Easiest way to filter mDNS traffic

ndrp

Occasional Visitor
mDNS traffic is peaking over 1 Mbps, sometimes over 2 Mbps. Are there access points or WLAN routers that can filter mDNS traffic, or can a cheap switch do the same thing?

I would not like to put my WLAN behind a router to stop mDNS traffic. I would like to use the same L2 network.

The source of the mDNS traffic is Apple's devices.
 
Need a bit more info. How many devices are there? You would probably need to get something that does DPI (deep packet inspection) in order to block the protocol on the network. Even then, I am not sure you would get the result you are looking for. You could try blocking UDP port 5353, but devices would still be sending packets out. If you don't need this feature, it's best to disable it on each device. Not sure how much bandwidth you save trying to block the protocol.
 
mDNS traffic is typically LAN only - and depending on your network config you might want to keep it around...

(mDNS traffic is typically Bonjour/Rendezvous on Mac/Windows (w/iTunes)/Linux (avahi), and generally LAN/subnet limited)

If you're seeing mDNS traffic heading out to the WAN side, you've probably got a security problem with a compromised device.
 
I made some new measurements at 2 PM.

This is multicast DNS traffic in the air, bits per second
http://i.imgur.com/y6laser.png

This is multicast DNS traffic in the air, packets per second
http://i.imgur.com/uUZFRfd.png


I tried to get the device count. I used mDNS Tools http://sourceforge.net/projects/mdnstools/ and ran it for about 15 minutes:
mdnsdiscovery.exe -j > hosts.txt
Listening for multicast messages on '224.0.0.251'...
Press CTRL + C to quit

Then I removed duplicate lines in Cygwin
cat hosts.txt | sort | uniq >> hostlist.txt

I found 1089 different hosts. Wireshark tells me that there are 1000 to 2000 packets per second in the air. So every host is sending at least one mDNS packet per second? mDNSDiscovery.exe shows only IPv4 traffic. Wireshark measures IPv4 and IPv6 traffic.
 

wow! that's crazy...

Can you tell a bit more about the environment? e.g. business/enterprise/home/etc...

If this is a home network, what other devices are on the network? If it is a home network, either you've got a broken device or perhaps some kind of malware...
 
ok... remember mDNS is Bonjour, so it's trying to do device discovery/lookups, and it also does DNS-SD...

block/filter UDP 5353

block the following: 224.0.0.251 (IPv4) and FF02::FB (IPv6) - these are the mDNS multicast IP addresses

MAC filter/block - 01:00:5E:00:00:FB and 33:33:00:00:00:FB

Should be good from there.
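To make the two technical points in this thread concrete (the OP's host count, where mdnsdiscovery sees only IPv4 while Wireshark sees IPv4 and IPv6, and the three filter criteria in the reply above: UDP 5353, the 224.0.0.251 / FF02::FB groups, and the 01:00:5E:00:00:FB / 33:33:00:00:00:FB MACs), here is an added example that is not any poster's code. It builds a few Ethernet/IP/UDP frames inline (the MACs, addresses and hosts are made up), parses them back, reports which of the three rules each frame would hit, and counts distinct senders and the IPv4/IPv6 split. It assumes plain UDP with no IPv6 extension headers, which is what ordinary mDNS looks like.

```python
"""Added example for this thread (not any poster's code): parse constructed
Ethernet/IP/UDP frames, flag mDNS by the three criteria posted in the thread,
and count distinct senders and the IPv4/IPv6 split the way the OP compared
mdnsdiscovery (IPv4 only) against Wireshark (IPv4 + IPv6).
All frames below are constructed inline; MACs and hosts are made up."""
import struct
import ipaddress

MDNS_PORT = 5353
MDNS_V4 = ipaddress.ip_address("224.0.0.251")
MDNS_V6 = ipaddress.ip_address("ff02::fb")
MDNS_MAC_V4 = bytes.fromhex("01005e0000fb")   # 01:00:5E:00:00:FB
MDNS_MAC_V6 = bytes.fromhex("3333000000fb")   # 33:33:00:00:00:FB
ETH_IPV4, ETH_IPV6, PROTO_UDP = 0x0800, 0x86DD, 17


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.strip(".").split(".")) + b"\x00"


def mdns_query(name, qtype=12):
    """Minimal query: ID 0, one question, type 12 = PTR (what DNS-SD browsing sends)."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # checksum left 0


def frame_v4(src_mac, src_ip, dst_ip, dst_mac, sport, dport, data):
    seg = udp(sport, dport, data)
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 255, PROTO_UDP, 0, src, dst)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + seg


def frame_v6(src_mac, src_ip, dst_ip, dst_mac, sport, dport, data):
    seg = udp(sport, dport, data)
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(seg), PROTO_UDP, 255, src, dst)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV6) + ip + seg


def parse_frame(frame):
    """Return the fields a filter needs, or None if not IPv4/IPv6 UDP.
    Assumption: no IPv6 extension headers (true for ordinary mDNS)."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETH_IPV4 and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4
        proto, src, dst, l4 = body[9], body[12:16], body[16:20], body[ihl:]
    elif ethertype == ETH_IPV6 and len(body) >= 40:
        proto, src, dst, l4 = body[6], body[8:24], body[24:40], body[40:]
    else:
        return None
    if proto != PROTO_UDP or len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"dst_mac": dst_mac, "src_mac": src_mac,
            "src_ip": ipaddress.ip_address(src), "dst_ip": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport}


def rule_hits(pkt):
    """Which of the three filter rules posted in the thread this packet would match."""
    return {"udp_5353": pkt["dport"] == MDNS_PORT,
            "mcast_ip": pkt["dst_ip"] in (MDNS_V4, MDNS_V6),
            "mcast_mac": pkt["dst_mac"] in (MDNS_MAC_V4, MDNS_MAC_V6)}


def is_mdns(pkt):
    hits = rule_hits(pkt)
    return hits["udp_5353"] and hits["mcast_ip"]


def summarize(frames, seconds):
    """Distinct senders, IPv4/IPv6 split and packets per second, as in the OP's measurement.
    hosts_seen_on_ipv4 is what an IPv4-only listener (mdnsdiscovery) would count."""
    pkts = [p for p in map(parse_frame, frames) if p is not None and is_mdns(p)]
    v4 = sum(1 for p in pkts if p["dst_ip"].version == 4)
    return {"mdns_frames": len(pkts),
            "hosts": len({p["src_mac"] for p in pkts}),
            "hosts_seen_on_ipv4": len({p["src_mac"] for p in pkts if p["dst_ip"].version == 4}),
            "ipv4": v4, "ipv6": len(pkts) - v4, "pps": len(pkts) / seconds}


# Constructed sample traffic: host A browses over both IPv4 and IPv6, host B is
# IPv6-only for mDNS, and B also sends an ordinary unicast DNS query that must not match.
MAC_A, MAC_B = bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000002")
Q = mdns_query("_services._dns-sd._udp.local")
SAMPLE = [
    frame_v4(MAC_A, "192.168.1.10", "224.0.0.251", MDNS_MAC_V4, 5353, 5353, Q),
    frame_v6(MAC_A, "fe80::1", "ff02::fb", MDNS_MAC_V6, 5353, 5353, Q),
    frame_v6(MAC_B, "fe80::2", "ff02::fb", MDNS_MAC_V6, 5353, 5353, Q),
    frame_v4(MAC_B, "192.168.1.11", "8.8.8.8", bytes.fromhex("001122334455"), 40000, 53, Q),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, seconds=2))
    for f in SAMPLE:
        print(rule_hits(parse_frame(f)))
```

Two things the sample is built to show: an IPv4-only listener undercounts (host B only ever appears on FF02::FB), so an ACL on 224.0.0.251 alone leaves the IPv6 half of the traffic untouched; and, as the earlier reply noted, any of these filters only drops frames at the filtering device, so on a shared Wi-Fi segment the clients are still transmitting and the airtime is still consumed.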
 
