[avahi] breaking avahi through vpn

Lennart Poettering lennart at poettering.net
Wed Feb 15 06:50:11 PST 2006

On Sun, 12.02.06 15:23, Sebastien Estienne (sebastien.estienne at gmail.com) wrote:

> > I don't think it is feasible to implement something like this for
> > mDNS. In contrast to SMB servers mDNS responders never compile
> > something like a complete browse list, hence there is nothing two
> > servers could exchange.
> the idea would be to periodically browse for all available services
> (like service_type_browser, avahi-browse -a) and transfer the results
> over unicast to the other daemon.
> I agree that it may be a bit hackish though... and that unicast dns-sd
> (wide-area) is a better solution. We just lose the ease of setup as
> wide-area needs a dns server and configuration on each client
> (unicast domain + key/shared secret for publishing), that's why it's
> not really zeroconf as zero configuration.

DNSSEC is not a hard requirement of wide area DNS-SD. It's just that it
makes a lot of sense to combine these two.

The proper solution for what you suggest is probably to implement a
simple unicast DNS server which does wide area DNS-SD for you. That
simple DNS server would maintain a zone for local services and forward
all other queries to another internet DNS server. In addition it should be
able to sync the DNS-SD zone with another DNS server. Now announce
this mini server with DHCP or avahi-dnsconfd and all local clients
should automatically be able to make use of it. DNSSEC would be fully

(I must admit that this solution wouldn't work out of the box with
current avahi-daemon/avahi-dnsconfd because we don't support changing
the local publishing domain on-the-fly. But that's just a minor issue)

> - zerospan:
> http://www.zerospan.org/

This seems to be quite an interesting project. Looks like a giant
security hole.


Lennart Poettering; lennart [at] poettering [dot] net
ICQ# 11060553; GPG 0x1A015CC4; http://0pointer.net/lennart/
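
An added sketch of the answer-or-forward decision in the mini DNS server described in the message above; it is not code from the post or from Avahi. The zone name, the records and the `forward` callback are constructed assumptions, and only PTR lookups are served.

```python
import struct

ZONE = "services.example.net."   # constructed name for the local DNS-SD zone
PTR = 12                         # DNS record type PTR
# Constructed zone content: (lower-case owner name, type) -> PTR targets
RECORDS = {
    ("_services._dns-sd._udp." + ZONE, PTR): ["_ipp._tcp." + ZONE],
    ("_ipp._tcp." + ZONE, PTR): ["Office Printer._ipp._tcp." + ZONE],
}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def make_query(name, qtype, qid=0x1234):
    """Build a one-question query with RD set (used as sample input)."""
    head = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return head + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, end offset); reject truncated or compressed names."""
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        n = packet[pos]
        if n == 0:
            break
        if n > 63:
            raise ValueError("compressed or oversized label")
        labels.append(packet[pos + 1:pos + 1 + n].decode("latin-1"))
        pos += 1 + n
    if pos + 5 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels) + ".", qtype, pos + 5

def handle_query(packet, forward):
    """Answer names inside ZONE authoritatively; pass everything else upstream."""
    qname, qtype, qend = parse_question(packet)
    name = qname.lower()
    if not ("." + name).endswith("." + ZONE):    # match on a label boundary
        return forward(packet)
    targets = RECORDS.get((name, qtype), [])
    rcode = 0 if any(k[0] == name for k in RECORDS) else 3   # 3 = NXDOMAIN
    qid, qflags = struct.unpack("!HH", packet[:4])
    flags = 0x8400 | (qflags & 0x0100) | rcode   # QR + AA, RD copied from query
    out = struct.pack("!HHHHHH", qid, flags, 1, len(targets), 0, 0) + packet[12:qend]
    for t in targets:                            # owner name = pointer to offset 12
        rdata = encode_name(t)
        out += struct.pack("!HHHIH", 0xC00C, qtype, 1, 120, len(rdata)) + rdata
    return out
```

Names inside the local zone are never handed to the upstream resolver, even when they do not exist, so lookups for local services stay on the local server.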
