Guide to Multicast DNS (mDNS) security issues

What is multicast DNS (mDNS) ?

The mDNS protocol is meant to resolve host names to IP addresses within small networks that do not include a local name server. The mDNS service can be contacted using UDP queries over port 5353.
The mDNS protocol is published as RFC6762 and implemented by the Apple Bonjour and avahi-daemon services.


Vulnerabilities:

If your mDNS service is exposed to the Internet, querying the service would allows hackers to collect information about your server (such as the MAC address information of the device, or services running on the machine) that could be used to prepare an attack.

Also, since mDNS is based on UDP, the mDNS query can be exploited to perform amplification attacks (the attacker can spoof his target IP address to saturate it with mDNS replies from your server):
https://www.us-cert.gov/ncas/alerts/TA14-017A

How to verify if your server is vulnerable?

Use the following command from a remote machine, as root, to query the mDNS service:
# nmap -Pn -sU -p5353 --script=dns-service-discovery <Your-server-IP>

Output sample:

PORT STATE SERVICE
5353/udp open zeroconf
| dns-service-discovery:
| 9/tcp workstation
| Address=xx.xx.xx.xx
| 22/tcp udisks-ssh
|_ Address=xx.xx.xx.xx


If the command returns a time-out, the service might already be filtered.


Resolution:

Multicast DNS is designed for use within a local network. This means that usually it is not a good idea to expose this service directly to the Internet or, in general, to an environment where untrusted clients can directly access this service.

Different options are available to mitigate this issue and protect your server:
- Disable mDNS (Apple Bonjour or avahi-daemon) service if you are not using it. Is the easiest and the most effective solution.
- Configure your firewall to filter inbound connections to your server UDP/5353, and only allow the trusted network IPs/hosts that need to contact your mDNS service to access it.

External references:

https://en.wikipedia.org/wiki/Multicast_DNS
https://tools.ietf.org/html/rfc6762
https://www.akamai.com/us/en/about/our-thinking/threat-advisories/akamai-mdns-reflection-ddos-threat-advisory.jsp

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk