Firewall - Disable multicast DNS on port 5335



I would like to prevent multicast DNS on port 5335.

There is an existing rule for this in the predefined firewall rules (which are enabled by default) named "Allow incoming multicast DNS requests from the Trusted zone on UDP 5355".

This specific rule cannot be disabled, unfortunately.

I do use the predefined firewall rules, so I would prefer not to disable them completely.

How can I keep all of the other predefined rules, but prevent multicast DNS? I also use the Trusted Zone for other firewall rules.


I can think of 2 options:

  1. Create a single policy with a firewall rule to block this traffic. How can I make sure the new policy's firewall rule to block this traffic is matched first?
  2. Remove the Trusted Zone networks. Create a new custom Zone to configure my custom firewall rules. If I do this, will the predefined firewall rule no longer work because there are no networks defined in the Trusted Zone?

To clarify, I believe you are referring to mDNS network traffic which is UDP protocol and port 5353.

Eset's default firewall rules for multicast DNS are misnamed, since those rules actually refer to the LLMNR service, i.e. protocol UDP, port 5355. Also, the default LLMNR firewall rules in regard to blocking and allowing traffic are controlled via enabling or disabling its Eset service setting, as @Marcos posted.

It took me a while to figure out that handling of mDNS network traffic via the Eset firewall is actually handled via the default "Allow all traffic within computer" named rule. This rule should not be disabled.

Additionally, Windows default firewall rules allow inbound mDNS for all profiles; Public, Private, and Domain. You should think twice about disabling any mDNS traffic within the local subnet network since Windows uses it extensively and has deprecated and disabled LLMNR inbound traffic on its firewall settings.

Bottom line - Eset firewall default settings will allow all local subnet mDNS traffic and block any other like inbound traffic. Therefore, no additional Eset firewall rule needs to be created. If you still want to disable inbound mDNS traffic, at your own risk, you would have to create a new firewall rule to block any inbound local network traffic for protocol UDP, port 5353. This rule must be moved above the existing default "Allow all traffic within computer" named rule.

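The reply above points out that the Windows Defender Firewall itself ships inbound allow rules for mDNS (UDP 5353) on all profiles, and that an Eset block rule only takes effect if it is ordered above "Allow all traffic within computer". The following PowerShell is an added example, not code from the thread or from Eset: it inventories the Windows-side rules that touch UDP 5353 (mDNS) and UDP 5355 (LLMNR), and optionally adds an explicit inbound block for mDNS from the local subnet. The rule name and function names are assumptions chosen for this example; it does not touch Eset's own rule list, which is managed only in the Eset GUI. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Eset thread or Eset documentation).
# Requires the NetSecurity module (present on Windows 8 / Server 2012 and later)
# and an elevated session. Function and rule names are assumptions for this example.

function Get-MulticastNameResolutionRules {
    # Ports live on the port-filter objects, so start there and join back to the
    # owning rule. Covers both mDNS (5353) and the LLMNR service (5355) that the
    # Eset rule names confusingly call "multicast DNS".
    $ports = @('5353', '5355')
    Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { @($_.LocalPort) | Where-Object { $ports -contains $_ } } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Action    = $rule.Action
                Enabled   = $rule.Enabled
                Profile   = $rule.Profile
                LocalPort = (@($_.LocalPort) -join ',')
            }
        }
}

function Block-InboundMdns {
    # Assumed display name; change it to match your own naming scheme.
    param([string]$Name = 'Block inbound mDNS (UDP 5353) from local subnet')

    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$Name' already exists; nothing changed."
        return
    }

    # Unlike the Eset firewall, Windows Defender Firewall does not evaluate rules
    # top-to-bottom: an explicit Block rule wins over Allow rules regardless of
    # position, so no reordering step is needed here.
    New-NetFirewallRule -DisplayName $Name `
        -Direction Inbound -Action Block `
        -Protocol UDP -LocalPort 5353 `
        -RemoteAddress LocalSubnet -Profile Any `
        -Description 'Added by example script: blocks local-subnet mDNS (use at your own risk)'
}

function Remove-InboundMdnsBlock {
    # Roll back the block rule created above.
    param([string]$Name = 'Block inbound mDNS (UDP 5353) from local subnet')
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Usage: review first, then decide whether to block.
Get-MulticastNameResolutionRules | Format-Table -AutoSize
# Block-InboundMdns
# Remove-InboundMdnsBlock
```

Look at the inventory before blocking anything: the reply above warns that Windows relies on mDNS within the local subnet, so expect to lose local name resolution and device discovery (printers, casting, Bonjour-style services) once the block rule is active. The inventory also makes the misnaming visible, since the LLMNR rules appear under 5355 while the mDNS rules appear under 5353.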
