openwrt, dnsmasq, linuxigd, and Back To My Mac

Simple task: set up my wrt-54g (running openwrt) with linuxigd (after giving up on miniupnpd) so that “Back To My Mac” works[1].

linuxigd: trivial. Click a few buttons to enable it, done. I tried miniupnpd first, but although it initially looked good, I couldn’t get it to work consistently.

However, that’s when I started getting the MobileMe prefpane telling me that BTMM couldn’t start because “Your DNS server isn’t responding”. A little bit of searching on Google finds me pages like this one, which baldly state that “Back to My Mac isn’t compatible with dnsmasq.”

Well, dear internets, I’m here to tell you that you are wrong. BTMM is perfectly compatible with dnsmasq. Sure, openwrt’s default settings don’t work, but that doesn’t make the two incompatible.

It did take me a while to figure out what was going on. The clue also came from Apple’s forums, which told me to do this:

betelgeuse:~ james$ echo "show State:/Network/BackToMyMac" | scutil
<dictionary> {
  zhasper.members.mac.com : <dictionary> {
    ExternalAddress : 143.211.101.234
    StatusMessage : GetZoneData failed: _afpovertcp._tcp.username.members.mac.com.
    AutoTunnelExternalPort : 4500
    StatusCode : -65554
    LLQExternalPort : 5353
    RouterAddress : 192.168.0.1
    LastNATMapResultCode : 0
  }
}

The vital clue was the StatusMessage, which tells you exactly which DNS lookup failed. The important thing is that the hostname being looked up starts with an underscore.

Take a look at the dnsmasq man page, specifically the filterwin2k option. Once upon a time, SRV records (and queries for names containing underscores) really were a sign that you had win2k machines on your network. Once upon a time, “triggering dial-on-demand links” was actually something to be worried about. Those times are long past.

I turned this option off (vi /etc/dnsmasq.conf, add a # at the start of the filterwin2k line to comment the option out, save the file, and run /etc/init.d/S65dnsmasq to restart the service). As expected, BTMM now works fine. Well, as fine as you could expect.
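The same fix, as an added example that is not from the original post: a helper that tells you whether a given query would be discarded by filterwin2k (encoding the rule as the dnsmasq man page describes it: SOA and SRV queries, plus ANY queries for names with an underscore), and a helper that comments the option out of a dnsmasq.conf with sed instead of vi. It assumes POSIX sh, sed and grep (busybox on openwrt is fine) and that the config keyword is spelled filterwin2k.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes POSIX sh/sed/grep; the filtering rule below is the one the
# dnsmasq man page documents for filterwin2k.

# filterwin2k_drops NAME TYPE
# Returns 0 (true) if dnsmasq with filterwin2k enabled would discard the
# query: any SOA or SRV query, or an ANY query for a name containing "_".
filterwin2k_drops() {
    name=$1
    type=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    case "$type" in
        SOA|SRV) return 0 ;;
        ANY) case "$name" in *_*) return 0 ;; esac ;;
    esac
    return 1
}

# filterwin2k_active FILE
# Prints how many uncommented "filterwin2k" lines the config contains.
filterwin2k_active() {
    grep -c '^[[:space:]]*filterwin2k[[:space:]]*$' "$1" || true
}

# disable_filterwin2k FILE
# Comments out every active filterwin2k line in place (the edit the post
# describes); lines that are already commented are left untouched.
disable_filterwin2k() {
    sed -i 's/^[[:space:]]*filterwin2k[[:space:]]*$/#filterwin2k/' "$1"
}

# Typical use on the router (commented out so the file is side-effect free):
#   filterwin2k_drops _afpovertcp._tcp.username.members.mac.com SRV && echo dropped
#   disable_filterwin2k /etc/dnsmasq.conf && /etc/init.d/S65dnsmasq
```

The BTMM lookup from the scutil output above (an SRV query for an underscore name) is exactly the kind of query the first helper reports as dropped.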

[1] I’m ideologically opposed to all things UPnP, and BTMM in particular. What’s the point of having a firewall if you’re going to allow everything inside to poke so many holes in it that it may as well not be there? There’s nothing BTMM can give me that a small firewall hole (to allow SSH on a non-standard port) + ssh port forwarding can’t give me in a more controlled way — and without shelling out $$$ to Uncle Steve, too. Nevertheless…
