From bef84b81a4ac2dbb3069c8a705a0368516bb21c6 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 7 Jun 2023 12:47:09 +0200
Subject: [PATCH] man: document which IP ports resolved listens on, and what
 for

Fixes: #23045
---
 man/systemd-resolved.service.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml
index 7003c36db7e..7cc143fd41d 100644
--- a/man/systemd-resolved.service.xml
+++ b/man/systemd-resolved.service.xml
@@ -442,6 +442,27 @@ search foobar.com barbar.com
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>IP Ports</title>
+
+    <para>The <command>systemd-resolved</command> service listens on the following IP ports:</para>
+
+    <itemizedlist>
+      <listitem><para>Port 53 on IPv4 addresses 127.0.0.53 and 127.0.0.54 (both are on the local loopback
+      interface <literal>lo</literal>). This is the local DNS stub, as discussed above. Both UDP and TCP are
+      covered.</para></listitem>
+
+      <listitem><para>Port 5353 on all local addresses, both IPv4 and IPv6 (0.0.0.0 and ::0), for
+      MulticastDNS on UDP. Note that even though the socket is bound to all local interfaces via the selected
+      "wildcard" IP addresses, the incoming datagrams are filtered by the network interface they are coming
+      in on, and separate MulticastDNS link-local scopes are maintained for each, taking into consideration
+      whether MulticastDNS is enabled for the interface or not.</para></listitem>
+
+      <listitem><para>Port 5355 on all local addresses, both IPv4 and IP6 (0.0.0.0 and ::0), for LLMNR, on
+      both TCP and UDP. As with MulticastDNS filtering by incoming network interface is applied.</para></listitem>
+    </itemizedlist>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>
     <para>