Port reference

Port 5353 (UDP) – mDNS

Multicast DNS — resolves hostnames and discovers services on a local network without a DNS server.

UDP · Registered · Commonly attacked

Default state

Open by default on macOS, iOS, Linux (Avahi), Windows, printers, and IoT devices. Should be confined to the local subnet.

Common attacks

  • LAN service, device, and hostname enumeration
  • mDNS reflection / amplification DDoS when exposed to the internet
  • Spoofing/poisoning of mDNS responses on the local segment

Hardening

  • Block UDP 5353 inbound at the internet edge
  • Disable mDNS/Bonjour/Avahi where it isn't needed
  • Filter mDNS between VLANs; keep it on trusted segments only
  • Patch mDNS responders (Avahi, mDNSResponder) against known CVEs

nmap snippet

nmap -sU -p5353 --script dns-service-discovery <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5353?

UDP 5353 carries multicast DNS (mDNS), the zero-configuration name resolution and service discovery protocol behind Apple Bonjour, Avahi on Linux, and similar stacks on Windows and IoT devices. Hosts query the 224.0.0.251/ff02::fb multicast group to resolve .local hostnames and to advertise or find services — printers, AirPlay, file shares — without any central DNS server. It is designed for a single local subnet.

Why it matters for security

mDNS happily multicasts a wealth of information: hostnames, OS hints, device models, and the services each host offers, giving an attacker on the LAN an instant inventory for targeting. When a misconfigured device or firewall lets mDNS be queried from off-subnet or the internet, it becomes both an information leak and a reflector for amplification DDoS, since a single small query can elicit responses considerably larger than itself. On the local segment, forged responses can also poison .local resolution.

How it's attacked

An attacker on the LAN sends mDNS service-discovery queries to enumerate every device, hostname, and advertised service. Internet-exposed responders are abused as reflectors in amplification DDoS. On the local link, attackers spoof mDNS replies to redirect .local name lookups toward malicious hosts.

Hardening checklist

Block inbound UDP 5353 at the perimeter so mDNS never leaves the local subnet, and filter it between VLANs. Disable mDNS/Bonjour/Avahi on servers and devices that don't need service discovery, and keep responders such as Avahi and Apple mDNSResponder patched. Use the nmap snippet above to enumerate mDNS exposure on hosts you are authorized to test.
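To make concrete what the enumeration and amplification paragraphs above describe, here is an added example (not taken from this reference page or from any mDNS implementation): a minimal DNS-SD query builder and mDNS record parser in Python, run against a constructed responder reply so it works offline, that lists the service types a host advertises and computes the bytes-out-per-byte-in ratio an exposed responder hands a reflection attacker. The service names and the sample reply are constructed for illustration.

```python
import struct
PTR = 12                                    # DNS-SD enumeration is built on PTR records
SD_ROOT = "_services._dns-sd._udp.local"    # meta-query: "list every service type you offer"
def encode_name(name):
    # Wire-format name: length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name=SD_ROOT):
    # Header: ID 0, flags 0, QDCOUNT 1; question = name, type PTR, class IN
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", PTR, 1)

def decode_name(pkt, off):
    # Walk labels, following 0xC0 compression pointers; return (name, offset after the name)
    labels, after = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                   # pointer: remember where we left off, then jump
            after = after or off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (after or off)
        labels.append(pkt[off:off + ln].decode()); off += ln

def parse_records(pkt):
    # Skip the question section, then return (owner, type, rdata) for every resource record
    _, _, qd, an, ns, ar = struct.unpack("!6H", pkt[:12]); off = 12
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4      # name + QTYPE + QCLASS
    recs = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        rdata = decode_name(pkt, off)[0] if rtype == PTR else pkt[off:off + rdlen]
        recs.append((owner, rtype, rdata)); off += rdlen
    return recs

def sample_response(service_types):
    # CONSTRUCTED reply, not a capture: flags 0x8400, question echoed so each owner is a 0xC00C pointer to it
    body = encode_name(SD_ROOT) + struct.pack("!HH", PTR, 1)
    for svc in service_types:
        rd = encode_name(svc)
        body += b"\xc0\x0c" + struct.pack("!HHIH", PTR, 1, 4500, len(rd)) + rd
    return struct.pack("!6H", 0, 0x8400, 1, len(service_types), 0, 0) + body

def amplification(query, response):
    # Bytes returned per byte sent: the ratio an internet-exposed responder offers a reflector
    return round(len(response) / len(query), 2)
```

Feed parse_records a UDP 5353 payload captured on your own segment to see exactly what each responder leaks; any reply that arrives from outside the local subnet marks a firewall gap the checklist above should have closed.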

Frequently asked questions

What is port 5353 used for?
UDP 5353 carries multicast DNS (mDNS), the basis of Apple Bonjour and Avahi. It lets devices resolve .local names and advertise services like printers and AirPlay without a DNS server.
Is mDNS a security risk on the internet?
Yes. mDNS is meant for the local subnet; if a device answers mDNS from the internet it leaks device details and can be abused as a reflection/amplification DDoS source.