Eyes Above The Waves

Robert O'Callahan. Christian. Repatriate Kiwi. Hacker.

Sunday 13 August 2017

Public Service Announcement: "localhost" Is Not Necessarily Local

Today I learned that there exist systems (presumably misconfigured, but I'm not sure in what way) where the hostname "localhost" does not resolve locally but is sent to some remote DNS server, and then in some cases the DNS server returns a remote address (e.g. a server providing landing pages stuffed with ads).

This was breaking rr, since rr tells gdb to use (e.g.) the command "target extended-remote :1234", and apparently gdb resolves "localhost" to get the address to connect to. I've fixed rr to pass "" as an explicit local address, but who knows what other software is broken in such a configuration — possibly in insecure ways?


Hm... where's the bug here? In gdb, for not recognizing 'localhost' as something it should just automatically resolve to the current host? Or elsewhere? T try to avoid just to avoid being pegged to IPv4. Is there no IP-agnostic way of referring to the current host not susceptible to this?
I don't know how to (reliably, in practice) obtain a string that will resolve to a loopback address when we don't know which of IPv4/IPv6 is running.
I hope it's harmless in practice to configure an IPv4 loopback address even if IPv4 is otherwise disabled. And I suspect not doing so would break a lot of stuff. So maybe we should just rely on that, especially if there's no other way to reliably get a loopback address.
I've run into issues before where didn't work on systems that shifted to IPv6. This was in a fairly controlled environment, so maybe it's less likely to break in other contexts?
If that is ever a problem for us I guess I'll have to write the code to enumerate interfaces and figure out which address to use :-(
Xidorn Quan
FWIW there is a recent IETF RFC proposing making localhost localhost: https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04
That's good to know, but I wonder when we'll be able to rely on that.
There's nothing special about localhost, it is just a name like everything else, so the name needs resolving. Fortunately all OSes including windows has a hosts file (manual DNS registry), where and ::1 has the name localhost. If the name was not resolved by the hosts file, then DNS server(s) is contacted in order to resolve the name. So if some malicious software has updates the hosts file to make localhost resolve to some remote ip then it will - no magic, just a name like everything else. In the same manner the hosts file can be updated so license.microsoft.com points to and make the Genuine Validation process believe that it talks to a remote server, and but instead talks to your local machine that could have a process that "answers" everything is genuine no matter what license key was in the request.