Information
Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerates devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled.
Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly-configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I'm here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices, the pf or other firewall would be needed.
Solution
Terminal Method:
Run the following command to disable Bonjour Advertising services:
% /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
Profile Method:
Create or edit a configuration profile with the following information:
- The PayloadType string is com.apple.mDNSResponder
- The key to include is NoMulticastAdvertisements
Impact:
Some applications may not operate properly if Bonjour advertising (discoverable) is turned off. In AirDrop, having this discoverability feature disabled makes the system unavailable to receive files in AirDrop on the local network.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: 1b4563bc08d05c90ad4549f6d7e84a1ac953f61c6be52915de9d5e49874078bb