How to stop mDNS request traffic on WAN?
My configuration is Cable modem -> switch -> Router -> LAN.
When I monitor the traffic by mirroring the modem <-> router traffic, I notice that the router
is publishing my LAN network map via in-addr mDNS requests to port 5353. Besides being
a security / privacy leak, I'm a bit nervous about what happens if someone answers...
Two questions:
1) Does this traffic originate with the router, or is the router forwarding multicast from LAN to WAN?
2) How do I disable it? I don't need this traffic on my LAN, so either completely off or just not to WAN would be fine.
Update: Realized that since this is multicast, it is easier to see without port mirroring if I just disable
igmp_snooping on the switch. Censored output, but notice TP-Link is sending out the local LAN host list once every 10 seconds.
login@hidden:~# tcpdump -i eth0.2 not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:25:38.031750 IP <A20 public IP>.49005 > 224.0.0.251.5353: 9018 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:38.071383 IP <A20 public IP>.37574 > 224.0.0.251.5353: 9019 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:38.101449 IP <A20 public IP>.56610 > 224.0.0.251.5353: 9020 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:38.151282 IP <A20 public IP>.60249 > 224.0.0.251.5353: 9021 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:38.181455 IP <A20 public IP>.38214 > 224.0.0.251.5353: 9022 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:38.241467 IP <A20 public IP>.39804 > 224.0.0.251.5353: 9023 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:38.270186 IP <A20 public IP>.51253 > 224.0.0.251.5353: 9024 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:38.331354 IP <A20 public IP>.55794 > 224.0.0.251.5353: 9025 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:38.361465 IP <A20 public IP>.42825 > 224.0.0.251.5353: 9026 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:38.411493 IP <A20 public IP>.34848 > 224.0.0.251.5353: 9027 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:38.441535 IP <A20 public IP>.38812 > 224.0.0.251.5353: 9028 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.381382 IP <A20 public IP>.53748 > 224.0.0.251.5353: 9029 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.401440 IP <A20 public IP>.52882 > 224.0.0.251.5353: 9030 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.441549 IP <A20 public IP>.51232 > 224.0.0.251.5353: 9031 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.461451 IP <A20 public IP>.43853 > 224.0.0.251.5353: 9032 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.501469 IP <A20 public IP>.57395 > 224.0.0.251.5353: 9033 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.521442 IP <A20 public IP>.38496 > 224.0.0.251.5353: 9034 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.561453 IP <A20 public IP>.36880 > 224.0.0.251.5353: 9035 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.581458 IP <A20 public IP>.53261 > 224.0.0.251.5353: 9036 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.620229 IP <A20 public IP>.53736 > 224.0.0.251.5353: 9037 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.641491 IP <A20 public IP>.39542 > 224.0.0.251.5353: 9038 PTR (QM)? x.x.168.192.in-addr.arpa. (43)
10:25:49.681477 IP <A20 public IP>.35211 > 224.0.0.251.5353: 9039 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.701082 IP <A20 public IP>.60462 > 224.0.0.251.5353: 9040 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.741458 IP <A20 public IP>.56832 > 224.0.0.251.5353: 9041 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.761452 IP <A20 public IP>.57275 > 224.0.0.251.5353: 9042 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.801513 IP <A20 public IP>.60933 > 224.0.0.251.5353: 9043 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
10:25:49.821521 IP <A20 public IP>.44895 > 224.0.0.251.5353: 9044 PTR (QM)? x.x.168.192.in-addr.arpa. (44)
Can't see unicast on the LAN, but all I notice for multicast is Chromecast broadcasts on a 30 second repeat and a machine that needs to have iTunes removed broadcasting once every 5 minutes or so. The only queries are for _google and _android addresses, so I don't see why they would trigger WAN in-addr.arpa.
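
An added example, not part of the original post: a small Python filter over tcpdump's default text output that lists which RFC 1918 addresses are named in reverse-PTR mDNS queries sent from a non-private source address, the pattern visible in the capture above. The sample lines, the stand-in WAN address 203.0.113.7 and the helper name `leaked_hosts` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in tcpdump's default text format (not the poster's capture).
# 203.0.113.7 stands in for the router's public WAN address.
SAMPLE = """\
10:25:38.031750 IP 203.0.113.7.49005 > 224.0.0.251.5353: 9018 PTR (QM)? 10.1.168.192.in-addr.arpa. (43)
10:25:38.071383 IP 203.0.113.7.37574 > 224.0.0.251.5353: 9019 PTR (QM)? 23.1.168.192.in-addr.arpa. (43)
10:25:38.101449 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0 PTR (QM)? _googlecast._tcp.local. (40)
10:25:49.381382 IP 203.0.113.7.53748 > 224.0.0.251.5353: 9029 PTR (QM)? 10.1.168.192.in-addr.arpa. (43)
10:25:50.000000 IP 203.0.113.7.40000 > 224.0.0.251.5353: 9030 PTR (QM)? 8.8.8.8.in-addr.arpa. (38)
"""

# Private ranges are listed explicitly: ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which would hide the sample source.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One mDNS query line: source ip.port > 224.0.0.251.5353, PTR for an in-addr.arpa name.
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > 224\.0\.0\.251\.5353: "
    r"\d+ PTR \(Q[MU]\)\? (?P<rev>\d+\.\d+\.\d+\.\d+)\.in-addr\.arpa\. "
)

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def leaked_hosts(capture_text):
    """Count private addresses named in reverse-PTR mDNS queries whose
    source address is not private, i.e. queries seen on the WAN side."""
    leaks = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a reverse-lookup mDNS query (e.g. _googlecast._tcp.local)
        src = ipaddress.ip_address(m["src"])
        # in-addr.arpa names carry the octets in reverse order
        target = ipaddress.ip_address(".".join(reversed(m["rev"].split("."))))
        if not is_rfc1918(src) and is_rfc1918(target):
            leaks[str(target)] += 1
    return leaks

if __name__ == "__main__":
    for host, count in sorted(leaked_hosts(SAMPLE).items()):
        print(f"{host} named in {count} WAN-side mDNS PTR queries")
```

Feeding it the text output of a capture taken on the WAN-facing interface gives the set of internal addresses being disclosed and how often each one is queried.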