.local hero

Posted by Dick on November 21, 2005

The other day I grumbled about the WRT54G lacking static DHCP and an embedded DNS server.

So to shell into the Mac I first have to ping the network address to see what boxes are up, then shell into each of them in turn (telling them all my password if they ask, of course). Like a fricking caveman.

So, what to do?
Nessus mass OS fingerprinting seems a bit rude, hosts files are ridiculous. But I really want to see how far I can push my server-free lifestyle. BIND is out.

mDNS has looked interesting for a while, and here’s my excuse to try it.
Security had put me off before, but now we’re locked down tighter than a gnat’s chuff.
This was the whole point of having services elsewhere, I get to play around with relative impunity.

I found someone in an uncannily similar situation who’d set up mDNSResponder. That isn’t in Debian anymore (not even ‘non-free’) because of a licensing bunfight. (IANAL, but this is what I hate about Debian – on NetBSD, ACCEPTABLE_LICENSES takes care of this.)
Luckily, I’ve already stomped off in a huff to use Ubuntu…

zero conf

On Breezy (edgy too – see below), enable universe. It’s what all the cool kids do.

sudo apt-get install mdns-scan

If I run ‘mdns-scan’, I can see all the Mac’s services (mostly iTunes related),
so it looks like the Linksys passes multicast between its wired and wireless VLANs
(your firewall also needs to allow UDP to 224.0.0.251 (multicast) port 5353).

$ sudo apt-get install libnss-mdns
$ # add 'mdns4' to the 'hosts' line in /etc/nsswitch.conf

Now macshostname.local resolves.

For an encore:

sudo apt-get install avahi-daemon

Now myhostname.local resolves to my public IP.

(UPDATE: on Edgy, avahi is now in main, but after a looong argument it turns out you’ll need to edit /etc/default/avahi-daemon and change 0 to 1. I’m not sure they really got the whole ‘zeroconf’ concept…)

NB: the readmes suggest sticking ‘mdns4’ after ‘dns’ in /etc/nsswitch.conf. This means that queries for .local go off to the DNS system before falling back to avahi. I think the other way round is better – avahi only responds for domains in /etc/mdns.allow anyway, so it’s no less secure.

(update: as of v0.8, nss-mdns has an extra module, libnss_minimal, that will only handle .local domains and zeroconf IPs (169.254.x.x) to address this)
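As an added example (not code from the post), a small POSIX sh function that classifies an /etc/nsswitch.conf ‘hosts:’ line by whether .local lookups go to multicast before or after unicast ‘dns’, and whether the multicast module is the unrestricted ‘mdns4’ or the .local-only minimal one. It assumes the minimal module appears in nsswitch.conf under the name mdns4_minimal (the post refers to the library as libnss_minimal); the sample lines are constructed.

```shell
#!/bin/sh
# Classify a nsswitch.conf 'hosts:' line by where its mDNS module sits
# relative to unicast 'dns'. The sample lines below are constructed.

classify_hosts_line() {
    # $1 is one 'hosts:' line, e.g. "hosts: files mdns4 dns"
    mods=$(printf '%s\n' "$1" | sed 's/#.*//; s/^hosts:[[:space:]]*//; s/\[[^]]*\]//g')
    pos=0; dns_pos=""; mdns_pos=""; mdns_mod=""
    for m in $mods; do
        pos=$((pos + 1))
        case "$m" in
            dns)
                if [ -z "$dns_pos" ]; then dns_pos=$pos; fi ;;
            mdns|mdns4|mdns6|mdns_minimal|mdns4_minimal|mdns6_minimal)
                if [ -z "$mdns_pos" ]; then mdns_pos=$pos; mdns_mod=$m; fi ;;
        esac
    done
    if [ -z "$mdns_pos" ]; then
        echo "no-mdns"                   # .local names never go to multicast
    elif [ -z "$dns_pos" ] || [ "$mdns_pos" -lt "$dns_pos" ]; then
        case "$mdns_mod" in
            *_minimal) echo "mdns-first-minimal" ;;      # only .local and 169.254.x.x hit the LAN
            *)         echo "mdns-first-unrestricted" ;; # every lookup is offered to the LAN first
        esac
    else
        echo "dns-first"                 # .local queries go to the DNS server before multicast
    fi
}

# Constructed examples: the readme default, the post's reordering, the
# tightened minimal line, and a line with no mDNS at all.
for line in \
    "hosts: files dns mdns4" \
    "hosts: files mdns4 dns" \
    "hosts: files mdns4_minimal [NOTFOUND=return] dns" \
    "hosts: files dns"
do
    printf '%-50s -> %s\n' "$line" "$(classify_hosts_line "$line")"
done
```

‘mdns-first-unrestricted’ is the case worth noticing: with plain ‘mdns4’ ahead of ‘dns’, every name lookup, not just .local, is first asked on the LAN, where any box can answer.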

next steps

This is so much better suited to my needs than fixed DHCP entries and BIND I am gobsmacked.
Feels like the jump from Java to Ruby.

Unless I have this back-asswards:

  • it doesn’t matter what IP the boxes get assigned, you can still find them
  • you can find boxes whether they’re connected over ethernet or wireless
  • you don’t need to update anything if new machines are installed
  • there is no single database/point of failure (BIND dying makes everything go tits up in my experience)

Of course, rogue boxes can spoof hostnames, but frankly if you do
host-based authentication you’re in no position to be lecturing anyone on security.
Servers/clients can of course use whatever secure mechanisms you want (unit tests vs. static typing :) )

If this sounds like something you could use, I can’t recommend the
O’Reilly zeroconf book highly enough. Or just watch Stuart Cheshire’s zeroconf Techtalk on Google Video.

My head is already buzzing with potential uses for Avahi’s DNS service discovery.

Sadly, the WRT54G only has a radio button to enable UPnP, a rival framework which makes Jini look lightweight…
