Local Name and Address Resolution On Your Computer

Hosts and LMHosts are local, fixed name resolution caches on your computer, invented before the concept of DNS. Their contents may cause the computer to bypass use of dynamic name resolution techniques like querying DNS, name broadcast, and/or WINS.

If your computer is attempting to resolve the name of a computer, and there’s an entry in either Hosts (if DNS resolution is being used), or in LMHosts (if NetBIOS aka WINS resolution is being used) that matches the target name, resolution will stop there.

The Hosts (and similarly the LMHosts) file contains entries of the form:

nnn.nnn.nnn.nnn hostname

The first entry in Hosts, for instance, should be:

127.0.0.1 localhost

This entry is called the loopback address. It lets you reference the computer itself, from itself, without using any network hardware or software. The loopback address is an essential component in layered testing. It is referenced in a diagnostic sequence, for instance:

  • Ping 127.0.0.1.
  • Ping the computer by IP address.
  • Ping the computer by name.

There may be additional entries in Hosts. Some entries may be intentional, others may have been added without your knowledge. Know and understand the difference.

  • You may intentionally override dynamic resolution to create an alias to a server.
  • Malware has been known to hijack the Hosts file. This practice predates pharming, and has the same effect.
  • Many security strategies use the Hosts file to block access to known malicious websites.


Hosts and LMHosts are generally found in “%SystemRoot%\System32\drivers\etc”. When in doubt, though, it’s best to verify the registry entry which points to that location, as some malware may change the registry entry. Examine the value of registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath], and make sure its value is as stated above. Any other value may point to a Hosts file hijack.

See TCP/IP and NBT configuration parameters for Windows XP for further information.

Whether or not you find your Hosts file hijacked in a registry setting, check the content of your Hosts file very carefully.

Both Hosts and LMHosts are simple text files, so you may view and/or edit either using Notepad. But view and edit them carefully; errors can have unpredictable results. Saving changes is tricky; you should save Hosts, for instance, as “Hosts.” (note the period after “Hosts”), as type “All Files”.
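The two checks described above (the DataBasePath registry value and the content of the Hosts file) can be scripted. The following Python sketch is an added example, not part of the original article. The function names, the `system_root` parameter, the classification labels and the sample file are all constructed for illustration.

```python
import ipaddress

# Default location given in the article; DataBasePath should resolve to it.
EXPECTED_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample Hosts content (documentation addresses, made-up names).
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1       localhost
0.0.0.0         ads.example.net      # blocking entry
192.0.2.5       fileserver           # intentional alias
203.0.113.10    www.example-bank.test login.example-bank.test
not-an-ip       broken.example
"""

def db_path_is_default(value, system_root=r"C:\Windows"):
    """True if a DataBasePath value (raw or expanded) is the default location."""
    norm = value.strip().rstrip("\\").lower()
    norm = norm.replace(system_root.lower(), "%systemroot%")
    return norm == EXPECTED_DB_PATH.lower()

def audit_hosts(text):
    """Return (line number, kind, address, name) for every Hosts entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:      # bad address or no host name
            findings.append((lineno, "malformed", fields[0], ""))
            continue
        for name in fields[1:]:                  # several names may share a line
            if addr.is_loopback and name.lower() == "localhost":
                kind = "loopback"                # the expected first entry
            elif addr.is_loopback or addr.is_unspecified:
                kind = "block"                   # name sent nowhere: blocklist style
            else:
                kind = "review"                  # alias or hijack: a person decides
            findings.append((lineno, kind, str(addr), name.lower()))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Every entry reported as `review` overrides dynamic resolution with a real address, so each one should match an alias you created yourself.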
