mDNSResponder on macOS Sierra? Malware?

It's worth mentioning that I'm a complete newbie to network security, and have only recently started playing around with Wireshark.

I used Wireshark to trace some network activity to a process called mDNSResponder. My Google searches have resulted in old comments describing mDNSResponder's use in earlier versions of OS X. However, I'm running the newest version of macOS Sierra. As such, I'm concerned that it may be malware.

I have examined a second MacBook Pro, which is also running macOS Sierra. mDNSResponder is not running, nor is it installed. The MacBook Pro that has mDNSResponder installed has it located in /usr/sbin.

mDNSResponder is run by the user _mdnsrespond. It is actively sending and receiving packets.

A second process called mDNSResponderHelper is also running. It is being run by the root user. However, it is not sending or receiving packets.

I would appreciate it if anyone could clarify whether this is malware. If there is anything I can do to help with this, feel free to specify.

Thank you.

EDIT

After conducting further research and considering all of the responses, I have decided to reformat my machine. Both MacBook Pros were recently reformatted within days of each other, and have been connected to the same devices. I see no reason why mDNSResponder is necessarily installed and running on one machine and not the other. It is possible that it is not malware, but the network activity of mDNSResponder would make it an excellent target for malicious attacks. As such, I think it wise to reformat the machine.

After reformatting and updating my machine, mDNSResponder and mDNSResponderHelper are no longer installed. Despite this, the machine is still functioning normally.

I am not knowledgeable enough to claim whether mDNSResponder and mDNSResponderHelper were cleverly concealed malware, legitimate software, or otherwise, but I do think it was wise to reformat the machine. Hopefully this post will help others in the future.

2

4 Answers

The mDNSResponder service is associated with Bonjour, a network browsing service that auto-browses the network for resources. For example, it knows at all times about network printers and its list is up to date. That is what Bonjour does: it polls the local network segment and discovers devices that you can connect to.

The mDNSResponder service is the engine of Bonjour. Sometimes it can go a little crazy and there are enough articles on the web complaining about it.

There are two launch daemons that manage the Bonjour service. If they are unloaded, Bonjour will shut down and the mDNSResponder activity will stop.

The following commands might still do the job in OS X Sierra:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist

Unfortunately, per your report, shutting down mDNSResponder also left you without Internet access. Well, at least this turned out to be the confirmation you asked for that this is a legitimate OS X process.

Since Bonjour is a network-browsing process, its presence on the one Mac but not on the other may be explained by some difference in the network. For example, it might be checking that a network printer is still available.

2
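A defender-side check for the daemon discussed in this answer, as an added example that is not part of the original post: it flags any process named mDNSResponder that is not the stock binary in /usr/sbin running as the _mdnsresponder account, and on macOS also verifies Apple's code signature and the presence of the launchd plist named above. The `codesign` checks, the `ps` column layout and the `_mdnsresponder` account name (the question's `_mdnsrespond` is taken to be a truncated display of it) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Expected values are taken from
# the question and answer: binary in /usr/sbin, plists in LaunchDaemons.
EXPECTED_BIN=/usr/sbin/mDNSResponder
EXPECTED_USER=_mdnsresponder        # assumed stock service account
PLIST_DIR=/System/Library/LaunchDaemons

# check_ps_line "<user> <pid> <executable path>"
# One line of `ps -axo user=,pid=,comm=`. Prints a verdict and returns
# 0 = matches the stock daemon, 1 = suspect, 2 = not mDNSResponder at all.
check_ps_line() {
    set -- $1                        # intentional word-splitting of the line
    user=$1
    path=$3
    case "$path" in
        */mDNSResponder) ;;          # the daemon itself (not the Helper)
        *) return 2 ;;
    esac
    if [ "$path" != "$EXPECTED_BIN" ]; then
        echo "SUSPECT: mDNSResponder running from $path (expected $EXPECTED_BIN)"
        return 1
    fi
    if [ "$user" != "$EXPECTED_USER" ]; then
        echo "SUSPECT: mDNSResponder running as $user (expected $EXPECTED_USER)"
        return 1
    fi
    echo "OK: $path running as $user"
    return 0
}

# macOS-only part: Apple signature on the binary, launchd plist present,
# then every running mDNSResponder checked with check_ps_line.
verify_on_macos() {
    [ "$(uname)" = Darwin ] || { echo "not macOS, skipping live checks"; return 0; }
    codesign --verify --strict "$EXPECTED_BIN" || { echo "SUSPECT: bad signature"; return 1; }
    codesign -dv "$EXPECTED_BIN" 2>&1 | grep -q 'Authority=Software Signing' \
        || { echo "SUSPECT: not signed by Apple"; return 1; }
    [ -f "$PLIST_DIR/com.apple.mDNSResponder.plist" ] \
        || { echo "SUSPECT: launchd plist missing"; return 1; }
    ps -axo user=,pid=,comm= | grep 'mDNSResponder$' | while read -r line; do
        check_ps_line "$line" || exit 1   # exit status of the pipeline
    done
}
```

Run `verify_on_macos` on the Mac in question; a SUSPECT line is a reason to look closer, an all-OK result is consistent with the stock Bonjour daemon.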

mDNSResponder is a standard system daemon that's been part of Mac OS X / OS X / macOS for the last 14 years.

In recent versions of OS X / macOS it's also the primary way that DNS resolution is done.

In mid-2014 in OS X Yosemite (OS X v10.10, which was two major versions ago as of this writing) Apple replaced mDNSResponder with a new daemon called discoveryd, but ended up switching back to mDNSResponder as of OS X Yosemite v10.10.4 a few months later.

After reformatting and reinstalling your machine, unless you downgraded yourself to 10.10.0 – 10.10.3 and stayed there, you certainly do still have mDNSResponder installed. I'm not sure why you think you don't. In fact, even in 10.10.0 – 10.10.3, I think mDNSResponder would have been installed but not activated. If you're on macOS Sierra, DNS wouldn't be working for 90% of your system if mDNSResponder wasn't installed and running.

1

mDNSResponder is back (albeit not in Pog form...), so I guess you are fine:

Word on the street is that going back to mDNSResponder allowed Apple to close 300 separate bug reports. And apparently the company wasn't looking to reopen those reports, as OS X 10.11 comes with mDNSResponder version 624.1.2.

3

This is part of Bonjour and is a service that is needed to run many different programs, applications, and processes. It's not malware. The reason you see it running on one and not the other is likely because one is running something different than the other.

0
