What is it?

The Domain Name System (DNS) is a network of computers that convert web addresses like “google.com” into Internet Protocol (IP) addresses like 192.168.0.1. The client computer connects to a DNS server and asks for the IP address of “google.com” and gets an answer back.

Multicast DNS (mDNS) does the same thing but in a different way. Every client computer in an mDNS network maintains its own list of names and IP addresses. If an unknown address is requested, then a “multicast” is sent to many/all computers in the network. Computers that have the requested information reply back to the client. The client then performs another multicast with the “best” answer it received. All computers then add the new entry to their local list.

Although this sounds inefficient, it can be a user-friendly solution for small networks without a dedicated DNS Server because little or no configuration is needed to use the system.

mDNS requests can be used to mount a Denial of Service attack, in which an attacker tries to overwhelm a victim’s server by flooding it with requests. In a Distributed Denial of Service (DDoS) attack, the attacker uses an army of unwitting third-party servers to all attack the victim at the same time.

Why is it a risk?

mDNS servers were not designed to be open to the Internet. When they are open to the Internet, they present two risks:

1) They can expose the addresses of computers and devices inside your network to the attacker.
2) They can be used to amplify a DDoS attack on a victim’s server.

The QRISCloud link below contains instructions for testing whether your mDNS server is vulnerable to such abuses.

The Carnegie Mellon University link below contains more details.

How can you mitigate the risk?

The best way to mitigate this risk is to disable mDNS on your server.

If you must use mDNS exposed to the Internet, then you should configure your firewall to restrict the IP addresses that can access your mDNS server.
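To confirm that disabling mDNS or the firewall restriction took effect, the following added example (not from the original page or the linked resources) sends one unicast DNS-SD query to UDP port 5353 and reports whether anything answers and how much larger the reply is than the query. It assumes you run it from a machine outside the server's network against a host you administer; the function names are illustrative.

```python
import socket
import struct
import sys

MDNS_PORT = 5353  # standard mDNS UDP port
# DNS-SD service enumeration name; a responder that answers it reveals its services.
ENUM_NAME = "_services._dns-sd._udp.local"

def build_query(name=ENUM_NAME, qtype=12, txid=0x1234):
    """Build a one-question DNS packet (qtype 12 = PTR, class IN)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def summarize(query, response):
    """Read the DNS header of a reply and compute reply/query size ratio."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, ns, ar = struct.unpack("!6H", response[:12])
    return {
        "is_response": bool(flags & 0x8000),   # QR bit set
        "records": an + ns + ar,               # names/addresses disclosed
        "amplification": round(len(response) / len(query), 2),
    }

def probe(host, timeout=3.0):
    """Send one query to host:5353. None means no reply, the desired result
    when testing from outside the local network."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, MDNS_PORT))
        try:
            response, _addr = sock.recvfrom(9000)
        except (socket.timeout, ConnectionError):
            return None
    return summarize(query, response)

if __name__ == "__main__":
    result = probe(sys.argv[1])
    print("no reply (not exposed)" if result is None else f"EXPOSED: {result}")
```

A result of `None` from an external vantage point is what a correctly disabled or firewalled server should produce; any reply means the server still answers mDNS queries from outside.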

Resources:

QRISCloud
https://support.qriscloud.org.au/hc/en-us/articles/115002714663-Multicast-DNS-mDNS-vulnerability

Carnegie Mellon University mDNS Details
https://www.kb.cert.org/vuls/id/550620
