by egberts1 1047 days ago
Nice writeup. Always put my mDNS-capable server devices behind a fire-walled sub-subnet or disable the server’s Avahi/Bonjour if not needed.

Clients can run Avahi/Bonjour just fine, provided those ports are firewall-limited to its non-public subnet.

1 comment

Since mDNS works over multicast, it will not leave its respective subnet. Getting that traffic over subnet boundaries is a problem of its own (see also mDNS reflector).
(Devices that advertise mDNS as a server should also not communicate via unicast IP out to the Internet; block those kinds.)

Looking at you, both HP and Epson printers. Buy a Brother printer but without their “Refresh” option (Refresh is a dial-home leaky privacy thing).
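The two recommendations in this thread, keeping mDNS limited to the non-public subnet and blocking unicast egress from a host that advertises mDNS as a server, as an added nftables ruleset that is not from the thread or from any of its commenters; the interface name eth0 and the subnet 192.168.10.0/24 are placeholder assumptions to adjust for your LAN.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original thread. Assumed values: the LAN
# interface is eth0 and the trusted (non-public) subnet is 192.168.10.0/24.
define lan_if  = "eth0"
define lan_net = 192.168.10.0/24

table inet mdns_guard {
    chain input {
        type filter hook input priority filter; policy accept;

        # mDNS is UDP 5353 sent to 224.0.0.251 (IPv4) or ff02::fb (IPv6).
        # Only accept it on the LAN interface from the trusted subnet
        # (IPv6 mDNS is link-local, so fe80::/10 is the equivalent scope).
        iif $lan_if ip  saddr $lan_net  udp dport 5353 accept
        iif $lan_if ip6 saddr fe80::/10 udp dport 5353 accept

        # Any other mDNS traffic (wrong interface, routed in from another
        # subnet, or via a reflector you did not set up) is logged and dropped.
        udp dport 5353 limit rate 5/minute log prefix "mdns-guard in-drop: "
        udp dport 5353 drop
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # A device that advertises services via mDNS should not talk unicast
        # to the Internet. Replies to inbound connections (e.g. print jobs
        # from the LAN) are covered by conntrack; local and multicast
        # destinations are allowed; everything else is logged and dropped.
        ct state established,related accept
        oif "lo" accept
        ip  daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 } accept
        ip6 daddr { fe80::/10, fc00::/7, ff00::/8 } accept
        limit rate 5/minute log prefix "mdns-guard egress-drop: "
        drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: "in-drop" entries show mDNS arriving from outside the subnet, "egress-drop" entries show the device trying to phone home. If the LAN uses global IPv6 addresses, add that prefix to the ip6 daddr set or LAN-internal traffic will be blocked too.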