Responding to DNS port when it is not running
Connection to any IP address on port tcp/53 always responds/succeed when that IP isn't running DNS. I think something is responding from MacOS internally. How do we fix this?
MacBook Pro 14″, macOS 15.2
macOS itself uses a number of well-known ports, including 53 and 5353 for Bonjour multicast DNS discovery.
I don't think you can turn those off without breaking a number of subtle things the OS is doing (even if you set the most restrictive settings in the built-in Firewall - useless as it is - it will still allow a number of ports to receive connections). Third-party firewalls similarly have built-in presets to allow these services to work properly and usually warn you that you will break stuff if you close them down.
But is there an actual issue here besides that your computer is responding to other devices on the local network that are advertising Bonjour services? Because that's how Bonjour and mDNS more generally is supposed to work...and, if you have certain devices on your network like AppleTVs, they may act as a sleep proxy for other devices on the network and respond to mDNS requests on their behalf when they are offline.
Then you should probably tcpdump the communications and see where it is going and who is responding.
sonamnamgyel wrote:
Connection to any IP address on port tcp/53 always responds/succeed when that IP isn't running DNS. I think something is responding from MacOS internally. How do we fix this?
It isn't doing that here. This is what I get:
/tmp $ nc -zv www.apple.com 53
nc: connectx to www.apple.com port 53 (tcp) failed: Operation timed out
Of course, I don't run any firewalls, network filters, 3rd party "security" or "privacy" apps.
sonamnamgyel wrote:
Connection to any IP address on port tcp/53 always responds/succeed when that IP isn't running DNS. I think something is responding from MacOS internally. How do we fix this?
? what is the bigger issue here, maybe you can paint a bigger picture
old issue, new issue, what changed?
ref: TCP and UDP ports used by Apple software products - Apple Support
You can refer to the result below:
# nc -zv www.apple.com 53
# Connection to www.apple.com port 53 [tcp/domain] succeeded!
It’s clear that www.apple.com doesn’t host a DNS service. However, when I test it using nc or nmap, the result indicates that the connection was successful. The question is, why does it show the port as open when it’s not actually running?
thank you.
OK, so the answer to that is that www.apple.com doesn't really exist - it's a CNAME for the Akamai CDN that Apple uses, and Akamai, like Cloudflare and other CDNs, does run DNS.
Dig, NSLookup, or the DNS resolution tool of your choice on www.apple.com will clearly show you that it is a CNAME redirect, and you will get a different IP address each time.
nope!
I disagree with that. www.apple.com resolves to one of the Akamai CDN IP addresses, and that IP address has only tcp 80 and 443 open.
Not just the www.apple.com domain; literally every IP address I test shows tcp/53 as open.
Thanks.
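A way to settle the "every IP shows tcp/53 open" observation above, and the earlier suggestion to look at where the connection is actually going, is to probe an address that can never legitimately answer and to time the TCP handshake. This is an added diagnostic script, not something posted in the thread; it uses 192.0.2.1 (an RFC 5737 documentation address, so no real host should accept a connect) as a negative control and 1.1.1.1 (a public resolver) as a positive control, and the 1 ms "faster than any off-box round trip" threshold is an assumed heuristic, not a fact from the thread. If the documentation address accepts the connect, something on the Mac itself (a filter, a VPN client, or a pf redirect) is completing the handshake on behalf of every destination.

```python
"""Constructed diagnostic (not from the thread): is tcp/53 'open everywhere'
because remote hosts answer, or because something local accepts the connect?"""
import socket
import struct
import time

TXID = 0x1234  # fixed transaction id so a genuine DNS reply can be matched


def build_dns_query(name: str, txid: int = TXID) -> bytes:
    """Minimal TCP DNS query: 2-byte length prefix + header + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def parse_dns_reply(data: bytes, txid: int = TXID):
    """Return header facts for a length-prefixed DNS reply, or None if it is not one."""
    if len(data) < 14:
        return None
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if length < 12 or len(body) != length:  # junk such as an HTTP banner fails here
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", body[:12])
    return {"id_matches": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "answers": an}


def probe(ip: str, expect_unreachable: bool = False, timeout: float = 2.0,
          name: str = "example.com") -> dict:
    """Connect to ip:53, time the handshake, then send one query and parse any reply."""
    result = {"ip": ip, "expect_unreachable": expect_unreachable,
              "connected": False, "connect_ms": None, "reply": None}
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    t0 = time.perf_counter()
    try:
        s.connect((ip, 53))
        result["connected"] = True
        result["connect_ms"] = (time.perf_counter() - t0) * 1000
        s.sendall(build_dns_query(name))
        data = b""
        while len(data) < 14:  # enough for the length prefix plus a DNS header
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
        result["reply"] = parse_dns_reply(data)
    except OSError as exc:  # refused, timed out (also on recv), unreachable
        result["error"] = str(exc)
    finally:
        s.close()
    return result


def classify(results: list):
    """Heuristic verdict from a list of probe() results (thresholds are assumptions)."""
    reasons = []
    connected = [r for r in results if r["connected"]]
    for r in connected:
        if r["expect_unreachable"]:
            reasons.append(f"{r['ip']} should never accept a connect (RFC 5737) but did")
    if results and len(connected) == len(results) and all(r["connect_ms"] < 1.0 for r in connected):
        reasons.append("every probe connected in under 1 ms, faster than any off-box round trip")
    if reasons:
        return "LOCAL_INTERCEPTION_LIKELY", reasons
    if not connected:
        return "NO_LOCAL_INTERCEPTION_SEEN", ["no probe connected; nothing local is answering for tcp/53"]
    return "INCONCLUSIVE", ["some probes connected; check with tcpdump where the SYN/ACK comes from"]


if __name__ == "__main__":
    runs = [probe("192.0.2.1", expect_unreachable=True),  # negative control
            probe("1.1.1.1"),                              # positive control: real resolver
            probe("203.0.113.10")]                         # placeholder for an IP you suspect
    for r in runs:
        print(r)
    verdict, why = classify(runs)
    print(verdict, *why, sep="\n  ")
```

If the verdict is LOCAL_INTERCEPTION_LIKELY, `sudo lsof -nP -iTCP:53 -sTCP:LISTEN` shows which local process is listening on the port and `sudo pfctl -s nat` shows any pf rdr rule steering port 53 to it; a filtering or VPN client that installs such a rule is the usual explanation for every address appearing open.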
Oh, for interest's sake, I played around a bit:
Not sure this is unexpected behaviour.