Disabling LLMNR on hosts that use the systemd stub resolver


While performing a routine audit of my desktop this morning I noticed that the systemd stub resolver was listening on TCP port 5355:

$ netstat -pant | grep 5355

tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      2236/systemd-resolv 

TCP port 5355 is used for Link-Local Multicast Name Resolution (LLMNR), which is completely unnecessary for my setup at home. So I ventured off to /etc/systemd and came across the resolved.conf file. While perusing resolved.conf(5) I came across the following two configuration directives:

LLMNR=
Takes a boolean argument or “resolve”. Controls Link-Local Multicast Name Resolution support (RFC 4794) on the local host. If true, enables full LLMNR responder and resolver support. If false, disables both. If set to “resolve”, only resolution support is enabled, but responding is disabled. Note that systemd-networkd.service(8) also maintains per-link LLMNR settings. LLMNR will be enabled on a link only if the per-link and the global setting is on.

MulticastDNS=
Takes a boolean argument or “resolve”. Controls Multicast DNS support (RFC 6762) on the local host. If true, enables full Multicast DNS responder and resolver support. If false, disables both. If set to “resolve”, only resolution support is enabled, but responding is disabled. Note that systemd-networkd.service(8) also maintains per-link Multicast DNS settings. Multicast DNS will be enabled on a link only if the per-link and the global setting is on.

Setting both values to no and bouncing systemd-resolved.service stopped systemd-resolved from listening on *:5355. If you are interested in learning more about LLMNR you can check out RFC 4795. This helped me clarify a number of questions I had about the protocol and when to use it.

This article was posted by Matty on 2017-12-22 07:19:26 -0500 EST