I’m having trouble getting this to work. I’ve enabled it in server admin as described in http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c3ns34.html
Our office network has a private network of 10.x.x.x/24, and VPN clients connect to the same network and get addresses in the same range. VPN clients also use our internal DNS server, which has wide area Bonjour enabled with bonjour.mycompany.com. I can see it’s enabled in the zonefile /var/named/zones/db.mycompany.com.apple like this: lb._dns-sd._udp IN PTR bonjour.mycompany.com.
I can access the VPN clients from the office and vice versa, it’s just bonjour browsing that won’t work. All clients use the same internal DNS server. No firewalling.
I have also been trying to get this working – without success.
My struggles to get an elegant solution for mDNS over VPN tunnels have been going on since afp548 ran an article on mTunnel: https://www.afp548.com/forum/viewtopic.php?showtopic=3501
The original trouble being multicast/unicast over a VPN tunnel.
If you follow the background information on http://www.dns-sd.org/ServerSetup.html about getting wide-area Bonjour running with DNS, you notice the need for a shared secret (the documentation dates from the Tiger period).
Leopard Server was meant to roll all this in – for a simple implementation.
I am reluctant to start editing the dns conf from the command line – given that the Server Admin GUI then does not reflect the changes (read this on afp548, I think..).
To further confuse – if you access help from within Server Admin – you get information about setting up wide-area bonjour, telling you amongst other things, to input user/shared secret info – but the GUI does not match the documentation.
I posted on the Apple Forum last week about this: http://discussions.apple.com/thread.jspa?threadID=1820976&tstart=15
And also on the Bonjour mailing list. I got an answer from Marc Krochmal (Apple).
It turns out that the Server Admin GUI and/or wide-area Bonjour implementation was not completed in time for 10.5 Server GM – and has not been resolved/updated in subsequent updates.
From a GUI perspective, I had found using DNS Enabler from cutedgesoftware was actually easier to use than the Tiger Server DNS GUI (forwards, etc).
All-in-all very disappointing – I have a feeling of dread that I’ll have to fork over $999/server for Snow Leopard to get a working solution…
I saw your post actually, Apple fixed their docs now 🙂
Anyways, I got it working after reading up a bit on dns-sd.org.
Enabling wide area bonjour in server admin only adds the lb._dns-sd._udp resource record, which only sets the legacy browsing domain.
Manually adding in b._dns-sd._udp sets the default browsing domain, which e.g. Finder uses.
So, add that to your /var/named/db.example.com. like this:
;THE FOLLOWING INCLUDE WAS ADDED BY SERVER ADMIN. PLEASE DO NOT REMOVE.
$INCLUDE /var/named/zones/db.example.com.zone.apple
b._dns-sd._udp IN PTR example.com.
Do an ‘rndc -p 54 reload’, and the next time a client adds your DNS server it will see your wide area bonjour services 🙂
Having a shared secret and/or using authentication is only useful if you want clients to register themselves. I find it easier to use static service records.
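An added example, not from the thread: a complete zone fragment for a hypothetical example.com that combines the b._dns-sd._udp browse-domain record above with a static service record of the kind the post mentions. The host name, the 10.0.0.20 address and the share name are constructed placeholders.

```zone
; Added example (not from the thread). Wide-area Bonjour (DNS-SD) records
; for a hypothetical example.com zone served by BIND. All names, the
; address 10.0.0.20 and the share name "Office Files" are constructed.
$ORIGIN example.com.
$TTL 3600

; Browse-domain pointers. Clients look these up under their DNS search
; domain, so VPN clients need example.com as a search domain to find them.
; b  = default browse domain (the one Finder uses)
; lb = legacy browse domain (the only record Server Admin adds)
b._dns-sd._udp            IN PTR example.com.
lb._dns-sd._udp           IN PTR example.com.

; Optional: lets "dns-sd -B _services._dns-sd._udp example.com" list
; which service types are advertised in this domain.
_services._dns-sd._udp    IN PTR _afpovertcp._tcp.example.com.

; The host that runs the service (constructed address).
fileserver                IN A   10.0.0.20

; Static service record set for one AFP share. Three records are needed:
;   PTR  lists the instance under its service type
;   SRV  gives the target host and port (AFP = 548)
;   TXT  carries key/value attributes; must exist, "" is allowed
; A space in an instance name is written as \032 in the zone file.
_afpovertcp._tcp                 IN PTR Office\032Files._afpovertcp._tcp.example.com.
Office\032Files._afpovertcp._tcp IN SRV 0 0 548 fileserver.example.com.
Office\032Files._afpovertcp._tcp IN TXT ""

; After reloading the zone (rndc reload, as in the post), verify from a
; client before trusting what Finder shows:
;   dig @10.0.0.1 b._dns-sd._udp.example.com PTR    (10.0.0.1 = your DNS server)
;   dns-sd -B _afpovertcp._tcp example.com
```

Only records you put in the zone are advertised, so a stale SRV target keeps showing up in Finder until you edit the zone and reload; there is nothing for a client to deregister.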
Excellent – I’ll try your work around/addition.
I was interested to discover people discussing wide area bonjour – thought I’d just chime in with my two cents.
I have bind9 up and running with a dynamic zone delegated under my primary.
I can report that if you manage to get past the key generation and enter FQDNs in the first two fields, AND you are behind a compliant NAT (if you are behind a NAT) – that the clients will register A records and their services (other than iTunes – as a matter of policy, I gather). And it really is pretty sexy feeling to be able to browse services under a unicast domain wherever you happen to be – i.e. connecting to machines behind NAT via the Jaadu vnc client on my iTouch.
Meanwhile – if you are behind a bad NAT (read Linksys or any industrial grade NAT/Firewall) things get really ugly, especially if you try to throw lots of clients into the mix. On the Linksys the router does establish the route when it gets the UPnP command, but fails to properly report the handle back to the client… the result is that if you have a bunch of clients, they all try to get routes for their local port (i.e. 22 for ssh), and the first one to the party gets the route – but doesn’t know it got the route… even so – it registers its A record, and the service record it asked for, so whichever machine got to the party first gets the requests, no matter which A record you try to connect to… if you follow that, lol. This seems like a giant bug in Apple’s system right now. I’ve had great luck with most other consumer routers – and the Time Capsule here at the house is a dream – my PowerBook starts backing up to it wherever I happen to be, for example.
I have yet to get the currently distributed dnsextd (POSIX version) running properly on my Ubuntu distro (generates errors I don’t recall) – and come up with compile/link errors when I try to compile the current trunk… haven’t tracked that yet.
Meanwhile – I’m trying to circumvent the router problem (oh how I love Linksys) by connecting to my remote server using OpenVPN and rerouting all my traffic. So far – I can’t get the Wide Area client to use the foreign IP as its registration IP, even though all the named requests are shown in the log as coming from the remote addy and everything else (i.e. web browsing) seems to flow correctly. This is a non-bridged setup in the server, btw.
My impression is that, at least on the POSIX side of the world, Apple is in no rush to let third parties in on their little .mac parade – which is a disaster as I understand it.
If anyone else is pursuing this stuff, I’d be interested in chatting.
Best,
E