Saturday, January 26, 2013

mDNSResponder running rampant

So, this morning I took at look at my Mac and noticed that Little Snitch shows that someone is doing almost constant network traffic out.  Looking in the Network Monitor, it appears that mDNSResponder is sending almost constantly to our DNS server.

Useful tip 1:  To debug what mDNSResponder is doing, use the following:

sudo killall -SIGUSR1 mDNSResponder

and then take a look in the Console log.  This is a toggle so do the same command to disable the extended logging.  (Thanks to http://krypted.com/mac-os-x/mdnsresponder-mdns-and-dns-sd/ - I could have just read the man page (man mDNSResponder) but who has time to read local documents when you have Google?)

Some internet pages suggest you can get this symptom if you have a misconfigured DNS server that does not report errors correctly. This does not appear to be the problem for my ISP (Optus).

In my case, the log showed messages like this:


26/01/13 9:55:50.819 AM mDNSResponder[40]:  24: DNSServiceQueryRecord(35000, 0, 1.0.0.127.in-addr.arpa., PTR) START PID[264](LogMeInGUI)
26/01/13 9:55:50.820 AM mDNSResponder[40]:  24: Error socket 72 closed  00000000 00001005 (0)
26/01/13 9:55:50.820 AM mDNSResponder[40]:  24: Error socket 72 created 00000000 00001006
26/01/13 9:55:50.820 AM mDNSResponder[40]:  24: DNSServiceQueryRecord(35000, 0, 1.0.0.127.in-addr.arpa., PTR) START PID[264](LogMeInGUI)
26/01/13 9:55:50.820 AM mDNSResponder[40]:  24: Error socket 72 closed  00000000 00001006 (0)

Hmmm, LogMeIn?  Don't I have that switched off?

I checked the LogMeIn control application and yes, it definitely shows as "Off" - that's the normal state for me.  On a hunch, I turned it "On" and immediately the mDNSResponder traffic ceased.  Turn if "Off" and mDNSResponder again starts sending.

So, LogMeIn, when turned off, generates more network traffic than when it is turned on and idle.

I've reported it to LogMeIn.com - we'll see what happens.  For now, I'll probably uninstall.