UNC connection with DNS

I would like to phase out Netbios in our enviroment for security and performance reasons. In our test lab the two side effects I have is not being able to use network neighborhood (which i expected), but I can also no longer connect using UNC paths to file shares. Is there a way to resolve using DNS or is it always going to use port 139. I thought CIFS allowed for DNS for name discovery.

This is an all XP/2003 enviroment

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

Can't you use the FQDN?

i.e.\\computername.domainname.com\share

blargoe

Are you able to connect to unc paths using \\fqdn\sharename?

gojericho0

No, which i thought was wierd as well. Going to take a packet capture to see whats going on. Also, we are only a single domain and we should be appending the domain suffix as well. I'll reply after the sniff. Thanks for the help

gojericho0

Ok, capture is showing successful DNS resolution, but then it tries to connect to the remote machine on port 80??? I'm trying to connect using the following

Start -> Run

\\Computer1\C$

sprkymrk

Disable NetBIOS over TCP/IP.

Disabling NetBT
Windows 2000 file and print sharing components uses NetBIOS over TCP/IP to communicate with prior versions of Windows and other non-Microsoft clients. However, the Windows 2000 file and print sharing components (the redirector and server) now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, DNS is used for name resolution. No NetBIOS name resolution (WINS or broadcast) is used and no NetBIOS sessions are established.

By default, both NetBIOS and direct hosting are enabled, and both are tried in parallel when a new connection is established. The first to succeed in connecting is used for any attempt. NetBIOS support can be disabled to force all traffic to use direct hosting.

To disable NetBIOS support

1. From Network and Dial-up Connections , select the connection you want to modify, and then right-click Properties .

2. Select Internet Protocol (TCP/IP) , and then click Properties .

3. Click Advanced .

4. Select the WINS Address tab.

5. Select Disable NetBIOS over TCP/IP .

Or you may want to set up DFS.

gojericho0

Hey sprkymrk,

I currently have netbios disabled in the lab, and for some reason it the direct connection attempts to connect to the remote PC using http on port 80. We are eventually going to be using DFS exclusively, I just thought I might be able to phase out netbios sooner without have DFS implemented yet.

sprkymrk

the direct connection attempts to connect to the remote PC using http on port 80

I'm fairly certain you need to set up DFS. You have disabled the function of browsing the network via NetBIOS, but the shares are still shared out using NetBIOS sharing techniques.

However, I've never been where you are going so can't say for certain.

sprkymrk

Found this, not sure if it means what I think it means (bolded portion):

http://technet2.microsoft.com/windowsserver/en/library/2f4f2924-f6a8-44e2-9b1e-c752e736faff1033.mspx?mfr=true

Disabling NetBIOS over TCP/IP
With computers running Windows Server 2003 operating systems, you can disable NetBIOS over TCP/IP (NetBT) for each network connection. This feature is intended for computers that only use DNS name registration and resolution techniques and communicate by using the Client for Microsoft Networks and the File and Print Sharing for Microsoft Networks components with other computers where NetBT is disabled. Examples of disabling NetBT include computers in specialized or secured roles for your network, such as an edge proxy server or bastion host in a firewall environment, where NetBT support is not required or desired.

The following are considerations for disabling NetBT on computers running Windows Server 2003 operating systems:

• The computer no longer listens for traffic to the NetBIOS datagram service at User Datagram Protocol (UDP) port 138, the NetBIOS name service at UDP port 137, and the NetBIOS session service at Transmission Control Protocol (TCP) port 139.

• TCP/IP-based connections that use the Client for Microsoft Networks and the File and Print Sharing for Microsoft Networks components are only possible to other computers that have NetBT disabled. This affects the ability to browse the network to see network computers and to connect to file shares and network printers.
• NetBIOS name resolution techniques such as WINS, local subnet broadcasts, and the Lmhosts file are no longer used. All name resolution occurs through DNS queries and the Hosts file.

• If the computer needs to participate in WINS as a client, it must have NetBT enabled on at least one network connection.

• If a server running Windows Server 2003 needs to run the WINS service, it must have NetBT enabled on at least one private network connection.

For example, consider disabling NetBT if you have a server computer that has a connection to a private network and a connection to an external network, such as the Internet. In this case, NetBT is not required for the Internet connection. By disabling NetBT on only the Internet connection, the dual-homed computer continues to function as either a WINS server or client for the internal network, and WINS clients are still serviced for connections made by using other physical network adapters installed on the computer.

You can disable NetBT on the WINS tab in the properties of the TCP/IP protocol. For more information, see Configure TCP/IP to use WINS. You can also disable NetBT through DHCP by using a Microsoft vendor-specific DHCP option. For more information, see "Dynamic Host Configuration Protocol" at the Microsoft Resource Kits Web site.

Goldmember

http://support.microsoft.com/kb/244380

gojericho0

Thanks guys. Looks like I'll just have to wait until we get our DFS setup. Appreciate the help and the links.

sprkymrk

Quick question, because I still have not found anything that says you must use DFS when you disable NBT.

What are you doing for DNS? It should be hosted on your DC with host records for all your clients. If you are using an ISP or other DNS server it won't work. According to everything I have read, instead of using NBT (135-139) it should go right to SMB directly over TCP (port 445).

You didn't disable File and Print Sharing did you?

dynamik

Can you connect using the IP? \\123.123.123.123\share

undomiel

It doesn't look like a DNS issue to me but more of a problem in your lab setup. We aren't using DFS here (yet) but you should be able to access shares by UNC with DNS resolution. I ran a few tests and packet captures here and if NBT is set to default it defaults to using port 139 but with it disabled it then went over to using port 445 for SMB. No requests were sent out by port 80. It makes me wonder if explorer is trying to be a web browser for some quirky reason? What happens if you attempt to map a drive from the command line net use X: \\COMPUTER\share and then access it?

EDIT update:

Try disabling the WebClient service on the machine and then try to access via UNC.

gojericho0

OK guys heres an update...meant to post yesterday, but was swamped.

The name resolution part of NETBIOS was disabled via DHCP options and names were successfully being resolved to IPs and connections took place using TCP/445. The problem was occurring when I disabled the TCP/IP Netbios helper service.

I thought this service was just used for name resolution, but apparently the application is also used for establishing connections with the SMB/CIFS protocol .

Bottom line is that I can configure our DHCP options to disable Nebios for name resolution (so i can get rid of the WINS boxes), but will still have to have the TCP/IP Netbios helper service running locally on the client machines until we have DFS up and running.

Thanks for everyones input