SlideShare a Scribd company logo

Part 2 - Local Name Resolution in Windows Networks

Men and Mice
Men and Mice

Webinar Trilogy - Part 2, Local Name Resolution in Windows Networks

Technology
1 of 41
Men & Mice Webinar Trilogy Rethinking Name Resolution in Local Networks Local Name Resolution in Windows Networks
Local Name Resolution in Windows Networks • Microsoft operating systems have a long history of local name resolution solutions, from NetBIOS over WINS to the LLMNR and PNRP protocols today. • In this webinar we will take a look at PNRP and LLMNR and how these protocols can be used to have server-less name resolution without a centralised DNS infrastructure. 2
LLMNR Link Local Multicast Resolution
LLMNR 4 • LLMNR provides serverless name resolution on the local link ( = inside the same local subnet) • LLMNR has been documented as an informal RFC by the IETF in RFC 4795 (January 2007)
 https://www.ietf.org/rfc/rfc4795.txt
LLMNR • On the wire, LLMNR works very similar to DNS • But queries are not send to a DNS resolver, but instead to all hosts in the local subnet that have subscribed to the LMNR Multicast address • LLMNR operates on Port 5355 • IPv4 multicast address: 224.0.0.252 • IPv6 multicast address: ff02::1:3 5
LLMNR • LLMNR only operates on short, single label names • A host with the DNS name "windowspc.home.arpa." has the LLMNR name "windowspc" 6
LLMNR • LLMNR can be used on the command line …
 
 ping windowspc • … and as well as in graphical applications. Some applications like web-browser assume multi label hostnames (with at least one dot "." In the name). • A single label name is often seen as a search request. • To use LLMNR single label names in a Browser, enclose the name in a proper URL, like:
 
 http://windowspc/ 7
LLMNR • Every modern Windows System (Client, Server) will send LLMNR requests to the network • But only Systems with enabled "Network Discovery" will listen for LLMNR queries and answer • Network Discovery is disabled for Networks of type "public" and "work" and must be manually enabled to work in these environments 8
LLMNR • The state of LLMNR name resolution can be queried from NetShell (netsh)
 
 netsh dnsclient show state 9
LLMNR • Sending LLMNR requests can be disabled via a group policy
 Group Policy
 Computer Configuration
 Administrative Templates
 Network
 DNS Client
 Turn off Multicast Name Resolution. 
 
