Note: Because this is an experimental feature, we cannot provide technical support for this setup. If you need assistance, check out the Dyn Community.
The recommended method for updating your Dynamic DNS host is the Dyn Updater.
Dyn had been conducting a beta of Wide Area Bonjour and DNS Service Discovery support for Dyn Standard DNS. Learn more about Bonjour and how to use it below.
What is Bonjour?
Bonjour is an Apple technology enabling Zero Configuration Networking.
Have you ever noticed that your Mac OS X laptop could automatically discover available printers on a new wireless network you connected to, or how iTunes could magically see other iTunes music libraries on the network and let you stream music instantly? Bonjour makes this all possible.
Remote Access via manual port forwarding and dynamic DNS update clients
For several years, users have been able to use this “plug and play” technology on the local area network, automatically connecting devices together and having them discover each other. If you wanted to access your services and devices from outside of your LAN, you had a few more steps to follow:
- Setting up a reserved DHCP lease or static internal IP address for your internal device or service
- Configuring port forwarding on your home gateway, wireless access point, or broadband router, effectively punching a static hole so that your port 80 on your external WAN IP maps to port 80 for the internal IP address of your device
- Configuring Dynamic DNS in your home gateway or using one of our update clients to keep your dynamic DNS hostname up to date with your latest WAN IP
- Cross your fingers…
- Send the URL for your device or service to your friends or family, or hope to remember it yourself (sometimes, these can get quite ugly, like http://my-hostname.dyndns.org:8081/login.app. Try remembering that!).
This is a complicated process, and there has to be a better way.
Dynamic DNS with Bonjour
Wouldn’t it be great if when we plugged in a new network camera on our LAN, it was automatically discoverable and ready for access? Not just from the LAN, but from the Internet as well? Granted, we would still want to enter our username and password in order to see the video from the camera, but it should be able to FIND the camera so we can enter in the username and password to see the video!
The trick to making automatic service discovery and sharing work over the Internet is a Bonjour-capable DNS server. The Dyn Standard DNS service is also a Wide Area Bonjour-capable DNS server, allowing you to remotely access your dynamic global hostname and all of your shared services automatically from anywhere on the Internet.
With Bonjour and Dyn, we can configure remote access for our LAN services and devices as follows:
- Tell your service or device how to authenticate with your account on Dyn to access your Dyn Standard DNS service
- That’s it!
Thanks to ZeroConf, Bonjour, NAT-PMP, and DNS-SD, your device or service will automatically configure its internal IP address, enable port forwarding in your home gateway, register a hostname in your account at Dyn, and configure your service for automatic discovery with Wide Area Bonjour. Users need only know your Dyn Standard DNS zone name to successfully browse for your services.
Getting Started
First, let’s make sure you have all of the requirements for Wide Area Bonjour in place:
- A domain name of your own (e.g., example.com)… if you don’t have one, register one now.
- Dyn Standard DNS service, fully configured for your domain… if you don’t have it, purchase now.
- A computer running Mac OS X 10.5 (Leopard) or later
Note on the Apple AirPort: If you’re just looking to make dynamic DNS work with your Apple AirPort Extreme or Apple AirPort Express device, you may be interested in a shorter tutorial that does not involve automatic service discovery.
Note on DynDNS Pro: We currently do not support Wide Area Bonjour on our DynDNS Pro services. You must use Dyn Standard DNS with your own domain name for this to work properly.
Setup Your Dyn Standard DNS Zone for updates
Software and devices enabled with Bonjour do NOT use the DynDNS HTTP Update API [IETF Draft] to dynamically update DNS servers. Instead, they use the DNS Update [RFC 2136] protocol combined with TSIG security [RFC 2845].
Your Dyn Standard DNS zone requires a couple of special records to enable these devices to find where and how to update Dyn with your information.
- Enable the Expert Interface in Dyn Standard DNS
- Under Zone Level Services, select the Dyn Standard DNS zone that you wish to enable for updates.
- In the upper-right corner of the zone page, you will see a button labeled Preferences. Please click this to view your zone’s settings.
- On the Preferences page, you will see a button labeled Enable Expert Interface in the lower-right corner. Please click this to change your interface type from Standard to Expert (you can change this back at any time).
- You should be returned to the configuration page for your Dyn Standard DNS service. Your records will be displayed as shown at left, in a format closer to the layout of records in BIND.
- Create a SRV record within the Dyn Standard DNS zone so that your Apple devices can discover where to send their updates. Set the values to the following:
(Record table: Host, TTL, Type, Data)
This record instructs Apple dynamic update devices where to find the target host and port for Dyn’s update services. The record is required because the devices by default will attempt to perform their dynamic updates at your zone’s name server (e.g., ns1.mydyndns.org) on port 53, but Dyn operates its TSIG server at update.dyndns.com on port 53. Further details are available at the registry of DNS-SD service types.
- Create five PTR records within the Dyn Standard DNS zone. While these are not strictly required for dynamic updates, they are required if you wish to use the Wide Area Bonjour and DNS Service Discovery features built into Apple products in the future. Set the values as follows (example shown at left), but be sure to use your zone name as the value for Data:
(Record table: Host, TTL, Type, Data)
These records tell Wide Area Bonjour clients how to browse your zone for services (‘b’ for browse, ‘lb’ for legacy browse, and ‘db’ for default browse) and register their own services (‘r’ for register and ‘dr’ for default register). For more details on the usage and meaning of each record, see the DNS Service Discovery web site.
- When you’re finished, you will have six additional records in your Dyn Standard DNS zone.
Setup Your Dynamic Global Hostname in Mac OS X
Now that your Dyn Standard DNS zone is configured to receive dynamic updates from Mac OS X, we can configure Mac OS X to send updates to Dyn.
- In System Preferences, open the Sharing panel.
- Under Computer Name, click Edit….
- Locate the Hostname, User, and Password fields. This is where we will populate the settings from Dyn and enable your dynamic global hostname (just a fancy term for a hostname that supports dynamic DNS updates and is visible to the global Internet).
- Populate the Hostname field with your full hostname from your Dyn Standard DNS service. This would typically be “your-computer-name.your-custom-dns-zone.com”. The User and Password fields are NOT the Dyn account username and password! Instead, they refer to a special type of authentication for dynamic DNS updates called Transaction Signature, or TSIG. Retrieve your TSIG information from your TSIG account settings page, populate the User and Password fields as shown in the diagram, and then click OK.
Verify Your Dynamic Global Hostname is Working
Your Dyn Standard DNS zone should now be updated to include the global dynamic hostname you selected. Verify this hostname is correctly created and has the correct IP address by refreshing your Dyn Standard DNS settings page.
Configuring Clients to Browse Your Services with Bonjour
There are several options available for configuring clients:
- Set up the DNS search domains on each client manually
- Configure your DHCP server to populate the DNS search domains
- Use the Apple Bonjour application to configure browse domains on each client manually
The best solution is to configure your Dyn Standard DNS zone as one of the “Search Domains” in DNS, either manually or by configuring your DHCP server appropriately. Simple instructions to configure your search domain on Mac OS X and Windows are included on the DNS Service Discovery web site. It is important to have completed the installation of the five PTR records in your Dyn Standard DNS zone as described above in “Setup Your Dyn Standard DNS Zone for updates” so your computer can browse for services within the zone.
An alternative solution for Mac OS X and Windows is to use the Apple Bonjour utility and configure the Browsing tab. By adding your Dyn Standard DNS zone to the Browsing tab, your computer will discover services advertised in that zone.
Once you’ve configured your client(s) for browsing, you can now browse for services. The recommended way to get started with browsing services is with Bonjour Browser on Mac OS X. With this graphical utility, you can easily see all advertised services, and then double-click on any service to connect to it with the appropriate application.
- The Bonjour Browser allows you to graphically discover all service types in Mac OS X. To access any service, simply open that portion of the service tree, and double click on the instance name in bold.
DNS Service Discovery for SSH
Now that your computer can successfully register itself in your Dyn Standard DNS service and you’ve configured at least one client for browsing, let’s enable some services for discovery. We’ll demonstrate Remote Login via SSH.
Note: Be sure you have a strong password on your account, and are familiar with how to use SSH before enabling SSH service discovery.
- In the Sharing panel of System Preferences, turn on Remote Login, and select which usernames will be allowed access. If you wanted to login to your computer using SSH from inside the LAN, you can see that the panel tells you which username and internal 192.168.X.X IP address to use. Since we enabled Wide Area Bonjour with Dyn, we don’t have to remember any of the specifics, we just need to know our Dyn Standard DNS zone.
- To browse within Terminal, go to Shell -> New Remote Connection.
- Select the desired service instance to connect to, populate your username, and then connect. Note that Bonjour automatically populated the external port for this service, even if it was dynamically configured by NAT-PMP as a forwarded port on your home gateway device!
Additional Notes and Resources
Valid Characters Limited To Lowercase ASCII, Numerals and Hyphens
While local Bonjour and Wide Area Bonjour with BIND currently support uppercase, lowercase, and arbitrary UTF-8 encoded characters for their instance names, the current Dyn implementation does not. Only lowercase ASCII characters, numerals, and hyphens are allowed. To assist users with this limitation, the Dyn TSIG server will automatically transcode any characters it cannot process during each update.
For instance, if you advertise an HTTP service instance named “My Personal Web Site” with Dyn Standard DNS and Wide Area Bonjour, users will discover this as “my-personal-web-site”. We hope to overcome this data format limitation in the future.
Documentation, Mailing Lists, and FAQs
Tools and Utilities
Community Support
Once your setup is complete, your global dynamic hostname will start updating at Dyn. If you need further assistance, you can reach out to the experts in the Dyn Community.
Bonjour, the Bonjour logo, and the Bonjour symbol are trademarks of Apple Inc.
Bonjour is a networking technology that allows devices to automatically discover each other without any configuration. In the first release, Bonjour operated on the local network to provide ad-hoc discovery for applications and devices. Starting in Mac OS X v10.4 Tiger and Bonjour for Windows, a network administrator can set up a Bonjour name server to enable wide-area capable devices and applications to discover services anywhere in the world. This document will explain how to set up a machine running Mac OS X to act as a Bonjour name server to facilitate wide-area discovery on your network. You can also use Linux, Solaris, or any other Unix-style operating system that can run the BIND name server. If you want clients to be able to browse to discover specific services of your choosing, but you don't want to allow individual machines to dynamically register their services, you can also manually add Bonjour service discovery records to your existing name server.
Introduction
Wide-Area Bonjour uses DNS Service Discovery [DNS-SD] along with DNS Update [RFC 2136] and TSIG security [RFC 2845]. Like most Linux distributions, Mac OS X includes the standard BIND DNS Server (named), which supports DNS Update. It's also recommended that you run the dnsextd daemon (also included in Mac OS X). The dnsextd daemon implements two DNS extensions that enhance service discovery:
- DNS Long-Lived Queries [DNS-LLQ] allow clients to be immediately notified when new services are added or removed from the server. Without Long-Lived Queries, clients would have to poll periodically (e.g., once an hour) to find out when services become available.
- DNS Update Leases [DNS-UL] impose a time limit on record updates, so that service registrations are automatically deleted if the client crashes or goes away unexpectedly. Using standard DNS Update without Update Leases, records remain on the server forever, until deleted manually by the server operator.
You can use wide-area Bonjour without running dnsextd, and it will still work, but with the two limitations above.
The instructions below should be enough for someone experienced with DNS to set up a DNS server configured for Wide Area Bonjour, but if you've never set up a DNS server at all before and you find it a little confusing, DNS and BIND, Fourth Edition is a great guide that tells you everything you need to know about setting up and configuring named, the Berkeley Internet Name Daemon (BIND).
Service Registration Zone for Wide-Area Bonjour
First, you need to pick a name for your wide-area Bonjour zone, the domain in which clients will browse and register. This should be a subdomain of your organization's domain. For example, if your organization's domain is 'apple.com', your service registration zone could be 'bonjour.apple.com'.
Shared Secrets
Without a shared secret, anyone who has access to your Bonjour name server can make registrations. This may be acceptable in some situations, like behind a firewall when you trust all the people who have access to your server. You may also want to run this way if you're just experimenting with the technology to get a feel for how it works, but normally when running an operational Wide-Area Bonjour service you'll want to set up your name server to accept updates only from authorized clients. The way a client proves it's authorized is by using a DNS TSIG record to sign its update packets using the proper shared secret for that domain [RFC 2845].
You can use the dnssec-keygen command-line tool to generate a random shared secret. This command creates two files. We'll pull the shared secret from the .key file. After we copy and paste this key into our BIND configuration file, delete the files generated by the tool so that you don't accidentally leave them lying around for someone to find. Execute the command with the following arguments, substituting your own zone name: The following shows how to generate a shared secret for the 'bonjour.example.com' domain.
For the domain 'bonjour.example.com', our shared secret is 'CnMMp/xdDomQZ4TelKIHeQ'. For more information about the dnssec-keygen command, please see the manual page.
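As an added illustration (not Apple's or Dyn's code) of what the TSIG-signed DNS Update described in "Setup Your Dyn Standard DNS Zone for updates" and in this section carries on the wire, the following Python script builds an RFC 2136 UPDATE message, signs it with a TSIG record, and performs the server-side check that rejects a wrong key, a tampered message, or a replay outside the fudge window. It uses the HMAC-SHA256 TSIG algorithm from RFC 4635 instead of RFC 2845's HMAC-MD5 (the record layout is the same), and the zone, hostname, address and secret are constructed sample values.

```python
import base64, hashlib, hmac, struct, time

# TSIG algorithm for this example: HMAC-SHA256 from RFC 4635. RFC 2845 itself mandates
# HMAC-MD5 (name "hmac-md5.sig-alg.reg.int."); the record layout is identical.
TSIG_ALG, DIGEST = "hmac-sha256.", hashlib.sha256
DSIZE = DIGEST().digest_size                      # 32 bytes for SHA-256
TSIG_TYPE, CLASS_ANY = 250, 255
# Constructed demo secret; a real one comes from dnssec-keygen or the Dyn TSIG settings page.
DEMO_SECRET_B64 = base64.b64encode(b"constructed demo secret, not a real key").decode()

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(zone, host, ip, msg_id=0x1234, ttl=60):
    """RFC 2136 UPDATE that adds an A record for host in zone (no prerequisites)."""
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack(">HH", 6, 1)          # zone section: SOA IN
    rdata = bytes(int(o) for o in ip.split("."))
    a_rr = encode_name(host) + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata  # A IN ttl
    return header + zone_sec + a_rr

def tsig_mac(message, key_name, secret_b64, signed_at, fudge):
    """MAC over the message plus the TSIG variables (RFC 2845 section 3.4.2)."""
    mac = hmac.new(base64.b64decode(secret_b64), message, DIGEST)
    mac.update(encode_name(key_name) + struct.pack(">HI", CLASS_ANY, 0))  # name, class, TTL
    mac.update(encode_name(TSIG_ALG))
    mac.update(struct.pack(">HIHHH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge, 0, 0))
    return mac.digest()

def tsig_sign(message, key_name, secret_b64, signed_at=None, fudge=300):
    """Client side: append a TSIG RR to the additional section and bump ARCOUNT."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    digest = tsig_mac(message, key_name, secret_b64, signed_at, fudge)
    rdata = (encode_name(TSIG_ALG)
             + struct.pack(">HIHH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge, DSIZE)
             + digest + message[0:2] + struct.pack(">HH", 0, 0))  # original ID, error, other len
    rr = encode_name(key_name) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", message[10:12])[0] + 1
    return message[:10] + struct.pack(">H", arcount) + message[12:] + rr

def tsig_verify(signed, key_name, secret_b64, now):
    """Server side: strip the TSIG RR, enforce the time window, recompute and compare the MAC."""
    # Tail of the RDATA we emit: time(6) fudge(2) macsize(2) mac(DSIZE) origid(2) error(2) otherlen(2)
    signed_at = int.from_bytes(signed[-(DSIZE + 16):-(DSIZE + 10)], "big")
    fudge, mac_size = struct.unpack(">HH", signed[-(DSIZE + 10):-(DSIZE + 6)])
    mac = signed[-(DSIZE + 6):-6]
    rr_len = len(encode_name(key_name)) + 10 + len(encode_name(TSIG_ALG)) + DSIZE + 16
    body = signed[:-rr_len]
    arcount = struct.unpack(">H", body[10:12])[0] - 1
    unsigned = body[:10] + struct.pack(">H", arcount) + body[12:]
    if abs(now - signed_at) > fudge:
        return False                                   # BADTIME: outside the replay window
    expected = tsig_mac(unsigned, key_name, secret_b64, signed_at, fudge)
    return mac_size == len(expected) and hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    msg = build_update("bonjour.example.com.", "mymac.bonjour.example.com.", "203.0.113.7")
    signed = tsig_sign(msg, "bonjour.example.com.", DEMO_SECRET_B64)
    print("valid:", tsig_verify(signed, "bonjour.example.com.", DEMO_SECRET_B64, int(time.time())))
```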
Configuring BIND
To set up a Bonjour name server in Mac OS X, you'll need to edit the BIND configuration file (/etc/named.conf). If you're not already running a name server on your machine, start with a blank file and add the contents below. Otherwise, add the following to your existing configuration file (typically /etc/named.conf):
Writing the Zone File
Next you'll need to create a zone file named db.<your zone>, for example, 'db.bonjour.example.com' and copy it into /var/named. The only change that you need to make is to replace the two instances of 'wab.example.com.' with the hostname of your server (don't forget the dot on the end).
Discovering Your Server
If you have access to the parent zone's DNS server, you can delegate the new zone to the new server by adding an entry in the example.com. zone file: Your network administrator may be able to do this for you. If you do not have access to the parent zone's DNS server, a temporary alternative while testing is to simply add the IP address of the new server to the 'DNS Servers' field of the Networking Preference Pane in each client computer. However, manually entering the IP address on the clients is a short-term solution, not really suitable for long-term use. The whole point of DNS is that clients learn the DNS server for a given domain, not by manual configuration, but by following the chain of delegation (NS records) from the root. Likewise, for reliable operation, your subdomain should be properly delegated from its parent.
Discovering Domains
Computers running Mac OS X Tiger or later and computers running Bonjour for Windows will issue domain enumeration queries to automatically discover browse and registration domains on the network. The easiest way for clients to discover your domain is by creating PTR records pointing from the DHCP domain name to your new zone. This requires administrative control of that domain. For example, if the DHCP 'Domain Name' option (option code 15 [RFC 2132]) that the DHCP server sends to its clients is 'example.com', then you need to create the following entries in the 'example.com' zone file to tell those DHCP clients about your new 'bonjour.example.com' domain: If you don't have administrative control of that domain, as a last resort, you can manually force a client to 'discover' your new 'bonjour.example.com' domain by adding it to the 'Search Domains' field in the Network Preference Pane on each client. This will only work if you have the domain enumeration PTR records in the bonjour.example.com zone as shown in the 'db.bonjour.example.com' zone file above.
Starting named
You should create a backup of the zone file before running named for the first time. Once you run your server with DNS Update turned on, you cannot edit the zone files by hand. If you need to reset your zone for any reason, simply revert to the saved copy, delete any .jnl files, and restart named and dnsextd.
named normally runs with no arguments:
Check the syslog (/var/log/system.log) for errors. You can ignore any errors that say '/private/etc/rndc.key: file not found' or 'couldn't add command channel'. If any other errors occur, make sure that you put periods in exactly the right places in all files. See examples for correct usage of trailing dots. For debugging, you may wish to run it in the foreground, with enhanced logging:
Starting dnsextd
The dnsextd daemon configuration file is /etc/dnsextd.conf. Typically the only thing you need to edit in this file is the name of the zone you want dnsextd to handle:
You can run dnsextd with no arguments:
To run in the foreground with verbose logging for debugging, add '-vf'.
Run with a single argument, '-h', for help and a full list of options.
Starting named and dnsextd automatically on boot
Once you have verified that your configuration files are correct, you can set named and dnsextd to start automatically on boot. First stop named and dnsextd if they are already running, and then execute the following commands:
The 'launchctl load' command tells the system to start that daemon; the '-w' option tells the system to make the change permanent so the daemon will be automatically started on boot too.
Configuring Clients
Now that your server is up and running, the next step is to configure each client on the network to use your new server.
http://www.dns-sd.org