bonjour and solaris

Posted by Dick on September 12, 2007

I’ve been using zeroconf / bonjour / rendezvous for a while now.
I don’t have a DNS server (it isn’t much use without static DHCP entries, which my linksys doesn’t do),
so multicast DNS is a neat way to do the same job (if you said /etc/hosts, you lose).

I could have built mDNSResponder for Solaris, but
Nevada b72 has a multicast DNS SMF service
(README).
My boxes are either Macs or Solaris, so this is very handy indeed.

we don’ need no steenkin servers

mDNS is perfect for ‘link-local’ domain names (local subnet only, e.g. a home network) where a DNS server
would just be a pain to maintain.

hypnotoad% ping hypnotoad.local
ping: unknown host hypnotoad.local
hypnotoad% svcadm enable multicast/dns
hypnotoad% grep mdns /etc/nsswitch.dns
hosts: files dns mdns
ipnodes: files dns mdns
hypnotoad% pfexec cp /etc/nsswitch.dns /etc/nsswitch.conf
hypnotoad% ping -s hypnotoad.local
PING hypnotoad.local: 56 data bytes
64 bytes from 192.168.1.101: icmp_seq=0. time=0.291 ms
^C

The mDNS-using machines on my LAN (== all of them) can resolve that name now, and I can resolve theirs. No DNS, no static DHCP entries (and no /etc/hosts), but the names stick to the machines, which is exactly what I need.

it’s called security. perhaps you’ve heard of it?

If this rings alarm bells (what, you don’t want my mac posing as suicidegirls.com?)
then relax. mdnsd only responds to queries for ‘well-known’ zeroconf-related domains, specifically:

hypnotoad% svcprop -p nss_mdns_config/domain dns/multicast
local b.e.f.ip6.arpa a.e.f.ip6.arpa 9.e.f.ip6.arpa 8.e.f.ip6.arpa 254.169.in-addr.arpa
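As an added illustration (not from the post) of why that list is the security boundary: a hypothetical sh helper that applies the same kind of suffix rule the mDNS name service switch module uses to decide whether a lookup goes to mdnsd at all, including the reverse-lookup names a resolver asks for. Only .local and the link-local reverse zones (169.254.x.x and fe80::) ever reach multicast; the same idea applies to /etc/mdns.allow in the Ubuntu post further down.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): decide whether a name would be
# handled by mdnsd, using the domain list that
# 'svcprop -p nss_mdns_config/domain dns/multicast' printed above.
MDNS_DOMAINS="local b.e.f.ip6.arpa a.e.f.ip6.arpa 9.e.f.ip6.arpa 8.e.f.ip6.arpa 254.169.in-addr.arpa"

# mdns_allowed NAME -> exit 0 if NAME is, or is inside, one of the mDNS domains
mdns_allowed() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}                      # drop a trailing dot, if any
    for d in $MDNS_DOMAINS; do
        [ "$name" = "$d" ] && return 0
        # suffix match on a label boundary: "notlocal" must not match "local"
        [ "${name%.$d}" != "$name" ] && return 0
    done
    return 1
}

# ip4_rev A.B.C.D -> D.C.B.A.in-addr.arpa (the name a reverse lookup asks for)
ip4_rev() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# Constructed sample names: a LAN host, a public site, a near-miss, and the
# reverse names for a private address and a link-local one.
for n in hypnotoad.local suicidegirls.com notlocal \
         "$(ip4_rev 192.168.1.101)" "$(ip4_rev 169.254.7.9)"; do
    if mdns_allowed "$n"; then echo "$n: mdns"; else echo "$n: unicast dns only"; fi
done
```

So a host on the LAN can claim hypnotoad.local, but a query for suicidegirls.com (or the reverse name of a 192.168 address) never leaves the unicast resolver.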

You’ll need to allow multicast queries in and out of your firewall if you want to advertise anything,
so anyone using ipfilter will need to add these lines to /etc/ipfilter/ipf.conf:

pass in quick proto tcp/udp from any to 224.0.0.251 port mdns
pass out quick proto tcp/udp from any to 224.0.0.251 port mdns

(yup, ‘mdns’ made it into /etc/services)

Some people are twitchy about advertising their services (see below).
The way I see it, at worst it saves an attacker a port scan.
Nothing here makes your service less secure – you can still use SSL, authentication, etc.
(if you rely on hostnames for access control, you might want to pause before starting a debate about security).

this little light of mine, I’m gonna let it shine

Name resolution is nice, but the real point of zeroconf is service discovery.

Wherever possible you want to avoid users having to remember URLs, hostnames, etc.
I’m particularly interested in advertising network services to clients – Macs, obviously,
but also Linux (Ubuntu has particularly strong zeroconf support) and
even Windows boxen.

It’s extremely handy if you’re building network appliances.
I hated having to figure out what IP my NSLU2 had DHCPed for itself –
with mDNS installed, it just advertises its admin webapp as a service.

Things like Samba have their own browsing support, but there are plenty of other services –
FTP shares, ssh daemons, etc. – that can be made much more accessible with a little mDNS fairy dust.
Apple’s list has details.

The dns-sd(1) command line tool is a nice mDNS toolkit, and lets you tell mdnsd what services to advertise
(you also need to run the services you advertise, or your users will get pissed off pretty quickly).

For example,

dns-sd -R "Welcome, new users" _http._tcp . 80 path=/newusers/quickstart.html

will cause a new bookmark to pop up in Safari users’ ‘Bonjour bookmarks’ menu pointing to http://servername.local:80/newusers/quickstart.html

Similarly, something like:

dns-sd -R "Sopranos" _nfs._tcp . 2049 path=/export/torrents

makes your NFS shares appear under ‘Network’ in the OS X 10.4 Finder.

(word to the wise: NFS over 100Mbit is fast enough for viewing full screen VLC. Samba isn’t)

dns-sd is pretty handy for testing, but for production you probably want something more seamless.

For NFS, a simple script could poll the sharetab and advertise what it found.
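A hypothetical sketch of that idea, added here and not from the post: a sh function that reads the Solaris sharetab (fields: path, resource, fstype, options, description) and emits one dns-sd -R line per NFS share, named after the share description (falling back to the path) with a path= TXT record like the Sopranos example above. The sample sharetab is constructed; the real one lives at /etc/dfs/sharetab.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): turn NFS shares listed in a
# Solaris sharetab into 'dns-sd -R' advertisements. Fields are whitespace
# separated: path resource fstype options [description ...]
SHARETAB=${SHARETAB:-/etc/dfs/sharetab}

# nfs_advertise_cmds [sharetab] -> prints one dns-sd command per NFS share
nfs_advertise_cmds() {
    awk '$3 == "nfs" {
        name = $1                               # default: name it after the path
        if (NF >= 5) {                          # use the description when there is one
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
        }
        printf "dns-sd -R \"%s\" _nfs._tcp . 2049 path=%s\n", name, $1
    }' "${1:-$SHARETAB}"
}

# Constructed sample sharetab: two NFS shares (one with a description) and
# an SMB share that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/export/torrents - nfs rw Sopranos
/export/home - nfs rw,root=hypnotoad
/var/spool/smb - smb rw Not NFS
EOF
nfs_advertise_cmds "$sample"
rm -f "$sample"
```

Each dns-sd -R registration only lasts while that dns-sd process runs, so a production version would background each command and re-run the script whenever the sharetab changes.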

Apache has mod_zeroconf or mod_dnssd
to automatically advertise UserDirs and VirtualHosts.
mod_dnssd is more full-featured, but relies on Avahi
(whose author is currently a bit miffed, incidentally),
so it might be simpler to try building the first one.

my protocols. let me show you them.

If any of this sounds interesting, I’d highly recommend
Stuart Cheshire’s book
– the first really good O’Reilly book I’ve read in years.

It nicely explains the low-level design of the protocols and how they strove to keep
it simple, portable and robust (yes, UPnP and Jini, I am looking at you) by reusing existing technologies as much as possible.

He gave a Google tech talk on zeroconf
that’s worth a look if you have an hour to kill, too.

.local hero

Posted by Dick on November 21, 2005

The other day I grumbled about the WRT54G lacking static DHCP and an embedded DNS server.

So to shell into the Mac I first have to ping the network address to see what boxes are up, then shell into each of them in turn (telling them all my password if they ask, of course). Like a fricking caveman.

So, what to do?
Nessus mass OS fingerprinting seems a bit rude, host files are ridiculous. But I really want to see how far I can push my server-free lifestyle. BIND is out.

mDNS has looked interesting for a while, and here’s my excuse to try it.
Security had put me off before, but now we’re locked down tighter than a gnat’s chuff.
This was the whole point of having services elsewhere, I get to play around with relative impunity.

I found someone in an uncannily similar situation who’d set up mDNSResponder. That isn’t in Debian anymore (not even ‘non-free’) because of a licensing bunfight. (IANAL but this is what I hate about Debian – on NetBSD, ACCEPTABLE_LICENSES takes care of this.)
Luckily, I’ve already stomped off in a huff to use Ubuntu…

zero conf

On Breezy (edgy too – see below), enable universe. It’s what all the cool kids do.

sudo apt-get install mdns-scan

If I run ‘mdns-scan’, I can see all the Mac’s services (mostly iTunes related),
so it looks like the Linksys passes multicast between its wired and wireless VLANs
(your firewall also needs to allow UDP to 224.0.0.251 (multicast) port 5353).

$ sudo apt-get install libnss-mdns
$ # add 'mdns4' to the 'hosts' line in /etc/nsswitch.conf

Now macshostname.local resolves.

For an encore:

sudo apt-get install avahi-daemon

Now myhostname.local resolves to my public IP.

(UPDATE: on Edgy, avahi is now in main, but after a looong argument it turns out you’ll need to edit /etc/default/avahi-daemon and change 0 to 1. I’m not sure they really got the whole ‘zeroconf’ concept…)

NB: the readmes suggest sticking ‘mdns4’ after ‘dns’ in /etc/nsswitch.conf. This means that queries for .local go off to the DNS system before falling back to avahi. I think the other way round is better – avahi only responds for domains in /etc/mdns.allow anyway, so it’s no less secure.

(update: as of v0.8, nss-mdns has an extra module, libnss_minimal, that will only handle .local domains and zeroconf IPs (169.254.x.x) to address this)

next steps

This is so much better suited to my needs than fixed DHCP entries and BIND I am gobsmacked.
Feels like the jump from Java to Ruby.

Unless I have this back-asswards:

  • it doesn’t matter what IP the boxes get assigned, you can still find them
  • you can find boxes whether they’re connected over ethernet or wireless
  • you don’t need to update anything if new machines are installed
  • there is no single database/point of failure (BIND dying makes everything go tits up in my experience)

Of course, rogue boxes can spoof hostnames, but frankly if you do
host-based authentication you’re in no position to be lecturing anyone on security.
Servers/clients can of course use whatever secure mechanisms you want (unit tests vs. static typing :) )

If this sounds like something you could use, I can’t recommend the
O’Reilly zeroconf book highly enough. Or just watch Stuart Cheshire’s zeroconf Techtalk on Google Video.

My head is already buzzing with potential uses for Avahi’s DNS service discovery.

Sadly, the WRT54G only has a radio button to enable UPnP, a rival framework which makes Jini look lightweight…