Multicast DNS (mDNS) and DNS-SD - PORT 5353/UDP

Basic Information

Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a local link without a unicast DNS server.

  • Port: 5353/UDP

  • Multicast addresses:

    • 224.0.0.251 (IPv4)

    • FF02::FB (IPv6)

It’s most commonly associated with Apple Bonjour, IoT devices, and DNS-SD (DNS Service Discovery).

Key Protocol Details

  • Names in the .local zone are resolved via mDNS.

  • The QU (Query Unicast) bit may request unicast replies even for multicast questions.

  • Implementations should ignore packets not sourced from the local link, but some stacks accept them (attack surface).

  • Probing/announcing enforces unique host/service names → interfering can create DoS / name squatting conditions.

DNS-SD Service Model

Services are identified as _<service>._tcp or _<service>._udp under .local. Examples:

  • _ipp._tcp.local → printers

  • _airplay._tcp.local → AirPlay

  • _adb._tcp.local → Android Debug Bridge

You can discover service types with _services._dns-sd._udp.local, then resolve discovered instances to SRV/TXT/A/AAAA.
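As an added worked example (not code from the original page, and not from any of the tools mentioned here), the following Python builds the kind of DNS-SD response a printer's responder would give to a _services._dns-sd._udp.local browse and to the follow-up instance resolution, then parses it back into PTR/SRV/TXT/A records. It uses only the standard library, emits and follows name-compression pointers the way real responders do, and distinguishes shared PTR records from unique records carrying the cache-flush bit. The `Printer` instance, `printer.local`, port 631 and 192.0.2.10 are constructed sample values.

```python
# Added example, not from the original page; all names and addresses below are constructed.
import ipaddress
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_AAAA, TYPE_SRV = 1, 12, 16, 28, 33
CLASS_IN = 1
CACHE_FLUSH = 0x8000  # top bit of an answer's class: "replace cached copies"


def encode_name(name, offsets, position):
    """Encode a name; `offsets` (suffix -> packet offset) yields a pointer for known suffixes."""
    labels = name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = position + len(out)
        raw = label.encode()
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_response(answers):
    """answers: list of (name, rtype, ttl, value). PTR records are shared and go
    out without cache-flush (RFC 6762 section 10.2); unique records set the bit."""
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, len(answers), 0, 0)  # QR=1, AA=1
    offsets = {}
    for name, rtype, ttl, value in answers:
        pkt += encode_name(name, offsets, len(pkt))
        rdata_at = len(pkt) + 10  # type, class, ttl and rdlength precede rdata
        if rtype == TYPE_PTR:
            rdata = encode_name(value, offsets, rdata_at)
        elif rtype == TYPE_SRV:
            prio, weight, port, target = value
            rdata = struct.pack("!HHH", prio, weight, port)
            rdata += encode_name(target, offsets, rdata_at + 6)
        elif rtype == TYPE_TXT:
            rdata = b"".join(struct.pack("B", len(s)) + s.encode() for s in value)
        else:  # A / AAAA
            rdata = ipaddress.ip_address(value).packed
        rclass = CLASS_IN | (0 if rtype == TYPE_PTR else CACHE_FLUSH)
        pkt += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return pkt


def decode_name(data, offset):
    """Decode a name, following compression pointers; return (name, end_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # a hostile packet can loop pointers; refuse to spin
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_answers(data):
    """Return answer/authority/additional records as dicts with type-decoded data."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qd):  # skip questions: name + qtype + qclass
        offset = decode_name(data, offset)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        value = rdata  # unknown types are kept raw
        if rtype == TYPE_PTR:
            value = decode_name(data, offset)[0]
        elif rtype == TYPE_SRV:
            value = struct.unpack("!HHH", rdata[:6]) + (decode_name(data, offset + 6)[0],)
        elif rtype == TYPE_TXT:
            value, i = [], 0
            while i < len(rdata):  # length-prefixed key=value strings
                value.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
        elif rtype in (TYPE_A, TYPE_AAAA):
            value = str(ipaddress.ip_address(rdata))
        records.append({"name": name, "type": rtype, "ttl": ttl,
                        "flush": bool(rclass & CACHE_FLUSH), "data": value})
        offset += rdlen
    return records


# Constructed sample: a printer's answers to a service-type browse plus instance resolution.
SAMPLE_RESPONSE = build_response([
    ("_services._dns-sd._udp.local", TYPE_PTR, 4500, "_ipp._tcp.local"),
    ("_ipp._tcp.local", TYPE_PTR, 4500, "Printer._ipp._tcp.local"),
    ("Printer._ipp._tcp.local", TYPE_SRV, 120, (0, 0, 631, "printer.local")),
    ("Printer._ipp._tcp.local", TYPE_TXT, 4500, ["txtvers=1", "rp=ipp/print"]),
    ("printer.local", TYPE_A, 120, "192.0.2.10"),
])
```

`parse_answers(SAMPLE_RESPONSE)` yields the five records in order, with the PTR answers unflagged and the SRV/TXT/A answers carrying cache-flush. The pointer-hop limit in `decode_name` matters on real traffic: a malformed packet with a pointer that points at itself would otherwise spin a naive parser forever. To run this against live traffic you would bind a UDP socket to 5353, join 224.0.0.251 and feed each datagram to `parse_answers`; the example deliberately opens no socket so it runs offline.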

Nmap scan result example:


Enumeration

Nmap

Broadcast discovery (on host):

Avahi (Linux)

Apple dns-sd (macOS)

Packet Capture with Tshark

Tip: Browsers/WebRTC often use ephemeral mDNS hostnames (random-UUID.local) to mask local IPs. If you see these, resolve them to pivot to real IPs.


Exploitations

DoS / Name Squatting

During the probing phase, a host checks for name uniqueness. Spoofing conflicts forces it to pick new names or fail.

Example with Pholus:

Service Spoofing & Impersonation (MitM)

Impersonate advertised services (printers, AirPlay, HTTP) to coerce clients into connecting to you.

  • Capture print jobs by spoofing _ipp._tcp.local

  • Lure users to rogue HTTP services

  • Relay NTLM hashes when Windows authenticates to spoofed services
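From the defensive side, both name squatting during probing and service impersonation show up on the wire as a unique record name (A/AAAA/SRV/TXT) being answered by more than one source with different data. The Python below is an added example (not code from the original page or from any tool named here): `accept_packet` applies the RFC 6762 section 11 source-address check and the section 6 rule that responses come from source port 5353, and `find_conflicts` flags contested unique names in a list of observed answers. The observation list and the 192.0.2.0/24 network are constructed sample data; requiring IP TTL 255 is offered as an optional extra check.

```python
# Added example, not from the original page; observations and networks below are constructed.
import ipaddress
from collections import defaultdict

MDNS_PORT = 5353


def accept_packet(src_ip, src_port, ip_ttl, local_networks, require_ttl_255=False):
    """Return True if a packet may be treated as an on-link mDNS message.
    RFC 6762 section 11: ignore packets whose source is not on a local link.
    Senders are expected to use IP TTL 255; rejecting other TTLs is optional."""
    ip = ipaddress.ip_address(src_ip)
    if src_port != MDNS_PORT:  # responses must be sent from 5353 (section 6)
        return False
    if require_ttl_255 and ip_ttl != 255:
        return False
    if ip.is_link_local:  # 169.254/16 or fe80::/10 is on-link by definition
        return True
    return any(ip in ipaddress.ip_network(net) for net in local_networks)


def find_conflicts(observations):
    """observations: iterable of (src_ip, name, rtype, rdata) seen on the wire.
    Returns the unique names for which different sources claim different data."""
    seen = defaultdict(lambda: defaultdict(set))  # (name, rtype) -> rdata -> {sources}
    for src_ip, name, rtype, rdata in observations:
        seen[(name.lower(), rtype)][rdata].add(src_ip)
    conflicts = []
    for (name, rtype), by_data in seen.items():
        if rtype == "PTR":  # PTR is a shared record type; many answers are normal
            continue
        if len(by_data) > 1:
            conflicts.append({"name": name, "type": rtype,
                              "claims": {d: sorted(s) for d, s in by_data.items()}})
    return conflicts


# Constructed sample: the real printer at .10 and a second host at .77 both
# answering for printer.local; the two PTR answers are ordinary shared records.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", "printer.local", "A", "192.0.2.10"),
    ("192.0.2.10", "Printer._ipp._tcp.local", "SRV", "0 0 631 printer.local"),
    ("192.0.2.77", "printer.local", "A", "192.0.2.77"),
    ("192.0.2.77", "Printer._ipp._tcp.local", "SRV", "0 0 631 printer.local"),
    ("192.0.2.10", "_ipp._tcp.local", "PTR", "Printer._ipp._tcp.local"),
    ("192.0.2.20", "_ipp._tcp.local", "PTR", "Copier._ipp._tcp.local"),
]

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_OBSERVATIONS):
        print(c["name"], c["type"], c["claims"])
```

On the sample, only `printer.local`/A is reported, with each claimed address mapped to the source that sent it; the SRV answers agree on their data, so they pass, and the two PTR answers are simply two instances of the service type. A host that is legitimately multi-homed can also answer from two addresses, so treat a hit as something to verify (which source is the known device?) rather than as proof of spoofing.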

With bettercap’s zerogod module:


Recent Vulnerabilities

  • Avahi (Linux mDNS daemon)

    • Reachable-assertion and D-Bus crash bugs (2023) → CVE-2023-38469..38473

    • Can crash avahi-daemon, disrupting discovery

  • Cisco IOS XE Wireless LAN Controller

    • mDNS gateway DoS (2024, CVE-2024-20303)

    • Adjacent attacker can trigger high CPU & disconnect APs

