Engineer wants IETF to reword core web standard

Sep 28, 2016 14:50 GMT

A proposal made by Mike West, a Google security engineer for the Chromium project, wants to standardize how software applications deal with "localhost" traffic.

West submitted his proposal, called "Let 'localhost' be localhost," to the Internet Engineering Task Force (IETF) discussion group, and it is currently a draft waiting for public comments.

The proposal is an amendment to section 6.3 of RFC6761, a standard that defines special-use domains, such as "localhost," "test," "invalid," and "example."

These domains, with all their variations, such as localhost.com, example.net, test.org, etc., are routed to specific destinations, due to their general purpose.

Localhost should be localhost and not anything else

The problem, which West identified, is with the usage and implementation of the "localhost" term itself.

While most software will recognize that "localhost" stands for 127.0.0.1, the computer's own (loopback) address, there are quite a lot of applications that will forward this query to a DNS server or a local domain name resolver. This behavior manifests in some network setups as traffic meant for the local computer reaching other devices on the network.

  This document updates RFC6761 by requiring that the domain "localhost." and any names falling within ".localhost." resolve to loopback addresses.  This would allow other specifications to join regular users in drawing the common-sense conclusions that "localhost" means "localhost", and doesn't resolve to somewhere else on the network.  
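The rule quoted above can be sketched as a resolver wrapper plus an audit that flags lookups returning a non-loopback address for a localhost name. This is an added example, not code from the draft or from Chromium; the function names, the choice of 127.0.0.1 and ::1 as the loopback answers, and the sample misbehaving resolver are assumptions.

```python
import ipaddress
import socket

# Assumption: answer with the standard IPv4 and IPv6 loopback addresses.
LOOPBACK = ("127.0.0.1", "::1")


def is_localhost_name(name):
    """True for "localhost." and any name within ".localhost." (case-insensitive)."""
    labels = name.rstrip(".").lower().split(".")
    # The rightmost label must be "localhost"; empty labels make the name invalid.
    return labels[-1] == "localhost" and all(labels)


def system_lookup(name):
    """Ask the OS resolver (hosts file and/or DNS, depending on configuration)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def resolve(name, lookup=system_lookup):
    """Answer localhost names locally; only other names reach the lookup function."""
    if is_localhost_name(name):
        return list(LOOPBACK)
    return lookup(name)


def audit(names, lookup=system_lookup):
    """Return {name: [addresses]} for localhost names answered with non-loopback IPs."""
    findings = {}
    for name in names:
        if not is_localhost_name(name):
            continue
        try:
            answers = lookup(name)
        except OSError:
            answers = []  # no answer at all is not a leak to another host
        bad = [a for a in answers
               if not ipaddress.ip_address(a.split("%")[0]).is_loopback]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    # Constructed resolver that forwards everything and gets a LAN-style answer
    # (192.0.2.10 is a documentation address, used here as sample data).
    def forwarding_resolver(name):
        return ["192.0.2.10"]

    print(audit(["localhost", "www.localhost.", "localhost.com"], forwarding_resolver))
    print(resolve("files.localhost", forwarding_resolver))
```

Calling audit() with the default lookup checks the machine's own resolver configuration for the names passed in.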

A secondary benefit of this proposal is that, if users mistakenly delete the content of their hosts file, traffic meant for localhost will reach their local loopback address as intended. Basically, the proposal will allow you to delete the following lines from your hosts file and still access your local servers:

  127.0.0.1    localhost
  ::1          localhost

"I'm very much in favor of this change," one user wrote on Hacker News. "I develop my webserver locally, and it has many subdomains. So I have 'www.localhost', 'files.localhost', 'doc.localhost', etc."

"I have to add each subdomain to my /etc/hosts file before I can use it, as you can't have wildcards in that file," he adds. "This should help anyone in a similar situation of testing their server with subdomains on localhost."

While there are also some security-related gains from approving this proposal, there have been many network admins speaking against West's proposal on Twitter and Hacker News. Most critics say this simple wording-related modification to RFC6761 would cause problems for SRV (Service) DNS records, which may sometimes need to resolve to other custom loopback addresses.