Enabling Zeroconf

jimoe666 · February 15, 2016, 7:40am

opensuse 42.1

I was tracing a log entry in our firewall that it labeled “an unhandled multicast.” I traced it back to a Windows 8 computer that was emitting llmnr requests. Further study shows that llmnr is part of mDNS, or Bonjour, or Zeroconf. Hmm.

Zeroconf is allowed through the firewall on our main server that handles DHCP and DNS services. Zeroconf appears to be enabled; I am not sure.

What is needed for it to handle the Windows requests?

jimoe666 · February 16, 2016, 2:09am

[SUB]I’ve researched this further. Zeroconf is enabled on our server. How do I tell if it works?

The research showed mDNS uses port 5353, which is part of Zeroconf. When I run an nmap scan on the server, that port is not listed as active. LLMNR broadcasts to port 5355, also not open.

I am guessing that opensuse (linux in general?) does not support LLMNR? I should just disable it in Windows?
[/SUB]

glistwan · February 16, 2016, 10:41am

Linux supports LLMNR to the best of my knowledge (for example kodi supports this). The question is which zeroconf implementation are you using ?
Is it avahi ?
https://wiki.archlinux.org/index.php/avahi

To check if your port is open on your linux use :

netstat -apn | grep 5353

Also the port my be blocked by your firewall so double check or look at firewall logs :

iptables -L -v

If it’s blocked you need to allow this port via the firewall (most easily done with YaST if you’re using the standard openSUSE method).

jimoe666 · February 16, 2016, 6:34pm

> The question is which zeroconf implementation are you using ? Is it avahi ?
>
Yes, avahi.
The avahi page makes no mention of LLMNR.

$ netstat -apn | grep 535.
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp        0      0 :::5353                 :::*                                -

The LLMNR port 5355 is not listed.

Some excerpts from iptables -L -v

......
pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             PKTTYPE = broadcast udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             PKTTYPE = broadcast udp dpt:bootps
   34  3246 ACCEPT     udp  --  any    any     anywhere             anywhere             PKTTYPE = broadcast udp dpt:netbios-ns
   17  4046 ACCEPT     udp  --  any    any     anywhere             anywhere             PKTTYPE = broadcast udp dpt:netbios-dgm
   21  4562 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
......
    1    69 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:mdns
......

It looks like zeroconf/mdns/bonjour is enabled. The server has been up 9 days. In that time it has recognized a single mdns packet. I guess this makes sense; the firewall logs show LLMNR packets (100s of them per day) on port 5355, not 5353.