The combination of mDNS, LLMNR, and NBT-NS creates a devastating attack surface that allows adversaries to poison name resolution, capture credentials, and establish persistence in enterprise networks. Recent threat intelligence shows these protocols are increasingly targeted in sophisticated attack campaigns, with attackers leveraging automated tools to exploit all three protocols simultaneously.
This trinity of name resolution protocols represents one of the most overlooked yet critical security vulnerabilities in modern enterprise networks. While organizations focus on perimeter security and advanced persistent threats, attackers are quietly exploiting these foundational network protocols to gain initial access and escalate privileges.
Key Findings:
A user attempts to access a network resource using a hostname that cannot be resolved through the primary DNS server. This could be due to:
When DNS resolution fails, operating systems automatically fall back to alternative name resolution methods:
Attackers deploy tools like Responder, which listens for these multicast queries and responds faster than legitimate services. The tool simultaneously monitors:
When the victim’s system receives the malicious response, it attempts to authenticate to the attacker’s fake server, sending:
Protocol: UDP 5355 Target: Windows Vista and later Attack Method: Multicast query poisoning
LLMNR was designed to provide name resolution in scenarios where DNS is not available. However, it operates on the assumption that all devices on the local network are trustworthy. Any device on the network can respond to LLMNR queries, letting them impersonate another device.
Common Attack Scenarios:
Protocol: UDP 137 Target: All Windows versions (legacy support) Attack Method: NetBIOS name poisoning
NBT-NS provides backward compatibility for legacy Windows applications that rely on NetBIOS names. Despite being deprecated, it remains enabled by default on most Windows systems.
Common Attack Scenarios:
Protocol: UDP 5353 Target: Apple devices, Linux systems, modern Windows Attack Method: Multicast query spoofing
mDNS enables zero-configuration networking, allowing devices to automatically discover services without manual configuration. It’s particularly prevalent in environments with Apple devices and IoT systems.
Common Attack Scenarios:
Timeline: 3 minutes from typo to credential capture
A marketing manager attempts to access the print server by typing \\pintserver instead of \\printserver. The Windows system cannot resolve the hostname through DNS and broadcasts an LLMNR query. An attacker running Responder immediately responds, claiming to be the print server. The victim’s system attempts to authenticate, sending their NTLM hash. The attacker captures the hash and begins offline cracking.
Impact: Domain user credentials compromised, lateral movement initiated
Timeline: 5 minutes from network connection to domain compromise
An executive’s iPhone connects to the corporate WiFi network and automatically searches for AirPrint services using mDNS. An attacker positioned on the network responds to the mDNS query, presenting a malicious print service. When the device attempts to authenticate, the attacker captures the user’s domain credentials through the corporate wireless authentication.
Impact: Executive-level access compromised, sensitive data exposure
Timeline: 2 minutes from application startup to credential theft
A legacy manufacturing application uses NetBIOS names to connect to a database server. The application attempts to resolve the server name through NBT-NS. An attacker poisons the response, directing the application to connect to a malicious SMB server. The application authenticates using the service account credentials, which are captured and used for privilege escalation.
