mDNSResponder automatically denied incoming connections

[noraa]

With Little Snitch 4, I have received a number of popups informing me that Little Snitch has denied an incoming connection to mDNSResponder. The connections are from various IP addresses, usually coming from the local network. My question is, should I continue to deny these connections? As far as I know, mDNSResponder responds to DNS requests - thus if the connection is denied the request won't be able to be translated? As such, should mDNSResponder be allowed to accept all both incoming and outgoing connections?

thanks for you help all!

[Xipper]

This is likely part of dynamic service discovery (Aka Bonjour) and perhaps neighbor discovery for IPv6. Services can announce themselves on the network with a broadcast packet, this may be detected by LS as an incoming connection to mDNSResponder as that is the service that registers and stores the info. This could be printers, other OS X computers, etc...many things announce their existence via this process.

[ramblingpolak]

Any idea if there's a way to disable the annoying notification for mDNSResponder being blocked every minute without disabling all notifications?

[user425890uhh]

I'm seeing this as well. Currently getting a notification every 60-90 seconds. Even if I allow incoming connections to mDNSResponder it still seems to happen.

[sammysmalls]

+1. A real annoyance, especially when in shared environments (Cafe/shared office etc).

Actually +10. Please provide a method for silencing alerts.

[bugmenot]

it seems little snitch does not detect the IPv6 link-local addresses as local network.
also it should detect a IPv6 global temporary dynamic address (that contains mac-address but not used for public connections) out of the ISP assigned prefix as local address or as a new group that can be select to block such.
maybe I haven't found, but it would be great to have more IPv6 protocol related options for creating rules.
I assume as obdev is located in Vienna they might be able to test and verify by using an IPv6 product from one of the local ISP's there,...

[jriskin]

Any progress/solutions for this?

[AndreiD]

I have this issue too. mDNSResponder drives me crazy...makes me do what I usually refrain from doing, whitelist entire processes for everything

[hahn]

+1 for best practice solution

[christian]

You should be able to silence the notification by deciding (with a rule) how to handle them.

When you allow any incoming connection for mDNSResponder permanently, you should never see this message again. If you do, please report the details to our support, reporting this as a bug.

If you want to allow local connections only, the "local network" factory rule of Little Snitch should already do that, unless you have disabled it. You can deny any incoming connection for mDNSResponder because the (more specific) factory rule for localnet has precedence. Again, if you still get notifications with an "any connection" rule, please report this as a bug.

And, finally, if you think that other IPv6 addresses should be included in the localnet-rule, please provide details. As far as I can tell, we DO interpret link local IPv6 addresses as localnet. But I'll forward the message from bugmenot to the responsible developer.

[serenitea]

If you want to allow local connections only, the "local network" factory rule of Little Snitch should already do that, unless you have disabled it

What is that rule please @christian? I can't find it so I'd like to recreate it.

[christian]

Copy the following lines and paste them into the Rules window of Little Snitch Configuration:

action: allow
direction: incoming
priority: regular
process: /usr/sbin/mDNSResponder
owner: me
destination: any
port: any
protocol: any

This rule allows mDNSResponder to accept any incoming connections.

[timjph]

I added the above rule, but still get some notifications of an incoming connection being denied:


In log in the LS configuration for the connection says:

On 29 Nov 2017, 137.73.254.10 tried to establish an incoming connection to mDNSResponder. The request was denied automatically because this kind of incoming connection cannot be delayed.

This was a UDP connection on 53530.


I'm surprised that this is denied having added a rule that allows all incoming connections.

Any suggestions?

Best wishes, Tim

[christian]

Ah, sorry, a mistake. The rule should be

action: allow
direction: incoming
priority: regular
process: /usr/sbin/mDNSResponder
owner: system
destination: any
port: any
protocol: any

The owner must be "system" because mDNSResponder runs as system user. Sorry for the error!