Name resolution in Windows 7


Windows 7 can use various mechanisms for resolving host names as required, including -

Windows 7 will use each of these mechanisms in turn in the above order, until it gets an answer. Then it stops trying any further.


The "hosts" file

The "hosts" file in Windows 7 is used in a similar way to the "hosts" file in XP: it contains a list of IP addresses and the corresponding host names.

However, there is a significant difference between XP and Windows 7: in XP the localhost address is defined in the "hosts" file, whereas in Windows 7 it is defined within DNS.

There is a variety of opinion on the web about why this has changed, but the increasing possibility of Windows 7 being used on exclusively IPv6 networks looks like a major reason for the change.
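The following script is an added example, not code from the original page. It parses a "hosts" file in the Windows format described above and lists the active address-to-name mappings, flagging any entry that redefines localhost (which Windows 7 leaves to DNS). The embedded sample file is constructed for the example; the commented path shows where to read the live file instead.

```powershell
# Added example (not from the original page): parse a Windows 7 "hosts" file
# and report the active name-to-address mappings, flagging any entry that
# redefines localhost. The sample below is constructed, mirroring the
# Windows 7 default where the localhost lines are commented out because
# localhost resolution is handled within DNS.

$sampleHosts = @"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.1.10    fileserver.corp.example   fileserver
10.0.0.5        printer01
127.0.0.1       localhost
"@

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Drop trailing comments and surrounding whitespace
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) {
            Write-Warning "Malformed hosts line skipped: '$line'"
            continue
        }
        $address = $fields[0]
        # The first field must be an IPv4 or IPv6 literal
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) {
            Write-Warning "Invalid address skipped: '$line'"
            continue
        }
        # One hosts line may map several names to the same address
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Address            = $address
                Name               = $name
                IsIPv6             = ($parsed.AddressFamily -eq 'InterNetworkV6')
                # Windows 7 resolves localhost in DNS, so an explicit
                # localhost line is a deviation from the default worth noting
                OverridesLocalhost = ($name -ieq 'localhost')
            }
        }
    }
}

# To examine the live file instead of the embedded sample:
# $lines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$lines = $sampleHosts -split "`r?`n"
Get-HostsEntries -Lines $lines |
    Format-Table Address, Name, IsIPv6, OverridesLocalhost -AutoSize
```

New-Object PSObject is used rather than the [PSCustomObject] syntax so the script runs on the PowerShell 2.0 that ships with Windows 7. Running it against the live file is a quick way to spot entries that have been added to the file since installation.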


LLMNR

LLMNR (Link-Local Multicast Name Resolution) is a Microsoft-designed protocol that provides name resolution on private networks where there is no DNS server.

It is one of many protocols that do similar things for zero-configuration networks: they allow a private network to function as an IP network without hosts having to be configured with addresses.

LLMNR multicasts UDP messages on port 5355. It may also use TCP on port 5355.

It can be regarded as a security risk, as the host transmits multicast LLMNR packets that identify the host.

On the higher editions of Windows 7, Group Policy can be used to disable LLMNR.

On Windows 7 Home Premium, LLMNR can be disabled by a registry entry. The key doesn't exist by default and needs to be created. The key is


       HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

Create a DWORD called "EnableMulticast" with a value of 0.

I was not able to stop the outgoing multicast LLMNR packets using the Windows firewall, which of course is a problem: as the Windows firewall is a stateful firewall, the outgoing packets cut holes through the firewall for incoming packets on port 5355 for a period of time, and this provides a hole for attack. So it is better to disable LLMNR if it is not required.
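The script below is an added example, not code from the original page. It applies the registry change described above from an elevated PowerShell prompt, confirms the value is in place, and then checks whether anything is still bound to port 5355 so the result of disabling LLMNR can be verified rather than assumed. It assumes that restarting the Dnscache service is enough to apply the change without a reboot; if port 5355 remains bound afterwards, reboot and re-run the check. netstat is used for the port check because Windows 7 lacks the newer Get-NetUDPEndpoint cmdlet.

```powershell
# Added example (not from the original page): disable LLMNR on Windows 7 via
# the DNS client policy key, verify the setting, and check whether anything is
# still bound to port 5355. Run from an elevated PowerShell prompt.
# Assumption: restarting the Dnscache service applies the change without a
# reboot; if port 5355 is still bound afterwards, reboot and re-run the check.

$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    # The policy key does not exist by default, so create it first
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # EnableMulticast = 0 turns LLMNR off
    Set-ItemProperty -Path $keyPath -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Test-LlmnrDisabled {
    # Returns $true only if the value exists and is exactly 0
    if (-not (Test-Path $keyPath)) { return $false }
    $value = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).EnableMulticast
    return ($value -eq 0)
}

function Get-Port5355Bindings {
    # Each matching netstat line shows the protocol, local address:port,
    # remote address and the owning process ID
    netstat -ano | Where-Object { $_ -match ':5355\s' }
}

Disable-Llmnr
Restart-Service -Name Dnscache -ErrorAction Stop

if (Test-LlmnrDisabled) {
    Write-Output 'EnableMulticast = 0 is set under the DNSClient policy key.'
} else {
    Write-Output 'LLMNR policy value not found; check the key path and permissions.'
}

$bindings = Get-Port5355Bindings
if ($bindings) {
    Write-Output 'Port 5355 is still bound (a reboot may be needed):'
    $bindings
} else {
    Write-Output 'Nothing is bound to port 5355.'
}
```

The verification step matters because the registry value only takes effect once the DNS client re-reads its policy; a value that is set but not yet applied would otherwise look like a finished change.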


The DNS client in Windows 7

The DNS client in Windows 7 is quite a bit more complex than that in XP, as it has to handle several different environments, such as


DirectAccess

DirectAccess is of course not really part of name resolution, but it does have its own unique requirements for name resolution, so here is some more information about it.

As summarised above, DirectAccess is a Microsoft-designed mechanism for connecting remote computers to corporate intranets without users having to connect via VPNs.

Its use is limited to Windows 7 Enterprise and Server 2008 R2.

It is based on IPv6: IPv6 traffic is tunneled over IPv4 across the public IPv4 internet, with IPsec providing authentication and encryption.

The tunneling can be based on technologies such as 6to4, Teredo, or IP-HTTPS.

It has several strict technical requirements, such as

The DirectAccess server is essentially a gateway between the internet and the intranet, and it works on IPv6. If the intranet is working on IPv4, there also has to be IPv6-to-IPv4 translation between the DirectAccess server and the file storage and application servers.

The DirectAccess connection between the DirectAccess client on Windows 7 and the server is set up before the user logs on.

Once it is set up, Group Policy settings can be sent down to the remote computer. In addition, this connection state allows system administrators to push down upgrades and patches to the remote computer.

Once the user logs on, the DirectAccess server enables access to the file sharing and application servers.

As the connection between the Windows 7 client and the DirectAccess server is carried over the internet, the Windows 7 host has access to the rest of the internet at the same time, unlike the usual situation with VPNs, where normal internet access is lost while the VPN connection is active.

----------------

When the remote computer is talking to the corporate intranet over DirectAccess, it needs to use the DNS server on the intranet for the Active Directory. For other internet connections, it needs to use internet DNS servers.

So hopefully this brief description of DirectAccess explains the requirement for the Windows 7 DNS client to accommodate IPv4 DNS, IPv6 DNS, DNSSEC, DirectAccess, and the Name Resolution Policy Table, all at the same time.

© 2024   Ron Turner