
schlupps

macrumors 6502
Original poster
Sep 22, 2020
RheinMain - Germany
Hi,

Does anyone know why there is an open/listening port 53 on my AppleTV, which can be used as a DNS server in my network, or (and that is somewhat worse) to completely bypass or ignore my pihole filters? Even though my pihole is set as the DNS in the AppleTV's network config, the pihole is not even used for these requests, which makes me think the AppleTV is using an external resolver =/

I am having a hard time understanding this. Might it be related to this openthread thing? If this is the case, will the small HomePods show this behavior as well and act as DNS resolvers, too?

((Device is an AppleTV 4K latest gen, with recent software, no beta. Attached to wired network; my pihole's IP is set as DNS server in the AppleTV's network config.))

Thanks for your thoughts and ideas.
Best regards,
schlupps
 
Good point! I ran tcpdump on my pihole. But as I only dumped the IPv4 traffic to/from the ATV's IPv4 address, I might have to check if the Apple TV is talking DNS over IPv6 here?
 
does anyone know, why there is an open/listening port 53 on my AppleTV,

Can't find any reference to that specific port being open on the Apple TV, although it is listed on the common ports reference.


 
Sure, all devices use port 53 to connect to resolvers for DNS (address resolution), but offering this particular service is a little bit strange for a streaming device, right? I have no clue if this is maybe part of this openthread stuff. If so, I'd love to see an option to disable it... or disable the DNS server part in the Apple TV altogether.
 
Does anyone know why there is an open/listening port 53 on my AppleTV, which can be used as a DNS server in my network, or (and that is somewhat worse) to completely bypass or ignore my pihole filters? Even though my pihole is set as the DNS in the AppleTV's network config, the pihole is not even used for these requests, which makes me think the AppleTV is using an external resolver =/
Your report is interesting, but I can't find any functioning DNS server on my Apple TV 4K (1st-gen) running tvOS 15.2.

On my Mac, I changed my System Preferences-->Network entry to hard-code the address of the ATV as the DNS server for that Mac. Thereafter, the Mac acted as one would expect if it had no access to a DNS server -- i.e., it was unable to resolve external domains with 'nslookup' or 'dns-sd' or in Firefox. (I could still resolve a few local network devices, though.)

I'm curious as to how you determined that port 53 was open on your ATV device? If there's a convenient way I'll check out my ATVs, too.

I'm not sure it's relevant, but I'm also running Pi-Hole. However, I've configured its address to be "handed out" from my DHCP server (my router) to all network clients, as opposed to being set in the ATV settings as you've done. I'll also note that both of my Apple TVs do make at least some DNS requests to my pihole, as I have seen from the pihole query logs.
 
Hi.

In the beginning, I was sort of misled when assuming that the ATV will do this resolution/DNS without contacting my pihole. Running two piholes (one device for testing, one 'productive'), I chose the wrong pihole to do the tcpdump for verification (it might have been way too late and way too little coffee ;) ).
So I am still a little confused/worried why my ATV is offering DNS service on open port 53, but it surely uses the configured DNS server (meaning my pihole) as upstream DNS. Sorry for this confusion!

I'm curious as to how you determined that port 53 was open on your ATV device? If there's a convenient way I'll check out my ATVs, too.


With the dig command I'm getting a response from my ATV (192.168.3.92 in my case, and it is the latest version of the 4K ATV). I ran the following command and received a valid response:

Code:
dig macrumors.com @192.168.3.92
 
I checked my Apple TVs (both gen 1) and my HomePod but didn't get a dig response.

But, I did check my HomePod Minis and I did receive dig responses.
 
The pihole's logs were my starting point... seeing it being flooded with huge amounts of requests from my iPhone and iPads asking for "Wohnzimmer.openthread.thread.home.arpa" (my AppleTV4k2ndGen is named 'Wohnzimmer') made me curious/nervous in the first place... I don't know exactly what Apple is doing here, to be honest =/ And my pihole forwarded these requests to upstream resolvers, and this is not a good idea imho.
 
My impression is that this new "Thread" stuff is the root cause... my 1st gen AppleTV4k is a way quieter device regarding the DNS-based traffic around it =))
 
I am seeing intermittent floods (100s to 1000s of requests per second) of DNS queries originating from mdnsresponder on Macs running 12.2 to the Apple TV 4K (2nd generation) for both IPv4 and v6 on a UniFi network.

Doing a tcpdump on port 53 from the MacBook Pro (16-inch, 2019) is an endless wall of DNS queries like these:

Code:
23:05:42.482483 (proc mDNSResponder:247) IP reiya-mbp.home.lan.62141 > living-room.home.lan.domain: 44133+ AAAA? Living-Room.openthread.thread.home.arpa. (57)
23:05:42.483118 (proc mDNSResponder:247) IP reiya-mbp.home.lan.57593 > living-room.home.lan.domain: 52155+ A? Living-Room.openthread.thread.home.arpa. (57)

It is pretty obvious when this occurs, as the MBP sounds like a jet engine at take-off with mdnsresponder eating all the CPU. Packet loss on the UniFi APs also skyrockets at the same time, and it's so severe that AirPlay and everything else starts to drop out.
 
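The flood described in the post above can be spotted automatically from the same tcpdump output. As an added example (not code from anyone in this thread), the Python below parses lines in the quoted format (macOS tcpdump with the `(proc NAME:PID)` column) and reports any source/destination/name combination that exceeds a per-second query threshold; the threshold and the sample capture are constructed.

```python
"""Flag per-second floods of DNS queries in tcpdump output.

Added example for this thread; the 100 qps threshold and the sample
capture are constructed, modelled on the two lines quoted in the post.
"""
import re
from collections import Counter

# One tcpdump line: timestamp, optional "(proc name:pid)", src.port > dst.domain:
# txid[+] QTYPE? qname. (len). Matches IPv4 ("IP") and IPv6 ("IP6") queries.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?:\(proc (?P<proc>[^:)]+):\d+\)\s+)?"
    r"IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.(?:domain|53): "
    r"\d+\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

def parse_line(line):
    """Return the fields of one query line as a dict, or None if it is not a query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = d["qname"].rstrip(".").lower()  # mDNSResponder mixes case in names
    return d

def detect_floods(lines, threshold=100):
    """Return [(second, src, dst, qname, count)] for every combination at or above threshold qps."""
    per_second = Counter()
    for line in lines:
        q = parse_line(line)
        if q:
            per_second[(q["ts"], q["src"], q["dst"], q["qname"])] += 1
    return sorted((k + (n,) for k, n in per_second.items() if n >= threshold),
                  key=lambda t: -t[-1])

def constructed_capture(flood_count=300):
    """Constructed sample: two benign lookups plus a burst like the one reported."""
    lines = ["23:05:41.100000 (proc mDNSResponder:247) IP reiya-mbp.home.lan.50001 > pihole.home.lan.domain: 1+ A? macrumors.com. (31)",
             "23:05:41.200000 (proc mDNSResponder:247) IP reiya-mbp.home.lan.50002 > pihole.home.lan.domain: 2+ AAAA? apple.com. (27)"]
    for i in range(flood_count):
        qtype = "AAAA" if i % 2 == 0 else "A"
        lines.append(f"23:05:42.{i:06d} (proc mDNSResponder:247) IP reiya-mbp.home.lan.{60000 + i} "
                     f"> living-room.home.lan.domain: {44000 + i}+ {qtype}? Living-Room.openthread.thread.home.arpa. (57)")
    return lines

if __name__ == "__main__":
    for sec, src, dst, qname, n in detect_floods(constructed_capture()):
        print(f"{sec} {src} -> {dst} {qname}: {n} queries/s")
```

Feed it a real capture with `python3 flood.py < dump.txt` style plumbing by replacing `constructed_capture()` with `sys.stdin`; A and AAAA lookups for the same name are counted together, since the reported burst alternates between them.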
If I interpret the dump on my DNS/Pihole correctly, the iOS devices behave similarly. Blocking these requests on DNS level pushes <appleTVsName>.openthread.thread.home.arpa pretty fast to the top of my top-blocked-requests. =/
Since that AppleTV is responding to DNS requests, maybe forwarding them from the DNS Pihole with a forward zone to the AppleTV will either relieve this flood, or melt down the AppleTV ;)
I'll experiment with forward zones and try to observe (and check the ATV's temperature ;) ).
 
Welcome to Mac! Windows users always seem to complain Macs are "chatty" on networks! It's because Apple devices that are mounted will announce to the network that they're awake and ready for data! Windows doesn't tell the network when it is ready, you have to guess!
 
Sure, this whole Bonjour stuff will generate some noise on networks. But somehow I have the impression this .openthread.thread.home.arpa thing has a new quality of noise level; it feels noisier than some time ago.
When opening Finder -> Network, there is an object with this particular name openthread.thread.home.arpa, and this object arrived with macOS Monterey, I think. So, with AppleTV4k2ndGen, HomePod Mini and Monterey, Apple's networking even got a little noisier =)

Now fancy a bunch of AppleTV4k2ndGen in a company used in conference rooms or whatever... tough times for the infrastructure, and no wonder if the WLAN feels somewhat "bottlenecked" from time to time =/
 
I’m fairly certain this must be a bug as pushing mDNSResponder to the point it’s maxing out several cores querying the Apple TV thousands of times per second seems anything but remotely normal. Sniffing for DNS packets on the router, switch, and APs trying to reproduce this it’s pretty quiet by comparison when it’s not doing this. I dread the thought of having any of the other Macs act up at the same time.
If I interpret the dump on my DNS/Pihole correctly, the iOS devices behave similarly. Blocking these requests on DNS level pushes <appleTVsName>.openthread.thread.home.arpa pretty fast to the top of my top-blocked-requests. =/
Since that AppleTV is responding to DNS requests, maybe forwarding them from the DNS Pihole with a forward zone to the AppleTV will either relieve this flood, or melt down the AppleTV ;)
I'll experiment with forward zones and try to observe (and check the ATV's temperature ;) ).
If you can packet capture iOS flooding the Apple TV with DNS queries I’d be awfully interested in the logs. Particularly what queries and responses you see just before it starts flooding as there could be some sort of bad retry logic on a malformed response. I haven’t seen that yet myself but it’s about the only good guess I’ve got.

Edit: I caught it again four times today doing this. In roughly ten minutes there were over 900k DNS queries from the MBP to the AppleTV for A and AAAA records for the AppleTV's thread address. lol
 
Sure, this whole Bonjour stuff will generate some noise on networks. But somehow I have the impression this .openthread.thread.home.arpa thing has a new quality of noise level; it feels noisier than some time ago.
When opening Finder -> Network, there is an object with this particular name openthread.thread.home.arpa, and this object arrived with macOS Monterey, I think. So, with AppleTV4k2ndGen, HomePod Mini and Monterey, Apple's networking even got a little noisier =)

Now fancy a bunch of AppleTV4k2ndGen in a company used in conference rooms or whatever... tough times for the infrastructure, and no wonder if the WLAN feels somewhat "bottlenecked" from time to time =/
Do you use HomePods with the Apple TV 4K (2nd gen) as the default audio output by any chance?
 
Do you use HomePods with the Apple TV 4K (2nd gen) as the default audio output by any chance?

Nope. My AppleTV 4K 2nd Gen is connected via HDMI to my Denon AV receiver in the living room. My good old HomePods (1st Gen) are used as the default audio device for my ATV 4K 1st Gen in the bedroom.
 
Late to the party, I guess. But the open port 53 is certainly related to configuring Thread over HomeKit. HomePod mini also has port 53 open, whereas the original HomePod does not. It seems that HomePod mini has some bug which is advertising its hostname, such as HomePod.openthread.thread.home.arpa. Apple (HomeKit) devices are requesting this lookup from the local DNS servers (usually a router or Pi-hole), which don't know about it. On the other hand, Apple TV 4K G2 registers itself with the router, e.g. appletv.openthread.thread.home.arpa, so that if you dig it, the router returns the ATV's IPv4 address. This is all odd because Thread is all over IPv6, I believe.

Disclaimers: These devices are all on OS 15.3. I don't have IPV6 fully enabled on my network.
 