LosesAddresses
You're running avahi-daemon providing the mDNS (multicast DNS) service, so for example iris.local can usually be resolved to its assigned IP address, e.g. 192.168.0.203, and similarly for IPv6. But sometimes, particularly after you wake the machine from suspend to RAM, iris.local resolves to a link-local address such as 169.254.7.222 (RFC 3927) and fe80::201:c0ff:fe12:ed4a (RFC 2373). This disrupts services provided by the host.
The affected hosts all have virtual machine guests and a network bridge (br0) into which they insinuate themselves, so they are effectively on the local network. The host's real interface (eth0) also is a member of the bridge. The bridge has the host's assigned IP address, but the real interface has no IP address.
Seeing the address-less interface, avahi-daemon gives it a link-local address. The address of each relevant interface is registered in an A or AAAA record for $HOST.local. When an outside client sends packets to the address of the real interface, the server may not be listening on that interface, causing random denial of service.
The fix is very simple: in /etc/avahi/avahi-daemon.conf, put allow-interfaces=br0. All other interfaces, specifically the real interface, will then be excluded from consideration by avahi-daemon and mDNS.
The value of allow-interfaces is a comma-separated list of interfaces whose addresses should be registered. The default is all interfaces except loopback and except point-to-point interfaces. In my simple setup, the right value is just the bridge.
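The following check is an added example, not part of the original page: it reads allow-interfaces from the [server] section of the configuration file and flags any link-local address that the host's .local name resolves to. The function names are hypothetical, and the name/address line format is assumed to be what avahi-resolve prints.

```shell
#!/bin/sh
# Added example: diagnose link-local addresses published for a .local name.

# is_link_local ADDR: succeed if ADDR is in 169.254.0.0/16 or fe80::/10.
is_link_local() {
    _a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    _a=${_a%%\%*}                      # drop a zone suffix such as %eth0
    case $_a in
        169.254.*.*)        return 0 ;;
        fe[89ab][0-9a-f]:*) return 0 ;;   # fe80 through febf
        *)                  return 1 ;;
    esac
}

# allowed_interfaces FILE: print the active allow-interfaces value from the
# [server] section; print nothing if it is unset or commented out with '#'.
allowed_interfaces() {
    awk -F= '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        in_server {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "allow-interfaces") {
                val = $2; gsub(/[ \t]/, "", val); print val; exit
            }
        }
    ' "$1"
}

# link_local_records: read "name address" lines on stdin and print only
# those whose address is link-local.
link_local_records() {
    while read -r name addr; do
        if is_link_local "$addr"; then
            printf '%s %s\n' "$name" "$addr"
        fi
    done
}

# Usage: script /etc/avahi/avahi-daemon.conf iris.local
if [ $# -eq 2 ]; then
    echo "allow-interfaces: $(allowed_interfaces "$1")"
    { avahi-resolve -4 -n "$2"; avahi-resolve -6 -n "$2"; } 2>/dev/null |
        link_local_records
fi
```

Run it from another machine on the LAN after a suspend/resume cycle; any line printed after the allow-interfaces value is a link-local record still being published for the name.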