How REALLY to avoid NetBIOS in Win XP?


Philip Inglesant

I can't believe this hasn't been raised before, but several hours of
searching has failed to bring to light exactly what I want.

I have a small home LAN with three PCs, all running Windows XP Professional.
I want to be able to share printers (and sometimes files) between them.
Pretty normal and rather basic, but I DON'T want to use NetBIOS over TCP/IP.

Why not? Well, it's insecure, it's ancient, and I just don't want to have to
be stuck in the dark ages of computing, and I shouldn't have to be.

Now, as I understand it, forgive me if I have misunderstood, but Win XP and
other recent versions of Windows don't have to use NetBIOS for name
resolution, because they use DNS:

"DNS is the name resolution service of Windows 2000, Windows XP, and Windows
Server 2003. Windows clients use DNS for name resolution and service
location, including locating Active Directory domain controllers for logon."
- Windows Server 2003 Technical Reference > Technologies Collections >
Networking Collection.

Now, this is a bit ambiguous, but reading between the lines it seems to
imply that DNS in Windows XP etc. is closely linked with Active Directory.
Which is rather bad news if, like me, you are only running XP and not
Windows Server. Am I correct in thinking that AD _server_ is NOT a part of
Win XP professional?

I also have a Netgear DG834GT ADSL firewall/router. This provides DHCP to
configure all the PCs around the LAN with non-routable IP addresses, as well
as acting as a DNS server for them. However, as far as I can see, it doesn't
update the DNS name associated with the IP addresses it allocates around the
LAN. If it is doing this, then it doesn't seem to be telling ME what is in
its DNS (if I use nslookup to query it).

This DG834GT does support "DynamicDNS", but not in the way I mean - it
supports using a dynamic DNS service so that the rest of the Internet can
find it and other things. This is not what I want - I don't want the
Internet to be able to see me, I want my computers to be able to see ONE
ANOTHER.

So, what this comes down to is that:
- in theory, Win XP /2000?/Server 2003 don't actually NEED NetBIOS, however,
- in practice, as far as I can see, a Win XP-only LAN DOES need to use
NetBIOS because otherwise the PCs around the LAN have no way to find one
another, since, it seems to me, there is no way other than Active Directory
(or something equivalent) that their IP addresses can be added to the DNS,
so there is no way that other computers on the LAN can find them.

Just to be clear, I am NOT talking about looking up DNS records on the
Internet DNS - this works fine, computers on the LAN use the gateway as
their (DHCP-allocated) DNS server, the gateway does DNS look-ups out to the
Internet. What I want to be able to do, as well as this, is use my local DNS
server to look up PCs with their local IP addresses - and, obviously, I
don't want the rest of the Internet to access these local IP addresses and
local names.

Have I missed something? Is there a simple way round this?


--- Philip
 
Really sorry about multiple postings. I think something got stuck in my
personal firewall.

Anyway, one other question/point. DNS is, as the name implies, all about
DOMAINS. I don't necessarily want to have my local PCs in a real,
registered domain, and even if I did, I don't want my local host names and
local, non-routable IP addresses to be part of that domain. What should I
use? Do I have to put something in "My Computer -> (rt click) Properties ->
Computer Name -> Change -> More -> Primary DNS suffix of this computer",
and if so, what?
 
Philip Inglesant said:
Really sorry about multiple postings. I think something got stuck in
my personal firewall.

Anyway, one other question/point. DNS is, as the name implies, all
about DOMAINS. I don't necessarily want to have my local PCs in a
real, registered domain, and even if I did, I don't want my local
host names and local, non-routable IP addresses to be part of that
domain. What should I use? Do I have to put something in "My Computer
-> (rt click) Properties -> Computer Name -> Change -> More ->
Primary DNS suffix of this computer", and if so, what?

Domain, in the sense you want, would be a local/AD domain. You don't have
AD - so you can't have a local domain.
 
Philip Inglesant said:
I can't believe this hasn't been raised before, but several hours of
searching has failed to bring to light exactly what I want.

I have a small home LAN with three PCs, all running Windows XP
Professional. I want to be able to share printers (and sometimes
files) between them. Pretty normal and rather basic, but I DON'T want
to use NetBIOS over TCP/IP.
Why not? Well, it's insecure

Insecure? How so? If your network is protected and your machines are
patched, I don't see how this is a security issue....
, it's ancient,

True, dat.
and I just don't want to
have to be stuck in the dark ages of computing, and I shouldn't have
to be.

You don't. If you're in a workgroup and don't want to browse, you don't need
NetBIOS.
Now, as I understand it, forgive me if I have misunderstood, but Win
XP and other recent versions of Windows don't have to use NetBIOS for
name resolution, because they use DNS:

Well...yes, but if you don't have an internal DNS server, it's going to be
broadcast (NetBIOS) or hosts files if you want any sort of local name
resolution.
"DNS is the name resolution service of Windows 2000, Windows XP, and
Windows Server 2003. Windows clients use DNS for name resolution and
service location, including locating Active Directory domain
controllers for logon. " -
Windows Server 2003 Technical Reference > Technologies Collections >
Networking Collection.

Now, this is a bit ambiguous, but reading between the lines it seems
to imply that DNS in Windows XP etc. is closely linked with Active
Directory.

Right.

Which is rather bad news if, like me, you are only running
XP and not Windows Server. Am I correct in thinking that AD _server_
is NOT a part of Win XP professional?

You've got it.

I also have a Netgear DG834GT ADSL firewall/router. This provides
DHCP to configure all the PCs around the LAN with non-routable IP
addresses, as well as acting as a DNS server for them. However, as
far as I can see, it doesn't update the DNS name associated with the
IP addresses it allocates around the LAN. If it is doing this, then
it doesn't seem to be telling ME what is in its DNS (if I use
nslookup to query it).

It isn't going to work for you for this purpose. In fact, it may not even
work as a DNS caching server - I usually hard-code the DHCP scope in these
sorts of devices to use the ISP's DNS servers. It tends to work better.
This DG834GT does support "DynamicDNS", but not in the way I mean - it
supports using a dynamic DNS service so that the rest of the Internet
can find it and other things. This is not what I want - I don't want
the Internet to be able to see me, I want my computers to be able to
see ONE ANOTHER.

Then it's NetBIOS for you - or static IPs and local hosts files if you just
want to 'blind map' drives.
So, what this comes down to is that:
- in theory, Win XP /2000?/Server 2003 don't actually NEED NetBIOS, however,
- in practice, as far as I can see, a Win XP-only LAN DOES need to use
NetBIOS because otherwise the PCs around the LAN have no way to find
one another, since, it seems to me, there is no way other than Active
Directory (or something equivalent) that their IP addresses can be
added to the DNS, so there is no way that other computers on the LAN
can find them.

You've got it.

Just to be clear, I am NOT talking about looking up DNS records on the
Internet DNS - this works fine, computers on the LAN use the gateway
as their (DHCP-allocated) DNS server, the gateway does DNS look-ups
out to the Internet. What I want to be able to do, as well as this,
is use my local DNS server to look up PCs with their local IP
addresses - and, obviously, I don't want the rest of the Internet to
access these local IP addresses and local names.

Have I missed something? Is there a simple way round this?

I think you've got it down - and I've mentioned your alternatives above.

Best of luck!
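The workgroup alternative this reply describes (no NetBIOS over TCP/IP, fixed addresses plus a hosts file for "blind" mapping), as an added example that is not from the thread: it disables NetBT per interface, seeds the hosts file, and then checks that UDP 137/138 and TCP 139 are no longer listening while the names still resolve. It assumes PowerShell 2.0 on XP SP3 run as an administrator, that each PC keeps a fixed address (static, or a DHCP reservation on the router), and the host names and 192.168.0.x addresses are constructed placeholders.

```powershell
# Added example, not from the thread: run a Windows XP workgroup PC without
# NetBIOS over TCP/IP, using fixed addresses and a hosts file instead.
# Assumptions: PowerShell 2.0 on XP SP3, run as an administrator; every PC
# keeps its address (static, or a DHCP reservation on the router). Names and
# 192.168.0.x addresses below are constructed placeholders.

$lanHosts = @{
    'printpc' = '192.168.0.10'   # PC the shared printer is attached to
    'study'   = '192.168.0.11'
    'laptop'  = '192.168.0.12'
}

# 1. Disable NetBIOS over TCP/IP on every TCP/IP-bound interface.
#    NetbiosOptions: 0 = take the DHCP option, 1 = enable, 2 = disable.
#    Network Neighborhood browsing stops working; access by name does not.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2
    "NetBIOS over TCP/IP disabled on $($_.PSChildName)"
}

# 2. Seed the hosts file with the LAN map, skipping names already present.
$hostsFile = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$existing  = Get-Content $hostsFile
foreach ($name in $lanHosts.Keys) {
    $pattern = '^\s*\S+\s+' + [regex]::Escape($name) + '(\s|$)'
    if ($existing -match $pattern) { continue }
    Add-Content -Path $hostsFile -Value ("{0}`t{1}" -f $lanHosts[$name], $name)
}

# 3. Check after a reboot (NetBT reads the setting when the interface starts):
#    nothing on UDP 137/138 or TCP 139, while SMB still listens on TCP 445
#    and the hosts-file names resolve without any broadcast.
$nb = netstat -an | Select-String ':13[789]\s'
if ($nb) { "NetBIOS ports still open:`n" + ($nb -join "`n") } else { 'No NetBIOS listeners' }
foreach ($name in $lanHosts.Keys) {
    ping -n 1 $name | Select-String 'Reply from|could not find host'
}

# Blind-map the printer PC's share by name, e.g.:  net use P: \\printpc\share
```

With NetBT off, SMB between the PCs runs direct-hosted on TCP 445, so the file and printer sharing exception in each PC's Windows Firewall only needs 445 scoped to the local subnet; 137-139 can stay blocked.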
 
Thanks very much for this, and thanks too to Steve Winograd for his reply.

I'm not sure that this leaves me with any totally satisfactory solutions,
because since IP addies are allocated by DHCP then the machine that the
printer (say) is connected to might change its address next time it boots.
So, connecting to it by fixed IP will be a nuisance. However, it's
reassuring (in a sort of negative way) to know that my understanding of it
is pretty much the way it is.

I don't really know much about NetBIOS security, but as you say, my network
is protected and the machines are patched so it might be the best option. I
understand how the architecture leads to this outcome, but it's annoying to
be stuck with something which supposedly has been surpassed.

- Philip

 
Philip Inglesant said:
Thanks very much for this, and thanks too to Steve Winograd for his
reply.

You're welcome.

I'm not sure that this leaves me with any totally satisfactory
solutions, because since IP addies are allocated by DHCP then the
machine that the printer (say) is connected to might change its
address next time it boots. So, connecting to it by fixed IP will be
a nuisance. However, it's reassuring (in a sort of negative way) to
know that my understanding of it is pretty much the way it is.

Yep.

I don't really know much about NetBIOS security,

They don't really relate to one another at all, those two words.
but as you say, my
network is protected and the machines are patched so it might be the
best option. I understand how the architecture leads to this outcome,
but it's annoying to be stuck with something which supposedly has
been surpassed.

It has been - if you don't care about browsing or local name resolution in a
workgroup with no internal DNS server.
- Philip

 
