Blog Post

Networking Blog

4 MIN READ

mDNS in the Enterprise

Microsoft

Apr 04, 2022

James Kehr here with the Windows networking support team. This article covers details about mDNS and recommended best practices when trying to control the protocol designed to make life easier. ...

Updated Nov 09, 2023

Version 2.0

networking

JamesKehr

Microsoft

Joined February 19, 2019

View Profile

Networking Blog

The Official Blog Site of the Windows Core Networking Team at Microsoft

jplopper

Copper Contributor

Nov 02, 2022

Hello. I'm looking for more clarification. It is my understanding that an mDNS poisoning attack works like this:

Client tries to lookup service (e.g. SMB) via DNS server, but doesn't find an entry in that DNS server.
Client then uses mDNS to send a multicast request for who has that name.
A tool like Responder replies that it has that name and prompts the client to authenticate
The client sends its hashed credentials to Responder.

So if we were to disable the inbound “mDNS (UDP-In)” rule, then would this effectively stop the response in step 3? This rule appears to be targeted specifically at the svchost process and therefore wouldn't block other applications like Edge, Chrome, etc. from responding. Wouldn't it better to just block the inbound port 5353 for the domain profile?