DNS Update Proxy for mDNS

DNS Update Proxy

I recently published a new internet-draft, DNS Update Proxy for mDNS, that describes a way to do campus-wide service discovery as an alternative to the Discovery Proxy and the mDNS Discovery Relay.

The main difference is that, instead of delegating subdomains for each IP subnet and translating unicast queries into multicast queries, it pre-populates the unicast authoritative DNS server with every service it can discover, using DNS Update sent from a proxy that listens to multicast DNS.

This allows faster responses and support for DNSSEC with full NSEC next record semantics.
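As an added illustration (not code from the draft or from rupdateproxy), the following assumes a unicast zone example.com. and shows the two steps a proxy like this performs: rewriting names discovered under .local. into the unicast zone, and packaging the resulting PTR/SRV records into an RFC 2136 UPDATE message in wire format. Service instance labels are assumed to contain no dots.

```python
import struct

ZONE = "example.com."          # assumed unicast zone the proxy populates
OPCODE_UPDATE = 5              # RFC 2136 UPDATE opcode
TYPE_SOA, TYPE_PTR, TYPE_SRV = 6, 12, 33
CLASS_IN = 1

def encode_name(name):
    """Encode a dotted, fully qualified name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def to_unicast(name):
    """Rewrite a name discovered via mDNS under .local. into ZONE."""
    if not name.endswith(".local."):
        raise ValueError("not an mDNS name: " + name)
    return name[:-len("local.")] + ZONE

def rr(name, rtype, ttl, rdata):
    """One resource record for the update section (class IN = add)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_update(txn_id, services):
    """Build an RFC 2136 UPDATE adding discovered services to ZONE.

    services: list of (instance, service, port, target) tuples seen on the
    local link, e.g. ("printer", "_ipp._tcp.local.", 631, "printer.local.")."""
    updates, count = b"", 0
    for instance, service, port, target in services:
        svc = to_unicast(service)                  # _ipp._tcp.example.com.
        inst = instance + "." + svc                # printer._ipp._tcp.example.com.
        updates += rr(svc, TYPE_PTR, 4500, encode_name(inst))
        updates += rr(inst, TYPE_SRV, 120,
                      struct.pack("!HHH", 0, 0, port) + encode_name(to_unicast(target)))
        count += 2
    # Header: QR=0, opcode=UPDATE; ZOCOUNT=1, PRCOUNT=0, UPCOUNT=count, ADCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, OPCODE_UPDATE << 11, 1, 0, count, 0)
    # Zone section names the zone being updated (type SOA, class IN)
    zone = encode_name(ZONE) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone + updates

def parse_header(msg):
    """Return (opcode, zocount, prcount, upcount, adcount) from a wire message."""
    _, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return (flags >> 11) & 0xF, zo, pr, up, ad
```

A real proxy would additionally sign the message with TSIG or SIG(0) before sending it to the authoritative server, and delete records when the mDNS announcements expire.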

I'm looking for feedback and will also be working on code at the Hackathon @ IETF104 in Prague. Send me a note if you want to work on this MIT licensed code. No Rust knowledge necessary.

Here's a link to the code https://github.com/pusateri/rupdateproxy


discd

Overview

Discovery daemon (discd) is an implementation of the "Discovery Proxy for Multicast DNS-Based Service Discovery" specified as an internet draft of the IETF:

draft-ietf-dnssd-hybrid

It dynamically maps multicast DNS services into the unicast DNS name space. This allows remote service discovery requests to be answered when the querier is not on the same link local network as the service provider.

Traditionally, zero-conf networking (or Bonjour, as Apple Computer calls it) only provides answers to queries on the local network. This works great for home and small office (SOHO) networks but frustrates corporate and campus users when a device they want to communicate with is on another IP subnet for network scaling reasons.

By dynamically mapping the ever changing multicast DNS (mDNS) services into the unicast DNS namespace, it's possible to remotely query services through a proxy.

discd is that proxy.


iPhone/iPad TLS DNS Proxy

As Sarah Dickinson recently mentioned at DNS-OARC 27 in San Jose, CA, https://indico.dns-oarc.net/event/27/session/4/contribution/20, there is work in progress on a TLS DNS Proxy for the Apple iPhone/iPad running iOS 11 and above. It uses the new DNS Proxy Network Extension and, when enabled, sends all DNS requests to a resolver over TLS.

I expect this new DNS Network Extension to be available for macOS in a future release as well.

Check back here in a bit to see the status and sign up for beta testing.

UPDATE:

After receiving the following message on the Console, it appears that the only way to use the new DNS Proxy Network Extension in iOS 11 is through Mobile Device Management (MDM) Tools as a supervised device. This makes it impossible to install for the average user through the App Store.

Therefore, I am suspending this effort until this extension is more useful to a wider audience.

Oct  5 17:29:26 iPhone nehelper(NetworkExtension)[99] <Error>: -[NEHelperConfigurationManager:562  Warning: allowing creation/modification of a DNS proxy configuration on non-supervised device because the requesting app (DNS-TLS) is a development version. This will not be allowed for the production version of DNS-TLS

UPDATE 2:

An Apple representative confirmed this is currently only for supervised devices, but he seemed to indicate they are considering opening it up to all devices, with no assurances or timeline:

I’ve just confirmed that, as things currently stand, NEDNSProxyProvider is limited to supervised devices.  We have a bug on file (r. 34843801) requesting that this restriction be lifted.  I suspect that this will happen but, as per usual, I can’t make any specific promises about that, or about the timeline for this change.  It certainly wouldn’t hurt for each of you to file your own bug describing your use case, how this restriction is affecting you, and what workarounds you’ve resorted to.

UPDATE 3:

I posted the sample code on github here:

https://github.com/pusateri/DNS-TLS
