NetBIOS packets in firewall
On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API.
The key thing to remember about gethostbyaddr() is that it is virtual. It doesn’t specify how it resolves an address into a name. In practice, it will use all available mechanisms.
If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:
- DNS in-addr.arpa PTR queries sent to the DNS server
- NetBIOS NodeStatus queries sent to the IP address
- lookups in the /etc/hosts file
- AppleTalk over IP name query sent to the IP address
- RPC query sent to the UNIX NIS server
- NetBIOS lookup sent to the WINS server
- etc.
Windows systems use the /etc/hosts, DNS, WINS, and NodeStatus techniques.
In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novell IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed on to the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer. (Side note: Users sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must time out first before the real protocol stack is queried for the server name.)
The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider. Of course, that doesn't help you, the firewall admin.
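To tell the "NetBIOS NodeStatus queries sent to the IP address" technique apart from other NetBIOS name-service traffic in a capture, the following added example (not part of the original text) classifies a UDP port 137 payload using the RFC 1002 packet layout. The function names, labels and the sample packet are constructed for illustration.

```python
import struct

NB_TYPE_NB = 0x0020      # ordinary NetBIOS name query
NB_TYPE_NBSTAT = 0x0021  # NodeStatus query
WILDCARD = b"*" + b"\x00" * 15  # the name "*" padded to 16 bytes

# Constructed sample: a NodeStatus query for the wildcard name.
SAMPLE_NODESTATUS = (
    struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)  # id, flags, QD/AN/NS/AR counts
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"          # length, encoded name, terminator
    + struct.pack("!2H", NB_TYPE_NBSTAT, 0x0001)     # question type, class IN
)

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1002 first-level encoding (two 'A'..'P' characters per byte)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def classify_udp137(payload: bytes) -> str:
    """Label one UDP/137 payload taken from a capture or firewall log."""
    if len(payload) < 50:               # 12 header + 34 name + 4 type/class
        return "malformed"
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # a response, or not a one-question query
        return "other"
    if payload[12] != 0x20 or payload[45] != 0x00:
        return "malformed"              # names with a scope ID are not handled
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return "malformed"
    qtype, qclass = struct.unpack("!2H", payload[46:50])
    if qclass != 0x0001:
        return "other"
    if qtype == NB_TYPE_NBSTAT:
        return "nodestatus-wildcard" if name == WILDCARD else "nodestatus"
    return "name-query" if qtype == NB_TYPE_NB else "other"

if __name__ == "__main__":
    print(classify_udp137(SAMPLE_NODESTATUS))
```

A burst of "nodestatus-wildcard" packets from a host you recently connected to is consistent with that host resolving your address to a name, as described above.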