Yeah, that's the problem. I don't know if it is a thing either. We actually work on a 'Block all by default and allow by rules' methodology. Our allow rules do not cover port 5353 100%, so some of it gets blocked. The block event in the log typically shows the potentially associated process that is listening on that port. This is fine with TCP as only one process could be using that port, but with UDP, there are several.
So, to get more specific, we had some problems with Teams. People looked in the firewall event logs and saw lots of blocks for port 5353. The logs showed the associated process name as "ANOTHER_EDR_PRODUCT.EXE" - that is obviously not the real name, but it was a component of another EDR product. So then they started to say 'We think that EDR bit is causing issues' so we had to turn it off. The EDR company said it was really nothing to do with them, but confirmed that the process would be using port 5353. The firewall EDR company (yes, we use different products for EDR and firewall) just blamed the other EDR company. I am trying to convince the firewall company that their product is at fault.
So, I think the block logging process just searches for the process name associated with the first PID that is using port 5353 and puts it in the log. As such, the firewall has simply blocked the packet totally. I think we have actually proved this by uninstalling the EDR and then using a tracing tool - the event log then listed the EXE of the tracing tool as the element that had been blocked as it was also using port 5353!
So, I don't think it is really a huge problem apart from the overheads in the processing and the confusion from the logs. I don't think turning the EDR component off solved our Teams problem (we think it was PAC file related). But it does leave us with the conundrum of how we deal with mDNS responder. It is a growing technology, I sense, and I see customised, embedded versions being used (for example in National Instruments). This means that the network has huge numbers of packets all over the place and we have no idea whether to allow them or not and what the impact of not doing so might be. There would seem to be a lot of security worries about simply allowing port 5353, so this does not make it any easier.
In terms of my question, I think you have answered it though. Thanks
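
An added example, not part of the original post: one way to list every process (and any Windows service hosted in it) bound to UDP 5353 on a host, so a single process name in a firewall block event can be compared with the full set of listeners. It assumes a Windows host with the built-in `Get-NetUDPEndpoint` cmdlet and an elevated session so that process paths resolve; the property name `OwnerPid` is chosen here for illustration.

```powershell
# Added example: enumerate all owners of a UDP port instead of trusting one name in a log.
$Port = 5353   # mDNS port discussed in the post

# Map process ID -> names of the Windows services running inside that process
# (several services can share one svchost.exe).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId <> 0' | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# One row per bound UDP endpoint; several rows may share the same port.
$owners = @(
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = [int]$_.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            OwnerPid     = $procId
            Process      = $proc.ProcessName
            Path         = $proc.Path          # empty if access is denied
            Services     = ($servicesByPid[$procId] -join ', ')
        }
    }
)

$owners | Sort-Object OwnerPid, LocalAddress | Format-Table -AutoSize

# More than one distinct PID means a per-port process name in a log is ambiguous.
$distinctPids = @($owners | Select-Object -ExpandProperty OwnerPid -Unique)
if ($distinctPids.Count -gt 1) {
    Write-Warning ("UDP {0} is bound by {1} different processes; a block event naming one of them does not identify the intended receiver." -f $Port, $distinctPids.Count)
}
```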