I’ve been using zeroconf / bonjour / rendezvous for a while now.
I don’t have a DNS server (it isn’t much use without static DHCP entries, which my linksys doesn’t do),
so multicast DNS is a neat way to do the same job (if you said /etc/hosts, you lose).
I could have built mDNSResponder for Solaris, but Nevada b72 has a multicast DNS SMF service (README).
My boxes are either Macs or Solaris, so this is very handy indeed.
we don’ need no steenkin servers
mDNS is perfect for ‘link-local’ domain names (local subnet only, e.g. a home network) where a DNS server
would just be a pain to maintain.
hypnotoad% ping hypnotoad.local
ping: unknown host hypnotoad.local
hypnotoad% svcadm enable multicast/dns
hypnotoad% grep mdns /etc/nsswitch.dns
hosts: files dns mdns
ipnodes: files dns mdns
hypnotoad% pfexec cp /etc/nsswitch.dns /etc/nsswitch.conf
hypnotoad% ping -s hypnotoad.local
PING hypnotoad.local: 56 data bytes
64 bytes from 192.168.1.101: icmp_seq=0. time=0.291 ms
^C
The mDNS-using machines on my LAN (== all of them) can resolve that name now, and I can resolve theirs. No DNS, no static DHCP entries (and no /etc/hosts), but the names stick to the machines, which is exactly what I need.
it’s called security. perhaps you’ve heard of it?
If this rings alarm bells (what, you don’t want my mac posing as suicidegirls.com?)
then relax. mdnsd only responds to queries for ‘well-known’ zeroconf-related domains, specifically:
hypnotoad% svcprop -p nss_mdns_config/domain dns/multicast
local b.e.f.ip6.arpa a.e.f.ip6.arpa 9.e.f.ip6.arpa 8.e.f.ip6.arpa 254.169.in-addr.arpa
You’ll need to allow multicast queries in and out of your firewall if you want to advertise anything,
so anyone using ipfilter will need to add these lines to /etc/ipfilter/ipf.conf:
pass in quick proto tcp/udp from any to 224.0.0.251 port mdns
pass out quick proto tcp/udp from any to 224.0.0.251 port mdns
(yup, ‘mdns’ made it into /etc/services)
Some people are twitchy about advertising their services (see below).
The way I see it, at worst it saves an attacker a port scan.
Nothing here makes your service less secure – you can still use SSL, authentication, etc.
(if you rely on hostnames for access control, you might want to pause before starting a debate about security).
this little light of mine, I’m gonna let it shine
Name resolution is nice, but the real point of zeroconf is service discovery.
Wherever possible you want to avoid users having to remember URLs, hostnames, etc.
I’m particularly interested in advertising network services to clients – Macs, obviously,
but also Linux (ubuntu has particularly strong zeroconf support) and even Windows boxen.
It’s extremely handy if you’re building network appliances.
I hated having to figure out what IP my NSLU2 had DHCPed for itself –
with mDNS installed, it just advertises its admin webapp as a service.
Things like Samba have their own browsing support, but there are plenty of other services
– FTP shares, ssh daemons, etc. – that can be made much more accessible with a little mDNS fairy dust.
Apple’s list has details.
The dns-sd(1) command line tool is a nice mDNS toolkit, and lets you tell mdnsd what services to advertise
(you also need to run the services you advertise, or your users will get pissed off pretty quickly).
For example,
dns-sd -R "Welcome, new users" _http._tcp . 80 page=/newusers/quickstart.html
will cause a new bookmark to pop up in Safari users’ ‘bonjour bookmark’ menu pointing to http://servername.local:80/newusers/quickstart.html
Similarly, something like:
dns-sd -R "Sopranos" _nfs._tcp . 2049 path=/export/torrents
makes your NFS shares appear under ‘Network’ in the OS X 10.4 Finder.
(word to the wise: NFS over 100Mbit is fast enough for viewing full screen VLC. Samba isn’t)
dns-sd is pretty handy for testing, but for production you probably want something more seamless.
For NFS, a simple script could poll the sharetab and advertise what it found.
Apache has mod_zeroconf or mod_dnssd
to automatically advertise UserDirs and VirtualHosts.
mod_dnssd is more full-featured, but relies on Avahi
(whose author is currently a bit miffed, incidentally),
so it might be simpler to try building the first one.
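As an added example of the NFS script mentioned above (mine, not the post’s or Sun’s code), this reads the Solaris sharetab and hands each NFS share to dns-sd -R in exactly the form the post uses. It assumes the sharetab field order is path, resource, fstype, options, description, and that dns-sd -R stays in the foreground for as long as the registration lives, so each share is backgrounded.

```shell
#!/bin/sh
# Added example: advertise every NFS share in the sharetab via dns-sd -R.
# Assumed sharetab layout (one share per line, whitespace separated):
#   path  resource  fstype  options  description
SHARETAB=${SHARETAB:-/etc/dfs/sharetab}

# Constructed sample sharetab (not a real host's), used for a dry run.
SAMPLE_SHARETAB='/export/torrents - nfs rw Sopranos
/export/home - nfs rw,anon=0 homes
/dev/dsk/c0t0d0s7 - smb - not-nfs'

# Read sharetab text on stdin; print "name path" for each NFS share.
# The service name is the last path component, the path goes in the TXT record.
nfs_shares() {
    awk '$3 == "nfs" { n = split($1, p, "/"); print p[n] " " $1 }'
}

# The argument list dns-sd will be given for one share, one argument per line,
# so it can be inspected (or tested) without actually registering anything.
dns_sd_args() {
    printf '%s\n' "-R" "$1" "_nfs._tcp" "." "2049" "path=$2"
}

# Register every NFS share. Each dns-sd -R is backgrounded because it keeps
# running until killed; killing this script's children withdraws the records.
advertise_all() {
    nfs_shares < "$SHARETAB" | while read -r name path; do
        dns-sd -R "$name" _nfs._tcp . 2049 "path=$path" &
    done
    wait
}

# Dry run: show what would be advertised from the constructed sample.
dry_run() {
    printf '%s\n' "$SAMPLE_SHARETAB" | nfs_shares | while read -r name path; do
        dns_sd_args "$name" "$path" | tr '\n' ' '
        echo
    done
}

if [ "${1:-}" = "advertise" ]; then advertise_all; else dry_run; fi
```

Run it with the argument advertise to register for real; without it, it only prints the dns-sd command lines it would run for the sample. It is a one-shot registration, so re-run it (after killing the old dns-sd processes) when the share list changes.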
my protocols. let me show you them.
If any of this sounds interesting, I’d highly recommend
Stuart Cheshire’s book – the first really good O’Reilly book I’ve read in years.
It nicely explains the low-level design of the protocols and how they strove to keep
it simple, portable and robust (yes, UPnP and Jini, I am looking at you) by reusing existing technologies as much as possible.
He gave a Google tech talk on zeroconf
that’s worth a look if you have an hour to kill, too.
Can you say what the dns-sd(1) command line tool can do besides telling mdnsd what services to advertise? Thanks
@Martin: I’ve put a copy of the b72 manpage up at: http://files.hellooperator.net/dns-sd.man.txt