If mDNS is still required between clients and servers, perhaps a Connection Security Rule in the Windows Defender Firewall with Advanced Security MMC could be created to only allow authenticated computers to respond to UDP 5353.
JonBuhagiar The caveat with that idea is that mDNS is more peer-to-peer than client-server. Both queries and advertisements/responses are normally multicast to (and from) port 5353, and all participants are supposed to be seeing the same packets (both queries and responses) to ensure the protocol works correctly as designed. I think it's probably fine though to block all mDNS advertisements/responses (UDP packets with source port 5353 having the QR bit set in the DNS packet header) from devices that are not authorized to announce mDNS records, especially if this filtering is applied consistently (so that an authorized advertiser is seen by everyone and an unauthorized advertiser is seen by no one).
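
The filter decision described in the reply above, as an added sketch that is not part of the original thread: it reads the QR bit from the DNS header of a UDP datagram with source port 5353 and drops responses from hosts outside an allowlist. Identifying devices by source IP, the allowlist addresses, the function names and the fail-closed handling of short packets are all assumptions made for illustration.

```python
import struct
from ipaddress import ip_address

MDNS_PORT = 5353
DNS_HEADER_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
QR_MASK = 0x8000      # top bit of the flags field: 0 = query, 1 = response

# Assumption: hosts permitted to announce mDNS records (constructed addresses).
AUTHORIZED_ADVERTISERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}


def is_mdns_response(src_port: int, payload: bytes) -> bool:
    """True for a datagram from port 5353 whose DNS header has QR set."""
    if src_port != MDNS_PORT or len(payload) < DNS_HEADER_LEN:
        return False
    (flags,) = struct.unpack_from("!H", payload, 2)  # flags follow the 2-byte ID
    return bool(flags & QR_MASK)


def verdict(src_ip: str, src_port: int, payload: bytes) -> str:
    """Return 'allow' or 'drop' for one UDP datagram seen on the segment."""
    if src_port != MDNS_PORT:
        return "allow"  # not matched by this rule
    if len(payload) < DNS_HEADER_LEN:
        return "drop"   # cannot hold a DNS header; fail closed (design choice)
    if not is_mdns_response(src_port, payload):
        return "allow"  # queries stay visible to every participant
    # Advertisement/response: only allowlisted hosts may be seen announcing.
    return "allow" if ip_address(src_ip) in AUTHORIZED_ADVERTISERS else "drop"


# Constructed sample headers: a query, and an authoritative response (QR + AA).
QUERY = struct.pack("!HHHHHH", 0, 0x0000, 1, 0, 0, 0)
RESPONSE = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)

if __name__ == "__main__":
    for ip, pkt in [("192.0.2.50", QUERY), ("192.0.2.50", RESPONSE),
                    ("192.0.2.10", RESPONSE)]:
        print(ip, "response" if is_mdns_response(MDNS_PORT, pkt) else "query",
              verdict(ip, MDNS_PORT, pkt))
```

The verdict only yields the consistency the reply asks for if the same allowlist is enforced at every point where these packets are filtered.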