Name resolution in Windows 7

Windows 7 can use various mechanisms for resolving host names as required, including -

• the "hosts" file located in C:\Windows\System32\drivers\etc\
• DNS lookup requests sent to the specified DNS server
• LLMNR - Link-Local Multicast Name Resolution
• NetBIOS name query request

Windows 7 will use each of these mechanisms in turn in the above order, until it gets an answer. Then it stops trying any further.

The "hosts" file

The "hosts" file in Windows 7 is used in a similar way to the "hosts" file in XP - it contains a list of ip addresses and the corresponding host name.

However there is a significant difference between XP and Windows 7 - in XP the localhost address is defined in the "hosts"file - in Windows 7 it is defined within DNS.

There seems to be a variety of opinion on the web about why this has changed, but it looks like the increasing possibility of Windows 7 being used on exclusively IPv6 networks is a major reason for the change.

LLMNR

LLMNR - Link-Local Multicast Name Resolution - is a Microsoft designed protocol that can be used on private networks where there is no DNS server, as a mechanism for doing name resolution.

It is one of many protocols that do similar things for zero-configuration networks - they basically allow private networks to function as IP networks without requiring hosts to be configured with addresses.

LLMNR multicasts UDP messages on port 5355. It may also use TCP on port 5355.

It can be regarded as a security risk, as the host transmits multicast LLMNR packets which identify the host.

On the higher versions of Windows 7, Group policy can be used to disable LLMNR.

On Windows 7 Home Premium, LLMNR can be disabled by a registry entry - the key doesn`t exist by default, and needs to be created. The key is

       HKLM/Software/Policies/Microsoft/WindowsNT/DNSClient/

Create a DWORD called "EnableMulticast" with a value of 0.

I was not able to stop the outgoing multicast LLMNR packets using the Windows firewall, which of course is a problem - as the Windows firewall is a stateful firewall, the outgoing packets will cut holes through the firewall for incoming packets for a period of time on port 5355 - this provides a hole for attack. So it is better to disable LLMNR if it is not required.

The DNS client in Windows 7

The DNS client in Windows 7 is a quite a bit more complex than that in XP - it has to handle several different environments, such as

• conventional IPv4 DNS
• IPv6
• LLMNR, as described above
• DNSSEC - the secure form of DNS which is coming into use
• DirectAccess - this is another Microsoft-specific communication mechanism which allows remote computers to connect to corporate intranets without VPN`s
• NRPT - Name Resolution Policy Table - a table of domains which dictate whether a DNS query should be handled as a DNSSEC query, or whether it should be handled as a DirectAccess DNS query, or whether it should be handled as a normal DNS query

  The table can be configured via the registry, via Group policy, or via the DirectAccess setup wizard

  NRPT is part of Windows 7 Enterprise and Server 2008 R2

DirectAccess

It is of course not really part of name resolution, but DirectAccess does have its own unique requirements for name resolution, so here is some more information about it.

As summarised above, DirectAccess is a Microsoft designed mechanism for connecting remote computers to corporate intranets, without users having to connect via VPN`s.

Its use is limited to Windows 7 Enterprise and Server 2008 R2.

It is based on IPv6, and uses IPv6 tunneling over IPv4 over IPSec for authentication and encryption across the public IPv4 internet.

The tunnneling can be based on technologies such as 6to4, Teredo, or IP-HTTPS.

It has several strict technical requirements, such as

• Active Directory
• Server 2008 R2 with two network cards - one intranet facing, one internet facing
• 2 adjacent IPv4 addresses on the internet facing card
• A DNS server running on Server 2008 R2
• A Domain Controller running on Server 2008 R2
• Access to the Public Key Infrastructure
• Windows 7 Enterprise - or possibly Windows 7 Ultimate, but I`m not sure about that

The DirectAccess server is essentially a gateway between the internet and the intranet - and the DirectAccess server is working on IPv6. If the intranet is working on IPv4, then there would also have to be IPv6 to IPv4 translation between the DirectAccess server and the file storage and application servers.

The DirectAccess connection between the DirectAccess client on Windows 7 and the server is set up before the user logs on.

Once it is set up, Group Policy settings can be sent down to the remote computer. In addition, this connection state allows system administrators to push down upgrades and patches to the remote computer.

Once the user logs on, the DirectAccess server enables access to the file sharing and application servers.

As the connection between the Windows 7 client and the DirectAccess server is carried over the internet, the Windows 7 host has access to the rest of the internet at the same time, unlike the usual situation with VPN`s, where normal internet access is lost when the VPN connection is active.

----------------

When the remote computer is talking to the corporate intranet over DirectAccess, it needs to use the DNS server on the intranet for the Active Directory. For other internet connections, it needs to use internet DNS servers.

So hopefully this brief description of DirectAccess explains the requirement of the Windows 7 DNS client to accomodate all of IPv4 DNS, IPv6 DNS, DNSSEC, DirectAccess, and the Name Resolution Policy Table, all at the same time.

• home page
• image gallery
• about this website
• about the colour bar

website design by ron-t

website hosting by freevirtualservers.com

© 2024   Ron Turner

+                                   +  

• grayscale