 (Enabled = Don’t use LLMNR, Disabled = Use LLMNR) 10
LLMNR • LLMNR requests can also be controlled locally using a registry key • Path: 
 HKLMSoftwarepoliciesMicrosoftWindows NTDNSClient • Key: EnableMulticast • Type: REG_DWORD • Values: 0 == Disabled / 1 == Enabled 11
LLMNR • LLMNR name resolution can be tested with the 
 "Resolve-DnsName" PowerShell commandlet and the 
 "-LlmnrOnly" parameter 12
Demo
LLMNR security • Like plain old DNS, LLMNR is not authenticated (no DNSSEC) • LLMNR responses can be spoofed by an attacker on the local network • Use of LLMNR is dangerous on public (Wifi, Hotel, Airport …) networks • Blog Post on a possible attack using LLMNR: "How to get Windows to give you credentials through LLMNR":
 https://www.pentestpartners.com/security-blog/how-to-get- windows-to-give-you-credentials-through-llmnr/ • Ready-to-use LLMNR spoofing tools exist, like "Inveigh"
 https://github.com/Kevin-Robertson/Inveigh 14
PNRP Peer Name Resolution Protocol
PNRP • PNRP is a Peer-to-Peer name resolution protocol designed by Microsoft • The PNRP specification is open[1], but so far, only Windows Systems since Windows Vista implement this protocol • PNRP requires IPv6 to work, but on an IPv4 only network, the Windows system will automatically create a Teredo IPv6-over-IPv4 tunnel to make PNRP work • PNRP can resolve IPv6 and IPv4 addresses 16 [1] https://msdn.microsoft.com/en-us/library/cc239047.aspx
PNRP cloud • PNRP is implemented as multiple distributed hash tables (DHT)[1] • Every PNRP node "knows" the addresses of it's "neighbours" in the PNRP cloud • By default, a local and a public (global) PNRP-Cloud exists 17 [1] https://en.wikipedia.org/wiki/Distributed_hash_table
PNRP addresses • PNRP addresses are calculated from a human friendly name (Classifier) and (optionally) a cryptographic key (Authority) • The cryptographic key can be zero ("0") for "no key", which makes the resulting PNRP-name human-friendly but insecure • When using a real cryptographic key, the PNRP client can verify that the resolved name is really the indented one (and not a spoofed address) 18
PNRP Adresses 19
PNRP-ID • The PNRP-ID is generated as a hash of the P2P-ID and the Service-Location. The Service-Location is a 128bit value that is derived from the hosts IPv6 address 20
PNRP Ports • PNRP uses UDP-Port 3450 for the PNRP communication with the outside world • For link-local communication, also Port 1900 for the Simple Service Discovery Protocol (SSDP) needs to be enable • In IPv4-only networks, Teredo needs to be permitted through firewalls as well • IPv6 via Teredo can be unstable, native IPv6 is preferred 21
Using PNRP • NetShell can be used to check the state of the PNRP clouds • In this example, PNRP is not active 22
Using PNRP • PNRP is now active on the Link-Local network, but there is no connection to the outside (IPv6) PNRP-cloud 23
Using PNRP • No connection to the outside world in an IPv4-only network often is a problem with the Teredo protocol: 24
Seeding PNRP • To be able to start PNRP name resolution, a Windows system needs some PNRP hosts (peers) to communicate • The initial list of peers is loaded from so called "seed" servers (pnrpv2.ipv6.microsoft.com and pnrpv21.ipv6.microsoft.com) • These names are resolved over classic DNS and are only reachable via IPv6 • Seeding can be forced with 
 netsh p2p pnrp cloud synchronize seed <Cloud> 25
Register a name in PNRP • PNRP does not auto-register names • PNRP names can be registered for publication using NetShell or the WindowsAPI • NetShell example (Authority of "0" = insecure name):
 
 netsh p2p pnrp peer add registration 0.mywebserver comment="Dev-Server" 26
Register a name in PNRP • The tool "PNRP- Beacon"[1] can be used to register a PNRP-name inside a GUI 27 [1] http://ftp.gwdg.de/pub/magazine/ct/listings/0904-098.zip
Registering PNRP names • PNRP names registered as shown via NetShell or PNRP- Beacon are not persistent • They are gone after a reboot of the system • Persistent PNRP names can be generated using the Windows Internet Computer Name service (WICN)[1], which can also be controlled via NetShell
 
 netsh p2p pnrp peer set machinename name="0.mypnrpname" publish=start autopublish=enable 28 [1] https://technet.microsoft.com/en-us/library/bb962088.aspx
Registering PNRP names • The status of the WICN service can be listed with 
 
 29
Register a name in PNRP • The NetShell command "show names" will list all registered named on this host 30
Resolving a PNRP-Name • PNRP names can be resolved via NetShell, the Windows API or through the Windows DNS-Client • The Windows DNS-Client will intercept all queries for domain names that end in the domain pnrp.net and will send the query to the PNRP subsystem • This works best with insecure names (Authority "0") • The PNRP name 0.mywebserver becomes the DNS-Name mywebserver.pnrp.net • Such a name is global resolvable, in if the host has IPv6, it is also reachable from the global Internet 31
Resolving a PNRP name • PNRP Names can also be resolved using NetShell with the command
 
