Found some unexpected TCP socket listening on port 5355.
The corresponding process was systemd-resolved.
Turns out this is the LLMNR implementation for name resolution on the local network, which is enabled by default.

As this is not useful on a server (and rather another attack vector to keep an eye on), I decided to turn it off.
This can be done by adding LLMNR=no to /etc/systemd/resolved.conf and then doing a service systemd-resolved restart.

(via)