Tuning in
Registered: ‎16-04-2017
Message 1 of 4 (210 Views)

Multicast DNS and DMZ problems

I've received my first mDNS warning letter from Virgin Media, but I have my Playstation 4 in DMZ. I'd really prefer not to disable DMZ, so I'm looking for a different solution.

Can any PS4 users confirm port forwarding is successful with Super Hub 2? As per the suggestions in other topics, I've forwarded port 5353 to an unused local IP as follows:

PF5353.jpg

I tested this yesterday. With the WAN IP, dig displayed the following:

; <<>> DiG 9.10.4-P8 <<>> @81.**.**.** -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

It looks fine. However, the pentest-tools website reported:

Starting Nmap 6.00 ( http://nmap.org ) at 2017-04-16 11:41 EEST
Initiating Ping Scan at 11:41
Scanning 81.**.**.** [4 ports]
Completed Ping Scan at 11:41, 0.06s elapsed (1 total hosts)
Initiating UDP Scan at 11:41
Scanning ...cable.virginm.net (81.**.**.**) [1 port]
Discovered open port 5353/udp on 81.**.**.**
Completed UDP Scan at 11:41, 0.05s elapsed (1 total ports)

[+] Nmap scan report for ...cable.virginm.net (81.**.**.**)
Host is up (0.021s latency).

PORT     STATE SERVICE
5353/udp open  zeroconf

I also checked the nightlydev site, and it shows port 5353 as being open as well. I just can't make sense of this...

Using the PS4's local IP, dig reports:

; <<>> DiG 9.10.4-P8 <<>> @192.168.0.80 -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_services._dns-sd._udp.local.  IN      PTR

;; ANSWER SECTION:
_services._dns-sd._udp.local. 10 IN     PTR     _spotify-connect._tcp.local.

;; Query time: 0 msec
;; SERVER: 192.168.0.80#5353(192.168.0.80)
;; WHEN: Sun Apr 16 09:49:19 GMT Daylight Time 2017
;; MSG SIZE  rcvd: 82

I don't use Spotify and haven't downloaded it onto the console, but it appears in the report above. Again, running dig using my WAN IP still shows "no servers can be reached", which I thought would mean the port 5353 issue was resolved.

Can anyone offer some advice?


Accepted Solutions
Superuser
Registered: ‎01-11-2009
Message 2 of 4 (257 Views)
Helpful Answer
confirmed by NinoS
‎21-04-2017 20:23

Re: Multicast DNS and DMZ problems

Hi

Looking at your post I do find it odd that the port forwarding doesn't appear to have worked.  Here's what I get when I use the same tool.

Starting Nmap 6.00 ( http://nmap.org ) at 2017-04-21 15:34 EEST
Initiating Ping Scan at 15:34
Scanning vpn.timothydutton.co.uk (80.193.xxx.xxx) [4 ports]
Completed Ping Scan at 15:34, 0.05s elapsed (1 total hosts)
Initiating UDP Scan at 15:34
Scanning vpn.timothydutton.co.uk (80.193.xxx.xxx) [1 port]
Completed UDP Scan at 15:34, 0.13s elapsed (1 total ports)

[+] Nmap scan report for vpn.timothydutton.co.uk (80.193.xxx.xxx)
Host is up (0.017s latency).

PORT STATE SERVICE
5353/udp open|filtered zeroconf

This is the state I expect the port to show up as.  I can go into detail and explain why if you wish.

With regards to your scan result on the LAN

For some reason this seems to show up on PS4s whether Spotify is installed or not.  I don't know if this means that it could in fact stream Spotify to the PS4 without actually installing it, in the same way as it might be streamed to speakers.  If I had a PS4 I'd certainly love to take a closer look at this.

I would, if you are willing to allow me, like to try an nmap scan directly to your system to see what response comes back.  To the best of my knowledge nmap checks to see if a UDP port is open by sending a query of the expected type to that port and checking for a response.

If you do not have a device on 192.168.0.253 then there should be nothing responding.

Note:  I am not a Virgin Media employee. Superusers are recognised by Virgin Media for the assistance we provide others, and while we are bound by a code of conduct, I do feel it's only fair to advise you of this.  As such I will understand if you don't want to try this.

Tim

________________________________________


Only use Helpful answer if your problem's been solved.
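
An added illustration, not part of any poster's message: a Python version of the check discussed in this thread, for testing your own connection. It sends the same DNS-SD PTR query that dig sent and names the outcome the way a UDP scanner does: a reply means "open", an ICMP port unreachable means "closed", and silence means "open|filtered". The function names are this example's own.

```python
import socket
import struct

def build_query(name="_services._dns-sd._udp.local", txid=0x1234):
    """DNS header (one question, no flags) plus a PTR/IN question for name."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", 12, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                      # bound guards against pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("malformed name")

def ptr_answers(msg):
    """Return the PTR targets found in a response's answer section."""
    qd, an = struct.unpack("!2H", msg[4:8])
    off, found = 12, []
    for _ in range(qd):                       # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        if rtype == 12:                       # PTR record
            found.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def probe(host, port=5353, timeout=2.0):
    """Send one unicast query and name the outcome as a UDP scanner would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))               # connected socket surfaces ICMP errors
        s.send(build_query())
        try:
            return "open", ptr_answers(s.recv(4096))
        except socket.timeout:
            return "open|filtered", []        # silence: dropped, or nothing answered
        except ConnectionRefusedError:
            return "closed", []               # ICMP port unreachable came back
```

With the port forward pointing at an unused local address, a probe of the WAN address should time out and return "open|filtered"; an "open" result with service names listed means something behind the router is still answering mDNS from outside.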

Tuning in
Registered: ‎16-04-2017
Message 3 of 4 (125 Views)

Re: Multicast DNS and DMZ problems

Thank you for your reply... I'd almost forgotten about this!

I haven't touched the Super Hub's settings since Sunday, but I've just checked the tool again and received exactly the same "5353/udp open|filtered" feedback as you did. I understand that the firewall is dropping the packet, hence filtered, and it was your posts in another topic that helped me configure settings and understand the method.

As it's a PS4 DMZ vulnerability and the console itself needs to be on in order to check the connection, the timing might be a bit awkward if you were to check it from your end, but I appreciate the offer. I've had a look at a couple of other sites that offer UDP scans (hackertarget's nmap and speedguide's security scan) and got the same "filtered" response, so it looks like everything is fine now.

I'm uncertain why it appears to be working and didn't earlier in the week, but I must apologise for not checking and updating my post sooner.

Also, you should consider getting a PS4 - great exclusives! ;)  Thanks again for your help.

Superuser
Registered: ‎01-11-2009
Message 4 of 4 (62 Views)

Re: Multicast DNS and DMZ problems

I've been doing some digging, and found the following page

https://www.spotify.com/uk/playstation/

Looking at this, Playstation Music on the PS4 has Spotify integrated into it somewhat. This means that the _spotify-connect service is built into the PS4 operating system, and is separate to the Spotify App which is used to log you into your Spotify account.

Tim
