Blog Post

Networking Blog
4 MIN READ

mDNS in the Enterprise

JamesKehr's avatar
JamesKehr
Icon for Microsoft rankMicrosoft
Apr 04, 2022
James Kehr here with the Windows networking support team. This article covers details about mDNS and recommended best practices when trying to control the protocol designed to make life easier.   ...
Updated Nov 09, 2023
Version 2.0
networking
JonBuhagiar's avatar
JonBuhagiar
Copper Contributor
Nov 17, 2023

This is a great discussion about mDNS in enterprise environments and how to mitigate it. I have studied the Microsoft implementation of mDNS from a blue team aspect, as well as other decentralized name resolutions methods like LLMNR. You can find some scripts to mitigate attack at https://github.com/bohack/WindowsSecurity. In the repository you will also find a PPT that explains how to mitigate with internal controls like GPO, and external controls like VLAN ACLs (VACLs).

 

It is interesting that adding a * record to your DNS can mitigate 95% of name resolution problems without any ill side effects. A simple *.contoso.com to 127.0.0.1 record would protect any stray name resolutions attempts, since the HOSTS file and DNS is checked first before LLMNR and mDNS. This works for FQDN name resolution, but NetBIOS name resolutions still uses mDNS and then it will automatically add a .local onto the end of the mDNS query. As an example: \\printserver will create an attempt for mDNS for printserver and printserver.local, at this point DNS is not attempted for resolution.

 

In my deployment I elected to completely disable mDNS via a registry key that was found in this article https://f20.be/blog/mdns. The registry entry of HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS to a 0 completely turns off mDNS. We have deployed the 'Responder Mitigation Script.ps1' via Intune as a 64Bit PS script and recently had a penetration test, the clients were reported as silent and the 'low hanging fruit' was gone (so-to-speak).

 

An alternate thought after reading these responses on the subject is... If mDNS is still required between clients and servers, perhaps a Connection Security Rule in the Windows Defender Firewall with Advanced Security MMC could be created to only allow authenticated computer to respond to UDP 5353. It is a thought and I've used this method before to secure communications between clients and servers. I just have not tested it with multicast traffic such as the destination of 224.0.0.251. Sounds like a great future lab to experiment with. I welcome your thoughts and comments.