Multicast DNS

Multicast DNS (mDNS) is a standard for using Domain Name System (DNS)
programming interfaces, packet formats and operating, without configuring a
conventional DNS server. It is useful in small networks without a DNS server, but can
also work in environments beside a DNS server. mDNS functionality is provided using
IP multicast over User Datagram Protocol (UDP).

mDNS is published as RFC 6762 and is implemented in Apple's Bonjour and

GNU/Linux Avahi.

Using mDNS allows a client to determine the IP address of a given host (a host name)
without the direct help of a centralised DNS server. The client machine, looking for the
given host's IP, sends a mDNS IP multicast query message to all the hosts sharing its
local network. Then, the corresponding host replies with a multicast message
announcing itself. With this reply, all machines in the subnet can update their mDNS
cache with the given host's information.

A host can clear its announcement to a network by sending a response packet with a
Time To Live (TTL) equal to zero.

mDNS uses the reserved namespace .local.

Service discovery

DNS-SD allows a list of hosts providing a given service to be built.

The query message is similar to the host discovery message, but the QTYPE is 0x000C
(PTR) instead of 0x0001 (A).

Packet Structure
The mDNS Ethernet frame is a multicast UDP packet to:

 MAC address 01:00:5E:00:00:FB[verification needed]

 IPv4 address 224.0.0.251 or IPv6 address FF02::FB
 UDP port 5353

Its structure is based on the DNS packet format.[1] It is built out of 2 parts: header and
data.
offset (bytes) 0 1
0 ID = 0x0000
2 Flags
4 QDCOUNT
6 ANCOUNT
8 NSCOUNT
10 ARCOUNT

12
Data

The flags are all 0 except for:

 the first bit, Query/Response (QR), which is 0 for a query and 1 for a response
 the sixth bit, Authoritative Answer (AR), which is equal to the bit QR

The data is the UTF-8 list of the parts of the name preceded by the length of the item. In
a question, the name is terminated with a 0x00 and followed by QTYPE which is 0x0001
for a host address, and QCLASS which is 0x0001 for Internet.

Example: Host Discovery

Trying a ping to appletv.local will force the computer to send a mDNS question
with UDP payload:

00 00 00 00 00 01 00 00 00 00 00 00 07 61 70 70
6c 65 74 76 05 6c 6f 63 61 6c 00 00 01 00 01

In the header, after the initial 00 00, Flags are zero (00 00), QDCOUNT is 1 (00 01) and
all other counts are zero (00 00 00). In the data, the string appletv is preceded by its
length 0x07 (07) and local by 0x05 (05). The name is followed by hex 00 00 01 00
01 (QTYPE = host address, QCLASS = question: false, class: in).

The queried device can respond, for ex.:

00 00 84 00 00 00 00 01 00 00 00 02 07 61 70 70
6c 65 74 76 05 6c 6f 63 61 6c 00 00 01 80 01 00
00 00 78 00 04 99 6d 07 5a c0 0c 00 1c 80 01 00
00 00 78 00 10 fe 80 00 00 00 00 00 00 02 23 32
ff fe b1 21 52 c0 0c 00 2f 80 01 00 00 00 78 00
08 c0 0c 00 04 40 00 00 08

In the header, Flags has bits QR and AR set, ANCOUNT is 1, ARCOUNT is 2 and all other
counts are zero.

The data is built out of 3 items: the answer and 2 additional records.

The answer consists of:

  the string appletv, preceded by its length 0x07, the string local, preceded by
length 0x05, and end of string delimiter 0x00
 the type 0x0001, address (A)
 the class 0x8001, Ethernet, with MSB set (mDNS-specific)
 the Time To Live (TTL) 0x00007800
 the length 0x0004
 the IP address 0x996D075A

The first additional record is:

 a link to the name at position 12, 0xC00C

 the type 0x001C, IPv6 address (AAAA)
 the class 0x8001, Ethernet
 the TTL 0x00007800
 the length 0x0010
 the IP address 0xFE80000000000000022332FFFEB12152

The second additional record is:

 a link to the name at position 12, 0xC00C

 the type 0x002F, name section (NSEC)
 the class 0x8001, Ethernet
 the TTL 0x00007800
 the length 0x0008
 the block and bitmap 0xC00C000440000008

Example: Service discovery

Starting a Bonjour or Avahi client which has no mDNS cache will cause it to send a
DNS based Service Discovery (DNS-SD) request in the form of an UDP packet with a
payload such as:

00000 00 00 00 00 00 02 00 05 00 00 00 00 09 5f 73 65
............._se
00010 72 76 69 63 65 73 07 5f 64 6e 73 2d 73 64 04 5f
rvices._dns-sd._
00020 75 64 70 05 6c 6f 63 61 6c 00 00 0c 00 01 01 62
udp.local......b
00030 c0 16 00 0c 00 01 c0 0c 00 0c 00 01 00 00 11 94
................
00040 00 14 0c 5f 77 6f 72 6b 73 74 61 74 69 6f 6e 04
..._workstation.
00050 5f 74 63 70 c0 23 c0 0c 00 0c 00 01 00 00 11 94
_tcp.#..........
00060 00 07 04 5f 72 66 62 c0 4f c0 0c 00 0c 00 01 00
..._rfb.O.......
00070 00 11 94 00 07 04 5f 73 73 68 c0 4f c0 0c 00 0c
......_ssh.O....
00080 00 01 00 00 11 94 00 0c 09 5f 73 66 74 70 2d 73
........._sftp-s
00090 73 68 c0 4f c0 0c 00 0c 00 01 00 00 11 94 00 09
sh.O............
000a0 06 5f 6f 64 69 73 6b c0 4f ._odisk.O
Devices with an mDNS responder service that receive the query would answer with a
response like this:

00000 00 00 84 00 00 01 00 03 00 00 00 00 09 5f 73 65
............._se
00010 72 76 69 63 65 73 07 5f 64 6e 73 2d 73 64 04 5f
rvices._dns-sd._
00020 75 64 70 05 6c 6f 63 61 6c 00 00 0c 00 01 c0 0c
udp.local.......
00030 00 0c 00 01 00 00 00 0a 00 13 0b 5f 61 66 70 6f
..........._afpo
00040 76 65 72 74 63 70 04 5f 74 63 70 c0 23 c0 0c 00
vertcp._tcp.#...
00050 0c 00 01 00 00 00 0a 00 07 04 5f 66 74 70 c0 46
.........._ftp.F
00060 c0 0c 00 0c 00 01 00 00 00 0a 00 07 04 5f 73 6d
............._sm
00070 62 c0 46 b.F

indicating that the responder provides Apple Filing Protocol, File Transfer Protocol and
SAMBA file sharing.