Blog Post

Networking Blog

4 MIN READ

mDNS in the Enterprise

Microsoft

Apr 04, 2022

James Kehr here with the Windows networking support team. This article covers details about mDNS and recommended best practices when trying to control the protocol designed to make life easier.

What is mDNS?

Starting with Windows 10 1703 Microsoft has included native support for multicast DNS, or mDNS. The protocol was developed by Apple, via RFC 6762 and RFC 6763, as a method to perform local network name and service discovery without the need for central name resolution, such as a DNS Server, and without user interaction. Simply put, it is how Apple made AirPlay2-based services perform seamless setup via the Bonjour service.

mDNS worked so well for Apple that it subsequently became the most popular many-to-many network name resolver because it uses regular old DNS over regular old IP multicast. This makes creating mDNS resolvers extremely easy as there are tons of DNS engines out there, and all major operating systems have mature multicast capabilities.

Just about everything uses mDNS these days. Seriously… everything. Pop open Wireshark on your home computer, set the capture filter to “udp port 5353”, which is the mDNS protocol (UDP) and port (5353), start the capture, then wait.

Devices and services from Microsoft, Apple, Google, and Amazon all use mDNS in some capacity. SmartTVs, Miracast (wireless screen mirroring), printers, set top boxes, wireless speakers, operating systems, and more all use mDNS. Most use it to resolve service records for device discovery. Others to resolve network names. Some do both. Our modern connected life wouldn’t be the same without mDNS.

mDNS is everywhere these days because it is a simple, easy to build, user friendly – as in users do not need to know or do anything with mDNS for it to “just work” – network discovery protocol. Everyone in the tech industry loves mDNS, whether they know the protocol exists or not … except corporate security.

mDNS in the Enterprise

Corporate security folks, in general, distrust anything that involves decentralized name resolution and multicast/broadcast in the same sentence. This includes mDNS because it is possible to poison name and service resolution with a cleverly written malicious script or program. Granted, a malicious mDNS resolver must first be on your network to do so and that, by itself, is a different kind of nightmare.

There is a magic registry value in Windows that will disable mDNS in the Windows DNS client resolver. I am not going to tell you what it is, but I will tell you why you should not rely on it to disable mDNS.

I mentioned that mDNS is easy to implement in the introduction of this article. In fact, it is so easy to implement that any given operating system, Windows included, could have multiple mDNS resolvers running at the same time. Chromium-based browsers (Chrome, Edge, etc.) have an mDNS resolver. Microsoft Teams has been known to use mDNS. Third-party apps and services can contain their own resolver. Oh, and those malicious programs can run their own mDNS resolver, too.

How is this possible?

Because mDNS uses the connectionless UDP protocol, and not TCP, you can have multiple listeners on UDP port 5353. I have a PowerShell command I use to demonstrate this, with sample output.

Get-NetUDPEndpoint -LocalPort 5353 | Select-Object LocalAddress,LocalPort,OwningProcess,@{ Name="ProcessName"; Expression={((Get-Process -Id $_.OwningProcess).Name )} }

Sample Output:

LocalAddress LocalPort OwningProcess ProcessName
------------ --------- ------------- -----------

::                5353         18080 msedge
::                5353          3592 svchost #DNSCache service, to confirm: tasklist /SVC /FI "PID eq <OwningProcess>"
0.0.0.0           5353         55708 Teams
0.0.0.0           5353          5512 chrome
0.0.0.0           5353         18080 msedge

Disabling mDNS via the registry will only remove one line from that output, the svchost where the DNSCache service lives. It will not stop other first- (Microsoft) and third-party (anyone else) mDNS resolvers. It will not stop devices on your network from reaching your Windows systems with mDNS. It honestly does not do a lot if your goal is to lock down mDNS on your corporate network.

What to do? What to do?

The Microsoft recommendation for locking down mDNS is to use Windows Defender Firewall. This is the best tool for the job and most corporations already manage the firewall through GPOs. This makes the lock down process a matter of modifying an existing well-known process.

Warning! Disabling mDNS can have unexpected negative consequences. Wireless screen sharing/mirroring in conference rooms may stop working. Accessing printers may break. Any number of other issues may creep up given broad service dependencies on mDNS.

Block Inbound

To completely lock down mDNS, disable the inbound “mDNS (UDP-In)” rules in Windows Defender Firewall for all profiles (Public, Private, and Domain). This will prevent all inbound mDNS traffic from being processed and effectively disable mDNS. This is not recommended for mobile workers who may need to use a device at home or client office that relies on mDNS for service discovery.

To disable mDNS within corporate offices only, disable mDNS (UDP-In) for just the Domain profile. This will allow mobile workers to connect at home and on the road, but not in your offices where there is domain connectivity. This is the recommended best practice for mobile workforces.

