Service:
Protocol:
UDPPort:
5353Used for:
Port 5353 (UDP) is used by mDNS to allow devices to discover each other and advertise services within local networks, without requiring a central DNS server.Why It’s Open
Port 5353 is used by the Multicast DNS (mDNS) protocol, which enables devices to perform hostname resolution without the need for a central DNS server. It is a core part of Zero-Configuration Networking (Zeroconf), commonly used in local networks to allow smart devices to discover each other automatically. Services like Apple Bonjour, Chromecast, Sonos, AirPrint, and various IoT devices rely on mDNS to announce their presence and respond to queries for .local hostnames.
This port is typically open on macOS, iOS, Windows (with some services enabled), Linux, and virtually all smart home or media devices. It’s meant to be used only within local networks (via multicast to 224.0.0.251), but misconfigurations can sometimes expose it externally.
Common Risks
- Information Disclosure
Devices may broadcast their hostname, OS type, device model, open ports, and services — aiding fingerprinting and internal recon. - Internal Network Mapping
mDNS responses can be harvested to build a detailed picture of a network, including active hosts and the services they offer. - Reflection in DDoS Attacks
Like SSDP, mDNS can be abused in UDP-based reflection/amplification attacks if not properly filtered. - Unintended Exposure
mDNS should only be used on local subnets. Improperly configured firewalls or VLAN routing may allow broadcasts or responses to reach unintended networks.
Want to save time on reporting?
Let PentestPad generate, track, and export your reports - automatically.
Enumeration & Testing
Check if it’s open
nmap -sU -p 5353Send a basic mDNS query:
dig @224.0.0.251 -p 5353 _services._dns-sd._udp.local PTR +shortUse specialized tools:
- avahi-browse -alr (Linux)
- dns-sd -B *services.*dns-sd._udp (macOS)
- Wireshark with filter: udp.port == 5353
What to Look For
| Checkpoint | What it means |
|---|---|
| Port 5353 open externally | mDNS is exposed beyond the local network (should not be) |
| Device responds with hostname | Reveals system identity, useful for attackers |
| List of advertised services | Indicates running services like SSH, HTTP, or SMB |
| Used by IoT/embedded devices | Often reveals vendor, firmware, and model info |
Mitigation
- Block UDP/5353 at Network Perimeter
Ensure that mDNS traffic is restricted to local segments and cannot traverse VLANs or reach the internet. - Disable mDNS if Not Required
On servers and enterprise desktops where Zeroconf isn’t needed, disable services like Bonjour or Avahi. - Isolate IoT and Media Devices
Segment smart devices using VLANs or firewalled subnets to minimize internal reconnaissance. - Use DNS-SD Logging and Monitoring
Capture and monitor mDNS broadcast activity to detect new or rogue devices.
Known CVEs and Exploits
- CVE-2015-2830 – Avahi daemon buffer overflow via malformed mDNS response.
- CVE-2019-12255 – Multiple embedded devices with mDNS vulnerability via malformed packets (Ripple20).
- CVE-2017-6520 – Denial-of-service via Avahi mDNS response flood.
- SSDP/mDNS DDoS Advisory – US-CERT