Wireless Access

  • 1.  Disabling mDNS

    Posted Feb 10, 2026 11:21 AM

    So I wanted to get everyone's thoughts on disabling mDNS internally on our network. We recently had penetration testing done, and one of the things that came out of this was disabling mDNS, which kind of makes sense: if we have our own DNS servers we should not need mDNS. So for our environment we have 535 APs and 6300cx Aruba switches and use Aruba Central.

    How would you go about disabling UDP 5353 (mDNS) on our network, starting with the wireless, and maybe possibly not doing all wireless, but testing something first that has little impact? Then proceeding to the Aruba 6300 switches, which I believe I would use an ACL for??? But I don't know if that would be an ACL on every single switch or on our core, or maybe just the port channel uplinks to the core, or what.

    Any help would be greatly appreciated

    Has anyone else done this, and what effect, if any, did it have, good or bad?



    -------------------------------------------


  • 2.  RE: Disabling mDNS

    Posted Feb 11, 2026 06:49 AM

    Hi, I don't have a conclusive answer, but I started to explore this topic too, after I read these two articles from HPE Threat Labs:

    The Cost of Convenience: Multicast DNS and Your Privacy

    Ghost in the Network: The Persistent Threat of Multicast Name Resolution

    In my case I then started to explore how to manage the above by applying ACLs, the hard way, on ArubaOS-CX (I know, it's just a part of the whole set of possible approaches). If you're curious, I opened a thread about that here because I needed to understand exactly how to create the ACL's ACEs to fit my particular networking scenario, which is quite simple (thus, in any case, preferring the approach of blocking at the origin through an ACL on the IP-routing core switch).

    -------------------------------------------



  • 3.  RE: Disabling mDNS

    Posted Feb 11, 2026 08:17 AM
    Thanks

    Let me take a look at your reply

    Dave Klein
    System Administrator
    563-584-4374







  • 4.  RE: Disabling mDNS

    Posted Feb 24, 2026 04:17 PM

    So I added an ACL to the VLAN on some of the switches for this:

    access-list ip Block-UDP-mDNS5353-LLMRN5355
        100 deny udp any 224.0.0.251 eq 5353 log count
        101 deny udp any 224.0.0.252 eq 5355 log count
        200 permit any any any

    When I run Wireshark and filter for this, everything appears to be gone, but there are still a few devices using IPv6 for UDP 5353 and UDP 5355.

    What would the ACL look like to block this?

    -------------------------------------------
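    A quick way to check whether a rule set covers both address families, as an added model that is not from this thread or from Aruba: the IPv4 ACL from the post is reproduced, an assumed IPv6 companion is added (ff02::fb and ff02::1:3 are the standard mDNS and LLMNR IPv6 groups), and both are evaluated against constructed sample flows. The model assumes an IPv4 ACL is never evaluated against IPv6 packets, which is why the post's ACL leaves the IPv6 traffic untouched.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    seq: int
    action: str           # "deny" or "permit"
    proto: str            # "udp", "tcp" or "any"
    dst: str              # destination host address or "any"
    dport: Optional[int]  # destination port, None = any

# The IPv4 ACL from the post; an IP ACL only sees IPv4 packets (assumed).
V4_ACL = [
    Ace(100, "deny", "udp", "224.0.0.251", 5353),  # mDNS
    Ace(101, "deny", "udp", "224.0.0.252", 5355),  # LLMNR
    Ace(200, "permit", "any", "any", None),
]
# Assumed IPv6 companion ACL, using the well-known link-local groups.
V6_ACL = [
    Ace(100, "deny", "udp", "ff02::fb", 5353),     # mDNS over IPv6
    Ace(101, "deny", "udp", "ff02::1:3", 5355),    # LLMNR over IPv6
    Ace(200, "permit", "any", "any", None),
]
V4_ONLY = {4: V4_ACL}               # what the post applied
DUAL_STACK = {4: V4_ACL, 6: V6_ACL}

def matches(ace: Ace, dst: str, proto: str, dport: int) -> bool:
    if ace.proto not in ("any", proto):
        return False
    if ace.dst != "any" and ipaddress.ip_address(ace.dst) != ipaddress.ip_address(dst):
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(policy: dict, dst: str, proto: str, dport: int) -> str:
    """Select the ACL for the packet's address family (none = unfiltered);
    lowest-sequence matching ACE wins, implicit deny if nothing matches."""
    acl = policy.get(ipaddress.ip_address(dst).version)
    if acl is None:
        return "permit"
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, dst, proto, dport):
            return ace.action
    return "deny"

# Constructed sample flows (dst, proto, dport), like the Wireshark view in the post.
SAMPLE = [("224.0.0.251", "udp", 5353), ("224.0.0.252", "udp", 5355),
          ("ff02::fb", "udp", 5353), ("ff02::1:3", "udp", 5355),
          ("10.1.2.3", "udp", 53)]  # unicast DNS must stay permitted

def still_permitted(policy: dict) -> list:
    """Destinations of mDNS/LLMNR flows the policy still lets through."""
    return [dst for dst, proto, dport in SAMPLE
            if dport in (5353, 5355) and evaluate(policy, dst, proto, dport) == "permit"]
```

    On the switch the IPv6 rules would have to be expressed as a separate IPv6 ACL applied alongside the IPv4 one; the exact ArubaOS-CX syntax is not shown here.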



  • 5.  RE: Disabling mDNS

    Posted Feb 11, 2026 10:33 AM

    The BCMC controls are there specifically to bring this traffic under control; you can also use ACLs on the user roles to kill any/all multicast traffic.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------