Disable Bonjour advertising service

Details

Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour’s multicast DNS feature to discover a vulnerable or poorly configured service, or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of “I’m here!” messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, for example when the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices, pf or another firewall would be needed.

Solution

Perform the following to implement the prescribed state:
1. Make a backup copy of the mDNSResponder.plist file as a precaution.
2. Open the mDNSResponder.plist file in Terminal using your preferred text editor.

Below is a sample command:
sudo nano '/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist'

3. Add -NoMulticastAdvertisements to the array in the ProgramArguments section. For example, the following:

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
</array>

becomes:

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>

4. Save the file.
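The steps above can also be audited and applied programmatically. The following is an added example, not part of this article, written in Python with the standard-library plistlib module (which reads both XML and binary property lists). The SAMPLE_PLIST content is constructed to show only the keys this control touches and is not copied from a real system; the function names advertising_disabled, add_flag and harden_file are this example's own. harden_file makes the backup from step 1 before writing, and the edit is idempotent so running it twice does not duplicate the argument.

```python
import plistlib
import sys
from pathlib import Path

# Constructed sample of the relevant part of com.apple.mDNSResponder.plist
# (illustrative only; a real file carries additional keys).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
"""

# The launchd argument this control adds to mDNSResponder.
FLAG = "-NoMulticastAdvertisements"


def program_arguments(plist_bytes: bytes) -> list:
    """Return the ProgramArguments array (empty list if absent)."""
    data = plistlib.loads(plist_bytes)  # accepts XML or binary plists
    return list(data.get("ProgramArguments", []))


def advertising_disabled(plist_bytes: bytes) -> bool:
    """Audit check: True when mDNSResponder is launched with the flag."""
    return FLAG in program_arguments(plist_bytes)


def add_flag(plist_bytes: bytes) -> bytes:
    """Return the plist with the flag appended to ProgramArguments.

    Idempotent: an already-hardened plist is returned unchanged in content.
    Refuses to act on a plist with no ProgramArguments rather than guessing
    the daemon path.
    """
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments")
    if not args:
        raise ValueError("ProgramArguments missing or empty; not modifying")
    if FLAG not in args:
        args.append(FLAG)
    return plistlib.dumps(data)  # XML output, as in the article's listing


def harden_file(path: Path) -> bool:
    """Back up <path> to <path>.bak, then rewrite it with the flag.

    Returns True if the file was changed, False if it was already compliant.
    """
    original = path.read_bytes()
    if advertising_disabled(original):
        return False
    path.with_suffix(path.suffix + ".bak").write_bytes(original)  # step 1
    path.write_bytes(add_flag(original))                           # steps 2-4
    return True


if __name__ == "__main__":
    # Usage: python harden_mdns.py /path/to/com.apple.mDNSResponder.plist
    target = Path(sys.argv[1])
    print("changed" if harden_file(target) else "already compliant")
```

advertising_disabled on its own is a read-only compliance check that can be run against the live file with no risk of altering it; harden_file must be run with privileges sufficient to write the target path.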

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022