Insecure Name Resolution (LLMNR / NBNS / mDNS)

LLMNR

  • Purpose: DNS fallback for single-label (unqualified) names (e.g., print1; not FQDNs like print1.corp.example.com).
  • Scope: Link-local only (same L2/VLAN); not routed.
  • Behavior: Unauthenticated; client accepts the first valid reply on the local link—fastest responder wins.
  • Typical abuse: Poison replies to redirect SMB/HTTP to attacker; capture/relay NetNTLM; often used to win wpad lookups.
  • Disable:
    • GPO Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution (Enable).
    • Registry HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast=0.
  • Notes: Part of the DNS resolution path for single-label names (fallback after DNS). Disabling LLMNR does not affect NetBIOS name resolution (NBNS/WINS)—that’s a separate stack. Minimal impact in AD with proper DNS; may affect ad-hoc peer discovery on unmanaged subnets.

NBNS (NBT-NS)

  • Purpose: Legacy NetBIOS hostname resolution for single-label NetBIOS names used by SMB/NetBIOS apps; consulted when NetBIOS over TCP/IP is enabled (often after DNS/LLMNR).
  • Scope: Local subnet broadcast; not routed. If WINS is configured, clients also send unicast NBNS/WINS across subnets (not the broadcast poison surface).
  • Behavior: Unauthenticated; fastest reply wins; often enabled by NIC/DHCP defaults.
  • Typical abuse: Spoof broadcast replies (e.g., wpad, fileserver) to coerce SMB/HTTP auth; capture NetNTLM for relay/cracking.
  • Disable: Must be disabled per NIC.
    • Per-NIC: adapter properties → IPv4 → Advanced → WINS tab → select Disable NetBIOS over TCP/IP.
    • Registry: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*: NetbiosOptions=2.
    • Also remove WINS servers and disable LMHOSTS lookup.
  • Notes: Resolves NetBIOS names (legacy 16-byte namespace), separate from DNS/LLMNR. Disabling LLMNR alone won’t stop NBNS/WINS resolution; you must disable NetBIOS over TCP/IP per NIC. Poisoning requires same-LAN presence; WINS unicast isn’t typically poisonable. May impact legacy devices/apps; modern AD should rely on DNS.
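The LLMNR and NBNS disable steps above are usually applied by GPO, but a host-level audit is the quickest way to confirm they actually landed on every interface. The following PowerShell script is an added example (not from the original page): by default it only reports the state of the registry values listed above, and with -Remediate it sets EnableMulticast=0, NetbiosOptions=2 on every Tcpip_* interface, turns off LMHOSTS lookup and clears static WINS servers. The value names EnableLMHOSTS and NameServerList, and the use of Get-NetAdapter to label interfaces by adapter name, are assumptions based on the standard NetBT registry layout rather than anything stated on the page.

```powershell
<#
  Audit (default) or fix (-Remediate) LLMNR and NetBIOS-over-TCP/IP on the local host.
  Run elevated. Registry paths are the ones from the page; EnableLMHOSTS and NameServerList
  are assumed to be the standard NetBT values for LMHOSTS lookup and static WINS servers.
#>
[CmdletBinding()]
param([switch]$Remediate)   # without the switch nothing is changed

$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is missing ("not configured" = insecure default)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    New-Item -Path $Path -Force | Out-Null            # creates the key if absent, keeps it otherwise
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Host "  -> set $Name=$Value under $Path"
}

$report = @()

# LLMNR: the GPO "Turn off multicast name resolution" writes EnableMulticast=0
$llmnr = Get-RegValue $dnsClientPolicy 'EnableMulticast'
$report += [pscustomobject]@{ Item = 'LLMNR'; Interface = '-'; State = $(if ($llmnr -eq 0) { 'disabled' } else { 'ENABLED' }) }
if ($Remediate -and $llmnr -ne 0) { Set-RegDword $dnsClientPolicy 'EnableMulticast' 0 }

# LMHOSTS lookup is a NetBT-wide setting (assumed value name: EnableLMHOSTS)
$lmh = Get-RegValue $netbtParams 'EnableLMHOSTS'
$report += [pscustomobject]@{ Item = 'LMHOSTS lookup'; Interface = '-'; State = $(if ($lmh -eq 0) { 'disabled' } else { 'ENABLED' }) }
if ($Remediate -and $lmh -ne 0) { Set-RegDword $netbtParams 'EnableLMHOSTS' 0 }

# Map interface GUIDs to adapter names so the per-NIC rows are readable (hidden adapters keep the GUID)
$names = @{}
Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.InterfaceGuid.ToUpper()] = $_.Name }

# NetBIOS over TCP/IP is per interface: NetbiosOptions 0 = DHCP default, 1 = on, 2 = off
foreach ($key in Get-ChildItem (Join-Path $netbtParams 'Interfaces') | Where-Object PSChildName -like 'Tcpip_*') {
    $guid  = ($key.PSChildName -replace '^Tcpip_', '').ToUpper()
    $label = if ($names.ContainsKey($guid)) { $names[$guid] } else { $guid }
    $opt   = Get-RegValue $key.PSPath 'NetbiosOptions'
    $wins  = @(Get-RegValue $key.PSPath 'NameServerList' | Where-Object { $_ })   # assumed static WINS list
    $state = if ($opt -eq 2) { 'disabled' } elseif ($opt -eq 1) { 'ENABLED' } else { 'ENABLED (DHCP/default)' }
    $report += [pscustomobject]@{ Item = 'NetBT'; Interface = $label; State = $state }
    $report += [pscustomobject]@{ Item = 'WINS servers'; Interface = $label; State = $(if ($wins.Count) { $wins -join ',' } else { 'none' }) }
    if ($Remediate -and $opt -ne 2) { Set-RegDword $key.PSPath 'NetbiosOptions' 2 }
    if ($Remediate -and $wins.Count) {
        # Clears the static list only; WINS servers handed out by DHCP reappear until removed at the scope
        Set-ItemProperty -Path $key.PSPath -Name 'NameServerList' -Value ([string[]]@()) -Type MultiString
        Write-Host "  -> cleared static WINS servers on $label"
    }
}

$report | Format-Table -AutoSize
if ($Remediate) { Write-Host 'NetBT changes take effect after a reboot (or disabling/re-enabling the adapter).' }
```

Run it without arguments first and keep the table as evidence; the "ENABLED (DHCP/default)" row is the one most often missed, because NetbiosOptions=0 looks unconfigured but means the DHCP lease decides, and most DHCP servers leave NetBIOS on.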

mDNS

  • Purpose: Zero-config name/service discovery for .local using DNS-SD (Bonjour/IoT, some apps).
  • Scope: Link-local multicast; not routed by default. Some networks deploy mDNS reflectors/gateways that relay across VLANs.
  • Behavior: Unauthenticated; hosts advertise and answer on the LAN.
  • Typical abuse: Answer .local or advertise services to draw HTTP/SMB connections; capture/relay NetNTLM from clients that auto-connect.
  • Disable: Remove/disable Bonjour/mDNS components; turn off app features relying on mDNS; block UDP 5353 at host/switch where not needed.
  • Notes: Disabling can break AirPrint/AirPlay/Cast and discovery-based apps; evaluate per segment and device class.

Detection & hardening (summary)

  • Disable LLMNR and NBNS; prefer DNS‑only.
  • Disable NetBIOS over TCP/IP on interfaces.
  • Monitor for broadcast LLMNR/NBNS queries and unexpected responder hosts.
  • Enforce SMB/LDAP signing and Extended Protection where applicable.
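The "unexpected responder hosts" bullet is easiest to act on with a canary query: ask the link for a name nobody owns and record who answers, since no legitimate host claims a random name. The script below is an added example, not from the original page, and goes slightly beyond the bullet by probing mDNS as well as LLMNR and NBNS (the mDNS section above lists UDP 5353). It uses the standard LLMNR (224.0.0.252:5355), mDNS (224.0.0.251:5353) and NBNS (broadcast, UDP 137) endpoints; the canary name is constructed at run time, and the transaction IDs are arbitrary.

```powershell
<#
  Name-resolution canary: ask LLMNR, mDNS and NBNS for a name nobody owns and report
  anyone who answers. Every answer is an unexpected responder on this link.
#>
function New-DnsStyleQuery {
    param([string]$Name, [uint16]$Id, [switch]$UnicastResponse)
    # LLMNR and mDNS use the DNS wire format: 12-byte header, QNAME labels, QTYPE, QCLASS.
    # mDNS sets the top bit of QCLASS (QU) to ask for a unicast reply to our source port.
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange([byte[]]@(($Id -shr 8), ($Id -band 0xFF), 0,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]($lb.Length)); $b.AddRange($lb)
    }
    $qclass = if ($UnicastResponse) { 0x8001 } else { 0x0001 }
    $b.AddRange([byte[]]@(0, 0,1, ($qclass -shr 8), ($qclass -band 0xFF)))   # root, QTYPE=A, QCLASS
    return $b.ToArray()
}

function New-NbnsQuery {
    param([string]$Name, [uint16]$Id)
    # NBNS: 16-byte NetBIOS name (15 chars space-padded + suffix 0x20 "file server"),
    # each byte split into two nibbles written as 'A'+nibble; flags 0x0110 = query, broadcast
    $raw = $Name.ToUpper().PadRight(15).Substring(0, 15) + ' '
    $enc = ''
    foreach ($c in $raw.ToCharArray()) {
        $v = [int]$c
        $enc += '{0}{1}' -f [char](65 + ($v -shr 4)), [char](65 + ($v -band 0xF))
    }
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange([byte[]]@(($Id -shr 8), ($Id -band 0xFF), 0x01,0x10, 0,1, 0,0, 0,0, 0,0))
    $b.Add([byte]32); $b.AddRange([System.Text.Encoding]::ASCII.GetBytes($enc)); $b.Add([byte]0)
    $b.AddRange([byte[]]@(0,0x20, 0,1))   # QTYPE=NB, QCLASS=IN
    return $b.ToArray()
}

function Skip-DnsName {
    param([byte[]]$Data, [int]$Offset)
    # Offset just past a label sequence; a 0xC0 compression pointer ends the name in two bytes
    while ($Offset -lt $Data.Length) {
        $len = $Data[$Offset]
        if ($len -eq 0) { return $Offset + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 }
        $Offset += 1 + $len
    }
    return $Offset
}

function Get-AnswerAddress {
    param([byte[]]$Data)
    # IPv4 of the first answer: A rdata is the address; NB rdata is 2 flag bytes then the address
    $qd  = ($Data[4] -shl 8) -bor $Data[5]
    $off = 12
    for ($i = 0; $i -lt $qd; $i++) { $off = (Skip-DnsName $Data $off) + 4 }   # skip question(s)
    $off = Skip-DnsName $Data $off
    if ($off + 10 -gt $Data.Length) { return $null }
    $type = ($Data[$off] -shl 8) -bor $Data[$off + 1]
    $rd   = $off + 10
    if ($type -eq 1) { $ip = $rd } elseif ($type -eq 0x20) { $ip = $rd + 2 } else { return $null }
    if ($ip + 4 -gt $Data.Length) { return $null }
    return [System.Net.IPAddress]::new([byte[]]$Data[$ip..($ip + 3)]).ToString()
}

function Invoke-NameCanary {
    param([string]$Proto, [uint16]$Id, [byte[]]$Query, [System.Net.IPEndPoint]$Target, [int]$TimeoutSec = 3)
    $udp = New-Object System.Net.Sockets.UdpClient(0)          # ephemeral source port; replies come back here
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = $TimeoutSec * 1000               # Receive() throws when nobody answers
    [void]$udp.Send($Query, $Query.Length, $Target)
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        try { $data = $udp.Receive([ref]$remote) } catch { break }
        if ($data.Length -lt 12) { continue }
        $rid   = ($data[0] -shl 8) -bor $data[1]
        $isRsp = ($data[2] -band 0x80) -ne 0                      # QR bit
        $an    = ($data[6] -shl 8) -bor $data[7]                   # ANCOUNT
        if ($isRsp -and $rid -eq $Id -and $an -gt 0) {
            [pscustomobject]@{ Protocol = $Proto; Responder = $remote.Address.ToString(); AnswerIP = (Get-AnswerAddress $data) }
        }
    }
    $udp.Close()
}

# Constructed canary name (random, 15 chars so it also fits the NetBIOS limit)
$canary = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$ep = { param($a, $p) New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse($a), $p) }
$hits = @(
    Invoke-NameCanary -Proto 'LLMNR' -Id 0x1111 -Query (New-DnsStyleQuery $canary 0x1111) -Target (& $ep '224.0.0.252' 5355)
    Invoke-NameCanary -Proto 'mDNS'  -Id 0x2222 -Query (New-DnsStyleQuery "$canary.local" 0x2222 -UnicastResponse) -Target (& $ep '224.0.0.251' 5353)
    Invoke-NameCanary -Proto 'NBNS'  -Id 0x3333 -Query (New-NbnsQuery $canary 0x3333) -Target (& $ep '255.255.255.255' 137)
)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { Write-Host "No host answered '$canary' on LLMNR/mDNS/NBNS." }
```

Scheduled from a few hosts per VLAN, this gives a per-segment signal that the hardening above does not: it catches a poisoner even when your own clients are already fixed. Two caveats: a responder on another VLAN is only visible if an mDNS reflector or similar relay carries the traffic, and an mDNS implementation that ignores the QU bit and answers on the multicast group is not seen by this unicast-only listener.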