Disable externally-accessible port: systemd-resolved Link Local Multicast Name Resolution
The default configuration of our systemd-resolved enables Link-Local Multicast Name Resolution (LLMNR). As a result, systemd-resolved listens on port 5355 TCP/UDP on all interfaces. We should disable this feature by default so that no remotely-accessible ports are listening on our device by default. Among other things, this protects against some future bug discovered in systemd-resolved that could be exploited remotely on our phone.
To disable this feature, edit /etc/systemd/resolved.conf and change:
The systemd-resolved service will need to be restarted for the change to take effect.
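One way to script the edit and confirm that the port is closed afterwards, as an added example that is not part of the original report. It assumes the intended change is setting LLMNR=no in the [Resolve] section (a documented resolved.conf option); the function names and the sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Assumption: the change is "LLMNR=no" under [Resolve].

# set_llmnr_off FILE: leave exactly one LLMNR line, "LLMNR=no", in [Resolve].
# Handles the commented-out stock default, an existing value, duplicates,
# and a file with no [Resolve] section at all. Safe to run repeatedly.
set_llmnr_off() {
    local conf="$1" tmp rc
    tmp="$(mktemp)" || return 1
    if awk '
        function emit() { if (in_resolve && !done) { print "LLMNR=no"; done = 1 } }
        /^\[/ { emit(); in_resolve = ($0 ~ /^\[Resolve\]/); print; next }
        in_resolve && /^[#; \t]*LLMNR[ \t]*=/ {
            if (!done) { print "LLMNR=no"; done = 1 }
            next    # drop every other LLMNR line, commented or not
        }
        { print }
        END { emit(); if (!done) { print "[Resolve]"; print "LLMNR=no" } }
    ' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"; rc=$?   # overwrite in place, keeping owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# llmnr_listeners: read `ss -H -tuln` output on stdin and print every socket
# whose local address ends in port 5355. No output means nothing is listening.
llmnr_listeners() {
    awk '$5 ~ /:5355$/ { print $1, $5 }'
}

# On the device, as root:
#   set_llmnr_off /etc/systemd/resolved.conf
#   systemctl restart systemd-resolved
#   ss -H -tuln | llmnr_listeners

# Offline demo on a constructed file: run this script with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    f="$(mktemp)"
    printf '[Resolve]\n#DNS=\n#LLMNR=yes\n#MulticastDNS=yes\n' > "$f"
    set_llmnr_off "$f" && cat "$f"
    rm -f "$f"
fi
```

If llmnr_listeners still prints a line after the restart, check for a drop-in under /etc/systemd/resolved.conf.d/ that sets LLMNR again, since drop-ins override the main file.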