54

After 18 years of hosts files on Windows, I was surprised to see this in Windows 7 build 7100:

# localhost name resolution is handled within DNS itself.
#   127.0.0.1 localhost
#   ::1 localhost

Does anyone know why this change was introduced? I'm sure there has to be some kind of reasoning.

And, perhaps more relevantly, are there any other important DNS-related changes in Windows 7? It scares me a little bit to think that something as fundamental as localhost name resolution has changed... makes me think there are other subtle but important changes to the DNS stack in Win7.

2
  • Added bounty. The speculation about security is good (and almost certainly correct), but I'm hoping the bounty attracts someone who has studied Win7 DNS changes in detail.
    – Portman
    Commented May 12, 2009 at 2:44
  • Can anyone explain how this is related to this other issue stackoverflow.com/questions/1416128/… and what the true fix is? I guess I'm going to uncomment the ipv4 localhost entry in my host file for now.
    – Tyndall
    Commented Jun 11, 2010 at 13:24

6 Answers

33
+150

I checked with a developer on the Windows team, and the actual answer is much more innocuous than the other answers to this post :)

At some point in the future, as the world transitions from IPv4 to IPv6, IPv4 will eventually be disabled/uninstalled by companies that want to simplify network management in their environments.

With Windows Vista, when IPv4 was uninstalled and IPv6 was enabled, a DNS query for an A (IPv4) address resulted in the IPv4 loopback (which came from the hosts file). This of course caused problems when IPv4 was not installed. The fix was to move the always present IPv4 and IPv6 loopback entries from the hosts file into the DNS resolver, where they could be independently disabled.

-Sean

3
  • 1
    if you've got a direct link to the Windows team, can you please get them to make sure NSEC3 is supported? DNSSEC validation without NSEC3 is going to be useless! I know for a fact that .com will use NSEC3 when it's signed sometime in 2011.
    – Alnitak
    Commented May 18, 2009 at 23:25
  • (in the validating stub resolver, that is).
    – Alnitak
    Commented May 18, 2009 at 23:26
  • 2
    9 1/2 years later and still using IPv4 :)
    – Christian
    Commented Nov 23, 2018 at 15:29
7

Windows 7 introduces (optional) support for DNSSEC validation. The controls can be found under "Name Resolution Policy" in the "Local Group Policy" plugin (c:\windows\system32\gpedit.msc).

Unfortunately, it doesn't (AFAIK) support RFC 5155 NSEC3 records, which many large zone operators (including .com) will be using when they go live with DNSSEC over the next couple of years.

1
5

Given that more and more applications on Windows are using IP to talk back to themselves, likely including a number of Windows services, I could see someone changing localhost to point somewhere else as being an interesting attack vector. My guess is it was changed as part of Microsoft's SDL.

3

I can see this also being an attempt to shore up their security. By "fixing" localhost to always point to the loopback, they can avoid DNS poisoning attacks, which are starting to show up in the wild.

I do agree though, it is a bit disturbing on some levels...
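A check a defender can run to spot a hosts file that redefines localhost away from loopback, the scenario the answers above are worried about. This is an added example, not code from the question or from any answer; the sample hosts content is constructed (it starts with the Windows 7 comment block quoted in the question) and the function names are my own.

```python
import ipaddress

# Constructed sample hosts file: the Windows 7 default (loopback lines commented
# out) plus a legacy IPv4 entry, an IPv6 entry and one redirected localhost entry.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1 localhost
#   ::1 localhost
127.0.0.1       localhost
203.0.113.10    localhost  # constructed example of a redirected entry
::1             localhost ip6-localhost
10.0.0.5        intranet.example
"""

def parse_hosts(text):
    """Return a list of (address, [names]) for each active line; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def localhost_findings(text):
    """Return (loopback_entries, suspicious_entries) for the name 'localhost'.

    An entry is suspicious when it maps 'localhost' to an address that is not
    a loopback address (127.0.0.0/8 or ::1), or that is not a valid IP at all.
    """
    loopback, suspicious = [], []
    for addr, names in parse_hosts(text):
        if "localhost" not in (n.lower() for n in names):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append(addr)
            continue
        (loopback if ip.is_loopback else suspicious).append(addr)
    return loopback, suspicious

if __name__ == "__main__":
    good, bad = localhost_findings(SAMPLE_HOSTS)
    print("loopback localhost entries:", good)
    print("non-loopback localhost entries:", bad)
```

Pointing the parser at the live file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) turns it into a quick integrity check; an unmodified Windows 7 file yields no localhost entries at all, which is the behaviour the accepted answer describes.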

2

I would be curious to know if one can redefine localhost in DNS itself though. The use of clear text files to manage these settings could have never been considered to be a security best practice. It seems to me that Microsoft's new security measures go beyond preventing root access and delve more deeply into nuanced vulnerabilities. I am not sure how much one can stay a step ahead of motivated black hats, regardless.

1
  • 2
    localhost is just another A record in your zone, it's only convention that points it to 127.0.0.1. So yes, you can point localhost to anything you like, and if an attacker can get control of the DNS server, they can change this record for the whole network of W7 computers rather than just one with a hosts file. It's a notorious problem for the DNS root servers that people do not include a localhost A record in their zone, so the request gets sent to the root: bit.ly/ybu1a
    – user1804
    Commented May 16, 2009 at 9:25
2

I think it has something to do with Microsoft implementing RFC 3484 for destination IP address selection. This is an IPv6 feature back-ported to IPv4 and affects Vista/Server 2008 and above. This change breaks round robin DNS, so even if this doesn't answer your question, it's definitely a major DNS change to know about.

More info at the Microsoft Enterprise Networking blog.

1
  • +1 for the networking blog link; I hadn't seen that before.
    – Portman
    Commented May 18, 2009 at 23:46
