
Saturday, April 4, 2015

Disable NetBios, enable DNS with DD-WRT

Introduction

Using a LAN router based on DD-WRT software offers extra features and functionality to improve your network, easily and at low cost. In this article I explain the setup of DNS/DHCP for standard name resolution while disabling NetBIOS.

NetBIOS

NetBIOS is a legacy API from the early days (1983) of PC networking that provides services for applications on separate PCs to communicate within a single local network. NetBIOS therefore uses a flat namespace of NetBIOS names and relies heavily on broadcasts to resolve names to addresses.
SMB is an application-layer network protocol mainly used for file and print sharing. SMB can run on top of the session (and lower) network layers in several ways:
  • Via the NetBIOS API, which in turn can run on several transports:
    • On several legacy protocols such as NBF, NBX and Pathworks.
    • On UDP ports 137, 138 and TCP ports 137, 139 (NBT);
  • Directly over TCP, port 445 (direct hosting of SMB over TCP/IP).
The first implementations of NetBIOS ran directly on the link layer using the NBF protocol; later NetBIOS became available on routable networks to support existing NetBIOS-based applications.

The support of legacy services to keep old applications working has resulted in complexity and limitations because of the use of multiple naming systems (NetBIOS name and hostname, NetBIOS node types, WINS and DNS, LMHOSTS and HOSTS, ...) and multiple network management utilities. Communication on the Internet requires a hierarchical namespace and worldwide standards for addressing and network management. Because new applications no longer depend on NetBIOS, disabling NetBIOS and using those same standards is the way to go for:
  • simplification, improved security and speed,
  • removing multiple methods of name resolution,
  • standardizing on TCP/IP name resolution with DNS for file and printer sharing.
Impact of disabling NetBIOS
Shutting off NetBIOS reduces the network's browsing functionality because the Computer Browser, the service manifested in Network Neighborhood, My Network Places, and the Net View command, sits atop NetBIOS. Connecting to a share does not change.

In our case users have predefined access to resources, so limited browsing functionality is not an issue; as network manager you have plenty of free tools available for browsing the network.
Disabling NetBIOS means that the infamous ports (UDP 137 and 138, TCP 137 and 139) are no longer used. Direct hosting of SMB over TCP/IP uses UDP and TCP port 445, so you might have to update your firewall rules for these changes.

Disable NetBIOS
To disable NBT manually, change the computer's TCP/IP properties. In the Network Connections window, you'll see an object for each network card on your system. Right-click the network card for which you want to disable NBT, then choose Properties. On the Properties page, double-click the Internet Protocol (TCP/IP) object, then click Advanced on the Internet Protocol (TCP/IP) Properties page. Click the WINS tab, then click the Disable NetBIOS over TCP/IP radio button. Clear the Enable LMHOSTS lookup check box, then click OK until you've closed the pages.
To verify that you've killed NBT, type "ipconfig /all" on a command line. You'll see a line confirming that NetBT is disabled. You can also centrally disable NBT with DHCP; I will explain that later.

Disable and remove unnecessary services with care
The Computer Browser is of no use anymore. Type services.msc at the command prompt and select the Computer Browser to stop and disable the service.

The service TCP/IP NetBIOS Helper Service should, despite its name, not be disabled. If you stop this service you will receive system error 1231 with the message "The network location cannot be reached". On various websites it is erroneously recommended to stop this service. In fact the name is a legacy from the time SMB was tied to NetBIOS; according to Bill Grant a better name would be TCP/IP SMB Helper.

In My Network Places I disabled Entire Network with the registry key "NoEntireNetwork".

DNS 

The Internet maintains two principal namespaces, the domain namespace and the IP address namespace. DNS maintains the domain namespace and provides translation services between it and the address namespace.
Unlike the flat namespace of NetBIOS, DNS has a hierarchical namespace, organized in subordinate levels (subdomains) of the DNS root domain. A hostname in DNS is a fully qualified domain name (FQDN), a name that is completely specified in the DNS hierarchy, with no parts omitted. The dot in a DNS name is required to force a DNS lookup.
The IP address namespace is logically recognized as consisting of two parts: the network prefix and the host identifier. The subnet mask or the CIDR prefix determines how the IP address is divided into network and host parts.

The DNS hostname of a Windows computer is based on the computer name and the DNS suffix: <computername>.<dns suffix>, like barebone.example.com with example.com as suffix.
The computer name is set during the installation of Windows as a Computer property; the DNS suffix will be centrally managed with dnsmasq to get DNS hostnames for all devices, including mobile devices such as phones and tablets. When the computer name is used, the system will automatically append the DNS suffix.

Best practice for internal domain name
A domain name must be carefully planned. The best practice for an internal domain name is to use a sub-domain of an externally registered domain. Only if you are sure you will not use an external domain in the future could you use, for example, .lan (not .local) as TLD; that is what I use in the example configuration.

Dnsmasq

Introduction
Dnsmasq is a lightweight DNS and DHCP server available on the DD-WRT LAN router. Dnsmasq accepts DNS queries and either answers them or forwards them to a real, recursive DNS server. It also answers DNS queries for DHCP-configured hosts.
The dnsmasq DHCP server supports dynamic and static address assignments and multiple networks. It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options.

Our local network with the subnets 192.168.2.0/24 and 192.168.3.0/24 is shown in the figure; the router configuration for the two subnets is explained in a previous blog.

Prerequisites
All our network devices must have their own computer name and be configured to get their network configuration via DHCP. If you have some machines with static IP addresses, dnsmasq will incorporate them as well based on the hardware (MAC) address, so you don't need to change them.

Configuration
The configuration of dnsmasq in DD-WRT consists of two parts: a Basic Setup and an Additional Setup at the Services tab.
Let's start with the Basic Setup tab in the web interface of the DD-WRT router.
On this page we enable DNS and DHCP for the subnet 192.168.3.0 with dynamic IP addresses.
Select Use DNSMasq for DHCP, Use DNSMasq for DNS and DHCP-Authoritative.

Under the Services tab we select Services for the remaining settings.
Under DHCP Server choose LAN&WLAN; this is your internal domain, whereas the Domain Name on the Basic Setup page is the external domain.
Under LAN Domain we define our internal domain name, in our case lan.
Under Static Leases you define the MAC address, the computer name and the static IP address of each host.
Under DNSMasq we enable both DNSMasq and Local DNS.

The remaining settings must be defined in Additional DNSMasq Options. The syntax of the settings can be found in the dnsmasq manual. My network has these settings:

dhcp-range=wan,192.168.2.0,static
    Enables DHCP for subnet 192.168.2.0 with static IP addresses (for dynamic addresses you can define the start and end address). wan is the label of this subnet, used to reference it in the following dhcp-options.

By default dnsmasq sends some standard options to DHCP clients:
- netmask and broadcast address are set to the same as the host running dnsmasq,
- the DNS server and the default gateway are set to the address of the machine running dnsmasq,
- if the domain option is set, it is sent as the connection-specific suffix and DNS suffix search list.
With dhcp-option these values can be overridden and additional options set.

dhcp-option=wan,3,192.168.2.1
    Default gateway (option 3): the ISP router.
dhcp-option=wan,6,192.168.2.3
    DNS server (option 6).
ptr-record=3.2.168.192.in-addr.arpa,DD-WRT.lan
    Returns a PTR DNS record for the LAN router.
local=/lan/
    Queries for .lan are not sent to the upstream server.
dhcp-option=43,01:04:00:00:00:02
    Disables NetBIOS over TCP/IP; this requires that the DHCP client is configured with Default in the Advanced TCP/IP settings. This DHCP option must be defined last for Windows XP clients, see Microsoft KB953761.
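As an added check, not code from the original post: a small Python script that parses the option lines above (embedded as a constructed sample), decodes the option 43 payload to confirm it really encodes "disable NetBT", verifies that the option 43 line is the last dhcp-option as KB953761 requires, and checks the ptr-record name against the router's address.

```python
"""Sanity-check dnsmasq 'Additional Options' lines before pasting them into DD-WRT."""
import ipaddress

# Constructed sample: the option lines from the post, in the order they are listed.
SAMPLE_OPTIONS = """\
dhcp-range=wan,192.168.2.0,static
dhcp-option=wan,3,192.168.2.1
dhcp-option=wan,6,192.168.2.3
ptr-record=3.2.168.192.in-addr.arpa,DD-WRT.lan
local=/lan/
dhcp-option=43,01:04:00:00:00:02
"""

def parse_options(text):
    """Return (keyword, value) pairs for each non-empty, non-comment line."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def decode_option43(hexvalue):
    """Decode a colon-separated option 43 payload into {suboption: bytes}.
    Microsoft vendor encoding: 1-byte code, 1-byte length, then the value."""
    data = bytes.fromhex(hexvalue.replace(":", ""))
    subs, i = {}, 0
    while i < len(data):
        code, length = data[i], data[i + 1]
        subs[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def netbios_setting(hexvalue):
    """Sub-option 1 carries a 32-bit value: 1 = enable NetBT, 2 = disable NetBT."""
    value = int.from_bytes(decode_option43(hexvalue)[1], "big")
    return {1: "enabled", 2: "disabled"}.get(value, "unknown")

def option43_is_last(pairs):
    """KB953761: the option 43 line must be the last dhcp-option for XP clients."""
    dhcp_opts = [v for k, v in pairs if k == "dhcp-option"]
    return bool(dhcp_opts) and dhcp_opts[-1].split(",")[0] == "43"

def ptr_name_matches(pairs, ip):
    """Check that a ptr-record owner name equals the reverse name of ip."""
    expected = ipaddress.ip_address(ip).reverse_pointer
    return any(k == "ptr-record" and v.split(",")[0] == expected for k, v in pairs)
```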

Final check
You can check your configuration in the file dnsmasq.conf by entering cat /tmp/dnsmasq.conf in the Command Shell under the Administration tab, Commands.
With WinSCP you can manage your configuration in a user-friendly, explorer-like interface.
With ipconfig /all you can check whether the configuration of your clients is set correctly; pay special attention to the DNS suffix and the message that NetBIOS over TCP/IP is disabled.

That's it: I think dnsmasq is easy to use but powerful software.

2 comments:

  1. Thanks, this was the only place I found that actually indicated:
    dhcp-option=43,01:04:00:00:00:02
    in just the right format. In case anybody uses OpenWRT as I do, the option is set in /etc/config/dhcp as:
    list 'dhcp_option' '43,01:04:00:00:00:02'
    which, when you reboot or run "uci commit dhcp" will update and restart dnsmasq to apply it.

  2. Image at top, "Fysical", shouldn't it be "Physical"
