Recently purchased Little Snitch and very much like the granularity of control, and specifically being able to determine what is talking to what over network connections.
I have noticed an inordinate amount of traffic from mDNSResponder; for example, I am showing connections as I type this to 84 servers (not IP addresses but ports).
I also note a huge amount of console spamming, as exemplified by this:
7/13/14 11:13:05.073 PM configd[18]: dnssd_clientstub ConnectToServer: connect() failed Socket:9 Err:-1 Errno:2 No such file or directory
7/13/14 11:13:05.073 PM configd[18]: DNSServiceCreateConnection(&dnsMain) failed, error = -65563
7/13/14 11:13:05.073 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
7/13/14 11:13:06.139 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2
7/13/14 11:13:07.210 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3
7/13/14 11:13:08.228 PM configd[18]: dnssd_clientstub ConnectToServer: connect() failed Socket:9 Err:-1 Errno:2 No such file or directory
I did some web searches and, while the information regarding this is paltry, some say that Bonjour is part of the mDNSResponder protocol; there is both https and udp traffic listed from this process. I have also read that Bonjour is primarily the child process of iTunes. However, there is nothing definitive about this anywhere I look. I disabled the process with
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
then rebooted. After reboot the browser was unable to resolve any domain name. I then opened the Network Utility and tried pinging 8.8.8.8 and was able to without problems. However, trying to ping Google.com got an "unable to resolve" message. I re-enabled mDNSResponder and all returned to normal, including the traffic. So the questions are:
1) Is this volume of traffic normal?
2) Is Bonjour a part of mDNSResponder in 10.9.4?
3) I read about the possibility of various security risks in Bonjour, while in other places people say there are none. I am concerned because it seems a promiscuous process. Any truth to the security question?
4) Any way to separate out what part of the traffic is Bonjour and what part is DNS resolution?
In reading about Bonjour, it seems that one of the most cited users of this is iTunes. I don't use iTunes but VLC, although iTunes is installed.
Any comments or observations would be appreciated. I like OSX because I come from a UNIX/Linux background. That having been said, I have to date discovered that it is difficult to find out much about what Darwin does, particularly when one chooses to go deeper than what one sees at the GUI level. I have not yet tried manually auditing the code to see what exists, but am beginning to wonder whether this might not be a bad idea (shades of OpenSSL and the huge number of problems with that, memory randomization and protection, and the associated libc headaches). While lack of functional transparency is OK for some, given the current threat environment it's not acceptable for the more security conscious.
Thanks.
Expat
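The following is an added example, not part of the original post, addressing question 4 (separating Bonjour traffic from unicast DNS resolution) and decoding the console lines quoted above. It classifies connection records by protocol, destination address and port: mDNS (RFC 6762) uses UDP port 5353 to the multicast groups 224.0.0.251 / ff02::fb, while ordinary unicast resolution uses UDP or TCP port 53 to the configured resolvers. The resolver addresses (192.0.2.53, 192.0.2.54) and the traffic records are constructed sample data, not a real capture; the error-code table is taken from Apple's dns_sd.h, where -65563 is kDNSServiceErr_ServiceNotRunning.

```python
"""Split mDNSResponder traffic into mDNS (Bonjour) vs unicast DNS, and
decode dnssd_clientstub errors from the console log.

All inputs below are constructed sample data; nothing is captured live.
"""
import ipaddress
import re
from collections import Counter

# mDNS multicast groups and port (RFC 6762).
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
MDNS_PORT = 5353
DNS_PORT = 53

# Hypothetical configured resolvers for this host (documentation addresses).
# On a real Mac, read the actual list from `scutil --dns`.
RESOLVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}


def classify(proto, dst_ip, dst_port):
    """Classify one outbound flow from mDNSResponder.

    Returns one of:
      'mdns'                        - multicast mDNS (Bonjour discovery)
      'mdns-unicast'                - unicast to port 5353 (e.g. unicast replies)
      'unicast-dns'                 - port 53 to a configured resolver
      'unicast-dns-unknown-resolver'- port 53 to a server NOT in RESOLVERS
      'other'                       - anything else (e.g. TCP 443)
    """
    ip = ipaddress.ip_address(dst_ip)
    if proto == "udp" and dst_port == MDNS_PORT:
        return "mdns" if ip in MDNS_GROUPS else "mdns-unicast"
    if proto in ("udp", "tcp") and dst_port == DNS_PORT:
        return "unicast-dns" if ip in RESOLVERS else "unicast-dns-unknown-resolver"
    return "other"


def summarize_traffic(records):
    """records: iterable of (proto, dst_ip, dst_port) tuples -> Counter of classes."""
    return Counter(classify(p, ip, port) for p, ip, port in records)


# Constructed flow records in the shape a firewall like Little Snitch reports.
SAMPLE_RECORDS = [
    ("udp", "224.0.0.251", 5353),   # mDNS query/announcement, IPv4
    ("udp", "ff02::fb", 5353),      # mDNS query/announcement, IPv6
    ("udp", "192.0.2.53", 53),      # normal resolution to configured resolver
    ("tcp", "192.0.2.53", 53),      # large answer / truncation fallback over TCP
    ("udp", "198.51.100.9", 53),    # DNS to a server not in the resolver list
    ("tcp", "198.51.100.9", 443),   # not DNS at all; worth a closer look
    ("udp", "192.0.2.77", 5353),    # unicast mDNS to a peer on the LAN
]

# dnssd error codes from dns_sd.h (only the ones this example decodes).
DNSSD_ERRORS = {
    -65537: "kDNSServiceErr_Unknown",
    -65563: "kDNSServiceErr_ServiceNotRunning",
}

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ERR_RE = re.compile(r"error = (-?\d+)")


def summarize_log(lines):
    """Count connect failures, retries and named dnssd errors in console lines."""
    out = {"connect_failed": 0, "retries": 0, "errors": Counter(), "other": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out["other"] += 1
            continue
        msg = m.group("msg")
        if "connect() failed" in msg:
            out["connect_failed"] += 1
        elif "No of tries" in msg:
            out["retries"] += 1
        else:
            e = ERR_RE.search(msg)
            if e:
                code = int(e.group(1))
                out["errors"][DNSSD_ERRORS.get(code, f"unknown({code})")] += 1
            else:
                out["other"] += 1
    return out


# The six console lines quoted in the post above.
SAMPLE_LOG = [
    "7/13/14 11:13:05.073 PM configd[18]: dnssd_clientstub ConnectToServer: connect() failed Socket:9 Err:-1 Errno:2 No such file or directory",
    "7/13/14 11:13:05.073 PM configd[18]: DNSServiceCreateConnection(&dnsMain) failed, error = -65563",
    "7/13/14 11:13:05.073 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1",
    "7/13/14 11:13:06.139 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2",
    "7/13/14 11:13:07.210 PM configd[18]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3",
    "7/13/14 11:13:08.228 PM configd[18]: dnssd_clientstub ConnectToServer: connect() failed Socket:9 Err:-1 Errno:2 No such file or directory",
]

if __name__ == "__main__":
    print(summarize_traffic(SAMPLE_RECORDS))
    print(summarize_log(SAMPLE_LOG))
```

The bucket worth watching is `unicast-dns-unknown-resolver`: port-53 traffic to an address that is not in `scutil --dns` output is either a captive portal, a VPN or a resolver you did not configure. To get the same split on the wire rather than from the firewall's summary, a capture filter such as `sudo tcpdump -n -i en0 'udp port 5353 or port 53'` shows mDNS (5353, multicast destination) and unicast DNS (53) side by side. The decoded error -65563 (kDNSServiceErr_ServiceNotRunning), together with "Errno:2 No such file or directory" on the connect, means a client (here configd) could not reach mDNSResponder's Unix-domain socket, which is the expected symptom while the daemon is unloaded; since mDNSResponder is the system's unicast resolver as well as the mDNS responder, unloading it breaks name resolution, which matches the observation that 8.8.8.8 was reachable but Google.com was not.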