Disable externally-accessible port: systemd-resolved Link Local Multicast Name Resolution
The default configuration of systemd-resolved on our devices enables Link Local Multicast Name Resolution (LLMNR). As a result, systemd-resolved listens on port 5355 (tcp and udp) on all interfaces. We should disable this feature by default so that no remotely-accessible ports are listening on our device out of the box. Among other things, this protects against any future bug discovered in systemd-resolved's LLMNR handling that could be exploited remotely against our phone.
To disable this feature, edit /etc/systemd/resolved.conf and change the commented default line:
#LLMNR=yes
to:
LLMNR=no
(Note the key is spelled LLMNR; a misspelled key such as LLHMR is silently ignored by systemd-resolved and the port stays open.)
The systemd-resolved service will need to be restarted for the change to take effect; afterwards, `resolvectl status` should show LLMNR disabled and nothing should be listening on port 5355.
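As an added example (not part of this report or of systemd's own tooling), the following POSIX shell script applies the change idempotently to a resolved.conf-style file and checks the result. The function names set_llmnr_off, llmnr_setting and llmnr_port_listening are assumptions made for this example; the file path, the LLMNR key and port 5355 are as described above. Run it as `sh disable-llmnr.sh apply` as root to edit the real file and restart the service.

```shell
#!/bin/sh
# Added example (not from the original report): turn off LLMNR in a
# systemd-resolved configuration file and verify the effect.

# set_llmnr_off FILE
# Rewrites FILE so that it contains exactly one active "LLMNR=no" line:
#  - an existing LLMNR= line (commented or not) is replaced,
#  - otherwise the key is inserted right after the [Resolve] header,
#  - otherwise a [Resolve] section with the key is appended.
set_llmnr_off() {
    f="$1"
    tmp="$f.tmp"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*LLMNR=' "$f"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*LLMNR=.*/LLMNR=no/' "$f" > "$tmp"
    elif grep -q '^\[Resolve\]' "$f"; then
        sed '/^\[Resolve\]/a\
LLMNR=no' "$f" > "$tmp"
    else
        { cat "$f"; printf '[Resolve]\nLLMNR=no\n'; } > "$tmp"
    fi
    mv "$tmp" "$f"
}

# llmnr_setting FILE
# Prints the effective (uncommented) LLMNR value, or "default" when the
# key is absent, i.e. systemd-resolved falls back to its built-in default.
llmnr_setting() {
    v=$(sed -nE 's/^[[:space:]]*LLMNR=(.*)$/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# llmnr_port_listening
# Succeeds (exit 0) if any socket is bound to port 5355, the LLMNR port.
llmnr_port_listening() {
    ss -lntu 2>/dev/null | grep -q ':5355[[:space:]]'
}

# Apply to the real system only when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    conf=/etc/systemd/resolved.conf
    set_llmnr_off "$conf"
    echo "LLMNR in $conf is now: $(llmnr_setting "$conf")"
    systemctl restart systemd-resolved
    # Expect "-LLMNR" in the Protocols line and no listener on 5355.
    resolvectl status | grep -i llmnr
    if llmnr_port_listening; then
        echo "WARNING: something is still listening on port 5355" >&2
        exit 1
    fi
    echo "OK: port 5355 is closed"
fi
```

The script edits a temporary copy and then moves it into place, so a failure halfway through leaves the original file untouched; the final port check catches the case where the key was misspelled or the service was not actually restarted.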