The Windows operating systems, both client and server, will always prefer resolving names through the well-known DNS process. However, if a queried name is not present in the DNS zones, the local client falls back to three alternative methods:
Link-Local Multicast Name Resolution: UDP/5355
MulticastDNS: UDP/5353
NetBIOS name broadcast: UDP/137
The full details of these protocols can be found in this article.
All of these protocols have the common characteristics that they are designed for name resolution primarily in home networks. Inside isolated boundaries, they provide an easy and useful ability for various smart-TVs, audio speakers, and other equipment to connect to each other.
However, in an enterprise environment, the protocols present potential risks.
The name queries are sent to all devices on the local subnet, and any device can reply to any question, legit or not. There is no authentication or verification possible on the incoming reply. The client or server will believe whatever name reply it is being fed from the anonymous network. This presents an option for a malicious user to stage, e.g., man-in-the-middle attacks.
If an administrator desires to have the clients and servers solely rely on DNS lookups, the decision could be made to disable the local name resolution methods.
How to disable LLMNR:
LLMNR was added in Windows Server 2008 and Windows Vista.
How to verify the current status of LLMNR of the system:
Open a classical Command Prompt (CMD) and run the following command:
reg query "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" | FIND /i "EnableMulticast"
If you receive no output, LLMNR is active. If you receive output with the value 0x1, LLMNR is also active. Only a value of 0x0 means LLMNR has been turned off.
Additional method to verify if LLMNR is enabled:
netstat -nao | FIND /i ":5355 "
If you see a listening port on UDP/5355, LLMNR is active on the machine.
LLMNR is the easiest method to remove. The protocol can be disabled by a Group Policy Setting:
Computer\Policies\Administrative templates\Network\DNS Client
Turn off multicast name resolution: ENABLED
How to disable MulticastDNS:
How to verify if MulticastDNS is currently running on the system:
Open a classical Command Prompt (CMD) and run the following command:
reg query "HKLM\System\CurrentControlSet\Services\DNScache\Parameters" | FIND /i "EnableMDNS"
If you receive no output, MulticastDNS is active. If you receive output with the value 0x1, MulticastDNS is also active.
Additional method to check if mDNS is running on a system:
netstat -nao | FIND /i ":5353 "
If you see a listening port on UDP/5353, mDNS is active on the machine.
MulticastDNS, having only recently been added to the Windows Server 2019 and 2022 operating systems, does not have a managed Group Policy setting to disable the protocol.
At system boot, the server will check for the presence of a specific registry value:
HKLM\System\CurrentControlSet\Services\DNScache\Parameters\EnableMDNS
If this value does not exist, the server will assume that mDNS should be running. By default, this entry will not be present, meaning the server will automatically load mDNS.
By adding the registry entry EnableMDNS with the value 0, the system will not load mDNS. Note that this value is only checked at system boot, so the change takes effect after a restart.
The best option to disable mDNS is to define the registry value through Group Policy Preferences.
Use the action “Update”, the hive “HKEY_LOCAL_MACHINE” and the Key Path:
System\CurrentControlSet\Services\DNScache\Parameters
The value must be called:
EnableMDNS
The value type is REG_DWORD and the actual value data set to zero.
How to disable NetBIOS name resolution broadcasts:
NetBIOS is the oldest local name resolution option still available. It is also the method that is slightly more complicated to disable.
How to verify if NetBIOS is currently running on a system:
Open a classical Command Prompt (CMD) and run the following command:
ipconfig /all | FIND /i "netbios"
The output shows a “NetBIOS over Tcpip” line per adapter, reading either Enabled or Disabled.
Additional method to verify if NetBIOS is active:
netstat -nao | find /i ":137 "
If you see the UDP port listed, NetBIOS broadcast name resolution is enabled.
Note that when disabling NetBIOS name resolution, you will also disable the listening port TCP/139. This port was used to host the file server service (SMB) before the release of Windows 2000. Since then, the default port for SMB is TCP/445. However, for backwards compatibility, e.g., with clients potentially running Windows 95, TCP/139 is still enabled on all systems. Historically, many security vulnerabilities have been present on the NetBIOS TCP/139 port.
There are three main options to disable NetBIOS.
Option 1 to disable NetBIOS:
For clients receiving their TCP/IP configuration through DHCP, a convenient option is available.
On the Microsoft DHCP server, open the scope, right click Scope Options – Configure Options – Advanced – “Microsoft Windows 2000 Options” in the “Vendor class” list.
Set the “001 Microsoft Disable Netbios Option” to the value “0x2”.
This method is an effective option to remove NetBIOS for client computers.
Option 2 to disable NetBIOS:
For non-DHCP systems, i.e., often servers, NetBIOS can be manually removed through the graphical interface.
Disable NetBIOS through the network interface properties:
TCP/IPv4 properties – Advanced – WINS – Disable NetBIOS over TCP/IP
Option 3 to disable NetBIOS:
Disabling NetBIOS programmatically is more difficult, because NetBIOS stores its settings in the registry under each unique Network Interface Card GUID:
HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces
Due to each interface having a randomized and globally unique GUID, the final path is not predictable.
On systems with multiple NICs, the GUID of each interface card can be retrieved with the PowerShell command:
Get-NetAdapter | Format-List -Property name,DeviceID
Set the registry value:
HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip_{guid}\netbiosoptions = 2
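The Option 3 procedure above can be carried out for every interface at once. The following PowerShell script is an added example, not code from the original article: it walks the Tcpip_{GUID} subkeys, maps each GUID to its adapter name via Get-NetAdapter's DeviceID property, and sets NetbiosOptions to 2 where it is not already 2. It assumes an elevated prompt and supports -WhatIf.

```powershell
# Added example (not from the original article): disable NetBIOS over TCP/IP on every
# interface by setting NetbiosOptions = 2 under each Tcpip_{GUID} subkey.
# Run from an elevated PowerShell prompt; -WhatIf shows what would change without writing.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# Build a GUID -> adapter name lookup so the report is readable (DeviceID holds the {GUID}).
$names = @{}
Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object {
    $names[$_.DeviceID.ToLower()] = $_.Name
}

foreach ($key in Get-ChildItem -Path $base | Where-Object { $_.PSChildName -like 'Tcpip_*' }) {
    $guid    = $key.PSChildName.Substring(6).ToLower()      # strip the 'Tcpip_' prefix
    $adapter = if ($names.ContainsKey($guid)) { $names[$guid] } else { '(no matching adapter)' }

    # NetbiosOptions: 0 = follow the DHCP option, 1 = enabled, 2 = disabled.
    # An absent value is treated as the default, 0.
    $current = (Get-ItemProperty -Path $key.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($null -eq $current) { $current = 0 }

    if ($current -eq 2) {
        Write-Output ("{0,-30} {1} already disabled" -f $adapter, $key.PSChildName)
        continue
    }
    if ($PSCmdlet.ShouldProcess("$adapter ($($key.PSChildName))", 'Set NetbiosOptions = 2')) {
        Set-ItemProperty -Path $key.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        Write-Output ("{0,-30} {1} NetbiosOptions {2} -> 2" -f $adapter, $key.PSChildName, $current)
    }
}
```

Reboot afterwards and rerun the netstat check for ":137 " to confirm the listener is gone; the registry change alone does not unbind the port on a running system.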
SUMMARY:
To verify the before and after state, use a classical Command Prompt (CMD) and run the following commands:
netstat -nao | FIND /i ":137 "
netstat -nao | FIND /i ":5353 "
netstat -nao | FIND /i ":5355 "
If you receive any output, at least one of the local name resolution methods is still enabled.
If you receive no output, all three local name resolution protocols are now disabled.
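The before-and-after check can also be automated. The following PowerShell function is an added example, not code from the original article: it combines the three registry checks described above with a live check of UDP listeners via Get-NetUDPEndpoint, and returns one object per protocol so the result can be piped to Export-Csv or compared across hosts.

```powershell
# Added example (not from the original article): audit LLMNR, mDNS and NetBIOS on this
# host. ConfiguredOff reflects the registry state the article describes; Listening reflects
# whether anything is currently bound to the protocol's UDP port.
function Get-LocalNameResolutionState {
    # Read a DWORD value, returning $null when the key or value is absent.
    function Get-RegDword($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # True when any UDP endpoint is bound to the given local port.
    function Test-UdpListener([int]$Port) {
        $null -ne (Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
    }

    # LLMNR: EnableMulticast = 0 disables; a missing value or 1 means enabled.
    $llmnr = Get-RegDword 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    # mDNS: EnableMDNS = 0 disables; a missing value means mDNS is loaded at boot.
    $mdns  = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS'
    # NetBIOS: every Tcpip_{GUID} interface must have NetbiosOptions = 2 to count as disabled.
    # Interfaces relying on the DHCP option (Option 1) show 0 here; the Listening column covers them.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
              Where-Object { $_.PSChildName -like 'Tcpip_*' }
    $nbStillOn = @($ifaces | Where-Object { (Get-RegDword $_.PSPath 'NetbiosOptions') -ne 2 })

    [PSCustomObject]@{ Protocol = 'LLMNR';   Port = 5355; ConfiguredOff = ($llmnr -eq 0);          Listening = (Test-UdpListener 5355) }
    [PSCustomObject]@{ Protocol = 'mDNS';    Port = 5353; ConfiguredOff = ($mdns -eq 0);           Listening = (Test-UdpListener 5353) }
    [PSCustomObject]@{ Protocol = 'NetBIOS'; Port = 137;  ConfiguredOff = ($nbStillOn.Count -eq 0); Listening = (Test-UdpListener 137) }
}

# ConfiguredOff = True together with Listening = True usually means the change is waiting for a reboot.
Get-LocalNameResolutionState | Format-Table -AutoSize
```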