LLMNR - Link-Local Multicast Name Resolution
=================================================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is LLMNR?**

    LLMNR stands for Link-Local Multicast Name Resolution. It's a protocol used by Windows and some other systems to resolve hostnames to IP addresses on a local network when DNS is unavailable.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is LLMNR useful?**

    Without LLMNR or DNS, devices wouldn't be able to resolve names like printer.local or laptop-01 to IP addresses. LLMNR provides a fallback mechanism for name resolution in small or isolated networks, especially when DNS isn't configured.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * Device needs to resolve a name - A computer tries to connect to another device using its hostname.
    * DNS fails or is unavailable - If DNS doesn't respond, the system sends an LLMNR query to the local network.
    * Multicast query sent - The query is sent to the IPv4 multicast address 224.0.0.252 (or FF02::1:3 for IPv6).
    * Device with the name responds - If a device on the local network recognizes the name, it replies with its IP address.
    * Connection established - The requesting device uses the IP to connect.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is LLMNR used?**

    * Small or ad-hoc networks - Where DNS servers are not present.
    * Home networks - For device discovery and name resolution.
    * Temporary setups - Like conference rooms or testing labs.
    * Fallback mechanism - When DNS is misconfigured or temporarily down.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * It is a name resolution protocol, similar to DNS.
    * It uses UDP over port 5355 to send and receive queries.
    * It interacts with applications and services that rely on hostname resolution.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`LLMNR Version&RFC Details `
    * :ref:`LLMNR Basic Setup on Ubuntu using IPv4 `
    * :ref:`LLMNR Basic Setup on Ubuntu using IPv6 `
    * :ref:`LLMNR Protocol Packet Details `
    * :ref:`LLMNR Usecases `
    * :ref:`LLMNR Basic Features `
    * :ref:`LLMNR Feature : DNS-Compatible Format `
    * :ref:`LLMNR Feature : Link-Local Scope `
    * :ref:`LLMNR Feature : Multicast-Based Communication `
    * :ref:`LLMNR Feature : UDP and Optional TCP Support `
    * :ref:`LLMNR Feature : IPv4 and IPv6 Support `
    * :ref:`LLMNR Feature : No Central Server Required `
    * :ref:`LLMNR Feature : Security Limitations `
    * :ref:`LLMNR Feature : Microsoft Implementation `
    * :ref:`Reference links `

.. _LLMNR_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _LLMNR_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _LLMNR_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _LLMNR_step5:

.. tab-set::

    .. tab-item:: LLMNR Version&RFC Details

        .. csv-table::
            :file: ./LLMNR/LLMNR_Version_RFC_details.csv
            :widths: 10,10,10,30
            :header-rows: 1

.. _LLMNR_step18:

.. tab-set::

    .. tab-item:: LLMNR Basic Setup on Ubuntu using IPv4

        * Step-1 : Launch GNS3 and Create Network Topology

        .. note::

            * Use GNS3 to simulate two Ubuntu virtual machines.
            * Connect both VMs using a virtual Ethernet cable.

        1. Open GNS3
        2. Add **two Ubuntu VMs** to the canvas
        3. Connect the VMs using an **Ethernet link**
        4. Start both virtual machines

        * Step-2 : Assign Static IPv4 Addresses

        .. code-block:: shell

            VM1:~$ sudo ifconfig enp0s8 192.168.1.10 up
            VM2:~$ sudo ifconfig enp0s8 192.168.1.20 up

        .. note::

            * Both machines must be on the **same subnet**
            * Replace `enp0s8` with your actual interface name (check via `ifconfig`)

        * Step-3 : Verify Connectivity Between Machines

        .. code-block:: shell

            VM1:~$ ping -c 4 192.168.1.20
            VM2:~$ ping -c 4 192.168.1.10

        .. note::

            * Ensure both VMs can **ping each other successfully**

        * Step-4 : Enable LLMNR on Both Machines

        .. code-block:: shell

            VM1 & VM2:~$ sudo nano /etc/systemd/resolved.conf

        Edit or uncomment the following line::

            LLMNR=yes

        .. note::

            * This enables **Link-Local Multicast Name Resolution (LLMNR)** over IPv4

        * Step-5 : Restart systemd-resolved Service

        .. code-block:: shell

            VM1 & VM2:~$ sudo systemctl restart systemd-resolved

        .. note::

            * Ensure no errors occur during service restart

        * Step-6 : Confirm LLMNR Status

        .. code-block:: shell

            VM1 & VM2:~$ resolvectl status

        * expected output::

            LLMNR setting: yes
            LLMNR status: yes (IPv4)

        * Step-7 : Temporarily Set Hostnames

        .. code-block:: shell

            VM1:~$ sudo hostnamectl set-hostname machine1
            VM2:~$ sudo hostnamectl set-hostname machine2

            VM1:~$ hostname
            machine1

            VM2:~$ hostname
            machine2

        .. note::

            * Hostnames are used for LLMNR name resolution.
            * These changes are temporary unless saved in cloud-init or startup scripts.

        * Step-8 : Test LLMNR Resolution

        .. code-block:: shell

            VM1:~$ ping -c 7 machine2
            PING machine2 (192.168.1.20) 56(84) bytes of data.
            64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=0.682 ms
            64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.509 ms
            64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.485 ms
            64 bytes from 192.168.1.20: icmp_seq=4 ttl=64 time=0.461 ms
            64 bytes from 192.168.1.20: icmp_seq=5 ttl=64 time=0.444 ms
            64 bytes from 192.168.1.20: icmp_seq=6 ttl=64 time=0.451 ms
            64 bytes from 192.168.1.20: icmp_seq=7 ttl=64 time=0.448 ms

            --- machine2 ping statistics ---
            7 packets transmitted, 7 received, 0% packet loss, time 6011ms
            rtt min/avg/max/mdev = 0.444/0.497/0.682/0.080 ms

        * expected output:

            * You should receive replies using **machine2's IP address (192.168.1.20)**

        * Step-9 : Capture and Inspect LLMNR Traffic

        * steps :

            * Start a Wireshark capture on the GNS3 link between VM1 and VM2
            * Use the following filter: udp.port == 5355 || icmp

        * Wireshark Capture

          :download:`Download wireshark capture `

        .. note::

            * You will observe:

              - **LLMNR query**: sent from VM1 to 224.0.0.252 (LLMNR multicast)
              - **LLMNR response**: sent from VM2 back to VM1, with `A` record containing IP
              - ICMP Echo Request/Reply for `ping`

.. _LLMNR_step19:

.. tab-set::

    .. tab-item:: LLMNR Basic Setup on Ubuntu using IPv6

        * Step-1 : Launch GNS3 and Create Network Topology

        .. note::

            * Use GNS3 to simulate two Ubuntu virtual machines.
            * Connect both VMs using a virtual Ethernet cable.

        1. Open GNS3
        2. Add **two Ubuntu VMs** to the canvas
        3. Connect the VMs using an **Ethernet link**
        4. Start both virtual machines

        * Step-2 : Assign IPv6 Addresses (if not already present)

        .. note::

            * By default, Ubuntu assigns a link-local IPv6 address (`fe80::/64`)
            * If needed, manually assign IPv6 addresses in the **same subnet**

        .. code-block:: shell

            VM1:~$ sudo ip -6 addr add fd00:1::101/64 dev enp0s8
            VM2:~$ sudo ip -6 addr add fd00:1::104/64 dev enp0s8

        * Step-3 : Verify IPv6 Connectivity Between Machines

        .. code-block:: shell

            VM1:~$ ping6 -c 4 fd00:1::104
            VM2:~$ ping6 -c 4 fd00:1::101

        .. note::

            * Use `ping6` or `ping -6` to test IPv6 connectivity

        * Step-4 : Enable LLMNR on Both Machines

        .. code-block:: shell

            VM1 & VM2:~$ sudo nano /etc/systemd/resolved.conf

        Edit or uncomment the following line::

            LLMNR=yes

        .. note::

            * This enables **LLMNR over IPv6**

        * Step-5 : Restart systemd-resolved Service

        .. code-block:: shell

            VM1 & VM2:~$ sudo systemctl restart systemd-resolved

        .. note::

            * Ensure the service restarts without any errors

        * Step-6 : Confirm LLMNR Status

        .. code-block:: shell

            VM1 & VM2:~$ resolvectl status

        * expected output::

            LLMNR setting: yes
            LLMNR status: yes (IPv6)

        * Step-7 : Temporarily Set Hostnames

        .. code-block:: shell

            VM1:~$ sudo hostnamectl set-hostname machine1
            VM2:~$ sudo hostnamectl set-hostname machine2

            VM1:~$ hostname
            machine1

            VM2:~$ hostname
            machine2

        .. note::

            * These names will be resolved via LLMNR
            * Changes are temporary unless written to persistent configs

        * Step-8 : Test LLMNR Resolution

        .. code-block:: shell

            VM1:~$ ping -6 -c 7 machine2
            PING machine2(fd00:1::104) 56 data bytes
            64 bytes from fd00:1::104: icmp_seq=1 ttl=64 time=0.689 ms
            64 bytes from fd00:1::104: icmp_seq=2 ttl=64 time=0.502 ms
            64 bytes from fd00:1::104: icmp_seq=3 ttl=64 time=0.523 ms
            64 bytes from fd00:1::104: icmp_seq=4 ttl=64 time=0.480 ms
            64 bytes from fd00:1::104: icmp_seq=5 ttl=64 time=0.512 ms
            64 bytes from fd00:1::104: icmp_seq=6 ttl=64 time=0.467 ms
            64 bytes from fd00:1::104: icmp_seq=7 ttl=64 time=0.498 ms

            --- machine2 ping statistics ---
            7 packets transmitted, 7 received, 0% packet loss, time 6008ms
            rtt min/avg/max/mdev = 0.467/0.524/0.689/0.066 ms

        * expected output:

            * You should receive successful replies from **fd00:1::104**

        * Step-9 : Capture and Inspect LLMNR (IPv6) Traffic

        * steps :

            * Start a Wireshark capture on the GNS3 link between VM1 and VM2
            * Use the following display filter: udp.port == 5355 || icmpv6

        * Wireshark Capture

          :download:`Download wireshark capture `

        .. note::

            * You will observe:

              - **LLMNR query**: from VM1 to multicast address **ff02::1:3** asking for AAAA record
              - **LLMNR response**: from VM2 to VM1 with AAAA record for `machine2`
              - ICMPv6 Echo Request/Reply for ping

.. _LLMNR_step6:

.. tab-set::

    .. tab-item:: LLMNR Protocol Packet Details

        **LLMNR QUERY Packet**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Packetdetails1.csv
            :widths: 10,20,30,10
            :header-rows: 1

        **LLMNR RESPONSE Packet**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Packetdetails2.csv
            :widths: 10,20,30,10
            :header-rows: 1

.. _LLMNR_step7:

.. tab-set::

    .. tab-item:: LLMNR Usecases

        .. csv-table::
            :file: ./LLMNR/LLMNR_Use_Cases.csv
            :widths: 10,20,30
            :header-rows: 1

.. _LLMNR_step8:

.. tab-set::

    .. tab-item:: LLMNR Basic Features

        .. csv-table::
            :file: ./LLMNR/LLMNR_Basic_Features.csv
            :widths: 10,10,30
            :header-rows: 1

.. _LLMNR_step9:

.. tab-set::

    .. tab-item:: LLMNR Feature : DNS-Compatible Format

        **DNS-Compatible Format - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature1_DNS_Compatible_Format_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step10:

.. tab-set::

    .. tab-item:: LLMNR Feature : Link-Local Scope

        **Link-Local Scope - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature2_Link_Local_Scope_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step11:

.. tab-set::

    .. tab-item:: LLMNR Feature : Multicast-Based Communication

        **Multicast-Based Communication - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature3_Multicast_Based_Communication_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step12:

.. tab-set::

    .. tab-item:: LLMNR Feature : UDP and Optional TCP Support

        **UDP and Optional TCP Support - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature4_UDP_and_Optional_TCP_Support_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step13:

.. tab-set::

    .. tab-item:: LLMNR Feature : IPv4 and IPv6 Support

        **IPv4 and IPv6 Support - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature5_IPv4_and_IPv6_Support_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step14:

.. tab-set::

    .. tab-item:: LLMNR Feature : No Central Server Required

        **No Central Server Required - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature6_No_Central_Server_Required_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step15:

.. tab-set::

    .. tab-item:: LLMNR Feature : Security Limitations

        **Security Limitations - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature7_Security_Limitations_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step16:

.. tab-set::

    .. tab-item:: LLMNR Feature : Microsoft Implementation

        **Microsoft Implementation - Testcases**

        .. csv-table::
            :file: ./LLMNR/LLMNR_Feature8_Microsoft_Implementation_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _LLMNR_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
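
The query and response seen in the Step-9 captures use the DNS-compatible message format on UDP port 5355, so they can be decoded offline when reviewing a capture. The parser below is an added example, not part of the original page or of any LLMNR implementation; the function names (``read_name``, ``parse_llmnr``, ``answers_query``) and the sample payload bytes are assumptions constructed for this illustration, using the lab's ``machine2`` / 192.168.1.20 values. Truncated input raises ``IndexError`` or ``struct.error``.

```python
import socket
import struct

def read_name(buf, off):
    """Decode a DNS-format name at buf[off]; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                       # bounds labels and pointer hops
        length = buf[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:                        # root label ends the name
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def parse_llmnr(buf):
    """Parse one LLMNR UDP payload: header, question, A/AAAA answers."""
    ident, flags, qdcount, ancount = struct.unpack("!4H", buf[:8])
    msg = {"id": ident, "response": bool(flags & 0x8000), "answers": [],
           "conflict": bool(flags & 0x0400), "tentative": bool(flags & 0x0100)}
    off = 12                                   # fixed header length
    for _ in range(qdcount):
        msg["qname"], off = read_name(buf, off)
        msg["qtype"], _qclass = struct.unpack("!2H", buf[off:off + 4])
        off += 4
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", buf[off:off + 10])
        rdata = buf[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):   # A or AAAA record
            family = socket.AF_INET if rtype == 1 else socket.AF_INET6
            msg["answers"].append((name, socket.inet_ntop(family, rdata)))
    return msg

def answers_query(query, reply):
    """True if reply is a response echoing the query's ID and name."""
    return (reply["response"] and not query["response"] and reply["id"] == query["id"]
            and reply.get("qname", "").lower() == query.get("qname", "").lower())

# Constructed sample payloads modelled on the lab (machine2 at 192.168.1.20).
QUESTION = b"\x08machine2\x00" + struct.pack("!2H", 1, 1)
QUERY = struct.pack("!6H", 0x1A2B, 0x0000, 1, 0, 0, 0) + QUESTION
REPLY = (struct.pack("!6H", 0x1A2B, 0x8000, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
         + struct.pack("!2HIH", 1, 1, 30, 4) + socket.inet_aton("192.168.1.20"))
```

Matching the ID and name only pairs a response with its query; LLMNR carries no authentication, so a match says nothing about which host on the link sent the answer.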