14 May 2015

Block Bonjour!

Bonjour is Apple’s way of doing zero-configuration networking. It’s a bit of software that does three things:

  1. Service discovery on the local network (LAN)
  2. IP address assignment/sharing
  3. Hostname resolution

Normally, things like IP address assignment are handled by DHCP. With Bonjour, the idea is that all you have to do is plug your gizmos in, and turn them on. Bonjour will then “scan” the network, and all devices and services on the LAN will be automagically configured for you. Each gizmo will have an automatically configured IP and hostname, and you’re done.

This is great, except when you don’t want Bonjour to do its thing. Perhaps you have a mostly Windows/Linux LAN, or you want to restrict access to a certain group of computers on your LAN that are separated from the rest by a physical home router/firewall. Bonjour makes this rather difficult, since it sneaks by basic IP/MAC filtering you might set in your router.

So, how do you block Bonjour?

It will first help to understand what Bonjour is actually doing. Most people will tell you, “Oh, just block UDP port 5353, and you’re done!”

It’s a bit more complicated than that, actually…

mDNS

Bonjour uses mDNS, or multicast DNS, combined with DNS-SD (Domain Name System – Service Discovery).

mDNS resolves host names to IP addresses within local networks without using a DNS server. Basically, it multicasts query messages onto the local network. When other puters on the network that are running mDNS receive those packets, they respond. Each machine has its own local hostname, and its own link-local address.

A link-local address will probably be familiar to you as those “default” IP addresses that your puter gives itself when it can’t get an IP from a DHCP server. Specifically, link-local addies are those IPs in the range 169.254.1.0 – 169.254.254.255 (for IPv4).

DNS-SD

Coupled with this hostname-IP setup, Bonjour also uses DNS-SD (which also uses local DNS record queries) to establish the services and capabilities of each machine on the local network.

Thus, with mDNS + DNS-SD, Bonjour can set up file sharing, media sharing, printers, and all kinds of stuff on a local network without any parent DHCP or DNS servers/routers.

All of this is done without any configuration on your part.
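To make the mDNS and DNS-SD description above concrete, here is an added example (my own code, not from this post or from Apple): a minimal encoder and decoder for the messages Bonjour exchanges on 224.0.0.251:5353. It builds the standard DNS-SD service-enumeration query (`_services._dns-sd._udp.local`, type PTR) and decodes a reply that I construct by hand, including the DNS name compression that real responders use. The two advertised services in the reply are made up for the example.

```python
"""Minimal mDNS / DNS-SD message encoder and decoder (added example, not from the post).
Builds the service-enumeration query a Bonjour browser multicasts to
224.0.0.251:5353 and decodes a constructed reply. Handles the record types
DNS-SD browsing needs (PTR, SRV, TXT, A) plus name compression; other types
are returned as raw bytes.
"""
import struct

MDNS_GROUP_V4, MDNS_GROUP_V6, MDNS_PORT = "224.0.0.251", "ff02::fb", 5353
RTYPE = {"A": 1, "PTR": 12, "TXT": 16, "AAAA": 28, "SRV": 33}
RTYPE_NAME = {v: k for k, v in RTYPE.items()}
CLASS_IN = 1
QU_BIT = 0x8000           # top bit of QCLASS: "unicast response wanted" (RFC 6762 s5.4)
CACHE_FLUSH_BIT = 0x8000  # top bit of RRCLASS in answers (RFC 6762 s10.2)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, rtype: str, unicast_response: bool = False) -> bytes:
    """One-question mDNS query; ID is 0 for multicast queries (RFC 6762 s18.1)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", RTYPE[rtype], qclass)


def build_sample_response() -> bytes:
    """Constructed reply listing two (made-up) services, with compression pointers
    (0xC00C -> offset 12, 0xC023 -> the 'local' label at offset 35) as real responders use."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)  # QR=1 AA=1, two answers
    owner = encode_name("_services._dns-sd._udp.local")     # written in full at offset 12
    ptr_owner, ptr_local = b"\xc0\x0c", b"\xc0\x23"

    def ptr_rr(owner_bytes: bytes, service: str) -> bytes:
        rdata = encode_name(service)[:-1] + ptr_local       # "<service>" + pointer to "local"
        return owner_bytes + struct.pack("!HHIH", RTYPE["PTR"], CLASS_IN, 4500, len(rdata)) + rdata

    return header + ptr_rr(owner, "_http._tcp") + ptr_rr(ptr_owner, "_ipp._tcp")


def decode_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def decode_message(msg: bytes) -> dict:
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": RTYPE_NAME.get(qtype, qtype),
                          "unicast_response": bool(qclass & QU_BIT)})
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == RTYPE["PTR"]:
            value, _ = decode_name(msg, off)
        elif rtype == RTYPE["SRV"]:
            _prio, _weight, port = struct.unpack_from("!HHH", msg, off)
            target, _ = decode_name(msg, off + 6)
            value = {"port": port, "target": target}
        elif rtype == RTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == RTYPE["TXT"]:
            value, i = [], 0
            while i < rdlen:                       # TXT is a sequence of length-prefixed strings
                value.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
        else:
            value = rdata
        off += rdlen
        records.append({"name": name, "type": RTYPE_NAME.get(rtype, rtype), "ttl": ttl,
                        "cache_flush": bool(rclass & CACHE_FLUSH_BIT), "value": value})
    return {"id": msg_id, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}


if __name__ == "__main__":
    q = build_query("_services._dns-sd._udp.local", "PTR")
    print("query  ->", MDNS_GROUP_V4, MDNS_PORT, decode_message(q)["questions"])
    for rr in decode_message(build_sample_response())["records"]:
        print("answer ->", rr["name"], rr["type"], rr["value"])
```

The query is 46 bytes and carries no transaction ID and no destination host at all: its only addressing is the multicast group and port, which is exactly why the filtering discussion below has to look at the destination address rather than at per-host rules.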

Well, that’s great, but the question remains: How do I block Bonjour when I don’t want Machine A to see Machine B?

Blocking Bonjour

It turns out that mDNS multicasts a UDP packet to:

  1. MAC addresses:
    • 01:00:5E:00:00:FB – IPv4
    • 33:33:00:00:00:FB – IPv6
  2. IP addresses:
    • 224.0.0.251 – multicast IPv4 address
    • FF02::FB – multicast IPv6 address
  3. UDP port 5353

So, the first obvious thing that everyone tries is to block traffic on UDP port 5353. That’s all well and good, but it doesn’t block Bonjour because it’s only part of the solution.

The reason is that you also need to block the mDNS multicast IP address – not just UDP port 5353 on your DHCP-assigned IP addies.

Note that routers/gateways are not supposed to pass on multicasts, but often they do anyway. Some routers also have an option called something like “Multicast pass-through”. If your gizmo has this option, disable it.

In common home IPv4 routers nowadays, that means you need to block traffic to 224.0.0.251. For IPv6, block FF02::FB. These multicast addresses are what each puter uses to announce itself to the other puters on the network via services like Bonjour.

Finally, many routers have MAC address filtering. Use this filtering to block access to the IPv4 and/or IPv6 MAC addresses listed above: 01:00:5E:00:00:FB and 33:33:00:00:00:FB.

If you need a new router with more options, check out TP-Link’s products.

After you’re done blocking these 3 things, try again and see if Bonjour will find other gizmos on your network. You should discover that Bonjour no longer works.
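One way to check the result beyond "see if Bonjour finds anything" is to have the router log what it drops and look for the three identifiers. The script below is an added example (mine, not from this post): it reads firewall log lines in the Linux netfilter LOG-target format (KEY=VALUE pairs, with MAC= holding destination MAC, source MAC and ethertype) and reports, per sending host, which of the three mDNS identifiers each packet matched. The log lines are constructed for the example; a router’s own log format may differ, so the parser is the part to adapt.

```python
"""Find mDNS traffic in router firewall logs (added example, not from the post).
Parses netfilter LOG-style lines (KEY=VALUE pairs; MAC=<dst>:<src>:<ethertype>)
and tallies, per source host, which of the three mDNS identifiers matched:
multicast MAC, multicast IP, UDP port 5353.
"""
import ipaddress
import re
from collections import Counter, defaultdict

MDNS_MACS = {"01:00:5e:00:00:fb", "33:33:00:00:00:fb"}
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
MDNS_PORT = 5353
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample log lines (not real captures). Line 3 is a unicast mDNS
# response, which only a port rule would catch; line 4 is ordinary DNS.
SAMPLE_LOG_LINES = [
    "May 14 10:12:01 gw kernel: MDNS IN=br0 OUT= MAC=01:00:5e:00:00:fb:a4:5e:60:11:22:33:08:00 "
    "SRC=192.168.1.20 DST=224.0.0.251 LEN=70 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=50",
    "May 14 10:12:01 gw kernel: MDNS IN=br0 OUT= MAC=33:33:00:00:00:fb:a4:5e:60:11:22:33:86:dd "
    "SRC=fe80:0000:0000:0000:a65e:60ff:fe11:2233 DST=ff02:0000:0000:0000:0000:0000:0000:00fb "
    "LEN=90 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=50",
    "May 14 10:12:02 gw kernel: MDNS IN=br0 OUT= MAC=b8:27:eb:44:55:66:a4:5e:60:11:22:33:08:00 "
    "SRC=192.168.1.20 DST=192.168.1.30 LEN=70 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=50",
    "May 14 10:12:03 gw kernel: DNS IN=br0 OUT= MAC=00:11:22:aa:bb:cc:b8:27:eb:44:55:66:08:00 "
    "SRC=192.168.1.30 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40",
]


def parse_log_line(line: str):
    """Return the fields a filter decision needs, or None if the line is not a packet log."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    mac = fields.get("MAC", "").lower().split(":")
    has_mac = len(mac) >= 14                      # 6 dst + 6 src + 2 ethertype bytes
    try:
        dport = int(fields["DPT"]) if "DPT" in fields else None
    except ValueError:
        dport = None
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "dst_mac": ":".join(mac[0:6]) if has_mac else None,
        "src_mac": ":".join(mac[6:12]) if has_mac else None,
        "proto": fields.get("PROTO"),
        "dport": dport,
        "iface_in": fields.get("IN"),
    }


def mdns_criteria(pkt: dict) -> set:
    """Which of the post's three identifiers this packet matches."""
    hits = set()
    if pkt["dst_mac"] in MDNS_MACS:
        hits.add("multicast_mac")
    if pkt["dst"] in MDNS_GROUPS:
        hits.add("multicast_ip")
    if pkt["proto"] == "UDP" and pkt["dport"] == MDNS_PORT:
        hits.add("udp_5353")
    return hits


def summarize(lines) -> dict:
    """Per source host, count how often each identifier matched (hosts with no mDNS are omitted)."""
    report = defaultdict(Counter)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        hits = mdns_criteria(pkt)
        if hits:
            report[str(pkt["src"])].update(hits)
    return {src: dict(counts) for src, counts in report.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG_LINES).items():
        print(f"{src:30} {counts}")
```

Two things worth noting from the sample run: the unicast 5353 packet from 192.168.1.20 to 192.168.1.30 matches only the port criterion, so a rule set that relies on the multicast address alone would let it through, which is why all three rules belong together; and a router only ever logs or blocks traffic that crosses it, so this check is meaningful in the post’s own scenario of a group of machines behind a separate router, not for two hosts on the same switch, which exchange multicast directly.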

And you’re done!

How to Block Apple Bonjour on your Local Network

6 thoughts on “How to Block Apple Bonjour on your Local Network”

  • 1 July 2015 at 14:44

    It seems these 3 rules also block “ping”

    • 1 July 2015 at 16:18

      Hmm. Not sure why that would happen. I can still ping like mad!

  • 20 January 2017 at 01:16

    Ok, how about step-by-step instructions for how to perform the blocking needed.

  • 20 January 2017 at 09:42

    @Dana
    It depends on your router. Each one is a bit different. So you’d have to know how to add firewall rules and such for your specific router (or other gizmo) in order to apply these rules.

  • 7 February 2017 at 11:22

    Hey Scottie,

    Any advice on how to block specific packets? E.g. the dreaded network-wide Android notification when someone uses a Chromecast within the network?

    I’m trying to implement Chromecast in a school of 2000 students, and if I can eventually sniff the packet, I’m sure there’s a way to block it on either our Mikrotik or the Ubuntu/Avahi box we’ve set up between our VLANs.

    • 7 February 2017 at 12:49

      I’m not sure. This Chromecast thing is REALLY annoying. Unfortunately, I’m not sure how it works exactly, or even if it can be blocked.
