SCIENTIFIC-LINUX-USERS Archives

May 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: David Sommerseth <[log in to unmask]>
Reply To:
Date: Sat, 24 May 2014 12:43:20 +0200
Content-Type: text/plain
On 24/05/14 04:11, ToddAndMargo wrote:
>
> Seems I have already looked at 5353 once before.  From
> one of my penetration reports:
>
>      Port 5353/udp (zeroconf) is registered to the Link
>      Local Multicast Name Resolution (LLMNR) service.
>      It is part of how Windows computers identify themselves
>      to each other on a local area network and is part of
>      the normal operation of the Windows XP Operating System.
>      Further information can be found at:
>           https://en.wikipedia.org/wiki/LLMNR
>

mDNS can be used for much more as well when combining it with DNS-SD [1], like 
telling other hosts what kind of services each box provides.  mDNS coupled 
with DNS-SD is quite a beast; avahi-daemon provides the same functionality on 
Linux boxes as well.

[1] <http://en.wikipedia.org/wiki/Zero_configuration_networking#Service_discovery>

But it's also possible to provide DNS-SD using a normal DNS server, which 
can be suitable for announcing services on servers where you don't want 
avahi-daemon running.

It can surely be quite handy, but if you're concerned about security [2] it 
surely has its challenges there too.  I generally block port 5353 (tcp and udp) 
on all my boxes when they're not on a network I fully trust.  And I also 
carefully configure avahi-daemon (/etc/avahi/avahi-daemon.conf) too, if I want 
avahi-daemon running.

[2] <http://en.wikipedia.org/wiki/Zero_configuration_networking#Security_issues>


--
kind regards,

David Sommerseth
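
As an added example (not part of David's message or of the thread), the Python below shows what "mDNS coupled with DNS-SD" actually exchanges on 5353/udp: it builds the DNS-SD service-enumeration query that avahi-daemon and other mDNS responders answer, and parses the PTR/SRV/TXT answers that describe each advertised service. The reply it parses is constructed inline, not captured; the host name `myhost.local`, the SSH service instance and the TXT value are made up for the demonstration. Because wide-area DNS-SD uses the same record types over unicast, `parse_response` also handles a reply from a normal DNS server, the setup David mentions for hosts without avahi. Only `browse()` touches the network; everything else runs offline.

```python
"""mDNS / DNS-SD service enumeration: build the query, parse the answers."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
SERVICES_ENUM = "_services._dns-sd._udp.local"   # DNS-SD "what services exist?" name
TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name=SERVICES_ENUM, qtype=TYPE_PTR):
    """One-question query; id 0 and flags 0 as mDNS expects."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    # qclass IN with the QU bit (0x8000) set: ask responders to reply by
    # unicast to our source port, so one unsolicited query gets answers back.
    return header + encode_name(name) + struct.pack("!HH", qtype, 0x8001)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # caller resumes after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def parse_response(data):
    """Return every resource record as {"name", "type", "rdata"}."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                 # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        start = offset + 10
        offset = start + rdlen
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(data, start)
        elif rtype == TYPE_SRV:                         # priority, weight, port, target
            port = struct.unpack("!HHH", data[start:start + 6])[2]
            host, _ = decode_name(data, start + 6)
            rdata = (host, port)
        elif rtype == TYPE_TXT:                         # length-prefixed key=value strings
            rdata, i = [], start
            while i < offset:
                n = data[i]
                rdata.append(data[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
        else:
            rdata = data[start:offset]
        records.append({"name": name, "type": rtype, "rdata": rdata})
    return records


def advertised_services(records):
    """Fold PTR/SRV/TXT records into {instance: {type, host, port, txt}}."""
    services = {}
    for r in records:
        if r["type"] == TYPE_PTR and not r["name"].startswith("_services."):
            services.setdefault(r["rdata"], {"type": r["name"], "host": None,
                                             "port": None, "txt": []})
    for r in records:
        entry = services.get(r["name"])
        if entry is not None and r["type"] == TYPE_SRV:
            entry["host"], entry["port"] = r["rdata"]
        elif entry is not None and r["type"] == TYPE_TXT:
            entry["txt"] = r["rdata"]
    return services


def _rr(owner, rtype, rdata, ttl=120):
    return owner + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def sample_response():
    """Constructed reply (not captured): one host advertising SSH on port 22."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 4, 0, 0)
    question = encode_name(SERVICES_ENUM) + struct.pack("!HH", TYPE_PTR, 1)
    enum_ptr = b"\xC0\x0C"        # pointer back to the question name at offset 12
    inst = "myhost._ssh._tcp.local"
    return header + question + (
        _rr(enum_ptr, TYPE_PTR, encode_name("_ssh._tcp.local"))
        + _rr(encode_name("_ssh._tcp.local"), TYPE_PTR, encode_name(inst))
        + _rr(encode_name(inst), TYPE_SRV,
              struct.pack("!HHH", 0, 0, 22) + encode_name("myhost.local"))
        + _rr(encode_name(inst), TYPE_TXT, b"\x09txtvers=1"))


def browse(timeout=2.0):
    """Send one real query to the multicast group; answers keyed by source IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(9000)
            found.setdefault(src, []).extend(parse_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for inst, info in advertised_services(parse_response(sample_response())).items():
        print(inst, info)
```

Running `browse()` on a LAN where avahi is publishing lists, per host, every service type, instance name, target host, port and TXT key/value pair the responder is willing to hand out, which is exactly what an untrusted network learns for free while 5353/udp is reachable, and why the firewall rule in the message above makes sense. When avahi-daemon is wanted, the relevant knobs in /etc/avahi/avahi-daemon.conf are `allow-interfaces=` under `[server]` (limit it to the trusted interface) and `disable-publishing=yes` under `[publish]` (resolve others' names without advertising your own).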
