To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:
check-response-ttl=yes
This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted.
To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section:
disable-publishing=yes
This helps ensure that no record will be published by Avahi.
If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] section:
use-ipv6=noSimilarly, if you are using only IPv6, disable IPv4 sockets with the line:
use-ipv4=no
To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:
disallow-other-stacks=yes
This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system.
If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the [publish] section:
disable-user-service-publishing=yesImplement as many of the following lines as possible, to restrict the information published by Avahi.
publish-addresses=no publish-hinfo=no publish-workstation=no publish-domain=noInspect the files in the directory /etc/avahi/services/. Unless there is an operational need to publish information about each of these services, delete the corresponding file.
These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published.
If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.
Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.
If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.
Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.
The avahi-daemon
service can be disabled with the following command:
$ sudo systemctl mask --now avahi-daemon.service
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.