Bonjour is Apple’s way of doing zero-configuration networking. It’s a bit of software that does three things:
- Service discovery on the local network (LAN)
- IP address assignment/sharing
- Hostname resolution
Normally, things like IP address assignment are handled by DHCP. With Bonjour, the idea is that all you have to do is plug your gizmos in, and turn them on. Bonjour will then “scan” the network, and all devices and services on the LAN will be automagically configured for you. Each gizmo will have an automatically configured IP and hostname, and you’re done.
This is great, except when you don’t want Bonjour to do its thing. Perhaps you have a mostly Windows/Linux LAN, or you want to restrict access to a certain group of computers on your LAN that are separated from the rest by a physical home router/firewall. Bonjour makes this rather difficult, since it sneaks by basic IP/MAC filtering you might set in your router.
So, how do you block Bonjour?
It will first help to understand what Bonjour is actually doing. Most people will tell you, “Oh, just block UDP port 5353, and you’re done!”
It’s a bit more complicated than that, actually…
Bonjour uses mDNS, or multicast DNS, combined with DNS-SD (Domain Name System – Service Discovery).
mDNS resolves host names to IP addresses within local networks without using a DNS server. Basically, it broadcasts query messages onto the local network. When other puters that are running receive those packets, they respond. Each machine has it’s own local hostname, and its own link-local address.
A link-local address will probably be familiar to you as those “default” IP addresses that your puter gives itself when it can’t get an IP from a DHCP server. Specifically, link-local addies are those IPs in the range 169.254.1.0 – 169.254.254.255 (for IPv4).
Coupled with this hostname-IP setup, Bonjour also uses DNS-SD (which also uses local DNS record queries) to establish the services and capabilities of each machine on the local network.
Thus, with mDNS + DNS-SD, Bonjour can set up file sharing, media sharing, printers, and all kinds of stuff on a local network without any parent DHCP or DNS servers/routers.
All of this is done without any configuration on your part.
Well, that’s great, but the question remains: How do I block Bonjour when I don’t want Machine A to see Machine B?
It turns out that mDNS multicasts a UDP packet to:
- MAC addresses:
- 01:00:5E:00:00:FB – IPv4
- 33:33:00:00:00:FB – IPv6
- IP addresses:
- 220.127.116.11 – multicast IPv4 address
- FF02::FB – multicast IPv6 address
- UDP port 5353
So, the first obvious thing that everyone tries is to block traffic on UDP port 5353. That’s all well and good, but it doesn’t block Bonjour because it’s only part of the solution.
The reason is that you also need to block the mDNS multicast IP address – not just UDP port 5353 on your DHCP-assigned IP addies.
Note that routers/gateways are not supposed to pass on multicasts, but often they do anyway. Some routers also have an option called something like “Multicast pass-through”. If your gizmo has this option, disable it.
In common home IPv4 routers nowadays, that means you need to block traffic on 18.104.22.168. For IPv6, block FF02::FB. These multicast addresses are what is used by each puter to broadcast themselves to other puters on the network using services like Bonjour.
Finally, many routers have MAC address filtering. Use this filtering to block access to the IPv4 and/or IPv6 MAC addresses listed above: 01:00:5E:00:00:FB and 33:33:00:00:00:FB.
If you need a new router with more options, check out TP-Link’s products.
After you’re done blocking these 3 things, try again and see if Bonjour will find other gizmos on your network. You should discover that Bonjour no longer works.
And you’re done!