 netsh p2p pnrp peer resolve <name> 32
Resolving a name in PNRP • PNRP-Beacon can also be used to resolve names and to display information about the remove machines (IPv4, IPv6 address, Windows Version, CPU Count) 33
PNRP Traceroute • NetShell offers a PNRP-Traceroute command to list the PNRP-Peers used in name resolution 34
Demo
PNRP Security • The Security of PNRP-Names without Authority (public key) is similar to classic DNS • These names are insecure and can be spoofed by anyone in the PNRP cloud. This is actually intended by the protocol, so that multiple hosts can announce the same service • PNRP-Names with public key are protected against spoofing, however spoofing PNRP names, while hard, is not impossible. When connecting to a sensible service via PNRP, additional authentication should be used 36
Next
Men & Mice Training • Men & Mice DNS Trainings in 2018: • DNS & BIND Fundamentals • DNS & BIND Advanced • DNS & BIND Week • DNSSEC & BIND • Planned dates for the courses in English language • US East Coast - 2018-02-26 • Europe - 2018-04-09 • US West Coast - 2018-05-21 • Europe - 2018-06-25 38 http://menandmice.com/training
Men & Mice Training • Training @ Linuxhotel Essen, Germany • DNSSEC & DANE Training, 3 days
 19.03 - 21.03.18 • DNS & BIND, 3 days 
 16.04 - 18.04.18 • DNS Sicherheit (DNS Security), 2 days
 19.04 - 20.04.18 • DNSSEC & DANE Training, 3 days
 04.06 - 06.06.18 • DNS & BIND, 3 days
 06.08 - 08.08.18 • DNS Sicherheit (DNS Security), 2 days
 09.08 - 10.08.18 39 http://linuxhotel.de/
Next Webinar • Name Resolution Webinar Trilogy Part 3 – Local Name Resolution in Linux, FreeBSD and macOS/iOS • Wednesday, 29th of November, 2017 • Multicast DNS (mDNS) was pioneered in Apple’s MacOS X system, and is now available on all systems from Cupertino. • The focus of this webinar will be to take a deeper look into this local name- resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS. • Join us for a 45 minutes webinar with a Q&A session at the end, on Wednesday, November 29th, 2017 at 4:00 PM CET/ 3:00 PM GMT/ 10:00 AM EDT / 7:00 AM PDT. 40
Fini - Q & A

Recommended

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
DNS Presentation
DNS PresentationDNS Presentation
DNS PresentationShubham Srivastava
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Cyber security
Cyber securityCyber security
Cyber securityDr. Kishor Nikam
 

Recommended

DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
DNS Presentation
DNS PresentationDNS Presentation
DNS PresentationShubham Srivastava
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Port Scanning
Port ScanningPort Scanning
Port Scanningamiable_indian
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Cyber security
Cyber securityCyber security
Cyber securityDr. Kishor Nikam
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriBGA Cyber Security
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
CREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesCREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesNathanAn
 
DNS Record
DNS RecordDNS Record
DNS Recordkangting21
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Network scanning
Network scanningNetwork scanning
Network scanningMD SAQUIB KHAN
 
Sızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma SaldırılarıSızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma SaldırılarıBGA Cyber Security
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)chovatiyabhautik
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
What is botnet?
What is botnet?What is botnet?
What is botnet?Milan Petrásek
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printingCHETAN THAKRE
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 
08Mapping.ppt
08Mapping.ppt08Mapping.ppt
08Mapping.pptMalikNuman8
 

More Related Content

What's hot

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriBGA Cyber Security
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
CREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesCREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesNathanAn
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Sızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma SaldırılarıSızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma SaldırılarıBGA Cyber Security
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printingCHETAN THAKRE
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 

What's hot (20)

Dos attack
Dos attackDos attack
Dos attack
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
CREST CCT Exam Prep Notes
CREST CCT Exam Prep NotesCREST CCT Exam Prep Notes
CREST CCT Exam Prep Notes
 
DNS Record
DNS RecordDNS Record
DNS Record
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Sızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma SaldırılarıSızma Testlerinde Parola Kırma Saldırıları
Sızma Testlerinde Parola Kırma Saldırıları
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
What is botnet?
What is botnet?What is botnet?
What is botnet?
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printing
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printing
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 

Similar to Part 2 - Local Name Resolution in Windows Networks

Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionMahmmoud Mahdi
 
GeoDistributed datacenter: the DNS way
GeoDistributed datacenter: the DNS wayGeoDistributed datacenter: the DNS way
GeoDistributed datacenter: the DNS wayMoyd.co LTD
 
