[avahi] Multicast DNS and the Unicast .local Domain
Carsten Strotmann
carsten at strotmann.de
Fri Jun 19 10:19:59 PDT 2009
Hi,
I stumbled over the topic I describe below when I updated an Ubuntu
System from Version 8.04 to 9.04. Avahi refused to start because I have
a unicast ".local" domain in my network(s).
This behavior is documented as recommended for distributions in the
Avahi Wiki at
http://avahi.org/wiki/AvahiAndUnicastDotLocal
I think this is a not well thought out decision. It would be a good
decision if it would detect a "used" unicast ".local" domain, but in my
case, the ".local" domain is one of many "pseudo" domains that are
configured as "empty" DNS zones on all resolving DNS Servers on the
network edge (border to the Internet), to prevent any "pseudo TLD" like
".local" from being leaked into the Internet and hitting the Root DNS Server
System.
If you look at the DNS root server statistics (for example
l.root-servers.net ->
http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?plot=qtype_vs_all_tld&server=L-root
), you will see that ".local" is the most prominent pseudo Top Level
Domain that is hitting the root server system. There are other reasons
for this than just MDNS (like many Windows AD networks use ".local"
internally), however from my experience of doing DNS Audits in large
enterprise environments I know that some ".local" requests are triggered
by the existence of ".local" MDNS in the network (URLs in Documents,
registry keys, configuration files etc etc).
To prevent unnecessary traffic from going to the root dns server system and
to prevent internal data from leaking into the Internet, it would actually
be a good practice to have a ".local" unicast DNS domain on every resolving
DNS Server on the edge of a network with MDNS enabled internally. This
".local" Unicast domain would be an empty DNS zone.
To my knowledge there is no bulletproof way to detect whether the
".local" Unicast DNS zone is an empty one to prevent leakage, or a DNS
Zone "in use". One possible way could be to query for the SOA record and
disable MDNS (Avahi) only if the serial number is above a certain value
(as an empty ".local" zone will never change and might have a serial of
"0" or "1"). Maybe we can spark a discussion on this topic here on the ML
and collect some ideas from the MDNS community.
Thanks for listening.
Carsten Strotmann
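The SOA-serial heuristic proposed in the post, as an added example that is not part of the original mail or of Avahi: a constructed DNS wire-format reply for "local" (the form a resolving server would return, including a compression pointer) is parsed, the SOA serial is extracted, and mDNS is disabled only when that serial exceeds a threshold; an NXDOMAIN reply (no unicast .local at all) keeps mDNS enabled. The MNAME/RNAME values ns.local and hostmaster.local, the timers, and the default threshold of 1 are assumptions.

```python
import struct
SOA, IN = 6, 1  # RR type SOA, class IN

def encode_name(name):  # dotted name -> uncompressed DNS labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def decode_name(msg, off):  # labels at off, following compression pointers -> (name, next_off)
    labels, end = [], None
    while msg[off] != 0:
        length = msg[off]
        if length >= 0xC0:  # compression pointer: 2 bytes, top two bits set
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def build_soa_response(zone, serial, rcode=0):
    # constructed resolver reply: one SOA answer, or an empty reply with RCODE (3 = NXDOMAIN)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    if rcode:
        return header + question
    rdata = encode_name("ns." + zone) + encode_name("hostmaster." + zone)  # assumed MNAME/RNAME
    rdata += struct.pack("!IIIII", serial, 3600, 900, 604800, 86400)  # serial + assumed timers
    rr = b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata  # name = ptr to QNAME
    return header + question + rr

def soa_serial(msg):
    # serial of the first SOA answer; None when RCODE != 0 (no unicast .local) or no SOA present
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            p = decode_name(msg, decode_name(msg, off)[1])[1]  # skip MNAME and RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    return None

def disable_mdns(msg, threshold=1):
    # the post's rule: disable Avahi only if the unicast .local SOA serial exceeds the threshold
    serial = soa_serial(msg)
    return serial is not None and serial > threshold
```

A real check would feed the reply of a SOA query for "local" against the site's resolver into soa_serial; the threshold stays a heuristic, since nothing in the SOA proves the zone is empty.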