Problems with MDNS flooding on port 5353 UDP

I am running into a big issue at a small network I manage. This network is an Apple network, with AirPort Extremes, Expresses, MacBook Pros, iMacs, iPads, iPhones, etc.

I went to add something to this network today and noticed lights flashing like crazy on the switch. After noticing this I started Wireshark and took a look at my firewall log file.

The line I see in the log files over and over is:

Deny 10.0.3.100 224.0.0.251 mdns/udp 5353 5353 1-Trusted Firebox udp flooding 123 255 (Internal Policy) proc_id="firewall" rc="101"

The source ip changes (10.0.3.100) but the message stays the same.

I am having a big issue figuring out what is causing this. When I have my wireless access points connected I cannot connect to anything on the network. When I unplug them the network is OK and is not saturated with this traffic.

Anyone have any good ways to go about diagnosing this issue? I am not sure if this just started or if it has always been the case, since I just noticed it now.

UPDATE: The message that I see when I ran Wireshark is the following:

25 0.006498000 10.0.3.3 224.0.0.251 MDNS 135 Standard query response 0x0000 A, cache flush 10.0.3.3 A, cache flush 169.254.233.55


Solution 1:

Several machines on your network seem to be using multicast DNS.

You might be creating some sort of network loop. For example, if packets are traveling from the physical network up one AP, which forwards them to the next AP, which sends them back to the physical network.

You should consider reviewing your switching/network hardware configuration as you seem to have a switching loop.

What is a switching loop? Check this: http://www.omnisecu.com/cisco-certified-network-associate-ccna/what-is-layer-2-switching-loop.htm

Solution 2:

If it were a switch loop you'd see much more than just the MDNS traffic. With a switch loop ALL frames are endlessly forwarded through the loop and the network would become virtually unusable in very short order.

If you can look at the CPU utilization on one of the switches that will also tell you whether or not a loop exists. If a loop exists the CPU utilization will max out (or be very close) and will stay that way until the loop is removed or the switch is power cycled (but if the loop still exists the CPU will max out again).

Do you see the same frames multiple times in the Wireshark capture? If so, you have a loop. If not then you don't.

What you more likely have is switch flooding due to a misconfigured or faulty device. Find the source of the frames and disconnect it from the network. Does the activity return to normal? Does the Wireshark capture look normal?
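As an added example (not code from either answer), a small Python script that applies the two checks from the answer above to a Wireshark summary export: count frames per source host (the "find the source" step), and flag identical frames replayed within a short window, which is the loop signature the answer describes. The capture lines are constructed in the format of the line in the question, not a real capture.

```python
from collections import Counter
import re

# Constructed sample in the Wireshark summary format shown in the question
# (frame no., time, src, dst, proto, length, info); not a real capture.
SAMPLE_CAPTURE = """\
25 0.006498 10.0.3.3 224.0.0.251 MDNS 135 Standard query response 0x0000 A, cache flush 10.0.3.3
26 0.006701 10.0.3.3 224.0.0.251 MDNS 135 Standard query response 0x0000 A, cache flush 10.0.3.3
27 0.006903 10.0.3.3 224.0.0.251 MDNS 135 Standard query response 0x0000 A, cache flush 10.0.3.3
28 0.012004 10.0.3.100 224.0.0.251 MDNS 92 Standard query 0x0000 PTR _airplay._tcp.local
29 0.020110 10.0.3.100 224.0.0.251 MDNS 92 Standard query 0x0000 PTR _raop._tcp.local
30 1.200000 10.0.3.7 224.0.0.251 MDNS 80 Standard query 0x0000 PTR _ipp._tcp.local
"""

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_capture(text):
    """Return (time, src, dst, info) tuples from Wireshark-style summary lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not a summary line
            frames.append((float(m.group(2)), m.group(3), m.group(4), m.group(7)))
    return frames

def frames_per_source(frames):
    """Who is generating the mDNS traffic: the 'find the source' step."""
    return Counter(src for _, src, _, _ in frames)

def duplicate_frames(frames, window_s=0.05):
    """Per source, count identical (src, dst, info) frames repeated within window_s."""
    # A loop replays the same frame within milliseconds; a chatty or faulty
    # host sends many distinct frames instead, so this separates the two cases.
    last_seen, dups = {}, Counter()
    for t, src, dst, info in frames:
        key = (src, dst, info)
        if key in last_seen and t - last_seen[key] <= window_s:
            dups[src] += 1
        last_seen[key] = t
    return dups

def verdict(frames):
    """One-line triage answer in the terms used by the answer above."""
    dups = duplicate_frames(frames)
    if dups:
        src, n = dups.most_common(1)[0]
        return f"loop suspected: {n} replayed frame(s) from {src}"
    src, n = frames_per_source(frames).most_common(1)[0]
    return f"no replayed frames; {src} is the top talker with {n} frame(s)"
```

Run `verdict(parse_capture(SAMPLE_CAPTURE))` on a real export (File > Export Packet Dissections > As Plain Text, summary lines only) to get the same triage on your own capture.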