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto Zuin
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto ZuinOpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto Zuin
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto ZuinOpenNebula Project
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)udamale
 
What CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDWhat CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDShapeBlue
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
06 coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dns06 coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dnsPalanivel Kuppusamy
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian GrodzickiPROIDEA
 
Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Slawomir Skowron
 

Similar to Part 2 - Local Name Resolution in Windows Networks (20)

Lesson 5: Configuring Name Resolution
Lesson 5: Configuring Name ResolutionLesson 5: Configuring Name Resolution
Lesson 5: Configuring Name Resolution
 
08Mapping.ppt
08Mapping.ppt08Mapping.ppt
08Mapping.ppt
 
GeoDistributed datacenter: the DNS way
GeoDistributed datacenter: the DNS wayGeoDistributed datacenter: the DNS way
GeoDistributed datacenter: the DNS way
 
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto Zuin
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto ZuinOpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto Zuin
OpenNebulaConf 2014 - Geo distributed datacenter: the DNS way - Alberto Zuin
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)
 
What CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDWhat CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBD
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
06 coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dns06 coms 525 tcpip - dhcp and dns
06 coms 525 tcpip - dhcp and dns
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Lets talk dns
Lets talk dnsLets talk dns
Lets talk dns
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki
4Developers 2015: Scaling LAMP doesn't have to suck - Sebastian Grodzicki
 
Dn sonly
Dn sonlyDn sonly
Dn sonly
 
Application Layer
Application LayerApplication Layer
Application Layer
 
2_Chapter 2_DNS.pptx
2_Chapter 2_DNS.pptx2_Chapter 2_DNS.pptx
2_Chapter 2_DNS.pptx
 
Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013
 
Common Network Services
Common Network ServicesCommon Network Services
Common Network Services
 

More from Men and Mice

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesMen and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption securityMen and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANEMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNSMen and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCMen and Mice
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2Men and Mice
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review WebinarMen and Mice
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report WebinarMen and Mice
 

More from Men and Mice (20)

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
 

Recently uploaded

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 

Recently uploaded (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 

Part 2 - Local Name Resolution in Windows Networks

  • 1. Men & Mice Webinar Trilogy Rethinking Name Resolution in Local Networks Local Name Resolution in Windows Networks
  • 2. Local Name Resolution in Windows Networks • Microsoft operating systems have a long history of local name resolution solutions, from NetBIOS over WINS to the LLMNR and PNRP protocols today. • In this webinar we will take a look at PNRP and LLMNR and how these protocols can be used to have server-less name resolution without a centralised DNS infrastructure. 2
  • 4. LLMNR 4 • LLMNR provides serverless name resolution on the local link ( = inside the same local subnet) • LLMNR has been documented as an informal RFC by the IETF in RFC 4795 (January 2007)
 https://www.ietf.org/rfc/rfc4795.txt
  • 5. LLMNR • On the wire, LLMNR works very similar to DNS • But queries are not send to a DNS resolver, but instead to all hosts in the local subnet that have subscribed to the LMNR Multicast address • LLMNR operates on Port 5355 • IPv4 multicast address: 224.0.0.252 • IPv6 multicast address: ff02::1:3 5
  • 6. LLMNR • LLMNR only operates on short, single label names • A host with the DNS name "windowspc.home.arpa." has the LLMNR name "windowspc" 6
  • 7. LLMNR • LLMNR can be used on the command line …
 
 ping windowspc • … and as well as in graphical applications. Some applications like web-browser assume multi label hostnames (with at least one dot "." In the name). • A single label name is often seen as a search request. • To use LLMNR single label names in a Browser, enclose the name in a proper URL, like:
 
 http://windowspc/ 7
  • 8. LLMNR • Every modern Windows System (Client, Server) will send LLMNR requests to the network • But only Systems with enabled "Network Discovery" will listen for LLMNR queries and answer • Network Discovery is disabled for Networks of type "public" and "work" and must be manually enabled to work in these environments 8
  • 9. LLMNR • The state of LLMNR name resolution can be queried from NetShell (netsh)
 
 netsh dnsclient show state 9
  • 10. LLMNR • Sending LLMNR requests can be disabled via a group policy
 Group Policy
 Computer Configuration
 Administrative Templates
 Network
 DNS Client
 Turn off Multicast Name Resolution. 
 
