
michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
So I have used OSX for a very long time...

When I upgraded to Snow Leopard, one of the first things I did was install Little Snitch and NoobProof...

After installing firewalls, I went to disable mDNSResponder on my laptop and iMac... Bonjour = mDNSResponder... which is a really stupid service for someone like myself (doesn't need to advertise my existence to current networks)... Bonjour has always had its ups and downs... BUT

WHEN YOU DISABLE BONJOUR/mDNSResponder YOU CANNOT ACCESS THE INTERNET AT ALL THROUGH SAFARI!!!

Once Bonjour is disabled from Snow Leopard via terminal command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

or by disallowing network connections to the service via a firewall...

I CANNOT ACCESS THE INTERNET VIA SAFARI OR OTHER!!!, my network settings remain the same, claiming I have connection... I have to re-enable access/turn on mDNSResponder to gain access to the internet again.

When highlighted in Little Snitch, the service's purpose is:
"is necessary for local host name resolving."

I do not know if Snow Leopard somehow has relied on Bonjour/mDNSResponder to assign basic network connections, but it totally knocks out all internet to my Intel iMac 22"

Please, if anyone can explain why this happens after Snow is installed, or can solve it, let me know immediately...

If you don't know why, but have experienced the same thing, please leave a comment on how you disabled it and what problems you receive afterwards.


UPDATE: Randomly, if left off, my Transmission (torrents) will lose connection and then regain connection just to drop again, but Safari is still not active when mDNSResponder is left off. I also tried the command without -w... Yet, when I run netstat (terminal) I still see "ESTABLISHED" connections (torrents) while no activity is being passed through... so bizarre

UPDATE: I found this on iana.org. Block all of these via firewall, in and out (littlesnitch/noobproof):
mdnsresponder 5354/tcp Multicast DNS Responder IPC
mdnsresponder 5354/udp Multicast DNS Responder IPC
cuseeme 7648/tcp bonjour-cuseeme
cuseeme 7648/udp bonjour-cuseeme
mdns 5353/tcp Multicast DNS
mdns 5353/udp Multicast DNS


Update: I found a site that claims to have links for new Snow Leopard support, one of which is "disabling bonjour service advertisements without disabling mdnsresponder"... which is what I have been waiting for!!:

http://www.xlr8yourmac.com/index.html#S25936

http://support.apple.com/kb/HT3789?viewlocale=en_US

BUT THE SECOND LINK IS BROKEN!!! I still don't know how to do this!! and it looks like it was an APPLE Support site, now broken... not cool


Update final:

http://support.apple.com/kb/HT3789?viewlocale=en_US
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
anyone out there??? c'mon people this is HUGE!!!

There is absolutely no reason why we should be required to use mDNSResponder/Bonjour to be able to access the internet or assign IPs!!!

It has always been a big security hole and has always been optional, but with Snow Leopard it appears to be required to have ANY access to the internet!!

WHY IS THIS!!??
 

alexeismertin (macrumors regular, Jun 2, 2005, Bristol, UK)
I noticed this straight away & scoured the web for answers/solutions but nothing! I tried changing the 2 mDNSresponder plists manually but it carried on 'responding'.

Yep this is a BIG SL problem.
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
Well, I haven't solved it, but I can at least limit it... here is what I did (without "disabling via terminal", which leaves no connectivity)...

Using LittleSnitch I was able to block access to mDNSResponder, but when this is done by itself, it gives limited access to the internet... when I say limited, Safari would not load some websites/parts of the websites and would hang on the load... but my torrents download fine in the background (firewall configured for torrent port)...

SO, I denied all access to ff02::fb, 224.0.0.251... and then made a rule ALLOWING only access to the router IP, this i believe will stop some of the security holes that bonjour brings...

UPDATE: I also blocked incoming traffic on Ports 7648 and 5354 with NoobProof


NOTE: in the network monitor, these are what gets connected to mDNSResponder:
RouterIPAddress
ff02::fb
User.local
224.0.0.251

DO NOT TRY TO BLOCK YOUR User.local!!! It will crash your littlesnitch for obvious reasons!! =)

I'm gonna mess around a bit more with what to block and allow...

QUESTION:

1) Does mDNSResponder receive or listen for "incoming" connections from other computers which have bonjour/mDNSResponder on?

2) If so, then what port/protocol can I "block" within my "incoming" firewall (NoobProof)?

UPDATE: I found this on iana.org. Block all of these via firewall, in and out (littlesnitch/noobproof):
mdnsresponder 5354/tcp Multicast DNS Responder IPC
mdnsresponder 5354/udp Multicast DNS Responder IPC
cuseeme 7648/tcp bonjour-cuseeme
cuseeme 7648/udp bonjour-cuseeme
mdns 5353/tcp Multicast DNS
mdns 5353/udp Multicast DNS

So, anyone know of any better ways to stop mdnsresponder from spreading its VD all over my computer?
 

Dunepilot (macrumors 6502a, Feb 25, 2002, UK)
Wow, this really is a big deal. We're just about to disable Bonjour on all Macs on our network, but won't be able to do this when we deploy SL, as it stands.

Has anyone submitted this as a bug to Apple yet?
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
Re-Post in reply to another forum

so here is my REAL question...

let's say one does not NEED these things, such as a constant broadcast to the local network; how could I safely disable the "features" that Bonjour/mDNSResponder uses...

Obviously disabling mDNSResponder completely kills all DNS, and blocking it on my firewall (in/out) for its listening ports and to router/ff02::fb/and local just makes it act weird, randomly working...

So how can I disable "bonjour" from advertising on the network without turning off mDNSResponder? (still waiting for an answer from Apple)...

I hate to repeat myself but, c'mon!! what can I block on my firewall in or out that would stop it from broadcasting without cutting it off internally/locally??

See other forum regarding similar issue at apple:

http://discussions.apple.com/thread.jspa?messageID=10224435#10224435
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
Updated questions:

(question/comment from other forum below)

Thanks Naudecob for your matching concerns...

to answer your question, "is this also an issue with Leopard 10.5 or only with SL 10.6?"

Yes, this is specifically a Snow Leopard issue; it appears that Apple knows about this, they "gave" mDNSResponder the responsibility of assigning local IP addresses (and many other network attributes)... which is supposedly the reason why basic internet does not function after mDNSResponder is disabled.

But, what I still don't understand... Bonjour relies on mDNSResponder to function... hence, when mDNSResponder is disabled in Leopard 10.5, all Bonjour-required apps will not function (i.e. disables Bonjour)... NOTE: I realize you can disable the Bonjour GUI (interface) via the app preferences that use it, but this does not stop the "advertisement" of Bonjour to other computers on the network.

1) How does one disable Bonjour in Snow Leopard without having to disable mDNSResponder? (i.e. stop Bonjour from advertising to other networks without having to disable individually within each Bonjour-required app)

2) What is the relationship between Bonjour and mDNSResponder in Snow Leopard?

3) Does Bonjour work the same way with mDNSResponder as it did in 10.5?
 

APlus84 (macrumors member, Sep 13, 2009, Hawaii)
Been diddling on another thread with similar issue:

https://forums.macrumors.com/showthread.php?p=8523442&posted=1#post8523442

This I don't understand and seems relevant here -

I had network issues which were solved by putting my router back in (other thread if you are interested). There was very little modem activity with router. Nothing odd for about 45 minutes.

Then Time Machine did a scheduled backup. The modem lit up and Little Snitch reported constant activity on mDNSResponder, alternating between ns.oceanic.com and dns2.oceanic.net (Oceanic [Time Warner] is my ISP).

Can't see why my ISP needs to know anything after a Time Machine backup.

Got to thinking that the modem activity which got me all excited about this after the SL upgrade never happened until some time had passed with the computer active. Might be coincidence but it had started right after Time Machine did its thing this time.

Did a Restart of the computer. Normal modem startup activity and then all quiet. Little modem, Activity Monitor or Little Snitch action. KUHL!

After a few minutes, I forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Turned Time Machine off, put the computer to sleep.

This morning I had no unexpected activity for about 3 hours. Finished what I need to do and did a test - forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Did a Restart of the computer. Normal modem startup activity and then all quiet. Little modem, Activity Monitor or Little Snitch action. After 10 minutes, I forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Did the above 3 times with same result. Bit of a stretch to think it is coincidence.

Curious, eh?
 

nelly22 (macrumors 6502, Sep 29, 2009)
The below link is Apple's description for admins to disable Bonjour advertisement without disabling mDNSResponder (which is in charge of DNS in 10.6 SL Snow Leopard)

http://support.apple.com/kb/HT3789?viewlocale=en_US

Cool!

So if I do this trick which is in the above link, then my neighbors don't see my Mac and all other security/privacy problems are gone?

What are the *exact* rules I should put in Little Snitch? Are these correct?

mDNSResponder:
Allow every connection
Deny TCP connections to port 5353 (mdns)
Deny UDP connections to port 5353 (mdns)
Deny TCP connections to port 5354 (mdnsresponder)
Deny UDP connections to port 5354 (mdnsresponder)
Deny TCP connections to port 7648 (cuseeme)
Deny UDP connections to port 7648 (cuseeme)

If I don't use cuseeme, do I need those 2 last rules?

How about these:
Allow connections to broadcast addresses
Allow connections to multicast addresses
Allow connections to IPv6 multicast addresses

Thanks!
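The KB trick nelly22 refers to (Apple's HT3789) amounts to adding the -NoMulticastAdvertisements argument to mDNSResponder's launchd job so the daemon keeps resolving names but stops advertising over multicast. As an added example that is not code from this thread or from Apple, here is a Python check-and-patch of that ProgramArguments list using the standard plistlib, run on a constructed in-memory copy of the plist; the sample's key layout (Label plus ProgramArguments of /usr/sbin/mDNSResponder and -launchd) is an assumption, and on a real 10.6 box the file is /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist.

```python
"""Added example: toggle mDNSResponder multicast advertising in its launchd plist.
Not code from the thread or from Apple; the sample plist below is constructed."""
import plistlib

# Constructed sample in the layout of the 10.6 launchd job (assumption).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
"""

# The argument documented in Apple's HT3789 for 10.6.
NO_ADVERTISE = "-NoMulticastAdvertisements"


def program_arguments(plist_bytes):
    """Return the ProgramArguments list of a launchd job plist (empty if absent)."""
    return list(plistlib.loads(plist_bytes).get("ProgramArguments", []))


def advertising_disabled(plist_bytes):
    """True when the job already starts mDNSResponder without multicast advertising."""
    return NO_ADVERTISE in program_arguments(plist_bytes)


def disable_advertising(plist_bytes):
    """Return the plist with the flag appended; idempotent, and refuses other jobs."""
    job = plistlib.loads(plist_bytes)
    if job.get("Label") != "com.apple.mDNSResponder":
        raise ValueError("not the com.apple.mDNSResponder launchd job")
    args = job.setdefault("ProgramArguments", [])
    if NO_ADVERTISE not in args:
        args.append(NO_ADVERTISE)
    return plistlib.dumps(job)


if __name__ == "__main__":
    print("advertising disabled before:", advertising_disabled(SAMPLE_PLIST))
    patched = disable_advertising(SAMPLE_PLIST)
    print("advertising disabled after: ", advertising_disabled(patched))
    print(patched.decode())
```

Writing the returned bytes back over the system plist needs an admin shell, and the job has to be unloaded and loaded again with launchctl (the unload command is in the first post) before the change takes effect.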
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
So if I do this trick which is in the above link, then my neighbors don't see my Mac and all other security/privacy problems are gone?

What are the *exact* rules I should put in Little Snitch? Are these correct?
Thanks!

Hey nelly, if you do the "trick" from the link above, there is no need to block any outgoing connections in Little Snitch. The trick stops all "advertisement" of your computer via mDNSResponder/Bonjour to the local network... furthermore I would recommend allowing ALL outgoing connections for mDNSResponder (allow all application/process) in Snow Leopard.

But for the paranoid (like myself), you could block "incoming" connections via a firewall like noobproof.app, this will stop YOU from seeing OTHER people on the local network =), (which will be logged)

My incoming port connections are as follows (noobproof.app):

Name a rule "bonjour": deny all
Ports: 5298,5354,7648 (maybe 5353, see below)

Note: the default listening port for bonjour is 5353, but this port is already listed within the "system services" rule, so I would recommend setting "system services" to "deny all"...

Note: if you need incoming access to the other "system services" rule (i.e. 53,67,68,123) for any reason (which a normal user shouldn't), create a new rule named "system services2" without port 5353, then add 5353 to the "bonjour" rule mentioned above... afterwards, don't forget to delete the old "system services" rule...

for the rule "*All other services", choose allow; denying it will cause problems. (if you can figure out what ports that are not listed are causing this, let me know)

on another note, use an "nmap" scan on "your" neighbor's wifi network, find out what hardware/router he's running, look up his default gateway IP (open terminal, type "ifconfig", look for gateway, usually 192.168.0.1 or 192.168.1.1, enter that IP in your browser) and see if he's changed his router default admin password (i.e. admin or password is the default)... if you are able to log in to the router as admin, assign their IPs via DHCP table (MAC address) and set your own, then forward ports you need (i.e. torrent/games/ssh/vnc) and then disable ALL router logging (security tab)... and if you want, you can mess with JUST their internal IPs and have some fun ;)

**the dark side of mac**
 

APlus84 (macrumors member, Sep 13, 2009, Hawaii)
I've been driving computers for many years but don't know what makes them work. Sorry if this is stupid but I'm nervous seeing the Send/Receive cable modem activity I have. I'd appreciate an explanation.

Didn't do this until the 10.6.1 upgrade. Not allowing Broadcast and Multicast items in Little Snitch had no effect.

We're talking Network here but my Finder>Network window shows no items. Bonjour Browser shows 0-local. I have a router (wireless OFF), LAN is Mac (no AirPort) and a PC (OFF). Only open application is TextEdit I'm using for this note.

But, the Send/Receive cable modem activity is constant. Little Snitch Connection History:

Connection report for process: mDNSResponder (/usr/sbin/mDNSResponder)
05:35
Total: 2.3MB sent, 3.4MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.1MB sent, 2.3MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 1.1MB received

05:40
Total: 2.4MB sent, 3.6MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 2.4MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 1.2MB received

05:45
Total: 2.6MB sent, 3.8MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.3MB sent, 2.5MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.3MB sent, 1.3MB received

Not huge but consistent. Doubt my "stuff" is being downloaded but it is very disquieting.

Thanks.
Doug
 

michaelwithe21 (macrumors member, Original poster, Mar 17, 2009, CA)
Aplus,
Please remove the IP addresses and domains from your post (unless they are internally assigned), but I was able to find your ISP and general location via http://www.whois.is; if you wish to contact the IP it is connecting to, doug.stanfield@twcable.com
IP: 24.165.45.231... roadrunner time warner


but port 53 is DNS (domain name server), and Snow Leopard has made mDNSResponder responsible for all DNS assignment and activity. So don't go accusing the ISP of knowing anything =)

Have you even tried the method shown above before demanding answers from forums? The method mentioned in the link above will disable the advertisement of your network locally using Bonjour/mDNSResponder.

Are you using a router? The only connections that my mDNSResponder shows (LittleSnitch) are to my gateway router IP (which yours is not) and a couple of other internal IPs and broadcasts, and it only does it once in a while using only a couple of kB, as seen (20 min of use, using Snow Leopard browsing the internet and such):

Connection report for process: mDNSResponder (/usr/sbin/mDNSResponder)
Total: 1.5kB sent, 3.1kB received
192.168.X.X (192.168.X.X), Port 53 (domain), Protocol 17 (UDP), 1.5kB sent, 3.1kB received

let me know if you find a solution
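The two Little Snitch reports above show the distinction michaelwithe21 is drawing: on 10.6 mDNSResponder's port-53 traffic is ordinary unicast DNS (to the gateway in his case, to the ISP's resolvers in APlus84's), while the Bonjour part is port 5353 to 224.0.0.251 and ff02::fb. As an added example that is not from the thread or from Little Snitch, this Python snippet sorts connection lines in that report layout into those buckets; the sample lines are constructed, and treating RFC 1918, link-local and IPv6 ULA ranges as "LAN" is an assumption.

```python
"""Added example: classify mDNSResponder connection lines from a Little Snitch
style report into mDNS multicast, local unicast DNS, external unicast DNS, or
unexpected. Not from the thread; the REPORT sample is constructed."""
import ipaddress
import re

# Constructed sample in the layout of the reports quoted in the thread.
REPORT = """\
192.168.1.1 (192.168.1.1), Port 53 (domain), Protocol 17 (UDP), 1.5kB sent, 3.1kB received
224.0.0.251 (224.0.0.251), Port 5353 (mdns), Protocol 17 (UDP), 0.8kB sent, 0.2kB received
ff02::fb (ff02::fb), Port 5353 (mdns), Protocol 17 (UDP), 0.4kB sent, 0.1kB received
198.51.100.10 (ns.example-isp.net), Port 53 (domain), Protocol 17 (UDP), 1.1MB sent, 2.3MB received
203.0.113.7 (203.0.113.7), Port 5354 (mdnsresponder), Protocol 6 (TCP), 0.1kB sent, 0.1kB received
"""

LINE_RE = re.compile(
    r"^(\S+) \(([^)]*)\), Port (\d+) \([^)]*\), Protocol (\d+) \([^)]*\), "
    r"(\S+) sent, (\S+) received$"
)

# The mDNS multicast groups the thread blocks/allows in Little Snitch.
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}

# Assumption: "LAN" means RFC 1918, IPv4/IPv6 link-local and IPv6 ULA space.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7")]


def on_lan(addr):
    """True if addr falls inside one of the LAN ranges (version-aware)."""
    return any(addr in net for net in LAN_NETS)


def classify(line):
    """Return (category, address, port) for one report line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr_s, port = m.group(1), int(m.group(3))
    addr = ipaddress.ip_address(addr_s)
    if port == 5353 and addr in MDNS_GROUPS:
        cat = "mdns-multicast"        # Bonjour advertising/browsing on the local link
    elif port == 53 and on_lan(addr):
        cat = "unicast-dns-local"     # normal DNS via the home router/gateway
    elif port == 53:
        cat = "unicast-dns-external"  # DNS sent straight to an upstream resolver
    else:
        cat = "unexpected"            # anything else deserves a closer look
    return cat, addr_s, port


def summarize(report):
    """Count parsed report lines per category."""
    counts = {}
    for line in report.splitlines():
        result = classify(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts
```

A report dominated by "unicast-dns-external" is the pattern APlus84 saw, and the place to look is the DNS server list in Network preferences rather than Bonjour.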
 

APlus84 (macrumors member, Sep 13, 2009, Hawaii)
--> michaelwithe21

I tried the Deny items listed here and unchecked all the Multicast and Broadcast Allow rules in Little Snitch with no change.

I tried the mDNSResponder.plist addition. As in the private note to you, the Save As to the Desktop and replace changes the Permissions to User; system and wheel are not there. Such is above my ability, but the result was no internet connection at all.

I can see you are using NoobProof but their web site and VersionTracker list v1.4 for OS 10.5, nothing for OS 10.6. You know what you are doing but I worry that using it with 10.6 not listed could cause me more problems than I currently have. I'm not that good on this thing.

"... only connections that my mDNSResponder shows (littleSnitch), is to my gateway router IP (which yours is not), ...."

I have a router but your Update has NoobProof items and I don't have that.

The oddest thing is I have none of this unexplained activity after a fresh boot of the computer until TimeMachine does a backup. With TimeMachine Off I can diddle for hours. However, even with TimeMachine Off the unexplained activity is there if I wake the computer after Sleep. A Restart stops the activity.

A restart seems an inelegant solution but I seem to have worn out my welcome here. Thanks for the time, I appreciate the effort.
 

APlus84 (macrumors member, Sep 13, 2009, Hawaii)
Problem Solved for me

Four calls to Apple got no help. Even sent them the file from their Data Capture program - never heard from them again.

Turns out it was self-inflicted, but others who just drive these things and aren't wizards on the workings might find something similar.

Thank you michaelwithe21 for pointing me in the right direction by mentioning that my router was not acting as a gateway. Been busy with Power of Attorney for my parents' finances but did remember the comment.

I did not have a router when my cable modem was installed. I was running Tiger at the time, imported Settings when I moved to Leopard and did an Upgrade to Snow Leopard. The unknown modem activity did not start until the SL upgrade.

I don't know if this was automatic or the installer put them there originally but I found two addresses, grayed but visible, in the System Preferences>Network DNS Server field. They were my two ISP server addresses Little Snitch indicated were active when I had the activity.

Clicked Advanced and DNS. Added my router address with + IPv4 or IPv6 addresses. The two servers disappeared and now the router is the only address in the DNS Servers field.

No more Chatty Cathy.

I suppose those in the know think this obvious. I didn't.
 