Multicast DNS: alternative name resolution on a small scale
The Domain Name System (DNS) can be thought of as a very large telephone book: users enter a web address in their browser and the system looks up the matching IP address. Name resolution works by having one's own computer query a DNS server (a resolver), which either answers from its cache or walks the hierarchy of authoritative name servers that together hold the mapping from host names (such as the one in a web address) to IP addresses. Multicast DNS takes a different route. How does this alternative to classic DNS work?
How does Multicast DNS work?
Multicast DNS (mDNS) is a protocol for name resolution in small networks, and it takes a different approach from the well-known DNS. Instead of querying a name server, the resolver addresses all participants on the local link directly: the querying host sends its question as a multicast (to 224.0.0.251 on IPv4 or ff02::fb on IPv6, UDP port 5353) and asks which participant owns the host name. A multicast is a form of communication in which a single message is delivered to a group of recipients; here the group is every mDNS-capable device on the local network segment.
In this way, the query also reaches the participant that owns the host name being looked up. That host answers, likewise by multicast, to the whole link. Every participant thereby learns the binding between name and IP address and can store it in its own mDNS cache. As long as that cache entry is valid (records carry a TTL; for host address records it is typically 120 seconds), nobody on the network needs to ask for the host name again.
Multicast DNS generates a comparatively large amount of traffic, so the protocol also tries to conserve network resources. The querying host includes in its query the answers it already holds in its cache (the "known-answer" section). A responder then only replies if the querier's cached answer is wrong or about to expire (less than half of its TTL remaining); otherwise it stays silent. And because every response is multicast, the other participants are informed before they would ever have sent the same query themselves. In this way the protocol keeps the traffic within the network down.
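To make the exchange concrete, here is a small Python example, added for this article and not taken from any mDNS implementation, that builds and parses the three messages described above: a query for printer.local that carries a known answer, the authoritative response, and the responder's decision whether to answer at all. The host name, the address 192.0.2.10 and the TTLs are constructed sample data; the wire format follows RFC 1035 and RFC 6762 (the QU bit and cache-flush bit are the top bit of the class field).

```python
import struct

# mDNS constants (RFC 6762): IPv4 group 224.0.0.251 / IPv6 group ff02::fb, UDP port 5353.
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, CLASS_IN = 1, 1
QU_BIT = 0x8000       # top bit of qclass: "please answer by unicast"
CACHE_FLUSH = 0x8000  # top bit of rrclass: "replace cached records of this name/type"
FLAG_QR, FLAG_AA = 0x8000, 0x0400

def encode_name(name):
    """'printer.local' -> b'\\x07printer\\x05local\\x00' (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a name at offset, following RFC 1035 compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer: real responders compress repeated names
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def encode_a_record(name, ip, ttl, cache_flush=False):
    rrclass = CLASS_IN | (CACHE_FLUSH if cache_flush else 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, rrclass, ttl, len(rdata)) + rdata

def build_query(name, known_answers=(), unicast_response=False):
    """A-record query; known_answers are (name, ip, remaining_ttl) tuples the querier has cached."""
    header = struct.pack("!HHHHHH", 0, 0, 1, len(known_answers), 0, 0)  # id 0, flags 0, qdcount 1
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, qclass)
    return header + question + b"".join(encode_a_record(*ka) for ka in known_answers)

def build_response(name, ip, ttl=120):
    """Authoritative answer as a responder multicasts it: QR+AA set, no question, cache-flush bit set."""
    header = struct.pack("!HHHHHH", 0, FLAG_QR | FLAG_AA, 0, 1, 0, 0)
    return header + encode_a_record(name, ip, ttl, cache_flush=True)

def parse_packet(data):
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    offset, questions, records = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append({"name": qname, "type": qtype, "unicast": bool(qclass & QU_BIT)})
    for _ in range(an + ns + ar):
        rname, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        rec = {"name": rname, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & CACHE_FLUSH)}
        if rtype == TYPE_A and rdlen == 4:
            rec["ip"] = ".".join(str(b) for b in rdata)
        records.append(rec)
    return {"is_response": bool(flags & FLAG_QR), "questions": questions, "records": records}

def should_respond(query, my_name, my_ip, my_ttl=120):
    """Responder side of known-answer suppression (RFC 6762 section 7.1): stay silent when the
    querier already lists our record with at least half of our TTL remaining."""
    if not any(q["name"].lower() == my_name.lower() and q["type"] == TYPE_A for q in query["questions"]):
        return False
    return not any(r["name"].lower() == my_name.lower() and r.get("ip") == my_ip and r["ttl"] >= my_ttl / 2
                   for r in query["records"])

def demo_known_answers():
    """Constructed exchange: one querier with a fresh cache entry, one with a stale one, plus the answer."""
    fresh = build_query("printer.local", known_answers=[("printer.local", "192.0.2.10", 100)])
    stale = build_query("printer.local", known_answers=[("printer.local", "192.0.2.10", 30)])
    answer = parse_packet(build_response("printer.local", "192.0.2.10"))
    return (should_respond(parse_packet(fresh), "printer.local", "192.0.2.10"),
            should_respond(parse_packet(stale), "printer.local", "192.0.2.10"),
            answer["records"][0]["ip"], answer["records"][0]["cache_flush"])
```

demo_known_answers() returns (False, True, "192.0.2.10", True): the querier that still has 100 of 120 seconds left gets no reply, the one whose entry is down to 30 seconds does, and the response carries the cache-flush bit so that stale copies of the record are replaced. To put real packets on the wire you would bind a UDP socket to port 5353, join MDNS_GROUP and send the bytes from build_query to (MDNS_GROUP, MDNS_PORT).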
Multicast DNS only resolves host names ending in .local (plus the reverse-lookup zones for link-local addresses, such as 254.169.in-addr.arpa). That confines this form of name resolution to the local network. Host names under other top-level domains (TLDs) such as .de or .com are not processed by mDNS, so web addresses cannot be resolved this way.
Apple began work on Multicast DNS around 2000 and shipped it in 2002 (first under the name Rendezvous, later renamed Bonjour); the protocol was published as an IETF standard in RFC 6762 in February 2013.
mDNS was developed within the context of Zeroconf (Zero Configuration Networking). The idea behind Zero Configuration Networking is that computers can communicate with one another without a human having to configure much beforehand. Multicast DNS meets these requirements: IP multicast is part of the TCP/IP protocol suite and works on a local link without any infrastructure having been set up.
Advantages of MDNS
Multicast DNS is designed for small networks and is intended to make them easier to use. The idea is that users can connect devices in ad hoc LANs without any issues. Because the devices exchange name and address information with one another directly, no server or directory has to be set up, and additional devices can be added quickly and dynamically.
A popular implementation of mDNS is Apple's Bonjour. The service is primarily intended to make connecting network printers and similar devices to a PC or Mac easier: because the devices announce their names and addresses themselves, the user does not have to configure the connection by hand. Besides Apple's service, the open source software Avahi provides an mDNS service on Linux and other Unix-like systems, which likewise lets different devices find each other without prior configuration. Since Windows 10, mDNS support is also built into Microsoft's operating system.
Disadvantages and risks of Multicast DNS
The ease of use, however, comes with some drawbacks. One problem lies in the multicast process itself: although the protocol tries to keep network traffic low, every participating computer must constantly listen on the multicast group and process every incoming message, including queries that have nothing to do with it. That costs processing power, and on battery-powered devices also energy.
Furthermore, the assignment of host names is problematic. In principle, anyone can give a device any name, provided that it ends in .local, so (at least in theory) two network participants can end up with the same host name. RFC 6762 does provide a mechanism for this case: before a host uses a name it "probes" for it, and if another host already owns the name (or wins the tiebreak between two hosts probing at the same time), the newcomer has to pick a different name, for example printer-2.local. There is, however, no authority and no authentication behind this. Any host on the link can answer a probe or a query, so a device can be made to rename itself, and a name can be claimed by a host other than the one the user expects.
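The probing and renaming rules can be simulated without a network. The following Python example was written for this article (it is not Bonjour or Avahi code) and implements the two decisions a probing host makes per RFC 6762 sections 8 and 9: defer to a host that already owns the name, and break a tie with a simultaneous prober by comparing the records lexicographically (class with the cache-flush bit cleared, then type, then the raw rdata bytes). The link state, host names and addresses are constructed sample data.

```python
CLASS_IN, TYPE_A = 1, 1

def record_key(rr):
    """Comparison key from RFC 6762 section 8.2.1: class (cache-flush bit cleared), then type,
    then rdata compared as unsigned bytes; a longer rdata is 'later' than its own prefix."""
    rrclass, rrtype, rdata = rr
    return (rrclass & 0x7FFF, rrtype, bytes(rdata))

def lexicographically_later(mine, theirs):
    """True if our record wins a simultaneous-probe tiebreak against theirs."""
    return record_key(mine) > record_key(theirs)

def next_candidate(name):
    """Rename after a lost conflict: printer.local -> printer-2.local -> printer-3.local ..."""
    host, _, domain = name.partition(".")
    base, sep, num = host.rpartition("-")
    if sep and num.isdigit():
        return f"{base}-{int(num) + 1}.{domain}"
    return f"{host}-2.{domain}"

def probe_for_name(desired, my_ip, link, max_attempts=15):
    """Simulated probing. `link` maps a name to what other hosts say when they see our probe:
    ("established", rdata) = authoritative answer from a host that already owns the name,
    ("probing", rdata)     = a simultaneous probe from another newcomer (tiebreak by record_key),
    absent                 = silence, so the name is free.
    In real mDNS each candidate is probed three times, 250 ms apart, before it counts as free."""
    mine = (CLASS_IN, TYPE_A, bytes(int(o) for o in my_ip.split(".")))
    candidate = desired
    for _ in range(max_attempts):
        claim = link.get(candidate)
        if claim is None:
            return candidate
        state, rdata = claim
        if state == "probing" and lexicographically_later(mine, (CLASS_IN, TYPE_A, rdata)):
            return candidate  # we win the tiebreak; the other prober must rename
        candidate = next_candidate(candidate)  # established owner, or lost tiebreak
    raise RuntimeError("too many conflicts; RFC 6762 requires backing off to one probe per 5 s")

def demo_probe():
    # Constructed link state: printer.local is taken, printer-2.local is being probed at the same time.
    link = {"printer.local": ("established", bytes([192, 0, 2, 20])),
            "printer-2.local": ("probing", bytes([192, 0, 2, 5]))}
    winner = probe_for_name("printer.local", "192.0.2.30", link)  # 192.0.2.30 sorts after 192.0.2.5
    loser = probe_for_name("printer.local", "192.0.2.3", link)    # 192.0.2.3 sorts before it
    return winner, loser
```

demo_probe() returns ("printer-2.local", "printer-3.local"): both hosts give up printer.local to its established owner, the host whose address bytes sort later keeps printer-2.local, and the other moves on to printer-3.local. Note that the "established" answer in the simulation is exactly what any host on the link can send, whether or not it really owns the name; nothing in the protocol lets the prober tell the difference.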
Another problem is a genuine security hazard. In many cases mDNS responders are "open": they also answer unicast queries arriving from outside, via the Internet, instead of only queries from the local link. Cyber criminals locate such open services and use them for DDoS attacks: a small query yields a larger response, and because the source address of a UDP packet can be spoofed, the network's devices can be made to bombard a target server with replies (a reflection attack). Furthermore, sensitive information can be read out of an open multicast DNS. Attackers can learn host names, the services a device offers and, where devices include them in their records, MAC addresses, and use this information for further attacks.
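The check that an open responder is missing is spelled out in RFC 6762 section 5.5: a responder that receives a unicast query on port 5353 must verify that the source address lies on the local link and otherwise ignore it. The following Python example, added here and not taken from any mDNS implementation, shows that decision for IPv4 and IPv6; the interface list LOCAL_INTERFACES is constructed sample data standing in for what a real responder would read from the operating system.

```python
import ipaddress

# Constructed sample data: the responder's own interfaces as (address, prefix length).
LOCAL_INTERFACES = [("192.0.2.30", 24), ("fe80::1", 64)]
IPV6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def query_source_is_on_link(src_ip, interfaces=LOCAL_INTERFACES):
    """RFC 6762 section 5.5: answer a unicast query only if its source address is inside one of
    our own interface prefixes (or is IPv6 link-local); anything else did not come from the link."""
    src = ipaddress.ip_address(src_ip)
    if src.version == 6 and src in IPV6_LINK_LOCAL:
        return True
    for addr, prefixlen in interfaces:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        if src.version == net.version and src in net:
            return True
    return False

def handle_query(src_ip, src_port, interfaces=LOCAL_INTERFACES):
    """How a responder treats a datagram on UDP 5353: 'drop', answer by 'unicast', or 'multicast'."""
    if not query_source_is_on_link(src_ip, interfaces):
        return "drop"       # the off-link query an Internet-exposed responder would otherwise reflect
    if src_port != 5353:
        return "unicast"    # legacy one-shot query (RFC 6762 section 6.7): reply directly to the sender
    return "multicast"      # ordinary query from a full mDNS participant
```

A query from 203.0.113.7 (an address outside every local prefix) is dropped, one from 192.0.2.77 with source port 5353 is answered by multicast, and one from 192.0.2.77 sent from an ephemeral port gets a unicast reply. To test an exposed device from the outside, send a unicast query to UDP port 5353 from another network, for instance with nmap's dns-service-discovery script; any answer means the responder is open. Blocking inbound UDP 5353 from non-local sources at the router closes the hole independently of the device's own behaviour.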