Windows 7: "localhost name resolution is handled within DNS itself". Why?

I checked with a developer on the Windows team, and the actual answer is much more innocuous than the other answers to this post :)

At some point in the future, as the world transitions from IPv4 to IPv6, IPv4 will eventually be disabled/uninstalled by companies that want to simplify network management in their environments.

With Windows Vista, when IPv4 was uninstalled and IPv6 was enabled, a DNS query for an A (IPv4) address resulted in the IPv4 loopback (which came from the hosts file). This of course caused problems when IPv4 was not installed. The fix was to move the always-present IPv4 and IPv6 loopback entries from the hosts file into the DNS resolver, where they could be independently disabled.

-Sean


Windows 7 introduces (optional) support for DNSSEC validation. The controls can be found under "Name Resolution Policy" in the "Local Group Policy" plugin (c:\windows\system32\gpedit.msc)

Unfortunately, it doesn't (AFAIK) support RFC 5155 NSEC3 records, which many large zone operators (including .com) will be using when they go live with DNSSEC over the next couple of years.


Given that more and more applications on Windows are using IP to talk back to themselves, likely including a number of Windows services, I could see someone changing localhost to point somewhere else as being an interesting attack vector. My guess is it was changed as part of Microsoft's SDL.
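To make the behaviour from Sean's answer visible, and to turn the concern in the last answer into a concrete check, here is a PowerShell script I am adding (it is not from any of the answers above and not Microsoft's code). It reads the standard hosts file path (assumed to be %SystemRoot%\System32\drivers\etc\hosts), shows what that file says about localhost, asks the resolver what "localhost" actually resolves to, and warns if either the file or the resolver points localhost at a non-loopback address. It uses only the .NET Dns class, which is available in PowerShell 2.0 on Windows 7.

```powershell
# Added example, not part of the original Q&A. Assumes the default hosts file location.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. What the hosts file says about localhost. On Windows 7 the two loopback
#    lines are shipped commented out ("# 127.0.0.1 localhost", "# ::1 localhost"),
#    because the resolver itself now answers for localhost.
Get-Content $hostsPath |
    Where-Object { $_ -match '\blocalhost\b' } |
    ForEach-Object { Write-Output "hosts: $_" }

# 2. What the resolver returns. Dns.GetHostAddresses goes through the same
#    DNS client path as ordinary applications, so this is what a service
#    binding or connecting to "localhost" actually gets.
$addresses = [System.Net.Dns]::GetHostAddresses('localhost')
foreach ($a in $addresses) {
    Write-Output ("resolver: {0} ({1})" -f $a.IPAddressToString, $a.AddressFamily)
}

# 3. Hosts-file integrity: any uncommented line that maps localhost to something
#    other than 127.0.0.0/8 or ::1 is an attempt (or a mistake) that deserves a
#    closer look, whether or not the resolver ends up honouring it.
$suspicious = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*\S+\s+.*\blocalhost\b' } |
    ForEach-Object {
        $ip = ($_.Trim() -split '\s+')[0]
        if ($ip -notmatch '^127\.' -and $ip -ne '::1') { $_ }
    }
if ($suspicious) {
    Write-Warning "localhost is mapped to a non-loopback address in ${hostsPath}:"
    $suspicious | ForEach-Object { Write-Warning "  $_" }
}

# 4. Resolver result check, independent of where the answer came from
#    (hosts file, resolver cache, or a DNS server that answers for "localhost").
$nonLoopback = $addresses | Where-Object { -not [System.Net.IPAddress]::IsLoopback($_) }
if ($nonLoopback) {
    Write-Warning ("localhost resolved to non-loopback address(es): " + ($nonLoopback -join ', '))
}
```

Run it as an ordinary user; reading the hosts file and querying the resolver needs no elevation. On a stock Windows 7 box you should see only commented hosts lines in step 1, ::1 and 127.0.0.1 from step 2, and no warnings. Step 4 is the one that matters for the attack-vector worry: it reports what applications will actually connect to, regardless of which layer supplied the answer.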