Chapter 12

NetBIOS Name Resolution

Name Resolution is the process of taking a NetBIOS name and providing the underlying transport with the TCP/IP addresses for that name.  The tricky part is you must use the underlying transport to find out what the name is.

With Microsoft networking, each computer and each user has a name. The name consist of 16 characters, 15 characters + 1 character which defines the type of name. This 16th character is used to provide an end point for the communication (see table 12.1 on p236).

When you start up or log onto network, your computer must register the name you are using on the network. This is done in one of two ways: broadcasting a Name Registration or sending a Name Registration to a NetBIOS Name Server. This is handled by winsock (all TCP/IP communications use WinSock) over the NetBIOS Name Server port--UDP port 137. (this port is usually disabled on routers, thus relieving the routers of the need to pass broadcast traffic)

The NetBIOS Name service port handles the following 4 main functions:

• Name Registration - occurs when system starts up or new user logs on. This verifies the names that need to be unique on the network.
• Name Query - is sent on network, requesting a response from the computer that has this name registered. (mapping to another computer on network)
• Positive Name Query Response - is the response to the Name Query. Note: every packet is sent to every computer as a broadcast packet. Each computer passes the packet up to IP, which passes it to UDP, which passes it to NetBIOS name service port.
• Name Release - occurs as system is shutdown. A name release broadcast is sent on the wire which informs  hosts you've been communicating with that you are shutting down.

Methods of Name Resolution

There are six methods of NetBIOS name resolution in NT.

• NetBIOS Name Cache
• LMHOSTS file
• Broadcast
• NetBIOS Name Server
• HOSTS file
• A DNS Server

NetBIOS Name Cache

This is an area of memory that contains a list of NetBIOS computer names and the associated IP address. The address in the Name Cache can get there in one of two ways: You have resolved that address or the address was preloaded. It is a quick reference to IP addresses that will be used frequently.

It does not keep every address on your network. It will keep entries for a short period of time ( 10 minutes by default). The exception is preloaded (LMHOSTS file). Very similar to ARP.

This cache cannot be directly modified. However, you can preload entries in LMHOSTS file.  

Commands: (case-sensitive)

NBTSTAT -R will purge and reload the Name Cache.
NBTSTAT -r will view the resolved names.

Registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

• Size of cache
• Cache Timeout

LMHOSTS file

NT checks the LMHOSTS file if a broadcast on the local network fails to resolve the address.

Create a list of the systems the computer would have to talk to . You could put both the IP address and the NetBIOS name. The LMHOSTS file is located in the \%winroot%\system32\drivers\etc directory. Use the EDIT command to edit LMHOSTS.SAM file. 

Sometimes the client needed to talk to a particular service rather than a single machine. This was resolved by the inclusion of tags. Tags were introduced to enable systems to send a request to all the computers that had a particular service running. The results was a system could communicate across routers even though it internally used NetBIOS. This file needs to be located on each and every hosts. Newer tags were added so that computers could read LMHOSTS file on a central computer, however, you still need one local computer so the system would know where and how to find the central one.  See pp 240 - 241 table 12.2 for tags.

When using LMHOSTS file you should keep the following information in mind:

• If IP address is wrong, system will resolve the address, but you will be unable to connect. [Network Name not Found error msg]
• If the name is spelt incorrectly, NT cannot resolve it.
• If LMHOSTS file contains multiple entries, the address for the first one is returned.

Broadcast

If name cannot be found in NetBIOS Name Cache, the system attempts to find the name by using a broadcast on the local network.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

• BcastNameQueryCount
• BcastQueryTimeout

NetBIOS Name Server (NBNS)

NBNS is implemented in the form of WINS. Three commands were implemented:

• Name Registration - registers a computer name with the NBNS, NBNS was made to be a dynamic system that requires little or no maintainence.
• Name Query - Normally all systems use the same NBNS, making it very easy to resolve a name and to send the NetBIOS Name query to the NBNS, server responds with IP address if the systems has registered with it
• Name Release - Releases a registered name, which avoids conflict when user moves from one machine to another.

