Level 1

4 points

Disable Bonjour in 10.10 without breaking DNS or WiFi

Currently, adding the --no-multicast argument to the ProgramArguments of the discoveryd plist introduces the following symptoms with WiFi:

Auto-joining of remembered networks no longer functions.
The Airport status menu bar item no longer tracks actual adapter status correctly (wrong icon).

Apple Feedback already submitted. Besides adding pf rules or 3rd-party software, is this flag the intended way to disable only Bonjour?

Note: Folks that did an in-place upgrade of Yosemite, instead of a clean install, may have a /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist left-over, which is irrelevant since /usr/sbin/mDNSResponder has been completely superseded by /usr/libexec/discoveryd.

Thanks.

MacBook Pro, OS X Yosemite (10.10)

Posted on Nov 13, 2014 1:25 PM

Reply

6 replies

Level 1

4 points

Nov 13, 2014 2:22 PM in response to ba91241

To answer my own question, here's the hackaround we've come up with so far:

Disable Bonjour

Create /private/etc/pf.conf.mdns-disable with the following contents

# /private/etc/pf.conf.mdns-disable

# block mulicast dns (bonjour/avahi/mdns)

block inet proto udp from any to any port mdns

block inet from {224.0.0.251, FF02::FB} to any

block inet from any to {224.0.0.251, FF02::FB}

2. Append the following line to the end of /private/etc/pf.conf

include "/private/etc/pf.conf.mdns-disable"

3. Restart the firewall (or reboot).

Re-enable Bonjour

1. Comment out the following line in /private/etc/pf.conf

include "/private/etc/pf.conf.mdns-disable"

to as follows

# include "/private/etc/pf.conf.mdns-disable"

2. Restart the firewall (or reboot).

Note: The assumption here is the system firewall is always enabled.

Reply

Level 1

4 points

Nov 13, 2014 2:39 PM in response to ba91241

Reload firewall right now (insecure but practical):

sudo sh -c 'pfctl -df /etc/pf.conf && pfctl -ef /etc/pf.conf'

Note: Rebooting is more secure because temporarily disabling the firewall creates a small window of increased attack surface.

(The first Reply actually solved it, but there's neither Unstar nor remove "This helped me." (Really awful UX.))

Reply

Level 1

4 points

Nov 13, 2014 2:40 PM in response to ba91241

-- Deleted --

Reply

Level 1

4 points

Nov 13, 2014 6:54 PM in response to ba91241

**Updated** /private/etc/pf.conf.mdns-disable

# /private/etc/pf.conf.mdns-disable

# block mulicast dns (bonjour/avahi/mdns)

block inet proto {tcp,udp} from any to any port mdns

block inet6 proto {tcp,udp} from any to any port mdns

block inet from 224.0.0.251

block inet6 from FF02::FB

block inet to 224.0.0.251 # these might be redundant

block inet6 to FF02::FB #

Reply

Level 1

4 points

Nov 17, 2014 1:58 PM in response to ba91241

10.10.1 does not address --no-multicast and WiFi.

Reply

Level 1

4 points

Nov 19, 2014 9:44 PM in response to ba91241

Updated: Don't use any of these, it's a pain to start pfctl correctly.

Use IceFloor, it works great and it's far easier to manage.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Disable Bonjour in 10.10 without breaking DNS or WiFi

Welcome to Apple Support Community

A forum where Apple customers help each other with their products. Get started with your Apple Account.

Learn more Sign up