6.1.6.2. Intranet protocols

The order of Windows query name resolution is DNS、mDNS、LLMNR、NBNS。

6.1.6.2.1. NetBIOS

NetBIOS (Network Basic Input/Output System) is a network-based interactive protocol, usually using ports such as UDP 137, UDP 138, and TCP 139. When Windows installs the TCP/IP protocol, this protocol is enabled by default, which may cause network resources without permission verification to be accessed.

Based on NetBIOS, there is NBNS (NetBIOS Name Service) service, which usually monitors on UDP port 137. This service provides three functions: resolve NetBIOS name to IP, query the status of a NetBIOS node, and register/release a NetBIOS name.

The network can be managed using the NetBIOS protocol using nbtstat tools.

6.1.6.2.2. LLMNR

Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the DNS packet format, through which IPv4 and IPv6 hosts can perform name resolution for hosts on the same local link. This protocol was introduced after Windows Vista. LLMNR listens on UDP port 5355 and can be accessed via the multicast address 224.0.0.252 or FF02:0:0:0:0:0:1:3。

6.1.6.2.3. mDNS

mDNS (multicast DNS) was introduced in Windows 10 and listens on UDP port 5353, the corresponding multicast address is 224.0.0.251( FF02::FB ) 。mDNS mainly realizes the mutual discovery and communication between hosts in the local area network without the traditional DNS server.

6.1.6.2.4. WPAD

Web Proxy Auto-Discovery (WPAD) is a method for clients to locate a configuration file URL using DHCP and/or DNS discovery methods. After detecting and downloading the configuration file, it can execute the configuration file to determine which proxy should be used for a particular URL.