As part of a discussion of security issues with some colleagues this morning, the question came up of how to disable Bonjour advertisement on OS X El Capitan and later. Bonjour advertisement is how your Mac sends out an “I’m here and this is a list of the services I have available” message via Bonjour.

10.4: How to disable Bonjour | 45 comments
The following comments are owned by whoever posted them. This site is not responsible for what they say.

Have you already tried adding
<key>Disabled</key>
<true/>
to the .plist file? (just above the </dict> line at the end).

Sorry I forgot to mention:
to permanently disable a service without tampering with the .plist file, the launchctl man page says that you need to add '-w' to the unload option, this way:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Will doing a 'load' undo this, or is re-enabling it more complicated than that?

Using the unload -w flag is the equivalent of putting
<key>Disabled</key>
<true/>
into the plist file (have a look).
Using the load -w flag is the equivalent of putting
<key>Disabled</key>
<false/>
into the file.

Try doing
launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
to permanently disable Bonjour.
---
Ronald Florence

Sweet hint. :thumbsup:

Can't you simply use Directory Access (in Utilities) and uncheck Bonjour in the Services tab?

Oops, never mind. Bonjour is greyed out in Directory Access so you can't disable it that way.

And anyway, what you have in directory access is service discovery, not service announcing.
For example, if you uncheck SMB in Directory Access, and then go to the Network icon in the sidebar, you won't see SMB servers anymore.
But, if you had enabled SMB File Sharing, you could still be accessed and seen from other computers with SMB.
--
Laurent Pertois
'Never trust a computer you can't lift'

this is incorrect, if you do
dns-sd -B _workstation._tcp
from the command line every single Mac OS X machine will reply...who needs OS fingerprinting!
I am also searching for a way to disable this short of disabling bonjour too
Jonas

There's a decent article on launchd here:
http://www.afp548.com/article.php?story=20050620071558293

From the Apple KB:
'Bonjour is a networking protocol that sends and receives network packets on UDP port 5353. If you have a firewall enabled, you will need to ensure that UDP port 5353 is open for Bonjour to work correctly.'
So maybe blocking port 5353 for two-way traffic would be a quick GUI solution.

It would stop your Mac from responding, surely in the new 'stealth' mode. Plus a running process that is not invoked shouldn't take up any resources, should it?

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

On our network we found that disabling mDNSResponder caused network printing to fail.

yeah, that's sort of the point...I said that I don't use it all the time so I don't need it on. Lots of stuff will 'fail' obviously, but when you don't USE network printing, iTunes playlists, Safari bookmarks, ssh/afp announcement, etc. it's not really failure then, is it?

From afp548.com
launchctl unload -w ~/Library/LaunchAgents/com.afp548.mover.plist
Notice that I added the optional '-w' flag this time. This flag adds or removes the 'disabled' key from the plist at the appropriate time. If you don't use this when unloading a job it will automatically load the next time you login or reboot, depending on where your job file is located. You use the same '-w' flag when loading the job to remove the disabled key automatically.

From the Apple KB:
'Bonjour is a networking protocol that sends and receives network packets on UDP port 5353. If you have a firewall enabled, you will need to ensure that UDP port 5353 is open for Bonjour to work correctly.'
So maybe blocking port 5353 for incoming/outgoing UDP traffic would be a quick, easy GUI solution.

If you use Interarchy as your FTP client, you will quickly find that this is a bad thing to disable. I was trying to figure out why Interarchy stopped working today and realized that it might have something to do with trying this hint. Sure enough, re-enabling Bonjour fixed the problem. Interarchy now loads once again.

Bonjour does NOT give out user names, and it gives out the Computer Name so that you can recognize your computer in a list. The Computer Name is fully customizable and doesn't need to contain your real name. If an attacker really wants to enumerate the running services, they can do this even if the dumb 'stealth mode' feature is on. Your machine will always send an 'ack' for a TCP request to a certain port, because if it doesn't, then networking wouldn't work at all. So leaving Bonjour on does not make it easier for an attacker. Lastly, Bonjour is not chatty when compared to all the other networking activity on the computer. If you actually looked at a packet trace, you would realize that.
I would not recommend turning off Bonjour. You will not be saving much in CPU usage since mDNSResponder averages less than .01% CPU. Also, many things that you might not realize (like printing and AirTunes, etc.) rely on Bonjour and will break if you turn it off.

you can find a person's user name depending on how they have their computer name set or what applications they might be running (webserver for instance)
Jonas

It's best to think of Bonjour as web services, not a network protocol per se. It broadcasts its identity to the network for specific services only. There is no way you can get a shell prompt from a Bonjour hack :-P
I also have to scream no on this. Bonjour connects you with AirPorts, AirPort Expresses, AirTunes, printing through an AirPort Express with auto discovery.. not to mention sharing iTunes music, calendars, address books, etc.
* whew *
There is a reason why it's hard to disable.. there is no reason.. it's not chatty.. it's not insecure.. and every application can disable its service's 'announcement'. Most traffic (iTunes, Printing) is even encrypted! The only thing you might want to worry about is your AirPort Extremes and Expresses, since it uses Bonjour to configure them. Password protection is a must.
So chill.

Well, Bonjour is used to Discover the AirPort devices, not to configure them!
Configuration is done via SNMP. ;-)
Also, I would agree that Bonjour is not 'chatty', as it only Replies to Requests when other computers want to know what services are online.
The contrast here is AppleTalk that auto broadcast 'I am here' announcements each 20 sec or so.. now, that's where the 'chatty' issue comes from..
---
/Marook

I'm posting this as its own thing because I don't want people to have to click the link to see the truth.
snoop: you don't know what you're talking about!
'Bonjour does NOT give out user names'
*cough*...there's a little application called bonjour browser, look it up. There's an application called ichat, look it up. Run bonjour browser, and then turn on ichat's bonjour...what do you see in bonjour browser? oh, well *I* see my username@my computer name! My username is NOT the same as my aim name, or my long name so it's pretty clearly my username. But good job on stating something you can't back up.
'and it gives out the Computer Name so that you can recognize your computer in a list. The Computer Name is fully customizable and doesn't need to contain your real name.'
yes, and as such mine is as generic as it can be without being conspicuous (an interesting thing might be to see what happens if two computers on the same local net have the same computer name... but I don't have two computers). HOWEVER, the DEFAULT *does* contain a person's real name more often than not (just jump on any campus network to verify).
'If an attacker really wants to enumerate the running services, they can do this even if the dumb 'stealth mode' feature is on.Your machine will always send an 'ack' for a TCP request to a certain port, because if it doesn't, then networking wouldn't work at all.'
thanks for the networking tutorial! You didn't read very carefully did you? I said an attacker can find out what you're running WITHOUT active scanning. You're describing active scanning. Obviously if the attacker has time they will go the stealthier route.
'So leaving Bonjour on does not make it easier for an attacker.'
tell that to the social engineer who now has real names(or even fairly unique user ids(such as this one for instance)), and can start googling someone.
'Lastly, Bonjour is not chatty when compared to all the other networking activity on the computer. If you actually looked at a packet trace, you would realize that.'
*sigh* It's precisely because I DO look at network traces that I know that it's sending data that it doesn't need to (especially when all Bonjour services are left as default). Yeah, it's not as much traffic as a single hit of Slashdot, but that's not the point, I didn't say this was some bandwidth-saving technique! I said that if you're not using it, it's sending worthless data which can possibly leak information about your machine, and those who don't want that data leaked should have the option to turn it off!
'I would not recommend turning off Bonjour. You will not be saving much in CPU usage since mDNSResponder averages less than .01% CPU. Also, many things that you might not realize (like printing and AirTunes, etc.) rely on Bonjour and will break if you turn it off'
again, I didn't say it was to save CPU, but there are people like me who don't use these features, and this site is about posting information (even esoteric information that not everyone will use) for those who want it (because I personally post stuff when I just want to be able to google it again at some later date)
ok snoop, you do know what you're talking about, but that doesn't mean you can tell others that this is something they shouldn't know about, or imply it's useless.

Your points are all valid of course.
However, for those who perhaps would like to tighten security (or at least gain a little awareness) whilst keeping the usefulness of Bonjour, here's a little more info (which I believe to be correct... could have got the wrong end of the stick, of course!)
- Bonjour is non-routable.
You are not broadcasting Bonjour info over the Internet, nor will your machine catch Bonjour requests from the Internet. It will only work over the local network. Which, to be honest, should only really have machines on it that you know and trust (in an ideal world!)
- Use application preferences.
I was a little surprised to see iChat using the local account name as an identifier. Not really a problem as far as I'm concerned, but I can see how it could spook others. Just jump into iChat's preferences and turn off Bonjour Chat. If you use Bonjour Browser, you'll see iChat then disappears. Basically, pay attention to what apps have Bonjour support, and turn it off on a per-app basis if you want.
Cheers,
Chris

what's the big deal?
truth is, if you really have so much stuff to hide, don't use any networking at all.
no wireless.
no internet.
also while you're at it, register yourself as dead so nobody can get your information.
face it, if SOCIAL ENGINEERS are scary, then you had better become a hermit, or move to a country where your information doesn't really exist in many forms.
the irony is, Big Brother style ID systems are at once the answer and a problem.
complete anonymity is also useless.
only the most persistent and sophisticated hacker will figure out what to do with anything they find.
if you're poor like me, there's nothing to gain by getting my information.

*grin*
I know what you mean, but at the same time it does give a certain amount of peace of mind to be aware of exactly what info is available from your machine to unknown others.
Which is why this hint's good in that it shows that, on principle, Bonjour (I keep wanting to type Rendezvous!) does allow other unauthenticated machines to view info on your machine.
However, all the documentation I've read shows that Bonjour only works on link-local, NOT over an internet connection (be it dial-up, cable modem ADSL, ethernet or whatever). So really the submitter's concern should only be directed at the security of their local network. If it's a wired LAN then obviously you're pretty worry-free. If it's a wireless LAN, you'll do much better addressing the fundamentals of WLAN security rather than pulling the whole Bonjour capability from your Mac.
Regards,
Chris

Incidentally, if you read my signature on every single on-line post I've made, you'll find my forename. And if I then tell you that my Mac's name is clementine (in homage to the film Eternal Sunshine of the Spotless Mind), then you'll already know what iChat exposes over Rendez... I mean, Bonjour.

Do what you wish with that information :)


Regards,
Chris

Au revoir, Bonjour!

As others have mentioned the '-w' flag will add or remove the disabled key to the plist as needed.
You can use the launchd.conf files if you just populate them with the launchctl command, minus the 'launchctl' part. This one would need to go in the system conf file in /etc as it's a system level launchd job.
Check out the man pages, developer docs, or our article for more info.
Josh
---
http://www.afp548.com
Breaking my server to save yours.

jonasyorg, when I said that Bonjour does not give out user names, I was referring to the Bonjour protocol (mDNS-SD). Nowhere in the Multicast DNS Service Discovery spec does it say to give out user names. The mDNS spec assigns your machine a dot-local name. That dot-local name does not need to be a user name. It can be anything you want. Just because in Mac OS X it defaults to your first and last name doesn't mean it must stay that way. Each application that uses Bonjour can do whatever it wants. If an individual application such as iChat decides to advertise a Bonjour service using your user name, then it can do that. However, it's also in your power to choose not to use that individual application. And guess what, disabling mDNSResponder doesn't prevent an application from revealing information about you. An application could embed the mDNSResponder code from Darwin directly into the application. Many Java applications that run on Mac OS X use an open source library called JmDNS to advertise services, and this library is embedded in the application and it doesn't use mDNSResponder. An application could also simply bypass mDNS and broadcast your information on its own using a custom protocol. Turning off mDNSResponder does not magically make your computer safe. On a default Tiger machine with no additional applications installed, if you don't want your name advertised by Bonjour, then change your Computer Name to something generic, and don't use Bonjour iChat. There, problem solved, and you can even use Bonjour Browser to prove it to yourself; however, the minute you install an application, there's a potential for it to advertise information about you. I'm not saying having this 'disabling Bonjour' information out there isn't valuable. For example, it's valuable for application developers who want to verify that their application still works with mDNSResponder disabled.
I was only recommending that most average customers will do more harm than good if they disable Bonjour. Many of these customers only use their Macs from home behind their own NAT, and so mDNS traffic isn't even leaving their private network. You have every right to turn off mDNSResponder. I just thought you were overstating the security issues.


Many of these customers only use their Macs from home behind their own NAT, and so mDNS traffic isn't even leaving their private network.

... and as mentioned, Bonjour (or, to use its generic name, Zeroconf) is a non-routable service... and so will never leave (or accept requests from beyond) your private network anyway (assuming I'm interpreting the specs correctly)

(Removing tinfoil hat and donning asbestos suit...)
If you don't like Bonjour/Rendezvous/Zeroconf, you can certainly shut it off, but as others have suggested I wouldn't recommend it. The odds of breaking an application and possibly the 'it-just-works' nature of OS X are high given the negligible improvement in security that would result.
Bonjour/Rendezvous/Zeroconf and the like use IP multicast, rather than point-to-point or broadcast IP traffic, to communicate with other machines in your local network. Multicast traffic, by definition, never leaves your local network, nor is it ever relayed between networks. For example, if you join a wireless network at a cafe, you may see services (such as iChat Bonjour, file shares, automagic network configuration choices, Safari Bonjour Bookmarks, iTunes Music Shares) being advertised by local machines (and vice versa). If you sniffed traffic you would see packets destined for multicast addresses in the range 224.0.0.0 through 224.0.0.255. Everyone on your subnet sees the same multicast traffic. What you wouldn't see is multicast traffic from the cafe down the road, multicast traffic from the other side of your VPN connection, or multicast traffic from the hacker in Blackhatistan (or vice versa).
That being said, if you still feel that you don't want to advertise a particular service, then shut off that application or option. For example, iChat works with both AOL and .mac IM, but it also allows you to chat with other users on your local network. Assuming you have the Bonjour feature of iChat turned on, it will advertise your presence on the local network. It's hardly surprising that it would reveal your user name and machine name given that you asked it to do so by turning on the Bonjour feature of iChat. (Some users may only use the Bonjour feature of iChat without an IM account.)
Turn on your firewall, shut off unneeded services (through System Preferences->Sharing) and you have little to worry about.
Bonjour (or mDNSResponder to be more specific) is just an advertiser of services, which happens to use IP multicasting to spread its message. Shut off the service, but don't shoot the messenger.

Wow... How wrong you are. If you knew anything about networking you'd already be informed that routing platforms can route almost any traffic today, using encapsulation, tunneling and all kinds of other industry standard mechanisms. Being a CCIE and CISSP I'd like to inform you that multicast routing is very real, and is used quite extensively (how do you think they efficiently provide 99% of all webcasts to a huge viewer base?).
Also... Did you even read any of the developer information for Bonjour? Ever heard of wide-area Bonjour? Do your homework.

Has anyone actually tried this hint???
Turning Bonjour off causes Camino to beach ball on launch, causes printing to beach ball, etc. etc...
Interesting academic exercise but causes bustage you don't want to happen.
amavida

I don't know past a vague idea what they are for, but I turned all of them off (except Bonjour). No ill effects noted... (It's a stand-alone Mac connected by ADSL router to the net via Ethernet.)
Amavida

Why don't you use an application called Boot Config 1.0? It allows you to disable services you are not using. Or you can open the following file called hostconfig in a text editor like TextEdit, Microsoft Word, or BBEdit.

Unfortunately this completely disabled IP printing to a preloaded, static IP address printer (HP). It took me a while to track it down to this, but as soon as I reloaded Bonjour, printing was restored.
I couldn't even use print to generate a PDF.
Anybody else have this happen?

Hi,
I tried to unload the Bonjour stuff with launchctl as suggested, but this caused a weird other problem (after rebooting, not immediately): my printing does not work anymore. I deleted all printers to make sure I'm not using a Bonjour printer, and reinstalled them using IP printing or AppleTalk. However, the process was *very* slow. After that, whenever hitting command-P for print dialog, in whatever application, the colourful spinning ball appears and it takes a minute before the print dialog comes up, and after that printing works.
I finally remembered I had disabled Bonjour, and immediately after re-enabling it, everything's back to normal.
My main motivation for disabling it is that I'm getting sick of iChat insisting upon each and every startup to ask me whether or not I want to login Bonjour. And I'd say yes if it wouldn't open a second iChat window just for that. Argh! Is there any way to disable Bonjour so that printing will still be fast or then is there a way to just get rid of Bonjour in iChat?
Oh, by the way, same symptoms whether I'm connected to the network or not, so this is extremely annoying, because I frequently use the save-as-pdf function of the print dialog.
Any ideas?
Thanks in advance,
all the best,
Thomas

I'm pretty sure there's an iChat preference to disable Bonjour but I can't check for it right now.

To all the people who say you should not disable this, and that this service does not put a load on the CPU:
On our Xserve cluster, which has no need for printing, iTunes, or any of the other stuff mentioned in the previous comments, the mDNSResponder service will regularly start using 60 to 70% of the CPUs. I made mDNSResponder dump its internal state into the system log, and it looks like it can go completely nuts if there are too many printers and people using iTunes on your local network.
I'm going to check the other macs in the building and see if the same thing is happening to those :( (100+ Macs to check, oh joy)
Thank you so much for this hint, good riddance to that rubbish :)
And no, turning mDNSResponder off has no effect on a headless machine :) OS X Desktop? Who needs it :D

Oh, dangerous hint. In particular, that's a dangerous place to split the line.
If you accidentally insert a space where the line is split here, you'll disable several key services - every one in the /System/Library/LaunchDaemons directory!
--
Ian Eiloart
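As an added example (not code from the hint or from any comment in this thread), here is a small POSIX sh wrapper that ties together the '-w' behaviour explained earlier and the line-split hazard Ian points out: it reports whether a job plist carries the Disabled key that `unload -w` writes and `load -w` removes, and it only hands launchctl a path that is exactly one existing file. It assumes the Tiger-era plist path quoted in the thread; the sample plists it writes are constructed for the demonstration, not Apple's real files.

```shell
#!/bin/sh
# Added example: guarded wrapper around "launchctl unload|load -w" for
# mDNSResponder. Shows the on-disk state that -w toggles (the Disabled key)
# and refuses to call launchctl unless the path is exactly the one expected
# file, so a wrapped or unquoted path can never expand into every job in
# /System/Library/LaunchDaemons. Assumes the Tiger-era path from the thread.

MDNS_PLIST="/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"

# plist_disabled FILE: exit 0 when FILE contains <key>Disabled</key>
# immediately followed by <true/>, the state "launchctl unload -w" writes
# and "launchctl load -w" clears. Whitespace between key and value is ignored.
plist_disabled() {
    tr -d ' \t\n\r' < "$1" | grep -q '<key>Disabled</key><true/>'
}

# plist_state FILE: print "disabled" or "enabled" for FILE.
plist_state() {
    if plist_disabled "$1"; then echo disabled; else echo enabled; fi
}

# safe_launchctl load|unload PATH: run "launchctl ACTION -w PATH" only when
# every guard passes; return 2 without touching launchd on any refusal.
safe_launchctl() {
    action="$1"
    shift
    if [ "$#" -ne 1 ]; then
        echo "refusing: expected one path, got $# (unquoted or wrapped line?)" >&2
        return 2
    fi
    case "$action" in
        load|unload) ;;
        *) echo "refusing: action must be load or unload, got '$action'" >&2
           return 2 ;;
    esac
    case "$1" in
        "$MDNS_PLIST") ;;
        *) echo "refusing: '$1' is not $MDNS_PLIST" >&2
           return 2 ;;
    esac
    if [ ! -f "$1" ]; then
        echo "refusing: $1 is not a regular file" >&2
        return 2
    fi
    launchctl "$action" -w "$1"
}

# write_sample_plist FILE true|false|none: write a constructed, minimal job
# plist (not Apple's real file) with Disabled set to the given value, or
# with the key omitted for "none".
write_sample_plist() {
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        printf '\t<key>Label</key>\n\t<string>com.apple.mDNSResponder</string>\n'
        [ "$2" = none ] || printf '\t<key>Disabled</key>\n\t<%s/>\n' "$2"
        printf '</dict>\n</plist>\n'
    } > "$1"
}

# Stand-alone demonstration on constructed files in a temporary directory.
if [ "${SAFE_LAUNCHCTL_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    for v in true false none; do
        write_sample_plist "$tmp/$v.plist" "$v"
        printf 'Disabled=%s -> %s\n' "$v" "$(plist_state "$tmp/$v.plist")"
    done
    # The hazard from the comment above: a space splits the path into two words.
    safe_launchctl unload /System/Library/LaunchDaemons com.apple.mDNSResponder.plist \
        || echo "exit status $? (launchctl was never invoked)"
    rm -rf "$tmp"
fi
```

Set SAFE_LAUNCHCTL_DEMO=0 when sourcing the file to get only the functions.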

I think it is a big deal. I never asked for this program to be put on my computer. It came on an IE7 toolbar add-on. My computer slowed, CPU up to 99 percent. Sounded like my hard drive was taking off! It was listed in my Winsock programs. I tried to delete it, couldn't. I got rid of IE7, but Bonjour still ran. I emailed Microsoft and was told it is really hard to get rid of. What the heck is that all about?

For those that just require .local domain lookups to function, regardless of whether or not Bonjour is running, please see this article from Apple.
http://support.apple.com/kb/HT3473

OK, I read the link .../kb/HT3473 which in my opinion consisted of the ozone layer. I am on this thread because I have a new MacBook Pro with OS X 10.6.6 - Snow Leopard. I have Symantec/Norton firewall which gives me a 'view current network connections' panel. This shows 10 services and ports, all of which are activated by mDNSResponder and in 'listening' status. There is only one active port which is connected. That is my Firefox browser window in which I am typing this post. Why do I need 10 ports listening in, and who/where can connect to these ports? If I enable IPv6 under AirPort preferences, the number of listening ports increases. I have another laptop running Windows XP Pro SP2. The Symantec/Norton firewall on that machine allows only one monitored communication port. What's the deal, Mac? I already have iChat blocked in the firewall. How do I get rid of these 'listening' ports?