
Microsoft Windows replaces NetBIOS with mDNS

Multicast DNS (mDNS) has been supported since Microsoft Windows 10 version 1703, and Microsoft is now preparing to replace NetBIOS and Link-Local Multicast Name Resolution (LLMNR) with mDNS completely. In Windows 11 previews, NetBIOS name resolution is configured as a fallback by default for the time being.

Originally developed by Apple, mDNS is a name resolution protocol that does not require a central DNS server. A client sends its query via multicast to all devices in the network, and the device to which the requested host name belongs answers, likewise with a multicast packet to the entire network.

Multiple mDNS resolvers

mDNS resolvers listen on UDP port 5353. In practice, several resolvers are active at the same time: in addition to the operating system, these include Chromium-based web browsers and Microsoft Teams clients.

Active mDNS resolvers can be listed with PowerShell:

Get-NetUDPEndpoint -LocalPort 5353 | Select-Object LocalAddress, LocalPort, OwningProcess, @{ Name = "Process"; Expression = { (Get-Process -Id $_.OwningProcess).Name } }

With mDNS there is no central authority in the form of a DNS server, so it cannot be ruled out that several devices on a network use the same host name.

One danger is that malicious programs listen on UDP port 5353 and, by spoofing name resolution responses, redirect clients to hosts under cybercriminal control.

Disabling Windows mDNS (the NetBIOS replacement)

Because of these circumstances, administrators might consider disabling mDNS. However, Microsoft recommends refraining from disabling it across the board, since otherwise communication with various devices on the network, such as printers or wireless devices, could be affected.

If companies still prefer such a measure, Microsoft recommends using Windows Firewall to block only incoming requests. Windows Firewall contains the predefined rule “mDNS (UDP-In)” for this purpose.

Open Windows Firewall by pressing Windows+R, entering firewall.cpl and running it, then go to Advanced Settings.

[Figure: Windows Firewall – Advanced Settings, inbound rule “mDNS (UDP-In)”]

You should disable mDNS only for the domain profile and the public profile, but leave it enabled for private networks, so that employees working from home can still use devices that rely on mDNS.
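The same per-profile change can be scripted instead of clicked through in the firewall console. The following PowerShell is an added example and not part of the original article or of any Microsoft documentation; it assumes an elevated session and that Windows ships the predefined rule “mDNS (UDP-In)” as one copy per firewall profile, which is what the loop relies on. The function names Get-MdnsInboundRules and Set-MdnsInboundPolicy are invented for this example.

```powershell
# Added example: disable inbound mDNS on the Domain and Public profiles only,
# keep it enabled on Private. Run in an elevated PowerShell.

function Get-MdnsInboundRules {
    # Current state of the predefined "mDNS (UDP-In)" rule(s), one line per copy
    Get-NetFirewallRule -DisplayName 'mDNS (UDP-In)' |
        Select-Object Name, DisplayName, Enabled, Profile, Direction, Action
}

function Set-MdnsInboundPolicy {
    # Profiles on which inbound mDNS is to be blocked; all other copies are enabled.
    param([string[]]$DisableOnProfiles = @('Domain', 'Public'))

    $rules = Get-NetFirewallRule -DisplayName 'mDNS (UDP-In)'
    if (-not $rules) {
        throw "No firewall rule named 'mDNS (UDP-In)' found on this system."
    }

    foreach ($rule in $rules) {
        # Profile is a flags enum; its string form is e.g. "Domain" or "Domain, Private".
        $ruleProfiles = $rule.Profile.ToString() -split ',\s*'
        $hit = $ruleProfiles | Where-Object { $DisableOnProfiles -contains $_ }

        if ($hit) {
            # Note: if one rule copy spans several profiles, this disables it for all
            # of them; split such a rule with Set-NetFirewallRule -Profile first.
            Disable-NetFirewallRule -InputObject $rule
        }
        else {
            Enable-NetFirewallRule -InputObject $rule
        }
    }
}

# State before and after the change
Get-MdnsInboundRules | Format-Table -AutoSize
Set-MdnsInboundPolicy
Get-MdnsInboundRules | Format-Table -AutoSize

# Sanity check: the rule really covers UDP 5353 and nothing else
Get-NetFirewallRule -DisplayName 'mDNS (UDP-In)' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

After running it, the Enabled column should read False for the Domain and Public copies and True for the Private one; the port filter output confirms that what was disabled is exactly UDP 5353 rather than a broader rule that happens to share the name.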

mDNS replaces NetBIOS and LLMNR

Another reason not to disable mDNS prematurely is that Microsoft is relying on this protocol more and more. In current previews of Windows 11, NetBIOS runs in “Learning Mode” by default, meaning that this outdated protocol only comes into play after requests via mDNS and LLMNR have failed.

The default behavior of LLMNR has not changed yet. Microsoft plans to make mDNS the default for name resolution in the future.

If certain applications still require NetBIOS, a new Group Policy can be configured accordingly. In addition to the learning mode mentioned above, it offers the options to allow name resolution via NetBIOS completely, to prevent it completely, or to block it only on public networks.

[Figure: Group Policy NetBIOS settings]

Disable FortiGate SSL Inspection

FortiGate SSL inspection is the process of intercepting SSL/TLS-encrypted Internet communication between the client and the server. Interception takes place in both directions, from sender to receiver and from receiver to sender. It is the same technique used in man-in-the-middle (MITM) attacks, where it happens without the consent of either party.


FortiGate SSL Deep Inspection in Practice

When FortiGate deep inspection is used, the FortiGate impersonates the recipient of the originating SSL session, decrypts and inspects the content to find and block threats, and then re-encrypts the content and sends it on to the real recipient.

In practice, this sometimes leads to unwanted blocking, especially when self-signed SSL certificates are in use, and the FortiGate then behaves like a black box. It is also common for Outlook clients to be refused the connection to the Exchange Server, with Outlook showing the following error:

There is a problem with the proxy server’s security certificate.
The name on the security certificate is invalid or does not match the name mail.example.org.
Outlook cannot connect to the proxy server. (Error code 8000000).
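Before touching the FortiGate profile it is worth confirming from an affected client that a re-signed certificate is really what Outlook is seeing. The following PowerShell is an added example, not code from the original article or from Fortinet or Microsoft. It opens a TLS session to the mail host and reports the certificate actually presented to the client: subject, issuer, Subject Alternative Names, and the root the local trust store chains it to. The host name mail.example.org is the placeholder used on this page, and the function name Get-PresentedCertificate is invented for this example.

```powershell
# Added example: show which certificate a Windows client actually receives for a
# host, so a re-signed (inspected) session can be told apart from the real server
# certificate. mail.example.org is a placeholder host name.

function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # Accept whatever is presented: the goal is to look at it, not to enforce trust here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)

        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17); the host name must be listed here
        $san = $leaf.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }

        # Build the chain against the client's own trust store to see which root it ends in
        $x509chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null = $x509chain.Build($leaf)
        $last = $x509chain.ChainElements.Count - 1
        $root = $x509chain.ChainElements[$last].Certificate

        [pscustomobject]@{
            HostName        = $HostName
            Subject         = $leaf.Subject
            Issuer          = $leaf.Issuer
            SubjectAltNames = ($san -join '; ')
            NotAfter        = $leaf.NotAfter
            Thumbprint      = $leaf.Thumbprint
            ChainRoot       = $root.Subject
            # The Outlook error above is exactly this check failing
            NameMatches     = [bool]($san -match [regex]::Escape($HostName))
            TrustedByClient = ($x509chain.ChainStatus.Count -eq 0)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Run once from inside the network and once from outside (or compare against the
# thumbprint published by whoever operates the server). A different Issuer or
# Thumbprint from inside means a device in the path is re-signing the session.
Get-PresentedCertificate -HostName 'mail.example.org' | Format-List
```

If NameMatches is False, or the Issuer is the inspecting device's CA rather than the server's real CA, the client is talking to the proxy's certificate and not to the Exchange Server's, which is the situation the Outlook error describes.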

To disable FortiGate SSL inspection completely, you can clone the read-only profile no-inspection under Security Profiles – SSL/SSH Inspection and configure the clone accordingly.

[Figure: FortiGate SSL Inspection profile clone]

Under Protocol Port Mapping, enter an unused port for HTTPS, which means that SSL deep inspection no longer takes place for port 443.

Assign the configured custom-no-inspection profile to the corresponding policy. For policies covering internal and VPN connections, SSL/TLS deep inspection should not normally be required.