Fixing .local (mDNS) Resolution on Debian/Devuan

Applied to both minime and devuan.

Symptom

Hosts on the LAN were reachable by their fully qualified router name (e.g. joe-macmini.home.local) but not by their Bonjour/mDNS name (joe-macmini.local), even though:

Even getent hosts minime.local (this host's own advertised name) returned nothing — and tcpdump showed that no outbound mDNS query was ever sent. So the problem was in the NSS layer, not the network.

Root Cause

The home router (192.168.1.1) serves a home.local zone and, as a side effect, answers authoritatively for the top-level local label:

$ dig +short SOA local. @192.168.1.1
localhost. nobody.invalid. 1 3600 1200 604800 10800

The NSS module mdns4_minimal (from libnss-mdns) implements the Apple-recommended heuristic described in HT201275: if unicast DNS has an SOA for local., it assumes .local is a real unicast zone and silently disables itself. That is why no multicast query was ever emitted.

Gotcha: the minimal flavour (mdns4_minimal, mdns6_minimal, mdns_minimal) does not read /etc/mdns.allow under any circumstances — so a whitelist file alone will not override the SOA check. You must switch to the non-minimal module.

The Fix

Two changes, as root:

1. Create /etc/mdns.allow

cat > /etc/mdns.allow <<'EOF'
.local.
.local
EOF

This tells the non-minimal mdns4 module to resolve .local via mDNS authoritatively, bypassing the unicast-SOA heuristic.

2. Edit /etc/nsswitch.conf

Change the hosts: line from:

hosts:          files mdns4_minimal [NOTFOUND=return] dns

to:

hosts:          files mdns4 [NOTFOUND=return] dns

Or as a one-liner:

sed -i 's/mdns4_minimal \[NOTFOUND=return\] dns/mdns4 [NOTFOUND=return] dns/' /etc/nsswitch.conf

No daemon restart is required — NSS is re-read per process. Open a new shell to test.

Verification

$ getent hosts minime.local
192.168.1.173   minime.local
$ getent hosts joe-macmini.local
192.168.1.171   joe-macmini.local
$ ping -c1 joe-macmini.local

Trade-offs of mdns4 vs mdns4_minimal

| | mdns4_minimal | mdns4 |
|---|---|---|
| Queries beyond .local | Never | Only if listed in /etc/mdns.allow |
| Reads /etc/mdns.allow | No | Yes |
| Unicast-SOA heuristic | Always applied | Skipped for suffixes in /etc/mdns.allow |
| Risk of slow lookups for unrelated names | None | None, as long as /etc/mdns.allow only contains .local/.local. |
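
The checks above can be scripted so a host is audited before and after the change. This is an added example, not part of the original notes; the function names and verdict strings are this example's own, and it follows the module behaviour as described on this page.

```shell
#!/bin/sh
# Added example: offline audit of the two files changed in "The Fix".

# Classify the mDNS module on the hosts: line as minimal, full or none.
mdns_flavour() {
    awk '$1 == "hosts:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^mdns[46]?_minimal$/) { print "minimal"; found = 1; exit }
            if ($i ~ /^mdns[46]?$/)         { print "full"; found = 1; exit }
        }
    }
    END { if (!found) print "none" }' "$1"
}

# Succeed if the allow file is readable and lists .local or .local.
allow_covers_local() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*\.local\.?[[:space:]]*$' "$1"
}

# Print allow-file entries other than .local/.local. (blank and # lines skipped).
allow_extras() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#.*)?$' "$1" |
        grep -Ev '^[[:space:]]*\.local\.?[[:space:]]*$' || true
}

# diagnose NSSWITCH ALLOW SOA
# SOA is the text returned by: dig +short SOA local. @<router> (empty = no SOA).
diagnose() {
    case "$(mdns_flavour "$1")" in
        none) echo "no-mdns-module" ;;
        minimal)
            # Minimal flavour ignores the allow file; a unicast SOA switches it off.
            if [ -n "$3" ]; then echo "disabled-by-soa-heuristic"
            else echo "ok-minimal"; fi ;;
        full)
            if ! allow_covers_local "$2"; then echo "allow-file-missing-local"
            elif [ -n "$(allow_extras "$2")" ]; then echo "ok-but-allow-too-broad"
            else echo "ok-full"; fi ;;
    esac
}

# Live use, with this page's router address:
# diagnose /etc/nsswitch.conf /etc/mdns.allow "$(dig +short SOA local. @192.168.1.1)"
```

A verdict of ok-but-allow-too-broad means /etc/mdns.allow lists suffixes beyond .local, which is the case the trade-off table warns about.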

Alternative (Not Applied)

The cleanest fix is on the router: stop it answering for the bare local. zone so that dig SOA local. @router returns NXDOMAIN. That would restore mDNS for every client on the LAN without per-host changes. This was not done here because router configuration was out of scope for the troubleshooting session.

References