Hi guys, i note that in Virtualmin>Server Configuration>Suggested DNS Records,
virtualmin is suggesting the localhost A Record
localhost.domain.com.au. IN A 127.0.0.1
In reading stack about this it appears to be a couple of trains of thought on whether or not it should be used. I post the following opposing views, and ask what you guys think?
localhost.example.com is sometimes included on internal DNS servers to prevent "localhost" requests leaking out to the internet (for the case where John Smith types http://localhost/ in his browser & for whatever reason his resolver doesn't look in the hosts file, appends his search path (example.com) & starts asking name servers what that resolves to).
You don't have to have a localhost entry (and if your ISP thinks that's "the way BIND works" they're either misguided or idiots: BIND serves what's in the zone file, and if they remove the localhost line it will stop serving that record). As a free example, localhost.google.com doesn't resolve, and I bet the NS for that domain is running BIND.
The XSS vector is something I'd never thought of, but it is something of concern: having a localhost entry in your public DNS means any hacked machine could be "in your domain" (by running a webserver on 127.0.0.1) and potentially do all sorts of nasty things. Probably a good enough reason to get rid of the entry.
Assuming that your internal name resolution is handling name resolution properly, any DNS request for localhost should never go to your external DNS provider, and so this shouldn't be a problem at all.
One reason why someone would do this, that I can think of off the top of my head, is if someone once used a web authoring tool that screwed up with a load of absolute references to http://localhost, but that assumes that your ISP was also hosting on their DNS boxes and is a long shot.
However, RFC 1537 does specify:
There has been extensive discussion about whether or not to append the local domain to it. The conclusion was that "localhost." would be the best solution; reasons given were:
"localhost" itself is used and expected to work on some systems.
translating 127.0.0.1 into "localhost.my_domain" can cause some software to connect to itself using the loopback interface when it didn't want to.
Note that all domains that contain hosts should have a "localhost" A record in them.
So strictly speaking it appears as though your ISP is correct to include localhost, but incorrect to use the fully-qualified name.