MEDIUM: Open mDNS Report

DESCRIPTION LAST UPDATED: 2023-12-15

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the mDNS service running and accessible from the Internet.

See https://en.wikipedia.org/wiki/Multicast_DNS for more information on mDNS. Although it is a multicast protocol, mDNS can be probed in a unicast fashion and can respond in a manner similar to a standard DNS server.

Our initial probe tests to see if mDNS is accessible on the Internet and collects the information that it discloses, including a list of services that may be accessible via further mDNS probes. If a host is found to have the services “_workstation._tcp.local” or “_http._tcp.local” running, secondary probes are performed to collect whatever system information is returned. Some of the information that may be returned includes: trivial name of the device, IPv4 and IPv6 address(es) of the device (this may include RFC1918 addresses that are not meant to be leaked), MAC address information of the device, and potentially other information.

Track exposed mDNS servers on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_mdns

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the mDNS response came on (always UDP)
  • port
    Port that the mDNS response came from (usually 5353/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will always be mdns
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • mdns_name
    The trivial .local name that is sometimes returned in response to the initial probe for _services._dns-sd._udp.local; this field is often empty
  • mdns_ipv4
    The IPv4 address(es) that are sometimes returned in response to the initial probe; this field is often empty
  • mdns_ipv6
    The IPv6 address(es) that are sometimes returned in response to the initial probe; this field is often empty
  • services
    The services that the host lists as running in response to the query for "_services._dns-sd._udp.local"
  • workstation_name
    The mDNS name that is returned in response to the follow-up mDNS query for "_workstation._tcp.local"
  • workstation_ipv4
    The IPv4 address(es) returned in response to the follow-up mDNS query for "_workstation._tcp.local"
  • workstation_ipv6
    The IPv6 address(es) returned in response to the follow-up mDNS query for "_workstation._tcp.local"
  • workstation_info
    Information about the host that responded to the query for "_workstation._tcp.local" — it may contain name, MAC addresses, et cetera
  • http_name
    The mDNS name that is returned in response to the follow-up mDNS query for "_http._tcp.local"
  • http_ipv4
    The IPv4 address(es) returned in response to the follow-up mDNS query for "_http._tcp.local"
  • http_ipv6
    The IPv6 address(es) returned in response to the follow-up mDNS query for "_http._tcp.local"
  • http_ptr
    Contains information that looks like a trivial name and mDNS _local strings
  • http_info
    More information about the http device in response to the query for "_http._tcp.local"
  • http_target
    Name of the HTTP server. Usually just the contents of the http_name field with a trailing ".0"
  • http_port
    The port that the http server appears to be listening on
  • spotify_name
    The mDNS name of the device running a Spotify service (oftentimes a PlayStation 4 or 5).
  • spotify_ipv4
    Advertised IPv4 address by the Spotify service
  • spotify_ipv6
    Advertised IPv6 address by the Spotify service
  • opc_ua_discovery
    mDNS method of discovering OPC UA Server instances
  • sector
    Sector of the IP in question

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","mdns_name","mdns_ipv4","mdns_ipv6","services","workstation_name","workstation_ipv4","workstation_ipv6","workstation_info","http_name","http_ipv4","http_ipv6","http_ptr","http_info","http_target","http_port","spotify_name","spotify_ipv4","spotify_ipv6","opc_ua_discovery","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,5353,node01.example.com,mdns,64512,ZZ,Region,City,0,ptr,,,,"_workstation._tcp.local.\\;",web15.local.,192.168.0.1,fd09:4ab5:dae9:b078::1,"web15 [52:54:00:97:7c:28]._workstation._tcp.local.",,192.168.0.1,fd09:4ab5:dae9:b078::1,,,,,,,,,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,5353,node02.example.com,mdns,64512,ZZ,Region,City,0,ptr,,,,"_spotify-connect._tcp.local.\\;",,192.168.0.2,fd09:4ab5:dae9:b078::2,,,192.168.0.2,fd09:4ab5:dae9:b078::2,,,,,PS5-4ECA0F.local.,,,,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",medium,192.168.0.3,udp,5353,node03.example.com,mdns,64512,ZZ,Region,City,0,ptr,,,,"_workstation._tcp.local.\\;",linux.local.,192.168.0.3,fd09:4ab5:dae9:b078::3,"linux [f2:3c:91:3b:fe:2a]._workstation._tcp.local.",,192.168.0.3,fd09:4ab5:dae9:b078::3,,,,,,,,,"Communications, Service Provider, and Hosting Service"
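
One way to triage rows from this report, as an added example that is not part of the original page: the Python below parses a constructed sample in the scan_mdns column layout and lists what each host discloses (advertised services, internal addresses, MAC addresses, .local names). The function names, the separator handling for multi-valued fields and all sample values are assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the scan_mdns column layout; all values are made up.
HEADER = '"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","mdns_name","mdns_ipv4","mdns_ipv6","services","workstation_name","workstation_ipv4","workstation_ipv6","workstation_info","http_name","http_ipv4","http_ipv6","http_ptr","http_info","http_target","http_port","spotify_name","spotify_ipv4","spotify_ipv6","opc_ua_discovery","sector"'
ROWS = [
    r'"2023-12-15 00:00:00",medium,203.0.113.10,udp,5353,host.example.net,mdns,64512,ZZ,Region,City,0,ptr,,,,"_workstation._tcp.local.\\;_http._tcp.local.\\;",nas01.local.,192.168.1.20,fd00:1234:5678::20,"nas01 [52:54:00:AA:BB:CC]._workstation._tcp.local.",,192.168.1.20,,,,,,,,,,',
    r'"2023-12-15 00:00:01",medium,203.0.113.11,udp,5353,,mdns,64512,ZZ,Region,City,0,,,,,"_spotify-connect._tcp.local.\\;",,,,,,,,,,,,PS5-000000.local.,,,,',
]
SAMPLE = "\n".join([HEADER] + ROWS) + "\n"

ADDR_FIELDS = ("mdns_ipv4", "mdns_ipv6", "workstation_ipv4", "workstation_ipv6",
               "http_ipv4", "http_ipv6", "spotify_ipv4", "spotify_ipv6")
NAME_FIELDS = ("mdns_name", "workstation_name", "http_name", "spotify_name")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

def split_multi(value):
    # Assumption: multi-valued fields are separated by ';', ',', '|' or
    # whitespace, with backslash escapes as in the "services" sample values.
    return [v for v in re.split(r"[;,|\s]+", (value or "").replace("\\", "")) if v]

def internal_addresses(row):
    """Advertised addresses in private ranges (RFC1918, IPv6 ULA and similar)."""
    found = set()
    for field in ADDR_FIELDS:
        for item in split_multi(row.get(field)):
            try:
                addr = ipaddress.ip_address(item)
            except ValueError:
                continue  # not an address; ignore malformed values
            if addr.is_private:
                found.add(str(addr))
    return sorted(found)

def triage(csv_text):
    """Return one finding per report row, summarising what the host disclosed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        info = row.get("workstation_info") or ""
        findings.append({
            "ip": row["ip"],
            "services": split_multi(row.get("services")),
            "internal_addrs": internal_addresses(row),
            "macs": sorted({m.lower() for m in MAC_RE.findall(info)}),
            "names": sorted({row[f] for f in NAME_FIELDS if row.get(f)}),
        })
    return findings
```

Rows with a non-empty internal_addrs or macs list are the ones leaking internal network details and are good candidates to fix first.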
