# 5353 - mDNS

💡 Study tip: This document describes penetration-testing methods for 5353 - mDNS and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.


```bash
# Show full DNS records for a host (newer bettercap)
zerogod.show-full 192.168.1.42

# Impersonate all services of a target host automatically
zerogod.impersonate 192.168.1.42

# Save IPP print jobs to disk while impersonating a printer
set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
zerogod.impersonate 192.168.1.42

# Replay previously captured services
zerogod.save 192.168.1.42 target.yml
zerogod.advertise target.yml
```

Also see generic LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay workflows:

../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

#### Notes on recent implementation issues (useful for DoS/persistence during engagements)

- Avahi reachable-assertion and D-Bus crash bugs (2023) can terminate avahi-daemon on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), disrupting service discovery on target hosts until restart.
- Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (CVE-2024-20303) lets adjacent WLAN clients flood crafted mDNS, spiking WLC CPU and dropping AP tunnels, which is handy if you need to force client roaming or controller resets during an engagement.
- Apple mDNSResponder logic-error DoS (CVE-2024-44183) lets a sandboxed local process crash Bonjour to briefly suppress service publication/lookup on Apple endpoints; patched in current iOS/macOS releases.
- Apple mDNSResponder correctness issue (CVE-2025-31222) allowed local privilege escalation via mDNSResponder; useful for persistence on unmanaged Macs/iPhones, fixed in recent iOS/macOS updates.

#### Browser/WebRTC mDNS considerations

Modern Chromium/Firefox obfuscate host candidates with random mDNS names. You can re-expose LAN IPs on managed endpoints by pushing the Chrome policy `WebRtcLocalIpsAllowedUrls` (or toggling `chrome://flags/#enable-webrtc-hide-local-ips-with-mdns`/Edge equivalent) so ICE exposes host candidates instead of mDNS; set via `HKLM\Software\Policies\Google\Chrome`.

When users disable the protection manually (common in WebRTC troubleshooting guides), their browsers start advertising plain host candidates again, which you can capture via mDNS or ICE signaling to speed up host discovery.

### Defensive considerations and OPSEC

- Segment boundaries: Don’t route 224.0.0.251/FF02::FB between security zones unless an mDNS gateway is explicitly required. If you must bridge discovery, prefer allowlists and rate limits.
- Windows endpoints/servers:
  - To hard-disable name resolution via mDNS set the registry value and reboot:
    ```
    HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
    ```
  - In managed environments, disable the built-in “mDNS (UDP-In)” Windows Defender Firewall rule (at least on the Domain profile) to prevent inbound mDNS processing while preserving home/roaming functionality.
  - On newer Windows 11 builds/GPO templates, use the policy “Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol” and set it to Disabled.
- Linux (Avahi):
  - Lock down publishing when not needed: set `disable-publishing=yes`, and restrict interfaces with `allow-interfaces=` / `deny-interfaces=` in `/etc/avahi/avahi-daemon.conf`.
  - Consider `check-response-ttl=yes` and avoid `enable-reflector=yes` unless strictly required; prefer `reflect-filters=` allowlists when reflecting.
- macOS: Restrict inbound mDNS at host/network firewalls when Bonjour discovery is not needed for specific subnets.
- Monitoring: Alert on unusual surges in `_services._dns-sd._udp.local` queries or sudden changes in SRV/TXT of critical services; these are indicators of spoofing or service impersonation.
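An added detection example, written for this page rather than taken from it or from any tool it names: it turns the two indicators in the monitoring bullet (enumeration-query surges and SRV/TXT changes on critical services) into stateful alerting logic over pre-decoded mDNS records. The event dict format and the sample capture are constructed assumptions; a real deployment would fill them from a capture sensor.

```python
from collections import defaultdict, deque
SD_ENUM = "_services._dns-sd._udp.local"  # DNS-SD service-type enumeration name

class MdnsMonitor:
    """Raise the two indicators above from pre-decoded mDNS records.
    Events use a constructed, sensor-agnostic dict shape (an assumption of this example):
      query : {"ts", "src", "kind": "query", "qname"}
      answer: {"ts", "src", "kind": "answer", "name", "type", "rdata"}"""

    def __init__(self, critical, window=60.0, max_enum_queries=20):
        self.critical = set(critical)       # service instances whose SRV/TXT we baseline
        self.window = window                # sliding window in seconds
        self.max_enum = max_enum_queries    # per-source enumeration budget inside the window
        self.enum_ts = defaultdict(deque)   # src -> timestamps of enumeration queries
        self.baseline = {}                  # (name, rrtype) -> (src, rdata) first seen

    def feed(self, ev):
        alerts = []
        if ev["kind"] == "query" and ev["qname"] == SD_ENUM:
            q = self.enum_ts[ev["src"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > self.window:    # age out timestamps left of the window
                q.popleft()
            if len(q) == self.max_enum + 1:         # fire once, when the budget is crossed
                alerts.append(f"enum-surge src={ev['src']} n={len(q)} window={self.window}s")
        elif ev["kind"] == "answer" and ev["name"] in self.critical and ev["type"] in ("SRV", "TXT"):
            key, now = (ev["name"], ev["type"]), (ev["src"], ev["rdata"])
            seen = self.baseline.setdefault(key, now)   # first answer becomes the baseline
            if seen != now:
                # A verbatim copy of the record from a new origin is as suspicious as changed
                # rdata: an impersonator can replay the real SRV/TXT. Allowlist dual-stack hosts.
                what = "rdata" if seen[1] != now[1] else "source"
                alerts.append(f"{ev['type']}-change name={ev['name']} {what}: {seen} -> {now}")
        return alerts

def scan(events, critical, **kw):
    """Run one monitor over an event list and return every alert in order."""
    mon = MdnsMonitor(critical, **kw)
    return [a for ev in events for a in mon.feed(ev)]

PRINTER = "Office Printer._ipp._tcp.local"
SAMPLE_EVENTS = [  # constructed capture: real printer at .50, scanner at .20, impostor at .99
    {"ts": 1.0, "src": "192.168.1.50", "kind": "answer", "name": PRINTER, "type": "SRV", "rdata": "0 0 631 printer.local"},
    {"ts": 2.0, "src": "192.168.1.50", "kind": "answer", "name": PRINTER, "type": "TXT", "rdata": "txtvers=1 rp=ipp/print"},
    *[{"ts": t, "src": "192.168.1.20", "kind": "query", "qname": SD_ENUM} for t in (3.0, 4.0, 5.0, 6.0)],
    {"ts": 30.0, "src": "192.168.1.99", "kind": "answer", "name": PRINTER, "type": "SRV", "rdata": "0 0 631 printer.local"},
    {"ts": 40.0, "src": "192.168.1.50", "kind": "answer", "name": PRINTER, "type": "TXT", "rdata": "txtvers=1 rp=ipp/print adminurl=http://printer.local/"},
    {"ts": 100.0, "src": "192.168.1.20", "kind": "query", "qname": SD_ENUM},  # earlier queries have aged out
]
ALERTS = scan(SAMPLE_EVENTS, critical=[PRINTER], window=60.0, max_enum_queries=3)
```

Tune `max_enum_queries` and `window` to the normal enumeration rate of your segment first, otherwise a single service browser opening will trip the surge rule.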

### Tooling quick reference

- nmap NSE: `dns-service-discovery` and `broadcast-dns-service-discovery`.
- Pholus: active scan, reverse mDNS sweeps, DoS and spoofing helpers.
  ```bash
  # Passive sniff (timeout seconds)
  sudo python3 pholus3.py <iface> -stimeout 60
  # Enumerate service types
  sudo python3 pholus3.py <iface> -sscan
  # Send generic mDNS requests
  sudo python3 pholus3.py <iface> --request
  # Reverse mDNS sweep of a subnet
  sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
  ```
- bettercap zerogod: discover, save, advertise, and impersonate mDNS/DNS-SD services (see examples above).

### Spoofing/MitM

The most interesting attack you can perform over this service is a MitM between the client and the real server. You might be able to obtain sensitive files (MitM the communication with the printer) or even credentials (Windows authentication).
For more information check:

../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md


### Search engine syntax

#### FOFA

```
# FOFA search syntax
port="5353"
```

#### Shodan

```
# Shodan search syntax
port:5353
```

#### ZoomEye

```
# ZoomEye search syntax
port:5353
```

📖 References