VPN Distributed DNS

For resource naming, we can use Multicast DNS (mDNS), allowing completely decentralised naming that is still somewhat familiar to programs that use regular DNS.

There isn’t a formally allocated top-level domain for mDNS, but port 5353 and the multicast addresses have been allocated to a specification that references .local, so we may be able to use that. There are also reserved names such as .test, which suits this, as it is an experiment.

Further, rather than being a single alternate root, it will be possible, and even desirable, for several services to claim the same name, and users will choose which one to resolve by digital signature.

It is possible to persuade Avahi to serve names over the VPN connections with the allow-point-to-point option.

We also want the reflector so names flood round the VPN mesh.

I have found that workstation publishing will give away the node’s public IPv6 address, so it may be desired to switch that off.

For your /etc/avahi/avahi.conf


In your /etc/nsswitch.conf change mdns4_minimal to mdns_minimal and mdns4 to mdns, so that IPv6 names are resolved over mDNS as well as IPv4 ones.

Doing that allows many programs to use names from the VPN.

Setting AVAHI_DAEMON_DETECT_LOCAL=0 in /etc/default/avahi-daemon is also desirable, to allow a .local zone file in the local nameserver to catch any requests that escape mDNS.

The system then publishes a name hostname.local resolving to the system’s anonymous fdxx:xxxx:xxxx:: address.

If the system hosts the Apache2 web server, installing libapache2-mod-dnssd gives a bit of customisability to the server’s announcements on the VPN.

	ln --symbolic ../mods-available/mod-dnssd.load /etc/apache2/mods-enabled/mod-dnssd.load
	ln --symbolic ../mods-available/mod-dnssd.conf /etc/apache2/mods-enabled/mod-dnssd.conf

Enabling the module without any additional configuration will give away the computer’s identity on the VPN. To prevent this, add the following options near the top of /etc/apache2/sites-available/default.

DNSSDAutoRegisterVHosts Off
DNSSDAutoRegisterUserDir Off

Next, mark the virtual host for export on the VPN by adding a DNSSDServiceName option to /etc/apache2/sites-available/hostname.local:

<VirtualHost *:80>
        ServerName hostname.local:80
        # Only this virtual host is announced on the VPN, under the given service name
        DNSSDServiceName "VPN Site"
</VirtualHost>

Publishing other names

I got a copy of the example publisher and found it is possible to announce arbitrary names into mDNS via avahi_entry_group_add_record.

	/* group, interface, protocol, flags, name, class (1 = IN), type (16 = TXT), TTL, rdata, rdata length */
	avahi_entry_group_add_record(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "www.example.local", 1, 16, 1, "\x07Example", 8);

This example announces a TXT record for www.example.local containing the single string "Example"; the leading \x07 is the length byte that DNS TXT rdata requires in front of each string.
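To make the numeric arguments of that call concrete, here is an added example (not the Avahi example publisher or any Avahi code) that builds the rdata bytes for a TXT record exactly as "\x07Example", 8 does, and goes one step further with an AAAA record for an IPv6 address of the kind the VPN uses; fd00::1 is a constructed sample address. It links against no Avahi library so it compiles stand-alone, with the real publishing call shown in a comment.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* DNS numbers as passed to avahi_entry_group_add_record(): class IN, types TXT and AAAA. */
#define DNS_CLASS_IN  1
#define DNS_TYPE_TXT  16
#define DNS_TYPE_AAAA 28
/* Build TXT rdata: each string becomes one length byte followed by its bytes,
   so "Example" turns into the 8 bytes "\x07Example". Returns the rdata size,
   or 0 if there are no strings, a string exceeds 255 bytes, or buf is too small. */
size_t txt_rdata(const char *const *strings, size_t n, uint8_t *buf, size_t cap)
{
    size_t used = 0;
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strings[i]);
        if (len > 255 || used + 1 + len > cap)
            return 0;
        buf[used++] = (uint8_t)len;
        memcpy(buf + used, strings[i], len);
        used += len;
    }
    return used;
}
/* Build AAAA rdata: the 16 raw bytes of an IPv6 address. Returns 16, or 0 on bad input. */
size_t aaaa_rdata(const char *addr, uint8_t *buf, size_t cap)
{
    if (cap < 16 || inet_pton(AF_INET6, addr, buf) != 1)
        return 0;
    return 16;
}

int main(void)
{
    uint8_t rd[512];
    const char *txt[] = { "Example" };
    size_t n = txt_rdata(txt, 1, rd, sizeof rd);   /* 8 bytes, matching "\x07Example", 8 */
    printf("TXT rdata for www.example.local: %zu bytes\n", n);
    /* With libavahi-client linked in, the record would be published as:
       avahi_entry_group_add_record(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0,
           "www.example.local", DNS_CLASS_IN, DNS_TYPE_TXT, 1, rd, n); */
    n = aaaa_rdata("fd00::1", rd, sizeof rd);     /* constructed sample ULA address */
    printf("AAAA rdata (type %d): %zu bytes\n", DNS_TYPE_AAAA, n);
    return 0;
}
```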