Suricata

mDNS is just DNS on another port, right ?

I've looked a bit into this, and so far it seems that it's indeed just dns over 5353 so far. Adding 5353 to the UDP DNS ports in the yaml is enough to get logging going.

To me the main question now is: is this enough, or should we distinguish between dns and mdns? It's fairly trivial to reregister the dns parsers as mdns, so they get their own log type. This would require dns keywords to be updated as well.

On the other hand, we can also just annotate regular dns records as mdns by looking at the ports and/or dest address.

One thing to consider if that existing rules won't expect mdns/5353 to match app proto dns.

Related: there are several other DNS-like protocols. Netbios name service uses DNS structure but with a special name encoding. There is link local mnds too, using port 5355.

Related to #6281. MDNS actually uses the ability to have multiple queries in the request which is one of the logging issues #6281 addresses.

I wonder if its safe enough to identify DNS on port 5353 as mdns? If we need a further restriction, multicast and port 5353.

Conclusion after some discussion:

dns, doh, dns over tls should be grouped together as app proto dns
mdns and it's variants should be separate