Old Sep 4, 2009, 02:55 AM   #1
michaelwithe21
macrumors member
 
Join Date: Mar 2009
Location: CA
Snow Leopard disabling mDNSResponder/Bonjour drops internet

So I have used OS X for a very long time...

When I upgraded to Snow Leopard, one of the first things I did was install Little Snitch and NoobProof...

After installing firewalls, I went to disable mDNSResponder on my laptop and iMac... Bonjour = mDNSResponder... which is a really stupid service for someone like myself (who doesn't need to advertise my existence to current networks)... Bonjour has always had its ups and downs... BUT

WHEN YOU DISABLE BONJOUR/mDNSResponder YOU CANNOT ACCESS THE INTERNET AT ALL THROUGH SAFARI!!!

Once Bonjour is disabled from Snow Leopard via the Terminal command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

or by disallowing network connections to the service via a firewall...

I CANNOT ACCESS THE INTERNET VIA SAFARI OR OTHERWISE!!! My network settings remain the same, claiming I have a connection... I have to re-enable access/turn on mDNSResponder to gain access to the internet again.

When highlighted in Little Snitch, the service's purpose is:
"is necessary for local host name resolving."

I do not know if Snow Leopard somehow relies on Bonjour/mDNSResponder to assign basic network connections, but it totally knocks out all internet to my 22" Intel iMac.

Please, if anyone can explain why this happens after Snow is installed, or can solve it, let me know immediately...

If you don't know why, but have experienced the same thing, please leave a comment on how you disabled it and what problems you receive afterwards.


UPDATE: Randomly, if left off, my Transmission (torrents) will lose connection and then regain connection just to drop again, but Safari is still not active when mDNSResponder is left off. I also tried the command without -w... Yet, when I run netstat (Terminal) I still see "ESTABLISHED" connections (torrents) while no activity is being passed through... so bizarre.

UPDATE: I found this on iana.org. Block all of these via firewall, in and out (Little Snitch/NoobProof):
mdnsresponder 5354/tcp Multicast DNS Responder IPC
mdnsresponder 5354/udp Multicast DNS Responder IPC
cuseeme 7648/tcp bonjour-cuseeme
cuseeme 7648/udp bonjour-cuseeme
mdns 5353/tcp Multicast DNS
mdns 5353/udp Multicast DNS


Update: I found a site that claims to have links for new Snow Leopard support, one of which is "disabling bonjour service advertisements without disabling mdnsresponder"... which is what I have been waiting for!!:

http://www.xlr8yourmac.com/index.html#S25936

http://support.apple.com/kb/HT3789?viewlocale=en_US

BUT THE SECOND LINK IS BROKEN!!! I still don't know how to do this!! And it looks like it was an APPLE Support site, now broken... not cool


Update final:

http://support.apple.com/kb/HT3789?viewlocale=en_US

Last edited by michaelwithe21; Sep 24, 2009 at 07:27 PM. Reason: Problem solved
Old Sep 4, 2009, 11:21 AM   #2
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Anyone out there??? C'mon people, this is HUGE!!!

There is absolutely no reason why we should be required to use mDNSResponder/Bonjour to be able to access the internet or assign IPs!!!

It has always been a big security hole and has always been optional, but with Snow Leopard it appears to be required to have ANY access to the internet!!

WHY IS THIS!!??
Old Sep 4, 2009, 12:43 PM   #3
alexeismertin
macrumors regular
 
Join Date: Jun 2005
Location: Bristol, UK
I noticed this straight away & scoured the web for answers/solutions but nothing! I tried changing the 2 mDNSResponder plists manually but it carried on 'responding'.

Yep this is a BIG SL problem.
Old Sep 4, 2009, 01:57 PM   #4
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Well, I haven't solved it, but I can at least limit it... here is what I did (without "disabling via terminal", which leaves no connectivity)...

Using Little Snitch I was able to block access to mDNSResponder, but when this is done by itself, it gives limited access to the internet... when I say limited, Safari would not load some websites/parts of the websites and would hang on the load... but my torrents download fine in the background (firewall configured for torrent port)...

SO, I denied all access to ff02::fb and 224.0.0.251... and then made a rule ALLOWING only access to the router IP. This I believe will stop some of the security holes that Bonjour brings...

UPDATE: I also blocked incoming traffic on ports 7648 and 5354 with NoobProof


NOTE: in the network monitor, these are what gets connected to mDNSResponder:
RouterIPAddress
ff02::fb
User.local
224.0.0.251

DO NOT TRY TO BLOCK YOUR User.local!!! It will crash your Little Snitch for obvious reasons!! =)

I'm gonna mess around a bit more with what to block and allow...

QUESTION:

1) Does mDNSResponder receive or listen for "incoming" connections from other computers which have bonjour/mDNSResponder on?

2) If so, then what port/protocol can I "block" within my "incoming" firewall (NoobProof)?

UPDATE: I found this on iana.org. Block all of these via firewall, in and out (Little Snitch/NoobProof):
mdnsresponder 5354/tcp Multicast DNS Responder IPC
mdnsresponder 5354/udp Multicast DNS Responder IPC
cuseeme 7648/tcp bonjour-cuseeme
cuseeme 7648/udp bonjour-cuseeme
mdns 5353/tcp Multicast DNS
mdns 5353/udp Multicast DNS

So, anyone know of any better ways to stop mDNSResponder from spreading its VD all over my computer?

Last edited by michaelwithe21; Sep 4, 2009 at 11:42 PM.
Old Sep 15, 2009, 08:25 AM   #5
Dunepilot
macrumors 6502a
 
Join Date: Feb 2002
Location: UK
Wow, this really is a big deal. We're just about to disable Bonjour on all Macs on our network, but won't be able to do this when we deploy SL, as it stands.

Has anyone submitted this as a bug to Apple yet?
Old Sep 16, 2009, 10:41 AM   #6
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Re-Post in reply to another forum

So here is my REAL question...

Let's say one does not NEED these things, such as a constant broadcast to the local network; how could I safely disable the "features" that Bonjour/mDNSResponder uses...

Obviously disabling mDNSResponder completely kills all DNS, and blocking it on my firewall (in/out) for its listening ports and to router/ff02::fb/local just makes it act weird, randomly working...

So how can I disable "Bonjour" from advertising on the network without turning off mDNSResponder? (still waiting for an answer from Apple)...

I hate to repeat myself but, c'mon!! What can I block on my firewall, in or out, that would stop it from broadcasting without cutting it off internally/locally??

See other forum regarding similar issue at apple:

http://discussions.apple.com/thread....24435#10224435
Old Sep 22, 2009, 01:08 AM   #7
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Updated questions:

(question/comment from other forum below)

Thanks Naudecob for your matching concerns...

To answer your question, "is this also an issue with Leopard 10.5 or only with SL 10.6?"

Yes, this is specifically a Snow Leopard issue. It appears that Apple knows about this; they "gave" mDNSResponder the responsibility of assigning local IP addresses (and many other network attributes)... which is supposedly the reason why basic internet does not function after mDNSResponder is disabled.

But what I still don't understand... Bonjour relies on mDNSResponder to function... hence, when mDNSResponder is disabled in Leopard 10.5, all Bonjour-requiring apps will not function (i.e. disables Bonjour)... NOTE: I realize you can disable the Bonjour GUI (interface) via the preferences of the apps that use it, but this does not stop the "advertisement" of Bonjour to other computers on the network.

1) How does one disable Bonjour in Snow Leopard without having to disable mDNSResponder? (i.e. stop Bonjour from advertising to other networks without having to disable it individually within each Bonjour-requiring app)

2) What is the relationship between Bonjour and mDNSResponder in Snow Leopard?

3) Does Bonjour work the same way with mDNSResponder as it did in 10.5?
Old Sep 24, 2009, 02:19 PM   #8
APlus84
macrumors newbie
 
Join Date: Sep 2009
Location: Hawaii
Been diddling on another thread with similar issue:

http://forums.macrumors.com/showthre...=1#post8523442

This I don't understand and seems relevant here -

I had network issues which were solved by putting my router back in (other thread if you are interested). There was very little modem activity with router. Nothing odd for about 45 minutes.

Then Time Machine did a scheduled backup. The modem lit up and Little Snitch reported constant activity on mDNSResponder, alternating between ns.oceanic.com and dns2.oceanic.net (Oceanic [Time Warner] is my ISP).

Can't see why my ISP needs to know anything after a Time Machine backup.

Got to thinking that the modem activity which got me all excited about this after the SL upgrade never happened until some time had passed with the computer active. Might be coincidence but it had started right after Time Machine did its thing this time.

Did a Restart of the computer. Normal modem startup activity and then all quiet. Little modem, Activity Monitor or Little Snitch action. KUHL!

After a few minutes, I forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Turned Time Machine off, put the computer to sleep.

This morning I had no unexpected activity for about 3 hours. Finished what I need to do and did a test - forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Did a Restart of the computer. Normal modem startup activity and then all quiet. Little modem, Activity Monitor or Little Snitch action. After 10 minutes, I forced a Time Machine Back Up Now. My modem, Activity Monitor and Little Snitch (mDNSResponder Oceanic) began to party.

Did the above 3 times with same result. Bit of a stretch to think it is coincidence.

Curious, eh?
__________________
MacPro4.1 2.66GHz Quad (Early 2009), 12GB RAM, WD Velociraptor 300GB
Old Sep 24, 2009, 04:57 PM   #9
Catfish_Man
macrumors 68030
 
Join Date: Sep 2001
Location: Portland, OR
Not really, just means Time Machine is doing at least one DNS lookup.
Old Sep 24, 2009, 07:25 PM   #10
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Problem solved

The below link is Apple's description for admins to disable Bonjour advertisement without disabling mDNSResponder (which is in charge of DNS in 10.6 SL Snow Leopard)

http://support.apple.com/kb/HT3789?viewlocale=en_US
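The Apple article linked above has administrators add the -NoMulticastAdvertisements argument to the mDNSResponder launchd job instead of unloading the daemon. The following Python is an added example, not from the thread or from Apple: it makes and verifies that edit on an in-memory copy of the job's plist; the plist text is a constructed stand-in that carries only the keys the check needs, not a copy of the real file.

```python
"""Apply and verify the 'stop advertising, keep resolving' change to the
mDNSResponder launchd job, working on an in-memory copy of its plist."""
import plistlib

# Constructed stand-in for /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist.
# Only the keys this check needs are present; it is not a copy of the real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
"""

# Daemon argument that turns off multicast advertisement of this host's own
# services while leaving lookups (unicast DNS on port 53 included) in place.
NO_ADVERTISE = "-NoMulticastAdvertisements"


def program_arguments(plist_bytes: bytes) -> list:
    """Return the ProgramArguments array, i.e. the daemon's command line."""
    return list(plistlib.loads(plist_bytes).get("ProgramArguments", []))


def advertising_disabled(plist_bytes: bytes) -> bool:
    """True if the job would start mDNSResponder with advertising turned off."""
    return NO_ADVERTISE in program_arguments(plist_bytes)


def disable_advertising(plist_bytes: bytes) -> bytes:
    """Return the plist with the flag appended exactly once.

    Nothing else in the dict changes, so the job keeps its label and binary
    path and the daemon keeps answering DNS; this is the 'edit the job' route
    rather than the 'unload the job' route that kills resolution.  On disk the
    file must stay owned by root:wheel and not be writable by others, or
    launchd rejects the job (the permission trap reported later in the thread).
    """
    data = plistlib.loads(plist_bytes)
    args = data.setdefault("ProgramArguments", ["/usr/sbin/mDNSResponder"])
    if NO_ADVERTISE not in args:
        args.append(NO_ADVERTISE)
    return plistlib.dumps(data)


if __name__ == "__main__":
    patched = disable_advertising(SAMPLE_PLIST)
    print("before:", program_arguments(SAMPLE_PLIST))
    print("after: ", program_arguments(patched))
```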
Old Sep 29, 2009, 02:07 AM   #11
nelly22
macrumors regular
 
Join Date: Sep 2009
Quote: Originally Posted by michaelwithe21
The below link is Apple's description for admins to disable Bonjour advertisement without disabling mDNSResponder (which is in charge of DNS in 10.6 SL Snow Leopard)

http://support.apple.com/kb/HT3789?viewlocale=en_US
Cool!

So if I do this trick which is in the above link, then my neighbors don't see my Mac and all other security/privacy problems are gone?

What are the *exact* rules I should put in Little Snitch? Are these correct?

mDNSResponder:
Allow every connection
Deny TCP connections to port 5353 (mdns)
Deny UDP connections to port 5353 (mdns)
Deny TCP connections to port 5354 (mdnsresponder)
Deny UDP connections to port 5354 (mdnsresponder)
Deny TCP connections to port 7648 (cuseeme)
Deny UDP connections to port 7648 (cuseeme)

If I don't use cuseeme, do I need those 2 last rules?

How about these:
Allow connections to broadcast addresses
Allow connections to multicast addresses
Allow connections to IPv6 multicast addresses

Thanks!

Last edited by nelly22; Sep 29, 2009 at 03:23 AM.
Old Sep 30, 2009, 10:54 AM   #12
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Quote: Originally Posted by nelly22
So if I do this trick which is in the above link, then my neighbors don't see my Mac and all other security/privacy problems are gone?

What are the *exact* rules I should put in Little Snitch? Are these correct?
Thanks!
Hey nelly, if you do the "trick" from the link above, there is no need to block any outgoing connections in Little Snitch. The trick stops all "advertisement" of your computer via mDNSResponder/Bonjour to the local network... furthermore, I would recommend allowing ALL outgoing connections for mDNSResponder (allow all application/process) in Snow Leopard.

But for the paranoid (like myself), you could block "incoming" connections via a firewall like noobproof.app; this will stop YOU from seeing OTHER people on the local network =) (which will be logged)

My incoming port connections are as follows (noobproof.app):

Name a rule "bonjour": deny all
Ports: 5298,5354,7648 (maybe 5353, see below)

Note: the default listening port for bonjour is 5353, but this port is already listed within the "system services" rule, so I would recommend setting "system services" to "deny all"...

Note: if you need incoming access to the other "system services" rule (i.e. 53, 67, 68, 123) for any reason (which a normal user shouldn't), create a new rule named "system services2" without the 5353 port, then add 5353 to the "bonjour" rule mentioned above... afterwards, don't forget to delete the old "system services" rule...

For the rule "*All other services", choose allow; denying it will cause problems. (If you can figure out which ports that are not listed are causing this, let me know.)

on another note, use an "nmap" scan on "your" neighbors wifi network, find out what hardware/router hes running, look up his default gateway ip (open terminal type "ifconfig", look for gateway, usually 192.168.0.1 or 192.168.1.1, enter that ip to your browser) and see if hes changed his router default admin password (ie admin or password is the default)... if you are able login to the router as admin, assign their IPs via DHCP table (MAC address) and set your own, then forward ports you need (ie torrent/games/ssh/vnc) and then disable ALL router logging (security tab)... and if you want, you can mess with JUST their internal IPs and have some fun

**the dark side of mac**

Last edited by michaelwithe21; Sep 30, 2009 at 11:14 AM.
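To make the rule sets from posts #4, #11 and #12 concrete, here is an added Python model (not from the thread, nor from Little Snitch or NoobProof) that labels mDNSResponder's connections and evaluates three policies against them, showing which ones keep unicast DNS alive while stopping multicast advertisement. The gateway address and the connection list are constructed samples, and first-match-wins rule ordering is an assumption.

```python
"""Model the firewall rules discussed in the thread and check what each does
to mDNSResponder's two jobs: multicast service discovery/advertisement
(UDP 5353 to 224.0.0.251 / ff02::fb) and ordinary unicast DNS (port 53)."""
import ipaddress
from dataclasses import dataclass

# The two mDNS groups listed in post #4's network monitor.
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}


@dataclass(frozen=True)
class Conn:
    dst: str    # destination address as the network monitor shows it
    port: int
    proto: str  # "udp" or "tcp"


def classify(c: Conn) -> str:
    """Label a connection the way the thread tells them apart."""
    addr = ipaddress.ip_address(c.dst)
    if c.port == 5353 and addr in MDNS_GROUPS:
        return "mdns-multicast"        # LAN discovery and advertisement
    if c.port == 53:
        return "unicast-dns"           # name resolution; Safari depends on this
    if c.port in (5354, 7648, 5298):
        return "bonjour-related"       # the IANA entries quoted in the thread
    return "other"


# A policy is an ordered list of (action, predicate); first match wins
# (assumed here to mirror how a rule list is evaluated).
def any_conn(_c: Conn) -> bool:
    return True

def to_port(p: int):
    return lambda c: c.port == p

def to_multicast(c: Conn) -> bool:
    return ipaddress.ip_address(c.dst).is_multicast

POLICIES = {
    # Post #1: unloading the daemon, or denying it every connection.
    "deny all": [("deny", any_conn)],
    # Posts #11/#12: deny only the Bonjour ports, allow everything else.
    "deny bonjour ports": [("deny", to_port(p)) for p in (5353, 5354, 7648, 5298)]
                          + [("allow", any_conn)],
    # Post #4: deny the two multicast groups, allow the gateway/resolver.
    "deny multicast groups": [("deny", to_multicast), ("allow", any_conn)],
}


def decide(policy, c: Conn) -> str:
    for action, pred in policy:
        if pred(c):
            return action
    return "allow"


# Constructed sample of the connections post #4 lists for mDNSResponder;
# the gateway address is made up, the multicast groups are the real ones.
SAMPLE = [
    Conn("224.0.0.251", 5353, "udp"),
    Conn("ff02::fb", 5353, "udp"),
    Conn("192.168.1.1", 53, "udp"),
]


def dns_survives(policy_name: str) -> bool:
    """Does unicast DNS still get through under this policy?"""
    return all(decide(POLICIES[policy_name], c) == "allow"
               for c in SAMPLE if classify(c) == "unicast-dns")


def advertising_blocked(policy_name: str) -> bool:
    """Is all multicast mDNS traffic stopped under this policy?"""
    return all(decide(POLICIES[policy_name], c) == "deny"
               for c in SAMPLE if classify(c) == "mdns-multicast")
```

Running dns_survives over the three policies reproduces the thread's finding: only "deny all" takes unicast DNS down with the multicast traffic.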
Old Oct 4, 2009, 11:55 AM   #13
APlus84
macrumors newbie
 
Join Date: Sep 2009
Location: Hawaii
I've been driving computers for many years but don't know what makes them work. Sorry if this is stupid but I'm nervous seeing the Send/Receive cable modem activity I have. I'd appreciate an explanation.

Didn't do this until the 10.6.1 upgrade. Not allowing Broadcast and Multicast items in Little Snitch had no effect.

We're talking Network here but my Finder>Network window shows no items. Bonjour Browser shows 0-local. I have a router (wireless OFF), LAN is Mac (no AirPort) and a PC (OFF). Only open application is TextEdit I'm using for this note.

But, the Send/Receive cable modem activity is constant. Little Snitch Connection History:

Connection report for process: mDNSResponder (/usr/sbin/mDNSResponder)
05:35
Total: 2.3MB sent, 3.4MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.1MB sent, 2.3MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 1.1MB received

05:40
Total: 2.4MB sent, 3.6MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 2.4MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 1.2MB received

05:45
Total: 2.6MB sent, 3.8MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.3MB sent, 2.5MB received
address/domain, Port 53 (domain), Protocol 17 (UDP), 1.3MB sent, 1.3MB received

Not huge but consistent. Doubt my "stuff" is being downloaded but it is very disquieting.

Thanks.
Doug

Last edited by APlus84; Oct 5, 2009 at 11:04 AM.
Old Oct 4, 2009, 11:29 PM   #14
michaelwithe21
Thread Starter
macrumors member
 
Join Date: Mar 2009
Location: CA
Aplus,
Please remove the IP addresses and domains from your post (unless they are internally assigned), but I was able to find your ISP and general location via www.whois.is; if you wish to contact the IP it is connecting to, doug.stanfield@twcable.com
IP: 24.165.45.231... roadrunner time warner


But port 53 is DNS (domain name server), and Snow Leopard has made mDNSResponder responsible for all DNS assignment and activity. So don't go accusing your ISP of knowing anything =)

Have you even tried the method shown above before demanding answers from forums? The method mentioned in the link above will disable the advertisement of your network locally using Bonjour/mDNSResponder.

Are you using a router? The only connections that my mDNSResponder shows (Little Snitch) are to my gateway router IP (which yours is not) and a couple of other internal IPs and broadcasts, and it only does it once in a while using only a couple of kBs, as seen (20 min of use, using Snow Leopard browsing the internet and such):

Connection report for process: mDNSResponder (/usr/sbin/mDNSResponder)
Total: 1.5kB sent, 3.1kB received
192.168.X.X (192.168.X.X), Port 53 (domain), Protocol 17 (UDP), 1.5kB sent, 3.1kB received

Let me know if you find a solution.
Old Oct 5, 2009, 12:38 PM   #15
APlus84
macrumors newbie
 
Join Date: Sep 2009
Location: Hawaii
--> michaelwithe21

I tried the Deny items listed here and unchecked all the Multicast and Broadcast Allow rules in Little Snitch with no change.

I tried the mDNSResponder.plist addition. As in the private note to you, the Save As to the Desktop and replace changes the Permissions to User, system and wheel are not there. Such is above my ability but the result was no internet connection at all.

I can see you are using NoobProof but their web site and VersionTracker list v1.4 for OS 10.5, nothing for OS 10.6. You know what you are doing but I worry that using it with 10.6 not listed could cause me more problems than I currently have. I'm not that good on this thing.

"... only connections that my mDNSResponder shows (littleSnitch), is to my gateway router IP (which yours is not), ...."

I have a router but your Update has NoobProof items and I don't have that.

The oddest thing is I have none of this unexplained activity after a fresh boot of the computer until TimeMachine does a backup. With TimeMachine Off I can diddle for hours. However, even with TimeMachine Off the unexplained activity is there if I wake the computer after Sleep. A Restart stops the activity.

A restart seems an inelegant solution but I seem to have worn out my welcome here. Thanks for the time, I appreciate the effort.
Old Nov 29, 2009, 01:59 PM   #16
APlus84
macrumors newbie
 
Join Date: Sep 2009
Location: Hawaii
Problem Solved for me

Four calls to Apple got no help. Even sent them the file from their Data Capture program - never heard from them again.

Turns out it was self inflicted but others who just drive these things and aren't wizard on the workings might find something similar.

Thank you michaelwithe21 for pointing me in the right direction by mentioning that my router was not acting as a gateway. Been busy with Power of Attorney for my parents' finances but did remember the comment.

I did not have a router when my cable modem was installed. I was running Tiger at the time, imported Settings when I moved to Leopard and did an Upgrade to Snow Leopard. The unknown modem activity did not start until the SL upgrade.

I don't know if this was automatic or the installer put them there originally but I found two addresses, grayed but visible, in the System Preferences>Network DNS Server field. They were my two ISP server addresses Little Snitch indicated were active when I had the activity.

Clicked Advanced and DNS. Added my router address with + IPv4 or IPv6 addresses. The two servers disappeared and now the router is the only address in the DNS Servers field.

No more Chatty Cathy.

I suppose those in the know think this obvious. I didn't.
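An added Python example (not from the thread or from Little Snitch) that parses a connection report in the format quoted in posts #13 and #14 and flags DNS peers outside the LAN, which is exactly the leftover-ISP-resolver situation this last post traces the activity to. The report text is constructed: the two external resolvers use documentation addresses, the gateway line mirrors the "192.168.X.X" entry from post #14, and 192.168.1.0/24 is an assumed LAN.

```python
"""Parse a Little Snitch 'Connection report' for mDNSResponder and flag DNS
traffic that leaves the LAN, i.e. resolvers that are not the router."""
import re
from decimal import Decimal
import ipaddress

# One connection line, e.g.
# "192.168.1.1 (192.168.1.1), Port 53 (domain), Protocol 17 (UDP), 1.5kB sent, 3.1kB received"
LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F.:]+) \((?P<name>[^)]*)\), Port (?P<port>\d+) \([^)]*\), "
    r"Protocol (?P<proto>\d+) \([^)]*\), (?P<sent>[\d.]+)(?P<su>[kMG]?B) sent, "
    r"(?P<recv>[\d.]+)(?P<ru>[kMG]?B) received$")
UNITS = {"B": 1, "kB": 1_000, "MB": 1_000_000, "GB": 1_000_000_000}

# Constructed report in the layout the thread quotes.  203.0.113.0/24 is a
# documentation range standing in for the ISP resolvers; the last line is
# the small amount of gateway-only traffic a healthy setup shows.
SAMPLE_REPORT = """Connection report for process: mDNSResponder (/usr/sbin/mDNSResponder)
05:35
Total: 2.3MB sent, 3.4MB received
203.0.113.10 (ns.example.net), Port 53 (domain), Protocol 17 (UDP), 1.1MB sent, 2.3MB received
203.0.113.11 (dns2.example.net), Port 53 (domain), Protocol 17 (UDP), 1.2MB sent, 1.1MB received
192.168.1.1 (192.168.1.1), Port 53 (domain), Protocol 17 (UDP), 1.5kB sent, 3.1kB received
"""


def to_bytes(value: str, unit: str) -> int:
    """Convert '1.1' + 'MB' to an exact byte count (Decimal avoids float drift)."""
    return int(Decimal(value) * UNITS[unit])


def parse_report(text: str) -> list:
    """Return one dict per connection line; header and Total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "addr": m["addr"], "name": m["name"],
            "port": int(m["port"]), "proto": int(m["proto"]),
            "sent": to_bytes(m["sent"], m["su"]),
            "received": to_bytes(m["recv"], m["ru"]),
        })
    return rows


def external_dns_servers(rows: list, lan: str) -> list:
    """Port-53 peers outside the LAN, busiest first.

    This is what post #16 found: ISP resolvers left in Network preferences,
    so mDNSResponder's unicast DNS went to the ISP instead of the router."""
    net = ipaddress.ip_network(lan)
    outside = [r for r in rows
               if r["port"] == 53 and ipaddress.ip_address(r["addr"]) not in net]
    outside.sort(key=lambda r: r["sent"] + r["received"], reverse=True)
    return [r["addr"] for r in outside]


def share_outside_lan(rows: list, lan: str) -> float:
    """Fraction of all reported bytes exchanged with peers outside the LAN."""
    net = ipaddress.ip_network(lan)
    total = sum(r["sent"] + r["received"] for r in rows)
    outside = sum(r["sent"] + r["received"] for r in rows
                  if ipaddress.ip_address(r["addr"]) not in net)
    return outside / total if total else 0.0


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("external resolvers:", external_dns_servers(rows, "192.168.1.0/24"))
    print("share of bytes leaving the LAN: %.1f%%" % (100 * share_outside_lan(rows, "192.168.1.0/24")))
```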