 (Enabled = Don’t use LLMNR, Disabled = Use LLMNR) 10
  • 11. LLMNR • LLMNR requests can also be controlled locally using a registry key • Path: 
 HKLMSoftwarepoliciesMicrosoftWindows NTDNSClient • Key: EnableMulticast • Type: REG_DWORD • Values: 0 == Disabled / 1 == Enabled 11
  • 12. LLMNR • LLMNR name resolution can be tested with the 
 "Resolve-DnsName" PowerShell commandlet and the 
 "-LlmnrOnly" parameter 12
  • 13. Demo
  • 14. LLMNR security • Like plain old DNS, LLMNR is not authenticated (no DNSSEC) • LLMNR responses can be spoofed by an attacker on the local network • Use of LLMNR is dangerous on public (Wifi, Hotel, Airport …) networks • Blog Post on a possible attack using LLMNR: "How to get Windows to give you credentials through LLMNR":
 https://www.pentestpartners.com/security-blog/how-to-get- windows-to-give-you-credentials-through-llmnr/ • Ready-to-use LLMNR spoofing tools exist, like "Inveigh"
 https://github.com/Kevin-Robertson/Inveigh 14
  • 16. PNRP • PNRP is a Peer-to-Peer name resolution protocol designed by Microsoft • The PNRP specification is open[1], but so far, only Windows Systems since Windows Vista implement this protocol • PNRP requires IPv6 to work, but on an IPv4 only network, the Windows system will automatically create a Teredo IPv6-over-IPv4 tunnel to make PNRP work • PNRP can resolve IPv6 and IPv4 addresses 16 [1] https://msdn.microsoft.com/en-us/library/cc239047.aspx
  • 17. PNRP cloud • PNRP is implemented as multiple distributed hash tables (DHT)[1] • Every PNRP node "knows" the addresses of it's "neighbours" in the PNRP cloud • By default, a local and a public (global) PNRP-Cloud exists 17 [1] https://en.wikipedia.org/wiki/Distributed_hash_table
  • 18. PNRP addresses • PNRP addresses are calculated from a human friendly name (Classifier) and (optionally) a cryptographic key (Authority) • The cryptographic key can be zero ("0") for "no key", which makes the resulting PNRP-name human-friendly but insecure • When using a real cryptographic key, the PNRP client can verify that the resolved name is really the indented one (and not a spoofed address) 18
  • 20. PNRP-ID • The PNRP-ID is generated as a hash of the P2P-ID and the Service-Location. The Service-Location is a 128bit value that is derived from the hosts IPv6 address 20
  • 21. PNRP Ports • PNRP uses UDP-Port 3450 for the PNRP communication with the outside world • For link-local communication, also Port 1900 for the Simple Service Discovery Protocol (SSDP) needs to be enable • In IPv4-only networks, Teredo needs to be permitted through firewalls as well • IPv6 via Teredo can be unstable, native IPv6 is preferred 21
  • 22. Using PNRP • NetShell can be used to check the state of the PNRP clouds • In this example, PNRP is not active 22
  • 23. Using PNRP • PNRP is now active on the Link-Local network, but there is no connection to the outside (IPv6) PNRP-cloud 23
  • 24. Using PNRP • No connection to the outside world in an IPv4-only network often is a problem with the Teredo protocol: 24
  • 25. Seeding PNRP • To be able to start PNRP name resolution, a Windows system needs some PNRP hosts (peers) to communicate • The initial list of peers is loaded from so called "seed" servers (pnrpv2.ipv6.microsoft.com and pnrpv21.ipv6.microsoft.com) • These names are resolved over classic DNS and are only reachable via IPv6 • Seeding can be forced with 
 netsh p2p pnrp cloud synchronize seed <Cloud> 25
  • 26. Register a name in PNRP • PNRP does not auto-register names • PNRP names can be registered for publication using NetShell or the WindowsAPI • NetShell example (Authority of "0" = insecure name):
 
