How to disable LLMNR

Update 20191226: In the latest updates for Windows 10 and Windows Server 2019 these steps are slightly different. You need to disable two local GPO policies. The first is labeled “Turn off smart multi-homed name resolution” and the second is “Turn off multicast name resolution”.

Many of you are probably already familiar with what Responder does. It takes advantage of protocols such as LLMNR to spoof responses to Windows auto proxy discovery. Black Hills Information Security has just published a blog post on how to disable LLMNR. This protocol has no security, is a broadcast layer 2 protocol and was designed to be used for DNS resolution when there is no DNS server in the network. Nice, right? It is also how Windows has performed its proxy discovery since Windows Vista, and it can be spoofed from any node on the broadcast domain. This has been used by hackers to send the user to a proxy server they control, to steal user credentials for websites such as online banking and also to exploit the browser itself.
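To check whether a machine already has the two settings from the update applied, here is an added example (not from this post or from the BHIS article) that audits the registry values backing those policies. It assumes the policies map to EnableMulticast and DisableSmartNameResolution under the DNSClient policy key; the -Remediate switch is a name chosen for this example.

```powershell
# Audit (and optionally set) the registry values behind the two settings named
# in the update: "Turn off multicast name resolution" and
# "Turn off smart multi-homed name resolution".
[CmdletBinding()]
param(
    [switch]$Remediate   # example-only switch: write the hardened values (needs elevation)
)

# Assumption: both policies are stored under this key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Policy name -> registry value and the data written when the policy is applied.
$settings = @(
    @{ Policy = 'Turn off multicast name resolution';         Name = 'EnableMulticast';            Want = 0 },
    @{ Policy = 'Turn off smart multi-homed name resolution'; Name = 'DisableSmartNameResolution'; Want = 1 }
)

$results = foreach ($s in $settings) {
    # A missing key or value means "Not configured", so LLMNR is still active.
    $current = $null
    $item = Get-ItemProperty -Path $key -Name $s.Name -ErrorAction SilentlyContinue
    if ($item) { $current = $item.($s.Name) }

    if ($Remediate -and $current -ne $s.Want) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
        $current = (Get-ItemProperty -Path $key -Name $s.Name).($s.Name)
    }

    [pscustomobject]@{
        Policy    = $s.Policy
        Value     = $s.Name
        Current   = if ($null -eq $current) { 'not configured' } else { $current }
        Expected  = $s.Want
        Compliant = ($current -eq $s.Want)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a compliance job flag hosts that still answer LLMNR.
if ($results.Compliant -contains $false) { exit 1 }
```

On domain-joined machines, values under the Policies key are rewritten at Group Policy refresh, so set the policies in the GPO itself and use the script only to audit.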

BHIS Blog Post:
