Buongiorno attempts to map out mDNS and DNS-SD activity by inspecting the raw stream of mDNS packets on the local network. The goal of this post is to give a bit more context for what mDNS and DNS-SD are, how the tool was built, and the many limitations of my current approach.

image.png

mDNS and DNS-SD

The mDNS spec (RFC 6762) is 70 pages long, but the core idea can be communicated in one sentence: it is like normal DNS, but queries are multicast to the entire network instead of unicast to a specific DNS server.

The way this works is simple: UDP packets containing DNS questions and answers are sent to the special multicast IP address 224.0.0.251 (or FF02::FB for IPv6) on port 5353. This causes the packets to be routed to all devices in the network, eliminating the need for a central DNS authority. Responses to these queries c