By using NBNS you can:

• reduce broadcast traffic
• less administrator overhead maintenacne
• facilities domain activity over WAN
• provides browsing services across multiple subnets

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

• NameSErverPort - UDP port used for NetBIOS Name Queries going to the NBNS (137 is default)
• NameSrvQueryCount - indicates the number of times your system should try each NBNS (default is 3)
• NameSrvQueryTimeout - is how long your computer should wait for a response from the NBNS. (default is 15 seconds)

HOSTS file

The hosts file is normally associated with host name resolution (DNS). If all methods of name resolutions fail, NT will use the HOSTS file to attempt name resolution. A hostname is the name given to the computer, usually this is the same as the NetBIOS name, without the 16th character. The host file is located in \%winroot%\system32\drivers\etc directory and is very similar to the LMHOSTS file. The difference being the HOSTS file is simpler in the following two ways:

• not tags
• and more than one name can be associated with a host by entering the names all on the same line, separated by spaces. The default entry placed by NT in HOSTS file is 127.0.0.1, which enables you to ping your own computer by name to ensure the HOSTS file is working.

DNS

Can be used to resolve hostnames too.  If you will be working with the Internet nearly exclusively, having a DNS server makes sense. This is done by checking the ENABLE DNS for Windows Resolution check box. You will need to add the DNS server address in the DNS tab of the TCP/IP settings.

Order of Resolution

This is the order of resolution for NetBIOS names only. Resolving hostnames uses a different method.

NetBIOS Name Resolution the actual order of resolution is set by the NetBIOS Node Type. The default is B-Node unless a WINS server address is entered; in this case the default is h-node.

Types of Nodes

• B-Node - Broadcast node
• P-Node - Peer - to -Peer Node uses an NBNS
• M-Node - Mixed node, tries B-node first and then P-node
• H-Node - Hybrid node, tries P-node first and then B-node

B-node is the simplest way to resolve a name on the network. However this method takes a lot of bandwidth from the Network and also increases CPU time for every host on the network.  NT attempts three times to resolve the name using broadcasting waiting 7.5 seconds between each attempt. (see page 247 for actual steps)

• NetBIOS Name Cache
• Broadcast a NetBIOS Name Query
• LMHOSTS file
• HOSTS file
• A DNS Server

P-node sends a NetBIOS Name Query directly to NBNS rather than as a broadcast. The resolution is quicker and uses less CPU time per hosts. It too attempts three times to contact an NBNS, waiting 15 seconds between attempts. (see p 248 for order of resolution)

• NetBIOS Name Cache
• Asking a NetBIOS Name Server (NBNS)
• HOSTS file
• A DNS Server

M-node tries every method of resolution. This is a combination of the B-node and P-node systems. The only difference is the order in which NT resolves the names. Order of resolution for m-node is (see p. 248)

• NetBIOS Name Cache
• Broadcast a NetBIOS Name Query
• checking LMHOSTS file
• Asking a NetBIOS Name Server (NBNS)
• checking HOSTS file
• consulting a DNS Server

H-node uses a combination of the B-node and P-node systems similar to M-node. Unlike M-node, H-node reduces the amount of broadcast traffic on your network by consulting the NBNS first before attempting a broadcast.

• NetBIOS Name Cache
• Asking a NetBIOS Name Server (NBNS)
• Broadcast a NetBIOS Name Query
• checking LMHOSTS file
• checking HOSTS file
• consulting a DNS Server

Viewing and Setting the Node Type

ipconfig /all

Windows NT IP Configuration

Host Name . . . . . . . . . : rlghncwt1ef.usps.gov
DNS Servers . . . . . . . . : 56.5.0.110
56.6.0.214
56.80.0.11
Node Type . . . . . . . . . : Hybrid
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : Yes

Ethernet adapter DC21X41:

Description . . . . . . . . : DEC DC21142 PCI Fast Ethernet Adapter
Physical Address. . . . . . : 00-00-F8-77-48-ED
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 56.88.21.239
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 56.88.21.1
Primary WINS Server . . . . : 56.80.0.39
Secondary WINS Server . . . : 56.160.0.254

You can set your node type manually. By default the B-node system is used. If you want to become an H-node add the WINS server into TCP/IP configuration screen. If you want to use a different node type you can edit the follow registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

• 1 = B-Node
• 2 = P-Node
• 4 = M-Node
• 8 = H-Node

The node type can also be set automatically by using a DHCP server.