the NS for that domain is running BIND.The XSS vector is something I'd never thought of, but it is something of concern: having a
localhostentry in your public DNS means any hacked machine could be "in your domain" (by running a webserver on 127.0.0.1) and potentially do all sorts of nasty things. Probably a good enough reason to get rid of the entry.