Subject: Re: localhost security hole
To: David Laight <david@l8s.co.uk>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-security
Date: 06/28/2003 23:00:05
    Date:        Sat, 28 Jun 2003 16:48:02 +0100
    From:        David Laight <david@l8s.co.uk>
    Message-ID:  <20030628164802.A2608@snowdrop.l8s.co.uk>

  | I didn't say that there should be lots of entries in /etc/hosts,
  | just that it should be looked at first.

One out of date entry is all it takes...

There's also the performance issue here - if the hosts file is small,
then it will almost never contain the data that you're looking for.
But the system still has to open/read/close the file for every name
lookup if the hosts search is done ahead of the DNS.  (Yes, it is likely
to be effectively permanently cached, but the sys call overheads
are still there).

On the other hand, the DNS contains (should contain) everything, and is
in practice going to be used for almost all lookups anyway (assuming you
are using it at all).  The only time the hosts file should need to be used
is when the DNS is broken, so having it as a backup (hosts after dns) if
it is to be used at all, is close to free.   Further, the extra delay that
usually occurs to lookups is a good indicator that the DNS is broken, and
should drive it to get fixed sooner than it might if no-one really noticed
(which is what happens if all lookups that matter are found from the
hosts file).   (Drive fixing as in "users complain" if they're not the ones
responsible in the first place).

Still, there's little point arguing about this, people's perceptions of
what is best vary depending upon which particular failure mode bit them
first/worst/most recently - I know I am not going to convince the
"hosts first" advocates just how dumb that approach is, so I won't bother
trying any more.

kre
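As an added illustration of the lookup-order argument in the message above (this is not code from the thread; the hosts-file text, the DNS table and all function names are constructed for the example), the following Python simulates an nsswitch-style resolver with a configurable source order. It shows the two cases the message contrasts: one stale hosts entry silently overriding DNS under a hosts-first order, and the hosts file still serving as a fallback under a DNS-first order when DNS is down. It also includes a small audit that lists hosts entries disagreeing with DNS, which is the check a defender would want before putting hosts ahead of DNS.

```python
"""Simulated name lookup with a configurable source order.

Added example, not code from the tech-security thread.  The hosts-file
text and the DNS answers below are constructed; a real system would read
/etc/hosts and query its configured resolvers.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed /etc/hosts content.  The intranet line is the "one out of
# date entry": the host moved to 10.0.0.50 but the file was never updated.
HOSTS_FILE = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet.example.org intranet   # stale, host moved
"""

# Constructed answers that a working DNS would return.
DNS_TABLE = {
    "intranet.example.org": "10.0.0.50",
    "www.example.org": "192.0.2.10",
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts(5)-style text: address, canonical name, aliases.

    '#' starts a comment; malformed addresses are skipped; the first
    matching line wins, as in a linear scan of the file.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def dns_lookup(name: str, dns_up: bool = True) -> Optional[str]:
    """Stand-in for a DNS query; dns_up=False models a broken DNS."""
    if not dns_up:
        return None
    return DNS_TABLE.get(name.lower())


def resolve(name: str, order: List[str], hosts_table: Dict[str, str],
            dns_up: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """Try each source in `order` ("hosts" or "dns"); return (address, source)."""
    for source in order:
        if source == "hosts":
            addr = hosts_table.get(name.lower())
        elif source == "dns":
            addr = dns_lookup(name, dns_up)
        else:
            raise ValueError("unknown source %r" % source)
        if addr is not None:
            return addr, source
    return None, None


def stale_entries(hosts_table: Dict[str, str],
                  dns_up: bool = True) -> Dict[str, Tuple[str, str]]:
    """Audit: names whose hosts entry disagrees with DNS.

    Under a hosts-first order every entry listed here overrides DNS
    without any error being reported.
    """
    out: Dict[str, Tuple[str, str]] = {}
    for name, addr in hosts_table.items():
        dns_addr = dns_lookup(name, dns_up)
        if dns_addr is not None and dns_addr != addr:
            out[name] = (addr, dns_addr)
    return out


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    name = "intranet.example.org"
    print("hosts first:      ", resolve(name, ["hosts", "dns"], hosts))
    print("dns first:        ", resolve(name, ["dns", "hosts"], hosts))
    print("dns first, dns down:", resolve(name, ["dns", "hosts"], hosts, dns_up=False))
    print("stale hosts entries:", stale_entries(hosts))
```

With the constructed data, the hosts-first order returns the stale 10.0.0.5 for intranet.example.org while DNS-first returns 10.0.0.50; with DNS marked down, DNS-first still falls through to the hosts file, which is the "backup" behaviour the message describes as close to free.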