Why does the registered domain name “localtest.me” resolve to 127.0.0.1?

However, I'm still not sure how you can register an external domain to a local one. This is confusing as a tracert localtest.me never even leaves the machine. How is this handled on the low level?

There is nothing that "binds" the domain to its address in the way that you imagine. Just like a phone book, DNS merely tells you what the address is – but that's where its involvement ends. (You don't dial "Pizza Hut" on the phone; you look up their phone number, and dial the number.)

So, when someone registers a domain name, they just gain the ability to edit those phonebook records. But to actually "point" a domain name somewhere – let's say to 127.0.0.1 – they add this line to its database:

localtest.me.   A   127.0.0.1

That's it. Whoever asks about localtest.me now gets the answer "Oh, it's at 127.0.0.1."

So when you type tracert localtest.me., it first asks DNS about the associated address; gets the answer 127.0.0.1; and then behaves exactly as if you had ran tracert 127.0.0.1 instead. No magic at all.

Are there others? (And how to find them?)

At this point it should be clear that any domain owner can do this without any effort at all, so there is always a probability that other such domains exist at any given time. Due to DNS data being distributed across many systems (sometimes even dynamically generated), you really cannot find them all, or even expect your results to remain accurate after just a few seconds.

But for security purposes, you don't need to find them all. Some DNS resolvers actually already have a kind of filtering for such entries (called "DNS rebinding protection"), and they don't look for specific questions – they only look at the answer. The protection feature just blocks answers which point to any local address.

However, before you ask, this cannot be forbidden globally – pointing domain names to private addresses is still a perfectly legitimate use of DNS, and is used in practice in many networks.

There are other answers that go into deeper detail, but the core of this question is really simple to answer:

“However, I'm still not sure how you can register an external domain to a local one.”

Registering a domain name and assigning an IP address are two completely different and independent things.

Anyone can register any domain name for any reason; you can even register a domain name without having a destination IP address in place. One must simply pay the domain registrar, going trough the virtual “paperwork” and then, like magic, you have a domain name. All you are paying for when you register a domain name is the domain name itself as well as the ability—read below—to assign an IP address to a domain name.

But then assigning an IP address to that domain name is a whole different process. Anyone can assign any IP address to a domain name if they have control of that domain name. The domain name registrar has no care or concern about what pile of raw addresses you assign to a domain name.

All a domain name is is simply a pointer that makes life easier. Think of it as an alias so people don’t have to memorize piles of numbers (IPv4) or numbers and letters (IPv6).

That’s it!

But what happened—as explained by that page you visited—was not a “hack” of every system in the world’s local “127.0.0.1” address, but rather a flaw on that one specific system itself.

But to further clarify this—and this tripped me up the way you worded it as well—when you state:

I was reading an article about Server-Side Request Forgery. In that article the attacker found that 127.0.0.1 was open to the internet.

I read that article as well, and this is what happened: Someone was using an online tool that allowed you to point that tool to any IP address/hostname. When they pointed that tool at 127.0.0.1 it wasn’t that the IP address 127.0.0.1 was exposed to the Internet. Rather, the tool itself had a flaw that allowed anyone to probe the internal server that tool was running on by using 127.0.0.1. And since this tool was explicitly a hacking tool that was used to detect open ports and such, by using 127.0.0.1 that specific application was able to probe it’s own localhost network and—key here—convey that information to someone accessing the tool via just a web browser.

The risk presented was not that every 127.0.0.1 was exposed to the Internet, but rather that sloppy coding on one tool on one site allowed this to happen.

What is so special about localtest.me?

It points to 127.0.0.1 (localhost). This address is always reserved for the local computer.

Are there others? (And how to find them?)

Yes. Google and Super User are your friends (as you found out).

I'm still not sure how you can register an external domain to a local [IP]. This is confusing as a tracert localtest.me never even leaves the machine. How is this handled on the low level?

You're missing the initial (external) DNS request. tracert displays the path a packet takes but before a packet can go anywhere, the computer must know the IP to send it to. With caveats, if you've never visited locatest.me before, a DNS request is made to external resolvers to discover that it maps to 127.0.0.1. The returned data is then used locally (e.g. for tracert or displaying web content). And remember that DNS can map any hostname to any IP - it doesn't "know" if an IP is local or not.