I have been trying to disable mDNS and DNS-SD; I’ve tried every method I could find with search engines, but to no avail! It seems like it grips tightly to Byz.
I have no use for this service, since my reduced attack surface is only my ISP’s modem/router and one laptop at a time. I don’t share files, don’t use Bonjour nor Avahi, all my printing is only USB (never connected to LAN), don’t care for DLNA or Homeplug and there is no IoT (banned!). I don’t need any zeroconf either.
I know these communications only happen inside the local NAT and supposedly never reach outside the local network - but is it really always the case? In fact, I am wondering, because the resolver seems to cross the router and I see ipv6 addresses to my ISP’s AS (autonomous system) beyond the gateway.
That worries me (ipv6 leaks) and I would like to find a solution for definitely silencing these too-talkative services which I don’t seem to need anyway.
Interesting. I failed to find a quick solution to disabling mDNS but a clever chap used firewall rules to block it: How to disable outgoing mDNS broadcasts on Linux | Ctrl blog (for your IPv6 problems, firewall may be a solution too, if you can’t disable the services - you can at least limit and block them, both ways) And for the other one, have you tried this: How to disable systemd-resolved in Ubuntu · GitHub (possibly better alternative: Disable systemd-resolved Cleanly · Brian's Blog)?
WARNING: make backups of what you edit, just in case these bork your network connectivity!
The first solution (blocking 5353/udp) I had already tried. Still all ghosts are talking on port 5353…
For the second solution, I have systemd-resolved already disabled (but not masked). Maybe I should mask it? Didn’t dare to yet.
I will investigate your third link.
Check the @irvinewade’s link to old thread first. The port block seems to be a minimal solution - you can always make that port drop all other protocols than just udp and block both ways, if you want to make sure - but there is potential for side-effects (I can’t say off hand if there’s some necessary services there).
I could purge avahi-daemon and nss-mdns early in my investigations. This did not disable mDNS, which seems to be spawned by something else, I don’t know what.
What are you using to test this?
I did ss -lup … ok, there it is listening on port 5353, then used systemctl to stop the service and the socket, then repeat the ss and it’s gone. As the original topic says, to make this permanent (across a reboot), you may well have to mask the service, not just stop it.
Another piece of the puzzle could be … resolvectl mdns which for me shows a global default of “no”, and “no” on each of the network links.
Finally, in /etc/avahi/avahi-daemon.conf I have lots of negativity i.e. disable everything that I could see and in particular use-ipv6=no if you are worried about IPv6.
Both WireShark and Sniffnet.
Actually, before starting to use Sniffnet, I was not aware of the problem while only using WireShark. Sniffnet is much more informative because it showed me very clearly the 3 links crossing from my LAN to my ISP’s AS. All 3 are ipv6 fe80:: (link local), but they traverse the router to fully qualified ipv6 global addresses, all of them plugging into the AS. I fear this could potentially lead to ipv6 leaks: there should be no traffic between an ipv6 link local and a global AS on the other side of the gateway, right?
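As an added illustration of the scope question raised above (this is not code from the thread or from Sniffnet/Wireshark), the following Python snippet classifies sniffed flows by address scope: link-scope multicast such as ff02::fb / 224.0.0.251 and link-local fe80::/10 sources are by definition confined to one link, so a router must never forward them, whereas a global-to-global flow is genuine upstream traffic. The sample flows are constructed; 2001:db8::/32 is the IPv6 documentation prefix standing in for the ISP's real addresses.

```python
import ipaddress

# Constructed sample flows, modelled on what a sniffer such as Sniffnet or
# Wireshark lists: (source, destination, destination port).  2001:db8::/32 is
# the IPv6 documentation prefix and stands in for real ISP addresses.
SAMPLE_FLOWS = [
    ("fe80::1ff:fe23:4567:890a", "ff02::fb", 5353),            # mDNS over IPv6
    ("192.168.1.20", "224.0.0.251", 5353),                     # mDNS over IPv4
    ("fe80::1ff:fe23:4567:890a", "2001:db8:ffff::53", 53),     # link-local src, off-link dst
    ("2001:db8:1:2::20", "2001:db8:ffff::53", 53),             # global to global (upstream DNS)
]

def scope(addr):
    """Return the scope class of a single IPv4/IPv6 address."""
    a = ipaddress.ip_address(addr)
    if a.is_multicast:
        if a.version == 6:
            # ff0X::/16: the X nibble is the multicast scope; 2 = link-local.
            return "multicast-link" if int(a.exploded[3], 16) == 2 else "multicast-wider"
        # 224.0.0.0/24 is the IPv4 local network control block (224.0.0.251 = mDNS).
        return "multicast-link" if a in ipaddress.ip_network("224.0.0.0/24") else "multicast-wider"
    if a.is_link_local:                      # fe80::/10 or 169.254.0.0/16
        return "link-local"
    if a.version == 6 and a in ipaddress.ip_network("fc00::/7"):
        return "unique-local"
    if a.version == 4 and a.is_private:
        return "private"
    # Deliberately not using IPv6Address.is_global: it treats the documentation
    # prefix used in the samples as non-global.
    return "global"

def classify_flow(src, dst):
    """Say whether a flow may legitimately cross the gateway."""
    s, d = scope(src), scope(dst)
    if d == "multicast-link" or (s == "link-local" and d == "link-local"):
        return "link-scope"          # must stay on the local link; routers do not forward it
    if s == "link-local" or d == "link-local":
        return "invalid-off-link"    # a link-local address means nothing beyond its link
    if d == "multicast-wider":
        return "multicast-routed"    # site/organisation/global scope multicast may be routed
    return "routable"                # ordinary off-link traffic, e.g. DNS to the ISP resolver

NOTES = {
    "link-scope": "stays on the LAN by definition; seeing it beyond the gateway would mean the router is broken",
    "invalid-off-link": "link-local address paired with an off-link peer: not forwardable, worth a closer look",
    "multicast-routed": "wider-scope multicast, routable only if the router is configured for it",
    "routable": "real upstream traffic; identify the process (e.g. the DNS resolver) rather than mDNS",
}

def audit(flows):
    """Annotate each (src, dst, port) triple with its verdict and a short note."""
    rows = []
    for src, dst, port in flows:
        verdict = classify_flow(src, dst)
        rows.append({"src": src, "dst": dst, "port": port,
                     "verdict": verdict, "note": NOTES[verdict]})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(f"{row['src']} -> {row['dst']}:{row['port']}  [{row['verdict']}]  {row['note']}")
```

Run it as is to see the four sample verdicts, or replace SAMPLE_FLOWS with the endpoints your sniffer reports. The practical point: an mDNS flow to ff02::fb cannot be the one reaching the ISP; the flows that really leave the LAN are the global-to-global ones, so those are the ones whose owning process is worth identifying.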
I could entirely purge avahi daemon and socket services; therefore there is no more avahi folder or conf file in /etc - nothing to try with this suggestion.
I had it masked, since several of the URL links provided above by @JR-Fi suggested to entirely disable systemd-resolved service in order to fallback to more usual conf files. But if I re-enable the service, resolvectl mdns shows no to global and each network links - just as your output. Anyway, I masked it again since this service seems to make things unnecessarily more complicated.
Any chance that your printing is causing this? That is, even though you know that you will never connect a network printer and that all printing is via a USB-connected printer, your computer doesn’t know this - and so may attempt to discover more printers.
Anyway, maybe if you decode the actual packets being sent for mDNS, it will become clearer which component is sending them and why.
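One way to do that decoding offline, as an added example (not code from this thread or from any of the tools named in it): a small Python parser for mDNS packets that reads the questions and resource records, follows DNS name compression, and maps the well-known DNS-SD service types to the kind of component that usually asks for or announces them. The two packets are constructed inline; the SERVICE_HINTS table is general knowledge about DNS-SD types (for instance _ipp._tcp for IPP printers, _workstation._tcp for Avahi's host announcement), not something the thread states. Feed parse_mdns the UDP payload of a captured port 5353 packet (exported from Wireshark, say) to see what your own host is asking for.

```python
import ipaddress
import struct

# Well-known DNS-SD service types and the component that typically queries or
# announces them (general knowledge; assumed, not taken from the thread).
SERVICE_HINTS = {
    "_services._dns-sd._udp": "DNS-SD service enumeration (generic browser, e.g. avahi-browse)",
    "_ipp._tcp": "IPP printer discovery (CUPS / cups-browsed)",
    "_ipps._tcp": "IPPS printer discovery (CUPS / cups-browsed)",
    "_printer._tcp": "LPD printer discovery (CUPS)",
    "_workstation._tcp": "Avahi host announcement (publish-workstation)",
    "_smb._tcp": "SMB/Samba share discovery",
}

def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build the samples)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(buf, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                  # root label terminates the name
            if end is None:
                end = offset
            break
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end

def parse_mdns(buf):
    """Parse an mDNS (DNS-format) message into questions and resource records."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        # mDNS reuses the top class bit as the "unicast response requested" flag.
        questions.append({"name": name, "type": qtype, "unicast_response": bool(qclass & 0x8000)})
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        if rtype == 12:                                  # PTR: rdata is a (possibly compressed) name
            value, _ = read_name(buf, off)
        elif rtype == 28 and rdlen == 16:                # AAAA
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == 1 and rdlen == 4:                  # A
            value = str(ipaddress.IPv4Address(rdata))
        else:
            value = rdata.hex()
        off += rdlen
        # In mDNS the top class bit of a record is the cache-flush flag.
        records.append({"name": name, "type": rtype, "ttl": ttl, "value": value,
                        "cache_flush": bool(rclass & 0x8000)})
    return {"is_response": bool(flags & 0x8000), "questions": questions, "records": records}

def service_hint(name):
    """Find the DNS-SD service type inside a name and return the component hint."""
    labels = name.split(".")
    if labels and labels[-1] == "local":
        labels = labels[:-1]
    for width in (3, 2):
        for i in range(len(labels) - width + 1):
            key = ".".join(labels[i:i + width])
            if key in SERVICE_HINTS:
                return SERVICE_HINTS[key]
    return "unknown service type"

def summarize(buf):
    """One line per question/record, each tagged with the likely originating component."""
    msg = parse_mdns(buf)
    kind = "R" if msg["is_response"] else "Q"
    lines = [f"{kind} question {q['name']} -> {service_hint(q['name'])}" for q in msg["questions"]]
    for rr in msg["records"]:
        target = rr["value"] if rr["type"] == 12 else rr["name"]
        lines.append(f"{kind} record type {rr['type']} {rr['name']} = {rr['value']} -> {service_hint(target)}")
    return lines

# Constructed sample 1: a query for IPP printers plus a service enumeration.
QUERY = (struct.pack("!6H", 0, 0x0000, 2, 0, 0, 0)
         + encode_name("_ipp._tcp.local") + struct.pack("!HH", 12, 0x8001)
         + encode_name("_services._dns-sd._udp.local") + struct.pack("!HH", 12, 1))

# Constructed sample 2: a response announcing a workstation, with a compression
# pointer (0xC00C) back to the name at offset 12, plus its link-local AAAA.
RESPONSE = (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
            + encode_name("_workstation._tcp.local")
            + struct.pack("!HHIH", 12, 0x8001, 4500, 7) + b"\x04host" + b"\xC0\x0C"
            + encode_name("host.local")
            + struct.pack("!HHIH", 28, 0x8001, 120, 16) + ipaddress.IPv6Address("fe80::1").packed)

if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE):
        print("\n".join(summarize(pkt)))
```

A query whose questions are all printer types points at the print subsystem, while _workstation._tcp announcements point at Avahi; anything else can be looked up in the service type registry. Combine it with the process behind the 5353 socket (from ss -lup) and you have both the "which component" and the "why".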
I thought of a possible workaround to the problem.
Since my only worry is the 3 ipv6 link local addresses that traverse the gateway to my ISP’s AS, the solution could be to disable ipv6 globally. I would still have this annoying mDNS and all associated discovery services (although I would prefer to get rid of them since I don’t need/use them); but over ipv4 traffic only, so talking over the LAN using regular ipv4 link local addresses.
It is true that on another laptop (not Purism) running Debian 11 (same base as PureOS Byz), I have long been able to kill off ipv6 through sysctl.conf or more globally with ipv6.disable=1 kernel commandline in grub.conf.
I will try this tomorrow.
No. I rarely need to print anything, so the printer is OFF almost all the time. There is an older dedicated laptop next to it, connected to the printer via USB, air-gapped, and I transfer what needs to be printed using a stick. The setup is totally isolated from any network and on top of that, very rarely used.
All my other laptops that connect to a network have CUPS service/daemon/socket masked. They don’t know of any printer and never were connected to any.
Since you are concerned about services and whether they are open, you may want to check with lsof | grep LISTEN (what is open) or lsof -i [4/6] (IPv4 or 6) to get another view. Maybe it helps with identifying… something.
[For those interested to know of lsof (list open files), see this or this or FAQ pages]