
mDNSResponder automatically denied incoming connections

Posted: Fri Jul 21, 2017 6:11 pm
by noraa
With Little Snitch 4, I have received a number of popups informing me that Little Snitch has denied an incoming connection to mDNSResponder. The connections are from various IP addresses, usually coming from the local network. My question is, should I continue to deny these connections? As far as I know, mDNSResponder responds to DNS requests - thus if the connection is denied the request won't be able to be translated? As such, should mDNSResponder be allowed to accept all incoming and outgoing connections?

Thanks for your help, all!

Re: mDNSResponder automatically denied incoming connections

Posted: Thu Jul 27, 2017 8:04 pm
by Xipper
This is likely part of dynamic service discovery (aka Bonjour) and perhaps neighbor discovery for IPv6. Services can announce themselves on the network with a broadcast packet; this may be detected by LS as an incoming connection to mDNSResponder, as that is the service that registers and stores the info. This could be printers, other OS X computers, etc. Many things announce their existence via this process.

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Aug 09, 2017 6:31 pm
by ramblingpolak
Any idea if there's a way to disable the annoying notification for mDNSResponder being blocked every minute without disabling all notifications?

Re: mDNSResponder automatically denied incoming connections

Posted: Thu Sep 07, 2017 5:03 pm
by user425890uhh
I'm seeing this as well. Currently getting a notification every 60-90 seconds. Even if I allow incoming connections to mDNSResponder it still seems to happen.

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Sep 13, 2017 5:09 pm
by sammysmalls
+1. A real annoyance, especially when in shared environments (Cafe/shared office etc).

Actually +10. Please provide a method for silencing alerts.

Re: mDNSResponder automatically denied incoming connections

Posted: Fri Sep 15, 2017 10:54 am
by bugmenot
It seems Little Snitch does not detect the IPv6 link-local addresses as local network.
Also, it should detect an IPv6 global temporary dynamic address (that contains the MAC address but is not used for public connections) out of the ISP-assigned prefix as a local address, or as a new group that can be selected to block such.
Maybe I haven't found it, but it would be great to have more IPv6 protocol-related options for creating rules.
I assume as obdev is located in Vienna they might be able to test and verify by using an IPv6 product from one of the local ISPs there.

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Oct 11, 2017 1:19 am
by jriskin
Any progress/solutions for this?

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Oct 11, 2017 2:38 pm
by AndreiD
I have this issue too. mDNSResponder drives me crazy... it makes me do what I usually refrain from doing: whitelist entire processes for everything.

Re: mDNSResponder automatically denied incoming connections

Posted: Thu Oct 12, 2017 9:29 am
by hahn
+1 for best practice solution

Re: mDNSResponder automatically denied incoming connections

Posted: Fri Oct 13, 2017 12:06 pm
by christian
You should be able to silence the notification by deciding (with a rule) how to handle them.

When you allow any incoming connection for mDNSResponder permanently, you should never see this message again. If you do, please report the details to our support, reporting this as a bug.

If you want to allow local connections only, the "local network" factory rule of Little Snitch should already do that, unless you have disabled it. You can deny any incoming connection for mDNSResponder because the (more specific) factory rule for localnet has precedence. Again, if you still get notifications with an "any connection" rule, please report this as a bug.

And, finally, if you think that other IPv6 addresses should be included in the localnet-rule, please provide details. As far as I can tell, we DO interpret link local IPv6 addresses as localnet. But I'll forward the message from bugmenot to the responsible developer.

Re: mDNSResponder automatically denied incoming connections

Posted: Mon Nov 20, 2017 10:23 am
by serenitea
christian wrote: If you want to allow local connections only, the "local network" factory rule of Little Snitch should already do that, unless you have disabled it


What is that rule please @christian? I can't find it so I'd like to recreate it.

Re: mDNSResponder automatically denied incoming connections

Posted: Mon Nov 20, 2017 12:35 pm
by christian
Copy the following lines and paste them into the Rules window of Little Snitch Configuration:

action: allow
direction: incoming
priority: regular
process: /usr/sbin/mDNSResponder
owner: me
destination: any
port: any
protocol: any

This rule allows mDNSResponder to accept any incoming connections.

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Nov 29, 2017 12:15 pm
by timjph
I added the above rule, but still get some notifications of an incoming connection being denied:


The log in the LS configuration for the connection says:

On 29 Nov 2017, 137.73.254.10 tried to establish an incoming connection to mDNSResponder. The request was denied automatically because this kind of incoming connection cannot be delayed.

This was a UDP connection on 53530.


I'm surprised that this is denied having added a rule that allows all incoming connections.

Any suggestions?

Best wishes, Tim
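
A triage helper for denial entries worded like the one quoted in the post above, added here as an example; it is not part of the thread and not Little Snitch code. It extracts the source address, reports its scope (including the link-local and ISP-prefix cases raised earlier in the thread) and flags entries that do not look like local mDNS traffic. The scope names, the `local_prefixes` parameter and the review heuristic are assumptions of this example, not Little Snitch's own definition of "local network".

```python
import ipaddress
import re

MDNS_PORT = 5353  # UDP port used by multicast DNS (Bonjour)
# Entry wording as quoted in the post above.
THREAD_ENTRY = ("On 29 Nov 2017, 137.73.254.10 tried to establish an incoming "
                "connection to mDNSResponder.")
ENTRY_RE = re.compile(
    r"On (?P<date>.+?), (?P<src>[0-9A-Fa-f:.]+)(?:%\w+)? tried to establish "
    r"an incoming connection to (?P<proc>\w+)\.")


def classify_source(address, local_prefixes=()):
    """Scope of a source address. local_prefixes (hypothetical parameter):
    networks the reader treats as local, e.g. an ISP-delegated IPv6 prefix."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # fe80::/10 and 169.254.0.0/16
        return "link-local"
    if any(ip in ipaddress.ip_network(p) for p in local_prefixes):
        return "local-prefix"
    if ip.is_private:  # RFC 1918 and IPv6 unique local addresses
        return "private"
    return "global"


def triage(entry, port, local_prefixes=()):
    """Parse one denial entry and flag it when it does not look like local mDNS."""
    match = ENTRY_RE.search(entry)
    if match is None:
        raise ValueError("not a denial entry in the expected wording")
    scope = classify_source(match.group("src"), local_prefixes)
    return {
        "source": match.group("src"),
        "process": match.group("proc"),
        "scope": scope,
        "mdns_port": port == MDNS_PORT,
        # Assumption of this example: off-network sources and non-mDNS ports
        # deserve a look before an allow-any rule hides them.
        "review": scope == "global" or port != MDNS_PORT,
    }


if __name__ == "__main__":
    print(triage(THREAD_ENTRY, 53530))
```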

Re: mDNSResponder automatically denied incoming connections

Posted: Wed Nov 29, 2017 12:25 pm
by christian
Ah, sorry, a mistake. The rule should be

action: allow
direction: incoming
priority: regular
process: /usr/sbin/mDNSResponder
owner: system
destination: any
port: any
protocol: any

The owner must be "system" because mDNSResponder runs as system user. Sorry for the error!