Security warning from German Federal Office because mDNS services openly accessible from anywhere

I’ve got a VPS with Yunohost 2.5 running and yesterday I got a strange email from the German Federal Office for Information Security, saying that the Shadowserver Foundation did a scan on my system and found an open mDNS service on my host and that this is dangerous:

“mDNS services openly accessible from anywhere on the Internet can be abused for DDoS reflection attacks against third parties. (…) We would like to ask you to check this issue and take appropriate steps to close the openly accessible mDNS services on the affected systems.”

Is this really a problem? How can I make the mDNS-service secure?

I’ve got the following YH-Apps installed:

  • HumHub
  • Linux-Dash
  • Lufi
  • Custom Web App
  • Nextcloud
  • Roundcube
  • rss-bridge
  • Searx
  • Shell In A Box

More about the scan:

https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/Reports/openly-accessible-services/openly-accessible-services_node.html

Hello,

Have you made any modifications to the configuration of dnsmasq? We recently had several people who did some checks on it to see if it was possible to abuse it to do DDoS, but the conclusion was “no”.

As far as I know we didn’t change anything in the dnsmasq configuration recently.

We can do other checks if needed.

Hi,
I have received the same message.
The port (5323?) was open and I just deleted the firewall rule.

I have made no changes to dnsmasq or anything else.

No, I didn’t make any changes to dnsmasq either. Does one of the YH-Apps make those changes?

@Rolf: Thanks, I closed the port as well.
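
Added example, not part of the thread: a self-check for a host you administer, run from a machine outside its network, to confirm that the mDNS service no longer answers from the Internet after the firewall change. It assumes the standard mDNS port (UDP 5353) and a DNS-SD service enumeration query; the function names are illustrative.

```python
import socket
import struct
import sys

MDNS_PORT = 5353  # standard mDNS UDP port (RFC 6762)
DNSSD_NAME = "_services._dns-sd._udp.local"  # DNS-SD enumeration name (RFC 6763)


def build_query(name=DNSSD_NAME, txid=0x1234):
    """Build a one-question DNS query (QTYPE=PTR, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = (bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 12, 1)


def summarize(query, reply):
    """Return answer count and reply/query size ratio, or None if not a DNS response."""
    if reply is None or len(reply) < 12:
        return None
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:  # QR bit clear: this is not a response
        return None
    # A ratio above 1 means the reply is larger than the query (reflection gain).
    return {"answers": answers, "ratio": round(len(reply) / len(query), 2)}


def probe(host, port=MDNS_PORT, timeout=3.0):
    """Send one unicast query to a host you operate; None means no usable reply."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            reply, _ = s.recvfrom(65535)
        except OSError:  # timeout, unreachable, or refused
            return None
    return summarize(query, reply)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe(host)
    if result is None:
        print(f"{host}: no mDNS reply (port filtered or service not listening)")
    else:
        print(f"{host}: mDNS answered from outside: {result}")
```

No reply from an external vantage point is the expected result once the port is closed; a reply means the service is still reachable.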