LLMNR - Link-Local Multicast Name Resolution
What is LLMNR?
LLMNR stands for Link-Local Multicast Name Resolution. It’s a protocol used by Windows and some other systems to resolve hostnames to IP addresses on a local network when DNS is unavailable.
Why is LLMNR useful?
Without LLMNR or DNS, devices wouldn’t be able to resolve names like printer.local or laptop-01 to IP addresses. LLMNR provides a fallback mechanism for name resolution in small or isolated networks, especially when DNS isn’t configured.
How it works?
Device needs to resolve a name - A computer tries to connect to another device using its hostname.
DNS fails or is unavailable - If DNS doesn’t respond, the system sends an LLMNR query to the local network.
Multicast query sent - The query is sent to the IPv4 multicast address 224.0.0.252 (or FF02::1:3 for IPv6).
Device with the name responds - If a device on the local network recognizes the name, it replies with its IP address.
Connection established - The requesting device uses the IP to connect.
Where is LLMNR used?
Small or ad-hoc networks - Where DNS servers are not present.
Home networks - For device discovery and name resolution.
Temporary setups - Like conference rooms or testing labs.
Fallback mechanism - When DNS is misconfigured or temporarily down.
Which OSI layer does this protocol belong to?
It is a name resolution protocol, similar to DNS.
It uses UDP over port 5355 to send and receive queries.
It interacts with applications and services that rely on hostname resolution.
Version Info
Version & RFC Details

| LLMNR Version | RFC Version | Year | Core Idea / Contribution |
|---|---|---|---|
| LLMNR | RFC 4795 | 2007 | Introduced LLMNR for local link name resolution using multicast; based on DNS packet format. |
| | MS-LLMNRP | 2024 | Microsoft-specific profile of LLMNR; TCP and EDNS0 support made optional. |
Step-1 : Launch GNS3 and Create Network Topology
Note
Use GNS3 to simulate two Ubuntu virtual machines.
Connect both VMs using a virtual Ethernet cable.
Open GNS3
Add two Ubuntu VMs to the canvas
Connect the VMs using an Ethernet link
Start both virtual machines
Step-2 : Assign Static IPv4 Addresses
    VM1:~$ sudo ifconfig enp0s8 192.168.1.10 up
    VM2:~$ sudo ifconfig enp0s8 192.168.1.20 up
Note
Both machines must be on the same subnet
Replace enp0s8 with your actual interface name (check via ifconfig)
Step-3 : Verify Connectivity Between Machines
    VM1:~$ ping -c 4 192.168.1.20
    VM2:~$ ping -c 4 192.168.1.10
Note
Ensure both VMs can ping each other successfully
Step-4 : Enable LLMNR on Both Machines
    VM1 & VM2:~$ sudo nano /etc/systemd/resolved.conf

Edit or uncomment the following line:

    LLMNR=yes
Note
This enables Link-Local Multicast Name Resolution (LLMNR) over IPv4
Step-5 : Restart systemd-resolved Service
VM1 & VM2:~$ sudo systemctl restart systemd-resolved
Note
Ensure no errors occur during service restart
Step-6 : Confirm LLMNR Status
VM1 & VM2:~$ resolvectl status
Expected output:

    LLMNR setting: yes
    LLMNR status: yes (IPv4)
Step-7 : Temporarily Set Hostnames
    VM1:~$ sudo hostnamectl set-hostname machine1
    VM2:~$ sudo hostnamectl set-hostname machine2
    VM1:~$ hostname
    machine1
    VM2:~$ hostname
    machine2
Note
Hostnames are used for LLMNR name resolution.
These changes are temporary unless saved in cloud-init or startup scripts.
Step-8 : Test LLMNR Resolution
    VM1:~$ ping -c 7 machine2
    PING machine2 (192.168.1.20) 56(84) bytes of data.
    64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=0.682 ms
    64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.509 ms
    64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.485 ms
    64 bytes from 192.168.1.20: icmp_seq=4 ttl=64 time=0.461 ms
    64 bytes from 192.168.1.20: icmp_seq=5 ttl=64 time=0.444 ms
    64 bytes from 192.168.1.20: icmp_seq=6 ttl=64 time=0.451 ms
    64 bytes from 192.168.1.20: icmp_seq=7 ttl=64 time=0.448 ms
    --- machine2 ping statistics ---
    7 packets transmitted, 7 received, 0% packet loss, time 6011ms
    rtt min/avg/max/mdev = 0.444/0.497/0.682/0.080 ms
expected output:
* You should receive replies using **machine2's IP address (192.168.1.20)**
Step-9 : Capture and Inspect LLMNR Traffic
steps :
Start a Wireshark capture on the GNS3 link between VM1 and VM2
Use the following filter: udp.port == 5355 || icmp
Wireshark Capture
Note
You will observe:
- LLMNR query: sent from VM1 to 224.0.0.252 (LLMNR multicast)
- LLMNR response: sent from VM2 back to VM1, with A record containing IP
- ICMP Echo Request/Reply for ping
Step-1 : Launch GNS3 and Create Network Topology
Note
Use GNS3 to simulate two Ubuntu virtual machines.
Connect both VMs using a virtual Ethernet cable.
Open GNS3
Add two Ubuntu VMs to the canvas
Connect the VMs using an Ethernet link
Start both virtual machines
Step-2 : Assign IPv6 Addresses (if not already present)
Note
By default, Ubuntu assigns a link-local IPv6 address (fe80::/64)
If needed, manually assign IPv6 addresses in the same subnet
    VM1:~$ sudo ip -6 addr add fd00:1::101/64 dev enp0s8
    VM2:~$ sudo ip -6 addr add fd00:1::104/64 dev enp0s8
Step-3 : Verify IPv6 Connectivity Between Machines
    VM1:~$ ping6 -c 4 fd00:1::104
    VM2:~$ ping6 -c 4 fd00:1::101
Note
Use ping6 or ping -6 to test IPv6 connectivity
Step-4 : Enable LLMNR on Both Machines
    VM1 & VM2:~$ sudo nano /etc/systemd/resolved.conf

Edit or uncomment the following line:

    LLMNR=yes
Note
This enables LLMNR over IPv6
Step-5 : Restart systemd-resolved Service
VM1 & VM2:~$ sudo systemctl restart systemd-resolved
Note
Ensure the service restarts without any errors
Step-6 : Confirm LLMNR Status
VM1 & VM2:~$ resolvectl status
Expected output:

    LLMNR setting: yes
    LLMNR status: yes (IPv6)
Step-7 : Temporarily Set Hostnames
    VM1:~$ sudo hostnamectl set-hostname machine1
    VM2:~$ sudo hostnamectl set-hostname machine2
    VM1:~$ hostname
    machine1
    VM2:~$ hostname
    machine2
Note
These names will be resolved via LLMNR
Changes are temporary unless written to persistent configs
Step-8 : Test LLMNR Resolution
    VM1:~$ ping -6 -c 7 machine2
    PING machine2(fd00:1::104) 56 data bytes
    64 bytes from fd00:1::104: icmp_seq=1 ttl=64 time=0.689 ms
    64 bytes from fd00:1::104: icmp_seq=2 ttl=64 time=0.502 ms
    64 bytes from fd00:1::104: icmp_seq=3 ttl=64 time=0.523 ms
    64 bytes from fd00:1::104: icmp_seq=4 ttl=64 time=0.480 ms
    64 bytes from fd00:1::104: icmp_seq=5 ttl=64 time=0.512 ms
    64 bytes from fd00:1::104: icmp_seq=6 ttl=64 time=0.467 ms
    64 bytes from fd00:1::104: icmp_seq=7 ttl=64 time=0.498 ms
    --- machine2 ping statistics ---
    7 packets transmitted, 7 received, 0% packet loss, time 6008ms
    rtt min/avg/max/mdev = 0.467/0.524/0.689/0.066 ms
expected output:
* You should receive successful replies from **fd00:1::104**
Step-9 : Capture and Inspect LLMNR (IPv6) Traffic
steps:
Start a Wireshark capture on the GNS3 link between VM1 and VM2
Use the following display filter: udp.port == 5355 || icmpv6
Wireshark Capture
Note
You will observe:
- LLMNR query: from VM1 to multicast address ff02::1:3 asking for AAAA record
- LLMNR response: from VM2 to VM1 with AAAA record for machine2
- ICMPv6 Echo Request/Reply for ping
LLMNR QUERY Packet
| S.No | Protocol Packets | Description | Size(bytes) |
|---|---|---|---|
| 1 | Query | Sent by a host to resolve a hostname on the local network. | ~60-100 |
| | Transaction ID | Unique identifier to match responses. | 2 |
| | Flags | 0x0000 for standard query. | 2 |
| | Questions | Number of questions (usually 1). | 2 |
| | Answer RRs | Number of answer records (0 in query). | 2 |
| | Authority RRs | Number of authority records (0 in query). | 2 |
| | Additional RRs | Number of additional records (0 in query). | 2 |
| | QNAME | Queried hostname (e.g., host.local). | variable |
| | QTYPE | Type of query (1 = A, 28 = AAAA). | 2 |
| | QCLASS | Class of query (1 = IN). | 2 |
LLMNR RESPONSE Packet
| S.No | Protocol Packets | Description | Size(bytes) |
|---|---|---|---|
| 2 | Response | Sent by a host that knows the answer to the query | ~80-120 |
| | Transaction ID | Must match the query’s ID | 2 |
| | Flags | 0x8000 (response, authoritative) | 2 |
| | Questions | Echoed from query (usually 1) | 2 |
| | Answer RRs | Number of answers (usually 1) | 2 |
| | Authority RRs | Usually 0 | 2 |
| | Additional RRs | Usually 0 | 2 |
| | QNAME | Echoed from query | variable |
| | QTYPE | Echoed from query | 2 |
| | QCLASS | Echoed from query | 2 |
| | NAME | Same as QNAME | variable |
| | TYPE | Record type (1 = A, 28 = AAAA) | 2 |
| | CLASS | 1 (IN) | 2 |
| | TTL | Time to live for the record | 4 |
| | RDLENGTH | Length of RDATA field | 2 |
| | RDATA | IP address (4 bytes for A, 16 for AAAA). | 4 or 16 |
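
The field tables above map directly onto bytes on the wire. The following Python is an added example, not code from the original page: it builds a query and the matching response for the lab's machine2, parses both, and applies the checks a querier needs before accepting an answer (matching Transaction ID, QR bit, echoed question, RDLENGTH that fits the record, bounded name compression). All function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
ADDR_LEN = {QTYPE_A: 4, QTYPE_AAAA: 16}  # RDATA size for each address type

def encode_name(name):
    """QNAME wire form: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def read_name(data, off):
    """Decode the name at off; return (name, offset of the next field)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(data):
            raise ValueError("name runs past end of packet")
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(data) or hops == 16:
                raise ValueError("bad or looping compression pointer")
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | data[off + 1], hops + 1
        elif n == 0:
            return ".".join(labels), (off + 1 if resume is None else resume)
        elif n > 63 or off + 1 + n > len(data):
            raise ValueError("bad label length")
        else:
            labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def build_query(name, qtype, txid):
    """Header (flags 0x0000, one question) followed by QNAME, QTYPE, QCLASS."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, QCLASS_IN)

def build_response(query, address, ttl=30):
    """Responder side (constructed): echo the question, add one address record."""
    q = parse_message(query)
    rdata = ipaddress.ip_address(address).packed
    header = struct.pack("!6H", q["id"], 0x8000, 1, 1, 0, 0)
    fixed = struct.pack("!2HIH", q["questions"][0][1], QCLASS_IN, ttl, len(rdata))
    return header + query[12:] + b"\xc0\x0c" + fixed + rdata  # NAME = pointer to QNAME

def parse_message(data):
    """Parse header, questions and answers; raise ValueError when malformed."""
    if len(data) < 12:
        raise ValueError("header shorter than 12 bytes")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(data, off)
        if off + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!2H", data[off:off + 4])
        questions.append((name.lower(), qtype, qclass))
        off += 4
    for _ in range(ancount):
        name, off = read_name(data, off)
        if off + 10 > len(data):
            raise ValueError("truncated answer")
        rtype, _cls, ttl, rdlen = struct.unpack("!2HIH", data[off:off + 10])
        rdata = data[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen or ADDR_LEN.get(rtype, rdlen) != rdlen:
            raise ValueError("RDLENGTH does not match the record")
        addr = str(ipaddress.ip_address(rdata)) if rtype in ADDR_LEN else None
        answers.append({"name": name.lower(), "type": rtype, "ttl": ttl, "address": addr})
        off += 10 + rdlen
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def check_response(query, response):
    """Return the reasons a querier should discard response (empty list = accept)."""
    try:
        q, r = parse_message(query), parse_message(response)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction ID mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set")
    if r["questions"] != q["questions"]:
        problems.append("question not echoed")
    asked = q["questions"][0][:2] if q["questions"] else None
    if not any((a["name"], a["type"]) == asked for a in r["answers"]):
        problems.append("no answer for the queried name and type")
    return problems

if __name__ == "__main__":
    query = build_query("machine2", QTYPE_A, 0x1A2B)   # constructed sample
    reply = build_response(query, "192.168.1.20")      # address from the lab above
    print(parse_message(reply)["answers"], check_response(query, reply))
    print(check_response(query, reply[:-2]))           # truncated RDATA is rejected
```

These checks only establish that a response is well formed and matches the query; they say nothing about who sent it, since the protocol carries no authentication.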
LLMNR - Use Cases

| S.no | Use Case | Description |
|---|---|---|
| 1 | Name Resolution in Isolated Networks | Resolves hostnames to IP addresses in networks without a DNS server, such as small office setups. |
| 2 | Peer-to-Peer Device Discovery | Enables devices like printers, scanners, or file shares to be discovered by name on the same subnet. |
| 3 | Bootstrapping Network Configuration | Helps new devices resolve names before full DNS or DHCP configuration is available. |
| 4 | Ad-Hoc or Emergency Networks | Useful in temporary or emergency networks where DNS infrastructure is unavailable. |
| 5 | Windows Workgroup Environments | Supports name resolution in Windows environments without Active Directory or DNS. |
| 6 | IPv6-Only Local Networks | Provides name resolution over IPv6 where traditional NetBIOS or DNS may not be available. |
| 7 | Troubleshooting and Diagnostics | Allows basic name resolution for testing connectivity in isolated or misconfigured networks. |
LLMNR - Basic Features

| S.no | Features | Description |
|---|---|---|
| 1 | DNS-Compatible Format | Uses the same message format as DNS, making it easy to integrate with DNS tools. |
| 2 | Link-Local Scope | Operates only on the local network segment; does not require a DNS server. |
| 3 | Multicast-Based Communication | Uses multicast IP addresses (IPv4: 224.0.0.252, IPv6: FF02::1:3) for queries. |
| 4 | UDP and Optional TCP Support | Primarily uses UDP port 5355; TCP is optional for larger messages. |
| 5 | IPv4 and IPv6 Support | Works over both IPv4 and IPv6 networks. |
| 6 | No Central Server Required | Enables peer-to-peer name resolution without a central DNS infrastructure. |
| 7 | Security Limitations | No built-in authentication or encryption; vulnerable to spoofing. |
| 8 | Microsoft Implementation | Widely implemented in Windows environments for fallback name resolution. |
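
Because LLMNR responses carry no authentication (the Security Limitations row above), monitoring is the practical control on links where the protocol stays enabled. The following Python is an added example, not code from the original page: three detection heuristics run over already-parsed responses. The record layout, thresholds, canary name and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of already-parsed LLMNR responses seen on one link:
# (seconds, responder_ip, querier_ip, txid, queried_name, answered_address)
SAMPLE = [
    (0.00, "192.168.1.20", "192.168.1.10", 0x1A2B, "machine2", "192.168.1.20"),
    (0.01, "192.168.1.66", "192.168.1.10", 0x1A2B, "MACHINE2", "192.168.1.66"),
    (4.10, "192.168.1.66", "192.168.1.10", 0x2001, "laptop-01", "192.168.1.66"),
    (7.50, "192.168.1.66", "192.168.1.30", 0x0042, "printer", "192.168.1.66"),
    (9.90, "192.168.1.66", "192.168.1.30", 0x0043, "canary-7f3a", "192.168.1.66"),
    (95.0, "192.168.1.10", "192.168.1.20", 0x0101, "machine1", "192.168.1.10"),
]

def conflicting_answers(events):
    """Queries that received different addresses from different responders.

    Names are compared case-insensitively, as LLMNR/DNS names are."""
    by_query = defaultdict(set)
    for _t, responder, querier, txid, name, addr in events:
        by_query[(querier, txid, name.lower())].add((responder, addr))
    return {query: sorted(replies) for query, replies in by_query.items()
            if len({addr for _responder, addr in replies}) > 1}

def many_name_responders(events, max_names=2, window=30.0):
    """Responders that answered for more than max_names distinct names
    within `window` seconds. Both limits are assumed tuning values."""
    seen = defaultdict(list)            # responder -> [(time, name), ...]
    flagged = {}
    for t, responder, _q, _txid, name, _addr in sorted(events):
        seen[responder].append((t, name.lower()))
        recent = {n for ts, n in seen[responder] if t - ts <= window}
        if len(recent) > max_names:
            flagged[responder] = sorted(recent)
    return flagged

def canary_hits(events, canaries):
    """Responders that answered for a name no real host owns.

    `canaries` are names the defender queries on purpose (hypothetical here)."""
    wanted = {c.lower() for c in canaries}
    return sorted({responder for _t, responder, _q, _txid, name, _addr in events
                   if name.lower() in wanted})

if __name__ == "__main__":
    print("conflicts:", conflicting_answers(SAMPLE))
    print("many names:", many_name_responders(SAMPLE))
    print("canary hits:", canary_hits(SAMPLE, ["canary-7f3a"]))
```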
DNS-Compatible Format - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Valid A record query | Send a valid A record query in DNS format | Response contains correct A record |
| 2 | Valid AAAA record query | Send a valid AAAA record query | Response contains correct IPv6 address |
| 3 | Invalid query type | Send a query with an unsupported type | Response is empty or error |
| 4 | Query with invalid name format | Use a name not compliant with DNS rules | Response is error or ignored |
| 5 | Query with maximum label length | Use a label of 63 characters | Response is valid |
| 6 | Query with maximum domain length | Use a domain name of 255 characters | Response is valid |
| 7 | Query with empty name | Send a query with no name | Response is error |
| 8 | Query with special characters | Use non-ASCII characters in name | Response is error or ignored |
| 9 | Query with numeric-only name | Use a name like “123” | Response is valid if name exists |
| 10 | Query with hyphenated name | Use a name like “my-host-name” | Response is valid |
| 11 | Query with trailing dot | Use “host.local.” | Response is valid |
| 12 | Query with uppercase letters | Use “HOST.LOCAL” | Response is valid (case-insensitive) |
| 13 | Query with mixed case | Use “HoSt.LoCaL” | Response is valid |
| 14 | Query with underscore | Use “host_name.local” | Response is valid or ignored |
| 15 | Query with null terminator | Include null byte in name | Response is error |
| 16 | Query with compression | Use DNS name compression | Response is valid |
| 17 | Query without compression | Use uncompressed name | Response is valid |
| 18 | Query with multiple questions | Include multiple questions in one query | Response is valid or error |
| 19 | Query with no questions | Send a query with no question section | Response is error |
| 20 | Query with malformed header | Corrupt the header fields | Response is error |
| 21 | Query with invalid transaction ID | Use non-matching transaction ID | Response is ignored |
| 22 | Query with valid transaction ID | Use matching transaction ID | Response is valid |
| 23 | Query with unsupported class | Use class other than IN (Internet) | Response is error |
| 24 | Query with class IN | Use Internet class | Response is valid |
| 25 | Query with opcode set to 0 | Standard query | Response is valid |
| 26 | Query with non-zero opcode | Use opcode 1 (inverse query) | Response is error |
| 27 | Query with QR bit set | Send a response as a query | Response is ignored |
| 28 | Query with RD bit set | Set recursion desired | Response is valid (ignored by LLMNR) |
| 29 | Query with RA bit set | Set recursion available | Response is valid (ignored by LLMNR) |
| 30 | Query with Z bits set | Set reserved bits | Response is error |
| 31 | Query with TC bit set | Set truncated bit | Response is valid or ignored |
| 32 | Query with authoritative answer | Set AA bit | Response is valid |
| 33 | Query with multiple answers | Include multiple answers in response | Response is valid |
| 34 | Query with no answers | Send a query with no answer | Response is valid (no data) |
| 35 | Query with additional records | Include additional section | Response is valid |
| 36 | Query with invalid TTL | Use negative TTL | Response is error |
| 37 | Query with zero TTL | Use TTL = 0 | Response is valid (no caching) |
| 38 | Query with large TTL | Use TTL = 86400 | Response is valid |
| 39 | Query with invalid RDLENGTH | Set incorrect RDLENGTH | Response is error |
| 40 | Query with valid RDLENGTH | Set correct RDLENGTH | Response is valid |
| 41 | Query with CNAME record | Request CNAME | Response contains alias |
| 42 | Query with MX record | Request MX record | Response is empty or error |
| 43 | Query with TXT record | Request TXT record | Response is empty or error |
| 44 | Query with SOA record | Request SOA record | Response is empty or error |
| 45 | Query with PTR record | Request PTR record | Response is valid if supported |
| 46 | Query with SRV record | Request SRV record | Response is empty or error |
| 47 | Query with NSEC record | Request NSEC record | Response is empty or error |
| 48 | Query with DNSSEC flag | Set DO bit | Response is valid (ignored by LLMNR) |
| 49 | Query with malformed question section | Corrupt question format | Response is error |
| 50 | Query with valid DNS-compatible format | Fully compliant DNS format | Response is valid |
Link-Local Scope - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Valid LLMNR Query in Link-Local | Send a valid LLMNR query within link-local scope | Response received from local host |
| 2 | Query Outside Link-Local Scope | Send LLMNR query to non-link-local address | No response received |
| 3 | Query with Link-Local IPv6 Address | Use IPv6 link-local address | Response received |
| 4 | Query with Global IPv6 Address | Use global IPv6 address | No response |
| 5 | Query with Link-Local IPv4 Address | Use 169.254.x.x address | Response received |
| 6 | Query with Public IPv4 Address | Use public IPv4 address | No response |
| 7 | Query with Loopback Address | Use 127.0.0.1 | No response |
| 8 | Query with Broadcast Address | Use 255.255.255.255 | No response |
| 9 | Query with Multicast Address | Use 224.0.0.252 | Response received |
| 10 | Query with Unicast Address | Use specific host address | Response received if in link-local |
| 11 | TTL = 1 | Set TTL to 1 | Response received |
| 12 | TTL = 0 | Set TTL to 0 | No response |
| 13 | TTL > 1 | Set TTL to 5 | Response received |
| 14 | Query from Same Subnet | Send query from same subnet | Response received |
| 15 | Query from Different Subnet | Send query from different subnet | No response |
| 16 | Query with VLAN Tag | Send query with VLAN tag | Response received if same VLAN |
| 17 | Query with Incorrect VLAN | VLAN mismatch | No response |
| 18 | Query with IPv6 Scope ID | Include scope ID in IPv6 | Response received |
| 19 | Query without Scope ID | Omit scope ID | No response |
| 20 | Query with Expired Lease | Use expired IP lease | No response |
| 21 | Query with Static IP | Use static link-local IP | Response received |
| 22 | Query with DHCP IP | Use DHCP-assigned link-local IP | Response received |
| 23 | Query with Interface Down | Interface disabled | No response |
| 24 | Query with Interface Up | Interface enabled | Response received |
| 25 | Query with Firewall Enabled | Block LLMNR port | No response |
| 26 | Query with Firewall Disabled | Allow LLMNR port | Response received |
| 27 | Query with NAT | Send query through NAT | No response |
| 28 | Query with Proxy | Send query via proxy | No response |
| 29 | Query with VPN | Send query over VPN | No response |
| 30 | Query with Dual Stack | IPv4 and IPv6 enabled | Response received |
| 31 | Query with IPv4 Only | IPv6 disabled | Response received |
| 32 | Query with IPv6 Only | IPv4 disabled | Response received |
| 33 | Query with Multiple Interfaces | Send from multiple interfaces | Response from correct interface |
| 34 | Query with Interface Binding | Bind to specific interface | Response from bound interface |
| 35 | Query with Interface Priority | Prioritize interfaces | Response from highest priority |
| 36 | Query with Interface Metric | Lower metric interface | Response from lower metric |
| 37 | Query with Interface Alias | Use alias IP | Response received |
| 38 | Query with Interface Renamed | Rename interface | Response received |
| 39 | Query with Interface MAC Change | Change MAC address | Response received |
| 40 | Query with Interface MTU Change | Change MTU | Response received |
| 41 | Query with Interface Loopback | Use loopback interface | No response |
| 42 | Query with Interface Bridged | Use bridged interface | Response received |
| 43 | Query with Interface in Promiscuous Mode | Enable promiscuous mode | Response received |
| 44 | Query with Interface in Monitor Mode | Enable monitor mode | No response |
| 45 | Query with Interface Disabled Temporarily | Disable and re-enable | Response after re-enable |
| 46 | Query with Interface Hotplug | Plug in new interface | Response received |
| 47 | Query with Interface Removed | Remove interface | No response |
| 48 | Query with Interface Reset | Reset interface | Response after reset |
| 49 | Query with Interface Driver Update | Update driver | Response received |
| 50 | Query with Interface Firmware Update | Update firmware | Response received |
Multicast-Based Communication - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Valid multicast query | Send query to 224.0.0.252 | Response from local hosts |
| 2 | Invalid multicast address | Use 224.0.0.1 | No response |
| 3 | IPv6 multicast query | Send to FF02::1:3 | Response from IPv6-capable hosts |
| 4 | Multicast with TTL = 1 | Restrict to local subnet | Response received |
| 5 | Multicast with TTL = 0 | Prevent transmission | No response |
| 6 | Multicast with TTL > 1 | Allow wider scope | Response from local only |
| 7 | Multicast with multiple listeners | Multiple hosts listening | Multiple responses |
| 8 | Multicast with no listeners | No host matches query | No response |
| 9 | Multicast with malformed packet | Corrupt header | No response |
| 10 | Multicast with valid DNS format | Use DNS-compatible format | Valid response |
| 11 | Multicast with invalid format | Non-DNS format | No response |
| 12 | Multicast with large payload | Exceed MTU | Truncated or error |
| 13 | Multicast with small payload | Minimal query | Valid response |
| 14 | Multicast with query ID mismatch | Use wrong transaction ID | Ignored response |
| 15 | Multicast with correct ID | Match transaction ID | Valid response |
| 16 | Multicast with multiple questions | Include multiple queries | Valid response or error |
| 17 | Multicast with no questions | Empty question section | No response |
| 18 | Multicast with unsupported type | Use MX record | No response |
| 19 | Multicast with A record | Request IPv4 address | Valid response |
| 20 | Multicast with AAAA record | Request IPv6 address | Valid response |
| 21 | Multicast with CNAME record | Request alias | Valid response if supported |
| 22 | Multicast with PTR record | Request pointer | Valid response |
| 23 | Multicast with TXT record | Request text | Valid response or ignored |
| 24 | Multicast with SOA record | Request SOA | No response |
| 25 | Multicast with SRV record | Request service location | No response |
| 26 | Multicast with NSEC record | Request DNSSEC info | No response |
| 27 | Multicast with valid class IN | Internet class | Valid response |
| 28 | Multicast with unsupported class | Use CH or HS | No response |
| 29 | Multicast with QR bit set | Send response as query | Ignored |
| 30 | Multicast with RD bit set | Recursion desired | Ignored by LLMNR |
| 31 | Multicast with RA bit set | Recursion available | Ignored by LLMNR |
| 32 | Multicast with Z bits set | Reserved bits set | Ignored or error |
| 33 | Multicast with TC bit set | Truncated bit | Response may be ignored |
| 34 | Multicast with AA bit set | Authoritative answer | Valid response |
| 35 | Multicast with additional records | Include extra info | Valid response |
| 36 | Multicast with no answers | Query with no match | No response |
| 37 | Multicast with multiple answers | Multiple matching hosts | Multiple responses |
| 38 | Multicast with invalid TTL in response | Negative TTL | Ignored |
| 39 | Multicast with zero TTL in response | No caching | Valid response |
| 40 | Multicast with high TTL | Long-lived cache | Valid response |
| 41 | Multicast with invalid RDLENGTH | Incorrect length | Ignored |
| 42 | Multicast with correct RDLENGTH | Proper format | Valid response |
| 43 | Multicast with spoofed source | Fake sender IP | Host may accept |
| 44 | Multicast with duplicate responses | Multiple identical replies | Host may choose one |
| 45 | Multicast with delayed response | Response after timeout | Ignored |
| 46 | Multicast with fast response | Immediate reply | Accepted |
| 47 | Multicast with retransmission | Resend query | Response received |
| 48 | Multicast with congestion | Network delay | Response may be delayed |
| 49 | Multicast with dropped packet | Simulate loss | No response |
| 50 | Multicast with retry logic | Retry after timeout | Response received on retry |
UDP and Optional TCP Support - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | UDP query to port 5355 | Send LLMNR query over UDP | Valid response |
| 2 | TCP query to port 5355 | Send LLMNR query over TCP | Valid response (if supported) |
| 3 | UDP query with valid payload | Send standard query | Response received |
| 4 | UDP query with large payload | Exceed UDP size limit | Truncated or error |
| 5 | TCP query with large payload | Handle large query | Valid response |
| 6 | UDP query with invalid header | Corrupt header fields | No response |
| 7 | TCP query with invalid header | Corrupt TCP header | No response |
| 8 | UDP query with correct transaction ID | Match ID | Valid response |
| 9 | UDP query with incorrect transaction ID | Mismatch ID | Ignored response |
| 10 | TCP query with multiple questions | Include multiple queries | Valid response or error |
| 11 | UDP query with no questions | Empty question section | No response |
| 12 | TCP query with no questions | Empty question section | No response |
| 13 | UDP query with unsupported type | Use MX record | No response |
| 14 | TCP query with unsupported type | Use SRV record | No response |
| 15 | UDP query with A record | Request IPv4 address | Valid response |
| 16 | TCP query with AAAA record | Request IPv6 address | Valid response |
| 17 | UDP query with CNAME record | Request alias | Valid response |
| 18 | TCP query with PTR record | Request pointer | Valid response |
| 19 | UDP query with TXT record | Request text | Valid response or ignored |
| 20 | TCP query with SOA record | Request SOA | No response |
| 21 | UDP query with valid class IN | Internet class | Valid response |
| 22 | TCP query with unsupported class | Use CH class | No response |
| 23 | UDP query with QR bit set | Send response as query | Ignored |
| 24 | TCP query with RD bit set | Recursion desired | Ignored by LLMNR |
| 25 | UDP query with RA bit set | Recursion available | Ignored by LLMNR |
| 26 | TCP query with Z bits set | Reserved bits set | Ignored or error |
| 27 | UDP query with TC bit set | Truncated bit | Response may be ignored |
| 28 | TCP query with AA bit set | Authoritative answer | Valid response |
| 29 | UDP query with additional records | Include extra info | Valid response |
| 30 | TCP query with no answers | Query with no match | No response |
| 31 | UDP query with multiple answers | Multiple matching hosts | Multiple responses |
| 32 | TCP query with invalid TTL | Negative TTL | Ignored |
| 33 | UDP query with zero TTL | No caching | Valid response |
| 34 | TCP query with high TTL | Long-lived cache | Valid response |
| 35 | UDP query with invalid RDLENGTH | Incorrect length | Ignored |
| 36 | TCP query with correct RDLENGTH | Proper format | Valid response |
| 37 | UDP query with spoofed source | Fake sender IP | Host may accept |
| 38 | TCP query with duplicate responses | Multiple identical replies | Host may choose one |
| 39 | UDP query with delayed response | Response after timeout | Ignored |
| 40 | TCP query with fast response | Immediate reply | Accepted |
| 41 | UDP query with retransmission | Resend query | Response received |
| 42 | TCP query with congestion | Network delay | Response may be delayed |
| 43 | UDP query with dropped packet | Simulate loss | No response |
| 44 | TCP query with retry logic | Retry after timeout | Response received on retry |
| 45 | UDP query with firewall enabled | Block UDP port | No response |
| 46 | TCP query with firewall enabled | Block TCP port | No response |
| 47 | UDP query with NAT | Send query through NAT | No response |
| 48 | TCP query with proxy | Send query via proxy | No response |
| 49 | UDP query with VPN | Send query over VPN | No response |
| 50 | TCP query with dual stack | IPv4 and IPv6 enabled | Response received |
IPv4 and IPv6 Support - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | IPv4 Basic Query | Send LLMNR query for a known hostname over IPv4 | Response received with correct IP |
| 2 | IPv6 Basic Query | Send LLMNR query for a known hostname over IPv6 | Response received with correct IP |
| 3 | IPv4 Unknown Host | Query an unknown hostname over IPv4 | No response received |
| 4 | IPv6 Unknown Host | Query an unknown hostname over IPv6 | No response received |
| 5 | IPv4 Multicast Address | Verify LLMNR uses 224.0.0.252 for IPv4 | Packet sent to correct multicast address |
| 6 | IPv6 Multicast Address | Verify LLMNR uses FF02::1:3 for IPv6 | Packet sent to correct multicast address |
| 7 | IPv4 TTL Check | Verify TTL is 1 for IPv4 LLMNR packets | TTL = 1 |
| 8 | IPv6 Hop Limit Check | Verify Hop Limit is 255 for IPv6 LLMNR packets | Hop Limit = 255 |
| 9 | IPv4 Response Validity | Validate response contains correct hostname and IP | Response matches query |
| 10 | IPv6 Response Validity | Validate response contains correct hostname and IP | Response matches query |
| 11 | IPv4 Port Check | Verify LLMNR uses UDP port 5355 | Packet sent/received on port 5355 |
| 12 | IPv6 Port Check | Verify LLMNR uses UDP port 5355 | Packet sent/received on port 5355 |
| 13 | IPv4 Query Timeout | Simulate no response scenario | Query times out gracefully |
| 14 | IPv6 Query Timeout | Simulate no response scenario | Query times out gracefully |
| 15 | IPv4 Duplicate Name | Two hosts respond to same name | Detect conflict or log warning |
| 16 | IPv6 Duplicate Name | Two hosts respond to same name | Detect conflict or log warning |
| 17 | IPv4 Packet Format | Validate LLMNR packet structure | Packet conforms to RFC 4795 |
| 18 | IPv6 Packet Format | Validate LLMNR packet structure | Packet conforms to RFC 4795 |
| 19 | IPv4 Hostname Length | Query with max-length hostname | Response received correctly |
| 20 | IPv6 Hostname Length | Query with max-length hostname | Response received correctly |
| 21 | IPv4 Case Sensitivity | Query with different case hostname | Response received (case-insensitive) |
| 22 | IPv6 Case Sensitivity | Query with different case hostname | Response received (case-insensitive) |
| 23 | IPv4 Special Characters | Query with special characters in hostname | Response or error as per spec |
| 24 | IPv6 Special Characters | Query with special characters in hostname | Response or error as per spec |
| 25 | IPv4 Broadcast Block | Ensure LLMNR does not use broadcast | No broadcast packets sent |
| 26 | IPv6 Broadcast Block | Ensure LLMNR does not use broadcast | No broadcast packets sent |
| 27 | IPv4 Response Delay | Measure response time | Response within acceptable delay |
| 28 | IPv6 Response Delay | Measure response time | Response within acceptable delay |
| 29 | IPv4 Retry Mechanism | Simulate packet loss | Retry occurs as per spec |
| 30 | IPv6 Retry Mechanism | Simulate packet loss | Retry occurs as per spec |
| 31 | IPv4 Response to Wrong Query | Send malformed query | No response or error |
| 32 | IPv6 Response to Wrong Query | Send malformed query | No response or error |
| 33 | IPv4 Host Not Listening | Query a host not running LLMNR | No response |
| 34 | IPv6 Host Not Listening | Query a host not running LLMNR | No response |
| 35 | IPv4 Firewall Block | Block UDP 5355 | No LLMNR communication |
| 36 | IPv6 Firewall Block | Block UDP 5355 | No LLMNR communication |
| 37 | IPv4 Hostname with Hyphen | Query hostname with hyphen | Valid response |
| 38 | IPv6 Hostname with Hyphen | Query hostname with hyphen | Valid response |
| 39 | IPv4 Hostname with Digits | Query hostname with digits | Valid response |
| 40 | IPv6 Hostname with Digits | Query hostname with digits | Valid response |
| 41 | IPv4 Response Spoofing | Simulate spoofed response | Detection or rejection |
| 42 | IPv6 Response Spoofing | Simulate spoofed response | Detection or rejection |
| 43 | IPv4 Query Flood | Send multiple queries rapidly | System handles gracefully |
| 44 | IPv6 Query Flood | Send multiple queries rapidly | System handles gracefully |
| 45 | IPv4 Multihomed Host | Query multihomed host | Correct IP returned |
| 46 | IPv6 Multihomed Host | Query multihomed host | Correct IP returned |
| 47 | IPv4 Hostname Resolution Order | Check LLMNR vs DNS priority | LLMNR used as fallback |
| 48 | IPv6 Hostname Resolution Order | Check LLMNR vs DNS priority | LLMNR used as fallback |
| 49 | IPv4 Query from Non-Link-Local | Send query from non-link-local IP | No response |
| 50 | IPv6 Query from Non-Link-Local | Send query from non-link-local IP | No response |
No Central Server Required - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Peer-to-Peer Query | Send LLMNR query from one host to another | Response received without DNS |
| 2 | No DNS Configured | Remove DNS settings | LLMNR still resolves names |
| 3 | DNS Server Offline | Simulate DNS server failure | LLMNR continues to work |
| 4 | Isolated Network | Hosts on isolated LAN | LLMNR resolves names |
| 5 | No Internet Access | Disconnect from internet | LLMNR still functions |
| 6 | DHCP Without DNS | DHCP assigns IP without DNS | LLMNR resolves names |
| 7 | Static IP, No DNS | Static IP config without DNS | LLMNR resolves names |
| 8 | DNS Disabled in OS | Disable DNS client service | LLMNR still resolves names |
| 9 | DNS Cache Cleared | Clear DNS cache | LLMNR still resolves names |
| 10 | DNS Port Blocked | Block port 53 | LLMNR still resolves names |
| 11 | DNS Server Misconfigured | Invalid DNS IP | LLMNR still resolves names |
| 12 | DNS Server Unreachable | DNS IP unreachable | LLMNR still resolves names |
| 13 | DNS Server Returns NXDOMAIN | DNS fails to resolve | LLMNR resolves locally |
| 14 | DNS Server Returns SERVFAIL | DNS error | LLMNR resolves locally |
| 15 | DNS Server Returns REFUSED | DNS refuses query | LLMNR resolves locally |
| 16 | DNS Server Returns Empty | No DNS answer | LLMNR resolves locally |
| 17 | DNS Server Returns Wrong IP | DNS gives wrong IP | LLMNR gives correct local IP |
| 18 | DNS Server Returns Slow | DNS response delayed | LLMNR responds faster |
| 19 | DNS Server Hijacked | DNS gives malicious IP | LLMNR gives correct local IP |
| 20 | DNS Server Not Preferred | DNS not primary resolver | LLMNR still resolves |
| 21 | DNS Server Not Used | DNS not queried | LLMNR resolves directly |
| 22 | DNS Server Removed | Remove DNS from config | LLMNR resolves names |
| 23 | DNS Server in Different Subnet | DNS unreachable | LLMNR resolves locally |
| 24 | DNS Server in VPN | VPN DNS unreachable | LLMNR resolves locally |
| 25 | DNS Server in Cloud | Cloud DNS unreachable | LLMNR resolves locally |
| 26 | DNS Server in Firewall | DNS blocked by firewall | LLMNR resolves locally |
| 27 | DNS Server in Proxy | Proxy blocks DNS | LLMNR resolves locally |
| 28 | DNS Server in Split Tunnel | DNS not routed | LLMNR resolves locally |
| 29 | DNS Server in IPv6 Only | No IPv4 DNS | LLMNR resolves via IPv4 |
| 30 | DNS Server in IPv4 Only | No IPv6 DNS | LLMNR resolves via IPv6 |
| 31 | DNS Server in Host File | Host file overrides DNS | LLMNR still resolves |
| 32 | DNS Server in Loopback | DNS points to 127.0.0.1 | LLMNR resolves locally |
| 33 | DNS Server in Docker | DNS inside container | LLMNR resolves on host |
| 34 | DNS Server in VM | DNS in virtual machine | LLMNR resolves on LAN |
| 35 | DNS Server in Cloudflare | Cloudflare DNS unreachable | LLMNR resolves locally |
| 36 | DNS Server in Google | Google DNS unreachable | LLMNR resolves locally |
37 |
DNS Server in ISP |
ISP DNS unreachable |
LLMNR resolves locally |
38 |
DNS Server in Router |
Router DNS fails |
LLMNR resolves locally |
39 |
DNS Server in AD |
AD DNS fails |
LLMNR resolves locally |
40 |
DNS Server in Kubernetes |
DNS pod fails |
LLMNR resolves locally |
41 |
DNS Server in Split Horizon |
DNS gives external IP |
LLMNR gives local IP |
42 |
DNS Server in DNSSEC |
DNSSEC fails |
LLMNR resolves locally |
43 |
DNS Server in DoH |
DoH fails |
LLMNR resolves locally |
44 |
DNS Server in DoT |
DoT fails |
LLMNR resolves locally |
45 |
DNS Server in DNS64 |
DNS64 fails |
LLMNR resolves locally |
46 |
DNS Server in NAT64 |
NAT64 fails |
LLMNR resolves locally |
47 |
DNS Server in Dual Stack |
Dual stack DNS fails |
LLMNR resolves locally |
48 |
DNS Server in Failover |
Failover DNS fails |
LLMNR resolves locally |
49 |
DNS Server in Round Robin |
All DNS fail |
LLMNR resolves locally |
50 |
DNS Server in Load Balancer |
Load balancer fails |
LLMNR resolves locally |
Security Limitations - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Spoofed Response | Send spoofed LLMNR response | System accepts or rejects based on validation |
| 2 | Man-in-the-Middle | Intercept and alter LLMNR traffic | System vulnerable or detects tampering |
| 3 | Response Injection | Inject fake IP in response | System accepts or flags inconsistency |
| 4 | Name Spoofing | Respond with incorrect hostname | System accepts or logs conflict |
| 5 | LLMNR Poisoning | Poison cache with fake IP | System uses poisoned entry or detects it |
| 6 | Unauthorized Responder | Untrusted host responds | System accepts or rejects based on trust |
| 7 | Replay Attack | Replay old valid response | System accepts or detects replay |
| 8 | Packet Flooding | Flood network with LLMNR packets | System performance degrades or mitigates |
| 9 | Resource Exhaustion | Exhaust memory with LLMNR queries | System handles or crashes |
| 10 | DNS Hijack via LLMNR | Redirect DNS via LLMNR spoof | System uses fake DNS or detects attack |
| 11 | LLMNR over VPN | LLMNR traffic leaks over VPN | Traffic contained or leaks |
| 12 | LLMNR over Public Wi-Fi | Use LLMNR on open network | Vulnerable to spoofing |
| 13 | LLMNR on Guest Network | Enable LLMNR on guest VLAN | Vulnerable to internal attack |
| 14 | LLMNR on Corporate LAN | Test exposure on enterprise LAN | Risk of internal spoofing |
| 15 | LLMNR on IPv6 | Test spoofing on IPv6 | Same vulnerabilities as IPv4 |
| 16 | LLMNR on IPv4 | Test spoofing on IPv4 | Same vulnerabilities as IPv6 |
| 17 | LLMNR with Firewall | Block LLMNR port | No LLMNR traffic allowed |
| 18 | LLMNR with IDS | Detect LLMNR spoofing | IDS alerts or logs attack |
| 19 | LLMNR with IPS | Block spoofed responses | IPS blocks malicious packets |
| 20 | LLMNR with Antivirus | Detect LLMNR abuse | AV alerts or ignores |
| 21 | LLMNR with Endpoint Protection | Detect misuse | Endpoint logs or blocks |
| 22 | LLMNR with Logging | Log all LLMNR traffic | Logs show spoof attempts |
| 23 | LLMNR with SIEM | Correlate LLMNR events | SIEM alerts on anomalies |
| 24 | LLMNR Disabled | Disable LLMNR in OS | No LLMNR traffic observed |
| 25 | LLMNR Enabled | Enable LLMNR in OS | LLMNR traffic observed |
| 26 | LLMNR with Group Policy | Disable via GPO | LLMNR disabled on domain machines |
| 27 | LLMNR with Registry Edit | Disable via registry | LLMNR disabled |
| 28 | LLMNR with Network Segmentation | Isolate LLMNR traffic | No cross-segment spoofing |
| 29 | LLMNR with VLANs | Test spoofing across VLANs | Spoofing blocked or allowed |
| 30 | LLMNR with MAC Filtering | Allow only trusted MACs | Spoofed MAC blocked |
| 31 | LLMNR with Port Security | Limit LLMNR responders | Unauthorized blocked |
| 32 | LLMNR with Static ARP | Prevent spoofing | Static ARP overrides LLMNR |
| 33 | LLMNR with DNSSEC | Compare with DNSSEC | LLMNR lacks integrity checks |
| 34 | LLMNR with mDNS | Coexistence with mDNS | No conflict or interference |
| 35 | LLMNR with DoH | Compare with DNS over HTTPS | LLMNR is unencrypted |
| 36 | LLMNR with DoT | Compare with DNS over TLS | LLMNR is unencrypted |
| 37 | LLMNR with TLS | Attempt to encrypt LLMNR | Not supported |
| 38 | LLMNR with IP Spoofing | Spoof source IP | System accepts or rejects |
| 39 | LLMNR with Host File | Override LLMNR with hosts file | Hosts file takes precedence |
| 40 | LLMNR with DNS Priority | DNS preferred over LLMNR | DNS used first |
| 41 | LLMNR with DHCP | DHCP assigns malicious hostname | LLMNR resolves to attacker |
| 42 | LLMNR with Rogue DHCP | Rogue DHCP assigns name | LLMNR resolves to rogue IP |
| 43 | LLMNR with ARP Spoofing | Combine with ARP spoof | Full redirection possible |
| 44 | LLMNR with SMB Relay | Use LLMNR for SMB relay | Credentials captured |
| 45 | LLMNR with NTLM | Capture NTLM hash via LLMNR | Hash captured |
| 46 | LLMNR with Responder Tool | Use Responder to spoof | System vulnerable or detects |
| 47 | LLMNR with Wireshark | Monitor LLMNR traffic | Packets visible in clear text |
| 48 | LLMNR with Packet Capture | Capture and analyze spoof | Spoof visible in logs |
| 49 | LLMNR with IPv6 Privacy Extensions | Test spoofing with temp IP | Still vulnerable |
| 50 | LLMNR with Zero Trust | Test in zero-trust model | LLMNR disabled or restricted |
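
A defender-side check for the spoofed-response, unauthorized-responder and IDS/logging cases listed under Security Limitations, as an added example that is not part of the original page: it parses LLMNR responses seen on UDP 5355 and flags any name answered by more than one host, and any answer to a canary name that no real host owns. The packet builder, the 192.0.2.x addresses and the canary name `no-such-host-7f3` are constructed for illustration, and only IPv4 A records are decoded.

```python
import struct
from collections import defaultdict

def build_response(txid, name, addr):
    """Constructed sample data: an LLMNR response with one A record (RFC 4795 layout)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    head = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return head + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, addr.split(".")))

def read_name(buf, off):
    """Read labels up to the terminating zero or a compression pointer (not followed)."""
    labels = []
    while buf[off] and buf[off] < 0xC0:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii", "replace"))
        off += 1 + buf[off]
    return ".".join(labels).lower(), off + (2 if buf[off] else 1)

def parse_response(buf):
    """Return (qname, [IPv4 answers]) for a response; None for queries or malformed data."""
    try:
        _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
        qname, off = read_name(buf, 12)
        off, addrs = off + 4, []                      # skip QTYPE and QCLASS
        for _ in range(an):
            _, off = read_name(buf, off)              # owner name, usually a pointer
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
            if rtype == 1 and rdlen == 4:             # A record
                addrs.append(".".join(map(str, buf[off + 10:off + 14])))
            off += 10 + rdlen
        return (qname, addrs) if flags & 0x8000 and qd == 1 else None   # QR bit = response
    except (struct.error, IndexError):
        return None

def find_suspicious(packets, canaries=()):
    """packets: (source_ip, udp_payload) pairs from UDP 5355. Returns {name: [reasons]}."""
    by_name, alerts = defaultdict(dict), defaultdict(list)
    for src, payload in packets:
        if parsed := parse_response(payload):
            by_name[parsed[0]][src] = parsed[1]
    for name, srcs in by_name.items():
        detail = ", ".join(f"{s} -> {'/'.join(a)}" for s, a in sorted(srcs.items()))
        if name in canaries:                          # nobody owns a canary name
            alerts[name].append("canary answered: " + detail)
        if len(srcs) > 1:                             # names should be unique on the link
            alerts[name].append("multiple responders: " + detail)
    return dict(alerts)

SAMPLE = [(src, build_response(0x1A2B, name, src)) for src, name in [   # constructed capture
    ("192.0.2.10", "fileserver"), ("192.0.2.66", "fileserver"),
    ("192.0.2.66", "no-such-host-7f3"), ("192.0.2.20", "printer")]]
```

A multihomed host can legitimately answer from two addresses, so a multiple-responder alert is a lead to verify against inventory, while an answer to a canary name has no benign explanation.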
Microsoft Implementation - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Windows Default Behavior | Check if LLMNR is enabled by default | LLMNR enabled on Windows |
| 2 | Group Policy Disable | Disable LLMNR via GPO | LLMNR disabled on domain machines |
| 3 | Registry Disable | Disable LLMNR via registry | LLMNR disabled |
| 4 | Windows Firewall Block | Block UDP 5355 | LLMNR traffic blocked |
| 5 | Windows Defender Detection | Detect LLMNR spoofing | Alert or log generated |
| 6 | Windows Event Log | Check for LLMNR events | Events logged in Event Viewer |
| 7 | Windows Hostname Resolution | Resolve local hostname via LLMNR | Correct IP returned |
| 8 | Windows IPv6 Support | Send LLMNR query over IPv6 | Response received |
| 9 | Windows IPv4 Support | Send LLMNR query over IPv4 | Response received |
| 10 | Windows Network Profile | Test LLMNR on public network | LLMNR disabled or restricted |
| 11 | Windows Network Profile | Test LLMNR on private network | LLMNR enabled |
| 12 | Windows Network Isolation | Isolate LLMNR traffic | No cross-network resolution |
| 13 | Windows SMB Integration | Use LLMNR for SMB name resolution | Name resolved via LLMNR |
| 14 | Windows NTLM Capture | Capture NTLM hash via LLMNR | Hash captured |
| 15 | Windows Responder Tool | Use Responder on Windows | System vulnerable or detects |
| 16 | Windows DNS Fallback | DNS fails, LLMNR used | LLMNR resolves name |
| 17 | Windows DNS Priority | DNS preferred over LLMNR | DNS used first |
| 18 | Windows Host File Override | Host file overrides LLMNR | Host file takes precedence |
| 19 | Windows LLMNR Timeout | Measure query timeout | Timeout as per spec |
| 20 | Windows LLMNR Retry | Retry on no response | Retry occurs |
| 21 | Windows LLMNR TTL | Check TTL value | TTL = 1 |
| 22 | Windows LLMNR Port | Verify UDP port 5355 | Correct port used |
| 23 | Windows LLMNR Multicast | Verify multicast address | 224.0.0.252 or FF02::1:3 used |
| 24 | Windows LLMNR Packet Format | Validate packet structure | RFC 4795 compliant |
| 25 | Windows LLMNR Logging | Enable verbose logging | Detailed logs available |
| 26 | Windows LLMNR with AD | Test in Active Directory domain | LLMNR works or disabled via policy |
| 27 | Windows LLMNR with DHCP | DHCP assigns hostname | LLMNR resolves it |
| 28 | Windows LLMNR with Static IP | Static IP config | LLMNR resolves name |
| 29 | Windows LLMNR with VPN | VPN blocks LLMNR | No LLMNR traffic |
| 30 | Windows LLMNR with Hyper-V | Test in VM | LLMNR works in VM |
| 31 | Windows LLMNR with Docker | Test in container | LLMNR disabled or restricted |
| 32 | Windows LLMNR with Azure | Test in Azure VM | LLMNR disabled or restricted |
| 33 | Windows LLMNR with Defender ATP | Detect LLMNR abuse | Alert generated |
| 34 | Windows LLMNR with Intune | Manage LLMNR via Intune | Policy applied successfully |
| 35 | Windows LLMNR with SCCM | Deploy LLMNR config | Config applied successfully |
| 36 | Windows LLMNR with Endpoint Manager | Disable via endpoint policy | LLMNR disabled |
| 37 | Windows LLMNR with PowerShell | Query LLMNR status | Status retrieved |
| 38 | Windows LLMNR with netsh | Configure via netsh | LLMNR enabled/disabled |
| 39 | Windows LLMNR with Wireshark | Capture LLMNR packets | Packets visible |
| 40 | Windows LLMNR with NLA | Network Location Awareness affects LLMNR | Behavior changes by profile |
| 41 | Windows LLMNR with ICS | Internet Connection Sharing | LLMNR works or blocked |
| 42 | Windows LLMNR with Remote Desktop | RDP session uses LLMNR | Name resolved |
| 43 | Windows LLMNR with Remote Assistance | Name resolution via LLMNR | Works as expected |
| 44 | Windows LLMNR with SMBv1 | Legacy SMB uses LLMNR | Name resolved |
| 45 | Windows LLMNR with SMBv2/v3 | Modern SMB uses LLMNR | Name resolved |
| 46 | Windows LLMNR with NetBIOS | NetBIOS disabled, LLMNR used | Name resolved |
| 47 | Windows LLMNR with mDNS | Coexistence with mDNS | No conflict |
| 48 | Windows LLMNR with DNS Client Service | DNS service disabled | LLMNR still works |
| 49 | Windows LLMNR with Network Reset | Reset network stack | LLMNR re-enabled |
| 50 | Windows LLMNR with Security Baseline | Apply Microsoft baseline | LLMNR disabled or restricted |
Reference links