Impact: Service account compromise, manufacturing system access
Responder is a powerful tool that simultaneously exploits all three protocols, making it the weapon of choice for attackers. The tool operates by:
Key Features:
Recent penetration testing data reveals alarming statistics about name resolution attacks:
Both nation-state actors and cybercriminal groups are increasingly incorporating name resolution attacks into their playbooks:
Healthcare, financial services, and manufacturing sectors are particularly vulnerable due to:
Disable LLMNR:
# Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client
# Setting: Turn off multicast name resolution
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0
Disable NBT-NS:
# Registry modification for all network adapters
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled -eq $true}
foreach ($adapter in $adapters) {
$adapter.SetTcpipNetbios(2) # 2 = Disable NetBIOS over TCP/IP
}
Configure mDNS Controls:
# Linux systems - disable Avahi daemon
sudo systemctl disable avahi-daemon
sudo systemctl stop avahi-daemon
# Windows - disable mDNS through registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name "EnableMDNS" -Value 0
VLAN Isolation:
Firewall Rules:
# Block LLMNR (UDP 5355)
deny udp any any eq 5355
# Block NBT-NS (UDP 137)
deny udp any any eq 137
# Control mDNS (UDP 5353)
deny udp any any eq 5353
SIEM Detection Rules:
Honeypot Deployment:
DNS Suffix Configuration:
Host File Management:
Days 1-2: Network Traffic Analysis
Days 3-5: Asset Inventory
Days 6-7: Risk Assessment
Days 8-10: Policy Creation
Days 11-12: Laboratory Testing
Days 13-14: Stakeholder Alignment
Days 15-17: Pilot Deployment
Days 18-19: Production Rollout
Days 20-21: Monitoring Activation
Days 22-24: Validation Testing
Days 25-26: Documentation Completion
Days 27-30: Knowledge Transfer
LLMNR Disable Policy:
Computer Configuration > Policies > Administrative Templates > Network > DNS Client
Policy: Turn off multicast name resolution
Setting: Enabled
NBT-NS Disable via DHCP:
DHCP Option 001 (NetBIOS over TCP/IP): 0x2 (Disable)
Registry-based NBT-NS Disable:
# Disable for all network adapters
Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
Where-Object {$_.IPEnabled -eq $true} |
ForEach-Object {$_.SetTcpipNetbios(2)}
Cisco IOS Firewall Rules:
access-list 100 deny udp any any eq 5355
access-list 100 deny udp any any eq 137
access-list 100 deny udp any any eq 5353
Palo Alto Networks Configuration:
security rule {
name "Block-Name-Resolution-Protocols";
source any;
destination any;
service [udp-5355, udp-137, udp-5353];
action deny;
}
Splunk Detection Query:
index=network sourcetype=firewall (dest_port=5355 OR dest_port=137 OR dest_port=5353)
| stats count by src_ip, dest_ip, dest_port
| where count > 10
Suricata Rule:
alert udp any any -> any 5355 (msg:"LLMNR Query Detected"; flow:to_server; content:"|00 00 00 00 00 01|"; offset:4; depth:6; sid:1000001; rev:1;)
Simple Python LLMNR Honeypot:
import socket
import struct
def llmnr_honeypot():
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', 5355))
while True:
data, addr = sock.recvfrom(1024)
print(f"LLMNR query from {addr}: {data.hex()}")
# Log to SIEM
log_attack(addr, "LLMNR", data)
Proper DNS suffix configuration can eliminate many name resolution failures that trigger fallback protocols:
Windows Domain Configuration:
Primary DNS Suffix: company.local
DNS Suffix Search List:
- company.local
- corp.company.local
- servers.company.local
DHCP Option 015 (DNS Domain Name):
Option 015: company.local
For critical systems, centralized host file management can provide reliable name resolution:
PowerShell Host File Update:
$hostfile = "C:\Windows\System32\drivers\etc\hosts"
$entries = @(
"192.168.1.100 printserver",
"192.168.1.101 fileserver",
"192.168.1.102 dbserver"
)
Add-Content -Path $hostfile -Value $entries
Implementing zero trust principles can mitigate the impact of name resolution attacks:
Watch for these signs of name resolution attacks:
Network Indicators:
Host Indicators:
Immediate Actions (0-15 minutes):
Short-term Actions (15 minutes - 2 hours):
Long-term Actions (2-24 hours):
Name resolution security controls align with multiple compliance frameworks:
NIST Cybersecurity Framework:
ISO 27001 Controls:
Several regulations require organizations to implement appropriate network security controls:
GDPR (General Data Protection Regulation):
PCI DSS (Payment Card Industry Data Security Standard):
HIPAA (Health Insurance Portability and Accountability Act):
The name resolution trinity of mDNS, LLMNR, and NBT-NS represents a critical security vulnerability that affects virtually all enterprise networks. These protocols, while designed to improve user experience through automatic service discovery, create significant attack surfaces that are actively exploited by threat actors.
Week 1:
Week 2:
Week 3:
Week 4:
Organizations must view name resolution security as part of a comprehensive zero-trust architecture. This includes:
The name resolution trinity represents a clear and present danger to enterprise security. Organizations that fail to address these vulnerabilities are providing attackers with a reliable and effective attack vector. The time for action is now.
Created with the help of AI