Multicast DNS
From charlesreid1
multicast DNS:
Stumbled upon this 7/11/20 after setting up iptables and logging dropped packets, and seeing 224.0.0.251 sending traffic on port 5353.
The 5353 was a clue that it was related to DNS, but it turns out this is a whole rabbit hole about some kind of local loopback DNS.
RFC 6762: https://tools.ietf.org/html/rfc6762
Here it is in plain English: multicast DNS and service discovery are common in modern tech products (home and small office environments: printers, routers, etc.). They are part of zeroconf, a suite of technologies that lets network devices discover each other in the absence of an authoritative DNS server.
This is also used by laptops (e.g., Mac -> System Preferences -> Sharing). The name of your Mac plus .local (MacAndCheese.local) is an address that everyone on the network can find. How does that work?
You can make a DNS request for the name MacAndCheese.local using dig, specifying the special multicast DNS address 224.0.0.251 and port 5353:
dig @224.0.0.251 -p 5353 +short MacAndCheese.local
This is the multicast address reserved for multicast DNS. When a query is sent to it, every device on the local network segment that has joined the group sees a copy of the query and can choose to respond. If your Mac is up and sees the request, it responds with its IP address.
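Added example, not from the original page: the same A-record query dig sends for MacAndCheese.local, built by hand in DNS wire format, plus a parser for the multicast reply. It shows the two bits RFC 6762 adds on top of plain DNS (the "QU" unicast-response bit in QCLASS and the cache-flush bit in the answer's class). The reply bytes and the address 192.0.2.10 are constructed here, not captured.

```python
import struct
def encode_name(name):
    # DNS wire format: one length byte per label, terminated by a zero byte
    labels = [l.encode() for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_mdns_query(name, unicast_response=False):
    # RFC 6762 query: ID 0, flags 0, one question, type A (1), class IN (1).
    # The top bit of QCLASS is the "QU" bit: ask for a unicast rather than multicast reply.
    qclass = 1 | (0x8000 if unicast_response else 0)
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, qclass)

def decode_name(buf, off):
    labels = []
    while True:
        ln, off = buf[off], off + 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:  # compression pointer to a name earlier in the packet
            target = ((ln & 0x3F) << 8) | buf[off]
            labels.append(decode_name(buf, target)[0])
            return ".".join(labels), off + 1
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), off

def parse_mdns_answers(buf):
    # Returns (name, rtype, cache_flush, ttl, rdata) per answer-section record;
    # rdata is a dotted quad for A records, raw bytes otherwise.
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        off = decode_name(buf, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, bool(rclass & 0x8000), ttl, rdata))  # 0x8000 = cache-flush
    return answers

SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # constructed reply: QR=1, AA=1, 1 answer
                   + encode_name("MacAndCheese.local")
                   + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 0, 2, 10]))  # A, IN|cache-flush, TTL 120
```

Sending `build_mdns_query("MacAndCheese.local")` over UDP to 224.0.0.251:5353 and feeding whatever comes back to `parse_mdns_answers` reproduces what the dig command above does.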
Good article on the usefulness for penetration testing: https://blog.hyperiongray.com/multicast-dns-service-discovery/