From charlesreid1

Revision as of 15:20, 11 July 2020 by Unknown user (talk)

multicast DNS:

Stumbled upon this 7/11/20 after setting up iptables and logging dropped packets, and seeing 224.0.0.251 sending traffic on port 5353.

Port 5353 was a clue that it was related to DNS, but it turns out this is a whole rabbit hole about some kind of local-network DNS.

RFC 6762: https://tools.ietf.org/html/rfc6762

Here it is in plain English: multicast DNS and service discovery are common in modern tech products (home and small office environments - printers, routers, etc.). They are part of zeroconf, a suite of technologies that helps network devices discover each other in the absence of an authoritative DNS server.

This is also used by laptops (e.g., Mac -> System Preferences -> Sharing). The name of your Mac followed by .local (MacAndCheese.local) is an address that everyone on the local network can find. How does that work?

You can make a DNS request for the name MacAndCheese.local using dig, and specify the special multicast address 224.0.0.251 and port 5353:

dig @224.0.0.251 -p 5353 +short MacAndCheese.local

This is a special multicast address for multicast DNS. When a query is sent to this special address, all devices on the network see a copy of the query and can choose to respond. If your Mac is up and sees the request, it responds with its IP address.
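To make the query/response exchange above concrete, here is an added Python example (not code from this wiki page) that builds the same mDNS query dig sends, parses an mDNS answer from the raw DNS wire format, and optionally sends the query to 224.0.0.251:5353 on the live network. The hostname MacAndCheese.local and the answer address 192.168.1.23 in the constructed sample packet are assumptions; the multicast group, port and packet layout come from RFC 6762.

```python
import socket
import struct

MDNS_GROUP = "224.0.0.251"  # link-local multicast group for mDNS (RFC 6762)
MDNS_PORT = 5353


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a one-question query (qtype 1 = A record).

    Transaction ID 0 and flags 0, as RFC 6762 uses for multicast queries.
    QCLASS is 1 (IN) with the top "unicast-response" bit clear, like dig sends.
    """
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset after the name).

    Compression pointers (top two bits 11) jump to an earlier offset; the hop
    limit stops a crafted packet with a pointer loop from spinning forever.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # name ends after the first pointer we followed
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes):
    """Parse the answer section of a DNS/mDNS response into a list of dicts."""
    _tid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip echoed questions
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        # mDNS reuses the top bit of the class as the "cache-flush" flag
        rendered = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "cache_flush": bool(rclass & 0x8000), "rdata": rendered})
    return answers


# Constructed sample answer: response flags 0x8400 (QR + AA), no question echoed,
# one A record for MacAndCheese.local -> 192.168.1.23 with cache-flush set, TTL 120.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
                   + encode_name("MacAndCheese.local")
                   + struct.pack("!HHIH", 1, 0x8001, 120, 4)
                   + socket.inet_aton("192.168.1.23"))


def query_network(name: str, timeout: float = 2.0):
    """Live version: send the query to the group and collect answers until timeout.

    Because our source port is an ephemeral one rather than 5353, responders treat
    this as a legacy unicast query (RFC 6762 section 6.7) and reply directly to us.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _src = sock.recvfrom(9000)
            results.extend(parse_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    print(build_query("MacAndCheese.local").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Running the file prints the hex of the 36-byte query and the parsed constructed answer; call query_network("MacAndCheese.local") on a LAN to see real responders. The parser is also a handy way to decode the 224.0.0.251 traffic you see in firewall logs, since every mDNS packet is ordinary DNS wire format on UDP 5353.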