Service bank
DNS 5353/udp

mDNS / DNS-SD

aka bonjour, avahi, dns-sd

Multicast DNS service discovery on 5353/udp (Bonjour/Avahi). Passively reveals hostnames and advertised services (printers, AirPlay, SMB, SSH) on the local segment, and can be spoofed like LLMNR.

Ports

Port   Proto   Notes
5353   udp     mDNS

Fingerprint

  • avahi-browse / nmap broadcast-dns-service-discovery lists services
  • Devices answer _services._dns-sd._udp.local queries

Exploitation primitives

  • Enumerate hostnames + advertised services on the LAN (printers, _smb, _ssh, _airplay)
  • Map devices without active scanning (passive recon)
  • Spoof mDNS responses to poison name resolution (like LLMNR/NBT-NS)

Overview

mDNS on 5353/udp is how Apple/Linux devices announce themselves on a LAN. It’s a passive map of hosts and what they offer — and, like LLMNR, it’s spoofable.

Enumeration

Browse all advertised services:

avahi-browse -art

nmap discovery (the broadcast script queries the local segment and takes no target; to question one host directly, use the unicast script over UDP, since -p5353 alone would probe TCP):

nmap --script broadcast-dns-service-discovery
nmap -sU -p 5353 --script dns-service-discovery <TARGET>

Active mDNS recon/spoofing with Pholus:

sudo python3 pholus3.py eth0 -rq -stimeout 10
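Added example, not code from the page or from avahi/nmap/Pholus: a parser for the mDNS answers those tools receive (RFC 6762 wire format, including name compression), plus a defender-side check that flags one .local name answered with different addresses, which is what the spoofing described above looks like on the wire. The packets are constructed inline; the printer.local name and addresses are made up.

```python
# Added example, not from the original page: an RFC 6762 mDNS response parser plus an A-record conflict check.
import struct

def read_name(pkt, off, hops=0):
    """Decode a (possibly compressed) DNS name at pkt[off] -> (name, next offset)."""
    if hops > 16:                                # refuse compression-pointer loops
        raise ValueError("pointer loop")
    labels = []
    while pkt[off] & 0xC0 != 0xC0:               # plain labels until a pointer or the root
        ln, off = pkt[off], off + 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
    tail = read_name(pkt, ptr, hops + 1)[0]
    return ".".join(labels + [tail]), off + 2

def parse_mdns(pkt):
    """Return [(name, rtype, rdata)] for every record after the question section."""
    qd, an, ns, ar = struct.unpack_from("!4H", pkt, 4)
    off, records = 12, []
    for _ in range(qd):                          # skip questions: name + type + class
        off = read_name(pkt, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off, rdata = off + 10, pkt[off + 10:off + 10 + rdlen]
        if rtype == 12:                          # PTR: rdata is a (compressed) name
            rdata = read_name(pkt, off)[0]
        elif rtype == 1:                         # A: rdata is an IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rdata))
        off += rdlen
    return records

def find_conflicts(packets):
    """Names whose A answers disagree across packets -> {name: sorted ips}; a spoofing indicator."""
    seen = {}
    for name, rtype, rdata in (r for raw in packets for r in parse_mdns(raw)):
        if rtype == 1:
            seen.setdefault(name, set()).add(rdata)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}

# Constructed packets: one PTR answer to _services._dns-sd._udp.local, then two A answers for printer.local.
SAMPLE_PTR = (b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00"      # header: response, 0 questions, 1 answer
              b"\x09_services\x07_dns-sd\x04_udp\x05local\x00"          # owner name at offset 12 ("local" at 35)
              b"\x00\x0c\x80\x01\x00\x00\x11\x94\x00\x0c\x04_ssh\x04_tcp\xc0\x23")  # PTR, TTL 4500, rdata w/ pointer
A_GOOD = b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00\x07printer\x05local\x00\x00\x01\x80\x01\x00\x00\x00\x78\x00\x04\x0a\x00\x00\x05"  # A printer.local -> 10.0.0.5
A_SPOOF = A_GOOD[:-4] + b"\x0a\x00\x00\x63"                              # same name claimed as 10.0.0.99
```

Feed find_conflicts the responses captured on a segment (e.g. from a pcap) and any name that comes back with two addresses deserves a look at which host sent the second answer.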

Hardening

Disable the mDNS responder (avahi-daemon, Bonjour) on hosts that don't need it, and block 5353/udp (multicast 224.0.0.251 and ff02::fb) from crossing VLAN boundaries. mDNS is link-local by design, so any mDNS reflector or gateway that forwards it between segments widens both the recon surface and the reach of spoofed answers.

References