Friday, September 16, 2011

Fix linux DNS issues with .local addresses on MS domain

B.L.U.F.:

Microsoft uses .local as the recommended root of internal domains, and serves them via unicast DNS. Linux uses .local as the root of multicast DNS. If you're stuck on a broken MS network like this, reconfigure your Linux multicast DNS to use a different domain like .alocal.

To do this, add a "domain-name=.alocal" line to the "[server]" section of "/etc/avahi/avahi-daemon.conf", then restart avahi-daemon: "sudo service avahi-daemon restart".

# /etc/avahi/avahi-daemon.conf
[server]
domain-name=.alocal

You may need to flush the DNS, mDNS and resolver caches, as well as restart your web browsers to clear their internal cache.

Background:

I was seeing the strangest behavior on my work Linux box. I could look up local addresses, but not contact them in my browser. Turns out I could look them up but not ping them, either.

% host foo
foo.corp.local is an alias for bar.corp.local
bar.corp.local has address 10.1.2.3

% host foo.corp.local
foo.corp.local is an alias for bar.corp.local
bar.corp.local has address 10.1.2.3

% ping foo -q -c 1
PING bar.corp.local (10.1.2.3) 56(84) bytes of data.

--- bar.corp.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

% ping foo.corp.local
unknown host foo.corp.local

I spent a while thinking this was a resolver issue in /etc/resolv.conf, since I knew that was getting modified by the VPN. Everything was fine in the resolver. What I'd forgotten about was /etc/nsswitch.conf! The hosts line in /etc/nsswitch.conf lists mdns4_minimal before dns AND tells the resolver to return immediately on a "NOTFOUND" reply from mDNS, so a .local name that multicast can't answer never reaches unicast DNS.

# /etc/nsswitch.conf hosts line:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

We could side-step the problem by removing mdns4_minimal from the hosts search path, but then every mistyped .local name goes to unicast DNS and can hang until the DNS timeout expires. (OK, that's not a very bad side effect, but let's still fix it correctly.)
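To make that mechanism concrete, here is a small model of how the resolver walks the hosts line. It is an added example, not code from the original post. It assumes the documented nss-mdns behaviour for mdns4_minimal (it only answers for names ending in .local and reports UNAVAIL for anything else, so a bare "foo" falls through to the next source); the host tables and the corp.local search domain are constructed sample data.

```python
"""Model of how glibc walks the "hosts:" line of /etc/nsswitch.conf.

Added example, not code from the original post. The nss-mdns behaviour
modelled for mdns4_minimal (answers only for names ending in ".local",
UNAVAIL for everything else) follows the nss-mdns documentation; the host
tables below are constructed sample data.
"""
import re

# Constructed sample data: what each source can actually answer.
FILES_HOSTS = {"localhost": "127.0.0.1"}             # /etc/hosts
UNICAST_DNS = {"foo.corp.local": "10.1.2.3",         # the MS unicast .local zone
               "bar.corp.local": "10.1.2.3"}
MDNS_RESPONDERS = {"printer.local": "192.168.1.20"}  # genuine multicast hosts
SEARCH_DOMAIN = "corp.local"   # as if /etc/resolv.conf said "search corp.local"

SUCCESS, NOTFOUND, UNAVAIL = "SUCCESS", "NOTFOUND", "UNAVAIL"
# glibc defaults when the hosts line gives no explicit [STATUS=action].
DEFAULT_ACTIONS = {NOTFOUND: "continue", UNAVAIL: "continue"}


def parse_hosts_line(line):
    """'hosts: files mdns4_minimal [NOTFOUND=return] dns' ->
    [('files', {}), ('mdns4_minimal', {'NOTFOUND': 'return'}), ('dns', {})]"""
    spec = line.split(":", 1)[1]
    entries = []
    for m in re.finditer(r"\[([^\]]*)\]|(\S+)", spec):
        if m.group(2):                       # a source name
            entries.append((m.group(2), {}))
        else:                                # an action block for the previous source
            for pair in m.group(1).split():
                status, action = pair.split("=")
                entries[-1][1][status.upper()] = action.lower()
    return entries


def query_source(source, name):
    """Return (status, address) the way the NSS module for `source` would."""
    if source == "files":
        return (SUCCESS, FILES_HOSTS[name]) if name in FILES_HOSTS else (NOTFOUND, None)
    if source == "dns":
        # The stub resolver applies the search list to single-label names.
        candidates = [name] if "." in name else [f"{name}.{SEARCH_DOMAIN}", name]
        for cand in candidates:
            if cand in UNICAST_DNS:
                return (SUCCESS, UNICAST_DNS[cand])
        return (NOTFOUND, None)
    if source in ("mdns4_minimal", "mdns4"):
        # The minimal module only handles *.local; anything else is UNAVAIL,
        # which is why a bare "foo" still falls through to dns.
        if source == "mdns4_minimal" and not name.endswith(".local"):
            return (UNAVAIL, None)
        # A *.local name is sent to multicast. A unicast-only .local zone never
        # answers on multicast, so the module reports NOTFOUND.
        if name in MDNS_RESPONDERS:
            return (SUCCESS, MDNS_RESPONDERS[name])
        return (NOTFOUND, None)
    raise ValueError(f"unknown NSS source {source!r}")


def trace(hosts_line, name):
    """Walk the sources in order; return [(source, status, action, address), ...]
    up to the source that stopped the lookup."""
    steps = []
    for source, actions in parse_hosts_line(hosts_line):
        status, addr = query_source(source, name)
        action = "return" if status == SUCCESS else actions.get(status, DEFAULT_ACTIONS[status])
        steps.append((source, status, action, addr))
        if action == "return":
            break
    return steps


def resolve(hosts_line, name):
    """Address the lookup ends with, or None if every consulted source failed."""
    steps = trace(hosts_line, name)
    if steps and steps[-1][1] == SUCCESS:
        return steps[-1][3]
    return None


BROKEN = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"
FIXED = "hosts: files dns"

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        print(line)
        for name in ("foo", "foo.corp.local", "printer.local"):
            path = " -> ".join(f"{s}:{st}/{a}" for s, st, a, _ in trace(line, name))
            print(f"  {name:16} {resolve(line, name) or 'unknown host':14} [{path}]")
```

Run it and the two symptoms from the transcript fall out of the model: under the stock line, "foo" resolves (mdns4_minimal says UNAVAIL, dns applies the search domain), while "foo.corp.local" dies at mdns4_minimal with NOTFOUND=return before dns is ever asked. The "files dns" line fixes that but also shows the trade-off the paragraph mentions: a real mDNS host like printer.local now goes to unicast DNS and fails there.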

Dig a little deeper into .local and mDNS, and you'll find Avahi. Avahi "facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite," what Apple calls Bonjour or Zeroconf. They have a warning page about unicast .local DNS zones that gets to the crux of the problem: Linux has mDNS (multicast DNS) support configured for .local, but Microsoft support suggests using .local with unicast DNS. The two don't get along at all.

mDNS/DNS-SD is inherently incompatible with unicast DNS zones .local. We strongly recommend not to use Avahi or nss-mdns in such a network setup. N.B.: nss-mdns is not typically bundled with Avahi and requires a separate download and install.
-- Avahi and Unicast Dot Local wiki page

Fixes:

  1. Move Avahi's mDNS domain from .local to a different name (e.g. .alocal).
  2. Or remove mDNS from the hosts line in /etc/nsswitch.conf, or remove the nss-mdns module.

For the former, add a domain-name=.alocal line to the [server] section of /etc/avahi/avahi-daemon.conf, then restart avahi-daemon: sudo service avahi-daemon restart.

If that doesn't work (and you restarted your browsers, with their insidious DNS cache, right?) you can try removing mDNS from the hosts entry in /etc/nsswitch.conf. Replace this line:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

with this line:

hosts: files dns
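Both fixes (the one in the B.L.U.F. and the two listed above) are plain text edits, so here is an added example, not the post's own code, that applies them to configuration text: set domain-name under [server] in avahi-daemon.conf, and strip the mdns entries from the hosts line of nsswitch.conf. The sample configuration strings are constructed in the shape of the stock files; on a real box you would read and write the files under /etc and then restart avahi-daemon as described above.

```python
"""Apply the two fixes from the post to configuration text.

Added example, not code from the original post. The sample config strings
are constructed; a real run would read/write /etc/avahi/avahi-daemon.conf
and /etc/nsswitch.conf and then restart avahi-daemon.
"""
import re

# Matches a live or commented-out "domain-name=" line.
DOMAIN_LINE = re.compile(r"^#?\s*domain-name\s*=")
# Strips " mdns4_minimal [NOTFOUND=return]", " mdns4", " mdns6", ... from a hosts line.
MDNS_ENTRY = re.compile(r"\s+mdns\S*(\s+\[[^\]]*\])?")


def set_avahi_domain(conf_text, domain=".alocal"):
    """Return conf_text with domain-name=<domain> in the [server] section.

    An existing domain-name line there, commented out or not, is replaced in
    place; otherwise the setting is appended at the end of the section, and the
    section is created if missing. Every other line is kept verbatim so the
    file's comments and layout survive the edit.
    """
    out, section, done = [], None, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if section == "server" and not done:      # leaving [server] without a hit
                out.append(f"domain-name={domain}")
                done = True
            section = stripped[1:-1]
        elif section == "server" and DOMAIN_LINE.match(stripped):
            if not done:
                out.append(f"domain-name={domain}")
                done = True
            continue                                   # drop stale duplicates
        out.append(line)
    if not done:
        if section != "server":
            out.append("[server]")
        out.append(f"domain-name={domain}")
    return "\n".join(out) + "\n"


def fix_nsswitch_hosts(nsswitch_text):
    """Remove every mdns* source (and its trailing [..] action) from the hosts line."""
    fixed = []
    for line in nsswitch_text.splitlines():
        if re.match(r"\s*hosts\s*:", line):
            line = MDNS_ENTRY.sub("", line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


# Constructed samples in the shape of the stock Ubuntu files.
SAMPLE_AVAHI = """[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes

[wide-area]
enable-wide-area=yes
"""

SAMPLE_NSSWITCH = """passwd: files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
"""

if __name__ == "__main__":
    print(set_avahi_domain(SAMPLE_AVAHI))
    print(fix_nsswitch_hosts(SAMPLE_NSSWITCH))
```

Applying set_avahi_domain a second time returns the same text, so it is safe to re-run from a provisioning script; the nsswitch helper only touches the hosts line and leaves passwd, group and the rest alone.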

18 comments:

Anonymous said...

Thank you sooooooo much! You are a genius! I've spent too much time trying to solve this problem using Windows 2011 server with several Windows computers and Mac and Linux as well. The last two types didn't work solving local names but the Windows ones yes. Now ALL of them work well! Cheers!

Anonymous said...

Worked like a charm, thanks!

Zoredache said...

> Microsoft uses .local as the recommended root of internal domains

Microsoft officially suggests you do NOT use .local. Unfortunately there is a lot of poor 3rd party material suggesting it.

See: http://technet.microsoft.com/en-us/library/cc738121%28WS.10%29.aspx

Using single label names or unregistered suffixes, such as .local, is not recommended.

Andrew Grangaard said...

Zoredache, thanks for your comment and link! Looks like it isn't Microsoft that's pushing .local, but some bad cargo-cult copying?

"Using single label names or unregistered suffixes, such as .local, is not recommended." -- http://technet.microsoft.com/en-us/library/cc738121%28WS.10%29.aspx

Anonymous said...

Here's a link for Windows Server 2008 and Windows Server 2008 R2. No real change compared to the Windows Server 2003 documentation.

technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx

Anonymous said...

Hi, thanks for this post!

Anonymous said...

OMG!!!!! This is what I have been working to resolve for literally days on end.

Thank you!!! Thank you!!! Thank you so much for your post. I am glad I found your post.

YOU ARE MY ANGEL!!!!

David Wu said...

You sir are the man!

Anonymous said...

Thank you!!!!
I got in a mess (probably after installing wine/playonlinux). Wasted a few hours already. Thanks to your post I got my local domain resolution working again.

Dave Messenger said...

Good post, I was wondering what the hell is going on!

Cheers

Anonymous said...

Andrew:
I just set up a CentOS 7 forwarding DNS server.

All is well except .local resolutions point to non-existent domains.

Avahi is not running and I disabled multicast.

Please share your thoughts.

Lakshmi

Anonymous said...

I forgot to mention that dig and nslookup succeed on DNS box but not from windows clients

Sam said...

Thank you !!!!
I got in a mess. Wasted a few hours already. Thanks to your post I got my local domain resolution working again.
Thanks again.

Elin said...

Thanks! That has resolved a few network problems at once for me both at home and at work.

Anonymous said...

Dude you rock! Thanks for a succinct answer. Personally I consider this an Ubuntu bug as I don't use the .local functionality in Ubuntu and Microsoft networks are so common.

Anonymous said...

You're the man now dog. This was absolutely essential information during a Raspberry Pi setup on my local network. Thanks so much.

Matt said...

Sweet! Ran into this recently on a Cent box and it drove me insane for about a day.