Foris-controller mdns

Hello Team,

I’ve recently been playing with mDSN configuration in my home network, notably I wanted to prevent mDNS traffic in certain VLANs and especially I wanted to prevent the router to disclose its IP address via mDNS. While I know this can be achieved via dedicated firewall rules, I noticed that for each interface I defined on my Turris Omnia (TurrisOS 6.3.3), a foris-controller instance listening on port 5353 is being launched allowing clients to query the router itself.

Can anybody explain what’s the reason for this behaviour and how to prevent it? What if I want foris-controller to be active only on selected interfaces?

Many thanks in advance!

In my cursory layman’s view of the function and purpose of mDNS, you’re probably going about it the wrong way. You can find the function and behavior of mDNS in public sources for example (where port 5353 is listed)

Thanks for your input @JardaB, here the matter is different, the questions are:

  1. Why is foris-controller keeping mDNS port open?
  • What’s the purpose (especially considering umdns and/or avahi being available)
  • How to disable foris-controller replies to mDNS queries and prevent the process to disclose router information
  1. Why a separate foris-controller instance is being created for each interface
  • What’s the purpose
  • How to disable and/or prevent this behaviour
root@turris:~# lsof -i :mdns
foris-con 4671 root   10u  IPv4  45125      0t0  UDP *:mdns
foris-con 4671 root   13u  IPv4  45144      0t0  UDP 192.168.x.1:mdns
foris-con 4671 root   17u  IPv4  45145      0t0  UDP 192.168.y.1:mdns
foris-con 4671 root   18u  IPv4  45146      0t0  UDP 192.168.z.1:mdns
foris-con 4671 root   19u  IPv4  45147      0t0  UDP 172.16.x.1:mdns
foris-con 4671 root   20u  IPv4  45148      0t0  UDP 172.16.y.1:mdns
foris-con 4671 root   23u  IPv4  45151      0t0  UDP 172.16.z.1:mdns
foris-con 4671 root   24u  IPv4  45152      0t0  UDP localhost:mdns
umdns     5483 root    7u  IPv4  65652      0t0  UDP 192.168.x.1:mdns
umdns     5483 root    8u  IPv4  65654      0t0  UDP

EDIT: corrections

mDNS is not configurable, its behavior is a property of … i think
Multicast DNS (mDNS) is a zero-configuration protocol that lets you perform DNS-like operations on the local network in the absence of a conventional, unicast DNS server. The protocol uses the same API, packet formats , and operating semantics as DNS, allowing you to resolve domain names on the local network. DNS Service Discovery (DNS-SD) is a protocol that allows clients to discover a list of named instances of services (such as test._ipps._tcp.local, or linux._ssh._tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras. Default port: 5353/UDP

Thanks for your reply @JardaB. Still this is not answering my questions nor why foris-controller is acting as Multicast DNS responder

I’d suggest to have a read to RFC6762

1- If you deactivate mDNS, the state on foris controller (is acting as Multicast DNS responder) persists or not ? Isn’t there a direct connection to the mDNS protocol activity ?

2 - Excuse my reasoning as a less knowledgeable user :frowning:

Not sure what you mean by “deactivate mDNS”, bottom line is that the router shouldn’t respond to a query unless a software such as, for instance, umdns or avahi is configured to. Still, even without any of this software installed, foris-controller is providing responses.

See an example of the output from dns-sd -q openwrt.local (“openwrt” is the hostname for my Turris Omnia)

DATE: ---Wed 19 Jul 2023---
11:38:22.789  ...STARTING...
Timestamp     A/R  Flags         IF  Name                          Type   Class  Rdata
11:38:22.790  Add  40000002      12  openwrt.local.            Addr   IN     192.168.x.1

You do not experience this behaviour in standard OpenWRT installation unless the afore mentioned software is installed and configured.

No worries, we are all learning, thanks a lot for your support.

I really don’t know how change to the non-configurable mDNS protocol to remove listening on port 5353. Kill process /etc/init.d/umdns ??

As said in my previous post

and in this specific case

Disabling umdns won’t change change the behaviour, in fact you can completely uninstall umdns but still you’ll get a response from the router as long as foris-controller is up and running.

/etc/init.d/foris-controller stop will do the trick but of course this will make the foris web interface unavailable.

@turris-admin It will be really great to have a foris-controller developer to chime in and provide some input and answer to my questions.

Many thanks in advance!

Awaiting some official answer, I managed to disable foris-controller acting as Multicast DNS responder removing the --zeroconf-enabled --zeroconf-port "${remote_port}" parameters from /etc/init.d/foris-controller procd init script.

Not ideal, as this will likely be overwritten with the next TurrisOS upgrade, nor I know what are the implications. Hope we can get some input from developers.

Meanwhile I’m still investigating

turris-admin isn’t a real user. It’s a special administrative account that can be used as a fallback when no normal forum administrator is available. Please don’t mention it.

The best way how to contact our developers it to send a message to our official support channel: You can also write directly to our team members (you can find their e-mail addresses in Git commits) but this way isn’t reliable due to several reasons (e.g. some people leave our team and some other come, there are some transitions etc.).