Internet-Security raven logo internet-security.com

UDP 5355

ProtocolUDP
Port5355
LabelsLink-Local Multicast Name Resolution (LLMNR) allows hosts to perform name resolution for hosts on the same local link (only provided by Windows Vista and Server 2008)

Synopsis

  • UDP port 5355 is used by Link-Local Multicast Name Resolution (LLMNR).
  • Microsoft Windows (Vista/7/8/10/11 and Server 2008+) implements LLMNR on UDP 5355 to resolve local hostnames when DNS fails.
  • systemd-resolved on many Linux distributions (e.g., Ubuntu, Debian, Fedora, RHEL/CentOS with systemd-resolved enabled) can query/answer LLMNR on UDP 5355 by default unless explicitly disabled.
  • Real-world use: Windows clients in Active Directory or workgroup networks multicast LLMNR queries (e.g., for “fileserver”) and nearby Windows or Linux hosts running systemd-resolved may respond on UDP 5355.
  • Some network management and discovery tools rely on the OS’s LLMNR behavior rather than implementing their own stack, thus leveraging UDP 5355 indirectly.
  • Security angle: LLMNR on UDP 5355 is frequently abused for credential theft via LLMNR/NBNS poisoning; tools like Responder and Inveigh spoof replies to capture NTLM hashes on internal networks.
  • Because of this, enterprises often disable LLMNR via Group Policy or systemd-resolved settings.

Observed activity

Last 30 days Detailed chart

More information