
How to disable outgoing mDNS broadcasts on Linux

Multicast DNS (mDNS) is a convenient method for auto-discovering other computers and services (DNS-SD) on the local network. However, in some situations you don’t want to announce your services or even broadcast your presence on a particular network. Here is how to block outgoing mDNS broadcasts on Linux.

In shared hosting environments, on some enterprise or university networks, and on unknown or unfriendly networks you may want to be a good [silent] network neighbor or just remain hidden.

You’ll, of course, want to start by disabling Avahi and other mDNS clients. However, individual programs may also send mDNS and DNS-SD broadcasts on their own. You either need to disable mDNS support in these programs, if they have an option for it, or block outgoing mDNS broadcasts in your firewall. This article will focus on the latter option.

mDNS traffic is sent over UDP to port 5353. Silencing it is as easy as blocking that one port. The rest of the article will cover how to block outgoing mDNS with the default firewalls on CentOS, Fedora Linux, and Ubuntu.

Ubuntu uses the Uncomplicated Firewall (UFW) by default. Assuming you’ve already configured your UFW firewall, the following command adds a rule that blocks outgoing mDNS broadcasts:

ufw deny out 5353/udp comment "drop outgoing mDNS"

Note that we’re using a deny rule instead of a drop rule. You often want to use a drop rule to hide the fact that anything took action to block a connection. However, that concern doesn’t apply here: the blocking happens on your own computer, and no information leaks out of the system. Local services that rely on mDNS will be able to provide better feedback when they know their packets were blocked instead of having them silently dropped.

CentOS and Fedora Linux use FirewallD by default. Assuming you’ve already configured your FirewallD firewall, the following commands add rules (one for IPv6, one for IPv4) that block outgoing mDNS broadcasts, then reload the firewall so they take effect:

firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p udp --dport=5353 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p udp --dport=5353 -j DROP
firewall-cmd --reload

Remember to verify that your firewall rules do what you expect by inspecting the firewall logs and monitoring network traffic.
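Two small checks for that verification step, as an added example that is not part of the original article: one confirms that an iptables-style listing of the OUTPUT chain (as produced by `iptables -S OUTPUT` or `ip6tables -S OUTPUT`) contains a rule dropping or rejecting UDP to port 5353, the other counts how many of UFW's kernel log lines record a blocked outgoing packet to that port. The rule listing and the log lines below are constructed for the example, not captured from a real host, and the helper names are my own; the checks assume the rules are visible through the iptables interface and that UFW logging is enabled for the rule.

```shell
#!/bin/sh
# Added example (not from the original article): verify that outgoing mDNS
# (UDP to port 5353, multicast groups 224.0.0.251 and ff02::fb) is blocked.
# All samples below are constructed; on a live host feed the real command
# output to the two functions instead (see the comment at the bottom).

# Constructed: `iptables -S OUTPUT` once the FirewallD direct rule (or UFW's
# equivalent) is in place.
RULES_WITH_BLOCK='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5353 -j DROP'

# Constructed: the same chain with no mDNS rule at all.
RULES_WITHOUT_BLOCK='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed: kernel log lines in the format UFW uses for blocked packets.
# Lines 1 and 2 are outgoing mDNS (IPv4 group, then IPv6 group), line 3 is an
# INCOMING mDNS packet, line 4 is outgoing but not mDNS.
SAMPLE_LOG='[UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.10 DST=224.0.0.251 LEN=60 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=40
[UFW BLOCK] IN= OUT=eth0 SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=80 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=40
[UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.20 DST=224.0.0.251 LEN=60 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=40
[UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=53'

# Exit 0 when the OUTPUT chain listing in $1 has a rule that drops or rejects
# UDP with destination port 5353; exit 1 otherwise.
mdns_block_present() {
  printf '%s\n' "$1" |
    grep -Eq -- '^-A OUTPUT .*-p udp .*--dport 5353 .*-j (DROP|REJECT)'
}

# Print the number of log lines in $1 that record a blocked OUTGOING UDP packet
# to port 5353. "IN= OUT=<iface>" is what marks a packet as outgoing; incoming
# packets are logged as "IN=<iface> OUT=".
count_blocked_outgoing_mdns() {
  printf '%s\n' "$1" | awk '
    /UFW BLOCK/ && / IN= OUT=[^ ]+/ && /PROTO=UDP/ && / DPT=5353( |$)/ { n++ }
    END { print n + 0 }'
}

# Stand-alone run over the constructed samples.
if mdns_block_present "$RULES_WITH_BLOCK"; then
  echo "sample chain: mDNS block rule found"
fi
if ! mdns_block_present "$RULES_WITHOUT_BLOCK"; then
  echo "unblocked sample chain: no mDNS rule"
fi
echo "blocked outgoing mDNS packets in sample log: $(count_blocked_outgoing_mdns "$SAMPLE_LOG")"

# On a live host (root required for the first):
#   mdns_block_present "$(iptables -S OUTPUT)" && echo "IPv4 rule present"
#   count_blocked_outgoing_mdns "$(journalctl -k | grep 'UFW BLOCK')"
```

Run the IPv4 and IPv6 checks separately (`iptables -S OUTPUT` and `ip6tables -S OUTPUT`), since the FirewallD commands above install two independent rules and it is easy to end up with only one of them. A count of zero in the log is not proof that nothing is being sent: it can equally mean the rule is not logging, so pair the log check with a packet capture on the interface.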

I’ve compared UFW and FirewallD’s command management syntaxes before. After writing this article I think my next article will cover how to migrate from FirewallD to UFW. FirewallD is flexible and works well for many situations, but UFW’s simpler syntax still manages to get more jobs done with way easier-to-remember commands.