For resource naming we can use Multicast DNS (mDNS), which allows completely decentralised naming while still looking somewhat familiar to programs that use regular DNS.
There is no formally delegated top-level domain for mDNS in the public DNS root, but port 5353 and the multicast addresses are allocated to the mDNS specification, and that specification reserves the .local domain for the purpose, so we can use that. There are also reserved names such as .test, which suit an experiment like this.
Further, this is not meant to be a single alternate root: it will be possible, and even desirable, for several services to claim the same name, and users will choose which one to resolve by digital signature.
Avahi can be persuaded to serve names over the VPN's point-to-point links with allow-point-to-point=yes.
We also want the reflector, so that names flood around the VPN mesh. Restricting allow-interfaces to the VPN interfaces keeps Avahi, and therefore the reflector, off the local LAN, so LAN mDNS traffic is not bridged into the mesh.
I have found that workstation publishing gives away the node's public IPv6 address, so it may be desirable to switch that off.
In /etc/avahi/avahi-daemon.conf:

[server]
use-ipv6=yes
allow-interfaces=free0,free1,free2
allow-point-to-point=yes

[wide-area]
enable-wide-area=yes

[reflector]
enable-reflector=yes

[publish]
publish-workstation=no
In /etc/nsswitch.conf change mdns4_minimal to mdns_minimal and mdns4 to mdns, so that the IPv6 (AAAA) answers from mDNS are used and not only the IPv4 ones.
Doing that lets every program that resolves names through NSS use names from the VPN.
Setting AVAHI_DAEMON_DETECT_LOCAL=0 in /etc/default/avahi-daemon is also desirable: otherwise the Debian init script declines to start Avahi when it detects a unicast DNS server answering for .local, and we want exactly such a .local zone in the local nameserver to catch any lookups that escape mDNS, rather than letting them leak to upstream resolvers.
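The resulting hosts line, as an added illustration rather than a line quoted from the post (the surrounding entries are the usual Debian layout):

```conf
hosts: files mdns_minimal [NOTFOUND=return] dns mdns
```

mdns_minimal answers only for names under .local (and link-local reverse lookups), and the [NOTFOUND=return] action makes a .local name that mDNS cannot resolve fail right there instead of falling through to unicast dns; the trailing mdns lets mDNS answer for any other name that DNS does not know.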
The system then publishes the name hostname.local,
resolving to the system's anonymous unique-local (fdxx:xxxx:xxxx::, RFC 4193) VPN address rather than any public address.
If the system hosts the Apache2 web server, installing libapache2-mod-dnssd
gives some control over what the server announces on the VPN. Enable the module:
ln --symbolic ../mods-available/mod-dnssd.load /etc/apache2/mods-enabled/mod-dnssd.load
ln --symbolic ../mods-available/mod-dnssd.conf /etc/apache2/mods-enabled/mod-dnssd.conf
Enabling the module without any further configuration announces every virtual host and user directory, which gives away the computer's identity on the VPN. To prevent this, add the following near the top of /etc/apache2/sites-available/default, in the global server context before any <VirtualHost> block:
DNSSDAutoRegisterVHosts Off
DNSSDAutoRegisterUserDir Off
Next, mark the one virtual host that should be exported over the VPN, in /etc/apache2/sites-available/hostname.local, with an extra DNSSDServiceName option:
<VirtualHost *:80>
    ServerName hostname.local:80
    DNSSDServiceName "VPN Site"
</VirtualHost>
I got a copy of the example publisher and found it is possible to announce arbitrary names into mDNS via avahi_entry_group_add_record:
avahi_entry_group_add_record(group,
    AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC,  /* every interface and protocol Avahi is using */
    0,                                    /* publish flags */
    "www.example.local",
    AVAHI_DNS_CLASS_IN,                   /* 1 */
    AVAHI_DNS_TYPE_TXT,                   /* 16 */
    1,                                    /* TTL in seconds */
    "\x07Example", 8);                    /* rdata: one length-prefixed TXT string */
This example announces a TXT record against www.example.local. Nothing prevents any other node on the mesh from announcing the same name, or any name at all, which is why the scheme above resolves competing claims by digital signature rather than trusting the name itself.
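To make it plain why arbitrary names can be announced, here is the same announcement built at the wire level instead of through the Avahi API. This is an added example, not code from the original post or from Avahi: it constructs an unsolicited RFC 6762 response carrying the TXT record for www.example.local (the name, the text "Example" and the TTL are illustrative) and multicasts it to the mDNS group; every responder on the link, Avahi included, will take it into its cache without any credential being involved.

```python
"""Announce an arbitrary name into mDNS with a hand-built packet.

Added example (not from the original post or from Avahi). Builds the same
unsolicited TXT answer for www.example.local that the
avahi_entry_group_add_record() call publishes, as raw RFC 6762 bytes.
"""
import socket
import struct

MDNS_GROUP_V4 = "224.0.0.251"
MDNS_GROUP_V6 = "ff02::fb"
MDNS_PORT = 5353
CLASS_IN = 0x0001
CACHE_FLUSH = 0x8000     # RFC 6762 s10.2: receivers drop older cached records for this name/type
TYPE_TXT = 16
RESPONSE_FLAGS = 0x8400  # QR=1 (response), AA=1 (authoritative)


def encode_name(name):
    """DNS wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_txt(strings):
    """DNS-SD TXT rdata: <len><bytes> per string, each at most 255 bytes.
    RFC 6763 wants at least one string, so an empty list becomes one
    zero-length string."""
    if not strings:
        return b"\x00"
    out = b""
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("TXT string too long: %r" % s)
        out += bytes([len(raw)]) + raw
    return out


def build_announcement(name, txt_strings, ttl=4500, cache_flush=True):
    """One unsolicited mDNS response: id 0, no question, one TXT answer."""
    header = struct.pack("!HHHHHH", 0, RESPONSE_FLAGS, 0, 1, 0, 0)
    rdata = encode_txt(txt_strings)
    rclass = CLASS_IN | (CACHE_FLUSH if cache_flush else 0)
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_TXT, rclass, ttl, len(rdata)) + rdata
    return header + rr


def parse_announcement(packet):
    """Decode a packet of the shape build_announcement() makes (one answer,
    no name compression). Returns (name, ttl, txt_strings)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or qdcount != 0 or ancount != 1:
        raise ValueError("not a single-answer response")
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
    if rtype != TYPE_TXT:
        raise ValueError("not a TXT answer")
    rdata = packet[pos + 10:pos + 10 + rdlen]
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n].decode("utf-8"))
        i += 1 + n
    return ".".join(labels), ttl, strings


def send_announcement(packet, ifname=None):
    """Multicast the packet on the local link. Any mDNS responder there
    (Avahi included) accepts it into its cache; nothing authenticates the
    sender. With ifname the packet goes out over IPv6 on that interface."""
    if ifname is None:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
        s.sendto(packet, (MDNS_GROUP_V4, MDNS_PORT))
    else:
        idx = socket.if_nametoindex(ifname)
        s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, 255)
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, idx)
        s.sendto(packet, (MDNS_GROUP_V6, MDNS_PORT, 0, idx))
    s.close()


if __name__ == "__main__":
    import sys
    pkt = build_announcement("www.example.local", ["Example"])
    send_announcement(pkt, sys.argv[1] if len(sys.argv) > 1 else None)
    print("announced:", parse_announcement(pkt))
```

Run it with no argument to announce over IPv4, or with a VPN interface name (free0, say) to announce over IPv6 on that link. The cache-flush bit is set deliberately: it is what lets a later announcer displace an earlier one's records in every listener's cache, so a mesh that relies on mDNS names for anything security-relevant must verify the service behind the name, as the signature scheme above intends, rather than trust the name.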