mDNS

Author: lab1918

The Multicast DNS (mDNS) you’re seeing in Wireshark is a protocol that resolves hostnames to IP addresses within small networks that do not include a local name server. It’s particularly useful in home networks or small business networks where setting up a DNS server might be overkill.

Here’s a breakdown of how mDNS works and why you might be seeing these queries on your network:

  1. Zero-configuration Networking: mDNS is a key part of zero-configuration networking technologies, commonly known by the Apple brand name Bonjour. It allows devices on the same local network to communicate with each other without the need for manual setup.

  2. Service Discovery: mDNS is often used to discover services on the network. For example, if you have printers, streaming devices (like Apple TV or Chromecast), or other networked devices that support mDNS, they will announce their presence over multicast so that other devices can find and interact with them without configuration.

  3. Network Traffic: Each device using mDNS will send out multicast queries to the network to resolve hostnames or discover services. This is why you are seeing a lot of mDNS packets in Wireshark; each device is periodically checking the network to update its list of available services and devices.

  4. Implementation: Devices including computers (Mac, Windows, and Linux if configured), smartphones, and IoT devices might send out mDNS packets. It’s also used extensively by applications that need to find services on the local network like streaming apps, network file sharing services, and remote application protocols.

If you are analyzing network traffic and see mDNS packets, it generally indicates normal behavior: devices announcing themselves and looking for available services within the local network. If you have many IoT devices, smartphones, or other network-enabled devices, you might see a significant amount of mDNS traffic.
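To see which names and services those packets are asking for or announcing, you can decode the UDP payload yourself. The following is an added example, not code from the original post: a minimal parser for mDNS messages, which use the standard DNS wire format on UDP port 5353. The two sample payloads and the "Lab Printer" instance name are constructed for illustration.

```python
import struct
TYPES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}

def read_name(msg, off):
    """Decode a DNS name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                       # crafted packets can loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("utf-8", "replace"))
        off += n

def parse_mdns(msg):
    """Return the questions and records carried in one mDNS UDP payload."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    out = {"response": bool(flags & 0x8000), "questions": [], "records": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        off += 4  # top bit of qclass = unicast reply requested (QU)
        out["questions"].append((name, TYPES.get(qtype, str(qtype)), bool(qclass & 0x8000)))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        rdata = read_name(msg, off)[0] if rtype == 12 else msg[off:off + rdlen].hex()
        out["records"].append((name, TYPES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return out

# Constructed sample payloads (not captured traffic)
SERVICE = b"\x04_ipp\x04_tcp\x05local\x00"
SAMPLE_QUERY = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + SERVICE + struct.pack("!2H", 12, 0x8001)
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + SERVICE
                   + struct.pack("!2HIH", 12, 1, 4500, 14) + b"\x0bLab Printer\xc0\x0c")
```

Running `parse_mdns` over the payloads in a capture gives a quick inventory of which service types devices on the segment advertise, which is useful when deciding what should be visible on that network.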