You can optionally disable mDNS (UDP-In) for the Public profile, too. This might interfere with Miracast screen sharing, which relies on the Public profile, and homes where the Private profile is not selected, but it does add an extra measure of security in public places, like a coffee shop.

What About Outbound?

We do not recommend blocking outbound unless your company needs the absolute strictest of network controls due to a high security requirement. Blocking inbound mDNS is sufficient for nearly all use cases.

mDNS plays a critical role in modern computing. It is not like previous multicast- and broadcast-based name resolution protocols, like LLMNR, SSDP, and NbtNS, which had limited adoption and usefulness. mDNS has near universal adoption within the tech industry which makes controlling it less cut and dry. Hopefully this article will make mDNS decision process a bit easier.

Updated Nov 09, 2023

Version 2.0

networking

JamesKehr

Microsoft

Joined February 19, 2019

View Profile

Networking Blog

The Official Blog Site of the Windows Core Networking Team at Microsoft

16 Comments

AndrewRobinson
Copper Contributor
Oct 30, 2023
Hi,
How does a receiving PC process an incoming UDP Packet when there are multiple processes running on the same port? Let say port 5353. I understand that the packet has the source port in, so perhaps the matching uses that? But what if the source port is the same for multiple processes? I know this is unlikely, but it could happen of course. I see no other way that the packet can match to the right process (unless it tries all processes like a hot potato pass).
TomB11
Copper Contributor
Oct 12, 2023
Hi,
I've found the advice in this article does not prevent mDNS poisoning attacks, and the Windows 10 machine continues to receive and process mDNS responses even when inbound mDNS is blocked.

The Windows Firewall rule to block inbound mDNS traffic is applied only when the request originates from another machine.

I believe the reason is that the Windows Firewall, like most firewalls, is reflexive. When the machine sends an mDNS request it creates a temporary implicit inbound rule which allows the response. In the same manner that if you allow outbound traffic to a web server you don't have to create a corresponding inbound rule.

As such only blocking outbound mDNS is effective at mitigating poisoning attacks.
MannyRS
Copper Contributor
Oct 11, 2023
Hello,
After blocking inbound by creating a Group Policy to disable mDNS just for the Domain profile.
Is there away to verify that the policy is working?
mvduin
Copper Contributor
May 02, 2023
It may be "easy to implement" something that superficially resembles mDNS, but it's not that easy to implement mDNS correctly. One-shot legacy resolution (multicast queries with src port != 5353, yielding non-cacheable unicast replies) is pretty straightforward, but anyone who binds to port 5353 is claiming to be a full mDNS stack and will get multicast replies to their queries which is very spammy unless RFC6762-compliant caching and associated cache-coherency and traffic reduction mechanisms are implemented (all of which are supposed to be mandatory for implementations that bind to port 5353).

That's why normally you'd want to have a single full mDNS stack provided by the OS with a single cache, ideally sufficiently featureful, reliable, and easy to use that applications feel no need to roll their own mDNS (and perhaps some day the OS mDNS stack can stop enabling SO_REUSEPORT).

Applications binding to port 5353 instead of using the OS mDNS stack is generally the result of one of more of:
1. Lack of consistent API across different operating systems.
2. Windows formerly lacking a native mDNS stack, and information about its stack is still kind of lacking. It would be nice if searching for "Windows mDNS" would yield proper documentation on its mDNS stack and available APIs near the top search results, instead of having to fish info out of blogs and stackoverflow posts.
3. Deficiencies in the host mDNS stack. A particularly painful issue in Windows is that it apparently classifies a zeroconf network (i.e. if you just connect another computer or IoT device via Ethernet, no router, no DHCP server) as being a "Public Network" causing it to disable mDNS in the exact situation where it's needed the absolute most.
yannbouvier
Copper Contributor
Nov 24, 2022
Hi jplopper , no unless you manage the Responder endpoint and it it should'nt be.
If you want to prevent from step 3, the only solution is to block outbound traffic on your computer and create a "mDNS (UDP-Out)" firewall rule to prevent computer to send mDNS request and receive a potential poisonned reply.
jplopper
Copper Contributor
Nov 02, 2022
Hello. I'm looking for more clarification. It is my understanding that an mDNS poisoning attack works like this:
Client tries to lookup service (e.g. SMB) via DNS server, but doesn't find an entry in that DNS server.
Client then uses mDNS to send a multicast request for who has that name.
A tool like Responder replies that it has that name and prompts the client to authenticate
The client sends its hashed credentials to Responder.
So if we were to disable the inbound “mDNS (UDP-In)” rule, then would this effectively stop the response in step 3? This rule appears to be targeted specifically at the svchost process and therefore wouldn't block other applications like Edge, Chrome, etc. from responding. Wouldn't it better to just block the inbound port 5353 for the domain profile?