If ALL:ALL is placed in the hosts.deny and specific exceptions are added into the hosts.allow, working DNS is required to successfully connect to any service. The settings in the nsswitch.conf do not seem to affect this problem (i.e. I tried setting hosts to just "files" and it didn't use the /etc/hosts file for authentication). This is new behavior... 6.2 and 7.0beta did not work this way. This has happened on two different machines, one a 6.2 and one a 7.0beta, after upgrading. Both computers use the i386 architecture. Possible reason: tcp_wrappers is now being compiled with -DPARANOID which will always refuse connections which can't be resolved forwards and backwards. This combined with the fact tcp_wrappers sends DNS queries directly instead of using /etc/nsswitch.conf causes my laptop to refuse all connections when plugged into my home network and my desktop to refuse all connections when not dialed into my ISP.
Two things I forgot to mention: 1) I'm not using hostnames in the hosts.allow, just IPs (like 127.0.0.1 10.0.0.0/255.0.0.0) 2) The functionality of -DPARANOID can be obtained without compiling with it on... just use PARANOID as a wildcard... so compiling without it is more flexible.
Nevermind! It looks like I was just confused. After fixing the hosts.allow to use the proper names for the daemons (I was using the service names), it works wonderfully. I looked at the patches that had been added to tcp_wrappers in 7.0 and none of them looked like they should have affected this. Now the only question is how it worked before... Sorry for wasting your time. (BTW: bugzilla is really nice)