Networking – Why localtest.me Resolves to 127.0.0.1

Tags: dns, domain, ip, localhost, networking

I was reading an article about Server-Side Request Forgery. In that article the attacker found that 127.0.0.1 was open to the internet. The victim then blocked 127.0.0.1, but because many other IPs, and apparently also some domains, are resolved to that, including the mysterious localtest.me, he was able to bypass a weak text-based filter.

  1. What is so special about localtest.me?

  2. Are there others? (And how to find them?)


UPDATE

I found: http://readme.localtest.me/

Apparently someone decided to register that domain in a funny way, for testing purposes:

Here’s how it works. The entire domain name localtest.me—and all
wildcard entries—point to 127.0.0.1. So without any changes to your
host file you can immediately start testing with a local URL.

However, I'm still not sure how you can register an external domain to a local one. This is confusing as a tracert localtest.me never even leaves the machine. How is this handled on the low level?

I then found several more in these comments and elsewhere:

lvh.me 
vcap.me
fuf.me - IPv4 and IPv6
ulh.us
127-0-0-1.org.uk
ratchetlocal.com
smackaho.st
42foo.com
beweb.com
yoogle.com
ortkut.com
feacebook.com

And in similar questions on Stack Overflow.

Best Answer

However, I'm still not sure how you can register an external domain to a local one. This is confusing as a tracert localtest.me never even leaves the machine. How is this handled on the low level?

There is nothing that "binds" the domain to its address in the way that you imagine. Just like a phone book, DNS merely tells you what the address is – but that's where its involvement ends. (You don't dial "Pizza Hut" on the phone; you look up their phone number, and dial the number.)

So, when someone registers a domain name, they just gain the ability to edit those phonebook records. But to actually "point" a domain name somewhere – let's say to 127.0.0.1 – they add this line to its database:

localtest.me.   A   127.0.0.1

That's it. Whoever asks about localtest.me now gets the answer "Oh, it's at 127.0.0.1."

So when you type tracert localtest.me., it first asks DNS about the associated address; gets the answer 127.0.0.1; and then behaves exactly as if you had run tracert 127.0.0.1 instead. No magic at all.

Are there others? (And how to find them?)

At this point it should be clear that any domain owner can do this without any effort at all, so there is always a probability that other such domains exist at any given time. Due to DNS data being distributed across many systems (sometimes even dynamically generated), you really cannot find them all, or even expect your results to remain accurate after just a few seconds.

But for security purposes, you don't need to find them all. Some DNS resolvers actually already have a kind of filtering for such entries (called "DNS rebinding protection"), and they don't look for specific questions – they only look at the answer. The protection feature just blocks answers which point to any local address.

However, before you ask, this cannot be forbidden globally – pointing domain names to private addresses is still a perfectly legitimate use of DNS, and is used in practice in many networks.
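The answer makes two points that are easy to verify in code: a name like localtest.me is nothing more than an A record pointing at 127.0.0.1, and a "DNS rebinding protection" style filter judges the answer (the address), not the question (the name). The following is an added example, not code from the question, the answer, or the localtest.me project. The DNS answers it uses are constructed so that it runs offline; the function names (`name_blocklist_filter`, `check_destination`, `is_local_address`) are hypothetical, and `lookup_system` is only there to show where a real resolver call would go.

```python
import ipaddress
import socket

# Constructed stand-in for DNS answers so the example runs offline.
# The records mirror what the page describes: public-looking names whose
# A/AAAA records point at the loopback address. example.com's address is a
# constructed sample value, not a live lookup.
CONSTRUCTED_ANSWERS = {
    "localtest.me": ["127.0.0.1"],
    "app.localtest.me": ["127.0.0.1"],       # wildcard entry, as the readme says
    "fuf.me": ["127.0.0.1", "::1"],           # IPv4 and IPv6, as listed above
    "example.com": ["93.184.216.34"],         # constructed "public" answer
    "mapped.example": ["::ffff:127.0.0.1"],   # IPv4-mapped IPv6 form of loopback
}


def lookup_constructed(host):
    """Offline stand-in for a resolver: returns the constructed answers."""
    return list(CONSTRUCTED_ANSWERS.get(host.rstrip(".").lower(), []))


def lookup_system(host):
    """Real lookup through the OS resolver (same shape as lookup_constructed).
    Not used by the offline demonstration below."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_local_address(ip_str):
    """True if a resolver with rebinding protection would drop this answer:
    loopback, private (RFC 1918 / ULA), link-local or unspecified, including
    an IPv4-mapped IPv6 address that wraps one of those."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge the embedded IPv4 address
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def name_blocklist_filter(host):
    """The weak text-based filter from the question: it only recognises
    names that literally look local, so localtest.me passes straight through."""
    return host.rstrip(".").lower() in {"localhost", "127.0.0.1", "::1"}


def check_destination(host, lookup=lookup_constructed):
    """Answer-based check: resolve first, then judge every address returned.
    Returns (allowed, addresses). An unresolvable name fails closed."""
    addrs = lookup(host)
    if not addrs:
        return False, addrs
    return all(not is_local_address(a) for a in addrs), addrs


if __name__ == "__main__":
    for host in ["localhost", "localtest.me", "app.localtest.me", "fuf.me", "example.com"]:
        print(f"{host:20s} name-filter blocks: {name_blocklist_filter(host)!s:5s} "
              f"address check: {check_destination(host)}")
```

Two design points follow from the answer. First, since the resolver's data can change at any moment, the address that is checked has to be the address the connection is actually made to; checking one lookup and then connecting with a second lookup is exactly the window that DNS rebinding uses. Second, the check deliberately says nothing about the hostname, because as the answer notes, any domain owner can add an A record for 127.0.0.1 at any time, so a list of "known local" names is never complete.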