 netsh p2p pnrp peer add registration 0.mywebserver comment="Dev-Server" 26
  • 27. Register a name in PNRP • The tool "PNRP- Beacon"[1] can be used to register a PNRP-name inside a GUI 27 [1] http://ftp.gwdg.de/pub/magazine/ct/listings/0904-098.zip
  • 28. Registering PNRP names • PNRP names registered as shown via NetShell or PNRP- Beacon are not persistent • They are gone after a reboot of the system • Persistent PNRP names can be generated using the Windows Internet Computer Name service (WICN)[1], which can also be controlled via NetShell
 
 netsh p2p pnrp peer set machinename name="0.mypnrpname" publish=start autopublish=enable 28 [1] https://technet.microsoft.com/en-us/library/bb962088.aspx
  • 29. Registering PNRP names • The status of the WICN service can be listed with 
 
 29
  • 30. Register a name in PNRP • The NetShell command "show names" will list all registered named on this host 30
  • 31. Resolving a PNRP-Name • PNRP names can be resolved via NetShell, the Windows API or through the Windows DNS-Client • The Windows DNS-Client will intercept all queries for domain names that end in the domain pnrp.net and will send the query to the PNRP subsystem • This works best with insecure names (Authority "0") • The PNRP name 0.mywebserver becomes the DNS-Name mywebserver.pnrp.net • Such a name is global resolvable, in if the host has IPv6, it is also reachable from the global Internet 31
  • 32. Resolving a PNRP name • PNRP Names can also be resolved using NetShell with the command
 
 netsh p2p pnrp peer resolve <name> 32
  • 33. Resolving a name in PNRP • PNRP-Beacon can also be used to resolve names and to display information about the remove machines (IPv4, IPv6 address, Windows Version, CPU Count) 33
  • 34. PNRP Traceroute • NetShell offers a PNRP-Traceroute command to list the PNRP-Peers used in name resolution 34
  • 35. Demo
  • 36. PNRP Security • The Security of PNRP-Names without Authority (public key) is similar to classic DNS • These names are insecure and can be spoofed by anyone in the PNRP cloud. This is actually intended by the protocol, so that multiple hosts can announce the same service • PNRP-Names with public key are protected against spoofing, however spoofing PNRP names, while hard, is not impossible. When connecting to a sensible service via PNRP, additional authentication should be used 36
  • 37. Next
  • 38. Men & Mice Training • Men & Mice DNS Trainings in 2018: • DNS & BIND Fundamentals • DNS & BIND Advanced • DNS & BIND Week • DNSSEC & BIND • Planned dates for the courses in English language • US East Coast - 2018-02-26 • Europe - 2018-04-09 • US West Coast - 2018-05-21 • Europe - 2018-06-25 38 http://menandmice.com/training
  • 39. Men & Mice Training • Training @ Linuxhotel Essen, Germany • DNSSEC & DANE Training, 3 days
 19.03 - 21.03.18 • DNS & BIND, 3 days 
 16.04 - 18.04.18 • DNS Sicherheit (DNS Security), 2 days
 19.04 - 20.04.18 • DNSSEC & DANE Training, 3 days
 04.06 - 06.06.18 • DNS & BIND, 3 days
 06.08 - 08.08.18 • DNS Sicherheit (DNS Security), 2 days
 09.08 - 10.08.18 39 http://linuxhotel.de/
  • 40. Next Webinar • Name Resolution Webinar Trilogy Part 3 – Local Name Resolution in Linux, FreeBSD and macOS/iOS • Wednesday, 29th of November, 2017 • Multicast DNS (mDNS) was pioneered in Apple’s MacOS X system, and is now available on all systems from Cupertino. • The focus of this webinar will be to take a deeper look into this local name- resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS. • Join us for a 45 minutes webinar with a Q&A session at the end, on Wednesday, November 29th, 2017 at 4:00 PM CET/ 3:00 PM GMT/ 10:00 AM EDT / 7:00 AM PDT. 40
  • 41. Fini - Q & A