Blog Post

Networking Blog
4 MIN READ

mDNS in the Enterprise

JamesKehr's avatar
JamesKehr
Icon for Microsoft rankMicrosoft
Apr 04, 2022
James Kehr here with the Windows networking support team. This article covers details about mDNS and recommended best practices when trying to control the protocol designed to make life easier.   ...
Updated Nov 09, 2023
Version 2.0
networking
mvduin's avatar
mvduin
Copper Contributor
Nov 01, 2023

mDNS is a very useful technology for making networks work plug&play for normal people by allowing for name resolution and service discovery in the absence of any network infrastructure to support it. However, this necessarily means any device can publish whatever records it wants, hence the protocol doesn't really have any defenses against hostile actors and is best suited for friendly network environments where devices can trust each other. You'll want mDNS enabled in home environments and zero-config networks (Windows unfortunately messes up the latter), you'll probably want it disabled on public networks, and you could argue either way on enterprise networks.

 

Browsers may also use mDNS for privacy protection: WebRTC is a web technology that allows for peer-to-peer communication between browser clients. As a side effect however it enabled websites to determine the local IP addresses of client (listed as candidates for establishing peer-to-peer connections) which some consider to be a security or privacy issue (even though websites already know your remote IP and for IPv6 this is equal to your local IP anyway). As solution a scheme was introduced where the browser registers a random mDNS hostname (e.g. `1f4712db-ea17-4bcf-a596-105139dfd8bf.local`) to anonymize your local IP while still being reachable from other devices on the local network.  I'm not sure what the current status is, I'm pretty sure it was enabled by default for a bit but it looks like they may have disabled it again because they ran into too many issues, e.g. due to mDNS being blocked by overzealous firewall policies 😛   *cough*

 

Properly-implemented mDNS is not that spammy btw, it has a lot of mandatory optimizations to minimize the amount of multicasts. Unfortunately there are also some extremely trash implementations, typically small standalone libraries, which basically act like legacy resolvers (without any caching) but which erroneously use source port 5353 (intended only for proper mDNS stacks) thus resulting in everyone having to suffer the resulting multicast response spam.