Is mDNSResponder needed on a webserver?

Caused 11 GB bandwidth use in one day on an empty server

lammert

9:55 pm on Jul 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I was asked to prepare a dedicated Linux web server at one of the larger hosting companies to serve sites with Apache 2.2 and MySQL 5.0. The server is running Linux Fedora Core 4, and was basically installed by the hosting company with the standard options they think are necessary for proper operation.

This server is not serving websites yet, the only installed web software is Apache server 2.2 with the default site saying "It works!"

Three days after the server was installed I suddenly saw a peak in the on-line bandwidth information the hosting company provides. Not just a small peak, but 11 GB in one day. From remote the server was difficult to reach, and ping and SSH timed out many times before I managed to connect. This is not what you expect from a brand new server with a website with one page of 40 bytes. I first suspected the server to be hacked and someone misusing it, but when I checked the system, it reported no signs of intrusion. The log files of the mail server and web server contained a few normal entries and no other services like FTP were running which could have caused the huge data traffic.

The only service I suspected was called mDNSResponder. I had never heard of it in the many years I have been using various Unix and Linux flavours. I therefore took a dive into the man pages and the internet to see what this service is used for.

If I understand it correctly, mDNSResponder is a multicast DNS daemon and part of an Apple project to allow TCP/IP connections without the hassle of name resolving, IP address assignment etc. A little bit like Netbios in the Microsoft environment.

My idea is that the mDNSResponder process either went crazy in the large arena of the World Wide Web, or someone was exploiting it from the outside. I have disabled this process and all associated processes and the server is now running fine again. After all, it should only listen on port 80 for HTTP requests.

I have never seen this mDNSResponder process before on a web server, and I can't imagine why it would be needed on a public server. But yet it was installed by one of the respected larger hosting companies as one of the default processes to run on this webserver.

Does anyone have an idea why the process was running, or should I consider it to be an installation error of the hosting company? Are there also reports that mDNSResponder can be exploited or used for a DoS attack?

mcavic

7:55 pm on Jul 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



part of an Apple project to allow TCP/IP connections without the hassle of name resolving

Sounds like something Apple would come up with.

I'm not familiar with mDNSResponder, but it's installed and started by default under Fedora. I've always disabled it on my servers.

lammert

9:27 pm on Jul 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I searched around on the internet and found several sites telling about situations where mDNSResponder started generating large numbers of queries, often causing firewalls to trigger. It seems that the 11 GB of traffic was not caused by an external attack on the mDNSResponder process, but by mDNSResponder itself, sending queries to computers it discovered on the net.

My hosting company told me that they do not need the process for their regular maintenance work, so it is safe to keep it stopped.
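As an added example (not code from this thread or from the howl/mDNSResponder project), here is a small POSIX shell audit that flags any process bound to the mDNS port, UDP 5353, which is what mDNSResponder uses for the multicast queries discussed above. It runs against a constructed `netstat -lnup` sample so it works offline; the init-script name `mDNSResponder` in the remediation output is assumed to match the process name on Fedora Core 4 and should be checked on your own system.

```shell
#!/bin/sh
# Audit a web server for a daemon bound to the mDNS port (UDP 5353).
# Input is `netstat -lnup` style text so the check can run on a captured
# snapshot as well as on a live system.

MDNS_PORT=5353

# Constructed sample of `netstat -lnup` output from a server like the one in
# the thread: Apache on 80, sshd on 22, and mDNSResponder bound to UDP 5353.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1501/mDNSResponder
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           1501/mDNSResponder'

# Print the program name of every UDP socket bound to port 5353 (udp or udp6);
# prints nothing when the port is not bound.
mdns_listeners() {
    printf '%s\n' "$1" | awk -v port="$MDNS_PORT" '
        $1 ~ /^udp/ && $4 ~ (":" port "$") { sub(/^[0-9]+\//, "", $NF); print $NF }'
}

# Exit 0 when nothing is bound to UDP 5353, 1 otherwise (with a report), so the
# check can be wired into cron or a monitoring script.
mdns_audit() {
    found=$(mdns_listeners "$1")
    if [ -z "$found" ]; then
        echo "OK: nothing bound to UDP $MDNS_PORT"
        return 0
    fi
    echo "WARNING: UDP $MDNS_PORT is bound by: $found"
    return 1
}

# Remediation the thread arrives at: stop the daemon, keep it from starting at
# boot, and drop mDNS at the firewall in both directions (the traffic in the
# thread was the daemon's own outbound queries). Init-script name is assumed.
mdns_remediation() {
    cat <<'EOF'
service mDNSResponder stop
chkconfig mDNSResponder off
iptables -I INPUT  -p udp --dport 5353 -j DROP
iptables -I OUTPUT -p udp --dport 5353 -j DROP
EOF
}

# Stand-alone run on the sample; for a live host use: mdns_audit "$(netstat -lnup)"
if ! mdns_audit "$SAMPLE_NETSTAT"; then
    echo "Suggested remediation:"
    mdns_remediation
fi
```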