MiniDLNA without UPnP - secure?

Hello there,

just registered today for a topic I'm not sure about having understood right.

I installed minidlna on an openwrt-router to serve an internet-radio connected to lan. I did not install something like upnp. Surprisingly (and this is where my understanding ends), the internet radio can see the minidlna-server and play files.

In my understanding now, there is a dlna-server running on the openwrt-router but the router is not having upnp enabled.

So - and here is my primary question - this should be considered secure (in the meaning of not having implemented the problems-by-design of upnp) ?

Kind regards,

sanegil780

DLNA specifies the media interop on top of upnp. You can't have DLNA without upnp.
the internet radio discovered minidlna using upnp (ssdp) and knows how to handle the media via DLNA. AFAIK there's nothing problems-by-design about this.

I believe you are referring to enabling upnp on your router, i.e. as a way to control your router, e.g. opening ports etc. upnp trusts any LAN device, so there are obvious security implications as upnp messages can be sent on the LAN from e.g. a browser.

Exactly, the problems of upnp on a router and client devices allowing uncontrollable connections from wan to lan are giving me concerns about security.

Unfortunately, I didn't find consistent, comprehensive and detailed explanations on the web with scenarios like mine.

As far as I understand your answer: There'll be no problem, as long as upnp is not activated on the openwrt-router (which is default unless you install software like miniupnp) although the client-device (internet-radio) is an upnp-enabled-device.

pretty sure the firewall doesn't allow this, no matter what the application thinks.

you can probably force the application to only bind to the LAN interface.

pretty sure the firewall doesn't allow this, no matter what the application thinks.

Urm, No - that's exactly what upnp-on-the-router is for.
two of the typical commands of the WANIPConnection service are

  • AddPortMapping
  • GetExternalIPAddress

MiniDLNA doesn't have the WANIPConnection service so there you would be correct.

you can probably force the application to only bind to the LAN interface.

Since the threat in this scenario is from the LAN the point is moot.

But, yes, never bind a upnp/dlna application to the WAN - it doesn't make much sense either as discovery (SSDP) is multicast based - but it is possible to connect directly to the port. So don't do this, (but even if you did, the firewall would still block incoming connections).

it really does help to name the applications instead of the protocol
minidlna (uses upnp) does not expose WANIPConnection = safe
miniupnp (uses upnp) does expose WANIPConnection = not-so-safe
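
Added example, not part of the thread and not code from minidlna or miniupnp: a UPnP device lists its services in a device description XML, so walking that document for WANIPConnection shows whether a daemon can be asked to map ports. Both XML samples are constructed, the function names are hypothetical, and WANPPPConnection is included as the PPP counterpart, which the thread does not mention.

```python
import xml.etree.ElementTree as ET  # for descriptions fetched from untrusted devices, prefer defusedxml

NS = {"u": "urn:schemas-upnp-org:device-1-0"}
# Services that offer AddPortMapping; WANPPPConnection is the PPP variant (assumption beyond the thread).
PORT_MAPPING = {"WANIPConnection", "WANPPPConnection"}

# Constructed sample: a media server description (minidlna-style), no gateway services.
MEDIA_SERVER_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
<serviceList>
<service><serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType></service>
<service><serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType></service>
</serviceList></device></root>"""

# Constructed sample: a gateway description with the usual nested embedded devices.
IGD_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<serviceList>
<service><serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType></service>
</serviceList>
<deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList>
<service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType></service>
</serviceList>
</device></deviceList>
</device></deviceList>
</device></root>"""

def urn_name(urn):
    """'urn:schemas-upnp-org:service:WANIPConnection:1' -> 'WANIPConnection'."""
    parts = urn.strip().split(":")
    return parts[3] if len(parts) >= 5 else urn.strip()

def walk(device, path=()):
    """Yield (device path, serviceType) for a device and every embedded device."""
    path = path + (urn_name(device.findtext("u:deviceType", "", NS)),)
    for svc in device.iterfind("u:serviceList/u:service", NS):
        yield "/".join(path), svc.findtext("u:serviceType", "", NS).strip()
    for child in device.iterfind("u:deviceList/u:device", NS):
        yield from walk(child, path)

def audit(xml_text):
    """List all advertised services and flag those that can map ports."""
    root_dev = ET.fromstring(xml_text).find("u:device", NS)
    services = list(walk(root_dev)) if root_dev is not None else []
    risky = [(p, s) for p, s in services if urn_name(s) in PORT_MAPPING]
    return {"services": services, "port_mapping": risky}

if __name__ == "__main__":
    for label, xml in (("media server", MEDIA_SERVER_XML), ("gateway", IGD_XML)):
        print(label, "->", audit(xml)["port_mapping"] or "no port-mapping service")
```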

@undef - Thank you, with your hints I got an idea where to start my websearch to get a bit of knowledge about what is behind "UPNP".

Kind regards and happy holidays.