# Multicast DNS (mDNS) and DNS-SD - PORT 5353/UDP


## Basic Information

Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a **local link without a unicast DNS server**.

* **Port:** 5353/UDP
* **Multicast addresses:**
  * `224.0.0.251` (IPv4)
  * `FF02::FB` (IPv6)

It’s most commonly associated with **Apple Bonjour**, **IoT devices**, and **DNS-SD (DNS Service Discovery)**.

#### Key Protocol Details

* Names in the `.local` zone are resolved via mDNS.
* The **QU (Query Unicast)** bit in a question asks responders to reply by unicast, even though the question itself was sent to the multicast group.
* Implementations *should* ignore packets not sourced from the local link, but some stacks accept them (attack surface).
* Probing/announcing enforces unique host/service names → interfering can create **DoS / name squatting** conditions.

#### DNS-SD Service Model

Services are identified as `_<service>._tcp` or `_<service>._udp` under `.local`. Examples:

* `_ipp._tcp.local` → printers
* `_airplay._tcp.local` → AirPlay
* `_adb._tcp.local` → Android Debug Bridge

You can discover service types with `_services._dns-sd._udp.local`, then resolve discovered instances to SRV/TXT/A/AAAA.
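To make the QU bit and the service-type enumeration query concrete, the following added example (not part of the original page) parses a raw mDNS message and splits the top class bit out of each question and answer. The `cache_flush` field is the same top bit on answer records as defined in RFC 6762, which the page does not cover; the function names and the sample bytes are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if resume is None:
                resume = off + 2              # parsing resumes after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                     # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (resume if resume is not None else off)
        labels.append(msg[off:off + n].decode("utf-8", "replace"))
        off += n

def parse_mdns(msg):
    """Parse header, questions and answers; split the top class bit out."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    out = {"is_response": bool(flags & 0x8000), "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!2H", msg[off:off + 4])
        off += 4
        out["questions"].append({"name": name, "type": qtype,
                                 "qu": bool(qclass & 0x8000)})  # QU = top bit of QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        out["answers"].append({"name": name, "type": rtype, "ttl": ttl,
                               "cache_flush": bool(rclass & 0x8000),
                               "rdata": msg[off:off + rdlen]})
        off += rdlen
    return out

def encode_name(name):
    # Uncompressed wire encoding, used only to build the constructed sample.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample: service-type enumeration query (PTR = 12) with QU set.
SAMPLE_QUERY = (struct.pack("!6H", 0, 0, 1, 0, 0, 0)
                + encode_name("_services._dns-sd._udp.local")
                + struct.pack("!2H", 12, 0x8001))
```
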

**Nmap scan result example:**

```
PORT     STATE SERVICE
5353/udp open  zeroconf
```

***

### Enumeration

#### Nmap

```bash
nmap -sU -p 5353 --script=dns-service-discovery <target>
```

Broadcast discovery **(on host)**:

```bash
sudo nmap --script=broadcast-dns-service-discovery 
```

#### Avahi (Linux)

```bash
# List service types
avahi-browse -bt _services._dns-sd._udp

# Browse all services and resolve to host/port
avahi-browse -art
```

#### Apple dns-sd (macOS)

```bash
# Browse all HTTP services
dns-sd -B _http._tcp

# Enumerate service types
dns-sd -B _services._dns-sd._udp

# Resolve a specific instance
dns-sd -L "My Printer" _ipp._tcp local
```

#### Packet Capture with Tshark

```bash
# Live capture
sudo tshark -i eth0 -f "udp port 5353" -Y mdns

# Only DNS-SD service list queries
sudo tshark -i eth0 -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""
```

**Tip:** Browsers/WebRTC often use **ephemeral mDNS hostnames** (`random-UUID.local`) to mask local IPs. If you see these, resolve them to pivot to real IPs.

***

### Exploitations

#### DoS / Name Squatting

During the probing phase, a host checks that the name it wants is unique. Spoofed conflict responses force it to pick a new name or fail.

Example with [**Pholus**](https://github.com/aatlasis/Pholus):

```bash
# Block new devices from taking names
sudo python3 pholus3.py eth0 -afre -stimeout 1000
```

#### Service Spoofing & Impersonation (MitM)

Impersonate advertised services (printers, AirPlay, HTTP) to **coerce clients into connecting to you**.

* Capture print jobs by spoofing `_ipp._tcp.local`
* Lure users to rogue HTTP services
* Relay NTLM hashes when Windows authenticates to spoofed services

With **bettercap’s zerogod** module:

```bash
# Discover services
sudo bettercap -iface eth0 -eval "zerogod.discovery on"

# Impersonate all services of a host
zerogod.impersonate 192.168.1.42

# Save intercepted print jobs
set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
zerogod.impersonate 192.168.1.42
```
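From the monitoring side, both the name-squatting and the impersonation behaviour described above leave a pattern in mDNS traffic. The following added example (not part of the original page or of any tool it mentions) runs detection logic over already-parsed observations; the event format, thresholds, alert names and sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

UNIQUE_TYPES = {1, 28, 33}   # A, AAAA, SRV: records a single host should own

def detect(events, window=2.0, flood_threshold=3):
    """Return alerts for probe-conflict floods and for unique records
    answered by more than one source address."""
    probes = {}                      # name -> (time, prober address)
    contested = defaultdict(set)     # source -> names it contested during a probe
    owners = defaultdict(set)        # (name, rtype) -> sources that answered
    alerts = []
    for e in sorted(events, key=lambda item: item["t"]):
        if e["kind"] == "probe":
            probes[e["name"]] = (e["t"], e["src"])
            continue
        seen = probes.get(e["name"])
        # An answer from another host right after a probe is a name conflict.
        if seen and e["src"] != seen[1] and e["t"] - seen[0] <= window:
            contested[e["src"]].add(e["name"])
            if len(contested[e["src"]]) == flood_threshold:
                alerts.append(("probe-conflict-flood", e["src"]))
        # A unique record answered by a second source suggests impersonation.
        if e["rtype"] in UNIQUE_TYPES:
            key = (e["name"], e["rtype"])
            owners[key].add(e["src"])
            if len(owners[key]) == 2:
                alerts.append(("multiple-claimants", e["name"]))
    return alerts

# Constructed observations (not captured traffic); all addresses are made up.
def ev(t, src, kind, name, rtype=255):
    return {"t": t, "src": src, "kind": kind, "name": name, "rtype": rtype}

SAMPLE = [
    ev(0.0, "192.168.1.42", "answer", "Office Printer._ipp._tcp.local", 33),
    ev(50.0, "192.168.1.66", "answer", "Office Printer._ipp._tcp.local", 33),
    ev(100.0, "192.168.1.10", "probe", "cam.local"),
    ev(100.1, "192.168.1.66", "answer", "cam.local", 1),
    ev(101.0, "192.168.1.11", "probe", "tv.local"),
    ev(101.1, "192.168.1.66", "answer", "tv.local", 1),
    ev(102.0, "192.168.1.12", "probe", "nas.local"),
    ev(102.1, "192.168.1.66", "answer", "nas.local", 1),
]
```

A single conflict is normal when two devices genuinely share a name, which is why the flood alert needs several distinct names from one source. Dual-stack hosts answer from both an IPv4 and an IPv6 address, so keying on the source MAC address reduces false positives for the second alert.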

***

### Recent Vulnerabilities

* **Avahi (Linux mDNS daemon)**
  * Reachable-assertion and D-Bus crash bugs (2023) → CVE-2023-38469..38473
  * Can crash `avahi-daemon`, disrupting discovery
* **Cisco IOS XE Wireless LAN Controller**
  * mDNS gateway DoS (2024, CVE-2024-20303)
  * Adjacent attacker can trigger high CPU & disconnect APs

