CERT-Bund Reports:

Openly accessible mDNS services

Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. It is implemented, e.g., by the Apple 'Bonjour' and Linux/BSD 'Avahi' (nss-mdns) services. mDNS uses port 5353/udp.

Problem

Openly accessible mDNS services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the system or network the service is running on for preparation of further attacks.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an mDNS service is openly accessible from the Internet, the 'dig' tool can be used like this:

$ dig +short -p 5353 -t ptr _services._dns-sd._udp.local @192.168.45.67

An openly accessible mDNS service will return a response like this:

_workstation._tcp.local.
_udisks-ssh._tcp.local.

Otherwise, the request will run into a timeout:

;; connection timed out; no servers could be reached
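The same check as the 'dig' command above, written out in Python so that the query packet and the PTR answers can be inspected byte by byte. This is an added example and not part of the CERT-Bund report; the function names, the 3-second timeout and the use of 192.168.45.67 as a placeholder target are assumptions. The parser handles DNS name compression, which mDNS responders use for the shared 'local.' suffix.

```python
"""Check whether a host answers unicast mDNS service-enumeration queries.

Added example (not from the CERT-Bund report): it reproduces the report's
'dig -p 5353 -t ptr _services._dns-sd._udp.local' check in Python.
Helper names, timeout and the placeholder target are assumptions.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

MDNS_PORT = 5353
SERVICE_ENUM_NAME = "_services._dns-sd._udp.local"
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(name: str = SERVICE_ENUM_NAME, txid: Optional[int] = None) -> bytes:
    """Build a standard DNS query for <name> PTR IN, as 'dig -t ptr' sends it."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0000: standard query; QDCOUNT=1, no answers/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_ptr_answers(pkt: bytes) -> List[str]:
    """Return the PTR targets from the answer section of a DNS response."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):  # skip the echoed question section, if any
        _, off = decode_name(pkt, off)
        off += 4
    targets = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        # the mDNS cache-flush bit lives in the class field and is ignored here
        if rtype == TYPE_PTR:
            target, _ = decode_name(pkt, off)
            targets.append(target)
        off += rdlen
    return targets


def probe(host: str, timeout: float = 3.0) -> List[str]:
    """Send the query by unicast to <host>:5353 and return advertised service types.

    An empty list after a timeout corresponds to dig's 'connection timed out'.
    """
    query = build_ptr_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, MDNS_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return []
    return parse_ptr_answers(data)


def classify(services: List[str]) -> str:
    """'open' if the host enumerated its services over unicast, else 'closed'."""
    return "open" if services else "closed"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.45.67"  # placeholder from the report
    found = probe(target)
    print(classify(found))
    for service in found:
        print(service)
```

As with the 'dig' check, run it from a node outside the local network; a host that is reachable only by multicast on the LAN will correctly report 'closed' from the Internet.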

Solution

If the mDNS service is not required, disable or uninstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 5353/udp on the firewall.

On Debian/Ubuntu based Linux systems, the mDNS service can be removed using the following command:

# apt-get remove avahi-daemon

Further information